From: Neil Horman
Date: Wed, 4 Dec 2024 14:25:12 +0000 (-0500)
Subject: Add a public flag to disable address validation on listeners
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c517cc3b18dc854144861fe56f79f0533c6af89a;p=thirdparty%2Fopenssl.git

Add a public flag to disable address validation on listeners

Now that we have the infrastructure to skip address validation, add a public flag to SSL_new_listener and SSL_new_listener_from to allow the skipping of address validation on selected quic listener SSL objects

Reviewed-by: Saša Nedvědický
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26114)
---
diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod
index 517df82a0fb..dfcacfc842b 100644
--- a/doc/man3/SSL_new_listener.pod
+++ b/doc/man3/SSL_new_listener.pod
@@ -163,6 +163,10 @@ Calling SSL_accept_connection() is an error and will return NULL.
 One or more outgoing connections under a listener can then be created using the call SSL_new_from_listener().
+To disable client address validation on a listener SSL object, the flag
+B may be passed in the flags field of both
+SSL_new_listener() and SSL_new_listener_from().
+
 The SSL_new_from_listener() creates a client connection under a given listener SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in conjunction with a listener which does accept incoming connections (i.e., which
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 232f5647813..e6e0c8407a8 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -2295,6 +2295,7 @@ __owur int SSL_is_connection(SSL *s);
 __owur int SSL_is_listener(SSL *ssl);
 __owur SSL *SSL_get0_listener(SSL *s);
 #define SSL_LISTENER_FLAG_NO_ACCEPT (1UL << 0)
+#define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1)
 __owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
 __owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
 __owur SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags);
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index ee360969998..e8b0888bcad 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4233,6 +4233,8 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
 port_args.channel_ctx = ctx;
 port_args.is_multi_conn = 1;
+ if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
+ port_args.do_addr_validation = 1;
 ql->port = ossl_quic_engine_create_port(ql->engine, &port_args);
 if (ql->port == NULL) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
@@ -4286,6 +4288,8 @@ SSL *ossl_quic_new_listener_from(SSL *ssl, uint64_t flags)
 port_args.channel_ctx = ssl->ctx;
 port_args.is_multi_conn = 1;
+ if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
+ port_args.do_addr_validation = 1;
 ql->port = ossl_quic_engine_create_port(ctx.qd->engine, &port_args);
 if (ql->port == NULL) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index 43c5417eba7..a17eeef096c 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -128,7 +128,7 @@ QUIC_TSERVER *ossl_quic_tserver_new(const QUIC_TSERVER_ARGS *args,
 port_args.channel_ctx = srv->ctx;
 port_args.is_multi_conn = 1;
-
+ port_args.do_addr_validation = 1;
 if ((srv->port = ossl_quic_engine_create_port(srv->engine, &port_args)) == NULL) goto err;
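Review bot: The new `SSL_LISTENER_FLAG_NO_VALIDATE` define in ssl.h.in carries no comment, so a reader of the header cannot tell what the listener stops doing when the bit is set; that is spelled out only in the pod change. Since the flag opts a listener out of checking that a client really controls the source address it claims, a one-line comment above the define would make the trade-off visible where the constant is picked up, e.g. `/* Skip client address validation on this QUIC listener; see SSL_new_listener(3) */`.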
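Review bot: In ossl_quic_new_listener the added lines assign `port_args.do_addr_validation` only on the validate path; if `port_args` is not zero-initialized earlier in the function (its declaration is outside this hunk), the field is left indeterminate whenever `SSL_LISTENER_FLAG_NO_VALIDATE` is set. Writing both outcomes explicitly removes that dependency and states the intent in one line, `port_args.do_addr_validation = (flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0;`. The identical pattern appears in the ossl_quic_new_listener_from hunk at @@ -4286 and should change the same way. Both enclosing functions start and end outside their hunks.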