From: Neil Horman
Date: Fri, 11 Apr 2025 18:52:42 +0000 (-0400)
Subject: Add flag to determine how quic accepts connections
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c6eb7383702638c89b71884551eb1f990b6886a5;p=thirdparty%2Fopenssl.git

Add flag to determine how quic accepts connections

The flag defaults to 0 (unknown), and gets set to 1 (using SSL_accept_ex), or -1 (using SSL_accpet_connection)

Reviewed-by: Saša Nedvědický
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/27397)
---
diff --git a/include/internal/quic_port.h b/include/internal/quic_port.h
index 6a4dde81da9..bf8edda1ae8 100644
--- a/include/internal/quic_port.h
+++ b/include/internal/quic_port.h
@@ -159,6 +159,11 @@ size_t ossl_quic_port_get_num_incoming_channels(const QUIC_PORT *port);
 /* Sets if incoming connections should currently be allowed. */
 void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming);
 
+/* Sets flag to indicate we are using SSL_listen_ex to get connections */
+void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff);
+
+int ossl_quic_port_get_using_peeloff(QUIC_PORT *port);
+
 /* Returns 1 if we are using addressed mode on the read side. */
 int ossl_quic_port_is_addressed_r(const QUIC_PORT *port);
 
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 51cabf3fd90..c141fa70527 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4643,12 +4643,21 @@ int ossl_quic_peeloff_conn(SSL *listener, SSL *new_conn)
         return 0;
 
     qctx_lock_for_io(&lctx);
+    if (ossl_quic_port_get_using_peeloff(lctx.ql->port) == -1) {
+        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
+                                    "This listener is using SSL_accept_connection");
+        ret = -1;
+        goto out;
+    }
+
+    ossl_quic_port_set_using_peeloff(lctx.ql->port, 1);
     new_ch = ossl_quic_port_pop_incoming(lctx.ql->port);
     if (new_ch != NULL) {
         /*
          * Do our cloning work here
          */
     }
+out:
     qctx_unlock(&lctx);
     return ret;
 }
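Review bot: The new getter `ossl_quic_port_get_using_peeloff` takes a non-const `QUIC_PORT *` although it only reads the flag, while the neighbouring read-only accessors in this header (`ossl_quic_port_get_num_incoming_channels`, `ossl_quic_port_is_addressed_r`) take `const QUIC_PORT *`; the declaration should be `int ossl_quic_port_get_using_peeloff(const QUIC_PORT *port);` with the matching change to the definition in the quic_port.c hunk of this commit. The getter is also the only declaration in this region without a comment, and the tri-state it returns is not stated anywhere in the header; I would add `/* Returns 1 if connections are peeled off via SSL_accept_ex, -1 if SSL_accept_connection is used, 0 if not yet decided. */` above it. The setter's comment names SSL_listen_ex whereas the commit message and the error string in quic_impl.c name SSL_accept_ex; I cannot tell from the hunk which is the real entry point, but the comment and the message should agree.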
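Review bot: The new rejection branch in ossl_quic_peeloff_conn sets `ret = -1` before jumping to `out`, but the early exit visible just above it returns 0, so the function now signals failure with two different values; a caller that tests `if (ossl_quic_peeloff_conn(...) == 0)` (I cannot see the callers from here) would treat the mode-mismatch error as success. Either make the branch consistent with the existing path, `ret = 0;`, or document at the function header that -1 specifically means "listener is in SSL_accept_connection mode". The function body and the initialisation of `ret` begin before this hunk, so the initial value is not visible here.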
@@ -4689,6 +4698,14 @@ SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags)
     if (!ql_listen(ctx.ql))
         goto out;
 
+    if (ossl_quic_get_using_peeloff(ctx.ql->port) == 1) {
+        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
+                                    "This listener is using SSL_accept_ex");
+        goto out;
+    }
+
+    ossl_quic_set_using_peeloff(ctx.ql->port, -1);
+
     /* Wait for an incoming connection if needed. */
     new_ch = ossl_quic_port_pop_incoming(ctx.ql->port);
     if (new_ch == NULL && ossl_quic_port_is_running(ctx.ql->port)) {
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 1fc05092137..8264699f872 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -648,6 +648,16 @@ void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming)
     port->allow_incoming = allow_incoming;
 }
 
+void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff)
+{
+    port->using_peeloff = using_peeloff;
+}
+
+int ossl_quic_port_get_using_peeloff(QUIC_PORT *port)
+{
+    return port->using_peeloff;
+}
+
 /*
  * QUIC Port: Ticker-Mutator
  * =========================
diff --git a/ssl/quic/quic_port_local.h b/ssl/quic/quic_port_local.h
index e36272a94d6..39a9094e2cf 100644
--- a/ssl/quic/quic_port_local.h
+++ b/ssl/quic/quic_port_local.h
@@ -114,6 +114,9 @@ struct quic_port_st {
     /* Has the BIO been changed since we last updated reactor pollability? */
     unsigned int bio_changed : 1;
 
+    /* Are we using SSL_listen_ex to peeloff connections */
+    unsigned int using_peeloff;
+
     /* AES-256 GCM context for token encryption */
     EVP_CIPHER_CTX *token_ctx;
 };
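Review bot: The new code in ossl_quic_accept_connection calls `ossl_quic_get_using_peeloff` and `ossl_quic_set_using_peeloff`, but the functions this commit declares in quic_port.h and defines in quic_port.c are `ossl_quic_port_get_using_peeloff` and `ossl_quic_port_set_using_peeloff`; as written these are undeclared identifiers, so the translation unit should fail to compile (or, with a compiler that still tolerates implicit declarations, fail to link). The two lines should read `if (ossl_quic_port_get_using_peeloff(ctx.ql->port) == 1) {` and `ossl_quic_port_set_using_peeloff(ctx.ql->port, -1);`. The enclosing function continues past the end of the hunk, so I cannot confirm whether `out` releases the lock that is presumably held here.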
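Review bot: `using_peeloff` is declared `unsigned int` in quic_port_local.h, yet the commit stores -1 in it from quic_impl.c and the getter in quic_port.c compares the value against -1; the round trip through the `int`-returning getter makes this behave on common implementations, but the type contradicts the 0/1/-1 encoding described in the commit message and invites a future direct `port->using_peeloff == -1` comparison that would silently never match. The field should be `int using_peeloff;`. The comment also refers to SSL_listen_ex while the rest of the commit refers to SSL_accept_ex; I would write it as `/* 0 = undecided, 1 = SSL_accept_ex (peel-off), -1 = SSL_accept_connection */` so the encoding is documented where the field lives.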