From: Neil Horman
Date: Fri, 31 Jan 2025 13:02:34 +0000 (-0500)
Subject: Remove SSL_TOKEN_STORE_HANDLE type
X-Git-Tag: openssl-3.5.0-alpha1~224
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e732f4456afc67efe87fbebcc97a2c5e4cce1369;p=thirdparty%2Fopenssl.git

Remove SSL_TOKEN_STORE_HANDLE type

Replace it with SSL_TOKEN_STORE and make the structure opaque in the public api

Reviewed-by: Matt Caswell
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/26517)
---
diff --git a/doc/man3/SSL_CTX_get0_token_store.pod b/doc/man3/SSL_CTX_get0_token_store.pod
index 77858d64a7a..f80095fe9fa 100644
--- a/doc/man3/SSL_CTX_get0_token_store.pod
+++ b/doc/man3/SSL_CTX_get0_token_store.pod
@@ -7,8 +7,8 @@ SSL_CTX_get0_token_store, SSL_CTX_set1_token_store
 =head1 SYNOPSIS
- SSL_TOKEN_STORE_HANDLE *SSL_CTX_get0_token_store(SSL_CTX *ctx);
- int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl);
+ SSL_TOKEN_STORE *SSL_CTX_get0_token_store(SSL_CTX *ctx);
+ int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE *hdl);
 =head1 DESCRIPTION
 The QUIC protocol supports the exchange of opaque tokens which a client can use
@@ -52,7 +52,7 @@ The following code snippet shows how to share a token store between separate
 B objects
 SSL_CTX *ctx1, *ctx2;
- SSL_TOKEN_CACHE_HANDLE *tc;
+ SSL_TOKEN_CACHE *tc;
 /*
 * token stores are generally only used for quic client contexts
diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h
index bf0e079afb7..bd6477325c1 100644
--- a/include/internal/quic_ssl.h
+++ b/include/internal/quic_ssl.h
@@ -37,10 +37,10 @@ typedef struct quic_token_st {
 size_t token_len;
 } QUIC_TOKEN;
-SSL_TOKEN_STORE_HANDLE *ossl_quic_new_token_store(void);
-void ossl_quic_free_token_store(SSL_TOKEN_STORE_HANDLE *hdl);
-SSL_TOKEN_STORE_HANDLE *ossl_quic_get0_token_store(SSL_CTX *ctx);
-int ossl_quic_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl);
+SSL_TOKEN_STORE *ossl_quic_new_token_store(void);
+void ossl_quic_free_token_store(SSL_TOKEN_STORE *hdl);
+SSL_TOKEN_STORE *ossl_quic_get0_token_store(SSL_CTX *ctx);
+int ossl_quic_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE *hdl);
 int ossl_quic_set_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
 const uint8_t *token, size_t token_len);
 int ossl_quic_get_peer_token(SSL_CTX *ctx, BIO_ADDR *peer,
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index b337ef0f3d2..92098a3d189 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -2307,9 +2307,9 @@ __owur int SSL_set1_initial_peer_addr(SSL *s, const BIO_ADDR *peer_addr);
 __owur SSL *SSL_get0_connection(SSL *s);
 __owur int SSL_is_connection(SSL *s);
-typedef void SSL_TOKEN_STORE_HANDLE;
-__owur SSL_TOKEN_STORE_HANDLE *SSL_CTX_get0_token_store(SSL_CTX *ctx);
-__owur int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl);
+typedef struct ssl_token_store_st SSL_TOKEN_STORE;
+__owur SSL_TOKEN_STORE *SSL_CTX_get0_token_store(SSL_CTX *ctx);
+__owur int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE *hdl);
 __owur int SSL_is_listener(SSL *ssl);
 __owur SSL *SSL_get0_listener(SSL *s);
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index f2c3d44800b..47039d0f864 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4370,7 +4370,7 @@ err:
 SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
 {
 QCTX ctx;
- QUIC_CONNECTION *qc;
+ QUIC_CONNECTION *qc = NULL;
 QUIC_LISTENER *ql;
 SSL_CONNECTION *sc = NULL;
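Review bot: The public name introduced by the new `typedef struct ssl_token_store_st SSL_TOKEN_STORE;` does not match the name the man page example in this same commit uses: doc/man3/SSL_CTX_get0_token_store.pod now declares `SSL_TOKEN_CACHE *tc;`, and no such type exists in the header, so the documented sharing example cannot compile. The pod line should read `SSL_TOKEN_STORE *tc;`. It would also help a reader of ssl.h.in to have a one-line comment above the typedef stating that the structure is opaque and is only obtained and released through SSL_CTX_get0_token_store()/SSL_CTX_set1_token_store(), since the definition now lives in ssl/quic/quic_impl.c.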
@@ -4394,7 +4394,8 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
 * ctx as a client, so we should allocate one now
 */
 if (ssl->ctx->tokencache == NULL)
- ssl->ctx->tokencache = ossl_quic_new_token_store();
+ if ((ssl->ctx->tokencache = ossl_quic_new_token_store()) == NULL)
+ goto err;
 if ((qc = OPENSSL_zalloc(sizeof(*qc))) == NULL) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL);
@@ -4634,11 +4635,11 @@ err:
 DEFINE_LHASH_OF_EX(QUIC_TOKEN);
-typedef struct ssl_token_store_st {
+struct ssl_token_store_st {
 LHASH_OF(QUIC_TOKEN) *cache;
 CRYPTO_REF_COUNT references;
 CRYPTO_MUTEX *mutex;
-} SSL_TOKEN_STORE;
+};
 static uint64_t fnv1a_hash_token(uint8_t *key, size_t len)
 {
@@ -4664,7 +4665,7 @@ static int quic_token_cmp(const QUIC_TOKEN *a, const QUIC_TOKEN *b)
 return memcmp(a->hashkey, b->hashkey, a->hashkey_len);
 }
-SSL_TOKEN_STORE_HANDLE *ossl_quic_new_token_store(void)
+SSL_TOKEN_STORE *ossl_quic_new_token_store(void)
 {
 int ok = 0;
 SSL_TOKEN_STORE *newcache = OPENSSL_zalloc(sizeof(SSL_TOKEN_STORE));
@@ -4690,7 +4691,7 @@ out:
 ossl_quic_free_token_store(newcache);
 newcache = NULL;
 }
- return (SSL_TOKEN_STORE_HANDLE *)newcache;
+ return newcache;
 }
 static void free_this_token(QUIC_TOKEN *tok)
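Review bot: The new allocation-failure path in ossl_quic_new_from_listener jumps to `err` silently, whereas the OPENSSL_zalloc failure two lines below raises `QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL)`; unless ossl_quic_new_token_store() pushes an error itself (not visible in this diff), the caller sees a NULL return with an empty error queue. The added check is also an unbraced `if` nested directly inside another unbraced `if`, which is the shape that invites dangling-else and goto-fail mistakes on later edits. Folding the two conditions into one braced statement that raises the same error keeps the failure handling consistent with the line below. The enclosing function starts and ends outside this hunk.
```c
    if (ssl->ctx->tokencache == NULL
        && (ssl->ctx->tokencache = ossl_quic_new_token_store()) == NULL) {
        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL);
        goto err;
    }
    /* … unchanged: OPENSSL_zalloc of qc and the rest of the function … */
```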
@@ -4698,37 +4699,36 @@ static void free_this_token(QUIC_TOKEN *tok)
 ossl_quic_free_peer_token(tok);
 }
-void ossl_quic_free_token_store(SSL_TOKEN_STORE_HANDLE *hdl)
+void ossl_quic_free_token_store(SSL_TOKEN_STORE *hdl)
 {
 int refs;
- SSL_TOKEN_STORE *c = (SSL_TOKEN_STORE *)hdl;
- if (c == NULL)
+ if (hdl == NULL)
 return;
- if (!CRYPTO_DOWN_REF(&c->references, &refs))
+ if (!CRYPTO_DOWN_REF(&hdl->references, &refs))
 return;
 if (refs > 0)
 return;
 /* last reference, we can clean up */
- ossl_crypto_mutex_free(&c->mutex);
- lh_QUIC_TOKEN_doall(c->cache, free_this_token);
- lh_QUIC_TOKEN_free(c->cache);
- OPENSSL_free(c);
+ ossl_crypto_mutex_free(&hdl->mutex);
+ lh_QUIC_TOKEN_doall(hdl->cache, free_this_token);
+ lh_QUIC_TOKEN_free(hdl->cache);
+ OPENSSL_free(hdl);
 return;
 }
-SSL_TOKEN_STORE_HANDLE *ossl_quic_get0_token_store(SSL_CTX *ctx)
+SSL_TOKEN_STORE *ossl_quic_get0_token_store(SSL_CTX *ctx)
 {
 return ctx->tokencache;
 }
-int ossl_quic_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl)
+int ossl_quic_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE *hdl)
 {
 SSL_TOKEN_STORE *new = hdl;
- SSL_TOKEN_STORE_HANDLE *old = ctx->tokencache;
+ SSL_TOKEN_STORE *old = ctx->tokencache;
 int ref;
 if (!CRYPTO_UP_REF(&new->references, &ref))
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6a6af9ebf61..b179aad3824 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -7987,7 +7987,7 @@ SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags)
 #endif
 }
-SSL_TOKEN_STORE_HANDLE *SSL_CTX_get0_token_store(SSL_CTX *ctx)
+SSL_TOKEN_STORE *SSL_CTX_get0_token_store(SSL_CTX *ctx)
 {
 #ifndef OPENSSL_NO_QUIC
 return ossl_quic_get0_token_store(ctx);
@@ -7996,7 +7996,7 @@ SSL_TOKEN_STORE_HANDLE *SSL_CTX_get0_token_store(SSL_CTX *ctx)
 #endif
 }
-int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl)
+int SSL_CTX_set1_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE *hdl)
 {
 #ifndef OPENSSL_NO_QUIC
 return ossl_quic_set1_token_store(ctx, hdl);
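Review bot: In ossl_quic_set1_token_store the local `SSL_TOKEN_STORE *new = hdl;` existed only to cast away the old void handle; now that `hdl` is strongly typed it is a redundant alias (and `new` is a keyword in C++, which makes the line awkward to read), so the commit that removes the cast from ossl_quic_free_token_store should drop it here too. The following line, `if (!CRYPTO_UP_REF(&new->references, &ref))`, dereferences the argument without a NULL check, and the public wrapper SSL_CTX_set1_token_store() in ssl/ssl_lib.c passes `hdl` straight through, so a NULL from an application would fault here unless a guard exists beyond the hunk. Suggest replacing the alias with `if (hdl == NULL) return 0;` and using `&hdl->references` directly, mirroring the NULL guard the free function already has. The trailing bare `return;` at the end of ossl_quic_free_token_store is also redundant and can go. ossl_quic_set1_token_store continues past the end of this hunk.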
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index b466f1b5962..a8000882326 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1201,7 +1201,7 @@ struct ssl_ctx_st {
 # ifndef OPENSSL_NO_QUIC
 uint64_t domain_flags;
- SSL_TOKEN_STORE_HANDLE *tokencache;
+ SSL_TOKEN_STORE *tokencache;
 # endif
 # ifndef OPENSSL_NO_QLOG