From: Neil Horman Date: Tue, 28 Jan 2025 14:41:52 +0000 (-0500) Subject: Review fixups X-Git-Tag: openssl-3.5.0-alpha1~227 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8148315ca6d44157afc882460e17cc9d9c3ffe2;p=thirdparty%2Fopenssl.git Review fixups Reviewed-by: Matt Caswell Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26517) --- diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h index 812d1ad38e6..95b837da5cb 100644 --- a/include/internal/quic_ssl.h +++ b/include/internal/quic_ssl.h @@ -30,8 +30,8 @@ SSL_TOKEN_STORE_HANDLE *ossl_quic_new_token_store(void); void ossl_quic_free_token_store(SSL_TOKEN_STORE_HANDLE *hdl); SSL_TOKEN_STORE_HANDLE *ossl_quic_get_token_store(SSL_CTX *ctx); int ossl_quic_set_token_store(SSL_CTX *ctx, SSL_TOKEN_STORE_HANDLE *hdl); -int ossl_quic_update_peer_token(SSL_CTX *ctx, BIO_ADDR *peer, - const uint8_t *token, size_t token_len); +int ossl_quic_set_peer_token(SSL_CTX *ctx, BIO_ADDR *peer, + const uint8_t *token, size_t token_len); int ossl_quic_get_peer_token(SSL_CTX *ctx, BIO_ADDR *peer, uint8_t **token, size_t *token_len, QTOK **token_free_ptr); diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 7e271bd5b33..a180f1ce8de 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c 
@@ -2819,16 +2819,17 @@ int ossl_quic_channel_start(QUIC_CHANNEL *ch) /* * Look to see if we have a token, and if so, set it on the packetiser */ - if (!ch->is_server && ossl_quic_get_peer_token(ch->port->channel_ctx, - &ch->cur_peer_addr, - &token, &token_len, - &token_ptr)) { - if (!ossl_quic_tx_packetiser_set_initial_token(ch->txp, token, - token_len, - free_peer_token, - token_ptr)) - free_peer_token(NULL, 0, token_ptr); - } + if (!ch->is_server + && ossl_quic_get_peer_token(ch->port->channel_ctx, + &ch->cur_peer_addr, + &token, &token_len, + &token_ptr) + && !ossl_quic_tx_packetiser_set_initial_token(ch->txp, token, + token_len, + free_peer_token, + token_ptr)) + free_peer_token(NULL, 0, token_ptr); + /* Plug in secrets for the Initial EL. */ if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx, ch->port->engine->propq, diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 7810335430b..5915c25fa5b 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -4790,6 +4790,9 @@ static QUIC_TOKEN *ossl_quic_build_new_token(BIO_ADDR *peer, uint8_t *token, unsigned short *portptr; uint8_t *addrptr; + if ((token != NULL && token_len == 0) || (token == NULL && token_len != 0)) + return NULL; + if (!BIO_ADDR_rawaddress(peer, NULL, &addr_len)) return NULL; family = BIO_ADDR_family(peer); @@ -4828,8 +4831,8 @@ static QUIC_TOKEN *ossl_quic_build_new_token(BIO_ADDR *peer, uint8_t *token, return new_token; } -int ossl_quic_update_peer_token(SSL_CTX *ctx, BIO_ADDR *peer, - const uint8_t *token, size_t token_len) +int ossl_quic_set_peer_token(SSL_CTX *ctx, BIO_ADDR *peer, + const uint8_t *token, size_t token_len) { SSL_TOKEN_STORE *c = ctx->tokencache; QUIC_TOKEN *tok, *old = NULL; diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c index ff3c327758c..6cc2c264467 100644 --- a/ssl/quic/quic_port.c +++ b/ssl/quic/quic_port.c 
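Review bot: The folded condition in ossl_quic_channel_start leaves the ownership of `token_ptr` undocumented at the one place where it is released by hand. The arguments suggest that a successful `ossl_quic_tx_packetiser_set_initial_token()` hands the reference to the packetiser, which later releases it through the `free_peer_token` callback, but that is only implied. I would add a comment above the call such as `/* the packetiser did not take the token reference, so drop it here */`. A failure to set the token is otherwise ignored and the handshake presumably continues without one, which the existing comment could also state. The function body starts and ends outside the hunk.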
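Review bot: The new guard in ossl_quic_build_new_token rejects a mismatched pointer/length pair but still admits `token == NULL` with `token_len == 0`. If that combination is intended (the callers are not in this hunk), a comment should say so. The copy further down the function, outside the hunk, should then be skipped for a NULL source, because `memcpy` with a null pointer is undefined even for length 0. The test reads more directly as `if ((token == NULL) != (token_len == 0)) return NULL;`. No upper bound on `token_len` is visible here, so the allocation-size arithmetic later in the function is worth checking for overflow, since the token bytes originate from the peer.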
@@ -1354,7 +1354,7 @@ static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port, * * If however, we validated a NEW_TOKEN, which may be * reused multiple times, only send a NEW_TOKEN frame - * if the existing received token has 10% of its lifetime + * if the existing received token has less than 10% of its lifetime * remaining. This prevents us from constantly sending * NEW_TOKEN frames on every connection when not needed */ @@ -1410,6 +1410,7 @@ static void generate_new_token(QUIC_CHANNEL *ch, BIO_ADDR *peer) &ct_len) || !ossl_assert(ct_len >= QUIC_RETRY_INTEGRITY_TAG_LEN)) { OPENSSL_free(ct_buf); + cleanup_validation_token(&token); return; } 
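Review bot: The failure branch in generate_new_token now releases two resources by hand, `OPENSSL_free(ct_buf);` and `cleanup_validation_token(&token);`, and the same leak returns as soon as another early `return` is added. A single `err:` label that performs both releases, reached with `goto err;`, would keep every exit path consistent. The rest of the function lies outside the hunk, so whether the other return paths already clean up `token` cannot be confirmed from here.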
@@ -1532,24 +1533,24 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, * a NEW_TOKEN frame during a prior connection, which we should still * validate here */ - if (hdr.token != NULL) { - if (port_validate_token(&hdr, port, &e->peer, - &odcid, &scid, &gen_new_token) == 0) { - /* - * RFC 9000 s 8.1.3 - * When a server receives an Initial packet with an address - * validation token, it MUST attempt to validate the token, - * unless it has already completed address validation. - * If the token is invalid, then the server SHOULD proceed as - * if the client did not have a validated address, - * including potentially sending a Retry packet - * Note: If address validation is disabled, just act like - * The request is valid - */ - if (port->validate_addr == 1) { - port_send_retry(port, &e->peer, &hdr); - goto undesirable; - } + if (hdr.token != NULL + && port_validate_token(&hdr, port, &e->peer, + &odcid, &scid, + &gen_new_token) == 0) { + /* + * RFC 9000 s 8.1.3 + * When a server receives an Initial packet with an address + * validation token, it MUST attempt to validate the token, + * unless it has already completed address validation. + * If the token is invalid, then the server SHOULD proceed as + * if the client did not have a validated address, + * including potentially sending a Retry packet + * Note: If address validation is disabled, just act like + * the request is valid + */ + if (port->validate_addr == 1) { + port_send_retry(port, &e->peer, &hdr); + goto undesirable; } } diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c index 49c3ea21c77..d96a2b29522 100644 --- a/ssl/quic/quic_rx_depack.c +++ b/ssl/quic/quic_rx_depack.c 
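Review bot: When `port_validate_token()` returns 0 and `port->validate_addr` is not 1, control falls out of this block in port_default_packet_handler and continues with `odcid`, `scid` and `gen_new_token` in whatever state the failed call left them. The hunk does not show whether port_validate_token leaves its out-parameters untouched on failure. That contract should be stated in the block comment, for example `Note: on failure odcid, scid and gen_new_token are left unmodified`, once confirmed against the callee. If it does not hold, the values should be reset before the fall-through, so that fields parsed from a rejected token are not used when binding the channel. The handler body continues outside the hunk.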
@@ -351,8 +351,8 @@ static int depack_do_frame_new_token(PACKET *pkt, QUIC_CHANNEL *ch, } /* store the new token in our token cache */ - if (!ossl_quic_update_peer_token(ossl_quic_port_get_channel_ctx(ch->port), - &ch->cur_peer_addr, token, token_len)) + if (!ossl_quic_set_peer_token(ossl_quic_port_get_channel_ctx(ch->port), + &ch->cur_peer_addr, token, token_len)) return 0; return 1;