From 0746d4628ecf5e6c990c320e255bb47fc274970e Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Tue, 3 Dec 2024 16:52:55 -0500
Subject: [PATCH] Add quic port flag to turn off address validation
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Give us the infrastrucute to skip addr validation on the server

Reviewed-by: Saša Nedvědický
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26114)
---
 include/internal/quic_port.h | 5 +++++
 ssl/quic/quic_port.c | 14 +++++++++-----
 ssl/quic/quic_port_local.h | 3 +++
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/include/internal/quic_port.h b/include/internal/quic_port.h
index 48a2ecfa09c..4229cc25be3 100644
--- a/include/internal/quic_port.h
+++ b/include/internal/quic_port.h
@@ -54,6 +54,11 @@ typedef struct quic_port_args_st {
 * for a single connection, so a zero-length local CID can be used.
 */
 int is_multi_conn;
+
+ /*
+ * if 1, this port should do server address validation
+ */
+ int do_addr_validation;
 } QUIC_PORT_ARGS;
 
 /* Only QUIC_ENGINE should use this function. */
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 073a4e8add4..c2b1bee7b48 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -84,6 +84,7 @@ QUIC_PORT *ossl_quic_port_new(const QUIC_PORT_ARGS *args)
 port->engine = args->engine;
 port->channel_ctx = args->channel_ctx;
 port->is_multi_conn = args->is_multi_conn;
+ port->validate_addr = args->do_addr_validation;
 
 if (!port_init(port)) {
 OPENSSL_free(port);
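Review bot: With `port->validate_addr = args->do_addr_validation;` in the ossl_quic_port_new hunk, a QUIC_PORT_ARGS that is zero-initialised now disables address validation, so any existing caller that does not set the new field silently loses the Retry/token check — a fail-open default for a security control, unless callers outside this diff are updated in the same series. Consider inverting the sense of the flag so that the zero value keeps validation on, or at least make the contract explicit in the quic_port.h comment: `/* Must be set to 1 to enable server address validation; 0 disables the Retry/token check for Initial packets reaching this port. */`. The args field is named do_addr_validation while the port field added in quic_port_local.h is validate_addr; using one name for the same setting makes the copy easier to audit.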
@@ -1196,11 +1197,14 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
 * states in TCP. If we reach certain threshold, then we want to
 * validate clients.
 */
- if (hdr.token == NULL) {
- port_send_retry(port, &e->peer, &hdr);
- goto undesirable;
- } else if (port_validate_token(&hdr, port, &e->peer, &odcid, &scid) != 1) {
- goto undesirable;
+ if (port->validate_addr == 1) {
+ if (hdr.token == NULL) {
+ port_send_retry(port, &e->peer, &hdr);
+ goto undesirable;
+ } else if (port_validate_token(&hdr, port, &e->peer,
+ &odcid, &scid) == 0) {
+ goto undesirable;
+ }
 }
 
 port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
diff --git a/ssl/quic/quic_port_local.h b/ssl/quic/quic_port_local.h
index 0b954d6d1cc..a60ad00dd3d 100644
--- a/ssl/quic/quic_port_local.h
+++ b/ssl/quic/quic_port_local.h
@@ -92,6 +92,9 @@ struct quic_port_st {
 /* Is this port created to support multiple connections? */
 unsigned int is_multi_conn : 1;
 
+ /* Is this port doing server address validation */
+ unsigned int validate_addr : 1;
+
 /* Has this port sent any packet of any kind yet? */
 unsigned int have_sent_any_pkt : 1;
 
-- 
2.47.2
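Review bot: When validate_addr is 0 the new outer `if` skips both inner branches, but `port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,` on the following context line still consumes `odcid` and `scid`, which as far as this hunk shows are only populated by port_validate_token; unless they are initialised above the hunk, the no-validation path binds a channel with stale or indeterminate connection IDs. An else branch that derives them from the incoming Initial packet (presumably the header's DCID and SCID — confirm against what port_validate_token writes into them) is needed for the skip path to be well-defined. Separately, the token check was changed from `!= 1` to `== 0`; if port_validate_token can return any value other than 0 or 1 the new form fails open, so `!= 1` is the safer comparison for a validation result, and `if (port->validate_addr)` reads better than `== 1` for a one-bit field. port_default_packet_handler starts and ends outside the hunk.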
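Review bot: The comment on the new `validate_addr` bit in quic_port_local.h says what the flag is for but not what the cleared state means for the port, and zero is the state a port gets when nothing sets it; state it explicitly: `/* Is this port doing server address validation? If 0, Initial packets are bound to a channel without a Retry/token exchange. */`. Matching the name used in QUIC_PORT_ARGS (do_addr_validation) would also make it obvious the two fields carry the same setting.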