From 3f06ebcfe39ea2d386061d264fa094eff4d533f3 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 29 Jan 2025 14:38:45 -0500 Subject: [PATCH] Eliminate SSL_LISTENER_FLAG_NO_ACCEPT flag in QUIC MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit We've not implemented it yet, and don't need it for MVP, so move the TODO's to QUIC FUTURE and remove the docs for it. Fixes openssl/project#1074 Reviewed-by: Matt Caswell Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26593) --- doc/man3/SSL_new_listener.pod | 24 ++++-------------------- include/openssl/ssl.h.in | 1 - ssl/quic/quic_impl.c | 11 +++++++++-- 3 files changed, 13 insertions(+), 23 deletions(-) diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod index 3a500c46dcd..de230f92e59 100644 --- a/doc/man3/SSL_new_listener.pod +++ b/doc/man3/SSL_new_listener.pod @@ -5,7 +5,7 @@ SSL_new_listener, SSL_new_listener_from, SSL_is_listener, SSL_get0_listener, SSL_listen, SSL_accept_connection, SSL_get_accept_connection_queue_len, -SSL_new_from_listener, SSL_LISTENER_FLAG_NO_ACCEPT, +SSL_new_from_listener, SSL_ACCEPT_CONNECTION_NO_BLOCK - SSL object interface for abstracted connection acceptance @@ -13,7 +13,6 @@ acceptance #include - #define SSL_LISTENER_FLAG_NO_ACCEPT SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags); SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags); 
@@ -158,13 +157,6 @@ circumstances where it is desirable for multiple connections to share the same underlying network resources. For example, multiple outgoing QUIC client connections could be made to use the same underlying UDP socket. -To use client-only mode, pass the flag B when -calling SSL_new_listener(). In this mode, SSL_listen() still begins the process -of handling network resources, but incoming connections are never accepted. -Calling SSL_accept_connection() is an error and will return NULL. One or more -outgoing connections under a listener can then be created using the call -SSL_new_from_listener(). - To disable client address validation on a listener SSL object, the flag B may be passed in the flags field of both SSL_new_listener() and SSL_new_listener_from(). Note that this flag only @@ -177,21 +169,13 @@ numbers of connections and never transact data on them (roughly equivalent to a TCP syn flood attack), which address validation mitigates. The SSL_new_from_listener() creates a client connection under a given listener -SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in -conjunction with a listener which does accept incoming connections (i.e., which -was not created using B), leading to a UDP network -endpoint which has both incoming and outgoing connections. +SSL object. For QUIC, it is also possible to use SSL_new_from_listener(), +leading to a UDP network endpoint which has both incoming and outgoing' +connections. The I argument of SSL_new_from_listener() is reserved and must be set to 0. -Creating a listener using a B which uses a client-oriented -B such as L or -L automatically implies the -B flag. The B flag may -optionally also be specified in this case but is ignored. This is an alternative -way of using the listener functionality in client-only mode. - =head1 RETURN VALUES SSL_new_listener() and SSL_new_listener_from() return a new listener SSL object 
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index c62b9497730..e25899f627b 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -2309,7 +2309,6 @@ __owur int SSL_is_connection(SSL *s); __owur int SSL_is_listener(SSL *ssl); __owur SSL *SSL_get0_listener(SSL *s); -#define SSL_LISTENER_FLAG_NO_ACCEPT (1UL << 0) #define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1) __owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags); __owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags); diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index d37ddc39c56..4288788d422 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -4269,7 +4269,7 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags) goto err; } - /* TODO(QUIC SERVER): Implement SSL_LISTENER_FLAG_NO_ACCEPT */ + /* TODO(QUIC FUTURE): Implement SSL_LISTENER_FLAG_NO_ACCEPT */ ossl_quic_port_set_allow_incoming(ql->port, 1); @@ -4332,7 +4332,14 @@ SSL *ossl_quic_new_listener_from(SSL *ssl, uint64_t flags) ql->mutex = ctx.qd->mutex; #endif - /* TODO(QUIC SERVER): Implement SSL_LISTENER_FLAG_NO_ACCEPT */ + /* + * TODO(QUIC FUTURE): Implement SSL_LISTENER_FLAG_NO_ACCEPT + * Given that we have apis to create client SSL objects from + * server SSL objects (see SSL_new_from_listener), we have aspirations + * to enable a flag that allows for the creation of the latter, but not + * be used to do accept any connections. This is a placeholder for the + * implementation of that flag + */ ossl_quic_port_set_allow_incoming(ql->port, 1); -- 2.47.2
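Review bot: Both rewritten comments in ssl/quic/quic_impl.c still name `SSL_LISTENER_FLAG_NO_ACCEPT`, which this same commit deletes from include/openssl/ssl.h.in, and the `ossl_quic_port_set_allow_incoming(ql->port, 1)` call that follows each comment remains unconditional, so nothing visible in these hunks rejects bit 0 of `flags` now that it is unassigned; a caller that still passes `(1UL << 0)` expecting a client-only listener would silently get one that accepts incoming connections. Unless ossl_quic_new_listener() and ossl_quic_new_listener_from() already validate `flags` earlier in their bodies (both start before their hunk and continue past it, so I cannot tell from here), I would reject unknown bits at the point where the flags are consumed, e.g. `if ((flags & ~SSL_LISTENER_FLAG_NO_VALIDATE) != 0) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); goto err; }`, so that the reserved bit fails loudly until the feature exists. I would also reword the second comment to say that the macro no longer exists, e.g. `/* TODO(QUIC FUTURE): add a "no accept" listener flag (the former SSL_LISTENER_FLAG_NO_ACCEPT, removed from ssl.h.in) ... */`, and fix the grammar of `but not be used to do accept any connections` to `but cannot itself accept any connections`.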