From: Matt Caswell Date: Tue, 18 Mar 2025 14:36:28 +0000 (+0000) Subject: Fix the use of CCM ciphersuites with QUIC TLS API X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=207cd5bb975f1cda542757b9695ac4e5bdb71576;p=thirdparty%2Fopenssl.git Fix the use of CCM ciphersuites with QUIC TLS API Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091)
---
diff --git a/include/internal/ssl.h b/include/internal/ssl.h
index 8a0c7974967..622be7ec69a 100644
--- a/include/internal/ssl.h
+++ b/include/internal/ssl.h
@@ -20,5 +20,7 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err);
 /* Set if this is the QUIC handshake layer */
 # define TLS1_FLAGS_QUIC 0x2000
+/* Set if this is our QUIC handshake layer */
+# define TLS1_FLAGS_QUIC_INTERNAL 0x4000
 #endif
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 4f076c6c9df..05373a8d60d 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -308,6 +308,7 @@ extern "C" {
 # define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
 /* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */
+/* 0x4000 is reserved for TLS1_FLAGS_QUIC_INTERNAL (internal) */
 # define SSL3_MT_HELLO_REQUEST 0
 # define SSL3_MT_CLIENT_HELLO 1
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 5fa422473d4..4e9b63b046d 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -583,7 +583,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
 }
 /* override the user_ssl of the inner connection */
- sc->s3.flags |= TLS1_FLAGS_QUIC;
+ sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 /* Restrict options derived from the SSL_CTX. */
 sc->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
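Review bot: The two flag comments in the include/internal/ssl.h hunk differ only by "the" versus "our", which does not tell a reader when TLS1_FLAGS_QUIC is set without TLS1_FLAGS_QUIC_INTERNAL. I would spell the distinction out on the new define, for example `/* Set if the handshake layer belongs to OpenSSL's own QUIC stack, not to a QUIC TLS API user */`, and put a matching one-line comment on `SSL_IS_QUIC_INT_HANDSHAKE` in the ssl/ssl_local.h hunk. Picking the wrong macro silently changes which QUIC-specific checks apply, as ssl_cipher_disabled() in this commit shows. That reading of the two flags is inferred from the commit title and the call sites, so the wording should be confirmed by the author.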
@@ -4436,7 +4436,7 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
 goto err;
 }
- sc->s3.flags |= TLS1_FLAGS_QUIC;
+ sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 qc->default_ssl_options = OSSL_QUIC_PERMITTED_OPTIONS;
 qc->last_error = SSL_ERROR_NONE;
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 9ab350fb762..9097f56aa1c 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -490,7 +490,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
 }
 /* Override the user_ssl of the inner connection. */
- tls_conn->s3.flags |= TLS1_FLAGS_QUIC;
+ tls_conn->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 /* Restrict options derived from the SSL_CTX. */
 tls_conn->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c
index dba1ec338fb..d31c93dcf9b 100644
--- a/ssl/quic/quic_tls.c
+++ b/ssl/quic/quic_tls.c
@@ -802,6 +802,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
 if (!ossl_quic_tls_configure(qtls))
 return RAISE_INTERNAL_ERROR(qtls);
+ sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
+
 if (qtls->args.is_server)
 SSL_set_accept_state(qtls->args.s);
 else
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 08b40420109..22095fbf232 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3498,7 +3498,7 @@ int ssl3_clear(SSL *s)
 * NULL/zero-out everything in the s3 struct, but remember if we are doing
 * QUIC.
 */
- flags = sc->s3.flags & TLS1_FLAGS_QUIC;
+ flags = sc->s3.flags & (TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL);
 memset(&sc->s3, 0, sizeof(sc->s3));
 sc->s3.flags |= flags;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 81b94ad1c2a..3a7c8098817 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
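Review bot: The `sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;` added in ossl_quic_tls_tick() carries no comment, although the same flag is already set at the three creation sites touched by this commit and kept across ssl3_clear(). If some caller reaches this point with an SSL that did not come from those paths, say so in a comment such as `/* QUIC_TLS can be driven on an SSL not created by ossl_quic_new*(); mark it as internal here */`; if no such caller exists, the line looks redundant. It sets only the INTERNAL bit, so it still relies on TLS1_FLAGS_QUIC being set elsewhere. The declaration of `sc` and the rest of the function are outside the hunk.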
@@ -315,6 +315,7 @@
 # define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
 # define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)
+# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0)
 /* no end of early data */
 # define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8f5f9b4c4bd..a201a71cf36 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2874,7 +2874,7 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
 if (s->s3.tmp.max_ver == 0)
 return 1;
- if (SSL_IS_QUIC_HANDSHAKE(s))
+ if (SSL_IS_QUIC_INT_HANDSHAKE(s))
 /* For QUIC, only allow these ciphersuites. */
 switch (SSL_CIPHER_get_id(c)) {
 case TLS1_3_CK_AES_128_GCM_SHA256:
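Review bot: Narrowing the guard to `SSL_IS_QUIC_INT_HANDSHAKE(s)` in ssl_cipher_disabled() means a handshake layer with only TLS1_FLAGS_QUIC set no longer passes through any QUIC ciphersuite filter in this hunk, so TLS_AES_128_CCM_8_SHA256 is not rejected here even though RFC 9001 section 5.3 excludes it from QUIC. Unless a check outside the hunk covers it (the function body continues past the last visible line), add ahead of the allowlist something like `if (SSL_IS_QUIC_HANDSHAKE(s) && SSL_CIPHER_get_id(c) == TLS1_3_CK_AES_128_CCM_8_SHA256) return 1;`. The retained comment should also change to `/* For our own QUIC stack, only allow these ciphersuites. */`, since it no longer describes every QUIC handshake.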