From: Hugo Landau Date: Wed, 24 Apr 2024 09:24:45 +0000 (+0100) Subject: QUIC APL: Add support for configuring domain flags X-Git-Tag: openssl-3.5.0-alpha1~384 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50c779626757070653ceda70b7f18caa8257c989;p=thirdparty%2Fopenssl.git QUIC APL: Add support for configuring domain flags Reviewed-by: Matt Caswell Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/24971) --- diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h index ab91d0a49d6..fac069fe535 100644 --- a/include/internal/quic_ssl.h +++ b/include/internal/quic_ssl.h @@ -79,6 +79,7 @@ __owur SSL *ossl_quic_conn_stream_new(SSL *s, uint64_t flags); __owur SSL *ossl_quic_get0_connection(SSL *s); __owur SSL *ossl_quic_get0_listener(SSL *s); __owur SSL *ossl_quic_get0_domain(SSL *s); +__owur int ossl_quic_get_domain_flags(const SSL *s, uint64_t *domain_flags); __owur int ossl_quic_get_stream_type(SSL *s); __owur uint64_t ossl_quic_get_stream_id(SSL *s); __owur int ossl_quic_is_stream_local(SSL *s); diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 7a62e3af3cf..72731ea7a5a 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -2317,6 +2317,16 @@ __owur int SSL_is_domain(SSL *s); __owur SSL *SSL_get0_domain(SSL *s); __owur SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags); +#define SSL_DOMAIN_FLAG_SINGLE_THREAD (1U << 0) +#define SSL_DOMAIN_FLAG_MULTI_THREAD (1U << 1) +#define SSL_DOMAIN_FLAG_THREAD_ASSISTED (1U << 2) +#define SSL_DOMAIN_FLAG_BLOCKING (1U << 3) +#define SSL_DOMAIN_FLAG_LEGACY_BLOCKING (1U << 4) + +__owur int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags); +__owur int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags); +__owur int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags); + #define SSL_STREAM_TYPE_NONE 0 #define SSL_STREAM_TYPE_READ (1U << 0) #define SSL_STREAM_TYPE_WRITE (1U << 1) 
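Review bot: The five SSL_DOMAIN_FLAG_* macros and the three new prototypes in the ssl.h.in hunk are added without a comment on what they configure, and the implementation in ssl_lib.c makes SSL_CTX_set_domain_flags and SSL_CTX_get_domain_flags fail with ERR_R_UNSUPPORTED on a non-QUIC SSL_CTX, which a reader of the public header cannot tell; a line such as `/* SSL_DOMAIN_FLAG_*: per-domain configuration for QUIC; only accepted on QUIC SSL_CTXs, see SSL_CTX_set_domain_flags() */` above the block would say so. The macros are `(1U << n)` while the parameters are uint64_t, which matches the neighbouring SSL_STREAM_TYPE_* definitions and is fine as written.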
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index fb71192ad65..6820b2d7f53 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -3248,12 +3248,29 @@ SSL *ossl_quic_get0_domain(SSL *s) { QCTX ctx; - if (!expect_quic_csld(s, &ctx)) + if (!expect_quic_any(s, &ctx)) return NULL; return ctx.qd != NULL ? &ctx.qd->obj.ssl : NULL; } +/* + * SSL_get_domain_flags + * -------------------- + */ +int ossl_quic_get_domain_flags(const SSL *ssl, uint64_t *domain_flags) +{ + QCTX ctx; + + if (!expect_quic_any(ssl, &ctx)) + return 0; + + if (domain_flags != NULL) + *domain_flags = ctx.obj->domain_flags; + + return 1; +} + /* * SSL_get_stream_type * ------------------- diff --git a/ssl/quic/quic_obj.c b/ssl/quic/quic_obj.c index 85b43924387..b2c4add2a56 100644 --- a/ssl/quic/quic_obj.c +++ b/ssl/quic/quic_obj.c @@ -34,6 +34,7 @@ int ossl_quic_obj_init(QUIC_OBJ *obj, if (!ossl_ssl_init(&obj->ssl, ctx, ctx->method, type)) goto err; + obj->domain_flags = ctx->domain_flags; obj->parent_obj = (QUIC_OBJ *)parent_obj; obj->is_event_leader = is_event_leader; obj->is_port_leader = is_port_leader; diff --git a/ssl/quic/quic_obj_local.h b/ssl/quic/quic_obj_local.h index b7216165fb7..bf81b24a248 100644 --- a/ssl/quic/quic_obj_local.h +++ b/ssl/quic/quic_obj_local.h @@ -100,6 +100,9 @@ struct quic_obj_st { */ QUIC_PORT *port; + /* SSL_DOMAIN_FLAG values taken from SSL_CTX at construction time. */ + uint64_t domain_flags; + unsigned int init_done : 1; unsigned int is_event_leader : 1; unsigned int is_port_leader : 1; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 346dc2c8665..4d73387dec4 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
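Review bot: `obj->domain_flags = ctx->domain_flags;` in the quic_obj.c hunk snapshots the SSL_CTX value separately for every QUIC_OBJ, and ossl_quic_get_domain_flags in the quic_impl.c hunk then reports `ctx.obj->domain_flags` of whichever object it is handed; if SSL_CTX_set_domain_flags is called after a domain or connection exists but before its children are created, objects within one domain will report different flags. If the flags are meant to be a property of the domain, as the name suggests, a child should presumably inherit from its parent rather than re-read the SSL_CTX, e.g. `obj->domain_flags = parent_obj != NULL ? ((const QUIC_OBJ *)parent_obj)->domain_flags : ctx->domain_flags;` — the cast mirrors the one on the following `obj->parent_obj` line, since parent_obj's declared type is outside the hunk. If the per-object snapshot is intentional, the comment on the new field in quic_obj_local.h should say that later SSL_CTX_set_domain_flags calls do not affect existing objects. The body of ossl_quic_obj_init continues outside the hunk in both directions.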
@@ -4213,6 +4213,27 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, /* By default we send two session tickets automatically in TLSv1.3 */ ret->num_tickets = 2; +# ifndef OPENSSL_NO_QUIC + ret->domain_flags = 0; + if (IS_QUIC_METHOD(meth)) { +# if defined(OPENSSL_THREADS) + if (meth == OSSL_QUIC_client_thread_method()) + ret->domain_flags + = SSL_DOMAIN_FLAG_MULTI_THREAD + | SSL_DOMAIN_FLAG_THREAD_ASSISTED + | SSL_DOMAIN_FLAG_BLOCKING; + else + ret->domain_flags + = SSL_DOMAIN_FLAG_MULTI_THREAD + | SSL_DOMAIN_FLAG_LEGACY_BLOCKING; +# else + ret->domain_flags + = SSL_DOMAIN_FLAG_SINGLE_THREAD + | SSL_DOMAIN_FLAG_LEGACY_BLOCKING; +# endif + } +# endif + if (!ssl_ctx_system_config(ret)) { ERR_raise(ERR_LIB_SSL, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG); goto err; 
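Review bot: The default-selection logic inserted after `ret->num_tickets = 2;` nests two preprocessor conditionals and a three-way assignment inside SSL_CTX_new_ex, whose body starts and ends outside this hunk; moving the choice into a small file-scope helper keeps the constructor readable and gives the policy a single documented home. The mapping itself (thread-assisted client method → MULTI_THREAD|THREAD_ASSISTED|BLOCKING, any other QUIC method → MULTI_THREAD|LEGACY_BLOCKING, no-threads build → SINGLE_THREAD|LEGACY_BLOCKING) is preserved below, and `ret->domain_flags` is still explicitly 0 for non-QUIC methods as in the hunk. That `meth` is a `const SSL_METHOD *` is inferred from the SSL_CTX_new_ex prototype, which is not in the hunk.
```c
#ifndef OPENSSL_NO_QUIC
/* Default SSL_DOMAIN_FLAG_* value for a QUIC SSL_CTX, chosen by method. */
static uint64_t ssl_ctx_default_domain_flags(const SSL_METHOD *meth)
{
# if defined(OPENSSL_THREADS)
    if (meth == OSSL_QUIC_client_thread_method())
        return SSL_DOMAIN_FLAG_MULTI_THREAD
            | SSL_DOMAIN_FLAG_THREAD_ASSISTED
            | SSL_DOMAIN_FLAG_BLOCKING;
    return SSL_DOMAIN_FLAG_MULTI_THREAD | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
# else
    return SSL_DOMAIN_FLAG_SINGLE_THREAD | SSL_DOMAIN_FLAG_LEGACY_BLOCKING;
# endif
}
#endif

/* … unchanged: SSL_CTX_new_ex up to ret->num_tickets = 2; … */
# ifndef OPENSSL_NO_QUIC
    ret->domain_flags = IS_QUIC_METHOD(meth)
        ? ssl_ctx_default_domain_flags(meth) : 0;
# endif
/* … unchanged: ssl_ctx_system_config() call and the rest … */
```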
@@ -7999,6 +8020,60 @@ SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags) #endif } +int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t domain_flags) +{ +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC_CTX(ctx)) { + if ((domain_flags & ~OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS) != 0) { + ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED, + "unsupported domain flag requested"); + return 0; + } + + if ((domain_flags & SSL_DOMAIN_FLAG_SINGLE_THREAD) != 0 + && (domain_flags & (SSL_DOMAIN_FLAG_MULTI_THREAD + | SSL_DOMAIN_FLAG_THREAD_ASSISTED)) != 0) { + ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, + "mutually exclusive domain flags specified"); + return 0; + } + + ctx->domain_flags = domain_flags; + return 1; + } +#endif + + ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED, + "domain flags unsupported on this kind of SSL_CTX"); + return 0; +} + +int SSL_CTX_get_domain_flags(const SSL_CTX *ctx, uint64_t *domain_flags) +{ +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC_CTX(ctx)) { + if (domain_flags != NULL) + *domain_flags = ctx->domain_flags; + + return 1; + } +#endif + + ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED, + "domain flags unsupported on this kind of SSL_CTX"); + return 0; +} + +int SSL_get_domain_flags(const SSL *ssl, uint64_t *domain_flags) +{ +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC(ssl)) + return ossl_quic_get_domain_flags(ssl, domain_flags); +#endif + + return 0; +} + int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk) { unsigned char *data = NULL; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index cf308cf4362..7d9727aef77 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1195,6 +1195,10 @@ struct ssl_ctx_st { unsigned char *server_cert_type; size_t server_cert_type_len; +# ifndef OPENSSL_NO_QUIC + uint64_t domain_flags; +# endif + # ifndef OPENSSL_NO_QLOG char *qlog_title; /* Session title for qlog */ # endif 
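Review bot: SSL_get_domain_flags returns 0 for a non-QUIC SSL without recording an error, whereas SSL_CTX_set_domain_flags and SSL_CTX_get_domain_flags in the same hunk raise ERR_R_UNSUPPORTED for the equivalent case, so a caller inspecting the error queue after a failure sees nothing; before the final `return 0;` add `ERR_raise_data(ERR_LIB_SSL, ERR_R_UNSUPPORTED, "domain flags unsupported on this kind of SSL");`. The validation in SSL_CTX_set_domain_flags rejects SINGLE_THREAD combined with MULTI_THREAD or THREAD_ASSISTED, but accepts BLOCKING together with LEGACY_BLOCKING and THREAD_ASSISTED without MULTI_THREAD; the defaults chosen in SSL_CTX_new_ex never produce either combination, so if they are meant to be invalid the same ERR_R_PASSED_INVALID_ARGUMENT check should cover them, and if they are valid a comment stating how they combine would help the next reader. Whether IS_QUIC_CTX and IS_QUIC tolerate a NULL argument is not visible here and is what the new functions rely on.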
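Review bot: The new `domain_flags` member added to struct ssl_ctx_st in the ssl_local.h hunk has no comment, unlike the copy added to struct quic_obj_st in quic_obj_local.h, and nothing here says whether it is a default applied at object creation or a live setting; suggest `/* SSL_DOMAIN_FLAG_* values copied into each QUIC_OBJ at construction; see SSL_CTX_set_domain_flags() */` above it. The OPENSSL_NO_QUIC guard matches the one around the initialisation in SSL_CTX_new_ex, which is consistent.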
@@ -3122,4 +3126,12 @@ long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic); (OSSL_QUIC_PERMITTED_OPTIONS_CONN | \ OSSL_QUIC_PERMITTED_OPTIONS_STREAM) +/* Total mask of domain flags supported on a QUIC SSL_CTX. */ +#define OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS \ + (SSL_DOMAIN_FLAG_SINGLE_THREAD | \ + SSL_DOMAIN_FLAG_MULTI_THREAD | \ + SSL_DOMAIN_FLAG_THREAD_ASSISTED | \ + SSL_DOMAIN_FLAG_BLOCKING | \ + SSL_DOMAIN_FLAG_LEGACY_BLOCKING) + #endif
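Review bot: OSSL_QUIC_SUPPORTED_DOMAIN_FLAGS is the allow-list that SSL_CTX_set_domain_flags in ssl_lib.c validates against, so any SSL_DOMAIN_FLAG_* later added to include/openssl/ssl.h.in but not here would be rejected as "unsupported domain flag requested"; add `/* Keep in sync with the SSL_DOMAIN_FLAG_* definitions in include/openssl/ssl.h.in. */` to the comment above the macro. The existing "Total mask" wording could also say that it lists every flag accepted by SSL_CTX_set_domain_flags(), which is the only use visible in this commit.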