From: Matt Caswell
Date: Mon, 4 Nov 2024 15:16:18 +0000 (+0000)
Subject: Keep hold of a reference to the user SSL in QUIC
X-Git-Tag: openssl-3.4.1~120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6612799fb51eea3ddd0f077a76d01db873d43df9;p=thirdparty%2Fopenssl.git

Keep hold of a reference to the user SSL in QUIC

In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference to the original SSL object as created by the user. We should keep a reference to it.

Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25931)
---

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index cc00f32eae1..1dacce8bcc2 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -403,7 +403,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
 goto err;
 }
- qc->tls = ossl_ssl_connection_new_int(ctx, TLS_method());
+ qc->tls = ossl_ssl_connection_new_int(ctx, ssl_base, TLS_method());
 if (qc->tls == NULL || (sc = SSL_CONNECTION_FROM_SSL(qc->tls)) == NULL) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
 goto err;
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 87c0ac0ca6c..fbc79860176 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -290,7 +290,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port)
 SSL *tls = NULL;
 SSL_CONNECTION *tls_conn = NULL;
- tls = ossl_ssl_connection_new_int(port->channel_ctx, TLS_method());
+ tls = ossl_ssl_connection_new_int(port->channel_ctx, NULL, TLS_method());
 if (tls == NULL || (tls_conn = SSL_CONNECTION_FROM_SSL(tls)) == NULL)
 return NULL;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a9b6f8a4ffe..8deb26be2eb 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
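Review bot: Passing NULL here makes the port-created handshake layer's user_ssl point at the internal TLS SSL object itself (that is the default the -735 hunk of ssl_lib.c installs), so SSL_CONNECTION_GET_USER_SSL on a connection whose handshake layer came from port_new_handshake_layer will presumably return that internal object rather than the QUIC SSL the application holds, unless the field is reassigned later; I could not find such a reassignment in this diff. If that is the intended behaviour a comment on the call would spare the next reader the same question, e.g. `/* No user-visible SSL exists yet: user_ssl defaults to the TLS object itself */`. If it is not intended, the field needs to be set once the channel is bound to its user-visible SSL. port_new_handshake_layer's body continues outside the hunk.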
@@ -725,7 +725,8 @@ int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
 return 1;
 }
-SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
+SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
+ const SSL_METHOD *method)
 {
 SSL_CONNECTION *s;
 SSL *ssl;
@@ -735,6 +736,8 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
 return NULL;
 ssl = &s->ssl;
+ s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;
+
 if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {
 OPENSSL_free(s);
 s = NULL;
@@ -930,7 +933,7 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
 SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
 {
- return ossl_ssl_connection_new_int(ctx, ctx->method);
+ return ossl_ssl_connection_new_int(ctx, NULL, ctx->method);
 }
 int SSL_is_dtls(const SSL *s)
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index d1c1afe94e8..277be3084dc 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1210,6 +1210,13 @@ struct ssl_st {
 struct ssl_connection_st {
 /* type identifier and common data */
 struct ssl_st ssl;
+
+ /*
+ * The actual end user's SSL object. Could be different to this one for
+ * QUIC
+ */
+ SSL *user_ssl;
+
 /*
 * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
 * DTLS1_VERSION)
@@ -1817,6 +1824,7 @@ struct ssl_connection_st {
 SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, const)
 # define SSL_CONNECTION_GET_CTX(sc) ((sc)->ssl.ctx)
 # define SSL_CONNECTION_GET_SSL(sc) (&(sc)->ssl)
+# define SSL_CONNECTION_GET_USER_SSL(sc) ((sc)->user_ssl)
 # ifndef OPENSSL_NO_QUIC
 # include "quic/quic_local.h"
 # define SSL_CONNECTION_FROM_SSL_int(ssl, c) \
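Review bot: The new user_ssl parameter is stored as a plain pointer with no reference taken (the -735 hunk assigns it without any SSL_up_ref), so despite the commit title this is a borrowed back-pointer whose validity rests on the caller guaranteeing that user_ssl outlives the returned SSL_CONNECTION; nothing in the diff states that contract. Please document it on this definition, in the field comment added in the ssl_local.h struct hunk (which currently only says it could differ for QUIC) and on the prototype hunk in ssl_local.h, e.g. `/* user_ssl: the application-visible SSL this connection belongs to, or NULL to mean the new object itself. Not reference-counted and not owned here: the caller must keep user_ssl alive for as long as the returned SSL exists. */`. The same comment should make explicit that the default is a self-reference, so code obtaining it through SSL_CONNECTION_GET_USER_SSL must not up_ref or free the result as if it were an independent object. ossl_ssl_connection_new_int's body continues outside the hunk.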
@@ -2488,7 +2496,8 @@ static ossl_inline void tls1_get_peer_groups(SSL_CONNECTION *s,
 __owur int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method,
 int type);
-__owur SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method);
+__owur SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
+ const SSL_METHOD *method);
 __owur SSL *ossl_ssl_connection_new(SSL_CTX *ctx);
 void ossl_ssl_connection_free(SSL *ssl);
 __owur int ossl_ssl_connection_reset(SSL *ssl);