From: Neil Horman
Date: Mon, 3 Nov 2025 17:43:22 +0000 (-0500)
Subject: Drop use of get_using_peeloff for quic connections
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfbd214c8cad98e9296be3bb33655bc666778c87;p=thirdparty%2Fopenssl.git

Drop use of get_using_peeloff for quic connections

folow the using_peeloff get/set routines to just a set routine that fails if the set is for a mode that doesn't match the current mode

Reviewed-by: Saša Nedvědický
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/27397)
---
diff --git a/include/internal/quic_port.h b/include/internal/quic_port.h
index bf8edda1ae8..bf451a6108a 100644
--- a/include/internal/quic_port.h
+++ b/include/internal/quic_port.h
@@ -159,10 +159,14 @@ size_t ossl_quic_port_get_num_incoming_channels(const QUIC_PORT *port);
 /* Sets if incoming connections should currently be allowed. */
 void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming);
 
-/* Sets flag to indicate we are using SSL_listen_ex to get connections */
-void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff);
-
-int ossl_quic_port_get_using_peeloff(QUIC_PORT *port);
+#define PEELOFF_LISTEN -1
+#define PEELOFF_ACCEPT 1
+#define PEELOFF_UNSET 0
+/*
+ * Sets flag to indicate we are using SSL_listen_ex to get connections
+ * returns 1 if set was successful, or 0 if the set fails
+ */
+int ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff);
 
 /* Returns 1 if we are using addressed mode on the read side. */
 int ossl_quic_port_is_addressed_r(const QUIC_PORT *port);
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index 2e3d1b0bb10..ab5334d2f22 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
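Review bot: The three new macros in include/internal/quic_port.h are unprefixed (`PEELOFF_LISTEN`, `PEELOFF_ACCEPT`, `PEELOFF_UNSET`) while every other name this header exports carries the `ossl_quic_port_` prefix, and an internal header is pulled into many translation units, so a bare `PEELOFF_UNSET` is an easy collision target. A prefixed enum would also make the tri-state debugger-visible, e.g. `enum { OSSL_QUIC_PEELOFF_UNSET = 0, OSSL_QUIC_PEELOFF_ACCEPT = 1, OSSL_QUIC_PEELOFF_LISTEN = -1 };`. The doc comment still says the function "Sets flag to indicate we are using SSL_listen_ex", but it now records either mode and refuses a change; suggest `/* Records whether connections are handed out via SSL_listen_ex (PEELOFF_LISTEN) or SSL_accept_connection (PEELOFF_ACCEPT). Returns 1 on success, 0 if the value is not one of those or the port is already committed to the other mode. */`.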
@@ -565,6 +565,15 @@ void ossl_quic_channel_set0_tls(QUIC_CHANNEL *ch, SSL *ssl)
 {
 SSL_free(ch->tls);
 ch->tls = ssl;
+#ifndef OPENSSL_NO_QLOG
+ /*
+ * If we're using qlog, make sure the tls get further configured properly
+ */
+ ch->use_qlog = 1;
+ if (ch->tls->ctx->qlog_title != NULL)
+ ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title);
+#endif
+
 }
 
 static void free_buf_mem(unsigned char *buf, size_t buf_len, void *arg)
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 84eac8cd771..df96011d6ea 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4651,14 +4651,14 @@ int ossl_quic_peeloff_conn(SSL *listener, SSL *new_conn)
 return -1;
 
 qctx_lock_for_io(&lctx);
- if (ossl_quic_port_get_using_peeloff(lctx.ql->port) == -1) {
+
+ if (!ossl_quic_port_set_using_peeloff(lctx.ql->port, PEELOFF_LISTEN)) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
 "This listener is using SSL_accept_connection");
 ret = -1;
 goto out;
 }
-
- ossl_quic_port_set_using_peeloff(lctx.ql->port, 1);
+
 new_ch = ossl_quic_port_pop_incoming(lctx.ql->port);
 if (new_ch != NULL) {
 qc = cctx.qc;
@@ -4734,14 +4734,13 @@ SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags)
 if (!ql_listen(ctx.ql))
 goto out;
 
- if (ossl_quic_port_get_using_peeloff(ctx.ql->port) == 1) {
+ if (!ossl_quic_port_set_using_peeloff(ctx.ql->port, PEELOFF_ACCEPT)) {
 QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
- "This listener is using SSL_accept_ex");
+ "This listener is using SSL_listen_ex");
 goto out;
+
 }
 
- ossl_quic_port_set_using_peeloff(ctx.ql->port, -1);
-
 /* Wait for an incoming connection if needed. */
 new_ch = ossl_quic_port_pop_incoming(ctx.ql->port);
 if (new_ch == NULL && ossl_quic_port_is_running(ctx.ql->port)) {
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 326a0ab0982..57cee322571 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
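Review bot: The new qlog block in ossl_quic_channel_set0_tls dereferences `ch->tls->ctx` immediately after `ch->tls = ssl;` with no NULL check, so a NULL ssl (which the SSL_free() on the previous line tolerates) crashes here, whereas the companion hunk in port_make_channel guards the same access with `ch->tls != NULL`. The `OPENSSL_strdup` result is also assigned unconditionally, overwriting whatever `ch->qlog_title` already held if set0_tls is called on a channel that already has a title (the hunk does not show whether callers guarantee it is empty), and an allocation failure is silently dropped because the setter returns void. Suggest releasing the previous title, guarding the dereference, and at least commenting the unreportable failure, as below; the added blank line before the closing `}` can go. The function is complete within the hunk.
```c
    ch->tls = ssl;
#ifndef OPENSSL_NO_QLOG
    /* Release any title copied from the previous tls object. */
    OPENSSL_free(ch->qlog_title);
    ch->qlog_title = NULL;
    ch->use_qlog = 1;
    /* NOTE: a strdup failure cannot be reported from this void setter. */
    if (ch->tls != NULL && ch->tls->ctx->qlog_title != NULL)
        ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title);
#endif
```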
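Review bot: ossl_quic_port_set_using_peeloff is a read-then-write on `port->using_peeloff`, so the trapdoor only holds if every caller runs it under the same lock; in the ossl_quic_peeloff_conn hunk the call follows `qctx_lock_for_io(&lctx)`, but in this ossl_quic_accept_connection hunk no lock is visible (the function begins before the hunk), so please confirm the equivalent lock is already held, otherwise a concurrent SSL_accept_connection and SSL_listen_ex could both pass the check and the listener would hand out connections through both paths. A one-line comment at the call site would make the requirement explicit, e.g. `/* Trapdoor: commits the listener to accept mode; caller must hold the listener lock. */`. Separately, if the reformatted hunk reads correctly, the new code leaves a blank line between `goto out;` and the closing `}` of the if block, which the other hunks in this commit do not do.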
@@ -536,15 +536,14 @@ static QUIC_CHANNEL *port_make_channel(QUIC_PORT *port, SSL *tls, OSSL_QRX *qrx,
 if (tls != NULL) {
 ch->tls = tls;
 } else {
- if (ossl_quic_port_get_using_peeloff(port) <= 0) {
- ossl_quic_port_set_using_peeloff(port, -1);
+ if (ossl_quic_port_set_using_peeloff(port, PEELOFF_ACCEPT)) {
 /*
 * We're using the normal SSL_accept_connection_path
 */
 ch->tls = port_new_handshake_layer(port, ch);
 } else {
 /*
- * We're deferring user ssl creation until SSL_accept_ex is called
+ * We're deferring user ssl creation until SSL_listen_ex is called
 */
 ch->tls = NULL;
 }
@@ -554,7 +553,7 @@ static QUIC_CHANNEL *port_make_channel(QUIC_PORT *port, SSL *tls, OSSL_QRX *qrx,
 * If we're using qlog, make sure the tls get further configured properly
 */
 ch->use_qlog = 1;
- if (ch->tls && ch->tls->ctx->qlog_title != NULL) {
+ if (ch->tls != NULL && ch->tls->ctx->qlog_title != NULL) {
 if ((ch->qlog_title = OPENSSL_strdup(ch->tls->ctx->qlog_title)) == NULL) {
 OPENSSL_free(ch);
 return NULL;
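Review bot: The comment `We're using the normal SSL_accept_connection_path` above the accept branch reads as if port_make_channel were detecting which API the application chose, but `ossl_quic_port_set_using_peeloff(port, PEELOFF_ACCEPT)` succeeds whenever the port is still PEELOFF_UNSET, so the first channel created with `tls == NULL` commits the whole port to accept mode as a side effect, and a later SSL_listen_ex call is then refused with "This listener is using SSL_accept_connection" even if that API was never called. The old `<= 0` check had the same ordering, so this is not a regression, but the comment should state it, e.g. `/* First channel without a tls object decides the mode: commit the port to the SSL_accept_connection path unless SSL_listen_ex already claimed it. */`. Whether this branch is actually reached for incoming connections before the application's first accept/listen call I cannot tell from the hunk; port_make_channel begins and ends outside it.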
@@ -654,14 +653,25 @@ void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming)
 port->allow_incoming = allow_incoming;
 }
 
-void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff)
+int ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff)
 {
- port->using_peeloff = using_peeloff;
-}
-int ossl_quic_port_get_using_peeloff(QUIC_PORT *port)
-{
- return port->using_peeloff;
+ /*
+ * Peeloff state must be one of PEELOFF_LISTEN or PEELOFF_ACCEPT
+ */
+ if (using_peeloff != PEELOFF_LISTEN && using_peeloff != PEELOFF_ACCEPT)
+ return 0;
+
+ /*
+ * We can only set the peeloff state if its not already been set
+ * or if we're setting it to the already set value
+ * i.e. this is a trapdoor, once we set using_peeloff to LISTEN or ACCEPT
+ * Then the only thing we can set that port too in the future is the same value.
+ */
+ if (port->using_peeloff != using_peeloff && port->using_peeloff != PEELOFF_UNSET)
+ return 0;
+ port->using_peeloff = using_peeloff;
+ return 1;
 }
 
 /*
diff --git a/ssl/quic/quic_port_local.h b/ssl/quic/quic_port_local.h
index 39a9094e2cf..1fdb0f62a4b 100644
--- a/ssl/quic/quic_port_local.h
+++ b/ssl/quic/quic_port_local.h
@@ -115,7 +115,7 @@ struct quic_port_st {
 unsigned int bio_changed : 1;
 
 /* Are we using SSL_listen_ex to peeloff connections */
- unsigned int using_peeloff;
+ int using_peeloff;
 
 /* AES-256 GCM context for token encryption */
 EVP_CIPHER_CTX *token_ctx;
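Review bot: ossl_quic_port_set_using_peeloff returns 0 both for an invalid `using_peeloff` argument and for a mode mismatch, and both callers in quic_impl.c turn that 0 into "This listener is using <the other API>", so a programming error such as passing PEELOFF_UNSET would surface as a misleading user-facing error; since every caller passes a constant, the first check is an internal invariant and could fail loudly instead, e.g. `if (!ossl_assert(using_peeloff == PEELOFF_LISTEN || using_peeloff == PEELOFF_ACCEPT)) return 0;`, or the header comment should at least name the two failure causes. The block comment has two typos (`its` → `it's`, `that port too` → `that port to`) and a stray capital in `Then`. The matching quic_port_local.h hunk correctly widens the field to `int` so PEELOFF_LISTEN's -1 fits, but its comment `Are we using SSL_listen_ex to peeloff connections` still describes a boolean; suggest `/* PEELOFF_UNSET, PEELOFF_LISTEN or PEELOFF_ACCEPT; fixed by the first ossl_quic_port_set_using_peeloff() call */`. Whether the field starts at PEELOFF_UNSET (i.e. the port is zero-allocated) is not visible here and is worth confirming, since the trapdoor depends on it.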