From 09a34c53e1607dd94317e8775d7749309db2a1fa Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 4 Nov 2024 15:16:18 +0000
Subject: [PATCH] Keep hold of a reference to the user SSL in QUIC

In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference to the original SSL object as created by the user. We should keep a reference to it.

Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25931)

(cherry picked from commit 6612799fb51eea3ddd0f077a76d01db873d43df9)
---
 ssl/quic/quic_impl.c | 2 +-
 ssl/quic/quic_port.c | 2 +-
 ssl/ssl_lib.c | 7 +++++--
 ssl/ssl_local.h | 11 ++++++++++-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index cc00f32eae1..1dacce8bcc2 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -403,7 +403,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
         goto err;
     }
 
-    qc->tls = ossl_ssl_connection_new_int(ctx, TLS_method());
+    qc->tls = ossl_ssl_connection_new_int(ctx, ssl_base, TLS_method());
     if (qc->tls == NULL || (sc = SSL_CONNECTION_FROM_SSL(qc->tls)) == NULL) {
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
         goto err;
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 87cec5fcdce..c1a8463e5a7 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -290,7 +290,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port)
     SSL *tls = NULL;
     SSL_CONNECTION *tls_conn = NULL;
 
-    tls = ossl_ssl_connection_new_int(port->channel_ctx, TLS_method());
+    tls = ossl_ssl_connection_new_int(port->channel_ctx, NULL, TLS_method());
     if (tls == NULL || (tls_conn = SSL_CONNECTION_FROM_SSL(tls)) == NULL)
         return NULL;
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 956132f495d..93ebde76c50 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
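Review bot: Passing NULL here means the port-created handshake layer's user_ssl falls back to the inner TLS SSL object itself (the NULL default in ossl_ssl_connection_new_int), so SSL_CONNECTION_GET_USER_SSL() on a server-side channel returns no application-visible object. If any caller takes user_ssl to mean "the SSL the application holds", the port code will presumably have to reassign it once the owning QUIC object exists — nothing in this hunk does so. A comment at the call site would keep that from reading as an omission: `/* No user-facing SSL exists yet; user_ssl defaults to the inner TLS object. */`. port_new_handshake_layer continues beyond the hunk.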
@@ -720,7 +720,8 @@ int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method, int type)
     return 1;
 }
 
-SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
+SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
+                                 const SSL_METHOD *method)
 {
     SSL_CONNECTION *s;
     SSL *ssl;
@@ -730,6 +731,8 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
         return NULL;
 
     ssl = &s->ssl;
+    s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;
+
     if (!ossl_ssl_init(ssl, ctx, method, SSL_TYPE_SSL_CONNECTION)) {
         OPENSSL_free(s);
         s = NULL;
@@ -924,7 +927,7 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
 
 SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
 {
-    return ossl_ssl_connection_new_int(ctx, ctx->method);
+    return ossl_ssl_connection_new_int(ctx, NULL, ctx->method);
 }
 
 int SSL_is_dtls(const SSL *s)
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index c5eb7bc3954..11711218b66 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1216,6 +1216,13 @@ struct ssl_st {
 struct ssl_connection_st {
     /* type identifier and common data */
     struct ssl_st ssl;
+
+    /*
+     * The actual end user's SSL object. Could be different to this one for
+     * QUIC
+     */
+    SSL *user_ssl;
+
     /*
      * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
      * DTLS1_VERSION)
@@ -1823,6 +1830,7 @@ struct ssl_connection_st {
     SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, const)
 # define SSL_CONNECTION_GET_CTX(sc) ((sc)->ssl.ctx)
 # define SSL_CONNECTION_GET_SSL(sc) (&(sc)->ssl)
+# define SSL_CONNECTION_GET_USER_SSL(sc) ((sc)->user_ssl)
 # ifndef OPENSSL_NO_QUIC
 # include "quic/quic_local.h"
 # define SSL_CONNECTION_FROM_SSL_int(ssl, c) \
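Review bot: The store `s->user_ssl = (user_ssl == NULL) ? ssl : user_ssl;` takes no reference on user_ssl (there is no SSL_up_ref), so despite the commit title this is a non-owning back-pointer, and the inner SSL_CONNECTION must never outlive the SSL it points at. In quic_impl.c that is ssl_base, which is presumably freed together with the QUIC connection that owns qc->tls, but nothing in the new code enforces or states that. A one-line comment above the assignment, `/* Non-owning back-pointer: never freed here, must not outlive its owner */`, with the same caveat on the ossl_ssl_connection_new_int prototype in ssl_local.h, would make the contract explicit. ossl_ssl_connection_new_int's body continues beyond the hunk.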
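Review bot: The new field comment omits the invariant readers of SSL_CONNECTION_GET_USER_SSL() will depend on: after construction user_ssl is never NULL, because ossl_ssl_connection_new_int substitutes `&s->ssl` when no separate user SSL is passed (the non-QUIC path and the QUIC port path). Suggest adding a line to the comment: ` * Never NULL: defaults to &this->ssl when no separate user SSL exists.`. The struct definition continues well beyond the hunk.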
@@ -2462,7 +2470,8 @@ static ossl_inline void tls1_get_peer_groups(SSL_CONNECTION *s,
 
 __owur int ossl_ssl_init(SSL *ssl, SSL_CTX *ctx, const SSL_METHOD *method,
                          int type);
-__owur SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method);
+__owur SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, SSL *user_ssl,
+                                        const SSL_METHOD *method);
 __owur SSL *ossl_ssl_connection_new(SSL_CTX *ctx);
 void ossl_ssl_connection_free(SSL *ssl);
 __owur int ossl_ssl_connection_reset(SSL *ssl);
-- 
2.47.2