From f443b4048d0cd8ec17df09b08b9cb04fc293d6de Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Wed, 4 Dec 2024 16:12:02 -0500
Subject: [PATCH] Clarify that this validation only relates to retry packets
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Disabling server address validation here only relates to new connections that arrive without a token. Future connections using tokens provided by the server via NEW_TOKEN frames will still be validated

Reviewed-by: Saša Nedvědický
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/26114)
---
 doc/man3/SSL_new_listener.pod | 5 ++++-
 ssl/quic/quic_port.c | 21 ++++++++++++++-------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/doc/man3/SSL_new_listener.pod b/doc/man3/SSL_new_listener.pod
index dfcacfc842b..e8c41fa66be 100644
--- a/doc/man3/SSL_new_listener.pod
+++ b/doc/man3/SSL_new_listener.pod
@@ -165,7 +165,10 @@ SSL_new_from_listener().
 
 To disable client address validation on a listener SSL object, the flag
 B may be passed in the flags field of both
-SSL_new_listener() and SSL_new_listener_from().
+SSL_new_listener() and SSL_new_listener_from(). Note that this flag only
+impacts the sending of retry frames for server address validation. Tokens may
+still be communicated from the server via NEW_TOKEN frames, which will still
+be validated on receipt in future connections.
 
 The SSL_new_from_listener() creates a client connection under a given listener
 SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index c2b1bee7b48..28457f3bcd3 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -1197,14 +1197,21 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
      * states in TCP. If we reach certain threshold, then we want to
      * validate clients.
      */
-    if (port->validate_addr == 1) {
-        if (hdr.token == NULL) {
-            port_send_retry(port, &e->peer, &hdr);
-            goto undesirable;
-        } else if (port_validate_token(&hdr, port, &e->peer,
-                                       &odcid, &scid) == 0) {
+    if (port->validate_addr == 1 && hdr.token == NULL) {
+        port_send_retry(port, &e->peer, &hdr);
+        goto undesirable;
+    }
+
+    /*
+     * Note, even if we don't enforce the sending of retry frames for
+     * server address validation, we may still get a token if we sent
+     * a NEW_TOKEN frame during a prior connection, which we should still
+     * validate here
+     */
+    if (hdr.token != NULL) {
+        if (port_validate_token(&hdr, port, &e->peer,
+                                &odcid, &scid) == 0)
             goto undesirable;
-        }
     }
 
     port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
-- 
2.47.2
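Review bot: In the new `if (hdr.token != NULL)` branch every token that fails port_validate_token() is dropped via `goto undesirable`, which is the right outcome for a spent or forged Retry token, but RFC 9000 §8.1.3 says a token that came from a NEW_TOKEN frame and fails validation should be handled as if no token were present — here that would mean a Retry when validate_addr is set and a plain bind otherwise — and the hunk now takes that path regardless of validate_addr. If port_validate_token() already tells the two token kinds apart and handles the NEW_TOKEN case itself, a sentence in the new comment saying so would save the next reader the lookup; if it does not, a stale NEW_TOKEN token now silently discards a connection attempt the spec allows to proceed. Stylistically the two nested conditions can be folded into one, `if (hdr.token != NULL && port_validate_token(&hdr, port, &e->peer, &odcid, &scid) == 0)` / `goto undesirable;`, which also removes the unbraced `goto` under the inner `if` that the surrounding code otherwise avoids. The enclosing port_default_packet_handler() starts before and continues past this hunk.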