mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-19 08:23:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

Minor fixes

Browse Source 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
This commit is contained in:
Hugo Landau 2023-06-26 13:47:03 +01:00 committed by Pauli
parent 5f69db396c
commit d6e7ebba33
26 changed files with 134 additions and 180 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/man3/BIO_f_ssl.pod
View File

@ -131,7 +131,8 @@ BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(),
BIO_set_ssl_renegotiate_bytes(), BIO_set_ssl_renegotiate_timeout(),
BIO_get_num_renegotiates(), and BIO_do_handshake() are implemented as macros.
BIO_ssl_copy_session_id() is not currently supported on QUIC SSL objects.
BIO_ssl_copy_session_id() is not currently supported on QUIC SSL objects and
fails if called on such an object.
=head1 RETURN VALUES
@ -144,7 +145,8 @@ success or a value which is less than or equal to 0 if an error occurred.
BIO_new_ssl(), BIO_new_ssl_connect() and BIO_new_buffer_ssl_connect() return
a valid B<BIO> structure on success or B<NULL> if an error occurred.
BIO_ssl_copy_session_id() returns 1 on success or 0 on error.
BIO_ssl_copy_session_id() returns 1 on success or 0 on error, or if called
on a QUIC SSL object.
BIO_do_handshake() returns 1 if the connection was established successfully.
A zero or negative value is returned if the connection could not be established.

3
doc/man3/DTLSv1_listen.pod
View File

@ -103,7 +103,8 @@ TLSv1.3 is used.
Both SSL_stateless() and DTLSv1_listen() will clear the error queue when they
start.
SSL_stateless() cannot be used with QUIC SSL objects.
SSL_stateless() cannot be used with QUIC SSL objects and returns an error if
called on such an object.
=head1 RETURN VALUES

6
doc/man3/SSL_CTX_set_alpn_select_cb.pod
View File

@ -25,6 +25,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned int *len);
void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
int (*cb)(SSL *ssl,
const unsigned char **out,
@ -112,7 +114,9 @@ this function need not be a member of the list of supported protocols
provided by the callback.
NPN functionality cannot be used with QUIC SSL objects. Use of ALPN is mandatory
when using QUIC SSL objects.
when using QUIC SSL objects. SSL_CTX_set_next_protos_advertised_cb() and
SSL_CTX_set_next_proto_select_cb() have no effect if called on a QUIC SSL
context.
=head1 NOTES

3
doc/man3/SSL_CTX_set_quiet_shutdown.pod
View File

@ -30,7 +30,8 @@ B<mode> may be 0 or 1.
SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
These functions are not supported for QUIC SSL objects.
These functions are not supported for QUIC SSL objects. SSL_set_quiet_shutdown()
has no effect if called on a QUIC SSL object.
=head1 NOTES

3
doc/man3/SSL_CTX_set_read_ahead.pod
View File

@ -34,7 +34,8 @@ SSL_CTX_get_read_ahead() and SSL_get_read_ahead() indicate whether reading
ahead has been set or not.
SSL_CTX_get_default_read_ahead() is identical to SSL_CTX_get_read_ahead().
These functions cannot be used with QUIC SSL objects.
These functions cannot be used with QUIC SSL objects. SSL_set_read_ahead()
has no effect if called on a QUIC SSL object.
=head1 NOTES

2
doc/man3/SSL_CTX_set_record_padding_callback.pod
View File

@ -54,6 +54,8 @@ The B<arg> parameter is the value set via SSL_CTX_set_record_padding_callback_ar
or SSL_set_record_padding_callback_arg().
These functions cannot be used with QUIC SSL objects.
SSL_set_record_padding_callback() and SSL_set_block_padding() fail if called on
a QUIC SSL object.
=head1 RETURN VALUES

3
doc/man3/SSL_CTX_set_split_send_fragment.pod
View File

@ -124,6 +124,9 @@ SSL_SESSION_get_max_fragment_length() gets the maximum fragment length
negotiated in B<session>.
These functions cannot be used with QUIC SSL objects.
SSL_set_max_send_fragment(), SSL_set_max_pipelines(),
SSL_set_split_send_fragment(), SSL_set_default_read_buffer_len() and
SSL_set_tlsext_max_fragment_length() fail if called on a QUIC SSL object.
=head1 RETURN VALUES

3
doc/man3/SSL_CTX_set_ssl_version.pod
View File

@ -48,7 +48,8 @@ try to reuse an existing one in this fashion. Its usage is considered
deprecated.
SSL_set_ssl_method() cannot be used to change a non-QUIC SSL object to a QUIC
SSL object or vice versa.
SSL object or vice versa, or change a QUIC SSL object from one QUIC method to
another.
=head1 RETURN VALUES

2
doc/man3/SSL_CTX_set_tlsext_use_srtp.pod
View File

@ -117,6 +117,8 @@ use. This provides the client write master key, the server write master key, the
client write master salt and the server write master salt in that order.
These functions cannot be used with QUIC SSL objects.
SSL_CTX_set_tlsext_use_srtp() fails if called on a QUIC SSL context.
SSL_set_tlsext_use_srtp() fails if called on a QUIC SSL object.
=head1 RETURN VALUES

1
doc/man3/SSL_CTX_set_verify.pod
View File

@ -216,6 +216,7 @@ When post-handshake authentication occurs, a refreshed NewSessionTicket
message is sent to the client.
Post-handshake authentication cannot be used with QUIC.
SSL_set_post_handshake_auth() has no effect if called on a QUIC SSL object.
=head1 BUGS

3
doc/man3/SSL_clear.pod
View File

@ -34,7 +34,8 @@ server method, even if TLS_*_methods were chosen on startup. This
will might lead to connection failures (see L<SSL_new(3)>)
for a description of the method's properties.
This function is not supported on QUIC SSL objects.
This function is not supported on QUIC SSL objects and returns failure if called
on such an object.
=head1 WARNINGS

3
doc/man3/SSL_new.pod
View File

@ -96,7 +96,8 @@ SSL_set0_client_CA_list() or similar functions
=back
SSL_dup() is not supported on QUIC SSL objects.
SSL_dup() is not supported on QUIC SSL objects and returns NULL if called on
such an object.
=head1 RETURN VALUES

3
doc/man3/SSL_read_early_data.pod
View File

@ -242,6 +242,9 @@ has been explicitly disabled using the SSL_OP_NO_ANTI_REPLAY option. See
L</REPLAY PROTECTION> below.
These functions cannot currently be used with QUIC SSL objects.
SSL_set_max_early_data(), SSL_set_recv_max_early_data(), SSL_write_early_data(),
SSL_read_early_data(), SSL_get_early_data_status() and
SSL_set_allow_early_data_cb() fail if called on a QUIC SSL object.
=head1 NOTES

3
doc/man3/SSL_rstate_string.pod
View File

@ -48,7 +48,8 @@ The read state is unknown. This should never happen.
=back
When used with QUIC SSL objects, these functions always return "unknown".
When used with QUIC SSL objects, these functions always return "RH"/"read
header" in normal conditions.
=head1 SEE ALSO

5
doc/man3/SSL_set_fd.pod
View File

@ -23,8 +23,9 @@ interface between the B<ssl> and B<fd>. The BIO and hence the SSL engine
inherit the behaviour of B<fd>. If B<fd> is nonblocking, the B<ssl> will
also have nonblocking behaviour.
When used on a QUIC SSL object, a B<datagram BIO> is automatically created
instead of a B<socket BIO>.
When used on a QUIC connection SSL object, a B<datagram BIO> is automatically
created instead of a B<socket BIO>. These functions fail if called
on a QUIC stream SSL object.
If there was already a BIO connected to B<ssl>, BIO_free() will be called
(for both the reading and writing side, if different).

4
include/internal/quic_ssl.h
View File

@ -117,9 +117,7 @@ void ossl_quic_conn_force_assist_thread_wake(SSL *s);
/* For use by tests only. */
QUIC_CHANNEL *ossl_quic_conn_get_channel(SSL *s);
uint64_t ossl_quic_set_options(SSL *s, uint64_t opts);
uint64_t ossl_quic_clear_options(SSL *s, uint64_t opts);
uint64_t ossl_quic_get_options(SSL *s);
int ossl_quic_has_pending(const SSL *s);
# endif

4
include/internal/statem.h
View File

@ -6,6 +6,8 @@
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef STATEM_H
# define STATEM_H
/*****************************************************************************
* *
@ -165,3 +167,5 @@ int ossl_statem_set_mutator(SSL *s,
ossl_statem_mutate_handshake_cb mutate_handshake_cb,
ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
void *mutatearg);
#endif

1
ssl/d1_srtp.c
View File

@ -16,6 +16,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_local.h"
#include "quic/quic_local.h"
#ifndef OPENSSL_NO_SRTP

31
ssl/quic/quic_impl.c
View File

@ -617,33 +617,39 @@ static void qc_set_default_xso(QUIC_CONNECTION *qc, QUIC_XSO *xso, int touch)
}
/* SSL_set_options */
QUIC_TAKES_LOCK
static uint64_t quic_mask_or_options(SSL *ssl, uint64_t mask_value, uint64_t or_value)
{
QCTX ctx;
uint64_t r, options;
uint64_t options;
if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, &ctx))
if (!expect_quic(ssl, &ctx))
return 0;
quic_lock(ctx.qc);
/*
* Currently most options that we permit are handled in the handshake
* layer.
*/
options = (SSL_get_options(ctx.qc->tls) & ~mask_value) | or_value;
options &= OSSL_QUIC_PERMITTED_OPTIONS;
r = SSL_set_options(ctx.qc->tls, options);
or_value &= OSSL_QUIC_PERMITTED_OPTIONS;
if (ctx.xso->stream != NULL && ctx.xso->stream->rstream != NULL)
SSL_clear_options(ctx.qc->tls, mask_value);
options = SSL_set_options(ctx.qc->tls, or_value);
if (ctx.xso != NULL
&& ctx.xso->stream != NULL
&& ctx.xso->stream->rstream != NULL)
ossl_quic_rstream_set_cleanse(ctx.xso->stream->rstream,
(options & SSL_OP_CLEANSE_PLAINTEXT) != 0);
quic_unlock(ctx.qc);
return r;
return options;
}
uint64_t ossl_quic_set_options(SSL *ssl, uint64_t options)
{
return quic_mask_or_options(ssl, UINT64_MAX, options);
return quic_mask_or_options(ssl, 0, options);
}
/* SSL_clear_options */
@ -2118,7 +2124,7 @@ int ossl_quic_peek(SSL *s, void *buf, size_t len, size_t *bytes_read)
*/
QUIC_TAKES_LOCK
static size_t ossl_quic_pending_int(const SSL *s)
static size_t ossl_quic_pending_int(const SSL *s, int check_channel)
{
QCTX ctx;
size_t avail = 0;
@ -2134,6 +2140,9 @@ static size_t ossl_quic_pending_int(const SSL *s)
if (!ossl_quic_rstream_available(ctx.xso->stream->rstream, &avail, &fin))
avail = 0;
if (avail == 0 && check_channel && ossl_quic_channel_has_pending(ctx.qc->ch))
avail = 1;
out:
quic_unlock(ctx.qc);
return avail;
@ -2141,13 +2150,13 @@ out:
size_t ossl_quic_pending(const SSL *s)
{
return ossl_quic_pending_int(s);
return ossl_quic_pending_int(s, /*check_channel=*/0);
}
int ossl_quic_has_pending(const SSL *s)
{
/* Do we have app-side pending data or pending URXEs or RXEs? */
return ossl_quic_pending_int(s) > 0 || ossl_quic_channel_has_pending(qc->ch);
return ossl_quic_pending_int(s, /*check_channel=*/1) > 0;
}
/*

16
ssl/quic/quic_local.h
View File

@ -216,16 +216,10 @@ void ossl_quic_conn_on_remote_conn_close(QUIC_CONNECTION *qc,
int ossl_quic_trace(int write_p, int version, int content_type,
const void *buf, size_t msglen, SSL *ssl, void *arg);
# define OSSL_QUIC_ANY_VERSION 0x5155
# ifndef OPENSSL_NO_QUIC
# define IS_QUIC_METHOD(m) ((m)->version == OSSL_QUIC_ANY_VERSION)
# define IS_QUIC_SSL(s) ((s) != NULL && \
((s)->type == SSL_TYPE_QUIC_CONNECTION || \
(s)->type == SSL_TYPE_QUIC_STREAM))
# else
# define IS_QUIC_METHOD(m) 0
# define IS_QUIC_SSL(s) 0
# endif
# define OSSL_QUIC_ANY_VERSION 0xFFFFF
# define IS_QUIC_METHOD(m) \
((m) == OSSL_QUIC_client_method() || \
(m) == OSSL_QUIC_client_thread_method())
# define IS_QUIC_CTX(ctx) IS_QUIC_METHOD((ctx)->method)
# define QUIC_CONNECTION_FROM_SSL_int(ssl, c) \
@ -257,6 +251,8 @@ int ossl_quic_trace(int write_p, int version, int content_type,
# define QUIC_XSO_FROM_SSL_int(ssl, c) NULL
# define SSL_CONNECTION_FROM_QUIC_SSL_int(ssl, c) NULL
# define IS_QUIC(ssl) 0
# define IS_QUIC_CTX(ctx) 0
# define IS_QUIC_METHOD(m) 0
# endif
# define QUIC_CONNECTION_FROM_SSL(ssl) \

19
ssl/record/rec_layer_s3.c
View File

@ -12,6 +12,7 @@
#include <errno.h>
#include <assert.h>
#include "../ssl_local.h"
#include "../quic/quic_local.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include <openssl/rand.h>
@ -162,7 +163,7 @@ void SSL_set_default_read_buffer_len(SSL *s, size_t len)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return;
sc->rlayer.default_read_buf_len = len;
}
@ -170,16 +171,8 @@ void SSL_set_default_read_buffer_len(SSL *s, size_t len)
const char *SSL_rstate_string_long(const SSL *s)
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
#ifndef OPENSSL_NO_QUIC
const QUIC_CONNECTION *qc = QUIC_CONNECTION_FROM_CONST_SSL(s);
#endif
const char *lng;
#ifndef OPENSSL_NO_QUIC
if (qc != NULL)
return "unknown";
#endif
if (sc == NULL)
return NULL;
@ -194,16 +187,8 @@ const char *SSL_rstate_string_long(const SSL *s)
const char *SSL_rstate_string(const SSL *s)
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
#ifndef OPENSSL_NO_QUIC
const QUIC_CONNECTION *qc = QUIC_CONNECTION_FROM_CONST_SSL(s);
#endif
const char *shrt;
#ifndef OPENSSL_NO_QUIC
if (qc != NULL)
return "unknown";
#endif
if (sc == NULL)
return NULL;

125
ssl/ssl_lib.c
View File

@ -425,8 +425,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
* Return 0 if there is only one version configured and it was disabled
* at configure time. Return 1 otherwise.
*/
static int ssl_check_allowed_versions(int min_version, int max_version,
int is_quic)
static int ssl_check_allowed_versions(int min_version, int max_version)
{
int minisdtls = 0, maxisdtls = 0;
@ -474,7 +473,7 @@ static int ssl_check_allowed_versions(int min_version, int max_version,
} else {
/* Regular TLS version checks. */
if (min_version == 0)
min_version = is_quic ? TLS1_3_VERSION : SSL3_VERSION;
min_version = SSL3_VERSION;
if (max_version == 0)
max_version = TLS1_3_VERSION;
#ifdef OPENSSL_NO_TLS1_3
@ -764,17 +763,8 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
s->max_proto_version = ctx->max_proto_version;
}
s->min_proto_version = ctx->min_proto_version;
if (IS_QUIC_CTX(ctx) && s->min_proto_version < TLS1_3_VERSION)
s->min_proto_version = TLS1_3_VERSION;
s->max_proto_version = ctx->max_proto_version;
if (IS_QUIC_CTX(ctx) && s->max_proto_version < TLS1_3_VERSION)
s->max_proto_version = 0;
s->mode = ctx->mode;
s->max_cert_list = ctx->max_cert_list;
if (!IS_QUIC_CTX(ctx)) {
s->max_early_data = ctx->max_early_data;
s->recv_max_early_data = ctx->recv_max_early_data;
@ -806,11 +796,9 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
s->msg_callback_arg = ctx->msg_callback_arg;
s->verify_mode = ctx->verify_mode;
s->not_resumable_session_cb = ctx->not_resumable_session_cb;
if (!IS_QUIC_CTX(ctx)) {
s->rlayer.record_padding_cb = ctx->record_padding_cb;
s->rlayer.record_padding_arg = ctx->record_padding_arg;
s->rlayer.block_padding = ctx->block_padding;
}
s->rlayer.record_padding_cb = ctx->record_padding_cb;
s->rlayer.record_padding_arg = ctx->record_padding_arg;
s->rlayer.block_padding = ctx->block_padding;
s->sid_ctx_length = ctx->sid_ctx_length;
if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)))
goto err;
@ -1672,12 +1660,27 @@ int SSL_get_wfd(const SSL *s)
}
#ifndef OPENSSL_NO_SOCK
static const BIO_METHOD *fd_method(SSL *s)
{
#ifndef OPENSSL_NO_DGRAM
if (IS_QUIC(s))
return BIO_s_datagram();
#endif
return BIO_s_socket();
}
int SSL_set_fd(SSL *s, int fd)
{
int ret = 0;
BIO *bio = NULL;
bio = BIO_new(IS_QUIC_SSL(s) ? BIO_s_datagram() : BIO_s_socket());
if (s->type == SSL_TYPE_QUIC_XSO) {
ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
goto err;
}
bio = BIO_new(fd_method(s));
if (bio == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
@ -1702,11 +1705,16 @@ int SSL_set_fd(SSL *s, int fd)
int SSL_set_wfd(SSL *s, int fd)
{
BIO *rbio = SSL_get_rbio(s);
int desired_type = IS_QUIC_SSL(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
if (s->type == SSL_TYPE_QUIC_XSO) {
ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
return 0;
}
if (rbio == NULL || BIO_method_type(rbio) != desired_type
|| (int)BIO_get_fd(rbio, NULL) != fd) {
BIO *bio = BIO_new(IS_QUIC_SSL(s) ? BIO_s_datagram() : BIO_s_socket());
BIO *bio = BIO_new(fd_method(s));
if (bio == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
@ -1733,11 +1741,16 @@ int SSL_set_wfd(SSL *s, int fd)
int SSL_set_rfd(SSL *s, int fd)
{
BIO *wbio = SSL_get_wbio(s);
int desired_type = IS_QUIC_SSL(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
int desired_type = IS_QUIC(s) ? BIO_TYPE_DGRAM : BIO_TYPE_SOCKET;
if (s->type == SSL_TYPE_QUIC_XSO) {
ERR_raise(ERR_LIB_SSL, SSL_R_CONN_USE_ONLY);
return 0;
}
if (wbio == NULL || BIO_method_type(wbio) != desired_type
|| ((int)BIO_get_fd(wbio, NULL) != fd)) {
BIO *bio = BIO_new(IS_QUIC_SSL(s) ? BIO_s_datagram() : BIO_s_socket());
BIO *bio = BIO_new(fd_method(s));
if (bio == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
@ -1857,7 +1870,7 @@ void SSL_set_read_ahead(SSL *s, int yes)
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
OSSL_PARAM options[2], *opts = options;
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return;
RECORD_LAYER_set_read_ahead(&sc->rlayer, yes);
@ -1874,7 +1887,7 @@ int SSL_get_read_ahead(const SSL *s)
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return 0;
return RECORD_LAYER_get_read_ahead(&sc->rlayer);
@ -1899,10 +1912,6 @@ int SSL_pending(const SSL *s)
int SSL_has_pending(const SSL *s)
{
#ifndef OPENSSL_NO_QUIC
const QUIC_CONNECTION *qc = QUIC_CONNECTION_FROM_SSL(s);
#endif
/*
* Similar to SSL_pending() but returns a 1 to indicate that we have
* processed or unprocessed data available or 0 otherwise (as opposed to the
@ -1920,11 +1929,6 @@ int SSL_has_pending(const SSL *s)
sc = SSL_CONNECTION_FROM_CONST_SSL(s);
#ifndef OPENSSL_NO_QUIC
if (qc != NULL)
return ossl_quic_has_pending(qc);
#endif
/* Check buffered app data if any first */
if (SSL_CONNECTION_IS_DTLS(sc)) {
TLS_RECORD *rdata;
@ -2364,10 +2368,8 @@ int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes)
int ret;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
if (sc == NULL)
return 0;
if (!sc->server) {
/* TODO(QUIC 0RTT): 0-RTT support */
if (sc == NULL || !sc->server) {
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return SSL_READ_EARLY_DATA_ERROR;
}
@ -2421,6 +2423,7 @@ int SSL_get_early_data_status(const SSL *s)
{
const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL_ONLY(s);
/* TODO(QUIC 0RTT): 0-RTT support */
if (sc == NULL)
return 0;
@ -2909,11 +2912,11 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
switch (cmd) {
case SSL_CTRL_GET_READ_AHEAD:
if (IS_QUIC_SSL(s))
if (IS_QUIC(s))
return 0;
return RECORD_LAYER_get_read_ahead(&sc->rlayer);
case SSL_CTRL_SET_READ_AHEAD:
if (IS_QUIC_SSL(s))
if (IS_QUIC(s))
return 0;
l = RECORD_LAYER_get_read_ahead(&sc->rlayer);
RECORD_LAYER_set_read_ahead(&sc->rlayer, larg);
@ -2945,7 +2948,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
sc->max_cert_list = (size_t)larg;
return l;
case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH || IS_QUIC_SSL(s))
if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH || IS_QUIC(s))
return 0;
#ifndef OPENSSL_NO_KTLS
if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
@ -2957,12 +2960,12 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg);
return 1;
case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
if ((size_t)larg > sc->max_send_fragment || larg == 0 || IS_QUIC_SSL(s))
if ((size_t)larg > sc->max_send_fragment || larg == 0 || IS_QUIC(s))
return 0;
sc->split_send_fragment = larg;
return 1;
case SSL_CTRL_SET_MAX_PIPELINES:
if (larg < 1 || larg > SSL_MAX_PIPELINES || IS_QUIC_SSL(s))
if (larg < 1 || larg > SSL_MAX_PIPELINES || IS_QUIC(s))
return 0;
sc->max_pipelines = larg;
if (sc->rlayer.rrlmethod->set_max_pipelines != NULL)
@ -2995,17 +2998,13 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
else
return 0;
case SSL_CTRL_SET_MIN_PROTO_VERSION:
return ssl_check_allowed_versions(larg, sc->max_proto_version,
IS_QUIC_SSL(s))
return ssl_check_allowed_versions(larg, sc->max_proto_version)
&& ssl_set_version_bound(s->defltmeth->version, (int)larg,
&sc->min_proto_version);
case SSL_CTRL_GET_MIN_PROTO_VERSION:
return sc->min_proto_version;
case SSL_CTRL_SET_MAX_PROTO_VERSION:
if (IS_QUIC_SSL(s) && larg < TLS1_3_VERSION)
return 0;
return ssl_check_allowed_versions(sc->min_proto_version, larg,
IS_QUIC_SSL(s))
return ssl_check_allowed_versions(sc->min_proto_version, larg)
&& ssl_set_version_bound(s->defltmeth->version, (int)larg,
&sc->max_proto_version);
case SSL_CTRL_GET_MAX_PROTO_VERSION:
@ -3138,13 +3137,13 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_CLEAR_CERT_FLAGS:
return (ctx->cert->cert_flags &= ~larg);
case SSL_CTRL_SET_MIN_PROTO_VERSION:
return ssl_check_allowed_versions(larg, ctx->max_proto_version, 0)
return ssl_check_allowed_versions(larg, ctx->max_proto_version)
&& ssl_set_version_bound(ctx->method->version, (int)larg,
&ctx->min_proto_version);
case SSL_CTRL_GET_MIN_PROTO_VERSION:
return ctx->min_proto_version;
case SSL_CTRL_SET_MAX_PROTO_VERSION:
return ssl_check_allowed_versions(ctx->min_proto_version, larg, 0)
return ssl_check_allowed_versions(ctx->min_proto_version, larg)
&& ssl_set_version_bound(ctx->method->version, (int)larg,
&ctx->max_proto_version);
case SSL_CTRL_GET_MAX_PROTO_VERSION:
@ -5675,7 +5674,7 @@ int SSL_set_record_padding_callback(SSL *ssl,
BIO *b;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
if (sc == NULL || IS_QUIC_SSL(ssl))
if (sc == NULL || IS_QUIC(ssl))
return 0;
b = SSL_get_wbio(ssl);
@ -5710,7 +5709,7 @@ int SSL_set_block_padding(SSL *ssl, size_t block_size)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
if (sc == NULL || (IS_QUIC_SSL(ssl) && block_size > 1))
if (sc == NULL || (IS_QUIC(ssl) && block_size > 1))
return 0;
/* block size of 0 or 1 is basically no padding */
@ -6606,7 +6605,7 @@ int SSL_free_buffers(SSL *ssl)
return 0;
/* QUIC buffers are always 'in use'. */
if (IS_QUIC_SSL(ssl))
if (IS_QUIC(ssl))
return 0;
rl = &sc->rlayer;
@ -6624,7 +6623,7 @@ int SSL_alloc_buffers(SSL *ssl)
return 0;
/* QUIC always has buffers allocated. */
if (IS_QUIC_SSL(ssl))
if (IS_QUIC(ssl))
return 1;
rl = &sc->rlayer;
@ -6912,7 +6911,7 @@ int SSL_set_max_early_data(SSL *s, uint32_t max_early_data)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return 0;
sc->max_early_data = max_early_data;
@ -6946,7 +6945,7 @@ int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return 0;
sc->recv_max_early_data = recv_max_early_data;
@ -6994,7 +6993,7 @@ int SSL_stateless(SSL *s)
int ret;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return 0;
/* Ensure there is no state left over from a previous invocation */
@ -7024,10 +7023,9 @@ void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
void SSL_set_post_handshake_auth(SSL *ssl, int val)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
#ifndef OPENSSL_NO_QUIC
QUIC_CONNECTION *qc = QUIC_CONNECTION_FROM_SSL(ssl);
if (qc != NULL)
#ifndef OPENSSL_NO_QUIC
if (IS_QUIC(ssl))
return;
#endif
@ -7040,10 +7038,9 @@ void SSL_set_post_handshake_auth(SSL *ssl, int val)
int SSL_verify_client_post_handshake(SSL *ssl)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
#ifndef OPENSSL_NO_QUIC
QUIC_CONNECTION *qc = QUIC_CONNECTION_FROM_SSL(ssl);
if (qc != NULL) {
#ifndef OPENSSL_NO_QUIC
if (IS_QUIC(ssl)) {
ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
return 0;
}
@ -7122,7 +7119,7 @@ void SSL_set_allow_early_data_cb(SSL *s,
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL || IS_QUIC_SSL(s))
if (sc == NULL || IS_QUIC(s))
return;
sc->allow_early_data_cb = cb;

3
ssl/t1_lib.c
View File

@ -24,6 +24,7 @@
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
#include "ssl_local.h"
#include "quic/quic_local.h"
#include <openssl/ct.h>
static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey);
@ -3866,7 +3867,7 @@ int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode)
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ssl);
if (sc == NULL
|| (IS_QUIC_SSL(ssl) && mode != TLSEXT_max_fragment_length_DISABLED))
|| (IS_QUIC(ssl) && mode != TLSEXT_max_fragment_length_DISABLED))
return 0;
if (mode != TLSEXT_max_fragment_length_DISABLED

5
test/quicapitest.c
View File

@ -501,11 +501,6 @@ static int test_quic_forbidden_options(void)
|| !TEST_false(SSL_set_max_pipelines(ssl, 2)))
goto err;
/* Protocol Version */
if (!TEST_false(SSL_set_max_proto_version(ssl, TLS1_2_VERSION))
|| !TEST_true(SSL_set_max_proto_version(ssl, TLS1_3_VERSION)))
goto err;
/* HRR */
if (!TEST_false(SSL_stateless(ssl)))
goto err;

29
test/ssl-tests/31-quic.cnf
View File

@ -1,29 +0,0 @@
# Generated with generate_ssl_tests.pl
num_tests = 1
test-0 = 0-certstatus-good
# ===========================================================
[0-certstatus-good]
ssl_conf = 0-certstatus-good-ssl
[0-certstatus-good-ssl]
server = 0-certstatus-good-server
client = 0-certstatus-good-client
[0-certstatus-good-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-certstatus-good-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedResult = Success
Method = QUIC

28
test/ssl-tests/31-quic.cnf.in
View File

@ -1,28 +0,0 @@
# -*- mode: perl; -*-
# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Basic test of the QUIC protocol
use strict;
use warnings;
package ssltests;
our @tests = (
{
name => "certstatus-good",
server => {},
client => {},
test => {
"Method" => "QUIC",
"ExpectedResult" => "Success"
}
}
);