Commit c6eb738370 for openssl.org
commit c6eb7383702638c89b71884551eb1f990b6886a5
Author: Neil Horman <nhorman@openssl.org>
Date: Fri Apr 11 14:52:42 2025 -0400
Add flag to determine how quic accepts connections
The flag defaults to 0 (unknown), and gets set to
1 (using SSL_accept_ex), or -1 (using SSL_accept_connection)
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27397)
diff --git a/include/internal/quic_port.h b/include/internal/quic_port.h
index 6a4dde81da..bf8edda1ae 100644
--- a/include/internal/quic_port.h
+++ b/include/internal/quic_port.h
@@ -159,6 +159,11 @@ size_t ossl_quic_port_get_num_incoming_channels(const QUIC_PORT *port);
/* Sets if incoming connections should currently be allowed. */
void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming);
+/* Sets flag to indicate we are using SSL_listen_ex to get connections */
+void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff);
+
+int ossl_quic_port_get_using_peeloff(QUIC_PORT *port);
+
/* Returns 1 if we are using addressed mode on the read side. */
int ossl_quic_port_is_addressed_r(const QUIC_PORT *port);
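Review bot: The comment on the new setter says SSL_listen_ex, but the commit message and the error strings added in quic_impl.c identify the peel-off API as SSL_accept_ex, so the header documents a function name the rest of the change never uses; `/* Accept-mode latch: 1 once SSL_accept_ex has been used, -1 once SSL_accept_connection has been used, 0 while undecided. */` describes the three values the commit message defines. The getter is also the only accessor in this group that takes a non-const port, unlike `ossl_quic_port_is_addressed_r` directly below it; `int ossl_quic_port_get_using_peeloff(const QUIC_PORT *port);` matches its neighbours, with the same change to the definition in the quic_port.c hunk. A one-line comment on the getter, e.g. `/* Returns the accept-mode latch set above. */`, keeps the header self-describing.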
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 51cabf3fd9..c141fa7052 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4643,12 +4643,21 @@ int ossl_quic_peeloff_conn(SSL *listener, SSL *new_conn)
return 0;
qctx_lock_for_io(&lctx);
+ if (ossl_quic_port_get_using_peeloff(lctx.ql->port) == -1) {
+ QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
+ "This listener is using SSL_accept_connection");
+ ret = -1;
+ goto out;
+ }
+
+ ossl_quic_port_set_using_peeloff(lctx.ql->port, 1);
new_ch = ossl_quic_port_pop_incoming(lctx.ql->port);
if (new_ch != NULL) {
/*
* Do our cloning work here
*/
}
+out:
qctx_unlock(&lctx);
return ret;
}
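Review bot: The latch at `ossl_quic_port_set_using_peeloff(lctx.ql->port, 1);` is written before `ossl_quic_port_pop_incoming` is consulted, so a call that finds no pending connection still commits the listener to SSL_accept_ex, and nothing in this change resets it; if that is intended, a comment would save the next reader a trip to the other hunk, e.g. `/* First use of either accept API latches the listener; the other API is rejected from then on. */`. The rejected-mode branch returns -1 through `ret`, whose initialisation and documented meaning lie outside the hunk, so confirm -1 is a value callers of ossl_quic_peeloff_conn already distinguish from the no-connection-yet case. ossl_quic_peeloff_conn begins before this hunk.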
@@ -4689,6 +4698,14 @@ SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags)
if (!ql_listen(ctx.ql))
goto out;
+ if (ossl_quic_get_using_peeloff(ctx.ql->port) == 1) {
+ QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED,
+ "This listener is using SSL_accept_ex");
+ goto out;
+ }
+
+ ossl_quic_set_using_peeloff(ctx.ql->port, -1);
+
/* Wait for an incoming connection if needed. */
new_ch = ossl_quic_port_pop_incoming(ctx.ql->port);
if (new_ch == NULL && ossl_quic_port_is_running(ctx.ql->port)) {
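Review bot: The calls `ossl_quic_get_using_peeloff(ctx.ql->port)` and `ossl_quic_set_using_peeloff(ctx.ql->port, -1)` use names that differ from the accessors this commit declares in quic_port.h and defines in quic_port.c (`ossl_quic_port_get_using_peeloff` / `ossl_quic_port_set_using_peeloff`) and from the ones the previous hunk in this file calls; unless quic_impl.c already defines wrappers under these names elsewhere, this is an implicit declaration that will fail to compile or link. The two lines should read `if (ossl_quic_port_get_using_peeloff(ctx.ql->port) == 1) {` and `ossl_quic_port_set_using_peeloff(ctx.ql->port, -1);`. ossl_quic_accept_connection continues past the hunk, so what the `out:` label does after the new goto is not visible here.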
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 1fc0509213..8264699f87 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -648,6 +648,16 @@ void ossl_quic_port_set_allow_incoming(QUIC_PORT *port, int allow_incoming)
port->allow_incoming = allow_incoming;
}
+void ossl_quic_port_set_using_peeloff(QUIC_PORT *port, int using_peeloff)
+{
+ port->using_peeloff = using_peeloff;
+}
+
+int ossl_quic_port_get_using_peeloff(QUIC_PORT *port)
+{
+ return port->using_peeloff;
+}
+
/*
* QUIC Port: Ticker-Mutator
* =========================
diff --git a/ssl/quic/quic_port_local.h b/ssl/quic/quic_port_local.h
index e36272a94d..39a9094e2c 100644
--- a/ssl/quic/quic_port_local.h
+++ b/ssl/quic/quic_port_local.h
@@ -114,6 +114,9 @@ struct quic_port_st {
/* Has the BIO been changed since we last updated reactor pollability? */
unsigned int bio_changed : 1;
+ /* Are we using SSL_listen_ex to peeloff connections */
+ unsigned int using_peeloff;
+
/* AES-256 GCM context for token encryption */
EVP_CIPHER_CTX *token_ctx;
};
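Review bot: `unsigned int using_peeloff;` cannot represent the -1 that ossl_quic_accept_connection stores through the `int` parameter of the setter in the quic_port.c hunk: the store wraps to UINT_MAX and the getter's `return port->using_peeloff;` converts that back to `int`, which is implementation-defined under C11 6.3.1.3 rather than guaranteed to yield -1, and `-Wconversion` will flag both accessors. Declaring the field as `int using_peeloff;` matches the setter and getter types and the three values the commit message defines. The comment above the field also says SSL_listen_ex where the rest of the change says SSL_accept_ex; `/* Accept-mode latch: 0 undecided, 1 SSL_accept_ex, -1 SSL_accept_connection */` documents the actual states.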