Eliminate SSL_LISTENER_FLAG_NO_ACCEPT flag in QUIC

We've not implemented it yet, and don't need it for MVP, so move the
TODOs to QUIC FUTURE and remove the docs for it.

Fixes openssl/project#1074

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26593)
Neil Horman 2025-01-29 14:38:45 -05:00
parent a6f3110318
commit 3f06ebcfe3
3 changed files with 13 additions and 23 deletions


@ -5,7 +5,7 @@
SSL_new_listener, SSL_new_listener_from, SSL_is_listener, SSL_get0_listener,
SSL_listen,
SSL_accept_connection, SSL_get_accept_connection_queue_len,
SSL_new_from_listener, SSL_LISTENER_FLAG_NO_ACCEPT,
SSL_new_from_listener,
SSL_ACCEPT_CONNECTION_NO_BLOCK - SSL object interface for abstracted connection
acceptance
@ -13,7 +13,6 @@ acceptance
#include <openssl/ssl.h>
#define SSL_LISTENER_FLAG_NO_ACCEPT
SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
@ -158,13 +157,6 @@ circumstances where it is desirable for multiple connections to share the same
underlying network resources. For example, multiple outgoing QUIC client
connections could be made to use the same underlying UDP socket.
To use client-only mode, pass the flag B<SSL_LISTENER_FLAG_NO_ACCEPT> when
calling SSL_new_listener(). In this mode, SSL_listen() still begins the process
of handling network resources, but incoming connections are never accepted.
Calling SSL_accept_connection() is an error and will return NULL. One or more
outgoing connections under a listener can then be created using the call
SSL_new_from_listener().
To disable client address validation on a listener SSL object, the flag
B<SSL_LISTENER_FLAG_NO_VALIDATE> may be passed in the flags field of both
SSL_new_listener() and SSL_new_listener_from(). Note that this flag only
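Review bot: dropping the whole client-only-mode paragraph leaves the retained lead-in ("For example, multiple outgoing QUIC client connections could be made to use the same underlying UDP socket.") with no statement of how an application actually creates those outgoing connections, and the text then jumps straight to SSL_LISTENER_FLAG_NO_VALIDATE. The only part of the removed text that was tied to the unimplemented flag is the first sentence; the last sentence, "One or more outgoing connections under a listener can then be created using the call SSL_new_from_listener()", still describes a function that exists. Suggest keeping that one sentence (reworded without "then" and without the flag) so the example above remains actionable.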
@ -177,21 +169,13 @@ numbers of connections and never transact data on them (roughly equivalent to
a TCP syn flood attack), which address validation mitigates.
The SSL_new_from_listener() creates a client connection under a given listener
SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
conjunction with a listener which does accept incoming connections (i.e., which
was not created using B<SSL_LISTENER_FLAG_NO_ACCEPT>), leading to a UDP network
endpoint which has both incoming and outgoing connections.
SSL object. For QUIC, it is also possible to use SSL_new_from_listener(),
leading to a UDP network endpoint which has both incoming and outgoing'
connections.
The I<flags> argument of SSL_new_from_listener() is reserved and must be set to
0.
Creating a listener using a B<SSL_CTX> which uses a client-oriented
B<SSL_METHOD> such as L<OSSL_QUIC_client_method(3)> or
L<OSSL_QUIC_client_thread_method(3)> automatically implies the
B<SSL_LISTENER_FLAG_NO_ACCEPT> flag. The B<SSL_LISTENER_FLAG_NO_ACCEPT> flag may
optionally also be specified in this case but is ignored. This is an alternative
way of using the listener functionality in client-only mode.
=head1 RETURN VALUES
SSL_new_listener() and SSL_new_listener_from() return a new listener SSL object
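Review bot: the added line "leading to a UDP network endpoint which has both incoming and outgoing'" carries a stray apostrophe at the end of "outgoing'", which will show up verbatim in the rendered man page; please drop it. The new sentence pair also reads oddly: "The SSL_new_from_listener() creates a client connection under a given listener SSL object. For QUIC, it is also possible to use SSL_new_from_listener(), leading to ..." names the same function twice without saying what the second use adds, because the distinguishing clause about a listener that accepts incoming connections was removed along with the flag reference. Suggest "For QUIC, SSL_new_from_listener() may also be used with a listener that accepts incoming connections, leading to a UDP network endpoint which has both incoming and outgoing connections." Finally, with the paragraph about client-oriented methods (OSSL_QUIC_client_method(3) and OSSL_QUIC_client_thread_method(3)) gone, the page no longer says anything about what a listener created from a client-oriented SSL_CTX does; if that case is still supported, one sentence stating its behaviour without reference to the flag would be worth keeping.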


@ -2309,7 +2309,6 @@ __owur int SSL_is_connection(SSL *s);
__owur int SSL_is_listener(SSL *ssl);
__owur SSL *SSL_get0_listener(SSL *s);
#define SSL_LISTENER_FLAG_NO_ACCEPT (1UL << 0)
#define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1)
__owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
__owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
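Review bot: keeping SSL_LISTENER_FLAG_NO_VALIDATE at (1UL << 1) rather than renumbering it to bit 0 is the right call, since a renumber would silently change the meaning of a value any existing caller has already compiled in; a short comment reserving bit 0 (or a note that it is intentionally unused) would stop a future flag from reusing it with different semantics. Also worth considering: neither ossl_quic_new_listener() nor ossl_quic_new_listener_from() in the hunks below is shown rejecting unknown bits in flags, so a caller still passing the old (1UL << 0) value will get a listener that accepts connections without any error. If flags are meant to be validated, this is the moment to add that check.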


@ -4269,7 +4269,7 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
goto err;
}
/* TODO(QUIC SERVER): Implement SSL_LISTENER_FLAG_NO_ACCEPT */
/* TODO(QUIC FUTURE): Implement SSL_LISTENER_FLAG_NO_ACCEPT */
ossl_quic_port_set_allow_incoming(ql->port, 1);
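Review bot: the one-line TODO here does not say that the unconditional ossl_quic_port_set_allow_incoming(ql->port, 1) immediately below is the call the future flag would gate, whereas the matching placeholder in ossl_quic_new_listener_from() gets a full explanation. Suggest either repeating that explanation here or pointing at the other site ("see the comment in ossl_quic_new_listener_from()"), so the two placeholders stay in sync when the flag is eventually implemented.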
@ -4332,7 +4332,14 @@ SSL *ossl_quic_new_listener_from(SSL *ssl, uint64_t flags)
ql->mutex = ctx.qd->mutex;
#endif
/* TODO(QUIC SERVER): Implement SSL_LISTENER_FLAG_NO_ACCEPT */
/*
* TODO(QUIC FUTURE): Implement SSL_LISTENER_FLAG_NO_ACCEPT
* Given that we have apis to create client SSL objects from
* server SSL objects (see SSL_new_from_listener), we have aspirations
* to enable a flag that allows for the creation of the latter, but not
* be used to do accept any connections. This is a placeholder for the
* implementation of that flag
*/
ossl_quic_port_set_allow_incoming(ql->port, 1);
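Review bot: the wording "that allows for the creation of the latter, but not be used to do accept any connections" is garbled and will confuse whoever picks this TODO up later; suggest "a flag that permits creating client SSL objects under the listener while preventing it from accepting any connections". It would also help to state explicitly that implementing the flag means passing 0 instead of 1 to ossl_quic_port_set_allow_incoming() below, since that is the only behavioural change the placeholder is standing in for.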