QUIC DISPATCH/APL: Add SSL_set_incoming_stream_reject_policy (unwired)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20765)

include/internal/quic_ssl.h

@@ -72,6 +72,8 @@ __owur uint64_t ossl_quic_get_stream_id(SSL *s);
 __owur int ossl_quic_set_default_stream_mode(SSL *s, uint32_t mode);
 __owur SSL *ossl_quic_detach_stream(SSL *s);
 __owur int ossl_quic_attach_stream(SSL *conn, SSL *stream);
+__owur int ossl_quic_set_incoming_stream_reject_policy(SSL *s, int policy,
+                                                       uint64_t aec);
 
 /*
  * Used to override ossl_time_now() for debug purposes. Must be called before

include/openssl/ssl.h.in

@@ -2288,6 +2288,11 @@ __owur int SSL_attach_stream(SSL *conn, SSL *stream);
 #define SSL_STREAM_FLAG_UNI     (1U << 0)
 __owur SSL *SSL_new_stream(SSL *s, uint64_t flags);
 
+#define SSL_INCOMING_STREAM_REJECT_POLICY_AUTO      0
+#define SSL_INCOMING_STREAM_REJECT_POLICY_ACCEPT    1
+#define SSL_INCOMING_STREAM_REJECT_POLICY_REJECT    2
+__owur int SSL_set_incoming_stream_reject_policy(SSL *s, int policy, uint64_t aec);
+
 # ifndef OPENSSL_NO_QUIC
 __owur int SSL_inject_net_dgram(SSL *s, const unsigned char *buf,
                                 size_t buf_len,

ssl/quic/quic_impl.c

@@ -296,6 +296,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     qc->default_stream_mode     = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI;
     qc->default_ssl_mode        = qc->ssl.ctx->mode;
     qc->default_blocking        = 1;
+    qc->incoming_stream_reject_policy
+        = SSL_INCOMING_STREAM_REJECT_POLICY_AUTO;
     qc->last_error              = SSL_ERROR_NONE;
 
     if (!create_channel(qc))
@@ -2093,6 +2095,38 @@ int ossl_quic_attach_stream(SSL *conn, SSL *stream)
     return 1;
 }
 
+/*
+ * SSL_set_incoming_stream_reject_policy
+ * -------------------------------------
+ */
+int ossl_quic_set_incoming_stream_reject_policy(SSL *s, int policy,
+                                                uint64_t aec)
+{
+    int ret = 1;
+    QCTX ctx;
+
+    if (!expect_quic_conn_only(s, &ctx))
+        return 0;
+
+    quic_lock(ctx.qc);
+
+    switch (policy) {
+    case SSL_INCOMING_STREAM_REJECT_POLICY_AUTO:
+    case SSL_INCOMING_STREAM_REJECT_POLICY_ACCEPT:
+    case SSL_INCOMING_STREAM_REJECT_POLICY_REJECT:
+        ctx.qc->incoming_stream_reject_policy = policy;
+        ctx.qc->incoming_stream_reject_aec    = aec;
+        break;
+
+    default:
+        ret = 0;
+        break;
+    }
+
+    quic_unlock(ctx.qc);
+    return ret;
+}
+
 /*
  * QUIC Front-End I/O API: SSL_CTX Management
  * ==========================================

ssl/quic/quic_local.h

@@ -178,6 +178,10 @@ struct quic_conn_st {
     /* SSL_set_mode. This is not used directly but inherited by new XSOs. */
     uint32_t                        default_ssl_mode;
 
+    /* SSL_set_incoming_stream_reject_policy. */
+    int                             incoming_stream_reject_policy;
+    uint64_t                        incoming_stream_reject_aec;
+
     /*
      * Last 'normal' error during an app-level I/O operation, used by
      * SSL_get_error(); used to track data-path errors like SSL_ERROR_WANT_READ

ssl/ssl_lib.c

@@ -7388,6 +7388,18 @@ int SSL_attach_stream(SSL *conn, SSL *stream)
 #endif
 }
 
+int SSL_set_incoming_stream_reject_policy(SSL *s, int policy, uint64_t aec)
+{
+#ifndef OPENSSL_NO_QUIC
+    if (!IS_QUIC(s))
+        return 0;
+
+    return ossl_quic_set_incoming_stream_reject_policy(s, policy, aec);
+#else
+    return 0;
+#endif
+}
+
 int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk)
 {
     unsigned char *data = NULL;

util/libssl.num

@@ -568,3 +568,4 @@ SSL_get_stream_id                       ?	3_2_0	EXIST::FUNCTION:
 SSL_set_default_stream_mode             ?	3_2_0	EXIST::FUNCTION:
 SSL_detach_stream                       ?	3_2_0	EXIST::FUNCTION:
 SSL_attach_stream                       ?	3_2_0	EXIST::FUNCTION:
+SSL_set_incoming_stream_reject_policy   ?	3_2_0	EXIST::FUNCTION: