QUIC TLS: Prohibit SRTP-related calls for QUIC TLS
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20061)
This commit is contained in:
parent
43788fb3ac
commit
f082205bcf
@ -116,6 +116,8 @@ master key length and the salt length as defined for the protection profile in
|
||||
use. This provides the client write master key, the server write master key, the
|
||||
client write master salt and the server write master salt in that order.
|
||||
|
||||
These functions cannot be used with QUIC SSL objects.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_CTX_set_tlsext_use_srtp() and SSL_set_tlsext_use_srtp() return 0 on success
|
||||
|
@ -139,6 +139,9 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
|
||||
|
||||
int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
|
||||
{
|
||||
if (IS_QUIC_METHOD(ctx->method))
|
||||
return 1;
|
||||
|
||||
return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);
|
||||
}
|
||||
|
||||
@ -147,7 +150,7 @@ int SSL_set_tlsext_use_srtp(SSL *s, const char *profiles)
|
||||
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
|
||||
|
||||
if (sc == NULL)
|
||||
return 0;
|
||||
return 1;
|
||||
|
||||
return ssl_ctx_make_profiles(profiles, &sc->srtp_profiles);
|
||||
}
|
||||
|
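Review bot: Both new rejection paths return 1 (the failure value for these functions, per the inverted convention the test comments spell out) without pushing anything onto the error queue, so a caller checking `ERR_get_error()` afterwards sees nothing and cannot distinguish "QUIC object" from a genuine profile-parsing failure that `ssl_ctx_make_profiles` presumably does report. I would add `ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED);` before the `return 1;` in the `IS_QUIC_METHOD` branch of SSL_CTX_set_tlsext_use_srtp and before the `return 1;` in the `sc == NULL` branch of SSL_set_tlsext_use_srtp (or another reason code if the tree has a more specific one). Note that the `sc == NULL` branch previously returned 0, i.e. success; if SSL_CONNECTION_FROM_SSL_ONLY also yields NULL for a NULL `s`, a NULL argument now fails where it used to succeed, which is worth a line in the commit message. The body of SSL_set_tlsext_use_srtp begins outside this hunk.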
@ -323,8 +323,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
|
||||
if (qc->tls == NULL || (sc = SSL_CONNECTION_FROM_SSL(qc->tls)) == NULL)
|
||||
goto err;
|
||||
/* override the user_ssl of the inner connection */
|
||||
sc->user_ssl = ssl_base;
|
||||
sc->flags |= TLS1_FLAGS_QUIC;
|
||||
sc->user_ssl = ssl_base;
|
||||
sc->s3.flags |= TLS1_FLAGS_QUIC;
|
||||
|
||||
#if defined(OPENSSL_THREADS)
|
||||
if ((qc->mutex = ossl_crypto_mutex_new()) == NULL)
|
||||
|
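Review bot: Moving `TLS1_FLAGS_QUIC` from `sc->flags` to `sc->s3.flags` is a silent behaviour change that the commit message does not mention and that the new test does not exercise (test_quic_forbidden_apis only reaches `IS_QUIC_METHOD` and `SSL_CONNECTION_FROM_SSL_ONLY`, never this bit); if the handshake layer reads the flag from `s3.flags`, the marker was previously never observed, which deserves saying. I would extend the existing comment to `/* Mark the inner TLS connection as QUIC-owned; the handshake layer tests this bit in s3.flags, not in sc->flags */` and add a test that constructs a QUIC SSL object and checks one behaviour gated on the flag. ossl_quic_new begins and ends outside this hunk.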
@ -216,7 +216,8 @@ void ossl_quic_conn_on_remote_conn_close(QUIC_CONNECTION *qc,
|
||||
int ossl_quic_trace(int write_p, int version, int content_type,
|
||||
const void *buf, size_t msglen, SSL *ssl, void *arg);
|
||||
|
||||
# define OSSL_QUIC_ANY_VERSION 0xFFFFF
|
||||
# define OSSL_QUIC_ANY_VERSION 0x5155
|
||||
# define IS_QUIC_METHOD(m) ((m)->version == OSSL_QUIC_ANY_VERSION)
|
||||
|
||||
# define QUIC_CONNECTION_FROM_SSL_int(ssl, c) \
|
||||
((ssl) == NULL ? NULL \
|
||||
|
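Review bot: The new value `0x5155` for OSSL_QUIC_ANY_VERSION carries no comment explaining why it replaced 0xFFFFF or how it was chosen (it reads as ASCII "QU", presumably deliberate), and `IS_QUIC_METHOD` depends on it never colliding with a real protocol version stored in `method->version`. I would document that on the define: `/* Sentinel stored in SSL_METHOD->version for QUIC methods (ASCII "QU"); must stay distinct from every TLS/DTLS version number and, unlike 0xFFFFF, fits in 16 bits */` — whether the 16-bit fit was the motivation should be confirmed and stated. The macro dereferences `m` without a NULL guard, so callers such as `IS_QUIC_METHOD(ctx->method)` must guarantee a non-NULL method.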
@ -313,6 +313,36 @@ static int test_ssl_trace(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Test that handshake-layer APIs which shouldn't work don't work with QUIC.
|
||||
*/
|
||||
static int test_quic_forbidden_apis(void)
|
||||
{
|
||||
int testresult = 0;
|
||||
SSL_CTX *ctx = NULL;
|
||||
SSL *ssl = NULL;
|
||||
|
||||
if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method())))
|
||||
goto err;
|
||||
|
||||
/* This function returns 0 on success and 1 on error, and should fail. */
|
||||
if (!TEST_true(SSL_CTX_set_tlsext_use_srtp(ctx, "SRTP_AEAD_AES_128_GCM")))
|
||||
goto err;
|
||||
|
||||
if (!TEST_ptr(ssl = SSL_new(ctx)))
|
||||
goto err;
|
||||
|
||||
/* This function returns 0 on success and 1 on error, and should fail. */
|
||||
if (!TEST_true(SSL_set_tlsext_use_srtp(ssl, "SRTP_AEAD_AES_128_GCM")))
|
||||
goto err;
|
||||
|
||||
testresult = 1;
|
||||
err:
|
||||
SSL_free(ssl);
|
||||
SSL_CTX_free(ctx);
|
||||
return testresult;
|
||||
}
|
||||
|
||||
OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n")
|
||||
|
||||
int setup_tests(void)
|
||||
@ -374,7 +404,7 @@ int setup_tests(void)
|
||||
#if !defined(OPENSSL_NO_SSL_TRACE) && !defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_ZLIB)
|
||||
ADD_TEST(test_ssl_trace);
|
||||
#endif
|
||||
|
||||
ADD_TEST(test_quic_forbidden_apis);
|
||||
return 1;
|
||||
err:
|
||||
cleanup_tests();
|
||||
|
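Review bot: test_quic_forbidden_apis checks only the return value of the two SRTP setters, so it would still pass if a rejection path returned 1 after storing the profiles; consider also asserting that no profile was recorded, e.g. `if (!TEST_ptr_null(SSL_get_srtp_profiles(ssl))) goto err;` after the second setter, provided that getter is not itself gated on the connection type (otherwise the check is vacuous and a lower-level inspection is needed). The test covers only OSSL_QUIC_client_method(); if a QUIC server method exists in this tree the same two assertions should run against it. Neither call is checked for an error-queue entry, which matches the current implementation but means a later `ERR_raise` on these paths would go untested.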