Fix SSL_new() with QUIC_server_method and improve formatting (Fixes #27255)

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27264)
2025-04-04 17:08:22 +05:30 · 2025-04-04 17:08:22 +05:30 · 5341e271d9
parent 0a16bb7e74
commit 5341e271d9
2 changed files with 44 additions and 1 deletions
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@ -561,6 +561,15 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
    QUIC_CONNECTION *qc = NULL;
    SSL_CONNECTION *sc = NULL;

+    /*
+     * QUIC_server_method should not be used with SSL_new.
+     * It should only be used with SSL_new_listener.
+     */
+    if (ctx->method == OSSL_QUIC_server_method()) {
+        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL);
+        return NULL;
+    }
+
    qc = OPENSSL_zalloc(sizeof(*qc));
    if (qc == NULL) {
        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL);
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@ -2654,10 +2654,43 @@ static int test_ssl_new_from_listener(void)
    return testresult;
 }

-/***********************************************************************************/
+static int test_server_method_with_ssl_new(void)
+{
+    SSL_CTX *ctx = NULL;
+    SSL *ssl = NULL;
+    int ret = 0;
+    unsigned long err;

+    /* Create a new SSL_CTX using the QUIC server method */
+    ctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_server_method());
+    if (!TEST_ptr(ctx))
+        goto end;
+
+    /* Try to create a new SSL object - this should fail */
+    ssl = SSL_new(ctx);
+
+    /* Check that SSL_new() returned NULL */
+    if (!TEST_ptr_null(ssl))
+        goto end;
+
+    /* Check for the expected error */
+    err = ERR_peek_error();
+    if (!TEST_true(ERR_GET_LIB(err) == ERR_LIB_SSL &&
+                   ERR_GET_REASON(err) == ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED))
+        goto end;
+
+    ret = 1;
+
+end:
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+    return ret;
+}
+
+/***********************************************************************************/
 OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n")

+
 int setup_tests(void)
 {
    char *modulename;
@ -2753,6 +2786,7 @@ int setup_tests(void)
 #ifndef OPENSSL_NO_SSL_TRACE
    ADD_TEST(test_new_token);
 #endif
+    ADD_TEST(test_server_method_with_ssl_new);
    return 1;
 err:
    cleanup_tests();