Add a public flag to disable address validation on listeners

Now that we have the infrastructure to skip address validation, add a
public flag to SSL_new_listener and SSL_new_listener_from that allows
address validation to be skipped on selected QUIC listener SSL objects

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26114)
Neil Horman 2024-12-04 09:25:12 -05:00
parent 0746d4628e
commit 60762be09b
4 changed files with 10 additions and 1 deletions


@ -163,6 +163,10 @@ Calling SSL_accept_connection() is an error and will return NULL. One or more
outgoing connections under a listener can then be created using the call
SSL_new_from_listener().
To disable client address validation on a listener SSL object, the flag
B<SSL_LISTENER_FLAG_NO_VALIDATE> may be passed in the flags field of both
SSL_new_listener() and SSL_new_listener_from().
The SSL_new_from_listener() creates a client connection under a given listener
SSL object. For QUIC, it is also possible to use SSL_new_from_listener() in
conjunction with a listener which does accept incoming connections (i.e., which


@ -2305,6 +2305,7 @@ __owur int SSL_is_connection(SSL *s);
__owur int SSL_is_listener(SSL *ssl);
__owur SSL *SSL_get0_listener(SSL *s);
#define SSL_LISTENER_FLAG_NO_ACCEPT (1UL << 0)
#define SSL_LISTENER_FLAG_NO_VALIDATE (1UL << 1)
__owur SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
__owur SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
__owur SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags);
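Review bot: The new SSL_LISTENER_FLAG_NO_VALIDATE define carries no comment saying what it switches off, so a reader of the header has to go to the manpage to learn that it disables client address validation on the listener; I would put `/* Skip client address validation on this listener; see SSL_new_listener(3) */` on the line above it. The mask is built with `1UL` while the flags parameters on the next three lines are uint64_t; at bit 1 this is harmless, but any future bit above 31 would need a 64-bit constant such as `UINT64_C(1) << n` to be correct on 32-bit targets, so it may be worth switching both listener flags now while there are only two.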


@ -4233,6 +4233,8 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
port_args.channel_ctx = ctx;
port_args.is_multi_conn = 1;
if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
port_args.do_addr_validation = 1;
ql->port = ossl_quic_engine_create_port(ql->engine, &port_args);
if (ql->port == NULL) {
QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
@ -4286,6 +4288,8 @@ SSL *ossl_quic_new_listener_from(SSL *ssl, uint64_t flags)
port_args.channel_ctx = ssl->ctx;
port_args.is_multi_conn = 1;
if ((flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0)
port_args.do_addr_validation = 1;
ql->port = ossl_quic_engine_create_port(ctx.qd->engine, &port_args);
if (ql->port == NULL) {
QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
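Review bot: In both hunks the new condition only ever sets do_addr_validation to 1, so the "validation disabled" path relies on port_args having been zeroed earlier in ossl_quic_new_listener and ossl_quic_new_listener_from, which is outside the hunk; if that initialisation is ever dropped the field is left indeterminate. A single assignment removes the dependency and states the intent directly: `port_args.do_addr_validation = (flags & SSL_LISTENER_FLAG_NO_VALIDATE) == 0;`. Because clearing this field is what lets the port act on packets from unverified source addresses, a short why-comment at that line, e.g. `/* Address validation stays on unless the caller explicitly opted out */`, would help the next reader see that the default is the safe one. The same applies to both hunks; both enclosing functions start and end outside the hunks.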


@ -128,7 +128,7 @@ QUIC_TSERVER *ossl_quic_tserver_new(const QUIC_TSERVER_ARGS *args,
port_args.channel_ctx = srv->ctx;
port_args.is_multi_conn = 1;
port_args.do_addr_validation = 1;
if ((srv->port = ossl_quic_engine_create_port(srv->engine, &port_args)) == NULL)
goto err;