Add SSL_get_peer_addr() function to query peer address for QUIC

This change introduces a new public API symbol: SSL_get_peer_addr(). The change is QUIC-only, there are no changes for TLS connections - API: add peer address query for QUIC connections * Internal: declare/implement ossl_quic_get_peer_addr(SSL*, BIO_ADDR*) * Public: declare/implement SSL_get_peer_addr(SSL*, BIO_ADDR*) Rationale: - Allow applications to retrieve the remote UDP tuple for QUIC sessions (e.g., logging, access control, diagnostics) Provided documentation and test cases for SSL_get_peer_addr(). Set peer via channel API on new-conn. - In ch_on_new_conn_common(), BIO_ADDR_copy(&ch->cur_peer_addr, peer) was replaced with ossl_quic_channel_set_peer_addr(ch, peer) so addressed_mode is enabled at connection bring-up. Dropped redundant peer detection in create_qc_from_incoming_conn() The peer address is now propagated in ch_on_new_conn_common() via ossl_quic_channel_set_peer_addr(), so the channel is already in "addressed" mode. This also avoids querying the (unconnected) server UDP BIO, reduces duplication, and simplifies the accept path. All regression tests pass. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28690)
2025-09-28 15:03:32 +02:00 · 2025-09-28 15:03:32 +02:00 · beec4e146a
parent 2b97f4d300
commit beec4e146a
11 changed files with 287 additions and 3 deletions
--- a/doc/build.info
+++ b/doc/build.info
@ -2659,6 +2659,10 @@ DEPEND[html/man3/SSL_get_handshake_rtt.html]=man3/SSL_get_handshake_rtt.pod
 GENERATE[html/man3/SSL_get_handshake_rtt.html]=man3/SSL_get_handshake_rtt.pod
 DEPEND[man/man3/SSL_get_handshake_rtt.3]=man3/SSL_get_handshake_rtt.pod
 GENERATE[man/man3/SSL_get_handshake_rtt.3]=man3/SSL_get_handshake_rtt.pod
 DEPEND[html/man3/SSL_get_peer_addr.html]=man3/SSL_get_peer_addr.pod
 GENERATE[html/man3/SSL_get_peer_addr.html]=man3/SSL_get_peer_addr.pod
 DEPEND[man/man3/SSL_get_peer_addr.3]=man3/SSL_get_peer_addr.pod
 GENERATE[man/man3/SSL_get_peer_addr.3]=man3/SSL_get_peer_addr.pod
 DEPEND[html/man3/SSL_get_peer_cert_chain.html]=man3/SSL_get_peer_cert_chain.pod
 GENERATE[html/man3/SSL_get_peer_cert_chain.html]=man3/SSL_get_peer_cert_chain.pod
 DEPEND[man/man3/SSL_get_peer_cert_chain.3]=man3/SSL_get_peer_cert_chain.pod
@ -3716,6 +3720,7 @@ html/man3/SSL_get_event_timeout.html \
 html/man3/SSL_get_extms_support.html \
 html/man3/SSL_get_fd.html \
 html/man3/SSL_get_handshake_rtt.html \
 html/man3/SSL_get_peer_addr.html \
 html/man3/SSL_get_peer_cert_chain.html \
 html/man3/SSL_get_peer_certificate.html \
 html/man3/SSL_get_peer_signature_nid.html \
@ -4388,6 +4393,7 @@ man/man3/SSL_get_event_timeout.3 \
 man/man3/SSL_get_extms_support.3 \
 man/man3/SSL_get_fd.3 \
 man/man3/SSL_get_handshake_rtt.3 \
 man/man3/SSL_get_peer_addr.3 \
 man/man3/SSL_get_peer_cert_chain.3 \
 man/man3/SSL_get_peer_certificate.3 \
 man/man3/SSL_get_peer_signature_nid.3 \
--- a/doc/man3/SSL_get_peer_addr.pod
+++ b/doc/man3/SSL_get_peer_addr.pod
@ -0,0 +1,57 @@
 =pod
 =head1 NAME
 SSL_get_peer_addr - obtain the peer address of a QUIC connection
 =head1 SYNOPSIS
 #include <openssl/ssl.h>
 int SSL_get_peer_addr(SSL *ssl, BIO_ADDR *peer_addr);
 =head1 DESCRIPTION
 SSL_get_peer_addr() retrieves the peer address of a QUIC connection and stores
 it into the B<BIO_ADDR> structure pointed to by I<peer_addr>. The caller must
 supply a valid B<BIO_ADDR> object which will be filled in on success.
 This function is only meaningful when called on an SSL object which represents
 a QUIC connection or stream. It is not valid for non-QUIC SSL objects.
 =head1 NOTES
 The peer address identifies the remote endpoint of a QUIC connection. For UDP
 sockets used by QUIC, the kernel does not maintain a connected peer in the same
 sense as for TCP. Instead, the peer address is tracked in the QUIC connection
 state. SSL_get_peer_addr() provides a way to obtain this address information
 from OpenSSL.
 The B<BIO_ADDR> type is an OpenSSL abstraction which can represent
 both IPv4 and IPv6 socket addresses. Applications can get the address
 family via the L<BIO_ADDR(3)> API.
 =head1 RETURN VALUES
 SSL_get_peer_addr() returns 1 on success. On failure, or if called on an SSL
 object which is not a QUIC SSL object, 0 is returned and I<peer_addr> is left
 unchanged.
 =head1 SEE ALSO
 L<SSL_accept_connection(3)>, L<SSL_accept_stream(3)>, L<BIO_ADDR(3)>
 =head1 HISTORY
 This function was added in OpenSSL 4.0.
 =head1 COPYRIGHT
 Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 L<https://www.openssl.org/source/license.html>.
 =cut
--- a/doc/man7/openssl-quic.pod
+++ b/doc/man7/openssl-quic.pod
@ -710,6 +710,10 @@ or allow them to be handled using L<SSL_accept_stream(3)>.
 Used to configure or disable default stream mode; see the MODES OF OPERATION
 section for details.
 =item L<SSL_get_peer_addr(3)>
 Used to obtain the peer address from a QUIC connection or stream.
 =back
 The following BIO APIs are not specific to QUIC but have been added to
--- a/include/internal/quic_ssl.h
+++ b/include/internal/quic_ssl.h
@ -120,6 +120,7 @@ __owur int ossl_quic_set_value_uint(SSL *s, uint32_t class_, uint32_t id,
 __owur SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags);
 __owur size_t ossl_quic_get_accept_connection_queue_len(SSL *ssl);
 __owur int ossl_quic_listen(SSL *ssl);
 __owur int ossl_quic_get_peer_addr(SSL *ssl, BIO_ADDR *peer_addr);
 __owur int ossl_quic_stream_reset(SSL *ssl,
                                  const SSL_STREAM_RESET_ARGS *args,
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@ -2302,6 +2302,7 @@ size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
 /* QUIC support */
 int SSL_handle_events(SSL *s);
 __owur int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite);
 __owur int SSL_get_peer_addr(SSL *ssl, BIO_ADDR *peer_addr);
 __owur int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc);
 __owur int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc);
 __owur int SSL_net_read_desired(SSL *s);
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@ -3718,7 +3718,7 @@ static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
                                 const QUIC_CONN_ID *peer_odcid)
 {
    /* Note our newly learnt peer address and CIDs. */
-    if (!BIO_ADDR_copy(&ch->cur_peer_addr, peer))
+    if (!ossl_quic_channel_set_peer_addr(ch, peer))
        return 0;
    ch->init_dcid       = *peer_dcid;
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@ -4729,7 +4729,6 @@ static QUIC_CONNECTION *create_qc_from_incoming_conn(QUIC_LISTENER *ql, QUIC_CHA
        goto err;
    }
    ossl_quic_channel_get_peer_addr(ch, &qc->init_peer_addr); /* best effort */
    qc->pending                 = 1;
    qc->engine                  = ql->engine;
    qc->port                    = ql->port;
@ -5000,6 +4999,22 @@ size_t ossl_quic_get_accept_connection_queue_len(SSL *ssl)
    return ret;
 }
 QUIC_TAKES_LOCK
 int ossl_quic_get_peer_addr(SSL *ssl, BIO_ADDR *peer_addr)
 {
    QCTX ctx;
    int ret;
    if (!expect_quic_cs(ssl, &ctx))
        return 0;
    qctx_lock(&ctx);
    ret = ossl_quic_channel_get_peer_addr(ctx.qc->ch, peer_addr);
    qctx_unlock(&ctx);
    return ret;
 }
 /*
 * QUIC Front-End I/O API: Domains
 * ===============================
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@ -519,7 +519,7 @@ static QUIC_CHANNEL *port_make_channel(QUIC_PORT *port, SSL *tls, OSSL_QRX *qrx,
    args.is_tserver_ch = is_tserver;
    /*
-     * Creating a a new channel is made a bit tricky here as there is a
+     * Creating a new channel is made a bit tricky here as there is a
     * bit of a circular dependency.  Initializing a channel requires that
     * the ch->tls and optionally the qlog_title be configured prior to
     * initialization, but we need the channel at least partially configured
@ -740,6 +740,9 @@ static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
    if (port->tserver_ch != NULL) {
        ch = port->tserver_ch;
        port->tserver_ch = NULL;
        if (peer != NULL && BIO_ADDR_family(peer) != AF_UNSPEC)
            ossl_quic_channel_set_peer_addr(ch, peer);
        ossl_quic_channel_bind_qrx(ch, qrx);
        ossl_qrx_set_msg_callback(ch->qrx, ch->msg_callback,
                                  ch->msg_callback_ssl);
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -8105,6 +8105,18 @@ size_t SSL_get_accept_connection_queue_len(SSL *ssl)
 #endif
 }
 int SSL_get_peer_addr(SSL *ssl, BIO_ADDR *peer_addr)
 {
 #ifndef OPENSSL_NO_QUIC
    if (!IS_QUIC(ssl))
        return 0;
    return ossl_quic_get_peer_addr(ssl, peer_addr);
 #else
    return 0;
 #endif
 }
 int SSL_listen(SSL *ssl)
 {
 #ifndef OPENSSL_NO_QUIC
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@ -2998,6 +2998,187 @@ err:
 #endif
 }
 /* family = AF_INET (alen=4) or AF_INET6 (alen=16) */
 static int create_quic_ssl_objects_seed_peer(SSL_CTX *sctx, SSL_CTX *cctx,
                                             SSL **lssl, SSL **cssl,
                                             int family,
                                             const unsigned char *srv_ip, uint16_t srv_port,
                                             const unsigned char *cli_ip, uint16_t cli_port)
 {
    BIO *cbio = NULL, *sbio = NULL;
    BIO_ADDR *srv_local = NULL, *cli_local = NULL;
    BIO_ADDR *srv_peer  = NULL, *srv_peer2 = NULL;
    size_t alen = (family == AF_INET) ? 4 : 16;
    int ret = 0;
    *cssl = *lssl = NULL;
    if (!TEST_true(BIO_new_bio_dgram_pair(&cbio, 0, &sbio, 0)))
        goto err;
    /* server local bind (in-memory dgram pair metadata) */
    if (!TEST_ptr(srv_local = BIO_ADDR_new())
        || !TEST_true(BIO_ADDR_rawmake(srv_local, family, srv_ip, alen, htons(srv_port)))
        || !TEST_true(bio_addr_bind(sbio, srv_local)))
        goto err;
    srv_local = NULL; /* set0 consumed */
    /* seed peer on the BIO we give the listener (so port's net BIO sees it) */
    if (!TEST_ptr(srv_peer = BIO_ADDR_new())
        || !TEST_true(BIO_ADDR_rawmake(srv_peer, family, cli_ip, alen, htons(cli_port))))
        goto err;
    (void)BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_PEER, 0, srv_peer);
    BIO_ADDR_free(srv_peer);
    srv_peer = NULL;
    /* create listener */
    if (!TEST_ptr(*lssl = ql_create(sctx, sbio)))
        goto err;
    sbio = NULL;
    /* also seed on the listener's current wbio (covers wrapping) */
    if (!TEST_ptr(srv_peer2 = BIO_ADDR_new())
        || !TEST_true(BIO_ADDR_rawmake(srv_peer2, family, cli_ip, alen, htons(cli_port))))
        goto err;
    (void)BIO_ctrl(SSL_get_wbio(*lssl), BIO_CTRL_DGRAM_SET_PEER, 0, srv_peer2);
    BIO_ADDR_free(srv_peer2);
    srv_peer2 = NULL;
    /* client object + local bind */
    if (!TEST_ptr(*cssl = SSL_new(cctx)))
        goto err;
    if (!TEST_ptr(cli_local = BIO_ADDR_new())
        || !TEST_true(BIO_ADDR_rawmake(cli_local, family, cli_ip, alen, htons(cli_port)))
        || !TEST_true(bio_addr_bind(cbio, cli_local)))
        goto err;
    cli_local = NULL; /* consumed */
    /* qc_init needs server addr (fresh copy) */
    if (!TEST_ptr(srv_peer = BIO_ADDR_new())
        || !TEST_true(BIO_ADDR_rawmake(srv_peer, family, srv_ip, alen, htons(srv_port)))
        || !TEST_true(qc_init(*cssl, srv_peer)))
        goto err;
    BIO_ADDR_free(srv_peer);
    srv_peer = NULL;
    SSL_set_bio(*cssl, cbio, cbio);
    cbio = NULL;
    ret = 1;
 err:
    if (!ret) {
        SSL_free(*cssl);
        SSL_free(*lssl);
        *cssl = *lssl = NULL;
    }
    BIO_free(cbio);
    BIO_free(sbio);
    BIO_ADDR_free(srv_local);
    BIO_ADDR_free(cli_local);
    BIO_ADDR_free(srv_peer);
    BIO_ADDR_free(srv_peer2);
    return ret;
 }
 /* Parameterized test: family=AF_INET/AF_INET6, e.g. "127.0.0.1" / "::1" */
 static int test_quic_peer_addr_common(int family,
                                      const char *srv_str, uint16_t srv_port,
                                      const char *cli_str, uint16_t cli_port)
 {
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *qlistener = NULL, *clientssl = NULL, *serverssl = NULL;
    BIO_ADDR *got = NULL;
    unsigned char srv_ip[16], cli_ip[16], raw[16];
    size_t alen = (family == AF_INET) ? 4 : 16, rawlen = 0;
    int ret, ok = 0;
 #if defined(_WIN32)
    /* OpenSSL's tests usually call BIO_sock_init() elsewhere; safe to call here too */
    BIO_sock_init();
 #endif
    if (!TEST_int_eq(inet_pton(family, srv_str, srv_ip), 1)
        || !TEST_int_eq(inet_pton(family, cli_str, cli_ip), 1))
        goto err;
    if (!TEST_ptr(sctx = create_server_ctx())
        || !TEST_ptr(cctx = create_client_ctx()))
        goto err;
    if (!TEST_true(create_quic_ssl_objects_seed_peer(sctx, cctx,
                                                     &qlistener, &clientssl,
                                                     family,
                                                     srv_ip, srv_port,
                                                     cli_ip, cli_port)))
        goto err;
    /* Minimal QUIC progress */
    ret = SSL_connect(clientssl);
    if (!TEST_true(ret <= 0))
        goto err;
    SSL_handle_events(qlistener);
    ret = SSL_connect(clientssl);
    if (!TEST_true(ret <= 0))
        goto err;
    SSL_handle_events(qlistener);
    /* Accept connection (pre-handshake) */
    if (!TEST_ptr(serverssl = SSL_accept_connection(qlistener, 0)))
        goto err;
    /* Server sees client */
    if (!TEST_ptr(got = BIO_ADDR_new()))
        goto err;
    BIO_ADDR_clear(got);
    if (!TEST_int_eq(SSL_get_peer_addr(serverssl, got), 1)
        || !TEST_int_eq(BIO_ADDR_family(got), family)
        || !TEST_true(BIO_ADDR_rawaddress(got, raw, &rawlen))
        || !TEST_size_t_eq(rawlen, alen)
        || !TEST_mem_eq(raw, rawlen, cli_ip, alen)
        || !TEST_int_eq((int)ntohs(BIO_ADDR_rawport(got)), (int)cli_port))
        goto err;
    /* Client sees server */
    BIO_ADDR_clear(got);
    if (!TEST_int_eq(SSL_get_peer_addr(clientssl, got), 1)
        || !TEST_int_eq(BIO_ADDR_family(got), family)
        || !TEST_true(BIO_ADDR_rawaddress(got, raw, &rawlen))
        || !TEST_size_t_eq(rawlen, alen)
        || !TEST_mem_eq(raw, rawlen, srv_ip, alen)
        || !TEST_int_eq((int)ntohs(BIO_ADDR_rawport(got)), (int)srv_port))
        goto err;
    ok = 1;
 err:
    BIO_ADDR_free(got);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_free(qlistener);
    SSL_CTX_free(cctx);
    SSL_CTX_free(sctx);
    return ok;
 }
 static int test_quic_peer_addr_v4(void)
 {
    return test_quic_peer_addr_common(AF_INET,
                                      "127.0.0.1", 4433,
                                      "127.0.0.2", 4434);
 }
 static int test_quic_peer_addr_v6(void)
 {
    return test_quic_peer_addr_common(AF_INET6,
                                      "::1", 4433,
                                      "::2", 4434);
 }
 /***********************************************************************************/
 OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n")
@ -3101,6 +3282,9 @@ int setup_tests(void)
    ADD_TEST(test_ssl_set_verify);
    ADD_TEST(test_accept_stream);
    ADD_TEST(test_client_hello_retry);
    ADD_TEST(test_quic_peer_addr_v6);
    ADD_TEST(test_quic_peer_addr_v4);
    return 1;
 err:
    cleanup_tests();
--- a/util/libssl.num
+++ b/util/libssl.num
@ -606,3 +606,4 @@ SSL_CTX_set_domain_flags                ?	4_0_0	EXIST::FUNCTION:
 SSL_CTX_get_domain_flags                ?	4_0_0	EXIST::FUNCTION:
 SSL_get_domain_flags                    ?	4_0_0	EXIST::FUNCTION:
 SSL_CTX_set_new_pending_conn_cb         ?	4_0_0	EXIST::FUNCTION:
 SSL_get_peer_addr                       ?	4_0_0	EXIST::FUNCTION: