Make sure we can query the SSL object for version info when using QUIC

We have the existing functions SSL_version(), SSL_get_version() and SSL_is_dtls(). We extend the first two to return something sensible when using QUIC. We additionally provide the new functions SSL_is_tls() and SSL_is_quic() to provide a mechanism to figure out what protocol we are using. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20650)
2023-03-29 16:25:00 +01:00 · 2023-03-29 16:25:00 +01:00 · 50769b15ea
commit 50769b15ea
parent a76ccb9d0d
4 changed files with 48 additions and 0 deletions
--- a/include/openssl/prov_ssl.h
+++ b/include/openssl/prov_ssl.h
@ -19,6 +19,7 @@ extern "C" {

 # define SSL_MAX_MASTER_KEY_LENGTH 48

+/* SSL/TLS uses a 2 byte unsigned version number */
 # define SSL3_VERSION                    0x0300
 # define TLS1_VERSION                    0x0301
 # define TLS1_1_VERSION                  0x0302
@ -28,6 +29,9 @@ extern "C" {
 # define DTLS1_2_VERSION                 0xFEFD
 # define DTLS1_BAD_VER                   0x0100

+/* QUIC uses a 4 byte unsigned version number */
+# define OSSL_QUIC1_VERSION              0x0000001
+
 # ifdef __cplusplus
 }
 # endif
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@ -1798,6 +1798,8 @@ __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
 SSL *SSL_new(SSL_CTX *ctx);
 int SSL_up_ref(SSL *s);
 int SSL_is_dtls(const SSL *s);
+int SSL_is_tls(const SSL *s);
+int SSL_is_quic(const SSL *s);
 __owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
                                      unsigned int sid_ctx_len);

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -928,12 +928,41 @@ int SSL_is_dtls(const SSL *s)
 {
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

+#ifndef OPENSSL_NO_QUIC
+    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+        return 0;
+#endif
+
    if (sc == NULL)
        return 0;

    return SSL_CONNECTION_IS_DTLS(sc) ? 1 : 0;
 }

+int SSL_is_tls(const SSL *s)
+{
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+#ifndef OPENSSL_NO_QUIC
+    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+        return 0;
+#endif
+
+    if (sc == NULL)
+        return 0;
+
+    return SSL_CONNECTION_IS_DTLS(sc) ? 0 : 1;
+}
+
+int SSL_is_quic(const SSL *s)
+{
+#ifndef OPENSSL_NO_QUIC
+    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+        return 1;
+#endif
+    return 0;
+}
+
 int SSL_up_ref(SSL *s)
 {
    int i;
@ -4741,6 +4770,12 @@ const char *SSL_get_version(const SSL *s)
 {
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);

+#ifndef OPENSSL_NO_QUIC
+    /* We only support QUICv1 - so if its QUIC its QUICv1 */
+    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+        return "QUICv1";
+#endif
+
    if (sc == NULL)
        return NULL;

@ -5077,6 +5112,11 @@ int SSL_version(const SSL *s)
 {
    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);

+#ifndef OPENSSL_NO_QUIC
+    /* We only support QUICv1 - so if its QUIC its QUICv1 */
+    if (s->type == SSL_TYPE_QUIC_CONNECTION || s->type == SSL_TYPE_QUIC_STREAM)
+        return OSSL_QUIC1_VERSION;
+#endif
    /* TODO(QUIC): Do we want to report QUIC version this way instead? */
    if (sc == NULL)
        return 0;
--- a/util/libssl.num
+++ b/util/libssl.num
@ -558,3 +558,5 @@ SSL_get_negotiated_client_cert_type     ?	3_2_0	EXIST::FUNCTION:
 SSL_get_negotiated_server_cert_type     ?	3_2_0	EXIST::FUNCTION:
 SSL_add_expected_rpk                    ?	3_2_0	EXIST::FUNCTION:
 d2i_SSL_SESSION_ex                      ?	3_2_0	EXIST::FUNCTION:
+SSL_is_tls                              ?	3_2_0	EXIST::FUNCTION:
+SSL_is_quic                             ?	3_2_0	EXIST::FUNCTION: