QUIC SSL: Forbid pipeline-related operations
authorHugo Landau <hlandau@openssl.org>
Mon, 16 Jan 2023 15:32:18 +0000 (15:32 +0000)
committerPauli <pauli@openssl.org>
Tue, 4 Jul 2023 23:02:26 +0000 (09:02 +1000)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)

ssl/ssl_lib.c
test/quicapitest.c

index d6edc5be1659205b90319aa9c94d2cdbb8571e7f..f27bbdfecc6d0702c63cc791e572801cbcba8406 100644 (file)
@@ -2930,7 +2930,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         sc->max_cert_list = (size_t)larg;
         return l;
     case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
-        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
+        if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH || IS_QUIC_SSL(s))
             return 0;
 #ifndef OPENSSL_NO_KTLS
         if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio))
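Review bot: The `IS_QUIC_SSL(s)` term is appended to the argument range check in this case, and again in the `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` and `SSL_CTRL_SET_MAX_PIPELINES` cases of the next hunk. A caller therefore gets the same bare `return 0` for "value out of range" and "not supported on a QUIC object", and nothing in the code says why QUIC is excluded. Making the rejection its own leading guard with a comment would make the intent auditable, e.g. `if (IS_QUIC_SSL(s)) return 0; /* TLS record-layer tuning, not applicable to QUIC */`. Whether the QUIC case should also push an error is a judgment call that depends on how the rest of SSL_ctrl reports failures; the function body starts and ends outside this hunk.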
@@ -2942,12 +2942,12 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg);
         return 1;
     case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT:
-        if ((size_t)larg > sc->max_send_fragment || larg == 0)
+        if ((size_t)larg > sc->max_send_fragment || larg == 0 || IS_QUIC_SSL(s))
             return 0;
         sc->split_send_fragment = larg;
         return 1;
     case SSL_CTRL_SET_MAX_PIPELINES:
-        if (larg < 1 || larg > SSL_MAX_PIPELINES)
+        if (larg < 1 || larg > SSL_MAX_PIPELINES || IS_QUIC_SSL(s))
             return 0;
         sc->max_pipelines = larg;
         if (sc->rlayer.rrlmethod->set_max_pipelines != NULL)
index 2784f981983976fdc2431c080a4c200be71191ae..ce745a67daf262f5657aa536fd494a9b16fa1f4c 100644 (file)
@@ -494,6 +494,12 @@ static int test_quic_forbidden_options(void)
         || !TEST_false(SSL_free_buffers(ssl)))
         goto err;
 
+    /* Pipelining */
+    if (!TEST_false(SSL_set_max_send_fragment(ssl, 2))
+        || !TEST_false(SSL_set_split_send_fragment(ssl, 2))
+        || !TEST_false(SSL_set_max_pipelines(ssl, 2)))
+        goto err;
+
     /* HRR */
     if  (!TEST_false(SSL_stateless(ssl)))
         goto err;
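Review bot: The `SSL_set_max_send_fragment(ssl, 2)` assertion does not exercise the new QUIC guard. Assuming the call maps to `SSL_CTRL_SET_MAX_SEND_FRAGMENT`, the value 2 is already rejected by the `larg < 512` bound shown in ssl/ssl_lib.c, so `TEST_false` passes with or without the `IS_QUIC_SSL(s)` term, and a regression that drops the guard would go unnoticed. Use an in-range value so that only the QUIC restriction can cause the failure, e.g. `if (!TEST_false(SSL_set_max_send_fragment(ssl, 512))`. The split-fragment and max-pipelines calls pass values that appear to be in range (given a default max_send_fragment and SSL_MAX_PIPELINES of at least 2), so they do reach the guard. test_quic_forbidden_options starts and ends outside this hunk.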