Add SSL_CTX_dup

doc/man3/SSL_CTX_new.pod

@@ -3,7 +3,7 @@
 =head1 NAME
 
 TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
-SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_up_ref, SSLv3_method,
+SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_dup, SSL_CTX_up_ref, SSLv3_method,
 SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method,
 TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method,
 TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method,
@@ -21,6 +21,8 @@ functions
  SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
                          const SSL_METHOD *method);
  SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
+ SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source,
+                      const char *propq, const SSL_METHOD *meth);
  int SSL_CTX_up_ref(SSL_CTX *ctx);
 
  const SSL_METHOD *TLS_method(void);
@@ -88,6 +90,9 @@ parameters may be NULL.
 SSL_CTX_new() does the same as SSL_CTX_new_ex() except that the default
 library context is used and no property query string is specified.
 
+SSL_CTX_dup() creates a new SSL_CTX object and uses the current configuration from
+an existing SSL_CTX.
+
 An B<SSL_CTX> object is reference counted. Creating an B<SSL_CTX> object for the
 first time increments the reference count. Freeing the B<SSL_CTX> (using
 SSL_CTX_free) decrements it. When the reference count drops to zero, any memory

ssl/d1_lib.c

@@ -629,13 +629,18 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
             /*
              * We have a cookie, so lets check it.
              */
-            if (ssl->ctx->app_verify_cookie_cb == NULL) {
+            APP_VERIFY_COOKIE_CB verify_cookie_cb = NULL;
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                verify_cookie_cb = ssl->ctx->cnf->app_verify_cookie_cb;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+            if (verify_cookie_cb == NULL) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
                 /* This is fatal */
                 ret = -1;
                 goto end;
             }
-            if (ssl->ctx->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
+            if (verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
                     (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
                 /*
                  * We treat invalid cookies in the same was as no cookie as
@@ -652,16 +657,20 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
             WPACKET wpkt;
             unsigned int version;
             size_t wreclen;
-
+            APP_GEN_COOKIE_CB gen_cookie_cb = NULL;
             /*
              * There was no cookie in the ClientHello so we need to send a
              * HelloVerifyRequest. If this fails we do not worry about trying
              * to resend, we just drop it.
              */
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                gen_cookie_cb = ssl->ctx->cnf->app_gen_cookie_cb;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
 
             /* Generate the cookie */
-            if (ssl->ctx->app_gen_cookie_cb == NULL ||
-                ssl->ctx->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
+            if (gen_cookie_cb == NULL ||
+                gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
                 cookielen > 255) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
                 /* This is fatal */

ssl/d1_msg.c

@@ -67,8 +67,13 @@ int dtls1_dispatch_alert(SSL *ssl)
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->info_callback != NULL)
-            cb = ssl->ctx->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                if (ssl->ctx->cnf->info_callback != NULL)
+                    cb = ssl->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (s->s3.send_alert[0] << 8) | s->s3.send_alert[1];

ssl/quic/quic_impl.c

@@ -423,8 +423,11 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     qc->as_server_state = qc->as_server;
 
     qc->default_stream_mode     = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI;
-    qc->default_ssl_mode        = qc->ssl.ctx->mode;
-    qc->default_ssl_options     = qc->ssl.ctx->options & OSSL_QUIC_PERMITTED_OPTIONS;
+    if (CRYPTO_THREAD_read_lock(qc->ssl.ctx->cnf->cnf_lock)) {
+        qc->default_ssl_mode        = qc->ssl.ctx->cnf->mode;
+        qc->default_ssl_options     = qc->ssl.ctx->cnf->options & OSSL_QUIC_PERMITTED_OPTIONS;
+        CRYPTO_THREAD_unlock(qc->ssl.ctx->cnf->cnf_lock);
+    }
     qc->desires_blocking        = 1;
     qc->blocking                = 0;
     qc->incoming_stream_policy  = SSL_INCOMING_STREAM_POLICY_AUTO;
@@ -433,8 +436,11 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     if (!create_channel(qc))
         goto err;
 
-    ossl_quic_channel_set_msg_callback(qc->ch, ctx->msg_callback, ssl_base);
-    ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->msg_callback_arg);
+    if (CRYPTO_THREAD_read_lock(ctx->cnf->cnf_lock)) {
+        ossl_quic_channel_set_msg_callback(qc->ch, ctx->cnf->msg_callback, ssl_base);
+        ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->cnf->msg_callback_arg);
+        CRYPTO_THREAD_unlock(ctx->cnf->cnf_lock);
+    }
 
     qc_update_reject_policy(qc);
 

ssl/quic/quic_tls.c

@@ -742,7 +742,13 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
 
         /* ALPN is a requirement for QUIC and must be set */
         if (qtls->args.is_server) {
-            if (sctx->ext.alpn_select_cb == NULL)
+            int iserror = 0;
+            if (CRYPTO_THREAD_read_lock(sctx->cnf->cnf_lock)) {
+                if (sctx->cnf->ext.alpn_select_cb == NULL)
+                    iserror = 1;
+                CRYPTO_THREAD_unlock(sctx->cnf->cnf_lock);
+            }
+            if (iserror == 1)
                 return RAISE_INTERNAL_ERROR(qtls);
         } else {
             if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)

ssl/record/rec_layer_d1.c

@@ -397,8 +397,13 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type,
 
         if (sc->info_callback != NULL)
             cb = sc->info_callback;
-        else if (s->ctx->info_callback != NULL)
-            cb = s->ctx->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(s->ctx->cnf->cnf_lock)) {
+                if (s->ctx->cnf->info_callback != NULL)
+                    cb = s->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(s->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;

ssl/record/rec_layer_s3.c

@@ -156,7 +156,10 @@ size_t ssl3_pending(const SSL *s)
 
 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
 {
-    ctx->default_read_buf_len = len;
+    if (CRYPTO_THREAD_write_lock(ctx->cnf->cnf_lock)) {
+        ctx->cnf->default_read_buf_len = len;
+        CRYPTO_THREAD_unlock(ctx->cnf->cnf_lock);
+    }
 }
 
 void SSL_set_default_read_buffer_len(SSL *s, size_t len)
@@ -823,8 +826,13 @@ int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type,
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->info_callback != NULL)
-            cb = ssl->ctx->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                if (ssl->ctx->cnf->info_callback != NULL)
+                    cb = ssl->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;