Add SSL_CTX_dup API

doc/man3/SSL_CTX_new.pod

@@ -3,7 +3,7 @@
 =head1 NAME
 
 TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
-SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_up_ref, SSLv3_method,
+SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_dup, SSL_CTX_up_ref, SSLv3_method,
 SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method,
 TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method,
 TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method,
@@ -21,6 +21,8 @@ functions
  SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
                          const SSL_METHOD *method);
  SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
+ SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source,
+                      const char *propq, const SSL_METHOD *meth);
  int SSL_CTX_up_ref(SSL_CTX *ctx);
 
  const SSL_METHOD *TLS_method(void);
@@ -88,6 +90,9 @@ parameters may be NULL.
 SSL_CTX_new() does the same as SSL_CTX_new_ex() except that the default
 library context is used and no property query string is specified.
 
+SSL_CTX_dup() creates a new SSL_CTX object and uses the current configuration from
+an existing SSL_CTX.
+
 An B<SSL_CTX> object is reference counted. Creating an B<SSL_CTX> object for the
 first time increments the reference count. Freeing the B<SSL_CTX> (using
 SSL_CTX_free) decrements it. When the reference count drops to zero, any memory

include/openssl/ssl.h.in

@@ -1560,6 +1560,8 @@ __owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
 __owur SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
                                const SSL_METHOD *meth);
+__owur SSL_CTX *SSL_CTX_dup(OSSL_LIB_CTX *libctx, SSL_CTX *source,
+                            const char *propq, const SSL_METHOD *meth);
 int SSL_CTX_up_ref(SSL_CTX *ctx);
 void SSL_CTX_free(SSL_CTX *);
 __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);

include/openssl/types.h

@@ -186,6 +186,7 @@ typedef struct ui_method_st UI_METHOD;
 typedef struct engine_st ENGINE;
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
+typedef struct ssl_ctx_cnf_st SSL_CTX_CNF;
 
 typedef struct comp_ctx_st COMP_CTX;
 typedef struct comp_method_st COMP_METHOD;

ssl/d1_lib.c

@@ -618,13 +618,13 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
             /*
              * We have a cookie, so lets check it.
              */
-            if (ssl->ctx->app_verify_cookie_cb == NULL) {
+            if (ssl->ctx->cnf->app_verify_cookie_cb == NULL) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
                 /* This is fatal */
                 ret = -1;
                 goto end;
             }
-            if (ssl->ctx->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
+            if (ssl->ctx->cnf->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
                     (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
                 /*
                  * We treat invalid cookies in the same was as no cookie as
@@ -649,8 +649,8 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
              */
 
             /* Generate the cookie */
-            if (ssl->ctx->app_gen_cookie_cb == NULL ||
-                ssl->ctx->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
+            if (ssl->ctx->cnf->app_gen_cookie_cb == NULL ||
+                ssl->ctx->cnf->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
                 cookielen > 255) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
                 /* This is fatal */

ssl/d1_msg.c

@@ -67,8 +67,8 @@ int dtls1_dispatch_alert(SSL *ssl)
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->info_callback != NULL)
-            cb = ssl->ctx->info_callback;
+        else if (ssl->ctx->cnf->info_callback != NULL)
+            cb = ssl->ctx->cnf->info_callback;
 
         if (cb != NULL) {
             j = (s->s3.send_alert[0] << 8) | s->s3.send_alert[1];

ssl/d1_srtp.c

@@ -140,7 +140,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
 
 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
 {
-    if (IS_QUIC_METHOD(ctx->method))
+    if (IS_QUIC_METHOD(ctx->cnf->method))
         return 1;
 
     return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);

ssl/quic/quic_impl.c

@@ -387,7 +387,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
 
     /* Initialise the QUIC_CONNECTION's stub header. */
     ssl_base = &qc->ssl;
-    if (!ossl_ssl_init(ssl_base, ctx, ctx->method, SSL_TYPE_QUIC_CONNECTION)) {
+    if (!ossl_ssl_init(ssl_base, ctx, ctx->cnf->method, SSL_TYPE_QUIC_CONNECTION)) {
         ssl_base = NULL;
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
         goto err;
@@ -422,8 +422,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     qc->as_server_state = qc->as_server;
 
     qc->default_stream_mode     = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI;
-    qc->default_ssl_mode        = qc->ssl.ctx->mode;
-    qc->default_ssl_options     = qc->ssl.ctx->options & OSSL_QUIC_PERMITTED_OPTIONS;
+    qc->default_ssl_mode        = qc->ssl.ctx->cnf->mode;
+    qc->default_ssl_options     = qc->ssl.ctx->cnf->options & OSSL_QUIC_PERMITTED_OPTIONS;
     qc->desires_blocking        = 1;
     qc->blocking                = 0;
     qc->incoming_stream_policy  = SSL_INCOMING_STREAM_POLICY_AUTO;
@@ -432,8 +432,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     if (!create_channel(qc))
         goto err;
 
-    ossl_quic_channel_set_msg_callback(qc->ch, ctx->msg_callback, ssl_base);
-    ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->msg_callback_arg);
+    ossl_quic_channel_set_msg_callback(qc->ch, ctx->cnf->msg_callback, ssl_base);
+    ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->cnf->msg_callback_arg);
 
     qc_update_reject_policy(qc);
 

ssl/quic/quic_local.h

@@ -246,7 +246,7 @@ int ossl_quic_trace(int write_p, int version, int content_type,
 #  define IS_QUIC_METHOD(m) \
     ((m) == OSSL_QUIC_client_method() || \
      (m) == OSSL_QUIC_client_thread_method())
-#  define IS_QUIC_CTX(ctx)          IS_QUIC_METHOD((ctx)->method)
+#  define IS_QUIC_CTX(ctx)          IS_QUIC_METHOD((ctx)->cnf->method)
 
 #  define QUIC_CONNECTION_FROM_SSL_int(ssl, c)   \
      ((ssl) == NULL ? NULL                       \

ssl/quic/quic_tls.c

@@ -739,7 +739,7 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
 
         /* ALPN is a requirement for QUIC and must be set */
         if (qtls->args.is_server) {
-            if (sctx->ext.alpn_select_cb == NULL)
+            if (sctx->cnf->ext.alpn_select_cb == NULL)
                 return RAISE_INTERNAL_ERROR(qtls);
         } else {
             if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)

ssl/record/rec_layer_d1.c

@@ -397,8 +397,8 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type,
 
         if (sc->info_callback != NULL)
             cb = sc->info_callback;
-        else if (s->ctx->info_callback != NULL)
-            cb = s->ctx->info_callback;
+        else if (s->ctx->cnf->info_callback != NULL)
+            cb = s->ctx->cnf->info_callback;
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;

ssl/record/rec_layer_s3.c

@@ -156,7 +156,7 @@ size_t ssl3_pending(const SSL *s)
 
 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
 {
-    ctx->default_read_buf_len = len;
+    ctx->cnf->default_read_buf_len = len;
 }
 
 void SSL_set_default_read_buffer_len(SSL *s, size_t len)
@@ -820,8 +820,8 @@ int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type,
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->info_callback != NULL)
-            cb = ssl->ctx->info_callback;
+        else if (ssl->ctx->cnf->info_callback != NULL)
+            cb = ssl->ctx->cnf->info_callback;
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;