Add SSL_CTX_dup API

ssl/d1_lib.c

@@ -629,13 +629,18 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
             /*
              * We have a cookie, so lets check it.
              */
-            if (ssl->ctx->cnf->app_verify_cookie_cb == NULL) {
+            APP_VERIFY_COOKIE_CB verify_cookie_cb = NULL;
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                verify_cookie_cb = ssl->ctx->cnf->app_verify_cookie_cb;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+            if (verify_cookie_cb == NULL) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
                 /* This is fatal */
                 ret = -1;
                 goto end;
             }
-            if (ssl->ctx->cnf->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
+            if (verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
                     (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
                 /*
                  * We treat invalid cookies in the same was as no cookie as
@@ -652,16 +657,20 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
             WPACKET wpkt;
             unsigned int version;
             size_t wreclen;
-
+            APP_GEN_COOKIE_CB gen_cookie_cb = NULL;
             /*
              * There was no cookie in the ClientHello so we need to send a
              * HelloVerifyRequest. If this fails we do not worry about trying
              * to resend, we just drop it.
              */
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                gen_cookie_cb = ssl->ctx->cnf->app_gen_cookie_cb;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
 
             /* Generate the cookie */
-            if (ssl->ctx->cnf->app_gen_cookie_cb == NULL ||
-                ssl->ctx->cnf->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
+            if (gen_cookie_cb == NULL ||
+                gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
                 cookielen > 255) {
                 ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
                 /* This is fatal */

ssl/d1_msg.c

@@ -67,8 +67,13 @@ int dtls1_dispatch_alert(SSL *ssl)
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->cnf->info_callback != NULL)
-            cb = ssl->ctx->cnf->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                if (ssl->ctx->cnf->info_callback != NULL)
+                    cb = ssl->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (s->s3.send_alert[0] << 8) | s->s3.send_alert[1];

ssl/d1_srtp.c

@@ -140,7 +140,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
 
 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
 {
-    if (IS_QUIC_METHOD(ctx->cnf->method))
+    if (IS_QUIC_METHOD(ctx->method))
         return 1;
 
     return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);

ssl/quic/quic_impl.c

@@ -393,7 +393,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
 
     /* Initialise the QUIC_CONNECTION's stub header. */
     ssl_base = &qc->ssl;
-    if (!ossl_ssl_init(ssl_base, ctx, ctx->cnf->method, SSL_TYPE_QUIC_CONNECTION)) {
+    if (!ossl_ssl_init(ssl_base, ctx, ctx->method, SSL_TYPE_QUIC_CONNECTION)) {
         ssl_base = NULL;
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
         goto err;
@@ -421,8 +421,11 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     qc->as_server_state = qc->as_server;
 
     qc->default_stream_mode     = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI;
-    qc->default_ssl_mode        = qc->ssl.ctx->cnf->mode;
-    qc->default_ssl_options     = qc->ssl.ctx->cnf->options & OSSL_QUIC_PERMITTED_OPTIONS;
+    if (CRYPTO_THREAD_read_lock(qc->ssl.ctx->cnf->cnf_lock)) {
+        qc->default_ssl_mode        = qc->ssl.ctx->cnf->mode;
+        qc->default_ssl_options     = qc->ssl.ctx->cnf->options & OSSL_QUIC_PERMITTED_OPTIONS;
+        CRYPTO_THREAD_unlock(qc->ssl.ctx->cnf->cnf_lock);
+    }
     qc->desires_blocking        = 1;
     qc->blocking                = 0;
     qc->incoming_stream_policy  = SSL_INCOMING_STREAM_POLICY_AUTO;
@@ -431,8 +434,11 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     if (!create_channel(qc))
         goto err;
 
-    ossl_quic_channel_set_msg_callback(qc->ch, ctx->cnf->msg_callback, ssl_base);
-    ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->cnf->msg_callback_arg);
+    if (CRYPTO_THREAD_read_lock(ctx->cnf->cnf_lock)) {
+        ossl_quic_channel_set_msg_callback(qc->ch, ctx->cnf->msg_callback, ssl_base);
+        ossl_quic_channel_set_msg_callback_arg(qc->ch, ctx->cnf->msg_callback_arg);
+        CRYPTO_THREAD_unlock(ctx->cnf->cnf_lock);
+    }
 
     qc_update_reject_policy(qc);
 

ssl/quic/quic_local.h

@@ -246,7 +246,7 @@ int ossl_quic_trace(int write_p, int version, int content_type,
 #  define IS_QUIC_METHOD(m) \
     ((m) == OSSL_QUIC_client_method() || \
      (m) == OSSL_QUIC_client_thread_method())
-#  define IS_QUIC_CTX(ctx)          IS_QUIC_METHOD((ctx)->cnf->method)
+#  define IS_QUIC_CTX(ctx)          IS_QUIC_METHOD((ctx)->method)
 
 #  define QUIC_CONNECTION_FROM_SSL_int(ssl, c)   \
      ((ssl) == NULL ? NULL                       \

ssl/quic/quic_tls.c

@@ -742,7 +742,13 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
 
         /* ALPN is a requirement for QUIC and must be set */
         if (qtls->args.is_server) {
-            if (sctx->cnf->ext.alpn_select_cb == NULL)
+            int iserror = 0;
+            if (CRYPTO_THREAD_read_lock(sctx->cnf->cnf_lock)) {
+                if (sctx->cnf->ext.alpn_select_cb == NULL)
+                    iserror = 1;
+                CRYPTO_THREAD_unlock(sctx->cnf->cnf_lock);
+            }
+            if (iserror == 1)
                 return RAISE_INTERNAL_ERROR(qtls);
         } else {
             if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0)

ssl/record/rec_layer_d1.c

@@ -397,8 +397,13 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type,
 
         if (sc->info_callback != NULL)
             cb = sc->info_callback;
-        else if (s->ctx->cnf->info_callback != NULL)
-            cb = s->ctx->cnf->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(s->ctx->cnf->cnf_lock)) {
+                if (s->ctx->cnf->info_callback != NULL)
+                    cb = s->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(s->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;

ssl/record/rec_layer_s3.c

@@ -156,7 +156,10 @@ size_t ssl3_pending(const SSL *s)
 
 void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
 {
-    ctx->cnf->default_read_buf_len = len;
+    if (CRYPTO_THREAD_write_lock(ctx->cnf->cnf_lock)) {
+        ctx->cnf->default_read_buf_len = len;
+        CRYPTO_THREAD_unlock(ctx->cnf->cnf_lock);
+    }
 }
 
 void SSL_set_default_read_buffer_len(SSL *s, size_t len)
@@ -823,8 +826,13 @@ int ssl3_read_bytes(SSL *ssl, uint8_t type, uint8_t *recvd_type,
 
         if (s->info_callback != NULL)
             cb = s->info_callback;
-        else if (ssl->ctx->cnf->info_callback != NULL)
-            cb = ssl->ctx->cnf->info_callback;
+        else {
+            if (CRYPTO_THREAD_read_lock(ssl->ctx->cnf->cnf_lock)) {
+                if (ssl->ctx->cnf->info_callback != NULL)
+                    cb = ssl->ctx->cnf->info_callback;
+                CRYPTO_THREAD_unlock(ssl->ctx->cnf->cnf_lock);
+            }
+        }
 
         if (cb != NULL) {
             j = (alert_level << 8) | alert_descr;