Add setters to set the early_data callback
authorMatt Caswell <matt@openssl.org>
Thu, 7 Jun 2018 14:14:36 +0000 (15:14 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 2 Jul 2018 14:06:12 +0000 (15:06 +0100)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)

include/openssl/ssl.h
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/statem/extensions.c
util/libssl.num

index dca4f3d2d8eb0a0a0ab91501883ac90dcd0c4b6f..bbcfb3c0b32033bb3539147bfce21c020f6116d8 100644 (file)
@@ -2389,13 +2389,19 @@ int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
 
 extern const char SSL_version_str[];
 
-
-
 typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us);
 
 void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
 
 
+typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg);
+void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
+                                     SSL_allow_early_data_cb_fn cb,
+                                     void *arg);
+void SSL_set_allow_early_data_cb(SSL *s,
+                                 SSL_allow_early_data_cb_fn cb,
+                                 void *arg);
+
 # ifdef  __cplusplus
 }
 # endif
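Review bot: The new typedef and the two prototypes at the end of this hunk carry no description of the callback contract, and the commit's file list shows no doc/man3 page for SSL_CTX_set_allow_early_data_cb or SSL_set_allow_early_data_cb, so a caller has to read ssl/statem/extensions.c to learn that a zero return rejects the early data. Until a manual page exists, a short comment above the typedef would cover the contract, e.g. `/* Called when early_data is offered; return nonzero to accept it, 0 to reject it. arg is the pointer given to the setter. */`. Whether a separate documentation commit follows is not visible from this page.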
index e28e2b5eb1d9ce8ad05bc8f9a96fb3263631e249..1387067b30c3faebd266f33d258002653e42de28 100644 (file)
@@ -805,6 +805,9 @@ SSL *SSL_new(SSL_CTX *ctx)
 
     s->key_update = SSL_KEY_UPDATE_NONE;
 
+    s->allow_early_data_cb = ctx->allow_early_data_cb;
+    s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
+
     if (!s->method->ssl_new(s))
         goto err;
 
@@ -5483,3 +5486,19 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
     ctx->ticket_cb_data = arg;
     return 1;
 }
+
+void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
+                                     SSL_allow_early_data_cb_fn cb,
+                                     void *arg)
+{
+    ctx->allow_early_data_cb = cb;
+    ctx->allow_early_data_cb_data = arg;
+}
+
+void SSL_set_allow_early_data_cb(SSL *s,
+                                 SSL_allow_early_data_cb_fn cb,
+                                 void *arg)
+{
+    s->allow_early_data_cb = cb;
+    s->allow_early_data_cb_data = arg;
+}
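Review bot: SSL_set_allow_early_data_cb at the end of this section stores the callback in the SSL object, and the SSL_new hunk above copies the SSL_CTX values into those per-connection fields, but the only consumer on this page, final_early_data in ssl/statem/extensions.c, reads `s->ctx->allow_early_data_cb` rather than `s->allow_early_data_cb`, so a callback installed on an individual SSL is never invoked and the per-connection copy is dead. The condition in final_early_data should use the per-connection fields: `|| (s->allow_early_data_cb != NULL` / `&& !s->allow_early_data_cb(s,` / `s->allow_early_data_cb_data))) {`. That also makes the decision independent of changes made to the shared SSL_CTX after the connection was created, which is what the copy in SSL_new appears intended to provide.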
index 7295a9f0d7b0fc7a9fa0b443ba4385f71e27be0b..6a2edeb190390fea78467ed7756dd0bcfeafe7fb 100644 (file)
@@ -1047,6 +1047,10 @@ struct ssl_ctx_st {
 
     /* The number of TLS1.3 tickets to automatically send */
     size_t num_tickets;
+
+    /* Callback to determine if early_data is acceptable or not */
+    SSL_allow_early_data_cb_fn allow_early_data_cb;
+    void *allow_early_data_cb_data;
 };
 
 struct ssl_st {
@@ -1206,8 +1210,6 @@ struct ssl_st {
     SSL_psk_find_session_cb_func psk_find_session_cb;
     SSL_psk_use_session_cb_func psk_use_session_cb;
 
-    int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess);
-
     SSL_CTX *ctx;
     /* Verified chain of peer */
     STACK_OF(X509) *verified_chain;
@@ -1427,6 +1429,10 @@ struct ssl_st {
     size_t sent_tickets;
     /* The next nonce value to use when we send a ticket on this connection */
     uint64_t next_ticket_nonce;
+
+    /* Callback to determine if early_data is acceptable or not */
+    SSL_allow_early_data_cb_fn allow_early_data_cb;
+    void *allow_early_data_cb_data;
 };
 
 /*
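Review bot: The new field pairs in ssl_ctx_st and ssl_st carry the same one-line comment, so nothing in the header says how they relate; from SSL_new in ssl/ssl_lib.c the ssl_st pair is initialised from the ssl_ctx_st pair and SSL_set_allow_early_data_cb overrides it per connection. Suggest the ssl_st comment read `/* Callback to determine if early_data is acceptable; copied from the SSL_CTX at SSL_new() and overridable per connection via SSL_set_allow_early_data_cb() */`. The removed `int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess);` member is replaced by the typedef'd field; this page does not show whether anything else referenced the old signature.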
index 496039e3d4094f5ee7be448689bdb9706a9ce4cb..5309b12703ea429b142e49fee101a59180e7a980 100644 (file)
@@ -1622,7 +1622,10 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
             || s->session->ext.tick_identity != 0
             || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
             || !s->ext.early_data_ok
-            || s->hello_retry_request != SSL_HRR_NONE) {
+            || s->hello_retry_request != SSL_HRR_NONE
+            || (s->ctx->allow_early_data_cb != NULL
+                && !s->ctx->allow_early_data_cb(s,
+                                         s->ctx->allow_early_data_cb_data))) {
         s->ext.early_data = SSL_EARLY_DATA_REJECTED;
     } else {
         s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
index 3495903e87bf0664e5fccf3f3f75d004509c85b9..df6a71e1b563cf117a8dc8684bbab7d51ad46ff4 100644 (file)
@@ -490,3 +490,5 @@ SSL_set_num_tickets                     490 1_1_1   EXIST::FUNCTION:
 SSL_CTX_get_num_tickets                 491    1_1_1   EXIST::FUNCTION:
 SSL_get_num_tickets                     492    1_1_1   EXIST::FUNCTION:
 SSL_CTX_set_num_tickets                 493    1_1_1   EXIST::FUNCTION:
+SSL_CTX_set_allow_early_data_cb         494    1_1_1   EXIST::FUNCTION:
+SSL_set_allow_early_data_cb             495    1_1_1   EXIST::FUNCTION: