From c9598459b6c797bd316e44834f5129bdf28add2b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 7 Jun 2018 15:14:36 +0100 Subject: [PATCH] Add setters to set the early_data callback Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6469) --- include/openssl/ssl.h | 10 ++++++++-- ssl/ssl_lib.c | 19 +++++++++++++++++++ ssl/ssl_locl.h | 10 ++++++++-- ssl/statem/extensions.c | 5 ++++- util/libssl.num | 2 ++ 5 files changed, 41 insertions(+), 5 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index dca4f3d2d8..bbcfb3c0b3 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2389,13 +2389,19 @@ int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len); extern const char SSL_version_str[]; - - typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us); void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb); +typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg); +void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, + SSL_allow_early_data_cb_fn cb, + void *arg); +void SSL_set_allow_early_data_cb(SSL *s, + SSL_allow_early_data_cb_fn cb, + void *arg); + # ifdef __cplusplus } # endif diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e28e2b5eb1..1387067b30 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -805,6 +805,9 @@ SSL *SSL_new(SSL_CTX *ctx) s->key_update = SSL_KEY_UPDATE_NONE; + s->allow_early_data_cb = ctx->allow_early_data_cb; + s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; + if (!s->method->ssl_new(s)) goto err; @@ -5483,3 +5486,19 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, ctx->ticket_cb_data = arg; return 1; } + +void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + ctx->allow_early_data_cb = cb; + ctx->allow_early_data_cb_data = arg; +} + +void SSL_set_allow_early_data_cb(SSL *s, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + s->allow_early_data_cb = cb; + s->allow_early_data_cb_data = arg; +} diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 7295a9f0d7..6a2edeb190 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1047,6 +1047,10 @@ struct ssl_ctx_st { /* The number of TLS1.3 tickets to automatically send */ size_t num_tickets; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; }; struct ssl_st { @@ -1206,8 +1210,6 @@ struct ssl_st { SSL_psk_find_session_cb_func psk_find_session_cb; SSL_psk_use_session_cb_func psk_use_session_cb; - int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess); - SSL_CTX *ctx; /* Verified chain of peer */ STACK_OF(X509) *verified_chain; @@ -1427,6 +1429,10 @@ struct ssl_st { size_t sent_tickets; /* The next nonce value to use when we send a ticket on this connection */ uint64_t next_ticket_nonce; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; }; /* diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 496039e3d4..5309b12703 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1622,7 +1622,10 @@ static int final_early_data(SSL *s, unsigned int context, int sent) || s->session->ext.tick_identity != 0 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING || !s->ext.early_data_ok - || s->hello_retry_request != SSL_HRR_NONE) { + || s->hello_retry_request != SSL_HRR_NONE + || (s->ctx->allow_early_data_cb != NULL + && !s->ctx->allow_early_data_cb(s, + s->ctx->allow_early_data_cb_data))) { s->ext.early_data = SSL_EARLY_DATA_REJECTED; } else { s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; diff --git a/util/libssl.num b/util/libssl.num index 3495903e87..df6a71e1b5 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -490,3 +490,5 @@ SSL_set_num_tickets 490 1_1_1 EXIST::FUNCTION: SSL_CTX_get_num_tickets 491 1_1_1 EXIST::FUNCTION: SSL_get_num_tickets 492 1_1_1 EXIST::FUNCTION: SSL_CTX_set_num_tickets 493 1_1_1 EXIST::FUNCTION: +SSL_CTX_set_allow_early_data_cb 494 1_1_1 EXIST::FUNCTION: +SSL_set_allow_early_data_cb 495 1_1_1 EXIST::FUNCTION: -- 2.34.1