Add setters to set the early_data callback

Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6469)
author: Matt Caswell <matt@openssl.org> 2018-06-07 15:14:36 +0100
committer: Matt Caswell <matt@openssl.org> 2018-07-02 15:06:12 +0100
commit: c9598459b6c797bd316e44834f5129bdf28add2b (patch)
tree: fc35179840bc84813873a2f59f3b46148cd0414c
parent: 5d263fb78b51f96753056f21abc4d992d0219df2 (diff)
5 files changed, 41 insertions, 5 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index dca4f3d2d8..bbcfb3c0b3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2389,13 +2389,19 @@ int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
 
 extern const char SSL_version_str[];
 
-
-
 typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us);
 
 void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
 
 
+typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg);
+void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
+                                     SSL_allow_early_data_cb_fn cb,
+                                     void *arg);
+void SSL_set_allow_early_data_cb(SSL *s,
+                                 SSL_allow_early_data_cb_fn cb,
+                                 void *arg);
+
 # ifdef  __cplusplus
 }
 # endif
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e28e2b5eb1..1387067b30 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -805,6 +805,9 @@ SSL *SSL_new(SSL_CTX *ctx)
 
     s->key_update = SSL_KEY_UPDATE_NONE;
 
+    s->allow_early_data_cb = ctx->allow_early_data_cb;
+    s->allow_early_data_cb_data = ctx->allow_early_data_cb_data;
+
     if (!s->method->ssl_new(s))
         goto err;
 
@@ -5483,3 +5486,19 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
     ctx->ticket_cb_data = arg;
     return 1;
 }
+
+void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
+                                     SSL_allow_early_data_cb_fn cb,
+                                     void *arg)
+{
+    ctx->allow_early_data_cb = cb;
+    ctx->allow_early_data_cb_data = arg;
+}
+
+void SSL_set_allow_early_data_cb(SSL *s,
+                                 SSL_allow_early_data_cb_fn cb,
+                                 void *arg)
+{
+    s->allow_early_data_cb = cb;
+    s->allow_early_data_cb_data = arg;
+}
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 7295a9f0d7..6a2edeb190 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1047,6 +1047,10 @@ struct ssl_ctx_st {
 
     /* The number of TLS1.3 tickets to automatically send */
     size_t num_tickets;
+
+    /* Callback to determine if early_data is acceptable or not */
+    SSL_allow_early_data_cb_fn allow_early_data_cb;
+    void *allow_early_data_cb_data;
 };
 
 struct ssl_st {
@@ -1206,8 +1210,6 @@ struct ssl_st {
     SSL_psk_find_session_cb_func psk_find_session_cb;
     SSL_psk_use_session_cb_func psk_use_session_cb;
 
-    int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess);
-
     SSL_CTX *ctx;
     /* Verified chain of peer */
     STACK_OF(X509) *verified_chain;
@@ -1427,6 +1429,10 @@ struct ssl_st {
     size_t sent_tickets;
     /* The next nonce value to use when we send a ticket on this connection */
     uint64_t next_ticket_nonce;
+
+    /* Callback to determine if early_data is acceptable or not */
+    SSL_allow_early_data_cb_fn allow_early_data_cb;
+    void *allow_early_data_cb_data;
 };
 
 /*
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 496039e3d4..5309b12703 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1622,7 +1622,10 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
             || s->session->ext.tick_identity != 0
             || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
             || !s->ext.early_data_ok
-            || s->hello_retry_request != SSL_HRR_NONE) {
+            || s->hello_retry_request != SSL_HRR_NONE
+            || (s->ctx->allow_early_data_cb != NULL
+                && !s->ctx->allow_early_data_cb(s,
+                                         s->ctx->allow_early_data_cb_data))) {
         s->ext.early_data = SSL_EARLY_DATA_REJECTED;
     } else {
         s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
diff --git a/util/libssl.num b/util/libssl.num
index 3495903e87..df6a71e1b5 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -490,3 +490,5 @@ SSL_set_num_tickets                     490	1_1_1	EXIST::FUNCTION:
 SSL_CTX_get_num_tickets                 491	1_1_1	EXIST::FUNCTION:
 SSL_get_num_tickets                     492	1_1_1	EXIST::FUNCTION:
 SSL_CTX_set_num_tickets                 493	1_1_1	EXIST::FUNCTION:
+SSL_CTX_set_allow_early_data_cb         494	1_1_1	EXIST::FUNCTION:
+SSL_set_allow_early_data_cb             495	1_1_1	EXIST::FUNCTION:
author	Matt Caswell <matt@openssl.org>	2018-06-07 15:14:36 +0100
committer	Matt Caswell <matt@openssl.org>	2018-07-02 15:06:12 +0100
commit	c9598459b6c797bd316e44834f5129bdf28add2b (patch)
tree	fc35179840bc84813873a2f59f3b46148cd0414c
parent	5d263fb78b51f96753056f21abc4d992d0219df2 (diff)