diff options
| author | Matt Caswell <matt@openssl.org> | 2018-06-07 15:14:36 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-07-02 15:06:12 +0100 |
| commit | c9598459b6c797bd316e44834f5129bdf28add2b (patch) | |
| tree | fc35179840bc84813873a2f59f3b46148cd0414c /ssl | |
| parent | 5d263fb78b51f96753056f21abc4d992d0219df2 (diff) | |
Add setters to set the early_data callback
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/ssl_lib.c | 19 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 10 | ||||
| -rw-r--r-- | ssl/statem/extensions.c | 5 |
3 files changed, 31 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e28e2b5eb1..1387067b30 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -805,6 +805,9 @@ SSL *SSL_new(SSL_CTX *ctx) s->key_update = SSL_KEY_UPDATE_NONE; + s->allow_early_data_cb = ctx->allow_early_data_cb; + s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; + if (!s->method->ssl_new(s)) goto err; @@ -5483,3 +5486,19 @@ int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, ctx->ticket_cb_data = arg; return 1; } + +void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + ctx->allow_early_data_cb = cb; + ctx->allow_early_data_cb_data = arg; +} + +void SSL_set_allow_early_data_cb(SSL *s, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + s->allow_early_data_cb = cb; + s->allow_early_data_cb_data = arg; +} diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 7295a9f0d7..6a2edeb190 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1047,6 +1047,10 @@ struct ssl_ctx_st { /* The number of TLS1.3 tickets to automatically send */ size_t num_tickets; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; }; struct ssl_st { @@ -1206,8 +1210,6 @@ struct ssl_st { SSL_psk_find_session_cb_func psk_find_session_cb; SSL_psk_use_session_cb_func psk_use_session_cb; - int (*allow_early_data_cb)(SSL *s, SSL_SESSION *sess); - SSL_CTX *ctx; /* Verified chain of peer */ STACK_OF(X509) *verified_chain; @@ -1427,6 +1429,10 @@ struct ssl_st { size_t sent_tickets; /* The next nonce value to use when we send a ticket on this connection */ uint64_t next_ticket_nonce; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; }; /* diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 496039e3d4..5309b12703 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1622,7 +1622,10 @@ static int final_early_data(SSL *s, unsigned int context, int sent) || s->session->ext.tick_identity != 0 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING || !s->ext.early_data_ok - || s->hello_retry_request != SSL_HRR_NONE) { + || s->hello_retry_request != SSL_HRR_NONE + || (s->ctx->allow_early_data_cb != NULL + && !s->ctx->allow_early_data_cb(s, + s->ctx->allow_early_data_cb_data))) { s->ext.early_data = SSL_EARLY_DATA_REJECTED; } else { s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; |