Add a callback to announce newly created ssl waiting acceptance
authorNeil Horman <nhorman@openssl.org>
Wed, 8 Jan 2025 19:59:58 +0000 (14:59 -0500)
committerNeil Horman <nhorman@openssl.org>
Thu, 23 Jan 2025 16:50:42 +0000 (11:50 -0500)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26361)

include/openssl/ssl.h.in
ssl/quic/quic_port.c
ssl/ssl_lib.c
ssl/ssl_local.h

index e6e0c8407a888e949aa7ea2a3537225461486ba7..4cb03a24649258b6c958a56ee67dea8b9090bb52 100644 (file)
@@ -1897,6 +1897,11 @@ OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s);
 typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
                                  void *arg);
+typedef int (*SSL_new_pending_ssl_cb_fn) (SSL_CTX *ctx, SSL *new_ssl,
+                                           void *arg);
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+                                    void *arg);
+
 int SSL_client_hello_isv2(SSL *s);
 unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
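Review bot: The new SSL_new_pending_ssl_cb_fn typedef and SSL_CTX_set_new_pending_ssl_cb at the top of the hunk add a public API with no comment on its contract, in particular what a zero return means and which object `new_ssl` is. From the quic_port.c hunk in this commit, a zero return makes the port free the freshly created handshake layer and fail the connection, and the only call site is the QUIC listener path, neither of which a caller can tell from the prototype. I would put above the typedef: `/* Called when a listener creates a new pending SSL object (new_ssl). Return 0 to reject it (the connection is torn down), nonzero to accept. Currently only invoked for QUIC listeners. */`. The diffstat also shows no doc/man3 page or util/libssl.num entry for the new exported symbol, which OpenSSL's doc-nits/`make update` checks would presumably flag unless those land in a separate commit.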
index 197afd5c9d645251e7f4c8fdd39fa9d6112b74ad..8ade740af34a0e840b4ff20fb648934cc4ce9fab 100644 (file)
@@ -451,12 +451,14 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
     SSL_CONNECTION *tls_conn = NULL;
     SSL *user_ssl = NULL;
     QUIC_CONNECTION *qc = NULL;
+    QUIC_LISTENER *ql = NULL;
 
     if (port->get_conn_user_ssl != NULL) {
         user_ssl = port->get_conn_user_ssl(ch, port->user_ssl_arg);
         if (user_ssl == NULL)
             return NULL;
         qc = (QUIC_CONNECTION *)user_ssl;
+        ql = (QUIC_LISTENER *)port->user_ssl_arg;
     }
 
     tls = ossl_ssl_connection_new_int(port->channel_ctx, user_ssl, TLS_method());
@@ -471,8 +473,11 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
         qc->tls = tls;
 
     if (ql != NULL && ql->obj.ssl.ctx->new_pending_ssl_cb != NULL)
-        ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
-                                            ql->obj.ssl.ctx->new_pending_ssl_arg);
+        if (!ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
+                                                 ql->obj.ssl.ctx->new_pending_ssl_arg)) {
+            SSL_free(tls);
+            return NULL;
+    }
 
     /* Override the user_ssl of the inner connection. */
     tls_conn->s3.flags      |= TLS1_FLAGS_QUIC;
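Review bot: On the new callback-failure path the code frees `tls` but leaves `qc->tls`, assigned on the context line just above, pointing at the freed object, so if the caller releases `user_ssl`/`qc` after the NULL return and that teardown also frees `qc->tls`, this becomes a double free; at minimum clear it first: `if (qc != NULL) qc->tls = NULL;` before `SSL_free(tls);`. The brace-less outer `if` wrapping a braced inner `if`, with the closing `}` indented to the outer level, is easy to misread as the closing brace of the outer statement; fold it into one condition: `if (ql != NULL && ql->obj.ssl.ctx->new_pending_ssl_cb != NULL && !ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl, ql->obj.ssl.ctx->new_pending_ssl_arg)) {`. Note also that the callback is handed `user_ssl` before the inner connection receives the TLS1_FLAGS_QUIC override that follows, so any SSL_* calls the callback makes on `new_ssl` act on a not-yet-fully-wired object; if that matters, the call should move after that setup. port_new_handshake_layer starts before this hunk and continues past it.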
index 602f151c51b698c67060e73fcbc43e4b0fedef5a..ede2b286eb108e0e224658286ec217366f224d4e 100644 (file)
@@ -6660,6 +6660,13 @@ void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
     c->client_hello_cb_arg = arg;
 }
 
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+                                    void *arg)
+{
+    c->new_pending_ssl_cb = cb;
+    c->new_pending_ssl_arg = arg;
+}
+
 int SSL_client_hello_isv2(SSL *s)
 {
     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
index 23b4251a3347c96288856a26e3fa41a9a09ffc24..badc1965ea462cb22d75220a1beb960162b9483d 100644 (file)
@@ -982,6 +982,10 @@ struct ssl_ctx_st {
     SSL_client_hello_cb_fn client_hello_cb;
     void *client_hello_cb_arg;
 
+    /* Callback to announce new pending ssl objects in the accept queue */
+    SSL_new_pending_ssl_cb_fn new_pending_ssl_cb;
+    void *new_pending_ssl_arg;
+
     /* TLS extensions. */
     struct {
         /* TLS extensions servername callback */