Add a callback to announce newly created ssl waiting acceptance
authorNeil Horman <nhorman@openssl.org>
Wed, 8 Jan 2025 19:59:58 +0000 (14:59 -0500)
committerNeil Horman <nhorman@openssl.org>
Mon, 17 Feb 2025 16:27:33 +0000 (11:27 -0500)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26361)

include/openssl/ssl.h.in
ssl/quic/quic_port.c
ssl/ssl_lib.c
ssl/ssl_local.h

index 9a69f62545f49204a70b97defe29f709cb608da0..839d49370b4c6fed41b6008d638d9dc55c38d682 100644 (file)
@@ -1907,6 +1907,11 @@ OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s);
 typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
                                  void *arg);
+typedef int (*SSL_new_pending_ssl_cb_fn) (SSL_CTX *ctx, SSL *new_ssl,
+                                           void *arg);
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+                                    void *arg);
+
 int SSL_client_hello_isv2(SSL *s);
 unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
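Review bot: The new public callback type carries no comment stating its contract, and the contract matters: in the ssl/quic/quic_port.c hunk of this same commit a zero return from the callback causes the freshly created handshake-layer SSL to be freed and the pending connection to be dropped, while a nonzero return lets it proceed. A short comment above the typedef such as `/* Called when a new SSL is placed in the accept queue. Return nonzero to accept it, 0 to reject it (the pending object is freed). */` would pin that down, and the field comment added in the ssl/ssl_local.h hunk (`/* Callback to announce new pending ssl objects in the accept queue */`) would benefit from the same return-value wording. A doc/man3 page for SSL_CTX_set_new_pending_ssl_cb is also not among the files listed on this page; if it is not in another commit of the PR, the accept/reject semantics are undocumented for users.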
index 197afd5c9d645251e7f4c8fdd39fa9d6112b74ad..8ade740af34a0e840b4ff20fb648934cc4ce9fab 100644 (file)
@@ -451,12 +451,14 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
     SSL_CONNECTION *tls_conn = NULL;
     SSL *user_ssl = NULL;
     QUIC_CONNECTION *qc = NULL;
+    QUIC_LISTENER *ql = NULL;
 
     if (port->get_conn_user_ssl != NULL) {
         user_ssl = port->get_conn_user_ssl(ch, port->user_ssl_arg);
         if (user_ssl == NULL)
             return NULL;
         qc = (QUIC_CONNECTION *)user_ssl;
+        ql = (QUIC_LISTENER *)port->user_ssl_arg;
     }
 
     tls = ossl_ssl_connection_new_int(port->channel_ctx, user_ssl, TLS_method());
@@ -471,8 +473,11 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
         qc->tls = tls;
 
     if (ql != NULL && ql->obj.ssl.ctx->new_pending_ssl_cb != NULL)
-        ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
-                                            ql->obj.ssl.ctx->new_pending_ssl_arg);
+        if (!ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
+                                                 ql->obj.ssl.ctx->new_pending_ssl_arg)) {
+            SSL_free(tls);
+            return NULL;
+    }
 
     /* Override the user_ssl of the inner connection. */
     tls_conn->s3.flags      |= TLS1_FLAGS_QUIC;
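Review bot: The rejection path added in the second hunk calls `SSL_free(tls)` and returns NULL, but the context line just above it (`qc->tls = tls;`, presumably under a `qc != NULL` guard) has already stored `tls` in the QUIC_CONNECTION, and `qc` is set in the same branch of the first hunk that sets `ql`, so after rejection `qc->tls` points at freed memory; `user_ssl`, obtained from `get_conn_user_ssl`, is not released either. At minimum the path should do `qc->tls = NULL;` before `SSL_free(tls);`, or go through whatever error cleanup the rest of port_new_handshake_layer uses — the function starts and ends outside the hunk, so I cannot tell whether an error label or a release of `user_ssl` exists there. Separately, the outer `if (ql != NULL && ... != NULL)` has no braces while the inner `if (!...cb(...))` does, and the inner closing brace sits at the outer indentation, which reads as a misbrace; either brace the outer `if` and indent the inner block one more level, or fold it into one condition, `if (ql != NULL && ql->obj.ssl.ctx->new_pending_ssl_cb != NULL && !ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl, ql->obj.ssl.ctx->new_pending_ssl_arg)) {`. The cast `ql = (QUIC_LISTENER *)port->user_ssl_arg;` in the first hunk also assumes `user_ssl_arg` is always a QUIC_LISTENER whenever `get_conn_user_ssl` is set, which is not visible from this hunk and deserves a one-line comment stating that invariant.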
index a3216a9e11bf97944e19a06ebfcd62ff24c54db7..a09c19111380fe079822f5127e1f151c5f737c94 100644 (file)
@@ -6685,6 +6685,13 @@ void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
     c->client_hello_cb_arg = arg;
 }
 
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+                                    void *arg)
+{
+    c->new_pending_ssl_cb = cb;
+    c->new_pending_ssl_arg = arg;
+}
+
 int SSL_client_hello_isv2(SSL *s)
 {
     const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
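Review bot: The new exported function SSL_CTX_set_new_pending_ssl_cb is not accompanied by a util/libssl.num entry in the files listed on this page; OpenSSL's build requires every exported libssl symbol to be listed in that ordinals file, so unless it is added in another commit of the PR the symbol will not be exported from the shared library. The setter itself mirrors SSL_CTX_set_client_hello_cb immediately above it (no NULL check on `c`, plain field assignment), so no other change to the function is needed.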
index 8aa2cd5799606d32a3039c9c981d4e967fe44758..2a96198d78a2513927ed570e883311bb51f87603 100644 (file)
@@ -989,6 +989,10 @@ struct ssl_ctx_st {
     SSL_client_hello_cb_fn client_hello_cb;
     void *client_hello_cb_arg;
 
+    /* Callback to announce new pending ssl objects in the accept queue */
+    SSL_new_pending_ssl_cb_fn new_pending_ssl_cb;
+    void *new_pending_ssl_arg;
+
     /* TLS extensions. */
     struct {
         /* TLS extensions servername callback */