From a607146904c9bb5d417806d480827e0389902adf Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Wed, 8 Jan 2025 14:59:58 -0500
Subject: [PATCH] Add a callback to announce newly created ssl waiting acceptance
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/26361)
---
 include/openssl/ssl.h.in | 5 +++++
 ssl/quic/quic_port.c | 9 +++++++--
 ssl/ssl_lib.c | 7 +++++++
 ssl/ssl_local.h | 4 ++++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 9a69f62545f..839d49370b4 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1907,6 +1907,11 @@ OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s);
 typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
 void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
 void *arg);
+typedef int (*SSL_new_pending_ssl_cb_fn) (SSL_CTX *ctx, SSL *new_ssl,
+ void *arg);
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+ void *arg);
+
 int SSL_client_hello_isv2(SSL *s);
 unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
 size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 197afd5c9d6..8ade740af34 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
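Review bot: The new SSL_new_pending_ssl_cb_fn typedef and the SSL_CTX_set_new_pending_ssl_cb prototype are added without any comment stating the return contract, yet in the ssl/quic/quic_port.c hunk of this same commit a 0 return makes the port free the freshly created TLS object and abandon the handshake layer. Add a short comment above the typedef, e.g. `/* Invoked when a new SSL object is queued for acceptance; return non-zero to keep it, 0 to reject it (the pending object is then freed by the caller). */`, and carry the same wording into the `new_pending_ssl_cb` field comment added in ssl/ssl_local.h, which currently only says the callback "announces" the object. The diffstat lists no doc/man3 page for the new public function, so without such a comment the contract is only discoverable by reading the QUIC port implementation.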
@@ -451,12 +451,14 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
 SSL_CONNECTION *tls_conn = NULL;
 SSL *user_ssl = NULL;
 QUIC_CONNECTION *qc = NULL;
+ QUIC_LISTENER *ql = NULL;
 
 if (port->get_conn_user_ssl != NULL) {
 user_ssl = port->get_conn_user_ssl(ch, port->user_ssl_arg);
 if (user_ssl == NULL)
 return NULL;
 qc = (QUIC_CONNECTION *)user_ssl;
+ ql = (QUIC_LISTENER *)port->user_ssl_arg;
 }
 
 tls = ossl_ssl_connection_new_int(port->channel_ctx, user_ssl, TLS_method());
@@ -471,8 +473,11 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
 qc->tls = tls;
 
 if (ql != NULL && ql->obj.ssl.ctx->new_pending_ssl_cb != NULL)
- ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
- ql->obj.ssl.ctx->new_pending_ssl_arg);
+ if (!ql->obj.ssl.ctx->new_pending_ssl_cb(ql->obj.ssl.ctx, user_ssl,
+ ql->obj.ssl.ctx->new_pending_ssl_arg)) {
+ SSL_free(tls);
+ return NULL;
+ }
 
 /* Override the user_ssl of the inner connection. */
 tls_conn->s3.flags |= TLS1_FLAGS_QUIC;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a3216a9e11b..a09c1911138 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -6685,6 +6685,13 @@ void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
 c->client_hello_cb_arg = arg;
 }
 
+void SSL_CTX_set_new_pending_ssl_cb(SSL_CTX *c, SSL_new_pending_ssl_cb_fn cb,
+ void *arg)
+{
+ c->new_pending_ssl_cb = cb;
+ c->new_pending_ssl_arg = arg;
+}
+
 int SSL_client_hello_isv2(SSL *s)
 {
 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 8aa2cd57996..2a96198d78a 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -989,6 +989,10 @@ struct ssl_ctx_st {
 SSL_client_hello_cb_fn client_hello_cb;
 void *client_hello_cb_arg;
 
+ /* Callback to announce new pending ssl objects in the accept queue */
+ SSL_new_pending_ssl_cb_fn new_pending_ssl_cb;
+ void *new_pending_ssl_arg;
+
 /* TLS extensions. */
 struct {
 /* TLS extensions servername callback */
-- 
2.47.2
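Review bot: `ql = (QUIC_LISTENER *)port->user_ssl_arg;` reinterprets an opaque callback argument as the listener, and nothing in this hunk establishes that user_ssl_arg is a QUIC_LISTENER whenever get_conn_user_ssl is set; the second hunk of this file then dereferences ql down to ql->obj.ssl.ctx, so a port configured with a different user_ssl_arg would read through a wrong-typed pointer. If that pairing is an invariant of the port API, record it at the cast, `/* user_ssl_arg is the owning QUIC_LISTENER whenever get_conn_user_ssl is set */`, or, better, reach the listener through an accessor that knows the real type instead of a cast at this call site. port_new_handshake_layer starts before this hunk and continues past it.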
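Review bot: On the rejection path `SSL_free(tls); return NULL;` leaves `qc->tls`, which the first context line of this hunk has just set to `tls`, pointing at freed memory; the QUIC_CONNECTION behind user_ssl was handed out by get_conn_user_ssl and outlives this function, so any later use of qc->tls is a use-after-free. Since ql and qc are assigned together in the earlier hunk, ql != NULL implies qc != NULL here, so clearing the field before returning is enough: `SSL_free(tls);` followed by `qc->tls = NULL;`. Whether the rejected user_ssl must also be dequeued or released is not visible in this hunk and should be confirmed against the accept-queue code. Separately, the outer `if (ql != NULL && ...)` now wraps a braced inner `if` while itself remaining unbraced; bracing the outer statement too avoids the dangling-else hazard and matches the surrounding style. The function body begins and ends outside this hunk.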