Add a callback for DDoS protection.

This callback receives information about the ClientHello and can decide
whether or not to allow the handshake to continue.

Change-Id: I21be28335fa74fedb5b73a310ee24310670fc923
Reviewed-on: https://boringssl-review.googlesource.com/3721
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 19ed07b..82d632a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -809,6 +809,11 @@
    * will not call the callback a second time. */
   int (*select_certificate_cb)(const struct ssl_early_callback_ctx *);
 
+  /* dos_protection_cb is called once the resumption decision for a ClientHello
+   * has been made. It returns one to continue the handshake or zero to
+   * abort. */
+  int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);
+
   /* quiet_shutdown is true if the connection should not send a close_notify on
    * shutdown. */
   int quiet_shutdown;
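Review bot: The new field declaration `int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);` has a space between the declarator and the parameter list, which is inconsistent with `select_certificate_cb` immediately above it; write it as `int (*dos_protection_cb)(const struct ssl_early_callback_ctx *);`. The field comment should also state the contract the header's public documentation gives it, since this field is what readers of the struct will find first: that the return value is the only thing consulted, `/* ... It returns one to continue the handshake or zero to abort; the context is read-only. */`. The enclosing struct begins before this hunk.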
@@ -2228,6 +2233,12 @@
 OPENSSL_EXPORT int SSL_cache_hit(SSL *s);
 OPENSSL_EXPORT int SSL_is_server(SSL *s);
 
+/* SSL_CTX_set_dos_protection_cb sets a callback that is called once the
+ * resumption decision for a ClientHello has been made. It can return 1 to
+ * allow the handshake to continue or zero to cause the handshake to abort. */
+void SSL_CTX_set_dos_protection_cb(
+    SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *));
+
 /* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
  * SSL_SESSION structures so that a test can ensure that outside code agrees on
  * these values. */
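Review bot: `SSL_CTX_set_dos_protection_cb` is declared without `OPENSSL_EXPORT`, unlike `SSL_cache_hit` and `SSL_is_server` directly above it, so on builds where that macro controls symbol visibility the new setter would not be exported from the library; the declaration should read `OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(`. The comment also mixes "1" and "zero" for the two return values; for consistency with the struct-field comment say `It can return one to allow the handshake to continue or zero to cause the handshake to abort.` It would help callers to state explicitly that passing NULL restores the default of no callback, if that is the intended behaviour of the setter (its definition is not in this diff).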