Add a callback for DDoS protection.

This callback receives information about the ClientHello and can decide
whether or not to allow the handshake to continue.

Change-Id: I21be28335fa74fedb5b73a310ee24310670fc923
Reviewed-on: https://boringssl-review.googlesource.com/3721
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index d1dbe87..3f26786 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2037,6 +2037,37 @@
 	}
 }
 
+func addDDoSCallbackTests() {
+	// DDoS callback.
+
+	for _, resume := range []bool{false, true} {
+		suffix := "Resume"
+		if resume {
+			suffix = "No" + suffix
+		}
+
+		testCases = append(testCases, testCase{
+			testType:      serverTest,
+			name:          "Server-DDoS-OK-" + suffix,
+			flags:         []string{"-install-ddos-callback"},
+			resumeSession: resume,
+		})
+
+		failFlag := "-fail-ddos-callback"
+		if resume {
+			failFlag = "-fail-second-ddos-callback"
+		}
+		testCases = append(testCases, testCase{
+			testType:      serverTest,
+			name:          "Server-DDoS-Reject-" + suffix,
+			flags:         []string{"-install-ddos-callback", failFlag},
+			resumeSession: resume,
+			shouldFail:    true,
+			expectedError: ":CONNECTION_REJECTED:",
+		})
+	}
+}
+
 func addVersionNegotiationTests() {
 	for i, shimVers := range tlsVersions {
 		// Assemble flags to disable all newer versions on the shim.
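Review bot: The `suffix` logic in `addDDoSCallbackTests` is inverted, so the test names contradict what the cases exercise: when `resume` is true the name ends in `NoResume`, yet that case sets `resumeSession: true` and passes `-fail-second-ddos-callback`. A failure reported as `Server-DDoS-Reject-NoResume` would therefore send whoever triages it to the initial-handshake path when the rejection being tested is on the resumption handshake. Changing the condition to `if !resume {` makes the names agree with `resumeSession`. The placeholder `// DDoS callback.` could also be replaced by a doc comment such as `// addDDoSCallbackTests checks that the server's DDoS callback can accept or reject a handshake, on both the initial and the resumed connection.`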
@@ -3029,6 +3060,7 @@
 	addCBCPaddingTests()
 	addCBCSplittingTests()
 	addClientAuthTests()
+	addDDoSCallbackTests()
 	addVersionNegotiationTests()
 	addMinimumVersionTests()
 	addD5BugTests()