Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.

"Early callback" is a little ambiguous now that early data exists.
Perhaps "ClientHello callback"?

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)
David Benjamin 2017-09-07 18:39:40 -04:00 committed by Benjamin Kaduk
parent 4e049e2c36
commit a9c0d8beea
18 changed files with 302 additions and 283 deletions

View file

@ -97,8 +97,9 @@ ChaCha20/Poly1305), and 0 if it is not AEAD.
SSL_CIPHER_find() returns a B<SSL_CIPHER> structure which has the cipher ID stored
in B<ptr>. The B<ptr> parameter is a two element array of B<char>, which stores the
two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter
is usually retrieved from a TLS packet by using functions like L<SSL_early_get0_ciphers(3)>.
SSL_CIPHER_find() returns NULL if an error occurs or the indicated cipher is not found.
is usually retrieved from a TLS packet by using functions like
L<SSL_client_hello_get0_ciphers(3)>. SSL_CIPHER_find() returns NULL if an
error occurs or the indicated cipher is not found.
SSL_CIPHER_get_id() returns the OpenSSL-specific ID of the given cipher B<c>. That ID is
not the same as the IANA-specific ID.

View file

@ -0,0 +1,129 @@
=pod
=head1 NAME
SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext - callback functions for early server-side ClientHello processing
=head1 SYNOPSIS
typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg);
void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f,
void *arg);
int SSL_client_hello_isv2(SSL *s);
unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_compression_methods(SSL *s,
const unsigned char **out);
int SSL_client_hello_get1_extensions_present(SSL *s, int **out,
size_t *outlen);
int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out,
size_t *outlen);
=head1 DESCRIPTION
SSL_CTX_set_client_hello_cb() sets the callback function, which is automatically
called during the early stages of ClientHello processing on the server.
The argument supplied when setting the callback is passed back to the
callback at runtime. A callback that returns failure (0) will cause the
connection to terminate, and callbacks returning failure should indicate
what alert value is to be sent in the B<al> parameter. A callback may
also return a negative value to suspend the handshake, and the handshake
function will return immediately. L<SSL_get_error(3)> will return
SSL_ERROR_WANT_CLIENT_HELLO_CB to indicate that the handshake was suspended.
It is the job of the ClientHello callback to store information about the state
of the last call if needed to continue. On the next call into the handshake
function, the ClientHello callback will be called again, and, if it returns
success, normal handshake processing will continue from that point.
SSL_client_hello_isv2() indicates whether the ClientHello was carried in a
SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial
differences from the normal SSLv3 format, including using three bytes per
cipher suite, and not allowing extensions. Additionally, the SSLv2 format
'challenge' field is exposed via SSL_client_hello_get0_random(), padded to
SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos,
SSL_client_hello_get0_compression_methods() returns a dummy list that only includes
the null compression method, since the SSLv2 format does not include a
mechanism by which to negotiate compression.
SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
SSL_client_hello_get0_ciphers(), and
SSL_client_hello_get0_compression_methods() provide access to the corresponding
ClientHello fields, returning the field length and optionally setting an out
pointer to the octets of that field.
Similarly, SSL_client_hello_get0_ext() provides access to individual extensions
from the ClientHello on a per-extension basis. For the provided wire
protocol extension type value, the extension value and length are returned
in the output parameters (if present).
SSL_client_hello_get1_extensions_present() can be used prior to
SSL_client_hello_get0_ext(), to determine which extensions are present in the
ClientHello before querying for them. The B<out> and B<outlen> parameters are
both required, and on success the caller must release the storage allocated for
B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers
holding the numerical value of the TLS extension types in the order they appear
in the ClientHello. B<*outlen> contains the number of elements in the array.
=head1 NOTES
The ClientHello callback provides a vast window of possibilities for application
code to affect the TLS handshake. A primary use of the callback is to
allow the server to examine the server name indication extension provided
by the client in order to select an appropriate certificate to present,
and make other configuration adjustments relevant to that server name
and its configuration. Such configuration changes can include swapping out
the associated SSL_CTX pointer, modifying the server's list of permitted TLS
versions, changing the server's cipher list in response to the client's
cipher list, etc.
It is also recommended that applications utilize a ClientHello callback and
not use a servername callback, in order to avoid unexpected behavior that
occurs due to the relative order of processing between things like session
resumption and the historical servername callback.
The SSL_client_hello_* family of functions may only be called from code executing
within a ClientHello callback.
=head1 RETURN VALUES
The application's supplied ClientHello callback returns 1 on success, 0 on failure,
and a negative value to suspend processing.
SSL_client_hello_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise.
SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
SSL_client_hello_get0_ciphers(), and
SSL_client_hello_get0_compression_methods() return the length of the
corresponding ClientHello fields. If zero is returned, the output pointer
should not be assumed to be valid.
SSL_client_hello_get0_ext() returns 1 if the extension of type 'type' is present, and
0 otherwise.
SSL_client_hello_get1_extensions_present() returns 1 on success and 0 on failure.
=head1 SEE ALSO
L<ssl(7)>, L<SSL_CTX_set_tlsext_servername_callback(3)>,
L<SSL_bytes_to_cipher_list>
=head1 HISTORY
The SSL ClientHello callback, SSL_client_hello_isv2(),
SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
SSL_client_hello_get0_ciphers(), SSL_client_hello_get0_compression_methods(),
SSL_client_hello_get0_ext(), and SSL_client_hello_get1_extensions_present()
were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
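Review bot: the SYNOPSIS disagrees with the ssl.h hunk in this same patch on two prototypes. Here the setter is declared as `void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f, void *arg);` while ssl.h takes `SSL_client_hello_cb_fn cb` (the typedef is already a function pointer, so the extra `*` is wrong), and SSL_client_hello_get0_ext() takes `int type` here but `unsigned int type` in ssl.h; both mismatches are carried over verbatim from the deleted SSL_CTX_set_early_cb.pod, so this rename is the moment to copy the header forms into the pod. SSL_client_hello_get0_legacy_version() appears in NAME and SYNOPSIS but nowhere in DESCRIPTION, RETURN VALUES or HISTORY; a sentence saying it returns the ClientHello's legacy version field, and 0 when no ClientHello is available as the implementation does, would close that gap. Smaller points: "The contents of B<*out> is an array" should read "are", and L<SSL_bytes_to_cipher_list> in SEE ALSO lacks the (3) section the other entries carry.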

View file

@ -1,123 +0,0 @@
=pod
=head1 NAME
SSL_CTX_set_early_cb, SSL_early_cb_fn, SSL_early_isv2, SSL_early_get0_legacy_version, SSL_early_get0_random, SSL_early_get0_session_id, SSL_early_get0_ciphers, SSL_early_get0_compression_methods, SSL_early_get1_extensions_present, SSL_early_get0_ext - callback functions for early server-side ClientHello processing
=head1 SYNOPSIS
typedef int (*SSL_early_cb_fn)(SSL *s, int *al, void *arg);
void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn *f, void *arg);
int SSL_early_isv2(SSL *s);
unsigned int SSL_early_get0_legacy_version(SSL *s);
size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen);
int SSL_early_get0_ext(SSL *s, int type, const unsigned char **out,
size_t *outlen);
=head1 DESCRIPTION
SSL_CTX_set_early_cb() sets the callback function, which is automatically
called during the early stages of ClientHello processing on the server.
The argument supplied when setting the callback is passed back to the
callback at runtime. A callback that returns failure (0) will cause the
connection to terminate, and callbacks returning failure should indicate
what alert value is to be sent in the B<al> parameter. A callback may
also return a negative value to suspend the handshake, and the handshake
function will return immediately. L<SSL_get_error(3)> will return
SSL_ERROR_WANT_EARLY to indicate that the handshake was suspended.
It is the job of the early callback to store information about the state
of the last call if needed to continue. On the next call into the handshake
function, the early callback will be called again, and, if it returns
success, normal handshake processing will continue from that point.
SSL_early_isv2() indicates whether the ClientHello was carried in a
SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial
differences from the normal SSLv3 format, including using three bytes per
cipher suite, and not allowing extensions. Additionally, the SSLv2 format
'challenge' field is exposed via SSL_early_get0_random(), padded to
SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos,
SSL_early_get0_compression_methods() returns a dummy list that only includes
the null compression method, since the SSLv2 format does not include a
mechanism by which to negotiate compression.
SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
and SSL_early_get0_compression_methods() provide access to the corresponding
ClientHello fields, returning the field length and optionally setting an
out pointer to the octets of that field.
Similarly, SSL_early_get0_ext() provides access to individual extensions
from the ClientHello on a per-extension basis. For the provided wire
protocol extension type value, the extension value and length are returned
in the output parameters (if present).
SSL_early_get1_extensions_present() can be used prior to SSL_early_get0_ext(),
to determine which extensions are present in the ClientHello before querying
for them. The B<out> and B<outlen> parameters are both required, and on
success the caller must release the storage allocated for B<*out> using
OPENSSL_free(). The contents of B<*out> is an array of integers holding the
numerical value of the TLS extension types in the order they appear in the
ClientHello. B<*outlen> contains the number of elements in the array.
=head1 NOTES
The early callback provides a vast window of possibilities for application
code to affect the TLS handshake. A primary use of the callback is to
allow the server to examine the server name indication extension provided
by the client in order to select an appropriate certificate to present,
and make other configuration adjustments relevant to that server name
and its configuration. Such configuration changes can include swapping out
the associated SSL_CTX pointer, modifying the server's list of permitted TLS
versions, changing the server's cipher list in response to the client's
cipher list, etc.
It is also recommended that applications utilize an early callback and
not use a servername callback, in order to avoid unexpected behavior that
occurs due to the relative order of processing between things like session
resumption and the historical servername callback.
The SSL_early_* family of functions may only be called from code executing
within an early callback.
=head1 RETURN VALUES
The application's supplied early callback returns 1 on success, 0 on failure,
and a negative value to suspend processing.
SSL_early_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise.
SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
and SSL_early_get0_compression_methods() return the length of the corresponding
ClientHello fields. If zero is returned, the output pointer should not be
assumed to be valid.
SSL_early_get0_ext() returns 1 if the extension of type 'type' is present, and
0 otherwise.
SSL_early_get1_extensions_present() returns 1 on success and 0 on failure.
=head1 SEE ALSO
L<ssl(7)>, L<SSL_CTX_set_tlsext_servername_callback(3)>,
L<SSL_bytes_to_cipher_list>
=head1 HISTORY
The SSL early callback, SSL_early_isv2(), SSL_early_get0_random(),
SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
SSL_early_get0_compression_methods(), SSL_early_get0_ext(), and
SSL_early_get1_extensions_present() were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
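Review bot: deleting the page outright, with no alias page for the old name, matches the ssl.h hunk, which likewise adds no compatibility #defines for the SSL_early_* names; anything already built against the old identifiers will stop compiling, so a CHANGES entry naming the old and new identifiers would help people doing the same rename downstream.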

View file

@ -21,8 +21,8 @@ SSL_set_tlsext_host_name - handle server name indication (SNI)
=head1 DESCRIPTION
The functionality provided by the servername callback is superseded by
the early callback, which can be set using SSL_CTX_set_early_cb().
The functionality provided by the servername callback is superseded by the
ClientHello callback, which can be set using SSL_CTX_set_client_hello_cb().
The servername callback is retained for historical compatibility.
SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb>
@ -48,8 +48,8 @@ to B<TLSEXT_NAMETYPE_host_name> (defined in RFC3546).
=head1 NOTES
Several callbacks are executed during ClientHello processing, including
the early, ALPN, and servername callbacks. The early callback is executed
first, then the servername callback, followed by the ALPN callback.
the ClientHello, ALPN, and servername callbacks. The ClientHello callback is
executed first, then the servername callback, followed by the ALPN callback.
The SSL_set_tlsext_host_name() function should only be called on SSL objects
that will act as clients; otherwise the configured B<name> will be ignored.
@ -63,7 +63,7 @@ SSL_set_tlsext_host_name() returns 1 on success, 0 in case of error.
=head1 SEE ALSO
L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>,
L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_early_cb(3)>
L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_client_hello_cb(3)>
=head1 COPYRIGHT

View file

@ -110,10 +110,10 @@ through a call to L<ASYNC_init_thread(3)>. The application should retry the
operation after a currently executing asynchronous operation for the current
thread has completed.
=item SSL_ERROR_WANT_EARLY
=item SSL_ERROR_WANT_CLIENT_HELLO_CB
The operation did not complete because an application callback set by
SSL_CTX_set_early_cb() has asked to be called again.
SSL_CTX_set_client_hello_cb() has asked to be called again.
The TLS/SSL I/O function should be called again later.
Details depend on the application.
@ -137,7 +137,7 @@ L<ssl(7)>
=head1 HISTORY
SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0.
SSL_ERROR_WANT_EARLY was added in OpenSSL 1.1.1.
SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1.
=head1 COPYRIGHT

View file

@ -3,8 +3,8 @@
=head1 NAME
SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup,
SSL_want_async, SSL_want_async_job, SSL_want_early - obtain state information
TLS/SSL I/O operation
SSL_want_async, SSL_want_async_job, SSL_want_client_hello_cb - obtain state
information TLS/SSL I/O operation
=head1 SYNOPSIS
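Review bot: while the NAME line is being rewrapped, the pre-existing phrase "obtain state information TLS/SSL I/O operation" is missing a preposition and could become "obtain state information for a TLS/SSL I/O operation"; the same fragment shows up as the running section title in the next hunk header, so it is worth fixing once here.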
@ -17,7 +17,7 @@ TLS/SSL I/O operation
int SSL_want_x509_lookup(const SSL *ssl);
int SSL_want_async(const SSL *ssl);
int SSL_want_async_job(const SSL *ssl);
int SSL_want_early(const SSL *ssl);
int SSL_want_client_hello_cb(const SSL *ssl);
=head1 DESCRIPTION
@ -82,18 +82,18 @@ The asynchronous job could not be started because there were no async jobs
available in the pool (see ASYNC_init_thread(3)). A call to L<SSL_get_error(3)>
should return SSL_ERROR_WANT_ASYNC_JOB.
=item SSL_EARLY_WORK
=item SSL_CLIENT_HELLO_CB
The operation did not complete because an application callback set by
SSL_CTX_set_early_cb() has asked to be called again.
SSL_CTX_set_client_hello_cb() has asked to be called again.
A call to L<SSL_get_error(3)> should return
SSL_ERROR_WANT_EARLY.
SSL_ERROR_WANT_CLIENT_HELLO_CB.
=back
SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup(),
SSL_want_async(), SSL_want_async_job(), and SSL_want_early() return 1, when
the corresponding condition is true or 0 otherwise.
SSL_want_async(), SSL_want_async_job(), and SSL_want_client_hello_cb() return
1, when the corresponding condition is true or 0 otherwise.
=head1 SEE ALSO
@ -101,7 +101,7 @@ L<ssl(7)>, L<SSL_get_error(3)>
=head1 HISTORY
SSL_want_early() and SSL_EARLY_WORK were added in OpenSSL 1.1.1.
SSL_want_client_hello_cb() and SSL_CLIENT_HELLO_CB were added in OpenSSL 1.1.1.
=head1 COPYRIGHT

View file

@ -844,16 +844,16 @@ __owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_X509_LOOKUP 4
# define SSL_ASYNC_PAUSED 5
# define SSL_ASYNC_NO_JOBS 6
# define SSL_EARLY_WORK 7
# define SSL_CLIENT_HELLO_CB 7
/* These will only be used when doing non-blocking IO */
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
# define SSL_want_read(s) (SSL_want(s) == SSL_READING)
# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
# define SSL_want_early(s) (SSL_want(s) == SSL_EARLY_WORK)
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
# define SSL_want_read(s) (SSL_want(s) == SSL_READING)
# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
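Review bot: SSL_CLIENT_HELLO_CB keeps the value 7 that SSL_EARLY_WORK had, so SSL_want() results and the SSL_want_* predicates are unchanged by the rename. The six other SSL_want_* macros appear identical apart from alignment and are re-emitted only to realign the column after the longer name; that inflates the diff, and if column alignment is not a concern only the SSL_want_client_hello_cb line needs to change.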
@ -1135,7 +1135,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_ACCEPT 8
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
# define SSL_ERROR_WANT_EARLY 11
# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
# define SSL_CTRL_SET_TMP_DH 3
# define SSL_CTRL_SET_TMP_ECDH 4
# define SSL_CTRL_SET_TMP_DH_CB 6
@ -1697,19 +1697,21 @@ __owur char *SSL_get_srp_userinfo(SSL *s);
# endif
/*
* Early callback and helpers.
* ClientHello callback and helpers.
*/
typedef int (*SSL_early_cb_fn) (SSL *s, int *al, void *arg);
void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg);
int SSL_early_isv2(SSL *s);
unsigned int SSL_early_get0_legacy_version(SSL *s);
size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen);
int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
size_t *outlen);
typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
void *arg);
int SSL_client_hello_isv2(SSL *s);
unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_compression_methods(SSL *s,
const unsigned char **out);
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
const unsigned char **out, size_t *outlen);
void SSL_certs_clear(SSL *s);
void SSL_free(SSL *ssl);
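Review bot: SSL_client_hello_get1_extensions_present() and SSL_client_hello_get0_ext() return a success flag that callers must check before touching *out and *outlen (the pod says the output is only meaningful on success, and get1 hands back storage the caller must free), so they are candidates for the __owur annotation that SSL_extension_supported() carries in the context line at the top of this file's first hunk. The forms declared here (`SSL_client_hello_cb_fn cb`, `unsigned int type`) are the ones the pod's SYNOPSIS should mirror.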

View file

@ -3301,8 +3301,8 @@ int SSL_get_error(const SSL *s, int i)
return SSL_ERROR_WANT_ASYNC;
if (SSL_want_async_job(s))
return SSL_ERROR_WANT_ASYNC_JOB;
if (SSL_want_early(s))
return SSL_ERROR_WANT_EARLY;
if (SSL_want_client_hello_cb(s))
return SSL_ERROR_WANT_CLIENT_HELLO_CB;
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
@ -4700,27 +4700,28 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
#endif /* OPENSSL_NO_CT */
void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg)
void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
void *arg)
{
c->early_cb = cb;
c->early_cb_arg = arg;
c->client_hello_cb = cb;
c->client_hello_cb_arg = arg;
}
int SSL_early_isv2(SSL *s)
int SSL_client_hello_isv2(SSL *s)
{
if (s->clienthello == NULL)
return 0;
return s->clienthello->isv2;
}
unsigned int SSL_early_get0_legacy_version(SSL *s)
unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
{
if (s->clienthello == NULL)
return 0;
return s->clienthello->legacy_version;
}
size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
{
if (s->clienthello == NULL)
return 0;
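Review bot: every accessor returns 0 when s->clienthello is NULL, which is the only guard against calling these outside the ClientHello callback. For SSL_client_hello_isv2() that 0 is indistinguishable from a genuine "not SSLv2" answer, and for SSL_client_hello_get0_legacy_version() from a real version of 0, so a caller outside the callback fails silently; a sentence in the pod's RETURN VALUES saying that all SSL_client_hello_* functions return 0 when no ClientHello is available would make the contract explicit.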
@ -4729,7 +4730,7 @@ size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
return SSL3_RANDOM_SIZE;
}
size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
{
if (s->clienthello == NULL)
return 0;
@ -4738,7 +4739,7 @@ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
return s->clienthello->session_id_len;
}
size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
{
if (s->clienthello == NULL)
return 0;
@ -4747,7 +4748,7 @@ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
return PACKET_remaining(&s->clienthello->ciphersuites);
}
size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
{
if (s->clienthello == NULL)
return 0;
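Review bot: the definition line `size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)` now runs to 83 columns; the ssl.h hunk already wraps this prototype after `SSL *s,`, so the definition should wrap the same way.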
@ -4756,7 +4757,7 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
return s->clienthello->compressions_len;
}
int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
{
RAW_EXTENSION *ext;
int *present;
@ -4788,7 +4789,7 @@ int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
return 0;
}
int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
size_t *outlen)
{
size_t i;
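Review bot: `int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,` is over 80 columns after the rename; wrap it as ssl.h does, breaking after `unsigned int type,` and aligning the continuation with the opening parenthesis.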

View file

@ -877,9 +877,9 @@ struct ssl_ctx_st {
ENGINE *client_cert_engine;
# endif
/* Early callback. Mostly for extensions, but not entirely. */
SSL_early_cb_fn early_cb;
void *early_cb_arg;
/* ClientHello callback. Mostly for extensions, but not entirely. */
SSL_client_hello_cb_fn client_hello_cb;
void *client_hello_cb_arg;
/* TLS extensions. */
struct {
@ -1252,7 +1252,10 @@ struct ssl_st {
size_t tls13_cookie_len;
} ext;
/* Parsed form of the ClientHello, kept around across early_cb calls. */
/*
* Parsed form of the ClientHello, kept around across client_hello_cb
* calls.
*/
CLIENTHELLO_MSG *clienthello;
/*-

View file

@ -1430,15 +1430,15 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
DOWNGRADE dgrd = DOWNGRADE_NONE;
/* Finished parsing the ClientHello, now we can start processing it */
/* Give the early callback a crack at things */
if (s->ctx->early_cb != NULL) {
/* Give the ClientHello callback a crack at things */
if (s->ctx->client_hello_cb != NULL) {
int code;
/* A failure in the early callback terminates the connection. */
code = s->ctx->early_cb(s, &al, s->ctx->early_cb_arg);
/* A failure in the ClientHello callback terminates the connection. */
code = s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg);
if (code == 0)
goto err;
if (code < 0) {
s->rwstate = SSL_EARLY_WORK;
s->rwstate = SSL_CLIENT_HELLO_CB;
return code;
}
}
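Review bot: the `code == 0` path jumps to err with whatever is in al, but the pod only says a failing callback "should" set *al, and al's initialiser is outside this hunk; confirm it starts from a sane default so that a callback returning 0 without touching *al cannot send an uninitialised alert value. The negative-return path is consistent with the pod: rwstate becomes SSL_CLIENT_HELLO_CB, which is what SSL_get_error() maps to SSL_ERROR_WANT_CLIENT_HELLO_CB in the ssl_lib.c hunk.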

View file

@ -137,7 +137,7 @@ static int select_server_ctx(SSL *s, void *arg, int ignore)
}
}
static int early_select_server_ctx(SSL *s, void *arg, int ignore)
static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore)
{
const char *servername;
const unsigned char *p;
@ -149,7 +149,8 @@ static int early_select_server_ctx(SSL *s, void *arg, int ignore)
* The server_name extension was given too much extensibility when it
* was written, so parsing the normal case is a bit complex.
*/
if (!SSL_early_get0_ext(s, TLSEXT_TYPE_server_name, &p, &remaining) ||
if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p,
&remaining) ||
remaining <= 2)
return 0;
/* Extract the length of the supplied list of names. */
@ -219,44 +220,44 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg)
return select_server_ctx(s, arg, 0);
}
static int early_ignore_cb(SSL *s, int *al, void *arg)
static int client_hello_ignore_cb(SSL *s, int *al, void *arg)
{
if (!early_select_server_ctx(s, arg, 1)) {
if (!client_hello_select_server_ctx(s, arg, 1)) {
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
return 1;
}
static int early_reject_cb(SSL *s, int *al, void *arg)
static int client_hello_reject_cb(SSL *s, int *al, void *arg)
{
if (!early_select_server_ctx(s, arg, 0)) {
if (!client_hello_select_server_ctx(s, arg, 0)) {
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
return 1;
}
static int early_nov12_cb(SSL *s, int *al, void *arg)
static int client_hello_nov12_cb(SSL *s, int *al, void *arg)
{
int ret;
unsigned int v;
const unsigned char *p;
v = SSL_early_get0_legacy_version(s);
v = SSL_client_hello_get0_legacy_version(s);
if (v > TLS1_2_VERSION || v < SSL3_VERSION) {
*al = SSL_AD_PROTOCOL_VERSION;
return 0;
}
(void)SSL_early_get0_session_id(s, &p);
(void)SSL_client_hello_get0_session_id(s, &p);
if (p == NULL ||
SSL_early_get0_random(s, &p) == 0 ||
SSL_early_get0_ciphers(s, &p) == 0 ||
SSL_early_get0_compression_methods(s, &p) == 0) {
SSL_client_hello_get0_random(s, &p) == 0 ||
SSL_client_hello_get0_ciphers(s, &p) == 0 ||
SSL_client_hello_get0_compression_methods(s, &p) == 0) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
ret = early_select_server_ctx(s, arg, 0);
ret = client_hello_select_server_ctx(s, arg, 0);
SSL_set_max_proto_version(s, TLS1_1_VERSION);
if (!ret)
*al = SSL_AD_UNRECOGNIZED_NAME;
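Review bot: in client_hello_nov12_cb() the return value of SSL_set_max_proto_version(s, TLS1_1_VERSION) is ignored; if that call fails the callback still returns success and the test only notices through the ExpectedProtocol check in the conf, so treat a failure as an internal error and return 0. The `p == NULL` test after SSL_client_hello_get0_session_id() also relies on the out pointer being set when the session id is empty, which the pod says callers should not assume once a length of zero is returned; either the pod should promise that *out is always set, or the test should not depend on it.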
@ -489,7 +490,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
/*
* Link the two contexts for SNI purposes.
* Also do early callbacks here, as setting both early and SNI is bad.
* Also do ClientHello callbacks here, as setting both ClientHello and SNI
* is bad.
*/
switch (extra->server.servername_callback) {
case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
@ -502,14 +504,14 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
break;
case SSL_TEST_SERVERNAME_CB_NONE:
break;
case SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH:
SSL_CTX_set_early_cb(server_ctx, early_ignore_cb, server2_ctx);
case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH:
SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx);
break;
case SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH:
SSL_CTX_set_early_cb(server_ctx, early_reject_cb, server2_ctx);
case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH:
SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx);
break;
case SSL_TEST_SERVERNAME_EARLY_NO_V12:
SSL_CTX_set_early_cb(server_ctx, early_nov12_cb, server2_ctx);
case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12:
SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx);
}
if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) {
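Review bot: the three `SSL_CTX_set_client_hello_cb(server_ctx, client_hello_*_cb, server2_ctx);` lines are now 84 to 85 columns wide and should wrap after `server_ctx,`. The renamed SSL_TEST_SERVERNAME_CLIENT_HELLO_* enumerators, and the ClientHelloIgnoreMismatch / ClientHelloRejectMismatch strings used by the test conf, depend on matching changes in the ssl_test_ctx sources, which are among the 18 changed files but not shown on this page.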

View file

@ -8,9 +8,9 @@ test-2 = 2-SNI-no-server-support
test-3 = 3-SNI-no-client-support
test-4 = 4-SNI-bad-sni-ignore-mismatch
test-5 = 5-SNI-bad-sni-reject-mismatch
test-6 = 6-SNI-bad-early-sni-ignore-mismatch
test-7 = 7-SNI-bad-early-sni-reject-mismatch
test-8 = 8-SNI-early-disable-v12
test-6 = 6-SNI-bad-clienthello-sni-ignore-mismatch
test-7 = 7-SNI-bad-clienthello-sni-reject-mismatch
test-8 = 8-SNI-clienthello-disable-v12
# ===========================================================
[0-SNI-switch-context]
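Review bot: this file has the shape of a generated ssl-tests .conf (numbered test-N entries with derived ssl_conf section names); the .conf.in template it would be generated from is not among the hunks shown, so confirm the same rename went into the template, otherwise regenerating the test configs will revert these section names.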
@ -206,20 +206,20 @@ ServerName = invalid
# ===========================================================
[6-SNI-bad-early-sni-ignore-mismatch]
ssl_conf = 6-SNI-bad-early-sni-ignore-mismatch-ssl
[6-SNI-bad-clienthello-sni-ignore-mismatch]
ssl_conf = 6-SNI-bad-clienthello-sni-ignore-mismatch-ssl
[6-SNI-bad-early-sni-ignore-mismatch-ssl]
server = 6-SNI-bad-early-sni-ignore-mismatch-server
client = 6-SNI-bad-early-sni-ignore-mismatch-client
server2 = 6-SNI-bad-early-sni-ignore-mismatch-server
[6-SNI-bad-clienthello-sni-ignore-mismatch-ssl]
server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server
client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client
server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server
[6-SNI-bad-early-sni-ignore-mismatch-server]
[6-SNI-bad-clienthello-sni-ignore-mismatch-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-SNI-bad-early-sni-ignore-mismatch-client]
[6-SNI-bad-clienthello-sni-ignore-mismatch-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -227,33 +227,33 @@ VerifyMode = Peer
[test-6]
ExpectedResult = Success
ExpectedServerName = server1
server = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
server2 = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
client = 6-SNI-bad-early-sni-ignore-mismatch-client-extra
server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra
server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra
client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra
[6-SNI-bad-early-sni-ignore-mismatch-server-extra]
ServerNameCallback = EarlyIgnoreMismatch
[6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra]
ServerNameCallback = ClientHelloIgnoreMismatch
[6-SNI-bad-early-sni-ignore-mismatch-client-extra]
[6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra]
ServerName = invalid
# ===========================================================
[7-SNI-bad-early-sni-reject-mismatch]
ssl_conf = 7-SNI-bad-early-sni-reject-mismatch-ssl
[7-SNI-bad-clienthello-sni-reject-mismatch]
ssl_conf = 7-SNI-bad-clienthello-sni-reject-mismatch-ssl
[7-SNI-bad-early-sni-reject-mismatch-ssl]
server = 7-SNI-bad-early-sni-reject-mismatch-server
client = 7-SNI-bad-early-sni-reject-mismatch-client
server2 = 7-SNI-bad-early-sni-reject-mismatch-server
[7-SNI-bad-clienthello-sni-reject-mismatch-ssl]
server = 7-SNI-bad-clienthello-sni-reject-mismatch-server
client = 7-SNI-bad-clienthello-sni-reject-mismatch-client
server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server
[7-SNI-bad-early-sni-reject-mismatch-server]
[7-SNI-bad-clienthello-sni-reject-mismatch-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-SNI-bad-early-sni-reject-mismatch-client]
[7-SNI-bad-clienthello-sni-reject-mismatch-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -261,33 +261,33 @@ VerifyMode = Peer
[test-7]
ExpectedResult = ServerFail
ExpectedServerAlert = UnrecognizedName
server = 7-SNI-bad-early-sni-reject-mismatch-server-extra
server2 = 7-SNI-bad-early-sni-reject-mismatch-server-extra
client = 7-SNI-bad-early-sni-reject-mismatch-client-extra
server = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra
server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra
client = 7-SNI-bad-clienthello-sni-reject-mismatch-client-extra
[7-SNI-bad-early-sni-reject-mismatch-server-extra]
ServerNameCallback = EarlyRejectMismatch
[7-SNI-bad-clienthello-sni-reject-mismatch-server-extra]
ServerNameCallback = ClientHelloRejectMismatch
[7-SNI-bad-early-sni-reject-mismatch-client-extra]
[7-SNI-bad-clienthello-sni-reject-mismatch-client-extra]
ServerName = invalid
# ===========================================================
[8-SNI-early-disable-v12]
ssl_conf = 8-SNI-early-disable-v12-ssl
[8-SNI-clienthello-disable-v12]
ssl_conf = 8-SNI-clienthello-disable-v12-ssl
[8-SNI-early-disable-v12-ssl]
server = 8-SNI-early-disable-v12-server
client = 8-SNI-early-disable-v12-client
server2 = 8-SNI-early-disable-v12-server
[8-SNI-clienthello-disable-v12-ssl]
server = 8-SNI-clienthello-disable-v12-server
client = 8-SNI-clienthello-disable-v12-client
server2 = 8-SNI-clienthello-disable-v12-server
[8-SNI-early-disable-v12-server]
[8-SNI-clienthello-disable-v12-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-SNI-early-disable-v12-client]
[8-SNI-clienthello-disable-v12-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -295,14 +295,14 @@ VerifyMode = Peer
[test-8]
ExpectedProtocol = TLSv1.1
ExpectedServerName = server2
server = 8-SNI-early-disable-v12-server-extra
server2 = 8-SNI-early-disable-v12-server-extra
client = 8-SNI-early-disable-v12-client-extra
server = 8-SNI-clienthello-disable-v12-server-extra
server2 = 8-SNI-clienthello-disable-v12-server-extra
client = 8-SNI-clienthello-disable-v12-client-extra
[8-SNI-early-disable-v12-server-extra]
ServerNameCallback = EarlyNoV12
[8-SNI-clienthello-disable-v12-server-extra]
ServerNameCallback = ClientHelloNoV12
[8-SNI-early-disable-v12-client-extra]
[8-SNI-clienthello-disable-v12-client-extra]
ServerName = server2
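Review bot: this generated test configuration has to stay in sync with the renamed entries in the `our @tests` source further down; the section names (`6-SNI-bad-clienthello-sni-ignore-mismatch-*`, `7-SNI-bad-clienthello-sni-reject-mismatch-*`, `8-SNI-clienthello-disable-v12-*`) and the `ServerNameCallback` values (`ClientHelloIgnoreMismatch`, `ClientHelloRejectMismatch`, `ClientHelloNoV12`) match the three renamed tests and their `extra` settings exactly, so this reads as regenerated output rather than a hand edit, which is what a generated file should be. One thing to check beyond this diff: once the `Early*` strings are removed from the callback table, any `.conf` that was not regenerated would fail in `parse_servername_callback` instead of silently keeping the old behaviour, so every config referencing the old names needs to be regenerated in the same commit.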


@ -111,10 +111,10 @@ our @tests = (
},
},
{
name => "SNI-bad-early-sni-ignore-mismatch",
name => "SNI-bad-clienthello-sni-ignore-mismatch",
server => {
extra => {
"ServerNameCallback" => "EarlyIgnoreMismatch",
"ServerNameCallback" => "ClientHelloIgnoreMismatch",
},
},
client => {
@ -128,10 +128,10 @@ our @tests = (
},
},
{
name => "SNI-bad-early-sni-reject-mismatch",
name => "SNI-bad-clienthello-sni-reject-mismatch",
server => {
extra => {
"ServerNameCallback" => "EarlyRejectMismatch",
"ServerNameCallback" => "ClientHelloRejectMismatch",
},
},
client => {
@ -148,10 +148,10 @@ our @tests = (
our @tests_tls_1_1 = (
{
name => "SNI-early-disable-v12",
name => "SNI-clienthello-disable-v12",
server => {
extra => {
"ServerNameCallback" => "EarlyNoV12",
"ServerNameCallback" => "ClientHelloNoV12",
},
},
client => {


@ -238,9 +238,11 @@ static const test_enum ssl_servername_callbacks[] = {
{"None", SSL_TEST_SERVERNAME_CB_NONE},
{"IgnoreMismatch", SSL_TEST_SERVERNAME_IGNORE_MISMATCH},
{"RejectMismatch", SSL_TEST_SERVERNAME_REJECT_MISMATCH},
{"EarlyIgnoreMismatch", SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH},
{"EarlyRejectMismatch", SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH},
{"EarlyNoV12", SSL_TEST_SERVERNAME_EARLY_NO_V12},
{"ClientHelloIgnoreMismatch",
SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH},
{"ClientHelloRejectMismatch",
SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH},
{"ClientHelloNoV12", SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12},
};
__owur static int parse_servername_callback(SSL_TEST_SERVER_CONF *server_conf,
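Review bot: the three `Early*` strings are removed outright, so a test config still using `EarlyIgnoreMismatch`, `EarlyRejectMismatch` or `EarlyNoV12` now fails the lookup in `parse_servername_callback` rather than mapping to the old behaviour; that is the right outcome for an unreleased API, and the generated configs above were updated to match. The consumer of these enum values, the helper that actually installs the callback with `SSL_CTX_set_client_hello_cb` and implements the ignore, reject and no-TLS1.2 behaviours, is not in this part of the diff; confirm it was renamed in the same commit, otherwise the test binary will not compile against the renamed enum in the header below.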


@ -39,9 +39,9 @@ typedef enum {
SSL_TEST_SERVERNAME_CB_NONE = 0, /* Default */
SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
SSL_TEST_SERVERNAME_REJECT_MISMATCH,
SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH,
SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH,
SSL_TEST_SERVERNAME_EARLY_NO_V12
SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH,
SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH,
SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12
} ssl_servername_callback_t;
typedef enum {


@ -401,7 +401,7 @@ end:
#endif
#ifndef OPENSSL_NO_TLS1_2
static int full_early_callback(SSL *s, int *al, void *arg)
static int full_client_hello_callback(SSL *s, int *al, void *arg)
{
int *ctr = arg;
const unsigned char *p;
@ -424,16 +424,17 @@ static int full_early_callback(SSL *s, int *al, void *arg)
if ((*ctr)++ == 0)
return -1;
len = SSL_early_get0_ciphers(s, &p);
len = SSL_client_hello_get0_ciphers(s, &p);
if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
|| !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
|| !TEST_size_t_eq(
SSL_client_hello_get0_compression_methods(s, &p), 1)
|| !TEST_int_eq(*p, 0))
return 0;
if (!SSL_early_get1_extensions_present(s, &exts, &len))
if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
return 0;
if (len != OSSL_NELEM(expected_extensions) ||
memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
printf("Early callback expected ClientHello extensions mismatch\n");
printf("ClientHello callback expected extensions mismatch\n");
OPENSSL_free(exts);
return 0;
}
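Review bot: the extension comparison at the end of this hunk still uses a raw `memcmp` plus `printf` while the cipher and compression checks just above use `TEST_mem_eq` and `TEST_size_t_eq`; rewriting it as `TEST_mem_eq(exts, len * sizeof(*exts), expected_extensions, sizeof(expected_extensions))` gives the same length-plus-content check and a dump of both buffers on failure, and the renamed message string can then go. Worth a comment as well: the `return -1` on the first call is what produces the `SSL_ERROR_WANT_CLIENT_HELLO_CB` path exercised in `test_client_hello_cb`, and the pointers handed back by `SSL_client_hello_get0_ciphers` and `SSL_client_hello_get0_compression_methods` are borrowed views into the unauthenticated ClientHello, whereas `SSL_client_hello_get1_extensions_present` allocates (hence the `OPENSSL_free` on the mismatch path); the ownership asymmetry deserves a line so the next edit does not free the wrong one.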
@ -441,7 +442,7 @@ static int full_early_callback(SSL *s, int *al, void *arg)
return 1;
}
static int test_early_cb(void)
static int test_client_hello_cb(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@ -451,7 +452,7 @@ static int test_early_cb(void)
TLS_client_method(), &sctx,
&cctx, cert, privkey)))
goto end;
SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
/* The gimpy cipher list we configure can't do TLS 1.3. */
SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
@ -461,12 +462,13 @@ static int test_early_cb(void)
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
&clientssl, NULL, NULL))
|| !TEST_false(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_WANT_EARLY))
SSL_ERROR_WANT_CLIENT_HELLO_CB))
/*
* Passing a -1 literal is a hack since
* the real value was lost.
* */
|| !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
|| !TEST_int_eq(SSL_get_error(serverssl, -1),
SSL_ERROR_WANT_CLIENT_HELLO_CB)
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE)))
goto end;
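Review bot: `SSL_ERROR_WANT_EARLY` becomes `SSL_ERROR_WANT_CLIENT_HELLO_CB` here with no compatibility `#define` for the old spelling; that is acceptable only because the early callback never shipped in a release, and the CHANGES entry (not visible in this section) should say that the constant, `SSL_want_early` and the `SSL_early_*` accessors are gone rather than deprecated, for anyone building against 1.1.1 development snapshots. The comment on the `-1` literal would also benefit from saying why the hack is safe: the pending-callback state is recorded on the `SSL` object and `SSL_get_error` reports it for any non-positive return value, so the test does not depend on the real return value that was lost.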
@ -3123,7 +3125,7 @@ int setup_tests(void)
ADD_TEST(test_keylog_no_master_key);
#endif
#ifndef OPENSSL_NO_TLS1_2
ADD_TEST(test_early_cb);
ADD_TEST(test_client_hello_cb);
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);


@ -416,14 +416,14 @@ SSL_get_peer_signature_type_nid 416 1_1_1 EXIST::FUNCTION:
SSL_key_update 417 1_1_1 EXIST::FUNCTION:
SSL_get_key_update_type 418 1_1_1 EXIST::FUNCTION:
SSL_bytes_to_cipher_list 419 1_1_1 EXIST::FUNCTION:
SSL_early_get0_compression_methods 420 1_1_1 EXIST::FUNCTION:
SSL_early_get0_ciphers 421 1_1_1 EXIST::FUNCTION:
SSL_early_get0_ext 422 1_1_1 EXIST::FUNCTION:
SSL_early_get0_session_id 423 1_1_1 EXIST::FUNCTION:
SSL_early_get0_random 424 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_early_cb 425 1_1_1 EXIST::FUNCTION:
SSL_early_get0_legacy_version 426 1_1_1 EXIST::FUNCTION:
SSL_early_isv2 427 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_compression_methods 420 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_ciphers 421 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_ext 422 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_session_id 423 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_random 424 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_client_hello_cb 425 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get0_legacy_version 426 1_1_1 EXIST::FUNCTION:
SSL_client_hello_isv2 427 1_1_1 EXIST::FUNCTION:
SSL_set_max_early_data 428 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_max_early_data 429 1_1_1 EXIST::FUNCTION:
SSL_get_max_early_data 430 1_1_1 EXIST::FUNCTION:
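Review bot: the renamed exports keep their existing ordinals (420 to 427 here and 454 in the next hunk) rather than being appended as new entries, and the old `SSL_early_*` names are dropped with no `NOEXIST` or alias lines; both are correct only because the `1_1_1` symbols have not been released, so there is no ABI to preserve. Please confirm the file came from `make update` rather than a hand edit, since the ordinals are derived from the headers and a hand edit that disagrees with `ssl.h` shows up as a spurious ordinal change on the next regeneration.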
@ -450,7 +450,7 @@ SSL_set_block_padding 450 1_1_1 EXIST::FUNCTION:
SSL_set_record_padding_callback_arg 451 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_record_padding_callback_arg 452 1_1_1 EXIST::FUNCTION:
SSL_CTX_use_serverinfo_ex 453 1_1_1 EXIST::FUNCTION:
SSL_early_get1_extensions_present 454 1_1_1 EXIST::FUNCTION:
SSL_client_hello_get1_extensions_present 454 1_1_1 EXIST::FUNCTION:
SSL_set_psk_find_session_callback 455 1_1_1 EXIST::FUNCTION:
SSL_set_psk_use_session_callback 456 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_psk_use_session_callback 457 1_1_1 EXIST::FUNCTION:


@ -36,7 +36,7 @@ OSSL_STORE_open_fn datatype
OSSL_STORE_post_process_info_fn datatype
RAND_poll_cb datatype
SSL_CTX_keylog_cb_func datatype
SSL_early_cb_fn datatype
SSL_client_hello_cb_fn datatype
SSL_psk_client_cb_func datatype
SSL_psk_find_session_cb_func datatype
SSL_psk_server_cb_func datatype
@ -349,7 +349,7 @@ SSL_set_tlsext_status_type define
SSL_set_tmp_dh define
SSL_want_async define
SSL_want_async_job define
SSL_want_early define
SSL_want_client_hello_cb define
SSL_want_nothing define
SSL_want_read define
SSL_want_write define