From a9c0d8beeae98355a2ef6ae1f0a9ba624be8bd54 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 7 Sep 2017 18:39:40 -0400 Subject: [PATCH] Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb. "Early callback" is a little ambiguous now that early data exists. Perhaps "ClientHello callback"? Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/4349) --- doc/man3/SSL_CIPHER_get_name.pod | 5 +- doc/man3/SSL_CTX_set_client_hello_cb.pod | 129 ++++++++++++++++++ doc/man3/SSL_CTX_set_early_cb.pod | 123 ----------------- ...SSL_CTX_set_tlsext_servername_callback.pod | 10 +- doc/man3/SSL_get_error.pod | 6 +- doc/man3/SSL_want.pod | 18 +-- include/openssl/ssl.h | 44 +++--- ssl/ssl_lib.c | 27 ++-- ssl/ssl_locl.h | 11 +- ssl/statem/statem_srvr.c | 10 +- test/handshake_helper.c | 42 +++--- test/ssl-tests/05-sni.conf | 90 ++++++------ test/ssl-tests/05-sni.conf.in | 12 +- test/ssl_test_ctx.c | 8 +- test/ssl_test_ctx.h | 6 +- test/sslapitest.c | 22 +-- util/libssl.num | 18 +-- util/private.num | 4 +- 18 files changed, 302 insertions(+), 283 deletions(-) create mode 100644 doc/man3/SSL_CTX_set_client_hello_cb.pod delete mode 100644 doc/man3/SSL_CTX_set_early_cb.pod diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod index c82be8e4e2..b23a38ba6a 100644 --- a/doc/man3/SSL_CIPHER_get_name.pod +++ b/doc/man3/SSL_CIPHER_get_name.pod 
@@ -97,8 +97,9 @@ ChaCha20/Poly1305), and 0 if it is not AEAD. SSL_CIPHER_find() returns a B structure which has the cipher ID stored in B. The B parameter is a two element array of B, which stores the two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter -is usually retrieved from a TLS packet by using functions like L. -SSL_CIPHER_find() returns NULL if an error occurs or the indicated cipher is not found. +is usually retrieved from a TLS packet by using functions like +L. SSL_CIPHER_find() returns NULL if an +error occurs or the indicated cipher is not found. SSL_CIPHER_get_id() returns the OpenSSL-specific ID of the given cipher B. That ID is not the same as the IANA-specific ID. diff --git a/doc/man3/SSL_CTX_set_client_hello_cb.pod b/doc/man3/SSL_CTX_set_client_hello_cb.pod new file mode 100644 index 0000000000..18bbc2938d --- /dev/null +++ b/doc/man3/SSL_CTX_set_client_hello_cb.pod 
@@ -0,0 +1,129 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext - callback functions for early server-side ClientHello processing + +=head1 SYNOPSIS + + typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg); + void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f, + void *arg); + int SSL_client_hello_isv2(SSL *s); + unsigned int SSL_client_hello_get0_legacy_version(SSL *s); + size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out); + size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out); + size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out); + size_t SSL_client_hello_get0_compression_methods(SSL *s, + const unsigned char **out); + int SSL_client_hello_get1_extensions_present(SSL *s, int **out, + size_t *outlen); + int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out, + size_t *outlen); + +=head1 DESCRIPTION + +SSL_CTX_set_client_hello_cb() sets the callback function, which is automatically +called during the early stages of ClientHello processing on the server. +The argument supplied when setting the callback is passed back to the +callback at runtime. A callback that returns failure (0) will cause the +connection to terminate, and callbacks returning failure should indicate +what alert value is to be sent in the B parameter. A callback may +also return a negative value to suspend the handshake, and the handshake +function will return immediately. L will return +SSL_ERROR_WANT_CLIENT_HELLO_CB to indicate that the handshake was suspended. +It is the job of the ClientHello callback to store information about the state +of the last call if needed to continue. 
On the next call into the handshake +function, the ClientHello callback will be called again, and, if it returns +success, normal handshake processing will continue from that point. + +SSL_client_hello_isv2() indicates whether the ClientHello was carried in a +SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial +differences from the normal SSLv3 format, including using three bytes per +cipher suite, and not allowing extensions. Additionally, the SSLv2 format +'challenge' field is exposed via SSL_client_hello_get0_random(), padded to +SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos, +SSL_client_hello_get0_compression_methods() returns a dummy list that only includes +the null compression method, since the SSLv2 format does not include a +mechanism by which to negotiate compression. + +SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(), +SSL_client_hello_get0_ciphers(), and +SSL_client_hello_get0_compression_methods() provide access to the corresponding +ClientHello fields, returning the field length and optionally setting an out +pointer to the octets of that field. + +Similarly, SSL_client_hello_get0_ext() provides access to individual extensions +from the ClientHello on a per-extension basis. For the provided wire +protocol extension type value, the extension value and length are returned +in the output parameters (if present). + +SSL_client_hello_get1_extensions_present() can be used prior to +SSL_client_hello_get0_ext(), to determine which extensions are present in the +ClientHello before querying for them. The B and B parameters are +both required, and on success the caller must release the storage allocated for +B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers +holding the numerical value of the TLS extension types in the order they appear +in the ClientHello. B<*outlen> contains the number of elements in the array. 
+ +=head1 NOTES + +The ClientHello callback provides a vast window of possibilities for application +code to affect the TLS handshake. A primary use of the callback is to +allow the server to examine the server name indication extension provided +by the client in order to select an appropriate certificate to present, +and make other configuration adjustments relevant to that server name +and its configuration. Such configuration changes can include swapping out +the associated SSL_CTX pointer, modifying the server's list of permitted TLS +versions, changing the server's cipher list in response to the client's +cipher list, etc. + +It is also recommended that applications utilize a ClientHello callback and +not use a servername callback, in order to avoid unexpected behavior that +occurs due to the relative order of processing between things like session +resumption and the historical servername callback. + +The SSL_client_hello_* family of functions may only be called from code executing +within a ClientHello callback. + +=head1 RETURN VALUES + +The application's supplied ClientHello callback returns 1 on success, 0 on failure, +and a negative value to suspend processing. + +SSL_client_hello_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise. + +SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(), +SSL_client_hello_get0_ciphers(), and +SSL_client_hello_get0_compression_methods() return the length of the +corresponding ClientHello fields. If zero is returned, the output pointer +should not be assumed to be valid. + +SSL_client_hello_get0_ext() returns 1 if the extension of type 'type' is present, and +0 otherwise. + +SSL_client_hello_get1_extensions_present() returns 1 on success and 0 on failure. 
+ +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +The SSL ClientHello callback, SSL_client_hello_isv2(), +SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(), +SSL_client_hello_get0_ciphers(), SSL_client_hello_get0_compression_methods(), +SSL_client_hello_get0_ext(), and SSL_client_hello_get1_extensions_present() +were added in OpenSSL 1.1.1. + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/SSL_CTX_set_early_cb.pod b/doc/man3/SSL_CTX_set_early_cb.pod deleted file mode 100644 index c2b4650a06..0000000000 --- a/doc/man3/SSL_CTX_set_early_cb.pod +++ /dev/null 
@@ -1,123 +0,0 @@ -=pod - -=head1 NAME - -SSL_CTX_set_early_cb, SSL_early_cb_fn, SSL_early_isv2, SSL_early_get0_legacy_version, SSL_early_get0_random, SSL_early_get0_session_id, SSL_early_get0_ciphers, SSL_early_get0_compression_methods, SSL_early_get1_extensions_present, SSL_early_get0_ext - callback functions for early server-side ClientHello processing - -=head1 SYNOPSIS - - typedef int (*SSL_early_cb_fn)(SSL *s, int *al, void *arg); - void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn *f, void *arg); - int SSL_early_isv2(SSL *s); - unsigned int SSL_early_get0_legacy_version(SSL *s); - size_t SSL_early_get0_random(SSL *s, const unsigned char **out); - size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out); - size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out); - size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out); - int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen); - int SSL_early_get0_ext(SSL *s, int type, const unsigned char **out, - size_t *outlen); - -=head1 DESCRIPTION - -SSL_CTX_set_early_cb() sets the callback function, which is automatically -called during the early stages of ClientHello processing on the server. -The argument supplied when setting the callback is passed back to the -callback at runtime. A callback that returns failure (0) will cause the -connection to terminate, and callbacks returning failure should indicate -what alert value is to be sent in the B parameter. A callback may -also return a negative value to suspend the handshake, and the handshake -function will return immediately. L will return -SSL_ERROR_WANT_EARLY to indicate that the handshake was suspended. -It is the job of the early callback to store information about the state -of the last call if needed to continue. On the next call into the handshake -function, the early callback will be called again, and, if it returns -success, normal handshake processing will continue from that point. 
- -SSL_early_isv2() indicates whether the ClientHello was carried in a -SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial -differences from the normal SSLv3 format, including using three bytes per -cipher suite, and not allowing extensions. Additionally, the SSLv2 format -'challenge' field is exposed via SSL_early_get0_random(), padded to -SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos, -SSL_early_get0_compression_methods() returns a dummy list that only includes -the null compression method, since the SSLv2 format does not include a -mechanism by which to negotiate compression. - -SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(), -and SSL_early_get0_compression_methods() provide access to the corresponding -ClientHello fields, returning the field length and optionally setting an -out pointer to the octets of that field. - -Similarly, SSL_early_get0_ext() provides access to individual extensions -from the ClientHello on a per-extension basis. For the provided wire -protocol extension type value, the extension value and length are returned -in the output parameters (if present). - -SSL_early_get1_extensions_present() can be used prior to SSL_early_get0_ext(), -to determine which extensions are present in the ClientHello before querying -for them. The B and B parameters are both required, and on -success the caller must release the storage allocated for B<*out> using -OPENSSL_free(). The contents of B<*out> is an array of integers holding the -numerical value of the TLS extension types in the order they appear in the -ClientHello. B<*outlen> contains the number of elements in the array. - -=head1 NOTES - -The early callback provides a vast window of possibilities for application -code to affect the TLS handshake. 
A primary use of the callback is to -allow the server to examine the server name indication extension provided -by the client in order to select an appropriate certificate to present, -and make other configuration adjustments relevant to that server name -and its configuration. Such configuration changes can include swapping out -the associated SSL_CTX pointer, modifying the server's list of permitted TLS -versions, changing the server's cipher list in response to the client's -cipher list, etc. - -It is also recommended that applications utilize an early callback and -not use a servername callback, in order to avoid unexpected behavior that -occurs due to the relative order of processing between things like session -resumption and the historical servername callback. - -The SSL_early_* family of functions may only be called from code executing -within an early callback. - -=head1 RETURN VALUES - -The application's supplied early callback returns 1 on success, 0 on failure, -and a negative value to suspend processing. - -SSL_early_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise. - -SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(), -and SSL_early_get0_compression_methods() return the length of the corresponding -ClientHello fields. If zero is returned, the output pointer should not be -assumed to be valid. - -SSL_early_get0_ext() returns 1 if the extension of type 'type' is present, and -0 otherwise. - -SSL_early_get1_extensions_present() returns 1 on success and 0 on failure. - -=head1 SEE ALSO - -L, L, -L - -=head1 HISTORY - -The SSL early callback, SSL_early_isv2(), SSL_early_get0_random(), -SSL_early_get0_session_id(), SSL_early_get0_ciphers(), -SSL_early_get0_compression_methods(), SSL_early_get0_ext(), and -SSL_early_get1_extensions_present() were added in OpenSSL 1.1.1. - -=head1 COPYRIGHT - -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the OpenSSL license (the "License"). 
You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod index 151de16079..b1fb5ab7d9 100644 --- a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod +++ b/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod @@ -21,8 +21,8 @@ SSL_set_tlsext_host_name - handle server name indication (SNI) =head1 DESCRIPTION -The functionality provided by the servername callback is superseded by -the early callback, which can be set using SSL_CTX_set_early_cb(). +The functionality provided by the servername callback is superseded by the +ClientHello callback, which can be set using SSL_CTX_set_client_hello_cb(). The servername callback is retained for historical compatibility. SSL_CTX_set_tlsext_servername_callback() sets the application callback B @@ -48,8 +48,8 @@ to B (defined in RFC3546). =head1 NOTES Several callbacks are executed during ClientHello processing, including -the early, ALPN, and servername callbacks. The early callback is executed -first, then the servername callback, followed by the ALPN callback. +the ClientHello, ALPN, and servername callbacks. The ClientHello callback is +executed first, then the servername callback, followed by the ALPN callback. The SSL_set_tlsext_host_name() function should only be called on SSL objects that will act as clients; otherwise the configured B will be ignored. @@ -63,7 +63,7 @@ SSL_set_tlsext_host_name() returns 1 on success, 0 in case of error. =head1 SEE ALSO L, L, -L, L +L, L =head1 COPYRIGHT diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index efa78ef099..4e26514a22 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod 
@@ -110,10 +110,10 @@ through a call to L. The application should retry the operation after a currently executing asynchronous operation for the current thread has completed. -=item SSL_ERROR_WANT_EARLY +=item SSL_ERROR_WANT_CLIENT_HELLO_CB The operation did not complete because an application callback set by -SSL_CTX_set_early_cb() has asked to be called again. +SSL_CTX_set_client_hello_cb() has asked to be called again. The TLS/SSL I/O function should be called again later. Details depend on the application. @@ -137,7 +137,7 @@ L =head1 HISTORY SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0. -SSL_ERROR_WANT_EARLY was added in OpenSSL 1.1.1. +SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1. =head1 COPYRIGHT diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod index ce21f4790f..ef4b2183e0 100644 --- a/doc/man3/SSL_want.pod +++ b/doc/man3/SSL_want.pod @@ -3,8 +3,8 @@ =head1 NAME SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup, -SSL_want_async, SSL_want_async_job, SSL_want_early - obtain state information -TLS/SSL I/O operation +SSL_want_async, SSL_want_async_job, SSL_want_client_hello_cb - obtain state +information TLS/SSL I/O operation =head1 SYNOPSIS @@ -17,7 +17,7 @@ TLS/SSL I/O operation int SSL_want_x509_lookup(const SSL *ssl); int SSL_want_async(const SSL *ssl); int SSL_want_async_job(const SSL *ssl); - int SSL_want_early(const SSL *ssl); + int SSL_want_client_hello_cb(const SSL *ssl); =head1 DESCRIPTION 
@@ -82,18 +82,18 @@ The asynchronous job could not be started because there were no async jobs available in the pool (see ASYNC_init_thread(3)). A call to L should return SSL_ERROR_WANT_ASYNC_JOB. -=item SSL_EARLY_WORK +=item SSL_CLIENT_HELLO_CB The operation did not complete because an application callback set by -SSL_CTX_set_early_cb() has asked to be called again. +SSL_CTX_set_client_hello_cb() has asked to be called again. A call to L should return -SSL_ERROR_WANT_EARLY. +SSL_ERROR_WANT_CLIENT_HELLO_CB. =back SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup(), -SSL_want_async(), SSL_want_async_job(), and SSL_want_early() return 1, when -the corresponding condition is true or 0 otherwise. +SSL_want_async(), SSL_want_async_job(), and SSL_want_client_hello_cb() return +1, when the corresponding condition is true or 0 otherwise. =head1 SEE ALSO @@ -101,7 +101,7 @@ L, L =head1 HISTORY -SSL_want_early() and SSL_EARLY_WORK were added in OpenSSL 1.1.1. +SSL_want_client_hello_cb() and SSL_CLIENT_HELLO_CB were added in OpenSSL 1.1.1. =head1 COPYRIGHT diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index da1fa0ff35..45d0083c58 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -844,16 +844,16 @@ __owur int SSL_extension_supported(unsigned int ext_type); # define SSL_X509_LOOKUP 4 # define SSL_ASYNC_PAUSED 5 # define SSL_ASYNC_NO_JOBS 6 -# define SSL_EARLY_WORK 7 +# define SSL_CLIENT_HELLO_CB 7 /* These will only be used when doing non-blocking IO */ -# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) -# define SSL_want_read(s) (SSL_want(s) == SSL_READING) -# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) -# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) -# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) -# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) -# define SSL_want_early(s) (SSL_want(s) == SSL_EARLY_WORK) +# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) +# define SSL_want_read(s) (SSL_want(s) == SSL_READING) +# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) +# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) +# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) +# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) +# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB) # define SSL_MAC_FLAG_READ_MAC_STREAM 1 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 @@ -1135,7 +1135,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_ERROR_WANT_ACCEPT 8 # define SSL_ERROR_WANT_ASYNC 9 # define SSL_ERROR_WANT_ASYNC_JOB 10 -# define SSL_ERROR_WANT_EARLY 11 +# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11 # define SSL_CTRL_SET_TMP_DH 3 # define SSL_CTRL_SET_TMP_ECDH 4 # define SSL_CTRL_SET_TMP_DH_CB 6 
@@ -1697,19 +1697,21 @@ __owur char *SSL_get_srp_userinfo(SSL *s); # endif /* - * Early callback and helpers. + * ClientHello callback and helpers. */ -typedef int (*SSL_early_cb_fn) (SSL *s, int *al, void *arg); -void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg); -int SSL_early_isv2(SSL *s); -unsigned int SSL_early_get0_legacy_version(SSL *s); -size_t SSL_early_get0_random(SSL *s, const unsigned char **out); -size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out); -size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out); -size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out); -int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen); -int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, - size_t *outlen); +typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg); +void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, + void *arg); +int SSL_client_hello_isv2(SSL *s); +unsigned int SSL_client_hello_get0_legacy_version(SSL *s); +size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out); +size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out); +size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out); +size_t SSL_client_hello_get0_compression_methods(SSL *s, + const unsigned char **out); +int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen); +int SSL_client_hello_get0_ext(SSL *s, unsigned int type, + const unsigned char **out, size_t *outlen); void SSL_certs_clear(SSL *s); void SSL_free(SSL *ssl); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 70f4acf027..a909a57eb8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -3301,8 +3301,8 @@ int SSL_get_error(const SSL *s, int i) return SSL_ERROR_WANT_ASYNC; if (SSL_want_async_job(s)) return SSL_ERROR_WANT_ASYNC_JOB; - if (SSL_want_early(s)) - return SSL_ERROR_WANT_EARLY; + if (SSL_want_client_hello_cb(s)) + return SSL_ERROR_WANT_CLIENT_HELLO_CB; if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) @@ -4700,27 +4700,28 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) #endif /* OPENSSL_NO_CT */ -void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg) +void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, + void *arg) { - c->early_cb = cb; - c->early_cb_arg = arg; + c->client_hello_cb = cb; + c->client_hello_cb_arg = arg; } -int SSL_early_isv2(SSL *s) +int SSL_client_hello_isv2(SSL *s) { if (s->clienthello == NULL) return 0; return s->clienthello->isv2; } -unsigned int SSL_early_get0_legacy_version(SSL *s) +unsigned int SSL_client_hello_get0_legacy_version(SSL *s) { if (s->clienthello == NULL) return 0; return s->clienthello->legacy_version; } -size_t SSL_early_get0_random(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4729,7 +4730,7 @@ size_t SSL_early_get0_random(SSL *s, const unsigned char **out) return SSL3_RANDOM_SIZE; } -size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4738,7 +4739,7 @@ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out) return s->clienthello->session_id_len; } -size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; 
@@ -4747,7 +4748,7 @@ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out) return PACKET_remaining(&s->clienthello->ciphersuites); } -size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4756,7 +4757,7 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) return s->clienthello->compressions_len; } -int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen) +int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) { RAW_EXTENSION *ext; int *present; @@ -4788,7 +4789,7 @@ int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen) return 0; } -int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, +int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, size_t *outlen) { size_t i; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 59fba61a99..64d5e720e1 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -877,9 +877,9 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; # endif - /* Early callback. Mostly for extensions, but not entirely. */ - SSL_early_cb_fn early_cb; - void *early_cb_arg; + /* ClientHello callback. Mostly for extensions, but not entirely. */ + SSL_client_hello_cb_fn client_hello_cb; + void *client_hello_cb_arg; /* TLS extensions. */ struct { @@ -1252,7 +1252,10 @@ struct ssl_st { size_t tls13_cookie_len; } ext; - /* Parsed form of the ClientHello, kept around across early_cb calls. */ + /* + * Parsed form of the ClientHello, kept around across client_hello_cb + * calls. + */ CLIENTHELLO_MSG *clienthello; /*- diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d2f8f90109..360cd1c20b 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -1430,15 +1430,15 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) DOWNGRADE dgrd = DOWNGRADE_NONE; /* Finished parsing the ClientHello, now we can start processing it */ - /* Give the early callback a crack at things */ - if (s->ctx->early_cb != NULL) { + /* Give the ClientHello callback a crack at things */ + if (s->ctx->client_hello_cb != NULL) { int code; - /* A failure in the early callback terminates the connection. */ - code = s->ctx->early_cb(s, &al, s->ctx->early_cb_arg); + /* A failure in the ClientHello callback terminates the connection. */ + code = s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg); if (code == 0) goto err; if (code < 0) { - s->rwstate = SSL_EARLY_WORK; + s->rwstate = SSL_CLIENT_HELLO_CB; return code; } } diff --git a/test/handshake_helper.c b/test/handshake_helper.c index dc020d9027..5e5c311cf3 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -137,7 +137,7 @@ static int select_server_ctx(SSL *s, void *arg, int ignore) } } -static int early_select_server_ctx(SSL *s, void *arg, int ignore) +static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore) { const char *servername; const unsigned char *p; @@ -149,7 +149,8 @@ static int early_select_server_ctx(SSL *s, void *arg, int ignore) * The server_name extension was given too much extensibility when it * was written, so parsing the normal case is a bit complex. */ - if (!SSL_early_get0_ext(s, TLSEXT_TYPE_server_name, &p, &remaining) || + if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p, + &remaining) || remaining <= 2) return 0; /* Extract the length of the supplied list of names. */ 
@@ -219,44 +220,44 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg) return select_server_ctx(s, arg, 0); } -static int early_ignore_cb(SSL *s, int *al, void *arg) +static int client_hello_ignore_cb(SSL *s, int *al, void *arg) { - if (!early_select_server_ctx(s, arg, 1)) { + if (!client_hello_select_server_ctx(s, arg, 1)) { *al = SSL_AD_UNRECOGNIZED_NAME; return 0; } return 1; } -static int early_reject_cb(SSL *s, int *al, void *arg) +static int client_hello_reject_cb(SSL *s, int *al, void *arg) { - if (!early_select_server_ctx(s, arg, 0)) { + if (!client_hello_select_server_ctx(s, arg, 0)) { *al = SSL_AD_UNRECOGNIZED_NAME; return 0; } return 1; } -static int early_nov12_cb(SSL *s, int *al, void *arg) +static int client_hello_nov12_cb(SSL *s, int *al, void *arg) { int ret; unsigned int v; const unsigned char *p; - v = SSL_early_get0_legacy_version(s); + v = SSL_client_hello_get0_legacy_version(s); if (v > TLS1_2_VERSION || v < SSL3_VERSION) { *al = SSL_AD_PROTOCOL_VERSION; return 0; } - (void)SSL_early_get0_session_id(s, &p); + (void)SSL_client_hello_get0_session_id(s, &p); if (p == NULL || - SSL_early_get0_random(s, &p) == 0 || - SSL_early_get0_ciphers(s, &p) == 0 || - SSL_early_get0_compression_methods(s, &p) == 0) { + SSL_client_hello_get0_random(s, &p) == 0 || + SSL_client_hello_get0_ciphers(s, &p) == 0 || + SSL_client_hello_get0_compression_methods(s, &p) == 0) { *al = SSL_AD_INTERNAL_ERROR; return 0; } - ret = early_select_server_ctx(s, arg, 0); + ret = client_hello_select_server_ctx(s, arg, 0); SSL_set_max_proto_version(s, TLS1_1_VERSION); if (!ret) *al = SSL_AD_UNRECOGNIZED_NAME; 
@@ -489,7 +490,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, /* * Link the two contexts for SNI purposes. - * Also do early callbacks here, as setting both early and SNI is bad. + * Also do ClientHello callbacks here, as setting both ClientHello and SNI + * is bad. */ switch (extra->server.servername_callback) { case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: @@ -502,14 +504,14 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, break; case SSL_TEST_SERVERNAME_CB_NONE: break; - case SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH: - SSL_CTX_set_early_cb(server_ctx, early_ignore_cb, server2_ctx); + case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH: + SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx); break; - case SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH: - SSL_CTX_set_early_cb(server_ctx, early_reject_cb, server2_ctx); + case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH: + SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx); break; - case SSL_TEST_SERVERNAME_EARLY_NO_V12: - SSL_CTX_set_early_cb(server_ctx, early_nov12_cb, server2_ctx); + case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12: + SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx); } if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { diff --git a/test/ssl-tests/05-sni.conf b/test/ssl-tests/05-sni.conf index d5d350e399..a6c7f43911 100644 --- a/test/ssl-tests/05-sni.conf +++ b/test/ssl-tests/05-sni.conf 
@@ -8,9 +8,9 @@ test-2 = 2-SNI-no-server-support test-3 = 3-SNI-no-client-support test-4 = 4-SNI-bad-sni-ignore-mismatch test-5 = 5-SNI-bad-sni-reject-mismatch -test-6 = 6-SNI-bad-early-sni-ignore-mismatch -test-7 = 7-SNI-bad-early-sni-reject-mismatch -test-8 = 8-SNI-early-disable-v12 +test-6 = 6-SNI-bad-clienthello-sni-ignore-mismatch +test-7 = 7-SNI-bad-clienthello-sni-reject-mismatch +test-8 = 8-SNI-clienthello-disable-v12 # =========================================================== [0-SNI-switch-context] @@ -206,20 +206,20 @@ ServerName = invalid # =========================================================== -[6-SNI-bad-early-sni-ignore-mismatch] -ssl_conf = 6-SNI-bad-early-sni-ignore-mismatch-ssl +[6-SNI-bad-clienthello-sni-ignore-mismatch] +ssl_conf = 6-SNI-bad-clienthello-sni-ignore-mismatch-ssl -[6-SNI-bad-early-sni-ignore-mismatch-ssl] -server = 6-SNI-bad-early-sni-ignore-mismatch-server -client = 6-SNI-bad-early-sni-ignore-mismatch-client -server2 = 6-SNI-bad-early-sni-ignore-mismatch-server +[6-SNI-bad-clienthello-sni-ignore-mismatch-ssl] +server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server +client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client +server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server -[6-SNI-bad-early-sni-ignore-mismatch-server] +[6-SNI-bad-clienthello-sni-ignore-mismatch-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-SNI-bad-early-sni-ignore-mismatch-client] +[6-SNI-bad-clienthello-sni-ignore-mismatch-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -227,33 +227,33 @@ VerifyMode = Peer [test-6] ExpectedResult = Success ExpectedServerName = server1 -server = 6-SNI-bad-early-sni-ignore-mismatch-server-extra -server2 = 6-SNI-bad-early-sni-ignore-mismatch-server-extra -client = 6-SNI-bad-early-sni-ignore-mismatch-client-extra +server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra +server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra +client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra -[6-SNI-bad-early-sni-ignore-mismatch-server-extra] -ServerNameCallback = EarlyIgnoreMismatch +[6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra] +ServerNameCallback = ClientHelloIgnoreMismatch -[6-SNI-bad-early-sni-ignore-mismatch-client-extra] +[6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra] ServerName = invalid # =========================================================== -[7-SNI-bad-early-sni-reject-mismatch] -ssl_conf = 7-SNI-bad-early-sni-reject-mismatch-ssl +[7-SNI-bad-clienthello-sni-reject-mismatch] +ssl_conf = 7-SNI-bad-clienthello-sni-reject-mismatch-ssl -[7-SNI-bad-early-sni-reject-mismatch-ssl] -server = 7-SNI-bad-early-sni-reject-mismatch-server -client = 7-SNI-bad-early-sni-reject-mismatch-client -server2 = 7-SNI-bad-early-sni-reject-mismatch-server +[7-SNI-bad-clienthello-sni-reject-mismatch-ssl] +server = 7-SNI-bad-clienthello-sni-reject-mismatch-server +client = 7-SNI-bad-clienthello-sni-reject-mismatch-client +server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server -[7-SNI-bad-early-sni-reject-mismatch-server] +[7-SNI-bad-clienthello-sni-reject-mismatch-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-SNI-bad-early-sni-reject-mismatch-client] +[7-SNI-bad-clienthello-sni-reject-mismatch-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -261,33 +261,33 @@ VerifyMode = Peer [test-7] ExpectedResult = ServerFail ExpectedServerAlert = UnrecognizedName -server = 7-SNI-bad-early-sni-reject-mismatch-server-extra -server2 = 7-SNI-bad-early-sni-reject-mismatch-server-extra -client = 7-SNI-bad-early-sni-reject-mismatch-client-extra +server = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra +server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra +client = 7-SNI-bad-clienthello-sni-reject-mismatch-client-extra -[7-SNI-bad-early-sni-reject-mismatch-server-extra] -ServerNameCallback = EarlyRejectMismatch +[7-SNI-bad-clienthello-sni-reject-mismatch-server-extra] +ServerNameCallback = ClientHelloRejectMismatch -[7-SNI-bad-early-sni-reject-mismatch-client-extra] +[7-SNI-bad-clienthello-sni-reject-mismatch-client-extra] ServerName = invalid # =========================================================== -[8-SNI-early-disable-v12] -ssl_conf = 8-SNI-early-disable-v12-ssl +[8-SNI-clienthello-disable-v12] +ssl_conf = 8-SNI-clienthello-disable-v12-ssl -[8-SNI-early-disable-v12-ssl] -server = 8-SNI-early-disable-v12-server -client = 8-SNI-early-disable-v12-client -server2 = 8-SNI-early-disable-v12-server +[8-SNI-clienthello-disable-v12-ssl] +server = 8-SNI-clienthello-disable-v12-server +client = 8-SNI-clienthello-disable-v12-client +server2 = 8-SNI-clienthello-disable-v12-server -[8-SNI-early-disable-v12-server] +[8-SNI-clienthello-disable-v12-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-SNI-early-disable-v12-client] +[8-SNI-clienthello-disable-v12-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -295,14 +295,14 @@ VerifyMode = Peer [test-8] ExpectedProtocol = TLSv1.1 ExpectedServerName = server2 -server = 8-SNI-early-disable-v12-server-extra -server2 = 8-SNI-early-disable-v12-server-extra -client = 8-SNI-early-disable-v12-client-extra +server = 8-SNI-clienthello-disable-v12-server-extra +server2 = 8-SNI-clienthello-disable-v12-server-extra +client = 8-SNI-clienthello-disable-v12-client-extra -[8-SNI-early-disable-v12-server-extra] -ServerNameCallback = EarlyNoV12 +[8-SNI-clienthello-disable-v12-server-extra] +ServerNameCallback = ClientHelloNoV12 -[8-SNI-early-disable-v12-client-extra] +[8-SNI-clienthello-disable-v12-client-extra] ServerName = server2 diff --git a/test/ssl-tests/05-sni.conf.in b/test/ssl-tests/05-sni.conf.in index 63b295dac8..a993a3421a 100644 --- a/test/ssl-tests/05-sni.conf.in +++ b/test/ssl-tests/05-sni.conf.in @@ -111,10 +111,10 @@ our @tests = ( }, }, { - name => "SNI-bad-early-sni-ignore-mismatch", + name => "SNI-bad-clienthello-sni-ignore-mismatch", server => { extra => { - "ServerNameCallback" => "EarlyIgnoreMismatch", + "ServerNameCallback" => "ClientHelloIgnoreMismatch", }, }, client => { @@ -128,10 +128,10 @@ our @tests = ( }, }, { - name => "SNI-bad-early-sni-reject-mismatch", + name => "SNI-bad-clienthello-sni-reject-mismatch", server => { extra => { - "ServerNameCallback" => "EarlyRejectMismatch", + "ServerNameCallback" => "ClientHelloRejectMismatch", }, }, client => { @@ -148,10 +148,10 @@ our @tests = ( our @tests_tls_1_1 = ( { - name => "SNI-early-disable-v12", + name => "SNI-clienthello-disable-v12", server => { extra => { - "ServerNameCallback" => "EarlyNoV12", + "ServerNameCallback" => "ClientHelloNoV12", }, }, client => { diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c index 0be68c7e3c..d669d0d81c 100644 --- a/test/ssl_test_ctx.c +++ b/test/ssl_test_ctx.c 
@@ -238,9 +238,11 @@ static const test_enum ssl_servername_callbacks[] = { {"None", SSL_TEST_SERVERNAME_CB_NONE}, {"IgnoreMismatch", SSL_TEST_SERVERNAME_IGNORE_MISMATCH}, {"RejectMismatch", SSL_TEST_SERVERNAME_REJECT_MISMATCH}, - {"EarlyIgnoreMismatch", SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH}, - {"EarlyRejectMismatch", SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH}, - {"EarlyNoV12", SSL_TEST_SERVERNAME_EARLY_NO_V12}, + {"ClientHelloIgnoreMismatch", + SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH}, + {"ClientHelloRejectMismatch", + SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH}, + {"ClientHelloNoV12", SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12}, }; __owur static int parse_servername_callback(SSL_TEST_SERVER_CONF *server_conf, diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index ebeddde3d7..5eff75cfa1 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -39,9 +39,9 @@ typedef enum { SSL_TEST_SERVERNAME_CB_NONE = 0, /* Default */ SSL_TEST_SERVERNAME_IGNORE_MISMATCH, SSL_TEST_SERVERNAME_REJECT_MISMATCH, - SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH, - SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH, - SSL_TEST_SERVERNAME_EARLY_NO_V12 + SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH, + SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH, + SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12 } ssl_servername_callback_t; typedef enum { diff --git a/test/sslapitest.c b/test/sslapitest.c index 858f28b722..7437020d58 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -401,7 +401,7 @@ end: #endif #ifndef OPENSSL_NO_TLS1_2 -static int full_early_callback(SSL *s, int *al, void *arg) +static int full_client_hello_callback(SSL *s, int *al, void *arg) { int *ctr = arg; const unsigned char *p; 
@@ -424,16 +424,17 @@ static int full_early_callback(SSL *s, int *al, void *arg) if ((*ctr)++ == 0) return -1; - len = SSL_early_get0_ciphers(s, &p); + len = SSL_client_hello_get0_ciphers(s, &p); if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) - || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1) + || !TEST_size_t_eq( + SSL_client_hello_get0_compression_methods(s, &p), 1) || !TEST_int_eq(*p, 0)) return 0; - if (!SSL_early_get1_extensions_present(s, &exts, &len)) + if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) return 0; if (len != OSSL_NELEM(expected_extensions) || memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { - printf("Early callback expected ClientHello extensions mismatch\n"); + printf("ClientHello callback expected extensions mismatch\n"); OPENSSL_free(exts); return 0; } @@ -441,7 +442,7 @@ static int full_early_callback(SSL *s, int *al, void *arg) return 1; } -static int test_early_cb(void) +static int test_client_hello_cb(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -451,7 +452,7 @@ static int test_early_cb(void) TLS_client_method(), &sctx, &cctx, cert, privkey))) goto end; - SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr); + SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); /* The gimpy cipher list we configure can't do TLS 1.3. */ SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 
@@ -461,12 +462,13 @@ static int test_early_cb(void) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) || !TEST_false(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_WANT_EARLY)) + SSL_ERROR_WANT_CLIENT_HELLO_CB)) /* * Passing a -1 literal is a hack since * the real value was lost. * */ - || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY) + || !TEST_int_eq(SSL_get_error(serverssl, -1), + SSL_ERROR_WANT_CLIENT_HELLO_CB) || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; @@ -3123,7 +3125,7 @@ int setup_tests(void) ADD_TEST(test_keylog_no_master_key); #endif #ifndef OPENSSL_NO_TLS1_2 - ADD_TEST(test_early_cb); + ADD_TEST(test_client_hello_cb); #endif #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 3); diff --git a/util/libssl.num b/util/libssl.num index efbd079f4b..1d8f8ab525 100644 --- a/util/libssl.num +++ b/util/libssl.num 
@@ -416,14 +416,14 @@ SSL_get_peer_signature_type_nid 416 1_1_1 EXIST::FUNCTION: SSL_key_update 417 1_1_1 EXIST::FUNCTION: SSL_get_key_update_type 418 1_1_1 EXIST::FUNCTION: SSL_bytes_to_cipher_list 419 1_1_1 EXIST::FUNCTION: -SSL_early_get0_compression_methods 420 1_1_1 EXIST::FUNCTION: -SSL_early_get0_ciphers 421 1_1_1 EXIST::FUNCTION: -SSL_early_get0_ext 422 1_1_1 EXIST::FUNCTION: -SSL_early_get0_session_id 423 1_1_1 EXIST::FUNCTION: -SSL_early_get0_random 424 1_1_1 EXIST::FUNCTION: -SSL_CTX_set_early_cb 425 1_1_1 EXIST::FUNCTION: -SSL_early_get0_legacy_version 426 1_1_1 EXIST::FUNCTION: -SSL_early_isv2 427 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_compression_methods 420 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_ciphers 421 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_ext 422 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_session_id 423 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_random 424 1_1_1 EXIST::FUNCTION: +SSL_CTX_set_client_hello_cb 425 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get0_legacy_version 426 1_1_1 EXIST::FUNCTION: +SSL_client_hello_isv2 427 1_1_1 EXIST::FUNCTION: SSL_set_max_early_data 428 1_1_1 EXIST::FUNCTION: SSL_CTX_set_max_early_data 429 1_1_1 EXIST::FUNCTION: SSL_get_max_early_data 430 1_1_1 EXIST::FUNCTION: @@ -450,7 +450,7 @@ SSL_set_block_padding 450 1_1_1 EXIST::FUNCTION: SSL_set_record_padding_callback_arg 451 1_1_1 EXIST::FUNCTION: SSL_CTX_set_record_padding_callback_arg 452 1_1_1 EXIST::FUNCTION: SSL_CTX_use_serverinfo_ex 453 1_1_1 EXIST::FUNCTION: -SSL_early_get1_extensions_present 454 1_1_1 EXIST::FUNCTION: +SSL_client_hello_get1_extensions_present 454 1_1_1 EXIST::FUNCTION: SSL_set_psk_find_session_callback 455 1_1_1 EXIST::FUNCTION: SSL_set_psk_use_session_callback 456 1_1_1 EXIST::FUNCTION: SSL_CTX_set_psk_use_session_callback 457 1_1_1 EXIST::FUNCTION: diff --git a/util/private.num b/util/private.num index 242de12e5f..d705613a0c 100644 --- a/util/private.num +++ b/util/private.num 
@@ -36,7 +36,7 @@ OSSL_STORE_open_fn datatype OSSL_STORE_post_process_info_fn datatype RAND_poll_cb datatype SSL_CTX_keylog_cb_func datatype -SSL_early_cb_fn datatype +SSL_client_hello_cb_fn datatype SSL_psk_client_cb_func datatype SSL_psk_find_session_cb_func datatype SSL_psk_server_cb_func datatype @@ -349,7 +349,7 @@ SSL_set_tlsext_status_type define SSL_set_tmp_dh define SSL_want_async define SSL_want_async_job define -SSL_want_early define +SSL_want_client_hello_cb define SSL_want_nothing define SSL_want_read define SSL_want_write define
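Review bot: the rewritten comment in the test/handshake_helper.c hunk at @@ -489,7 +490,8 @@ still only says that setting both a ClientHello callback and an SNI callback "is bad" without saying why; since these lines are being touched anyway, state the actual conflict (both paths steer the handshake to server2_ctx, which is passed as the callback argument in the following switch) so that a later test author does not combine the two settings.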
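Review bot: the three new SSL_CTX_set_client_hello_cb(server_ctx, client_hello_..._cb, server2_ctx); lines in the test/handshake_helper.c hunk at @@ -502,14 +504,14 @@ run past 80 columns (the longer function and callback names add about eight characters to lines that were already near the limit); wrap them as the sslapitest.c hunk does for TEST_size_t_eq, and while here consider adding a trailing break; to the SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12 case so the switch does not rely on it being last.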
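Review bot: the test/ssl-tests/05-sni.conf hunks are a generated file, with the source being the test/ssl-tests/05-sni.conf.in hunks later in the patch; please confirm the .conf was regenerated from the .in rather than hand-edited, since the section names (6-SNI-bad-clienthello-sni-ignore-mismatch and friends) must match what the generator produces from name => "SNI-bad-clienthello-sni-ignore-mismatch". The ExpectedResult, ExpectedServerAlert, ExpectedProtocol and ExpectedServerName lines are untouched, so the three renamed tests keep their original pass, reject and downgrade-to-TLSv1.1 expectations.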
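Review bot: in the test/sslapitest.c hunk at @@ -424,16 +424,17 @@ the mismatch report is still a bare printf("ClientHello callback expected extensions mismatch\n") while the surrounding checks use the TEST_* helpers; since the string is being changed anyway, route it through TEST_error so the failure is reported by the test framework rather than to stdout.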
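Review bot: the util/libssl.num hunks rename SSL_early_* to SSL_client_hello_* in place, keeping the ordinals 420 to 427 and 454 and the 1_1_1 tag, and util/private.num likewise renames SSL_early_cb_fn and SSL_want_early with no compatibility entries; that is only safe while 1.1.1 is unreleased, so if any pre-release consumer of the SSL_early_* names matters, keep the old names as compatibility macros in include/openssl/ssl.h rather than dropping them outright.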