mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-03 05:41:46 +08:00
Code Issues Packages Projects Releases Wiki Activity
6b1bb98fad
openssl/doc/man3
History
Benjamin Kaduk 6b1bb98fad Add SSL_CTX early callback 
Provide a callback interface that gives the application the ability
to adjust the nascent SSL object at the earliest stage of ClientHello
processing, immediately after extensions have been collected but
before they have been processed.

This is akin to BoringSSL's "select_certificate_cb" (though it is not
API compatible), and as the name indicates, one major use is to examine
the supplied server name indication and select what certificate to
present to the client.  However, it can also be used to make more
sweeping configuration changes to the SSL object according to the
selected server identity and configuration.  That may include adjusting
the permitted TLS versions, swapping out the SSL_CTX object (as is
traditionally done in a tlsext_servername_callback), changing the
server's cipher list, and more.

We also wish to allow an early callback to indicate that it needs to perform
additional work asynchronously and resume processing later.  To that effect,
refactor the second half of tls_process_client_hello() into a subroutine to be
called at the post-processing stage (including the early callback itself), to
allow the callback to result in remaining in the same work stage for a later
call to succeed.  This requires allocating for and storing the CLIENTHELLO_MSG
in the SSL object to be preserved across such calls, but the storage is
reclaimed after ClientHello processing finishes.

Information about the CliehtHello is available to the callback by means of
accessor functions that can only be used from the early callback.  This allows
extensions to make use of the existing internal parsing machinery without
exposing structure internals (e.g., of PACKET), so that applications do not
have to write fragile parsing code.

Applications are encouraged to utilize an early callback and not use
a servername_callback, in order to avoid unexpected behavior that
occurs due to the relative order of processing between things like
session resumption and the historical servername callback.

Also tidy up nearby style by removing unnecessary braces around one-line
conditional bodies.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-23 19:40:26 +01:00
..
ASN1_generate_nconf.pod
ASN1_INTEGER_get_int64.pod
ASN1_ITEM_lookup.pod
ASN1_OBJECT_new.pod
ASN1_STRING_length.pod
ASN1_STRING_new.pod
ASN1_STRING_print_ex.pod
ASN1_TIME_set.pod
ASN1_TYPE_get.pod
ASYNC_start_job.pod
ASYNC_WAIT_CTX_new.pod
BF_encrypt.pod
BIO_ADDR.pod
BIO_ADDRINFO.pod
BIO_connect.pod
BIO_ctrl.pod
BIO_f_base64.pod
BIO_f_buffer.pod
BIO_f_cipher.pod
BIO_f_md.pod
BIO_f_null.pod
BIO_f_ssl.pod
BIO_find_type.pod
BIO_get_data.pod
BIO_get_ex_new_index.pod
BIO_meth_new.pod
BIO_new_CMS.pod
BIO_new.pod
BIO_parse_hostserv.pod
BIO_push.pod
BIO_read.pod
BIO_s_accept.pod
BIO_s_bio.pod
BIO_s_connect.pod
BIO_s_fd.pod
BIO_s_file.pod
BIO_s_mem.pod
BIO_s_null.pod
BIO_s_socket.pod
BIO_set_callback.pod
BIO_should_retry.pod
BN_add_word.pod
BN_add.pod
BN_BLINDING_new.pod
BN_bn2bin.pod
BN_cmp.pod
BN_copy.pod
BN_CTX_new.pod
BN_CTX_start.pod
BN_generate_prime.pod
BN_mod_inverse.pod
BN_mod_mul_montgomery.pod
BN_mod_mul_reciprocal.pod
BN_new.pod
BN_num_bytes.pod
BN_rand.pod
BN_set_bit.pod
BN_swap.pod
BN_zero.pod
BUF_MEM_new.pod
CMS_add0_cert.pod
CMS_add1_recipient_cert.pod
CMS_add1_signer.pod
CMS_compress.pod
CMS_decrypt.pod
CMS_encrypt.pod
CMS_final.pod
CMS_get0_RecipientInfos.pod
CMS_get0_SignerInfos.pod
CMS_get0_type.pod
CMS_get1_ReceiptRequest.pod
CMS_sign_receipt.pod
CMS_sign.pod
CMS_uncompress.pod
CMS_verify_receipt.pod
CMS_verify.pod
CONF_modules_free.pod
CONF_modules_load_file.pod
CRYPTO_get_ex_new_index.pod
CRYPTO_THREAD_run_once.pod
CT_POLICY_EVAL_CTX_new.pod
CTLOG_new.pod
CTLOG_STORE_get0_log_by_id.pod
CTLOG_STORE_new.pod
d2i_DHparams.pod
d2i_Netscape_RSA.pod
d2i_PKCS8PrivateKey_bio.pod
d2i_PrivateKey.pod
d2i_SSL_SESSION.pod
d2i_X509.pod
DEFINE_STACK_OF.pod
DES_random_key.pod DES keys are not 7 days long. 2017-02-13 11:50:44 +01:00
DH_generate_key.pod
DH_generate_parameters.pod Document DH_check_params() 2017-01-26 10:54:01 +00:00
DH_get0_pqg.pod
DH_get_1024_160.pod
DH_meth_new.pod
DH_new.pod
DH_set_method.pod
DH_size.pod
DSA_do_sign.pod
DSA_dup_DH.pod
DSA_generate_key.pod
DSA_generate_parameters.pod
DSA_get0_pqg.pod
DSA_meth_new.pod
DSA_new.pod
DSA_set_method.pod
DSA_SIG_new.pod
DSA_sign.pod
DSA_size.pod
DTLS_get_data_mtu.pod
DTLSv1_listen.pod
EC_GFp_simple_method.pod
EC_GROUP_copy.pod
EC_GROUP_new.pod
EC_KEY_get_enc_flags.pod
EC_KEY_new.pod
EC_POINT_add.pod
EC_POINT_new.pod
ECDSA_SIG_new.pod correct 3 mistakes 2017-01-19 12:45:04 -05:00
ECPKParameters_print.pod
ENGINE_add.pod
ERR_clear_error.pod
ERR_error_string.pod
ERR_get_error.pod
ERR_GET_LIB.pod
ERR_load_crypto_strings.pod
ERR_load_strings.pod
ERR_print_errors.pod
ERR_put_error.pod
ERR_remove_state.pod
ERR_set_mark.pod
EVP_BytesToKey.pod
EVP_CIPHER_CTX_get_cipher_data.pod
EVP_CIPHER_meth_new.pod
EVP_DigestInit.pod Few nit's 2017-01-25 09:06:34 +00:00
EVP_DigestSignInit.pod
EVP_DigestVerifyInit.pod
EVP_EncodeInit.pod
EVP_EncryptInit.pod
EVP_MD_meth_new.pod
EVP_OpenInit.pod
EVP_PKEY_cmp.pod
EVP_PKEY_CTX_ctrl.pod Add support for parameterized SipHash 2017-02-01 14:14:36 -05:00
EVP_PKEY_CTX_new.pod
EVP_PKEY_CTX_set_hkdf_md.pod
EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod Defines and strings for special salt length values, add tests 2017-01-18 15:04:49 +00:00
EVP_PKEY_CTX_set_tls1_prf_md.pod
EVP_PKEY_decrypt.pod
EVP_PKEY_derive.pod
EVP_PKEY_encrypt.pod
EVP_PKEY_get_default_digest_nid.pod
EVP_PKEY_keygen.pod
EVP_PKEY_new.pod
EVP_PKEY_print_private.pod
EVP_PKEY_set1_RSA.pod
EVP_PKEY_sign.pod
EVP_PKEY_verify_recover.pod
EVP_PKEY_verify.pod
EVP_SealInit.pod
EVP_SignInit.pod
EVP_VerifyInit.pod
HMAC.pod
i2d_CMS_bio_stream.pod
i2d_PKCS7_bio_stream.pod
i2d_re_X509_tbs.pod
MD5.pod
MDC2_Init.pod
o2i_SCT_LIST.pod
OBJ_nid2obj.pod
OCSP_cert_to_id.pod
OCSP_request_add1_nonce.pod
OCSP_REQUEST_new.pod
OCSP_resp_find_status.pod
OCSP_response_status.pod
OCSP_sendreq_new.pod
OpenSSL_add_all_algorithms.pod
OPENSSL_Applink.pod
OPENSSL_config.pod
OPENSSL_ia32cap.pod
OPENSSL_init_crypto.pod
OPENSSL_init_ssl.pod
OPENSSL_instrument_bus.pod
OPENSSL_LH_COMPFUNC.pod
OPENSSL_LH_stats.pod
OPENSSL_load_builtin_modules.pod
OPENSSL_malloc.pod Fix "failure rate" bugs 2017-01-13 15:47:02 -05:00
OPENSSL_secure_malloc.pod Fix man3 reference to CRYPTO_secure_used 2017-01-16 16:33:39 -05:00
OPENSSL_VERSION_NUMBER.pod
PEM_read_bio_PrivateKey.pod
PEM_read_CMS.pod
PEM_read.pod
PEM_write_bio_CMS_stream.pod
PEM_write_bio_PKCS7_stream.pod
PKCS5_PBKDF2_HMAC.pod
PKCS7_decrypt.pod
PKCS7_encrypt.pod
PKCS7_sign_add_signer.pod
PKCS7_sign.pod
PKCS7_verify.pod
PKCS12_create.pod
PKCS12_newpass.pod
PKCS12_parse.pod
RAND_add.pod
RAND_bytes.pod
RAND_cleanup.pod
RAND_egd.pod
RAND_load_file.pod
RAND_set_rand_method.pod
RC4_set_key.pod
RIPEMD160_Init.pod
RSA_blinding_on.pod
RSA_check_key.pod
RSA_generate_key.pod Doc fix 2017-02-06 09:13:35 -05:00
RSA_get0_key.pod
RSA_meth_new.pod
RSA_new.pod
RSA_padding_add_PKCS1_type_1.pod
RSA_print.pod
RSA_private_encrypt.pod
RSA_public_encrypt.pod
RSA_set_method.pod
RSA_sign_ASN1_OCTET_STRING.pod
RSA_sign.pod
RSA_size.pod
SCT_new.pod
SCT_print.pod
SCT_validate.pod
SHA256_Init.pod
SMIME_read_CMS.pod
SMIME_read_PKCS7.pod
SMIME_write_CMS.pod
SMIME_write_PKCS7.pod
SSL_accept.pod
SSL_alert_type_string.pod
SSL_check_chain.pod
SSL_CIPHER_get_name.pod Update documentation 2017-02-08 02:16:28 +00:00
SSL_clear.pod
SSL_COMP_add_compression_method.pod
SSL_CONF_cmd_argv.pod
SSL_CONF_cmd.pod
SSL_CONF_CTX_new.pod
SSL_CONF_CTX_set1_prefix.pod
SSL_CONF_CTX_set_flags.pod
SSL_CONF_CTX_set_ssl_ctx.pod
SSL_connect.pod
SSL_CTX_add1_chain_cert.pod
SSL_CTX_add_extra_chain_cert.pod
SSL_CTX_add_session.pod
SSL_CTX_config.pod
SSL_CTX_ctrl.pod
SSL_CTX_dane_enable.pod
SSL_CTX_flush_sessions.pod
SSL_CTX_free.pod
SSL_CTX_get0_param.pod
SSL_CTX_get_verify_mode.pod
SSL_CTX_has_client_custom_ext.pod
SSL_CTX_load_verify_locations.pod
SSL_CTX_new.pod
SSL_CTX_sess_number.pod
SSL_CTX_sess_set_cache_size.pod
SSL_CTX_sess_set_get_cb.pod
SSL_CTX_sessions.pod
SSL_CTX_set1_curves.pod
SSL_CTX_set1_sigalgs.pod Update documentation 2017-01-30 13:00:17 +00:00
SSL_CTX_set1_verify_cert_store.pod
SSL_CTX_set_alpn_select_cb.pod
SSL_CTX_set_cert_cb.pod
SSL_CTX_set_cert_store.pod
SSL_CTX_set_cert_verify_callback.pod
SSL_CTX_set_cipher_list.pod
SSL_CTX_set_client_CA_list.pod
SSL_CTX_set_client_cert_cb.pod
SSL_CTX_set_ct_validation_callback.pod
SSL_CTX_set_ctlog_list_file.pod
SSL_CTX_set_default_passwd_cb.pod
SSL_CTX_set_early_cb.pod Add SSL_CTX early callback 2017-02-23 19:40:26 +01:00
SSL_CTX_set_generate_session_id.pod
SSL_CTX_set_info_callback.pod
SSL_CTX_set_keylog_callback.pod Add documentation for the key logging callbacks 2017-01-23 17:07:43 +01:00
SSL_CTX_set_max_cert_list.pod
SSL_CTX_set_min_proto_version.pod
SSL_CTX_set_mode.pod
SSL_CTX_set_msg_callback.pod
SSL_CTX_set_options.pod
SSL_CTX_set_psk_client_callback.pod
SSL_CTX_set_quiet_shutdown.pod
SSL_CTX_set_read_ahead.pod
SSL_CTX_set_security_level.pod
SSL_CTX_set_session_cache_mode.pod
SSL_CTX_set_session_id_context.pod
SSL_CTX_set_split_send_fragment.pod
SSL_CTX_set_ssl_version.pod
SSL_CTX_set_timeout.pod
SSL_CTX_set_tlsext_status_cb.pod
SSL_CTX_set_tlsext_ticket_key_cb.pod Few nit's 2017-01-25 09:06:34 +00:00
SSL_CTX_set_tmp_dh_callback.pod
SSL_CTX_set_verify.pod
SSL_CTX_use_certificate.pod
SSL_CTX_use_psk_identity_hint.pod
SSL_CTX_use_serverinfo.pod
SSL_do_handshake.pod
SSL_extension_supported.pod
SSL_free.pod
SSL_get0_peer_scts.pod
SSL_get_all_async_fds.pod
SSL_get_ciphers.pod Refactor SSL_bytes_to_cipher_list() 2017-02-23 19:40:25 +01:00
SSL_get_client_CA_list.pod
SSL_get_client_random.pod
SSL_get_current_cipher.pod
SSL_get_default_timeout.pod
SSL_get_error.pod Add SSL_CTX early callback 2017-02-23 19:40:26 +01:00
SSL_get_extms_support.pod
SSL_get_fd.pod
SSL_get_peer_cert_chain.pod Correct reference to SSL_get_peer_cert_chain(). 2017-01-18 01:40:36 +01:00
SSL_get_peer_certificate.pod
SSL_get_peer_signature_nid.pod Update documentation 2017-01-30 13:00:17 +00:00
SSL_get_psk_identity.pod
SSL_get_rbio.pod
SSL_get_session.pod
SSL_get_shared_sigalgs.pod
SSL_get_SSL_CTX.pod
SSL_get_verify_result.pod
SSL_get_version.pod
SSL_key_update.pod Don't use an enum in the return type for a public API function 2017-02-17 10:28:01 +00:00
SSL_library_init.pod
SSL_load_client_CA_file.pod
SSL_new.pod
SSL_pending.pod
SSL_read.pod
SSL_rstate_string.pod
SSL_SESSION_free.pod
SSL_SESSION_get0_cipher.pod
SSL_SESSION_get0_hostname.pod
SSL_SESSION_get0_id_context.pod
SSL_SESSION_get_protocol_version.pod
SSL_SESSION_get_time.pod
SSL_SESSION_has_ticket.pod
SSL_session_reused.pod
SSL_SESSION_set1_id.pod
SSL_set1_host.pod
SSL_set_bio.pod
SSL_set_connect_state.pod
SSL_set_fd.pod
SSL_set_session.pod
SSL_set_shutdown.pod
SSL_set_verify_result.pod
SSL_shutdown.pod
SSL_state_string.pod
SSL_want.pod Add SSL_CTX early callback 2017-02-23 19:40:26 +01:00
SSL_write.pod
UI_new.pod Add a few documentation lines about UI_OpenSSL() 2017-01-11 18:27:27 +01:00
UI_UTIL_read_pw.pod UI documentation fixup 2017-01-12 15:23:15 +01:00
X509_ALGOR_dup.pod
X509_check_ca.pod
X509_check_host.pod
X509_check_issued.pod
X509_CRL_get0_by_serial.pod
X509_digest.pod Make X509_Digest,others public 2017-01-12 16:39:41 -05:00
X509_dup.pod
X509_EXTENSION_set_object.pod
X509_get0_notBefore.pod
X509_get0_signature.pod
X509_get0_uids.pod
X509_get_extension_flags.pod Fix a typo in the X509_get0_subject_key_id() documentation 2017-02-09 10:38:52 +00:00
X509_get_pubkey.pod
X509_get_serialNumber.pod
X509_get_subject_name.pod
X509_get_version.pod
X509_LOOKUP_hash_dir.pod
X509_NAME_add_entry_by_txt.pod
X509_NAME_ENTRY_get_object.pod
X509_NAME_get0_der.pod
X509_NAME_get_index_by_NID.pod
X509_NAME_print_ex.pod
X509_new.pod
X509_PUBKEY_new.pod
X509_SIG_get0.pod
X509_sign.pod
X509_STORE_CTX_get_error.pod
X509_STORE_CTX_new.pod
X509_STORE_CTX_set_verify_cb.pod
X509_STORE_get0_param.pod
X509_STORE_new.pod
X509_STORE_set_verify_cb_func.pod
X509_verify_cert.pod
X509_VERIFY_PARAM_set_flags.pod GH2176: Add X509_VERIFY_PARAM_get_time 2017-01-12 09:54:09 -05:00
X509v3_get_ext_by_NID.pod
X509V3_get_d2i.pod