sync with OpenSSL 1.1.1, which is still under a free license;

in particular, this includes new text by Matt Caswell from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000 and corrects a wrong argument type that i introduced into the SYNOPSIS; requested by tb@
author: schwarze <> 2021-08-30 18:18:16 +0000
committer: schwarze <> 2021-08-30 18:18:16 +0000
commit: 447f1c2b595ba3da3932bbb5ec4313a80587c746 (patch)
tree: 73c2da05ca9a7cb7032bfaa6fc1296a69226d984 /src
parent: 6773bdc789953cda24f6a3eb5b970041ae902890 (diff)
download: openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.tar.gz
openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.tar.bz2
openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.zip
1 files changed, 107 insertions, 15 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 8b8147a09f..d3cb5bc723 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,10 +1,11 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.5 2021/08/30 18:18:16 schwarze Exp $
-.\"     OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
+.\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
-.\"     OpenSSL 8c55c461 Mar 29 08:34:37 2017 +1000
+.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
-.\" This file was written by Jon Spillett <jon.spillett@oracle.com>
+.\" This file was written by Jon Spillett <jon.spillett@oracle.com>,
-.\" and Paul Yang <yang dot yang at baishancloud dot com>.
+.\" Paul Yang <yang dot yang at baishancloud dot com>, and
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+.\" Matt Caswell <matt@openssl.org>.
+.\" Copyright (c) 2017, 2019 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -50,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: August 30 2021 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -65,7 +66,7 @@
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_callback
 .Fa "SSL_CTX *ctx"
-.Fa "int (*cb)(SSL_CTX *, int *, void *)"
+.Fa "int (*cb)(SSL *ssl, int *alert, void *arg)"
 .Fc
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_arg
@@ -74,16 +75,16 @@
 .Fc
 .Ft const char *
 .Fo SSL_get_servername
-.Fa "const SSL *s"
+.Fa "const SSL *ssl"
 .Fa "const int type"
 .Fc
 .Ft int
 .Fo SSL_get_servername_type
-.Fa "const SSL *s"
+.Fa "const SSL *ssl"
 .Fc
 .Ft int
 .Fo SSL_set_tlsext_host_name
-.Fa "const SSL *s"
+.Fa "const SSL *ssl"
 .Fa "const char *name"
 .Fc
 .Sh DESCRIPTION
@@ -97,14 +98,105 @@ When
 is
 .Dv NULL ,
 SNI is not used.
-The
+.Pp
-.Fa arg
+The servername callback should return one of the following values:
-value is a pointer which is passed to the application callback.
+.Bl -tag -width Ds
+.It Dv SSL_TLSEXT_ERR_OK
+This is used to indicate that the servername requested by the client
+has been accepted.
+Typically a server will call
+.Xr SSL_set_SSL_CTX 3
+in the callback to set up a different configuration
+for the selected servername in this case.
+.It Dv SSL_TLSEXT_ERR_ALERT_FATAL
+In this case the servername requested by the client is not accepted
+and the handshake will be aborted.
+The value of the alert to be used should be stored in the location
+pointed to by the
+.Fa alert
+parameter to the callback.
+By default this value is initialised to
+.Dv SSL_AD_UNRECOGNIZED_NAME .
+.It Dv SSL_TLSEXT_ERR_ALERT_WARNING
+If this value is returned, then the servername is not accepted by the server.
+However, the handshake will continue and send a warning alert instead.
+The value of the alert should be stored in the location pointed to by the
+.Fa alert
+parameter as for
+.Dv SSL_TLSEXT_ERR_ALERT_FATAL
+above.
+Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has
+been negotiated then this return value is treated the same way as
+.Dv SSL_TLSEXT_ERR_NOACK .
+.It Dv SSL_TLSEXT_ERR_NOACK
+This return value indicates
+that the servername is not accepted by the server.
+No alerts are sent
+and the server will not acknowledge the requested servername.
+.El
 .Pp
 .Fn SSL_CTX_set_tlsext_servername_arg
-sets a context-specific argument to be passed into the callback for
+sets a context-specific argument to be passed into the callback via the
+.Fa arg
+parameter for
 .Fa ctx .
 .Pp
+The behaviour of
+.Fn SSL_get_servername
+depends on a number of different factors.
+In particular note that in TLSv1.3,
+the servername is negotiated in every handshake.
+In TLSv1.2 the servername is only negotiated on initial handshakes
+and not on resumption handshakes.
+.Bl -tag -width Ds
+.It On the client, before the handshake:
+If a servername has been set via a call to
+.Fn SSL_set_tlsext_host_name ,
+then it will return that servername.
+If one has not been set, but a TLSv1.2 resumption is being attempted
+and the session from the original handshake had a servername
+accepted by the server, then it will return that servername.
+Otherwise it returns
+.Dv NULL .
+.It On the client, during or after the handshake,\
+ if a TLSv1.2 (or below) resumption occurred:
+If the session from the original handshake had a servername accepted by the
+server, then it will return that servername.
+Otherwise it returns the servername set via
+.Fn SSL_set_tlsext_host_name
+or
+.Dv NULL
+if it was not called.
+.It On the client, during or after the handshake,\
+ if a TLSv1.2 (or below) resumption did not occur:
+It will return the servername set via
+.Fn SSL_set_tlsext_host_name
+or
+.Dv NULL
+if it was not called.
+.It On the server, before the handshake:
+The function will always return
+.Dv NULL
+before the handshake.
+.It On the server, after the servername extension has been processed,\
+ if a TLSv1.2 (or below) resumption occurred:
+If a servername was accepted by the server in the original handshake,
+then it will return that servername, or
+.Dv NULL
+otherwise.
+.It On the server, after the servername extension has been processed,\
+ if a TLSv1.2 (or below) resumption did not occur:
+The function will return the servername
+requested by the client in this handshake or
+.Dv NULL
+if none was requested.
+.El
+.Pp
+Note that the early callback occurs before a servername extension
+from the client is processed.
+The servername, certificate and ALPN callbacks occur
+after a servername extension from the client is processed.
+.Pp
 .Fn SSL_set_tlsext_host_name
 sets the server name indication ClientHello extension
 to contain the value
author	schwarze <>	2021-08-30 18:18:16 +0000
committer	schwarze <>	2021-08-30 18:18:16 +0000
commit	447f1c2b595ba3da3932bbb5ec4313a80587c746 (patch)
tree	73c2da05ca9a7cb7032bfaa6fc1296a69226d984 /src
parent	6773bdc789953cda24f6a3eb5b970041ae902890 (diff)
download	openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.tar.gz openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.tar.bz2 openbsd-447f1c2b595ba3da3932bbb5ec4313a80587c746.zip

diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 index 8b8147a09f..d3cb5bc723 100644 --- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 +++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,10 +1,11 @@
1	.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $	1	.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.5 2021/08/30 18:18:16 schwarze Exp $
2	.\" OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800	2	.\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
3	.\" OpenSSL 8c55c461 Mar 29 08:34:37 2017 +1000	3	.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
4	.\"	4	.\"
5	.\" This file was written by Jon Spillett <jon.spillett@oracle.com>	5	.\" This file was written by Jon Spillett <jon.spillett@oracle.com>,
6	.\" and Paul Yang <yang dot yang at baishancloud dot com>.	6	.\" Paul Yang <yang dot yang at baishancloud dot com>, and
7	.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.	7	.\" Matt Caswell <matt@openssl.org>.
		8	.\" Copyright (c) 2017, 2019 The OpenSSL Project. All rights reserved.
8	.\"	9	.\"
9	.\" Redistribution and use in source and binary forms, with or without	10	.\" Redistribution and use in source and binary forms, with or without
10	.\" modification, are permitted provided that the following conditions	11	.\" modification, are permitted provided that the following conditions
@@ -50,7 +51,7 @@
50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
52	.\"	53	.\"
53	.Dd $Mdocdate: June 12 2019 $	54	.Dd $Mdocdate: August 30 2021 $
54	.Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3	55	.Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
55	.Os	56	.Os
56	.Sh NAME	57	.Sh NAME
@@ -65,7 +66,7 @@
65	.Ft long	66	.Ft long
66	.Fo SSL_CTX_set_tlsext_servername_callback	67	.Fo SSL_CTX_set_tlsext_servername_callback
67	.Fa "SSL_CTX *ctx"	68	.Fa "SSL_CTX *ctx"
68	.Fa "int (cb)(SSL_CTX , int , void )"	69	.Fa "int (cb)(SSL ssl, int alert, void arg)"
69	.Fc	70	.Fc
70	.Ft long	71	.Ft long
71	.Fo SSL_CTX_set_tlsext_servername_arg	72	.Fo SSL_CTX_set_tlsext_servername_arg
@@ -74,16 +75,16 @@
74	.Fc	75	.Fc
75	.Ft const char *	76	.Ft const char *
76	.Fo SSL_get_servername	77	.Fo SSL_get_servername
77	.Fa "const SSL *s"	78	.Fa "const SSL *ssl"
78	.Fa "const int type"	79	.Fa "const int type"
79	.Fc	80	.Fc
80	.Ft int	81	.Ft int
81	.Fo SSL_get_servername_type	82	.Fo SSL_get_servername_type
82	.Fa "const SSL *s"	83	.Fa "const SSL *ssl"
83	.Fc	84	.Fc
84	.Ft int	85	.Ft int
85	.Fo SSL_set_tlsext_host_name	86	.Fo SSL_set_tlsext_host_name
86	.Fa "const SSL *s"	87	.Fa "const SSL *ssl"
87	.Fa "const char *name"	88	.Fa "const char *name"
88	.Fc	89	.Fc
89	.Sh DESCRIPTION	90	.Sh DESCRIPTION
@@ -97,14 +98,105 @@ When
97	is	98	is
98	.Dv NULL ,	99	.Dv NULL ,
99	SNI is not used.	100	SNI is not used.
100	The	101	.Pp
101	.Fa arg	102	The servername callback should return one of the following values:
102	value is a pointer which is passed to the application callback.	103	.Bl -tag -width Ds
		104	.It Dv SSL_TLSEXT_ERR_OK
		105	This is used to indicate that the servername requested by the client
		106	has been accepted.
		107	Typically a server will call
		108	.Xr SSL_set_SSL_CTX 3
		109	in the callback to set up a different configuration
		110	for the selected servername in this case.
		111	.It Dv SSL_TLSEXT_ERR_ALERT_FATAL
		112	In this case the servername requested by the client is not accepted
		113	and the handshake will be aborted.
		114	The value of the alert to be used should be stored in the location
		115	pointed to by the
		116	.Fa alert
		117	parameter to the callback.
		118	By default this value is initialised to
		119	.Dv SSL_AD_UNRECOGNIZED_NAME .
		120	.It Dv SSL_TLSEXT_ERR_ALERT_WARNING
		121	If this value is returned, then the servername is not accepted by the server.
		122	However, the handshake will continue and send a warning alert instead.
		123	The value of the alert should be stored in the location pointed to by the
		124	.Fa alert
		125	parameter as for
		126	.Dv SSL_TLSEXT_ERR_ALERT_FATAL
		127	above.
		128	Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has
		129	been negotiated then this return value is treated the same way as
		130	.Dv SSL_TLSEXT_ERR_NOACK .
		131	.It Dv SSL_TLSEXT_ERR_NOACK
		132	This return value indicates
		133	that the servername is not accepted by the server.
		134	No alerts are sent
		135	and the server will not acknowledge the requested servername.
		136	.El
103	.Pp	137	.Pp
104	.Fn SSL_CTX_set_tlsext_servername_arg	138	.Fn SSL_CTX_set_tlsext_servername_arg
105	sets a context-specific argument to be passed into the callback for	139	sets a context-specific argument to be passed into the callback via the
		140	.Fa arg
		141	parameter for
106	.Fa ctx .	142	.Fa ctx .
107	.Pp	143	.Pp
		144	The behaviour of
		145	.Fn SSL_get_servername
		146	depends on a number of different factors.
		147	In particular note that in TLSv1.3,
		148	the servername is negotiated in every handshake.
		149	In TLSv1.2 the servername is only negotiated on initial handshakes
		150	and not on resumption handshakes.
		151	.Bl -tag -width Ds
		152	.It On the client, before the handshake:
		153	If a servername has been set via a call to
		154	.Fn SSL_set_tlsext_host_name ,
		155	then it will return that servername.
		156	If one has not been set, but a TLSv1.2 resumption is being attempted
		157	and the session from the original handshake had a servername
		158	accepted by the server, then it will return that servername.
		159	Otherwise it returns
		160	.Dv NULL .
		161	.It On the client, during or after the handshake,\
		162	if a TLSv1.2 (or below) resumption occurred:
		163	If the session from the original handshake had a servername accepted by the
		164	server, then it will return that servername.
		165	Otherwise it returns the servername set via
		166	.Fn SSL_set_tlsext_host_name
		167	or
		168	.Dv NULL
		169	if it was not called.
		170	.It On the client, during or after the handshake,\
		171	if a TLSv1.2 (or below) resumption did not occur:
		172	It will return the servername set via
		173	.Fn SSL_set_tlsext_host_name
		174	or
		175	.Dv NULL
		176	if it was not called.
		177	.It On the server, before the handshake:
		178	The function will always return
		179	.Dv NULL
		180	before the handshake.
		181	.It On the server, after the servername extension has been processed,\
		182	if a TLSv1.2 (or below) resumption occurred:
		183	If a servername was accepted by the server in the original handshake,
		184	then it will return that servername, or
		185	.Dv NULL
		186	otherwise.
		187	.It On the server, after the servername extension has been processed,\
		188	if a TLSv1.2 (or below) resumption did not occur:
		189	The function will return the servername
		190	requested by the client in this handshake or
		191	.Dv NULL
		192	if none was requested.
		193	.El
		194	.Pp
		195	Note that the early callback occurs before a servername extension
		196	from the client is processed.
		197	The servername, certificate and ALPN callbacks occur
		198	after a servername extension from the client is processed.
		199	.Pp
108	.Fn SSL_set_tlsext_host_name	200	.Fn SSL_set_tlsext_host_name
109	sets the server name indication ClientHello extension	201	sets the server name indication ClientHello extension
110	to contain the value	202	to contain the value