Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.

"Early callback" is a little ambiguous now that early data exists.
Perhaps "ClientHello callback"?
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

doc/man3/SSL_CIPHER_get_name.pod

@@ -97,8 +97,9 @@ ChaCha20/Poly1305), and 0 if it is not AEAD.
 SSL_CIPHER_find() returns a B<SSL_CIPHER> structure which has the cipher ID stored
 in B<ptr>. The B<ptr> parameter is a two element array of B<char>, which stores the
 two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter
-is usually retrieved from a TLS packet by using functions like L<SSL_early_get0_ciphers(3)>.
-SSL_CIPHER_find() returns NULL if an error occurs or the indicated cipher is not found.
+is usually retrieved from a TLS packet by using functions like
+L<SSL_client_hello_get0_ciphers(3)>.  SSL_CIPHER_find() returns NULL if an
+error occurs or the indicated cipher is not found.
 
 SSL_CIPHER_get_id() returns the OpenSSL-specific ID of the given cipher B<c>. That ID is
 not the same as the IANA-specific ID.

doc/man3/SSL_CTX_set_early_cb.pod → doc/man3/SSL_CTX_set_client_hello_cb.pod

@@ -2,25 +2,28 @@
 
 =head1 NAME
 
-SSL_CTX_set_early_cb, SSL_early_cb_fn, SSL_early_isv2, SSL_early_get0_legacy_version, SSL_early_get0_random, SSL_early_get0_session_id, SSL_early_get0_ciphers, SSL_early_get0_compression_methods, SSL_early_get1_extensions_present, SSL_early_get0_ext - callback functions for early server-side ClientHello processing
+SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext - callback functions for early server-side ClientHello processing
 
 =head1 SYNOPSIS
 
- typedef int (*SSL_early_cb_fn)(SSL *s, int *al, void *arg);
- void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn *f, void *arg);
- int SSL_early_isv2(SSL *s);
- unsigned int SSL_early_get0_legacy_version(SSL *s);
- size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
- size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
- size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
- size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
- int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen);
- int SSL_early_get0_ext(SSL *s, int type, const unsigned char **out,
-                        size_t *outlen);
+ typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg);
+ void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f,
+                                  void *arg);
+ int SSL_client_hello_isv2(SSL *s);
+ unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
+ size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
+ size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
+ size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
+ size_t SSL_client_hello_get0_compression_methods(SSL *s,
+                                                  const unsigned char **out);
+ int SSL_client_hello_get1_extensions_present(SSL *s, int **out,
+                                              size_t *outlen);
+ int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out,
+                               size_t *outlen);
 
 =head1 DESCRIPTION
 
-SSL_CTX_set_early_cb() sets the callback function, which is automatically
+SSL_CTX_set_client_hello_cb() sets the callback function, which is automatically
 called during the early stages of ClientHello processing on the server.
 The argument supplied when setting the callback is passed back to the
 callback at runtime.  A callback that returns failure (0) will cause the
@@ -28,43 +31,44 @@ connection to terminate, and callbacks returning failure should indicate
 what alert value is to be sent in the B<al> parameter.  A callback may
 also return a negative value to suspend the handshake, and the handshake
 function will return immediately.  L<SSL_get_error(3)> will return
-SSL_ERROR_WANT_EARLY to indicate that the handshake was suspended.
-It is the job of the early callback to store information about the state
+SSL_ERROR_WANT_CLIENT_HELLO_CB to indicate that the handshake was suspended.
+It is the job of the ClientHello callback to store information about the state
 of the last call if needed to continue.  On the next call into the handshake
-function, the early callback will be called again, and, if it returns
+function, the ClientHello callback will be called again, and, if it returns
 success, normal handshake processing will continue from that point.
 
-SSL_early_isv2() indicates whether the ClientHello was carried in a
+SSL_client_hello_isv2() indicates whether the ClientHello was carried in a
 SSLv2 record and is in the SSLv2 format.  The SSLv2 format has substantial
 differences from the normal SSLv3 format, including using three bytes per
 cipher suite, and not allowing extensions.  Additionally, the SSLv2 format
-'challenge' field is exposed via SSL_early_get0_random(), padded to
+'challenge' field is exposed via SSL_client_hello_get0_random(), padded to
 SSL3_RANDOM_SIZE bytes with zeros if needed.  For SSLv2 format ClientHellos,
-SSL_early_get0_compression_methods() returns a dummy list that only includes
+SSL_client_hello_get0_compression_methods() returns a dummy list that only includes
 the null compression method, since the SSLv2 format does not include a
 mechanism by which to negotiate compression.
 
-SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
-and SSL_early_get0_compression_methods() provide access to the corresponding
-ClientHello fields, returning the field length and optionally setting an
-out pointer to the octets of that field.
+SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
+SSL_client_hello_get0_ciphers(), and
+SSL_client_hello_get0_compression_methods() provide access to the corresponding
+ClientHello fields, returning the field length and optionally setting an out
+pointer to the octets of that field.
 
-Similarly, SSL_early_get0_ext() provides access to individual extensions
+Similarly, SSL_client_hello_get0_ext() provides access to individual extensions
 from the ClientHello on a per-extension basis.  For the provided wire
 protocol extension type value, the extension value and length are returned
 in the output parameters (if present).
 
-SSL_early_get1_extensions_present() can be used prior to SSL_early_get0_ext(),
-to determine which extensions are present in the ClientHello before querying
-for them.  The B<out> and B<outlen> parameters are both required, and on
-success the caller must release the storage allocated for B<*out> using
-OPENSSL_free().  The contents of B<*out> is an array of integers holding the
-numerical value of the TLS extension types in the order they appear in the
-ClientHello.  B<*outlen> contains the number of elements in the array.
+SSL_client_hello_get1_extensions_present() can be used prior to
+SSL_client_hello_get0_ext(), to determine which extensions are present in the
+ClientHello before querying for them.  The B<out> and B<outlen> parameters are
+both required, and on success the caller must release the storage allocated for
+B<*out> using OPENSSL_free().  The contents of B<*out> is an array of integers
+holding the numerical value of the TLS extension types in the order they appear
+in the ClientHello.  B<*outlen> contains the number of elements in the array.
 
 =head1 NOTES
 
-The early callback provides a vast window of possibilities for application
+The ClientHello callback provides a vast window of possibilities for application
 code to affect the TLS handshake.  A primary use of the callback is to
 allow the server to examine the server name indication extension provided
 by the client in order to select an appropriate certificate to present,
@@ -74,30 +78,31 @@ the associated SSL_CTX pointer, modifying the server's list of permitted TLS
 versions, changing the server's cipher list in response to the client's
 cipher list, etc.
 
-It is also recommended that applications utilize an early callback and
+It is also recommended that applications utilize a ClientHello callback and
 not use a servername callback, in order to avoid unexpected behavior that
 occurs due to the relative order of processing between things like session
 resumption and the historical servername callback.
 
-The SSL_early_* family of functions may only be called from code executing
-within an early callback.
+The SSL_client_hello_* family of functions may only be called from code executing
+within a ClientHello callback.
 
 =head1 RETURN VALUES
 
-The application's supplied early callback returns 1 on success, 0 on failure,
+The application's supplied ClientHello callback returns 1 on success, 0 on failure,
 and a negative value to suspend processing.
 
-SSL_early_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise.
+SSL_client_hello_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise.
 
-SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
-and SSL_early_get0_compression_methods() return the length of the corresponding
-ClientHello fields.  If zero is returned, the output pointer should not be
-assumed to be valid.
+SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
+SSL_client_hello_get0_ciphers(), and
+SSL_client_hello_get0_compression_methods() return the length of the
+corresponding ClientHello fields.  If zero is returned, the output pointer
+should not be assumed to be valid.
 
-SSL_early_get0_ext() returns 1 if the extension of type 'type' is present, and
+SSL_client_hello_get0_ext() returns 1 if the extension of type 'type' is present, and
 0 otherwise.
 
-SSL_early_get1_extensions_present() returns 1 on success and 0 on failure.
+SSL_client_hello_get1_extensions_present() returns 1 on success and 0 on failure.
 
 =head1 SEE ALSO
 
@@ -106,10 +111,11 @@ L<SSL_bytes_to_cipher_list>
 
 =head1 HISTORY
 
-The SSL early callback, SSL_early_isv2(), SSL_early_get0_random(),
-SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
-SSL_early_get0_compression_methods(), SSL_early_get0_ext(), and
-SSL_early_get1_extensions_present() were added in OpenSSL 1.1.1.
+The SSL ClientHello callback, SSL_client_hello_isv2(),
+SSL_client_hello_get0_random(), SSL_client_hello_get0_session_id(),
+SSL_client_hello_get0_ciphers(), SSL_client_hello_get0_compression_methods(),
+SSL_client_hello_get0_ext(), and SSL_client_hello_get1_extensions_present()
+were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 

doc/man3/SSL_CTX_set_tlsext_servername_callback.pod

@@ -21,8 +21,8 @@ SSL_set_tlsext_host_name - handle server name indication (SNI)
 
 =head1 DESCRIPTION
 
-The functionality provided by the servername callback is superseded by
-the early callback, which can be set using SSL_CTX_set_early_cb().
+The functionality provided by the servername callback is superseded by the
+ClientHello callback, which can be set using SSL_CTX_set_client_hello_cb().
 The servername callback is retained for historical compatibility.
 
 SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb>
@@ -48,8 +48,8 @@ to B<TLSEXT_NAMETYPE_host_name> (defined in RFC3546).
 =head1 NOTES
 
 Several callbacks are executed during ClientHello processing, including
-the early, ALPN, and servername callbacks.  The early callback is executed
-first, then the servername callback, followed by the ALPN callback.
+the ClientHello, ALPN, and servername callbacks.  The ClientHello callback is
+executed first, then the servername callback, followed by the ALPN callback.
 
 The SSL_set_tlsext_host_name() function should only be called on SSL objects
 that will act as clients; otherwise the configured B<name> will be ignored.
@@ -63,7 +63,7 @@ SSL_set_tlsext_host_name() returns 1 on success, 0 in case of error.
 =head1 SEE ALSO
 
 L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>,
-L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_early_cb(3)>
+L<SSL_get0_alpn_selected(3)>, L<SSL_CTX_set_client_hello_cb(3)>
 
 =head1 COPYRIGHT
 

doc/man3/SSL_get_error.pod

@@ -110,10 +110,10 @@ through a call to L<ASYNC_init_thread(3)>. The application should retry the
 operation after a currently executing asynchronous operation for the current
 thread has completed.
 
-=item SSL_ERROR_WANT_EARLY
+=item SSL_ERROR_WANT_CLIENT_HELLO_CB
 
 The operation did not complete because an application callback set by
-SSL_CTX_set_early_cb() has asked to be called again.
+SSL_CTX_set_client_hello_cb() has asked to be called again.
 The TLS/SSL I/O function should be called again later.
 Details depend on the application.
 
@@ -137,7 +137,7 @@ L<ssl(7)>
 =head1 HISTORY
 
 SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0.
-SSL_ERROR_WANT_EARLY was added in OpenSSL 1.1.1.
+SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 

doc/man3/SSL_want.pod

@@ -3,8 +3,8 @@
 =head1 NAME
 
 SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup,
-SSL_want_async, SSL_want_async_job, SSL_want_early - obtain state information
-TLS/SSL I/O operation
+SSL_want_async, SSL_want_async_job, SSL_want_client_hello_cb - obtain state
+information TLS/SSL I/O operation
 
 =head1 SYNOPSIS
 
@@ -17,7 +17,7 @@ TLS/SSL I/O operation
  int SSL_want_x509_lookup(const SSL *ssl);
  int SSL_want_async(const SSL *ssl);
  int SSL_want_async_job(const SSL *ssl);
- int SSL_want_early(const SSL *ssl);
+ int SSL_want_client_hello_cb(const SSL *ssl);
 
 =head1 DESCRIPTION
 
@@ -82,18 +82,18 @@ The asynchronous job could not be started because there were no async jobs
 available in the pool (see ASYNC_init_thread(3)). A call to L<SSL_get_error(3)>
 should return SSL_ERROR_WANT_ASYNC_JOB.
 
-=item SSL_EARLY_WORK
+=item SSL_CLIENT_HELLO_CB
 
 The operation did not complete because an application callback set by
-SSL_CTX_set_early_cb() has asked to be called again.
+SSL_CTX_set_client_hello_cb() has asked to be called again.
 A call to L<SSL_get_error(3)> should return
-SSL_ERROR_WANT_EARLY.
+SSL_ERROR_WANT_CLIENT_HELLO_CB.
 
 =back
 
 SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup(),
-SSL_want_async(), SSL_want_async_job(), and SSL_want_early() return 1, when
-the corresponding condition is true or 0 otherwise.
+SSL_want_async(), SSL_want_async_job(), and SSL_want_client_hello_cb() return
+1, when the corresponding condition is true or 0 otherwise.
 
 =head1 SEE ALSO
 
@@ -101,7 +101,7 @@ L<ssl(7)>, L<SSL_get_error(3)>
 
 =head1 HISTORY
 
-SSL_want_early() and SSL_EARLY_WORK were added in OpenSSL 1.1.1.
+SSL_want_client_hello_cb() and SSL_CLIENT_HELLO_CB were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 

include/openssl/ssl.h

@@ -844,16 +844,16 @@ __owur int SSL_extension_supported(unsigned int ext_type);
 # define SSL_X509_LOOKUP        4
 # define SSL_ASYNC_PAUSED       5
 # define SSL_ASYNC_NO_JOBS      6
-# define SSL_EARLY_WORK         7
+# define SSL_CLIENT_HELLO_CB    7
 
 /* These will only be used when doing non-blocking IO */
-# define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
-# define SSL_want_read(s)        (SSL_want(s) == SSL_READING)
-# define SSL_want_write(s)       (SSL_want(s) == SSL_WRITING)
-# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
-# define SSL_want_async(s)       (SSL_want(s) == SSL_ASYNC_PAUSED)
-# define SSL_want_async_job(s)   (SSL_want(s) == SSL_ASYNC_NO_JOBS)
-# define SSL_want_early(s)       (SSL_want(s) == SSL_EARLY_WORK)
+# define SSL_want_nothing(s)         (SSL_want(s) == SSL_NOTHING)
+# define SSL_want_read(s)            (SSL_want(s) == SSL_READING)
+# define SSL_want_write(s)           (SSL_want(s) == SSL_WRITING)
+# define SSL_want_x509_lookup(s)     (SSL_want(s) == SSL_X509_LOOKUP)
+# define SSL_want_async(s)           (SSL_want(s) == SSL_ASYNC_PAUSED)
+# define SSL_want_async_job(s)       (SSL_want(s) == SSL_ASYNC_NO_JOBS)
+# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
 
 # define SSL_MAC_FLAG_READ_MAC_STREAM 1
 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1135,7 +1135,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_ERROR_WANT_ACCEPT           8
 # define SSL_ERROR_WANT_ASYNC            9
 # define SSL_ERROR_WANT_ASYNC_JOB       10
-# define SSL_ERROR_WANT_EARLY           11
+# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
 # define SSL_CTRL_SET_TMP_DH                     3
 # define SSL_CTRL_SET_TMP_ECDH                   4
 # define SSL_CTRL_SET_TMP_DH_CB                  6
@@ -1697,19 +1697,21 @@ __owur char *SSL_get_srp_userinfo(SSL *s);
 # endif
 
 /*
- * Early callback and helpers.
+ * ClientHello callback and helpers.
  */
-typedef int (*SSL_early_cb_fn) (SSL *s, int *al, void *arg);
-void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg);
-int SSL_early_isv2(SSL *s);
-unsigned int SSL_early_get0_legacy_version(SSL *s);
-size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
-size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
-size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
-size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
-int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen);
-int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
-                       size_t *outlen);
+typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
+void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
+                                 void *arg);
+int SSL_client_hello_isv2(SSL *s);
+unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
+size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
+size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
+size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
+size_t SSL_client_hello_get0_compression_methods(SSL *s,
+                                                 const unsigned char **out);
+int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
+int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
+                              const unsigned char **out, size_t *outlen);
 
 void SSL_certs_clear(SSL *s);
 void SSL_free(SSL *ssl);

ssl/ssl_lib.c

@@ -3301,8 +3301,8 @@ int SSL_get_error(const SSL *s, int i)
         return SSL_ERROR_WANT_ASYNC;
     if (SSL_want_async_job(s))
         return SSL_ERROR_WANT_ASYNC_JOB;
-    if (SSL_want_early(s))
-        return SSL_ERROR_WANT_EARLY;
+    if (SSL_want_client_hello_cb(s))
+        return SSL_ERROR_WANT_CLIENT_HELLO_CB;
 
     if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
         (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
@@ -4700,27 +4700,28 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
 
 #endif  /* OPENSSL_NO_CT */
 
-void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg)
+void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
+                                 void *arg)
 {
-    c->early_cb = cb;
-    c->early_cb_arg = arg;
+    c->client_hello_cb = cb;
+    c->client_hello_cb_arg = arg;
 }
 
-int SSL_early_isv2(SSL *s)
+int SSL_client_hello_isv2(SSL *s)
 {
     if (s->clienthello == NULL)
         return 0;
     return s->clienthello->isv2;
 }
 
-unsigned int SSL_early_get0_legacy_version(SSL *s)
+unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
 {
     if (s->clienthello == NULL)
         return 0;
     return s->clienthello->legacy_version;
 }
 
-size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4729,7 +4730,7 @@ size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
     return SSL3_RANDOM_SIZE;
 }
 
-size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4738,7 +4739,7 @@ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
     return s->clienthello->session_id_len;
 }
 
-size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4747,7 +4748,7 @@ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
     return PACKET_remaining(&s->clienthello->ciphersuites);
 }
 
-size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4756,7 +4757,7 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
     return s->clienthello->compressions_len;
 }
 
-int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
+int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
 {
     RAW_EXTENSION *ext;
     int *present;
@@ -4788,7 +4789,7 @@ int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
     return 0;
 }
 
-int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
+int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
                        size_t *outlen)
 {
     size_t i;

ssl/ssl_locl.h

@@ -877,9 +877,9 @@ struct ssl_ctx_st {
     ENGINE *client_cert_engine;
 # endif
 
-    /* Early callback.  Mostly for extensions, but not entirely. */
-    SSL_early_cb_fn early_cb;
-    void *early_cb_arg;
+    /* ClientHello callback.  Mostly for extensions, but not entirely. */
+    SSL_client_hello_cb_fn client_hello_cb;
+    void *client_hello_cb_arg;
 
     /* TLS extensions. */
     struct {
@@ -1252,7 +1252,10 @@ struct ssl_st {
         size_t tls13_cookie_len;
     } ext;
 
-    /* Parsed form of the ClientHello, kept around across early_cb calls. */
+    /*
+     * Parsed form of the ClientHello, kept around across client_hello_cb
+     * calls.
+     */
     CLIENTHELLO_MSG *clienthello;
 
     /*-

ssl/statem/statem_srvr.c

@@ -1430,15 +1430,15 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
     DOWNGRADE dgrd = DOWNGRADE_NONE;
 
     /* Finished parsing the ClientHello, now we can start processing it */
-    /* Give the early callback a crack at things */
-    if (s->ctx->early_cb != NULL) {
+    /* Give the ClientHello callback a crack at things */
+    if (s->ctx->client_hello_cb != NULL) {
         int code;
-        /* A failure in the early callback terminates the connection. */
-        code = s->ctx->early_cb(s, &al, s->ctx->early_cb_arg);
+        /* A failure in the ClientHello callback terminates the connection. */
+        code = s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg);
         if (code == 0)
             goto err;
         if (code < 0) {
-            s->rwstate = SSL_EARLY_WORK;
+            s->rwstate = SSL_CLIENT_HELLO_CB;
             return code;
         }
     }

test/handshake_helper.c

@@ -137,7 +137,7 @@ static int select_server_ctx(SSL *s, void *arg, int ignore)
     }
 }
 
-static int early_select_server_ctx(SSL *s, void *arg, int ignore)
+static int client_hello_select_server_ctx(SSL *s, void *arg, int ignore)
 {
     const char *servername;
     const unsigned char *p;
@@ -149,7 +149,8 @@ static int early_select_server_ctx(SSL *s, void *arg, int ignore)
      * The server_name extension was given too much extensibility when it
      * was written, so parsing the normal case is a bit complex.
      */
-    if (!SSL_early_get0_ext(s, TLSEXT_TYPE_server_name, &p, &remaining) ||
+    if (!SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, &p,
+                                   &remaining) ||
         remaining <= 2)
         return 0;
     /* Extract the length of the supplied list of names. */
@@ -219,44 +220,44 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg)
     return select_server_ctx(s, arg, 0);
 }
 
-static int early_ignore_cb(SSL *s, int *al, void *arg)
+static int client_hello_ignore_cb(SSL *s, int *al, void *arg)
 {
-    if (!early_select_server_ctx(s, arg, 1)) {
+    if (!client_hello_select_server_ctx(s, arg, 1)) {
         *al = SSL_AD_UNRECOGNIZED_NAME;
         return 0;
     }
     return 1;
 }
 
-static int early_reject_cb(SSL *s, int *al, void *arg)
+static int client_hello_reject_cb(SSL *s, int *al, void *arg)
 {
-    if (!early_select_server_ctx(s, arg, 0)) {
+    if (!client_hello_select_server_ctx(s, arg, 0)) {
         *al = SSL_AD_UNRECOGNIZED_NAME;
         return 0;
     }
     return 1;
 }
 
-static int early_nov12_cb(SSL *s, int *al, void *arg)
+static int client_hello_nov12_cb(SSL *s, int *al, void *arg)
 {
     int ret;
     unsigned int v;
     const unsigned char *p;
 
-    v = SSL_early_get0_legacy_version(s);
+    v = SSL_client_hello_get0_legacy_version(s);
     if (v > TLS1_2_VERSION || v < SSL3_VERSION) {
         *al = SSL_AD_PROTOCOL_VERSION;
         return 0;
     }
-    (void)SSL_early_get0_session_id(s, &p);
+    (void)SSL_client_hello_get0_session_id(s, &p);
     if (p == NULL ||
-        SSL_early_get0_random(s, &p) == 0 ||
-        SSL_early_get0_ciphers(s, &p) == 0 ||
-        SSL_early_get0_compression_methods(s, &p) == 0) {
+        SSL_client_hello_get0_random(s, &p) == 0 ||
+        SSL_client_hello_get0_ciphers(s, &p) == 0 ||
+        SSL_client_hello_get0_compression_methods(s, &p) == 0) {
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
     }
-    ret = early_select_server_ctx(s, arg, 0);
+    ret = client_hello_select_server_ctx(s, arg, 0);
     SSL_set_max_proto_version(s, TLS1_1_VERSION);
     if (!ret)
         *al = SSL_AD_UNRECOGNIZED_NAME;
@@ -489,7 +490,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
 
     /*
      * Link the two contexts for SNI purposes.
-     * Also do early callbacks here, as setting both early and SNI is bad.
+     * Also do ClientHello callbacks here, as setting both ClientHello and SNI
+     * is bad.
      */
     switch (extra->server.servername_callback) {
     case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
@@ -502,14 +504,14 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
         break;
     case SSL_TEST_SERVERNAME_CB_NONE:
         break;
-    case SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH:
-        SSL_CTX_set_early_cb(server_ctx, early_ignore_cb, server2_ctx);
+    case SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH:
+        SSL_CTX_set_client_hello_cb(server_ctx, client_hello_ignore_cb, server2_ctx);
         break;
-    case SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH:
-        SSL_CTX_set_early_cb(server_ctx, early_reject_cb, server2_ctx);
+    case SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH:
+        SSL_CTX_set_client_hello_cb(server_ctx, client_hello_reject_cb, server2_ctx);
         break;
-    case SSL_TEST_SERVERNAME_EARLY_NO_V12:
-        SSL_CTX_set_early_cb(server_ctx, early_nov12_cb, server2_ctx);
+    case SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12:
+        SSL_CTX_set_client_hello_cb(server_ctx, client_hello_nov12_cb, server2_ctx);
     }
 
     if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) {

test/ssl-tests/05-sni.conf

@@ -8,9 +8,9 @@ test-2 = 2-SNI-no-server-support
 test-3 = 3-SNI-no-client-support
 test-4 = 4-SNI-bad-sni-ignore-mismatch
 test-5 = 5-SNI-bad-sni-reject-mismatch
-test-6 = 6-SNI-bad-early-sni-ignore-mismatch
-test-7 = 7-SNI-bad-early-sni-reject-mismatch
-test-8 = 8-SNI-early-disable-v12
+test-6 = 6-SNI-bad-clienthello-sni-ignore-mismatch
+test-7 = 7-SNI-bad-clienthello-sni-reject-mismatch
+test-8 = 8-SNI-clienthello-disable-v12
 # ===========================================================
 
 [0-SNI-switch-context]
@@ -206,20 +206,20 @@ ServerName = invalid
 
 # ===========================================================
 
-[6-SNI-bad-early-sni-ignore-mismatch]
-ssl_conf = 6-SNI-bad-early-sni-ignore-mismatch-ssl
+[6-SNI-bad-clienthello-sni-ignore-mismatch]
+ssl_conf = 6-SNI-bad-clienthello-sni-ignore-mismatch-ssl
 
-[6-SNI-bad-early-sni-ignore-mismatch-ssl]
-server = 6-SNI-bad-early-sni-ignore-mismatch-server
-client = 6-SNI-bad-early-sni-ignore-mismatch-client
-server2 = 6-SNI-bad-early-sni-ignore-mismatch-server
+[6-SNI-bad-clienthello-sni-ignore-mismatch-ssl]
+server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server
+client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client
+server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server
 
-[6-SNI-bad-early-sni-ignore-mismatch-server]
+[6-SNI-bad-clienthello-sni-ignore-mismatch-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[6-SNI-bad-early-sni-ignore-mismatch-client]
+[6-SNI-bad-clienthello-sni-ignore-mismatch-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -227,33 +227,33 @@ VerifyMode = Peer
 [test-6]
 ExpectedResult = Success
 ExpectedServerName = server1
-server = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
-server2 = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
-client = 6-SNI-bad-early-sni-ignore-mismatch-client-extra
+server = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra
+server2 = 6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra
+client = 6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra
 
-[6-SNI-bad-early-sni-ignore-mismatch-server-extra]
-ServerNameCallback = EarlyIgnoreMismatch
+[6-SNI-bad-clienthello-sni-ignore-mismatch-server-extra]
+ServerNameCallback = ClientHelloIgnoreMismatch
 
-[6-SNI-bad-early-sni-ignore-mismatch-client-extra]
+[6-SNI-bad-clienthello-sni-ignore-mismatch-client-extra]
 ServerName = invalid
 
 
 # ===========================================================
 
-[7-SNI-bad-early-sni-reject-mismatch]
-ssl_conf = 7-SNI-bad-early-sni-reject-mismatch-ssl
+[7-SNI-bad-clienthello-sni-reject-mismatch]
+ssl_conf = 7-SNI-bad-clienthello-sni-reject-mismatch-ssl
 
-[7-SNI-bad-early-sni-reject-mismatch-ssl]
-server = 7-SNI-bad-early-sni-reject-mismatch-server
-client = 7-SNI-bad-early-sni-reject-mismatch-client
-server2 = 7-SNI-bad-early-sni-reject-mismatch-server
+[7-SNI-bad-clienthello-sni-reject-mismatch-ssl]
+server = 7-SNI-bad-clienthello-sni-reject-mismatch-server
+client = 7-SNI-bad-clienthello-sni-reject-mismatch-client
+server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server
 
-[7-SNI-bad-early-sni-reject-mismatch-server]
+[7-SNI-bad-clienthello-sni-reject-mismatch-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[7-SNI-bad-early-sni-reject-mismatch-client]
+[7-SNI-bad-clienthello-sni-reject-mismatch-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -261,33 +261,33 @@ VerifyMode = Peer
 [test-7]
 ExpectedResult = ServerFail
 ExpectedServerAlert = UnrecognizedName
-server = 7-SNI-bad-early-sni-reject-mismatch-server-extra
-server2 = 7-SNI-bad-early-sni-reject-mismatch-server-extra
-client = 7-SNI-bad-early-sni-reject-mismatch-client-extra
+server = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra
+server2 = 7-SNI-bad-clienthello-sni-reject-mismatch-server-extra
+client = 7-SNI-bad-clienthello-sni-reject-mismatch-client-extra
 
-[7-SNI-bad-early-sni-reject-mismatch-server-extra]
-ServerNameCallback = EarlyRejectMismatch
+[7-SNI-bad-clienthello-sni-reject-mismatch-server-extra]
+ServerNameCallback = ClientHelloRejectMismatch
 
-[7-SNI-bad-early-sni-reject-mismatch-client-extra]
+[7-SNI-bad-clienthello-sni-reject-mismatch-client-extra]
 ServerName = invalid
 
 
 # ===========================================================
 
-[8-SNI-early-disable-v12]
-ssl_conf = 8-SNI-early-disable-v12-ssl
+[8-SNI-clienthello-disable-v12]
+ssl_conf = 8-SNI-clienthello-disable-v12-ssl
 
-[8-SNI-early-disable-v12-ssl]
-server = 8-SNI-early-disable-v12-server
-client = 8-SNI-early-disable-v12-client
-server2 = 8-SNI-early-disable-v12-server
+[8-SNI-clienthello-disable-v12-ssl]
+server = 8-SNI-clienthello-disable-v12-server
+client = 8-SNI-clienthello-disable-v12-client
+server2 = 8-SNI-clienthello-disable-v12-server
 
-[8-SNI-early-disable-v12-server]
+[8-SNI-clienthello-disable-v12-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[8-SNI-early-disable-v12-client]
+[8-SNI-clienthello-disable-v12-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -295,14 +295,14 @@ VerifyMode = Peer
 [test-8]
 ExpectedProtocol = TLSv1.1
 ExpectedServerName = server2
-server = 8-SNI-early-disable-v12-server-extra
-server2 = 8-SNI-early-disable-v12-server-extra
-client = 8-SNI-early-disable-v12-client-extra
+server = 8-SNI-clienthello-disable-v12-server-extra
+server2 = 8-SNI-clienthello-disable-v12-server-extra
+client = 8-SNI-clienthello-disable-v12-client-extra
 
-[8-SNI-early-disable-v12-server-extra]
-ServerNameCallback = EarlyNoV12
+[8-SNI-clienthello-disable-v12-server-extra]
+ServerNameCallback = ClientHelloNoV12
 
-[8-SNI-early-disable-v12-client-extra]
+[8-SNI-clienthello-disable-v12-client-extra]
 ServerName = server2
 
 

test/ssl-tests/05-sni.conf.in

@@ -111,10 +111,10 @@ our @tests = (
         },
     },
     {
-        name => "SNI-bad-early-sni-ignore-mismatch",
+        name => "SNI-bad-clienthello-sni-ignore-mismatch",
         server => {
             extra => {
-                "ServerNameCallback" => "EarlyIgnoreMismatch",
+                "ServerNameCallback" => "ClientHelloIgnoreMismatch",
             },
         },
         client => {
@@ -128,10 +128,10 @@ our @tests = (
         },
     },
     {
-        name => "SNI-bad-early-sni-reject-mismatch",
+        name => "SNI-bad-clienthello-sni-reject-mismatch",
         server => {
             extra => {
-                "ServerNameCallback" => "EarlyRejectMismatch",
+                "ServerNameCallback" => "ClientHelloRejectMismatch",
             },
         },
         client => {
@@ -148,10 +148,10 @@ our @tests = (
 
 our @tests_tls_1_1 = (
     {
-        name => "SNI-early-disable-v12",
+        name => "SNI-clienthello-disable-v12",
         server => {
             extra => {
-                "ServerNameCallback" => "EarlyNoV12",
+                "ServerNameCallback" => "ClientHelloNoV12",
             },
         },
         client => {

test/ssl_test_ctx.c

@@ -238,9 +238,11 @@ static const test_enum ssl_servername_callbacks[] = {
     {"None", SSL_TEST_SERVERNAME_CB_NONE},
     {"IgnoreMismatch", SSL_TEST_SERVERNAME_IGNORE_MISMATCH},
     {"RejectMismatch", SSL_TEST_SERVERNAME_REJECT_MISMATCH},
-    {"EarlyIgnoreMismatch", SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH},
-    {"EarlyRejectMismatch", SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH},
-    {"EarlyNoV12", SSL_TEST_SERVERNAME_EARLY_NO_V12},
+    {"ClientHelloIgnoreMismatch",
+     SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH},
+    {"ClientHelloRejectMismatch",
+     SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH},
+    {"ClientHelloNoV12", SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12},
 };
 
 __owur static int parse_servername_callback(SSL_TEST_SERVER_CONF *server_conf,

test/ssl_test_ctx.h

@@ -39,9 +39,9 @@ typedef enum {
     SSL_TEST_SERVERNAME_CB_NONE = 0,  /* Default */
     SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
     SSL_TEST_SERVERNAME_REJECT_MISMATCH,
-    SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH,
-    SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH,
-    SSL_TEST_SERVERNAME_EARLY_NO_V12
+    SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH,
+    SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH,
+    SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12
 } ssl_servername_callback_t;
 
 typedef enum {

test/sslapitest.c

@@ -401,7 +401,7 @@ end:
 #endif
 
 #ifndef OPENSSL_NO_TLS1_2
-static int full_early_callback(SSL *s, int *al, void *arg)
+static int full_client_hello_callback(SSL *s, int *al, void *arg)
 {
     int *ctr = arg;
     const unsigned char *p;
@@ -424,16 +424,17 @@ static int full_early_callback(SSL *s, int *al, void *arg)
     if ((*ctr)++ == 0)
         return -1;
 
-    len = SSL_early_get0_ciphers(s, &p);
+    len = SSL_client_hello_get0_ciphers(s, &p);
     if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
-            || !TEST_size_t_eq(SSL_early_get0_compression_methods(s, &p), 1)
+            || !TEST_size_t_eq(
+                       SSL_client_hello_get0_compression_methods(s, &p), 1)
             || !TEST_int_eq(*p, 0))
         return 0;
-    if (!SSL_early_get1_extensions_present(s, &exts, &len))
+    if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
         return 0;
     if (len != OSSL_NELEM(expected_extensions) ||
         memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
-        printf("Early callback expected ClientHello extensions mismatch\n");
+        printf("ClientHello callback expected extensions mismatch\n");
         OPENSSL_free(exts);
         return 0;
     }
@@ -441,7 +442,7 @@ static int full_early_callback(SSL *s, int *al, void *arg)
     return 1;
 }
 
-static int test_early_cb(void)
+static int test_client_hello_cb(void)
 {
     SSL_CTX *cctx = NULL, *sctx = NULL;
     SSL *clientssl = NULL, *serverssl = NULL;
@@ -451,7 +452,7 @@ static int test_early_cb(void)
                                        TLS_client_method(), &sctx,
                                        &cctx, cert, privkey)))
         goto end;
-    SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
+    SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
 
     /* The gimpy cipher list we configure can't do TLS 1.3. */
     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
@@ -461,12 +462,13 @@ static int test_early_cb(void)
             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                              &clientssl, NULL, NULL))
             || !TEST_false(create_ssl_connection(serverssl, clientssl,
-                                                 SSL_ERROR_WANT_EARLY))
+                        SSL_ERROR_WANT_CLIENT_HELLO_CB))
                 /*
                  * Passing a -1 literal is a hack since
                  * the real value was lost.
                  * */
-            || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_EARLY)
+            || !TEST_int_eq(SSL_get_error(serverssl, -1),
+                            SSL_ERROR_WANT_CLIENT_HELLO_CB)
             || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_NONE)))
         goto end;
@@ -3123,7 +3125,7 @@ int setup_tests(void)
     ADD_TEST(test_keylog_no_master_key);
 #endif
 #ifndef OPENSSL_NO_TLS1_2
-    ADD_TEST(test_early_cb);
+    ADD_TEST(test_client_hello_cb);
 #endif
 #ifndef OPENSSL_NO_TLS1_3
     ADD_ALL_TESTS(test_early_data_read_write, 3);

util/libssl.num

@@ -416,14 +416,14 @@ SSL_get_peer_signature_type_nid         416	1_1_1	EXIST::FUNCTION:
 SSL_key_update                          417	1_1_1	EXIST::FUNCTION:
 SSL_get_key_update_type                 418	1_1_1	EXIST::FUNCTION:
 SSL_bytes_to_cipher_list                419	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_compression_methods      420	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_ciphers                  421	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_ext                      422	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_session_id               423	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_random                   424	1_1_1	EXIST::FUNCTION:
-SSL_CTX_set_early_cb                    425	1_1_1	EXIST::FUNCTION:
-SSL_early_get0_legacy_version           426	1_1_1	EXIST::FUNCTION:
-SSL_early_isv2                          427	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_compression_methods 420	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_ciphers           421	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_ext               422	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_session_id        423	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_random            424	1_1_1	EXIST::FUNCTION:
+SSL_CTX_set_client_hello_cb             425	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get0_legacy_version    426	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_isv2                   427	1_1_1	EXIST::FUNCTION:
 SSL_set_max_early_data                  428	1_1_1	EXIST::FUNCTION:
 SSL_CTX_set_max_early_data              429	1_1_1	EXIST::FUNCTION:
 SSL_get_max_early_data                  430	1_1_1	EXIST::FUNCTION:
@@ -450,7 +450,7 @@ SSL_set_block_padding                   450	1_1_1	EXIST::FUNCTION:
 SSL_set_record_padding_callback_arg     451	1_1_1	EXIST::FUNCTION:
 SSL_CTX_set_record_padding_callback_arg 452	1_1_1	EXIST::FUNCTION:
 SSL_CTX_use_serverinfo_ex               453	1_1_1	EXIST::FUNCTION:
-SSL_early_get1_extensions_present       454	1_1_1	EXIST::FUNCTION:
+SSL_client_hello_get1_extensions_present 454	1_1_1	EXIST::FUNCTION:
 SSL_set_psk_find_session_callback       455	1_1_1	EXIST::FUNCTION:
 SSL_set_psk_use_session_callback        456	1_1_1	EXIST::FUNCTION:
 SSL_CTX_set_psk_use_session_callback    457	1_1_1	EXIST::FUNCTION:

util/private.num

@@ -36,7 +36,7 @@ OSSL_STORE_open_fn                      datatype
 OSSL_STORE_post_process_info_fn         datatype
 RAND_poll_cb                            datatype
 SSL_CTX_keylog_cb_func                  datatype
-SSL_early_cb_fn                         datatype
+SSL_client_hello_cb_fn                  datatype
 SSL_psk_client_cb_func                  datatype
 SSL_psk_find_session_cb_func            datatype
 SSL_psk_server_cb_func                  datatype
@@ -349,7 +349,7 @@ SSL_set_tlsext_status_type              define
 SSL_set_tmp_dh                          define
 SSL_want_async                          define
 SSL_want_async_job                      define
-SSL_want_early                          define
+SSL_want_client_hello_cb                define
 SSL_want_nothing                        define
 SSL_want_read                           define
 SSL_want_write                          define