The branch master has been updated
       via  2afaee5193c3f567ea00ad613f3ee82f985b7141 (commit)
       via  8e2236eff8e38109a57347c8ad795040b380c936 (commit)
       via  694c9180d7f082b896692048052413fc5dc4e467 (commit)
       via  0f82d2f5841fd1c0883f1570632f74c33ce2034c (commit)
       via  80de0c5947cf29ef04227714f3cae5c615012449 (commit)
       via  6b1bb98fad044a6f6b1aec9daee95d6cb450210e (commit)
       via  ddf972583439346cbaa99031fe8d3116018ba711 (commit)
       via  6e3dac1995eb6e34ed2649aca78b5aa88b1cbfeb (commit)
       via  90134d9806f0191bc0eb0cde2750f0cd68667a6d (commit)
       via  ccb8e6e0b1c536430290a87ba5c87dc072cc5a12 (commit)
       via  60d685d196e8d594d754751e4852f01d80d8c0cc (commit)
       via  650c6e41d60905fa1396dff2c7fe4d6fbb7239ba (commit)
       via  cb7a1f5fca4da49dbad1b3f453e7446baa23c1fe (commit)
       via  26f426846ec3798a27f19600f05e4e41446d5b4f (commit)
       via  fc5ece2ee4c7ef41759c2267eccbe08df3245721 (commit)
      from  46958a043d51633ed36bcfb13ff048a3381366a6 (commit)


- Log -----------------------------------------------------------------
commit 2afaee5193c3f567ea00ad613f3ee82f985b7141
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Feb 13 12:42:43 2017 -0600

    Add an sslapitest for early callback
    
    Make sure that we can stop handshake processing and resume it later.
    Also check that the cipher list and compression methods are sane.
    Unfortunately, we don't have the client-side APIs needed to force
    a specific (known) session ID to be sent in the ClientHello, so
    that accessor cannot be tested here.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 8e2236eff8e38109a57347c8ad795040b380c936
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Feb 13 15:10:54 2017 -0600

    Let test handshakes stop on certain errors
    
    Certain callback APIs allow the callback to request async processing
    by trickling a particular error value up the stack to the application
    as an error return from the handshake function.  In those cases,
    SSL_want() returns a code specific to the type of async processing
    needed.
    
    The create_ssl_connection() helper function for the tests is very
    helpful for several things, including creating API tests.  However,
    it does not currently let us test the async processing functionality
    of these callback interfaces, because the special SSL error codes
    are treated as generic errors and the helper continues to loop until
    it reaches its maximum iteration count.
    
    Add a new parameter, 'want', that indicates an expected/desired
    special SSL error code, so that the helper will terminate when
    either side reports that error, giving control back to the calling
    function and allowing the test to proceed.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 694c9180d7f082b896692048052413fc5dc4e467
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Feb 13 14:14:06 2017 -0600

    Use correct variable in test diagnostic
    
    create_ssl_connection() prints out the results if SSL_accept() and/or
    SSL_connect() fail, but was reusing the client return value when printing
    about SSL_accept() failures.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 0f82d2f5841fd1c0883f1570632f74c33ce2034c
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Thu Feb 9 17:21:42 2017 -0600

    Adopt test to changed behavior
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 80de0c5947cf29ef04227714f3cae5c615012449
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Tue Jan 31 16:06:30 2017 -0600

    Tests for SSL early callback
    
    Plumb things through in the same place as the SNI callback, since
    we recommend that the early callback replace (and supplement) the
    SNI callback, and add a few test cases.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 6b1bb98fad044a6f6b1aec9daee95d6cb450210e
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 23 17:03:16 2017 -0600

    Add SSL_CTX early callback
    
    Provide a callback interface that gives the application the ability
    to adjust the nascent SSL object at the earliest stage of ClientHello
    processing, immediately after extensions have been collected but
    before they have been processed.
    
    This is akin to BoringSSL's "select_certificate_cb" (though it is not
    API compatible), and as the name indicates, one major use is to examine
    the supplied server name indication and select what certificate to
    present to the client.  However, it can also be used to make more
    sweeping configuration changes to the SSL object according to the
    selected server identity and configuration.  That may include adjusting
    the permitted TLS versions, swapping out the SSL_CTX object (as is
    traditionally done in a tlsext_servername_callback), changing the
    server's cipher list, and more.
    
    We also wish to allow an early callback to indicate that it needs to perform
    additional work asynchronously and resume processing later.  To that effect,
    refactor the second half of tls_process_client_hello() into a subroutine to 
be
    called at the post-processing stage (including the early callback itself), 
to
    allow the callback to result in remaining in the same work stage for a later
    call to succeed.  This requires allocating for and storing the 
CLIENTHELLO_MSG
    in the SSL object to be preserved across such calls, but the storage is
    reclaimed after ClientHello processing finishes.
    
    Information about the CliehtHello is available to the callback by means of
    accessor functions that can only be used from the early callback.  This 
allows
    extensions to make use of the existing internal parsing machinery without
    exposing structure internals (e.g., of PACKET), so that applications do not
    have to write fragile parsing code.
    
    Applications are encouraged to utilize an early callback and not use
    a servername_callback, in order to avoid unexpected behavior that
    occurs due to the relative order of processing between things like
    session resumption and the historical servername callback.
    
    Also tidy up nearby style by removing unnecessary braces around one-line
    conditional bodies.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit ddf972583439346cbaa99031fe8d3116018ba711
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Feb 6 15:33:28 2017 -0600

    Prepare for WORK_MORE_C
    
    Add the new enum value and case statements as appropriate.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 6e3dac1995eb6e34ed2649aca78b5aa88b1cbfeb
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 30 12:59:59 2017 -0600

    Tests for SSL_bytes_to_cipher_list()
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 90134d9806f0191bc0eb0cde2750f0cd68667a6d
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 30 19:20:14 2017 -0600

    Refactor SSL_bytes_to_cipher_list()
    
    Split off the portions that mutate the SSL object into a separate
    function that the state machine calls, so that the public API can
    be a pure function.  (It still needs the SSL parameter in order
    to determine what SSL_METHOD's get_cipher_by_char() routine to use,
    though.)
    
    Instead of returning the stack of ciphers (functionality that was
    not used internally), require using the output parameter, and add
    a separate output parameter for the SCSVs contained in the supplied
    octets, if desired.  This lets us move to the standard return value
    convention.  Also make both output stacks optional parameters.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit ccb8e6e0b1c536430290a87ba5c87dc072cc5a12
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 30 11:24:17 2017 -0600

    Export SSL_bytes_to_cipher_list()
    
    Move ssl_bytes_to_cipher_list() to ssl_lib.c and create a public
    wrapper around it.  This lets application early callbacks easily get
    SSL_CIPHER objects from the raw ciphers bytes without having to
    reimplement the parsing code.  In particular, they do not need to
    know the details of the sslv2 format ClientHello's ciphersuite
    specifications.
    
    Document the new public function, including the arguably buggy behavior
    of modifying the supplied SSL object.  On the face of it, such a function
    should be able to be pure, just a direct translation of wire octets to
    internal data structures.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 60d685d196e8d594d754751e4852f01d80d8c0cc
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Feb 6 11:30:16 2017 -0600

    Let ssl_get_cipher_by_char yield not-valid ciphers
    
    Now that we have made SCSVs into more of a first-class object, provide
    a way for the bytes-to-SSL_CIPHER conversion to actually return them.
    Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want
    all the known ciphers, not just the ones valid for encryption.  This will,
    in practice, let the caller retrieve the SCSVs.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 650c6e41d60905fa1396dff2c7fe4d6fbb7239ba
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Fri Feb 3 17:17:21 2017 -0600

    Add more first-class support for SCSVS
    
    Just as we have a table of ssl3_ciphers, add a table of ssl3_scsvs, to 
contain
    SSL_CIPHER objects for these non-valid ciphers.  This will allow for unified
    handling of such indicators, especially as we are preparing to pass them 
around
    between functions.
    
    Since the 'valid' field is not set for the SCSVs, they should not be used
    for anything requiring a cryptographic cipher (as opposed to something
    being stuck in a cipher-shaped hole in the TLS wire protocol).
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit cb7a1f5fca4da49dbad1b3f453e7446baa23c1fe
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 23 17:00:47 2017 -0600

    Move CLIENTHELLO_MSG up in the header
    
    We'll be adding a field of this type to struct ssl_st in a subsequent
    commit, and need the type definition to be in scope already.
    Also move up the RAW_EXTENSION definition that it depends on.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit 26f426846ec3798a27f19600f05e4e41446d5b4f
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 23 16:59:23 2017 -0600

    Store the number of extensions in CLIENTHELLO_MSG
    
    Keep track of the length of the pre_proc_exts array.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

commit fc5ece2ee4c7ef41759c2267eccbe08df3245721
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Mon Jan 23 16:56:43 2017 -0600

    output number of exts from tls_collect_extensions()
    
    Modify the API of tls_collect_extensions() to be able to output the number 
of
    extensions that are known (i.e., the length of its 'res' output).  This 
number
    can never be zero on a successful return due to the builtin extensions list,
    but use a separate output variable so as to not overload the return value
    semantics.
    
    Having this value easily available will give consumers a way to avoid 
repeating
    the calculation.
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2279)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/SSL_CTX_set_early_cb.pod                  | 110 +++++
 doc/man3/SSL_get_ciphers.pod                       |  17 +-
 doc/man3/SSL_get_error.pod                         |  10 +-
 doc/man3/SSL_want.pod                              |  22 +-
 include/openssl/ssl.h                              |  23 +
 ssl/s3_lib.c                                       |  30 +-
 ssl/ssl_ciph.c                                     |   5 +-
 ssl/ssl_err.c                                      |   6 +-
 ssl/ssl_lib.c                                      | 251 ++++++++++-
 ssl/ssl_locl.h                                     |  73 ++--
 ssl/statem/extensions.c                            |  10 +-
 ssl/statem/statem.c                                |   3 +
 ssl/statem/statem.h                                |   4 +-
 ssl/statem/statem_clnt.c                           |  14 +-
 ssl/statem/statem_locl.h                           |   2 +-
 ssl/statem/statem_srvr.c                           | 472 +++++++++------------
 test/asynciotest.c                                 |   2 +-
 test/build.info                                    |   6 +-
 test/cipherbytes_test.c                            | 130 ++++++
 test/dtls_mtu_test.c                               |   2 +-
 test/dtlstest.c                                    |   2 +-
 test/handshake_helper.c                            | 118 +++++-
 test/recipes/70-test_sslrecords.t                  |   2 +-
 ...{80-test_cipherlist.t => 80-test_cipherbytes.t} |   6 +-
 test/ssl-tests/05-sni.conf                         | 107 ++++-
 test/ssl-tests/05-sni.conf.in                      |  57 +++
 test/ssl_test_ctx.c                                |   3 +
 test/ssl_test_ctx.h                                |   5 +-
 test/sslapitest.c                                  | 104 ++++-
 test/sslcorrupttest.c                              |   2 +-
 test/ssltestlib.c                                  |   8 +-
 test/ssltestlib.h                                  |   2 +-
 util/libssl.num                                    |   9 +
 33 files changed, 1261 insertions(+), 356 deletions(-)
 create mode 100644 doc/man3/SSL_CTX_set_early_cb.pod
 create mode 100644 test/cipherbytes_test.c
 copy test/recipes/{80-test_cipherlist.t => 80-test_cipherbytes.t} (78%)

diff --git a/doc/man3/SSL_CTX_set_early_cb.pod 
b/doc/man3/SSL_CTX_set_early_cb.pod
new file mode 100644
index 0000000..b007292
--- /dev/null
+++ b/doc/man3/SSL_CTX_set_early_cb.pod
@@ -0,0 +1,110 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_early_cb, SSL_early_cb_fn, SSL_early_isv2, 
SSL_early_get0_legacy_version, SSL_early_get0_random, 
SSL_early_get0_session_id, SSL_early_get0_ciphers, 
SSL_early_get0_compression_methods, SSL_early_get0_ext - callback functions for 
early server-side ClientHello processing
+
+=head1 SYNOPSIS
+
+ typedef int (*SSL_early_cb_fn)(SSL *s, int *al, void *arg);
+ void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn *f, void *arg);
+ int SSL_early_isv2(SSL *s);
+ unsigned int SSL_early_get0_legacy_version(SSL *s);
+ size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
+ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
+ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
+ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
+ int SSL_early_get0_ext(SSL *s, int type, const unsigned char **out,
+                        size_t *outlen);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_early_cb() sets the callback function, which is automatically
+called during the early stages of ClientHello processing on the server.
+The argument supplied when setting the callback is passed back to the
+callback at runtime.  A callback that returns failure (0) will cause the
+connection to terminate, and callbacks returning failure should indicate
+what alert value is to be sent in the B<al> parameter.  A callback may
+also return a negative value to suspend the handshake, and the handshake
+function will return immediately.  L<SSL_get_error(3)> will return
+SSL_ERROR_WANT_EARLY to indicate that the handshake was suspended.
+It is the job of the early callback to store information about the state
+of the last call if needed to continue.  On the next call into the handshake
+function, the early callback will be called again, and, if it returns
+success, normal handshake processing will continue from that point.
+
+SSL_early_isv2() indicates whether the ClientHello was carried in a
+SSLv2 record and is in the SSLv2 format.  The SSLv2 format has substantial
+differences from the normal SSLv3 format, including using three bytes per
+cipher suite, and not allowing extensions.  Additionally, the SSLv2 format
+'challenge' field is exposed via SSL_early_get0_random(), padded to
+SSL3_RANDOM_SIZE bytes with zeros if needed.  For SSLv2 format ClientHellos,
+SSL_early_get0_compression_methods() returns a dummy list that only includes
+the null compression method, since the SSLv2 format does not include a
+mechanism by which to negotiate compression.
+
+SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
+and SSL_early_get0_compression_methods() provide access to the corresponding
+ClientHello fields, returning the field length and optionally setting an
+out pointer to the octets of that field.
+
+Similarly, SSL_early_get0_ext() provides access to individual extensions
+from the ClientHello on a per-extension basis.  For the provided wire
+protocol extension type value, the extension value and length are returned
+in the output parameters (if present).
+
+=head1 NOTES
+
+The early callback provides a vast window of possibilities for application
+code to affect the TLS handshake.  A primary use of the callback is to
+allow the server to examine the server name indication extension provided
+by the client in order to select an appropriate certificate to present,
+and make other configuration adjustments relevant to that server name
+and its configuration.  Such configuration changes can include swapping out
+the associated SSL_CTX pointer, modifying the server's list of permitted TLS
+versions, changing the server's cipher list, etc.
+
+It is also recommended that applications utilize an early callback and
+not use a servername callback, in order to avoid unexpected behavior that
+occurs due to the relative order of processing between things like session
+resumption and the historical servername callback.
+
+The SSL_early_* family of functions may only be called from code executing
+within an early callback.
+
+=head1 RETURN VALUES
+
+The application's supplied early callback returns 1 on success, 0 on failure,
+and a negative value to suspend processing.
+
+SSL_early_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise.
+
+SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
+and SSL_early_get0_compression_methods() return the length of the corresponding
+ClientHello fields.  If zero is returned, the ouput pointer should not be
+assumed to be valid.
+
+SSL_early_get0_ext() returns 1 if the extension of type 'type' is present, and
+0 otherwise.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CTX_set_tlsext_servername_callback(3)>
+
+=head1 HISTORY
+
+The SSL early callback, SSL_early_isv2(), SSL_early_get0_random(),
+SSL_early_get0_session_id(), SSL_early_get0_ciphers(),
+SSL_early_get0_compression_methods(), and SSL_early_get0_ext() were
+added in OpenSSL 1.1.1.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/SSL_get_ciphers.pod b/doc/man3/SSL_get_ciphers.pod
index ce0be6e..d1baafe 100644
--- a/doc/man3/SSL_get_ciphers.pod
+++ b/doc/man3/SSL_get_ciphers.pod
@@ -3,7 +3,8 @@
 =head1 NAME
 
 SSL_get1_supported_ciphers, SSL_get_client_ciphers,
-SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list
+SSL_get_ciphers, SSL_CTX_get_ciphers,
+SSL_bytes_to_cipher_list, SSL_get_cipher_list
 - get list of available SSL_CIPHERs
 
 =head1 SYNOPSIS
@@ -14,6 +15,9 @@ SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list
  STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
  STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
  STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl);
+ int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
+                              int isv2format, STACK_OF(SSL_CIPHER) **sk,
+                              STACK_OF(SSL_CIPHER) **scsvs);
  const char *SSL_get_cipher_list(const SSL *ssl, int priority);
 
 =head1 DESCRIPTION
@@ -41,6 +45,14 @@ SSL_get_client_ciphers() returns the stack of available 
SSL_CIPHERs matching the
 list received from the client on B<ssl>. If B<ssl> is NULL, no ciphers are
 available, or B<ssl> is not operating in server mode, NULL is returned.
 
+SSL_bytes_to_cipher_list() treats the supplied B<len> octets in B<bytes>
+as a wire-protocol cipher suite specification (in the three-octet-per-cipher
+SSLv2 wire format if B<isv2format> is nonzero; otherwise the two-octet
+SSLv3/TLS wire format), and parses the cipher suites supported by the library
+into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher-Suite
+Values scsvs.  Unsupported cipher suites are ignored.  Returns 1 on success
+and 0 on failure.
+
 SSL_get_cipher_list() returns a pointer to the name of the SSL_CIPHER
 listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are
 available, or there are less ciphers than B<priority> available, NULL
@@ -63,6 +75,9 @@ free the return value itself.
 The stack returned by SSL_get1_supported_ciphers() should be freed using
 sk_SSL_CIPHER_free().
 
+The stacks returned by SSL_bytes_to_cipher_list() should be freed using
+sk_SSL_CIPHER_free().
+
 =head1 RETURN VALUES
 
 See DESCRIPTION
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index db8f85c..e318de8 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -110,6 +110,13 @@ through a call to L<ASYNC_init_thread(3)>. The application 
should retry the
 operation after a currently executing asynchronous operation for the current
 thread has completed.
 
+=item SSL_ERROR_WANT_EARLY
+
+The operation did not complete because an application callback set by
+SSL_CTX_set_early_cb() has asked to be called again.
+The TLS/SSL I/O function should be called again later.
+Details depend on the application.
+
 =item SSL_ERROR_SYSCALL
 
 Some non-recoverable I/O error occurred.
@@ -130,10 +137,11 @@ L<ssl(7)>, L<err(7)>
 =head1 HISTORY
 
 SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0.
+SSL_ERROR_WANT_EARLY was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod
index c86344e..8efe50b 100644
--- a/doc/man3/SSL_want.pod
+++ b/doc/man3/SSL_want.pod
@@ -3,8 +3,8 @@
 =head1 NAME
 
 SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, 
SSL_want_x509_lookup,
-SSL_want_async, SSL_want_async_job - obtain state information TLS/SSL I/O
-operation
+SSL_want_async, SSL_want_async_job, SSL_want_early - obtain state information
+TLS/SSL I/O operation
 
 =head1 SYNOPSIS
 
@@ -17,6 +17,7 @@ operation
  int SSL_want_x509_lookup(const SSL *ssl);
  int SSL_want_async(const SSL *ssl);
  int SSL_want_async_job(const SSL *ssl);
+ int SSL_want_early(const SSL *ssl);
 
 =head1 DESCRIPTION
 
@@ -81,19 +82,30 @@ The asynchronous job could not be started because there 
were no async jobs
 available in the pool (see ASYNC_init_thread(3)). A call to L<SSL_get_error(3)>
 should return SSL_ERROR_WANT_ASYNC_JOB.
 
+=item SSL_EARLY_WORK
+
+The operation did not complete because an application callback set by
+SSL_CTX_set_early_cb() has asked to be called again.
+A call to L<SSL_get_error(3)> should return
+SSL_ERROR_WANT_EARLY.
+
 =back
 
 SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup(),
-SSL_want_async() and SSL_want_async_job() return 1, when the corresponding
-condition is true or 0 otherwise.
+SSL_want_async(), SSL_want_async_job(), and SSL_want_early() return 1, when
+the corresponding condition is true or 0 otherwise.
 
 =head1 SEE ALSO
 
 L<ssl(7)>, L<err(7)>, L<SSL_get_error(3)>
 
+=head1 HISTORY
+
+SSL_want_early() and SSL_EARLY_WORK were added in OpenSSL 1.1.1.
+
 =head1 COPYRIGHT
 
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1c58dcc..d1614d3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -764,6 +764,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
 # define SSL_X509_LOOKUP        4
 # define SSL_ASYNC_PAUSED       5
 # define SSL_ASYNC_NO_JOBS      6
+# define SSL_EARLY_WORK         7
 
 /* These will only be used when doing non-blocking IO */
 # define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
@@ -772,6 +773,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
 # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
 # define SSL_want_async(s)       (SSL_want(s) == SSL_ASYNC_PAUSED)
 # define SSL_want_async_job(s)   (SSL_want(s) == SSL_ASYNC_NO_JOBS)
+# define SSL_want_early(s)       (SSL_want(s) == SSL_EARLY_WORK)
 
 # define SSL_MAC_FLAG_READ_MAC_STREAM 1
 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1041,6 +1043,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_ERROR_WANT_ACCEPT           8
 # define SSL_ERROR_WANT_ASYNC            9
 # define SSL_ERROR_WANT_ASYNC_JOB       10
+# define SSL_ERROR_WANT_EARLY           11
 # define SSL_CTRL_SET_TMP_DH                     3
 # define SSL_CTRL_SET_TMP_ECDH                   4
 # define SSL_CTRL_SET_TMP_DH_CB                  6
@@ -1572,6 +1575,20 @@ __owur char *SSL_get_srp_username(SSL *s);
 __owur char *SSL_get_srp_userinfo(SSL *s);
 # endif
 
+/*
+ * Early callback and helpers.
+ */
+typedef int (*SSL_early_cb_fn) (SSL *s, int *al, void *arg);
+void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg);
+int SSL_early_isv2(SSL *s);
+unsigned int SSL_early_get0_legacy_version(SSL *s);
+size_t SSL_early_get0_random(SSL *s, const unsigned char **out);
+size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out);
+size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out);
+size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out);
+int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
+                       size_t *outlen);
+
 void SSL_certs_clear(SSL *s);
 void SSL_free(SSL *ssl);
 # ifdef OSSL_ASYNC_FD
@@ -1820,6 +1837,9 @@ __owur int SSL_COMP_add_compression_method(int id, 
COMP_METHOD *cm);
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
+int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
+                             int isv2format, STACK_OF(SSL_CIPHER) **sk,
+                             STACK_OF(SSL_CIPHER) **scsvs);
 
 /* TLS extensions functions */
 __owur int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
@@ -2087,6 +2107,7 @@ int ERR_load_SSL_strings(void);
 /* Function codes. */
 # define SSL_F_ADD_CLIENT_KEY_SHARE_EXT                   438
 # define SSL_F_ADD_KEY_SHARE                              512
+# define SSL_F_BYTES_TO_CIPHER_LIST                       519
 # define SSL_F_CHECK_SUITEB_CIPHER_LIST                   331
 # define SSL_F_CT_MOVE_SCTS                               345
 # define SSL_F_CT_STRICT                                  349
@@ -2160,6 +2181,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_SSL_BAD_METHOD                             160
 # define SSL_F_SSL_BUILD_CERT_CHAIN                       332
 # define SSL_F_SSL_BYTES_TO_CIPHER_LIST                   161
+# define SSL_F_SSL_CACHE_CIPHERLIST                       520
 # define SSL_F_SSL_CERT_ADD0_CHAIN_CERT                   346
 # define SSL_F_SSL_CERT_DUP                               221
 # define SSL_F_SSL_CERT_NEW                               162
@@ -2343,6 +2365,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET          460
 # define SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST          461
 # define SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP                462
+# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO        521
 # define SSL_F_TLS_GET_MESSAGE_BODY                       351
 # define SSL_F_TLS_GET_MESSAGE_HEADER                     387
 # define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT               449
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 6932311..6449f8c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -55,6 +55,7 @@
 #include <openssl/rand.h>
 
 #define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
+#define SSL3_NUM_SCSVS          OSSL_NELEM(ssl3_scsvs)
 
 /*
  * The list of available ciphers, mostly organized into the following
@@ -2797,6 +2798,26 @@ static SSL_CIPHER ssl3_ciphers[] = {
 
 };
 
+/*
+ * The list of known Signalling Cipher-Suite Value "ciphers", non-valid
+ * values stuffed into the ciphers field of the wire protocol for signalling
+ * purposes.
+ */
+static SSL_CIPHER ssl3_scsvs[] = {
+    {
+     0,
+     "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+     SSL3_CK_SCSV,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    },
+    {
+     0,
+     "TLS_FALLBACK_SCSV",
+     SSL3_CK_FALLBACK_SCSV,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    },
+};
+
 static int cipher_compare(const void *a, const void *b)
 {
     const SSL_CIPHER *ap = (const SSL_CIPHER *)a;
@@ -2807,8 +2828,9 @@ static int cipher_compare(const void *a, const void *b)
 
 void ssl_sort_cipher_list(void)
 {
-    qsort(ssl3_ciphers, OSSL_NELEM(ssl3_ciphers), sizeof ssl3_ciphers[0],
+    qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof ssl3_ciphers[0],
           cipher_compare);
+    qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof ssl3_scsvs[0], cipher_compare);
 }
 
 const SSL3_ENC_METHOD SSLv3_enc_data = {
@@ -3598,9 +3620,13 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void 
(*fp) (void))
 const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
 {
     SSL_CIPHER c;
+    const SSL_CIPHER *cp;
 
     c.id = id;
-    return OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
+    cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
+    if (cp != NULL)
+        return cp;
+    return OBJ_bsearch_ssl_cipher_id(&c, ssl3_scsvs, SSL3_NUM_SCSVS);
 }
 
 /*
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2d2395c..e64e3da 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1915,11 +1915,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
     return -1;
 }
 
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
     const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
 
-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
         return NULL;
     return c;
 }
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 341712c..bcb9ddb 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -21,6 +21,7 @@
 static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_ADD_CLIENT_KEY_SHARE_EXT), "add_client_key_share_ext"},
     {ERR_FUNC(SSL_F_ADD_KEY_SHARE), "add_key_share"},
+    {ERR_FUNC(SSL_F_BYTES_TO_CIPHER_LIST), "bytes_to_cipher_list"},
     {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "check_suiteb_cipher_list"},
     {ERR_FUNC(SSL_F_CT_MOVE_SCTS), "ct_move_scts"},
     {ERR_FUNC(SSL_F_CT_STRICT), "ct_strict"},
@@ -116,7 +117,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "ssl_add_serverhello_use_srtp_ext"},
     {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"},
     {ERR_FUNC(SSL_F_SSL_BUILD_CERT_CHAIN), "ssl_build_cert_chain"},
-    {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "ssl_bytes_to_cipher_list"},
+    {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_bytes_to_cipher_list"},
+    {ERR_FUNC(SSL_F_SSL_CACHE_CIPHERLIST), "ssl_cache_cipherlist"},
     {ERR_FUNC(SSL_F_SSL_CERT_ADD0_CHAIN_CERT), "ssl_cert_add0_chain_cert"},
     {ERR_FUNC(SSL_F_SSL_CERT_DUP), "ssl_cert_dup"},
     {ERR_FUNC(SSL_F_SSL_CERT_NEW), "ssl_cert_new"},
@@ -374,6 +376,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "tls_construct_stoc_status_request"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP),
      "tls_construct_stoc_use_srtp"},
+    {ERR_FUNC(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO),
+     "tls_early_post_process_client_hello"},
     {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_BODY), "tls_get_message_body"},
     {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"},
     {ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index dea2dac..8304c73 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1014,6 +1014,7 @@ void SSL_free(SSL *s)
 #endif
     OPENSSL_free(s->ext.ocsp.resp);
     OPENSSL_free(s->ext.alpn);
+    OPENSSL_free(s->clienthello);
 
     sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
 
@@ -3012,15 +3013,14 @@ int SSL_get_error(const SSL *s, int i)
                 return (SSL_ERROR_SYSCALL);
         }
     }
-    if (SSL_want_x509_lookup(s)) {
+    if (SSL_want_x509_lookup(s))
         return (SSL_ERROR_WANT_X509_LOOKUP);
-    }
-    if (SSL_want_async(s)) {
+    if (SSL_want_async(s))
         return SSL_ERROR_WANT_ASYNC;
-    }
-    if (SSL_want_async_job(s)) {
+    if (SSL_want_async_job(s))
         return SSL_ERROR_WANT_ASYNC_JOB;
-    }
+    if (SSL_want_early(s))
+        return SSL_ERROR_WANT_EARLY;
 
     if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
         (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
@@ -4305,7 +4305,84 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const 
SSL_CTX *ctx)
     return ctx->ctlog_store;
 }
 
-#endif
+#endif  /* OPENSSL_NO_CT */
+
+void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg)
+{
+    c->early_cb = cb;
+    c->early_cb_arg = arg;
+}
+
+int SSL_early_isv2(SSL *s)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    return s->clienthello->isv2;
+}
+
+unsigned int SSL_early_get0_legacy_version(SSL *s)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    return s->clienthello->legacy_version;
+}
+
+size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    if (out != NULL)
+        *out = s->clienthello->random;
+    return SSL3_RANDOM_SIZE;
+}
+
+size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    if (out != NULL)
+        *out = s->clienthello->session_id;
+    return s->clienthello->session_id_len;
+}
+
+size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    if (out != NULL)
+        *out = PACKET_data(&s->clienthello->ciphersuites);
+    return PACKET_remaining(&s->clienthello->ciphersuites);
+}
+
+size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
+{
+    if (s->clienthello == NULL)
+        return 0;
+    if (out != NULL)
+        *out = s->clienthello->compressions;
+    return s->clienthello->compressions_len;
+}
+
+int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
+                       size_t *outlen)
+{
+    size_t i;
+    RAW_EXTENSION *r;
+
+    if (s->clienthello == NULL)
+        return 0;
+    for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) {
+        r = s->clienthello->pre_proc_exts + i;
+        if (r->present && r->type == type) {
+            if (out != NULL)
+                *out = PACKET_data(&r->data);
+            if (outlen != NULL)
+                *outlen = PACKET_remaining(&r->data);
+            return 1;
+        }
+    }
+    return 0;
+}
 
 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb)
 {
@@ -4402,3 +4479,163 @@ int ssl_log_secret(SSL *ssl,
                           secret_len);
 }
 
+#define SSLV2_CIPHER_LEN    3
+
+int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format,
+                         int *al)
+{
+    int n;
+
+    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
+
+    if (PACKET_remaining(cipher_suites) == 0) {
+        SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, SSL_R_NO_CIPHERS_SPECIFIED);
+        *al = SSL_AD_ILLEGAL_PARAMETER;
+        return 0;
+    }
+
+    if (PACKET_remaining(cipher_suites) % n != 0) {
+        SSLerr(SSL_F_SSL_CACHE_CIPHERLIST,
+               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+        *al = SSL_AD_DECODE_ERROR;
+        return 0;
+    }
+
+    OPENSSL_free(s->s3->tmp.ciphers_raw);
+    s->s3->tmp.ciphers_raw = NULL;
+    s->s3->tmp.ciphers_rawlen = 0;
+
+    if (sslv2format) {
+        size_t numciphers = PACKET_remaining(cipher_suites) / n;
+        PACKET sslv2ciphers = *cipher_suites;
+        unsigned int leadbyte;
+        unsigned char *raw;
+
+        /*
+         * We store the raw ciphers list in SSLv3+ format so we need to do some
+         * preprocessing to convert the list first. If there are any SSLv2 only
+         * ciphersuites with a non-zero leading byte then we are going to
+         * slightly over allocate because we won't store those. But that isn't 
a
+         * problem.
+         */
+        raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
+        s->s3->tmp.ciphers_raw = raw;
+        if (raw == NULL) {
+            *al = SSL_AD_INTERNAL_ERROR;
+            goto err;
+        }
+        for (s->s3->tmp.ciphers_rawlen = 0;
+             PACKET_remaining(&sslv2ciphers) > 0;
+             raw += TLS_CIPHER_LEN) {
+            if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
+                    || (leadbyte == 0
+                        && !PACKET_copy_bytes(&sslv2ciphers, raw,
+                                              TLS_CIPHER_LEN))
+                    || (leadbyte != 0
+                        && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
+                *al = SSL_AD_INTERNAL_ERROR;
+                OPENSSL_free(s->s3->tmp.ciphers_raw);
+                s->s3->tmp.ciphers_raw = NULL;
+                s->s3->tmp.ciphers_rawlen = 0;
+                goto err;
+            }
+            if (leadbyte == 0)
+                s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN;
+        }
+    } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
+                           &s->s3->tmp.ciphers_rawlen)) {
+        *al = SSL_AD_INTERNAL_ERROR;
+        goto err;
+    }
+    return 1;
+ err:
+    return 0;
+}
+
+int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
+                             int isv2format, STACK_OF(SSL_CIPHER) **sk,
+                             STACK_OF(SSL_CIPHER) **scsvs)
+{
+    int alert;
+    PACKET pkt;
+
+    if (!PACKET_buf_init(&pkt, bytes, len))
+        return 0;
+    return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, &alert);
+}
+
+int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
+                         STACK_OF(SSL_CIPHER) **skp,
+                         STACK_OF(SSL_CIPHER) **scsvs_out,
+                         int sslv2format, int *al)
+{
+    const SSL_CIPHER *c;
+    STACK_OF(SSL_CIPHER) *sk = NULL;
+    STACK_OF(SSL_CIPHER) *scsvs = NULL;
+    int n;
+    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
+    unsigned char cipher[SSLV2_CIPHER_LEN];
+
+    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
+
+    if (PACKET_remaining(cipher_suites) == 0) {
+        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
+        *al = SSL_AD_ILLEGAL_PARAMETER;
+        return 0;
+    }
+
+    if (PACKET_remaining(cipher_suites) % n != 0) {
+        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST,
+               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+        *al = SSL_AD_DECODE_ERROR;
+        return 0;
+    }
+
+    sk = sk_SSL_CIPHER_new_null();
+    scsvs = sk_SSL_CIPHER_new_null();
+    if (sk == NULL || scsvs == NULL) {
+        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+        *al = SSL_AD_INTERNAL_ERROR;
+        goto err;
+    }
+
+    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
+        /*
+         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
+         * first byte set to zero, while true SSLv2 ciphers have a non-zero
+         * first byte. We don't support any true SSLv2 ciphers, so skip them.
+         */
+        if (sslv2format && cipher[0] != '\0')
+            continue;
+
+        /* For SSLv2-compat, ignore leading 0-byte. */
+        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1);
+        if (c != NULL) {
+            if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
+                (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
+                SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+                *al = SSL_AD_INTERNAL_ERROR;
+                goto err;
+            }
+        }
+    }
+    if (PACKET_remaining(cipher_suites) > 0) {
+        *al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
+    if (skp != NULL)
+        *skp = sk;
+    else
+        sk_SSL_CIPHER_free(sk);
+    if (scsvs_out != NULL)
+        *scsvs_out = scsvs;
+    else
+        sk_SSL_CIPHER_free(scsvs);
+    return 1;
+ err:
+    sk_SSL_CIPHER_free(sk);
+    sk_SSL_CIPHER_free(scsvs);
+    return 0;
+}
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6557834..89eeb45 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -622,12 +622,41 @@ typedef struct srp_ctx_st {
 
 # endif
 
+#define MAX_COMPRESSIONS_SIZE   255
+
 struct ssl_comp_st {
     int id;
     const char *name;
     COMP_METHOD *method;
 };
 
+typedef struct raw_extension_st {
+    /* Raw packet data for the extension */
+    PACKET data;
+    /* Set to 1 if the extension is present or 0 otherwise */
+    int present;
+    /* Set to 1 if we have already parsed the extension or 0 otherwise */
+    int parsed;
+    /* The type of this extension, i.e. a TLSEXT_TYPE_* value */
+    unsigned int type;
+} RAW_EXTENSION;
+
+typedef struct {
+    unsigned int isv2;
+    unsigned int legacy_version;
+    unsigned char random[SSL3_RANDOM_SIZE];
+    size_t session_id_len;
+    unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+    size_t dtls_cookie_len;
+    unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH];
+    PACKET ciphersuites;
+    size_t compressions_len;
+    unsigned char compressions[MAX_COMPRESSIONS_SIZE];
+    PACKET extensions;
+    size_t pre_proc_exts_len;
+    RAW_EXTENSION *pre_proc_exts;
+} CLIENTHELLO_MSG;
+
 DEFINE_LHASH_OF(SSL_SESSION);
 /* Needed in ssl_cert.c */
 DEFINE_LHASH_OF(X509_NAME);
@@ -801,6 +830,10 @@ struct ssl_ctx_st {
     ENGINE *client_cert_engine;
 # endif
 
+    /* Early callback.  Mostly for extensions, but not entirely. */
+    SSL_early_cb_fn early_cb;
+    void *early_cb_arg;
+
     /* TLS extensions. */
     struct {
         /* TLS extensions servername callback */
@@ -1142,6 +1175,9 @@ struct ssl_st {
         int use_etm;
     } ext;
 
+    /* Parsed form of the ClientHello, kept around across early_cb calls. */
+    CLIENTHELLO_MSG *clienthello;
+
     /*-
      * no further mod of servername
      * 0 : call the servername extension callback.
@@ -1698,17 +1734,6 @@ typedef struct ssl3_comp_st {
 } SSL3_COMP;
 # endif
 
-typedef struct raw_extension_st {
-    /* Raw packet data for the extension */
-    PACKET data;
-    /* Set to 1 if the extension is present or 0 otherwise */
-    int present;
-    /* Set to 1 if we have already parsed the extension or 0 otherwise */
-    int parsed;
-    /* The type of this extension, i.e. a TLSEXT_TYPE_* value */
-    unsigned int type;
-} RAW_EXTENSION;
-
 /*
  * Extension index values NOTE: Any updates to these defines should be mirrored
  * with equivalent updates to ext_defs in extensions.c
@@ -1783,23 +1808,6 @@ typedef enum tlsext_index_en {
 #define TLSEXT_signature_rsa_pss                                0x0101
 
 
-#define MAX_COMPRESSIONS_SIZE   255
-
-typedef struct {
-    unsigned int isv2;
-    unsigned int legacy_version;
-    unsigned char random[SSL3_RANDOM_SIZE];
-    size_t session_id_len;
-    unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
-    size_t dtls_cookie_len;
-    unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH];
-    PACKET ciphersuites;
-    size_t compressions_len;
-    unsigned char compressions[MAX_COMPRESSIONS_SIZE];
-    PACKET extensions;
-    RAW_EXTENSION *pre_proc_exts;
-} CLIENTHELLO_MSG;
-
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 
 __owur const SSL_METHOD *ssl_bad_method(int ver);
@@ -1990,6 +1998,12 @@ __owur STACK_OF(SSL_CIPHER) 
*ssl_create_cipher_list(const SSL_METHOD *meth,
                                                     **sorted,
                                                     const char *rule_str,
                                                     CERT *c);
+__owur int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites,
+                                int sslv2format, int *al);
+__owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
+                                STACK_OF(SSL_CIPHER) **skp,
+                                STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
+                                int *al);
 void ssl_update_cache(SSL *s, int mode);
 __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                               const EVP_MD **md, int *mac_pkey_type,
@@ -2000,7 +2014,8 @@ __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, 
size_t *mac_overhead,
                                    size_t *ext_overhead);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
 __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
-                                                const unsigned char *ptr);
+                                                const unsigned char *ptr,
+                                                int all);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8e1b502..c011445 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -382,10 +382,11 @@ static int extension_is_relevant(SSL *s, unsigned int 
extctx,
  * extensions that we know about. We ignore others.
  */
 int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
-                           RAW_EXTENSION **res, int *al)
+                           RAW_EXTENSION **res, int *al, size_t *len)
 {
     PACKET extensions = *packet;
     size_t i = 0;
+    size_t num_exts;
     custom_ext_methods *exts = NULL;
     RAW_EXTENSION *raw_extensions = NULL;
     const EXTENSION_DEFINITION *thisexd;
@@ -403,9 +404,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned 
int context,
         exts = &s->cert->cli_ext;
     }
 
-    raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs)
-                                     + (exts != NULL ? exts->meths_count : 0))
-                                     * sizeof(*raw_extensions));
+    num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
+    raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
     if (raw_extensions == NULL) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE);
@@ -454,6 +454,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned 
int context,
     }
 
     *res = raw_extensions;
+    if (len != NULL)
+        *len = num_exts;
     return 1;
 
  err:
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index bd7d89a..a1c5a21 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -564,6 +564,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
             case WORK_ERROR:
             case WORK_MORE_A:
             case WORK_MORE_B:
+            case WORK_MORE_C:
                 return SUB_STATE_ERROR;
 
             case WORK_FINISHED_CONTINUE:
@@ -706,6 +707,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
             case WORK_ERROR:
             case WORK_MORE_A:
             case WORK_MORE_B:
+            case WORK_MORE_C:
                 return SUB_STATE_ERROR;
 
             case WORK_FINISHED_CONTINUE:
@@ -745,6 +747,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
             case WORK_ERROR:
             case WORK_MORE_A:
             case WORK_MORE_B:
+            case WORK_MORE_C:
                 return SUB_STATE_ERROR;
 
             case WORK_FINISHED_CONTINUE:
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index 021d2d0..906f2ec 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -27,7 +27,9 @@ typedef enum {
     /* We're working on phase A */
     WORK_MORE_A,
     /* We're working on phase B */
-    WORK_MORE_B
+    WORK_MORE_B,
+    /* We're working on phase C */
+    WORK_MORE_C
 } WORK_STATE;
 
 /* Write transition return codes */
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3957a73..bc35a3e 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1254,7 +1254,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, 
PACKET *pkt)
 
     context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
                               : EXT_TLS1_2_SERVER_HELLO;
-    if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al))
+    if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL))
         goto f_err;
 
     s->hit = 0;
@@ -1294,7 +1294,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, 
PACKET *pkt)
                      && master_key_length > 0) {
                 s->session->master_key_length = master_key_length;
                 s->session->cipher = pref_cipher ?
-                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
+                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
             } else {
                 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
                 al = SSL_AD_INTERNAL_ERROR;
@@ -1353,7 +1353,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, 
PACKET *pkt)
         goto f_err;
     }
 
-    c = ssl_get_cipher_by_char(s, cipherchars);
+    c = ssl_get_cipher_by_char(s, cipherchars, 0);
     if (c == NULL) {
         /* unknown cipher */
         al = SSL_AD_ILLEGAL_PARAMETER;
@@ -1524,7 +1524,7 @@ static MSG_PROCESS_RETURN 
tls_process_hello_retry_request(SSL *s, PACKET *pkt)
     }
 
     if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
-                                &extensions, &al)
+                                &extensions, &al, NULL)
             || !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST,
                                          extensions, NULL, 0, &al))
         goto f_err;
@@ -1596,7 +1596,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, 
PACKET *pkt)
                 goto f_err;
             }
             if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
-                                        &rawexts, &al)
+                                        &rawexts, &al, NULL)
                     || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
                                                  rawexts, x, chainidx, &al)) {
                 OPENSSL_free(rawexts);
@@ -2399,7 +2399,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, 
PACKET *pkt)
         if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
                 || !tls_collect_extensions(s, &extpkt,
                                            EXT_TLS1_3_NEW_SESSION_TICKET,
-                                           &exts, &al)
+                                           &exts, &al, NULL)
                 || !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET,
                                              exts, NULL, 0, &al)) {
             SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION);
@@ -3362,7 +3362,7 @@ static MSG_PROCESS_RETURN 
tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
     }
 
     if (!tls_collect_extensions(s, &extensions, 
EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
-                                &rawexts, &al)
+                                &rawexts, &al, NULL)
             || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
                                          rawexts, NULL, 0, &al))
         goto err;
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h
index 595a803..9230332 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -167,7 +167,7 @@ __owur int tls_construct_new_session_ticket(SSL *s, WPACKET 
*pkt);
 /* Extension processing */
 
 __owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
-                                  RAW_EXTENSION **res, int *al);
+                                  RAW_EXTENSION **res, int *al, size_t *len);
 __owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
                                RAW_EXTENSION *exts,  X509 *x, size_t chainidx,
                                int *al);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 0037e79..9c422e4 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -63,11 +63,6 @@
 
 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
 static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
-static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
-                                                      PACKET *cipher_suites,
-                                                      STACK_OF(SSL_CIPHER)
-                                                      **skp, int sslv2format,
-                                                      int *al);
 
 /*
  * ossl_statem_server13_read_transition() encapsulates the logic for the 
allowed
@@ -1222,21 +1217,17 @@ static void ssl_check_for_safari(SSL *s, const 
CLIENTHELLO_MSG *hello)
 
 MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 {
-    int i, al = SSL_AD_INTERNAL_ERROR;
-    unsigned int j;
-    size_t loop;
-    unsigned long id;
-    const SSL_CIPHER *c;
-#ifndef OPENSSL_NO_COMP
-    SSL_COMP *comp = NULL;
-#endif
-    STACK_OF(SSL_CIPHER) *ciphers = NULL;
-    int protverr;
+    int al = SSL_AD_INTERNAL_ERROR;
     /* |cookie| will only be initialized for DTLS. */
     PACKET session_id, compression, extensions, cookie;
     static const unsigned char null_compression = 0;
-    CLIENTHELLO_MSG clienthello;
+    CLIENTHELLO_MSG *clienthello;
 
+    clienthello = OPENSSL_zalloc(sizeof(*clienthello));
+    if (clienthello == NULL) {
+        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
     /* Check if this is actually an unexpected renegotiation ClientHello */
     if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
         s->renegotiate = 1;
@@ -1249,11 +1240,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
     /*
      * First, parse the raw ClientHello data into the CLIENTHELLO_MSG 
structure.
      */
-    memset(&clienthello, 0, sizeof(clienthello));
-    clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
+    clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
     PACKET_null_init(&cookie);
 
-    if (clienthello.isv2) {
+    if (clienthello->isv2) {
         unsigned int mt;
 
         if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
@@ -1289,14 +1279,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         }
     }
 
-    if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
+    if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
         goto err;
     }
 
     /* Parse the message and load client random. */
-    if (clienthello.isv2) {
+    if (clienthello->isv2) {
         /*
          * Handle an SSLv2 backwards compatible ClientHello
          * Note, this is only for SSLv3+ using the backward compatible format.
@@ -1320,9 +1310,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
             goto f_err;
         }
 
-        if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
+        if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
                                    ciphersuite_len)
-            || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len)
+            || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
             || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
             /* No extensions. */
             || PACKET_remaining(pkt) != 0) {
@@ -1331,18 +1321,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
-        clienthello.session_id_len = session_id_len;
+        clienthello->session_id_len = session_id_len;
 
         /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
-         * here rather than sizeof(clienthello.random) because that is the 
limit
+         * here rather than sizeof(clienthello->random) because that is the 
limit
          * for SSLv3 and it is fixed. It won't change even if
-         * sizeof(clienthello.random) does.
+         * sizeof(clienthello->random) does.
          */
         challenge_len = challenge_len > SSL3_RANDOM_SIZE
                         ? SSL3_RANDOM_SIZE : challenge_len;
-        memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
+        memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
         if (!PACKET_copy_bytes(&challenge,
-                               clienthello.random + SSL3_RANDOM_SIZE -
+                               clienthello->random + SSL3_RANDOM_SIZE -
                                challenge_len, challenge_len)
             /* Advertise only null compression. */
             || !PACKET_buf_init(&compression, &null_compression, 1)) {
@@ -1351,14 +1341,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
             goto f_err;
         }
 
-        PACKET_null_init(&clienthello.extensions);
+        PACKET_null_init(&clienthello->extensions);
     } else {
         /* Regular ClientHello. */
-        if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
+        if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
             || !PACKET_get_length_prefixed_1(pkt, &session_id)
-            || !PACKET_copy_all(&session_id, clienthello.session_id,
+            || !PACKET_copy_all(&session_id, clienthello->session_id,
                     SSL_MAX_SSL_SESSION_ID_LENGTH,
-                    &clienthello.session_id_len)) {
+                    &clienthello->session_id_len)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
             goto f_err;
@@ -1370,9 +1360,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                 goto f_err;
             }
-            if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
+            if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
                                  DTLS1_COOKIE_LENGTH,
-                                 &clienthello.dtls_cookie_len)) {
+                                 &clienthello->dtls_cookie_len)) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                 goto f_err;
@@ -1383,12 +1373,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
              * So check cookie length...
              */
             if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
-                if (clienthello.dtls_cookie_len == 0)
+                if (clienthello->dtls_cookie_len == 0)
                     return 1;
             }
         }
 
-        if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
+        if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
             goto f_err;
@@ -1402,9 +1392,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
 
         /* Could be empty. */
         if (PACKET_remaining(pkt) == 0) {
-            PACKET_null_init(&clienthello.extensions);
+            PACKET_null_init(&clienthello->extensions);
         } else {
-            if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
+            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                 goto f_err;
@@ -1412,95 +1402,137 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         }
     }
 
-    if (!PACKET_copy_all(&compression, clienthello.compressions,
+    if (!PACKET_copy_all(&compression, clienthello->compressions,
                          MAX_COMPRESSIONS_SIZE,
-                         &clienthello.compressions_len)) {
+                         &clienthello->compressions_len)) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
 
     /* Preserve the raw extensions PACKET for later use */
-    extensions = clienthello.extensions;
+    extensions = clienthello->extensions;
     if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
-                                &clienthello.pre_proc_exts, &al)) {
+                                &clienthello->pre_proc_exts, &al,
+                                &clienthello->pre_proc_exts_len)) {
         /* SSLerr already been called */
         goto f_err;
     }
+    s->clienthello = clienthello;
+
+    return MSG_PROCESS_CONTINUE_PROCESSING;
+ f_err:
+    ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ err:
+    ossl_statem_set_error(s);
+
+    OPENSSL_free(clienthello->pre_proc_exts);
+    OPENSSL_free(clienthello);
+
+    return MSG_PROCESS_ERROR;
+}
 
+static int tls_early_post_process_client_hello(SSL *s, int *al)
+{
+    unsigned int j;
+    int i;
+    int protverr;
+    size_t loop;
+    unsigned long id;
+#ifndef OPENSSL_NO_COMP
+    SSL_COMP *comp = NULL;
+#endif
+    const SSL_CIPHER *c;
+    STACK_OF(SSL_CIPHER) *ciphers = NULL;
+    STACK_OF(SSL_CIPHER) *scsvs = NULL;
+    CLIENTHELLO_MSG *clienthello = s->clienthello;
+
+    *al = SSL_AD_INTERNAL_ERROR;
     /* Finished parsing the ClientHello, now we can start processing it */
+    /* Give the early callback a crack at things */
+    if (s->ctx->early_cb != NULL) {
+        int code;
+        /* A failure in the early callback terminates the connection. */
+        code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg);
+        if (code == 0)
+            goto err;
+        if (code < 0) {
+            s->rwstate = SSL_EARLY_WORK;
+            return code;
+        }
+    }
 
     /* Set up the client_random */
-    memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);
+    memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
 
     /* Choose the version */
 
-    if (clienthello.isv2) {
-        if (clienthello.legacy_version == SSL2_VERSION
-                || (clienthello.legacy_version & 0xff00)
+    if (clienthello->isv2) {
+        if (clienthello->legacy_version == SSL2_VERSION
+                || (clienthello->legacy_version & 0xff00)
                    != (SSL3_VERSION_MAJOR << 8)) {
             /*
              * This is real SSLv2 or something complete unknown. We don't
              * support it.
              */
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_UNKNOWN_PROTOCOL);
             goto err;
         }
         /* SSLv3/TLS */
-        s->client_version = clienthello.legacy_version;
+        s->client_version = clienthello->legacy_version;
     }
     /*
      * Do SSL/TLS version negotiation if applicable. For DTLS we just check
      * versions are potentially compatible. Version negotiation comes later.
      */
     if (!SSL_IS_DTLS(s)) {
-        protverr = ssl_choose_server_version(s, &clienthello);
+        protverr = ssl_choose_server_version(s, clienthello);
     } else if (s->method->version != DTLS_ANY_VERSION &&
-               DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
+               DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
         protverr = SSL_R_VERSION_TOO_LOW;
     } else {
         protverr = 0;
     }
 
     if (protverr) {
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
+        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
         if (SSL_IS_FIRST_HANDSHAKE(s)) {
             /* like ssl3_get_record, send alert using remote version number */
-            s->version = s->client_version = clienthello.legacy_version;
+            s->version = s->client_version = clienthello->legacy_version;
         }
-        al = SSL_AD_PROTOCOL_VERSION;
-        goto f_err;
+        *al = SSL_AD_PROTOCOL_VERSION;
+        goto err;
     }
 
     if (SSL_IS_DTLS(s)) {
         /* Empty cookie was already handled above by returning early. */
         if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
             if (s->ctx->app_verify_cookie_cb != NULL) {
-                if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
-                        clienthello.dtls_cookie_len) == 0) {
-                    al = SSL_AD_HANDSHAKE_FAILURE;
-                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+                if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
+                        clienthello->dtls_cookie_len) == 0) {
+                    *al = SSL_AD_HANDSHAKE_FAILURE;
+                    SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                            SSL_R_COOKIE_MISMATCH);
-                    goto f_err;
+                    goto err;
                     /* else cookie verification succeeded */
                 }
                 /* default verification */
-            } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
-                    || memcmp(clienthello.dtls_cookie, s->d1->cookie,
+            } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
+                    || memcmp(clienthello->dtls_cookie, s->d1->cookie,
                               s->d1->cookie_len) != 0) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
-                goto f_err;
+                *al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_COOKIE_MISMATCH);
+                goto err;
             }
             s->d1->cookie_verified = 1;
         }
         if (s->method->version == DTLS_ANY_VERSION) {
-            protverr = ssl_choose_server_version(s, &clienthello);
+            protverr = ssl_choose_server_version(s, clienthello);
             if (protverr != 0) {
-                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
+                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
                 s->version = s->client_version;
-                al = SSL_AD_PROTOCOL_VERSION;
-                goto f_err;
+                *al = SSL_AD_PROTOCOL_VERSION;
+                goto err;
             }
         }
     }
@@ -1510,9 +1542,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
     /* We need to do this before getting the session */
     if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
                              EXT_CLIENT_HELLO,
-                             clienthello.pre_proc_exts, NULL, 0, &al)) {
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
-        goto f_err;
+                             clienthello->pre_proc_exts, NULL, 0, al)) {
+        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_CLIENTHELLO_TLSEXT);
+        goto err;
     }
 
     /*
@@ -1531,18 +1563,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
      * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
      * ignored.
      */
-    if (clienthello.isv2 ||
+    if (clienthello->isv2 ||
         (s->new_session &&
          (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
         if (!ssl_get_new_session(s, 1))
             goto err;
     } else {
-        i = ssl_get_prev_session(s, &clienthello, &al);
+        i = ssl_get_prev_session(s, clienthello, al);
         if (i == 1) {
             /* previous session */
             s->hit = 1;
         } else if (i == -1) {
-            goto f_err;
+            goto err;
         } else {
             /* i == 0 */
             if (!ssl_get_new_session(s, 1))
@@ -1550,9 +1582,42 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         }
     }
 
-    if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers,
-                                 clienthello.isv2, &al) == NULL) {
-        goto f_err;
+    if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
+                              clienthello->isv2, al) ||
+        !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
+                             clienthello->isv2, al)) {
+        goto err;
+    }
+
+    s->s3->send_connection_binding = 0;
+    /* Check what signalling cipher-suite values were received. */
+    if (scsvs != NULL) {
+        for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
+            c = sk_SSL_CIPHER_value(scsvs, i);
+            if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
+                if (s->renegotiate) {
+                    /* SCSV is fatal if renegotiating */
+                    SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
+                           SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+                    *al = SSL_AD_HANDSHAKE_FAILURE;
+                    goto err;
+                }
+                s->s3->send_connection_binding = 1;
+            } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
+                       !ssl_check_version_downgrade(s)) {
+                /*
+                 * This SCSV indicates that the client previously tried
+                 * a higher version.  We should fail if the current version
+                 * is an unexpected downgrade, as that indicates that the first
+                 * connection may have been tampered with in order to trigger
+                 * an insecure downgrade.
+                 */
+                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
+                       SSL_R_INAPPROPRIATE_FALLBACK);
+                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
+                goto err;
+            }
+        }
     }
 
     /* If it is a hit, check that the cipher is in the list */
@@ -1579,35 +1644,35 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
              * we need to have the cipher in the cipher list if we are asked
              * to reuse it
              */
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+            *al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                    SSL_R_REQUIRED_CIPHER_MISSING);
-            goto f_err;
+            goto err;
         }
     }
 
-    for (loop = 0; loop < clienthello.compressions_len; loop++) {
-        if (clienthello.compressions[loop] == 0)
+    for (loop = 0; loop < clienthello->compressions_len; loop++) {
+        if (clienthello->compressions[loop] == 0)
             break;
     }
 
-    if (loop >= clienthello.compressions_len) {
+    if (loop >= clienthello->compressions_len) {
         /* no compress */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
-        goto f_err;
+        *al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_NO_COMPRESSION_SPECIFIED);
+        goto err;
     }
 
 #ifndef OPENSSL_NO_EC
     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-        ssl_check_for_safari(s, &clienthello);
+        ssl_check_for_safari(s, clienthello);
 #endif                          /* !OPENSSL_NO_EC */
 
     /* TLS extensions */
     if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
-                                  clienthello.pre_proc_exts, NULL, 0, &al)) {
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
-        goto f_err;
+                                  clienthello->pre_proc_exts, NULL, 0, al)) {
+        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
+        goto err;
     }
 
     /*
@@ -1620,7 +1685,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         unsigned char *pos;
         pos = s->s3->server_random;
         if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
-            goto f_err;
+            goto err;
         }
     }
 
@@ -1650,9 +1715,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
                 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                  SSL_get_ciphers(s));
             if (pref_cipher == NULL) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
-                goto f_err;
+                *al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_NO_SHARED_CIPHER);
+                goto err;
             }
 
             s->session->cipher = pref_cipher;
@@ -1677,9 +1742,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         /* Perform sanity checks on resumed compression algorithm */
         /* Can't disable compression */
         if (!ssl_allow_compression(s)) {
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                    SSL_R_INCONSISTENT_COMPRESSION);
-            goto f_err;
+            goto err;
         }
         /* Look for resumed compression method */
         for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
@@ -1690,20 +1755,20 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
             }
         }
         if (s->s3->tmp.new_compression == NULL) {
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                    SSL_R_INVALID_COMPRESSION_ALGORITHM);
-            goto f_err;
+            goto err;
         }
         /* Look for resumed method in compression list */
-        for (k = 0; k < clienthello.compressions_len; k++) {
-            if (clienthello.compressions[k] == comp_id)
+        for (k = 0; k < clienthello->compressions_len; k++) {
+            if (clienthello->compressions[k] == comp_id)
                 break;
         }
-        if (k >= clienthello.compressions_len) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+        if (k >= clienthello->compressions_len) {
+            *al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                    SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
-            goto f_err;
+            goto err;
         }
     } else if (s->hit)
         comp = NULL;
@@ -1716,8 +1781,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         for (m = 0; m < nn; m++) {
             comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
             v = comp->id;
-            for (o = 0; o < clienthello.compressions_len; o++) {
-                if (v == clienthello.compressions[o]) {
+            for (o = 0; o < clienthello->compressions_len; o++) {
+                if (v == clienthello->compressions[o]) {
                     done = 1;
                     break;
                 }
@@ -1736,8 +1801,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
      * using compression.
      */
     if (s->session->compress_meth != 0) {
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
-        goto f_err;
+        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_INCONSISTENT_COMPRESSION);
+        goto err;
     }
 #endif
 
@@ -1754,29 +1819,33 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
         sk_SSL_CIPHER_free(s->session->ciphers);
         s->session->ciphers = ciphers;
         if (ciphers == NULL) {
-            al = SSL_AD_INTERNAL_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-            goto f_err;
+            *al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
ERR_R_INTERNAL_ERROR);
+            goto err;
         }
         ciphers = NULL;
         if (!tls1_set_server_sigalgs(s)) {
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 
SSL_R_CLIENTHELLO_TLSEXT);
             goto err;
         }
     }
 
     sk_SSL_CIPHER_free(ciphers);
-    OPENSSL_free(clienthello.pre_proc_exts);
-    return MSG_PROCESS_CONTINUE_PROCESSING;
- f_err:
-    ssl3_send_alert(s, SSL3_AL_FATAL, al);
+    sk_SSL_CIPHER_free(scsvs);
+    OPENSSL_free(clienthello->pre_proc_exts);
+    OPENSSL_free(s->clienthello);
+    s->clienthello = NULL;
+    return 1;
  err:
     ossl_statem_set_error(s);
 
     sk_SSL_CIPHER_free(ciphers);
-    OPENSSL_free(clienthello.pre_proc_exts);
+    sk_SSL_CIPHER_free(scsvs);
+    OPENSSL_free(clienthello->pre_proc_exts);
+    OPENSSL_free(s->clienthello);
+    s->clienthello = NULL;
 
-    return MSG_PROCESS_ERROR;
+    return 0;
 }
 
 /*
@@ -1833,6 +1902,16 @@ WORK_STATE tls_post_process_client_hello(SSL *s, 
WORK_STATE wst)
     const SSL_CIPHER *cipher;
 
     if (wst == WORK_MORE_A) {
+        int rv = tls_early_post_process_client_hello(s, &al);
+        if (rv == 0) {
+            /* SSLErr() was already called */
+            goto f_err;
+        }
+        if (rv < 0)
+            return WORK_MORE_A;
+        wst = WORK_MORE_B;
+    }
+    if (wst == WORK_MORE_B) {
         if (!s->hit) {
             /* Let cert callback update server certificates if required */
             if (s->cert->cert_cb) {
@@ -1845,7 +1924,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, 
WORK_STATE wst)
                 }
                 if (rv < 0) {
                     s->rwstate = SSL_X509_LOOKUP;
-                    return WORK_MORE_A;
+                    return WORK_MORE_B;
                 }
                 s->rwstate = SSL_NOTHING;
             }
@@ -1896,17 +1975,17 @@ WORK_STATE tls_post_process_client_hello(SSL *s, 
WORK_STATE wst)
             goto f_err;
         }
 
-        wst = WORK_MORE_B;
+        wst = WORK_MORE_C;
     }
 #ifndef OPENSSL_NO_SRP
-    if (wst == WORK_MORE_B) {
+    if (wst == WORK_MORE_C) {
         int ret;
         if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
             /*
              * callback indicates further work to be done
              */
             s->rwstate = SSL_X509_LOOKUP;
-            return WORK_MORE_B;
+            return WORK_MORE_C;
         }
         if (ret != SSL_ERROR_NONE) {
             /*
@@ -3128,7 +3207,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, 
PACKET *pkt)
                 goto f_err;
             }
             if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
-                                        &rawexts, &al)
+                                        &rawexts, &al, NULL)
                     || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
                                                  rawexts, x, chainidx, &al)) {
                 OPENSSL_free(rawexts);
@@ -3507,153 +3586,6 @@ static int tls_construct_encrypted_extensions(SSL *s, 
WPACKET *pkt)
     return 1;
 }
 
-#define SSLV2_CIPHER_LEN    3
-
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
-                                               PACKET *cipher_suites,
-                                               STACK_OF(SSL_CIPHER) **skp,
-                                               int sslv2format, int *al)
-{
-    const SSL_CIPHER *c;
-    STACK_OF(SSL_CIPHER) *sk;
-    int n;
-    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
-    unsigned char cipher[SSLV2_CIPHER_LEN];
-
-    s->s3->send_connection_binding = 0;
-
-    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
-
-    if (PACKET_remaining(cipher_suites) == 0) {
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
-        *al = SSL_AD_ILLEGAL_PARAMETER;
-        return NULL;
-    }
-
-    if (PACKET_remaining(cipher_suites) % n != 0) {
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-        *al = SSL_AD_DECODE_ERROR;
-        return NULL;
-    }
-
-    sk = sk_SSL_CIPHER_new_null();
-    if (sk == NULL) {
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-        *al = SSL_AD_INTERNAL_ERROR;
-        return NULL;
-    }
-
-    OPENSSL_free(s->s3->tmp.ciphers_raw);
-    s->s3->tmp.ciphers_raw = NULL;
-    s->s3->tmp.ciphers_rawlen = 0;
-
-    if (sslv2format) {
-        size_t numciphers = PACKET_remaining(cipher_suites) / n;
-        PACKET sslv2ciphers = *cipher_suites;
-        unsigned int leadbyte;
-        unsigned char *raw;
-
-        /*
-         * We store the raw ciphers list in SSLv3+ format so we need to do some
-         * preprocessing to convert the list first. If there are any SSLv2 only
-         * ciphersuites with a non-zero leading byte then we are going to
-         * slightly over allocate because we won't store those. But that isn't 
a
-         * problem.
-         */
-        raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
-        s->s3->tmp.ciphers_raw = raw;
-        if (raw == NULL) {
-            *al = SSL_AD_INTERNAL_ERROR;
-            goto err;
-        }
-        for (s->s3->tmp.ciphers_rawlen = 0;
-             PACKET_remaining(&sslv2ciphers) > 0;
-             raw += TLS_CIPHER_LEN) {
-            if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
-                    || (leadbyte == 0
-                        && !PACKET_copy_bytes(&sslv2ciphers, raw,
-                                              TLS_CIPHER_LEN))
-                    || (leadbyte != 0
-                        && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
-                *al = SSL_AD_INTERNAL_ERROR;
-                OPENSSL_free(s->s3->tmp.ciphers_raw);
-                s->s3->tmp.ciphers_raw = NULL;
-                s->s3->tmp.ciphers_rawlen = 0;
-                goto err;
-            }
-            if (leadbyte == 0)
-                s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN;
-        }
-    } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
-                           &s->s3->tmp.ciphers_rawlen)) {
-        *al = SSL_AD_INTERNAL_ERROR;
-        goto err;
-    }
-
-    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
-        /*
-         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
-         * first byte set to zero, while true SSLv2 ciphers have a non-zero
-         * first byte. We don't support any true SSLv2 ciphers, so skip them.
-         */
-        if (sslv2format && cipher[0] != '\0')
-            continue;
-
-        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
-        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
-            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
-            /* SCSV fatal if renegotiating */
-            if (s->renegotiate) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                *al = SSL_AD_HANDSHAKE_FAILURE;
-                goto err;
-            }
-            s->s3->send_connection_binding = 1;
-            continue;
-        }
-
-        /* Check for TLS_FALLBACK_SCSV */
-        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
-            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
-            /*
-             * The SCSV indicates that the client previously tried a higher
-             * version. Fail if the current version is an unexpected
-             * downgrade.
-             */
-            if (!ssl_check_version_downgrade(s)) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                       SSL_R_INAPPROPRIATE_FALLBACK);
-                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
-                goto err;
-            }
-            continue;
-        }
-
-        /* For SSLv2-compat, ignore leading 0-byte. */
-        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
-        if (c != NULL) {
-            if (!sk_SSL_CIPHER_push(sk, c)) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-                *al = SSL_AD_INTERNAL_ERROR;
-                goto err;
-            }
-        }
-    }
-    if (PACKET_remaining(cipher_suites) > 0) {
-        *al = SSL_AD_INTERNAL_ERROR;
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-    *skp = sk;
-    return sk;
- err:
-    sk_SSL_CIPHER_free(sk);
-    return NULL;
-}
-
 static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
 {
     int al = SSL_AD_INTERNAL_ERROR;
diff --git a/test/asynciotest.c b/test/asynciotest.c
index d4edd94..f418bbe 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -303,7 +303,7 @@ int main(int argc, char *argv[])
             goto end;
         }
 
-        if (!create_ssl_connection(serverssl, clientssl)) {
+        if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
             printf("Test %d failed: Create SSL connection failed\n", test);
             goto end;
         }
diff --git a/test/build.info b/test/build.info
index 4a43e5b..7c1a055 100644
--- a/test/build.info
+++ b/test/build.info
@@ -28,7 +28,7 @@ IF[{- !$disabled{tests} -}]
           dtlsv1listentest ct_test threadstest afalgtest d2i_test \
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
-          pkey_meth_test uitest
+          pkey_meth_test uitest cipherbytes_test
 
   SOURCE[aborttest]=aborttest.c
   INCLUDE[aborttest]=../include
@@ -320,6 +320,10 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[uitest]=.. ../include
   DEPEND[uitest]=../libcrypto ../libssl
 
+  SOURCE[cipherbytes_test]=cipherbytes_test.c
+  INCLUDE[cipherbytes_test]=.. ../include
+  DEPEND[cipherbytes_test]=../libcrypto ../libssl
+
   # Internal test programs.  These are essentially a collection of internal
   # test routines.  Some of them need to reach internal symbols that aren't
   # available through the shared library (at least on Linux, Solaris, Windows
diff --git a/test/cipherbytes_test.c b/test/cipherbytes_test.c
new file mode 100644
index 0000000..9be42f7
--- /dev/null
+++ b/test/cipherbytes_test.c
@@ -0,0 +1,130 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/opensslconf.h>
+#include <openssl/err.h>
+#include <openssl/e_os2.h>
+#include <openssl/ssl.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h>
+
+#include "e_os.h"
+#include "test_main.h"
+#include "testutil.h"
+
+static int test_empty(SSL *s)
+{
+    STACK_OF(SSL_CIPHER) *sk = NULL, *scsv = NULL;
+    const unsigned char bytes[] = {0x00};
+
+    if (SSL_bytes_to_cipher_list(s, bytes, 0, 0, &sk, &scsv) ||
+        sk != NULL || scsv != NULL)
+        return 0;
+    return 1;
+}
+
+static int test_unsupported(SSL *s)
+{
+    STACK_OF(SSL_CIPHER) *sk, *scsv;
+    /* ECDH-RSA-AES256 (unsupported), ECDHE-ECDSA-AES128, <unassigned> */
+    const unsigned char bytes[] = {0xc0, 0x0f, 0x00, 0x2f, 0x01, 0x00};
+
+    if (!SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 0, &sk, &scsv) ||
+        sk == NULL || sk_SSL_CIPHER_num(sk) != 1 || scsv == NULL ||
+        sk_SSL_CIPHER_num(scsv) != 0)
+        return 0;
+    if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)),
+                "AES128-SHA") != 0)
+        return 0;
+
+    sk_SSL_CIPHER_free(sk);
+    sk_SSL_CIPHER_free(scsv);
+    return 1;
+}
+
+static int test_v2(SSL *s)
+{
+    STACK_OF(SSL_CIPHER) *sk, *scsv;
+    /* ECDHE-ECDSA-AES256GCM, SSL2_RC4_1238_WITH_MD5,
+     * ECDHE-ECDSA-CHACHA20-POLY1305 */
+    const unsigned char bytes[] = {0x00, 0x00, 0x35, 0x01, 0x00, 0x80,
+                                   0x00, 0x00, 0x33};
+
+    if (!SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 1, &sk, &scsv) ||
+        sk == NULL || sk_SSL_CIPHER_num(sk) != 2 || scsv == NULL ||
+        sk_SSL_CIPHER_num(scsv) != 0)
+        return 0;
+    if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)),
+               "AES256-SHA") != 0 ||
+        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)),
+               "DHE-RSA-AES128-SHA") != 0)
+        return 0;
+    sk_SSL_CIPHER_free(sk);
+    sk_SSL_CIPHER_free(scsv);
+    return 1;
+}
+
+static int test_v3(SSL *s)
+{
+    STACK_OF(SSL_CIPHER) *sk, *scsv;
+    /* ECDHE-ECDSA-AES256GCM, ECDHE-ECDSA-CHACHAPOLY, DHE-RSA-AES256GCM,
+     * EMPTY-RENEGOTIATION-INFO-SCSV, FALLBACK-SCSV */
+    const unsigned char bytes[] = {0x00, 0x2f, 0x00, 0x33, 0x00, 0x9f, 0x00, 
0xff,
+                                   0x56, 0x00};
+
+    if (!SSL_bytes_to_cipher_list(s, bytes, sizeof(bytes), 0, &sk, &scsv) ||
+        sk == NULL || sk_SSL_CIPHER_num(sk) != 3 || scsv == NULL ||
+        sk_SSL_CIPHER_num(scsv) != 2)
+        return 0;
+    if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 0)),
+               "AES128-SHA") != 0 ||
+        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 1)),
+               "DHE-RSA-AES128-SHA") != 0 ||
+        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(sk, 2)),
+               "DHE-RSA-AES256-GCM-SHA384") != 0 ||
+        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 0)),
+               "TLS_EMPTY_RENEGOTIATION_INFO_SCSV") != 0 ||
+        strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(scsv, 1)),
+               "TLS_FALLBACK_SCSV") != 0)
+        return 0;
+    sk_SSL_CIPHER_free(sk);
+    sk_SSL_CIPHER_free(scsv);
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    SSL_CTX *ctx;
+    SSL *s;
+
+    ctx = SSL_CTX_new(TLS_server_method());
+    s = SSL_new(ctx);
+    OPENSSL_assert(s != NULL);
+
+    if (!test_empty(s))
+        return 1;
+
+    if (!test_unsupported(s))
+        return 1;
+
+    if (!test_v2(s))
+        return 1;
+
+    if (!test_v3(s))
+        return 1;
+
+    printf("PASS\n");
+    SSL_free(s);
+    SSL_CTX_free(ctx);
+    return 0;
+}
diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c
index 1a05c54..24d4ccc 100644
--- a/test/dtls_mtu_test.c
+++ b/test/dtls_mtu_test.c
@@ -70,7 +70,7 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm)
     }
     sc_bio = SSL_get_rbio(srvr_ssl);
 
-    if (create_ssl_connection(clnt_ssl, srvr_ssl) != 1)
+    if (create_ssl_connection(clnt_ssl, srvr_ssl, SSL_ERROR_NONE) != 1)
         goto out;
 
     if (debug)
diff --git a/test/dtlstest.c b/test/dtlstest.c
index b4a756f..bc22d32 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -89,7 +89,7 @@ static int test_dtls_unprocessed(int testidx)
     mempacket_test_inject(c_to_s_mempacket, (char *)certstatus,
                           sizeof(certstatus), 1, INJECT_PACKET_IGNORE_REC_SEQ);
 
-    if (!create_ssl_connection(serverssl1, clientssl1)) {
+    if (!create_ssl_connection(serverssl1, clientssl1, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         ERR_print_errors_fp(stdout);
         goto end;
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index c82581c..88f6aec 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -123,6 +123,67 @@ static int select_server_ctx(SSL *s, void *arg, int ignore)
     }
 }
 
+static int early_select_server_ctx(SSL *s, void *arg, int ignore)
+{
+    const char *servername;
+    const unsigned char *p;
+    size_t len, remaining;
+    HANDSHAKE_EX_DATA *ex_data =
+        (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx));
+
+    /*
+     * The server_name extension was given too much extensibility when it
+     * was written, so parsing the normal case is a bit complex.
+     */
+    if (!SSL_early_get0_ext(s, TLSEXT_TYPE_server_name, &p, &remaining) ||
+        remaining <= 2)
+        return 0;
+    /* Extract the length of the supplied list of names. */
+    len = (*(p++) << 1);
+    len += *(p++);
+    if (len + 2 != remaining)
+        return 0;
+    remaining = len;
+    /*
+     * The list in practice only has a single element, so we only consider
+     * the first one.
+     */
+    if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name)
+        return 0;
+    remaining--;
+    /* Now we can finally pull out the byte array with the actual hostname. */
+    if (remaining <= 2)
+        return 0;
+    len = (*(p++) << 1);
+    len += *(p++);
+    if (len + 2 > remaining)
+        return 0;
+    remaining = len;
+    servername = (const char *)p;
+
+    if (len == strlen("server2") && strncmp(servername, "server2", len) == 0) {
+        SSL_CTX *new_ctx = arg;
+        SSL_set_SSL_CTX(s, new_ctx);
+        /*
+         * Copy over all the SSL_CTX options - reasonable behavior
+         * allows testing of cases where the options between two
+         * contexts differ/conflict
+         */
+        SSL_clear_options(s, 0xFFFFFFFFL);
+        SSL_set_options(s, SSL_CTX_get_options(new_ctx));
+
+        ex_data->servername = SSL_TEST_SERVERNAME_SERVER2;
+        return 1;
+    } else if (len == strlen("server1") &&
+               strncmp(servername, "server1", len) == 0) {
+        ex_data->servername = SSL_TEST_SERVERNAME_SERVER1;
+        return 1;
+    } else if (ignore) {
+        ex_data->servername = SSL_TEST_SERVERNAME_SERVER1;
+        return 1;
+    }
+    return 0;
+}
 /*
  * (RFC 6066):
  *  If the server understood the ClientHello extension but
@@ -144,6 +205,50 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg)
     return select_server_ctx(s, arg, 0);
 }
 
+static int early_ignore_cb(SSL *s, int *al, void *arg)
+{
+    if (!early_select_server_ctx(s, arg, 1)) {
+        *al = SSL_AD_UNRECOGNIZED_NAME;
+        return 0;
+    }
+    return 1;
+}
+
+static int early_reject_cb(SSL *s, int *al, void *arg)
+{
+    if (!early_select_server_ctx(s, arg, 0)) {
+        *al = SSL_AD_UNRECOGNIZED_NAME;
+        return 0;
+    }
+    return 1;
+}
+
+static int early_nov12_cb(SSL *s, int *al, void *arg)
+{
+    int ret;
+    unsigned int v;
+    const unsigned char *p;
+
+    v = SSL_early_get0_legacy_version(s);
+    if (v > TLS1_2_VERSION || v < SSL3_VERSION) {
+        *al = SSL_AD_PROTOCOL_VERSION;
+        return 0;
+    }
+    (void)SSL_early_get0_session_id(s, &p);
+    if (p == NULL ||
+        SSL_early_get0_random(s, &p) == 0 ||
+        SSL_early_get0_ciphers(s, &p) == 0 ||
+        SSL_early_get0_compression_methods(s, &p) == 0) {
+        *al = SSL_AD_INTERNAL_ERROR;
+        return 0;
+    }
+    ret = early_select_server_ctx(s, arg, 0);
+    SSL_set_max_proto_version(s, TLS1_1_VERSION);
+    if (!ret)
+        *al = SSL_AD_UNRECOGNIZED_NAME;
+    return ret;
+}
+
 static unsigned char dummy_ocsp_resp_good_val = 0xff;
 static unsigned char dummy_ocsp_resp_bad_val = 0xfe;
 
@@ -337,7 +442,10 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, 
SSL_CTX *server2_ctx,
         break;
     }
 
-    /* link the two contexts for SNI purposes */
+    /*
+     * Link the two contexts for SNI purposes.
+     * Also do early callbacks here, as setting both early and SNI is bad.
+     */
     switch (extra->server.servername_callback) {
     case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
         SSL_CTX_set_tlsext_servername_callback(server_ctx, 
servername_ignore_cb);
@@ -349,6 +457,14 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, 
SSL_CTX *server2_ctx,
         break;
     case SSL_TEST_SERVERNAME_CB_NONE:
         break;
+    case SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH:
+        SSL_CTX_set_early_cb(server_ctx, early_ignore_cb, server2_ctx);
+        break;
+    case SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH:
+        SSL_CTX_set_early_cb(server_ctx, early_reject_cb, server2_ctx);
+        break;
+    case SSL_TEST_SERVERNAME_EARLY_NO_V12:
+        SSL_CTX_set_early_cb(server_ctx, early_nov12_cb, server2_ctx);
     }
 
     if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) {
diff --git a/test/recipes/70-test_sslrecords.t 
b/test/recipes/70-test_sslrecords.t
index f699058..2ffa2cd 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -97,7 +97,7 @@ $sslv2testtype = SSLV2_IN_SSLV2;
 $proxy->clear();
 $proxy->serverflags("-tls1_2");
 $proxy->start();
-ok(!TLSProxy::Message->end(), "SSLv2 in SSLv2 ClientHello test");
+ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
 
 #Test 7: Sanity check ClientHello fragmentation. This isn't really an SSLv2 
test
 #        at all, but it gives us confidence that Test 8 fails for the right
diff --git a/test/recipes/80-test_cipherlist.t 
b/test/recipes/80-test_cipherbytes.t
similarity index 78%
copy from test/recipes/80-test_cipherlist.t
copy to test/recipes/80-test_cipherbytes.t
index 98d537e..27d627e 100644
--- a/test/recipes/80-test_cipherlist.t
+++ b/test/recipes/80-test_cipherbytes.t
@@ -1,6 +1,6 @@
 #! /usr/bin/perl
 #
-# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -15,7 +15,7 @@ use OpenSSL::Test::Simple;
 use OpenSSL::Test;
 use OpenSSL::Test::Utils qw(alldisabled available_protocols);
 
-setup("test_cipherlist");
+setup("test_cipherbytes");
 
 my $no_anytls = alldisabled(available_protocols("tls"));
 
@@ -23,4 +23,4 @@ my $no_anytls = alldisabled(available_protocols("tls"));
 plan skip_all => "No SSL/TLS protocol is supported by this OpenSSL build."
     if $no_anytls;
 
-simple_test("test_cipherlist", "cipherlist_test", "cipherlist");
+simple_test("test_cipherbytes", "cipherbytes_test", "bytes_to_cipherlist");
diff --git a/test/ssl-tests/05-sni.conf b/test/ssl-tests/05-sni.conf
index e1fb3d9..d5d350e 100644
--- a/test/ssl-tests/05-sni.conf
+++ b/test/ssl-tests/05-sni.conf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 6
+num_tests = 9
 
 test-0 = 0-SNI-switch-context
 test-1 = 1-SNI-keep-context
@@ -8,6 +8,9 @@ test-2 = 2-SNI-no-server-support
 test-3 = 3-SNI-no-client-support
 test-4 = 4-SNI-bad-sni-ignore-mismatch
 test-5 = 5-SNI-bad-sni-reject-mismatch
+test-6 = 6-SNI-bad-early-sni-ignore-mismatch
+test-7 = 7-SNI-bad-early-sni-reject-mismatch
+test-8 = 8-SNI-early-disable-v12
 # ===========================================================
 
 [0-SNI-switch-context]
@@ -201,3 +204,105 @@ ServerNameCallback = RejectMismatch
 ServerName = invalid
 
 
+# ===========================================================
+
+[6-SNI-bad-early-sni-ignore-mismatch]
+ssl_conf = 6-SNI-bad-early-sni-ignore-mismatch-ssl
+
+[6-SNI-bad-early-sni-ignore-mismatch-ssl]
+server = 6-SNI-bad-early-sni-ignore-mismatch-server
+client = 6-SNI-bad-early-sni-ignore-mismatch-client
+server2 = 6-SNI-bad-early-sni-ignore-mismatch-server
+
+[6-SNI-bad-early-sni-ignore-mismatch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-SNI-bad-early-sni-ignore-mismatch-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+ExpectedServerName = server1
+server = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
+server2 = 6-SNI-bad-early-sni-ignore-mismatch-server-extra
+client = 6-SNI-bad-early-sni-ignore-mismatch-client-extra
+
+[6-SNI-bad-early-sni-ignore-mismatch-server-extra]
+ServerNameCallback = EarlyIgnoreMismatch
+
+[6-SNI-bad-early-sni-ignore-mismatch-client-extra]
+ServerName = invalid
+
+
+# ===========================================================
+
+[7-SNI-bad-early-sni-reject-mismatch]
+ssl_conf = 7-SNI-bad-early-sni-reject-mismatch-ssl
+
+[7-SNI-bad-early-sni-reject-mismatch-ssl]
+server = 7-SNI-bad-early-sni-reject-mismatch-server
+client = 7-SNI-bad-early-sni-reject-mismatch-client
+server2 = 7-SNI-bad-early-sni-reject-mismatch-server
+
+[7-SNI-bad-early-sni-reject-mismatch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-SNI-bad-early-sni-reject-mismatch-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedResult = ServerFail
+ExpectedServerAlert = UnrecognizedName
+server = 7-SNI-bad-early-sni-reject-mismatch-server-extra
+server2 = 7-SNI-bad-early-sni-reject-mismatch-server-extra
+client = 7-SNI-bad-early-sni-reject-mismatch-client-extra
+
+[7-SNI-bad-early-sni-reject-mismatch-server-extra]
+ServerNameCallback = EarlyRejectMismatch
+
+[7-SNI-bad-early-sni-reject-mismatch-client-extra]
+ServerName = invalid
+
+
+# ===========================================================
+
+[8-SNI-early-disable-v12]
+ssl_conf = 8-SNI-early-disable-v12-ssl
+
+[8-SNI-early-disable-v12-ssl]
+server = 8-SNI-early-disable-v12-server
+client = 8-SNI-early-disable-v12-client
+server2 = 8-SNI-early-disable-v12-server
+
+[8-SNI-early-disable-v12-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-SNI-early-disable-v12-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedProtocol = TLSv1.1
+ExpectedServerName = server2
+server = 8-SNI-early-disable-v12-server-extra
+server2 = 8-SNI-early-disable-v12-server-extra
+client = 8-SNI-early-disable-v12-client-extra
+
+[8-SNI-early-disable-v12-server-extra]
+ServerNameCallback = EarlyNoV12
+
+[8-SNI-early-disable-v12-client-extra]
+ServerName = server2
+
+
diff --git a/test/ssl-tests/05-sni.conf.in b/test/ssl-tests/05-sni.conf.in
index 76003e7..63b295d 100644
--- a/test/ssl-tests/05-sni.conf.in
+++ b/test/ssl-tests/05-sni.conf.in
@@ -13,6 +13,7 @@ use strict;
 use warnings;
 
 package ssltests;
+use OpenSSL::Test::Utils;
 
 our @tests = (
     {
@@ -109,4 +110,60 @@ our @tests = (
             "ExpectedServerAlert" => "UnrecognizedName"
         },
     },
+    {
+        name => "SNI-bad-early-sni-ignore-mismatch",
+        server => {
+            extra => {
+                "ServerNameCallback" => "EarlyIgnoreMismatch",
+            },
+        },
+        client => {
+            extra => {
+                "ServerName" => "invalid",
+            },
+        },
+        test   => {
+            "ExpectedServerName" => "server1",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "SNI-bad-early-sni-reject-mismatch",
+        server => {
+            extra => {
+                "ServerNameCallback" => "EarlyRejectMismatch",
+            },
+        },
+        client => {
+            extra => {
+                "ServerName" => "invalid",
+            },
+        },
+        test   => {
+            "ExpectedResult" => "ServerFail",
+            "ExpectedServerAlert" => "UnrecognizedName"
+        },
+    },
 );
+
+our @tests_tls_1_1 = (
+    {
+        name => "SNI-early-disable-v12",
+        server => {
+            extra => {
+                "ServerNameCallback" => "EarlyNoV12",
+            },
+        },
+        client => {
+            extra => {
+                "ServerName" => "server2",
+            },
+        },
+        test   => {
+            "ExpectedProtocol" => "TLSv1.1",
+            "ExpectedServerName" => "server2",
+        },
+    },
+);
+
+push @tests, @tests_tls_1_1 unless disabled("tls1_1");
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 66fb31c..f9e74d1 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -237,6 +237,9 @@ static const test_enum ssl_servername_callbacks[] = {
     {"None", SSL_TEST_SERVERNAME_CB_NONE},
     {"IgnoreMismatch", SSL_TEST_SERVERNAME_IGNORE_MISMATCH},
     {"RejectMismatch", SSL_TEST_SERVERNAME_REJECT_MISMATCH},
+    {"EarlyIgnoreMismatch", SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH},
+    {"EarlyRejectMismatch", SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH},
+    {"EarlyNoV12", SSL_TEST_SERVERNAME_EARLY_NO_V12},
 };
 
 __owur static int parse_servername_callback(SSL_TEST_SERVER_CONF *server_conf,
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 1c66740..499e314 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -38,7 +38,10 @@ typedef enum {
 typedef enum {
     SSL_TEST_SERVERNAME_CB_NONE = 0,  /* Default */
     SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
-    SSL_TEST_SERVERNAME_REJECT_MISMATCH
+    SSL_TEST_SERVERNAME_REJECT_MISMATCH,
+    SSL_TEST_SERVERNAME_EARLY_IGNORE_MISMATCH,
+    SSL_TEST_SERVERNAME_EARLY_REJECT_MISMATCH,
+    SSL_TEST_SERVERNAME_EARLY_NO_V12
 } ssl_servername_callback_t;
 
 typedef enum {
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 47f008a..f492e0b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -338,7 +338,7 @@ static int test_keylog(void) {
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl, clientssl)) {
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -435,7 +435,7 @@ static int test_keylog_no_master_key(void) {
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl, clientssl)) {
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -477,6 +477,89 @@ end:
 }
 #endif
 
+static int full_early_callback(SSL *s, int *al, void *arg)
+{
+    int *ctr = arg;
+    const unsigned char *p;
+    /* We only configure two ciphers, but the SCSV is added automatically. */
+#ifdef OPENSSL_NO_EC
+    const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
+#else
+    const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
+                                              0x2c, 0x00, 0xff};
+#endif
+    size_t len;
+
+    /* Make sure we can defer processing and get called back. */
+    if ((*ctr)++ == 0)
+        return -1;
+
+    len = SSL_early_get0_ciphers(s, &p);
+    if (len != sizeof(expected_ciphers) ||
+        memcmp(p, expected_ciphers, len) != 0) {
+        printf("Early callback expected ciphers mismatch\n");
+        return 0;
+    }
+    len = SSL_early_get0_compression_methods(s, &p);
+    if (len != 1 || *p != 0) {
+        printf("Early callback expected comperssion methods mismatch\n");
+        return 0;
+    }
+    return 1;
+}
+
+static int test_early_cb(void) {
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testctr = 0, testresult = 0;
+
+    if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
+                             &cctx, cert, privkey)) {
+        printf("Unable to create SSL_CTX pair\n");
+        goto end;
+    }
+
+    SSL_CTX_set_early_cb(sctx, full_early_callback, &testctr);
+    /* The gimpy cipher list we configure can't do TLS 1.3. */
+    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
+    if (!SSL_CTX_set_cipher_list(cctx,
+            "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) {
+        printf("Failed to set cipher list\n");
+        goto end;
+    }
+
+    if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
+        printf("Unable to create SSL objects\n");
+        goto end;
+    }
+
+    if (create_ssl_connection(serverssl, clientssl, SSL_ERROR_WANT_EARLY)) {
+        printf("Creating SSL connection succeeded with async early return\n");
+        goto end;
+    }
+
+    /* Passing a -1 literal is a hack since the real value was lost. */
+    if (SSL_get_error(serverssl, -1) != SSL_ERROR_WANT_EARLY) {
+        printf("Early callback failed to make state SSL_ERROR_WANT_EARLY\n");
+        goto end;
+    }
+
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
+        printf("Restarting SSL connection failed\n");
+        goto end;
+    }
+
+    testresult = 1;
+
+end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
 static int execute_test_large_message(const SSL_METHOD *smeth,
                                       const SSL_METHOD *cmeth, int read_ahead)
 {
@@ -541,7 +624,7 @@ static int execute_test_large_message(const SSL_METHOD 
*smeth,
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl, clientssl)) {
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -719,7 +802,7 @@ static int test_tlsext_status_type(void)
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl, clientssl)) {
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -745,7 +828,7 @@ static int test_tlsext_status_type(void)
     }
 
     /* This should fail because the callback will fail */
-    if (create_ssl_connection(serverssl, clientssl)) {
+    if (create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unexpected success creating the connection\n");
         goto end;
     }
@@ -799,7 +882,7 @@ static int test_tlsext_status_type(void)
     BIO_free(certbio);
     certbio = NULL;
 
-    if (!create_ssl_connection(serverssl, clientssl)) {
+    if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -906,7 +989,7 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE 
fix)
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl1, clientssl1)) {
+    if (!create_ssl_connection(serverssl1, clientssl1, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         goto end;
     }
@@ -932,7 +1015,7 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE 
fix)
         goto end;
     }
 
-    if (!create_ssl_connection(serverssl2, clientssl2)) {
+    if (!create_ssl_connection(serverssl2, clientssl2, SSL_ERROR_NONE)) {
         printf("Unable to create second SSL connection\n");
         goto end;
     }
@@ -1015,7 +1098,7 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE 
fix)
     }
 
     /* This should fail because of the mismatched protocol versions */
-    if (create_ssl_connection(serverssl3, clientssl3)) {
+    if (create_ssl_connection(serverssl3, clientssl3, SSL_ERROR_NONE)) {
         printf("Unable to create third SSL connection\n");
         goto end;
     }
@@ -1436,7 +1519,7 @@ static int test_set_sigalgs(int idx)
         }
     }
 
-    if (curr->connsuccess != create_ssl_connection(serverssl, clientssl)) {
+    if (curr->connsuccess != create_ssl_connection(serverssl, clientssl, 
SSL_ERROR_NONE)) {
         printf("Unexpected return value creating SSL connection (%d)\n", idx);
         goto end;
     }
@@ -1485,6 +1568,7 @@ int test_main(int argc, char *argv[])
 #ifndef OPENSSL_NO_TLS1_3
     ADD_TEST(test_keylog_no_master_key);
 #endif
+    ADD_TEST(test_early_cb);
 
     testresult = run_tests(argv[0]);
 
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index c1f074b..8ccad16 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -240,7 +240,7 @@ static int test_ssl_corrupt(int testidx)
         goto end;
     }
 
-    if (!create_ssl_connection(server, client)) {
+    if (!create_ssl_connection(server, client, SSL_ERROR_NONE)) {
         printf("Unable to create SSL connection\n");
         ERR_print_errors_fp(stdout);
         goto end;
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 1981cb5..64aa916 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -641,7 +641,7 @@ int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX 
*clientctx, SSL **sssl,
     return 0;
 }
 
-int create_ssl_connection(SSL *serverssl, SSL *clientssl)
+int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
 {
     int retc = -1, rets = -1, err, abortctr = 0;
     int clienterr = 0, servererr = 0;
@@ -660,6 +660,8 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl)
             printf("SSL_connect() failed %d, %d\n", retc, err);
             clienterr = 1;
         }
+        if (want != SSL_ERROR_NONE && err == want)
+            return 0;
 
         err = SSL_ERROR_WANT_WRITE;
         while (!servererr && rets <= 0 && err == SSL_ERROR_WANT_WRITE) {
@@ -669,9 +671,11 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl)
         }
 
         if (!servererr && rets <= 0 && err != SSL_ERROR_WANT_READ) {
-            printf("SSL_accept() failed %d, %d\n", retc, err);
+            printf("SSL_accept() failed %d, %d\n", rets, err);
             servererr = 1;
         }
+        if (want != SSL_ERROR_NONE && err == want)
+            return 0;
         if (clienterr && servererr)
             return 0;
         if (++abortctr == MAXLOOPS) {
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index bd9272f..e74a5cc 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -17,7 +17,7 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const 
SSL_METHOD *cm,
                         char *privkeyfile);
 int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
                        SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio);
-int create_ssl_connection(SSL *serverssl, SSL *clientssl);
+int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want);
 
 /* Note: Not thread safe! */
 const BIO_METHOD *bio_f_tls_dump_filter(void);
diff --git a/util/libssl.num b/util/libssl.num
index 32b5f76..20642ce 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -415,3 +415,12 @@ SSL_CTX_get_keylog_callback             415        1_1_1   
EXIST::FUNCTION:
 SSL_get_peer_signature_type_nid         416    1_1_1   EXIST::FUNCTION:
 SSL_key_update                          417    1_1_1   EXIST::FUNCTION:
 SSL_get_key_update_type                 418    1_1_1   EXIST::FUNCTION:
+SSL_bytes_to_cipher_list                419    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_compression_methods      420    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_ciphers                  421    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_ext                      422    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_session_id               423    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_random                   424    1_1_1   EXIST::FUNCTION:
+SSL_CTX_set_early_cb                    425    1_1_1   EXIST::FUNCTION:
+SSL_early_get0_legacy_version           426    1_1_1   EXIST::FUNCTION:
+SSL_early_isv2                          427    1_1_1   EXIST::FUNCTION:
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to