authorjsing <>2021-06-11 17:29:48 +0000
committerjsing <>2021-06-11 17:29:48 +0000
commitc29106da26ba83d9f0dec29e9b66d329ad964c38 (patch)
tree9ed8ed1745db8d4d214ef9607fadbd3644769e1a
parent8eb08269b2394f412e06e5fe98f463c2291efe8a (diff)
Only use SSL_AD_* internally.
Due to hysterical raisins there are three different types of defines for alerts. SSL3_AD_* are from SSLv3, TLS1_AD_* are from TLSv1.0 onwards and SSL_AD_* currently map to either an SSL3_AD_* or TLS1_AD_* define. Currently, all three of these are used in various places - switch to using just SSL_AD_* values internally, as a first step in cleaning this up. ok tb@
-rw-r--r--src/lib/libssl/d1_both.c4
-rw-r--r--src/lib/libssl/ssl_stat.c122
-rw-r--r--src/lib/libssl/ssl_tlsext.c50
3 files changed, 88 insertions, 88 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 8e734f1277..52189128c8 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.74 2021/06/11 11:29:44 jsing Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.75 2021/06/11 17:29:48 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -841,7 +841,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
841 * handshake to fail 841 * handshake to fail
842 */ 842 */
843 if (i != (int)frag_len) { 843 if (i != (int)frag_len) {
844 al = SSL3_AD_ILLEGAL_PARAMETER; 844 al = SSL_AD_ILLEGAL_PARAMETER;
845 SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER); 845 SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
846 goto fatal_err; 846 goto fatal_err;
847 } 847 }
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index 6b26d4c915..b813ac6896 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_stat.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */ 1/* $OpenBSD: ssl_stat.c,v 1.15 2021/06/11 17:29:48 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -578,94 +578,94 @@ SSL_alert_desc_string(int value)
578 const char *str; 578 const char *str;
579 579
580 switch (value & 0xff) { 580 switch (value & 0xff) {
581 case SSL3_AD_CLOSE_NOTIFY: 581 case SSL_AD_CLOSE_NOTIFY:
582 str = "CN"; 582 str = "CN";
583 break; 583 break;
584 case SSL3_AD_UNEXPECTED_MESSAGE: 584 case SSL_AD_UNEXPECTED_MESSAGE:
585 str = "UM"; 585 str = "UM";
586 break; 586 break;
587 case SSL3_AD_BAD_RECORD_MAC: 587 case SSL_AD_BAD_RECORD_MAC:
588 str = "BM"; 588 str = "BM";
589 break; 589 break;
590 case SSL3_AD_DECOMPRESSION_FAILURE: 590 case SSL_AD_DECOMPRESSION_FAILURE:
591 str = "DF"; 591 str = "DF";
592 break; 592 break;
593 case SSL3_AD_HANDSHAKE_FAILURE: 593 case SSL_AD_HANDSHAKE_FAILURE:
594 str = "HF"; 594 str = "HF";
595 break; 595 break;
596 case SSL3_AD_NO_CERTIFICATE: 596 case SSL_AD_NO_CERTIFICATE:
597 str = "NC"; 597 str = "NC";
598 break; 598 break;
599 case SSL3_AD_BAD_CERTIFICATE: 599 case SSL_AD_BAD_CERTIFICATE:
600 str = "BC"; 600 str = "BC";
601 break; 601 break;
602 case SSL3_AD_UNSUPPORTED_CERTIFICATE: 602 case SSL_AD_UNSUPPORTED_CERTIFICATE:
603 str = "UC"; 603 str = "UC";
604 break; 604 break;
605 case SSL3_AD_CERTIFICATE_REVOKED: 605 case SSL_AD_CERTIFICATE_REVOKED:
606 str = "CR"; 606 str = "CR";
607 break; 607 break;
608 case SSL3_AD_CERTIFICATE_EXPIRED: 608 case SSL_AD_CERTIFICATE_EXPIRED:
609 str = "CE"; 609 str = "CE";
610 break; 610 break;
611 case SSL3_AD_CERTIFICATE_UNKNOWN: 611 case SSL_AD_CERTIFICATE_UNKNOWN:
612 str = "CU"; 612 str = "CU";
613 break; 613 break;
614 case SSL3_AD_ILLEGAL_PARAMETER: 614 case SSL_AD_ILLEGAL_PARAMETER:
615 str = "IP"; 615 str = "IP";
616 break; 616 break;
617 case TLS1_AD_DECRYPTION_FAILED: 617 case SSL_AD_DECRYPTION_FAILED:
618 str = "DC"; 618 str = "DC";
619 break; 619 break;
620 case TLS1_AD_RECORD_OVERFLOW: 620 case SSL_AD_RECORD_OVERFLOW:
621 str = "RO"; 621 str = "RO";
622 break; 622 break;
623 case TLS1_AD_UNKNOWN_CA: 623 case SSL_AD_UNKNOWN_CA:
624 str = "CA"; 624 str = "CA";
625 break; 625 break;
626 case TLS1_AD_ACCESS_DENIED: 626 case SSL_AD_ACCESS_DENIED:
627 str = "AD"; 627 str = "AD";
628 break; 628 break;
629 case TLS1_AD_DECODE_ERROR: 629 case SSL_AD_DECODE_ERROR:
630 str = "DE"; 630 str = "DE";
631 break; 631 break;
632 case TLS1_AD_DECRYPT_ERROR: 632 case SSL_AD_DECRYPT_ERROR:
633 str = "CY"; 633 str = "CY";
634 break; 634 break;
635 case TLS1_AD_EXPORT_RESTRICTION: 635 case SSL_AD_EXPORT_RESTRICTION:
636 str = "ER"; 636 str = "ER";
637 break; 637 break;
638 case TLS1_AD_PROTOCOL_VERSION: 638 case SSL_AD_PROTOCOL_VERSION:
639 str = "PV"; 639 str = "PV";
640 break; 640 break;
641 case TLS1_AD_INSUFFICIENT_SECURITY: 641 case SSL_AD_INSUFFICIENT_SECURITY:
642 str = "IS"; 642 str = "IS";
643 break; 643 break;
644 case TLS1_AD_INTERNAL_ERROR: 644 case SSL_AD_INTERNAL_ERROR:
645 str = "IE"; 645 str = "IE";
646 break; 646 break;
647 case TLS1_AD_USER_CANCELLED: 647 case SSL_AD_USER_CANCELLED:
648 str = "US"; 648 str = "US";
649 break; 649 break;
650 case TLS1_AD_NO_RENEGOTIATION: 650 case SSL_AD_NO_RENEGOTIATION:
651 str = "NR"; 651 str = "NR";
652 break; 652 break;
653 case TLS1_AD_UNSUPPORTED_EXTENSION: 653 case SSL_AD_UNSUPPORTED_EXTENSION:
654 str = "UE"; 654 str = "UE";
655 break; 655 break;
656 case TLS1_AD_CERTIFICATE_UNOBTAINABLE: 656 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
657 str = "CO"; 657 str = "CO";
658 break; 658 break;
659 case TLS1_AD_UNRECOGNIZED_NAME: 659 case SSL_AD_UNRECOGNIZED_NAME:
660 str = "UN"; 660 str = "UN";
661 break; 661 break;
662 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 662 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
663 str = "BR"; 663 str = "BR";
664 break; 664 break;
665 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: 665 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
666 str = "BH"; 666 str = "BH";
667 break; 667 break;
668 case TLS1_AD_UNKNOWN_PSK_IDENTITY: 668 case SSL_AD_UNKNOWN_PSK_IDENTITY:
669 str = "UP"; 669 str = "UP";
670 break; 670 break;
671 default: 671 default:
@@ -681,94 +681,94 @@ SSL_alert_desc_string_long(int value)
681 const char *str; 681 const char *str;
682 682
683 switch (value & 0xff) { 683 switch (value & 0xff) {
684 case SSL3_AD_CLOSE_NOTIFY: 684 case SSL_AD_CLOSE_NOTIFY:
685 str = "close notify"; 685 str = "close notify";
686 break; 686 break;
687 case SSL3_AD_UNEXPECTED_MESSAGE: 687 case SSL_AD_UNEXPECTED_MESSAGE:
688 str = "unexpected_message"; 688 str = "unexpected_message";
689 break; 689 break;
690 case SSL3_AD_BAD_RECORD_MAC: 690 case SSL_AD_BAD_RECORD_MAC:
691 str = "bad record mac"; 691 str = "bad record mac";
692 break; 692 break;
693 case SSL3_AD_DECOMPRESSION_FAILURE: 693 case SSL_AD_DECOMPRESSION_FAILURE:
694 str = "decompression failure"; 694 str = "decompression failure";
695 break; 695 break;
696 case SSL3_AD_HANDSHAKE_FAILURE: 696 case SSL_AD_HANDSHAKE_FAILURE:
697 str = "handshake failure"; 697 str = "handshake failure";
698 break; 698 break;
699 case SSL3_AD_NO_CERTIFICATE: 699 case SSL_AD_NO_CERTIFICATE:
700 str = "no certificate"; 700 str = "no certificate";
701 break; 701 break;
702 case SSL3_AD_BAD_CERTIFICATE: 702 case SSL_AD_BAD_CERTIFICATE:
703 str = "bad certificate"; 703 str = "bad certificate";
704 break; 704 break;
705 case SSL3_AD_UNSUPPORTED_CERTIFICATE: 705 case SSL_AD_UNSUPPORTED_CERTIFICATE:
706 str = "unsupported certificate"; 706 str = "unsupported certificate";
707 break; 707 break;
708 case SSL3_AD_CERTIFICATE_REVOKED: 708 case SSL_AD_CERTIFICATE_REVOKED:
709 str = "certificate revoked"; 709 str = "certificate revoked";
710 break; 710 break;
711 case SSL3_AD_CERTIFICATE_EXPIRED: 711 case SSL_AD_CERTIFICATE_EXPIRED:
712 str = "certificate expired"; 712 str = "certificate expired";
713 break; 713 break;
714 case SSL3_AD_CERTIFICATE_UNKNOWN: 714 case SSL_AD_CERTIFICATE_UNKNOWN:
715 str = "certificate unknown"; 715 str = "certificate unknown";
716 break; 716 break;
717 case SSL3_AD_ILLEGAL_PARAMETER: 717 case SSL_AD_ILLEGAL_PARAMETER:
718 str = "illegal parameter"; 718 str = "illegal parameter";
719 break; 719 break;
720 case TLS1_AD_DECRYPTION_FAILED: 720 case SSL_AD_DECRYPTION_FAILED:
721 str = "decryption failed"; 721 str = "decryption failed";
722 break; 722 break;
723 case TLS1_AD_RECORD_OVERFLOW: 723 case SSL_AD_RECORD_OVERFLOW:
724 str = "record overflow"; 724 str = "record overflow";
725 break; 725 break;
726 case TLS1_AD_UNKNOWN_CA: 726 case SSL_AD_UNKNOWN_CA:
727 str = "unknown CA"; 727 str = "unknown CA";
728 break; 728 break;
729 case TLS1_AD_ACCESS_DENIED: 729 case SSL_AD_ACCESS_DENIED:
730 str = "access denied"; 730 str = "access denied";
731 break; 731 break;
732 case TLS1_AD_DECODE_ERROR: 732 case SSL_AD_DECODE_ERROR:
733 str = "decode error"; 733 str = "decode error";
734 break; 734 break;
735 case TLS1_AD_DECRYPT_ERROR: 735 case SSL_AD_DECRYPT_ERROR:
736 str = "decrypt error"; 736 str = "decrypt error";
737 break; 737 break;
738 case TLS1_AD_EXPORT_RESTRICTION: 738 case SSL_AD_EXPORT_RESTRICTION:
739 str = "export restriction"; 739 str = "export restriction";
740 break; 740 break;
741 case TLS1_AD_PROTOCOL_VERSION: 741 case SSL_AD_PROTOCOL_VERSION:
742 str = "protocol version"; 742 str = "protocol version";
743 break; 743 break;
744 case TLS1_AD_INSUFFICIENT_SECURITY: 744 case SSL_AD_INSUFFICIENT_SECURITY:
745 str = "insufficient security"; 745 str = "insufficient security";
746 break; 746 break;
747 case TLS1_AD_INTERNAL_ERROR: 747 case SSL_AD_INTERNAL_ERROR:
748 str = "internal error"; 748 str = "internal error";
749 break; 749 break;
750 case TLS1_AD_USER_CANCELLED: 750 case SSL_AD_USER_CANCELLED:
751 str = "user canceled"; 751 str = "user canceled";
752 break; 752 break;
753 case TLS1_AD_NO_RENEGOTIATION: 753 case SSL_AD_NO_RENEGOTIATION:
754 str = "no renegotiation"; 754 str = "no renegotiation";
755 break; 755 break;
756 case TLS1_AD_UNSUPPORTED_EXTENSION: 756 case SSL_AD_UNSUPPORTED_EXTENSION:
757 str = "unsupported extension"; 757 str = "unsupported extension";
758 break; 758 break;
759 case TLS1_AD_CERTIFICATE_UNOBTAINABLE: 759 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
760 str = "certificate unobtainable"; 760 str = "certificate unobtainable";
761 break; 761 break;
762 case TLS1_AD_UNRECOGNIZED_NAME: 762 case SSL_AD_UNRECOGNIZED_NAME:
763 str = "unrecognized name"; 763 str = "unrecognized name";
764 break; 764 break;
765 case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 765 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
766 str = "bad certificate status response"; 766 str = "bad certificate status response";
767 break; 767 break;
768 case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: 768 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
769 str = "bad certificate hash value"; 769 str = "bad certificate hash value";
770 break; 770 break;
771 case TLS1_AD_UNKNOWN_PSK_IDENTITY: 771 case SSL_AD_UNKNOWN_PSK_IDENTITY:
772 str = "unknown PSK identity"; 772 str = "unknown PSK identity";
773 break; 773 break;
774 default: 774 default:
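Review bot: Neither switch has an arm for the inappropriate_fallback alert: in both SSL_alert_desc_string and SSL_alert_desc_string_long the visible case list runs from SSL_AD_CLOSE_NOTIFY to SSL_AD_UNKNOWN_PSK_IDENTITY and then reaches `default:`, so a downgrade-protection alert from a peer would be reported with whatever the default string is. Assuming ssl.h defines SSL_AD_INAPPROPRIATE_FALLBACK alongside the other SSL_AD_* names, I would add `case SSL_AD_INAPPROPRIATE_FALLBACK: str = "inappropriate fallback"; break;` to the long form and a matching two-letter arm to the short form, since this is an alert an operator wants to see named in logs. The body of `default:` and the end of both functions lie outside the hunks, so this rests on the visible case list only.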
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 8cc86d4649..035d6b4564 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.94 2021/06/08 19:34:44 tb Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -139,7 +139,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
139 CBS list, proto; 139 CBS list, proto;
140 140
141 if (s->internal->alpn_client_proto_list == NULL) { 141 if (s->internal->alpn_client_proto_list == NULL) {
142 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 142 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
143 return 0; 143 return 0;
144 } 144 }
145 145
@@ -163,7 +163,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
163 return 1; 163 return 1;
164 164
165 err: 165 err:
166 *alert = TLS1_AD_DECODE_ERROR; 166 *alert = SSL_AD_DECODE_ERROR;
167 return 0; 167 return 0;
168} 168}
169 169
@@ -258,7 +258,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
258 258
259 if ((groups = reallocarray(NULL, groups_len, 259 if ((groups = reallocarray(NULL, groups_len,
260 sizeof(uint16_t))) == NULL) { 260 sizeof(uint16_t))) == NULL) {
261 *alert = TLS1_AD_INTERNAL_ERROR; 261 *alert = SSL_AD_INTERNAL_ERROR;
262 return 0; 262 return 0;
263 } 263 }
264 264
@@ -281,7 +281,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
281 return 1; 281 return 1;
282 282
283 err: 283 err:
284 *alert = TLS1_AD_DECODE_ERROR; 284 *alert = SSL_AD_DECODE_ERROR;
285 return 0; 285 return 0;
286} 286}
287 287
@@ -313,7 +313,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
313 * https://support.f5.com/csp/article/K37345003 313 * https://support.f5.com/csp/article/K37345003
314 */ 314 */
315 if (!CBS_skip(cbs, CBS_len(cbs))) { 315 if (!CBS_skip(cbs, CBS_len(cbs))) {
316 *alert = TLS1_AD_INTERNAL_ERROR; 316 *alert = SSL_AD_INTERNAL_ERROR;
317 return 0; 317 return 0;
318 } 318 }
319 319
@@ -362,14 +362,14 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
363 if (!CBS_contains_zero_byte(&ecpf)) { 363 if (!CBS_contains_zero_byte(&ecpf)) {
364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
365 *alert = SSL3_AD_ILLEGAL_PARAMETER; 365 *alert = SSL_AD_ILLEGAL_PARAMETER;
366 return 0; 366 return 0;
367 } 367 }
368 368
369 if (!s->internal->hit) { 369 if (!s->internal->hit) {
370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
371 &(SSI(s)->tlsext_ecpointformatlist_length))) { 371 &(SSI(s)->tlsext_ecpointformatlist_length))) {
372 *alert = TLS1_AD_INTERNAL_ERROR; 372 *alert = SSL_AD_INTERNAL_ERROR;
373 return 0; 373 return 0;
374 } 374 }
375 } 375 }
@@ -505,7 +505,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
505 S3I(s)->previous_server_finished_len != 0) || 505 S3I(s)->previous_server_finished_len != 0) ||
506 (S3I(s)->previous_client_finished_len != 0 && 506 (S3I(s)->previous_client_finished_len != 0 &&
507 S3I(s)->previous_server_finished_len == 0)) { 507 S3I(s)->previous_server_finished_len == 0)) {
508 *alert = TLS1_AD_INTERNAL_ERROR; 508 *alert = SSL_AD_INTERNAL_ERROR;
509 return 0; 509 return 0;
510 } 510 }
511 511
@@ -737,7 +737,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
737 * other implementations appear more tolerant. 737 * other implementations appear more tolerant.
738 */ 738 */
739 if (name_type != TLSEXT_NAMETYPE_host_name) { 739 if (name_type != TLSEXT_NAMETYPE_host_name) {
740 *alert = SSL3_AD_ILLEGAL_PARAMETER; 740 *alert = SSL_AD_ILLEGAL_PARAMETER;
741 goto err; 741 goto err;
742 } 742 }
743 743
@@ -752,25 +752,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
752 goto err; 752 goto err;
753 753
754 if (!tlsext_sni_is_valid_hostname(&host_name)) { 754 if (!tlsext_sni_is_valid_hostname(&host_name)) {
755 *alert = SSL3_AD_ILLEGAL_PARAMETER; 755 *alert = SSL_AD_ILLEGAL_PARAMETER;
756 goto err; 756 goto err;
757 } 757 }
758 758
759 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 759 if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
760 if (s->session->tlsext_hostname == NULL) { 760 if (s->session->tlsext_hostname == NULL) {
761 *alert = TLS1_AD_UNRECOGNIZED_NAME; 761 *alert = SSL_AD_UNRECOGNIZED_NAME;
762 goto err; 762 goto err;
763 } 763 }
764 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 764 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
765 strlen(s->session->tlsext_hostname))) { 765 strlen(s->session->tlsext_hostname))) {
766 *alert = TLS1_AD_UNRECOGNIZED_NAME; 766 *alert = SSL_AD_UNRECOGNIZED_NAME;
767 goto err; 767 goto err;
768 } 768 }
769 } else { 769 } else {
770 if (s->session->tlsext_hostname != NULL) 770 if (s->session->tlsext_hostname != NULL)
771 goto err; 771 goto err;
772 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 772 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
773 *alert = TLS1_AD_INTERNAL_ERROR; 773 *alert = SSL_AD_INTERNAL_ERROR;
774 goto err; 774 goto err;
775 } 775 }
776 } 776 }
@@ -780,7 +780,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
780 * therefore we allow only one entry. 780 * therefore we allow only one entry.
781 */ 781 */
782 if (CBS_len(&server_name_list) != 0) { 782 if (CBS_len(&server_name_list) != 0) {
783 *alert = SSL3_AD_ILLEGAL_PARAMETER; 783 *alert = SSL_AD_ILLEGAL_PARAMETER;
784 goto err; 784 goto err;
785 } 785 }
786 if (CBS_len(cbs) != 0) 786 if (CBS_len(cbs) != 0)
@@ -811,18 +811,18 @@ int
811tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 811tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
812{ 812{
813 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 813 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
814 *alert = TLS1_AD_UNRECOGNIZED_NAME; 814 *alert = SSL_AD_UNRECOGNIZED_NAME;
815 return 0; 815 return 0;
816 } 816 }
817 817
818 if (s->internal->hit) { 818 if (s->internal->hit) {
819 if (s->session->tlsext_hostname == NULL) { 819 if (s->session->tlsext_hostname == NULL) {
820 *alert = TLS1_AD_UNRECOGNIZED_NAME; 820 *alert = SSL_AD_UNRECOGNIZED_NAME;
821 return 0; 821 return 0;
822 } 822 }
823 if (strcmp(s->tlsext_hostname, 823 if (strcmp(s->tlsext_hostname,
824 s->session->tlsext_hostname) != 0) { 824 s->session->tlsext_hostname) != 0) {
825 *alert = TLS1_AD_UNRECOGNIZED_NAME; 825 *alert = SSL_AD_UNRECOGNIZED_NAME;
826 return 0; 826 return 0;
827 } 827 }
828 } else { 828 } else {
@@ -832,7 +832,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
832 } 832 }
833 if ((s->session->tlsext_hostname = 833 if ((s->session->tlsext_hostname =
834 strdup(s->tlsext_hostname)) == NULL) { 834 strdup(s->tlsext_hostname)) == NULL) {
835 *alert = TLS1_AD_INTERNAL_ERROR; 835 *alert = SSL_AD_INTERNAL_ERROR;
836 return 0; 836 return 0;
837 } 837 }
838 } 838 }
@@ -917,7 +917,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
917 s->tlsext_status_type = -1; 917 s->tlsext_status_type = -1;
918 918
919 if (!CBS_skip(cbs, CBS_len(cbs))) { 919 if (!CBS_skip(cbs, CBS_len(cbs))) {
920 *alert = TLS1_AD_INTERNAL_ERROR; 920 *alert = SSL_AD_INTERNAL_ERROR;
921 return 0; 921 return 0;
922 } 922 }
923 return 1; 923 return 1;
@@ -1051,7 +1051,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1051 } 1051 }
1052 } else { 1052 } else {
1053 if (s->tlsext_status_type == -1) { 1053 if (s->tlsext_status_type == -1) {
1054 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1054 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1055 return 0; 1055 return 0;
1056 } 1056 }
1057 /* Set flag to expect CertificateStatus message */ 1057 /* Set flag to expect CertificateStatus message */
@@ -1135,14 +1135,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1135 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1135 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1136 (int)CBS_len(cbs), 1136 (int)CBS_len(cbs),
1137 s->internal->tls_session_ticket_ext_cb_arg)) { 1137 s->internal->tls_session_ticket_ext_cb_arg)) {
1138 *alert = TLS1_AD_INTERNAL_ERROR; 1138 *alert = SSL_AD_INTERNAL_ERROR;
1139 return 0; 1139 return 0;
1140 } 1140 }
1141 } 1141 }
1142 1142
1143 /* We need to signal that this was processed fully */ 1143 /* We need to signal that this was processed fully */
1144 if (!CBS_skip(cbs, CBS_len(cbs))) { 1144 if (!CBS_skip(cbs, CBS_len(cbs))) {
1145 *alert = TLS1_AD_INTERNAL_ERROR; 1145 *alert = SSL_AD_INTERNAL_ERROR;
1146 return 0; 1146 return 0;
1147 } 1147 }
1148 1148
@@ -1171,13 +1171,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1171 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1171 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1172 (int)CBS_len(cbs), 1172 (int)CBS_len(cbs),
1173 s->internal->tls_session_ticket_ext_cb_arg)) { 1173 s->internal->tls_session_ticket_ext_cb_arg)) {
1174 *alert = TLS1_AD_INTERNAL_ERROR; 1174 *alert = SSL_AD_INTERNAL_ERROR;
1175 return 0; 1175 return 0;
1176 } 1176 }
1177 } 1177 }
1178 1178
1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1180 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1180 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1181 return 0; 1181 return 0;
1182 } 1182 }
1183 1183
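Review bot: Some failure paths in tlsext_sni_server_parse leave `*alert` untouched, namely the bare `goto err;` at new lines 752 and 771, so the alert sent for them is whatever the caller stored before the call. That default is not part of this diff; it is worth confirming that it was also switched to an SSL_AD_* value, otherwise the alert families remain mixed on exactly these paths. A short comment at the bare sites, such as `/* *alert keeps the caller's default */`, would make the reliance explicit for the next reader. The function's `err:` label and its caller are outside the hunks, so this is inferred from the visible lines.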