8 files changed, 39 insertions, 39 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0a1b6ea241..b6dcb8888d 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.69 2020/06/05 17:53:26 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.70 2020/07/03 04:12:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -775,7 +775,7 @@ ssl3_send_client_hello(SSL *s)
                        goto err;
                /* TLS extensions */
-                if (!tlsext_client_build(s, &client_hello, SSL_TLSEXT_MSG_CH)) {
+                if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -1024,7 +1024,7 @@ ssl3_get_server_hello(SSL *s)
                goto f_err;
        }
-        if (!tlsext_client_parse(s, &cbs, &al, SSL_TLSEXT_MSG_SH)) {
+        if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
                SSLerror(s, SSL_R_PARSE_TLSEXT);
                goto f_err;
        }
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 706ad1453b..67671f276c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.79 2020/06/05 17:53:26 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.80 2020/07/03 04:12:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1025,7 +1025,7 @@ ssl3_get_client_hello(SSL *s)
                goto f_err;
        }
-        if (!tlsext_server_parse(s, &cbs, &al, SSL_TLSEXT_MSG_CH)) {
+        if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) {
                SSLerror(s, SSL_R_PARSE_TLSEXT);
                goto f_err;
        }
@@ -1233,7 +1233,7 @@ ssl3_send_server_hello(SSL *s)
                        goto err;
                /* TLS extensions */
-                if (!tlsext_server_build(s, &server_hello, SSL_TLSEXT_MSG_SH)) {
+                if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        goto err;
                }
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index f6943c83ae..2b91a087af 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.76 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2009,7 +2009,7 @@ tlsext_funcs(struct tls_extension *tlsext, int is_server)
 }
 static int
-tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type)
+tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
 {
        struct tls_extension_funcs *ext;
        struct tls_extension *tlsext;
@@ -2087,7 +2087,7 @@ tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
 }
 static int
-tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
+tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
 {
        struct tls_extension_funcs *ext;
        struct tls_extension *tlsext;
@@ -2175,19 +2175,19 @@ tlsext_server_reset_state(SSL *s)
 }
 int
-tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type)
+tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        return tlsext_build(s, cbb, 1, msg_type);
+        return tlsext_build(s, 1, msg_type, cbb);
 }
 int
-tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type)
+tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 {
        /* XXX - this should be done by the caller... */
        if (msg_type == SSL_TLSEXT_MSG_CH)
                tlsext_server_reset_state(s);
-        return tlsext_parse(s, cbs, alert, 1, msg_type);
+        return tlsext_parse(s, 1, msg_type, cbs, alert);
 }
 static void
@@ -2199,17 +2199,17 @@ tlsext_client_reset_state(SSL *s)
 }
 int
-tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type)
+tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        return tlsext_build(s, cbb, 0, msg_type);
+        return tlsext_build(s, 0, msg_type, cbb);
 }
 int
-tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type)
+tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 {
        /* XXX - this should be done by the caller... */
        if (msg_type == SSL_TLSEXT_MSG_SH)
                tlsext_client_reset_state(s);
-        return tlsext_parse(s, cbs, alert, 0, msg_type);
+        return tlsext_parse(s, 0, msg_type, cbs, alert);
 }
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 15e0257e63..e2aafa7815 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.h,v 1.23 2020/05/23 17:13:24 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.h,v 1.24 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -118,11 +118,11 @@ int tlsext_srtp_server_build(SSL *s, CBB *cbb);
 int tlsext_srtp_server_parse(SSL *s, CBS *cbs, int *alert);
 #endif
-int tlsext_client_build(SSL *s, CBB *cbb, uint16_t msg_type);
+int tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb);
-int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
+int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
-int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type);
+int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb);
-int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
+int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
 struct tls_extension *tls_extension_find(uint16_t, size_t *);
 int tlsext_extension_seen(SSL *s, uint16_t);
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index e2f61f6c08..bd72db8be0 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.65 2020/06/04 18:41:42 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.66 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -118,7 +118,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
        if (!CBB_add_u8(&compression_methods, 0))
                goto err;
-        if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH))
+        if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb))
                goto err;
        if (!CBB_flush(cbb))
@@ -265,7 +265,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                ctx->hs->hrr = 1;
        }
-        if (!tlsext_client_parse(s, cbs, &alert_desc, tlsext_msg_type)) {
+        if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
                ctx->alert = alert_desc;
                goto err;
        }
@@ -504,7 +504,7 @@ tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        int alert_desc;
-        if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) {
+        if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) {
                ctx->alert = alert_desc;
                goto err;
        }
@@ -540,7 +540,7 @@ tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (CBS_len(&cert_request_context) != 0)
                goto err;
-        if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_CR)) {
+        if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) {
                ctx->alert = alert_desc;
                goto err;
        }
@@ -580,8 +580,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
                if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
                        goto err;
-                if (!tlsext_client_parse(ctx->ssl, &cert_list, &alert_desc,
+                if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT,
-                    SSL_TLSEXT_MSG_CT)) {
+                    &cert_list, &alert_desc)) {
                        ctx->alert = alert_desc;
                        goto err;
                }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index a18184f505..f35f09bbb1 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.84 2020/06/06 01:40:09 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.85 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -383,7 +383,7 @@ int tls13_server_finished_sent(struct tls13_ctx *ctx);
 void tls13_error_clear(struct tls13_error *error);
 int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type));
+    int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb));
 int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
 int tls13_clienthello_hash_init(struct tls13_ctx *ctx);
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index b5939aecab..8fef39a12f 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.51 2020/06/06 01:40:09 beck Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.52 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -415,7 +415,7 @@ tls13_ctx_free(struct tls13_ctx *ctx)
 int
 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
-    int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type))
+    int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
 {
        CBB cert_data;
        uint8_t *data;
@@ -431,7 +431,7 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
        if (i2d_X509(cert, &data) != cert_len)
                return 0;
        if (build_extensions != NULL) {
-                if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
+                if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
                        return 0;
        } else {
                CBB cert_exts;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 12601fa33d..a5c03b610c 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.60 2020/06/25 07:35:05 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -191,7 +191,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        }
-        if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {
+        if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
                ctx->alert = alert_desc;
                goto err;
        }
@@ -330,7 +330,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
                goto err;
        if (!CBB_add_u8(cbb, 0))
                goto err;
-        if (!tlsext_server_build(s, cbb, tlsext_msg_type))
+        if (!tlsext_server_build(s, tlsext_msg_type, cbb))
                goto err;
        if (!CBB_flush(cbb))
@@ -511,7 +511,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
 int
 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE))
+        if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
                goto err;
        return 1;
@@ -526,7 +526,7 @@ tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
                goto err;
-        if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
+        if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
                goto err;
        if (!CBB_flush(cbb))

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 0a1b6ea241..b6dcb8888d 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.69 2020/06/05 17:53:26 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.70 2020/07/03 04:12:50 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -775,7 +775,7 @@ ssl3_send_client_hello(SSL *s)
775	goto err;	775	goto err;
776		776
777	/* TLS extensions */	777	/* TLS extensions */
778	if (!tlsext_client_build(s, &client_hello, SSL_TLSEXT_MSG_CH)) {	778	if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
779	SSLerror(s, ERR_R_INTERNAL_ERROR);	779	SSLerror(s, ERR_R_INTERNAL_ERROR);
780	goto err;	780	goto err;
781	}	781	}
@@ -1024,7 +1024,7 @@ ssl3_get_server_hello(SSL *s)
1024	goto f_err;	1024	goto f_err;
1025	}	1025	}
1026		1026
1027	if (!tlsext_client_parse(s, &cbs, &al, SSL_TLSEXT_MSG_SH)) {	1027	if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
1028	SSLerror(s, SSL_R_PARSE_TLSEXT);	1028	SSLerror(s, SSL_R_PARSE_TLSEXT);
1029	goto f_err;	1029	goto f_err;
1030	}	1030	}


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 706ad1453b..67671f276c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.79 2020/06/05 17:53:26 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.80 2020/07/03 04:12:50 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1025,7 +1025,7 @@ ssl3_get_client_hello(SSL *s)
1025	goto f_err;	1025	goto f_err;
1026	}	1026	}
1027		1027
1028	if (!tlsext_server_parse(s, &cbs, &al, SSL_TLSEXT_MSG_CH)) {	1028	if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) {
1029	SSLerror(s, SSL_R_PARSE_TLSEXT);	1029	SSLerror(s, SSL_R_PARSE_TLSEXT);
1030	goto f_err;	1030	goto f_err;
1031	}	1031	}
@@ -1233,7 +1233,7 @@ ssl3_send_server_hello(SSL *s)
1233	goto err;	1233	goto err;
1234		1234
1235	/* TLS extensions */	1235	/* TLS extensions */
1236	if (!tlsext_server_build(s, &server_hello, SSL_TLSEXT_MSG_SH)) {	1236	if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) {
1237	SSLerror(s, ERR_R_INTERNAL_ERROR);	1237	SSLerror(s, ERR_R_INTERNAL_ERROR);
1238	goto err;	1238	goto err;
1239	}	1239	}


diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index f6943c83ae..2b91a087af 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.76 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2009,7 +2009,7 @@ tlsext_funcs(struct tls_extension *tlsext, int is_server)
2009	}	2009	}
2010		2010
2011	static int	2011	static int
2012	tlsext_build(SSL s, CBB cbb, int is_server, uint16_t msg_type)	2012	tlsext_build(SSL s, int is_server, uint16_t msg_type, CBB cbb)
2013	{	2013	{
2014	struct tls_extension_funcs *ext;	2014	struct tls_extension_funcs *ext;
2015	struct tls_extension *tlsext;	2015	struct tls_extension *tlsext;
@@ -2087,7 +2087,7 @@ tlsext_clienthello_hash_extension(SSL s, uint16_t type, CBS cbs)
2087	}	2087	}
2088		2088
2089	static int	2089	static int
2090	tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)	2090	tlsext_parse(SSL s, int is_server, uint16_t msg_type, CBS cbs, int *alert)
2091	{	2091	{
2092	struct tls_extension_funcs *ext;	2092	struct tls_extension_funcs *ext;
2093	struct tls_extension *tlsext;	2093	struct tls_extension *tlsext;
@@ -2175,19 +2175,19 @@ tlsext_server_reset_state(SSL *s)
2175	}	2175	}
2176		2176
2177	int	2177	int
2178	tlsext_server_build(SSL s, CBB cbb, uint16_t msg_type)	2178	tlsext_server_build(SSL s, uint16_t msg_type, CBB cbb)
2179	{	2179	{
2180	return tlsext_build(s, cbb, 1, msg_type);	2180	return tlsext_build(s, 1, msg_type, cbb);
2181	}	2181	}
2182		2182
2183	int	2183	int
2184	tlsext_server_parse(SSL s, CBS cbs, int *alert, uint16_t msg_type)	2184	tlsext_server_parse(SSL s, uint16_t msg_type, CBS cbs, int *alert)
2185	{	2185	{
2186	/* XXX - this should be done by the caller... */	2186	/* XXX - this should be done by the caller... */
2187	if (msg_type == SSL_TLSEXT_MSG_CH)	2187	if (msg_type == SSL_TLSEXT_MSG_CH)
2188	tlsext_server_reset_state(s);	2188	tlsext_server_reset_state(s);
2189		2189
2190	return tlsext_parse(s, cbs, alert, 1, msg_type);	2190	return tlsext_parse(s, 1, msg_type, cbs, alert);
2191	}	2191	}
2192		2192
2193	static void	2193	static void
@@ -2199,17 +2199,17 @@ tlsext_client_reset_state(SSL *s)
2199	}	2199	}
2200		2200
2201	int	2201	int
2202	tlsext_client_build(SSL s, CBB cbb, uint16_t msg_type)	2202	tlsext_client_build(SSL s, uint16_t msg_type, CBB cbb)
2203	{	2203	{
2204	return tlsext_build(s, cbb, 0, msg_type);	2204	return tlsext_build(s, 0, msg_type, cbb);
2205	}	2205	}
2206		2206
2207	int	2207	int
2208	tlsext_client_parse(SSL s, CBS cbs, int *alert, uint16_t msg_type)	2208	tlsext_client_parse(SSL s, uint16_t msg_type, CBS cbs, int *alert)
2209	{	2209	{
2210	/* XXX - this should be done by the caller... */	2210	/* XXX - this should be done by the caller... */
2211	if (msg_type == SSL_TLSEXT_MSG_SH)	2211	if (msg_type == SSL_TLSEXT_MSG_SH)
2212	tlsext_client_reset_state(s);	2212	tlsext_client_reset_state(s);
2213		2213
2214	return tlsext_parse(s, cbs, alert, 0, msg_type);	2214	return tlsext_parse(s, 0, msg_type, cbs, alert);
2215	}	2215	}


diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h index 15e0257e63..e2aafa7815 100644 --- a/src/lib/libssl/ssl_tlsext.h +++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.h,v 1.23 2020/05/23 17:13:24 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.h,v 1.24 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -118,11 +118,11 @@ int tlsext_srtp_server_build(SSL s, CBB cbb);
118	int tlsext_srtp_server_parse(SSL s, CBS cbs, int *alert);	118	int tlsext_srtp_server_parse(SSL s, CBS cbs, int *alert);
119	#endif	119	#endif
120		120
121	int tlsext_client_build(SSL s, CBB cbb, uint16_t msg_type);	121	int tlsext_client_build(SSL s, uint16_t msg_type, CBB cbb);
122	int tlsext_client_parse(SSL s, CBS cbs, int *alert, uint16_t msg_type);	122	int tlsext_client_parse(SSL s, uint16_t msg_type, CBS cbs, int *alert);
123		123
124	int tlsext_server_build(SSL s, CBB cbb, uint16_t msg_type);	124	int tlsext_server_build(SSL s, uint16_t msg_type, CBB cbb);
125	int tlsext_server_parse(SSL s, CBS cbs, int *alert, uint16_t msg_type);	125	int tlsext_server_parse(SSL s, uint16_t msg_type, CBS cbs, int *alert);
126		126
127	struct tls_extension tls_extension_find(uint16_t, size_t );	127	struct tls_extension tls_extension_find(uint16_t, size_t );
128	int tlsext_extension_seen(SSL *s, uint16_t);	128	int tlsext_extension_seen(SSL *s, uint16_t);


diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index e2f61f6c08..bd72db8be0 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.65 2020/06/04 18:41:42 tb Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.66 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -118,7 +118,7 @@ tls13_client_hello_build(struct tls13_ctx ctx, CBB cbb)
118	if (!CBB_add_u8(&compression_methods, 0))	118	if (!CBB_add_u8(&compression_methods, 0))
119	goto err;	119	goto err;
120		120
121	if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH))	121	if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb))
122	goto err;	122	goto err;
123		123
124	if (!CBB_flush(cbb))	124	if (!CBB_flush(cbb))
@@ -265,7 +265,7 @@ tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
265	ctx->hs->hrr = 1;	265	ctx->hs->hrr = 1;
266	}	266	}
267		267
268	if (!tlsext_client_parse(s, cbs, &alert_desc, tlsext_msg_type)) {	268	if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
269	ctx->alert = alert_desc;	269	ctx->alert = alert_desc;
270	goto err;	270	goto err;
271	}	271	}
@@ -504,7 +504,7 @@ tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs)
504	{	504	{
505	int alert_desc;	505	int alert_desc;
506		506
507	if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) {	507	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) {
508	ctx->alert = alert_desc;	508	ctx->alert = alert_desc;
509	goto err;	509	goto err;
510	}	510	}
@@ -540,7 +540,7 @@ tls13_server_certificate_request_recv(struct tls13_ctx ctx, CBS cbs)
540	if (CBS_len(&cert_request_context) != 0)	540	if (CBS_len(&cert_request_context) != 0)
541	goto err;	541	goto err;
542		542
543	if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_CR)) {	543	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) {
544	ctx->alert = alert_desc;	544	ctx->alert = alert_desc;
545	goto err;	545	goto err;
546	}	546	}
@@ -580,8 +580,8 @@ tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)
580	if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))	580	if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
581	goto err;	581	goto err;
582		582
583	if (!tlsext_client_parse(ctx->ssl, &cert_list, &alert_desc,	583	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT,
584	SSL_TLSEXT_MSG_CT)) {	584	&cert_list, &alert_desc)) {
585	ctx->alert = alert_desc;	585	ctx->alert = alert_desc;
586	goto err;	586	goto err;
587	}	587	}


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index a18184f505..f35f09bbb1 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.84 2020/06/06 01:40:09 beck Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.85 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -383,7 +383,7 @@ int tls13_server_finished_sent(struct tls13_ctx *ctx);
383		383
384	void tls13_error_clear(struct tls13_error *error);	384	void tls13_error_clear(struct tls13_error *error);
385	int tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,	385	int tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
386	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type));	386	int(build_extensions)(SSL s, uint16_t msg_type, CBB *cbb));
387		387
388	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);	388	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
389	int tls13_clienthello_hash_init(struct tls13_ctx *ctx);	389	int tls13_clienthello_hash_init(struct tls13_ctx *ctx);


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index b5939aecab..8fef39a12f 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.51 2020/06/06 01:40:09 beck Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.52 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -415,7 +415,7 @@ tls13_ctx_free(struct tls13_ctx *ctx)
415		415
416	int	416	int
417	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,	417	tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
418	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type))	418	int(build_extensions)(SSL s, uint16_t msg_type, CBB *cbb))
419	{	419	{
420	CBB cert_data;	420	CBB cert_data;
421	uint8_t *data;	421	uint8_t *data;
@@ -431,7 +431,7 @@ tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
431	if (i2d_X509(cert, &data) != cert_len)	431	if (i2d_X509(cert, &data) != cert_len)
432	return 0;	432	return 0;
433	if (build_extensions != NULL) {	433	if (build_extensions != NULL) {
434	if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))	434	if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
435	return 0;	435	return 0;
436	} else {	436	} else {
437	CBB cert_exts;	437	CBB cert_exts;


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 12601fa33d..a5c03b610c 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.60 2020/06/25 07:35:05 tb Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -191,7 +191,7 @@ tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
191	goto err;	191	goto err;
192	}	192	}
193		193
194	if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {	194	if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
195	ctx->alert = alert_desc;	195	ctx->alert = alert_desc;
196	goto err;	196	goto err;
197	}	197	}
@@ -330,7 +330,7 @@ tls13_server_hello_build(struct tls13_ctx ctx, CBB cbb, int hrr)
330	goto err;	330	goto err;
331	if (!CBB_add_u8(cbb, 0))	331	if (!CBB_add_u8(cbb, 0))
332	goto err;	332	goto err;
333	if (!tlsext_server_build(s, cbb, tlsext_msg_type))	333	if (!tlsext_server_build(s, tlsext_msg_type, cbb))
334	goto err;	334	goto err;
335		335
336	if (!CBB_flush(cbb))	336	if (!CBB_flush(cbb))
@@ -511,7 +511,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
511	int	511	int
512	tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb)	512	tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb)
513	{	513	{
514	if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE))	514	if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
515	goto err;	515	goto err;
516		516
517	return 1;	517	return 1;
@@ -526,7 +526,7 @@ tls13_server_certificate_request_send(struct tls13_ctx ctx, CBB cbb)
526		526
527	if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))	527	if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
528	goto err;	528	goto err;
529	if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))	529	if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
530	goto err;	530	goto err;
531		531
532	if (!CBB_flush(cbb))	532	if (!CBB_flush(cbb))