Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
-rw-r--r--src/lib/libssl/ssl_tlsext.c50
1 files changed, 25 insertions, 25 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 8cc86d4649..035d6b4564 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.94 2021/06/08 19:34:44 tb Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -139,7 +139,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
139 CBS list, proto; 139 CBS list, proto;
140 140
141 if (s->internal->alpn_client_proto_list == NULL) { 141 if (s->internal->alpn_client_proto_list == NULL) {
142 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 142 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
143 return 0; 143 return 0;
144 } 144 }
145 145
@@ -163,7 +163,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
163 return 1; 163 return 1;
164 164
165 err: 165 err:
166 *alert = TLS1_AD_DECODE_ERROR; 166 *alert = SSL_AD_DECODE_ERROR;
167 return 0; 167 return 0;
168} 168}
169 169
@@ -258,7 +258,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
258 258
259 if ((groups = reallocarray(NULL, groups_len, 259 if ((groups = reallocarray(NULL, groups_len,
260 sizeof(uint16_t))) == NULL) { 260 sizeof(uint16_t))) == NULL) {
261 *alert = TLS1_AD_INTERNAL_ERROR; 261 *alert = SSL_AD_INTERNAL_ERROR;
262 return 0; 262 return 0;
263 } 263 }
264 264
@@ -281,7 +281,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
281 return 1; 281 return 1;
282 282
283 err: 283 err:
284 *alert = TLS1_AD_DECODE_ERROR; 284 *alert = SSL_AD_DECODE_ERROR;
285 return 0; 285 return 0;
286} 286}
287 287
@@ -313,7 +313,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
313 * https://support.f5.com/csp/article/K37345003 313 * https://support.f5.com/csp/article/K37345003
314 */ 314 */
315 if (!CBS_skip(cbs, CBS_len(cbs))) { 315 if (!CBS_skip(cbs, CBS_len(cbs))) {
316 *alert = TLS1_AD_INTERNAL_ERROR; 316 *alert = SSL_AD_INTERNAL_ERROR;
317 return 0; 317 return 0;
318 } 318 }
319 319
@@ -362,14 +362,14 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ 362 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
363 if (!CBS_contains_zero_byte(&ecpf)) { 363 if (!CBS_contains_zero_byte(&ecpf)) {
364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 364 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
365 *alert = SSL3_AD_ILLEGAL_PARAMETER; 365 *alert = SSL_AD_ILLEGAL_PARAMETER;
366 return 0; 366 return 0;
367 } 367 }
368 368
369 if (!s->internal->hit) { 369 if (!s->internal->hit) {
370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), 370 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
371 &(SSI(s)->tlsext_ecpointformatlist_length))) { 371 &(SSI(s)->tlsext_ecpointformatlist_length))) {
372 *alert = TLS1_AD_INTERNAL_ERROR; 372 *alert = SSL_AD_INTERNAL_ERROR;
373 return 0; 373 return 0;
374 } 374 }
375 } 375 }
@@ -505,7 +505,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
505 S3I(s)->previous_server_finished_len != 0) || 505 S3I(s)->previous_server_finished_len != 0) ||
506 (S3I(s)->previous_client_finished_len != 0 && 506 (S3I(s)->previous_client_finished_len != 0 &&
507 S3I(s)->previous_server_finished_len == 0)) { 507 S3I(s)->previous_server_finished_len == 0)) {
508 *alert = TLS1_AD_INTERNAL_ERROR; 508 *alert = SSL_AD_INTERNAL_ERROR;
509 return 0; 509 return 0;
510 } 510 }
511 511
@@ -737,7 +737,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
737 * other implementations appear more tolerant. 737 * other implementations appear more tolerant.
738 */ 738 */
739 if (name_type != TLSEXT_NAMETYPE_host_name) { 739 if (name_type != TLSEXT_NAMETYPE_host_name) {
740 *alert = SSL3_AD_ILLEGAL_PARAMETER; 740 *alert = SSL_AD_ILLEGAL_PARAMETER;
741 goto err; 741 goto err;
742 } 742 }
743 743
@@ -752,25 +752,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
752 goto err; 752 goto err;
753 753
754 if (!tlsext_sni_is_valid_hostname(&host_name)) { 754 if (!tlsext_sni_is_valid_hostname(&host_name)) {
755 *alert = SSL3_AD_ILLEGAL_PARAMETER; 755 *alert = SSL_AD_ILLEGAL_PARAMETER;
756 goto err; 756 goto err;
757 } 757 }
758 758
759 if (s->internal->hit || S3I(s)->hs.tls13.hrr) { 759 if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
760 if (s->session->tlsext_hostname == NULL) { 760 if (s->session->tlsext_hostname == NULL) {
761 *alert = TLS1_AD_UNRECOGNIZED_NAME; 761 *alert = SSL_AD_UNRECOGNIZED_NAME;
762 goto err; 762 goto err;
763 } 763 }
764 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, 764 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
765 strlen(s->session->tlsext_hostname))) { 765 strlen(s->session->tlsext_hostname))) {
766 *alert = TLS1_AD_UNRECOGNIZED_NAME; 766 *alert = SSL_AD_UNRECOGNIZED_NAME;
767 goto err; 767 goto err;
768 } 768 }
769 } else { 769 } else {
770 if (s->session->tlsext_hostname != NULL) 770 if (s->session->tlsext_hostname != NULL)
771 goto err; 771 goto err;
772 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { 772 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
773 *alert = TLS1_AD_INTERNAL_ERROR; 773 *alert = SSL_AD_INTERNAL_ERROR;
774 goto err; 774 goto err;
775 } 775 }
776 } 776 }
@@ -780,7 +780,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
780 * therefore we allow only one entry. 780 * therefore we allow only one entry.
781 */ 781 */
782 if (CBS_len(&server_name_list) != 0) { 782 if (CBS_len(&server_name_list) != 0) {
783 *alert = SSL3_AD_ILLEGAL_PARAMETER; 783 *alert = SSL_AD_ILLEGAL_PARAMETER;
784 goto err; 784 goto err;
785 } 785 }
786 if (CBS_len(cbs) != 0) 786 if (CBS_len(cbs) != 0)
@@ -811,18 +811,18 @@ int
811tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 811tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
812{ 812{
813 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 813 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
814 *alert = TLS1_AD_UNRECOGNIZED_NAME; 814 *alert = SSL_AD_UNRECOGNIZED_NAME;
815 return 0; 815 return 0;
816 } 816 }
817 817
818 if (s->internal->hit) { 818 if (s->internal->hit) {
819 if (s->session->tlsext_hostname == NULL) { 819 if (s->session->tlsext_hostname == NULL) {
820 *alert = TLS1_AD_UNRECOGNIZED_NAME; 820 *alert = SSL_AD_UNRECOGNIZED_NAME;
821 return 0; 821 return 0;
822 } 822 }
823 if (strcmp(s->tlsext_hostname, 823 if (strcmp(s->tlsext_hostname,
824 s->session->tlsext_hostname) != 0) { 824 s->session->tlsext_hostname) != 0) {
825 *alert = TLS1_AD_UNRECOGNIZED_NAME; 825 *alert = SSL_AD_UNRECOGNIZED_NAME;
826 return 0; 826 return 0;
827 } 827 }
828 } else { 828 } else {
@@ -832,7 +832,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
832 } 832 }
833 if ((s->session->tlsext_hostname = 833 if ((s->session->tlsext_hostname =
834 strdup(s->tlsext_hostname)) == NULL) { 834 strdup(s->tlsext_hostname)) == NULL) {
835 *alert = TLS1_AD_INTERNAL_ERROR; 835 *alert = SSL_AD_INTERNAL_ERROR;
836 return 0; 836 return 0;
837 } 837 }
838 } 838 }
@@ -917,7 +917,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
917 s->tlsext_status_type = -1; 917 s->tlsext_status_type = -1;
918 918
919 if (!CBS_skip(cbs, CBS_len(cbs))) { 919 if (!CBS_skip(cbs, CBS_len(cbs))) {
920 *alert = TLS1_AD_INTERNAL_ERROR; 920 *alert = SSL_AD_INTERNAL_ERROR;
921 return 0; 921 return 0;
922 } 922 }
923 return 1; 923 return 1;
@@ -1051,7 +1051,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1051 } 1051 }
1052 } else { 1052 } else {
1053 if (s->tlsext_status_type == -1) { 1053 if (s->tlsext_status_type == -1) {
1054 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1054 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1055 return 0; 1055 return 0;
1056 } 1056 }
1057 /* Set flag to expect CertificateStatus message */ 1057 /* Set flag to expect CertificateStatus message */
@@ -1135,14 +1135,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1135 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1135 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1136 (int)CBS_len(cbs), 1136 (int)CBS_len(cbs),
1137 s->internal->tls_session_ticket_ext_cb_arg)) { 1137 s->internal->tls_session_ticket_ext_cb_arg)) {
1138 *alert = TLS1_AD_INTERNAL_ERROR; 1138 *alert = SSL_AD_INTERNAL_ERROR;
1139 return 0; 1139 return 0;
1140 } 1140 }
1141 } 1141 }
1142 1142
1143 /* We need to signal that this was processed fully */ 1143 /* We need to signal that this was processed fully */
1144 if (!CBS_skip(cbs, CBS_len(cbs))) { 1144 if (!CBS_skip(cbs, CBS_len(cbs))) {
1145 *alert = TLS1_AD_INTERNAL_ERROR; 1145 *alert = SSL_AD_INTERNAL_ERROR;
1146 return 0; 1146 return 0;
1147 } 1147 }
1148 1148
@@ -1171,13 +1171,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1171 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1171 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
1172 (int)CBS_len(cbs), 1172 (int)CBS_len(cbs),
1173 s->internal->tls_session_ticket_ext_cb_arg)) { 1173 s->internal->tls_session_ticket_ext_cb_arg)) {
1174 *alert = TLS1_AD_INTERNAL_ERROR; 1174 *alert = SSL_AD_INTERNAL_ERROR;
1175 return 0; 1175 return 0;
1176 } 1176 }
1177 } 1177 }
1178 1178
1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { 1179 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
1180 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 1180 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
1181 return 0; 1181 return 0;
1182 } 1182 }
1183 1183
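Review bot: In tlsext_sni_server_parse, the `goto err;` on line 771 (`if (s->session->tlsext_hostname != NULL) goto err;`) is the only failure path in this stretch that does not assign `*alert` before jumping, so the alert sent when a non-resumed session already carries a hostname is whatever the `err:` label or the caller leaves in place, and that label lies outside the hunk. The neighbouring checks in the same function (lines 755, 761, 766, 773) each set an explicit alert, and the two `err:` labels visible on this page (tlsext_alpn_client_parse, tlsext_supportedgroups_server_parse) set `SSL_AD_DECODE_ERROR`, so this path presumably ends up as decode_error rather than the `SSL_AD_ILLEGAL_PARAMETER` used for the other SNI consistency failures. If that difference is not intended, `*alert = SSL_AD_ILLEGAL_PARAMETER;` before the `goto err;` makes the function's alert choice visible in one place; this is a follow-up, not something the constant rename itself needs to carry.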