authorJoel Sing <jsing@cvs.openbsd.org>2021-06-11 17:29:49 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-06-11 17:29:49 +0000
commit5015e94bc15a2c0fb63a5979adea7d4cf69b8cb5 (patch)
tree0cfee57071ebcc7be715077cdc224ccbc8561c58 /lib/libssl
parent5abbe60cce38dcc0d867615f5a1a2dc7cb3b6329 (diff)
Only use SSL_AD_* internally.
Due to hysterical raisins there are three different types of defines for alerts. SSL3_AD_* are from SSLv3, TLS1_AD_* are from TLSv1.0 onwards and SSL_AD_* currently map to either an SSL3_AD_* or TLS1_AD_* define. Currently, all three of these are used in various places - switch to using just SSL_AD_* values internally, as a first step in cleaning this up. ok tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/d1_both.c4
-rw-r--r--lib/libssl/ssl_stat.c122
-rw-r--r--lib/libssl/ssl_tlsext.c50
3 files changed, 88 insertions, 88 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 8e734f1277c..52189128c86 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.74 2021/06/11 11:29:44 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.75 2021/06/11 17:29:48 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -841,7 +841,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
* handshake to fail
*/
if (i != (int)frag_len) {
- al = SSL3_AD_ILLEGAL_PARAMETER;
+ al = SSL_AD_ILLEGAL_PARAMETER;
SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
goto fatal_err;
}
diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c
index 6b26d4c9153..b813ac68964 100644
--- a/lib/libssl/ssl_stat.c
+++ b/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.15 2021/06/11 17:29:48 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -578,94 +578,94 @@ SSL_alert_desc_string(int value)
const char *str;
switch (value & 0xff) {
- case SSL3_AD_CLOSE_NOTIFY:
+ case SSL_AD_CLOSE_NOTIFY:
str = "CN";
break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
+ case SSL_AD_UNEXPECTED_MESSAGE:
str = "UM";
break;
- case SSL3_AD_BAD_RECORD_MAC:
+ case SSL_AD_BAD_RECORD_MAC:
str = "BM";
break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
+ case SSL_AD_DECOMPRESSION_FAILURE:
str = "DF";
break;
- case SSL3_AD_HANDSHAKE_FAILURE:
+ case SSL_AD_HANDSHAKE_FAILURE:
str = "HF";
break;
- case SSL3_AD_NO_CERTIFICATE:
+ case SSL_AD_NO_CERTIFICATE:
str = "NC";
break;
- case SSL3_AD_BAD_CERTIFICATE:
+ case SSL_AD_BAD_CERTIFICATE:
str = "BC";
break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+ case SSL_AD_UNSUPPORTED_CERTIFICATE:
str = "UC";
break;
- case SSL3_AD_CERTIFICATE_REVOKED:
+ case SSL_AD_CERTIFICATE_REVOKED:
str = "CR";
break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
+ case SSL_AD_CERTIFICATE_EXPIRED:
str = "CE";
break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
+ case SSL_AD_CERTIFICATE_UNKNOWN:
str = "CU";
break;
- case SSL3_AD_ILLEGAL_PARAMETER:
+ case SSL_AD_ILLEGAL_PARAMETER:
str = "IP";
break;
- case TLS1_AD_DECRYPTION_FAILED:
+ case SSL_AD_DECRYPTION_FAILED:
str = "DC";
break;
- case TLS1_AD_RECORD_OVERFLOW:
+ case SSL_AD_RECORD_OVERFLOW:
str = "RO";
break;
- case TLS1_AD_UNKNOWN_CA:
+ case SSL_AD_UNKNOWN_CA:
str = "CA";
break;
- case TLS1_AD_ACCESS_DENIED:
+ case SSL_AD_ACCESS_DENIED:
str = "AD";
break;
- case TLS1_AD_DECODE_ERROR:
+ case SSL_AD_DECODE_ERROR:
str = "DE";
break;
- case TLS1_AD_DECRYPT_ERROR:
+ case SSL_AD_DECRYPT_ERROR:
str = "CY";
break;
- case TLS1_AD_EXPORT_RESTRICTION:
+ case SSL_AD_EXPORT_RESTRICTION:
str = "ER";
break;
- case TLS1_AD_PROTOCOL_VERSION:
+ case SSL_AD_PROTOCOL_VERSION:
str = "PV";
break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
+ case SSL_AD_INSUFFICIENT_SECURITY:
str = "IS";
break;
- case TLS1_AD_INTERNAL_ERROR:
+ case SSL_AD_INTERNAL_ERROR:
str = "IE";
break;
- case TLS1_AD_USER_CANCELLED:
+ case SSL_AD_USER_CANCELLED:
str = "US";
break;
- case TLS1_AD_NO_RENEGOTIATION:
+ case SSL_AD_NO_RENEGOTIATION:
str = "NR";
break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
+ case SSL_AD_UNSUPPORTED_EXTENSION:
str = "UE";
break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE:
str = "CO";
break;
- case TLS1_AD_UNRECOGNIZED_NAME:
+ case SSL_AD_UNRECOGNIZED_NAME:
str = "UN";
break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "BR";
break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "BH";
break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:
str = "UP";
break;
default:
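Review bot: The switch in SSL_alert_desc_string still stops at SSL_AD_UNKNOWN_PSK_IDENTITY, so any SSL_AD_* value ssl.h defines beyond this list — inappropriate_fallback (86) and the TLS 1.3 alerts missing_extension (109), certificate_required (116) and no_application_protocol (120), if this tree defines them — reaches `default` and is reported as an unknown alert. Since the commit already rewrites every label here, it would be cheap to add those cases in the same pass, e.g. `case SSL_AD_INAPPROPRIATE_FALLBACK: str = "IF"; break;`, and to put a one-line comment above the switch saying the list must track the SSL_AD_* definitions in ssl.h. The `default` arm, the return and the `value & 0xff` convention (alert level in the high byte, presumably) all lie outside the hunk, so I cannot confirm which values actually arrive here.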
@@ -681,94 +681,94 @@ SSL_alert_desc_string_long(int value)
const char *str;
switch (value & 0xff) {
- case SSL3_AD_CLOSE_NOTIFY:
+ case SSL_AD_CLOSE_NOTIFY:
str = "close notify";
break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
+ case SSL_AD_UNEXPECTED_MESSAGE:
str = "unexpected_message";
break;
- case SSL3_AD_BAD_RECORD_MAC:
+ case SSL_AD_BAD_RECORD_MAC:
str = "bad record mac";
break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
+ case SSL_AD_DECOMPRESSION_FAILURE:
str = "decompression failure";
break;
- case SSL3_AD_HANDSHAKE_FAILURE:
+ case SSL_AD_HANDSHAKE_FAILURE:
str = "handshake failure";
break;
- case SSL3_AD_NO_CERTIFICATE:
+ case SSL_AD_NO_CERTIFICATE:
str = "no certificate";
break;
- case SSL3_AD_BAD_CERTIFICATE:
+ case SSL_AD_BAD_CERTIFICATE:
str = "bad certificate";
break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+ case SSL_AD_UNSUPPORTED_CERTIFICATE:
str = "unsupported certificate";
break;
- case SSL3_AD_CERTIFICATE_REVOKED:
+ case SSL_AD_CERTIFICATE_REVOKED:
str = "certificate revoked";
break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
+ case SSL_AD_CERTIFICATE_EXPIRED:
str = "certificate expired";
break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
+ case SSL_AD_CERTIFICATE_UNKNOWN:
str = "certificate unknown";
break;
- case SSL3_AD_ILLEGAL_PARAMETER:
+ case SSL_AD_ILLEGAL_PARAMETER:
str = "illegal parameter";
break;
- case TLS1_AD_DECRYPTION_FAILED:
+ case SSL_AD_DECRYPTION_FAILED:
str = "decryption failed";
break;
- case TLS1_AD_RECORD_OVERFLOW:
+ case SSL_AD_RECORD_OVERFLOW:
str = "record overflow";
break;
- case TLS1_AD_UNKNOWN_CA:
+ case SSL_AD_UNKNOWN_CA:
str = "unknown CA";
break;
- case TLS1_AD_ACCESS_DENIED:
+ case SSL_AD_ACCESS_DENIED:
str = "access denied";
break;
- case TLS1_AD_DECODE_ERROR:
+ case SSL_AD_DECODE_ERROR:
str = "decode error";
break;
- case TLS1_AD_DECRYPT_ERROR:
+ case SSL_AD_DECRYPT_ERROR:
str = "decrypt error";
break;
- case TLS1_AD_EXPORT_RESTRICTION:
+ case SSL_AD_EXPORT_RESTRICTION:
str = "export restriction";
break;
- case TLS1_AD_PROTOCOL_VERSION:
+ case SSL_AD_PROTOCOL_VERSION:
str = "protocol version";
break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
+ case SSL_AD_INSUFFICIENT_SECURITY:
str = "insufficient security";
break;
- case TLS1_AD_INTERNAL_ERROR:
+ case SSL_AD_INTERNAL_ERROR:
str = "internal error";
break;
- case TLS1_AD_USER_CANCELLED:
+ case SSL_AD_USER_CANCELLED:
str = "user canceled";
break;
- case TLS1_AD_NO_RENEGOTIATION:
+ case SSL_AD_NO_RENEGOTIATION:
str = "no renegotiation";
break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
+ case SSL_AD_UNSUPPORTED_EXTENSION:
str = "unsupported extension";
break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE:
str = "certificate unobtainable";
break;
- case TLS1_AD_UNRECOGNIZED_NAME:
+ case SSL_AD_UNRECOGNIZED_NAME:
str = "unrecognized name";
break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "bad certificate status response";
break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "bad certificate hash value";
break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:
str = "unknown PSK identity";
break;
default:
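Review bot: The long description for SSL_AD_UNEXPECTED_MESSAGE is the only entry written with an underscore, `str = "unexpected_message";`, while every sibling in this switch uses spaces ("bad record mac", "decode error", "unknown CA"); it reads as a historical typo rather than intent. Because this string is what SSL_alert_desc_string_long hands back to applications and may be matched in logs or tests, changing it to `str = "unexpected message";` is an observable behaviour change and should be its own deliberate commit rather than be folded into this rename. The function's `default` arm and return are outside the hunk.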
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 8cc86d4649f..035d6b4564d 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.94 2021/06/08 19:34:44 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -139,7 +139,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
CBS list, proto;
if (s->internal->alpn_client_proto_list == NULL) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
@@ -163,7 +163,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
return 1;
err:
- *alert = TLS1_AD_DECODE_ERROR;
+ *alert = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -258,7 +258,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if ((groups = reallocarray(NULL, groups_len,
sizeof(uint16_t))) == NULL) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -281,7 +281,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
return 1;
err:
- *alert = TLS1_AD_DECODE_ERROR;
+ *alert = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -313,7 +313,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
* https://support.f5.com/csp/article/K37345003
*/
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -362,14 +362,14 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
/* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
if (!CBS_contains_zero_byte(&ecpf)) {
SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
if (!s->internal->hit) {
if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
&(SSI(s)->tlsext_ecpointformatlist_length))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
@@ -505,7 +505,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
S3I(s)->previous_server_finished_len != 0) ||
(S3I(s)->previous_client_finished_len != 0 &&
S3I(s)->previous_server_finished_len == 0)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -737,7 +737,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* other implementations appear more tolerant.
*/
if (name_type != TLSEXT_NAMETYPE_host_name) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
@@ -752,25 +752,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
goto err;
if (!tlsext_sni_is_valid_hostname(&host_name)) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
if (s->session->tlsext_hostname == NULL) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
goto err;
}
if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
strlen(s->session->tlsext_hostname))) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
goto err;
}
} else {
if (s->session->tlsext_hostname != NULL)
goto err;
if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
goto err;
}
}
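Review bot: In the non-resumption branch the `if (s->session->tlsext_hostname != NULL) goto err;` jumps to err without assigning `*alert`, unlike every other failure path in this hunk. That is only safe if the caller pre-initialises the alert to a usable default (tlsext_parse appears to start from decode_error, but that is not visible here) — either set it explicitly, e.g. `*alert = SSL_AD_INTERNAL_ERROR;` since a hostname already stored on a fresh, non-HRR session is a state error rather than a wire-format error, or add `/* falls back to the caller's default alert (decode_error) */` so the reliance is documented at the site. tlsext_sni_server_parse begins and ends outside this hunk, so the err label itself cannot be checked from here.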
@@ -780,7 +780,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* therefore we allow only one entry.
*/
if (CBS_len(&server_name_list) != 0) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
if (CBS_len(cbs) != 0)
@@ -811,18 +811,18 @@ int
tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
{
if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
if (s->internal->hit) {
if (s->session->tlsext_hostname == NULL) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
if (strcmp(s->tlsext_hostname,
s->session->tlsext_hostname) != 0) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
} else {
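Review bot: The first check in tlsext_sni_client_parse folds two different failures into one alert: `s->tlsext_hostname == NULL` means the server echoed server_name although the client never offered it, while `CBS_len(cbs) != 0` means the extension body is malformed (RFC 6066 §3 requires it to be empty). As I read RFC 5246 §7.4.1.4, the first is an `unsupported_extension` and the second a `decode_error`; `unrecognized_name` only fits the session-mismatch checks that follow. Splitting it into `if (s->tlsext_hostname == NULL) { *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; }` and `if (CBS_len(cbs) != 0) { *alert = SSL_AD_DECODE_ERROR; return 0; }` would make the alert match the fault, but it changes what peers observe and so belongs in a follow-up, not in this rename. The else branch of the function continues past the hunk.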
@@ -832,7 +832,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
if ((s->session->tlsext_hostname =
strdup(s->tlsext_hostname)) == NULL) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
@@ -917,7 +917,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
s->tlsext_status_type = -1;
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
return 1;
@@ -1051,7 +1051,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
} else {
if (s->tlsext_status_type == -1) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
/* Set flag to expect CertificateStatus message */
@@ -1135,14 +1135,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
(int)CBS_len(cbs),
s->internal->tls_session_ticket_ext_cb_arg)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
/* We need to signal that this was processed fully */
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -1171,13 +1171,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
(int)CBS_len(cbs),
s->internal->tls_session_ticket_ext_cb_arg)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}