diff options
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_both.c | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_stat.c | 122 | ||||
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 50 |
3 files changed, 88 insertions, 88 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index 8e734f1277c..52189128c86 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.74 2021/06/11 11:29:44 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.75 2021/06/11 17:29:48 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -841,7 +841,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) * handshake to fail */ if (i != (int)frag_len) { - al = SSL3_AD_ILLEGAL_PARAMETER; + al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER); goto fatal_err; } diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c index 6b26d4c9153..b813ac68964 100644 --- a/lib/libssl/ssl_stat.c +++ b/lib/libssl/ssl_stat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_stat.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: ssl_stat.c,v 1.15 2021/06/11 17:29:48 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -578,94 +578,94 @@ SSL_alert_desc_string(int value) const char *str; switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: + case SSL_AD_CLOSE_NOTIFY: str = "CN"; break; - case SSL3_AD_UNEXPECTED_MESSAGE: + case SSL_AD_UNEXPECTED_MESSAGE: str = "UM"; break; - case SSL3_AD_BAD_RECORD_MAC: + case SSL_AD_BAD_RECORD_MAC: str = "BM"; break; - case SSL3_AD_DECOMPRESSION_FAILURE: + case SSL_AD_DECOMPRESSION_FAILURE: str = "DF"; break; - case SSL3_AD_HANDSHAKE_FAILURE: + case SSL_AD_HANDSHAKE_FAILURE: str = "HF"; break; - case SSL3_AD_NO_CERTIFICATE: + case SSL_AD_NO_CERTIFICATE: str = "NC"; break; - case SSL3_AD_BAD_CERTIFICATE: + case SSL_AD_BAD_CERTIFICATE: str = "BC"; break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: + case SSL_AD_UNSUPPORTED_CERTIFICATE: str = "UC"; break; - case SSL3_AD_CERTIFICATE_REVOKED: + case SSL_AD_CERTIFICATE_REVOKED: str = "CR"; break; - case SSL3_AD_CERTIFICATE_EXPIRED: + case SSL_AD_CERTIFICATE_EXPIRED: str = "CE"; break; - case SSL3_AD_CERTIFICATE_UNKNOWN: + case SSL_AD_CERTIFICATE_UNKNOWN: str = "CU"; break; - case SSL3_AD_ILLEGAL_PARAMETER: + case SSL_AD_ILLEGAL_PARAMETER: str = "IP"; break; - case TLS1_AD_DECRYPTION_FAILED: + case SSL_AD_DECRYPTION_FAILED: str = "DC"; break; - case TLS1_AD_RECORD_OVERFLOW: + case SSL_AD_RECORD_OVERFLOW: str = "RO"; break; - case TLS1_AD_UNKNOWN_CA: + case SSL_AD_UNKNOWN_CA: str = "CA"; break; - case TLS1_AD_ACCESS_DENIED: + case SSL_AD_ACCESS_DENIED: str = "AD"; break; - case TLS1_AD_DECODE_ERROR: + case SSL_AD_DECODE_ERROR: str = "DE"; break; - case TLS1_AD_DECRYPT_ERROR: + case SSL_AD_DECRYPT_ERROR: str = "CY"; break; - case TLS1_AD_EXPORT_RESTRICTION: + case SSL_AD_EXPORT_RESTRICTION: str = "ER"; break; - case TLS1_AD_PROTOCOL_VERSION: + case SSL_AD_PROTOCOL_VERSION: str = "PV"; break; - case TLS1_AD_INSUFFICIENT_SECURITY: + case SSL_AD_INSUFFICIENT_SECURITY: str = "IS"; break; - case TLS1_AD_INTERNAL_ERROR: + case SSL_AD_INTERNAL_ERROR: str = "IE"; break; - case TLS1_AD_USER_CANCELLED: + case SSL_AD_USER_CANCELLED: str = "US"; break; - case TLS1_AD_NO_RENEGOTIATION: + case SSL_AD_NO_RENEGOTIATION: str = "NR"; break; - case TLS1_AD_UNSUPPORTED_EXTENSION: + case SSL_AD_UNSUPPORTED_EXTENSION: str = "UE"; break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + case SSL_AD_CERTIFICATE_UNOBTAINABLE: str = "CO"; break; - case TLS1_AD_UNRECOGNIZED_NAME: + case SSL_AD_UNRECOGNIZED_NAME: str = "UN"; break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "BR"; break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: str = "BH"; break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: + case SSL_AD_UNKNOWN_PSK_IDENTITY: str = "UP"; break; default: @@ -681,94 +681,94 @@ SSL_alert_desc_string_long(int value) const char *str; switch (value & 0xff) { - case SSL3_AD_CLOSE_NOTIFY: + case SSL_AD_CLOSE_NOTIFY: str = "close notify"; break; - case SSL3_AD_UNEXPECTED_MESSAGE: + case SSL_AD_UNEXPECTED_MESSAGE: str = "unexpected_message"; break; - case SSL3_AD_BAD_RECORD_MAC: + case SSL_AD_BAD_RECORD_MAC: str = "bad record mac"; break; - case SSL3_AD_DECOMPRESSION_FAILURE: + case SSL_AD_DECOMPRESSION_FAILURE: str = "decompression failure"; break; - case SSL3_AD_HANDSHAKE_FAILURE: + case SSL_AD_HANDSHAKE_FAILURE: str = "handshake failure"; break; - case SSL3_AD_NO_CERTIFICATE: + case SSL_AD_NO_CERTIFICATE: str = "no certificate"; break; - case SSL3_AD_BAD_CERTIFICATE: + case SSL_AD_BAD_CERTIFICATE: str = "bad certificate"; break; - case SSL3_AD_UNSUPPORTED_CERTIFICATE: + case SSL_AD_UNSUPPORTED_CERTIFICATE: str = "unsupported certificate"; break; - case SSL3_AD_CERTIFICATE_REVOKED: + case SSL_AD_CERTIFICATE_REVOKED: str = "certificate revoked"; break; - case SSL3_AD_CERTIFICATE_EXPIRED: + case SSL_AD_CERTIFICATE_EXPIRED: str = "certificate expired"; break; - case SSL3_AD_CERTIFICATE_UNKNOWN: + case SSL_AD_CERTIFICATE_UNKNOWN: str = "certificate unknown"; break; - case SSL3_AD_ILLEGAL_PARAMETER: + case SSL_AD_ILLEGAL_PARAMETER: str = "illegal parameter"; break; - case TLS1_AD_DECRYPTION_FAILED: + case SSL_AD_DECRYPTION_FAILED: str = "decryption failed"; break; - case TLS1_AD_RECORD_OVERFLOW: + case SSL_AD_RECORD_OVERFLOW: str = "record overflow"; break; - case TLS1_AD_UNKNOWN_CA: + case SSL_AD_UNKNOWN_CA: str = "unknown CA"; break; - case TLS1_AD_ACCESS_DENIED: + case SSL_AD_ACCESS_DENIED: str = "access denied"; break; - case TLS1_AD_DECODE_ERROR: + case SSL_AD_DECODE_ERROR: str = "decode error"; break; - case TLS1_AD_DECRYPT_ERROR: + case SSL_AD_DECRYPT_ERROR: str = "decrypt error"; break; - case TLS1_AD_EXPORT_RESTRICTION: + case SSL_AD_EXPORT_RESTRICTION: str = "export restriction"; break; - case TLS1_AD_PROTOCOL_VERSION: + case SSL_AD_PROTOCOL_VERSION: str = "protocol version"; break; - case TLS1_AD_INSUFFICIENT_SECURITY: + case SSL_AD_INSUFFICIENT_SECURITY: str = "insufficient security"; break; - case TLS1_AD_INTERNAL_ERROR: + case SSL_AD_INTERNAL_ERROR: str = "internal error"; break; - case TLS1_AD_USER_CANCELLED: + case SSL_AD_USER_CANCELLED: str = "user canceled"; break; - case TLS1_AD_NO_RENEGOTIATION: + case SSL_AD_NO_RENEGOTIATION: str = "no renegotiation"; break; - case TLS1_AD_UNSUPPORTED_EXTENSION: + case SSL_AD_UNSUPPORTED_EXTENSION: str = "unsupported extension"; break; - case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + case SSL_AD_CERTIFICATE_UNOBTAINABLE: str = "certificate unobtainable"; break; - case TLS1_AD_UNRECOGNIZED_NAME: + case SSL_AD_UNRECOGNIZED_NAME: str = "unrecognized name"; break; - case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str = "bad certificate status response"; break; - case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: str = "bad certificate hash value"; break; - case TLS1_AD_UNKNOWN_PSK_IDENTITY: + case SSL_AD_UNKNOWN_PSK_IDENTITY: str = "unknown PSK identity"; break; default: diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 8cc86d4649f..035d6b4564d 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.94 2021/06/08 19:34:44 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> @@ -139,7 +139,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) CBS list, proto; if (s->internal->alpn_client_proto_list == NULL) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -163,7 +163,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; err: - *alert = TLS1_AD_DECODE_ERROR; + *alert = SSL_AD_DECODE_ERROR; return 0; } @@ -258,7 +258,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -281,7 +281,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 1; err: - *alert = TLS1_AD_DECODE_ERROR; + *alert = SSL_AD_DECODE_ERROR; return 0; } @@ -313,7 +313,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, * https://support.f5.com/csp/article/K37345003 */ if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -362,14 +362,14 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ if (!CBS_contains_zero_byte(&ecpf)) { SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } if (!s->internal->hit) { if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), &(SSI(s)->tlsext_ecpointformatlist_length))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } @@ -505,7 +505,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) S3I(s)->previous_server_finished_len != 0) || (S3I(s)->previous_client_finished_len != 0 && S3I(s)->previous_server_finished_len == 0)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -737,7 +737,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * other implementations appear more tolerant. */ if (name_type != TLSEXT_NAMETYPE_host_name) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } @@ -752,25 +752,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; if (!tlsext_sni_is_valid_hostname(&host_name)) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } if (s->internal->hit || S3I(s)->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; } if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, strlen(s->session->tlsext_hostname))) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; } } else { if (s->session->tlsext_hostname != NULL) goto err; if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; goto err; } } @@ -780,7 +780,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * therefore we allow only one entry. */ if (CBS_len(&server_name_list) != 0) { - *alert = SSL3_AD_ILLEGAL_PARAMETER; + *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } if (CBS_len(cbs) != 0) @@ -811,18 +811,18 @@ int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } if (s->internal->hit) { if (s->session->tlsext_hostname == NULL) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } if (strcmp(s->tlsext_hostname, s->session->tlsext_hostname) != 0) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; + *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; } } else { @@ -832,7 +832,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } if ((s->session->tlsext_hostname = strdup(s->tlsext_hostname)) == NULL) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } @@ -917,7 +917,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) s->tlsext_status_type = -1; if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } return 1; @@ -1051,7 +1051,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } } else { if (s->tlsext_status_type == -1) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } /* Set flag to expect CertificateStatus message */ @@ -1135,14 +1135,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), s->internal->tls_session_ticket_ext_cb_arg)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } /* We need to signal that this was processed fully */ if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1171,13 +1171,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), s->internal->tls_session_ticket_ext_cb_arg)) { - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_INTERNAL_ERROR; return 0; } } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } |