summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/d1_both.c4
-rw-r--r--lib/libssl/ssl_stat.c122
-rw-r--r--lib/libssl/ssl_tlsext.c50
3 files changed, 88 insertions, 88 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 8e734f1277c..52189128c86 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.74 2021/06/11 11:29:44 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.75 2021/06/11 17:29:48 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -841,7 +841,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
* handshake to fail
*/
if (i != (int)frag_len) {
- al = SSL3_AD_ILLEGAL_PARAMETER;
+ al = SSL_AD_ILLEGAL_PARAMETER;
SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER);
goto fatal_err;
}
diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c
index 6b26d4c9153..b813ac68964 100644
--- a/lib/libssl/ssl_stat.c
+++ b/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.15 2021/06/11 17:29:48 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -578,94 +578,94 @@ SSL_alert_desc_string(int value)
const char *str;
switch (value & 0xff) {
- case SSL3_AD_CLOSE_NOTIFY:
+ case SSL_AD_CLOSE_NOTIFY:
str = "CN";
break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
+ case SSL_AD_UNEXPECTED_MESSAGE:
str = "UM";
break;
- case SSL3_AD_BAD_RECORD_MAC:
+ case SSL_AD_BAD_RECORD_MAC:
str = "BM";
break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
+ case SSL_AD_DECOMPRESSION_FAILURE:
str = "DF";
break;
- case SSL3_AD_HANDSHAKE_FAILURE:
+ case SSL_AD_HANDSHAKE_FAILURE:
str = "HF";
break;
- case SSL3_AD_NO_CERTIFICATE:
+ case SSL_AD_NO_CERTIFICATE:
str = "NC";
break;
- case SSL3_AD_BAD_CERTIFICATE:
+ case SSL_AD_BAD_CERTIFICATE:
str = "BC";
break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+ case SSL_AD_UNSUPPORTED_CERTIFICATE:
str = "UC";
break;
- case SSL3_AD_CERTIFICATE_REVOKED:
+ case SSL_AD_CERTIFICATE_REVOKED:
str = "CR";
break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
+ case SSL_AD_CERTIFICATE_EXPIRED:
str = "CE";
break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
+ case SSL_AD_CERTIFICATE_UNKNOWN:
str = "CU";
break;
- case SSL3_AD_ILLEGAL_PARAMETER:
+ case SSL_AD_ILLEGAL_PARAMETER:
str = "IP";
break;
- case TLS1_AD_DECRYPTION_FAILED:
+ case SSL_AD_DECRYPTION_FAILED:
str = "DC";
break;
- case TLS1_AD_RECORD_OVERFLOW:
+ case SSL_AD_RECORD_OVERFLOW:
str = "RO";
break;
- case TLS1_AD_UNKNOWN_CA:
+ case SSL_AD_UNKNOWN_CA:
str = "CA";
break;
- case TLS1_AD_ACCESS_DENIED:
+ case SSL_AD_ACCESS_DENIED:
str = "AD";
break;
- case TLS1_AD_DECODE_ERROR:
+ case SSL_AD_DECODE_ERROR:
str = "DE";
break;
- case TLS1_AD_DECRYPT_ERROR:
+ case SSL_AD_DECRYPT_ERROR:
str = "CY";
break;
- case TLS1_AD_EXPORT_RESTRICTION:
+ case SSL_AD_EXPORT_RESTRICTION:
str = "ER";
break;
- case TLS1_AD_PROTOCOL_VERSION:
+ case SSL_AD_PROTOCOL_VERSION:
str = "PV";
break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
+ case SSL_AD_INSUFFICIENT_SECURITY:
str = "IS";
break;
- case TLS1_AD_INTERNAL_ERROR:
+ case SSL_AD_INTERNAL_ERROR:
str = "IE";
break;
- case TLS1_AD_USER_CANCELLED:
+ case SSL_AD_USER_CANCELLED:
str = "US";
break;
- case TLS1_AD_NO_RENEGOTIATION:
+ case SSL_AD_NO_RENEGOTIATION:
str = "NR";
break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
+ case SSL_AD_UNSUPPORTED_EXTENSION:
str = "UE";
break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE:
str = "CO";
break;
- case TLS1_AD_UNRECOGNIZED_NAME:
+ case SSL_AD_UNRECOGNIZED_NAME:
str = "UN";
break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "BR";
break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "BH";
break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:
str = "UP";
break;
default:
@@ -681,94 +681,94 @@ SSL_alert_desc_string_long(int value)
const char *str;
switch (value & 0xff) {
- case SSL3_AD_CLOSE_NOTIFY:
+ case SSL_AD_CLOSE_NOTIFY:
str = "close notify";
break;
- case SSL3_AD_UNEXPECTED_MESSAGE:
+ case SSL_AD_UNEXPECTED_MESSAGE:
str = "unexpected_message";
break;
- case SSL3_AD_BAD_RECORD_MAC:
+ case SSL_AD_BAD_RECORD_MAC:
str = "bad record mac";
break;
- case SSL3_AD_DECOMPRESSION_FAILURE:
+ case SSL_AD_DECOMPRESSION_FAILURE:
str = "decompression failure";
break;
- case SSL3_AD_HANDSHAKE_FAILURE:
+ case SSL_AD_HANDSHAKE_FAILURE:
str = "handshake failure";
break;
- case SSL3_AD_NO_CERTIFICATE:
+ case SSL_AD_NO_CERTIFICATE:
str = "no certificate";
break;
- case SSL3_AD_BAD_CERTIFICATE:
+ case SSL_AD_BAD_CERTIFICATE:
str = "bad certificate";
break;
- case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+ case SSL_AD_UNSUPPORTED_CERTIFICATE:
str = "unsupported certificate";
break;
- case SSL3_AD_CERTIFICATE_REVOKED:
+ case SSL_AD_CERTIFICATE_REVOKED:
str = "certificate revoked";
break;
- case SSL3_AD_CERTIFICATE_EXPIRED:
+ case SSL_AD_CERTIFICATE_EXPIRED:
str = "certificate expired";
break;
- case SSL3_AD_CERTIFICATE_UNKNOWN:
+ case SSL_AD_CERTIFICATE_UNKNOWN:
str = "certificate unknown";
break;
- case SSL3_AD_ILLEGAL_PARAMETER:
+ case SSL_AD_ILLEGAL_PARAMETER:
str = "illegal parameter";
break;
- case TLS1_AD_DECRYPTION_FAILED:
+ case SSL_AD_DECRYPTION_FAILED:
str = "decryption failed";
break;
- case TLS1_AD_RECORD_OVERFLOW:
+ case SSL_AD_RECORD_OVERFLOW:
str = "record overflow";
break;
- case TLS1_AD_UNKNOWN_CA:
+ case SSL_AD_UNKNOWN_CA:
str = "unknown CA";
break;
- case TLS1_AD_ACCESS_DENIED:
+ case SSL_AD_ACCESS_DENIED:
str = "access denied";
break;
- case TLS1_AD_DECODE_ERROR:
+ case SSL_AD_DECODE_ERROR:
str = "decode error";
break;
- case TLS1_AD_DECRYPT_ERROR:
+ case SSL_AD_DECRYPT_ERROR:
str = "decrypt error";
break;
- case TLS1_AD_EXPORT_RESTRICTION:
+ case SSL_AD_EXPORT_RESTRICTION:
str = "export restriction";
break;
- case TLS1_AD_PROTOCOL_VERSION:
+ case SSL_AD_PROTOCOL_VERSION:
str = "protocol version";
break;
- case TLS1_AD_INSUFFICIENT_SECURITY:
+ case SSL_AD_INSUFFICIENT_SECURITY:
str = "insufficient security";
break;
- case TLS1_AD_INTERNAL_ERROR:
+ case SSL_AD_INTERNAL_ERROR:
str = "internal error";
break;
- case TLS1_AD_USER_CANCELLED:
+ case SSL_AD_USER_CANCELLED:
str = "user canceled";
break;
- case TLS1_AD_NO_RENEGOTIATION:
+ case SSL_AD_NO_RENEGOTIATION:
str = "no renegotiation";
break;
- case TLS1_AD_UNSUPPORTED_EXTENSION:
+ case SSL_AD_UNSUPPORTED_EXTENSION:
str = "unsupported extension";
break;
- case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE:
str = "certificate unobtainable";
break;
- case TLS1_AD_UNRECOGNIZED_NAME:
+ case SSL_AD_UNRECOGNIZED_NAME:
str = "unrecognized name";
break;
- case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
str = "bad certificate status response";
break;
- case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
str = "bad certificate hash value";
break;
- case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:
str = "unknown PSK identity";
break;
default:
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 8cc86d4649f..035d6b4564d 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.94 2021/06/08 19:34:44 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.95 2021/06/11 17:29:48 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -139,7 +139,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
CBS list, proto;
if (s->internal->alpn_client_proto_list == NULL) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
@@ -163,7 +163,7 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
return 1;
err:
- *alert = TLS1_AD_DECODE_ERROR;
+ *alert = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -258,7 +258,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if ((groups = reallocarray(NULL, groups_len,
sizeof(uint16_t))) == NULL) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -281,7 +281,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
return 1;
err:
- *alert = TLS1_AD_DECODE_ERROR;
+ *alert = SSL_AD_DECODE_ERROR;
return 0;
}
@@ -313,7 +313,7 @@ tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
* https://support.f5.com/csp/article/K37345003
*/
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -362,14 +362,14 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
/* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
if (!CBS_contains_zero_byte(&ecpf)) {
SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
if (!s->internal->hit) {
if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
&(SSI(s)->tlsext_ecpointformatlist_length))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
@@ -505,7 +505,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
S3I(s)->previous_server_finished_len != 0) ||
(S3I(s)->previous_client_finished_len != 0 &&
S3I(s)->previous_server_finished_len == 0)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -737,7 +737,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* other implementations appear more tolerant.
*/
if (name_type != TLSEXT_NAMETYPE_host_name) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
@@ -752,25 +752,25 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
goto err;
if (!tlsext_sni_is_valid_hostname(&host_name)) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
if (s->session->tlsext_hostname == NULL) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
goto err;
}
if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
strlen(s->session->tlsext_hostname))) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
goto err;
}
} else {
if (s->session->tlsext_hostname != NULL)
goto err;
if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
goto err;
}
}
@@ -780,7 +780,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* therefore we allow only one entry.
*/
if (CBS_len(&server_name_list) != 0) {
- *alert = SSL3_AD_ILLEGAL_PARAMETER;
+ *alert = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
if (CBS_len(cbs) != 0)
@@ -811,18 +811,18 @@ int
tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
{
if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
if (s->internal->hit) {
if (s->session->tlsext_hostname == NULL) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
if (strcmp(s->tlsext_hostname,
s->session->tlsext_hostname) != 0) {
- *alert = TLS1_AD_UNRECOGNIZED_NAME;
+ *alert = SSL_AD_UNRECOGNIZED_NAME;
return 0;
}
} else {
@@ -832,7 +832,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
if ((s->session->tlsext_hostname =
strdup(s->tlsext_hostname)) == NULL) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
@@ -917,7 +917,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
s->tlsext_status_type = -1;
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
return 1;
@@ -1051,7 +1051,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
} else {
if (s->tlsext_status_type == -1) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
/* Set flag to expect CertificateStatus message */
@@ -1135,14 +1135,14 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
(int)CBS_len(cbs),
s->internal->tls_session_ticket_ext_cb_arg)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
/* We need to signal that this was processed fully */
if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
@@ -1171,13 +1171,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
(int)CBS_len(cbs),
s->internal->tls_session_ticket_ext_cb_arg)) {
- *alert = TLS1_AD_INTERNAL_ERROR;
+ *alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
- *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+ *alert = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}