From 3c03665ab17a4a617a3a87425c74c4880de856f3 Mon Sep 17 00:00:00 2001 From: jsing Date: Sun, 13 Jun 2021 15:47:11 +0000 Subject: [PATCH] Define SSL_AD_* as actual values. Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or TLS1_AD_*, just give them actual values directly since it is more readable and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under #ifndef LIBRESSL_INTERNAL to prevent further usage. ok tb@
---
 lib/libssl/ssl.h | 77 ++++++++++++++++++++++++++--------------------- lib/libssl/ssl3.h | 4 ++- lib/libssl/tls1.h | 10 ++---- 3 files changed, 49 insertions(+), 42 deletions(-)
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 509b353fd56..1b81c2aed3f 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.192 2021/06/13 15:29:54 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.193 2021/06/13 15:47:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -988,43 +988,52 @@ SSL_SESSION *PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x,
 int PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x);
 int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
-#define SSL_AD_REASON_OFFSET 1000 /* offset to get SSL_R_... value from SSL_AD_... */
+/*
+ * TLS Alerts.
+ *
+ * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
+ */
+/* Obsolete alerts. */
 #ifndef LIBRESSL_INTERNAL
-#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED /* Removed in TLSv1.1 */
-#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Removed in TLSv1.0 */
-#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION /* Removed in TLSv1.1 */
+#define SSL_AD_DECRYPTION_FAILED 21 /* Removed in TLSv1.1 */
+#define SSL_AD_NO_CERTIFICATE 41 /* Removed in TLSv1.0 */
+#define SSL_AD_EXPORT_RESTRICTION 60 /* Removed in TLSv1.1 */
 #endif
-/* These alert types are for SSLv3 and TLSv1 */
-#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
-#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
-#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
-#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
-#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
-#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
-#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
-#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
-#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
-#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
-#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
-#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
-#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
-#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
-#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
-#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
-#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
-#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
-#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
-#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
-#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
-#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
-#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
-#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
-#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
-#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
-#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_CLOSE_NOTIFY 0
+#define SSL_AD_UNEXPECTED_MESSAGE 10
+#define SSL_AD_BAD_RECORD_MAC 20
+#define SSL_AD_RECORD_OVERFLOW 22
+#define SSL_AD_DECOMPRESSION_FAILURE 30 /* Removed in TLSv1.3 */
+#define SSL_AD_HANDSHAKE_FAILURE 40
+#define SSL_AD_BAD_CERTIFICATE 42
+#define SSL_AD_UNSUPPORTED_CERTIFICATE 43
+#define SSL_AD_CERTIFICATE_REVOKED 44
+#define SSL_AD_CERTIFICATE_EXPIRED 45
+#define SSL_AD_CERTIFICATE_UNKNOWN 46
+#define SSL_AD_ILLEGAL_PARAMETER 47
+#define SSL_AD_UNKNOWN_CA 48
+#define SSL_AD_ACCESS_DENIED 49
+#define SSL_AD_DECODE_ERROR 50
+#define SSL_AD_DECRYPT_ERROR 51
+#define SSL_AD_PROTOCOL_VERSION 70
+#define SSL_AD_INSUFFICIENT_SECURITY 71
+#define SSL_AD_INTERNAL_ERROR 80
+#define SSL_AD_INAPPROPRIATE_FALLBACK 86
+#define SSL_AD_USER_CANCELLED 90
+#define SSL_AD_NO_RENEGOTIATION 100 /* Removed in TLSv1.3 */
+#define SSL_AD_UNSUPPORTED_EXTENSION 110
+#define SSL_AD_CERTIFICATE_UNOBTAINABLE 111 /* Removed in TLSv1.3 */
+#define SSL_AD_UNRECOGNIZED_NAME 112
+#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
+#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE 114 /* Removed in TLSv1.3 */
+#define SSL_AD_UNKNOWN_PSK_IDENTITY 115
+#define SSL_AD_CERTIFICATE_REQUIRED 116
+#define SSL_AD_NO_APPLICATION_PROTOCOL 120
+
+/* Offset to get an SSL_R_... value from an SSL_AD_... value. */
+#define SSL_AD_REASON_OFFSET 1000
 #define SSL_ERROR_NONE 0
 #define SSL_ERROR_SSL 1
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 631f8dee235..04c12bca9ca 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.53 2021/05/10 17:10:57 tb Exp $ */
+/* $OpenBSD: ssl3.h,v 1.54 2021/06/13 15:47:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -297,6 +297,7 @@ extern "C" {
 #define SSL3_AL_WARNING 1
 #define SSL3_AL_FATAL 2
+#ifndef LIBRESSL_INTERNAL
 #define SSL3_AD_CLOSE_NOTIFY 0
 #define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
 #define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
@@ -309,6 +310,7 @@ extern "C" {
 #define SSL3_AD_CERTIFICATE_EXPIRED 45
 #define SSL3_AD_CERTIFICATE_UNKNOWN 46
 #define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
+#endif
 #define TLS1_HB_REQUEST 1
 #define TLS1_HB_RESPONSE 2
diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h
index 628a6b2fca3..771ed96fc9a 100644
--- a/lib/libssl/tls1.h
+++ b/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.42 2021/03/10 18:32:38 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.43 2021/06/13 15:47:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -185,12 +185,7 @@ extern "C" {
 ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
 #endif
-/*
- * TLS Alert codes.
- *
- * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
- */
-
+#ifndef LIBRESSL_INTERNAL
 #define TLS1_AD_DECRYPTION_FAILED 21
 #define TLS1_AD_RECORD_OVERFLOW 22
 #define TLS1_AD_UNKNOWN_CA 48 /* fatal */
@@ -213,6 +208,7 @@ extern "C" {
 #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
 /* Code 115 from RFC 4279. */
 #define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
+#endif
 /*
 * TLS ExtensionType values.
-- 2.20.1
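Review bot: The rewritten list in ssl.h adds two alert codes the commit message does not mention, `SSL_AD_CERTIFICATE_REQUIRED` (116) and `SSL_AD_NO_APPLICATION_PROTOCOL` (120), directly above `SSL_AD_REASON_OFFSET`, whose comment says each SSL_AD_ value maps to an SSL_R_ value. No SSL_R_ entries for 1116 or 1120 appear in this patch, so whether a peer alert of either type resolves to a readable error reason cannot be confirmed from here; that matters to anyone diagnosing handshake failures from logged error strings. I would tighten the comment to state the requirement, for example `/* Every SSL_AD_* value needs a matching SSL_R_* reason at SSL_AD_REASON_OFFSET + value. */`. The IANA registry linked in the new header comment also assigns 109 (missing_extension), which has no define in this hunk; that may be deliberate, but it is worth a word in the commit message.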
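Review bot: The `#ifndef LIBRESSL_INTERNAL` guards added in ssl3.h and tls1.h carry no comment saying why the SSL3_AD_* and TLS1_AD_* names are hidden from library code or what to use instead, and each closing `#endif` sits in a later hunk, with the guarded lines in between not shown here. A line above each guard such as `/* Legacy alert names for external callers only; use SSL_AD_* from ssl.h. */` and a tagged close, `#endif /* !LIBRESSL_INTERNAL */`, would make the intent clear. The tls1.h hunk also deletes the "TLS Alert codes" comment with the IANA link, so that block is left without a heading. The `/* fatal */` markers now survive only on these guarded legacy names, because the new SSL_AD_* lines in ssl.h drop them; if they are still meant as guidance on alert level, they belong on the ssl.h list.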