Move the extensions context codes into the public API
This move prepares for the later addition of the new custom extensions
API. The context codes have an additional "SSL_" added to their name to
ensure we don't have name clashes with other applications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index ab19497..d1a4014 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -468,9 +468,10 @@
TICKET_RETURN r;
if (SSL_IS_TLS13(s)) {
- if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, EXT_CLIENT_HELLO,
- hello->pre_proc_exts, NULL, 0, al)
- || !tls_parse_extension(s, TLSEXT_IDX_psk, EXT_CLIENT_HELLO,
+ if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
+ SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
+ NULL, 0, al)
+ || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
hello->pre_proc_exts, NULL, 0, al))
return -1;
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 96c5394..c2e0411 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -114,16 +114,16 @@
static const EXTENSION_DEFINITION ext_defs[] = {
{
TLSEXT_TYPE_renegotiate,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED
- | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
final_renegotiate
},
{
TLSEXT_TYPE_server_name,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_server_name,
tls_parse_ctos_server_name, tls_parse_stoc_server_name,
tls_construct_stoc_server_name, tls_construct_ctos_server_name,
@@ -132,7 +132,7 @@
#ifndef OPENSSL_NO_SRP
{
TLSEXT_TYPE_srp,
- EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
},
#else
@@ -141,14 +141,15 @@
#ifndef OPENSSL_NO_EC
{
TLSEXT_TYPE_ec_point_formats,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
},
{
TLSEXT_TYPE_supported_groups,
- EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, tls_parse_ctos_supported_groups, NULL,
NULL /* TODO(TLS1.3): Need to add this */,
tls_construct_ctos_supported_groups, NULL
@@ -159,14 +160,15 @@
#endif
{
TLSEXT_TYPE_session_ticket,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_session_ticket, tls_parse_ctos_session_ticket,
tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
tls_construct_ctos_session_ticket, NULL
},
{
TLSEXT_TYPE_signature_algorithms,
- EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
init_sig_algs, tls_parse_ctos_sig_algs,
tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
tls_construct_ctos_sig_algs, final_sig_algs
@@ -174,8 +176,8 @@
#ifndef OPENSSL_NO_OCSP
{
TLSEXT_TYPE_status_request,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_CERTIFICATE,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_CERTIFICATE,
init_status_request, tls_parse_ctos_status_request,
tls_parse_stoc_status_request, tls_construct_stoc_status_request,
tls_construct_ctos_status_request, NULL
@@ -186,7 +188,8 @@
#ifndef OPENSSL_NO_NEXTPROTONEG
{
TLSEXT_TYPE_next_proto_neg,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
},
@@ -199,16 +202,16 @@
* happens after server_name callbacks
*/
TLSEXT_TYPE_application_layer_protocol_negotiation,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
},
#ifndef OPENSSL_NO_SRTP
{
TLSEXT_TYPE_use_srtp,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
},
@@ -217,15 +220,16 @@
#endif
{
TLSEXT_TYPE_encrypt_then_mac,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
},
#ifndef OPENSSL_NO_CT
{
TLSEXT_TYPE_signed_certificate_timestamp,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_CERTIFICATE,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_CERTIFICATE,
NULL,
/*
* No server side support for this, but can be provided by a custom
@@ -239,20 +243,23 @@
#endif
{
TLSEXT_TYPE_extended_master_secret,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
},
{
TLSEXT_TYPE_supported_versions,
- EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
+ | SSL_EXT_TLS1_3_ONLY,
NULL,
/* Processed inline as part of version selection */
NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
},
{
TLSEXT_TYPE_psk_kex_modes,
- EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
+ | SSL_EXT_TLS1_3_ONLY,
init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
tls_construct_ctos_psk_kex_modes, NULL
},
@@ -263,9 +270,9 @@
* been parsed before we do this one.
*/
TLSEXT_TYPE_key_share,
- EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
- | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY
- | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
+ | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
+ | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
tls_construct_stoc_key_share, tls_construct_ctos_key_share,
final_key_share
@@ -273,8 +280,8 @@
#endif
{
TLSEXT_TYPE_cookie,
- EXT_CLIENT_HELLO | EXT_TLS1_3_HELLO_RETRY_REQUEST
- | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
+ | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie,
NULL
},
@@ -284,20 +291,21 @@
* SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
*/
TLSEXT_TYPE_cryptopro_bug,
- EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
},
{
TLSEXT_TYPE_early_data,
- EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
- | EXT_TLS1_3_NEW_SESSION_TICKET,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
tls_construct_stoc_early_data, tls_construct_ctos_early_data,
final_early_data
},
{
TLSEXT_TYPE_certificate_authorities,
- EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+ | SSL_EXT_TLS1_3_ONLY,
init_certificate_authorities,
tls_parse_certificate_authorities, tls_parse_certificate_authorities,
tls_construct_certificate_authorities,
@@ -306,7 +314,7 @@
{
/* Must be immediately before pre_shared_key */
TLSEXT_TYPE_padding,
- EXT_CLIENT_HELLO,
+ SSL_EXT_CLIENT_HELLO,
NULL,
/* We send this, but don't read it */
NULL, NULL, NULL, tls_construct_ctos_padding, NULL
@@ -314,8 +322,8 @@
{
/* Required by the TLSv1.3 spec to always be the last extension */
TLSEXT_TYPE_psk,
- EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY
- | EXT_TLS1_3_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
+ | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
tls_construct_ctos_psk, NULL
}
@@ -342,9 +350,9 @@
return 0;
if (SSL_IS_DTLS(s)) {
- if ((thisext->context & EXT_TLS_ONLY) != 0)
+ if ((thisext->context & SSL_EXT_TLS_ONLY) != 0)
return 0;
- } else if ((thisext->context & EXT_DTLS_ONLY) != 0) {
+ } else if ((thisext->context & SSL_EXT_DTLS_ONLY) != 0) {
return 0;
}
@@ -353,7 +361,7 @@
}
}
- if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) {
+ if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) == 0) {
/*
* Custom extensions only apply to <=TLS1.2. This extension is unknown
* in this context - we allow it
@@ -386,12 +394,12 @@
unsigned int thisctx)
{
if ((SSL_IS_DTLS(s)
- && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0)
+ && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
|| (s->version == SSL3_VERSION
- && (extctx & EXT_SSL3_ALLOWED) == 0)
+ && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
|| (SSL_IS_TLS13(s)
- && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0)
- || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0))
+ && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
+ || (!SSL_IS_TLS13(s) && (extctx & SSL_EXT_TLS1_3_ONLY) != 0))
return 0;
return 1;
@@ -429,10 +437,10 @@
* Initialise server side custom extensions. Client side is done during
* construction of extensions for the ClientHello.
*/
- if ((context & EXT_CLIENT_HELLO) != 0) {
+ if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
exts = &s->cert->srv_ext;
custom_ext_init(&s->cert->srv_ext);
- } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
+ } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
exts = &s->cert->cli_ext;
}
@@ -463,7 +471,7 @@
if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
|| (thisex != NULL && thisex->present == 1)
|| (type == TLSEXT_TYPE_psk
- && (context & EXT_CLIENT_HELLO) != 0
+ && (context & SSL_EXT_CLIENT_HELLO) != 0
&& PACKET_remaining(&extensions) != 0)) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
*al = SSL_AD_ILLEGAL_PARAMETER;
@@ -562,7 +570,7 @@
*/
if ((!s->hit || !s->server)
&& (context
- & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
+ & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
&& custom_ext_parse(s, s->server, currext->type,
PACKET_data(&currext->data),
PACKET_remaining(&currext->data),
@@ -587,9 +595,9 @@
const EXTENSION_DEFINITION *thisexd;
/* Calculate the number of extensions in the extensions list */
- if ((context & EXT_CLIENT_HELLO) != 0) {
+ if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
numexts += s->cert->srv_ext.meths_count;
- } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
+ } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
numexts += s->cert->cli_ext.meths_count;
}
@@ -640,15 +648,16 @@
* If extensions are of zero length then we don't even add the
* extensions length bytes to a ClientHello/ServerHello in SSLv3
*/
- || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
- && s->version == SSL3_VERSION
- && !WPACKET_set_flags(pkt,
+ || ((context &
+ (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
+ && s->version == SSL3_VERSION
+ && !WPACKET_set_flags(pkt,
WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
goto err;
}
- if ((context & EXT_CLIENT_HELLO) != 0) {
+ if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
@@ -657,10 +666,10 @@
}
/* Add custom extensions first */
- if ((context & EXT_CLIENT_HELLO) != 0) {
+ if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
custom_ext_init(&s->cert->cli_ext);
addcustom = 1;
- } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
+ } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
/*
* We already initialised the custom extensions during ClientHello
* parsing.
@@ -690,18 +699,18 @@
/* Check if this extension is defined for our protocol. If not, skip */
if ((SSL_IS_DTLS(s)
- && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY)
+ && (thisexd->context & SSL_EXT_TLS_IMPLEMENTATION_ONLY)
!= 0)
|| (s->version == SSL3_VERSION
- && (thisexd->context & EXT_SSL3_ALLOWED) == 0)
+ && (thisexd->context & SSL_EXT_SSL3_ALLOWED) == 0)
|| (SSL_IS_TLS13(s)
- && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY)
+ && (thisexd->context & SSL_EXT_TLS1_2_AND_BELOW_ONLY)
!= 0)
|| (!SSL_IS_TLS13(s)
- && (thisexd->context & EXT_TLS1_3_ONLY) != 0
- && (context & EXT_CLIENT_HELLO) == 0)
- || ((thisexd->context & EXT_TLS1_3_ONLY) != 0
- && (context & EXT_CLIENT_HELLO) != 0
+ && (thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0
+ && (context & SSL_EXT_CLIENT_HELLO) == 0)
+ || ((thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0
+ && (context & SSL_EXT_CLIENT_HELLO) != 0
&& (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
|| construct == NULL)
continue;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 8bb9a88..af89494 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1307,7 +1307,7 @@
return 0;
}
- if ((context & EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
+ if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
unsigned const char *pcurves = NULL;
size_t i, num_curves;
@@ -1411,7 +1411,7 @@
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al)
{
- if (context == EXT_TLS1_3_NEW_SESSION_TICKET) {
+ if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
unsigned long max_early_data;
if (!PACKET_get_net_4(pkt, &max_early_data)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 076a635..da7e8c8 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1133,7 +1133,7 @@
int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al)
{
- if (context == EXT_TLS1_3_NEW_SESSION_TICKET) {
+ if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
if (s->max_early_data == 0)
return 1;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d4f8e0a..8207dde 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1200,7 +1200,7 @@
}
/* TLS extensions */
- if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) {
+ if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0;
@@ -1390,8 +1390,8 @@
goto f_err;
}
- context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
- : EXT_TLS1_2_SERVER_HELLO;
+ context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
+ : SSL_EXT_TLS1_2_SERVER_HELLO;
if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL))
goto f_err;
@@ -1400,7 +1400,7 @@
if (SSL_IS_TLS13(s)) {
/* This will set s->hit if we are resuming */
if (!tls_parse_extension(s, TLSEXT_IDX_psk,
- EXT_TLS1_3_SERVER_HELLO,
+ SSL_EXT_TLS1_3_SERVER_HELLO,
extensions, NULL, 0, &al))
goto f_err;
} else {
@@ -1634,9 +1634,9 @@
goto f_err;
}
- if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
&extensions, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
extensions, NULL, 0, &al))
goto f_err;
@@ -1728,9 +1728,10 @@
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
+ &al, NULL)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al)) {
OPENSSL_free(rawexts);
goto f_err;
@@ -2357,9 +2358,9 @@
goto err;
}
if (!tls_collect_extensions(s, &extensions,
- EXT_TLS1_3_CERTIFICATE_REQUEST,
+ SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
&rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE_REQUEST,
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
rawexts, NULL, 0, &al)) {
OPENSSL_free(rawexts);
goto err;
@@ -2511,9 +2512,10 @@
if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
|| !tls_collect_extensions(s, &extpkt,
- EXT_TLS1_3_NEW_SESSION_TICKET,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
&exts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET,
+ || !tls_parse_all_extensions(s,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
exts, NULL, 0, &al)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION);
goto f_err;
@@ -3479,9 +3481,10 @@
goto err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
+ &al, NULL)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
rawexts, NULL, 0, &al))
goto err;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index f292b82..d5e87f7 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -801,7 +801,7 @@
}
if (SSL_IS_TLS13(s)
- && !tls_construct_extensions(s, pkt, EXT_TLS1_3_CERTIFICATE, x,
+ && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
chain, al))
return 0;
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h
index 9bf1d8a..43d79b8 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -32,29 +32,6 @@
/* The maximum number of incoming KeyUpdate messages we will accept */
#define MAX_KEY_UPDATE_MESSAGES 32
-/* Extension context codes */
-/* This extension is only allowed in TLS */
-#define EXT_TLS_ONLY 0x0001
-/* This extension is only allowed in DTLS */
-#define EXT_DTLS_ONLY 0x0002
-/* Some extensions may be allowed in DTLS but we don't implement them for it */
-#define EXT_TLS_IMPLEMENTATION_ONLY 0x0004
-/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
-#define EXT_SSL3_ALLOWED 0x0008
-/* Extension is only defined for TLS1.2 and above */
-#define EXT_TLS1_2_AND_BELOW_ONLY 0x0010
-/* Extension is only defined for TLS1.3 and above */
-#define EXT_TLS1_3_ONLY 0x0020
-#define EXT_CLIENT_HELLO 0x0040
-/* Really means TLS1.2 or below */
-#define EXT_TLS1_2_SERVER_HELLO 0x0080
-#define EXT_TLS1_3_SERVER_HELLO 0x0100
-#define EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x0200
-#define EXT_TLS1_3_HELLO_RETRY_REQUEST 0x0400
-#define EXT_TLS1_3_CERTIFICATE 0x0800
-#define EXT_TLS1_3_NEW_SESSION_TICKET 0x1000
-#define EXT_TLS1_3_CERTIFICATE_REQUEST 0x2000
-
/* Dummy message type */
#define SSL3_MT_DUMMY -1
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 1c6c35e..d931c7f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1442,7 +1442,7 @@
/* Preserve the raw extensions PACKET for later use */
extensions = clienthello->extensions;
- if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
+ if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
&clienthello->pre_proc_exts, &al,
&clienthello->pre_proc_exts_len)) {
/* SSLerr already been called */
@@ -1580,7 +1580,7 @@
/* We need to do this before getting the session */
if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
- EXT_CLIENT_HELLO,
+ SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, al)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto err;
@@ -1708,7 +1708,7 @@
#endif /* !OPENSSL_NO_EC */
/* TLS extensions */
- if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
+ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, al)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
goto err;
@@ -2127,8 +2127,8 @@
&& !WPACKET_put_bytes_u8(pkt, compm))
|| !tls_construct_extensions(s, pkt,
SSL_IS_TLS13(s)
- ? EXT_TLS1_3_SERVER_HELLO
- : EXT_TLS1_2_SERVER_HELLO,
+ ? SSL_EXT_TLS1_3_SERVER_HELLO
+ : SSL_EXT_TLS1_2_SERVER_HELLO,
NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
@@ -2510,8 +2510,9 @@
goto err;
}
- if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_CERTIFICATE_REQUEST,
- NULL, 0, &al)) {
+ if (!tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
+ 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -3251,9 +3252,10 @@
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
+ &al, NULL)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al)) {
OPENSSL_free(rawexts);
goto f_err;
@@ -3550,7 +3552,7 @@
|| !WPACKET_close(pkt)
|| (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt,
- EXT_TLS1_3_NEW_SESSION_TICKET,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, 0, &al))) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
@@ -3637,7 +3639,7 @@
{
int al;
- if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
@@ -3659,7 +3661,8 @@
*/
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
- || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ || !tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
