Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error

dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
author: jsing <> 2015-02-07 09:50:09 +0000
committer: jsing <> 2015-02-07 09:50:09 +0000
commit: ff826d3cb94a579275eb6e97b3cf80ca69016d4b (patch)
tree: 91db1503e055d43a30b1aa24f0307097e2bfb2ed
parent: fa55b09a9d68c9b8034bc1953d02a2baf74096e1 (diff)
download: openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.tar.gz
openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.tar.bz2
openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.zip
4 files changed, 16 insertions, 26 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 696c35b459..9fc81b5a64 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.6 2015/02/07 04:33:51 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.7 2015/02/07 09:50:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -236,7 +236,7 @@ tls_reset(struct tls *ctx)
        ctx->errmsg = NULL;
 }
-static int
+int
 tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix)
 {
        const char *errstr = "unknown error";
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index d9354c3140..85733cdd5e 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.10 2015/01/30 14:25:37 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.11 2015/02/07 09:50:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -136,7 +136,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 {
        union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
        X509 *cert = NULL;
-        int ret, ssl_err;
+        int ret, err;
        if (ctx->flags & TLS_CONNECTING)
                goto connecting;
@@ -216,18 +216,12 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 connecting:
        if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
-                ssl_err = SSL_get_error(ctx->ssl_conn, ret);
+                err = tls_ssl_error(ctx, ret, "connect");
-                switch (ssl_err) {
+                if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
-                case SSL_ERROR_WANT_READ:
                        ctx->flags |= TLS_CONNECTING;
-                        return (TLS_READ_AGAIN);
+                        return (err);
-                case SSL_ERROR_WANT_WRITE:
-                        ctx->flags |= TLS_CONNECTING;
-                        return (TLS_WRITE_AGAIN);
-                default:
-                        tls_set_error(ctx, "TLS connect failed (%i)", ssl_err);
-                        goto err;
                }
+                goto err;
        }
        ctx->flags &= ~TLS_CONNECTING;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 18fcf539c3..f0feddcf5b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.8 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.9 2015/02/07 09:50:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -74,5 +74,6 @@ int tls_host_port(const char *hostport, char **host, char **port);
 int tls_set_error(struct tls *ctx, char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
+int tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix);
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 8d71d2790f..8f34ecdded 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.5 2015/02/07 09:50:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -102,7 +102,7 @@ int
 tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 {
        struct tls *conn_ctx = *cctx;
-        int ret, ssl_err;
+        int ret, err;
        
        if ((ctx->flags & TLS_SERVER) == 0) {
                tls_set_error(ctx, "not a server context");
@@ -131,16 +131,11 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
        }
        if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
-                ssl_err = SSL_get_error(conn_ctx->ssl_conn, ret);
+                err = tls_ssl_error(conn_ctx, ret, "accept");
-                switch (ssl_err) {
+                if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
-                case SSL_ERROR_WANT_READ:
+                        return (err);
-                        return (TLS_READ_AGAIN);
-                case SSL_ERROR_WANT_WRITE:
-                        return (TLS_WRITE_AGAIN);
-                default:
-                        tls_set_error(ctx, "TLS accept failed (%i)", ssl_err);
-                        goto err;
                }
+                goto err;
        }
        return (0);
author	jsing <>	2015-02-07 09:50:09 +0000
committer	jsing <>	2015-02-07 09:50:09 +0000
commit	ff826d3cb94a579275eb6e97b3cf80ca69016d4b (patch)
tree	91db1503e055d43a30b1aa24f0307097e2bfb2ed
parent	fa55b09a9d68c9b8034bc1953d02a2baf74096e1 (diff)
download	openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.tar.gz openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.tar.bz2 openbsd-ff826d3cb94a579275eb6e97b3cf80ca69016d4b.zip