author | joshua <> | 2024-03-26 06:24:52 +0000 |
---|---|---|
committer | joshua <> | 2024-03-26 06:24:52 +0000 |
commit | 936498dd6ef929653cff09dd6b3303e39c8ad08d (patch) | |
tree | c0d04141b5fceb9e1cb05bec1e7e8fe3d0ac35f9 /src/lib/libtls/tls_verify.c | |
parent | 7e79cc7d135c6ac69536ff44c870a4af9ecee499 (diff) | |
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@
Diffstat (limited to 'src/lib/libtls/tls_verify.c')
-rw-r--r-- | src/lib/libtls/tls_verify.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c index a35ebe0252..78f6c249cc 100644 --- a/src/lib/libtls/tls_verify.c +++ b/src/lib/libtls/tls_verify.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tls_verify.c,v 1.29 2023/11/22 18:23:09 op Exp $ */ | 1 | /* $OpenBSD: tls_verify.c,v 1.30 2024/03/26 06:24:52 joshua Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
4 | * | 4 | * |
@@ -102,7 +102,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, | |||
102 | NULL); | 102 | NULL); |
103 | if (altname_stack == NULL) { | 103 | if (altname_stack == NULL) { |
104 | if (critical != -1) { | 104 | if (critical != -1) { |
105 | tls_set_errorx(ctx, "error decoding subjectAltName"); | 105 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
106 | "error decoding subjectAltName"); | ||
106 | goto err; | 107 | goto err; |
107 | } | 108 | } |
108 | goto done; | 109 | goto done; |
@@ -141,7 +142,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, | |||
141 | len = ASN1_STRING_length(altname->d.dNSName); | 142 | len = ASN1_STRING_length(altname->d.dNSName); |
142 | 143 | ||
143 | if (len < 0 || (size_t)len != strlen(data)) { | 144 | if (len < 0 || (size_t)len != strlen(data)) { |
144 | tls_set_errorx(ctx, | 145 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
145 | "error verifying name '%s': " | 146 | "error verifying name '%s': " |
146 | "NUL byte in subjectAltName, " | 147 | "NUL byte in subjectAltName, " |
147 | "probably a malicious certificate", | 148 | "probably a malicious certificate", |
@@ -155,7 +156,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, | |||
155 | * dNSName must be rejected. | 156 | * dNSName must be rejected. |
156 | */ | 157 | */ |
157 | if (strcmp(data, " ") == 0) { | 158 | if (strcmp(data, " ") == 0) { |
158 | tls_set_errorx(ctx, | 159 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
159 | "error verifying name '%s': " | 160 | "error verifying name '%s': " |
160 | "a dNSName of \" \" must not be " | 161 | "a dNSName of \" \" must not be " |
161 | "used", name); | 162 | "used", name); |
@@ -182,7 +183,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, | |||
182 | data = ASN1_STRING_get0_data(altname->d.iPAddress); | 183 | data = ASN1_STRING_get0_data(altname->d.iPAddress); |
183 | 184 | ||
184 | if (datalen < 0) { | 185 | if (datalen < 0) { |
185 | tls_set_errorx(ctx, | 186 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
186 | "Unexpected negative length for an " | 187 | "Unexpected negative length for an " |
187 | "IP address: %d", datalen); | 188 | "IP address: %d", datalen); |
188 | goto err; | 189 | goto err; |
@@ -243,7 +244,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, | |||
243 | * more than one CN fed to us in the subject, treating the | 244 | * more than one CN fed to us in the subject, treating the |
244 | * certificate as hostile. | 245 | * certificate as hostile. |
245 | */ | 246 | */ |
246 | tls_set_errorx(ctx, "error verifying name '%s': " | 247 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
248 | "error verifying name '%s': " | ||
247 | "Certificate subject contains multiple Common Name fields, " | 249 | "Certificate subject contains multiple Common Name fields, " |
248 | "probably a malicious or malformed certificate", name); | 250 | "probably a malicious or malformed certificate", name); |
249 | goto err; | 251 | goto err; |
@@ -255,7 +257,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, | |||
255 | * Fail if we cannot encode the CN bytes as UTF-8. | 257 | * Fail if we cannot encode the CN bytes as UTF-8. |
256 | */ | 258 | */ |
257 | if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) { | 259 | if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) { |
258 | tls_set_errorx(ctx, "error verifying name '%s': " | 260 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
261 | "error verifying name '%s': " | ||
259 | "Common Name field cannot be encoded as a UTF-8 string, " | 262 | "Common Name field cannot be encoded as a UTF-8 string, " |
260 | "probably a malicious certificate", name); | 263 | "probably a malicious certificate", name); |
261 | goto err; | 264 | goto err; |
@@ -265,7 +268,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, | |||
265 | * must be between 1 and 64 bytes long. | 268 | * must be between 1 and 64 bytes long. |
266 | */ | 269 | */ |
267 | if (common_name_len < 1 || common_name_len > 64) { | 270 | if (common_name_len < 1 || common_name_len > 64) { |
268 | tls_set_errorx(ctx, "error verifying name '%s': " | 271 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
272 | "error verifying name '%s': " | ||
269 | "Common Name field has invalid length, " | 273 | "Common Name field has invalid length, " |
270 | "probably a malicious certificate", name); | 274 | "probably a malicious certificate", name); |
271 | goto err; | 275 | goto err; |
@@ -274,7 +278,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, | |||
274 | * Fail if the resulting text contains a NUL byte. | 278 | * Fail if the resulting text contains a NUL byte. |
275 | */ | 279 | */ |
276 | if (memchr(utf8_bytes, 0, common_name_len) != NULL) { | 280 | if (memchr(utf8_bytes, 0, common_name_len) != NULL) { |
277 | tls_set_errorx(ctx, "error verifying name '%s': " | 281 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
282 | "error verifying name '%s': " | ||
278 | "NUL byte in Common Name field, " | 283 | "NUL byte in Common Name field, " |
279 | "probably a malicious certificate", name); | 284 | "probably a malicious certificate", name); |
280 | goto err; | 285 | goto err; |
@@ -282,7 +287,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, | |||
282 | 287 | ||
283 | common_name = strndup(utf8_bytes, common_name_len); | 288 | common_name = strndup(utf8_bytes, common_name_len); |
284 | if (common_name == NULL) { | 289 | if (common_name == NULL) { |
285 | tls_set_error(ctx, "out of memory"); | 290 | tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, |
291 | "out of memory"); | ||
286 | goto err; | 292 | goto err; |
287 | } | 293 | } |
288 | 294 | ||
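Review bot: Every certificate-validation rejection in this section — the subjectAltName decode failure, the NUL-byte, " " dNSName and negative iPAddress-length checks in tls_check_subject_altname, and the multiple-CN, UTF-8, length and NUL-byte checks in tls_check_common_name — is tagged TLS_ERROR_UNKNOWN, while only the strndup failure receives a specific code (TLS_ERROR_OUT_OF_MEMORY), so a caller of the new tls_error_code() cannot distinguish a certificate rejected as malformed or hostile from a generic internal failure. The commit message says further codes will follow; until they do I would mark each of these sites so the placeholder is not forgotten, e.g. `/* TODO: assign a dedicated name-verification error code */` on the line above each `tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,`. Since each of these paths already jumps to `err`, any future code assigned here should keep conveying a hard verification failure rather than something a caller might treat as transient. Both enclosing functions begin and end outside the hunks shown.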