authortb <>2026-04-16 07:28:00 +0000
committertb <>2026-04-16 07:28:00 +0000
commit4ab01251a636fac40d8a39e8cc3ba506580aa79b (patch)
tree1507d9367c9990c48298039dc67d8d5ce9062f11 /src/lib
parentd680a6fb78c5f1a30a0d45de7b989cee9631652a (diff)
libtls: prefer x version of error setting
If a check fails and errno is not necessarily set by the previous API call, use tls_set_errorx() or tls_error_setx(), since turning an unrelated errno into an error string is unhelpful.

From Michael Forney

ok bcook
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libtls/tls.c4
-rw-r--r--src/lib/libtls/tls_client.c4
-rw-r--r--src/lib/libtls/tls_keypair.c6
-rw-r--r--src/lib/libtls/tls_ocsp.c10
-rw-r--r--src/lib/libtls/tls_server.c10
5 files changed, 17 insertions, 17 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 41bb06d857..02ff337b1e 100644
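--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.104 2024/04/08 20:47:32 tb Exp $ */
+/* $OpenBSD: tls.c,v 1.105 2026/04/16 07:28:00 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -686,7 +686,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
  if (xi->crl == NULL)
  continue;
  if (!X509_STORE_add_crl(store, xi->crl)) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "failed to add crl");
  goto err;
  }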
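Review bot: With errno no longer appended, the "failed to add crl" message at the `X509_STORE_add_crl()` check carries no cause at all, which makes a broken revocation setup hard to diagnose. The reason for such a failure would normally sit in the libcrypto error queue, and the `tls_keypair_load_cert()` hunk in this commit already reads it with `ERR_peek_error()`; consider formatting the message as `"failed to add crl: %s"` with that string. The same applies to the "unable to parse OCSP response" path in tls_ocsp.c and to the `SSL_CTX_set_*` failures in tls_server.c. The body of tls_configure_ssl_verify continues outside the hunk, so whether the queue is cleared beforehand is not visible here.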
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 97e1d40210..7de9927b94 100644
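--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_client.c,v 1.52 2026/04/16 07:28:00 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -115,7 +115,7 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
  hints.ai_family = AF_UNSPEC;
  hints.ai_flags = AI_ADDRCONFIG;
  if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "%s", gai_strerror(s));
  goto err;
  }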
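Review bot: When `getaddrinfo()` returns `EAI_SYSTEM`, the real cause is in errno and `gai_strerror(s)` only yields a generic system-error string, so the unconditional switch to `tls_set_errorx()` at this check drops the one case where errno is meaningful. Consider keeping the errno-appending call for that value only: `if (s == EAI_SYSTEM) tls_set_error(ctx, TLS_ERROR_UNKNOWN, "%s", gai_strerror(s)); else tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "%s", gai_strerror(s));`. tls_connect_servername starts and ends outside the hunk.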
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index 594b9af438..e10d0fdc76 100644
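--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.10 2026/04/16 05:16:48 tb Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.11 2026/04/16 07:28:00 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -144,7 +144,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
  *cert = NULL;
 
  if (keypair->cert_mem == NULL) {
- tls_error_set(error, TLS_ERROR_UNKNOWN,
+ tls_error_setx(error, TLS_ERROR_UNKNOWN,
  "keypair has no certificate");
  goto err;
  }
@@ -163,7 +163,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
  NULL)) == NULL) {
  if ((ssl_err = ERR_peek_error()) != 0)
  errstr = ERR_error_string(ssl_err, NULL);
- tls_error_set(error, TLS_ERROR_UNKNOWN,
+ tls_error_setx(error, TLS_ERROR_UNKNOWN,
  "failed to load certificate: %s", errstr);
  goto err;
  }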
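Review bot: In the second hunk, `ERR_error_string(ssl_err, NULL)` returns a pointer into a static buffer, so two threads loading certificates at once can overwrite each other's `errstr` before it is formatted into the error. A local buffer filled with `ERR_error_string_n(ssl_err, buf, sizeof(buf))` avoids that. `ERR_peek_error()` also reports the oldest queued entry, so unless the queue is cleared before the PEM read (not visible in this hunk) the text may describe an earlier, unrelated failure. The body of tls_keypair_load_cert extends beyond both hunks.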
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index c65911920a..784d911b7a 100644
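--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.27 2026/03/28 11:49:31 tb Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.28 2026/04/16 07:28:00 tb Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -102,19 +102,19 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
  info->revocation_time = info->this_update = info->next_update = -1;
  if (revtime != NULL &&
  tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "unable to parse revocation time in OCSP reply");
  goto err;
  }
  if (thisupd != NULL &&
  tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "unable to parse this update time in OCSP reply");
  goto err;
  }
  if (nextupd != NULL &&
  tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "unable to parse next update time in OCSP reply");
  goto err;
  }
@@ -305,7 +305,7 @@ tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *respons
  if (resp == NULL) {
  tls_ocsp_free(ctx->ocsp);
  ctx->ocsp = NULL;
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "unable to parse OCSP response");
  return -1;
  }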
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 42a697327a..570020d6a2 100644
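--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */
+/* $OpenBSD: tls_server.c,v 1.53 2026/04/16 07:28:00 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -242,12 +242,12 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
 
  if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
  tls_servername_cb) != 1) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "failed to set servername callback");
  goto err;
  }
  if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "failed to set servername callback arg");
  goto err;
  }
@@ -298,7 +298,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
  SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
  if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
  tls_server_ticket_cb)) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "failed to set the TLS ticket callback");
  goto err;
  }
@@ -306,7 +306,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
 
  if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
  sizeof(ctx->config->session_id)) != 1) {
- tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
  "failed to set session id context");
  goto err;
  }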