summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjoshua <>2024-03-26 06:24:52 +0000
committerjoshua <>2024-03-26 06:24:52 +0000
commitbd68c6e1694d8d4eb801f32889da4cdde0b3c311 (patch)
treec0d04141b5fceb9e1cb05bec1e7e8fe3d0ac35f9 /src
parent941ebfb2fe91a55863dd80aff9d8abc072a3a67c (diff)
downloadopenbsd-bd68c6e1694d8d4eb801f32889da4cdde0b3c311.tar.gz
openbsd-bd68c6e1694d8d4eb801f32889da4cdde0b3c311.tar.bz2
openbsd-bd68c6e1694d8d4eb801f32889da4cdde0b3c311.zip
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become public API at a later date. Additional error codes will be added in follow-up commits. ok jsing@ beck@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libtls/tls.c152
-rw-r--r--src/lib/libtls/tls.h12
-rw-r--r--src/lib/libtls/tls_bio_cb.c10
-rw-r--r--src/lib/libtls/tls_client.c87
-rw-r--r--src/lib/libtls/tls_config.c83
-rw-r--r--src/lib/libtls/tls_conninfo.c6
-rw-r--r--src/lib/libtls/tls_internal.h45
-rw-r--r--src/lib/libtls/tls_keypair.c11
-rw-r--r--src/lib/libtls/tls_ocsp.c44
-rw-r--r--src/lib/libtls/tls_server.c54
-rw-r--r--src/lib/libtls/tls_signer.c58
-rw-r--r--src/lib/libtls/tls_verify.c26
12 files changed, 363 insertions, 225 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 58245009d7..8433f556bf 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.100 2024/03/26 01:15:57 joshua Exp $ */ 1/* $OpenBSD: tls.c,v 1.101 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -72,23 +72,32 @@ tls_error(struct tls *ctx)
72 return ctx->error.msg; 72 return ctx->error.msg;
73} 73}
74 74
75int
76tls_error_code(struct tls *ctx)
77{
78 return ctx->error.code;
79}
80
75void 81void
76tls_error_clear(struct tls_error *error) 82tls_error_clear(struct tls_error *error)
77{ 83{
78 free(error->msg); 84 free(error->msg);
79 error->msg = NULL; 85 error->msg = NULL;
86 error->code = TLS_ERROR_UNKNOWN;
80 error->errno_value = 0; 87 error->errno_value = 0;
81 error->tls = 0; 88 error->tls = 0;
82} 89}
83 90
84static int 91static int
85tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_list ap) 92tls_error_vset(struct tls_error *error, int code, int errno_value,
93 const char *fmt, va_list ap)
86{ 94{
87 char *errmsg = NULL; 95 char *errmsg = NULL;
88 int rv = -1; 96 int rv = -1;
89 97
90 tls_error_clear(error); 98 tls_error_clear(error);
91 99
100 error->code = code;
92 error->errno_value = errno_value; 101 error->errno_value = errno_value;
93 error->tls = 1; 102 error->tls = 1;
94 103
@@ -115,7 +124,7 @@ tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_lis
115} 124}
116 125
117int 126int
118tls_error_set(struct tls_error *error, const char *fmt, ...) 127tls_error_set(struct tls_error *error, int code, const char *fmt, ...)
119{ 128{
120 va_list ap; 129 va_list ap;
121 int errno_value, rv; 130 int errno_value, rv;
@@ -123,27 +132,27 @@ tls_error_set(struct tls_error *error, const char *fmt, ...)
123 errno_value = errno; 132 errno_value = errno;
124 133
125 va_start(ap, fmt); 134 va_start(ap, fmt);
126 rv = tls_error_vset(error, errno_value, fmt, ap); 135 rv = tls_error_vset(error, code, errno_value, fmt, ap);
127 va_end(ap); 136 va_end(ap);
128 137
129 return (rv); 138 return (rv);
130} 139}
131 140
132int 141int
133tls_error_setx(struct tls_error *error, const char *fmt, ...) 142tls_error_setx(struct tls_error *error, int code, const char *fmt, ...)
134{ 143{
135 va_list ap; 144 va_list ap;
136 int rv; 145 int rv;
137 146
138 va_start(ap, fmt); 147 va_start(ap, fmt);
139 rv = tls_error_vset(error, -1, fmt, ap); 148 rv = tls_error_vset(error, code, -1, fmt, ap);
140 va_end(ap); 149 va_end(ap);
141 150
142 return (rv); 151 return (rv);
143} 152}
144 153
145int 154int
146tls_config_set_error(struct tls_config *config, const char *fmt, ...) 155tls_config_set_error(struct tls_config *config, int code, const char *fmt, ...)
147{ 156{
148 va_list ap; 157 va_list ap;
149 int errno_value, rv; 158 int errno_value, rv;
@@ -151,27 +160,27 @@ tls_config_set_error(struct tls_config *config, const char *fmt, ...)
151 errno_value = errno; 160 errno_value = errno;
152 161
153 va_start(ap, fmt); 162 va_start(ap, fmt);
154 rv = tls_error_vset(&config->error, errno_value, fmt, ap); 163 rv = tls_error_vset(&config->error, code, errno_value, fmt, ap);
155 va_end(ap); 164 va_end(ap);
156 165
157 return (rv); 166 return (rv);
158} 167}
159 168
160int 169int
161tls_config_set_errorx(struct tls_config *config, const char *fmt, ...) 170tls_config_set_errorx(struct tls_config *config, int code, const char *fmt, ...)
162{ 171{
163 va_list ap; 172 va_list ap;
164 int rv; 173 int rv;
165 174
166 va_start(ap, fmt); 175 va_start(ap, fmt);
167 rv = tls_error_vset(&config->error, -1, fmt, ap); 176 rv = tls_error_vset(&config->error, code, -1, fmt, ap);
168 va_end(ap); 177 va_end(ap);
169 178
170 return (rv); 179 return (rv);
171} 180}
172 181
173int 182int
174tls_set_error(struct tls *ctx, const char *fmt, ...) 183tls_set_error(struct tls *ctx, int code, const char *fmt, ...)
175{ 184{
176 va_list ap; 185 va_list ap;
177 int errno_value, rv; 186 int errno_value, rv;
@@ -179,27 +188,27 @@ tls_set_error(struct tls *ctx, const char *fmt, ...)
179 errno_value = errno; 188 errno_value = errno;
180 189
181 va_start(ap, fmt); 190 va_start(ap, fmt);
182 rv = tls_error_vset(&ctx->error, errno_value, fmt, ap); 191 rv = tls_error_vset(&ctx->error, code, errno_value, fmt, ap);
183 va_end(ap); 192 va_end(ap);
184 193
185 return (rv); 194 return (rv);
186} 195}
187 196
188int 197int
189tls_set_errorx(struct tls *ctx, const char *fmt, ...) 198tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...)
190{ 199{
191 va_list ap; 200 va_list ap;
192 int rv; 201 int rv;
193 202
194 va_start(ap, fmt); 203 va_start(ap, fmt);
195 rv = tls_error_vset(&ctx->error, -1, fmt, ap); 204 rv = tls_error_vset(&ctx->error, code, -1, fmt, ap);
196 va_end(ap); 205 va_end(ap);
197 206
198 return (rv); 207 return (rv);
199} 208}
200 209
201int 210int
202tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) 211tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...)
203{ 212{
204 va_list ap; 213 va_list ap;
205 int rv; 214 int rv;
@@ -209,7 +218,7 @@ tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
209 return (0); 218 return (0);
210 219
211 va_start(ap, fmt); 220 va_start(ap, fmt);
212 rv = tls_error_vset(&ctx->error, -1, fmt, ap); 221 rv = tls_error_vset(&ctx->error, code, -1, fmt, ap);
213 va_end(ap); 222 va_end(ap);
214 223
215 return (rv); 224 return (rv);
@@ -350,31 +359,35 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
350 return (0); 359 return (0);
351 360
352 if (len > INT_MAX) { 361 if (len > INT_MAX) {
353 tls_set_errorx(ctx, ctx->config->use_fake_private_key ? 362 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
363 ctx->config->use_fake_private_key ?
354 "cert too long" : "key too long"); 364 "cert too long" : "key too long");
355 goto err; 365 goto err;
356 } 366 }
357 367
358 if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { 368 if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
359 tls_set_errorx(ctx, "failed to create buffer"); 369 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to create buffer");
360 goto err; 370 goto err;
361 } 371 }
362 372
363 if (ctx->config->use_fake_private_key) { 373 if (ctx->config->use_fake_private_key) {
364 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, 374 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
365 NULL)) == NULL) { 375 NULL)) == NULL) {
366 tls_set_errorx(ctx, "failed to read X509 certificate"); 376 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
377 "failed to read X509 certificate");
367 goto err; 378 goto err;
368 } 379 }
369 if ((*pkey = X509_get_pubkey(x509)) == NULL) { 380 if ((*pkey = X509_get_pubkey(x509)) == NULL) {
370 tls_set_errorx(ctx, "failed to retrieve pubkey"); 381 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
382 "failed to retrieve pubkey");
371 goto err; 383 goto err;
372 } 384 }
373 } else { 385 } else {
374 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, 386 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
375 NULL)) == NULL) { 387 NULL)) == NULL) {
376 tls_set_errorx(ctx, "failed to read private key"); 388 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
377 goto err; 389 "failed to read private key");
390 goto err;
378 } 391 }
379 } 392 }
380 393
@@ -399,7 +412,7 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
399 return (0); 412 return (0);
400 413
401 if (keypair->pubkey_hash == NULL) { 414 if (keypair->pubkey_hash == NULL) {
402 tls_set_errorx(ctx, "public key hash not set"); 415 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "public key hash not set");
403 goto err; 416 goto err;
404 } 417 }
405 418
@@ -407,7 +420,8 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
407 case EVP_PKEY_RSA: 420 case EVP_PKEY_RSA:
408 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || 421 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
409 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { 422 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
410 tls_set_errorx(ctx, "RSA key setup failure"); 423 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
424 "RSA key setup failure");
411 goto err; 425 goto err;
412 } 426 }
413 if (ctx->config->sign_cb != NULL) { 427 if (ctx->config->sign_cb != NULL) {
@@ -415,20 +429,23 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
415 if (rsa_method == NULL || 429 if (rsa_method == NULL ||
416 RSA_set_ex_data(rsa, 1, ctx->config) == 0 || 430 RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
417 RSA_set_method(rsa, rsa_method) == 0) { 431 RSA_set_method(rsa, rsa_method) == 0) {
418 tls_set_errorx(ctx, "failed to setup RSA key"); 432 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
433 "failed to setup RSA key");
419 goto err; 434 goto err;
420 } 435 }
421 } 436 }
422 /* Reset the key to work around caching in OpenSSL 3. */ 437 /* Reset the key to work around caching in OpenSSL 3. */
423 if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { 438 if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
424 tls_set_errorx(ctx, "failed to set RSA key"); 439 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
440 "failed to set RSA key");
425 goto err; 441 goto err;
426 } 442 }
427 break; 443 break;
428 case EVP_PKEY_EC: 444 case EVP_PKEY_EC:
429 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || 445 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
430 EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { 446 EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
431 tls_set_errorx(ctx, "EC key setup failure"); 447 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
448 "EC key setup failure");
432 goto err; 449 goto err;
433 } 450 }
434 if (ctx->config->sign_cb != NULL) { 451 if (ctx->config->sign_cb != NULL) {
@@ -436,18 +453,20 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
436 if (ecdsa_method == NULL || 453 if (ecdsa_method == NULL ||
437 EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || 454 EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
438 EC_KEY_set_method(eckey, ecdsa_method) == 0) { 455 EC_KEY_set_method(eckey, ecdsa_method) == 0) {
439 tls_set_errorx(ctx, "failed to setup EC key"); 456 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
457 "failed to setup EC key");
440 goto err; 458 goto err;
441 } 459 }
442 } 460 }
443 /* Reset the key to work around caching in OpenSSL 3. */ 461 /* Reset the key to work around caching in OpenSSL 3. */
444 if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { 462 if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
445 tls_set_errorx(ctx, "failed to set EC key"); 463 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
464 "failed to set EC key");
446 goto err; 465 goto err;
447 } 466 }
448 break; 467 break;
449 default: 468 default:
450 tls_set_errorx(ctx, "incorrect key type"); 469 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "incorrect key type");
451 goto err; 470 goto err;
452 } 471 }
453 472
@@ -472,13 +491,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
472 491
473 if (keypair->cert_mem != NULL) { 492 if (keypair->cert_mem != NULL) {
474 if (keypair->cert_len > INT_MAX) { 493 if (keypair->cert_len > INT_MAX) {
475 tls_set_errorx(ctx, "certificate too long"); 494 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
495 "certificate too long");
476 goto err; 496 goto err;
477 } 497 }
478 498
479 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx, 499 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
480 keypair->cert_mem, keypair->cert_len) != 1) { 500 keypair->cert_mem, keypair->cert_len) != 1) {
481 tls_set_errorx(ctx, "failed to load certificate"); 501 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
502 "failed to load certificate");
482 goto err; 503 goto err;
483 } 504 }
484 } 505 }
@@ -489,7 +510,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
489 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) 510 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
490 goto err; 511 goto err;
491 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { 512 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
492 tls_set_errorx(ctx, "failed to load private key"); 513 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
514 "failed to load private key");
493 goto err; 515 goto err;
494 } 516 }
495 EVP_PKEY_free(pkey); 517 EVP_PKEY_free(pkey);
@@ -498,7 +520,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
498 520
499 if (!ctx->config->skip_private_key_check && 521 if (!ctx->config->skip_private_key_check &&
500 SSL_CTX_check_private_key(ssl_ctx) != 1) { 522 SSL_CTX_check_private_key(ssl_ctx) != 1) {
501 tls_set_errorx(ctx, "private/public key mismatch"); 523 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
524 "private/public key mismatch");
502 goto err; 525 goto err;
503 } 526 }
504 527
@@ -534,7 +557,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
534 if (ctx->config->alpn != NULL) { 557 if (ctx->config->alpn != NULL) {
535 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, 558 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
536 ctx->config->alpn_len) != 0) { 559 ctx->config->alpn_len) != 0) {
537 tls_set_errorx(ctx, "failed to set alpn"); 560 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
561 "failed to set alpn");
538 goto err; 562 goto err;
539 } 563 }
540 } 564 }
@@ -542,7 +566,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
542 if (ctx->config->ciphers != NULL) { 566 if (ctx->config->ciphers != NULL) {
543 if (SSL_CTX_set_cipher_list(ssl_ctx, 567 if (SSL_CTX_set_cipher_list(ssl_ctx,
544 ctx->config->ciphers) != 1) { 568 ctx->config->ciphers) != 1) {
545 tls_set_errorx(ctx, "failed to set ciphers"); 569 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
570 "failed to set ciphers");
546 goto err; 571 goto err;
547 } 572 }
548 } 573 }
@@ -572,7 +597,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
572 return (1); 597 return (1);
573 598
574 if ((X509_verify_cert(x509_ctx)) < 0) { 599 if ((X509_verify_cert(x509_ctx)) < 0) {
575 tls_set_errorx(ctx, "X509 verify cert failed"); 600 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
601 "X509 verify cert failed");
576 return (0); 602 return (0);
577 } 603 }
578 604
@@ -580,7 +606,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
580 if (x509_err == X509_V_OK) 606 if (x509_err == X509_V_OK)
581 return (1); 607 return (1);
582 608
583 tls_set_errorx(ctx, "certificate verification failed: %s", 609 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
610 "certificate verification failed: %s",
584 X509_verify_cert_error_string(x509_err)); 611 X509_verify_cert_error_string(x509_err));
585 612
586 return (0); 613 return (0);
@@ -620,31 +647,35 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
620 647
621 if (ca_mem != NULL) { 648 if (ca_mem != NULL) {
622 if (ca_len > INT_MAX) { 649 if (ca_len > INT_MAX) {
623 tls_set_errorx(ctx, "ca too long"); 650 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ca too long");
624 goto err; 651 goto err;
625 } 652 }
626 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { 653 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
627 tls_set_errorx(ctx, "ssl verify memory setup failure"); 654 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
655 "ssl verify memory setup failure");
628 goto err; 656 goto err;
629 } 657 }
630 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, 658 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
631 ctx->config->ca_path) != 1) { 659 ctx->config->ca_path) != 1) {
632 tls_set_errorx(ctx, "ssl verify locations failure"); 660 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
661 "ssl verify locations failure");
633 goto err; 662 goto err;
634 } 663 }
635 664
636 if (crl_mem != NULL) { 665 if (crl_mem != NULL) {
637 if (crl_len > INT_MAX) { 666 if (crl_len > INT_MAX) {
638 tls_set_errorx(ctx, "crl too long"); 667 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "crl too long");
639 goto err; 668 goto err;
640 } 669 }
641 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { 670 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
642 tls_set_errorx(ctx, "failed to create buffer"); 671 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
672 "failed to create buffer");
643 goto err; 673 goto err;
644 } 674 }
645 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb, 675 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
646 NULL)) == NULL) { 676 NULL)) == NULL) {
647 tls_set_errorx(ctx, "failed to parse crl"); 677 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
678 "failed to parse crl");
648 goto err; 679 goto err;
649 } 680 }
650 store = SSL_CTX_get_cert_store(ssl_ctx); 681 store = SSL_CTX_get_cert_store(ssl_ctx);
@@ -653,7 +684,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
653 if (xi->crl == NULL) 684 if (xi->crl == NULL)
654 continue; 685 continue;
655 if (!X509_STORE_add_crl(store, xi->crl)) { 686 if (!X509_STORE_add_crl(store, xi->crl)) {
656 tls_set_error(ctx, "failed to add crl"); 687 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
688 "failed to add crl");
657 goto err; 689 goto err;
658 } 690 }
659 } 691 }
@@ -759,21 +791,24 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
759 } else if (ssl_ret == -1) { 791 } else if (ssl_ret == -1) {
760 errstr = strerror(errno); 792 errstr = strerror(errno);
761 } 793 }
762 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); 794 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
795 "%s failed: %s", prefix, errstr);
763 return (-1); 796 return (-1);
764 797
765 case SSL_ERROR_SSL: 798 case SSL_ERROR_SSL:
766 if ((err = ERR_peek_error()) != 0) { 799 if ((err = ERR_peek_error()) != 0) {
767 errstr = ERR_error_string(err, NULL); 800 errstr = ERR_error_string(err, NULL);
768 } 801 }
769 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); 802 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
803 "%s failed: %s", prefix, errstr);
770 return (-1); 804 return (-1);
771 805
772 case SSL_ERROR_WANT_CONNECT: 806 case SSL_ERROR_WANT_CONNECT:
773 case SSL_ERROR_WANT_ACCEPT: 807 case SSL_ERROR_WANT_ACCEPT:
774 case SSL_ERROR_WANT_X509_LOOKUP: 808 case SSL_ERROR_WANT_X509_LOOKUP:
775 default: 809 default:
776 tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err); 810 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
811 "%s failed (%d)", prefix, ssl_err);
777 return (-1); 812 return (-1);
778 } 813 }
779} 814}
@@ -786,12 +821,14 @@ tls_handshake(struct tls *ctx)
786 tls_error_clear(&ctx->error); 821 tls_error_clear(&ctx->error);
787 822
788 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { 823 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
789 tls_set_errorx(ctx, "invalid operation for context"); 824 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
825 "invalid operation for context");
790 goto out; 826 goto out;
791 } 827 }
792 828
793 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) { 829 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
794 tls_set_errorx(ctx, "handshake already completed"); 830 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
831 "handshake already completed");
795 goto out; 832 goto out;
796 } 833 }
797 834
@@ -828,7 +865,8 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
828 } 865 }
829 866
830 if (buflen > INT_MAX) { 867 if (buflen > INT_MAX) {
831 tls_set_errorx(ctx, "buflen too long"); 868 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
869 "buflen too long");
832 goto out; 870 goto out;
833 } 871 }
834 872
@@ -859,7 +897,8 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
859 } 897 }
860 898
861 if (buflen > INT_MAX) { 899 if (buflen > INT_MAX) {
862 tls_set_errorx(ctx, "buflen too long"); 900 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
901 "buflen too long");
863 goto out; 902 goto out;
864 } 903 }
865 904
@@ -885,7 +924,8 @@ tls_close(struct tls *ctx)
885 tls_error_clear(&ctx->error); 924 tls_error_clear(&ctx->error);
886 925
887 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { 926 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
888 tls_set_errorx(ctx, "invalid operation for context"); 927 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
928 "invalid operation for context");
889 rv = -1; 929 rv = -1;
890 goto out; 930 goto out;
891 } 931 }
@@ -906,13 +946,13 @@ tls_close(struct tls *ctx)
906 if (shutdown(ctx->socket, SHUT_RDWR) != 0) { 946 if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
907 if (rv == 0 && 947 if (rv == 0 &&
908 errno != ENOTCONN && errno != ECONNRESET) { 948 errno != ENOTCONN && errno != ECONNRESET) {
909 tls_set_error(ctx, "shutdown"); 949 tls_set_error(ctx, TLS_ERROR_UNKNOWN, "shutdown");
910 rv = -1; 950 rv = -1;
911 } 951 }
912 } 952 }
913 if (close(ctx->socket) != 0) { 953 if (close(ctx->socket) != 0) {
914 if (rv == 0) { 954 if (rv == 0) {
915 tls_set_error(ctx, "close"); 955 tls_set_error(ctx, TLS_ERROR_UNKNOWN, "close");
916 rv = -1; 956 rv = -1;
917 } 957 }
918 } 958 }
@@ -920,7 +960,7 @@ tls_close(struct tls *ctx)
920 } 960 }
921 961
922 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) { 962 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
923 tls_set_errorx(ctx, "EOF without close notify"); 963 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "EOF without close notify");
924 rv = -1; 964 rv = -1;
925 } 965 }
926 966
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 34183745e5..0113c1c67f 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.63 2023/07/02 06:37:27 beck Exp $ */ 1/* $OpenBSD: tls.h,v 1.64 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -76,6 +76,12 @@ extern "C" {
76#define TLS_MAX_SESSION_ID_LENGTH 32 76#define TLS_MAX_SESSION_ID_LENGTH 32
77#define TLS_TICKET_KEY_SIZE 48 77#define TLS_TICKET_KEY_SIZE 48
78 78
79/* Error codes */
80#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
81#define TLS_ERROR_UNKNOWN 0x0000
82#define TLS_ERROR_OUT_OF_MEMORY 0x1000
83#endif
84
79struct tls; 85struct tls;
80struct tls_config; 86struct tls_config;
81 87
@@ -88,6 +94,10 @@ int tls_init(void);
88 94
89const char *tls_config_error(struct tls_config *_config); 95const char *tls_config_error(struct tls_config *_config);
90const char *tls_error(struct tls *_ctx); 96const char *tls_error(struct tls *_ctx);
97#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
98int tls_config_error_code(struct tls_config *_config);
99int tls_error_code(struct tls *_ctx);
100#endif
91 101
92struct tls_config *tls_config_new(void); 102struct tls_config *tls_config_new(void);
93void tls_config_free(struct tls_config *_config); 103void tls_config_free(struct tls_config *_config);
diff --git a/src/lib/libtls/tls_bio_cb.c b/src/lib/libtls/tls_bio_cb.c
index 8a1edfd5e4..56b9e12a71 100644
--- a/src/lib/libtls/tls_bio_cb.c
+++ b/src/lib/libtls/tls_bio_cb.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_bio_cb.c,v 1.21 2023/05/14 07:26:25 op Exp $ */ 1/* $OpenBSD: tls_bio_cb.c,v 1.22 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2016 Tobias Pape <tobias@netshed.de> 3 * Copyright (c) 2016 Tobias Pape <tobias@netshed.de>
4 * 4 *
@@ -143,7 +143,7 @@ tls_set_cbs(struct tls *ctx, tls_read_cb read_cb, tls_write_cb write_cb,
143 int rv = -1; 143 int rv = -1;
144 144
145 if (read_cb == NULL || write_cb == NULL) { 145 if (read_cb == NULL || write_cb == NULL) {
146 tls_set_errorx(ctx, "no callbacks provided"); 146 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "no callbacks provided");
147 goto err; 147 goto err;
148 } 148 }
149 149
@@ -152,11 +152,13 @@ tls_set_cbs(struct tls *ctx, tls_read_cb read_cb, tls_write_cb write_cb,
152 ctx->cb_arg = cb_arg; 152 ctx->cb_arg = cb_arg;
153 153
154 if ((bio_cb = bio_s_cb()) == NULL) { 154 if ((bio_cb = bio_s_cb()) == NULL) {
155 tls_set_errorx(ctx, "failed to create callback method"); 155 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
156 "failed to create callback method");
156 goto err; 157 goto err;
157 } 158 }
158 if ((bio = BIO_new(bio_cb)) == NULL) { 159 if ((bio = BIO_new(bio_cb)) == NULL) {
159 tls_set_errorx(ctx, "failed to create callback i/o"); 160 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
161 "failed to create callback i/o");
160 goto err; 162 goto err;
161 } 163 }
162 BIO_set_data(bio, ctx); 164 BIO_set_data(bio, ctx);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index deb24ebc23..40ef9a02e2 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_client.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ 1/* $OpenBSD: tls_client.c,v 1.50 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -66,12 +66,12 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
66 int rv = -1, s = -1, ret; 66 int rv = -1, s = -1, ret;
67 67
68 if ((ctx->flags & TLS_CLIENT) == 0) { 68 if ((ctx->flags & TLS_CLIENT) == 0) {
69 tls_set_errorx(ctx, "not a client context"); 69 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "not a client context");
70 goto err; 70 goto err;
71 } 71 }
72 72
73 if (host == NULL) { 73 if (host == NULL) {
74 tls_set_errorx(ctx, "host not specified"); 74 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "host not specified");
75 goto err; 75 goto err;
76 } 76 }
77 77
@@ -79,11 +79,11 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
79 if (port == NULL) { 79 if (port == NULL) {
80 ret = tls_host_port(host, &hs, &ps); 80 ret = tls_host_port(host, &hs, &ps);
81 if (ret == -1) { 81 if (ret == -1) {
82 tls_set_errorx(ctx, "memory allocation failure"); 82 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
83 goto err; 83 goto err;
84 } 84 }
85 if (ret != 0) { 85 if (ret != 0) {
86 tls_set_errorx(ctx, "no port provided"); 86 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "no port provided");
87 goto err; 87 goto err;
88 } 88 }
89 } 89 }
@@ -114,7 +114,8 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
114 hints.ai_family = AF_UNSPEC; 114 hints.ai_family = AF_UNSPEC;
115 hints.ai_flags = AI_ADDRCONFIG; 115 hints.ai_flags = AI_ADDRCONFIG;
116 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) { 116 if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
117 tls_set_error(ctx, "%s", gai_strerror(s)); 117 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
118 "%s", gai_strerror(s));
118 goto err; 119 goto err;
119 } 120 }
120 } 121 }
@@ -125,11 +126,13 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
125 for (res = res0; res; res = res->ai_next) { 126 for (res = res0; res; res = res->ai_next) {
126 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); 127 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
127 if (s == -1) { 128 if (s == -1) {
128 tls_set_error(ctx, "socket"); 129 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
130 "socket");
129 continue; 131 continue;
130 } 132 }
131 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) { 133 if (connect(s, res->ai_addr, res->ai_addrlen) == -1) {
132 tls_set_error(ctx, "connect"); 134 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
135 "connect");
133 close(s); 136 close(s);
134 s = -1; 137 s = -1;
135 continue; 138 continue;
@@ -174,11 +177,13 @@ tls_client_read_session(struct tls *ctx)
174 int rv = -1; 177 int rv = -1;
175 178
176 if (fstat(sfd, &sb) == -1) { 179 if (fstat(sfd, &sb) == -1) {
177 tls_set_error(ctx, "failed to stat session file"); 180 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
181 "failed to stat session file");
178 goto err; 182 goto err;
179 } 183 }
180 if (sb.st_size < 0 || sb.st_size > INT_MAX) { 184 if (sb.st_size < 0 || sb.st_size > INT_MAX) {
181 tls_set_errorx(ctx, "invalid session file size"); 185 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
186 "invalid session file size");
182 goto err; 187 goto err;
183 } 188 }
184 session_len = (size_t)sb.st_size; 189 session_len = (size_t)sb.st_size;
@@ -192,19 +197,22 @@ tls_client_read_session(struct tls *ctx)
192 197
193 n = pread(sfd, session, session_len, 0); 198 n = pread(sfd, session, session_len, 0);
194 if (n < 0 || (size_t)n != session_len) { 199 if (n < 0 || (size_t)n != session_len) {
195 tls_set_error(ctx, "failed to read session file"); 200 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
201 "failed to read session file");
196 goto err; 202 goto err;
197 } 203 }
198 if ((bio = BIO_new_mem_buf(session, session_len)) == NULL) 204 if ((bio = BIO_new_mem_buf(session, session_len)) == NULL)
199 goto err; 205 goto err;
200 if ((ss = PEM_read_bio_SSL_SESSION(bio, NULL, tls_password_cb, 206 if ((ss = PEM_read_bio_SSL_SESSION(bio, NULL, tls_password_cb,
201 NULL)) == NULL) { 207 NULL)) == NULL) {
202 tls_set_errorx(ctx, "failed to parse session"); 208 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
209 "failed to parse session");
203 goto err; 210 goto err;
204 } 211 }
205 212
206 if (SSL_set_session(ctx->ssl_conn, ss) != 1) { 213 if (SSL_set_session(ctx->ssl_conn, ss) != 1) {
207 tls_set_errorx(ctx, "failed to set session"); 214 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
215 "failed to set session");
208 goto err; 216 goto err;
209 } 217 }
210 218
@@ -234,7 +242,8 @@ tls_client_write_session(struct tls *ctx)
234 242
235 if ((ss = SSL_get1_session(ctx->ssl_conn)) == NULL) { 243 if ((ss = SSL_get1_session(ctx->ssl_conn)) == NULL) {
236 if (ftruncate(sfd, 0) == -1) { 244 if (ftruncate(sfd, 0) == -1) {
237 tls_set_error(ctx, "failed to truncate session file"); 245 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
246 "failed to truncate session file");
238 goto err; 247 goto err;
239 } 248 }
240 goto done; 249 goto done;
@@ -251,12 +260,14 @@ tls_client_write_session(struct tls *ctx)
251 offset = 0; 260 offset = 0;
252 261
253 if (ftruncate(sfd, len) == -1) { 262 if (ftruncate(sfd, len) == -1) {
254 tls_set_error(ctx, "failed to truncate session file"); 263 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
264 "failed to truncate session file");
255 goto err; 265 goto err;
256 } 266 }
257 while (len > 0) { 267 while (len > 0) {
258 if ((n = pwrite(sfd, data + offset, len, offset)) == -1) { 268 if ((n = pwrite(sfd, data + offset, len, offset)) == -1) {
259 tls_set_error(ctx, "failed to write session file"); 269 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
270 "failed to write session file");
260 goto err; 271 goto err;
261 } 272 }
262 offset += n; 273 offset += n;
@@ -281,13 +292,14 @@ tls_connect_common(struct tls *ctx, const char *servername)
281 int rv = -1; 292 int rv = -1;
282 293
283 if ((ctx->flags & TLS_CLIENT) == 0) { 294 if ((ctx->flags & TLS_CLIENT) == 0) {
284 tls_set_errorx(ctx, "not a client context"); 295 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "not a client context");
285 goto err; 296 goto err;
286 } 297 }
287 298
288 if (servername != NULL) { 299 if (servername != NULL) {
289 if ((ctx->servername = strdup(servername)) == NULL) { 300 if ((ctx->servername = strdup(servername)) == NULL) {
290 tls_set_errorx(ctx, "out of memory"); 301 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY,
302 "out of memory");
291 goto err; 303 goto err;
292 } 304 }
293 305
@@ -304,7 +316,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
304 } 316 }
305 317
306 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { 318 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
307 tls_set_errorx(ctx, "ssl context failure"); 319 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl context failure");
308 goto err; 320 goto err;
309 } 321 }
310 322
@@ -317,7 +329,8 @@ tls_connect_common(struct tls *ctx, const char *servername)
317 329
318 if (ctx->config->verify_name) { 330 if (ctx->config->verify_name) {
319 if (ctx->servername == NULL) { 331 if (ctx->servername == NULL) {
320 tls_set_errorx(ctx, "server name not specified"); 332 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
333 "server name not specified");
321 goto err; 334 goto err;
322 } 335 }
323 } 336 }
@@ -328,23 +341,26 @@ tls_connect_common(struct tls *ctx, const char *servername)
328 if (ctx->config->ecdhecurves != NULL) { 341 if (ctx->config->ecdhecurves != NULL) {
329 if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves, 342 if (SSL_CTX_set1_groups(ctx->ssl_ctx, ctx->config->ecdhecurves,
330 ctx->config->ecdhecurves_len) != 1) { 343 ctx->config->ecdhecurves_len) != 1) {
331 tls_set_errorx(ctx, "failed to set ecdhe curves"); 344 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
345 "failed to set ecdhe curves");
332 goto err; 346 goto err;
333 } 347 }
334 } 348 }
335 349
336 if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { 350 if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
337 tls_set_errorx(ctx, "ssl OCSP verification setup failure"); 351 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
352 "ssl OCSP verification setup failure");
338 goto err; 353 goto err;
339 } 354 }
340 355
341 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 356 if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
342 tls_set_errorx(ctx, "ssl connection failure"); 357 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl connection failure");
343 goto err; 358 goto err;
344 } 359 }
345 360
346 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) { 361 if (SSL_set_app_data(ctx->ssl_conn, ctx) != 1) {
347 tls_set_errorx(ctx, "ssl application data failure"); 362 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
363 "ssl application data failure");
348 goto err; 364 goto err;
349 } 365 }
350 366
@@ -355,7 +371,8 @@ tls_connect_common(struct tls *ctx, const char *servername)
355 } 371 }
356 372
357 if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) { 373 if (SSL_set_tlsext_status_type(ctx->ssl_conn, TLSEXT_STATUSTYPE_ocsp) != 1) {
358 tls_set_errorx(ctx, "ssl OCSP extension setup failure"); 374 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
375 "ssl OCSP extension setup failure");
359 goto err; 376 goto err;
360 } 377 }
361 378
@@ -368,7 +385,8 @@ tls_connect_common(struct tls *ctx, const char *servername)
368 inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) { 385 inet_pton(AF_INET6, ctx->servername, &addrbuf) != 1) {
369 if (SSL_set_tlsext_host_name(ctx->ssl_conn, 386 if (SSL_set_tlsext_host_name(ctx->ssl_conn,
370 ctx->servername) == 0) { 387 ctx->servername) == 0) {
371 tls_set_errorx(ctx, "server name indication failure"); 388 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
389 "server name indication failure");
372 goto err; 390 goto err;
373 } 391 }
374 } 392 }
@@ -393,7 +411,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
393 int rv = -1; 411 int rv = -1;
394 412
395 if (fd_read < 0 || fd_write < 0) { 413 if (fd_read < 0 || fd_write < 0) {
396 tls_set_errorx(ctx, "invalid file descriptors"); 414 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "invalid file descriptors");
397 goto err; 415 goto err;
398 } 416 }
399 417
@@ -402,7 +420,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
402 420
403 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 || 421 if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
404 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) { 422 SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
405 tls_set_errorx(ctx, "ssl file descriptor failure"); 423 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
424 "ssl file descriptor failure");
406 goto err; 425 goto err;
407 } 426 }
408 427
@@ -437,12 +456,12 @@ tls_handshake_client(struct tls *ctx)
437 int rv = -1; 456 int rv = -1;
438 457
439 if ((ctx->flags & TLS_CLIENT) == 0) { 458 if ((ctx->flags & TLS_CLIENT) == 0) {
440 tls_set_errorx(ctx, "not a client context"); 459 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "not a client context");
441 goto err; 460 goto err;
442 } 461 }
443 462
444 if ((ctx->state & TLS_CONNECTED) == 0) { 463 if ((ctx->state & TLS_CONNECTED) == 0) {
445 tls_set_errorx(ctx, "context not connected"); 464 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "context not connected");
446 goto err; 465 goto err;
447 } 466 }
448 467
@@ -457,14 +476,16 @@ tls_handshake_client(struct tls *ctx)
457 if (ctx->config->verify_name) { 476 if (ctx->config->verify_name) {
458 cert = SSL_get_peer_certificate(ctx->ssl_conn); 477 cert = SSL_get_peer_certificate(ctx->ssl_conn);
459 if (cert == NULL) { 478 if (cert == NULL) {
460 tls_set_errorx(ctx, "no server certificate"); 479 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
480 "no server certificate");
461 goto err; 481 goto err;
462 } 482 }
463 if (tls_check_name(ctx, cert, ctx->servername, &match) == -1) 483 if (tls_check_name(ctx, cert, ctx->servername, &match) == -1)
464 goto err; 484 goto err;
465 if (!match) { 485 if (!match) {
466 tls_set_errorx(ctx, "name `%s' not present in" 486 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
467 " server certificate", ctx->servername); 487 "name `%s' not present in server certificate",
488 ctx->servername);
468 goto err; 489 goto err;
469 } 490 }
470 } 491 }
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 5eb5b69ac6..449071641b 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.67 2023/07/02 06:37:27 beck Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.68 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -50,12 +50,14 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
50 *len = 0; 50 *len = 0;
51 51
52 if ((fd = open(filename, O_RDONLY)) == -1) { 52 if ((fd = open(filename, O_RDONLY)) == -1) {
53 tls_error_set(error, "failed to open %s file '%s'", 53 tls_error_set(error, TLS_ERROR_UNKNOWN,
54 "failed to open %s file '%s'",
54 filetype, filename); 55 filetype, filename);
55 goto err; 56 goto err;
56 } 57 }
57 if (fstat(fd, &st) != 0) { 58 if (fstat(fd, &st) != 0) {
58 tls_error_set(error, "failed to stat %s file '%s'", 59 tls_error_set(error, TLS_ERROR_UNKNOWN,
60 "failed to stat %s file '%s'",
59 filetype, filename); 61 filetype, filename);
60 goto err; 62 goto err;
61 } 63 }
@@ -63,13 +65,15 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
63 goto err; 65 goto err;
64 *len = (size_t)st.st_size; 66 *len = (size_t)st.st_size;
65 if ((*buf = malloc(*len)) == NULL) { 67 if ((*buf = malloc(*len)) == NULL) {
66 tls_error_set(error, "failed to allocate buffer for " 68 tls_error_set(error, TLS_ERROR_UNKNOWN,
67 "%s file", filetype); 69 "failed to allocate buffer for %s file",
70 filetype);
68 goto err; 71 goto err;
69 } 72 }
70 n = read(fd, *buf, *len); 73 n = read(fd, *buf, *len);
71 if (n < 0 || (size_t)n != *len) { 74 if (n < 0 || (size_t)n != *len) {
72 tls_error_set(error, "failed to read %s file '%s'", 75 tls_error_set(error, TLS_ERROR_UNKNOWN,
76 "failed to read %s file '%s'",
73 filetype, filename); 77 filetype, filename);
74 goto err; 78 goto err;
75 } 79 }
@@ -203,6 +207,12 @@ tls_config_error(struct tls_config *config)
203 return config->error.msg; 207 return config->error.msg;
204} 208}
205 209
210int
211tls_config_error_code(struct tls_config *config)
212{
213 return config->error.code;
214}
215
206void 216void
207tls_config_clear_keys(struct tls_config *config) 217tls_config_clear_keys(struct tls_config *config)
208{ 218{
@@ -291,17 +301,19 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
291 *alpn_len = 0; 301 *alpn_len = 0;
292 302
293 if ((buf_len = strlen(alpn) + 1) > 65535) { 303 if ((buf_len = strlen(alpn) + 1) > 65535) {
294 tls_config_set_errorx(config, "alpn too large"); 304 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN, "alpn too large");
295 goto err; 305 goto err;
296 } 306 }
297 307
298 if ((buf = malloc(buf_len)) == NULL) { 308 if ((buf = malloc(buf_len)) == NULL) {
299 tls_config_set_errorx(config, "out of memory"); 309 tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
310 "out of memory");
300 goto err; 311 goto err;
301 } 312 }
302 313
303 if ((s = strdup(alpn)) == NULL) { 314 if ((s = strdup(alpn)) == NULL) {
304 tls_config_set_errorx(config, "out of memory"); 315 tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
316 "out of memory");
305 goto err; 317 goto err;
306 } 318 }
307 319
@@ -309,12 +321,12 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
309 q = s; 321 q = s;
310 while ((p = strsep(&q, ",")) != NULL) { 322 while ((p = strsep(&q, ",")) != NULL) {
311 if ((len = strlen(p)) == 0) { 323 if ((len = strlen(p)) == 0) {
312 tls_config_set_errorx(config, 324 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
313 "alpn protocol with zero length"); 325 "alpn protocol with zero length");
314 goto err; 326 goto err;
315 } 327 }
316 if (len > 255) { 328 if (len > 255) {
317 tls_config_set_errorx(config, 329 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
318 "alpn protocol too long"); 330 "alpn protocol too long");
319 goto err; 331 goto err;
320 } 332 }
@@ -484,11 +496,13 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
484 ciphers = TLS_CIPHERS_ALL; 496 ciphers = TLS_CIPHERS_ALL;
485 497
486 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { 498 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
487 tls_config_set_errorx(config, "out of memory"); 499 tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
500 "out of memory");
488 goto err; 501 goto err;
489 } 502 }
490 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { 503 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
491 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers); 504 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
505 "no ciphers for '%s'", ciphers);
492 goto err; 506 goto err;
493 } 507 }
494 508
@@ -526,7 +540,8 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
526 else if (strcasecmp(params, "legacy") == 0) 540 else if (strcasecmp(params, "legacy") == 0)
527 keylen = 1024; 541 keylen = 1024;
528 else { 542 else {
529 tls_config_set_errorx(config, "invalid dhe param '%s'", params); 543 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
544 "invalid dhe param '%s'", params);
530 return (-1); 545 return (-1);
531 } 546 }
532 547
@@ -543,8 +558,8 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *curve)
543 strcasecmp(curve, "auto") == 0) { 558 strcasecmp(curve, "auto") == 0) {
544 curve = TLS_ECDHE_CURVES; 559 curve = TLS_ECDHE_CURVES;
545 } else if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) { 560 } else if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) {
546 tls_config_set_errorx(config, "invalid ecdhe curve '%s'", 561 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
547 curve); 562 "invalid ecdhe curve '%s'", curve);
548 return (-1); 563 return (-1);
549 } 564 }
550 565
@@ -569,7 +584,8 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
569 curves = TLS_ECDHE_CURVES; 584 curves = TLS_ECDHE_CURVES;
570 585
571 if ((cs = strdup(curves)) == NULL) { 586 if ((cs = strdup(curves)) == NULL) {
572 tls_config_set_errorx(config, "out of memory"); 587 tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
588 "out of memory");
573 goto err; 589 goto err;
574 } 590 }
575 591
@@ -584,14 +600,15 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
584 if (nid == NID_undef) 600 if (nid == NID_undef)
585 nid = EC_curve_nist2nid(p); 601 nid = EC_curve_nist2nid(p);
586 if (nid == NID_undef) { 602 if (nid == NID_undef) {
587 tls_config_set_errorx(config, 603 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
588 "invalid ecdhe curve '%s'", p); 604 "invalid ecdhe curve '%s'", p);
589 goto err; 605 goto err;
590 } 606 }
591 607
592 if ((curves_new = reallocarray(curves_list, curves_num + 1, 608 if ((curves_new = reallocarray(curves_list, curves_num + 1,
593 sizeof(int))) == NULL) { 609 sizeof(int))) == NULL) {
594 tls_config_set_errorx(config, "out of memory"); 610 tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
611 "out of memory");
595 goto err; 612 goto err;
596 } 613 }
597 curves_list = curves_new; 614 curves_list = curves_new;
@@ -712,24 +729,26 @@ tls_config_set_session_fd(struct tls_config *config, int session_fd)
712 } 729 }
713 730
714 if (fstat(session_fd, &sb) == -1) { 731 if (fstat(session_fd, &sb) == -1) {
715 tls_config_set_error(config, "failed to stat session file"); 732 tls_config_set_error(config, TLS_ERROR_UNKNOWN,
733 "failed to stat session file");
716 return (-1); 734 return (-1);
717 } 735 }
718 if (!S_ISREG(sb.st_mode)) { 736 if (!S_ISREG(sb.st_mode)) {
719 tls_config_set_errorx(config, 737 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
720 "session file is not a regular file"); 738 "session file is not a regular file");
721 return (-1); 739 return (-1);
722 } 740 }
723 741
724 if (sb.st_uid != getuid()) { 742 if (sb.st_uid != getuid()) {
725 tls_config_set_errorx(config, "session file has incorrect " 743 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
726 "owner (uid %u != %u)", sb.st_uid, getuid()); 744 "session file has incorrect owner (uid %u != %u)",
745 sb.st_uid, getuid());
727 return (-1); 746 return (-1);
728 } 747 }
729 mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO); 748 mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
730 if (mugo != (S_IRUSR|S_IWUSR)) { 749 if (mugo != (S_IRUSR|S_IWUSR)) {
731 tls_config_set_errorx(config, "session file has incorrect " 750 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
732 "permissions (%o != 600)", mugo); 751 "session file has incorrect permissions (%o != 600)", mugo);
733 return (-1); 752 return (-1);
734 } 753 }
735 754
@@ -846,7 +865,8 @@ tls_config_set_session_id(struct tls_config *config,
846 const unsigned char *session_id, size_t len) 865 const unsigned char *session_id, size_t len)
847{ 866{
848 if (len > TLS_MAX_SESSION_ID_LENGTH) { 867 if (len > TLS_MAX_SESSION_ID_LENGTH) {
849 tls_config_set_errorx(config, "session ID too large"); 868 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
869 "session ID too large");
850 return (-1); 870 return (-1);
851 } 871 }
852 memset(config->session_id, 0, sizeof(config->session_id)); 872 memset(config->session_id, 0, sizeof(config->session_id));
@@ -858,11 +878,13 @@ int
858tls_config_set_session_lifetime(struct tls_config *config, int lifetime) 878tls_config_set_session_lifetime(struct tls_config *config, int lifetime)
859{ 879{
860 if (lifetime > TLS_MAX_SESSION_TIMEOUT) { 880 if (lifetime > TLS_MAX_SESSION_TIMEOUT) {
861 tls_config_set_errorx(config, "session lifetime too large"); 881 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
882 "session lifetime too large");
862 return (-1); 883 return (-1);
863 } 884 }
864 if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) { 885 if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) {
865 tls_config_set_errorx(config, "session lifetime too small"); 886 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
887 "session lifetime too small");
866 return (-1); 888 return (-1);
867 } 889 }
868 890
@@ -879,7 +901,7 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
879 901
880 if (TLS_TICKET_KEY_SIZE != keylen || 902 if (TLS_TICKET_KEY_SIZE != keylen ||
881 sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) { 903 sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) {
882 tls_config_set_errorx(config, 904 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
883 "wrong amount of ticket key data"); 905 "wrong amount of ticket key data");
884 return (-1); 906 return (-1);
885 } 907 }
@@ -903,7 +925,8 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
903 sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key, 925 sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key,
904 tk->hmac_key, sizeof(tk->hmac_key)) == 0) 926 tk->hmac_key, sizeof(tk->hmac_key)) == 0)
905 return (0); 927 return (0);
906 tls_config_set_errorx(config, "ticket key already present"); 928 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
929 "ticket key already present");
907 return (-1); 930 return (-1);
908 } 931 }
909 932
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 08f8714ecd..bc15b85eaf 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */ 1/* $OpenBSD: tls_conninfo.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2015 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -79,7 +79,7 @@ tls_get_peer_cert_hash(struct tls *ctx, char **hash)
79 return (0); 79 return (0);
80 80
81 if (tls_cert_hash(ctx->ssl_peer_cert, hash) == -1) { 81 if (tls_cert_hash(ctx->ssl_peer_cert, hash) == -1) {
82 tls_set_errorx(ctx, "unable to compute peer certificate hash - out of memory"); 82 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory")y
83 *hash = NULL; 83 *hash = NULL;
84 return -1; 84 return -1;
85 } 85 }
@@ -245,7 +245,7 @@ tls_conninfo_populate(struct tls *ctx)
245 tls_conninfo_free(ctx->conninfo); 245 tls_conninfo_free(ctx->conninfo);
246 246
247 if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) { 247 if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) {
248 tls_set_errorx(ctx, "out of memory"); 248 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
249 goto err; 249 goto err;
250 } 250 }
251 251
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index c06e8218f6..5ff48ed7c9 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.84 2024/03/26 00:50:22 joshua Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.85 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -46,6 +46,7 @@ union tls_addr {
46 46
47struct tls_error { 47struct tls_error {
48 char *msg; 48 char *msg;
49 int code;
49 int errno_value; 50 int errno_value;
50 int tls; 51 int tls;
51}; 52};
@@ -258,27 +259,27 @@ int tls_set_cbs(struct tls *ctx,
258 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg); 259 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
259 260
260void tls_error_clear(struct tls_error *error); 261void tls_error_clear(struct tls_error *error);
261int tls_error_set(struct tls_error *error, const char *fmt, ...) 262int tls_error_set(struct tls_error *error, int code, const char *fmt, ...)
262 __attribute__((__format__ (printf, 2, 3))) 263 __attribute__((__format__ (printf, 3, 4)))
263 __attribute__((__nonnull__ (2))); 264 __attribute__((__nonnull__ (3)));
264int tls_error_setx(struct tls_error *error, const char *fmt, ...) 265int tls_error_setx(struct tls_error *error, int code, const char *fmt, ...)
265 __attribute__((__format__ (printf, 2, 3))) 266 __attribute__((__format__ (printf, 3, 4)))
266 __attribute__((__nonnull__ (2))); 267 __attribute__((__nonnull__ (3)));
267int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...) 268int tls_config_set_error(struct tls_config *cfg, int code, const char *fmt, ...)
268 __attribute__((__format__ (printf, 2, 3))) 269 __attribute__((__format__ (printf, 3, 4)))
269 __attribute__((__nonnull__ (2))); 270 __attribute__((__nonnull__ (3)));
270int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...) 271int tls_config_set_errorx(struct tls_config *cfg, int code, const char *fmt, ...)
271 __attribute__((__format__ (printf, 2, 3))) 272 __attribute__((__format__ (printf, 3, 4)))
272 __attribute__((__nonnull__ (2))); 273 __attribute__((__nonnull__ (3)));
273int tls_set_error(struct tls *ctx, const char *fmt, ...) 274int tls_set_error(struct tls *ctx, int code, const char *fmt, ...)
274 __attribute__((__format__ (printf, 2, 3))) 275 __attribute__((__format__ (printf, 3, 4)))
275 __attribute__((__nonnull__ (2))); 276 __attribute__((__nonnull__ (3)));
276int tls_set_errorx(struct tls *ctx, const char *fmt, ...) 277int tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...)
277 __attribute__((__format__ (printf, 2, 3))) 278 __attribute__((__format__ (printf, 3, 4)))
278 __attribute__((__nonnull__ (2))); 279 __attribute__((__nonnull__ (3)));
279int tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) 280int tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...)
280 __attribute__((__format__ (printf, 2, 3))) 281 __attribute__((__format__ (printf, 3, 4)))
281 __attribute__((__nonnull__ (2))); 282 __attribute__((__nonnull__ (3)));
282 283
283int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, 284int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
284 const char *prefix); 285 const char *prefix);
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index a12d21d0da..ffda91df8e 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_keypair.c,v 1.8 2021/01/05 17:37:12 jsing Exp $ */ 1/* $OpenBSD: tls_keypair.c,v 1.9 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -144,19 +144,22 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
144 *cert = NULL; 144 *cert = NULL;
145 145
146 if (keypair->cert_mem == NULL) { 146 if (keypair->cert_mem == NULL) {
147 tls_error_set(error, "keypair has no certificate"); 147 tls_error_set(error, TLS_ERROR_UNKNOWN,
148 "keypair has no certificate");
148 goto err; 149 goto err;
149 } 150 }
150 if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, 151 if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
151 keypair->cert_len)) == NULL) { 152 keypair->cert_len)) == NULL) {
152 tls_error_set(error, "failed to create certificate bio"); 153 tls_error_set(error, TLS_ERROR_UNKNOWN,
154 "failed to create certificate bio");
153 goto err; 155 goto err;
154 } 156 }
155 if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, 157 if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
156 NULL)) == NULL) { 158 NULL)) == NULL) {
157 if ((ssl_err = ERR_peek_error()) != 0) 159 if ((ssl_err = ERR_peek_error()) != 0)
158 errstr = ERR_error_string(ssl_err, NULL); 160 errstr = ERR_error_string(ssl_err, NULL);
159 tls_error_set(error, "failed to load certificate: %s", errstr); 161 tls_error_set(error, TLS_ERROR_UNKNOWN,
162 "failed to load certificate: %s", errstr);
160 goto err; 163 goto err;
161 } 164 }
162 165
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index f7d7ba9199..bfd06e3c6a 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */ 1/* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2015 Marko Kreen <markokr@gmail.com> 3 * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
4 * Copyright (c) 2016 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -85,7 +85,7 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
85 ctx->ocsp->ocsp_result = NULL; 85 ctx->ocsp->ocsp_result = NULL;
86 86
87 if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) { 87 if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) {
88 tls_set_error(ctx, "calloc"); 88 tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
89 return -1; 89 return -1;
90 } 90 }
91 info->response_status = response_status; 91 info->response_status = response_status;
@@ -102,19 +102,19 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
102 info->revocation_time = info->this_update = info->next_update = -1; 102 info->revocation_time = info->this_update = info->next_update = -1;
103 if (revtime != NULL && 103 if (revtime != NULL &&
104 tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { 104 tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
105 tls_set_error(ctx, 105 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
106 "unable to parse revocation time in OCSP reply"); 106 "unable to parse revocation time in OCSP reply");
107 goto err; 107 goto err;
108 } 108 }
109 if (thisupd != NULL && 109 if (thisupd != NULL &&
110 tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { 110 tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
111 tls_set_error(ctx, 111 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
112 "unable to parse this update time in OCSP reply"); 112 "unable to parse this update time in OCSP reply");
113 goto err; 113 goto err;
114 } 114 }
115 if (nextupd != NULL && 115 if (nextupd != NULL &&
116 tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { 116 tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
117 tls_set_error(ctx, 117 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
118 "unable to parse next update time in OCSP reply"); 118 "unable to parse next update time in OCSP reply");
119 goto err; 119 goto err;
120 } 120 }
@@ -180,19 +180,21 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
180 ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn); 180 ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
181 ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn); 181 ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
182 if (ocsp->main_cert == NULL) { 182 if (ocsp->main_cert == NULL) {
183 tls_set_errorx(ctx, "no peer certificate for OCSP"); 183 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
184 "no peer certificate for OCSP");
184 goto err; 185 goto err;
185 } 186 }
186 187
187 ocsp_urls = X509_get1_ocsp(ocsp->main_cert); 188 ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
188 if (ocsp_urls == NULL) { 189 if (ocsp_urls == NULL) {
189 tls_set_errorx(ctx, "no OCSP URLs in peer certificate"); 190 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
191 "no OCSP URLs in peer certificate");
190 goto err; 192 goto err;
191 } 193 }
192 194
193 ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0)); 195 ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
194 if (ocsp->ocsp_url == NULL) { 196 if (ocsp->ocsp_url == NULL) {
195 tls_set_errorx(ctx, "out of memory"); 197 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
196 goto err; 198 goto err;
197 } 199 }
198 200
@@ -217,7 +219,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
217 unsigned long flags; 219 unsigned long flags;
218 220
219 if ((br = OCSP_response_get1_basic(resp)) == NULL) { 221 if ((br = OCSP_response_get1_basic(resp)) == NULL) {
220 tls_set_errorx(ctx, "cannot load ocsp reply"); 222 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "cannot load ocsp reply");
221 goto err; 223 goto err;
222 } 224 }
223 225
@@ -230,14 +232,15 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
230 /* now verify */ 232 /* now verify */
231 if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, 233 if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
232 SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { 234 SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
233 tls_set_errorx(ctx, "ocsp verify failed"); 235 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ocsp verify failed");
234 goto err; 236 goto err;
235 } 237 }
236 238
237 /* signature OK, look inside */ 239 /* signature OK, look inside */
238 response_status = OCSP_response_status(resp); 240 response_status = OCSP_response_status(resp);
239 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 241 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
240 tls_set_errorx(ctx, "ocsp verify failed: response - %s", 242 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
243 "ocsp verify failed: response - %s",
241 OCSP_response_status_str(response_status)); 244 OCSP_response_status_str(response_status));
242 goto err; 245 goto err;
243 } 246 }
@@ -245,19 +248,21 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
245 cid = tls_ocsp_get_certid(ctx->ocsp->main_cert, 248 cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
246 ctx->ocsp->extra_certs, ctx->ssl_ctx); 249 ctx->ocsp->extra_certs, ctx->ssl_ctx);
247 if (cid == NULL) { 250 if (cid == NULL) {
248 tls_set_errorx(ctx, "ocsp verify failed: no issuer cert"); 251 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
252 "ocsp verify failed: no issuer cert");
249 goto err; 253 goto err;
250 } 254 }
251 255
252 if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, 256 if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
253 &revtime, &thisupd, &nextupd) != 1) { 257 &revtime, &thisupd, &nextupd) != 1) {
254 tls_set_errorx(ctx, "ocsp verify failed: no result for cert"); 258 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
259 "ocsp verify failed: no result for cert");
255 goto err; 260 goto err;
256 } 261 }
257 262
258 if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, 263 if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
259 MAXAGE_SEC) != 1) { 264 MAXAGE_SEC) != 1) {
260 tls_set_errorx(ctx, 265 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
261 "ocsp verify failed: ocsp response not current"); 266 "ocsp verify failed: ocsp response not current");
262 goto err; 267 goto err;
263 } 268 }
@@ -269,8 +274,9 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
269 /* finally can look at status */ 274 /* finally can look at status */
270 if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status != 275 if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
271 V_OCSP_CERTSTATUS_UNKNOWN) { 276 V_OCSP_CERTSTATUS_UNKNOWN) {
272 tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s", 277 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
273 OCSP_crl_reason_str(crl_reason)); 278 "ocsp verify failed: revoked cert - %s",
279 OCSP_crl_reason_str(crl_reason));
274 goto err; 280 goto err;
275 } 281 }
276 ret = 0; 282 ret = 0;
@@ -298,7 +304,8 @@ tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *respons
298 if (resp == NULL) { 304 if (resp == NULL) {
299 tls_ocsp_free(ctx->ocsp); 305 tls_ocsp_free(ctx->ocsp);
300 ctx->ocsp = NULL; 306 ctx->ocsp = NULL;
301 tls_set_error(ctx, "unable to parse OCSP response"); 307 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
308 "unable to parse OCSP response");
302 return -1; 309 return -1;
303 } 310 }
304 ret = tls_ocsp_verify_response(ctx, resp); 311 ret = tls_ocsp_verify_response(ctx, resp);
@@ -320,7 +327,8 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
320 size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw); 327 size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
321 if (size <= 0) { 328 if (size <= 0) {
322 if (ctx->config->ocsp_require_stapling) { 329 if (ctx->config->ocsp_require_stapling) {
323 tls_set_errorx(ctx, "no stapled OCSP response provided"); 330 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
331 "no stapled OCSP response provided");
324 return 0; 332 return 0;
325 } 333 }
326 return 1; 334 return 1;
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 5f93c7a035..a42985744b 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.50 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -181,7 +181,8 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
181 /* create new session */ 181 /* create new session */
182 key = tls_server_ticket_key(tls_ctx->config, NULL); 182 key = tls_server_ticket_key(tls_ctx->config, NULL);
183 if (key == NULL) { 183 if (key == NULL) {
184 tls_set_errorx(tls_ctx, "no valid ticket key found"); 184 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
185 "no valid ticket key found");
185 return (-1); 186 return (-1);
186 } 187 }
187 188
@@ -189,12 +190,14 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
189 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 190 arc4random_buf(iv, EVP_MAX_IV_LENGTH);
190 if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 191 if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
191 key->aes_key, iv)) { 192 key->aes_key, iv)) {
192 tls_set_errorx(tls_ctx, "failed to init encrypt"); 193 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
194 "failed to init encrypt");
193 return (-1); 195 return (-1);
194 } 196 }
195 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 197 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
196 EVP_sha256(), NULL)) { 198 EVP_sha256(), NULL)) {
197 tls_set_errorx(tls_ctx, "failed to init hmac"); 199 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
200 "failed to init hmac");
198 return (-1); 201 return (-1);
199 } 202 }
200 return (0); 203 return (0);
@@ -206,12 +209,14 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
206 209
207 if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 210 if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
208 key->aes_key, iv)) { 211 key->aes_key, iv)) {
209 tls_set_errorx(tls_ctx, "failed to init decrypt"); 212 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
213 "failed to init decrypt");
210 return (-1); 214 return (-1);
211 } 215 }
212 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 216 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
213 EVP_sha256(), NULL)) { 217 EVP_sha256(), NULL)) {
214 tls_set_errorx(tls_ctx, "failed to init hmac"); 218 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
219 "failed to init hmac");
215 return (-1); 220 return (-1);
216 } 221 }
217 222
@@ -229,7 +234,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
229 SSL_CTX_free(*ssl_ctx); 234 SSL_CTX_free(*ssl_ctx);
230 235
231 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 236 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
232 tls_set_errorx(ctx, "ssl context failure"); 237 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl context failure");
233 goto err; 238 goto err;
234 } 239 }
235 240
@@ -237,11 +242,13 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
237 242
238 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 243 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
239 tls_servername_cb) != 1) { 244 tls_servername_cb) != 1) {
240 tls_set_error(ctx, "failed to set servername callback"); 245 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
246 "failed to set servername callback");
241 goto err; 247 goto err;
242 } 248 }
243 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 249 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
244 tls_set_error(ctx, "failed to set servername callback arg"); 250 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
251 "failed to set servername callback arg");
245 goto err; 252 goto err;
246 } 253 }
247 254
@@ -270,7 +277,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
270 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 277 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
271 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves, 278 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
272 ctx->config->ecdhecurves_len) != 1) { 279 ctx->config->ecdhecurves_len) != 1) {
273 tls_set_errorx(ctx, "failed to set ecdhe curves"); 280 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
281 "failed to set ecdhe curves");
274 goto err; 282 goto err;
275 } 283 }
276 } 284 }
@@ -279,7 +287,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
279 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 287 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
280 288
281 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) { 289 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
282 tls_set_errorx(ctx, "failed to add OCSP stapling callback"); 290 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
291 "failed to add OCSP stapling callback");
283 goto err; 292 goto err;
284 } 293 }
285 294
@@ -289,7 +298,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
289 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET); 298 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
290 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx, 299 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
291 tls_server_ticket_cb)) { 300 tls_server_ticket_cb)) {
292 tls_set_error(ctx, 301 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
293 "failed to set the TLS ticket callback"); 302 "failed to set the TLS ticket callback");
294 goto err; 303 goto err;
295 } 304 }
@@ -297,7 +306,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
297 306
298 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id, 307 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
299 sizeof(ctx->config->session_id)) != 1) { 308 sizeof(ctx->config->session_id)) != 1) {
300 tls_set_error(ctx, "failed to set session id context"); 309 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
310 "failed to set session id context");
301 goto err; 311 goto err;
302 } 312 }
303 313
@@ -323,7 +333,7 @@ tls_configure_server_sni(struct tls *ctx)
323 sni_ctx = &ctx->sni_ctx; 333 sni_ctx = &ctx->sni_ctx;
324 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 334 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
325 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 335 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
326 tls_set_errorx(ctx, "out of memory"); 336 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
327 goto err; 337 goto err;
328 } 338 }
329 (*sni_ctx)->keypair = kp; 339 (*sni_ctx)->keypair = kp;
@@ -362,22 +372,24 @@ tls_accept_common(struct tls *ctx)
362 struct tls *conn_ctx = NULL; 372 struct tls *conn_ctx = NULL;
363 373
364 if ((ctx->flags & TLS_SERVER) == 0) { 374 if ((ctx->flags & TLS_SERVER) == 0) {
365 tls_set_errorx(ctx, "not a server context"); 375 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "not a server context");
366 goto err; 376 goto err;
367 } 377 }
368 378
369 if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 379 if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
370 tls_set_errorx(ctx, "connection context failure"); 380 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
381 "connection context failure");
371 goto err; 382 goto err;
372 } 383 }
373 384
374 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 385 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
375 tls_set_errorx(ctx, "ssl failure"); 386 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl failure");
376 goto err; 387 goto err;
377 } 388 }
378 389
379 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 390 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
380 tls_set_errorx(ctx, "ssl application data failure"); 391 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
392 "ssl application data failure");
381 goto err; 393 goto err;
382 } 394 }
383 395
@@ -405,7 +417,8 @@ tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
405 417
406 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 418 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
407 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 419 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
408 tls_set_errorx(ctx, "ssl file descriptor failure"); 420 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
421 "ssl file descriptor failure");
409 goto err; 422 goto err;
410 } 423 }
411 424
@@ -448,7 +461,8 @@ tls_handshake_server(struct tls *ctx)
448 int rv = -1; 461 int rv = -1;
449 462
450 if ((ctx->flags & TLS_SERVER_CONN) == 0) { 463 if ((ctx->flags & TLS_SERVER_CONN) == 0) {
451 tls_set_errorx(ctx, "not a server connection context"); 464 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
465 "not a server connection context");
452 goto err; 466 goto err;
453 } 467 }
454 468
diff --git a/src/lib/libtls/tls_signer.c b/src/lib/libtls/tls_signer.c
index 177c9d07a4..5eb3707454 100644
--- a/src/lib/libtls/tls_signer.c
+++ b/src/lib/libtls/tls_signer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_signer.c,v 1.9 2023/06/18 19:12:58 tb Exp $ */ 1/* $OpenBSD: tls_signer.c,v 1.10 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2021 Eric Faurot <eric@openbsd.org> 3 * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
4 * 4 *
@@ -91,7 +91,7 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
91 91
92 /* Compute certificate hash */ 92 /* Compute certificate hash */
93 if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) { 93 if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) {
94 tls_error_setx(&signer->error, 94 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
95 "failed to create certificate bio"); 95 "failed to create certificate bio");
96 goto err; 96 goto err;
97 } 97 }
@@ -99,12 +99,12 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
99 NULL)) == NULL) { 99 NULL)) == NULL) {
100 if ((ssl_err = ERR_peek_error()) != 0) 100 if ((ssl_err = ERR_peek_error()) != 0)
101 errstr = ERR_error_string(ssl_err, NULL); 101 errstr = ERR_error_string(ssl_err, NULL);
102 tls_error_setx(&signer->error, "failed to load certificate: %s", 102 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
103 errstr); 103 "failed to load certificate: %s", errstr);
104 goto err; 104 goto err;
105 } 105 }
106 if (tls_cert_pubkey_hash(x509, &hash) == -1) { 106 if (tls_cert_pubkey_hash(x509, &hash) == -1) {
107 tls_error_setx(&signer->error, 107 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
108 "failed to get certificate hash"); 108 "failed to get certificate hash");
109 goto err; 109 goto err;
110 } 110 }
@@ -116,23 +116,27 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
116 116
117 /* Read private key */ 117 /* Read private key */
118 if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) { 118 if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) {
119 tls_error_setx(&signer->error, "failed to create key bio"); 119 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
120 "failed to create key bio");
120 goto err; 121 goto err;
121 } 122 }
122 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, 123 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
123 NULL)) == NULL) { 124 NULL)) == NULL) {
124 tls_error_setx(&signer->error, "failed to read private key"); 125 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
126 "failed to read private key");
125 goto err; 127 goto err;
126 } 128 }
127 129
128 if ((skey = calloc(1, sizeof(*skey))) == NULL) { 130 if ((skey = calloc(1, sizeof(*skey))) == NULL) {
129 tls_error_set(&signer->error, "failed to create key entry"); 131 tls_error_set(&signer->error, TLS_ERROR_UNKNOWN,
132 "failed to create key entry");
130 goto err; 133 goto err;
131 } 134 }
132 skey->hash = hash; 135 skey->hash = hash;
133 if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL && 136 if ((skey->rsa = EVP_PKEY_get1_RSA(pkey)) == NULL &&
134 (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) { 137 (skey->ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) {
135 tls_error_setx(&signer->error, "unknown key type"); 138 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
139 "unknown key type");
136 goto err; 140 goto err;
137 } 141 }
138 142
@@ -194,29 +198,31 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
194 } else if (padding_type == TLS_PADDING_RSA_PKCS1) { 198 } else if (padding_type == TLS_PADDING_RSA_PKCS1) {
195 rsa_padding = RSA_PKCS1_PADDING; 199 rsa_padding = RSA_PKCS1_PADDING;
196 } else { 200 } else {
197 tls_error_setx(&signer->error, "invalid RSA padding type (%d)", 201 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
198 padding_type); 202 "invalid RSA padding type (%d)", padding_type);
199 return (-1); 203 return (-1);
200 } 204 }
201 205
202 if (input_len > INT_MAX) { 206 if (input_len > INT_MAX) {
203 tls_error_setx(&signer->error, "input too large"); 207 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
208 "input too large");
204 return (-1); 209 return (-1);
205 } 210 }
206 if ((rsa_size = RSA_size(skey->rsa)) <= 0) { 211 if ((rsa_size = RSA_size(skey->rsa)) <= 0) {
207 tls_error_setx(&signer->error, "invalid RSA size: %d", 212 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
208 rsa_size); 213 "invalid RSA size: %d", rsa_size);
209 return (-1); 214 return (-1);
210 } 215 }
211 if ((signature = calloc(1, rsa_size)) == NULL) { 216 if ((signature = calloc(1, rsa_size)) == NULL) {
212 tls_error_set(&signer->error, "RSA signature"); 217 tls_error_set(&signer->error, TLS_ERROR_UNKNOWN, "RSA signature");
213 return (-1); 218 return (-1);
214 } 219 }
215 220
216 if ((signature_len = RSA_private_encrypt((int)input_len, input, 221 if ((signature_len = RSA_private_encrypt((int)input_len, input,
217 signature, skey->rsa, rsa_padding)) <= 0) { 222 signature, skey->rsa, rsa_padding)) <= 0) {
218 /* XXX - include further details from libcrypto. */ 223 /* XXX - include further details from libcrypto. */
219 tls_error_setx(&signer->error, "RSA signing failed"); 224 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
225 "RSA signing failed");
220 free(signature); 226 free(signature);
221 return (-1); 227 return (-1);
222 } 228 }
@@ -239,28 +245,32 @@ tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey,
239 *out_signature_len = 0; 245 *out_signature_len = 0;
240 246
241 if (padding_type != TLS_PADDING_NONE) { 247 if (padding_type != TLS_PADDING_NONE) {
242 tls_error_setx(&signer->error, "invalid ECDSA padding"); 248 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
249 "invalid ECDSA padding");
243 return (-1); 250 return (-1);
244 } 251 }
245 252
246 if (input_len > INT_MAX) { 253 if (input_len > INT_MAX) {
247 tls_error_setx(&signer->error, "digest too large"); 254 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
255 "digest too large");
248 return (-1); 256 return (-1);
249 } 257 }
250 if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) { 258 if ((signature_len = ECDSA_size(skey->ecdsa)) <= 0) {
251 tls_error_setx(&signer->error, "invalid ECDSA size: %d", 259 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
252 signature_len); 260 "invalid ECDSA size: %d", signature_len);
253 return (-1); 261 return (-1);
254 } 262 }
255 if ((signature = calloc(1, signature_len)) == NULL) { 263 if ((signature = calloc(1, signature_len)) == NULL) {
256 tls_error_set(&signer->error, "ECDSA signature"); 264 tls_error_set(&signer->error, TLS_ERROR_UNKNOWN,
265 "ECDSA signature");
257 return (-1); 266 return (-1);
258 } 267 }
259 268
260 if (!ECDSA_sign(0, input, input_len, signature, &signature_len, 269 if (!ECDSA_sign(0, input, input_len, signature, &signature_len,
261 skey->ecdsa)) { 270 skey->ecdsa)) {
262 /* XXX - include further details from libcrypto. */ 271 /* XXX - include further details from libcrypto. */
263 tls_error_setx(&signer->error, "ECDSA signing failed"); 272 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
273 "ECDSA signing failed");
264 free(signature); 274 free(signature);
265 return (-1); 275 return (-1);
266 } 276 }
@@ -286,7 +296,7 @@ tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash,
286 break; 296 break;
287 297
288 if (skey == NULL) { 298 if (skey == NULL) {
289 tls_error_setx(&signer->error, "key not found"); 299 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "key not found");
290 return (-1); 300 return (-1);
291 } 301 }
292 302
@@ -298,7 +308,7 @@ tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash,
298 return tls_sign_ecdsa(signer, skey, input, input_len, 308 return tls_sign_ecdsa(signer, skey, input, input_len,
299 padding_type, out_signature, out_signature_len); 309 padding_type, out_signature, out_signature_len);
300 310
301 tls_error_setx(&signer->error, "unknown key type"); 311 tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN, "unknown key type");
302 312
303 return (-1); 313 return (-1);
304} 314}
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index a35ebe0252..78f6c249cc 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.29 2023/11/22 18:23:09 op Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.30 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -102,7 +102,8 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
102 NULL); 102 NULL);
103 if (altname_stack == NULL) { 103 if (altname_stack == NULL) {
104 if (critical != -1) { 104 if (critical != -1) {
105 tls_set_errorx(ctx, "error decoding subjectAltName"); 105 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
106 "error decoding subjectAltName");
106 goto err; 107 goto err;
107 } 108 }
108 goto done; 109 goto done;
@@ -141,7 +142,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
141 len = ASN1_STRING_length(altname->d.dNSName); 142 len = ASN1_STRING_length(altname->d.dNSName);
142 143
143 if (len < 0 || (size_t)len != strlen(data)) { 144 if (len < 0 || (size_t)len != strlen(data)) {
144 tls_set_errorx(ctx, 145 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
145 "error verifying name '%s': " 146 "error verifying name '%s': "
146 "NUL byte in subjectAltName, " 147 "NUL byte in subjectAltName, "
147 "probably a malicious certificate", 148 "probably a malicious certificate",
@@ -155,7 +156,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
155 * dNSName must be rejected. 156 * dNSName must be rejected.
156 */ 157 */
157 if (strcmp(data, " ") == 0) { 158 if (strcmp(data, " ") == 0) {
158 tls_set_errorx(ctx, 159 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
159 "error verifying name '%s': " 160 "error verifying name '%s': "
160 "a dNSName of \" \" must not be " 161 "a dNSName of \" \" must not be "
161 "used", name); 162 "used", name);
@@ -182,7 +183,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
182 data = ASN1_STRING_get0_data(altname->d.iPAddress); 183 data = ASN1_STRING_get0_data(altname->d.iPAddress);
183 184
184 if (datalen < 0) { 185 if (datalen < 0) {
185 tls_set_errorx(ctx, 186 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
186 "Unexpected negative length for an " 187 "Unexpected negative length for an "
187 "IP address: %d", datalen); 188 "IP address: %d", datalen);
188 goto err; 189 goto err;
@@ -243,7 +244,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
243 * more than one CN fed to us in the subject, treating the 244 * more than one CN fed to us in the subject, treating the
244 * certificate as hostile. 245 * certificate as hostile.
245 */ 246 */
246 tls_set_errorx(ctx, "error verifying name '%s': " 247 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
248 "error verifying name '%s': "
247 "Certificate subject contains multiple Common Name fields, " 249 "Certificate subject contains multiple Common Name fields, "
248 "probably a malicious or malformed certificate", name); 250 "probably a malicious or malformed certificate", name);
249 goto err; 251 goto err;
@@ -255,7 +257,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
255 * Fail if we cannot encode the CN bytes as UTF-8. 257 * Fail if we cannot encode the CN bytes as UTF-8.
256 */ 258 */
257 if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) { 259 if ((common_name_len = ASN1_STRING_to_UTF8(&utf8_bytes, data)) < 0) {
258 tls_set_errorx(ctx, "error verifying name '%s': " 260 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
261 "error verifying name '%s': "
259 "Common Name field cannot be encoded as a UTF-8 string, " 262 "Common Name field cannot be encoded as a UTF-8 string, "
260 "probably a malicious certificate", name); 263 "probably a malicious certificate", name);
261 goto err; 264 goto err;
@@ -265,7 +268,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
265 * must be between 1 and 64 bytes long. 268 * must be between 1 and 64 bytes long.
266 */ 269 */
267 if (common_name_len < 1 || common_name_len > 64) { 270 if (common_name_len < 1 || common_name_len > 64) {
268 tls_set_errorx(ctx, "error verifying name '%s': " 271 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
272 "error verifying name '%s': "
269 "Common Name field has invalid length, " 273 "Common Name field has invalid length, "
270 "probably a malicious certificate", name); 274 "probably a malicious certificate", name);
271 goto err; 275 goto err;
@@ -274,7 +278,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
274 * Fail if the resulting text contains a NUL byte. 278 * Fail if the resulting text contains a NUL byte.
275 */ 279 */
276 if (memchr(utf8_bytes, 0, common_name_len) != NULL) { 280 if (memchr(utf8_bytes, 0, common_name_len) != NULL) {
277 tls_set_errorx(ctx, "error verifying name '%s': " 281 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
282 "error verifying name '%s': "
278 "NUL byte in Common Name field, " 283 "NUL byte in Common Name field, "
279 "probably a malicious certificate", name); 284 "probably a malicious certificate", name);
280 goto err; 285 goto err;
@@ -282,7 +287,8 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
282 287
283 common_name = strndup(utf8_bytes, common_name_len); 288 common_name = strndup(utf8_bytes, common_name_len);
284 if (common_name == NULL) { 289 if (common_name == NULL) {
285 tls_set_error(ctx, "out of memory"); 290 tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY,
291 "out of memory");
286 goto err; 292 goto err;
287 } 293 }
288 294
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-03 03:39:45 +0000