summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls.c152
1 files changed, 96 insertions, 56 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 58245009d7..8433f556bf 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.100 2024/03/26 01:15:57 joshua Exp $ */ 1/* $OpenBSD: tls.c,v 1.101 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -72,23 +72,32 @@ tls_error(struct tls *ctx)
72 return ctx->error.msg; 72 return ctx->error.msg;
73} 73}
74 74
75int
76tls_error_code(struct tls *ctx)
77{
78 return ctx->error.code;
79}
80
75void 81void
76tls_error_clear(struct tls_error *error) 82tls_error_clear(struct tls_error *error)
77{ 83{
78 free(error->msg); 84 free(error->msg);
79 error->msg = NULL; 85 error->msg = NULL;
86 error->code = TLS_ERROR_UNKNOWN;
80 error->errno_value = 0; 87 error->errno_value = 0;
81 error->tls = 0; 88 error->tls = 0;
82} 89}
83 90
84static int 91static int
85tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_list ap) 92tls_error_vset(struct tls_error *error, int code, int errno_value,
93 const char *fmt, va_list ap)
86{ 94{
87 char *errmsg = NULL; 95 char *errmsg = NULL;
88 int rv = -1; 96 int rv = -1;
89 97
90 tls_error_clear(error); 98 tls_error_clear(error);
91 99
100 error->code = code;
92 error->errno_value = errno_value; 101 error->errno_value = errno_value;
93 error->tls = 1; 102 error->tls = 1;
94 103
@@ -115,7 +124,7 @@ tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_lis
115} 124}
116 125
117int 126int
118tls_error_set(struct tls_error *error, const char *fmt, ...) 127tls_error_set(struct tls_error *error, int code, const char *fmt, ...)
119{ 128{
120 va_list ap; 129 va_list ap;
121 int errno_value, rv; 130 int errno_value, rv;
@@ -123,27 +132,27 @@ tls_error_set(struct tls_error *error, const char *fmt, ...)
123 errno_value = errno; 132 errno_value = errno;
124 133
125 va_start(ap, fmt); 134 va_start(ap, fmt);
126 rv = tls_error_vset(error, errno_value, fmt, ap); 135 rv = tls_error_vset(error, code, errno_value, fmt, ap);
127 va_end(ap); 136 va_end(ap);
128 137
129 return (rv); 138 return (rv);
130} 139}
131 140
132int 141int
133tls_error_setx(struct tls_error *error, const char *fmt, ...) 142tls_error_setx(struct tls_error *error, int code, const char *fmt, ...)
134{ 143{
135 va_list ap; 144 va_list ap;
136 int rv; 145 int rv;
137 146
138 va_start(ap, fmt); 147 va_start(ap, fmt);
139 rv = tls_error_vset(error, -1, fmt, ap); 148 rv = tls_error_vset(error, code, -1, fmt, ap);
140 va_end(ap); 149 va_end(ap);
141 150
142 return (rv); 151 return (rv);
143} 152}
144 153
145int 154int
146tls_config_set_error(struct tls_config *config, const char *fmt, ...) 155tls_config_set_error(struct tls_config *config, int code, const char *fmt, ...)
147{ 156{
148 va_list ap; 157 va_list ap;
149 int errno_value, rv; 158 int errno_value, rv;
@@ -151,27 +160,27 @@ tls_config_set_error(struct tls_config *config, const char *fmt, ...)
151 errno_value = errno; 160 errno_value = errno;
152 161
153 va_start(ap, fmt); 162 va_start(ap, fmt);
154 rv = tls_error_vset(&config->error, errno_value, fmt, ap); 163 rv = tls_error_vset(&config->error, code, errno_value, fmt, ap);
155 va_end(ap); 164 va_end(ap);
156 165
157 return (rv); 166 return (rv);
158} 167}
159 168
160int 169int
161tls_config_set_errorx(struct tls_config *config, const char *fmt, ...) 170tls_config_set_errorx(struct tls_config *config, int code, const char *fmt, ...)
162{ 171{
163 va_list ap; 172 va_list ap;
164 int rv; 173 int rv;
165 174
166 va_start(ap, fmt); 175 va_start(ap, fmt);
167 rv = tls_error_vset(&config->error, -1, fmt, ap); 176 rv = tls_error_vset(&config->error, code, -1, fmt, ap);
168 va_end(ap); 177 va_end(ap);
169 178
170 return (rv); 179 return (rv);
171} 180}
172 181
173int 182int
174tls_set_error(struct tls *ctx, const char *fmt, ...) 183tls_set_error(struct tls *ctx, int code, const char *fmt, ...)
175{ 184{
176 va_list ap; 185 va_list ap;
177 int errno_value, rv; 186 int errno_value, rv;
@@ -179,27 +188,27 @@ tls_set_error(struct tls *ctx, const char *fmt, ...)
179 errno_value = errno; 188 errno_value = errno;
180 189
181 va_start(ap, fmt); 190 va_start(ap, fmt);
182 rv = tls_error_vset(&ctx->error, errno_value, fmt, ap); 191 rv = tls_error_vset(&ctx->error, code, errno_value, fmt, ap);
183 va_end(ap); 192 va_end(ap);
184 193
185 return (rv); 194 return (rv);
186} 195}
187 196
188int 197int
189tls_set_errorx(struct tls *ctx, const char *fmt, ...) 198tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...)
190{ 199{
191 va_list ap; 200 va_list ap;
192 int rv; 201 int rv;
193 202
194 va_start(ap, fmt); 203 va_start(ap, fmt);
195 rv = tls_error_vset(&ctx->error, -1, fmt, ap); 204 rv = tls_error_vset(&ctx->error, code, -1, fmt, ap);
196 va_end(ap); 205 va_end(ap);
197 206
198 return (rv); 207 return (rv);
199} 208}
200 209
201int 210int
202tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) 211tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...)
203{ 212{
204 va_list ap; 213 va_list ap;
205 int rv; 214 int rv;
@@ -209,7 +218,7 @@ tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
209 return (0); 218 return (0);
210 219
211 va_start(ap, fmt); 220 va_start(ap, fmt);
212 rv = tls_error_vset(&ctx->error, -1, fmt, ap); 221 rv = tls_error_vset(&ctx->error, code, -1, fmt, ap);
213 va_end(ap); 222 va_end(ap);
214 223
215 return (rv); 224 return (rv);
@@ -350,31 +359,35 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
350 return (0); 359 return (0);
351 360
352 if (len > INT_MAX) { 361 if (len > INT_MAX) {
353 tls_set_errorx(ctx, ctx->config->use_fake_private_key ? 362 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
363 ctx->config->use_fake_private_key ?
354 "cert too long" : "key too long"); 364 "cert too long" : "key too long");
355 goto err; 365 goto err;
356 } 366 }
357 367
358 if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { 368 if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
359 tls_set_errorx(ctx, "failed to create buffer"); 369 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to create buffer");
360 goto err; 370 goto err;
361 } 371 }
362 372
363 if (ctx->config->use_fake_private_key) { 373 if (ctx->config->use_fake_private_key) {
364 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, 374 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
365 NULL)) == NULL) { 375 NULL)) == NULL) {
366 tls_set_errorx(ctx, "failed to read X509 certificate"); 376 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
377 "failed to read X509 certificate");
367 goto err; 378 goto err;
368 } 379 }
369 if ((*pkey = X509_get_pubkey(x509)) == NULL) { 380 if ((*pkey = X509_get_pubkey(x509)) == NULL) {
370 tls_set_errorx(ctx, "failed to retrieve pubkey"); 381 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
382 "failed to retrieve pubkey");
371 goto err; 383 goto err;
372 } 384 }
373 } else { 385 } else {
374 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, 386 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
375 NULL)) == NULL) { 387 NULL)) == NULL) {
376 tls_set_errorx(ctx, "failed to read private key"); 388 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
377 goto err; 389 "failed to read private key");
390 goto err;
378 } 391 }
379 } 392 }
380 393
@@ -399,7 +412,7 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
399 return (0); 412 return (0);
400 413
401 if (keypair->pubkey_hash == NULL) { 414 if (keypair->pubkey_hash == NULL) {
402 tls_set_errorx(ctx, "public key hash not set"); 415 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "public key hash not set");
403 goto err; 416 goto err;
404 } 417 }
405 418
@@ -407,7 +420,8 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
407 case EVP_PKEY_RSA: 420 case EVP_PKEY_RSA:
408 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || 421 if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
409 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { 422 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) {
410 tls_set_errorx(ctx, "RSA key setup failure"); 423 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
424 "RSA key setup failure");
411 goto err; 425 goto err;
412 } 426 }
413 if (ctx->config->sign_cb != NULL) { 427 if (ctx->config->sign_cb != NULL) {
@@ -415,20 +429,23 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
415 if (rsa_method == NULL || 429 if (rsa_method == NULL ||
416 RSA_set_ex_data(rsa, 1, ctx->config) == 0 || 430 RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
417 RSA_set_method(rsa, rsa_method) == 0) { 431 RSA_set_method(rsa, rsa_method) == 0) {
418 tls_set_errorx(ctx, "failed to setup RSA key"); 432 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
433 "failed to setup RSA key");
419 goto err; 434 goto err;
420 } 435 }
421 } 436 }
422 /* Reset the key to work around caching in OpenSSL 3. */ 437 /* Reset the key to work around caching in OpenSSL 3. */
423 if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { 438 if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
424 tls_set_errorx(ctx, "failed to set RSA key"); 439 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
440 "failed to set RSA key");
425 goto err; 441 goto err;
426 } 442 }
427 break; 443 break;
428 case EVP_PKEY_EC: 444 case EVP_PKEY_EC:
429 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || 445 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
430 EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { 446 EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) {
431 tls_set_errorx(ctx, "EC key setup failure"); 447 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
448 "EC key setup failure");
432 goto err; 449 goto err;
433 } 450 }
434 if (ctx->config->sign_cb != NULL) { 451 if (ctx->config->sign_cb != NULL) {
@@ -436,18 +453,20 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
436 if (ecdsa_method == NULL || 453 if (ecdsa_method == NULL ||
437 EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || 454 EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
438 EC_KEY_set_method(eckey, ecdsa_method) == 0) { 455 EC_KEY_set_method(eckey, ecdsa_method) == 0) {
439 tls_set_errorx(ctx, "failed to setup EC key"); 456 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
457 "failed to setup EC key");
440 goto err; 458 goto err;
441 } 459 }
442 } 460 }
443 /* Reset the key to work around caching in OpenSSL 3. */ 461 /* Reset the key to work around caching in OpenSSL 3. */
444 if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { 462 if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
445 tls_set_errorx(ctx, "failed to set EC key"); 463 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
464 "failed to set EC key");
446 goto err; 465 goto err;
447 } 466 }
448 break; 467 break;
449 default: 468 default:
450 tls_set_errorx(ctx, "incorrect key type"); 469 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "incorrect key type");
451 goto err; 470 goto err;
452 } 471 }
453 472
@@ -472,13 +491,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
472 491
473 if (keypair->cert_mem != NULL) { 492 if (keypair->cert_mem != NULL) {
474 if (keypair->cert_len > INT_MAX) { 493 if (keypair->cert_len > INT_MAX) {
475 tls_set_errorx(ctx, "certificate too long"); 494 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
495 "certificate too long");
476 goto err; 496 goto err;
477 } 497 }
478 498
479 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx, 499 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
480 keypair->cert_mem, keypair->cert_len) != 1) { 500 keypair->cert_mem, keypair->cert_len) != 1) {
481 tls_set_errorx(ctx, "failed to load certificate"); 501 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
502 "failed to load certificate");
482 goto err; 503 goto err;
483 } 504 }
484 } 505 }
@@ -489,7 +510,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
489 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) 510 if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
490 goto err; 511 goto err;
491 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { 512 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
492 tls_set_errorx(ctx, "failed to load private key"); 513 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
514 "failed to load private key");
493 goto err; 515 goto err;
494 } 516 }
495 EVP_PKEY_free(pkey); 517 EVP_PKEY_free(pkey);
@@ -498,7 +520,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
498 520
499 if (!ctx->config->skip_private_key_check && 521 if (!ctx->config->skip_private_key_check &&
500 SSL_CTX_check_private_key(ssl_ctx) != 1) { 522 SSL_CTX_check_private_key(ssl_ctx) != 1) {
501 tls_set_errorx(ctx, "private/public key mismatch"); 523 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
524 "private/public key mismatch");
502 goto err; 525 goto err;
503 } 526 }
504 527
@@ -534,7 +557,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
534 if (ctx->config->alpn != NULL) { 557 if (ctx->config->alpn != NULL) {
535 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, 558 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
536 ctx->config->alpn_len) != 0) { 559 ctx->config->alpn_len) != 0) {
537 tls_set_errorx(ctx, "failed to set alpn"); 560 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
561 "failed to set alpn");
538 goto err; 562 goto err;
539 } 563 }
540 } 564 }
@@ -542,7 +566,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
542 if (ctx->config->ciphers != NULL) { 566 if (ctx->config->ciphers != NULL) {
543 if (SSL_CTX_set_cipher_list(ssl_ctx, 567 if (SSL_CTX_set_cipher_list(ssl_ctx,
544 ctx->config->ciphers) != 1) { 568 ctx->config->ciphers) != 1) {
545 tls_set_errorx(ctx, "failed to set ciphers"); 569 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
570 "failed to set ciphers");
546 goto err; 571 goto err;
547 } 572 }
548 } 573 }
@@ -572,7 +597,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
572 return (1); 597 return (1);
573 598
574 if ((X509_verify_cert(x509_ctx)) < 0) { 599 if ((X509_verify_cert(x509_ctx)) < 0) {
575 tls_set_errorx(ctx, "X509 verify cert failed"); 600 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
601 "X509 verify cert failed");
576 return (0); 602 return (0);
577 } 603 }
578 604
@@ -580,7 +606,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
580 if (x509_err == X509_V_OK) 606 if (x509_err == X509_V_OK)
581 return (1); 607 return (1);
582 608
583 tls_set_errorx(ctx, "certificate verification failed: %s", 609 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
610 "certificate verification failed: %s",
584 X509_verify_cert_error_string(x509_err)); 611 X509_verify_cert_error_string(x509_err));
585 612
586 return (0); 613 return (0);
@@ -620,31 +647,35 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
620 647
621 if (ca_mem != NULL) { 648 if (ca_mem != NULL) {
622 if (ca_len > INT_MAX) { 649 if (ca_len > INT_MAX) {
623 tls_set_errorx(ctx, "ca too long"); 650 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ca too long");
624 goto err; 651 goto err;
625 } 652 }
626 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { 653 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
627 tls_set_errorx(ctx, "ssl verify memory setup failure"); 654 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
655 "ssl verify memory setup failure");
628 goto err; 656 goto err;
629 } 657 }
630 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, 658 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
631 ctx->config->ca_path) != 1) { 659 ctx->config->ca_path) != 1) {
632 tls_set_errorx(ctx, "ssl verify locations failure"); 660 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
661 "ssl verify locations failure");
633 goto err; 662 goto err;
634 } 663 }
635 664
636 if (crl_mem != NULL) { 665 if (crl_mem != NULL) {
637 if (crl_len > INT_MAX) { 666 if (crl_len > INT_MAX) {
638 tls_set_errorx(ctx, "crl too long"); 667 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "crl too long");
639 goto err; 668 goto err;
640 } 669 }
641 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { 670 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
642 tls_set_errorx(ctx, "failed to create buffer"); 671 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
672 "failed to create buffer");
643 goto err; 673 goto err;
644 } 674 }
645 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb, 675 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
646 NULL)) == NULL) { 676 NULL)) == NULL) {
647 tls_set_errorx(ctx, "failed to parse crl"); 677 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
678 "failed to parse crl");
648 goto err; 679 goto err;
649 } 680 }
650 store = SSL_CTX_get_cert_store(ssl_ctx); 681 store = SSL_CTX_get_cert_store(ssl_ctx);
@@ -653,7 +684,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
653 if (xi->crl == NULL) 684 if (xi->crl == NULL)
654 continue; 685 continue;
655 if (!X509_STORE_add_crl(store, xi->crl)) { 686 if (!X509_STORE_add_crl(store, xi->crl)) {
656 tls_set_error(ctx, "failed to add crl"); 687 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
688 "failed to add crl");
657 goto err; 689 goto err;
658 } 690 }
659 } 691 }
@@ -759,21 +791,24 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
759 } else if (ssl_ret == -1) { 791 } else if (ssl_ret == -1) {
760 errstr = strerror(errno); 792 errstr = strerror(errno);
761 } 793 }
762 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); 794 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
795 "%s failed: %s", prefix, errstr);
763 return (-1); 796 return (-1);
764 797
765 case SSL_ERROR_SSL: 798 case SSL_ERROR_SSL:
766 if ((err = ERR_peek_error()) != 0) { 799 if ((err = ERR_peek_error()) != 0) {
767 errstr = ERR_error_string(err, NULL); 800 errstr = ERR_error_string(err, NULL);
768 } 801 }
769 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); 802 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
803 "%s failed: %s", prefix, errstr);
770 return (-1); 804 return (-1);
771 805
772 case SSL_ERROR_WANT_CONNECT: 806 case SSL_ERROR_WANT_CONNECT:
773 case SSL_ERROR_WANT_ACCEPT: 807 case SSL_ERROR_WANT_ACCEPT:
774 case SSL_ERROR_WANT_X509_LOOKUP: 808 case SSL_ERROR_WANT_X509_LOOKUP:
775 default: 809 default:
776 tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err); 810 tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN,
811 "%s failed (%d)", prefix, ssl_err);
777 return (-1); 812 return (-1);
778 } 813 }
779} 814}
@@ -786,12 +821,14 @@ tls_handshake(struct tls *ctx)
786 tls_error_clear(&ctx->error); 821 tls_error_clear(&ctx->error);
787 822
788 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { 823 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
789 tls_set_errorx(ctx, "invalid operation for context"); 824 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
825 "invalid operation for context");
790 goto out; 826 goto out;
791 } 827 }
792 828
793 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) { 829 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
794 tls_set_errorx(ctx, "handshake already completed"); 830 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
831 "handshake already completed");
795 goto out; 832 goto out;
796 } 833 }
797 834
@@ -828,7 +865,8 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
828 } 865 }
829 866
830 if (buflen > INT_MAX) { 867 if (buflen > INT_MAX) {
831 tls_set_errorx(ctx, "buflen too long"); 868 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
869 "buflen too long");
832 goto out; 870 goto out;
833 } 871 }
834 872
@@ -859,7 +897,8 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
859 } 897 }
860 898
861 if (buflen > INT_MAX) { 899 if (buflen > INT_MAX) {
862 tls_set_errorx(ctx, "buflen too long"); 900 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
901 "buflen too long");
863 goto out; 902 goto out;
864 } 903 }
865 904
@@ -885,7 +924,8 @@ tls_close(struct tls *ctx)
885 tls_error_clear(&ctx->error); 924 tls_error_clear(&ctx->error);
886 925
887 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { 926 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
888 tls_set_errorx(ctx, "invalid operation for context"); 927 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
928 "invalid operation for context");
889 rv = -1; 929 rv = -1;
890 goto out; 930 goto out;
891 } 931 }
@@ -906,13 +946,13 @@ tls_close(struct tls *ctx)
906 if (shutdown(ctx->socket, SHUT_RDWR) != 0) { 946 if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
907 if (rv == 0 && 947 if (rv == 0 &&
908 errno != ENOTCONN && errno != ECONNRESET) { 948 errno != ENOTCONN && errno != ECONNRESET) {
909 tls_set_error(ctx, "shutdown"); 949 tls_set_error(ctx, TLS_ERROR_UNKNOWN, "shutdown");
910 rv = -1; 950 rv = -1;
911 } 951 }
912 } 952 }
913 if (close(ctx->socket) != 0) { 953 if (close(ctx->socket) != 0) {
914 if (rv == 0) { 954 if (rv == 0) {
915 tls_set_error(ctx, "close"); 955 tls_set_error(ctx, TLS_ERROR_UNKNOWN, "close");
916 rv = -1; 956 rv = -1;
917 } 957 }
918 } 958 }
@@ -920,7 +960,7 @@ tls_close(struct tls *ctx)
920 } 960 }
921 961
922 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) { 962 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
923 tls_set_errorx(ctx, "EOF without close notify"); 963 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "EOF without close notify");
924 rv = -1; 964 rv = -1;
925 } 965 }
926 966