diff options
Diffstat (limited to '')
-rw-r--r-- | src/lib/libtls/tls.c | 152 |
1 files changed, 96 insertions, 56 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 58245009d7..8433f556bf 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tls.c,v 1.100 2024/03/26 01:15:57 joshua Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.101 2024/03/26 06:24:52 joshua Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
4 | * | 4 | * |
@@ -72,23 +72,32 @@ tls_error(struct tls *ctx) | |||
72 | return ctx->error.msg; | 72 | return ctx->error.msg; |
73 | } | 73 | } |
74 | 74 | ||
75 | int | ||
76 | tls_error_code(struct tls *ctx) | ||
77 | { | ||
78 | return ctx->error.code; | ||
79 | } | ||
80 | |||
75 | void | 81 | void |
76 | tls_error_clear(struct tls_error *error) | 82 | tls_error_clear(struct tls_error *error) |
77 | { | 83 | { |
78 | free(error->msg); | 84 | free(error->msg); |
79 | error->msg = NULL; | 85 | error->msg = NULL; |
86 | error->code = TLS_ERROR_UNKNOWN; | ||
80 | error->errno_value = 0; | 87 | error->errno_value = 0; |
81 | error->tls = 0; | 88 | error->tls = 0; |
82 | } | 89 | } |
83 | 90 | ||
84 | static int | 91 | static int |
85 | tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_list ap) | 92 | tls_error_vset(struct tls_error *error, int code, int errno_value, |
93 | const char *fmt, va_list ap) | ||
86 | { | 94 | { |
87 | char *errmsg = NULL; | 95 | char *errmsg = NULL; |
88 | int rv = -1; | 96 | int rv = -1; |
89 | 97 | ||
90 | tls_error_clear(error); | 98 | tls_error_clear(error); |
91 | 99 | ||
100 | error->code = code; | ||
92 | error->errno_value = errno_value; | 101 | error->errno_value = errno_value; |
93 | error->tls = 1; | 102 | error->tls = 1; |
94 | 103 | ||
@@ -115,7 +124,7 @@ tls_error_vset(struct tls_error *error, int errno_value, const char *fmt, va_lis | |||
115 | } | 124 | } |
116 | 125 | ||
117 | int | 126 | int |
118 | tls_error_set(struct tls_error *error, const char *fmt, ...) | 127 | tls_error_set(struct tls_error *error, int code, const char *fmt, ...) |
119 | { | 128 | { |
120 | va_list ap; | 129 | va_list ap; |
121 | int errno_value, rv; | 130 | int errno_value, rv; |
@@ -123,27 +132,27 @@ tls_error_set(struct tls_error *error, const char *fmt, ...) | |||
123 | errno_value = errno; | 132 | errno_value = errno; |
124 | 133 | ||
125 | va_start(ap, fmt); | 134 | va_start(ap, fmt); |
126 | rv = tls_error_vset(error, errno_value, fmt, ap); | 135 | rv = tls_error_vset(error, code, errno_value, fmt, ap); |
127 | va_end(ap); | 136 | va_end(ap); |
128 | 137 | ||
129 | return (rv); | 138 | return (rv); |
130 | } | 139 | } |
131 | 140 | ||
132 | int | 141 | int |
133 | tls_error_setx(struct tls_error *error, const char *fmt, ...) | 142 | tls_error_setx(struct tls_error *error, int code, const char *fmt, ...) |
134 | { | 143 | { |
135 | va_list ap; | 144 | va_list ap; |
136 | int rv; | 145 | int rv; |
137 | 146 | ||
138 | va_start(ap, fmt); | 147 | va_start(ap, fmt); |
139 | rv = tls_error_vset(error, -1, fmt, ap); | 148 | rv = tls_error_vset(error, code, -1, fmt, ap); |
140 | va_end(ap); | 149 | va_end(ap); |
141 | 150 | ||
142 | return (rv); | 151 | return (rv); |
143 | } | 152 | } |
144 | 153 | ||
145 | int | 154 | int |
146 | tls_config_set_error(struct tls_config *config, const char *fmt, ...) | 155 | tls_config_set_error(struct tls_config *config, int code, const char *fmt, ...) |
147 | { | 156 | { |
148 | va_list ap; | 157 | va_list ap; |
149 | int errno_value, rv; | 158 | int errno_value, rv; |
@@ -151,27 +160,27 @@ tls_config_set_error(struct tls_config *config, const char *fmt, ...) | |||
151 | errno_value = errno; | 160 | errno_value = errno; |
152 | 161 | ||
153 | va_start(ap, fmt); | 162 | va_start(ap, fmt); |
154 | rv = tls_error_vset(&config->error, errno_value, fmt, ap); | 163 | rv = tls_error_vset(&config->error, code, errno_value, fmt, ap); |
155 | va_end(ap); | 164 | va_end(ap); |
156 | 165 | ||
157 | return (rv); | 166 | return (rv); |
158 | } | 167 | } |
159 | 168 | ||
160 | int | 169 | int |
161 | tls_config_set_errorx(struct tls_config *config, const char *fmt, ...) | 170 | tls_config_set_errorx(struct tls_config *config, int code, const char *fmt, ...) |
162 | { | 171 | { |
163 | va_list ap; | 172 | va_list ap; |
164 | int rv; | 173 | int rv; |
165 | 174 | ||
166 | va_start(ap, fmt); | 175 | va_start(ap, fmt); |
167 | rv = tls_error_vset(&config->error, -1, fmt, ap); | 176 | rv = tls_error_vset(&config->error, code, -1, fmt, ap); |
168 | va_end(ap); | 177 | va_end(ap); |
169 | 178 | ||
170 | return (rv); | 179 | return (rv); |
171 | } | 180 | } |
172 | 181 | ||
173 | int | 182 | int |
174 | tls_set_error(struct tls *ctx, const char *fmt, ...) | 183 | tls_set_error(struct tls *ctx, int code, const char *fmt, ...) |
175 | { | 184 | { |
176 | va_list ap; | 185 | va_list ap; |
177 | int errno_value, rv; | 186 | int errno_value, rv; |
@@ -179,27 +188,27 @@ tls_set_error(struct tls *ctx, const char *fmt, ...) | |||
179 | errno_value = errno; | 188 | errno_value = errno; |
180 | 189 | ||
181 | va_start(ap, fmt); | 190 | va_start(ap, fmt); |
182 | rv = tls_error_vset(&ctx->error, errno_value, fmt, ap); | 191 | rv = tls_error_vset(&ctx->error, code, errno_value, fmt, ap); |
183 | va_end(ap); | 192 | va_end(ap); |
184 | 193 | ||
185 | return (rv); | 194 | return (rv); |
186 | } | 195 | } |
187 | 196 | ||
188 | int | 197 | int |
189 | tls_set_errorx(struct tls *ctx, const char *fmt, ...) | 198 | tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...) |
190 | { | 199 | { |
191 | va_list ap; | 200 | va_list ap; |
192 | int rv; | 201 | int rv; |
193 | 202 | ||
194 | va_start(ap, fmt); | 203 | va_start(ap, fmt); |
195 | rv = tls_error_vset(&ctx->error, -1, fmt, ap); | 204 | rv = tls_error_vset(&ctx->error, code, -1, fmt, ap); |
196 | va_end(ap); | 205 | va_end(ap); |
197 | 206 | ||
198 | return (rv); | 207 | return (rv); |
199 | } | 208 | } |
200 | 209 | ||
201 | int | 210 | int |
202 | tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) | 211 | tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...) |
203 | { | 212 | { |
204 | va_list ap; | 213 | va_list ap; |
205 | int rv; | 214 | int rv; |
@@ -209,7 +218,7 @@ tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) | |||
209 | return (0); | 218 | return (0); |
210 | 219 | ||
211 | va_start(ap, fmt); | 220 | va_start(ap, fmt); |
212 | rv = tls_error_vset(&ctx->error, -1, fmt, ap); | 221 | rv = tls_error_vset(&ctx->error, code, -1, fmt, ap); |
213 | va_end(ap); | 222 | va_end(ap); |
214 | 223 | ||
215 | return (rv); | 224 | return (rv); |
@@ -350,31 +359,35 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke | |||
350 | return (0); | 359 | return (0); |
351 | 360 | ||
352 | if (len > INT_MAX) { | 361 | if (len > INT_MAX) { |
353 | tls_set_errorx(ctx, ctx->config->use_fake_private_key ? | 362 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
363 | ctx->config->use_fake_private_key ? | ||
354 | "cert too long" : "key too long"); | 364 | "cert too long" : "key too long"); |
355 | goto err; | 365 | goto err; |
356 | } | 366 | } |
357 | 367 | ||
358 | if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { | 368 | if ((bio = BIO_new_mem_buf(mem, len)) == NULL) { |
359 | tls_set_errorx(ctx, "failed to create buffer"); | 369 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "failed to create buffer"); |
360 | goto err; | 370 | goto err; |
361 | } | 371 | } |
362 | 372 | ||
363 | if (ctx->config->use_fake_private_key) { | 373 | if (ctx->config->use_fake_private_key) { |
364 | if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, | 374 | if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb, |
365 | NULL)) == NULL) { | 375 | NULL)) == NULL) { |
366 | tls_set_errorx(ctx, "failed to read X509 certificate"); | 376 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
377 | "failed to read X509 certificate"); | ||
367 | goto err; | 378 | goto err; |
368 | } | 379 | } |
369 | if ((*pkey = X509_get_pubkey(x509)) == NULL) { | 380 | if ((*pkey = X509_get_pubkey(x509)) == NULL) { |
370 | tls_set_errorx(ctx, "failed to retrieve pubkey"); | 381 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
382 | "failed to retrieve pubkey"); | ||
371 | goto err; | 383 | goto err; |
372 | } | 384 | } |
373 | } else { | 385 | } else { |
374 | if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, | 386 | if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb, |
375 | NULL)) == NULL) { | 387 | NULL)) == NULL) { |
376 | tls_set_errorx(ctx, "failed to read private key"); | 388 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
377 | goto err; | 389 | "failed to read private key"); |
390 | goto err; | ||
378 | } | 391 | } |
379 | } | 392 | } |
380 | 393 | ||
@@ -399,7 +412,7 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
399 | return (0); | 412 | return (0); |
400 | 413 | ||
401 | if (keypair->pubkey_hash == NULL) { | 414 | if (keypair->pubkey_hash == NULL) { |
402 | tls_set_errorx(ctx, "public key hash not set"); | 415 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "public key hash not set"); |
403 | goto err; | 416 | goto err; |
404 | } | 417 | } |
405 | 418 | ||
@@ -407,7 +420,8 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
407 | case EVP_PKEY_RSA: | 420 | case EVP_PKEY_RSA: |
408 | if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || | 421 | if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL || |
409 | RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { | 422 | RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0) { |
410 | tls_set_errorx(ctx, "RSA key setup failure"); | 423 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
424 | "RSA key setup failure"); | ||
411 | goto err; | 425 | goto err; |
412 | } | 426 | } |
413 | if (ctx->config->sign_cb != NULL) { | 427 | if (ctx->config->sign_cb != NULL) { |
@@ -415,20 +429,23 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
415 | if (rsa_method == NULL || | 429 | if (rsa_method == NULL || |
416 | RSA_set_ex_data(rsa, 1, ctx->config) == 0 || | 430 | RSA_set_ex_data(rsa, 1, ctx->config) == 0 || |
417 | RSA_set_method(rsa, rsa_method) == 0) { | 431 | RSA_set_method(rsa, rsa_method) == 0) { |
418 | tls_set_errorx(ctx, "failed to setup RSA key"); | 432 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
433 | "failed to setup RSA key"); | ||
419 | goto err; | 434 | goto err; |
420 | } | 435 | } |
421 | } | 436 | } |
422 | /* Reset the key to work around caching in OpenSSL 3. */ | 437 | /* Reset the key to work around caching in OpenSSL 3. */ |
423 | if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { | 438 | if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { |
424 | tls_set_errorx(ctx, "failed to set RSA key"); | 439 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
440 | "failed to set RSA key"); | ||
425 | goto err; | 441 | goto err; |
426 | } | 442 | } |
427 | break; | 443 | break; |
428 | case EVP_PKEY_EC: | 444 | case EVP_PKEY_EC: |
429 | if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || | 445 | if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || |
430 | EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { | 446 | EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0) { |
431 | tls_set_errorx(ctx, "EC key setup failure"); | 447 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
448 | "EC key setup failure"); | ||
432 | goto err; | 449 | goto err; |
433 | } | 450 | } |
434 | if (ctx->config->sign_cb != NULL) { | 451 | if (ctx->config->sign_cb != NULL) { |
@@ -436,18 +453,20 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
436 | if (ecdsa_method == NULL || | 453 | if (ecdsa_method == NULL || |
437 | EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || | 454 | EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 || |
438 | EC_KEY_set_method(eckey, ecdsa_method) == 0) { | 455 | EC_KEY_set_method(eckey, ecdsa_method) == 0) { |
439 | tls_set_errorx(ctx, "failed to setup EC key"); | 456 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
457 | "failed to setup EC key"); | ||
440 | goto err; | 458 | goto err; |
441 | } | 459 | } |
442 | } | 460 | } |
443 | /* Reset the key to work around caching in OpenSSL 3. */ | 461 | /* Reset the key to work around caching in OpenSSL 3. */ |
444 | if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { | 462 | if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { |
445 | tls_set_errorx(ctx, "failed to set EC key"); | 463 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
464 | "failed to set EC key"); | ||
446 | goto err; | 465 | goto err; |
447 | } | 466 | } |
448 | break; | 467 | break; |
449 | default: | 468 | default: |
450 | tls_set_errorx(ctx, "incorrect key type"); | 469 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "incorrect key type"); |
451 | goto err; | 470 | goto err; |
452 | } | 471 | } |
453 | 472 | ||
@@ -472,13 +491,15 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
472 | 491 | ||
473 | if (keypair->cert_mem != NULL) { | 492 | if (keypair->cert_mem != NULL) { |
474 | if (keypair->cert_len > INT_MAX) { | 493 | if (keypair->cert_len > INT_MAX) { |
475 | tls_set_errorx(ctx, "certificate too long"); | 494 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
495 | "certificate too long"); | ||
476 | goto err; | 496 | goto err; |
477 | } | 497 | } |
478 | 498 | ||
479 | if (SSL_CTX_use_certificate_chain_mem(ssl_ctx, | 499 | if (SSL_CTX_use_certificate_chain_mem(ssl_ctx, |
480 | keypair->cert_mem, keypair->cert_len) != 1) { | 500 | keypair->cert_mem, keypair->cert_len) != 1) { |
481 | tls_set_errorx(ctx, "failed to load certificate"); | 501 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
502 | "failed to load certificate"); | ||
482 | goto err; | 503 | goto err; |
483 | } | 504 | } |
484 | } | 505 | } |
@@ -489,7 +510,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
489 | if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) | 510 | if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1) |
490 | goto err; | 511 | goto err; |
491 | if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { | 512 | if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) { |
492 | tls_set_errorx(ctx, "failed to load private key"); | 513 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
514 | "failed to load private key"); | ||
493 | goto err; | 515 | goto err; |
494 | } | 516 | } |
495 | EVP_PKEY_free(pkey); | 517 | EVP_PKEY_free(pkey); |
@@ -498,7 +520,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
498 | 520 | ||
499 | if (!ctx->config->skip_private_key_check && | 521 | if (!ctx->config->skip_private_key_check && |
500 | SSL_CTX_check_private_key(ssl_ctx) != 1) { | 522 | SSL_CTX_check_private_key(ssl_ctx) != 1) { |
501 | tls_set_errorx(ctx, "private/public key mismatch"); | 523 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
524 | "private/public key mismatch"); | ||
502 | goto err; | 525 | goto err; |
503 | } | 526 | } |
504 | 527 | ||
@@ -534,7 +557,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) | |||
534 | if (ctx->config->alpn != NULL) { | 557 | if (ctx->config->alpn != NULL) { |
535 | if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, | 558 | if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, |
536 | ctx->config->alpn_len) != 0) { | 559 | ctx->config->alpn_len) != 0) { |
537 | tls_set_errorx(ctx, "failed to set alpn"); | 560 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
561 | "failed to set alpn"); | ||
538 | goto err; | 562 | goto err; |
539 | } | 563 | } |
540 | } | 564 | } |
@@ -542,7 +566,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) | |||
542 | if (ctx->config->ciphers != NULL) { | 566 | if (ctx->config->ciphers != NULL) { |
543 | if (SSL_CTX_set_cipher_list(ssl_ctx, | 567 | if (SSL_CTX_set_cipher_list(ssl_ctx, |
544 | ctx->config->ciphers) != 1) { | 568 | ctx->config->ciphers) != 1) { |
545 | tls_set_errorx(ctx, "failed to set ciphers"); | 569 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
570 | "failed to set ciphers"); | ||
546 | goto err; | 571 | goto err; |
547 | } | 572 | } |
548 | } | 573 | } |
@@ -572,7 +597,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg) | |||
572 | return (1); | 597 | return (1); |
573 | 598 | ||
574 | if ((X509_verify_cert(x509_ctx)) < 0) { | 599 | if ((X509_verify_cert(x509_ctx)) < 0) { |
575 | tls_set_errorx(ctx, "X509 verify cert failed"); | 600 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
601 | "X509 verify cert failed"); | ||
576 | return (0); | 602 | return (0); |
577 | } | 603 | } |
578 | 604 | ||
@@ -580,7 +606,8 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg) | |||
580 | if (x509_err == X509_V_OK) | 606 | if (x509_err == X509_V_OK) |
581 | return (1); | 607 | return (1); |
582 | 608 | ||
583 | tls_set_errorx(ctx, "certificate verification failed: %s", | 609 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
610 | "certificate verification failed: %s", | ||
584 | X509_verify_cert_error_string(x509_err)); | 611 | X509_verify_cert_error_string(x509_err)); |
585 | 612 | ||
586 | return (0); | 613 | return (0); |
@@ -620,31 +647,35 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) | |||
620 | 647 | ||
621 | if (ca_mem != NULL) { | 648 | if (ca_mem != NULL) { |
622 | if (ca_len > INT_MAX) { | 649 | if (ca_len > INT_MAX) { |
623 | tls_set_errorx(ctx, "ca too long"); | 650 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ca too long"); |
624 | goto err; | 651 | goto err; |
625 | } | 652 | } |
626 | if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { | 653 | if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { |
627 | tls_set_errorx(ctx, "ssl verify memory setup failure"); | 654 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
655 | "ssl verify memory setup failure"); | ||
628 | goto err; | 656 | goto err; |
629 | } | 657 | } |
630 | } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, | 658 | } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, |
631 | ctx->config->ca_path) != 1) { | 659 | ctx->config->ca_path) != 1) { |
632 | tls_set_errorx(ctx, "ssl verify locations failure"); | 660 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
661 | "ssl verify locations failure"); | ||
633 | goto err; | 662 | goto err; |
634 | } | 663 | } |
635 | 664 | ||
636 | if (crl_mem != NULL) { | 665 | if (crl_mem != NULL) { |
637 | if (crl_len > INT_MAX) { | 666 | if (crl_len > INT_MAX) { |
638 | tls_set_errorx(ctx, "crl too long"); | 667 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "crl too long"); |
639 | goto err; | 668 | goto err; |
640 | } | 669 | } |
641 | if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { | 670 | if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { |
642 | tls_set_errorx(ctx, "failed to create buffer"); | 671 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
672 | "failed to create buffer"); | ||
643 | goto err; | 673 | goto err; |
644 | } | 674 | } |
645 | if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb, | 675 | if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb, |
646 | NULL)) == NULL) { | 676 | NULL)) == NULL) { |
647 | tls_set_errorx(ctx, "failed to parse crl"); | 677 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
678 | "failed to parse crl"); | ||
648 | goto err; | 679 | goto err; |
649 | } | 680 | } |
650 | store = SSL_CTX_get_cert_store(ssl_ctx); | 681 | store = SSL_CTX_get_cert_store(ssl_ctx); |
@@ -653,7 +684,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) | |||
653 | if (xi->crl == NULL) | 684 | if (xi->crl == NULL) |
654 | continue; | 685 | continue; |
655 | if (!X509_STORE_add_crl(store, xi->crl)) { | 686 | if (!X509_STORE_add_crl(store, xi->crl)) { |
656 | tls_set_error(ctx, "failed to add crl"); | 687 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, |
688 | "failed to add crl"); | ||
657 | goto err; | 689 | goto err; |
658 | } | 690 | } |
659 | } | 691 | } |
@@ -759,21 +791,24 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix) | |||
759 | } else if (ssl_ret == -1) { | 791 | } else if (ssl_ret == -1) { |
760 | errstr = strerror(errno); | 792 | errstr = strerror(errno); |
761 | } | 793 | } |
762 | tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); | 794 | tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN, |
795 | "%s failed: %s", prefix, errstr); | ||
763 | return (-1); | 796 | return (-1); |
764 | 797 | ||
765 | case SSL_ERROR_SSL: | 798 | case SSL_ERROR_SSL: |
766 | if ((err = ERR_peek_error()) != 0) { | 799 | if ((err = ERR_peek_error()) != 0) { |
767 | errstr = ERR_error_string(err, NULL); | 800 | errstr = ERR_error_string(err, NULL); |
768 | } | 801 | } |
769 | tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr); | 802 | tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN, |
803 | "%s failed: %s", prefix, errstr); | ||
770 | return (-1); | 804 | return (-1); |
771 | 805 | ||
772 | case SSL_ERROR_WANT_CONNECT: | 806 | case SSL_ERROR_WANT_CONNECT: |
773 | case SSL_ERROR_WANT_ACCEPT: | 807 | case SSL_ERROR_WANT_ACCEPT: |
774 | case SSL_ERROR_WANT_X509_LOOKUP: | 808 | case SSL_ERROR_WANT_X509_LOOKUP: |
775 | default: | 809 | default: |
776 | tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err); | 810 | tls_set_ssl_errorx(ctx, TLS_ERROR_UNKNOWN, |
811 | "%s failed (%d)", prefix, ssl_err); | ||
777 | return (-1); | 812 | return (-1); |
778 | } | 813 | } |
779 | } | 814 | } |
@@ -786,12 +821,14 @@ tls_handshake(struct tls *ctx) | |||
786 | tls_error_clear(&ctx->error); | 821 | tls_error_clear(&ctx->error); |
787 | 822 | ||
788 | if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { | 823 | if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { |
789 | tls_set_errorx(ctx, "invalid operation for context"); | 824 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
825 | "invalid operation for context"); | ||
790 | goto out; | 826 | goto out; |
791 | } | 827 | } |
792 | 828 | ||
793 | if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) { | 829 | if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) { |
794 | tls_set_errorx(ctx, "handshake already completed"); | 830 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
831 | "handshake already completed"); | ||
795 | goto out; | 832 | goto out; |
796 | } | 833 | } |
797 | 834 | ||
@@ -828,7 +865,8 @@ tls_read(struct tls *ctx, void *buf, size_t buflen) | |||
828 | } | 865 | } |
829 | 866 | ||
830 | if (buflen > INT_MAX) { | 867 | if (buflen > INT_MAX) { |
831 | tls_set_errorx(ctx, "buflen too long"); | 868 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
869 | "buflen too long"); | ||
832 | goto out; | 870 | goto out; |
833 | } | 871 | } |
834 | 872 | ||
@@ -859,7 +897,8 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen) | |||
859 | } | 897 | } |
860 | 898 | ||
861 | if (buflen > INT_MAX) { | 899 | if (buflen > INT_MAX) { |
862 | tls_set_errorx(ctx, "buflen too long"); | 900 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
901 | "buflen too long"); | ||
863 | goto out; | 902 | goto out; |
864 | } | 903 | } |
865 | 904 | ||
@@ -885,7 +924,8 @@ tls_close(struct tls *ctx) | |||
885 | tls_error_clear(&ctx->error); | 924 | tls_error_clear(&ctx->error); |
886 | 925 | ||
887 | if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { | 926 | if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) { |
888 | tls_set_errorx(ctx, "invalid operation for context"); | 927 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, |
928 | "invalid operation for context"); | ||
889 | rv = -1; | 929 | rv = -1; |
890 | goto out; | 930 | goto out; |
891 | } | 931 | } |
@@ -906,13 +946,13 @@ tls_close(struct tls *ctx) | |||
906 | if (shutdown(ctx->socket, SHUT_RDWR) != 0) { | 946 | if (shutdown(ctx->socket, SHUT_RDWR) != 0) { |
907 | if (rv == 0 && | 947 | if (rv == 0 && |
908 | errno != ENOTCONN && errno != ECONNRESET) { | 948 | errno != ENOTCONN && errno != ECONNRESET) { |
909 | tls_set_error(ctx, "shutdown"); | 949 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, "shutdown"); |
910 | rv = -1; | 950 | rv = -1; |
911 | } | 951 | } |
912 | } | 952 | } |
913 | if (close(ctx->socket) != 0) { | 953 | if (close(ctx->socket) != 0) { |
914 | if (rv == 0) { | 954 | if (rv == 0) { |
915 | tls_set_error(ctx, "close"); | 955 | tls_set_error(ctx, TLS_ERROR_UNKNOWN, "close"); |
916 | rv = -1; | 956 | rv = -1; |
917 | } | 957 | } |
918 | } | 958 | } |
@@ -920,7 +960,7 @@ tls_close(struct tls *ctx) | |||
920 | } | 960 | } |
921 | 961 | ||
922 | if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) { | 962 | if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) { |
923 | tls_set_errorx(ctx, "EOF without close notify"); | 963 | tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "EOF without close notify"); |
924 | rv = -1; | 964 | rv = -1; |
925 | } | 965 | } |
926 | 966 | ||