1 files changed, 53 insertions, 30 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 5eb5b69ac6..449071641b 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.67 2023/07/02 06:37:27 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.68 2024/03/26 06:24:52 joshua Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -50,12 +50,14 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
        *len = 0;
        if ((fd = open(filename, O_RDONLY)) == -1) {
-                tls_error_set(error, "failed to open %s file '%s'",
+                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                    "failed to open %s file '%s'",
                    filetype, filename);
                goto err;
        }
        if (fstat(fd, &st) != 0) {
-                tls_error_set(error, "failed to stat %s file '%s'",
+                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                    "failed to stat %s file '%s'",
                    filetype, filename);
                goto err;
        }
@@ -63,13 +65,15 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
                goto err;
        *len = (size_t)st.st_size;
        if ((*buf = malloc(*len)) == NULL) {
-                tls_error_set(error, "failed to allocate buffer for "
+                tls_error_set(error, TLS_ERROR_UNKNOWN,
-                    "%s file", filetype);
+                    "failed to allocate buffer for %s file",
+                    filetype);
                goto err;
        }
        n = read(fd, *buf, *len);
        if (n < 0 || (size_t)n != *len) {
-                tls_error_set(error, "failed to read %s file '%s'",
+                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                    "failed to read %s file '%s'",
                    filetype, filename);
                goto err;
        }
@@ -203,6 +207,12 @@ tls_config_error(struct tls_config *config)
        return config->error.msg;
 }
+int
+tls_config_error_code(struct tls_config *config)
+{
+        return config->error.code;
+}
 void
 tls_config_clear_keys(struct tls_config *config)
 {
@@ -291,17 +301,19 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
        *alpn_len = 0;
        if ((buf_len = strlen(alpn) + 1) > 65535) {
-                tls_config_set_errorx(config, "alpn too large");
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN, "alpn too large");
                goto err;
        }
        if ((buf = malloc(buf_len)) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
+                tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+                    "out of memory");
                goto err;
        }
        if ((s = strdup(alpn)) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
+                tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+                    "out of memory");
                goto err;
        }
@@ -309,12 +321,12 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
        q = s;
        while ((p = strsep(&q, ",")) != NULL) {
                if ((len = strlen(p)) == 0) {
-                        tls_config_set_errorx(config,
+                        tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
                            "alpn protocol with zero length");
                        goto err;
                }
                if (len > 255) {
-                        tls_config_set_errorx(config,
+                        tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
                            "alpn protocol too long");
                        goto err;
                }
@@ -484,11 +496,13 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
                ciphers = TLS_CIPHERS_ALL;
        if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
+                tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+                    "out of memory");
                goto err;
        }
        if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
-                tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "no ciphers for '%s'", ciphers);
                goto err;
        }
@@ -526,7 +540,8 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
        else if (strcasecmp(params, "legacy") == 0)
                keylen = 1024;
        else {
-                tls_config_set_errorx(config, "invalid dhe param '%s'", params);
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "invalid dhe param '%s'", params);
                return (-1);
        }
@@ -543,8 +558,8 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *curve)
            strcasecmp(curve, "auto") == 0) {
                curve = TLS_ECDHE_CURVES;
        } else if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) {
-                tls_config_set_errorx(config, "invalid ecdhe curve '%s'",
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
-                    curve);
+                    "invalid ecdhe curve '%s'", curve);
                return (-1);
        }
@@ -569,7 +584,8 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
                curves = TLS_ECDHE_CURVES;
        if ((cs = strdup(curves)) == NULL) {
-                tls_config_set_errorx(config, "out of memory");
+                tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+                    "out of memory");
                goto err;
        }
@@ -584,14 +600,15 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
                if (nid == NID_undef)
                        nid = EC_curve_nist2nid(p);
                if (nid == NID_undef) {
-                        tls_config_set_errorx(config,
+                        tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
                            "invalid ecdhe curve '%s'", p);
                        goto err;
                }
                if ((curves_new = reallocarray(curves_list, curves_num + 1,
                    sizeof(int))) == NULL) {
-                        tls_config_set_errorx(config, "out of memory");
+                        tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+                            "out of memory");
                        goto err;
                }
                curves_list = curves_new;
@@ -712,24 +729,26 @@ tls_config_set_session_fd(struct tls_config *config, int session_fd)
        }
        if (fstat(session_fd, &sb) == -1) {
-                tls_config_set_error(config, "failed to stat session file");
+                tls_config_set_error(config, TLS_ERROR_UNKNOWN,
+                    "failed to stat session file");
                return (-1);
        }
        if (!S_ISREG(sb.st_mode)) {
-                tls_config_set_errorx(config,
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
                    "session file is not a regular file");
                return (-1);
        }
        if (sb.st_uid != getuid()) {
-                tls_config_set_errorx(config, "session file has incorrect "
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
-                    "owner (uid %u != %u)", sb.st_uid, getuid());
+                    "session file has incorrect owner (uid %u != %u)",
+                    sb.st_uid, getuid());
                return (-1);
        }
        mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
        if (mugo != (S_IRUSR|S_IWUSR)) {
-                tls_config_set_errorx(config, "session file has incorrect "
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
-                    "permissions (%o != 600)", mugo);
+                    "session file has incorrect permissions (%o != 600)", mugo);
                return (-1);
        }
@@ -846,7 +865,8 @@ tls_config_set_session_id(struct tls_config *config,
    const unsigned char *session_id, size_t len)
 {
        if (len > TLS_MAX_SESSION_ID_LENGTH) {
-                tls_config_set_errorx(config, "session ID too large");
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "session ID too large");
                return (-1);
        }
        memset(config->session_id, 0, sizeof(config->session_id));
@@ -858,11 +878,13 @@ int
 tls_config_set_session_lifetime(struct tls_config *config, int lifetime)
 {
        if (lifetime > TLS_MAX_SESSION_TIMEOUT) {
-                tls_config_set_errorx(config, "session lifetime too large");
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "session lifetime too large");
                return (-1);
        }
        if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) {
-                tls_config_set_errorx(config, "session lifetime too small");
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "session lifetime too small");
                return (-1);
        }
@@ -879,7 +901,7 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
        if (TLS_TICKET_KEY_SIZE != keylen ||
            sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) {
-                tls_config_set_errorx(config,
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
                    "wrong amount of ticket key data");
                return (-1);
        }
@@ -903,7 +925,8 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
                    sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key,
                    tk->hmac_key, sizeof(tk->hmac_key)) == 0)
                        return (0);
-                tls_config_set_errorx(config, "ticket key already present");
+                tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+                    "ticket key already present");
                return (-1);
        }