summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libtls/tls.c18
-rw-r--r--src/lib/libtls/tls.h3
-rw-r--r--src/lib/libtls/tls_config.c6
3 files changed, 15 insertions, 12 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index a8b03f0d4a..c2f7f3722c 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.102 2024/03/26 08:54:48 joshua Exp $ */ 1/* $OpenBSD: tls.c,v 1.103 2024/03/27 07:35:30 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -359,9 +359,9 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
359 return (0); 359 return (0);
360 360
361 if (len > INT_MAX) { 361 if (len > INT_MAX) {
362 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, 362 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
363 ctx->config->use_fake_private_key ? 363 ctx->config->use_fake_private_key ?
364 "cert too long" : "key too long"); 364 "certificate too long" : "key too long");
365 goto err; 365 goto err;
366 } 366 }
367 367
@@ -491,7 +491,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
491 491
492 if (keypair->cert_mem != NULL) { 492 if (keypair->cert_mem != NULL) {
493 if (keypair->cert_len > INT_MAX) { 493 if (keypair->cert_len > INT_MAX) {
494 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, 494 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
495 "certificate too long"); 495 "certificate too long");
496 goto err; 496 goto err;
497 } 497 }
@@ -647,7 +647,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
647 647
648 if (ca_mem != NULL) { 648 if (ca_mem != NULL) {
649 if (ca_len > INT_MAX) { 649 if (ca_len > INT_MAX) {
650 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ca too long"); 650 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
651 "ca too long");
651 goto err; 652 goto err;
652 } 653 }
653 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { 654 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
@@ -664,7 +665,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
664 665
665 if (crl_mem != NULL) { 666 if (crl_mem != NULL) {
666 if (crl_len > INT_MAX) { 667 if (crl_len > INT_MAX) {
667 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "crl too long"); 668 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
669 "crl too long");
668 goto err; 670 goto err;
669 } 671 }
670 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { 672 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
@@ -865,7 +867,7 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
865 } 867 }
866 868
867 if (buflen > INT_MAX) { 869 if (buflen > INT_MAX) {
868 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, 870 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
869 "buflen too long"); 871 "buflen too long");
870 goto out; 872 goto out;
871 } 873 }
@@ -897,7 +899,7 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
897 } 899 }
898 900
899 if (buflen > INT_MAX) { 901 if (buflen > INT_MAX) {
900 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, 902 tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
901 "buflen too long"); 903 "buflen too long");
902 goto out; 904 goto out;
903 } 905 }
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index b69c4af58c..67804d7cd8 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.65 2024/03/26 08:54:48 joshua Exp $ */ 1/* $OpenBSD: tls.h,v 1.66 2024/03/27 07:35:30 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -81,6 +81,7 @@ extern "C" {
81#define TLS_ERROR_UNKNOWN 0x0000 81#define TLS_ERROR_UNKNOWN 0x0000
82#define TLS_ERROR_OUT_OF_MEMORY 0x1000 82#define TLS_ERROR_OUT_OF_MEMORY 0x1000
83#define TLS_ERROR_INVALID_CONTEXT 0x2000 83#define TLS_ERROR_INVALID_CONTEXT 0x2000
84#define TLS_ERROR_INVALID_ARGUMENT 0x2001
84#endif 85#endif
85 86
86struct tls; 87struct tls;
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 449071641b..645562e838 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.68 2024/03/26 06:24:52 joshua Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.69 2024/03/27 07:35:30 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -321,12 +321,12 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
321 q = s; 321 q = s;
322 while ((p = strsep(&q, ",")) != NULL) { 322 while ((p = strsep(&q, ",")) != NULL) {
323 if ((len = strlen(p)) == 0) { 323 if ((len = strlen(p)) == 0) {
324 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN, 324 tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
325 "alpn protocol with zero length"); 325 "alpn protocol with zero length");
326 goto err; 326 goto err;
327 } 327 }
328 if (len > 255) { 328 if (len > 255) {
329 tls_config_set_errorx(config, TLS_ERROR_UNKNOWN, 329 tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
330 "alpn protocol too long"); 330 "alpn protocol too long");
331 goto err; 331 goto err;
332 } 332 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-29 21:14:22 +0000