From ff826d3cb94a579275eb6e97b3cf80ca69016d4b Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 7 Feb 2015 09:50:09 +0000
Subject: Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails.
Requested by reyk@
---
 src/lib/libtls/tls.c          |  4 ++--
 src/lib/libtls/tls_client.c   | 18 ++++++------------
 src/lib/libtls/tls_internal.h |  3 ++-
 src/lib/libtls/tls_server.c   | 17 ++++++-----------
 4 files changed, 16 insertions(+), 26 deletions(-)

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 696c35b459..9fc81b5a64 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.6 2015/02/07 04:33:51 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.7 2015/02/07 09:50:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -236,7 +236,7 @@ tls_reset(struct tls *ctx)
 	ctx->errmsg = NULL;
 }
 
-static int
+int
 tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix)
 {
 	const char *errstr = "unknown error";
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index d9354c3140..85733cdd5e 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.10 2015/01/30 14:25:37 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.11 2015/02/07 09:50:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -136,7 +136,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 {
 	union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
 	X509 *cert = NULL;
-	int ret, ssl_err;
+	int ret, err;
 
 	if (ctx->flags & TLS_CONNECTING)
 		goto connecting;
@@ -216,18 +216,12 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 
 connecting:
 	if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
-		ssl_err = SSL_get_error(ctx->ssl_conn, ret);
-		switch (ssl_err) {
-		case SSL_ERROR_WANT_READ:
+		err = tls_ssl_error(ctx, ret, "connect");
+		if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
 			ctx->flags |= TLS_CONNECTING;
-			return (TLS_READ_AGAIN);
-		case SSL_ERROR_WANT_WRITE:
-			ctx->flags |= TLS_CONNECTING;
-			return (TLS_WRITE_AGAIN);
-		default:
-			tls_set_error(ctx, "TLS connect failed (%i)", ssl_err);
-			goto err;
+			return (err);
 		}
+		goto err;
 	}
 
 	ctx->flags &= ~TLS_CONNECTING;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 18fcf539c3..f0feddcf5b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.8 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.9 2015/02/07 09:50:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -74,5 +74,6 @@ int tls_host_port(const char *hostport, char **host, char **port);
 int tls_set_error(struct tls *ctx, char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
+int tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix);
 
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 8d71d2790f..8f34ecdded 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.5 2015/02/07 09:50:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
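Review bot: The retry path now returns whatever tls_ssl_error() left behind in ctx, so if that helper records an error string for SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (its body is in tls.c, outside this hunk) a caller that polls tls_error(ctx) during a non-blocking handshake will see a spurious "connect: ..." message where the removed switch set none for those two cases. Worth confirming that tls_ssl_error() only calls tls_set_error() on the failure branches and stating that contract above its definition, e.g. `/* Returns TLS_READ_AGAIN/TLS_WRITE_AGAIN without touching the error state; any other return value has already recorded an error via tls_set_error(). */`. The same question applies to the tls_accept_socket() hunk in tls_server.c. tls_connect_fds() begins and ends outside this hunk.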
@@ -102,7 +102,7 @@ int
 tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 {
 	struct tls *conn_ctx = *cctx;
-	int ret, ssl_err;
+	int ret, err;
 
 	if ((ctx->flags & TLS_SERVER) == 0) {
 		tls_set_error(ctx, "not a server context");
@@ -131,16 +131,11 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 	}
 
 	if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
-		ssl_err = SSL_get_error(conn_ctx->ssl_conn, ret);
-		switch (ssl_err) {
-		case SSL_ERROR_WANT_READ:
-			return (TLS_READ_AGAIN);
-		case SSL_ERROR_WANT_WRITE:
-			return (TLS_WRITE_AGAIN);
-		default:
-			tls_set_error(ctx, "TLS accept failed (%i)", ssl_err);
-			goto err;
+		err = tls_ssl_error(conn_ctx, ret, "accept");
+		if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
+			return (err);
 		}
+		goto err;
 	}
 
 	return (0);
-- 
cgit v1.2.3-55-g6feb
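Review bot: The handshake failure is now recorded on the connection context (`err = tls_ssl_error(conn_ctx, ret, "accept");`) whereas the removed tls_set_error() call, and the "not a server context" check earlier in this same function, record their message on the server ctx; a caller that reports tls_error(ctx) after a -1 return from tls_accept_socket() will therefore see no message, or a stale one, for SSL_accept() failures. Since tls_ssl_error() presumably needs the SSL handle from conn_ctx->ssl_conn, the fix is likely either to propagate the message to ctx afterwards (the errmsg field is visible in the tls.c hunk) or to document on tls_accept_socket() that handshake errors must be read via tls_error(*cctx). The `err:` label and what it does with conn_ctx lie outside this hunk; if that path frees or clears *cctx the message is lost entirely, so it needs checking as well.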