From 2666540eb58ec0e76b541248bed9d159e6a2ccea Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 28 Apr 2016 16:48:44 +0000
Subject: Rework the error handling in libtls so that we can associate errors
 with both configuration and contexts. This allows us to propagate errors that
 occur during configuration, rather than either just failing with no reason or
 delaying the failure until it can be propagated via the tls context.

Also provide a tls_config_error() function for retrieving the last error
from a tls_config *.

ok bcook@
---
 src/lib/libtls/tls.c          | 59 ++++++++++++++++++++++++++++++++-----------
 src/lib/libtls/tls.h          |  3 ++-
 src/lib/libtls/tls_config.c   | 18 ++++++++++---
 src/lib/libtls/tls_init.3     | 15 +++++++----
 src/lib/libtls/tls_internal.h | 23 ++++++++++++++---
 5 files changed, 90 insertions(+), 28 deletions(-)

(limited to 'src')

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 5ca555027f..661aa6ad0a 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.35 2016/01/18 16:15:14 bcook Exp $ */
+/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -58,17 +58,18 @@ tls_init(void)
 const char *
 tls_error(struct tls *ctx)
 {
-	return ctx->errmsg;
+	return ctx->error.msg;
 }
 
 static int
-tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
+tls_set_verror(struct tls_error *error, int errnum, const char *fmt, va_list ap)
 {
 	char *errmsg = NULL;
 	int rv = -1;
 
-	free(ctx->errmsg);
-	ctx->errmsg = NULL;
+	free(error->msg);
+	error->msg = NULL;
+	error->num = errnum;
 
 	if (vasprintf(&errmsg, fmt, ap) == -1) {
 		errmsg = NULL;
@@ -76,12 +77,12 @@ tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
 	}
 
 	if (errnum == -1) {
-		ctx->errmsg = errmsg;
+		error->msg = errmsg;
 		return (0);
 	}
 
-	if (asprintf(&ctx->errmsg, "%s: %s", errmsg, strerror(errnum)) == -1) {
-		ctx->errmsg = NULL;
+	if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
+		error->msg = NULL;
 		goto err;
 	}
 	rv = 0;
@@ -93,15 +94,43 @@ tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
 }
 
 int
-tls_set_error(struct tls *ctx, const char *fmt, ...)
+tls_set_config_error(struct tls_config *config, const char *fmt, ...)
+{
+	va_list ap;
+	int errnum, rv;
+
+	errnum = errno;
+
+	va_start(ap, fmt);
+	rv = tls_set_verror(&config->error, errnum, fmt, ap);
+	va_end(ap);
+
+	return (rv);
+}
+
+int
+tls_set_config_errorx(struct tls_config *config, const char *fmt, ...)
 {
 	va_list ap;
 	int rv;
 
-	ctx->errnum = errno;
+	va_start(ap, fmt);
+	rv = tls_set_verror(&config->error, -1, fmt, ap);
+	va_end(ap);
+
+	return (rv);
+}
+
+int
+tls_set_error(struct tls *ctx, const char *fmt, ...)
+{
+	va_list ap;
+	int errnum, rv;
+
+	errnum = errno;
 
 	va_start(ap, fmt);
-	rv = tls_set_verror(ctx, ctx->errnum, fmt, ap);
+	rv = tls_set_verror(&ctx->error, errnum, fmt, ap);
 	va_end(ap);
 
 	return (rv);
@@ -114,7 +143,7 @@ tls_set_errorx(struct tls *ctx, const char *fmt, ...)
 	int rv;
 
 	va_start(ap, fmt);
-	rv = tls_set_verror(ctx, -1, fmt, ap);
+	rv = tls_set_verror(&ctx->error, -1, fmt, ap);
 	va_end(ap);
 
 	return (rv);
@@ -328,9 +357,9 @@ tls_reset(struct tls *ctx)
 	free(ctx->servername);
 	ctx->servername = NULL;
 
-	free(ctx->errmsg);
-	ctx->errmsg = NULL;
-	ctx->errnum = 0;
+	free(ctx->error.msg);
+	ctx->error.msg = NULL;
+	ctx->error.num = -1;
 
 	tls_free_conninfo(ctx->conninfo);
 	free(ctx->conninfo);
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index e5c31ed581..da229d1fee 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -46,6 +46,7 @@ struct tls_config;
 
 int tls_init(void);
 
+const char *tls_config_error(struct tls_config *_config);
 const char *tls_error(struct tls *_ctx);
 
 struct tls_config *tls_config_new(void);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 5ab2379628..9c2b5810f6 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.14 2015/09/29 10:17:04 deraadt Exp $ */
+/* $OpenBSD: tls_config.c,v 1.15 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,6 +99,8 @@ tls_config_free(struct tls_config *config)
 
 	tls_config_clear_keys(config);
 
+	free(config->error.msg);
+
 	free((char *)config->ca_file);
 	free((char *)config->ca_path);
 	free((char *)config->cert_file);
@@ -110,6 +112,12 @@ tls_config_free(struct tls_config *config)
 	free(config);
 }
 
+const char *
+tls_config_error(struct tls_config *config)
+{
+	return config->error.msg;
+}
+
 void
 tls_config_clear_keys(struct tls_config *config)
 {
@@ -232,8 +240,10 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
 		keylen = -1;
 	else if (strcasecmp(params, "legacy") == 0)
 		keylen = 1024;
-	else
+	else {
+		tls_set_config_errorx(config, "invalid dhe param '%s'", params);
 		return (-1);
+	}
 
 	config->dheparams = keylen;
 
@@ -249,8 +259,10 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
 		nid = NID_undef;
 	else if (strcasecmp(name, "auto") == 0)
 		nid = -1;
-	else if ((nid = OBJ_txt2nid(name)) == NID_undef)
+	else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
+		tls_set_config_errorx(config, "invalid ecdhe curve '%s'", name);
 		return (-1);
+	}
 
 	config->ecdhecurve = nid;
 
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d5acc59cdc..48662e0868 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.56 2016/04/24 12:16:36 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.57 2016/04/28 16:48:44 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,11 +14,12 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 24 2016 $
+.Dd $Mdocdate: April 28 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
 .Nm tls_init ,
+.Nm tls_config_error ,
 .Nm tls_error ,
 .Nm tls_config_new ,
 .Nm tls_config_free ,
@@ -75,8 +76,10 @@
 .Ft "int"
 .Fn tls_init "void"
 .Ft "const char *"
-.Fn tls_error "struct tls *ctx"
+.Fn tls_config_error "struct tls *config"
 .Ft "struct tls_config *"
+.Fn tls_error "struct tls *ctx"
+.Ft "const char *"
 .Fn tls_config_new "void"
 .Ft "void"
 .Fn tls_config_free "struct tls_config *config"
@@ -668,9 +671,11 @@ while (len > 0) {
 .Ed
 .Sh ERRORS
 The
+.Fn tls_config_error
+and
 .Fn tls_error
-function may be used to retrieve a string containing more information
-about the most recent error.
+functions may be used to retrieve a string containing more information
+about the most recent error relating to a configuration or context.
 .\" .Sh SEE ALSO
 .Sh HISTORY
 The
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index b203b5662e..21bf2b4613 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -34,7 +34,14 @@ union tls_addr {
 	struct in6_addr ip6;
 };
 
+struct tls_error {
+	char *msg;
+	int num;
+};
+
 struct tls_config {
+	struct tls_error error;
+
 	const char *ca_file;
 	const char *ca_path;
 	char *ca_mem;
@@ -78,12 +85,11 @@ struct tls_conninfo {
 
 struct tls {
 	struct tls_config *config;
+	struct tls_error error;
+
 	uint32_t flags;
 	uint32_t state;
 
-	char *errmsg;
-	int errnum;
-
 	char *servername;
 	int socket;
 
@@ -104,14 +110,23 @@ int tls_configure_ssl_verify(struct tls *ctx, int verify);
 int tls_handshake_client(struct tls *ctx);
 int tls_handshake_server(struct tls *ctx);
 int tls_host_port(const char *hostport, char **host, char **port);
+
+int tls_set_config_error(struct tls_config *cfg, const char *fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+int tls_set_config_errorx(struct tls_config *cfg, const char *fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
 int tls_set_error(struct tls *ctx, const char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
 int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
+
 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
     const char *prefix);
+
 int tls_get_conninfo(struct tls *ctx);
 void tls_free_conninfo(struct tls_conninfo *conninfo);
 
-- 
cgit v1.2.3-55-g6feb