Rework the error handling in libtls so that we can associate errors with

both configuration and contexts. This allows us to propagate errors that occur during configuration, rather than either just failing with no reason or delaying the failure until it can be propagated via the tls context. Also provide a tls_config_error() function for retrieving the last error from a tls_config *. ok bcook@
author: jsing <jsing@openbsd.org> 2016-04-28 16:48:44 +0000
committer: jsing <jsing@openbsd.org> 2016-04-28 16:48:44 +0000
commit: a88e9e95f700d9db8d2f78052b581f175c0646f4 (patch)
tree: e88b38806fdcb15981a493bd8e37d1fa6655f646
parent: Plug a couple of leaks of input buffers. (diff)
download: wireguard-openbsd-a88e9e95f700d9db8d2f78052b581f175c0646f4.tar.xz
wireguard-openbsd-a88e9e95f700d9db8d2f78052b581f175c0646f4.zip
5 files changed, 90 insertions, 28 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 5ca555027f2..661aa6ad0ad 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.35 2016/01/18 16:15:14 bcook Exp $ */
+/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -58,17 +58,18 @@ tls_init(void)
 const char *
 tls_error(struct tls *ctx)
 {
-	return ctx->errmsg;
+	return ctx->error.msg;
 }
 
 static int
-tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
+tls_set_verror(struct tls_error *error, int errnum, const char *fmt, va_list ap)
 {
 	char *errmsg = NULL;
 	int rv = -1;
 
-	free(ctx->errmsg);
-	ctx->errmsg = NULL;
+	free(error->msg);
+	error->msg = NULL;
+	error->num = errnum;
 
 	if (vasprintf(&errmsg, fmt, ap) == -1) {
 		errmsg = NULL;
@@ -76,12 +77,12 @@ tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
 	}
 
 	if (errnum == -1) {
-		ctx->errmsg = errmsg;
+		error->msg = errmsg;
 		return (0);
 	}
 
-	if (asprintf(&ctx->errmsg, "%s: %s", errmsg, strerror(errnum)) == -1) {
-		ctx->errmsg = NULL;
+	if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
+		error->msg = NULL;
 		goto err;
 	}
 	rv = 0;
@@ -93,15 +94,43 @@ tls_set_verror(struct tls *ctx, int errnum, const char *fmt, va_list ap)
 }
 
 int
-tls_set_error(struct tls *ctx, const char *fmt, ...)
+tls_set_config_error(struct tls_config *config, const char *fmt, ...)
+{
+	va_list ap;
+	int errnum, rv;
+
+	errnum = errno;
+
+	va_start(ap, fmt);
+	rv = tls_set_verror(&config->error, errnum, fmt, ap);
+	va_end(ap);
+
+	return (rv);
+}
+
+int
+tls_set_config_errorx(struct tls_config *config, const char *fmt, ...)
 {
 	va_list ap;
 	int rv;
 
-	ctx->errnum = errno;
+	va_start(ap, fmt);
+	rv = tls_set_verror(&config->error, -1, fmt, ap);
+	va_end(ap);
+
+	return (rv);
+}
+
+int
+tls_set_error(struct tls *ctx, const char *fmt, ...)
+{
+	va_list ap;
+	int errnum, rv;
+
+	errnum = errno;
 
 	va_start(ap, fmt);
-	rv = tls_set_verror(ctx, ctx->errnum, fmt, ap);
+	rv = tls_set_verror(&ctx->error, errnum, fmt, ap);
 	va_end(ap);
 
 	return (rv);
@@ -114,7 +143,7 @@ tls_set_errorx(struct tls *ctx, const char *fmt, ...)
 	int rv;
 
 	va_start(ap, fmt);
-	rv = tls_set_verror(ctx, -1, fmt, ap);
+	rv = tls_set_verror(&ctx->error, -1, fmt, ap);
 	va_end(ap);
 
 	return (rv);
@@ -328,9 +357,9 @@ tls_reset(struct tls *ctx)
 	free(ctx->servername);
 	ctx->servername = NULL;
 
-	free(ctx->errmsg);
-	ctx->errmsg = NULL;
-	ctx->errnum = 0;
+	free(ctx->error.msg);
+	ctx->error.msg = NULL;
+	ctx->error.num = -1;
 
 	tls_free_conninfo(ctx->conninfo);
 	free(ctx->conninfo);
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index e5c31ed5813..da229d1feed 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -46,6 +46,7 @@ struct tls_config;
 
 int tls_init(void);
 
+const char *tls_config_error(struct tls_config *_config);
 const char *tls_error(struct tls *_ctx);
 
 struct tls_config *tls_config_new(void);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 5ab2379628a..9c2b5810f68 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.14 2015/09/29 10:17:04 deraadt Exp $ */
+/* $OpenBSD: tls_config.c,v 1.15 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,6 +99,8 @@ tls_config_free(struct tls_config *config)
 
 	tls_config_clear_keys(config);
 
+	free(config->error.msg);
+
 	free((char *)config->ca_file);
 	free((char *)config->ca_path);
 	free((char *)config->cert_file);
@@ -110,6 +112,12 @@ tls_config_free(struct tls_config *config)
 	free(config);
 }
 
+const char *
+tls_config_error(struct tls_config *config)
+{
+	return config->error.msg;
+}
+
 void
 tls_config_clear_keys(struct tls_config *config)
 {
@@ -232,8 +240,10 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
 		keylen = -1;
 	else if (strcasecmp(params, "legacy") == 0)
 		keylen = 1024;
-	else
+	else {
+		tls_set_config_errorx(config, "invalid dhe param '%s'", params);
 		return (-1);
+	}
 
 	config->dheparams = keylen;
 
@@ -249,8 +259,10 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
 		nid = NID_undef;
 	else if (strcasecmp(name, "auto") == 0)
 		nid = -1;
-	else if ((nid = OBJ_txt2nid(name)) == NID_undef)
+	else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
+		tls_set_config_errorx(config, "invalid ecdhe curve '%s'", name);
 		return (-1);
+	}
 
 	config->ecdhecurve = nid;
 
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index d5acc59cdc0..48662e08683 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.56 2016/04/24 12:16:36 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.57 2016/04/28 16:48:44 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,11 +14,12 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 24 2016 $
+.Dd $Mdocdate: April 28 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
 .Nm tls_init ,
+.Nm tls_config_error ,
 .Nm tls_error ,
 .Nm tls_config_new ,
 .Nm tls_config_free ,
@@ -75,8 +76,10 @@
 .Ft "int"
 .Fn tls_init "void"
 .Ft "const char *"
-.Fn tls_error "struct tls *ctx"
+.Fn tls_config_error "struct tls *config"
 .Ft "struct tls_config *"
+.Fn tls_error "struct tls *ctx"
+.Ft "const char *"
 .Fn tls_config_new "void"
 .Ft "void"
 .Fn tls_config_free "struct tls_config *config"
@@ -668,9 +671,11 @@ while (len > 0) {
 .Ed
 .Sh ERRORS
 The
+.Fn tls_config_error
+and
 .Fn tls_error
-function may be used to retrieve a string containing more information
-about the most recent error.
+functions may be used to retrieve a string containing more information
+about the most recent error relating to a configuration or context.
 .\" .Sh SEE ALSO
 .Sh HISTORY
 The
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index b203b5662ed..21bf2b46130 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -34,7 +34,14 @@ union tls_addr {
 	struct in6_addr ip6;
 };
 
+struct tls_error {
+	char *msg;
+	int num;
+};
+
 struct tls_config {
+	struct tls_error error;
+
 	const char *ca_file;
 	const char *ca_path;
 	char *ca_mem;
@@ -78,12 +85,11 @@ struct tls_conninfo {
 
 struct tls {
 	struct tls_config *config;
+	struct tls_error error;
+
 	uint32_t flags;
 	uint32_t state;
 
-	char *errmsg;
-	int errnum;
-
 	char *servername;
 	int socket;
 
@@ -104,14 +110,23 @@ int tls_configure_ssl_verify(struct tls *ctx, int verify);
 int tls_handshake_client(struct tls *ctx);
 int tls_handshake_server(struct tls *ctx);
 int tls_host_port(const char *hostport, char **host, char **port);
+
+int tls_set_config_error(struct tls_config *cfg, const char *fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+int tls_set_config_errorx(struct tls_config *cfg, const char *fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
 int tls_set_error(struct tls *ctx, const char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
 int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
+
 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
     const char *prefix);
+
 int tls_get_conninfo(struct tls *ctx);
 void tls_free_conninfo(struct tls_conninfo *conninfo);
author	jsing <jsing@openbsd.org>	2016-04-28 16:48:44 +0000
committer	jsing <jsing@openbsd.org>	2016-04-28 16:48:44 +0000
commit	a88e9e95f700d9db8d2f78052b581f175c0646f4 (patch)
tree	e88b38806fdcb15981a493bd8e37d1fa6655f646
parent	Plug a couple of leaks of input buffers. (diff)
download	wireguard-openbsd-a88e9e95f700d9db8d2f78052b581f175c0646f4.tar.xz wireguard-openbsd-a88e9e95f700d9db8d2f78052b581f175c0646f4.zip