Import LibreSSL 4.0.0

author: June McEnroe <june@causal.agency> 2026-06-01 14:42:49 -0400
committer: June McEnroe <june@causal.agency> 2026-06-01 14:42:49 -0400
commit: d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d (patch)
tree: 01f7eb5bc8d9d0e708ec077364a6b3fda7f1bdde /tls_config.c
parent: Import LibreSSL 3.9.2 (diff)
download: libretls-d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d.tar.gz
libretls-d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d.zip
1 files changed, 56 insertions, 32 deletions
diff --git a/tls_config.c b/tls_config.c
index 5eb5b69..22fa845 100644
--- a/tls_config.c
+++ b/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.67 2023/07/02 06:37:27 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -50,12 +50,14 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
 	*len = 0;
 
 	if ((fd = open(filename, O_RDONLY)) == -1) {
-		tls_error_set(error, "failed to open %s file '%s'",
+		tls_error_set(error, TLS_ERROR_UNKNOWN,
+		    "failed to open %s file '%s'",
 		    filetype, filename);
 		goto err;
 	}
 	if (fstat(fd, &st) != 0) {
-		tls_error_set(error, "failed to stat %s file '%s'",
+		tls_error_set(error, TLS_ERROR_UNKNOWN,
+		    "failed to stat %s file '%s'",
 		    filetype, filename);
 		goto err;
 	}
@@ -63,13 +65,15 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
 		goto err;
 	*len = (size_t)st.st_size;
 	if ((*buf = malloc(*len)) == NULL) {
-		tls_error_set(error, "failed to allocate buffer for "
-		    "%s file", filetype);
+		tls_error_set(error, TLS_ERROR_UNKNOWN,
+		    "failed to allocate buffer for %s file",
+		    filetype);
 		goto err;
 	}
 	n = read(fd, *buf, *len);
 	if (n < 0 || (size_t)n != *len) {
-		tls_error_set(error, "failed to read %s file '%s'",
+		tls_error_set(error, TLS_ERROR_UNKNOWN,
+		    "failed to read %s file '%s'",
 		    filetype, filename);
 		goto err;
 	}
@@ -203,6 +207,12 @@ tls_config_error(struct tls_config *config)
 	return config->error.msg;
 }
 
+int
+tls_config_error_code(struct tls_config *config)
+{
+	return config->error.code;
+}
+
 void
 tls_config_clear_keys(struct tls_config *config)
 {
@@ -251,9 +261,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 		if (strcasecmp(p, "tlsv1") == 0)
 			proto = TLS_PROTOCOL_TLSv1;
 		else if (strcasecmp(p, "tlsv1.0") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_0;
 		else if (strcasecmp(p, "tlsv1.1") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_1;
 		else if (strcasecmp(p, "tlsv1.2") == 0)
 			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.3") == 0)
@@ -291,17 +301,20 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
 	*alpn_len = 0;
 
 	if ((buf_len = strlen(alpn) + 1) > 65535) {
-		tls_config_set_errorx(config, "alpn too large");
+		tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
+		    "alpn too large");
 		goto err;
 	}
 
 	if ((buf = malloc(buf_len)) == NULL) {
-		tls_config_set_errorx(config, "out of memory");
+		tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+		    "out of memory");
 		goto err;
 	}
 
 	if ((s = strdup(alpn)) == NULL) {
-		tls_config_set_errorx(config, "out of memory");
+		tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+		    "out of memory");
 		goto err;
 	}
 
@@ -309,12 +322,12 @@ tls_config_parse_alpn(struct tls_config *config, const char *alpn,
 	q = s;
 	while ((p = strsep(&q, ",")) != NULL) {
 		if ((len = strlen(p)) == 0) {
-			tls_config_set_errorx(config,
+			tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
 			    "alpn protocol with zero length");
 			goto err;
 		}
 		if (len > 255) {
-			tls_config_set_errorx(config,
+			tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
 			    "alpn protocol too long");
 			goto err;
 		}
@@ -484,11 +497,13 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 		ciphers = TLS_CIPHERS_ALL;
 
 	if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
-		tls_config_set_errorx(config, "out of memory");
+		tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+		    "out of memory");
 		goto err;
 	}
 	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
-		tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "no ciphers for '%s'", ciphers);
 		goto err;
 	}
 
@@ -526,7 +541,8 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
 	else if (strcasecmp(params, "legacy") == 0)
 		keylen = 1024;
 	else {
-		tls_config_set_errorx(config, "invalid dhe param '%s'", params);
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "invalid dhe param '%s'", params);
 		return (-1);
 	}
 
@@ -543,8 +559,8 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *curve)
 	    strcasecmp(curve, "auto") == 0) {
 		curve = TLS_ECDHE_CURVES;
 	} else if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) {
-		tls_config_set_errorx(config, "invalid ecdhe curve '%s'",
-		    curve);
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "invalid ecdhe curve '%s'", curve);
 		return (-1);
 	}
 
@@ -569,7 +585,8 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
 		curves = TLS_ECDHE_CURVES;
 
 	if ((cs = strdup(curves)) == NULL) {
-		tls_config_set_errorx(config, "out of memory");
+		tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+		    "out of memory");
 		goto err;
 	}
 
@@ -584,14 +601,15 @@ tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
 		if (nid == NID_undef)
 			nid = EC_curve_nist2nid(p);
 		if (nid == NID_undef) {
-			tls_config_set_errorx(config,
+			tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
 			    "invalid ecdhe curve '%s'", p);
 			goto err;
 		}
 
 		if ((curves_new = reallocarray(curves_list, curves_num + 1,
 		    sizeof(int))) == NULL) {
-			tls_config_set_errorx(config, "out of memory");
+			tls_config_set_errorx(config, TLS_ERROR_OUT_OF_MEMORY,
+			    "out of memory");
 			goto err;
 		}
 		curves_list = curves_new;
@@ -712,24 +730,26 @@ tls_config_set_session_fd(struct tls_config *config, int session_fd)
 	}
 
 	if (fstat(session_fd, &sb) == -1) {
-		tls_config_set_error(config, "failed to stat session file");
+		tls_config_set_error(config, TLS_ERROR_UNKNOWN,
+		    "failed to stat session file");
 		return (-1);
 	}
 	if (!S_ISREG(sb.st_mode)) {
-		tls_config_set_errorx(config,
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
 		    "session file is not a regular file");
 		return (-1);
 	}
 
 	if (sb.st_uid != getuid()) {
-		tls_config_set_errorx(config, "session file has incorrect "
-		    "owner (uid %u != %u)", sb.st_uid, getuid());
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "session file has incorrect owner (uid %u != %u)",
+		    sb.st_uid, getuid());
 		return (-1);
 	}
 	mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
 	if (mugo != (S_IRUSR|S_IWUSR)) {
-		tls_config_set_errorx(config, "session file has incorrect "
-		    "permissions (%o != 600)", mugo);
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "session file has incorrect permissions (%o != 600)", mugo);
 		return (-1);
 	}
 
@@ -846,7 +866,8 @@ tls_config_set_session_id(struct tls_config *config,
     const unsigned char *session_id, size_t len)
 {
 	if (len > TLS_MAX_SESSION_ID_LENGTH) {
-		tls_config_set_errorx(config, "session ID too large");
+		tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
+		    "session ID too large");
 		return (-1);
 	}
 	memset(config->session_id, 0, sizeof(config->session_id));
@@ -858,11 +879,13 @@ int
 tls_config_set_session_lifetime(struct tls_config *config, int lifetime)
 {
 	if (lifetime > TLS_MAX_SESSION_TIMEOUT) {
-		tls_config_set_errorx(config, "session lifetime too large");
+		tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
+		    "session lifetime too large");
 		return (-1);
 	}
 	if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) {
-		tls_config_set_errorx(config, "session lifetime too small");
+		tls_config_set_errorx(config, TLS_ERROR_INVALID_ARGUMENT,
+		    "session lifetime too small");
 		return (-1);
 	}
 
@@ -879,7 +902,7 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
 
 	if (TLS_TICKET_KEY_SIZE != keylen ||
 	    sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) {
-		tls_config_set_errorx(config,
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
 		    "wrong amount of ticket key data");
 		return (-1);
 	}
@@ -903,7 +926,8 @@ tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
 		    sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key,
 		    tk->hmac_key, sizeof(tk->hmac_key)) == 0)
 			return (0);
-		tls_config_set_errorx(config, "ticket key already present");
+		tls_config_set_errorx(config, TLS_ERROR_UNKNOWN,
+		    "ticket key already present");
 		return (-1);
 	}
author	June McEnroe <june@causal.agency>	2026-06-01 14:42:49 -0400
committer	June McEnroe <june@causal.agency>	2026-06-01 14:42:49 -0400
commit	d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d (patch)
tree	01f7eb5bc8d9d0e708ec077364a6b3fda7f1bdde /tls_config.c
parent	Import LibreSSL 3.9.2 (diff)
download	libretls-d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d.tar.gz libretls-d08958f5d2c4d71d8132ea5c6cb45e48b5c4d83d.zip