authorJoel Sing <jsing@cvs.openbsd.org>2016-04-28 16:48:45 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2016-04-28 16:48:45 +0000
commiteb65459604e2a7010ecdda143c94d347c8f4bacf (patch)
treebc04b26a80d2c2dcf489b0d8b4da92145a78ac54 /lib/libtls/tls_config.c
parent2e30d192e1b3f71af1f52191a4eee816cdc76a37 (diff)
Rework the error handling in libtls so that we can associate errors with
both configuration and contexts. This allows us to propagate errors that occur during configuration, rather than either just failing with no reason or delaying the failure until it can be propagated via the tls context. Also provide a tls_config_error() function for retrieving the last error from a tls_config *. ok bcook@
Diffstat (limited to 'lib/libtls/tls_config.c')
-rw-r--r--lib/libtls/tls_config.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 5ab2379628a..9c2b5810f68 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.14 2015/09/29 10:17:04 deraadt Exp $ */
+/* $OpenBSD: tls_config.c,v 1.15 2016/04/28 16:48:44 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -99,6 +99,8 @@ tls_config_free(struct tls_config *config)
tls_config_clear_keys(config);
+ free(config->error.msg);
+
free((char *)config->ca_file);
free((char *)config->ca_path);
free((char *)config->cert_file);
@@ -110,6 +112,12 @@ tls_config_free(struct tls_config *config)
free(config);
}
+const char *
+tls_config_error(struct tls_config *config)
+{
+ return config->error.msg;
+}
+
void
tls_config_clear_keys(struct tls_config *config)
{
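Review bot: tls_config_error() returns config->error.msg itself rather than a copy, and the `free(config->error.msg)` added to tls_config_free() in the previous hunk shows the config owns that storage, so the pointer's lifetime should be documented at the definition. I would add above the function `/* Returned string is owned by config: do not free it, and do not use it after tls_config_free(). */`. Whether the pointer is NULL before any error is recorded, or is replaced when a later error is set, depends on tls_set_config_errorx(), which is not in this diff; if either holds, the comment should say so. The function also dereferences config with no NULL check, which is worth stating for callers. The hunk ends inside tls_config_clear_keys(), whose body is outside it.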
@@ -232,8 +240,10 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
keylen = -1;
else if (strcasecmp(params, "legacy") == 0)
keylen = 1024;
- else
+ else {
+ tls_set_config_errorx(config, "invalid dhe param '%s'", params);
return (-1);
+ }
config->dheparams = keylen;
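Review bot: The new error path in tls_config_set_dheparams() formats the caller-supplied `params` into the message unmodified, and the ecdhe curve hunk below does the same with `name`. An application that forwards tls_config_error() to syslog or a terminal would then emit whatever bytes the value held, including newlines or escape sequences. If these values can come from anything less trusted than the administrator's own configuration, I would note it at the call, e.g. `/* params is echoed verbatim; encode (strvis(3)) before logging tls_config_error() */`, or encode the value before formatting it. The return value of tls_set_config_errorx() is also dropped, so if that call can fail (its definition is not shown here) the caller gets -1 with no message set. Both functions begin and end outside their hunks.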
@@ -249,8 +259,10 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
nid = NID_undef;
else if (strcasecmp(name, "auto") == 0)
nid = -1;
- else if ((nid = OBJ_txt2nid(name)) == NID_undef)
+ else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
+ tls_set_config_errorx(config, "invalid ecdhe curve '%s'", name);
return (-1);
+ }
config->ecdhecurve = nid;