Store errors that occur during a tls_accept_socket() call on the context

for the server, rather than on the context for the connection. This makes
more sense than the current behaviour does.

Issue reported by Tim van der Molen.

4 files changed, 12 insertions, 11 deletions

diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 9fc81b5a646..b7b6570ff96 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.7 2015/02/07 09:50:09 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.8 2015/03/31 12:21:27 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -237,13 +237,13 @@ tls_reset(struct tls *ctx)
 }
 
 int
-tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix)
+tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
 {
 	const char *errstr = "unknown error";
 	unsigned long err;
 	int ssl_err;
 
-	ssl_err = SSL_get_error(ctx->ssl_conn, ssl_ret);
+	ssl_err = SSL_get_error(ssl_conn, ssl_ret);
 	switch (ssl_err) {
 	case SSL_ERROR_NONE:
 		return (0);
@@ -301,7 +301,7 @@ tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen)
 		return (0);
 	}
 
-	return tls_ssl_error(ctx, ssl_ret, "read"); 
+	return tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read"); 
 }
 
 int
@@ -320,7 +320,7 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
 		return (0);
 	}
 
-	return tls_ssl_error(ctx, ssl_ret, "write"); 
+	return tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write"); 
 }
 
 int
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index 24140346512..7c4ca9f306a 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.16 2015/03/21 15:35:15 sthen Exp $ */
+/* $OpenBSD: tls_client.c,v 1.17 2015/03/31 12:21:27 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -246,7 +246,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 
  connecting:
 	if ((ret = SSL_connect(ctx->ssl_conn)) != 1) {
-		err = tls_ssl_error(ctx, ret, "connect");
+		err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect");
 		if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
 			ctx->flags |= TLS_CONNECTING;
 			return (err);
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index d1ba48ea1a0..ba37e136e66 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.11 2015/02/22 14:50:41 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.12 2015/03/31 12:21:27 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -77,6 +77,7 @@ int tls_host_port(const char *hostport, char **host, char **port);
 int tls_set_error(struct tls *ctx, char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)))
     __attribute__((__nonnull__ (2)));
-int tls_ssl_error(struct tls *ctx, int ssl_ret, const char *prefix);
+int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
+    const char *prefix);
 
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index 8f34ecdded9..cbe064e2f5e 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.5 2015/02/07 09:50:09 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.6 2015/03/31 12:21:27 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -131,7 +131,7 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 	}
 
 	if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
-		err = tls_ssl_error(conn_ctx, ret, "accept");
+		err = tls_ssl_error(ctx, conn_ctx->ssl_conn, ret, "accept");
 		if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
 			return (err);
 		}