This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 4eaa5c93c Use ERR_error_string_n instead of ERR_error_string.
4eaa5c93c is described below
commit 4eaa5c93c632f1ea80e889b5458d5b95f57b59a2
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Wed May 15 09:14:14 2024 -0400
Use ERR_error_string_n instead of ERR_error_string.
Use header-defined constant for error message buffer sizes.
---
native/include/ssl_private.h | 5 +++
native/src/ssl.c | 8 ++---
native/src/sslconf.c | 16 +++++-----
native/src/sslcontext.c | 76 ++++++++++++++++++++++----------------------
4 files changed, 55 insertions(+), 50 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 6c5c9d297..96e21275c 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -67,6 +67,11 @@ extern ENGINE *tcn_ssl_engine;
#define SSL_AIDX_ECC (3)
#define SSL_AIDX_MAX (4)
+/*
+ * The length of error message strings. MUST BE AT LEAST 256.
+ */
+#define TCN_OPENSSL_ERROR_STRING_LENGTH 256
+
/*
* Define the SSL options
*/
diff --git a/native/src/ssl.c b/native/src/ssl.c
index 7624a4e67..838300c53 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -1114,9 +1114,9 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL,
getPeerCertificate)(TCN_STDARGS,
TCN_IMPLEMENT_CALL(jstring, SSL, getErrorString)(TCN_STDARGS, jlong number)
{
- char buf[256];
+ char buf[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
- ERR_error_string(number, buf);
+ ERR_error_string_n(number, buf, TCN_OPENSSL_ERROR_STRING_LENGTH);
return tcn_new_string(e, buf);
}
@@ -1278,8 +1278,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSL,
setCipherSuites)(TCN_STDARGS, jlong ssl,
return JNI_FALSE;
}
if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index e5b18a7ce..02c3513b1 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -94,8 +94,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS, jlong
pool,
ec = SSL_ERR_get();
if (!cctx || ec != 0) {
if (ec != 0) {
- char err[256];
- ERR_error_string(ec, err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Could not create SSL_CONF context (%s)", err);
} else {
tcn_Throw(e, "Could not create SSL_CONF context");
@@ -167,8 +167,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong
cctx,
value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
ec = SSL_ERR_get();
if (ec != 0) {
- char err[256];
- ERR_error_string(ec, err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Could not determine SSL_CONF command type for '%s'
(%s)", J2S(cmd), err);
return 0;
}
@@ -270,8 +270,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong
cctx,
ec = SSL_ERR_get();
if (rc <= 0 || ec != 0) {
if (ec != 0) {
- char err[256];
- ERR_error_string(ec, err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value
'%s' (%s)", J2S(cmd), buf != NULL ? buf : J2S(value), err);
} else {
tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value
'%s'", J2S(cmd), buf != NULL ? buf : J2S(value));
@@ -302,8 +302,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, finish)(TCN_STDARGS,
jlong cctx)
ec = SSL_ERR_get();
if (rc <= 0 || ec != 0) {
if (ec != 0) {
- char err[256];
- ERR_error_string(ec, err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Could not finish SSL_CONF commands (%s)", err);
} else {
tcn_Throw(e, "Could not finish SSL_CONF commands");
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 0855822e5..a7951f53f 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -263,8 +263,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
}
if (!ctx) {
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err);
goto init_failed;
}
@@ -544,8 +544,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCipherSuite)(TCN_STDARGS, jlong ctx,
#else
if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
#endif
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
@@ -603,7 +603,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
TCN_ALLOC_CSTRING(path);
jboolean rv = JNI_FALSE;
X509_LOOKUP *lookup;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
@@ -617,13 +617,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(file)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
if (lookup == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err);
goto cleanup;
}
if (!X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM)) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
c->crl = NULL;
tcn_Throw(e, "Load failed for file %s (%s)", J2S(file), err);
goto cleanup;
@@ -632,13 +632,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(path)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err);
goto cleanup;
}
if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
c->crl = NULL;
tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);
goto cleanup;
@@ -690,8 +690,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCACertificate)(TCN_STDARGS,
*/
if (!SSL_CTX_load_verify_locations(c->ctx,
J2S(file), J2S(path))) {
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure locations "
"for client authentication (%s)", err);
rv = JNI_FALSE;
@@ -755,8 +755,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpDH)(TCN_STDARGS,
jlong ctx,
bio = BIO_new_file(J2S(file), "r");
if (!bio) {
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error while configuring DH using %s: %s", J2S(file),
err);
TCN_FREE_CSTRING(file);
return;
@@ -765,17 +765,17 @@ TCN_IMPLEMENT_CALL(void, SSLContext,
setTmpDH)(TCN_STDARGS, jlong ctx,
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!dh) {
- char err[256];
- ERR_error_string(SSL_ERR_get(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error while configuring DH: no DH parameter found in %s
(%s)", J2S(file), err);
TCN_FREE_CSTRING(file);
return;
}
if (1 != SSL_CTX_set_tmp_dh(c->ctx, dh)) {
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
DH_free(dh);
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error while configuring DH with file %s: %s", J2S(file),
err);
TCN_FREE_CSTRING(file);
return;
@@ -814,9 +814,9 @@ TCN_IMPLEMENT_CALL(void, SSLContext,
setTmpECDHByCurveName)(TCN_STDARGS, jlong c
/* Setting found curve to context */
if (1 != SSL_CTX_set_tmp_ecdh(c->ctx, ecdh)) {
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
EC_KEY_free(ecdh);
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error while configuring elliptic curve %s: %s",
J2S(curveName), err);
TCN_FREE_CSTRING(curveName);
return;
@@ -995,7 +995,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
TCN_ALLOC_CSTRING(password);
const char *key_file, *cert_file;
const char *p;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
#ifdef HAVE_ECC
EC_GROUP *ecparams = NULL;
int nid;
@@ -1028,7 +1028,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
if ((p = strrchr(cert_file, '.')) != NULL && strcmp(p, ".pkcs12") == 0) {
if (!ssl_load_pkcs12(c, cert_file, &c->keys[idx], &c->certs[idx], 0)) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -1043,14 +1043,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
NULL, NULL)) == NULL)
#endif
) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate key %s (%s)",
key_file, err);
rv = JNI_FALSE;
goto cleanup;
}
if ((c->certs[idx] = load_pem_cert(c, cert_file)) == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -1058,19 +1058,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
}
if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting certificate (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting private key (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_check_private_key(c->ctx) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Private key does not match the certificate public key
(%s)",
err);
rv = JNI_FALSE;
@@ -1128,7 +1128,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificateRaw)(TCN_STDARGS, jlong c
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
jboolean rv = JNI_TRUE;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
/* we get the key contents into a byte array */
jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaKey, NULL);
@@ -1155,7 +1155,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificateRaw)(TCN_STDARGS, jlong c
tmp = (const unsigned char *)cert;
certs = d2i_X509(NULL, &tmp, lengthOfCert);
if (certs == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error reading certificate (%s)", err);
rv = JNI_FALSE;
goto cleanup;
@@ -1171,7 +1171,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificateRaw)(TCN_STDARGS, jlong c
evp = PEM_read_bio_PrivateKey(bio, NULL, 0, NULL);
if (evp == NULL) {
BIO_free(bio);
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error reading private key (%s)", err);
rv = JNI_FALSE;
goto cleanup;
@@ -1183,19 +1183,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificateRaw)(TCN_STDARGS, jlong c
c->keys[idx] = evp;
if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting certificate (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting private key (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_check_private_key(c->ctx) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Private key does not match the certificate public key
(%s)",
err);
rv = JNI_FALSE;
@@ -1228,7 +1228,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
addChainCertificateRaw)(TCN_STDARGS, jl
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
jboolean rv = JNI_TRUE;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
/* we get the cert contents into a byte array */
jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL);
@@ -1243,11 +1243,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
addChainCertificateRaw)(TCN_STDARGS, jl
tmp = (const unsigned char *)cert;
certs = d2i_X509(NULL, &tmp, lengthOfCert);
if (certs == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error reading certificate (%s)", err);
rv = JNI_FALSE;
} else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error adding certificate to chain (%s)", err);
rv = JNI_FALSE;
}
@@ -1266,7 +1266,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
addClientCACertificateRaw)(TCN_STDARGS,
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
jboolean rv = JNI_TRUE;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
/* we get the cert contents into a byte array */
jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL);
@@ -1281,11 +1281,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
addClientCACertificateRaw)(TCN_STDARGS,
tmp = (const unsigned char *)charCert;
cert = d2i_X509(NULL, &tmp, lengthOfCert);
if (cert == NULL) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error encoding allowed peer CA certificate (%s)", err);
rv = JNI_FALSE;
} else if (SSL_CTX_add_client_CA(c->ctx, cert) <= 0) {
- ERR_error_string(SSL_ERR_get(), err);
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error adding allowed peer CA certificate (%s)", err);
rv = JNI_FALSE;
}
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
