This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push: new 4eaa5c93c Use ERR_error_string_n instead of ERR_error_string. 4eaa5c93c is described below commit 4eaa5c93c632f1ea80e889b5458d5b95f57b59a2 Author: Christopher Schultz <ch...@christopherschultz.net> AuthorDate: Wed May 15 09:14:14 2024 -0400 Use ERR_error_string_n instead of ERR_error_string. Use header-defined constant for error message buffer sizes. --- native/include/ssl_private.h | 5 +++ native/src/ssl.c | 8 ++--- native/src/sslconf.c | 16 +++++----- native/src/sslcontext.c | 76 ++++++++++++++++++++++---------------------- 4 files changed, 55 insertions(+), 50 deletions(-) diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h index 6c5c9d297..96e21275c 100644 --- a/native/include/ssl_private.h +++ b/native/include/ssl_private.h @@ -67,6 +67,11 @@ extern ENGINE *tcn_ssl_engine; #define SSL_AIDX_ECC (3) #define SSL_AIDX_MAX (4) +/* + * The length of error message strings. MUST BE AT LEAST 256. + */ +#define TCN_OPENSSL_ERROR_STRING_LENGTH 256 + /* * Define the SSL options */ diff --git a/native/src/ssl.c b/native/src/ssl.c index 7624a4e67..838300c53 100644 --- a/native/src/ssl.c +++ b/native/src/ssl.c @@ -1114,9 +1114,9 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS, TCN_IMPLEMENT_CALL(jstring, SSL, getErrorString)(TCN_STDARGS, jlong number) { - char buf[256]; + char buf[TCN_OPENSSL_ERROR_STRING_LENGTH]; UNREFERENCED(o); - ERR_error_string(number, buf); + ERR_error_string_n(number, buf, TCN_OPENSSL_ERROR_STRING_LENGTH); return tcn_new_string(e, buf); } 
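Review bot: The `MUST BE AT LEAST 256` requirement in the new comment above `TCN_OPENSSL_ERROR_STRING_LENGTH` is not enforced, so a later change to the value would build silently. The 256-byte minimum is what OpenSSL documents for the buffer given to `ERR_error_string`. `ERR_error_string_n` truncates to the length it is given, so after this commit a smaller value would shorten messages rather than overrun the buffer, and the comment could say so. If the minimum is still meant to be binding, a guard directly under the define makes it checkable at build time: `#if TCN_OPENSSL_ERROR_STRING_LENGTH < 256`, `#error "TCN_OPENSSL_ERROR_STRING_LENGTH must be at least 256"`, `#endif`.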
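Review bot: In `getErrorString` the length passed to `ERR_error_string_n` is the macro, not the size of the array being written, so the bound holds only while each declaration and its calls keep using the same constant; `ERR_error_string_n(number, buf, sizeof(buf));` ties it to the buffer itself. The same applies to every other call site in this commit. It matters most in `setCARevocation`, `setCertificate`, `setCertificateRaw`, `addChainCertificateRaw` and `addClientCACertificateRaw`, where `err` is declared at the top of the function and used many lines later. Separately, `number` is a `jlong` while `ERR_error_string_n` takes an `unsigned long`, so where `long` is 32 bits the value is narrowed implicitly; an explicit `(unsigned long)number` cast with a short comment would make that intentional.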
@@ -1278,8 +1278,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl, return JNI_FALSE; } if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) { - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err); rv = JNI_FALSE; } diff --git a/native/src/sslconf.c b/native/src/sslconf.c index e5b18a7ce..02c3513b1 100644 --- a/native/src/sslconf.c +++ b/native/src/sslconf.c @@ -94,8 +94,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS, jlong pool, ec = SSL_ERR_get(); if (!cctx || ec != 0) { if (ec != 0) { - char err[256]; - ERR_error_string(ec, err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Could not create SSL_CONF context (%s)", err); } else { tcn_Throw(e, "Could not create SSL_CONF context"); @@ -167,8 +167,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong cctx, value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd)); ec = SSL_ERR_get(); if (ec != 0) { - char err[256]; - ERR_error_string(ec, err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Could not determine SSL_CONF command type for '%s' (%s)", J2S(cmd), err); return 0; } @@ -270,8 +270,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong cctx, ec = SSL_ERR_get(); if (rc <= 0 || ec != 0) { if (ec != 0) { - char err[256]; - ERR_error_string(ec, err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value '%s' (%s)", J2S(cmd), buf != NULL ? buf : J2S(value), err); } else { tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value '%s'", J2S(cmd), buf != NULL ? buf : J2S(value)); 
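Review bot: In the `SSLConf.check` hunk of sslconf.c the error branch ends in `return 0;` directly after `tcn_Throw`, with no `TCN_FREE_CSTRING(cmd)` visible on that path. The `setTmpDH` error paths in sslcontext.c, by contrast, call `TCN_FREE_CSTRING(file)` before each `return`. The start of the function is outside the hunk, so this is inferred from the use of `J2S(cmd)`: if `cmd` is obtained with `TCN_ALLOC_CSTRING`, every failed lookup leaks the converted string. Adding `TCN_FREE_CSTRING(cmd);` before the `return 0;`, plus the same for any other string allocated above, would bring it in line with the other error paths.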
@@ -302,8 +302,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, finish)(TCN_STDARGS, jlong cctx) ec = SSL_ERR_get(); if (rc <= 0 || ec != 0) { if (ec != 0) { - char err[256]; - ERR_error_string(ec, err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Could not finish SSL_CONF commands (%s)", err); } else { tcn_Throw(e, "Could not finish SSL_CONF commands"); diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c index 0855822e5..a7951f53f 100644 --- a/native/src/sslcontext.c +++ b/native/src/sslcontext.c @@ -263,8 +263,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, } if (!ctx) { - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err); goto init_failed; } @@ -544,8 +544,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx, #else if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) { #endif - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err); rv = JNI_FALSE; } @@ -603,7 +603,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx TCN_ALLOC_CSTRING(path); jboolean rv = JNI_FALSE; X509_LOOKUP *lookup; - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; UNREFERENCED(o); TCN_ASSERT(ctx != 0); 
@@ -617,13 +617,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx if (J2S(file)) { lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file()); if (lookup == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); c->crl = NULL; tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err); goto cleanup; } if (!X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM)) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); c->crl = NULL; tcn_Throw(e, "Load failed for file %s (%s)", J2S(file), err); goto cleanup; @@ -632,13 +632,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx if (J2S(path)) { lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir()); if (lookup == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); c->crl = NULL; tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err); goto cleanup; } if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); c->crl = NULL; tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err); goto cleanup; @@ -690,8 +690,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCACertificate)(TCN_STDARGS, */ if (!SSL_CTX_load_verify_locations(c->ctx, J2S(file), J2S(path))) { - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to configure locations " "for client authentication (%s)", err); rv = JNI_FALSE; 
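Review bot: In the `if (J2S(path))` branch of `setCARevocation` (hunk at -632), both error messages format `J2S(file)` although they report a failure for the path: `tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err);` and `tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);`. The commit rewrites the line above each of them but leaves the argument unchanged. When the caller supplies only a path, `J2S(file)` is presumably NULL, so the exception either names the wrong location or passes a null pointer to `%s`; how `tcn_Throw` formats that is outside the hunk. Both calls should pass `J2S(path)`.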
@@ -755,8 +755,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpDH)(TCN_STDARGS, jlong ctx, bio = BIO_new_file(J2S(file), "r"); if (!bio) { - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error while configuring DH using %s: %s", J2S(file), err); TCN_FREE_CSTRING(file); return; @@ -765,17 +765,17 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpDH)(TCN_STDARGS, jlong ctx, dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (!dh) { - char err[256]; - ERR_error_string(SSL_ERR_get(), err); + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error while configuring DH: no DH parameter found in %s (%s)", J2S(file), err); TCN_FREE_CSTRING(file); return; } if (1 != SSL_CTX_set_tmp_dh(c->ctx, dh)) { - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; DH_free(dh); - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error while configuring DH with file %s: %s", J2S(file), err); TCN_FREE_CSTRING(file); return; @@ -814,9 +814,9 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setTmpECDHByCurveName)(TCN_STDARGS, jlong c /* Setting found curve to context */ if (1 != SSL_CTX_set_tmp_ecdh(c->ctx, ecdh)) { - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; EC_KEY_free(ecdh); - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error while configuring elliptic curve %s: %s", J2S(curveName), err); TCN_FREE_CSTRING(curveName); return; 
@@ -995,7 +995,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, TCN_ALLOC_CSTRING(password); const char *key_file, *cert_file; const char *p; - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; #ifdef HAVE_ECC EC_GROUP *ecparams = NULL; int nid; @@ -1028,7 +1028,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, } if ((p = strrchr(cert_file, '.')) != NULL && strcmp(p, ".pkcs12") == 0) { if (!ssl_load_pkcs12(c, cert_file, &c->keys[idx], &c->certs[idx], 0)) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to load certificate %s (%s)", cert_file, err); rv = JNI_FALSE; @@ -1043,14 +1043,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, NULL, NULL)) == NULL) #endif ) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to load certificate key %s (%s)", key_file, err); rv = JNI_FALSE; goto cleanup; } if ((c->certs[idx] = load_pem_cert(c, cert_file)) == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Unable to load certificate %s (%s)", cert_file, err); rv = JNI_FALSE; 
@@ -1058,19 +1058,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, } } if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error setting certificate (%s)", err); rv = JNI_FALSE; goto cleanup; } if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error setting private key (%s)", err); rv = JNI_FALSE; goto cleanup; } if (SSL_CTX_check_private_key(c->ctx) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Private key does not match the certificate public key (%s)", err); rv = JNI_FALSE; @@ -1128,7 +1128,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); jboolean rv = JNI_TRUE; - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; /* we get the key contents into a byte array */ jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaKey, NULL); @@ -1155,7 +1155,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c tmp = (const unsigned char *)cert; certs = d2i_X509(NULL, &tmp, lengthOfCert); if (certs == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error reading certificate (%s)", err); rv = JNI_FALSE; goto cleanup; 
@@ -1171,7 +1171,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c evp = PEM_read_bio_PrivateKey(bio, NULL, 0, NULL); if (evp == NULL) { BIO_free(bio); - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error reading private key (%s)", err); rv = JNI_FALSE; goto cleanup; @@ -1183,19 +1183,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c c->keys[idx] = evp; if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error setting certificate (%s)", err); rv = JNI_FALSE; goto cleanup; } if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error setting private key (%s)", err); rv = JNI_FALSE; goto cleanup; } if (SSL_CTX_check_private_key(c->ctx) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Private key does not match the certificate public key (%s)", err); rv = JNI_FALSE; @@ -1228,7 +1228,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, addChainCertificateRaw)(TCN_STDARGS, jl tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); jboolean rv = JNI_TRUE; - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; /* we get the cert contents into a byte array */ jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); 
@@ -1243,11 +1243,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, addChainCertificateRaw)(TCN_STDARGS, jl tmp = (const unsigned char *)cert; certs = d2i_X509(NULL, &tmp, lengthOfCert); if (certs == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error reading certificate (%s)", err); rv = JNI_FALSE; } else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error adding certificate to chain (%s)", err); rv = JNI_FALSE; } @@ -1266,7 +1266,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, addClientCACertificateRaw)(TCN_STDARGS, tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); jboolean rv = JNI_TRUE; - char err[256]; + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; /* we get the cert contents into a byte array */ jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); @@ -1281,11 +1281,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, addClientCACertificateRaw)(TCN_STDARGS, tmp = (const unsigned char *)charCert; cert = d2i_X509(NULL, &tmp, lengthOfCert); if (cert == NULL) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error encoding allowed peer CA certificate (%s)", err); rv = JNI_FALSE; } else if (SSL_CTX_add_client_CA(c->ctx, cert) <= 0) { - ERR_error_string(SSL_ERR_get(), err); + ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH); tcn_Throw(e, "Error adding allowed peer CA certificate (%s)", err); rv = JNI_FALSE; } --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
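Review bot: In `addChainCertificateRaw` (hunk at -1243) the branch for `SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0` reports the error and sets `rv = JNI_FALSE`, but no `X509_free(certs)` is visible. The `add0` variant takes ownership only on success, so on failure the parsed certificate still belongs to the caller. The rest of the function is outside the hunk, so a later free cannot be ruled out; if there is none, each failed call leaks the `X509` object, and `X509_free(certs);` belongs in that branch. The `addClientCACertificateRaw` hunk at -1281 deserves the same check: `SSL_CTX_add_client_CA` does not take ownership of `cert`, so it needs freeing on both the success and the failure path.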