Not for 1.3.x? On 2024/05/15 13:14:56 schu...@apache.org wrote: > This is an automated email from the ASF dual-hosted git repository. > > schultz pushed a commit to branch main > in repository https://gitbox.apache.org/repos/asf/tomcat-native.git > > > The following commit(s) were added to refs/heads/main by this push: > new 4eaa5c93c Use ERR_error_string_n instead of ERR_error_string. > 4eaa5c93c is described below > > commit 4eaa5c93c632f1ea80e889b5458d5b95f57b59a2 > Author: Christopher Schultz <ch...@christopherschultz.net> > AuthorDate: Wed May 15 09:14:14 2024 -0400 > > Use ERR_error_string_n instead of ERR_error_string. > > Use header-defined constant for error message buffer sizes. > --- > native/include/ssl_private.h | 5 +++ > native/src/ssl.c | 8 ++--- > native/src/sslconf.c | 16 +++++----- > native/src/sslcontext.c | 76 > ++++++++++++++++++++++---------------------- > 4 files changed, 55 insertions(+), 50 deletions(-) > > diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h > index 6c5c9d297..96e21275c 100644 > --- a/native/include/ssl_private.h > +++ b/native/include/ssl_private.h > @@ -67,6 +67,11 @@ extern ENGINE *tcn_ssl_engine; > #define SSL_AIDX_ECC (3) > #define SSL_AIDX_MAX (4) > > +/* > + * The length of error message strings. MUST BE AT LEAST 256. > + */ > +#define TCN_OPENSSL_ERROR_STRING_LENGTH 256 > + > /* > * Define the SSL options > */ > diff --git a/native/src/ssl.c b/native/src/ssl.c > index 7624a4e67..838300c53 100644 > --- a/native/src/ssl.c > +++ b/native/src/ssl.c > @@ -1114,9 +1114,9 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, > getPeerCertificate)(TCN_STDARGS, > > TCN_IMPLEMENT_CALL(jstring, SSL, getErrorString)(TCN_STDARGS, jlong number) > { > - char buf[256]; > + char buf[TCN_OPENSSL_ERROR_STRING_LENGTH]; > UNREFERENCED(o); > - ERR_error_string(number, buf); > + ERR_error_string_n(number, buf, TCN_OPENSSL_ERROR_STRING_LENGTH); > return tcn_new_string(e, buf); > } > > @@ -1278,8 +1278,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, > setCipherSuites)(TCN_STDARGS, jlong ssl, > return JNI_FALSE; > } > if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) { > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err); > rv = JNI_FALSE; > } > diff --git a/native/src/sslconf.c b/native/src/sslconf.c > index e5b18a7ce..02c3513b1 100644 > --- a/native/src/sslconf.c > +++ b/native/src/sslconf.c > @@ -94,8 +94,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS, jlong > pool, > ec = SSL_ERR_get(); > if (!cctx || ec != 0) { > if (ec != 0) { > - char err[256]; > - ERR_error_string(ec, err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Could not create SSL_CONF context (%s)", err); > } else { > tcn_Throw(e, "Could not create SSL_CONF context"); > @@ -167,8 +167,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, > jlong cctx, > value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd)); > ec = SSL_ERR_get(); > if (ec != 0) { > - char err[256]; > - ERR_error_string(ec, err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Could not determine SSL_CONF command type for '%s' > (%s)", J2S(cmd), err); > return 0; > } > @@ -270,8 +270,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, > jlong cctx, > ec = SSL_ERR_get(); > if (rc <= 0 || ec != 0) { > if (ec != 0) { > - char err[256]; > - ERR_error_string(ec, err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value > '%s' (%s)", J2S(cmd), buf != NULL ? buf : J2S(value), err); > } else { > tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value > '%s'", J2S(cmd), buf != NULL ? buf : J2S(value)); > @@ -302,8 +302,8 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, finish)(TCN_STDARGS, > jlong cctx) > ec = SSL_ERR_get(); > if (rc <= 0 || ec != 0) { > if (ec != 0) { > - char err[256]; > - ERR_error_string(ec, err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Could not finish SSL_CONF commands (%s)", err); > } else { > tcn_Throw(e, "Could not finish SSL_CONF commands"); > diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c > index 0855822e5..a7951f53f 100644 > --- a/native/src/sslcontext.c > +++ b/native/src/sslcontext.c > @@ -263,8 +263,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, > jlong pool, > } > > if (!ctx) { > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err); > goto init_failed; > } > @@ -544,8 +544,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCipherSuite)(TCN_STDARGS, jlong ctx, > #else > if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) { > #endif > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err); > rv = JNI_FALSE; > } > @@ -603,7 +603,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCARevocation)(TCN_STDARGS, jlong ctx > TCN_ALLOC_CSTRING(path); > jboolean rv = JNI_FALSE; > X509_LOOKUP *lookup; > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > > UNREFERENCED(o); > TCN_ASSERT(ctx != 0); > @@ -617,13 +617,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCARevocation)(TCN_STDARGS, jlong ctx > if (J2S(file)) { > lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file()); > if (lookup == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > c->crl = NULL; > tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err); > goto cleanup; > } > if (!X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM)) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > c->crl = NULL; > tcn_Throw(e, "Load failed for file %s (%s)", J2S(file), err); > goto cleanup; > @@ -632,13 +632,13 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCARevocation)(TCN_STDARGS, jlong ctx > if (J2S(path)) { > lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir()); > if (lookup == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > c->crl = NULL; > tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err); > goto cleanup; > } > if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > c->crl = NULL; > tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err); > goto cleanup; > @@ -690,8 +690,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCACertificate)(TCN_STDARGS, > */ > if (!SSL_CTX_load_verify_locations(c->ctx, > J2S(file), J2S(path))) { > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to configure locations " > "for client authentication (%s)", err); > rv = JNI_FALSE; > @@ -755,8 +755,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext, > setTmpDH)(TCN_STDARGS, jlong ctx, > > bio = BIO_new_file(J2S(file), "r"); > if (!bio) { > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error while configuring DH using %s: %s", J2S(file), > err); > TCN_FREE_CSTRING(file); > return; > @@ -765,17 +765,17 @@ TCN_IMPLEMENT_CALL(void, SSLContext, > setTmpDH)(TCN_STDARGS, jlong ctx, > dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); > BIO_free(bio); > if (!dh) { > - char err[256]; > - ERR_error_string(SSL_ERR_get(), err); > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error while configuring DH: no DH parameter found in > %s (%s)", J2S(file), err); > TCN_FREE_CSTRING(file); > return; > } > > if (1 != SSL_CTX_set_tmp_dh(c->ctx, dh)) { > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > DH_free(dh); > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error while configuring DH with file %s: %s", > J2S(file), err); > TCN_FREE_CSTRING(file); > return; > @@ -814,9 +814,9 @@ TCN_IMPLEMENT_CALL(void, SSLContext, > setTmpECDHByCurveName)(TCN_STDARGS, jlong c > > /* Setting found curve to context */ > if (1 != SSL_CTX_set_tmp_ecdh(c->ctx, ecdh)) { > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > EC_KEY_free(ecdh); > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error while configuring elliptic curve %s: %s", > J2S(curveName), err); > TCN_FREE_CSTRING(curveName); > return; > @@ -995,7 +995,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificate)(TCN_STDARGS, jlong ctx, > TCN_ALLOC_CSTRING(password); > const char *key_file, *cert_file; > const char *p; > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > #ifdef HAVE_ECC > EC_GROUP *ecparams = NULL; > int nid; > @@ -1028,7 +1028,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificate)(TCN_STDARGS, jlong ctx, > } > if ((p = strrchr(cert_file, '.')) != NULL && strcmp(p, ".pkcs12") == 0) { > if (!ssl_load_pkcs12(c, cert_file, &c->keys[idx], &c->certs[idx], > 0)) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to load certificate %s (%s)", > cert_file, err); > rv = JNI_FALSE; > @@ -1043,14 +1043,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificate)(TCN_STDARGS, jlong ctx, > NULL, NULL)) == NULL) > #endif > ) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to load certificate key %s (%s)", > key_file, err); > rv = JNI_FALSE; > goto cleanup; > } > if ((c->certs[idx] = load_pem_cert(c, cert_file)) == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Unable to load certificate %s (%s)", > cert_file, err); > rv = JNI_FALSE; > @@ -1058,19 +1058,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificate)(TCN_STDARGS, jlong ctx, > } > } > if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error setting certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } > if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error setting private key (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } > if (SSL_CTX_check_private_key(c->ctx) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Private key does not match the certificate public key > (%s)", > err); > rv = JNI_FALSE; > @@ -1128,7 +1128,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificateRaw)(TCN_STDARGS, jlong c > > tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > jboolean rv = JNI_TRUE; > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > > /* we get the key contents into a byte array */ > jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaKey, NULL); > @@ -1155,7 +1155,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificateRaw)(TCN_STDARGS, jlong c > tmp = (const unsigned char *)cert; > certs = d2i_X509(NULL, &tmp, lengthOfCert); > if (certs == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error reading certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > @@ -1171,7 +1171,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificateRaw)(TCN_STDARGS, jlong c > evp = PEM_read_bio_PrivateKey(bio, NULL, 0, NULL); > if (evp == NULL) { > BIO_free(bio); > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error reading private key (%s)", err); > rv = JNI_FALSE; > goto cleanup; > @@ -1183,19 +1183,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > setCertificateRaw)(TCN_STDARGS, jlong c > c->keys[idx] = evp; > > if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error setting certificate (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } > if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error setting private key (%s)", err); > rv = JNI_FALSE; > goto cleanup; > } > if (SSL_CTX_check_private_key(c->ctx) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Private key does not match the certificate public key > (%s)", > err); > rv = JNI_FALSE; > @@ -1228,7 +1228,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addChainCertificateRaw)(TCN_STDARGS, jl > > tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > jboolean rv = JNI_TRUE; > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > > /* we get the cert contents into a byte array */ > jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); > @@ -1243,11 +1243,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addChainCertificateRaw)(TCN_STDARGS, jl > tmp = (const unsigned char *)cert; > certs = d2i_X509(NULL, &tmp, lengthOfCert); > if (certs == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error reading certificate (%s)", err); > rv = JNI_FALSE; > } else if (SSL_CTX_add0_chain_cert(c->ctx, certs) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error adding certificate to chain (%s)", err); > rv = JNI_FALSE; > } > @@ -1266,7 +1266,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addClientCACertificateRaw)(TCN_STDARGS, > > tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); > jboolean rv = JNI_TRUE; > - char err[256]; > + char err[TCN_OPENSSL_ERROR_STRING_LENGTH]; > > /* we get the cert contents into a byte array */ > jbyte* bufferPtr = (*e)->GetByteArrayElements(e, javaCert, NULL); > @@ -1281,11 +1281,11 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, > addClientCACertificateRaw)(TCN_STDARGS, > tmp = (const unsigned char *)charCert; > cert = d2i_X509(NULL, &tmp, lengthOfCert); > if (cert == NULL) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error encoding allowed peer CA certificate (%s)", err); > rv = JNI_FALSE; > } else if (SSL_CTX_add_client_CA(c->ctx, cert) <= 0) { > - ERR_error_string(SSL_ERR_get(), err); > + ERR_error_string_n(SSL_ERR_get(), err, > TCN_OPENSSL_ERROR_STRING_LENGTH); > tcn_Throw(e, "Error adding allowed peer CA certificate (%s)", err); > rv = JNI_FALSE; > } > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
