This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch 1.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.1.x by this push:
new 0ab6bdd39 Use ERR_error_string_n instead of ERR_error_string.
0ab6bdd39 is described below
commit 0ab6bdd3973c702a46a9564266d1f4848bd05b01
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Fri May 31 13:10:27 2024 -0400
Use ERR_error_string_n instead of ERR_error_string.
Use header-defined constant for error message buffer sizes.
---
native/include/ssl_private.h | 5 +++++
native/src/ssl.c | 8 ++++----
native/src/sslcontext.c | 32 ++++++++++++++++----------------
native/src/sslnetwork.c | 4 ++--
4 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 68fc8a877..ede9ae94f 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -63,6 +63,11 @@
#define SSL_AIDX_ECC (3)
#define SSL_AIDX_MAX (4)
+/*
+ * The length of error message strings. MUST BE AT LEAST 256.
+ */
+#define TCN_OPENSSL_ERROR_STRING_LENGTH 256
+
/*
* Define the SSL options
*/
diff --git a/native/src/ssl.c b/native/src/ssl.c
index d6fdaee55..782de1139 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -806,11 +806,11 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS,
jint mode)
if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
/* arrange to get a human-readable error message */
unsigned long err = ERR_get_error();
- char msg[256];
+ char msg[TCN_OPENSSL_ERROR_STRING_LENGTH];
/* ERR_load_crypto_strings() already called in initialize() */
- ERR_error_string_n(err, msg, 256);
+ ERR_error_string_n(err, msg, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_ThrowException(e, msg);
}
@@ -1105,9 +1105,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSL,
loadDSATempKey)(TCN_STDARGS, jint idx,
TCN_IMPLEMENT_CALL(jstring, SSL, getLastError)(TCN_STDARGS)
{
- char buf[256];
+ char buf[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
- ERR_error_string(ERR_get_error(), buf);
+ ERR_error_string_n(ERR_get_error(), buf, TCN_OPENSSL_ERROR_STRING_LENGTH);
return tcn_new_string(e, buf);
}
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index c632fc7cf..e2d341c30 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -136,8 +136,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
}
if (!ctx) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err);
goto init_failed;
}
@@ -327,8 +327,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCipherSuite)(TCN_STDARGS, jlong ctx,
#else
if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
#endif
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
@@ -348,7 +348,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
TCN_ALLOC_CSTRING(path);
jboolean rv = JNI_FALSE;
X509_LOOKUP *lookup;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
@@ -362,7 +362,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(file)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
if (lookup == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
X509_STORE_free(c->crl);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err);
@@ -373,7 +373,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(path)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
X509_STORE_free(c->crl);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err);
@@ -426,8 +426,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCACertificate)(TCN_STDARGS,
*/
if (!SSL_CTX_load_verify_locations(c->ctx,
J2S(file), J2S(path))) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure locations "
"for client authentication (%s)", err);
rv = JNI_FALSE;
@@ -637,7 +637,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
TCN_ALLOC_CSTRING(password);
const char *key_file, *cert_file;
const char *p;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
#ifdef HAVE_ECC
EC_GROUP *ecparams;
int nid;
@@ -670,7 +670,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
if ((p = strrchr(cert_file, '.')) != NULL && strcmp(p, ".pkcs12") == 0) {
if (!ssl_load_pkcs12(c, cert_file, &c->keys[idx], &c->certs[idx], 0))
{
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -679,14 +679,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
else {
if ((c->keys[idx] = load_pem_key(c, key_file)) == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate key %s (%s)",
key_file, err);
rv = JNI_FALSE;
goto cleanup;
}
if ((c->certs[idx] = load_pem_cert(c, cert_file)) == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -694,19 +694,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
}
if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting certificate (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting private key (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_check_private_key(c->ctx) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Private key does not match the certificate public key
(%s)",
err);
rv = JNI_FALSE;
diff --git a/native/src/sslnetwork.c b/native/src/sslnetwork.c
index 4557b514e..094453c76 100644
--- a/native/src/sslnetwork.c
+++ b/native/src/sslnetwork.c
@@ -126,8 +126,8 @@ static tcn_ssl_conn_t *ssl_create(JNIEnv *env,
tcn_ssl_ctxt_t *ctx, apr_pool_t *
return NULL;
}
if ((ssl = SSL_new(ctx->ctx)) == NULL) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(env, "SSL_new failed (%s)", err);
con = NULL;
return NULL;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
