--- src/connections.c +++ src/connections.c @@ -220,10 +220,11 @@ case SSL_ERROR_SYSCALL: /* perhaps we have error waiting in our error-queue */ if (0 != (err = ERR_get_error())) { + char ssl_error_string_buf[256]; do { log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, ret, - ERR_error_string(err, NULL)); + lighttpd_ERR_error_string_n(err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); } while((err = ERR_get_error())); } else if (errno != 0) { /* ssl bug (see lighttpd ticket #2213): sometimes errno == 0 */ switch(errno) { @@ -241,9 +242,10 @@ break; default: while((err = ERR_get_error())) { + char ssl_error_string_buf[256]; log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, ret, - ERR_error_string(err, NULL)); + lighttpd_ERR_error_string_n(err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); } break; @@ -1073,8 +1075,9 @@ /* connect FD to SSL */ if (srv_socket->is_ssl) { if (NULL == (con->ssl = SSL_new(srv_socket->ssl_ctx))) { + char ssl_error_string_buf[256]; log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); connection_close(srv, con); return NULL; @@ -1085,8 +1088,9 @@ SSL_set_accept_state(con->ssl); if (1 != (SSL_set_fd(con->ssl, cnt))) { + char ssl_error_string_buf[256]; log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); connection_close(srv, con); return NULL; } --- src/connections-glue.c +++ src/connections-glue.c @@ -156,9 +156,10 @@ * */ while((ssl_err = ERR_get_error())) { + char ssl_error_string_buf[256]; /* get all errors from the error-queue */ log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:", - r, ERR_error_string(ssl_err, NULL)); + r, lighttpd_ERR_error_string_n(ssl_err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); } switch(oerrno) { @@ -196,9 +197,12 @@ default: break; } + { + char ssl_error_string_buf[256]; /* get all errors from the error-queue */ log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:", - r, ERR_error_string(ssl_err, NULL)); + r, lighttpd_ERR_error_string_n(ssl_err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); + } } break; } --- src/network.c +++ src/network.c @@ -98,6 +98,7 @@ #if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { + char ssl_error_string_buf[256]; const char *servername; connection *con = (connection *) SSL_get_app_data(ssl); UNUSED(al); @@ -138,14 +139,14 @@ if (!SSL_use_certificate(ssl, con->conf.ssl_pemfile_x509)) { log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", "failed to set certificate for TLS server name", con->tlsext_server_name, - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return SSL_TLSEXT_ERR_ALERT_FATAL; } if (!SSL_use_PrivateKey(ssl, con->conf.ssl_pemfile_pkey)) { log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", "failed to set private key for TLS server name", con->tlsext_server_name, - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return SSL_TLSEXT_ERR_ALERT_FATAL; } @@ -153,7 +154,7 @@ if (NULL == con->conf.ssl_ca_file_cert_names) { log_error_write(srv, __FILE__, __LINE__, "ssb:s", "SSL:", "can't verify client without ssl.ca-file for TLS server name", con->tlsext_server_name, - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return SSL_TLSEXT_ERR_ALERT_FATAL; } @@ -661,9 +662,10 @@ if (NULL == (s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr))) return -1; if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) { + char ssl_error_string_buf[256]; log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", "Private key does not match the certificate public key, reason:", - ERR_error_string(ERR_get_error(), NULL), + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_pemfile); return -1; } @@ -673,6 +675,7 @@ #endif int network_init(server *srv) { + char ssl_error_string_buf[256]; buffer *b; size_t i, j; network_backend_t backend; @@ -808,7 +811,7 @@ s->ssl_ca_file_cert_names = SSL_load_client_CA_file(s->ssl_ca_file->ptr); if (NULL == s->ssl_ca_file_cert_names) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_ca_file); } } @@ -816,7 +819,7 @@ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return -1; } @@ -824,7 +827,7 @@ if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) { log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:", "failed to set session context", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return -1; } @@ -845,7 +848,7 @@ /* disable SSLv2 */ if ((SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) != SSL_OP_NO_SSLv2) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return -1; } } @@ -854,7 +857,7 @@ /* disable SSLv3 */ if ((SSL_OP_NO_SSLv3 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv3)) != SSL_OP_NO_SSLv3) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return -1; } } @@ -863,7 +866,7 @@ /* Disable support for low encryption ciphers */ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", - ERR_error_string(ERR_get_error(), NULL)); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf))); return -1; } @@ -953,7 +956,7 @@ if (!buffer_string_is_empty(s1->ssl_ca_file)) { if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s1->ssl_ca_file->ptr, NULL)) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s1->ssl_ca_file); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s1->ssl_ca_file); return -1; } } @@ -977,20 +980,20 @@ if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_pemfile); return -1; } if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) { log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:", - ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile); + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_pemfile); return -1; } if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) { log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:", "Private key does not match the certificate public key, reason:", - ERR_error_string(ERR_get_error(), NULL), + lighttpd_ERR_error_string_n(ERR_get_error(), ssl_error_string_buf, sizeof(ssl_error_string_buf)), s->ssl_pemfile); return -1; } --- src/network_openssl.c +++ src/network_openssl.c @@ -134,10 +134,11 @@ case SSL_ERROR_SYSCALL: /* perhaps we have error waiting in our error-queue */ if (0 != (err = ERR_get_error())) { + char ssl_error_string_buf[256]; do { log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, - ERR_error_string(err, NULL)); + lighttpd_ERR_error_string_n(err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); } while((err = ERR_get_error())); } else if (r == -1) { /* no, but we have errno */ @@ -167,9 +168,10 @@ /* fall through */ default: while((err = ERR_get_error())) { + char ssl_error_string_buf[256]; log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, - ERR_error_string(err, NULL)); + lighttpd_ERR_error_string_n(err, ssl_error_string_buf, sizeof(ssl_error_string_buf))); } break; } --- src/server.c +++ src/server.c @@ -1845,3 +1845,10 @@ return 0; } + +#ifdef USE_OPENSSL +char* lighttpd_ERR_error_string_n(unsigned long e, char* buf, unsigned long len) { + ERR_error_string_n(e, buf, len); + return buf; +} +#endif --- src/server.h +++ src/server.h @@ -7,4 +7,8 @@ int config_read(server *srv, const char *fn); int config_set_defaults(server *srv); +#ifdef USE_OPENSSL +char* lighttpd_ERR_error_string_n(unsigned long e, char* buf, unsigned long len); +#endif + #endif