From: Alex Snast Date: Sun, 7 Jul 2024 09:18:28 +0000 (+0300) Subject: wolfssl: use larger error buffer when formatting errors X-Git-Tag: curl-8_9_0~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ab2eda80360c55db4072f9f4747d10a842b3233;p=thirdparty%2Fcurl.git wolfssl: use larger error buffer when formatting errors Currently we're using WOLFSSL_MAX_ERROR_SZ to define the error buffer size, this value is user defined which means it can be overwritten with -DWOLFSSL_MAX_ERROR_SZ=512 when building wolfssl and this overwrite is not exported to the users of wolfssl. Instead of relying on WOLFSSL_MAX_ERROR_SZ we'll just use a 256 bytes error buffer and use wolfSSL_ERR_error_string_n to fill it thus dropping the dependency on WOLFSSL_MAX_ERROR_SZ altogether. Closes #14114 --- diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 01036919b2..06601a8869 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -1009,6 +1009,23 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) } +static char *wolfssl_strerror(unsigned long error, char *buf, size_t size) +{ + DEBUGASSERT(size); + *buf = '\0'; + + wolfSSL_ERR_error_string_n(error, buf, size); + + if(!*buf) { + const char *msg = error ? "Unknown error" : "No error"; + strncpy(buf, msg, size - 1); + buf[size - 1] = '\0'; + } + + return buf; +} + + static CURLcode wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) { @@ -1080,8 +1097,7 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) #endif /* OPENSSL_EXTRA */ if(ret != 1) { - char error_buffer[WOLFSSL_MAX_ERROR_SZ]; - int detail = wolfSSL_get_error(backend->handle, ret); + int detail = wolfSSL_get_error(backend->handle, ret); if(SSL_ERROR_WANT_READ == detail) { connssl->io_need = CURL_SSL_IO_NEED_RECV; @@ -1163,8 +1179,10 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) return CURLE_OK; } else { + char error_buffer[256]; failf(data, "SSL_connect failed with error %d: %s", detail, - wolfSSL_ERR_error_string((unsigned long)detail, error_buffer)); + wolfssl_strerror((unsigned long)detail, error_buffer, + sizeof(error_buffer))); return CURLE_SSL_CONNECT_ERROR; } } @@ -1301,7 +1319,6 @@ static ssize_t wolfssl_send(struct Curl_cfilter *cf, struct ssl_connect_data *connssl = cf->ctx; struct wolfssl_ctx *backend = (struct wolfssl_ctx *)connssl->backend; - char error_buffer[WOLFSSL_MAX_ERROR_SZ]; int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len; int rc; @@ -1327,9 +1344,13 @@ static ssize_t wolfssl_send(struct Curl_cfilter *cf, return -1; } CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d, %d", len, rc, err); - failf(data, "SSL write: %s, errno %d", - wolfSSL_ERR_error_string((unsigned long)err, error_buffer), - SOCKERRNO); + { + char error_buffer[256]; + failf(data, "SSL write: %s, errno %d", + wolfssl_strerror((unsigned long)err, error_buffer, + sizeof(error_buffer)), + SOCKERRNO); + } *curlcode = CURLE_SEND_ERROR; return -1; } @@ -1415,10 +1436,11 @@ static CURLcode wolfssl_shutdown(struct Curl_cfilter *cf, connssl->io_need = CURL_SSL_IO_NEED_SEND; break; default: { - char error_buffer[WOLFSSL_MAX_ERROR_SZ]; + char error_buffer[256]; int detail = wolfSSL_get_error(wctx->handle, err); CURL_TRC_CF(data, cf, "SSL shutdown, error: '%s'(%d)", - wolfSSL_ERR_error_string((unsigned long)err, error_buffer), + wolfssl_strerror((unsigned long)err, error_buffer, + sizeof(error_buffer)), detail); result = CURLE_RECV_ERROR; break; @@ -1459,7 +1481,6 @@ static ssize_t wolfssl_recv(struct Curl_cfilter *cf, struct ssl_connect_data *connssl = cf->ctx; struct wolfssl_ctx *backend = (struct wolfssl_ctx *)connssl->backend; - char error_buffer[WOLFSSL_MAX_ERROR_SZ]; int buffsize = (blen > (size_t)INT_MAX) ? INT_MAX : (int)blen; int nread; @@ -1491,9 +1512,13 @@ static ssize_t wolfssl_recv(struct Curl_cfilter *cf, *curlcode = CURLE_AGAIN; return -1; } - failf(data, "SSL read: %s, errno %d", - wolfSSL_ERR_error_string((unsigned long)err, error_buffer), - SOCKERRNO); + { + char error_buffer[256]; + failf(data, "SSL read: %s, errno %d", + wolfssl_strerror((unsigned long)err, error_buffer, + sizeof(error_buffer)), + SOCKERRNO); + } *curlcode = CURLE_RECV_ERROR; return -1; }