diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index f7603763c..82c0ec3ae 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -179,7 +179,7 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
 "server's cert didn't look good, X509_V_ERR = %d: %s\n",
 n, ERR_error_string(n, sb));
 lwsl_info("%s\n", ebuf);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -278,7 +278,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 if (n < 1) {
 lwsl_err("problem %d getting cert '%s'\n", n, cert_filepath);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
@@ -293,7 +293,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 if (n < 1) {
 lwsl_err("%s: problem interpreting client cert\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
 lwsl_notice("%s: using mem client cert %d\n",
diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c
index a0c5e3d03..f993a546b 100644
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@@ -265,7 +265,7 @@ lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
 if (wsi->tls.ssl == NULL) {
 lwsl_err("SSL_new failed: errno %d\n", errno);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
diff --git a/lib/tls/mbedtls/tls.c b/lib/tls/mbedtls/tls.c
index e894d20e9..b02ca52f2 100644
--- a/lib/tls/mbedtls/tls.c
+++ b/lib/tls/mbedtls/tls.c
@@ -23,7 +23,7 @@
 #include "tls/mbedtls/private.h"
 void
-lws_tls_err_describe(void)
+lws_tls_err_describe_clear(void)
 {
 }
diff --git a/lib/tls/openssl/lws-genaes.c b/lib/tls/openssl/lws-genaes.c
index 64580a7e5..f3704f0df 100644
--- a/lib/tls/openssl/lws-genaes.c
+++ b/lib/tls/openssl/lws-genaes.c
@@ -220,7 +220,7 @@ lws_genaes_create(struct lws_genaes_ctx *ctx, enum enum_aes_operation op,
 if (!n) {
 lwsl_err("%s: cipher init failed (cipher %p)\n", __func__, ctx->cipher);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 goto bail;
 }
@@ -254,7 +254,7 @@ lws_genaes_destroy(struct lws_genaes_ctx *ctx, unsigned char *tag, size_t tlen)
 EVP_CTRL_GCM_GET_TAG, ctx->taglen, tag) != 1) {
 lwsl_err("get tag ctrl failed\n");
- //lws_tls_err_describe();
+ //lws_tls_err_describe_clear();
 n = 1;
 }
 }
@@ -262,7 +262,7 @@ lws_genaes_destroy(struct lws_genaes_ctx *ctx, unsigned char *tag, size_t tlen)
 case LWS_GAESO_DEC:
 if (EVP_DecryptFinal_ex(ctx->ctx, buf, &outl) != 1) {
 lwsl_err("%s: dec final failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 n = -1;
 }
@@ -346,7 +346,7 @@ lws_genaes_crypt(struct lws_genaes_ctx *ctx,
 }
 if (n != 1) {
 lwsl_err("%s: set AAD failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 lwsl_hexdump_err(in, len);
 return -1;
 }
@@ -369,7 +369,7 @@ lws_genaes_crypt(struct lws_genaes_ctx *ctx,
 if (!n) {
 lwsl_notice("%s: update failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
diff --git a/lib/tls/openssl/lws-genec.c b/lib/tls/openssl/lws-genec.c
index dd199f6fe..cb62a67f5 100644
--- a/lib/tls/openssl/lws-genec.c
+++ b/lib/tls/openssl/lws-genec.c
@@ -126,7 +126,7 @@ lws_genec_eckey_import(int nid, EVP_PKEY *pkey, struct lws_gencrypto_keyelem *el
 if (n != 1) {
 lwsl_err("%s: EC_KEY_set_public_key_affine_coordinates fail:\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 goto bail;
 }
@@ -609,7 +609,7 @@ lws_genecdsa_hash_sig_verify_jws(struct lws_genec_ctx *ctx, const uint8_t *in,
 EC_KEY_free(eckey);
 if (n != 1) {
 lwsl_err("%s: ECDSA_do_verify fail\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 goto bail;
 }
diff --git a/lib/tls/openssl/lws-genrsa.c b/lib/tls/openssl/lws-genrsa.c
index a320c9171..ec7bde817 100644
--- a/lib/tls/openssl/lws-genrsa.c
+++ b/lib/tls/openssl/lws-genrsa.c
@@ -225,7 +225,7 @@ lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 mode_map_crypt[ctx->mode]);
 if (n < 0) {
 lwsl_err("%s: RSA_public_encrypt failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -240,7 +240,7 @@ lws_genrsa_private_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 mode_map_crypt[ctx->mode]);
 if (n < 0) {
 lwsl_err("%s: RSA_private_encrypt failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -269,7 +269,7 @@ lws_genrsa_private_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 mode_map_crypt[ctx->mode]);
 if (n < 0) {
 lwsl_err("%s: RSA_private_decrypt failed\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -311,7 +311,7 @@ lws_genrsa_hash_sig_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
 if (n != 1) {
 lwsl_notice("%s: fail\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index 3fe923fcb..8bdea9ff1 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -160,7 +160,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 if (!wsi->tls.ssl) {
 lwsl_err("SSL_new failed: %s\n", ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -361,7 +361,7 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
 "server's cert didn't look good, X509_V_ERR = %d: %s\n",
 n, ERR_error_string(n, sb));
 lwsl_info("%s\n", ebuf);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
@@ -585,7 +585,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 "Unable to load SSL Client certs "
 "file from %s -- client ssl isn't "
 "going to work\n", ca_filepath);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 } else
 lwsl_info("loaded ssl_ca_filepath\n");
@@ -598,7 +598,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 lwsl_err("Unable to load SSL Client certs from "
 "ssl_ca_mem -- client ssl isn't going to "
 "work\n");
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 } else {
 /* it doesn't increment x509_store ref counter */
 SSL_CTX_set_cert_store(vh->tls.ssl_client_ctx,
@@ -628,7 +628,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 if (n < 1) {
 lwsl_err("problem %d getting cert '%s'\n", n, cert_filepath);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
 lwsl_notice("Loaded client cert %s\n", cert_filepath);
@@ -638,7 +638,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 if (n < 1) {
 lwsl_err("%s: problem interpreting client cert\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
 }
@@ -650,7 +650,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 private_key_filepath, SSL_FILETYPE_PEM) != 1) {
 lwsl_err("use_PrivateKey_file '%s'\n", private_key_filepath);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
 lwsl_notice("Loaded client cert private key %s\n",
diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c
index 5464fd8b1..b030077d8 100644
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@@ -563,7 +563,7 @@ lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
 lwsl_err("SSL_new failed: %d (errno %d)\n", lws_ssl_get_error(wsi, 0), errno);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return 1;
 }
@@ -639,8 +639,9 @@ lws_tls_server_accept(struct lws *wsi)
 return LWS_SSL_CAPABLE_DONE;
 }
- lws_tls_err_describe();
+ m = lws_ssl_get_error(wsi, n);
+ lws_tls_err_describe_clear();
 if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
 return LWS_SSL_CAPABLE_ERROR;
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index c5203b4be..1b424ba52 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -332,7 +332,7 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
 }
 lwsl_debug("%s failed: %s\n",__func__, ERR_error_string(m, NULL));
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 wsi->socket_is_permanently_unusable = 1;
diff --git a/lib/tls/openssl/tls.c b/lib/tls/openssl/tls.c
index b568e2af0..cf4a7ef96 100644
--- a/lib/tls/openssl/tls.c
+++ b/lib/tls/openssl/tls.c
@@ -65,15 +65,16 @@ char* lws_ssl_get_error_string(int status, int ret, char *buf, size_t len) {
 }
 void
-lws_tls_err_describe(void)
+lws_tls_err_describe_clear(void)
 {
- char buf[128];
+ char buf[160];
 unsigned long l;
 do {
- l = ERR_peek_error();
+ l = ERR_get_error();
 if (!l)
 break;
+ ERR_error_string_n(l, buf, sizeof(buf));
 lwsl_info(" openssl error: %s\n", buf);
 } while (l);
diff --git a/lib/tls/openssl/x509.c b/lib/tls/openssl/x509.c
index d6089720f..d441001e3 100644
--- a/lib/tls/openssl/x509.c
+++ b/lib/tls/openssl/x509.c
@@ -244,7 +244,7 @@ lws_x509_parse_from_pem(struct lws_x509_cert *x509, const void *pem, size_t len)
 BIO_free(bio);
 if (!x509->cert) {
 lwsl_err("%s: unable to parse PEM cert\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
@@ -279,7 +279,7 @@ lws_x509_verify(struct lws_x509_cert *x509, struct lws_x509_cert *trusted,
 ret = X509_check_issued(trusted->cert, x509->cert);
 if (ret != X509_V_OK) {
 lwsl_err("%s: unable to verify cert relationship\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
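Review bot: The new `m = lws_ssl_get_error(wsi, n);` in lws_tls_server_accept is correct only because it runs before `lws_tls_err_describe_clear()`, which (per the tls.c hunk on this same page) now pops every entry off the thread's OpenSSL error queue with `ERR_get_error()`; `SSL_get_error()`, which lws_ssl_get_error presumably wraps, looks at that queue to decide between `SSL_ERROR_SYSCALL` and `SSL_ERROR_SSL`, so swapping the two lines would quietly change which branch the following `if` takes. Nothing in the hunk records that ordering dependency; suggest `/* read SSL_get_error() before lws_tls_err_describe_clear() drains the error queue */` above the assignment. The body of lws_tls_server_accept starts and ends outside the hunk, so whether `m` was already assigned earlier in the function cannot be seen here.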
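Review bot: `lws_tls_err_describe_clear()` in openssl/tls.c now has a side effect its name only hints at — each `ERR_get_error()` call removes the entry from the thread's OpenSSL error queue — and neither the definition nor the renamed `LWS_EXTERN` declaration in lib/tls/private.h documents it, even though the lws_tls_server_accept hunk in openssl-server.c already had to reorder a `lws_ssl_get_error()` call around it. Suggest a comment on both, e.g. `/* Log and discard every pending entry in this thread's OpenSSL error queue; read SSL_get_error() first if its value is still needed */`. With the `break` on `!l` now the loop's only exit, the trailing `while (l)` test is dead, and `while ((l = ERR_get_error()) != 0) {` would express the drain without the redundant condition. `ERR_error_string_n()` truncates at `sizeof(buf)`, and OpenSSL documents 256 bytes as the size that holds a full message, so `char buf[256];` would avoid clipping long reason strings in the log. The function's closing brace lies outside the hunk.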
@@ -500,7 +500,7 @@ lws_x509_jwk_privkey_pem(struct lws_jwk *jwk, void *pem, size_t len,
 lws_explicit_bzero((void *)pem, len);
 if (!pkey) {
 lwsl_err("%s: unable to parse PEM privkey\n", __func__);
- lws_tls_err_describe();
+ lws_tls_err_describe_clear();
 return -1;
 }
diff --git a/lib/tls/private.h b/lib/tls/private.h
index 6aab36916..f27a8366b 100644
--- a/lib/tls/private.h
+++ b/lib/tls/private.h
@@ -138,7 +138,7 @@ LWS_EXTERN int openssl_websocket_private_data_index;
 LWS_EXTERN void
-lws_tls_err_describe(void);
+lws_tls_err_describe_clear(void);
 LWS_EXTERN int
 lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,