From 30d6817e297f13c9a0014a32076425d814324865 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini
Date: Thu, 13 Jun 2024 17:52:30 +0200
Subject: [PATCH 1/6] Return true/false from a function returning bool

Return false in case the certificate is about to expire, causing the (only) caller to subsequently verify the proxy.
---
 src/client/vomsclient.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc
index 893988f0..4c89017a 100644
--- a/src/client/vomsclient.cc
+++ b/src/client/vomsclient.cc
@@ -1049,7 +1049,7 @@ bool Client::Test()
 Print(WARN) << std::endl << "ERROR: Your certificate expired " << asctime(localtime(&time_after)) << std::endl;
- return 2;
+ return true;
 }
 if (hours && time_diff < length) {
@@ -1057,7 +1057,7 @@ bool Client::Test()
 << asctime(localtime(&time_after)) << "which is within the requested lifetime of the proxy" << std::endl;
- return 1;
+ return false;
 }
 if (!quiet) {
@@ -1068,7 +1068,7 @@ bool Client::Test()
 << asctime(localtime(&time_after_proxy)) << std::flush;
 }
- return 0;
+ return false;
 }
 bool Client::AddToList(AC *ac)
From a3eaa5cd020e87cc3d2179ae90187a84ee972cd3 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini
Date: Thu, 13 Jun 2024 17:57:51 +0200
Subject: [PATCH 2/6] Fix how the read mode is specified to access

The mode passed to access is an int and not a string, like in fopen.
---
 src/sslutils/sslutils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sslutils/sslutils.c b/src/sslutils/sslutils.c
index 54e0f43a..931d1a38 100644
--- a/src/sslutils/sslutils.c
+++ b/src/sslutils/sslutils.c
@@ -519,7 +519,7 @@ ERR_load_prxyerr_strings(
 randfile = RAND_file_name(buffer,200);
- if (randfile && access(randfile, "r") == 0)
+ if (randfile && access(randfile, R_OK) == 0)
 {
 RAND_load_file(randfile,1024L*1024L);
 }
From 1f25a6d67b5aa29edabf3c55b2f375b1ec941ae7 Mon Sep 17 00:00:00 2001
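Review bot: The meaning of the returned bool is not recorded anywhere near the three changed `return` statements, and it is easy to misread: an expired certificate yields `true` while both the about-to-expire path and the healthy path now yield `false`, so `true` signals a fatal condition rather than success. Before this change the about-to-expire path returned a non-zero value, so any reader used to the old codes will assume the opposite. A comment above `bool Client::Test()` (the definition starts before this hunk) would pin the contract, e.g. `// Returns true only when the certificate has already expired; false otherwise, including when it expires within the requested proxy lifetime (a warning is printed and the caller goes on to verify the proxy).` The same note covers the second and third hunks of this file, which hold the other two returns.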
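Review bot: The `access(randfile, R_OK)` pre-check on the changed line is a check-then-use: `access` consults the real rather than the effective uid, and the file can change between the check and `RAND_load_file`, whose return value is ignored so a failed load goes unnoticed. Calling `RAND_load_file` directly and testing its result covers both cases, `if (randfile && RAND_load_file(randfile,1024L*1024L) <= 0) { /* seed file unusable: report and continue */ }`, since it returns the number of bytes read and a non-positive result is the failure case (older OpenSSL releases return 0 rather than -1 on error). The enclosing function begins outside this hunk.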
From: Francesco Giacomini
Date: Thu, 13 Jun 2024 18:01:27 +0200
Subject: [PATCH 3/6] Simplify the production of the SSL error message

Just rely on the canonical loop over the error stack, without special treatment for an expired certificate, which is caught somewhere else in any case. Be sure that the data added to an error is a text string before printing it.
---
 src/common/data.cc | 78 ++++++++++------------------------------------
 1 file changed, 16 insertions(+), 62 deletions(-)

diff --git a/src/common/data.cc b/src/common/data.cc
index 2b5cf1f4..494cc381 100644
--- a/src/common/data.cc
+++ b/src/common/data.cc
@@ -44,6 +44,7 @@ extern "C" {
 #include
 #include
+#include
 /*
 *
 * Function:
@@ -144,71 +145,24 @@ stringify(int i, std::string &s)
 std::string OpenSSLError(bool debug)
 {
- unsigned long l;
- char buf[256];
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- const char *file;
-#else
- char *file;
-#endif
- char *dat;
- int line;
-
- std::string outstring;
- char *msgstring = NULL;
- char *errstring = NULL;
-
- /* WIN32 does not have the ERR_get_error_line_data */
- /* exported, so simulate it till it is fixed */
- /* in SSLeay-0.9.0 */
-
- while ( ERR_peek_error() != 0 ) {
-
- int i;
- ERR_STATE *es;
-
- es = ERR_get_state();
- i = (es->bottom+1)%ERR_NUM_ERRORS;
-
- if (es->err_data[i] == NULL)
- dat = strdup("");
- else
- dat = strdup(es->err_data[i]);
-
-
- if (dat) {
- int code = 0;
-
- l = ERR_get_error_line(&file, &line);
- code = ERR_GET_REASON(l);
-
- switch (code) {
- case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
- outstring += "Either proxy or user certificate are expired.";
- break;
-
- default:
- if (debug) {
- std::string temp;
-
- outstring += std::string(ERR_error_string(l,buf)) + ":" +
- file + ":" + stringify(line, temp) + dat + "\n";
- }
-
- msgstring = (char*)ERR_reason_error_string(l);
- errstring = (char*)ERR_func_error_string(l);
+ std::ostringstream os;
- if (msgstring)
- outstring += std::string(msgstring) + std::string(dat ? dat : "") +
- "\nFunction: " + std::string(errstring ? errstring : "") + "\n";
- break;
- }
- }
-
- free(dat);
+ char const *file;
+ int line;
+ char const *data;
+ int flags;
+ unsigned long code = ERR_get_error_line_data(&file, &line, &data, &flags);
+ while (code)
+ {
+ std::size_t const buf_size = 256;
+ char buf[buf_size];
+ ERR_error_string_n(code, buf, buf_size);
+ os << buf << ':' << file << ':'
+ << line << ':' << (data && (flags & ERR_TXT_STRING) ? data : "") << '\n';
+ code = ERR_get_error_line_data(&file, &line, &data, &flags);
 }
- return outstring;
+ return os.str();
 }
 static char *readfile(const char *file, int *size)
From cd5c735199535b14a67f6c3ed365b2de9d227a59 Mon Sep 17 00:00:00 2001
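Review bot: The `debug` parameter of `OpenSSLError` is no longer read anywhere in the rewritten body, yet the new `os <<` lines unconditionally emit `file` and `line`, which the removed code only printed under `if (debug)`; callers passing `false` now get OpenSSL's internal source locations in user-facing messages, and the compiler will flag the unused parameter. Keeping the old gating is three lines: `os << buf;` / `if (debug) os << ':' << file << ':' << line;` / `os << ':' << (data && (flags & ERR_TXT_STRING) ? data : "") << '\n';`. Separately, `ERR_get_error_line_data` is marked deprecated in OpenSSL 3.0 in favour of `ERR_get_error_all`, so a build that treats deprecation warnings as errors will reject this loop as well as the same call in the `src/socklib/Server.cpp` hunks of PATCH 5/6; a `// TODO: switch to ERR_get_error_all once pre-3.0 OpenSSL support is dropped` at the first call would record that.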
From: Francesco Giacomini
Date: Fri, 14 Jun 2024 09:26:59 +0200
Subject: [PATCH 4/6] Remove commented out code

The code mentions OpenSSL functions related to error management, which has changed in OpenSSL 3, deprecating old practices.
---
 testsuite/voms/voms/server.c | 3 ---
 testsuite/voms/voms/server2.c | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/testsuite/voms/voms/server.c b/testsuite/voms/voms/server.c
index 9281df28..928cb55c 100644
--- a/testsuite/voms/voms/server.c
+++ b/testsuite/voms/voms/server.c
@@ -164,11 +164,8 @@ int main(int argc, char *argv[])
 // if (debug) fprintf(stdout, "%s:%s,%d,%s\n", ERR_error_string(l, buf), file, line, dat);
- // error += std::string(ERR_reason_error_string(l)) + ":" + std::string(ERR_func_error_string(l)) + "\n";
 }
 }
-/* fprintf(stdout, "%s\n", */
-/* ERR_reason_error_string( ERR_get_error() )); */
 fprintf(stdout, "ERROR\n");
 exit(1);
 }
diff --git a/testsuite/voms/voms/server2.c b/testsuite/voms/voms/server2.c
index c80e3fdc..56ae592b 100644
--- a/testsuite/voms/voms/server2.c
+++ b/testsuite/voms/voms/server2.c
@@ -161,11 +161,8 @@ int main(int argc, char *argv[])
 // if (debug) fprintf(stdout, "%s:%s,%d,%s\n", ERR_error_string(l, buf), file, line, dat);
- // error += std::string(ERR_reason_error_string(l)) + ":" + std::string(ERR_func_error_string(l)) + "\n";
 }
 }
-/* fprintf(stdout, "%s\n", */
-/* ERR_reason_error_string( ERR_get_error() )); */
 fprintf(stdout, "ERROR\n");
 exit(1);
 }
From 8866b953bd725adf7d5f55a4b9eaa765ff58e202 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini
Date: Fri, 14 Jun 2024 09:40:39 +0200
Subject: [PATCH 5/6] Ignore the function name in OpenSSL errors

The use of the function name in errors has been abandoned in OpenSSL 3. Profit to replace the use of sprintf with snprintf.
---
 src/socklib/Server.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp
index 0eb27ba6..21144776 100644
--- a/src/socklib/Server.cpp
+++ b/src/socklib/Server.cpp
@@ -719,7 +719,8 @@ void GSISocketServer::SetErrorOpenSSL(const std::string &err)
 while( ERR_peek_error() ){
- char error_msg_buf[512];
+ std::size_t const error_msg_buf_size = 512;
+ char error_msg_buf[error_msg_buf_size];
 const char *filename;
 int lineno;
@@ -729,7 +730,6 @@ void GSISocketServer::SetErrorOpenSSL(const std::string &err)
 long error_code = ERR_get_error_line_data(&filename, &lineno, &data, &flags);
 const char *lib = ERR_lib_error_string(error_code);
- const char *func = ERR_func_error_string(error_code);
 const char *error_reason = ERR_reason_error_string(error_code);
 if (lib == NULL) {
@@ -741,11 +741,11 @@ void GSISocketServer::SetErrorOpenSSL(const std::string &err)
 }
 }
- sprintf(error_msg_buf,
- "%s %s [err:%lu,lib:%s,func:%s(file: %s+%d)]",
+ snprintf(error_msg_buf, error_msg_buf_size,
+ "%s %s [err:%lu,lib:%s,file:%s+%d]",
 (error_reason) ? error_reason : "",
- (data) ? data : "",
+ (data && (flags & ERR_TXT_STRING)) ? data : "",
- error_code,lib,func,filename,lineno);
+ error_code,lib,filename,lineno);
 openssl_errors.push_back(error_msg_buf);
 }
From ac778b8bac75bca172d9e927f696998c4b9e004e Mon Sep 17 00:00:00 2001
From: Francesco Giacomini
Date: Fri, 14 Jun 2024 15:18:19 +0200
Subject: [PATCH 6/6] Re-format the output of an SSL error message

To be more compatible with how it was done before.
---
 src/common/data.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/common/data.cc b/src/common/data.cc
index 494cc381..9941ff69 100644
--- a/src/common/data.cc
+++ b/src/common/data.cc
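Review bot: `error_code` is printed with `%lu` on the new format line, but it is declared `long` in the previous hunk's context while `ERR_get_error_line_data` returns `unsigned long`; a signedness mismatch in a variadic call is formally undefined, and the declaration should read `unsigned long error_code = ERR_get_error_line_data(&filename, &lineno, &data, &flags);`. The `snprintf` bound is the right replacement for the old `sprintf`, but its return value is dropped, so an over-long reason or filename is silently truncated; that is acceptable for a log line, and a comment such as `// truncation is fine here: the buffer only feeds the error log` on the `snprintf` line would make that deliberate. `SetErrorOpenSSL` begins before the first hunk of this file.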
@@ -157,8 +157,8 @@ std::string OpenSSLError(bool debug)
 std::size_t const buf_size = 256;
 char buf[buf_size];
 ERR_error_string_n(code, buf, buf_size);
- os << buf << ':' << file << ':'
- << line << ':' << (data && (flags & ERR_TXT_STRING) ? data : "") << '\n';
+ os << file << ':' << line << ':'
+ << buf << (data && (flags & ERR_TXT_STRING) ? data : "") << '\n';
 code = ERR_get_error_line_data(&file, &line, &data, &flags);
 }