If ERR_reason_error_string() returns NULL, fall back on strerror(errno).

That way we get reasonable error messages for missing files, etc.

logsrvd/logsrvd.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -917,7 +917,8 @@ server_msg_cb(int fd, int what, void *v)
 		    goto finished;
                 default:
 		    errstr = ERR_reason_error_string(ERR_get_error());
-		    sudo_warnx("%s: SSL_write: %s", closure->ipaddr, errstr);
+		    sudo_warnx("%s: SSL_write: %s", closure->ipaddr,
+			errstr ? errstr : strerror(errno));
                     goto finished;
             }
         }
@@ -1027,7 +1028,8 @@ client_msg_cb(int fd, int what, void *v)
                     goto close_connection;
                 default:
 		    errstr = ERR_reason_error_string(ERR_get_error());
-		    sudo_warnx("%s: SSL_read: %s", closure->ipaddr, errstr);
+		    sudo_warnx("%s: SSL_read: %s", closure->ipaddr,
+			errstr ? errstr : strerror(errno));
 		    goto close_connection;
             }
         }
@@ -1331,7 +1333,8 @@ tls_handshake_cb(int fd, int what, void *v)
             goto bad;
         default:
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx("%s: SSL_accept: %s", closure->ipaddr, errstr);
+	    sudo_warnx("%s: SSL_accept: %s", closure->ipaddr,
+		errstr ? errstr : strerror(errno));
             goto bad;
     }
 
@@ -1397,13 +1400,15 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
         /* Create the SSL object for the closure and attach it to the socket */
         if ((closure->ssl = SSL_new(logsrvd_server_tls_ctx())) == NULL) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), "SSL_new", errstr);
+	    sudo_warnx(U_("%s: %s"), "SSL_new",
+		errstr ? errstr : strerror(errno));
             goto bad;
         }
 
         if (SSL_set_fd(closure->ssl, closure->sock) != 1) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), "SSL_set_fd", errstr);
+	    sudo_warnx(U_("%s: %s"), "SSL_set_fd",
+		errstr ? errstr : strerror(errno));
             goto bad;
         }
 
@@ -1413,7 +1418,7 @@ new_connection(int sock, bool tls, const struct sockaddr *sa,
         if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
             sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
-		errstr);
+		errstr ? errstr : strerror(errno));
             goto bad;
         }
 

logsrvd/logsrvd_relay.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -763,7 +763,8 @@ relay_server_msg_cb(int fd, int what, void *v)
 			closure->errstr = _("error reading from relay");
                     }
 		    sudo_warnx("%s: SSL_read: %s",
-			relay_closure->relay_name.ipaddr, errstr);
+			relay_closure->relay_name.ipaddr,
+			errstr ? errstr : strerror(errno));
                     goto send_error;
                 case SSL_ERROR_SYSCALL:
 		    if (nread == 0) {
@@ -778,7 +779,8 @@ relay_server_msg_cb(int fd, int what, void *v)
                 default:
                     errstr = ERR_reason_error_string(ERR_get_error());
 		    sudo_warnx("%s: SSL_read: %s",
-			relay_closure->relay_name.ipaddr, errstr);
+			relay_closure->relay_name.ipaddr,
+			errstr ? errstr : strerror(errno));
 		    closure->errstr = _("error reading from relay");
                     goto send_error;
             }
@@ -957,7 +959,8 @@ relay_client_msg_cb(int fd, int what, void *v)
                 default:
 		    errstr = ERR_reason_error_string(ERR_get_error());
 		    sudo_warnx("%s: SSL_write: %s",
-			relay_closure->relay_name.ipaddr, errstr);
+			relay_closure->relay_name.ipaddr,
+			errstr ? errstr : strerror(errno));
 		    closure->errstr = _("error writing to relay");
 		    goto send_error;
             }

logsrvd/sendlog.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1332,20 +1332,20 @@ server_msg_cb(int fd, int what, void *v)
 #if !defined(HAVE_WOLFSSL)
                     if (closure->state == RECV_HELLO &&
                         ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
-                        errstr = "host name does not match certificate";
+                        errstr = U_("host name does not match certificate");
                     } else
 #endif
 		    {
                         errstr = ERR_reason_error_string(err);
                     }
-                    sudo_warnx("%s", errstr);
+                    sudo_warnx("%s", errstr ? errstr : strerror(errno));
                     goto bad;
                 case SSL_ERROR_SYSCALL:
                     sudo_warn("recv");
                     goto bad;
                 default:
                     errstr = ERR_reason_error_string(ERR_get_error());
-                    sudo_warnx("recv: %s", errstr);
+                    sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
                     goto bad;
             }
         }
@@ -1469,7 +1469,7 @@ client_msg_cb(int fd, int what, void *v)
                     goto bad;
                 default:
 		    errstr = ERR_reason_error_string(ERR_get_error());
-		    sudo_warnx("send: %s", errstr);
+		    sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
                     goto bad;
             }
         }

logsrvd/tls_client.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -153,7 +153,8 @@ tls_connect_cb(int sock, int what, void *v)
 		goto bad;
             default:
 		errstr = ERR_reason_error_string(ERR_get_error());
-                sudo_warnx(U_("TLS connection failed: %s"), errstr);
+                sudo_warnx(U_("TLS connection failed: %s"),
+		    errstr ? errstr : strerror(errno));
                 goto bad;
         }
     }
@@ -187,21 +188,22 @@ tls_ctx_client_setup(SSL_CTX *ssl_ctx, int sock,
 
     if ((closure->ssl = SSL_new(ssl_ctx)) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-        sudo_warnx(U_("unable to allocate ssl object: %s"), errstr);
+        sudo_warnx(U_("unable to allocate ssl object: %s"),
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 
     if (SSL_set_ex_data(closure->ssl, 1, closure->peer_name) <= 0) {
 	errstr = ERR_reason_error_string(ERR_get_error());
 	sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
-	    errstr);
+	    errstr ? errstr : strerror(errno));
 	goto done;
     }
 
     if (SSL_set_fd(closure->ssl, sock) <= 0) {
 	errstr = ERR_reason_error_string(ERR_get_error());
         sudo_warnx(U_("Unable to attach socket to the ssl object: %s"),
-	    errstr);
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 

logsrvd/tls_init.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -63,19 +63,22 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
 
     if ((x509 = SSL_CTX_get0_certificate(ctx)) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-	sudo_warnx("SSL_CTX_get0_certificate: %s", errstr);
+	sudo_warnx("SSL_CTX_get0_certificate: %s",
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 
     if ((store_ctx = X509_STORE_CTX_new()) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-	sudo_warnx("X509_STORE_CTX_new: %s", errstr);
+	sudo_warnx("X509_STORE_CTX_new: %s",
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 
     if (!SSL_CTX_get0_chain_certs(ctx, &chain_certs)) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-	sudo_warnx("SSL_CTX_get0_chain_certs: %s", errstr);
+	sudo_warnx("SSL_CTX_get0_chain_certs: %s",
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 
@@ -86,7 +89,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
 
     if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-	sudo_warnx("X509_STORE_CTX_init: %s", errstr);
+	sudo_warnx("X509_STORE_CTX_init: %s",
+	    errstr ? errstr : strerror(errno));
         goto done;
     }
 
@@ -125,7 +129,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
         } else {
 	    errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
-		ciphers_v12, errstr);
+		ciphers_v12, errstr ? errstr : strerror(errno));
         }
     }
     if (!success) {
@@ -133,7 +137,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
         if (SSL_CTX_set_cipher_list(ctx, DEFAULT_CIPHER_LST12) <= 0) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"),
-		DEFAULT_CIPHER_LST12, errstr);
+		DEFAULT_CIPHER_LST12, errstr ? errstr : strerror(errno));
             debug_return_bool(false);
         } else {
             sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -153,7 +157,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
         } else {
 	    errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
-		ciphers_v13, errstr);
+		ciphers_v13, errstr ? errstr : strerror(errno));
         }
     }
     if (!success) {
@@ -161,7 +165,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const char *ciphers_v12,
         if (SSL_CTX_set_ciphersuites(ctx, DEFAULT_CIPHER_LST13) <= 0) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"),
-		DEFAULT_CIPHER_LST13, errstr);
+		DEFAULT_CIPHER_LST13, errstr ? errstr : strerror(errno));
             debug_return_bool(false);
         } else {
             sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -193,7 +197,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
 	if (!ret) {
 	    const char *errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
-		errstr);
+		errstr ? errstr : strerror(errno));
 	    EVP_PKEY_free(dhparams);
 	}
     }
@@ -214,7 +218,7 @@ set_dhparams_bio(SSL_CTX *ctx, BIO *bio)
 	if (!ret) {
 	    const char *errstr = ERR_reason_error_string(ERR_get_error());
 	    sudo_warnx(U_("unable to set diffie-hellman parameters: %s"),
-		errstr);
+		errstr ? errstr : strerror(errno));
 	    DH_free(dhparams);
 	}
     }
@@ -269,14 +273,15 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
     /* Create the ssl context and enforce TLS 1.2 or higher. */
     if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
-	sudo_warnx(U_("unable to create TLS context: %s"), errstr);
+	sudo_warnx(U_("unable to create TLS context: %s"),
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
     if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
 	errstr = ERR_reason_error_string(ERR_get_error());
 	sudo_warnx(U_("unable to set minimum protocol version to TLS 1.2: %s"),
-	    errstr);
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
 #else
@@ -290,20 +295,23 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
 
 	if (cacerts == NULL) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), ca_bundle_file, errstr);
+	    sudo_warnx(U_("%s: %s"), ca_bundle_file,
+		errstr ? errstr : strerror(errno));
 	    goto bad;
 	}
 	SSL_CTX_set_client_CA_list(ctx, cacerts);
 
 	if (SSL_CTX_load_verify_locations(ctx, ca_bundle_file, NULL) <= 0) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr);
+	    sudo_warnx("SSL_CTX_load_verify_locations: %s",
+		errstr ? errstr : strerror(errno));
 	    goto bad;
 	}
     } else {
 	if (!SSL_CTX_set_default_verify_paths(ctx)) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
+	    sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
+		errstr ? errstr : strerror(errno));
 	    goto bad;
 	}
     }
@@ -311,7 +319,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
     if (cert_file != NULL) {
         if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), cert_file, errstr);
+	    sudo_warnx(U_("%s: %s"), cert_file,
+		errstr ? errstr : strerror(errno));
             goto bad;
         }
 	if (key_file == NULL) {
@@ -321,7 +330,8 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
         if (!SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) ||
 		!SSL_CTX_check_private_key(ctx)) {
 	    errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), key_file, errstr);
+	    sudo_warnx(U_("%s: %s"), key_file,
+		errstr ? errstr : strerror(errno));
             goto bad;
         }
 

plugins/sudoers/log_client.c

@@ -197,14 +197,16 @@ tls_init(struct client_closure *closure)
     /* Create the ssl context and enforce TLS 1.2 or higher. */
     if ((closure->ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
         errstr = ERR_reason_error_string(ERR_get_error());
-        sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"), errstr);
+        sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"),
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
     if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) {
         errstr = ERR_reason_error_string(ERR_get_error());
         sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-            "unable to restrict min. protocol version: %s", errstr);
+            "unable to restrict min. protocol version: %s",
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
 #else
@@ -219,7 +221,7 @@ tls_init(struct client_closure *closure)
                 closure->log_details->ca_bundle, NULL) <= 0) {
                 errstr = ERR_reason_error_string(ERR_get_error());
                 sudo_warnx(U_("%s: %s"), closure->log_details->ca_bundle,
-                    errstr);
+		    errstr ? errstr : strerror(errno));
                 sudo_warnx(U_("unable to load certificate authority bundle %s"),
                     closure->log_details->ca_bundle);
                 goto bad;
@@ -227,7 +229,8 @@ tls_init(struct client_closure *closure)
         } else {
             if (!SSL_CTX_set_default_verify_paths(closure->ssl_ctx)) {
                 errstr = ERR_reason_error_string(ERR_get_error());
-                sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
+                sudo_warnx("SSL_CTX_set_default_verify_paths: %s",
+		    errstr ? errstr : strerror(errno));
                 goto bad;
             }
         }
@@ -239,7 +242,8 @@ tls_init(struct client_closure *closure)
         if (!SSL_CTX_use_certificate_chain_file(closure->ssl_ctx,
                 closure->log_details->cert_file)) {
             errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), closure->log_details->cert_file, errstr);
+	    sudo_warnx(U_("%s: %s"), closure->log_details->cert_file,
+		errstr ? errstr : strerror(errno));
 	    sudo_warnx(U_("unable to load certificate %s"),
 		closure->log_details->cert_file);
             goto bad;
@@ -252,7 +256,8 @@ tls_init(struct client_closure *closure)
                 closure->log_details->key_file, SSL_FILETYPE_PEM) ||
                 !SSL_CTX_check_private_key(closure->ssl_ctx)) {
             errstr = ERR_reason_error_string(ERR_get_error());
-	    sudo_warnx(U_("%s: %s"), closure->log_details->key_file, errstr);
+	    sudo_warnx(U_("%s: %s"), closure->log_details->key_file,
+		errstr ? errstr : strerror(errno));
 	    sudo_warnx(U_("unable to load private key %s"),
 		closure->log_details->key_file);
             goto bad;
@@ -262,13 +267,14 @@ tls_init(struct client_closure *closure)
     /* Create the SSL object and attach the closure. */
     if ((closure->ssl = SSL_new(closure->ssl_ctx)) == NULL) {
         errstr = ERR_reason_error_string(ERR_get_error());
-        sudo_warnx(U_("Unable to allocate ssl object: %s"), errstr);
+        sudo_warnx(U_("Unable to allocate ssl object: %s"),
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
     if (SSL_set_ex_data(closure->ssl, 1, closure) <= 0) {
         errstr = ERR_reason_error_string(ERR_get_error());
         sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
-            errstr);
+	    errstr ? errstr : strerror(errno));
         goto bad;
     }
 
@@ -356,7 +362,8 @@ tls_connect_cb(int sock, int what, void *v)
             default:
                 errstr = ERR_reason_error_string(ERR_get_error());
 		sudo_warnx(U_("TLS connection to %s:%s failed: %s"),
-		    closure->host, closure->port, errstr);
+		    closure->host, closure->port,
+		    errstr ? errstr : strerror(errno));
                 goto bad;
         }
     }
@@ -1755,13 +1762,13 @@ server_msg_cb(int fd, int what, void *v)
 #if !defined(HAVE_WOLFSSL)
                     if (closure->state == RECV_HELLO &&
                         ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
-                        errstr = "host name does not match certificate";
+                        errstr = U_("host name does not match certificate");
                     } else
 #endif
 		    {
                         errstr = ERR_reason_error_string(err);
                     }
-                    sudo_warnx("%s", errstr);
+                    sudo_warnx("%s", errstr ? errstr : strerror(errno));
                     goto bad;
                 case SSL_ERROR_SYSCALL:
 		    if (nread == 0)
@@ -1771,7 +1778,7 @@ server_msg_cb(int fd, int what, void *v)
                     goto bad;
                 default:
                     errstr = ERR_reason_error_string(ERR_get_error());
-                    sudo_warnx("recv: %s", errstr);
+                    sudo_warnx("recv: %s", errstr ? errstr : strerror(errno));
                     goto bad;
             }
         }
@@ -1899,14 +1906,14 @@ client_msg_cb(int fd, int what, void *v)
                     debug_return;
                 case SSL_ERROR_SSL:
                     errstr = ERR_reason_error_string(ERR_get_error());
-                    sudo_warnx("%s", errstr);
+                    sudo_warnx("%s", errstr ? errstr : strerror(errno));
                     goto bad;
                 case SSL_ERROR_SYSCALL:
                     sudo_warn("send");
                     goto bad;
                 default:
                     errstr = ERR_reason_error_string(ERR_get_error());
-                    sudo_warnx("send: %s", errstr);
+                    sudo_warnx("send: %s", errstr ? errstr : strerror(errno));
                     goto bad;
             }
         }