Fixed #4058 -- use the thread-safe API from OpenSSL, not the danger one (#4059)
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index 55f2470..5770429 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -231,7 +231,6 @@
"""
FUNCTIONS = """
-char *ERR_error_string(unsigned long, char *);
void ERR_error_string_n(unsigned long, char *, size_t);
const char *ERR_lib_error_string(unsigned long);
const char *ERR_func_error_string(unsigned long);
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 7790213..7d528ad 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -55,9 +55,10 @@
errors = _consume_errors(lib)
errors_with_text = []
for err in errors:
- err_text_reason = ffi.string(
- lib.ERR_error_string(err.code, ffi.NULL)
- )
+ buf = ffi.new("char[]", 256)
+ lib.ERR_error_string_n(err.code, buf, len(buf))
+ err_text_reason = ffi.string(buf)
+
errors_with_text.append(
_OpenSSLErrorWithText(
err.code, err.lib, err.func, err.reason, err_text_reason
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index e430e2d..5863149 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -125,9 +125,9 @@
assert cipher != backend._ffi.NULL
def test_error_strings_loaded(self):
- # returns a value in a static buffer
- err = backend._lib.ERR_error_string(101183626, backend._ffi.NULL)
- assert b"data not multiple of block length" in backend._ffi.string(err)
+ buf = backend._ffi.new("char[]", 256)
+ backend._lib.ERR_error_string_n(101183626, buf, len(buf))
+ assert b"data not multiple of block length" in backend._ffi.string(buf)
def test_unknown_error_in_cipher_finalize(self):
cipher = Cipher(AES(b"\0" * 16), CBC(b"\0" * 16), backend=backend)