Use ERR_error_string_n in FFM code

The buffer previously used was too small.

java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java

@@ -76,6 +76,8 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 
     private static final Cleaner cleaner = Cleaner.create();
 
+    private static final int OPENSSL_ERROR_MESSAGE_BUFFER_SIZE = 256;
+
     private static final String defaultProtocol = "TLS";
 
     private static final int SSL_AIDX_RSA     = 0;
@@ -564,7 +566,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) {
                 if ((sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null)
                         && SSL_CTX_load_verify_locations(state.sslCtx,
                                 caCertificateFileNative == null ? MemorySegment.NULL : caCertificateFileNative,
-                                        caCertificatePathNative == null ? MemorySegment.NULL : caCertificatePathNative) <= 0) {
+                                caCertificatePathNative == null ? MemorySegment.NULL : caCertificatePathNative) <= 0) {
                     logLastError("openssl.errorConfiguringLocations");
                 } else {
                     var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
@@ -1326,8 +1328,8 @@ static String getLastError() {
             try (var localArena = Arena.ofConfined()) {
                 do {
                     // Loop until getLastErrorNumber() returns SSL_ERROR_NONE
-                    var buf = localArena.allocate(ValueLayout.JAVA_BYTE, 128);
-                    ERR_error_string(error, buf);
+                    var buf = localArena.allocate(ValueLayout.JAVA_BYTE, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
+                    ERR_error_string_n(error, buf, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
                     String err = buf.getString(0);
                     if (sslError == null) {
                         sslError = err;

java/org/apache/tomcat/util/openssl/openssl_h.java

@@ -5336,6 +5336,39 @@ public static MemorySegment ERR_error_string(long e, MemorySegment buf) {
         }
     }
 
+    private static MethodHandle ERR_error_string_n$MH() {
+        class Holder {
+            static final FunctionDescriptor DESC = FunctionDescriptor.of(
+                openssl_h.C_POINTER,
+                openssl_h.C_LONG,
+                openssl_h.C_POINTER,
+                openssl_h.C_INT
+            );
+
+            static final MethodHandle MH = Linker.nativeLinker().downcallHandle(
+                    openssl_h.findOrThrow("ERR_error_string_n"),
+                    DESC);
+        }
+        return Holder.MH;
+    }
+
+    /**
+     * {@snippet lang=c :
+     * char *ERR_error_string_n(unsigned long e, char *buf, size_t len)
+     * }
+     */
+    public static MemorySegment ERR_error_string_n(long e, MemorySegment buf, int len) {
+        var mh$ = ERR_error_string_n$MH();
+        try {
+            if (TRACE_DOWNCALLS) {
+                traceDowncall("ERR_error_string_n", e, buf, len);
+            }
+            return (MemorySegment) mh$.invokeExact(e, buf, len);
+        } catch (Throwable ex$) {
+           throw new AssertionError("should not reach here", ex$);
+        }
+    }
+
     private static MethodHandle PKCS12_verify_mac$MH() {
         class Holder {
             static final FunctionDescriptor DESC = FunctionDescriptor.of(

res/openssl/openssl-tomcat.conf

@@ -90,6 +90,7 @@
 
 --include-function ERR_clear_error                         # header: /usr/include/openssl/err.h
 --include-function ERR_error_string                        # header: /usr/include/openssl/err.h
+--include-function ERR_error_string_n                      # header: /usr/include/openssl/err.h
 --include-function ERR_get_error                           # header: /usr/include/openssl/err.h
 --include-function ERR_peek_last_error                     # header: /usr/include/openssl/err.h
 --include-constant ERR_REASON_MASK                         # header: /usr/include/openssl/err.h

webapps/docs/changelog.xml

@@ -105,6 +105,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 11.0.0-M21 (markt)" rtext="in development">
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
+        and use ERR_error_string_n instead. (remm)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 11.0.0-M20 (markt)" rtext="release in progress">
   <subsection name="Catalina">