int ssl_readable(struct worker_t *self, struct client_t *c)
{
int r;
int sslerr, err;
//hlog(LOG_DEBUG, "ssl_readable fd %d", c->fd);
ssl_clear_error();
r = SSL_read(c->ssl_con->connection, c->ibuf + c->ibuf_end, c->ibuf_size - c->ibuf_end - 1);
if (r > 0) {
/* we got some data... process */
//hlog(LOG_DEBUG, "SSL_read fd %d returned %d bytes of data", c->fd, r);
/* TODO: whatever the client_readable does */
return client_postread(self, c, r);
}
sslerr = SSL_get_error(c->ssl_con->connection, r);
err = (sslerr == SSL_ERROR_SYSCALL) ? errno : 0;
if (sslerr == SSL_ERROR_WANT_READ) {
hlog(LOG_DEBUG, "ssl_readable fd %d: SSL_read wants to read again, doing it later", c->fd);
if (c->obuf_end - c->obuf_start > 0) {
/* tell the poller that we have outgoing data */
xpoll_outgoing(&self->xp, c->xfd, 1);
}
return 0;
}
if (sslerr == SSL_ERROR_WANT_WRITE) {
hlog(LOG_INFO, "ssl_readable fd %d: SSL_read wants to write (peer starts SSL renegotiation?), calling ssl_write", c->fd);
return ssl_write(self, c);
}
c->ssl_con->no_wait_shutdown = 1;
c->ssl_con->no_send_shutdown = 1;
if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
hlog(LOG_DEBUG, "ssl_readable fd %d: peer shutdown SSL cleanly", c->fd);
client_close(self, c, CLIERR_EOF);
return -1;
}
if (err) {
hlog(LOG_DEBUG, "ssl_readable fd %d: I/O syscall error: %s", c->fd, strerror(err));
} else {
char ebuf[255];
ERR_error_string_n(sslerr, ebuf, sizeof(ebuf));
hlog(LOG_INFO, "ssl_readable fd %d failed with ret %d sslerr %d errno %d: %s (%s)",
c->fd, r, sslerr, err, ebuf, ERR_reason_error_string(sslerr));
}
client_close(self, c, err);
return -1;
}
static void disable_ssl(int do_errors)
{
if(do_errors)
{
char buf[256];
unsigned long e;
while((e = ERR_get_error()))
{
ERR_error_string_n(e, buf, sizeof(buf) - 1);
Debug((DEBUG_DEBUG, "%s", buf));
if (serverbooting) {
(void)fprintf(stderr, "%s\n", buf);
}
}
}
if (sslable) {
if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
(void)fprintf(stderr, "disable_ssl(): EVP_cleanup()\n");
EVP_cleanup();
}
if(ctx) {
if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG))
(void)fprintf(stderr, "disable_ssl(): SSL_CTX_free()\n");
SSL_CTX_free(ctx);
}
Debug((DEBUG_DEBUG, "SSL support is disabled."));
sslable = 0;
return;
}
isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category,
const char *funcname, isc_result_t fallback) {
isc_result_t result;
unsigned long err;
const char *file, *data;
int line, flags;
char buf[256];
result = toresult(fallback);
isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
"%s failed (%s)", funcname,
isc_result_totext(result));
if (result == ISC_R_NOMEMORY)
goto done;
for (;;) {
err = ERR_get_error_line_data(&file, &line, &data, &flags);
if (err == 0U)
goto done;
ERR_error_string_n(err, buf, sizeof(buf));
isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
"%s:%s:%d:%s", buf, file, line,
(flags & ERR_TXT_STRING) ? data : "");
}
done:
ERR_clear_error();
return (result);
}
Boolean SSLSocket::incompleteSecureReadOccurred(Sint32 retCode)
{
Sint32 err = SSL_get_error(static_cast<SSL*>(_SSLConnection), retCode);
Boolean isIncompleteRead =
((err == SSL_ERROR_SYSCALL) &&
(_sslReadErrno == EAGAIN || _sslReadErrno == EINTR)) ||
(err == SSL_ERROR_WANT_READ) ||
(err == SSL_ERROR_WANT_WRITE);
if (Tracer::isTraceOn())
{
unsigned long rc = ERR_get_error ();
char buff[256];
ERR_error_string_n (rc, buff, sizeof (buff)); // added in OpenSSL 0.9.6
PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
"In SSLSocket::incompleteSecureReadOccurred : err = %d %s",
err, buff));
if (!isIncompleteRead && retCode < 0)
{
PEG_TRACE((TRC_DISCARDED_DATA, Tracer::LEVEL4,
"In SSLSocket::incompleteSecureReadOccurred : err = %d %s",
err, buff));
}
}
return isIncompleteRead;
}
MsnSsl *
msn_ssl_new (void)
{
MsnSsl *ssl;
ssl = g_new0 (MsnSsl, 1);
ssl->ctx = SSL_CTX_new (SSLv23_client_method ());
if (ssl->ctx == NULL)
{
char errmsg[128] = {0};
ERR_error_string_n (ERR_get_error (), errmsg, 128);
g_print ("error: %s\n", errmsg);
msn_ssl_free (ssl);
return NULL;
}
/* turn on all SSL implementation bug workarounds. */
SSL_CTX_set_options (ssl->ctx, SSL_OP_ALL);
/* don't do the verification. */
SSL_CTX_set_verify (ssl->ctx, SSL_VERIFY_NONE, NULL);
ssl->ssl = SSL_new (ssl->ctx);
return ssl;
}
/**
* Serves the entire OpenSSL error queue and logs each error.
* The last error is not logged but returned in 'errstr'.
*
* If 'rkb' is non-NULL broker-specific logging will be used,
* else it will fall back on global 'rk' debugging.
*/
static char *rd_kafka_ssl_error (rd_kafka_t *rk, rd_kafka_broker_t *rkb,
char *errstr, size_t errstr_size) {
unsigned long l;
const char *file, *data;
int line, flags;
int cnt = 0;
while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
char buf[256];
if (cnt++ > 0) {
/* Log last message */
if (rkb)
rd_rkb_log(rkb, LOG_ERR, "SSL", "%s", errstr);
else
rd_kafka_log(rk, LOG_ERR, "SSL", "%s", errstr);
}
ERR_error_string_n(l, buf, sizeof(buf));
rd_snprintf(errstr, errstr_size, "%s:%d: %s: %s",
file, line, buf, (flags & ERR_TXT_STRING) ? data : "");
}
if (cnt == 0)
rd_snprintf(errstr, errstr_size, "No error");
return errstr;
}
void reportError(SSL* ssl, int result)
{
if (result <= 0)
{
int error = SSL_get_error(ssl, result);
switch (error)
{
case SSL_ERROR_ZERO_RETURN:
cout << "SSL_ERROR_ZERO_RETURN" << endl;
break;
case SSL_ERROR_NONE:
cout << "SSL_ERROR_NONE" << endl;
break;
case SSL_ERROR_WANT_READ:
cout << "SSL_ERROR_WANT_READ" << endl;
break;
default:
char buffer[256];
while (error != 0)
{
ERR_error_string_n(error, buffer, sizeof(buffer));
cout << "Error: " << error << " - " << buffer << endl;
error = ERR_get_error();
}
break;
}
}
}
static Pfd*
opensslconnect(char *host)
{
Pfd *pfd;
BIO *sbio;
SSL_CTX *ctx;
SSL *ssl;
static int didinit;
char buf[1024];
if(!didinit){
httpsinit();
didinit = 1;
}
ctx = SSL_CTX_new(SSLv23_client_method());
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
snprint(buf, sizeof buf, "%s:https", host);
BIO_set_conn_hostname(sbio, buf);
if(BIO_do_connect(sbio) <= 0 || BIO_do_handshake(sbio) <= 0){
ERR_error_string_n(ERR_get_error(), buf, sizeof buf);
BIO_free_all(sbio);
werrstr("openssl: %s", buf);
return nil;
}
pfd = emalloc(sizeof *pfd);
pfd->sbio = sbio;
return pfd;
}
int openssl_error(neo4j_logger_t *logger, uint_fast8_t level,
const char *file, unsigned int line)
{
unsigned long code = ERR_get_error();
if (code == 0)
{
neo4j_log_error(logger, "OpenSSL error not available (%s:%d)",
file, line);
return NEO4J_UNEXPECTED_ERROR;
}
if (ERR_get_error() != 0)
{
neo4j_log_error(logger, "OpenSSL error stack too deep (%s:%d)",
file, line);
return NEO4J_UNEXPECTED_ERROR;
}
char ebuf[256];
ERR_error_string_n(code, ebuf, sizeof(ebuf));
neo4j_log(logger, level, "OpenSSL error: %lu:%s:%s:%s", code,
ERR_lib_error_string(code),
ERR_func_error_string(code),
ERR_reason_error_string(code));
return NEO4J_UNEXPECTED_ERROR;
}
void ERR_print_errors_cb(int (*cb) (const char *str, size_t len, void *u),
void *u)
{
unsigned long l;
char buf[256];
char buf2[4096];
const char *file, *data;
int line, flags;
/*
* We don't know what kind of thing CRYPTO_THREAD_ID is. Here is our best
* attempt to convert it into something we can print.
*/
union {
CRYPTO_THREAD_ID tid;
unsigned long ltid;
} tid;
tid.ltid = 0;
tid.tid = CRYPTO_THREAD_get_current_id();
while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
ERR_error_string_n(l, buf, sizeof(buf));
BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", tid.ltid, buf,
file, line, (flags & ERR_TXT_STRING) ? data : "");
if (cb(buf2, strlen(buf2), u) <= 0)
break; /* abort outputting the error report */
}
}
DLLEXPORT const char *
tqsl_getErrorString_v(int err) {
static char buf[256];
unsigned long openssl_err;
int adjusted_err;
if (err == 0)
return "NO ERROR";
if (err == TQSL_CUSTOM_ERROR) {
if (tQSL_CustomError[0] == 0)
return "Unknown custom error";
else {
strncpy(buf, tQSL_CustomError, sizeof buf);
return buf;
}
}
if (err == TQSL_SYSTEM_ERROR) {
strcpy(buf, "System error: ");
if (strlen(tQSL_ErrorFile) > 0) {
strncat(buf, tQSL_ErrorFile, sizeof buf - strlen(buf));
strncat(buf, ": ", sizeof buf - strlen(buf));
}
strncat(buf, strerror(errno), sizeof buf - strlen(buf));
return buf;
}
if (err == TQSL_OPENSSL_ERROR) {
openssl_err = ERR_get_error();
strcpy(buf, "OpenSSL error: ");
if (openssl_err)
ERR_error_string_n(openssl_err, buf + strlen(buf), sizeof buf - strlen(buf));
else
strncat(buf, "[error code not available]", sizeof buf - strlen(buf));
return buf;
}
if (err == TQSL_ADIF_ERROR) {
buf[0] = 0;
if (strlen(tQSL_ErrorFile) > 0) {
strncpy(buf, tQSL_ErrorFile, sizeof buf);
strncat(buf, ": ", sizeof buf - strlen(buf));
}
strncat(buf, tqsl_adifGetError(tQSL_ADIF_Error), sizeof buf - strlen(buf));
return buf;
}
if (err == TQSL_CABRILLO_ERROR) {
buf[0] = 0;
if (strlen(tQSL_ErrorFile) > 0) {
strncpy(buf, tQSL_ErrorFile, sizeof buf);
strncat(buf, ": ", sizeof buf - strlen(buf));
}
strncat(buf, tqsl_cabrilloGetError(tQSL_Cabrillo_Error), sizeof buf - strlen(buf));
return buf;
}
if (err == TQSL_OPENSSL_VERSION_ERROR) {
sprintf(buf, "Incompatible OpenSSL Library version %d.%d.%d; expected %d.%d.%d",
int(SSLeay() >> 28) & 0xff, int(SSLeay() >> 20) & 0xff, int(SSLeay() >> 12) & 0xff,
int(OPENSSL_VERSION_NUMBER >> 28) & 0xff, int(OPENSSL_VERSION_NUMBER >> 20) & 0xff,
int(OPENSSL_VERSION_NUMBER >> 12) & 0xff);
return buf;
}
char*
openssl_errormsg(char *buf, size_t len) {
ERR_error_string_n(ERR_get_error(), buf, len);
/* clear rest of errors in OpenSSL "error buffer" */
ERR_clear_error();
return(buf);
}
static const char *
ssl_error(void)
{
/* Minimum requirement is 120 characters */
static char ssl_errbuf[256];
ERR_error_string_n(ERR_get_error(), ssl_errbuf, sizeof(ssl_errbuf));
return ssl_errbuf;
}
static const char *
get_ssl_error(unsigned long err)
{
static char buf[512];
ERR_error_string_n(err, buf, sizeof buf);
return buf;
}
// This dumps the SSL error stack to the log.
static void LogSSLErrors(const std::string& prefix) {
char error_buf[200];
unsigned long err;
while ((err = ERR_get_error())) {
ERR_error_string_n(err, error_buf, sizeof(error_buf));
LOG(LS_ERROR) << prefix << ": " << error_buf << "\n";
}
}
std::string SSLManager::getSSLErrorMessage(int code) {
// 120 from the SSL documentation for ERR_error_string
static const size_t msglen = 120;
char msg[msglen];
ERR_error_string_n(code, msg, msglen);
return msg;
}
NOEXPORT void sslerror_log(unsigned long err, char *txt) {
char *error_string;
error_string=str_alloc(256);
ERR_error_string_n(err, error_string, 256);
s_log(LOG_ERR, "%s: %lX: %s", txt, err, error_string);
str_free(error_string);
}
/* Logs the SSL error stack. */
static void log_ssl_error_stack(void) {
unsigned long err;
while ((err = ERR_get_error()) != 0) {
char details[256];
ERR_error_string_n(err, details, sizeof(details));
gpr_log(GPR_ERROR, "%s", details);
}
}
void
log_crypto_err(const char* str)
{
#ifdef HAVE_SSL
/* error:[error code]:[library name]:[function name]:[reason string] */
char buf[128];
unsigned long e;
ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
log_err("%s crypto %s", str, buf);
while( (e=ERR_get_error()) ) {
ERR_error_string_n(e, buf, sizeof(buf));
log_err("and additionally crypto %s", buf);
}
#else
(void)str;
#endif /* HAVE_SSL */
}
int
as_tls_read_once(as_socket* sock, void* buf, size_t len)
{
int rv = SSL_read(sock->ssl, buf, (int)len);
if (rv > 0) {
return rv;
}
else {
int sslerr = SSL_get_error(sock->ssl, rv);
unsigned long errcode;
char errbuf[1024];
switch (sslerr) {
case SSL_ERROR_WANT_READ:
return -1;
case SSL_ERROR_WANT_WRITE:
return -2;
case SSL_ERROR_SSL:
log_verify_details(sock);
errcode = ERR_get_error();
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_log_warn("SSL_read_once failed: %s", errbuf);
return -3;
case SSL_ERROR_SYSCALL:
errcode = ERR_get_error();
if (errcode != 0) {
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_log_warn("SSL_read_once I/O error: %s", errbuf);
}
else {
if (rv == 0) {
as_log_warn("SSL_read_once I/O error: unexpected EOF");
}
else {
as_log_warn("SSL_read_once I/O error: %d", as_last_error());
}
}
return -4;
case SSL_ERROR_ZERO_RETURN:
as_log_debug("SSL_read_once: server closed connection");
return -5;
default:
as_log_warn("SSL_read_once: unexpected ssl error: %d", sslerr);
return -6;
}
}
}
SSLException::SSLException()
: Exception(ERR_peek_error()) {
SSL_load_error_strings();
char error_message[256];
ERR_error_string_n(ERR_peek_error(), error_message, 256);
set_error_message(error_message);
}
void print_errors(){
unsigned long err, line;
char *file;
while((err = ERR_get_error_line((const char**)&file, (int*)&line))){
ERR_error_string_n(err, err_str_buf, 128);
fprintf(stderr, "%s in %s at line %ld", err_str_buf, file, line);
}
}
char* ossSSLGetErrorMessage(INT32 error)
{
#define _MSG_LEN 256
static OSS_THREAD_LOCAL char buf[_MSG_LEN];
char* errorMsg;
INT32 err = ERR_get_error();
switch(error)
{
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
errorMsg = "possibly timed out during connect";
break;
case SSL_ERROR_ZERO_RETURN:
errorMsg = "SSL network connection closed";
break;
case SSL_ERROR_SYSCALL:
if (0 != err)
{
ERR_error_string_n(err, buf, _MSG_LEN);
errorMsg = buf;
}
else
{
INT32 lastError;
#ifdef _WINDOWS
lastError = WSAGetLastError();
#else
lastError = errno;
#endif
ossSnprintf(buf, _MSG_LEN, "the SSL BIO reported an I/O error, "
"system errno: %d", lastError);
errorMsg = buf;
}
break;
case SSL_ERROR_SSL:
ERR_error_string_n(err, buf, _MSG_LEN);
errorMsg = buf;
break;
default:
errorMsg = "unrecognized SSL error";
}
return errorMsg;
}
/* ERR_error_string_n should be used instead for ret != NULL
* as ERR_error_string cannot know how large the buffer is */
char *ERR_error_string(unsigned long e, char *ret)
{
static char buf[256];
if (ret == NULL) ret=buf;
ERR_error_string_n(e, ret, 256);
return(ret);
}
int
errstr_main(int argc, char **argv)
{
unsigned long ulval;
char *ularg, *ep;
int argsused, i;
char buf[256];
int ret = 0;
if (single_execution) {
if (pledge("stdio rpath", NULL) == -1) {
perror("pledge");
exit(1);
}
}
memset(&errstr_config, 0, sizeof(errstr_config));
if (options_parse(argc, argv, errstr_options, NULL, &argsused) != 0) {
errstr_usage();
return (1);
}
if (errstr_config.stats) {
BIO *out;
if ((out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
fprintf(stderr, "Out of memory");
return (1);
}
lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), out);
lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), out);
lh_ERR_STRING_DATA_node_usage_stats_bio(
ERR_get_string_table(), out);
BIO_free_all(out);
}
for (i = argsused; i < argc; i++) {
errno = 0;
ularg = argv[i];
ulval = strtoul(ularg, &ep, 16);
if (strchr(ularg, '-') != NULL ||
(ularg[0] == '\0' || *ep != '\0') ||
(errno == ERANGE && ulval == ULONG_MAX)) {
printf("%s: bad error code\n", ularg);
ret++;
continue;
}
ERR_error_string_n(ulval, buf, sizeof(buf));
printf("%s\n", buf);
}
return (ret);
}
/*
* ERR_error_string_n should be used instead for ret != NULL as
* ERR_error_string cannot know how large the buffer is
*/
char *ERR_error_string(unsigned long e, char *ret)
{
static char buf[256];
if (ret == NULL)
ret = buf;
ERR_error_string_n(e, ret, (int)sizeof(buf));
return ret;
}
char* ossSSLERRGetErrorMessage(INT32 error)
{
#define _MSG_LEN 256
static OSS_THREAD_LOCAL char buf[_MSG_LEN];
ERR_error_string_n(error, buf, _MSG_LEN);
return buf;
}
int
as_tls_connect_once(as_socket* sock)
{
int rv = SSL_connect(sock->ssl);
if (rv == 1) {
log_session_info(sock);
return 1;
}
int sslerr = SSL_get_error(sock->ssl, rv);
unsigned long errcode;
char errbuf[1024];
switch (sslerr) {
case SSL_ERROR_WANT_READ:
return -1;
case SSL_ERROR_WANT_WRITE:
return -2;
case SSL_ERROR_SSL:
log_verify_details(sock);
errcode = ERR_get_error();
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_log_warn("SSL_connect_once failed: %s", errbuf);
return -3;
case SSL_ERROR_SYSCALL:
errcode = ERR_get_error();
if (errcode != 0) {
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_log_warn("SSL_connect_once I/O error: %s", errbuf);
}
else {
if (rv == 0) {
as_log_warn("SSL_connect_once I/O error: unexpected EOF");
}
else {
as_log_warn("SSL_connect_once I/O error: %d", as_last_error());
}
}
return -4;
default:
as_log_warn("SSL_connect_once: unexpected ssl error: %d", sslerr);
return -5;
break;
}
}
std::string Utility::convertSSLError(SSL* pSSL, int errCode)
{
std::string errMsg;
if (errCode > 0) return "no error";
int connectErr = SSL_get_error(pSSL, errCode);
long lErr = 0;
char buf[512];
switch (connectErr)
{
case SSL_ERROR_ZERO_RETURN:
// connection closed
errMsg = "connection closed by server";
break;
case SSL_ERROR_WANT_READ:
errMsg = "want read";
break;
case SSL_ERROR_WANT_WRITE:
errMsg = "want write";
break;
case SSL_ERROR_WANT_CONNECT:
errMsg = "want connect";
break;
case SSL_ERROR_WANT_ACCEPT:
errMsg = "want accept";
break;
case SSL_ERROR_WANT_X509_LOOKUP:
errMsg = "want lookup";
break;
case SSL_ERROR_SYSCALL:
errMsg = "syscall";
break;
case SSL_ERROR_SSL:
lErr = ERR_get_error();
if (errCode == 0)
{
errMsg = "EOF was observed";
}
else if (errCode == -1)
{
errMsg = "The underlying BIO reported an I/O error";
}
else
{
ERR_error_string_n(lErr, buf, 512);
errMsg = buf;
}
break;
default:
errMsg = "none";
}
return errMsg;
}
static char * cipher_evp (const unsigned char *key, int keylen, const unsigned char *plaintext, int plaintextlen, const EVP_CIPHER *type, int *retsize, int ivsize)
{
unsigned char *outbuf;
int outlen = 0;
int extralen = 0;
unsigned char *iv = NULL;
unsigned long errcode;
u_32int_t randomval;
int iv_count;
EVP_CIPHER_CTX a;
EVP_CIPHER_CTX_init(&a);
EVP_CIPHER_CTX_set_padding(&a, 0);
if (ivsize < 0)
ivsize = 0; /* Shenanigans! */
if (ivsize > 0)
{
if (ivsize % sizeof(u_32int_t) != 0)
panic(1, "The IV size for a crypto type you're using is %d "
"which is not a multiple of %d",
ivsize, sizeof(u_32int_t));
iv = new_malloc(ivsize);
for (iv_count = 0; iv_count < ivsize; iv_count += sizeof(u_32int_t))
{
randomval = arc4random();
memmove(iv + iv_count, &randomval, sizeof(u_32int_t));
}
}
outbuf = new_malloc(plaintextlen + 100);
if (iv)
memcpy(outbuf, iv, ivsize);
EVP_EncryptInit_ex(&a, type, NULL, NULL, iv);
EVP_CIPHER_CTX_set_key_length(&a, keylen);
EVP_EncryptInit_ex(&a, NULL, NULL, key, NULL);
EVP_EncryptUpdate(&a, outbuf + ivsize, &outlen, plaintext, plaintextlen);
EVP_EncryptFinal_ex(&a, outbuf + ivsize + outlen, &extralen);
EVP_CIPHER_CTX_cleanup(&a);
outlen += extralen;
ERR_load_crypto_strings();
while ((errcode = ERR_get_error()))
{
char r[256];
ERR_error_string_n(errcode, r, 256);
yell("ERROR: %s", r);
}
*retsize = outlen + ivsize;
if (iv)
new_free(&iv); /* XXX Is this correct? */
return outbuf;
}