+static const char *
+openssl_errstr (int fd, void *arg)
+{
+ struct openssl_transport_context *ctx = arg;
+ unsigned long errcode;
+ char *errmsg = NULL;
+ int msglen = 0;
+
+ /* If there are no SSL-specific errors, just return NULL. */
+ if ((errcode = ERR_get_error ()) == 0)
+ return NULL;
+
+ /* Get rid of previous contents of ctx->last_error, if any. */
+ xfree_null (ctx->last_error);
+
+ /* Iterate over OpenSSL's error stack and accumulate errors in the
+ last_error buffer, separated by "; ". This is better than using
+ a static buffer, which *always* takes up space (and has to be
+ large, to fit more than one error message), whereas these
+ allocations are only performed when there is an actual error. */
+
+ for (;;)
+ {
+ const char *str = ERR_error_string (errcode, NULL);
+ int len = strlen (str);
+
+ /* Allocate space for the existing message, plus two more chars
+ for the "; " separator and one for the terminating \0. */
+ errmsg = xrealloc (errmsg, msglen + len + 2 + 1);
+ memcpy (errmsg + msglen, str, len);
+ msglen += len;
+
+ /* Get next error and bail out if there are no more. */
+ errcode = ERR_get_error ();
+ if (errcode == 0)
+ break;
+
+ errmsg[msglen++] = ';';
+ errmsg[msglen++] = ' ';
+ }
+ errmsg[msglen] = '\0';
+
+ /* Store the error in ctx->last_error where openssl_close will
+ eventually find it and free it. */
+ ctx->last_error = errmsg;
+
+ return errmsg;
+}
+