Re: rpki-client and non-existing files
Claudio Jeker wrote:
> On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> > Currently rpki-client logs missing files like this:
> >
> > rpki-client: ...trace: error:02FFF002:system library:func(4095):No such file or directory
> > rpki-client: ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such file
> > rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: BIO_new_file
> >
> > Yes, you need to read the errors in reverse and even then the errors are
> > just hard to read.
> >
> > This ugly format is mostly to blame on the error stack of OpenSSL.
> > As a workaround I switched to using fopen() and then BIO_new_fd()
> > which does the same thing but allows me to get a nice error from fopen():
> >
> > rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: No such file or directory
> >
> > Any opinions?
>
> This diff removes the fopen: from the warn string:
>
> rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such file or directory
>
> This is more in form with e.g.
>
> rpki-client: rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa: CRL has expired

Thank you, it was driving me crazy.
Re: rpki-client and non-existing files
On Wed, Apr 01, 2020 at 09:42:42PM +0200, Sebastian Benoit wrote: > ok > > you remove the "if (verbose > 0)" in the cms_parse_validate() case on > purpose? Yes, since we use rpki-client in cron with the magic -n prefix it would be nice to have enough verbosity to know why the process failed without having to run rpki-client -v. So I kind of walked back from the rpki-client must be silent by default unless a bad error happens case. > Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.04.01 16:33:44 +0200: > > On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote: > > > Currently rpki-client logs missing files like this: > > > > > > rpki-client: ...trace: error:02FFF002:system library:func(4095):No such > > > file or directory > > > rpki-client: ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no > > > such file > > > rpki-client: > > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: > > > BIO_new_file > > > > > > Yes, you need to read the errors in reverse and even then the errors are > > > just hard to read. > > > > > > This ugly format is mostly to blame on the error stack of OpenSSL. > > > As a workaround I switched to using fopen() and then BIO_new_fd() > > > which does the same thing but allows me to get a nice error from fopen(): > > > > > > rpki-client: > > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: > > > fopen: No such file or directory > > > > > > Any opinions? > > > > This diff removes the fopen: from the warn string: > > > > rpki-client: > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No > > such file or directory > > > > This is more in form with e.g. 
> > > > rpki-client: > > rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa: > > CRL has expired > > > > -- > > :wq Claudio > > > > Index: cert.c > > === > > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > > retrieving revision 1.14 > > diff -u -p -r1.14 cert.c > > --- cert.c 26 Feb 2020 02:35:08 - 1.14 > > +++ cert.c 1 Apr 2020 14:28:29 - > > @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char * > > ASN1_OBJECT *obj; > > struct parse p; > > BIO *bio = NULL, *shamd; > > + FILE*f; > > EVP_MD *md; > > char mdbuf[EVP_MAX_MD_SIZE]; > > > > *xp = NULL; > > > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > > + if ((f = fopen(fn, "rb")) == NULL) { > > + warn("%s", fn); > > + return NULL; > > + } > > + > > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { > > if (verbose > 0) > > cryptowarnx("%s: BIO_new_file", fn); > > return NULL; > > Index: cms.c > > === > > RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v > > retrieving revision 1.6 > > diff -u -p -r1.6 cms.c > > --- cms.c 29 Nov 2019 05:14:11 - 1.6 > > +++ cms.c 1 Apr 2020 14:28:34 - > > @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char > > ASN1_OCTET_STRING **os = NULL; > > BIO *bio = NULL, *shamd; > > CMS_ContentInfo *cms; > > + FILE*f; > > char buf[128], mdbuf[EVP_MAX_MD_SIZE]; > > int rc = 0, sz; > > STACK_OF(X509) *certs = NULL; 
> > @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char > > * This is usually fopen() failure, so let it pass through to > > * the handler, which will in turn ignore the entity. > > */ > > + if ((f = fopen(fn, "rb")) == NULL) { > > + warn("%s", fn); > > + return NULL; > > + } > > > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > > - if (verbose > 0) > > - cryptowarnx("%s: BIO_new_file", fn); > > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { > > + cryptowarnx("%s: BIO_new_fp", fn); > > return NULL; > > } > > > > Index: crl.c > > === > > RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v > > retrieving revision 1.7 > > diff -u -p -r1.7 crl.c > > --- crl.c 29 Nov 2019 04:40:04 - 1.7 > > +++ crl.c 1 Apr 2020 14:28:41 - > > @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned > > int rc = 0, sz; > > X509_CRL*x = NULL; > > BIO *bio = NULL, *shamd; > > + FILE*f; > > EVP_MD *md; > > char mdbuf[EVP_MAX_MD_SIZE]; > > > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > > + if ((f = fopen(fn, "rb")) == NULL) { > > + warn("%s", fn); > > + return NULL; > > + } > > + > > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
Re: rpki-client and non-existing files
ok you remove the "if (verbose > 0)" in the cms_parse_validate() case on purpose? Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.04.01 16:33:44 +0200: > On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote: > > Currently rpki-client logs missing files like this: > > > > rpki-client: ...trace: error:02FFF002:system library:func(4095):No such > > file or directory > > rpki-client: ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such > > file > > rpki-client: > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: > > BIO_new_file > > > > Yes, you need to read the errors in reverse and even then the errors are > > just hard to read. > > > > This ugly format is mostly to blame on the error stack of OpenSSL. > > As a workaround I switched to using fopen() and then BIO_new_fd() > > which does the same thing but allows me to get a nice error from fopen(): > > > > rpki-client: > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: > > No such file or directory > > > > Any opinions? > > This diff removes the fopen: from the warn string: > > rpki-client: > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such > file or directory > > This is more in form with e.g. > > rpki-client: > rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa: > CRL has expired > > -- > :wq Claudio > > Index: cert.c > === > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > retrieving revision 1.14 > diff -u -p -r1.14 cert.c > --- cert.c26 Feb 2020 02:35:08 - 1.14 > +++ cert.c1 Apr 2020 14:28:29 - 
> @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char * > ASN1_OBJECT *obj; > struct parse p; > BIO *bio = NULL, *shamd; > + FILE*f; > EVP_MD *md; > char mdbuf[EVP_MAX_MD_SIZE]; > > *xp = NULL; > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > + if ((f = fopen(fn, "rb")) == NULL) { > + warn("%s", fn); > + return NULL; > + } > + > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { > if (verbose > 0) > cryptowarnx("%s: BIO_new_file", fn); > return NULL; > Index: cms.c > === > RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v > retrieving revision 1.6 > diff -u -p -r1.6 cms.c > --- cms.c 29 Nov 2019 05:14:11 - 1.6 > +++ cms.c 1 Apr 2020 14:28:34 - > @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char > ASN1_OCTET_STRING **os = NULL; > BIO *bio = NULL, *shamd; > CMS_ContentInfo *cms; > + FILE*f; > char buf[128], mdbuf[EVP_MAX_MD_SIZE]; > int rc = 0, sz; > STACK_OF(X509) *certs = NULL; > @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char >* This is usually fopen() failure, so let it pass through to >* the handler, which will in turn ignore the entity. >*/ > + if ((f = fopen(fn, "rb")) == NULL) { > + warn("%s", fn); > + return NULL; > + } > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > - if (verbose > 0) > - cryptowarnx("%s: BIO_new_file", fn); > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { > + cryptowarnx("%s: BIO_new_fp", fn); > return NULL; > } > > Index: crl.c > === > RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v > retrieving revision 1.7 > diff -u -p -r1.7 crl.c > --- crl.c 29 Nov 2019 04:40:04 - 1.7 > +++ crl.c 1 Apr 2020 14:28:41 - 
> @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned > int rc = 0, sz; > X509_CRL*x = NULL; > BIO *bio = NULL, *shamd; > + FILE*f; > EVP_MD *md; > char mdbuf[EVP_MAX_MD_SIZE]; > > - if ((bio = BIO_new_file(fn, "rb")) == NULL) { > + if ((f = fopen(fn, "rb")) == NULL) { > + warn("%s", fn); > + return NULL; > + } > + > + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { > if (verbose > 0) > cryptowarnx("%s: BIO_new_file", fn); > return NULL; >
Re: rpki-client and non-existing files
On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote: > Currently rpki-client logs missing files like this: > > rpki-client: ...trace: error:02FFF002:system library:func(4095):No such file > or directory > rpki-client: ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such > file > rpki-client: > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: > BIO_new_file > > Yes, you need to read the errors in reverse and even then the errors are > just hard to read. > > This ugly format is mostly to blame on the error stack of OpenSSL. > As a workaround I switched to using fopen() and then BIO_new_fd() > which does the same thing but allows me to get a nice error from fopen(): > > rpki-client: > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: > No such file or directory > > Any opinions? This diff removes the fopen: from the warn string: rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such file or directory This is more in form with e.g. rpki-client: rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa: CRL has expired -- :wq Claudio Index: cert.c === RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v retrieving revision 1.14 diff -u -p -r1.14 cert.c --- cert.c 26 Feb 2020 02:35:08 - 1.14 +++ cert.c 1 Apr 2020 14:28:29 - 
@@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char * ASN1_OBJECT *obj; struct parse p; BIO *bio = NULL, *shamd; + FILE*f; EVP_MD *md; char mdbuf[EVP_MAX_MD_SIZE]; *xp = NULL; - if ((bio = BIO_new_file(fn, "rb")) == NULL) { + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s", fn); + return NULL; + } + + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { if (verbose > 0) cryptowarnx("%s: BIO_new_file", fn); return NULL; Index: cms.c === RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v retrieving revision 1.6 diff -u -p -r1.6 cms.c --- cms.c 29 Nov 2019 05:14:11 - 1.6 +++ cms.c 1 Apr 2020 14:28:34 - @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char ASN1_OCTET_STRING **os = NULL; BIO *bio = NULL, *shamd; CMS_ContentInfo *cms; + FILE*f; char buf[128], mdbuf[EVP_MAX_MD_SIZE]; int rc = 0, sz; STACK_OF(X509) *certs = NULL; @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char * This is usually fopen() failure, so let it pass through to * the handler, which will in turn ignore the entity. */ + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s", fn); + return NULL; + } - if ((bio = BIO_new_file(fn, "rb")) == NULL) { - if (verbose > 0) - cryptowarnx("%s: BIO_new_file", fn); + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { + cryptowarnx("%s: BIO_new_fp", fn); return NULL; } Index: crl.c === RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v retrieving revision 1.7 diff -u -p -r1.7 crl.c --- crl.c 29 Nov 2019 04:40:04 - 1.7 +++ crl.c 1 Apr 2020 14:28:41 - @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned int rc = 0, sz; X509_CRL*x = NULL; BIO *bio = NULL, *shamd; + FILE*f; EVP_MD *md; char mdbuf[EVP_MAX_MD_SIZE]; - if ((bio = BIO_new_file(fn, "rb")) == NULL) { + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s", fn); + return NULL; + } + + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { if (verbose > 0) cryptowarnx("%s: BIO_new_file", fn); return NULL;
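Review bot: In the cert.c and crl.c hunks the failure branch of the new BIO_new_fp() call still reports `cryptowarnx("%s: BIO_new_file", fn);` and keeps it behind `if (verbose > 0)`, while the cms.c hunk renames the string to BIO_new_fp and drops the guard. The three call sites now do the same thing, so the message should name BIO_new_fp in all of them, and the verbose gating should be decided once and applied to all three, otherwise the same failure is logged for a .mft or .roa but stays silent for a certificate or CRL unless -v is given.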
rpki-client and non-existing files
Currently rpki-client logs missing files like this: rpki-client: ...trace: error:02FFF002:system library:func(4095):No such file or directory rpki-client: ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such file rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: BIO_new_file Yes, you need to read the errors in reverse and even then the errors are just hard to read. This ugly format is mostly to blame on the error stack of OpenSSL. As a workaround I switched to using fopen() and then BIO_new_fd() which does the same thing but allows me to get a nice error from fopen(): rpki-client: rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: No such file or directory Any opinions? -- :wq Claudio Index: cert.c === RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v retrieving revision 1.14 diff -u -p -r1.14 cert.c --- cert.c 26 Feb 2020 02:35:08 - 1.14 +++ cert.c 30 Mar 2020 11:40:28 - @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char * ASN1_OBJECT *obj; struct parse p; BIO *bio = NULL, *shamd; + FILE*f; EVP_MD *md; char mdbuf[EVP_MAX_MD_SIZE]; *xp = NULL; - if ((bio = BIO_new_file(fn, "rb")) == NULL) { + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s: fopen", fn); + return NULL; + } + + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { if (verbose > 0) cryptowarnx("%s: BIO_new_file", fn); return NULL; Index: cms.c === RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v retrieving revision 1.6 diff -u -p -r1.6 cms.c --- cms.c 29 Nov 2019 05:14:11 - 1.6 +++ cms.c 30 Mar 2020 11:40:23 - @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char ASN1_OCTET_STRING **os = NULL; BIO *bio = NULL, *shamd; CMS_ContentInfo *cms; + FILE*f; char buf[128], mdbuf[EVP_MAX_MD_SIZE]; int rc = 0, sz; STACK_OF(X509) *certs = NULL; 
@@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char * This is usually fopen() failure, so let it pass through to * the handler, which will in turn ignore the entity. */ + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s: fopen", fn); + return NULL; + } - if ((bio = BIO_new_file(fn, "rb")) == NULL) { - if (verbose > 0) - cryptowarnx("%s: BIO_new_file", fn); + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { + cryptowarnx("%s: BIO_new_fp", fn); return NULL; } Index: crl.c === RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v retrieving revision 1.7 diff -u -p -r1.7 crl.c --- crl.c 29 Nov 2019 04:40:04 - 1.7 +++ crl.c 30 Mar 2020 11:40:32 - @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned int rc = 0, sz; X509_CRL*x = NULL; BIO *bio = NULL, *shamd; + FILE*f; EVP_MD *md; char mdbuf[EVP_MAX_MD_SIZE]; - if ((bio = BIO_new_file(fn, "rb")) == NULL) { + if ((f = fopen(fn, "rb")) == NULL) { + warn("%s: fopen", fn); + return NULL; + } + + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) { if (verbose > 0) cryptowarnx("%s: BIO_new_file", fn); return NULL;
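Review bot: When `BIO_new_fp(f, BIO_CLOSE)` returns NULL, all three hunks (cert.c, cms.c, crl.c) return without closing f, so the stream opened by the fopen() just above is leaked. BIO_CLOSE only hands ownership of the FILE to a BIO that was actually created, so on this path nothing will ever close it. Suggest calling fclose(f) in that branch before `return NULL;`.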