Re: rpki-client and non-existing files

2020-04-01 Thread Theo de Raadt
Claudio Jeker wrote:

> On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> > Currently rpki-client logs missing files like this:
> > 
> > rpki-client:  ...trace: error:02FFF002:system library:func(4095):No such 
> > file or directory
> > rpki-client:  ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such 
> > file
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> > BIO_new_file
> > 
> > Yes, you need to read the errors in reverse and even then the errors are
> > just hard to read.
> > 
> > This ugly format is mostly to blame on the error stack of OpenSSL.
> > As a workaround I switched to using fopen() and then BIO_new_fd()
> > which does the same thing but allows me to get a nice error from fopen():
> > 
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: 
> > No such file or directory
> > 
> > Any opinions?
> 
> This diff removes the fopen: from the warn string:
> 
> rpki-client: 
> rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such 
> file or directory
> 
> This is more in form with e.g.
> 
> rpki-client: 
> rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa:
>  CRL has expired

thank you, it was driving me crazy.



Re: rpki-client and non-existing files

2020-04-01 Thread Claudio Jeker
On Wed, Apr 01, 2020 at 09:42:42PM +0200, Sebastian Benoit wrote:
> ok
> 
> you remove the "if (verbose > 0)" in the cms_parse_validate() case on
> purpose?

Yes, since we use rpki-client in cron with the magic -n prefix it would be
nice to have enough verbosity to know why the process failed without
having to run rpki-client -v. So I kind of walked back from the
rpki-client must be silent by default unless a bad error happens case.
 
> Claudio Jeker (cje...@diehard.n-r-g.com) on 2020.04.01 16:33:44 +0200:
> > On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> > > Currently rpki-client logs missing files like this:
> > > 
> > > rpki-client:  ...trace: error:02FFF002:system library:func(4095):No such 
> > > file or directory
> > > rpki-client:  ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no 
> > > such file
> > > rpki-client: 
> > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> > > BIO_new_file
> > > 
> > > Yes, you need to read the errors in reverse and even then the errors are
> > > just hard to read.
> > > 
> > > This ugly format is mostly to blame on the error stack of OpenSSL.
> > > As a workaround I switched to using fopen() and then BIO_new_fd()
> > > which does the same thing but allows me to get a nice error from fopen():
> > > 
> > > rpki-client: 
> > > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> > > fopen: No such file or directory
> > > 
> > > Any opinions?
> > 
> > This diff removes the fopen: from the warn string:
> > 
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No 
> > such file or directory
> > 
> > This is more in form with e.g.
> > 
> > rpki-client: 
> > rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa:
> >  CRL has expired
> > 
> > -- 
> > :wq Claudio
> > 
> > Index: cert.c
> > ===
> > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> > retrieving revision 1.14
> > diff -u -p -r1.14 cert.c
> > --- cert.c  26 Feb 2020 02:35:08 -  1.14
> > +++ cert.c  1 Apr 2020 14:28:29 -
> > @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char *
> > ASN1_OBJECT *obj;
> > struct parse p;
> > BIO *bio = NULL, *shamd;
> > +   FILE*f;
> > EVP_MD  *md;
> > char mdbuf[EVP_MAX_MD_SIZE];
> >  
> > *xp = NULL;
> >  
> > -   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> > +   if ((f = fopen(fn, "rb")) == NULL) {
> > +   warn("%s", fn);
> > +   return NULL;
> > +   }
> > +
> > +   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
> > if (verbose > 0)
> > cryptowarnx("%s: BIO_new_file", fn);
> > return NULL;
> > Index: cms.c
> > ===
> > RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
> > retrieving revision 1.6
> > diff -u -p -r1.6 cms.c
> > --- cms.c   29 Nov 2019 05:14:11 -  1.6
> > +++ cms.c   1 Apr 2020 14:28:34 -
> > @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char
> > ASN1_OCTET_STRING   **os = NULL;
> > BIO *bio = NULL, *shamd;
> > CMS_ContentInfo *cms;
> > +   FILE*f;
> > char buf[128], mdbuf[EVP_MAX_MD_SIZE];
> > int  rc = 0, sz;
> > STACK_OF(X509)  *certs = NULL;
> > @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char
> >  * This is usually fopen() failure, so let it pass through to
> >  * the handler, which will in turn ignore the entity.
> >  */
> > +   if ((f = fopen(fn, "rb")) == NULL) {
> > +   warn("%s", fn);
> > +   return NULL;
> > +   }
> >  
> > -   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> > -   if (verbose > 0)
> > -   cryptowarnx("%s: BIO_new_file", fn);
> > +   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
> > +   cryptowarnx("%s: BIO_new_fp", fn);
> > return NULL;
> > }
> >  
> > Index: crl.c
> > ===
> > RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> > retrieving revision 1.7
> > diff -u -p -r1.7 crl.c
> > --- crl.c   29 Nov 2019 04:40:04 -  1.7
> > +++ crl.c   1 Apr 2020 14:28:41 -
> > @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned
> > int  rc = 0, sz;
> > X509_CRL*x = NULL;
> > BIO *bio = NULL, *shamd;
> > +   FILE*f;
> > EVP_MD  *md;
> > char mdbuf[EVP_MAX_MD_SIZE];
> >  
> > -   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> > +   if ((f = fopen(fn, "rb")) == NULL) {
> > +   warn("%s", fn);
> > +   return NULL;
> > +   }
> > +
> > +   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {

Re: rpki-client and non-existing files

2020-04-01 Thread Sebastian Benoit
ok

you remove the "if (verbose > 0)" in the cms_parse_validate() case on
purpose?

Claudio Jeker (cje...@diehard.n-r-g.com) on 2020.04.01 16:33:44 +0200:
> On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> > Currently rpki-client logs missing files like this:
> > 
> > rpki-client:  ...trace: error:02FFF002:system library:func(4095):No such 
> > file or directory
> > rpki-client:  ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such 
> > file
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> > BIO_new_file
> > 
> > Yes, you need to read the errors in reverse and even then the errors are
> > just hard to read.
> > 
> > This ugly format is mostly to blame on the error stack of OpenSSL.
> > As a workaround I switched to using fopen() and then BIO_new_fd()
> > which does the same thing but allows me to get a nice error from fopen():
> > 
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: 
> > No such file or directory
> > 
> > Any opinions?
> 
> This diff removes the fopen: from the warn string:
> 
> rpki-client: 
> rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such 
> file or directory
> 
> This is more in form with e.g.
> 
> rpki-client: 
> rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa:
>  CRL has expired
> 
> -- 
> :wq Claudio
> 
> Index: cert.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 cert.c
> --- cert.c26 Feb 2020 02:35:08 -  1.14
> +++ cert.c1 Apr 2020 14:28:29 -
> @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char *
>   ASN1_OBJECT *obj;
>   struct parse p;
>   BIO *bio = NULL, *shamd;
> + FILE*f;
>   EVP_MD  *md;
>   char mdbuf[EVP_MAX_MD_SIZE];
>  
>   *xp = NULL;
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
> +
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
>   if (verbose > 0)
>   cryptowarnx("%s: BIO_new_file", fn);
>   return NULL;
> Index: cms.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 cms.c
> --- cms.c 29 Nov 2019 05:14:11 -  1.6
> +++ cms.c 1 Apr 2020 14:28:34 -
> @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char
>   ASN1_OCTET_STRING   **os = NULL;
>   BIO *bio = NULL, *shamd;
>   CMS_ContentInfo *cms;
> + FILE*f;
>   char buf[128], mdbuf[EVP_MAX_MD_SIZE];
>   int  rc = 0, sz;
>   STACK_OF(X509)  *certs = NULL;
> @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char
>* This is usually fopen() failure, so let it pass through to
>* the handler, which will in turn ignore the entity.
>*/
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> - if (verbose > 0)
> - cryptowarnx("%s: BIO_new_file", fn);
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
> + cryptowarnx("%s: BIO_new_fp", fn);
>   return NULL;
>   }
>  
> Index: crl.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 crl.c
> --- crl.c 29 Nov 2019 04:40:04 -  1.7
> +++ crl.c 1 Apr 2020 14:28:41 -
> @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned
>   int  rc = 0, sz;
>   X509_CRL*x = NULL;
>   BIO *bio = NULL, *shamd;
> + FILE*f;
>   EVP_MD  *md;
>   char mdbuf[EVP_MAX_MD_SIZE];
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
> +
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
>   if (verbose > 0)
>   cryptowarnx("%s: BIO_new_file", fn);
>   return NULL;
> 



Re: rpki-client and non-existing files

2020-04-01 Thread Claudio Jeker
On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> Currently rpki-client logs missing files like this:
> 
> rpki-client:  ...trace: error:02FFF002:system library:func(4095):No such file 
> or directory
> rpki-client:  ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such 
> file
> rpki-client: 
> rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> BIO_new_file
> 
> Yes, you need to read the errors in reverse and even then the errors are
> just hard to read.
> 
> This ugly format is mostly to blame on the error stack of OpenSSL.
> As a workaround I switched to using fopen() and then BIO_new_fd()
> which does the same thing but allows me to get a nice error from fopen():
> 
> rpki-client: 
> rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: 
> No such file or directory
> 
> Any opinions?

This diff removes the fopen: from the warn string:

rpki-client: 
rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such 
file or directory

This is more in form with e.g.

rpki-client: 
rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa:
 CRL has expired

-- 
:wq Claudio

Index: cert.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.14
diff -u -p -r1.14 cert.c
--- cert.c  26 Feb 2020 02:35:08 -  1.14
+++ cert.c  1 Apr 2020 14:28:29 -
@@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char *
ASN1_OBJECT *obj;
struct parse p;
BIO *bio = NULL, *shamd;
+   FILE*f;
EVP_MD  *md;
char mdbuf[EVP_MAX_MD_SIZE];
 
*xp = NULL;
 
-   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
+   if ((f = fopen(fn, "rb")) == NULL) {
+   warn("%s", fn);
+   return NULL;
+   }
+
+   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
if (verbose > 0)
cryptowarnx("%s: BIO_new_file", fn);
return NULL;
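Review bot: the `BIO_new_fp()` failure branch leaks `f`. `BIO_CLOSE` only means the BIO will fclose() the FILE when the BIO is freed; when `BIO_new_fp()` returns NULL no BIO owns it, so an `fclose(f);` belongs before that `return NULL;`. The message in the same branch still reads `cryptowarnx("%s: BIO_new_file", fn);` although the call is now `BIO_new_fp()`; the cms.c part of this diff changes the string to `BIO_new_fp`, this one should too.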
Index: cms.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
retrieving revision 1.6
diff -u -p -r1.6 cms.c
--- cms.c   29 Nov 2019 05:14:11 -  1.6
+++ cms.c   1 Apr 2020 14:28:34 -
@@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char
ASN1_OCTET_STRING   **os = NULL;
BIO *bio = NULL, *shamd;
CMS_ContentInfo *cms;
+   FILE*f;
char buf[128], mdbuf[EVP_MAX_MD_SIZE];
int  rc = 0, sz;
STACK_OF(X509)  *certs = NULL;
@@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char
 * This is usually fopen() failure, so let it pass through to
 * the handler, which will in turn ignore the entity.
 */
+   if ((f = fopen(fn, "rb")) == NULL) {
+   warn("%s", fn);
+   return NULL;
+   }
 
-   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
-   if (verbose > 0)
-   cryptowarnx("%s: BIO_new_file", fn);
+   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
+   cryptowarnx("%s: BIO_new_fp", fn);
return NULL;
}
 
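Review bot: same missing `fclose(f)` on the `BIO_new_fp()` failure path as in cert.c. Two smaller points: the comment kept above the new block ("This is usually fopen() failure, so let it pass through to the handler") now sits over the separate `fopen()` check, so the `BIO_new_fp()` branch below it no longer matches what the comment describes; and this is the only one of the three callers where `if (verbose > 0)` is dropped, so a `BIO_new_fp()` failure is reported unconditionally here but only with -v in cert.c and crl.c. If dropping it is intended, as the reply says, cert.c and crl.c should follow for consistency.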
Index: crl.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
retrieving revision 1.7
diff -u -p -r1.7 crl.c
--- crl.c   29 Nov 2019 04:40:04 -  1.7
+++ crl.c   1 Apr 2020 14:28:41 -
@@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned
int  rc = 0, sz;
X509_CRL*x = NULL;
BIO *bio = NULL, *shamd;
+   FILE*f;
EVP_MD  *md;
char mdbuf[EVP_MAX_MD_SIZE];
 
-   if ((bio = BIO_new_file(fn, "rb")) == NULL) {
+   if ((f = fopen(fn, "rb")) == NULL) {
+   warn("%s", fn);
+   return NULL;
+   }
+
+   if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
if (verbose > 0)
cryptowarnx("%s: BIO_new_file", fn);
return NULL;
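Review bot: as in cert.c, `fclose(f)` is missing when `BIO_new_fp()` returns NULL, and the warning in that branch still says `"%s: BIO_new_file"` for what is now a `BIO_new_fp()` call.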
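The fopen()-then-wrap sequence the diff introduces, as an added example written for this page (it is not rpki-client code and does not link OpenSSL): `struct entity` and `entity_new_fp()` are assumed stand-ins for the BIO and for `BIO_new_fp(f, BIO_CLOSE)`, the FNV-1a sum stands in for the digest step (`shamd` in the hunks), and the paths and the temporary file are constructed. It shows the one thing the hunks leave out: `BIO_CLOSE` hands the FILE to the BIO only when the BIO is actually created, so the wrapper's failure path has to `fclose()` it itself, and a lowest-free-descriptor probe checks that nothing leaked. The error strings come out in the "path: reason" form the thread settles on.

```c
/* Added example, not rpki-client or OpenSSL code: entity/entity_new_fp() stand
 * in for the BIO and BIO_new_fp(f, BIO_CLOSE) of the diff, the FNV-1a sum for
 * the digest BIO. It adds the fclose() the diff's failure path lacks. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct entity { FILE *f; unsigned int sum; };	/* f owned after entity_new_fp() */
/* Like BIO_new_fp(f, BIO_CLOSE): ownership of f moves only on success. fopen(3)
 * opens a directory without complaint, so non-regular files are refused here. */
static struct entity *
entity_new_fp(FILE *f)
{
	struct stat	 st;
	struct entity	*e;

	if (fstat(fileno(f), &st) == -1)
		return NULL;
	if (!S_ISREG(st.st_mode)) {
		errno = S_ISDIR(st.st_mode) ? EISDIR : EINVAL;
		return NULL;
	}
	if ((e = calloc(1, sizeof(*e))) != NULL)
		e->f = f;
	return e;
}

/* The diff's open sequence plus the missing fclose(): when the wrapper fails,
 * nothing owns f yet. errbuf gets "fn: reason", the format the thread adopts. */
static struct entity *
entity_open(const char *fn, char *errbuf, size_t errlen)
{
	struct entity	*e;
	FILE		*f;
	int		 c;

	if ((f = fopen(fn, "rb")) == NULL) {
		snprintf(errbuf, errlen, "%s: %s", fn, strerror(errno));
		return NULL;
	}
	if ((e = entity_new_fp(f)) == NULL) {
		snprintf(errbuf, errlen, "%s: %s", fn, strerror(errno));
		fclose(f);	/* ownership never moved */
		return NULL;
	}
	for (e->sum = 2166136261u; (c = fgetc(e->f)) != EOF; )
		e->sum = (e->sum ^ (unsigned int)c) * 16777619u;
	return e;
}

/* Lowest free descriptor: it rises if a FILE leaked between two calls. */
static int
fd_probe(void)
{
	int	fd = open("/dev/null", O_RDONLY);
	if (fd != -1)
		close(fd);
	return fd;
}

/* Bitmask: 1 missing file reported as "path: No such file or directory",
 * 2 directory rejected with no leaked descriptor, 4 regular file read
 * (FNV-1a("abc") == 0x1a47e90b) and closed again. 7 means all three hold. */
static int
entity_demo(void)
{
	char		 path[] = "/tmp/entity-demo.XXXXXX";	/* constructed */
	char		 err[256];
	struct entity	*e;
	int		 fd, before, n, ok = 0;

	if (entity_open("/nonexistent/constructed.mft", err, sizeof err) == NULL &&
	    strcmp(err, "/nonexistent/constructed.mft: No such file or directory") == 0)
		ok |= 1;
	before = fd_probe();
	if (entity_open("/", err, sizeof err) == NULL &&
	    strstr(err, "Is a directory") != NULL && fd_probe() == before)
		ok |= 2;
	if ((fd = mkstemp(path)) == -1)
		return ok;
	n = write(fd, "abc", 3);
	close(fd);
	before = fd_probe();
	if (n == 3 && (e = entity_open(path, err, sizeof err)) != NULL) {
		if (e->sum == 0x1a47e90bu)
			ok |= 4;
		fclose(e->f);	/* what BIO_free() does under BIO_CLOSE */
		free(e);
		if (fd_probe() != before)
			ok &= ~4;
	}
	unlink(path);
	return ok;
}
```

`entity_demo()` returns 7 when all three cases behave; drop the `fclose(f)` in `entity_open()` and the directory case fails the descriptor check, which is the leak the diff's `BIO_new_fp()` branches carry.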