error message oddity

Jeremy Harris
OpenSSL 1.1.0h-fips

On OpenSuse tumbleweed I'm getting an error message lacking
the last component:

    error:02001002:system library:fopen:

This is for a deliberately-triggered error, on calling
SSL_CTX_use_certificate_chain_file() with a non-existent file.

The global "errno" is properly set at 2 (ENOENT) between the
return from SSL_CTX_use_certificate_chain_file() and the call
to ERR_error_string_n(ERR_get_error(), ...) - and a call
to strerr() gets the correct string.

I don't recall seeing this particular oddity on any of my
other distribution systems that I run the same test code on.
Other systems get:

    error:xxxxxxxx:system library:fopen:No such file or directory

for assorted values of xxxxxxxx (I'm also testing across
library release versions).


Any clues?  Does anyone else see this, or have I borked the
installation somehow?
--
Thanks,
  Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: error message oddity

Viktor Dukhovni
> On Nov 25, 2018, at 3:17 PM, Jeremy Harris <[hidden email]> wrote:
>
> OpenSSL 1.1.0h-fips

FWIW (not germane to this issue), there is no FIPS module for OpenSSL 1.1.0,
so the package name is rather misleading.

> On OpenSuse tumbleweed I'm getting an error message lacking
> the last component:
>
>    error:02001002:system library:fopen:
>
> This is for a deliberately-triggered error, on calling
> SSL_CTX_use_certificate_chain_file() with a non-existent file.
>
> The global "errno" is properly set at 2 (ENOENT) between the
> return from SSL_CTX_use_certificate_chain_file() and the call
> to ERR_error_string_n(ERR_get_error(), ...) - and a call
> to strerr() gets the correct string.

The only thing that comes to mind is that errno is thread-specific,
and there may be some issue with compiler or linker flags that leads
to a wrong implementation of the accessor.

> I don't recall seeing this particular oddity on any of my
> other distribution system that I run the same test code on.
> Other systems get:
>
>    error:xxxxxxxx:system library:fopen:No such file or directory
>
> for assorted values of xxxxxxxx (I'm also testing across
> library release versions).
>
>
> Any clues?  Does anyone else see this, or have I borked the
> installation somehow?

I would try to rebuild, paying attention to the thread support
flags.  If that fails, ask on an OpenSuse list.  It seems the
issue is rather platform-specific.

--
        Viktor.


Re: error message oddity

Viktor Dukhovni
> On Nov 25, 2018, at 4:23 PM, Jeremy Harris <[hidden email]> wrote:
>
> That isn't the package name, it is text defined in openssl/opensslv.h

That happens when "OPENSSL_FIPS" is defined:

  # define OPENSSL_VERSION_NUMBER  0x101000b0L
  # ifdef OPENSSL_FIPS
  #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-fips-dev  xx XXX xxxx"
  # else
  #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-dev  xx XXX xxxx"
  # endif

Given no FIPS for 1.1.x, perhaps that "#ifdef" should be "#if 0".  With
1.1.x the "Configure" arguments should not mention "fips".

--
        Viktor.


Re: error message oddity

OpenSSL - User mailing list
On 25/11/2018 22:30, Viktor Dukhovni wrote:

>> On Nov 25, 2018, at 4:23 PM, Jeremy Harris <[hidden email]> wrote:
>>
>> That isn't the package name, it is text defined in openssl/opensslv.h
> That happens when "OPENSSL_FIPS" is defined:
>
>    # define OPENSSL_VERSION_NUMBER  0x101000b0L
>    # ifdef OPENSSL_FIPS
>    #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-fips-dev  xx XXX xxxx"
>    # else
>    #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-dev  xx XXX xxxx"
>    # endif
>
> Given no FIPS for 1.1.x, perhaps that "#ifdef" should be "#if 0".  With
> 1.1.x the "Configure" arguments should not mention "fips".
>
A better solution would be to have a separate part of the 1.1.0/1.1.1
headers error out hard (with #error) if attempting to build with
OPENSSL_FIPS defined.

This would preserve all the FIPS-related stuff (such as the above
version naming code) for when a FIPS module for 1.1.x is provided,
while leaving the blocking of accidental miscompilation in a clear
location having no other effects.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: error message oddity

Michael Wojcik

You might want to check what strerror_r gives you, rather than strerror, since on GCC platforms that's what OpenSSL uses.


Also, OpenSSL builds its table of error strings at startup (or, for older versions, when you tell it to). It's conceivable an application's NLS settings changed between the time when OpenSSL built its table and the time when the error occurred, which could result in different text from OpenSSL and from a strerror or strerror_r at the point of failure.


From: openssl-users <[hidden email]> on behalf of Jakob Bohm via openssl-users <[hidden email]>
Sent: Monday, November 26, 2018 11:13:35 AM
To: [hidden email]
Subject: Re: [openssl-users] error message oddity
 
On 25/11/2018 22:30, Viktor Dukhovni wrote:
>> On Nov 25, 2018, at 4:23 PM, Jeremy Harris <[hidden email]> wrote:
>>
>> That isn't the package name, it is text defined in openssl/opensslv.h
> That happens when "OPENSSL_FIPS" is defined:
>
>    # define OPENSSL_VERSION_NUMBER  0x101000b0L
>    # ifdef OPENSSL_FIPS
>    #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-fips-dev  xx XXX xxxx"
>    # else
>    #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0k-dev  xx XXX xxxx"
>    # endif
>
> Given no FIPS for 1.1.x, perhaps that "#ifdef" should be "#if 0".  With
> 1.1.x the "Configure" arguments should not mention "fips".
>
A better solution would be to have a separate part of the 1.1.0/1.1.1
headers error out hard (with #error) if attempting to build with
OPENSSL_FIPS defined.

This would preserve all the FIPS-related stuff (such as the above
version naming code) for when a FIPS module for 1.1.x is provided,
while leaving the blocking of accidental miscompilation in a clear
location having no other effects.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
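
Added example, not part of the thread or of OpenSSL: a small probe for the check suggested in Michael Wojcik's reply above, comparing the text from strerror() with the text from strerror_r() for ENOENT and recording whether strerror_r() wrote into the caller's buffer or only returned a pointer. The struct and function names are hypothetical, and selecting the glibc/GNU variant via `__GLIBC__` and `_GNU_SOURCE` is an assumption of this sketch.

```c
/* Ask for POSIX declarations if the build has not already chosen a level. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Result of probing one errno value (hypothetical names). */
struct errtext_probe {
    char via_strerror[128];   /* text from strerror() */
    char via_strerror_r[128]; /* text strerror_r() designates */
    int  buffer_filled;       /* did strerror_r() write into our buffer? */
};

/* glibc with _GNU_SOURCE: strerror_r() returns char*, which may point at a
 * static string and leave buf untouched. XSI variant: returns int and
 * writes the text into buf. Reading the wrong one yields an empty string. */
static const char *call_strerror_r(int err, char *buf, size_t len)
{
    buf[0] = '\0';
#if defined(__GLIBC__) && defined(_GNU_SOURCE)
    return strerror_r(err, buf, len);                 /* use the return value */
#else
    return strerror_r(err, buf, len) == 0 ? buf : ""; /* use the buffer */
#endif
}

struct errtext_probe probe_errno_text(int err)
{
    struct errtext_probe p;
    char buf[128];
    const char *r = call_strerror_r(err, buf, sizeof buf);

    snprintf(p.via_strerror, sizeof p.via_strerror, "%s", strerror(err));
    snprintf(p.via_strerror_r, sizeof p.via_strerror_r, "%s", r);
    p.buffer_filled = (buf[0] != '\0');
    return p;
}

int main(void)
{
    struct errtext_probe p = probe_errno_text(ENOENT);
    printf("strerror   : \"%s\"\n", p.via_strerror);
    printf("strerror_r : \"%s\" (caller buffer %s)\n", p.via_strerror_r,
           p.buffer_filled ? "filled" : "left empty");
    return 0;
}
```

Building it once with and once without `-D_GNU_SOURCE` on the affected system shows which strerror_r() variant the toolchain selects and whether the buffer is left empty.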
