OpenSC's use of OpenSSL ERR_print_errors_fp #2701

Closed
dengert opened this issue Feb 11, 2023 · 4 comments

Comments

@dengert
Member

dengert commented Feb 11, 2023

Problem Description

OpenSSL and other crypto libraries have a function ERR_print_errors_fp. OpenSC uses this in ./libopensc/card-iasecc.c, ./libopensc/card-piv.c, ./pkcs15init/pkcs15-oberthur-awp.c, ./tools/piv-tool.c, ./tools/sc-hsm-tool.c and ./tools/gids-tool.c to either print to opensc-debug.log or stderr.

Its use is most helpful during development. OpenSC code also detects failure within OpenSSL but not the specifics of why some call fails, which are contained in the OpenSSL error strings.

It would also be helpful to identify bad data passed to OpenSSL.

Proposed Resolution

Several issues to consider:

  • Call at the end of all OpenSC tools to collect any OpenSSL errors.
  • Call in OpenSC code when an error is returned and add to opensc-debug.log
  • Only call when a new debug level is set. Very few messages would be logged.
  • Log to opensc-debug.log but leave messages on the stack so a tool could also print to stderr on exit.
  • Only compile in code when some DEBUG flag is defined
  • Don't use at all.

My suggestion for the tools would be to either print to stderr as now or only when SC_LOG_DEBUG_VERBOSE_TOOL = 1, /* tools only: verbose */
In non-tool files use SC_LOG_DEBUG_NORMAL, /* helps developers */ i.e. 3. There should be very few of these errors, except for bad data.

This issue is in response to #2053 (comment)

@frankmorgner
Member

May be solved with #2922

@xhanulik
Contributor

@dengert please take a look at #2922; it should solve the problem with OpenSSL error logging

@dengert
Member Author

dengert commented Mar 14, 2024

Yes it looks like it will solve the problem.

@xhanulik
Contributor

Fixed with #2922.
