Commit 0e37e9e3 authored by Evan Hunt's avatar Evan Hunt

[master] silence noisy OpenSSL logging

3402.	[bug]		Correct interface numbers for IPv4 and IPv6 interfaces.
parent 24d82119
......@@ -275,7 +275,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
ret = dst_context_create(key, mctx, &ctx);
ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
......@@ -471,7 +471,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
}
again:
ret = dst_context_create(key, mctx, &ctx);
ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
......@@ -562,7 +562,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
"sucessfully validated after lower casing "
"successfully validated after lower casing "
"signer '%s'", namebuf);
inc_stat(dns_dnssecstats_downcase);
} else if (ret == ISC_R_SUCCESS)
......@@ -871,7 +871,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_context_create(key, mctx, &ctx));
RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
/*
* Digest the fields of the SIG - we can cheat and use
......@@ -1021,7 +1021,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
goto failure;
}
RETERR(dst_context_create(key, mctx, &ctx));
RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
/*
* Digest the SIG(0) record, except for the signature.
......
......@@ -293,6 +293,13 @@ dst_ds_digest_supported(unsigned int digest_type) {
isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
return (dst_context_create2(key, mctx,
DNS_LOGCATEGORY_GENERAL, dctxp));
}
isc_result_t
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
isc_logcategory_t *category, dst_context_t **dctxp) {
dst_context_t *dctx;
isc_result_t result;
......@@ -311,6 +318,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
return (ISC_R_NOMEMORY);
dctx->key = key;
dctx->mctx = mctx;
dctx->category = category;
result = key->func->createctx(key, dctx);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, dctx, sizeof(dst_context_t));
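Review bot: `dst_context_create2` stores `category` (L59) without checking it, and the stored pointer is later passed straight to `isc_log_write` from `dst__openssl_toresult3` (L121, L130), so a NULL category from some future caller would only surface inside an error path at log time. A `REQUIRE(category != NULL);` next to the function's other argument checks would fail fast at the call site instead; the start of the function body (L51-54) and the rest of it lie outside these hunks. Setting `dctx->category` before `key->func->createctx(key, dctx)` (L59-60) is the right order, since the backends' createctx already reads `dctx->category` (e.g. L194, L255); a one-line comment `/* set before createctx(): backends log through dctx->category */` would keep a later reorder from breaking that.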
......
......@@ -138,6 +138,7 @@ struct dst_context {
unsigned int magic;
dst_key_t *key;
isc_mem_t *mctx;
isc_logcategory_t *category;
union {
void *generic;
dst_gssapi_signverifyctx_t *gssctx;
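Review bot: The new `isc_logcategory_t *category;` member (L68) has no comment, unlike the purpose of the fields around it being evident from their names. Suggest `/* log category for errors reported by the crypto backend while this context is in use */`, which is what the backends do with it via `dst__openssl_toresult3`. The enclosing `struct dst_context` continues past the hunk.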
......
......@@ -21,6 +21,7 @@
#define DST_OPENSSL_H 1
#include <isc/lang.h>
#include <isc/log.h>
#include <isc/result.h>
#include <openssl/err.h>
......@@ -42,6 +43,10 @@ dst__openssl_toresult(isc_result_t fallback);
isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category,
const char *funcname, isc_result_t fallback);
#ifdef USE_ENGINE
ENGINE *
dst__openssl_getengine(const char *engine);
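Review bot: The new prototype `dst__openssl_toresult3` (L83-84) carries no comment, and the relationship between the three `toresult` variants is only discoverable by reading openssl.c. Suggest a short comment above it: `/* As dst__openssl_toresult2(), but logs under 'category' rather than DNS_LOGCATEGORY_GENERAL. */`, which matches the wrapper at L109-110 and the `isc_log_write` calls at L121 and L130.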
......
......@@ -26,6 +26,7 @@
#include <isc/stdtime.h>
#include <dns/types.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/secalg.h>
#include <dns/ds.h>
......@@ -181,6 +182,11 @@ dst_ds_digest_supported(unsigned int digest_type);
isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
isc_result_t
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
isc_logcategory_t *category, dst_context_t **dctxp);
/*%<
* Creates a context to be used for a sign or verify operation.
*
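Review bot: The doc block starting at L102 now follows `dst_context_create2` but says nothing about the added `category` parameter, so a reader cannot tell from the header what it controls. Suggest adding to that block ` * 'category' is the log category used when the underlying crypto library reports an error during the sign or verify operation; dst_context_create() uses DNS_LOGCATEGORY_GENERAL.` The latter clause is grounded in the wrapper at L47-48; the rest of the doc block is outside the hunk.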
......
......@@ -329,6 +329,13 @@ dst__openssl_toresult(isc_result_t fallback) {
isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
funcname, fallback));
}
isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category,
const char *funcname, isc_result_t fallback) {
isc_result_t result;
unsigned long err;
const char *file, *data;
......@@ -337,7 +344,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
result = toresult(fallback);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
"%s failed (%s)", funcname,
isc_result_totext(result));
......@@ -350,7 +357,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
if (err == 0U)
goto done;
ERR_error_string_n(err, buf, sizeof(buf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
"%s:%s:%d:%s", buf, file, line,
(flags & ERR_TXT_STRING) ? data : "");
......
......@@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
EVP_PKEY_free(pkey);
free(sigbuf);
return (dst__openssl_toresult2("EVP_SignFinal",
return (dst__openssl_toresult3(dctx->category,
"EVP_SignFinal",
ISC_R_FAILURE));
}
INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
......@@ -182,25 +183,30 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
sb = sigbuf;
if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
free(sigbuf);
return (dst__openssl_toresult2("d2i_DSA_SIG", ISC_R_FAILURE));
return (dst__openssl_toresult3(dctx->category,
"d2i_DSA_SIG",
ISC_R_FAILURE));
}
free(sigbuf);
#elif 0
/* Only use EVP for the Digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
return (dst__openssl_toresult2("EVP_DigestFinal_ex",
return (dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal_ex",
ISC_R_FAILURE));
}
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL)
return (dst__openssl_toresult2("DSA_do_sign",
return (dst__openssl_toresult3(dctx->category,
"DSA_do_sign",
DST_R_SIGNFAILURE));
#else
isc_sha1_final(sha1ctx, digest);
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL)
return (dst__openssl_toresult2("DSA_do_sign",
return (dst__openssl_toresult3(dctx->category,
"DSA_do_sign",
DST_R_SIGNFAILURE));
#endif
*r.base++ = (key->key_size - 512)/64;
......@@ -286,7 +292,8 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default:
return (dst__openssl_toresult2("DSA_do_verify",
return (dst__openssl_toresult3(dctx->category,
"DSA_do_verify",
DST_R_VERIFYFAILURE));
}
}
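Review bot: The `#elif 0` branch of `openssldsa_sign` (L155-162) is compiled out, yet it was updated to the new `dst__openssl_toresult3` call (L159-161) alongside the live `#else` branch. Keeping a dead alternate in step with every API change costs review effort and gives no compile-time feedback on whether it still builds; either drop the branch or add a comment on L155 such as `/* kept as a reference for an EVP-digest-only variant; not compiled */` so the next editor knows it is intentional. `openssldsa_sign` begins before the first hunk and the function body between the hunks is not shown.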
......
......@@ -73,7 +73,8 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
return (dst__openssl_toresult2("EVP_DigestInit_ex",
return (dst__openssl_toresult3(dctx->category,
"EVP_DigestInit_ex",
ISC_R_FAILURE));
}
......@@ -103,7 +104,8 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
dctx->key->key_alg == DST_ALG_ECDSA384);
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
return (dst__openssl_toresult2("EVP_DigestUpdate",
return (dst__openssl_toresult3(dctx->category,
"EVP_DigestUpdate",
ISC_R_FAILURE));
return (ISC_R_SUCCESS);
......@@ -147,12 +149,14 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DST_RET(ISC_R_NOSPACE);
if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
DST_RET(dst__openssl_toresult2("EVP_DigestFinal",
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal",
ISC_R_FAILURE));
ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
if (ecdsasig == NULL)
DST_RET(dst__openssl_toresult2("ECDSA_do_sign",
DST_RET(dst__openssl_toresult3(dctx->category,
"ECDSA_do_sign",
DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
r.base += siglen / 2;
......@@ -196,7 +200,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
return (DST_R_VERIFYFAILURE);
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex",
DST_RET (dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal_ex",
ISC_R_FAILURE));
ecdsasig = ECDSA_SIG_new();
......@@ -216,7 +221,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
break;
default:
ret = dst__openssl_toresult2("ECDSA_do_verify",
ret = dst__openssl_toresult3(dctx->category,
"ECDSA_do_verify",
DST_R_VERIFYFAILURE);
break;
}
......
......@@ -127,7 +127,8 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default:
return (dst__openssl_toresult2("EVP_VerifyFinal",
return (dst__openssl_toresult3(dctx->category,
"EVP_VerifyFinal",
DST_R_VERIFYFAILURE));
}
}
......
......@@ -163,7 +163,8 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
return (dst__openssl_toresult2("EVP_DigestInit_ex",
return (dst__openssl_toresult3(dctx->category,
"EVP_DigestInit_ex",
ISC_R_FAILURE));
}
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
......@@ -312,7 +313,8 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
#if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (dst__openssl_toresult2("EVP_DigestUpdate",
return (dst__openssl_toresult3(dctx->category,
"EVP_DigestUpdate",
ISC_R_FAILURE));
}
#else
......@@ -402,7 +404,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
return (ISC_R_NOSPACE);
if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
return (dst__openssl_toresult2("EVP_SignFinal",
return (dst__openssl_toresult3(dctx->category,
"EVP_SignFinal",
ISC_R_FAILURE));
}
#else
......@@ -496,7 +499,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
#endif
if (status == 0)
return (dst__openssl_toresult2("RSA_sign",
return (dst__openssl_toresult3(dctx->category,
"RSA_sign",
DST_R_OPENSSLFAILURE));
#endif
......@@ -542,6 +546,16 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
return (DST_R_VERIFYFAILURE);
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
switch (status) {
case 1:
return (ISC_R_SUCCESS);
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default:
return (dst__openssl_toresult3(dctx->category,
"EVP_VerifyFinal",
DST_R_VERIFYFAILURE));
}
#else
if (BN_num_bits(rsa->e) > maxbits && maxbits != 0)
return (DST_R_VERIFYFAILURE);
......@@ -630,7 +644,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
original, rsa,
RSA_PKCS1_PADDING);
if (status <= 0)
return (dst__openssl_toresult2(
return (dst__openssl_toresult3(
dctx->category,
"RSA_public_decrypt",
DST_R_VERIFYFAILURE));
if (status != (int)(prefixlen + digestlen))
......@@ -650,13 +665,11 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
INSIST(type != 0);
status = RSA_verify(type, digest, digestlen, sig->base,
RSA_size(rsa), rsa);
#endif
#endif
if (status != 1)
return (dst__openssl_toresult2("RSA_verify",
DST_R_VERIFYFAILURE));
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS);
#endif
}
static isc_result_t
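Review bot: In the non-EVP branch of `opensslrsa_verify2` (L319-322) an `RSA_verify` failure now returns through the one-argument `dst__openssl_toresult`, so the function name is no longer reported; per OpenSSL's documentation `RSA_verify` returns 0 for both a bad signature and an internal library error, so any error-queue detail on that path is now dropped unless `dst__openssl_toresult` itself drains and logs it (its body is outside the hunks). The EVP branch (L290-299) keeps a logging `default:` case for negative returns, so the two branches now differ in what they report for an internal error. If silencing only the expected bad-signature case is the intent, record the tradeoff on L319 with `/* RSA_verify() does not distinguish a bad signature from a library error; neither is logged here. */`. The function starts before L287 and its `#if USE_EVP` / `#else` structure is only partly visible.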
......
......@@ -942,7 +942,8 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
ret = dst_context_create(key->key, mctx, &ctx);
ret = dst_context_create2(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
......@@ -1326,7 +1327,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
ret = dst_context_create(key, mctx, &ctx);
ret = dst_context_create2(key, mctx,
DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
......@@ -1557,7 +1559,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
key = tsigkey->key;
if (msg->tsigctx == NULL) {
ret = dst_context_create(key, mctx, &msg->tsigctx);
ret = dst_context_create2(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
&msg->tsigctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
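Review bot: All three TSIG sites (`dns_tsig_sign` L332-333, `dns_tsig_verify` L340-341, `tsig_verify_tcp` L348-350) now create their context with `DNS_LOGCATEGORY_DNSSEC`, so crypto-backend failures during TSIG processing will appear under the dnssec log category rather than general; operators filtering that category will see TSIG errors there, which is not obvious from the call. A one-line comment at the first site, `/* OpenSSL failures for this context are logged under the dnssec category */`, would make the routing explicit; if the project has a category better suited to TSIG, that would be worth considering instead. Each enclosing function begins before its hunk.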
......