Commit 6eb6af67 authored by Mark Andrews's avatar Mark Andrews

3354. [func] Improve OpenSSL error logging. [RT #29932]

parent 141ae50a
3354. [func] Improve OpenSSL error logging. [RT #29932]
3353. [bug] Use a single task for task exclusive operations.
[RT #29872]
......
......@@ -179,7 +179,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
if (p == NULL) {
t_info("getcwd failed %d\n", errno);
++*nprobs;
return;
goto cleanup;
}
ret = dst_key_fromfile(name1, id1, alg, type, current, mctx, &key1);
......@@ -187,7 +187,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_key_fromfile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
ret = dst_key_fromfile(name2, id2, alg, type, current, mctx, &key2);
......@@ -195,7 +195,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_key_fromfile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
ret = isc_file_mktemplate("/tmp/", tmp, sizeof(tmp));
......@@ -203,7 +203,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("isc_file_mktemplate failed %s\n",
isc_result_totext(ret));
++*nprobs;
return;
goto cleanup;
}
ret = isc_dir_createunique(tmp);
......@@ -211,7 +211,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("isc_dir_createunique failed %s\n",
isc_result_totext(ret));
++*nprobs;
return;
goto cleanup;
}
ret = dst_key_tofile(key1, type, tmp);
......@@ -219,7 +219,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_key_tofile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
ret = dst_key_tofile(key2, type, tmp);
......@@ -227,7 +227,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_key_tofile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
cleandir(tmp);
......@@ -238,7 +238,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_computesecret() returned: %s\n",
dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
isc_buffer_init(&b2, array2, sizeof(array2));
......@@ -247,7 +247,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info("dst_computesecret() returned: %s\n",
dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
isc_buffer_usedregion(&b1, &r1);
......@@ -256,11 +256,14 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
{
t_info("computed secrets don't match\n");
++*nfails;
return;
goto cleanup;
}
dst_key_free(&key1);
dst_key_free(&key2);
cleanup:
if (key1 != NULL)
dst_key_free(&key1);
if (key2 != NULL)
dst_key_free(&key2);
}
static void
......@@ -382,12 +385,14 @@ generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
t_info("dst_key_generate(%d) returned: %s\n", alg,
dst_result_totext(ret));
++*nfails;
return;
goto cleanup;
}
if (alg != DST_ALG_DH)
use(key, mctx, ISC_R_SUCCESS, nfails);
dst_key_free(&key);
cleanup:
if (key != NULL)
dst_key_free(&key);
}
#define DBUFSIZ 25
......@@ -839,14 +844,20 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_create returned %s\n",
isc_result_totext(isc_result));
(void) free(data);
dst_key_free(&key);
++*nfails;
return;
}
isc_result = dst_context_adddata(ctx, &datareg);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_adddata returned %s\n",
isc_result_totext(isc_result));
(void) free(data);
dst_context_destroy(&ctx);
dst_key_free(&key);
++*nfails;
return;
}
isc_result = dst_context_verify(ctx, &sigreg);
if ( ((exp_res == 0) && (isc_result != ISC_R_SUCCESS)) ||
......@@ -855,7 +866,6 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
t_info("dst_context_verify returned %s, expected %s\n",
isc_result_totext(isc_result),
expected_result);
dst_context_destroy(&ctx);
++*nfails;
}
......
......@@ -18,4 +18,4 @@
if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
../../pkcs11/pkcs11-destroy -s 0 -p 1234
../../pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234
......@@ -45,9 +45,9 @@ DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
CHECKDS=$TOP/bin/python/dnssec-checkds
CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s 0 -p 1234"
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
......
......@@ -92,13 +92,13 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
#define CHECK(x) \
if ((x) != 1) { \
EVP_MD_CTX_cleanup(&ctx); \
return (DST_R_OPENSSLFAILURE); \
return (DST_R_CRYPTOFAILURE); \
}
case DNS_DSDIGEST_GOST:
md = EVP_gost();
if (md == NULL)
return (DST_R_OPENSSLFAILURE);
return (DST_R_CRYPTOFAILURE);
EVP_MD_CTX_init(&ctx);
CHECK(EVP_DigestInit(&ctx, md));
dns_name_toregion(name, &r);
......
......@@ -39,6 +39,9 @@ ISC_LANG_BEGINDECLS
isc_result_t
dst__openssl_toresult(isc_result_t fallback);
isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
#ifdef USE_ENGINE
ENGINE *
dst__openssl_getengine(const char *engine);
......
......@@ -30,7 +30,7 @@
static const char *text[DST_R_NRESULTS] = {
"algorithm is unsupported", /*%< 0 */
"openssl failure", /*%< 1 */
"crypto failure", /*%< 1 */
"built with no crypto support", /*%< 2 */
"illegal operation for a null key", /*%< 3 */
"public key is invalid", /*%< 4 */
......
......@@ -75,6 +75,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_ACACHE (&dns_modules[25])
#define DNS_LOGMODULE_DLZ (&dns_modules[26])
#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28])
ISC_LANG_BEGINDECLS
......
......@@ -34,7 +34,9 @@
#include <isc/result.h> /* Contractual promise. */
#define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0)
#define DST_R_OPENSSLFAILURE (ISC_RESULTCLASS_DST + 1)
#define DST_R_CRYPTOFAILURE (ISC_RESULTCLASS_DST + 1)
/* compat */
#define DST_R_OPENSSLFAILURE DST_R_CRYPTOFAILURE
#define DST_R_NOCRYPTO (ISC_RESULTCLASS_DST + 2)
#define DST_R_NULLKEY (ISC_RESULTCLASS_DST + 3)
#define DST_R_INVALIDPUBLICKEY (ISC_RESULTCLASS_DST + 4)
......
......@@ -81,6 +81,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/acache", 0 },
{ "dns/dlz", 0 },
{ "dns/dnssec", 0 },
{ "dns/crypto", 0 },
{ NULL, 0 }
};
......
......@@ -45,6 +45,8 @@
#include <isc/thread.h>
#include <isc/util.h>
#include <dns/log.h>
#include <dst/result.h>
#include "dst_internal.h"
......@@ -172,6 +174,8 @@ dst__openssl_init(const char *engine) {
CRYPTO_set_locking_callback(lock_callback);
CRYPTO_set_id_callback(id_callback);
ERR_load_crypto_strings();
rm = mem_alloc(sizeof(RAND_METHOD));
if (rm == NULL) {
result = ISC_R_NOMEMORY;
......@@ -285,7 +289,7 @@ dst__openssl_destroy() {
isc_result_t
dst__openssl_toresult(isc_result_t fallback) {
isc_result_t result = fallback;
int err = ERR_get_error();
unsigned long err = ERR_get_error();
switch (ERR_GET_REASON(err)) {
case ERR_R_MALLOC_FAILURE:
......@@ -298,6 +302,40 @@ dst__openssl_toresult(isc_result_t fallback) {
return (result);
}
isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
isc_result_t result = fallback;
unsigned long err = ERR_peek_error();
const char *file, *data;
int line, flags;
char buf[256];
switch (ERR_GET_REASON(err)) {
case ERR_R_MALLOC_FAILURE:
result = ISC_R_NOMEMORY;
goto done;
default:
break;
}
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
"%s failed", funcname);
for (;;) {
err = ERR_get_error_line_data(&file, &line, &data, &flags);
if (err == 0)
goto done;
ERR_error_string_n(err, buf, sizeof(buf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
"%s:%s:%d:%s", buf, file, line,
(flags & ERR_TXT_STRING) ? data : "");
}
done:
ERR_clear_error();
return (result);
}
#if defined(USE_ENGINE)
ENGINE *
dst__openssl_getengine(const char *engine) {
......
......@@ -94,7 +94,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
return (ISC_R_NOSPACE);
ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
if (ret == 0)
return (dst__openssl_toresult(DST_R_COMPUTESECRETFAILURE));
return (dst__openssl_toresult2("DH_compute_key",
DST_R_COMPUTESECRETFAILURE));
isc_buffer_add(secret, len);
return (ISC_R_SUCCESS);
}
......@@ -204,7 +205,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
dh = DH_new();
if (dh == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult(ISC_R_NOMEMORY));
if (callback == NULL) {
BN_GENCB_set_old(&cb, NULL, NULL);
......@@ -216,7 +217,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
if (!DH_generate_parameters_ex(dh, key->key_size, generator,
&cb)) {
DH_free(dh);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2(
"DH_generate_parameters_ex",
DST_R_OPENSSLFAILURE));
}
#else
dh = DH_generate_parameters(key->key_size, generator,
......@@ -225,11 +228,13 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
}
if (dh == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("DH_generate_parameters",
DST_R_OPENSSLFAILURE));
if (DH_generate_key(dh) == 0) {
DH_free(dh);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("DH_generate_key",
DST_R_OPENSSLFAILURE));
}
dh->flags &= ~DH_FLAG_CACHE_MONT_P;
......@@ -460,6 +465,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
dh = key->keydata.dh;
memset(bufs, 0, sizeof(bufs));
for (i = 0; i < 4; i++) {
bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
if (bufs[i] == NULL) {
......
......@@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
EVP_PKEY_free(pkey);
free(sigbuf);
return (ISC_R_FAILURE);
return (dst__openssl_toresult2("EVP_SignFinal",
ISC_R_FAILURE));
}
INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
EVP_PKEY_free(pkey);
......@@ -181,23 +182,26 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
sb = sigbuf;
if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
free(sigbuf);
return (ISC_R_FAILURE);
return (dst__openssl_toresult2("d2i_DSA_SIG", ISC_R_FAILURE));
}
free(sigbuf);
#elif 0
/* Only use EVP for the Digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
return (ISC_R_FAILURE);
return (dst__openssl_toresult2("EVP_DigestFinal_ex",
ISC_R_FAILURE));
}
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL)
return (dst__openssl_toresult(DST_R_SIGNFAILURE));
return (dst__openssl_toresult2("DSA_do_sign",
DST_R_SIGNFAILURE));
#else
isc_sha1_final(sha1ctx, digest);
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL)
return (dst__openssl_toresult(DST_R_SIGNFAILURE));
return (dst__openssl_toresult2("DSA_do_sign",
DST_R_SIGNFAILURE));
#endif
*r.base++ = (key->key_size - 512)/64;
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
......@@ -276,10 +280,15 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
#endif
DSA_SIG_free(dsasig);
if (status != 1)
switch (status) {
case 1:
return (ISC_R_SUCCESS);
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS);
default:
return (dst__openssl_toresult2("DSA_do_verify",
DST_R_VERIFYFAILURE));
}
}
static isc_boolean_t
......@@ -370,19 +379,22 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
&cb))
{
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("DSA_generate_parameters_ex",
DST_R_OPENSSLFAILURE));
}
#else
dsa = DSA_generate_parameters(key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
NULL, NULL);
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("DSA_generate_parameters",
DST_R_OPENSSLFAILURE));
#endif
if (DSA_generate_key(dsa) == 0) {
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("DSA_generate_key",
DST_R_OPENSSLFAILURE));
}
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
......
......@@ -73,7 +73,8 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx);
return (ISC_R_FAILURE);
return (dst__openssl_toresult2("EVP_DigestInit_ex",
ISC_R_FAILURE));
}
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
......@@ -102,7 +103,8 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
dctx->key->key_alg == DST_ALG_ECDSA384);
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
return (ISC_R_FAILURE);
return (dst__openssl_toresult2("EVP_DigestUpdate",
ISC_R_FAILURE));
return (ISC_R_SUCCESS);
}
......@@ -145,11 +147,13 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DST_RET(ISC_R_NOSPACE);
if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
DST_RET(ISC_R_FAILURE);
DST_RET(dst__openssl_toresult2("EVP_DigestFinal",
ISC_R_FAILURE));
ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
if (ecdsasig == NULL)
DST_RET(dst__openssl_toresult(DST_R_SIGNFAILURE));
DST_RET(dst__openssl_toresult2("ECDSA_do_sign",
DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
r.base += siglen / 2;
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
......@@ -192,7 +196,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
return (DST_R_VERIFYFAILURE);
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
DST_RET (ISC_R_FAILURE);
DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex",
ISC_R_FAILURE));
ecdsasig = ECDSA_SIG_new();
if (ecdsasig == NULL)
......@@ -203,9 +208,18 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
/* cp += siglen / 2; */
status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
if (status != 1)
DST_RET (dst__openssl_toresult(DST_R_VERIFYFAILURE));
ret = ISC_R_SUCCESS;
switch (status) {
case 1:
ret = ISC_R_SUCCESS;
break;
case 0:
ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
break;
default:
ret = dst__openssl_toresult2("ECDSA_do_verify",
DST_R_VERIFYFAILURE);
break;
}
err:
if (ecdsasig != NULL)
......@@ -278,10 +292,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
eckey = EC_KEY_new_by_curve_name(group_nid);
if (eckey == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
DST_R_OPENSSLFAILURE));
if (EC_KEY_generate_key(eckey) != 1)
DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
DST_RET (dst__openssl_toresult2("EC_KEY_generate_key",
DST_R_OPENSSLFAILURE));
pkey = EVP_PKEY_new();
if (pkey == NULL)
......@@ -334,7 +350,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
pkey = key->keydata.pkey;
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (eckey == NULL)
return (ISC_R_FAILURE);
return (dst__openssl_toresult(ISC_R_FAILURE));
len = i2o_ECPublicKey(eckey, NULL);
/* skip form */
len--;
......@@ -344,7 +360,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
DST_RET (ISC_R_NOSPACE);
cp = buf;
if (!i2o_ECPublicKey(eckey, &cp))
DST_RET (ISC_R_FAILURE);
DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
memcpy(r.base, buf + 1, len);
isc_buffer_add(data, len);
ret = ISC_R_SUCCESS;
......@@ -393,16 +409,16 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (o2i_ECPublicKey(&eckey,
(const unsigned char **) &cp,
(long) len + 1) == NULL)
DST_RET (DST_R_INVALIDPUBLICKEY);
DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
if (EC_KEY_check_key(eckey) != 1)
DST_RET (DST_R_INVALIDPUBLICKEY);
DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
pkey = EVP_PKEY_new();
if (pkey == NULL)
DST_RET (ISC_R_NOMEMORY);
if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
EVP_PKEY_free(pkey);
DST_RET (ISC_R_FAILURE);
DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
}
isc_buffer_forward(data, len);
......@@ -430,7 +446,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
pkey = key->keydata.pkey;
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (eckey == NULL)
return (ISC_R_FAILURE);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
privkey = EC_KEY_get0_private_key(eckey);
if (privkey == NULL)
DST_RET (ISC_R_FAILURE);
......@@ -527,7 +543,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DST_RET (ISC_R_NOMEMORY);
if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
EVP_PKEY_free(pkey);
DST_RET (ISC_R_FAILURE);
DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
key->keydata.pkey = pkey;
ret = ISC_R_SUCCESS;
......
......@@ -121,10 +121,15 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
EVP_PKEY *pkey = key->keydata.pkey;
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
if (status != 1)
switch (status) {
case 1:
return (ISC_R_SUCCESS);
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS);
default:
return (dst__openssl_toresult2("EVP_VerifyFinal",
DST_R_VERIFYFAILURE));
}
}
static isc_boolean_t
......@@ -168,22 +173,27 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
void (*fptr)(int);
} u;
EVP_PKEY *pkey = NULL;
isc_result_t ret;
UNUSED(unused);
ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
if (ctx == NULL)
goto err;
DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
DST_R_OPENSSLFAILURE));
if (callback != NULL) {
u.fptr = callback;
EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
}
if (EVP_PKEY_keygen_init(ctx) <= 0)
goto err;
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
DST_R_OPENSSLFAILURE));
if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
goto err;
DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
DST_R_OPENSSLFAILURE));
if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
goto err;
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
DST_R_OPENSSLFAILURE));
key->keydata.pkey = pkey;
EVP_PKEY_CTX_free(ctx);
return (ISC_R_SUCCESS);
......@@ -193,7 +203,7 @@ err:
EVP_PKEY_free(pkey);
if (ctx != NULL)