Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
7
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Open sidebar
ISC Open Source Projects
BIND
Commits
6eb6af67
Commit
6eb6af67
authored
Jul 23, 2012
by
Mark Andrews
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
3354. [func] Improve OpenSSL error logging. [RT #29932]
parent
141ae50a
Changes
16
Hide whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
225 additions
and
102 deletions
+225
-102
CHANGES
CHANGES
+2
-0
bin/tests/dst/t_dst.c
bin/tests/dst/t_dst.c
+25
-15
bin/tests/system/cleanpkcs11.sh
bin/tests/system/cleanpkcs11.sh
+1
-1
bin/tests/system/conf.sh.in
bin/tests/system/conf.sh.in
+3
-3
lib/dns/ds.c
lib/dns/ds.c
+2
-2
lib/dns/dst_openssl.h
lib/dns/dst_openssl.h
+3
-0
lib/dns/dst_result.c
lib/dns/dst_result.c
+1
-1
lib/dns/include/dns/log.h
lib/dns/include/dns/log.h
+1
-0
lib/dns/include/dst/result.h
lib/dns/include/dst/result.h
+3
-1
lib/dns/log.c
lib/dns/log.c
+1
-0
lib/dns/openssl_link.c
lib/dns/openssl_link.c
+39
-1
lib/dns/openssldh_link.c
lib/dns/openssldh_link.c
+11
-5
lib/dns/openssldsa_link.c
lib/dns/openssldsa_link.c
+23
-11
lib/dns/opensslecdsa_link.c
lib/dns/opensslecdsa_link.c
+33
-17
lib/dns/opensslgost_link.c
lib/dns/opensslgost_link.c
+49
-24
lib/dns/opensslrsa_link.c
lib/dns/opensslrsa_link.c
+28
-21
No files found.
CHANGES
View file @
6eb6af67
3354. [func] Improve OpenSSL error logging. [RT #29932]
3353. [bug] Use a single task for task exclusive operations.
[RT #29872]
...
...
bin/tests/dst/t_dst.c
View file @
6eb6af67
...
...
@@ -179,7 +179,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
if
(
p
==
NULL
)
{
t_info
(
"getcwd failed %d
\n
"
,
errno
);
++*
nprobs
;
return
;
goto
cleanup
;
}
ret
=
dst_key_fromfile
(
name1
,
id1
,
alg
,
type
,
current
,
mctx
,
&
key1
);
...
...
@@ -187,7 +187,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_key_fromfile(%d) returned: %s
\n
"
,
alg
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
ret
=
dst_key_fromfile
(
name2
,
id2
,
alg
,
type
,
current
,
mctx
,
&
key2
);
...
...
@@ -195,7 +195,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_key_fromfile(%d) returned: %s
\n
"
,
alg
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
ret
=
isc_file_mktemplate
(
"/tmp/"
,
tmp
,
sizeof
(
tmp
));
...
...
@@ -203,7 +203,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"isc_file_mktemplate failed %s
\n
"
,
isc_result_totext
(
ret
));
++*
nprobs
;
return
;
goto
cleanup
;
}
ret
=
isc_dir_createunique
(
tmp
);
...
...
@@ -211,7 +211,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"isc_dir_createunique failed %s
\n
"
,
isc_result_totext
(
ret
));
++*
nprobs
;
return
;
goto
cleanup
;
}
ret
=
dst_key_tofile
(
key1
,
type
,
tmp
);
...
...
@@ -219,7 +219,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_key_tofile(%d) returned: %s
\n
"
,
alg
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
ret
=
dst_key_tofile
(
key2
,
type
,
tmp
);
...
...
@@ -227,7 +227,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_key_tofile(%d) returned: %s
\n
"
,
alg
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
cleandir
(
tmp
);
...
...
@@ -238,7 +238,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_computesecret() returned: %s
\n
"
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
isc_buffer_init
(
&
b2
,
array2
,
sizeof
(
array2
));
...
...
@@ -247,7 +247,7 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
t_info
(
"dst_computesecret() returned: %s
\n
"
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
isc_buffer_usedregion
(
&
b1
,
&
r1
);
...
...
@@ -256,11 +256,14 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
{
t_info
(
"computed secrets don't match
\n
"
);
++*
nfails
;
return
;
goto
cleanup
;
}
dst_key_free
(
&
key1
);
dst_key_free
(
&
key2
);
cleanup:
if
(
key1
!=
NULL
)
dst_key_free
(
&
key1
);
if
(
key2
!=
NULL
)
dst_key_free
(
&
key2
);
}
static
void
...
...
@@ -382,12 +385,14 @@ generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
t_info
(
"dst_key_generate(%d) returned: %s
\n
"
,
alg
,
dst_result_totext
(
ret
));
++*
nfails
;
return
;
goto
cleanup
;
}
if
(
alg
!=
DST_ALG_DH
)
use
(
key
,
mctx
,
ISC_R_SUCCESS
,
nfails
);
dst_key_free
(
&
key
);
cleanup:
if
(
key
!=
NULL
)
dst_key_free
(
&
key
);
}
#define DBUFSIZ 25
...
...
@@ -839,14 +844,20 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
if
(
isc_result
!=
ISC_R_SUCCESS
)
{
t_info
(
"dst_context_create returned %s
\n
"
,
isc_result_totext
(
isc_result
));
(
void
)
free
(
data
);
dst_key_free
(
&
key
);
++*
nfails
;
return
;
}
isc_result
=
dst_context_adddata
(
ctx
,
&
datareg
);
if
(
isc_result
!=
ISC_R_SUCCESS
)
{
t_info
(
"dst_context_adddata returned %s
\n
"
,
isc_result_totext
(
isc_result
));
(
void
)
free
(
data
);
dst_context_destroy
(
&
ctx
);
dst_key_free
(
&
key
);
++*
nfails
;
return
;
}
isc_result
=
dst_context_verify
(
ctx
,
&
sigreg
);
if
(
((
exp_res
==
0
)
&&
(
isc_result
!=
ISC_R_SUCCESS
))
||
...
...
@@ -855,7 +866,6 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
t_info
(
"dst_context_verify returned %s, expected %s
\n
"
,
isc_result_totext
(
isc_result
),
expected_result
);
dst_context_destroy
(
&
ctx
);
++*
nfails
;
}
...
...
bin/tests/system/cleanpkcs11.sh
View file @
6eb6af67
...
...
@@ -18,4 +18,4 @@
if
[
!
-x
../../pkcs11/pkcs11-destroy
]
;
then
exit
1
;
fi
../../pkcs11/pkcs11-destroy
-s
0
-p
1234
../../pkcs11/pkcs11-destroy
-s
${
SLOT
:-
0
}
-p
1234
bin/tests/system/conf.sh.in
View file @
6eb6af67
...
...
@@ -45,9 +45,9 @@ DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
CHECKDS
=
$TOP
/bin/python/dnssec-checkds
CHECKZONE
=
$TOP
/bin/check/named-checkzone
CHECKCONF
=
$TOP
/bin/check/named-checkconf
PK11GEN
=
"
$TOP
/bin/pkcs11/pkcs11-keygen -s
0
-p 1234"
PK11LIST
=
"
$TOP
/bin/pkcs11/pkcs11-list -s
0
-p 1234"
PK11DEL
=
"
$TOP
/bin/pkcs11/pkcs11-destroy -s
0
-p 1234"
PK11GEN
=
"
$TOP
/bin/pkcs11/pkcs11-keygen -s
${
SLOT
:-
0
}
-p 1234"
PK11LIST
=
"
$TOP
/bin/pkcs11/pkcs11-list -s
${
SLOT
:-
0
}
-p 1234"
PK11DEL
=
"
$TOP
/bin/pkcs11/pkcs11-destroy -s
${
SLOT
:-
0
}
-p 1234"
JOURNALPRINT
=
$TOP
/bin/tools/named-journalprint
VERIFY
=
$TOP
/bin/dnssec/dnssec-verify
...
...
lib/dns/ds.c
View file @
6eb6af67
...
...
@@ -92,13 +92,13 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
#define CHECK(x) \
if ((x) != 1) { \
EVP_MD_CTX_cleanup(&ctx); \
return (DST_R_
OPENSSL
FAILURE); \
return (DST_R_
CRYPTO
FAILURE); \
}
case
DNS_DSDIGEST_GOST
:
md
=
EVP_gost
();
if
(
md
==
NULL
)
return
(
DST_R_
OPENSSL
FAILURE
);
return
(
DST_R_
CRYPTO
FAILURE
);
EVP_MD_CTX_init
(
&
ctx
);
CHECK
(
EVP_DigestInit
(
&
ctx
,
md
));
dns_name_toregion
(
name
,
&
r
);
...
...
lib/dns/dst_openssl.h
View file @
6eb6af67
...
...
@@ -39,6 +39,9 @@ ISC_LANG_BEGINDECLS
isc_result_t
dst__openssl_toresult
(
isc_result_t
fallback
);
isc_result_t
dst__openssl_toresult2
(
const
char
*
funcname
,
isc_result_t
fallback
);
#ifdef USE_ENGINE
ENGINE
*
dst__openssl_getengine
(
const
char
*
engine
);
...
...
lib/dns/dst_result.c
View file @
6eb6af67
...
...
@@ -30,7 +30,7 @@
static
const
char
*
text
[
DST_R_NRESULTS
]
=
{
"algorithm is unsupported"
,
/*%< 0 */
"
openssl
failure"
,
/*%< 1 */
"
crypto
failure"
,
/*%< 1 */
"built with no crypto support"
,
/*%< 2 */
"illegal operation for a null key"
,
/*%< 3 */
"public key is invalid"
,
/*%< 4 */
...
...
lib/dns/include/dns/log.h
View file @
6eb6af67
...
...
@@ -75,6 +75,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_ACACHE (&dns_modules[25])
#define DNS_LOGMODULE_DLZ (&dns_modules[26])
#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28])
ISC_LANG_BEGINDECLS
...
...
lib/dns/include/dst/result.h
View file @
6eb6af67
...
...
@@ -34,7 +34,9 @@
#include <isc/result.h>
/* Contractual promise. */
#define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0)
#define DST_R_OPENSSLFAILURE (ISC_RESULTCLASS_DST + 1)
#define DST_R_CRYPTOFAILURE (ISC_RESULTCLASS_DST + 1)
/* compat */
#define DST_R_OPENSSLFAILURE DST_R_CRYPTOFAILURE
#define DST_R_NOCRYPTO (ISC_RESULTCLASS_DST + 2)
#define DST_R_NULLKEY (ISC_RESULTCLASS_DST + 3)
#define DST_R_INVALIDPUBLICKEY (ISC_RESULTCLASS_DST + 4)
...
...
lib/dns/log.c
View file @
6eb6af67
...
...
@@ -81,6 +81,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{
"dns/acache"
,
0
},
{
"dns/dlz"
,
0
},
{
"dns/dnssec"
,
0
},
{
"dns/crypto"
,
0
},
{
NULL
,
0
}
};
...
...
lib/dns/openssl_link.c
View file @
6eb6af67
...
...
@@ -45,6 +45,8 @@
#include <isc/thread.h>
#include <isc/util.h>
#include <dns/log.h>
#include <dst/result.h>
#include "dst_internal.h"
...
...
@@ -172,6 +174,8 @@ dst__openssl_init(const char *engine) {
CRYPTO_set_locking_callback
(
lock_callback
);
CRYPTO_set_id_callback
(
id_callback
);
ERR_load_crypto_strings
();
rm
=
mem_alloc
(
sizeof
(
RAND_METHOD
));
if
(
rm
==
NULL
)
{
result
=
ISC_R_NOMEMORY
;
...
...
@@ -285,7 +289,7 @@ dst__openssl_destroy() {
isc_result_t
dst__openssl_toresult
(
isc_result_t
fallback
)
{
isc_result_t
result
=
fallback
;
int
err
=
ERR_get_error
();
unsigned
long
err
=
ERR_get_error
();
switch
(
ERR_GET_REASON
(
err
))
{
case
ERR_R_MALLOC_FAILURE
:
...
...
@@ -298,6 +302,40 @@ dst__openssl_toresult(isc_result_t fallback) {
return
(
result
);
}
isc_result_t
dst__openssl_toresult2
(
const
char
*
funcname
,
isc_result_t
fallback
)
{
isc_result_t
result
=
fallback
;
unsigned
long
err
=
ERR_peek_error
();
const
char
*
file
,
*
data
;
int
line
,
flags
;
char
buf
[
256
];
switch
(
ERR_GET_REASON
(
err
))
{
case
ERR_R_MALLOC_FAILURE
:
result
=
ISC_R_NOMEMORY
;
goto
done
;
default:
break
;
}
isc_log_write
(
dns_lctx
,
DNS_LOGCATEGORY_GENERAL
,
DNS_LOGMODULE_CRYPTO
,
ISC_LOG_WARNING
,
"%s failed"
,
funcname
);
for
(;;)
{
err
=
ERR_get_error_line_data
(
&
file
,
&
line
,
&
data
,
&
flags
);
if
(
err
==
0
)
goto
done
;
ERR_error_string_n
(
err
,
buf
,
sizeof
(
buf
));
isc_log_write
(
dns_lctx
,
DNS_LOGCATEGORY_GENERAL
,
DNS_LOGMODULE_CRYPTO
,
ISC_LOG_INFO
,
"%s:%s:%d:%s"
,
buf
,
file
,
line
,
(
flags
&
ERR_TXT_STRING
)
?
data
:
""
);
}
done:
ERR_clear_error
();
return
(
result
);
}
#if defined(USE_ENGINE)
ENGINE
*
dst__openssl_getengine
(
const
char
*
engine
)
{
...
...
lib/dns/openssldh_link.c
View file @
6eb6af67
...
...
@@ -94,7 +94,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
return
(
ISC_R_NOSPACE
);
ret
=
DH_compute_key
(
r
.
base
,
dhpub
->
pub_key
,
dhpriv
);
if
(
ret
==
0
)
return
(
dst__openssl_toresult
(
DST_R_COMPUTESECRETFAILURE
));
return
(
dst__openssl_toresult2
(
"DH_compute_key"
,
DST_R_COMPUTESECRETFAILURE
));
isc_buffer_add
(
secret
,
len
);
return
(
ISC_R_SUCCESS
);
}
...
...
@@ -204,7 +205,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
dh
=
DH_new
();
if
(
dh
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult
(
ISC_R_NOMEMORY
));
if
(
callback
==
NULL
)
{
BN_GENCB_set_old
(
&
cb
,
NULL
,
NULL
);
...
...
@@ -216,7 +217,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
if
(
!
DH_generate_parameters_ex
(
dh
,
key
->
key_size
,
generator
,
&
cb
))
{
DH_free
(
dh
);
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DH_generate_parameters_ex"
,
DST_R_OPENSSLFAILURE
));
}
#else
dh
=
DH_generate_parameters
(
key
->
key_size
,
generator
,
...
...
@@ -225,11 +228,13 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
}
if
(
dh
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DH_generate_parameters"
,
DST_R_OPENSSLFAILURE
));
if
(
DH_generate_key
(
dh
)
==
0
)
{
DH_free
(
dh
);
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DH_generate_key"
,
DST_R_OPENSSLFAILURE
));
}
dh
->
flags
&=
~
DH_FLAG_CACHE_MONT_P
;
...
...
@@ -460,6 +465,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
dh
=
key
->
keydata
.
dh
;
memset
(
bufs
,
0
,
sizeof
(
bufs
));
for
(
i
=
0
;
i
<
4
;
i
++
)
{
bufs
[
i
]
=
isc_mem_get
(
key
->
mctx
,
BN_num_bytes
(
dh
->
p
));
if
(
bufs
[
i
]
==
NULL
)
{
...
...
lib/dns/openssldsa_link.c
View file @
6eb6af67
...
...
@@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if
(
!
EVP_SignFinal
(
evp_md_ctx
,
sigbuf
,
&
siglen
,
pkey
))
{
EVP_PKEY_free
(
pkey
);
free
(
sigbuf
);
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult2
(
"EVP_SignFinal"
,
ISC_R_FAILURE
));
}
INSIST
(
EVP_PKEY_size
(
pkey
)
>=
(
int
)
siglen
);
EVP_PKEY_free
(
pkey
);
...
...
@@ -181,23 +182,26 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
sb
=
sigbuf
;
if
(
d2i_DSA_SIG
(
&
dsasig
,
&
sb
,
(
long
)
siglen
)
==
NULL
)
{
free
(
sigbuf
);
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult2
(
"d2i_DSA_SIG"
,
ISC_R_FAILURE
)
)
;
}
free
(
sigbuf
);
#elif 0
/* Only use EVP for the Digest */
if
(
!
EVP_DigestFinal_ex
(
evp_md_ctx
,
digest
,
&
siglen
))
{
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult2
(
"EVP_DigestFinal_ex"
,
ISC_R_FAILURE
));
}
dsasig
=
DSA_do_sign
(
digest
,
ISC_SHA1_DIGESTLENGTH
,
dsa
);
if
(
dsasig
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_SIGNFAILURE
));
return
(
dst__openssl_toresult2
(
"DSA_do_sign"
,
DST_R_SIGNFAILURE
));
#else
isc_sha1_final
(
sha1ctx
,
digest
);
dsasig
=
DSA_do_sign
(
digest
,
ISC_SHA1_DIGESTLENGTH
,
dsa
);
if
(
dsasig
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_SIGNFAILURE
));
return
(
dst__openssl_toresult2
(
"DSA_do_sign"
,
DST_R_SIGNFAILURE
));
#endif
*
r
.
base
++
=
(
key
->
key_size
-
512
)
/
64
;
BN_bn2bin_fixed
(
dsasig
->
r
,
r
.
base
,
ISC_SHA1_DIGESTLENGTH
);
...
...
@@ -276,10 +280,15 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
status
=
DSA_do_verify
(
digest
,
ISC_SHA1_DIGESTLENGTH
,
dsasig
,
dsa
);
#endif
DSA_SIG_free
(
dsasig
);
if
(
status
!=
1
)
switch
(
status
)
{
case
1
:
return
(
ISC_R_SUCCESS
);
case
0
:
return
(
dst__openssl_toresult
(
DST_R_VERIFYFAILURE
));
return
(
ISC_R_SUCCESS
);
default:
return
(
dst__openssl_toresult2
(
"DSA_do_verify"
,
DST_R_VERIFYFAILURE
));
}
}
static
isc_boolean_t
...
...
@@ -370,19 +379,22 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
&
cb
))
{
DSA_free
(
dsa
);
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DSA_generate_parameters_ex"
,
DST_R_OPENSSLFAILURE
));
}
#else
dsa
=
DSA_generate_parameters
(
key
->
key_size
,
rand_array
,
ISC_SHA1_DIGESTLENGTH
,
NULL
,
NULL
,
NULL
,
NULL
);
if
(
dsa
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DSA_generate_parameters"
,
DST_R_OPENSSLFAILURE
));
#endif
if
(
DSA_generate_key
(
dsa
)
==
0
)
{
DSA_free
(
dsa
);
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"DSA_generate_key"
,
DST_R_OPENSSLFAILURE
));
}
dsa
->
flags
&=
~
DSA_FLAG_CACHE_MONT_P
;
...
...
lib/dns/opensslecdsa_link.c
View file @
6eb6af67
...
...
@@ -73,7 +73,8 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if
(
!
EVP_DigestInit_ex
(
evp_md_ctx
,
type
,
NULL
))
{
EVP_MD_CTX_destroy
(
evp_md_ctx
);
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult2
(
"EVP_DigestInit_ex"
,
ISC_R_FAILURE
));
}
dctx
->
ctxdata
.
evp_md_ctx
=
evp_md_ctx
;
...
...
@@ -102,7 +103,8 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
dctx
->
key
->
key_alg
==
DST_ALG_ECDSA384
);
if
(
!
EVP_DigestUpdate
(
evp_md_ctx
,
data
->
base
,
data
->
length
))
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult2
(
"EVP_DigestUpdate"
,
ISC_R_FAILURE
));
return
(
ISC_R_SUCCESS
);
}
...
...
@@ -145,11 +147,13 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DST_RET
(
ISC_R_NOSPACE
);
if
(
!
EVP_DigestFinal
(
evp_md_ctx
,
digest
,
&
dgstlen
))
DST_RET
(
ISC_R_FAILURE
);
DST_RET
(
dst__openssl_toresult2
(
"EVP_DigestFinal"
,
ISC_R_FAILURE
));
ecdsasig
=
ECDSA_do_sign
(
digest
,
dgstlen
,
eckey
);
if
(
ecdsasig
==
NULL
)
DST_RET
(
dst__openssl_toresult
(
DST_R_SIGNFAILURE
));
DST_RET
(
dst__openssl_toresult2
(
"ECDSA_do_sign"
,
DST_R_SIGNFAILURE
));
BN_bn2bin_fixed
(
ecdsasig
->
r
,
r
.
base
,
siglen
/
2
);
r
.
base
+=
siglen
/
2
;
BN_bn2bin_fixed
(
ecdsasig
->
s
,
r
.
base
,
siglen
/
2
);
...
...
@@ -192,7 +196,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
return
(
DST_R_VERIFYFAILURE
);
if
(
!
EVP_DigestFinal_ex
(
evp_md_ctx
,
digest
,
&
dgstlen
))
DST_RET
(
ISC_R_FAILURE
);
DST_RET
(
dst__openssl_toresult2
(
"EVP_DigestFinal_ex"
,
ISC_R_FAILURE
));
ecdsasig
=
ECDSA_SIG_new
();
if
(
ecdsasig
==
NULL
)
...
...
@@ -203,9 +208,18 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
/* cp += siglen / 2; */
status
=
ECDSA_do_verify
(
digest
,
dgstlen
,
ecdsasig
,
eckey
);
if
(
status
!=
1
)
DST_RET
(
dst__openssl_toresult
(
DST_R_VERIFYFAILURE
));
ret
=
ISC_R_SUCCESS
;
switch
(
status
)
{
case
1
:
ret
=
ISC_R_SUCCESS
;
break
;
case
0
:
ret
=
dst__openssl_toresult
(
DST_R_VERIFYFAILURE
);
break
;
default:
ret
=
dst__openssl_toresult2
(
"ECDSA_do_verify"
,
DST_R_VERIFYFAILURE
);
break
;
}
err:
if
(
ecdsasig
!=
NULL
)
...
...
@@ -278,10 +292,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
eckey
=
EC_KEY_new_by_curve_name
(
group_nid
);
if
(
eckey
==
NULL
)
return
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
return
(
dst__openssl_toresult2
(
"EC_KEY_new_by_curve_name"
,
DST_R_OPENSSLFAILURE
));
if
(
EC_KEY_generate_key
(
eckey
)
!=
1
)
DST_RET
(
dst__openssl_toresult
(
DST_R_OPENSSLFAILURE
));
DST_RET
(
dst__openssl_toresult2
(
"EC_KEY_generate_key"
,
DST_R_OPENSSLFAILURE
));
pkey
=
EVP_PKEY_new
();
if
(
pkey
==
NULL
)
...
...
@@ -334,7 +350,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
pkey
=
key
->
keydata
.
pkey
;
eckey
=
EVP_PKEY_get1_EC_KEY
(
pkey
);
if
(
eckey
==
NULL
)
return
(
ISC_R_FAILURE
);
return
(
dst__openssl_toresult
(
ISC_R_FAILURE
)
)
;
len
=
i2o_ECPublicKey
(
eckey
,
NULL
);
/* skip form */
len
--
;
...
...
@@ -344,7 +360,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
DST_RET
(
ISC_R_NOSPACE
);
cp
=
buf
;
if
(
!
i2o_ECPublicKey
(
eckey
,
&
cp
))
DST_RET
(
ISC_R_FAILURE
);
DST_RET
(
dst__openssl_toresult
(
ISC_R_FAILURE
)
)
;
memcpy
(
r
.
base
,
buf
+
1
,
len
);
isc_buffer_add
(
data
,
len
);
ret
=
ISC_R_SUCCESS
;
...
...
@@ -393,16 +409,16 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if
(
o2i_ECPublicKey
(
&
eckey
,
(
const
unsigned
char
**
)
&
cp
,
(
long
)
len
+
1
)
==
NULL
)
DST_RET
(
DST_R_INVALIDPUBLICKEY
);
DST_RET
(
dst__openssl_toresult
(
DST_R_INVALIDPUBLICKEY
)
)
;
if
(
EC_KEY_check_key
(
eckey
)
!=
1
)
DST_RET
(
DST_R_INVALIDPUBLICKEY
);
DST_RET
(
dst__openssl_toresult
(
DST_R_INVALIDPUBLICKEY
)
)
;
pkey
=
EVP_PKEY_new
();
if
(
pkey
==
NULL
)
DST_RET
(
ISC_R_NOMEMORY
);
if
(
!
EVP_PKEY_set1_EC_KEY
(
pkey
,
eckey
))
{
EVP_PKEY_free
(
pkey
);
DST_RET
(
ISC_R_FAILURE
);
DST_RET
(
dst__openssl_toresult
(
ISC_R_FAILURE
)
)
;
}
isc_buffer_forward
(
data
,
len
);
...
...
@@ -430,7 +446,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
pkey
=
key
->
keydata
.
pkey
;
eckey
=
EVP_PKEY_get1_EC_KEY
(
pkey
);
if
(
eckey
==
NULL
)
return
(
ISC_R_
FAILURE
);
return
(
dst__openssl_toresult
(
DST_R_OPENSSL
FAILURE
)
)
;
privkey
=
EC_KEY_get0_private_key
(
eckey
);
if
(
privkey
==
NULL
)
DST_RET
(
ISC_R_FAILURE
);
...
...
@@ -527,7 +543,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DST_RET
(
ISC_R_NOMEMORY
);
if
(
!
EVP_PKEY_set1_EC_KEY
(
pkey
,
eckey
))
{
EVP_PKEY_free
(
pkey
);
DST_RET
(
ISC_R_
FAILURE
);
DST_RET
(
dst__openssl_toresult
(
DST_R_OPENSSL
FAILURE
)
)
;
}
key
->
keydata
.
pkey
=
pkey
;
ret
=
ISC_R_SUCCESS
;
...
...
lib/dns/opensslgost_link.c
View file @
6eb6af67
...
...
@@ -121,10 +121,15 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
EVP_PKEY
*
pkey
=
key
->
keydata
.
pkey
;
status
=
EVP_VerifyFinal
(
evp_md_ctx
,
sig
->
base
,
sig
->
length
,
pkey
);
if
(
status
!=
1
)
switch
(
status
)
{
case
1
:
return
(
ISC_R_SUCCESS
);
case
0
:
return
(
dst__openssl_toresult
(
DST_R_VERIFYFAILURE
));
return
(
ISC_R_SUCCESS
);
default:
return
(
dst__openssl_toresult2
(
"EVP_VerifyFinal"
,
DST_R_VERIFYFAILURE
));
}
}
static
isc_boolean_t
...
...
@@ -168,22 +173,27 @@ opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
void
(
*
fptr
)(
int
);
}
u
;
EVP_PKEY
*
pkey
=
NULL
;
isc_result_t
ret
;
UNUSED
(
unused
);
ctx
=
EVP_PKEY_CTX_new_id
(
NID_id_GostR3410_2001
,
NULL
);
if
(
ctx
==
NULL
)
goto
err
;
DST_RET
(
dst__openssl_toresult2
(
"EVP_PKEY_CTX_new_id"
,
DST_R_OPENSSLFAILURE
));
if
(
callback
!=
NULL
)
{
u
.
fptr
=
callback
;
EVP_PKEY_CTX_set_app_data
(
ctx
,
u
.
dptr
);
EVP_PKEY_CTX_set_cb
(
ctx
,
&
progress_cb
);
}
if
(
EVP_PKEY_keygen_init
(
ctx
)
<=
0
)
goto
err
;
DST_RET
(
dst__openssl_toresult2
(
"EVP_PKEY_keygen_init"
,
DST_R_OPENSSLFAILURE
));
if
(
EVP_PKEY_CTX_ctrl_str
(
ctx
,
"paramset"
,
"A"
)
<=
0
)
goto
err
;
DST_RET
(
dst__openssl_toresult2
(
"EVP_PKEY_CTX_ctrl_str"
,
DST_R_OPENSSLFAILURE
));
if
(
EVP_PKEY_keygen
(
ctx
,
&
pkey
)
<=
0
)
goto
err
;
DST_RET
(
dst__openssl_toresult2
(
"EVP_PKEY_keygen"
,
DST_R_OPENSSLFAILURE
));
key
->
keydata
.
pkey
=
pkey
;
EVP_PKEY_CTX_free
(
ctx
);
return
(
ISC_R_SUCCESS
);
...
...
@@ -193,7 +203,7 @@ err:
EVP_PKEY_free
(
pkey
);
if
(
ctx
!=
NULL
)