For #660: formatting, less verbose logging, add EDE information.

George Thessalonikefs 2022-07-03 22:32:56 +02:00
parent 2fba248ebe
commit 317bab9f1d
3 changed files with 24 additions and 15 deletions


@ -2,6 +2,7 @@
- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
mode on openssl3. mode on openssl3.
- Merge PR #660 from Petr Menšík: Sha1 runtime insecure. - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
- For #660: formatting, less verbose logging, add EDE information.
1 July 2022: George 1 July 2022: George
- Merge PR #706: NXNS fallback. - Merge PR #706: NXNS fallback.


@ -686,7 +686,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
static void static void
digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key, digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key,
unsigned char* sigblock, int dofree, int docrypto_free) unsigned char* sigblock, int dofree, int docrypto_free)
{ {
#ifdef HAVE_EVP_MD_CTX_NEW #ifdef HAVE_EVP_MD_CTX_NEW
EVP_MD_CTX_destroy(ctx); EVP_MD_CTX_destroy(ctx);
@ -703,12 +703,14 @@ static enum sec_status
digest_error_status(const char *str) digest_error_status(const char *str)
{ {
unsigned long e = ERR_get_error(); unsigned long e = ERR_get_error();
log_crypto_verbose(VERB_QUERY, str, e);
#ifdef EVP_R_INVALID_DIGEST #ifdef EVP_R_INVALID_DIGEST
if (ERR_GET_LIB(e) == ERR_LIB_EVP && if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
log_crypto_verbose(VERB_ALGO, str, e);
return sec_status_indeterminate; return sec_status_indeterminate;
}
#endif #endif
log_crypto_verbose(VERB_QUERY, str, e);
return sec_status_unchecked; return sec_status_unchecked;
} }
@ -726,7 +728,7 @@ digest_error_status(const char *str)
* unchecked on format errors and alloc failures. * unchecked on format errors and alloc failures.
*/ */
enum sec_status enum sec_status
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen, unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
char** reason) char** reason)
{ {
@ -798,15 +800,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
enum sec_status sec; enum sec_status sec;
sec = digest_error_status("verify: EVP_DigestInit failed"); sec = digest_error_status("verify: EVP_DigestInit failed");
digest_ctx_free(ctx, evp_key, sigblock, digest_ctx_free(ctx, evp_key, sigblock,
dofree, docrypto_free); dofree, docrypto_free);
return sec; return sec;
} }
if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf)) == 0) { (unsigned int)sldns_buffer_limit(buf)) == 0) {
log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed", log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
ERR_get_error()); ERR_get_error());
digest_ctx_free(ctx, evp_key, sigblock, digest_ctx_free(ctx, evp_key, sigblock,
dofree, docrypto_free); dofree, docrypto_free);
return sec_status_unchecked; return sec_status_unchecked;
} }
@ -816,7 +818,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
enum sec_status sec; enum sec_status sec;
sec = digest_error_status("verify: EVP_DigestVerifyInit failed"); sec = digest_error_status("verify: EVP_DigestVerifyInit failed");
digest_ctx_free(ctx, evp_key, sigblock, digest_ctx_free(ctx, evp_key, sigblock,
dofree, docrypto_free); dofree, docrypto_free);
return sec; return sec;
} }
res = EVP_DigestVerify(ctx, sigblock, sigblock_len, res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
@ -824,7 +826,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
sldns_buffer_limit(buf)); sldns_buffer_limit(buf));
#endif #endif
digest_ctx_free(ctx, evp_key, sigblock, digest_ctx_free(ctx, evp_key, sigblock,
dofree, docrypto_free); dofree, docrypto_free);
if(res == 1) { if(res == 1) {
return sec_status_secure; return sec_status_secure;
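Review bot: The split of log levels in digest_error_status (VERB_ALGO for the EVP_R_INVALID_DIGEST branch, VERB_QUERY for every other error) is deliberate but reads as an accident because the same `str` and `e` are logged on both paths with nothing explaining the difference. A short comment above the `#ifdef EVP_R_INVALID_DIGEST`, for example `/* A digest the cryptolib refuses is an expected condition (see the "algorithm refused by cryptolib" reason in the validator), so it is logged quietly and reported as indeterminate rather than unchecked. */`, would make the intent survive the next edit. It may also be worth stating in that comment that only one entry is taken from the OpenSSL error queue, since that is what the EVP_R_INVALID_DIGEST test inspects. The remaining hunks in this section only re-indent the digest_ctx_free calls and need no review.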


@ -607,7 +607,7 @@ void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
*reason = s; *reason = s;
} }
enum sec_status enum sec_status
dnskey_verify_rrset(struct module_env* env, struct val_env* ve, dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
@ -642,13 +642,19 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
if(sec == sec_status_secure) if(sec == sec_status_secure)
return sec; return sec;
numchecked ++; numchecked ++;
if (sec == sec_status_indeterminate) if(sec == sec_status_indeterminate)
numindeterminate ++; numindeterminate ++;
} }
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) *reason = "signature missing"; if(!numchecked) {
else if (numchecked == numindeterminate) { *reason = "signature missing";
if(reason_bogus)
*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
} else if(numchecked == numindeterminate) {
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
"refusal by cryptolib");
if(reason_bogus)
*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
*reason = "algorithm refused by cryptolib"; *reason = "algorithm refused by cryptolib";
return sec_status_indeterminate; return sec_status_indeterminate;
} }
@ -703,7 +709,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
verbose(VERB_QUERY, "verify: could not find appropriate key"); verbose(VERB_QUERY, "verify: could not find appropriate key");
return sec_status_bogus; return sec_status_bogus;
} }
if (numindeterminate == numchecked) if(numindeterminate == numchecked)
return sec_status_indeterminate; return sec_status_indeterminate;
return sec_status_bogus; return sec_status_bogus;
} }
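Review bot: In dnskey_verify_rrset the new `verbose(VERB_ALGO, "rrset failed to verify due to algorithm refusal by cryptolib")` is always preceded by the unconditional `verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus")` a few lines above it, so the indeterminate outcome now logs two contradictory diagnoses at the same level, which works against the "less verbose logging" aim of the commit. Guarding the first message, e.g. `if(numchecked && numchecked != numindeterminate) verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");`, or moving it after the if/else chain, keeps each outcome to one line. The missing-signature branch correctly adds LDNS_EDE_RRSIGS_MISSING and the indeterminate branch LDNS_EDE_UNSUPPORTED_DNSKEY_ALG, but dnskey_verify_rrset continues past the end of the hunk, so whether the final bogus path sets an EDE code cannot be checked here. The other hunks in this section only change spacing.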