upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

For #660: formatting, less verbose logging, add EDE information.

Browse source
This commit is contained in:
George Thessalonikefs 2022-07-03 22:32:56 +02:00
parent 2fba248ebe
commit 317bab9f1d
3 changed files with 24 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/Changelog
View file

@ -2,6 +2,7 @@
- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
mode on openssl3.
- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
- For #660: formatting, less verbose logging, add EDE information.
1 July 2022: George
- Merge PR #706: NXNS fallback.

6
validator/val_secalgo.c
View file

@ -703,12 +703,14 @@ static enum sec_status
digest_error_status(const char *str)
{
unsigned long e = ERR_get_error();
log_crypto_verbose(VERB_QUERY, str, e);
#ifdef EVP_R_INVALID_DIGEST
if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST)
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
log_crypto_verbose(VERB_ALGO, str, e);
return sec_status_indeterminate;
}
#endif
log_crypto_verbose(VERB_QUERY, str, e);
return sec_status_unchecked;
}

16
validator/val_sigcrypt.c
View file

@ -642,13 +642,19 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
if(sec == sec_status_secure)
return sec;
numchecked ++;
if (sec == sec_status_indeterminate)
if(sec == sec_status_indeterminate)
numindeterminate ++;
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) *reason = "signature missing";
else if (numchecked == numindeterminate) {
if(!numchecked) {
*reason = "signature missing";
if(reason_bogus)
*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
} else if(numchecked == numindeterminate) {
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
"refusal by cryptolib");
if(reason_bogus)
*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
*reason = "algorithm refused by cryptolib";
return sec_status_indeterminate;
}
@ -703,7 +709,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
verbose(VERB_QUERY, "verify: could not find appropriate key");
return sec_status_bogus;
}
if (numindeterminate == numchecked)
if(numindeterminate == numchecked)
return sec_status_indeterminate;
return sec_status_bogus;
}