mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
For #660: formatting, less verbose logging, add EDE information.
This commit is contained in:
George Thessalonikefs
parent
2fba248ebe
commit
317bab9f1d
3 changed files with 24 additions and 15 deletions
|
|
@ -2,6 +2,7 @@
|
|||
- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
|
||||
mode on openssl3.
|
||||
- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
|
||||
- For #660: formatting, less verbose logging, add EDE information.
|
||||
|
||||
1 July 2022: George
|
||||
- Merge PR #706: NXNS fallback.
|
||||
|
|
|
|||
|
|
@ -686,7 +686,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
|
|||
|
||||
static void
|
||||
digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key,
|
||||
unsigned char* sigblock, int dofree, int docrypto_free)
|
||||
unsigned char* sigblock, int dofree, int docrypto_free)
|
||||
{
|
||||
#ifdef HAVE_EVP_MD_CTX_NEW
|
||||
EVP_MD_CTX_destroy(ctx);
|
||||
|
|
@ -703,12 +703,14 @@ static enum sec_status
|
|||
digest_error_status(const char *str)
|
||||
{
|
||||
unsigned long e = ERR_get_error();
|
||||
log_crypto_verbose(VERB_QUERY, str, e);
|
||||
#ifdef EVP_R_INVALID_DIGEST
|
||||
if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
|
||||
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST)
|
||||
ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
|
||||
log_crypto_verbose(VERB_ALGO, str, e);
|
||||
return sec_status_indeterminate;
|
||||
}
|
||||
#endif
|
||||
log_crypto_verbose(VERB_QUERY, str, e);
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
|
||||
|
|
@ -726,7 +728,7 @@ digest_error_status(const char *str)
|
|||
* unchecked on format errors and alloc failures.
|
||||
*/
|
||||
enum sec_status
|
||||
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
||||
unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
|
||||
char** reason)
|
||||
{
|
||||
|
|
@ -798,15 +800,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
enum sec_status sec;
|
||||
sec = digest_error_status("verify: EVP_DigestInit failed");
|
||||
digest_ctx_free(ctx, evp_key, sigblock,
|
||||
dofree, docrypto_free);
|
||||
dofree, docrypto_free);
|
||||
return sec;
|
||||
}
|
||||
if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
|
||||
(unsigned int)sldns_buffer_limit(buf)) == 0) {
|
||||
log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
|
||||
ERR_get_error());
|
||||
ERR_get_error());
|
||||
digest_ctx_free(ctx, evp_key, sigblock,
|
||||
dofree, docrypto_free);
|
||||
dofree, docrypto_free);
|
||||
return sec_status_unchecked;
|
||||
}
|
||||
|
||||
|
|
@ -816,7 +818,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
enum sec_status sec;
|
||||
sec = digest_error_status("verify: EVP_DigestVerifyInit failed");
|
||||
digest_ctx_free(ctx, evp_key, sigblock,
|
||||
dofree, docrypto_free);
|
||||
dofree, docrypto_free);
|
||||
return sec;
|
||||
}
|
||||
res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
|
||||
|
|
@ -824,7 +826,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
|
|||
sldns_buffer_limit(buf));
|
||||
#endif
|
||||
digest_ctx_free(ctx, evp_key, sigblock,
|
||||
dofree, docrypto_free);
|
||||
dofree, docrypto_free);
|
||||
|
||||
if(res == 1) {
|
||||
return sec_status_secure;
|
||||
|
|
|
|||
|
|
@ -607,7 +607,7 @@ void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
|
|||
*reason = s;
|
||||
}
|
||||
|
||||
enum sec_status
|
||||
enum sec_status
|
||||
dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
||||
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
|
||||
size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
|
||||
|
|
@ -642,13 +642,19 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
|
|||
if(sec == sec_status_secure)
|
||||
return sec;
|
||||
numchecked ++;
|
||||
if (sec == sec_status_indeterminate)
|
||||
if(sec == sec_status_indeterminate)
|
||||
numindeterminate ++;
|
||||
|
||||
}
|
||||
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
|
||||
if(!numchecked) *reason = "signature missing";
|
||||
else if (numchecked == numindeterminate) {
|
||||
if(!numchecked) {
|
||||
*reason = "signature missing";
|
||||
if(reason_bogus)
|
||||
*reason_bogus = LDNS_EDE_RRSIGS_MISSING;
|
||||
} else if(numchecked == numindeterminate) {
|
||||
verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
|
||||
"refusal by cryptolib");
|
||||
if(reason_bogus)
|
||||
*reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
|
||||
*reason = "algorithm refused by cryptolib";
|
||||
return sec_status_indeterminate;
|
||||
}
|
||||
|
|
@ -703,7 +709,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
|
|||
verbose(VERB_QUERY, "verify: could not find appropriate key");
|
||||
return sec_status_bogus;
|
||||
}
|
||||
if (numindeterminate == numchecked)
|
||||
if(numindeterminate == numchecked)
|
||||
return sec_status_indeterminate;
|
||||
return sec_status_bogus;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue