[master] silence noisy OpenSSL logging

3402. [bug] Correct interface numbers for IPv4 and IPv6 interfaces.
2025-08-30 22:15:20 +00:00 · 2012-10-24 12:58:16 -07:00
parent 24d8211904
commit 0e37e9e3d7
11 changed files with 90 additions and 32 deletions
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -275,7 +275,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_databuf;

-	ret = dst_context_create(key, mctx, &ctx);
+	ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_databuf;

@@ -471,7 +471,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	}

 again:
-	ret = dst_context_create(key, mctx, &ctx);
+	ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;

@@ -562,7 +562,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
 			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
-			      "sucessfully validated after lower casing "
+			      "successfully validated after lower casing "
 			      "signer '%s'", namebuf);
 		inc_stat(dns_dnssecstats_downcase);
 	} else if (ret == ISC_R_SUCCESS)
@@ -871,7 +871,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {

 	isc_buffer_init(&databuf, data, sizeof(data));

-	RETERR(dst_context_create(key, mctx, &ctx));
+	RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));

 	/*
 	 * Digest the fields of the SIG - we can cheat and use
@@ -1021,7 +1021,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 		goto failure;
 	}

-	RETERR(dst_context_create(key, mctx, &ctx));
+	RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));

 	/*
 	 * Digest the SIG(0) record, except for the signature.
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -293,6 +293,13 @@ dst_ds_digest_supported(unsigned int digest_type) {

 isc_result_t
 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
+	return (dst_context_create2(key, mctx,
+				    DNS_LOGCATEGORY_GENERAL, dctxp));
+}
+
+isc_result_t
+dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, dst_context_t **dctxp) {
 	dst_context_t *dctx;
 	isc_result_t result;

@@ -311,6 +318,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
 		return (ISC_R_NOMEMORY);
 	dctx->key = key;
 	dctx->mctx = mctx;
+	dctx->category = category;
 	result = key->func->createctx(key, dctx);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, dctx, sizeof(dst_context_t));
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -138,6 +138,7 @@ struct dst_context {
 	unsigned int magic;
 	dst_key_t *key;
 	isc_mem_t *mctx;
+	isc_logcategory_t *category;
 	union {
 		void *generic;
 		dst_gssapi_signverifyctx_t *gssctx;
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -21,6 +21,7 @@
 #define DST_OPENSSL_H 1

 #include <isc/lang.h>
+#include <isc/log.h>
 #include <isc/result.h>

 #include <openssl/err.h>
@@ -42,6 +43,10 @@ dst__openssl_toresult(isc_result_t fallback);
 isc_result_t
 dst__openssl_toresult2(const char *funcname, isc_result_t fallback);

+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category,
+		       const char *funcname, isc_result_t fallback);
+
 #ifdef USE_ENGINE
 ENGINE *
 dst__openssl_getengine(const char *engine);
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -26,6 +26,7 @@
 #include <isc/stdtime.h>

 #include <dns/types.h>
+#include <dns/log.h>
 #include <dns/name.h>
 #include <dns/secalg.h>
 #include <dns/ds.h>
@@ -181,6 +182,11 @@ dst_ds_digest_supported(unsigned int digest_type);

 isc_result_t
 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, dst_context_t **dctxp);
+
 /*%<
 * Creates a context to be used for a sign or verify operation.
 *
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -329,6 +329,13 @@ dst__openssl_toresult(isc_result_t fallback) {

 isc_result_t
 dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
+	return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
+				       funcname, fallback));
+}
+
+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category,
+		       const char *funcname, isc_result_t fallback) {
 	isc_result_t result;
 	unsigned long err;
 	const char *file, *data;
@@ -337,7 +344,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {

 	result = toresult(fallback);

-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+	isc_log_write(dns_lctx, category,
 		      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
 		      "%s failed (%s)", funcname,
 		      isc_result_totext(result));
@@ -350,7 +357,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
 		if (err == 0U)
 			goto done;
 		ERR_error_string_n(err, buf, sizeof(buf));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		isc_log_write(dns_lctx, category,
 			      DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
 			      "%s:%s:%d:%s", buf, file, line,
 			      (flags & ERR_TXT_STRING) ? data : "");
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
 		EVP_PKEY_free(pkey);
 		free(sigbuf);
-		return (dst__openssl_toresult2("EVP_SignFinal",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_SignFinal",
 					       ISC_R_FAILURE));
 	}
 	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
@@ -182,25 +183,30 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	sb = sigbuf;
 	if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
 		free(sigbuf);
-		return (dst__openssl_toresult2("d2i_DSA_SIG", ISC_R_FAILURE));
+		return (dst__openssl_toresult3(dctx->category,
+					       "d2i_DSA_SIG",
+					       ISC_R_FAILURE));
 	}
 	free(sigbuf);
 #elif 0
 	/* Only use EVP for the Digest */
 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
-		return (dst__openssl_toresult2("EVP_DigestFinal_ex",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestFinal_ex",
 					       ISC_R_FAILURE));
 	}
 	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
 	if (dsasig == NULL)
-		return (dst__openssl_toresult2("DSA_do_sign",
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_sign",
 					       DST_R_SIGNFAILURE));
 #else
 	isc_sha1_final(sha1ctx, digest);

 	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
 	if (dsasig == NULL)
-		return (dst__openssl_toresult2("DSA_do_sign",
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_sign",
 					       DST_R_SIGNFAILURE));
 #endif
 	*r.base++ = (key->key_size - 512)/64;
@@ -286,7 +292,8 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	case 0:
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 	default:
-		return (dst__openssl_toresult2("DSA_do_verify",
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_verify",
 					       DST_R_VERIFYFAILURE));
 	}
 }
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -73,7 +73,8 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {

 	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
 		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (dst__openssl_toresult2("EVP_DigestInit_ex",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestInit_ex",
 					       ISC_R_FAILURE));
 	}

@@ -103,7 +104,8 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
 		dctx->key->key_alg == DST_ALG_ECDSA384);

 	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
-		return (dst__openssl_toresult2("EVP_DigestUpdate",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestUpdate",
 					       ISC_R_FAILURE));

 	return (ISC_R_SUCCESS);
@@ -147,12 +149,14 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 		DST_RET(ISC_R_NOSPACE);

 	if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
-		DST_RET(dst__openssl_toresult2("EVP_DigestFinal",
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestFinal",
 					       ISC_R_FAILURE));

 	ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
 	if (ecdsasig == NULL)
-		DST_RET(dst__openssl_toresult2("ECDSA_do_sign",
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "ECDSA_do_sign",
 					       DST_R_SIGNFAILURE));
 	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
 	r.base += siglen / 2;
@@ -196,7 +200,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 		return (DST_R_VERIFYFAILURE);

 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
-		DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex",
+		DST_RET (dst__openssl_toresult3(dctx->category,
+						"EVP_DigestFinal_ex",
 						ISC_R_FAILURE));

 	ecdsasig = ECDSA_SIG_new();
@@ -216,7 +221,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
 		break;
 	default:
-		ret = dst__openssl_toresult2("ECDSA_do_verify",
+		ret = dst__openssl_toresult3(dctx->category,
+					     "ECDSA_do_verify",
 					     DST_R_VERIFYFAILURE);
 		break;
 	}
--- a/lib/dns/opensslgost_link.c
+++ b/lib/dns/opensslgost_link.c
@@ -127,7 +127,8 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	case 0:
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 	default:
-		return (dst__openssl_toresult2("EVP_VerifyFinal",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_VerifyFinal",
 					       DST_R_VERIFYFAILURE));
 	}
 }
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -163,7 +163,8 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {

 	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
 		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (dst__openssl_toresult2("EVP_DigestInit_ex",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestInit_ex",
 					       ISC_R_FAILURE));
 	}
 	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
@@ -312,7 +313,8 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {

 #if USE_EVP
 	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
-		return (dst__openssl_toresult2("EVP_DigestUpdate",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestUpdate",
 					       ISC_R_FAILURE));
 	}
 #else
@@ -402,7 +404,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 		return (ISC_R_NOSPACE);

 	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
-		return (dst__openssl_toresult2("EVP_SignFinal",
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_SignFinal",
 					       ISC_R_FAILURE));
 	}
 #else
@@ -496,7 +499,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
 #endif
 	if (status == 0)
-		return (dst__openssl_toresult2("RSA_sign",
+		return (dst__openssl_toresult3(dctx->category,
+					       "RSA_sign",
 					       DST_R_OPENSSLFAILURE));
 #endif

@@ -542,6 +546,16 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 		return (DST_R_VERIFYFAILURE);

 	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+	switch (status) {
+	case 1:
+		return (ISC_R_SUCCESS);
+	case 0:
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	default:
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_VerifyFinal",
+					       DST_R_VERIFYFAILURE));
+	}
 #else
 	if (BN_num_bits(rsa->e) > maxbits && maxbits != 0)
 		return (DST_R_VERIFYFAILURE);
@@ -630,7 +644,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 						    original, rsa,
 						    RSA_PKCS1_PADDING);
 			if (status <= 0)
-				return (dst__openssl_toresult2(
+				return (dst__openssl_toresult3(
+						dctx->category,
 						"RSA_public_decrypt",
 						DST_R_VERIFYFAILURE));
 			if (status != (int)(prefixlen + digestlen))
@@ -650,13 +665,11 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 	INSIST(type != 0);
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			     RSA_size(rsa), rsa);
-#endif
 #endif
 	if (status != 1)
-		return (dst__openssl_toresult2("RSA_verify",
-					       DST_R_VERIFYFAILURE));
-
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 	return (ISC_R_SUCCESS);
+#endif
 }

 static isc_result_t
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -942,7 +942,8 @@ dns_tsig_sign(dns_message_t *msg) {
 		isc_buffer_t headerbuf;
 		isc_uint16_t digestbits;

-		ret = dst_context_create(key->key, mctx, &ctx);
+		ret = dst_context_create2(key->key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC, &ctx);
 		if (ret != ISC_R_SUCCESS)
 			return (ret);

@@ -1326,7 +1327,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		sig_r.base = tsig.signature;
 		sig_r.length = tsig.siglen;

-		ret = dst_context_create(key, mctx, &ctx);
+		ret = dst_context_create2(key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC, &ctx);
 		if (ret != ISC_R_SUCCESS)
 			return (ret);

@@ -1557,7 +1559,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	key = tsigkey->key;

 	if (msg->tsigctx == NULL) {
-		ret = dst_context_create(key, mctx, &msg->tsigctx);
+		ret = dst_context_create2(key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC,
+					  &msg->tsigctx);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_querystruct;