
[master] silence noisy OpenSSL logging

3402.	[bug]		Correct interface numbers for IPv4 and IPv6 interfaces.
This commit is contained in:
Evan Hunt
2012-10-24 12:58:16 -07:00
parent 24d8211904
commit 0e37e9e3d7
11 changed files with 90 additions and 32 deletions


@@ -275,7 +275,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
goto cleanup_databuf; goto cleanup_databuf;
ret = dst_context_create(key, mctx, &ctx); ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
goto cleanup_databuf; goto cleanup_databuf;
@@ -471,7 +471,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
} }
again: again:
ret = dst_context_create(key, mctx, &ctx); ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
goto cleanup_struct; goto cleanup_struct;
@@ -562,7 +562,7 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
dns_name_format(&sig.signer, namebuf, sizeof(namebuf)); dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1), DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
"sucessfully validated after lower casing " "successfully validated after lower casing "
"signer '%s'", namebuf); "signer '%s'", namebuf);
inc_stat(dns_dnssecstats_downcase); inc_stat(dns_dnssecstats_downcase);
} else if (ret == ISC_R_SUCCESS) } else if (ret == ISC_R_SUCCESS)
@@ -871,7 +871,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_buffer_init(&databuf, data, sizeof(data)); isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_context_create(key, mctx, &ctx)); RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
/* /*
* Digest the fields of the SIG - we can cheat and use * Digest the fields of the SIG - we can cheat and use
@@ -1021,7 +1021,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
goto failure; goto failure;
} }
RETERR(dst_context_create(key, mctx, &ctx)); RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
/* /*
* Digest the SIG(0) record, except for the signature. * Digest the SIG(0) record, except for the signature.


@@ -293,6 +293,13 @@ dst_ds_digest_supported(unsigned int digest_type) {
isc_result_t isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) { dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
return (dst_context_create2(key, mctx,
DNS_LOGCATEGORY_GENERAL, dctxp));
}
isc_result_t
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
isc_logcategory_t *category, dst_context_t **dctxp) {
dst_context_t *dctx; dst_context_t *dctx;
isc_result_t result; isc_result_t result;
@@ -311,6 +318,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
return (ISC_R_NOMEMORY); return (ISC_R_NOMEMORY);
dctx->key = key; dctx->key = key;
dctx->mctx = mctx; dctx->mctx = mctx;
dctx->category = category;
result = key->func->createctx(key, dctx); result = key->func->createctx(key, dctx);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, dctx, sizeof(dst_context_t)); isc_mem_put(mctx, dctx, sizeof(dst_context_t));
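Review bot: `dctx->category = category;` is stored without any check, yet it is later handed straight to isc_log_write() by dst__openssl_toresult3(), so a NULL category from a future caller would presumably fail deep inside the logger rather than at the API boundary; a `REQUIRE(category != NULL);` at the top of dst_context_create2 would make the contract explicit. The position of the assignment also deserves a comment, because it must precede `result = key->func->createctx(key, dctx);` — backends such as opensslrsa_createctx already log through `dctx->category`. Suggested: `/* Set before createctx(): backends report OpenSSL errors via dctx->category. */`. The body of dst_context_create2 continues between and beyond these two hunks.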


@@ -138,6 +138,7 @@ struct dst_context {
unsigned int magic; unsigned int magic;
dst_key_t *key; dst_key_t *key;
isc_mem_t *mctx; isc_mem_t *mctx;
isc_logcategory_t *category;
union { union {
void *generic; void *generic;
dst_gssapi_signverifyctx_t *gssctx; dst_gssapi_signverifyctx_t *gssctx;
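Review bot: The new `isc_logcategory_t *category;` member of struct dst_context carries no comment saying who sets it and who reads it, which matters because every OpenSSL backend now passes it into dst__openssl_toresult3() on failure. A one-liner such as `/* log category for backend (OpenSSL) failure reports; set by dst_context_create2() */` would make the ownership clear. The struct continues outside the hunk.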


@@ -21,6 +21,7 @@
#define DST_OPENSSL_H 1 #define DST_OPENSSL_H 1
#include <isc/lang.h> #include <isc/lang.h>
#include <isc/log.h>
#include <isc/result.h> #include <isc/result.h>
#include <openssl/err.h> #include <openssl/err.h>
@@ -42,6 +43,10 @@ dst__openssl_toresult(isc_result_t fallback);
isc_result_t isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback); dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category,
const char *funcname, isc_result_t fallback);
#ifdef USE_ENGINE #ifdef USE_ENGINE
ENGINE * ENGINE *
dst__openssl_getengine(const char *engine); dst__openssl_getengine(const char *engine);
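Review bot: The new `dst__openssl_toresult3()` prototype is undocumented, and how it relates to the two older variants is only discoverable by reading openssl.c. A comment above it along the lines of `/* As dst__openssl_toresult2(), but the failure and the OpenSSL error queue are logged under 'category' rather than DNS_LOGCATEGORY_GENERAL. */` would record the contract at the declaration, and could add that category must not be NULL if that is the intended requirement.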


@@ -26,6 +26,7 @@
#include <isc/stdtime.h> #include <isc/stdtime.h>
#include <dns/types.h> #include <dns/types.h>
#include <dns/log.h>
#include <dns/name.h> #include <dns/name.h>
#include <dns/secalg.h> #include <dns/secalg.h>
#include <dns/ds.h> #include <dns/ds.h>
@@ -181,6 +182,11 @@ dst_ds_digest_supported(unsigned int digest_type);
isc_result_t isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp); dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
isc_result_t
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
isc_logcategory_t *category, dst_context_t **dctxp);
/*%< /*%<
* Creates a context to be used for a sign or verify operation. * Creates a context to be used for a sign or verify operation.
* *
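Review bot: The `/*%<` block now sits directly under the new `dst_context_create2()` prototype but still describes only the context creation and says nothing about the `category` parameter. Suggest extending it with: `category is the log category under which OpenSSL failures for this context are reported; dst_context_create() behaves as if DNS_LOGCATEGORY_GENERAL were passed.` (which is exactly what the wrapper in dst_api.c does). The rest of the comment block lies outside the hunk.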


@@ -329,6 +329,13 @@ dst__openssl_toresult(isc_result_t fallback) {
isc_result_t isc_result_t
dst__openssl_toresult2(const char *funcname, isc_result_t fallback) { dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
funcname, fallback));
}
isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category,
const char *funcname, isc_result_t fallback) {
isc_result_t result; isc_result_t result;
unsigned long err; unsigned long err;
const char *file, *data; const char *file, *data;
@@ -337,7 +344,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
result = toresult(fallback); result = toresult(fallback);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
"%s failed (%s)", funcname, "%s failed (%s)", funcname,
isc_result_totext(result)); isc_result_totext(result));
@@ -350,7 +357,7 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
if (err == 0U) if (err == 0U)
goto done; goto done;
ERR_error_string_n(err, buf, sizeof(buf)); ERR_error_string_n(err, buf, sizeof(buf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, isc_log_write(dns_lctx, category,
DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO, DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
"%s:%s:%d:%s", buf, file, line, "%s:%s:%d:%s", buf, file, line,
(flags & ERR_TXT_STRING) ? data : ""); (flags & ERR_TXT_STRING) ? data : "");
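Review bot: Both `isc_log_write(dns_lctx, category, ...)` sites now trust the category argument unconditionally; dst__openssl_toresult3 is an internal (`dst__`) entry point, but a `REQUIRE(category != NULL);` at its top would catch a backend that forgets to initialise dctx->category before the logger does. A short comment above the function would also help explain the commit's intent: the WARNING line and the per-entry INFO lines are emitted under the caller's category, which presumably lets operators route DNS_LOGCATEGORY_DNSSEC noise separately without losing the generic-category reports. The error-queue loop around the second isc_log_write begins outside the hunk.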


@@ -168,7 +168,8 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) { if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
free(sigbuf); free(sigbuf);
return (dst__openssl_toresult2("EVP_SignFinal", return (dst__openssl_toresult3(dctx->category,
"EVP_SignFinal",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
INSIST(EVP_PKEY_size(pkey) >= (int) siglen); INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
@@ -182,25 +183,30 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
sb = sigbuf; sb = sigbuf;
if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) { if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
free(sigbuf); free(sigbuf);
return (dst__openssl_toresult2("d2i_DSA_SIG", ISC_R_FAILURE)); return (dst__openssl_toresult3(dctx->category,
"d2i_DSA_SIG",
ISC_R_FAILURE));
} }
free(sigbuf); free(sigbuf);
#elif 0 #elif 0
/* Only use EVP for the Digest */ /* Only use EVP for the Digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
return (dst__openssl_toresult2("EVP_DigestFinal_ex", return (dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal_ex",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL) if (dsasig == NULL)
return (dst__openssl_toresult2("DSA_do_sign", return (dst__openssl_toresult3(dctx->category,
"DSA_do_sign",
DST_R_SIGNFAILURE)); DST_R_SIGNFAILURE));
#else #else
isc_sha1_final(sha1ctx, digest); isc_sha1_final(sha1ctx, digest);
dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
if (dsasig == NULL) if (dsasig == NULL)
return (dst__openssl_toresult2("DSA_do_sign", return (dst__openssl_toresult3(dctx->category,
"DSA_do_sign",
DST_R_SIGNFAILURE)); DST_R_SIGNFAILURE));
#endif #endif
*r.base++ = (key->key_size - 512)/64; *r.base++ = (key->key_size - 512)/64;
@@ -286,7 +292,8 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
case 0: case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default: default:
return (dst__openssl_toresult2("DSA_do_verify", return (dst__openssl_toresult3(dctx->category,
"DSA_do_verify",
DST_R_VERIFYFAILURE)); DST_R_VERIFYFAILURE));
} }
} }
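Review bot: The `#elif 0` branch of openssldsa_sign (the `EVP_DigestFinal_ex` / `DSA_do_sign` block) was converted to dst__openssl_toresult3 like the live branches, but it is never compiled, so neither this change nor its `dctx->category` reference is checked by the build. Either drop the dead branch or mark it, e.g. `/* NOTE: never compiled; kept for reference only */`, so the next edit does not rely on it silently. The live paths are consistent with the other backends: a signature mismatch (`case 0`) stays on dst__openssl_toresult() and only genuine library errors carry the function name. openssldsa_sign begins outside the hunk.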


@@ -73,7 +73,8 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx); EVP_MD_CTX_destroy(evp_md_ctx);
return (dst__openssl_toresult2("EVP_DigestInit_ex", return (dst__openssl_toresult3(dctx->category,
"EVP_DigestInit_ex",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
@@ -103,7 +104,8 @@ opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
dctx->key->key_alg == DST_ALG_ECDSA384); dctx->key->key_alg == DST_ALG_ECDSA384);
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
return (dst__openssl_toresult2("EVP_DigestUpdate", return (dst__openssl_toresult3(dctx->category,
"EVP_DigestUpdate",
ISC_R_FAILURE)); ISC_R_FAILURE));
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
@@ -147,12 +149,14 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DST_RET(ISC_R_NOSPACE); DST_RET(ISC_R_NOSPACE);
if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen)) if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
DST_RET(dst__openssl_toresult2("EVP_DigestFinal", DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal",
ISC_R_FAILURE)); ISC_R_FAILURE));
ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey); ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
if (ecdsasig == NULL) if (ecdsasig == NULL)
DST_RET(dst__openssl_toresult2("ECDSA_do_sign", DST_RET(dst__openssl_toresult3(dctx->category,
"ECDSA_do_sign",
DST_R_SIGNFAILURE)); DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
r.base += siglen / 2; r.base += siglen / 2;
@@ -196,7 +200,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
return (DST_R_VERIFYFAILURE); return (DST_R_VERIFYFAILURE);
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex", DST_RET (dst__openssl_toresult3(dctx->category,
"EVP_DigestFinal_ex",
ISC_R_FAILURE)); ISC_R_FAILURE));
ecdsasig = ECDSA_SIG_new(); ecdsasig = ECDSA_SIG_new();
@@ -216,7 +221,8 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
ret = dst__openssl_toresult(DST_R_VERIFYFAILURE); ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
break; break;
default: default:
ret = dst__openssl_toresult2("ECDSA_do_verify", ret = dst__openssl_toresult3(dctx->category,
"ECDSA_do_verify",
DST_R_VERIFYFAILURE); DST_R_VERIFYFAILURE);
break; break;
} }
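Review bot: `DST_RET (dst__openssl_toresult3(dctx->category,` in opensslecdsa_verify has a space before the parenthesis, whereas the same macro is written `DST_RET(` in opensslecdsa_sign one hunk earlier; since the line is rewritten anyway it could be normalised to `DST_RET(dst__openssl_toresult3(dctx->category,`. Otherwise the category plumbing matches the DSA and RSA backends. The enclosing functions all start and end outside these hunks.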


@@ -127,7 +127,8 @@ opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
case 0: case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default: default:
return (dst__openssl_toresult2("EVP_VerifyFinal", return (dst__openssl_toresult3(dctx->category,
"EVP_VerifyFinal",
DST_R_VERIFYFAILURE)); DST_R_VERIFYFAILURE));
} }
} }


@@ -163,7 +163,8 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
EVP_MD_CTX_destroy(evp_md_ctx); EVP_MD_CTX_destroy(evp_md_ctx);
return (dst__openssl_toresult2("EVP_DigestInit_ex", return (dst__openssl_toresult3(dctx->category,
"EVP_DigestInit_ex",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
dctx->ctxdata.evp_md_ctx = evp_md_ctx; dctx->ctxdata.evp_md_ctx = evp_md_ctx;
@@ -312,7 +313,8 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
#if USE_EVP #if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (dst__openssl_toresult2("EVP_DigestUpdate", return (dst__openssl_toresult3(dctx->category,
"EVP_DigestUpdate",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
#else #else
@@ -402,7 +404,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
return (ISC_R_NOSPACE); return (ISC_R_NOSPACE);
if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) { if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
return (dst__openssl_toresult2("EVP_SignFinal", return (dst__openssl_toresult3(dctx->category,
"EVP_SignFinal",
ISC_R_FAILURE)); ISC_R_FAILURE));
} }
#else #else
@@ -496,7 +499,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa); status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
#endif #endif
if (status == 0) if (status == 0)
return (dst__openssl_toresult2("RSA_sign", return (dst__openssl_toresult3(dctx->category,
"RSA_sign",
DST_R_OPENSSLFAILURE)); DST_R_OPENSSLFAILURE));
#endif #endif
@@ -542,6 +546,16 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
return (DST_R_VERIFYFAILURE); return (DST_R_VERIFYFAILURE);
status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey); status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
switch (status) {
case 1:
return (ISC_R_SUCCESS);
case 0:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
default:
return (dst__openssl_toresult3(dctx->category,
"EVP_VerifyFinal",
DST_R_VERIFYFAILURE));
}
#else #else
if (BN_num_bits(rsa->e) > maxbits && maxbits != 0) if (BN_num_bits(rsa->e) > maxbits && maxbits != 0)
return (DST_R_VERIFYFAILURE); return (DST_R_VERIFYFAILURE);
@@ -630,7 +644,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
original, rsa, original, rsa,
RSA_PKCS1_PADDING); RSA_PKCS1_PADDING);
if (status <= 0) if (status <= 0)
return (dst__openssl_toresult2( return (dst__openssl_toresult3(
dctx->category,
"RSA_public_decrypt", "RSA_public_decrypt",
DST_R_VERIFYFAILURE)); DST_R_VERIFYFAILURE));
if (status != (int)(prefixlen + digestlen)) if (status != (int)(prefixlen + digestlen))
@@ -650,13 +665,11 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
INSIST(type != 0); INSIST(type != 0);
status = RSA_verify(type, digest, digestlen, sig->base, status = RSA_verify(type, digest, digestlen, sig->base,
RSA_size(rsa), rsa); RSA_size(rsa), rsa);
#endif
#endif #endif
if (status != 1) if (status != 1)
return (dst__openssl_toresult2("RSA_verify", return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
#endif
} }
static isc_result_t static isc_result_t
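Review bot: The new `switch (status)` in opensslrsa_verify2's USE_EVP path relies on the reader knowing EVP_VerifyFinal's return convention; a comment on the switch such as `/* 1: verified; 0: signature mismatch; anything else: library error, log it with the error queue */` would make the three branches self-explanatory (a negative return is what OpenSSL documents for errors, though I have not checked the version in use). The last hunk also introduces an asymmetry in the non-EVP path: `RSA_public_decrypt` failures still go through dst__openssl_toresult3 with the function name, while `RSA_verify` failures are now reported with the bare dst__openssl_toresult(DST_R_VERIFYFAILURE); presumably intentional because RSA_verify returns 0 for both a bad signature and an internal error, but a one-line comment at that site would keep it from being "fixed" back. opensslrsa_verify2 starts outside the first hunk.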


@@ -942,7 +942,8 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_t headerbuf; isc_buffer_t headerbuf;
isc_uint16_t digestbits; isc_uint16_t digestbits;
ret = dst_context_create(key->key, mctx, &ctx); ret = dst_context_create2(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
return (ret); return (ret);
@@ -1326,7 +1327,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
sig_r.base = tsig.signature; sig_r.base = tsig.signature;
sig_r.length = tsig.siglen; sig_r.length = tsig.siglen;
ret = dst_context_create(key, mctx, &ctx); ret = dst_context_create2(key, mctx,
DNS_LOGCATEGORY_DNSSEC, &ctx);
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
return (ret); return (ret);
@@ -1557,7 +1559,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
key = tsigkey->key; key = tsigkey->key;
if (msg->tsigctx == NULL) { if (msg->tsigctx == NULL) {
ret = dst_context_create(key, mctx, &msg->tsigctx); ret = dst_context_create2(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
&msg->tsigctx);
if (ret != ISC_R_SUCCESS) if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct; goto cleanup_querystruct;