3354. [func] Improve OpenSSL error logging. [RT #29932]

2025-08-31 14:35:26 +00:00 · 2012-07-23 15:08:21 +10:00
parent 141ae50ab9
commit 6eb6af6732
16 changed files with 225 additions and 102 deletions
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -163,7 +163,8 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {

 	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
 		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (ISC_R_FAILURE);
+		return (dst__openssl_toresult2("EVP_DigestInit_ex",
+					       ISC_R_FAILURE));
 	}
 	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
 #else
@@ -311,7 +312,8 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {

 #if USE_EVP
 	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
-		return (ISC_R_FAILURE);
+		return (dst__openssl_toresult2("EVP_DigestUpdate",
+					       ISC_R_FAILURE));
 	}
 #else
 	switch (dctx->key->key_alg) {
@@ -381,7 +383,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	int status;
 	int type = 0;
 	unsigned int digestlen = 0;
-	char *message;
 	unsigned long err;
 	const char* file;
 	int line;
@@ -404,7 +405,8 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 		return (ISC_R_NOSPACE);

 	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
-		return (ISC_R_FAILURE);
+		return (dst__openssl_toresult2("EVP_SignFinal",
+					       ISC_R_FAILURE));
 	}
 #else
 	if (r.length < (unsigned int) RSA_size(rsa))
@@ -496,13 +498,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	INSIST(type != 0);
 	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
 #endif
-	if (status == 0) {
-		err = ERR_peek_error_line(&file, &line);
-		if (err != 0U) {
-			message = ERR_error_string(err, NULL);
-		}
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
+	if (status == 0)
+		return (dst__openssl_toresult2("RSA_sign",
+					       DST_R_OPENSSLFAILURE));
 #endif

 	isc_buffer_add(sig, siglen);
@@ -635,7 +633,9 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 						    original, rsa,
 						    RSA_PKCS1_PADDING);
 			if (status <= 0)
-				return (DST_R_VERIFYFAILURE);
+				return (dst__openssl_toresult2(
+						"RSA_public_decrypt",
+						DST_R_VERIFYFAILURE));
 			if (status != (int)(prefixlen + digestlen))
 				return (DST_R_VERIFYFAILURE);
 			if (memcmp(original, prefix, prefixlen))
@@ -656,7 +656,8 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 #endif
 #endif
 	if (status != 1)
-		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+		return (dst__openssl_toresult2("RSA_verify",
+					       DST_R_VERIFYFAILURE));

 	return (ISC_R_SUCCESS);
 }
@@ -751,6 +752,7 @@ progress_cb(int p, int n, BN_GENCB *cb)

 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+	isc_result_t ret = DST_R_OPENSSLFAILURE;
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
 	BN_GENCB cb;
 	union {
@@ -801,6 +803,8 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #endif
 		return (ISC_R_SUCCESS);
 	}
+	ret = dst__openssl_toresult2("RSA_generate_key_ex",
+				     DST_R_OPENSSLFAILURE);

 err:
 #if USE_EVP
@@ -811,7 +815,7 @@ err:
 		BN_free(e);
 	if (rsa != NULL)
 		RSA_free(rsa);
-	return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	return (dst__openssl_toresult(ret));
 #else
 	RSA *rsa;
 	unsigned long e;
@@ -835,7 +839,8 @@ err:
 #if USE_EVP
 		EVP_PKEY_free(pkey);
 #endif
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		return (dst__openssl_toresult2("RSA_generate_key",
+					       DST_R_OPENSSLFAILURE));
 	}
 	SET_FLAGS(rsa);
 #if USE_EVP
@@ -1034,6 +1039,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	rsa = key->keydata.rsa;
 #endif

+	memset(bufs, 0, sizeof(bufs));
 	for (i = 0; i < 8; i++) {
 		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
 		if (bufs[i] == NULL) {
@@ -1187,7 +1193,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
-		return (ret);
+		goto err;

 	for (i = 0; i < priv.nelements; i++) {
 		switch (priv.elements[i].tag) {
@@ -1213,10 +1219,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		if (e == NULL)
 			DST_RET(DST_R_NOENGINE);
 		pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-		if (pkey == NULL) {
-			/* ERR_print_errors_fp(stderr); */
-			DST_RET(ISC_R_NOTFOUND);
-		}
+		if (pkey == NULL)
+			DST_RET(dst__openssl_toresult2(
+					"ENGINE_load_private_key",
+					ISC_R_NOTFOUND));
 		key->engine = isc_mem_strdup(key->mctx, engine);
 		if (key->engine == NULL)
 			DST_RET(ISC_R_NOMEMORY);
@@ -1365,7 +1371,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	}
 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
 	if (pkey == NULL)
-		DST_RET(ISC_R_NOTFOUND);
+		DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
+					       ISC_R_NOTFOUND));
 	if (engine != NULL) {
 		key->engine = isc_mem_strdup(key->mctx, engine);
 		if (key->engine == NULL)