static void
digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key,
- unsigned char* sigblock, int dofree, int docrypto_free)
+ unsigned char* sigblock, int dofree, int docrypto_free)
{
#ifdef HAVE_EVP_MD_CTX_NEW
EVP_MD_CTX_destroy(ctx);
digest_error_status(const char *str)
{
unsigned long e = ERR_get_error();
- log_crypto_verbose(VERB_QUERY, str, e);
#ifdef EVP_R_INVALID_DIGEST
if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
- ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST)
+ ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
+ log_crypto_verbose(VERB_ALGO, str, e);
return sec_status_indeterminate;
+ }
#endif
+ log_crypto_verbose(VERB_QUERY, str, e);
return sec_status_unchecked;
}
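Review bot: The log-level split between `log_crypto_verbose(VERB_ALGO, str, e);` inside the EVP_R_INVALID_DIGEST branch and `log_crypto_verbose(VERB_QUERY, str, e);` for every other error is not explained in the code, and when EVP_R_INVALID_DIGEST is not defined by the cryptolib the whole branch disappears, so every error then takes the louder VERB_QUERY path and is reported as unchecked. A comment above the `#ifdef` would record the intent, e.g. `/* unsupported digest = algorithm refused by the cryptolib: indeterminate, logged at VERB_ALGO; any other error is a real failure: unchecked, logged at VERB_QUERY */`. The function's return-type line and header comment sit above the hunk and should state the same distinction so callers know which status maps to which log level. digest_error_status starts outside the hunk.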
* unchecked on format errors and alloc failures.
*/
enum sec_status
-verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
char** reason)
{
enum sec_status sec;
sec = digest_error_status("verify: EVP_DigestInit failed");
digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
return sec;
}
if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf)) == 0) {
log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
- ERR_get_error());
+ ERR_get_error());
digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
return sec_status_unchecked;
}
enum sec_status sec;
sec = digest_error_status("verify: EVP_DigestVerifyInit failed");
digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
return sec;
}
res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
sldns_buffer_limit(buf));
#endif
digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
if(res == 1) {
return sec_status_secure;
*reason = s;
}
-enum sec_status
+enum sec_status
dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
if(sec == sec_status_secure)
return sec;
numchecked ++;
- if (sec == sec_status_indeterminate)
+ if(sec == sec_status_indeterminate)
numindeterminate ++;
-
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
- if(!numchecked) *reason = "signature missing";
- else if (numchecked == numindeterminate) {
+ if(!numchecked) {
+ *reason = "signature missing";
+ if(reason_bogus)
+ *reason_bogus = LDNS_EDE_RRSIGS_MISSING;
+ } else if(numchecked == numindeterminate) {
+ verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
+ "refusal by cryptolib");
+ if(reason_bogus)
+ *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
*reason = "algorithm refused by cryptolib";
return sec_status_indeterminate;
}
verbose(VERB_QUERY, "verify: could not find appropriate key");
return sec_status_bogus;
}
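Review bot: The branch order at `if(!numchecked) {` followed by `} else if(numchecked == numindeterminate) {` is load-bearing but undocumented: when no signature was checked both counters are 0, so the second condition would also hold and the RRset would be reported as indeterminate with LDNS_EDE_UNSUPPORTED_DNSKEY_ALG instead of bogus with LDNS_EDE_RRSIGS_MISSING. A one-line comment makes this explicit, e.g. `/* test !numchecked first: numchecked == numindeterminate also holds when nothing was checked */`. The `verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");` line above is also emitted when no signature was checked at all, which can mislead when reading logs alongside the RRSIGS_MISSING EDE; consider logging it only on the path that actually returns bogus after checking signatures. The enclosing function starts outside the hunk.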
- if (numindeterminate == numchecked)
+ if(numindeterminate == numchecked)
return sec_status_indeterminate;
return sec_status_bogus;
}