From: George Thessalonikefs
Date: Sun, 3 Jul 2022 20:32:56 +0000 (+0200)
Subject: For #660: formatting, less verbose logging, add EDE information.
X-Git-Tag: release-1.16.1rc1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=317bab9f1d7c108cb31cd74ec6918c9797931798;p=thirdparty%2Funbound.git
For #660: formatting, less verbose logging, add EDE information.
---
diff --git a/doc/Changelog b/doc/Changelog
index b6d7e477b..8e727f1ed 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS mode on openssl3.
 - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
+ - For #660: formatting, less verbose logging, add EDE information.
 1 July 2022: George
 - Merge PR #706: NXNS fallback.
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 9c52009f2..1d933f9a7 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -686,7 +686,7 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 static void
 digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key,
- unsigned char* sigblock, int dofree, int docrypto_free)
+ unsigned char* sigblock, int dofree, int docrypto_free)
 {
 #ifdef HAVE_EVP_MD_CTX_NEW
 EVP_MD_CTX_destroy(ctx);
@@ -703,12 +703,14 @@ static enum sec_status
 digest_error_status(const char *str)
 {
 unsigned long e = ERR_get_error();
- log_crypto_verbose(VERB_QUERY, str, e);
 #ifdef EVP_R_INVALID_DIGEST
 if (ERR_GET_LIB(e) == ERR_LIB_EVP &&
- ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST)
+ ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) {
+ log_crypto_verbose(VERB_ALGO, str, e);
 return sec_status_indeterminate;
+ }
 #endif
+ log_crypto_verbose(VERB_QUERY, str, e);
 return sec_status_unchecked;
 }
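Review bot: digest_error_status classifies on the single entry that `ERR_get_error()` pops, so any further entries OpenSSL queued for the same failure stay behind and can be picked up by the next `ERR_get_error()` call in verify_canonrrset (the `log_crypto_verbose(..., ERR_get_error())` on the EVP_DigestUpdate path also pops just one). Whether the queue is cleared before the EVP calls is outside this hunk; if it is not, an `ERR_clear_error();` after the logging in both branches keeps one failure from colouring the diagnosis of the next. The function also has no comment stating its contract; above `static enum sec_status` (outside the hunk) I would add `/* Classify the head of the OpenSSL error queue: indeterminate when the cryptolib refused the digest algorithm (logged at VERB_ALGO), unchecked for any other error (logged at VERB_QUERY). Pops one error from the queue. */`.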
@@ -726,7 +728,7 @@ digest_error_status(const char *str)
 * unchecked on format errors and alloc failures.
 */
 enum sec_status
-verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
+verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 unsigned int sigblock_len, unsigned char* key, unsigned int keylen,
 char** reason)
 {
@@ -798,15 +800,15 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 enum sec_status sec;
 sec = digest_error_status("verify: EVP_DigestInit failed");
 digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
 return sec;
 }
 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
 (unsigned int)sldns_buffer_limit(buf)) == 0) {
 log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
- ERR_get_error());
+ ERR_get_error());
 digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
 return sec_status_unchecked;
 }
@@ -816,7 +818,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 enum sec_status sec;
 sec = digest_error_status("verify: EVP_DigestVerifyInit failed");
 digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
 return sec;
 }
 res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
@@ -824,7 +826,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 sldns_buffer_limit(buf));
 #endif
 digest_ctx_free(ctx, evp_key, sigblock,
- dofree, docrypto_free);
+ dofree, docrypto_free);
 if(res == 1) {
 return sec_status_secure;
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 5fd774d7a..b4901f1ae 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -607,7 +607,7 @@ void algo_needs_reason(struct module_env* env, int alg, char** reason, char* s)
 *reason = s;
 }
-enum sec_status
+enum sec_status
 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
 size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus,
@@ -642,13 +642,19 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
 if(sec == sec_status_secure)
 return sec;
 numchecked ++;
- if (sec == sec_status_indeterminate)
+ if(sec == sec_status_indeterminate)
 numindeterminate ++;
-
 }
 verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
- if(!numchecked) *reason = "signature missing";
- else if (numchecked == numindeterminate) {
+ if(!numchecked) {
+ *reason = "signature missing";
+ if(reason_bogus)
+ *reason_bogus = LDNS_EDE_RRSIGS_MISSING;
+ } else if(numchecked == numindeterminate) {
+ verbose(VERB_ALGO, "rrset failed to verify due to algorithm "
+ "refusal by cryptolib");
+ if(reason_bogus)
+ *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
 *reason = "algorithm refused by cryptolib";
 return sec_status_indeterminate;
 }
@@ -703,7 +709,7 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 verbose(VERB_QUERY, "verify: could not find appropriate key");
 return sec_status_bogus;
 }
- if (numindeterminate == numchecked)
+ if(numindeterminate == numchecked)
 return sec_status_indeterminate;
 return sec_status_bogus;
 }
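Review bot: The unconditional `verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");` still runs before the new `numchecked == numindeterminate` branch, so an algorithm refusal is logged as "all signatures are bogus" and then as a refusal, although the rrset is returned indeterminate rather than bogus (the `!numchecked` path, where nothing was checked at all, gets the same misleading line). Guarding it with `if(numchecked && numchecked != numindeterminate)` or moving it below the indeterminate return keeps the log consistent with the returned status. The two new branches also write `*reason` and `*reason_bogus` in opposite orders; either works, but the same order in both reads better. dnskey_verify_rrset continues past the hunk, so whether the all-bogus fall-through sets an EDE code is not visible here.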