
Commit ca240c7

committed
Log detailed openssl error also for digests failures
The output is still shown only at verbose detail level, but it now includes the OpenSSL error details to make the reason for the failure more obvious.
1 parent 33c8baa commit ca240c7


1 file changed

+23
-3
lines changed

1 file changed

+23
-3
lines changed

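--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -97,6 +97,23 @@ log_crypto_error(const char* str, unsigned long e)
 log_err("%s crypto %s", str, buf);
 }
 
+/**
+* Output a libcrypto openssl error to the logfile as a debug message.
+* @param level: debug level to use in verbose() call
+* @param str: string to add to it.
+* @param e: the error to output, error number from ERR_get_error().
+*/
+static void
+log_crypto_verbose(enum verbosity_value level, const char str, unsigned long e)
+{
+char buf[128];
+/* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+ERR_error_string_n(e, buf, sizeof(buf));
+/* buf now contains */
+/* error:[error code]:[library name]:[function name]:[reason string] */
+verbose(level, "%s crypto %s", str, buf);
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t
 nsec3_hash_algo_size_supported(int id)
@@ -763,14 +780,16 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 #ifndef HAVE_EVP_DIGESTVERIFY
 if(EVP_DigestInit(ctx, digest_type) == 0) {
 enum sec_status sec = digest_error_status();
-verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
+log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestInit failed",
+ERR_get_error());
 digest_ctx_free(ctx, evp_key, sigblock,
 dofree, docrypto_free);
 return sec;
 }
 if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
 (unsigned int)sldns_buffer_limit(buf)) == 0) {
-verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
+log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed",
+ERR_get_error());
 digest_ctx_free(ctx, evp_key, sigblock,
 dofree, docrypto_free);
 return sec_status_unchecked;
@@ -780,7 +799,8 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 #else /* HAVE_EVP_DIGESTVERIFY */
 if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
 enum sec_status sec = digest_error_status();
-verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
+log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed",
+ERR_get_error());
 digest_ctx_free(ctx, evp_key, sigblock,
 dofree, docrypto_free);
 return sec;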
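Review bot: In the EVP_DigestInit and EVP_DigestVerifyInit branches the new `ERR_get_error()` call runs after `digest_error_status()`, whose body is not shown here; if that helper reads the OpenSSL error queue itself to classify the failure, the entry that explains the failure has already been popped and the log line reports the next queued error or code 0. Reading the code once before the helper runs, e.g. `unsigned long e = ERR_peek_error();` ahead of `digest_error_status()` and then passing `e` to `log_crypto_verbose(...)`, keeps the logged reason tied to the call that actually failed. Separately, the new helper's signature appears as `const char str` while its body formats `str` with `%s`; unless the `*` was only lost in rendering, it needs to be `const char* str`, since passing a `char` to `%s` is undefined behaviour. verify_canonrrset starts and ends outside the hunks shown.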
