[crypto] lower logging severity during crypto reconfig

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

libknet/crypto.c

@@ -74,13 +74,25 @@ int crypto_authenticate_and_decrypt (
 	ssize_t *buf_out_len)
 {
 	int i, err = 0;
+	int multiple_configs = 0;
+	uint8_t log_level = KNET_LOG_ERR;
+
+	for (i = 1; i <= KNET_MAX_CRYPTO_INSTANCES; i++) {
+		if (knet_h->crypto_instance[i]) {
+			multiple_configs++;
+		}
+	}
 
 	/*
 	 * attempt to decrypt first with the in-use config
 	 * to avoid excessive performance hit.
 	 */
 
-	err = crypto_modules_cmds[knet_h->crypto_instance[knet_h->crypto_in_use_config]->model].ops->decrypt(knet_h, knet_h->crypto_instance[knet_h->crypto_in_use_config], buf_in, buf_in_len, buf_out, buf_out_len);
+	if (multiple_configs > 1) {
+		log_level = KNET_LOG_DEBUG;
+	}
+
+	err = crypto_modules_cmds[knet_h->crypto_instance[knet_h->crypto_in_use_config]->model].ops->decrypt(knet_h, knet_h->crypto_instance[knet_h->crypto_in_use_config], buf_in, buf_in_len, buf_out, buf_out_len, log_level);
 
 	/*
 	 * if we fail, try to use the other configurations
@@ -95,7 +107,7 @@ int crypto_authenticate_and_decrypt (
 			}
 			if (knet_h->crypto_instance[i]) {
 				log_debug(knet_h, KNET_SUB_CRYPTO, "Alternative crypto configuration found, attempting to decrypt with config %u", i);
-				err = crypto_modules_cmds[knet_h->crypto_instance[i]->model].ops->decrypt(knet_h, knet_h->crypto_instance[i], buf_in, buf_in_len, buf_out, buf_out_len);
+				err = crypto_modules_cmds[knet_h->crypto_instance[i]->model].ops->decrypt(knet_h, knet_h->crypto_instance[i], buf_in, buf_in_len, buf_out, buf_out_len, KNET_LOG_ERR);
 				if (!err) {
 					errno = 0; /* clear errno from previous failures */
 					return err;

libknet/crypto_model.h

@@ -48,7 +48,8 @@ typedef struct {
 			 const unsigned char *buf_in,
 			 const ssize_t buf_in_len,
 			 unsigned char *buf_out,
-			 ssize_t *buf_out_len);
+			 ssize_t *buf_out_len,
+			 uint8_t log_level);
 } crypto_ops_t;
 
 typedef struct {

libknet/crypto_nss.c

@@ -436,7 +436,8 @@ static int decrypt_nss (
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	PK11Context*	decrypt_context = NULL;
@@ -469,15 +470,25 @@ static int decrypt_nss (
 
 	if (PK11_CipherOp(decrypt_context, buf_out, &tmp1_outlen,
 			  KNET_DATABUFSIZE_CRYPT, data, datalen) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_CipherOp (decrypt) failed (err %d): %s",
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	if (PK11_DigestFinal(decrypt_context, buf_out + tmp1_outlen, &tmp2_outlen,
 			     KNET_DATABUFSIZE_CRYPT - tmp1_outlen) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinal (decrypt) failed (err %d): %s",
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
@@ -538,7 +549,8 @@ static int calculate_nss_hash(
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
-	unsigned char *hash)
+	unsigned char *hash,
+	uint8_t log_level)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	PK11Context*	hash_context = NULL;
@@ -571,17 +583,29 @@ static int calculate_nss_hash(
 	}
 
 	if (PK11_DigestOp(hash_context, buf, buf_len) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
-			(int)hash_to_nss[instance->crypto_hash_type],
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
+				  (int)hash_to_nss[instance->crypto_hash_type],
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestOp failed (hash) hash_type=%d (err %d): %s",
+				(int)hash_to_nss[instance->crypto_hash_type],
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
 	if (PK11_DigestFinal(hash_context, hash,
 			     &hash_tmp_outlen, nsshash_len[instance->crypto_hash_type]) != SECSuccess) {
-		log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
-			(int)hash_to_nss[instance->crypto_hash_type],
-			PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
+				  (int)hash_to_nss[instance->crypto_hash_type],
+				  PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		} else {
+			log_err(knet_h, KNET_SUB_NSSCRYPTO, "PK11_DigestFinale failed (hash) hash_type=%d (err %d): %s",
+				(int)hash_to_nss[instance->crypto_hash_type],
+				PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		}
 		goto out;
 	}
 
@@ -661,7 +685,7 @@ static int nsscrypto_encrypt_and_signv (
 	}
 
 	if (hash_to_nss[instance->crypto_hash_type]) {
-		if (calculate_nss_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len) < 0) {
+		if (calculate_nss_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len, KNET_LOG_ERR) < 0) {
 			return -1;
 		}
 		*buf_out_len = *buf_out_len + nsshash_len[instance->crypto_hash_type];
@@ -693,7 +717,8 @@ static int nsscrypto_authenticate_and_decrypt (
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
 	struct nsscrypto_instance *instance = crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
@@ -707,12 +732,16 @@ static int nsscrypto_authenticate_and_decrypt (
 			return -1;
 		}
 
-		if (calculate_nss_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash) < 0) {
+		if (calculate_nss_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash, log_level) < 0) {
 			return -1;
 		}
 
 		if (memcmp(tmp_hash, buf_in + temp_buf_len, nsshash_len[instance->crypto_hash_type]) != 0) {
-			log_err(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			if (log_level == KNET_LOG_DEBUG) {
+				log_debug(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			} else {
+				log_err(knet_h, KNET_SUB_NSSCRYPTO, "Digest does not match");
+			}
 			return -1;
 		}
 
@@ -721,7 +750,7 @@ static int nsscrypto_authenticate_and_decrypt (
 	}
 
 	if (cipher_to_nss[instance->crypto_cipher_type]) {
-		if (decrypt_nss(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len) < 0) {
+		if (decrypt_nss(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len, log_level) < 0) {
 			return -1;
 		}
 	} else {

libknet/crypto_openssl.c

@@ -114,7 +114,8 @@ static int decrypt_openssl (
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	ctx;
@@ -134,14 +135,22 @@ static int decrypt_openssl (
 
 	if (!EVP_DecryptUpdate(&ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(&ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
@@ -216,7 +225,8 @@ static int decrypt_openssl (
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	EVP_CIPHER_CTX	*ctx = NULL;
@@ -242,14 +252,22 @@ static int decrypt_openssl (
 
 	if (!EVP_DecryptUpdate(ctx, buf_out, &tmplen1, data, datalen)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
 
 	if (!EVP_DecryptFinal_ex(ctx, buf_out + tmplen1, &tmplen2)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to finalize decrypt: %s", sslerr);
+		}
 		err = -1;
 		goto out;
 	}
@@ -273,7 +291,8 @@ static int calculate_openssl_hash(
 	struct crypto_instance *crypto_instance,
 	const unsigned char *buf,
 	const size_t buf_len,
-	unsigned char *hash)
+	unsigned char *hash,
+	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	unsigned int hash_len = 0;
@@ -287,7 +306,11 @@ static int calculate_openssl_hash(
 
 	if ((!hash_out) || (hash_len != crypto_instance->sec_hash_size)) {
 		ERR_error_string_n(ERR_get_error(), sslerr, sizeof(sslerr));
-		log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		if (log_level == KNET_LOG_DEBUG) {
+			log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		} else {
+			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Unable to calculate hash: %s", sslerr);
+		}
 		return -1;
 	}
 
@@ -322,7 +345,7 @@ static int opensslcrypto_encrypt_and_signv (
 	}
 
 	if (instance->crypto_hash_type) {
-		if (calculate_openssl_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len) < 0) {
+		if (calculate_openssl_hash(knet_h, crypto_instance, buf_out, *buf_out_len, buf_out + *buf_out_len, KNET_LOG_ERR) < 0) {
 			return -1;
 		}
 		*buf_out_len = *buf_out_len + crypto_instance->sec_hash_size;
@@ -354,7 +377,8 @@ static int opensslcrypto_authenticate_and_decrypt (
 	const unsigned char *buf_in,
 	const ssize_t buf_in_len,
 	unsigned char *buf_out,
-	ssize_t *buf_out_len)
+	ssize_t *buf_out_len,
+	uint8_t log_level)
 {
 	struct opensslcrypto_instance *instance = crypto_instance->model_instance;
 	ssize_t temp_len = buf_in_len;
@@ -368,20 +392,24 @@ static int opensslcrypto_authenticate_and_decrypt (
 			return -1;
 		}
 
-		if (calculate_openssl_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash) < 0) {
+		if (calculate_openssl_hash(knet_h, crypto_instance, buf_in, temp_buf_len, tmp_hash, log_level) < 0) {
 			return -1;
 		}
 
 		if (memcmp(tmp_hash, buf_in + temp_buf_len, crypto_instance->sec_hash_size) != 0) {
-			log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+			if (log_level == KNET_LOG_DEBUG) {
+				log_debug(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+			} else {
+				log_err(knet_h, KNET_SUB_OPENSSLCRYPTO, "Digest does not match");
+			}
 			return -1;
 		}
 
 		temp_len = temp_len - crypto_instance->sec_hash_size;
 		*buf_out_len = temp_len;
 	}
 	if (instance->crypto_cipher_type) {
-		if (decrypt_openssl(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len) < 0) {
+		if (decrypt_openssl(knet_h, crypto_instance, buf_in, temp_len, buf_out, buf_out_len, log_level) < 0) {
 			return -1;
 		}
 	} else {