From 5ada7b03da0ca05505ab58d57713c00e66a60cc5 Mon Sep 17 00:00:00 2001
From: Jan Vcelak <jan.vcelak@nic.cz>
Date: Fri, 6 Sep 2013 15:38:16 +0200
Subject: [PATCH] DNSSEC: improve error codes for signature verification

- do not propagate OpenSSL errors as invalid signature

refs #4
---
 src/libknot/dnssec/sign.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/libknot/dnssec/sign.c b/src/libknot/dnssec/sign.c
index f8d0a56f6..323e29448 100644
--- a/src/libknot/dnssec/sign.c
+++ b/src/libknot/dnssec/sign.c
@@ -154,6 +154,7 @@ static int any_sign_write(const knot_dnssec_sign_context_t *context,
  * \return Error code.
  * \retval KNOT_EOK                        The signature is valid.
  * \retval KNOT_DNSSEC_EINVALID_SIGNATURE  The signature is invalid.
+ * \retval KNOT_DNSSEC_ESIGN               Some error occured.
  */
 static int any_sign_verify(const knot_dnssec_sign_context_t *context,
                             const uint8_t *signature, size_t signature_size)
@@ -165,7 +166,14 @@ static int any_sign_verify(const knot_dnssec_sign_context_t *context,
 	                             signature, signature_size,
 	                             context->key->data->private_key);
 
-	return result == 1 ? KNOT_EOK : KNOT_DNSSEC_EINVALID_SIGNATURE;
+	switch (result) {
+	case 1:
+		return KNOT_EOK;
+	case 0:
+		return KNOT_DNSSEC_EINVALID_SIGNATURE;
+	default:
+		return KNOT_DNSSEC_ESIGN;
+	};
 }
 
 /*- RSA specific -------------------------------------------------------------*/
-- 
GitLab