From: Daniel Salzman
Date: Wed, 22 Oct 2025 05:57:40 +0000 (+0200)
Subject: Replace DNSSEC_INVALID_SIGNATURE with KNOT_INVALID_SIGNATURE
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=180c98e6af1fb1cb30c22b8271c953385c818e0f;p=thirdparty%2Fknot-dns.git
Replace DNSSEC_INVALID_SIGNATURE with KNOT_INVALID_SIGNATURE
---
diff --git a/src/knot/dnssec/rrset-sign.c b/src/knot/dnssec/rrset-sign.c
index ff5a24c422..5173e36690 100644
--- a/src/knot/dnssec/rrset-sign.c
+++ b/src/knot/dnssec/rrset-sign.c
@@ -380,7 +380,7 @@ int knot_check_signature(const knot_rrset_t *covered,
 if (!(dnssec_ctx->policy->unsafe & UNSAFE_EXPIRED) && is_expired_signature(rrsig, dnssec_ctx->now, refresh)) {
- return DNSSEC_INVALID_SIGNATURE;
+ return KNOT_INVALID_SIGNATURE;
 }
 if (skip_crypto) {
diff --git a/src/knot/dnssec/rrset-sign.h b/src/knot/dnssec/rrset-sign.h
index 4d346a83af..b7ebb83209 100644
--- a/src/knot/dnssec/rrset-sign.h
+++ b/src/knot/dnssec/rrset-sign.h
@@ -99,7 +99,7 @@ bool knot_synth_rrsig_exists(uint16_t type, const knot_rdataset_t *rrsig_rrs);
 * \param skip_crypto All RRSIGs in this node have been verified, just check validity.
 *
 * \return Error code, KNOT_EOK if successful and the signature is valid.
- * \retval KNOT_DNSSEC_EINVALID_SIGNATURE The signature is invalid.
+ * \retval KNOT_INVALID_SIGNATURE The signature is invalid.
 */
 int knot_check_signature(const knot_rrset_t *covered, const knot_rrset_t *rrsigs, size_t pos,
diff --git a/src/libknot/dnssec/error.c b/src/libknot/dnssec/error.c
index 8de47d8a55..c678584bd4 100644
--- a/src/libknot/dnssec/error.c
+++ b/src/libknot/dnssec/error.c
@@ -43,7 +43,7 @@ static const error_message_t ERROR_MESSAGES[] = {
 { KNOT_ECRYPTO, "signing initialization error" },
 { KNOT_ECRYPTO, "signing error" },
- { DNSSEC_INVALID_SIGNATURE, "invalid signature" },
+ { KNOT_INVALID_SIGNATURE, "invalid signature" },
 { DNSSEC_INVALID_NSEC3_ALGORITHM, "invalid NSEC3 algorithm" },
 { KNOT_ECRYPTO, "NSEC3 hashing error" },
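Review bot: In src/knot/dnssec/rrset-sign.h the updated `\retval KNOT_INVALID_SIGNATURE The signature is invalid.` line does not mention expiry, yet the rrset-sign.c hunk of this commit returns the same code when `is_expired_signature()` is true and `UNSAFE_EXPIRED` is not set in the policy. A caller or operator reading the header cannot tell that one code covers both an out-of-date RRSIG and whatever other validation failures the function reports, nor that the expiry check depends on policy. I would word it as `\retval KNOT_INVALID_SIGNATURE The signature is invalid or expired (expiry is not checked when UNSAFE_EXPIRED is set).` The doc comment and the declaration both continue outside the hunk.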
diff --git a/src/libknot/dnssec/error.h b/src/libknot/dnssec/error.h
index b47b40564d..768935eee7 100644
--- a/src/libknot/dnssec/error.h
+++ b/src/libknot/dnssec/error.h
@@ -55,7 +55,7 @@ enum dnssec_error {
 KNOT_ECRYPTO,
 KNOT_ECRYPTO,
- DNSSEC_INVALID_SIGNATURE,
+ KNOT_INVALID_SIGNATURE,
 KNOT_EALGORITHM,
 KNOT_ECRYPTO,
diff --git a/src/libknot/dnssec/sign.h b/src/libknot/dnssec/sign.h
index f1f4f001b4..0654dc465b 100644
--- a/src/libknot/dnssec/sign.h
+++ b/src/libknot/dnssec/sign.h
@@ -95,7 +95,7 @@ int dnssec_sign_write(dnssec_sign_ctx_t *ctx, dnssec_sign_flags_t flags,
 *
 * \return Error code.
 * \retval KNOT_EOK Validation successful, valid signature.
- * \retval DNSSEC_INVALID_SIGNATURE Validation successful, invalid signature.
+ * \retval KNOT_INVALID_SIGNATURE Validation successful, invalid signature.
 */
 int dnssec_sign_verify(dnssec_sign_ctx_t *ctx, bool sign_cmp, const dnssec_binary_t *signature);
diff --git a/src/libknot/dnssec/sign/sign.c b/src/libknot/dnssec/sign/sign.c
index aca96c5524..b8ffb2939f 100644
--- a/src/libknot/dnssec/sign/sign.c
+++ b/src/libknot/dnssec/sign/sign.c
@@ -148,7 +148,7 @@ static int ecdsa_dnssec_to_x509(dnssec_sign_ctx_t *ctx,
 size_t int_size = ecdsa_sign_integer_size(ctx);
 if (dnssec->size != 2 * int_size) {
- return DNSSEC_INVALID_SIGNATURE;
+ return KNOT_INVALID_SIGNATURE;
 }
 const dnssec_binary_t value_r = { .size = int_size, .data = dnssec->data };
@@ -345,7 +345,7 @@ int dnssec_sign_verify(dnssec_sign_ctx_t *ctx, bool sign_cmp, const dnssec_binar
 int ret = dnssec_sign_write(ctx, DNSSEC_SIGN_REPRODUCIBLE, &sign);
 if (ret == KNOT_EOK) {
 ret = dnssec_binary_cmp(&sign, signature)
- ? DNSSEC_INVALID_SIGNATURE
+ ? KNOT_INVALID_SIGNATURE
 : KNOT_EOK;
 }
 dnssec_binary_free(&sign);
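Review bot: In src/libknot/dnssec/error.h the rename leaves `KNOT_INVALID_SIGNATURE` as an enumerator of `enum dnssec_error`, while the src/libknot/errcode.h hunk of this commit adds the same name to `enum knot_error`. Enumerators share file scope in C, so the two definitions cannot coexist in one translation unit, and if they are only ever seen separately they would normally get different numeric values, which is the wrong property for the code that reports a failed signature check. The context lines already repeat `KNOT_ECRYPTO` inside this enum, so this header presumably is no longer compiled at this point in the series; if that is the case, deleting the enumerator here (and the matching `ERROR_MESSAGES` row in src/libknot/dnssec/error.c) instead of renaming it would leave a single definition. The enum starts and ends outside the hunk.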
@@ -374,7 +374,7 @@ int dnssec_sign_verify(dnssec_sign_ctx_t *ctx, bool sign_cmp, const dnssec_binar
 ctx->sign_algorithm, 0, &data, &raw);
 if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) {
- return DNSSEC_INVALID_SIGNATURE;
+ return KNOT_INVALID_SIGNATURE;
 } else if (result < 0) {
 return KNOT_ERROR;
 }
diff --git a/src/libknot/errcode.h b/src/libknot/errcode.h
index 30496d4f1a..546f906a3b 100644
--- a/src/libknot/errcode.h
+++ b/src/libknot/errcode.h
@@ -161,6 +161,7 @@ enum knot_error {
 KNOT_INVALID_KEY_SIZE,
 KNOT_INVALID_KEY_ID,
 KNOT_INVALID_KEY_NAME,
+ KNOT_INVALID_SIGNATURE,
 KNOT_NO_PUBLIC_KEY,
 KNOT_NO_PRIVATE_KEY,
 KNOT_NO_READY_KEY,
diff --git a/src/libknot/error.c b/src/libknot/error.c
index d1b17cb4a0..ec71814960 100644
--- a/src/libknot/error.c
+++ b/src/libknot/error.c
@@ -160,6 +160,7 @@ static const struct error errors[] = {
 { KNOT_INVALID_KEY_SIZE, "invalid key size" },
 { KNOT_INVALID_KEY_ID, "invalid key ID" },
 { KNOT_INVALID_KEY_NAME, "invalid key name" },
+ { KNOT_INVALID_SIGNATURE, "invalid signature" },
 { KNOT_NO_PUBLIC_KEY, "no public key" },
 { KNOT_NO_PRIVATE_KEY, "no private key" },
 { KNOT_NO_READY_KEY, "no key ready for submission" },
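Review bot: In src/libknot/errcode.h `KNOT_INVALID_SIGNATURE,` is inserted between `KNOT_INVALID_KEY_NAME` and `KNOT_NO_PUBLIC_KEY`, and no visible entry carries an explicit value, so `KNOT_NO_PUBLIC_KEY` and every later code presumably move by one. Anything built against the previous header, or any place where the raw number is stored or sent rather than the name, would then read a different error than the one returned, including for signature-verification results. If the values are expected to stay stable between releases, append the new code at the end of its block or ship it together with a library version bump; otherwise a comment on the enum along the lines of `/* Numeric values may change between releases; compare by name. */` would record that. The enum starts and ends outside the hunk.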