From: Aydın Mercan <aydin@isc.org>
Date: Wed, 14 Jan 2026 14:40:24 +0000 (+0300)
Subject: don't transform errors in hmac_sign
X-Git-Tag: v9.21.18~2^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ecb677658f541bac51cd3a70a2166bdd1f853e46;p=thirdparty%2Fbind9.git

don't transform errors in hmac_sign

The change from DST_R_OPENSSLFAILURE to ISC_R_CRYPTOFAILURE seems to be
benign. Furthermore it should a bug to rely on the exacts crypto failure
code.
---

diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index aa3d5d7141d..41913095f23 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -199,18 +199,10 @@ hmac_adddata(const dst_context_t *dctx, const isc_region_t *data) {
 static isc_result_t
 hmac_sign(const dst_context_t *dctx, isc_buffer_t *sig) {
 	isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx;
-	isc_result_t r;
 
 	REQUIRE(ctx != NULL);
 
-	r = isc_hmac_final(ctx, sig);
-
-	/* Turn CRYPTOFAILURE into OPENSSLFAILURE */
-	if (r == ISC_R_CRYPTOFAILURE) {
-		r = DST_R_OPENSSLFAILURE;
-	}
-
-	return r;
+	return isc_hmac_final(ctx, sig);
 }
 
 static isc_result_t