From d12bf2bdff8d616b7e59fc480c7e610003b494df Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 9 Dec 2015 17:40:32 +0100 Subject: [PATCH] resolved: fix libgcrypt error checking libgcrypt encodes the error source in the error code, we need to mask that away before comparing error codes. --- src/resolve/resolved-dns-dnssec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 2d06775dca..1f2977fba1 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -40,7 +40,7 @@ * - Make trust anchor store read additional DS+DNSKEY data from disk * - wildcard zones compatibility * - multi-label zone compatibility - * - DMSSEC cname/dname compatibility + * - DNSSEC cname/dname compatibility * - per-interface DNSSEC setting * - DSA support * - EC support? @@ -193,11 +193,12 @@ static int dnssec_rsa_verify( } ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp); - if (ge == GPG_ERR_BAD_SIGNATURE) + if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE) r = 0; - else if (ge != 0) + else if (ge != 0) { + log_debug("RSA signature check failed: %s", gpg_strerror(ge)); r = -EIO; - else + } else r = 1; finish: