MINOR: jwt: jwt_verify returns negative values in case of error

In order for all the error return values to be distributed on the same
side (instead of surrounding the success error code), the return values
for errors other than a simple verification failure are switched to
negative values. This way the result of the jwt_verify converter can be
compared strictly to 1 as well relative to 0 (any <= 0 return value is
an error).
The documentation was also modified to discourage conversion of the
return value into a boolean (which would definitely not work).

doc/configuration.txt

@@ -16576,8 +16576,10 @@ jwt_verify(<alg>,<key>)
   Performs a signature verification for the JSON Web Token (JWT) given in input
   by using the <alg> algorithm and the <key> parameter, which should either
   hold a secret or a path to a public certificate. Returns 1 in case of
-  verification success. See below for a full list of the possible return
-  values.
+  verification success, 0 in case of verification error and a strictly negative
+  value for any other error. Because of all those non-null error return values,
+  the result of this converter should never be converted to a boolean. See
+  below for a full list of the possible return values.
 
   For now, only JWS tokens using the Compact Serialization format can be
   processed (three dot-separated base64-url encoded strings). Among the
@@ -16604,13 +16606,13 @@ jwt_verify(<alg>,<key>)
   +----+----------------------------------------------------------------------+
   | ID | message                                                              |
   +----+----------------------------------------------------------------------+
-  | 0  | "Verification failure"                                               |
-  | 1  | "Verification sucess"                                                |
-  | 2  | "Unknown algorithm (not mentioned in RFC7518)"                       |
-  | 3  | "Unmanaged algorithm (PSXXX algorithm family)"                       |
-  | 4  | "Invalid token"                                                      |
-  | 5  | "Out of memory"                                                      |
-  | 6  | "Unknown certificate"                                                |
+  |  0 | "Verification failure"                                               |
+  |  1 | "Verification sucess"                                                |
+  | -1 | "Unknown algorithm (not mentioned in RFC7518)"                       |
+  | -2 | "Unmanaged algorithm (PSXXX algorithm family)"                       |
+  | -3 | "Invalid token"                                                      |
+  | -4 | "Out of memory"                                                      |
+  | -5 | "Unknown certificate"                                                |
   +----+----------------------------------------------------------------------+
 
   Please note that this converter is only available when HAProxy has been

include/haproxy/jwt-t.h

@@ -72,11 +72,12 @@ struct jwt_cert_tree_entry {
 enum jwt_vrfy_status {
 	JWT_VRFY_KO = 0,
 	JWT_VRFY_OK = 1,
-	JWT_VRFY_UNKNOWN_ALG,
-	JWT_VRFY_UNMANAGED_ALG,
-	JWT_VRFY_INVALID_TOKEN,
-	JWT_VRFY_OUT_OF_MEMORY,
-	JWT_VRFY_UNKNOWN_CERT
+
+	JWT_VRFY_UNKNOWN_ALG   = -1,
+	JWT_VRFY_UNMANAGED_ALG = -2,
+	JWT_VRFY_INVALID_TOKEN = -3,
+	JWT_VRFY_OUT_OF_MEMORY = -4,
+	JWT_VRFY_UNKNOWN_CERT  = -5
 };
 
 #endif /* USE_OPENSSL */

reg-tests/jwt/jws_verify.vtc

@@ -152,7 +152,7 @@ client c4 -connect ${h1_mainfe_sock} {
     rxresp
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "HS512"
-    expect resp.http.x-jwt-verify-HS512 == "4"
+    expect resp.http.x-jwt-verify-HS512 == "-3"
 } -run
 
 
@@ -269,7 +269,7 @@ client c13 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "PS512"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "3"
+    expect resp.http.x-jwt-verify == "-2"
 } -run
 
 # Unknown algorithm
@@ -281,7 +281,7 @@ client c14 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "UNKNOWN_ALG"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "2"
+    expect resp.http.x-jwt-verify == "-1"
 } -run
 
 # Invalid token (not enough fields)
@@ -293,7 +293,7 @@ client c15 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "ES512"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "4"
+    expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Invalid token (too many fields)
@@ -305,7 +305,7 @@ client c16 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "ES512"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "4"
+    expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Invalid token (empty signature)
@@ -317,7 +317,7 @@ client c17 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "ES512"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "4"
+    expect resp.http.x-jwt-verify == "-3"
 } -run
 
 # Unknown certificate
@@ -332,5 +332,5 @@ client c18 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "ES512"
     # Unmanaged algorithm
-    expect resp.http.x-jwt-verify == "6"
+    expect resp.http.x-jwt-verify == "-5"
 } -run