The function EVP_PKEY_sign can explicitly return -1 or -2 in the case of
error.  Therefore, the error checking code should check whether the result
is less than or equal to 0, and not just whether it is equal to zero.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@expression@
expression list args;
@@

-   EVP_PKEY_sign(args) == 0
+   EVP_PKEY_sign(args) <= 0
    || ...

@expression@
expression list args;
@@

-   EVP_PKEY_sign(args) != 0
+   EVP_PKEY_sign(args) > 0
    || ...
// </smpl>

---

diff -u -p a/ssl/s3_clnt.c b/ssl/s3_clnt.c
--- a/ssl/s3_clnt.c 2009-06-16 19:02:56.000000000 +0200
+++ b/ssl/s3_clnt.c 2009-09-12 11:26:04.000000000 +0200
@@ -2707,7 +2707,7 @@ int ssl3_send_client_verify(SSL *s)
                s->method->ssl3_enc->cert_verify_mac(s,
                        NID_id_GostR3411_94,
                        data);
-               if (!EVP_PKEY_sign(pctx,signbuf,&sigsize,data,32)) {
+               if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
                        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
                        ERR_R_INTERNAL_ERROR);
                        goto err;
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to