Fix another EVP_DigestVerify() instance
authorMatt Caswell <matt@openssl.org>
Fri, 23 Jun 2017 10:40:47 +0000 (11:40 +0100)
committerMatt Caswell <matt@openssl.org>
Fri, 23 Jun 2017 16:23:52 +0000 (17:23 +0100)
Following on from the previous commit this fixes another instance where
we need to treat a -ve return from EVP_DigestVerify() as a bad signature.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3756)

ssl/statem/statem_lib.c

index 63d8953164cdddc9fe09a693bc8be8085ae8cb2a..5cd17f28361825c72f23cb25e67e0b63c17f0338 100644 (file)
@@ -459,10 +459,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
         }
     } else {
         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
-        if (j < 0) {
-            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
-            goto f_err;
-        } else if (j == 0) {
+        if (j <= 0) {
             al = SSL_AD_DECRYPT_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
             goto f_err;