Hello,

While going through the fix for CVE-2008-5077, I noticed the RSA_sign() man page (which also documents RSA_verify()) is not accurate. The man page says:

    RSA_verify() returns 1 on successful verification, 0 otherwise.

However, this is not true, since the function can also return other values (and the rest of the code contains checks for negative values, such as s3_clnt.c, s3_srvr.c or speed.c). It seems that the function can return negative values only when an engine is configured:

    if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
        {
        return rsa->meth->rsa_verify(dtype, m, m_len,
            sigbuf, siglen, rsa);
        }

v.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
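The hazard the post points at is a tri-state return value (1, 0, negative) being tested as if it were a boolean, so that an engine error is mistaken for a valid signature. The C below is an added example, not code from the post or from OpenSSL: it contrasts the boolean-style predicate with a strict one, and shows a wrapper that normalises the result so callers only ever see yes/no. `failing_engine_verify` and the `verify_fn` signature are constructed stand-ins for the engine's `rsa_verify` callback so the file builds without linking OpenSSL.

```c
#include <stdio.h>

/* Return codes as RSA_verify() actually uses them (per the post): 1 means the
 * signature verified, 0 means it did not, and a negative value is an error
 * coming from the engine path (rsa->meth->rsa_verify). */
enum verify_result { VERIFY_OK = 1, VERIFY_BAD_SIG = 0, VERIFY_ERROR = -1 };

/* Predicate found in callers that treat the result as a boolean:
 * any non-zero value, including the negative error code, counts as success. */
int accept_boolean_style(int rc)
{
    return rc != 0;
}

/* Predicate that follows the real contract: only 1 is success. */
int accept_strict(int rc)
{
    return rc == 1;
}

/* Constructed signature standing in for RSA_verify(); the real function also
 * takes the digest type and the RSA key, omitted here for brevity. */
typedef int (*verify_fn)(const unsigned char *msg, unsigned int msg_len,
                         const unsigned char *sig, unsigned int sig_len);

/* Wrapper that collapses the tri-state result to a plain yes/no and reports
 * the error case instead of silently accepting it. */
int verify_signature_checked(verify_fn verify, const unsigned char *msg,
                             unsigned int msg_len, const unsigned char *sig,
                             unsigned int sig_len)
{
    int rc = verify(msg, msg_len, sig, sig_len);
    if (rc == VERIFY_OK)
        return 1;
    if (rc < 0)
        fprintf(stderr, "verify: internal error (rc=%d), treating as failure\n", rc);
    return 0;
}

/* Constructed stand-in for an engine's rsa_verify callback that fails with
 * an error code instead of returning a clean 0. */
static int failing_engine_verify(const unsigned char *msg, unsigned int msg_len,
                                 const unsigned char *sig, unsigned int sig_len)
{
    (void)msg; (void)msg_len; (void)sig; (void)sig_len;
    return VERIFY_ERROR;
}

/* Returns 1 if the boolean-style check would have accepted the engine error
 * as a verified signature. */
int boolean_check_accepts_engine_error(void)
{
    int rc = failing_engine_verify((const unsigned char *)"m", 1,
                                   (const unsigned char *)"s", 1);
    return accept_boolean_style(rc);
}

int main(void)
{
    const unsigned char msg[] = "constructed message";
    const unsigned char sig[] = "constructed signature";
    int rc = failing_engine_verify(msg, sizeof msg - 1, sig, sizeof sig - 1);

    printf("raw rc=%d boolean-style=%d strict=%d wrapper=%d\n", rc,
           accept_boolean_style(rc), accept_strict(rc),
           verify_signature_checked(failing_engine_verify, msg, sizeof msg - 1,
                                    sig, sizeof sig - 1));
    return 0;
}
```

For the error case the boolean-style predicate reports 1 while the strict predicate and the wrapper both report 0; reviewing callers for `if (!RSA_verify(...))` or `if (rc)` patterns is the quick way to find the inaccurate-man-page assumption in a code base.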