The function EVP_PKEY_sign can explicitly return -1 or -2 in the case of error. Therefore, the error checking code should check whether the result is less than or equal to 0, and not just whether it is equal to zero.
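To make the misclassification concrete, here is an added example (not part of this post or of OpenSSL) that models the EVP_PKEY_sign return contract with a constructed stand-in signer and runs both the pre-patch `!` test and the post-patch `<= 0` test over each possible return value:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the EVP_PKEY_sign contract (this is NOT OpenSSL):
 * 1 = success, 0 or a negative value = failure, -2 = operation not supported. */
typedef int (*sign_fn)(void *ctx, unsigned char *sig, size_t *siglen,
                       const unsigned char *tbs, size_t tbslen);

/* Fake signer: the "context" is simply the return code it should produce. */
static int fake_sign(void *ctx, unsigned char *sig, size_t *siglen,
                     const unsigned char *tbs, size_t tbslen)
{
    int rc = *(const int *)ctx;
    (void)sig; (void)tbs; (void)tbslen;
    if (rc == 1 && *siglen >= 32)
        *siglen = 32;               /* pretend a 32-byte signature was written */
    return rc;
}

/* Pre-patch check: `!rc` only catches 0, so -1 and -2 fall through as success. */
static int old_check_takes_error_path(sign_fn f, void *ctx)
{
    unsigned char sig[64], data[32] = {0};
    size_t siglen = sizeof sig;     /* in: buffer size, out: bytes written */
    if (!f(ctx, sig, &siglen, data, sizeof data))
        return 1;                   /* error path taken */
    return 0;                       /* treated as a valid signature */
}

/* Post-patch check: every value <= 0 is routed to the error path. */
static int new_check_takes_error_path(sign_fn f, void *ctx)
{
    unsigned char sig[64], data[32] = {0};
    size_t siglen = sizeof sig;
    if (f(ctx, sig, &siglen, data, sizeof data) <= 0)
        return 1;
    return 0;
}

int main(void)
{
    int codes[] = { 1, 0, -1, -2 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("rc=%2d  old check errors: %d  new check errors: %d\n", codes[i],
               old_check_takes_error_path(fake_sign, &codes[i]),
               new_check_takes_error_path(fake_sign, &codes[i]));
    return 0;
}
```

Running it shows the old test reporting an error only for rc=0, while the new test reports one for 0, -1 and -2.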
The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/)

// <smpl>
@expression@
expression list args;
@@

- EVP_PKEY_sign(args) == 0
+ EVP_PKEY_sign(args) <= 0
|| ...

@expression@
expression list args;
@@

- EVP_PKEY_sign(args) != 0
+ EVP_PKEY_sign(args) > 0
|| ...
// </smpl>

---

diff -u -p a/ssl/s3_clnt.c b/ssl/s3_clnt.c --- a/ssl/s3_clnt.c 2009-06-16 19:02:56.000000000 +0200 +++ b/ssl/s3_clnt.c 2009-09-12 11:26:04.000000000 +0200 @@ -2707,7 +2707,7 @@ int ssl3_send_client_verify(SSL *s) s->method->ssl3_enc->cert_verify_mac(s, NID_id_GostR3411_94, data); - if (!EVP_PKEY_sign(pctx,signbuf,&sigsize,data,32)) { + if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err;

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
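Review bot: The `+` line in the s3_clnt.c hunk bundles a whitespace change into a one-line correctness fix: the argument list is re-spaced from `pctx,signbuf,&sigsize,data,32` to `pctx, signbuf, &sigsize, data, 32`, so the diff shows more than the semantic change; keeping the file's existing spacing and changing only `!EVP_PKEY_sign(...)` to `EVP_PKEY_sign(...) <= 0` would leave the review focused on the condition. The condition change itself is right: `!` only fired on a 0 return, so a -1 or -2 (failure, or signing not supported for the key type) continued past the check as though signbuf held a valid signature, whereas `<= 0` routes all of them to the SSLerr/goto err path. Only the `== 0`/`!` rule of the semantic patch matched in this file; no `!= 0` site appears in the hunk.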