The function EVP_DigestVerifyFinal can return a negative integer in an error case, so the result should be tested with <= 0.
The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @match@ expression x, E; position p1,p2,p3; constant C; @@ ( break; // parsing problem, show that this is a statement disjunction | (x = EVP_DigestVerifyFinal(...)) <= \(0\|-C\) | (x = EVP_DigestVerifyFinal(...)) < \(0\|-C\) | (x = EVP_DigestVerifyFinal(...)) > 0 | (x = EVP_DigestVerifyFinal(...)) == -C | x...@p1 = EVP_DigestVerifyFinal(...) <... when != x <= \(0\|-C\) when != x < \(0\|-C\) when != x > 0 when != x == -C ( (x...@p3 != 0 || ...) // ensure it is a test expression | x...@p3 == 0 ) ...> ( return ...; | x...@p2++ | x...@p2-- | x...@p2 += E | x...@p2 -= E | x...@p2 = E ) ) @script:python@ p1 << match.p1; p3 << match.p3; @@ cocci.print_main("EVP_DigestVerifyFinal",p1) cocci.print_secs("test",p3) cocci.include_match(False) // </smpl> --- diff -u -p a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c --- a/crypto/cms/cms_sd.c 2008-04-06 18:29:47.000000000 +0200 +++ b/crypto/cms/cms_sd.c 2009-09-22 15:54:37.000000000 +0200 @@ -799,7 +799,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo } r = EVP_DigestVerifyFinal(&mctx, si->signature->data, si->signature->length); - if (!r) + if (r <= 0) CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); err: EVP_MD_CTX_cleanup(&mctx); ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
