On Mon, Nov 30, 2009 at 12:07:11PM +0100, Mounir IDRASSI via RT wrote:
> This is a patch against openssl-1.0.0-stable-SNAP-20091129 which
> corrects the way the error code returned by ECDSA_sign is handled in the
> function pkey_ec_sign.
A similar problem exists within pkey_dsa_sign. The error check is
'ret < 0' but DSA_sign only returns 0 or 1.
The ecdsa manpage is also slightly confusing, since it says:
...
ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1 on
error.
...
but in the example code the error is checked with:
...
if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey))
{
    /* error */
}
Greetings
--- crypto/dsa/dsa_pmeth.c.org 2009-11-30 20:10:30.705588168 +0100
+++ crypto/dsa/dsa_pmeth.c 2009-11-30 20:11:03.482318708 +0100
@@ -132,7 +132,7 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c
ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa);
- if (ret < 0)
+ if (ret <= 0)
return ret;
*siglen = sltmp;
return 1;
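Review bot: the new `if (ret <= 0) return ret;` is the right fix: DSA_sign() returns only 0 or 1, so the old `ret < 0` could never be true and a failed DSA_sign() fell through to `*siglen = sltmp; return 1;`, reporting success with an sltmp that the failed call never set. Since the only failure value is 0, `if (ret <= 0)` still suggests a negative return is possible; `if (!ret) return 0;` would state the contract more plainly, though the change as written behaves correctly. Note the hunk header announces 7 lines but only 6 are visible here, so a context line was probably lost in quoting; please apply from the original attachment rather than this copy.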
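As an added example (not OpenSSL code and not part of either message above), the following C stand-in for pkey_dsa_sign() wraps a stub DSA_sign() that, like the real one, returns only 1 or 0. It shows concretely what the wrong comparison costs: with `ret < 0` a failed signing call is reported to the caller as success together with a never-written length, while `ret <= 0` propagates the failure. The stub, the `DGST_LEN` constant, the `sign_result` struct and `run_sign()` are assumptions made for this demonstration only.

```c
/*
 * Added example, not OpenSSL code: a stand-in for pkey_dsa_sign() around a
 * stub DSA_sign() that, like the real one, returns only 1 or 0.  It shows
 * that the pre-patch check "ret < 0" never fires, so a failed signing call
 * is reported as success with a garbage signature length.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DGST_LEN 20   /* SHA-1 digest size, the usual input to DSA_sign */

/* Hypothetical stub for DSA_sign(): 1 on success, 0 on failure, never -1.
 * On failure it writes neither the signature nor *siglen, which is what a
 * caller of the real function must assume as well. */
static int stub_DSA_sign(int force_failure, const unsigned char *dgst,
                         int dlen, unsigned char *sig, unsigned int *siglen)
{
    if (force_failure)
        return 0;
    memcpy(sig, dgst, (size_t)dlen);   /* toy "signature": echo the digest */
    *siglen = (unsigned int)dlen;
    return 1;
}

struct sign_result {
    int status;      /* what pkey_dsa_sign would hand back to the EVP layer */
    size_t siglen;   /* what it would report as the signature length */
};

/* Mirrors the shape of pkey_dsa_sign(): 'patched' selects the "ret <= 0"
 * check from the diff, otherwise the original "ret < 0" check is used. */
static struct sign_result run_sign(int force_failure, int patched)
{
    unsigned char dgst[DGST_LEN];
    unsigned char sig[DGST_LEN];
    unsigned int sltmp = 0xdeadbeefu;     /* left untouched by a failed sign */
    struct sign_result r = { 0, 0 };
    int ret;

    memset(dgst, 0xab, sizeof dgst);      /* constructed digest bytes */
    ret = stub_DSA_sign(force_failure, dgst, DGST_LEN, sig, &sltmp);

    if (patched ? (ret <= 0) : (ret < 0)) {
        r.status = ret;                   /* failure propagated to the caller */
        return r;
    }
    r.siglen = sltmp;                     /* garbage if ret was 0 */
    r.status = 1;
    return r;
}

int main(void)
{
    struct sign_result buggy = run_sign(1, 0);
    struct sign_result fixed = run_sign(1, 1);

    printf("ret < 0 : status=%d siglen=%zu  (failure reported as success)\n",
           buggy.status, buggy.siglen);
    printf("ret <= 0: status=%d siglen=%zu  (failure propagated)\n",
           fixed.status, fixed.siglen);
    return 0;
}
```

The sentinel in sltmp stands in for whatever happened to be on the stack; in the unpatched path that value is what a caller would pass on as the signature length, next to a buffer DSA_sign() never filled.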