CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2025/03/14 03:49:49

Modified files:
	usr.bin/ssh    : cipher.c

Log message:
Fix EVP_CIPHER_CTX_ctrl() return checks

While this API tries to translate negative return values (i.e. -1) to 0
in BoringSSL and LibreSSL, it is still possible for it to return negative
values in principle. We even incorrectly document that -1 can be returned
while Boring and OpenSSL plead the Fifth.

In OpenSSL 3 there are now code paths that explicitly return -1 and they
started shifting their return checks to <= 0 - of course they do this in
an inconsistent and sometimes incorrect manner. While these paths aren't
reachable from ssh right now, who can really tell what happens in the two
hundred lines of inscrutable bloated mess this has become.

So error check with <= 0 to ensure that we don't accidentally translate an
error to success.

ok markus schwarze
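
The failure mode the log message describes, as an added example that is not part of the commit or of OpenSSH: a tri-state return value (1, 0, -1) checked two ways. demo_ctrl() and every other name here are hypothetical stand-ins, not libcrypto calls, and the "before" check shape (treating only 0 as failure) is an assumption, since the diff is not shown on this page.

```c
#include <stdio.h>

/* Hypothetical stand-in for a tri-state control call: 1 = success,
 * 0 = failure, -1 = error. Not a libcrypto function. */
struct demo_ctx { int iv_set; };	/* 1 only after a real success */

static int
demo_ctrl(struct demo_ctx *ctx, int simulated_rv)
{
	if (simulated_rv == 1)
		ctx->iv_set = 1;
	return simulated_rv;
}

/* Assumed "before" shape: only 0 counts as failure, so -1 passes. */
int
set_iv_zero_check(struct demo_ctx *ctx, int simulated_rv)
{
	if (!demo_ctrl(ctx, simulated_rv))
		return -1;
	return 0;
}

/* Check the log message calls for: anything <= 0 is an error. */
int
set_iv_le_zero_check(struct demo_ctx *ctx, int simulated_rv)
{
	if (demo_ctrl(ctx, simulated_rv) <= 0)
		return -1;
	return 0;
}

/* 1 when the caller was told "success" although the IV was never set. */
int
error_became_success(int (*setter)(struct demo_ctx *, int), int simulated_rv)
{
	struct demo_ctx ctx = { 0 };

	return setter(&ctx, simulated_rv) == 0 && !ctx.iv_set;
}

int
main(void)
{
	printf("zero check, rv=-1: masked=%d\n", error_became_success(set_iv_zero_check, -1));
	printf("<= 0 check, rv=-1: masked=%d\n", error_became_success(set_iv_le_zero_check, -1));
	return 0;
}
```

With a simulated return of -1, the zero-only check reports success while the cipher state was never updated; the <= 0 check reports the error.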