From: ndossche Date: Thu, 9 Feb 2023 08:49:47 +0000 (+0100) Subject: Fix incomplete error check on RSA_public_decrypt() X-Git-Tag: openssl-3.2.0-alpha1~1222 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8195e59986031f6f33e2569551d771904433fa04;p=thirdparty%2Fopenssl.git Fix incomplete error check on RSA_public_decrypt() According to the documentation and my analysis tool RSA_public_decrypt() can return -1 on error, but this is not checked. Fix it by changing the error condition. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/20250) --- diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index 7463efbc0fd..e0faf1c1ad3 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -838,7 +838,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, return 0; rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, prsactx->pad_mode); - if (rslen == 0) { + if (rslen <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; }
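Review bot: the new `if (rslen <= 0)` test in rsa_verify() only catches the -1 return if `rslen` is a signed type, and its declaration is outside this hunk. If `rslen` is declared as `size_t` or another unsigned type, the -1 from RSA_public_decrypt() converts to a very large positive value, `<= 0` behaves exactly like the old `== 0`, and the failure path is still skipped, leaving a bogus length for whatever later code compares against `rslen`. Please confirm the type. If it is unsigned, take the return value into a local `int`, test that with `<= 0`, and only then assign it to `rslen`. Separately, `siglen` is a `size_t` here while the first parameter of RSA_public_decrypt() is an `int`, so a range check on `siglen` before the call, or a comment pointing to where that bound is already enforced, would make the call easier to audit.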