let ECDSA_verify return -1 for ASN1 parsing fail

aws · Oct 18, 2024 · 8f55a2a · 8f55a2a
1 parent 54fc7b7
commit 8f55a2a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/crypto/fipsmodule/ecdsa/ecdsa.c b/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -412,7 +412,7 @@ int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,
 int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
                  const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {
   ECDSA_SIG *s;
-  int ret = 0;
+  int ret = -1;
   uint8_t *der = NULL;
 
   // Decode the ECDSA signature.

diff --git a/include/openssl/ecdsa.h b/include/openssl/ecdsa.h
@@ -82,8 +82,8 @@ OPENSSL_EXPORT int ECDSA_sign(int type, const uint8_t *digest,
 
 // ECDSA_verify verifies that |sig_len| bytes from |sig| constitute a valid
 // signature by |key| of |digest|. (The |type| argument should be zero.) It
-// returns one on success or zero if the signature is invalid or an error
-// occurred.
+// returns one on success or zero if the signature is invalid. It returns -1
+// if any other error has occurred such as invalid ASN1 input.
 //
 // WARNING: |digest| must be the output of some hash function on the data to be
 // verified. Passing unhashed inputs will not result in a secure signature