Bug#511509: tqsllib: Improper checking of the return value of EVP_VerifyFinal()
Package: tqsllib
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. In openssl_cert.cpp
there is this piece of code:
if (!EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key)) {
tQSL_Error = TQSL_OPENSSL_ERROR;
return 1;
}
But EVP_VerifyFinal can return -1 on errors too. A good way to check
the value would be something like:
if (EVP_VerifyFinal(&ctx, sig, slen, TQSL_API_TO_CERT(cert)->key) <= 0) {
I have no idea if this code is being used and what the consequences
of this might be.
Kurt
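The failure mode described in the report, as an added example (not tqsllib code and not part of the original message): EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and -1 on error, so `if (!EVP_VerifyFinal(...))` rejects only the 0 case and lets an error return through as a valid signature. To keep the example free of a libcrypto dependency, `fake_verify_final()` is a constructed stand-in with the same three-way contract; `buggy_check_accepts()`, `fixed_check_accepts()`, the scenario names and the signature bytes are all assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example for Debian bug #511509; this is not tqsllib code.
 * OpenSSL's EVP_VerifyFinal() returns 1 when the signature verifies,
 * 0 when it does not, and a negative value (-1) on error, for instance
 * when the signature buffer is malformed for the key.  To keep this
 * file free of a libcrypto dependency, fake_verify_final() below is a
 * constructed stand-in that follows the same three-way contract.
 */

#define GOOD_SIG_LEN 64

/* Constructed "correct" signature: byte i is (i * 7 + 3) mod 256. */
static unsigned char good_byte(size_t i)
{
    return (unsigned char)(i * 7 + 3);
}

/* Stand-in for EVP_VerifyFinal(): 1 = verifies, 0 = does not, -1 = error. */
static int fake_verify_final(const unsigned char *sig, size_t slen)
{
    size_t i;

    if (sig == NULL || slen != GOOD_SIG_LEN)
        return -1;                      /* error path: malformed input */
    for (i = 0; i < slen; i++)
        if (sig[i] != good_byte(i))
            return 0;                   /* signature does not verify */
    return 1;                           /* signature verifies */
}

/* The check as written in openssl_cert.cpp: only a 0 return is rejected,
 * so an error return of -1 falls through and counts as a valid signature. */
int buggy_check_accepts(const unsigned char *sig, size_t slen)
{
    if (!fake_verify_final(sig, slen))
        return 0;                       /* rejected */
    return 1;                           /* accepted (also for -1!) */
}

/* The check suggested in the report: 0 and every negative value are rejected. */
int fixed_check_accepts(const unsigned char *sig, size_t slen)
{
    if (fake_verify_final(sig, slen) <= 0)
        return 0;
    return 1;
}

enum scenario { SIG_VALID, SIG_TAMPERED, SIG_TRUNCATED };

/* Build one of three constructed signature buffers; returns its length. */
static size_t build_sig(enum scenario s, unsigned char *buf)
{
    size_t i;

    for (i = 0; i < GOOD_SIG_LEN; i++)
        buf[i] = good_byte(i);
    switch (s) {
    case SIG_TAMPERED:
        buf[5] ^= 0x01;                 /* one flipped bit: verify returns 0 */
        return GOOD_SIG_LEN;
    case SIG_TRUNCATED:
        return 10;                      /* wrong length: verify returns -1 */
    default:
        return GOOD_SIG_LEN;
    }
}

/* 1 if the chosen check accepts the scenario's signature, 0 if it rejects it. */
int accepted(enum scenario s, int use_fixed_check)
{
    unsigned char buf[GOOD_SIG_LEN];
    size_t slen = build_sig(s, buf);

    return use_fixed_check ? fixed_check_accepts(buf, slen)
                           : buggy_check_accepts(buf, slen);
}

int main(void)
{
    static const char *names[] = { "valid", "tampered", "truncated" };
    int s;

    printf("%-10s %-6s %-6s\n", "signature", "buggy", "fixed");
    for (s = SIG_VALID; s <= SIG_TRUNCATED; s++)
        printf("%-10s %-6s %-6s\n", names[s],
               accepted((enum scenario)s, 0) ? "accept" : "reject",
               accepted((enum scenario)s, 1) ? "accept" : "reject");
    return 0;
}
```

The truncated row is the one that matters: the buggy form accepts a signature that the verifier never actually checked, while the `<= 0` form rejects it. The strictest spelling is `!= 1`, which also rejects any unexpected positive value; in real code a -1 from EVP_VerifyFinal() usually leaves details on the OpenSSL error queue (ERR_get_error()), which is worth logging before returning TQSL_OPENSSL_ERROR.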