Skip to content

Fix EVP_PKEY_sign_init() return value check on OpenSSL 3.x#203

Draft
toddr-bot wants to merge 1 commit into
cpan-authors:mainfrom
toddr-bot:koan.toddr.bot/fix-sign-init-return-check
Draft

Fix EVP_PKEY_sign_init() return value check on OpenSSL 3.x#203
toddr-bot wants to merge 1 commit into
cpan-authors:mainfrom
toddr-bot:koan.toddr.bot/fix-sign-init-return-check

Conversation

@toddr-bot

@toddr-bot toddr-bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Fix bare truthiness check on EVP_PKEY_sign_init() return value in the sign() function.

Why

EVP_PKEY_sign_init() returns 1 on success, 0 on error, and -2 if the operation is unsupported for the key type. The bare THROW(EVP_PKEY_sign_init(ctx)) only catches 0 — a -2 return (truthy) would be silently accepted as success, leaving the signing context uninitialized for subsequent calls.

Every other _init() call in RSA.xs already checks == 1 or > 0:

  • EVP_PKEY_keygen_init(ctx) == 1 (line 881)
  • EVP_PKEY_fromdata_init(pctx) > 0 (line 930)
  • init_crypt(ctx) == 1 (line 509)
  • EVP_PKEY_verify_init(ctx) == 1 (line 1518)

How

Changed THROW(EVP_PKEY_sign_init(ctx)) to THROW(EVP_PKEY_sign_init(ctx) == 1).

Testing

Full test suite passes on OpenSSL 3.5.5. The fix aligns with the existing pattern used by verify_init on line 1518.


Quality Report

Changes: 1 file changed, 1 insertion(+), 1 deletion(-)

Code scan: clean

Tests: passed (OK)

Branch hygiene: clean

Generated by Kōan

EVP_PKEY_sign_init() returns 1 on success, 0 on error, and -2 if the
operation is unsupported.  The bare THROW(EVP_PKEY_sign_init(ctx))
only caught 0, treating -2 (truthy) as success.  Every other _init()
call in RSA.xs already uses == 1 or > 0; this aligns sign_init with
that pattern.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant