In OpenSSL 3, ASN1_item_verify*() can return 2 on error.
botovq opened this issue · comments
Introduced in #10942 as part of extracting ASN1_item_verify_ctx() from ASN1_item_verify() when a ret = -1; was deleted after the goto err here:
openssl/crypto/asn1/a_verify.c
Lines 143 to 154 in 5bbdbce
If item_verify() returns 2 (which it usually will for RSA-PSS for example) the control flow would skip here and return 2 if ASN1_item_i2d() errors:
openssl/crypto/asn1/a_verify.c
Lines 202 to 210 in 5bbdbce
Fix in #24576
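
The control flow described in this issue, reduced to a small model (an added example, not OpenSSL source and not code from the issue or the linked pull requests). All function names are hypothetical, and the meaning of a hook result of 2 ("continue with the generic verification path") is an assumption; the model compares the flow without the ret = -1; reset against the flow with it, and shows why a caller should treat only 1 as success.

```c
/* Simplified model of the control flow in the issue; NOT OpenSSL source.
 * All function names are hypothetical. Assumption: a hook result of 2 means
 * "continue with the generic verification path". */
#include <stdio.h>

/* Stand-in for the encoding step: <= 0 signals failure. */
static int encode_item(int fail) { return fail ? -1 : 16; }

/* Leaky pattern: nothing resets ret after the hook returned 2. */
int verify_leaky(int hook_ret, int encode_fails, int sig_ok)
{
    int ret = hook_ret;             /* result of the method-specific hook */

    if (ret != 2)
        goto err;                   /* hook handled everything, or failed */
    if (encode_item(encode_fails) <= 0)
        goto err;                   /* ret is still 2 on this error path */
    ret = sig_ok ? 1 : 0;           /* generic signature check */
 err:
    return ret;
}

/* Same flow with ret reset to -1 once the hook asked to continue. */
int verify_reset(int hook_ret, int encode_fails, int sig_ok)
{
    int ret = hook_ret;

    if (ret != 2)
        goto err;
    ret = -1;                       /* any later goto err now reports -1 */
    if (encode_item(encode_fails) <= 0)
        goto err;
    ret = sig_ok ? 1 : 0;
 err:
    return ret;
}

/* Hypothetical caller checks: only the strict one rejects a stray 2. */
int accept_loose(int ret)  { return ret > 0; }
int accept_strict(int ret) { return ret == 1; }

int main(void)
{
    printf("leaky=%d reset=%d\n", verify_leaky(2, 1, 0), verify_reset(2, 1, 0));
    printf("loose(2)=%d strict(2)=%d\n", accept_loose(2), accept_strict(2));
    return 0;
}
```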