Commit 3719143af6 for openssl.org

commit 3719143af63cb78551d5c68bef12be327bb73454
Author: Neil Horman <nhorman@openssl.org>
Date:   Tue Feb 24 08:36:08 2026 -0500

    Fix return values on PKCS7_dataVerfiy

    PKCS7_dataVerify returns 1 on success or 0 on failure, just like
    PKCS7_verify.

    except, if everything else goes right, it returns the value of
    PKCS7_signatureVerify, which may be -1, which seems wrong.

    Instead, check the retun of PKCS7_signatureVerify within this function
    for an error, and make PKCS7_dataVerify return 0 in the event
    signatureVerify fails.

    This brings us into line with PKCS7_verify behavior

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Norbert Pocs <norbertp@openssl.org>
    MergeDate: Sun Mar  1 14:18:14 2026
    (Merged from https://github.com/openssl/openssl/pull/30158)

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 55353e3e15..f2894fbfc9 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1029,7 +1029,9 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
         goto err;
     }

-    return PKCS7_signatureVerify(bio, p7, si, signer);
+    if (PKCS7_signatureVerify(bio, p7, si, signer) <= 0)
+        goto err;
+    ret = 1;
 err:
     return ret;
 }