Commit 674c23d265 for openssl.org

commit 674c23d2656ebb0203976fff8d0ab65fbf48f1b9
Author: ndossche <niels.dossche@ugent.be>
Date:   Tue Apr 21 23:15:58 2026 +0200

    Fix error check for EVP_CTRL_AEAD_GET_TAG

    "< 0" is definitely wrong as it can return 0 on error.
    Change the checks that are not of the form "== 1" or "!= 1" to "<= 0".

    Reviewed-by: Matt Caswell <matt@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Fri Apr 24 11:29:50 2026
    (Merged from https://github.com/openssl/openssl/pull/30923)

diff --git a/apps/speed.c b/apps/speed.c
index 501a36449b..aa10d32bd5 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2958,8 +2958,9 @@ int speed_main(int argc, char **argv)
                             exit(1);
                         }

-                        if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_AEAD_GET_TAG,
-                                TAG_LEN, &loopargs[k].tag)) {
+                        if (EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_AEAD_GET_TAG,
+                                TAG_LEN, &loopargs[k].tag)
+                            <= 0) {
                             BIO_puts(bio_err, "\nFailed to get the tag\n");
                             dofail();
                             exit(1);
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 15ad8e8a01..535481cdfe 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -105,7 +105,7 @@ unsigned char *PKCS12_pbe_crypt_ex(const X509_ALGOR *algor,
         if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
             if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG,
                     (int)mac_len, out + outlen)
-                < 0) {
+                <= 0) {
                 OPENSSL_free(out);
                 out = NULL;
                 ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
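Review bot: The `<= 0` fix here covers only the encrypt-side `EVP_CTRL_AEAD_GET_TAG` call, and PKCS12_pbe_crypt_ex starts and ends outside this hunk, so the other `EVP_CIPHER_CTX_ctrl` calls in the function are not visible. Any of them still written as `< 0` (for example a decrypt-side `EVP_CTRL_AEAD_SET_TAG`, if it exists in that form) would keep treating a 0 return as success and deserves the same audit, since that side handles the tag of data being read. At this call site a short comment would stop the check from drifting back, e.g. `/* 0 and negative both mean failure; otherwise the mac_len bytes at out + outlen are returned unwritten */`. The `(int)mac_len` cast is unchanged by the commit; if `mac_len` is a wider unsigned type, its bound is presumably established earlier in the function and is worth confirming.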
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9c18350157..88c1561470 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -6242,7 +6242,8 @@ static int test_evp_final_no_tag(int idx)
         goto err;

     ctext_len += len;
-    if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag)))
+    if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag),
+            0))
         goto err;
     EVP_CIPHER_CTX_free(ctx);