Commit 674c23d265 for openssl.org
commit 674c23d2656ebb0203976fff8d0ab65fbf48f1b9
Author: ndossche <niels.dossche@ugent.be>
Date: Tue Apr 21 23:15:58 2026 +0200
Fix error check for EVP_CTRL_AEAD_GET_TAG
"< 0" is definitely wrong as it can return 0 on error.
Change the checks that are not of the form "== 1" or "!= 1" to "<= 0".
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr 24 11:29:50 2026
(Merged from https://github.com/openssl/openssl/pull/30923)
diff --git a/apps/speed.c b/apps/speed.c
index 501a36449b..aa10d32bd5 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2958,8 +2958,9 @@ int speed_main(int argc, char **argv)
exit(1);
}
- if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_AEAD_GET_TAG,
- TAG_LEN, &loopargs[k].tag)) {
+ if (EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_AEAD_GET_TAG,
+ TAG_LEN, &loopargs[k].tag)
+ <= 0) {
BIO_puts(bio_err, "\nFailed to get the tag\n");
dofail();
exit(1);
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 15ad8e8a01..535481cdfe 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -105,7 +105,7 @@ unsigned char *PKCS12_pbe_crypt_ex(const X509_ALGOR *algor,
if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG,
(int)mac_len, out + outlen)
- < 0) {
+ <= 0) {
OPENSSL_free(out);
out = NULL;
ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9c18350157..88c1561470 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -6242,7 +6242,8 @@ static int test_evp_final_no_tag(int idx)
goto err;
ctext_len += len;
- if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag)))
+ if (!TEST_int_gt(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag),
+ 0))
goto err;
EVP_CIPHER_CTX_free(ctx);