If we're going to return errors (no matter how stupid), then we should
[openssl.git] / crypto / ocsp / ocsp_vfy.c
index be9bf5b..415d67e 100644 (file)
@@ -308,6 +308,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                        }
 
                mdlen = EVP_MD_size(dgst);
+               if (mdlen < 0)
+                   return -1;
                if ((cid->issuerNameHash->length != mdlen) ||
                   (cid->issuerKeyHash->length != mdlen))
                        return 0;
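Review bot: The new `return -1` under the `mdlen < 0` check gives ocsp_match_issuerid an error outcome alongside the `return 0` mismatch a few lines below, and any caller that tests the result as a plain boolean would read -1 as a successful issuer match. The callers are outside this hunk, so confirm that each one compares the result with `<= 0` or `> 0` rather than using `if (ocsp_match_issuerid(...))`, and that -1 propagates as a verification failure. A comment above the function such as `/* Returns 1 on match, 0 on mismatch, -1 on error. */` would make the contract explicit; the 1-on-match part is inferred, because the success return is not visible here. The function body starts and ends outside the hunk.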