Coverity 1513478: negative return
authorPauli <pauli@openssl.org>
Sun, 4 Sep 2022 21:56:37 +0000 (07:56 +1000)
committerPauli <pauli@openssl.org>
Tue, 6 Sep 2022 08:01:54 +0000 (18:01 +1000)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19126)

ssl/tls13_enc.c

index 0d0c0a14e5411f09ee0f86bc694ca76a4da86b32..702ed736fdba69f5302132caf2db4ee3f87496fd 100644 (file)
@@ -811,13 +811,19 @@ int tls13_update_key(SSL_CONNECTION *s, int sending)
   static const unsigned char application_traffic[] = "traffic upd";
 #endif
     const EVP_MD *md = ssl_handshake_md(s);
-    size_t hashlen = EVP_MD_get_size(md);
+    size_t hashlen;
     unsigned char key[EVP_MAX_KEY_LENGTH];
     unsigned char *insecret, *iv;
     unsigned char secret[EVP_MAX_MD_SIZE];
     EVP_CIPHER_CTX *ciph_ctx;
     size_t keylen, ivlen, taglen;
-    int ret = 0;
+    int ret = 0, l;
+
+    if ((l = EVP_MD_get_size(md)) <= 0) {
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+    hashlen = (size_t)l;
 
     if (s->server == sending)
         insecret = s->server_app_traffic_secret;
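Review bot: The new guard `if ((l = EVP_MD_get_size(md)) <= 0)` carries no comment saying why the size is first held in an `int`, and the name `l` is easy to misread as `1`. I would rename it (for example `mdlen`) and add above the check `/* EVP_MD_get_size() is negative on failure; reject it before converting to size_t so it cannot become a huge length */`. The early `return 0` looks safe because `key` and `secret` have not been written yet at this point. The body of tls13_update_key continues outside the hunk, so it is worth confirming that no later cleanup path is expected to run on this exit. Also outside the hunk, confirm that `hashlen` cannot exceed `sizeof(secret)` (`EVP_MAX_MD_SIZE`) wherever it is used as a copy or derive length, since this check only enforces the lower bound.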