From 2cdab83f85dc362c99c59ee5ade623d282355572 Mon Sep 17 00:00:00 2001
From: Toddr Bot
Date: Tue, 26 May 2026 02:00:41 +0000
Subject: [PATCH] Fix missing return value check in EVP_PKEY_sign_init

THROW(EVP_PKEY_sign_init(ctx)) treats any non-zero return as success, including negative error codes (-2 = operation not supported). The verify() path already checks == 1 correctly; bring sign() in line.

Co-Authored-By: Claude Opus 4.6
---
 RSA.xs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RSA.xs b/RSA.xs
index 238bebb..90f1659 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -1446,7 +1446,7 @@ sign(p_rsa, text_SV)
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 ctx = EVP_PKEY_CTX_new(p_rsa->rsa, NULL /* no engine */);
 THROW(ctx);
- THROW(EVP_PKEY_sign_init(ctx));
+ THROW(EVP_PKEY_sign_init(ctx) == 1);
 THROW(setup_pss_sign_ctx(ctx, p_rsa->padding, p_rsa->hashMode, &md));
 THROW(EVP_PKEY_sign(ctx, NULL, &signature_length, digest, get_digest_length(p_rsa->hashMode)) == 1);
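Review bot: The line right after the fix, `THROW(setup_pss_sign_ctx(ctx, p_rsa->padding, p_rsa->hashMode, &md));`, is still a bare truthiness check, so it has the same weakness if that helper ever hands back a raw OpenSSL return value. The helper is defined outside this hunk, so this is unconfirmed; but if it forwards a negative code from a padding or digest setter, THROW would accept it and signing would presumably continue with the context's default parameters rather than the requested PSS settings. Either make the helper return strictly 0 or 1 and say so at its definition, for example `/* returns 1 on success, 0 on failure; never a negative OpenSSL code */`, or compare explicitly here as the neighbouring lines now do. A short comment at the THROW macro, such as `/* THROW(x) fails only when x == 0; compare OpenSSL tri-state returns with == 1 */`, would help keep later call sites from repeating the pattern. The body of sign() starts and ends outside the hunk, so the cleanup path for `ctx` after a failed THROW could not be checked from here.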