From 43d02e7eabc13ed5f01a1e68aa595fd597d91729 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 10 Jul 2018 18:44:45 +0530
Subject: we don't actually care about the errstack here, it's an invalid
 signature (#4325)

* we don't actually care about the errstack here, it's an invalid signature

We previously had no cases where we could error without getting errors
on the error stack, but wycheproof contains test cases that can error
without adding anything to the stack. Accordingly, we should clear the
stack but raise InvalidSignature no matter what (rather than
InternalError if we have no error msgs)

* add a test
---
 src/cryptography/hazmat/backends/openssl/rsa.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index e7a77312..9a7bfaa5 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -264,8 +264,7 @@ def _rsa_sig_verify(backend, padding, algorithm, public_key, signature, data):
     # occurs.
     backend.openssl_assert(res >= 0)
     if res == 0:
-        errors = backend._consume_errors()
-        backend.openssl_assert(errors)
+        backend._consume_errors()
         raise InvalidSignature
 
 
-- 
cgit v1.2.3