Hi,
The verify() function in DSA.xs checks for -1 return value from DSA_verify() and croaks in this case.
The same check is missing in do_verify(), therefore leading to false positive results in case of error in DSA_do_verify(), leading to possible security problems.
The patch attached is to be applied to the Debian package of Crypt-OpenSSL-DSA. It also documents that [do_]verify() croaks in case of errors.
It would be nice if you can include the patch in a future release.
Thanks,
dam
Debian Perl Group
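The failure mode described in this report, as an added C example that is not taken from the attached patch or from DSA.xs: OpenSSL documents DSA_verify() and DSA_do_verify() as returning 1 (valid), 0 (invalid) or -1 (error), so a caller that only tests the result for truth accepts the error case. The `lib_*` functions are hypothetical stand-ins for the library call, and the digest is constructed sample data.

```c
#include <stdio.h>

/* Return convention of DSA_verify()/DSA_do_verify():
 * 1 = valid signature, 0 = invalid signature, -1 = error. */
typedef int (*verify_fn)(const unsigned char *dgst, int dlen);

/* Hypothetical stand-ins for the library call, one per outcome. */
static int lib_valid(const unsigned char *d, int n)   { (void)d; (void)n; return 1; }
static int lib_invalid(const unsigned char *d, int n) { (void)d; (void)n; return 0; }
static int lib_error(const unsigned char *d, int n)   { (void)d; (void)n; return -1; }

static const unsigned char SAMPLE_DIGEST[20] = {0}; /* constructed input */

typedef enum { SIG_INVALID, SIG_VALID, SIG_ERROR } sig_result;

/* Unchecked pattern: the raw return value is tested for truth,
 * so -1 (error) is treated the same as 1 (verified). */
static int accepts_unchecked(verify_fn fn, const unsigned char *d, int n)
{
    int rc = fn(d, n);
    return rc ? 1 : 0;
}

/* Checked pattern: only 1 is success, 0 is a bad signature, and any
 * other value is reported as an error so the caller fails closed. */
static sig_result verify_checked(verify_fn fn, const unsigned char *d, int n)
{
    int rc = fn(d, n);
    if (rc == 1) return SIG_VALID;
    if (rc == 0) return SIG_INVALID;
    return SIG_ERROR;
}

static int accepts_checked(verify_fn fn, const unsigned char *d, int n)
{
    return verify_checked(fn, d, n) == SIG_VALID;
}

int main(void)
{
    verify_fn cases[] = { lib_valid, lib_invalid, lib_error };
    const char *names[] = { "valid", "invalid", "error" };
    for (int i = 0; i < 3; i++)
        printf("%-8s unchecked=%d checked=%d\n", names[i],
               accepts_unchecked(cases[i], SAMPLE_DIGEST, 20),
               accepts_checked(cases[i], SAMPLE_DIGEST, 20));
    return 0;
}
```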