Fix an error check for EVP_PBE_CipherInit_ex()
authorTheo Buehler <tb@openbsd.org>
Wed, 1 Oct 2025 22:56:41 +0000 (00:56 +0200)
committerTomas Mraz <tomas@openssl.org>
Tue, 14 Oct 2025 14:56:55 +0000 (16:56 +0200)
As pointed out during the review for the recent security issue in this
file, this error check is incorrect: as documented, this function has
the usual Boolean return values.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28727)

crypto/cms/cms_pwri.c

index ba8646f93ce8f651b2ace5cb1f7159a970ece928..9e71c628f0de0ac2930476e3f6939f342bc674c4 100644 (file)
@@ -370,10 +370,10 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
 
     /* Finish password based key derivation to setup key in "ctx" */
 
-    if (EVP_PBE_CipherInit_ex(algtmp->algorithm,
-                              (char *)pwri->pass, (int)pwri->passlen,
-                              algtmp->parameter, kekctx, en_de,
-                              cms_ctx->libctx, cms_ctx->propq) < 0) {
+    if (!EVP_PBE_CipherInit_ex(algtmp->algorithm,
+                               (char *)pwri->pass, (int)pwri->passlen,
+                               algtmp->parameter, kekctx, en_de,
+                               cms_ctx->libctx, cms_ctx->propq)) {
         ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
         goto err;
     }
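Review bot: The `(int)pwri->passlen` cast on the second argument line is still unguarded: if `passlen` is a wider unsigned type (the cast suggests so, but its declaration is not in the hunk), a value above INT_MAX would be narrowed, possibly to a negative length, before it reaches EVP_PBE_CipherInit_ex(). A range check ahead of the call would close that, e.g. `if (pwri->passlen > INT_MAX) { ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_INVALID_ARGUMENT); goto err; }`. Separately, a one-line comment above the call such as `/* EVP_PBE_CipherInit_ex() returns 1 on success, 0 on failure */` would help keep the `< 0` form from being reintroduced, since with that form a failed init fell through as success. The body of ossl_cms_RecipientInfo_pwri_crypt starts and ends outside this hunk, so whether the length is already validated earlier is not visible here.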