From: Theo Buehler <tb@openbsd.org>
Date: Wed, 1 Oct 2025 22:56:41 +0000 (+0200)
Subject: Fix an error check for EVP_PBE_CipherInit_ex()
X-Git-Tag: 3.0-PRE-CLANG-FORMAT-WEBKIT~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd5c3eb82272e211f9992e6789fdc5252d95fa43;p=thirdparty%2Fopenssl.git

Fix an error check for EVP_PBE_CipherInit_ex()

As pointed out during the review for the recent security issue in this
file, this error check is incorrect: as documented, this function has
the usual Boolean return values.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28727)

(cherry picked from commit f0efd026f7d69da97ec8f3b05f05a322e98fb21f)
(cherry picked from commit 9dc4b2f493ff87c012610e395f38fd0c2ab612fd)
---

diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index 33a7ccaa76a..bf492aca3cc 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -352,10 +352,10 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
 
     /* Finish password based key derivation to setup key in "ctx" */
 
-    if (EVP_PBE_CipherInit_ex(algtmp->algorithm,
-                              (char *)pwri->pass, pwri->passlen,
-                              algtmp->parameter, kekctx, en_de,
-                              cms_ctx->libctx, cms_ctx->propq) < 0) {
+    if (!EVP_PBE_CipherInit_ex(algtmp->algorithm,
+                               (char *)pwri->pass, (int)pwri->passlen,
+                               algtmp->parameter, kekctx, en_de,
+                               cms_ctx->libctx, cms_ctx->propq)) {
         ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
         goto err;
     }