From: Theo Buehler Date: Wed, 1 Oct 2025 22:56:41 +0000 (+0200) Subject: Fix an error check for EVP_PBE_CipherInit_ex() X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~385 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0efd026f7d69da97ec8f3b05f05a322e98fb21f;p=thirdparty%2Fopenssl.git Fix an error check for EVP_PBE_CipherInit_ex() As pointed out during the review for the recent security issue in this file, this error check is incorrect: as documented, this function has the usual Boolean return values. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28727) --- diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index ba8646f93ce..9e71c628f0d 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -370,10 +370,10 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, /* Finish password based key derivation to setup key in "ctx" */ - if (EVP_PBE_CipherInit_ex(algtmp->algorithm, - (char *)pwri->pass, (int)pwri->passlen, - algtmp->parameter, kekctx, en_de, - cms_ctx->libctx, cms_ctx->propq) < 0) { + if (!EVP_PBE_CipherInit_ex(algtmp->algorithm, + (char *)pwri->pass, (int)pwri->passlen, + algtmp->parameter, kekctx, en_de, + cms_ctx->libctx, cms_ctx->propq)) { ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); goto err; }
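Review bot: the corrected check on the `EVP_PBE_CipherInit_ex()` call in `ossl_cms_RecipientInfo_pwri_crypt()` arrives without a regression test, since the patch touches only `crypto/cms/cms_pwri.c`. With the old `< 0` comparison, a return of 0 would skip the `ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); goto err;` branch. Under the Boolean convention the commit message cites, 0 means failure, so the function would continue with a `kekctx` whose key setup had not completed. A test that forces the password-based cipher initialisation to fail and asserts that this function returns an error would pin the new behaviour. It would also be worth searching the other callers of `EVP_PBE_CipherInit_ex()` for the same `< 0` pattern, because a Boolean return compared against a negative value fails open in the same way wherever it appears.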