From 114d99b46bfb212ffc510865df317ca2c1542623 Mon Sep 17 00:00:00 2001 From: Niels Dossche Date: Mon, 23 Jan 2023 17:16:34 +0100 Subject: Fix incomplete checks for EVP_CIPHER_asn1_to_param EVP_CIPHER_asn1_to_param() returns a value <= 0 in case of an error, and a value greater than 0 in case of success. Two callsites only check for < 0 instead of <= 0. The other callsites perform this check correctly. Change the two callsites to <= 0. Additionally correctly handle a zero return value from EVP_CIPHER_get_asn1_iv as success. Fixes: #20116 CLA: trivial Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/201213) --- crypto/evp/evp_lib.c | 2 +- crypto/evp/p5_crpt2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'crypto/evp') diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 8a66433512..91f72aa930 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -209,7 +209,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, break; default: - ret = EVP_CIPHER_get_asn1_iv(c, type); + ret = EVP_CIPHER_get_asn1_iv(c, type) >= 0 ? 1 : -1; } } else if (cipher->prov != NULL) { OSSL_PARAM params[3], *p = params; diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index 8e3fccb213..33763b18af 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -159,7 +159,7 @@ int PKCS5_v2_PBE_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, /* Fixup cipher based on AlgorithmIdentifier */ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de)) goto err; - if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) { + if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) <= 0) { ERR_raise(ERR_LIB_EVP, EVP_R_CIPHER_PARAMETER_ERROR); goto err; } -- cgit v1.2.3