- in EVP_read_pw_string_min(), the return value from UI_add_* wasn't
properly checked
- in UI_process(), |state| was never made NULL, which means an error
when closing the session wouldn't be accurately reported.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3849)
int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
int verify)
{
int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
int verify)
{
char buff[BUFSIZ];
UI *ui;
char buff[BUFSIZ];
UI *ui;
prompt = prompt_string;
ui = UI_new();
if (ui == NULL)
prompt = prompt_string;
ui = UI_new();
if (ui == NULL)
- return -1;
- UI_add_input_string(ui, prompt, 0, buf, min,
- (len >= BUFSIZ) ? BUFSIZ - 1 : len);
- if (verify)
- UI_add_verify_string(ui, prompt, 0,
- buff, min, (len >= BUFSIZ) ? BUFSIZ - 1 : len,
- buf);
+ return ret;
+ if (UI_add_input_string(ui, prompt, 0, buf, min,
+ (len >= BUFSIZ) ? BUFSIZ - 1 : len) < 0
+ || (verify
+ && UI_add_verify_string(ui, prompt, 0, buff, min,
+ (len >= BUFSIZ) ? BUFSIZ - 1 : len,
+ buf) < 0))
+ goto end;
OPENSSL_cleanse(buff, BUFSIZ);
OPENSSL_cleanse(buff, BUFSIZ);
err:
if (ui->meth->ui_close_session != NULL
&& ui->meth->ui_close_session(ui) <= 0) {
err:
if (ui->meth->ui_close_session != NULL
&& ui->meth->ui_close_session(ui) <= 0) {