1 files changed, 6 insertions, 6 deletions

diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index b6fe5df961..99eb60a940 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.31 2024/01/14 18:40:24 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.31.4.1 2025/09/30 12:54:59 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -267,7 +267,7 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                 /* Check byte failure */
                 goto err;
         }
-        if (inlen < (size_t)(tmp[0] - 4)) {
+        if (inlen < 4 + (size_t)tmp[0]) {
                 /* Invalid length value */
                 goto err;
         }
@@ -368,13 +368,13 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
         kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
         if (!kekcipher) {
                 CMSerror(CMS_R_UNKNOWN_CIPHER);
-                return 0;
+                goto err;
         }
 
         kekctx = EVP_CIPHER_CTX_new();
         if (kekctx == NULL) {
                 CMSerror(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
         }
         /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
         if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
@@ -389,8 +389,8 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 
         /* Finish password based key derivation to setup key in "ctx" */
 
-        if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
-            pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) {
+        if (!EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
+            pwri->passlen, algtmp->parameter, kekctx, en_de)) {
                 CMSerror(ERR_R_EVP_LIB);
                 goto err;
         }