prevent app_get_pass() from revealing cleartext password on syntax error

When the argument for '-pass' was badly formed, that argument got
displayed in full.  This turns out to not be such a good idea if the
user simply forgot to start the argument with 'pass:', or spellt the
prefix incorrectly.  We therefore change the display to say that a
colon is missing or only showing the incorrect prefix.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6218)

apps/apps.c

@@ -48,6 +48,8 @@ static int WIN32_rename(const char *from, const char *to);
 # define rename(from,to) WIN32_rename((from),(to))
 #endif
 
+#define PASS_SOURCE_SIZE_MAX 4
+
 typedef struct {
     const char *name;
     unsigned long flag;
@@ -205,6 +207,7 @@ static char *app_get_pass(const char *arg, int keepbio)
     char *tmp, tpass[APP_PASS_LEN];
     int i;
 
+    /* PASS_SOURCE_SIZE_MAX = max number of chars before ':' in below strings */
     if (strncmp(arg, "pass:", 5) == 0)
         return OPENSSL_strdup(arg + 5);
     if (strncmp(arg, "env:", 4) == 0) {
@@ -253,7 +256,16 @@ static char *app_get_pass(const char *arg, int keepbio)
                 return NULL;
             }
         } else {
-            BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg);
+            /* argument syntax error; do not reveal too much about arg */
+            tmp = strchr(arg, ':');
+            if (tmp == NULL || tmp - arg > PASS_SOURCE_SIZE_MAX)
+                BIO_printf(bio_err,
+                           "Invalid password argument, missing ':' within the first %d chars\n",
+                           PASS_SOURCE_SIZE_MAX + 1);
+            else
+                BIO_printf(bio_err,
+                           "Invalid password argument, starting with \"%.*s\"\n",
+                           (int)(tmp - arg + 1), arg);
             return NULL;
         }
     }