Revert part of r1.36: in the case of GCM, gcm.key is assigned from

aesni_gcm_init_key() via CRYPTO_gcm128_init(), so it needs to be
copied over...

Fixes cryptofuzz issue #14352 and likely also #14374.

ok beck jsing

1 files changed, 7 insertions, 1 deletions

diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 25e69f9ae7..a1e94c8ff6 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.37 2019/04/14 17:27:42 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.38 2019/05/10 18:41:17 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -829,6 +829,12 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
                 EVP_CIPHER_CTX *out = ptr;
                 EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
 
+                if (gctx->gcm.key) {
+                        if (gctx->gcm.key != &gctx->ks)
+                                return 0;
+                        gctx_out->gcm.key = &gctx_out->ks;
+                }
+
                 if (gctx->iv == c->iv) {
                         gctx_out->iv = out->iv;
                 } else {