1 files changed, 15 insertions, 12 deletions
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 7534b4c9d2..eb279b2378 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.53 2023/09/10 16:53:56 tb Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.54 2023/11/18 09:37:15 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -181,6 +181,8 @@ skip_to_init:
        }
        if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
+                int iv_len;
                switch (EVP_CIPHER_CTX_mode(ctx)) {
                case EVP_CIPH_STREAM_CIPHER:
@@ -194,25 +196,26 @@ skip_to_init:
                        /* fall-through */
                case EVP_CIPH_CBC_MODE:
+                        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
-                        if ((size_t)EVP_CIPHER_CTX_iv_length(ctx) >
+                        if (iv_len < 0 || iv_len > sizeof(ctx->oiv)) {
-                            sizeof(ctx->iv)) {
                                EVPerror(EVP_R_IV_TOO_LARGE);
                                return 0;
                        }
-                        if (iv)
+                        if (iv != NULL)
-                                memcpy(ctx->oiv, iv,
+                                memcpy(ctx->oiv, iv, iv_len);
-                                    EVP_CIPHER_CTX_iv_length(ctx));
+                        memcpy(ctx->iv, ctx->oiv, iv_len);
-                        memcpy(ctx->iv, ctx->oiv,
-                            EVP_CIPHER_CTX_iv_length(ctx));
                        break;
                case EVP_CIPH_CTR_MODE:
                        ctx->num = 0;
+                        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
+                        if (iv_len < 0 || iv_len > sizeof(ctx->iv)) {
+                                EVPerror(EVP_R_IV_TOO_LARGE);
+                                return 0;
+                        }
                        /* Don't reuse IV for CTR mode */
-                        if (iv)
+                        if (iv != NULL)
-                                memcpy(ctx->iv, iv,
+                                memcpy(ctx->iv, iv, iv_len);
-                                    EVP_CIPHER_CTX_iv_length(ctx));
                        break;
                default:

diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c index 7534b4c9d2..eb279b2378 100644 --- a/src/lib/libcrypto/evp/evp_enc.c +++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_enc.c,v 1.53 2023/09/10 16:53:56 tb Exp $ */	1	/* $OpenBSD: evp_enc.c,v 1.54 2023/11/18 09:37:15 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -181,6 +181,8 @@ skip_to_init:
181	}	181	}
182		182
183	if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {	183	if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
		184	int iv_len;
		185
184	switch (EVP_CIPHER_CTX_mode(ctx)) {	186	switch (EVP_CIPHER_CTX_mode(ctx)) {
185		187
186	case EVP_CIPH_STREAM_CIPHER:	188	case EVP_CIPH_STREAM_CIPHER:
@@ -194,25 +196,26 @@ skip_to_init:
194	/* fall-through */	196	/* fall-through */
195		197
196	case EVP_CIPH_CBC_MODE:	198	case EVP_CIPH_CBC_MODE:
197		199	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
198	if ((size_t)EVP_CIPHER_CTX_iv_length(ctx) >	200	if (iv_len < 0 \|\| iv_len > sizeof(ctx->oiv)) {
199	sizeof(ctx->iv)) {
200	EVPerror(EVP_R_IV_TOO_LARGE);	201	EVPerror(EVP_R_IV_TOO_LARGE);
201	return 0;	202	return 0;
202	}	203	}
203	if (iv)	204	if (iv != NULL)
204	memcpy(ctx->oiv, iv,	205	memcpy(ctx->oiv, iv, iv_len);
205	EVP_CIPHER_CTX_iv_length(ctx));	206	memcpy(ctx->iv, ctx->oiv, iv_len);
206	memcpy(ctx->iv, ctx->oiv,
207	EVP_CIPHER_CTX_iv_length(ctx));
208	break;	207	break;
209		208
210	case EVP_CIPH_CTR_MODE:	209	case EVP_CIPH_CTR_MODE:
211	ctx->num = 0;	210	ctx->num = 0;
		211	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
		212	if (iv_len < 0 \|\| iv_len > sizeof(ctx->iv)) {
		213	EVPerror(EVP_R_IV_TOO_LARGE);
		214	return 0;
		215	}
212	/* Don't reuse IV for CTR mode */	216	/* Don't reuse IV for CTR mode */
213	if (iv)	217	if (iv != NULL)
214	memcpy(ctx->iv, iv,	218	memcpy(ctx->iv, iv, iv_len);
215	EVP_CIPHER_CTX_iv_length(ctx));
216	break;	219	break;
217		220
218	default:	221	default: