From 829a3b5141fe5548704743974f88860479a8ed2b Mon Sep 17 00:00:00 2001 From: tb <> Date: Thu, 30 Apr 2020 18:43:11 +0000 Subject: Disallow setting the AES-GCM IV length to 0 It is possible to do this by abusing the EVP_CTRL_INIT API. Pointed out by jsing. ok inoguchi jsing (as part of a larger diff)
---
 src/lib/libcrypto/evp/e_aes.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index e1b53c2ce7..80eba80244 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.40 2020/04/27 19:31:02 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.41 2020/04/30 18:43:11 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
 *
@@ -721,6 +721,10 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 case EVP_CTRL_INIT:
 gctx->key_set = 0;
 gctx->iv_set = 0;
+ if (c->cipher->iv_len == 0) {
+ EVPerror(EVP_R_INVALID_IV_LENGTH);
+ return 0;
+ }
 gctx->ivlen = c->cipher->iv_len;
 gctx->iv = c->iv;
 gctx->taglen = -1;
-- cgit v1.2.3-55-g6feb
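Review bot: The new guard in the `EVP_CTRL_INIT` case rejects only an IV length of exactly zero, so a negative `c->cipher->iv_len` would still be copied into `gctx->ivlen` on the next line. `iv_len` is a signed `int` in the cipher structure (declared outside this hunk), so `if (c->cipher->iv_len <= 0) {` would cover both cases at no extra cost. The check would also benefit from a short why-comment, for example `/* GCM requires a non-empty IV; with ivlen 0 every message under a key shares the same nonce. */`, because the commit message explains the reason but the code does not. The body of `aes_gcm_ctrl` starts and ends outside the hunk, so whether the other control cases that set `gctx->ivlen` enforce the same lower bound cannot be confirmed from here and is worth checking for consistency.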