From: Tomas Mraz Date: Thu, 25 Sep 2025 12:19:22 +0000 (+0200) Subject: krb5kdf.c.in: Check the key size before applying the key X-Git-Tag: openssl-3.5.4~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25d9b42e7266e9f1d469867f1a39434bacfe92d6;p=thirdparty%2Fopenssl.git krb5kdf.c.in: Check the key size before applying the key Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28663) (cherry picked from commit 3addc8bb3a8e62e701d44ae849437f97940632cd)
---
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
index 566afa74fec..e7c51d83cad 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -350,7 +350,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx,
 {
 int klen, ret;
- ret = EVP_EncryptInit_ex(ctx, cipher, engine, key, NULL);
+ ret = EVP_EncryptInit_ex(ctx, cipher, engine, NULL, NULL);
 if (!ret)
 goto out;
 /* set the key len for the odd variable key len cipher */
@@ -362,6 +362,9 @@ static int cipher_init(EVP_CIPHER_CTX *ctx,
 goto out;
 }
 }
+ ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL);
+ if (!ret)
+ goto out;
 /* we never want padding, either the length requested is a multiple of
 * the cipher block size or we are passed a cipher that can cope with
 * partial blocks via techniques like cipher text stealing */
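Review bot: The two-step initialisation in cipher_init carries no comment explaining why the first `EVP_EncryptInit_ex` call now passes `NULL` for the key, so a later cleanup could fold the two calls back into one and silently undo the fix. With the old order the key was applied while the context still had the cipher's default key length, which presumably let the cipher read more bytes than the caller's `keylen` when a shorter key was supplied. I would add `/* select the cipher only; the key is applied once its length has been validated */` above the first call, and `/* key length is settled, now apply the key */` above the call added in the second hunk. The length comparison itself sits between the two hunks and is not visible here, and cipher_init's body continues past the end of the second hunk.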