1 files changed, 32 insertions, 1 deletions

diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index fa383165d8..7ad3eb0a1f 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -128,7 +128,10 @@ int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
             return 0;
         }
-        ctx->keylen = keylen;
+        if (ctx->keylen != keylen) {
+            ctx->keylen = keylen;
+            ctx->key_set = 0;
+        }
     }
     return 1;
 }
@@ -217,6 +220,7 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
         }
         if (!ctx->hw->init(ctx, key, ctx->keylen))
             return 0;
+        ctx->key_set = 1;
     }
     return ossl_cipher_generic_set_ctx_params(ctx, params);
 }
@@ -249,6 +253,11 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out,
     size_t blksz = ctx->blocksize;
     size_t nextblocks;
 
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return 0;
+    }
+
     if (ctx->tlsversion > 0) {
         /*
          * Each update call corresponds to a TLS record and is individually
@@ -390,6 +399,11 @@ int ossl_cipher_generic_block_final(void *vctx, unsigned char *out,
     if (!ossl_prov_is_running())
         return 0;
 
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return 0;
+    }
+
     if (ctx->tlsversion > 0) {
         /* We never finalize TLS, so this is an error */
         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
@@ -456,6 +470,11 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
 {
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
 
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return 0;
+    }
+
     if (inl == 0) {
         *outl = 0;
         return 1;
@@ -510,9 +529,16 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
 int ossl_cipher_generic_stream_final(void *vctx, unsigned char *out,
                                      size_t *outl, size_t outsize)
 {
+    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
     if (!ossl_prov_is_running())
         return 0;
 
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return 0;
+    }
+
     *outl = 0;
     return 1;
 }
@@ -526,6 +552,11 @@ int ossl_cipher_generic_cipher(void *vctx, unsigned char *out, size_t *outl,
     if (!ossl_prov_is_running())
         return 0;
 
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return 0;
+    }
+
     if (outsize < inl) {
         ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
         return 0;