aes_wrap: prevent crash on update without a key

EVP_CipherInit_ex2 with a NULL key followed by EVP_CipherUpdate
on AES-WRAP/WRAP-PAD/WRAP-INV ciphers dereferenced an uninitialised
function pointer because aes_wrap_init installs ctx->block only
when a key is supplied. aes_wrap_cipher_internal had no guard
before dispatching.

Track key state in ctx->key_set, matching OCB/CCM/GCM/Poly1305,
and refuse update if no key has been installed.

Added a regression test covering AES-256-WRAP, AES-256-WRAP-PAD
and AES-256-WRAP-INV.

CLA: trivial

Fixes: ca392b294359 "Add aes_wrap cipher to providers"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun  3 11:52:05 2026
(Merged from https://github.com/openssl/openssl/pull/31292)

diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index ff8c38f704bda736f61fadf98ef501fe443e31cb..2122756b28a789e03c3af40a28f202d88c3595d6 100644 (file)
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -144,6 +144,7 @@ static int aes_wrap_init(void *vctx, const unsigned char *key,
             AES_set_decrypt_key(key, (int)(keylen * 8), &wctx->ks.ks);
             ctx->block = (block128_f)AES_decrypt;
         }
+        ctx->key_set = 1;
     }
     return aes_wrap_set_ctx_params(ctx, params);
 }
@@ -217,6 +218,10 @@ static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
         ERR_raise(ERR_LIB_PROV, EVP_R_UPDATE_ERROR);
         return -1;
     }
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return -1;
+    }
     wctx->updated = 1;
 
     rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,

diff --git a/test/aeswrap_test.c b/test/aeswrap_test.c
index 539536f4a85697ea4e97ab1c6cb1c9b8e55faaaf..1ec763e8f5b19f4b0856ce22e087e983d52f988f 100644 (file)
--- a/test/aeswrap_test.c
+++ b/test/aeswrap_test.c
@@ -8,6 +8,7 @@
  */
 
 #include "testutil.h"
+#include "internal/nelem.h"
 
 /* Test that calling EVP_CipherUpdate() twice fails for AES_WRAP_PAD */
 static int aeswrap_multi_update_fail_test(void)
@@ -56,9 +57,37 @@ err:
     return ret;
 }
 
+static const char *aeswrap_null_key_ciphers[] = {
+    "AES-256-WRAP", "AES-256-WRAP-PAD", "AES-256-WRAP-INV"
+};
+
+/* Test that EVP_CipherUpdate fails after EVP_CipherInit_ex2 with NULL key */
+static int aeswrap_null_key_init_fail_test(int idx)
+{
+    int ret = 0;
+    EVP_CIPHER_CTX *ctx = NULL;
+    EVP_CIPHER *cipher = NULL;
+    uint8_t in[32] = { 0 };
+    uint8_t out[64];
+    int outlen = sizeof(in) + 8;
+
+    if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+        || !TEST_ptr(cipher = EVP_CIPHER_fetch(NULL, aeswrap_null_key_ciphers[idx], NULL))
+        || !TEST_int_eq(EVP_CipherInit_ex2(ctx, cipher, NULL, NULL, 1, NULL), 1)
+        || !TEST_int_eq(EVP_CipherUpdate(ctx, out, &outlen, in, sizeof(in)), 0))
+        goto err;
+    ret = 1;
+err:
+    EVP_CIPHER_free(cipher);
+    EVP_CIPHER_CTX_free(ctx);
+    return ret;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(aeswrap_input_size_fail_test);
     ADD_TEST(aeswrap_multi_update_fail_test);
+    ADD_ALL_TESTS(aeswrap_null_key_init_fail_test,
+        OSSL_NELEM(aeswrap_null_key_ciphers));
     return 1;
 }