From d099e33e5733bb9d3975fc4f3ac4a85b6ed1a4cb Mon Sep 17 00:00:00 2001
From: 007bsd <22483432+007bsd@users.noreply.github.com>
Date: Tue, 26 May 2026 00:10:43 +0300
Subject: [PATCH] aes_wrap: prevent crash on update without a key

EVP_CipherInit_ex2 with a NULL key followed by EVP_CipherUpdate
on AES-WRAP/WRAP-PAD/WRAP-INV ciphers dereferenced an uninitialised
function pointer because aes_wrap_init installs ctx->block only
when a key is supplied. aes_wrap_cipher_internal had no guard
before dispatching.

Track key state in ctx->key_set, matching OCB/CCM/GCM/Poly1305,
and refuse update if no key has been installed.

Added a regression test covering AES-256-WRAP, AES-256-WRAP-PAD
and AES-256-WRAP-INV.

CLA: trivial

Fixes: ca392b294359 "Add aes_wrap cipher to providers"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun  3 11:52:05 2026
(Merged from https://github.com/openssl/openssl/pull/31292)
---
 .../implementations/ciphers/cipher_aes_wrp.c  |  5 ++++
 test/aeswrap_test.c                           | 29 +++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index ff8c38f704b..2122756b28a 100644
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -144,6 +144,7 @@ static int aes_wrap_init(void *vctx, const unsigned char *key,
             AES_set_decrypt_key(key, (int)(keylen * 8), &wctx->ks.ks);
             ctx->block = (block128_f)AES_decrypt;
         }
+        ctx->key_set = 1;
     }
     return aes_wrap_set_ctx_params(ctx, params);
 }
@@ -217,6 +218,10 @@ static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
         ERR_raise(ERR_LIB_PROV, EVP_R_UPDATE_ERROR);
         return -1;
     }
+    if (!ctx->key_set) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+        return -1;
+    }
     wctx->updated = 1;
 
     rv = wctx->wrapfn(&wctx->ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in,
diff --git a/test/aeswrap_test.c b/test/aeswrap_test.c
index 539536f4a85..1ec763e8f5b 100644
--- a/test/aeswrap_test.c
+++ b/test/aeswrap_test.c
@@ -8,6 +8,7 @@
  */
 
 #include "testutil.h"
+#include "internal/nelem.h"
 
 /* Test that calling EVP_CipherUpdate() twice fails for AES_WRAP_PAD */
 static int aeswrap_multi_update_fail_test(void)
@@ -56,9 +57,37 @@ err:
     return ret;
 }
 
+static const char *aeswrap_null_key_ciphers[] = {
+    "AES-256-WRAP", "AES-256-WRAP-PAD", "AES-256-WRAP-INV"
+};
+
+/* Test that EVP_CipherUpdate fails after EVP_CipherInit_ex2 with NULL key */
+static int aeswrap_null_key_init_fail_test(int idx)
+{
+    int ret = 0;
+    EVP_CIPHER_CTX *ctx = NULL;
+    EVP_CIPHER *cipher = NULL;
+    uint8_t in[32] = { 0 };
+    uint8_t out[64];
+    int outlen = sizeof(in) + 8;
+
+    if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+        || !TEST_ptr(cipher = EVP_CIPHER_fetch(NULL, aeswrap_null_key_ciphers[idx], NULL))
+        || !TEST_int_eq(EVP_CipherInit_ex2(ctx, cipher, NULL, NULL, 1, NULL), 1)
+        || !TEST_int_eq(EVP_CipherUpdate(ctx, out, &outlen, in, sizeof(in)), 0))
+        goto err;
+    ret = 1;
+err:
+    EVP_CIPHER_free(cipher);
+    EVP_CIPHER_CTX_free(ctx);
+    return ret;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(aeswrap_input_size_fail_test);
     ADD_TEST(aeswrap_multi_update_fail_test);
+    ADD_ALL_TESTS(aeswrap_null_key_init_fail_test,
+        OSSL_NELEM(aeswrap_null_key_ciphers));
     return 1;
 }
-- 
2.47.3