openssl/openssl

EVP_MAC POLY1305 crashes on NULL direct-key initialization in some code paths

Open

#31,332 opened on 2026年5月29日

GitHub で見る
 (4 comments) (0 reactions) (0 assignees)C (11,262 forks)batch import
help wantedissue: bug reporttriaged: bug

Repository metrics

Stars
 (30,157 stars)
PR merge metrics
 (30d に merged PR はありません)

説明

Summary

EVP_MAC POLY1305 handles some NULL-key initialization paths inconsistently.

In OpenSSL 3.5.6, the following initialization paths crash with SIGSEGV:

  • EVP_MAC_init(ctx, NULL, 0, NULL)
  • EVP_MAC_init(ctx, NULL, 1, NULL)
  • EVP_MAC_init(ctx, NULL, 0, end-only params)

In the same matrix, other invalid key cases fail cleanly with invalid key length instead of crashing:

  • non-NULL pointer with length 0
  • OSSL_MAC_PARAM_KEY set to a non-NULL pointer with length 0, 1, 31, or 33

A valid 32-byte key succeeds in both the direct-key and parameter-based paths.

This indicates that the crash is specific to NULL-key initialization paths, not to POLY1305 key-length validation in general.

Minimal reproducer

A minimal standalone reproducer is attached:

  • openssl_poly1305_init_matrix_repro.cpp

openssl_poly1305_init_matrix_repro.cpp

The reproducer runs each test case in a child process so that a crash in one case does not stop the full matrix.

The tested cases include:

  • direct key argument with NULL and length 0
  • direct key argument with NULL and length 1
  • direct key argument with a non-NULL dummy pointer and length 0
  • direct key argument with a valid 32-byte key
  • no direct key with no params
  • no direct key with end-only params
  • OSSL_MAC_PARAM_KEY with NULL,0
  • OSSL_MAC_PARAM_KEY with a valid 32-byte key

Observed behavior

Tested with OpenSSL 3.5.6.

openssl_version,OpenSSL 3.5.6 7 Apr 2026
child_row,case,init_rc,update_rc,final_rc,out_len,stage,error_text
parent_row,library,algorithm,case,parent_status,signal,exit_code
parent,OpenSSL,POLY1305,direct_NULL_0,child_signal,11,-1
parent,OpenSSL,POLY1305,direct_NULL_1,child_signal,11,-1
child,direct_dummy_0,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,direct_dummy_0,child_exit,0,1
child,direct_key_len_1,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,direct_key_len_1,child_exit,0,1
child,direct_key_len_31,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,direct_key_len_31,child_exit,0,1
child,direct_key_len_32,1,1,1,16,init_success,none|none|none
parent,OpenSSL,POLY1305,direct_key_len_32,child_exit,0,0
child,direct_key_len_33,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,direct_key_len_33,child_exit,0,1
parent,OpenSSL,POLY1305,params_absent_NULL_0,child_signal,11,-1
parent,OpenSSL,POLY1305,params_end_only,child_signal,11,-1
child,params_key_NULL_0,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_NULL_0,child_exit,0,1
child,params_key_NULL_1,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_NULL_1,child_exit,0,1
child,params_key_dummy_0,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_dummy_0,child_exit,0,1
child,params_key_len_1,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_len_1,child_exit,0,1
child,params_key_len_31,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_len_31,child_exit,0,1
child,params_key_len_32,1,1,1,16,init_success,none|none|none
parent,OpenSSL,POLY1305,params_key_len_32,child_exit,0,0
child,params_key_len_33,0,-1,-1,64,init_failed,error:1C800069:Provider routines::invalid key length|not_run|not_run
parent,OpenSSL,POLY1305,params_key_len_33,child_exit,0,1
exit_code=0

Result summary

The crash cases are:

direct_NULL_0:
  EVP_MAC_init(ctx, NULL, 0, NULL)
  => child process terminates with signal 11

direct_NULL_1:
  EVP_MAC_init(ctx, NULL, 1, NULL)
  => child process terminates with signal 11

params_absent_NULL_0:
  EVP_MAC_init(ctx, NULL, 0, NULL)
  => child process terminates with signal 11

params_end_only:
  EVP_MAC_init(ctx, NULL, 0, end-only params)
  => child process terminates with signal 11

The clean failure cases are:

direct_dummy_0:
  EVP_MAC_init(ctx, dummy_ptr, 0, NULL)
  => returns failure with invalid key length

params_key_NULL_0:
  EVP_MAC_init(ctx, NULL, 0, params_with_OSSL_MAC_PARAM_KEY_NULL_0)
  => returns failure with invalid key length

The valid key controls succeed:

direct_key_len_32:
  EVP_MAC_init(ctx, key32, 32, NULL)
  => init/update/final succeed

params_key_len_32:
  EVP_MAC_init(ctx, NULL, 0, params_with_OSSL_MAC_PARAM_KEY_key32)
  => init/update/final succeed

Expected behavior

NULL or otherwise invalid POLY1305 keys should fail cleanly instead of crashing.

Expected behavior would be that these initialization paths return failure, preferably with the same invalid key length error used by the other invalid key cases.

コントリビューターガイド