diff --git a/CMakeLists.txt b/CMakeLists.txt
index d3e0ae01..c09a03b6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.13.0)
 project(SymCrypt-OpenSSL
- VERSION 1.9.4
+ VERSION 1.9.5
 DESCRIPTION "The SymCrypt engine and provider for OpenSSL (SCOSSL)"
 HOMEPAGE_URL "https://github.com/microsoft/SymCrypt-OpenSSL")
diff --git a/ScosslCommon/src/scossl_mac.c b/ScosslCommon/src/scossl_mac.c
index b7c191a5..66b5814f 100644
--- a/ScosslCommon/src/scossl_mac.c
+++ b/ScosslCommon/src/scossl_mac.c
@@ -109,6 +109,8 @@ SCOSSL_MAC_CTX *scossl_mac_dupctx(SCOSSL_MAC_CTX *ctx)
 SCOSSL_COMMON_ALIGNED_ALLOC_EX(expandedKey, OPENSSL_malloc, SCOSSL_MAC_EXPANDED_KEY, ctx->pMac->expandedKeySize);
 if (expandedKey == NULL)
 {
+ SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_DUPCTX, ERR_R_MALLOC_FAILURE,
+ "Failed to aligned allocate expanded key");
 goto cleanup;
 }
@@ -118,15 +120,27 @@ SCOSSL_MAC_CTX *scossl_mac_dupctx(SCOSSL_MAC_CTX *ctx)
 if (ctx->macState != NULL)
 {
+ // A caller can potentially initialize a MAC context with state but no key (e.g. HMAC with digest set, but no key yet).
+ // SymCrypt HMAC and CMAC state copy functions allow us to pass NULL for the expanded key parameter, but the key from
+ // ctx will be set in copyCtx->macState, which is undesirable. Instead, allocate an empty expanded key in copyCtx.
 if (copyCtx->expandedKey == NULL)
 {
- SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_DUPCTX, ERR_R_INTERNAL_ERROR,
- "Missing expandedKey in mac context when attempting to copy macState");
- goto cleanup;
+ SCOSSL_COMMON_ALIGNED_ALLOC_EX(expandedKey, OPENSSL_malloc, SCOSSL_MAC_EXPANDED_KEY, ctx->pMac->expandedKeySize);
+ if (expandedKey == NULL)
+ {
+ SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_DUPCTX, ERR_R_MALLOC_FAILURE,
+ "Failed to aligned allocate expanded key");
+ goto cleanup;
+ }
+
+ copyCtx->expandedKey = expandedKey;
 }
+
 SCOSSL_COMMON_ALIGNED_ALLOC_EX(macState, OPENSSL_malloc, SCOSSL_MAC_STATE, ctx->pMac->stateSize);
 if (macState == NULL)
 {
+ SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_DUPCTX, ERR_R_MALLOC_FAILURE,
+ "Failed to aligned allocate mac state");
 goto cleanup;
 }
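Review bot: The expanded key allocated for the no-key case in this hunk comes from `OPENSSL_malloc` through `SCOSSL_COMMON_ALIGNED_ALLOC_EX`, and nothing visible here initializes it, so the "empty" key described in the new comment appears to be uninitialized heap memory. If the state copy that follows (outside this hunk) binds `copyCtx->macState` to that buffer, an update/final on the duplicate before a key is set would run over indeterminate key bytes; consider clearing it right after allocation, e.g. `memset(expandedKey, 0, ctx->pMac->expandedKeySize);`, or state in the comment where use of an unkeyed context is rejected. The scossl_mac_init hunk has the same pattern, since it now allocates `ctx->expandedKey` even when `pbKey` is NULL. scossl_mac_dupctx starts and ends outside this hunk, so the copy call and the cleanup path should be checked against this as well.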
@@ -317,21 +331,26 @@ SCOSSL_STATUS scossl_mac_init(SCOSSL_MAC_CTX *ctx,
 {
 SYMCRYPT_ERROR scError;
- if (pbKey != NULL)
+ if (ctx->pMac == NULL || ctx->macState == NULL)
 {
- if (ctx->expandedKey == NULL)
- {
- SCOSSL_COMMON_ALIGNED_ALLOC_EX(expandedKey, OPENSSL_malloc, SCOSSL_MAC_EXPANDED_KEY, ctx->pMac->expandedKeySize);
- if (expandedKey == NULL)
- {
- SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_INIT, ERR_R_INTERNAL_ERROR,
- "Failed to aligned allocated expanded key");
- return SCOSSL_FAILURE;
- }
+ return SCOSSL_FAILURE;
+ }
- ctx->expandedKey = expandedKey;
+ if (ctx->expandedKey == NULL)
+ {
+ SCOSSL_COMMON_ALIGNED_ALLOC_EX(expandedKey, OPENSSL_malloc, SCOSSL_MAC_EXPANDED_KEY, ctx->pMac->expandedKeySize);
+ if (expandedKey == NULL)
+ {
+ SCOSSL_LOG_ERROR(SCOSSL_ERR_F_MAC_INIT, ERR_R_MALLOC_FAILURE,
+ "Failed to aligned allocate expanded key");
+ return SCOSSL_FAILURE;
 }
+ ctx->expandedKey = expandedKey;
+ }
+
+ if (pbKey != NULL)
+ {
 scError = ctx->pMac->expandKeyFunc(ctx->expandedKey, pbKey, cbKey);
 if (scError != SYMCRYPT_NO_ERROR)