
Address Reported Bug Findings #3000

Merged
skmcgrail merged 6 commits into aws:main from skmcgrail:patches
Feb 17, 2026

Conversation

@skmcgrail
Member

This PR contains 6 bug fixes for various issues in AWS-LC. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting these issues.

Commits

1. evp: fix DSA keygen error-path UAF/double-free

pkey_dsa_keygen() assigns a freshly allocated DSA into EVP_PKEY before EVP_PKEY_copy_parameters(), then frees the DSA on failure, leaving pkey holding a dangling pointer. This fix avoids freeing after ownership transfer by nulling the local pointer and clearing/freeing the pkey-held key on error.

2. 1-byte OOB read in EVP_PKEY_asn1_find_str length calculation

Fixes an off-by-one out-of-bounds read in the EVP_PKEY_asn1_find_str length calculation.

3. pkcs8: cap ciphertext length before allocating in pkcs8_pbe_decrypt

pkcs8_pbe_decrypt() allocates OPENSSL_malloc(in_len) where in_len is influenced by ASN.1 OCTET STRING lengths. The existing INT_MAX check only guards EVP_DecryptUpdate's int parameter and occurs after the allocation. This fix caps the ciphertext length before allocating.

4. evp: disable EVP_PKEY_derive for KEM method

EVP_PKEY_kem_pkey_meth incorrectly assigned out->derive to pkey_hkdf_derive, causing ctx->data type confusion (KEM_PKEY_CTX vs HKDF_PKEY_CTX) when callers invoke EVP_PKEY_derive on a KEM context. This fix sets out->derive to NULL so the operation fails as unsupported.

5. Reject zero-sized digests in HKDF EVP_PKEY

Rejects digests with EVP_MD_size <= 0 when configuring HKDF and when deriving, preventing divide-by-zero in HKDF_expand if an XOF digest is selected.

6. Reject XOF digests in DH_compute_key_hashed

DH_compute_key_hashed passes an uninitialized out_len to EVP_Digest. For XOF digests, EVP_DigestFinalXOF interprets *out_size as an input length, which can cause an out-of-bounds write to the caller-provided buffer. This fix rejects XOF digests and initializes out_len to the fixed digest size.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
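The ownership-transfer mistake behind fix 1, as an added illustration that is not AWS-LC's code: the toy_dsa/toy_pkey types and every function below are constructed stand-ins for DSA, EVP_PKEY, the assign step and EVP_PKEY_copy_parameters(), written only to contrast the dangling-pointer error path with the corrected one.

```c
#include <stdlib.h>

/* Constructed stand-ins for DSA and EVP_PKEY; not AWS-LC's own types. */
typedef struct { int has_params; } toy_dsa;
typedef struct { toy_dsa *key; } toy_pkey;

static toy_dsa *toy_dsa_new(void) { return calloc(1, sizeof(toy_dsa)); }
static void toy_dsa_free(toy_dsa *d) { free(d); }

/* Ownership transfer: after this call the pkey, not the caller, owns d. */
static void toy_pkey_assign(toy_pkey *p, toy_dsa *d) { toy_dsa_free(p->key); p->key = d; }

/* Stand-in for EVP_PKEY_copy_parameters(); 'fail' simulates its error path. */
static int toy_copy_parameters(toy_pkey *p, int fail) {
    if (fail) return 0;
    p->key->has_params = 1;
    return 1;
}

/* Pattern the PR fixes: the local pointer is freed after ownership was
 * already transferred, so pkey->key dangles when parameter copying fails. */
int keygen_buggy(toy_pkey *pkey, int fail_copy) {
    toy_dsa *dsa = toy_dsa_new();
    if (dsa == NULL) return 0;
    toy_pkey_assign(pkey, dsa);
    if (!toy_copy_parameters(pkey, fail_copy)) {
        toy_dsa_free(dsa);   /* pkey->key still points at this freed memory */
        return 0;
    }
    return 1;
}

/* Fixed pattern: null the local after transfer, release through the owner. */
int keygen_fixed(toy_pkey *pkey, int fail_copy) {
    toy_dsa *dsa = toy_dsa_new();
    if (dsa == NULL) return 0;
    toy_pkey_assign(pkey, dsa);
    dsa = NULL;              /* pkey owns it now; never free the local copy */
    if (!toy_copy_parameters(pkey, fail_copy)) {
        toy_dsa_free(pkey->key);
        pkey->key = NULL;    /* no dangling reference left in the owner */
        return 0;
    }
    return 1;
}

/* Runs one keygen on a fresh pkey; returns 1 if the pkey still holds a key
 * pointer afterwards (0 = cleared). The pointer is compared, never dereferenced. */
int key_pointer_left_set(int (*keygen)(toy_pkey *, int), int fail_copy) {
    toy_pkey p = { NULL };
    int ok = keygen(&p, fail_copy);
    int set = p.key != NULL;
    if (ok) toy_dsa_free(p.key);   /* success path: the caller frees normally */
    return set;
}
```

After a failed copy the buggy path leaves the owner pointing at freed memory, which is exactly what a later EVP_PKEY_free would double-free; the fixed path leaves it NULL.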

@github-actions github-actions bot left a comment

clang-tidy made some suggestions

skmcgrail and others added 6 commits February 17, 2026 20:38
pkey_dsa_keygen() assigns a freshly allocated DSA into EVP_PKEY before
EVP_PKEY_copy_parameters(), then frees the DSA on failure, leaving pkey
holding a dangling pointer. Avoid freeing after ownership transfer by
nulling the local pointer and clearing/freeing the pkey-held key on error.
Also use DSA_free() for DSA objects.

We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
pkcs8_pbe_decrypt() allocates OPENSSL_malloc(in_len) where in_len is derived
from attacker-influenced ASN.1 OCTET STRING lengths. The existing INT_MAX
check only guards EVP_DecryptUpdate’s int parameter and occurs after the
allocation.

We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
EVP_PKEY_kem_pkey_meth incorrectly assigned out->derive to pkey_hkdf_derive,
causing ctx->data type confusion (KEM_PKEY_CTX vs HKDF_PKEY_CTX) when callers
invoke EVP_PKEY_derive on a KEM context. Set out->derive to NULL so the
operation fails as unsupported rather than dispatching into HKDF.

We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
Reject digests with EVP_MD_size <= 0 when configuring HKDF and when deriving,
preventing divide-by-zero in HKDF_expand if an XOF digest is selected.

We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
DH_compute_key_hashed passes an uninitialized out_len to EVP_Digest.
For XOF digests, EVP_DigestFinalXOF interprets *out_size as an input length,
which can cause an out-of-bounds write to the caller-provided buffer.
Reject XOF digests and initialize out_len to the fixed digest size.

We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue.
@codecov-commenter

codecov-commenter commented Feb 17, 2026

Codecov Report

❌ Patch coverage is 84.61538% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.31%. Comparing base (07b961f) to head (be160e8).
⚠️ Report is 82 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| crypto/evp_extra/p_dsa.c | 57.14% | 3 Missing ⚠️ |
| crypto/fipsmodule/evp/p_hkdf.c | 71.42% | 2 Missing ⚠️ |
| crypto/pkcs8/pkcs8.c | 75.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3000   +/-   ##
=======================================
  Coverage   78.30%   78.31%           
=======================================
  Files         689      689           
  Lines      120978   120995   +17     
  Branches    16969    16971    +2     
=======================================
+ Hits        94737    94761   +24     
+ Misses      25345    25337    -8     
- Partials      896      897    +1     


@skmcgrail skmcgrail merged commit 110f184 into aws:main Feb 17, 2026
434 of 439 checks passed
@skmcgrail skmcgrail deleted the patches branch February 17, 2026 23:49
@justsmth justsmth mentioned this pull request Feb 20, 2026
justsmth added a commit that referenced this pull request Feb 20, 2026
### Description of changes:
* Bump urllib3 from 2.6.0 to 2.6.3 in /tests/ci by @dependabot[bot] in #2932
* Add weekly automated check for outdated third-party test vectors by @sgmenda in #2933
* Enable Hybrid PQ KeyShares by default by @alexw91 in #2531
* Remove AVX conditional from cmake script by @torben-hansen in #2958
* openssl-ca command implementation for self-sign certificates by @skmcgrail in #2937
* Initial Framework for Using Doxygen to Document Public Header Files by @m271828 in #2908
* Move md4 out of FIPS module by @torben-hansen in #2956
* Fix image-build-windows workflow to only push on workflow_call and workflow_dispatch by @skmcgrail in #2961
* Remove FIPS counter framework and other tidying up by @torben-hansen in #2947
* Model Device Farm CI Resources in CDK by @skmcgrail in #2965
* Adds a new randomness generation API by @torben-hansen in #2963
* Migrate Android Testing to GitHub Actions by @skmcgrail in #2969
* Ensure pkcs7 checks ASN1_TYPE->type by @skmcgrail in #2968
* Fix checkout logic for android-omnibus by @skmcgrail in #2970
* Add missing env vars to check-vectors workflow step by @sgmenda in #2962
* Shorten Windows Build Directory Path by @skmcgrail in #2974
* Bump mysql cluster version by @WillChilds-Klein in #2967
* Integrate Wycheproof ML-DSA test vectors by @sgmenda in #2973
* Simplify FIPS conditional in top-level build script by @torben-hansen in #2976
* Fix aws-lc-rs CI job by @justsmth in #2966
* Add method to get type of ML-DSA instance configured under EVP PKEY by @torben-hansen in #2980
* Nmap build needs liblinear by @justsmth in #2985
* Disable SLP vectorizer for FIPS shared library builds on GCC 14+ by @geedo0 in #2977
* Update Wycheproof ECDSA test vectors and fix workflow typo by @sgmenda in #2972
* Address some CMake findings by @skmcgrail in #2979
* Bump bytes from 1.7.1 to 1.11.1 in /tests/ci/lambda by @dependabot[bot] in #2983
* Support GCC 4.8 for aarch64 by @justsmth in #2964
* Free potential memory before assigning new pointer by @torben-hansen in #2989
* Add PyOpenSSL integration test by @WillChilds-Klein in #2992
* Ensure index argument is not negative in ASN1_BIT_STRING_set_bit by @torben-hansen in #2987
* Ensure no overflow in signed output length in do_buf by @torben-hansen in #2988
* Remove redundant CPython 3.9 integration test by @WillChilds-Klein in #2996
* Ensure public key is set before verifying through ML-DSA verify by @torben-hansen in #2990
* Correct CCM nids in object definition by @torben-hansen in #2991
* Address Reported Bug Findings by @skmcgrail in #3000
* Fix CI: gcc-4.8 by @justsmth in #3011
* Fix Windows CI: use `cd /d` in run_windows_tests.bat to handle cross-drive paths by @justsmth in #3012
* Fix OPENSSL_memchr per C23 by @justsmth in #3008
* Fix argument order in `hmac_copy` by @justsmth in #3014
* Miscellaneous CI improvements by @skmcgrail in #2978
* Fix CI: mariadb by @justsmth in #3015
* Update Ubuntu 24:04 image compiler verification by @skmcgrail in #3017
* Support WASM/Emscripten by @justsmth in #2959
* Generate Rust Bindings by @justsmth in #2999

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
4 participants