[FIPS 3.x] Address Reported Bug Findings#3005
Merged
skmcgrail merged 5 commits into aws:fips-2024-09-27 from [source branch not shown], Feb 18, 2026
Conversation
We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue. (cherry picked from commit 921c646)
pkcs8_pbe_decrypt() allocates OPENSSL_malloc(in_len) where in_len is derived from attacker-influenced ASN.1 OCTET STRING lengths. The existing INT_MAX check only guards EVP_DecryptUpdate’s int parameter and occurs after the allocation. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue. (cherry picked from commit e17506c)
EVP_PKEY_kem_pkey_meth incorrectly assigned out->derive to pkey_hkdf_derive, causing ctx->data type confusion (KEM_PKEY_CTX vs HKDF_PKEY_CTX) when callers invoke EVP_PKEY_derive on a KEM context. Set out->derive to NULL so the operation fails as unsupported rather than dispatching into HKDF. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue. (cherry picked from commit dcd1690)
Reject digests with EVP_MD_size <= 0 when configuring HKDF and when deriving, preventing divide-by-zero in HKDF_expand if an XOF digest is selected. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue. (cherry picked from commit 8a43348)
DH_compute_key_hashed passes an uninitialized out_len to EVP_Digest. For XOF digests, EVP_DigestFinalXOF interprets *out_size as an input length, which can cause an out-of-bounds write to the caller-provided buffer. Reject XOF digests and initialize out_len to the fixed digest size. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting this issue. (cherry picked from commit 110f184)
justsmth approved these changes, Feb 18, 2026
dkostic approved these changes, Feb 18, 2026
This PR contains 5 bug fixes for various issues in AWS-LC. We would like to thank Joshua Rogers (https://joshua.hu/) of AISLE Research Team (https://aisle.com/) for reporting these issues.
Commits

1. 1-byte OOB read in EVP_PKEY_asn1_find_str length calculation

   Fixes an off-by-one out-of-bounds read in the EVP_PKEY_asn1_find_str length calculation.

2. pkcs8: cap ciphertext length before allocating in pkcs8_pbe_decrypt

   pkcs8_pbe_decrypt() allocates OPENSSL_malloc(in_len) where in_len is influenced by ASN.1 OCTET STRING lengths. The existing INT_MAX check only guards EVP_DecryptUpdate's int parameter and occurs after the allocation. This fix caps the ciphertext length before allocating.

3. evp: disable EVP_PKEY_derive for KEM method

   EVP_PKEY_kem_pkey_meth incorrectly assigned out->derive to pkey_hkdf_derive, causing ctx->data type confusion (KEM_PKEY_CTX vs HKDF_PKEY_CTX) when callers invoke EVP_PKEY_derive on a KEM context. This fix sets out->derive to NULL so the operation fails as unsupported.

4. Reject zero-sized digests in HKDF EVP_PKEY

   Rejects digests with EVP_MD_size <= 0 when configuring HKDF and when deriving, preventing divide-by-zero in HKDF_expand if an XOF digest is selected.

5. Reject XOF digests in DH_compute_key_hashed

   DH_compute_key_hashed passes an uninitialized out_len to EVP_Digest. For XOF digests, EVP_DigestFinalXOF interprets *out_size as an input length, which can cause an out-of-bounds write to the caller-provided buffer. This fix rejects XOF digests and initializes out_len to the fixed digest size.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
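The digest-size guard behind fixes 4 and 5, modelled as an added Python example (not AWS-LC code) on top of hashlib, where an XOF such as shake_128 reports digest_size 0 just as EVP_MD_size reports <= 0: HKDF-expand's ceil(L / HashLen) step and the hash into a caller-sized buffer both go through the guard, and the function names are constructed for illustration.

```python
import hashlib
import hmac


def fixed_digest_size(hash_name: str) -> int:
    """Return the fixed output size of a digest, rejecting XOFs.

    hashlib reports digest_size 0 for shake_128/shake_256, mirroring
    EVP_MD_size <= 0 for XOF digests; such digests have no fixed length
    to divide by or to size a caller buffer with, so reject them here.
    """
    size = hashlib.new(hash_name).digest_size
    if size <= 0:
        raise ValueError(f"digest {hash_name} has no fixed output size (XOF)")
    return size


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    hash_len = fixed_digest_size(hash_name)
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step; the guard runs before the division by HashLen."""
    hash_len = fixed_digest_size(hash_name)  # would be 0 for an XOF
    n = -(-length // hash_len)  # ceil(length / hash_len): divide-by-zero without the guard
    if n > 255:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, t = b"", b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
    return okm[:length]


def hkdf(hash_name: str, ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hash_name, hkdf_extract(hash_name, salt, ikm), info, length)


def compute_key_hashed(hash_name: str, shared_secret: bytes, out_buf: bytearray) -> int:
    """Model of DH_compute_key_hashed: out_len comes from the digest's fixed
    size (never left uninitialized) and is checked against the caller's buffer
    before any bytes are written; XOFs are rejected by fixed_digest_size."""
    out_len = fixed_digest_size(hash_name)
    if len(out_buf) < out_len:
        raise ValueError("caller-provided buffer is smaller than the digest")
    out_buf[:out_len] = hashlib.new(hash_name, shared_secret).digest()
    return out_len
```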