Daniel Kubec [Mon, 24 Nov 2025 01:25:08 +0000 (02:25 +0100)]
CONF: Add support for configurations per OSSL_LIB_CTX
Add support for configurations per OSSL_LIB_CTX and fix cross-context overrides.
Fixes #19248
Fixes #19243
Co-authored-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29145)
Bernd Edlinger [Sun, 25 Feb 2024 15:33:33 +0000 (16:33 +0100)]
CIFuzz: Remove some unnecessary files to free up space
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29061)
Anton Moryakov [Wed, 27 Aug 2025 10:58:24 +0000 (13:58 +0300)]
keymgmt_from_algorithm(): Fix unchecked return of ossl_provider_up_ref
The ossl_provider_up_ref() call in keymgmt_from_algorithm() was not
checking its return value, unlike other similar calls in the codebase.
This could lead to inconsistent reference counting if the up-ref failed.
Now the return value is checked, and if the up-ref fails, the keymgmt
is freed and an error is raised, ensuring consistent cleanup.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28353)
Implement Poly1305 using SVE2 VLA instructions for AArch64.
This implementation is selected at runtime if SVE2 is present and the vector length is 256, 512, 1024 or 2048 bits.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28454)
Instead of transferring the ownership of the single OCSP response
to the SSL object, the multi-stapling PR modified the semantics
of SSL_set_tlsext_status_ocsp_resp() to copying semantics.
This change reverts the behavior to the previous one.
Partially based on fix by Remi Gacogne:
https://github.com/openssl/openssl/pull/28894
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29251)
Jiasheng Jiang [Fri, 27 Jun 2025 18:13:41 +0000 (18:13 +0000)]
apps/lib/log.c: Add check for BIO_new()
Add check for the return value of BIO_new() to avoid potential NULL pointer dereference.
Fixes: 8a2ec00d7f ("apps/lib/http_server.{c,h}: clean up logging and move it to log.{c,h}") Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27918)
Igor Ustinov [Thu, 27 Nov 2025 12:08:02 +0000 (13:08 +0100)]
Branch 3.2 was removed from and branch 3.6 was added to the
"Provider compatibility for PRs" test.
Do not test the provider from the PR against modified branches.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29236)
Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28995)
Dmitry Misharov [Tue, 25 Nov 2025 16:16:46 +0000 (17:16 +0100)]
add release notes from NEWS.md when making a release
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29224)
Shohei YOSHIDA [Mon, 24 Nov 2025 08:55:06 +0000 (17:55 +0900)]
DOC: fix typo in openssl-cmp
RAVERIFED -> RAVERIFIED
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29202)
Shohei YOSHIDA [Mon, 24 Nov 2025 07:20:11 +0000 (16:20 +0900)]
DOC: put an empty line before '=for' directive
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29201)
Clemens Lang [Mon, 24 Nov 2025 10:11:33 +0000 (11:11 +0100)]
test: Add test for #29196
Add a test that will cause one of the problems reported in
https://github.com/openssl/openssl/issues/29196 and skip it on 32-bit
systems.
Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
Clemens Lang [Fri, 21 Nov 2025 15:00:08 +0000 (16:00 +0100)]
Do not make key share choice in tls1_set_groups()
tls1_set_groups(), which is used by SSL_CTX_set1_groups() does not check
whether the NIDs passed as argument actually have an implementation
available in any of the currently loaded providers. It is not simple to
add this check, either, because it would require access to the SSL_CTX,
which this function does not receive. There are legacy callers that do
not have an SSL_CTX pointer and are public API.
This becomes a problem, when an application sets the first group to one
that is not supported by the current configuration, and can trigger
sending of an empty key share.
Set the first entry of the key share list to 0 (and the key share list
length to 1) to signal to tls1_construct_ctos_key_share that it should
pick the first supported group and generate a key share for that. See
also tls1_get_requested_keyshare_groups, which documents this special
case.
See: https://issues.redhat.com/browse/RHEL-128018 Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
Norbert Pocs [Wed, 26 Nov 2025 14:27:03 +0000 (15:27 +0100)]
Configure: Warn about deprecated option when enabled
Currently the deprecated configure option is warned only when
"(no|disabled)-feature" is used, but wasn't warning when
"enable-feature" was passed as a config option.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29229)
martin [Sun, 19 Oct 2025 16:37:06 +0000 (18:37 +0200)]
Fixed non-compliant handling of missing stapled OCSP responses
If the OCSP response was not present for a certificate the server
created a non-conforming empty CertificateStatus extension
instead of not sending the extension at all.
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28588)
format embedded struct declaration for check-format.pl
so that subsequent commits to e_chacha20_poly1305.c doesn't trigger
warnings about handling '{' later in this file in related code.
i.e.
crypto/evp/e_chacha20_poly1305.c:610:indent = 0 != 4 for stmt/decl:static const EVP_CIPHER chacha20_poly1305 = {
crypto/evp/e_chacha20_poly1305.c:611:indent = 4 != 45 for hanging '{' or 8 for lines after '{': NID_chacha20_poly1305,
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28588)
Bernd Edlinger [Mon, 3 Nov 2025 13:00:15 +0000 (14:00 +0100)]
Document CVE-2021-4160
This was fixed in openssl 3.0.1 by #17258 and assigned
CVE-2021-4160 but unfortunately forgotten to mention
in the CHANGES and/or NEWS.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29051)
Daniel Kubec [Fri, 7 Nov 2025 22:45:33 +0000 (23:45 +0100)]
CRL: Enforce proper handling of ASN1_TIME validation results
ASN1 correctly validates date fields and reports errors to the error
stack. Previously, even when validation failed, a CRL object was still
returned and could, in some cases, be successfully used for
verification.
This change fixes that behavior by ensuring validation errors are
properly handled and invalid CRLs are rejected.
Fixes #27445
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29107)
Simo Sorce [Fri, 21 Nov 2025 21:11:20 +0000 (16:11 -0500)]
Disable buggy markdownlint rule MD032
The markdownlint rule MD032, which checks for blank lines surrounding lists,
is disabled because it is buggy and produces false positives. This change
prevents unnecessary build failures caused by incorrect linting.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
Simo Sorce [Wed, 12 Nov 2025 20:56:06 +0000 (15:56 -0500)]
Clarify and expand FIPS deferred tests design
Add a new "Examples" section to the design document to illustrate the intended
behavior of the self-test mechanism. These examples cover simple tests,
composite algorithms, and the specific semantics of the `also_satisfies` and
`depends_on` lists.
This change also clarifies several key points:
- The `also_satisfies` list is not processed recursively, while `depends_on`
is.
- The entire FIPS module will enter a failure state if any individual self-
test fails.
Finally, the document is updated with various grammatical fixes and improved
wording for better readability.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
Simo Sorce [Tue, 28 Oct 2025 14:34:10 +0000 (10:34 -0400)]
Describe FIPS deferred tests implementation
Add a "Current Implementation" section to the FIPS deferred tests design
document.
This section details the mechanism used to execute on-demand self-tests in a
thread-safe manner. It explains the roles of the core functions, the use of a
global lock to serialize test execution, and the thread-local storage strategy
to prevent deadlocks during nested test calls.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
Simo Sorce [Thu, 23 Oct 2025 15:36:31 +0000 (11:36 -0400)]
Add design for deferred FIPS self-tests
This commit introduces a design document for a new FIPS self-test execution
model.
The proposed design moves from the current model, where all Known Answer Tests
(KATs) run at provider load time, to a deferred model. In this new approach,
each algorithm's self-test is executed on-demand, the first time that
algorithm is requested for use.
The primary motivation is to reduce the noticeable startup latency caused by
running all FIPS self-tests unconditionally. This change will benefit
applications that only use a small subset of the available cryptographic
algorithms. The document details requirements for on-demand execution, failure
handling, dependency management, and thread safety, while maintaining FIPS
140-3 compliance.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
pbkdf2: enable setting minimum password length at build time
This is required for FIPS, allow to customize minimum password length,
allow opting in doing the same for the default provider too.
Set FIPS provider default to minimum length of 8, and default provider
to 0. Controlled by -no_pbkdf2_lower_bound_check and indicated with
fips-approved indicator.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25621)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29211)
David von Oheimb [Thu, 31 Jan 2019 16:54:17 +0000 (17:54 +0100)]
Remove extra leading '00:' when printing key material with highest byte >= 0x80
Removed pseudo-DER encoding of (unsigned) BNs from output of ASN1_bn_print() and
print_labeled_bignum() in providers/implementations/encode_decode/encode_key2text.c
Also adapt test output reference files where needed.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8136)
David Benjamin [Mon, 20 Oct 2025 21:38:14 +0000 (17:38 -0400)]
doc: Discuss calling X509_verify_cert in cert_verify_callback
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)
There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)
Viktor Dukhovni [Mon, 17 Nov 2025 08:04:58 +0000 (19:04 +1100)]
Expand and clarify SSL_CTX_config(3) docs.
- Document significant limitations in CONF_module_load_file() in OpenSSL 3.x
- Given the limitations, deëmphasise the use of CONF_module_load_file()
in SSL_CTX_config(3) documentation, showing an example with the default
config file instead.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28650)
Igor Ustinov [Wed, 19 Nov 2025 15:21:30 +0000 (16:21 +0100)]
Correct information about the default value of the -md parameter
of the openssl cms command.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29175)
doc/man3/OPENSSL_malloc.pod: mention rationale for OPENSSL_cleanse()
It was not entirely clear from the sole description, what is the reason
for preferring OPENSSL_cleanse() over memset(). Add a note about situations
in which OPENSSL_cleanse() should be chosen.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29174)
Neil Horman [Thu, 6 Nov 2025 14:38:17 +0000 (09:38 -0500)]
Add test for recordpadding
Just run the quicapitest (which attempts to create quic connections)
while using a config that specifies recordpadding, which quic should
ignore
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
Neil Horman [Sat, 25 Oct 2025 11:21:42 +0000 (07:21 -0400)]
Ignore RecordPadding option in config file for QUIC objects
QUIC connections always pad data at the packet level during packet
encryption, and so have no ability to do padding at the record level.
We want to be able to inform the user of this condition when
applications call SSL_set_block_padding_ex directly by returning an
error, we have no idea of what kind of SSL objects are created when the
config file is written.
As such, silently ignore this config file option when QUIC objects are created.
Fixes #28953
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
Neil Horman [Sat, 25 Oct 2025 11:12:50 +0000 (07:12 -0400)]
Add SSL_CTX_is_quic API
Like SSL_is_quic, it would be helpful to know if SSL_CTX objects create
QUIC SSL's or not.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28992)
Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.
Fixes #29039
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29136)
zhoulu [Thu, 13 Nov 2025 06:54:36 +0000 (14:54 +0800)]
sm4-riscv64-zvksed.pl: Code comment corrections
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29134)
doc: Add HISTORY entry for message signing functions in provider-signature(7)
The OSSL_FUNC_signature_{sign,verify}_message_* functions were added
in OpenSSL 3.4 but weren't documented in the HISTORY section of
provider-signature(7), while the corresponding EVP_PKEY_sign_message_*
functions are properly documented in EVP_PKEY_sign(3).
This adds the missing HISTORY entry to document when these provider
functions were introduced.
Fixes #29088
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29130)
Lars Erik Wik [Wed, 8 Oct 2025 15:06:39 +0000 (17:06 +0200)]
bio_ok.c: Fixed undefined identifier 'SIZE_MAX'
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29053)
Neil Horman [Thu, 2 Oct 2025 14:45:55 +0000 (10:45 -0400)]
add a memfail test for x509 operations
Much like our handshake test, x509 has several operations that can be
tested easily in such a way that we ensure memory failures don't cause
cascading asan failures, and increase our test coverage.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29172)
Leon Timmermans [Mon, 11 Aug 2025 20:25:59 +0000 (22:25 +0200)]
Allow get_params to return length of the AES-GCM tag parameter
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
tag parameter when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Leon Timmermans [Mon, 11 Aug 2025 20:08:39 +0000 (22:08 +0200)]
Allow get_params to return length of AES-GCM IV parameters
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
IV parameters when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Igor Ustinov [Thu, 13 Nov 2025 12:47:48 +0000 (13:47 +0100)]
Removed ossl_assert() calls from public OSSL_EN/DECODER_CTX_*() functions
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29120)
Igor Ustinov [Tue, 11 Nov 2025 10:23:35 +0000 (11:23 +0100)]
Added finalized flag to the OSSL_ENCODER/DECODER_CTX structures
After this flag is set, the generic OSSL_ENCODER/DECODER_CTX_set_*()
functions shouldn't be called anymore, so they return error in this case.
Fixes #28249
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29120)
Anton Moryakov [Tue, 4 Nov 2025 22:18:47 +0000 (01:18 +0300)]
Prevent NULL deref in BN_is_zero when cofactor is missing
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29062)
KubaBoi [Tue, 28 Oct 2025 17:22:57 +0000 (18:22 +0100)]
asn1_gen: add ASN1_object_size() return check and fix else braces
Fixes: #6570
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
Stefan Berger [Thu, 6 Nov 2025 22:16:01 +0000 (16:16 -0600)]
Implement EVP_SIGNATURE_hash_message_update() and use it
Implement EVP_SIGNATURE_hash_message_update() to check for support
of EVP_PKEY_sign_message_update() and EVP_PKEY_verify_message_update() and
use this function to replace the has_msg_update column in CMS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Stefan Berger [Mon, 13 Oct 2025 18:54:17 +0000 (13:54 -0500)]
cms: Enable signature verification for no-attribute case (hashless signing)
Enable signature verification for hashless signing schemes, such as ML-DSA
and EdDSA, for the non-attribute case of CMS. Also in this case the BIO
with the plain input data needs to be passed through to the signature
verification function so that the pure-mode signature verification method
can hash the plain data itself.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Stefan Berger [Mon, 13 Oct 2025 16:00:38 +0000 (11:00 -0500)]
cms: Enable signing with hashless signing for no-attributes case
Enable the ability to sign with a hashless signing schemes, such as ML-DSA
in pure mode, in case no attributes are used in CMS. To support this, pass
the BIO with the plain data through to the signing function so that key's
pure mode signing scheme can hash the data itself.
The current implementation relies on a seek'able BIO so that the data
stream can be read multiple times for support of multiple keys.
Some signing schemes, such as ML-DSA, support the message_update function
when signing data, others, such as EdDSA keys do not support it. The former
allows for reading data in smaller chunks and calling
EVP_PKEY_sign_message_update with the data, while the latter requires that
all data are all read into memory and then passed for signing. This latter
method could run into out-of-memory issue when signing very large files.
Fixes: #28279 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Stefan Berger [Tue, 14 Oct 2025 22:52:45 +0000 (17:52 -0500)]
cms: Get a default hash for hash-less signing schemes
Get a default hash for hash-less signing schemes such as ML-DSA, SLH-DSA,
and EdDSA in the case when signed attributes are present as well as for the
no signed attributes case. For the latter case, EdDSA is the only signing
scheme that has a required hash (sha512 for ED25519 and shake256 for
ED448), all other ones have a suggested hash. Only use the suggested hash
if the hash provided by the caller of CMS_add1_signer passed a NULL pointer
for md. Use the required hash in any case, overriding any choice of the
caller.
Fixes: #13523 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Joshua Rogers [Sat, 11 Oct 2025 22:34:40 +0000 (06:34 +0800)]
apps/s_socket: fix FD and addrinfo leak on SCTP failure in init_client
If BIO_new_dgram_sctp(*sock, BIO_NOCLOSE) fails we returned 0 directly,
skipping the out: cleanup and leaking the just created socket plus the
addrinfo lists.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28917)
Joshua Rogers [Sat, 11 Oct 2025 21:43:38 +0000 (05:43 +0800)]
crypto/bio/bss_acpt: set b->init only on successful BIO_parse_hostserv
BIO_C_SET_ACCEPT with num == 0 unconditionally set b->init = 1 even if
BIO_parse_hostserv failed. Only mark the BIO initialized when parsing
succeeds to avoid inconsistent state.
Joshua Rogers [Fri, 10 Oct 2025 23:15:05 +0000 (07:15 +0800)]
comp/zstd: fix BIO_CTRL_RESET to properly reset state
BIO_CTRL_RESET zeroed compress.bufsize and did not reinitialize the ZSTD
streams or buffer positions. After a reset, the next write could try to use
a 0 byte buffer and stall or behave unpredictably.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28844)
slontis [Mon, 17 Nov 2025 03:37:00 +0000 (14:37 +1100)]
Fix CI Provider compatibility test breakage
Fixes #29142
In https://github.com/openssl/openssl/pull/28349 I forgot to tag
to run 'extended tests', and the additional RSA keygen acvp test
did not check for backwards compatability when testing against
older FIPS providers.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29157)
Bob Beck [Wed, 22 Oct 2025 03:34:56 +0000 (21:34 -0600)]
Simplify x509 time checking
This changes x509 verification to use int64 values of epoch
seconds internally instead of time_t. While time values from
a system will still come from/to a platform dependant time_t
which could be range constrained, we can simplify this
to convert the certificate time to a posix time and then
just do a normal comparison of the int64_t values. This
removes the need to do further computation to compare values
which potentially do not cover the range of certificate times,
and makes the internal functions a bit more readable.
This also modifies the tests to ensure the full range of
times are tested, without depending on time_t, and adds
tests for checking CRL expiry, which were lacking before.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28987)
Angel Baez [Wed, 12 Nov 2025 12:46:28 +0000 (07:46 -0500)]
TLS 1.3 session resumption convert nonce_label to ASCII hex
Fixes #27815
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29127)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29129)
slontis [Wed, 27 Aug 2025 04:24:59 +0000 (14:24 +1000)]
RSA: Update RSA keygen.
The documentation now reference(s) FIPS 186-5 instead of FIPS 186-4,
and clarifies the keygen method used.
This PR also adds the new FIPS 186-5 2 optional parameters that allow
the generated probable primes to be congruent to a value mod 8.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28349)
doc/man3/X509_STORE_get0_param.pod: mention how to free the returned objects
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed, explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
projects / thirdparty / openssl.git / log
