This fixes the RSA-SM3 signatures to conform to the standard.
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28415)
Tomas Mraz [Tue, 23 Sep 2025 15:00:00 +0000 (17:00 +0200)]
Fix doublefree after failure in ossl_siv128_init()
The issue was reported by Ronald Crane from Zippenhop LLC.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28644)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28535)
Bob Beck [Tue, 16 Sep 2025 21:30:31 +0000 (15:30 -0600)]
Correct the documentation for OPENSSL_sk_find
Since April of 2023 with commit eb0935f, these functions have not
sorted the stack if it was not sorted. The documentation was noti
changed at the time to reflect this changed behaviour.
This corrects the documentation to reflect the current behaviour
of these functions
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28578)
Neil Horman [Tue, 23 Sep 2025 09:40:06 +0000 (05:40 -0400)]
Close small race condition on error raising in QUIC
Github issue #28501 reported an odd condition in which a double free was
occuring when a given thread was popping entries of its error stack.
It was hypothesized that, because a few places in the quic stack save
error state to a shared structure (ch->err_state, port->error_state,
qtls->error_state), that multiple threads may attempt to mutate the
shared structure during error save/restore in parallel.
Investigation showed that all paths which led to such mutations were
done under lock, so that shouldn't occur.
Except for one case, which this PR addresses.
In ossl_quic_conn_stream_conclude, we unlock our protecting mutex, prior
to calling QUIC_RAISE_NON_NORMAL_ERROR. If that function is called with
an reason code of SHUTDOWN, it attempts to restore the channel error
state. Given that the lock was released first, this creates a small
race condition in which two threads may manipulate the shared error
state in the channel struct in parallel.
According to the reporter, applying this patch prevents the reported
error from occuring again.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28642)
For unknown reasons using RW mutexes on RISC-V arch
seems to be broken, at least with glibc.
Fixes #28550
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28634)
Nikola Pajkovsky [Mon, 22 Sep 2025 10:17:16 +0000 (12:17 +0200)]
x509: fix mem leak on error path
The x509_store_add() creates X509_OBJECT wrapping either X509 or
X509_CRL. However, if you set the type to X509_LU_NONE before
X509_OBJECT_free then it skips the free on the wrapped type and just
calls OPENSSL_free on the object itself. Hence, leaking wrapped
object.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28631)
Tomas Mraz [Sat, 20 Sep 2025 14:45:50 +0000 (16:45 +0200)]
tls_common.c: Handle inner content type properly on Big Endian
When passing the inner content type to msg_callback,
the lowest byte of rec->type needs to be passed instead
of directly passing the rec->type otherwise the value is
incorrect on Big Endian platforms.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28627)
Viktor Dukhovni [Mon, 22 Sep 2025 05:02:28 +0000 (15:02 +1000)]
Added test suggested by Shane Lontis
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Viktor Dukhovni [Sat, 20 Sep 2025 04:02:52 +0000 (14:02 +1000)]
Harden property put_str() helper corner case
The put_str() helper of the internal ossl_property_list_to_string()
function failed to correctly check the remaining buffer length in a
corner case in which a property name or string value needs quoting,
and exactly one byte of unused space remained in the output buffer.
The only potentially affected calling code is conditionally compiled
(disabled by default) provider "QUERY" tracing that is executed only
when also requested at runtime. An initial fragment of the property
list encoding would need to use up exactly 511 bytes, leaving just 1
byte for the next string which requires quoting. Bug reported by
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28624)
Richard Levitte [Thu, 18 Sep 2025 05:14:13 +0000 (07:14 +0200)]
Fix OPENSSL_VERSION_NUMBER to always have zero status bits
The documentation suggested that they were always zero, while the
implementation in <openssl/opensslv.h> suggested that it could be
0xf in OpenSSL releases... which (almost) never happened because
of a bug in said implementation.
Therefore, we solidify that the status bits are indeed always zero,
at least in all OpenSSL 3 versions.
Ryan Hooper [Fri, 19 Sep 2025 15:33:09 +0000 (11:33 -0400)]
Fix CI Pipeline by Disabling SSL_TRACE_TEST
Disabling the SSL_TRACE_TEST since it caused an issue on
some cross compiles. A follow-on commit will change
the test.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28621)
this adds another release/acquire link between update_qp and
get_hold_current_qp via the reader_idx because the current
one which is based on the qp users count is only preventing
a race condition, but does not help when the reader acquires
the next qp.
Fixes #27267
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28585)
Viktor Dukhovni [Tue, 16 Sep 2025 12:40:32 +0000 (22:40 +1000)]
Fix ML-KEM key equality check when either unset
Fixes #28563
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28569)
Revert "rsa: expose pairwise consistency test API"
This reverts commit dc5cd6f70a0e "rsa: expose pairwise consistency test API",
that has introduced ossl_rsa_key_pairwise_test() function, as the only user
has been removed in 7f7f75816f26 "import pct: remove import PCTs for most
algorithms".
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28557)
The cipher protocol ID, the return type of SSL_CIPHER_get_protocol_id,
is uint16_t and correctly described in docs to be 2 bytes, however the
function signature on the same page incorrectly pointed to it being
uint32_t, which is 4 bytes.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28523)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28393)
providers/implementations/keymgmt/ecx_kmgmt.c.in: remove PCT on ECX import
While PCT on import has been removed for DH, EC, RSA, and SLH-DSA,
ECX seems to be overlooked. Correct that omission.
Complements: 7f7f75816f26 "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28573)
test/recipes/25-test_verify.t: correct the number of skipped tests on Win/VMS
On 3.5, there is one test fewer to be skipped due to absence of support
of colon in filenames after the commit b3e7dad7ac08 "Fix
test/recipes/25-test_verify.t [3.5]", provide the correct number
in the skip call.
Fixes: b3e7dad7ac08 "Fix test/recipes/25-test_verify.t [3.5]" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28591)
25-test_verify.t: fix partly case-sensitive matching for Windows OS: s/MsWin32/MSWin32/
Fixes #27984
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28098)
Viktor Dukhovni [Sat, 13 Sep 2025 02:52:42 +0000 (12:52 +1000)]
Test failure of rsa_encrypt when buffer too short
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28517)
Viktor Dukhovni [Thu, 11 Sep 2025 08:50:44 +0000 (18:50 +1000)]
Harden RSA public encrypt
Check the that the indicated output buffer length is large enough.
Fix EVP_SealInit() to initialise the output buffer length to the RSA
modulus length, not the input KEK length.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28517)
OSSL_CALLBACK.pod: add missing info on required return values of callback functions
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28474)
Jakub Jelen [Tue, 9 Sep 2025 16:10:30 +0000 (18:10 +0200)]
doc: Add missing commas
CLA: trivial Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28493)
Add one more trace message to the torture_rcu_high test
It is interesting that in the very rare cases, where this
test failure has been observed so far, the rcu torture value
went always backwards to 0. This could be either due to
ossl_rcu_deref(&writer_ptr) returning NULL, or the initial
value of "new = CRYPTO_zalloc(sizeof(uint64_t), NULL, 0)"
still visible despite ossl_rcu_assign_ptr(&writer_ptr, &new)
immediatley after the "*new = global_ctr++" statement.
Add one additional trace message to find out what exactly
happens here, when it happens again.
Additionally, we do no longer initialize the new value to
zero but something else, so it can also be detected.
Related to #27267
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28487)
doc/man3/RAND_load_file.pod: RAND_load_file on non-regular files with bytes=-1
Mention that RAND_load_file attempts to read only RAND_DRBG_STRENGTH
bytes on non-regular files if the number of bytes to be read
is not specified explicitly.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28379)
crypto/rand/randfile.c: avoid signed integer overflow in RAND_load_file
If a file supplied to RAND_load_file is too big (more than INT_MAX bytes),
it is possible to trigger a signer integer overflow during ret calculation.
Avoid it by returning early when we are about to hit it on the next
iteration.
Reported-by: Liu-Ermeng <liuermeng2@huawei.com>
Resolves: https://github.com/openssl/openssl/issues/28375 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28379)
Enji Cooper [Fri, 5 Sep 2025 03:22:00 +0000 (20:22 -0700)]
Make the Unix build process more repeatable
Before this change all manpages would contain the date when pod2man was
run. This resulted in outputs that differed between builds--or
potentially across a single build if the host clock "ticked" to the next
day when the build was being run.
This commit modifies the manpage generation process as follows:
- The date all manpages were generated will be normalized to a single
date.
- The release date specified in `VERSION.dat` is used instead of the
date/time when `pod2man` was executed OR--in the event a date isn't
specified in `VERSION.dat`--the time when the Makefiles were last
regenerated.
Embedding a consistent date into the generated manpages helps ensure that
the build process as a whole is more repeatable and helps ensure that
release versions of OpenSSL create artifacts consistent with the date
that the official release was cut.
Co-authored-by: Richard Levitte <levitte@openssl.org> Signed-off-by: Enji Cooper <yaneurabeya@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28449)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28422)
David Benjamin [Sun, 31 Aug 2025 22:09:52 +0000 (18:09 -0400)]
Add a helper function to delete the extension list
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28398)
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, #13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.
Fixes #28397
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28398)
Viperinius [Sun, 31 Aug 2025 16:09:11 +0000 (16:09 +0000)]
Fix typo in BN_generate_prime docs
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28395)
Norbert Pocs [Wed, 27 Aug 2025 13:45:45 +0000 (15:45 +0200)]
docs: Be case specific with links to man headers
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28356)
The last (and only?) user has been removed in commit eca471391378 "APPS:
Drop interactive mode in the 'openssl' program".
Complements: eca471391378 "APPS: Drop interactive mode in the 'openssl' program" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28441)
There are some code paths where resp is used without a previous check
for being non-NULL (specifically, OCSP_response_create() can return
NULL, and do_responder() can return -1, that would also lead to resp
being NULL). Avoid hitting NULL dereferences by wrapping the code that
uses resp in "if (resp != NULL)".
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665155
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28406)
crypto/x509/t_req.c: avoid exts leaking on error paths
If an error occurred and jump to the "err" label is performed after
exts has been allocated, it can leak. Avoid that by adding
sk_X509_EXTENSION_pop_free() on the error path and setting exts to NULL
after sk_X509_EXTENSION_pop_free() in the normal handling.
Fixes: ae880ae6719e "Fix error handling in X509_REQ_print_ex" Fixes: 87c49f622e7f "Support for parsing of certificate extensions in PKCS#10 requests: these are"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665161
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28406)
test/radix/quic_bindings.c: move locking after child_script_info assignment
Coverity complains that some child_script_info field accesses are guarded
by the mutexes, while others are not; placate it by performing the assignment
before taking the lock.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665151
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28406)
doc/man1/openssl-enc.pod.in: document 'k' handling for -bufsize
Apparently, '-bufsize' option parser can handle the 'k' suffix
(and treat is as the value being provided in the multiples of 1024).
Document that.
Complements: d02b48c63a58 "Import of old SSLeay release: SSLeay 0.8.1b" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28406)
apps/enc.c: avoid signed integer overflow on bufsize assignment
The calculated option value, while being long-typed, is not checked
for fitting into int-sized bufsize. Avoid overflow by throwing error
if it is bigger than INT_MAX and document that behaviour.
Fixes: 7e1b7485706c "Big apps cleanup (option-parsing, etc)"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665149
References: https://github.com/openssl/project/issues/1362 Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28406)
Pauli [Thu, 4 Sep 2025 21:24:19 +0000 (07:24 +1000)]
slh-dsa: omit test of import PCT
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28447)
Pauli [Thu, 4 Sep 2025 21:23:28 +0000 (07:23 +1000)]
import pct: remove import PCTs for most algorithms
This coveres DH, EC, RSA and SLH-DSA.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28447)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28437)
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28409)
X509_VERIFY_PARAM_get0(): add check to defend on out-of-bound table access
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28370)
slontis [Fri, 29 Aug 2025 04:11:59 +0000 (14:11 +1000)]
FIPS: Don't allow SHA512-224 and SHA512-256 for ECDSA/DSA signatures
These algorithms do not have OIDS (Note that RSA does have OIDS),
and are not valid values for FIPS.
Note that this was only possible if the "ECDSA" algorithm is fetched.
Note that "ECDSA-SHA512-256" and "ECDSA-SHA512-224" are not currently
fetchable.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28377)
Pauli [Sun, 31 Aug 2025 07:21:42 +0000 (17:21 +1000)]
slh-dsa: enter FIPS error state if pairwise test fails
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28394)
Pauli [Thu, 14 Aug 2025 04:57:19 +0000 (14:57 +1000)]
slh-dsa: add a PCT for key import when in FIPS mode
Fixes #28182
Co-Authored-By: slontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28276)
Jakub Jelen [Mon, 25 Aug 2025 08:04:41 +0000 (10:04 +0200)]
doc: Fix function name in example code
CLA: trivial Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28334)
Holger Dengler [Wed, 20 Aug 2025 15:55:43 +0000 (17:55 +0200)]
aes-s390x.pl: Initialize reserved and unused memory
The reserved bytes in the parameter block (bytes 0-11) for the KMA
instruction should be set to zero to be compatible in case of future
architecture changes.
While at it, also the following unused parts of the parameter block
(bytes 48-63) are also cleared to avoid false positives with various
memory checkers like valgrind.
As it makes - performance wise - no difference to process 12, 48 or 64
bytes with one XC call, but two XC calls are slower than one call, the
first 64 bytes of the parameter block will be cleared with a single XC
call. This will also initialize the counter in the parameter block
(bytes 12-15), although it is not strictly necessary.
Co-developed-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28315)
doc/man3/SSL_poll.pod: mention SSL_POLL_EVENT_{EL,IC} in SYNOPSIS
While the constants are present since the initial commit 2a5ee0a08d2c "QUIC:
Add polling API", they weren't initially documented in c9b0df2250e2 "QUIC:
Add manpage for SSL_poll" (probably due to absence of the QUIC server
mode support at the time), and mentioned for the first time in b20f55702100
"QUIC: Update SSL_poll documentation", but without the accompanying update
of the SYNOPSIS section. Rescind the omission by updating it as well.
Complements: b20f55702100 "QUIC: Update SSL_poll documentation" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28303)
Nachel72 [Sun, 17 Aug 2025 06:08:38 +0000 (14:08 +0800)]
Fix: Add free to avoid memory leak.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28289)
Nikola Pajkovsky [Fri, 15 Aug 2025 12:02:44 +0000 (14:02 +0200)]
dh: add FIPS 140-3 PCT on key generation
According to FIPS 140-3 IG 10.3.A Additonal Comment 1, a PCT shall be
performed.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28280)
ritoban23 [Wed, 13 Aug 2025 20:19:17 +0000 (01:49 +0530)]
Fix null pointer check in pkey_dh_derive to ensure both keys are set
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28259)
Nachel72 [Wed, 13 Aug 2025 15:15:05 +0000 (23:15 +0800)]
Fix: Check for wrong object. The converted sc should be checked instead of the original s
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28248)
Niels Dossche [Thu, 21 Aug 2025 11:24:01 +0000 (13:24 +0200)]
Fix reallocation failure condition in qtx_resize_txe()
Returning the same pointer does not mean that the reallocation failed,
it would also prevent updating alloc_len down below.
This is similar code and a similar change to 043a41ddee.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28317)
Niels Dossche [Tue, 19 Aug 2025 20:56:38 +0000 (22:56 +0200)]
Make error checks on RSA_public_decrypt() consistent
Some are only checking for a value < 0, some for <= 0, some for == 0, etc.
The documentation tells us that -1 is returned on error, so at least the
== 0 ones are wrong. In general, the return values are checked
inconsistently. This patch makes the return value checks consistent to
the form that seems to occur most.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28306)
Matt Caswell [Thu, 7 Aug 2025 16:50:17 +0000 (17:50 +0100)]
Don't keep the store open in by_store_ctrl_ex
Previously #27529 made a change to `by_store_ctrl_ex` in order to open
the OSSL_STORE early. The reason given in that PR is:
"This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and
get to see possible errors when the URI is loaded"
That PR then kept the store open until cache_objects is called and then
reused it. Unfortunately by the time cache_objects() is called we could be
in a multi-threaded scenario where the X509_STORE is being shared by
multiple threads. We then get a race condition where multiple threads are
all using (and ultimately closing) the same `OSSL_STORE_CTX`.
The purpose of keeping the `OSSL_STORE` object between by_store_ctrl_ex()
and `cache_objects` is presumably an optimisation to avoid having to open
the store twice. But this does not work because of the above issue.
We just take the hit and open it again.
Fixes #28171
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28198)
fips: upgrade self-test KATs to reduce SHA-1/SHA-224 usage
FIPS 140-3 IG states that SHA-224 needs standalone KAT, if it is
implemented without SHA-256. As OpenSSL implements SHA-256, upgrade
existing higher level KAT from SHA-224 to SHA-256 without adding
SHA-224 digest KAT.
Upgrade KATs that use SHA-1 to SHA-256, and add explicit SHA-1 KAT.
SHA-1 and SHA-224 are promised to be deprecated by 2030, as per draft
[NIST SP 800-131A Rev. 3](https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd).
With upgrades to these KATs it makes it easier to build a modules with
SHA-1 and SHA-224 marked as unapproved services, or removed
altogether.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28307)
Matt Caswell [Fri, 15 Aug 2025 16:12:11 +0000 (17:12 +0100)]
Test setting a client to send a key share not allowed in TLSv1.3
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)
Matt Caswell [Fri, 15 Aug 2025 15:43:49 +0000 (16:43 +0100)]
Fail immediately if we have no key shares to send
If we are configured in such a way that we have no valid key shares to
send in the ClientHello we should immediately abort the connection.
Fixes #28281
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)
BIO_dgram: Fix BIO_CTRL_DGRAM_QUERY_MTU for IPv4-mapped IPv6 addresses
Ensure the correct IP header size is subtracted by reusing
dgram_get_mtu_overhead(), which handles address families properly.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28088)
Neil Horman [Wed, 13 Aug 2025 14:12:38 +0000 (10:12 -0400)]
Add CRYPTO_FREE_REF to ossl_quic_free_token_store
ossl_quic_free_token_store doesn't call CRYPTO_FREE_REF on the
hdl->reference object, which could lead to memory leaks on platforms
that don't support atomics (where the call to CRYPTO_NEW_REF allocates a
mutex as part of its function. It wasn't caught before because all the
platforms we do ci on support threads.
Fixes #28241
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28247)
Bernd Edlinger [Sun, 10 Aug 2025 16:50:37 +0000 (18:50 +0200)]
Add test coverage for PKCS7_TEXT mode
This was inspired by the following commit 9882d389df71 ("crypto/pkcs7/pk7_smime.c: Add BIO_free() to avoid memory leak")
which discovered a bug in PKCS7_verify(..., PKCS7_TEXT).
While there is some test coverage for PKCS_verify by
./test/pkcs7_test.c, there is no test coverage whatsoever
of the PKCS7_TEXT flag for PKCS7_sign, PKCS7_encrypt and
PKCS7_decrypt.
So this adds some test coverage for those functions as well.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28223)
Bernd Edlinger [Sat, 21 Jun 2025 10:53:56 +0000 (12:53 +0200)]
DH private key size was one bit too large
In the case when no q parameter was given,
the function generate_key in dh_key.c did create
one bit too much, so the priv_key value was exceeding
the DH group size q = (p-1)/2.
When the length is used in this case the limit is also
one bit too high, but for backward compatibility this
limit was left as is, instead we have to silently reduce
the value by one.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27870)
Remove OSSL_CRYPTO_ALLOC attribute from CRYPTO_*dup routines
The __attribute__((malloc)) is for functions that return new memory,
and "the memory [returned by the function] has undefined content", which
is a property that doesn't hold for the *dup functions (the same reason
it doesn't apply to realloc).
Fixes: e1035957eba1 "OSSL_CRYPTO_ALLOC attribute introduction proposal." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28220)
Andrew Dinh [Mon, 11 Aug 2025 10:07:15 +0000 (17:07 +0700)]
Add NULL check
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28221)
projects / thirdparty / openssl.git / log
