Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.
Fixes #29039
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
doc: Add HISTORY entry for message signing functions in provider-signature(7)
The OSSL_FUNC_signature_{sign,verify}_message_* functions were added
in OpenSSL 3.4 but weren't documented in the HISTORY section of
provider-signature(7), while the corresponding EVP_PKEY_sign_message_*
functions are properly documented in EVP_PKEY_sign(3).
This adds the missing HISTORY entry to document when these provider
functions were introduced.
Fixes #29088
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29130)
Lars Erik Wik [Wed, 8 Oct 2025 15:06:39 +0000 (17:06 +0200)]
bio_ok.c: Fixed undefined identifier 'SIZE_MAX'
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
Leon Timmermans [Mon, 11 Aug 2025 20:25:59 +0000 (22:25 +0200)]
Allow get_params to return length of the AES-GCM tag parameter
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
tag parameter when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Leon Timmermans [Mon, 11 Aug 2025 20:08:39 +0000 (22:08 +0200)]
Allow get_params to return length of AES-GCM IV parameters
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
IV parameters when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Anton Moryakov [Tue, 4 Nov 2025 22:18:47 +0000 (01:18 +0300)]
Prevent NULL deref in BN_is_zero when cofactor is missing
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
KubaBoi [Tue, 28 Oct 2025 17:22:57 +0000 (18:22 +0100)]
asn1_gen: add ASN1_object_size() return check and fix else braces
Fixes: #6570
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
Joshua Rogers [Sat, 11 Oct 2025 22:34:40 +0000 (06:34 +0800)]
apps/s_socket: fix FD and addrinfo leak on SCTP failure in init_client
If BIO_new_dgram_sctp(*sock, BIO_NOCLOSE) fails we returned 0 directly,
skipping the out: cleanup and leaking the just created socket plus the
addrinfo lists.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28917)
Joshua Rogers [Sat, 11 Oct 2025 21:43:38 +0000 (05:43 +0800)]
crypto/bio/bss_acpt: set b->init only on successful BIO_parse_hostserv
BIO_C_SET_ACCEPT with num == 0 unconditionally set b->init = 1 even if
BIO_parse_hostserv failed. Only mark the BIO initialized when parsing
succeeds to avoid inconsistent state.
This change includes bss_sock.c to deal with introduction of EPROTO use.
Reroll of rsa_ossl.c changes made at 3.5 downward.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Update bioprinttest.c to handle missing PTRxPRT definitions from inttypes.h.
Fixes: #29023 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29090)
Angel Baez [Wed, 12 Nov 2025 12:46:28 +0000 (07:46 -0500)]
TLS 1.3 session resumption convert nonce_label to ASCII hex
Fixes #27815
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29127)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29129)
doc/man3/X509_STORE_get0_param.pod: mention how to free the returned objects
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed, explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
Clarify processing of CRYPTO frame in SSL_set_quic_tls_cbs(3ossl)
We should remind 3rd-party QUIC stack implementors their QUIC stack
must ensure to provide all CRYPTO frames to OpeNSSL/TLS for processing.
The CRYPTO frames keeping coming even after confirmation of TLS
hanndshake.
Fixes #28963
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29070)
Lidong Yan [Fri, 31 Oct 2025 06:40:06 +0000 (14:40 +0800)]
slh_dsa: fix leak in early return of slh_sign_internal()
In slh_sign_internal(), if calling PACKET_buf_init() failed, this
function return without free wpkt. Replace `return 0` with `goto err`
to free wpkt before return.
CLA: trivial Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29041)
Matteo [Mon, 27 Oct 2025 17:08:14 +0000 (18:08 +0100)]
Correction of grammar error in doc/man1/openssl-req.pod.in
I changed the word "most" with the correct word "must" at the line 406.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29009)
Ryan Hooper [Tue, 30 Sep 2025 16:56:33 +0000 (12:56 -0400)]
Properly error out when AEAD Algorithms are used with Encrypted Data
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used with
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Bernd Edlinger [Mon, 6 Oct 2025 06:37:20 +0000 (08:37 +0200)]
Improve the CPUINFO display for RISC-V
Prefix the base architecture to the displayed RISC-V
architecture string, so the displayed OPENSSL_riscvcap
environment value can be used as is, since otherwise
the OPENSSL_cpuid_setup would ignore the first extension,
as it is expected to be the base architecture, usually
"RV64GC" or similar.
See the comment at parse_env in crypto/riscvcap.c
Furthermore also print the VLEN value, if the V-extension
is given, since that makes a significant difference
which assembler modules are activated by the V-extension.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28760)
Matt Caswell [Tue, 28 Oct 2025 15:27:42 +0000 (15:27 +0000)]
Add a test for mismatch between the pkey and sigalg
We add a test for sending an mldsa65 sigalg while using an mldsa44 key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Matt Caswell [Tue, 28 Oct 2025 14:53:11 +0000 (14:53 +0000)]
Use the actual NID for provided signature algorithms
Prior to this change we could confuse the nid used in the pkey with the
nid in the sigalg and mistakenly accept signatures by the wrong algorithm.
Fixes #28762
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29050)
Igor Ustinov [Sun, 2 Nov 2025 16:37:00 +0000 (17:37 +0100)]
Modernize header macros for C23 compatibility
Replace old-style (int (*)()) and (char *(*)()) casts with proper typed
prototypes (i2d_of_void *, d2i_of_void *, void *(*)(void)) to comply
with stricter C23 function pointer rules.
Fixes #27938
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29048)
Richard Levitte [Wed, 29 Oct 2025 09:12:33 +0000 (10:12 +0100)]
Rename SSL_CERT_LOOKUP.nid to pkey_nid
Hopefully, this will help further clarify the intent of this
SSL_CERT_LOOKUP field to future developer.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Richard Levitte [Wed, 29 Oct 2025 09:03:51 +0000 (10:03 +0100)]
Fix NID bug in SSL_CERT_LOOKUP array construction
The SSL_CERT_LOOKUP NID should be for the public key algorithm (what is
often called the "key type". Yet, when populating the SSL_CERT_LOOKUP
table with 'ssl_load_sigalgs', only the sigalg name is used to find a
NID.
This is perfectly OK to do, *if* the sigalg and the associated key type
share the same name. However, that's not always the case.
This change infers the key type name in 'ssl_load_sigalgs' the same way
as it was already done in 'add_provider_sigalgs'.
Related-to: https://github.com/openssl/openssl/pull/29019#discussion_r2472219647 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Some files in @except_env_files are located in the build directory,
not the source directory.
Furthermore, because the files and directories in @except_dirs and
@except_env_files may look different than the elements in what find()
returns, realpath() must be used to ensure that file name comparison
matches when it should.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28601)
Dmitry Misharov [Mon, 27 Oct 2025 15:21:58 +0000 (16:21 +0100)]
Move CI jobs with macos large runners
Running CI jobs on MacOS large runner on each pull request
is problematic for forks. These runners are not free and require
billing to setup. Therefore it makes more sense move macos-14-large
and macos-15-large into os-zoo.yml which is scheduled to run nightly.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29007)
Gleb Popov [Fri, 10 Oct 2025 13:31:47 +0000 (16:31 +0300)]
rc4: Remove the pointless if() operator, its condition is always true
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28827)
Joshua Rogers [Mon, 13 Oct 2025 23:59:04 +0000 (07:59 +0800)]
apps/s_time: reset reused SSL with SSL_clear in doConnection
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28911)
Joshua Rogers [Sun, 12 Oct 2025 13:39:42 +0000 (21:39 +0800)]
comp/zstd: make bio_zstd_read return -1 on hard errors
Split NULL out param from zero outl. Return -1 on malloc failure and
NULL parameter. Keep 0 only for outl <= 0 and clean EOF. This lets
callers distinguish errors from empty reads without inspecting the
error queue.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28908)
If the call to ASN1_item_ex_d2i() from x509_pubkey_ex_d2i_ex() fails
*pval is freed by asn1_item_ex_d2i_intern()->ASN1_item_ex_free()->ossl_asn1_item_embed_free()
inside the ASN1_item_ex_d2i() function without freeing the
string buffer X509_PUBKEY::propq that was previously allocated
in x509_pubkey_ex_new_ex() and we lose the pointer to this buffer.
The function we are fixing here is one of the functions used
to define X509_PUBKEY - so any operations that work directly
on X509_PUBKEY_INTERNAL should be prevented from freeing
the structure because they don't know how to handle it.
Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27333)
Neil Horman [Wed, 8 Oct 2025 12:20:36 +0000 (08:20 -0400)]
Copy impls stack when calling ossl_method_store_do_all
PR https://github.com/openssl/openssl/pull/24782 introduced a copying of
the algs stack in ossl_method_store_do all, so that the subsequent
iteration of elements through alg_do_one could be done without a lock,
and without triggering a tsan error as reported in:
https://github.com/openssl/openssl/issues/24672
However, the problem wasn't completely fixed. Issue:
https://github.com/openssl/openssl/issues/27726
Noted that, sometimes we still get a crash when iterating over each algs
impls stack. This occurs because, even though we've cloned the algs to
a private data area, the impls stack for each alg still points to shared
data, which we are accessing without the benefit of a lock. Because of
that, if some other thread calls a function that mutates the impl stack
(say ossl_method_store_remove()), we may encounter a NULL or garbage
value in one of the impl stack values, leading to an unexpected NULL
pointer or simmilar, which in turn leads to a crash.
Unfortunately we can't use a lock to create exclusive access here, as
there are several paths that lead to a recursive mutation of the stack,
which would deadlock.
So the only way that I see to prevent this (which is admittedly ugly),
is to not only clone the alg stack, but to duplicate each algs impl
stack with the read lock held, prior to doing the iteration.
Further, we've been unable to test this, as the problem is rare, and we
don't have a solid reproducer for the issue, but visual inspection
suggests this should fix that. Hopefully:
Fixes #27726
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28783)
Nikola Pajkovsky [Wed, 15 Oct 2025 10:48:06 +0000 (12:48 +0200)]
clang deprecates sprintf on macos
test/threadstest.c:1376:9: error: 'sprintf' is deprecated.
The same issues is in the ossl-nghttp3-demo.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28903)
Joshua Rogers [Fri, 10 Oct 2025 22:57:01 +0000 (06:57 +0800)]
CMP client: fix three memory leaks in error handling of the polling mechanism added in 3.3
These are in poll_for_response(), OSSL_CMP_try_certreq(), and OSSL_CMP_exec_certreq().
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28840)
Fixes for NonStop builds on 3.5 to handle OS platform header file changes.
This changes handles the introduction of _POSIX_VERSION into the NonStop x86
header files that tricks OpenSSL into thinking that ucontext.h is available.
Fixes #28498
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28769)
Joshua Rogers [Sat, 11 Oct 2025 06:11:07 +0000 (14:11 +0800)]
freebsd ktls: avoid unaligned 16 bit length store in ktls_read_record
This prevents SIGBUS on strict alignment architectures when p+3 is not aligned
for 16 bit access. Behavior is unchanged on x86 and matches the Linux path.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28860)
It was referenced, but the relevant link hasn't been added to the Links
session. Fix that omission.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28732)
Joshua Rogers [Fri, 10 Oct 2025 11:55:31 +0000 (19:55 +0800)]
Fix off-by-one overflow in the AST resubmit
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28811)
Joshua Rogers [Wed, 8 Oct 2025 07:31:18 +0000 (15:31 +0800)]
Disallow Message sequence number 2 in DTLSv1_listen
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28788)
Joshua Rogers [Wed, 8 Oct 2025 22:14:15 +0000 (06:14 +0800)]
ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers
When no cipher names are appended, p remains at buf and the unconditional
p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written;
otherwise return an empty string safely.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28785)
Igor Ustinov [Tue, 14 Oct 2025 18:30:49 +0000 (20:30 +0200)]
Correct assembler version checking in perlasm scripts
Fixes #20520
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28901)
Update size check condition for probable primes to align with FIPS 186-5.
Fixes #28540
In FIPS 186-4 (Table B.1), the upper bounds for probable primes p and q were
defined using strict inequalities. In FIPS 186-5, Table A.1 replaces the
previous Table B.1 (dropping the nlen=1024 case) and revises the upper bound
condition to use weak inequalities.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28540)
Joshua Rogers [Sat, 11 Oct 2025 11:53:07 +0000 (19:53 +0800)]
ssl: call SSLfatal on realloc failures in extract_keyshares
Initial malloc path already does this. Realloc path went to failure
without recording a fatal alert.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28873)
Theo Buehler [Wed, 1 Oct 2025 22:56:41 +0000 (00:56 +0200)]
Fix an error check for EVP_PBE_CipherInit_ex()
As pointed out during the review for the recent security issue in this
file, this error check is incorrect: as documented, this function has
the usual Boolean return values.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28727)
Ulrich Weber [Thu, 26 Jun 2025 14:16:06 +0000 (16:16 +0200)]
ktls: move ktls_enable() within ktls_start()
On linux ktls can only be enabled on established TCP sockets.
When SSL_set_fd() is called before the connection is established
ktls_enable() fails and ktls is not setup.
This moves ktls_enable() call within then ktls_start() function.
Multiple calls to ktls_start() will trigger additional ktls_enable()
calls which fail with EEXIST, but do not affect the ktls socket.
CLA: trivial
Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27908)
sashan [Mon, 6 Oct 2025 19:58:08 +0000 (21:58 +0200)]
- remove CYGWWIN (requested by Brandt)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28759)
sashan [Mon, 6 Oct 2025 13:27:18 +0000 (15:27 +0200)]
- fix suggested by Bernd
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28759)
OPENSSL_SYS_WINDOWS is also enabled for mingw build
the test_n() in bioprinttest.c must differentiate between
MSVC runtime libc and ming runtime libc. The function
_set_printf_count_output() must be called when openssl
is linked with MSVC libc only.
Fixes #28679
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28759)
Norbert Pocs [Sun, 5 Oct 2025 07:39:22 +0000 (09:39 +0200)]
Check return code of BIO_ADDR_rawaddress
Fixes coverity issue: https://scan5.scan.coverity.com/#/project-view/64471/10222?selectedIssue=1666584
Thank you for the report!
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28751)
It looks pretty straightforward (I think). The fuzzer input buffer is
used in this particular case to randomly issue commands to the lcidm
hash table (add/delete/query/flush/etc).
The loop for the command processing (based on the input buffer), is
limited to 10k commands. However the fuzzer will on occasion provide
very large buffers (500k) which easily saturate that limit. If the
input buffer happens to do something like get biased toward mostly
additions, we wind up with a huge hashtable that has to constantly grow
and rehash, which we've seen leads to timeouts in the past.
Most direct fix I think here, given that this is something of an
artificial failure in the fuzzer, is to simply clamp the command limit
more.
Fixes openssl/project#1664
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28724)
Ondrej Moris [Wed, 1 Oct 2025 05:03:27 +0000 (07:03 +0200)]
tests: temporarily skip MLDSA pkcs11-provider test
External pkcs11-provider test requires at least kryoptic 1.2 for
MLDSA tests. But the current fedora:latest (42) still contains
kryoptic 1.1 and hence we need to temporarily disable MLDSA tests
until Fedora 43 is released.
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28716)
Signed-off-by: Ondrej Moris <omoris@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28716)
The linux-riscv64 test machine crashes due to unaligned data,
when the V extension is enabled, while QEMU seems to have no
problems with unaligned data.
So check for aligned data and fall back to C code in case the
input or output values are unaligned.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28684)
and also fix the unintentional omission of the ZBA extension,
since the first word in the OPENSSL_riscvcap environment variable
is ignored, because it is assumed to be the processor base
architecture, e.g. something like RV64GC.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28684)
Ryan Hooper [Thu, 25 Sep 2025 16:42:24 +0000 (12:42 -0400)]
Fix Memory leak in CMS_EncryptedData_set1_key
When CMS_EncryptedData_set1_key is called repeatedly it will
leak data on the second call. This was because
cms->d.encryptedData was already set and needed to be cleared
before the call to M_ASN1_new_of.
Fixes: #28606 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28668)
projects / thirdparty / openssl.git / log
