git.ipfire.org Git - thirdparty/openssl.git/log

sftcd [Mon, 5 May 2025 13:23:55 +0000 (14:23 +0100)] 
Add server-side handling of Encrypted Client Hello

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27561)

Matt Caswell [Thu, 5 Jun 2025 14:29:01 +0000 (15:29 +0100)] 
Add a test for the new PACKET_msg_start() function

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)

Matt Caswell [Thu, 5 Jun 2025 13:41:55 +0000 (14:41 +0100)] 
Introduce the PACKET_msg_start() function

This gives us the start of the buffer in use for the PACKET.

We then use this information when calculating the TLS PSK binder.
Previously we were assuming knowledge about where the buffer starts.
However, with ECH, we may be using a different buffer to normal so it is
better to ask the PACKET where the start of the buffer is.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)

sftcd [Fri, 2 May 2025 11:58:30 +0000 (12:58 +0100)] 
ECH client support for sending multiple key shares

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27540)

sftcd [Sat, 28 Dec 2024 02:49:12 +0000 (02:49 +0000)] 
ECH client side transcript refactor

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26011)

sftcd [Wed, 20 Nov 2024 14:10:30 +0000 (14:10 +0000)] 
ECH client side

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26011)

sftcd [Thu, 10 Oct 2024 16:46:11 +0000 (17:46 +0100)] 
ECH external APIs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25663)

sftcd [Tue, 10 Sep 2024 23:28:32 +0000 (00:28 +0100)] 
ECH CLI implementation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25420)

Stephen Farrell [Thu, 15 Aug 2024 00:27:24 +0000 (01:27 +0100)] 
ECH build artefacts and a bit of code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25193)

Stephen Farrell [Tue, 6 Aug 2024 22:16:58 +0000 (23:16 +0100)] 
Documents initial agreed APIs for Encrypted Client Hello (ECH)
and includes a minimal demo for some of those APIs.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)

Stephen Farrell [Wed, 26 Jun 2024 11:55:17 +0000 (12:55 +0100)] 
add ech-api.md

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)

Frederik Wedel-Heinen [Sun, 15 Feb 2026 14:34:59 +0000 (15:34 +0100)] 
Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex().

Fixes #21371

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:36:52 2026
(Merged from https://github.com/openssl/openssl/pull/30020)

Neil Horman [Wed, 18 Feb 2026 20:51:20 +0000 (15:51 -0500)] 
Constify X509_to_X509_REQ and X509_REQ_to_X509

Modify both functions to accept and return a const X509, respectively.

Again, neither of these functions appears documented, so omitting the
HISTORY updates here, though we should look into why they are missing
docs.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 20 16:27:15 2026
(Merged from https://github.com/openssl/openssl/pull/30072)

Daniel Kubec [Mon, 16 Feb 2026 12:09:41 +0000 (13:09 +0100)] 
CRL: reject malformed CRL Number and CRL Delta Indicator

Previously, a malformed ASN.1 INTEGER in the CRL Number or Delta CRL Indicator
extension would cause a parse error but the CRL would not be explicitly
rejected. Existing code discards the error and continues, accepting a CRL it
cannot fully parse, unlike other libraries and implementations that reject the
CRL outright.

Malformed encoding suggests a corrupt or tampered CRL; data that cannot be
parsed cannot be trusted. Reject the CRL outright if either extension cannot be
decoded, regardless of whether the extension is marked critical. This prevents
silent soft-fail behavior where revoked certificates could pass validation
unchecked.

Fixes #27374

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:24:44 2026
(Merged from https://github.com/openssl/openssl/pull/30024)

Milan Broz [Thu, 19 Feb 2026 13:04:39 +0000 (14:04 +0100)] 
Constify X509_issuer_and_serial_hash

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Feb 20 16:22:12 2026
(Merged from https://github.com/openssl/openssl/pull/30084)

Neil Horman [Tue, 17 Feb 2026 20:47:12 +0000 (15:47 -0500)]
Constify X509_add_cert and X509_self_signed

As part of the effort to not allow mutable X509 objects where they
aren't needed, constify the cert parameter for these two functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Feb 20 13:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30054)

Milan Broz [Thu, 19 Feb 2026 09:47:33 +0000 (10:47 +0100)] 
Constify X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set

These functions are exported, but undocumented.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 13:06:58 2026
(Merged from https://github.com/openssl/openssl/pull/30080)

Neil Horman [Wed, 18 Feb 2026 20:34:31 +0000 (15:34 -0500)] 
constify X509_check_trust, X509_TRUST_add

Turn the X509 parameters to X509_check_trust and X509_TRUST_add into
consts.

Interesting side notes: X509_TRUST_add and some others that were
modified as a result of this pr, are listed as public functions, but
have no documentation for them, and make doc-nits doesn't complain about
it.  Unsure as to why, but we should probably look at that eventually

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 20 13:04:04 2026
(Merged from https://github.com/openssl/openssl/pull/30071)

Dimitri John Ledkov [Wed, 14 Jan 2026 21:12:25 +0000 (21:12 +0000)] 
Revert "fips-jitter: Force use jitter entropy in the FIPS 3.0.9 provider callback"

This reverts commit aa5f1b4cf562d7f0b65ae7ef93179ebc1102fbeb.

Whilst this is still useful with pre-3.2 providers, it is actually unlikely to be deployed. And there are now openssl fips providers getting validated with statically linked jitterentropy source already.

See background info at:
- https://github.com/openssl/openssl/pull/25930

Fixes: https://github.com/openssl/openssl/issues/26903
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Fri Feb 20 11:15:25 2026
(Merged from https://github.com/openssl/openssl/pull/29641)

Milan Broz [Mon, 16 Feb 2026 20:30:28 +0000 (21:30 +0100)] 
Add CHANGES.md entry for SM-based cipher suites.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:25 2026
(Merged from https://github.com/openssl/openssl/pull/30028)

Milan Broz [Mon, 16 Feb 2026 15:04:28 +0000 (16:04 +0100)] 
Add tests for TLS1.3 TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:20 2026
(Merged from https://github.com/openssl/openssl/pull/30028)

Milan Broz [Sun, 15 Feb 2026 17:29:57 +0000 (18:29 +0100)] 
Add TLS1.3 ciphersuites from RFC8998

This adds TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
as defined in RFC 8998.

Fixes openssl/project#1871

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:15 2026
(Merged from https://github.com/openssl/openssl/pull/30028)

Neil Horman [Tue, 17 Feb 2026 20:14:47 +0000 (15:14 -0500)] 
Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN

As part of our effort to not allow mutable x509 objects where they
aren't needed, constify the parameters to these two functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Feb 19 13:08:11 2026
(Merged from https://github.com/openssl/openssl/pull/30053)

Josh Auler [Tue, 17 Feb 2026 15:52:46 +0000 (10:52 -0500)] 
Added NULL Pointer check to the print_keyspec function

The function print_keyspec in apps/cmp.c previously dereferenced the 'alg' pointer
without checking if it was NULL:

    if (paramtype == V_ASN1_UNDEF || alg->parameter == NULL) {

In certain situations, the 'alg' pointer could be NULL, which may result in a null
pointer dereference.

This commit adds an explicit null check for 'alg' before dereferencing 'alg->parameter'
to ensure safe handling:

    if (alg == NULL) {
        BIO_puts(mem, "Key algorithm: <absent>\n");
        break;
    }

This prevents potential crashes when print_keyspec is called with a NULL algorithm
pointer, improving the robustness of the CMP application.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Feb 19 12:56:01 2026
(Merged from https://github.com/openssl/openssl/pull/30046)

Norbert Pocs [Wed, 18 Feb 2026 08:59:04 +0000 (09:59 +0100)] 
Fix coverity issue 1681421

Check the return value of ASN1_parse_dump

Fixes: 6b167313f422 "Attribute certificate printing functions"
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Feb 19 12:21:38 2026
(Merged from https://github.com/openssl/openssl/pull/30065)

Michael Baentsch [Wed, 23 Jul 2025 08:37:41 +0000 (10:37 +0200)] 
SSL_CONF_cmd.pod: Add PQC algs to recommended TLS 1.3 groups

Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org>
Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:14:06 2026
(Merged from https://github.com/openssl/openssl/pull/28076)

Bob Beck [Mon, 16 Feb 2026 22:42:14 +0000 (15:42 -0700)] 
Remove the "msie-hack" option from openssl ca

This has been documented as a deprecated option for
a long time, as we are not even certain this does what
was originally intended anymore, as it has no tests and
its time of usefulness has long since passed.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:09:33 2026
(Merged from https://github.com/openssl/openssl/pull/30033)

Neil Horman [Wed, 18 Feb 2026 19:35:22 +0000 (14:35 -0500)] 
Fix unit tests when run under fuzz builds

PR https://github.com/openssl/openssl/pull/30045

Fixed an oss-fuzz failure that occurred because we feed random data into
the pkcs12 kdf, which sometimes results in a huge iteration count, that
leads to timeouts in oss-fuzz.

The fix was to simply limit the number of iterations that we go through
during derivation.  This breaks the kdf of course, but it doesn't really
matter during fuzzing, because we don't expect random input data to
produce reasonable results, so no harm, no foul.

except.

We also, in our CI, build our fuzzer tests and run them through our
regular CI unit tests, during which we both provide valid data, and
expect valid results, and pr 30045 breaks that expectation.

The conventional wisdom is to simply skip unit tests that break under
these sorts of conditions (we do this for things like
70-test_quic_record.t already).

however, the tests that broke here are 25_test_x509, 30_test_evp,
80_test_pkcs12, and 90_test_store_cases.  It seems like we would want to
keep testing those unless we absolutely have to skip them.

So instead, let's indicate that we are running the unit tests with an
environment variable, and check that variable when we have an
UNSAFE_FOR_PRODUCTION build, skipping the iteration clamp in pkcs12kdf if
it is.  This allows us to continue running these unit tests, while still
getting the oss-fuzz runs to pass.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Feb 19 08:49:56 2026
(Merged from https://github.com/openssl/openssl/pull/30070)

Simo Sorce [Tue, 17 Feb 2026 08:09:44 +0000 (03:09 -0500)] 
Annotate benign race in FIPS deferred self test

Move TSAN definitions to threads_common.h to make them available
globally and introduce the ANNOTATE_BENIGN_RACE macro.

Apply this annotation to the state check in ossl_deferred_self_test()
to suppress a benign race warning from ThreadSanitizer, as the race
is intentional and accepted to avoid cpu contention.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)

Simo Sorce [Mon, 16 Feb 2026 17:37:36 +0000 (12:37 -0500)] 
Relax unnecessary atomic reads in FIPS provider

Replace calls to ossl_get_self_test_state() with direct access to
st_all_tests[].state in the FIPS self-test code.

Atomic reads are unnecessary in functions like FIPS_kat_deferred()
and SELF_TEST_kats_execute() because they are executed with the
relevant lock already held.

For ossl_deferred_self_test(), removing the atomic read avoids
contention. The common case is that tests are already passed. If a
race occurs, the function safely falls back to the locked path in
FIPS_kat_deferred() which re-verifies the state.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)

Simo Sorce [Sat, 14 Feb 2026 03:38:26 +0000 (22:38 -0500)] 
Make FIPS self test state access atomic

Direct access to the FIPS self-test state array caused race conditions in
multi-threaded environments when checking or updating test status.

Introduce atomic accessor functions `ossl_get_self_test_state` and
`ossl_set_self_test_state`, backed by a global lock, to ensure thread-safe
state transitions. Replace all direct structure accesses with these new
functions.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)

Simo Sorce [Fri, 13 Feb 2026 19:09:06 +0000 (14:09 -0500)] 
Fix race in FIPS on-demand self test

The on-demand self-tests could race with deferred tests executing
concurrently in another thread.

Pass the FIPS global state to SELF_TEST_post() to allow locking
around the critical section where module integrity is checked and
test states are modified. This ensures thread safety when resetting
and executing tests.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)

Gleb Smirnoff [Fri, 23 Jan 2026 18:44:23 +0000 (10:44 -0800)] 
SSL_sendfile: make it more like bio/bss_sock.c:sock_write()

First, use BIO_sock_should_retry().

Second, clear BIO retry flags.  Otherwise after an SSL_sendfile that
failed, no matter how many succeeded after, the flags would still be up.

Fixes: #29742
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:24 2026
(Merged from https://github.com/openssl/openssl/pull/29744)

Gleb Smirnoff [Tue, 17 Feb 2026 19:21:31 +0000 (11:21 -0800)] 
sockets: list EBUSY as a retryable socket error code.

This is a documented error code for sendfile(2) in FreeBSD.  Being on a
conservative side embrace into ifdef for now.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:21 2026
(Merged from https://github.com/openssl/openssl/pull/29744)

Gleb Smirnoff [Fri, 23 Jan 2026 18:42:42 +0000 (10:42 -0800)] 
SSL_sendfile: let ktls_sendfile() pass more data up to SSL_sendfile()

Before this change ktls_sendfile() is basically 1:1 wrapper around Linux
sendfile(2).  FreeBSD sendfile(2) API is richer than Linux, and reducing
it down to Linux API loses meaningful data.  Instead, make ktls_sendfile()
more like FreeBSD sendfile(2) and adopt Linux version to that.

With this change we will be raising BIO_should_retry() flag after a short
write due to lack of buffer space in a non-blocking socket on FreeBSD.
That will allow an application to tell a short write due to lack of buffer
space from a short write due to end of file.  Before this change, the only
way to tell between these two kinds of short writes was to immediately
retry the operation.

This change allows to cut nearly in half the number of sendfile(2)
syscalls when sending a large file over a non-blocking socket on FreeBSD.

Fixes: #29742
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:18 2026
(Merged from https://github.com/openssl/openssl/pull/29744)

Daniel Kubec [Tue, 10 Feb 2026 12:36:03 +0000 (13:36 +0100)] 
X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set

- Raise X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER when AKID is not present.
- Raise X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER when AKID has no attributes.
- Raise X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED when authorityCertIssuer
  and authorityCertSerialNumber fields are not paired.

RFC 5280 section 4.2.1.1: The authorityCertIssuer and authorityCertSerialNumber
fields are paired and MUST either both be present or both be absent.

- Issuer without serial is ambiguous, and serial without issuer is meaningless,
  leading to unresolvable and misleading issuer identification.

Fixes #27114
Fixes #27360
Fixes #20027

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 18:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/29971)

Neil Horman [Tue, 17 Feb 2026 15:01:12 +0000 (10:01 -0500)] 
limit number of iterations for fuzzer in pkcs12kdf

OSS-FUZZ tripped over a timeout:
https://issues.oss-fuzz.com/issues/477959320

It occurs because the pkcs12 data the fuzzer feeds into the mac
verification routine requests a large number of iterations (I think gdb
read it as 15346721 or some such), which causes very long processing
times while verifying the mac.  This is something of an artificial
problem unique to the fuzzer, as the fuzzer contains a 60 second timeout
on any single test iteration.

Fix it by limiting the iteration count to 100 only when running the
fuzzer tests.

Fixes openssl/srt#89

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:07:05 2026
(Merged from https://github.com/openssl/openssl/pull/30045)

Igor Ustinov [Wed, 28 Jan 2026 22:41:57 +0000 (23:41 +0100)] 
Bugfix of bn_sqr_mont procedure on SPARC sun4v

The fix for sparcv9-mont.pl came from Andy Polyakov (@dot-asm)

Fixes #15587

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/29948)

Nikola Pajkovsky [Tue, 17 Feb 2026 10:03:52 +0000 (11:03 +0100)] 
srtpkdf: check libctx null before use

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Feb 18 16:34:05 2026
(Merged from https://github.com/openssl/openssl/pull/30040)

Nikola Pajkovsky [Tue, 17 Feb 2026 10:00:36 +0000 (11:00 +0100)] 
srtpkdf: cipher is written twice with the same value

Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1681392
Fixes: 5b310281af9a ("SRTP: Fixup settable input limits and test them.")
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Feb 18 16:34:01 2026
(Merged from https://github.com/openssl/openssl/pull/30040)

Neil Horman [Mon, 16 Feb 2026 23:04:37 +0000 (18:04 -0500)] 
Use the appropriate libctx when executing CMS_SignerInfo_verify

@beldmit found some odd fips behavior when running cms tests after
attempting to remove the EVP_get_digestbyname call from the find routine
in cms when doing certificate signer validation.

It was occurring because the cms app, being an applet in openssl uses the
app libctx to load all the provided configuration, which implies the
fips and base providers are loaded to that ctx.  However, in the find
routine (part of cms), it only ever fetches algorithms from the default
libctx, leading to failed lookups, and consequently, CMS errors.

Fix it by using the appropriate libctx, which in this case can be
fetched from the SignerInfo data, which initializes its libctx member to
the app libctx in all cases.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Wed Feb 18 16:28:44 2026
(Merged from https://github.com/openssl/openssl/pull/30034)

Milan Broz [Tue, 17 Feb 2026 12:18:10 +0000 (13:18 +0100)] 
Use defined TLS cipher suite names in SSL trace

This should use #define strings instead of duplication.
Not everything is defined, though.

Fixes openssl/project#1875

Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com>
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 18 16:01:18 2026
(Merged from https://github.com/openssl/openssl/pull/30042)

Bernd Edlinger [Fri, 13 Feb 2026 06:42:48 +0000 (07:42 +0100)] 
Alternate fix for CVE-2025-69419

This affects the function OPENSSL_uni2utf8
which caused heap buffer overflow when certain
unicode characters are converted.
The current fix is incomplete and does only prevent the
crash by making OPENSSL_uni2utf8 return a NULL pointer.
But with this change the OPENSSL_uni2utf8 will return the
correct utf8 string instead of a NULL pointer.
Additionally we add a simple test case that demonstrates
the original CVE.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:46:35 2026
(Merged from https://github.com/openssl/openssl/pull/29997)

Igor Ustinov [Sat, 7 Feb 2026 09:21:22 +0000 (10:21 +0100)] 
SSL_get_error(): Do not depend on the state of the error stack

We check in relevant functions (SSL_handshake(), SSL_read(), etc.) whether
a new error has been pushed onto the error stack, and if so, memorise this
fact in the SSL structure. After that SSL_get_error() uses this memorised
information instead of checking the error stack itself.

Fixes #11889
Fixes openssl/project#1715

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:27:38 2026
(Merged from https://github.com/openssl/openssl/pull/29991)

Bob Beck [Mon, 16 Feb 2026 23:13:39 +0000 (16:13 -0700)] 
Constify X509_verify

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 18 14:56:08 2026
(Merged from https://github.com/openssl/openssl/pull/30035)

giorgiopapini [Thu, 12 Feb 2026 21:34:51 +0000 (22:34 +0100)] 
Move typedef 'RSA_OEAP_PARAMS' to openssl/types.h

This avoids redefinition of the type.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:09:26 2026
(Merged from https://github.com/openssl/openssl/pull/29994)

Bob Beck [Mon, 16 Feb 2026 20:25:20 +0000 (13:25 -0700)]
Deprecate X509_NAME_get_text_by_NID and X509_NAME_get_text_by_OBJ

As they were already documented as "should be considered deprecated".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:06:18 2026
(Merged from https://github.com/openssl/openssl/pull/30031)

Neil Horman [Thu, 12 Feb 2026 16:30:46 +0000 (11:30 -0500)] 
don't include the asm code for ppc aes-gcm on big endian

It's dead code on that platform since we don't use it

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue Feb 17 14:11:49 2026
(Merged from https://github.com/openssl/openssl/pull/29968)

Neil Horman [Mon, 9 Feb 2026 17:55:50 +0000 (12:55 -0500)] 
don't use asm accelerated path on big endian power9

https://github.com/openssl/openssl/issues/29845

Found that our hardware accelerated path doesn't work on big endian
systems, so make sure that we only use it when little endian is defined

We also noted that PPC_AES_GCM_CAPABLE gets defined to zero when the
capabilities register notes that the hardware isn't capable of the
needed instructions, but that still includes the asm path as
PPC_AES_GCM_CAPABLE is still defined.

Fix both issues

Fixes #29845

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue Feb 17 14:11:46 2026
(Merged from https://github.com/openssl/openssl/pull/29968)

Frederik Wedel-Heinen [Mon, 26 Jan 2026 08:12:14 +0000 (09:12 +0100)] 
Remove remaining RAND_DRBG.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 17 14:09:07 2026
(Merged from https://github.com/openssl/openssl/pull/29782)

Neil Horman [Fri, 13 Feb 2026 00:38:36 +0000 (19:38 -0500)]
Add ability to use static vcruntime

Add a config option to selectively enable disable static vcruntime
linkage (default disabled, implying dynamic vcruntime linkage)

Fixes #12210

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 17 09:43:37 2026
(Merged from https://github.com/openssl/openssl/pull/29995)

Tomas Mraz [Wed, 11 Feb 2026 14:55:46 +0000 (15:55 +0100)] 
X509V3_EXT_print(): Return only 0 or 1 as the callers expect

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue Feb 17 09:17:37 2026
(Merged from https://github.com/openssl/openssl/pull/29981)

7 weeks ago SLH-DSA speed up hash calculations.
slontis [Fri, 17 Oct 2025 05:32:06 +0000 (16:32 +1100)] 
SLH-DSA speed up hash calculations.

SLH-DSA spends a significant amount of time performing large
numbers of hash calculations. Initially this was done using
EVP layer calls. The overhead is significant when there are thousands
of calls. To reduce this overhead the lower level sha functions for
KECCAK1600_CTX, SHA256_CTX and SHA512_CTX are accessed directly.

Profiling showed that a significant amount of time is spent in
"WOTS+ Public key generation" (FIPS 205 Section 5.1 Algorithm 6) so
this was inlined for shake and sha2 (See slh_wots_pk_gen_sha2()).

In FIPS 205 Section 11 there is a list of Hash functions.
Many of these functions use a pattern of
Trunc(n)(SHA256(PK.Seed || toByte(0, 64-n) || ....)
Because this operation is done many times, this prehashed
value is calculated once and stored into a low level SHA256_CTX or
KECCAK1600_CTX.
This can then be block copied to stack based KECCAK1600_CTX or
SHA256_CTX that we can then perform low level SHA functions on.
The md_len field is written to directly before the SHA final() to
control the length of the output (which avoids performing a memcpy).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)

7 weeks ago SHA256: Document SHA256_CTX, HASH_UPDATE() and HASH_FINAL()
slontis [Fri, 17 Oct 2025 05:21:54 +0000 (16:21 +1100)] 
SHA256: Document SHA256_CTX, HASH_UPDATE() and HASH_FINAL()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)

7 weeks ago SHA512 : Change SHA512_Final() so that it handles 192 bits.
slontis [Fri, 17 Oct 2025 05:15:03 +0000 (16:15 +1100)] 
SHA512 : Change SHA512_Final() so that it handles 192 bits.

SLH-DSA uses SHA-512 truncated to n when (n = 24 or 32).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)

7 weeks ago SHA3 - Move the buffered absorb function into sha3.c
slontis [Fri, 17 Oct 2025 05:11:11 +0000 (16:11 +1100)] 
SHA3 - Move the buffered absorb function into sha3.c
This code was sitting inside the sha3 provider where it could not be
called directly.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)

7 weeks ago SRTP: Fixup settable input limits and test them.
slontis [Fri, 13 Feb 2026 08:55:52 +0000 (19:55 +1100)] 
SRTP: Fixup settable input limits and test them.

Reported by https://github.com/1seal

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)

7 weeks ago Doc: SRTP updates to reflect the limits on settable parameters
slontis [Fri, 13 Feb 2026 08:54:07 +0000 (19:54 +1100)] 
Doc: SRTP updates to reflect the limits on settable parameters

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)

7 weeks ago Clarify SSL_CERT_DIR list separator on Windows
Aayush [Tue, 17 Jun 2025 13:10:05 +0000 (18:40 +0530)] 
Clarify SSL_CERT_DIR list separator on Windows

Fixes #27698
OpenSSL uses `;` as the path delimiter on Windows.
Update the manpage to state this explicitly instead of implying
`:` everywhere.

CLA: trivial

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat Feb 14 23:54:32 2026
(Merged from https://github.com/openssl/openssl/pull/27844)

8 weeks ago Make ERR_STATE opaque and remove related deprecated functions
Tomas Mraz [Fri, 13 Feb 2026 16:11:03 +0000 (17:11 +0100)] 
Make ERR_STATE opaque and remove related deprecated functions

ERR_get_state(), ERR_remove_state() and ERR_remove_thread_state()
and useless SYS_F_ macros are removed.

Fixes #4654

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 14 23:07:56 2026
(Merged from https://github.com/openssl/openssl/pull/30005)

8 weeks ago remove all atexit() tests in shlibloadtest
Alexandr Nedvedicky [Thu, 12 Feb 2026 10:10:03 +0000 (11:10 +0100)] 
remove all atexit() tests in shlibloadtest

The shlibloadtest used atexit() handler to verify
library pinning works as expected. The libcrypto
no longer arms atexit handler which also used to
fire upon shlib unload. We can not use the atexit
mechanism to test shared library pinning.

If the shlibload test does not crash on exit, then
library pinning must work.

Fixes openssl/project#1869

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:15:04 2026
(Merged from https://github.com/openssl/openssl/pull/29987)

8 weeks ago windows: Remove redundant include
Norbert Pocs [Thu, 12 Feb 2026 10:38:15 +0000 (11:38 +0100)] 
windows: Remove redundant include

The functions malloc, realloc and free are included from stdlib,
therefore no need for redundant malloc.h include.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:13:13 2026
(Merged from https://github.com/openssl/openssl/pull/29989)

8 weeks ago doc: fix NAME section formatting in EVP_SIGNATURE documentation
kovan [Tue, 27 Jan 2026 10:22:54 +0000 (11:22 +0100)] 
doc: fix NAME section formatting in EVP_SIGNATURE documentation

Ensure consistent formatting in NAME sections across all EVP_SIGNATURE
documentation pages. The algorithm name should be bold (B<ALG>) rather
than EVP_PKEY, following the pattern:
"- The EVP_PKEY B<ALG> signature implementation"

Fixes #29328

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:09:54 2026
(Merged from https://github.com/openssl/openssl/pull/29789)

8 weeks ago Cleanup of printing in apps
Philip Prindeville [Mon, 19 Jan 2026 21:12:20 +0000 (14:12 -0700)] 
Cleanup of printing in apps

Don't use BIO_printf() where BIO_puts() will do.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:05:38 2026
(Merged from https://github.com/openssl/openssl/pull/29677)

8 weeks ago fix: update remaining 3.5.0 references to 3.6.0 in README-FIPS.md
kovan [Fri, 6 Feb 2026 18:58:54 +0000 (19:58 +0100)] 
fix: update remaining 3.5.0 references to 3.6.0 in README-FIPS.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/29884)

8 weeks ago doc: add OpenSSL 3.6 to README documentation links
kovan [Mon, 2 Feb 2026 10:26:52 +0000 (11:26 +0100)] 
doc: add OpenSSL 3.6 to README documentation links

Update README.md to include OpenSSL 3.6 in the documentation links.
Update README-FIPS.md examples to use 3.6.0 as the latest release.

Fixes #29876

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:19 2026
(Merged from https://github.com/openssl/openssl/pull/29884)

8 weeks ago doc: clarify -cipher option syntax in man pages
kovan [Thu, 29 Jan 2026 12:46:46 +0000 (13:46 +0100)] 
doc: clarify -cipher option syntax in man pages

Users reading the documentation for the -<cipher> option often
misunderstand the syntax. The notation "B<-I<cipher>>" renders as
"-cipher" with "cipher" in italics, leading users to think they
should type "-cipher aes-128-cbc" when the correct usage is
"-aes-128-cbc" (the cipher name directly as the option).

Update the documentation in openssl-genpkey, openssl-enc, and
openssl-pkey to explicitly state that the cipher name is prepended
with a hyphen and used directly as the option, not as an argument
to a "-cipher" flag.

Also add a reference to "openssl list -cipher-algorithms" to help
users discover available ciphers, and fix a typo in openssl-pkey
("and and" -> "and").

Fixes #26089

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:52:00 2026
(Merged from https://github.com/openssl/openssl/pull/29843)

8 weeks ago doc: rename .pod.in files that don't use templating to .pod
kovan [Thu, 29 Jan 2026 11:12:38 +0000 (12:12 +0100)] 
doc: rename .pod.in files that don't use templating to .pod

These man page source files only used the output_do_not_edit_headers()
template function, which just generates a comment. Since they don't
use any meaningful templating, rename them from .pod.in to .pod and
remove the template line and build.info generation rules.

Files renamed:
- openssl-asn1parse.pod.in -> openssl-asn1parse.pod
- openssl-cmds.pod.in -> openssl-cmds.pod
- openssl-fipsinstall.pod.in -> openssl-fipsinstall.pod
- openssl-info.pod.in -> openssl-info.pod
- openssl-sess_id.pod.in -> openssl-sess_id.pod
- openssl-version.pod.in -> openssl-version.pod
- openssl-configutl and openssl-errstr .pod.in

Fixes #27760

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Feb 13 14:50:16 2026
(Merged from https://github.com/openssl/openssl/pull/29838)

8 weeks ago doc: add CHANGES.md entry for const-correct X509_ATTRIBUTE functions
kovan [Mon, 2 Feb 2026 10:22:44 +0000 (11:22 +0100)] 
doc: add CHANGES.md entry for const-correct X509_ATTRIBUTE functions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:30 2026
(Merged from https://github.com/openssl/openssl/pull/29813)

8 weeks ago Propagate const-correctness to PKCS7, CMS, and X509 attribute functions
John Smith [Thu, 29 Jan 2026 05:07:16 +0000 (06:07 +0100)] 
Propagate const-correctness to PKCS7, CMS, and X509 attribute functions

Following the const-correctness changes to X509_ATTRIBUTE accessor
functions, update all dependent functions to also return const pointers:

PKCS7 functions:
- PKCS7_get_attribute: returns const ASN1_TYPE *
- PKCS7_get_signed_attribute: returns const ASN1_TYPE *
- PKCS7_digest_from_attributes: returns const ASN1_OCTET_STRING *

X509 functions:
- X509at_get0_data_by_OBJ: returns const void *

CMS functions:
- CMS_signed_get0_data_by_OBJ: returns const void *
- CMS_unsigned_get0_data_by_OBJ: returns const void *

Update all callers to use const-qualified pointers for return values.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:28 2026
(Merged from https://github.com/openssl/openssl/pull/29813)

8 weeks ago Make X509_ATTRIBUTE accessor functions const-correct
kovan [Wed, 28 Jan 2026 01:22:21 +0000 (02:22 +0100)] 
Make X509_ATTRIBUTE accessor functions const-correct

The X509_ATTRIBUTE accessor functions were not const-correct, preventing
callers from usefully interacting with a const X509_ATTRIBUTE pointer.

Update the following functions to accept const X509_ATTRIBUTE * and
return const pointers where appropriate:

- X509_ATTRIBUTE_get0_object: returns const ASN1_OBJECT *
- X509_ATTRIBUTE_get0_type: returns const ASN1_TYPE *
- X509_ATTRIBUTE_get0_data: returns const void *

Also update dependent PKCS12 functions:
- PKCS12_get_attr_gen: returns const ASN1_TYPE *
- PKCS12_get_attr: returns const ASN1_TYPE * (deprecated)
- PKCS8_get_attr: returns const ASN1_TYPE *

Update all callers to use const pointers for the return values.

Fixes #29811

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29813)

8 weeks ago Add test for EVP_KEYMGMT leak in evp_pkey_signature_init() error paths
Zijie Zhao [Fri, 16 Jan 2026 23:41:46 +0000 (17:41 -0600)] 
Add test for EVP_KEYMGMT leak in evp_pkey_signature_init() error paths

Verify that calling EVP_PKEY_sign_init_ex2() with a mismatched
key/signature algorithm (RSA key with ECDSA signature) does not leak
EVP_KEYMGMT references. The test repeats the operation 100 times so
that ASAN can detect accumulating leaks.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Feb 13 14:42:40 2026
(Merged from https://github.com/openssl/openssl/pull/29810)

8 weeks ago doc: note that PBKDF2 does not support XOF digests
kovan [Tue, 27 Jan 2026 10:45:30 +0000 (11:45 +0100)] 
doc: note that PBKDF2 does not support XOF digests

PBKDF2 uses HMAC internally, which does not support eXtendable Output
Function (XOF) digests such as SHAKE128 or SHAKE256. Document this
limitation to prevent user confusion when attempting to use XOF
digests with PBKDF2.

Fixes #22877

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:39:07 2026
(Merged from https://github.com/openssl/openssl/pull/29792)

8 weeks ago doc: clarify SSL_SESSION ownership in PSK use session callback
kovan [Tue, 3 Feb 2026 09:32:56 +0000 (10:32 +0100)] 
doc: clarify SSL_SESSION ownership in PSK use session callback

Document that when the psk_use_session callback is invoked multiple times
and wishes to return the same SSL_SESSION pointer, it must call
SSL_SESSION_up_ref() first since ownership is transferred on each call.
This prevents use-after-free errors from incorrect callback implementations.

Fixes #28267

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:36:50 2026
(Merged from https://github.com/openssl/openssl/pull/29771)

8 weeks ago Interleave load/compute stages in AVX2 base64 encoder
krk [Thu, 29 Jan 2026 19:55:09 +0000 (19:55 +0000)] 
Interleave load/compute stages in AVX2 base64 encoder

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Feb 13 14:31:45 2026
(Merged from https://github.com/openssl/openssl/pull/29858)

8 weeks ago Add software prefetch to AVX2 base64 encoder hot loop
krk [Thu, 29 Jan 2026 19:52:49 +0000 (19:52 +0000)] 
Add software prefetch to AVX2 base64 encoder hot loop

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Feb 13 14:31:43 2026
(Merged from https://github.com/openssl/openssl/pull/29858)

8 weeks ago Add support for deferred FIPS self-tests
Simo Sorce [Mon, 1 Dec 2025 21:36:40 +0000 (16:36 -0500)] 
Add support for deferred FIPS self-tests

Add a new -defer_tests option to openssl fipsinstall and a corresponding
defer-tests configuration parameter for the FIPS provider.

This allows the execution of self-tests to be postponed until the
first time an algorithm is used, instead of running all tests
during module initialization. This reduces startup time.

Update the self-test framework to handle the new SELF_TEST_STATE_DEFER
state, ensuring deferred tests are skipped at load and run on demand.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago fips: Reorder self-tests by complexity
Simo Sorce [Wed, 17 Dec 2025 21:38:51 +0000 (16:38 -0500)] 
fips: Reorder self-tests by complexity

Reorganize the FIPS self-tests to group them by complexity.

The new order groups tests so that more complex ones are executed before
less complex ones when all tests are run on_demand, improving the odds
that lower level tests are implicitly executed as part of higher level
tests and therefore reducing the amount of time spent running redundant
tests.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Relax PBKDF2 iteration check for FIPS self-test
Simo Sorce [Mon, 8 Dec 2025 17:44:56 +0000 (12:44 -0500)] 
Relax PBKDF2 iteration check for FIPS self-test

FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these
tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal
security threshold and would otherwise fail.

This change checks if a PBKDF2 self-test is in progress and, if so, lowers the
minimum accepted iteration count to 2. This allows the required self-tests to
pass while maintaining the security check for normal operations.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Refactor FIPS self-test dependencies and states
Simo Sorce [Wed, 17 Dec 2025 19:06:57 +0000 (14:06 -0500)] 
Refactor FIPS self-test dependencies and states

Introduce `SELF_TEST_STATE_IMPLICIT` to handle recursive self-test calls
when an algorithm is used by another algorithm's self-test (e.g., KDF
using HMAC). This prevents unnecessarily running tests when they are
effectively covered by a parent test.

Refactor `SELF_TEST_kats` and `SELF_TEST_kats_execute` to unify
execution logic, dependency resolution, and RNG setup. Remove the
`deferred` flag from test definitions in favor of dynamic state
evaluation. Explicitly add a dependency for AES-128-ECB on AES-256-GCM.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Add an ID to the self test structure
Simo Sorce [Wed, 17 Dec 2025 16:04:13 +0000 (11:04 -0500)] 
Add an ID to the self test structure

Add a self test id to the self test definition structure. This is used as a
sanity check to ensure that a test's enum ID matches its index in the
`st_all_tests` array.

This helps prevent programming errors when adding, removing, or reordering
tests in the future, improving the robustness of the self-test mechanism.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Refactor FIPS integrity check to use KAT framework
Simo Sorce [Tue, 9 Dec 2025 19:29:43 +0000 (14:29 -0500)] 
Refactor FIPS integrity check to use KAT framework

The FIPS module integrity check (HMAC-SHA256) is refactored to use the
generic Known Answer Test (KAT) framework instead of a standalone
function.

- Remove `integrity_self_test` and use `ST_ID_MAC_HMAC` with
  `SELF_TEST_kats_single`.
- Add `self_test_mac` to `self_test_kats.c` to support MAC tests.
- Move HMAC test data to `self_test_data.c`.
- Rename the self-test type from "KAT_Integrity" to "KAT_Mac".
- Ensure on-demand tests reset state so they can be repeated.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Switch FIPS self tests to deferred execution
Simo Sorce [Tue, 25 Nov 2025 22:16:50 +0000 (17:16 -0500)] 
Switch FIPS self tests to deferred execution

Update the FIPS module to run self-tests on demand (deferred) rather
than on module load. Change the test definitions in self_test_data.c
from SELF_TEST_ONLOAD to SELF_TEST_DEFERRED.

Add calls to ossl_deferred_self_test() in the newctx functions for
ciphers, digests, signatures, KDFs, KEMs and DRBGs to trigger execution
upon first instantiation. Introduce CIPHER_PROV_CHECK and
DIGEST_PROV_CHECK macros in common headers to facilitate these checks.
Define dependencies for composite tests to ensure prerequisite tests
run when needed.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Move deferred self-test lock to FIPS_GLOBAL
Simo Sorce [Mon, 8 Dec 2025 19:06:17 +0000 (14:06 -0500)] 
Move deferred self-test lock to FIPS_GLOBAL

The lock for the deferred FIPS self-tests was previously a static
global variable, initialized with CRYPTO_ONCE. This is problematic
when multiple library contexts are used in a single application.

This change moves the lock into the FIPS_GLOBAL structure, making it
per-library-context. The lock is now initialized when the FIPS
provider is initialized and freed when its context is torn down.
This improves encapsulation and avoids global state.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Add dependency handling for FIPS self-tests
Simo Sorce [Fri, 5 Dec 2025 04:14:47 +0000 (23:14 -0500)] 
Add dependency handling for FIPS self-tests

Some FIPS Known Answer Tests (KATs) rely on other cryptographic algorithms
that also have their own KATs. This change introduces a formal mechanism to
ensure these dependencies are met before a test is run.

A `depends_on` field is added to the self-test definition to declare
prerequisites. A new recursive function, `FIPS_kat_deferred_execute`,
traverses this dependency chain, executing any required tests first.

This new logic also prevents tests from being run multiple times if they are a
dependency for several other tests. The `FIPS_kat_deferred` function is
updated to use this new dependency-aware execution function.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Refactor FIPS self-tests to use ID-based lookup
Simo Sorce [Tue, 2 Dec 2025 18:24:41 +0000 (13:24 -0500)] 
Refactor FIPS self-tests to use ID-based lookup

Consolidate separate self-test data arrays into a single `st_all_tests`
array indexed by a new `self_test_id_t` enumeration.

This replaces string-based algorithm lookups with direct array indexing
for running self-tests, simplifying the code and state management. The
`FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed,
and the FIPS provider and implementations are updated to use the new
ID-based API.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Initialize DRBG for single FIPS KATs
Simo Sorce [Tue, 2 Dec 2025 20:19:52 +0000 (15:19 -0500)] 
Initialize DRBG for single FIPS KATs

The SELF_TEST_kats_single() function runs an individual FIPS Known Answer Test
(KAT) on demand. These tests require a deterministic random bit generator
(DRBG) to be properly initialized to function correctly.

This change ensures a dedicated DRBG is set up for the single test run. The
existing private RNG is saved before the test and restored afterward,
isolating the test's random context from the rest of the library.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Unify FIPS self-test KAT data structures
Simo Sorce [Thu, 4 Dec 2025 19:07:06 +0000 (14:07 -0500)] 
Unify FIPS self-test KAT data structures

Refactor the FIPS self-test Known Answer Test (KAT) data definitions to use a
single, unified structure.

A new generic `ST_DEFINITION` struct is introduced to replace the various
algorithm-specific `ST_KAT_*` structs. This new struct contains fields common
to all tests and uses a union to hold the parameters specific to each test
category (cipher, digest, KEM, etc.).

A helper `ST_BUFFER` struct is also added to combine data pointers and their
lengths, simplifying data handling. This refactoring makes the self-test
framework more consistent, easier to maintain, and more extensible.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago docs: Simplify FIPS deferred test equivalency
Simo Sorce [Wed, 3 Dec 2025 20:04:28 +0000 (15:04 -0500)] 
docs: Simplify FIPS deferred test equivalency

This commit refines the design for FIPS deferred self-tests by simplifying how
test equivalencies are handled.

The explicit `also_satisfies` list has been removed from the design. Instead
of manually listing which tests are satisfied by another, the new approach
relies on implicit discovery. When a high-level self-test runs, it records all
the underlying cryptographic algorithms that are invoked during its execution.

Upon successful completion of the high-level test, the tests for all recorded
algorithms are automatically marked as passed. This approach is more direct,
less error-prone, and removes the complex logic associated with the previous
explicit dependency lists.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Comment out currently unused data
Simo Sorce [Mon, 1 Dec 2025 16:27:53 +0000 (11:27 -0500)] 
Comment out currently unused data

This causes linters to blow up

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Move FIPS self-test data into a separate .c file
Simo Sorce [Tue, 25 Nov 2025 18:19:35 +0000 (13:19 -0500)] 
Move FIPS self-test data into a separate .c file

The Known Answer Test (KAT) data, previously in `self_test_data.inc`, is moved
into its own compilation unit, `self_test_data.c`. This separates the large
data definitions from the test execution logic.

This refactoring improves code organization and modularity. A new header,
`self_test_data.h`, is added to declare the data arrays for external linkage.
The shared data structure definitions are moved to `self_test.h` to be
accessible by both the test logic and the data files.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Keep kdfs together in .gitignore
Simo Sorce [Wed, 10 Dec 2025 19:51:40 +0000 (14:51 -0500)] 
Keep kdfs together in .gitignore

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Fix style of FIPS srtp self-test data arrays
Simo Sorce [Mon, 26 Jan 2026 16:55:47 +0000 (11:55 -0500)] 
Fix style of FIPS srtp self-test data arrays

Fix sloppy style that will break clang style detector later once
we rename the .inc file back to be a regular .c file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Fix style for ECDSA test vector
Simo Sorce [Wed, 21 Jan 2026 16:58:13 +0000 (11:58 -0500)] 
Fix style for ECDSA test vector

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)

8 weeks ago Add a newdata_ex function which takes params and use it
Matt Caswell [Mon, 9 Feb 2026 13:25:58 +0000 (13:25 +0000)] 
Add a newdata_ex function which takes params and use it

The keymgmt->newdata function does not accept params. We introduce a
newdata_ex function that does, and we use that instead as a thread local
to pass legacy objects to the default provider

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:28 2026
(Merged from https://github.com/openssl/openssl/pull/29960)

8 weeks ago Extend the low level method testing with ex_data
Matt Caswell [Fri, 6 Feb 2026 16:48:07 +0000 (16:48 +0000)] 
Extend the low level method testing with ex_data

Make sure that when we use ex_data on a low level object that also
works when used with a provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/29960)

8 weeks ago Pass low level DH objects to the default provider
Matt Caswell [Fri, 6 Feb 2026 15:06:51 +0000 (15:06 +0000)] 
Pass low level DH objects to the default provider

As we did for RSA objects we do the same for DH objects.

Fixes #29942

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:25 2026
(Merged from https://github.com/openssl/openssl/pull/29960)

8 weeks ago Pass low level EC_KEY objects to the default provider
Matt Caswell [Fri, 6 Feb 2026 15:06:26 +0000 (15:06 +0000)] 
Pass low level EC_KEY objects to the default provider

As we did for RSA objects we do the same for EC_KEY objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:24 2026
(Merged from https://github.com/openssl/openssl/pull/29960)

8 weeks ago Pass low level DSA objects to the default provider
Matt Caswell [Fri, 6 Feb 2026 14:57:43 +0000 (14:57 +0000)] 
Pass low level DSA objects to the default provider

As we did for RSA objects we do the same for DSA objects.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:23 2026
(Merged from https://github.com/openssl/openssl/pull/29960)

8 weeks ago Pass low level RSA objects to the default provider
Matt Caswell [Fri, 6 Feb 2026 14:51:42 +0000 (14:51 +0000)] 
Pass low level RSA objects to the default provider

If a low level RSA object has been assigned a custom RSA_METHOD and is
then assigned to an EVP_PKEY object, then we still want the default
provider to use that RSA_METHOD. To ensure this occurs we pass the low
level object across the provider boundary. We can only get away with this
because it is the default provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/29960)