CHANGES.md, NEWS.md: updates for 4.0.0 final release
NEWS.md is amended to include the following PRs:
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
Overall, CHANGES.md includes the following:
* https://github.com/openssl/openssl/pull/8136
"Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit
set in unsigned BN"
* https://github.com/openssl/openssl/pull/17495
"4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure"
* https://github.com/openssl/openssl/pull/18229
"public API: Remove needless `const` from scalar types"
* https://github.com/openssl/openssl/pull/22304
"4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters"
* https://github.com/openssl/openssl/pull/24551
"Enable RFC 7919 FFDHE groups for TLS 1.2 server"
* https://github.com/openssl/openssl/pull/24738
"add ech-api.md"
* https://github.com/openssl/openssl/pull/25193
"ECH build artefacts and a bit of code"
* https://github.com/openssl/openssl/pull/25420
"ECH CLI implementation"
* https://github.com/openssl/openssl/pull/25663
"ECH external APIs"
* https://github.com/openssl/openssl/pull/25991
"preserve data constness when getting issuer name's and subject's hash"
* https://github.com/openssl/openssl/pull/26011
"ECH client side"
* https://github.com/openssl/openssl/pull/27397
"create SSL_listen_ex api"
* https://github.com/openssl/openssl/pull/27431
"fips: Enforce lower bounds checks for password protected files when using
FIPS providers, by default"
* https://github.com/openssl/openssl/pull/27540
"ECH client sending mulitple key shares"
* https://github.com/openssl/openssl/pull/27561
"ECH both sides now"
* https://github.com/openssl/openssl/pull/27776
"Introduce the PACKET_msg_start() function"
* https://github.com/openssl/openssl/pull/28033
"Constify further X509 functions; remove OSSL_FUTURE_CONST"
* https://github.com/openssl/openssl/pull/28041
"Remove support for SSLv2 Client Hello"
* https://github.com/openssl/openssl/pull/28108
"Add a way to cleanse params arrays"
* https://github.com/openssl/openssl/pull/28160
"New options for reading MAC key from environment variable, file and standard
input were added."
* https://github.com/openssl/openssl/pull/28270
"s_client and s_server command line options for ECH (plus some wndows
CI fixes)"
* https://github.com/openssl/openssl/pull/28278
"Implementing store support for EVP_SKEY"
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/28432
"Add support for CSHAKE."
* https://github.com/openssl/openssl/pull/28445
"Updated s_server's verify_return_error option to enable peer verification"
* https://github.com/openssl/openssl/pull/28535
"Print PowerPC CPUINFO"
* https://github.com/openssl/openssl/pull/28623
"Combining time validation with comparison return values considered harmful"
* https://github.com/openssl/openssl/pull/28837
"Add support to serialize/deserialize digest state for export/import"
* https://github.com/openssl/openssl/pull/29018
"CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE"
* https://github.com/openssl/openssl/pull/29057
"Avoid empty AKID/SKID extensions in CSRs and certs"
* https://github.com/openssl/openssl/pull/29107
"CRL: Enforce proper handling of ASN1_TIME validation results"
* https://github.com/openssl/openssl/pull/29116
"info: Print CPUINFO for SPARCv9 processors"
* https://github.com/openssl/openssl/pull/29152
"Add new public API for checking certificate times."
* https://github.com/openssl/openssl/pull/29187
"Remove the ASN1_STRING_FLAG_X509_TIME flag"
* https://github.com/openssl/openssl/pull/29195
"Add SNMPKDF implementation"
* https://github.com/openssl/openssl/pull/29200
"Add tests and documentation and fix some issues resulting"
* https://github.com/openssl/openssl/pull/29206
"Per-key encoding formats for ML-KEM and ML-DSA"
* https://github.com/openssl/openssl/pull/29222
"Implementation of Deferred FIPS Self-Tests"
* https://github.com/openssl/openssl/pull/29223
"ML-DSA: Add a digest that can calculate external mu."
* https://github.com/openssl/openssl/pull/29230
"doc/man3: Add OPENSSL_ppccap.pod"
* https://github.com/openssl/openssl/pull/29266
"make PEM hexdump width a multiple of 8 bytes"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29305
"Feature/engineremoval"
* https://github.com/openssl/openssl/pull/29311
"Documentation for BIO flags and related functions"
* https://github.com/openssl/openssl/pull/29338
"merge feature/removesslv3"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29380
"Remove crypto-mdebug-backtrace option from config"
* https://github.com/openssl/openssl/pull/29381
"Added LMS support for OpenSSL commandline signature verification using
pkeyutl."
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/29385
"Atexit.final draft.cleanup"
* https://github.com/openssl/openssl/pull/29387
"Add ASN1_BIT_STRING_get_length()"
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
* https://github.com/openssl/openssl/pull/29427
"Remove the c_rehash script"
* https://github.com/openssl/openssl/pull/29428
"Constify return value of X509_get_X509_PUBKEY()"
* https://github.com/openssl/openssl/pull/29435
"Add SRTP KDF"
* https://github.com/openssl/openssl/pull/29445
"Remove BIO_f_reliable() as it is broken"
* https://github.com/openssl/openssl/pull/29465
"Constify X509_get_ext() and friends.."
* https://github.com/openssl/openssl/pull/29468
"constify X509_NAME."
* https://github.com/openssl/openssl/pull/29488
"Constify the X509_STORE_CTX argument to the lookup_certs functions."
* https://github.com/openssl/openssl/pull/29576
"KDF: Add configuration options to disable many of the KDF algorithms."
* https://github.com/openssl/openssl/pull/29612
"Support multiple names for certificate verification"
* https://github.com/openssl/openssl/pull/29635
"SSL_CTX_is_server() was added"
* https://github.com/openssl/openssl/pull/29639
"Disabling explicit EC curves encoding"
* https://github.com/openssl/openssl/pull/29640
"add thunking for compare function to OPENSSL_STACK"
* https://github.com/openssl/openssl/pull/29646
"Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()"
* https://github.com/openssl/openssl/pull/29653
"Drop darwin-i386(-cc) targets from Configurations"
* https://github.com/openssl/openssl/pull/29658
"Disable support of weak elliptic curves in TLS by default"
* https://github.com/openssl/openssl/pull/29672
"Drop darwin-ppc{,64} targets"
* https://github.com/openssl/openssl/pull/29721
"Make OPENSSL_cleanup() G A"
* https://github.com/openssl/openssl/pull/29813
"Make X509_ATTRIBUTE accessor functions const-correct"
* https://github.com/openssl/openssl/pull/29862
"Make ASN1_STRING opaque"
* https://github.com/openssl/openssl/pull/29874
"Take OPENSSL_atexit() for a walk behind the barn."
* https://github.com/openssl/openssl/pull/29926
"Provide ASN1_BIT_STRING_set1()"
* https://github.com/openssl/openssl/pull/29953
"Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid."
* https://github.com/openssl/openssl/pull/29971
"X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* https://github.com/openssl/openssl/pull/29982
"Improved reporting of shared and peer sigalgs"
* https://github.com/openssl/openssl/pull/29991
"Fix of SSL_get_error() so that it no longer depends on the state
of the error stack"
* https://github.com/openssl/openssl/pull/29995
"Add abilty to use static vcruntime"
* https://github.com/openssl/openssl/pull/30005
"Make ERR_STATE opaque and remove related deprecated functions"
* https://github.com/openssl/openssl/pull/30011
"Deprecate ASN1_OBJECT_new()."
* https://github.com/openssl/openssl/pull/30020
"Const correct time parameter for X509_cmp_time(), X509_time_adj()
and X509_time_adj_ex()."
* https://github.com/openssl/openssl/pull/30024
"CRL: reject malformed CRL Number and CRL Delta Indicator"
* https://github.com/openssl/openssl/pull/30028
"Add TLS 1.3 SM ciphersuites"
* https://github.com/openssl/openssl/pull/30031
"Mostly deprecated is slightly not deprecated...."
* https://github.com/openssl/openssl/pull/30033
"Remove the "msie-hack" option from openssl ca"
* https://github.com/openssl/openssl/pull/30034
"Use the appropriate libctx when executing CMS_SignerInfo_verify"
* https://github.com/openssl/openssl/pull/30035
"Constify X509_verify"
* https://github.com/openssl/openssl/pull/30036
"Constify more X509 arguments and return values"
* https://github.com/openssl/openssl/pull/30044
"Added BIO_set_send_flags() function to set flags passed to send(),
sendto(), and sendmsg()"
* https://github.com/openssl/openssl/pull/30048
"change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* https://github.com/openssl/openssl/pull/30053
"Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* https://github.com/openssl/openssl/pull/30054
"Consity X509_add_cert and X509_self_signed"
* https://github.com/openssl/openssl/pull/30055
"Constify various functions that were non const due to extension cache"
* https://github.com/openssl/openssl/pull/30056
"Constify X509_build_chain"
* https://github.com/openssl/openssl/pull/30058
"Constify X509_chain_check_suiteb"
* https://github.com/openssl/openssl/pull/30067
"Constify X509_check_issued and friends"
* https://github.com/openssl/openssl/pull/30071
"constify X509_check_trust, X509_TRUST_add"
* https://github.com/openssl/openssl/pull/30072
"Constify X509_to_X509_REQ and X509_REQ_to_X509"
* https://github.com/openssl/openssl/pull/30073
"Constify X509_print_fp and X509_print_ex_fp"
* https://github.com/openssl/openssl/pull/30074
"Constify X509_STORE_add_cert()"
* https://github.com/openssl/openssl/pull/30076
"Constify X509_STORE_CTX functions invoving X509 *"
* https://github.com/openssl/openssl/pull/30079
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30080
"Constify X509v3_asid_validate_resource_set
and X509v3_addr_validate_resource_set"
* https://github.com/openssl/openssl/pull/30082
"Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* https://github.com/openssl/openssl/pull/30084
"Constify X509_issuer_and_serial_hash"
* https://github.com/openssl/openssl/pull/30089
"Added -expected-rpks s_client/server option"
* https://github.com/openssl/openssl/pull/30090
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30092
"constify X509_find_by_issuer_and_serial"
* https://github.com/openssl/openssl/pull/30096
"Constify X509_find_by_subject"
* https://github.com/openssl/openssl/pull/30098
"Add a changes entry for the x509 time function changes"
* https://github.com/openssl/openssl/pull/30113
"Add keyshare floating"
* https://github.com/openssl/openssl/pull/30117
"Constify X509_OBJECT_[get0|set1]_X509 and friends"
* https://github.com/openssl/openssl/pull/30127
"Constify a bunch of seldom used X509 functions. "
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/30140
"Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* https://github.com/openssl/openssl/pull/30171
"CRL: Reject CRLs with malformed Issuing Distribution Point"
* https://github.com/openssl/openssl/pull/30200
"Remove remnant SSL_FIPS flag"
* https://github.com/openssl/openssl/pull/30229
"X509 returned by X509_REQ_to_X509() should not be (const ...)"
* https://github.com/openssl/openssl/pull/30235
"Make X509_up_ref and X509_free take const X509 *"
* https://github.com/openssl/openssl/pull/30249
"x509: remove erroneous critical extension enforcement"
* https://github.com/openssl/openssl/pull/30252
"Some more X509 extension add/del polish"
* https://github.com/openssl/openssl/pull/30263
"Restrict the number of keyshares/groups/sigalgs a server is willing
to accept"
* https://github.com/openssl/openssl/pull/30265
"Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* https://github.com/openssl/openssl/pull/30272
"Partially revert "Constify X509_STORE_CTX functions invoving X509
*""
* https://github.com/openssl/openssl/pull/30273
"Revert "Make X509_up_ref and X509_free take const X509 *""
* https://github.com/openssl/openssl/pull/30276
"Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"
The changes associated with these PRs are already mentioned in 3.6.x changes:
* https://github.com/openssl/openssl/pull/28760
"Improve the CPUINFO display for RISC-V"
* https://github.com/openssl/openssl/pull/28797
"Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* https://github.com/openssl/openssl/pull/28955
"Fix for TLS handshake issue with GnuTLS #28902"
* https://github.com/openssl/openssl/pull/29155
"fix(x509.c): fixed -checkend return values"
* https://github.com/openssl/openssl/pull/29214
"s390x: Check and fail on invalid malformed ECDSA signatures"
* https://github.com/openssl/openssl/pull/29242
"Clang format head"
* https://github.com/openssl/openssl/pull/29251
"Fix change of behavior of the single stapled OCSP response API"
* https://github.com/openssl/openssl/pull/30204
"Fix detection of plaintext HTTP over TLS"
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
style: fix clang-format issues in chacha_internal_test.c
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:13:01 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
test/chacha: added ELFv2 ABI FPR preservation check for POWER10 8x path
On POWER10, ChaCha20_ctr32_vsx_8x is activated for buffers over 255
bytes and uses vxxlor to alias FPR14-FPR25 as temporary storage. Add a
test to chacha_internal_test that pins known values in f14-f25 via
inline asm, calls through ChaCha20_ctr32 with a 512-byte buffer to
trigger the 8x path, and verifies the registers still hold their
original values. The test is gated on PPC_BRD31 (POWER10 capability
flag) so it is skipped silently on older hardware.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:13:00 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
chacha/asm: save f17 in 8x prologue for contiguous f14-f25 range
f17 is not directly clobbered by any vxxlor in this function, but
saving the full contiguous range f14-f25 is cleaner and avoids any
future ambiguity if the code is modified. Adjust all subsequent FPR
slot offsets and the VMX base offset accordingly, and update the frame
size comment.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:12:58 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
chacha/asm: fix ELFv2 ABI violation in ChaCha20_ctr32_vsx_8x
The 8-block POWER10 ChaCha20 path uses vxxlor to spill VMX values into
VSR0-VSR26, which aliases FPR0-FPR26. FPR14-FPR31 are callee-saved per
the ELFv2 ABI, but the function was never saving or restoring them,
silently corrupting 11 FPRs (12 on big-endian) across any call with a
buffer larger than 255 bytes. VMX registers v20-v23, also
callee-saved, had the same problem.
Fix by increasing the frame size to accommodate save slots for
FPR14-FPR25 (and FPR26 on BE) and VMX v20-v23, and adding the
corresponding stfd/lfd and stvx/lvx pairs in the prologue and
epilogue. The VRSAVE save offset is updated to a fixed expression so
it stays clear of the new save area.
Fix for the bug #30584
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:12:57 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
Ethan [Fri, 27 Mar 2026 19:15:52 +0000 (15:15 -0400)]
doc: updates no-pinshared description
The current documentation heavily references the now removed
`atexit()` handlers. This updates the description to better reflect
its current utility (removal of `-Wl,-znodelete` linker flags on
Linux and Hurd).
Fixes #30586
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Sat Apr 11 19:47:12 2026
(Merged from https://github.com/openssl/openssl/pull/30606)
Igor Ustinov [Tue, 31 Mar 2026 14:35:49 +0000 (16:35 +0200)]
Setting statem.error_state more carefully
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sat Apr 11 19:34:25 2026
(Merged from https://github.com/openssl/openssl/pull/30647)
Viktor Dukhovni [Sat, 4 Apr 2026 14:19:07 +0000 (01:19 +1100)]
SSL_use_cert_and_key NPE with provided keys
SSL_use_cert_and_key(3) dereferenced a NULL SSL_CTX pointer
via ssl_cert_lookup_by_pkey() when the private key type was
not one of the builtin ones, but was provider-based.
Bug introduced in Postfix 3.2 (commit ee58915cfd9).
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Apr 11 19:07:52 2026
(Merged from https://github.com/openssl/openssl/pull/30683)
3.6.2 CHANGES.md includes the following:
* CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30411
"Fix detection of plaintext HTTP over TLS (3.6/3.5 backport)"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
3.6.2 NEWS.md includes the following:
* CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 18:55:47 2026
(Merged from https://github.com/openssl/openssl/pull/30720)
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Sat Apr 11 18:34:40 2026
(Merged from https://github.com/openssl/openssl/pull/30727)
Matt Caswell [Wed, 8 Apr 2026 15:36:42 +0000 (16:36 +0100)]
Fix off-by-one s_client overflows
There are one-byte buffer overflows possible in s_client's handling
of STARTTLS in various protocols. If a server's response fills the entire
buffer (16k) then we attempt to add a NUL terminator one byte off the end
of the buffer.
This was reported by Igor Morgenstern from AISLE to openssl-security and
assessed by the security team as "bug or hardening only".
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Apr 11 16:25:52 2026
(Merged from https://github.com/openssl/openssl/pull/30731)
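An added C model of the full-buffer case described in the STARTTLS commit above; it is not apps/s_client.c code, and the in-memory `conn_t` transport, the `BUF_SIZE` of 16 and the helper names are assumptions of the example:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Model of the full-buffer edge case from the s_client commit above; not the
 * apps/s_client.c code. An in-memory byte string stands in for the TLS-side
 * BIO and BUF_SIZE is shrunk from 16k to 16 so the case is easy to construct.
 * All names here are invented for the illustration.
 */
#define BUF_SIZE 16

/* Constructed transport: a byte string drained in chunks. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} conn_t;

/* Mimics a read call: copies up to want bytes, returns the count (0 at EOF). */
static size_t conn_read(conn_t *c, unsigned char *dst, size_t want)
{
    size_t avail = c->len - c->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/*
 * The bug shape described in the commit: read up to buflen bytes, then write
 * buf[total] = '\0', which lands at buf[buflen] once a reply fills the buffer.
 * Hardened form: the read budget is buflen - 1, so the terminator always fits,
 * and a reply that exhausts the budget is flagged as truncated instead of
 * silently overrunning.
 */
static size_t read_reply(conn_t *c, char *buf, size_t buflen, int *truncated)
{
    size_t total = 0, n;

    *truncated = 0;
    if (buflen == 0)
        return 0;
    while (total < buflen - 1
           && (n = conn_read(c, (unsigned char *)buf + total,
                             buflen - 1 - total)) > 0)
        total += n;
    buf[total] = '\0';              /* total <= buflen - 1: always in bounds */
    *truncated = (total == buflen - 1 && c->pos < c->len);
    return total;
}

/*
 * Test helper: feeds a constructed reply of reply_len bytes through a
 * BUF_SIZE buffer and returns (bytes_kept << 1) | truncated.
 */
static int reply_outcome(size_t reply_len)
{
    unsigned char reply[64];
    char buf[BUF_SIZE];
    conn_t c = { reply, reply_len, 0 };
    int truncated;

    if (reply_len > sizeof(reply))
        return -1;
    for (size_t i = 0; i < reply_len; i++)
        reply[i] = (unsigned char)('A' + i % 26);
    size_t kept = read_reply(&c, buf, sizeof(buf), &truncated);
    if (strlen(buf) != kept)        /* terminator missing or misplaced */
        return -2;
    return (int)(kept << 1) | truncated;
}

int main(void)
{
    printf("5-byte reply:  kept=%d truncated=%d\n",
           reply_outcome(5) >> 1, reply_outcome(5) & 1);
    printf("16-byte reply: kept=%d truncated=%d\n",
           reply_outcome(16) >> 1, reply_outcome(16) & 1);
    return 0;
}
```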
Co-authored-by: Bob Beck <beck@obtuse.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Apr 11 15:47:10 2026
(Merged from https://github.com/openssl/openssl/pull/30596)
Co-authored-by: Bob Beck <beck@obtuse.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Apr 11 15:47:09 2026
(Merged from https://github.com/openssl/openssl/pull/30596)
fix BIO_vsnprintf() with NULL string arg crash on Solaris 10
Issue was kindly reported and fixes suggested by @rainerjung
Fixes #30402
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Apr 11 15:47:08 2026
(Merged from https://github.com/openssl/openssl/pull/30596)
Add its mentions to NAME, SYNOPSIS, and RETURN VALUES sections.
Also, while at it, put OPENSSL_{str,strn,mem}dup() with the other
OPENSSL_* interfaces, and add mentions of OPENSSL_str{,n}dup()
to RETURN VALUES.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:23:55 2026
(Merged from https://github.com/openssl/openssl/pull/30623)
Sunwoo Lee [Fri, 27 Mar 2026 23:58:41 +0000 (08:58 +0900)]
quic: remove unused scid from port_default_packet_handler
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Jun Aruga [Fri, 27 Mar 2026 18:16:55 +0000 (18:16 +0000)]
crypto/pkcs12/p12_add.c: Restore ERR_set_mark and ERR_pop_to_mark
The commit <2ea6e785f526f88f913cc6f49372aae9dc54bc63> removed the
ERR_set_mark and ERR_pop_to_mark calls before and after the EVP_CIPHER_fetch
call in several files.
However, in PKCS12_pack_p7encdata_ex, crypto/pkcs12/p12_add.c, there is a valid
case in which EVP_CIPHER_fetch returns NULL, raising an error, and
PKCS5_pbe_set_ex is called. PBE-SHA1-3DES is one such case.
Original-Commit: 7b371d80d959 "Prepare for release of 3.6.0"
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:00:08 2026
(Merged from https://github.com/openssl/openssl/pull/30686)
CHANGES.md: move SSL_CTX_is_server() entry to the 4.0 section
Also reword it to match the style of other entries.
Complements: ca20e54e8674 "SSL_CTX_is_server() was added."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:00:05 2026
(Merged from https://github.com/openssl/openssl/pull/30686)
Arne Schwabe [Wed, 25 Mar 2026 15:28:46 +0000 (16:28 +0100)]
Make ext argument of X509V3_EXT_print_fp const
Commit e75bd84ffc7 made the ext argument of X509V3_EXT_print const
but did not give X509V3_EXT_print_fp, which is essentially a wrapper
around X509V3_EXT_print, the same treatment.
This commit aligns the two functions again.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 09:15:11 2026
(Merged from https://github.com/openssl/openssl/pull/30572)
Tomas Mraz [Mon, 6 Apr 2026 20:09:20 +0000 (22:09 +0200)]
80-test_cms.t: Accept success in malformed RSA decryption
The decryption of the malformed encrypted message might succeed
with some probability. We accept that as the testcase tries to
trigger a crash which does not happen.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 7 07:16:44 2026
(cherry picked from commit 7b5ece69dee3fb78fcd2618df3bce5064a04c6dc)
Nikola Pajkovsky [Thu, 19 Mar 2026 11:17:45 +0000 (12:17 +0100)]
rsa_kem: test RSA_public_encrypt() result in RSASVE
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure.
Add regression coverage in evp_extra_test using custom low-level RSA
methods to exercise the provider/legacy boundary. The new tests verify
that encapsulation fails when RSA_public_encrypt() returns:
* -1, which is the documented failure result, and
* a short positive length, which is also invalid for RSASVE with
RSA_NO_PADDING because the ciphertext must be exactly nlen bytes.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:45:39 2026
(cherry picked from commit 4c92661c45b6af78a901ee97db6f29a2ce90ae29)
Nikola Pajkovsky [Thu, 19 Mar 2026 11:16:08 +0000 (12:16 +0100)]
rsa_kem: validate RSA_public_encrypt() result in RSASVE
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.
Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.
Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:45:38 2026
(cherry picked from commit 89dde74b69debbf0c4d0a0ee925de87638bbfe16)
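As an added illustration of the two rsa_kem commits above (the test commit and the fix), a self-contained C model of the `if (ret)` check beside the tightened one; this is not OpenSSL's rsa_kem.c, and the injected encrypt primitives, `NLEN` and the helper names are assumptions of the example:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Model of the RSASVE success condition from the two rsa_kem commits above;
 * not OpenSSL's rsa_kem.c. The RSA public-encrypt primitive is a function
 * pointer so the return values the commits name (-1, a short positive length,
 * the full modulus length) can be injected. All names here are invented.
 */

/* Constructed modulus size: 32 bytes stands in for a real RSA modulus. */
#define NLEN 32
typedef int (*public_encrypt_fn)(size_t flen, const unsigned char *from,
                                 unsigned char *to, size_t nlen);

/* Deterministic stand-in for the freshly generated random secret. */
static void fill_secret(unsigned char *secret, size_t nlen)
{
    for (size_t i = 0; i < nlen; i++)
        secret[i] = (unsigned char)(0xA5 ^ i);
}

/* Clear sensitive data; the volatile pointer resists dead-store elimination. */
static void cleanse(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/*
 * Shape before the fix: `if (ret)` treats any non-zero return, including the
 * documented -1 failure, as success, so lengths are reported and the secret
 * stays available to the caller.
 */
static int rsasve_encaps_before(public_encrypt_fn enc, unsigned char *out,
                                size_t *outlen, unsigned char *secret,
                                size_t *secretlen)
{
    fill_secret(secret, NLEN);
    int ret = enc(NLEN, secret, out, NLEN);
    if (ret) { *outlen = *secretlen = NLEN; return 1; }
    return 0;
}

/*
 * Shape after the fix: succeed only on a positive return equal to the modulus
 * length (RSA_NO_PADDING output is exactly nlen bytes); on anything else
 * cleanse the generated secret and report zero lengths.
 */
static int rsasve_encaps_after(public_encrypt_fn enc, unsigned char *out,
                               size_t *outlen, unsigned char *secret,
                               size_t *secretlen)
{
    fill_secret(secret, NLEN);
    int ret = enc(NLEN, secret, out, NLEN);
    if (ret > 0 && (size_t)ret == NLEN) { *outlen = *secretlen = NLEN; return 1; }
    cleanse(secret, NLEN);
    cleanse(out, NLEN);
    *outlen = *secretlen = 0;
    return 0;
}

/* Injected primitives for the three return values under test (not real RSA). */
static int enc_fails(size_t flen, const unsigned char *from,
                     unsigned char *to, size_t nlen)
{ (void)flen; (void)from; (void)to; (void)nlen; return -1; }
static int enc_short(size_t flen, const unsigned char *from,
                     unsigned char *to, size_t nlen)
{ (void)flen; (void)from; (void)nlen; to[0] = 0x42; return 1; }
static int enc_ok(size_t flen, const unsigned char *from,
                  unsigned char *to, size_t nlen)
{ (void)flen; memcpy(to, from, nlen); return (int)nlen; }

/* 1 if all n bytes are zero, else 0. */
static int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Runs one case; returns success | secret_zeroed << 1 | lengths_reported << 2. */
static int run_case(public_encrypt_fn enc, int hardened)
{
    unsigned char out[NLEN], secret[NLEN];
    size_t outlen = 0, secretlen = 0;
    int ok = hardened
        ? rsasve_encaps_after(enc, out, &outlen, secret, &secretlen)
        : rsasve_encaps_before(enc, out, &outlen, secret, &secretlen);
    return (ok != 0) | (all_zero(secret, NLEN) << 1)
         | ((outlen == NLEN && secretlen == NLEN) << 2);
}

int main(void)
{
    printf("before fix, encrypt returns -1: %d (bit0 set: accepted as success)\n",
           run_case(enc_fails, 0));
    printf("after fix,  encrypt returns -1: %d (bit1 set: secret cleansed)\n",
           run_case(enc_fails, 1));
    return 0;
}
```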
Daniel Kubec [Wed, 18 Mar 2026 10:27:52 +0000 (11:27 +0100)]
Out-of-bounds read in AES-CFB-128 on X86-64 with AVX-512 support
The partial-block pre-processing code in ossl_aes_cfb128_vaes_enc and
ossl_aes_cfb128_vaes_dec unconditionally loads 16 bytes from the input buffer
using unmasked vmovdqu8 instructions, even when fewer bytes are valid.
This can read 1–15 bytes beyond the provided buffer. The post-processing code
in the same file correctly uses masked loads to avoid this issue.
Fixes CVE-2026-28386
Co-Authored-by: Stanislav Fort <stanislav.fort@aisle.com>
Co-Authored-by: Pavel Kohout <pavel.kohout@aisle.com>
Co-Authored-by: Alex Gaynor <gaynor@anthropic.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:16:26 2026
(cherry picked from commit 7464ccdd43f600decd0af571556a1fc56ccd6419)
Neil Horman [Wed, 1 Apr 2026 08:56:44 +0000 (10:56 +0200)]
Fix NULL deref in rsa_cms_decrypt
Very similar to CVE-2026-28389, ensure that if we are missing
parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
we don't segfault when decrypting.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28390
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr 6 18:58:30 2026
(cherry picked from commit b388240d34fb913e91171bb665a82867dca68be9)
Neil Horman [Tue, 31 Mar 2026 18:38:03 +0000 (14:38 -0400)]
Test for DH/ECDH CMS KARI processing NULL pointer dereference
Test to ensure that, if we attempt to decrypt a CMS message with a
missing parameter field of KeyEncryptionAlgorithmIdentifier
we fail, rather than segfault.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr 6 18:58:29 2026
(cherry picked from commit 6e257effe0bc482415532ef7a627cc8725fe3dcd)
Neil Horman [Mon, 16 Mar 2026 17:49:07 +0000 (13:49 -0400)]
Fix NULL deref in [ec]dh_cms_set_shared_info
Multiple independent reports indicated a SIGSEGV was possible in CMS
processing when handling a crafted CMS EnvelopedData message using a Key
Agreement Recipient Info field. If the
KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
referenced functions above will attempt to dereference the
alg->parameter data prior to checking if the parameter field is NULL.
Confirmed to resolve the issues using the reproducers provided in the
security reports.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28389
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr 6 18:58:28 2026
(cherry picked from commit dea5c521a6a78a1caed451e53a149d327d2a928d)
kovan [Mon, 2 Feb 2026 14:47:35 +0000 (15:47 +0100)]
doc: document PKCS12 password prompting for certificates
Document that commands reading certificates from PKCS#12 files may
prompt for a password. The existing documentation only mentioned
password prompting for private keys.
Fixes #21292
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:52:28 2026
(Merged from https://github.com/openssl/openssl/pull/29918)
quic: fix NULL deref in ossl_quic_new_from_listener()
ossl_quic_port_create_outgoing() can return NULL under memory pressure.
The result was used immediately by ossl_quic_channel_set_msg_callback()
without a NULL check, causing a crash on the SSL_new_from_listener()
API path.
The correct pattern already exists in create_channel() (same file): check
the return value and raise a non-normal error before jumping to cleanup.
Apply the same pattern here.
Fixes: 0b15147a37c ("Implement SSL_new_from_listener()")
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:46:54 2026
(Merged from https://github.com/openssl/openssl/pull/30667)
Apparently, it has not been caught after a29d157fdb6d "Replace homebrewed
implementation of *printf*() functions with libc" due to non-working symbol
checks.
Fixes: a29d157fdb6d "Replace homebrewed implementation of *printf*() functions with libc"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:42:24 2026
(Merged from https://github.com/openssl/openssl/pull/30635)
Update Windows CI workflow to supply correct DLLs to checkplatformsyms.pl
The check was broken in several ways, which was concealed by the fact
that checkplatformsyms.pl returned success in many cases before:
* Hard-coded file name suffixes (-3-x64) meant that the check
was not performed on OpenSSL 4.0+ and never for 32-bit builds.
* dumpbin also wasn't in PATH in some configurations, which also led
to skipped checks.
Fix that by supplying proper file names based on OpenSSL major version
and ABI, add missing VCVars calls and working dir setups.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:42:23 2026
(Merged from https://github.com/openssl/openssl/pull/30635)
.github/workflows/windows_comp.yml: drop platform symbol usage check
It has never worked, as an attempt to make it work leads to this error:
Symbol ZSTD_compressStream2 not in the allowed platform symbols list
Symbol ZSTD_CStreamInSize not in the allowed platform symbols list
Symbol ZSTD_initCStream not in the allowed platform symbols list
Symbol ZSTD_freeCStream not in the allowed platform symbols list
Symbol ZSTD_endStream not in the allowed platform symbols list
Symbol ZSTD_freeDStream not in the allowed platform symbols list
Symbol ZSTD_initDStream not in the allowed platform symbols list
Symbol ZSTD_decompressStream not in the allowed platform symbols list
Symbol ZSTD_getErrorName not in the allowed platform symbols list
Symbol ZSTD_DStreamInSize not in the allowed platform symbols list
Symbol ZSTD_decompress not in the allowed platform symbols list
Symbol ZSTD_flushStream not in the allowed platform symbols list
Symbol ZSTD_isError not in the allowed platform symbols list
Symbol ZSTD_createCStream_advanced not in the allowed platform symbols list
Symbol ZSTD_createDStream_advanced not in the allowed platform symbols list
Symbol ZSTD_compress not in the allowed platform symbols list
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:42:22 2026
(Merged from https://github.com/openssl/openssl/pull/30635)
util/checkplatformsyms.pl: do not hard-code "libcrypto-3-x64" library name
Ideally, it should probably be passed to the script as a parameter,
but, in the meantime, follow the relaxed attitude of the Unix
counterpart and match against any version and all expected arch
suffixes.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:42:21 2026
(Merged from https://github.com/openssl/openssl/pull/30635)
Igor Ustinov [Sat, 28 Mar 2026 12:49:00 +0000 (13:49 +0100)]
evp_decodeblock_int(): Bugfix of padding check
The padding check didn't take into account that by this point the f pointer
had already shifted by 4 positions. Luckily, the original f[2] and f[3]
were saved in c and d.
This code is not reachable in normal operation, but that is not a reason
not to fix it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:31:13 2026
(Merged from https://github.com/openssl/openssl/pull/30618)
huanghuihui0904 [Mon, 16 Mar 2026 03:05:36 +0000 (11:05 +0800)]
crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check()
When init_ret indicates both X509_PCY_TREE_EXPLICIT and X509_PCY_TREE_EMPTY,
the function returns without freeing the initialized policy tree.
Free the tree before returning, consistent with the earlier TREE_EMPTY branch.
Also defer *ptree = tree assignment and free the tree when user policies
are empty to avoid returning invalid memory.
Fixes #30435
Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr 3 15:03:37 2026
(Merged from https://github.com/openssl/openssl/pull/30436)
Herman Malik [Wed, 11 Mar 2026 21:49:18 +0000 (14:49 -0700)]
doc: clarify X509_STORE thread safety and lifetime contract
Improve the description of X509_STORE_lock() in X509_STORE_new.pod to
emphasize it acquires an exclusive write lock.
Add a NOTES section to X509_STORE_new.pod covering which operations are
internally thread-safe and which are not, as well as documentation on
lifetime management and reference counting.
Add a NOTES section to X509_STORE_CTX_get_by_subject.pod explaining
that the store's internal lock is released before the found object's
reference count is incremented, so the caller must ensure the store
outlives the lookup.
Clarify the reference counting and the caller's responsibilities.
Remove internal details for conciseness.
Related to #30310
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr 3 15:00:55 2026
(Merged from https://github.com/openssl/openssl/pull/30382)
eclipse07077 [Mon, 9 Mar 2026 12:35:43 +0000 (21:35 +0900)]
Fix integer overflow in EVP_ENCODE_LENGTH and base64 encoding paths
The EVP_ENCODE_LENGTH macro performs all arithmetic in the type of
its argument. When the argument is int and exceeds approximately
1.6 billion, intermediate results overflow signed int, potentially
wrapping to a smaller positive value rather than a negative one.
In b64_write() (crypto/evp/bio_b64.c), this causes OPENSSL_malloc
to allocate a buffer smaller than the actual encoded output size.
EVP_EncodeUpdate then writes past the end of the undersized buffer.
Changes:
- Cast macro argument to size_t in EVP_ENCODE_LENGTH to prevent
signed integer overflow
- Change encoded_length in b64_write() from int to size_t and add
an explicit overflow sanity check before allocation
- Change return type of evp_encodeblock_int() and
encode_base64_avx2() from int to size_t so that large encoded
output lengths are not truncated
- Update EVP_EncodeUpdate() to use size_t for the encoder return
value accumulator (j), consistent with the existing size_t total
- Add explicit (int) casts in EVP_EncodeBlock() and EVP_EncodeFinal()
where the public API requires int return values
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 14:55:29 2026
(Merged from https://github.com/openssl/openssl/pull/30321)
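As an added illustration of the overflow this commit describes (example code, not OpenSSL's own): the macro arithmetic is recalled from evp.h and should be checked against your headers, and b64_encoded_alloc_size() is a hypothetical stand-in for the pre-allocation sanity check, not the function the commit adds. The int-typed behaviour is modelled by wrapping each intermediate to 32 bits, so the example itself executes no signed overflow.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed shape of EVP_ENCODE_LENGTH(l) from OpenSSL's evp.h (check your
 * headers): ((l)+2)/3*4 + ((l)/48+1)*2 + 80, evaluated in the type of l. */

/* Post-fix behaviour: the same formula carried out in size_t. */
size_t encode_length_sz(size_t l)
{
    return (l + 2) / 3 * 4 + (l / 48 + 1) * 2 + 80;
}

/* Reinterpret a 64-bit intermediate as the 32-bit int a wrapping target
 * would produce. Goes through uint32_t so no signed overflow is executed. */
static int32_t wrap32(int64_t x)
{
    return (int32_t)(uint32_t)x;
}

/* Pre-fix behaviour modelled step by step: each intermediate is wrapped
 * to 32 bits exactly where an int-typed macro would overflow. */
int32_t encode_length_int32_wrapped(int32_t l)
{
    int32_t a = wrap32((int64_t)l + 2);
    a = wrap32((int64_t)a / 3);            /* division cannot overflow */
    a = wrap32((int64_t)a * 4);
    int32_t b = wrap32(((int64_t)l / 48 + 1) * 2);
    return wrap32((int64_t)a + b + 80);
}

/* Hypothetical allocation-size check in the spirit of the commit's fix:
 * reject negative input lengths and encoded sizes that the int-returning
 * public API could not represent. Returns 1 and sets *out on success. */
int b64_encoded_alloc_size(int inl, size_t *out)
{
    if (inl < 0)
        return 0;
    size_t n = encode_length_sz((size_t)inl);
    if (n > (size_t)INT_MAX)
        return 0;
    *out = n;
    return 1;
}
```

For inputs near 1.61 billion the wrapped result goes negative; at INT32_MAX it wraps to a smaller positive value, the case where the old b64_write() would have allocated an undersized buffer.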
Arne Schwabe [Tue, 31 Mar 2026 11:30:38 +0000 (13:30 +0200)]
Fix names of X509_V_ERR_ERROR_IN_CERT_* constants in man page
The names of the X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD in the man page have
the first _ERR_ spelt out as _ERROR_ instead.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr 1 17:06:53 2026
(Merged from https://github.com/openssl/openssl/pull/30643)
Viktor Dukhovni [Thu, 26 Mar 2026 17:02:34 +0000 (04:02 +1100)]
Refactor ML-KEM decap, also cleanse failure_key
Pedantically cleanse the typically unused decap failure_key's stack
copy.
When actually used, it is copied into the caller's shared secret result,
perhaps to be cleansed there after use, or not; that's the caller's
business.
While at it, slightly refactor the internal decap() implementation to
consolidate all the data to be cleansed into a single buffer, but now
avoid copying the public key hash, instead, when computing "K || r" as
"G(m || h)" include "h" via a separate EVP_DigestUpdate() call.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 31 05:35:12 2026
(Merged from https://github.com/openssl/openssl/pull/30598)
Collin Funk [Sat, 28 Mar 2026 07:41:01 +0000 (00:41 -0700)]
Fix -Wdiscarded-qualifiers warnings shown when glibc-2.43 is used
When building with glibc-2.43 there is the following warning:
crypto/x509/x509_vpm.c: In function 'validate_email_name':
crypto/x509/x509_vpm.c:317:13: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
317 | if ((at = memchr(name, '@', len)) == NULL)
| ^
This is due to a change described in the NEWS file of glibc-2.43:
* For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return
pointers into their input arrays now have definitions as macros that
return a pointer to a const-qualified type when the input argument is
a pointer to a const-qualified type.
Systems using this recent glibc version will likely also be using GCC 15
or later, which defaults to `-std=gnu23`, meaning that this warning will
show up without modifying `CFLAGS`.
We can make these pointers const since we never write to them.
Complements: f584ae959cbc "Let's support multiple names for certificate verification"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 02:38:14 2026
(Merged from https://github.com/openssl/openssl/pull/30613)
Pranavjeet-Naidu [Tue, 24 Mar 2026 23:45:30 +0000 (05:15 +0530)]
Add negative length validation in EVP_EncryptUpdate and EVP_DecryptUpdate
Added input length validation checks to prevent potential security issues
when negative values are passed to EVP_EncryptUpdate and EVP_DecryptUpdate.
These functions cast inl (int) to size_t without validation, which could lead
to unexpectedly large buffer allocation attempts or unintended behavior with
negative inputs.
Validation is performed early in both functions to ensure only valid,
non-negative lengths are processed. Error is reported via EVP_R_INVALID_LENGTH.
Fixes: https://github.com/openssl/openssl/issues/30486
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 02:10:52 2026
(Merged from https://github.com/openssl/openssl/pull/30560)
Milan Broz [Fri, 27 Mar 2026 09:38:52 +0000 (10:38 +0100)]
Remove superfluous volatile for RCU on Windows
When compiling on the MINGW platform, there are many warnings like this:
warning: passing argument 1 of 'CRYPTO_atomic_add64' discards 'volatile'
qualifier from pointer target type [-Wdiscarded-qualifiers]
CRYPTO_atomic_add64(&lock->qp_group[qp_idx].users, (uint64_t)1, &tmp64,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The warning actually shows several issues with volatile in struct rcu_qp:
- all handling functions using it do not use the volatile modifier,
so that the compiler can treat this pointer as non-volatile already
(Posix pthread variant does not use volatile here at all.)
- thread safety is already guaranteed by using locks
(NO_INTERLOCKEDOR64) or Interlocked*64 Win32 API functions.
- the volatile removal modifier should always be explicit
In short, I think the volatile in struct rcu_qp on Windows
has no additional value and can be removed.
This also fixes the warnings mentioned above :-)
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:25:56 2026
(Merged from https://github.com/openssl/openssl/pull/30602)
kovan [Tue, 27 Jan 2026 11:11:08 +0000 (12:11 +0100)]
doc: fix -signcert grouping in CA.pl documentation
The -signcert option was incorrectly grouped with -sign and -xsign at
line 109, which implied they were equivalent. However, -signcert is
different: it expects a self-signed certificate (not a certificate
request) in newreq.pem, and converts it to a request before signing.
This is correctly documented in its own separate section at line 123,
which states "-signcert is the same as -sign except it expects a self
signed certificate".
Remove -signcert from the -sign/-xsign grouping to eliminate the
contradiction.
Resolves: https://github.com/openssl/openssl/issues/29165
Fixes: 022696cab014 "Allow CA.pl script user to pass extra arguments to openssl command"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:10:50 2026
(Merged from https://github.com/openssl/openssl/pull/29794)
Update the documentation to reflect the const qualifiers added
to the arguments of X509_EXTENSION_get_object(), X509_EXTENSION_get_data(),
and X509v3_add_ext().
References: https://github.com/openssl/openssl/pull/30595
Complements: e75bd84ffc73 "Constify X509_get_ext() and friends.."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Tue Mar 31 00:47:35 2026
(Merged from https://github.com/openssl/openssl/pull/30601)
Abhinav Agarwal [Tue, 24 Mar 2026 02:17:04 +0000 (19:17 -0700)]
quic: add missing return 0 after raise_protocol_error for NEW_CONN_ID
Every other frame type handler in depack_process_frames() returns 0
after calling ossl_quic_channel_raise_protocol_error(), but the
NEW_CONN_ID case falls through to depack_do_frame_new_conn_id().
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:48:44 2026
(Merged from https://github.com/openssl/openssl/pull/30550)
Amaan Qureshi [Fri, 20 Mar 2026 00:40:20 +0000 (20:40 -0400)]
s390x: set minimum architecture level to z10
The keccak1600 perlasm file (`keccak1600-s390x.pl`) emits `cijne`, a
z10 compare-immediate-and-branch instruction, without declaring a
minimum architecture level. GCC defaults to `-march=z900` on s390x,
causing assembler errors when building with the default toolchain
flags:
z900 has been out of service since 2014, the Linux kernel requires
z196 minimum, and clang already defaults to z10 on s390x. A
`.machine "z10"` GAS directive in the generated assembly resolves the
error by declaring the architecture level the file already requires.
Ref: #27323
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:32:22 2026
(Merged from https://github.com/openssl/openssl/pull/30507)
Weidong Wang [Sat, 21 Mar 2026 15:41:49 +0000 (10:41 -0500)]
Fix missing EVP_CIPHER_get_iv_length() guard in PKCS5_pbe2_set_scrypt
Store the return value of EVP_CIPHER_get_iv_length() in a local variable
and guard with (ivlen > 0) before passing to memcpy/RAND_bytes, matching
the pattern already used in p5_pbev2.c. Without this, a negative return
value (-1) is implicitly converted to SIZE_MAX when cast to size_t,
causing a stack buffer overflow on iv[EVP_MAX_IV_LENGTH].
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:14:09 2026
(Merged from https://github.com/openssl/openssl/pull/30510)
This is a workaround for an issue that led to fuzz-checker CI failures;
the preliminary solution is to disable the inessential test case
test_exec_KUR_bad_pkiConf_protection.
References: https://github.com/openssl/openssl/pull/28973
Fixes: 525a4f1efbab "cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 26 15:58:42 2026
(Merged from https://github.com/openssl/openssl/pull/30567)
cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print diagnostics
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)