Ingo Franzki [Wed, 20 May 2026 14:57:07 +0000 (16:57 +0200)]
s390x: Selectively re-format s390xcap.c
The clang formatter made some code places unreadable. Selectively revert
the formatting to how it was before the re-formatting, and mark those places
with '/* clang-format off */' so that it does not get reformatted again.
While at it, change it to use designated initializers allowed with C-99.
No functional change intended.
Resolves: https://github.com/openssl/openssl/issues/31247
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:49:58 2026
(Merged from https://github.com/openssl/openssl/pull/31263)
007bsd [Tue, 26 May 2026 18:11:27 +0000 (21:11 +0300)]
poly1305: prevent crash on final without a key
EVP_MAC_init with a NULL key followed by EVP_MAC_final on a
Poly1305 context crashed with a NULL function-pointer dispatch
because poly1305_init accepted the no-key case as success, and
poly1305_final had no guard before dispatching through the
uninitialised Poly1305 state.
Add a key_set field to struct poly1305_data_st (matching
OCB/CCM/GCM), set it in poly1305_setkey, and refuse init and
final if no key has been installed.
Added a regression test asserting EVP_MAC_init with a NULL key
returns 0.
##### Checklist
- [ ] documentation is added or updated
- [x] tests are added or updated
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:35:02 2026
(Merged from https://github.com/openssl/openssl/pull/31298)
Jakub Zelenka [Thu, 28 May 2026 17:13:01 +0000 (19:13 +0200)]
quic: fix keyslot cctx leak by not checking EL state in teardown
el_teardown_keyslot() decided whether to free a keyslot by calling
ossl_qrl_enc_level_set_has_keyslot() against the EL's current state.
On error paths the state does not yet match the slots that were
provisioned, so the check returned 0 and the cctx and iv were leaked.
The fix drops the state check and relies on the existing cctx != NULL
check, which is sufficient for all callers of el_teardown_keyslot().
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Mon Jun 1 07:32:33 2026
(Merged from https://github.com/openssl/openssl/pull/31323)
Ilya Maximets [Mon, 11 May 2026 21:41:04 +0000 (23:41 +0200)]
ktls: Fix invalid memory access on retry with moving write buffer
kTLS write always uses the application buffer without a memory copy,
and as a result it completely ignores SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER.
If the user frees or re-uses the original buffer and retries
the send on SSL_ERROR_WANT_WRITE, the code will read and send the data
from the original already freed buffer sending whatever happens to be
in that memory now and corrupting the message, potentially crashing
the application as well.
Fix by making a copy if we can't send the whole thing right away and
the moving write buffer is configured.
This preserves the zero-copy semantics for the happy path and avoids
the invalid memory access and data corruption when retry is necessary.
The copy is done in the common code as it is hard to preserve the
zero-copy behavior otherwise.
Test is added that reproduces the issue. It may be possible to modify
the existing kTLS test to conditionally enable the modes and do the
BIO swap, but it feels like the issue deserves a separate one.
The test doesn't rely on any specific cipher or TLS version, so only
one combination is checked, but it should be enough.
There is no TLS_BUFFER_set_len() and the original kTLS code never
sets it, so not setting it on the copy either for now.
Fixes: 50ec750567e0 "ssl: Linux TLS Tx Offload"
Fixes #21202
Assisted-by: claude-opus-4.6
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:29:13 2026
(Merged from https://github.com/openssl/openssl/pull/31146)
Herman Semenoff [Sat, 25 Apr 2026 04:22:54 +0000 (07:22 +0300)]
ssl: avoid integer overflow by casting sum terms to size_t and not the result
Avoid possible integer overflow: instead of casting the sum to size_t,
each operand of the sum is cast to size_t before addition to avoid int
overflow.
Signed-off-by: Herman Semenoff <GermanAizek@yandex.ru>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:24:21 2026
(Merged from https://github.com/openssl/openssl/pull/30972)
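An added illustration of the cast placement the commit above describes; it is constructed for this page, not code from the OpenSSL change, and the function names are invented:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed example of the overflow the commit above avoids.
 * unsigned int is used for the terms so the wrapped result is observable;
 * with signed int the same overflow is undefined behaviour, which is what
 * makes casting the terms (not the sum) necessary.
 */

/* Before the fix: the addition is performed in unsigned int and wraps,
 * and only then is the (already wrong) result widened to size_t. */
size_t sum_cast_result(unsigned int a, unsigned int b)
{
    return (size_t)(a + b);
}

/* After the fix: each term is widened first, so the addition itself is
 * performed in size_t and cannot wrap for any pair of unsigned int values
 * when size_t is wider than unsigned int. */
size_t sum_cast_terms(unsigned int a, unsigned int b)
{
    return (size_t)a + (size_t)b;
}

/* Defensive variant for operands that are already size_t: refuse a sum
 * that does not fit instead of silently wrapping. Returns 1 on success. */
int sum_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* 1 when size_t is wider than unsigned int, i.e. the cast placement
 * changes the result on this platform (true on common 64-bit targets). */
int widening_matters(void)
{
    return sizeof(size_t) > sizeof(unsigned int);
}
```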
rootvector2 [Wed, 27 May 2026 18:14:23 +0000 (23:44 +0530)]
crypto/evp: fix double free of tmp_keymgmt in sig/kem/asym init
Commit ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free
on error path in do_sigver_init" has fixed double-free of tmp_keymgmt
in do_sigver_init() by setting it to NULL after EVP_KEYMGMT_free() call;
the same issue is present in evp_kem_init(), evp_pkey_asym_cipher_init(),
and evp_pkey_signature_init(). Address it similarly, by setting
the pointers to NULL after *_free() calls.
Complements: ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init"
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun May 31 11:03:15 2026
(Merged from https://github.com/openssl/openssl/pull/31312)
Jakub Zelenka [Thu, 28 May 2026 10:19:30 +0000 (12:19 +0200)]
quic: fix handling of the first rxe mfail in qrx_process_pkt
When qrx_ensure_free_rxe() fails at the start of qrx_process_pkt() the
function returned 0 without advancing the PACKET cursor and, for the
first packet in the datagram, without setting first_dcid. The
qrx_process_datagram() loop then re-entered qrx_process_pkt() for the
same bytes with pkt_idx >= 1 and the sentinel first_dcid (id_len = 255),
tripping the assertion in qrx_validate_hdr_early() that asserts
first_dcid->id_len to be lower than QUIC_MAX_CONN_ID_LEN.
The fix goes to malformed label instead. The header has not been decoded
at this point so eop is NULL, which makes the malformed path discard the
rest of the datagram. This is because without an RXE we can process
neither this packet nor any that follow it. This also advances the
cursor and, when the failure is on the first packet, avoids leaving
first_dcid unset for the next iteration. It is consistent with the
other allocation-failure site in the function, which already routes
through malformed.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Fri May 29 14:08:56 2026
(Merged from https://github.com/openssl/openssl/pull/31316)
yangxuqing [Sat, 23 May 2026 01:56:18 +0000 (09:56 +0800)]
slh_dsa: Remove redundant cleanup to prevent double free
Since SLH_DSA_KEY is allocated with OPENSSL_zalloc, its members are
NULL-initialized. Removing the redundant slh_dsa_key_hash_cleanup()
inside the err path of slh_dsa_key_hash_init() prevents the
double free while allowing the outer ossl_slh_dsa_key_free() to
safely handle the cleanup.
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:45:46 2026
(Merged from https://github.com/openssl/openssl/pull/31274)
That pattern alone trips up anyone who associates 'm' with modulus, and
finds themselves using BN_nnmod() incorrectly.
This change modifies the argument names to match documentation.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Igor Ustinov <igus@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri May 29 07:25:31 2026
(Merged from https://github.com/openssl/openssl/pull/31304)
Jakub Zelenka [Thu, 21 May 2026 17:07:14 +0000 (19:07 +0200)]
quic: delay el keyslot teardown after creation in setup
There is an issue for key update in the TX path: if any of the operations
fails during keyslot setup (e.g. due to memory failure), the cctx stays
set to NULL, which results in a failed assertion in qtx_encrypt_into_txe.
The fix splits the build and installation steps in
ossl_qrl_enc_level_set_key_update so the cctx teardown is done only
after the build is successful. The install is then non-fallible, so it
cannot end up with an empty cctx.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:18:36 2026
(Merged from https://github.com/openssl/openssl/pull/31268)
Nikola Pajkovsky [Mon, 25 May 2026 07:33:00 +0000 (09:33 +0200)]
crypto/aes/asm/asm-sha{1,256}-armv8.pl: add missing function alignment
clang-22 reported missing alignment on MacOS:
ld: warning: arm64 function not 4-byte aligned: _asm_sha1_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha1-armv8.o)
ld: warning: arm64 function not 4-byte aligned: _asm_sha256_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha256-armv8.o)
Add ".align 4" directives to the affected functions.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu May 28 08:31:59 2026
(Merged from https://github.com/openssl/openssl/pull/31284)
Jakub Zelenka [Mon, 18 May 2026 16:19:48 +0000 (18:19 +0200)]
Split mfail output into counting and injection subtests
Counting now always runs and is always checked, including when
hooks are not installed or skip-all is set. Only injection is
skipped in those cases.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu May 28 07:33:05 2026
(Merged from https://github.com/openssl/openssl/pull/31219)
quic: make ch_cleanup() idempotent and simplify channel error path
ch_init() calls ch_cleanup() on its own failure, after which
port_make_channel() may still call ossl_quic_channel_free() (which calls
ch_cleanup() again). The second call double-freed fields such as
ch->qlog_title.
To handle this, ch_cleanup() now NULLs every owned pointer after its
free and clears the have_statm / have_qsm flags after their destructors,
making it safe to invoke twice on the same channel.
With ch_cleanup() idempotent, port_make_channel() no longer needs the
ch_cleaned flag and the bare OPENSSL_free(ch) branch: the error path
unconditionally calls ossl_quic_channel_free() regardless of whether
ch_init() succeeded, partially initialized the channel, or already ran
ch_cleanup() on itself.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu May 28 07:26:22 2026
(Merged from https://github.com/openssl/openssl/pull/31177)
Daniel Kubec [Fri, 20 Mar 2026 20:14:11 +0000 (21:14 +0100)]
TLS: Verify session ID to prevent incorrect session resumption
When a TLS 1.2 session is resumed via an external server-side cache
SSL_CTX_sess_set_get_cb(), the session ID stored in an SSL_SESSION is assigned
by the server at the end of the original full handshake and never modified
afterwards. The client-supplied session ID in ClientHello is copied verbatim
from the session the client cached after that same handshake. If both sides
behaved correctly, the two values are guaranteed to be identical.
This commit adds an explicit comparison inside ssl_get_prev_session() between
the session ID the client offered in ClientHello and the session ID embedded in
the SSL_SESSION returned by the external cache. If they do not match, the cached
session is released and ssl_get_prev_session() returns as a cache miss, forcing
a full handshake. Catching the mismatch here ensures the server never sends a
ServerHello that claims resumption of a session ID it cannot legitimately echo.
A mismatch unambiguously indicates one of the following:
- a corrupt cache entry
- an external cache implementation that returned the wrong session
- an active tampering attempt
In all three cases refusing resumption and falling back to a full handshake is
the correct response.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 12:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30517)
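An added model of the session-ID check the commit above describes; SESSION_MODEL, the lookup callback and every function name are constructed stand-ins for SSL_SESSION, SSL_CTX_sess_set_get_cb() and ssl_get_prev_session(), not OpenSSL's code:

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of the check described above. Nothing here is OpenSSL
 * code: the struct, callback type and functions only follow the described
 * logic. The comparison is constant-time so the rejection does not leak
 * which byte of the offered ID differed.
 */
#define MAX_SID_LEN 32

typedef struct {
    unsigned char id[MAX_SID_LEN];
    size_t id_len;
    int refs;           /* reference handed to the caller on a cache hit */
} SESSION_MODEL;

/* External cache callback: returns a referenced session or NULL. */
typedef SESSION_MODEL *(*get_session_cb)(const unsigned char *id,
                                         size_t id_len, void *arg);

static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

static void session_release(SESSION_MODEL *s)
{
    if (s != NULL)
        s->refs--;
}

/*
 * Returns 1 and sets *out when the cached session may be resumed, 0 for a
 * cache miss (the caller then performs a full handshake). A session whose
 * ID does not match the offered ID is released and treated as a miss.
 */
int get_prev_session_model(const unsigned char *offered, size_t offered_len,
                           get_session_cb cb, void *arg, SESSION_MODEL **out)
{
    SESSION_MODEL *s;

    *out = NULL;
    if (offered == NULL || offered_len == 0 || offered_len > MAX_SID_LEN)
        return 0;
    s = cb(offered, offered_len, arg);
    if (s == NULL)
        return 0;
    if (s->id_len != offered_len || !ct_equal(s->id, offered, offered_len)) {
        session_release(s);     /* corrupt entry, wrong session or tampering */
        return 0;
    }
    *out = s;
    return 1;
}

/* Sample cache with one entry returned for every lookup, modelling an
 * external cache that can hand back the wrong session. */
static SESSION_MODEL cache_entry;

static SESSION_MODEL *lookup_any(const unsigned char *id, size_t id_len, void *arg)
{
    (void)id; (void)id_len; (void)arg;
    cache_entry.refs++;
    return &cache_entry;
}

/*
 * Constructed scenario: the cache holds the 8-byte ID 01..08; the client
 * offers offered_len bytes of that ID, optionally with the last byte
 * flipped. Returns 1 if the session would be resumed, 0 on fallback.
 */
int resumption_scenario(int flip_last_byte, size_t offered_len)
{
    unsigned char offered[MAX_SID_LEN];
    SESSION_MODEL *s = NULL;
    size_t i;

    for (i = 0; i < 8; i++)
        cache_entry.id[i] = (unsigned char)(i + 1);
    cache_entry.id_len = 8;
    cache_entry.refs = 0;
    memcpy(offered, cache_entry.id, 8);
    if (flip_last_byte)
        offered[7] ^= 0x80;
    return get_prev_session_model(offered, offered_len, lookup_any, NULL, &s);
}

/* Reference count left on the cache entry after the last scenario. */
int cache_entry_refs(void)
{
    return cache_entry.refs;
}
```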
The RSA PKCS#1 verify-recover provider path did not validate routsize
before passing the caller buffer to ossl_rsa_verify().
The X9.31 verify-recover path already rejects undersized output buffers,
but the PKCS#1 path could proceed with too little output space and rely
on the lower layer to write the recovered digest.
Check the expected digest size before calling ossl_rsa_verify() and
return PROV_R_OUTPUT_BUFFER_TOO_SMALL when the caller-provided buffer is
too small.
Add a regression test that covers both successful recovery with a
properly sized buffer and failure with a 1-byte output buffer, while
also checking that the short buffer is left unchanged.
Co-authored-by: Kushal <72255307+Kushalkhemka@users.noreply.github.com>
Co-authored-by: Mayank <175295782+mayank-jangid-moon@users.noreply.github.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 11:46:40 2026
(Merged from https://github.com/openssl/openssl/pull/30917)
Bob Beck [Wed, 20 May 2026 13:54:06 +0000 (07:54 -0600)]
Convert use of artisanally made hand crafted integer types
to use the stdint.h ones.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
Bob Beck [Wed, 20 May 2026 13:27:08 +0000 (07:27 -0600)]
use stdint in modes.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
yangxuqing [Sat, 23 May 2026 02:33:35 +0000 (10:33 +0800)]
crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init
In do_sigver_init(), if the for loop proceeds to its second iteration
(iter = 2), the results from the first iteration (signature and
tmp_keymgmt) are explicitly freed at the beginning of the loop.
However, the pointers are not set to NULL after being freed.
If an error occurs subsequently during this second iteration (for
example, if evp_signature_fetch_from_prov() returns NULL, triggering a
goto notsupported), the control flow jumps to the generic cleanup block
at the end of the function. This cleanup block calls
EVP_KEYMGMT_free(tmp_keymgmt) again on the dangling pointer, resulting
in a double free.
This commit resolves the issue by explicitly nullifying these pointers
immediately after they are freed at the start of the loop iteration.
(Note: This issue was discussed with the OpenSSL Security Team, who
classified it as a regular bug due to lack of attacker control and
requested a public PR.)
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:28:15 2026
(Merged from https://github.com/openssl/openssl/pull/31276)
Daniel Kubec [Mon, 18 May 2026 23:44:34 +0000 (01:44 +0200)]
test/tls13tickettest.c: check SSL_TICKET_NO_DECRYPT path in tls_parse_ctos_psk()
Add a test that rotates ticket keys so that the previously issued ticket
can no longer be decrypted: if session resumption fails
due to a NO_DECRYPT, it is expected to fall back to a full handshake,
and a new session ticket is issued.
Complements: 6115286faeb8 "TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch"
References: https://github.com/openssl/openssl/pull/30626
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:20:59 2026
(Merged from https://github.com/openssl/openssl/pull/31223)
crypto/cmp/cmp_genm.c: avoid strcat() in get_genm_itav()
There is no need to use strcat() there, as it concatenates into a string
that is used in a format string anyway. Put the literal prefix
into the format string and avoid literal string copying.
Fixes: d477484d33b7 "CMP: add support for genm/genp messages with id-it-caCerts"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue May 26 14:54:19 2026
(Merged from https://github.com/openssl/openssl/pull/31230)
Andrew Dinh [Wed, 29 Apr 2026 17:44:17 +0000 (00:44 +0700)]
util: add acvp-test util
Add a Python script acvp-test to the util/ directory, that tests
an OpenSSL binary against the NIST ACVTS demo server. acvp-test util
supports most major algorithms, including PQC algorithms added in 3.5.
Test an OpenSSL binary against the NIST ACVTS demo server.
options:
-h, --help show this help message and exit
--algorithm ALGO Algorithm to test (default: ACVP-AES-CBC)
--direction {encrypt,decrypt} [{encrypt,decrypt} ...]
Direction(s) for symmetric algorithms (default: both)
--key-len BITS [BITS ...]
Key length(s) in bits for symmetric algorithms (default: all)
--production Run as a production validation (default: sample/demo mode)
--save-vectors Save downloaded vector sets to vectors_vsNNN.json
Andrew Dinh [Wed, 20 May 2026 16:09:48 +0000 (23:09 +0700)]
quic_impl.c: pass correct SSL to ossl_ssl_connection_new_int in ossl_quic_new_from_listener
In ossl_quic_new_from_listener(), the call to ossl_ssl_connection_new_int()
was passing NULL for the user_ssl parameter. NULL causes s->user_ssl
to be set to the inner TLS ssl object, so the inner SSL object points
to itself rather than to the outer QUIC connection object.
The fix passes &qc->obj.ssl instead of NULL. Afterwards,
ossl_quic_obj_init() will initialize &qc->obj.ssl in place.
Resolves: https://github.com/openssl/project/issues/989
Fixes: 0b15147a37c5 "Implement SSL_new_from_listener()"
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 14:12:45 2026
(Merged from https://github.com/openssl/openssl/pull/31257)
kovan [Thu, 29 Jan 2026 14:13:28 +0000 (15:13 +0100)]
doc: add SSL/SSL_CTX thread safety section to openssl-threads
Add explicit documentation about thread safety of SSL and SSL_CTX
objects, clarifying that:
- SSL_CTX can be shared among threads but should be treated as
read-only after creating SSL objects or sharing across threads
- SSL connection objects should only be used by one thread at a time
- Each thread handling TLS connections should create its own SSL object
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Tue May 26 13:19:35 2026
(Merged from https://github.com/openssl/openssl/pull/29847)
yangxuqing [Sat, 23 May 2026 02:06:41 +0000 (10:06 +0800)]
providers: Nullify BIO pointer after free to prevent double free
In providers/implementations/storemgmt/file_store_any2obj.c, if the
control flow reaches the err label after BIO_free(in) is called, a
double free will occur in the generic cleanup block.
Currently, the only path to this specific err jump is if
BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team,
this failure is currently impossible because the buffer is being
shrunk (max_len >= len).
However, as requested by the security team via email, this commit
explicitly nullifies the in pointer after the first free to
future-proof the function and prevent a double free in case the
semantics of BUF_MEM_grow() or the surrounding logic change in
the future.
Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY"
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 10:14:50 2026
(Merged from https://github.com/openssl/openssl/pull/31275)
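An added model of the free-without-NULL pattern behind this commit and the tmp_keymgmt fixes in do_sigver_init() and evp_kem_init()/evp_pkey_asym_cipher_init()/evp_pkey_signature_init() above; it is constructed code, not OpenSSL's, and the KEYMGMT_MODEL pool stands in for real allocation so the buggy variant can be exercised without crashing:

```c
#include <stddef.h>

/*
 * Constructed model of the error paths fixed in the commits above
 * (tmp_keymgmt in do_sigver_init()/evp_*_init(), the BIO in
 * file_store_any2obj.c). KEYMGMT_MODEL, the pool and keymgmt_fetch() are
 * invented for this illustration; they are not OpenSSL's code. A "live"
 * flag stands in for real allocation so that the buggy variant can be run
 * and counted instead of corrupting the heap.
 */
typedef struct {
    int live;
} KEYMGMT_MODEL;

#define POOL_SIZE 4
static KEYMGMT_MODEL pool[POOL_SIZE];
static int next_slot;
static int double_frees;

/* Returns the next pooled object, or NULL to model a failed fetch. */
static KEYMGMT_MODEL *keymgmt_fetch(void)
{
    if (next_slot >= POOL_SIZE)
        return NULL;
    pool[next_slot].live = 1;
    return &pool[next_slot++];
}

/* NULL is a no-op, like EVP_KEYMGMT_free(); freeing a dead object is the
 * double free the commits fix, recorded here instead of crashing. */
static void keymgmt_free(KEYMGMT_MODEL *k)
{
    if (k == NULL)
        return;
    if (!k->live)
        double_frees++;
    k->live = 0;
}

/*
 * Mirrors the two-iteration fallback loop: each iteration first releases
 * the previous iteration's keymgmt, then fetches the operation (which can
 * fail and jump to the common cleanup) and a fresh keymgmt. fail_iter is
 * the iteration whose operation fetch fails (0 = none). Returns the number
 * of double frees observed.
 */
int sigver_init_model(int nullify_after_free, int fail_iter)
{
    KEYMGMT_MODEL *tmp_keymgmt = NULL;
    int iter;

    next_slot = 0;
    double_frees = 0;
    for (iter = 1; iter < 3; iter++) {
        keymgmt_free(tmp_keymgmt);      /* previous iteration's result */
        if (nullify_after_free)
            tmp_keymgmt = NULL;         /* the fix: no dangling pointer */

        if (iter == fail_iter)
            goto err;                   /* e.g. signature fetch returned NULL */

        tmp_keymgmt = keymgmt_fetch();
        if (tmp_keymgmt == NULL)
            goto err;
    }
 err:
    keymgmt_free(tmp_keymgmt);          /* generic cleanup block */
    return double_frees;
}
```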
Ahmed Rabea [Thu, 21 May 2026 13:24:11 +0000 (16:24 +0300)]
crypto/dso/dso_win32.c: fix win32_joiner buffer sizing for dir-only paths
win32_joiner() always emits a trailing '\' when file_split->dir
is present, even if file_split->file is NULL. The previous length
calculation only reserved that byte when file_split->file was also
non-NULL, which could cause a one-byte overflow.
Resolves: https://github.com/openssl/openssl/issues/31260
Fixes: cbecb3ac3763 "There's an ongoing project to bring some kind of path selection mechanism to the ENGINE framework. This means there there are going to be new functionality for the DSO part, and ultimately some way of merging two file specifications together.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:36:02 2026
(Merged from https://github.com/openssl/openssl/pull/31266)
As these are public by necessity, we may as well allow folks
to use them to selectively disable deprecation warnings if they
wish to temporarily use deprecated functions in limited locations
in their code.
Complements: 4036f4b0e324 "Add new public API for checking certificate times."
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:22:58 2026
(Merged from https://github.com/openssl/openssl/pull/31270)
crypto/objects/obj_dat.c: return strlcpy result in OBJ_obj2txt()
strlcpy() (and OPENSSL_strlcpy() after it) returns the length
of the input string as a result; don't throw it away just to calculate
it once again on return.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue May 26 08:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/31226)
mat [Wed, 29 Apr 2026 06:09:24 +0000 (09:09 +0300)]
test: add regression test for ciphersuite_cb() with empty list elements
Cover the three cases where CONF_parse_list() produces a NULL/empty
element: leading separator, trailing separator, and consecutive
separators (double colon). Before the fix these would crash via a
NULL memcpy inside ciphersuite_cb().
Each case also verifies via SSL_CTX_get_ciphers() that the valid
ciphersuite(s) in the same string were actually applied, not just
that the call returned without crashing.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 08:56:53 2026
(Merged from https://github.com/openssl/openssl/pull/31023)
mat [Wed, 29 Apr 2026 06:08:44 +0000 (09:08 +0300)]
ssl: guard ciphersuite_cb() against NULL elem from CONF_parse_list
CONF_parse_list() invokes its callback with elem=NULL and len=0 for
empty list elements (e.g. consecutive separators like "A::B").
ciphersuite_cb() passed elem directly to memcpy() without checking for
NULL, triggering undefined behaviour on any input containing an empty
ciphersuite token.
Skip empty elements early by returning 1 before any pointer dereference.
Fixes #30919
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 08:56:52 2026
(Merged from https://github.com/openssl/openssl/pull/31023)
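An added model of the CONF_parse_list() empty-element behaviour this commit and the regression test above describe, together with the guarded callback; parse_list(), SUITES and ciphersuite_cb_model() are constructed stand-ins, not OpenSSL's code:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of CONF_parse_list() and of the guarded callback.
 * parse_list() reproduces the documented behaviour that an empty element is
 * reported as elem=NULL, len=0; SUITES and ciphersuite_cb_model() are
 * stand-ins for the real ssl-side ciphersuite_cb(), not OpenSSL's code. */
typedef int (*list_cb)(const char *elem, int len, void *arg);

/* Splits list on sep; with nospc set, whitespace around an element is
 * trimmed. Returns 0 as soon as cb returns 0, otherwise 1. */
int parse_list(const char *list, char sep, int nospc, list_cb cb, void *arg)
{
    const char *lstart = list, *tmpend, *p;

    if (list == NULL)
        return 0;
    for (;;) {
        if (nospc)
            while (*lstart != '\0' && isspace((unsigned char)*lstart))
                lstart++;
        p = strchr(lstart, sep);
        if (p == lstart || *lstart == '\0') {
            tmpend = NULL;                  /* empty element: "::", ":A", "A:" */
        } else {
            tmpend = (p != NULL) ? p - 1 : lstart + strlen(lstart) - 1;
            if (nospc)
                while (tmpend > lstart && isspace((unsigned char)*tmpend))
                    tmpend--;
        }
        if (tmpend == NULL) {
            if (!cb(NULL, 0, arg))          /* what the callback must survive */
                return 0;
        } else if (!cb(lstart, (int)(tmpend - lstart + 1), arg)) {
            return 0;
        }
        if (p == NULL)
            return 1;
        lstart = p + 1;
    }
}

#define MAX_SUITES 8
#define MAX_NAME 48

typedef struct {
    char names[MAX_SUITES][MAX_NAME];
    int count;
} SUITES;

/* Before the fix the callback copied elem unconditionally, so an empty token
 * reached memcpy() with a NULL source. Skipping it early is the whole fix. */
int ciphersuite_cb_model(const char *elem, int len, void *arg)
{
    SUITES *s = arg;

    if (elem == NULL || len == 0)
        return 1;                           /* empty token: nothing to add */
    if (len >= MAX_NAME || s->count >= MAX_SUITES)
        return 0;
    memcpy(s->names[s->count], elem, (size_t)len);
    s->names[s->count][len] = '\0';
    s->count++;
    return 1;
}

/* Parses a ':'-separated ciphersuite list into out; returns the number of
 * suites applied, or -1 if parsing failed. */
int apply_ciphersuites(const char *list, SUITES *out)
{
    out->count = 0;
    return parse_list(list, ':', 1, ciphersuite_cb_model, out) ? out->count : -1;
}
```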
Bob Beck [Sat, 16 May 2026 16:34:52 +0000 (10:34 -0600)]
Make IPAddressFamily_cmp safe for 0 length objects with NULL data.
Found while adjusting the fuzzer to test for the requirement to
add NUL bytes on the end of ASN1 Strings. If we end up with a 0
length object here we can end up in a crash with memcmp.
This makes this cmp function test comparison like our others
that are 0 length object safe.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 26 08:51:35 2026
(Merged from https://github.com/openssl/openssl/pull/31201)
d2i_* docs: clarify how reuse is used, and how to set libctx and propq
Also removed BUGS section
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu May 21 09:14:32 2026
(Merged from https://github.com/openssl/openssl/pull/28456)
Jakub Zelenka [Tue, 12 May 2026 18:27:38 +0000 (20:27 +0200)]
Add mfail test for ossl_ht_free
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:09:37 2026
(Merged from https://github.com/openssl/openssl/pull/31237)
Jakub Zelenka [Tue, 19 May 2026 10:02:28 +0000 (12:02 +0200)]
Optimize hashtable without rcu freeing
It is not necessary to flush the table for hash tables without rcu.
This is a follow-up to https://github.com/openssl/openssl/pull/31163
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:09:36 2026
(Merged from https://github.com/openssl/openssl/pull/31237)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:03:28 2026
(Merged from https://github.com/openssl/openssl/pull/31216)
Jakub Zelenka [Thu, 7 May 2026 20:38:01 +0000 (22:38 +0200)]
Fix null derefs in ossl_quic_new_listener on mfail
This is caused by incorrect err cleanup of the mutex even if ql does not exist
(allocation failed).
It also fixes missing freeing of ports that results in an assertion failure
because the engine port list is not empty.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 08:52:14 2026
(Merged from https://github.com/openssl/openssl/pull/31112)
Bob Beck [Sat, 16 May 2026 17:29:07 +0000 (11:29 -0600)]
fix cmp mock server to not depend on NUL bytes in ASN1_STRING
The ASN1_STRING documentation states that the behavior of NUL byte addition
should not be depended upon.
The mock server calls strcmp on the bare data from an ASN1_STRING.
This only works if the data is NUL terminated.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Wed May 20 16:01:47 2026
(Merged from https://github.com/openssl/openssl/pull/31202)
Nikola Pajkovsky [Tue, 12 May 2026 06:49:31 +0000 (08:49 +0200)]
stack: use a copy thunk for typed stack deep copies
typed safestack wrappers pass type-specific copy callbacks such as
TYPE *(*)(const TYPE *) to OPENSSL_sk_deep_copy(). The generic stack code
then called those callbacks through OPENSSL_sk_copyfunc,
void *(*)(const void *), which is an incompatible function pointer type and
triggers UBSan.
Add an OPENSSL_sk_copyfunc_thunk and store it on typed stacks, mirroring the
existing compare/free thunk pattern. Generated safestack helpers now install
a per-type copy thunk when constructing a stack, and internal_copy() uses that
thunk when deep-copying typed stacks. This preserves the generic stack API
while ensuring typed copy callbacks are invoked through their real signature.
Fixes: https://github.com/openssl/project/issues/1951
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:45 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Tue, 12 May 2026 09:32:10 +0000 (11:32 +0200)]
stack: use free thunk when deep copy cleanup fails
internal_copy() used the generic OPENSSL_sk_freefunc directly when a deep
copy failed after copying some elements. For typed stacks, callers pass
type-specific free callbacks that have been cast to OPENSSL_sk_freefunc, so
calling them through the generic function pointer type is undefined behavior.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:43 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Mon, 11 May 2026 13:14:17 +0000 (15:14 +0200)]
stack: sk_<t1>_new_null() constructor is missing the OPENSSL_sk_set_cmp_thunks()
crypto/bsearch.c:33:17: runtime error: call to function int_compare through pointer to incorrect function type 'int (*)(const void *, const void *)'
/home/npajkovsky/openssl/openssl/test/stack_test.c:46: note: int_compare defined here
Fixes: https://github.com/openssl/project/issues/1950
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:41 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Mon, 11 May 2026 09:43:28 +0000 (11:43 +0200)]
evp: avoid function-pointer-type UB in EVP_*_do_all_provided
evp_generic_do_all() invokes its callback through a fixed pointer type
of the form "void (*)(void *method, void *arg)". The public
EVP_*_do_all_provided() wrappers were handing it user callbacks of type
for example:
Calling a function through a pointer whose type does not match the
function's actual definition is undefined behavior in C and is flagged
by UBSan's -fsanitize=function.
Introduce a per-type thunk generated by EVP_DO_ALL_PROVIDED_THUNK that
has the exact signature evp_generic_do_all() expects. The thunk
receives the user's typed callback and arg in a small on-stack struct
and forwards them with the correct types, so every indirect call now
matches the pointee's real prototype.
No functional change intended.
Fixes: https://github.com/openssl/project/issues/1949
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:38 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
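An added illustration of the thunk pattern used by the three stack commits and the EVP_*_do_all_provided() change above; STACK_MODEL, ITEM and all function names are constructed here and only follow the pattern, they are not OpenSSL's safestack or EVP code:

```c
#include <stdlib.h>

/* Constructed illustration of the thunk pattern from the three stack commits
 * and the EVP_*_do_all_provided() change above. STACK_MODEL, ITEM and all
 * names are invented here; OpenSSL's safestack/evp code differs in detail. */
typedef void *(*copyfunc)(const void *);
typedef void (*freefunc)(void *);
/* Thunk types have exactly the prototypes the generic code calls through; the
 * thunk alone casts the stored callback back to its real type before calling. */
typedef void *(*copyfunc_thunk)(const void *, copyfunc);
typedef void (*freefunc_thunk)(void *, freefunc);

typedef struct {
    void **data;
    size_t num;
    copyfunc_thunk copy_thunk;  /* installed by the typed constructor */
    freefunc_thunk free_thunk;
} STACK_MODEL;

/* Generic code: cf/ff are never called directly, only through the thunks. */
static void stack_pop_free(STACK_MODEL *sk, freefunc ff)
{
    size_t i;
    if (sk == NULL)
        return;
    for (i = 0; i < sk->num; i++)
        sk->free_thunk(sk->data[i], ff);
    free(sk->data);
    free(sk);
}

/* A mid-copy failure releases the partial copy through the free thunk too,
 * not through ff directly (the "use free thunk" commit above). */
static STACK_MODEL *stack_deep_copy(const STACK_MODEL *sk, copyfunc cf, freefunc ff)
{
    STACK_MODEL *ret = calloc(1, sizeof(*ret));
    size_t i;
    if (ret == NULL || (ret->data = calloc(sk->num + 1, sizeof(void *))) == NULL) {
        free(ret);
        return NULL;
    }
    ret->copy_thunk = sk->copy_thunk;
    ret->free_thunk = sk->free_thunk;
    for (i = 0; i < sk->num; i++) {
        ret->data[i] = sk->copy_thunk(sk->data[i], cf);
        if (ret->data[i] == NULL) {
            stack_pop_free(ret, ff);    /* frees only the ret->num copied */
            return NULL;
        }
        ret->num++;
    }
    return ret;
}

/* A typed element with typed copy/free functions. */
typedef struct { int value; } ITEM;
ITEM *ITEM_dup(const ITEM *src)
{ ITEM *n = malloc(sizeof(*n)); if (n != NULL) *n = *src; return n; }
void ITEM_free(ITEM *it) { free(it); }

/* Per-type thunks, as the generated safestack helpers would emit them. */
static void *ITEM_copy_thunk(const void *p, copyfunc f)
{ return ((ITEM *(*)(const ITEM *))f)((const ITEM *)p); }
static void ITEM_free_thunk(void *p, freefunc f)
{ ((void (*)(ITEM *))f)((ITEM *)p); }

/* Builds items 1..n, deep-copies, frees the original and returns the sum of
 * the copy's values (so the copy is verifiably independent); -1 on OOM. */
int deep_copy_sum(int n)
{
    STACK_MODEL *sk = calloc(1, sizeof(*sk)), *cp;
    int i, sum = 0;
    if (sk == NULL || (sk->data = calloc((size_t)n + 1, sizeof(void *))) == NULL) {
        free(sk);
        return -1;
    }
    /* What the typed constructor must do (the sk_<t1>_new_null() commit). */
    sk->copy_thunk = ITEM_copy_thunk;
    sk->free_thunk = ITEM_free_thunk;
    for (i = 1; i <= n; i++) {
        ITEM *it = malloc(sizeof(*it));
        if (it == NULL) {
            stack_pop_free(sk, (freefunc)ITEM_free);
            return -1;
        }
        it->value = i;
        sk->data[sk->num++] = it;
    }
    /* Typed wrappers would apply these casts; only the thunks call through. */
    cp = stack_deep_copy(sk, (copyfunc)ITEM_dup, (freefunc)ITEM_free);
    stack_pop_free(sk, (freefunc)ITEM_free);
    if (cp == NULL)
        return -1;
    for (i = 0; i < (int)cp->num; i++)
        sum += ((ITEM *)cp->data[i])->value;
    stack_pop_free(cp, (freefunc)ITEM_free);
    return sum;
}
```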
Daniel Kubec [Mon, 30 Mar 2026 11:43:41 +0000 (13:43 +0200)]
TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set.
Do not issue TLS 1.3 session tickets if the server has explicitly disabled
them via SSL_OP_NO_TICKET and also disabled the session cache with
SSL_SESS_CACHE_OFF. Together, these settings clearly indicate an intent to
suppress session resumption; sending NewSessionTicket messages in this case
would be wasteful and misleading.
From the server’s perspective, a client that does not advertise
psk_key_exchange_modes in TLS 1.3, or that sends it with RFC 9149 parameters
such as new_session_count = 0 or resumption_count = 0, is effectively
signaling no interest in session tickets or resumption.
RFC 8446 section 4.2.9: Servers MUST NOT select a key exchange mode that is
not listed by the client. This extension also restricts the modes for use
with PSK resumption. Servers SHOULD NOT send NewSessionTicket with tickets
that are not compatible with the advertised modes; however, if a server does
so, the impact will just be that the client's attempts at resumption fail.
Fixes #8077
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 20 15:42:00 2026
(Merged from https://github.com/openssl/openssl/pull/30639)
Weidong Wang [Wed, 18 Mar 2026 11:00:06 +0000 (06:00 -0500)]
Add test for SSL_SESSION leak on ticket abort in tls_parse_ctos_psk()
Add test_ticket_abort_session_leak() to verify that returning
SSL_TICKET_RETURN_ABORT from the decrypt ticket callback during TLS 1.3
resumption does not leak the SSL_SESSION allocated by tls_decrypt_ticket().
This exercises the error path fixed in commit 96f424c439.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:04 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
Weidong Wang [Tue, 17 Mar 2026 17:23:58 +0000 (12:23 -0500)]
Fix SSL_SESSION leak in tls_parse_ctos_psk() on ticket error paths
Two early 'return 0' statements bypass the err: label cleanup that
calls SSL_SESSION_free(sess). When tls_decrypt_ticket() allocates an
SSL_SESSION but the decrypt_ticket_cb returns ABORT, the session is
leaked. Replace 'return 0' with 'goto err' so the existing cleanup
handles it.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:01 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
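The leak fixed above is the classic "early return skips the err: label" mistake. The following is an added, self-contained C illustration (not OpenSSL code): DEMO_SESSION stands in for SSL_SESSION, demo_session_new() for the allocation tls_decrypt_ticket() performs, and the DEMO_TICKET_* values only mirror the shape of SSL_TICKET_RETURN_ABORT / SSL_TICKET_RETURN_USE. A live-object counter makes the leak observable without a sanitizer; the fixed variant also NULLs the local after handing the session to the caller so the single cleanup label cannot double-free it.

```c
#include <stdlib.h>

/* Added demo, not OpenSSL code. DEMO_SESSION stands in for SSL_SESSION, the
 * callback results mirror SSL_TICKET_RETURN_ABORT / _USE in shape only, and
 * the live-object counter is how the check below detects the leak. */
enum { DEMO_TICKET_ABORT = 0, DEMO_TICKET_USE = 1 };

typedef struct demo_session_st { int id; } DEMO_SESSION;
typedef int (*demo_ticket_cb)(DEMO_SESSION *sess, void *arg);

static int demo_live_sessions;          /* allocated but not yet freed */
static DEMO_SESSION *demo_last_new;     /* last allocation; lets a check reclaim
                                         * what the buggy path dropped */

int demo_live_session_count(void) { return demo_live_sessions; }
void demo_reset_session_count(void) { demo_live_sessions = 0; }
DEMO_SESSION *demo_last_session(void) { return demo_last_new; }

DEMO_SESSION *demo_session_new(int id)
{
    DEMO_SESSION *s = malloc(sizeof(*s));
    if (s == NULL)
        return NULL;
    s->id = id;
    demo_live_sessions++;
    demo_last_new = s;
    return s;
}

void demo_session_free(DEMO_SESSION *s)
{
    if (s == NULL)
        return;
    demo_live_sessions--;
    free(s);
}

/* Before the fix: the early "return 0" skips the err: cleanup, so the
 * session allocated for the ticket leaks whenever the callback aborts. */
int demo_parse_psk_leaky(demo_ticket_cb cb, void *arg, DEMO_SESSION **out)
{
    DEMO_SESSION *sess = demo_session_new(1);   /* as tls_decrypt_ticket() would */

    *out = NULL;
    if (sess == NULL)
        return 0;
    if (cb(sess, arg) == DEMO_TICKET_ABORT)
        return 0;                               /* BUG: sess is never freed */
    *out = sess;                                /* ownership passes to the caller */
    return 1;
}

/* After the fix: every failure funnels through the single cleanup label, and
 * the success path hands the object off and NULLs the local before reaching it. */
int demo_parse_psk_fixed(demo_ticket_cb cb, void *arg, DEMO_SESSION **out)
{
    DEMO_SESSION *sess = demo_session_new(1);
    int ret = 0;

    *out = NULL;
    if (sess == NULL)
        return 0;
    if (cb(sess, arg) == DEMO_TICKET_ABORT)
        goto err;
    *out = sess;
    sess = NULL;                                /* no double free at err: */
    ret = 1;
 err:
    demo_session_free(sess);
    return ret;
}

/* Stand-in callbacks; a real decrypt-ticket callback would inspect the ticket. */
int demo_cb_abort(DEMO_SESSION *sess, void *arg)
{
    (void)sess; (void)arg;
    return DEMO_TICKET_ABORT;
}

int demo_cb_use(DEMO_SESSION *sess, void *arg)
{
    (void)sess; (void)arg;
    return DEMO_TICKET_USE;
}
```

Running demo_parse_psk_leaky() with demo_cb_abort leaves the live count at 1 while the fixed variant returns it to 0; in a real tree the same observation comes from building with -fsanitize=address so LeakSanitizer reports the dropped allocation at exit.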
Nikola Pajkovsky [Mon, 18 May 2026 07:48:59 +0000 (09:48 +0200)]
fix UB in priority_queue
clang-22 reports UB during test make test V=0 TESTS=test_priority_queue
ssl/priority_queue.c:159:13: runtime error: call to function size_t_compare through pointer to incorrect function type 'int (*)(const void *, const void *)'
/home/npajkovsky/openssl/openssl/test/priority_queue_test.c:28: note: size_t_compare defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ssl/priority_queue.c:159:13
Fixes: https://github.com/openssl/project/issues/1953 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 19 10:43:59 2026
(Merged from https://github.com/openssl/openssl/pull/31209)
Configure: update $apitable with the recent versions
Fill $apitable with all the major.minor.0 versions up to the current one
in development. Note that while 3.5 hasn't had any APIs deprecated,
it still makes sense to support passing it as an "API level".
Resolves: https://github.com/openssl/openssl/issues/31196 Reported-by: Oliver Roberts <oliver@futaura.co.uk> Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue May 19 09:33:49 2026
(Merged from https://github.com/openssl/openssl/pull/31198)
Moryakhin Stas [Wed, 13 May 2026 13:06:34 +0000 (16:06 +0300)]
Fix app param memory cleaning
Fixes #31149
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31170)
Its last actual user was removed in 1620a2e49c77 "Fix dtls_query_mtu
so that it will always either complete with an mtu that is at least
the minimum or it will fail.", and the only remaining user,
dtls1_link_min_mtu(), just returns its last element unconditionally.
Remove g_probable_mtu and convert dtls1_link_min_mtu into a static const
containing the value.
Complements: 1620a2e49c77 "Fix dtls_query_mtu so that it will always either complete with an mtu that is at least the minimum or it will fail." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon May 18 11:09:52 2026
(Merged from https://github.com/openssl/openssl/pull/31175)
Abel Tom [Wed, 13 May 2026 16:18:45 +0000 (18:18 +0200)]
OBJ_bsearch_ex_(): Fix const qualifier warning with CHARSET_EBCDIC
Fixes #31161
When building with CHARSET_EBCDIC defined, the compiler warns about
discarding the 'const' qualifier when assigning from base_[i * size]
to the non-const pointer p1:
`warning: assignment discards 'const' qualifier from pointer target type`
Change p1 from 'char *' to 'const char *' to maintain const-correctness
since the data being pointed to should not be modified through this
pointer.
Additionally, remove the unused variables l and h that were left over
from a previous implementation of the fallback linear search. These
variables served no purpose and only generated unused variable warnings.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/31173)
Jakub Zelenka [Thu, 7 May 2026 17:13:30 +0000 (19:13 +0200)]
Fix UAF if QUIC channel init fails
This happens because the port does not get reset on the first freeing in
the channel block, so when it is freed again in ossl_quic_new, it
tries to access an item in port.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 10:50:23 2026
(Merged from https://github.com/openssl/openssl/pull/31109)
Norbert Pocs [Wed, 13 May 2026 14:10:55 +0000 (16:10 +0200)]
Use valid DH peer pubkey in the KAT tests
Co-authored-by: Viktor Dukhovni <viktor@openssl.org> Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:34:16 2026
(Merged from https://github.com/openssl/openssl/pull/31171)
test/mem_alloc_test.c: fix my_malloc/my_realloc behaviour on size == 0
That puts them more in line with CRYPTO_malloc() and CRYPTO_realloc()
behaviour, whose behaviour for the requested size of 0 is well-documented
and not "implementation-defined", as POSIX allows.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:49 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
test/mem_alloc_test.c: increase alloc size for triggering OOM malloc failure
While half of the address space is enough to make malloc() fail on
kernels of the same bitness, 32-bit compat can have enough to accommodate
such a request, and even three fourth of the address space. Bump
the requested size closer to the type's upper limit.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:48 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:27:55 2026
(Merged from https://github.com/openssl/openssl/pull/31022)
Jakub Zelenka [Mon, 11 May 2026 15:57:16 +0000 (17:57 +0200)]
Extend and separate mfail test framework
Separate the mfail framework so it can be used beyond testutil.
Specifically, this is a step toward using it in fuzzing.
This change also improves the way mfail tests are executed. It first
counts the number of allocations and then iterates through them.
This has a couple of advantages:
- It allows removal of MFAIL_SLOW_TEST by identifying slow tests based
on the number of allocations.
- It allows non-failing tests to be ignored.
In addition, it adds a new environment variable to print a backtrace on
memory failure.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:23:52 2026
(Merged from https://github.com/openssl/openssl/pull/31144)
Norbert Pocs [Thu, 7 May 2026 14:00:10 +0000 (16:00 +0200)]
providers/implementation: Generate header includes for .inc files
Make these headers self contained even as they are .inc files. This
approach makes it a lot easier to achieve self contained files and
protects from include reorders (where the .inc can get above the
dependent headers).
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:48 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
Norbert Pocs [Tue, 5 May 2026 10:36:23 +0000 (12:36 +0200)]
a_strnid: put includes together
clang-tidy calculates where to place the headers to be added. The
maximum is the latest include present in the file. Therefore the
algorithm sometimes adds the includes wrongly in the middle of the
file.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:47 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ECX keys
ossl_ecx_key_free is declared as void(ECX_KEY *) but registered
directly in the X25519/X448/Ed25519/Ed448 keymgmt OSSL_DISPATCH
tables for OSSL_FUNC_KEYMGMT_FREE, which is invoked through a
void(*)(void *) pointer in evp_keymgmt_freedata. Calling a function
through a pointer to an incompatible function type is undefined
behavior and is reported by UndefinedBehaviorSanitizer on every
ECX key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ecx_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ec/ecx_key.c:65: note: ossl_ecx_key_free defined here
All four algorithms share the same MAKE_KEYMGMT_FUNCTIONS dispatch
macro, so they hit the same UB; UBSan just deduplicates the report
on the first call.
Mirror the wrapper pattern used by ml_kem_free_key, ml_dsa_free_key,
slh_dsa_free_key, dsa_freedata, ec_freedata, and lms_free_key: add
a small static ecx_free_key with the correct OSSL_FUNC_keymgmt_free_fn
signature that forwards to ossl_ecx_key_free, and register the
wrapper in the dispatch macro. The existing direct callers of
ossl_ecx_key_free in ecx_kmgmt.c are unchanged since they pass a
typed ECX_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:58 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ML-KEM keys
ossl_ml_kem_key_free is declared as void(ML_KEM_KEY *) but registered
directly in the ML-KEM keymgmt OSSL_DISPATCH table for
OSSL_FUNC_KEYMGMT_FREE, which is invoked through a void(*)(void *)
pointer in evp_keymgmt_freedata. Calling a function through a pointer
to an incompatible function type is undefined behavior and is
reported by UndefinedBehaviorSanitizer on every ML-KEM key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ml_kem_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ml_kem/ml_kem.c:1751: note: ossl_ml_kem_key_free defined here
Mirror the wrapper pattern used by ml_dsa_free_key, slh_dsa_free_key,
dsa_freedata, ec_freedata, and lms_free_key: add a small static
ml_kem_free_key with the correct OSSL_FUNC_keymgmt_free_fn signature
that forwards to ossl_ml_kem_key_free, and register the wrapper in
the dispatch table. The existing direct callers of
ossl_ml_kem_key_free in ml_kem_kmgmt.c are unchanged since they pass
a typed ML_KEM_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:57 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
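Four commits on this page fix the same class of bug: the EVP_*_do_all_provided() thunk, the priority_queue comparator, and the ECX and ML-KEM free wrappers all exist because calling a function through a pointer of a different type is undefined behaviour, even when the argument is "just" a typed pointer versus void *. The following is an added C illustration, not OpenSSL code: DEMO_KEY stands in for ECX_KEY / ML_KEM_KEY, DEMO_DISPATCH for OSSL_DISPATCH, demo_keymgmt_freedata() for evp_keymgmt_freedata(), and demo_key_do_all() for the typed do_all wrappers. It shows both the free-slot wrapper and the per-type thunk that carries the user's typed callback and arg in an on-stack struct, so every indirect call matches the pointee's real prototype.

```c
#include <stdlib.h>
#include <string.h>

/* Added demo, not OpenSSL code. DEMO_KEY stands in for ECX_KEY / ML_KEM_KEY,
 * DEMO_DISPATCH for OSSL_DISPATCH, demo_keymgmt_freedata() for the generic
 * caller (evp_keymgmt_freedata) that only knows the slot as void (*)(void *). */
typedef struct demo_key_st {
    unsigned char secret[32];
    int *free_counter;          /* bumped on free so a check can observe it */
} DEMO_KEY;

typedef struct demo_dispatch_st {
    int function_id;
    void (*function)(void);     /* type-erased slot, like OSSL_DISPATCH */
} DEMO_DISPATCH;
#define DEMO_FUNC_KEYMGMT_FREE 1
typedef void (*demo_keymgmt_free_fn)(void *keydata); /* how the slot is called */

DEMO_KEY *demo_key_new(int *free_counter)
{
    DEMO_KEY *key = calloc(1, sizeof(*key));
    if (key != NULL)
        key->free_counter = free_counter;
    return key;
}

/* Typed destructor with its real prototype: void (DEMO_KEY *). */
void demo_key_free(DEMO_KEY *key)
{
    if (key == NULL)
        return;
    if (key->free_counter != NULL)
        (*key->free_counter)++;
    memset(key->secret, 0, sizeof(key->secret));
    free(key);
}

/* Registering demo_key_free itself and calling it as demo_keymgmt_free_fn is
 * the UB the commits above fix. This wrapper has exactly the slot's type. */
static void demo_free_key(void *vkey)
{
    demo_key_free((DEMO_KEY *)vkey);
}

const DEMO_DISPATCH demo_keymgmt_functions[] = {
    { DEMO_FUNC_KEYMGMT_FREE, (void (*)(void))demo_free_key },
    { 0, NULL }
};

/* Generic caller: finds the slot and invokes it as void (*)(void *). */
int demo_keymgmt_freedata(const DEMO_DISPATCH *fns, void *keydata)
{
    for (; fns->function_id != 0; fns++) {
        if (fns->function_id == DEMO_FUNC_KEYMGMT_FREE) {
            demo_keymgmt_free_fn fn = (demo_keymgmt_free_fn)fns->function;
            fn(keydata);        /* pointee really has this type now */
            return 1;
        }
    }
    return 0;
}

/* Same problem for iteration: the generic walker takes void (*)(void *, void *)
 * while users write void (*)(DEMO_KEY *, void *). A per-type thunk carries the
 * typed callback and its arg in a small on-stack struct and forwards them. */
typedef void (*demo_generic_cb)(void *method, void *arg);
typedef void (*demo_key_cb)(DEMO_KEY *key, void *arg);
struct demo_do_all_data { demo_key_cb user_fn; void *user_arg; };

static void demo_do_all_thunk(void *method, void *arg)
{
    struct demo_do_all_data *data = arg;
    data->user_fn((DEMO_KEY *)method, data->user_arg);
}

static void demo_generic_do_all(DEMO_KEY **keys, size_t n,
                                demo_generic_cb cb, void *arg)
{
    size_t i;
    for (i = 0; i < n; i++)
        cb(keys[i], arg);
}

void demo_key_do_all(DEMO_KEY **keys, size_t n, demo_key_cb fn, void *arg)
{
    struct demo_do_all_data data = { fn, arg };
    demo_generic_do_all(keys, n, demo_do_all_thunk, &data);
}

static void demo_count_cb(DEMO_KEY *key, void *arg)
{
    if (key != NULL)
        (*(size_t *)arg)++;
}

size_t demo_count_keys(DEMO_KEY **keys, size_t n)
{
    size_t seen = 0;
    demo_key_do_all(keys, n, demo_count_cb, &seen);
    return seen;
}
```

The check worth keeping in CI is the one from the commit messages: build with clang and -fsanitize=function (or -fsanitize=undefined on recent clang) and exercise the code paths; replacing demo_free_key with demo_key_free in the table above is enough to reproduce a "call to function ... through pointer to incorrect function type" report, while the wrapper version stays silent.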
Tomas Mraz [Tue, 12 May 2026 12:39:06 +0000 (14:39 +0200)]
Use CRYPTO_memcmp() when comparing the private keys
ML-DSA and SLH-DSA used regular memcmp(); use CRYPTO_memcmp()
just in case.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Thu May 14 09:29:14 2026
(Merged from https://github.com/openssl/openssl/pull/31155)
Jakub Zelenka [Tue, 12 May 2026 17:36:34 +0000 (19:36 +0200)]
Fix memleak in hashtable free if flush fails
This happens because free_oldmd is not run when flush fails
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 14 09:26:11 2026
(Merged from https://github.com/openssl/openssl/pull/31163)
Remove trailing whitespace to address the following find-doc-nits
warnings:
WARNING: line containing nothing but whitespace in paragraph at line 65 in file doc/man7/EVP_CIPHER-DES.pod
WARNING: line containing nothing but whitespace in paragraph at line 69 in file doc/man7/EVP_CIPHER-DES.pod
Fixes: 5ff19a7297ea "docs: Document required output buffer length in EVP_CIPHER-DES" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Thu May 14 09:24:31 2026
(Merged from https://github.com/openssl/openssl/pull/31141)
PR #27706 (that this PR reverts) was intended to fix nginx/nginx#711
The problem was that when calling SSL_set_SSL_CTX() from an SNI callback
when using a QUIC object, the QUIC custom extensions were not being
handled correctly. The fix attempted to resolve this to make sure that
they were correctly being copied.
However, in reality there was a bug in the SNI callback code that meant when
we called it from a QUIC connection we were passing the *inner* TLS
object instead of the real QUIC one. The *inner* TLS object should be
entirely internal and not exposed to user callbacks. This bug was fixed in dc84829cc5.
Once the above fix was in place `SSL_set_SSL_CTX()` immediately fails when
called with a QUIC object via the SNI callback. This was always the
intended behaviour - its use with a QUIC object was blocked since the very
beginning - but the fact that we passed the inner TLS object by mistake
circumvented the check when it was invoked from the SNI callback.
The fix in dc84829cc5 actually landed *before* the commit that this PR
reverts. So, in reality the nginx bug was already "fixed" by the time
that PR #27706 was merged (fixed in the sense that the invocation of
`SSL_set_SSL_CTX()` fails gracefully). The code that it introduced cannot
be reached (and never could be) because calling `SSL_set_SSL_CTX()` is
explicitly blocked when using a QUIC object. Therefore we should remove
this dead code.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 13 16:23:24 2026
(Merged from https://github.com/openssl/openssl/pull/31159)
Tomas Mraz [Wed, 13 May 2026 08:39:14 +0000 (10:39 +0200)]
test/ffc_internal_test.c: The ffc_params_copy_mfail test needs DSA enabled
Instead of having it disabled with no-dh, we need to disable it
with no-dsa.
Fixes: df53ee4fa00b "Add mfail test for ossl_ffc_params_copy" Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 09:46:34 2026
(Merged from https://github.com/openssl/openssl/pull/31168)
Matt Caswell [Tue, 21 Apr 2026 16:34:55 +0000 (17:34 +0100)]
Treat an unknown PSK identity the same way as a binder validation failure
Doing things this way removes the possibility of an attacker probing for
valid PSK identities as described in Appendix E.6 of RFC8446. This only
makes a difference in a PSK-only server configuration. The signal will still
exist if the server can fall back to a full handshake.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 07:38:32 2026
(Merged from https://github.com/openssl/openssl/pull/31026)
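Two commits above are about the same discipline, not leaking information through how a comparison fails: CRYPTO_memcmp() instead of memcmp() for private-key material, and treating an unknown PSK identity exactly like a binder mismatch so a client cannot probe for valid identities (RFC 8446, Appendix E.6). The following is an added C illustration, not OpenSSL code. ct_memcmp() re-implements the CRYPTO_memcmp() idea (OR-accumulate the XOR of every byte, no data-dependent early exit); demo_binder() is a non-cryptographic FNV-1a stand-in for the HMAC-based binder of RFC 8446 section 4.2.11.2, used only so the example runs stand-alone; the PSK table, identities and transcript bytes are constructed for the demo. The "leaky" server returns a distinct code for an unknown identity; the fixed one always computes a binder (with a dummy key when the identity is unknown) and collapses both failures into one result. As the commit says, this only helps a PSK-only server; if a full handshake fallback exists the signal is still there, and the strcmp() table walk here is itself variable-time, which is a separate concern from the distinguishable error.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added demo, not OpenSSL code. ct_memcmp() follows the CRYPTO_memcmp() idea;
 * demo_binder() is a toy stand-in for the HMAC-based PSK binder of RFC 8446
 * 4.2.11.2 and is NOT a MAC. Table, identities and transcript are made up. */
#define DEMO_PSK_LEN 16
#define DEMO_BINDER_LEN 8

int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];      /* touches every byte regardless of mismatch */
    return acc;                    /* 0 iff equal; carries no ordering information */
}

/* Toy keyed digest: FNV-1a over key || transcript. */
void demo_binder(const unsigned char key[DEMO_PSK_LEN],
                 const unsigned char *transcript, size_t tlen,
                 unsigned char out[DEMO_BINDER_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;

    for (i = 0; i < DEMO_PSK_LEN; i++)
        h = (h ^ key[i]) * 0x100000001b3ULL;
    for (i = 0; i < tlen; i++)
        h = (h ^ transcript[i]) * 0x100000001b3ULL;
    for (i = 0; i < DEMO_BINDER_LEN; i++)
        out[i] = (unsigned char)(h >> (8 * i));
}

struct demo_psk { const char *identity; unsigned char key[DEMO_PSK_LEN]; };

enum { DEMO_PSK_OK = 0, DEMO_PSK_UNKNOWN_IDENTITY = 1, DEMO_PSK_BAD_BINDER = 2 };

/* Before: distinct outcomes let a client learn which identities exist. */
int demo_psk_select_leaky(const struct demo_psk *tbl, size_t n, const char *identity,
                          const unsigned char *transcript, size_t tlen,
                          const unsigned char binder[DEMO_BINDER_LEN])
{
    unsigned char expect[DEMO_BINDER_LEN];
    size_t i;

    for (i = 0; i < n; i++) {
        if (strcmp(tbl[i].identity, identity) == 0) {
            demo_binder(tbl[i].key, transcript, tlen, expect);
            return ct_memcmp(expect, binder, DEMO_BINDER_LEN) == 0
                   ? DEMO_PSK_OK : DEMO_PSK_BAD_BINDER;
        }
    }
    return DEMO_PSK_UNKNOWN_IDENTITY;   /* oracle: "that identity does not exist" */
}

/* After: an unknown identity is handled exactly like a binder mismatch. The
 * binder is still computed (with a dummy key) so both failing paths do the
 * same work, and a single failure code comes back either way. */
int demo_psk_select(const struct demo_psk *tbl, size_t n, const char *identity,
                    const unsigned char *transcript, size_t tlen,
                    const unsigned char binder[DEMO_BINDER_LEN])
{
    static const unsigned char dummy_key[DEMO_PSK_LEN] = { 0 };  /* demo only */
    const unsigned char *key = dummy_key;
    unsigned char expect[DEMO_BINDER_LEN];
    unsigned char found = 0, bad;
    size_t i;

    for (i = 0; i < n; i++) {
        if (strcmp(tbl[i].identity, identity) == 0) {
            key = tbl[i].key;
            found = 1;
        }
    }
    demo_binder(key, transcript, tlen, expect);
    bad = (unsigned char)(ct_memcmp(expect, binder, DEMO_BINDER_LEN) != 0);
    bad |= (unsigned char)(found ^ 1);   /* unknown identity => same failure */
    return bad ? DEMO_PSK_BAD_BINDER : DEMO_PSK_OK;
}
```

In a real server the dummy key would be a per-process random secret rather than zeros, and the binder an HMAC over the partial ClientHello transcript hash; the structure (always compute, always compare in constant time, one failure outcome) is what removes the probe.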
Daniel Kubec [Tue, 10 Mar 2026 16:44:58 +0000 (17:44 +0100)]
CRL: Refactoring and tests for extensions, entries, and serial number duplicates
Refactoring and added tests for extensions, entries, and serial number
duplicates. The tests intentionally reflect the current behavior and existing
error states, which are not always clearly distinguished (e.g., duplicate
extensions vs. parsing errors). This serves as a baseline; follow-up work may
improve error handling or explicitly mark some cases as wontfix.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Wed May 13 07:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30349)