Bob Beck [Thu, 18 Jun 2026 17:50:37 +0000 (11:50 -0600)]
Drop Windows CE support.
Windows CE has been out of mainstream support since 2018
and will not have a modern toolchain capable of compiling
a modern OpenSSL.
The vc_wince_info Perl helper, the crypto/LPdir_wince.c
directory backend, and a long tail of _WIN32_WCE
/ OPENSSL_SYS_WINCE guards across the Windows code paths
get removed.
Spotted by idrassi.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 25 07:27:18 2026
(Merged from https://github.com/openssl/openssl/pull/31601)
crypto/ctype.c: fix off-by-one OOB in ossl_toascii()/ossl_fromascii()
Incorrect check for the upper bound allowed the value of 256 to slip
through, which could lead to an OOB read one element beyond the end
of the os_toascii/os_toebcdic arrays. Fix that by changing
the comparison with 256 from strictly greater to greater-or-equal.
Found by cppcheck.
Fixes: a1df06b36347 "This has been added to avoid the situation where some host ctype.h functions return true for characters > 127. I.e. they are allowing extended ASCII characters through which then cause problems. E.g. marking superscript '2' as a number then causes the common (ch - '0') conversion to number to fail miserably. Likewise letters with diacritical marks can also cause problems."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Thu Jun 25 07:19:30 2026
(Merged from https://github.com/openssl/openssl/pull/31661)
rec_layer_s3.c: prevent max_early_data overflow in ossl_early_data_count_ok()
Apply change similar to the one made in d41a9225196b "tls_common.c: prevent
max_early_data overflow in rlayer_early_data_count_ok()"
to ossl_early_data_count_ok(), that has similar logic in it
(as rlayer_early_data_count_ok() has been copied
from ossl_early_data_count_ok() in 9dd90232d537 "Move early data counting
out of the SSL object and into the record layer").
Complements: d41a9225196b "tls_common.c: prevent max_early_data overflow in rlayer_early_data_count_ok()"
Fixes: 70ef40a05e06 "Check max_early_data against the amount of early data we actually receive"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Thu Jun 25 07:13:07 2026
(Merged from https://github.com/openssl/openssl/pull/31628)
Jakub Zelenka [Mon, 22 Jun 2026 19:33:12 +0000 (21:33 +0200)]
apps: add error-path test recipe for skeyutl
Cover the help, option-parsing and error paths of the skeyutl command.
The successful -genkey path is not exercised as no built-in provider
implements opaque symmetric key generation yet.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Thu Jun 25 07:10:05 2026
(Merged from https://github.com/openssl/openssl/pull/31648)
Jakub Zelenka [Thu, 18 Jun 2026 17:26:47 +0000 (19:26 +0200)]
quic: add mfail tests for QUIC SRTM
This covers various functions for SRTM.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 25 07:06:31 2026
(Merged from https://github.com/openssl/openssl/pull/31593)
Daniel Kubec [Tue, 23 Jun 2026 12:10:45 +0000 (14:10 +0200)]
AEAD: reject late AAD in ChaCha20-Poly1305 after plaintext update
Align behavior with AES GCM, which already rejects this misuse with a hard
error, by tracking whether plaintext processing has started and returning an
error if AAD is supplied afterwards.
Fixes #31188
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 25 07:01:44 2026
(Merged from https://github.com/openssl/openssl/pull/31673)
Nikola Pajkovsky [Tue, 23 Jun 2026 09:05:18 +0000 (11:05 +0200)]
crypto/armcap.c: reformat MIDR CPU-model conditionals for readability
Break the long chain of MIDR_IS_CPU_MODEL() alternatives packed onto a
single line, which was effectively unreadable and impossible to review
or diff one model at a time.
Move the OPENSSL_armcap_P feature-flag test to the front of the
expression so the guard is obvious before the model list. This is a
formatting-only change.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 25 06:10:45 2026
(Merged from https://github.com/openssl/openssl/pull/31664)
Jakub Zelenka [Mon, 22 Jun 2026 21:30:49 +0000 (23:30 +0200)]
apps: cover the ec -conv_form option in the test recipe
The -conv_form option was not covered. Add a subtest that checks a
valid form changes the public key encoding and that an invalid form
is rejected. The DER encodings are also compared against committed
reference files, as they are deterministic for testec-p256.pem.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 25 06:08:38 2026
(Merged from https://github.com/openssl/openssl/pull/31652)
Viktor Dukhovni [Sat, 14 Mar 2026 09:47:06 +0000 (20:47 +1100)]
Once initialised, ML-DSA keys should be immutable
ML-DSA keys should become immutable once key material has been added.
This is already the case for at least ML-KEM keys, and should generally
be the case across all key types.
- Added the requisite check in the key management provider ml_dsa_import()
function.
- Also, consolidated the ML-KEM checks in ml_kem_import(). These were
previously partly in ml_kem_key_fromdata().
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jun 25 02:03:35 2026
(Merged from https://github.com/openssl/openssl/pull/30421)
Kirill Ermoshin [Mon, 22 Jun 2026 09:52:39 +0000 (12:52 +0300)]
Remove aliases for IANA-GOST2012-GOST8912-GOST8912
"gost2012_256/512" sigalgs aliases of IANA-GOST2012-GOST8912-GOST8912 equals
to the sigalgs of LEGACY-GOST2012-GOST8912-GOST8912, so we can't distinguish
between them for the legacy algorithm.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 24 15:07:04 2026
(Merged from https://github.com/openssl/openssl/pull/31562)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 24 15:07:02 2026
(Merged from https://github.com/openssl/openssl/pull/31562)
Tomas Mraz [Tue, 23 Jun 2026 07:57:32 +0000 (09:57 +0200)]
Always ignore the contents of the legacy record version
As per RFC8446 this value must be ignored.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Wed Jun 24 13:06:55 2026
(Merged from https://github.com/openssl/openssl/pull/31662)
Bob Beck [Fri, 29 May 2026 11:39:40 +0000 (05:39 -0600)]
Add documentation for NAME_CONSTRAINTS_check
We document which names and name constraints will be evaluated
as well as the limits that will be placed on the evaluation on
a per certificate basis.
We call out in the BUGS section that RFC 5280 requires a byte
per byte match of name constraints unless the higher level protocol
has defined a different matching method for wildcards. This
"deferral of specification" and corresponding lack of specification
by upper level protocols means that across implementations encountering
the default behaviour is to be expected, and that therefore relying
on excluded names to constrain signers in a PKI from signing wildcards
is ill advised.
This is then cross referenced in the documentation for X509_verify_cert
and the maximum possible comparisons which can be forced in a certificate
validation noted in the BUGS section of X509_verify_cert.
Fixes: https://github.com/openssl/openssl/issues/30706
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Jun 24 13:03:54 2026
(Merged from https://github.com/openssl/openssl/pull/31334)
Mounir IDRASSI [Wed, 17 Jun 2026 11:35:05 +0000 (20:35 +0900)]
Reject HelloRequest in TLS 1.3
TLS 1.3 reserves handshake message type 0 and must not silently
ignore HelloRequest records. The legacy client-side HelloRequest skip
path in tls_get_message_header() could run before the TLS 1.3 state
machine had a chance to reject the message, so a zero-length
HelloRequest injected after ClientHello was discarded instead of
triggering unexpected_message.
Restrict the skip to cases where TLS 1.3 is no longer possible.
Before ServerHello selects a version, s->version is the configured
maximum; after ServerHello or during renegotiation, it is the
negotiated version. Skip only when that value is below TLS 1.3,
preserving the existing TLS 1.2-and-below behavior.
Add TLSProxy regression tests covering rejection while TLS 1.3 is
possible and the preserved TLS 1.2 skip after ServerHello.
Fixes #31531
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 24 13:01:12 2026
(Merged from https://github.com/openssl/openssl/pull/31577)
Bernd Edlinger [Mon, 15 Jun 2026 18:10:07 +0000 (20:10 +0200)]
Prevent integer overflow in ASN1_mbstring_ncopy
This prevents a theoretically possible integer overflow
in OPENSSL_malloc(outlen + 1) at the end of ASN1_mbstring_ncopy,
when outlen is exactly INT_MAX.
That affects conversions from MBSTRING_ASC to MBSTRING_UTF8
and MBSTRING_UTF8 to MBSTRING_ASC,
because a terminating zero has to be added to the result.
And also conversions MBSTRING_BMP to MBSTRING_UTF8
in cases when UTF8 characters 0x800..0xFFFF are encoded
as 3-byte UTF8-characters and the resulting UTF8-string
is exactly INT_MAX in size.
Fixes: 97f6b621f7af ("Reject oversized inputs in ASN1_mbstring_ncopy()")
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 24 12:49:08 2026
(Merged from https://github.com/openssl/openssl/pull/31527)
Billy Brumley [Wed, 17 Jun 2026 06:17:45 +0000 (02:17 -0400)]
[test] various zero-length message positive and negative tests for AEAD ciphers
A zero-length AEAD message driven through the one-shot EVP_Cipher() interface
must agree with the streaming EVP_CipherFinal_ex() path. This checks:
- an empty message yields the same tag via both interfaces
- the true tag passes verification on decrypt
- the modified tag fails verification on decrypt
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 24 12:47:11 2026
(Merged from https://github.com/openssl/openssl/pull/31555)
pkcs7: Fix negative index handling in PKCS7_get_issuer_and_serial()
Reject negative indices before looking up the recipient info stack
entry. This makes negative out-of-range indices match the existing
behavior for too-large positive indices and avoids dereferencing
a NULL recipient info.
Add a regression test for the negative index case.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Wed Jun 24 09:10:22 2026
(Merged from https://github.com/openssl/openssl/pull/30914)
Fix unqualified reference to openssl in 25-test_verify_store.t
This problem resulted in the wrong location of openssl being used
for one step in subtest 7. The error condition is hidden if openssl
appears in the PATH.
Resolves: https://github.com/openssl/openssl/issues/31496
Fixes: 3638ffc38015 "Refactor cache_objects() loop and object type handling"
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Wed Jun 24 08:47:58 2026
(Merged from https://github.com/openssl/openssl/pull/31647)
Haiyang Huang [Thu, 18 Jun 2026 01:19:42 +0000 (09:19 +0800)]
quic: reject ACK of an unsent packet number
ossl_ackm_on_rx_ack_frame() stored ack_ranges[0].end into
largest_acked_pkt[pkt_space] without checking it against the highest
packet number actually sent in that space. Because largest_acked_pkt
only ever increases and drives loss detection, an ACK acknowledging a
packet number that was never sent (up to 2**62 - 1) pins the value and
causes every in-flight and subsequently-sent packet to be declared lost,
permanently corrupting loss detection for the connection.
RFC 9000 s. 13.1 recommends treating an acknowledgment for a packet the
endpoint did not send as a connection error of type PROTOCOL_VIOLATION,
where it can be detected.
Reject any ACK whose largest acknowledged packet number exceeds the
highest packet number sent in that space; the bound, highest_sent, is
already tracked. The depacketiser raises PROTOCOL_VIOLATION when the ACK
manager rejects the frame.
Update the QUIC tests for the new behaviour: cases 7 and 8 now assert
rejection, case 14 covers the 2**62 - 1 boundary, two pre-existing
fixtures that acknowledged one packet past the highest sent are
corrected, and the "fictional PN" script now expects a PROTOCOL_VIOLATION
close.
Fixes: fa4e92a70a5f "QUIC ACK Manager, Statistics Manager and Congestion Control API"
Assisted-by: Claude:claude-opus-4.6
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Jun 23 16:36:27 2026
(Merged from https://github.com/openssl/openssl/pull/31582)
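The ACK bound described in the commit above, as an added example that is not OpenSSL's code: a cut-down ACK manager in C that records highest_sent per packet-number space, rejects any ACK whose largest acknowledged packet number exceeds it (the PROTOCOL_VIOLATION outcome of RFC 9000 s. 13.1), and uses a simple packet-threshold loss rule (RFC 9002 s. 6.1.1) to show why the unchecked path declares every packet lost once a fictional 2^62-1 is stored. The struct layout, the three-space array, the scenario and the loss rule are assumptions for illustration; only the check itself follows the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. Names and layout are assumptions. */

#define QUIC_PN_MAX         (((uint64_t)1 << 62) - 1)
#define NUM_PN_SPACES       3
#define K_PACKET_THRESHOLD  3   /* RFC 9002 s. 6.1.1 packet threshold */

enum { ACKM_OK = 0, ACKM_PROTOCOL_VIOLATION = 1 };

typedef struct { uint64_t start, end; } ack_range_t;

typedef struct {
    uint64_t highest_sent[NUM_PN_SPACES];
    int      sent_any[NUM_PN_SPACES];
    uint64_t largest_acked[NUM_PN_SPACES];
    int      acked_any[NUM_PN_SPACES];
} ackm_t;

void ackm_init(ackm_t *a)
{
    memset(a, 0, sizeof(*a));
}

/* Record a transmitted packet; highest_sent is the bound the ACK check uses. */
void ackm_on_tx(ackm_t *a, int space, uint64_t pn)
{
    if (!a->sent_any[space] || pn > a->highest_sent[space]) {
        a->highest_sent[space] = pn;
        a->sent_any[space] = 1;
    }
}

/*
 * Process the first (largest) range of an ACK frame. check_bound == 0 is the
 * pre-fix behaviour: the largest acked PN is stored without being compared
 * to anything that was actually sent.
 */
int ackm_on_rx_ack(ackm_t *a, int space, const ack_range_t *ranges,
                   size_t nranges, int check_bound)
{
    uint64_t largest;

    if (nranges == 0 || ranges[0].start > ranges[0].end
        || ranges[0].end > QUIC_PN_MAX)
        return ACKM_PROTOCOL_VIOLATION;     /* malformed frame */
    largest = ranges[0].end;

    /* The fix: a peer cannot acknowledge a packet we never sent. */
    if (check_bound
        && (!a->sent_any[space] || largest > a->highest_sent[space]))
        return ACKM_PROTOCOL_VIOLATION;

    if (!a->acked_any[space] || largest > a->largest_acked[space]) {
        a->largest_acked[space] = largest;  /* only ever increases */
        a->acked_any[space] = 1;
    }
    return ACKM_OK;
}

/* Packet-threshold loss rule: a packet is declared lost once a packet sent
 * K_PACKET_THRESHOLD or more after it has been acknowledged. */
int ackm_is_lost(const ackm_t *a, int space, uint64_t pn)
{
    return a->acked_any[space]
        && a->largest_acked[space] >= pn + K_PACKET_THRESHOLD;
}

/*
 * Constructed scenario: send PN 0..9, receive a genuine ACK of 5..7, then an
 * ACK whose largest PN is the fictional 2^62-1, then send PN 10. Returns how
 * many of PN 0..10 loss detection now declares lost.
 */
int ackm_scenario(int check_bound)
{
    ackm_t a;
    ack_range_t genuine = { 5, 7 };
    ack_range_t bogus = { QUIC_PN_MAX, QUIC_PN_MAX };
    uint64_t pn;
    int lost = 0;

    ackm_init(&a);
    for (pn = 0; pn < 10; pn++)
        ackm_on_tx(&a, 0, pn);
    ackm_on_rx_ack(&a, 0, &genuine, 1, check_bound);
    ackm_on_rx_ack(&a, 0, &bogus, 1, check_bound); /* rejected only with the check */
    ackm_on_tx(&a, 0, 10);
    for (pn = 0; pn <= 10; pn++)
        lost += ackm_is_lost(&a, 0, pn);
    return lost;
}

int main(void)
{
    printf("lost without bound check: %d\n", ackm_scenario(0)); /* 11 */
    printf("lost with bound check:    %d\n", ackm_scenario(1)); /* 5 */
    return 0;
}
```

Without the check the bogus ACK pins largest_acked at 2^62-1, so PN 10, sent after the frame arrived, is lost the moment it leaves; with it, the frame is refused, largest_acked stays at 7 and only PN 0..4 are (correctly) lost. An ACK whose largest PN equals highest_sent is still accepted, which is the boundary the commit's case 14 exercises.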
Avoid NULL dereference if RSA_PSS_PARAMS_dup() fails in ossl_rsa_dup()
RSA_PSS_PARAMS_dup() can return NULL on failure (e.g. memory
allocation failure). The subsequent code dereferenced dupkey->pss
unconditionally when checking dupkey->pss->maskGenAlgorithm, which
would result in a NULL pointer dereference.
Check the return value and jump to the error handling instead, which
properly frees the partially constructed key.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Jun 23 16:32:24 2026
(Merged from https://github.com/openssl/openssl/pull/31619)
Update signature_tls13_scheme_list array in accordance with the current
state of the "TLS SignatureScheme" table at [1]; leave TLS 1.2 GOST
definitions be for now.
Note: these are used only for debugging output when -security_debug
option is provided to s_client/s_server commands.
ssl/t1_trce.c: use macros from tlssigalgs.h, reorder accordingly
The macro definitions for the SignatureScheme values and names
are available in "include/internal/tlssigalgs.h" (contrary to what the comment
says), use them and also order the items in the order they are present
in the header file.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Jun 23 16:29:59 2026
(Merged from https://github.com/openssl/openssl/pull/31248)
007bsd [Fri, 15 May 2026 09:04:58 +0000 (12:04 +0300)]
Fix key2ms_newctx() pointer type mismatch in MSBLOB/PVK key encoder
key2ms_newctx() returned struct key2ms_ctx_st *, but is registered
as OSSL_FUNC_ENCODER_NEWCTX and called through OSSL_FUNC_encoder_newctx_fn
(void *(*)(void *)), which is a case of undefined behavior, flagged
by -fsanitize=function. Same class as [1], missed there.
Give it the correct signature and add the self-check forward
declaration, as key2ms_freectx() already has.
[1] https://github.com/openssl/openssl/pull/31078
CLA: trivial
Fixes: 0cc0164d193f "PROV: Add MSBLOB and PVK encoders"
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jun 23 14:45:54 2026
(Merged from https://github.com/openssl/openssl/pull/31189)
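The "self-check forward declaration" the commit above mentions, as an added example in C that is not OpenSSL's code. The typedefs stand in for the shape of OSSL_FUNC_encoder_newctx_fn / OSSL_FUNC_encoder_freectx_fn and the dispatch table is simplified; both are assumptions. Declaring the function with the dispatch typedef before defining it turns a signature mismatch into a compile error, instead of the -fsanitize=function undefined behaviour this commit (and, in the same class, the asn1 aux-callback and CMP mock-server commits on this page) fixes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL code; typedefs and table layout are assumptions. */
typedef void *(newctx_fn)(void *provctx);
typedef void (freectx_fn)(void *ctx);

struct key2ms_ctx_st {
    void *provctx;
};

/*
 * Self-check forward declarations. Because key2ms_newctx is declared here
 * with the dispatch typedef, a definition with any other signature, such as
 *     static struct key2ms_ctx_st *key2ms_newctx(void *provctx)
 * is rejected by the compiler. Without the declaration that definition
 * compiles, and calling it through a void *(*)(void *) pointer is the
 * undefined behaviour -fsanitize=function reports.
 */
static newctx_fn key2ms_newctx;
static freectx_fn key2ms_freectx;

static void *key2ms_newctx(void *provctx)
{
    struct key2ms_ctx_st *ctx = calloc(1, sizeof(*ctx));

    if (ctx != NULL)
        ctx->provctx = provctx;
    return ctx;                 /* void * by contract, not struct * */
}

static void key2ms_freectx(void *vctx)
{
    free(vctx);
}

/*
 * Dispatch table: entries are stored as one common function-pointer type
 * and cast back to the exact typedef at the call site. Converting a function
 * pointer to another function-pointer type and back is defined; calling
 * through the wrong type is not.
 */
typedef void (*generic_fn)(void);
typedef struct { int id; generic_fn fn; } dispatch_t;
enum { FN_NEWCTX = 1, FN_FREECTX = 2 };

static const dispatch_t key2ms_dispatch[] = {
    { FN_NEWCTX,  (generic_fn)key2ms_newctx },
    { FN_FREECTX, (generic_fn)key2ms_freectx },
    { 0, NULL }
};

static generic_fn dispatch_find(const dispatch_t *d, int id)
{
    for (; d->id != 0; d++)
        if (d->id == id)
            return d->fn;
    return NULL;
}

/* Consumer side: look up both entries, create a context through the
 * correctly typed pointer, check it, free it. Returns 1 on success. */
int dispatch_roundtrip(void)
{
    int provctx_storage = 0;    /* constructed stand-in for a provider ctx */
    newctx_fn *mk = (newctx_fn *)dispatch_find(key2ms_dispatch, FN_NEWCTX);
    freectx_fn *rm = (freectx_fn *)dispatch_find(key2ms_dispatch, FN_FREECTX);
    struct key2ms_ctx_st *ctx;
    int ok;

    if (mk == NULL || rm == NULL)
        return 0;
    ctx = mk(&provctx_storage);
    ok = ctx != NULL && ctx->provctx == &provctx_storage;
    rm(ctx);
    return ok;
}

int main(void)
{
    printf("dispatch roundtrip ok: %d\n", dispatch_roundtrip()); /* 1 */
    return 0;
}
```

The declaration costs nothing at run time; its whole value is that the compiler, not a sanitizer at call time, catches the next contributor who returns the concrete struct type from a function that is registered under a void * contract.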
Jakub Zelenka [Thu, 18 Jun 2026 16:02:05 +0000 (18:02 +0200)]
quic: add mfail test for QUIC SRT generator
This slightly improves its coverage.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Jun 23 14:01:21 2026
(Merged from https://github.com/openssl/openssl/pull/31589)
Jakub Zelenka [Thu, 7 May 2026 17:22:49 +0000 (19:22 +0200)]
Add mfail test for SSL_new() with ctx QUIC client method
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Jun 23 13:16:52 2026
(Merged from https://github.com/openssl/openssl/pull/31249)
This change should allow us to move QUIC test scripts from
quic_multistream test to radix without dealing with conflict+rebase.
The idea is there will be one PR for each script, so more people
will be able to submit those PRs without risking conflicts around
the scripts array. This should allow for a smooth review/git push
flow.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Jun 23 12:21:25 2026
(Merged from https://github.com/openssl/openssl/pull/31547)
Bob Beck [Tue, 16 Jun 2026 18:49:52 +0000 (12:49 -0600)]
doc/man3/ASN1_aux_cb.pod: correct return code documentation for the callbacks
Attempt to make the documentation match the code.
Not attempting to change what the code does at this point, it's
all very random, and since it's been there, it is effectively established
public API now.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 22 11:56:58 2026
(Merged from https://github.com/openssl/openssl/pull/31549)
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 22 10:36:52 2026
(Merged from https://github.com/openssl/openssl/pull/31604)
Bob Beck [Thu, 18 Jun 2026 18:02:06 +0000 (12:02 -0600)]
Fix OSSL_ATOMICS_LOCKLESS detection for Windows toolchains
The check referenced USE_INTERLOCKEDOR64, but the macro defined above
for MSVC (with the right architecture/version) and 64-bit MinGW is
OSSL_USE_INTERLOCKEDOR64. As a result, OSSL_ATOMICS_LOCKLESS was
never defined on Windows, even though those toolchains do provide
lockless atomics.
Reported-by: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Fixes: 26c57423933c "Use the actually correct define for solaris and gcc"
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 22 07:22:31 2026
(Merged from https://github.com/openssl/openssl/pull/31600)
Abel Tom [Thu, 18 Jun 2026 11:58:35 +0000 (13:58 +0200)]
tls_common.c: prevent max_early_data overflow in rlayer_early_data_count_ok()
Make the local max_early_data variable uint64_t so an overflow
cannot occur if the max_early_data field in the record layer struct
has the maximum value: UINT32_MAX (0xFFFFFFFF).
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Sun Jun 21 23:50:02 2026
(Merged from https://github.com/openssl/openssl/pull/31538)
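The overflow fixed in the commit above and in its sibling for rec_layer_s3.c (ossl_early_data_count_ok()) further up this page, as an added example in C that is not OpenSSL's code. The shape of the bound check (add the ciphertext overhead to the configured limit, then compare the running early-data count plus the record length against it) is an assumption; the commits only state that a uint32_t local wraps when the field holds UINT32_MAX.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL code. count is the early data accepted so far,
 * length the size of the record being considered, overhead the ciphertext
 * expansion allowed on top of the plaintext limit, max_early_data the
 * uint32_t field from the record layer struct.
 */

/* Pre-fix shape: the limit is kept in a uint32_t copy of the field. Adding
 * the overhead to UINT32_MAX wraps to a tiny number, so with the maximum
 * configured limit the record layer rejects data it should accept. */
int early_data_count_ok_u32(uint64_t count, size_t length, size_t overhead,
                            uint32_t max_early_data)
{
    uint32_t limit = max_early_data;

    if (limit == 0)
        return 0;                       /* early data not allowed at all */
    limit += (uint32_t)overhead;        /* wraps when limit == UINT32_MAX */
    return count + length <= limit;
}

/* Fixed shape: widen the local before the addition so no wrap is possible
 * for any uint32_t field value plus any realistic overhead. */
int early_data_count_ok_u64(uint64_t count, size_t length, size_t overhead,
                            uint32_t max_early_data)
{
    uint64_t limit = max_early_data;

    if (limit == 0)
        return 0;
    limit += overhead;                  /* at most UINT32_MAX + overhead */
    if (length > UINT64_MAX - count)    /* count + length must not wrap either */
        return 0;
    return count + length <= limit;
}

int main(void)
{
    /* Constructed values: a 1024-byte record, 17 bytes of ciphertext
     * overhead, and the maximum possible limit. */
    printf("u32, limit UINT32_MAX: %d\n",
           early_data_count_ok_u32(0, 1024, 17, UINT32_MAX)); /* 0 */
    printf("u64, limit UINT32_MAX: %d\n",
           early_data_count_ok_u64(0, 1024, 17, UINT32_MAX)); /* 1 */
    return 0;
}
```

The failure mode is the quiet one: nothing crashes, the connection simply refuses early data whenever the limit is set to its maximum, so a unit test pinning the UINT32_MAX case is what catches a regression.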
Nikola Pajkovsky [Tue, 16 Jun 2026 10:58:45 +0000 (12:58 +0200)]
asn1: centralize aux const-callback dispatch to avoid function pointer cast
Replace the per-call-site `(ASN1_aux_const_cb *)aux->asn1_cb` cast in
ASN1_item_ex_i2d() and asn1_item_print_ctx() with a shared helper,
ossl_asn1_aux_const_cb(), which invokes the legacy non-const callback
through its real type. This avoids the UBSAN function-pointer-type
mismatch while preserving backward compatibility.
Fixes: https://github.com/openssl/project/issues/1970
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 23:38:12 2026
(Merged from https://github.com/openssl/openssl/pull/31541)
Correct a number of typos found in the man pages:
* doc/man3/SSL_CTX_set1_curves.pod: attenion -> attention
* doc/man3/CMS_EncryptedData_decrypt.pod: decypted -> decrypted
* doc/man3/X509_get_default_cert_file.pod: delimeter -> delimiter
* doc/man3/SSL_CTX_set_msg_callback.pod: diagostic -> diagnostic
* doc/man7/openssl-core_dispatch.h.pod: dipatch -> dispatch
* doc/man3/BIO_s_datagram.pod: hecause -> because
* doc/man3/ASN1_aux_cb.pod: auxiliarly -> auxiliary
CLA: trivial
Fixes: 3d9d1ce52904 "Add documentation for newly added ASN1 functions"
Fixes: 408622b73a18 "BIO_s_dgram: add documentation and hazard warnings"
Fixes: e2f6960fc5fe "CMS: Export CMS_EnvelopedData and add CMS_EnvelopedData_decrypt()"
Fixes: 9efd7e9e98a9 "Fix group tuple handling in DEFAULT expansion"
Fixes: bfcf1356f9fd "Update the msg_callback documentation"
Fixes: 606e0426a148 "Add support for loading root CAs from Windows crypto API"
Fixes: 329b2a2cde48 "DOCS: add openssl-core_numbers.h(7)"
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Jun 21 22:50:14 2026
(Merged from https://github.com/openssl/openssl/pull/31596)
Shmael13 [Mon, 15 Jun 2026 16:07:37 +0000 (21:07 +0500)]
demos/http3: fix missing NUL terminator on h3ssl->url
In the HTTP/3 demo server's :path handler, when the path value does not
begin with '/', the value is copied into the fixed-size url[MAXURL]
buffer with memcpy(h3ssl->url, vvalue.base, len) and no terminator is
written. len is capped at MAXURL, so a :path value of MAXURL or more
bytes fills the entire buffer, overwriting the zeroes from the preceding
memset and leaving url without a NUL terminator. The buffer is later
used as a C string by strcat() and strcmp() when building the file name,
resulting in a heap out-of-bounds read and a possible overflow of the
filename[PATH_MAX] buffer. This is reachable from a client-supplied
:path header.
Cap the length at MAXURL - 1 so that the trailing byte zeroed by the
memset always remains, guaranteeing url is NUL-terminated in every
branch. The '/'-prefixed branches are unaffected as they already write
an explicit terminator within the smaller bound.
Fixes #31516
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 16:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/31520)
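The unterminated copy described in the commit above, as an added example in C that is not the demo's code: the pre-fix cap and the fixed cap side by side, with MAXURL shrunk to 16 (a constructed value; the demo's is larger) so the effect is easy to see, plus a helper that reports whether the buffer still holds a NUL within its bounds. The handler's control flow around the copy is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the HTTP/3 demo's code. MAXURL is a constructed size. */
#define MAXURL 16

/* 1 if url carries a NUL within its MAXURL bytes, i.e. is safe to hand to
 * strcat()/strcmp(); 0 if a string function would read past the buffer. */
int url_is_terminated(const char *url)
{
    return memchr(url, '\0', MAXURL) != NULL;
}

/* Pre-fix shape: len is capped at MAXURL, so a :path of MAXURL or more
 * bytes fills the whole buffer and overwrites the terminating zero that
 * the memset() provided. */
size_t copy_path_unfixed(char url[MAXURL], const uint8_t *value, size_t len)
{
    memset(url, 0, MAXURL);
    if (len > MAXURL)
        len = MAXURL;
    memcpy(url, value, len);
    return len;
}

/* Fixed shape: cap at MAXURL - 1 so the last byte is always the zero left
 * by memset(), whatever length the client sent. */
size_t copy_path_fixed(char url[MAXURL], const uint8_t *value, size_t len)
{
    memset(url, 0, MAXURL);
    if (len > MAXURL - 1)
        len = MAXURL - 1;
    memcpy(url, value, len);
    return len;
}

/* Demo helper: copy a constructed :path of n 'A' bytes (no leading '/')
 * through one of the two variants and report whether url is terminated. */
int path_copy_terminated(size_t n, int fixed)
{
    uint8_t value[64];
    char url[MAXURL];

    if (n > sizeof(value))
        n = sizeof(value);
    memset(value, 'A', sizeof(value));
    if (fixed)
        copy_path_fixed(url, value, n);
    else
        copy_path_unfixed(url, value, n);
    return url_is_terminated(url);
}

int main(void)
{
    printf("unfixed, 20-byte :path terminated? %d\n", path_copy_terminated(20, 0)); /* 0 */
    printf("fixed,   20-byte :path terminated? %d\n", path_copy_terminated(20, 1)); /* 1 */
    return 0;
}
```

The check to carry into review is the one url_is_terminated() performs: any fixed-size buffer that is later consumed by strcat()/strcmp()/strlen() needs a guaranteed NUL inside its bounds on every path, including the one where the attacker picks the length.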
Jakub Zelenka [Mon, 15 Jun 2026 16:11:30 +0000 (18:11 +0200)]
apps: test pkeyutl -derive peer key setup
This tests currently uncovered setup_peer function and some failure
scenarios in it.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 16:04:59 2026
(Merged from https://github.com/openssl/openssl/pull/31518)
sunnyqeen [Wed, 7 Feb 2024 10:58:44 +0000 (11:58 +0100)]
Fix unix Makefile template to avoid command line too long error on windows
On cygwin/msys systems that run on Windows, the command line length is limited. Using a response file instead of putting objects on the command line avoids this error.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 15:56:08 2026
(Merged from https://github.com/openssl/openssl/pull/23077)
Ingo Franzki [Fri, 12 Jun 2026 13:30:54 +0000 (15:30 +0200)]
s390x: Don't ignore errors from s390x_mod_exp_hw() and s390x_crt()
Currently errors from s390x_mod_exp_hw() and s390x_crt() are silently
ignored and the software path is used as fallback.
Change this to only take the software path if s390x_mod_exp_hw() and
s390x_crt() return 0 to indicate that they do not support the RSA
acceleration. In case of errors, return them to the caller. Errors could
be memory allocation failures or errors during BIGNUM calls. Those should
not be ignored, but reported as failure.
Note that it can happen that the ioctl's fail, but this is not to be
reported as error. Those are situations where for example no suitable
crypto adapter is available, or the file descriptor has been closed
by a sandbox. Those situations disable the RSA acceleration for further
RSA requests, but the current operation should still be performed via the
software fallback. For cases where the RSA key size is too large for
acceleration, the operation must also be performed via the software
fallback, and not reported as an error.
This also fixes failures of the test_rsa_pkcs1_mfail test case that found
the memory allocation failures that got ignored.
Resolves: https://github.com/openssl/openssl/issues/31480
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Jun 21 14:19:54 2026
(Merged from https://github.com/openssl/openssl/pull/31482)
Ingo Franzki [Fri, 12 Jun 2026 12:58:30 +0000 (14:58 +0200)]
s390x: Don't ignore errors from s390x_HMAC_init()
Currently errors from s390x_HMAC_init() are silently ignored and the software
path is used as fallback.
Change this to only take the software path if s390x_HMAC_init() returns -1
to indicate that it does not support the HMAC acceleration. In case of
errors, return them to the caller. Errors could be memory allocation
failures or errors during digest operations. Those should not be ignored,
but reported as failure.
This also fixes failures of the test_rsa_pkcs1_mfail test case that found
the memory allocation failures that got ignored.
References: https://github.com/openssl/openssl/issues/31480
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Jun 21 14:19:53 2026
(Merged from https://github.com/openssl/openssl/pull/31482)
Tomas Mraz [Thu, 18 Jun 2026 13:51:58 +0000 (15:51 +0200)]
Remove direct includes of windows.h where possible
It should be included via e_os.h instead.
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Jun 20 11:00:42 2026
(Merged from https://github.com/openssl/openssl/pull/31587)
Jakub Zelenka [Wed, 17 Jun 2026 16:04:39 +0000 (18:04 +0200)]
pkcs11-provider: enable tls test
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
MergeDate: Thu Jun 18 18:02:35 2026
(Merged from https://github.com/openssl/openssl/pull/31568)
Jakub Zelenka [Wed, 17 Jun 2026 15:59:40 +0000 (17:59 +0200)]
property: do not overwrite the NULL-provider cache entry on set
ossl_method_store_cache_set inserts two entries per method: one keyed
on (nid, prop_query, prov) and one keyed on (nid, prop_query) with a
NULL provider, used to match "any provider" lookups.
Previously the set path always replaced the NULL-provider entry. When a
second provider cached the same nid, its method became the result for
"any provider" lookups, even though an earlier provider was already
cached. A shared nid could then resolve to the wrong provider: a
certificate's SPKI would decode through that provider's keymgmt and
X509_check_private_key would fail with a key value mismatch.
Only insert the NULL-provider entry when one does not already exist, so
the first provider to cache the nid owns it, matching the order
ossl_method_store_fetch would select.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
MergeDate: Thu Jun 18 18:02:32 2026
(Merged from https://github.com/openssl/openssl/pull/31568)
Neil Horman [Mon, 15 Jun 2026 18:01:37 +0000 (14:01 -0400)]
fix type casting in ossl_cmp_mock_srv_set1 functions
Newer versions of clang trigger ubsan warnings on the following
functions:
ossl_cmp_mock_srv_set1_refCert
ossl_cmp_mock_srv_set1_chainOut
ossl_cmp_mock_srv_set1_certOut
ossl_cmp_mock_srv_set1_newWithNew
ossl_cmp_mock_srv_set1_newWithOld
ossl_cmp_mock_srv_set1_oldWithNew
ossl_cmp_mock_srv_set1_caPubsOut
Due to the fact that the respective function prototypes don't match the
callback function pointer prototypes (the former use concrete structure
types while the latter uses a void pointer).
Fix it by bifurcating setup_cert[s] (the call-in functions) to have
variants that accept the expected type and corresponding callback
signature so that the above functions can be used without thunking.
Fixes openssl/project#1969
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Jun 18 14:03:41 2026
(Merged from https://github.com/openssl/openssl/pull/31526)
4.0.1 CHANGES.md includes the following:
* CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181,
CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, CVE-2026-42764,
CVE-2026-42765, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768,
CVE-2026-42769, CVE-2026-42770, CVE-2026-42771, CVE-2026-45445,
CVE-2026-45446, CVE-2026-45447
* https://github.com/openssl/openssl/pull/30626
"TLSv1.3: Fix server not sending NewSessionTicket after ciphersuite mismatch"
* https://github.com/openssl/openssl/pull/30904
"pkey(1) missing setup for interactive pass prompt"
* https://github.com/openssl/openssl/pull/31058
"Validate that a PSK identity is at least one byte long"
* https://github.com/openssl/openssl/pull/31146
"ktls: Fix invalid memory access on retry with moving write buffer"
* https://github.com/openssl/openssl/pull/31413
"apps/s_client.c: read one byte less to avoid triggerring overflow
protection"
4.0.1 NEWS.md includes the following:
* CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181,
CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, CVE-2026-42764,
CVE-2026-42765, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768,
CVE-2026-42769, CVE-2026-42770, CVE-2026-42771, CVE-2026-45445,
CVE-2026-45446, CVE-2026-45447
* https://github.com/openssl/openssl/pull/30904
"pkey(1) missing setup for interactive pass prompt"
* https://github.com/openssl/openssl/pull/31413
"apps/s_client.c: read one byte less to avoid triggerring overflow
protection"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 13:13:58 2026
(Merged from https://github.com/openssl/openssl/pull/31509)
Matt Caswell [Wed, 17 Jun 2026 10:18:12 +0000 (11:18 +0100)]
Fix intermittent failure in check_pc_flood radix test
check_flood_stats read the path challenge/response counters immediately
after the client's write returned, but the flood is delivered over a
real socket and processed by the connection's assist thread
asynchronously. Spin until the counters reach their expected values,
the same way check_rejected already does, instead of failing on the
first observation.
Assisted-by: Claude:claude-sonnet-4-6 Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 18 13:07:27 2026
(Merged from https://github.com/openssl/openssl/pull/31561)
doc/man3/EVP_PKEY_get_size.pod: add man for the security categories table
Commit 73188a01bd99 "doc: document EVP_PKEY_get_security_category function"
has added security level definitions as a table that has been implemented
raw via "=begin" POD directives; while the formatting for "html"
and "text" (that is not even generated by the build system)
has been provided, "man" (arguably, the most relevant one)
has been omitted, surprisingly. Rescind that omission by providing
the respective table formatting for man.
Complements: 73188a01bd99 "doc: document EVP_PKEY_get_security_category function" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 12:35:47 2026
(Merged from https://github.com/openssl/openssl/pull/31410)
Jakub Zelenka [Tue, 19 May 2026 17:24:33 +0000 (19:24 +0200)]
Add indirect CRL path validation tests
This covers currently uncovered check_crl_path and check_crl_chain
in x509_vfy.c. The mfail test tests the happy path and all memory
failures in it. In addition 3 error scenarios are tested.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:31:56 2026
(Merged from https://github.com/openssl/openssl/pull/31244)
Abel Tom [Wed, 17 Jun 2026 07:56:46 +0000 (09:56 +0200)]
Enforce RFC 8446 ticket lifetime limit for TLS 1.3 client
Add client-side validation to check if session ticket lifetime
hints exceed 7 days in TLS1.3 connections and cap it to the
maximum value of 7 days (604800 seconds).
Modified `CHANGES.md` with the description of updated change.
Resolves: #30808
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:25:33 2026
(Merged from https://github.com/openssl/openssl/pull/31174)
zhoulu [Sat, 16 May 2026 07:08:34 +0000 (15:08 +0800)]
Further improve the decryption performance of AES-128-CBC on the RISC-V architecture
The decryption performance of AES-128-CBC is improved by 6% to 15%, with the main optimizations as follows:
1. The block processing mode is adjusted to single-block loop + 4-block loop + 8-block loop.
2. The backup of ciphertext using vmv_v_v for XOR operations is replaced with reloading using vle32_v.
3. Key loading and decryption computation are interleaved in a loop.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:22:19 2026
(Merged from https://github.com/openssl/openssl/pull/31116)
Configurations/50-nonstop.conf: remove 'atexit' from disable maps
Since there is no atexit() handler installation after [1],
the associated configuration option (that was initially introduced
to support the configurations in question [2]) has no effect
and can be removed from NonStop configurations.
[1] https://github.com/openssl/openssl/pull/29385
[2] 99fb31c167e3 "Add atexit configuration option to using atexit() in libcrypto at build-time."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 18 12:20:36 2026
(Merged from https://github.com/openssl/openssl/pull/30767)
Configure, INSTALL.md: make atexit deprecated disablable
As the atexit handler was removed in [1], the no-atexit configuration option
has no effect; make that explicit by disallowing enabling atexit, and
update the documentation accordingly.
Old OpenSSL had a FIPS_mode() function. AWS-LC-FIPS and BoringSSL-FIPS
still have the FIPS_mode() API. RHEL-derived systems also still provide
FIPS_mode() as a define in up-to-date OpenSSL. And feedback from
multiple large commercial software vendors is that there is a lot of
code out there that still has FIPS_mode() sprinkled all over the place.
Add `FIPS_mode()` as a convenience define to
`EVP_default_properties_is_fips_enabled(NULL)` which is a short-hand
to check if `fips=yes` property is currently enabled on the default
library context.
It is a hint of intent, but not a proof. If you are looking to
validate whether the default configuration is using a validated module,
many additional checks are needed; please consult the security policy
of the module you are using. We heavily discourage using this macro.
Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Jun 18 11:58:15 2026
(Merged from https://github.com/openssl/openssl/pull/30339)
Viktor Dukhovni [Mon, 8 Jun 2026 07:49:14 +0000 (17:49 +1000)]
Clear unused seed when expanded key is chosen
The transient "seedbuf" value should not persist in keys that are
loaded from the "expanded" form when "prefer_seed = no".
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:39 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Viktor Dukhovni [Sun, 24 May 2026 13:12:21 +0000 (23:12 +1000)]
LMS, DH: harden empty fromdata
EVP_PKEY_fromdata for the LMS keymgmt accepted an OSSL_PARAM[] that
omits OSSL_PKEY_PARAM_PUB_KEY, returning success with an LMS_KEY
whose lms_params and ots_params remain NULL. Without even basic
algorithm parameters (derived from the key content) the key is
malformed.
EVP_PKEY_fromdata for DH/DHX accepts an empty array and yields a
DH with NULL params.p / params.g. Several DH check entry points
(DH_check, DH_check_params, DH_check_pub_key) then read
dh->params.p / .g via BN_num_bits or BN_is_odd before any NULL
check. Add defensive guards at the top of each that report
failure via *ret without dereferencing NULL; the existing
return-1-with-flags contract is preserved.
A new test_fromdata in endecode_test drives every supported
keymgmt with an empty OSSL_PARAM[] for both EVP_PKEY_PUBLIC_KEY
and EVP_PKEY_KEYPAIR selections, and tests that any returned key
is sufficiently well behaved.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Viktor Dukhovni [Wed, 20 May 2026 12:59:19 +0000 (22:59 +1000)]
Fix EVP_PKEY_dup() for ML-KEM keys
ossl_ml_kem_key_dup() left the (PUB|PRIV) selection case
unhandled, so EVP_PKEY_dup() silently returned NULL for
ML-KEM-512/768/1024. add_storage() also zeroed the duplicated
rho_pkhash, leaving the dup unequal to the original.
Add a parameterised dup sweep to test/endecode_test.c covering
every supported public-key algorithm in three shapes: full
keypair, public-only, and embryonic (parameters-only).
While here, stop endecode_test from silently passing when key
generation fails: setup_tests() now returns its accumulated
status, MAKE_*KEYS no longer short-circuits, and each
ADD_TEST_SUITE is now conditional on keygen success. Guard the
explicit-EC-curve tests with OPENSSL_NO_EC_EXPLICIT_CURVES.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:28 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Currently only amd64 is supported. It's useful
to test regressions of .rodata sections in
perlasm files.
Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Wed Jun 17 16:27:10 2026
(Merged from https://github.com/openssl/openssl/pull/28735)
Mounir IDRASSI [Thu, 11 Jun 2026 15:17:10 +0000 (00:17 +0900)]
Fix s_client Sieve STARTTLS response parsing
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Jun 17 16:22:20 2026
(Merged from https://github.com/openssl/openssl/pull/31468)
Neil Horman [Mon, 15 Jun 2026 14:04:16 +0000 (10:04 -0400)]
restore "oldest wins" behavior in method store
We expressly define EVP_*fetch apis as not guaranteeing which provider
and algorithm is sourced from. However, it's likely that some users have
some inadvertent reliance on getting the same provider for a non
provider specific (and non property specific) fetch. While that's
generally bad practice (since we don't guarantee it), it's particularly
hard to provide that behavior in the new cache infrastructure, so let's
save everyone some trouble by not changing that behavior needlessly.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:43 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
Neil Horman [Fri, 12 Jun 2026 16:59:42 +0000 (12:59 -0400)]
make ossl_method_store use cmp_exch_ptr when cleaning archive
from the conversation here:
https://github.com/openssl/openssl/pull/31018#discussion_r3386832056
@mattcaswell noted that while cleaning QUERY items and moving them to
the archive list, we do an atomic load of a QUERY's next pointer to
another shared query's next pointer. While it's not been observed, it
may be possible for the clean operation to move an element to the
archive while a concurrent thread is prepending to the list, the result
being that the active (cache_list) list has a head pointer whose next
pointer points into the archive list.
The result of this would be subsequent lookups fail to find anything not
archived in the cache, and need to go through the slow
ossl_method_construct path again to slowly rebuild the cache. That's not
catastrophic, but it's definitely a bug that will result in additional
memory allocations, along with entries that never get used again, and
possible memory leaks.
Switch the load_ptr call to be an atomic cmp_exch_ptr call to ensure
that the node being visited isn't mutated concurrently by both a thread
doing a clean and a list insert. This ensures that only one thread wins
the update, while the other restarts their operation.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:41 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
Neil Horman [Fri, 12 Jun 2026 15:24:08 +0000 (11:24 -0400)]
convert ossl method store cache to do full prop_query comparison
As noted in this conversation:
https://github.com/openssl/openssl/pull/31018#discussion_r3386478127
While unlikely, it is possible that a single provider may provide an
algorithm for the same <name,operation_id,provider> tuple, differing
only by property query string. If, somehow the property strings for
those two algorithms hash to the same value, the property cache may
return the wrong algorithm.
This was mitigated prior to the introduction of the atomic link list
implementation by having the internal hash table do a collision check,
in which the full property string (along with the nid and provider
pointer) were compared byte-for-byte.
Fix this by re-introducing the same comparison. We already do a
comparison check on the exact nid value and provider pointer, so we now
store the property query for each QUERY and compare it to the query
string requested using strcmp.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:39 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
get_crl_score() is used when selecting a complete/base CRL. Its delta CRL rejection was chained after the extended CRL and IDP reason handling, so it could be skipped when extended CRL support was disabled, or when an IDP onlySomeReasons branch was taken.
As a result, a CRL with a Delta CRL Indicator could be scored as a complete/base CRL candidate. Since a delta CRL contains only changes relative to a base CRL, this could cause a previously revoked certificate to be accepted as valid when only the delta CRL is presented to the verifier.
Reject CRLs with base_crl_number unconditionally in get_crl_score() before IDP reason filtering. Delta CRLs are still considered by get_delta_sk() after a complete CRL is selected and check_delta_base() confirms compatibility.
Add verify recipe coverage for a delta CRL being rejected as a complete CRL, and for a delta CRL with IssuingDistributionPoint.onlySomeReasons being rejected under -extended_crl.
Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 08:53:02 2026
(Merged from https://github.com/openssl/openssl/pull/31044)
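An added model in C (not the x509_vfy.c code) of the two scoring orders the commit describes: in the pre-fix shape the delta rejection sits behind the extended-CRL check and the onlySomeReasons branch and can be bypassed, while in the fixed shape it runs first. The struct fields, reason constants and the exact branch shapes are constructed for illustration.

```c
#include <stddef.h>

/* Constructed reason bits; REASON_ALL means "no onlySomeReasons restriction". */
#define REASON_KEY_COMPROMISE 0x02
#define REASON_ALL            0xff

struct toy_crl {
    int is_delta;       /* Delta CRL Indicator (base_crl_number) present */
    int has_idp;        /* IssuingDistributionPoint present */
    int idp_reasons;    /* onlySomeReasons mask, REASON_ALL when unrestricted */
};

struct toy_params {
    int extended_crl;     /* extended CRL support enabled (-extended_crl) */
    int wanted_reasons;   /* reasons the verifier still needs a CRL to cover */
};

/* Shape of the pre-fix ordering as the commit describes it (constructed model):
 * the delta rejection sits behind the extended-CRL check and is bypassed when
 * the onlySomeReasons branch is taken. Returns 1 for a usable complete/base CRL
 * candidate, 0 to reject. */
static int score_before_fix(const struct toy_params *p, const struct toy_crl *c)
{
    if (!p->extended_crl)
        return 1;                                   /* delta indicator never examined */
    if (c->has_idp && c->idp_reasons != REASON_ALL)
        return (c->idp_reasons & p->wanted_reasons) ? 1 : 0;   /* delta check skipped */
    if (c->is_delta)
        return 0;
    return 1;
}

/* Fixed ordering: a CRL carrying a Delta CRL Indicator is never a complete/base
 * candidate, so reject it before any flag or IDP reason handling; delta CRLs are
 * only considered later, once a base CRL has been selected. */
static int score_after_fix(const struct toy_params *p, const struct toy_crl *c)
{
    if (c->is_delta)
        return 0;
    if (!p->extended_crl)
        return 1;
    if (c->has_idp && c->idp_reasons != REASON_ALL)
        return (c->idp_reasons & p->wanted_reasons) ? 1 : 0;
    return 1;
}
```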
Jakub Zelenka [Mon, 15 Jun 2026 16:29:43 +0000 (18:29 +0200)]
pkcs11-provider: update to latest version
This fixes an accidental version update in e2bd9f8c28 which is causing CI
failure for pkcs11-provider tests.
It needs to add xxd package that is used in the new hkdf test.
Fixes: e2bd9f8c28c0 "ml_kem: return an error on catastrophic failure in decap" Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Mon Jun 15 20:23:25 2026
(Merged from https://github.com/openssl/openssl/pull/31522)
Andrew Dinh [Tue, 9 Jun 2026 10:59:25 +0000 (17:59 +0700)]
Use %zu for printing size_t values
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Mon Jun 15 19:24:43 2026
(Merged from https://github.com/openssl/openssl/pull/31454)
Bob Beck [Tue, 9 Jun 2026 21:18:56 +0000 (15:18 -0600)]
Fix BIO_write on file BIOs to report partial writes.
This makes it have the same behaviour as it does on all other
BIOs.
Due to a longstanding workaround that should no longer be needed
a partial write of the data (before a write error or end of file)
was reported as no data being written out.
Fixes: https://github.com/openssl/openssl/issues/31355 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 14:42:25 2026
(Merged from https://github.com/openssl/openssl/pull/31434)
Port script_2 from test/quic_multistream.c to test/radix/quic_tests.c
The multistream tests use so-called t-server to test QUIC connection
and stream functionality. With the introduction of the QUIC SSL listener
object and QUIC TLS server method, using t-server is no longer
necessary (and welcomed). All multistream tests should be
ported to the QUIC radix test infrastructure.
Co-authored-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Mon Jun 15 14:38:19 2026
(Merged from https://github.com/openssl/openssl/pull/30935)
Daniel Kubec [Fri, 29 May 2026 14:08:11 +0000 (16:08 +0200)]
DOC: document ticket suppression for SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF
Complements: e5a1892 "TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set."
Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 14:13:25 2026
(Merged from https://github.com/openssl/openssl/pull/31335)
Jakub Zelenka [Tue, 9 Jun 2026 19:07:39 +0000 (21:07 +0200)]
ml_kem: return an error on catastrophic failure in decap
ML-KEM decapsulation applies implicit rejection by copying the failure
key into the shared secret when the FO re-encryption check fails. This
is correct for a syntactically valid but incorrect ciphertext, and must
stay constant-time and ciphertext-dependent.
However, the same path was also taken when hash_kr() or encrypt_cpa()
failed outright, for example on a memory allocation failure inside
EVP_DigestInit_ex(). In that case decap() copied the failure key and
still returned success, so the caller derived a wrong shared secret with
no error reported. For QUIC this produces a handshake that cannot
converge: the derived keys diverge from the peer, packets fail to
decrypt, and the connection stalls until it times out, with no
diagnostic pointing at the real cause.
These primitive failures are not dependent on the ciphertext, so
reporting them as a hard error does not create a chosen-ciphertext
oracle and does not weaken the constant-time implicit rejection that
happens later via CRYPTO_memcmp() and constant_time_select_8(). Treat
them the same way the existing kdf() failure is already treated, by
raising an error and returning 0.
Also fix the comment, which referred to hash_g() where the code actually
calls hash_kr().
Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:58:32 2026
(Merged from https://github.com/openssl/openssl/pull/31432)
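The two failure classes the commit distinguishes, as an added toy model in C (not OpenSSL's ml_kem code): a simulated ciphertext-independent primitive failure is a hard error, while a re-encryption mismatch still returns success with the shared secret swapped for the rejection secret through a constant-time select. The hash, the keys, the ciphertext layout and the `toy_hash_failures` knob are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MSG_LEN 16
#define CT_LEN  32   /* toy ciphertext: [msg XOR sk (16 bytes) | tag(msg) (16 bytes)] */
#define SS_LEN  16

/* Constructed toy secrets (not ML-KEM values): decryption key sk, failure key z. */
static const unsigned char sk[MSG_LEN] = { 0x5a, 0xc3, 0x11, 0x7e, 0x42, 0x99, 0xd0, 0x08, 0x31, 0xaa, 0x6f, 0x0c, 0xe5, 0x27, 0xb8, 0x93 };
static const unsigned char z[MSG_LEN]  = { 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 };

/* When > 0 the next toy_hash() call fails and the counter is decremented; this
 * models a ciphertext-independent primitive failure (e.g. EVP_DigestInit_ex() OOM). */
int toy_hash_failures = 0;

/* Toy 16-byte hash (FNV-style mixing, not cryptographic). Returns 0 on a simulated failure. */
static int toy_hash(unsigned char out[SS_LEN], const unsigned char *in, size_t n, unsigned char dom)
{
    uint32_t h = 2166136261u ^ dom;
    size_t i;
    if (toy_hash_failures > 0) {
        toy_hash_failures--;
        return 0;
    }
    for (i = 0; i < n; i++) { h ^= in[i]; h *= 16777619u; }
    for (i = 0; i < SS_LEN; i++) { h ^= (uint32_t)i; h *= 16777619u; out[i] = (unsigned char)(h >> 24); }
    return 1;
}

/* Constant-time equality check: 0 if equal, nonzero otherwise (CRYPTO_memcmp contract). */
static unsigned int ct_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return acc;
}

/* Toy encapsulation: builds a well-formed ciphertext and the matching shared secret. */
static int encap_toy(unsigned char ct[CT_LEN], unsigned char ss[SS_LEN], const unsigned char msg[MSG_LEN])
{
    size_t i;
    for (i = 0; i < MSG_LEN; i++) ct[i] = msg[i] ^ sk[i];
    return toy_hash(ct + MSG_LEN, msg, MSG_LEN, 'T') && toy_hash(ss, msg, MSG_LEN, 'K');
}

/* Implicit-rejection secret: derived from the failure key z and the ciphertext. */
static int reject_key_toy(unsigned char out[SS_LEN], const unsigned char ct[CT_LEN])
{
    unsigned char zc[MSG_LEN + CT_LEN];
    memcpy(zc, z, MSG_LEN);
    memcpy(zc + MSG_LEN, ct, CT_LEN);
    return toy_hash(out, zc, sizeof(zc), 'Z');
}

/* Decapsulation with the fixed control flow: a primitive failure is a hard error
 * (return 0); a re-encryption mismatch returns 1 with ss switched to the rejection
 * secret by a constant-time select, never by a branch on the comparison result. */
static int decap_toy(unsigned char ss[SS_LEN], const unsigned char ct[CT_LEN])
{
    unsigned char msg[MSG_LEN], ct2[CT_LEN], k[SS_LEN], kf[SS_LEN];
    unsigned int d, mask; size_t i;
    for (i = 0; i < MSG_LEN; i++) msg[i] = ct[i] ^ sk[i];       /* decrypt_cpa */
    if (!toy_hash(k, msg, MSG_LEN, 'K'))                         /* hash_kr: may fail outright */
        return 0;
    for (i = 0; i < MSG_LEN; i++) ct2[i] = msg[i] ^ sk[i];      /* encrypt_cpa: re-encrypt msg */
    if (!toy_hash(ct2 + MSG_LEN, msg, MSG_LEN, 'T') || !reject_key_toy(kf, ct))
        return 0;
    d = ct_memcmp(ct, ct2, CT_LEN);                              /* nonzero iff ct is not genuine */
    mask = 0u - ((d | (0u - d)) >> 31);                          /* all ones iff d != 0 */
    for (i = 0; i < SS_LEN; i++)                                 /* constant_time_select_8 */
        ss[i] = (unsigned char)((kf[i] & mask) | (k[i] & ~mask));
    return 1;
}
```

A caller that only checks the return value now sees the allocation failure as an error, while a tampered ciphertext still yields a deterministic, ciphertext-dependent secret with no error, so neither path leaks which case occurred through control flow.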
Jakub Zelenka [Tue, 2 Jun 2026 18:24:38 +0000 (20:24 +0200)]
test: add pkey -ec_conv_form coverage
Cover the previously untested EC point conversion form path for
uncompressed, compressed and hybrid output, as well as the non-EC key
rejection. Verified by the leading octet of the encoded point in the
SubjectPublicKeyInfo.
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:54:50 2026
(Merged from https://github.com/openssl/openssl/pull/31370)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:53:40 2026
(Merged from https://github.com/openssl/openssl/pull/31192)
Jakub Zelenka [Fri, 15 May 2026 15:22:35 +0000 (17:22 +0200)]
Test s_time with new -testmode option
Adds -testmode to s_time, mirroring the option in openssl speed.
It bypasses the -time window and runs a minimal number of iterations
(1 for new connections, 2 for session reuse).
Adds test_stime covering the new, reuse, and TLSv1.2/TLSv1.3 paths.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:53:39 2026
(Merged from https://github.com/openssl/openssl/pull/31192)
Fix use-after-free issue in radix test framework for QUIC.
The test for client_hello and new_pending connection should
be using its own dedicated SSL context. The thing is we should
not be arming (and testing) those callbacks for every listener
the RADIX test framework creates.
This changeset moves the test from test/radix/quic_ops.c
to test/radix/quic_tests.c. The test uses check_ctx_cbks
RADIX script now.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 07:29:02 2026
(Merged from https://github.com/openssl/openssl/pull/31421)
Milan Broz [Sun, 14 Jun 2026 17:04:46 +0000 (19:04 +0200)]
ci: Switch to VS 2026 for windows-2025 image
GitHub no longer supports Visual Studio 2022 on windows-2025
image, switch to VS 2026.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 07:23:17 2026
(Merged from https://github.com/openssl/openssl/pull/31497)
Add a Windows-only RIO notifier test that exercises initialization,
signalling, unsignalling, and cleanup without test-only hooks.
The RIO WSA lifecycle fix itself landed via #31339. This keeps the
remaining PR focused on coverage and removes the stale ssl_init.c include
for the deleted WSA cleanup path.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Fri Jun 12 13:54:17 2026
(Merged from https://github.com/openssl/openssl/pull/30918)
curve448: make locally-used functions static and remove unused ones
ossl_c448_ed448_derive_public_key(), ossl_c448_ed448_sign(),
and ossl_c448_ed448_verify() are only called from within the compilation
unit, while ossl_c448_ed448_convert_private_key_to_x448(),
ossl_c448_ed448_sign_prehash() and ossl_c448_ed448_verify_prehash()
are not used anywhere, seemingly. Make the former static (removing
them from the header, removing the ossl_ prefix, and moving
the descriptions to the definitions) and remove the latter.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Jun 12 13:11:48 2026
(Merged from https://github.com/openssl/openssl/pull/31362)
Dmitry Misharov [Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)]
ci: Verify jom/NASM downloads and fall back to upstream on forks
Move the OpenSSL-hosted jom and NASM downloads under the /ci-deps/
path and verify them against SHA256 sums recorded in
.github/ci-deps.json before installing. Forks, which can't reach the
mirror reliably, download from the upstream Qt and NASM locations
instead.
ci: Download jom and NASM from OpenSSL-hosted mirror
Chocolatey-hosted packages for jom and NASM occasionally become
unavailable, causing CI failures on Windows builds. Host these
tools on our own infrastructure to eliminate this external
dependency.
David Foster [Fri, 5 Jun 2026 02:02:44 +0000 (22:02 -0400)]
Add constant-time validation for CRYPTO_memcmp
Add test/crypto_memcmp_test.c which provides functional coverage for
CRYPTO_memcmp under regular builds and constant-time coverage under
enable-ct-validation builds.
The added constant-time coverage checks:
- there are no data dependent branches or memory accesses,
on x86_64 and aarch64 architectures
The added constant-time coverage does NOT check:
- there are no data-dependent variable-time instructions, such as
instructions NOT on the x86 Data Operand Independent Timing list
or NOT on the ARM Data-Independent Timing list
- any architectures beyond x86_64 and aarch64
New CONSTTIME_SECRET annotations live only in the test rather than in
the generic C version of CRYPTO_memcmp so that both the C and
assembler versions of CRYPTO_memcmp are constant-time covered.
CRYPTO_memcmp directly backs CPython's secrets.compare_digest() and
hmac.compare_digest(), so a timing leak in it is high impact, yet it had
essentially no direct test coverage.
References #15076.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 11 16:11:58 2026
(Merged from https://github.com/openssl/openssl/pull/31398)