Neil Horman [Wed, 14 Jan 2026 15:10:21 +0000 (10:10 -0500)]
add a compare thunk function to the STACK_OF macros
Now that ossl_bsearch is capable of using a thunking function, let's
create a thunking function to use for the STACK_OF macros.
The problem we're addressing is one that gives rise to ubsan issues.
clang-16 and later have a ubsan check that confirms that the target symbol
that we call through a pointer matches the type of the pointer itself.
For instance:

    int foo(void *a, void *b)
    {
        ...
    }
    int (*fooptr)(char *ac, int *bc) = foo;
    fooptr(&charval, &intval);
is strictly speaking in C undefined behavior (even though in normal
operation this works as expected). Newer compilers are strict about
this however, as several security frameworks operate with an expectation
that this constraint is met.
See https://github.com/openssl/openssl/issues/22896#issuecomment-1837266357
for details.
So we need to create a thunking function. The sole purpose of this
thunking function is to accept the "real" comparison function for the
STACK_OF macros, along with the two items to compare of the type that
they are passed as from the calling function, and do the conversion of
both the comparison function and the data pointers to the types that the
real comparison function expects.
So we:
1) Modify the DEFINE_STACK_OF macros to create this thunking function
2) Add an OPENSSL_sk_set_cmp_thunks API to set the comparison function
3) Modify the requisite places in the stack code to use the thunking
function when available
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:14 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
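The thunk pattern this commit describes, written out as an added standalone C example; this is not OpenSSL's implementation. The element type `ITEM`, the `generic_cmp`/`generic_thunk` signatures, the `bsearch_thunked()` container routine and the sample table are all constructed for illustration and only modelled on the OPENSSL_sk / ossl_bsearch description above. The `use_thunk == 0` path reproduces the undefined-behaviour call that clang's `-fsanitize=function` reports; the thunk path calls through a pointer whose type matches the callee exactly.

```c
/*
 * Added example (not OpenSSL code): a typed comparison function called
 * through a generic function-pointer type is undefined behaviour, which
 * clang's -fsanitize=function flags; a per-type thunk whose signature
 * matches the caller's pointer type removes the mismatch.
 *
 * Build: cc -std=c99 -Wall thunk_demo.c
 * (clang -fsanitize=function reports the find_index(..., 0) path)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *name;
} ITEM;

/* Generic signatures of a hypothetical type-erased container, modelled on
 * OPENSSL_sk's compare function plus the thunk described in the commit. */
typedef int (*generic_cmp)(const void *a, const void *b);
typedef int (*generic_thunk)(const void *a, const void *b, generic_cmp real_cmp);

/* The "real" comparison function, typed on the element type (it compares
 * two ITEM * slots of the array, as sk_TYPE_compfunc does). */
typedef int (*item_cmp_fn)(const ITEM *const *a, const ITEM *const *b);

static int item_cmp(const ITEM *const *a, const ITEM *const *b)
{
    return strcmp((*a)->name, (*b)->name);
}

/*
 * Per-type thunk: its type matches generic_thunk exactly, so the container
 * can call it without a type mismatch. Inside, real_cmp is cast back to the
 * type it was originally declared with (a round trip C permits) and the data
 * pointers are converted to the slot type item_cmp expects.
 */
static int item_cmp_thunk(const void *a, const void *b, generic_cmp real_cmp)
{
    item_cmp_fn cmp = (item_cmp_fn)real_cmp;

    return cmp((const ITEM *const *)a, (const ITEM *const *)b);
}

/* Binary search over an array of element slots. With thunk == NULL it calls
 * cmp directly through generic_cmp: this is the UB path (the pointer type
 * differs from the callee's type) even though it "works" on common ABIs. */
static const void *bsearch_thunked(const void *key, const void *base, size_t num,
                                   size_t size, generic_cmp cmp, generic_thunk thunk)
{
    const char *b = (const char *)base;
    size_t lo = 0, hi = num;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        const void *p = b + mid * size;
        int c = (thunk != NULL) ? thunk(key, p, cmp) : cmp(key, p);

        if (c == 0)
            return p;
        if (c < 0)
            hi = mid;
        else
            lo = mid + 1;
    }
    return NULL;
}

/* Constructed sample data, already sorted by name. */
static const ITEM table[] = { { "alice" }, { "bob" }, { "carol" }, { "dave" } };

/* Returns the slot index of name in the sorted table, or -1 if absent. */
int find_index(const char *name, int use_thunk)
{
    const ITEM *slots[] = { &table[0], &table[1], &table[2], &table[3] };
    ITEM key = { name };
    const ITEM *keyp = &key;
    const void *hit;

    /* The container stores the typed function as generic_cmp, as OPENSSL_sk does. */
    generic_cmp stored = (generic_cmp)item_cmp;

    hit = bsearch_thunked(&keyp, slots, 4, sizeof(slots[0]), stored,
                          use_thunk ? item_cmp_thunk : NULL);
    if (hit == NULL)
        return -1;
    return (int)((const ITEM *const *)hit - (const ITEM *const *)slots);
}

int main(void)
{
    printf("carol -> %d (thunk)\n", find_index("carol", 1));
    printf("zed   -> %d (thunk)\n", find_index("zed", 1));
    return 0;
}
```

The thunk is where the casting is allowed to live: converting `real_cmp` back to `item_cmp_fn` is a conversion to the function's original type, so the call through it is well-defined, and the container only ever calls through `generic_thunk`, whose type the thunk actually has.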
Neil Horman [Tue, 13 Jan 2026 21:25:21 +0000 (16:25 -0500)]
add cmp_thunk function to ossl_bsearch
Add the initial groundwork to allow for the use of a thunking function
with bsearch. Normally our comparison function signature doesn't match
the type of the pointer we call it through, leading to ubsan errors;
this lets those signatures match and gives us a place to do the proper
casting.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:11 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 7 13:05:48 2026
(Merged from https://github.com/openssl/openssl/pull/29932)
kovan [Thu, 5 Feb 2026 15:41:02 +0000 (16:41 +0100)]
doc: Fix typos and grammar in BIO_s_accept documentation
- Fix "and attempt" to "an attempt"
- Fix "BIO_BIN_NORMAL" typo to "BIO_BIND_NORMAL"
- Add missing B<> formatting around BIO_BIND_NORMAL and BIO_RR_ACCEPT
- Fix "at then end" to "at the end"
- Fix incomplete sentence about BIO_should_io_special()
- Update copyright year
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Fri Feb 6 13:34:18 2026
(Merged from https://github.com/openssl/openssl/pull/29910)
Neil Horman [Mon, 2 Feb 2026 15:33:22 +0000 (10:33 -0500)]
replace curl in our interop testing
Since curl dropped support for using the OpenSSL quic stack, we have no
use for it anymore in our interop testing. Replace it with our own
http3 demonstration client.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
Neil Horman [Mon, 2 Feb 2026 15:24:56 +0000 (10:24 -0500)]
Update ossl-http3-demo to support multiple requests
In order to use our http3 demo to do interop testing, said demo needs to
be able to handle multiple requests and responses written to specific
output files.
Add that code here, allowing us to specify optionally a list of requests
on the command line to send to the server, as well as a download
directory, so that requests made get written locally to the same name as
the request in the specified download directory.
While we're at it, also clean up the code infrastructure to use SSL_poll
to do read-ready checking, rather than iterating/mutating the internal
hash table, which is questionable to do (i.e. we shouldn't be removing
elements from the hash table while iterating over it).
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:24 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
slontis [Wed, 4 Feb 2026 22:35:43 +0000 (09:35 +1100)]
AES-WRAP fixes.
Partially fixes issue in Discussion 22861
AES-WRAP pad is documented as only working for non-streaming cases.
It did not, however, enforce this, so a user could potentially
wrap something incorrectly without an error and then not be able to
unwrap it without an error. The code now checks that update is only
called once.
An internal function returned an int which could be negative for bad
input values, and the return value was assigned to a size_t which
ignored the error condition.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
slontis [Wed, 4 Feb 2026 22:28:34 +0000 (09:28 +1100)]
BIO_f_cipher(): Increase internal buffer size used by CipherUpdate()
Previously running the commandline "openssl enc -id-aes256-wrap-pad ..."
with a large PQ private key failed since AES-WRAP is not streamable,
and multiple calls to CipherUpdate() are not allowed. Increasing the
size causes CipherUpdate() to only be called once.
The size of the buffer has been changed from 4K to 8K.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
Ethan [Tue, 3 Feb 2026 14:10:45 +0000 (09:10 -0500)]
doc: changed data_size value for OSSL_PARAM_octet_string() in EVP_SIGNATURE-SLH-DSA.pod
CLA: trivial
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29933)
Bob Beck [Thu, 22 Jan 2026 19:22:34 +0000 (12:22 -0700)]
Make OPENSSL_cleanup() G A
(Your choice of G and A words)
This installs a global destructor if we have destructor support.
The global destructor does nothing and immediately returns under
normal operation. If a global flag indicating that global cleanup
is wanted, it does what OPENSSL_cleanup() used to do.
OPENSSL_cleanup() is then modified to set the global flag indicating
that global cleanup is wanted. At this point if we have destructor
support, it immediately returns. If we do not have destructor support,
it manually calls the destructor function (meaning without destructor
support it does exactly what it used to do).
This ensures that if we have destructor support, the actions of an
OPENSSL_cleanup() requested by an application will only happen
after any subordinate library destructors which could call into
OpenSSL functions have already run.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 19:19:17 2026
(Merged from https://github.com/openssl/openssl/pull/29721)
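The flag-gated destructor arrangement described in this commit, as an added standalone C example; it is not OpenSSL's code. The function names `cleanup_request()`, `global_destructor()` and `do_global_cleanup()` are stand-ins for the roles the commit message describes, the real teardown is reduced to a counter, and destructor support is detected with the GCC/Clang `__attribute__((destructor))` extension.

```c
/*
 * Added example (not OpenSSL code): the flag-gated global destructor
 * pattern described in the commit above, in standalone C. The names are
 * stand-ins; the real teardown is reduced to a counter.
 *
 * Build: cc -std=c99 -Wall destructor_demo.c
 */
#include <stdio.h>

#if defined(__GNUC__) || defined(__clang__)
# define HAVE_GLOBAL_DESTRUCTOR 1
# define ATTR_DESTRUCTOR __attribute__((destructor))
#else
# define HAVE_GLOBAL_DESTRUCTOR 0
# define ATTR_DESTRUCTOR
#endif

static int cleanup_wanted = 0;   /* set when the application asks for global cleanup */
static int cleanup_ran = 0;      /* counts how often the real teardown has run */

/* Stand-in for the work the cleanup entry point used to do directly. */
static void do_global_cleanup(void)
{
    cleanup_ran++;
}

/* Registered as a destructor when supported: a no-op unless cleanup was
 * requested. With the usual ELF ordering, destructors of libraries that
 * depend on this one (and may still call into it) run before this one,
 * so deferring the teardown here avoids use-after-cleanup from them. */
static void global_destructor(void) ATTR_DESTRUCTOR;
static void global_destructor(void)
{
    if (!cleanup_wanted)
        return;
    cleanup_wanted = 0;          /* run the teardown at most once */
    do_global_cleanup();
}

/* Application entry point, modelled on the commit's description of
 * OPENSSL_cleanup(): record the request; without destructor support,
 * perform the cleanup immediately, exactly as before. */
void cleanup_request(void)
{
    cleanup_wanted = 1;
#if !HAVE_GLOBAL_DESTRUCTOR
    global_destructor();
#endif
}

int cleanup_pending(void)
{
    return cleanup_wanted;
}

int cleanup_has_run(void)
{
    return cleanup_ran;
}

int main(void)
{
    cleanup_request();
    printf("after request: pending=%d ran=%d (with destructor support, "
           "the teardown runs at process exit)\n",
           cleanup_pending(), cleanup_has_run());
    return 0;
}
```

Calling `global_destructor()` before any request is harmless, which is what makes it safe to register unconditionally: the flag, not the registration, decides whether anything happens.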
Neil Horman [Wed, 28 Jan 2026 20:25:20 +0000 (15:25 -0500)]
Don't setup a default context while tearing down private contexts
In providers/applications that create custom libctx'es via
OSSL_LIB_CTX_new, it's possible, if the default provider has never been
initialized during the lifetime of the linked libcrypto, that we
actually wind up creating the default libctx when we free the
aforementioned custom libctx via, as an example:
While this isn't catastrophic, it's needless, and in some cases has the
potential to leak memory (for instance if a provider is loaded and
unloaded repeatedly in an environment in which the provider is linked to
libcrypto.so while the calling application is statically linked to
libcrypto.a).
It's also fairly easy to clean up, by adding an internal parameter to
gate the creation of the default libctx on the request of the caller, so
do that here.
Fixes openssl/project#1846
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 5 17:08:13 2026
(Merged from https://github.com/openssl/openssl/pull/29830)
Milan Broz [Tue, 20 Jan 2026 15:49:06 +0000 (16:49 +0100)]
Fix const spec in test
This patch fixes several const specifiers and unneeded casts
(visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:13:46 2026
(Merged from https://github.com/openssl/openssl/pull/29800)
Viktor Dukhovni [Tue, 16 Dec 2025 16:48:06 +0000 (03:48 +1100)]
Advertise FFDHE groups also with TLS 1.2-only
When the TLS max version is TLS 1.2, include supported RFC7919 FFDHE
groups in the supported_groups extension, provided we support at least
one DHE key exchange ciphersuite.
Also skip the EC point formats extension when the minimum (D)TLS version
is greater than 1.2. That extension is obsolete as of (D)TLS 1.3.
Finally, folded some extant long lines from the previous RFC7919 commits.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:43 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Implement second step of RFC7919 in TLS 1.2 server
Before this commit, the logic for generating a temporary DH key for DHE
cipher suites is the following:
1) If dh_tmp_auto is set (see SSL_set_dh_auto), the SSL server
automatically selects a set of DH parameters (P and G) appropriate
for the security level of the cipher suite. The groups are taken from
IKE (RFC 2409 and RFC 3526).
2) Otherwise, if the user provided a pre-generated set of DH parameters
(SSL_set0_tmp_dh_pkey), those parameters are used.
3) Finally, if neither 1) nor 2) is applicable, a callback function can
be set using SSL_set_tmp_dh_callback, which will be invoked to
generate the temporary DH parameters. From OpenSSL 3.0, this
functionality is deprecated.
4) Using the parameters from step 1-3, an ephemeral DH key is
generated. The parameters and the public key are sent to the client.
The logic above is updated by inserting an additional step, prior to
step 1:
0) If tls1_shared_group returns any shared known group between the
server and the client, the DH parameters associated with this group
are selected.
This is still compliant with RFC7919, as the server will already have
checked the Supported Groups extension during the ciphersuite selection
process (implemented in the previous commit).
Now, the tests need to be updated: By default, the TLS 1.2 server will
default to RFC7919 groups. To bypass this behavior, the supported groups
on the client side are set to "xorgroup", ensuring that the client does
not advertise any FFDHE group support and the server falls back to the
old logic.
An additional test is also added to ensure that the TLS 1.2 server does
select the right group if the client advertises any of the RFC7919
groups.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
RFC 7919 states:
If a compatible TLS server receives a Supported Groups extension from
a client that includes any FFDHE group (i.e., any codepoint between
256 and 511, inclusive, even if unknown to the server), and if none
of the client-proposed FFDHE groups are known and acceptable to the
server, then the server MUST NOT select an FFDHE cipher suite.
We implement this behavior by adding a new function that checks this
condition as its inverse: only select FFDHE cipher suites if at least
one of the client-proposed FFDHE groups is known and acceptable, or
if the client did _not_ send any FFDHE groups.
Also add a test to verify two possible outcomes:
1) The client proposes FFDHE and non-FFDHE ciphersuites -> the server
will select a non-FFDHE ciphersuite.
2) The client only proposes FFDHE ciphersuites -> the server will end
the connection.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:40 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Update tls1_shared_group to allow filtering for FFDHE and/or ECDHE
groups. This will be used for implementing RFC 7919 groups support in
the TLS 1.2 server. As defined in RFC 7919:
Codepoints in the "Supported Groups Registry" with a high byte of
0x01 (that is, between 256 and 511, inclusive) are set aside for
FFDHE groups
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:38 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
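The RFC 7919 server-side rule from the two commits above (FFDHE codepoint filtering in the shared-group lookup, and refusing an FFDHE cipher suite when the client offered FFDHE groups none of which the server accepts), as an added standalone C example that is not OpenSSL's code. The group codepoints are the RFC 7919 / IANA values; the server's FFDHE preference list, the cipher suite flags passed to `choose_kex()` and the three client `supported_groups` lists are constructed for the example, and the suite negotiation is deliberately reduced to "ECDHE if offered, else FFDHE if permitted".

```c
/*
 * Added example (not OpenSSL code): RFC 7919 section 4 server behaviour.
 * Codepoints are the RFC 7919 / IANA values; server preferences, suite
 * flags and client lists are constructed for the example.
 *
 * Build: cc -std=c99 -Wall ffdhe_demo.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 7919 section 2: codepoints with high byte 0x01 (256..511) are FFDHE groups. */
#define FFDHE_MIN 256
#define FFDHE_MAX 511

enum named_group {
    GROUP_SECP256R1 = 23,
    GROUP_X25519    = 29,
    GROUP_FFDHE2048 = 256,
    GROUP_FFDHE3072 = 257,
    GROUP_FFDHE4096 = 258
};

enum kex { KEX_NONE = 0, KEX_ECDHE, KEX_FFDHE };

/* Server's configured FFDHE groups, in preference order (constructed). */
static const uint16_t server_ffdhe[] = { GROUP_FFDHE3072, GROUP_FFDHE2048 };

/* Constructed client supported_groups lists used by main() and the checks. */
static const uint16_t client_known_ffdhe[]   = { GROUP_X25519, GROUP_FFDHE3072, 300 };
static const uint16_t client_unknown_ffdhe[] = { GROUP_X25519, 300 };
static const uint16_t client_legacy[]        = { GROUP_X25519, GROUP_SECP256R1 };

static int is_ffdhe_codepoint(uint16_t g)
{
    return g >= FFDHE_MIN && g <= FFDHE_MAX;
}

/* First server-preferred FFDHE group the client also listed, or 0 if none.
 * This is the FFDHE-filtered shared-group lookup the commits describe. */
uint16_t shared_ffdhe_group(const uint16_t *client_groups, size_t n)
{
    size_t i, j;

    for (i = 0; i < sizeof(server_ffdhe) / sizeof(server_ffdhe[0]); i++)
        for (j = 0; j < n; j++)
            if (client_groups[j] == server_ffdhe[i])
                return server_ffdhe[i];
    return 0;
}

/* The RFC 7919 rule stated as its inverse: an FFDHE suite may be selected
 * if the client proposed no FFDHE group at all (legacy client; the server
 * falls back to its own parameters), or if at least one proposed FFDHE
 * group, even alongside unknown ones, is known and acceptable here. */
int ffdhe_suite_allowed(const uint16_t *client_groups, size_t n)
{
    int offered_ffdhe = 0;
    size_t j;

    for (j = 0; j < n; j++)
        if (is_ffdhe_codepoint(client_groups[j]))
            offered_ffdhe = 1;
    if (!offered_ffdhe)
        return 1;
    return shared_ffdhe_group(client_groups, n) != 0;
}

/* Toy suite negotiation: the flags say which key-exchange families the
 * client's cipher suite list contains. ECDHE is taken when offered, FFDHE
 * only when RFC 7919 permits it, otherwise the handshake must fail. */
enum kex choose_kex(const uint16_t *client_groups, size_t n,
                    int offers_ecdhe_suite, int offers_ffdhe_suite)
{
    if (offers_ecdhe_suite)
        return KEX_ECDHE;
    if (offers_ffdhe_suite && ffdhe_suite_allowed(client_groups, n))
        return KEX_FFDHE;
    return KEX_NONE;
}

int main(void)
{
    printf("known FFDHE   -> group %u, allowed %d\n",
           shared_ffdhe_group(client_known_ffdhe, 3), ffdhe_suite_allowed(client_known_ffdhe, 3));
    printf("unknown FFDHE -> group %u, allowed %d\n",
           shared_ffdhe_group(client_unknown_ffdhe, 2), ffdhe_suite_allowed(client_unknown_ffdhe, 2));
    printf("no FFDHE      -> group %u, allowed %d\n",
           shared_ffdhe_group(client_legacy, 2), ffdhe_suite_allowed(client_legacy, 2));
    return 0;
}
```

The unknown codepoint 300 matters in both directions: in `client_known_ffdhe` it is ignored because ffdhe3072 is also present, while in `client_unknown_ffdhe` it is the only FFDHE group and so forbids every FFDHE suite, which is the "MUST NOT" clause quoted above.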
Milan Broz [Tue, 20 Jan 2026 13:18:14 +0000 (14:18 +0100)]
Fix const spec in apps
This patch fixes several const specifiers
(visible with non-default const-qual warning).
- Functions like SSL_set_tlsext_host_name take a
non-const hostname parameter.
- packet buffer is read in BIO_read, so it
cannot be const
The rest is missing const specifiers where casting
to non-const is not needed.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 4 19:49:15 2026
(Merged from https://github.com/openssl/openssl/pull/29796)
Guard RWLOCK methods by USE_RWLOCK in threads_pthread.c
Fixes: #29883 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 4 15:55:47 2026
(Merged from https://github.com/openssl/openssl/pull/29924)
Milan Broz [Tue, 20 Jan 2026 15:35:25 +0000 (16:35 +0100)]
Fix const spec in ssl
This patch fixes several const specifiers and unneeded
casts (visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 17:26:31 2026
(Merged from https://github.com/openssl/openssl/pull/29799)
Ml-dsa provider module requires der_digests.h which is generated
from der_digests.h.in. The dependency must be explicitly set in
build.info otherwise the .h file is missing when
providers/common/der/der_ml_dsa_key.c gets compiled.
The issue seems to affect only make found in base system on OpenBSD.
gnu-make (a.k.a. gmake) is not affected.
public API: Remove needless 'const' from scalar types
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18229)
Milan Broz [Tue, 20 Jan 2026 14:40:18 +0000 (15:40 +0100)]
Fix const spec in providers
This patch fixes several const specifiers
(visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Feb 3 14:12:00 2026
(Merged from https://github.com/openssl/openssl/pull/29798)
kovan [Tue, 27 Jan 2026 06:44:55 +0000 (07:44 +0100)]
doc: add return value documentation for EVP_CIPHER_*_params functions
Document that EVP_CIPHER_get_params(), EVP_CIPHER_CTX_get_params() and
EVP_CIPHER_CTX_set_params() return 1 for success and 0 for failure.
Fixes #29725
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Feb 3 09:51:47 2026
(Merged from https://github.com/openssl/openssl/pull/29779)
kovan [Tue, 27 Jan 2026 05:01:49 +0000 (06:01 +0100)]
doc: clarify OSSL_DISPATCH array usage in provider-base
The previous wording "arrays are indexed by numbers" was misleading
as it suggested direct array indexing. Clarify that OSSL_DISPATCH
entries contain a function_id field that identifies the function.
Fixes #27125
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Feb 3 09:48:02 2026
(Merged from https://github.com/openssl/openssl/pull/29769)
Tommy Chiang [Sun, 25 Jan 2026 13:12:28 +0000 (21:12 +0800)]
SSL_CONF_FLAG: Prevent setting both CMDLINE and FILE flags
The `SSL_CONF_CTX_set_flags` function did not prevent setting both
`SSL_CONF_FLAG_CMDLINE` and `SSL_CONF_FLAG_FILE` flags, which is an
invalid combination. This commit adds a check to prevent this and
updates the documentation to clarify that only one of these flags
can be set.
A new test case is also added to verify the correct behavior.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 09:40:04 2026
(Merged from https://github.com/openssl/openssl/pull/29752)
Daniel Kubec [Sat, 24 Jan 2026 19:50:42 +0000 (20:50 +0100)]
ASN.1: Raise additional errors in crl_set_issuers()
Additional ASN.1 parsing errors are now raised to the error stack,
allowing invalid CRLs to be rejected early with detailed error messages.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 09:02:15 2026
(Merged from https://github.com/openssl/openssl/pull/29750)
Tomas Mraz [Thu, 22 Jan 2026 10:23:26 +0000 (11:23 +0100)]
check_cert_crl(): Avoid potential UAF when using the value of current_crl
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue Feb 3 08:50:53 2026
(Merged from https://github.com/openssl/openssl/pull/29679)
Bob Beck [Wed, 21 Jan 2026 18:47:37 +0000 (11:47 -0700)]
Ensure current_crl always points to the crl we are considering
As mentioned by Viktor Dukhovni, the desired behaviour is:
The current_crl is NULL when the running callback invocation is about errors
unrelated to validation failures via a particular CRL a user may want to
report the issuer of.
The current_crl is (whenever possible) not NULL when reporting errors
specifically related to that CRL.
The problem with this happens when we call check_crl with something that
is not what current_crl is set to. We can potentially enter the time check
code, and we then need to call the callback with the certificate that
failed the time check which is not current_crl.
Correct this by removing the dance in the time check code, and always
setting current_crl whenever we call check_crl.
This means that when we are considering a delta crl, we report the
correct crl to the callback, instead of possibly handing them NULL
(if they get called after a failing time check clobbers it), or the
non-delta crl (because we are looking at a delta while having
current_crl set to crl - which was why we had the dance in the time code
to begin with). We don't need to change current_crl in the time check
code if we always have current_crl set to the thing we are evaluating.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 08:50:52 2026
(Merged from https://github.com/openssl/openssl/pull/29679)
noctuelles [Mon, 19 Jan 2026 17:19:08 +0000 (18:19 +0100)]
BIO_get_data.pod: Warn about use outside of a custom BIO implementation
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Feb 3 08:47:06 2026
(Merged from https://github.com/openssl/openssl/pull/29675)
Danny Tsen [Wed, 28 Jan 2026 12:23:13 +0000 (07:23 -0500)]
aes-gcm-ppc.pl: Removed .localentry directive
Otherwise there is mixing of ELFv1 ABI and ELFv2 ABI directives
and PPC64 big endian builds fail.
Fixes #29815
Signed-off-by: Danny Tsen <dtsen@us.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 08:39:50 2026
(Merged from https://github.com/openssl/openssl/pull/29827)
Curl dropped support for using the quic-tls interface to use our quic
stack. Because our interop testing relies on using curl to do testing,
our builds broke.
Until we can find an alternate client to do https transfers over
http3/quic, we need to back off our quic build point to a commit prior
to the above so we can maintain our interop testing.
Long term, we need to enhance our own http3 demo client to support the
download/resumption/etc features that we need for interop. We're
tracking that effort in:
https://github.com/openssl/project/issues/1850
Fixes openssl/project#1848
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Fri Jan 30 12:20:11 2026
(Merged from https://github.com/openssl/openssl/pull/29857)
Neil Horman [Thu, 15 Jan 2026 18:27:34 +0000 (13:27 -0500)]
Exclude some tests from valgrind
Some tests (like the mem_alloc and abort tests) do things with malloc
intentionally as sanity checks that valgrind complains about, and so we
just shouldn't run those tests under valgrind at all.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jan 29 16:37:30 2026
(Merged from https://github.com/openssl/openssl/pull/29573)
rainerjung [Wed, 28 Jan 2026 11:00:35 +0000 (12:00 +0100)]
Fix coding style check by adding clang format exclusions
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jan 29 14:22:55 2026
(Merged from https://github.com/openssl/openssl/pull/29817)
rainerjung [Wed, 28 Jan 2026 10:15:53 +0000 (11:15 +0100)]
Sparc asm: remove whitespace that breaks asm syntax in generated files
This fixes #29808.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jan 29 14:22:50 2026
(Merged from https://github.com/openssl/openssl/pull/29817)
Ingo Franzki [Fri, 23 Jan 2026 07:43:54 +0000 (08:43 +0100)]
s390x: EC: use OpenSSL's RNG for ECDSA nonce 'k' for FIPS module
The KDSA instruction can operate in 2 different modes:
- Deterministic mode - nonce 'k' is supplied by user.
- Non-deterministic mode - nonce 'k' is randomly generated by the instruction
itself.
When running in the FIPS-Module, do not use KDSA's non-deterministic mode,
but generate the nonce 'k' using OpenSSL's random number generator. This
ensures that the nonce is generated using a FIPS-approved random number
generator.
It also makes the FIPS KAT tests work, because those use a pre-setup
deterministic random number generator to produce deterministic ECDSA
signatures even for non-deterministic mode.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29754)
kovan [Tue, 27 Jan 2026 05:02:00 +0000 (06:02 +0100)]
doc: Add const to SSL_CTX_set1_groups/curves documentation
The set1_groups and set1_curves functions do not modify their input
arrays, so the documentation should reflect const-correct signatures.
Fixes #27422
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29762)
Document that the returned pointer is internal, reference count is not
incremented, and should not be freed. Mention SSL_CTX_up_ref() for
callers who need to retain the SSL_CTX.
Fixes #28298
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29767)
kovan [Tue, 27 Jan 2026 05:01:51 +0000 (06:01 +0100)]
doc: add missing DH_check_pub_key documentation and fix typo
Add DH_check_pub_key to NAME and SYNOPSIS sections. Fix typo where
DH_check_params() was incorrectly written instead of DH_check_params_ex()
in the description of the _ex functions.
Also remove DH_check_pub_key from util/missingcrypto.txt since it is
now documented.
Fixes #8473
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29768)
test/evp_test.c: avoid resource leak in digest_test_run()
The function can return on ctrl2params() returning 0 without freeing
the allocated memory associated with the got pointer. Fix it by jumping
to the err label that performs the cleanup instead of returning
immediately.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1680647 Fixes: 9c738431411e "Add support for CSHAKE." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jan 28 12:57:04 2026
(Merged from https://github.com/openssl/openssl/pull/29757)
Neil Horman [Mon, 26 Jan 2026 16:41:23 +0000 (11:41 -0500)]
Update doc/man3/OPENSSL_init_crypto.pod
Co-authored-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jan 27 20:43:01 2026
(Merged from https://github.com/openssl/openssl/pull/29648)
Neil Horman [Thu, 15 Jan 2026 16:36:02 +0000 (11:36 -0500)]
Fix documentation for OPENSSL_cleanup in pod files
Fixes openssl/project#1826
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jan 27 20:42:58 2026
(Merged from https://github.com/openssl/openssl/pull/29648)
When ctx->stream (e.g., AES-NI or ARMv8 CE) is available, the fast path
encrypts/decrypts full blocks but does not advance in/out pointers. The
tail-handling code then operates on the base pointers, effectively reprocessing
the beginning of the buffer while leaving the actual trailing bytes
unencrypted (encryption) or using the wrong plaintext (decryption). The
authentication checksum excludes the true tail.
Neil Horman [Wed, 7 Jan 2026 16:52:09 +0000 (11:52 -0500)]
Fix heap buffer overflow in BIO_f_linebuffer
When a BIO_f_linebuffer is part of a bio chain, and the next BIO
performs short writes, the remainder of the unwritten buffer is copied
unconditionally to the internal buffer ctx->obuf, which may not be
sufficiently sized to handle the remaining data, resulting in a buffer
overflow.
Fix it by only copying data when ctx->obuf has space, flushing to the
next BIO to increase available storage if needed.
Fixes openssl/srt#48
Fixes CVE-2025-68160
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:41:40 2026
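The bound this commit describes as missing, shown in an added standalone C example that is not OpenSSL's BIO_f_linebuffer code: a small line-buffering writer sits in front of a "next BIO" that only accepts a few bytes per call, and data is copied into the output buffer only when there is room for it, flushing downstream first to make room. The `struct sink`, the 8-byte `OBUF_SIZE`, the function names and the HTTP request text are all constructed for the example; the real BIO's retry semantics are reduced to a zero return from the sink.

```c
/*
 * Added example (not OpenSSL code): a minimal line-buffering writer in
 * front of a short-writing next layer. The copy into obuf is bounded by
 * the space left in it; copying the whole unwritten remainder instead is
 * the heap overflow class described in the commit above.
 *
 * Build: cc -std=c99 -Wall linebuf_demo.c
 */
#include <stdio.h>
#include <string.h>

#define OBUF_SIZE 8      /* deliberately tiny so the bound is exercised */
#define SINK_SIZE 256

/* Models the next BIO in the chain: accepts at most max_chunk bytes per call. */
struct sink {
    char data[SINK_SIZE];
    size_t len;
    size_t max_chunk;
};

static int sink_write(struct sink *s, const char *in, size_t inl)
{
    size_t room = SINK_SIZE - s->len;
    size_t n = inl < s->max_chunk ? inl : s->max_chunk;

    if (n > room)
        n = room;
    memcpy(s->data + s->len, in, n);
    s->len += n;
    return (int)n;   /* 0 means "nothing accepted, retry later" */
}

struct linebuf {
    char obuf[OBUF_SIZE];
    size_t obuf_len;
    struct sink *next;
};

/* Push obuf downstream, tolerating short writes. Returns 1 when empty, 0 if stalled. */
static int lb_flush(struct linebuf *lb)
{
    while (lb->obuf_len > 0) {
        int w = sink_write(lb->next, lb->obuf, lb->obuf_len);

        if (w <= 0)
            return 0;
        memmove(lb->obuf, lb->obuf + w, lb->obuf_len - (size_t)w);
        lb->obuf_len -= (size_t)w;
    }
    return 1;
}

/* Accept input into obuf, flushing whenever a full line is held or the
 * buffer is full. Returns the number of input bytes consumed; a short
 * return means the downstream stalled and the caller must retry the rest. */
size_t lb_write(struct linebuf *lb, const char *in, size_t inl)
{
    size_t consumed = 0;

    while (consumed < inl) {
        size_t room = OBUF_SIZE - lb->obuf_len;
        size_t chunk;

        if (room == 0) {                 /* make room before copying anything */
            if (!lb_flush(lb))
                break;
            continue;
        }
        chunk = inl - consumed;
        if (chunk > room)                /* the bound: never copy more than fits */
            chunk = room;
        memcpy(lb->obuf + lb->obuf_len, in + consumed, chunk);
        lb->obuf_len += chunk;
        consumed += chunk;

        if (memchr(lb->obuf, '\n', lb->obuf_len) != NULL && !lb_flush(lb))
            break;
    }
    return consumed;
}

/* Drive the writer through a sink with the given short-write size; returns
 * the byte count delivered intact, or -1 if anything was lost or reordered. */
int demo_short_writes(size_t max_chunk)
{
    static const char request[] = "GET / HTTP/1.1\r\nHost: example\r\n\r\n"; /* constructed */
    struct sink s = { { 0 }, 0, max_chunk };
    struct linebuf lb = { { 0 }, 0, &s };
    size_t n = strlen(request);

    if (lb_write(&lb, request, n) != n || !lb_flush(&lb))
        return -1;
    if (s.len != n || memcmp(s.data, request, n) != 0)
        return -1;
    return (int)s.len;
}

int main(void)
{
    printf("3-byte short writes: %d bytes delivered\n", demo_short_writes(3));
    printf("1-byte short writes: %d bytes delivered\n", demo_short_writes(1));
    return 0;
}
```

With a 33-byte request and an 8-byte buffer, every path through `lb_write()` sees the downstream accept less than what is pending, which is exactly the condition under which an unbounded copy of the remainder would run past `obuf`.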
Daniel Kubec [Thu, 22 Jan 2026 13:54:10 +0000 (14:54 +0100)]
ASN1: Fix type handling in AKID serial number conversion
The Authority Key Identifier's serial number field is an ASN1 integer, so use
the appropriate i2s_ASN1_INTEGER function instead of i2s_ASN1_OCTET_STRING
for string conversion. This fixes handling of negative serial numbers
which were previously displayed incorrectly.
While negative serial numbers are not RFC-compliant, we want to process
existing CRLs and certificates that may contain them, as this does not cause
any security issues. Rejecting invalid serial numbers during
generation is out of scope for this change.
Fixes #27406
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 15:29:33 2026
(Merged from https://github.com/openssl/openssl/pull/29717)
Anton Moryakov [Thu, 22 Jan 2026 14:51:12 +0000 (17:51 +0300)]
crypto: x509: fix unreachable code in X509V3_get_section and X509V3_get_string
The functions X509V3_get_section() and X509V3_get_string() contain a
redundant null check after an identical check has already guaranteed
that the function pointer (ctx->db_meth->get_section / get_string) is
non-NULL. As a result, the final 'return NULL;' statement is unreachable.
This change removes the redundant condition and the dead code, improving
code clarity and eliminating warnings from static analyzers.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Mon Jan 26 15:28:01 2026
(Merged from https://github.com/openssl/openssl/pull/29692)
Daniel Kubec [Thu, 15 Jan 2026 14:18:31 +0000 (14:18 +0000)]
Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()
Fixes #4952
Co-authored-by: Pauli <ppzgs1@gmail.com> Co-authored-by: Tomáš Mráz <tm@t8m.info> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 15:26:21 2026
(Merged from https://github.com/openssl/openssl/pull/29646)
Unlike SHAKE this has default values set for the xof length.
CSHAKE uses either SHAKE or KECCAK[c] depending on whether
custom strings are set or not. If either string is set, it encodes
the strings and uses KECCAK[c], otherwise it behaves the same as
SHAKE (without the default xof length problem).
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Jan 23 14:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/28432)
Milan Broz [Thu, 22 Jan 2026 11:07:42 +0000 (12:07 +0100)]
Remove disabled-optimization warning again
This warning does not play well in combination with sanitizers
and its value is dubious. Instead of complicated decisions
based on configuration flags just remove it from global list.
Fixes: #29673 Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Jan 23 14:00:29 2026
(Merged from https://github.com/openssl/openssl/pull/29714)
Tomas Mraz [Wed, 21 Jan 2026 17:50:07 +0000 (18:50 +0100)]
Correct alert when extended master secret support is dropped
When resuming session with the extended master secret support
dropped we should use SSL_AD_HANDSHAKE_FAILURE instead of
SSL_AD_ILLEGAL_PARAMETER according to the RFC7627 section 5.
Fixes #9791
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/29706)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Jan 23 10:27:16 2026
(Merged from https://github.com/openssl/openssl/pull/29704)
Neil Horman [Wed, 21 Jan 2026 15:12:15 +0000 (10:12 -0500)]
check-news-changes.yml: Fix the label check
The yaml for the check-news-changes CI job had an error in the step
conditional that prevented skipping the check if the
no_news_changes_needed flag was set. Fix that.
While we're at it, also add some debug code so that we can better see
what the checks are looking at during the CI job.
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:19:07 2026
(Merged from https://github.com/openssl/openssl/pull/29705)
Igor Ustinov [Mon, 15 Dec 2025 14:13:42 +0000 (15:13 +0100)]
Fix of EOF and retry handling in BIO implementations
Added handling for negative length in read functions.
Fixes openssl/project#1739
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:12:37 2026
(Merged from https://github.com/openssl/openssl/pull/29401)
SiteRelEnby [Wed, 21 Jan 2026 02:57:52 +0000 (02:57 +0000)]
Fix NULL pointer dereference when zlib DSO fails to load
When ZLIB_SHARED is defined and DSO_load() fails to load the zlib
library, ossl_comp_zlib_init() incorrectly returns 1 (success) while
leaving all function pointers (p_compress, p_uncompress, etc.) as NULL.
This causes COMP_zlib() and COMP_zlib_oneshot() to return valid-looking
COMP_METHOD pointers, but when these methods are used (e.g., during
TLS 1.3 certificate decompression), the NULL function pointers are
dereferenced, causing a SIGSEGV crash.
The bug occurs because the NULL pointer check (lines 297-303) was inside
the `if (zlib_dso != NULL)` block, so it was skipped entirely when
DSO_load() returned NULL.
The fix moves the NULL pointer check outside the conditional block,
consistent with how c_brotli.c and c_zstd.c handle this case. Now if
the DSO fails to load, all function pointers remain NULL, the check
catches this, and the function correctly returns 0 (failure).
This also fixes an incorrect cast of p_uncompress from compress_ft to
the correct uncompress_ft type.
PoC demonstrating the bug: https://github.com/SiteRelEnby/openssl-zlib-poc
Fixes #23563
CLA: trivial
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:00:50 2026
(Merged from https://github.com/openssl/openssl/pull/29699)
JohnnySavages [Fri, 19 Dec 2025 03:43:41 +0000 (22:43 -0500)]
Remove unnecessary post-increment
Found by Linux Verification Center (linuxtesting.org) with SVACE.
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Jan 22 10:10:51 2026
(Merged from https://github.com/openssl/openssl/pull/29456)