Matt Caswell [Thu, 5 Jun 2025 13:41:55 +0000 (14:41 +0100)]
Introduce the PACKET_msg_start() function
This gives us the start of the buffer in use for the PACKET.
We then use this information when calculating the TLS PSK binder.
Previously we were assuming knowledge about where the buffer starts.
However, with ECH, we may be using a different buffer to normal so it is
better to ask the PACKET where the start of the buffer is.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)
Stephen Farrell [Tue, 6 Aug 2024 22:16:58 +0000 (23:16 +0100)]
Documents initial agreed APIs for Encrypted Client Hello (ECH)
and includes a minimal demo for some of those APIs.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Stephen Farrell [Wed, 26 Jun 2024 11:55:17 +0000 (12:55 +0100)]
add ech-api.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Bob Beck [Wed, 22 Oct 2025 03:34:56 +0000 (21:34 -0600)]
Simplify x509 time checking
This changes x509 verification to use int64 values of epoch
seconds internally instead of time_t. While time values from
a system will still come from/to a platform-dependent time_t
which could be range constrained, we can simplify this
to convert the certificate time to a posix time and then
just do a normal comparison of the int64_t values. This
removes the need to do further computation to compare values
which potentially do not cover the range of certificate times,
and makes the internal functions a bit more readable.
This also modifies the tests to ensure the full range of
times are tested, without depending on time_t, and adds
tests for checking CRL expiry, which were lacking before.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28987)
Angel Baez [Wed, 12 Nov 2025 12:46:28 +0000 (07:46 -0500)]
TLS 1.3 session resumption convert nonce_label to ASCII hex
Fixes #27815
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29127)
Signed-off-by: dependabot[bot] <support@github.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29129)
slontis [Wed, 27 Aug 2025 04:24:59 +0000 (14:24 +1000)]
RSA: Update RSA keygen.
The documentation now references FIPS 186-5 instead of FIPS 186-4,
and clarifies the keygen method used.
This PR also adds the two new optional FIPS 186-5 parameters that allow
the generated probable primes to be congruent to a value mod 8.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28349)
doc/man3/X509_STORE_get0_param.pod: mention how to free the returned objects
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed; explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
Orgad Shaneh [Thu, 6 Nov 2025 11:52:51 +0000 (13:52 +0200)]
Configure: Add missing variables in build.info
Fixes the following warnings:
No value given for CMAKECONFIGDIR
No value given for PKGCONFIGDIR
No value given for libdir
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29084)
Clarify processing of CRYPTO frame in SSL_set_quic_tls_cbs(3ossl)
We should remind 3rd-party QUIC stack implementors that their QUIC stack
must ensure it provides all CRYPTO frames to OpenSSL/TLS for processing.
The CRYPTO frames keep coming even after confirmation of the TLS
handshake.
Fixes #28963
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29070)
Enable ARMV8_UNROLL12_EOR3 optimization for Neoverse N2/N3
Unlike Neoverse N1, the Neoverse N2 and Neoverse N3 cores support the
EOR3 instruction. Enabling ARMV8_UNROLL12_EOR3 on these cores gives
performance uplift of 9-10% for AES-CTR 128/192/256 ciphers at larger
block sizes.
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29044)
Paul Elliott [Thu, 25 Sep 2025 10:41:33 +0000 (11:41 +0100)]
Add support for Arm V3_AE platform
Add cpu MIDR and ensure relevant optimisations are enabled.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29044)
Lidong Yan [Fri, 31 Oct 2025 06:40:06 +0000 (14:40 +0800)]
slh_dsa: fix leak in early return of slh_sign_internal()
In slh_sign_internal(), if calling PACKET_buf_init() fails, this
function returns without freeing wpkt. Replace `return 0` with `goto err`
to free wpkt before returning.
CLA: trivial
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29041)
crypto/bn/rsaz_exp.h: use constant_time_select_bn in bn_select_words
MSVC complained about possible loss of data on assignment, and it seems
that constant_time_select_bn is more suitable here than
constant_time_select_64; change the call to the former.
Fixes: 6d702cebfce3 "Add an extra reduction step to RSAZ mod_exp implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/29040)
Daniel Kubec [Tue, 28 Oct 2025 14:18:53 +0000 (15:18 +0100)]
CRL: RFC 5280 compliance for Certificate Issuer extension
Add validation to ensure Certificate Issuer extensions in CRL entries
only appear when the Indirect CRL flag is TRUE in the Issuing
Distribution Point (IDP) extension, as required by RFC 5280 section
5.3.3.
Fixes #27465
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29018)
Matteo [Mon, 27 Oct 2025 17:08:14 +0000 (18:08 +0100)]
Correction of grammar error in doc/man1/openssl-req.pod.in
I replaced the word "most" with the correct word "must" on line 406.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29009)
Nikola Pajkovsky [Fri, 24 Oct 2025 09:11:29 +0000 (11:11 +0200)]
namemap: use NID_undef instead of hardcoded 0
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28991)
Ryan Hooper [Tue, 30 Sep 2025 16:56:33 +0000 (12:56 -0400)]
Properly error out when AEAD Algorithms are used with Encrypted Data
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used,
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Alex Gaynor [Sun, 19 Oct 2025 16:30:09 +0000 (12:30 -0400)]
In the RFC6979 test vectors, ensure private keys are correctly encoded
The encoding of these keys is supposed to have a fixed length based on the curve (this enables constant time processing, see oss-security this week). Several of these have private scalars that have leading 0s, but were encoded with the 0s truncated off. This adds back the 0s.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28956)
Bernd Edlinger [Mon, 6 Oct 2025 06:37:20 +0000 (08:37 +0200)]
Improve the CPUINFO display for RISC-V
Prefix the base architecture to the displayed RISC-V
architecture string, so the displayed OPENSSL_riscvcap
environment value can be used as is, since otherwise
the OPENSSL_cpuid_setup would ignore the first extension,
as it is expected to be the base architecture, usually
"RV64GC" or similar.
See the comment at parse_env in crypto/riscvcap.c
Furthermore also print the VLEN value, if the V-extension
is given, since that makes a significant difference
which assembler modules are activated by the V-extension.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28760)
slontis [Fri, 7 Nov 2025 04:22:48 +0000 (15:22 +1100)]
AES-GCM: Allow the IV getter to generate the IV if it is not set yet.
The EVP_CipherInit API allows multiple calls to set up parameters such as
the key and iv. If the iv is not specified for encryption, then it is generated
internally during the update phase. If you try to get the IV before the
update it would return an error.
This PR allows the getter to generate the IV early for this case.
This also means that the gen_rand variable needs to be reset to 0 if an
iv is manually set after the getter is called.
Issue found by @davidmakepeace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29094)
Dmitry Misharov [Thu, 23 Oct 2025 10:29:34 +0000 (12:29 +0200)]
remove workflow_run trigger in fips and abidiff workflows
workflow_run runs in the context of the target
repository rather than the fork repository, while
also being typically triggerable by the latter.
This can lead to attacker controlled code execution
or unexpected action runs with context controlled
by a malicious fork.
https://docs.zizmor.sh/audits/#dangerous-triggers
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28982)
Dmitry Misharov [Thu, 23 Oct 2025 10:26:31 +0000 (12:26 +0200)]
remove workflow_run trigger in quic workflows
workflow_run runs in the context of the target
repository rather than the fork repository, while
also being typically triggerable by the latter.
This can lead to attacker controlled code execution
or unexpected action runs with context controlled
by a malicious fork.
https://docs.zizmor.sh/audits/#dangerous-triggers
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28982)
This change includes bss_sock.c to deal with introduction of EPROTO use.
Reroll of rsa_ossl.c changes made at 3.5 downward.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Update bioprinttest.c to handle missing PTRxPRT definitions from inttypes.h.
Fixes: #29023
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29024)
Dmitry Misharov [Mon, 3 Nov 2025 15:01:39 +0000 (16:01 +0100)]
CI: replace paid runners with free one
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29052)
Orgad Shaneh [Fri, 31 Oct 2025 08:28:37 +0000 (10:28 +0200)]
CI: Prevent scheduled jobs from running in forks
There is no reason to run them in forks, and some of them fail because
they try to run on macos-15-large which is not generally available.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29042)
Neil Horman [Wed, 29 Oct 2025 15:45:03 +0000 (11:45 -0400)]
Fix lock contention checker for MACOS
The lock contention checker uses the gettid() syscall to get a unique
thread id for each thread contending on a lock. While MACOS has this
syscall, it does something completely different:
https://elliotth.blogspot.com/2012/04/gettid-on-mac-os.html
This results in -1 being returned for all threads. Use a macOS-specific
call to get the thread id instead.
Fixes openssl/project#1699
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29031)
Matt Caswell [Tue, 28 Oct 2025 15:27:42 +0000 (15:27 +0000)]
Add a test for mismatch between the pkey and sigalg
We add a test for sending an mldsa65 sigalg while using an mldsa44 key.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Matt Caswell [Tue, 28 Oct 2025 14:53:11 +0000 (14:53 +0000)]
Use the actual NID for provided signature algorithms
Prior to this change we could confuse the nid used in the pkey with the
nid in the sigalg and mistakenly accept signatures by the wrong algorithm.
Fixes #28762
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Igor Ustinov [Sun, 2 Nov 2025 16:37:00 +0000 (17:37 +0100)]
Modernize header macros for C23 compatibility
Replace old-style (int (*)()) and (char *(*)()) casts with proper typed
prototypes (i2d_of_void *, d2i_of_void *, void *(*)(void)) to comply
with stricter C23 function pointer rules.
Fixes #27938
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29048)
Richard Levitte [Mon, 27 Oct 2025 19:47:44 +0000 (20:47 +0100)]
Set the 'tmp' flag BN_FLG_FIXED_TOP in bn_mod_exp_mont_fixed_top()
If not set, bn_check_top() trips when BN_DEBUG is defined
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28801)
Richard Levitte [Thu, 9 Oct 2025 17:56:59 +0000 (19:56 +0200)]
Test BN_DEBUG in CI
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28801)
Richard Levitte [Thu, 9 Oct 2025 17:55:47 +0000 (19:55 +0200)]
Fix BN_DEBUG: ossl_assert() → assert()
ossl_assert() has been modified so much that it no longer fits the
purpose of bn_check_top() when BN_DEBUG is defined in a debug build,
which is to abort and tell where the BIGNUM is inconsistent. This
is by design.
This has remained undiscovered because no one has tried BN_DEBUG
for quite a while.
Assertions in bn_check_top() are also rearranged to better show what
the actual problem is.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28801)
Richard Levitte [Wed, 29 Oct 2025 09:12:33 +0000 (10:12 +0100)]
Rename SSL_CERT_LOOKUP.nid to pkey_nid
Hopefully, this will help further clarify the intent of this
SSL_CERT_LOOKUP field to future developers.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Richard Levitte [Wed, 29 Oct 2025 09:03:51 +0000 (10:03 +0100)]
Fix NID bug in SSL_CERT_LOOKUP array construction
The SSL_CERT_LOOKUP NID should be for the public key algorithm (what is
often called the "key type"). Yet, when populating the SSL_CERT_LOOKUP
table with 'ssl_load_sigalgs', only the sigalg name is used to find a
NID.
This is perfectly OK to do, *if* the sigalg and the associated key type
share the same name. However, that's not always the case.
This change infers the key type name in 'ssl_load_sigalgs' the same way
as it was already done in 'add_provider_sigalgs'.
Related-to: https://github.com/openssl/openssl/pull/29019#discussion_r2472219647
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Pauli [Tue, 28 Oct 2025 05:05:59 +0000 (16:05 +1100)]
macctx: remove unused function
The `ossl_prov_macctx_load_from_params()` function is no longer used.
Since it isn't public, it can be removed.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29013)
Tomas Mraz [Mon, 20 Oct 2025 14:17:38 +0000 (16:17 +0200)]
Drop symbol numbers as we are doing a new major version
Also recreate the .num files from scratch as that makes the
symbols sorted.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28959)
Some files in @except_env_files are located in the build directory,
not the source directory.
Furthermore, because the files and directories in @except_dirs and
@except_env_files may look different than the elements in what find()
returns, realpath() must be used to ensure that file name comparison
matches when it should.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28601)
Dmitry Misharov [Mon, 27 Oct 2025 15:21:58 +0000 (16:21 +0100)]
Move CI jobs with macos large runners
Running CI jobs on MacOS large runner on each pull request
is problematic for forks. These runners are not free and require
billing to set up. Therefore it makes more sense to move macos-14-large
and macos-15-large into os-zoo.yml which is scheduled to run nightly.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29007)
Neil Horman [Wed, 22 Oct 2025 14:54:15 +0000 (10:54 -0400)]
Add lock contention graph script to openssl
Add a script to use gnuplot to graph lock contention events as reported
by the REPORT_RWLOCK_CONTENTION feature vs time so we can see an
application run time based view of where lock contention occurs.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28974)
Gleb Popov [Fri, 10 Oct 2025 13:31:47 +0000 (16:31 +0300)]
rc4: Remove the pointless if() operator; its condition is always true
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28827)