Richard Levitte [Thu, 18 Dec 2025 08:52:11 +0000 (09:52 +0100)]
Use 'codespell:ignore' where justifiable
There's this one random string where we have the word "Hellow". It's a
random string, "correct" spelling is really not important, so we tell
codespell to just ignore that line.
There were also two struct field names...
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29463)
Danny Tsen [Thu, 23 Oct 2025 20:51:05 +0000 (16:51 -0400)]
ppc64le: Restore VSX registers in AES/GCM ppc64le encrypt/decrypt
The implementation failed to restore VSX vector registers from vs14-vs22.
Re-implemented based on Linux kernel version.
Fixes #28961
Signed-off-by: Danny Tsen <dtsen@us.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28990)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29432)
Weizhi Ao [Thu, 11 Dec 2025 13:06:23 +0000 (21:06 +0800)]
Fix silent failure in ASYNC_start_job when size is 0
When ASYNC_start_job is called with args != NULL but size == 0,
OPENSSL_malloc(0) is called. Depending on the libc implementation,
malloc(0) may return NULL, causing a silent failure.
This patch modifies the logic to skip allocation if size is 0.
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29377)
Matthias Kraft [Wed, 10 Dec 2025 16:02:54 +0000 (17:02 +0100)]
Ensure path to libcrypto can be resolved on AIX.
On AIX, the environment of the test executable for test_includes doesn't
contain a resolvable search path to the just built libcrypto. Setup
LIBPATH to point to the build results.
Fixes #29352.
Signed-off-by: Matthias Kraft <Matthias.Kraft@ibm.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29375)
Norbert Pocs [Thu, 11 Dec 2025 11:49:00 +0000 (12:49 +0100)]
Check return code of UTF8_putc
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29376)
Norbert Pocs [Thu, 11 Dec 2025 11:38:16 +0000 (12:38 +0100)]
Harden ASN1_mbstring_ncopy
Reported by Murali Aniruddhan
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29376)
Paul Elliott [Mon, 15 Dec 2025 13:05:00 +0000 (13:05 +0000)]
Fix error in PAC/BTI AArch64 build
Clang format removes a space here, which creates a compiler error when
building for PAC/BTI. Fix this and Turn off clang format for this line
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/29399)
Igor Ustinov [Thu, 4 Dec 2025 16:05:59 +0000 (17:05 +0100)]
Documentation for BIO flags and related functions.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29311)
Matthias Kraft [Fri, 5 Dec 2025 16:52:28 +0000 (17:52 +0100)]
Enable send-/recvmmsg for AIX >= 7.2 and disable SUPPORT_LOCAL_ADDR.
AIX doesn't support this implementation for local addresses. The AF_INET
case is unimplemented when sending. The AF_INET6 case is limited to 110
messages. The limiting factor is currently unclear.
Fixes #29292
Signed-off-by: Matthias Kraft <Matthias.Kraft@ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29334)
Niels Dossche [Mon, 8 Dec 2025 14:17:56 +0000 (15:17 +0100)]
Fix memory leak in error path of ec_gen_init()
ec_gen_set_params() can fail after some big numbers have already been
copied over. Those need to be cleaned to avoid a memory leak on failure.
This can be done with ec_gen_cleanup(), which is also consistent in how
the ecx_gen code does it.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29335)
Dmitry Misharov [Tue, 9 Dec 2025 16:39:14 +0000 (17:39 +0100)]
run codespell pre-commit hook on staged files only
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29360)
Matt Caswell [Tue, 9 Dec 2025 12:22:02 +0000 (12:22 +0000)]
Fix array formatting in evp_extra_test.c
The reformat did something silly with some of the arrays in evp_extra_test.c
Fix the arrays such that clang-format is still happy.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29349)
Bob Beck [Tue, 9 Dec 2025 10:17:44 +0000 (03:17 -0700)]
3.3-POST-CLANG-FORMAT-WEBKIT
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29258)
Bob Beck [Tue, 9 Dec 2025 10:15:25 +0000 (03:15 -0700)]
3.3-PRE-CLANG-FORMAT-WEBKIT
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29258)
Bob Beck [Tue, 2 Sep 2025 16:07:08 +0000 (10:07 -0600)]
Fix cmp_ctx_test.c to be less sensitive to line wrapping.
Similar to the previous errtest.c fix this also is not broken
by any reformatting today, but this change makes this follow
the same pattern as the other things that test OPENSSL_LINE
after the fact so we maintain the same paradigm everywhere.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29257)
Bob Beck [Fri, 29 Aug 2025 17:37:36 +0000 (11:37 -0600)]
fix errtest to be less sensitive to line wrapping changes
(in it's final form it will work with either compiler
because it's currently one line, but was tripped up before
by the #ifdef, so redid it to be consistent with the
other changes previously in this stack)
While I am here correct the test to test for all possible
return values of ERR_get_error_all, without the #ifdefs
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29257)
check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29199)
Matthias Kraft [Fri, 28 Nov 2025 14:30:01 +0000 (15:30 +0100)]
Skip symbol_presence test on AIX
AIX `nm` reports symbols in a different way.
Fix for: #29247
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29276)
Fortunately due to the initial size of the allocated
buffer and the limit for unfragmented DTLS record size
the use-after-realloc cannot be triggered.
But we fix the potentially problematic code anyway.
Reported Joshua Rogers. It was found with the ZeroPath security
tooling.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29278)
Holger Dengler [Wed, 26 Nov 2025 15:18:49 +0000 (16:18 +0100)]
s390x: Check and fail on invalid malformed ECDSA signatures
Check parameters of ECDSA signatures on verify and fail for invalid
malformed signatures in the code path for s390x accelerators. Handle
condition code of kdsa instruction for detecting invalid parameters.
For NIST P521 curves, kdsa ignores completely the upper 14 bytes of
the sections for r and s in the parameter-block, so adapt the offset
and length for bignum conversions for these curves. This will detect
cases of malformed signatures which are not covered by the kdsa
parameter checking.
Fixes: #29173 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
Holger Dengler [Wed, 26 Nov 2025 15:18:37 +0000 (16:18 +0100)]
s390x: Return condition code of kdsa instruction
The kdsa instruction is doing some parameter checking for the verify
function codes, like r/s equals zero and range checks. To handle these
cases correctly in the calling functions, the asm returns now also
condition code 2.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
Bernd Edlinger [Sun, 25 Feb 2024 15:33:33 +0000 (16:33 +0100)]
CIFuzz: Remove some unnecessary files to free up space
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29061)
Neil Horman [Thu, 20 Nov 2025 16:49:19 +0000 (11:49 -0500)]
ensure destructor key is created prior to any other thread specific key
https://github.com/openssl/openssl/issues/29077 found that, in the event
that a pthread key is created prior to the destructor_key, glibc will
NULL-ify any thread specific data before the init_thread_destructor
runs, leading to leaks.
Ensure that we always create the destructor key prior to any other
thread local storage keys
Fixes #29907
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29182)
Igor Ustinov [Thu, 27 Nov 2025 12:08:02 +0000 (13:08 +0100)]
Branch 3.2 was removed from and branch 3.6 was added to the
"Provider compatibility for PRs" test.
Do not test the provider from the PR against modified branches.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29236)
Shohei YOSHIDA [Mon, 24 Nov 2025 08:55:06 +0000 (17:55 +0900)]
DOC: fix typo in openssl-cmp
RAVERIFED -> RAVERIFIED
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29202)
Bernd Edlinger [Mon, 3 Nov 2025 13:00:15 +0000 (14:00 +0100)]
Document CVE-2021-4160
This was fixed in openssl 3.0.1 by #17258 and assigned
CVE-2021-4160 but unfortunately forgotten to mention
in the CHANGES and/or NEWS.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29051)
David Benjamin [Mon, 20 Oct 2025 21:38:14 +0000 (17:38 -0400)]
doc: Discuss calling X509_verify_cert in cert_verify_callback
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)
There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)
Igor Ustinov [Wed, 19 Nov 2025 15:21:30 +0000 (16:21 +0100)]
Correct information about the default value of the -md parameter
of the openssl cms command.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29175)
doc/man3/OPENSSL_malloc.pod: mention rationale for OPENSSL_cleanse()
It was not entirely clear from the sole description, what is the reason
for preferring OPENSSL_cleanse() over memset(). Add a note about situations
in which OPENSSL_cleanse() should be chosen.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29174)
Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.
Fixes #29039
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
Lars Erik Wik [Wed, 8 Oct 2025 15:06:39 +0000 (17:06 +0200)]
bio_ok.c: Fixed undefined identifier 'SIZE_MAX'
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
Fixes for NonStop builds on 3.4 to handle OS platform header file changes
This changes handles the introduction of _POSIX_VERSION into the NonStop x86
header files that tricks OpenSSL into thinking that ucontext.h is available.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Fixes #28498
Fixes #29023
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29106)
Anton Moryakov [Tue, 4 Nov 2025 22:18:47 +0000 (01:18 +0300)]
Prevent NULL deref in BN_is_zero when cofactor is missing
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
KubaBoi [Tue, 28 Oct 2025 17:22:57 +0000 (18:22 +0100)]
asn1_gen: add ASN1_object_size() return check and fix else braces
Fixes: #6570
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
Joshua Rogers [Sat, 11 Oct 2025 22:34:40 +0000 (06:34 +0800)]
apps/s_socket: fix FD and addrinfo leak on SCTP failure in init_client
If BIO_new_dgram_sctp(*sock, BIO_NOCLOSE) fails we returned 0 directly,
skipping the out: cleanup and leaking the just created socket plus the
addrinfo lists.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28917)
Joshua Rogers [Sat, 11 Oct 2025 21:43:38 +0000 (05:43 +0800)]
crypto/bio/bss_acpt: set b->init only on successful BIO_parse_hostserv
BIO_C_SET_ACCEPT with num == 0 unconditionally set b->init = 1 even if
BIO_parse_hostserv failed. Only mark the BIO initialized when parsing
succeeds to avoid inconsistent state.
Angel Baez [Wed, 12 Nov 2025 12:46:28 +0000 (07:46 -0500)]
TLS 1.3 session resumption convert nonce_label to ASCII hex
Fixes #27815
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29127)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29129)
doc/man3/X509_STORE_get0_param.pod: mention how to free the returned objects
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed, explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
Ryan Hooper [Tue, 30 Sep 2025 16:56:33 +0000 (12:56 -0400)]
Properly error out when AEAD Algorithms are used with Encrypted Data
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used with
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29050)
Igor Ustinov [Sun, 2 Nov 2025 16:37:00 +0000 (17:37 +0100)]
Modernize header macros for C23 compatibility
Replace old-style (int (*)()) and (char *(*)()) casts with proper typed
prototypes (i2d_of_void *, d2i_of_void *, void *(*)(void)) to comply
with stricter C23 function pointer rules.
Fixes #27938
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29048)
Richard Levitte [Wed, 29 Oct 2025 09:12:33 +0000 (10:12 +0100)]
Rename SSL_CERT_LOOKUP.nid to pkey_nid
Hopefully, this will help further clarify the intent of this
SSL_CERT_LOOKUP field to future developer.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Richard Levitte [Wed, 29 Oct 2025 09:03:51 +0000 (10:03 +0100)]
Fix NID bug in SSL_CERT_LOOKUP array construction
The SSL_CERT_LOOKUP NID should be for the public key algorithm (what is
often called the "key type". Yet, when populating the SSL_CERT_LOOKUP
table with 'ssl_load_sigalgs', only the sigalg name is used to find a
NID.
This is perfectly OK to do, *if* the sigalg and the associated key type
share the same name. However, that's not always the case.
This change infers the key type name in 'ssl_load_sigalgs' the same way
as it was already done in 'add_provider_sigalgs'.
Related-to: https://github.com/openssl/openssl/pull/29019#discussion_r2472219647 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29027)
Dmitry Misharov [Mon, 27 Oct 2025 15:21:58 +0000 (16:21 +0100)]
Move CI jobs with macos large runners
Running CI jobs on MacOS large runner on each pull request
is problematic for forks. These runners are not free and require
billing to setup. Therefore it makes more sense move macos-14-large
and macos-15-large into os-zoo.yml which is scheduled to run nightly.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29007)
Gleb Popov [Fri, 10 Oct 2025 13:31:47 +0000 (16:31 +0300)]
rc4: Remove the pointless if() operator, its condition is always true
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28827)
Joshua Rogers [Mon, 13 Oct 2025 23:59:04 +0000 (07:59 +0800)]
apps/s_time: reset reused SSL with SSL_clear in doConnection
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28911)
Joshua Rogers [Sun, 12 Oct 2025 13:39:42 +0000 (21:39 +0800)]
comp/zstd: make bio_zstd_read return -1 on hard errors
Split NULL out param from zero outl. Return -1 on malloc failure and
NULL parameter. Keep 0 only for outl <= 0 and clean EOF. This lets
callers distinguish errors from empty reads without inspecting the
error queue.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/28908)
If the call to ASN1_item_ex_d2i() from x509_pubkey_ex_d2i_ex() fails
*pval is freed by asn1_item_ex_d2i_intern()->ASN1_item_ex_free()->ossl_asn1_item_embed_free()
inside the ASN1_item_ex_d2i() function without freeing the
string buffer X509_PUBKEY::propq that was previously allocated
in x509_pubkey_ex_new_ex() and we lose the pointer to this buffer.
The function we are fixing here is one of the functions used
to define X509_PUBKEY - so any operations that work directly
on X509_PUBKEY_INTERNAL should be prevented from freeing
the structure because they don't know how to handle it.
Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27333)
Neil Horman [Wed, 8 Oct 2025 12:20:36 +0000 (08:20 -0400)]
Copy impls stack when calling ossl_method_store_do_all
PR https://github.com/openssl/openssl/pull/24782 introduced a copying of
the algs stack in ossl_method_store_do all, so that the subsequent
iteration of elements through alg_do_one could be done without a lock,
and without triggering a tsan error as reported in:
https://github.com/openssl/openssl/issues/24672
However, the problem wasn't completely fixed. Issue:
https://github.com/openssl/openssl/issues/27726
Noted that, sometimes we still get a crash when iterating over each algs
impls stack. This occurs because, even though we've cloned the algs to
a private data area, the impls stack for each alg still points to shared
data, which we are accessing without the benefit of a lock. Because of
that, if some other thread calls a function that mutates the impl stack
(say ossl_method_store_remove()), we may encounter a NULL or garbage
value in one of the impl stack values, leading to an unexpected NULL
pointer or simmilar, which in turn leads to a crash.
Unfortunately we can't use a lock to create exclusive access here, as
there are several paths that lead to a recursive mutation of the stack,
which would deadlock.
So the only way that I see to prevent this (which is admittedly ugly),
is to not only clone the alg stack, but to duplicate each algs impl
stack with the read lock held, prior to doing the iteration.
Further, we've been unable to test this, as the problem is rare, and we
don't have a solid reproducer for the issue, but visual inspection
suggests this should fix that. Hopefully:
Fixes #27726
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28783)
Joshua Rogers [Fri, 10 Oct 2025 22:57:01 +0000 (06:57 +0800)]
CMP client: fix three memory leaks in error handling of the polling mechanism added in 3.3
These are in poll_for_response(), OSSL_CMP_try_certreq(), and OSSL_CMP_exec_certreq().
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28840)
Joshua Rogers [Sat, 11 Oct 2025 06:11:07 +0000 (14:11 +0800)]
freebsd ktls: avoid unaligned 16 bit length store in ktls_read_record
This prevents SIGBUS on strict alignment architectures when p+3 is not aligned
for 16 bit access. Behavior is unchanged on x86 and matches the Linux path.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28860)
Joshua Rogers [Fri, 10 Oct 2025 11:55:31 +0000 (19:55 +0800)]
Fix off-by-one overflow in the AST resubmit
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28811)
Joshua Rogers [Wed, 8 Oct 2025 07:31:18 +0000 (15:31 +0800)]
Disallow Message sequence number 2 in DTLSv1_listen
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28788)
Joshua Rogers [Wed, 8 Oct 2025 22:14:15 +0000 (06:14 +0800)]
ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers
When no cipher names are appended, p remains at buf and the unconditional
p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written;
otherwise return an empty string safely.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28785)
Igor Ustinov [Tue, 14 Oct 2025 18:30:49 +0000 (20:30 +0200)]
Correct assembler version checking in perlasm scripts
Fixes #20520
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28901)
projects / thirdparty / openssl.git / log
