CHANGES.md, NEWS.md: sort links in lexicographical order
A specific order makes link addition more consistent moving forward.
The links were sorted with "LC_ALL=C sort -V" command, "sort"
is from GNU coreutils.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Apr 7 12:08:40 2026
Tomas Mraz [Mon, 6 Apr 2026 20:09:20 +0000 (22:09 +0200)]
80-test_cms.t: Accept success in malformed RSA decryption
The decryption of the malformed encrypted message might succeed
with some probability. We accept that as the testcase tries to
trigger a crash which does not happen.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 7 07:16:44 2026
(cherry picked from commit 7b5ece69dee3fb78fcd2618df3bce5064a04c6dc)
Nikola Pajkovsky [Thu, 19 Mar 2026 11:16:08 +0000 (12:16 +0100)]
rsa_kem: validate RSA_public_encrypt() result in RSASVE
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.
Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.
Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:51:30 2026
(cherry picked from commit 001e01db3e996e13ffc72386fe79d03a6683b5ac)
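The commit above turns on the difference between "nonzero" and "equal to the expected length" when checking a function that returns -1 on failure. The C program below is an added illustration, not OpenSSL's RSASVE code: it uses a constructed stand-in for RSA_public_encrypt() (no real RSA, a hypothetical 256-byte modulus, a `fail` flag to simulate the underlying operation failing) and shows the pre-fix `if (ret)` condition reporting success on failure beside the tightened `ret != MODULUS_LEN` condition that fails and wipes the generated secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical modulus size in bytes (a 2048-bit key); not tied to any real key. */
#define MODULUS_LEN 256

/* Constructed stand-in for RSA_public_encrypt() with RSA_NO_PADDING:
 * returns the number of bytes written on success and -1 on failure.
 * It does no real RSA; `fail` simulates the underlying operation failing. */
static int stub_public_encrypt(const unsigned char *in, unsigned char *out,
                               int fail)
{
    if (fail)
        return -1;
    memcpy(out, in, MODULUS_LEN);   /* placeholder for the modular exponentiation */
    return MODULUS_LEN;
}

/* Stand-in for OPENSSL_cleanse(): zero through a volatile pointer so the
 * compiler cannot drop the wipe as a dead store. */
static void cleanse(unsigned char *p, size_t len)
{
    volatile unsigned char *vp = p;

    while (len--)
        *vp++ = 0;
}

/* "Generate" a secret: a constructed fixed pattern standing in for random bytes. */
static void generate_secret(unsigned char *secret)
{
    memset(secret, 0xA5, MODULUS_LEN);
}

/* Encapsulation with the pre-fix condition: `if (ret)` is true for -1,
 * so a failed public-key operation is reported as success and the
 * secret is left in place. Returns 1 for "success", 0 for failure. */
int rsasve_generate_buggy(unsigned char *secret, unsigned char *ct, int fail)
{
    int ret;

    generate_secret(secret);
    ret = stub_public_encrypt(secret, ct, fail);
    if (ret)            /* BUG: -1 is nonzero, so this branch is taken on failure */
        return 1;
    return 0;
}

/* Encapsulation with the tightened condition: succeed only when the
 * return value equals the modulus-sized output; anything else is a
 * failure and the secret is cleansed before returning. */
int rsasve_generate_fixed(unsigned char *secret, unsigned char *ct, int fail)
{
    int ret;

    generate_secret(secret);
    ret = stub_public_encrypt(secret, ct, fail);
    if (ret != MODULUS_LEN) {
        cleanse(secret, MODULUS_LEN);
        return 0;
    }
    return 1;
}

/* Returns 1 if every byte of buf is zero. */
static int is_zeroed(const unsigned char *buf, size_t len)
{
    while (len--)
        if (*buf++ != 0)
            return 0;
    return 1;
}

/* Scenario helpers so each outcome is a plain return value. */
int buggy_reports_success_on_failure(void)
{
    unsigned char secret[MODULUS_LEN], ct[MODULUS_LEN];

    return rsasve_generate_buggy(secret, ct, 1);     /* 1 here is the bug */
}

int fixed_fails_and_cleanses(void)
{
    unsigned char secret[MODULUS_LEN], ct[MODULUS_LEN];
    int ok = rsasve_generate_fixed(secret, ct, 1);

    return ok == 0 && is_zeroed(secret, MODULUS_LEN);
}

int fixed_succeeds_and_keeps_secret(void)
{
    unsigned char secret[MODULUS_LEN], ct[MODULUS_LEN];
    int ok = rsasve_generate_fixed(secret, ct, 0);

    return ok == 1 && !is_zeroed(secret, MODULUS_LEN);
}

int main(void)
{
    printf("buggy check on failed op: %d (1 = reported success)\n",
           buggy_reports_success_on_failure());
    printf("fixed check on failed op, secret wiped: %d\n",
           fixed_fails_and_cleanses());
    printf("fixed check on good op: %d\n", fixed_succeeds_and_keeps_secret());
    return 0;
}
```

The comparison against the full modulus length, rather than against zero or "positive", is what matters: a short or negative return is treated as failure, and the caller never sees a secret that was not actually encapsulated.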
Neil Horman [Wed, 1 Apr 2026 08:56:44 +0000 (10:56 +0200)]
Fix NULL deref in rsa_cms_decrypt
Very similar to CVE-2026-28389, ensure that if we are missing
parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
we don't segfault when decrypting.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28390
Neil Horman [Tue, 31 Mar 2026 18:38:03 +0000 (14:38 -0400)]
Test for DH/ECDH CMS KARI processing NULL pointer dereference
Test to ensure that, if we attempt to decrypt a CMS message with a
missing parameter field of KeyEncryptionAlgorithmIdentifier
we fail, rather than segfault.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 6 19:09:04 2026
Neil Horman [Mon, 16 Mar 2026 17:49:07 +0000 (13:49 -0400)]
Fix NULL deref in [ec]dh_cms_set_shared_info
Multiple independent reports indicated a SIGSEGV was possible in CMS
processing when a crafted CMS EnvelopedData message uses a Key
Agreement Recipient Info field. If the
KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
referenced functions above will attempt to dereference the
alg->parameter data prior to checking if the parameter field is NULL.
Confirmed to resolve the issues using the reproducers provided in the
security reports.
Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28389
kovan [Mon, 2 Feb 2026 14:47:35 +0000 (15:47 +0100)]
doc: document PKCS12 password prompting for certificates
Document that commands reading certificates from PKCS#12 files may
prompt for a password. The existing documentation only mentioned
password prompting for private keys.
Fixes #21292
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 15:52:28 2026
(Merged from https://github.com/openssl/openssl/pull/29918)
huanghuihui0904 [Mon, 16 Mar 2026 03:05:36 +0000 (11:05 +0800)]
crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check()
When init_ret indicates both X509_PCY_TREE_EXPLICIT and X509_PCY_TREE_EMPTY,
the function returns without freeing the initialized policy tree.
Free the tree before returning, consistent with the earlier TREE_EMPTY branch.
Also defer *ptree = tree assignment and free the tree when user policies
are empty to avoid returning invalid memory.
Fixes #30435
Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr 3 15:03:37 2026
(Merged from https://github.com/openssl/openssl/pull/30436)
Ensure that all the source files are formatted with the current
.clang-format configuration, to avoid spurious clang-format checker
errors when arbitrary files are touched.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 14:52:06 2026
(Merged from https://github.com/openssl/openssl/pull/29824)
slontis [Mon, 12 Jan 2026 05:58:34 +0000 (16:58 +1100)]
Add clang-format file exclusions for generated files related to OBJ objects.
Original-PR: https://github.com/openssl/openssl/pull/29599
Original-Commit: a62d247888d6 "Add clang-format file exclusions for generated files related to OBJ"
Original-Merge-Date: Tue Jan 13 10:13:37 2026
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 14:52:03 2026
(Merged from https://github.com/openssl/openssl/pull/29824)
slontis [Wed, 14 Jan 2026 06:31:41 +0000 (17:31 +1100)]
Make OpenSSL generated error files use the current clang-format.
Anytime a new error code is added it generates error related files.
These are generated using a perl script which used readable indenting.
The indenting has been removed.
Original-PR: https://github.com/openssl/openssl/pull/29631
Original-Commit: 8424f565dcbb "Make OpenSSL generated error files use the current clang-format."
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 14:52:02 2026
(Merged from https://github.com/openssl/openssl/pull/29824)
It is cherry-picked from commit 1afb05b6035c "Add serialization for SHA-2
digest contexts" to ensure that the .clang-format configuration is in sync
between branches.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 3 14:51:54 2026
(Merged from https://github.com/openssl/openssl/pull/29824)
Pranavjeet-Naidu [Tue, 24 Mar 2026 23:45:30 +0000 (05:15 +0530)]
Add negative length validation in EVP_EncryptUpdate and EVP_DecryptUpdate
Added input length validation checks to prevent potential security issues
when negative values are passed to EVP_EncryptUpdate and EVP_DecryptUpdate.
These functions cast inl (int) to size_t without validation, which could lead
to unexpectedly large buffer allocation attempts or unintended behavior with
negative inputs.
Validation is performed early in both functions to ensure only valid,
non-negative lengths are processed. Error is reported via EVP_R_INVALID_LENGTH.
Fixes: https://github.com/openssl/openssl/issues/30486
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 02:10:52 2026
(Merged from https://github.com/openssl/openssl/pull/30560)
kovan [Tue, 27 Jan 2026 11:11:08 +0000 (12:11 +0100)]
doc: fix -signcert grouping in CA.pl documentation
The -signcert option was incorrectly grouped with -sign and -xsign at
line 109, which implied they were equivalent. However, -signcert is
different: it expects a self-signed certificate (not a certificate
request) in newreq.pem, and converts it to a request before signing.
This is correctly documented in its own separate section at line 123,
which states "-signcert is the same as -sign except it expects a self
signed certificate".
Remove -signcert from the -sign/-xsign grouping to eliminate the
contradiction.
Resolves: https://github.com/openssl/openssl/issues/29165
Fixes: 022696cab014 "Allow CA.pl script user to pass extra arguments to openssl command"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:10:50 2026
(Merged from https://github.com/openssl/openssl/pull/29794)
Abhinav Agarwal [Tue, 24 Mar 2026 02:17:04 +0000 (19:17 -0700)]
quic: add missing return 0 after raise_protocol_error for NEW_CONN_ID
Every other frame type handler in depack_process_frames() returns 0
after calling ossl_quic_channel_raise_protocol_error(), but the
NEW_CONN_ID case falls through to depack_do_frame_new_conn_id().
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:48:44 2026
(Merged from https://github.com/openssl/openssl/pull/30550)
Amaan Qureshi [Fri, 20 Mar 2026 00:40:20 +0000 (20:40 -0400)]
s390x: set minimum architecture level to z10
The keccak1600 perlasm file (`keccak1600-s390x.pl`) emits `cijne`, a
z10 compare-immediate-and-branch instruction, without declaring a
minimum architecture level. GCC defaults to `-march=z900` on s390x,
causing assembler errors when building with the default toolchain
flags:
z900 has been out of service since 2014, the Linux kernel requires
z196 minimum, and clang already defaults to z10 on s390x. A
`.machine "z10"` GAS directive in the generated assembly resolves the
error by declaring the architecture level the file already requires.
Ref: #27323
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:32:22 2026
(Merged from https://github.com/openssl/openssl/pull/30507)
Weidong Wang [Sat, 21 Mar 2026 15:41:49 +0000 (10:41 -0500)]
Fix missing EVP_CIPHER_get_iv_length() guard in PKCS5_pbe2_set_scrypt
Store the return value of EVP_CIPHER_get_iv_length() in a local variable
and guard with (ivlen > 0) before passing to memcpy/RAND_bytes, matching
the pattern already used in p5_pbev2.c. Without this, a negative return
value (-1) is implicitly converted to SIZE_MAX when cast to size_t,
causing a stack buffer overflow on iv[EVP_MAX_IV_LENGTH].
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:14:09 2026
(Merged from https://github.com/openssl/openssl/pull/30510)
crypto/idea/i_ofb64.c: mask the num value after negativity check
Commit 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB
implementations" introduced masking of the user-supplied num value
in several functions, which rendered the existing *num negativity check
introduced in 1634b2df9f12 "enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value"
ineffectual. While commit b73a5743253d "crypto/idea/i_cfb64.c:
condition 'n < 0' can never be met after doing 'n = n & 0x07'"
has addressed the issue in crypto/idea/i_cfb64.c:IDEA_cfb64_encrypt(),
this commit addresses the same issue
in crypto/idea/i_ofb64.c:IDEA_ofb64_encrypt() in similar fashion,
by postponing the masking after the negativity check.
The issue was initially reported by Coverity, ID 1689815.
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689815
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
References: b73a5743253d "crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'"
Co-Authored-by: Alexandr Nedvedicky <sashan@openssl.org>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30528)
1seal [Tue, 17 Mar 2026 09:14:32 +0000 (10:14 +0100)]
test: add regression tests for unauthorized OCSP response signers
This is a backport of commit 355ea2ba25f4 "test: add regression tests
for unauthorized OCSP response signers" that includes only parts
pertaining to the openssl ocsp command testing. The original commit
message:
extend test_tlsext_status_type() with a handshake that serves a
leaf-signed stapled OCSP response and verifies the connection fails
when X509_V_FLAG_OCSP_RESP_CHECK is enabled.
generalize ocsp_server_cb_single() to use configurable signer
cert/key instead of hardcoded paths so the same callback serves
both authorized and unauthorized signer test cases.
add a test_ocsp() subtest covering the -issuer CLI option with
an untrusted issuer hint.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:50:49 2026
(Merged from https://github.com/openssl/openssl/pull/30527)
1seal [Tue, 17 Mar 2026 09:14:21 +0000 (10:14 +0100)]
x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths
This is a backport of 8a630915c045 "x509: remove OCSP_TRUSTOTHER from stapled
response and issuer fallback paths" that includes only parts pertaining to
the openssl ocsp command. Original commit message:
check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.
similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.
remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.
Link: https://github.com/openssl/openssl/pull/30323
References: 8a630915c045 "x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths"
Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:50:48 2026
(Merged from https://github.com/openssl/openssl/pull/30527)
easonysliu [Wed, 18 Mar 2026 08:22:24 +0000 (16:22 +0800)]
conf: guard NULL group in NCONF_get_string() error path
NCONF_get_string() passes the group parameter directly to
ERR_raise_data() with a %s format specifier. The CONF API
explicitly allows group to be NULL (meaning "default section"),
and multiple internal callers use this, such as conf_diagnostics()
and CONF_modules_load().
When the lookup fails and the error path is reached, passing NULL
to %s is undefined behavior per the C standard. On Linux/glibc
it happens to print "(null)", but on platforms like Solaris 10 it
crashes in strlen() inside vsnprintf().
This was exposed after commit #28305 replaced the custom _dopr()
(which had an explicit NULL-to-"<NULL>" guard in fmtstr()) with
the platform's native vsnprintf().
Guard the NULL by using an empty string in the format argument.
Fixes #30402
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:39:02 2026
(Merged from https://github.com/openssl/openssl/pull/30484)
huanghuihui0904 [Thu, 12 Mar 2026 13:01:30 +0000 (21:01 +0800)]
apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()
setup_verification_ctx() allocates out_trusted via load_trusted() and passes
it to OSSL_CMP_CTX_set_certConf_cb_arg(). Since the argument is not consumed,
it must be freed on failure. The fix is to free out_trusted if
OSSL_CMP_CTX_set_certConf_cb_arg() fails.
Fixes #30377
Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:34:49 2026
(Merged from https://github.com/openssl/openssl/pull/30392)
Peter Zhang [Wed, 11 Mar 2026 22:59:48 +0000 (22:59 +0000)]
Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect
When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
wrap it in square brackets for the CONNECT request line (e.g.,
CONNECT [::1]:443 HTTP/1.0). Also handle the case where the server
string already includes brackets (as returned by OSSL_HTTP_parse_url).
Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c")
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:32:06 2026
(Merged from https://github.com/openssl/openssl/pull/30384)
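As an added illustration of the request-line handling described in the commit above (this is not OpenSSL's OSSL_HTTP_proxy_connect() code), the hypothetical `build_connect_line()` below wraps a bare IPv6 literal in square brackets, leaves hostnames, IPv4 literals and already-bracketed IPv6 strings as given, and reports truncation instead of emitting a partial request line. The helper functions and the 128-byte scratch buffer are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Build "CONNECT host:port HTTP/1.0\r\n" into out. A bare IPv6 literal
 * (contains ':' and is not already enclosed in brackets) is wrapped in
 * square brackets so the port separator is unambiguous; hostnames, IPv4
 * literals and already-bracketed IPv6 strings are used as given.
 * Returns the number of characters written, or -1 on a missing argument
 * or if the line would not fit in out. */
int build_connect_line(char *out, size_t outlen,
                       const char *server, const char *port)
{
    int n;
    size_t slen;
    int bare_ipv6;

    if (out == NULL || server == NULL || port == NULL)
        return -1;
    slen = strlen(server);
    if (slen == 0 || *port == '\0')
        return -1;
    bare_ipv6 = strchr(server, ':') != NULL
                && !(server[0] == '[' && server[slen - 1] == ']');
    if (bare_ipv6)
        n = snprintf(out, outlen, "CONNECT [%s]:%s HTTP/1.0\r\n", server, port);
    else
        n = snprintf(out, outlen, "CONNECT %s:%s HTTP/1.0\r\n", server, port);
    /* snprintf reports the length it wanted; treat truncation as an error */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Returns 1 if the request line built for server/port equals expected. */
int connect_line_is(const char *server, const char *port, const char *expected)
{
    char line[128];

    if (build_connect_line(line, sizeof line, server, port) < 0)
        return 0;
    return strcmp(line, expected) == 0;
}

/* Returns the length build_connect_line() reports when given outlen bytes
 * of room (capped at the scratch buffer), or -1 if it refuses. */
int connect_line_len(const char *server, const char *port, size_t outlen)
{
    char line[128];

    if (outlen > sizeof line)
        outlen = sizeof line;
    return build_connect_line(line, outlen, server, port);
}

int main(void)
{
    const char *servers[] = { "::1", "[::1]", "example.com", "192.0.2.1" };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof servers / sizeof servers[0]; i++)
        if (build_connect_line(line, sizeof line, servers[i], "443") > 0)
            fputs(line, stdout);
    return 0;
}
```

The bracket test looks at both ends of the string so that a value already normalised by a URL parser is not double-wrapped, and the truncation check matters because a proxy seeing a cut-off request line would otherwise be asked to connect to the wrong place.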
crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689816
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:06:11 2026
(Merged from https://github.com/openssl/openssl/pull/30500)
huanghuihui0904 [Mon, 16 Mar 2026 07:16:21 +0000 (15:16 +0800)]
ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.
Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:30:44 2026
(Merged from https://github.com/openssl/openssl/pull/30443)
Abhinav Agarwal [Wed, 18 Mar 2026 16:01:07 +0000 (09:01 -0700)]
quic: fix NULL pointer dereference in ossl_uint_set_remove()
In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.
Check the allocation result before insertion and return 0 on failure.
Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 20:12:37 2026
(Merged from https://github.com/openssl/openssl/pull/30490)
QUIC stack must disable hash table contraction before doing
lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
dead memory when traversing to next item in hash table.
One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
table contraction when table is being destroyed during the
_doall() traversal.
call lh_TYPE_set_down_load(lh, 0) before doing
lh_TYPE_doall() with lh_TYPE_delete(). This disables
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/30371)
frostb1ten [Mon, 16 Mar 2026 10:07:12 +0000 (05:07 -0500)]
Mask *num on entry in deprecated low-level OFB/CFB implementations
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 18 07:15:11 2026
(Merged from https://github.com/openssl/openssl/pull/30447)
Scott [Mon, 16 Mar 2026 17:30:50 +0000 (12:30 -0500)]
Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path
ppc_aes_gcm_cipher_update() returns 1 on success and 0 on failure.
The decrypt pre-alignment path (line 122) incorrectly returned -1
instead of 0 when CRYPTO_gcm128_decrypt() failed.
Since the caller checks `if (!hw->cipherupdate(...))`, and !(-1)
evaluates to 0 (false) in C, the error was silently swallowed and
GCM processing continued with potentially corrupt state.
The encrypt path at line 98 correctly returns 0. This was likely a
copy-paste error when the decrypt path was added.
Fixes #30380
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 07:04:47 2026
(Merged from https://github.com/openssl/openssl/pull/30452)
Weidong Wang [Tue, 10 Mar 2026 17:42:35 +0000 (12:42 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_stream
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:56 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Weidong Wang [Tue, 10 Mar 2026 17:15:22 +0000 (12:15 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_dataFinal
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:53 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Weidong Wang [Tue, 10 Mar 2026 17:08:35 +0000 (12:08 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_ctrl
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:49 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Scott [Mon, 16 Mar 2026 03:53:04 +0000 (22:53 -0500)]
Fix integer truncation in ppc_aes_gcm_crypt
The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt
return size_t, but their return values were stored in int variables,
causing truncation on PPC64 where size_t is 64-bit. This could lead
to incorrect results when processing inputs larger than 2GB via
EVP_Cipher() which accepts unsigned int lengths.
Change the types of s and ndone from int to size_t to match the
function return type and the return type of ppc_aes_gcm_crypt itself.
Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass,
AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 09:44:33 2026
(Merged from https://github.com/openssl/openssl/pull/30437)
Matt Caswell [Fri, 27 Feb 2026 12:25:04 +0000 (12:25 +0000)]
Add a test to confirm that we get the expected error with HTTP
If we send HTTP directly over a TLS connection then we expect to receive
the SSL_R_HTTP_REQUEST error. So we add a test to confirm that we do.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Mar 16 12:54:59 2026
(Merged from https://github.com/openssl/openssl/pull/30412)
Matt Caswell [Fri, 27 Feb 2026 11:57:41 +0000 (11:57 +0000)]
Defer the check that the record fits in our buffer
Previously we confirmed that the record we received from the peer
actually fits in our buffer before validating the record header. However,
this interferes with the checks that the "any" method does for accidental
use of HTTP because the record length will be wrong in this case. To solve
this we simply defer the check until after the record header has been
validated.
Fixes #30196
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Mar 16 12:54:58 2026
(Merged from https://github.com/openssl/openssl/pull/30412)
YZL0v3ZZ [Wed, 11 Mar 2026 14:31:47 +0000 (22:31 +0800)]
apps/cmp_mock_srv: fix resource leak in process_genm()
If pushing the generated rsp ITAV object into the out stack fails,
the error path frees the stack container but permanently abandons
the newly allocated rsp object.
Explicitly free the rsp structure if it exists and was not pushed
successfully to prevent this memory leak.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Mar 16 11:16:02 2026
(Merged from https://github.com/openssl/openssl/pull/30374)
Zenithal [Tue, 10 Mar 2026 00:44:01 +0000 (00:44 +0000)]
riscv: aes: fix checks on null keys
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:15:37 2026
(Merged from https://github.com/openssl/openssl/pull/30333)
kovan [Mon, 2 Feb 2026 11:35:29 +0000 (12:35 +0100)]
doc: Fix X509_NAME_print documentation to reflect actual behavior
The documentation claimed that X509_NAME_print() would indent each line
by obase characters and wrap lines exceeding 80 characters. However, the
implementation has never actually used obase for any purpose since the
line-wrapping code was removed in 2007 as unreachable.
Update the documentation to state that obase is ignored and the function
outputs on a single line.
Fixes #18004
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:22:52 2026
(Merged from https://github.com/openssl/openssl/pull/29900)
Joshua Rogers [Sun, 12 Oct 2025 14:08:04 +0000 (22:08 +0800)]
NonStop: reset hpns_connect_attempt at call start and on success
Ensure the NonStop fallback state does not leak across calls by clearing hpns_connect_attempt at the beginning of RAND_query_egd_bytes and after a successful connect. No impact on other platforms.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:22:00 2026
(Merged from https://github.com/openssl/openssl/pull/28909)
Joshua Rogers [Sun, 12 Oct 2025 13:52:21 +0000 (21:52 +0800)]
rand_egd: harden EGD I/O and bounds; defer fdopen until post connect
Tighten RAND_query_egd_bytes and fix edge cases:
* Reject nonpositive request sizes to avoid wrap when storing the
length byte in tempbuf[1].
* Treat server length byte as untrusted; bound by the requested size
and by sizeof(tempbuf) to avoid overrunning caller or stack buffers.
* Defer fdopen until after a successful connect. On HPE NonStop
(OPENSSL_SYS_TANDEM) the connect retry path may swap the socket fd;
creating the FILE* early could leave a stale stream pointing at a
closed descriptor, causing EBADF or short I/O, and leaking the new
socket. Creating the stream after connect avoids this.
* Initialize fd to -1 and close the raw fd when fdopen fails; ensure
we close either FILE* or the raw fd on all error paths.
* Remove unused code.
Behavior is unchanged on platforms that do not swap fds during connect.
On TANDEM it prevents stale I/O and descriptor leaks. Overall this
improves robustness and bounds checking for EGD interactions.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/28905)
Matt Caswell [Wed, 11 Mar 2026 15:06:32 +0000 (15:06 +0000)]
Fix a one byte buffer overflow in s_client
The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.
This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.
This issue was reported to us by Igor Morgenstern from AISLE.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)
It wasn't explicitly clear that it was safe to call OPENSSL_clear_free()
with a NULL because, as worded, it sounded like it may call
OPENSSL_cleanse() on NULL before calling OPENSSL_free().
CLA: trivial
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:43:51 2026
(Merged from https://github.com/openssl/openssl/pull/28127)
OwenSanzas [Tue, 10 Mar 2026 00:05:35 +0000 (00:05 +0000)]
Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter
The `num` parameter in DES OFB64/CFB64 functions tracks the byte offset
within an 8-byte DES block, so valid values are 0-7. However, neither
the EVP set_params path nor the low-level DES functions validated this
bound, allowing an out-of-range `num` to cause a stack buffer over-read
when used as an array index into the 8-byte keystream buffer.
Fix at two levels:
1. Provider layer: reject num >= blocksize in
ossl_cipher_common_set_ctx_params() before it reaches the cipher.
2. Low-level DES: mask `*num` with `& 0x07` on entry to
DES_ofb64_encrypt, DES_ede3_ofb64_encrypt, DES_cfb64_encrypt,
and DES_ede3_cfb64_encrypt, consistent with how `n` is already
masked at the end of these functions before being written back.
Fixes #30284
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 14:24:12 2026
(Merged from https://github.com/openssl/openssl/pull/30332)
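The DES fix above and the IDEA follow-ups earlier on this page ("mask the num value after negativity check" and "condition 'n < 0' can never be met after doing 'n = n & 0x07'") describe two layers of the same bound: reject an out-of-range offset at the parameter-setting layer, and in the low-level routine check for a negative value before masking, since masking first makes the check unreachable. The program below is an added example, not OpenSSL's DES or IDEA code: it uses a constructed 8-byte "block function" (a key XOR plus a byte rotation, not a cipher) only so that a generic OFB64 loop has something to iterate, and the constructed key, IV and helper names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 8   /* 64-bit block, as for DES and IDEA */

/* Constructed stand-in for an 8-byte block function (NOT DES or IDEA):
 * XOR with the key and rotate one byte. Deterministic, nothing more. */
static void toy_block(const unsigned char key[BLOCK], unsigned char blk[BLOCK])
{
    unsigned char first = blk[0] ^ key[0];
    int i;

    for (i = 0; i < BLOCK - 1; i++)
        blk[i] = blk[i + 1] ^ key[i + 1];
    blk[BLOCK - 1] = first;
}

/* Parameter-layer check (hypothetical counterpart of rejecting
 * num >= blocksize in set_ctx_params): 1 if num is a usable offset. */
int num_param_accepted(int num, int blocksize)
{
    return num >= 0 && num < blocksize;
}

/* Low-level OFB64: iv holds the current keystream block, *num the byte
 * offset into it. The negativity check runs BEFORE masking: masking first
 * would turn -1 into 7 and the check could never fire. Masking on entry
 * then guarantees iv[n] is in bounds. Returns 0 on a negative num, else 1. */
int toy_ofb64_encrypt(const unsigned char *in, unsigned char *out, size_t len,
                      const unsigned char key[BLOCK], unsigned char iv[BLOCK],
                      int *num)
{
    int n = *num;

    if (n < 0)
        return 0;                    /* check first ... */
    n &= BLOCK - 1;                  /* ... then mask */
    while (len--) {
        if (n == 0)
            toy_block(key, iv);      /* next keystream block */
        *out++ = *in++ ^ iv[n];
        n = (n + 1) & (BLOCK - 1);
    }
    *num = n;
    return 1;
}

/* Constructed key and IV shared by the scenario helpers below. */
static const unsigned char KEY[BLOCK] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const unsigned char IV[BLOCK]  = { 9, 8, 7, 6, 5, 4, 3, 2 };

/* Run 3 bytes through with the given starting num.
 * Returns -1 if the call was rejected, else the updated num. */
int lowlevel_num_result(int start_num)
{
    unsigned char iv[BLOCK], in[3] = { 'a', 'b', 'c' }, out[3];
    int num = start_num;

    memcpy(iv, IV, BLOCK);
    if (!toy_ofb64_encrypt(in, out, sizeof in, KEY, iv, &num))
        return -1;
    return num;
}

/* Encrypt then decrypt a constructed message; OFB decryption is the same
 * operation with the same IV. Returns 1 if the round trip matches. */
int ofb_roundtrip(void)
{
    const unsigned char msg[] = "constructed";
    unsigned char iv[BLOCK], ct[sizeof msg], pt[sizeof msg];
    int num;

    memcpy(iv, IV, BLOCK);
    num = 0;
    toy_ofb64_encrypt(msg, ct, sizeof msg, KEY, iv, &num);
    memcpy(iv, IV, BLOCK);
    num = 0;
    toy_ofb64_encrypt(ct, pt, sizeof msg, KEY, iv, &num);
    return memcmp(msg, pt, sizeof msg) == 0 && memcmp(msg, ct, sizeof msg) != 0;
}

int main(void)
{
    printf("num=8 accepted at parameter layer: %d\n", num_param_accepted(8, BLOCK));
    printf("num=-1 in low-level routine: %d (-1 = rejected)\n", lowlevel_num_result(-1));
    printf("num=9 masked to 1, then 3 bytes: %d\n", lowlevel_num_result(9));
    printf("round trip ok: %d\n", ofb_roundtrip());
    return 0;
}
```

The order of the two statements in the low-level routine is the whole point: once `n &= 7` has run, every value is in 0..7 and an `n < 0` test is dead code, which is exactly what Coverity flagged in the IDEA routines.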
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1684201
Complements: #adc8e4abd96 Fix Memory leak in app_passwd
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 11:33:37 2026
(Merged from https://github.com/openssl/openssl/pull/30365)
Pablo Rodríguez [Thu, 5 Mar 2026 16:49:12 +0000 (17:49 +0100)]
add an initial space to format a command in `openssl-cms.pod.in`
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:43:44 2026
(Merged from https://github.com/openssl/openssl/pull/30274)
Pauli [Wed, 4 Mar 2026 23:28:15 +0000 (10:28 +1100)]
safe_math: documentation example fix
The example was for an older version of the code which used triadic
macros to define the functions. The code was simplified making these
dyadic but the example was skipped. This fixes the example.
huanghuihui0904 [Mon, 9 Mar 2026 14:57:00 +0000 (22:57 +0800)]
Fix Memory leak in app_passwd
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 10 17:42:48 2026
(Merged from https://github.com/openssl/openssl/pull/30325)
Uni [Fri, 6 Mar 2026 20:24:28 +0000 (21:24 +0100)]
Fix memory leak of p and q in ossl_rsa_fromdata error path
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30298)
dane_match_cert() should X509_free() on ->mcert instead
of OPENSSL_free()
Fixes: 170b735820ac "DANE support for X509_verify_cert()"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 5 12:37:17 2026
(Merged from https://github.com/openssl/openssl/pull/30250)
SSL_get_shared_ciphers(): Return NUL-terminated buffer for no shared ciphers
Also validate the input buffer and length properly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 09:30:18 2026
(Merged from https://github.com/openssl/openssl/pull/28859)