Igor Ustinov [Thu, 4 Dec 2025 16:05:59 +0000 (17:05 +0100)]
Documentation for BIO flags and related functions.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29311)
Bob Beck [Tue, 9 Dec 2025 16:01:16 +0000 (09:01 -0700)]
Add static_ASN1_SEQUENCE_END to the list of statment macros
This one is pretty special, we should ponder simplifying some of
the clever preprocessor stuff here, but for now..
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29359)
Matthias Kraft [Fri, 5 Dec 2025 16:52:28 +0000 (17:52 +0100)]
Enable send-/recvmmsg for AIX >= 7.2 and disable SUPPORT_LOCAL_ADDR.
AIX doesn't support this implementation for local addresses. The AF_INET
case is unimplemented when sending. The AF_INET6 case is limited to 110
messages. The limiting factor is currently unclear.
Fixes #29292
Signed-off-by: Matthias Kraft <Matthias.Kraft@ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29334)
Niels Dossche [Mon, 8 Dec 2025 14:17:56 +0000 (15:17 +0100)]
Fix memory leak in error path of ec_gen_init()
ec_gen_set_params() can fail after some big numbers have already been
copied over. Those need to be cleaned to avoid a memory leak on failure.
This can be done with ec_gen_cleanup(), which is also consistent in how
the ecx_gen code does it.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29335)
Viktor Dukhovni [Sat, 6 Dec 2025 04:04:36 +0000 (15:04 +1100)]
The return value of RSA_*_{en,de}crypt() is signed
The functions RSA_(public|private)_(en|de)crypt() return a signed
result, in particular `-1` may be returned on error, so the caller
MUST treat the value as signed.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29323)
George Wilson [Thu, 16 Oct 2025 15:41:26 +0000 (10:41 -0500)]
doc/man3: Add OPENSSL_ppccap.pod
This patch adds a man page documenting the OPENSSL_ppccap environment
variable that is analogous to capability environment variable man pages
for other architectures.
Fixes #17046
Signed-off-by: George Wilson <gcwilson@linux.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29230)
Carter Thaxton [Thu, 9 Oct 2025 02:20:25 +0000 (19:20 -0700)]
Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set, while X509_V_FLAG_CRL_CHECK is clear
Fixes #28758
When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored.
Prior to 3.6.0, this was indeed the case.
In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK.
This unfortunately breaks the majority of ruby installations, which relied on the documented behavior.
For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags,
which are still undocumented as of 3.6.0.
All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set.
We could add a new test for this regression. I'll leave that to another commit.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28797)
Dmitry Misharov [Tue, 9 Dec 2025 16:39:14 +0000 (17:39 +0100)]
run codespell pre-commit hook on staged files only
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29360)
Matt Caswell [Tue, 9 Dec 2025 12:22:02 +0000 (12:22 +0000)]
Fix array formatting in evp_extra_test.c
The reformat did something silly with some of the arrays in evp_extra_test.c
Fix the arrays such that clang-format is still happy.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29349)
Bob Beck [Tue, 9 Dec 2025 14:01:47 +0000 (07:01 -0700)]
Disable clang-format around this macro
clang-format sensibly thinks this is an arithmatic operation,
and formats the math. Sadly it does not know we eventually
stringify this behind several other layers of nested macros
and so putting spaces in here is bad.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29350)
Bob Beck [Tue, 9 Dec 2025 07:59:00 +0000 (00:59 -0700)]
3.6-POST-CLANG-FORMAT-WEBKIT
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29245)
Bob Beck [Tue, 9 Dec 2025 07:57:52 +0000 (00:57 -0700)]
3.6-PRE-CLANG-FORMAT-WEBKIT
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29245)
In a hypothetical scenario that jent_entropy_init_ex fails, or if
get_jitter_random-value fails, there are a few unexpected
posibilities.
If jent_entropy_init_ex fails, the seed initialisation may return NULL
and then DRBG will be initiated with NULL seed, which will
automatically fallback to os-seed, which will escape module boundary
(if this jitter rng is from the fips module), and call getrandom
syscall.
And separately if get_jitter_random_value fails, it may put DRBG in an
error state, but it might not put the FIPS module in error state, like
it should as per the ISO standard.
To instrument these things, I had to create tampered
jitterentropy-library that always returns errors for init_ex and
read_entropy apis, and then use gdb tracing on both libcrypto.so and
fips.so.
The most minimal solution to above hypothetical error code paths, is
to simply call ossl_set_error_state. It is either harmless, or in case
of fips-jitter will correctly put the FIPS module into error state and
prevent any further operation; and cruitially prevent silent fallback
to getrandom syscall.
Note it is unlikely that this ever was out of compliance, as often
enough getrandom syscall goes to a kernel with validated entropy
source; and openssl fips module still did reject sampling which is too
entropy source compliant.
Nonetheless it is good to fix this hypothetical error path, and
backport this to 3.5 and up.
This is similar / additional fixes, to this previous change:
- https://github.com/openssl/openssl/pull/25957
- https://github.com/openssl/openssl/commit/b9886a6f3483e0525596d3b3956416282038da82
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29226)
Bob Beck [Tue, 2 Sep 2025 16:07:08 +0000 (10:07 -0600)]
Fix cmp_ctx_test.c to be less sensitive to line wrapping.
Similar to the previous errtest.c fix this also is not broken
by any reformatting today, but this change makes this follow
the same pattern as the other things that test OPENSSL_LINE
after the fact so we maintain the same paradigm everywhere.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29243)
Bob Beck [Fri, 29 Aug 2025 17:37:36 +0000 (11:37 -0600)]
fix errtest to be less sensitive to line wrapping changes
(in it's final form it will work with either compiler
because it's currently one line, but was tripped up before
by the #ifdef, so redid it to be consistent with the
other changes previously in this stack)
While I am here correct the test to test for all possible
return values of ERR_get_error_all, without the #ifdefs
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29243)
check_cert_crl(): Set CRL score for CRLs returned by get_crl callback
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29199)
lan1120 [Tue, 2 Dec 2025 01:36:57 +0000 (09:36 +0800)]
mlx_kem_dup(): Set key state to MLX_HAVE_NOKEYS when not copying keypair
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29280)
Matthias Kraft [Fri, 28 Nov 2025 14:30:01 +0000 (15:30 +0100)]
Skip symbol_presence test on AIX
AIX `nm` reports symbols in a different way.
Fix for: #29247
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29276)
Dmitry Misharov [Mon, 1 Dec 2025 17:14:02 +0000 (18:14 +0100)]
add release notes from NEWS.md when making a release
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29271)
Fortunately due to the initial size of the allocated
buffer and the limit for unfragmented DTLS record size
the use-after-realloc cannot be triggered.
But we fix the potentially problematic code anyway.
Reported Joshua Rogers. It was found with the ZeroPath security
tooling.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29278)
Holger Dengler [Wed, 26 Nov 2025 15:18:49 +0000 (16:18 +0100)]
s390x: Check and fail on invalid malformed ECDSA signatures
Check parameters of ECDSA signatures on verify and fail for invalid
malformed signatures in the code path for s390x accelerators. Handle
condition code of kdsa instruction for detecting invalid parameters.
For NIST P521 curves, kdsa ignores completely the upper 14 bytes of
the sections for r and s in the parameter-block, so adapt the offset
and length for bignum conversions for these curves. This will detect
cases of malformed signatures which are not covered by the kdsa
parameter checking.
Fixes: #29173 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
Holger Dengler [Wed, 26 Nov 2025 15:18:37 +0000 (16:18 +0100)]
s390x: Return condition code of kdsa instruction
The kdsa instruction is doing some parameter checking for the verify
function codes, like r/s equals zero and range checks. To handle these
cases correctly in the calling functions, the asm returns now also
condition code 2.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29214)
- Add explicit links to related EVP_* functions for each signature method
- Clarify the differences between sign/verify, message sign/verify, and digest sign/verify functions
- Document TLS 1.3 requirements: digest_sign/verify functions are mandatory for libssl usage
- Provide guidance for provider developers on which functions to implement for different use cases
Fixes #27127
Signed-off-by: Samaresh Kumar Singh <ssam3003@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29166)
Bernd Edlinger [Sun, 25 Feb 2024 15:33:33 +0000 (16:33 +0100)]
CIFuzz: Remove some unnecessary files to free up space
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29061)
Neil Horman [Thu, 20 Nov 2025 16:49:19 +0000 (11:49 -0500)]
ensure destructor key is created prior to any other thread specific key
https://github.com/openssl/openssl/issues/29077 found that, in the event
that a pthread key is created prior to the destructor_key, glibc will
NULL-ify any thread specific data before the init_thread_destructor
runs, leading to leaks.
Ensure that we always create the destructor key prior to any other
thread local storage keys
Fixes #29907
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29182)
Instead of transferring the ownership of the single OCSP response
to the SSL object, the multi-stapling PR modified the semantics
of SSL_set_tlsext_status_ocsp_resp() to copying semantics.
This change reverts the behavior to the previous one.
Partially based on fix by Remi Gacogne:
https://github.com/openssl/openssl/pull/28894
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29251)
Igor Ustinov [Thu, 27 Nov 2025 12:08:02 +0000 (13:08 +0100)]
Branch 3.2 was removed from and branch 3.6 was added to the
"Provider compatibility for PRs" test.
Do not test the provider from the PR against modified branches.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29236)
Shohei YOSHIDA [Mon, 24 Nov 2025 08:55:06 +0000 (17:55 +0900)]
DOC: fix typo in openssl-cmp
RAVERIFED -> RAVERIFIED
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29202)
Shohei YOSHIDA [Mon, 24 Nov 2025 07:20:11 +0000 (16:20 +0900)]
DOC: put an empty line before '=for' directive
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29201)
Clemens Lang [Mon, 24 Nov 2025 10:11:33 +0000 (11:11 +0100)]
test: Add test for #29196
Add a test that will cause one of the problems reported in
https://github.com/openssl/openssl/issues/29196 and skip it on 32-bit
systems.
Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
Clemens Lang [Fri, 21 Nov 2025 15:00:08 +0000 (16:00 +0100)]
Do not make key share choice in tls1_set_groups()
tls1_set_groups(), which is used by SSL_CTX_set1_groups() does not check
whether the NIDs passed as argument actually have an implementation
available in any of the currently loaded providers. It is not simple to
add this check, either, because it would require access to the SSL_CTX,
which this function does not receive. There are legacy callers that do
not have an SSL_CTX pointer and are public API.
This becomes a problem, when an application sets the first group to one
that is not supported by the current configuration, and can trigger
sending of an empty key share.
Set the first entry of the key share list to 0 (and the key share list
length to 1) to signal to tls1_construct_ctos_key_share that it should
pick the first supported group and generate a key share for that. See
also tls1_get_requested_keyshare_groups, which documents this special
case.
See: https://issues.redhat.com/browse/RHEL-128018 Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
martin [Sun, 19 Oct 2025 16:37:06 +0000 (18:37 +0200)]
Fixed non-compliant handling of missing stapled OCSP responses
If the OCSP response was not present for a certificate the server
created a non-conforming empty CertificateStatus extension
instead of not sending the extension at all.
Bernd Edlinger [Mon, 3 Nov 2025 13:00:15 +0000 (14:00 +0100)]
Document CVE-2021-4160
This was fixed in openssl 3.0.1 by #17258 and assigned
CVE-2021-4160 but unfortunately forgotten to mention
in the CHANGES and/or NEWS.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29051)
Neil Horman [Sat, 25 Oct 2025 11:21:42 +0000 (07:21 -0400)]
Ignore RecordPadding option in config file for QUIC objects
QUIC connections always pad data at the packet level during packet
encryption, and so have no ability to do padding at the record level.
We want to be able to inform the user of this condition when
applications call SSL_set_block_padding_ex directly by returning an
error, we have no idea of what kind of SSL objects are created when the
config file is written.
As such, silently ignore this config file option when QUIC objects are created.
Fixes #28953
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29193)
Neil Horman [Fri, 21 Nov 2025 15:31:35 +0000 (10:31 -0500)]
Add SSL_CTX_is_quic API
Like SSL_is_quic, it would be helpful to know if SSL_CTX objects create
QUIC SSL's or not.
Note, this is a public function in the master branch, but is made
private for older stable branches, so as not to introduce new public
API's there (3.6-3.0)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29193)
David Benjamin [Mon, 20 Oct 2025 21:38:14 +0000 (17:38 -0400)]
doc: Discuss calling X509_verify_cert in cert_verify_callback
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)
There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)
Igor Ustinov [Wed, 19 Nov 2025 15:21:30 +0000 (16:21 +0100)]
Correct information about the default value of the -md parameter
of the openssl cms command.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29175)
doc/man3/OPENSSL_malloc.pod: mention rationale for OPENSSL_cleanse()
It was not entirely clear from the sole description, what is the reason
for preferring OPENSSL_cleanse() over memset(). Add a note about situations
in which OPENSSL_cleanse() should be chosen.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29174)
Use ERR_LIB_RAND when reporting RAND_R_ALREADY_INSTANTIATED from
RAND_set_DRBG_type() and RAND_set_seed_source_type() so the error
message references the RAND subsystem instead of CRYPTO.
Fixes #29039
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29109)
doc: Add HISTORY entry for message signing functions in provider-signature(7)
The OSSL_FUNC_signature_{sign,verify}_message_* functions were added
in OpenSSL 3.4 but weren't documented in the HISTORY section of
provider-signature(7), while the corresponding EVP_PKEY_sign_message_*
functions are properly documented in EVP_PKEY_sign(3).
This adds the missing HISTORY entry to document when these provider
functions were introduced.
Fixes #29088
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29130)
Lars Erik Wik [Wed, 8 Oct 2025 15:06:39 +0000 (17:06 +0200)]
bio_ok.c: Fixed undefined identifier 'SIZE_MAX'
This fixes the following compilation error on HP-UX:
```
11:07:19 crypto/evp/bio_ok.c: In function 'block_in':
11:07:19 crypto/evp/bio_ok.c:579: error: 'SIZE_MAX' undeclared (first use in this function)
11:07:19 crypto/evp/bio_ok.c:579: error: (Each undeclared identifier is reported only once
11:07:19 crypto/evp/bio_ok.c:579: error: for each function it appears in.)
```
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28793)
Leon Timmermans [Mon, 11 Aug 2025 20:25:59 +0000 (22:25 +0200)]
Allow get_params to return length of the AES-GCM tag parameter
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
tag parameter when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Leon Timmermans [Mon, 11 Aug 2025 20:08:39 +0000 (22:08 +0200)]
Allow get_params to return length of AES-GCM IV parameters
Previously, EVP_CIPHER_CTX_get_params would not report the length of the
IV parameters when called with a NULL data pointer. This change makes the
function behave as documented.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28232)
Anton Moryakov [Tue, 4 Nov 2025 22:18:47 +0000 (01:18 +0300)]
Prevent NULL deref in BN_is_zero when cofactor is missing
In ossl_ec_curve_nid_from_params, EC_GROUP_get0_cofactor may return NULL,
but BN_is_zero was called on it unconditionally, leading to a potential
segmentation fault.
Now check that cofactor != NULL before calling BN_is_zero or BN_is_word,
aligning with safe practices used elsewhere in the codebase.
This fixes a critical NULL pointer dereference vulnerability that could
be triggered by EC groups with unset cofactor, preventing DoS via segfault.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29069)
KubaBoi [Tue, 28 Oct 2025 17:22:57 +0000 (18:22 +0100)]
asn1_gen: add ASN1_object_size() return check and fix else braces
Fixes: #6570
CLA: trivial
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29022)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29006)
Joshua Rogers [Sat, 11 Oct 2025 22:34:40 +0000 (06:34 +0800)]
apps/s_socket: fix FD and addrinfo leak on SCTP failure in init_client
If BIO_new_dgram_sctp(*sock, BIO_NOCLOSE) fails we returned 0 directly,
skipping the out: cleanup and leaking the just created socket plus the
addrinfo lists.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28917)
Joshua Rogers [Sat, 11 Oct 2025 21:43:38 +0000 (05:43 +0800)]
crypto/bio/bss_acpt: set b->init only on successful BIO_parse_hostserv
BIO_C_SET_ACCEPT with num == 0 unconditionally set b->init = 1 even if
BIO_parse_hostserv failed. Only mark the BIO initialized when parsing
succeeds to avoid inconsistent state.
This change includes bss_sock.c to deal with introduction of EPROTO use.
Reroll of rsa_ossl.c changes made at 3.5 downward.
Build a workaround in timing_load_creds.c on NonStop for lack of rusage.
This simulates getrusage() that is not available on NonStop.
Update bioprinttest.c to handle missing PTRxPRT definitions from inttypes.h.
Fixes: #29023 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29090)
Angel Baez [Wed, 12 Nov 2025 12:46:28 +0000 (07:46 -0500)]
TLS 1.3 session resumption convert nonce_label to ASCII hex
Fixes #27815
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29127)
Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29129)
doc/man3/X509_STORE_get0_param.pod: mention how to free the returned objects
It is not entirely obvious from the description how the objects returned
by X509_STORE_get1_objects() and X509_STORE_get1_all_certs() are
supposed to be freed, explicitly mention the relevant calls, and provide
a reference to DEFINE_STACK_OF(3).
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/29002)
Clarify processing of CRYPTO frame in SSL_set_quic_tls_cbs(3ossl)
We should remind 3rd-party QUIC stack implementors their QUIC stack
must ensure to provide all CRYPTO frames to OpeNSSL/TLS for processing.
The CRYPTO frames keeping coming even after confirmation of TLS
hanndshake.
Fixes #28963
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29070)
Lidong Yan [Fri, 31 Oct 2025 06:40:06 +0000 (14:40 +0800)]
slh_dsa: fix leak in early return of slh_sign_internal()
In slh_sign_internal(), if calling PACKET_buf_init() failed, this
function return without free wpkt. Replace `return 0` with `goto err`
to free wpkt before return.
CLA: trivial Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29041)
Matteo [Mon, 27 Oct 2025 17:08:14 +0000 (18:08 +0100)]
Correction of grammar error in doc/man1/openssl-req.pod.in
I changed the word "most" with the correct word "must" at the line 406.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29009)
Ryan Hooper [Tue, 30 Sep 2025 16:56:33 +0000 (12:56 -0400)]
Properly error out when AEAD Algorithms are used with Encrypted Data
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used with
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Bernd Edlinger [Mon, 6 Oct 2025 06:37:20 +0000 (08:37 +0200)]
Improve the CPUINFO display for RISC-V
Prefix the base architecture to the displayed RISC-V
architecture string, so the displayed OPENSSL_riscvcap
environment value can be used as is, since otherwise
the OPENSSL_cpuid_setup would ignore the first extension,
as it is expected to be the base architecture, usually
"RV64GC" or similar.
See the comment at parse_env in crypto/riscvcap.c
Furthermore also print the VLEN value, if the V-extension
is given, since that makes a significant difference
which assembler modules are activated by the V-extension.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28760)
Matt Caswell [Tue, 28 Oct 2025 15:27:42 +0000 (15:27 +0000)]
Add a test for mismatch between the pkey and sigalg
We add a test for sending an mldsa65 sigalg while using an mldsa44 key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Matt Caswell [Tue, 28 Oct 2025 14:53:11 +0000 (14:53 +0000)]
Use the actual NID for provided signature algorithms
Prior to this change we could confuse the nid used in the pkey with the
nid in the sigalg and mistakenly accept signatures by the wrong algorithm.
Fixes #28762
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29019)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29050)
projects / thirdparty / openssl.git / log
