Milan Broz [Sun, 1 Mar 2026 20:14:30 +0000 (21:14 +0100)]
windows-makefile: make clean target less noisy
Using del on files that are not present creates many warning
messages. Let's wrap them in an "if exists" check to make
them silent if not present.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar 5 17:37:20 2026
(Merged from https://github.com/openssl/openssl/pull/30222)
Jon Ericson [Wed, 4 Mar 2026 01:58:18 +0000 (17:58 -0800)]
fix project spelling and capitalization
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Mar 5 16:35:20 2026
(Merged from https://github.com/openssl/openssl/pull/30259)
Critical extension enforcement (introduced in #8a639b9) is incorrect. These
checks were intended as CA requirements to prevent misinterpretation by
verifiers that don't support certain extensions. However, since we do support
these extensions, we have no requirement for them to be marked critical,
enforcing that is a mistake.
As noted in: #30233 (comment)
Co-authored-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:22:07 2026
(Merged from https://github.com/openssl/openssl/pull/30249)
Igor Ustinov [Wed, 4 Mar 2026 09:24:47 +0000 (10:24 +0100)]
Proxy.pm: Redirect s_server’s output to stderr
Under some circumstances, the test script's output was mixed with
s_server's, resulting in a false negative. To avoid this,
redirect s_server’s output to stderr.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:32 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
Igor Ustinov [Wed, 4 Mar 2026 09:23:44 +0000 (10:23 +0100)]
SSL_get_error(): Check the error stack only in MSG_FLOW_ERROR state
We need to avoid looking at the error stack unless we are in
error state.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:30 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
Igor Ustinov [Fri, 27 Feb 2026 10:41:49 +0000 (11:41 +0100)]
Ensure fatal errors from the record layer put the state machine into err
We fix a problem with the record layer handling code where a fatal error
in the record layer that does not have an alert code associated with it
caused us to not transition the state machine into the error state. If we
have a fatal error we should always do that.
This patch was developed by Matt Caswell <matt@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:27 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
dane_match_cert() should X509_free() on ->mcert instead
of OPENSSL_free()
Fixes: 170b735820ac "DANE support for X509_verify_cert()"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 5 12:37:17 2026
(Merged from https://github.com/openssl/openssl/pull/30250)
fips: Align PKCS5_PBKDF2_HMAC defaults with EVP_KDF-PBKDF2
EVP_KDF-PBKDF2 has provider-dependent runtime behaviour w.r.t. lower
bounds checks. The default provider does not enforce them, but can opt
into them. The fips provider does enforce them, but can opt out.
The same is not true for the PKCS5_PBKDF2_HMAC, which always opts out
of the lower bound checks.
This leads to unexpected behaviour without user consent; they may
wrongly expect that, when using the FIPS provider, the lower bound
checks will be enforced by default.
One of them creates params and then calls the one-shot EVP_KDF_derive
api, whilst the other calls the PKCS5_PBKDF2_HMAC convenience
wrapper. For the same ACVP test vectors the two produce different
results: with and without lower bounds checks.
But it seems like PKCS5_PBKDF2_HMAC is popular, as it outnumbers
EVP_KDF_derive 8x when doing a global code search on github
(anecdotal, as results are skewed by the number of forks). This thus
comes down to the expectations end users have. And it feels like, at
least for this API, the FIPS 140-3 users expectation would be for the
lower bound checks to be enforced.
Modify the PKCS5_PBKDF2_HMAC wrapper around EVP_KDF_derive to not set
PKCS5 parameter, such that the provider implicit default is used
instead. Thus no change for default provider users, and FIPS
enforcement by default in the FIPS case like it always has done when
calling via EVP_KDF_derive.
Test fixes:
Tests with too short salt would fail with fips provider.
Add test that FIPS provider rejects invalid salt length.
test/certs: Re-encrypt leaf-encrypted.key with a longer salt.
This way test cases can work with a FIPS provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:55 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
fips: Skip testing RFC 9579 good files as they use short salt & password
The RFC 9579 good files are always tested with the default provider.
The RFC 9579 good files use too short salt, and too short password
that a strictly compliant FIPS provider with lower bounds enforcement
should no longer be able to open.
If checking positive files is desired, these could be regenerated with
longer salt and password, but not too sure if it is worth it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:53 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
sftcd [Fri, 27 Feb 2026 23:27:21 +0000 (23:27 +0000)]
ECH: Add back code needed for correct ECH backend confirmation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:11:17 2026
(Merged from https://github.com/openssl/openssl/pull/30214)
Samuel Sapalski [Wed, 14 Jan 2026 07:55:47 +0000 (08:55 +0100)]
FIPS: Disable time/request based reseeding for ECDSA KAT DRBG
The ECDSA KAT_Signature selftest can fail if the system time changes
after KAT DRBG initialization; this may trigger a time-based reseed
and break KAT determinism.
Disable time-based reseeding for the KAT DRBG to avoid spurious
selftest failures during e.g. fipsinstall.
In order to make this fix future proof we disable request based
reseeding as well to guarantee determinism during the selftest.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 4 16:55:09 2026
(Merged from https://github.com/openssl/openssl/pull/29633)
Bob Beck [Mon, 2 Mar 2026 18:46:39 +0000 (11:46 -0700)]
Make X509_up_ref and X509_free take const X509 *
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 16:43:39 2026
(Merged from https://github.com/openssl/openssl/pull/30235)
Beat Bolli [Thu, 26 Feb 2026 21:20:32 +0000 (22:20 +0100)]
remove OPENSSL_BUILDING_OPENSSL from the config
Commit 262cda1cda ("Remove some safestack things that are no longer
needed", 2020-09-03) removed the last usage of this macro. Remove it in
the configuration as well.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 10:21:38 2026
(Merged from https://github.com/openssl/openssl/pull/30199)
Beat Bolli [Thu, 26 Feb 2026 21:20:16 +0000 (22:20 +0100)]
remove OPENSSL_USE_NODELETE from the config
Commits 31659fe326 (Introduce OPENSSL_ATEXIT_CLEANUP env. variable.,
2025-11-24) and 994413f995 (Update NEWS.md, 2025-12-15) removed the last
uses of this macro. Remove it in the configuration as well.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 10:21:36 2026
(Merged from https://github.com/openssl/openssl/pull/30199)
sftcd [Tue, 3 Mar 2026 00:59:40 +0000 (00:59 +0000)]
ech test retry-configs unavailable if server finished corrupted
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Mar 4 09:34:09 2026
(Merged from https://github.com/openssl/openssl/pull/30242)
SSL_get_shared_ciphers(): Return NUL-terminated buffer for no shared ciphers
Also validate the input buffer and length properly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 09:30:18 2026
(Merged from https://github.com/openssl/openssl/pull/28859)
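The SSL_get_shared_ciphers() fix above is about a buffer-filling contract: validate the caller's buffer and length, and leave a NUL-terminated string behind even when there is nothing to list, so a caller that prints the buffer never reads uninitialised memory. The following is an added example, not OpenSSL's implementation; `join_cipher_names` is a hypothetical stand-in that takes an array of names instead of an SSL object and applies the same rules: reject a NULL buffer or a non-positive size, always terminate, never write past the end, and drop any name (and everything after it) that does not fit whole. The cipher names used are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical stand-in for the buffer-filling part of SSL_get_shared_ciphers():
 * write `n` names from `names` into `buf` separated by ':'.
 *   - NULL buf, size < 1, or a NULL name array with n > 0: return NULL, touch nothing.
 *   - Otherwise buf is ALWAYS NUL-terminated, even for n == 0 ("" is the valid
 *     answer for "no shared ciphers"), and no byte at or beyond buf[size] is written.
 *   - A name that does not fit in full (with its separator) ends the list.
 * Returns buf on success, NULL on invalid input.
 */
char *join_cipher_names(const char *const *names, size_t n, char *buf, int size)
{
    size_t pos = 0, cap;

    if (buf == NULL || size < 1 || (n > 0 && names == NULL))
        return NULL;
    cap = (size_t)size - 1;           /* bytes available for characters, NUL excluded */
    buf[0] = '\0';                    /* valid result before anything is appended */

    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        size_t need = len + (pos > 0 ? 1 : 0);   /* ':' only between names */

        if (need > cap - pos)         /* would not fit whole: stop, keep what we have */
            break;
        if (pos > 0)
            buf[pos++] = ':';
        memcpy(buf + pos, names[i], len);
        pos += len;
        buf[pos] = '\0';              /* keep the buffer terminated after every append */
    }
    return buf;
}

/* Constructed sample data standing in for the shared cipher list. */
static const char *const kShared[] = { "ECDHE", "RSA", "PSK" };

/*
 * Run join_cipher_names() on the first `n` sample names with a buffer of
 * `size` bytes (at most 32) and compare the result to `expect`.  The buffer is
 * pre-filled with 'X' so a missing terminator would show up as a mismatch.
 * Returns 1 if the function returned the buffer and it holds `expect`.
 */
int demo_join(size_t n, int size, const char *expect)
{
    char buf[32];
    char *ret;

    if (size > (int)sizeof(buf))
        return 0;
    memset(buf, 'X', sizeof(buf));
    ret = join_cipher_names(kShared, n, buf, size);
    return ret == buf && strcmp(buf, expect) == 0;
}
```

With a 12-byte buffer the three names yield "ECDHE:RSA": "PSK" would need four more bytes than remain, so it is dropped rather than truncated mid-name. With zero names the result is "" and the pointer is still returned, which is the behaviour the commit title describes.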
Neil Horman [Tue, 3 Mar 2026 19:47:00 +0000 (14:47 -0500)]
Fix bad length computation in HT_COPY_RAW_KEY_CASE
The new HT_KEY_COPY_RAW fails to account for copy lengths that exceed
the size of the configured buffer in a key, leading to stack overruns on
read.
Rectify that by clamping the COPY macro to limit copies to the size of
the buffer
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Mar 4 07:04:07 2026
(Merged from https://github.com/openssl/openssl/pull/30257)
Adds fixed version tls methods to ossl-removed-api.pod
Fixes #30161
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 3 14:57:52 2026
(Merged from https://github.com/openssl/openssl/pull/30218)
Neil Horman [Fri, 27 Feb 2026 16:56:42 +0000 (11:56 -0500)]
Add support for dynamic key sizing in hashtable
Currently our internal hashtable suffers from a performance issue, as
discussed here:
https://github.com/openssl/openssl/pull/30188
The hashtable requires that keys be defined at build time, and moreover,
be defined to support the maximum possible key length you might try to
insert to a given hash table, even if the actual key you are using is
shorter.
As a result, the hashtable hash function (typically ossl_fnv1a_hash,
but any hash function really) receives a buffer that is specified as the
maximal length of the build-time defined key, which often means hashing
of many 0 bytes for byte elements in the key that may never have been
used. This causes performance problems as we are always hashing the
maximum number of elements, even if the key is truly only a few bytes
long.
Let's give users an opportunity to improve on that.
Keys are defined to be a struct, so that users can access individual
field names within the key, but under the covers it's all just one
contiguous uint8_t buf. We can implement macros that allow users to,
instead of setting individual field names, just copy needed data into
the raw buffer, keeping track of how many bytes have been used as we go.
The result of using these macros is that the hash function, while it
will receive a buffer that is still maximally sized for that particular
key, gets a length value that only represents the number of bytes used
while writing the key value.
This results in the hash function having to do much less work, giving us
a significant opportunistic speedup.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 3 13:23:00 2026
(Merged from https://github.com/openssl/openssl/pull/30211)
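Two commits on this page concern the same raw-key buffer: the one above introduces appending fields into a fixed, maximally-sized key buffer while tracking the bytes used, and the HT_COPY_RAW_KEY_CASE fix (PR 30257) clamps that copy so it cannot run past the buffer. The following is an added example, not OpenSSL's hashtable code; it models both points with a small `raw_key` type and a plain FNV-1a hash. `raw_key_append` is the clamped copy; `raw_key_hash_used` hashes only the bytes written, while `raw_key_hash_full` hashes the whole zero-padded buffer as the old scheme did. The two must not be mixed between insert and lookup, and equality must likewise compare the used length, which the example also shows. All names and the sample key fields are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAW_KEY_MAX 64      /* build-time maximum key size, as in the hashtable */

typedef struct {
    uint8_t buf[RAW_KEY_MAX];   /* the key is one contiguous byte buffer */
    size_t used;                /* number of bytes actually written so far */
} raw_key;

void raw_key_init(raw_key *k)
{
    memset(k, 0, sizeof(*k));   /* zero padding keeps unused bytes deterministic */
}

/*
 * Append len bytes of src to the key.  The copy is clamped to the room left in
 * the buffer (the fix in PR 30257); the number of bytes actually copied is
 * returned so a caller can detect a key that was too large to fit.
 */
size_t raw_key_append(raw_key *k, const void *src, size_t len)
{
    size_t room = RAW_KEY_MAX - k->used;
    size_t n = len < room ? len : room;

    memcpy(k->buf + k->used, src, n);
    k->used += n;
    return n;
}

/* 64-bit FNV-1a over n bytes: one XOR and one multiply per byte. */
uint64_t fnv1a_64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;

    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Old scheme: hash every byte of the maximally-sized buffer, padding included. */
uint64_t raw_key_hash_full(const raw_key *k)
{
    return fnv1a_64(k->buf, RAW_KEY_MAX);
}

/* New scheme: the buffer is still full size, but only `used` bytes are hashed. */
uint64_t raw_key_hash_used(const raw_key *k)
{
    return fnv1a_64(k->buf, k->used);
}

/* Equality must use the same notion of length as the hash. */
int raw_key_equal(const raw_key *a, const raw_key *b)
{
    return a->used == b->used && memcmp(a->buf, b->buf, a->used) == 0;
}

/* Build a two-field key (a 32-bit id followed by a name) and return its hash. */
uint64_t demo_key_hash(uint32_t id, const char *name, int full)
{
    raw_key k;

    raw_key_init(&k);
    raw_key_append(&k, &id, sizeof(id));
    raw_key_append(&k, name, strlen(name));
    return full ? raw_key_hash_full(&k) : raw_key_hash_used(&k);
}

/* Compare two such keys with raw_key_equal(). */
int demo_keys_equal(uint32_t id1, const char *n1, uint32_t id2, const char *n2)
{
    raw_key a, b;

    raw_key_init(&a);
    raw_key_append(&a, &id1, sizeof(id1));
    raw_key_append(&a, n1, strlen(n1));
    raw_key_init(&b);
    raw_key_append(&b, &id2, sizeof(id2));
    raw_key_append(&b, n2, strlen(n2));
    return raw_key_equal(&a, &b);
}

/* Try to append len (<= 256) bytes to a fresh key; returns how many were accepted. */
size_t demo_clamp(size_t len)
{
    uint8_t big[256] = { 0 };
    raw_key k;

    raw_key_init(&k);
    return raw_key_append(&k, big, len > sizeof(big) ? sizeof(big) : len);
}
```

A 7-byte key (4-byte id plus "abc") costs 7 FNV rounds under the used-length scheme instead of 64, which is the speedup the commit describes; the clamp turns an oversized key into a truncated one with a short return value rather than a read or write past the buffer.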
slontis [Mon, 23 Feb 2026 05:00:32 +0000 (16:00 +1100)]
FIPS: Change EC_GROUP_check() so that it fails for explicit curves.
Reported by Luigino Camastra (Aisle Research).
Explicit curves returned a NID of NID_undef (which has a value of 0)
which resulted in the check >= 0 passing.
Changing the result to > addresses the issue.
Note that this is a NON issue in master since explicit curves are
now disabled by default. Note also that any EC operation that
tries to use a loaded EC key checks that the curve and security
strength are valid.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 2 19:37:04 2026
(Merged from https://github.com/openssl/openssl/pull/30138)
ossl_lms_key_to_text(): Fix NULL pointer dereference of `key` argument
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1682024
Complements: 3d82b990d1f Added LMS support for OpenSSL commandline signature verification using pkeyutl.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Mon Mar 2 19:33:33 2026
(Merged from https://github.com/openssl/openssl/pull/30215)
- Clarify comment on empty SKID/AKID vs. prior value
- Use B<default> not C<default> for unnamed section
- Polish (mostly CSR) extension handling
* In update_req_extensions() drop extraneous duplicate
X509at_delete_attr() call.
* Consolidate empty SKID/AKID detection in new
ossl_ignored_x509_extension().
* Handle empty SKID/AKID also in X509V3_add1_i2d().
* In test_drop_empty_csr_keyids() exercise the full NCONF extension
management stack, using X509_REQ_get_attr_count() to check that
after "subjectKeyIdentifier = none" not even an empty extension
set remains as a CSR attribute (X509_REQ_get_extensions() always
returns at least an empty stack because NULL signals an error).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30217)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 13:03:03 2026
(Merged from https://github.com/openssl/openssl/pull/30193)
slontis [Thu, 19 Feb 2026 04:38:42 +0000 (15:38 +1100)]
SHAKE - Fix 390x CI problems for SLH-DSA
Fixes #30039
In order to fix this, the ossl_sha3_ related functions have been
renamed so that ossl_sha3_XXX() functions are the high level
functions that contain calls to platform specific methods.
ossl_sha3_XXX_default() etc are the 'general' platform methods.
All of the state checking has been moved out of the platform specific
methods. The sha3 provider dispatch functions now share the
ossl_sha3_XXX() calls.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 2 11:58:44 2026
(Merged from https://github.com/openssl/openssl/pull/30104)
sftcd [Tue, 24 Feb 2026 13:12:40 +0000 (13:12 +0000)]
adds test of ECH fail then using retry configs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Mar 2 09:58:58 2026
(Merged from https://github.com/openssl/openssl/pull/30155)
sftcd [Wed, 25 Feb 2026 14:24:00 +0000 (14:24 +0000)]
add check before releasing retry-configs
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Mar 2 09:55:44 2026
(Merged from https://github.com/openssl/openssl/pull/30175)
kovan [Tue, 27 Jan 2026 10:05:00 +0000 (11:05 +0100)]
doc: document provider/library context cleanup order requirement
Document that providers must be unloaded with OSSL_PROVIDER_unload()
before their associated library context is freed with OSSL_LIB_CTX_free().
Calling OSSL_PROVIDER_unload() after the library context has been freed
results in undefined behavior (heap-use-after-free).
The warning is added to both OSSL_PROVIDER(3) and OSSL_LIB_CTX(3) man pages
to ensure users encounter it regardless of which documentation they consult.
Fixes #27522
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Mar 1 19:03:43 2026
(Merged from https://github.com/openssl/openssl/pull/29785)
Neil Horman [Tue, 24 Feb 2026 14:29:47 +0000 (09:29 -0500)]
Document PKCS7_dataVerify
It's older, and generally replaced by PKCS7_verify, but it's not
deprecated, so we should document it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Mar 1 14:18:17 2026
(Merged from https://github.com/openssl/openssl/pull/30158)
Neil Horman [Tue, 24 Feb 2026 13:36:08 +0000 (08:36 -0500)]
Fix return values on PKCS7_dataVerify
PKCS7_dataVerify returns 1 on success or 0 on failure, just like
PKCS7_verify.
Except that, if everything else goes right, it returns the value of
PKCS7_signatureVerify, which may be -1, which seems wrong.
Instead, check the return of PKCS7_signatureVerify within this function
for an error, and make PKCS7_dataVerify return 0 in the event
signatureVerify fails.
This brings us into line with PKCS7_verify behavior
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Mar 1 14:18:14 2026
(Merged from https://github.com/openssl/openssl/pull/30158)
Viktor Dukhovni [Tue, 24 Feb 2026 14:27:38 +0000 (01:27 +1100)]
Fix doc name of ML-DSA-MU
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sun Mar 1 02:42:17 2026
(Merged from https://github.com/openssl/openssl/pull/30157)
Viktor Dukhovni [Wed, 25 Feb 2026 07:14:28 +0000 (18:14 +1100)]
Replace built-in AKID/SKID with configs
Add tests for suppression of skid/akid via explicit "none"
values and per-keyword "nonss" qualifiers and update docs.
Signing of X509 certs and X509_REQ CSRs rejects empty AKID/SKID
extensions, document and test this behaviour.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 15:22:53 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
the resulting extensions are not directly suppressed, instead they
are parsed respectively as an empty OCTET STRING or an empty SEQUENCE.
There was new code in "apps/" to then drop the extension when signing
certificates, but this did not address applications that sign
certificates via the API, nor did it avoid adding these in CSRs.
We now drop these specific empty extensions from both certificates and
CSRs as part of X509v3_add_ext(), with the parsed extension never added
to the extension stack.
This means that in the "apps" the default "hash" or "keyid, issuer"
values must now be created first, with config settings and command-line
options applied after replacing the default as requested (including
"none" to suppress the extensions if desired).
If somehow an application manages to construct a TBS cert or CSR with a
pending empty SKID or AKID extension, an error is raised and the TBS is
not signed.
When no SKID is present in a self-signed cert, attempts to
force an AKID keyid need to fail, rather than produce an AKID
that will never match.
Similarly, when issuer cert == subject cert (same object in memory), but
the issuer key is not the subject key (forced signing key), there is no
way to infer the unknown issuer's name or serial number, so, with
"issuer:always" we must fail, rather than record the subject's own
issuer name and serial.
New "keyid:nonss" and "issuer:nonss" syntax is now supported, which
allows either part of the AKID to be conditional on the certificate not
being self-signed. In the case of "issuer:nonss" this is also
conditional on there being no non-empty issuer keyid. To force
inclusion of issuer+serial in the AKID use "issuer:always".
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 15:22:47 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
Fallback implementation of tsan_add now returns value before addition to be consistent with other definitions
Fixes #28410
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Feb 28 14:10:25 2026
(Merged from https://github.com/openssl/openssl/pull/30180)
Pauli [Tue, 24 Feb 2026 00:13:00 +0000 (11:13 +1100)]
Add a note about commit message titles being 50-70 characters in length
Requested by @levitte in #30075
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 14:04:35 2026
(Merged from https://github.com/openssl/openssl/pull/30148)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 13:23:47 2026
(Merged from https://github.com/openssl/openssl/pull/30189)
Pauli [Fri, 27 Feb 2026 02:24:07 +0000 (13:24 +1100)]
Add CHANGES entry noting the removal of the SSL_TXT_FIPS option
The option was a remnant of the FIPS canister and wasn't used anywhere.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30200)
Pauli [Fri, 27 Feb 2026 02:27:21 +0000 (13:27 +1100)]
Remove SSL_TXT_FIPS
This refers to an option that is no longer supported or available.
The option is a remnant of the old FIPS canister from OpenSSL 1.0.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30200)
Pauli [Thu, 26 Feb 2026 22:33:48 +0000 (09:33 +1100)]
Remove remnant SSL_FIPS flag
This flag was used to support the old FIPS canister and isn't used or
needed anymore. It's only set in the data structures and never queried
so its removal is low impact.
Fixes #30156
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30200)
Viktor Dukhovni [Wed, 18 Feb 2026 10:59:04 +0000 (21:59 +1100)]
Added -expected-rpks s_client/server option
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Sat Feb 28 09:17:23 2026
(Merged from https://github.com/openssl/openssl/pull/30089)
Viktor Dukhovni [Mon, 23 Feb 2026 05:55:28 +0000 (16:55 +1100)]
Ensure TLS 1.3 ciphersuites are actually for TLS 1.3
- Also suppress duplicate ciphersuites
- Also ignore case in both TLS 1.3 and TLS 1.2 ciphers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Sat Feb 28 09:11:33 2026
(Merged from https://github.com/openssl/openssl/pull/30140)
Daniel Kubec [Wed, 25 Feb 2026 09:51:08 +0000 (10:51 +0100)]
CRL: Reject CRLs with malformed Issuing Distribution Point
CRLs with a malformed Issuing Distribution Point are now rejected.
ASN.1 parsing errors from the IDP extension are propagated instead
of being suppressed.
Fixes #27251
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 27 20:06:59 2026
(Merged from https://github.com/openssl/openssl/pull/30171)
Bob Beck [Tue, 24 Feb 2026 18:49:26 +0000 (11:49 -0700)]
Describe X509 constification and ASN1_STRING changes
In a CHANGES.md entry and in ossl-guide-migration, to
cover the constification of the X509 related functions and
the change to ASN1_STRING to be opaque.
Fixes: #30060
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Feb 27 18:45:47 2026
(Merged from https://github.com/openssl/openssl/pull/30165)
slontis [Fri, 12 Dec 2025 03:02:42 +0000 (14:02 +1100)]
Added HSS/LMS OID id-alg-hss-lms-hashsig
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 27 14:40:27 2026
(Merged from https://github.com/openssl/openssl/pull/29381)
slontis [Fri, 12 Dec 2025 02:58:32 +0000 (13:58 +1100)]
Added additional TRACE information to Decoders.
This outputs the description field which is easier to understand than a
pointer.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 27 14:40:27 2026
(Merged from https://github.com/openssl/openssl/pull/29381)
slontis [Fri, 12 Dec 2025 02:56:38 +0000 (13:56 +1100)]
Added LMS SubjectPublicInfo related encoders and decoders.
Added a description to all encoder and decoder fields.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 27 14:40:27 2026
(Merged from https://github.com/openssl/openssl/pull/29381)
slontis [Fri, 12 Dec 2025 02:52:25 +0000 (13:52 +1100)]
Added LMS support for OpenSSL commandline signature verification using pkeyutl.
Added LMS 'SubjectPublicKeyInfo' encoder/decoder support.
Modified LMS keymanager and signature code to work with pkey and
pkeyutl.
Test data for public keys and signatures were generated by modifying
BouncyCastle code tests.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 27 14:40:27 2026
(Merged from https://github.com/openssl/openssl/pull/29381)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 26 15:05:37 2026
(Merged from https://github.com/openssl/openssl/pull/30169)
Neil Horman [Wed, 18 Feb 2026 15:31:50 +0000 (10:31 -0500)]
Constify X509_check_issued and friends
Constify this function's X509 parameter, as it generally doesn't modify
the structure, save for the caching information that it computes.
Note: As the caching operations in ossl_x509v3_cache_extensions modify
X509 data all over the place, this change centralizes those updates,
which is something of an increase in complexity, but it does allow us to
reduce the critical section of the write lock there which (hopefully)
will make other accesses that take that lock a bit faster.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Feb 26 14:58:30 2026
(Merged from https://github.com/openssl/openssl/pull/30067)
William Faber [Thu, 19 Feb 2026 21:50:46 +0000 (16:50 -0500)]
Fix clean target to remove test-runs directory
Fixes: #29931
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
MergeDate: Thu Feb 26 14:26:16 2026
(Merged from https://github.com/openssl/openssl/pull/30100)
Neil Horman [Thu, 19 Feb 2026 17:07:21 +0000 (12:07 -0500)]
constify X509_find_by_issuer_and_serial
Constify the return value of X509_find_by_issuer_and_serial, and fix up
the callers to handle it properly (affects two pkcs7 functions)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Feb 25 15:05:11 2026
(Merged from https://github.com/openssl/openssl/pull/30092)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 25 14:23:45 2026
(Merged from https://github.com/openssl/openssl/pull/30174)
Daniel Kubec [Tue, 10 Feb 2026 16:18:07 +0000 (17:18 +0100)]
Improved reporting of shared and peer sigalgs
The existing SSL_get_sigalgs() and SSL_get_shared_sigalgs() are not a
good fit for TLS 1.3, because signature schemes are no longer generally
combinations of separate digest and signing algorithms encoded in the
two byte codepoint.
The new SSL_get0_sigalg() and SSL_get0_shared_sigalg() functions just
report the signature scheme name and codepoint.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:30:16 2026
(Merged from https://github.com/openssl/openssl/pull/29982)
ssl/ech/ech_store.c: do not raise errors on allocation failures
The default CRYPTO_malloc() implementation (with OPENSSL_malloc()
and OPENSSL_zalloc() being wrappers for it) raises an error
on allocation failure, and both OPENSSL_strdup() and OPENSSL_memdup() use
CRYPTO_malloc() internally for memory allocation, so there is no need
to explicitly raise an error on an allocation failure; remove these.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:20:14 2026
(Merged from https://github.com/openssl/openssl/pull/30146)
Weixie Cui [Mon, 23 Feb 2026 14:26:17 +0000 (22:26 +0800)]
evp_kem_init(): Fix copy paste bug when checking decapsulate_init
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:13:36 2026
(Merged from https://github.com/openssl/openssl/pull/30144)
test/ech_test.c: avoid memory leaks in ech_api_basic_calls()
rinner and router should be freed after successful SSL_ech_get1_status()
calls.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681465
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681466
Fixes: 5e5a76fc2c08 "Add tests and documentation and fix a couple of issues identified by added tests"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:58 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
test/ech_corrupt_test.c: avoid memory leak in tls_corrupt_write()
corrupt_or_copy() may return 0 while still returning the allocated
memory in copy; avoid leaking it by always calling OPENSSL_free() on it.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681460
Fixes: 5e5a76fc2c08 "Add tests and documentation and fix a couple of issues identified by added tests"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:57 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
ssl/ech/ech_store.c: check WPACKET_get_total_written return value
Check the return value of the WPACKET_get_total_written() call
in OSSL_ECHSTORE_new_config() and OSSL_ECHSTORE_write_pem(),
and error out on failure.
References: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1681451
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:10:45 2026
(Merged from https://github.com/openssl/openssl/pull/30139)
Viktor Dukhovni [Mon, 23 Feb 2026 04:49:06 +0000 (15:49 +1100)]
Simplify and expand default group list
With keyshare floating, we no longer need CPP conditions to get the
right keyshare prediction defaults.
Also add "curveSM2" near the end of the list, after the stronger ECX and
EC groups, but before FFDHE.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:08:17 2026
(Merged from https://github.com/openssl/openssl/pull/30113)
Viktor Dukhovni [Mon, 16 Feb 2026 01:38:51 +0000 (12:38 +1100)]
Add keyshare floating
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:08:10 2026
(Merged from https://github.com/openssl/openssl/pull/30113)
Viktor Dukhovni [Sun, 15 Feb 2026 11:50:09 +0000 (22:50 +1100)]
Fix group tuple handling in DEFAULT expansion
Also fine-tune docs and add tests.
Fixes: #30109 Fixes: CVE-2026-2673 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:08:03 2026
(Merged from https://github.com/openssl/openssl/pull/30113)
Rudi Heitbaum [Mon, 23 Feb 2026 02:40:54 +0000 (02:40 +0000)]
Fix const qualifiers from strchr where discarded
This patch fixes several const qualifiers by adding them where required.
warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
Since glibc-2.43 and ISO C23, the functions bsearch, memchr, strchr,
strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr
that return pointers into their input arrays now have definitions as
macros that return a pointer to a const-qualified type when the input
argument is a pointer to a const-qualified type.
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 25 11:04:09 2026
(Merged from https://github.com/openssl/openssl/pull/30136)
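What the glibc 2.43 / C23 behaviour described above looks like in practice, as an added example that is not OpenSSL's code: strchr_const_preserving() is a hypothetical C11 _Generic wrapper that mimics the new standard-library macro, returning a const-qualified pointer only when its input is const. The two callers show the two sides of the fix, a read-only lookup whose result must now be declared const (the -Wdiscarded-qualifiers case), and an in-place split over a writable buffer, which keeps a writable result. The key=value strings are constructed samples.

```c
#include <string.h>

/*
 * Hypothetical stand-in for the C23/glibc 2.43 strchr() generic macro:
 * a const char * argument yields a const char * result, anything else
 * (a char * or a string literal, which decays to char *) keeps the
 * classic writable return type. Both branches are type-checked, so the
 * wrapper compiles whether or not the platform strchr() is already generic.
 */
#define strchr_const_preserving(s, c) _Generic((s), \
    const char *: (const char *)strchr((s), (c)),  \
    default:      strchr((s), (c)))

/*
 * Read-only lookup over a const string. With the generic macro the result
 * is const-qualified, so the receiving variable must be const too; the
 * pre-fix form `char *eq = strchr(kv, '=');` is what now warns with
 * -Wdiscarded-qualifiers. Returns the text after '=' or NULL.
 */
const char *value_of(const char *kv)
{
    const char *eq = strchr_const_preserving(kv, '=');

    return eq != NULL ? eq + 1 : NULL;
}

/*
 * In-place split of a writable buffer. Here the non-const branch is
 * selected and writing through the returned pointer is legitimate.
 * Returns 1 on success with *value pointing into kv, 0 if no '=' is found.
 */
int split_kv(char *kv, char **value)
{
    char *eq = strchr_const_preserving(kv, '=');

    if (eq == NULL)
        return 0;
    *eq = '\0';
    *value = eq + 1;
    return 1;
}

/* Exercises split_kv() on a writable copy of a constructed key=value string
 * and returns 1 when both halves came out as expected. */
int split_kv_demo(void)
{
    char buf[] = "group=X25519MLKEM768";   /* constructed sample, writable */
    char *val = NULL;

    if (!split_kv(buf, &val))
        return 0;
    return strcmp(buf, "group") == 0 && strcmp(val, "X25519MLKEM768") == 0;
}
```

The practical check when porting to a C23 toolchain is that every `char *p = strchr(const_input, ...)` either becomes `const char *p` or was genuinely intended to write through a buffer that should not have been const in the first place; the warning distinguishes the two cases only if the declared types are honest.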
slontis [Wed, 18 Feb 2026 05:48:04 +0000 (16:48 +1100)]
FIPS self tests: fix config options when -no-bulk is used
Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 11:02:07 2026
(Merged from https://github.com/openssl/openssl/pull/30103)
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 10:37:27 2026
(Merged from https://github.com/openssl/openssl/pull/30011)
kovan [Tue, 27 Jan 2026 10:18:08 +0000 (11:18 +0100)]
doc: fix algorithm and key type names in EVP_PKEY-SLH-DSA
The DESCRIPTION section had inconsistent naming - some algorithm names
incorrectly had the "EVP_PKEY-" prefix while others did not.
Rewrote the section to clearly separate:
- Algorithm names (e.g., SLH-DSA-SHA2-128s) using hyphens
- Key type identifiers (e.g., EVP_PKEY_SLH_DSA_SHA2_128S) using underscores
This matches the format used in EVP_PKEY-ML-DSA(7) and allows the names
to be used correctly in code.
Fixes #29329
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Feb 25 10:26:59 2026
(Merged from https://github.com/openssl/openssl/pull/29788)
Bob Beck [Thu, 19 Feb 2026 22:42:33 +0000 (15:42 -0700)]
Patch the krb5 build for X509_STORE_CTX constification
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 10:24:17 2026
(Merged from https://github.com/openssl/openssl/pull/30076)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 10:24:15 2026
(Merged from https://github.com/openssl/openssl/pull/30076)