Simo Sorce [Wed, 17 Dec 2025 21:38:51 +0000 (16:38 -0500)]
fips: Reorder self-tests by complexity
Reorganize the FIPS self-tests to group them by complexity.
The new order groups tests so that more complex ones are executed before
less complex ones when all tests are run on_demand, improving the odds
that lower level tests are implicitly executed as part of higher level
tests and therefore reducing the amount of time spent running redundant
tests.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Mon, 8 Dec 2025 17:44:56 +0000 (12:44 -0500)]
Relax PBKDF2 iteration check for FIPS self-test
FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these
tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal
security threshold and would otherwise fail.
This change checks if a PBKDF2 self-test is in progress and, if so, lowers the
minimum accepted iteration count to 2. This allows the required self-tests to
pass while maintaining the security check for normal operations.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 19:06:57 +0000 (14:06 -0500)]
Refactor FIPS self-test dependencies and states
Introduce `SELF_TEST_STATE_IMPLICIT` to handle recursive self-test calls
when an algorithm is used by another algorithm's self-test (e.g., KDF
using HMAC). This prevents unnecessarily running tests when they are
effectively covered by a parent test.
Refactor `SELF_TEST_kats` and `SELF_TEST_kats_execute` to unify
execution logic, dependency resolution, and RNG setup. Remove the
`deferred` flag from test definitions in favor of dynamic state
evaluation. Explicitly add a dependency for AES-128-ECB on AES-256-GCM.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 16:04:13 +0000 (11:04 -0500)]
Add an ID to the self test structure
Add a self test id to the self test definition structure. This is used as a
sanity check to ensure that a test's enum ID matches its index in the
`st_all_tests` array.
This helps prevent programming errors when adding, removing, or reordering
tests in the future, improving the robustness of the self-test mechanism.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 9 Dec 2025 19:29:43 +0000 (14:29 -0500)]
Refactor FIPS integrity check to use KAT framework
The FIPS module integrity check (HMAC-SHA256) is refactored to use the
generic Known Answer Test (KAT) framework instead of a standalone
function.
- Remove `integrity_self_test` and use `ST_ID_MAC_HMAC` with
`SELF_TEST_kats_single`.
- Add `self_test_mac` to `self_test_kats.c` to support MAC tests.
- Move HMAC test data to `self_test_data.c`.
- Rename the self-test type from "KAT_Integrity" to "KAT_Mac".
- Ensure on-demand tests reset state so they can be repeated.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 25 Nov 2025 22:16:50 +0000 (17:16 -0500)]
Switch FIPS self tests to deferred execution
Update the FIPS module to run self-tests on demand (deferred) rather
than on module load. Change the test definitions in self_test_data.c
from SELF_TEST_ONLOAD to SELF_TEST_DEFERRED.
Add calls to ossl_deferred_self_test() in the newctx functions for
ciphers, digests, signatures, KDFs, KEMs and DRBGs to trigger execution
upon first instantiation. Introduce CIPHER_PROV_CHECK and
DIGEST_PROV_CHECK macros in common headers to facilitate these checks.
Define dependencies for composite tests to ensure prerequisite tests
run when needed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Mon, 8 Dec 2025 19:06:17 +0000 (14:06 -0500)]
Move deferred self-test lock to FIPS_GLOBAL
The lock for the deferred FIPS self-tests was previously a static
global variable, initialized with CRYPTO_ONCE. This is problematic
when multiple library contexts are used in a single application.
This change moves the lock into the FIPS_GLOBAL structure, making it
per-library-context. The lock is now initialized when the FIPS
provider is initialized and freed when its context is torn down.
This improves encapsulation and avoids global state.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Fri, 5 Dec 2025 04:14:47 +0000 (23:14 -0500)]
Add dependency handling for FIPS self-tests
Some FIPS Known Answer Tests (KATs) rely on other cryptographic algorithms
that also have their own KATs. This change introduces a formal mechanism to
ensure these dependencies are met before a test is run.
A `depends_on` field is added to the self-test definition to declare
prerequisites. A new recursive function, `FIPS_kat_deferred_execute`,
traverses this dependency chain, executing any required tests first.
This new logic also prevents tests from being run multiple times if they are a
dependency for several other tests. The `FIPS_kat_deferred` function is
updated to use this new dependency-aware execution function.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 2 Dec 2025 18:24:41 +0000 (13:24 -0500)]
Refactor FIPS self-tests to use ID-based lookup
Consolidate separate self-test data arrays into a single `st_all_tests`
array indexed by a new `self_test_id_t` enumeration.
This replaces string-based algorithm lookups with direct array indexing
for running self-tests, simplifying the code and state management. The
`FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed,
and the FIPS provider and implementations are updated to use the new
ID-based API.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 2 Dec 2025 20:19:52 +0000 (15:19 -0500)]
Initialize DRBG for single FIPS KATs
The SELF_TEST_kats_single() function runs an individual FIPS Known Answer Test
(KAT) on demand. These tests require a deterministic random bit generator
(DRBG) to be properly initialized to function correctly.
This change ensures a dedicated DRBG is set up for the single test run. The
existing private RNG is saved before the test and restored afterward,
isolating the test's random context from the rest of the library.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Thu, 4 Dec 2025 19:07:06 +0000 (14:07 -0500)]
Unify FIPS self-test KAT data structures
Refactor the FIPS self-test Known Answer Test (KAT) data definitions to use a
single, unified structure.
A new generic `ST_DEFINITION` struct is introduced to replace the various
algorithm-specific `ST_KAT_*` structs. This new struct contains fields common
to all tests and uses a union to hold the parameters specific to each test
category (cipher, digest, KEM, etc.).
A helper `ST_BUFFER` struct is also added to combine data pointers and their
lengths, simplifying data handling. This refactoring makes the self-test
framework more consistent, easier to maintain, and more extensible.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 3 Dec 2025 20:04:28 +0000 (15:04 -0500)]
docs: Simplify FIPS deferred test equivalency
This commit refines the design for FIPS deferred self-tests by simplifying how
test equivalencies are handled.
The explicit `also_satisfies` list has been removed from the design. Instead
of manually listing which tests are satisfied by another, the new approach
relies on implicit discovery. When a high-level self-test runs, it records all
the underlying cryptographic algorithms that are invoked during its execution.
Upon successful completion of the high-level test, the tests for all recorded
algorithms are automatically marked as passed. This approach is more direct,
less error-prone, and removes the complex logic associated with the previous
explicit dependency lists.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
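A compact model of the deferred self-test machinery described in the commits above (dependency-aware execution that never repeats a KAT, SELF_TEST_STATE_IMPLICIT for algorithms instantiated from inside a running KAT, the id-equals-index sanity check, and the implicit discovery this commit documents), written as an added C example rather than the FIPS provider's own code. The test ids, state names, KAT stubs and every st_* function are constructed for illustration and do not reproduce the real self_test_id_t or the provider's API.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed test ids standing in for self_test_id_t; real members are not reproduced. */
typedef enum { ST_SHA256, ST_HMAC, ST_PBKDF2, ST_AES_GCM, ST_AES_ECB, ST_COUNT } st_id;
/* ST_IMPLICIT models SELF_TEST_STATE_IMPLICIT: covered by a parent test that is still running. */
typedef enum { ST_NOT_RUN, ST_RUNNING, ST_PASSED, ST_FAILED, ST_IMPLICIT } st_state;

static st_state st_states[ST_COUNT];
static int st_runs_count[ST_COUNT];    /* how many times each KAT body actually executed */
static int st_depth;                   /* > 0 while some KAT body is executing */
static st_id st_recorded[ST_COUNT];    /* algorithms invoked by the running parent test */
static size_t st_nrecorded;
bool st_force_fail;                    /* constructed knob so the failure path can be exercised */

bool st_on_use(st_id id);

/*
 * KAT bodies: constructed stubs. A real KAT runs the algorithm, whose context
 * constructor calls the deferred-self-test hook (modelled here by st_on_use);
 * PBKDF2 over HMAC-SHA256 therefore fires the HMAC and SHA-256 hooks.
 */
static bool kat_sha256(void)  { return true; }
static bool kat_hmac(void)    { return st_on_use(ST_SHA256); }
static bool kat_pbkdf2(void)  { return st_on_use(ST_HMAC) && st_on_use(ST_SHA256) && !st_force_fail; }
static bool kat_aes_gcm(void) { return true; }
static bool kat_aes_ecb(void) { return true; }

typedef struct {
    st_id id;                 /* must equal the array index (the "Add an ID" sanity check) */
    const st_id *depends_on;  /* explicit prerequisites, ST_COUNT-terminated */
    bool (*run)(void);
} st_def;

static const st_id dep_none[] = { ST_COUNT };
static const st_id dep_ecb[]  = { ST_AES_GCM, ST_COUNT };  /* AES-128-ECB depends on AES-256-GCM */

static const st_def st_all[ST_COUNT] = {
    [ST_SHA256]  = { ST_SHA256,  dep_none, kat_sha256 },
    [ST_HMAC]    = { ST_HMAC,    dep_none, kat_hmac },
    [ST_PBKDF2]  = { ST_PBKDF2,  dep_none, kat_pbkdf2 },
    [ST_AES_GCM] = { ST_AES_GCM, dep_none, kat_aes_gcm },
    [ST_AES_ECB] = { ST_AES_ECB, dep_ecb,  kat_aes_ecb },
};

st_state st_state_of(st_id id) { return st_states[id]; }
int st_runs(st_id id) { return st_runs_count[id]; }

/* Reset everything so on-demand tests can be repeated. */
void st_reset_all(void)
{
    for (size_t i = 0; i < ST_COUNT; i++) { st_states[i] = ST_NOT_RUN; st_runs_count[i] = 0; }
    st_depth = 0;
    st_nrecorded = 0;
}

/* Enum value must equal table index, or a reorder would silently run the wrong KAT. */
bool st_table_consistent(void)
{
    for (size_t i = 0; i < ST_COUNT; i++)
        if (st_all[i].id != (st_id)i || st_all[i].run == NULL) return false;
    return true;
}

/* Run one KAT with its dependencies first; a test body never executes twice. */
bool st_execute(st_id id)
{
    const st_def *d = &st_all[id];
    if (st_states[id] == ST_PASSED || st_states[id] == ST_IMPLICIT || st_states[id] == ST_RUNNING)
        return true;
    if (st_states[id] == ST_FAILED)
        return false;
    for (const st_id *p = d->depends_on; *p != ST_COUNT; p++)
        if (!st_execute(*p)) { st_states[id] = ST_FAILED; return false; }

    size_t mark = st_nrecorded;
    st_states[id] = ST_RUNNING;
    st_depth++;
    bool ok = d->run();
    st_depth--;
    st_runs_count[id]++;
    /* Implicit discovery: everything this body invoked passes with it, or is released on failure. */
    for (size_t i = mark; i < st_nrecorded; i++)
        st_states[st_recorded[i]] = ok ? ST_PASSED : ST_NOT_RUN;
    st_nrecorded = mark;
    st_states[id] = ok ? ST_PASSED : ST_FAILED;
    return ok;
}

/* Hook called when an algorithm is instantiated (the newctx path). */
bool st_on_use(st_id id)
{
    switch (st_states[id]) {
    case ST_PASSED: case ST_IMPLICIT: case ST_RUNNING: return true;
    case ST_FAILED: return false;
    default: break;
    }
    if (st_depth > 0) {
        /* Used from inside another KAT: record it instead of recursing into its own test. */
        st_states[id] = ST_IMPLICIT;
        st_recorded[st_nrecorded++] = id;
        return true;
    }
    return st_execute(id);
}
```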
Simo Sorce [Tue, 25 Nov 2025 18:19:35 +0000 (13:19 -0500)]
Move FIPS self-test data into a separate .c file
The Known Answer Test (KAT) data, previously in `self_test_data.inc`, is moved
into its own compilation unit, `self_test_data.c`. This separates the large
data definitions from the test execution logic.
This refactoring improves code organization and modularity. A new header,
`self_test_data.h`, is added to declare the data arrays for external linkage.
The shared data structure definitions are moved to `self_test.h` to be
accessible by both the test logic and the data files.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Matt Caswell [Mon, 9 Feb 2026 13:25:58 +0000 (13:25 +0000)]
Add a newdata_ex function which takes params and use it
The keymgmt->newdata function does not accept params. We introduce a
newdata_ex function that does, and we use that instead as a thread local
to pass legacy objects to the default provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:28 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
Matt Caswell [Fri, 6 Feb 2026 14:51:42 +0000 (14:51 +0000)]
Pass low level RSA objects to the default provider
If a low level RSA object has been assigned a custom RSA_METHOD and is
then assigned to an EVP_PKEY object, then we still want the default
provider to use that RSA_METHOD. To ensure this occurs we pass the low
level object across the provider boundary. We can only get away with this
because it is the default provider.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
Theo Buehler [Mon, 2 Feb 2026 22:55:32 +0000 (15:55 -0700)]
Provide ASN1_BIT_STRING_set1()
Mostly work by @botovq with tests adapted to openssl by
@bob-beck
Fixes: https://github.com/openssl/openssl/issues/29185
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 12 20:41:13 2026
(Merged from https://github.com/openssl/openssl/pull/29926)
a wrapper around EVP_MD_fetch/EVP_CIPHER_fetch when engines are not
supported anymore. Let's remove the fallbacks that don't do anything
useful.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Thu Feb 12 18:22:57 2026
(Merged from https://github.com/openssl/openssl/pull/29969)
kovan [Mon, 2 Feb 2026 14:43:14 +0000 (15:43 +0100)]
doc: fix RSA_set_method return value documentation
The documentation incorrectly stated that RSA_set_method() returns
a pointer to the old RSA_METHOD. In fact, it returns int (1 for success).
The SYNOPSIS correctly shows 'int RSA_set_method(...)' but the
RETURN VALUES section was wrong.
Fixes #13884
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 12 15:18:38 2026
(Merged from https://github.com/openssl/openssl/pull/29916)
Igor Ustinov [Fri, 12 Dec 2025 15:26:58 +0000 (16:26 +0100)]
Fix the converters between the old and new BIO_read functions to handle
end-of-file state properly.
Related to openssl/project#1745
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Feb 12 08:34:31 2026
(Merged from https://github.com/openssl/openssl/pull/29290)
Daniel Kubec [Tue, 10 Feb 2026 16:18:07 +0000 (17:18 +0100)]
Fixed formatting and text alignment in CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 11 22:35:08 2026
(Merged from https://github.com/openssl/openssl/pull/29978)
Document that passing NULL to SSL_set_client_CA_list() does not clear
the CA list; instead, the SSL_CTX's setting is used. Also note that
passing an empty stack created with sk_X509_NAME_new_null() clears the
per-connection client CA list, but during the handshake the generic CA
list (set via SSL_CTX_set0_CA_list()) may still be used as a fallback.
Fixes #10795
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 11 20:02:47 2026
(Merged from https://github.com/openssl/openssl/pull/29917)
Update NOTES-VALGRIND.md to document valgrind complaints on reachable
memory blocks
Co-authored-by: Matt Caswell <matt@openssl.org>
Co-authored-by: Tomáš Mráz <tm@t8m.info>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 11 19:40:10 2026
(Merged from https://github.com/openssl/openssl/pull/29966)
Bob Beck [Fri, 30 Jan 2026 22:33:45 +0000 (15:33 -0700)]
Remove OPENSSL_atexit();
OSSLINAPPL (OpenSSL Is Not A Public Portability Layer)
I blame @nhorman and @sashan, who made me update the adjacent
documentation, and it was sitting there like an unloved and
ignored chronically ill pet with no hope for any future
quality of life.
Since this really does not need an alternative API or a
deprecation strategy, we can simply remove it. Anyone
who was using this can use libc atexit() if they must.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Wed Feb 11 17:37:33 2026
(Merged from https://github.com/openssl/openssl/pull/29874)
Ensure that all the source files are formatted with the current
.clang-format configuration, to avoid spurious clang-format checker
errors when arbitrary files are touched.
Complements: 1b0f21f0555c "Implementing store support for EVP_SKEY"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Feb 11 07:35:04 2026
(Merged from https://github.com/openssl/openssl/pull/29852)
We're getting a heap buffer overrun in the SRTP KDF.
It's caused by the fact that the fuzzer will occasionally generate salt
parameters that are very small, which passes the
OSSL_PARAM_get_octet_string function, but isn't long enough to be a
valid salt. Because of this, when we actually do the key derivation,
the SRTPKDF function assumes the salt is long enough and blindly
attempts to copy KDF_SRTP_SALT_LEN (14) bytes from the fetched parameter
into a local buffer, resulting in an overrun.
Fix it by checking the parameter length in the ctx_set_params method for
SRTPKDF, and if the octet string value is less than the required amount,
return an error to fail the ctx_set_params call.
While we're at it, based on review suggestions, also check that the
provided key parameter matches the requested cipher's expected key
length.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29938)
Document EC_curve_nist2nid and EC_curve_nid2nist functions
Add documentation for EC_curve_nist2nid() and EC_curve_nid2nist()
functions which were previously undocumented. These functions convert
between OpenSSL NIDs and NIST standardized curve names (e.g., "P-256",
"P-384", "P-521" for prime field curves and "B-163", "K-233", etc.
for binary field curves).
The documentation includes:
- Function prototypes in the SYNOPSIS section
- Detailed descriptions explaining the purpose and behavior
- Examples of NIST curve names
- Return value documentation
Fixes #29180
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Mon Feb 9 09:59:04 2026
(Merged from https://github.com/openssl/openssl/pull/29341)
-wholename is mostly alias to -path, and -path is more
portable. E.g. -wholename does not exist on NetBSD.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Feb 9 09:53:10 2026
(Merged from https://github.com/openssl/openssl/pull/29944)
Viktor Dukhovni [Sat, 7 Feb 2026 03:25:09 +0000 (14:25 +1100)]
Fix cross-version compatibility in RFC7919 changes
- Older versions of, e.g., the FIPS provider report the minimum
TLS version of the FFDHE groups as TLS 1.3, but we now need to
support these in TLS 1.2.
- Older OpenSSL runtimes may not be prepared to support the FFDHE groups
in TLS 1.2.
Therefore, instead of changing the default and FIPS providers to
advertise these groups as TLS 1.2 compatible, leave the capabilities
unchanged, and instead adjust the min(d)tls value when processing the
provider's capabilities in the new runtime.
This ensures cross-compatibility with everything except previous master
branch dev snapshots, but that's not a concern.
Fixes: #29958
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Feb 9 08:53:54 2026
(Merged from https://github.com/openssl/openssl/pull/29962)
Neil Horman [Wed, 21 Jan 2026 16:41:37 +0000 (11:41 -0500)]
wrap use of cmp_thunk for STACK_OF up in a macro
Based on suggestion from pauli here:
https://github.com/openssl/openssl/pull/29640#discussion_r2692068679
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:22 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 20:36:37 +0000 (15:36 -0500)]
Add NEWS/CHANGES for new OPENSSL_sk_set_cmp_thunks() api
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:19 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 20:28:37 +0000 (15:28 -0500)]
Add docs for OPENSSL_sk_set_cmp_thunks()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:16 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 15:10:21 +0000 (10:10 -0500)]
add a compare thunk function to the STACK of macros
Now that ossl_bsearch is capable of using a thunking function, lets
create a thunking function to use for the STACK_OF macros.
The problem we're addressing is one that gives rise to ubsan issues.
clang-16 forward have a ubsan test that confirms that the target symbol
that we call through a pointer matches the type of the pointer itself.
for instance
    int foo(void *a, void *b)
    {
        ...
    }
    int (*fooptr)(char *ac, int *bc) = foo;
    fooptr(&charval, &intval);
is strictly speaking in C undefined behavior (even though in normal
operation this works as expected). Newer compilers are strict about
this however, as several security frameworks operate with an expectation
that this constraint is met.
See https://github.com/openssl/openssl/issues/22896#issuecomment-1837266357
for details.
So we need to create a thunking function. The sole purpose of this
thunking function is to accept the "real" comparison function for the
STACK_OF macros, along with the two items to compare of the type that
they are passed as from the calling function, and do the conversion of
both the comparison function and the data pointers to the types that the
real comparison function expects.
So we:
1) Modify the DEFINE_STACK_OF macros to create this thunking function
2) Add an OPENSSL_sk_set_cmp_thunks api to set the comparison function
3) modify the requisite places in the stack code to use the thunking
function when available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:14 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
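The thunk pattern this commit describes, as an added C example that is not OpenSSL's code: a comparison function typed on its element is stored behind an opaque pointer, and a generated thunk (here a hypothetical DEFINE_CMP_THUNK macro standing in for what DEFINE_STACK_OF generates) converts that pointer back to its real type before calling it, so the call expression matches the callee's prototype that ubsan checks. The element type, the bsearch routine and the lookup table are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed element type standing in for a STACK_OF(T) element. */
typedef struct {
    const char *name;
    int prio;
} entry;

/* Opaque signature the container stores and calls through. */
typedef int (*OPAQUE_CMP)(const void *, const void *);
/* A thunk receives the stored opaque pointer plus the two elements to compare. */
typedef int (*CMP_THUNK)(OPAQUE_CMP cmp, const void *a, const void *b);

/*
 * Hypothetical stand-in for the thunk a DEFINE_STACK_OF-style macro would
 * generate. Converting a function pointer back to its real type and calling
 * it through that type is well defined, which is exactly what calling the
 * mismatched pointer directly is not.
 */
#define DEFINE_CMP_THUNK(T)                                                 \
    typedef int (*T##_cmp_fn)(const T *const *, const T *const *);          \
    static int T##_cmp_thunk(OPAQUE_CMP cmp, const void *a, const void *b)  \
    {                                                                       \
        T##_cmp_fn real = (T##_cmp_fn)cmp;                                  \
        return real((const T *const *)a, (const T *const *)b);              \
    }

DEFINE_CMP_THUNK(entry)

/* The real comparison, typed on entry, as an application would write it. */
static int entry_cmp(const entry *const *a, const entry *const *b)
{
    return strcmp((*a)->name, (*b)->name);
}

/*
 * Minimal binary search over an array of element pointers. With a thunk the
 * comparison is routed through it; without one the opaque pointer is called
 * directly, which is the pre-thunk behaviour that trips ubsan's function
 * type check.
 */
static const void *bsearch_thunked(const void *key, const void *base,
                                   size_t num, size_t size,
                                   OPAQUE_CMP cmp, CMP_THUNK thunk)
{
    size_t lo = 0, hi = num;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        const char *p = (const char *)base + mid * size;
        int c = thunk != NULL ? thunk(cmp, key, p) : cmp(key, p);

        if (c == 0)
            return p;
        if (c < 0)
            hi = mid;
        else
            lo = mid + 1;
    }
    return NULL;
}

/* Look up name in a constructed table sorted by name; return its prio or -1. */
int lookup_prio(const char *name)
{
    static const entry tbl[] = { { "aes", 3 }, { "hmac", 1 }, { "rsa", 2 } };
    const entry *sorted[] = { &tbl[0], &tbl[1], &tbl[2] };
    entry key = { name, 0 };
    const entry *keyp = &key;
    const entry *const *hit;

    /* The typed comparator is stored as OPAQUE_CMP; the thunk undoes that cast. */
    hit = bsearch_thunked(&keyp, sorted, 3, sizeof(sorted[0]),
                          (OPAQUE_CMP)entry_cmp, entry_cmp_thunk);
    return hit != NULL ? (*hit)->prio : -1;
}
```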
Neil Horman [Tue, 13 Jan 2026 21:25:21 +0000 (16:25 -0500)]
add cmp_thunk function to ossl_bsearch
Add the initial groundwork to allow for the use of a thunking function
with bsearch. Normally our comparison function signature doesn't match
the type of the pointer we call it through, leading to ubsan errors;
this lets those signatures match and gives us a place to do the proper
casting.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:11 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 7 13:05:48 2026
(Merged from https://github.com/openssl/openssl/pull/29932)
kovan [Thu, 5 Feb 2026 15:41:02 +0000 (16:41 +0100)]
doc: Fix typos and grammar in BIO_s_accept documentation
- Fix "and attempt" to "an attempt"
- Fix "BIO_BIN_NORMAL" typo to "BIO_BIND_NORMAL"
- Add missing B<> formatting around BIO_BIND_NORMAL and BIO_RR_ACCEPT
- Fix "at then end" to "at the end"
- Fix incomplete sentence about BIO_should_io_special()
- Update copyright year
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Fri Feb 6 13:34:18 2026
(Merged from https://github.com/openssl/openssl/pull/29910)
Neil Horman [Mon, 2 Feb 2026 15:33:22 +0000 (10:33 -0500)]
replace curl in our interop testing
Since curl dropped support for using the OpenSSL quic stack, we have no
use for it anymore in our interop testing. Replace it with our own
http3 demonstration client.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
Neil Horman [Mon, 2 Feb 2026 15:24:56 +0000 (10:24 -0500)]
Update ossl-http3-demo to support multiple requests
In order to use our http3 demo to do interop testing, said demo needs to
be able to handle multiple requests and responses written to specific
output files.
Add that code here, allowing us to specify optionally a list of requests
on the command line to send to the server, as well as a download
directory, so that requests made get written locally to the same name as
the request in the specified download directory.
While we're at it, also clean up the code infrastructure to use SSL_poll
to do read-ready checking, rather than iterating/mutating the internal
hash table, which is questionable to do (i.e. we shouldn't be removing
elements from the hash table while iterating over it).
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:24 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
slontis [Wed, 4 Feb 2026 22:35:43 +0000 (09:35 +1100)]
AES-WRAP fixes.
Partially fixes issue in Discussion 22861
AES-WRAP pad is documented as only working for non streaming cases.
It did not however enforce this, so a user could potentially
wrap something incorrectly without an error and then not be able to
unwrap it without an error. The code now checks that update is only
called once.
An internal function returned an int which could be negative for bad
input values, and the return value was assigned to a size_t which
ignored the error condition.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
slontis [Wed, 4 Feb 2026 22:28:34 +0000 (09:28 +1100)]
BIO_f_cipher(): Increase internal buffer size used by CipherUpdate()
Previously running the commandline "openssl enc -id-aes256-wrap-pad ..."
with a large PQ private key failed since AES-WRAP is not streamable,
and multiple calls to CipherUpdate() are not allowed. Increasing the
size causes CipherUpdate() to only be called once.
The size of the buffer has been changed from 4K to 8K.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
Ethan [Tue, 3 Feb 2026 14:10:45 +0000 (09:10 -0500)]
doc: changed data_size value for OSSL_PARAM_octet_string() in EVP_SIGNATURE-SLH-DSA.pod
CLA: trivial
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29933)
Bob Beck [Thu, 22 Jan 2026 19:22:34 +0000 (12:22 -0700)]
Make OPENSSL_cleanup() G A
(Your choice of G and A words)
This installs a global destructor if we have destructor support.
The global destructor does nothing and immediately returns under
normal operation. If a global flag indicating that global cleanup
is wanted, it does what OPENSSL_cleanup() used to do.
OPENSSL_cleanup() is then modified to set the global flag indicating
that global cleanup is wanted. At this point if we have destructor
support, it immediately returns. If we do not have destructor support,
it manually calls the destructor function (meaning without destructor
support it does exactly what it used to do).
This ensures that if we have destructor support, the actions of an
OPENSSL_cleanup() requested by an application will only happen
after any subordinate library destructors which could call into
OpenSSL functions have already run.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 19:19:17 2026
(Merged from https://github.com/openssl/openssl/pull/29721)
Neil Horman [Wed, 28 Jan 2026 20:25:20 +0000 (15:25 -0500)]
Don't setup a default context while tearing down private contexts
In providers/applications that create custom libctx'es via
OSSL_LIB_CTX_new, it's possible, if the default provider has never been
initialized during the lifetime of the linked libcrypto, that we
actually wind up creating the default libctx when we free the
aforementioned custom libctx via, as an example:
While this isn't catastrophic, it's needless, and in some cases has the
potential to leak memory (for instance if a provider is loaded and
unloaded repeatedly in an environment in which the provider is linked to
libcrypto.so while the calling application is statically linked to
libcrypto.a).
It's also fairly easy to clean up, by adding an internal parameter to
gate the creation of the default libctx on the request of the caller, so
do that here.
Fixes openssl/project#1846
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 5 17:08:13 2026
(Merged from https://github.com/openssl/openssl/pull/29830)
Milan Broz [Tue, 20 Jan 2026 15:49:06 +0000 (16:49 +0100)]
Fix const spec in test
This patch fixes several const specifiers and unneeded casts
(visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:13:46 2026
(Merged from https://github.com/openssl/openssl/pull/29800)
Viktor Dukhovni [Tue, 16 Dec 2025 16:48:06 +0000 (03:48 +1100)]
Advertise FFDHE groups also with TLS 1.2-only
When the TLS max version is TLS 1.2, include supported RFC7919 FFDHE
groups in the supported_groups extension, provided we support at least
one DHE key exchange ciphersuite.
Also skip the EC point formats extension when the minimum (D)TLS version
is greater than 1.2. That extension is obsolete as of (D)TLS 1.3.
Finally, folded some extant long lines from the previous RFC7919 commits.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:43 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Implement second step of RFC7919 in TLS 1.2 server
Before this commit, the logic for generating a temporary DH key for DHE
cipher suites is the following:
1) If dh_tmp_auto is set (see SSL_set_dh_auto), the SSL server
automatically selects a set of DH parameters (P and G) appropriate
for the security level of the cipher suite. The groups are taken from
IKE (RFC 2409 and RFC 3526).
2) Otherwise, if the user provided a pre-generated set of DH parameters
(SSL_set0_tmp_dh_pkey), those parameters are used.
3) Finally, if neither 1) or 2) are applicable, a callback function can
be set using SSL_set_tmp_dh_callback, which will be invoked to
generate the temporary DH parameters. From OpenSSL 3.0, this
functionality is deprecated.
4) Using the parameters from step 1-3, an ephemeral DH key is
generated. The parameters and the public key are sent to the client.
The logic above is updated by inserting an additional step, prior to
step 1:
0) If tls1_shared_group returns any shared known group between the
server and the client, the DH parameters associated with this group
are selected.
This is still compliant with RFC7919, as the server will already have
checked the Supported Groups extension during the ciphersuite selection
process (implemented in the previous commit).
Now, the tests need to be updated: By default, the TLS 1.2 server will
default to RFC7919 groups. To bypass this behavior, the supported groups
on the client side is set to "xorgroup", ensuring that the client does
not advertise any FFDHE group support and the server falls back to the
old logic.
An additional test is also added to ensure that the TLS 1.2 server does
select the right group if the client advertises any of the RFC7919
groups.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
RFC 7919 states:
If a compatible TLS server receives a Supported Groups extension from
a client that includes any FFDHE group (i.e., any codepoint between
256 and 511, inclusive, even if unknown to the server), and if none
of the client-proposed FFDHE groups are known and acceptable to the
server, then the server MUST NOT select an FFDHE cipher suite.
We implement this behavior by adding a new function that checks this
condition as its inverse: only select FFDHE cipher suites if at least
one of the client-proposed FFDHE groups is known and acceptable, or
if the client did _not_ send any FFDHE groups.
Also add a test to verify two possible outcomes:
1) The client proposes FFDHE and non-FFDHE ciphersuites -> the server
will select a non-FFDHE ciphersuite.
2) The client only proposes FFDHE ciphersuites -> the server will end
the connection.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:40 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Update tls1_shared_group to allow filtering for FFDHE and/or ECDHE
groups. This will be used for implementing RFC 7919 groups support in
the TLS 1.2 server. As defined in RFC 7919:
Codepoints in the "Supported Groups Registry" with a high byte of
0x01 (that is, between 256 and 511, inclusive) are set aside for
FFDHE groups
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:38 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
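The three commits above describe the server-side rules in words: FFDHE codepoints are the 256..511 range, tls1_shared_group can be filtered to FFDHE or ECDHE groups, and the RFC 7919 "MUST NOT select an FFDHE cipher suite" rule is implemented as its inverse. The following is an added illustration of those rules, not OpenSSL's code: the GROUP_FILTER_*, KX_* and select_kx names, the server's group list and the sample extension bodies are all assumptions made for this example. The group codepoints used (23 secp256r1, 24 secp384r1, 29 x25519, 256 ffdhe2048, 257 ffdhe3072, 260 ffdhe8192) are the IANA Supported Groups values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed filter flags, modelled on the FFDHE/ECDHE filtering the commits
 * above add to tls1_shared_group; not OpenSSL's own names. */
#define GROUP_FILTER_FFDHE 0x1
#define GROUP_FILTER_ECDHE 0x2

/* Assumed outcomes of key-exchange selection for this example. */
enum { KX_NONE = 0, KX_ECDHE = 1, KX_FFDHE = 2, KX_LEGACY_DH = 3 };

/* RFC 7919: codepoints 256..511 (high byte 0x01) are FFDHE groups. */
static bool is_ffdhe_group(uint16_t id)
{
    return id >= 256 && id <= 511;
}

/* Groups this constructed server knows and accepts, in preference order:
 * x25519, secp256r1, ffdhe3072, ffdhe2048. */
static const uint16_t server_groups[] = { 29, 23, 257, 256 };
#define N_SERVER_GROUPS (sizeof(server_groups) / sizeof(server_groups[0]))

/* Parse a supported_groups extension body (2-byte list length, then 2-byte
 * group ids). Returns the group count, or -1 if the body is malformed. */
static int parse_supported_groups(const uint8_t *ext, size_t ext_len,
                                  uint16_t *out, size_t max_out)
{
    size_t list_len, i, n = 0;

    if (ext_len < 2)
        return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len % 2 != 0 || list_len + 2 != ext_len)
        return -1;
    for (i = 0; i < list_len; i += 2) {
        if (n >= max_out)
            return -1;
        out[n++] = (uint16_t)((ext[2 + i] << 8) | ext[3 + i]);
    }
    return (int)n;
}

/* First server-preferred group the client also offered that passes the
 * filter, or 0. Anything outside 256..511 counts as ECDHE here. */
static uint16_t shared_group(const uint16_t *client, size_t nclient, int filter)
{
    size_t i, j;

    for (i = 0; i < N_SERVER_GROUPS; i++) {
        int want = is_ffdhe_group(server_groups[i]) ? GROUP_FILTER_FFDHE
                                                    : GROUP_FILTER_ECDHE;

        if (!(filter & want))
            continue;
        for (j = 0; j < nclient; j++)
            if (client[j] == server_groups[i])
                return server_groups[i];
    }
    return 0;
}

/* RFC 7919 rule as its inverse: FFDHE suites are allowed if the client sent
 * no FFDHE codepoint at all, or at least one it sent is acceptable. */
static bool ffdhe_suites_allowed(const uint16_t *client, size_t nclient)
{
    size_t i;
    bool saw_ffdhe = false;

    for (i = 0; i < nclient; i++)
        if (is_ffdhe_group(client[i]))
            saw_ffdhe = true;
    return !saw_ffdhe || shared_group(client, nclient, GROUP_FILTER_FFDHE) != 0;
}

/* Decision for a server that prefers ECDHE suites over DHE suites. Stores
 * the negotiated group in *group (0 for locally configured DH params) and
 * returns a KX_* value, or -1 if the extension is malformed. */
static int select_kx(const uint8_t *ext, size_t ext_len, uint16_t *group)
{
    uint16_t client[16];
    int n = parse_supported_groups(ext, ext_len, client, 16);

    *group = 0;
    if (n < 0)
        return -1;
    if ((*group = shared_group(client, (size_t)n, GROUP_FILTER_ECDHE)) != 0)
        return KX_ECDHE;
    if (!ffdhe_suites_allowed(client, (size_t)n))
        return KX_NONE;      /* MUST NOT pick an FFDHE suite: handshake ends */
    if ((*group = shared_group(client, (size_t)n, GROUP_FILTER_FFDHE)) != 0)
        return KX_FFDHE;     /* use the RFC 7919 parameters of that group */
    return KX_LEGACY_DH;     /* no FFDHE offered: fall back to the old logic */
}

/* Constructed supported_groups bodies for the scenarios above (not captured traffic). */
static const uint8_t ext_x25519_plus_unknown_ffdhe[] = { 0x00, 0x04, 0x00, 0x1d, 0x01, 0x04 };
static const uint8_t ext_unknown_ffdhe_only[]        = { 0x00, 0x02, 0x01, 0x04 };
static const uint8_t ext_secp384r1_plus_ffdhe2048[]  = { 0x00, 0x04, 0x00, 0x18, 0x01, 0x00 };
static const uint8_t ext_secp384r1_only[]            = { 0x00, 0x02, 0x00, 0x18 };

int main(void)
{
    uint16_t g;
    int kx = select_kx(ext_unknown_ffdhe_only, sizeof(ext_unknown_ffdhe_only), &g);

    printf("unknown FFDHE only: kx=%d group=%u\n", kx, g);
    return 0;
}
```

The four constructed extensions map onto the test outcomes the commits describe: x25519 plus an unknown FFDHE codepoint yields an ECDHE suite, an unknown FFDHE codepoint alone ends the handshake, secp384r1 (unknown to this server) plus ffdhe2048 selects the RFC 7919 ffdhe2048 parameters, and a client that offers no FFDHE codepoint at all falls back to the server's locally configured DH parameters.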
Milan Broz [Tue, 20 Jan 2026 13:18:14 +0000 (14:18 +0100)]
Fix const spec in apps
This patch fixes several const specifiers
(visible with non-default const-qual warning).
- Functions like SSL_set_tlsext_host_name take a
non-const hostname parameter.
- packet buffer is read in BIO_read, so it
cannot be const
The rest is missing const specifiers where casting
to non-const is not needed.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 4 19:49:15 2026
(Merged from https://github.com/openssl/openssl/pull/29796)
Guard RWLOCK methods by USE_RWLOCK in threads_pthread.c
Fixes: #29883 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 4 15:55:47 2026
(Merged from https://github.com/openssl/openssl/pull/29924)
Milan Broz [Tue, 20 Jan 2026 15:35:25 +0000 (16:35 +0100)]
Fix const spec in ssl
This patch fixes several const specifiers and unneeded
casts (visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 17:26:31 2026
(Merged from https://github.com/openssl/openssl/pull/29799)
ML-DSA provider module requires der_digests.h which is generated
from der_digests.h.in. The dependency must be explicitly set in
build.info otherwise the .h file is missing when
providers/common/der/der_ml_dsa_key.c gets compiled.
The issue seems to affect only make found in base system on OpenBSD.
gnu-make (a.k.a gmake) is not affected.
public API: Remove needless 'const' from scalar types
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18229)
Milan Broz [Tue, 20 Jan 2026 14:40:18 +0000 (15:40 +0100)]
Fix const spec in providers
This patch fixes several const specifiers
(visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Feb 3 14:12:00 2026
(Merged from https://github.com/openssl/openssl/pull/29798)
kovan [Tue, 27 Jan 2026 06:44:55 +0000 (07:44 +0100)]
doc: add return value documentation for EVP_CIPHER_*_params functions
Document that EVP_CIPHER_get_params(), EVP_CIPHER_CTX_get_params() and
EVP_CIPHER_CTX_set_params() return 1 for success and 0 for failure.
Fixes #29725
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Feb 3 09:51:47 2026
(Merged from https://github.com/openssl/openssl/pull/29779)
kovan [Tue, 27 Jan 2026 05:01:49 +0000 (06:01 +0100)]
doc: clarify OSSL_DISPATCH array usage in provider-base
The previous wording "arrays are indexed by numbers" was misleading
as it suggested direct array indexing. Clarify that OSSL_DISPATCH
entries contain a function_id field that identifies the function.
Fixes #27125
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Feb 3 09:48:02 2026
(Merged from https://github.com/openssl/openssl/pull/29769)
Tommy Chiang [Sun, 25 Jan 2026 13:12:28 +0000 (21:12 +0800)]
SSL_CONF_FLAG: Prevent setting both CMDLINE and FILE flags
The `SSL_CONF_CTX_set_flags` function did not prevent setting both
`SSL_CONF_FLAG_CMDLINE` and `SSL_CONF_FLAG_FILE` flags, which is an
invalid combination. This commit adds a check to prevent this and
updates the documentation to clarify that only one of these flags
can be set.
A new test case is also added to verify the correct behavior.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 09:40:04 2026
(Merged from https://github.com/openssl/openssl/pull/29752)
Daniel Kubec [Sat, 24 Jan 2026 19:50:42 +0000 (20:50 +0100)]
ASN.1: Raise additional errors in crl_set_issuers()
Additional ASN.1 parsing errors are now raised to the error stack,
allowing invalid CRLs to be rejected early with detailed error messages.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 09:02:15 2026
(Merged from https://github.com/openssl/openssl/pull/29750)
Tomas Mraz [Thu, 22 Jan 2026 10:23:26 +0000 (11:23 +0100)]
check_cert_crl(): Avoid potential UAF when using the value of current_crl
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue Feb 3 08:50:53 2026
(Merged from https://github.com/openssl/openssl/pull/29679)
Bob Beck [Wed, 21 Jan 2026 18:47:37 +0000 (11:47 -0700)]
Ensure current_crl always points to the crl we are considering
As mentioned by Viktor Dukhovni, the desired behaviour is:
The current_crl is NULL when the running callback invocation is about errors
unrelated to validation failures via a particular CRL a user may want to
report the issuer of.
The current_crl is (whenever possible) not NULL when reporting errors
specifically related to that CRL.
The problem with this happens when we call check_crl with something that
is not what current_crl is set to. We can potentially enter the time check
code, and we then need to call the callback with the certificate that
failed the time check which is not current_crl.
Correct this by removing the dance in the time check code, and always
setting current_crl whenever we call check_crl.
This means that when we are considering a delta crl, we report the
correct crl to the callback, instead of possibly handing them NULL
(if they get called after a failing time check clobbers it), or the
non-delta crl (because we are looking at a delta while having
current_crl set to crl - which was why we had the dance in the time code
to begin with). We don't need to change current_crl in the time check
code if we always have current_crl set to the thing we are evaluating.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 08:50:52 2026
(Merged from https://github.com/openssl/openssl/pull/29679)
noctuelles [Mon, 19 Jan 2026 17:19:08 +0000 (18:19 +0100)]
BIO_get_data.pod: Warn about use outside of a custom BIO implementation
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Feb 3 08:47:06 2026
(Merged from https://github.com/openssl/openssl/pull/29675)
Danny Tsen [Wed, 28 Jan 2026 12:23:13 +0000 (07:23 -0500)]
aes-gcm-ppc.pl: Removed .localentry directive
Otherwise there is mixing of ELFv1 ABI and ELFv2 ABI directives
and PPC64 big endian builds fail.
Fixes #29815
Signed-off-by: Danny Tsen <dtsen@us.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 3 08:39:50 2026
(Merged from https://github.com/openssl/openssl/pull/29827)
Curl dropped support for using the quic-tls interface to use our quic
stack. Because our interop testing relies on using curl to do testing,
our builds broke.
Until we can find an alternate client to do https transfers over
http3/quic, we need to back off our quic build point to a commit prior
to the above so we can maintain our interop testing.
Long term, we need to enhance our own http3 demo client to support the
download/resumption/etc features that we need for interop. We're
tracking that effort in:
https://github.com/openssl/project/issues/1850
Fixes openssl/project#1848
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Fri Jan 30 12:20:11 2026
(Merged from https://github.com/openssl/openssl/pull/29857)