Neil Horman [Thu, 19 Feb 2026 20:17:10 +0000 (15:17 -0500)]
Constify X509_find_by_subject
Transitively, this also requires the constification of OCSP_resp_get0_signer
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Feb 24 12:45:57 2026
(Merged from https://github.com/openssl/openssl/pull/30096)
Pauli [Thu, 19 Feb 2026 00:29:23 +0000 (11:29 +1100)]
Update documentation with guidelines for commit and PR messages
The CONTRIBUTING.md and PULL_REQUEST_TEMPLATE.md files have been updated
to include guidelines on what makes a desirable commit message and
PR description.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/30075)
Bob Beck [Wed, 18 Feb 2026 23:43:33 +0000 (16:43 -0700)]
Constify X509_STORE_add_cert()
For #30050
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Feb 23 22:45:42 2026
(Merged from https://github.com/openssl/openssl/pull/30074)
Bob Beck [Tue, 17 Feb 2026 21:28:01 +0000 (14:28 -0700)]
Constify various functions that were non const due to extension cache
for https://github.com/openssl/openssl/issues/30052
This is a blatant cheat. While I can get pretty close to getting
around cheating by caching extensions as X509 objects are created it's
too fragile at the moment. In a future with a better not-copying all
the things X509, we would endeavour to not need this.
In the meantime, in the interest of getting the public API ready to
do that, we instead make a blatant cheat in the internal function of
int ossl_x509v3_cache_extensions(const X509 *x);
Which in a future world we can work to make go away.
And then the public API all changes to const.
long X509_get_pathlen(const X509 *x);
int X509_check_ca(const X509 *x);
int X509_check_purpose(const X509 *x, int id, int ca);
long X509_get_proxy_pathlen(const X509 *x);
uint32_t X509_get_extension_flags(const X509 *x);
uint32_t X509_get_key_usage(const X509 *x);
uint32_t X509_get_extended_key_usage(const X509 *x);
const ASN1_OCTET_STRING *X509_get0_subject_key_id(const X509 *x);
const ASN1_OCTET_STRING *X509_get0_authority_key_id(const X509 *x);
const GENERAL_NAMES *X509_get0_authority_issuer(const X509 *x);
const ASN1_INTEGER *X509_get0_authority_serial(const X509 *x);
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Feb 23 16:34:29 2026
(Merged from https://github.com/openssl/openssl/pull/30055)
Richard Levitte [Thu, 19 Feb 2026 15:30:45 +0000 (16:30 +0100)]
Fix the uses of X509_check_certificate_times
The "error" parameter to 'X509_check_certificate_times' gets an X509 error
value, which isn't an OpenSSL ERR reason code. Unfortunately, this was
conflated.
This restores the behaviour in the places of conflation to something
similar enough to what was done before 'X509_check_certificate_times'
was implemented.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Feb 23 15:43:21 2026
(Merged from https://github.com/openssl/openssl/pull/30088)
Bob Beck [Fri, 20 Feb 2026 23:26:51 +0000 (16:26 -0700)]
Correct the instructions for how to run the krb5 external test.
What is there is a trap. I fell into it. I was sad.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 21:47:54 2026
(Merged from https://github.com/openssl/openssl/pull/30122)
Angel Yankov [Thu, 19 Feb 2026 08:27:21 +0000 (10:27 +0200)]
Constify X509_CRL_get0_by_cert
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:57:56 2026
(Merged from https://github.com/openssl/openssl/pull/30079)
Neil Horman [Thu, 19 Feb 2026 15:52:31 +0000 (10:52 -0500)]
Constify X509_CRL_get0_by_cert
Update the X509 parameter to be const
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Feb 22 17:55:12 2026
(Merged from https://github.com/openssl/openssl/pull/30090)
Bob Beck [Thu, 19 Feb 2026 20:20:20 +0000 (13:20 -0700)]
Return the correct error message in ossl_X509_print_ex_brief
X509_verify_cert_times returns a verify error code,
so X509_verify_cert_error_string() must be used to
convert it to text.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Sun Feb 22 17:52:13 2026
(Merged from https://github.com/openssl/openssl/pull/30097)
Bob Beck [Thu, 19 Feb 2026 20:59:17 +0000 (13:59 -0700)]
Add a changes entry for the x509 time function changes
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:49:25 2026
(Merged from https://github.com/openssl/openssl/pull/30098)
Neil Horman [Fri, 20 Feb 2026 10:48:53 +0000 (05:48 -0500)]
Fix broken strict-warnings build in sskdf and x963kdf
when configuring with:
./Configure no-sskdf --strict-warnings
The build breaks as sskdf_new is defined but not used (as the same sskdf
file is used to implement x963kdf with a different new dispatch
function), i.e. we will build the file when sskdf is disabled but
x963kdf is enabled, omitting any use of sskdf_new.
Easy fix, just gate the inclusion of sskdf_new on #ifndef
OPENSSL_NO_SSKDF.
Do the same for X963KDF, which has the same problem (thank you for
pointing that out @t8m)
Fixes #30105
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sun Feb 22 17:46:00 2026
(Merged from https://github.com/openssl/openssl/pull/30106)
Bob Beck [Tue, 17 Feb 2026 22:37:15 +0000 (15:37 -0700)]
Constify X509_chain_check_suiteb
For https://github.com/openssl/openssl/issues/30052
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:37:38 2026
(Merged from https://github.com/openssl/openssl/pull/30058)
X509V3_set_nconf(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
X509V3_set_ctx(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
Viktor Dukhovni [Wed, 18 Feb 2026 04:27:55 +0000 (15:27 +1100)]
CHANGE log additions
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:53 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 11:51:15 +0000 (22:51 +1100)]
Refactor openssl-speed(1)
- Adding support for "curveSM2" ECDH
- Integrating EdDSA and SM2 signature support into existing ECDSA code.
This removes ~500 lines of duplicated code.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Wed, 11 Feb 2026 18:55:51 +0000 (05:55 +1100)]
New SSL tests for SM2 cert and key exchange
Also some additional tests for other MLKEM hybrids.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:36 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Milan Broz [Wed, 11 Feb 2026 12:02:26 +0000 (13:02 +0100)]
Add curveSM2 and curveSM2MLKEM768 TLS test.
This extends sslapi test for SM2-based key exchange.
Also add comments for #endif to clearly mark disabled code blocks.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Sat Feb 21 13:26:27 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Sun, 8 Feb 2026 13:45:03 +0000 (00:45 +1100)]
Document ECDH over SM2 key exchange.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:15 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 16:32:17 +0000 (03:32 +1100)]
Support for RFC8998 curveSM2 + hybrid
This adds support for the "sm2sig_sm3" TLS 1.3 signature algorithm, the
"curveSM2" key exchange group (ECDH over SM2) and the associated
post-quantum/traditional (PQ/T) hybrid "curveSM2MLKEM768" key exchange.
The default key agreement group list is expanded to add two additional
PQ groups, immediately after X25519MLKEM768. These are the P-256-based
SecP256r1MLKEM768 and the SM2-based curveSM2MLKEM768. Neither of the new
groups is a default client keyshare group; these would only come into
play after a server HRR, if for some reason X25519MLKEM768 is not
supported by the server, X25519 is not then the server's most
preferred group, and the server supports and prefers one of these
over X25519.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:07 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:58:43 +0000 (02:58 +1100)]
Use algorithm name macros instead of literals
In the default and FIPS provider dispatch tables use corresponding
macros instead of string literals.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:57 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:53:51 +0000 (02:53 +1100)]
Pass tls-version to cert sign/verify algorithms
Most signature algorithms will ignore this parameter, but for SM2 this
makes it possible to set the RFC8998 distinguished identifier.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:47 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:45:02 +0000 (02:45 +1100)]
New SM2 "tls-version" signature parameter
When the version is TLS 1.3, this sets the SM2 distinguished identifier to
the RFC8998 specified value: "TLSv1.3+GM+Cipher+Suite".
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:39 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Wed, 11 Feb 2026 18:49:33 +0000 (05:49 +1100)]
Implement default SM2 distinguished identifier
This is needed for certificate verification to work correctly.
Removed unnecessary explicit instances of the distid in most tests, and
documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:30 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 14:55:02 +0000 (01:55 +1100)]
SM2 digest sign/verify context initialisation fix
SM digest sign/verify context initialisation needs to set the
"compute_z_digest" flag earlier, before calling sm2sig_signature_init(),
to process the provided parameters, because otherwise attempts to set
the "distinguished identifier" will erroneously fail.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:19 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Mon, 9 Feb 2026 09:28:39 +0000 (20:28 +1100)]
New decoder generator returns matched field count
It can be useful to know how many parameters matched a decoded field,
(or at least whether that number is non-zero).
The new `produce_param_decoder_with_count` generator produces code that
updates a count output variable.
In particular, an RSA parameter handler did not handle requests for only
unexpected parameters as gracefully as one might want. It can now
return early when none of the provided parameters are relevant.
[ The number reported is a count of matching parameter values, not a
count of the resulting decoded fields, so if a parameter key occurs
more than once, the count can be larger than the number of fields
actually set. ]
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:11 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Milan Broz [Thu, 19 Feb 2026 12:05:21 +0000 (13:05 +0100)]
Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp.
These functions seem not to be documented, but are exported.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 17:07:41 2026
(Merged from https://github.com/openssl/openssl/pull/30082)
sftcd [Tue, 17 Feb 2026 23:09:01 +0000 (23:09 +0000)]
require manual build for external ECH tests
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 14:16:40 2026
(Merged from https://github.com/openssl/openssl/pull/30059)
Tomas Mraz [Wed, 18 Feb 2026 14:09:37 +0000 (15:09 +0100)]
ECH: Remove whitespace at EOL or EOF
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 10:11:21 2026
(Merged from https://github.com/openssl/openssl/pull/30066)
Tomas Mraz [Wed, 18 Feb 2026 14:09:11 +0000 (15:09 +0100)]
ECH: Use BIO_puts when appropriate
And also a few additional code cleanups.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 10:11:20 2026
(Merged from https://github.com/openssl/openssl/pull/30066)
sftcd [Tue, 17 Feb 2026 16:48:18 +0000 (16:48 +0000)]
ECH: change from I-D to RFC 9849 and resolve TODO(ECH) cases
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/30048)
sftcd [Tue, 17 Feb 2026 19:11:50 +0000 (19:11 +0000)]
ECH: avoid pointer aliasing in tls_construct_ctos_psk()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:20:46 2026
(Merged from https://github.com/openssl/openssl/pull/30051)
sftcd [Tue, 17 Feb 2026 18:37:04 +0000 (18:37 +0000)]
ech_check_format(): Fix potential out of bounds read
strspn() is called on a likely non-NUL-terminated BIO buffer.
Copy it and add NUL-termination before calling the function.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:17:54 2026
(Merged from https://github.com/openssl/openssl/pull/30050)
sftcd [Sun, 23 Nov 2025 23:19:16 +0000 (23:19 +0000)]
Add tests and documentation and fix a couple of issues identified by added tests
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Feb 16 15:41:15 2026
(Merged from https://github.com/openssl/openssl/pull/29200)
sftcd [Thu, 18 Dec 2025 14:39:10 +0000 (14:39 +0000)]
ossl_ech_get_retry_configs(): Check for integer overflow
Fixes DEF-02-010
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:16 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 14:16:10 +0000 (14:16 +0000)]
tls_process_server_hello(): With retry config validate the outer hostname
Call SSL_set1_host() to apply the outer hostname to the certificate
validation.
Fixes DEF-02-009
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:14 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 13:48:28 +0000 (13:48 +0000)]
ech_test.c: Add test for trying ECH with TLSv1.2
Fixes DEF-02-006
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:13 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 02:10:38 +0000 (02:10 +0000)]
ssl_choose_server_version(): With ECH check if connection is TLSv1.3
Fixes DEF-02-005
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:11 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Tue, 25 Nov 2025 23:39:33 +0000 (23:39 +0000)]
Document that SSL_OP_ECH_TRIALDECRYPT can cause DoS in some circumstances
Fixes DEF-02-002
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:10 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Tue, 25 Nov 2025 22:41:23 +0000 (22:41 +0000)]
ech_read_priv_echconfiglist(): Pass encodedlen to BIO_new_mem_buf()
Fixes DEF-02-001
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
Matt Caswell [Thu, 5 Jun 2025 13:41:55 +0000 (14:41 +0100)]
Introduce the PACKET_msg_start() function
This gives us the start of the buffer in use for the PACKET.
We then use this information when calculating the TLS PSK binder.
Previously we were assuming knowledge about where the buffer starts.
However, with ECH, we may be using a different buffer to normal so it is
better to ask the PACKET where the start of the buffer is.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)
Stephen Farrell [Tue, 6 Aug 2024 22:16:58 +0000 (23:16 +0100)]
Documents initial agreed APIs for Encrypted Client Hello (ECH)
and includes a minimal demo for some of those APIs.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Stephen Farrell [Wed, 26 Jun 2024 11:55:17 +0000 (12:55 +0100)]
add ech-api.md
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Daniel Kubec [Mon, 16 Feb 2026 12:09:41 +0000 (13:09 +0100)]
CRL: reject malformed CRL Number and CRL Delta Indicator
Previously, a malformed ASN.1 INTEGER in the CRL Number or Delta CRL Indicator
extension would cause a parse error but the CRL would not be explicitly
rejected. Existing code discards the error and continues, accepting a CRL it
cannot fully parse, unlike other libraries and implementations that reject the
CRL outright.
Malformed encoding suggests a corrupt or tampered CRL; data that cannot be
parsed cannot be trusted. Reject the CRL outright if either extension cannot be
decoded, regardless of whether the extension is marked critical. This prevents
silent soft-fail behavior where revoked certificates could pass validation
unchecked.
Fixes #27374
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:24:44 2026
(Merged from https://github.com/openssl/openssl/pull/30024)
Milan Broz [Thu, 19 Feb 2026 09:47:33 +0000 (10:47 +0100)]
Constify X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set
These functions are exported, but undocumented.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 13:06:58 2026
(Merged from https://github.com/openssl/openssl/pull/30080)
Neil Horman [Wed, 18 Feb 2026 20:34:31 +0000 (15:34 -0500)]
constify X509_check_trust, X509_TRUST_add
Turn the X509 parameters to X509_check_trust and X509_TRUST_add into
consts.
Interesting side notes: X509_TRUST_add and some others that were
modified as a result of this PR are listed as public functions, but
have no documentation for them, and make doc-nits doesn't complain about
it. Unsure as to why, but we should probably look at that eventually.
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 20 13:04:04 2026
(Merged from https://github.com/openssl/openssl/pull/30071)
Whilst this is still useful with pre-3.2 providers, it is actually unlikely to be deployed. And there are now openssl fips providers getting validated with statically linked jitterentropy source already.
See background info at:
- https://github.com/openssl/openssl/pull/25930
Fixes: https://github.com/openssl/openssl/issues/26903
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Fri Feb 20 11:15:25 2026
(Merged from https://github.com/openssl/openssl/pull/29641)
Milan Broz [Mon, 16 Feb 2026 20:30:28 +0000 (21:30 +0100)]
Add CHANGES.md entry for SM-based cipher suites.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:25 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Milan Broz [Mon, 16 Feb 2026 15:04:28 +0000 (16:04 +0100)]
Add tests for TLS1.3 TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:20 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Milan Broz [Sun, 15 Feb 2026 17:29:57 +0000 (18:29 +0100)]
Add TLS1.3 ciphersuites from RFC8998
This adds TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
as defined in RFC 8998.
Fixes openssl/project#1871
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:15 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Neil Horman [Tue, 17 Feb 2026 20:14:47 +0000 (15:14 -0500)]
Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN
As part of our effort to not allow mutable x509 objects where they
aren't needed, constify the parameters to these two functions
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Feb 19 13:08:11 2026
(Merged from https://github.com/openssl/openssl/pull/30053)
This prevents potential crashes when print_keyspec is called with a NULL algorithm
pointer, improving the robustness of the CMP application.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Feb 19 12:56:01 2026
(Merged from https://github.com/openssl/openssl/pull/30046)
Michael Baentsch [Wed, 23 Jul 2025 08:37:41 +0000 (10:37 +0200)]
SSL_CONF_cmd.pod: Add PQC algs to recommended TLS 1.3 groups
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Alicja Kario <hkario@redhat.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:14:06 2026
(Merged from https://github.com/openssl/openssl/pull/28076)
Bob Beck [Mon, 16 Feb 2026 22:42:14 +0000 (15:42 -0700)]
Remove the "msie-hack" option from openssl ca
This has been documented as a deprecated option for
a long time, as we are not even certain this does what
was originally intended anymore, as it has no tests and
its time of usefulness has long since passed.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:09:33 2026
(Merged from https://github.com/openssl/openssl/pull/30033)
Neil Horman [Wed, 18 Feb 2026 19:35:22 +0000 (14:35 -0500)]
Fix unit tests when run under fuzz builds
PR https://github.com/openssl/openssl/pull/30045
Fixed an oss-fuzz failure that occurred because we feed random data into
the pkcs12 kdf, which sometimes results in a huge iteration count, that
leads to timeouts in oss-fuzz.
The fix was to simply limit the number of iterations that we go through
during derivation. This breaks the kdf of course, but it doesn't really
matter during fuzzing, because we don't expect random input data to
produce reasonable results, so no harm, no foul.
Except.
We also, in our CI, build our fuzzer tests and run them through our
regular CI unit tests, during which we both provide valid data, and
expect valid results, and PR 30045 breaks that expectation.
The conventional wisdom is to simply skip unit tests that break under
these sorts of conditions (we do this for things like
70-test_quic_record.t already).
However, the tests that broke here are 25_test_x509, 30_test_evp,
80_test_pkcs12, and 90_test_store_cases. It seems like we would want to
keep testing those unless we absolutely have to skip them.
So instead, let's indicate that we are running the unit tests with an
environment variable, and check that variable when we have an
UNSAFE_FOR_PRODUCTION build, skipping the iteration clamp in pkcs12kdf if
it is. This allows us to continue running these unit tests, while still
getting the oss-fuzz runs to pass.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Feb 19 08:49:56 2026
(Merged from https://github.com/openssl/openssl/pull/30070)
Simo Sorce [Tue, 17 Feb 2026 08:09:44 +0000 (03:09 -0500)]
Annotate benign race in FIPS deferred self test
Move TSAN definitions to threads_common.h to make them available
globally and introduce the ANNOTATE_BENIGN_RACE macro.
Apply this annotation to the state check in ossl_deferred_self_test()
to suppress a benign race warning from ThreadSanitizer, as the race
is intentional and accepted to avoid cpu contention.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Mon, 16 Feb 2026 17:37:36 +0000 (12:37 -0500)]
Relax unnecessary atomic reads in FIPS provider
Replace calls to ossl_get_self_test_state() with direct access to
st_all_tests[].state in the FIPS self-test code.
Atomic reads are unnecessary in functions like FIPS_kat_deferred()
and SELF_TEST_kats_execute() because they are executed with the
relevant lock already held.
For ossl_deferred_self_test(), removing the atomic read avoids
contention. The common case is that tests are already passed. If a
race occurs, the function safely falls back to the locked path in
FIPS_kat_deferred() which re-verifies the state.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Sat, 14 Feb 2026 03:38:26 +0000 (22:38 -0500)]
Make FIPS self test state access atomic
Direct access to the FIPS self-test state array caused race conditions in
multi-threaded environments when checking or updating test status.
Introduce atomic accessor functions `ossl_get_self_test_state` and
`ossl_set_self_test_state`, backed by a global lock, to ensure thread-safe
state transitions. Replace all direct structure accesses with these new
functions.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Fri, 13 Feb 2026 19:09:06 +0000 (14:09 -0500)]
Fix race in FIPS on-demand self test
The on-demand self-tests could race with deferred tests executing
concurrently in another thread.
Pass the FIPS global state to SELF_TEST_post() to allow locking
around the critical section where module integrity is checked and
test states are modified. This ensures thread safety when resetting
and executing tests.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Gleb Smirnoff [Fri, 23 Jan 2026 18:44:23 +0000 (10:44 -0800)]
SSL_sendfile: make it more like bio/bss_sock.c:sock_write()
First, use BIO_sock_should_retry().
Second, clear BIO retry flags. Otherwise after an SSL_sendfile that
failed, no matter how many succeeded after, the flags would still be up.
Fixes: #29742
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:24 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Gleb Smirnoff [Tue, 17 Feb 2026 19:21:31 +0000 (11:21 -0800)]
sockets: list EBUSY as a retryable socket error code.
This is a documented error code for sendfile(2) in FreeBSD. Being on the
conservative side, embrace it in an ifdef for now.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:21 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Gleb Smirnoff [Fri, 23 Jan 2026 18:42:42 +0000 (10:42 -0800)]
SSL_sendfile: let ktls_sendfile() pass more data up to SSL_sendfile()
Before this change ktls_sendfile() was basically a 1:1 wrapper around Linux
sendfile(2). The FreeBSD sendfile(2) API is richer than Linux's, and reducing
it down to the Linux API loses meaningful data. Instead, make ktls_sendfile()
more like FreeBSD sendfile(2) and adapt the Linux version to that.
With this change we will be raising BIO_should_retry() flag after a short
write due to lack of buffer space in a non-blocking socket on FreeBSD.
That will allow an application to tell a short write due to lack of buffer
space from a short write due to end of file. Before this change, the only
way to tell between these two kinds of short writes was to immediately
retry the operation.
This change allows cutting nearly in half the number of sendfile(2)
syscalls when sending a large file over a non-blocking socket on FreeBSD.
Fixes: #29742 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:18 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Daniel Kubec [Tue, 10 Feb 2026 12:36:03 +0000 (13:36 +0100)]
X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set
- Raise X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER when AKID is not present.
- Raise X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER when AKID has no attributes.
- Raise X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED when authorityCertIssuer
and authorityCertSerialNumber fields are not paired.
RFC 5280 section 4.2.1.1: The authorityCertIssuer and authorityCertSerialNumber
fields are paired and MUST either both be present or both be absent.
- Issuer without serial is ambiguous, and serial without issuer is meaningless,
leading to unresolvable and misleading issuer identification.
Fixes #27114
Fixes #27360
Fixes #20027
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 18:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/29971)
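The three strict-mode AKID checks described in the commit above, as an added example that is not OpenSSL's code: a minimal DER walker over the AuthorityKeyIdentifier SEQUENCE from RFC 5280 4.2.1.1 that reports which X509_V_ERR_* a strict verifier would raise. The sample encodings are constructed for the example and do not come from any real certificate.

```python
# Added example (not OpenSSL code). AuthorityKeyIdentifier ::= SEQUENCE {
#   keyIdentifier             [0] KeyIdentifier           OPTIONAL,
#   authorityCertIssuer       [1] GeneralNames            OPTIONAL,
#   authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
# Strict rule: [1] and [2] MUST either both be present or both be absent.

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def check_akid_strict(akid_der):
    """Return the X509_V_ERR_* name a strict verifier would raise, or None.

    akid_der is the DER value of the extension, or None if the certificate
    carries no AKID extension at all.
    """
    if akid_der is None:
        return "X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER"
    tag, body, _ = _tlv(akid_der, 0)
    if tag != 0x30:
        raise ValueError("AKID is not a SEQUENCE")
    present = set()
    pos = 0
    while pos < len(body):
        tag, _, pos = _tlv(body, pos)
        present.add(tag & 0x1F)             # context-specific tag number 0/1/2
    if not present:
        return "X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER"
    if (1 in present) != (2 in present):
        return "X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED"
    return None

# Constructed sample encodings (hand-built for this example).
AKID_KEYID_ONLY = bytes.fromhex("3016" + "8014" + "01" * 20)   # [0] 20-byte keyid
AKID_EMPTY = bytes.fromhex("3000")                              # SEQUENCE { }
AKID_ISSUER_NO_SERIAL = bytes.fromhex("3006a10482026361")       # [1] dNSName "ca"
AKID_SERIAL_NO_ISSUER = bytes.fromhex("300382012a")             # [2] serial 42
AKID_PAIRED = bytes.fromhex("3009a1048202636182012a")           # [1] and [2]
```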
Neil Horman [Tue, 17 Feb 2026 15:01:12 +0000 (10:01 -0500)]
limit number of iterations for fuzzer in pkcs12kdf
OSS-FUZZ tripped over a timeout:
https://issues.oss-fuzz.com/issues/477959320
It occurs because the pkcs12 data the fuzzer feeds into the mac
verification routine requests a large number of iterations (I think gdb
read it as 15346721 or some such), which causes very long processing
times while verifying the mac. This is something of an artificial
problem unique to the fuzzer, as the fuzzer contains a 60 second timeout
on any single test iteration.
Fix it by limiting the iteration count to 100 only when running the
fuzzer tests.
Fixes openssl/srt#89
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:07:05 2026
(Merged from https://github.com/openssl/openssl/pull/30045)
Igor Ustinov [Wed, 28 Jan 2026 22:41:57 +0000 (23:41 +0100)]
Bugfix of bn_sqr_mont procedure on SPARC sun4v
The fix for sparcv9-mont.pl came from Andy Polyakov (@dot-asm)
Fixes #15587
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/29948)
Neil Horman [Mon, 16 Feb 2026 23:04:37 +0000 (18:04 -0500)]
Use the appropriate libctx when executing CMS_SignerInfo_verify
@beldmit found some odd fips behavior when running cms tests after
attempting to remove the EVP_get_digestbyname call from the find routine
in cms when doing certificate signer validation.
It was occurring because the cms app, being an applet in openssl, uses the
app libctx to load all the provided configuration, which implies the
fips and base providers are loaded to that ctx. However, in the find
routine (part of cms), it only ever fetches algorithms from the default
libctx, leading to failed lookups, and consequently, CMS errors.
Fix it by using the appropriate libctx, which in this case can be
fetched from the SignerInfo data, which initializes its libctx member to
the app libctx in all cases.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Wed Feb 18 16:28:44 2026
(Merged from https://github.com/openssl/openssl/pull/30034)
Milan Broz [Tue, 17 Feb 2026 12:18:10 +0000 (13:18 +0100)]
Use defined TLS cipher suite names in SSL trace
This should use #define strings instead of duplication.
Not everything is defined, though.
Fixes openssl/project#1875
Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com> Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 18 16:01:18 2026
(Merged from https://github.com/openssl/openssl/pull/30042)
Bernd Edlinger [Fri, 13 Feb 2026 06:42:48 +0000 (07:42 +0100)]
Alternate fix for CVE-2025-69419
This affects the function OPENSSL_uni2utf8
which caused a heap buffer overflow when certain
unicode characters are converted.
The current fix is incomplete and only prevents the
crash by making OPENSSL_uni2utf8 return a NULL pointer.
But with this change OPENSSL_uni2utf8 will return the
correct utf8 string instead of a NULL pointer.
Additionally we add a simple test case that demonstrates
the original CVE.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:46:35 2026
(Merged from https://github.com/openssl/openssl/pull/29997)
Igor Ustinov [Sat, 7 Feb 2026 09:21:22 +0000 (10:21 +0100)]
SSL_get_error(): Do not depend on the state of the error stack
We check in relevant functions (SSL_handshake(), SSL_read(), etc.) whether
a new error has been pushed onto the error stack, and if so, memorise this
fact in the SSL structure. After that SSL_get_error() uses this memorised
information instead of checking the error stack itself.
Fixes #11889
Fixes openssl/project#1715
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:27:38 2026
(Merged from https://github.com/openssl/openssl/pull/29991)
giorgiopapini [Thu, 12 Feb 2026 21:34:51 +0000 (22:34 +0100)]
Move typedef 'RSA_OEAP_PARAMS' to openssl/types.h
This avoids redefinition of the type.
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:09:26 2026
(Merged from https://github.com/openssl/openssl/pull/29994)
Bob Beck [Mon, 16 Feb 2026 20:25:20 +0000 (13:25 -0700)]
Deprecate X509_NAME_get_text_by_NID and X509_NAME_get_text_by_OBJ
As they were already documented as "should be considered deprecated".
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:06:18 2026
(Merged from https://github.com/openssl/openssl/pull/30031)