If the call to ASN1_item_ex_d2i() from x509_pubkey_ex_d2i_ex() fails
*pval is freed by asn1_item_ex_d2i_intern()->ASN1_item_ex_free()->ossl_asn1_item_embed_free()
inside the ASN1_item_ex_d2i() function without freeing the
string buffer X509_PUBKEY::propq that was previously allocated
in x509_pubkey_ex_new_ex() and we lose the pointer to this buffer.
The function we are fixing here is one of the functions used
to define X509_PUBKEY - so any operations that work directly
on X509_PUBKEY_INTERNAL should be prevented from freeing
the structure because they don't know how to handle it.
Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27333)
Neil Horman [Wed, 8 Oct 2025 12:20:36 +0000 (08:20 -0400)]
Copy impls stack when calling ossl_method_store_do_all
PR https://github.com/openssl/openssl/pull/24782 introduced a copying of
the algs stack in ossl_method_store_do all, so that the subsequent
iteration of elements through alg_do_one could be done without a lock,
and without triggering a tsan error as reported in:
https://github.com/openssl/openssl/issues/24672
However, the problem wasn't completely fixed. Issue:
https://github.com/openssl/openssl/issues/27726
Noted that, sometimes we still get a crash when iterating over each algs
impls stack. This occurs because, even though we've cloned the algs to
a private data area, the impls stack for each alg still points to shared
data, which we are accessing without the benefit of a lock. Because of
that, if some other thread calls a function that mutates the impl stack
(say ossl_method_store_remove()), we may encounter a NULL or garbage
value in one of the impl stack values, leading to an unexpected NULL
pointer or simmilar, which in turn leads to a crash.
Unfortunately we can't use a lock to create exclusive access here, as
there are several paths that lead to a recursive mutation of the stack,
which would deadlock.
So the only way that I see to prevent this (which is admittedly ugly),
is to not only clone the alg stack, but to duplicate each algs impl
stack with the read lock held, prior to doing the iteration.
Further, we've been unable to test this, as the problem is rare, and we
don't have a solid reproducer for the issue, but visual inspection
suggests this should fix that. Hopefully:
Fixes #27726
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28783)
Tomas Mraz [Wed, 22 Oct 2025 13:07:10 +0000 (15:07 +0200)]
Disable also argon2, scrypt and slh-dsa with no-bulk
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28970)
Tomas Mraz [Wed, 22 Oct 2025 13:03:24 +0000 (15:03 +0200)]
scrypt.c: Do not include the param with OPENSSL_NO_SCRYPT
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28970)
Simo Sorce [Mon, 28 Jul 2025 19:32:06 +0000 (15:32 -0400)]
Clear keymgmt params containing sensitive data
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28108)
Simo Sorce [Mon, 28 Jul 2025 14:59:54 +0000 (10:59 -0400)]
Test OSSL_PARAM_clear_free()
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28108)
Simo Sorce [Mon, 28 Jul 2025 12:32:54 +0000 (08:32 -0400)]
Add a way to cleanse params arrays
This uses the return_size field of the last terminating parameter
similaraly to how secure memory uses the data and data_size fields,
to hold the total size of memory allocated for params.
This is then used to be able to call OPENSSL_cleanse on the params
fields via the new OSSL_PARAM_clear_free() call.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28108)
Bernd Edlinger [Tue, 21 Oct 2025 11:42:00 +0000 (13:42 +0200)]
Fix heap-buffer-overflow in CI fuzzing tests
The ASN1_STRING is not supposed to be used as a
zero-terminated string. Therefore we need to check
the string length explicitly and use memcmp instead of
strcmp in ossl_x509_check_cert_time.
Fixes a regression introduced by #28623
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28962)
Bob Beck [Sat, 4 Oct 2025 13:34:11 +0000 (07:34 -0600)]
Adapt the tests to not care about failures from platform gmtime()
Now that we don't use gmtime, timegm and friends from the platform
we should be able to handle all values the same on any platform
with no concerns other than what the platform has decided to use
for time_t.
The hpux #ifdef is removed, as looking at f5e3115361f shows this
was added due to a gmtime() failure on the platform.
This then clears out all the platform specific chaos in helper.c
as an example of why the public API being added is actually
generally useful, as it has been noticed that users of OpenSSL
frequently end up dealing with the same issues in the same really
awful ways in their own software as were were doing in that file
in the tests.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28748)
Bob Beck [Fri, 3 Oct 2025 12:16:33 +0000 (06:16 -0600)]
Bring in posix time conversion functions, originally from BoringSSL
This is effectively a Julien date computation, but done as seconds since
the POSIX epoch, all checked for overflow and limited to dates from year
0000 to 9999.
This is advantageous as it removed the need to use the operating system provided
timegm() and gmtime() functions which are only semi-standardized in any case and
when they aren't there or don't work other nastiness needs to be tried to do
the same thing. Even when they are there, you need to worry about the size of
time_t and if the bad idea bears of unsigned time_t have visited this platform.
By simply doing the conversion ourselves, to and from and int64, this can be
done the same everywhere, and bounds checked when being put into a time_t.
This adds public API that is already added in libre and boring in
<openssl/posix_time.h>:
These are added in the forks due to noticing a fair bit of software needing
to perform similar error-prone conversions themselves when dealing with
ASN1 times (such as what we have to do in the tests). While I intend to
use some of this API for further simplification in a follow on changes in
several places (such as ocsp and X509) For now we only use it to simplify
the test helpers and clean that up a bunch
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28748)
Nikola Pajkovsky [Thu, 16 Oct 2025 06:25:06 +0000 (08:25 +0200)]
provider: reduce lock contention in ossl_provider_find
There's really no point to always take write lock, and sort the
store->providers every time. Instead, check if store->providers is
sorted, and if not, then upgrade to the write lock, otherwise use read
lock.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28927)
Nikola Pajkovsky [Wed, 15 Oct 2025 10:48:06 +0000 (12:48 +0200)]
clang deprecates sprintf on macos
test/threadstest.c:1376:9: error: 'sprintf' is deprecated.
The same issues is in the ossl-nghttp3-demo.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28903)
Simo Sorce [Thu, 16 Oct 2025 19:48:09 +0000 (15:48 -0400)]
signature: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:09 +0000 (15:48 -0400)]
rands: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:08 +0000 (15:48 -0400)]
macs: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:08 +0000 (15:48 -0400)]
keymgmt: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Fri, 17 Oct 2025 02:57:36 +0000 (22:57 -0400)]
Fix handling of include files in libtemplate
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:08 +0000 (15:48 -0400)]
kem: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:07 +0000 (15:48 -0400)]
kdfs: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:07 +0000 (15:48 -0400)]
exchange: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:07 +0000 (15:48 -0400)]
encode_decode: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:07 +0000 (15:48 -0400)]
digests: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:06 +0000 (15:48 -0400)]
ciphers: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Fri, 17 Oct 2025 02:26:33 +0000 (22:26 -0400)]
Fix handling of include files in libcommon
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Thu, 16 Oct 2025 19:48:06 +0000 (15:48 -0400)]
asymciphers: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Mon, 13 Oct 2025 21:48:54 +0000 (17:48 -0400)]
storemgmt: Use include file for generated code
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Simo Sorce [Fri, 10 Oct 2025 20:32:27 +0000 (16:32 -0400)]
Move generic skeymgmt param decoder to .inc file
The Perl-generated code for the generic symmetric key import parameter decoder
is extracted from `generic.c.in` into a new `generic.inc.in` template.
The main `generic.c` file now includes the generated `generic.inc` file. This
change separates the auto-generated code from the handwritten C code,
improving modularity and readability.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28838)
Joshua Rogers [Fri, 10 Oct 2025 22:57:01 +0000 (06:57 +0800)]
CMP client: fix three memory leaks in error handling of the polling mechanism added in 3.3
These are in poll_for_response(), OSSL_CMP_try_certreq(), and OSSL_CMP_exec_certreq().
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28840)
Fixes for NonStop builds on 3.5 to handle OS platform header file changes.
This changes handles the introduction of _POSIX_VERSION into the NonStop x86
header files that tricks OpenSSL into thinking that ucontext.h is available.
Fixes #28498
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28769)
Joshua Rogers [Sat, 11 Oct 2025 12:10:48 +0000 (20:10 +0800)]
SMIME_text() and SMIME_crlf_copy() small refactoring
When out is NULL, SMIME_text() now skips BIO_write entirely and continues
to return success based on the read loop result. This matches existing
and expected semantics while avoiding a pointless write and any error masking.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28879)
Joshua Rogers [Sat, 11 Oct 2025 06:11:07 +0000 (14:11 +0800)]
freebsd ktls: avoid unaligned 16 bit length store in ktls_read_record
This prevents SIGBUS on strict alignment architectures when p+3 is not aligned
for 16 bit access. Behavior is unchanged on x86 and matches the Linux path.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28860)
Joshua Rogers [Fri, 10 Oct 2025 16:48:52 +0000 (00:48 +0800)]
ssl/statem: write 16-bit ECDHE group id in SKE
tls_construct_server_key_exchange wrote the named group as two u8 bytes with the high byte set to 0. TLS requires a 16-bit NamedGroup. Use WPACKET_put_bytes_u16(curve_id) so ids >= 256 are encoded correctly. No change for groups < 256.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28835)
Joshua Rogers [Fri, 10 Oct 2025 12:36:31 +0000 (20:36 +0800)]
Resetting the cookie_len should set the cookie_len to 0.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28817)
Joshua Rogers [Fri, 10 Oct 2025 11:55:31 +0000 (19:55 +0800)]
Fix off-by-one overflow in the AST resubmit
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28811)
Joshua Rogers [Wed, 8 Oct 2025 07:31:18 +0000 (15:31 +0800)]
Disallow Message sequence number 2 in DTLSv1_listen
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28788)
Joshua Rogers [Wed, 8 Oct 2025 22:14:15 +0000 (06:14 +0800)]
ssl: fix OOB write in SSL_get_shared_ciphers when no shared ciphers
When no cipher names are appended, p remains at buf and the unconditional
p[-1] = '\0' underflows. Only NUL-terminate if at least one cipher was written;
otherwise return an empty string safely.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28785)
* Adding missing periods.
* Consistently using "OpenSSL" as the project's name.
* Fixing the "`EVP_SKEY`" formatting reverted by a merge resolution
in f815ee19e066 "Harden RSA public encrypt".
* Fitting the lines in 80 characters, do a bit more semantic line breaks.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28734)
Joshua Rogers [Wed, 8 Oct 2025 07:37:35 +0000 (15:37 +0800)]
APPS/cmp: fix wrong CLI option reference for -ref_cert
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28786)
Joshua Rogers [Fri, 10 Oct 2025 12:58:46 +0000 (20:58 +0800)]
APPS/ocsp: avoid memory leaks on error
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28823)
Igor Ustinov [Tue, 14 Oct 2025 18:30:49 +0000 (20:30 +0200)]
Correct assembler version checking in perlasm scripts
Fixes #20520
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28901)
Bob Beck [Sun, 5 Oct 2025 01:25:40 +0000 (19:25 -0600)]
Be fully RFC 5280 pedantic about notAfter
May as well catch this case too. Any such certificate which
is valid for the notBefore at the time in quesion should be
considered valid no mater what the time is even if the system
time has been set to something beyond the range of ASN1_TIME values.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28623)
Nikola Pajkovsky [Thu, 18 Sep 2025 09:13:45 +0000 (11:13 +0200)]
x509store: reduce lock contention in X509_STORE
X509_STORE was using STACK_OF(X509_OBJECT) which is not ideal structure. The
better solution is to use hashmap. The performance gains come from the fact that
sorting was removed and therefore read lock is just enough for looking up
objects/cert/crls from hashmap.
When X509_STORE_get0_objects() is called, the hashmap converts back to
the STACK_OF(X509_OBJECT), and goes back to the original
implementation with the performance hit on lookup side because stack is not
sorted anymore.
Note, hashmap maps X509_NAME to STACK_OF(X509_OBJECT), and the stack is never
sorted which may lead to performance impact if stack contains a huge of objects.
Nikola Pajkovsky [Thu, 18 Sep 2025 08:42:42 +0000 (10:42 +0200)]
Move handy test functions to testutil
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28599)
Update size check condition for probable primes to align with FIPS 186-5.
Fixes #28540
In FIPS 186-4 (Table B.1), the upper bounds for probable primes p and q were
defined using strict inequalities. In FIPS 186-5, Table A.1 replaces the
previous Table B.1 (dropping the nlen=1024 case) and revises the upper bound
condition to use weak inequalities.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28540)
Joshua Rogers [Sat, 11 Oct 2025 11:53:07 +0000 (19:53 +0800)]
ssl: call SSLfatal on realloc failures in extract_keyshares
Initial malloc path already does this. Realloc path went to failure
without recording a fatal alert.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28873)
slontis [Mon, 6 Oct 2025 00:03:36 +0000 (11:03 +1100)]
Add no-argon2 option to daily build.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28756)
evp_test.c: Switch the logic to skip ARGON2 EVP tests to PREFIX
The names have ARGON2 as PREFIX rather than SUFFIX.
This covers the argon algorithms ARGON2D, ARGON2I, and ARGON2ID.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/28756)
slontis [Fri, 3 Oct 2025 02:00:35 +0000 (12:00 +1000)]
Update CI macos runners
Github have notified that the macos 13 runner image is deprecated and
will be retired on the 4th December 2025. It will also fail temporarily
intermittently during November on specific days as a warning.
Notes:
- The macos-14 and macos-15 labels correspond to arm64, and
macos-14-large and macos-15-large correspond to x86_64 (intel).
- macos x86_64 intel will no longer be supported after
the macos 15 runner image is retired in the Fall of 2027.
For now we should continue to support this.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28737)
Theo Buehler [Wed, 1 Oct 2025 22:56:41 +0000 (00:56 +0200)]
Fix an error check for EVP_PBE_CipherInit_ex()
As pointed out during the review for the recent security issue in this
file, this error check is incorrect: as documented, this function has
the usual Boolean return values.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28727)
Page 27 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf mentions
the Input: Signature length depending on the parameters, so the signature
length should be checked before we proceed with decode.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28093)
Ulrich Weber [Thu, 26 Jun 2025 14:16:06 +0000 (16:16 +0200)]
ktls: move ktls_enable() within ktls_start()
On linux ktls can only be enabled on established TCP sockets.
When SSL_set_fd() is called before the connection is established
ktls_enable() fails and ktls is not setup.
This moves ktls_enable() call within then ktls_start() function.
Multiple calls to ktls_start() will trigger additional ktls_enable()
calls which fail with EEXIST, but do not affect the ktls socket.
CLA: trivial
Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27908)
Adjust the http3 demo client so it works better on dual stack hosts. This
fixes the case when DNS returns both IPv4 and IPv6 addresses for host we try to
reach. The current code just uses the first address found in DNS answer. If
things are unfortunate and the service (port number) demo client tries to reach
does not listen on the address then demo gives up and exits.
Demo can do better. The RFC 6555 suggests application should try to reach the
service on the next address returned by DNS, when the first attempt fails for
the first address returned by DNS. This change helps with situation when DNS
prefers, let' say, IPv6 address, but the service is reachable via IPv4 only.
In that case application sees the failure on the first attempt to connect to
remote server over IPv6, but the second attempt that uses IPv4 is going to
succeed.
This extra handling is required for QUIC which uses UDP protocol. For TLS
client which uses TCP all this happens inside BIO layer which tries to
establish TCP connection. There is no TCP-handshake on UDP protocol so
BIO can not see the service is not reachable on requested address.
Fixes: #28331 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28802)
sashan [Mon, 6 Oct 2025 19:58:08 +0000 (21:58 +0200)]
- remove CYGWWIN (requested by Brandt)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28759)
projects / thirdparty / openssl.git / log
