Tomas Mraz [Wed, 11 Feb 2026 14:55:46 +0000 (15:55 +0100)]
X509V3_EXT_print(): Return only 0 or 1 as the callers expect
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue Feb 17 09:17:37 2026
(Merged from https://github.com/openssl/openssl/pull/29981)
slontis [Fri, 17 Oct 2025 05:32:06 +0000 (16:32 +1100)]
SLH-DSA speed up hash calculations.
SLH-DSA spends a significant amount of time performing large
numbers of hash calculations. Initially this was done using
EVP layer calls. The overhead is significant when there are thousands
of calls. To reduce this overhead the lower level sha functions for
KECCAK1600_CTX, SHA256_CTX and SHA512_CTX are accessed directly.
Profiling showed that a significant amount of time is spent in
"WOTS+ Public key generation" (FIPS 205 Section 5.1 Algorithm 6) so
this was inlined for shake and sha2 (See slh_wots_pk_gen_sha2()).
In FIPS 205 Section 11 there is a list of Hash functions.
Many of these functions use a pattern of
Trunc(n)(SHA256(PK.Seed || toByte(0, 64-n) || ....)
Because this operation is done many times, this prehashed
value is calculated once and stored into a low level SHA256_CTX or
KECCAK1600_CTX.
This can then be block copied to stack based KECCAK1600_CTX or
SHA256_CTX that we can then perform low level SHA functions on.
The md_len field is written to directly before the SHA final() to
control the length of the output (which avoids performing a memcpy).
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:21:54 +0000 (16:21 +1100)]
SHA256: Document SHA256_CTX, HASH_UPDATE() and HASH_FINAL()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:15:03 +0000 (16:15 +1100)]
SHA512 : Change SHA512_Final() so that it handles 192 bits.
SLH-DSA uses SHA-512 truncated to n when (n = 24 or 32).
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:11:11 +0000 (16:11 +1100)]
SHA3 - Move the buffered absorb function into sha3.c
This code was sitting inside the sha3 provider where it could not be
called directly.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 13 Feb 2026 08:55:52 +0000 (19:55 +1100)]
SRTP: Fixup settable input limits and test them.
Reported by https://github.com/1seal
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)
slontis [Fri, 13 Feb 2026 08:54:07 +0000 (19:54 +1100)]
Doc: SRTP updates to reflect the limits on settable parameters
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)
Aayush [Tue, 17 Jun 2025 13:10:05 +0000 (18:40 +0530)]
Clarify SSL_CERT_DIR list separator on Windows
Fixes #27698
OpenSSL uses `;` as the path delimiter on Windows.
Update the manpage to state this explicitly instead of implying
`:` everywhere.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat Feb 14 23:54:32 2026
(Merged from https://github.com/openssl/openssl/pull/27844)
The shlibloadtest used atexit() handler to verify
library pinning works as expected. The libcrypto
no longer arms atexit handler which also used to
fire upon shlib unload. We can not use the atexit
mechanism to test shared library pinning.
If the shlibload test does not crash on exit, then
library pinning must work.
Fixes openssl/project#1869
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:15:04 2026
(Merged from https://github.com/openssl/openssl/pull/29987)
kovan [Tue, 27 Jan 2026 10:22:54 +0000 (11:22 +0100)]
doc: fix NAME section formatting in EVP_SIGNATURE documentation
Ensure consistent formatting in NAME sections across all EVP_SIGNATURE
documentation pages. The algorithm name should be bold (B<ALG>) rather
than EVP_PKEY, following the pattern:
"- The EVP_PKEY B<ALG> signature implementation"
Fixes #29328
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:09:54 2026
(Merged from https://github.com/openssl/openssl/pull/29789)
kovan [Fri, 6 Feb 2026 18:58:54 +0000 (19:58 +0100)]
fix: update remaining 3.5.0 references to 3.6.0 in README-FIPS.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/29884)
kovan [Mon, 2 Feb 2026 10:26:52 +0000 (11:26 +0100)]
doc: add OpenSSL 3.6 to README documentation links
Update README.md to include OpenSSL 3.6 in the documentation links.
Update README-FIPS.md examples to use 3.6.0 as the latest release.
Fixes #29876
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:19 2026
(Merged from https://github.com/openssl/openssl/pull/29884)
kovan [Thu, 29 Jan 2026 12:46:46 +0000 (13:46 +0100)]
doc: clarify -cipher option syntax in man pages
Users reading the documentation for the -<cipher> option often
misunderstand the syntax. The notation "B<-I<cipher>>" renders as
"-cipher" with "cipher" in italics, leading users to think they
should type "-cipher aes-128-cbc" when the correct usage is
"-aes-128-cbc" (the cipher name directly as the option).
Update the documentation in openssl-genpkey, openssl-enc, and
openssl-pkey to explicitly state that the cipher name is prepended
with a hyphen and used directly as the option, not as an argument
to a "-cipher" flag.
Also add a reference to "openssl list -cipher-algorithms" to help
users discover available ciphers, and fix a typo in openssl-pkey
("and and" -> "and").
Fixes #26089
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:52:00 2026
(Merged from https://github.com/openssl/openssl/pull/29843)
kovan [Thu, 29 Jan 2026 11:12:38 +0000 (12:12 +0100)]
doc: rename .pod.in files that don't use templating to .pod
These man page source files only used the output_do_not_edit_headers()
template function, which just generates a comment. Since they don't
use any meaningful templating, rename them from .pod.in to .pod and
remove the template line and build.info generation rules.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Feb 13 14:50:16 2026
(Merged from https://github.com/openssl/openssl/pull/29838)
kovan [Mon, 2 Feb 2026 10:22:44 +0000 (11:22 +0100)]
doc: add CHANGES.md entry for const-correct X509_ATTRIBUTE functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:30 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Update all callers to use const-qualified pointers for return values.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:28 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Update all callers to use const pointers for the return values.
Fixes #29811
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Zijie Zhao [Fri, 16 Jan 2026 23:41:46 +0000 (17:41 -0600)]
Add test for EVP_KEYMGMT leak in evp_pkey_signature_init() error paths
Verify that calling EVP_PKEY_sign_init_ex2() with a mismatched
key/signature algorithm (RSA key with ECDSA signature) does not leak
EVP_KEYMGMT references. The test repeats the operation 100 times so
that ASAN can detect accumulating leaks.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Feb 13 14:42:40 2026
(Merged from https://github.com/openssl/openssl/pull/29810)
kovan [Tue, 27 Jan 2026 10:45:30 +0000 (11:45 +0100)]
doc: note that PBKDF2 does not support XOF digests
PBKDF2 uses HMAC internally, which does not support eXtendable Output
Function (XOF) digests such as SHAKE128 or SHAKE256. Document this
limitation to prevent user confusion when attempting to use XOF
digests with PBKDF2.
Fixes #22877
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:39:07 2026
(Merged from https://github.com/openssl/openssl/pull/29792)
kovan [Tue, 3 Feb 2026 09:32:56 +0000 (10:32 +0100)]
doc: clarify SSL_SESSION ownership in PSK use session callback
Document that when the psk_use_session callback is invoked multiple times
and wishes to return the same SSL_SESSION pointer, it must call
SSL_SESSION_up_ref() first since ownership is transferred on each call.
This prevents use-after-free errors from incorrect callback implementations.
Fixes #28267
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:36:50 2026
(Merged from https://github.com/openssl/openssl/pull/29771)
Simo Sorce [Mon, 1 Dec 2025 21:36:40 +0000 (16:36 -0500)]
Add support for deferred FIPS self-tests
Add a new -defer_tests option to openssl fipsinstall and a corresponding
defer-tests configuration parameter for the FIPS provider.
This allows the execution of self-tests to be postponed until the
first time an algorithm is used, instead of running all tests
during module initialization. This reduces startup time.
Update the self-test framework to handle the new SELF_TEST_STATE_DEFER
state, ensuring deferred tests are skipped at load and run on demand.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 21:38:51 +0000 (16:38 -0500)]
fips: Reorder self-tests by complexity
Reorganize the FIPS self-tests to group them by complexity.
The new order groups tests so that more complex ones are executed before
less complex one when all tests are run on_demand, improving the odds
that lower level tests are implicitly executed as part of higher level
tests and therefore reducing the amount of time spent running redundant
tests.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Mon, 8 Dec 2025 17:44:56 +0000 (12:44 -0500)]
Relax PBKDF2 iteration check for FIPS self-test
FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these
tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal
security threshold and would otherwise fail.
This change checks if a PBKDF2 self-test is in progress and, if so, lowers the
minimum accepted iteration count to 2. This allows the required self-tests to
pass while maintaining the security check for normal operations.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 19:06:57 +0000 (14:06 -0500)]
Refactor FIPS self-test dependencies and states
Introduce `SELF_TEST_STATE_IMPLICIT` to handle recursive self-test calls
when an algorithm is used by another algorithm's self-test (e.g., KDF
using HMAC). This prevents unnecessarily running tests when they are
effectively covered by a parent test.
Refactor `SELF_TEST_kats` and `SELF_TEST_kats_execute` to unify
execution logic, dependency resolution, and RNG setup. Remove the
`deferred` flag from test definitions in favor of dynamic state
evaluation. Explicitly add a dependency for AES-128-ECB on AES-256-GCM.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 16:04:13 +0000 (11:04 -0500)]
Add an ID to the self test structure
Add a self test id to the self test definition structure. This is used as a
sanity check to ensure that a test's enum ID matches its index in the
`st_all_tests` array.
This helps prevent programming errors when adding, removing, or reordering
tests in the future, improving the robustness of the self-test mechanism.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 9 Dec 2025 19:29:43 +0000 (14:29 -0500)]
Refactor FIPS integrity check to use KAT framework
The FIPS module integrity check (HMAC-SHA256) is refactored to use the
generic Known Answer Test (KAT) framework instead of a standalone
function.
- Remove `integrity_self_test` and use `ST_ID_MAC_HMAC` with
`SELF_TEST_kats_single`.
- Add `self_test_mac` to `self_test_kats.c` to support MAC tests.
- Move HMAC test data to `self_test_data.c`.
- Rename the self-test type from "KAT_Integrity" to "KAT_Mac".
- Ensure on-demand tests reset state so they can be repeated.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 25 Nov 2025 22:16:50 +0000 (17:16 -0500)]
Switch FIPS self tests to deferred execution
Update the FIPS module to run self-tests on demand (deferred) rather
than on module load. Change the test definitions in self_test_data.c
from SELF_TEST_ONLOAD to SELF_TEST_DEFERRED.
Add calls to ossl_deferred_self_test() in the newctx functions for
ciphers, digests, signatures, KDFs, KEMs and DRBGs to trigger execution
upon first instantiation. Introduce CIPHER_PROV_CHECK and
DIGEST_PROV_CHECK macros in common headers to facilitate these checks.
Define dependencies for composite tests to ensure prerequisite tests
run when needed.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Mon, 8 Dec 2025 19:06:17 +0000 (14:06 -0500)]
Move deferred self-test lock to FIPS_GLOBAL
The lock for the deferred FIPS self-tests was previously a static
global variable, initialized with CRYPTO_ONCE. This is problematic
when multiple library contexts are used in a single application.
This change moves the lock into the FIPS_GLOBAL structure, making it
per-library-context. The lock is now initialized when the FIPS
provider is initialized and freed when its context is torn down.
This improves encapsulation and avoids global state.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Fri, 5 Dec 2025 04:14:47 +0000 (23:14 -0500)]
Add dependency handling for FIPS self-tests
Some FIPS Known Answer Tests (KATs) rely on other cryptographic algorithms
that also have their own KATs. This change introduces a formal mechanism to
ensure these dependencies are met before a test is run.
A `depends_on` field is added to the self-test definition to declare
prerequisites. A new recursive function, `FIPS_kat_deferred_execute`,
traverses this dependency chain, executing any required tests first.
This new logic also prevents tests from being run multiple times if they are a
dependency for several other tests. The `FIPS_kat_deferred` function is
updated to use this new dependency-aware execution function.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 2 Dec 2025 18:24:41 +0000 (13:24 -0500)]
Refactor FIPS self-tests to use ID-based lookup
Consolidate separate self-test data arrays into a single `st_all_tests`
array indexed by a new `self_test_id_t` enumeration.
This replaces string-based algorithm lookups with direct array indexing
for running self-tests, simplifying the code and state management. The
`FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed,
and the FIPS provider and implementations are updated to use the new
ID-based API.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 2 Dec 2025 20:19:52 +0000 (15:19 -0500)]
Initialize DRBG for single FIPS KATs
The SELF_TEST_kats_single() function runs an individual FIPS Known Answer Test
(KAT) on demand. These tests require a deterministic random bit generator
(DRBG) to be properly initialized to function correctly.
This change ensures a dedicated DRBG is set up for the single test run. The
existing private RNG is saved before the test and restored afterward,
isolating the test's random context from the rest of the library.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Thu, 4 Dec 2025 19:07:06 +0000 (14:07 -0500)]
Unify FIPS self-test KAT data structures
Refactor the FIPS self-test Known Answer Test (KAT) data definitions to use a
single, unified structure.
A new generic `ST_DEFINITION` struct is introduced to replace the various
algorithm-specific `ST_KAT_*` structs. This new struct contains fields common
to all tests and uses a union to hold the parameters specific to each test
category (cipher, digest, KEM, etc.).
A helper `ST_BUFFER` struct is also added to combine data pointers and their
lengths, simplifying data handling. This refactoring makes the self-test
framework more consistent, easier to maintain, and more extensible.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 3 Dec 2025 20:04:28 +0000 (15:04 -0500)]
docs: Simplify FIPS deferred test equivalency
This commit refines the design for FIPS deferred self-tests by simplifying how
test equivalencies are handled.
The explicit `also_satisfies` list has been removed from the design. Instead
of manually listing which tests are satisfied by another, the new approach
relies on implicit discovery. When a high-level self-test runs, it records all
the underlying cryptographic algorithms that are invoked during its execution.
Upon successful completion of the high-level test, the tests for all recorded
algorithms are automatically marked as passed. This approach is more direct,
less error-prone, and removes the complex logic associated with the previous
explicit dependency lists.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Tue, 25 Nov 2025 18:19:35 +0000 (13:19 -0500)]
Move FIPS self-test data into a separate .c file
The Known Answer Test (KAT) data, previously in `self_test_data.inc`, is moved
into its own compilation unit, `self_test_data.c`. This separates the large
data definitions from the test execution logic.
This refactoring improves code organization and modularity. A new header,
`self_test_data.h`, is added to declare the data arrays for external linkage.
The shared data structure definitions are moved to `self_test.h` to be
accessible by both the test logic and the data files.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Matt Caswell [Mon, 9 Feb 2026 13:25:58 +0000 (13:25 +0000)]
Add a newdata_ex function which takes params and use it
The keymgmt->newdata function does not accept params. We introduce a
newdata_ex function that does, and we use that instead as a thread local
to pass legacy objects to the default provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:28 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
Matt Caswell [Fri, 6 Feb 2026 14:51:42 +0000 (14:51 +0000)]
Pass low level RSA objects to the default provider
If a low level RSA object has been assigned a custom RSA_METHOD and is
then assigned to an EVP_PKEY object, then we still want the default
provider to use that RSA_METHOD. To ensure this occurs we pass the low
level object across the provider boundary. We can only get away with this
because it is the default provider.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
Theo Buehler [Mon, 2 Feb 2026 22:55:32 +0000 (15:55 -0700)]
Provide ASN1_BIT_STRING_set1()
Mostly work by @botovq with tests adapted to openssl by
@bob-beck
Fixes: https://github.com/openssl/openssl/issues/29185 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 12 20:41:13 2026
(Merged from https://github.com/openssl/openssl/pull/29926)
a wrapper around EVP_MD_fetch/EVP_CIPHER_fetch when engines are not
supported anymore. Let's remove the fallbacks that don't do anything
useful
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Thu Feb 12 18:22:57 2026
(Merged from https://github.com/openssl/openssl/pull/29969)
kovan [Mon, 2 Feb 2026 14:43:14 +0000 (15:43 +0100)]
doc: fix RSA_set_method return value documentation
The documentation incorrectly stated that RSA_set_method() returns
a pointer to the old RSA_METHOD. In fact, it returns int (1 for success).
The SYNOPSIS correctly shows 'int RSA_set_method(...)' but the
RETURN VALUES section was wrong.
Fixes #13884
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 12 15:18:38 2026
(Merged from https://github.com/openssl/openssl/pull/29916)
Igor Ustinov [Fri, 12 Dec 2025 15:26:58 +0000 (16:26 +0100)]
Fix the converters between the old and new BIO_read functions to handle
end-of-file state properly.
Related to openssl/project#1745
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Feb 12 08:34:31 2026
(Merged from https://github.com/openssl/openssl/pull/29290)
Daniel Kubec [Tue, 10 Feb 2026 16:18:07 +0000 (17:18 +0100)]
Fixed formatting and text alignment in CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 11 22:35:08 2026
(Merged from https://github.com/openssl/openssl/pull/29978)
Document that passing NULL to SSL_set_client_CA_list() does not clear
the CA list; instead, the SSL_CTX's setting is used. Also note that
passing an empty stack created with sk_X509_NAME_new_null() clears the
per-connection client CA list, but during the handshake the generic CA
list (set via SSL_CTX_set0_CA_list()) may still be used as a fallback.
Fixes #10795
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 11 20:02:47 2026
(Merged from https://github.com/openssl/openssl/pull/29917)
Update NOTES-VALGRIND.md to document valgrind complaints on reachable
memory blocks
Co-authored-by: Matt Caswell <matt@openssl.org> Co-authored-by: Tomáš Mráz <tm@t8m.info> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 11 19:40:10 2026
(Merged from https://github.com/openssl/openssl/pull/29966)
Bob Beck [Fri, 30 Jan 2026 22:33:45 +0000 (15:33 -0700)]
Remove OPENSSL_atexit();
OSSLINAPPL (OpenSSL Is Not A Public Portability Layer)
I blame @nhorman and @sashan, who made me update the adjacent
documentation, and it was sitting there like an unloved and
ignored chronically ill pet with no hope for any future
quality of life.
Since this really does not need an alternative API or a
deprecation strategy, we can simply remove it. Anyone
who was using this can use libc atexit() if they must.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Wed Feb 11 17:37:33 2026
(Merged from https://github.com/openssl/openssl/pull/29874)
Ensure that all the source files are formatted with the current
.clang-format configuration, to avoid spurious clang-format checker
errors when arbitrary files are touched.
Complements: 1b0f21f0555c "Implementing store support for EVP_SKEY" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Feb 11 07:35:04 2026
(Merged from https://github.com/openssl/openssl/pull/29852)
We're getting a heap buffer overrun in the SRTP KDF.
It's caused by the fact that the fuzzer will occasionally generate salt
parameters that are very small, which passes the
OSSL_PARAM_get_octet_string function, but isn't long enough to be a
valid salt. Because of this, when we actually do the key derivation,
the SRTPKDF function assumes the salt is long enough and blindly
attempts to copy KDF_SRTP_SALT_LEN (14) bytes from the fetched parameter
into a local buffer, resulting in an overrun.
Fix it by checking the parameter length in the ctx_set_params method for
SRTPKDF, and if the octet string value is less than the required amount,
return an error to fail the ctx_set_params call.
While we're at it, based on review suggestions, also check that the
provided key parameter matches the requested cipher's expected key
length
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29938)
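The length checks described in the commit message above, as an added example that is not code from the commit or from OpenSSL. The `octet_param` and `kdf_ctx` types, the function names and the 16-byte cipher key length are assumptions made for illustration; only `KDF_SRTP_SALT_LEN` (14) comes from the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KDF_SRTP_SALT_LEN 14 /* salt size named in the commit message */

/* Hypothetical stand-ins for an octet-string parameter and the KDF context. */
typedef struct {
    const unsigned char *data;
    size_t len;
} octet_param;

typedef struct {
    unsigned char *salt;
    size_t salt_len;
    unsigned char *key;
    size_t key_len;
    size_t cipher_key_len; /* key length the selected cipher expects */
} kdf_ctx;

/* Copy a parameter into a heap buffer sized exactly to the parameter. */
static int store(unsigned char **dst, size_t *dst_len, const octet_param *p)
{
    unsigned char *copy = malloc(p->len != 0 ? p->len : 1);

    if (copy == NULL)
        return 0;
    if (p->len != 0)
        memcpy(copy, p->data, p->len);
    free(*dst);
    *dst = copy;
    *dst_len = p->len;
    return 1;
}

/* Before: anything that parses as an octet string is accepted. */
static int set_params_unchecked(kdf_ctx *ctx, const octet_param *key,
                                const octet_param *salt)
{
    return store(&ctx->key, &ctx->key_len, key)
        && store(&ctx->salt, &ctx->salt_len, salt);
}

/* After: reject a short salt or a key that does not fit the cipher. */
static int set_params_checked(kdf_ctx *ctx, const octet_param *key,
                              const octet_param *salt)
{
    if (salt->len < KDF_SRTP_SALT_LEN)
        return 0;
    if (key->len != ctx->cipher_key_len)
        return 0;
    return set_params_unchecked(ctx, key, salt);
}

/* Bytes a fixed KDF_SRTP_SALT_LEN copy would read past the stored salt. */
static int salt_overrun(const kdf_ctx *ctx)
{
    return ctx->salt_len < KDF_SRTP_SALT_LEN
        ? (int)(KDF_SRTP_SALT_LEN - ctx->salt_len) : 0;
}

/*
 * Run one case on constructed all-zero inputs. Returns -1 when set_params
 * rejects the input, otherwise the overrun a later fixed-size copy would have.
 */
static int overrun_after_set(size_t salt_len, size_t key_len, int checked)
{
    static const unsigned char zeros[64]; /* constructed sample bytes */
    kdf_ctx ctx = { NULL, 0, NULL, 0, 16 }; /* 16: assumed cipher key size */
    octet_param key = { zeros, key_len };
    octet_param salt = { zeros, salt_len };
    unsigned char local_salt[KDF_SRTP_SALT_LEN];
    int ok, result = -1;

    ok = checked ? set_params_checked(&ctx, &key, &salt)
                 : set_params_unchecked(&ctx, &key, &salt);
    if (ok) {
        result = salt_overrun(&ctx);
        /* The derivation's fixed-size copy, done only when it is in bounds. */
        if (result == 0)
            memcpy(local_salt, ctx.salt, KDF_SRTP_SALT_LEN);
    }
    free(ctx.salt);
    free(ctx.key);
    return result;
}

int main(void)
{
    printf("unchecked, 4-byte salt:  overrun=%d\n", overrun_after_set(4, 16, 0));
    printf("checked,   4-byte salt:  result=%d\n", overrun_after_set(4, 16, 1));
    printf("checked,   14-byte salt: overrun=%d\n", overrun_after_set(14, 16, 1));
    printf("checked,   8-byte key:   result=%d\n", overrun_after_set(14, 8, 1));
    return 0;
}
```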
Document EC_curve_nist2nid and EC_curve_nid2nist functions
Add documentation for EC_curve_nist2nid() and EC_curve_nid2nist()
functions which were previously undocumented. These functions convert
between OpenSSL NIDs and NIST standardized curve names (e.g., "P-256",
"P-384", "P-521" for prime field curves and "B-163", "K-233", etc.
for binary field curves).
The documentation includes:
- Function prototypes in the SYNOPSIS section
- Detailed descriptions explaining the purpose and behavior
- Examples of NIST curve names
- Return value documentation
Fixes #29180
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Mon Feb 9 09:59:04 2026
(Merged from https://github.com/openssl/openssl/pull/29341)
-wholename is mostly alias to -path, and -path is more
portable. E.g. -wholename does not exist on NetBSD.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Feb 9 09:53:10 2026
(Merged from https://github.com/openssl/openssl/pull/29944)
Viktor Dukhovni [Sat, 7 Feb 2026 03:25:09 +0000 (14:25 +1100)]
Fix cross-version compatibility in RFC7919 changes
- Older versions of, e.g., the FIPS provider report the minimum
TLS version of the FFDHE groups as TLS 1.3, but we now need to
support these in TLS 1.2.
- Older OpenSSL runtimes may not be prepared to support the FFDHE groups
in TLS 1.2.
Therefore, instead of changing the default and FIPS providers to
advertise these groups as TLS 1.2 compatible, leave the capabilities
unchanged, and instead adjust the min(d)tls value when processing the
provider's capabilities in the new runtime.
This ensures cross-compatibility with everything except previous master
branch dev snapshots, but that's not a concern.
Fixes: #29958 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Feb 9 08:53:54 2026
(Merged from https://github.com/openssl/openssl/pull/29962)
Neil Horman [Wed, 21 Jan 2026 16:41:37 +0000 (11:41 -0500)]
wrap use of cmp_thunk for STACK_OF up in a macro
Based on suggestion from pauli here:
https://github.com/openssl/openssl/pull/29640#discussion_r2692068679
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:22 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 20:36:37 +0000 (15:36 -0500)]
Add NEWS/CHANGES for new OPENSSL_sk_set_cmp_thunks() api
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:19 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 20:28:37 +0000 (15:28 -0500)]
Add docs for OPENSSL_sk_set_cmp_thunks()
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:16 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Wed, 14 Jan 2026 15:10:21 +0000 (10:10 -0500)]
add a compare thunk function to the STACK of macros
Now that ossl_bsearch is capable of using a thunking function, let's
create a thunking function to use for the STACK_OF macros.
The problem we're addressing is one that gives rise to ubsan issues.
clang-16 forward have a ubsan test that confirms that the target symbol
that we call through a pointer matches the type of the pointer itself.
for instance
    int foo(void *a, void *b)
    {
        ...
    }
    int (*fooptr)(char *ac, int *bc) = foo;
    fooptr(&charval, &intval);
is strictly speaking in C undefined behavior (even though in normal
operation this works as expected). Newer compilers are strict about
this however, as several security frameworks operate with an expectation
that this constraint is met.
See https://github.com/openssl/openssl/issues/22896#issuecomment-1837266357
for details.
So we need to create a thunking function. The sole purpose of this
thunking function is to accept the "real" comparison function for the
STACK_OF macros, along with the two items to compare of the type that
they are passed as from the calling function, and do the convervsion of
both the comparison function and the data pointers to the types that the
real comparison function expects
So we:
1) Modify the DEFINE_STACK_OF macros to create this thunking function
2) Add an OPENSSL_sk_set_cmp_thunks api to set the comparison function
3) modify the requisite places in the stack code to use the thunking
function when available
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:14 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
Neil Horman [Tue, 13 Jan 2026 21:25:21 +0000 (16:25 -0500)]
add cmp_thunk function to ossl_bsearch
Add the initial groundwork to allow for the use of a thunking function
with bsearch. Normally our comparison function signature doesn't match
the type of the pointer we call it through, leading to ubsan errors,
this lets those signatures match and gives us a place to do the proper
casting
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:11 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
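The thunk approach described in the two commits above, reduced to a stand-alone C sketch. It is an added example, not OpenSSL's code: ITEM, item_cmp_thunk, bsearch_thunk and find_index are hypothetical names, and the data is constructed.

```c
#include <stddef.h>

/* Hypothetical names throughout; not OpenSSL's stack or bsearch code. */
typedef int (*generic_cmp)(const void *, const void *);
typedef int (*cmp_thunk)(generic_cmp real, const void *a, const void *b);
typedef struct { int id; } ITEM;
typedef int (*item_cmp_fn)(const ITEM *const *, const ITEM *const *);

static int item_cmp(const ITEM *const *a, const ITEM *const *b)
{
    return ((*a)->id > (*b)->id) - ((*a)->id < (*b)->id);
}

/* Thunk: converts the stored pointer back to its real type, then calls. */
static int item_cmp_thunk(generic_cmp real, const void *a, const void *b)
{
    return ((item_cmp_fn)real)((const ITEM *const *)a, (const ITEM *const *)b);
}

/* Every comparison goes through the thunk when one is set; cmp(key, elem)
 * is the mismatched-type call the sanitizer reports if cmp is item_cmp. */
static const void *bsearch_thunk(const void *key, const void *base, size_t num,
                                 size_t size, generic_cmp cmp, cmp_thunk thunk)
{
    size_t lo = 0, hi = num;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        const void *elem = (const char *)base + mid * size;
        int c = thunk != NULL ? thunk(cmp, key, elem) : cmp(key, elem);
        if (c == 0)
            return elem;
        lo = c > 0 ? mid + 1 : lo;
        hi = c < 0 ? mid : hi;
    }
    return NULL;
}

/* Index of the item with this id in a constructed sorted stack, or -1. */
int find_index(int id)
{
    static const ITEM a = { 1 }, b = { 5 }, c = { 9 };
    static const ITEM *const sorted[] = { &a, &b, &c };
    const ITEM k = { id }, *kp = &k;
    const void *hit = bsearch_thunk(&kp, sorted, 3, sizeof(sorted[0]),
                                    (generic_cmp)item_cmp, item_cmp_thunk);
    return hit == NULL ? -1 : (int)((const ITEM *const *)hit - sorted);
}

int main(void) { return find_index(5) == 1 ? 0 : 1; }
```

Converting a function pointer to another function pointer type and back is defined in C; only the call through the wrong type is not, which is why the cast is confined to the thunk.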
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 7 13:05:48 2026
(Merged from https://github.com/openssl/openssl/pull/29932)
kovan [Thu, 5 Feb 2026 15:41:02 +0000 (16:41 +0100)]
doc: Fix typos and grammar in BIO_s_accept documentation
- Fix "and attempt" to "an attempt"
- Fix "BIO_BIN_NORMAL" typo to "BIO_BIND_NORMAL"
- Add missing B<> formatting around BIO_BIND_NORMAL and BIO_RR_ACCEPT
- Fix "at then end" to "at the end"
- Fix incomplete sentence about BIO_should_io_special()
- Update copyright year
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Fri Feb 6 13:34:18 2026
(Merged from https://github.com/openssl/openssl/pull/29910)
Neil Horman [Mon, 2 Feb 2026 15:33:22 +0000 (10:33 -0500)]
replace curl in our interop testing
Since curl dropped support for using the OpenSSL quic stack, we have no
use for it anymore in our interop testing. Replace it with our own
http3 demonstration client.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
Neil Horman [Mon, 2 Feb 2026 15:24:56 +0000 (10:24 -0500)]
Update ossl-http3-demo to support multiple requests
In order to use our http3 demo to do interop testing, said demo needs to
be able to handle multiple requests and responses written to specific
output files.
Add that code here, allowing us to specify optionally a list of requests
on the command line to send to the server, as well as a download
directory, so that requests made get written locally to the same name as
the request in the specified download directory.
While we're at it, also clean up the code infrastructure to use SSL_poll
to do read-ready checking, rather than iterating/mutating the internal
hash table, which is questionable to do (i.e. we shouldn't be removing
elements from the hash table while iterating over it).
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 6 12:46:24 2026
(Merged from https://github.com/openssl/openssl/pull/29922)
slontis [Wed, 4 Feb 2026 22:35:43 +0000 (09:35 +1100)]
AES-WRAP fixes.
Partially fixes issue in Discussion 22861
AES-WRAP pad is documented as only working for non streaming cases.
It did not however enforce this, so a user could potentially
wrap something incorrectly without an error and then not be able to
unwrap it without an error. The code now checks that update is only
called once.
An internal function returned an int which could be negative for bad
input values, and the return value was assigned to a size_t which
ignored the error condition.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
slontis [Wed, 4 Feb 2026 22:28:34 +0000 (09:28 +1100)]
BIO_f_cipher(): Increase internal buffer size used by CipherUpdate()
Previously running the commandline "openssl enc -id-aes256-wrap-pad ..."
with a large PQ private key failed since AES-WRAP is not streamable,
and multiple calls to CipherUpdate() are not allowed. Increasing the
size causes CipherUpdate() to only be called once.
The size of the buffer has been changed from 4K to 8K.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29940)
Ethan [Tue, 3 Feb 2026 14:10:45 +0000 (09:10 -0500)]
doc: changed data_size value for OSSL_PARAM_octet_string() in EVP_SIGNATURE-SLH-DSA.pod
CLA: trivial
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29933)
Bob Beck [Thu, 22 Jan 2026 19:22:34 +0000 (12:22 -0700)]
Make OPENSSL_cleanup() G A
(Your choice of G and A words)
This installs a global destructor if we have destructor support.
The global destructor does nothing and immediately returns under
normal operation. If a global flag indicating that global cleanup
is wanted is set, it does what OPENSSL_cleanup() used to do.
OPENSSL_cleanup() is then modified to set the global flag indicating
that global cleanup is wanted. At this point if we have destructor
support, it immediately returns. If we do not have destructor support,
it manually calls the destructor function (meaning without destructor
support it does exactly what it used to do).
This ensures that if we have destructor support, the actions of an
OPENSSL_cleanup() requested by an application will only happen
after any subordinate library destructors which could call into
OpenSSL functions have already run.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 19:19:17 2026
(Merged from https://github.com/openssl/openssl/pull/29721)
Neil Horman [Wed, 28 Jan 2026 20:25:20 +0000 (15:25 -0500)]
Don't setup a default context while tearing down private contexts
In providers/applications that create custom libctx'es via
OSSL_LIB_CTX_new, it's possible, if the default provider has never been
initialized during the lifetime of the linked libcrypto, that we
actually wind up creating the default libctx when we free the
aforementioned custom libctx via, as an example:
While this isn't catastrophic, it's needless, and in some cases has the
potential to leak memory (for instance if a provider is loaded and
unloaded repeatedly in an environment in which the provider is linked to
libcrypto.so while the calling application is statically linked to
libcrypto.a).
It's also fairly easy to clean up, by adding an internal parameter to
gate the creation of the default libctx on the request of the caller, so
do that here.
Fixes openssl/project#1846
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 5 17:08:13 2026
(Merged from https://github.com/openssl/openssl/pull/29830)
Milan Broz [Tue, 20 Jan 2026 15:49:06 +0000 (16:49 +0100)]
Fix const spec in test
This patch fixes several const specifiers and unneeded casts
(visible with non-default const-qual warning).
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:13:46 2026
(Merged from https://github.com/openssl/openssl/pull/29800)
Viktor Dukhovni [Tue, 16 Dec 2025 16:48:06 +0000 (03:48 +1100)]
Advertise FFDHE groups also with TLS 1.2-only
When the TLS max version is TLS 1.2, include supported RFC7919 FFDHE
groups in the supported_groups extension, provided we support at least
one DHE key exchange ciphersuite.
Also skip the EC point formats extension when the minimum (D)TLS version
is greater than 1.2. That extension is obsolete as of (D)TLS 1.3.
Finally, folded some extant long lines from the previous RFC7919 commits.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:43 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Implement second step of RFC7919 in TLS 1.2 server
Before this commit, the logic for generating a temporary DH key for DHE
cipher suites is the following:
1) If dh_tmp_auto is set (see SSL_set_dh_auto), the SSL server
automatically selects a set of DH parameters (P and G) appropriate
for the security level of the cipher suite. The groups are taken from
IKE (RFC 2409 and RFC 3526).
2) Otherwise, if the user provided a pre-generated set of DH parameters
(SSL_set0_tmp_dh_pkey), those parameters are used.
3) Finally, if neither 1) nor 2) is applicable, a callback function can
be set using SSL_set_tmp_dh_callback, which will be invoked to
generate the temporary DH parameters. From OpenSSL 3.0, this
functionality is deprecated.
4) Using the parameters from steps 1-3, an ephemeral DH key is
generated. The parameters and the public key are sent to the client.
The logic above is updated by inserting an additional step, prior to
step 1:
0) If tls1_shared_group returns any shared known group between the
server and the client, the DH parameters associated with this group
are selected.
This is still compliant with RFC7919, as the server will already have
checked the Supported Groups extension during the ciphersuite selection
process (implemented in the previous commit).
Now, the tests need to be updated: By default, the TLS 1.2 server will
default to RFC7919 groups. To bypass this behavior, the supported groups
on the client side are set to "xorgroup", ensuring that the client does
not advertise any FFDHE group support and the server falls back to the
old logic.
An additional test is also added to ensure that the TLS 1.2 server does
select the right group if the client advertises any of the RFC7919
groups.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
RFC 7919 states:
If a compatible TLS server receives a Supported Groups extension from
a client that includes any FFDHE group (i.e., any codepoint between
256 and 511, inclusive, even if unknown to the server), and if none
of the client-proposed FFDHE groups are known and acceptable to the
server, then the server MUST NOT select an FFDHE cipher suite.
We implement this behavior by adding a new function that checks this
condition as its inverse: only select FFDHE cipher suites if at least
one of the client-proposed FFDHE groups is known and acceptable, or
if the client did _not_ send any FFDHE groups.
Also add a test to verify two possible outcomes:
1) The client proposes FFDHE and non-FFDHE ciphersuites -> the server
will select a non-FFDHE ciphersuite.
2) The client only proposes FFDHE ciphersuites -> the server will end
the connection.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:40 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Update tls1_shared_group to allow filtering for FFDHE and/or ECDHE
groups. This will be used for implementing RFC 7919 groups support in
the TLS 1.2 server. As defined in RFC 7919:
Codepoints in the "Supported Groups Registry" with a high byte of
0x01 (that is, between 256 and 511, inclusive) are set aside for
FFDHE groups
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:38 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
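The RFC 7919 server-side rule from the three commits above as a stand-alone C model (an added example, not OpenSSL's code). select_suite, shared_ffdhe and the outcome names are hypothetical, the group lists are constructed, and the toy server is assumed to prefer a DHE suite whenever one is allowed.

```c
#include <stddef.h>
#include <stdint.h>

enum outcome { PICK_DHE, PICK_NON_FFDHE, END_CONNECTION };

/* Constructed inputs: 256 = ffdhe2048, 257 = ffdhe3072, 29 = x25519;
 * 300 lies in the FFDHE range but is unknown to this toy server. */
static const uint16_t SRV[] = { 256, 257 };
static const uint16_t CLI_KNOWN[] = { 29, 300, 257 };
static const uint16_t CLI_UNKNOWN[] = { 29, 300 };
static const uint16_t CLI_NO_FFDHE[] = { 29 };

/* RFC 7919: high byte 0x01 (256..511 inclusive) is set aside for FFDHE. */
static int is_ffdhe(uint16_t group) { return (group >> 8) == 0x01; }

/* First client FFDHE group the server accepts; 0 if the client proposed
 * FFDHE groups but none matched; -1 if it proposed no FFDHE group. */
static int shared_ffdhe(const uint16_t *cli, size_t ncli,
                        const uint16_t *srv, size_t nsrv)
{
    int seen = 0;
    for (size_t i = 0; i < ncli; i++) {
        if (!is_ffdhe(cli[i]))
            continue;
        seen = 1;
        for (size_t j = 0; j < nsrv; j++)
            if (cli[i] == srv[j])
                return cli[i];
    }
    return seen ? 0 : -1;
}

/* Assumption: the toy server prefers a DHE suite whenever one is allowed. */
static enum outcome select_suite(int cli_dhe, int cli_other,
                                 const uint16_t *cli, size_t ncli)
{
    /* Blocked only when FFDHE was proposed and nothing matched. */
    int ffdhe_ok = shared_ffdhe(cli, ncli, SRV, 2) != 0;

    if (cli_dhe && ffdhe_ok)
        return PICK_DHE;
    return cli_other ? PICK_NON_FFDHE : END_CONNECTION;
}

int main(void)
{
    return !(select_suite(1, 1, CLI_KNOWN, 3) == PICK_DHE
             && select_suite(1, 0, CLI_UNKNOWN, 2) == END_CONNECTION
             && select_suite(1, 0, CLI_NO_FFDHE, 1) == PICK_DHE);
}
```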
Milan Broz [Tue, 20 Jan 2026 13:18:14 +0000 (14:18 +0100)]
Fix const spec in apps
This patch fixes several const specifiers
(visible with non-default const-qual warning).
- Functions like SSL_set_tlsext_host_name take
non-const hostname parameter.
- packet buffer is read in BIO_read, so it
cannot be const
The rest is missing const specifiers where casting
to non-const is not needed.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 4 19:49:15 2026
(Merged from https://github.com/openssl/openssl/pull/29796)