Jakub Zelenka [Wed, 17 Jun 2026 16:04:39 +0000 (18:04 +0200)]
pkcs11-provider: enable tls test
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
MergeDate: Thu Jun 18 18:02:35 2026
(Merged from https://github.com/openssl/openssl/pull/31568)
Jakub Zelenka [Wed, 17 Jun 2026 15:59:40 +0000 (17:59 +0200)]
property: do not overwrite the NULL-provider cache entry on set
ossl_method_store_cache_set inserts two entries per method: one keyed
on (nid, prop_query, prov) and one keyed on (nid, prop_query) with a
NULL provider, used to match "any provider" lookups.
Previously the set path always replaced the NULL-provider entry. When a
second provider cached the same nid, its method became the result for
"any provider" lookups, even though an earlier provider was already
cached. A shared nid could then resolve to the wrong provider: a
certificate's SPKI would decode through that provider's keymgmt and
X509_check_private_key would fail with a key value mismatch.
Only insert the NULL-provider entry when one does not already exist, so
the first provider to cache the nid owns it, matching the order
ossl_method_store_fetch would select.
Assisted-by: Claude:claude-opus-4-8
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
MergeDate: Thu Jun 18 18:02:32 2026
(Merged from https://github.com/openssl/openssl/pull/31568)
Neil Horman [Mon, 15 Jun 2026 18:01:37 +0000 (14:01 -0400)]
fix type casting in ossl_cmp_mock_srv_set1 functions
newer versions of clang trigger ubsan warnings on the following
functions:
ossl_cmp_mock_srv_set1_refCert
ossl_cmp_mock_srv_set1_chainOut
ossl_cmp_mock_srv_set1_certOut
ossl_cmp_mock_srv_set1_newWithNew
ossl_cmp_mock_srv_set1_newWithOld
ossl_cmp_mock_srv_set1_oldWithNew
ossl_cmp_mock_srv_set1_caPubsOut
Due to the fact that the respective function prototypes don't match the
callback function pointer prototypes (the former use concrete structure
types while the latter uses a void pointer).
Fix it by bifurcating setup_cert[s] (the call-in functions) to have
variants that accept the expected type and corresponding callback
signature so that the above functions can be used without thunking.
Fixes openssl/project#1969
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Jun 18 14:03:41 2026
(Merged from https://github.com/openssl/openssl/pull/31526)
4.0.1 CHANGES.md includes the following:
* CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181,
CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, CVE-2026-42764,
CVE-2026-42765, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768,
CVE-2026-42769, CVE-2026-42770, CVE-2026-42771, CVE-2026-45445,
CVE-2026-45446, CVE-2026-45447
* https://github.com/openssl/openssl/pull/30626
"TLSv1.3: Fix server not sending NewSessionTicket after ciphersuite mismatch"
* https://github.com/openssl/openssl/pull/30904
"pkey(1) missing setup for interactive pass prompt"
* https://github.com/openssl/openssl/pull/31058
"Validate that a PSK identity is at least one byte long"
* https://github.com/openssl/openssl/pull/31146
"ktls: Fix invalid memory access on retry with moving write buffer"
* https://github.com/openssl/openssl/pull/31413
"apps/s_client.c: read one byte less to avoid triggerring overflow
protection"
4.0.1 NEWS.md includes the following:
* CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181,
CVE-2026-34182, CVE-2026-34183, CVE-2026-35188, CVE-2026-42764,
CVE-2026-42765, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768,
CVE-2026-42769, CVE-2026-42770, CVE-2026-42771, CVE-2026-45445,
CVE-2026-45446, CVE-2026-45447
* https://github.com/openssl/openssl/pull/30904
"pkey(1) missing setup for interactive pass prompt"
* https://github.com/openssl/openssl/pull/31413
"apps/s_client.c: read one byte less to avoid triggerring overflow
protection"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 13:13:58 2026
(Merged from https://github.com/openssl/openssl/pull/31509)
Matt Caswell [Wed, 17 Jun 2026 10:18:12 +0000 (11:18 +0100)]
Fix intermittent failure in check_pc_flood radix test
check_flood_stats read the path challenge/response counters immediately
after the client's write returned, but the flood is delivered over a
real socket and processed by the connection's assist thread
asynchronously. Spin until the counters reach their expected values,
the same way check_rejected already does, instead of failing on the
first observation.
Assisted-by: Claude:claude-sonnet-4-6 Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 18 13:07:27 2026
(Merged from https://github.com/openssl/openssl/pull/31561)
doc/man3/EVP_PKEY_get_size.pod: add man for the security categories table
Commit 73188a01bd99 "doc: document EVP_PKEY_get_security_category function"
has added security level definitions as a table, that has been implemented
raw via "=begin" POD directives; while the formatting for "html"
and "text" (that is not even generated by the build system)
has been provided, "man" (arguably, the most relevant one)
has been omitted, surprisingly. Rescind that omission by providing
the respective table formatting for man.
Complements: 73188a01bd99 "doc: document EVP_PKEY_get_security_category function"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 12:35:47 2026
(Merged from https://github.com/openssl/openssl/pull/31410)
Jakub Zelenka [Tue, 19 May 2026 17:24:33 +0000 (19:24 +0200)]
Add indirect CRL path validation tests
This covers currently uncovered check_crl_path and check_crl_chain
in x509_vfy.c. The mfail test tests the happy path and all memory
failures in it. In addition 3 error scenarios are tested.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:31:56 2026
(Merged from https://github.com/openssl/openssl/pull/31244)
Abel Tom [Wed, 17 Jun 2026 07:56:46 +0000 (09:56 +0200)]
Enforce RFC 8446 ticket lifetime limit for TLS 1.3 client
Add client-side validation to check if session ticket lifetime
hints exceed 7 days in TLS1.3 connections and cap it to the
maximum value of 7 days (604800 seconds).
Modified `CHANGES.md` with the description of updated change.
Resolves: #30808
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:25:33 2026
(Merged from https://github.com/openssl/openssl/pull/31174)
zhoulu [Sat, 16 May 2026 07:08:34 +0000 (15:08 +0800)]
Further improve the decryption performance of AES-128-CBC on the RISC-V architecture
The decryption performance of AES-128-CBC is improved by 6% to 15%, with the main optimizations as follows:
1. The block processing mode is adjusted to single-block loop + 4-block loop + 8-block loop.
2. The backup of ciphertext using vmv_v_v for XOR operations is replaced with reloading using vle32_v.
3. Key loading and decryption computation are interleaved in a loop.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 18 12:22:19 2026
(Merged from https://github.com/openssl/openssl/pull/31116)
Configurations/50-nonstop.conf: remove 'atexit' from disable maps
Since there is no atexit() handler installation after [1],
the associated configuration option (that was initially introduced
to support the configurations in question [2]) has no effect
and can be removed from NonStop configurations.
[1] https://github.com/openssl/openssl/pull/29385
[2] 99fb31c167e3 "Add atexit configuration option to using atexit() in libcrypto at build-time."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 18 12:20:36 2026
(Merged from https://github.com/openssl/openssl/pull/30767)
Configure, INSTALL.md: make atexit deprecated disablable
As the atexit handler was removed in [1], no-atexit configuration option
has no effect, make that explicit by disallowing enabling atexit, and
update the documentation accordingly.
Old OpenSSL had a FIPS_mode() function. AWS-LC-FIPS and BoringSSL-FIPS
still have the FIPS_mode() API. RHEL-derived systems also still provide
FIPS_mode() as a define in up-to-date OpenSSL. And feedback from
multiple large commercial software vendors is that there is a lot of
code out there that still has FIPS_mode() sprinkled all over the place.
Add `FIPS_mode()` as a convenience define to
`EVP_default_properties_is_fips_enabled(NULL)` which is a short-hand
to check if `fips=yes` property is currently enabled on the default
library context.
It is a hint of intent, but not a proof. If you are looking to
validate whether the default configuration is using a validated module,
many additional checks are needed; please consult the security policy
of the module you are using. We heavily discourage using this macro.
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Jun 18 11:58:15 2026
(Merged from https://github.com/openssl/openssl/pull/30339)
Viktor Dukhovni [Mon, 8 Jun 2026 07:49:14 +0000 (17:49 +1000)]
Clear unused seed when expanded key is chosen
The transient "seedbuf" value should not persist in keys that are
loaded from the "expanded" form when "prefer_seed = no".
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:39 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Viktor Dukhovni [Sun, 24 May 2026 13:12:21 +0000 (23:12 +1000)]
LMS, DH: harden empty fromdata
EVP_PKEY_fromdata for the LMS keymgmt accepted an OSSL_PARAM[] that
omits OSSL_PKEY_PARAM_PUB_KEY, returning success with an LMS_KEY
whose lms_params and ots_params remain NULL. Without even basic
algorithm parameters (derived from the key content) the key is
malformed.
EVP_PKEY_fromdata for DH/DHX accepts an empty array and yields a
DH with NULL params.p / params.g. Several DH check entry points
(DH_check, DH_check_params, DH_check_pub_key) then read
dh->params.p / .g via BN_num_bits or BN_is_odd before any NULL
check. Add defensive guards at the top of each that report
failure via *ret without dereferencing NULL; the existing
return-1-with-flags contract is preserved.
A new test_fromdata in endecode_test drives every supported
keymgmt with an empty OSSL_PARAM[] for both EVP_PKEY_PUBLIC_KEY
and EVP_PKEY_KEYPAIR selections, and tests that any returned key
is sufficiently well behaved.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Viktor Dukhovni [Wed, 20 May 2026 12:59:19 +0000 (22:59 +1000)]
Fix EVP_PKEY_dup() for ML-KEM keys
ossl_ml_kem_key_dup() left the (PUB|PRIV) selection case
unhandled, so EVP_PKEY_dup() silently returned NULL for
ML-KEM-512/768/1024. add_storage() also zeroed the duplicated
rho_pkhash, leaving the dup unequal to the original.
Add a parameterised dup sweep to test/endecode_test.c covering
every supported public-key algorithm in three shapes: full
keypair, public-only, and embryonic (parameters-only).
While here, stop endecode_test from silently passing when key
generation fails: setup_tests() now returns its accumulated
status, MAKE_*KEYS no longer short-circuits, and each
ADD_TEST_SUITE is now conditional on keygen success. Guard the
explicit-EC-curve tests with OPENSSL_NO_EC_EXPLICIT_CURVES.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 18 08:02:28 2026
(Merged from https://github.com/openssl/openssl/pull/31252)
Currently only amd64 is supported. It's useful
to test regressions of .rodata sections in
perlasm files.
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Wed Jun 17 16:27:10 2026
(Merged from https://github.com/openssl/openssl/pull/28735)
Mounir IDRASSI [Thu, 11 Jun 2026 15:17:10 +0000 (00:17 +0900)]
Fix s_client Sieve STARTTLS response parsing
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Jun 17 16:22:20 2026
(Merged from https://github.com/openssl/openssl/pull/31468)
Neil Horman [Mon, 15 Jun 2026 14:04:16 +0000 (10:04 -0400)]
restore "oldest wins" behavior in method store
We expressly define EVP_*fetch apis as not guaranteeing which provider
and algorithm is sourced from. However, it's likely that some users have
some inadvertent reliance on getting the same provider for a non
provider specific (and non property specific) fetch. While that's
generally bad practice (since we don't guarantee it), it's particularly
hard to provide that behavior in the new cache infrastructure, so let's
save everyone some trouble by not changing that behavior needlessly.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:43 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
Neil Horman [Fri, 12 Jun 2026 16:59:42 +0000 (12:59 -0400)]
make ossl_method_store use cmp_exch_ptr when cleaning archive
from the conversation here:
https://github.com/openssl/openssl/pull/31018#discussion_r3386832056
@mattcaswell noted that while cleaning QUERY items and moving them to
the archive list, we do an atomic load of a QUERY's next pointer to
another shared query's next pointer. While it's not been observed, it
may be possible for the clean operation to move an element to the
archive while a concurrent thread is prepending to the list, the result
being that the active (cache_list) list has a head pointer whose next
pointer points into the archive list.
The result of this would be subsequent lookups fail to find anything not
archived in the cache, and need to go through the slow
ossl_method_construct path again to slowly rebuild the cache. That's not
catastrophic, but it's definitely a bug that will result in additional
memory allocations, along with entries that never get used again, and
possible memory leaks.
Switch the load_ptr call to be an atomic cmp_exch_ptr call to ensure
that the node being visited isn't mutated concurrently by both a thread
doing a clean and a list insert. This ensures that only one thread wins
the update, while the other restarts their operation.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:41 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
Neil Horman [Fri, 12 Jun 2026 15:24:08 +0000 (11:24 -0400)]
convert ossl method store cache to do full prop_query comparison
As noted in this conversation:
https://github.com/openssl/openssl/pull/31018#discussion_r3386478127
While unlikely, it is possible that a single provider may provide an
algorithm for the same <name,operation_id,provider> tuple, differing
only by property query string. If, somehow the property strings for
those two algorithms hash to the same value, the property cache may
return the wrong algorithm.
This was mitigated prior to the introduction of the atomic link list
implementation by having the internal hash table do a collision check,
in which the full property string (along with the nid and provider
pointer) were compared byte-for-byte.
Fix this by re-introducing the same comparison. We already do a
comparison check on the exact nid value and provider pointer, so we now
store the property query for each QUERY and compare it to the query
string requested using strcmp.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 14:38:39 2026
(Merged from https://github.com/openssl/openssl/pull/31487)
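The three method-store commits above describe two cache invariants: a lookup matches on the exact nid, provider pointer and the full property query string (strcmp, not a hash), and the NULL-provider "any provider" entry belongs to the first provider that cached the nid (oldest wins). The following C model is an added illustration written for this page, not OpenSSL's ossl_method_store code; CACHE_ENTRY, METHOD_CACHE, cache_set, cache_get and the scenario values are invented here.

```c
#include <stdlib.h>
#include <string.h>

/* Modelled cache entry (not OpenSSL's): a lookup matches only on the exact
 * nid, the exact provider pointer and the full property query string, which
 * is compared with strcmp() rather than by hash, so two entries differing
 * only in their property query can never collide. */
typedef struct cache_entry_st {
    int nid;
    const char *prop_query;      /* "" for a fetch with no property query */
    const void *prov;            /* NULL marks the "any provider" entry */
    const void *method;
    struct cache_entry_st *next;
} CACHE_ENTRY;

typedef struct { CACHE_ENTRY *head; } METHOD_CACHE;

static CACHE_ENTRY *cache_find(const METHOD_CACHE *c, int nid,
                               const char *pq, const void *prov)
{
    CACHE_ENTRY *e;

    for (e = c->head; e != NULL; e = e->next)
        if (e->nid == nid && e->prov == prov && strcmp(e->prop_query, pq) == 0)
            return e;
    return NULL;
}

/* Prepend an entry; prop_query is referenced, not copied, in this model. */
static int cache_insert(METHOD_CACHE *c, int nid, const char *pq,
                        const void *prov, const void *method)
{
    CACHE_ENTRY *e = malloc(sizeof(*e));

    if (e == NULL)
        return 0;
    e->nid = nid;
    e->prop_query = pq;
    e->prov = prov;
    e->method = method;
    e->next = c->head;
    c->head = e;
    return 1;
}

/* Model of the fixed set path: the provider-specific entry keyed on
 * (nid, prop_query, prov) is always recorded, but the NULL-provider entry
 * keyed on (nid, prop_query) is created only when none exists, so the first
 * provider to cache a nid owns the "any provider" result (oldest wins).
 * The pre-fix behaviour replaced the NULL-provider entry on every set. */
static int cache_set(METHOD_CACHE *c, int nid, const char *pq,
                     const void *prov, const void *method)
{
    CACHE_ENTRY *e = cache_find(c, nid, pq, prov);

    if (e != NULL)
        e->method = method;
    else if (!cache_insert(c, nid, pq, prov, method))
        return 0;
    if (cache_find(c, nid, pq, NULL) == NULL)
        return cache_insert(c, nid, pq, NULL, method);
    return 1;
}

static const void *cache_get(const METHOD_CACHE *c, int nid,
                             const char *pq, const void *prov)
{
    const CACHE_ENTRY *e = cache_find(c, nid, pq, prov);

    return e == NULL ? NULL : e->method;
}

static void cache_free(METHOD_CACHE *c)
{
    while (c->head != NULL) {
        CACHE_ENTRY *n = c->head->next;

        free(c->head);
        c->head = n;
    }
}

/* Constructed scenario: providers A and B both cache nid 1, then A also
 * caches a "fips=yes" variant. Returns 1 if every lookup is as expected. */
static int first_provider_owns_any_lookup(void)
{
    METHOD_CACHE c = { NULL };
    static int prov_a, prov_b, meth_a, meth_b, meth_a_fips;
    int ok;

    ok = cache_set(&c, 1, "", &prov_a, &meth_a)
        && cache_set(&c, 1, "", &prov_b, &meth_b)
        && cache_set(&c, 1, "fips=yes", &prov_a, &meth_a_fips)
        && cache_get(&c, 1, "", NULL) == &meth_a        /* A still owns it */
        && cache_get(&c, 1, "", &prov_b) == &meth_b      /* B's own entry */
        && cache_get(&c, 1, "fips=yes", &prov_a) == &meth_a_fips
        && cache_get(&c, 1, "fips=yes", NULL) == &meth_a_fips;
    cache_free(&c);
    return ok;
}
```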
get_crl_score() is used when selecting a complete/base CRL. Its delta CRL rejection was chained after the extended CRL and IDP reason handling, so it could be skipped when extended CRL support was disabled, or when an IDP onlySomeReasons branch was taken.
As a result, a CRL with a Delta CRL Indicator could be scored as a complete/base CRL candidate. Since a delta CRL contains only changes relative to a base CRL, this could cause a previously revoked certificate to be accepted as valid when only the delta CRL is presented to the verifier.
Reject CRLs with base_crl_number unconditionally in get_crl_score() before IDP reason filtering. Delta CRLs are still considered by get_delta_sk() after a complete CRL is selected and check_delta_base() confirms compatibility.
Add verify recipe coverage for a delta CRL being rejected as a complete CRL, and for a delta CRL with IssuingDistributionPoint.onlySomeReasons being rejected under -extended_crl.
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 17 08:53:02 2026
(Merged from https://github.com/openssl/openssl/pull/31044)
Jakub Zelenka [Mon, 15 Jun 2026 16:29:43 +0000 (18:29 +0200)]
pkcs11-provider: update to latest version
This fixes accidental version update in e2bd9f8c28 which is causing CI
failure for pkcs11-provider tests.
It needs to add xxd package that is used in the new hkdf test.
Fixes: e2bd9f8c28c0 "ml_kem: return an error on catastrophic failure in decap"
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Mon Jun 15 20:23:25 2026
(Merged from https://github.com/openssl/openssl/pull/31522)
Andrew Dinh [Tue, 9 Jun 2026 10:59:25 +0000 (17:59 +0700)]
Use %zu for printing size_t values
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Mon Jun 15 19:24:43 2026
(Merged from https://github.com/openssl/openssl/pull/31454)
Bob Beck [Tue, 9 Jun 2026 21:18:56 +0000 (15:18 -0600)]
Fix BIO_write on file BIOs to report partial writes.
This makes it have the same behaviour as it does on all other
BIOs.
Due to a longstanding workaround that should no longer be needed
a partial write of the data (before a write error or end of file)
was reported as no data being written out.
Fixes: https://github.com/openssl/openssl/issues/31355
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 14:42:25 2026
(Merged from https://github.com/openssl/openssl/pull/31434)
Port script_2 from test/quic_multistream.c to test/radix/quic_tests.c
The multistream tests use so-called t-server to test QUIC connection
and stream functionality. With introduction of QUIC SSL listener
object and QUIC TLS server method, using t-server is no longer
necessary (and welcomed). All multistream tests should be
ported to QUIC radix test infrastructure.
Co-authored-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Mon Jun 15 14:38:19 2026
(Merged from https://github.com/openssl/openssl/pull/30935)
Daniel Kubec [Fri, 29 May 2026 14:08:11 +0000 (16:08 +0200)]
DOC: document ticket suppression for SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF
Complements: e5a1892 "TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set."
Co-authored-by: Andrew Dinh <andrewd@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 14:13:25 2026
(Merged from https://github.com/openssl/openssl/pull/31335)
Jakub Zelenka [Tue, 9 Jun 2026 19:07:39 +0000 (21:07 +0200)]
ml_kem: return an error on catastrophic failure in decap
ML-KEM decapsulation applies implicit rejection by copying the failure
key into the shared secret when the FO re-encryption check fails. This
is correct for a syntactically valid but incorrect ciphertext, and must
stay constant-time and ciphertext-dependent.
However, the same path was also taken when hash_kr() or encrypt_cpa()
failed outright, for example on a memory allocation failure inside
EVP_DigestInit_ex(). In that case decap() copied the failure key and
still returned success, so the caller derived a wrong shared secret with
no error reported. For QUIC this produces a handshake that cannot
converge: the derived keys diverge from the peer, packets fail to
decrypt, and the connection stalls until it times out, with no
diagnostic pointing at the real cause.
These primitive failures are not dependent on the ciphertext, so
reporting them as a hard error does not create a chosen-ciphertext
oracle and does not weaken the constant-time implicit rejection that
happens later via CRYPTO_memcmp() and constant_time_select_8(). Treat
them the same way the existing kdf() failure is already treated, by
raising an error and returning 0.
Also fix the comment, which referred to hash_g() where the code actually
calls hash_kr().
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:58:32 2026
(Merged from https://github.com/openssl/openssl/pull/31432)
Jakub Zelenka [Tue, 2 Jun 2026 18:24:38 +0000 (20:24 +0200)]
test: add pkey -ec_conv_form coverage
Cover the previously untested EC point conversion form path for
uncompressed, compressed and hybrid output, as well as the non-EC key
rejection. Verified by the leading octet of the encoded point in the
SubjectPublicKeyInfo.
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:54:50 2026
(Merged from https://github.com/openssl/openssl/pull/31370)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:53:40 2026
(Merged from https://github.com/openssl/openssl/pull/31192)
Jakub Zelenka [Fri, 15 May 2026 15:22:35 +0000 (17:22 +0200)]
Test s_time with new -testmode option
Adds -testmode to s_time, mirroring the option in openssl speed.
It bypasses the -time window and runs a minimal number of iterations
(1 for new connections, 2 for session reuse).
Adds test_stime covering the new, reuse, and TLSv1.2/TLSv1.3 paths.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 13:53:39 2026
(Merged from https://github.com/openssl/openssl/pull/31192)
Fix use-after-free issue in radix test framework for QUIC.
The test for client_hello and new_pending connection should
be using its own dedicated SSL context. The thing is we should
not be arming (and testing) those callbacks for every listener
the RADIX test framework creates.
This changeset moves the test from test/radix/quic_ops.c
to test/radix/quic_tests.c. The test uses check_ctx_cbks
RADIX script now.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 07:29:02 2026
(Merged from https://github.com/openssl/openssl/pull/31421)
Milan Broz [Sun, 14 Jun 2026 17:04:46 +0000 (19:04 +0200)]
ci: Switch to VS 2026 for windows-2025 image
GitHub no longer supports Visual Studio 2022 on windows-2025
image, switch to VS 2026.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 15 07:23:17 2026
(Merged from https://github.com/openssl/openssl/pull/31497)
Add a Windows-only RIO notifier test that exercises initialization,
signalling, unsignalling, and cleanup without test-only hooks.
The RIO WSA lifecycle fix itself landed via #31339. This keeps the
remaining PR focused on coverage and removes the stale ssl_init.c include
for the deleted WSA cleanup path.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Fri Jun 12 13:54:17 2026
(Merged from https://github.com/openssl/openssl/pull/30918)
curve448: make locally-used functions static and remove unused ones
ossl_c448_ed448_derive_public_key(), ossl_c448_ed448_sign(),
and ossl_c448_ed448_verify() are only called from within the compilation
unit, while ossl_c448_ed448_convert_private_key_to_x448(),
ossl_c448_ed448_sign_prehash() and ossl_c448_ed448_verify_prehash()
are not used anywhere, seemingly. Make the former static (removing
them from the header, removing the ossl_ prefix, and moving
the descriptions to the definitions) and remove the latter.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Jun 12 13:11:48 2026
(Merged from https://github.com/openssl/openssl/pull/31362)
Dmitry Misharov [Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)]
ci: Verify jom/NASM downloads and fall back to upstream on forks
Move the OpenSSL-hosted jom and NASM downloads under the /ci-deps/
path and verify them against SHA256 sums recorded in
.github/ci-deps.json before installing. Forks, which can't reach the
mirror reliably, download from the upstream Qt and NASM locations
instead.
ci: Download jom and NASM from OpenSSL-hosted mirror
Chocolatey-hosted packages for jom and NASM occasionally become
unavailable, causing CI failures on Windows builds. Host these
tools on our own infrastructure to eliminate this external
dependency.
David Foster [Fri, 5 Jun 2026 02:02:44 +0000 (22:02 -0400)]
Add constant-time validation for CRYPTO_memcmp
Add test/crypto_memcmp_test.c which provides functional coverage for
CRYPTO_memcmp under regular builds and constant-time coverage under
enable-ct-validation builds.
The added constant-time coverage checks:
- there are no data dependent branches or memory accesses,
on x86_64 and aarch64 architectures
The added constant-time coverage does NOT check:
- there are no data-dependent variable-time instructions, such as
instructions NOT on the x86 Data Operand Independent Timing list
or NOT on the ARM Data-Independent Timing list
- any architectures beyond x86_64 and aarch64
New CONSTTIME_SECRET annotations live only in the test rather than in
the generic C version of CRYPTO_memcmp so that both the C and
assembler versions of CRYPTO_memcmp are constant-time covered.
CRYPTO_memcmp directly backs CPython's secrets.compare_digest() and
hmac.compare_digest(), so a timing leak in it is high impact, yet it had
essentially no direct test coverage.
References #15076.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 11 16:11:58 2026
(Merged from https://github.com/openssl/openssl/pull/31398)
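The ML-KEM decap commit above and this CRYPTO_memcmp test commit share one theme: a constant-time comparison that visits every byte, a branch-free mask/select for implicit rejection, and a hard error for a failure that does not depend on the ciphertext. The C below is an added model written for this page, not OpenSSL's CRYPTO_memcmp or ML-KEM implementation; ct_memcmp, ct_mask8 and model_decap are invented names, and the hashing and PKE re-encryption steps are abstracted into caller-supplied inputs (a NULL re-encrypted ciphertext stands in for hash_kr()/encrypt_cpa() failing).

```c
#include <stdio.h>
#include <string.h>

#define SS_LEN 32

/* Constant-time comparison in the style of CRYPTO_memcmp: returns 0 when the
 * buffers are equal and nonzero otherwise, with no data-dependent branch or
 * memory access (every byte is always visited, nothing returns early). */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];
    return diff;
}

/* Expand a flag into 0x00 (flag == 0) or 0xff (flag != 0) without branching. */
static unsigned char ct_mask8(unsigned int flag)
{
    unsigned int nz = (flag | (0u - flag)) >> 31;   /* 1 iff flag != 0 */

    return (unsigned char)(0u - nz);
}

/*
 * Model of the decision logic in ML-KEM decapsulation (not OpenSSL's code).
 * ct      : received ciphertext
 * ct_re   : ciphertext re-encrypted from the recovered message; NULL models a
 *           primitive failure (e.g. an allocation failure inside a hash step)
 * k_cand  : candidate shared secret derived from the recovered message
 * k_rej   : implicit-rejection key derived from (z, ct)
 * Returns 1 with ss_out filled in, or 0 on a primitive failure.
 */
static int model_decap(const unsigned char *ct, const unsigned char *ct_re,
                       size_t ct_len,
                       const unsigned char k_cand[SS_LEN],
                       const unsigned char k_rej[SS_LEN],
                       unsigned char ss_out[SS_LEN])
{
    unsigned char mask;
    size_t i;

    /* A primitive failure is not ciphertext-dependent, so reporting it is
     * not a chosen-ciphertext oracle. Copying k_rej and returning success
     * here (the pre-fix behaviour) hands the caller a wrong secret with no
     * diagnostic, which in QUIC shows up as a handshake that never converges. */
    if (ct_re == NULL)
        return 0;

    /* FO check: the comparison result must not leak through timing, so the
     * choice between k_cand and k_rej is a masked select, not a branch. */
    mask = ct_mask8((unsigned int)ct_memcmp(ct, ct_re, ct_len));
    for (i = 0; i < SS_LEN; i++)
        ss_out[i] = (unsigned char)((k_rej[i] & mask) | (k_cand[i] & ~mask));
    return 1;
}

int main(void)
{
    /* Constructed inputs: a 4-byte "ciphertext", a corrupted copy, and two
     * distinguishable 32-byte keys; nothing here is real ML-KEM material. */
    static const unsigned char ct[4] = { 1, 2, 3, 4 };
    static const unsigned char ct_bad[4] = { 1, 2, 3, 5 };
    unsigned char k_cand[SS_LEN], k_rej[SS_LEN], ss[SS_LEN];
    int rc;

    memset(k_cand, 0xAA, sizeof(k_cand));
    memset(k_rej, 0x55, sizeof(k_rej));

    rc = model_decap(ct, ct, sizeof(ct), k_cand, k_rej, ss);
    printf("re-encryption matches : rc=%d ss[0]=0x%02x (candidate key)\n", rc, ss[0]);
    rc = model_decap(ct, ct_bad, sizeof(ct), k_cand, k_rej, ss);
    printf("re-encryption differs : rc=%d ss[0]=0x%02x (rejection key)\n", rc, ss[0]);
    rc = model_decap(ct, NULL, sizeof(ct), k_cand, k_rej, ss);
    printf("primitive failure     : rc=%d (hard error, no secret)\n", rc);
    return 0;
}
```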
slontis [Tue, 2 Jun 2026 01:21:54 +0000 (11:21 +1000)]
FIPS: Make keygen PCT failures recoverable
Key generation pairwise consistency tests (PCT) no longer cause the
FIPS provider to enter a non recoverable error state.
Originally I considered that the pairwise tests should never fail, so a
failure was considered as a fatal error. Unfortunately this is not true,
since the RSA pairwise test was changed to call
rsa_ossl_public_encrypt(). This function can return -1 based on the
values of n and e, resulting in a DOS for bad inputs.
Under NIST FIPS 186-5, the public exponent (e) must be an odd positive
integer greater than (e > 65536) and less than 2^256. The OpenSSL code
however returns an error if e > 2^64 when n > 3072.
(This check was added to prevent a CVE DOS).
While FIPS 140-3 mandates that a module must transition into an error
state upon self-test failures, a PCT is classified as a conditional
self-test, not a pre-operational self-test
(like an integrity test or a Known Answer Test).
The cryptographic module is only required to immediately discard the
faulty key pair and output a local error. The module is allowed to
immediately attempt generating a new key pair using fresh entropy,
without needing a full system reboot or module reset.
Detected by Oracle during Jipher testing.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jun 11 16:03:42 2026
(Merged from https://github.com/openssl/openssl/pull/31359)
Jakub Zelenka [Tue, 19 May 2026 17:24:33 +0000 (19:24 +0200)]
Add indirect CRL path validation tests
This covers currently uncovered check_crl_path and check_crl_chain
in x509_vfy.c. The mfail test tests the happy path and all memory
failures in it. In addition 3 error scenarios are tested.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 15:58:37 2026
(Merged from https://github.com/openssl/openssl/pull/31244)
Jakub Zelenka [Fri, 15 May 2026 11:00:38 +0000 (13:00 +0200)]
Add apps test for external PSK callbacks
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 15:52:36 2026
(Merged from https://github.com/openssl/openssl/pull/31190)
Viktor Dukhovni [Mon, 18 May 2026 08:09:44 +0000 (18:09 +1000)]
Apply the buffered IV on the AES-OCB EVP_Cipher() path
aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot,
processed input without flushing the buffered IV into the OCB
context. Effective nonce was 0 regardless of the caller's IV;
EVP_*Final_ex() then emitted a tag depending only on (key, iv).
This gave (key, nonce) reuse and single-query universal forgery on
the EVP_Cipher() path.
Apply update_iv() at the head of aes_ocb_cipher() to mirror the
streaming handler. The matching GCM one-shot does this already.
Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and
ChaCha20-Poly1305 in test/evp_extra_test.c. Each cipher is
exercised with and without AAD; the no-AAD case is needed because
any prior EVP_CipherUpdate(NULL, aad, ...) routes through the
streaming handler and applies the IV itself, masking the bug.
Fixes CVE-2026-45445
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 20:02:00 2026
Norbert Pocs [Tue, 12 May 2026 13:16:04 +0000 (15:16 +0200)]
Match the local q DHX parameter against the peer's q
As FFC/DH peer public key validation uses the peer's q value instead
of checking against the local q, we must also check that these
q values match when setting the peer's public key.
Fixes CVE-2026-42770
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 19:56:27 2026
Bob Beck [Fri, 17 Apr 2026 20:09:52 +0000 (14:09 -0600)]
Use the correct issuer when validating rootCAKeyUpdate
This correctly uses the existing root, and not the same certificate
as the root of the chain to validate.
While we are here, we also turn on self signed certificate signature
checking as this case is actually bringing in trust anchors as
self signed certs, and fix a possible NULL deref.
Fixes CVE-2026-42769
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 19:54:01 2026
Daniel Kubec [Fri, 15 May 2026 23:04:30 +0000 (01:04 +0200)]
Fix NULL Dereference in Certificate Verification with OCSP Checking
When performing OCSP response checking for certificates in the verification
chain, the code always tries to access the next certificate as the issuer.
There is a check for a self-signed certificate. However with the partial
chain verification enabled when the chain does not have a self-signed trusted
anchor, the issuer will be NULL for the last certificate in the chain. A NULL
pointer dereference then happens.
This issue affects only applications which enable both OCSP verification
of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial
chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate
verification. Both flags are disabled by default. For that reason, we have
assigned Low severity to the issue.
Fixes CVE-2026-42765
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 18:55:29 2026
Daniel Kubec [Mon, 18 May 2026 13:01:25 +0000 (15:01 +0200)]
Fix Double-free When Checking OCSP Stapled Response
If OCSP stapling is enabled and the TLS client connects to a malicious server,
a crafted OCSP stapled response can trigger a double free in the TLS client
when the stapled response is checked.
The OCSP stapling is not enabled by default. Reliable code execution
through a double-free is technically complex and highly environment-dependent
but the Denial of Service impact is straightforward to achieve, warranting
Moderate severity.
Fixes CVE-2026-35188
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:44:58 2026
client injects 16 path challenge frames. Those are received
by server. Only one challenge frame of 16 received triggers
path challenge response. Remaining challenge frames are
discarded/ignored.
Test introduces two counters to channel object:
- path_challenge_rx which is bumped for every path challenge
frame received
- path_response_tx which is bumped for every path response
frame transmitted
Successful test verifies server receives 16 path challenge frames,
but sends just one path response frame as response.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:35:21 2026
QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
Currently local QUIC stack allocates PATH_RESPONSE frame for every
PATH_CHALLENGE frame it receives in single packet from its remote peer.
The memory with PATH_RESPONSE frame is released after local QUIC stack
receives an ACK which confirms reception of PATH_RESPONSE by remote peer.
This gives remote peer too much control over memory resources local
QUIC stack may consume.
Quoting RFC 9000 section 9.2.1:
...an endpoint SHOULD NOT send multiple
PATH_CHALLENGE frames in a single packet.
Limiting the number of PATH_CHALLENGE frames to 1 per QUIC packet received
helps to reduce heap memory overhead required to process PATH_CHALLENGE
frame.
Currently QUIC ACKM (ACK-manager) keeps all frames in retransmission
buffer until ACK is received. It can be changed so that frames which
don't need to be ACKed don't need to be kept in the retrans buffer;
those can be released right after transmission.
Fixes CVE-2026-34183
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:35:20 2026
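The two commits above (the test with its path_challenge_rx/path_response_tx counters, and the fix that answers at most one PATH_CHALLENGE per received packet) describe the same behaviour. The following is an added illustration in C, not OpenSSL's QUIC code: the frame, packet and channel types are constructed stand-ins, and the counter names are borrowed from the test description. It shows the per-packet limit and why it bounds what a remote peer can make the local stack allocate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the frame types involved (not OpenSSL's types). */
enum frame_type { FRAME_PADDING, FRAME_PING, FRAME_PATH_CHALLENGE };

struct frame {
    enum frame_type type;
    uint8_t data[8];   /* PATH_CHALLENGE carries 8 opaque bytes (RFC 9000) */
};

/* Constructed channel model with the two counters the test bumps. */
struct channel {
    unsigned path_challenge_rx;  /* every PATH_CHALLENGE frame received */
    unsigned path_response_tx;   /* every PATH_RESPONSE frame queued for TX */
    int      response_pending;   /* a PATH_RESPONSE is waiting to be sent */
    uint8_t  response_data[8];   /* data echoed back in that response */
};

/*
 * Process the frames of one received packet. Every PATH_CHALLENGE is
 * counted, but only the first one in the packet queues a PATH_RESPONSE;
 * the rest are dropped. Without this limit each challenge would allocate
 * a response that lives in the retransmission buffer until it is ACKed,
 * letting the peer drive local heap usage with a single packet.
 * Returns the number of responses queued for this packet (0 or 1).
 */
static size_t process_packet(struct channel *ch, const struct frame *frames,
                             size_t nframes)
{
    size_t responses = 0;
    int answered = 0;
    size_t i;

    for (i = 0; i < nframes; i++) {
        if (frames[i].type != FRAME_PATH_CHALLENGE)
            continue;
        ch->path_challenge_rx++;
        if (answered)
            continue;   /* RFC 9000 9.2.1: SHOULD NOT be more than one per packet */
        answered = 1;
        memcpy(ch->response_data, frames[i].data, sizeof(ch->response_data));
        ch->response_pending = 1;
        ch->path_response_tx++;
        responses++;
    }
    return responses;
}

/* Build a constructed packet holding n PATH_CHALLENGE frames with distinct data. */
static void fill_challenges(struct frame *frames, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        frames[i].type = FRAME_PATH_CHALLENGE;
        memset(frames[i].data, (int)i, sizeof(frames[i].data));
    }
}

int main(void)
{
    struct channel ch;
    struct frame pkt[16];

    memset(&ch, 0, sizeof(ch));
    fill_challenges(pkt, 16);
    process_packet(&ch, pkt, 16);   /* rx == 16, tx == 1 */
    return ch.path_challenge_rx == 16 && ch.path_response_tx == 1 ? 0 : 1;
}
```

The first challenge in the packet is the one echoed; a second packet from the same peer is answered again, so legitimate path validation still works while the per-packet cost stays constant.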
Neil Horman [Tue, 5 May 2026 13:16:29 +0000 (09:16 -0400)]
Add tests for CVE-2026-34182
Test to ensure that for a given CMS message:
1) We do not allow the creation of a CMS message containing
AuthEnvelopedData with a non-AEAD cipher.
2) We do not accept a message containing AuthEnvelopedData with a
non-AEAD cipher specified in the AlgorithmIdentifier.
3) We do not allow tag lengths less than 4 bytes.
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:27:03 2026
1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD
ciphers.
If a forged CMS message with AuthEnvelopedData is received with
a non-AEAD cipher specified, we silently accept that and decrypt
the message, skipping any authentication, which violates RFC 5083.
We also add checks to ensure we fail if we try to encrypt
AuthEnvelopedData without using an AEAD cipher.
2. Ensure that tag lengths on cms AEAD data are the recommended size.
RFC 5084 recommends that mac tags be at least 12 bytes for AES-GCM
and 4 bytes for AES-CCM on AuthEnvelopedData. As this code is not
algorithm-specific we add a check for a minimal size and just use the
lower limit which is sufficient to prevent this attack.
Without this check, it's possible to set the tag length to 1 and within
256 guesses, forge a CMS message.
Fixes CVE-2026-34182
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:27:02 2026
Short mac keys (as short as 1 byte) can be used to probe the
system under attack to accept a PKCS#12 file created by an attacker
even if the attacker doesn't know the password used for MAC protection.
Fixes CVE-2026-34181
(also update the reference to the PBMAC1 PKCS#12 RFC)
Signed-off-by: Alicja Kario <hkario@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:18:59 2026
Nikola Pajkovsky [Thu, 21 May 2026 12:18:11 +0000 (14:18 +0200)]
cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
added EnvelopedData blob with a PasswordRecipientInfo using
id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher. CFB's 1-byte
effective block size let the inlen >= 2 * blocklen guard in
kek_unwrap_key() accept a wrapped key shorter than the seven octets
the check-byte test reads from tmp[1..6]; the encryptedKey OCTET
STRING here is only two bytes.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:06:38 2026
Nikola Pajkovsky [Thu, 21 May 2026 09:53:09 +0000 (11:53 +0200)]
cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
the check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6]
unconditionally, so the decrypted buffer must hold at least seven
octets. The pre-decryption size check enforces inlen >= 2 * blocklen,
which yields the required seven octets only when blocklen >= 4. For
a KEK cipher with a smaller block size, inlen can be as small as
2 * blocklen and the check-byte read overruns the inlen-sized tmp
allocation.
Reject blocklen < 4 in the early sanity check. All block ciphers
appropriate for CMS PasswordRecipientInfo key wrapping have a block
size of at least 8 octets (DES/3DES = 8, AES = 16), so this only
forbids ciphers that would not be valid KEK choices anyway, and the
existing inlen >= 2 * blocklen check then guarantees the seven-octet
lower bound the check-byte test relies on.
Fixes CVE-2026-9076
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:06:36 2026
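To make the bound in the two kek_unwrap_key commits above concrete, here is an added C illustration (not OpenSSL's cms_pwri code): the old size guard beside the fixed one, and the RFC 3211 check-byte comparison that reads tmp[1..6]. Function names are invented for the example; the only facts taken from the page are the inlen >= 2 * blocklen guard, the blocklen < 4 rejection, and the seven-octet read.

```c
#include <stddef.h>

/* The check-byte test reads tmp[1] through tmp[6], so it needs 7 octets. */
#define CHECK_BYTE_OCTETS 7

/* Pre-fix sanity check: only the 2*blocklen floor from the page. With a
 * 1-byte block (AES-128-CFB) a 2-byte wrapped key passes. */
static int kek_unwrap_size_ok_old(size_t inlen, size_t blocklen)
{
    return blocklen != 0 && inlen >= 2 * blocklen;
}

/* Post-fix sanity check: a KEK cipher with blocklen < 4 is rejected up
 * front, so 2*blocklen >= 8 >= 7 and the check-byte read stays in bounds. */
static int kek_unwrap_size_ok_new(size_t inlen, size_t blocklen)
{
    if (blocklen < 4)
        return 0;
    return kek_unwrap_size_ok_old(inlen, blocklen);
}

/* Whether the check-byte reads fit inside an inlen-sized buffer. */
static int check_byte_read_in_bounds(size_t inlen)
{
    return inlen >= CHECK_BYTE_OCTETS;
}

/* RFC 3211 check-byte test on the decrypted buffer: tmp[1..3] must be the
 * bitwise complement of the first three key octets tmp[4..6]. The caller
 * must have ensured inlen >= 7 before calling this. */
static int rfc3211_check_bytes_ok(const unsigned char *tmp)
{
    return tmp[1] == (unsigned char)(tmp[4] ^ 0xFF)
        && tmp[2] == (unsigned char)(tmp[5] ^ 0xFF)
        && tmp[3] == (unsigned char)(tmp[6] ^ 0xFF);
}

/* Full guarded path: size checks first, then the check bytes. */
static int unwrap_plausible(const unsigned char *tmp, size_t inlen, size_t blocklen)
{
    if (!kek_unwrap_size_ok_new(inlen, blocklen))
        return 0;
    if (!check_byte_read_in_bounds(inlen))   /* implied by the guard above */
        return 0;
    return rfc3211_check_bytes_ok(tmp);
}
```

The interesting pair of values is inlen = 2 with blocklen = 1 (the test blob on the page): the old guard accepts it and the check-byte comparison then reads five bytes past the allocation, while the new guard refuses the cipher before any read happens.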
For nchar large enough the result is not representable in int. In
the worst case (nchar == 0x40000000) nchar << 2 wraps to zero,
OPENSSL_malloc(1) is called, and traverse_string() then writes
4*nchar bytes into the one-byte allocation: a heap buffer
overflow. The MBSTRING_UTF8 path computes outlen by summing
per-character byte counts in out_utf8(), and that sum can overflow
the same int under similarly large inputs.
Neither path is reachable from code that processes X.509
certificates through the DIRSTRING_TYPE mask used by
ASN1_STRING_set_by_NID(): UNIVERSALSTRING is absent from that
mask, and the UTF-8 sum requires inputs on the order of half a
gigabyte. Reaching them needs an application that calls
ASN1_mbstring_copy()/ASN1_mbstring_ncopy() directly, or registers
a custom NID via ASN1_STRING_TABLE_add(), with an oversized
attacker-controlled input.
Add range checks before each shift and in out_utf8(), raising
ASN1_R_STRING_TOO_LONG at the point of detection. Move the
existing ASN1_R_INVALID_UTF8STRING raise into out_utf8() too so
the two failure modes report distinct codes; the MBSTRING_UTF8
caller is left with cleanup only and now frees dest on error,
matching the BMP/UNIV branches.
Fixes CVE-2026-7383
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 8 14:02:18 2026
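The range checks the commit above adds before each shift and inside the UTF-8 sum can be shown in isolation. This is an added C example, not OpenSSL's a_mbstr.c: the function names are invented, -1 stands in for raising ASN1_R_STRING_TOO_LONG, and the per-code-point byte count uses the usual 1-to-6-byte UTF-8 ladder as an assumption about what out_utf8() sums.

```c
#include <limits.h>
#include <stddef.h>

/*
 * UNIVERSALSTRING output length: 4 bytes per character. Checking against
 * INT_MAX / 4 before shifting means nchar << 2 can never wrap; without
 * it, nchar == 0x40000000 yields 0 in a 32-bit int and a 1-byte
 * allocation that traverse_string() then overruns.
 * Returns -1 where the real code raises ASN1_R_STRING_TOO_LONG.
 */
static int univ_outlen(int nchar)
{
    if (nchar < 0 || nchar > INT_MAX / 4)
        return -1;
    return nchar << 2;
}

/* BMPSTRING output length: 2 bytes per character, same guard. */
static int bmp_outlen(int nchar)
{
    if (nchar < 0 || nchar > INT_MAX / 2)
        return -1;
    return nchar << 1;
}

/* Bytes needed to UTF-8 encode one code point (assumed 1..6 byte ladder). */
static int utf8_char_len(unsigned long cp)
{
    if (cp < 0x80)       return 1;
    if (cp < 0x800)      return 2;
    if (cp < 0x10000)    return 3;
    if (cp < 0x200000)   return 4;
    if (cp < 0x4000000)  return 5;
    return 6;
}

/*
 * One step of the MBSTRING_UTF8 sum: add this character's length to the
 * running outlen, refusing the addition that would exceed INT_MAX.
 * Returns the new total, or -1 on overflow.
 */
static int utf8_outlen_add(int outlen, unsigned long cp)
{
    int len = utf8_char_len(cp);

    if (outlen < 0 || outlen > INT_MAX - len)
        return -1;
    return outlen + len;
}

/* Whole-string version of the sum over a constructed code point array. */
static int utf8_outlen(const unsigned long *cps, size_t n)
{
    int outlen = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        outlen = utf8_outlen_add(outlen, cps[i]);
        if (outlen < 0)
            return -1;
    }
    return outlen;
}
```

Keeping the overflow check inside the per-character step rather than on the final total is what makes the detection happen "at the point of detection" as the commit puts it: the sum never holds an already-wrapped value.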
CMP: Optionally accept missing or non-matching transactionID or recipNonce values
This is done for error messages received if OSSL_CMP_OPT_NONMATCHED_ERROR_NONCES
is set or the respective -nonmatched_error_nonces CLI option is given.
Can be helpful when the server (or other peer) cannot provide a proper error message header,
for instance if it was unable to parse the ASN.1 encoding of a request message.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 14:56:49 2026
(Merged from https://github.com/openssl/openssl/pull/29043)
Steve Grubb [Tue, 9 Jun 2026 21:35:49 +0000 (17:35 -0400)]
doc: document SSL_set_*_state SSL argument
SSL_set_connect_state() and SSL_set_accept_state() have no return value to
report argument errors, but their documentation did not state the precondition
for the SSL argument. Passing NULL, or a pointer that is not a valid
SSL object, is a programmer error rather than a recoverable API error.
Document that the ssl argument must point to a valid SSL object and
must not be NULL.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Jun 11 09:04:23 2026
(Merged from https://github.com/openssl/openssl/pull/31435)
kovan [Thu, 29 Jan 2026 11:17:38 +0000 (12:17 +0100)]
doc: document deprecated engine configure options
Document that no-engine, no-static-engine, and no-dynamic-engine
configure options are deprecated and do nothing. These options are
retained for backwards compatibility only.
Fixes #27473
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 11 09:02:08 2026
(Merged from https://github.com/openssl/openssl/pull/29839)
Viktor Dukhovni [Mon, 18 May 2026 10:41:54 +0000 (20:41 +1000)]
x509: check inner/outer signatureAlgorithm match in X509_CRL_verify
RFC 5280 section 5.1.1.2 requires the signatureAlgorithm in the outer
CertificateList wrapper to be identical to the signature field inside
the signed TBSCertList. def_crl_verify() did not enforce this, unlike
X509_verify() and X509_ACERT_verify() which both carry an X509_ALGOR_cmp
guard.
Add the same guard to def_crl_verify(). A mismatch raises
X509_R_CRL_SIGNATURE_ALGORITHM_MISMATCH. No known attack results from
the missing check; this is a conformance and hardening fix only.
Add a regression test: a CRL with a valid RSA-SHA256 signature over a
TBSCertList whose inner signatureAlgorithm claims ecdsaWithSHA256 is
now rejected.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 11 08:45:41 2026
(Merged from https://github.com/openssl/openssl/pull/31213)
Neil Horman [Fri, 29 May 2026 13:59:21 +0000 (09:59 -0400)]
convert CRYPTO_THREAD_run_once to use InitOnceExecuteOnce api
Issue #22059 reported a race condition in CRYPTO_THREAD_run_once on
windows platforms. The most correct fix for this is to convert the
windows run_once implementation to use the Win32 InitOnceRunOnce
interface. Doing so requires at least Windows Vista/Windows Server 2008
to be available, and because WinXP hasn't built since 3.0 released, it
seems sensible to bump our minimal NT version to be 0x600 (Vista/2008)
Also, while we're at it, this change caught a bad programming practice
in the rio_notifier code, which attempts to reset the once variable
during shutdown. The windows static initializer macro for this api is
constructed such that attempting to do so causes a build break. Since
once variables are not meant to be reset (since they are only triggered
once), remove that reset code to avoid the breakage.
Note that this problem was independently found and fixed in #30198.
We're taking the fix from this pr (as they are effectively identical),
and using that PR to add some much needed tests to the rio code.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Wed Jun 10 19:44:19 2026
(Merged from https://github.com/openssl/openssl/pull/31339)
Jakub Zelenka [Tue, 2 Jun 2026 15:09:09 +0000 (17:09 +0200)]
build: make enable-asan work for VC targets
Configure assumed GCC/Clang sanitizer spellings, so enable-asan was a
no-op on MSVC. Emit /fsanitize=address instead of -fsanitize=address
on VC targets.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 12:53:11 2026
(Merged from https://github.com/openssl/openssl/pull/31366)
Consistently zeroize public parameters based on OPENSSL_PEDANTIC_ZEROIZATION
Commit fa338aa7cd1e "fips: zeroization of public security parameters (PSPs)"[1]
introduced zeroization of public security params, which then[2] switched
its usage to OPENSSL_PEDANTIC_ZEROIZATION; however, zeroization has been
implemented inconsistently, leaving out public security parameter
updates. Consistently use newly introduced wrappers,
ossl_public_bn_free and ossl_public_param_free, for freeing such
parameters, and use them for FFC and RSA.
Complements: fa338aa7cd1e "fips: zeroization of public security parameters (PSPs)" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Jun 10 12:52:14 2026
(Merged from https://github.com/openssl/openssl/pull/31157)
Bob Beck [Wed, 27 May 2026 14:41:53 +0000 (08:41 -0600)]
Let's attempt to make real documentation for X509_verify_cert
I am doing this because I have need to add information that really does
belong here, and the current stuff is less documentation than more or
less some hand waving about how it works without any details.
So to summarize the changes:
1) This documents the current way that X509_verify_cert goes about
building and verifying a chain, identifying the relevant flags that
can affect how this happens today, and cross references the correct page
to find the rest of the exhaustive list of verification flags and what they do.
2) This documents the verification callback and how it can be used
to affect the verification outcome. This includes warning potential
users of the callback of what returning values from it means,
the common ways to end up unintentionally doing things you did not expect
with the callback, and that it depends upon internals and should not be
relied upon.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:33:13 2026
(Merged from https://github.com/openssl/openssl/pull/31314)