git.ipfire.org Git - thirdparty/openssl.git/log
thirdparty/openssl.git
2 weeks ago  cmp_client_test.c: disable KUR_bad_pkiConf_protection
Dr. David von Oheimb [Wed, 25 Mar 2026 12:21:33 +0000 (13:21 +0100)] 
cmp_client_test.c: disable KUR_bad_pkiConf_protection

This is a workaround for an issue that led to fuzz-checker CI failures;
the preliminary solution is to disable the inessential test case
test_exec_KUR_bad_pkiConf_protection.

References: https://github.com/openssl/openssl/pull/28973
Fixes: 525a4f1efbab "cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 26 15:55:34 2026
(Merged from https://github.com/openssl/openssl/pull/30567)

2 weeks ago  Slight enhancement of commentary for exported configurations
Richard Levitte [Sat, 11 Oct 2025 04:53:18 +0000 (06:53 +0200)] 
Slight enhancement of commentary for exported configurations

There's a misunderstanding regarding the use of .pc and .cmake files
found in the top of the build tree vs in its 'exporters' subdirectory.

Some added commentary, especially in the files being produced, might
help clarify their uses.

Resolves: https://github.com/openssl/openssl/issues/28803

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar 26 15:19:09 2026
(Merged from https://github.com/openssl/openssl/pull/28858)

2 weeks ago  [crypto/ec] optimize fetching affine coordinates when Z is one
Billy Brumley [Sun, 22 Mar 2026 17:07:20 +0000 (13:07 -0400)] 
[crypto/ec] optimize fetching affine coordinates when Z is one

Check the z_is_one flag and early exit if it's set.

This saves an expensive field inversion in some cases,
especially when just loading a key and reading it back.

In fact sometimes it saves two expensive field inversions,
because sometimes the first call is only for retrieving the size.

Fixes #29719

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Mar 26 13:58:10 2026
(Merged from https://github.com/openssl/openssl/pull/30530)

2 weeks ago  Fix MINGW compilation
Milan Broz [Mon, 23 Mar 2026 15:15:06 +0000 (16:15 +0100)] 
Fix MINGW compilation

This patch fixes
  undefined reference to `ossl_BIO_snprintf_msvc'

Define it only if MSVC is used.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Mar 25 14:12:58 2026
(Merged from https://github.com/openssl/openssl/pull/30541)

2 weeks ago  cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print...
Dr. David von Oheimb [Thu, 23 Oct 2025 18:52:53 +0000 (20:52 +0200)] 
cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print diagnostics

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more...
Dr. David von Oheimb [Wed, 22 Oct 2025 15:36:14 +0000 (17:36 +0200)] 
cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new...
Dr. David von Oheimb [Wed, 22 Oct 2025 14:38:37 +0000 (16:38 +0200)] 
CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new.pod and ossl_cmp_msg_check_update.pod

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  crypto/cmp/: generalize info/debug messages and code comments from mentioning 'server...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:48:01 +0000 (15:48 +0200)] 
crypto/cmp/: generalize info/debug messages and code comments from mentioning 'server' to 'sender'

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  apps/cmp.c: minor code refactoring on -no_cache_extracerts, tweak mock server error...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:35:57 +0000 (15:35 +0200)] 
apps/cmp.c: minor code refactoring on -no_cache_extracerts, tweak mock server error message

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  cmp_vfy.c: fix crash on attempting to use invalidated sender cert on producing diagno...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:28:29 +0000 (15:28 +0200)] 
cmp_vfy.c: fix crash on attempting to use invalidated sender cert on producing diagnostic information

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  apps/cmp.c: make sure that CMP mock server respects -ignore_keyusage and -no_cache_ex...
Dr. David von Oheimb [Wed, 22 Oct 2025 12:58:14 +0000 (14:58 +0200)] 
apps/cmp.c: make sure that CMP mock server respects -ignore_keyusage and -no_cache_extracerts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 weeks ago  quic: fix off-by-one in QUIC_MAX_MAX_ACK_DELAY
Abhinav Agarwal [Sun, 22 Mar 2026 17:45:53 +0000 (10:45 -0700)] 
quic: fix off-by-one in QUIC_MAX_MAX_ACK_DELAY

Should be 2^14-1 (16383) per RFC 9000 s. 18.2, not 2^14 (16384).

Fixes: 35dc6c353bfe ("QUIC: Make more transport parameters configurable")
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:55:50 2026
(Merged from https://github.com/openssl/openssl/pull/30531)

2 weeks ago  crypto/idea/i_ofb64.c: mask the num value after negativity check
Eugene Syromiatnikov [Sun, 22 Mar 2026 01:16:27 +0000 (02:16 +0100)] 
crypto/idea/i_ofb64.c: mask the num value after negativity check

Commit 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB
implementations" introduced masking of the user-supplied num value
in several functions, which rendered the existing *num negativity check
introduced in 1634b2df9f12 "enc: fix coverity 1451499, 1451501, 1451506,
1451507, 1351511, 1451514, 1451517, 1451523, 1451526, 1451528, 1451539,
1451441, 1451549, 1451568 & 1451572: improper use of negative value"
ineffectual.  While commit b73a5743253d "crypto/idea/i_cfb64.c:
condition 'n < 0' can never be met after doing 'n = n & 0x07'"
has addressed the issue in crypto/idea/i_cfb64.c:IDEA_cfb64_encrypt(),
this commit addresses the same issue
in crypto/idea/i_ofb64.c:IDEA_ofb64_encrypt() in similar fashion,
by postponing the masking until after the negativity check.

The issue was initially reported by Coverity, ID 1689815.

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689815
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
References: b73a5743253d "crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'"
Co-Authored-by: Alexandr Nedvedicky <sashan@openssl.org>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30528)

2 weeks ago  Simplify ossl_namemap_name2num with ossl_namemap_name2num_n
Norbert Pocs [Fri, 20 Mar 2026 17:43:42 +0000 (18:43 +0100)] 
Simplify ossl_namemap_name2num with ossl_namemap_name2num_n

The two functions do the same; there is no reason to maintain duplicate
code.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 24 17:47:58 2026
(Merged from https://github.com/openssl/openssl/pull/30524)

2 weeks ago  threadstest: Check the return value of two memory allocations
Aditya Patil [Fri, 20 Mar 2026 14:43:10 +0000 (10:43 -0400)] 
threadstest: Check the return value of two memory allocations

Add a NULL check with OPENSSL_assert() before dereferencing the allocated pointer.

Fixes #30017

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:44:44 2026
(Merged from https://github.com/openssl/openssl/pull/30509)

2 weeks ago  conf: guard NULL group in NCONF_get_string() error path
easonysliu [Wed, 18 Mar 2026 08:22:24 +0000 (16:22 +0800)] 
conf: guard NULL group in NCONF_get_string() error path

NCONF_get_string() passes the group parameter directly to
ERR_raise_data() with a %s format specifier.  The CONF API
explicitly allows group to be NULL (meaning "default section"),
and multiple internal callers use this, such as conf_diagnostics()
and CONF_modules_load().

When the lookup fails and the error path is reached, passing NULL
to %s is undefined behavior per the C standard.  On Linux/glibc
it happens to print "(null)", but on platforms like Solaris 10 it
crashes in strlen() inside vsnprintf().

This was exposed after commit #28305 replaced the custom _dopr()
(which had an explicit NULL-to-"<NULL>" guard in fmtstr()) with
the platform's native vsnprintf().

Guard the NULL by using an empty string in the format argument.

Fixes #30402

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:39:02 2026
(Merged from https://github.com/openssl/openssl/pull/30484)
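An added illustration of the guard this commit describes; it is not OpenSSL code. A constructed two-entry configuration table stands in for the CONF store, a NULL group selects the default section as in the CONF API, and the failure diagnostic substitutes "" for a NULL group before the value reaches a %s conversion. The names demo_kv, demo_conf and demo_conf_get are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mini configuration: a NULL section stands for the default
 * section, mirroring the CONF API convention for a NULL group. */
typedef struct {
    const char *section;
    const char *name;
    const char *value;
} demo_kv;

static const demo_kv demo_conf[] = {
    { NULL,           "openssl_conf", "openssl_init"  },
    { "openssl_init", "providers",    "provider_sect" },
};

/* Hypothetical stand-in for NCONF_get_string(): returns the value, or NULL
 * with a diagnostic in errbuf. The group is guarded before it is formatted:
 * handing NULL to %s is undefined behaviour; glibc happens to print "(null)",
 * other libcs (Solaris 10 among them) crash in strlen() under vsnprintf(). */
const char *demo_conf_get(const char *group, const char *name,
                          char *errbuf, size_t errlen)
{
    size_t i;

    for (i = 0; i < sizeof(demo_conf) / sizeof(demo_conf[0]); i++) {
        const char *s = demo_conf[i].section;
        int same_group = (s == NULL && group == NULL)
            || (s != NULL && group != NULL && strcmp(s, group) == 0);

        if (same_group && strcmp(demo_conf[i].name, name) == 0)
            return demo_conf[i].value;
    }
    /* the fix: never pass a NULL pointer for %s */
    snprintf(errbuf, errlen, "no value for %s::%s",
             group == NULL ? "" : group, name);
    return NULL;
}
```

A lookup in the default section that fails therefore reports "no value for ::missing" on every platform instead of depending on what the local vsnprintf() does with a NULL argument.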

2 weeks ago  Fix vpsm4_ex-armv8.pl implementation bug
Liu-ErMeng [Fri, 13 Mar 2026 09:29:28 +0000 (02:29 -0700)] 
Fix vpsm4_ex-armv8.pl implementation bug

Load .Lsbox_magic base once via adrp+add and use plain immediate offsets for q loads,
avoiding potential low-12-bit truncation issues with #:lo12:symbol+offset.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:36:51 2026
(Merged from https://github.com/openssl/openssl/pull/30410)

2 weeks ago  apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()
huanghuihui0904 [Thu, 12 Mar 2026 13:01:30 +0000 (21:01 +0800)] 
apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()

setup_verification_ctx() allocates out_trusted via load_trusted() and passes
it to OSSL_CMP_CTX_set_certConf_cb_arg(). Since the argument is not consumed,
it must be freed on failure. The fix is to free out_trusted if
OSSL_CMP_CTX_set_certConf_cb_arg() fails.

Fixes #30377

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:34:49 2026
(Merged from https://github.com/openssl/openssl/pull/30392)

2 weeks ago  Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect
Peter Zhang [Wed, 11 Mar 2026 22:59:48 +0000 (22:59 +0000)] 
Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect

When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
wrap it in square brackets for the CONNECT request line (e.g.,
CONNECT [::1]:443 HTTP/1.0).  Also handle the case where the server
string already includes brackets (as returned by OSSL_HTTP_parse_url).

Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c")
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:32:06 2026
(Merged from https://github.com/openssl/openssl/pull/30384)
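An added example, not OpenSSL's OSSL_HTTP_proxy_connect(), of the request-line construction this commit fixes: a bare IPv6 literal is wrapped in square brackets, an input that already carries them is passed through, and hostnames and IPv4 literals are left alone. The function name build_connect_line is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Build the CONNECT request line sent to an HTTP proxy for server:port.
 * Without brackets a bare IPv6 literal is ambiguous ("CONNECT ::1:443"
 * cannot be split into host and port), so "::1" becomes "[::1]"; an
 * already bracketed server string (as a URL parser returns it) is kept.
 * Hypothetical helper. Returns 1 on success, 0 if the line does not fit. */
int build_connect_line(char *out, size_t outlen,
                       const char *server, const char *port)
{
    size_t n = strlen(server);
    int bracketed = n >= 2 && server[0] == '[' && server[n - 1] == ']';
    int bare_v6 = !bracketed && strchr(server, ':') != NULL;
    int written;

    if (bracketed && n == 2)          /* "[]" carries no address */
        return 0;
    written = snprintf(out, outlen, "CONNECT %s%s%s:%s HTTP/1.0\r\n",
                       bare_v6 ? "[" : "", server, bare_v6 ? "]" : "", port);
    return written >= 0 && (size_t)written < outlen;
}
```

The colon test is what distinguishes the two address families: a hostname or dotted IPv4 address never contains one, while every IPv6 literal does.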

2 weeks ago  Some more X509 extension add/del polish and fixups
Dr. David von Oheimb [Tue, 10 Mar 2026 17:37:27 +0000 (18:37 +0100)] 
Some more X509 extension add/del polish and fixups

Making better use of X509v3_delete_extension().

This includes two minor bugfixes:
The enc.modified flag was not set on deleting extensions in
X509_REQ and X509_CRL structures.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:29:09 2026
(Merged from https://github.com/openssl/openssl/pull/30350)

2 weeks ago  Add more details to the certification path building documentation
Marcel Merkle [Mon, 9 Mar 2026 09:01:28 +0000 (10:01 +0100)] 
Add more details to the certification path building documentation

Added more details about the certification path building algorithm,
especially about the behavior in case of incomplete chains in the trust
store.

Fixes #29681

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:24:15 2026
(Merged from https://github.com/openssl/openssl/pull/30317)

2 weeks ago  Add IKEV2KDF implementation
Helen Zhang [Fri, 13 Mar 2026 17:25:31 +0000 (17:25 +0000)] 
Add IKEV2KDF implementation

  In compliance with RFC7296 and SP800-135

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:21:21 2026
(Merged from https://github.com/openssl/openssl/pull/30121)

2 weeks ago  cmp_ctx_set_md(): on error, provide name of unsupported algorithm
Dr. David von Oheimb [Mon, 14 Jul 2025 17:51:14 +0000 (19:51 +0200)] 
cmp_ctx_set_md(): on error, provide name of unsupported algorithm

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:58 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 weeks ago  OSSL_CMP_CTX_{set,get}_option(): improve error diagnostics
Dr. David von Oheimb [Wed, 26 Feb 2025 17:49:58 +0000 (18:49 +0100)] 
OSSL_CMP_CTX_{set,get}_option(): improve error diagnostics

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:57 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 weeks ago  OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but...
Dr. David von Oheimb [Fri, 7 Feb 2025 09:50:02 +0000 (10:50 +0100)] 
OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but not oldWithOld

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:56 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 weeks ago  CMP get_genm_itav(): suppress misleading error message on GENP with rejection
Dr. David von Oheimb [Thu, 6 Feb 2025 16:15:28 +0000 (17:15 +0100)] 
CMP get_genm_itav(): suppress misleading error message on GENP with rejection

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:55 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 weeks ago  Fix oids_to_c.pm to not print warnings on Windows.
Milan Broz [Sat, 21 Mar 2026 12:56:35 +0000 (13:56 +0100)] 
Fix oids_to_c.pm to not print warnings on Windows.

oids_to_c.pm with Strawberry Perl often prints these errors:
  Use of uninitialized value in join or string at Strawberry/perl/lib/re.pm line 47.

This is caused by use re 'debugcolor' in the perl module.

As Windows does not have a proper termcap database and colors
also do not work in the cmd shell, let's just use the non-colored
'debug' version.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:04:23 2026
(Merged from https://github.com/openssl/openssl/pull/30521)

2 weeks ago  test: Fix test_rand to check output length (and run silently)
Milan Broz [Sat, 21 Mar 2026 12:50:37 +0000 (13:50 +0100)] 
test: Fix test_rand to check output length (and run silently)

When running tests on Windows, the last test command in test_rand
is mixed with test output.

  perl.exe ..\..\util\wrap.pl ..\..\apps\openssl.exe rand
  -hex 2K => 0[14:11:00] 05-test_rand.t ......

As there is also no actual check for the output length,
fix both problems by adding a simple check for the expected length.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30521)

2 weeks ago  Fixup property test to have enough of a real provider struct
Neil Horman [Tue, 3 Mar 2026 15:04:04 +0000 (10:04 -0500)] 
Fixup property test to have enough of a real provider struct

Now that ossl_method_store_cache_[set|get] query the provider name, we
need to make our property test account for that, by defining the
property query to be identical to what the internal definition is.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:11 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 weeks ago  convert ALGORITHM cache to use internal hashtable
Neil Horman [Tue, 3 Mar 2026 14:49:33 +0000 (09:49 -0500)] 
convert ALGORITHM cache to use internal hashtable

Let's improve our property query lookup performance.

Currently our property query lookup performance could be better.  It
suffers from three major drawbacks:

1) The hashtable itself could be faster.  Our internal hashtable
implementation is generally quicker than our LHASH implementation.

2) The lookup case for a specific provider (i.e. when we do a cache lookup
with prov != NULL) requires some significant iteration over hash buckets
with LHASH, as we iterate over all entries that match the same query
looking for a matching provider pointer.

3) Stochastic flush is... not great.  When we reach cache size limitations
   (currently 512 entries spread over 4 shards), we randomly flush about
   50% of the cache, which requires an iteration over the entire hash
   table.

Let's address all of these:

1) Is pretty straight forward.  Replacing the LHASH hashtable with our
   internal hash table is pretty easy, and lets us take advantage of the
   hash computation caching introduced earlier.

2) With (1) we can do direct lookups of specific provider, by including
   the provider name in the hash key.  Provider agnostic (i.e. provider
   == NULL) lookups are now handled by adding an extra hash entry for
   each nid with the key being _only_ the property query.  Prior entries
   for the same key get evicted, so a lookup for prop_query = X, prov =
   NULL returns the last QUERY that was added for that query string
   against a particular nid.

3) I've never fully understood why we do random early discard of queries
   when we reach capacity.  It seems easier and more efficient to just
   discard a single entry to keep us under our size limits.  Especially
   given that the sharding reduces the likelihood that we need to flush
   in any given shard.  This also prevents us from needing to traverse
   the entire hash table, as we can just discard a single QUERY and
   abort the loop early.

In addition to the above we can also:

1) Migrate the QUERY hashtable from the ALGORITHM struct to the
   STORED_ALGORITHMS struct.  Currently we create a hash table per
   ALGORITHM, and we have potentially hundreds of algorithms.  While
   this makes for really fast lookups, each QUERY cache only having a
   few entries, it's a huge waste of memory; consolidating all of the
   nids to a single sharded STORED_ALGORITHMS struct saves a bunch of
   memory and is still faster than what we have currently.

2) Add an lru-like linked list to QUERY entries.  This serves two
   purposes.  It's not quite lru/lfu, but it allows us to more quickly do
   an in-order traversal of a hash table on every node, and detect when
   a QUERY has been looked up since the last query table update.  By
   detecting this, we can bias ourselves on cull operations toward
   eliminating those entries which have not been referenced frequently.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:09 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 weeks ago  Add extern key buffer setup for hash table
Neil Horman [Tue, 3 Mar 2026 14:45:19 +0000 (09:45 -0500)] 
Add extern key buffer setup for hash table

One thing @npajkovsky noted in our recent discussion about the internal
hash table was that it's unfortunate that keys have to be sized for the
maximal use case in our current hashtable code.

We can avoid that.

Introduce a new init mechanism that allows for keys to be initialized using
an external buffer that can be setup and marshalled independently of the
key itself.  This allows us to only allocate the amount of data needed
for the key, rather than a maximally sized buffer where appropriate and
advantageous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:07 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 weeks ago  Add ability to extract computed hash from hashtable
Neil Horman [Sun, 1 Mar 2026 20:18:30 +0000 (15:18 -0500)] 
Add ability to extract computed hash from hashtable

One thing we can do to speed up hash table lookups is to cache/reuse
computed hash values when interrogating a hash table multiple times in
rapid succession.

We follow this pattern frequently when using hashtables:

    value = lookup_hash(key)
    if (value == NULL)
        value = new_value()
        insert_to_hash(key, value)

Note that we use the same key for the lookup and the insert.  So if we
had a way to preserve the value this key hashed to, we can avoid having
to do a second hash computation during the lookup.

These new macros give us that.  The HT_KEY structure now stores the
computed hash value in the key, which can be extracted and reused by the
caller with the HT_INIT_KEY_CACHED macro.  When set, the cached hash
value is used, rather than needing to recompute the hash for any
subsequent operations.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:05 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
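An added, self-contained example of the pattern this commit message describes; it is not OpenSSL's hashtable and does not use the HT_KEY or HT_INIT_KEY_CACHED API. A minimal chained hash table stores the computed hash inside the key object, so the lookup-then-insert sequence hashes the key once; a counter in the table makes that visible. All names (demo_key, demo_table, demo_get_or_insert and the rest) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_NBUCKETS 64

/* A key that remembers its own hash once computed (hypothetical type). */
typedef struct {
    const char *name;
    uint64_t hash;
    int hash_cached;
} demo_key;

typedef struct demo_entry_st {
    char *name;
    uint64_t hash;
    int value;
    struct demo_entry_st *next;
} demo_entry;

typedef struct {
    demo_entry *buckets[DEMO_NBUCKETS];
    unsigned long hash_computations; /* instrumentation: how often we hashed */
} demo_table;

/* FNV-1a stands in for whatever hash function the real table uses */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 1469598103934665603ULL;

    for (; *s != '\0'; s++) {
        h ^= (uint8_t)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

void demo_key_init(demo_key *k, const char *name)
{
    k->name = name;
    k->hash = 0;
    k->hash_cached = 0;
}

/* Compute the hash at most once per key object; later calls reuse it */
static uint64_t demo_key_hash(demo_table *t, demo_key *k)
{
    if (!k->hash_cached) {
        k->hash = fnv1a64(k->name);
        k->hash_cached = 1;
        t->hash_computations++;
    }
    return k->hash;
}

void demo_table_init(demo_table *t) { memset(t, 0, sizeof(*t)); }

void demo_table_free(demo_table *t)
{
    size_t i;
    for (i = 0; i < DEMO_NBUCKETS; i++) {
        demo_entry *e = t->buckets[i];
        while (e != NULL) {
            demo_entry *next = e->next;
            free(e->name);
            free(e);
            e = next;
        }
        t->buckets[i] = NULL;
    }
}

demo_entry *demo_lookup(demo_table *t, demo_key *k)
{
    uint64_t h = demo_key_hash(t, k);
    demo_entry *e;
    for (e = t->buckets[h % DEMO_NBUCKETS]; e != NULL; e = e->next)
        if (e->hash == h && strcmp(e->name, k->name) == 0)
            return e;
    return NULL;
}

int demo_insert(demo_table *t, demo_key *k, int value)
{
    uint64_t h = demo_key_hash(t, k);   /* cached: no second computation */
    size_t len = strlen(k->name) + 1;
    demo_entry *e = malloc(sizeof(*e));
    if (e == NULL)
        return 0;
    if ((e->name = malloc(len)) == NULL) {
        free(e);
        return 0;
    }
    memcpy(e->name, k->name, len);
    e->hash = h;
    e->value = value;
    e->next = t->buckets[h % DEMO_NBUCKETS];
    t->buckets[h % DEMO_NBUCKETS] = e;
    return 1;
}

/* The lookup-then-insert pattern from the commit message with one key object
 * for both steps. Returns the stored value, or -1 if insertion failed. */
int demo_get_or_insert(demo_table *t, const char *name, int value, int *found)
{
    demo_key k;
    demo_entry *e;
    demo_key_init(&k, name);
    if ((e = demo_lookup(t, &k)) != NULL) {
        *found = 1;
        return e->value;
    }
    *found = 0;
    return demo_insert(t, &k, value) ? value : -1;
}
```

Two calls with the same name cost two hash computations in total (one per key object), where a table that hashes on every operation would have spent three.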

2 weeks ago  Fix DSA sig dupctx pointer aliasing
Viktor Dukhovni [Sun, 22 Mar 2026 11:59:45 +0000 (22:59 +1100)] 
Fix DSA sig dupctx pointer aliasing

Same aliasing issue as with ECDSA in

    https://github.com/openssl/openssl/pull/30479

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 15:45:34 2026
(Merged from https://github.com/openssl/openssl/pull/30529)

2 weeks ago  CHANGES.md: remove duplicating "Added support for RFC 8701 GREASE..." entry
Eugene Syromiatnikov [Thu, 19 Mar 2026 20:49:48 +0000 (21:49 +0100)] 
CHANGES.md: remove duplicating "Added support for RFC 8701 GREASE..." entry

A cleanup after merge conflict resolution in a1420a699d25 "Implement RFC 8701
GREASE for TLS ClientHello".

Fixes: a1420a699d25 "Implement RFC 8701 GREASE for TLS ClientHello".
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Mar 22 01:03:54 2026
(Merged from https://github.com/openssl/openssl/pull/30505)

2 weeks ago  crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls
Deven Dighe [Thu, 19 Mar 2026 13:54:21 +0000 (09:54 -0400)] 
crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls

Explicitly cast dst argument of InterlockedExchange{,64} calls
in CRYPTO_atomic_store{,_int}() to LONG{64,} volatile *, respectively,
to work around incompatible pointer type errors on 64-bit MinGW builds.

Initially reported by Splediferous.

[esyr: massaged the commit message a bit]

CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/30451
Fixes: cc7195da3038 "Make FIPS self test state access atomic"
Fixes: 7e45ac6891ad "Add CRYPTO_atomic_store api"
add cast to LONG volatile * for InterlockedExchange

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:56:36 2026
(Merged from https://github.com/openssl/openssl/pull/30504)

2 weeks ago  doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page
Jakub Jelen [Fri, 20 Mar 2026 16:43:07 +0000 (17:43 +0100)] 
doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page

CLA: trivial
Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun Mar 22 00:29:35 2026
(Merged from https://github.com/openssl/openssl/pull/30515)

2 weeks ago  SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow
slontis [Tue, 17 Mar 2026 23:16:44 +0000 (10:16 +1100)] 
SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow

Reported by Zehua Qiao and me@snkth.com

An encode message buffer M = 00 || CTX_LEN || CTX || MSG was being
allocated followed by memcpy's into the buffer for CTX and MSG.
If len(MSG) was close to size_t the allocated buffer would be
overwritten.

The fix uses WPACKET to perform the message encoding M = 00 || CTX_LEN || CTX || MSG.

Although ML_DSA does a similar operation, SLH-DSA has to buffer the
encoding because the encoded message is processed multiple times for
PRF_MSG and H_MSG. For ML_DSA the encoded message can just be hashed.

Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:15:47 2026
(Merged from https://github.com/openssl/openssl/pull/30477)
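An added example, not OpenSSL's msg_encode() and not the WPACKET-based fix, of the failure mode this commit describes and the length check that prevents it: the buffer for M = 00 || CTX_LEN || CTX || MSG is only allocated after verifying that 2 + len(CTX) + len(MSG) cannot wrap around size_t. The function name demo_encode_m is hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Encode M = 0x00 || len(ctx) || ctx || msg into a new buffer. SLH-DSA
 * must keep M in memory because PRF_msg and H_msg both consume it.
 * Hypothetical helper. Returns 1 and sets *out/*outlen on success, 0 on
 * failure with *out untouched.
 *
 * The overflow check is the point: without it, msglen close to SIZE_MAX
 * makes 2 + ctxlen + msglen wrap to a small number, malloc() of that small
 * size succeeds, and the memcpy() of msg then runs far past the buffer. */
int demo_encode_m(const uint8_t *ctx, size_t ctxlen,
                  const uint8_t *msg, size_t msglen,
                  uint8_t **out, size_t *outlen)
{
    size_t total;
    uint8_t *buf;

    if (ctxlen > 255)                     /* the length field is one byte */
        return 0;
    if (msglen > SIZE_MAX - 2 - ctxlen)   /* total would wrap around */
        return 0;
    total = 2 + ctxlen + msglen;
    if ((buf = malloc(total)) == NULL)
        return 0;
    buf[0] = 0x00;
    buf[1] = (uint8_t)ctxlen;
    if (ctxlen > 0)
        memcpy(buf + 2, ctx, ctxlen);
    if (msglen > 0)
        memcpy(buf + 2 + ctxlen, msg, msglen);
    *out = buf;
    *outlen = total;
    return 1;
}
```

The same reasoning applies to any length-prefixed encoding that is sized with an addition of caller-controlled lengths: check the sum against SIZE_MAX before computing it, not after.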

2 weeks ago  crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'
Alexandr Nedvedicky [Thu, 19 Mar 2026 07:21:24 +0000 (08:21 +0100)] 
crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689816
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:50:41 2026
(Merged from https://github.com/openssl/openssl/pull/30500)

2 weeks ago  ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
huanghuihui0904 [Mon, 16 Mar 2026 07:16:21 +0000 (15:16 +0800)] 
ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()

pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.

Solves https://github.com/openssl/openssl/issues/30442

Fixes #30442

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:11:54 2026
(Merged from https://github.com/openssl/openssl/pull/30443)

2 weeks ago  Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()
Weidong Wang [Tue, 17 Mar 2026 16:21:52 +0000 (11:21 -0500)] 
Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()

In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.

The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.

Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.

Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:23:27 2026
(Merged from https://github.com/openssl/openssl/pull/30463)

2 weeks ago  test: add regression tests for unauthorized OCSP response signers
1seal [Tue, 17 Mar 2026 09:14:32 +0000 (10:14 +0100)] 
test: add regression tests for unauthorized OCSP response signers

Extend test_tlsext_status_type() with a handshake that serves a
leaf-signed stapled OCSP response and verifies the connection fails
when X509_V_FLAG_OCSP_RESP_CHECK is enabled.

Generalize ocsp_server_cb_single() to use configurable signer
cert/key instead of hardcoded paths so the same callback serves
both authorized and unauthorized signer test cases.

Add a test_ocsp() subtest covering the -issuer CLI option with
an untrusted issuer hint.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:29 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 weeks ago  x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths
1seal [Tue, 17 Mar 2026 09:14:21 +0000 (10:14 +0100)] 
x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths

check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.

Similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.

Remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.

Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command"
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 weeks ago  x509: fix bug in timeSpecification printing
Jaeho Nam [Sun, 15 Mar 2026 08:31:49 +0000 (08:31 +0000)] 
x509: fix bug in timeSpecification printing

Fix i2r_OSSL_DAY_TIME() to check dt->second before decoding the
optional seconds field. Add a regression certificate and x509 recipe
coverage for the periodic timeSpecification case with no seconds.

Resolves: https://github.com/openssl/openssl/issues/30424
Fixes: 70b17e5a00da "feat: support the timeSpecification X.509v3 extension"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Mar 20 18:47:04 2026
(Merged from https://github.com/openssl/openssl/pull/30425)

2 weeks ago  Fix ECDSA sig CTX dup "sig" aliasing, error paths
Viktor Dukhovni [Mon, 16 Mar 2026 00:51:45 +0000 (11:51 +1100)] 
Fix ECDSA sig CTX dup "sig" aliasing, error paths

- The context "sig" field ended up shared by both contexts
  after a dup, leading to a later double-free.

Reported by Stanislav Fort and Pavel Kohout of Aisle Research.

- Rare error paths could lead to a memory leak or to use-after-free
  and/or double-free.

Reported by Kenaz Wang.

Fixes: edd3b7a309f8 "Add ECDSA to providers"
Fixes: f68ba38e1890 "Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:15:48 2026
(Merged from https://github.com/openssl/openssl/pull/30479)

2 weeks ago ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check
Daniel Cuthbert [Tue, 17 Mar 2026 18:58:33 +0000 (18:58 +0000)] 
ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check

The bounds check before reading the two-byte extensions length field uses
extsoffset + 1 instead of extsoffset + 2:

    if ((extsoffset + 1) > clearlen) { goto paderr; }
    extslen = clear[extsoffset] * 256 + clear[extsoffset + 1];

When extsoffset == clearlen - 1 the check passes, but the second read
clear[extsoffset + 1] is clear[clearlen], which is one byte beyond
the decrypted plaintext.  The allocation is OPENSSL_malloc(cipherlen)
where cipherlen = clearlen + AEAD_overhead, so the address is valid,
but the byte is uninitialised after OSSL_HPKE_open returns.

Using Valgrind confirmed an uninitialised-value read at this location
via the full server handshake path:

    hpke_decrypt_encch (ech_internal.c)
    ossl_ech_early_decrypt
    tls_process_client_hello
    state_machine
    SSL_do_handshake

The subsequent ch_len > clearlen check (line 1875) acts as a safety net
and prevents the stale byte from being used further, so the practical
impact is a forced decode error rather than memory disclosure.
Nevertheless, the read itself is incorrect and should be fixed.

Fix: change the guard to extsoffset + 2 so that both bytes
of the extensions length field are confirmed to be within the decrypted
buffer before either is read.

This issue was identified through AI-assisted structural analysis
(RAPTOR) using CodeQL database tooling (AST analysis, control flow
verification, dominator tree analysis) against the OpenSSL master
branch.  The off-by-one was confirmed via AST inspection showing
GT(Add(extsoffset, 1), clearlen) instead of the expected
GT(Add(extsoffset, 2), clearlen).

Found by myself @danielcuthbert and validated
by Benjamin Rodes - Microsoft @bdrodes.

CLA: trivial
Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:07:01 2026
(Merged from https://github.com/openssl/openssl/pull/30472)
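
The bounds check described in the commit above, as an added illustration that is not OpenSSL's code: old_guard_allows_read and new_guard_allows_read model the pre-fix and fixed guard, and read_extensions_length performs the fixed check and additionally verifies that the announced extensions body fits in the plaintext, which goes beyond the commit. The names clear, clearlen, extsoffset and extslen follow the commit message; the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Standalone model of the two-byte extensions length read discussed in the
 * commit. "clear" stands for the decrypted inner ClientHello plaintext,
 * "clearlen" for its length and "extsoffset" for the offset of the 16-bit
 * big-endian extensions length field. Not OpenSSL's hpke_decrypt_encch().
 */

/* Pre-fix guard: only proves that clear[extsoffset] is inside the buffer. */
int old_guard_allows_read(size_t extsoffset, size_t clearlen)
{
    return !((extsoffset + 1) > clearlen);
}

/* Fixed guard: proves clear[extsoffset] and clear[extsoffset + 1] are inside. */
int new_guard_allows_read(size_t extsoffset, size_t clearlen)
{
    return !((extsoffset + 2) > clearlen);
}

/*
 * Read the extensions length at extsoffset. Returns 1 on success and 0 on a
 * bounds failure (the commit's "paderr" path). Written without computing
 * extsoffset + 2, so it cannot wrap for very large offsets, and with an extra
 * check (not in the commit) that the body the length announces also fits.
 */
int read_extensions_length(const uint8_t *clear, size_t clearlen,
                           size_t extsoffset, size_t *extslen_out)
{
    size_t extslen;

    if (clear == NULL || extslen_out == NULL)
        return 0;
    /* Same condition as (extsoffset + 2) > clearlen when the sum cannot wrap. */
    if (extsoffset > clearlen || clearlen - extsoffset < 2)
        return 0;
    extslen = (size_t)clear[extsoffset] * 256 + clear[extsoffset + 1];
    /* The announced extensions must lie entirely within the plaintext. */
    if (clearlen - extsoffset - 2 < extslen)
        return 0;
    *extslen_out = extslen;
    return 1;
}
```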

2 weeks ago Fix windows build failure for arm64ec
slontis [Fri, 13 Mar 2026 04:13:40 +0000 (15:13 +1100)] 
Fix windows build failure for arm64ec

The new b64 encoder code uses __m256 which is not currently supported in ARM64EC code,
since it does not natively support x64-specific instruction sets like AVX.
Disable the fast AVX path if arm64EC is used.

Fixes: https://github.com/openssl/openssl/issues/30361
Complements: 3a69b1902892 "Added AVX2 encoding + scalar improvements"

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 17:55:30 2026
(Merged from https://github.com/openssl/openssl/pull/30406)

3 weeks ago Add CTLOG_STORE_add0_log() to add CTLOGs to a store programmatically
Tim Perry [Sun, 15 Mar 2026 16:00:48 +0000 (17:00 +0100)] 
Add CTLOG_STORE_add0_log() to add CTLOGs to a store programmatically

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 19 20:45:34 2026
(Merged from https://github.com/openssl/openssl/pull/30427)

3 weeks ago Remove unused vpaes_ecb_decrypt from ARMv8 vpaes assembly
herbenderbler [Sat, 14 Mar 2026 23:34:03 +0000 (17:34 -0600)] 
Remove unused vpaes_ecb_decrypt from ARMv8 vpaes assembly

vpaes_ecb_decrypt in vpaes-armv8.pl was never referenced.  It also
contained a bug: the single-block path called _vpaes_encrypt_core
instead of _vpaes_decrypt_core.  Delete the dead function.

Resolves: https://github.com/openssl/openssl/issues/30341
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 19 20:36:27 2026
(Merged from https://github.com/openssl/openssl/pull/30423)

3 weeks ago quic: fix NULL pointer dereference in ossl_uint_set_remove()
Abhinav Agarwal [Wed, 18 Mar 2026 16:01:07 +0000 (09:01 -0700)] 
quic: fix NULL pointer dereference in ossl_uint_set_remove()

In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.

Check the allocation result before insertion and return 0 on failure.

Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 19:24:09 2026
(Merged from https://github.com/openssl/openssl/pull/30490)

3 weeks ago Removes unused config_inited value in init.c
Frederik Wedel-Heinen [Sat, 14 Mar 2026 05:43:34 +0000 (06:43 +0100)] 
Removes unused config_inited value in init.c

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 10:44:17 2026
(Merged from https://github.com/openssl/openssl/pull/30420)

3 weeks ago ECH: chunk-size bug fix and non-regression changes
sftcd [Fri, 13 Mar 2026 22:02:29 +0000 (22:02 +0000)] 
ECH: chunk-size bug fix and non-regression changes

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Mar 19 10:35:56 2026
(Merged from https://github.com/openssl/openssl/pull/30417)

3 weeks ago Disable DLL detach handlers on cygwin
David McFarland [Fri, 5 Dec 2025 17:21:38 +0000 (13:21 -0400)] 
Disable DLL detach handlers on cygwin

This patch is from cygwin, and was originally added in:

https://cygwin.com/cgit/cygwin-packages/openssl/commit/?id=da80cc438622f6b1801fb3fbb06818c3ee070495

In cygwin, it's not safe to call into libc from
DLL_THREAD/PROCESS_DETACH, and it results in crashes.

CLA: trivial

Co-authored-By: Achim Gratz <Achim.Gratz@Stromeko.DE>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Mar 19 10:02:05 2026
(Merged from https://github.com/openssl/openssl/pull/29321)

3 weeks ago Adds documentation of X509V3_EXT_print and X509V3_EXT_print_fp.
Frederik Wedel-Heinen [Fri, 13 Feb 2026 06:49:14 +0000 (07:49 +0100)] 
Adds documentation of X509V3_EXT_print and X509V3_EXT_print_fp.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 19 09:20:07 2026
(Merged from https://github.com/openssl/openssl/pull/29996)

3 weeks ago test: Do not fail if packet cannot be extended in QUIC multistream test
Milan Broz [Tue, 17 Mar 2026 13:16:37 +0000 (14:16 +0100)] 
test: Do not fail if packet cannot be extended in QUIC multistream test

In some specific timings, the qtest_fault_resize_plain_packet function
returns failure as there is not enough space in allocated buffer.

There is no way to recover in this situation, so print
information and let the test finish instead of failing
in the TEST_error() call.

This patch fixes test runs on Windows where I can reproduce
this quite reliably.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Mar 19 09:17:59 2026
(Merged from https://github.com/openssl/openssl/pull/30461)

3 weeks ago test: Increase timeout for QUIC multistream test
Milan Broz [Tue, 17 Mar 2026 13:09:47 +0000 (14:09 +0100)] 
test: Increase timeout for QUIC multistream test

I can regularly hit the timeout on Windows for the QUIC multistream test.
While increasing it is not the best solution, it eliminates many
failures during testing. This timeout only applies in a specific
situation, so the extra run time should not actually be used often.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Mar 19 09:17:57 2026
(Merged from https://github.com/openssl/openssl/pull/30461)

3 weeks ago Update ssl/quic/quic_srtm.c
Sashan [Mon, 16 Mar 2026 07:43:45 +0000 (08:43 +0100)] 
Update ssl/quic/quic_srtm.c

Co-authored-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:47 2026
(Merged from https://github.com/openssl/openssl/pull/30371)

3 weeks ago QUIC stack must disable hash table contraction before doing
Alexandr Nedvedicky [Wed, 11 Mar 2026 13:12:29 +0000 (14:12 +0100)] 
QUIC stack must disable hash table contraction before doing
lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
dead memory when traversing to next item in hash table.

One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
table contraction when table is being destroyed during the
_doall() traversal.

Call lh_TYPE_set_down_load(lh, 0) before doing
lh_TYPE_doall() with lh_TYPE_delete(). This disables

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/30371)

3 weeks ago ca.c: Partially revert incorrect simplification of string check
Tomas Mraz [Tue, 17 Mar 2026 11:37:11 +0000 (12:37 +0100)] 
ca.c: Partially revert incorrect simplification of string check

Fixes 25c2ada89
Fixes Coverity 1688667

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 18 13:32:01 2026
(Merged from https://github.com/openssl/openssl/pull/30460)

3 weeks ago SLH_DSA: signing operation incorrectly returned 1 on failure.
slontis [Mon, 16 Mar 2026 04:32:01 +0000 (15:32 +1100)] 
SLH_DSA: signing operation incorrectly returned 1 on failure.

Initially Reported by Zehua qiao

Fixes #30414

A block copy bug incorrectly set ret = 1 straight after assigning
ret.

Setting the *sig_len has been delayed to the err path in case
WPACKET_finish fails.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Mar 18 07:19:54 2026
(Merged from https://github.com/openssl/openssl/pull/30438)

3 weeks ago Mask *num on entry in deprecated low-level OFB/CFB implementations
frostb1ten [Mon, 16 Mar 2026 10:07:12 +0000 (05:07 -0500)] 
Mask *num on entry in deprecated low-level OFB/CFB implementations

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 18 07:11:44 2026
(Merged from https://github.com/openssl/openssl/pull/30447)

3 weeks ago Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path
Scott [Mon, 16 Mar 2026 17:30:50 +0000 (12:30 -0500)] 
Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path

ppc_aes_gcm_cipher_update() returns 1 on success and 0 on failure.
The decrypt pre-alignment path (line 122) incorrectly returned -1
instead of 0 when CRYPTO_gcm128_decrypt() failed.

Since the caller checks `if (!hw->cipherupdate(...))`, and !(-1)
evaluates to 0 (false) in C, the error was silently swallowed and
GCM processing continued with potentially corrupt state.

The encrypt path at line 98 correctly returns 0. This was likely a
copy-paste error when the decrypt path was added.

Fixes #30380

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 07:03:41 2026
(Merged from https://github.com/openssl/openssl/pull/30452)

3 weeks ago include/openssl/macros.h: add missing #undef OPENSSL_NO_DEPRECATED_3_5
Eugene Syromiatnikov [Thu, 12 Mar 2026 18:05:04 +0000 (19:05 +0100)] 
include/openssl/macros.h: add missing #undef OPENSSL_NO_DEPRECATED_3_5

Complements: 0bba82188186 "Deprecate all BIO_meth_get_*() functions"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:12:18 2026
(Merged from https://github.com/openssl/openssl/pull/30400)

3 weeks ago pkcs7: fix NULL contents dereference in PKCS7_stream
Weidong Wang [Tue, 10 Mar 2026 17:42:35 +0000 (12:42 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_stream

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:56 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

3 weeks ago pkcs7: fix NULL contents dereference in PKCS7_dataFinal
Weidong Wang [Tue, 10 Mar 2026 17:15:22 +0000 (12:15 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_dataFinal

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:53 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

3 weeks ago pkcs7: fix NULL contents dereference in PKCS7_ctrl
Weidong Wang [Tue, 10 Mar 2026 17:08:35 +0000 (12:08 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_ctrl

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:49 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

3 weeks ago OpenSSH interop tests job refactoring
Dmitry Misharov [Mon, 16 Mar 2026 07:34:55 +0000 (08:34 +0100)] 
OpenSSH interop tests job refactoring

* split openssh interop tests job into more steps
* remove openssl build step, it's built in setup_ci.sh

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Mar 17 16:57:05 2026
(Merged from https://github.com/openssl/openssl/pull/30445)

3 weeks ago openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section
Stefan Berger [Thu, 12 Mar 2026 14:57:43 +0000 (09:57 -0500)] 
openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section

In the BUGS section mention that signing with an Ed448 key is not supported
when using signed-data with signed attributes due to missing support for
id-shake256-len.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:27 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

3 weeks ago cms: Make sha512 the required hash for CMS with signedAttributes
Stefan Berger [Sun, 8 Mar 2026 23:11:02 +0000 (18:11 -0500)] 
cms: Make sha512 the required hash for CMS with signedAttributes

RFC 8419 requires that, when using an Ed25519 key for CMS signed-data with
signed attributes, SHA512 must be used. Modify the entry in the key2data
table to reflect this, giving the user no other choice for a hash.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:24 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

3 weeks ago man: Mention Ed448 for CMS with signed attributes is not supported
Stefan Berger [Sun, 8 Mar 2026 23:07:16 +0000 (18:07 -0500)] 
man: Mention Ed448 for CMS with signed attributes is not supported

Mention that Ed448 keys cannot currently be used for CMS with
signed attributes since RFC 8419 requires id-shake256-len be used,
which is not currently supported by OpenSSL.

Resolves: 30291
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:20 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

3 weeks ago Avoid premature short-circuit in check_email
Viktor Dukhovni [Mon, 16 Mar 2026 08:30:04 +0000 (19:30 +1100)] 
Avoid premature short-circuit in check_email

- Also harden check_hosts() to handle NULL `vpm->hosts`,
  currently checked by the caller.

- Also harden check_ips() to handle NULL `vpm->ips`,
  currently checked by the caller.

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 15:35:16 2026
(Merged from https://github.com/openssl/openssl/pull/30444)

(cherry picked from commit 6f9a0f3bcdf8f7c8b3d6a7dfb100788a8726905e)

3 weeks ago Implement RFC 8701 GREASE for TLS ClientHello
mcrmck [Sun, 8 Mar 2026 02:51:17 +0000 (21:51 -0500)] 
Implement RFC 8701 GREASE for TLS ClientHello

Add client-side GREASE (Generate Random Extensions And Sustain
Extensibility) support per RFC 8701. When SSL_OP_GREASE is set,
the TLS client injects reserved 0x?A?A-pattern values into the
ClientHello to prevent ecosystem ossification caused by servers
that reject unknown values.

GREASE values are injected into:
- Cipher suites (prepended)
- Supported versions extension (prepended)
- Supported groups extension (prepended)
- Signature algorithms extension (appended)
- Key share extension (prepended, 1 zero byte)
- Two standalone extensions (one empty, one with 1 zero byte)

The implementation uses lazy-seeded random values that remain
consistent across HelloRetryRequest retransmissions. GREASE values
from server responses are rejected as illegal parameters.

Add -grease option to s_client to enable GREASE from the command line.

Closes #9660

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 14:58:25 2026
(Merged from https://github.com/openssl/openssl/pull/30303)
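
The RFC 8701 value pattern and the two behaviours the commit above describes (a value chosen once and reused across HelloRetryRequest, and rejection of GREASE values in server responses), as an added illustration that is not OpenSSL's implementation. The functions grease_value, is_grease_value, grease_for_handshake and server_choice_is_legal and the grease_state type are assumptions of this example; the only page names involved are RFC 8701 and the 0x?A?A pattern.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * RFC 8701 GREASE values have the form 0x?A?A with identical high and low
 * bytes: 0x0A0A, 0x1A1A, ..., 0xFAFA, i.e. 16 values. Example code only.
 */
#define GREASE_VALUE_COUNT 16

/* The idx-th GREASE value (idx is taken modulo 16). */
uint16_t grease_value(unsigned idx)
{
    uint8_t b = (uint8_t)(((idx & 0x0F) << 4) | 0x0A);

    return (uint16_t)((b << 8) | b);
}

/* 1 if v is one of the 16 reserved GREASE code points, else 0. */
int is_grease_value(uint16_t v)
{
    return (v & 0x0F0F) == 0x0A0A && (v >> 8) == (v & 0xFF);
}

/*
 * Model of a lazily-seeded client selection: the value is derived from a
 * random byte the first time it is needed and then reused, so a ClientHello
 * resent after HelloRetryRequest carries the same GREASE value.
 */
typedef struct {
    int seeded;
    uint16_t cipher_suite_grease;
} grease_state;

uint16_t grease_for_handshake(grease_state *st, uint8_t rand_byte)
{
    if (!st->seeded) {
        st->cipher_suite_grease = grease_value(rand_byte & 0x0F);
        st->seeded = 1;
    }
    return st->cipher_suite_grease;
}

/*
 * Client-side check of a value the server selected (cipher suite, version,
 * group, ...): a GREASE code point must never be chosen by a server, so it is
 * treated as an illegal parameter.
 */
int server_choice_is_legal(uint16_t chosen)
{
    return !is_grease_value(chosen);
}
```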

3 weeks ago x509: add EXFLAG_DUPLICATE and cheap O(1) extension duplicate check
Daniel Kubec [Mon, 2 Mar 2026 16:56:52 +0000 (17:56 +0100)] 
x509: add EXFLAG_DUPLICATE and cheap O(1) extension duplicate check

In ossl_x509v3_cache_extensions(), introduce EXFLAG_DUPLICATE flag to
signal duplicate X.509 extensions. Add O(1) duplicate detection
using a bitset with minimal stack memory footprint, in compliance with
RFC 5280 Section 4.2.

Fixes #26325

Co-authored-by: Tomáš Mráz <tm@t8m.info>
Co-authored-by: David von Oheimb <DDvO@users.noreply.github.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 13:43:13 2026
(Merged from https://github.com/openssl/openssl/pull/30233)

3 weeks ago QUIC: Make more transport parameters configurable
Nikolas Gauder [Sat, 17 Jan 2026 19:56:41 +0000 (20:56 +0100)] 
QUIC: Make more transport parameters configurable

The following QUIC transport parameters are now configurable via
SSL_get_value_uint() / SSL_set_value_uint():

max_udp_payload_size
initial_max_data
initial_max_stream_data_{uni, bidi_local, bidi_remote}
initial_max_streams_{uni, bidi}
ack_delay_exponent
max_ack_delay
disable_active_migration
active_connection_id_limit

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 17 13:15:29 2026
(Merged from https://github.com/openssl/openssl/pull/29664)

3 weeks ago test-change: remove ec-point-formats from test vectors
sftcd [Tue, 10 Mar 2026 15:33:36 +0000 (15:33 +0000)] 
test-change: remove ec-point-formats from test vectors

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 17 11:54:06 2026
(Merged from https://github.com/openssl/openssl/pull/30416)

3 weeks ago Configure: Re-add srtpkdf disablable
Tomas Mraz [Mon, 16 Mar 2026 09:55:25 +0000 (10:55 +0100)] 
Configure: Re-add srtpkdf disablable

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 17 11:16:00 2026
(Merged from https://github.com/openssl/openssl/pull/30446)

3 weeks ago ECDH and ECDSA cannot be really disabled standalone
Tomas Mraz [Mon, 16 Mar 2026 09:51:54 +0000 (10:51 +0100)] 
ECDH and ECDSA cannot be really disabled standalone

We should not pretend it can.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 17 11:15:59 2026
(Merged from https://github.com/openssl/openssl/pull/30446)

3 weeks ago Revert "fix: disable of ECDH and ECDSA algorithms"
Tomas Mraz [Mon, 16 Mar 2026 09:36:15 +0000 (10:36 +0100)] 
Revert "fix: disable of ECDH and ECDSA algorithms"

This reverts commit b60869717dd9d5c873ed74d248faecbd2cf110f3.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 17 11:15:57 2026
(Merged from https://github.com/openssl/openssl/pull/30446)

3 weeks ago Fix integer truncation in ppc_aes_gcm_crypt
Scott [Mon, 16 Mar 2026 03:53:04 +0000 (22:53 -0500)] 
Fix integer truncation in ppc_aes_gcm_crypt

The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt
return size_t, but their return values were stored in int variables,
causing truncation on PPC64 where size_t is 64-bit. This could lead
to incorrect results when processing inputs larger than 2GB via
EVP_Cipher() which accepts unsigned int lengths.

Change the types of s and ndone from int to size_t to match the
function return type and the return type of ppc_aes_gcm_crypt itself.

Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass,
AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.

CLA: trivial

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 09:44:33 2026
(Merged from https://github.com/openssl/openssl/pull/30437)

3 weeks ago BIO: Fix typo in BIO_pop documentation
Paz David [Thu, 12 Mar 2026 22:26:40 +0000 (00:26 +0200)] 
BIO: Fix typo in BIO_pop documentation

Corrected "is is" to "it is" in the BIO_pop() description to
improve documentation clarity.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Mar 16 11:30:42 2026
(Merged from https://github.com/openssl/openssl/pull/30404)

3 weeks ago Add Deprecation Macros for 4.1
Bob Beck [Thu, 12 Mar 2026 17:41:11 +0000 (11:41 -0600)] 
Add Deprecation Macros for 4.1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Mar 16 11:28:52 2026
(Merged from https://github.com/openssl/openssl/pull/30399)

3 weeks ago Clean up asn1/ca.c
Bob Beck [Thu, 12 Mar 2026 17:17:16 +0000 (11:17 -0600)] 
Clean up asn1/ca.c

Collapse a bunch of type calls down to a local variable

Fixes: 29974
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 11:27:08 2026
(Merged from https://github.com/openssl/openssl/pull/30397)

3 weeks ago docs: Fix SSL_CERT_DIR env var
Norbert Pocs [Wed, 4 Mar 2026 15:48:12 +0000 (16:48 +0100)] 
docs: Fix SSL_CERT_DIR env var

Complements: dfdbc113eefb "Partially revert #18070 (Add support for Windows CA certificate store)"

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Mon Mar 16 11:24:06 2026
(Merged from https://github.com/openssl/openssl/pull/30390)

3 weeks ago Enforce mandatory cipher get_params at dispatch parse
herbenderbler [Fri, 13 Mar 2026 04:28:41 +0000 (22:28 -0600)] 
Enforce mandatory cipher get_params at dispatch parse

Reject provider ciphers that lack get_params when unpacking the dispatch
table in evp_cipher_from_algorithm(), failing with
EVP_R_INVALID_PROVIDER_FUNCTIONS instead of later with
EVP_R_CACHE_CONSTANTS_FAILED.

Revert the optional-functions sentence in provider-cipher.pod to "All
other functions are optional." so the doc does not imply only
get_params, newctx, and freectx are required; a consistent
encrypt/decrypt set is also required as described in the prior paragraph.

Move test_cipher_no_getparams from evp_skey_test.c to evp_fetch_prov_test.c
and add fake_cipherprov.c to the evp_fetch_prov_test build.

Drop the redundant newctx/freectx/get_params line from the
evp_cipher_from_algorithm() comment.

Fixes #19110

Made-with: Cursor

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Mar 16 11:22:05 2026
(Merged from https://github.com/openssl/openssl/pull/30383)

3 weeks ago apps/cmp_mock_srv: fix resource leak in process_genm()
YZL0v3ZZ [Wed, 11 Mar 2026 14:31:47 +0000 (22:31 +0800)] 
apps/cmp_mock_srv: fix resource leak in process_genm()

If pushing the generated rsp ITAV object into the out stack fails,
the error path frees the stack container but permanently abandons
the newly allocated rsp object.

Explicitly free the rsp structure if it exists and was not pushed
successfully to prevent this memory leak.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Mar 16 11:16:02 2026
(Merged from https://github.com/openssl/openssl/pull/30374)

3 weeks ago pkcs12: fix PKCS12_set_pbmac1_pbkdf2 error-path leaks
Weidong Wang [Tue, 10 Mar 2026 16:07:58 +0000 (11:07 -0500)] 
pkcs12: fix PKCS12_set_pbmac1_pbkdf2 error-path leaks

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 11:12:12 2026
(Merged from https://github.com/openssl/openssl/pull/30347)

3 weeks ago dtls: buffer early CCS to handle UDP reorder
tlhc [Fri, 6 Feb 2026 08:40:39 +0000 (16:40 +0800)] 
dtls: buffer early CCS to handle UDP reorder

Cache early-arriving CCS in dtls1_state_st and replay it when the
handshake reaches the expected state. Clear the flag in
dtls1_clear_received_buffer().

Add dtls_ccs_reorder_test covering client/server reorder, resumption and mutual TLS.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Mar 16 11:01:55 2026
(Merged from https://github.com/openssl/openssl/pull/30225)

3 weeks ago doc/man3/BIO_read.pod: clarify BIO_puts() semantics a bit
Eugene Syromiatnikov [Tue, 20 Jan 2026 11:52:34 +0000 (12:52 +0100)] 
doc/man3/BIO_read.pod: clarify BIO_puts() semantics a bit

Mention that it doesn't write the terminating NUL byte (akin
to the way fputs(3) is documented[1][2]), and that it does not append
'\n', like puts(3) does.

[1] https://pubs.opengroup.org/onlinepubs/9699919799.2008edition/functions/fputs.html
[2] https://www.man7.org/linux/man-pages/man3/fputs.3.html

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 10:54:51 2026
(Merged from https://github.com/openssl/openssl/pull/29680)

3 weeks ago Ensure that BIO_eof only returns 1, 0 or a negative value
Neil Horman [Thu, 12 Mar 2026 14:17:04 +0000 (10:17 -0400)] 
Ensure that BIO_eof only returns 1, 0 or a negative value

Recently we uncovered the fact that some platforms (nonstop) return a
non-one positive value from feof to indicate end of file.  This is in
compliance with posix standards, but we had some code that assumed 1
would always be the returned value for an EOF condition, causing various
failures.

Fix it by converting BIO_eof to only return 0 or 1 to reflect the EOF
state (or in the Windows case -EINVAL if an invalid stream was passed).

Fixes #30348

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Sun Mar 15 19:22:41 2026
(Merged from https://github.com/openssl/openssl/pull/30395)

3 weeks ago Digests Algorithm find from name 17199/head
Stas Mors [Wed, 11 Mar 2026 12:33:49 +0000 (15:33 +0300)] 
Digests Algorithm find from name

Add finding object and sn from EVP_MD::type_name (in the base case EVP_MD::type == 0 and searching can fail)

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30206)

3 weeks ago Change EVP_get_digestbynid to EVP_MD_fetch in a_verify and cms_sd
Stas Mors [Wed, 11 Mar 2026 12:33:49 +0000 (15:33 +0300)] 
Change EVP_get_digestbynid to EVP_MD_fetch in a_verify and cms_sd

Exchange EVP_get_digestbynid for EVP_MD_fetch to correctly get the nid from the provider

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30206)

3 weeks ago Optimize Windows RCU thread signalling.
Milan Broz [Wed, 11 Mar 2026 22:03:36 +0000 (23:03 +0100)] 
Optimize Windows RCU thread signalling.

With the pthread variant, a thread truly wakes up after
the pthread_mutex_unlock call, even if pthread_cond_signal
is called before.

This is not true for the Windows variant. The thread is
woken up in WakeConditionVariable but goes back to sleep.
Reordering (signalling thread after unlocking) should save
some time during transitions and should be safe in this context.

The speedup is visible on lhash_test, running on many CPUs
(on 32 cores, a speedup from 1:40 to 1:05 minutes on test hw).

Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com>
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:25:49 2026
(Merged from https://github.com/openssl/openssl/pull/30388)

3 weeks ago Align Windows RCU implementation to the pthread variant
Milan Broz [Wed, 11 Mar 2026 21:40:27 +0000 (22:40 +0100)] 
Align Windows RCU implementation to the pthread variant

Unlike the pthread variant, Windows RCU uses broadcast instead
of targeted signal calls in some places, unnecessarily increasing
the number of used cycles.

The retire_qp should wake up only one thread to proceed, not
all of them.  For update_qp, that signals the thread after
increasing writers_alloced, signalling all threads does not make
sense either.

The speedup is significant on lhash_test, running on many CPUs
(on 32 cores, a speedup from 6:20 to 1:40 minutes on test hw).

Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com>
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:25:47 2026
(Merged from https://github.com/openssl/openssl/pull/30388)
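The wake-up discipline behind the two RCU commits above (signal one waiter rather than broadcast to all, and signal after releasing the mutex), as an added example that is not OpenSSL's code: a stand-alone pthread program in which the state a waiter tests is changed under the mutex, the mutex is released, and only then is one waiter signalled. The waiter re-checks its predicate in a loop, which is what makes signalling after unlock safe and spurious wake-ups harmless; moving the state change itself after the unlock would be the real bug. Running it in broadcast mode shows the cost the "Align" commit removes: every grant wakes every waiter and all but one go straight back to sleep. The gate/token/grant names are this example's own, not OpenSSL's RCU identifiers.

```c
/*
 * Added example (not OpenSSL project code): one-waiter-per-signal wake-up
 * with the signal issued after the mutex is released.  Build: cc -pthread ex.c
 */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

struct gate {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    unsigned tokens;      /* number of waiters allowed to proceed */
    unsigned passed;      /* waiters that have consumed a token */
    unsigned requeued;    /* wake-ups that found no token (cost of broadcast) */
    int broadcast;        /* 1: wake every waiter per grant, 0: wake one */
};

static void gate_init(struct gate *g, int broadcast)
{
    pthread_mutex_init(&g->lock, NULL);
    pthread_cond_init(&g->cv, NULL);
    g->tokens = g->passed = g->requeued = 0;
    g->broadcast = broadcast;
}

/* Waiter side: the predicate is checked under the lock, in a loop. */
static void *waiter(void *arg)
{
    struct gate *g = arg;

    pthread_mutex_lock(&g->lock);
    while (g->tokens == 0) {
        pthread_cond_wait(&g->cv, &g->lock);
        if (g->tokens == 0)
            g->requeued++;   /* woken, but nothing for us: back to sleep */
    }
    g->tokens--;
    g->passed++;
    pthread_mutex_unlock(&g->lock);
    return NULL;
}

/* Grant side: update the state, release the lock, then signal. */
static void gate_grant_one(struct gate *g)
{
    pthread_mutex_lock(&g->lock);
    g->tokens++;
    pthread_mutex_unlock(&g->lock);
    if (g->broadcast)
        pthread_cond_broadcast(&g->cv);   /* wakes all waiters, N-1 requeue */
    else
        pthread_cond_signal(&g->cv);      /* wakes exactly one waiter */
}

/*
 * Spawn |nwaiters| waiters, grant one token per waiter, join them, and return
 * how many got through (must equal nwaiters in both modes); optionally report
 * how many wake-ups were wasted.
 */
unsigned run_gate(unsigned nwaiters, int broadcast, unsigned *wasted_wakeups)
{
    struct gate g;
    pthread_t *th = calloc(nwaiters, sizeof(*th));
    unsigned i, passed;

    if (th == NULL)
        return 0;
    gate_init(&g, broadcast);
    for (i = 0; i < nwaiters; i++)
        pthread_create(&th[i], NULL, waiter, &g);
    for (i = 0; i < nwaiters; i++)
        gate_grant_one(&g);
    for (i = 0; i < nwaiters; i++)
        pthread_join(th[i], NULL);
    passed = g.passed;
    if (wasted_wakeups != NULL)
        *wasted_wakeups = g.requeued;
    pthread_cond_destroy(&g.cv);
    pthread_mutex_destroy(&g.lock);
    free(th);
    return passed;
}

int main(void)
{
    unsigned wasted_signal = 0, wasted_bcast = 0;
    unsigned p1 = run_gate(16, 0, &wasted_signal);
    unsigned p2 = run_gate(16, 1, &wasted_bcast);

    printf("signal:    %u passed, %u wasted wake-ups\n", p1, wasted_signal);
    printf("broadcast: %u passed, %u wasted wake-ups\n", p2, wasted_bcast);
    return (p1 == 16 && p2 == 16) ? 0 : 1;
}
```

The exact wasted-wake-up counts depend on scheduling (POSIX also permits spurious wake-ups), so only the correctness property, every waiter gets through in both modes, is something to assert on; the broadcast count is merely illustrative of the lhash_test speedup reported above.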

3 weeks ago ML_DSA/ML_KEM: Add fromdata property query support.
slontis [Thu, 26 Feb 2026 07:08:40 +0000 (18:08 +1100)] 
ML_DSA/ML_KEM: Add fromdata property query support.

This allows ML_KEM/ML_DSA keys to set a "properties" value
that is used to refetch the digests.
This may be used when doing an import using EVP_PKEY_fromdata().
Note that this is not used by EVP_PKEY_new_raw_private_key_ex() or
EVP_PKEY_new_raw_public_key_ex() since the propq used here is
associated with the keymanager (i.e. via EVP_PKEY_CTX_new_from_name())
not the propq associated with internal fetches used by the key to
fetch digest algorithms.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 17:24:41 2026
(Merged from https://github.com/openssl/openssl/pull/30243)

3 weeks ago Add optimized Montgomery squaring for RV64GC
fengpengbo [Fri, 27 Feb 2026 03:18:22 +0000 (11:18 +0800)] 
Add optimized Montgomery squaring for RV64GC

This PR adds an RV64GC-optimized Montgomery squaring assembly, ported from the ARMv8 __bn_sqr8x_mont algorithm, complementing the earlier multiplication optimization (#28012).

Performance Improvement

| Test Item  | Baseline (C)  | ASM Optimized  | Improvement  |
| ---------- | ------------- | -------------- | ------------ |
| sign/s     | 208           | 220            | 5.77%        |
| verify/s   | 7190          | 7956.6         | 10.66%       |
| encr./s    | 6638          | 7156.0         | 7.8%         |
| decr./s    | 203           | 216            | 6.4%         |

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 17:21:14 2026
(Merged from https://github.com/openssl/openssl/pull/29440)
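The arithmetic the RV64GC assembly above accelerates, as an added example that is not OpenSSL's code: Montgomery multiplication and squaring with the REDC reduction, written for a single 64-bit limb (R = 2^64) using __int128 products so it runs on any GCC/Clang target. OpenSSL's bn_mul_mont/bn_sqr8x_mont do the same thing over many limbs, where squaring can skip the duplicated cross products a_i*a_j = a_j*a_i (which is where the sqr8x speedup comes from); a single limb has no cross products, so here mont_sqr is simply mont_mul with both operands equal. The function names, the 2^64-59 test modulus and the square-and-multiply exponentiation are this example's own; the exponentiation is a plain left-to-right square-and-multiply whose branch on exponent bits leaks the exponent through timing, which is why OpenSSL's RSA code uses constant-time windowed exponentiation instead.

```c
/*
 * Added example (not OpenSSL project code): single-limb Montgomery
 * multiplication, squaring and exponentiation with REDC.
 */
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/*
 * -n^{-1} mod 2^64 for odd n, by Newton iteration: n*n == 1 (mod 8) seeds
 * 3 correct bits and each step doubles them: 3, 6, 12, 24, 48, 96 >= 64.
 */
uint64_t mont_n0inv(uint64_t n)
{
    uint64_t x = n;

    for (int i = 0; i < 5; i++)
        x *= 2 - n * x;
    return 0 - x;
}

/* REDC: for T < n * 2^64 return T * 2^-64 mod n, fully reduced. */
uint64_t mont_redc(u128 T, uint64_t n, uint64_t n0inv)
{
    uint64_t lo = (uint64_t)T, hi = (uint64_t)(T >> 64);
    uint64_t m = lo * n0inv;            /* chosen so lo + m*n == 0 mod 2^64 */
    u128 mn = (u128)m * n;
    /* (T + m*n) / 2^64: the low words cancel exactly, leaving only a carry */
    u128 t = (u128)hi + (uint64_t)(mn >> 64) + (lo != 0);
    /* t < 2n: one conditional subtraction, written without a data-dependent branch */
    uint64_t ge = (uint64_t)(t >= n);

    t -= (u128)(n & (0 - ge));
    return (uint64_t)t;
}

/* Conversion to and from Montgomery form (a*R mod n), a < n required. */
uint64_t mont_to(uint64_t a, uint64_t n)
{
    return (uint64_t)(((u128)a << 64) % n);
}

uint64_t mont_from(uint64_t aR, uint64_t n, uint64_t n0inv)
{
    return mont_redc(aR, n, n0inv);
}

uint64_t mont_mul(uint64_t aR, uint64_t bR, uint64_t n, uint64_t n0inv)
{
    return mont_redc((u128)aR * bR, n, n0inv);   /* = a*b*R mod n */
}

uint64_t mont_sqr(uint64_t aR, uint64_t n, uint64_t n0inv)
{
    return mont_redc((u128)aR * aR, n, n0inv);   /* = a^2*R mod n */
}

/* Reference a*b mod n via a 128-bit product, for cross-checking. */
uint64_t mulmod_ref(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((u128)a * b) % n);
}

/* a^2 mod n computed entirely through the Montgomery path. */
uint64_t sqrmod_mont(uint64_t a, uint64_t n)
{
    uint64_t n0inv = mont_n0inv(n);
    uint64_t aR = mont_to(a % n, n);

    return mont_from(mont_sqr(aR, n, n0inv), n, n0inv);
}

/*
 * base^exp mod n, staying in Montgomery form throughout: one squaring per
 * exponent bit plus one multiplication per set bit, which is why squaring
 * dominates RSA sign/decrypt cost.  NOT constant time (branch on exp bits).
 */
uint64_t powmod_mont(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t n0inv = mont_n0inv(n);
    uint64_t x = mont_to(base % n, n);
    uint64_t acc = mont_to(1, n);        /* R mod n: Montgomery form of 1 */

    for (int i = 63; i >= 0; i--) {
        acc = mont_sqr(acc, n, n0inv);
        if ((exp >> i) & 1)
            acc = mont_mul(acc, x, n, n0inv);
    }
    return mont_from(acc, n, n0inv);
}

int main(void)
{
    const uint64_t p = 0xFFFFFFFFFFFFFFC5ULL;   /* 2^64 - 59, prime */

    /* (2^32)^2 = 2^64 = p + 59, so the square is 59 mod p */
    printf("(2^32)^2 mod p = %llu\n", (unsigned long long)sqrmod_mont(1ULL << 32, p));
    printf("2^(p-1) mod p  = %llu\n", (unsigned long long)powmod_mont(2, p - 1, p));
    return 0;
}
```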

3 weeks ago riscv: aes: fix checks on null keys
Zenithal [Tue, 10 Mar 2026 00:44:01 +0000 (00:44 +0000)] 
riscv: aes: fix checks on null keys

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:15:37 2026
(Merged from https://github.com/openssl/openssl/pull/30333)

3 weeks ago feat: Disabled features are generated during configure automatically
Paul Louvel [Fri, 23 Jan 2026 13:22:55 +0000 (14:22 +0100)] 
feat: Disabled features are generated during configure automatically

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 15:50:43 2026
(Merged from https://github.com/openssl/openssl/pull/30212)

3 weeks ago Added all the disabled algos/protocols into the output of list -disabled
Paul Louvel [Tue, 20 Jan 2026 13:11:35 +0000 (14:11 +0100)] 
Added all the disabled algos/protocols into the output of list -disabled

Also separate algorithms and protocols in list -disabled
and display message in case of no disabled features.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 15:50:41 2026
(Merged from https://github.com/openssl/openssl/pull/30212)

3 weeks ago fix: disable of ECDH and ECDSA algorithms
Paul Louvel [Tue, 20 Jan 2026 15:22:30 +0000 (16:22 +0100)] 
fix: disable of ECDH and ECDSA algorithms

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 15:50:40 2026
(Merged from https://github.com/openssl/openssl/pull/30212)

3 weeks ago fix: added missing conditional macro when disabling the SipHash algorithm
Paul Louvel [Mon, 19 Jan 2026 18:16:57 +0000 (19:16 +0100)] 
fix: added missing conditional macro when disabling the SipHash algorithm

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 15:50:39 2026
(Merged from https://github.com/openssl/openssl/pull/30212)

3 weeks ago crypto/evp/exchange.c: fix memory leak in EVP_PKEY_derive_SKEY()
huanghuihui0904 [Thu, 12 Mar 2026 11:16:12 +0000 (19:16 +0800)] 
crypto/evp/exchange.c: fix memory leak in EVP_PKEY_derive_SKEY()

When mgmt == NULL, EVP_PKEY_derive_SKEY() fetches an EVP_SKEYMGMT into skeymgmt. Some early returns in the fallback derive path do not free this object, causing a leak. Route these paths through shared cleanup so skeymgmt is freed.

Resolves: https://github.com/openssl/openssl/issues/30378
Fixes #30378

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30389)
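The error-path shape the commit above fixes, as an added example that is not OpenSSL's code: a fallback path that fetches a helper object when the caller did not supply one and then returns early on failure leaks it, while routing every exit after the fetch through a single cleanup label releases it exactly when this function was the one that fetched it. The SKEYMGMT_T type, the leak-counting skeymgmt_fetch()/skeymgmt_free() pair and the do_derive() body are constructed stand-ins for this example, not OpenSSL APIs; the counter exists so the leak is observable without a leak checker.

```c
/*
 * Added example (not OpenSSL project code): early-return leak on a fallback
 * path versus a shared cleanup label.  Build: cc ex.c
 */
#include <stdlib.h>
#include <string.h>

static int live_objects;   /* fetched objects not yet released */

typedef struct { unsigned char label[8]; } SKEYMGMT_T;

static SKEYMGMT_T *skeymgmt_fetch(void)
{
    SKEYMGMT_T *m = malloc(sizeof(*m));

    if (m != NULL) {
        memcpy(m->label, "mgmt-obj", 8);
        live_objects++;
    }
    return m;
}

static void skeymgmt_free(SKEYMGMT_T *m)
{
    if (m != NULL) {
        live_objects--;
        free(m);
    }
}

/* Shared body: fill |need| bytes of secret; fails when the buffer is too small. */
static int do_derive(unsigned char *out, size_t outlen, size_t need)
{
    if (out == NULL || outlen < need)
        return 0;
    memset(out, 0xA5, need);   /* constructed stand-in for the real derivation */
    return 1;
}

/*
 * Buggy shape: mgmt == NULL takes the fallback path, fetches its own manager,
 * then returns on error without freeing what it fetched.
 */
int derive_leaky(SKEYMGMT_T *mgmt, unsigned char *out, size_t outlen, size_t need)
{
    SKEYMGMT_T *skeymgmt = mgmt;

    if (skeymgmt == NULL) {
        if ((skeymgmt = skeymgmt_fetch()) == NULL)
            return 0;
        if (!do_derive(out, outlen, need))
            return 0;                     /* early return: skeymgmt leaks */
        skeymgmt_free(skeymgmt);
        return 1;
    }
    return do_derive(out, outlen, need);
}

/*
 * Fixed shape: every exit after the fetch goes through |end|, which frees the
 * manager only if this function fetched it (a caller-supplied one is theirs).
 */
int derive_fixed(SKEYMGMT_T *mgmt, unsigned char *out, size_t outlen, size_t need)
{
    SKEYMGMT_T *skeymgmt = mgmt;
    int ret = 0;

    if (skeymgmt == NULL && (skeymgmt = skeymgmt_fetch()) == NULL)
        return 0;
    if (!do_derive(out, outlen, need))
        goto end;
    ret = 1;
 end:
    if (skeymgmt != mgmt)
        skeymgmt_free(skeymgmt);
    return ret;
}

int live_object_count(void)
{
    return live_objects;
}
```

A caller that can trigger the failing branch repeatedly (for example by requesting an oversized output) turns the leaky shape into a memory-exhaustion problem, which is why error paths deserve the same cleanup discipline as the success path.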