Nikolas Gauder [Sat, 30 May 2026 10:19:22 +0000 (12:19 +0200)]
quic: Add MFAIL coverage for stream map allocation and token caching
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:23:38 2026
(Merged from https://github.com/openssl/openssl/pull/31333)
Nikolas Gauder [Fri, 29 May 2026 12:56:39 +0000 (14:56 +0200)]
quic: add lhash insert error checks
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:23:37 2026
(Merged from https://github.com/openssl/openssl/pull/31333)
sucloudflare [Sat, 6 Jun 2026 20:40:23 +0000 (17:40 -0300)]
crypto/evp: align exchange.c cleanup with kem/sig/asymcipher pattern
Commit a21f77d added explicit null assignments after EVP_KEYMGMT_free()
calls at the err:, legacy:, and success exit paths in kem.c,
asymcipher.c and signature.c.
The identical exit paths in evp_keyexch_init() (crypto/evp/exchange.c)
were not updated at the same time, leaving exchange.c as the only
outlier in the family without these null assignments.
This patch brings exchange.c into consistency with its sibling files
by adding exchange = NULL and tmp_keymgmt = NULL after each free at
the exit paths, matching the established pattern from a21f77d.
No functional change intended.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 10 11:20:19 2026
(Merged from https://github.com/openssl/openssl/pull/31394)
kovan [Tue, 27 Jan 2026 10:32:12 +0000 (11:32 +0100)]
doc: document OSSL_PKEY_PARAM_BITS meaning for each key type
The EVP_PKEY_get_bits() documentation states that "the definition
of cryptographic length is specific to the key cryptosystem" but
doesn't explain what this means for each key type.
Add a detailed list explaining what "bits" represents for RSA, DSA,
DH, EC, X25519, X448, Ed25519, Ed448, ML-DSA, SLH-DSA, and ML-KEM
key types to help users understand the return value.
Fixes #28337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Jun 10 11:15:17 2026
(Merged from https://github.com/openssl/openssl/pull/29790)
rootvector2 [Mon, 1 Jun 2026 14:28:09 +0000 (19:58 +0530)]
pvkfmt: check keylen before copying the BLOBHEADER
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31352)
Timo Keller [Mon, 16 Mar 2026 06:18:26 +0000 (07:18 +0100)]
Vectorize (inverse) NTT in ML-DSA
The vectorization is implemented using vector extensions (of gcc/clang)
and will work on any architecture with 128 bit vector registers that has
the builtin `vec_mulh` for the high part of a multiplication.
Enable this for s390x.
The speed-up factor on z17 is around 2--3.4.
Signed-off-by: Timo Keller <tkeller@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 09:25:58 2026
(Merged from https://github.com/openssl/openssl/pull/30812)
Neil Horman [Tue, 5 May 2026 20:53:49 +0000 (16:53 -0400)]
Disable tls test in pkcs11 provider
The head of the tree is broken due to a combined inability for openssl
and the provider to allow for duplication of MD contexts on an in flight
session
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:32 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
Neil Horman [Thu, 30 Apr 2026 18:01:37 +0000 (14:01 -0400)]
Opportunistically move archived items to a separate list
If a provider is unloaded and reloaded to a context, all its algorithms
get archived, making them un-look-up-able. While this is good, having
all those effectively dead entries in the list slows down the linear
traversal in the lookup path, so periodically, while we have the write
lock held, migrate those entries to a separate archive list so that they
don't impact the normal hot path.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:26 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
Neil Horman [Thu, 30 Apr 2026 14:25:45 +0000 (10:25 -0400)]
Fix caching of EVP methods when NO_CACHED_FETCH is asserted
Noticed during the debugging of this that, even though we may have
no-cached-fetch configured, we still put things in the method store,
which is wrong.
Don't cache things when we say we're not caching things.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:24 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
Neil Horman [Wed, 29 Apr 2026 23:07:11 +0000 (19:07 -0400)]
correct property_test
The duplicate property test has to change because we now archive QUERYs
instead of removing them immediately (i.e. we don't drop the ref count
until the store is freed).
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:21 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
Neil Horman [Wed, 29 Apr 2026 22:39:08 +0000 (18:39 -0400)]
Fix persnicketiness in tsan
TSAN seems to be having a problem with atomic_load_ptr and
atomic_store_ptr. Both are, by default, __ATOMIC_RELAXED operations.
According to the tsan docs, it flags these operations as a race because,
while they are indivisible, they create no happens-before constraint,
meaning they can be reordered.
What tsan is saying here is that the memset in evp_md_new may get
re-ordered such that the contents of the EVP_MD may still be getting
zeroed at the time we have (a) found the EVP_MD in the method store
cache, and (b) attempted to do an up_ref on it.
This is plainly impossible, especially given that, in order to reach the
method store cache, it must be placed in the method store algorithm
sparse array, which still requires the taking of the method store write
lock. But for some reason tsan fails to see the memory fence that
creates.
It seems the simplest solution to correct this is, if we are running
under tsan, use __ATOMIC_ACQUIRE and __ATOMIC_RELEASE on
CRYPTO_atomic_[load|store]_ptr to make sure tsan sees the proper memory
ordering.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:19 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
Neil Horman [Thu, 4 Jun 2026 13:29:31 +0000 (09:29 -0400)]
Fix missing dependency on ml_kem_keymgmt.c
ml_kem_keymgmt.c includes der_wrap.h, which is a generated file, but
doesn't include a dependency in its build.info file, meaning that if the
dependencies aren't run in the right order, ml_kem_keymgmt.c gets
compiled before der_wrap.h is generated, leading to a build break.
Fix it by including the needed dependency.
Fixes #31379
Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jun 9 17:49:28 2026
(Merged from https://github.com/openssl/openssl/pull/31385)
Neil Horman [Thu, 28 May 2026 08:46:10 +0000 (04:46 -0400)]
Provide independent lock failure signal on cmp_exch_ptr
Our CRYPTO atomic API has a somewhat consistent problem in that it's
possible in the case where locking fails to return an error while the
actual operation (store_int, store_ptr, etc.) actually succeeded.
cmp_exch is somewhat special here in that we may really need to know
independently if the function failed due to lock failure and if the
exchange occurred (so we can know the output value of *expect). Add a
separate parameter to allow callers to be informed of these statuses
independently.
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 17:46:07 2026
(Merged from https://github.com/openssl/openssl/pull/31319)
apps/s_client.c: read one byte less to avoid triggering overflow protection
Commit e0e276b50a1e "Fix a one byte buffer overflow in s_client" added
a check for the buffer size before adding a terminating \0, which led
to full reads of BUFSIZZ resulting in session termination. Avoid that
by requesting one byte less.
Co-Authored-by: Tomas Mraz <tomas@openssl.foundation>
Resolves: https://github.com/openssl/openssl/issues/30925
Fixes: e0e276b50a1e "Fix a one byte buffer overflow in s_client"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 09:12:53 2026
(Merged from https://github.com/openssl/openssl/pull/31413)
Minh Vu [Sun, 31 May 2026 18:34:17 +0000 (20:34 +0200)]
quic: cleanse derived IV on setup failure
el_build_keyslot() derives the QUIC IV before the success path stores
*out_iv_len. If a later step fails, the error cleanup currently uses
*out_iv_len and ends up cleansing zero bytes.
Cleanse the caller buffer using the local iv_len instead so the
derived IV is cleared on all post-derivation failure paths.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/31346)
Dmitry Misharov [Mon, 1 Jun 2026 19:24:59 +0000 (21:24 +0200)]
add fingerprint of the new PGP key
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 08:27:39 2026
(Merged from https://github.com/openssl/openssl/pull/31353)
Matt Caswell [Tue, 19 May 2026 10:24:58 +0000 (11:24 +0100)]
Check custom extensions are handled correctly with 3rd party QUIC
We have some code to handle the case where we have custom 3rd party
extensions and 3rd party QUIC. Test that this doesn't cause any problems.
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 07:51:56 2026
(Merged from https://github.com/openssl/openssl/pull/31238)
Matt Caswell [Tue, 19 May 2026 08:47:18 +0000 (09:47 +0100)]
There is no need to call custom_ext_copy_old_cb after reallocing dst->meths
In custom_exts_copy_conn we realloc'd the dst->meths buffer, and then
called `custom_ext_copy_old_cb` to transfer ownership of the old style
API wrapper allocations to the newly realloc'd buffer. But this makes
no sense. The buffer is realloc'd, and the old buffer is no longer freed,
so ownership of the old style API wrapper allocations transfers as well.
This is actually a use-after-free (we can no longer access the old buffer
once it's been realloc'd), and also causes a leak. We just delete this
code.
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 07:51:55 2026
(Merged from https://github.com/openssl/openssl/pull/31238)
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 07:51:54 2026
(Merged from https://github.com/openssl/openssl/pull/31238)
007bsd [Mon, 25 May 2026 21:10:43 +0000 (00:10 +0300)]
aes_wrap: prevent crash on update without a key
EVP_CipherInit_ex2 with a NULL key followed by EVP_CipherUpdate
on AES-WRAP/WRAP-PAD/WRAP-INV ciphers dereferenced an uninitialised
function pointer because aes_wrap_init installs ctx->block only
when a key is supplied. aes_wrap_cipher_internal had no guard
before dispatching.
Track key state in ctx->key_set, matching OCB/CCM/GCM/Poly1305,
and refuse update if no key has been installed.
Added a regression test covering AES-256-WRAP, AES-256-WRAP-PAD
and AES-256-WRAP-INV.
CLA: trivial
Fixes: ca392b294359 "Add aes_wrap cipher to providers"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 3 11:52:05 2026
(Merged from https://github.com/openssl/openssl/pull/31292)
kovan [Mon, 2 Feb 2026 11:01:51 +0000 (12:01 +0100)]
doc: Clarify SSL_CERT_DIR uses semicolon separator on Windows
The documentation for SSL_CERT_DIR stated that directories are
colon-separated, but on Windows the separator is semicolon.
Updated:
- openssl-rehash.pod.in: Added note about semicolon separator on Windows
- openssl-env.pod: Added note about multiple directories and Windows separator
Fixes: #27698
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Jun 3 11:44:35 2026
(Merged from https://github.com/openssl/openssl/pull/29894)
Bob Beck [Fri, 24 Apr 2026 20:28:54 +0000 (14:28 -0600)]
Provide ASN1_STRING_new_not_owned()
This function provides the ability to construct an ASN1_STRING
containing data that is not owned by the constructed ASN1_STRING. The
resulting ASN1_STRING, when freed, will not free the data, and it is
the caller's responsibility to ensure that the data lives past the
lifetime of any returned ASN1_STRING.
Why? you may ask? Many places where ->data and ->length were used
directly in the past before the opaquification of ASN1_STRING were
for this purpose, whether used for actual static data, or to turn
bytes created by and in control of the caller into an ASN1_STRING
for temporary use as an input. This function makes this easier
to do without making copies.
The function deliberately does not allow the creation of a BIT_STRING
as this would require also always providing unused bits, which is
annoying and unnecessary for almost all potential use cases.
rootvector2 [Mon, 1 Jun 2026 07:55:41 +0000 (13:25 +0530)]
quic: avoid one-byte over-read of conn close reason in copy_tcause
For a remote CONNECTION_CLOSE, src->reason points straight into the
received packet and holds exactly reason_len bytes with no guaranteed
trailing byte. copy_tcause() did OPENSSL_memdup(src->reason, l + 1),
reading one byte past the source. The +1 is only needed to make room
for the NUL written at r[l], so allocate l + 1 but copy only the l
valid bytes.
Fixes: 40c8c756c86f "QUIC APL/CHANNEL: Wire up connection closure reason"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Jun 3 11:39:47 2026
(Merged from https://github.com/openssl/openssl/pull/31349)
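The copy_tcause fix above comes down to one rule: allocate room for the terminator, but read only the bytes the source actually holds. The helper below is an added example written for this page, not OpenSSL's copy_tcause code; the packet bytes are constructed and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy `len` bytes that are NOT NUL-terminated (for example a
 * CONNECTION_CLOSE reason that points straight into a received packet)
 * into a fresh NUL-terminated heap buffer. Exactly `len` bytes are read
 * from `src`; the extra byte is allocated for the NUL we write ourselves.
 * Returns NULL on bad input or allocation failure.
 */
char *dup_reason_nul(const unsigned char *src, size_t len)
{
    char *r;

    if (src == NULL && len != 0)
        return NULL;
    if (len == SIZE_MAX)            /* len + 1 would wrap to 0 */
        return NULL;
    r = malloc(len + 1);            /* room for the terminator */
    if (r == NULL)
        return NULL;
    if (len > 0)
        memcpy(r, src, len);        /* copy len, never len + 1 */
    r[len] = '\0';                  /* terminator written by us, not read */
    return r;
}

/*
 * Constructed scenario: a 7-byte "packet" whose reason field is the first
 * 3 bytes and is followed by unrelated frame bytes, not by a NUL.
 * Returns 1 if the copy equals "bye" and is properly terminated.
 */
int dup_reason_selftest(void)
{
    static const unsigned char packet[7] = { 'b', 'y', 'e', 0x1c, 0x00, 0x00, 0x00 };
    char *copy = dup_reason_nul(packet, 3);
    int ok;

    if (copy == NULL)
        return 0;
    ok = strlen(copy) == 3 && memcmp(copy, "bye", 4) == 0;
    free(copy);
    return ok;
}
```

The `len == SIZE_MAX` guard is the one extra check a practitioner would add: `l + 1` as an allocation size silently wraps to zero at the top of the range.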
Teddy Engel [Mon, 18 May 2026 14:30:18 +0000 (15:30 +0100)]
Remove unused crl_dir setting from config files
The crl_dir setting in CA_default section is not used anywhere. Remove
it from the example config and test configs, update the VMSify-conf.pl
path conversion script to no longer reference it, and regenerate
openssl-vms.cnf.
Fixes #31103
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Wed Jun 3 11:37:02 2026
(Merged from https://github.com/openssl/openssl/pull/31215)
Jakub Zelenka [Fri, 29 May 2026 16:19:15 +0000 (18:19 +0200)]
statem: fix missing fatal if valid_flags mfail in process cert req
It is a contract of TLS process functions to trigger a fatal error if they
fail. This is not being done when checking the result of the s->s3.tmp.valid_flags
allocation. If this happens, it triggers an alert in read_state_machine()
for the READ_STATE_BODY state that calls this process function. It calls
check_fatal() if MSG_PROCESS_ERROR is returned and the assert in it
fails because no error is triggered.
The fix just adds the fatal and also uses the MSG_PROCESS_ERROR macro as
return value instead of a hard coded 0.
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Wed Jun 3 11:33:33 2026
(Merged from https://github.com/openssl/openssl/pull/31338)
Abel Tom [Thu, 28 May 2026 15:23:36 +0000 (17:23 +0200)]
crypto/hpke/hpke_util: Fixes redundant mdname is valid check.
Removed the redundant `mdname` is not NULL check.
Fixes #31299
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Jun 3 11:30:09 2026
(Merged from https://github.com/openssl/openssl/pull/31321)
Norbert Pocs [Fri, 29 May 2026 07:49:16 +0000 (09:49 +0200)]
Fix broken hex data by reformatting
The clang format broke some data in hexadecimal format. To make the tool
obedient, the trailing comma needs to be removed, then it interprets
the data differently and therefore does not reformat it. The format can
then be changed to the correct form.
Fixes: https://github.com/openssl/project/issues/1959
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 3 07:46:14 2026
(Merged from https://github.com/openssl/openssl/pull/31350)
rootvector2 [Fri, 29 May 2026 19:16:16 +0000 (00:46 +0530)]
rsa_sig: reject short buffers in raw verify_recover
The md==NULL path of rsa_verify_recover passed the caller buffer to
RSA_public_decrypt without checking routsize, while the X9.31 and PKCS#1
paths already reject undersized output buffers. RSA_public_decrypt writes
up to RSA_size() bytes, so a short rout overflows. Validate routsize
against RSA_size() before the call.
Fixes: 6f4b7663150e "PROV: add RSA signature implementation"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Tue Jun 2 11:55:00 2026
(Merged from https://github.com/openssl/openssl/pull/31340)
Cristian Yxen [Sat, 30 May 2026 19:08:27 +0000 (21:08 +0200)]
doc: Add a missing comma in -traditional option explanation.
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Tue Jun 2 11:48:05 2026
(Merged from https://github.com/openssl/openssl/pull/31342)
Anton Moryakov [Sun, 31 May 2026 09:33:11 +0000 (12:33 +0300)]
test: fix unreachable code in test_kdf_pbkdf2_large_output in evp_kdf_test.c
The condition `if (sizeof(len) > 32)` was intended to set `len` to
SIZE_MAX on platforms where size_t can hold values larger than 32 bits.
However, sizeof() returns the size in bytes, not bits. Since sizeof(size_t)
is typically 4 or 8 bytes on all current platforms, the condition was
always false, leaving len at 0 and skipping the large-output test.
This commit fixes the check by comparing SIZE_MAX directly against
0xFFFFFFFFU, which correctly detects whether size_t can represent
values exceeding 32-bit range. This ensures the test properly validates
PBKDF2 behavior when requested output length is excessively large.
Fixes: 1cae59d14b9e "Make KDFs fail if requesting a zero-length key."
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Tue Jun 2 11:10:23 2026
(Merged from https://github.com/openssl/openssl/pull/31344)
Ingo Franzki [Wed, 20 May 2026 14:57:07 +0000 (16:57 +0200)]
s390x: Selectively re-format s390xcap.c
The clang formatter made some code places unreadable. Selectively revert
the formatting to how it was before the re-formatting, and mark those places
with '/* clang-format off */' so that it does not get reformatted again.
While at it, change it to use designated initializers allowed with C-99.
No functional change intended.
Resolves: https://github.com/openssl/openssl/issues/31247
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:49:58 2026
(Merged from https://github.com/openssl/openssl/pull/31263)
007bsd [Tue, 26 May 2026 18:11:27 +0000 (21:11 +0300)]
poly1305: prevent crash on final without a key
EVP_MAC_init with a NULL key followed by EVP_MAC_final on a
Poly1305 context crashed with a NULL function-pointer dispatch
because poly1305_init accepted the no-key case as success, and
poly1305_final had no guard before dispatching through the
uninitialised Poly1305 state.
Add a key_set field to struct poly1305_data_st (matching
OCB/CCM/GCM), set it in poly1305_setkey, and refuse init and
final if no key has been installed.
Added a regression test asserting EVP_MAC_init with a NULL key
returns 0.
##### Checklist
- [ ] documentation is added or updated
- [x] tests are added or updated
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:35:02 2026
(Merged from https://github.com/openssl/openssl/pull/31298)
Jakub Zelenka [Thu, 28 May 2026 17:13:01 +0000 (19:13 +0200)]
quic: fix keyslot cctx leak by not checking EL state in teardown
el_teardown_keyslot() decided whether to free a keyslot by calling
ossl_qrl_enc_level_set_has_keyslot() against the EL's current state.
On error paths the state does not yet match the slots that were
provisioned, so the check returned 0 and the cctx and iv were leaked.
The fix drops the state check and relies on the existing cctx != NULL
check, which is sufficient for all callers of el_teardown_keyslot().
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Mon Jun 1 07:32:33 2026
(Merged from https://github.com/openssl/openssl/pull/31323)
Ilya Maximets [Mon, 11 May 2026 21:41:04 +0000 (23:41 +0200)]
ktls: Fix invalid memory access on retry with moving write buffer
kTLS write is using application buffer always without a memory copy.
And it completely ignores SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as a
result. If the user frees or re-uses the original buffer and retries
the send on SSL_ERROR_WANT_WRITE, the code will read and send the data
from the original already freed buffer sending whatever happens to be
in that memory now and corrupting the message, potentially crashing
the application as well.
Fix by making a copy if we can't send the whole thing right away and
the moving write buffer is configured.
This preserves the zero-copy semantics for the happy path and avoids
the invalid memory access and data corruption when retry is necessary.
The copy is done in the common code as it is hard to preserve the
zero-copy behavior otherwise.
Test is added that reproduces the issue. It may be possible to modify
the existing kTLS test to conditionally enable the modes and do the
BIO swap, but it feels like the issue deserves a separate one.
The test doesn't rely on any specific cipher or TLS version, so only
one combination is checked, but it should be enough.
There is no TLS_BUFFER_set_len() and the original kTLS code never
sets it, so not setting it on the copy either for now.
Fixes: 50ec750567e0 "ssl: Linux TLS Tx Offload"
Fixes #21202
Assisted-by: claude-opus-4.6
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:29:13 2026
(Merged from https://github.com/openssl/openssl/pull/31146)
Herman Semenoff [Sat, 25 Apr 2026 04:22:54 +0000 (07:22 +0300)]
ssl: avoid integer overflow by casting sum terms to size_t and not the result
Avoid possible integer overflow: instead of casting the sum to size_t,
each operand of the sum is cast to size_t before addition to avoid int
overflow.
Signed-off-by: Herman Semenoff <GermanAizek@yandex.ru>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun 1 07:24:21 2026
(Merged from https://github.com/openssl/openssl/pull/30972)
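The difference between casting the sum and casting each term, as the commit above describes it, is easy to see with 32-bit operands on a 64-bit target. This is an added example for this page, not the OpenSSL code the commit changed; the operand types and function names are assumptions chosen to make the wrap visible.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Wrong: the addition is performed in unsigned int, so it wraps modulo
 * 2^32 before the cast widens the (already wrong) result.
 */
size_t sum_cast_result(unsigned int a, unsigned int b)
{
    return (size_t)(a + b);
}

/*
 * Right: each operand is widened first, so the addition itself happens
 * in size_t and cannot wrap for any pair of unsigned int inputs on a
 * target where size_t is wider than unsigned int.
 */
size_t sum_cast_operands(unsigned int a, unsigned int b)
{
    return (size_t)a + (size_t)b;
}

/*
 * The check that callers of a length sum want on top of the cast: does
 * a + b fit in size_t at all? This still matters on 32-bit targets where
 * widening buys nothing. Returns 1 and stores the sum, or 0 on overflow.
 */
int checked_size_add(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    if (out != NULL)
        *out = a + b;
    return 1;
}

/* Constructed self-test: 0xFFFFFFFF + 1 must not come out as 0. */
int sum_selftest(void)
{
    size_t got = sum_cast_operands(0xFFFFFFFFU, 1U);
    size_t checked = 0;

    if (sizeof(size_t) > sizeof(unsigned int) && got == 0)
        return 0;                   /* widening was lost */
    if (!checked_size_add(0xFFFFFFFFU, 1U, &checked) || checked != got)
        return 0;
    if (checked_size_add(SIZE_MAX, 1U, NULL))
        return 0;                   /* overflow must be reported */
    return 1;
}
```

`sum_cast_result` is kept only to show the wrong form; on a 64-bit build it returns 0 for the inputs in the self-test while `sum_cast_operands` returns 0x100000000.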
rootvector2 [Wed, 27 May 2026 18:14:23 +0000 (23:44 +0530)]
crypto/evp: fix double free of tmp_keymgmt in sig/kem/asym init
Commit ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free
on error path in do_sigver_init" has fixed the double-free of tmp_keymgmt
in do_sigver_init() by setting it to NULL after the EVP_KEYMGMT_free() call;
the same issue is present in evp_kem_init(), evp_pkey_asym_cipher_init(),
and evp_pkey_signature_init(). Address it similarly, by setting
the pointers to NULL after *_free() calls.
Complements: ecb4757b377f "crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init"
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun May 31 11:03:15 2026
(Merged from https://github.com/openssl/openssl/pull/31312)
Jakub Zelenka [Thu, 28 May 2026 10:19:30 +0000 (12:19 +0200)]
quic: fix handling of the first rxe mfail in qrx_process_pkt
When qrx_ensure_free_rxe() fails at the start of qrx_process_pkt() the
function returned 0 without advancing the PACKET cursor and, for the
first packet in the datagram, without setting first_dcid. The
qrx_process_datagram() loop then re-entered qrx_process_pkt() for the
same bytes with pkt_idx >= 1 and the sentinel first_dcid (id_len = 255),
tripping the assertion in qrx_validate_hdr_early() that asserts
first_dcid->id_len to be lower than QUIC_MAX_CONN_ID_LEN.
The fix goes to the malformed label instead. The header has not been decoded
at this point so eop is NULL, which makes the malformed path discard the
rest of the datagram. This is because without an RXE we can process
neither this packet nor any that follow it. This also advances the
cursor and, when the failure is on the first packet, avoids leaving
first_dcid unset for the next iteration. It is consistent with the
other allocation-failure site in the function, which already routes
through malformed.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Fri May 29 14:08:56 2026
(Merged from https://github.com/openssl/openssl/pull/31316)
yangxuqing [Sat, 23 May 2026 01:56:18 +0000 (09:56 +0800)]
slh_dsa: Remove redundant cleanup to prevent double free
Since SLH_DSA_KEY is allocated with OPENSSL_zalloc, its members are
NULL-initialized. Removing the redundant slh_dsa_key_hash_cleanup()
inside the err path of slh_dsa_key_hash_init() prevents the
double free while allowing the outer ossl_slh_dsa_key_free() to
safely handle the cleanup.
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:45:46 2026
(Merged from https://github.com/openssl/openssl/pull/31274)
That pattern alone trips up anyone who associates 'm' with modulus, and
finds themselves using BN_nnmod() incorrectly.
This change modifies the argument names to match documentation.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Igor Ustinov <igus@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri May 29 07:25:31 2026
(Merged from https://github.com/openssl/openssl/pull/31304)
Jakub Zelenka [Thu, 21 May 2026 17:07:14 +0000 (19:07 +0200)]
quic: delay el keyslot teardown after creation in setup
There is an issue for key update in the TX path: if any of the operations
fails during keyslot setup (e.g. due to memory failure), the cctx stays
set to NULL, which results in a failed assertion in qtx_encrypt_into_txe.
The fix splits the build and installation steps in
ossl_qrl_enc_level_set_key_update so the cctx teardown is done only
after the build is successful. The install is then non-fallible so it
cannot end up with an empty cctx.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:18:36 2026
(Merged from https://github.com/openssl/openssl/pull/31268)
Nikola Pajkovsky [Mon, 25 May 2026 07:33:00 +0000 (09:33 +0200)]
crypto/aes/asm/asm-sha{1,256}-armv8.pl: add missing function alignment
clang-22 reported missing alignment on MacOS:
ld: warning: arm64 function not 4-byte aligned: _asm_sha1_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha1-armv8.o)
ld: warning: arm64 function not 4-byte aligned: _asm_sha256_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha256-armv8.o)
Add ".align 4" directives to the affected functions.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu May 28 08:31:59 2026
(Merged from https://github.com/openssl/openssl/pull/31284)
Jakub Zelenka [Mon, 18 May 2026 16:19:48 +0000 (18:19 +0200)]
Split mfail output into counting and injection subtests
Counting now always runs and is always checked, including when
hooks are not installed or skip-all is set. Only injection is
skipped in those cases.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu May 28 07:33:05 2026
(Merged from https://github.com/openssl/openssl/pull/31219)
quic: make ch_cleanup() idempotent and simplify channel error path
ch_init() calls ch_cleanup() on its own failure, after which
port_make_channel() may still call ossl_quic_channel_free() (which calls
ch_cleanup() again). The second call double-freed fields such as
ch->qlog_title.
To handle this, ch_cleanup() now NULLs every owned pointer after its
free and clears the have_statm / have_qsm flags after their destructors,
making it safe to invoke twice on the same channel.
With ch_cleanup() idempotent, port_make_channel() no longer needs the
ch_cleaned flag and the bare OPENSSL_free(ch) branch: the error path
unconditionally calls ossl_quic_channel_free() regardless of whether
ch_init() succeeded, partially initialized the channel, or already ran
ch_cleanup() on itself.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu May 28 07:26:22 2026
(Merged from https://github.com/openssl/openssl/pull/31177)
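The ch_cleanup() commit above and the tmp_keymgmt double-free fix earlier on this page apply the same pattern: a cleanup routine that NULLs each owned pointer after freeing it and clears each "have_*" flag after its destructor is safe to run twice, so the caller's error path no longer has to track whether the initializer already cleaned up after itself. The sketch below is an added example written for this page, not OpenSSL's channel code; the struct, the constructed title string and the counting destructor are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an object that owns heap buffers and a
 * flag-guarded sub-object (the have_statm / have_qsm idea). */
struct channel {
    char *title;          /* owned, may be NULL */
    unsigned char *buf;   /* owned, may be NULL */
    int have_statm;       /* non-zero once the sub-object was initialised */
    int statm_destroys;   /* how many times its destructor ran (for the test) */
};

static void statm_destroy(struct channel *ch)
{
    ch->statm_destroys++; /* a real destructor would release resources here */
}

/* Idempotent cleanup: every free is followed by NULLing the pointer and
 * every destructor by clearing its flag, so a second call does nothing. */
void ch_cleanup(struct channel *ch)
{
    if (ch->have_statm) {
        statm_destroy(ch);
        ch->have_statm = 0;
    }
    free(ch->title);
    ch->title = NULL;
    free(ch->buf);
    ch->buf = NULL;
}

/* Initialiser that cleans up after itself on failure. `fail_late` forces
 * a failure after both resources were acquired, mirroring the case the
 * commit describes. Returns 1 on success, 0 on failure. */
int ch_init(struct channel *ch, const char *title, int fail_late)
{
    size_t n = strlen(title) + 1;

    memset(ch, 0, sizeof(*ch));
    ch->title = malloc(n);
    if (ch->title == NULL)
        goto err;
    memcpy(ch->title, title, n);
    ch->buf = malloc(64);
    if (ch->buf == NULL)
        goto err;
    ch->have_statm = 1;
    if (fail_late)
        goto err;
    return 1;
err:
    ch_cleanup(ch);     /* partial state released here ... */
    return 0;
}

/* The caller's unconditional error path: free the channel whether or not
 * ch_init() already ran ch_cleanup(). Returns the destructor count, which
 * must be exactly 1 if cleanup is idempotent. */
int failed_init_destroy_count(void)
{
    struct channel ch;

    (void)ch_init(&ch, "constructed-title", 1);
    ch_cleanup(&ch);    /* ... and again here, safely */
    return ch.statm_destroys;
}

/* Success path for contrast: resources exist until the single cleanup. */
int ok_init_then_cleanup(void)
{
    struct channel ch;
    int had_title;

    if (!ch_init(&ch, "constructed-title", 0))
        return 0;
    had_title = ch.title != NULL && ch.buf != NULL && ch.have_statm == 1;
    ch_cleanup(&ch);
    return had_title && ch.title == NULL && ch.statm_destroys == 1;
}
```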
Daniel Kubec [Fri, 20 Mar 2026 20:14:11 +0000 (21:14 +0100)]
TLS: Verify session ID to prevent incorrect session resumption
When a TLS 1.2 session is resumed via an external server-side cache
SSL_CTX_sess_set_get_cb(), the session ID stored in an SSL_SESSION is assigned
by the server at the end of the original full handshake and never modified
afterwards. The client-supplied session ID in ClientHello is copied verbatim
from the session the client cached after that same handshake. If both sides
behaved correctly, the two values are guaranteed to be identical.
This commit adds an explicit comparison inside ssl_get_prev_session() between
the session ID the client offered in ClientHello and the session ID embedded in
the SSL_SESSION returned by the external cache. If they do not match, the cached
session is released and ssl_get_prev_session() returns as a cache miss, forcing
a full handshake. Catching the mismatch here ensures the server never sends a
ServerHello that claims resumption of a session ID it cannot legitimately echo.
A mismatch unambiguously indicates one of the following:
- a corrupt cache entry
- an external cache implementation that returned the wrong session
- an active tampering attempt
In all three cases refusing resumption and falling back to a full handshake is
the correct response.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 12:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30517)
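An added illustration of the check this commit describes, not OpenSSL's code: demo_session, demo_cache and demo_get_prev_session() are constructed stand-ins for SSL_SESSION, the SSL_CTX_sess_set_get_cb() callback and ssl_get_prev_session(). When the session the cache hands back carries an ID different from the one the client offered, the entry is released and the lookup reports a miss, so the caller runs a full handshake instead of echoing an ID it cannot legitimately resume.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for SSL_SESSION and the external session cache;
 * these are not OpenSSL's types or functions. */
#define DEMO_MAX_SID_LEN 32

typedef struct {
    unsigned char session_id[DEMO_MAX_SID_LEN];
    size_t session_id_length;
    int released;                 /* set when the lookup discards the entry */
} demo_session;

typedef struct {
    demo_session *entry;          /* what the get_cb callback would return */
} demo_cache;

/* Constant-time equality of two buffers of the same length. */
static int demo_ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/*
 * The check from the commit: the ID offered in ClientHello must equal the ID
 * stored in the session the cache returned. Returns 1 and sets *out for
 * resumption, 0 for a cache miss (full handshake).
 */
int demo_get_prev_session(demo_cache *cache, const unsigned char *offered,
                          size_t offered_len, demo_session **out)
{
    demo_session *sess = cache->entry;

    *out = NULL;
    if (sess == NULL || offered_len == 0 || offered_len > DEMO_MAX_SID_LEN)
        return 0;
    if (sess->session_id_length != offered_len
        || !demo_ct_equal(sess->session_id, offered, offered_len)) {
        sess->released = 1;       /* drop the wrong or corrupt entry */
        return 0;                 /* report a miss */
    }
    *out = sess;
    return 1;
}

/* Constructed session IDs used by the scenario helper below. */
const unsigned char demo_sid_a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
const unsigned char demo_sid_b[8] = { 1, 2, 3, 4, 5, 6, 7, 9 };

/*
 * Place one entry holding cached_id in the cache and offer offered_id.
 * Returns 1 if resumed, -1 if the entry was released as a mismatch,
 * 0 for a miss that left the entry alone (empty cache or bad length).
 */
int demo_run(const unsigned char *cached_id, size_t cached_len,
             const unsigned char *offered_id, size_t offered_len)
{
    demo_session sess;
    demo_cache cache;
    demo_session *out = NULL;

    memset(&sess, 0, sizeof(sess));
    memcpy(sess.session_id, cached_id, cached_len);
    sess.session_id_length = cached_len;
    cache.entry = &sess;

    if (demo_get_prev_session(&cache, offered_id, offered_len, &out) == 1)
        return 1;
    return sess.released ? -1 : 0;
}

int main(void)
{
    printf("matching ID   -> %d (1 = resume)\n", demo_run(demo_sid_a, 8, demo_sid_a, 8));
    printf("different ID  -> %d (-1 = released, full handshake)\n", demo_run(demo_sid_a, 8, demo_sid_b, 8));
    printf("short offered -> %d\n", demo_run(demo_sid_a, 8, demo_sid_a, 7));
    return 0;
}
```

The release-on-mismatch step matters as much as the comparison: a cache entry that does not describe the offered ID is not worth keeping around for a second lookup.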
The RSA PKCS#1 verify-recover provider path did not validate routsize
before passing the caller buffer to ossl_rsa_verify().
The X9.31 verify-recover path already rejects undersized output buffers,
but the PKCS#1 path could proceed with too little output space and rely
on the lower layer to write the recovered digest.
Check the expected digest size before calling ossl_rsa_verify() and
return PROV_R_OUTPUT_BUFFER_TOO_SMALL when the caller-provided buffer is
too small.
Add a regression test that covers both successful recovery with a
properly sized buffer and failure with a 1-byte output buffer, while
also checking that the short buffer is left unchanged.
Co-authored-by: Kushal <72255307+Kushalkhemka@users.noreply.github.com> Co-authored-by: Mayank <175295782+mayank-jangid-moon@users.noreply.github.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 11:46:40 2026
(Merged from https://github.com/openssl/openssl/pull/30917)
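An added example of the output-buffer rule this commit describes, not the provider's code: demo_verify_recover(), its return codes and its digest-size table are all constructed. It follows the EVP size-query convention (a NULL output pointer only reports the required length) and rejects the call before any write when the caller's buffer is shorter than the recovered digest; demo_short_buffer_untouched() mirrors the regression test with a 1-byte buffer.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed return codes and digest identifiers; not the provider's own. */
enum { DEMO_OK = 1, DEMO_ERR_OUTPUT_TOO_SMALL = -1, DEMO_ERR_BAD_INPUT = -2 };
enum { DEMO_SHA1 = 1, DEMO_SHA256 = 2, DEMO_SHA512 = 3 };

/* Expected digest length for a constructed md id, 0 if unknown. */
size_t demo_md_size(int md)
{
    switch (md) {
    case DEMO_SHA1:   return 20;
    case DEMO_SHA256: return 32;
    case DEMO_SHA512: return 64;
    default:          return 0;
    }
}

/*
 * Output handling modelled on the verify-recover contract: with out == NULL
 * only report the required size; otherwise refuse, before touching the
 * caller's buffer, when outsize is smaller than the digest the lower layer
 * would write. 'recovered' stands for the digest the RSA layer produced.
 */
int demo_verify_recover(int md, const unsigned char *recovered, size_t reclen,
                        unsigned char *out, size_t *outlen, size_t outsize)
{
    size_t need = demo_md_size(md);

    if (need == 0 || recovered == NULL || reclen != need)
        return DEMO_ERR_BAD_INPUT;
    if (out == NULL) {               /* size query */
        *outlen = need;
        return DEMO_OK;
    }
    if (outsize < need)              /* checked before any write happens */
        return DEMO_ERR_OUTPUT_TOO_SMALL;
    memcpy(out, recovered, need);
    *outlen = need;
    return DEMO_OK;
}

/* Constructed "recovered digest": bytes 0x00, 0x01, ... */
static void demo_fill_digest(unsigned char *d, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        d[i] = (unsigned char)i;
}

/* Size query, then a properly sized buffer: expect OK and a full copy. */
int demo_sized_buffer_ok(void)
{
    unsigned char digest[32], out[32];
    size_t need = 0, outlen = 0;

    demo_fill_digest(digest, sizeof(digest));
    if (demo_verify_recover(DEMO_SHA256, digest, 32, NULL, &need, 0) != DEMO_OK)
        return 0;
    if (need != 32)
        return 0;
    if (demo_verify_recover(DEMO_SHA256, digest, 32, out, &outlen, need) != DEMO_OK)
        return 0;
    return outlen == 32 && memcmp(out, digest, 32) == 0;
}

/* 1-byte buffer: expect the too-small error and the byte left unchanged. */
int demo_short_buffer_untouched(void)
{
    unsigned char digest[32], out[1] = { 0xA5 };
    size_t outlen = 0;
    int rc;

    demo_fill_digest(digest, sizeof(digest));
    rc = demo_verify_recover(DEMO_SHA256, digest, 32, out, &outlen, sizeof(out));
    return rc == DEMO_ERR_OUTPUT_TOO_SMALL && out[0] == 0xA5 && outlen == 0;
}

int main(void)
{
    printf("sized buffer ok: %d\n", demo_sized_buffer_ok());
    printf("short buffer rejected and untouched: %d\n", demo_short_buffer_untouched());
    return 0;
}
```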
Bob Beck [Wed, 20 May 2026 13:54:06 +0000 (07:54 -0600)]
Convert use of artisanally made hand-crafted integer types
to use the stdint.h ones.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
Bob Beck [Wed, 20 May 2026 13:27:08 +0000 (07:27 -0600)]
use stdint in modes.h
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
yangxuqing [Sat, 23 May 2026 02:33:35 +0000 (10:33 +0800)]
crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init
In do_sigver_init(), if the for loop proceeds to its second iteration
(iter = 2), the results from the first iteration (signature and
tmp_keymgmt) are explicitly freed at the beginning of the loop.
However, the pointers are not set to NULL after being freed.
If an error occurs subsequently during this second iteration (for
example, if evp_signature_fetch_from_prov() returns NULL, triggering a
goto notsupported), the control flow jumps to the generic cleanup block
at the end of the function. This cleanup block calls
EVP_KEYMGMT_free(tmp_keymgmt) again on the dangling pointer, resulting
in a double free.
This commit resolves the issue by explicitly nullifying these pointers
immediately after they are freed at the start of the loop iteration.
(Note: This issue was discussed with the OpenSSL Security Team, who
classified it as a regular bug due to lack of attacker control and
requested a public PR.)
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:28:15 2026
(Merged from https://github.com/openssl/openssl/pull/31276)
Daniel Kubec [Mon, 18 May 2026 23:44:34 +0000 (01:44 +0200)]
test/tls13tickettest.c: check SSL_TICKET_NO_DECRYPT path in tls_parse_ctos_psk()
Add a test that rotates ticket keys so that the previously issued ticket
can no longer be decrypted: if session resumption fails
due to a NO_DECRYPT, it is expected to fall back to a full handshake,
and a new session ticket is issued.
Complements: 6115286faeb8 "TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch"
References: https://github.com/openssl/openssl/pull/30626
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:20:59 2026
(Merged from https://github.com/openssl/openssl/pull/31223)
crypto/cmp/cmp_genm.c: avoid strcat() in get_genm_itav()
There is no need to use strcat() there, as it concatenates into a string
that is used in a format string anyway. Put the literal prefix
into the format string and avoid literal string copying.
Fixes: d477484d33b7 "CMP: add support for genm/genp messages with id-it-caCerts" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue May 26 14:54:19 2026
(Merged from https://github.com/openssl/openssl/pull/31230)
Andrew Dinh [Wed, 29 Apr 2026 17:44:17 +0000 (00:44 +0700)]
util: add acvp-test util
Add a Python script acvp-test to the util/ directory, that tests
an OpenSSL binary against the NIST ACVTS demo server. acvp-test util
supports most major algorithms, including PQC algorithms added in 3.5.
Test an OpenSSL binary against the NIST ACVTS demo server.
options:
-h, --help show this help message and exit
--algorithm ALGO Algorithm to test (default: ACVP-AES-CBC)
--direction {encrypt,decrypt} [{encrypt,decrypt} ...]
Direction(s) for symmetric algorithms (default: both)
--key-len BITS [BITS ...]
Key length(s) in bits for symmetric algorithms (default: all)
--production Run as a production validation (default: sample/demo mode)
--save-vectors Save downloaded vector sets to vectors_vsNNN.json
Andrew Dinh [Wed, 20 May 2026 16:09:48 +0000 (23:09 +0700)]
quic_impl.c: pass correct SSL to ossl_ssl_connection_new_int in ossl_quic_new_from_listener
In ossl_quic_new_from_listener(), the call to ossl_ssl_connection_new_int()
was passing NULL for the user_ssl parameter. NULL causes s->user_ssl
to be set to the inner TLS ssl object, so the inner SSL object points
to itself rather than to the outer QUIC connection object.
The fix passes &qc->obj.ssl instead of NULL. Afterwards,
ossl_quic_obj_init() will initialize &qc->obj.ssl in place.
Resolves: https://github.com/openssl/project/issues/989 Fixes: 0b15147a37c5 "Implement SSL_new_from_listener()" Reviewed-by: Bob Beck <beck@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 14:12:45 2026
(Merged from https://github.com/openssl/openssl/pull/31257)
kovan [Thu, 29 Jan 2026 14:13:28 +0000 (15:13 +0100)]
doc: add SSL/SSL_CTX thread safety section to openssl-threads
Add explicit documentation about thread safety of SSL and SSL_CTX
objects, clarifying that:
- SSL_CTX can be shared among threads but should be treated as
read-only after creating SSL objects or sharing across threads
- SSL connection objects should only be used by one thread at a time
- Each thread handling TLS connections should create its own SSL object
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Milan Broz <mbroz@openssl.org> Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Tue May 26 13:19:35 2026
(Merged from https://github.com/openssl/openssl/pull/29847)
yangxuqing [Sat, 23 May 2026 02:06:41 +0000 (10:06 +0800)]
providers: Nullify BIO pointer after free to prevent double free
In providers/implementations/storemgmt/file_store_any2obj.c, if the
control flow reaches the err label after BIO_free(in) is called, a
double free will occur in the generic cleanup block.
Currently, the only path to this specific err jump is if
BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team,
this failure is currently impossible because the buffer is being
shrunk (max_len >= len).
However, as requested by the security team via email, this commit
explicitly nullifies the in pointer after the first free to
future-proof the function and prevent a double free in case the
semantics of BUF_MEM_grow() or the surrounding logic change in
the future.
Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY"
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 10:14:50 2026
(Merged from https://github.com/openssl/openssl/pull/31275)
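An added example covering this commit and the m_sigver.c double-free fix above; none of it is OpenSSL's code. demo_alloc() and demo_free() are a constructed tracking allocator that counts a second free of the same pointer instead of corrupting the heap, so both control-flow shapes (the two-iteration loop of do_sigver_init() and the free-then-goto-err path of file_store_any2obj.c) can be run with and without the pointer being reset to NULL after the first free. demo_fetch_signature() is a constructed stand-in for evp_signature_fetch_from_prov().

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed tracking allocator (not OpenSSL's): live pointers are recorded
 * so a second free of the same pointer is counted instead of corrupting the
 * heap. demo_free(NULL) is a no-op, like free() and the *_free() routines. */
#define DEMO_MAX_LIVE 16
static void *demo_live[DEMO_MAX_LIVE];
static int demo_double_frees;

void *demo_alloc(size_t n)
{
    void *p = malloc(n);
    int i;

    for (i = 0; p != NULL && i < DEMO_MAX_LIVE; i++) {
        if (demo_live[i] == NULL) {
            demo_live[i] = p;
            return p;
        }
    }
    free(p);                           /* tracker full or malloc failed */
    return NULL;
}

void demo_free(void *p)
{
    int i;

    if (p == NULL)
        return;
    for (i = 0; i < DEMO_MAX_LIVE; i++) {
        if (demo_live[i] == p) {
            demo_live[i] = NULL;
            free(p);
            return;
        }
    }
    demo_double_frees++;               /* not live any more: a double free */
}

/* Stand-in for evp_signature_fetch_from_prov(): only iteration 1 succeeds. */
static void *demo_fetch_signature(int iter)
{
    return iter == 1 ? demo_alloc(8) : NULL;
}

/* do_sigver_init() shape: iteration 2 frees iteration 1's results at the loop
 * top, its fetch fails, and the common cleanup frees tmp_keymgmt again.
 * nullify == 0 is the pre-fix code; nullify == 1 resets the pointers right
 * after the free. Returns the number of double frees detected. */
int demo_sigver_pattern(int nullify)
{
    void *tmp_keymgmt = NULL, *signature = NULL;
    int iter;

    demo_double_frees = 0;
    for (iter = 1; iter < 3; iter++) {
        demo_free(signature);          /* both NULL on the first iteration */
        demo_free(tmp_keymgmt);
        if (nullify) {
            signature = NULL;
            tmp_keymgmt = NULL;
        }
        signature = demo_fetch_signature(iter);
        if (signature == NULL)
            goto cleanup;              /* the "goto notsupported" path */
        tmp_keymgmt = demo_alloc(16);  /* keymgmt fetched for this method */
        /* ...method turns out unusable, so the loop tries the next source... */
    }
 cleanup:
    demo_free(signature);
    demo_free(tmp_keymgmt);
    return demo_double_frees;
}

/* file_store_any2obj.c shape: the BIO is freed once consumed, then a later
 * failure (BUF_MEM_grow() in the commit) jumps to err, whose generic cleanup
 * frees it again. Returns the number of double frees detected. */
int demo_store_pattern(int nullify, int grow_fails)
{
    void *in, *mem;

    demo_double_frees = 0;
    in = demo_alloc(64);               /* the BIO */
    mem = demo_alloc(64);              /* the BUF_MEM */
    if (in == NULL || mem == NULL)
        goto err;
    /* ...contents read from in into mem; in is no longer needed... */
    demo_free(in);
    if (nullify)
        in = NULL;
    if (grow_fails)
        goto err;                      /* the only route to err after the free */
    demo_free(mem);                    /* success: mem handed to the caller */
    return demo_double_frees;
 err:
    demo_free(in);
    demo_free(mem);
    return demo_double_frees;
}
```

Both functions return 1 without the reset and 0 with it, which is the whole argument for the "free, then NULL" habit at exit paths: the generic cleanup block stays correct no matter which earlier statement handed control to it.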
Ahmed Rabea [Thu, 21 May 2026 13:24:11 +0000 (16:24 +0300)]
crypto/dso/dso_win32.c: fix win32_joiner buffer sizing for dir-only paths
win32_joiner() always emits a trailing '\' when file_split->dir
is present, even if file_split->file is NULL. The previous length
calculation only reserved that byte when file_split->file was also
non-NULL, which could cause a one-byte overflow.
Resolves: https://github.com/openssl/openssl/issues/31260 Fixes: cbecb3ac3763 "There's an ongoing project to bring some kind of path selection mechanism to the ENGINE framework. This means there there are going to be new functionality for the DSO part, and ultimately some way of merging two file specifications together.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:36:02 2026
(Merged from https://github.com/openssl/openssl/pull/31266)
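An added illustration of the length rule in this commit, not OpenSSL's win32_joiner(): demo_split, demo_joined_len() and demo_join() are constructed. demo_joined_len_buggy() reproduces the pre-fix count, which reserves the separator byte only when both parts are present, and demo_join() places a canary byte just past the reserved area so the one-byte overrun on a dir-only path is reported rather than written over real memory.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed split form of a Win32 path; either part may be NULL. */
typedef struct {
    const char *dir;
    const char *file;
} demo_split;

/* Fixed rule: a present dir always gets a trailing '\', file or no file. */
size_t demo_joined_len(const demo_split *s)
{
    size_t n = 0;

    if (s->dir != NULL)
        n += strlen(s->dir) + 1;          /* +1 for the separator */
    if (s->file != NULL)
        n += strlen(s->file);
    return n;
}

/* Pre-fix rule from the commit: the separator is counted only when both
 * parts are present, one byte short for dir-only input. */
size_t demo_joined_len_buggy(const demo_split *s)
{
    size_t n = 0;

    if (s->dir != NULL)
        n += strlen(s->dir);
    if (s->file != NULL)
        n += strlen(s->file) + (s->dir != NULL ? 1 : 0);
    return n;
}

/*
 * Emit the joined path under the given sizing rule. One spare byte past the
 * reserved area holds a canary; the NUL landing there is the one-byte
 * overrun the commit describes, reported through *overrun instead of
 * corrupting memory. Caller frees the result.
 */
char *demo_join(const demo_split *s, size_t (*lenfn)(const demo_split *),
                int *overrun)
{
    size_t reserved = lenfn(s) + 1;       /* what the rule thinks it needs, incl. NUL */
    char *buf = malloc(reserved + 1);     /* +1: canary slot */
    char *p;

    if (buf == NULL)
        return NULL;
    buf[reserved] = 0x7f;                 /* canary */
    p = buf;
    if (s->dir != NULL) {
        size_t n = strlen(s->dir);
        memcpy(p, s->dir, n);
        p += n;
        *p++ = '\\';                      /* always emitted when dir is present */
    }
    if (s->file != NULL) {
        size_t n = strlen(s->file);
        memcpy(p, s->file, n);
        p += n;
    }
    *p = '\0';
    *overrun = (buf[reserved] != 0x7f);
    return buf;
}

/*
 * Join dir/file under one sizing rule and compare with expect.
 * Returns 1 on an exact match without overrun, -1 if the canary was hit,
 * 0 on a mismatch or allocation failure.
 */
int demo_check(const char *dir, const char *file, const char *expect, int buggy)
{
    demo_split s;
    int overrun = 0, rc;
    char *joined;

    s.dir = dir;
    s.file = file;
    joined = demo_join(&s, buggy ? demo_joined_len_buggy : demo_joined_len, &overrun);
    if (joined == NULL)
        return 0;
    rc = overrun ? -1 : (strcmp(joined, expect) == 0 ? 1 : 0);
    free(joined);
    return rc;
}

int main(void)
{
    printf("dir only, fixed sizing: %d\n", demo_check("C:\\dir", NULL, "C:\\dir\\", 0));
    printf("dir only, old sizing  : %d (-1 = canary hit)\n", demo_check("C:\\dir", NULL, "C:\\dir\\", 1));
    return 0;
}
```

The defensive lesson is that the length computation and the emitting loop must encode the same rule; here the emitter always writes the separator for a present dir, so the sizing function has to reserve it under the same condition, not a stricter one.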
As these are public by necessity, we may as well allow folks
to use them to selectively disable deprecation warnings if they
wish to temporarily use deprecated functions in limited locations
in their code.
Complements: 4036f4b0e324 "Add new public API for checking certificate times."
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:22:58 2026
(Merged from https://github.com/openssl/openssl/pull/31270)