git.ipfire.org Git - thirdparty/openssl.git/log
3 weeks ago: Add WSL build instructions to NOTES-WINDOWS.md
Josh Auler [Thu, 12 Mar 2026 04:23:53 +0000 (00:23 -0400)] 
Add WSL build instructions to NOTES-WINDOWS.md

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30386)

3 weeks ago: Fix memory leak in get_str_from_file()
YZL0v3ZZ [Wed, 11 Mar 2026 14:16:48 +0000 (22:16 +0800)] 
Fix memory leak in get_str_from_file()

If BIO_gets encounters an empty file or read error, the function
returns NULL without freeing the dynamically allocated heap block (buf).

Safely clear and free the allocated buffer before returning NULL on
the error path. Since get_str_from_file() may handle cryptographic
keys, OPENSSL_clear_free() is used to prevent leaking sensitive data.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30373)

3 weeks ago: Add a test to confirm that we get the expected error with HTTP
Matt Caswell [Fri, 27 Feb 2026 12:25:04 +0000 (12:25 +0000)] 
Add a test to confirm that we get the expected error with HTTP

If we send HTTP directly over a TLS connection then we expect to receive
the SSL_R_HTTP_REQUEST error. So we add a test to confirm that we do.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:44 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

3 weeks ago: Defer the check that the record fits in our buffer
Matt Caswell [Fri, 27 Feb 2026 11:57:41 +0000 (11:57 +0000)] 
Defer the check that the record fits in our buffer

Previously we confirmed that the record we received from the peer
actually fits in our buffer before validating the record header. However,
this interferes with the checks that the "any" method does for accidental
use of HTTP because the record length will be wrong in this case. To solve
this we simply defer the check until after the record header has been
validated.

Fixes #30196

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:41 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

3 weeks ago: Remove further remnants of SSLv2 ClientHello handling
Matt Caswell [Fri, 27 Feb 2026 11:50:15 +0000 (11:50 +0000)] 
Remove further remnants of SSLv2 ClientHello handling

We recently removed support for SSLv2 ClientHello messages - but some
remnants still remained in the record layer. We remove those too.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

3 weeks ago: Fix resource leak in crls_http_cb()
YZL0v3ZZ [Wed, 11 Mar 2026 13:48:14 +0000 (21:48 +0800)] 
Fix resource leak in crls_http_cb()

When the function fails to push the second CRL to the stack, it
incorrectly uses sk_X509_CRL_free() instead of sk_X509_CRL_pop_free().
This destroys the stack container but orphans previously pushed
X509_CRL objects.

Replace it with sk_X509_CRL_pop_free passing X509_CRL_free as the
cleanup routine to ensure deep deallocation of any pushed items.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30372)

3 weeks ago: bn: Save/restore non-volatile registers in RSAZ AVX-IFMA code for Win64
Zhiguo Zhou [Fri, 6 Mar 2026 06:39:08 +0000 (14:39 +0800)] 
bn: Save/restore non-volatile registers in RSAZ AVX-IFMA code for Win64

The Windows x64 calling convention requires that registers %rsi, %rdi,
and %xmm6 through %xmm15 be preserved by the callee. This patch updates
the RSAZ-2K, 3K, and 4K AVX-IFMA assembly routines to correctly push/pop
%rsi/%rdi and save/restore the non-volatile XMM registers to the stack
when building for Win64.

This ensures ABI compliance and prevents potential data corruption or
crashes in callers that rely on these registers being preserved across
function calls.

Functions updated:
- ossl_rsaz_amm52x20_x1_avxifma256
- ossl_rsaz_amm52x20_x2_avxifma256
- ossl_extract_multiplier_2x20_win5_avx
- ossl_extract_multiplier_2x30_win5_avx
- ossl_extract_multiplier_2x40_win5_avx

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 12:15:10 2026
(Merged from https://github.com/openssl/openssl/pull/30280)

4 weeks ago: Fix uninitialized variables in rsaz-3k-avxifma & rsaz-4k-avxifma
slontis [Wed, 18 Feb 2026 03:12:59 +0000 (14:12 +1100)] 
Fix uninitialized variables in rsaz-3k-avxifma & rsaz-4k-avxifma
assembler.

This looks like a block copy bug: the 2k file uses both fields, but the
3k & 4k variants only pass acc0_0 to functions.

Reported and proposed fix supplied by pyca (@reaperhulk and @alex).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 08:48:11 2026
(Merged from https://github.com/openssl/openssl/pull/30061)

4 weeks ago: ml-kem: wipe full seed buffer in ml_kem_gen_cleanup
nkraetzschmar [Tue, 10 Mar 2026 21:33:59 +0000 (22:33 +0100)] 
ml-kem: wipe full seed buffer in ml_kem_gen_cleanup

The gen ctx stores seed material in uint8_t seedbuf[ML_KEM_SEED_BYTES],
where ML_KEM_SEED_BYTES = ML_KEM_RANDOM_BYTES * 2.
When cleanup runs and gctx->seed != NULL, it wiped ML_KEM_RANDOM_BYTES,
clearing only half of the seed buffer.

This change wipes the entire buffer instead.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:42:00 2026
(Merged from https://github.com/openssl/openssl/pull/30355)

4 weeks ago: ossl_bsearch: Fix possible integer overflow bug
Joseph Paul [Tue, 10 Mar 2026 13:00:49 +0000 (18:30 +0530)] 
ossl_bsearch: Fix possible integer overflow bug

Adding the high and low limits might cause the classic binary
search overflow bug. Probably not a concern, but it's one less
thing to worry about.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:35:30 2026
(Merged from https://github.com/openssl/openssl/pull/30342)

4 weeks ago: Doc: Add additional information to the contributing page.
slontis [Tue, 10 Mar 2026 05:27:57 +0000 (16:27 +1100)] 
Doc: Add additional information to the contributing page.

Updates for new users related to PRs.
Although some of this info is in other places, a new user should
not need to look at 'committer' related docs.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Mar 13 08:28:19 2026
(Merged from https://github.com/openssl/openssl/pull/30336)

4 weeks ago: doc: Fix X509_NAME_print documentation to reflect actual behavior
kovan [Mon, 2 Feb 2026 11:35:29 +0000 (12:35 +0100)] 
doc: Fix X509_NAME_print documentation to reflect actual behavior

The documentation claimed that X509_NAME_print() would indent each line
by obase characters and wrap lines exceeding 80 characters. However, the
implementation has never actually used obase for any purpose since the
line-wrapping code was removed in 2007 as unreachable.

Update the documentation to state that obase is ignored and the function
outputs on a single line.

Fixes #18004

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:21:51 2026
(Merged from https://github.com/openssl/openssl/pull/29900)

4 weeks ago: apps: unload provider on app_provider_load() failure
Brittany Morris [Mon, 9 Mar 2026 01:38:53 +0000 (21:38 -0400)] 
apps: unload provider on app_provider_load() failure

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 08:10:06 2026
(Merged from https://github.com/openssl/openssl/pull/30314)

4 weeks ago: Remove static int from .bss
Joshua Rogers [Wed, 29 Oct 2025 19:12:33 +0000 (03:12 +0800)] 
Remove static int from .bss

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:22:02 2026
(Merged from https://github.com/openssl/openssl/pull/28909)

4 weeks ago: NonStop: reset hpns_connect_attempt at call start and on success
Joshua Rogers [Sun, 12 Oct 2025 14:08:04 +0000 (22:08 +0800)] 
NonStop: reset hpns_connect_attempt at call start and on success

Ensure the NonStop fallback state does not leak across calls by clearing hpns_connect_attempt at the beginning of RAND_query_egd_bytes and after a successful connect. No impact on other platforms.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:22:00 2026
(Merged from https://github.com/openssl/openssl/pull/28909)

4 weeks ago: QUIC LCID hash table collapse on Windows/32-bit due to SipHash digest size misuse
Alexandr Nedvedicky [Wed, 28 Jan 2026 07:03:18 +0000 (08:03 +0100)] 
QUIC LCID hash table collapse on Windows/32-bit due to SipHash digest size misuse

Using sizeof(unsigned long) as SipHash digest size; SipHash supports
only 8 or 16 bytes. On platforms where sizeof(unsigned long) == 4,
the call fails, and lcid_hash returns the zero-initialized value,
degrading the hash table into a list.

The issue was kindly reported and fix provided by Stanislav Fort at Aisle Research.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:04:10 2026
(Merged from https://github.com/openssl/openssl/pull/29814)

4 weeks ago: rand_egd: harden EGD I/O and bounds; defer fdopen until post connect
Joshua Rogers [Sun, 12 Oct 2025 13:52:21 +0000 (21:52 +0800)] 
rand_egd: harden EGD I/O and bounds; defer fdopen until post connect

Tighten RAND_query_egd_bytes and fix edge cases:

* Reject nonpositive request sizes to avoid wrap when storing the
  length byte in tempbuf[1].
* Treat server length byte as untrusted; bound by the requested size
  and by sizeof(tempbuf) to avoid overrunning caller or stack buffers.
* Defer fdopen until after a successful connect. On HPE NonStop
  (OPENSSL_SYS_TANDEM) the connect retry path may swap the socket fd;
  creating the FILE* early could leave a stale stream pointing at a
  closed descriptor, causing EBADF or short I/O, and leaking the new
  socket. Creating the stream after connect avoids this.
* Initialize fd to -1 and close the raw fd when fdopen fails; ensure
  we close either FILE* or the raw fd on all error paths.
* Remove unused code.

Behavior is unchanged on platforms that do not swap fds during connect.
On TANDEM it prevents stale I/O and descriptor leaks. Overall this
improves robustness and bounds checking for EGD interactions.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/28905)

4 weeks ago: Fix a one byte buffer overflow in s_client
Matt Caswell [Wed, 11 Mar 2026 15:06:32 +0000 (15:06 +0000)] 
Fix a one byte buffer overflow in s_client

The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.

This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.

This issue was reported to us by Igor Morgenstern from AISLE.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)

4 weeks ago: Fix error handling in SSL_CTX_add_session
Bernd Edlinger [Mon, 22 Sep 2025 14:23:47 +0000 (16:23 +0200)] 
Fix error handling in SSL_CTX_add_session

An out-of-memory error in lh_SSL_SESSION_insert
could trigger various use-after-free errors.

Fixes #28632

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:51:38 2026
(Merged from https://github.com/openssl/openssl/pull/28636)

4 weeks ago: doc/man3/OPENSSL_malloc: clarify OPENSSL_clear_free() w/ NULL
dann frazier [Wed, 30 Jul 2025 14:51:30 +0000 (08:51 -0600)] 
doc/man3/OPENSSL_malloc: clarify OPENSSL_clear_free() w/ NULL

It wasn't explicitly clear that it was safe to call OPENSSL_clear_free()
with a NULL because, as worded, it sounded like it may call
OPENSSL_cleanse() on NULL before calling OPENSSL_free().

CLA: trivial

Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:43:51 2026
(Merged from https://github.com/openssl/openssl/pull/28127)

4 weeks ago: Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter
OwenSanzas [Tue, 10 Mar 2026 00:05:35 +0000 (00:05 +0000)] 
Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter

The `num` parameter in DES OFB64/CFB64 functions tracks the byte offset
within an 8-byte DES block, so valid values are 0-7. However, neither
the EVP set_params path nor the low-level DES functions validated this
bound, allowing an out-of-range `num` to cause a stack buffer over-read
when used as an array index into the 8-byte keystream buffer.

Fix at two levels:
1. Provider layer: reject num >= blocksize in
   ossl_cipher_common_set_ctx_params() before it reaches the cipher.
2. Low-level DES: mask `*num` with `& 0x07` on entry to
   DES_ofb64_encrypt, DES_ede3_ofb64_encrypt, DES_cfb64_encrypt,
   and DES_ede3_cfb64_encrypt, consistent with how `n` is already
   masked at the end of these functions before being written back.

Fixes #30284

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 14:24:12 2026
(Merged from https://github.com/openssl/openssl/pull/30332)

4 weeks ago: fix NULL pointer dereference when pass1 is NULL
Alexandr Nedvedicky [Wed, 11 Mar 2026 07:30:01 +0000 (08:30 +0100)] 
fix NULL pointer dereference when pass1 is NULL

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1684201
Complements: #adc8e4abd96 Fix Memory leak in app_passwd

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 11:32:05 2026
(Merged from https://github.com/openssl/openssl/pull/30365)

4 weeks ago: PKCS12: Document that the range for key length when using PBMAC1 is (1..64).
slontis [Fri, 6 Mar 2026 04:25:27 +0000 (15:25 +1100)] 
PKCS12: Document that the range for key length when using PBMAC1 is (1..64).

Fixes #30246

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:32 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

4 weeks ago: PKCS12: Avoid bypassing the provider when doing HMAC operations.
slontis [Fri, 6 Mar 2026 04:20:41 +0000 (15:20 +1100)] 
PKCS12: Avoid bypassing the provider when doing HMAC operations.

pkcs12_gen_mac() now uses EVP_MAC instead of direct HMAC_ calls.

PBMAC1_PBKDF2_HMAC() now adds additional data to raised parsing errors.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:31 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

4 weeks ago: PKCS12 app fix
slontis [Fri, 6 Mar 2026 04:07:51 +0000 (15:07 +1100)] 
PKCS12 app fix

Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.

In the case of an error in the verify path, do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac().
If only the password was wrong it does not raise an error.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

4 weeks ago: refactor: remove redundant p/q retrieval in ossl_rsa_fromdata
rezhboyu [Tue, 10 Mar 2026 18:31:06 +0000 (02:31 +0800)] 
refactor: remove redundant p/q retrieval in ossl_rsa_fromdata

The p and q parameters were being retrieved into local BIGNUM variables
but never actually used. This change removes the excess retrieval to improve
maintainability, following the discussion in PR #30298.

Resolves #30340

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Mar 12 10:32:24 2026
(Merged from https://github.com/openssl/openssl/pull/30353)

4 weeks ago: Add openssl-4.0 branch to various CI jobs
Tomas Mraz [Tue, 10 Mar 2026 19:18:40 +0000 (20:18 +0100)] 
Add openssl-4.0 branch to various CI jobs

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar 12 09:30:32 2026
(Merged from https://github.com/openssl/openssl/pull/30354)

4 weeks ago: asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts
Hamzah M. Yamani [Sun, 1 Mar 2026 20:21:08 +0000 (15:21 -0500)] 
asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts

Replace direct ASN1_STRING struct member access (->data, ->length) with
public accessor functions ASN1_STRING_get0_data() and ASN1_STRING_length()
in consumer code across four subsystems.

Also fix i2d_SCT_LIST() in crypto/ct/ct_oct.c to heap-allocate
ASN1_OCTET_STRING via ASN1_OCTET_STRING_new() and ASN1_STRING_set0()
rather than stack-allocating it, since the struct is now opaque.

Removes #include <crypto/asn1.h> from all modified files except
crypto/cmp/cmp_protect.c, which retains it for ossl_X509_ALGOR_from_nid().

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:53:07 2026
(Merged from https://github.com/openssl/openssl/pull/30223)

4 weeks ago: add an initial space to format a command in `openssl-cms.pod.in`
Pablo Rodríguez [Thu, 5 Mar 2026 16:49:12 +0000 (17:49 +0100)] 
add an initial space to format a command in `openssl-cms.pod.in`

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:42:31 2026
(Merged from https://github.com/openssl/openssl/pull/30274)

4 weeks ago: doc/man3/X509_STORE_set_verify_cb_func.pod: mention callback constification
Eugene Syromiatnikov [Thu, 5 Mar 2026 15:55:28 +0000 (16:55 +0100)] 
doc/man3/X509_STORE_set_verify_cb_func.pod: mention callback constification

Update the signatures for X509_STORE_CTX_get_issuer_fn
and X509_STORE_CTX_check_issued_fn.

Complements: e5b563366b00 "Constify X509_STORE_CTX functions invoving X509 *"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:38:24 2026
(Merged from https://github.com/openssl/openssl/pull/30271)

4 weeks ago: doc: add return value documentation for EVP_CIPHER params functions
kovan [Sat, 7 Feb 2026 17:09:44 +0000 (18:09 +0100)] 
doc: add return value documentation for EVP_CIPHER params functions

Document the return values for EVP_CIPHER_get_params(),
EVP_CIPHER_CTX_get_params() and EVP_CIPHER_CTX_set_params().
These functions return a positive value for success and 0 or a
negative value for failure, since provider callbacks return int.

Fixes #29725

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 21:03:58 2026
(Merged from https://github.com/openssl/openssl/pull/29915)

4 weeks ago: Fix clang-format: remove leading space from err label
OwenSanzas [Tue, 10 Mar 2026 16:11:31 +0000 (16:11 +0000)] 
Fix clang-format: remove leading space from err label

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Mar 11 20:58:54 2026
(Merged from https://github.com/openssl/openssl/pull/30331)

4 weeks ago: Remove unnecessary comments and extra blank line
OwenSanzas [Tue, 10 Mar 2026 09:42:22 +0000 (09:42 +0000)] 
Remove unnecessary comments and extra blank line

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Mar 11 20:58:51 2026
(Merged from https://github.com/openssl/openssl/pull/30331)

4 weeks ago: Remove unnecessary caps in key/iv initialization loops
OwenSanzas [Tue, 10 Mar 2026 09:31:54 +0000 (09:31 +0000)] 
Remove unnecessary caps in key/iv initialization loops

Drop the `&& i < 16` and `&& i < 8` guards that were carried over from
the original fixed-size arrays. The loops now fill the entire
heap-allocated buffer, with values wrapping naturally via unsigned char.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Mar 11 20:58:49 2026
(Merged from https://github.com/openssl/openssl/pull/30331)

4 weeks ago: Refactor do_evp_cipher error paths to use goto err
OwenSanzas [Tue, 10 Mar 2026 07:57:47 +0000 (07:57 +0000)] 
Refactor do_evp_cipher error paths to use goto err

Initialize key, iv, and ctx to NULL at declaration and consolidate
all cleanup into a single err label, as suggested by @npajkovsky.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Mar 11 20:58:47 2026
(Merged from https://github.com/openssl/openssl/pull/30331)

4 weeks ago: fuzz/provider.c: fix API call order in do_evp_cipher and do_evp_md
OwenSanzas [Mon, 9 Mar 2026 23:50:46 +0000 (23:50 +0000)] 
fuzz/provider.c: fix API call order in do_evp_cipher and do_evp_md

Both do_evp_cipher() and do_evp_md() call the parameter-setting
function (EVP_CIPHER_CTX_set_params / EVP_MD_CTX_set_params) before
initializing the algorithm context (EVP_EncryptInit_ex2 /
EVP_DigestInit_ex2). Since the context has no algorithm associated
at that point, set_params always returns 0 and the function
early-returns, making the cipher and digest paths dead code (~20%
of all fuzzer inputs).

Fix by swapping the call order so the context is initialized first.

Additionally, heap-allocate key/iv buffers sized to the cipher's
actual key and IV length, since some ciphers (e.g. DES-EDE3-OFB)
require buffers larger than the previous fixed 16/8-byte arrays.

Fixes #30281

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Mar 11 20:58:44 2026
(Merged from https://github.com/openssl/openssl/pull/30331)

4 weeks ago: ML-DSA: Add Win64 SEH unwind support to AVX2 NTT functions
Marcel Cornu [Thu, 5 Mar 2026 14:15:55 +0000 (14:15 +0000)] 
ML-DSA: Add Win64 SEH unwind support to AVX2 NTT functions

Add ntt_se_handler and .pdata/.xdata sections for the three AVX2 NTT
functions.

Signed-off-by: Marcel Cornu <marcel.d.cornu@intel.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 15:47:52 2026
(Merged from https://github.com/openssl/openssl/pull/30160)

4 weeks ago: ML-DSA: Preserve non-volatile XMM registers on Windows
Marcel Cornu [Wed, 4 Mar 2026 21:18:19 +0000 (21:18 +0000)] 
ML-DSA: Preserve non-volatile XMM registers on Windows

AVX2 NTT functions clobber YMM6-YMM15. This commit preserves
the lower halves of XMM6-XMM15 required by the Windows x64 ABI.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 15:47:49 2026
(Merged from https://github.com/openssl/openssl/pull/30160)

4 weeks ago: ML-DSA: optimize one vmovshdup from the NTT multiply operation
Tomasz Kantecki [Wed, 28 Jan 2026 16:50:38 +0000 (16:50 +0000)] 
ML-DSA: optimize one vmovshdup from the NTT multiply operation

It applies to 7 out of 8 levels in NTT and NTT^-1.
It helps eliminate some zeta shuffles in NTT level 6 and NTT^-1 level 1.
Added small optimization in data shuffling between the levels.

Signed-off-by: Tomasz Kantecki <tomasz.kantecki@intel.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 15:47:46 2026
(Merged from https://github.com/openssl/openssl/pull/30160)

4 weeks ago: ML-DSA: Refactor to use function pointers for AVX2/scalar NTT
Marcel Cornu [Wed, 25 Feb 2026 16:44:07 +0000 (16:44 +0000)] 
ML-DSA: Refactor to use function pointers for AVX2/scalar NTT

Replace inline AVX2 capability checks with function pointers that are
initialized once at startup using CRYPTO_THREAD_run_once.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 15:47:43 2026
(Merged from https://github.com/openssl/openssl/pull/30160)

4 weeks ago: Add AVX2 optimized assembly for ML-DSA NTT
Tomasz Kantecki [Tue, 24 Feb 2026 13:39:47 +0000 (13:39 +0000)] 
Add AVX2 optimized assembly for ML-DSA NTT

This commit introduces AVX2-vectorized assembly implementations of the
Number Theoretic Transform (NTT) operations used in ML-DSA (FIPS 204).
These optimizations improve performance of ML-DSA key generation,
signing, and verification operations on x86_64 platforms
with AVX2 support.

The implementation adds the following functions:
- ml_dsa_poly_ntt_avx2: Forward NTT transformation
- ml_dsa_poly_ntt_inverse_avx2: Inverse NTT transformation
- ml_dsa_poly_ntt_mult_avx2: NTT-domain polynomial multiplication

Key implementation details:
- Uses YMM registers to process 8 32-bit coefficients in parallel
- Employs Montgomery reduction for modular arithmetic
- Implements NTT butterfly operations across multiple transform levels
- Includes dedicated zeta table for INTT to reduce cycles
- Runtime capability check via ml_dsa_ntt_avx2_capable() using
  OPENSSL_ia32cap_P to detect AVX2 support

The C code in ml_dsa_ntt.c is updated to dispatch to AVX2 implementations
at runtime when available, with automatic fallback to the portable C
implementation on platforms without AVX2 support.

Build system changes:
- Added GENERATE rule for ml_dsa_ntt-x86_64.s from Perl assembly
- Conditional assembly inclusion based on target architecture
- Works with both libcrypto and FIPS provider builds

Co-authored-by: Marcel Cornu <marcel.d.cornu@intel.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 15:47:40 2026
(Merged from https://github.com/openssl/openssl/pull/30160)

4 weeks ago: Refactor FIPS parameter and indicator handling
Simo Sorce [Mon, 2 Mar 2026 21:08:59 +0000 (16:08 -0500)] 
Refactor FIPS parameter and indicator handling

Consolidate FIPS indicators and self-test parameters into a single
structure managed by `fipsparams.pm`. Replace individual accessor
functions with a generic `ossl_fips_config` function that retrieves
values by name. This removes repetitive boilerplate code and
simplifies parameter access within the FIPS provider.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30213)

4 weeks ago: Generate FIPS parameter handling with Perl
Simo Sorce [Fri, 27 Feb 2026 22:44:31 +0000 (17:44 -0500)] 
Generate FIPS parameter handling with Perl

Replace the C preprocessor macros used for FIPS indicators and self-test
parameters with a Perl-based code generation approach. This introduces
`util/perl/OpenSSL/fipsparams.pm` and `providers/fips/fipsparams.inc.in`
to generate the boilerplate code, simplifying `fipsprov.c` and reducing
macro complexity.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/30213)

4 weeks ago: LoongArch: Accelerate SHA-512 message scheduling with LSX
WANG Xuerui [Tue, 5 Aug 2025 11:45:14 +0000 (19:45 +0800)] 
LoongArch: Accelerate SHA-512 message scheduling with LSX

Detect and use LSX (128-bit SIMD) to accelerate the message scheduling
stage of SHA-512. The main compression round is not amenable to SIMD
optimizations because horizontal data dependencies are very heavy.

In the current approach, 8 vector registers are used to store the 16
active message schedule array elements, with each 128-bit register fully
utilized, holding 2 64-bit elements each. Thankfully this means the data
dependency between x[n] and x[n-2] for rounds >= 16 (0-based) is
completely side-stepped, and with no computational power wasted.

Performance numbers on Loongson 3C6000 (LA664 uarch) @ 2.2GHz:

Before:

```
version: 3.6.0-dev
built on: Sun Aug  3 10:22:36 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
CPUINFO: N/A
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha512           27701.14k   109625.41k   206773.00k   311351.64k   367442.71k   371401.72k
```

After:

```
version: 3.6.0-dev
built on: Sun Aug  3 10:22:36 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
CPUINFO: N/A
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha512           33440.93k   132238.88k   272890.18k   429715.11k   518770.04k   526172.98k
```

Which is an improvement of between 20.63% (for 64B inputs; 20.72% for
16B which is very close) and 41.67% (for 16KiB inputs). This is much
larger an improvement than for SHA-256.

A similar attempt at utilizing LASX is also done, with 4 256-bit XRs
being used to store 4 64-bit elements each, and with the sigma1
computation unrolled twice; performance actually dropped by -12.56%
(64B; -12.59% for 16B) to -22.31% (16KiB) (!!). This large drop is most
likely due to the fact that LASX is incapable of efficiently
transferring data across the higher and lower 128-bit halves -- 3 cycles
latency for every instruction capable of doing so. Specifically, with
the unrolled sigma1 computation, one needs to swap halves and zero the
other unused half, and do this twice; and re-aligning "1234" and "9abc"
parts also requires two such moves, such as moving x[4] from m4567[0] to
m1234[3]. So, ultimately I decided to remove LASX from the patchset.

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:17 2026
(Merged from https://github.com/openssl/openssl/pull/28192)

4 weeks ago  LoongArch: Accelerate SHA-256 message scheduling with LSX
WANG Xuerui [Tue, 5 Aug 2025 06:16:43 +0000 (14:16 +0800)] 
LoongArch: Accelerate SHA-256 message scheduling with LSX

Detect and use LSX (128-bit SIMD) to accelerate the message scheduling
stage of SHA-256. The main compression round is not amenable to SIMD
optimizations because horizontal data dependencies are very heavy.

Due to data dependencies between x[n] and x[n-2] for rounds >= 16
(0-based), at most 2 SIMD lanes can be efficiently utilized, which
unfortunately means half of the space is wasted with LSX (128-bit = 4 32-bit
lanes), and LASX (256-bit, 8 32-bit lanes) is meaningless. In the
current approach, 8 vector registers are used to store the 16 active
message schedule array elements; only vr[0] and vr[2] are meaningful for
each VR.

Performance numbers on Loongson 3C6000 (LA664 uarch) @ 2.2GHz:

Before:

```
version: 3.6.0-dev
built on: Sun Aug  3 10:22:36 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
CPUINFO: N/A
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha256           32676.25k    87543.16k   168349.71k   218342.74k   240099.57k   241639.34k
```

After:

```
version: 3.6.0-dev
built on: Sun Aug  3 10:22:36 2025 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
CPUINFO: N/A
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha256           37180.32k   104604.94k   206861.06k   276741.65k   306465.73k   308863.06k
```

Which is an improvement of between 13.78% (for 16B inputs) and 27.82%
(for 16KiB inputs).

I have also experimented with a denser storage of message elements, with
4 VRs each storing 4 elements, but performance dropped by 0.25% (16B) to
2.42% (16KiB) because sigma1 must be computed twice with this storage
layout: once on x[14..15], once on the fresh x[16..17].

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:15 2026
(Merged from https://github.com/openssl/openssl/pull/28192)
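
The two-lane limit both LoongArch commit messages describe (a pair W[t], W[t+1] can be expanded together, but W[t+2] needs W[t]) is easiest to see in plain C. The block below is an added example, not OpenSSL's code or the LSX assembly from the patches: it expands the SHA-512 and SHA-256 message schedules pairwise, with each two-element array standing in for one 128-bit vector register, and cross-checks the pairwise SHA-512 expansion against a word-at-a-time reference. The rotation amounts are those of FIPS 180-4; the "abc" block and the xorshift-filled block are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL code.  For t >= 16 the schedule is
 *   W[t] = sigma1(W[t-2]) + W[t-7] + sigma0(W[t-15]) + W[t-16]
 * so W[t] and W[t+1] read only words up to W[t-1] and can be produced
 * together, while W[t+2] would need W[t] itself.  Each two-element array
 * below stands for one 128-bit LSX register. */

static uint64_t rotr64(uint64_t x, unsigned n) { return (x >> n) | (x << (64 - n)); }
static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }

/* SHA-512 and SHA-256 small sigma functions, rotation amounts per FIPS 180-4 */
static uint64_t s0_512(uint64_t x) { return rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7); }
static uint64_t s1_512(uint64_t x) { return rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6); }
static uint32_t s0_256(uint32_t x) { return rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3); }
static uint32_t s1_256(uint32_t x) { return rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10); }

/* Reference: the 80-word SHA-512 schedule, one word at a time. */
void sha512_schedule_scalar(const uint64_t m[16], uint64_t w[80])
{
    memcpy(w, m, 16 * sizeof(w[0]));
    for (int t = 16; t < 80; t++)
        w[t] = s1_512(w[t - 2]) + w[t - 7] + s0_512(w[t - 15]) + w[t - 16];
}

/* Two-lane model: one register holds (W[t], W[t+1]); each line is one
 * vector operation applied to both lanes, and every input is already final. */
void sha512_schedule_2lane(const uint64_t m[16], uint64_t w[80])
{
    memcpy(w, m, 16 * sizeof(w[0]));
    for (int t = 16; t < 80; t += 2) {
        uint64_t s1[2]  = { s1_512(w[t - 2]),  s1_512(w[t - 1]) };
        uint64_t w7[2]  = { w[t - 7],          w[t - 6] };
        uint64_t s0[2]  = { s0_512(w[t - 15]), s0_512(w[t - 14]) };
        uint64_t w16[2] = { w[t - 16],         w[t - 15] };
        for (int lane = 0; lane < 2; lane++)
            w[t + lane] = s1[lane] + w7[lane] + s0[lane] + w16[lane];
    }
}

/* Same two-lane shape for the 64-word SHA-256 schedule (two of the four
 * 32-bit lanes of an LSX register would stay idle, as the commit notes). */
void sha256_schedule_2lane(const uint32_t m[16], uint32_t w[64])
{
    memcpy(w, m, 16 * sizeof(w[0]));
    for (int t = 16; t < 64; t += 2) {
        uint32_t s1[2]  = { s1_256(w[t - 2]),  s1_256(w[t - 1]) };
        uint32_t w7[2]  = { w[t - 7],          w[t - 6] };
        uint32_t s0[2]  = { s0_256(w[t - 15]), s0_256(w[t - 14]) };
        uint32_t w16[2] = { w[t - 16],         w[t - 15] };
        for (int lane = 0; lane < 2; lane++)
            w[t + lane] = s1[lane] + w7[lane] + s0[lane] + w16[lane];
    }
}

/* Constructed input: the single padded block for the message "abc". */
uint64_t sha512_abc_word(int t)
{
    uint64_t m[16] = { 0x6162638000000000ULL };   /* "abc" then the 0x80 pad byte */
    uint64_t w[80];
    m[15] = 24;                                    /* message length in bits */
    sha512_schedule_2lane(m, w);
    return w[t];
}

uint32_t sha256_abc_word(int t)
{
    uint32_t m[16] = { 0x61626380u };
    uint32_t w[64];
    m[15] = 24;
    sha256_schedule_2lane(m, w);
    return w[t];
}

/* Cross-check the two-lane SHA-512 schedule against the scalar one on a
 * constructed xorshift-filled block.  Returns 1 if every word agrees. */
int sha512_schedules_agree(void)
{
    uint64_t m[16], w_ref[80], w_lane[80], x = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 16; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        m[i] = x;
    }
    sha512_schedule_scalar(m, w_ref);
    sha512_schedule_2lane(m, w_lane);
    return memcmp(w_ref, w_lane, sizeof(w_ref)) == 0;
}
```

For the "abc" block only W[0] and W[15] are nonzero, so W[16] is just W[0] and W[17] is just sigma1(W[15]); those two values make a convenient hand-checkable probe of the rotation amounts before trusting the full cross-check.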

4 weeks ago  LoongArch: Evaluate immediate operand values in perlasm
WANG Xuerui [Tue, 5 Aug 2025 11:19:08 +0000 (19:19 +0800)] 
LoongArch: Evaluate immediate operand values in perlasm

To make the emitted assembly easier to read. No functional change.

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:12 2026
(Merged from https://github.com/openssl/openssl/pull/28192)

4 weeks ago  LoongArch: Loop-ify generation of SHA256 and SHA512 rounds
WANG Xuerui [Mon, 4 Aug 2025 10:01:31 +0000 (18:01 +0800)] 
LoongArch: Loop-ify generation of SHA256 and SHA512 rounds

De-duplicate the rounds to make the code shorter. No functional change.

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:09 2026
(Merged from https://github.com/openssl/openssl/pull/28192)

4 weeks ago  LoongArch: Use ABI names for perlasm scripts
WANG Xuerui [Mon, 4 Aug 2025 09:38:16 +0000 (17:38 +0800)] 
LoongArch: Use ABI names for perlasm scripts

ABI names (e.g. "$t0" instead of "$r12") on LoongArch are always
supported by mainline binutils and LLVM IAS, so use them for better
readability. No functional change.

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:06 2026
(Merged from https://github.com/openssl/openssl/pull/28192)

4 weeks ago  LoongArch: Strip excess whitespace from SHA256 and SHA512 perlasm output
WANG Xuerui [Mon, 4 Aug 2025 10:18:28 +0000 (18:18 +0800)] 
LoongArch: Strip excess whitespace from SHA256 and SHA512 perlasm output

No functional change.

Signed-off-by: WANG Xuerui <git@xen0n.name>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 11 13:56:03 2026
(Merged from https://github.com/openssl/openssl/pull/28192)

4 weeks ago  25-test_req.t: add test cases for X509 v1 vs. v3
Dr. David von Oheimb [Sat, 26 Nov 2022 21:50:19 +0000 (22:50 +0100)] 
25-test_req.t: add test cases for X509 v1 vs. v3

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  ossl_x509_likely_issued(): fix self-signature check in case issuer equals subject
Dr. David von Oheimb [Thu, 1 Sep 2022 16:11:45 +0000 (18:11 +0200)] 
ossl_x509_likely_issued(): fix self-signature check in case issuer equals subject

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  25-test_req.t: add test cases pointing out that we won't fix #19095
Dr. David von Oheimb [Tue, 6 Jan 2026 11:35:44 +0000 (12:35 +0100)] 
25-test_req.t: add test cases pointing out that we won't fix #19095

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  v3_purp.c: refactor to improve code commenting of ossl_x509v3_cache_extensions()...
Dr. David von Oheimb [Thu, 1 Sep 2022 16:08:43 +0000 (18:08 +0200)] 
v3_purp.c: refactor to improve code commenting of ossl_x509v3_cache_extensions() and X509_check_akid()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:32 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  openssl-verification-options.pod: clarify when a certificate is considered (supposedl...
Dr. David von Oheimb [Tue, 6 Jan 2026 11:36:32 +0000 (12:36 +0100)] 
openssl-verification-options.pod: clarify when a certificate is considered (supposedly) self-signed

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:31 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  X509_check_issued.pod: add doc of X509_check_akid(), complete X509_check_issued()
Dr. David von Oheimb [Sat, 26 Nov 2022 09:33:53 +0000 (10:33 +0100)] 
X509_check_issued.pod: add doc of X509_check_akid(), complete X509_check_issued()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:30 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

4 weeks ago  Fix OSSL_parse_url userinfo scan past authority
1seal [Mon, 9 Mar 2026 10:48:49 +0000 (11:48 +0100)] 
Fix OSSL_parse_url userinfo scan past authority

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Mar 11 10:22:54 2026
(Merged from https://github.com/openssl/openssl/pull/30319)

4 weeks ago  safe_math: documentation example fix
Pauli [Wed, 4 Mar 2026 23:28:15 +0000 (10:28 +1100)] 
safe_math: documentation example fix

The example was for an older version of the code which used triadic
macros to define the functions.  The code was simplified making these
dyadic but the example was skipped.  This fixes the example.

Fixes: cccfc668286c "doc: document the internal integer overflow helpers"
References: b037e3637a49 "header: add integer overflow helper functions"

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 11 10:19:05 2026
(Merged from https://github.com/openssl/openssl/pull/30266)

4 weeks ago  Fix use after free in quic_connection freeing if up ref fails
Neil Horman [Sun, 8 Mar 2026 20:49:09 +0000 (16:49 -0400)] 
Fix use after free in quic_connection freeing if up ref fails

Issue https://github.com/openssl/openssl/issues/3030

Found a use after free case in ossl_quic_accept_connection in the event
that we fail to up_ref the associated quic listener object.

If we fail to take the up ref on the listener object in this function,
we free the SSL object, which calls into
SSL_free->ossl_quic_free->qc_cleanup, which because we have an
associated listener, we free the mutex for, and then get a use-after-free
when we try to unlock that mutex shortly thereafter.

We really need to fix 3 problems here:

1) The use after free.  Handle this by ensuring that the listener is
   assigned first.

2) A deadlock, since we already hold the associated mutex, we need to
   defer the free operation until after we unlock the mutex.

3) Don't drop the refcount on the listener object in ossl_quic_cleanup
   (since we failed to up-ref it here).  Handle this by adding a flag to
   indicate up-ref failure in the quic-connection object.

Problem was confirmed by synthetically failing the up ref in local
testing, and this patch was confirmed to fix the issue.

Also, we need to adjust some of the tests in quicapitest here, as
several tests just assume that SSL_accept_connection will return a
non-null value.

Fixes #30307

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 09:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/30311)
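
As an added illustration of the three fixes listed above (not OpenSSL's QUIC code): a toy listener/connection model in C with a failure hook on the up-ref. The names listener_t, conn_t, accept_connection and inject_upref_failure are invented for the example; the lock is a plain flag rather than a mutex, so a double-lock shows up as an error return instead of a hang, and the refcount invariants are checked directly.

```c
#include <stddef.h>

/* Added example, not OpenSSL code: the ownership rule the fix restores is
 * "only release what you actually acquired", applied in accept():
 *  1. attach the listener to the connection before anything that can free it
 *  2. drop the listener lock before the connection is freed
 *  3. record an up-ref failure so cleanup does not drop a ref it never took */

typedef struct {
    int refcount;
    int lock_held;      /* stand-in for the listener mutex */
    int freed;
} listener_t;

typedef struct {
    listener_t *listener;
    int listener_upref_failed;   /* fix 3: the flag */
    int freed;
} conn_t;

static int inject_upref_failure;   /* test hook, constructed for this example */

static int listener_lock(listener_t *l)
{
    if (l->lock_held) return 0;    /* would deadlock on a real mutex */
    l->lock_held = 1;
    return 1;
}
static void listener_unlock(listener_t *l) { l->lock_held = 0; }

int listener_up_ref(listener_t *l)
{
    if (inject_upref_failure) return 0;
    l->refcount++;
    return 1;
}

void listener_down_ref(listener_t *l)
{
    if (--l->refcount == 0) l->freed = 1;   /* last ref: object goes away */
}

/* Connection teardown: touches the listener only if this connection holds a ref. */
void conn_free(conn_t *c)
{
    if (c == NULL) return;
    if (c->listener != NULL && !c->listener_upref_failed)
        listener_down_ref(c->listener);
    c->freed = 1;
}

/* Hardened accept.  Returns the connection, or NULL if the up-ref failed;
 * the caller-supplied storage lets the test inspect the freed object. */
conn_t *accept_connection(listener_t *l, conn_t *storage)
{
    conn_t *c = storage;
    c->listener = NULL; c->listener_upref_failed = 0; c->freed = 0;

    if (!listener_lock(l)) return NULL;

    c->listener = l;                       /* fix 1: assign first */
    if (!listener_up_ref(l)) {
        c->listener_upref_failed = 1;      /* fix 3 */
        listener_unlock(l);                /* fix 2: unlock before free */
        conn_free(c);
        return NULL;
    }
    listener_unlock(l);
    return c;
}

/* Drive the failure path; returns 1 if all three invariants hold. */
int failed_accept_is_safe(void)
{
    listener_t l = { 1, 0, 0 };            /* the listener's own reference */
    conn_t c;
    inject_upref_failure = 1;
    conn_t *r = accept_connection(&l, &c);
    inject_upref_failure = 0;
    return r == NULL
        && c.freed == 1          /* connection released */
        && l.refcount == 1       /* the ref never taken was not dropped: no UAF */
        && l.freed == 0
        && l.lock_held == 0;     /* lock released: no deadlock */
}

/* The normal path for contrast: one ref taken, later returned by conn_free. */
int normal_accept_balances_refs(void)
{
    listener_t l = { 1, 0, 0 };
    conn_t c;
    conn_t *r = accept_connection(&l, &c);
    int after_accept = l.refcount;         /* 2 while the connection is alive */
    conn_free(r);
    return r != NULL && after_accept == 2 && l.refcount == 1 && l.lock_held == 0;
}
```

Removing any one of the three fixes makes failed_accept_is_safe() return 0: without the flag the refcount drops to 0 and the listener is marked freed while accept still holds a pointer to it, without the early assignment the cleanup cannot see the listener at all, and without the reordered unlock a real mutex would be freed or re-locked while held.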

4 weeks ago  doc: clarify that SSL_CTX/SSL can hold multiple key/cert pairs
kovan [Tue, 27 Jan 2026 10:08:06 +0000 (11:08 +0100)] 
doc: clarify that SSL_CTX/SSL can hold multiple key/cert pairs

Improve the NOTES section of SSL_CTX_use_certificate(3) to make it
clearer that:

- The certificate store is specific to each SSL_CTX or SSL object,
  not a global store
- Multiple key/certificate pairs of different types can be loaded
- This enables offering different certificate types (RSA, ECDSA, etc.)
  on a single TLS server socket
- OpenSSL automatically selects the appropriate certificate during
  the TLS handshake based on cipher suite and signature algorithms
- Loading multiple pairs is done by calling the loading functions
  multiple times

This helps TLS server developers understand that their configuration
should allow multiple key/cert pairs per context.

Fixes #28425

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Wed Mar 11 03:20:37 2026
(Merged from https://github.com/openssl/openssl/pull/29786)

4 weeks ago  tests: fix configutl test on Windows  [29409/head]
Milan Broz [Mon, 9 Mar 2026 13:02:03 +0000 (14:02 +0100)] 
tests: fix configutl test on Windows

In Windows makefile, "del /Q /S /F test\*.exp" command is called.
Due to use of /S switch and old filenames compatibility
magic, it deletes also all *.expected files.
This makes subsequent runs of configtest fail.

As this is the only test using these names (and cryptic
workarounds in makefile are unreadable), let's just
rename expected files to *-exp.out suffix.

Also fix two alien tabs in script.

Fixes: https://github.com/openssl/project/issues/1894
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 10 19:42:26 2026
(Merged from https://github.com/openssl/openssl/pull/30324)

4 weeks ago  Fix memory leak in `EC_GROUP_copy()`
Weidong Wang [Mon, 9 Mar 2026 10:19:11 +0000 (05:19 -0500)] 
Fix memory leak in `EC_GROUP_copy()`

We must free pre_comp before its overwrite.

Fixes: 3aef36ffef89 "Add CRYPTO_EX_DATA; remove EC_EXTRA_DATA"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 10 19:04:33 2026
(Merged from https://github.com/openssl/openssl/pull/30320)

4 weeks ago  namemap: handle NULL names in name2num lookups
Nikola Pajkovsky [Fri, 6 Mar 2026 08:49:22 +0000 (09:49 +0100)] 
namemap: handle NULL names in name2num lookups

Make ossl_namemap_name2num() return 0 when `name` is NULL, so callers can
use a single lookup path without local NULL guards.

Fixes: aec9e7fe1693 ("Allow core_namemap to limit hashtable key sizes")
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683247
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683248
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683249
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 18:29:00 2026
(Merged from https://github.com/openssl/openssl/pull/30286)

4 weeks ago  cms: Fix no-signed-attributes for unknown hashless algorithms
Daniel Van Geest [Fri, 6 Mar 2026 11:13:51 +0000 (11:13 +0000)] 
cms: Fix no-signed-attributes for unknown hashless algorithms

Fix CMS signing without signed-attributes for unknown (provider-supplied)
algorithms which don't operate on a digest (e.g. Falcon).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 18:25:39 2026
(Merged from https://github.com/openssl/openssl/pull/30287)

4 weeks ago  Handle merged stderr: add 'Failed reading from' pattern
Uni [Fri, 6 Mar 2026 17:19:32 +0000 (18:19 +0100)] 
Handle merged stderr: add 'Failed reading from' pattern

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:20 2026
(Merged from https://github.com/openssl/openssl/pull/30289)

4 weeks ago  Fix intermittent hang in 82-test_ech_client_server.t
Uni [Fri, 6 Mar 2026 17:19:31 +0000 (18:19 +0100)] 
Fix intermittent hang in 82-test_ech_client_server.t

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:17 2026
(Merged from https://github.com/openssl/openssl/pull/30289)

4 weeks ago  Ensure entries in the neighborhood struct are 8 byte aligned
Neil Horman [Fri, 6 Mar 2026 16:31:16 +0000 (11:31 -0500)] 
Ensure entries in the neighborhood struct are 8 byte aligned

This struct is accessed via atomics, which on some platforms require 8
byte alignment.  Generally compilers provide that alignment, since the
first element of the struct is a uint64_t, but it appears that not all
do.

Force the alignment to be correct

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 18:16:34 2026
(Merged from https://github.com/openssl/openssl/pull/30293)

4 weeks ago  Fix Memory leak in app_passwd
huanghuihui0904 [Mon, 9 Mar 2026 14:57:00 +0000 (22:57 +0800)] 
Fix Memory leak in app_passwd

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 10 17:42:48 2026
(Merged from https://github.com/openssl/openssl/pull/30325)

4 weeks ago  Fix memory leak of p and q in ossl_rsa_fromdata error path
Uni [Fri, 6 Mar 2026 20:24:28 +0000 (21:24 +0100)] 
Fix memory leak of p and q in ossl_rsa_fromdata error path

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30298)

4 weeks ago  Change free call to secure free call.
Pauli [Sun, 8 Mar 2026 10:24:23 +0000 (21:24 +1100)] 
Change free call to secure free call.

Freeing secure memory using OPENSSL_free causes badness.  Use the proper
free call instead.

Fixes #30302

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:08:36 2026
(Merged from https://github.com/openssl/openssl/pull/30305)

4 weeks ago  Prepare for 4.1  [30343/head]
openssl-machine [Tue, 10 Mar 2026 14:39:55 +0000 (14:39 +0000)] 
Prepare for 4.1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:56 2026
Release: yes

4 weeks ago  make update
openssl-machine [Tue, 10 Mar 2026 14:39:40 +0000 (14:39 +0000)] 
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:41 2026
Release: yes

4 weeks ago  Copyright year updates
openssl-machine [Tue, 10 Mar 2026 14:37:52 +0000 (14:37 +0000)] 
Copyright year updates

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:37:54 2026
Release: yes

4 weeks ago  CHANGES.md, NEWS.md: picking up changes from 3.6.1
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:41:18 +0000 (11:41 +0100)] 
CHANGES.md, NEWS.md: picking up changes from 3.6.1

Since it has been released before 4.0.0-alpha1.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:37 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md, NEWS.md: update the URL format for CVE URLs
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:18:12 +0000 (11:18 +0100)] 
CHANGES.md, NEWS.md: update the URL format for CVE URLs

The URLs have changed from [1] to [2].

[1] https://www.openssl.org/news/vulnerabilities.html
[2] https://openssl-library.org/news/vulnerabilities/

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:35 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md: additional tfixes, ffixes, and wfixes
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:01:30 +0000 (11:01 +0100)] 
CHANGES.md: additional tfixes, ffixes, and wfixes

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:32 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  NEWS.md: update
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:00:15 +0000 (11:00 +0100)] 
NEWS.md: update

Include various items from CHANGES.md, remove items pertaining to
OPENSSL_sk_set_cmp_thunks() and crypto-mdebug-backtrace, split into new
features and significant/incompatible changes.
Also, while at it, added the leader to the 3.6.0 news entry.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:28 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  Move the FIPS PKCS5_PBKDF2_HMAC limits description from NEWS.md to CHANGES.md
Eugene Syromiatnikov [Tue, 10 Mar 2026 09:36:55 +0000 (10:36 +0100)] 
Move the FIPS PKCS5_PBKDF2_HMAC limits description from NEWS.md to CHANGES.md

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:25 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md: reorder entries
Eugene Syromiatnikov [Tue, 10 Mar 2026 09:31:15 +0000 (10:31 +0100)] 
CHANGES.md: reorder entries

Reorder entries, following general
additions-changes-deprecations-removals order.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:22 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md, NEWS.md: wfixes, tfixes, ffixes
Eugene Syromiatnikov [Tue, 10 Mar 2026 08:38:22 +0000 (09:38 +0100)] 
CHANGES.md, NEWS.md: wfixes, tfixes, ffixes

An attempt has been made to harmonise the language and style
of the changelog and news records a bit.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:20 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md: add links to the mentioned RFCs
Eugene Syromiatnikov [Tue, 10 Mar 2026 07:10:26 +0000 (08:10 +0100)] 
CHANGES.md: add links to the mentioned RFCs

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:17 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md: add spaces to RFC 8998 mentions
Eugene Syromiatnikov [Tue, 10 Mar 2026 07:00:45 +0000 (08:00 +0100)] 
CHANGES.md: add spaces to RFC 8998 mentions

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:14 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  CHANGES.md, NEWS.md: sort links in lexicographical order
Eugene Syromiatnikov [Tue, 10 Mar 2026 06:58:27 +0000 (07:58 +0100)] 
CHANGES.md, NEWS.md: sort links in lexicographical order

A specific order makes link addition more consistent moving forward.
The links were sorted with "LC_ALL=C sort -V" command, "sort"
is from GNU coreutils.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:11 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

4 weeks ago  Revert "Constify X509_find_by_subject"
Eugene Syromiatnikov [Wed, 4 Mar 2026 15:04:22 +0000 (16:04 +0100)] 
Revert "Constify X509_find_by_subject"

This reverts commit 0da29907e7da "Constify X509_find_by_subject",
as it operates on a stack of X509 (not const X509) objects, and returns
a pointer to one of them.

Fixes: 0da29907e7da "Constify X509_find_by_subject"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 21:29:37 2026
(Merged from https://github.com/openssl/openssl/pull/30265)

4 weeks ago  Un-constify the return value of X509_find_by_issuer_and_serial()
Eugene Syromiatnikov [Mon, 2 Mar 2026 15:41:56 +0000 (16:41 +0100)] 
Un-constify the return value of X509_find_by_issuer_and_serial()

This partially reverts commit 07ee3d5db8a2 "constify
X509_find_by_issuer_and_serial", as it operates on a stack of X509
(not const X509 objects), and returns a pointer to one.
The constification of PKCS7_signatureVerify argument is sensible
(as the argument is read-only inside the function) and remains
in place.

Fixes: 07ee3d5db8a2 "constify X509_find_by_issuer_and_serial"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 21:29:34 2026
(Merged from https://github.com/openssl/openssl/pull/30265)

4 weeks ago  document the new build option "enable-static-vcruntime"
Wo'O Ideafarm [Wed, 18 Feb 2026 06:45:30 +0000 (22:45 -0800)] 
document the new build option "enable-static-vcruntime"

I placed these new notes prominently based upon how important I think that they are for applications developers targeting Windows platforms.  With this new option, contributed (but not documented) by @nhorman in Commit 9431cc2, standalone executable applications can be distributed that do not require an installer and do not require modification of the target computer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 1:50:49 2026
(Merged from https://github.com/openssl/openssl/pull/30064)

4 weeks ago  Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509
Eugene Syromiatnikov [Thu, 5 Mar 2026 17:46:54 +0000 (18:46 +0100)] 
Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509

This partially reverts commit 367c54ef1105 "Constify
X509_OBJECT_[get0|set1]_X509 and friends", as well as removes them from
the list added in c0f82d915f38 "Describe X509 constification and ASN1_STRING
changes".  Constification of X509_get_pubkey() arguments remains in place.

Resolves: https://github.com/openssl/project/issues/1892
Complements: 367c54ef1105 "Constify X509_OBJECT_[get0|set1]_X509 and friends"
Complements: c0f82d915f38 "Describe X509 constification and ASN1_STRING changes"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 18:36:10 2026
(Merged from https://github.com/openssl/openssl/pull/30276)

4 weeks ago  doc/man7/ossl-guide-migration.pod: remove mentions of X509_STORE_CTX funcs
Eugene Syromiatnikov [Thu, 5 Mar 2026 15:52:14 +0000 (16:52 +0100)] 
doc/man7/ossl-guide-migration.pod: remove mentions of X509_STORE_CTX funcs

Remove mentions of un-constified X509_STORE_CTX_get_current_cert,
X509_STORE_CTX_get0_cert, X509_STORE_CTX_get0_current_issuer,
X509_STORE_CTX_init, X509_STORE_CTX_set_cert from the list of constified
functions.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 18:33:15 2026
(Merged from https://github.com/openssl/openssl/pull/30272)

4 weeks ago  Partially revert "Constify X509_STORE_CTX functions invoving X509 *"
Eugene Syromiatnikov [Thu, 5 Mar 2026 14:37:07 +0000 (15:37 +0100)] 
Partially revert "Constify X509_STORE_CTX functions invoving X509 *"

This reverts constification of the return value types
of X509_STORE_CTX_get_current_cert(), X509_STORE_CTX_get0_current_issuer(),
X509_STORE_CTX_get0_cert() functions, and arguments
of X509_STORE_CTX_set_cert() and X509_STORE_CTX_init() functions.
Constification of users of these functions, as well as
X509_STORE_CTX_get_issuer_fn and X509_STORE_CTX_check_issued_fn types,
remained in place.

Complements: e5b563366b00 "Constify X509_STORE_CTX functions invoving X509 *"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 18:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/30272)

4 weeks ago  Revert "Make X509_up_ref and X509_free take const X509 *"
Bob Beck [Thu, 5 Mar 2026 16:28:52 +0000 (09:28 -0700)] 
Revert "Make X509_up_ref and X509_free take const X509 *"

This reverts commit ae8d50f211231c8aa9fcb3bd0a6c38604dbd6de4.

Fixes: https://github.com/openssl/project/issues/1893
messing with free is a bridge too far

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar  6 17:50:22 2026
(Merged from https://github.com/openssl/openssl/pull/30273)

4 weeks ago  Add a CHANGES.md entry for the max key_shares/supported groups/sig algs
Matt Caswell [Wed, 4 Mar 2026 12:03:40 +0000 (12:03 +0000)] 
Add a CHANGES.md entry for the max key_shares/supported groups/sig algs

We now restrict the max number of key_shares/supported groups/sig algs
that we will pay attention to as a server.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30263)

4 weeks ago  Add a test for a large number of key shares
Matt Caswell [Tue, 3 Mar 2026 15:15:43 +0000 (15:15 +0000)] 
Add a test for a large number of key shares

Test that we correctly ignore large numbers of key shares. Similarly we
do the same for a large number of supported groups.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30263)

4 weeks ago  Add a test for a large number of sigalgs
Matt Caswell [Tue, 3 Mar 2026 13:59:58 +0000 (13:59 +0000)] 
Add a test for a large number of sigalgs

Test that we correctly ignore large numbers of sigalgs

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30263)

4 weeks ago  Restrict the number of supported groups/sig algs
Matt Caswell [Tue, 3 Mar 2026 12:30:24 +0000 (12:30 +0000)] 
Restrict the number of supported groups/sig algs

We restrict the number of supported groups and sig algs that the server
is willing to accept from the client to 128 (for both). Any more than
this are simply ignored. This number is significantly more than the total
number of current codepoints assigned by IANA for these extensions.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:03 2026
(Merged from https://github.com/openssl/openssl/pull/30263)

4 weeks ago - Restrict the number of keyshares a server is willing to accept
Matt Caswell [Tue, 3 Mar 2026 11:58:11 +0000 (11:58 +0000)] 
Restrict the number of keyshares a server is willing to accept

A client that sends an excessive number of keyshares to the server can
cause us to check that the groups are both in the client and server lists,
which is expensive. In reality there should be no reason to send a large
number of keyshares, so we restrict this to a sensible number (16). Any
more than this are simply ignored.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar  6 10:33:03 2026
(Merged from https://github.com/openssl/openssl/pull/30263)

5 weeks ago - OSSL_HTTP_REQ_CTX_nbio(): check for clear Content-Type mismatch
Tom Gautot [Tue, 27 Jan 2026 22:01:37 +0000 (23:01 +0100)] 
OSSL_HTTP_REQ_CTX_nbio(): check for clear Content-Type mismatch

Fixes #29748

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar  5 18:04:24 2026
(Merged from https://github.com/openssl/openssl/pull/29829)

5 weeks ago - CSHAKE: Fix memory leak related to propq.
slontis [Wed, 4 Mar 2026 03:59:09 +0000 (14:59 +1100)] 
CSHAKE: Fix memory leak related to propq.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar  5 17:41:05 2026
(Merged from https://github.com/openssl/openssl/pull/30261)

5 weeks ago - Some more X509 extension add/del polish
Viktor Dukhovni [Tue, 3 Mar 2026 14:35:36 +0000 (01:35 +1100)] 
Some more X509 extension add/del polish

- In various structures with optional X.509 extensions, deallocate and
  NULL out the extensions pointer when the extensions become empty after
  an extension is deleted.  This uses a new X509v3_delete_extension()
  helper function.  Added corresponding docs.

- Do the same in X509V3_EXT_add_nconf_sk() if after processing all
  the pending updates the stack becomes empty.

- Handle resulting NULL stack in X509V3_EXT_REQ_add_nconf() and
  update_req_extensions().

- Improved testing of certificate SKID/AKID addition and implicit
  removal via "none" value.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar  5 17:40:10 2026
(Merged from https://github.com/openssl/openssl/pull/30252)

5 weeks ago - windows-makefile: make clean target less noisy
Milan Broz [Sun, 1 Mar 2026 20:14:30 +0000 (21:14 +0100)] 
windows-makefile: make clean target less noisy

Using del on files that are not present creates many warning
messages. Let's wrap them in an "if exists" check to make
them silent if not present.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar  5 17:37:20 2026
(Merged from https://github.com/openssl/openssl/pull/30222)

5 weeks ago - SSL_CONF_cmd.pod: Fix TSL typo
Norbert Pocs [Wed, 4 Mar 2026 13:38:50 +0000 (14:38 +0100)] 
SSL_CONF_cmd.pod: Fix TSL typo

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar  5 17:19:00 2026
(Merged from https://github.com/openssl/openssl/pull/30264)

5 weeks ago - fix project spelling and capitalization
Jon Ericson [Wed, 4 Mar 2026 01:58:18 +0000 (17:58 -0800)] 
fix project spelling and capitalization

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Mar  5 16:35:20 2026
(Merged from https://github.com/openssl/openssl/pull/30259)