Neil Horman [Fri, 1 May 2026 12:23:27 +0000 (08:23 -0400)]
Limit job count on compiler zoo builds
The security repo keeps failing our compiler zoo jobs, consistently. It
appears to be happening because our compiler zoo jobs use make -j
without any limit on the number of jobs, leading to github aborting them
all when the workload gets too high. I suspect that we're using a
smaller runner in the security repo than we are in our public repo,
which is why we don't see it there.
Our other CI jobs all limit the job count to 4 during make, do the same
here.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Mon May 4 09:33:34 2026
(Merged from https://github.com/openssl/openssl/pull/31059)
kovan [Mon, 2 Feb 2026 11:32:04 +0000 (12:32 +0100)]
doc: Add documentation for X509_STORE_CTX_set_time
Document the X509_STORE_CTX_set_time() function which sets the
verification time for certificate chain validation. This is a
convenience wrapper around X509_VERIFY_PARAM_set_time().
Remove X509_STORE_CTX_set_time from missingcrypto.txt and
missingcrypto111.txt.
Fixes #21362
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sun May 3 15:38:26 2026
(Merged from https://github.com/openssl/openssl/pull/29899)
The Host Header comes with HTTP/1.1, not 1.0, and some
Web Server now doesn't want to answer to such requests.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Sun May 3 15:21:35 2026
(Merged from https://github.com/openssl/openssl/pull/30981)
Matt Caswell [Tue, 28 Apr 2026 08:56:20 +0000 (09:56 +0100)]
According to RFC8446 there must always be one identity in the list
We were silently accepting a list with zero identities. Technically this
is a syntax error so we should fail with a decode_error in this case.
Fixes #31006
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sun May 3 15:19:27 2026
(Merged from https://github.com/openssl/openssl/pull/31010)
Nikola Pajkovsky [Wed, 29 Apr 2026 18:15:32 +0000 (20:15 +0200)]
sparse_array: avoid ubsan violation in typed doall
clang-22 with enable-asan and enable-ubsan enabled fails with error
crypto/sparse_array.c:93:21: runtime error: call to function alg_copy
through pointer to incorrect function type 'void (*)(unsigned long, void *, void *)'
ossl_sa_##type##_doall(const SPARSE_ARRAY_OF(type) * sa,
void (*leaf)(ossl_uintmax_t, type *))
{
ossl_sa_doall((OPENSSL_SA *)sa,
(void (*)(ossl_uintmax_t, void *))leaf);
}
typed doall(_arg) expect leaf to have type, but generic code is using
void *, and the type-casting cases the error.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun May 3 15:17:58 2026
(Merged from https://github.com/openssl/openssl/pull/31035)
Fix the inverted cleanse guard in the SLH DSA provider signing path.
When randomized signing populates the local add_rand buffer, the cleanup step currently skips that stack buffer. Other signing modes do not create this transient buffer, so they should not drive this cleanup. Swap the guard so only the transient per signature buffer is cleansed, and cleanse the full fixed size buffer directly.
Fixes #30950
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sun May 3 14:49:20 2026
(Merged from https://github.com/openssl/openssl/pull/31029)
TPM 1.2 Endorsement Key certificates use id-RSAES-OAEP
(NID_rsaesOaep) as their SubjectPublicKeyInfo algorithm
identifier per TCG Credential Profiles V1.2 section 3.2.7.
The underlying key is a standard RSAPublicKey. Without
this mapping, X509_get_pubkey() fails with a decode error
and X509_verify_cert() cannot validate these certificates.
Add NID_rsaesOaep handling to the three SPKI decode paths,
each of which points at the other two so future changes stay
in sync:
- x509_pubkey_decode(): remap the NID to NID_rsaEncryption
for the legacy ameth lookup. This path is reached via
d2i_RSA_PUBKEY()/ossl_d2i_PUBKEY_legacy(), which is in
turn invoked by the provider RSA decoder's rsa_d2i_PUBKEY,
so it is load-bearing even when the provider path is in
use.
- x509_pubkey_ex_d2i_ex(): use "RSA" as the decoder keytype
name so OSSL_DECODER_CTX_new_for_pkey() selects the RSA
provider decoder. The NID check precedes OBJ_obj2txt()
so the text conversion is skipped when unused.
- ossl_spki2typespki_der_decode(): same remap in the
SPKI-to-type-SPKI provider decoder chain. Flatten the
existing SM2 special case while here: the original code
relied on a dangling else across the #endif, which made
the rsaesOaep branch awkward to add. The new structure
initializes dataname to empty, applies each special case
in turn, and falls back to OBJ_obj2txt() only when no
override applied. strcpy() is replaced with
OPENSSL_strlcpy() for consistency with surrounding code.
The OAEP AlgorithmIdentifier parameters (which carry a
TCG-specific pSourceAlgorithm "TCPA" for TPM EKs) are
deliberately not interpreted; only the RSAPublicKey body is
consumed.
Add a test using a real TPM 1.2 EK certificate. The test
exercises both the provider decoder path (via X509_from_strings
+ X509_get0_pubkey) and, when deprecated APIs are available,
the legacy path (via d2i_RSA_PUBKEY), confirming the key
decodes to an RSA EVP_PKEY of the expected size.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun May 3 14:44:24 2026
(Merged from https://github.com/openssl/openssl/pull/30961)
Matt Caswell [Fri, 1 May 2026 11:29:44 +0000 (12:29 +0100)]
Validate that a PSK identity is at least one byte long
RFC8446 requires that a PSK identity is at least one byte in length. We
should validate this.
Fixes #31007
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun May 3 13:46:21 2026
(Merged from https://github.com/openssl/openssl/pull/31058)
Joshua Rogers [Tue, 31 Mar 2026 16:17:34 +0000 (00:17 +0800)]
docs: Document required output buffer length in EVP_CIPHER-DES
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
MergeDate: Sun May 3 13:41:54 2026
(Merged from https://github.com/openssl/openssl/pull/30651)
ssl/record/methods/tls_common.c: call BIO_free_all() on rl->bio in tls_int_free
Since it is free'd using this call in tls_set1_bio().
Complements: 435feadaf4f9 "Fix record layer leak when swapping chained transport BIO" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Sat May 2 18:10:42 2026
(Merged from https://github.com/openssl/openssl/pull/31011)
Avoid needless casting away of const in X509_VERIFY_PARAM_get1_ip_asc
Instead of needlessly casting const away, simply update the prototype
of ossl_ipaddr_to_asc(), that doesn't modify the passed data in any way
anyway.
Fixes: f584ae959cbc "Let's support multiple names for certificate verification" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat May 2 18:07:19 2026
(Merged from https://github.com/openssl/openssl/pull/31051)
Bob Beck [Thu, 30 Apr 2026 19:41:32 +0000 (13:41 -0600)]
Guard memcmp for ub in X509_vpm.c
Techincally unnecessary, since this thing won't let you add NULL
data to it, but this is harmless and then obviously following
the correct paradigm.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat May 2 18:05:04 2026
(Merged from https://github.com/openssl/openssl/pull/31049)
Jakub Zelenka [Wed, 29 Apr 2026 17:26:47 +0000 (19:26 +0200)]
Fix memory leak in asn_mime multi_split
The bpart is not freed if BIO_write or BIO_puts fails. It also makes the
error handling of that case consistent with other parts freeing the
bpart.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri May 1 13:06:32 2026
(Merged from https://github.com/openssl/openssl/pull/31033)
Jakub Zelenka [Tue, 28 Apr 2026 20:43:45 +0000 (22:43 +0200)]
Check wrlmethod existence before sending alert
If there is a memory failure during record wrlmethod allocation, then
the alert is attemted but it crashes because wrlmethod is NULL.
Found using memfail integration to fuzz tests: GH-30944
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Fri May 1 12:09:11 2026
(Merged from https://github.com/openssl/openssl/pull/31017)
Bob Beck [Sat, 25 Apr 2026 02:19:41 +0000 (20:19 -0600)]
Touch the perl miasma in self defense.
The symbol presence test fails for NO_DEPRECATED
builds if you use modern CPP practices for definitions.
This is the result of my accepting that doing so will be as PTSD
inducing as walking into my parents bedroom at an inopportune
time, and fixing it. Better me who has less time left to live
with the mental trauma than a younger developer.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri May 1 11:01:46 2026
(Merged from https://github.com/openssl/openssl/pull/31016)
Milan Broz [Wed, 22 Apr 2026 14:05:35 +0000 (16:05 +0200)]
Fix ignoring return value in RCU witn MINGW 32bit
For code that uses NO_INTERLOCKEDOR64 (Win32 32bit),
there is a warning in RCU code
error: ignoring return value of 'CRYPTO_THREAD_write_lock'
declared with attribute 'warn_unused_result' [-Werror=unused-result]
As the function cannot fail on that platform (and error
path would need some reverts leading to impossible dereference later),
just use trick to silence the warning.
Milan Broz [Wed, 22 Apr 2026 13:39:29 +0000 (15:39 +0200)]
Fix DSO symbol test with MINGW64 and pedantic warnings
GetProcAddress() cannot be simple cast to void* (SD_SYM)
under strict warnigs, as it produces this
error: ISO C forbids conversion of function pointer to
object pointer type [-Werror=pedantic]
Milan Broz [Wed, 22 Apr 2026 13:03:47 +0000 (15:03 +0200)]
Fix warning for incompatible function cast
With pedantic option (strict warnings) and MINGW64,
the GetProcAddress() cannot be simply casted, as it leads to
error: cast between incompatible function types from 'FARPROC' ...
Introduce local macro that will wrap all such calls
and silence benign warnings.
To make data structures opaque, replaced direct member access (->data,
->length) with the equivalent ASN1_STRING accessor functions in the
PKCS7 module.
Fixes #29861
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Thu Apr 30 07:19:58 2026
(Merged from https://github.com/openssl/openssl/pull/30896)
util: remove find-doc-nits -o option and missing*111.txt files
It seems that find-doc-nits -o option, that "count[s] symbols added
since 1.1.1 as new", has little use by now (it is not used in any
find-doc-nits invocations, so can only be used manually), and presence
of missing*111.txt files (and especially entries there) only creates
confusion these days. Remove the option and the associated files.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 30 07:02:41 2026
(Merged from https://github.com/openssl/openssl/pull/30978)
crypto/mem.c: perform the fail check right after counting calls
Otherwise the counting done by shouldfail() does not account for calls
that are diverted to non-standard implementation and zero-sized
allocations, making it diverge from the sum of malloc_count
and realloc_count.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Apr 30 06:59:07 2026
(Merged from https://github.com/openssl/openssl/pull/30991)
As currently implemented, the only txe passed to qtx_reserve_txe()
(and, subsequently, to qtx_resize_txe()) is qtx->cons one, so the check
"if (qtx->cons == txe)" is superfluous, and, more so, would lead
to a memory leak if it weren't the case, as was spotted by Coverity.
Moreover, the set of qtx_alloc_txe(), qtx_ensure_free_txe(),
qtx_ensure_cons(), qtx_resize_txe(), and qtx_reserve_txe() functions,
while being written in a relatively generic way, is actually called
from a single call site in ossl_qtx_write_pkt(), and contains several
duplicating checks and unnecessary logic (like, adding a newly allocated
TXE to the free list, only to remove it from there right away
in qtx_ensure_cons(), the only its user), so just merge the whole
aforementioned set of functions (except qtx_alloc_txe()) in a single
function, qtx_get_cons_txe().
Milan Broz [Wed, 22 Apr 2026 13:49:33 +0000 (15:49 +0200)]
Workaround Uplink compilation for MINGW 32bit
The uplink code breaks compilation with strict warnings
for MINGW (only for 32-bit).
error: ISO C forbids conversion of object pointer
to function pointer type [-Werror=pedantic]
or
error: ISO C forbids assignment between function pointer
and 'void *' [-Werror=pedantic]
and some other missing declarations and prototypes.
As uplink.h is included in cryptlib.h and used in BIO
code, using a pragma to disable warnings would touch
to much code.
With (uintptr_t) cast, it silences cast warnings with gcc.
For the rest of the code, just disable warnings, as this
code would need to be rewritten and heavily retested
on older systems.
NOTE: applink.c is INCLUDED from uplink.h.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Apr 28 16:02:22 2026
(Merged from https://github.com/openssl/openssl/pull/30963)
Milan Broz [Fri, 24 Apr 2026 18:58:41 +0000 (20:58 +0200)]
Fix always false comparison in asn1/a_strex.c
On 32bit platforms, some compilers like clang
produce this warning
error: result of comparison 'unsigned long' > 4294967295
is always false [-Werror,-Wtautological-type-limit-compare]
70 | if (c > 0xffffffffL)
Make SSL_get_stream_write_state() safe for concluded streams
QUIC stack may panic when application calls SSL_get_stream_write_state()
on cocluded QUIC stream onject. The sequence of action which leads
to NULL pointer dereference is as follows:
- application uses SSL_stream_conclude(ssl_stream, 0) to conclude
the stream (let remote peer know no to expect more data)
- application uses SSL_get_stream_write_state(ssl_stream)
to query stream state.
If underlying sstream object is gone by the time when
SSL_get_stream_wtite_state() is called, then application
may see NULL pointer dereference. The underlying sstream
object is freed when FIN sent on beahalf of SSL_stream_conclude()
is ACKed by remote peer.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Apr 28 12:35:41 2026
(Merged from https://github.com/openssl/openssl/pull/30913)
slontis [Tue, 24 Feb 2026 03:29:26 +0000 (14:29 +1100)]
FIPS: Add HMAC key size compliance check to the MAC legacy bridge.
The hmac fips provider implementation used by the EVP_MAC API handles key
size checks, but it only does the test for the internal case.
Previously HMAC was implemented using EVP_DigestSign related functions,
and these are implemented using a mac_legacy_sig bridge, because of this
the MAC is external. For external cases the caller is responsible for
doing any key checks, so a FIPS indicator has been added.
herbenderbler [Wed, 25 Mar 2026 02:38:48 +0000 (20:38 -0600)]
Fix record layer leak when swapping chained transport BIO
tls_set1_bio() freed only the top BIO (BIO_free). Use BIO_free_all so
a pushed transport chain is released when the record layer replaces
its BIO.
Add test_ssl_set_wbio_chain_no_leak in sslapitest (stacked BIO chain
via SSL_set0_wbio) per reviewer feedback on GH openssl#30483. Drop the
Perl s_client reconnect recipe and CHANGES entry (internal leak only).
Fixes #30458
Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Apr 28 06:39:25 2026
(Merged from https://github.com/openssl/openssl/pull/30483)
Treat method-cache hash table inserts as successful only when they
return 1. This handles allocation/grow failures distinctly from
successful replacement and avoids using temporary QUERY entries after
failed insertion.
Separate cleanup for unlinked temporary QUERY objects from linked
cache entries, and release both the pending cache reference and
caller-visible method reference when deferred providerless cache
insertion fails.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Apr 28 06:33:15 2026
(Merged from https://github.com/openssl/openssl/pull/30891)
huanghuihui0904 [Mon, 16 Mar 2026 06:46:20 +0000 (14:46 +0800)]
ssl/quic/quic_port.c: fix leak in port_make_channel()
Free pre-existing ch->qlog_title before OPENSSL_strdup to avoid
leaking the value allocated in ossl_quic_channel_alloc(). Use
ossl_quic_channel_free() on strdup failure to ensure proper cleanup.
On s390x, the distribution of the query cache hash values is different
compared to other architectures, probably because of endianess and pointer
alignment being different (the hash key contains pointer values and integers).
This leads to the fact that ossl_ht_cache_QUERY_insert() is not always able to
add a query during the FIPS selftests, and thus ossl_ht_cache_QUERY_insert()
returns -1 is such cases.
Increase the number of retries inside ossl_ht_insert() to at least the
number elements per neighborhood plus 1. With this it is able to grow the
hash table enough so that the queries used during the FIPS selftest can
all be added to the hash table, even on s390x.
There is still no guarantee that the number of retries is enough for all
possible queries. It can still happen that certain queries can't be added to
the cache, even on other architectures. This does not really hurt, such
queries will just not be cached and are freshly fetched again the next time.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 27 05:56:53 2026
(Merged from https://github.com/openssl/openssl/pull/30903)
Viktor Dukhovni [Wed, 22 Apr 2026 12:46:18 +0000 (22:46 +1000)]
Handle NULL-buffer size probe in ossl_param_build_set_bn_pad()
ossl_param_build_set_bn_pad() is reached by two distinct caller
populations. When an OSSL_PARAM_BLD template is supplied
(bld != NULL), the template allocates backing storage internally and
no caller-side sizing is required. When an explicit OSSL_PARAM[]
array is supplied (bld == NULL), the caller follows the standard
OSSL_PARAM size-probe contract: invoke the primitive once with
p->data == NULL to learn the required size via p->return_size, then
allocate a buffer of that size and invoke again with the real
storage.
The bld == NULL branch did not honour the size-probe contract: with
p->data == NULL and a non-zero sz it fell through to
OSSL_PARAM_set_BN() and raised CRYPTO_R_TOO_SMALL_BUFFER, so callers
could never discover the required size.
The defect has been latent across several releases. This primitive
is the *padded* BN setter: it emits a fixed-width encoding regardless
of the BN's actual magnitude, which is needed for the private key --
a minimal encoding would leak its bit-length through timing or
allocation side channels. In practice the private key is the only
provider parameter that reaches this primitive. Callers that want
private-key material have historically done so through
EVP_PKEY_todata() and its OSSL_PARAM_BLD template path, where the
bug is invisible. EVP_PKEY_get_params() callers exist but have not
previously needed the private-key BN. Any caller that does request
it on the explicit-params path -- whether by name or as part of
iterating a provider's full gettable list -- now sees the probe
behave as it does elsewhere.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Apr 26 13:35:32 2026
(Merged from https://github.com/openssl/openssl/pull/30942)
remove ossl_quic_detach_stream() and ossl_quic_attach_stream()
Those function used to be backends for SSL_attach_stream() and
SSL_detach_stream(). Both those functions were removed from
API back 2023. And it does not look like there is a plan
to revive them. This PR removes implementation of stream detach/attach
functions with their tests.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 13:26:58 2026
(Merged from https://github.com/openssl/openssl/pull/30956)
CHANGES.md, NEWS.md: updates for 4.0.0 final release
NEWS.md is amended to include the following PRs:
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
Overall, CHANGES.md includes the following:
* https://github.com/openssl/openssl/pull/8136
"Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit
set in unsigned BN"
* https://github.com/openssl/openssl/pull/17495
"4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure"
* https://github.com/openssl/openssl/pull/18229
"public API: Remove needless `const` from scalar types"
* https://github.com/openssl/openssl/pull/22304
"4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters"
* https://github.com/openssl/openssl/pull/24551
"Enable RFC 7919 FFDHE groups for TLS 1.2 server"
* https://github.com/openssl/openssl/pull/24738
"add ech-api.md"
* https://github.com/openssl/openssl/pull/25193
"ECH build artefacts and a bit of code"
* https://github.com/openssl/openssl/pull/25420
"ECH CLI implementation"
* https://github.com/openssl/openssl/pull/25663
"ECH external APIs"
* https://github.com/openssl/openssl/pull/25991
"preserve data constness when getting issuer name's and subject's hash"
* https://github.com/openssl/openssl/pull/26011
"ECH client side"
* https://github.com/openssl/openssl/pull/27397
"create SSL_listen_ex api"
* https://github.com/openssl/openssl/pull/27431
"fips: Enforce lower bounds checks for password protected files when using
FIPS providers, by default"
* https://github.com/openssl/openssl/pull/27540
"ECH client sending mulitple key shares"
* https://github.com/openssl/openssl/pull/27561
"ECH both sides now"
* https://github.com/openssl/openssl/pull/27776
"Introduce the PACKET_msg_start() function"
* https://github.com/openssl/openssl/pull/28033
"Constify further X509 functions; remove OSSL_FUTURE_CONST"
* https://github.com/openssl/openssl/pull/28041
"Remove support for SSLv2 Client Hello"
* https://github.com/openssl/openssl/pull/28108
"Add a way to cleanse params arrays"
* https://github.com/openssl/openssl/pull/28160
"New options for reading MAC key from environment variable, file and standard
input were added."
* https://github.com/openssl/openssl/pull/28270
"s_client and s_server command line options for ECH (plus some wndows
CI fixes)"
* https://github.com/openssl/openssl/pull/28278
"Implementing store support for EVP_SKEY"
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/28432
"Add support for CSHAKE."
* https://github.com/openssl/openssl/pull/28445
"Updated s_server's verify_return_error option to enable peer verification"
* https://github.com/openssl/openssl/pull/28535
"Print PowerPC CPUINFO"
* https://github.com/openssl/openssl/pull/28623
"Combining time validation with comparison return values considered harmful"
* https://github.com/openssl/openssl/pull/28837
"Add support to serialize/deserialize digest state for export/import"
* https://github.com/openssl/openssl/pull/29018
"CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE"
* https://github.com/openssl/openssl/pull/29057
"Avoid empty AKID/SKID extensions in CSRs and certs"
* https://github.com/openssl/openssl/pull/29107
"CRL: Enforce proper handling of ASN1_TIME validation results"
* https://github.com/openssl/openssl/pull/29116
"info: Print CPUINFO for SPARCv9 processors"
* https://github.com/openssl/openssl/pull/29152
"Add new public API for checking certificate times."
* https://github.com/openssl/openssl/pull/29187
"Remove the ASN1_STRING_FLAG_X509_TIME flag"
* https://github.com/openssl/openssl/pull/29195
"Add SNMPKDF implementation"
* https://github.com/openssl/openssl/pull/29200
"Add tests and documentation and fix some issues resulting"
* https://github.com/openssl/openssl/pull/29206
"Per-key encoding formats for ML-KEM and ML-DSA"
* https://github.com/openssl/openssl/pull/29222
"Implementation of Deferred FIPS Self-Tests"
* https://github.com/openssl/openssl/pull/29223
"ML-DSA: Add a digest that can calculate external mu."
* https://github.com/openssl/openssl/pull/29230
"doc/man3: Add OPENSSL_ppccap.pod
* https://github.com/openssl/openssl/pull/29266
"make PEM hexdump width a multiple of 8 bytes"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29305
"Feature/engineremoval"
* https://github.com/openssl/openssl/pull/29311
"Documentation for BIO flags and related functions"
* https://github.com/openssl/openssl/pull/29338
"merge feature/removesslv3"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29380
"Remove crypto-mdebug-backtrace option from config"
* https://github.com/openssl/openssl/pull/29381
" Added LMS support for OpenSSL commandline signature verification using
pkeyutl."
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/29385
"Atexit.final draft.cleanup"
* https://github.com/openssl/openssl/pull/29387
"Add ASN1_BIT_STRING_get_length()"
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
* https://github.com/openssl/openssl/pull/29427
"Remove the c_rehash script"
* https://github.com/openssl/openssl/pull/29428
"Constify return value of X509_get_X509_PUBKEY()"
* https://github.com/openssl/openssl/pull/29435
"Add SRTP KDF"
* https://github.com/openssl/openssl/pull/29445
"Remove BIO_f_reliable() as it is broken"
* https://github.com/openssl/openssl/pull/29465
"Constify X509_get_ext() and friends.."
* https://github.com/openssl/openssl/pull/29468
"constify X509_NAME."
* https://github.com/openssl/openssl/pull/29488
"Constify the X509_STORE_CTX argument to the lookup_certs functions."
* https://github.com/openssl/openssl/pull/29576
"KDF: Add configuration options to disable many of the KDF algorithms."
* https://github.com/openssl/openssl/pull/29612
"Support multiple names for certificate verification"
* https://github.com/openssl/openssl/pull/29635
"SSL_CTX_is_server() was added"
* https://github.com/openssl/openssl/pull/29639
"Disabling explicit EC curves encoding"
* https://github.com/openssl/openssl/pull/29640
"add thunking for compare function to OPENSSL_STACK"
* https://github.com/openssl/openssl/pull/29646
"Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()"
* https://github.com/openssl/openssl/pull/29653
"Drop darwin-i386(-cc) targets from Configurations"
* https://github.com/openssl/openssl/pull/29658
"Disable support of weak elliptic curves in TLS by default"
* https://github.com/openssl/openssl/pull/29672
"Drop darwin-ppc{,64} targets"
* https://github.com/openssl/openssl/pull/29721
"Make OPENSSL_cleanup() G A"
* https://github.com/openssl/openssl/pull/29813
"Make X509_ATTRIBUTE accessor functions const-correct"
* https://github.com/openssl/openssl/pull/29862
"Make ASN1_STRING opaque"
* https://github.com/openssl/openssl/pull/29874
"Take OPENSSL_atexit() for a walk behind the barn."
* https://github.com/openssl/openssl/pull/29926
"Provide ASN1_BIT_STRING_set1()"
* https://github.com/openssl/openssl/pull/29953
"Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid."
* https://github.com/openssl/openssl/pull/29971
"X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* https://github.com/openssl/openssl/pull/29982
"Improved reporting of shared and peer sigalgs"
* https://github.com/openssl/openssl/pull/29991
"Fix of SSL_get_error() so that it no longer depends on the state
of the error stack"
* https://github.com/openssl/openssl/pull/29995
"Add abilty to use static vcruntime"
* https://github.com/openssl/openssl/pull/30005
"Make ERR_STATE opaque and remove related deprecated functions"
* https://github.com/openssl/openssl/pull/30011
"Deprecate ASN1_OBJECT_new()."
* https://github.com/openssl/openssl/pull/30020
"Const correct time parameter for X509_cmp_time(), X509_time_adj()
and X509_time_adj_ex()."
* https://github.com/openssl/openssl/pull/30024
"CRL: reject malformed CRL Number and CRL Delta Indicator"
* https://github.com/openssl/openssl/pull/30028
"Add TLS 1.3 SM ciphersuites"
* https://github.com/openssl/openssl/pull/30031
"Mostly deprecated is slightly not deprecated...."
* https://github.com/openssl/openssl/pull/30033
"Remove the "msie-hack" option from openssl ca"
* https://github.com/openssl/openssl/pull/30034
"Use the appropriate libctx when executing CMS_SignerInfo_verify"
* https://github.com/openssl/openssl/pull/30035
"Constify X509_verify"
* https://github.com/openssl/openssl/pull/30036
"Constify more X509 arguments and return values"
* https://github.com/openssl/openssl/pull/30044
"Added BIO_set_send_flags() function to set flags passed to send(),
sendto(), and sendmsg()"
* https://github.com/openssl/openssl/pull/30048
"change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* https://github.com/openssl/openssl/pull/30053
"Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* https://github.com/openssl/openssl/pull/30054
"Consity X509_add_cert and X509_self_signed"
* https://github.com/openssl/openssl/pull/30055
"Constify various functions that were non const due to extension cache"
* https://github.com/openssl/openssl/pull/30056
"Constify X509_build_chain"
* https://github.com/openssl/openssl/pull/30058
"Constify X509_chain_check_suiteb"
* https://github.com/openssl/openssl/pull/30067
"Constify X509_check_issued and friends"
* https://github.com/openssl/openssl/pull/30071
"constify X509_check_trust, X509_TRUST_add"
* https://github.com/openssl/openssl/pull/30072
"Constify X509_to_X509_REQ and X509_REQ_to_X509"
* https://github.com/openssl/openssl/pull/30073
"Constify X509_print_fp and X509_print_ex_fp"
* https://github.com/openssl/openssl/pull/30074
"Constify X509_STORE_add_cert()"
* https://github.com/openssl/openssl/pull/30076
"Constify X509_STORE_CTX functions invoving X509 *"
* https://github.com/openssl/openssl/pull/30079
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30080
"Constify X509v3_asid_validate_resource_set
and X509v3_addr_validate_resource_set"
* https://github.com/openssl/openssl/pull/30082
"Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* https://github.com/openssl/openssl/pull/30084
"Constify X509_issuer_and_serial_hash"
* https://github.com/openssl/openssl/pull/30089
"Added -expected-rpks s_client/server option"
* https://github.com/openssl/openssl/pull/30090
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30092
"constify X509_find_by_issuer_and_serial"
* https://github.com/openssl/openssl/pull/30096
"Constify X509_find_by_subject"
* https://github.com/openssl/openssl/pull/30098
"Add a changes entry for the x509 time function changes"
* https://github.com/openssl/openssl/pull/30113
"Add keyshare floating"
* https://github.com/openssl/openssl/pull/30117
"Constify X509_OBJECT_[get0|set1]_X509 and friends"
* https://github.com/openssl/openssl/pull/30127
"Constify a bunch of seldom used X509 functions. "
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/30140
"Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* https://github.com/openssl/openssl/pull/30171
"CRL: Reject CRLs with malformed Issuing Distribution Point"
* https://github.com/openssl/openssl/pull/30200
"Remove remnant SSL_FIPS flag"
* https://github.com/openssl/openssl/pull/30229
"X509 returned by X509_REQ_to_X509() should not be (const ...)"
* https://github.com/openssl/openssl/pull/30235
"Make X509_up_ref and X509_free take const X509 *"
* https://github.com/openssl/openssl/pull/30249
"x509: remove erroneous critical extension enforcement"
* https://github.com/openssl/openssl/pull/30252
"Some more X509 extension add/del polish"
* https://github.com/openssl/openssl/pull/30263
"Restrict the number of keyshares/groups/sigalgs a server is willing
to accept"
* https://github.com/openssl/openssl/pull/30265
"Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* https://github.com/openssl/openssl/pull/30272
"Partially revert "Constify X509_STORE_CTX functions invoving X509
*""
* https://github.com/openssl/openssl/pull/30273
"Revert "Make X509_up_ref and X509_free take const X509 *""
* https://github.com/openssl/openssl/pull/30276
"Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"
The changes associated with these PRs are already mentioned in 3.6.x changes:
* https://github.com/openssl/openssl/pull/28760
"Improve the CPUINFO display for RISC-V"
* https://github.com/openssl/openssl/pull/28797
"Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* https://github.com/openssl/openssl/pull/28955
"Fix for TLS handshake issue with GnuTLS #28902"
* https://github.com/openssl/openssl/pull/29155
"fix(x509.c): fixed -checkend return values"
* https://github.com/openssl/openssl/pull/29214
"s390x: Check and fail on invalid malformed ECDSA signatures"
* https://github.com/openssl/openssl/pull/29242
"Clang format head"
* https://github.com/openssl/openssl/pull/29251
"Fix change of behavior of the single stapled OCSP response API"
* https://github.com/openssl/openssl/pull/30204
"Fix detection of plaintext HTTP over TLS"
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Original-PR: https://github.com/openssl/openssl/pull/30817)
Original-Commit: 8fba5d0d9c64 "CHANGES.md, NEWS.md: updates for 4.0.0 final release"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Apr 26 13:17:07 2026
(Merged from https://github.com/openssl/openssl/pull/30847)
Use EVP_MD_fetch() instead of EVP_get_digestbynid() in X509/TLS paths
EVP_get_digestbynid() only searches the legacy built-in digest table and
cannot resolve provider-only digests, which breaks X509 signature info
computation, GOST TLS handshakes, and OCSP cert ID matching when the
digest is loaded exclusively through a provider. Switch the three affected
sites to use EVP_MD_fetch() (with the appropriate libctx/propq).
x509_sig_info_init() gains libctx/propq parameters propagated
from the X509 struct by its caller.
AIX header files don't properly expose sendmmsg/recvmmsg function
declarations. Disable these functions to avoid implicit declaration
errors with clang 16+.
This issue was discovered when building Node.js with clang.
CLA: trivial Fixes: 52cd2a49c53e "Enable send-/recvmmsg for AIX >= 7.2 and disable SUPPORT_LOCAL_ADDR."
References: https://github.com/nodejs/node/pull/62656
Resolves: https://github.com/openssl/openssl/issues/30806
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 12:02:58 2026
(Merged from https://github.com/openssl/openssl/pull/30832)
This patch adds an AArch64-specific extension cross-compile workflow.
This is inspired by the existing RISC-V extension cross-compile
workflow and applies the same matrix-driven approach to AArch64.
References: https://github.com/openssl/openssl/issues/29269 Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Misharov <dmitry@openssl.org>
MergeDate: Sun Apr 26 11:53:08 2026
(Merged from https://github.com/openssl/openssl/pull/30764)
Specifically they have observed the following behavior, as noted in the
above article:
When taking snapshots that include heaps and modules for a process other than
the current process, the CreateToolhelp32Snapshot function can fail or return
incorrect information for a variety of reasons. For example, if the loader data
table in the target process is corrupted or not initialized, or if the module
list changes during the function call as a result of DLLs being loaded or
unloaded, the function might fail with ERROR_BAD_LENGTH or other error code.
Ensure that the target process was not started in a suspended state, and try
calling the function again. If the function fails with ERROR_BAD_LENGTH when
called with TH32CS_SNAPMODULE or TH32CS_SNAPMODULE32, call the function again
until it succeeds.
This behavior necessitates calling DSO_pathbyaddr mutiple times to get a
succesful return code.
win32_pathbyaddr can be made more reliable, avoiding the need for multiple calls
by using alternate windows apis that are not/less succeptible to these transient
errors in multithreaded environments.
refactor win32_pathbyaddr here to implement that increased reliability.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 11:48:58 2026
(Merged from https://github.com/openssl/openssl/pull/30705)
The PATH_MAX define is needed on HURD which is now skipped since it is
winthin the _WIN32 block.
Move the PATH_MAX check+define outside of the _WIN32 block.
Fixes: a2e5848d9d11 "s_client and s_server options for ECH" Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sun Apr 26 11:35:52 2026
(Merged from https://github.com/openssl/openssl/pull/30520)
Weidong Wang [Fri, 20 Mar 2026 10:10:53 +0000 (05:10 -0500)]
Fix double-free in mlx_kem_dup() default case
Null mkey/xkey immediately after OPENSSL_memdup() so that any failure
path (including propq strdup) can safely call mlx_kem_key_free() without
risking a double-free on the source key's material. Use key->* rather
than ret->* for source-state checks to make ownership explicit.
Test that mlx_kem_dup() with partial key selection (e.g.
EVP_PKEY_PUBLIC_KEY) does not corrupt the original key's mkey/xkey
sub-objects. Covers X25519MLKEM768, SecP256r1MLKEM768,
and SecP384r1MLKEM1024.
Fixes: 4b1c73d2dd74 "ML-KEM hybrids for TLS" Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Sun Apr 26 11:14:12 2026
(Merged from https://github.com/openssl/openssl/pull/30511)
Jakub Zelenka [Thu, 16 Apr 2026 16:17:59 +0000 (18:17 +0200)]
Add memory allocation failure testing framework
Introduce ADD_MFAIL_TEST for exhaustive testing of allocation failure
handling in individual functions. The framework repeatedly calls the
test function, each time failing one allocation later within the
section bracketed by mfail_start() and mfail_end(), verifying that
every failure path returns 0 without crashing or leaking.
Custom allocators are installed once at startup via
CRYPTO_set_mem_functions(). When not armed, they pass through to
malloc/realloc/free. Installation can be disabled by setting
OPENSSL_TEST_MFAIL_DISABLE for tests that need the default allocator
(e.g. those using OPENSSL_MALLOC_FAILURES).
Additional environment variables control test execution:
OPENSSL_TEST_MFAIL_SKIP_ALL, OPENSSL_TEST_MFAIL_SKIP_SLOW,
OPENSSL_TEST_MFAIL_POINT, and OPENSSL_TEST_MFAIL_START.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 23 20:23:34 2026
(Merged from https://github.com/openssl/openssl/pull/30871)
Viktor Dukhovni [Thu, 16 Apr 2026 11:41:07 +0000 (21:41 +1000)]
Drop value barrier from ML-DSA reduce_once
This mirrors the corresponding code in ML-KEM and works under
the same conditions/assumptions. Also adjusted related
functions with unnecessary 2-layers of constant_time selects
where one suffices (now also matching BoringSSL).
Intentionally uses the constant time instrumentation PR as its
merge-base, so to be merged after than has baked in for a few
days and shows working CT tests in daily CI runs.
Sample before/after performance pairs and percent throughput
increases for one X86_64 CPU:
projects / thirdparty / openssl.git / log
