Bob Beck [Sun, 22 Feb 2026 18:44:21 +0000 (11:44 -0700)]
Patch the pkcs11 provider
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:15:08 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Sun, 22 Feb 2026 17:01:28 +0000 (10:01 -0700)]
Patch rpki-client-portable to handle bit string changes
We also disable warnings for now ro avoid realloc warning
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:15:06 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Sat, 21 Feb 2026 01:29:31 +0000 (18:29 -0700)]
Update rpki-client test to use current release instead of an old one
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:15:04 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Thu, 19 Feb 2026 22:42:33 +0000 (15:42 -0700)]
krb5 external test: Add patch to use accessors for ASN1_STRING
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:15:02 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Fri, 20 Feb 2026 23:11:57 +0000 (16:11 -0700)]
Skip the oqsprovider test temporarily because it is currently broken
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:15:00 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Fri, 20 Feb 2026 23:06:08 +0000 (16:06 -0700)]
Update oqs-provider to current, which support opaque asn1 strings
This then however breaks for other reasons
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:14:58 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Bob Beck [Thu, 29 Jan 2026 22:25:14 +0000 (15:25 -0700)]
Make ASN1_STRING opaque
This laudable goal, should it land, will be followed
with an issue raised to eat our own dogfood and find
every file with <crypto/asn1.h> added to it in this
commit, and change to the appropriate accessors,
which should be possible in most places we aren't
actually implementing things that change the values
Fixes: https://github.com/openssl/openssl/issues/29860 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 10:14:57 2026
(Merged from https://github.com/openssl/openssl/pull/29862)
Removes trailing whitespace from generated pkg-config .pc files
Fixes #29993
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 25 09:53:18 2026
(Merged from https://github.com/openssl/openssl/pull/30087)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 24 21:19:39 2026
(Merged from https://github.com/openssl/openssl/pull/30128)
Bob Beck [Sat, 21 Feb 2026 21:03:11 +0000 (14:03 -0700)]
Constify X509_get0_trust_*
These are undocumented and look to have only one internal use.
They should probably be deprecated with an eye to moving them
internal, but that's for later.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 24 19:33:01 2026
(Merged from https://github.com/openssl/openssl/pull/30127)
Bob Beck [Thu, 22 Jan 2026 00:02:12 +0000 (17:02 -0700)]
Remove implicit truncation behaviour in ossl_i2c_ASN1_BIT_STRING
and make ASN1_BIT_STRING_set_bit compute the unused bits of the
BIT_STRING.
The implicit trunction behaviour allows you to set a value without
keeping the unused bits consistent, using ASN1_STRING_set, and then
have it magically "fixed" to account for the unused bits in the last
octet on output.
As it turns out, after much searching, nothing is using this behavior,
As we now have the new ASN1_BIT_STRING_set1 to set the entire value
and keep the unused bits correct, we make ASN1_BIT_STRING_set_bit
also do the same. Now that both the setters change the object
correctly we remove the implicit trunctation in ossl_i2x_ASN1_BIT_STRING
and make the provided BIT_STRING argument const.
See discussion in https://github.com/openssl/openssl/issues/29185
and in https://github.com/openssl/openssl/issues/29117
For https://github.com/openssl/openssl/issues/29117
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 24 19:11:26 2026
(Merged from https://github.com/openssl/openssl/pull/29711)
Bob Beck [Mon, 29 Sep 2025 22:47:44 +0000 (16:47 -0600)]
Constify X509_get_ext() and friends..
These all took const, but returned non const, they should return const.
This then triggers constifying of a whole class of get_ext() functions.
Part of #28654 and #29117 Fixes: openssl/project#1779 Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 24 18:53:25 2026
(Merged from https://github.com/openssl/openssl/pull/29465)
are const "corrected" by making their argument non-const
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 24 16:32:45 2026
(Merged from https://github.com/openssl/openssl/pull/30036)
Neil Horman [Wed, 11 Feb 2026 20:42:49 +0000 (15:42 -0500)]
Add a ci job to validate our suppression file is up to date nightly
Now that we have a suppression file, lets make sure we keep it up to
date. Run a nightly job in CI that runs all our tests under valgrind
with our current suppression file, and fail if any new errors are
generated so that we can either address them or add them to the
suppression file
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Feb 24 15:11:19 2026
(Merged from https://github.com/openssl/openssl/pull/30003)
Neil Horman [Wed, 11 Feb 2026 18:38:56 +0000 (13:38 -0500)]
Fix a legitimate leak in v2i_issuer_sign_tool
Valgrind found a legitimate leak that, somehow asan missed.
v2i_issuer_sign_tool, when creating a new issuer sign tool,
automatically creates the member utf8 asn1 string objects for us.
However, based on configuration, this function will also create its own
utf8 asn1 strings, which overwrite those initial allocations, creating a
leak.
We don't need to create those strings at all in this fuction, just make
sure the ISSUER_SIGN_TOOL_new function did it for us, by checking them
all for NULL
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Feb 24 15:11:16 2026
(Merged from https://github.com/openssl/openssl/pull/30003)
Bob Beck [Mon, 23 Feb 2026 01:05:58 +0000 (18:05 -0700)]
Correct man page args to be consistant
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:25 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sun, 22 Feb 2026 19:55:06 +0000 (12:55 -0700)]
Correct synopsis for SSL_set1_ipaddr
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:22 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:20 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sun, 22 Feb 2026 19:47:59 +0000 (12:47 -0700)]
Fix being hoist on my own petard by my kind Irish friend.
(Use the now non-deprecated function)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:18 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sun, 22 Feb 2026 18:03:33 +0000 (11:03 -0700)]
Correct rename of variable that went one bikeshed too far
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:15 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:31:52 +0000 (09:31 -0700)]
Update CHANGES.md
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:13 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:31:35 +0000 (09:31 -0700)]
Update CHANGES.md
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:10 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:31:23 +0000 (09:31 -0700)]
Update CHANGES.md
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:08 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:31:08 +0000 (09:31 -0700)]
Update CHANGES.md
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:05 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:30:57 +0000 (09:30 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:03 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:30:46 +0000 (09:30 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:05:01 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:30:27 +0000 (09:30 -0700)]
Update ssl/ssl_lib.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:58 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:30:16 +0000 (09:30 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:55 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:30:06 +0000 (09:30 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:53 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 21 Feb 2026 16:29:54 +0000 (09:29 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:50 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 19 Feb 2026 01:17:39 +0000 (18:17 -0700)]
Add a changes entry
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:47 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 18 Feb 2026 16:55:17 +0000 (09:55 -0700)]
Fix misplaced check spotted by vitkor
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:45 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 18 Feb 2026 16:48:04 +0000 (09:48 -0700)]
Fix up bug found by nhorman on review. Thanks!
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:42 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:38:22 +0000 (08:38 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:40 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:38:03 +0000 (08:38 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:37 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:37:42 +0000 (08:37 -0700)]
Update crypto/x509/x509_vpm.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:35 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:37:18 +0000 (08:37 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:32 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:37:00 +0000 (08:37 -0700)]
Update crypto/x509/x509_vpm.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:30 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:36:42 +0000 (08:36 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:28 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:36:21 +0000 (08:36 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:25 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Thu, 5 Feb 2026 15:35:57 +0000 (08:35 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 4 Feb 2026 00:57:49 +0000 (17:57 -0700)]
Add a test for using a leading . for verification of a domain name
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:20 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 4 Feb 2026 00:51:37 +0000 (17:51 -0700)]
Allow for a leading . for wildcard like matches
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:17 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 4 Feb 2026 00:30:10 +0000 (17:30 -0700)]
Ensure we use the correct '@' in an email and raise an error when we fail
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:15 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 18:39:29 +0000 (11:39 -0700)]
Address Viktor's review around label checks
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:12 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:24:19 +0000 (10:24 -0700)]
Mention ASCII vs Non ASCII localparts
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:10 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:09:07 +0000 (10:09 -0700)]
derp
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:07 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:47:06 +0000 (10:47 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:04 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:14:49 +0000 (10:14 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:02 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:13:29 +0000 (10:13 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:04:00 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 17:09:46 +0000 (10:09 -0700)]
Update doc/man3/SSL_set1_host.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:57 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 16:44:09 +0000 (09:44 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:54 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 16:41:12 +0000 (09:41 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:52 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Tue, 3 Feb 2026 16:39:50 +0000 (09:39 -0700)]
Update doc/man3/X509_VERIFY_PARAM_set_flags.pod
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:49 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 28 Jan 2026 19:56:57 +0000 (12:56 -0700)]
Update crypto/x509/v3_utl.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:47 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Wed, 28 Jan 2026 19:56:47 +0000 (12:56 -0700)]
Update crypto/x509/v3_utl.c
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:44 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Bob Beck [Sat, 20 Dec 2025 19:21:40 +0000 (12:21 -0700)]
Let's support multiple names for certificate verification
This adds the functionality to VERIFY_PARAM to separately add multiple
ip's and email addresses for verification purposes.
We then mark the unfortunate SSL_add1_host API which unfortunately
aquired a confusing "maybe add an IP address" behaviour as deprecated.
We replace this with SSL_set1_<dnsname, email, ip, ip_asc> and
SSL_add1_<dnsname, email, ip, ip_asc> to set the things in the SSL
corresponding to the VERIFY_PARAM funcitons.
Fixes: https://github.com/openssl/openssl/issues/28418 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Tue Feb 24 14:03:42 2026
(Merged from https://github.com/openssl/openssl/pull/29612)
Neil Horman [Thu, 19 Feb 2026 19:14:40 +0000 (14:14 -0500)]
Ensure we don't leak heap in ossl_rcu_lock_free
BSD, when initializing a pthread_cond_t or pthread_mutex_t may allocate
additional heap. If we don't call pthread_[cond|mutex]_destroy on them,
those allocations leak.
clean that up here.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Feb 24 12:52:59 2026
(Merged from https://github.com/openssl/openssl/pull/30094)
Neil Horman [Thu, 19 Feb 2026 20:17:10 +0000 (15:17 -0500)]
Constify X509_find_by_subject
Transitively, this also requires the constification of OCSP_resp_get0_signer
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Feb 24 12:45:57 2026
(Merged from https://github.com/openssl/openssl/pull/30096)
Pauli [Thu, 19 Feb 2026 00:29:23 +0000 (11:29 +1100)]
Update documentation with guidelines for commit and PR messages
The CONTRIBUTING.md and PULL_REQUEST_TEMPLATE.md files have been updated
to include guidelines on what makes a desirable commit message and
PR description.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/30075)
Bob Beck [Wed, 18 Feb 2026 23:43:33 +0000 (16:43 -0700)]
Constify X509_STORE_add_cert()
For #30050
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Feb 23 22:45:42 2026
(Merged from https://github.com/openssl/openssl/pull/30074)
Bob Beck [Tue, 17 Feb 2026 21:28:01 +0000 (14:28 -0700)]
Constify various functions that were non const due to extension cache
for https://github.com/openssl/openssl/issues/30052
This is a blatent cheat. While I can get pretty close to getting
around cheating by cacheing extensions as X509 objects are created it's
too fragile at the moment. In a future with a better not-copying all
the things X509, we would endeavour to not need this.
In the meantime, in the interest of getting the public API ready to
do that, we instead make a blatent cheat in the internal function of
int ossl_x509v3_cache_extensions(const X509 *x);
Which in a future world we can work to make go away.
And then the public API all changes to const.
long X509_get_pathlen(const X509 *x);
int X509_check_ca(const X509 *x);
int X509_check_purpose(const X509 *x, int id, int ca);
long X509_get_proxy_pathlen(const X509 *x);
uint32_t X509_get_extension_flags(const X509 *x);
uint32_t X509_get_key_usage(const X509 *x);
uint32_t X509_get_extended_key_usage(const X509 *x);
onst ASN1_OCTET_STRING *X509_get0_subject_key_id(const X509 *x);
const ASN1_OCTET_STRING *X509_get0_authority_key_id(const X509 *x);
const GENERAL_NAMES *X509_get0_authority_issuer(const X509 *x);
const ASN1_INTEGER *X509_get0_authority_serial(const X509 *x);
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Feb 23 16:34:29 2026
(Merged from https://github.com/openssl/openssl/pull/30055)
Richard Levitte [Thu, 19 Feb 2026 15:30:45 +0000 (16:30 +0100)]
Fix the uses of X509_check_certificate_times
The "error" parameter to 'X509_check_certificate_times' gets an X509 error
value, which isn't a OpenSSL ERR reason code. Unfortunately, this was
conflated.
This restores the behaviour in the places of conflation to something
similar enough to what was done before 'X509_check_certificate_times'
was implemented.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Feb 23 15:43:21 2026
(Merged from https://github.com/openssl/openssl/pull/30088)
Bob Beck [Fri, 20 Feb 2026 23:26:51 +0000 (16:26 -0700)]
Correct the instructions for how to run the krb5 external test.
What is there is a trap. I fell into it. I was sad.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 21:47:54 2026
(Merged from https://github.com/openssl/openssl/pull/30122)
Angel Yankov [Thu, 19 Feb 2026 08:27:21 +0000 (10:27 +0200)]
Constify X509_CRL_get0_by_cert
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:57:56 2026
(Merged from https://github.com/openssl/openssl/pull/30079)
Neil Horman [Thu, 19 Feb 2026 15:52:31 +0000 (10:52 -0500)]
Constify X509_CRL_get0_by_cert
Update the X509 parameter to be const
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Feb 22 17:55:12 2026
(Merged from https://github.com/openssl/openssl/pull/30090)
Bob Beck [Thu, 19 Feb 2026 20:20:20 +0000 (13:20 -0700)]
Return the correct error message in ossl_X509_print_ex_brief
X509_verify_cert_times returns a verify error code,
so X509_verify_cert_error_string() must be used to
convert it to text.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Sun Feb 22 17:52:13 2026
(Merged from https://github.com/openssl/openssl/pull/30097)
Bob Beck [Thu, 19 Feb 2026 20:59:17 +0000 (13:59 -0700)]
Add a changes entry for the x509 time function changes
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:49:25 2026
(Merged from https://github.com/openssl/openssl/pull/30098)
Neil Horman [Fri, 20 Feb 2026 10:48:53 +0000 (05:48 -0500)]
Fix broken strict-warnings build in sskdf and x963kdf
when configuring with:
./Configure no-sskdf --strict-warnings
The build breaks as sskdf_new is defined but not used (as the same sskdf
file is used to implement x963kdf with a different new dispatch
function). i.e. we will build the file when sskdf is disabled but
x963kdf is enabled, omitting any use of sskdf_new
Easy fix, just gate the inclusion of sskdf_new on #ifndef
OPENSSL_NO_SSKDF.
Do the same for X963KDF, which has the same problem (thank you for
pointing that out @t8m)
Fixes #30105
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sun Feb 22 17:46:00 2026
(Merged from https://github.com/openssl/openssl/pull/30106)
Bob Beck [Tue, 17 Feb 2026 22:37:15 +0000 (15:37 -0700)]
Constify X509_chain_check_suiteb
For https://github.com/openssl/openssl/issues/30052
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Feb 22 17:37:38 2026
(Merged from https://github.com/openssl/openssl/pull/30058)
X509V3_set_nconf(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
X509V3_set_ctx(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
Viktor Dukhovni [Wed, 18 Feb 2026 04:27:55 +0000 (15:27 +1100)]
CHANGE log additions
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:53 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 11:51:15 +0000 (22:51 +1100)]
Refactor openssl-speed(1)
- Adding support for "curveSM2" ECDH
- Integrating EdDSA and SM2 signature support into existing ECDSA code.
This removes ~500 lines of duplicated code.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Wed, 11 Feb 2026 18:55:51 +0000 (05:55 +1100)]
New SSL tests for SM2 cert and key exchange
Also some additional tests for other MLKEM hybrids.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:36 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Milan Broz [Wed, 11 Feb 2026 12:02:26 +0000 (13:02 +0100)]
Add curveSM2 and curveSM2MLKEM768 TLS test.
This extends sslapi test for SM2-based key exchange.
Also add comments for #endif to clearly mark disabled code blocks.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Sat Feb 21 13:26:27 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Sun, 8 Feb 2026 13:45:03 +0000 (00:45 +1100)]
Document ECDH over SM2 key exchange.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:15 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 16:32:17 +0000 (03:32 +1100)]
Support for RFC8998 curveSM2 + hybrid
This adds support for the "sm2sig_sm3" TLS 1.3 signature algorithm, the
"curveSM2" key exchange group (ECDH over SM2) and the associated
post-quantum/traditional (PQ/T) hybrid "curveSM2MLKEM768" key exchange.
The default key agreement group list is expanded to add two additional
PQ groups, immediately after X25519MLKEM768. These are the P-256-based
SecP256r1MLKEM768 and the SM2-based curveSMMLKEM768. Neither of the new
groups is a default client keyshare group, these would only come into
play after a server HRR, if for some reason X25519MLKEM768 is not
supported by the server, X25519 is not then the server's most
preferred group, and the server supports and prefers one of these
of X25519.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:07 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:58:43 +0000 (02:58 +1100)]
Use algorithm name macros instead of literals
In the default and FIPS provider dispatch tables use corresponding
macros instead of string literals.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:57 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:53:51 +0000 (02:53 +1100)]
Pass tls-version to cert sign/verify algorithms
Most signature algorithms will ignore this parameter, but for SM2 this
makes it possible to set the RFC8998 distinguished identifier.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:47 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 15:45:02 +0000 (02:45 +1100)]
New SM2 "tls-version" signature parameter
When the version is TLS 1.3, this sets the SM2 distinguished identifier to
the RFC8998 specified value: "TLSv1.3+GM+Cipher+Suite".
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:39 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Wed, 11 Feb 2026 18:49:33 +0000 (05:49 +1100)]
Implement default SM2 distinguished identifier
This is needed for certificate verification to work correctly.
Removed unnecessary explicit instances of the distid in most tests, and
documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:30 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Tue, 10 Feb 2026 14:55:02 +0000 (01:55 +1100)]
SM2 digest sign/verify context initialisation fix
SM digest sign/verify context initialisation needs to set the
"compute_z_digest" flag earlier, before calling sm2sig_signature_init(),
to process the provided parameters, because otherwise attempts to set
the "distinguished identifier" will erroneously fail.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:19 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
Viktor Dukhovni [Mon, 9 Feb 2026 09:28:39 +0000 (20:28 +1100)]
New decoder generator returns matched field count
It can be useful to know how many parameters matched a decoded field,
(or at least whether that number is non-zero).
Tne new `produce_param_decoder_with_count` generator produces code that
updates a count output variable.
In particular, an RSA parameter handler did not handle requests for only
unexpected parameter as gracefully as one might want. It can now
return early when none of the provided parameters are relevant.
[ The number reported is a count of matching parameter values, not a
count of the resulting decoded fields, so if a parameter key occurs
more than once, the count can be larger than the number of fields
actually set. ]
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:25:11 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
projects / thirdparty / openssl.git / log
