Milan Broz [Thu, 19 Feb 2026 12:05:21 +0000 (13:05 +0100)]
Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp.
Functions seem not documented, but exported.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 17:07:41 2026
(Merged from https://github.com/openssl/openssl/pull/30082)
sftcd [Tue, 17 Feb 2026 23:09:01 +0000 (23:09 +0000)]
require manual build for external ECH tests
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 14:16:40 2026
(Merged from https://github.com/openssl/openssl/pull/30059)
Tomas Mraz [Wed, 18 Feb 2026 14:09:37 +0000 (15:09 +0100)]
ECH: Remove whitespace at EOL or EOF
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 10:11:21 2026
(Merged from https://github.com/openssl/openssl/pull/30066)
Tomas Mraz [Wed, 18 Feb 2026 14:09:11 +0000 (15:09 +0100)]
ECH: Use BIO_puts when appropriate
And also a few additional code cleanups.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Fri Feb 20 10:11:20 2026
(Merged from https://github.com/openssl/openssl/pull/30066)
sftcd [Tue, 17 Feb 2026 16:48:18 +0000 (16:48 +0000)]
ECH: change from I-D to RFC 9849 and resolve TODO(ECH) cases
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/30048)
sftcd [Tue, 17 Feb 2026 19:11:50 +0000 (19:11 +0000)]
ECH: avoid pointer aliasing in tls_construct_ctos_psk()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:20:46 2026
(Merged from https://github.com/openssl/openssl/pull/30051)
sftcd [Tue, 17 Feb 2026 18:37:04 +0000 (18:37 +0000)]
ech_check_format(): Fix potential out of bounds read
strspn() is called on likely non-NUL-terminated BIO buffer.
Copy it and add NUL-termination before calling the function.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:17:54 2026
(Merged from https://github.com/openssl/openssl/pull/30050)
sftcd [Sun, 23 Nov 2025 23:19:16 +0000 (23:19 +0000)]
Add tests and documentation and fix a couple of issues identified by added tests
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Feb 16 15:41:15 2026
(Merged from https://github.com/openssl/openssl/pull/29200)
sftcd [Thu, 18 Dec 2025 14:39:10 +0000 (14:39 +0000)]
ossl_ech_get_retry_configs(): Check for integer overflow
Fixes DEF-02-010
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:16 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 14:16:10 +0000 (14:16 +0000)]
tls_process_server_hello(): With retry config validate the outer hostname
Call SSL_set1_host() to apply the outer hostname to the certificate
validation.
Fixes DEF-02-009
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:14 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 13:48:28 +0000 (13:48 +0000)]
ech_test.c: Add test for trying ECH with TLSv1.2
Fixes DEF-02-006
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:13 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Thu, 18 Dec 2025 02:10:38 +0000 (02:10 +0000)]
ssl_choose_server_version(): With ECH check if connection is TLSv1.3
Fixes DEF-02-005
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:11 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Tue, 25 Nov 2025 23:39:33 +0000 (23:39 +0000)]
Document that SSL_OP_ECH_TRIALDECRYPT can cause DoS in some circumstances
Fixes DEF-02-002
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:10 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
sftcd [Tue, 25 Nov 2025 22:41:23 +0000 (22:41 +0000)]
ech_read_priv_echconfiglist(): Pass encodedlen to BIO_new_mem_buf()
Fixes DEF-02-001
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/29593)
Matt Caswell [Thu, 5 Jun 2025 13:41:55 +0000 (14:41 +0100)]
Introduce the PACKET_msg_start() function
This gives us the start of the buffer in use for the PACKET.
We then use this information when calculating the TLS PSK binder.
Previously we were assuming knowledge about where the buffer starts.
However, with ECH, we may be using a different buffer to normal so it is
better to ask the PACKET where the start of the buffer is.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)
Stephen Farrell [Tue, 6 Aug 2024 22:16:58 +0000 (23:16 +0100)]
Documents initial agreed APIs for Encrypted Client Hello (ECH)
and includes a minimal demo for some of those APIs.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Stephen Farrell [Wed, 26 Jun 2024 11:55:17 +0000 (12:55 +0100)]
add ech-api.md
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24738)
Daniel Kubec [Mon, 16 Feb 2026 12:09:41 +0000 (13:09 +0100)]
CRL: reject malformed CRL Number and CRL Delta Indicator
Previously, a malformed ASN.1 INTEGER in the CRL Number or Delta CRL Indicator
extension would cause a parse error but the CRL would not be explicitly
rejected. Existing code discards the error and continues, accepting a CRL it
cannot fully parse, unlike other libraries and implementations that reject the
CRL outright.
Malformed encoding suggests a corrupt or tampered CRL, data that cannot be
parsed cannot be trusted. Reject the CRL outright if either extension cannot be
decoded, regardless of whether the extension is marked critical. This prevents
silent soft-fail behavior where revoked certificates could pass validation
unchecked.
Fixes #27374
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:24:44 2026
(Merged from https://github.com/openssl/openssl/pull/30024)
Milan Broz [Thu, 19 Feb 2026 09:47:33 +0000 (10:47 +0100)]
Constify X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set
These functions are exported, but undocumented.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 13:06:58 2026
(Merged from https://github.com/openssl/openssl/pull/30080)
Neil Horman [Wed, 18 Feb 2026 20:34:31 +0000 (15:34 -0500)]
constify X509_check_trust, X509_TRUST_add
Turn the X509 parameters to X509_check_trust and X509_TRUST_add into
consts.
Interesting side notes: X509_TRUST_add and some others that we're
modified as a result of this pr, are listed as public functions, but
have no documentation for them, and make doc-nits doesn't complain about
it. Unsure as to why, but we should probably look at that eventually
Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Feb 20 13:04:04 2026
(Merged from https://github.com/openssl/openssl/pull/30071)
Whilst this is still useful with pre-3.2 providers, it is actually unlikely to be deployed. And there are now openssl fips providers getting validated with statically linked jitterentropy source already.
See background info at:
- https://github.com/openssl/openssl/pull/25930
Fixes: https://github.com/openssl/openssl/issues/26903 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Fri Feb 20 11:15:25 2026
(Merged from https://github.com/openssl/openssl/pull/29641)
Milan Broz [Mon, 16 Feb 2026 20:30:28 +0000 (21:30 +0100)]
Add CHANGES.md entry for SM-based cipher suites.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:25 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Milan Broz [Mon, 16 Feb 2026 15:04:28 +0000 (16:04 +0100)]
Add tests for TLS1.3 TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:20 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Milan Broz [Sun, 15 Feb 2026 17:29:57 +0000 (18:29 +0100)]
Add TLS1.3 ciphersuites from RFC8998
This adds TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
as defined in RFC 8998.
Fixes openssl/project#1871
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:15 2026
(Merged from https://github.com/openssl/openssl/pull/30028)
Neil Horman [Tue, 17 Feb 2026 20:14:47 +0000 (15:14 -0500)]
Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN
As part of our effort to not allow mutable x509 objects where they
aren't needed, constify the parameters to these two functions
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Feb 19 13:08:11 2026
(Merged from https://github.com/openssl/openssl/pull/30053)
This prevents potential crashes when print_keyspec is called with a NULL algorithm
pointer, improving the robustness of the CMP application.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Feb 19 12:56:01 2026
(Merged from https://github.com/openssl/openssl/pull/30046)
Michael Baentsch [Wed, 23 Jul 2025 08:37:41 +0000 (10:37 +0200)]
SSL_CONF_cmd.pod: Add PQC algs to recommended TLS 1.3 groups
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Reviewed-by: Alicja Kario <hkario@redhat.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:14:06 2026
(Merged from https://github.com/openssl/openssl/pull/28076)
Bob Beck [Mon, 16 Feb 2026 22:42:14 +0000 (15:42 -0700)]
Remove the "msie-hack" option from openssl ca
This has been documented as a deprecated option for
a long time, as we are not even certain this does what
was originally intended anymore, as it has no tests and
it's time of usefulness has long since past.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 10:09:33 2026
(Merged from https://github.com/openssl/openssl/pull/30033)
Neil Horman [Wed, 18 Feb 2026 19:35:22 +0000 (14:35 -0500)]
Fix unit tests when run under fuzz builds
PR https://github.com/openssl/openssl/pull/30045
Fixed an oss-fuzz failure that occured because we feed random data into
the pkcs12 kdf, which sometimes results in a huge iteration count, that
leads to timeouts in oss-fuzz.
The fix was to simply limit the number of iterations that we go through
during derivation. This breaks the kdf of course, but it doesn't really
matter during fuzzing, because we don't expect random input data to
produce reasonable results, so no harm, no foul.
except.
We also, in our CI, build our fuzzer tests and run them through our
regular CI unit tests, during which we both provide valid data, and
expect valid results, and pr 30045 breaks that expectation.
The conventional wisdom is to simply skip unit tests that break under
these sorts of conditions (we do this for things like
70-test_quic_record.t already).
however, the tests that broke here are 25_test_x509, 30_test_evp,
80_test_pkcs12, and 90_test_store_cases. It seems like we would want to
keep testing those unless we absolutely have to skip them.
So instead, lets indicate that we are running the unit tests with an
environment variable, and check that variable when we have an
UNSAFE_FOR_PRODUCTION build, skiping the iteration clamp in pkcs12kdf if
it is. This allows us to continue running these unit tests, while still
getting the oss-fuzz runs to pass.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Feb 19 08:49:56 2026
(Merged from https://github.com/openssl/openssl/pull/30070)
Simo Sorce [Tue, 17 Feb 2026 08:09:44 +0000 (03:09 -0500)]
Annotate benign race in FIPS deferred self test
Move TSAN definitions to threads_common.h to make them available
globally and introduce the ANNOTATE_BENIGN_RACE macro.
Apply this annotation to the state check in ossl_deferred_self_test()
to suppress a benign race warning from ThreadSanitizer, as the race
is intentional and accepted to avoid cpu contention.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Mon, 16 Feb 2026 17:37:36 +0000 (12:37 -0500)]
Relax unnecessary atomic reads in FIPS provider
Replace calls to ossl_get_self_test_state() with direct access to
st_all_tests[].state in the FIPS self-test code.
Atomic reads are unnecessary in functions like FIPS_kat_deferred()
and SELF_TEST_kats_execute() because they are executed with the
relevant lock already held.
For ossl_deferred_self_test(), removing the atomic read avoids
contention. The common case is that tests are already passed. If a
race occurs, the function safely falls back to the locked path in
FIPS_kat_deferred() which re-verifies the state.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Sat, 14 Feb 2026 03:38:26 +0000 (22:38 -0500)]
Make FIPS self test state access atomic
Direct access to the FIPS self-test state array caused race conditions in
multi-threaded environments when checking or updating test status.
Introduce atomic accessor functions `ossl_get_self_test_state` and
`ossl_set_self_test_state`, backed by a global lock, to ensure thread-safe
state transitions. Replace all direct structure accesses with these new
functions.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Simo Sorce [Fri, 13 Feb 2026 19:09:06 +0000 (14:09 -0500)]
Fix race in FIPS on-demand self test
The on-demand self-tests could race with deferred tests executing
concurrently in another thread.
Pass the FIPS global state to SELF_TEST_post() to allow locking
around the critical section where module integrity is checked and
test states are modified. This ensures thread safety when resetting
and executing tests.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Gleb Smirnoff [Fri, 23 Jan 2026 18:44:23 +0000 (10:44 -0800)]
SSL_sendfile: make it more like bio/bss_sock.c:sock_write()
First, use BIO_sock_should_retry().
Second, clear BIO retry flags. Otherwise after an SSL_sendfile that
failed, no matter how many succeded after, the flags would still be up.
Fixes: #29742 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:24 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Gleb Smirnoff [Tue, 17 Feb 2026 19:21:31 +0000 (11:21 -0800)]
sockets: list EBUSY as a retryable socket error code.
This is a documented error code for sendfile(2) in FreeBSD. Being on a
conservative side embrace into ifdef for now.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:21 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Gleb Smirnoff [Fri, 23 Jan 2026 18:42:42 +0000 (10:42 -0800)]
SSL_sendfile: let ktls_sendfile() pass more data up to SSL_sendfile()
Before this change ktls_sendfile() is basically 1:1 wrapper around Linux
sendfile(2). FreeBSD sendfile(2) API is richer than Linux, and reducing
it down to Linux API loses meaningful data. Instead, make ktls_sendfile()
more like FreeBSD sendfile(2) and adopt Linux version to that.
With this change we will be raising BIO_should_retry() flag after a short
write due to lack of buffer space in a non-blocking socket on FreeBSD.
That will allow an application to tell a short write due to lack of buffer
space from a short write due to end of file. Before this change, the only
way to tell between these two kinds of short writes was to immediately
retry the operation.
This change allows to cut nearly in half the number of sendfile(2)
syscalls when sending a large file over a non-blocking socket on FreeBSD.
Fixes: #29742 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:18 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
Daniel Kubec [Tue, 10 Feb 2026 12:36:03 +0000 (13:36 +0100)]
X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set
- Raise X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER when AKID is not present.
- Raise X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER when AKID has no attributes.
- Raise X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED when authorityCertIssuer
and authorityCertSerialNumber fields are not paired.
RFC 5280 section 4.2.1.1: The authorityCertIssuer and authorityCertSerialNumber
fields are paired and MUST either both be present or both be absent.
- Issuer without serial is ambiguous, and serial without issuer is meaningless,
leading to unresolvable and misleading issuer identification.
Fixes #27114
Fixes #27360
Fixes #20027
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 18:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/29971)
Neil Horman [Tue, 17 Feb 2026 15:01:12 +0000 (10:01 -0500)]
limit number of iterations for fuzzer in pkcs12kdf
OSS-FUZZ tripped over a timeout:
https://issues.oss-fuzz.com/issues/477959320
It occurs because the pkcs12 data the fuzzer feeds into the mac
verification routine requests a large number of iterations (I think gdb
read it as 15346721 or some such), which causes very long processing
times while verifying the mac. This is something of an artificial
problem unique to the fuzzer, as the fuzzer contains a 60 second timeout
on any single test iteration.
Fix it by limiting the iteration count to 100 only when running the
fuzzer tests.
Fixes openssl/srt#89
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:07:05 2026
(Merged from https://github.com/openssl/openssl/pull/30045)
Igor Ustinov [Wed, 28 Jan 2026 22:41:57 +0000 (23:41 +0100)]
Bugfix of bn_sqr_mont procedure on SPARC sun4v
The fix for sparcv9-mont.pl came from Andy Polyakov (@dot-asm)
Fixes #15587
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 18:02:33 2026
(Merged from https://github.com/openssl/openssl/pull/29948)
Neil Horman [Mon, 16 Feb 2026 23:04:37 +0000 (18:04 -0500)]
Use the appropriate libctx when executing CMS_SignerInfo_verify
@beldmit found some odd fips behavior when running cms tests after
attempting to remove the EVP_get_digestbyname call from the find routine
in cms when doing certificate signer validation.
It was occuring because the cms app, being an applet in openssl uses the
app libctx to load all the provided configuration, which implies the
fips and base providers are loaded to that ctx. However, in the find
routine (part of cms), it only ever fetches algorithms from the default
libctx, leading to failed lookups, and consequently, CMS errors.
Fix it by using the appropriate libctx, which in this case can be
fetched from the SignerInfo data, which initializes its libctx member to
the app libctx in all cases.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Wed Feb 18 16:28:44 2026
(Merged from https://github.com/openssl/openssl/pull/30034)
Milan Broz [Tue, 17 Feb 2026 12:18:10 +0000 (13:18 +0100)]
Use defined TLS cipher suite names in SSL trace
This should use #define strings instead of duplication.
Not everything is defined, though.
Fixes openssl/project#1875
Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com> Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 18 16:01:18 2026
(Merged from https://github.com/openssl/openssl/pull/30042)
Bernd Edlinger [Fri, 13 Feb 2026 06:42:48 +0000 (07:42 +0100)]
Alternate fix for CVE-2025-69419
This affects the function OPENSSL_uni2utf8
which caused heap buffer overflow when certain
unicode characters are converted.
The current fix is incomplete and does only prevent the
crash by making OPENSSL_uni2utf8 return a NULL pointer.
But with this change the OPENSSL_uni2utf8 will return the
correct utf8 string instead of a NULL pointer.
Additionally we add a simple test case that demonstrates
the original CVE.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:46:35 2026
(Merged from https://github.com/openssl/openssl/pull/29997)
Igor Ustinov [Sat, 7 Feb 2026 09:21:22 +0000 (10:21 +0100)]
SSL_get_error(): Do not depend on the state of the error stack
We check in relevant functions (SSL_handshake(), SSL_read(), etc.) whether
a new error has been pushed onto the error stack, and if so, memorise this
fact in the SSL structure. After that SSL_get_error() uses this memorised
information instead of checking the error stack itself.
Fixes #11889
Fixes openssl/project#1715
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:27:38 2026
(Merged from https://github.com/openssl/openssl/pull/29991)
giorgiopapini [Thu, 12 Feb 2026 21:34:51 +0000 (22:34 +0100)]
Move typedef 'RSA_OEAP_PARAMS' to openssl/types.h
This avoids redefinition of the type.
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:09:26 2026
(Merged from https://github.com/openssl/openssl/pull/29994)
Bob Beck [Mon, 16 Feb 2026 20:25:20 +0000 (13:25 -0700)]
Deprecate X509_NAME_get_text_by NID and X509_NAME_get_text_by_OBJ
As they were already documented as "should be considered deprecated".
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 13:06:18 2026
(Merged from https://github.com/openssl/openssl/pull/30031)
Neil Horman [Thu, 12 Feb 2026 16:30:46 +0000 (11:30 -0500)]
don't include the asm code for ppc aes-gcm on big endian
Its dead code on that platform since we don't use it
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue Feb 17 14:11:49 2026
(Merged from https://github.com/openssl/openssl/pull/29968)
Neil Horman [Mon, 9 Feb 2026 17:55:50 +0000 (12:55 -0500)]
don't use asm accelerated path on big endian power9
https://github.com/openssl/openssl/issues/29845
Found that our hardware accelerated path doesn't work on big endian
systems, so make sure that we only use it when little endian is defined
We also noted that PPC_AES_GCM_CAPABLE gets defined to zero when the
capabilities register notes that the hardware isn't capable of the
needed instructions, but that still includes the asm path as
PPC_AES_GCM_CAPABLE is still defined.
Fix both issues
Fixes #29845
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue Feb 17 14:11:46 2026
(Merged from https://github.com/openssl/openssl/pull/29968)
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Feb 17 14:09:07 2026
(Merged from https://github.com/openssl/openssl/pull/29782)
Tomas Mraz [Wed, 11 Feb 2026 14:55:46 +0000 (15:55 +0100)]
X509V3_EXT_print(): Return only 0 or 1 as the callers expect
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue Feb 17 09:17:37 2026
(Merged from https://github.com/openssl/openssl/pull/29981)
slontis [Fri, 17 Oct 2025 05:32:06 +0000 (16:32 +1100)]
SLH-DSA speed up hash calculations.
SLH-DSA spends a significant amount of time performing large
numbers of hash calculations. Initially this was done using
EVP layer calls. The overhead is significant when there are thousands
of calls. To reduce this overhead the lower level sha functions for
KECCAK1600_CTX, SHA256_CTX and SHA512_CTX are accessed directly.
Profiling showed that a significant amount of time is spent in
"WOTS+ Public key generation" (FIPS 205 Section 5.1 Algorithm 6) so
this was inlined for shake and sha2 (See slh_wots_pk_gen_sha2()).
In FIPS 205 Section 11 there is a list of Hash functions.
Many of these functions use a pattern of
Trunc(n)(SHA256(PK.Seed || toByte(0, 64-n) || ....)
Because this operation is done many times, this prehashed
value is calculated once and stored into a low level SHA256_CTX or
KECCAK1600_CTX.
This can then be block copied to stack based KECCAK1600_CTX or
SHA256_CTX that we can then perform low level SHA functions on.
The md_len field is written to directly before the SHA final() to
control the length of the output (which avoids performing a memcpy).
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:21:54 +0000 (16:21 +1100)]
SHA256: Document SHA256_CTX, HASH_UPDATE() and HASH_FINAL()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:15:03 +0000 (16:15 +1100)]
SHA512 : Change SHA512_Final() so that it handles 192 bits.
SLH-DSA uses SHA-512 truncated to n when (n = 24 or 32).
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 17 Oct 2025 05:11:11 +0000 (16:11 +1100)]
SHA3 - Move the buffered absorb function into sha3.c
This code was sitting inside the sha3 provider where it could not be
called directly.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
slontis [Fri, 13 Feb 2026 08:55:52 +0000 (19:55 +1100)]
SRTP: Fixup settable input limits and test them.
Reported by https://github.com/1seal
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)
slontis [Fri, 13 Feb 2026 08:54:07 +0000 (19:54 +1100)]
Doc: SRTP updates to reflect the limits on settable parameters
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30001)
Aayush [Tue, 17 Jun 2025 13:10:05 +0000 (18:40 +0530)]
Clarify SSL_CERT_DIR list separator on Windows
Fixes #27698
OpenSSL uses `;` as the path delimiter on Windows.
Update the manpage to state this explicitly instead of implying
`:` everywhere.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat Feb 14 23:54:32 2026
(Merged from https://github.com/openssl/openssl/pull/27844)
The shlibloadtest used atexit() handler to verify
library pinning works as expected. The libcrypto
no longer arms atexit handler which also used to
fire upon shlib unload. We can not use the atexit
mechansim to test shared library pinning.
If the shlibload test does not crash on exit, then
library pinning must work.
Fixes openssl/project#1869
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:15:04 2026
(Merged from https://github.com/openssl/openssl/pull/29987)
kovan [Tue, 27 Jan 2026 10:22:54 +0000 (11:22 +0100)]
doc: fix NAME section formatting in EVP_SIGNATURE documentation
Ensure consistent formatting in NAME sections across all EVP_SIGNATURE
documentation pages. The algorithm name should be bold (B<ALG>) rather
than EVP_PKEY, following the pattern:
"- The EVP_PKEY B<ALG> signature implementation"
Fixes #29328
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 15:09:54 2026
(Merged from https://github.com/openssl/openssl/pull/29789)
kovan [Fri, 6 Feb 2026 18:58:54 +0000 (19:58 +0100)]
fix: update remaining 3.5.0 references to 3.6.0 in README-FIPS.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/29884)
kovan [Mon, 2 Feb 2026 10:26:52 +0000 (11:26 +0100)]
doc: add OpenSSL 3.6 to README documentation links
Update README.md to include OpenSSL 3.6 in the documentation links.
Update README-FIPS.md examples to use 3.6.0 as the latest release.
Fixes #29876
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:55:19 2026
(Merged from https://github.com/openssl/openssl/pull/29884)
kovan [Thu, 29 Jan 2026 12:46:46 +0000 (13:46 +0100)]
doc: clarify -cipher option syntax in man pages
Users reading the documentation for the -<cipher> option often
misunderstand the syntax. The notation "B<-I<cipher>>" renders as
"-cipher" with "cipher" in italics, leading users to think they
should type "-cipher aes-128-cbc" when the correct usage is
"-aes-128-cbc" (the cipher name directly as the option).
Update the documentation in openssl-genpkey, openssl-enc, and
openssl-pkey to explicitly state that the cipher name is prepended
with a hyphen and used directly as the option, not as an argument
to a "-cipher" flag.
Also add a reference to "openssl list -cipher-algorithms" to help
users discover available ciphers, and fix a typo in openssl-pkey
("and and" -> "and").
Fixes #26089
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Feb 13 14:52:00 2026
(Merged from https://github.com/openssl/openssl/pull/29843)
kovan [Thu, 29 Jan 2026 11:12:38 +0000 (12:12 +0100)]
doc: rename .pod.in files that don't use templating to .pod
These man page source files only used the output_do_not_edit_headers()
template function, which just generates a comment. Since they don't
use any meaningful templating, rename them from .pod.in to .pod and
remove the template line and build.info generation rules.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Feb 13 14:50:16 2026
(Merged from https://github.com/openssl/openssl/pull/29838)
kovan [Mon, 2 Feb 2026 10:22:44 +0000 (11:22 +0100)]
doc: add CHANGES.md entry for const-correct X509_ATTRIBUTE functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:30 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Update all callers to use const-qualified pointers for return values.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:28 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Update all callers to use const pointers for the return values.
Fixes #29811
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
Zijie Zhao [Fri, 16 Jan 2026 23:41:46 +0000 (17:41 -0600)]
Add test for EVP_KEYMGMT leak in evp_pkey_signature_init() error paths
Verify that calling EVP_PKEY_sign_init_ex2() with a mismatched
key/signature algorithm (RSA key with ECDSA signature) does not leak
EVP_KEYMGMT references. The test repeats the operation 100 times so
that ASAN can detect accumulating leaks.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Feb 13 14:42:40 2026
(Merged from https://github.com/openssl/openssl/pull/29810)
kovan [Tue, 27 Jan 2026 10:45:30 +0000 (11:45 +0100)]
doc: note that PBKDF2 does not support XOF digests
PBKDF2 uses HMAC internally, which does not support eXtendable Output
Function (XOF) digests such as SHAKE128 or SHAKE256. Document this
limitation to prevent user confusion when attempting to use XOF
digests with PBKDF2.
Fixes #22877
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:39:07 2026
(Merged from https://github.com/openssl/openssl/pull/29792)
kovan [Tue, 3 Feb 2026 09:32:56 +0000 (10:32 +0100)]
doc: clarify SSL_SESSION ownership in PSK use session callback
Document that when the psk_use_session callback is invoked multiple times
and wishes to return the same SSL_SESSION pointer, it must call
SSL_SESSION_up_ref() first since ownership is transferred on each call.
This prevents use-after-free errors from incorrect callback implementations.
Fixes #28267
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 14:36:50 2026
(Merged from https://github.com/openssl/openssl/pull/29771)
Simo Sorce [Mon, 1 Dec 2025 21:36:40 +0000 (16:36 -0500)]
Add support for deferred FIPS self-tests
Add a new -defer_tests option to openssl fipsinstall and a corresponding
defer-tests configuration parameter for the FIPS provider.
This allows the execution of self-tests to be postponed until the
first time an algorithm is used, instead of running all tests
during module initialization. This reduces startup time.
Update the self-test framework to handle the new SELF_TEST_STATE_DEFER
state, ensuring deferred tests are skipped at load and run on demand.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Simo Sorce [Wed, 17 Dec 2025 21:38:51 +0000 (16:38 -0500)]
fips: Reorder self-tests by complexity
Reorganize the FIPS self-tests to group them by complexity.
The new order groups tests so that more complex ones are executed before
less complex one when all tests are run on_demand, improving the odds
that lower level tests are implicitly executed as part of higher level
tests and therefore reducing the amount of time spent running redundant
tests.
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
projects / thirdparty / openssl.git / log
