QUIC LCID hash table collapse on Windows/32-bit due to SipHash digest size misuse
Using sizeof(unsigned long) as SipHash digest size; SipHash supports
only 8 or 16 bytes. On platforms where sizeof(unsigned long) == 4,
the call fails, and lcid_hash returns the zero-initialized value,
degrading the hash table into a list.
The issue was kindly reported, and a fix provided, by Stanislav Fort at Aisle Research.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:04:10 2026
(Merged from https://github.com/openssl/openssl/pull/29814)
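Added illustration, not OpenSSL code and not part of the commit above: a stand-alone SipHash-2-4 with the same 8-or-16-byte digest contract, beside the two caller patterns the message describes. `lcid_t`, `lcid_hash_broken`, `lcid_hash_fixed`, `distinct_buckets` and the demo key are constructed for this example; `digest_len` is passed in explicitly so the 32-bit `sizeof(unsigned long) == 4` case can be reproduced on a 64-bit host.

```c
#include <stddef.h>
#include <stdint.h>

/* SipHash-2-4 (reference construction, written out so the demo is stand-alone).
 * The digest length must be 8 or 16, nothing else. */
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
        v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
        v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
        v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
        v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
    } while (0)

static uint64_t u8to64_le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns 1 on success, 0 when outlen is not a supported digest size. */
static int siphash24(const unsigned char *in, size_t inlen,
                     const unsigned char key[16], unsigned char *out, size_t outlen)
{
    uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
    uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
    uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
    uint64_t b = (uint64_t)inlen << 56, m;
    size_t i, full = inlen & ~(size_t)7;

    if (outlen != 8 && outlen != 16) return 0;  /* the contract the buggy caller broke */
    v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
    if (outlen == 16) v1 ^= 0xee;
    for (i = 0; i < full; i += 8) {             /* whole 8-byte words */
        m = u8to64_le(in + i); v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (i = full; i < inlen; i++)              /* tail bytes below the length byte */
        b |= (uint64_t)in[i] << (8 * (i - full));
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= (outlen == 16) ? 0xee : 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    for (b = v0 ^ v1 ^ v2 ^ v3, i = 0; i < 8; i++)
        out[i] = (unsigned char)(b >> (8 * i));
    if (outlen == 8) return 1;
    v1 ^= 0xdd;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    for (b = v0 ^ v1 ^ v2 ^ v3, i = 0; i < 8; i++)
        out[8 + i] = (unsigned char)(b >> (8 * i));
    return 1;
}

/* Known answer from the published SipHash-2-4 vectors: key 00..0f and an empty
 * message give 726fdb47dd0e0e31. Returns 1 if this implementation agrees. */
static int siphash24_kat_ok(void)
{
    unsigned char key[16], out[8];
    for (int i = 0; i < 16; i++) key[i] = (unsigned char)i;
    return siphash24((const unsigned char *)"", 0, key, out, 8)
           && u8to64_le(out) == 0x726fdb47dd0e0e31ULL;
}

typedef struct { unsigned char id[16]; } lcid_t;   /* constructed LCID stand-in */
#define NBUCKETS 1024

/* Buggy pattern: digest size taken from sizeof(unsigned long), return value
 * ignored. digest_len is a parameter so the 32-bit case (4) runs on any host. */
static uint64_t lcid_hash_broken(const lcid_t *k, const unsigned char key[16], size_t digest_len)
{
    unsigned char buf[16] = { 0 };          /* zero-initialised ... */
    (void)siphash24(k->id, sizeof(k->id), key, buf, digest_len);
    return u8to64_le(buf);                  /* ... and returned as-is when the call failed */
}

/* Fixed pattern: ask for exactly 8 bytes and fail closed if the call fails. */
static int lcid_hash_fixed(const lcid_t *k, const unsigned char key[16], uint64_t *h)
{
    unsigned char buf[8];
    if (!siphash24(k->id, sizeof(k->id), key, buf, sizeof(buf))) return 0;
    *h = u8to64_le(buf);
    return 1;
}

/* Distinct buckets occupied by n synthetic LCIDs: 1 means the table has
 * collapsed into one list. Returns -1 if the fixed hash reports failure. */
static int distinct_buckets(int n, int use_broken, size_t digest_len)
{
    static const unsigned char key[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
    unsigned char seen[NBUCKETS] = { 0 }; int distinct = 0;
    for (int i = 0; i < n; i++) {
        lcid_t k = { { 0 } }; uint64_t h = 0;
        k.id[0] = (unsigned char)i; k.id[1] = (unsigned char)(i >> 8);
        if (use_broken) h = lcid_hash_broken(&k, key, digest_len);
        else if (!lcid_hash_fixed(&k, key, &h)) return -1;
        if (!seen[h % NBUCKETS]) { seen[h % NBUCKETS] = 1; distinct++; }
    }
    return distinct;
}
```

Two things this makes visible: a failed call leaves the zero-initialised buffer untouched, so every key lands in bucket 0 and `distinct_buckets` reports 1, while the fixed caller sizes the request from the type it actually stores the digest in (`uint64_t`, not `unsigned long`) and refuses to hand back a hash when the primitive fails. The known-answer check is the kind of assertion a unit test should pin, because a silently wrong hash is indistinguishable from a correct one at the call site.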
Joshua Rogers [Sun, 12 Oct 2025 13:52:21 +0000 (21:52 +0800)]
rand_egd: harden EGD I/O and bounds; defer fdopen until post connect
Tighten RAND_query_egd_bytes and fix edge cases:
* Reject nonpositive request sizes to avoid wrap when storing the
length byte in tempbuf[1].
* Treat server length byte as untrusted; bound by the requested size
and by sizeof(tempbuf) to avoid overrunning caller or stack buffers.
* Defer fdopen until after a successful connect. On HPE NonStop
(OPENSSL_SYS_TANDEM) the connect retry path may swap the socket fd;
creating the FILE* early could leave a stale stream pointing at a
closed descriptor, causing EBADF or short I/O, and leaking the new
socket. Creating the stream after connect avoids this.
* Initialize fd to -1 and close the raw fd when fdopen fails; ensure
we close either FILE* or the raw fd on all error paths.
* Remove unused code.
Behavior is unchanged on platforms that do not swap fds during connect.
On TANDEM it prevents stale I/O and descriptor leaks. Overall this
improves robustness and bounds checking for EGD interactions.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/28905)
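Added illustration, not OpenSSL's rand_egd.c and not part of the commit above: the request-building and reply-parsing steps of the EGD non-blocking read (command byte 0x01, answered by one length byte and that many bytes of entropy), with the bounds the message lists. `egd_build_request`, `egd_parse_reply` and the `demo_*` replies are constructed for this example; the fdopen-after-connect ordering is a socket-lifecycle point and is not reproduced here.

```c
#include <stddef.h>
#include <string.h>

#define EGD_CMD_NONBLOCKING_READ 0x01   /* reply: one length byte, then the data */

/* Build one request for up to num bytes. The wire format carries the size in a
 * single byte, so larger requests are chunked to 255 and a nonpositive one is
 * rejected instead of being stored into the unsigned length byte, where it
 * would wrap. Returns the chunk size requested, or 0 on rejection. */
static int egd_build_request(int num, unsigned char req[2])
{
    if (num <= 0)
        return 0;
    req[0] = EGD_CMD_NONBLOCKING_READ;
    req[1] = (unsigned char)(num > 255 ? 255 : num);
    return req[1];
}

/* Consume a reply. The first byte is the server's claimed length and is
 * untrusted: bound it by what was requested and by the destination size before
 * copying anything. reply_len is how many bytes actually arrived. Returns the
 * number of entropy bytes copied to out, or -1 if the reply is unusable. */
static int egd_parse_reply(const unsigned char *reply, size_t reply_len,
                           int requested, unsigned char *out, size_t out_len)
{
    size_t claimed;

    if (reply_len < 1 || requested <= 0)
        return -1;
    claimed = reply[0];
    if (claimed == 0)
        return -1;                      /* server had nothing for us */
    if (claimed > (size_t)requested)    /* never accept more than we asked for */
        claimed = (size_t)requested;
    if (claimed > out_len)              /* never overrun the caller's buffer */
        claimed = out_len;
    if (reply_len - 1 < claimed)
        return -1;                      /* short read: do not copy garbage */
    memcpy(out, reply + 1, claimed);
    return (int)claimed;
}

/* --- constructed replies exercising each check --- */

/* Server claims 200 bytes when only 16 were requested: 16 are taken. */
static int demo_oversized_claim(void)
{
    unsigned char reply[1 + 200], out[16];
    reply[0] = 200;
    memset(reply + 1, 0xA5, 200);
    return egd_parse_reply(reply, sizeof(reply), 16, out, sizeof(out));
}

/* Server claims 10 bytes but only 5 arrived: rejected. */
static int demo_short_reply(void)
{
    unsigned char reply[6] = { 10, 1, 2, 3, 4, 5 }, out[16];
    return egd_parse_reply(reply, sizeof(reply), 16, out, sizeof(out));
}

/* Destination is smaller than the request: the copy is clamped to it. */
static int demo_small_destination(void)
{
    unsigned char reply[1 + 32], out[8];
    reply[0] = 32;
    memset(reply + 1, 0x5A, 32);
    return egd_parse_reply(reply, sizeof(reply), 32, out, sizeof(out));
}

/* Request sizing: 0 and -5 rejected, 300 chunked to 255, 16 passed through. */
static int demo_request_sizes(void)
{
    unsigned char req[2];
    return egd_build_request(0, req) == 0 && egd_build_request(-5, req) == 0
        && egd_build_request(300, req) == 255 && req[1] == 255
        && egd_build_request(16, req) == 16 && req[0] == EGD_CMD_NONBLOCKING_READ;
}
```

On a live socket the bytes clamped away by the length check are still queued on the connection, so a real client that clamps rather than rejects has to drain them or drop the connection before issuing the next request; the in-memory parse above only shows where the bound has to sit relative to the copy.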
Matt Caswell [Wed, 11 Mar 2026 15:06:32 +0000 (15:06 +0000)]
Fix a one byte buffer overflow in s_client
The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.
This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.
This issue was reported to us by Igor Morgenstern from AISLE.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)
It wasn't explicitly clear that it was safe to call OPENSSL_clear_free()
with a NULL because, as worded, it sounded like it may call
OPENSSL_cleanse() on NULL before calling OPENSSL_free().
CLA: trivial
Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:43:51 2026
(Merged from https://github.com/openssl/openssl/pull/28127)
OwenSanzas [Tue, 10 Mar 2026 00:05:35 +0000 (00:05 +0000)]
Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter
The `num` parameter in DES OFB64/CFB64 functions tracks the byte offset
within an 8-byte DES block, so valid values are 0-7. However, neither
the EVP set_params path nor the low-level DES functions validated this
bound, allowing an out-of-range `num` to cause a stack buffer over-read
when used as an array index into the 8-byte keystream buffer.
Fix at two levels:
1. Provider layer: reject num >= blocksize in
ossl_cipher_common_set_ctx_params() before it reaches the cipher.
2. Low-level DES: mask `*num` with `& 0x07` on entry to
DES_ofb64_encrypt, DES_ede3_ofb64_encrypt, DES_cfb64_encrypt,
and DES_ede3_cfb64_encrypt, consistent with how `n` is already
masked at the end of these functions before being written back.
Fixes #30284
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 14:24:12 2026
(Merged from https://github.com/openssl/openssl/pull/30332)
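Added illustration of the two-level fix, not OpenSSL code and not part of the commit above: a generic OFB64 mode with the `ivec`/`num` calling convention, a provider-style parameter check that rejects `num >= blocksize`, and the `& 0x07` mask on entry. The block cipher underneath (`toy_block_encrypt`) is a constructed stand-in, not DES, and exists only so the offset handling can be run; `set_num_param`, `ofb64_crypt`, `run_ofb` and the demo key and IV are likewise constructed.

```c
#include <stddef.h>
#include <string.h>

#define BLOCKSIZE 8

/* Constructed stand-in for a 64-bit block cipher. It is NOT DES and has no
 * security value; it exists only so the OFB64 offset handling can be run. */
static void toy_block_encrypt(const unsigned char key[BLOCKSIZE],
                              const unsigned char in[BLOCKSIZE],
                              unsigned char out[BLOCKSIZE])
{
    for (int i = 0; i < BLOCKSIZE; i++)
        out[i] = (unsigned char)((in[i] ^ key[i]) + 7 * in[(i + 3) % BLOCKSIZE] + i);
}

/* Level 1 (provider layer): validate the offset when it is set as a context
 * parameter, before the cipher implementation ever sees it. */
static int set_num_param(int *ctx_num, int requested)
{
    if (requested < 0 || requested >= BLOCKSIZE)
        return 0;                       /* reject num >= blocksize */
    *ctx_num = requested;
    return 1;
}

/* Level 2 (mode code): OFB64 with the DES_ofb64_encrypt() calling convention,
 * ivec holding the current keystream block and *num the byte offset into it,
 * both carried across calls. Masking on entry means ivec[n] can never read
 * past the 8-byte buffer even if a caller bypassed level 1; before the fix
 * the raw *num was used as the index. */
static void ofb64_crypt(const unsigned char *in, unsigned char *out, size_t len,
                        const unsigned char key[BLOCKSIZE],
                        unsigned char ivec[BLOCKSIZE], int *num)
{
    int n = *num & 0x07;                /* the fix: bound the index on entry */
    unsigned char next[BLOCKSIZE];

    while (len--) {
        if (n == 0) {                   /* block boundary: advance the keystream */
            toy_block_encrypt(key, ivec, next);
            memcpy(ivec, next, BLOCKSIZE);
        }
        *out++ = *in++ ^ ivec[n];
        n = (n + 1) & 0x07;
    }
    *num = n;
}

static const unsigned char KEY[BLOCKSIZE] = { 'k', '0', 'k', '1', 'k', '2', 'k', '3' };
static const unsigned char IV[BLOCKSIZE] = { 'i', 'v', '-', 't', 'e', 's', 't', '!' };

/* Crypt msg from a fresh IV starting at offset start_num; returns the final offset. */
static int run_ofb(const unsigned char *msg, size_t len, int start_num, unsigned char *out)
{
    unsigned char iv[BLOCKSIZE];
    int num = start_num;
    memcpy(iv, IV, BLOCKSIZE);
    ofb64_crypt(msg, out, len, KEY, iv, &num);
    return num;
}

/* An out-of-range offset (9) must behave exactly like its masked value (1):
 * same ciphertext and the same final offset, (1 + 14) & 7 == 7. */
static int masked_num_matches(void)
{
    static const unsigned char msg[] = "thirteen byte";   /* 14 bytes with NUL */
    unsigned char a[sizeof(msg)], b[sizeof(msg)];
    int na = run_ofb(msg, sizeof(msg), 9, a);
    int nb = run_ofb(msg, sizeof(msg), 1, b);
    return na == nb && na == 7 && memcmp(a, b, sizeof(msg)) == 0;
}

/* OFB is symmetric: crypting the ciphertext again restores the plaintext. */
static int roundtrip_ok(void)
{
    static const unsigned char msg[] = "twenty bytes of text";
    unsigned char ct[sizeof(msg)], pt[sizeof(msg)];
    run_ofb(msg, sizeof(msg), 0, ct);
    run_ofb(ct, sizeof(ct), 0, pt);
    return memcmp(pt, msg, sizeof(msg)) == 0;
}

/* Level 1 behaviour: 7 is accepted and stored, 8 and -1 are rejected and leave
 * the context untouched. Returns 1 if all three hold. */
static int num_param_check(void)
{
    int n = 3;
    return set_num_param(&n, 8) == 0 && n == 3
        && set_num_param(&n, -1) == 0 && n == 3
        && set_num_param(&n, 7) == 1 && n == 7;
}
```

The two levels are deliberately redundant: the parameter check gives callers a clear error, while the mask makes the low-level routine safe for anyone who reaches it through a path the provider does not guard. Note that the mask only neutralises the memory-safety problem; an offset that a caller got wrong still means the keystream is consumed from the wrong position, which is why the explicit rejection at level 1 is the one callers should see.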
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1684201
Complements: #adc8e4abd96 Fix Memory leak in app_passwd
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 11:34:53 2026
(Merged from https://github.com/openssl/openssl/pull/30365)
slontis [Fri, 6 Mar 2026 04:07:51 +0000 (15:07 +1100)]
PKCS12 app fix
Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.
In the case of an error in the verify path do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac().
If only the password was wrong, it does not raise an error.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts
Replace direct ASN1_STRING struct member access (->data, ->length) with
public accessor functions ASN1_STRING_get0_data() and ASN1_STRING_length()
in consumer code across four subsystems.
Also fix i2d_SCT_LIST() in crypto/ct/ct_oct.c to heap-allocate
ASN1_OCTET_STRING via ASN1_OCTET_STRING_new() and ASN1_STRING_set0()
rather than stack-allocating it, since the struct is now opaque.
Removes #include <crypto/asn1.h> from all modified files except
crypto/cmp/cmp_protect.c, which retains it for ossl_X509_ALGOR_from_nid().
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/30223)
Pablo Rodríguez [Thu, 5 Mar 2026 16:49:12 +0000 (17:49 +0100)]
add an initial space to format a command in `openssl-cms.pod.in`
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:44:57 2026
(Merged from https://github.com/openssl/openssl/pull/30274)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
ossl_x509_likely_issued(): fix self-signature check in case issuer equals subject
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
25-test_req.t: add test cases pointing out that we won't fix #19095
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
v3_purp.c: refactor to improve code commenting of ossl_x509v3_cache_extensions() and X509_check_akid()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:32 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
openssl-verification-options.pod: clarify when a certificate is considered (supposedly) self-signed
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:31 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
X509_check_issued.pod: add doc of X509_check_akid(), complete X509_check_issued()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:30 2026
(Merged from https://github.com/openssl/openssl/pull/28373)
Pauli [Wed, 4 Mar 2026 23:28:15 +0000 (10:28 +1100)]
safe_math: documentation example fix
The example was for an older version of the code which used triadic
macros to define the functions. The code was simplified making these
dyadic but the example was skipped. This fixes the example.
Found a use after free case in ossl_quic_accept_connection in the event
that we fail to up_ref the associated quic listener object.
If we fail to take the up ref on the listener object in this function,
we free the SSL object, which calls into
SSL_free->ossl_quic_free->qc_cleanup, which because we have an
associated listener, we free the mutex for, and then get a use-after-free
when we try to unlock that mutex shortly thereafter.
We really need to fix 3 problems here:
1) The use after free. Handle this by ensuring that the listener is
assigned first.
2) A deadlock, since we already hold the associated mutex, we need to
defer the free operation until after we unlock the mutex.
3) Don't drop the refcount on the listener object in ossl_quic_cleanup
(since we failed to up-ref it here). Handle this by adding a flag to
indicate up-ref failure in the quic-connection object.
Problem was confirmed by synthetically failing the up ref in local
testing, and this patch was confirmed to fix the issue.
Also, we need to adjust some of the tests in quicapitest here, as
several tests just assume that SSL_accept_connection will return a
non-null value.
Fixes #30307
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 09:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/30311)
Milan Broz [Mon, 9 Mar 2026 13:02:03 +0000 (14:02 +0100)]
tests: fix configutl test on Windows
In the Windows makefile, the "del /Q /S /F test\*.exp" command is called.
Due to the use of the /S switch and old filename compatibility
magic, it also deletes all *.expected files.
This makes subsequent runs of configtest fail.
As this is the only test using these names (and cryptic
workarounds in makefile are unreadable), let's just
rename expected files to *-exp.out suffix.
Also fix two alien tabs in script.
Fixes: https://github.com/openssl/project/issues/1894
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 10 19:42:26 2026
(Merged from https://github.com/openssl/openssl/pull/30324)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:20 2026
(Merged from https://github.com/openssl/openssl/pull/30289)
Uni [Fri, 6 Mar 2026 17:19:31 +0000 (18:19 +0100)]
Fix intermittent hang in 82-test_ech_client_server.t
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:17 2026
(Merged from https://github.com/openssl/openssl/pull/30289)
Neil Horman [Fri, 6 Mar 2026 16:31:16 +0000 (11:31 -0500)]
Ensure entries in the neighborhood struct are 8 byte aligned
This struct is accessed via atomics, which on some platforms require 8
byte alignment. Generally compilers provide that alignment, since the
first element of the struct is a uint64_t, but it appears that not all
do.
Force the alignment to be correct
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 18:16:34 2026
(Merged from https://github.com/openssl/openssl/pull/30293)
huanghuihui0904 [Mon, 9 Mar 2026 14:57:00 +0000 (22:57 +0800)]
Fix Memory leak in app_passwd
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 10 17:42:48 2026
(Merged from https://github.com/openssl/openssl/pull/30325)
Uni [Fri, 6 Mar 2026 20:24:28 +0000 (21:24 +0100)]
Fix memory leak of p and q in ossl_rsa_fromdata error path
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30298)
Pauli [Sun, 8 Mar 2026 10:24:23 +0000 (21:24 +1100)]
Change free call to secure free call.
Freeing secure memory using OPENSSL_free causes badness. Use the proper
free call instead.
Fixes #30302
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:08:36 2026
(Merged from https://github.com/openssl/openssl/pull/30305)
CHANGES.md, NEWS.md: picking up changes from 3.6.1
Since it has been released before 4.0.0-alpha1.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:37 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:35 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:32 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Include various items from CHANGES.md, remove items pertaining to
OPENSSL_sk_set_cmp_thunks() and crypto-mdebug-backtrace, split into new
features and significant/incompatible changes.
Also, while at it, added the leader to the 3.6.0 news entry.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:28 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Move the FIPS PKCS5_PBKDF2_HMAC limits description from NEWS.md to CHANGES.md
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:25 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Reorder entries, following general
additions-changes-deprecations-removals order.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:22 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
An attempt has been made to harmonise the language and style
of the changelog and news records a bit.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:20 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:17 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:14 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
CHANGES.md, NEWS.md: sort links in lexicographical order
A specific order makes link addition more consistent moving forward.
The links were sorted with "LC_ALL=C sort -V" command, "sort"
is from GNU coreutils.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:11 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
This reverts commit 0da29907e7da "Constify X509_find_by_subject",
as it operates on a stack of X509 (not const X509) objects, and returns
a pointer to one of them.
Fixes: 0da29907e7da "Constify X509_find_by_subject"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 21:29:37 2026
(Merged from https://github.com/openssl/openssl/pull/30265)
Un-constify the return value of X509_find_by_issuer_and_serial()
This partially reverts commit 07ee3d5db8a2 "constify
X509_find_by_issuer_and_serial", as it operates on a stack of X509
(not const X509 objects), and returns a pointer to one.
The constification of PKCS7_signatureVerify argument is sensible
(as the argument is read-only inside the function) and remains
in place.
Fixes: 07ee3d5db8a2 "constify X509_find_by_issuer_and_serial"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 21:29:34 2026
(Merged from https://github.com/openssl/openssl/pull/30265)
Wo'O Ideafarm [Wed, 18 Feb 2026 06:45:30 +0000 (22:45 -0800)]
document the new build option "enable-static-vcruntime"
I placed these new notes prominently based upon how important I think that they are for application developers targeting Windows platforms. With this new option, contributed (but not documented) by @nhorman in Commit 9431cc2, standalone executable applications can be distributed that do not require an installer and do not require modification of the target computer.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 1:50:49 2026
(Merged from https://github.com/openssl/openssl/pull/30064)
Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509
This partially reverts commit 367c54ef1105 "Constify
X509_OBJECT_[get0|set1]_X509 and friends", as well as removes them from
the list added in c0f82d915f38 "Describe X509 constification and ASN1_STRING
changes". Constification of X509_get_pubkey() arguments remains in place.
Resolves: https://github.com/openssl/project/issues/1892
Complements: 367c54ef1105 "Constify X509_OBJECT_[get0|set1]_X509 and friends"
Complements: c0f82d915f38 "Describe X509 constification and ASN1_STRING changes"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 18:36:10 2026
(Merged from https://github.com/openssl/openssl/pull/30276)
doc/man7/ossl-guide-migration.pod: remove mentions of X509_STORE_CTX funcs
Remove mentions of un-constified X509_STORE_CTX_get_current_cert,
X509_STORE_CTX_get0_cert, X509_STORE_CTX_get0_current_issuer,
X509_STORE_CTX_init, X509_STORE_CTX_set_cert for the list of constified
functions.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 18:33:15 2026
(Merged from https://github.com/openssl/openssl/pull/30272)
This reverts constification of the return value types
of X509_STORE_CTX_get_current_cert(), X509_STORE_CTX_get0_current_issuer(),
X509_STORE_CTX_get0_cert() functions, and arguments
of X509_STORE_CTX_set_cert() and X509_STORE_CTX_init() functions.
Constification of users of these functions, as well as
X509_STORE_CTX_get_issuer_fn and X509_STORE_CTX_check_issued_fn types,
remained in place.
Complements: e5b563366b00 "Constify X509_STORE_CTX functions invoving X509 *"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 18:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/30272)
Fixes: https://github.com/openssl/project/issues/1893
messing with free is a bridge too far
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 17:50:22 2026
(Merged from https://github.com/openssl/openssl/pull/30273)
Matt Caswell [Tue, 3 Mar 2026 12:30:24 +0000 (12:30 +0000)]
Restrict the number of supported groups/sig algs
We restrict the number of supported groups and sig algs that the server
is willing to accept from the client to 128 (for both). Any more than
this are simply ignored. This number is significantly more than the total
amount of current codepoints assigned by IANA for these extensions.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 6 10:33:03 2026
(Merged from https://github.com/openssl/openssl/pull/30263)
Matt Caswell [Tue, 3 Mar 2026 11:58:11 +0000 (11:58 +0000)]
Restrict the number of keyshares a server is willing to accept
A client that sends an excessive number of keyshares to the server can
cause us to check that the groups are both in the client and server lists,
which is expensive. In reality there should be no reason to send a large
number of keyshares, so we restrict this to a sensible number (16). Any
more than this are simply ignored.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 6 10:33:03 2026
(Merged from https://github.com/openssl/openssl/pull/30263)
Tom Gautot [Tue, 27 Jan 2026 22:01:37 +0000 (23:01 +0100)]
OSSL_HTTP_REQ_CTX_nbio(): check for clear Content-Type mismatch
Fixes #29748
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 18:04:24 2026
(Merged from https://github.com/openssl/openssl/pull/29829)
slontis [Wed, 4 Mar 2026 03:59:09 +0000 (14:59 +1100)]
CSHAKE: Fix memory leak related to propq.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 17:41:05 2026
(Merged from https://github.com/openssl/openssl/pull/30261)
Viktor Dukhovni [Tue, 3 Mar 2026 14:35:36 +0000 (01:35 +1100)]
Some more X509 extension add/del polish
- In various structures with optional X.509 extensions, deallocate and
NULL out the extensions pointer when the extensions become empty after
an extension is deleted. This uses a new X509v3_delete_extension()
helper function. Added corresponding docs.
- Do the same in X509V3_EXT_add_nconf_sk() if after processing all
the pending updates the stack becomes empty.
- Handle resulting NULL stack in X509V3_EXT_REQ_add_nconf() and
update_req_extensions().
- Improved testing of certificate SKID/AKID addition and implicit
removal via "none" value.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 17:40:10 2026
(Merged from https://github.com/openssl/openssl/pull/30252)
Milan Broz [Sun, 1 Mar 2026 20:14:30 +0000 (21:14 +0100)]
windows-makefile: make clean target less noisy
Using del on files that are not present creates many warning
messages. Let's wrap them in an "if exists" check to make
them silent if not present.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar 5 17:37:20 2026
(Merged from https://github.com/openssl/openssl/pull/30222)
Jon Ericson [Wed, 4 Mar 2026 01:58:18 +0000 (17:58 -0800)]
fix project spelling and capitalization
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Thu Mar 5 16:35:20 2026
(Merged from https://github.com/openssl/openssl/pull/30259)
Critical extension enforcement (introduced in #8a639b9) is incorrect. These
checks were intended as CA requirements to prevent misinterpretation by
verifiers that don't support certain extensions. However, since we do support
these extensions, we have no requirement for them to be marked critical;
enforcing that is a mistake.
As noted in: #30233 (comment)
Co-authored-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:22:07 2026
(Merged from https://github.com/openssl/openssl/pull/30249)
Igor Ustinov [Wed, 4 Mar 2026 09:24:47 +0000 (10:24 +0100)]
Proxy.pm: Redirect s_server’s output to stderr
Under some circumstances, the test script's output was mixed with
s_server's, resulting in a false negative. To avoid this,
redirect s_server’s output to stderr.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:32 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
Igor Ustinov [Wed, 4 Mar 2026 09:23:44 +0000 (10:23 +0100)]
SSL_get_error(): Check the error stack only in MSG_FLOW_ERROR state
We need to avoid looking at the error stack unless we are in
error state.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:30 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
Igor Ustinov [Fri, 27 Feb 2026 10:41:49 +0000 (11:41 +0100)]
Ensure fatal errors from the record layer put the state machine into err
We fix a problem with the record layer handling code where a fatal error
in the record layer that does not have an alert code associated with it
caused us to not transition the state machine into the error state. If we
have a fatal error we should always do that.
This patch was developed by Matt Caswell <matt@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 5 14:03:27 2026
(Merged from https://github.com/openssl/openssl/pull/30230)
dane_match_cert() should X509_free() on ->mcert instead
of OPENSSL_free()
Fixes: 170b735820ac "DANE support for X509_verify_cert()"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 5 12:37:17 2026
(Merged from https://github.com/openssl/openssl/pull/30250)
fips: Align PKCS5_PBKDF2_HMAC defaults with EVP_KDF-PBKDF2
EVP_KDF-PBKDF2 has provider-dependent runtime behaviour w.r.t. lower
bounds checks. The default provider does not enforce them, but can opt
into them. The fips provider does enforce them, but can opt out.
The same is not true for the PKCS5_PBKDF2_HMAC, which always opts out
of the lower bound checks.
This leads to unexpected behaviour without user consent; they may
erroneously expect that when using the FIPS provider the lower bound checks
will be enforced by default.
One of them creates params and then calls the one-shot EVP_KDF_derive
api, whilst the other calls the PKCS5_PBKDF2_HMAC convenience
wrapper. For the same ACVP test vectors the two produce different
results: with and without lower bounds checks.
But it seems like PKCS5_PBKDF2_HMAC is popular, as it outnumbers
EVP_KDF_derive 8x when doing a global code search on github
(anecdotal, as results are skewed by the number of forks). This thus
comes down to the expectations end users have. And it feels like, at
least for this API, the FIPS 140-3 users expectation would be for the
lower bound checks to be enforced.
Modify the PKCS5_PBKDF2_HMAC wrapper around EVP_KDF_derive to not set the
PKCS5 parameter, such that the provider implicit default is used
instead. Thus no change for default provider users, and FIPS
enforcement by default in the FIPS case like it always has done when
calling via EVP_KDF_derive.
Test fixes:
Tests with too short salt would fail with fips provider.
Add test that FIPS provider rejects invalid salt length.
test/certs: Re-encrypt leaf-encrypted.key with a longer salt.
This way test cases can work with a FIPS provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:55 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
fips: Skip testing RFC 9579 good files as they use short salt & password
The RFC 9579 good files are always tested with the default provider.
The RFC 9579 good files use too short a salt and too short a password,
which a strictly compliant FIPS provider with lower bounds enforcement
should no longer be able to open.
If checking positive files is desired, these could be regenerated with
longer salt and password, but not too sure if it is worth it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:53 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
sftcd [Fri, 27 Feb 2026 23:27:21 +0000 (23:27 +0000)]
ECH: Add back code needed for correct ECH backend confirmation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:11:17 2026
(Merged from https://github.com/openssl/openssl/pull/30214)
Samuel Sapalski [Wed, 14 Jan 2026 07:55:47 +0000 (08:55 +0100)]
FIPS: Disable time/request based reseeding for ECDSA KAT DRBG
The ECDSA KAT_Signature selftest can fail if the system time changes
after KAT DRBG initialization; this may trigger a time-based reseed
and break KAT determinism.
Disable time-based reseeding for the KAT DRBG to avoid spurious
selftest failures during e.g. fipsinstall.
In order to make this fix future proof we disable request based
reseeding as well to guarantee determinism during the selftest.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 4 16:55:09 2026
(Merged from https://github.com/openssl/openssl/pull/29633)
Bob Beck [Mon, 2 Mar 2026 18:46:39 +0000 (11:46 -0700)]
Make X509_up_ref and X509_free take const X509 *
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 16:43:39 2026
(Merged from https://github.com/openssl/openssl/pull/30235)
Beat Bolli [Thu, 26 Feb 2026 21:20:32 +0000 (22:20 +0100)]
remove OPENSSL_BUILDING_OPENSSL from the config
Commit 262cda1cda ("Remove some safestack things that are no longer
needed", 2020-09-03) removed the last usage on this macro. Remove it in
the configuration as well.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 10:21:38 2026
(Merged from https://github.com/openssl/openssl/pull/30199)
Beat Bolli [Thu, 26 Feb 2026 21:20:16 +0000 (22:20 +0100)]
remove OPENSSL_USE_NODELETE from the config
Commits 31659fe326 (Introduce OPENSSL_ATEXIT_CLEANUP env. variable.,
2025-11-24) and 994413f995 (Update NEWS.md, 2025-12-15) removed the last
uses of this macro. Remove it in the configuration as well.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 10:21:36 2026
(Merged from https://github.com/openssl/openssl/pull/30199)
sftcd [Tue, 3 Mar 2026 00:59:40 +0000 (00:59 +0000)]
ech test retry-configs unavailable if server finished corrupted
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Mar 4 09:34:09 2026
(Merged from https://github.com/openssl/openssl/pull/30242)
SSL_get_shared_ciphers(): Return NUL-terminated buffer for no shared ciphers
Also validate the input buffer and length properly.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 09:30:18 2026
(Merged from https://github.com/openssl/openssl/pull/28859)
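The contract the commit restores, as an added C example rather than OpenSSL's own SSL_get_shared_ciphers() implementation: a helper that fills a caller-supplied buffer with ':'-joined names, rejects a NULL buffer or a non-positive size, never writes past the end, and always leaves a NUL-terminated string, including the case where there are no shared names at all. The function name and the cipher-name list are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Join up to `count` non-NULL names into `buf` separated by ':'.
 * Returns NULL if the destination is unusable. Otherwise returns `buf`,
 * which is NUL-terminated on every path; names that do not fit in full
 * are dropped rather than truncated mid-name.
 */
static char *join_shared_names(const char *const *names, size_t count,
                               char *buf, int size)
{
    char *p = buf;
    char *end;
    size_t i;

    /* Validate the destination before touching it. */
    if (buf == NULL || size <= 0)
        return NULL;
    end = buf + size;   /* one past the last writable byte */
    *p = '\0';          /* zero names => "" rather than uninitialised bytes */

    for (i = 0; i < count; i++) {
        size_t n = strlen(names[i]);

        /* Each name needs n bytes plus one for ':' (or the final NUL). */
        if (n + 1 > (size_t)(end - p))
            break;
        memcpy(p, names[i], n);
        p += n;
        *p++ = ':';
    }
    /* Turn the trailing ':' into the terminator; if nothing was written,
     * p == buf and buf[0] is already '\0'. */
    if (p != buf)
        p[-1] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample input standing in for a shared-cipher stack. */
    const char *names[] = { "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256" };
    char small[32], big[64];

    if (join_shared_names(names, 0, small, sizeof(small)) != NULL)
        printf("no shared ciphers -> \"%s\" (length %zu)\n", small, strlen(small));
    if (join_shared_names(names, 2, small, sizeof(small)) != NULL)
        printf("32-byte buffer    -> \"%s\"\n", small);
    if (join_shared_names(names, 2, big, sizeof(big)) != NULL)
        printf("64-byte buffer    -> \"%s\"\n", big);
    if (join_shared_names(names, 2, big, 0) == NULL)
        printf("size 0            -> rejected\n");
    return 0;
}
```

Writing the terminator first is what makes the empty case safe: callers routinely pass the result straight to strlen() or a format string, so a buffer returned without a NUL is an out-of-bounds read waiting to happen.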
Neil Horman [Tue, 3 Mar 2026 19:47:00 +0000 (14:47 -0500)]
Fix bad length computation in HT_COPY_RAW_KEY_CASE
The new HT_KEY_COPY_RAW fails to account for copy lengths that exceed
the size of the configured buffer in a key, leading to stack overruns on
read.
Rectify that by clamping the COPY macro to limit copies to the size of
the buffer.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Mar 4 07:04:07 2026
(Merged from https://github.com/openssl/openssl/pull/30257)
Adds fixed version tls methods to ossl-removed-api.pod
Fixes #30161
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 3 14:57:52 2026
(Merged from https://github.com/openssl/openssl/pull/30218)
Neil Horman [Fri, 27 Feb 2026 16:56:42 +0000 (11:56 -0500)]
Add support for dynamic key sizing in hashtable
Currently our internal hashtable suffers from a performance issue, as
discussed here:
https://github.com/openssl/openssl/pull/30188
The hashtable requires that keys be defined at build time, and moreover,
be defined to support the maximum possible key length you might try to
insert to a given hash table, even if the actual key you are using is
shorter.
As a result, the hashtable hash function (typically ossl_fnv1a_hash,
but any hash function really) receives a buffer that is specified as the
maximal length of the build-time defined key, which often means hashing
of many 0 bytes for byte elements in the key that may never have been
used. This causes performance problems as we are always hashing the
maximum number of elements, even if the key is truly only a few bytes
long.
Let's give users an opportunity to improve on that.
Keys are defined to be a struct, so that users can access individual
field names within the key, but under the covers it's all just one
contiguous uint8_t buf. We can implement macros that allow users to,
instead of setting individual field names, just copy needed data into
the raw buffer, keeping track of how many bytes have been used as we go.
The result of using these macros is that the hash function, while it
will receive a buffer that is still maximally sized for that particular
key, gets a length value that only represents the number of bytes used
while writing the key value.
This results in the hash function having to do much less work, giving us
a significant opportunistic speedup.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 3 13:23:00 2026
(Merged from https://github.com/openssl/openssl/pull/30211)
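The two hashtable commits above (the raw-key copy clamp, and hashing only the bytes a key actually uses) together, as an added C example that is not OpenSSL's hashtable code: a key is a fixed-size zeroed buffer plus a count of used bytes; an append helper packs fields into it and clamps every copy to the remaining space, reporting truncation instead of overrunning; the hash runs over the used prefix only, and equality compares the used length as well as the bytes so that keys differing only in a trailing zero byte do not collide. FNV-1a is the public-domain algorithm the commit mentions; the type and helper names (raw_key, key_append, key_hash_used) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 64

typedef struct {
    uint8_t buf[KEY_BUF_SIZE]; /* zeroed; fields are packed in append order */
    size_t used;               /* bytes actually written into buf */
} raw_key;

static void key_init(raw_key *k) { memset(k, 0, sizeof(*k)); }

/* Append len bytes of a field. The copy is clamped to the space left, so a
 * caller-supplied length can never overrun buf. Returns 1 if everything was
 * copied, 0 if the field was truncated (a truncated key must not be used:
 * it would silently alias other keys). */
static int key_append(raw_key *k, const void *data, size_t len)
{
    size_t room = KEY_BUF_SIZE - k->used;
    size_t n = len < room ? len : room;

    memcpy(k->buf + k->used, data, n);
    k->used += n;
    return n == len;
}

/* 64-bit FNV-1a over exactly len bytes. */
static uint64_t fnv1a(const uint8_t *p, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;

    for (i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash only the used prefix, not the full KEY_BUF_SIZE of mostly-zero bytes. */
static uint64_t key_hash_used(const raw_key *k) { return fnv1a(k->buf, k->used); }

/* What the old scheme effectively did: hash the whole build-time buffer. */
static uint64_t key_hash_full(const raw_key *k) { return fnv1a(k->buf, KEY_BUF_SIZE); }

/* Equality must cover the length too, otherwise "ab" and "ab\0" compare equal. */
static int key_equal(const raw_key *a, const raw_key *b)
{
    return a->used == b->used && memcmp(a->buf, b->buf, a->used) == 0;
}

int main(void)
{
    raw_key k, k2;
    uint32_t id = 7;              /* constructed sample fields */
    uint8_t blob[100];

    key_init(&k);
    key_append(&k, &id, sizeof(id));
    key_append(&k, "abc", 3);
    printf("used %zu of %d bytes; hashed %zu bytes instead of %d\n",
           k.used, KEY_BUF_SIZE, k.used, KEY_BUF_SIZE);
    printf("hash(used)=%016llx hash(full)=%016llx\n",
           (unsigned long long)key_hash_used(&k),
           (unsigned long long)key_hash_full(&k));

    /* Same bytes plus one explicit zero byte: different key. */
    k2 = k;
    key_append(&k2, "", 1);
    printf("trailing zero byte: equal=%d\n", key_equal(&k, &k2));

    /* Oversized field: clamped, and the caller is told. */
    memset(blob, 0x41, sizeof(blob));
    key_init(&k);
    printf("100-byte field fully copied: %d (used=%zu)\n",
           key_append(&k, blob, sizeof(blob)), k.used);
    return 0;
}
```

Two things carry over from the commits: the hash call receives `used`, not the struct size, which is where the speedup comes from; and the clamp lives in the append path, so a bad length from the caller degrades to a detectable truncation rather than a read or write past the key buffer.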
slontis [Mon, 23 Feb 2026 05:00:32 +0000 (16:00 +1100)]
FIPS: Change EC_GROUP_check() so that it fails for explicit curves.
Reported by Luigino Camastra (Aisle Research).
Explicit curves returned a NID of NID_undef (which has a value of 0)
which resulted in the check >= 0 passing.
Changing the result to > addresses the issue.
Note that this is a NON issue in master since explicit curves are
now disabled by default. Note also that any EC operation that
tries to use a loaded EC key checks that the curve and security
strength are valid.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 2 19:37:04 2026
(Merged from https://github.com/openssl/openssl/pull/30138)
ossl_lms_key_to_text(): Fix NULL pointer dereference of `key` argument
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1682024
Complements: 3d82b990d1f Added LMS support for OpenSSL commandline signature verification using pkeyutl.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Mon Mar 2 19:33:33 2026
(Merged from https://github.com/openssl/openssl/pull/30215)
- Clarify comment on empty SKID/AKID vs. prior value
- Use B<default> not C<default> for unnamed section
- Polish (mostly CSR) extension handling
* In update_req_extensions() drop extraneous duplicate
X509at_delete_attr() call.
* Consolidate empty SKID/AKID detection in new
ossl_ignored_x509_extension().
* Handle empty SKID/AKID also in X509V3_add1_i2d().
* In test_drop_empty_csr_keyids() exercise the full NCONF extension
management stack, using X509_REQ_get_attr_count() to check that
after "subjectKeyIdentifier = none" not even an empty extension
set remains as a CSR attribute (X509_REQ_get_extensions() always
returns at least an empty stack because NULL signals an error).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30217)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 13:03:03 2026
(Merged from https://github.com/openssl/openssl/pull/30193)
slontis [Thu, 19 Feb 2026 04:38:42 +0000 (15:38 +1100)]
SHAKE - Fix 390x CI problems for SLH-DSA
Fixes #30039
In order to fix this, the ossl_sha3_ related functions have been
renamed so that ossl_sha3_XXX() functions are the high level
functions that contain calls to platform specific methods.
ossl_sha3_XXX_default() etc are the 'general' platform methods.
All of the state checking has been moved out of the platform specific
methods. The sha3 provider dispatch functions now share the
ossl_sha3_XXX() calls.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 2 11:58:44 2026
(Merged from https://github.com/openssl/openssl/pull/30104)
sftcd [Tue, 24 Feb 2026 13:12:40 +0000 (13:12 +0000)]
adds test of ECH fail then using retry configs
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Mar 2 09:58:58 2026
(Merged from https://github.com/openssl/openssl/pull/30155)
sftcd [Wed, 25 Feb 2026 14:24:00 +0000 (14:24 +0000)]
add check before releasing retry-configs
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Mar 2 09:55:44 2026
(Merged from https://github.com/openssl/openssl/pull/30175)