git.ipfire.org Git - thirdparty/openssl.git/log
2 months ago  make update
openssl-machine [Tue, 24 Mar 2026 15:13:42 +0000 (15:13 +0000)] 
make update

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 15:13:43 2026
Release: yes

2 months ago  Copyright year updates
openssl-machine [Tue, 24 Mar 2026 15:11:25 +0000 (15:11 +0000)] 
Copyright year updates

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 15:11:27 2026
Release: yes

2 months ago  Run clang-format on the source tree
Eugene Syromiatnikov [Mon, 23 Mar 2026 14:51:42 +0000 (15:51 +0100)] 
Run clang-format on the source tree

This patch is a result of running the following commands:

    $ for i in `git ls-files '*.c' '*.h' '*.c.in' '*.h.in'`; do \
          echo -- "$i"; clang-format-21 --style=file:.clang-format -i "$i"; \
      done
    $ git checkout crypto/asn1/charmap.h crypto/bn/bn_prime.h \
          crypto/conf/conf_def.h crypto/objects/obj_dat.h \
          crypto/objects/obj_xref.h include/openssl/obj_mac.h

Release: yes
Fixes: f22fa1928434 "pkcs7: fix NULL contents dereference in PKCS7_ctrl"
Fixes: 65940a0bb62f "Disable DLL detach handlers on cygwin"
Fixes: d0abfd1844c0 "NonStop: reset hpns_connect_attempt at call start and on success"
Fixes: 19854b5adf36 "Fix error handling in SSL_CTX_add_session"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Mon Mar 23 19:19:10 2026
(Merged from https://github.com/openssl/openssl/pull/30540)

2 months ago  crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls
Deven Dighe [Thu, 19 Mar 2026 13:54:21 +0000 (09:54 -0400)] 
crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls

Explicitly cast dst argument of InterlockedExchange{,64} calls
in CRYPTO_atomic_store{,_int}() to LONG{64,} volatile *, respectively,
to work around incompatible pointer type errors on 64-bit MinGW builds.

Initially Reported by Splediferous.

[esyr: massaged the commit message a bit]

CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/30451
Fixes: cc7195da3038 "Make FIPS self test state access atomic"
Fixes: 7e45ac6891ad "Add CRYPTO_atomic_store api"
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:59:42 2026
(Merged from https://github.com/openssl/openssl/pull/30504)

2 months ago  doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page
Jakub Jelen [Fri, 20 Mar 2026 16:43:07 +0000 (17:43 +0100)] 
doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page

CLA: trivial
Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun Mar 22 00:32:29 2026
(Merged from https://github.com/openssl/openssl/pull/30515)

2 months ago  SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow
slontis [Tue, 17 Mar 2026 23:16:44 +0000 (10:16 +1100)] 
SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow

Reported by Zehua Qiao and me@snkth.com

An encode message buffer M = 00 || CTX_LEN || CTX || MSG was being
allocated followed by memcpy's into the buffer for CTX and MSG.
If len(MSG) was close to size_t the allocated buffer would be
overwritten.

The fix uses WPACKET to perform the message encoding M = 00 || CTX_LEN || CTX || MSG

Although ML_DSA does a similar operation, SLH-DSA has to buffer the
encoding because the encoded message is processed multiple times for
PRF_MSG and H_MSG. For ML_DSA the encoded message can just be hashed.

Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:19:24 2026
(Merged from https://github.com/openssl/openssl/pull/30477)
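The length arithmetic behind the overflow described in the commit above, as an added example that is not OpenSSL code (the real fix uses WPACKET). It computes the size of M = 00 || CTX_LEN || CTX || MSG naively and with an overflow check, and builds the encoding with the checked form; all function names and the sample ctx/msg bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive length computation: 2 + ctx_len + msg_len wraps silently to a
 * small value when msg_len is close to SIZE_MAX, so the later memcpy of
 * MSG runs past the allocation. */
static size_t encoded_len_naive(size_t ctx_len, size_t msg_len)
{
    return 2 + ctx_len + msg_len;
}

/* Checked computation: fails when ctx does not fit its one-byte length
 * field or when the total would not fit in size_t. */
static int encoded_len_checked(size_t ctx_len, size_t msg_len, size_t *out)
{
    if (ctx_len > 255)
        return 0;
    if (msg_len > SIZE_MAX - 2 - ctx_len)
        return 0;
    *out = 2 + ctx_len + msg_len;
    return 1;
}

/* Build M = 0x00 || ctx_len || ctx || msg in a fresh buffer, or return
 * NULL if the length cannot be represented. Caller frees the result. */
static uint8_t *encode_msg(const uint8_t *ctx, size_t ctx_len,
                           const uint8_t *msg, size_t msg_len,
                           size_t *out_len)
{
    size_t len;
    uint8_t *m;

    if (!encoded_len_checked(ctx_len, msg_len, &len))
        return NULL;
    if ((m = malloc(len)) == NULL)
        return NULL;
    m[0] = 0x00;
    m[1] = (uint8_t)ctx_len;
    if (ctx_len > 0)
        memcpy(m + 2, ctx, ctx_len);
    if (msg_len > 0)
        memcpy(m + 2 + ctx_len, msg, msg_len);
    *out_len = len;
    return m;
}

/* Constructed input: ctx = "abc", msg = "hello"; the expected encoding is
 * 00 03 'a' 'b' 'c' 'h' 'e' 'l' 'l' 'o' (10 bytes). Returns 1 on match. */
static int demo_encode_roundtrip(void)
{
    static const uint8_t expect[10] = { 0x00, 0x03, 'a', 'b', 'c',
                                        'h', 'e', 'l', 'l', 'o' };
    size_t len = 0;
    uint8_t *m = encode_msg((const uint8_t *)"abc", 3,
                            (const uint8_t *)"hello", 5, &len);
    int ok = m != NULL && len == sizeof(expect)
             && memcmp(m, expect, len) == 0;

    free(m);
    return ok;
}

/* Returns 1 when the naive form wraps to 0 for msg_len = SIZE_MAX - 1,
 * the checked form rejects it, and the checked form still accepts the
 * largest representable total (2 + 255 + msg_len == SIZE_MAX). */
static int demo_overflow_rejected(void)
{
    size_t len = 0;

    return encoded_len_naive(0, SIZE_MAX - 1) == 0
           && encoded_len_checked(0, SIZE_MAX - 1, &len) == 0
           && encoded_len_checked(255, SIZE_MAX - 257, &len) == 1
           && len == SIZE_MAX;
}

int main(void)
{
    printf("naive length for msg_len = SIZE_MAX - 1: %zu\n",
           encoded_len_naive(0, SIZE_MAX - 1));
    printf("checked form rejects it: %s\n",
           demo_overflow_rejected() ? "yes" : "no");
    printf("encoding of (\"abc\", \"hello\") matches: %s\n",
           demo_encode_roundtrip() ? "yes" : "no");
    return 0;
}
```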

2 months ago  crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'
Alexandr Nedvedicky [Thu, 19 Mar 2026 07:21:24 +0000 (08:21 +0100)] 
crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689816
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:54:01 2026
(Merged from https://github.com/openssl/openssl/pull/30500)

2 months ago  ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
huanghuihui0904 [Mon, 16 Mar 2026 07:16:21 +0000 (15:16 +0800)] 
ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()

pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.

Solves https://github.com/openssl/openssl/issues/30442

Fixes #30442

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:14:42 2026
(Merged from https://github.com/openssl/openssl/pull/30443)

2 months ago  Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()
Weidong Wang [Tue, 17 Mar 2026 16:21:52 +0000 (11:21 -0500)] 
Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()

In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.

The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.

Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.

Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:26:50 2026
(Merged from https://github.com/openssl/openssl/pull/30463)

2 months ago  test: add regression tests for unauthorized OCSP response signers
1seal [Tue, 17 Mar 2026 09:14:32 +0000 (10:14 +0100)] 
test: add regression tests for unauthorized OCSP response signers

extend test_tlsext_status_type() with a handshake that serves a
leaf-signed stapled OCSP response and verifies the connection fails
when X509_V_FLAG_OCSP_RESP_CHECK is enabled.

generalize ocsp_server_cb_single() to use configurable signer
cert/key instead of hardcoded paths so the same callback serves
both authorized and unauthorized signer test cases.

add a test_ocsp() subtest covering the -issuer CLI option with
an untrusted issuer hint.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 21:02:54 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 months ago  x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths
1seal [Tue, 17 Mar 2026 09:14:21 +0000 (10:14 +0100)] 
x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths

check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.

similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.

remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.

Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command"
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 21:02:52 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 months ago  x509: fix bug in timeSpecification printing
Jaeho Nam [Sun, 15 Mar 2026 08:31:49 +0000 (08:31 +0000)] 
x509: fix bug in timeSpecification printing

Fix i2r_OSSL_DAY_TIME() to check dt->second before decoding the
optional seconds field. Add a regression certificate and x509 recipe
coverage for the periodic timeSpecification case with no seconds.

Resolves: https://github.com/openssl/openssl/issues/30424
Fixes: 70b17e5a00da "feat: support the timeSpecification X.509v3 extension"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Mar 20 18:51:31 2026
(Merged from https://github.com/openssl/openssl/pull/30425)

2 months ago  Fix ECDSA sig CTX dup "sig" aliasing, error paths
Viktor Dukhovni [Mon, 16 Mar 2026 00:51:45 +0000 (11:51 +1100)] 
Fix ECDSA sig CTX dup "sig" aliasing, error paths

- The context "sig" field ended up shared by both contexts
  after a dup, leading to a later double-free.

Reported by Stanislav Fort and Pavel Kohout of Aisle Research.

- Rare error paths could lead to a memory leak or to use-after-free
  and/or double-free.

Reported by Kenaz Wang.

Fixes: edd3b7a309f8 "Add ECDSA to providers"
Fixes: f68ba38e1890 "Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:19:16 2026
(Merged from https://github.com/openssl/openssl/pull/30479)

2 months ago  ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check
Daniel Cuthbert [Tue, 17 Mar 2026 18:58:33 +0000 (18:58 +0000)] 
ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check

The bounds check before reading the two-byte extensions length field uses
extsoffset + 1 instead of extsoffset + 2:

    if ((extsoffset + 1) > clearlen) { goto paderr; }
    extslen = clear[extsoffset] * 256 + clear[extsoffset + 1];

When extsoffset == clearlen - 1 the check passes, but the second read
clear[extsoffset + 1] is clear[clearlen], which is one byte beyond
the decrypted plaintext.  The allocation is OPENSSL_malloc(cipherlen)
where cipherlen = clearlen + AEAD_overhead, so the address is valid,
but the byte is uninitialised after OSSL_HPKE_open returns.

Using Valgrind confirmed an uninitialised-value read at this location
via the full server handshake path:

    hpke_decrypt_encch (ech_internal.c)
    ossl_ech_early_decrypt
    tls_process_client_hello
    state_machine
    SSL_do_handshake

The subsequent ch_len > clearlen check (line 1875) acts as a safety net
and prevents the stale byte from being used further, so the practical
impact is a forced decode error rather than memory disclosure.
Nevertheless, the read itself is incorrect and should be fixed.

Fix: change the guard to extsoffset + 2 so that both bytes
of the extensions length field are confirmed to be within the decrypted
buffer before either is read.

This issue was identified through AI-assisted structural analysis
(RAPTOR) using CodeQL database tooling (AST analysis, control flow
verification, dominator tree analysis) against the OpenSSL master
branch.  The off-by-one was confirmed via AST inspection showing
GT(Add(extsoffset, 1), clearlen) instead of the expected
GT(Add(extsoffset, 2), clearlen).

Found by myself @danielcuthbert and validated
by Benjamin Rodes - Microsoft @bdrodes.

CLA: trivial
Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:10:19 2026
(Merged from https://github.com/openssl/openssl/pull/30472)
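The guard discussed in the commit above, as an added example that is not OpenSSL code: the buggy `extsoffset + 1` check and the corrected one side by side, run over a constructed buffer whose backing allocation (the `cipherlen` region) is longer than the decrypted length `clearlen`, so the stray read at `clear[clearlen]` lands on a byte that was never written. Function names, the buffer contents and the lengths are all constructed; the fixed guard is written in a wrap-safe form equivalent to `extsoffset + 2 > clearlen`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BACKING_LEN 16  /* constructed: size of the OPENSSL_malloc(cipherlen) region */
#define CLEAR_LEN    8  /* constructed: bytes actually written by OSSL_HPKE_open */

/* Constructed buffer: the first CLEAR_LEN bytes stand for decrypted plaintext;
 * the rest stands for the AEAD-overhead area that is uninitialised in reality
 * (0xAA here only so the stray read is observable and well defined). */
static const uint8_t constructed_clear[BACKING_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x00, 0x07,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};

/* Buggy guard: only confirms that clear[extsoffset] is in range. With
 * extsoffset == clearlen - 1 the check passes and the second byte is read
 * from clear[clearlen], one past the decrypted data. Returns -1 (paderr)
 * when rejected, else the decoded 16-bit length. */
static long parse_extslen_buggy(const uint8_t *clear, size_t clearlen,
                                size_t extsoffset)
{
    if (extsoffset + 1 > clearlen)
        return -1;
    return (long)(clear[extsoffset] * 256u + clear[extsoffset + 1]);
}

/* Fixed guard: both bytes of the length field must lie below clearlen.
 * Written as a subtraction so extsoffset + 2 cannot wrap for huge offsets. */
static long parse_extslen_fixed(const uint8_t *clear, size_t clearlen,
                                size_t extsoffset)
{
    if (extsoffset > clearlen || clearlen - extsoffset < 2)
        return -1;
    return (long)(clear[extsoffset] * 256u + clear[extsoffset + 1]);
}

int main(void)
{
    /* At the boundary the buggy guard accepts and decodes 0x07 || 0xAA,
     * mixing one real byte with one stale byte; the fixed guard rejects. */
    printf("offset %d: buggy=%ld fixed=%ld\n", CLEAR_LEN - 1,
           parse_extslen_buggy(constructed_clear, CLEAR_LEN, CLEAR_LEN - 1),
           parse_extslen_fixed(constructed_clear, CLEAR_LEN, CLEAR_LEN - 1));
    /* One byte earlier both guards agree, since both bytes are in range. */
    printf("offset %d: buggy=%ld fixed=%ld\n", CLEAR_LEN - 2,
           parse_extslen_buggy(constructed_clear, CLEAR_LEN, CLEAR_LEN - 2),
           parse_extslen_fixed(constructed_clear, CLEAR_LEN, CLEAR_LEN - 2));
    return 0;
}
```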

2 months ago  Fix windows build failure for arm64ec
slontis [Fri, 13 Mar 2026 04:13:40 +0000 (15:13 +1100)] 
Fix windows build failure for arm64ec

The new b64 encoder code uses __m256 which is not currently supported in ARM64EC code,
since it does not natively support x64-specific instruction sets like AVX.
Disable the fast AVX path if arm64EC is used.

Fixes: https://github.com/openssl/openssl/issues/30361
Complements: 3a69b1902892 "Added AVX2 encoding + scalar improvements"

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 17:58:28 2026
(Merged from https://github.com/openssl/openssl/pull/30406)

2 months ago  quic: fix NULL pointer dereference in ossl_uint_set_remove()
Abhinav Agarwal [Wed, 18 Mar 2026 16:01:07 +0000 (09:01 -0700)] 
quic: fix NULL pointer dereference in ossl_uint_set_remove()

In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.

Check the allocation result before insertion and return 0 on failure.

Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 19:32:52 2026
(Merged from https://github.com/openssl/openssl/pull/30490)

2 months ago  Removes unused config_inited value in init.c
Frederik Wedel-Heinen [Sat, 14 Mar 2026 05:43:34 +0000 (06:43 +0100)] 
Removes unused config_inited value in init.c

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 10:48:18 2026
(Merged from https://github.com/openssl/openssl/pull/30420)

2 months ago  ECH: chunk-size bug fix and non-regression changes
sftcd [Fri, 13 Mar 2026 22:02:29 +0000 (22:02 +0000)] 
ECH: chunk-size bug fix and non-regression changes

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Mar 19 10:37:16 2026
(Merged from https://github.com/openssl/openssl/pull/30417)

2 months ago  Disable DLL detach handlers on cygwin
David McFarland [Fri, 5 Dec 2025 17:21:38 +0000 (13:21 -0400)] 
Disable DLL detach handlers on cygwin

This patch is from cygwin, and was originally added in:

https://cygwin.com/cgit/cygwin-packages/openssl/commit/?id=da80cc438622f6b1801fb3fbb06818c3ee070495

In cygwin, it's not safe to call into libc from
DLL_THREAD/PROCESS_DETACH, and it results in crashes.

CLA: trivial

Co-authored-By: Achim Gratz <Achim.Gratz@Stromeko.DE>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Mar 19 10:04:53 2026
(Merged from https://github.com/openssl/openssl/pull/29321)

2 months ago  Adds documentation of X509V3_EXT_print and X509V3_EXT_print_fp.
Frederik Wedel-Heinen [Fri, 13 Feb 2026 06:49:14 +0000 (07:49 +0100)] 
Adds documentation of X509V3_EXT_print and X509V3_EXT_print_fp.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 19 09:22:30 2026
(Merged from https://github.com/openssl/openssl/pull/29996)

2 months ago  test: Do not fail if packet cannot be extended in QUIC multistream test
Milan Broz [Tue, 17 Mar 2026 13:16:37 +0000 (14:16 +0100)] 
test: Do not fail if packet cannot be extended in QUIC multistream test

In some specific timings, the qtest_fault_resize_plain_packet function
returns failure as there is not enough space in allocated buffer.

There is no way to recover in this situation, so let it print
information and let the test finish instead of failing
in the TEST_error() call.

This patch fixes test runs on Windows where I can reproduce
this quite reliably.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Mar 19 09:18:34 2026
(Merged from https://github.com/openssl/openssl/pull/30461)

2 months ago  test: Increase timeout for QUIC multistream test
Milan Broz [Tue, 17 Mar 2026 13:09:47 +0000 (14:09 +0100)] 
test: Increase timeout for QUIC multistream test

I can regularly hit a timeout on Windows for the QUIC multistream test.
While increasing it is not the best solution, it eliminates many
failures during testing. This timeout only applies in a specific
situation, so the longer run time should not actually be used often.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Mar 19 09:18:32 2026
(Merged from https://github.com/openssl/openssl/pull/30461)

2 months ago  Update ssl/quic/quic_srtm.c
Sashan [Mon, 16 Mar 2026 07:43:45 +0000 (08:43 +0100)] 
Update ssl/quic/quic_srtm.c

Co-authored-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:47 2026
(Merged from https://github.com/openssl/openssl/pull/30371)

(cherry picked from commit 84e522ddb6b68a402fc6e1704dd089a26c8ca9cf)

2 months ago  QUIC stack must disable hash table contraction before doing
Alexandr Nedvedicky [Wed, 11 Mar 2026 13:12:29 +0000 (14:12 +0100)] 
QUIC stack must disable hash table contraction before doing
lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
dead memory when traversing to next item in hash table.

One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
table contraction when table is being destroyed during the
_doall() traversal.

call lh_TYPE_set_down_load(lh, 0) before doing
lh_TYPE_doall() with lh_TYPE_delete(). This disables

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/30371)

(cherry picked from commit f65bcab102872dba0c7e9f5d08a3fdcedfeed200)

2 months ago  SLH_DSA: signing operation incorrectly returned 1 on failure.
slontis [Mon, 16 Mar 2026 04:32:01 +0000 (15:32 +1100)] 
SLH_DSA: signing operation incorrectly returned 1 on failure.

Initially Reported by Zehua Qiao

Fixes #30414

A block copy bug incorrectly set ret = 1 straight after assigning
ret.

Setting the *sig_len has been delayed to the err path in case
WPACKET_finish fails.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Mar 18 07:21:32 2026
(Merged from https://github.com/openssl/openssl/pull/30438)

2 months ago  Mask *num on entry in deprecated low-level OFB/CFB implementations
frostb1ten [Mon, 16 Mar 2026 10:07:12 +0000 (05:07 -0500)] 
Mask *num on entry in deprecated low-level OFB/CFB implementations

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 18 07:17:33 2026
(Merged from https://github.com/openssl/openssl/pull/30447)

2 months ago  Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path
Scott [Mon, 16 Mar 2026 17:30:50 +0000 (12:30 -0500)] 
Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path

ppc_aes_gcm_cipher_update() returns 1 on success and 0 on failure.
The decrypt pre-alignment path (line 122) incorrectly returned -1
instead of 0 when CRYPTO_gcm128_decrypt() failed.

Since the caller checks `if (!hw->cipherupdate(...))`, and !(-1)
evaluates to 0 (false) in C, the error was silently swallowed and
GCM processing continued with potentially corrupt state.

The encrypt path at line 98 correctly returns 0. This was likely a
copy-paste error when the decrypt path was added.

Fixes #30380

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 07:06:12 2026
(Merged from https://github.com/openssl/openssl/pull/30452)

2 months ago  include/openssl/macros.h: add missing #undef OPENSSL_NO_DEPRECATED_3_5
Eugene Syromiatnikov [Thu, 12 Mar 2026 18:05:04 +0000 (19:05 +0100)] 
include/openssl/macros.h: add missing #undef OPENSSL_NO_DEPRECATED_3_5

Complements: 0bba82188186 "Deprecate all BIO_meth_get_*() functions"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:12:18 2026
(Merged from https://github.com/openssl/openssl/pull/30400)

(cherry picked from commit 40f076965f154e307a0821088b6adcc447ceae01)

2 months ago  pkcs7: fix NULL contents dereference in PKCS7_stream
Weidong Wang [Tue, 10 Mar 2026 17:42:35 +0000 (12:42 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_stream

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:56 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

(cherry picked from commit 4b8968753c7509da4c51ea3343e3c089433bad5b)

2 months ago  pkcs7: fix NULL contents dereference in PKCS7_dataFinal
Weidong Wang [Tue, 10 Mar 2026 17:15:22 +0000 (12:15 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_dataFinal

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:53 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

(cherry picked from commit 70837aa2385bc83226375d74f02fe5c03a3e0d21)

2 months ago  pkcs7: fix NULL contents dereference in PKCS7_ctrl
Weidong Wang [Tue, 10 Mar 2026 17:08:35 +0000 (12:08 -0500)] 
pkcs7: fix NULL contents dereference in PKCS7_ctrl

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:49 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

(cherry picked from commit b43e441550b2d1f1a99e42807f08329666934e63)

2 months ago  openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section
Stefan Berger [Thu, 12 Mar 2026 14:57:43 +0000 (09:57 -0500)] 
openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section

In the BUGS section mention that signing with an Ed448 key is not supported
when using signed-data with signed attributes due to missing support for
id-shake256-len.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:27 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

(cherry picked from commit 2590497f7ce33aeec26f5763ce822d6156f170d1)

2 months ago  cms: Make sha512 the required hash for CMS with signedAttributes
Stefan Berger [Sun, 8 Mar 2026 23:11:02 +0000 (18:11 -0500)] 
cms: Make sha512 the required hash for CMS with signedAttributes

RFC 8419 requires that, when using an Ed25519 key for CMS signed-data with
signed attributes, SHA512 must be used. Modify the entry in the key2data
table to reflect this, giving the user no other choice for a hash.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:24 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

(cherry picked from commit 919fd9db2514e97f02b31acc910858281e830a26)

2 months ago  man: Mention Ed448 for CMS with signed attributes is not supported
Stefan Berger [Sun, 8 Mar 2026 23:07:16 +0000 (18:07 -0500)] 
man: Mention Ed448 for CMS with signed attributes is not supported

Mention that Ed448 keys cannot currently be used for CMS with
signed attributes since RFC 8419 requires id-shake256-len be used,
which is not currently supported by OpenSSL.

Resolves: 30291
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:20 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

(cherry picked from commit 5041f15320e76de26e5524dcaaba94b1780c99a8)

2 months ago  Avoid premature short-circuit in check_email
Viktor Dukhovni [Mon, 16 Mar 2026 08:30:04 +0000 (19:30 +1100)] 
Avoid premature short-circuit in check_email

- Also harden check_hosts() to handle NULL `vpm->hosts`,
  currently checked by the caller.

- Also harden check_ips() to handle NULL `vpm->ips`,
  currently checked by the caller.

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 15:35:16 2026
(Merged from https://github.com/openssl/openssl/pull/30444)

2 months ago  test-change: remove ec-point-formats from test vectors
sftcd [Tue, 10 Mar 2026 15:33:36 +0000 (15:33 +0000)] 
test-change: remove ec-point-formats from test vectors

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 17 11:54:06 2026
(Merged from https://github.com/openssl/openssl/pull/30416)

(cherry picked from commit 0083444eb9464de1be9f0cb77ba778c15a3785e7)

2 months ago  Fix integer truncation in ppc_aes_gcm_crypt
Scott [Mon, 16 Mar 2026 03:53:04 +0000 (22:53 -0500)] 
Fix integer truncation in ppc_aes_gcm_crypt

The assembly functions ppc_aes_gcm_encrypt and ppc_aes_gcm_decrypt
return size_t, but their return values were stored in int variables,
causing truncation on PPC64 where size_t is 64-bit. This could lead
to incorrect results when processing inputs larger than 2GB via
EVP_Cipher() which accepts unsigned int lengths.

Change the types of s and ndone from int to size_t to match the
function return type and the return type of ppc_aes_gcm_crypt itself.

Tested on POWER8 S824 (ppc64le) — all EVP and cipher tests pass,
AES-128-GCM benchmarks at 2.94 GB/s with hardware acceleration.

CLA: trivial

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 09:44:33 2026
(Merged from https://github.com/openssl/openssl/pull/30437)

(cherry picked from commit e443447588640d099a3e2f1001cf67dab921f935)

2 months ago  BIO: Fix typo in BIO_pop documentation
Paz David [Thu, 12 Mar 2026 22:26:40 +0000 (00:26 +0200)] 
BIO: Fix typo in BIO_pop documentation

Corrected "is is" to "it is" in the BIO_pop() description to
improve documentation clarity.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Mar 16 11:30:42 2026
(Merged from https://github.com/openssl/openssl/pull/30404)

(cherry picked from commit e1eb88118a95445eb9c2d074c853776feaab4de7)

2 months ago  docs: Fix SSL_CERT_DIR env var
Norbert Pocs [Wed, 4 Mar 2026 15:48:12 +0000 (16:48 +0100)] 
docs: Fix SSL_CERT_DIR env var

Complements: dfdbc113eefb "Partially revert #18070 (Add support for Windows CA certificate store)"

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Mon Mar 16 11:24:06 2026
(Merged from https://github.com/openssl/openssl/pull/30390)

(cherry picked from commit 00dcd4527d477544b0ff5727a377bc37f96f946f)

2 months ago  apps/cmp_mock_srv: fix resource leak in process_genm()
YZL0v3ZZ [Wed, 11 Mar 2026 14:31:47 +0000 (22:31 +0800)] 
apps/cmp_mock_srv: fix resource leak in process_genm()

If pushing the generated rsp ITAV object into the out stack fails,
the error path frees the stack container but permanently abandons
the newly allocated rsp object.

Explicitly free the rsp structure if it exists and was not pushed
successfully to prevent this memory leak.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Mar 16 11:16:02 2026
(Merged from https://github.com/openssl/openssl/pull/30374)

(cherry picked from commit b4a964f6c1313d386c45a747820d82a1a5ec4573)

2 months ago  pkcs12: fix PKCS12_set_pbmac1_pbkdf2 error-path leaks
Weidong Wang [Tue, 10 Mar 2026 16:07:58 +0000 (11:07 -0500)] 
pkcs12: fix PKCS12_set_pbmac1_pbkdf2 error-path leaks

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 11:12:12 2026
(Merged from https://github.com/openssl/openssl/pull/30347)

(cherry picked from commit ab9f1b22a5986b78522cc7604a29f92c1efb17ec)

2 months ago  doc/man3/BIO_read.pod: clarify BIO_puts() semantics a bit
Eugene Syromiatnikov [Tue, 20 Jan 2026 11:52:34 +0000 (12:52 +0100)] 
doc/man3/BIO_read.pod: clarify BIO_puts() semantics a bit

Mention that it doesn't write the terminating NUL byte (akin
to the way fputs(3) is documented[1][2]), and that it does not append
'\n', like puts(3) does.

[1] https://pubs.opengroup.org/onlinepubs/9699919799.2008edition/functions/fputs.html
[2] https://www.man7.org/linux/man-pages/man3/fputs.3.html

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 16 10:54:51 2026
(Merged from https://github.com/openssl/openssl/pull/29680)

(cherry picked from commit b327b9478a004de5e1f9c86a1b4dd8f77443f249)

2 months ago  Ensure that BIO_eof only returns 1, 0 or a negative value
Neil Horman [Thu, 12 Mar 2026 14:17:04 +0000 (10:17 -0400)] 
Ensure that BIO_eof only returns 1, 0 or a negative value

Recently we uncovered the fact that some platforms (nonstop) return a
non-one positive value from feof to indicate end of file.  This is in
compliance with posix standards, but we had some code that assumed 1
would always be the returned value for an EOF condition, causing various
failures.

Fix it by converting BIO_eof to only return 0 or 1 to reflect the EOF
state (or in the windows case -EINVAL if an invalid stream was passed).

Fixes #30348

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Sun Mar 15 19:22:41 2026
(Merged from https://github.com/openssl/openssl/pull/30395)

(cherry picked from commit 43b03f25b9296df597fa1d29be1fb28d9efceb28)

2 months ago  Optimize Windows RCU thread signalling.
Milan Broz [Wed, 11 Mar 2026 22:03:36 +0000 (23:03 +0100)] 
Optimize Windows RCU thread signalling.

With the pthread variant, a thread truly wakes up after
the pthread_mutex_unlock call, even if pthread_cond_signal
is called before.

This is not true for the Windows variant. The thread is
woken up in WakeConditionVariable but goes back to sleep.
Reordering (signalling thread after unlocking) should save
some time during transitions and should be safe in this context.

The speedup is visible on lhash_test, running on many CPUs
(on 32 cores, a speedup from 1:40 to 1:05 minutes on test hw).

Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com>
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:25:49 2026
(Merged from https://github.com/openssl/openssl/pull/30388)

(cherry picked from commit cefa8bb0ac6b2a83b4e57de2b5c40ac939cf1f95)

2 months ago: Align Windows RCU implementation to the pthread variant
Milan Broz [Wed, 11 Mar 2026 21:40:27 +0000 (22:40 +0100)] 
Align Windows RCU implementation to the pthread variant

Unlike the pthread variant, Windows RCU uses broadcast instead
of targeted signal calls in some places, unnecessarily increasing
the number of used cycles.

The retire_qp should wake up only one thread to proceed, not
all of them.  For update_qp, that signals the thread after
increasing writers_alloced, signalling all threads does not make
sense either.

The speedup is significant on lhash_test, running on many CPUs
(on 32 cores, a speedup from 6:20 to 1:40 minutes on test hw).

Co-Authored-By: Claude Opus 4.6 Extended <noreply@anthropic.com>
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:25:47 2026
(Merged from https://github.com/openssl/openssl/pull/30388)

(cherry picked from commit 5f8fad06475fae024609cf09a1bb2ca8c74b44d6)

2 months ago: riscv: aes: fix checks on null keys
Zenithal [Tue, 10 Mar 2026 00:44:01 +0000 (00:44 +0000)] 
riscv: aes: fix checks on null keys

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 17:15:37 2026
(Merged from https://github.com/openssl/openssl/pull/30333)

(cherry picked from commit fdee5cf246c73be74e6f9fbbe28e387a224c0041)

2 months ago: crypto/evp/exchange.c: fix memory leak in EVP_PKEY_derive_SKEY()
huanghuihui0904 [Thu, 12 Mar 2026 11:16:12 +0000 (19:16 +0800)] 
crypto/evp/exchange.c: fix memory leak in EVP_PKEY_derive_SKEY()

When mgmt == NULL, EVP_PKEY_derive_SKEY() fetches an EVP_SKEYMGMT into skeymgmt. Some early returns in the fallback derive path do not free this object, causing a leak. Route these paths through shared cleanup so skeymgmt is freed.

Resolves: https://github.com/openssl/openssl/issues/30378
Fixes #30378

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30389)

(cherry picked from commit 8c141a2cffb58f9780615d259da35e8228656c0c)

2 months ago: Add WSL build instructions to NOTES-WINDOWS.md
Josh Auler [Thu, 12 Mar 2026 04:23:53 +0000 (00:23 -0400)] 
Add WSL build instructions to NOTES-WINDOWS.md

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30386)

(cherry picked from commit b7b38d850504dc26ba47d31dea25093622bb4718)

2 months ago: Fix memory leak in get_str_from_file()
YZL0v3ZZ [Wed, 11 Mar 2026 14:16:48 +0000 (22:16 +0800)] 
Fix memory leak in get_str_from_file()

If BIO_gets encounters an empty file or read error, the function
returns NULL without freeing the dynamically allocated heap block (buf).

Safely clear and free the allocated buffer before returning NULL on
the error path. Since get_str_from_file() may handle cryptographic
keys, OPENSSL_clear_free() is used to prevent leaking sensitive data.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30373)

(cherry picked from commit d286240daa3206c0e7d8b49f0dd6b035170fc41e)

2 months ago: Add a test to confirm that we get the expected error with HTTP
Matt Caswell [Fri, 27 Feb 2026 12:25:04 +0000 (12:25 +0000)] 
Add a test to confirm that we get the expected error with HTTP

If we send HTTP directly over a TLS connection then we expect to receive
the SSL_R_HTTP_REQUEST error. So we add a test to confirm that we do.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:44 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

(cherry picked from commit bd3c7231050f7fc8a2858f2d6e54e734be41f829)

2 months ago: Defer the check that the record fits in our buffer
Matt Caswell [Fri, 27 Feb 2026 11:57:41 +0000 (11:57 +0000)] 
Defer the check that the record fits in our buffer

Previously we confirmed that the record we received from the peer
actually fits in our buffer before validating the record header. However,
this interferes with the checks that the "any" method does for accidental
use of HTTP because the record length will be wrong in this case. To solve
this we simply defer the check until after the record header has been
validated.

Fixes #30196

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:41 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

(cherry picked from commit 69d0f3febe446c61b6ef395bc3372a58899f5171)
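The ordering problem behind the two commits above (the HTTP-over-TLS test and the deferred buffer-fit check), as an added example that is not OpenSSL's record layer code: a toy classifier for the first five bytes of a record, in the old order and in the fixed order. The buffer capacity, the accepted content-type and version ranges and the HTTP method list are assumptions; the sample headers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN   5                  /* type(1) version(2) length(2) */
#define REC_BUF_CAP   (16384 + 2048)     /* assumed receive buffer size */

enum rec_status {
    REC_OK,            /* valid header, record fits in the buffer */
    REC_HTTP_REQUEST,  /* peer sent plaintext HTTP (the SSL_R_HTTP_REQUEST case) */
    REC_BAD_HEADER,    /* content type or version is not TLS */
    REC_TOO_LARGE      /* valid header, but the record exceeds the buffer */
};

/* Constructed sample headers: the first five bytes the record layer sees. */
static const unsigned char sample_post[REC_HDR_LEN]      = { 'P', 'O', 'S', 'T', ' ' };
static const unsigned char sample_get[REC_HDR_LEN]       = { 'G', 'E', 'T', ' ', '/' };
static const unsigned char sample_handshake[REC_HDR_LEN] = { 0x16, 0x03, 0x01, 0x00, 0x2a };
static const unsigned char sample_huge[REC_HDR_LEN]      = { 0x17, 0x03, 0x03, 0x7f, 0xff };
static const unsigned char sample_bad[REC_HDR_LEN]       = { 0x00, 0x03, 0x01, 0x00, 0x05 };

/* Request-line prefixes a confused client might write straight into a TLS socket. */
static int looks_like_http(const unsigned char *hdr)
{
    static const char methods[][5] = { "GET ", "POST", "HEAD", "PUT " };
    size_t i;

    for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
        if (memcmp(hdr, methods[i], 4) == 0)
            return 1;
    return 0;
}

static size_t record_length(const unsigned char *hdr)
{
    return ((size_t)hdr[3] << 8) | hdr[4];
}

/* Accept content types 20..23 and wire versions 3.0 .. 3.4 (assumed range). */
static int header_valid(const unsigned char *hdr)
{
    return hdr[0] >= 20 && hdr[0] <= 23 && hdr[1] == 3 && hdr[2] <= 4;
}

/* Old order: the buffer-fit check runs before the header is looked at. */
static enum rec_status classify_old(const unsigned char *hdr)
{
    if (record_length(hdr) > REC_BUF_CAP - REC_HDR_LEN)
        return REC_TOO_LARGE;   /* "POST " parses as length 0x5420 and lands here */
    if (looks_like_http(hdr))
        return REC_HTTP_REQUEST;
    if (!header_valid(hdr))
        return REC_BAD_HEADER;
    return REC_OK;
}

/* Fixed order: recognise HTTP and validate the header first, then check the fit. */
static enum rec_status classify_new(const unsigned char *hdr)
{
    if (looks_like_http(hdr))
        return REC_HTTP_REQUEST;
    if (!header_valid(hdr))
        return REC_BAD_HEADER;
    if (record_length(hdr) > REC_BUF_CAP - REC_HDR_LEN)
        return REC_TOO_LARGE;
    return REC_OK;
}

int main(void)
{
    const unsigned char *samples[] = { sample_post, sample_get, sample_handshake,
                                       sample_huge, sample_bad };
    const char *names[] = { "POST", "GET", "handshake", "oversized", "bad type" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s old=%d new=%d\n", names[i],
               (int)classify_old(samples[i]), (int)classify_new(samples[i]));
    return 0;
}
```

With the old order a stray "POST " is reported as an oversized record, so the caller never sees the HTTP-specific error the test above expects; only the fixed order reports it for every method prefix.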

2 months ago: Remove further remnants of SSLv2 ClientHello handling
Matt Caswell [Fri, 27 Feb 2026 11:50:15 +0000 (11:50 +0000)] 
Remove further remnants of SSLv2 ClientHello handling

We recently removed support for SSLv2 ClientHello messages - but some
remnants were still remaining in the record layer. We remove those too.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 15:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/30204)

(cherry picked from commit a57ac5d3243a915f1579d723105274163e144009)

2 months ago: Fix resource leak in crls_http_cb()
YZL0v3ZZ [Wed, 11 Mar 2026 13:48:14 +0000 (21:48 +0800)] 
Fix resource leak in crls_http_cb()

When the function fails to push the second CRL to the stack, it
incorrectly uses sk_X509_CRL_free() instead of sk_X509_CRL_pop_free().
This destroys the stack container but orphans previously pushed
X509_CRL objects.

Replace it with sk_X509_CRL_pop_free passing X509_CRL_free as the
cleanup routine to ensure deep deallocation of any pushed items.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30372)

(cherry picked from commit 0d2874b37a6b1da258aac81bd647fc02cbdf5547)

2 months ago: bn: Save/restore non-volatile registers in RSAZ AVX-IFMA code for Win64
Zhiguo Zhou [Fri, 6 Mar 2026 06:39:08 +0000 (14:39 +0800)] 
bn: Save/restore non-volatile registers in RSAZ AVX-IFMA code for Win64

The Windows x64 calling convention requires that registers %rsi, %rdi,
and %xmm6 through %xmm15 be preserved by the callee. This patch updates
the RSAZ-2K, 3K, and 4K AVX-IFMA assembly routines to correctly push/pop
%rsi/%rdi and save/restore the non-volatile XMM registers to the stack
when building for Win64.

This ensures ABI compliance and prevents potential data corruption or
crashes in callers that rely on these registers being preserved across
function calls.

Functions updated:
- ossl_rsaz_amm52x20_x1_avxifma256
- ossl_rsaz_amm52x20_x2_avxifma256
- ossl_extract_multiplier_2x20_win5_avx
- ossl_extract_multiplier_2x30_win5_avx
- ossl_extract_multiplier_2x40_win5_avx

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 12:15:10 2026
(Merged from https://github.com/openssl/openssl/pull/30280)

(cherry picked from commit ee9e0f6d8f32a46d62feaa571f1be48a003ca2bc)

2 months ago: Fix uninitialized variables in rsaz-3k-avxifma & rsaz-4k-avxifma
slontis [Wed, 18 Feb 2026 03:12:59 +0000 (14:12 +1100)] 
Fix uninitialized variables in rsaz-3k-avxifma & rsaz-4k-avxifma
assembler.

This looks like a block copy bug: the 2k file uses both fields but the
3k & 4K variants only pass acc0_0 to functions.

Reported and proposed fix supplied by pyca (@reaperhulk and @alex).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 13 08:49:40 2026
(Merged from https://github.com/openssl/openssl/pull/30061)

2 months ago: ml-kem: wipe full seed buffer in ml_kem_gen_cleanup
nkraetzschmar [Tue, 10 Mar 2026 21:33:59 +0000 (22:33 +0100)] 
ml-kem: wipe full seed buffer in ml_kem_gen_cleanup

The gen ctx stores seed material in uint8_t seedbuf[ML_KEM_SEED_BYTES],
where ML_KEM_SEED_BYTES = ML_KEM_RANDOM_BYTES * 2.
When cleanup runs and gctx->seed != NULL, it wiped ML_KEM_RANDOM_BYTES,
clearing only half of the seed buffer.

This change wipes the entire buffer instead.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:43:12 2026
(Merged from https://github.com/openssl/openssl/pull/30355)

2 months ago: ossl_bsearch: Fix possible integer overflow bug
Joseph Paul [Tue, 10 Mar 2026 13:00:49 +0000 (18:30 +0530)] 
ossl_bsearch: Fix possible integer overflow bug

Adding the high and low limits might cause the classic binary
search overflow bug. Probably not a concern but it's one less
thing to worry about.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:38:04 2026
(Merged from https://github.com/openssl/openssl/pull/30342)

2 months ago: Doc: Add additional information to the contributing page.
slontis [Tue, 10 Mar 2026 05:27:57 +0000 (16:27 +1100)] 
Doc: Add additional information to the contributing page.

Updates for new users related to PRs.
Although some of this info is in other places, a new user should
not need to look at 'committer' related docs.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Mar 13 08:30:10 2026
(Merged from https://github.com/openssl/openssl/pull/30336)

2 months ago: doc: Fix X509_NAME_print documentation to reflect actual behavior
kovan [Mon, 2 Feb 2026 11:35:29 +0000 (12:35 +0100)] 
doc: Fix X509_NAME_print documentation to reflect actual behavior

The documentation claimed that X509_NAME_print() would indent each line
by obase characters and wrap lines exceeding 80 characters. However, the
implementation has never actually used obase for any purpose since the
line-wrapping code was removed in 2007 as unreachable.

Update the documentation to state that obase is ignored and the function
outputs on a single line.

Fixes #18004

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 13 08:24:57 2026
(Merged from https://github.com/openssl/openssl/pull/29900)

2 months ago: apps: unload provider on app_provider_load() failure
Brittany Morris [Mon, 9 Mar 2026 01:38:53 +0000 (21:38 -0400)] 
apps: unload provider on app_provider_load() failure

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Mar 13 08:13:48 2026
(Merged from https://github.com/openssl/openssl/pull/30314)

2 months ago: Remove static int from .bss
Joshua Rogers [Wed, 29 Oct 2025 19:12:33 +0000 (03:12 +0800)] 
Remove static int from .bss

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:22:02 2026
(Merged from https://github.com/openssl/openssl/pull/28909)

(cherry picked from commit 3b8e522ae2767f3e2cf579499864d19749e03ea0)

2 months ago: NonStop: reset hpns_connect_attempt at call start and on success
Joshua Rogers [Sun, 12 Oct 2025 14:08:04 +0000 (22:08 +0800)] 
NonStop: reset hpns_connect_attempt at call start and on success

Ensure the NonStop fallback state does not leak across calls by clearing hpns_connect_attempt at the beginning of RAND_query_egd_bytes and after a successful connect. No impact on other platforms.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:22:00 2026
(Merged from https://github.com/openssl/openssl/pull/28909)

(cherry picked from commit 435b6510a35ae71e4d39506dc06e8fba91435ce2)

2 months ago: QUIC LCID hash table collapse on Windows/32-bit due to SipHash digest size misuse
Alexandr Nedvedicky [Wed, 28 Jan 2026 07:03:18 +0000 (08:03 +0100)] 
QUIC LCID hash table collapse on Windows/32-bit due to SipHash digest size misuse

sizeof(unsigned long) was used as the SipHash digest size; SipHash supports
only 8 or 16 bytes. On platforms where sizeof(unsigned long) == 4,
the call fails, and lcid_hash returns the zero-initialized value,
degrading the hash table into a list.

The issue was kindly reported and fix provided by Stanislav Fort at Aisle Research.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 18:04:10 2026
(Merged from https://github.com/openssl/openssl/pull/29814)

(cherry picked from commit 6d621e6729d41a809d87c221728d11a52d913a13)

2 months ago: rand_egd: harden EGD I/O and bounds; defer fdopen until post connect
Joshua Rogers [Sun, 12 Oct 2025 13:52:21 +0000 (21:52 +0800)] 
rand_egd: harden EGD I/O and bounds; defer fdopen until post connect

Tighten RAND_query_egd_bytes and fix edge cases:

* Reject nonpositive request sizes to avoid wrap when storing the
  length byte in tempbuf[1].
* Treat server length byte as untrusted; bound by the requested size
  and by sizeof(tempbuf) to avoid overrunning caller or stack buffers.
* Defer fdopen until after a successful connect. On HPE NonStop
  (OPENSSL_SYS_TANDEM) the connect retry path may swap the socket fd;
  creating the FILE* early could leave a stale stream pointing at a
  closed descriptor, causing EBADF or short I/O, and leaking the new
  socket. Creating the stream after connect avoids this.
* Initialize fd to -1 and close the raw fd when fdopen fails; ensure
  we close either FILE* or the raw fd on all error paths.
* Remove unused code.

Behavior is unchanged on platforms that do not swap fds during connect.
On TANDEM it prevents stale I/O and descriptor leaks. Overall this
improves robustness and bounds checking for EGD interactions.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/28905)

(cherry picked from commit e6aabdfb452de672f5c25ffc490ba35b82c6db76)

2 months ago: Fix a one byte buffer overflow in s_client
Matt Caswell [Wed, 11 Mar 2026 15:06:32 +0000 (15:06 +0000)] 
Fix a one byte buffer overflow in s_client

The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.

This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.

This issue was reported to us by Igor Morgenstern from AISLE.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)

(cherry picked from commit 440ac348bf7ad86aaed3eb6a18c7ce587dccb350)

2 months ago: Fix error handling in SSL_CTX_add_session
Bernd Edlinger [Mon, 22 Sep 2025 14:23:47 +0000 (16:23 +0200)] 
Fix error handling in SSL_CTX_add_session

An out-of-memory error in lh_SSL_SESSION_insert
could trigger various use-after-free errors.

Fixes #28632

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:51:38 2026
(Merged from https://github.com/openssl/openssl/pull/28636)

(cherry picked from commit 0a72e6ae74a6d32977ac53cbf314f414c08b327b)

2 months ago: doc/man3/OPENSSL_malloc: clarify OPENSSL_clear_free() w/ NULL
dann frazier [Wed, 30 Jul 2025 14:51:30 +0000 (08:51 -0600)] 
doc/man3/OPENSSL_malloc: clarify OPENSSL_clear_free() w/ NULL

It wasn't explicitly clear that it was safe to call OPENSSL_clear_free()
with a NULL because, as worded, it sounded like it may call
OPENSSL_cleanse() on NULL before calling OPENSSL_free().

CLA: trivial

Signed-off-by: dann frazier <dann.frazier@chainguard.dev>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 12 17:43:51 2026
(Merged from https://github.com/openssl/openssl/pull/28127)

(cherry picked from commit 4adb40393c073fd5ac34495efd083e981a6a6d69)

2 months ago: Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter
OwenSanzas [Tue, 10 Mar 2026 00:05:35 +0000 (00:05 +0000)] 
Fix stack buffer over-read in DES OFB/CFB64 via unchecked num parameter

The `num` parameter in DES OFB64/CFB64 functions tracks the byte offset
within an 8-byte DES block, so valid values are 0-7. However, neither
the EVP set_params path nor the low-level DES functions validated this
bound, allowing an out-of-range `num` to cause a stack buffer over-read
when used as an array index into the 8-byte keystream buffer.

Fix at two levels:
1. Provider layer: reject num >= blocksize in
   ossl_cipher_common_set_ctx_params() before it reaches the cipher.
2. Low-level DES: mask `*num` with `& 0x07` on entry to
   DES_ofb64_encrypt, DES_ede3_ofb64_encrypt, DES_cfb64_encrypt,
   and DES_ede3_cfb64_encrypt, consistent with how `n` is already
   masked at the end of these functions before being written back.

Fixes #30284

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 14:24:12 2026
(Merged from https://github.com/openssl/openssl/pull/30332)

(cherry picked from commit 134342e194a23b1d3cc0687b05d97cfdd0f31c4a)
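The two-level fix described in the commit above, as an added example that is not OpenSSL's DES code: a provider-style guard on the num parameter and an OFB64-style routine that masks num on entry, using the same ivec/num calling convention as DES_ofb64_encrypt(). The block function is a constructed stand-in (a keyed xorshift mixer, not DES), and the key, IV and message are constructed demo values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 8   /* 8-byte block: a valid num is 0..7 */

/* Constructed stand-in for a keyed 64-bit block function (not DES). */
static uint64_t toy_block(uint64_t key, uint64_t in)
{
    uint64_t x = in ^ key;
    int i;
    for (i = 0; i < 4; i++) {
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        x += key;
    }
    return x;
}

static uint64_t load64(const unsigned char *p)
{
    uint64_t v = 0;
    int i;
    for (i = 0; i < BLOCK; i++)
        v = (v << 8) | p[i];
    return v;
}

static void store64(unsigned char *p, uint64_t v)
{
    int i;
    for (i = BLOCK - 1; i >= 0; i--, v >>= 8)
        p[i] = (unsigned char)(v & 0xff);
}

/* Provider-level guard (cf. the ossl_cipher_common_set_ctx_params() check):
 * reject num outside 0..blocksize-1 before it reaches the cipher. */
static int set_num_param(int num, size_t blocksize)
{
    return num >= 0 && (size_t)num < blocksize;
}

/* OFB64-style XOR using the DES_ofb64_encrypt() convention: ivec holds the
 * last block output (the current keystream block) and *num the byte offset
 * into it. Without the "& 0x07" on entry, ks[n] with n >= 8 would index past
 * the 8-byte stack array, which is the over-read the commit describes. */
static void ofb64_xor(const unsigned char *in, unsigned char *out, size_t len,
                      uint64_t key, unsigned char ivec[BLOCK], int *num)
{
    unsigned char ks[BLOCK];
    int n = *num & 0x07;          /* low-level fix: clamp the index on entry */
    size_t i;

    memcpy(ks, ivec, BLOCK);      /* unused tail of the previous keystream block */
    for (i = 0; i < len; i++) {
        if (n == 0) {             /* block exhausted: derive the next one */
            store64(ivec, toy_block(key, load64(ivec)));
            memcpy(ks, ivec, BLOCK);
        }
        out[i] = in[i] ^ ks[n];
        n = (n + 1) & 0x07;       /* same masking the original applies on exit */
    }
    *num = n;
}

/* Constructed demo inputs. */
static const uint64_t demo_key = 0x0123456789abcdefULL;
static const unsigned char demo_iv[BLOCK] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const unsigned char demo_msg[] = "sample plaintext";   /* 16 bytes used */

/* Returns 1 if an out-of-range num of 9 behaves exactly like num = 1. */
static int demo_num_is_masked(void)
{
    unsigned char iv1[BLOCK], iv9[BLOCK], out1[16], out9[16];
    int n1 = 1, n9 = 9;

    memcpy(iv1, demo_iv, BLOCK);
    memcpy(iv9, demo_iv, BLOCK);
    ofb64_xor(demo_msg, out1, 16, demo_key, iv1, &n1);
    ofb64_xor(demo_msg, out9, 16, demo_key, iv9, &n9);
    return n1 == n9 && memcmp(out1, out9, 16) == 0 && memcmp(iv1, iv9, BLOCK) == 0;
}

/* Encrypts then decrypts from num = 3 and returns the final num, which
 * must be (3 + 16) & 7 = 3; returns -1 if the round trip failed. */
static int demo_roundtrip_final_num(void)
{
    unsigned char iv[BLOCK], ct[16], pt[16];
    int n = 3;

    memcpy(iv, demo_iv, BLOCK);
    ofb64_xor(demo_msg, ct, 16, demo_key, iv, &n);
    memcpy(iv, demo_iv, BLOCK);
    n = 3;
    ofb64_xor(ct, pt, 16, demo_key, iv, &n);
    return memcmp(pt, demo_msg, 16) == 0 ? n : -1;
}
```

The provider guard is the layer that should reject a bad num with an error; the mask in the low-level routine is defence in depth for callers that bypass EVP and pass the offset directly.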

2 months ago: fix NULL pointer dereference when pass1 is NULL
Alexandr Nedvedicky [Wed, 11 Mar 2026 07:30:01 +0000 (08:30 +0100)] 
fix NULL pointer dereference when pass1 is NULL

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1684201
Complements: #adc8e4abd96 Fix Memory leak in app_passwd

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 11:34:53 2026
(Merged from https://github.com/openssl/openssl/pull/30365)

2 months ago: PKCS12: Document that the range for key length when using PBMAC1 is (1..64).
slontis [Fri, 6 Mar 2026 04:25:27 +0000 (15:25 +1100)] 
PKCS12: Document that the range for key length when using PBMAC1 is (1..64).

Fixes #30246

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:32 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

(cherry picked from commit a65de3d6bc393f59c5d14583f99185fb403ba4bd)

2 months ago: PKCS12: Avoid bypassing the provider when doing HMAC operations.
slontis [Fri, 6 Mar 2026 04:20:41 +0000 (15:20 +1100)] 
PKCS12: Avoid bypassing the provider when doing HMAC operations.

pkcs12_gen_mac() now uses EVP_MAC instead of direct HMAC_ calls.

PBMAC1_PBKDF2_HMAC() added additional data to raised parsing errors.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:31 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

(cherry picked from commit b1295c90bcb2aa14edf46a4599e5acd81b778cd9)

2 months ago: PKCS12 app fix
slontis [Fri, 6 Mar 2026 04:07:51 +0000 (15:07 +1100)] 
PKCS12 app fix

Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.

In the case of an error in the verify path do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac();
if only the password was wrong it does not raise an error.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)

(cherry picked from commit a191c2de80a07db754cef3b8cc409b0576e767d8)

2 months ago: asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts
Hamzah M. Yamani [Sun, 1 Mar 2026 20:21:08 +0000 (15:21 -0500)] 
asn1: use ASN1_STRING accessors in crypto/cmp, crypto/ct, crypto/sm2, crypto/ts

Replace direct ASN1_STRING struct member access (->data, ->length) with
public accessor functions ASN1_STRING_get0_data() and ASN1_STRING_length()
in consumer code across four subsystems.

Also fix i2d_SCT_LIST() in crypto/ct/ct_oct.c to heap-allocate
ASN1_OCTET_STRING via ASN1_OCTET_STRING_new() and ASN1_STRING_set0()
rather than stack-allocating it, since the struct is now opaque.

Removes #include <crypto/asn1.h> from all modified files except
crypto/cmp/cmp_protect.c, which retains it for ossl_X509_ALGOR_from_nid().

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/30223)

2 months ago: add an initial space to format a command in `openssl-cms.pod.in`
Pablo Rodríguez [Thu, 5 Mar 2026 16:49:12 +0000 (17:49 +0100)] 
add an initial space to format a command in `openssl-cms.pod.in`

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:44:57 2026
(Merged from https://github.com/openssl/openssl/pull/30274)

2 months ago: doc/man3/X509_STORE_set_verify_cb_func.pod: mention callback constification
Eugene Syromiatnikov [Thu, 5 Mar 2026 15:55:28 +0000 (16:55 +0100)] 
doc/man3/X509_STORE_set_verify_cb_func.pod: mention callback constification

Update the signatures for X509_STORE_CTX_get_issuer_fn
and X509_STORE_CTX_check_issued_fn.

Complements: e5b563366b00 "Constify X509_STORE_CTX functions invoving X509 *"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 12 08:40:00 2026
(Merged from https://github.com/openssl/openssl/pull/30271)

2 months ago: 25-test_req.t: add test cases for X509 v1 vs. v3
Dr. David von Oheimb [Sat, 26 Nov 2022 21:50:19 +0000 (22:50 +0100)] 
25-test_req.t: add test cases for X509 v1 vs. v3

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit 03c94a2a5e840a703092d5194f7b7adcd8e91e6d)

2 months ago: ossl_x509_likely_issued(): fix self-signature check in case issuer equals subject
Dr. David von Oheimb [Thu, 1 Sep 2022 16:11:45 +0000 (18:11 +0200)] 
ossl_x509_likely_issued(): fix self-signature check in case issuer equals subject

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit c955a435e603b9b8d7f7b60603d787819e9f50f8)

2 months ago: 25-test_req.t: add test cases pointing out that we won't fix #19095
Dr. David von Oheimb [Tue, 6 Jan 2026 11:35:44 +0000 (12:35 +0100)] 
25-test_req.t: add test cases pointing out that we won't fix #19095

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:34 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit 9a188b5eff0ce501d553bd2ff2f32b7c8defbfbf)

2 months ago: v3_purp.c: refactor to improve code commenting of ossl_x509v3_cache_extensions()...
Dr. David von Oheimb [Thu, 1 Sep 2022 16:08:43 +0000 (18:08 +0200)] 
v3_purp.c: refactor to improve code commenting of ossl_x509v3_cache_extensions() and X509_check_akid()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:32 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit 54f4703a059096bdbcd04921877a4d299f097600)

2 months ago: openssl-verification-options.pod: clarify when a certificate is considered (supposedl...
Dr. David von Oheimb [Tue, 6 Jan 2026 11:36:32 +0000 (12:36 +0100)] 
openssl-verification-options.pod: clarify when a certificate is considered (supposedly) self-signed

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:31 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit 258b63ede1ce27a0db66355e13b74aa986b1d640)

2 months ago: X509_check_issued.pod: add doc of X509_check_akid(), complete X509_check_issued()
Dr. David von Oheimb [Sat, 26 Nov 2022 09:33:53 +0000 (10:33 +0100)] 
X509_check_issued.pod: add doc of X509_check_akid(), complete X509_check_issued()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 11:22:30 2026
(Merged from https://github.com/openssl/openssl/pull/28373)

(cherry picked from commit 39c0fe5984819b76c03499ede87ac72fba9803e0)

2 months ago: Fix OSSL_parse_url userinfo scan past authority
1seal [Mon, 9 Mar 2026 10:48:49 +0000 (11:48 +0100)] 
Fix OSSL_parse_url userinfo scan past authority

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Mar 11 10:22:54 2026
(Merged from https://github.com/openssl/openssl/pull/30319)

(cherry picked from commit 7aedbb34d01cc3dca6218bad454d795c09ba89e7)

2 months ago: safe_math: documentation example fix
Pauli [Wed, 4 Mar 2026 23:28:15 +0000 (10:28 +1100)] 
safe_math: documentation example fix

The example was for an older version of the code which used triadic
macros to define the functions.  The code was simplified making these
dyadic but the example was skipped.  This fixes the example.

Fixes: cccfc668286c "doc: document the internal integer overflow helpers"
References: b037e3637a49 "header: add integer overflow helper functions"

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 11 10:19:05 2026
(Merged from https://github.com/openssl/openssl/pull/30266)

(cherry picked from commit 77f1718f6f81aa269f8b46a7ba6d186c3477215a)

2 months ago: Fix use after free in quic_connection freeing if up ref fails
Neil Horman [Sun, 8 Mar 2026 20:49:09 +0000 (16:49 -0400)] 
Fix use after free in quic_connection freeing if up ref fails

Issue https://github.com/openssl/openssl/issues/3030

Found a use after free case in ossl_quic_accept_connection in the event
that we fail to up_ref the associated quic listener object.

If we fail to take the up ref on the listener object in this function,
we free the SSL object, which calls into
SSL_free->ossl_quic_free->qc_cleanup, which because we have an
associated listener, we free the mutex for, and then get a use-after-free
when we try to unlock that mutex shortly thereafter.

We really need to fix 3 problems here:

1) The use after free.  Handle this by ensuring that the listener is
   assigned first.

2) A deadlock, since we already hold the associated mutex, we need to
   defer the free operation until after we unlock the mutex.

3) Don't drop the refcount on the listener object in ossl_quic_cleanup
   (since we failed to up-ref it here).  Handle this by adding a flag to
   indicate up-ref failure in the quic-connection object.

Problem was confirmed by synthetically failing the up ref in local
testing, and this patch was confirmed to fix the issue.

Also, we need to adjust some of the tests in quicapitest here, as
several tests just assume that SSL_accept_connection will return a
non-null value.

Fixes #30307

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 11 09:22:35 2026
(Merged from https://github.com/openssl/openssl/pull/30311)

(cherry picked from commit 0ed06337e38ec70e5beb043d5a1da9a6b6e8c57e)

2 months ago: tests: fix configutl test on Windows
Milan Broz [Mon, 9 Mar 2026 13:02:03 +0000 (14:02 +0100)] 
tests: fix configutl test on Windows

In the Windows makefile, the "del /Q /S /F test\*.exp" command is called.
Due to the use of the /S switch and old filename compatibility
magic, it also deletes all *.expected files.
This makes a subsequent run of configtest fail.

As this is the only test using these names (and cryptic
workarounds in makefile are unreadable), let's just
rename expected files to *-exp.out suffix.

Also fix two alien tabs in script.

Fixes: https://github.com/openssl/project/issues/1894
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 10 19:42:26 2026
(Merged from https://github.com/openssl/openssl/pull/30324)

(cherry picked from commit 2cf43bb1e49f07ad74b3413fe8c9577252ede28c)

2 months ago: Fix memory leak in `EC_GROUP_copy()`
Weidong Wang [Mon, 9 Mar 2026 10:19:11 +0000 (05:19 -0500)] 
Fix memory leak in `EC_GROUP_copy()`

We must free pre_comp before its overwrite.

Fixes: 3aef36ffef89 "Add CRYPTO_EX_DATA; remove EC_EXTRA_DATA"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 10 19:04:33 2026
(Merged from https://github.com/openssl/openssl/pull/30320)

(cherry picked from commit 99ba983e28f07c6dc38538cd9bc71cd3e070f3c4)

2 months ago - namemap: handle NULL names in name2num lookups
Nikola Pajkovsky [Fri, 6 Mar 2026 08:49:22 +0000 (09:49 +0100)] 
namemap: handle NULL names in name2num lookups

Make ossl_namemap_name2num() return 0 when `name` is NULL, so callers can
use a single lookup path without local NULL guards.

Fixes: aec9e7fe1693 ("Allow core_namemap to limit hashtable key sizes")
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683247
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683248
Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1683249
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 18:29:00 2026
(Merged from https://github.com/openssl/openssl/pull/30286)

(cherry picked from commit b0ba5c81e43053ae0b8a6cb3559e54b7f6d025d9)

2 months ago - cms: Fix no-signed-attributes for unknown hashless algorithms
Daniel Van Geest [Fri, 6 Mar 2026 11:13:51 +0000 (11:13 +0000)] 
cms: Fix no-signed-attributes for unknown hashless algorithms

Fix CMS signing without signed-attributes for unknown (provider-supplied)
algorithms which don't operate on a digest (e.g. Falcon).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 18:25:39 2026
(Merged from https://github.com/openssl/openssl/pull/30287)

(cherry picked from commit 28c271365a9ef1bcdc7839ec2113cc56ed63d68d)

2 months ago - Handle merged stderr: add 'Failed reading from' pattern
Uni [Fri, 6 Mar 2026 17:19:32 +0000 (18:19 +0100)] 
Handle merged stderr: add 'Failed reading from' pattern

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:20 2026
(Merged from https://github.com/openssl/openssl/pull/30289)

(cherry picked from commit fc63b0fedb83fde49de242c554b6c4c6cc484558)

2 months ago - Fix intermittent hang in 82-test_ech_client_server.t
Uni [Fri, 6 Mar 2026 17:19:31 +0000 (18:19 +0100)] 
Fix intermittent hang in 82-test_ech_client_server.t

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Mar 10 18:22:17 2026
(Merged from https://github.com/openssl/openssl/pull/30289)

(cherry picked from commit dc20d355b553f1dd3c99e468e2cfa0d696a74bab)

2 months ago - Ensure entries in the neighborhood struct are 8 byte aligned
Neil Horman [Fri, 6 Mar 2026 16:31:16 +0000 (11:31 -0500)] 
Ensure entries in the neighborhood struct are 8 byte aligned

This struct is accessed via atomics, which on some platforms require 8
byte alignment.  Generally compilers provide that alignment, since the
first element of the struct is a uint64_t, but it appears that not all
do.

Force the alignment to be correct.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 18:16:34 2026
(Merged from https://github.com/openssl/openssl/pull/30293)

(cherry picked from commit a743be6d2d3f8b2eaebe7ff933f27b1e74cfebe5)

2 months ago - Fix Memory leak in app_passwd
huanghuihui0904 [Mon, 9 Mar 2026 14:57:00 +0000 (22:57 +0800)] 
Fix Memory leak in app_passwd

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 10 17:42:48 2026
(Merged from https://github.com/openssl/openssl/pull/30325)

(cherry picked from commit adc8e4abd962b448354756fef24be499278875ae)

2 months ago - Fix memory leak of p and q in ossl_rsa_fromdata error path
Uni [Fri, 6 Mar 2026 20:24:28 +0000 (21:24 +0100)] 
Fix memory leak of p and q in ossl_rsa_fromdata error path

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30298)

(cherry picked from commit 0d5a73eb380acf9ad6e3c45c06c728b94cc44438)

2 months ago - Change free call to secure free call.
Pauli [Sun, 8 Mar 2026 10:24:23 +0000 (21:24 +1100)] 
Change free call to secure free call.

Freeing secure memory using OPENSSL_free causes badness.  Use the proper
free call instead.

Fixes #30302

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 10 15:08:36 2026
(Merged from https://github.com/openssl/openssl/pull/30305)

(cherry picked from commit 2c39003b2ad3938deff12f4f4a14e445a9a147d2)

2 months ago - Prepare for 4.0 alpha 2 [30344/head]
openssl-machine [Tue, 10 Mar 2026 14:39:53 +0000 (14:39 +0000)] 
Prepare for 4.0 alpha 2

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:55 2026
Release: yes

2 months ago - Prepare for release of 4.0 alpha 1 [openssl-4.0.0-alpha1]
openssl-machine [Tue, 10 Mar 2026 14:39:42 +0000 (14:39 +0000)] 
Prepare for release of 4.0 alpha 1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:43 2026
Release: yes

2 months ago - make update
openssl-machine [Tue, 10 Mar 2026 14:39:40 +0000 (14:39 +0000)] 
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:41 2026
Release: yes

2 months ago - Copyright year updates
openssl-machine [Tue, 10 Mar 2026 14:37:52 +0000 (14:37 +0000)] 
Copyright year updates

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:37:54 2026
Release: yes

2 months ago - CHANGES.md, NEWS.md: picking up changes from 3.6.1
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:41:18 +0000 (11:41 +0100)] 
CHANGES.md, NEWS.md: picking up changes from 3.6.1

Since it has been released before 4.0.0-alpha1.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:37 2026
(Merged from https://github.com/openssl/openssl/pull/30338)

2 months ago - CHANGES.md, NEWS.md: update the URL format for CVE URLs
Eugene Syromiatnikov [Tue, 10 Mar 2026 10:18:12 +0000 (11:18 +0100)] 
CHANGES.md, NEWS.md: update the URL format for CVE URLs

The URLs have changed from [1] to [2].

[1] https://www.openssl.org/news/vulnerabilities.html
[2] https://openssl-library.org/news/vulnerabilities/

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:35 2026
(Merged from https://github.com/openssl/openssl/pull/30338)