git.ipfire.org Git - thirdparty/openssl.git/log
6 weeks ago: TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch
Daniel Kubec [Mon, 30 Mar 2026 11:43:41 +0000 (13:43 +0200)] 
TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch

When session resumption falls back to a full handshake due to a ciphersuite
mismatch, ensure a new session ticket is issued with the newly negotiated
ciphersuite.

Fixes #18549

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 16 11:27:51 2026
(Merged from https://github.com/openssl/openssl/pull/30626)

6 weeks ago: ssl: Fix ssl_do_config to clean up errors on success with ERR_set_mark
Gellért Peresztegi-Nagy [Fri, 10 Apr 2026 16:45:55 +0000 (17:45 +0100)] 
ssl: Fix ssl_do_config to clean up errors on success with ERR_set_mark

ssl_do_config() could leave stale errors on the error stack even on
success, so that later error checking operations could mistakenly
surface these errors. Use ERR_set_mark()/ERR_pop_to_mark() to cleanly
discard errors when the function succeeds or when system config errors
are non-fatal.

Fixes #30760

Co-authored-by: Brandon Allard <brandon@redpanda.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Thu Apr 16 11:24:56 2026
(Merged from https://github.com/openssl/openssl/pull/30765)

6 weeks ago: ossl-guide-migration.pod: tfixes in TLS fixed ver meth deprecation desc
Eugene Syromiatnikov [Tue, 14 Apr 2026 09:50:40 +0000 (11:50 +0200)] 
ossl-guide-migration.pod: tfixes in TLS fixed ver meth deprecation desc

Change duplicating names of the suggested function names from TLS_* to DTLS_*
ones and fix the case of "API".

Co-Authored-by: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Thu Apr 16 11:19:19 2026
(Merged from https://github.com/openssl/openssl/pull/30819)

6 weeks ago: Add regression tests to `test/evp_extra_test.c` that dynamically
jlg1061 [Mon, 2 Mar 2026 13:37:16 +0000 (13:37 +0000)] 
Add regression tests to `test/evp_extra_test.c` that dynamically
discover all provided ciphers with non-zero IV length and verify
correct multi-step initialization semantics.

The EVP API permits key and IV to be supplied in separate
`EVP_CipherInit_ex()` calls (e.g. key-only followed by IV-only).
A recent bug (PR #29934, ASCON-AEAD128) demonstrated that a
provider may silently ignore a key-only init, resulting in reuse
of a previously loaded key during a subsequent IV-only init.

To prevent similar regressions, this change introduces three
generic tests that automatically cover all IV-taking ciphers:

Verifies that:
- `init(key) → init(iv)`
- `init(iv) → init(key)`

produce identical ciphertext (and authentication tag for AEAD
ciphers) compared to single-call `init(key, iv)`.

Primes a context with `key1/iv1`, then re-initializes via
`init(key2) → init(iv2)` and verifies the output matches a fresh
`encrypt(key2, iv2)` operation, ensuring that no previously stored
key is reused.

Encrypts using single-call initialization and then decrypts using
multi-step initialization, verifying plaintext recovery. For AEAD
ciphers, this also exercises tag verification through the
multi-step path.

Ciphers are discovered using `EVP_CIPHER_do_all_provided()`,
requiring no maintenance when new IV-taking ciphers are added.
SIV mode is skipped due to its synthetic IV semantics. CCM mode
handling includes required length declarations.

This provides broad regression coverage for the provider
implementations that support multi-step EVP initialization.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr 16 07:08:17 2026
(Merged from https://github.com/openssl/openssl/pull/30141)

6 weeks ago: Fix broken sslapitest with old FIPS providers
Tomas Mraz [Thu, 16 Apr 2026 05:47:01 +0000 (07:47 +0200)] 
Fix broken sslapitest with old FIPS providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr 16 06:34:31 2026
(Merged from https://github.com/openssl/openssl/pull/30858)

6 weeks ago: test/quicapitest.c: restore array formatting butchered by clang-format
Eugene Syromiatnikov [Thu, 26 Mar 2026 04:57:01 +0000 (05:57 +0100)] 
test/quicapitest.c: restore array formatting butchered by clang-format

Shut off clang-format, as it is incapable of formatting arrays properly,
and just mangles everything instead.  Also, while at it, drop the trailing
commas from TPARAM_CHECK_* definitions, as they are pretty confusing.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:37 2026
(Merged from https://github.com/openssl/openssl/pull/30580)

6 weeks ago: run-checker-ci.yml, run-checker-merge: add -DOPENSSL_USE_IPV6=0
Eugene Syromiatnikov [Thu, 26 Mar 2026 04:55:23 +0000 (05:55 +0100)] 
run-checker-ci.yml, run-checker-merge: add -DOPENSSL_USE_IPV6=0

Add -DOPENSSL_USE_IPV6=0 to run-checker-ci.yml and move no-ui
to run-checker-merge.

References: https://github.com/openssl/openssl/issues/30574
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:34 2026
(Merged from https://github.com/openssl/openssl/pull/30580)

6 weeks ago: Avoid creating TLSProxy on IPv6 loopback address if IPv6 is disabled
Eugene Syromiatnikov [Thu, 26 Mar 2026 04:52:40 +0000 (05:52 +0100)] 
Avoid creating TLSProxy on IPv6 loopback address if IPv6 is disabled

Add a parameter to TLSProxy::Proxy->new()
and TLSProxy::Proxy->new_dtls() that indicates IPv6 usage preference
and pass have_IPv6() to it, so IPv6 usage is avoided when it is disabled.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:33 2026
(Merged from https://github.com/openssl/openssl/pull/30580)

6 weeks ago: test/quicapitest.c: skip test_quic_peer_addr_v6() if IPv6 is disabled
Eugene Syromiatnikov [Thu, 26 Mar 2026 04:40:04 +0000 (05:40 +0100)] 
test/quicapitest.c: skip test_quic_peer_addr_v6() if IPv6 is disabled

Define and add the test only if OPENSSL_USE_IPV6 is set to 1.

Resolves: https://github.com/openssl/openssl/issues/30574
Fixes: beec4e146a9e "Add SSL_get_peer_addr() function to query peer address for QUIC"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:31 2026
(Merged from https://github.com/openssl/openssl/pull/30580)

6 weeks ago: include/openssl/x509_acert.h.in: add extern "C" linkage specification for C++
Eugene Syromiatnikov [Mon, 13 Apr 2026 12:11:49 +0000 (14:11 +0200)] 
include/openssl/x509_acert.h.in: add extern "C" linkage specification for C++

Fixes: dcee34c8f921 "Add RFC 5755 attribute certificate support"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Apr 15 12:36:41 2026
(Merged from https://github.com/openssl/openssl/pull/30796)

6 weeks ago: doc: clarify -hex option behavior in openssl prime
kovan [Mon, 2 Feb 2026 12:30:15 +0000 (13:30 +0100)] 
doc: clarify -hex option behavior in openssl prime

The -hex option description was ambiguous about its exact behavior.
Clarify that:
- With -generate: outputs the prime in hex instead of decimal
- When checking: interprets input as hex instead of decimal
- Output when checking is always hex regardless of this option

Fixes #19208

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 15 12:33:18 2026
(Merged from https://github.com/openssl/openssl/pull/29913)

6 weeks ago: .github/workflows/coveralls.yml: move the master branch to the top of the matrix
Eugene Syromiatnikov [Mon, 13 Apr 2026 11:56:17 +0000 (13:56 +0200)] 
.github/workflows/coveralls.yml: move the master branch to the top of the matrix

So its config options can be copied into a newly created branch more naturally.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:30:38 2026
(Merged from https://github.com/openssl/openssl/pull/30785)

6 weeks ago: .github/workflows/coveralls.yml: enable allocafil tests on openssl-4.0
Eugene Syromiatnikov [Mon, 13 Apr 2026 11:55:16 +0000 (13:55 +0200)] 
.github/workflows/coveralls.yml: enable allocafil tests on openssl-4.0

This really should have been done when the branch was added, but better
late than never.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:30:37 2026
(Merged from https://github.com/openssl/openssl/pull/30785)

6 weeks ago: .github/workflows/coveralls.yml: add enable-lms to openssl-3.6 and openssl-4.0 configs
Eugene Syromiatnikov [Sun, 12 Apr 2026 14:59:19 +0000 (16:59 +0200)] 
.github/workflows/coveralls.yml: add enable-lms to openssl-3.6 and openssl-4.0 configs

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:30:35 2026
(Merged from https://github.com/openssl/openssl/pull/30785)

6 weeks ago: .github/workflows/coveralls.yml: drop no-afalgeng from openssl-4.0 config
Eugene Syromiatnikov [Sun, 12 Apr 2026 14:58:35 +0000 (16:58 +0200)] 
.github/workflows/coveralls.yml: drop no-afalgeng from openssl-4.0 config

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:30:34 2026
(Merged from https://github.com/openssl/openssl/pull/30785)

6 weeks ago: .github/workflows/coveralls.yml: drop EOL branches from the run matrix
Eugene Syromiatnikov [Sun, 12 Apr 2026 13:31:47 +0000 (15:31 +0200)] 
.github/workflows/coveralls.yml: drop EOL branches from the run matrix

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:30:33 2026
(Merged from https://github.com/openssl/openssl/pull/30785)

6 weeks ago: Document ASN1_BIT_STRING functions
Norbert Pocs [Tue, 31 Mar 2026 14:45:43 +0000 (16:45 +0200)] 
Document ASN1_BIT_STRING functions

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:25:45 2026
(Merged from https://github.com/openssl/openssl/pull/30690)

6 weeks ago: Update S/MIME tool documentation
Taavi Eomäe [Thu, 26 Mar 2026 11:48:07 +0000 (13:48 +0200)] 
Update S/MIME tool documentation

CLA: trivial

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Wed Apr 15 12:19:04 2026
(Merged from https://github.com/openssl/openssl/pull/30583)

6 weeks ago: doc: clarify -CAfile and -verifyCAfile semantics in s_server
Josh Auler [Thu, 12 Mar 2026 05:07:42 +0000 (01:07 -0400)] 
doc: clarify -CAfile and -verifyCAfile semantics in s_server

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Apr 15 12:11:34 2026
(Merged from https://github.com/openssl/openssl/pull/30405)

6 weeks ago: doc: Clarify that BN_CTX must not be NULL for BN arithmetic functions
kovan [Tue, 27 Jan 2026 05:16:06 +0000 (06:16 +0100)] 
doc: Clarify that BN_CTX must not be NULL for BN arithmetic functions

The documentation for BN_add and related functions did not explicitly
state that the ctx parameter cannot be NULL. Users may assume NULL is
acceptable since some other OpenSSL functions allow it, but passing
NULL to functions like BN_mod_add() or BN_mod() causes a crash.

Update the documentation to explicitly state that ctx must not be NULL.

Fixes #12092

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 15 11:47:59 2026
(Merged from https://github.com/openssl/openssl/pull/29773)

6 weeks ago: Fix memory leak in ossl_uint_set_insert()
Alexandr Nedvedicky [Wed, 8 Apr 2026 09:55:24 +0000 (11:55 +0200)] 
Fix memory leak in ossl_uint_set_insert()

There is a missing call to OPENSSL_free() in the branch
where existing sets are merged to new range. There is
no evidence/POC the OpenSSL project is aware of that the leak can
be triggered by QUIC protocol operation.

The issue has been kindly reported by Abhinav Agarwal (@abhinavagarwal07)

Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:28:41 2026
(Merged from https://github.com/openssl/openssl/pull/30718)

6 weeks ago: riscv: fix missing VLEN >= 128 guard in AES-GCM dispatch
Christoph Müllner [Tue, 7 Apr 2026 21:05:24 +0000 (23:05 +0200)] 
riscv: fix missing VLEN >= 128 guard in AES-GCM dispatch

ossl_prov_aes_hw_gcm() returned &rv64i_zvkned_gcm when
RISCV_HAS_ZVKNED() was true but RISCV_HAS_ZVKB()/RISCV_HAS_ZVKG()
were false, without checking riscv_vlen() >= 128. All Zvkned
instructions require VLEN >= 128; on VLEN=64 hardware this would
cause illegal-instruction traps.

All other Zvk* dispatch sites already guard on riscv_vlen() >= 128.
Hoist the check to the outer if (RISCV_HAS_ZVKNED()) condition to
cover both return paths uniformly.

Fixes: d056e90ee58a "riscv: Provide vector crypto implementation of AES-GCM mode."
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Apr 15 11:24:50 2026
(Merged from https://github.com/openssl/openssl/pull/30714)

6 weeks ago: ecp_s390x_nistp.c: reorder nullptr checks
Joshua Rogers [Sat, 4 Apr 2026 09:20:01 +0000 (17:20 +0800)] 
ecp_s390x_nistp.c: reorder nullptr checks

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:01:22 2026
(Merged from https://github.com/openssl/openssl/pull/30648)

6 weeks ago: ecp_s390x_nistp.c: Reject negative digest length to prevent size_t underflow
Joshua Rogers [Tue, 31 Mar 2026 15:53:47 +0000 (23:53 +0800)] 
ecp_s390x_nistp.c: Reject negative digest length to prevent size_t underflow

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:01:20 2026
(Merged from https://github.com/openssl/openssl/pull/30648)

6 weeks ago: ossl-guide-migration: Fix ASN1_STRING_ functions formatting
Jon Ericson [Tue, 7 Apr 2026 04:49:33 +0000 (21:49 -0700)] 
ossl-guide-migration: Fix ASN1_STRING_ functions formatting

keep bold and move to an unordered list

Co-authored-by: Tomáš Mráz <tm@t8m.info>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 15 10:54:01 2026
(Merged from https://github.com/openssl/openssl/pull/30629)

6 weeks ago: ossl-guide-migration: delete duplicate entry
Jon Ericson [Tue, 31 Mar 2026 13:47:00 +0000 (06:47 -0700)] 
ossl-guide-migration: delete duplicate entry

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 15 10:54:00 2026
(Merged from https://github.com/openssl/openssl/pull/30629)

6 weeks ago: ossl-guide-migration: Format function names correctly
Jon Ericson [Mon, 30 Mar 2026 17:05:14 +0000 (10:05 -0700)] 
ossl-guide-migration: Format function names correctly

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 15 10:53:59 2026
(Merged from https://github.com/openssl/openssl/pull/30629)

6 weeks ago: quic: fix channel leak when ossl_quic_provide_initial_secret fails
Sunwoo Lee [Fri, 27 Mar 2026 23:22:02 +0000 (08:22 +0900)] 
quic: fix channel leak when ossl_quic_provide_initial_secret fails

In port_bind_channel(), when ossl_quic_provide_initial_secret()
fails, the function returns without freeing the QUIC_CHANNEL
that was just created by port_make_channel(). The caller sees
new_ch == NULL and cannot free it, leaking the channel and all
its sub-allocations (QRX, QTX, TXP, ACKM).

Add ossl_quic_channel_free(ch) before the early return, matching
the cleanup pattern already used by the other error paths in the
same function (lines 864, 873).

CWE-401

Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 10:44:51 2026
(Merged from https://github.com/openssl/openssl/pull/30612)

6 weeks ago: Work around "Use of uninitialized value..." in mkinstallvars.pl
Eugene Syromiatnikov [Fri, 10 Apr 2026 17:48:18 +0000 (19:48 +0200)] 
Work around "Use of uninitialized value..." in mkinstallvars.pl

Avoid "Use of uninitialized value in concatenation (.) or string
at util/mkinstallvars.pl line 139." message by supplying COMMENT
in the mkinstallvars.pl call exporters/build.info.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:54:11 2026
(Merged from https://github.com/openssl/openssl/pull/30768)

6 weeks ago: NOTES-NONSTOP.md: remove the "Linking and Loading Considerations" section
Eugene Syromiatnikov [Sat, 11 Apr 2026 10:16:05 +0000 (12:16 +0200)] 
NOTES-NONSTOP.md: remove the "Linking and Loading Considerations" section

Since the atexit() handler setup was removed in [1], the section content
is no longer relevant; remove it.

[1] https://github.com/openssl/openssl/pull/29385

References: https://github.com/openssl/openssl/issues/30742
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Apr 14 08:50:36 2026
(Merged from https://github.com/openssl/openssl/pull/30776)

6 weeks ago: INSTALL.md: mention that no-atexit has no effect
Eugene Syromiatnikov [Sat, 11 Apr 2026 10:14:42 +0000 (12:14 +0200)] 
INSTALL.md: mention that no-atexit has no effect

Since the atexit() handler was removed in [1], no-atexit configuration
option has no effect, so update the documentation accordingly.

[1] https://github.com/openssl/openssl/pull/29385

References: https://github.com/openssl/openssl/pull/30742
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Apr 14 08:50:35 2026
(Merged from https://github.com/openssl/openssl/pull/30776)

6 weeks ago: Add docs for new atomic apis
Neil Horman [Thu, 2 Apr 2026 19:24:27 +0000 (15:24 -0400)] 
Add docs for new atomic apis

Documents CRYPTO_atomic_load_ptr(), CRYPTO_atomic_store_ptr() and
CRYPTO_atomic_cmp_exch_ptr()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:33 2026
(Merged from https://github.com/openssl/openssl/pull/30670)

6 weeks ago: Run make update
Neil Horman [Thu, 2 Apr 2026 19:23:47 +0000 (15:23 -0400)] 
Run make update

Adds CRYPTO_atomic_load_ptr, CRYPTO_atomic_store_ptr and
CRYPTO_atomic_cmp_exch_ptr

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:32 2026
(Merged from https://github.com/openssl/openssl/pull/30670)

6 weeks ago: convert rand_meth_lock to atomics
Neil Horman [Wed, 1 Apr 2026 18:37:52 +0000 (14:37 -0400)] 
convert rand_meth_lock to atomics

Using our previously created atomic ops, we can (almost) eliminate the
use of the rand_meth_lock.  This lock guards reads/write on the
RAND_default_meth global variable, which is generally written only once
during a process lifetime.  By replacing the lock with an atomic read
for reads, and an atomic compare and exchange or atomic store for
writes, we can significantly improve the execution time of
RAND_get_rand_method, which is called every time a process calls
RAND_bytes_ex()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:31 2026
(Merged from https://github.com/openssl/openssl/pull/30670)

6 weeks ago: Add some crypto atomic pointer ops
Neil Horman [Wed, 1 Apr 2026 16:32:40 +0000 (12:32 -0400)] 
Add some crypto atomic pointer ops

CRYPTO_atomic_load_ptr - load a pointer value with relaxed semantics
CRYPTO_atomic_store_ptr - store a pointer value with relaxed semantics
CRYPTO_atomic_cmp_exch_ptr - cmp/exch a pointer with relaxed or acq/rel
                             semantics

The addition of these functions enables us to better use atomics to
replace read/write locks where we are almost always doing reads

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:30 2026
(Merged from https://github.com/openssl/openssl/pull/30670)
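The lock-free pattern the two commits above describe (one atomic load on the hot read path, a compare-and-exchange or store on the rare write path, replacing a read/write lock around a pointer that is written about once per process), as an added example in plain C11 rather than OpenSSL's CRYPTO_atomic_* wrappers; this is not project code, and `rand_meth_t`, `current_method`, `get_rand_method`, `set_rand_method` and `readers_agree` are illustrative names. The example uses acquire/release ordering instead of the relaxed ordering the commit mentions for load and store: relaxed is adequate when every published table is immutable static data, which is the usual shape of a method table installed once per process, while acquire/release also keeps the pattern correct if a caller publishes a table it built at run time.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical method table standing in for a global such as a default RAND
 * method. Tables published through the pointer below are never modified
 * afterwards, which is what makes lock-free readers safe. */
typedef struct {
    const char *name;
    int (*bytes)(unsigned char *buf, size_t n);
} rand_meth_t;

static int builtin_bytes(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)i;   /* constructed filler, not randomness */
    return 1;
}

static const rand_meth_t builtin_method = { "builtin", builtin_bytes };

/* The read-mostly global that used to sit behind a read/write lock. */
static _Atomic(const rand_meth_t *) current_method = NULL;

/* Hot path: one atomic load, no lock. Acquire pairs with the release in the
 * writers so a reader that sees the pointer also sees the table behind it. */
const rand_meth_t *get_rand_method(void)
{
    const rand_meth_t *m = atomic_load_explicit(&current_method, memory_order_acquire);

    if (m == NULL) {
        /* Lazy one-time init: the thread that wins the CAS installs the
         * default, losers read back whatever the winner stored. */
        const rand_meth_t *expected = NULL;

        if (atomic_compare_exchange_strong_explicit(&current_method, &expected,
                                                    &builtin_method,
                                                    memory_order_acq_rel,
                                                    memory_order_acquire))
            m = &builtin_method;
        else
            m = expected;
    }
    return m;
}

/* Cold path: explicit override by the application. */
void set_rand_method(const rand_meth_t *m)
{
    atomic_store_explicit(&current_method, m, memory_order_release);
}

/* Stress check: `nthreads` readers race from an uninitialised pointer; each
 * must see one stable non-NULL table for all `iters` lookups, and all
 * threads must agree on it. Returns 1 on success, 0 on any inconsistency. */
struct reader_arg { long iters; const rand_meth_t *seen; int ok; };

static void *reader(void *p)
{
    struct reader_arg *a = p;

    a->seen = get_rand_method();
    a->ok = a->seen != NULL;
    for (long i = 0; a->ok && i < a->iters; i++)
        if (get_rand_method() != a->seen)
            a->ok = 0;
    return NULL;
}

int readers_agree(int nthreads, long iters)
{
    pthread_t tid[16];
    struct reader_arg args[16];
    int i, ok = 1;

    if (nthreads > 16)
        nthreads = 16;
    for (i = 0; i < nthreads; i++) {
        args[i].iters = iters;
        if (pthread_create(&tid[i], NULL, reader, &args[i]) != 0) {
            nthreads = i;    /* join only the threads that started */
            ok = 0;
            break;
        }
    }
    for (i = 0; i < nthreads; i++) {
        pthread_join(tid[i], NULL);
        ok = ok && args[i].ok && args[i].seen == args[0].seen;
    }
    return ok;
}

int main(void)
{
    static const rand_meth_t custom = { "custom", builtin_bytes };

    printf("readers agree: %d\n", readers_agree(8, 200000));
    set_rand_method(&custom);
    printf("now using: %s\n", get_rand_method()->name);
    return 0;
}
```

Build with `cc -std=c11 -pthread example.c`. Running it under ThreadSanitizer (`-fsanitize=thread`) is the practical check that no non-atomic access to the pointer slipped in.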

6 weeks ago: ppc64le: Optimized MLKEM NTT, supports p8 (ISA 2.07) and above architectures.
Danny Tsen [Tue, 7 Apr 2026 13:19:05 +0000 (09:19 -0400)] 
ppc64le: Optimized MLKEM NTT, supports p8 (ISA 2.07) and above architectures.

Optimized MLKEM NTT implementation for ppc64le for ISA 2.07 and above architectures.

Supporting files include:
asm/mlkem_ntt_ppc64le.S: supports NTT.
asm/mlkem_intt_ppc64le.S: supports inverse NTT.
asm/mlkem_ppc_macros_asm.S: PPC64LE macros.

Modified build.info to support ppc64le assembly implementation.
Added new definitions of MLKEM_NTT_ASM for NTT and inverse NTT for
optimized assembly implementation.

This is the initial architecture specific implementation so can be modified
to adapt to new build structures.

Baseline speed test:
                               keygen    encaps    decaps keygens/s  encaps/s  decaps/s
                 ML-KEM-512 0.000037s 0.000030s 0.000046s   26744.7   33529.5   21875.6
                 ML-KEM-768 0.000059s 0.000043s 0.000066s   16836.6   23118.8   15198.3
                ML-KEM-1024 0.000088s 0.000060s 0.000089s   11406.2   16749.7   11265.8

Optimized:
                               keygen    encaps    decaps keygens/s  encaps/s  decaps/s
                 ML-KEM-512 0.000023s 0.000015s 0.000022s   42789.9   65006.8   46064.6
                 ML-KEM-768 0.000038s 0.000023s 0.000032s   25983.3   43731.1   31254.7
                ML-KEM-1024 0.000060s 0.000033s 0.000045s   16662.7   30708.2   22034.6

The optimized code runs around 1.9 times faster than the original C implementation.

Tested-by: Eugene Syromiatnikov <esyr@openssl.org>
Signed-off-by: Danny Tsen <dtsen@us.ibm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Apr 14 08:23:42 2026
(Merged from https://github.com/openssl/openssl/pull/30709)

6 weeks ago: include C++ extern in ech.h
sftcd [Mon, 13 Apr 2026 00:43:04 +0000 (01:43 +0100)] 
include C++ extern in ech.h

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 13 09:57:10 2026
(Merged from https://github.com/openssl/openssl/pull/30790)

6 weeks ago: Skip parsing OCSP status_request when no status call is registered
Brenda So [Mon, 30 Mar 2026 21:32:47 +0000 (14:32 -0700)] 
Skip parsing OCSP status_request when no status call is registered

When no ext.status_cb is set, the server will not produce a stapled
OCSP response. This patch returns early from tls_parse_ctos_status_request
before parsing the extension body to save memory.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Apr 13 09:40:08 2026
(Merged from https://github.com/openssl/openssl/pull/30630)

6 weeks ago: We now have ml-dsa asm, add it to fips-checksums
Tomas Mraz [Thu, 19 Mar 2026 09:58:56 +0000 (10:58 +0100)] 
We now have ml-dsa asm, add it to fips-checksums

We also add other PQC algorithm directories that might
appear in future so they are picked-up by the script
once they appear. This requires checking whether the
directory exists.

Also update the fips sources and checksums.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Apr 13 09:35:17 2026
(Merged from https://github.com/openssl/openssl/pull/30502)

6 weeks ago: apps: enforce command-line parameter checking.
F. R. Da Silva [Thu, 26 Mar 2026 23:09:23 +0000 (00:09 +0100)] 
apps: enforce command-line parameter checking.

Improve 'verify' option help messages.

Integer value parsing formats are:
- 'n' is any integer
- 'N' is a non-negative integer (i.e. value >= 0)
- 'p' is a positive integer (i.e. value > 0)

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon Apr 13 09:30:22 2026
(Merged from https://github.com/openssl/openssl/pull/30476)

6 weeks ago: apps: remove atoi() calls.
Filipe R. Da Silva [Sun, 15 Mar 2026 20:55:42 +0000 (21:55 +0100)] 
apps: remove atoi() calls.

Related to #8216

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon Apr 13 09:30:21 2026
(Merged from https://github.com/openssl/openssl/pull/30476)
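The strict option parsing the two commits above move the apps toward (no atoi(); integer kinds 'n', 'N' and 'p'), as an added example that is not the OpenSSL apps code: strtol() with errno and end-pointer checks, then the sign rule for the requested kind, so that garbage, trailing junk and out-of-range values are all rejected instead of being silently mangled. `opt_parse_int`, `opt_parse_int32` and `opt_value_or` are names chosen here, not the project's option helpers.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a command-line integer strictly. `kind` follows the help-text
 * convention quoted in the commit: 'n' any integer, 'N' value >= 0,
 * 'p' value > 0. Returns 1 and stores the value on success, 0 otherwise.
 * atoi() by contrast returns 0 for "abc", truncates "12abc" to 12 and has
 * undefined behaviour on overflow, so a caller cannot tell bad input from a
 * legitimate zero. */
int opt_parse_int(const char *s, char kind, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return 0;                       /* empty, or leading whitespace */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)
        return 0;                       /* does not fit in a long */
    if (*end != '\0')
        return 0;                       /* trailing junk: "12abc", "0x10", "3 " */
    switch (kind) {
    case 'n':
        break;
    case 'N':
        if (v < 0)
            return 0;
        break;
    case 'p':
        if (v <= 0)
            return 0;
        break;
    default:
        return 0;                       /* unknown kind is a caller bug */
    }
    *out = v;
    return 1;
}

/* Same check narrowed to int, which most option handlers actually store. */
int opt_parse_int32(const char *s, char kind, int *out)
{
    long v;

    if (!opt_parse_int(s, kind, &v) || v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Convenience for callers that want a value or a sentinel on failure. */
long opt_value_or(const char *s, char kind, long fallback)
{
    long v;

    return opt_parse_int(s, kind, &v) ? v : fallback;
}

int main(void)
{
    /* Constructed sample arguments, the sort of thing -verify_depth or
     * -attime might receive; none of this comes from a real command line. */
    const char *samples[] = { "5", "+7", "0", "-1", "12abc", " 3",
                              "0x10", "", "99999999999999999999" };
    const char kinds[] = { 'n', 'N', 'p' };
    size_t i, k;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-22s", samples[i]);
        for (k = 0; k < sizeof(kinds); k++) {
            long v;
            int ok = opt_parse_int(samples[i], kinds[k], &v);
            printf("  %c:%s", kinds[k], ok ? "ok" : "reject");
        }
        putchar('\n');
    }
    return 0;
}
```

The leading-whitespace rejection is deliberate: strtol() would skip it, but an option value that starts with a space almost always means a quoting mistake in the invoking script, and silently accepting it hides that.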

6 weeks ago: Precompute some helper objects in each SSL_CTX
Viktor Dukhovni [Tue, 7 Apr 2026 11:46:58 +0000 (21:46 +1000)] 
Precompute some helper objects in each SSL_CTX

Instead of repeated fetching, precompute the below per the library
context and properties of the SSL_CTX and use them for the lifetime of
the SSL_CTX.

    - HMAC algorithm handle (session ticket HMAC)
    - SHA2-256 algorithm handle (session ticket HMAC)
    - AES_256-CBC algorithm handle (session ticket en/decryption)
    - TLS1 PRF (when TLS <= 1.2 is supported)

The "sha1" and "md5" handles are no longer used, and those fields are
removed.

The `SSL_HMAC` objects used internally are now stack allocated, and the
associated "new" and "free" functions are now called "construct" and
"destruct" respectively.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 13 09:03:45 2026
(Merged from https://github.com/openssl/openssl/pull/30696)

6 weeks ago: Fix no-dtls1_2 test failure
Matt Caswell [Tue, 7 Apr 2026 14:39:42 +0000 (15:39 +0100)] 
Fix no-dtls1_2 test failure

Fix a failure with no-dtls1_2 introduced by the test in #30503

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 13 08:59:03 2026
(Merged from https://github.com/openssl/openssl/pull/30704)

6 weeks ago: ci: Use jom to parallelize Windows builds
Milan Broz [Sun, 5 Apr 2026 19:24:28 +0000 (21:24 +0200)] 
ci: Use jom to parallelize Windows builds

The jom version in choco install is obsolete,
but it works fine for CI.

Users should use jom 1.1.7 or more recent.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon Apr 13 08:46:21 2026
(Merged from https://github.com/openssl/openssl/pull/30703)

6 weeks ago: Windows: Use /Z7 compiler flag to enable parallel builds
Milan Broz [Thu, 2 Apr 2026 10:51:46 +0000 (12:51 +0200)] 
Windows: Use /Z7 compiler flag to enable parallel builds

MSVC compilation on Windows cannot be reliably parallelized
with tools like jom (an nmake replacement) due to contention
on shared .pdb files used for debug info. Writes to a shared
.pdb must be serialized.

The /FS compiler flag serializes concurrent compiler writes,
but does not resolve contention when the compiler and linker
access the same .pdb file. With shared .pdb files (e.g. app.pdb),
the makefile does not prevent races between the linker and
compilation of multiple targets.

This can be resolved either by restructuring the makefile
to introduce sentinel dependencies that serialize the conflicting
steps, or by eliminating the shared .pdb entirely.

This patch takes the latter approach: it replaces /Zi with /Z7,
which embeds debug info directly into each .obj file and avoids
any shared-file contention. /Z7 is supported by all MSVC versions.

The linker-generated .pdb is unaffected.

Side effects: object files are slightly larger, and all .pdb files
are now named after their target — the shared app.pdb, ossl_static.pdb,
and dso.pdb no longer exist.

With this change, jom can be used to parallelize the build.

Fixes: #9931
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon Apr 13 08:46:20 2026
(Merged from https://github.com/openssl/openssl/pull/30703)

6 weeks ago: OSSL_PARAM_BLD_push_octet_*(): Allow NULL buffer with 0 bsize
Tomas Mraz [Wed, 8 Apr 2026 15:38:51 +0000 (17:38 +0200)] 
OSSL_PARAM_BLD_push_octet_*(): Allow NULL buffer with 0 bsize

Fixes #30728

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Apr 13 07:47:44 2026
(Merged from https://github.com/openssl/openssl/pull/30730)

6 weeks ago: Remove duplicate function asn1_bit_string_set_unused_bits
Norbert Pocs [Mon, 6 Apr 2026 12:34:08 +0000 (14:34 +0200)] 
Remove duplicate function asn1_bit_string_set_unused_bits

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 13 07:11:12 2026
(Merged from https://github.com/openssl/openssl/pull/30746)

6 weeks ago: Rename ossl_asn1_string_set_bits_left to something more expressive
Norbert Pocs [Mon, 6 Apr 2026 12:30:03 +0000 (14:30 +0200)] 
Rename ossl_asn1_string_set_bits_left to something more expressive

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 13 07:11:11 2026
(Merged from https://github.com/openssl/openssl/pull/30746)

6 weeks ago: quic: fix NULL txl dereference in qtx_resize_txe
Nikolas Gauder [Tue, 17 Mar 2026 19:29:28 +0000 (20:29 +0100)] 
quic: fix NULL txl dereference in qtx_resize_txe

Fixes: 1957148384c7 "QUIC Record Layer (Refactor and TX Side)"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Apr 11 20:55:10 2026
(Merged from https://github.com/openssl/openssl/pull/30474)

6 weeks ago | style: fix clang-format issues in chacha_internal_test.c
Samaresh Kumar Singh [Thu, 2 Apr 2026 20:16:56 +0000 (15:16 -0500)] 
style: fix clang-format issues in chacha_internal_test.c

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:07 2026
(Merged from https://github.com/openssl/openssl/pull/30587)

6 weeks ago | test/chacha: added ELFv2 ABI FPR preservation check for POWER10 8x path
Samaresh Kumar Singh [Sat, 28 Mar 2026 21:38:35 +0000 (16:38 -0500)] 
test/chacha: added ELFv2 ABI FPR preservation check for POWER10 8x path

On POWER10, ChaCha20_ctr32_vsx_8x is activated for buffers over 255
bytes and uses vxxlor to alias FPR14-FPR25 as temporary storage. Add a
test to chacha_internal_test that pins known values in f14-f25 via
inline asm, calls through ChaCha20_ctr32 with a 512-byte buffer to
trigger the 8x path, and verifies the registers still hold their
original values. The test is gated on PPC_BRD31 (POWER10 capability
flag) so it is skipped silently on older hardware.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:05 2026
(Merged from https://github.com/openssl/openssl/pull/30587)

6 weeks ago | chacha/asm: save f17 in 8x prologue for contiguous f14-f25 range
Samaresh Kumar Singh [Sat, 28 Mar 2026 19:43:47 +0000 (14:43 -0500)] 
chacha/asm: save f17 in 8x prologue for contiguous f14-f25 range

f17 is not directly clobbered by any vxxlor in this function, but
saving the full contiguous range f14-f25 is cleaner and avoids any
future ambiguity if the code is modified. Adjust all subsequent FPR
slot offsets and the VMX base offset accordingly, and update the frame
size comment.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:04 2026
(Merged from https://github.com/openssl/openssl/pull/30587)

6 weeks ago | chacha/asm: fix ELFv2 ABI violation in ChaCha20_ctr32_vsx_8x
Samaresh Kumar Singh [Thu, 26 Mar 2026 14:19:22 +0000 (09:19 -0500)] 
chacha/asm: fix ELFv2 ABI violation in ChaCha20_ctr32_vsx_8x

The 8-block POWER10 ChaCha20 path uses vxxlor to spill VMX values into
VSR0-VSR26, which aliases FPR0-FPR26. FPR14-FPR31 are callee-saved per
the ELFv2 ABI, but the function was never saving or restoring them,
silently corrupting 11 FPRs (12 on big-endian) across any call with a
buffer larger than 255 bytes. VMX registers v20-v23, also
callee-saved, had the same problem.

Fix by increasing the frame size to accommodate save slots for
FPR14-FPR25 (and FPR26 on BE) and VMX v20-v23, and adding the
corresponding stfd/lfd and stvx/lvx pairs in the prologue and
epilogue. The VRSAVE save offset is updated to a fixed expression so
it stays clear of the new save area.

Fix for the bug #30584

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:02 2026
(Merged from https://github.com/openssl/openssl/pull/30587)

6 weeks ago | doc: updates no-pinshared description
Ethan [Fri, 27 Mar 2026 19:15:52 +0000 (15:15 -0400)] 
doc: updates no-pinshared description

The current documentation heavily references the now removed
`atexit()` handlers. This updates the description to better reflect
its current utility (removal of `-Wl,-znodelete` linker flags on
Linux and Hurd).

Fixes #30586

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Sat Apr 11 19:44:00 2026
(Merged from https://github.com/openssl/openssl/pull/30606)

7 weeks ago | Setting statem.error_state more carefully
Igor Ustinov [Tue, 31 Mar 2026 14:35:49 +0000 (16:35 +0200)] 
Setting statem.error_state more carefully

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sat Apr 11 19:31:39 2026
(Merged from https://github.com/openssl/openssl/pull/30647)

7 weeks ago | SSL_use_cert_and_key NPE with provided keys
Viktor Dukhovni [Sat, 4 Apr 2026 14:19:07 +0000 (01:19 +1100)] 
SSL_use_cert_and_key NPE with provided keys

SSL_use_cert_and_key(3) dereferenced a NULL SSL_CTX pointer
via ssl_cert_lookup_by_pkey() when the private key type was
not one of the builtin ones, but was provider-based.

Bug introduced in Postfix 3.2 (commit ee58915cfd9).

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Apr 11 19:04:12 2026
(Merged from https://github.com/openssl/openssl/pull/30683)

7 weeks ago | CHANGES.md, NEWS.md: update for 3.6.2
Eugene Syromiatnikov [Sun, 5 Apr 2026 10:54:45 +0000 (12:54 +0200)] 
CHANGES.md, NEWS.md: update for 3.6.2

3.6.2 CHANGES.md includes the following:
 * CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
   CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
 * https://github.com/openssl/openssl/pull/30384
   "Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
 * https://github.com/openssl/openssl/pull/30411
   "Fix detection of plaintext HTTP over TLS (3.6/3.5 backport)"
 * https://github.com/openssl/openssl/pull/30557
   "re-constructorize the cpuid stuff, but fix riscv to not depend
   on BIO_snprintf."

3.6.2 NEWS.md includes the following:
 * CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
   CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 18:51:42 2026
(Merged from https://github.com/openssl/openssl/pull/30720)

7 weeks ago | curl ECH+QUIC fix
sftcd [Wed, 8 Apr 2026 10:11:37 +0000 (11:11 +0100)] 
curl ECH+QUIC fix

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Sat Apr 11 18:29:37 2026
(Merged from https://github.com/openssl/openssl/pull/30727)

7 weeks ago | Fix off-by-one s_client overflows
Matt Caswell [Wed, 8 Apr 2026 15:36:42 +0000 (16:36 +0100)] 
Fix off-by-one s_client overflows

There are one byte buffer overflows possible in s_client's handling
of STARTTLS in various protocols. If a server's response fills the entire
buffer (16k) then we attempt to add a NUL terminator one byte off the end
of the buffer.

This was reported by Igor Morgenstern from AISLE to openssl-security and
assessed by the security team as "bug or hardening only".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Apr 11 16:16:24 2026
(Merged from https://github.com/openssl/openssl/pull/30731)

7 weeks ago | Update apps/lib/s_cb.c
Sashan [Wed, 1 Apr 2026 06:32:46 +0000 (08:32 +0200)] 
Update apps/lib/s_cb.c

Co-authored-by: Bob Beck <beck@obtuse.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 10 12:22:48 2026
(Merged from https://github.com/openssl/openssl/pull/30596)

7 weeks ago | Update apps/lib/s_cb.c
Sashan [Wed, 1 Apr 2026 06:28:31 +0000 (08:28 +0200)] 
Update apps/lib/s_cb.c

Co-authored-by: Bob Beck <beck@obtuse.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 10 12:22:46 2026
(Merged from https://github.com/openssl/openssl/pull/30596)

7 weeks ago | fix BIO_vsnprintf() with NULL string arg crash on Solaris 10
Alexandr Nedvedicky [Fri, 27 Mar 2026 08:33:07 +0000 (09:33 +0100)] 
fix BIO_vsnprintf() with NULL string arg crash on Solaris 10

Issue was kindly reported and fixes suggested by @rainerjung

Fixes #30402

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 10 12:22:44 2026
(Merged from https://github.com/openssl/openssl/pull/30596)

7 weeks ago | Improve PBKDF2 password strength too weak error message with arguments (30757/head)
Jun Aruga [Mon, 30 Mar 2026 17:21:18 +0000 (18:21 +0100)] 
Improve PBKDF2 password strength too weak error message with arguments

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr  8 10:34:20 2026
(Merged from https://github.com/openssl/openssl/pull/30628)

7 weeks ago | evp_skey_test.c: Add test for EVP_SKEY_to_provider cross-provider transfer
Joshua Rogers [Sat, 4 Apr 2026 10:28:46 +0000 (18:28 +0800)] 
evp_skey_test.c: Add test for EVP_SKEY_to_provider cross-provider transfer

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr  8 10:27:04 2026
(Merged from https://github.com/openssl/openssl/pull/30650)

7 weeks ago | evp_skey_test.c: Add test for EVP_SKEY_to_provider same-provider path
Joshua Rogers [Sat, 4 Apr 2026 09:55:34 +0000 (17:55 +0800)] 
evp_skey_test.c: Add test for EVP_SKEY_to_provider same-provider path

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr  8 10:27:03 2026
(Merged from https://github.com/openssl/openssl/pull/30650)

7 weeks ago | s_lib.c: Fix refcount leak in EVP_SKEY_to_provider
Joshua Rogers [Tue, 31 Mar 2026 16:02:11 +0000 (00:02 +0800)] 
s_lib.c: Fix refcount leak in EVP_SKEY_to_provider

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr  8 10:27:02 2026
(Merged from https://github.com/openssl/openssl/pull/30650)

7 weeks ago | OPENSSL_secure_malloc.pod: mention CRYPTO_secure_actual_size()
Eugene Syromiatnikov [Mon, 30 Mar 2026 08:30:41 +0000 (10:30 +0200)] 
OPENSSL_secure_malloc.pod: mention CRYPTO_secure_actual_size()

Add mentions to NAME, SYNOPSIS, and RETURN VALUES, and provide a short
description (that it is identical to its OPENSSL_* counterpart)
to DESCRIPTION.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:23:57 2026
(Merged from https://github.com/openssl/openssl/pull/30623)

7 weeks ago | OPENSSL_malloc.pod: mention CRYPTO_memdup()
Eugene Syromiatnikov [Mon, 30 Mar 2026 08:27:35 +0000 (10:27 +0200)] 
OPENSSL_malloc.pod: mention CRYPTO_memdup()

Add its mentions to NAME, SYNOPSIS, and RETURN VALUES sections.
Also, while at it, put OPENSSL_{str,strn,mem}dup() with the other
OPENSSL_* interfaces, and add mentions of OPENSSL_str{,n}dup()
to RETURN VALUES.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:23:55 2026
(Merged from https://github.com/openssl/openssl/pull/30623)

7 weeks ago | OPENSSL_malloc.pod: mention CRYPTO_aligned_alloc{,_array}() in RETURN VALUES
Eugene Syromiatnikov [Mon, 30 Mar 2026 08:10:35 +0000 (10:10 +0200)] 
OPENSSL_malloc.pod: mention CRYPTO_aligned_alloc{,_array}() in RETURN VALUES

Addition of those has been originally overlooked.

Complements: cc4ea5e00028 "Introduce new internal hashtable implementation"
Complements: fa9b7b930e3e "Add array memory allocation routines"
Complements: 14a24fd14ff7 "doc/man3/OPENSSL_malloc.pod: explicitly document freeptr value on failures"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:23:55 2026
(Merged from https://github.com/openssl/openssl/pull/30623)

7 weeks ago | quic: remove unused scid from port_default_packet_handler
Sunwoo Lee [Fri, 27 Mar 2026 23:58:41 +0000 (08:58 +0900)] 
quic: remove unused scid from port_default_packet_handler

Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.

Remove scid parameter from:
  - port_bind_channel()
  - port_validate_token()
  - ossl_quic_channel_on_new_conn()
  - ossl_quic_bind_channel()
  - ch_on_new_conn_common()

Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.

CWE-457

Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:21:55 2026
(Merged from https://github.com/openssl/openssl/pull/30611)

7 weeks ago | crypto/pkcs12/p12_add.c: Restore ERR_set_mark and ERR_pop_to_mark
Jun Aruga [Fri, 27 Mar 2026 18:16:55 +0000 (18:16 +0000)] 
crypto/pkcs12/p12_add.c: Restore ERR_set_mark and ERR_pop_to_mark

The commit <2ea6e785f526f88f913cc6f49372aae9dc54bc63> removed the
ERR_set_mark and ERR_pop_to_mark calls before and after the EVP_CIPHER_fetch
call in several files.

However, in PKCS12_pack_p7encdata_ex, crypto/pkcs12/p12_add.c, there is a valid
case in which EVP_CIPHER_fetch returns NULL, raising an error, and
PKCS5_pbe_set_ex is called. One such case is PBE-SHA1-3DES.

PKCS12_pack_p7encdata_ex, crypto/pkcs12/p12_add.c:
```c
...
    /* A fetch failure here is expected for legacy PBE algorithms such as
     * PBE-SHA1-3DES, which have no corresponding EVP_CIPHER to fetch. */
    pbe_ciph = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);

    if (pbe_ciph != NULL) {
        /* PKCS#5 v2.0 PBES2 with the fetched cipher */
        pbe = PKCS5_pbe2_set_iv_ex(pbe_ciph, iter, salt, saltlen, NULL, -1, ctx);
    } else {
        /* Legacy PKCS#12 PBE keyed by NID; the fetch error is not a failure here */
        pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, ctx);
    }
...
```

So, we need to restore ERR_set_mark and ERR_pop_to_mark calls before and after
the EVP_CIPHER_fetch call for this case.

A reproducer is below.

```console
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes \
  -subj "/CN=Test" 2> /dev/null
$ openssl pkcs12 \
    -export -in cert.pem -inkey key.pem -out test.p12 -passout pass: \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
40276EC7677F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:376:Global default library context, Algorithm (PBE-SHA1-3DES : 0), Properties (<null>)
$ echo $?
0
```

80-test_pkcs12.t: Add test_pkcs12_passcerts_legacy_outerr2_empty test to test
this change.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr  8 10:09:07 2026
(Merged from https://github.com/openssl/openssl/pull/30607)

7 weeks ago | quic_channel.c: avoid clipping in ack_delay_exponent/disable_active_migration setters
Eugene Syromiatnikov [Wed, 18 Mar 2026 09:13:26 +0000 (10:13 +0100)] 
quic_channel.c: avoid clipping in ack_delay_exponent/disable_active_migration setters

Avoid clipping of the provided values in setters due to type casting
by checking the values against the type-specific maximum beforehand.

Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:05:27 2026
(Merged from https://github.com/openssl/openssl/pull/30485)

7 weeks ago | quic_channel.c: avoid integer overflow in ossl_quic_channel_set_max_data_request
Eugene Syromiatnikov [Wed, 18 Mar 2026 09:03:08 +0000 (10:03 +0100)] 
quic_channel.c: avoid integer overflow in ossl_quic_channel_set_max_data_request

Check that DEFAULT_CONN_RXFC_MAX_WND_MUL * max_data multiplication
will not overflow uint64_t data type before performing it.

Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:05:26 2026
(Merged from https://github.com/openssl/openssl/pull/30485)

7 weeks ago | quic_channel.c: check the setters return values
Eugene Syromiatnikov [Wed, 18 Mar 2026 08:59:31 +0000 (09:59 +0100)] 
quic_channel.c: check the setters return values

...and call them before updating QUIC_CHANNEL parameters.
An unchecked return value was initially reported by Coverity
for the ossl_quic_rxfc_init() call in ossl_quic_channel_set_max_data_request(),
but it also seems to be relevant for ossl_quic_channel_set_max_streams_request()
and ossl_quic_channel_set_ack_delay_exponent_request().

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1689768
Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:05:25 2026
(Merged from https://github.com/openssl/openssl/pull/30485)

7 weeks ago | Deprecate EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num().
slontis [Tue, 10 Mar 2026 03:17:55 +0000 (14:17 +1100)] 
Deprecate EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num().

Suggested to be added in OpenSSL 4.1.
Since engines have been removed, these are redundant functions.
End users should not generally be accessing this internal field.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:02:58 2026
(Merged from https://github.com/openssl/openssl/pull/30335)

7 weeks ago | NEWS.md: Update 3.6.0 release date
Eugene Syromiatnikov [Sun, 5 Apr 2026 11:28:27 +0000 (13:28 +0200)] 
NEWS.md: Update 3.6.0 release date

Original-Commit: 7b371d80d959 "Prepare for release of 3.6.0"

Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:00:08 2026
(Merged from https://github.com/openssl/openssl/pull/30686)

7 weeks ago | CHANGES.md: move SSL_{add,set}1_{dnsname,ipaddr} entry to 4.0 section
Eugene Syromiatnikov [Sun, 5 Apr 2026 11:20:41 +0000 (13:20 +0200)] 
CHANGES.md: move SSL_{add,set}1_{dnsname,ipaddr} entry to 4.0 section

Also reword it to match the style of other entries.

Complements: cb1645e83bd9 "Add a changes entry"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:00:06 2026
(Merged from https://github.com/openssl/openssl/pull/30686)

7 weeks ago | CHANGES.md: move SSL_CTX_is_server() entry to the 4.0 section
Eugene Syromiatnikov [Sun, 5 Apr 2026 11:18:25 +0000 (13:18 +0200)] 
CHANGES.md: move SSL_CTX_is_server() entry to the 4.0 section

Also reword it to match the style of other entries.

Complements: ca20e54e8674 "SSL_CTX_is_server() was added."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 10:00:05 2026
(Merged from https://github.com/openssl/openssl/pull/30686)

7 weeks ago | Make ext argument of X509V3_EXT_print_fp const
Arne Schwabe [Wed, 25 Mar 2026 15:28:46 +0000 (16:28 +0100)] 
Make ext argument of X509V3_EXT_print_fp const

Commit e75bd84ffc7 made the ext argument of X509V3_EXT_print const
but did not give X509V3_EXT_print_fp, which is essentially a wrapper
around X509V3_EXT_print, the same treatment.

This commit aligns the two functions again.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 09:15:11 2026
(Merged from https://github.com/openssl/openssl/pull/30572)

7 weeks ago | Fix documentation of SSL_ech_get1_status() return values
Tomas Mraz [Fri, 3 Apr 2026 14:18:52 +0000 (16:18 +0200)] 
Fix documentation of SSL_ech_get1_status() return values

Also do minor formatting cleanups on the man page.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr  8 09:13:38 2026
(Merged from https://github.com/openssl/openssl/pull/30673)

7 weeks ago | ECH: conformance test changes for echspec test tool
sftcd [Tue, 17 Mar 2026 21:10:34 +0000 (21:10 +0000)] 
ECH: conformance test changes for echspec test tool

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 08:59:20 2026
(Merged from https://github.com/openssl/openssl/pull/30419)

7 weeks ago | ECH: Conformance test changes in response to AISLE review
sftcd [Tue, 17 Mar 2026 21:08:36 +0000 (21:08 +0000)] 
ECH: Conformance test changes in response to AISLE review

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr  8 08:59:19 2026
(Merged from https://github.com/openssl/openssl/pull/30419)

7 weeks ago | 80-test_cms.t: Accept success in malformed RSA decryption
Tomas Mraz [Mon, 6 Apr 2026 20:09:20 +0000 (22:09 +0200)] 
80-test_cms.t: Accept success in malformed RSA decryption

The decryption of the malformed encrypted message might succeed
with some probability. We accept that as the testcase tries to
trigger a crash which does not happen.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr  7 07:16:44 2026

7 weeks ago | rsa_kem: test RSA_public_encrypt() result in RSASVE
Nikola Pajkovsky [Thu, 19 Mar 2026 11:17:45 +0000 (12:17 +0100)] 
rsa_kem: test RSA_public_encrypt() result in RSASVE

RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure.

Add regression coverage in evp_extra_test using custom low-level RSA
methods to exercise the provider/legacy boundary. The new tests verify
that encapsulation fails when RSA_public_encrypt() returns:

  * -1, which is the documented failure result, and
  * a short positive length, which is also invalid for RSASVE with
    RSA_NO_PADDING because the ciphertext must be exactly nlen bytes.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:45:39 2026

7 weeks ago | rsa_kem: validate RSA_public_encrypt() result in RSASVE
Nikola Pajkovsky [Thu, 19 Mar 2026 11:16:08 +0000 (12:16 +0100)] 
rsa_kem: validate RSA_public_encrypt() result in RSASVE

RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.

Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.

Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:45:38 2026

7 weeks ago | Avoid possible buffer overflow in buf2hex conversion
Igor Ustinov [Thu, 5 Mar 2026 14:47:34 +0000 (15:47 +0100)] 
Avoid possible buffer overflow in buf2hex conversion

Fixes CVE-2026-31789

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:39:23 2026

7 weeks ago | Added test for CVE-2026-28388
Daniel Kubec [Tue, 17 Mar 2026 10:14:56 +0000 (11:14 +0100)] 
Added test for CVE-2026-28388

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:27:17 2026

7 weeks ago | Fix NULL Dereference When Delta CRL Lacks CRL Number Extension
Daniel Kubec [Tue, 17 Mar 2026 10:11:22 +0000 (11:11 +0100)] 
Fix NULL Dereference When Delta CRL Lacks CRL Number Extension

Fixes CVE-2026-28388

Co-authored-by: Igor Morgenstern <igor.morgenstern@aisle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:27:16 2026

7 weeks ago | Out-of-bounds read in AES-CFB-128 on X86-64 with AVX-512 support
Daniel Kubec [Wed, 18 Mar 2026 10:27:52 +0000 (11:27 +0100)] 
Out-of-bounds read in AES-CFB-128 on X86-64 with AVX-512 support

The partial-block pre-processing code in ossl_aes_cfb128_vaes_enc and
ossl_aes_cfb128_vaes_dec unconditionally loads 16 bytes from the input buffer
using unmasked vmovdqu8 instructions, even when fewer bytes are valid.
This can read 1–15 bytes beyond the provided buffer. The post-processing code
in the same file correctly uses masked loads to avoid this issue.

Fixes CVE-2026-28386

Co-Authored-by: Stanislav Fort <stanislav.fort@aisle.com>
Co-Authored-by: Pavel Kohout <pavel.kohout@aisle.com>
Co-Authored-by: Alex Gaynor <gaynor@anthropic.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:16:26 2026

7 weeks ago | Add test for CMS decryption with RSA keys
Neil Horman [Sun, 29 Mar 2026 14:47:03 +0000 (10:47 -0400)] 
Add test for CMS decryption with RSA keys

Ensure we don't encounter a segfault when decrypting CMS messages with
malformed EnvelopedData when using RSA-OAEP.

Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr  6 18:58:32 2026

7 weeks ago | Fix NULL deref in rsa_cms_decrypt
Neil Horman [Wed, 1 Apr 2026 08:56:44 +0000 (10:56 +0200)] 
Fix NULL deref in rsa_cms_decrypt

Very similar to CVE-2026-28389, ensure that if we are missing
parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
we don't segfault when decrypting.

Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28390

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr  6 18:58:30 2026

7 weeks ago | Test for DH/ECDH CMS KARI processing NULL pointer dereference
Neil Horman [Tue, 31 Mar 2026 18:38:03 +0000 (14:38 -0400)] 
Test for DH/ECDH CMS KARI processing NULL pointer dereference

Test to ensure that, if we attempt to decrypt a CMS message with a
missing parameter field of KeyEncryptionAlgorithmIdentifier
we fail, rather than segfault.

Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr  6 18:58:29 2026

7 weeks ago | Fix NULL deref in [ec]dh_cms_set_shared_info
Neil Horman [Mon, 16 Mar 2026 17:49:07 +0000 (13:49 -0400)] 
Fix NULL deref in [ec]dh_cms_set_shared_info

Multiple independent reports indicated a SIGSEGV was possible in CMS
processing of a crafted CMS EnvelopedData message using a Key
Agreement Recipient Info field. If the
KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
referenced functions above will attempt to dereference the
alg->parameter data prior to checking if the parameter field is NULL.

Confirmed to resolve the issues using the reproducers provided in the
security reports.

Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
Fixes CVE-2026-28389

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon Apr  6 18:58:28 2026

8 weeks ago | .github/workflows/windows.yml: Fix typo breaking the Windows CI
Tomas Mraz [Fri, 3 Apr 2026 16:04:21 +0000 (18:04 +0200)] 
.github/workflows/windows.yml: Fix typo breaking the Windows CI

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Apr  4 06:28:16 2026
(Merged from https://github.com/openssl/openssl/pull/30674)

8 weeks ago | doc: document PKCS12 password prompting for certificates
kovan [Mon, 2 Feb 2026 14:47:35 +0000 (15:47 +0100)] 
doc: document PKCS12 password prompting for certificates

Document that commands reading certificates from PKCS#12 files may
prompt for a password. The existing documentation only mentioned
password prompting for private keys.

Fixes #21292

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:52:28 2026
(Merged from https://github.com/openssl/openssl/pull/29918)

8 weeks ago | evp_test.c: Check error stack for new errors and not stale ones
Tomas Mraz [Thu, 2 Apr 2026 09:08:56 +0000 (11:08 +0200)] 
evp_test.c: Check error stack for new errors and not stale ones

The error stack might have stale entries but
we are interested only in those coming from the
EVP call being tested.

Fixes #30454

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Apr  3 15:49:52 2026
(Merged from https://github.com/openssl/openssl/pull/30669)

8 weeks ago | Fix a CHANGES.md entry added to the wrong section
Matt Caswell [Thu, 2 Apr 2026 08:01:00 +0000 (09:01 +0100)] 
Fix a CHANGES.md entry added to the wrong section

This fixes the CHANGES.md entry added via #30225 which erroneously added
the entry in the "Changes between 3.6 and 4.0" section instead of the
"Changes between 4.0 and 4.1" section.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:48:20 2026
(Merged from https://github.com/openssl/openssl/pull/30668)

8 weeks ago | quic: fix NULL deref in ossl_quic_new_from_listener()
Abhinav Agarwal [Thu, 2 Apr 2026 05:58:30 +0000 (22:58 -0700)] 
quic: fix NULL deref in ossl_quic_new_from_listener()

ossl_quic_port_create_outgoing() can return NULL under memory pressure.
The result was used immediately by ossl_quic_channel_set_msg_callback()
without a NULL check, causing a crash on the SSL_new_from_listener()
API path.

The correct pattern already exists in create_channel() (same file): check
the return value and raise a non-normal error before jumping to cleanup.
Apply the same pattern here.

Fixes: 0b15147a37c ("Implement SSL_new_from_listener()")
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:46:54 2026
(Merged from https://github.com/openssl/openssl/pull/30667)

8 weeks ago | ci: Fix CYGWIN build
Milan Broz [Wed, 1 Apr 2026 12:24:44 +0000 (14:24 +0200)] 
ci: Fix CYGWIN build

The build should run with the -j4 option, but this option
was never propagated to the run command (lost in PowerShell).

Just set bash as the shell here. This speeds up the CYGWIN CI build
significantly.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Dmitry Misharov <dmitry@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:45:11 2026
(Merged from https://github.com/openssl/openssl/pull/30661)

8 weeks ago | util/platform_symbols/windows-symbols.txt: add __stdio_common_vsnprintf_s
Eugene Syromiatnikov [Tue, 31 Mar 2026 10:47:20 +0000 (12:47 +0200)] 
util/platform_symbols/windows-symbols.txt: add __stdio_common_vsnprintf_s

Apparently, it has not been caught after a29d157fdb6d "Replace homebrewed
implementation of *printf*() functions with libc" due to non-working symbol
checks.

Fixes: a29d157fdb6d "Replace homebrewed implementation of *printf*() functions with libc"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:42:24 2026
(Merged from https://github.com/openssl/openssl/pull/30635)