Jakub Zelenka [Thu, 28 May 2026 10:19:30 +0000 (12:19 +0200)]
quic: fix handling of the first rxe mfail in qrx_process_pkt
When qrx_ensure_free_rxe() fails at the start of qrx_process_pkt() the
function returned 0 without advancing the PACKET cursor and, for the
first packet in the datagram, without setting first_dcid. The
qrx_process_datagram() loop then re-entered qrx_process_pkt() for the
same bytes with pkt_idx >= 1 and the sentinel first_dcid (id_len = 255),
tripping the assertion in qrx_validate_hdr_early() that asserts
first_dcid->id_len to be lower than QUIC_MAX_CONN_ID_LEN.
The fix goes to the malformed label instead. The header has not been decoded
at this point so eop is NULL, which makes the malformed path discard the
rest of the datagram. This is because without an RXE we can process
neither this packet nor any that follow it. This also advances the
cursor and, when the failure is on the first packet, avoids leaving
first_dcid unset for the next iteration. It is consistent with the
other allocation-failure site in the function, which already routes
through malformed.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Fri May 29 14:08:56 2026
(Merged from https://github.com/openssl/openssl/pull/31316)
yangxuqing [Sat, 23 May 2026 01:56:18 +0000 (09:56 +0800)]
slh_dsa: Remove redundant cleanup to prevent double free
Since SLH_DSA_KEY is allocated with OPENSSL_zalloc, its members are
NULL-initialized. Removing the redundant slh_dsa_key_hash_cleanup()
inside the err path of slh_dsa_key_hash_init() prevents the
double free while allowing the outer ossl_slh_dsa_key_free() to
safely handle the cleanup.
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:45:46 2026
(Merged from https://github.com/openssl/openssl/pull/31274)
That pattern alone trips up anyone who associates 'm' with modulus and
finds themselves using BN_nnmod() incorrectly.
This change modifies the argument names to match documentation.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Igor Ustinov <igus@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri May 29 07:25:31 2026
(Merged from https://github.com/openssl/openssl/pull/31304)
Jakub Zelenka [Thu, 21 May 2026 17:07:14 +0000 (19:07 +0200)]
quic: delay el keyslot teardown after creation in setup
There is an issue with key update in the TX path: if any of the operations
fails during keyslot setup (e.g. due to memory failure), the cctx stays
set to NULL, which results in a failed assertion in qtx_encrypt_into_txe.
The fix splits the build and installation steps in
ossl_qrl_enc_level_set_key_update so the cctx teardown is done only
after the build is successful. The install is then non-fallible so it
cannot end up with an empty cctx.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri May 29 07:18:36 2026
(Merged from https://github.com/openssl/openssl/pull/31268)
Nikola Pajkovsky [Mon, 25 May 2026 07:33:00 +0000 (09:33 +0200)]
crypto/aes/asm/asm-sha{1,256}-armv8.pl: add missing function alignment
clang-22 reported missing alignment on MacOS:
ld: warning: arm64 function not 4-byte aligned: _asm_sha1_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha1-armv8.o)
ld: warning: arm64 function not 4-byte aligned: _asm_sha256_hmac_aescbc_dec from libcrypto.a(libcrypto-lib-aes-sha256-armv8.o)
Add ".align 4" directives to the affected functions.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu May 28 08:31:59 2026
(Merged from https://github.com/openssl/openssl/pull/31284)
Jakub Zelenka [Mon, 18 May 2026 16:19:48 +0000 (18:19 +0200)]
Split mfail output into counting and injection subtests
Counting now always runs and is always checked, including when
hooks are not installed or skip-all is set. Only injection is
skipped in those cases.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu May 28 07:33:05 2026
(Merged from https://github.com/openssl/openssl/pull/31219)
quic: make ch_cleanup() idempotent and simplify channel error path
ch_init() calls ch_cleanup() on its own failure, after which
port_make_channel() may still call ossl_quic_channel_free() (which calls
ch_cleanup() again). The second call double-freed fields such as
ch->qlog_title.
To handle this, ch_cleanup() now NULLs every owned pointer after its
free and clears the have_statm / have_qsm flags after their destructors,
making it safe to invoke twice on the same channel.
With ch_cleanup() idempotent, port_make_channel() no longer needs the
ch_cleaned flag and the bare OPENSSL_free(ch) branch: the error path
unconditionally calls ossl_quic_channel_free() regardless of whether
ch_init() succeeded, partially initialized the channel, or already ran
ch_cleanup() on itself.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu May 28 07:26:22 2026
(Merged from https://github.com/openssl/openssl/pull/31177)
Daniel Kubec [Fri, 20 Mar 2026 20:14:11 +0000 (21:14 +0100)]
TLS: Verify session ID to prevent incorrect session resumption
When a TLS 1.2 session is resumed via an external server-side cache
SSL_CTX_sess_set_get_cb(), the session ID stored in an SSL_SESSION is assigned
by the server at the end of the original full handshake and never modified
afterwards. The client-supplied session ID in ClientHello is copied verbatim
from the session the client cached after that same handshake. If both sides
behaved correctly, the two values are guaranteed to be identical.
This commit adds an explicit comparison inside ssl_get_prev_session() between
the session ID the client offered in ClientHello and the session ID embedded in
the SSL_SESSION returned by the external cache. If they do not match, the cached
session is released and ssl_get_prev_session() returns as a cache miss, forcing
a full handshake. Catching the mismatch here ensures the server never sends a
ServerHello that claims resumption of a session ID it cannot legitimately echo.
A mismatch unambiguously indicates one of the following:
- a corrupt cache entry
- an external cache implementation that returned the wrong session
- an active tampering attempt
In all three cases refusing resumption and falling back to a full handshake is
the correct response.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 12:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30517)
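The session ID comparison described in the commit above, as an added stand-alone C example (not OpenSSL's code, and not the real SSL_SESSION or SSL_CTX_sess_set_get_cb() API): a lookup routine asks an external cache for the offered ID, then refuses the returned entry unless its stored ID has the same length and bytes, releasing it and reporting a cache miss otherwise. The types, the cache callback, the "return the wrong entry" mode, and the sample session ID bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in types: not OpenSSL's SSL_SESSION or cache callbacks. */
#define MAX_SID_LEN 32

typedef struct {
    unsigned char id[MAX_SID_LEN];
    size_t id_len;
    int refcount;   /* released on mismatch, as the commit describes */
    int cipher;     /* stands in for the rest of the session state */
} fake_session;

typedef fake_session *(*get_session_cb)(const unsigned char *id, size_t id_len, void *arg);

enum lookup_result { LOOKUP_MISS = 0, LOOKUP_HIT = 1 };

/* Mirrors the check added in ssl_get_prev_session(): the ID the client offered
 * must be identical (same length, same bytes) to the ID stored in the entry the
 * external cache returned. Anything else is treated as a cache miss, which
 * forces a full handshake. */
enum lookup_result lookup_prev_session(const unsigned char *offered, size_t offered_len,
                                       get_session_cb cb, void *arg, fake_session **out)
{
    fake_session *sess;

    *out = NULL;
    if (offered_len == 0 || offered_len > MAX_SID_LEN)
        return LOOKUP_MISS;
    sess = cb(offered, offered_len, arg);
    if (sess == NULL)
        return LOOKUP_MISS;
    if (sess->id_len != offered_len || memcmp(sess->id, offered, offered_len) != 0) {
        sess->refcount--;          /* wrong entry: release it, do not resume */
        return LOOKUP_MISS;
    }
    *out = sess;
    return LOOKUP_HIT;
}

/* Constructed external cache: a two-entry table the callback searches, plus a
 * "buggy" mode that always returns the first entry regardless of the key. */
typedef struct {
    fake_session entries[2];
    int return_wrong_entry;
} fake_cache;

static fake_session *cache_get(const unsigned char *id, size_t id_len, void *arg)
{
    fake_cache *c = arg;
    size_t i;

    if (c->return_wrong_entry) {
        c->entries[0].refcount++;
        return &c->entries[0];
    }
    for (i = 0; i < 2; i++) {
        if (c->entries[i].id_len == id_len && memcmp(c->entries[i].id, id, id_len) == 0) {
            c->entries[i].refcount++;
            return &c->entries[i];
        }
    }
    return NULL;
}

/* Fills the cache with two sessions whose IDs are constructed sample bytes. */
static void cache_init(fake_cache *c)
{
    memset(c, 0, sizeof(*c));
    memset(c->entries[0].id, 0xA1, 16); c->entries[0].id_len = 16; c->entries[0].cipher = 1;
    memset(c->entries[1].id, 0xB2, 16); c->entries[1].id_len = 16; c->entries[1].cipher = 2;
}

/* Scenario: the client offers the second session's ID. A correct cache returns
 * that entry (hit); a buggy cache returns the first entry, which the ID check
 * turns into a miss. Returns hit * 10 + outstanding references, so a single
 * value shows both whether resumption happened and that nothing was leaked. */
int run_session_id_scenario(int buggy_cache)
{
    fake_cache c;
    fake_session *s = NULL;
    unsigned char offered[16];
    int hit;

    cache_init(&c);
    c.return_wrong_entry = buggy_cache;
    memset(offered, 0xB2, sizeof(offered));
    hit = lookup_prev_session(offered, sizeof(offered), cache_get, &c, &s) == LOOKUP_HIT;
    if (hit)
        s->refcount--;             /* the handshake is done with the session */
    return hit * 10 + c.entries[0].refcount + c.entries[1].refcount;
}

int main(void)
{
    printf("correct cache: %d, buggy cache: %d\n",
           run_session_id_scenario(0), run_session_id_scenario(1));
    return 0;
}
```

The comparison is deliberately an exact match on both length and content; a prefix match or a comparison that trusts the cache's length alone would let a wrong entry through. Session IDs are not secrets, so a plain memcmp is adequate here.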
The RSA PKCS#1 verify-recover provider path did not validate routsize
before passing the caller buffer to ossl_rsa_verify().
The X9.31 verify-recover path already rejects undersized output buffers,
but the PKCS#1 path could proceed with too little output space and rely
on the lower layer to write the recovered digest.
Check the expected digest size before calling ossl_rsa_verify() and
return PROV_R_OUTPUT_BUFFER_TOO_SMALL when the caller-provided buffer is
too small.
Add a regression test that covers both successful recovery with a
properly sized buffer and failure with a 1-byte output buffer, while
also checking that the short buffer is left unchanged.
Co-authored-by: Kushal <72255307+Kushalkhemka@users.noreply.github.com>
Co-authored-by: Mayank <175295782+mayank-jangid-moon@users.noreply.github.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 11:46:40 2026
(Merged from https://github.com/openssl/openssl/pull/30917)
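The output-size check and the regression it guards, as an added C example that is not OpenSSL's provider code: a verify-recover wrapper reports the required size when called with a NULL output buffer, rejects an undersized buffer before the lower layer can write into it, and a check function confirms that a 1-byte buffer is refused and left unchanged while a properly sized one succeeds. The error codes, the fixed 32-byte digest, and the "lower layer" that merely copies bytes are constructed stand-ins, not the real ossl_rsa_verify() or PROV_R_OUTPUT_BUFFER_TOO_SMALL.

```c
#include <stddef.h>
#include <string.h>

/* Constructed result codes; not OpenSSL's PROV_R_* values. */
enum { RECOVER_OK = 1, RECOVER_ERR_BUFFER_TOO_SMALL = -1, RECOVER_ERR_VERIFY = -2 };

#define DIGEST_LEN 32

/* Stand-in for the lower layer: "recovers" a digest from a constructed
 * signature by copying its first DIGEST_LEN bytes. Like the lower layer the
 * commit describes, it trusts the caller to have provided enough room. */
static int lower_verify_recover(unsigned char *rout, const unsigned char *sig, size_t siglen)
{
    if (siglen < DIGEST_LEN)
        return 0;
    memcpy(rout, sig, DIGEST_LEN);
    return 1;
}

/* Provider-style wrapper. With rout == NULL it only reports the required size.
 * With a buffer, it validates routsize before the lower layer touches it. */
int verify_recover(unsigned char *rout, size_t *routlen, size_t routsize,
                   const unsigned char *sig, size_t siglen)
{
    if (rout == NULL) {
        *routlen = DIGEST_LEN;
        return RECOVER_OK;
    }
    /* The check the commit adds to the PKCS#1 path: refuse before writing. */
    if (routsize < DIGEST_LEN)
        return RECOVER_ERR_BUFFER_TOO_SMALL;
    if (!lower_verify_recover(rout, sig, siglen))
        return RECOVER_ERR_VERIFY;
    *routlen = DIGEST_LEN;
    return RECOVER_OK;
}

/* Regression check in the spirit of the one the commit adds: a 1-byte buffer
 * must be rejected and left untouched, and a properly sized buffer must
 * receive the recovered bytes. Returns 1 when both hold. */
int check_short_buffer_untouched(void)
{
    unsigned char sig[64];
    unsigned char small[1] = { 0x5A };
    unsigned char big[DIGEST_LEN];
    size_t len = 0, i;

    for (i = 0; i < sizeof(sig); i++)
        sig[i] = (unsigned char)i;        /* constructed "signature" bytes */

    if (verify_recover(small, &len, sizeof(small), sig, sizeof(sig))
            != RECOVER_ERR_BUFFER_TOO_SMALL)
        return 0;
    if (small[0] != 0x5A)                 /* nothing may have been written */
        return 0;
    if (verify_recover(big, &len, sizeof(big), sig, sizeof(sig)) != RECOVER_OK)
        return 0;
    return len == DIGEST_LEN && big[0] == 0 && big[DIGEST_LEN - 1] == DIGEST_LEN - 1;
}
```

The important property is that the size check happens in the layer that knows the caller's buffer size, so no component below it is ever handed a buffer shorter than what it will write.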
Bob Beck [Wed, 20 May 2026 13:54:06 +0000 (07:54 -0600)]
Convert use of artisanally made hand crafted integer types
to use the stdint.h ones.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
Bob Beck [Wed, 20 May 2026 13:27:08 +0000 (07:27 -0600)]
use stdint in modes.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 27 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/31254)
yangxuqing [Sat, 23 May 2026 02:33:35 +0000 (10:33 +0800)]
crypto/evp/m_sigver.c: fix potential double free on error path in do_sigver_init
In do_sigver_init(), if the for loop proceeds to its second iteration
(iter = 2), the results from the first iteration (signature and
tmp_keymgmt) are explicitly freed at the beginning of the loop.
However, the pointers are not set to NULL after being freed.
If an error occurs subsequently during this second iteration (for
example, if evp_signature_fetch_from_prov() returns NULL, triggering a
goto notsupported), the control flow jumps to the generic cleanup block
at the end of the function. This cleanup block calls
EVP_KEYMGMT_free(tmp_keymgmt) again on the dangling pointer, resulting
in a double free.
This commit resolves the issue by explicitly nullifying these pointers
immediately after they are freed at the start of the loop iteration.
(Note: This issue was discussed with the OpenSSL Security Team, who
classified it as a regular bug due to lack of attacker control and
requested a public PR.)
Fixes: 839ffdd11cd4 "EVP: Allow a fallback for operations that work with an EVP_PKEY"
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:28:15 2026
(Merged from https://github.com/openssl/openssl/pull/31276)
Daniel Kubec [Mon, 18 May 2026 23:44:34 +0000 (01:44 +0200)]
test/tls13tickettest.c: check SSL_TICKET_NO_DECRYPT path in tls_parse_ctos_psk()
Add a test that rotates ticket keys so that the previously issued ticket
can no longer be decrypted: if session resumption fails
due to a NO_DECRYPT, it is expected to fall back to a full handshake,
and a new session ticket is issued.
Complements: 6115286faeb8 "TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch"
References: https://github.com/openssl/openssl/pull/30626
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 15:20:59 2026
(Merged from https://github.com/openssl/openssl/pull/31223)
crypto/cmp/cmp_genm.c: avoid strcat() in get_genm_itav()
There is no need to use strcat() there, as it concatenates into a string
that is used in a format string anyway. Put the literal prefix
into the format string and avoid literal string copying.
Fixes: d477484d33b7 "CMP: add support for genm/genp messages with id-it-caCerts"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Tue May 26 14:54:19 2026
(Merged from https://github.com/openssl/openssl/pull/31230)
Andrew Dinh [Wed, 29 Apr 2026 17:44:17 +0000 (00:44 +0700)]
util: add acvp-test util
Add a Python script acvp-test to the util/ directory, that tests
an OpenSSL binary against the NIST ACVTS demo server. acvp-test util
supports most major algorithms, including PQC algorithms added in 3.5.
Test an OpenSSL binary against the NIST ACVTS demo server.
options:
-h, --help show this help message and exit
--algorithm ALGO Algorithm to test (default: ACVP-AES-CBC)
--direction {encrypt,decrypt} [{encrypt,decrypt} ...]
Direction(s) for symmetric algorithms (default: both)
--key-len BITS [BITS ...]
Key length(s) in bits for symmetric algorithms (default: all)
--production Run as a production validation (default: sample/demo mode)
--save-vectors Save downloaded vector sets to vectors_vsNNN.json
Andrew Dinh [Wed, 20 May 2026 16:09:48 +0000 (23:09 +0700)]
quic_impl.c: pass correct SSL to ossl_ssl_connection_new_int in ossl_quic_new_from_listener
In ossl_quic_new_from_listener(), the call to ossl_ssl_connection_new_int()
was passing NULL for the user_ssl parameter. NULL causes s->user_ssl
to be set to the inner TLS ssl object, so the inner SSL object points
to itself rather than to the outer QUIC connection object.
The fix passes &qc->obj.ssl instead of NULL. Afterwards,
ossl_quic_obj_init() will initialize &qc->obj.ssl in place.
Resolves: https://github.com/openssl/project/issues/989
Fixes: 0b15147a37c5 "Implement SSL_new_from_listener()"
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 14:12:45 2026
(Merged from https://github.com/openssl/openssl/pull/31257)
kovan [Thu, 29 Jan 2026 14:13:28 +0000 (15:13 +0100)]
doc: add SSL/SSL_CTX thread safety section to openssl-threads
Add explicit documentation about thread safety of SSL and SSL_CTX
objects, clarifying that:
- SSL_CTX can be shared among threads but should be treated as
read-only after creating SSL objects or sharing across threads
- SSL connection objects should only be used by one thread at a time
- Each thread handling TLS connections should create its own SSL object
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Tue May 26 13:19:35 2026
(Merged from https://github.com/openssl/openssl/pull/29847)
yangxuqing [Sat, 23 May 2026 02:06:41 +0000 (10:06 +0800)]
providers: Nullify BIO pointer after free to prevent double free
In providers/implementations/storemgmt/file_store_any2obj.c, if the
control flow reaches the err label after BIO_free(in) is called, a
double free will occur in the generic cleanup block.
Currently, the only path to this specific err jump is if
BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team,
this failure is currently impossible because the buffer is being
shrunk (max_len >= len).
However, as requested by the security team via email, this commit
explicitly nullifies the in pointer after the first free to
future-proof the function and prevent a double free in case the
semantics of BUF_MEM_grow() or the surrounding logic change in
the future.
Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY"
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 10:14:50 2026
(Merged from https://github.com/openssl/openssl/pull/31275)
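Three of the commits above (the idempotent ch_cleanup() for the QUIC channel, the nullified pointers in the do_sigver_init() retry loop, and the nullified BIO in file_store_any2obj.c) apply the same discipline: NULL an owned pointer right after freeing it, and clear any "have" flag after its destructor, so that a later cleanup pass cannot free it again. The following added C example, which is not OpenSSL's code, shows both shapes with counted allocations so the balance can be checked: an object whose init can fail part-way and is then cleaned up twice (once by init itself, once by the caller's unconditional free), and a two-iteration retry loop that fails after the first attempt's result has been discarded. The types, allocation counters and failure steps are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an object with owned sub-allocations (a QUIC
 * channel, a signing context, a decoder holding a BIO); not OpenSSL's types. */
typedef struct {
    char *title;        /* owned heap pointer, like ch->qlog_title */
    int *stats;         /* owned, guarded by a flag like have_statm */
    int have_stats;
} owner_t;

/* Counters so a test can prove every allocation is freed exactly once. */
static int g_allocs, g_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);     /* zeroed, like OPENSSL_zalloc */
    if (p != NULL)
        g_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p != NULL)
        g_frees++;
    free(p);
}

/* Idempotent cleanup: each owned pointer is NULLed after its free and each
 * "have" flag cleared after its destructor, so a second call is harmless. */
void owner_cleanup(owner_t *o)
{
    tracked_free(o->title);
    o->title = NULL;
    if (o->have_stats) {
        tracked_free(o->stats);
        o->stats = NULL;
        o->have_stats = 0;
    }
}

/* Init that can fail part-way (fail_step 1 or 2) and cleans up after itself,
 * as ch_init() does by calling ch_cleanup() on its own failure. */
static int owner_init(owner_t *o, int fail_step)
{
    o->title = tracked_alloc(8);
    if (o->title == NULL || fail_step == 1)
        goto err;
    strcpy(o->title, "demo");
    o->stats = tracked_alloc(sizeof(int));
    if (o->stats == NULL)
        goto err;
    o->have_stats = 1;
    if (fail_step == 2)
        goto err;
    return 1;
 err:
    owner_cleanup(o);
    return 0;
}

/* The outer free the caller's error path invokes unconditionally, whether or
 * not owner_init() already ran owner_cleanup() on the same object. */
void owner_free(owner_t *o)
{
    if (o == NULL)
        return;
    owner_cleanup(o);
    tracked_free(o);
}

/* Creates and destroys an owner, failing init at fail_step (0 = success).
 * Returns 1 when frees == allocs: no leak and no double free. */
int create_and_free_balanced(int fail_step)
{
    owner_t *o;

    g_allocs = g_frees = 0;
    o = tracked_alloc(sizeof(*o));
    if (o == NULL)
        return 0;
    (void)owner_init(o, fail_step);
    owner_free(o);                  /* second cleanup pass after a failed init */
    return g_allocs == g_frees;
}

/* Retry-loop shape from do_sigver_init(): on the second iteration the first
 * attempt's result is freed, and a failure before anything is reallocated
 * jumps to the shared cleanup block. The NULL assignment right after the
 * free is what keeps that block from freeing the same pointer twice. */
int retry_loop_balanced(void)
{
    int *result = NULL;
    int iter;

    g_allocs = g_frees = 0;
    for (iter = 1; iter <= 2; iter++) {
        if (iter == 2) {
            tracked_free(result);
            result = NULL;          /* the fix */
            goto err;               /* simulated fetch failure on the retry */
        }
        result = tracked_alloc(sizeof(int));
        if (result == NULL)
            goto err;
    }
 err:
    tracked_free(result);           /* shared cleanup: NULL here is a no-op */
    return g_allocs == g_frees;
}
```

With the NULL assignments removed, the same flows free `title` or `result` twice; the counters would show more frees than allocations, and a real allocator would report heap corruption.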
Ahmed Rabea [Thu, 21 May 2026 13:24:11 +0000 (16:24 +0300)]
crypto/dso/dso_win32.c: fix win32_joiner buffer sizing for dir-only paths
win32_joiner() always emits a trailing '\' when file_split->dir
is present, even if file_split->file is NULL. The previous length
calculation only reserved that byte when file_split->file was also
non-NULL, which could cause a one-byte overflow.
Resolves: https://github.com/openssl/openssl/issues/31260
Fixes: cbecb3ac3763 "There's an ongoing project to bring some kind of path selection mechanism to the ENGINE framework. This means there there are going to be new functionality for the DSO part, and ultimately some way of merging two file specifications together.
CLA: trivial
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:36:02 2026
(Merged from https://github.com/openssl/openssl/pull/31266)
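The sizing rule behind the win32_joiner() fix, as an added C example that is not OpenSSL's dso_win32.c code: the length computation reserves the separator byte whenever a directory is present, independent of whether a file part exists, and the writer emits exactly what was reserved. The `path_split` type and the sample paths are constructed for illustration; the check function exercises all three shapes (dir and file, dir only, file only).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed split form of a path, modelled on the dir/file pair the commit
 * describes; not OpenSSL's struct. Either part may be NULL. */
typedef struct {
    const char *dir;
    const char *file;
} path_split;

/* Bytes required for the joined string, including the terminating NUL.
 * Whenever dir is present a trailing separator is emitted, so that byte is
 * reserved even when file is NULL (the case the old computation missed). */
size_t joined_size(const path_split *p)
{
    size_t n = 1;                           /* NUL */
    if (p->dir != NULL)
        n += strlen(p->dir) + 1;            /* dir plus the separator */
    if (p->file != NULL)
        n += strlen(p->file);
    return n;
}

/* Joins into a freshly allocated buffer of exactly joined_size() bytes, so any
 * mismatch between the size rule and the writer would overflow by one byte.
 * Returns NULL on allocation failure; the caller frees the result. */
char *join_path(const path_split *p)
{
    size_t size = joined_size(p);
    char *out = malloc(size);
    size_t pos = 0;

    if (out == NULL)
        return NULL;
    if (p->dir != NULL) {
        size_t dl = strlen(p->dir);
        memcpy(out + pos, p->dir, dl);
        pos += dl;
        out[pos++] = '\\';                  /* always emitted with a dir */
    }
    if (p->file != NULL) {
        size_t fl = strlen(p->file);
        memcpy(out + pos, p->file, fl);
        pos += fl;
    }
    out[pos] = '\0';
    return out;
}

/* Returns 1 when, for every shape, the written string uses exactly the
 * reserved bytes (strlen + NUL == joined_size). */
int join_sizes_consistent(void)
{
    const path_split cases[3] = {
        { "C:\\lib", "engine.dll" },
        { "C:\\lib", NULL },
        { NULL, "engine.dll" },
    };
    size_t i;

    for (i = 0; i < 3; i++) {
        char *s = join_path(&cases[i]);
        int ok = s != NULL && strlen(s) + 1 == joined_size(&cases[i]);
        free(s);
        if (!ok)
            return 0;
    }
    return 1;
}

/* Length of the dir-only result "C:\lib\" (7 characters), the case that used
 * to be under-allocated by one byte. */
int dir_only_joined_len(void)
{
    const path_split p = { "C:\\lib", NULL };
    char *s = join_path(&p);
    int len = s != NULL ? (int)strlen(s) : -1;
    free(s);
    return len;
}
```

Keeping the size rule and the writer side by side, and testing that they agree for every combination of optional parts, is the cheapest way to catch this class of off-by-one.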
As these are public by necessity, we may as well allow folks
to use them to selectively disable deprecation warnings if they
wish to temporarily use deprecated functions in limited locations
in their code.
Complements: 4036f4b0e324 "Add new public API for checking certificate times."
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 09:22:58 2026
(Merged from https://github.com/openssl/openssl/pull/31270)
crypto/objects/obj_dat.c: return strlcpy result in OBJ_obj2txt()
strlcpy() (and OPENSSL_strlcpy() after it) returns the length
of the input string as a result, don't throw it away just to calculate
it once again on return.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Tue May 26 08:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/31226)
mat [Wed, 29 Apr 2026 06:09:24 +0000 (09:09 +0300)]
test: add regression test for ciphersuite_cb() with empty list elements
Cover the three cases where CONF_parse_list() produces a NULL/empty
element: leading separator, trailing separator, and consecutive
separators (double colon). Before the fix these would crash via a
NULL memcpy inside ciphersuite_cb().
Each case also verifies via SSL_CTX_get_ciphers() that the valid
ciphersuite(s) in the same string were actually applied, not just
that the call returned without crashing.
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 08:56:53 2026
(Merged from https://github.com/openssl/openssl/pull/31023)
mat [Wed, 29 Apr 2026 06:08:44 +0000 (09:08 +0300)]
ssl: guard ciphersuite_cb() against NULL elem from CONF_parse_list
CONF_parse_list() invokes its callback with elem=NULL and len=0 for
empty list elements (e.g. consecutive separators like "A::B").
ciphersuite_cb() passed elem directly to memcpy() without checking for
NULL, triggering undefined behaviour on any input containing an empty
ciphersuite token.
Skip empty elements early by returning 1 before any pointer dereference.
Fixes #30919
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 08:56:52 2026
(Merged from https://github.com/openssl/openssl/pull/31023)
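The callback contract and the guard from the two ciphersuite_cb() commits above, as an added C example that is not OpenSSL's CONF_parse_list() or ssl code: a constructed list parser hands each element to a callback and, for an empty element, calls it with elem == NULL and len == 0 exactly as the commit describes; the callback returns 1 early on such elements before any pointer dereference. The counting function covers the leading, trailing and doubled separator cases named in the regression test. The parser, the accumulator type and the ciphersuite names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed parser with the callback contract the commit describes for
 * CONF_parse_list(): every element between separators goes to the callback,
 * and an empty element arrives as elem == NULL with len == 0. */
typedef int (*list_cb)(const char *elem, size_t len, void *arg);

int parse_list(const char *list, char sep, list_cb cb, void *arg)
{
    const char *p = list;

    for (;;) {
        const char *end = strchr(p, sep);
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        int ret = len == 0 ? cb(NULL, 0, arg) : cb(p, len, arg);

        if (ret <= 0)
            return ret;                    /* callback rejected the list */
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Accumulator for the names the callback accepts. */
typedef struct {
    char names[8][32];
    size_t count;
} suite_list;

/* Guarded callback: the early "return 1" on an empty element is the fix; the
 * memcpy below would otherwise run with a NULL source pointer. */
static int suite_cb(const char *elem, size_t len, void *arg)
{
    suite_list *sl = arg;

    if (elem == NULL || len == 0)
        return 1;                          /* skip, keep parsing */
    if (len >= sizeof(sl->names[0]) || sl->count >= 8)
        return 0;                          /* too long or too many: reject */
    memcpy(sl->names[sl->count], elem, len);
    sl->names[sl->count][len] = '\0';
    sl->count++;
    return 1;
}

/* Parses a colon-separated list and returns the number of valid names that
 * were applied, or -1 if the list was rejected. */
int count_applied_suites(const char *list)
{
    suite_list sl;

    memset(&sl, 0, sizeof(sl));
    if (parse_list(list, ':', suite_cb, &sl) <= 0)
        return -1;
    return (int)sl.count;
}

int main(void)
{
    const char *inputs[] = {
        "TLS_AES_128_GCM_SHA256::TLS_AES_256_GCM_SHA384",   /* doubled separator */
        ":TLS_AES_128_GCM_SHA256",                          /* leading separator */
        "TLS_AES_128_GCM_SHA256:",                          /* trailing separator */
    };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-48s -> %d applied\n", inputs[i], count_applied_suites(inputs[i]));
    return 0;
}
```

Note that the callback reports the skipped element as success (1) rather than failure (0): the commit's intent is that an empty token is ignored and the valid names around it are still applied, which the counts confirm.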
Bob Beck [Sat, 16 May 2026 16:34:52 +0000 (10:34 -0600)]
Make IPAddressFamily_cmp safe for 0 length objects with NULL data.
Found while adjusting the fuzzer to test for the requirement to
add NUL bytes on the end of ASN1 Strings. If we end up with a 0
length object here we can end up in a crash with memcmp.
This makes this cmp function test comparison like our others
that are 0 length object safe.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 26 08:51:35 2026
(Merged from https://github.com/openssl/openssl/pull/31201)
d2i_* docs: clarify how reuse is used, and how to set libctx and propq
Also removed the BUGS section.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu May 21 09:14:32 2026
(Merged from https://github.com/openssl/openssl/pull/28456)
Jakub Zelenka [Tue, 12 May 2026 18:27:38 +0000 (20:27 +0200)]
Add mfail test for ossl_ht_free
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:09:37 2026
(Merged from https://github.com/openssl/openssl/pull/31237)
Jakub Zelenka [Tue, 19 May 2026 10:02:28 +0000 (12:02 +0200)]
Optimize hashtable without rcu freeing
It is not necessary to flush table for hash tables without rcu.
This is follow up to https://github.com/openssl/openssl/pull/31163
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:09:36 2026
(Merged from https://github.com/openssl/openssl/pull/31237)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 09:03:28 2026
(Merged from https://github.com/openssl/openssl/pull/31216)
Jakub Zelenka [Thu, 7 May 2026 20:38:01 +0000 (22:38 +0200)]
Fix null derefs in ossl_quic_new_listener on mfail
This is caused by incorrect err cleanup of the mutex even if ql does not exist
(allocation failed).
It also fixes missing freeing of ports that results in an assertion failure
because the engine port list is not empty.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 08:52:14 2026
(Merged from https://github.com/openssl/openssl/pull/31112)
Bob Beck [Sat, 16 May 2026 17:29:07 +0000 (11:29 -0600)]
fix cmp mock server to not depend on NUL bytes in ASN1_STRING
The ASN1_STRING documentation states that the behavior of NUL byte addition
should not be depended upon.
The mock server calls strcmp on the bare data from an ASN1_STRING.
This only works if the data is NUL terminated.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Wed May 20 16:01:47 2026
(Merged from https://github.com/openssl/openssl/pull/31202)
Nikola Pajkovsky [Tue, 12 May 2026 06:49:31 +0000 (08:49 +0200)]
stack: use a copy thunk for typed stack deep copies
Typed safestack wrappers pass type-specific copy callbacks such as
TYPE *(*)(const TYPE *) to OPENSSL_sk_deep_copy(). The generic stack code
then called those callbacks through OPENSSL_sk_copyfunc,
void *(*)(const void *), which is an incompatible function pointer type and
triggers UBSan.
Add an OPENSSL_sk_copyfunc_thunk and store it on typed stacks, mirroring the
existing compare/free thunk pattern. Generated safestack helpers now install
a per-type copy thunk when constructing a stack, and internal_copy() uses that
thunk when deep-copying typed stacks. This preserves the generic stack API
while ensuring typed copy callbacks are invoked through their real signature.
Fixes: https://github.com/openssl/project/issues/1951
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:45 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Tue, 12 May 2026 09:32:10 +0000 (11:32 +0200)]
stack: use free thunk when deep copy cleanup fails
internal_copy() used the generic OPENSSL_sk_freefunc directly when a deep
copy failed after copying some elements. For typed stacks, callers pass
type-specific free callbacks that have been cast to OPENSSL_sk_freefunc, so
calling them through the generic function pointer type is undefined behavior.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:43 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Mon, 11 May 2026 13:14:17 +0000 (15:14 +0200)]
stack: sk_<t1>_new_null() constructor is missing the OPENSSL_sk_set_cmp_thunks()
crypto/bsearch.c:33:17: runtime error: call to function int_compare through pointer to incorrect function type 'int (*)(const void *, const void *)'
/home/npajkovsky/openssl/openssl/test/stack_test.c:46: note: int_compare defined here
Fixes: https://github.com/openssl/project/issues/1950
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:41 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Nikola Pajkovsky [Mon, 11 May 2026 09:43:28 +0000 (11:43 +0200)]
evp: avoid function-pointer-type UB in EVP_*_do_all_provided
evp_generic_do_all() invokes its callback through a fixed pointer type
of the form "void (*)(void *method, void *arg)". The public
EVP_*_do_all_provided() wrappers were handing it user callbacks of type
for example:
Calling a function through a pointer whose type does not match the
function's actual definition is undefined behavior in C and is flagged
by UBSan's -fsanitize=function.
Introduce a per-type thunk generated by EVP_DO_ALL_PROVIDED_THUNK that
has the exact signature evp_generic_do_all() expects. The thunk
receives the user's typed callback and arg in a small on-stack struct
and forwards them with the correct types, so every indirect call now
matches the pointee's real prototype.
No functional change intended.
Fixes: https://github.com/openssl/project/issues/1949
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 20 15:53:38 2026
(Merged from https://github.com/openssl/openssl/pull/31151)
Daniel Kubec [Mon, 30 Mar 2026 11:43:41 +0000 (13:43 +0200)]
TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set.
Do not issue TLS 1.3 session tickets if the server has explicitly disabled
them via SSL_OP_NO_TICKET and also disabled the session cache with
SSL_SESS_CACHE_OFF. Together, these settings clearly indicate an intent to
suppress session resumption; sending NewSessionTicket messages in this case
would be wasteful and misleading.
From the server’s perspective, a client that does not advertise
psk_key_exchange_modes in TLS 1.3, or that sends it with RFC 9149 parameters
such as new_session_count = 0 or resumption_count = 0, is effectively
signaling no interest in session tickets or resumption.
RFC 8446 section 4.2.9: Servers MUST NOT select a key exchange mode that is
not listed by the client. This extension also restricts the modes for use
with PSK resumption. Servers SHOULD NOT send NewSessionTicket with tickets
that are not compatible with the advertised modes; however, if a server does
so, the impact will just be that the client's attempts at resumption fail.
Fixes #8077
Signed-off-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 20 15:42:00 2026
(Merged from https://github.com/openssl/openssl/pull/30639)
Weidong Wang [Wed, 18 Mar 2026 11:00:06 +0000 (06:00 -0500)]
Add test for SSL_SESSION leak on ticket abort in tls_parse_ctos_psk()
Add test_ticket_abort_session_leak() to verify that returning
SSL_TICKET_RETURN_ABORT from the decrypt ticket callback during TLS 1.3
resumption does not leak the SSL_SESSION allocated by tls_decrypt_ticket().
This exercises the error path fixed in commit 96f424c439.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:04 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
Weidong Wang [Tue, 17 Mar 2026 17:23:58 +0000 (12:23 -0500)]
Fix SSL_SESSION leak in tls_parse_ctos_psk() on ticket error paths
Two early 'return 0' statements bypass the err: label cleanup that
calls SSL_SESSION_free(sess). When tls_decrypt_ticket() allocates an
SSL_SESSION but the decrypt_ticket_cb returns ABORT, the session is
leaked. Replace 'return 0' with 'goto err' so the existing cleanup
handles it.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:01 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
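The leak shape from the tls_parse_ctos_psk() fix and the test that follows it, as an added C example that is not OpenSSL's code: a function that allocates a session-like object, consults a decrypt-ticket style callback, and on ABORT either returns early (leaking the object) or jumps to the shared err: label (freeing it); on success ownership is handed to the caller and the local pointer is NULLed so the label frees nothing. Allocation counters make the leak measurable. The verdict enum, the session type and the callbacks are constructed stand-ins, not SSL_TICKET_RETURN_ABORT or SSL_SESSION.

```c
#include <stdlib.h>

/* Constructed stand-ins for the decrypt-ticket callback verdicts and a
 * session object with allocation counters; not OpenSSL's types or values. */
enum ticket_verdict { TICKET_OK = 1, TICKET_ABORT = 2 };

typedef struct { int id; } sess_t;
static int g_sess_alloc, g_sess_free;

static sess_t *sess_new(int id)
{
    sess_t *s = malloc(sizeof(*s));
    if (s != NULL) {
        s->id = id;
        g_sess_alloc++;
    }
    return s;
}

static void sess_free(sess_t *s)
{
    if (s != NULL)
        g_sess_free++;
    free(s);
}

typedef enum ticket_verdict (*ticket_cb)(sess_t *sess, void *arg);

/* Shape of the bug: an early "return 0" bypasses the err: cleanup. */
int parse_psk_leaky(ticket_cb cb, void *arg, sess_t **out)
{
    sess_t *sess = sess_new(42);    /* stands in for tls_decrypt_ticket() */

    *out = NULL;
    if (sess == NULL)
        return 0;
    if (cb(sess, arg) == TICKET_ABORT)
        return 0;                   /* BUG: sess is never freed */
    *out = sess;
    return 1;
}

/* Fixed shape: every failure routes through err:, where the session is freed;
 * on success ownership moves to *out and sess is NULLed so err: frees nothing. */
int parse_psk_fixed(ticket_cb cb, void *arg, sess_t **out)
{
    sess_t *sess = sess_new(42);
    int ret = 0;

    *out = NULL;
    if (sess == NULL)
        goto err;
    if (cb(sess, arg) == TICKET_ABORT)
        goto err;                   /* the fix: reuse the existing cleanup */
    *out = sess;
    sess = NULL;
    ret = 1;
 err:
    sess_free(sess);
    return ret;
}

static enum ticket_verdict abort_cb(sess_t *s, void *arg) { (void)s; (void)arg; return TICKET_ABORT; }
static enum ticket_verdict ok_cb(sess_t *s, void *arg) { (void)s; (void)arg; return TICKET_OK; }

/* Runs the callback-abort scenario through one variant (0 = leaky, 1 = fixed)
 * and returns how many sessions were leaked. */
int leaked_sessions(int fixed)
{
    sess_t *out;

    g_sess_alloc = g_sess_free = 0;
    if (fixed)
        parse_psk_fixed(abort_cb, NULL, &out);
    else
        parse_psk_leaky(abort_cb, NULL, &out);
    return g_sess_alloc - g_sess_free;
}

/* Success path of the fixed variant: the caller receives the session and
 * frees it; returns 1 when allocation and free counts match. */
int success_path_balanced(void)
{
    sess_t *out;

    g_sess_alloc = g_sess_free = 0;
    if (parse_psk_fixed(ok_cb, NULL, &out) != 1 || out == NULL || out->id != 42)
        return 0;
    sess_free(out);
    return g_sess_alloc == g_sess_free;
}
```

A single exit label that frees whatever the local still owns, combined with NULLing the local when ownership is transferred, is the pattern that makes "goto err" safe from every failure point, including ones added later.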
Nikola Pajkovsky [Mon, 18 May 2026 07:48:59 +0000 (09:48 +0200)]
fix UB in priority_queue
clang-22 reports UB during test make test V=0 TESTS=test_priority_queue
ssl/priority_queue.c:159:13: runtime error: call to function size_t_compare through pointer to incorrect function type 'int (*)(const void *, const void *)'
/home/npajkovsky/openssl/openssl/test/priority_queue_test.c:28: note: size_t_compare defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ssl/priority_queue.c:159:13
Fixes: https://github.com/openssl/project/issues/1953
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 19 10:43:59 2026
(Merged from https://github.com/openssl/openssl/pull/31209)
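The four stack commits, the EVP_*_do_all_provided() thunk, and the priority_queue fix above all address the same UBSan finding: a typed callback was invoked through a generic function pointer type. The added C example below, which is not OpenSSL's code, shows the thunk pattern on a generic deep-copy routine: the container stores per-type copy and free thunks whose signatures match what it will call, and each thunk casts the stored generic pointer back to the callback's real type before calling it. Converting a function pointer to another function pointer type and back is well-defined in C; only the call through a mismatched type is not, and after this change no such call remains. The container, element type, thunks and callbacks are constructed for illustration and are not OPENSSL_sk_* or safestack internals.

```c
#include <stdlib.h>

/* Generic callback types, as a type-erased container would declare them. */
typedef void *(*generic_copy_fn)(const void *);
typedef void (*generic_free_fn)(void *);

/* Thunk types: exactly the signature the container calls, taking the real
 * typed callback (stored as a generic pointer) as an extra argument. */
typedef void *(*copy_thunk_fn)(generic_copy_fn typed_cb, const void *elem);
typedef void (*free_thunk_fn)(generic_free_fn typed_cb, void *elem);

typedef struct {
    void **data;
    size_t num;
    copy_thunk_fn copy_thunk;   /* installed per element type at construction */
    free_thunk_fn free_thunk;
} generic_stack;

/* Element type and its typed callbacks, as a safestack user would write them. */
typedef struct { int value; } item;

static item *item_dup(const item *src)
{
    item *i = malloc(sizeof(*i));
    if (i != NULL)
        *i = *src;
    return i;
}

static void item_free(item *i) { free(i); }

/* Per-type thunks: the only place the cast happens, and it is a cast back to
 * the callback's true type before the call, so the call is well-defined. */
static void *item_copy_thunk(generic_copy_fn cb, const void *e)
{
    item *(*typed)(const item *) = (item *(*)(const item *))cb;
    return typed((const item *)e);
}

static void item_free_thunk(generic_free_fn cb, void *e)
{
    void (*typed)(item *) = (void (*)(item *))cb;
    typed((item *)e);
}

/* Deep copy that routes both callbacks through the stored thunks, including
 * the free callback on the partial-copy failure path (the second stack commit). */
generic_stack *stack_deep_copy(const generic_stack *src, generic_copy_fn cf, generic_free_fn ff)
{
    generic_stack *dst = calloc(1, sizeof(*dst));
    size_t i;

    if (dst == NULL)
        return NULL;
    dst->copy_thunk = src->copy_thunk;
    dst->free_thunk = src->free_thunk;
    dst->data = calloc(src->num > 0 ? src->num : 1, sizeof(void *));
    if (dst->data == NULL) {
        free(dst);
        return NULL;
    }
    for (i = 0; i < src->num; i++) {
        dst->data[i] = dst->copy_thunk(cf, src->data[i]);
        if (dst->data[i] == NULL) {
            while (i-- > 0)
                dst->free_thunk(ff, dst->data[i]);   /* typed free via thunk */
            free(dst->data);
            free(dst);
            return NULL;
        }
        dst->num++;
    }
    return dst;
}

/* Builds a three-item stack, deep-copies it, verifies each copy is a fresh
 * allocation, and returns the sum of the copied values (1 + 2 + 3 = 6). */
int demo_deep_copy_sum(void)
{
    item a = { 1 }, b = { 2 }, c = { 3 };
    void *elems[3] = { &a, &b, &c };
    generic_stack src = { elems, 3, item_copy_thunk, item_free_thunk };
    generic_stack *dst;
    int sum = 0;
    size_t i;

    dst = stack_deep_copy(&src, (generic_copy_fn)item_dup, (generic_free_fn)item_free);
    if (dst == NULL)
        return -1;
    for (i = 0; i < dst->num; i++) {
        item *it = dst->data[i];
        if (it != src.data[i])          /* must be a distinct copy */
            sum += it->value;
        dst->free_thunk((generic_free_fn)item_free, it);
    }
    free(dst->data);
    free(dst);
    return sum;
}
```

Building with `-fsanitize=function` (clang) is the practical way to confirm the change: the thunked version is silent, while calling `cf` directly inside `stack_deep_copy()` reports the same "call to function through pointer to incorrect function type" diagnostic the commits quote.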
Configure: update $apitable with the recent versions
Fill $apitable with all the major.minor.0 versions up to the current one
in development. Note that while 3.5 hasn't had any APIs deprecated,
it still makes sense to support passing it as an "API level".
Resolves: https://github.com/openssl/openssl/issues/31196
Reported-by: Oliver Roberts <oliver@futaura.co.uk>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue May 19 09:33:49 2026
(Merged from https://github.com/openssl/openssl/pull/31198)
Moryakhin Stas [Wed, 13 May 2026 13:06:34 +0000 (16:06 +0300)]
Fix app param memory cleaning
Fixes #31149
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31170)
Its last actual user was removed in 1620a2e49c77 "Fix dtls_query_mtu
so that it will always either complete with an mtu that is at least
the minimum or it will fail.", and the only remaining user,
dtls1_link_min_mtu(), just returns its last element unconditionally.
Remove g_probable_mtu and convert dtls1_link_min_mtu into a static const
containing the value.
Complements: 1620a2e49c77 "Fix dtls_query_mtu so that it will always either complete with an mtu that is at least the minimum or it will fail."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon May 18 11:09:52 2026
(Merged from https://github.com/openssl/openssl/pull/31175)
Abel Tom [Wed, 13 May 2026 16:18:45 +0000 (18:18 +0200)]
OBJ_bsearch_ex_(): Fix const qualifier warning with CHARSET_EBCDIC
Fixes #31161
When building with CHARSET_EBCDIC defined, the compiler warns about
discarding the 'const' qualifier when assigning from base_[i * size]
to the non-const pointer p1:
`warning: assignment discards 'const' qualifier from pointer target type`
Change p1 from 'char *' to 'const char *' to maintain const-correctness
since the data being pointed to should not be modified through this
pointer.
Additionally, remove the unused variables l and h that were left over
from a previous implementation of the fallback linear search. These
variables served no purpose and only generated unused variable warnings.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/31173)
Jakub Zelenka [Thu, 7 May 2026 17:13:30 +0000 (19:13 +0200)]
Fix UAF if QUIC channel init fails
This happens because the port does not get reset on the first freeing in
the channel block, so when it is freed again in ossl_quic_new, it
tries to access an item in the port.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 10:50:23 2026
(Merged from https://github.com/openssl/openssl/pull/31109)
Norbert Pocs [Wed, 13 May 2026 14:10:55 +0000 (16:10 +0200)]
Use valid DH peer pubkey in the KAT tests
Co-authored-by: Viktor Dukhovni <viktor@openssl.org>
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:34:16 2026
(Merged from https://github.com/openssl/openssl/pull/31171)
test/mem_alloc_test.c: fix my_malloc/my_realloc behaviour on size == 0
That puts them more in line with CRYPTO_malloc() and CRYPTO_realloc()
behaviour, whose behaviour for the requested size of 0 is well-documented
and not "implementation-defined", as POSIX allows.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:49 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
test/mem_alloc_test.c: increase alloc size for triggering OOM malloc failure
While half of the address space is enough to make malloc() fail on
kernels of the same bitness, 32-bit compat can have enough to accommodate
such a request, and even three fourths of the address space. Bump
the requested size closer to the type's upper limit.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:48 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:27:55 2026
(Merged from https://github.com/openssl/openssl/pull/31022)
Jakub Zelenka [Mon, 11 May 2026 15:57:16 +0000 (17:57 +0200)]
Extend and separate mfail test framework
Separate the mfail framework so it can be used beyond testutil.
Specifically, this is a step toward using it in fuzzing.
This change also improves the way mfail tests are executed. It first
counts the number of allocations and then iterates through them.
This has a couple of advantages:
- It allows removal of MFAIL_SLOW_TEST by identifying slow tests based
on the number of allocations.
- It allows non-failing tests to be ignored.
In addition, it adds a new environment variable to print a backtrace on
memory failure.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:23:52 2026
(Merged from https://github.com/openssl/openssl/pull/31144)
Norbert Pocs [Thu, 7 May 2026 14:00:10 +0000 (16:00 +0200)]
providers/implementation: Generate header includes for .inc files
Make these headers self-contained even though they are .inc files. This
approach makes it a lot easier to achieve self-contained files and
protects against include reorders (where the .inc can get above the
dependent headers).
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:48 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
Norbert Pocs [Tue, 5 May 2026 10:36:23 +0000 (12:36 +0200)]
a_strnid: put includes together
clang-tidy calculates where to place the headers to be added. The
maximum is the latest include present in the file. Therefore the
algorithm sometimes adds the includes wrongly in the middle of the
file.
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:47 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ECX keys
ossl_ecx_key_free is declared as void(ECX_KEY *) but registered
directly in the X25519/X448/Ed25519/Ed448 keymgmt OSSL_DISPATCH
tables for OSSL_FUNC_KEYMGMT_FREE, which is invoked through a
void(*)(void *) pointer in evp_keymgmt_freedata. Calling a function
through a pointer to an incompatible function type is undefined
behavior and is reported by UndefinedBehaviorSanitizer on every
ECX key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ecx_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ec/ecx_key.c:65: note: ossl_ecx_key_free defined here
All four algorithms share the same MAKE_KEYMGMT_FUNCTIONS dispatch
macro, so they hit the same UB; UBSan just deduplicates the report
on the first call.
Mirror the wrapper pattern used by ml_kem_free_key, ml_dsa_free_key,
slh_dsa_free_key, dsa_freedata, ec_freedata, and lms_free_key: add
a small static ecx_free_key with the correct OSSL_FUNC_keymgmt_free_fn
signature that forwards to ossl_ecx_key_free, and register the
wrapper in the dispatch macro. The existing direct callers of
ossl_ecx_key_free in ecx_kmgmt.c are unchanged since they pass a
typed ECX_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:58 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ML-KEM keys
ossl_ml_kem_key_free is declared as void(ML_KEM_KEY *) but registered
directly in the ML-KEM keymgmt OSSL_DISPATCH table for
OSSL_FUNC_KEYMGMT_FREE, which is invoked through a void(*)(void *)
pointer in evp_keymgmt_freedata. Calling a function through a pointer
to an incompatible function type is undefined behavior and is
reported by UndefinedBehaviorSanitizer on every ML-KEM key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ml_kem_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ml_kem/ml_kem.c:1751: note: ossl_ml_kem_key_free defined here
Mirror the wrapper pattern used by ml_dsa_free_key, slh_dsa_free_key,
dsa_freedata, ec_freedata, and lms_free_key: add a small static
ml_kem_free_key with the correct OSSL_FUNC_keymgmt_free_fn signature
that forwards to ossl_ml_kem_key_free, and register the wrapper in
the dispatch table. The existing direct callers of
ossl_ml_kem_key_free in ml_kem_kmgmt.c are unchanged since they pass
a typed ML_KEM_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:57 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
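The wrapper pattern described in the two commits above (ECX and ML-KEM), as an added, self-contained illustration that is not OpenSSL's code: DEMO_KEY, demo_key_free, demo_free_key and the demo_ dispatch table are hypothetical stand-ins for the typed key, its typed destructor, the OSSL_FUNC_keymgmt_free_fn-shaped wrapper and the OSSL_DISPATCH row.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a typed key such as ECX_KEY or ML_KEM_KEY. */
typedef struct demo_key_st { int id; } DEMO_KEY;
static int demo_keys_freed; /* lets a test observe that the typed free ran */

/* Typed destructor, the analogue of ossl_ecx_key_free(ECX_KEY *). */
static void demo_key_free(DEMO_KEY *key)
{
    if (key == NULL)
        return;
    free(key);
    demo_keys_freed++;
}

/* Slot type with the shape of OSSL_FUNC_keymgmt_free_fn: void (void *). */
typedef void (*demo_keymgmt_free_fn)(void *keydata);

/*
 * Wrapper with exactly the slot's signature. Registering demo_key_free
 * directly and invoking it through a demo_keymgmt_free_fn is undefined
 * behaviour (call through an incompatible function type) even though both
 * take a single pointer; the pointer conversion belongs here instead.
 */
static void demo_free_key(void *keydata)
{
    demo_key_free((DEMO_KEY *)keydata);
}

/* Minimal dispatch row, standing in for an OSSL_DISPATCH entry. */
#define DEMO_FUNC_KEYMGMT_FREE 1
typedef struct { int function_id; demo_keymgmt_free_fn fn; } demo_dispatch;
static const demo_dispatch demo_keymgmt_table[] = {
    { DEMO_FUNC_KEYMGMT_FREE, demo_free_key }, /* the wrapper, not demo_key_free */
    { 0, NULL }
};

/* Mirrors evp_keymgmt_freedata: find the slot, call through void (*)(void *). */
static int demo_keymgmt_freedata(void *keydata)
{
    const demo_dispatch *d;

    for (d = demo_keymgmt_table; d->fn != NULL; d++) {
        if (d->function_id == DEMO_FUNC_KEYMGMT_FREE) {
            d->fn(keydata);
            return 1;
        }
    }
    return 0;
}

/* Allocates one key, releases it via dispatch; returns keys freed so far or -1. */
static int demo_roundtrip(void)
{
    DEMO_KEY *key = calloc(1, sizeof(*key));

    if (key == NULL)
        return -1;
    key->id = 25519; /* constructed value */
    return demo_keymgmt_freedata(key) ? demo_keys_freed : -1;
}
```

Built with -fsanitize=undefined (which includes the function-type check on clang), the direct registration the commits remove would be reported at the d->fn(keydata) call, whereas the wrapper is silent.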
Tomas Mraz [Tue, 12 May 2026 12:39:06 +0000 (14:39 +0200)]
Use CRYPTO_memcmp() when comparing the private keys
ML-DSA and SLH-DSA used regular memcmp; use CRYPTO_memcmp()
just in case.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Thu May 14 09:29:14 2026
(Merged from https://github.com/openssl/openssl/pull/31155)
Jakub Zelenka [Tue, 12 May 2026 17:36:34 +0000 (19:36 +0200)]
Fix memleak in hashtable free if flush fails
This happens because free_oldmd is not run when flush fails
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 14 09:26:11 2026
(Merged from https://github.com/openssl/openssl/pull/31163)
Remove trailing whitespace to address the following find-doc-nits
warnings:
WARNING: line containing nothing but whitespace in paragraph at line 65 in file doc/man7/EVP_CIPHER-DES.pod
WARNING: line containing nothing but whitespace in paragraph at line 69 in file doc/man7/EVP_CIPHER-DES.pod
Fixes: 5ff19a7297ea "docs: Document required output buffer length in EVP_CIPHER-DES"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Thu May 14 09:24:31 2026
(Merged from https://github.com/openssl/openssl/pull/31141)
PR #27706 (that this PR reverts) was intended to fix nginx/nginx#711.
The problem was that when calling SSL_set_SSL_CTX() from an SNI callback
when using a QUIC object, the QUIC custom extensions were not being
handled correctly. The fix attempted to resolve this to make sure that
they were correctly being copied.
However, in reality there was a bug in the SNI callback code that meant when
we called it from a QUIC connection we were passing the *inner* TLS
object instead of the real QUIC one. The *inner* TLS object should be
entirely internal and not exposed to user callbacks. This bug was fixed in dc84829cc5.
Once the above fix was in place `SSL_set_SSL_CTX()` immediately fails when
called with a QUIC object via the SNI callback. This was always the
intended behaviour - its use with a QUIC object was blocked since the very
beginning - but the fact that we passed the inner TLS object by mistake
circumvented the check when it was invoked from the SNI callback.
The fix in dc84829cc5 actually landed *before* the commit that this PR
reverts. So, in reality the nginx bug was already "fixed" by the time
that PR #27706 was merged (fixed in the sense that the invocation of
`SSL_set_SSL_CTX()` fails gracefully). The code that it introduced cannot
be reached (and never could be) because calling `SSL_set_SSL_CTX()` is
explicitly blocked when using a QUIC object. Therefore we should remove
this dead code.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 13 16:23:24 2026
(Merged from https://github.com/openssl/openssl/pull/31159)
Tomas Mraz [Wed, 13 May 2026 08:39:14 +0000 (10:39 +0200)]
test/ffc_internal_test.c: The ffc_params_copy_mfail test needs DSA enabled
Instead of having it disabled with no-dh, we need to disable it
with no-dsa.
Fixes: df53ee4fa00b "Add mfail test for ossl_ffc_params_copy"
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 09:46:34 2026
(Merged from https://github.com/openssl/openssl/pull/31168)
Matt Caswell [Tue, 21 Apr 2026 16:34:55 +0000 (17:34 +0100)]
Treat an unknown PSK identity the same way as a binder validation failure
Doing things this way removes the possibility of an attacker probing for
valid PSK identities as described in Appendix E.6 of RFC8446. This only
makes a difference in a PSK-only server configuration. The signal will still
exist if the server can fall back to a full handshake.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 07:38:32 2026
(Merged from https://github.com/openssl/openssl/pull/31026)
Daniel Kubec [Tue, 10 Mar 2026 16:44:58 +0000 (17:44 +0100)]
CRL: Refactoring and tests for extensions, entries, and serial number duplicates
Refactoring and added tests for extensions, entries, and serial number
duplicates. The tests intentionally reflect the current behavior and existing
error states, which are not always clearly distinguished (e.g., duplicate
extensions vs. parsing errors). This serves as a baseline; follow-up work may
improve error handling or explicitly mark some cases as wontfix.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Wed May 13 07:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30349)
port_make_channel() builds an incoming QUIC channel in stages: allocate
the channel, create the user SSL and inner TLS objects, optionally copy
qlog state, then initialise the channel. Under the mfail allocator,
failures in the middle of that sequence could leave ownership split
between the partially-created channel and the user SSL, leaking
allocations from ossl_quic_channel_alloc().
Make port_new_handshake_layer() return the created user SSL to
port_make_channel() and detach the borrowed channel before cleaning up
its own failures. port_make_channel() now owns the error path: it
detaches any created user SSL from the channel, frees the channel exactly
once according to whether channel initialisation already ran cleanup, and
then frees the user SSL.
Also make QUIC stream map cleanup tolerate a NULL map during partial
channel cleanup, and add a focused mfail regression test for
ossl_quic_port_create_incoming().
Fixes: https://github.com/openssl/openssl/issues/31014
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue May 12 12:01:04 2026
(Merged from https://github.com/openssl/openssl/pull/31038)
quic: check lh_QUIC_STREAM_new() return value in stream_map_init
ossl_quic_stream_map_init() did not check whether lh_QUIC_STREAM_new()
succeeded. On allocation failure qsm->map would be NULL and subsequent
operations on the stream map would dereference it.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue May 12 12:01:02 2026
(Merged from https://github.com/openssl/openssl/pull/31038)
Bob Beck [Wed, 15 Apr 2026 19:31:42 +0000 (13:31 -0600)]
Deprecate the ASN1_BIT_STRING name related functions.
These seem to have been from something long long ago
that nothing uses anymore. It seems like this is just something
we should not be doing in this way.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon May 11 09:23:13 2026
(Merged from https://github.com/openssl/openssl/pull/30853)
Harry Betts [Sat, 9 May 2026 06:54:52 +0000 (16:54 +1000)]
Fix OOB read in EC_GROUP_new_from_params() with zero-length generator
When OSSL_PKEY_PARAM_EC_GENERATOR is provided as an octet string of
length 0, buf[0] is read before validating data_size, causing a
heap-buffer-overflow detectable under ASan.
Reject zero-length generator octet strings before the dereference.
CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/31125
Fixes: c0f39ded68ba "Add Explicit EC parameter support to providers."
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon May 11 08:34:15 2026
(Merged from https://github.com/openssl/openssl/pull/31128)
Jakub Zelenka [Tue, 5 May 2026 17:56:34 +0000 (19:56 +0200)]
Add various MFAIL tests to exercise ht insert
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 11 08:21:56 2026
(Merged from https://github.com/openssl/openssl/pull/31092)
Jakub Zelenka [Tue, 5 May 2026 17:50:11 +0000 (19:50 +0200)]
Fix ignored call in ossl_rcu_call when cb item alloc fails
Currently, when allocation of the cb item fails, the actual cb function is
not called. This is used just in the hashtable, when the cb function frees
the old item, which results in a memory leak.
To fix this, the allocation needs to be separated and happen before the
assign operation is done.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 11 08:21:55 2026
(Merged from https://github.com/openssl/openssl/pull/31092)
Jakub Zelenka [Fri, 8 May 2026 14:42:01 +0000 (16:42 +0200)]
Add mfail test for new BIO dgram mem
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon May 11 08:09:16 2026
(Merged from https://github.com/openssl/openssl/pull/31121)
Reject CR and LF characters before serializing request lines and HTTP
headers. This prevents malformed URL or caller-supplied components
from altering the generated HTTP request.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Mon May 11 07:44:19 2026
(Merged from https://github.com/openssl/openssl/pull/31100)
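The check described in the commit above, as an added illustration that is not OpenSSL's HTTP client code: a guard that rejects CR or LF in any caller-supplied component before the request line and header are serialized, so a component can never terminate a line early and introduce a header of its own. http_component_ok and build_request are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when s is non-NULL and contains neither CR nor LF, else 0. */
static int http_component_ok(const char *s)
{
    return s != NULL && strpbrk(s, "\r\n") == NULL;
}

/*
 * Serialize "METHOD path HTTP/1.0" plus one header into out. Every
 * caller-supplied component is validated first, so the line structure of
 * the output is produced only by this function's own CRLFs. Returns the
 * serialized length, or -1 when a component is rejected or out is too small.
 */
static int build_request(char *out, size_t outlen, const char *method,
                         const char *path, const char *hname, const char *hval)
{
    int n;

    if (!http_component_ok(method) || !http_component_ok(path)
        || !http_component_ok(hname) || !http_component_ok(hval))
        return -1;
    n = snprintf(out, outlen, "%s %s HTTP/1.0\r\n%s: %s\r\n\r\n",
                 method, path, hname, hval);
    if (n < 0 || (size_t)n >= outlen)
        return -1; /* truncated output is treated as a failure, not sent */
    return n;
}
```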
Jakub Zelenka [Wed, 6 May 2026 16:22:47 +0000 (18:22 +0200)]
Fix memleak in ossl_ffc_params_copy if alloc fails
If allocation fails in ossl_ffc_params_copy, then the params that were
previously allocated are not freed. This results in a memory leak.
Fixes: dc8de3e6f1ee "Modify DSA and DH keys to use a shared FFC_PARAMS struct"
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon May 11 07:21:45 2026
(Merged from https://github.com/openssl/openssl/pull/31098)