Daniel Kubec [Mon, 30 Mar 2026 11:43:41 +0000 (13:43 +0200)]
TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set.
Do not issue TLS 1.3 session tickets if the server has explicitly disabled
them via SSL_OP_NO_TICKET and also disabled the session cache with
SSL_SESS_CACHE_OFF. Together, these settings clearly indicate an intent to
suppress session resumption; sending NewSessionTicket messages in this case
would be wasteful and misleading.
From the server’s perspective, a client that does not advertise
psk_key_exchange_modes in TLS 1.3, or that sends it with RFC 9149 parameters
such as new_session_count = 0 or resumption_count = 0, is effectively
signaling no interest in session tickets or resumption.
RFC 8446 section 4.2.9: Servers MUST NOT select a key exchange mode that is
not listed by the client. This extension also restricts the modes for use
with PSK resumption. Servers SHOULD NOT send NewSessionTicket with tickets
that are not compatible with the advertised modes; however, if a server does
so, the impact will just be that the client's attempts at resumption fail.
Fixes #8077
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 20 15:42:00 2026
(Merged from https://github.com/openssl/openssl/pull/30639)
Weidong Wang [Wed, 18 Mar 2026 11:00:06 +0000 (06:00 -0500)]
Add test for SSL_SESSION leak on ticket abort in tls_parse_ctos_psk()
Add test_ticket_abort_session_leak() to verify that returning
SSL_TICKET_RETURN_ABORT from the decrypt ticket callback during TLS 1.3
resumption does not leak the SSL_SESSION allocated by tls_decrypt_ticket().
This exercises the error path fixed in commit 96f424c439.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:04 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
Weidong Wang [Tue, 17 Mar 2026 17:23:58 +0000 (12:23 -0500)]
Fix SSL_SESSION leak in tls_parse_ctos_psk() on ticket error paths
Two early 'return 0' statements bypass the err: label cleanup that
calls SSL_SESSION_free(sess). When tls_decrypt_ticket() allocates an
SSL_SESSION but the decrypt_ticket_cb returns ABORT, the session is
leaked. Replace 'return 0' with 'goto err' so the existing cleanup
handles it.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:01 2026
(Merged from https://github.com/openssl/openssl/pull/30464)
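The early-return leak described in the commit above, reduced to a single error path. This is an added example, not OpenSSL code: every `toy_`/`TOY_` name is hypothetical, and a fixed pool stands in for heap allocation so that a session left allocated shows up as a count.

```c
#include <stddef.h>

enum { TOY_TICKET_OK = 0, TOY_TICKET_ABORT = 1 };  /* hypothetical callback verdicts */

typedef struct { int in_use; } TOY_SESSION;

static TOY_SESSION toy_pool[4];                    /* constructed stand-in for the heap */

static TOY_SESSION *toy_session_new(void)
{
    size_t i;

    for (i = 0; i < sizeof(toy_pool) / sizeof(toy_pool[0]); i++)
        if (!toy_pool[i].in_use) {
            toy_pool[i].in_use = 1;
            return &toy_pool[i];
        }
    return NULL;
}

static void toy_session_free(TOY_SESSION *s)       /* accepts NULL */
{
    if (s != NULL)
        s->in_use = 0;
}

static int toy_live_sessions(void)
{
    size_t i;
    int n = 0;

    for (i = 0; i < sizeof(toy_pool) / sizeof(toy_pool[0]); i++)
        n += toy_pool[i].in_use;
    return n;
}

static void toy_pool_reset(void)
{
    size_t i;

    for (i = 0; i < sizeof(toy_pool) / sizeof(toy_pool[0]); i++)
        toy_pool[i].in_use = 0;
}

/* Stand-in for the decrypt step: the session is allocated first, then the
 * callback's verdict is reported, so ABORT arrives with *psess already set. */
static int toy_decrypt_ticket(int cb_result, TOY_SESSION **psess)
{
    *psess = toy_session_new();
    return cb_result;
}

/* 'Before' shape: the early return skips the err: cleanup. */
static int parse_psk_leaky(int cb_result, TOY_SESSION **out)
{
    TOY_SESSION *sess = NULL;

    if (toy_decrypt_ticket(cb_result, &sess) == TOY_TICKET_ABORT)
        return 0;                                  /* sess is still allocated */
    if (sess == NULL)
        goto err;
    *out = sess;                                   /* ownership moves to the caller */
    return 1;
 err:
    toy_session_free(sess);
    return 0;
}

/* 'After' shape: every failure leaves through the one cleanup label. */
static int parse_psk_fixed(int cb_result, TOY_SESSION **out)
{
    TOY_SESSION *sess = NULL;

    if (toy_decrypt_ticket(cb_result, &sess) == TOY_TICKET_ABORT)
        goto err;
    if (sess == NULL)
        goto err;
    *out = sess;
    return 1;
 err:
    toy_session_free(sess);
    return 0;
}

/* Sessions still allocated after an ABORT on each variant. */
int demo_abort_leaky(void)
{
    TOY_SESSION *s = NULL;

    toy_pool_reset();
    (void)parse_psk_leaky(TOY_TICKET_ABORT, &s);
    return toy_live_sessions();
}

int demo_abort_fixed(void)
{
    TOY_SESSION *s = NULL;

    toy_pool_reset();
    (void)parse_psk_fixed(TOY_TICKET_ABORT, &s);
    return toy_live_sessions();
}
```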
Nikola Pajkovsky [Mon, 18 May 2026 07:48:59 +0000 (09:48 +0200)]
fix UB in priority_queue
clang-22 reports UB during test make test V=0 TESTS=test_priority_queue
ssl/priority_queue.c:159:13: runtime error: call to function size_t_compare through pointer to incorrect function type 'int (*)(const void *, const void *)'
/home/npajkovsky/openssl/openssl/test/priority_queue_test.c:28: note: size_t_compare defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ssl/priority_queue.c:159:13
Fixes: https://github.com/openssl/project/issues/1953 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 19 10:43:59 2026
(Merged from https://github.com/openssl/openssl/pull/31209)
Configure: update $apitable with the recent versions
Fill $apitable with all the major.minor.0 versions up to the current one
in development. Note that while 3.5 hasn't had any APIs deprecated,
it still makes sense to support passing it as an "API level".
Resolves: https://github.com/openssl/openssl/issues/31196 Reported-by: Oliver Roberts <oliver@futaura.co.uk> Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue May 19 09:33:49 2026
(Merged from https://github.com/openssl/openssl/pull/31198)
Moryakhin Stas [Wed, 13 May 2026 13:06:34 +0000 (16:06 +0300)]
Fix app param memory cleaning
Fixes #31149
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31170)
Its last actual user was removed in 1620a2e49c77 "Fix dtls_query_mtu
so that it will always either complete with an mtu that is at least
the minimum or it will fail.", and the only remaining user,
dtls1_link_min_mtu(), just returns its last element unconditionally.
Remove g_probable_mtu and convert dtls1_link_min_mtu into a static const
containing the value.
Complements: 1620a2e49c77 "Fix dtls_query_mtu so that it will always either complete with an mtu that is at least the minimum or it will fail." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon May 18 11:09:52 2026
(Merged from https://github.com/openssl/openssl/pull/31175)
Abel Tom [Wed, 13 May 2026 16:18:45 +0000 (18:18 +0200)]
OBJ_bsearch_ex_(): Fix const qualifier warning with CHARSET_EBCDIC
Fixes #31161
When building with CHARSET_EBCDIC defined, the compiler warns about
discarding the 'const' qualifier when assigning from base_[i * size]
to the non-const pointer p1:
`warning: assignment discards 'const' qualifier from pointer target type`
Change p1 from 'char *' to 'const char *' to maintain const-correctness
since the data being pointed to should not be modified through this
pointer.
Additionally, remove the unused variables l and h that were left over
from a previous implementation of the fallback linear search. These
variables served no purpose and only generated unused variable warnings.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 11:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/31173)
Jakub Zelenka [Thu, 7 May 2026 17:13:30 +0000 (19:13 +0200)]
Fix UAF if QUIC channel init fails
This happens because port does not get reset on the first freeing in
channel block so when it is being freed again in ossl_quic_new, it
tries to access item in port.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 10:50:23 2026
(Merged from https://github.com/openssl/openssl/pull/31109)
Norbert Pocs [Wed, 13 May 2026 14:10:55 +0000 (16:10 +0200)]
Use valid DH peer pubkey in the KAT tests
Co-authored-by: Viktor Dukhovni <viktor@openssl.org> Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:34:16 2026
(Merged from https://github.com/openssl/openssl/pull/31171)
test/mem_alloc_test.c: fix my_malloc/my_realloc behaviour on size == 0
That puts them more in line with CRYPTO_malloc() and CRYPTO_realloc()
behaviour, whose behaviour for the requested size of 0 is well-documented
and not "implementation-defined", as POSIX allows.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:49 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
test/mem_alloc_test.c: increase alloc size for triggering OOM malloc failure
While half of the address space is enough to make malloc() fail on
kernels of the same bitness, 32-bit compat can have enough to accommodate
such a request, and even three fourths of the address space. Bump
the requested size closer to the type's upper limit.
Fixes: d090695101a9 "test: add a sanity test for memory allocation functions" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:30:48 2026
(Merged from https://github.com/openssl/openssl/pull/31158)
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 07:27:55 2026
(Merged from https://github.com/openssl/openssl/pull/31022)
Jakub Zelenka [Mon, 11 May 2026 15:57:16 +0000 (17:57 +0200)]
Extend and separate mfail test framework
Separate the mfail framework so it can be used beyond testutil.
Specifically, this is a step toward using it in fuzzing.
This change also improves the way mfail tests are executed. It first
counts the number of allocations and then iterates through them.
This has a couple of advantages:
- It allows removal of MFAIL_SLOW_TEST by identifying slow tests based
on the number of allocations.
- It allows non-failing tests to be ignored.
In addition, it adds a new environment variable to print a backtrace on
memory failure.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:23:52 2026
(Merged from https://github.com/openssl/openssl/pull/31144)
Norbert Pocs [Thu, 7 May 2026 14:00:10 +0000 (16:00 +0200)]
providers/implementation: Generate header includes for .inc files
Make these headers self contained even as they are .inc files. This
approach makes it a lot easier to achieve self contained files and
protects from include reorders. (where the .inc can get above the
dependent headers)
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:48 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
Norbert Pocs [Tue, 5 May 2026 10:36:23 +0000 (12:36 +0200)]
a_strnid: put includes together
clang-tidy calculates where to place the headers to be added. The
maximum is the latest include present in the file. Therefore the
algorithm sometimes adds the includes wrongly in the middle of the
file.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon May 18 07:03:47 2026
(Merged from https://github.com/openssl/openssl/pull/31153)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ECX keys
ossl_ecx_key_free is declared as void(ECX_KEY *) but registered
directly in the X25519/X448/Ed25519/Ed448 keymgmt OSSL_DISPATCH
tables for OSSL_FUNC_KEYMGMT_FREE, which is invoked through a
void(*)(void *) pointer in evp_keymgmt_freedata. Calling a function
through a pointer to an incompatible function type is undefined
behavior and is reported by UndefinedBehaviorSanitizer on every
ECX key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ecx_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ec/ecx_key.c:65: note: ossl_ecx_key_free defined here
All four algorithms share the same MAKE_KEYMGMT_FUNCTIONS dispatch
macro, so they hit the same UB; UBSan just deduplicates the report
on the first call.
Mirror the wrapper pattern used by ml_kem_free_key, ml_dsa_free_key,
slh_dsa_free_key, dsa_freedata, ec_freedata, and lms_free_key: add
a small static ecx_free_key with the correct OSSL_FUNC_keymgmt_free_fn
signature that forwards to ossl_ecx_key_free, and register the
wrapper in the dispatch macro. The existing direct callers of
ossl_ecx_key_free in ecx_kmgmt.c are unchanged since they pass a
typed ECX_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:58 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
007bsd [Mon, 4 May 2026 17:07:29 +0000 (20:07 +0300)]
Fix function pointer type mismatch when freeing ML-KEM keys
ossl_ml_kem_key_free is declared as void(ML_KEM_KEY *) but registered
directly in the ML-KEM keymgmt OSSL_DISPATCH table for
OSSL_FUNC_KEYMGMT_FREE, which is invoked through a void(*)(void *)
pointer in evp_keymgmt_freedata. Calling a function through a pointer
to an incompatible function type is undefined behavior and is
reported by UndefinedBehaviorSanitizer on every ML-KEM key free:
crypto/evp/keymgmt_meth.c:392:5: runtime error: call to function
ossl_ml_kem_key_free through pointer to incorrect function type
'void (*)(void *)'
crypto/ml_kem/ml_kem.c:1751: note: ossl_ml_kem_key_free defined here
Mirror the wrapper pattern used by ml_dsa_free_key, slh_dsa_free_key,
dsa_freedata, ec_freedata, and lms_free_key: add a small static
ml_kem_free_key with the correct OSSL_FUNC_keymgmt_free_fn signature
that forwards to ossl_ml_kem_key_free, and register the wrapper in
the dispatch table. The existing direct callers of
ossl_ml_kem_key_free in ml_kem_kmgmt.c are unchanged since they pass
a typed ML_KEM_KEY *.
CLA: trivial
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 14 09:31:57 2026
(Merged from https://github.com/openssl/openssl/pull/31078)
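The wrapper pattern that the ECX and ML-KEM commits above describe, as an added example rather than OpenSSL's own code. All `toy_`/`TOY_` names, the table layout and the function id are hypothetical stand-ins for the key type, the dispatch table and the free slot.

```c
#include <stdlib.h>

typedef struct toy_key_st {
    unsigned char priv[32];
    int *freed;                 /* lets the demo observe that the free ran */
} TOY_KEY;

/* Typed internal free routine, the analogue of a void(ECX_KEY *) function. */
static void toy_key_free(TOY_KEY *key)
{
    if (key == NULL)
        return;
    if (key->freed != NULL)
        ++*key->freed;
    free(key);
}

/* Table slots hold a generic function pointer; the dispatcher casts the slot
 * to the signature it expects for that function id and calls through it. */
typedef void (toy_generic_fn)(void);
typedef void (toy_keymgmt_free_fn)(void *keydata);

#define TOY_FUNC_KEYMGMT_FREE 10    /* constructed id */

typedef struct {
    int function_id;
    toy_generic_fn *function;
} TOY_DISPATCH;

/* Wrapper whose type is exactly toy_keymgmt_free_fn. The void * to TOY_KEY *
 * conversion now happens on a data pointer, which is well defined. */
static void toy_free_key(void *keydata)
{
    toy_key_free((TOY_KEY *)keydata);
}

static const TOY_DISPATCH toy_keymgmt_functions[] = {
    /* The undefined variant registers the typed routine directly:
     *     { TOY_FUNC_KEYMGMT_FREE, (toy_generic_fn *)toy_key_free },
     * It usually appears to work, but the call in the demo would then go
     * through a void (*)(void *) pointer to a void (TOY_KEY *) function. */
    { TOY_FUNC_KEYMGMT_FREE, (toy_generic_fn *)toy_free_key },
    { 0, NULL }
};

static toy_keymgmt_free_fn *toy_lookup_free(const TOY_DISPATCH *fns)
{
    for (; fns->function_id != 0; fns++)
        if (fns->function_id == TOY_FUNC_KEYMGMT_FREE)
            return (toy_keymgmt_free_fn *)fns->function;
    return NULL;
}

/* Frees one key through the table. Returns how many times the typed free
 * routine ran, or -1 on setup failure. */
int demo_free_through_dispatch(void)
{
    int freed = 0;
    TOY_KEY *key = calloc(1, sizeof(*key));
    toy_keymgmt_free_fn *fn = toy_lookup_free(toy_keymgmt_functions);

    if (key == NULL || fn == NULL) {
        free(key);
        return -1;
    }
    key->freed = &freed;
    fn(key);                    /* called with the type it was defined with */
    return freed;
}
```

Code that already holds a `TOY_KEY *` keeps calling `toy_key_free()` directly; only the table entry goes through the wrapper.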
Tomas Mraz [Tue, 12 May 2026 12:39:06 +0000 (14:39 +0200)]
Use CRYPTO_memcmp() when comparing the private keys
ML-DSA and SLH-DSA used regular memcmp, use CRYPTO_memcmp()
just in case.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
MergeDate: Thu May 14 09:29:14 2026
(Merged from https://github.com/openssl/openssl/pull/31155)
Jakub Zelenka [Tue, 12 May 2026 17:36:34 +0000 (19:36 +0200)]
Fix memleak in hashtable free if flush fails
This happens because free_oldmd is not run when flush fails
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 14 09:26:11 2026
(Merged from https://github.com/openssl/openssl/pull/31163)
Remove trailing whitespace to address the following find-doc-nits
warnings:
WARNING: line containing nothing but whitespace in paragraph at line 65 in file doc/man7/EVP_CIPHER-DES.pod
WARNING: line containing nothing but whitespace in paragraph at line 69 in file doc/man7/EVP_CIPHER-DES.pod
Fixes: 5ff19a7297ea "docs: Document required output buffer length in EVP_CIPHER-DES" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Thu May 14 09:24:31 2026
(Merged from https://github.com/openssl/openssl/pull/31141)
PR #27706 (that this PR reverts) was intended to fix nginx/nginx#711
The problem was that when calling SSL_set_SSL_CTX() from an SNI callback
when using a QUIC object, the QUIC custom extensions were not being
handled correctly. The fix attempted to resolve this to make sure that
they were correctly being copied.
However, in reality there was a bug in the SNI callback code that meant when
we called it from a QUIC connection we were passing the *inner* TLS
object instead of the real QUIC one. The *inner* TLS object should be
entirely internal and not exposed to user callbacks. This bug was fixed in dc84829cc5.
Once the above fix was in place `SSL_set_SSL_CTX()` immediately fails when
called with a QUIC object via the SNI callback. This was always the
intended behaviour - its use with a QUIC object was blocked since the very
beginning - but the fact that we passed the inner TLS object by mistake
circumvented the check when it was invoked from the SNI callback.
The fix in dc84829cc5 actually landed *before* the commit that this PR
reverts. So, in reality the nginx bug was already "fixed" by the time
that PR #27706 was merged (fixed in the sense that the invocation of
`SSL_set_SSL_CTX()` fails gracefully). The code that it introduced can not
be reached (and never could be) because calling `SSL_set_SSL_CTX()` is
explicitly blocked when using a QUIC object. Therefore we should remove
this dead code.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 13 16:23:24 2026
(Merged from https://github.com/openssl/openssl/pull/31159)
Tomas Mraz [Wed, 13 May 2026 08:39:14 +0000 (10:39 +0200)]
test/ffc_internal_test.c: The ffc_params_copy_mfail test needs DSA enabled
Instead of having it disabled with no-dh, we need to disable it
with no-dsa.
Fixes: df53ee4fa00b "Add mfail test for ossl_ffc_params_copy" Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 09:46:34 2026
(Merged from https://github.com/openssl/openssl/pull/31168)
Matt Caswell [Tue, 21 Apr 2026 16:34:55 +0000 (17:34 +0100)]
Treat an unknown PSK identity the same way as a binder validation failure
Doing things this way removes the possibility of an attacker probing for
valid PSK identities as described in Appendix E.6 of RFC8446. This only
makes a difference in a PSK only server configuration. The signal will still
exist if the server can fall back to a full handshake.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 07:38:32 2026
(Merged from https://github.com/openssl/openssl/pull/31026)
Daniel Kubec [Tue, 10 Mar 2026 16:44:58 +0000 (17:44 +0100)]
CRL: Refactoring and tests for extensions, entries, and serial number duplicates
Refactoring and added tests for extensions, entries, and serial number
duplicates. The tests intentionally reflect the current behavior and existing
error states, which are not always clearly distinguished (e.g., duplicate
extensions vs. parsing errors). This serves as a baseline; follow-up work may
improve error handling or explicitly mark some cases as wontfix.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Wed May 13 07:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30349)
port_make_channel() builds an incoming QUIC channel in stages: allocate
the channel, create the user SSL and inner TLS objects, optionally copy
qlog state, then initialise the channel. Under the mfail allocator,
failures in the middle of that sequence could leave ownership split
between the partially-created channel and the user SSL, leaking
allocations from ossl_quic_channel_alloc().
Make port_new_handshake_layer() return the created user SSL to
port_make_channel() and detach the borrowed channel before cleaning up
its own failures. port_make_channel() now owns the error path: it
detaches any created user SSL from the channel, frees the channel exactly
once according to whether channel initialisation already ran cleanup, and
then frees the user SSL.
Also make QUIC stream map cleanup tolerate a NULL map during partial
channel cleanup, and add a focused mfail regression test for
ossl_quic_port_create_incoming().
Fixes: https://github.com/openssl/openssl/issues/31014 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue May 12 12:01:04 2026
(Merged from https://github.com/openssl/openssl/pull/31038)
quic: check lh_QUIC_STREAM_new() return value in stream_map_init
ossl_quic_stream_map_init() did not check whether lh_QUIC_STREAM_new()
succeeded. On allocation failure qsm->map would be NULL and subsequent
operations on the stream map would dereference it.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue May 12 12:01:02 2026
(Merged from https://github.com/openssl/openssl/pull/31038)
Bob Beck [Wed, 15 Apr 2026 19:31:42 +0000 (13:31 -0600)]
Deprecate the ASN1_BIT_STRING name related functions.
These seem to have been from something long long ago
that nothing uses anymore. It seems like this is just something
we should not be doing in this way.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon May 11 09:23:13 2026
(Merged from https://github.com/openssl/openssl/pull/30853)
Harry Betts [Sat, 9 May 2026 06:54:52 +0000 (16:54 +1000)]
Fix OOB read in EC_GROUP_new_from_params() with zero-length generator
When OSSL_PKEY_PARAM_EC_GENERATOR is provided as an octet string of
length 0, buf[0] is read before validating data_size, causing a
heap-buffer-overflow detectable under ASan.
Reject zero-length generator octet strings before the dereference.
CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/31125 Fixes: c0f39ded68ba "Add Explicit EC parameter support to providers." Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon May 11 08:34:15 2026
(Merged from https://github.com/openssl/openssl/pull/31128)
Jakub Zelenka [Tue, 5 May 2026 17:56:34 +0000 (19:56 +0200)]
Add various MFAIL tests to exercise ht insert
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 11 08:21:56 2026
(Merged from https://github.com/openssl/openssl/pull/31092)
Jakub Zelenka [Tue, 5 May 2026 17:50:11 +0000 (19:50 +0200)]
Fix ignored call in ossl_rcu_call when cb item alloc fails
Currently when allocation of cb item fails, the actual cb function is
not called. This is used just in hashtable when the cb function frees
the old item, which results in a memory leak.
To fix this, the allocation needs to be separated and happen before the
assign operation is done.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 11 08:21:55 2026
(Merged from https://github.com/openssl/openssl/pull/31092)
Jakub Zelenka [Fri, 8 May 2026 14:42:01 +0000 (16:42 +0200)]
Add mfail test for new BIO dgram mem
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon May 11 08:09:16 2026
(Merged from https://github.com/openssl/openssl/pull/31121)
Reject CR and LF characters before serializing request lines and HTTP
headers. This prevents malformed URL or caller supplied components
from altering the generated HTTP request.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Mon May 11 07:44:19 2026
(Merged from https://github.com/openssl/openssl/pull/31100)
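One way to apply the check this commit message describes: validate every component for CR and LF before any byte of the request is written. This is an added example, not the OpenSSL HTTP client code; the `toy_` names, the function signature and the sample host and header values are constructed.

```c
#include <stdio.h>
#include <string.h>

struct toy_header { const char *name; const char *value; };

/* A component is unsafe if it is missing or contains CR or LF. */
static int toy_unsafe(const char *s)
{
    return s == NULL || strpbrk(s, "\r\n") != NULL;
}

/* Serializes a request line plus headers into out. Returns the number of
 * bytes written, or -1 (with out emptied) if any component contains CR/LF
 * or the buffer is too small. Validation runs before any output. */
int toy_http_serialize(char *out, size_t outlen, const char *method,
                       const char *path, const char *host,
                       const struct toy_header *hdrs, size_t nhdrs)
{
    size_t used, i;
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (toy_unsafe(method) || toy_unsafe(path) || toy_unsafe(host))
        return -1;
    for (i = 0; i < nhdrs; i++)
        if (toy_unsafe(hdrs[i].name) || toy_unsafe(hdrs[i].value))
            return -1;

    n = snprintf(out, outlen, "%s %s HTTP/1.1\r\nHost: %s\r\n",
                 method, path, host);
    if (n < 0 || (size_t)n >= outlen)
        goto fail;
    used = (size_t)n;
    for (i = 0; i < nhdrs; i++) {
        n = snprintf(out + used, outlen - used, "%s: %s\r\n",
                     hdrs[i].name, hdrs[i].value);
        if (n < 0 || (size_t)n >= outlen - used)
            goto fail;
        used += (size_t)n;
    }
    n = snprintf(out + used, outlen - used, "\r\n");
    if (n < 0 || (size_t)n >= outlen - used)
        goto fail;
    return (int)(used + (size_t)n);
 fail:
    out[0] = '\0';
    return -1;
}

/* Counts CRLF line terminators in a serialized request. */
static int toy_count_crlf(const char *buf)
{
    int n = 0;

    for (; (buf = strstr(buf, "\r\n")) != NULL; buf += 2)
        n++;
    return n;
}

/* Clean input: request line, Host, one header, blank line = 4 terminators. */
int demo_clean_request(void)
{
    char buf[256];
    const struct toy_header hdrs[] = {
        { "Content-Type", "application/ocsp-request" }
    };

    if (toy_http_serialize(buf, sizeof(buf), "POST", "/ocsp",
                           "ocsp.example.test", hdrs, 1) < 0)
        return -1;
    return toy_count_crlf(buf);
}

/* Three constructed inputs, each carrying CR or LF in a different component;
 * returns how many of them were rejected. */
int demo_rejected_inputs(void)
{
    char buf[256];
    const struct toy_header ok[] = { { "Accept", "text/plain" } };
    const struct toy_header bad[] = { { "Accept", "text/plain\rX: 1" } };
    int rejected = 0;

    rejected += toy_http_serialize(buf, sizeof(buf), "GET", "/a\nb",
                                   "ocsp.example.test", ok, 1) == -1;
    rejected += toy_http_serialize(buf, sizeof(buf), "GET", "/",
                                   "ocsp.example.test\r\nX-Constructed: 1",
                                   ok, 1) == -1;
    rejected += toy_http_serialize(buf, sizeof(buf), "GET", "/",
                                   "ocsp.example.test", bad, 1) == -1;
    return rejected;
}
```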
Jakub Zelenka [Wed, 6 May 2026 16:22:47 +0000 (18:22 +0200)]
Fix memleak in ossl_ffc_params_copy if alloc fails
If allocation fails in ossl_ffc_params_copy, then the params that were
previously allocated are not freed. This results in a memory leak.
Fixes: dc8de3e6f1ee "Modify DSA and DH keys to use a shared FFC_PARAMS struct" Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon May 11 07:21:45 2026
(Merged from https://github.com/openssl/openssl/pull/31098)
Bob Beck [Thu, 7 May 2026 21:30:03 +0000 (15:30 -0600)]
Correct ASN1_STRING_set() behaviour to match the documentation
ASN1_STRING_set() has never promised to call strlen() for other
negative values. Other values here likely indicate an error,
such as an integer overflow. Call strlen() only if the length
provided is -1.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon May 11 00:34:25 2026
(Merged from https://github.com/openssl/openssl/pull/31113)
crypto/evp/evp_lib.c: call va_end() in EVP_PKEY_Q_keygen() on error
Instead of returning NULL immediately, jump to the cleanup at the end
of the function. Reported by Coverity.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1593754 Fixes: 18472994f065 "The EVP_PKEY_Q_keygen function now explicitly handles NULL curve name" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 11 00:28:25 2026
(Merged from https://github.com/openssl/openssl/pull/31107)
quic_channel.c: fix potential memory leak on failure in ossl_quic_channel_alloc
Add missing OPENSSL_free() in error path.
Fixes: 35dc6c353bf "QUIC: Make more transport parameters configurable" Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Mon May 11 00:23:13 2026
(Merged from https://github.com/openssl/openssl/pull/30754)
Bob Beck [Thu, 29 Jan 2026 18:31:40 +0000 (11:31 -0700)]
Deprecate the X509_check_{email,host,ip,ip_asc} family of functions
Our own documentation for quite some time has indicated
that you should call X509_verify_cert() instead of using these.
Actually deprecate them and make apps not use the now deprecated
functions.
Zoey Chapell [Tue, 24 Mar 2026 15:30:52 +0000 (11:30 -0400)]
doc: clarify algorithm discovery in openssl-genpkey.pod.in
Add a reference to 'openssl list -public-key-algorithms' in the
-algorithm description to improve discoverability and long term
consistency. Documentation only change.
Add clarification for how to select the naming output in the correct spot.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun May 10 23:59:03 2026
(Merged from https://github.com/openssl/openssl/pull/30556)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Sun May 10 23:52:21 2026
(Merged from https://github.com/openssl/openssl/pull/29851)
Milan Broz [Mon, 4 May 2026 14:13:27 +0000 (14:13 +0000)]
bn_nist.c: remove unreachable BN_BITS2 == 64
The block in BN_nist_mod_224() is gated by
#if defined(NIST_INT64) && BN_BITS2 != 64
so the #if
#if BN_BITS2 == 64
rp[7] = carry;
#endif
is unreachable. Remove it.
The code is actually a relic of an earlier design where the NIST_INT64
accumulator path was meant for 64-bit too.
Disabling the 64-bit path above with BN_BITS2 != 64 resulted in
#if BN_BITS2 == 64 being left unreachable.
The outer condition is correct, it is meant to be 32-bit only,
otherwise it would need to introduce load_u32/store_lo32 as in other
functions to avoid clang strict-aliasing optimizer issues.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 7 20:11:12 2026
(Merged from https://github.com/openssl/openssl/pull/31076)
Norbert Pocs [Mon, 4 May 2026 13:51:50 +0000 (15:51 +0200)]
Merge .inc files with header
When the .inc is only used once, include the file in place.
Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu May 7 19:30:01 2026
(Merged from https://github.com/openssl/openssl/pull/31075)
Bob Beck [Mon, 9 Mar 2026 20:30:02 +0000 (14:30 -0600)]
Forbid GEN_OTHERNAME SMTP UTF8 email name constraints.
RFC 9598 states:
Certificate Authorities that wish to issue CA certificates with email
address name constraints MUST use rfc822Name subject alternative names
only. These MUST be IDNA2008-conformant names with no mappings and with
non-ASCII domains encoded in A-labels only.
This appears to be to get around the confusion created if someone
attempts to encode a name constraint for an email address into the
UTF-8 version of the name.
Were someone to attempt to support this, not only would you now have
to check two separate sets of name constraints for the same thing, but
would now have to decide what to do if they said different things.
So we just flag any such certificate as invalid.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 7 16:09:44 2026
(Merged from https://github.com/openssl/openssl/pull/30329)
Bob Beck [Thu, 30 Apr 2026 16:34:28 +0000 (10:34 -0600)]
Don't rely on cmp of uninitialized values in obj_dat.pl
Since we use this for a sort, in theory this could become
inconsistent if we were to do a make update, re-generate
the output, and check it in from a different development
platform that returns different inconsistencies in how
cmp behaves on uninitialized values.
Rather than ponder this, just make this consistent
by ensuring undefined values have 0 length, and remove
the disabling of the warnings in obj_cmp
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 7 15:41:12 2026
(Merged from https://github.com/openssl/openssl/pull/31046)
Tomas Mraz [Tue, 5 May 2026 15:01:42 +0000 (17:01 +0200)]
The tag value must fit into int
We cannot allow an unbounded tag value as this is an O(n^2) algorithm
and the tag cannot be larger than INT_MAX anyway.
Fixes 35852da1d9e24cb74034b2f418cef3a58203b127
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Simo Sorce <simo@redhat.com>
MergeDate: Thu May 7 12:12:25 2026
(Merged from https://github.com/openssl/openssl/pull/31091)
Jakub Zelenka [Mon, 4 May 2026 09:50:48 +0000 (11:50 +0200)]
Add coverage files clean up make targets
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu May 7 07:09:02 2026
(Merged from https://github.com/openssl/openssl/pull/31071)
Igor Ustinov [Tue, 14 Apr 2026 14:55:02 +0000 (16:55 +0200)]
Moved the EVP_EC_gen macro to evp.h
Also fixed the potential NULL pointer dereference in this macro.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 6 16:47:58 2026
(Merged from https://github.com/openssl/openssl/pull/30597)
Igor Ustinov [Tue, 14 Apr 2026 14:46:51 +0000 (16:46 +0200)]
Added the EVP_EC_affine2oct() helper function
This function converts affine coordinates of an EC point
to an octet string conforming to Sec. 2.3.4
of the SECG SEC 1 ("Elliptic Curve Cryptography") standard.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 6 16:47:57 2026
(Merged from https://github.com/openssl/openssl/pull/30597)
Igor Ustinov [Tue, 14 Apr 2026 14:39:38 +0000 (16:39 +0200)]
The EVP_PKEY_Q_keygen function now explicitly handles NULL curve name
It errors out with ERR_R_PASSED_NULL_PARAMETER in such case.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 6 16:47:55 2026
(Merged from https://github.com/openssl/openssl/pull/30597)
Bob Beck [Wed, 22 Apr 2026 18:37:29 +0000 (12:37 -0600)]
Allow 0 length comparisons in OBJ_CMP to return 0 without UB memcmp
X509_verify is documented to return -1 if the algorithm is invalid
or can't be compared for any reason.
Sadly this implies that it is legitimate to pass it an incorrect X509
object and it should see this. If we hand it a new X509 object with
nothing filled in, it will memcmp(NULL...) at the end of a stack of
FOO_cmp abstractions, which is UB.
Fix this by permitting the 0 length case to return equal without
a memcmp, as suggested by slontis@ and botovq@
Fixes: https://github.com/openssl/openssl/issues/30922 Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 6 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/30943)
kovan [Thu, 29 Jan 2026 14:28:59 +0000 (15:28 +0100)]
doc: add documentation for BIO_nread0, BIO_nread, BIO_nwrite0, BIO_nwrite
Document the non-copying interface functions for BIO pairs that allow
direct access to the internal buffer:
- BIO_nread0/BIO_nread for zero-copy reading
- BIO_nwrite0/BIO_nwrite for zero-copy writing
Also add return value documentation for these functions and remove
the placeholder "[XXXXX: More return values need to be added here]".
Fixes #16366
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 6 14:51:27 2026
(Merged from https://github.com/openssl/openssl/pull/29849)
Fix missing pointers in SSL_CTX_set_session_cache_mode synopsis
SSL_CTX_set_session_cache_mode and SSL_CTX_get_session_cache_mode
were documented with SSL_CTX ctx instead of SSL_CTX *ctx in their
synopsis.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 6 11:53:35 2026
(Merged from https://github.com/openssl/openssl/pull/30965)