git.ipfire.org Git - thirdparty/openssl.git/log
7 hours ago - aes_core.c: Fix staircase formatting issue (master)
Norbert Pocs [Thu, 11 Jun 2026 08:27:52 +0000 (10:27 +0200)] 
aes_core.c: Fix staircase formatting issue

Continuation of https://github.com/openssl/openssl/pull/31350

Fixes: https://github.com/openssl/openssl/issues/31348
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Fri Jun 12 19:25:02 2026
(Merged from https://github.com/openssl/openssl/pull/31446)

13 hours ago - test: add Windows RIO notifier smoke test
Mounir IDRASSI [Sat, 18 Apr 2026 05:21:49 +0000 (14:21 +0900)] 
test: add Windows RIO notifier smoke test

Add a Windows-only RIO notifier test that exercises initialization,
signalling, unsignalling, and cleanup without test-only hooks.

The RIO WSA lifecycle fix itself landed via #31339. This keeps the
remaining PR focused on coverage and removes the stale ssl_init.c include
for the deleted WSA cleanup path.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Fri Jun 12 13:54:17 2026
(Merged from https://github.com/openssl/openssl/pull/30918)

13 hours ago - crypto/ec/curve448/eddsa.c: make dom_s constant static in hash_init_with_dom()
Eugene Syromiatnikov [Wed, 3 Jun 2026 07:34:55 +0000 (09:34 +0200)] 
crypto/ec/curve448/eddsa.c: make dom_s constant static in hash_init_with_dom()

Otherwise it is allocated on stack and initialised on each call.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Jun 12 13:11:50 2026
(Merged from https://github.com/openssl/openssl/pull/31362)

13 hours ago - curve448: make locally-used functions static and remove unused ones
Eugene Syromiatnikov [Tue, 2 Jun 2026 10:51:45 +0000 (12:51 +0200)] 
curve448: make locally-used functions static and remove unused ones

ossl_c448_ed448_derive_public_key(), ossl_c448_ed448_sign(),
and ossl_c448_ed448_verify() are only called from within the compilation
unit, while ossl_c448_ed448_convert_private_key_to_x448(),
ossl_c448_ed448_sign_prehash() and ossl_c448_ed448_verify_prehash()
are not used anywhere, seemingly.  Make the former static (removing
them from the header, removing the ossl_ prefix, and moving
the descriptions to the definitions) and remove the latter.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Jun 12 13:11:48 2026
(Merged from https://github.com/openssl/openssl/pull/31362)

34 hours ago - Revert "Add indirect CRL path validation tests"
Bob Beck [Thu, 11 Jun 2026 16:50:34 +0000 (10:50 -0600)] 
Revert "Add indirect CRL path validation tests"

This reverts commit 35c1d7b16d5853a10d290cdbde0a997b1e5abee7.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Jun 11 17:27:42 2026
(Merged from https://github.com/openssl/openssl/pull/31459)

34 hours ago - ci: Verify jom/NASM downloads and fall back to upstream on forks
Dmitry Misharov [Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)] 
ci: Verify jom/NASM downloads and fall back to upstream on forks

Move the OpenSSL-hosted jom and NASM downloads under the /ci-deps/
path and verify them against SHA256 sums recorded in
.github/ci-deps.json before installing. Forks, which can't reach the
mirror reliably, download from the upstream Qt and NASM locations
instead.

Affected workflows: windows.yml, windows_comp.yml, os-zoo.yml

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 11 16:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/30957)

34 hours ago - ci: Download jom and NASM from OpenSSL-hosted mirror
Dmitry Misharov [Fri, 24 Apr 2026 07:47:57 +0000 (09:47 +0200)] 
ci: Download jom and NASM from OpenSSL-hosted mirror

Chocolatey-hosted packages for jom and NASM occasionally become
unavailable, causing CI failures on Windows builds. Host these
tools on our own infrastructure to eliminate this external
dependency.

Affected workflows: windows.yml, windows_comp.yml, os-zoo.yml

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 11 16:17:01 2026
(Merged from https://github.com/openssl/openssl/pull/30957)

34 hours ago - Add constant-time validation for CRYPTO_memcmp
David Foster [Fri, 5 Jun 2026 02:02:44 +0000 (22:02 -0400)] 
Add constant-time validation for CRYPTO_memcmp

Add test/crypto_memcmp_test.c which provides functional coverage for
CRYPTO_memcmp under regular builds and constant-time coverage under
enable-ct-validation builds.

The added constant-time coverage checks:
- there are no data dependent branches or memory accesses,
  on x86_64 and aarch64 architectures

The added constant-time coverage does NOT check:
- there are no data-dependent variable-time instructions, such as
  instructions NOT on the x86 Data Operand Independent Timing list
  or NOT on the ARM Data-Independent Timing list
- any architectures beyond x86_64 and aarch64

New CONSTTIME_SECRET annotations live only in the test rather than in
the generic C version of CRYPTO_memcmp so that both the C and
assembler versions of CRYPTO_memcmp are constant-time covered.

CRYPTO_memcmp directly backs CPython's secrets.compare_digest() and
hmac.compare_digest(), so a timing leak in it is high impact, yet it had
essentially no direct test coverage.

References #15076.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Thu Jun 11 16:11:58 2026
(Merged from https://github.com/openssl/openssl/pull/31398)

34 hours ago - Fix up mismatched error reason codes
Jon Spillett [Thu, 4 Jun 2026 20:23:07 +0000 (06:23 +1000)] 
Fix up mismatched error reason codes

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:06:41 2026
(Merged from https://github.com/openssl/openssl/pull/31390)

34 hours ago - FIPS: Make keygen PCT failures recoverable
slontis [Tue, 2 Jun 2026 01:21:54 +0000 (11:21 +1000)] 
FIPS: Make keygen PCT failures recoverable

Key generation pairwise consistency tests (PCT) no longer cause the
FIPS provider to enter a non-recoverable error state.

Originally I considered that the pairwise tests should never fail, so a
failure was considered as a fatal error. Unfortunately this is not true,
since the RSA pairwise test was changed to call
rsa_ossl_public_encrypt(). This function can return -1 based on the
values of n and e, resulting in a DOS for bad inputs.
Under NIST FIPS 186-5, the public exponent (e) must be an odd positive
integer greater than 65536 (e > 65536) and less than 2^256. The OpenSSL code
however returns an error if e > 2^64 when n > 3072.
(This check was added to prevent a CVE DOS).

While FIPS 140-3 mandates that a module must transition into an error
state upon self-test failures, a PCT is classified as a conditional
self-test, not a pre-operational self-test
(like an integrity test or a Known Answer Test).
The cryptographic module is only required to immediately discard the
faulty key pair and output a local error. The module is allowed to
immediately attempt generating a new key pair using fresh entropy,
without needing a full system reboot or module reset.

Detected by Oracle during Jipher testing.

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jun 11 16:03:42 2026
(Merged from https://github.com/openssl/openssl/pull/31359)

35 hours ago - rsa: add pkcs1 and oaep mfail tests
Jakub Zelenka [Mon, 1 Jun 2026 21:42:07 +0000 (23:42 +0200)] 
rsa: add pkcs1 and oaep mfail tests

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:00:17 2026
(Merged from https://github.com/openssl/openssl/pull/31356)

35 hours ago - evp: add test_set_get_raw_keys_mfail to evp extra tests
Jakub Zelenka [Mon, 1 Jun 2026 21:28:57 +0000 (23:28 +0200)] 
evp: add test_set_get_raw_keys_mfail to evp extra tests

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:00:16 2026
(Merged from https://github.com/openssl/openssl/pull/31356)

35 hours ago - mfail: add hard failure return code for failing even for NO_CHECK
Jakub Zelenka [Mon, 8 Jun 2026 14:45:57 +0000 (16:45 +0200)] 
mfail: add hard failure return code for failing even for NO_CHECK

The hard failure return code is meant for NO_CHECK variants to fail if
there is some failure that should never happen and likely signal a bug.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:00:15 2026
(Merged from https://github.com/openssl/openssl/pull/31356)

35 hours ago - mfail: do not count allocations for no file when checked
Jakub Zelenka [Mon, 1 Jun 2026 21:27:55 +0000 (23:27 +0200)] 
mfail: do not count allocations for no file when checked

This skips some debug and error allocations that cannot be handled.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:00:14 2026
(Merged from https://github.com/openssl/openssl/pull/31356)

35 hours ago - mfail: add all tests iterable variants
Jakub Zelenka [Mon, 1 Jun 2026 18:04:37 +0000 (20:04 +0200)] 
mfail: add all tests iterable variants

It adds ADD_MFAIL_ALL_TESTS and ADD_MFAIL_ALL_NO_CHECK_TESTS that work
in a similar way to ADD_ALL_TESTS but with mfail testing.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 16:00:12 2026
(Merged from https://github.com/openssl/openssl/pull/31356)

35 hours ago - Add indirect CRL path validation tests
Jakub Zelenka [Tue, 19 May 2026 17:24:33 +0000 (19:24 +0200)] 
Add indirect CRL path validation tests

This covers currently uncovered check_crl_path and check_crl_chain
in x509_vfy.c. The mfail test tests the happy path and all memory
failures in it. In addition 3 error scenarios are tested.

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 15:58:37 2026
(Merged from https://github.com/openssl/openssl/pull/31244)

35 hours ago - Add apps test for external PSK callbacks
Jakub Zelenka [Fri, 15 May 2026 11:00:38 +0000 (13:00 +0200)] 
Add apps test for external PSK callbacks

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 15:52:36 2026
(Merged from https://github.com/openssl/openssl/pull/31190)

35 hours ago - Move common macro definitions to internal/common.h and fix comments.
Frederik Wedel-Heinen [Sun, 15 Feb 2026 14:04:36 +0000 (15:04 +0100)] 
Move common macro definitions to internal/common.h and fix comments.

Fixes #2480

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 11 15:51:32 2026
(Merged from https://github.com/openssl/openssl/pull/30019)

35 hours ago - Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
Igor Ustinov [Mon, 11 May 2026 14:29:47 +0000 (16:29 +0200)] 
Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()

Check that 'parameter' != NULL before dereferencing in
OSSL_CRMF_ENCRYPTEDVALUE_decrypt().

Fixes CVE-2026-42767

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:38:27 2026

35 hours ago - Test for CVE-2026-45447 (UAF in PKCS7_verify)
Igor Ustinov [Sat, 16 May 2026 06:22:53 +0000 (08:22 +0200)] 
Test for CVE-2026-45447 (UAF in PKCS7_verify)

The test data were created with a tool developed by
Thai Duong <thai@calif.io>.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:22:52 2026

35 hours ago - Fix possible use-after-free in OpenSSL PKCS7_verify()
Igor Ustinov [Sat, 16 May 2026 06:16:23 +0000 (08:16 +0200)] 
Fix possible use-after-free in OpenSSL PKCS7_verify()

Fixes CVE-2026-45447

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:22:50 2026

35 hours ago - Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV
Dmitry Belyavskiy [Wed, 13 May 2026 09:45:51 +0000 (11:45 +0200)] 
Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV

AES-GCM-SIV: EVP_DecryptFinal_ex Accepts All-Zero Tag for Empty-Ciphertext
Messages.

AES-SIV: EVP_DecryptUpdate_ex Accepts All-Zero Tag for Empty-Ciphertext
Messages on context reuse.

Fixes CVE-2026-45446

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:12:25 2026

35 hours ago - Apply the buffered IV on the AES-OCB EVP_Cipher() path
Viktor Dukhovni [Mon, 18 May 2026 08:09:44 +0000 (18:09 +1000)] 
Apply the buffered IV on the AES-OCB EVP_Cipher() path

aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot,
processed input without flushing the buffered IV into the OCB
context.  Effective nonce was 0 regardless of the caller's IV;
EVP_*Final_ex() then emitted a tag depending only on (key, iv).
This gave (key, nonce) reuse and single-query universal forgery on
the EVP_Cipher() path.

Apply update_iv() at the head of aes_ocb_cipher() to mirror the
streaming handler.  The matching GCM one-shot does this already.

Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and
ChaCha20-Poly1305 in test/evp_extra_test.c.  Each cipher is
exercised with and without AAD; the no-AAD case is needed because
any prior EVP_CipherUpdate(NULL, aad, ...) routes through the
streaming handler and applies the IV itself, masking the bug.

Fixes CVE-2026-45445

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:02:00 2026

35 hours ago - Add further unit tests for e-mail validation
Bob Beck [Fri, 17 Apr 2026 18:25:14 +0000 (12:25 -0600)] 
Add further unit tests for e-mail validation

Ensure we correctly catch malformed things.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:59:29 2026

35 hours ago - Fix length miscalculation in validate_email
Bob Beck [Fri, 17 Apr 2026 18:21:16 +0000 (12:21 -0600)] 
Fix length miscalculation in validate_email

We incorrectly used the length of the domain part for the local part
when validating e-mail for X509_VERIFY_PARAM_set1_email().

Fixes CVE-2026-42771

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:59:28 2026

35 hours ago - Match the local q DHX parameter against the peer's q
Norbert Pocs [Tue, 12 May 2026 13:16:04 +0000 (15:16 +0200)] 
Match the local q DHX parameter against the peer's q

As FFC/DH peer public key validation uses the peer's q value instead
of checking against the local q, we must also check that these
q values match when setting the peer's public key.

Fixes CVE-2026-42770

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:56:27 2026

35 hours ago - Use the correct issuer when validating rootCAKeyUpdate
Bob Beck [Fri, 17 Apr 2026 20:09:52 +0000 (14:09 -0600)] 
Use the correct issuer when validating rootCAKeyUpdate

This correctly uses the existing root, and not the same certificate
as the root of the chain to validate.

While we are here, we also turn on self signed certificate signature
checking as this case is actually bringing in trust anchors as
self signed certs, and fix a possible NULL deref.

Fixes CVE-2026-42769

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:54:01 2026

35 hours ago - Enforce implicit rejection for CMS/PKCS#7 decryption
Dmitry Belyavskiy [Fri, 15 May 2026 12:09:17 +0000 (14:09 +0200)] 
Enforce implicit rejection for CMS/PKCS#7 decryption

Drop the disablement of the implicit rejection for RSA PKCS#1 v1.5
decryption.

Fixes CVE-2026-42768

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:49:19 2026

35 hours ago - Test for CVE-2026-42766
Igor Ustinov [Wed, 20 May 2026 18:02:43 +0000 (20:02 +0200)] 
Test for CVE-2026-42766

The script make_missing_kdf_der.py was developed by Mayank Jangid
and Kushal Khemka.

Co-Authored-by: Mayank Jangid <mayank.jangid.moon@gmail.com>
Co-Authored-by: Kushal Khemka <kushalkhemka559@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 18:57:53 2026

35 hours ago - Fix potential NULL dereference processing CMS PasswordRecipientInfo
Igor Ustinov [Thu, 21 May 2026 06:36:54 +0000 (08:36 +0200)] 
Fix potential NULL dereference processing CMS PasswordRecipientInfo

Avoid NULL dereferencing when keyDerivationAlgorithm is absent
in CMS PasswordRecipientInfo.

Fixes CVE-2026-42766

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 18:57:52 2026

35 hours ago - Fix NULL Dereference in Certificate Verification with OCSP Checking
Daniel Kubec [Fri, 15 May 2026 23:04:30 +0000 (01:04 +0200)] 
Fix NULL Dereference in Certificate Verification with OCSP Checking

When performing OCSP response checking for certificates in the verification
chain, the code always tries to access the next certificate as the issuer.
There is a check for a self-signed certificate. However with the partial
chain verification enabled when the chain does not have a self-signed trusted
anchor, the issuer will be NULL for the last certificate in the chain. A NULL
pointer dereference then happens.

This issue affects only applications which enable both OCSP verification
of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial
chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate
verification. Both flags are disabled by default. For that reason, we have
assigned Low severity to the issue.

Fixes CVE-2026-42765

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 18:55:29 2026

35 hours ago - Fix NULL dereference in QUIC address validation
Alexandr Nedvedicky [Tue, 12 May 2026 14:12:40 +0000 (16:12 +0200)] 
Fix NULL dereference in QUIC address validation

QUIC server crashes when address validation (RFC 9000, Section 8.1)
is disabled and client sends initial packet with invalid token.

Issue reported and fix submitted by Sunwoo Lee (KENTECH),
Hyuk Lim (KENTECH) and Seunghyun Yoon (KENTECH)

Fixes CVE-2026-42764

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:50:48 2026

35 hours ago - Fix Double-free When Checking OCSP Stapled Response
Daniel Kubec [Mon, 18 May 2026 13:01:25 +0000 (15:01 +0200)] 
Fix Double-free When Checking OCSP Stapled Response

If OCSP stapling is enabled and the TLS client connects to a malicious server,
a crafted OCSP stapled response can trigger a double free in the TLS client
when the stapled response is checked.

The OCSP stapling is not enabled by default. Reliable code execution
through a double-free is technically complex and highly environment-dependent
but the Denial of Service impact is straightforward to achieve, warranting
Moderate severity.

Fixes CVE-2026-35188

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:44:58 2026

35 hours ago - Add test for path challenge flood mitigation
Alexandr Nedvedicky [Tue, 21 Apr 2026 12:13:03 +0000 (14:13 +0200)] 
Add test for path challenge flood mitigation

The client injects 16 path challenge frames. Those are received
by the server. Only one challenge frame of the 16 received triggers
a path challenge response. The remaining challenge frames are
discarded/ignored.

Test introduces two counters to channel object:
  - path_challenge_rx which is bumped for every path challenge
  frame received

  - path_response_tx which is bumped for every path response
  frame transmitted

A successful test verifies the server receives 16 path challenge frames,
but sends just one path response frame in response.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:35:21 2026

35 hours ago - QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
Alexandr Nedvedicky [Thu, 26 Mar 2026 13:24:32 +0000 (14:24 +0100)] 
QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX

Currently local QUIC stack allocates PATH_RESPONSE frame for every
PATH_CHALLENGE frame it receives in single packet from its remote peer.
The memory with PATH_RESPONSE frame is released after local QUIC stack
receives an ACK which confirms reception of PATH_RESPONSE by remote peer.
This gives remote peer too much control over memory resources local
QUIC stack may consume.

Quoting RFC 9000 section 9.2.1:
...an endpoint SHOULD NOT send multiple
PATH_CHALLENGE frames in a single packet.

Limiting the number of PATH_CHALLENGE frames to 1 per QUIC packet received
helps to reduce heap memory overhead required to process PATH_CHALLENGE
frame.

Currently QUIC ACKM (ACK-manager) keeps all frames in retransmission
buffer until an ACK is received. It can be changed so that frames which
don't need to be ACKed are not kept in the retrans buffer;
those can be released right after transmission.

Fixes CVE-2026-34183

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:35:20 2026

35 hours ago - Add tests for CVE-2026-34182
Neil Horman [Tue, 5 May 2026 13:16:29 +0000 (09:16 -0400)] 
Add tests for CVE-2026-34182

Test to ensure that for a given CMS message:

1) We do not allow the creation of a CMS message containing
   AuthEnvelopedData with a non-AEAD cipher.
2) We do not accept a message containing AuthEnvelopedData with a
   non-AEAD cipher specified in the AlgorithmIdentifier.
3) We do not allow tag lengths less than 4 bytes.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:27:03 2026

35 hours ago - Reject potentially forged encrypted CMS AuthEnvelopedData messages
Neil Horman [Fri, 17 Apr 2026 17:21:50 +0000 (13:21 -0400)] 
Reject potentially forged encrypted CMS AuthEnvelopedData messages

1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD
ciphers.

If a forged CMS message with AuthEnvelopedData is received with
a non-AEAD cipher specified, we silently accept that and decrypt
the message, skipping any authentication, which violates RFC 5083.

We also add checks to ensure we fail if we try to encrypt
AuthEnvelopedData without using an AEAD cipher.

2. Ensure that tag lengths on CMS AEAD data are the recommended size.

RFC 5084 recommends that mac tags be at least 12 bytes for AES-GCM
and 4 bytes for AES-CCM on AuthEnvelopedData. As this code is not
algorithm-specific we add a check for a minimal size and just use the
lower limit which is sufficient to prevent this attack.

Without this check, it's possible to set the tag length to 1 and within
256 guesses, forge a CMS message.

Fixes CVE-2026-34182

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:27:02 2026

35 hours ago - pkcs12: verify that the pbmac1 key length is safe
Alicja Kario [Wed, 29 Apr 2026 14:29:35 +0000 (16:29 +0200)] 
pkcs12: verify that the pbmac1 key length is safe

Short mac keys (as short as 1 byte) can be used to probe the
system under attack to accept a PKCS#12 file created by an attacker
even if the attacker doesn't know the password used for MAC protection.

Fixes CVE-2026-34181

(also update the reference to the PBMAC1 PKCS#12 RFC)

Signed-off-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:18:59 2026

35 hours ago - Avoid length truncation in ASN1_STRING_set
Viktor Dukhovni [Tue, 7 Apr 2026 12:40:55 +0000 (22:40 +1000)] 
Avoid length truncation in ASN1_STRING_set

The ASN1_STRING_set() function takes an `int` length, make sure the
argument is not inadvertently truncated when it is called from
asn1_ex_c2i().

Fixes CVE-2026-34180

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:13:56 2026

35 hours ago - cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
Nikola Pajkovsky [Thu, 21 May 2026 12:18:11 +0000 (14:18 +0200)] 
cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation

Added an EnvelopedData blob with a PasswordRecipientInfo using
id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher. CFB's 1-byte
effective block size let the inlen >= 2 * blocklen guard in
kek_unwrap_key() accept a wrapped key shorter than the seven octets
the check-byte test reads from tmp[1..6]; the encryptedKey OCTET
STRING here is only two bytes.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:06:38 2026

35 hours ago - cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
Nikola Pajkovsky [Thu, 21 May 2026 09:53:09 +0000 (11:53 +0200)] 
cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation

The check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6]
unconditionally, so the decrypted buffer must hold at least seven
octets. The pre-decryption size check enforces inlen >= 2 * blocklen,
which yields the required seven octets only when blocklen >= 4. For
a KEK cipher with a smaller block size, inlen can be as small as
2 * blocklen and the check-byte read overruns the inlen-sized tmp
allocation.

Reject blocklen < 4 in the early sanity check. All block ciphers
appropriate for CMS PasswordRecipientInfo key wrapping have a block
size of at least 8 octets (DES/3DES = 8, AES = 16), so this only
forbids ciphers that would not be valid KEK choices anyway, and the
existing inlen >= 2 * blocklen check then guarantees the seven-octet
lower bound the check-byte test relies on.

Fixes CVE-2026-9076

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:06:36 2026

35 hours ago - Reject oversized inputs in ASN1_mbstring_ncopy()
Viktor Dukhovni [Wed, 29 Apr 2026 08:23:24 +0000 (18:23 +1000)] 
Reject oversized inputs in ASN1_mbstring_ncopy()

In ASN1_mbstring_ncopy() the destination size for BMPSTRING and
UNIVERSALSTRING output was computed by a signed left shift on an
int:

    outlen = nchar << 1;        /* MBSTRING_BMP  */
    outlen = nchar << 2;        /* MBSTRING_UNIV */

For nchar large enough the result is not representable in int.  In
the worst case (nchar == 0x40000000) nchar << 2 wraps to zero,
OPENSSL_malloc(1) is called, and traverse_string() then writes
4*nchar bytes into the one-byte allocation: a heap buffer
overflow.  The MBSTRING_UTF8 path computes outlen by summing
per-character byte counts in out_utf8(), and that sum can overflow
the same int under similarly large inputs.

Neither path is reachable from code that processes X.509
certificates through the DIRSTRING_TYPE mask used by
ASN1_STRING_set_by_NID(): UNIVERSALSTRING is absent from that
mask, and the UTF-8 sum requires inputs on the order of half a
gigabyte.  Reaching them needs an application that calls
ASN1_mbstring_copy()/ASN1_mbstring_ncopy() directly, or registers
a custom NID via ASN1_STRING_TABLE_add(), with an oversized
attacker-controlled input.

Add range checks before each shift and in out_utf8(), raising
ASN1_R_STRING_TOO_LONG at the point of detection.  Move the
existing ASN1_R_INVALID_UTF8STRING raise into out_utf8() too so
the two failure modes report distinct codes; the MBSTRING_UTF8
caller is left with cleanup only and now frees dest on error,
matching the BMP/UNIV branches.

Fixes CVE-2026-7383

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Jun  8 14:02:18 2026

36 hours ago - CMP: Optionally accept missing or non-matching transactionID or recipNonce values
Dr. David von Oheimb [Thu, 3 Apr 2025 06:53:58 +0000 (08:53 +0200)] 
CMP: Optionally accept missing or non-matching transactionID or recipNonce values

This is done for error messages received if OSSL_CMP_OPT_NONMATCHED_ERROR_NONCES
is set or the respective -nonmatched_error_nonces CLI option is given.

Can be helpful when the server (or other peer) cannot provide a proper error message header,
for instance if it was unable to parse the ASN.1 encoding of a request message.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 14:56:49 2026
(Merged from https://github.com/openssl/openssl/pull/29043)

36 hours ago - add HISTORY and CHANGES.md entry for OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR...
Dr. David von Oheimb [Tue, 2 Jun 2026 19:44:08 +0000 (21:44 +0200)] 
add HISTORY and CHANGES.md entry for OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR introduced in 4.0

Complements: 21722fe5545c "OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: use new TA(s) for whole transaction (also pkiconf); update doc"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 14:56:47 2026
(Merged from https://github.com/openssl/openssl/pull/29043)

36 hours ago - OSSL_CMP_CTX_new.pod: fix HISTORY entry for OSSL_CMP_CTX_get0_geninfo_ITAVs() and...
Dr. David von Oheimb [Wed, 3 Jun 2026 06:49:05 +0000 (08:49 +0200)] 
OSSL_CMP_CTX_new.pod: fix HISTORY entry for OSSL_CMP_CTX_get0_geninfo_ITAVs() and OSSL_CMP_OPT_NO_CACHE_EXTRACERTS

Complements 8d9c8b3ff "CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new.pod and ossl_cmp_msg_check_update.pod"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Jun 11 14:56:46 2026
(Merged from https://github.com/openssl/openssl/pull/29043)

41 hours ago - doc: document SSL_set_*_state SSL argument
Steve Grubb [Tue, 9 Jun 2026 21:35:49 +0000 (17:35 -0400)] 
doc: document SSL_set_*_state SSL argument

SSL_set_connect_state() and SSL_set_accept_state() have no return value to
report argument errors, but their documentation did not state the precondition
for the SSL argument. Passing NULL, or a pointer that is not a valid
SSL object, is a programmer error rather than a recoverable API error.
Document that the ssl argument must point to a valid SSL object and
must not be NULL.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Jun 11 09:04:23 2026
(Merged from https://github.com/openssl/openssl/pull/31435)

41 hours ago doc: document deprecated engine configure options
kovan [Thu, 29 Jan 2026 11:17:38 +0000 (12:17 +0100)] 
doc: document deprecated engine configure options

Document that no-engine, no-static-engine, and no-dynamic-engine
configure options are deprecated and do nothing. These options are
retained for backwards compatibility only.

Fixes #27473

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 11 09:02:08 2026
(Merged from https://github.com/openssl/openssl/pull/29839)

42 hours ago uni2utf8: reject negative length like uni2asc
rootvector2 [Wed, 3 Jun 2026 18:28:39 +0000 (23:58 +0530)] 
uni2utf8: reject negative length like uni2asc

Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 11 08:56:39 2026
(Merged from https://github.com/openssl/openssl/pull/31378)

42 hours ago x509: check inner/outer signatureAlgorithm match in X509_CRL_verify
Viktor Dukhovni [Mon, 18 May 2026 10:41:54 +0000 (20:41 +1000)] 
x509: check inner/outer signatureAlgorithm match in X509_CRL_verify

RFC 5280 section 5.1.1.2 requires the signatureAlgorithm in the outer
CertificateList wrapper to be identical to the signature field inside
the signed TBSCertList.  def_crl_verify() did not enforce this, unlike
X509_verify() and X509_ACERT_verify() which both carry an X509_ALGOR_cmp
guard.

Add the same guard to def_crl_verify().  A mismatch raises
X509_R_CRL_SIGNATURE_ALGORITHM_MISMATCH.  No known attack results from
the missing check; this is a conformance and hardening fix only.

Add a regression test: a CRL with a valid RSA-SHA256 signature over a
TBSCertList whose inner signatureAlgorithm claims ecdsaWithSHA256 is
now rejected.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jun 11 08:45:41 2026
(Merged from https://github.com/openssl/openssl/pull/31213)

2 days ago convert CRYPTO_THREAD_run_once to use InitOnceExecuteOnce api
Neil Horman [Fri, 29 May 2026 13:59:21 +0000 (09:59 -0400)] 
convert CRYPTO_THREAD_run_once to use InitOnceExecuteOnce api

Issue #22059 reported a race condition in CRYPTO_THREAD_run_once on
windows platforms.  The most correct fix for this is to convert the
windows run_once implementation to use the Win32 InitOnceRunOnce
interface.  Doing so requires at least Windows Vista/Windows Server 2008
to be available, and because WinXP hasn't built since 3.0 released, it
seems sensible to bump our minimal NT version to be 0x600 (Vista/2008).

Also, while we're at it, this change caught a bad programming practice
in the rio_notifier code, which attempts to reset the once variable
during shutdown.  The windows static initializer macro for this api is
constructed such that attempting to do so causes a build break.  Since
once variables are not meant to be reset (since they are only triggered
once), remove that reset code to avoid the breakage.

Note that this problem was independently found and fixed in #30198.
We're taking the fix from this pr (as they are effectively identical),
and using that PR to add some much needed tests to the rio code.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Bob Beck <beck@openssl.org>
MergeDate: Wed Jun 10 19:44:19 2026
(Merged from https://github.com/openssl/openssl/pull/31339)

2 days ago Fix parentheses in bn_cp_64 macro
Norbert Pocs [Fri, 5 Jun 2026 10:19:56 +0000 (12:19 +0200)] 
Fix parentheses in bn_cp_64 macro

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 13:24:46 2026
(Merged from https://github.com/openssl/openssl/pull/31386)

2 days ago Fix macro staircase formatting issue
Norbert Pocs [Thu, 4 Jun 2026 13:30:32 +0000 (15:30 +0200)] 
Fix macro staircase formatting issue

When the macro contains a comma (',') as a trailer character, then
clang-format doesn't get the correct formatting.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 13:24:44 2026
(Merged from https://github.com/openssl/openssl/pull/31386)

2 days ago build: make enable-asan work for VC targets
Jakub Zelenka [Tue, 2 Jun 2026 15:09:09 +0000 (17:09 +0200)] 
build: make enable-asan work for VC targets

Configure assumed GCC/Clang sanitizer spellings, so enable-asan was a
no-op on MSVC. Emit /fsanitize=address instead of -fsanitize=address
on VC targets.

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 12:53:11 2026
(Merged from https://github.com/openssl/openssl/pull/31366)

2 days ago Consistently zeroize public parameters based on OPENSSL_PEDANTIC_ZEROIZATION
Eugene Syromiatnikov [Tue, 12 May 2026 12:14:00 +0000 (14:14 +0200)] 
Consistently zeroize public parameters based on OPENSSL_PEDANTIC_ZEROIZATION

Commit fa338aa7cd1e "fips: zeroization of public security parameters (PSPs)"[1]
introduced zeroization of public security params, which then[2] switched
its usage to OPENSSL_PEDANTIC_ZEROIZATION; however, zeroization has been
implemented inconsistently, leaving out public security parameter
updates.  Consistently use newly introduced wrappers,
ossl_public_bn_free and ossl_public_param_free, for freeing such
parameters, and use them for FFC and RSA.

[1] https://github.com/openssl/openssl/pull/24355
[2] https://github.com/openssl/openssl/pull/26068

Complements: fa338aa7cd1e "fips: zeroization of public security parameters (PSPs)"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Jun 10 12:52:14 2026
(Merged from https://github.com/openssl/openssl/pull/31157)

2 days ago Remove crypto/aes/aes_x86core.c because it's dead code
Andrew Dinh [Tue, 9 Jun 2026 10:11:49 +0000 (17:11 +0700)] 
Remove crypto/aes/aes_x86core.c because it's dead code

Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Jun 10 12:43:39 2026
(Merged from https://github.com/openssl/openssl/pull/31424)

2 days ago Let's attempt to make real documentation for X509_verify_cert
Bob Beck [Wed, 27 May 2026 14:41:53 +0000 (08:41 -0600)] 
Let's attempt to make real documentation for X509_verify_cert

I am doing this because I have need to add information that really does
belong here, and the current stuff is less documentation than more or
less some hand waving about how it works without any details.

So to summarize the changes:

1) This documents the current way that X509_verify_cert goes about
building and verifying a chain, identifying the relevant flags that
can affect how this happens today, and cross references the correct page
to find the rest of the exhaustive list of verification flags and what they do.

2) This documents the verification callback and how it can be used
to affect the verification outcome. This includes warning potential
users of the callback of what returning values from it means,
the common ways to end up unintentionally doing things you did not expect
with the callback, and that it depends upon internals and should not be
relied upon.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:33:13 2026
(Merged from https://github.com/openssl/openssl/pull/31314)

2 days ago quic: Add MFAIL coverage for stream map allocation and token caching
Nikolas Gauder [Sat, 30 May 2026 10:19:22 +0000 (12:19 +0200)] 
quic: Add MFAIL coverage for stream map allocation and token caching

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:23:38 2026
(Merged from https://github.com/openssl/openssl/pull/31333)

2 days ago quic: add lhash insert error checks
Nikolas Gauder [Fri, 29 May 2026 12:56:39 +0000 (14:56 +0200)] 
quic: add lhash insert error checks

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:23:37 2026
(Merged from https://github.com/openssl/openssl/pull/31333)

2 days ago crypto/evp: align exchange.c cleanup with kem/sig/asymcipher pattern
sucloudflare [Sat, 6 Jun 2026 20:40:23 +0000 (17:40 -0300)] 
crypto/evp: align exchange.c cleanup with kem/sig/asymcipher pattern

Commit a21f77d added explicit null assignments after EVP_KEYMGMT_free()
calls at the err:, legacy:, and success exit paths in kem.c,
asymcipher.c and signature.c.

The identical exit paths in evp_keyexch_init() (crypto/evp/exchange.c)
were not updated at the same time, leaving exchange.c as the only
outlier in the family without these null assignments.

This patch brings exchange.c into consistency with its sibling files
by adding exchange = NULL and tmp_keymgmt = NULL after each free at
the exit paths, matching the established pattern from a21f77d.

No functional change intended.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun 10 11:20:19 2026
(Merged from https://github.com/openssl/openssl/pull/31394)

2 days ago doc: document OSSL_PKEY_PARAM_BITS meaning for each key type
kovan [Tue, 27 Jan 2026 10:32:12 +0000 (11:32 +0100)] 
doc: document OSSL_PKEY_PARAM_BITS meaning for each key type

The EVP_PKEY_get_bits() documentation states that "the definition
of cryptographic length is specific to the key cryptosystem" but
doesn't explain what this means for each key type.

Add a detailed list explaining what "bits" represents for RSA, DSA,
DH, EC, X25519, X448, Ed25519, Ed448, ML-DSA, SLH-DSA, and ML-KEM
key types to help users understand the return value.

Fixes #28337

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Jun 10 11:15:17 2026
(Merged from https://github.com/openssl/openssl/pull/29790)

2 days ago pvkfmt: check keylen before copying the BLOBHEADER
rootvector2 [Mon, 1 Jun 2026 14:28:09 +0000 (19:58 +0530)] 
pvkfmt: check keylen before copying the BLOBHEADER

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31352)

2 days ago Vectorize (inverse) NTT in ML-DSA
Timo Keller [Mon, 16 Mar 2026 06:18:26 +0000 (07:18 +0100)] 
Vectorize (inverse) NTT in ML-DSA

The vectorization is implemented using vector extensions (of gcc/clang)
and will work on any architecture with 128 bit vector registers that has
the builtin `vec_mulh` for the high part of a multiplication.

Enable this for s390x.

The speed-up factor on z17 is around 2--3.4.

Signed-off-by: Timo Keller <tkeller@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 09:25:58 2026
(Merged from https://github.com/openssl/openssl/pull/30812)

2 days ago ghash-armv4.pl: add missing alignment for gcm_gmult_4bit
Nikola Pajkovsky [Fri, 29 May 2026 07:38:33 +0000 (09:38 +0200)] 
ghash-armv4.pl: add missing alignment for gcm_gmult_4bit

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 07:51:21 2026
(Merged from https://github.com/openssl/openssl/pull/31327)

2 days ago sha512-armv4: add missing function alignment
Nikola Pajkovsky [Thu, 28 May 2026 11:29:00 +0000 (13:29 +0200)] 
sha512-armv4: add missing function alignment

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 07:51:20 2026
(Merged from https://github.com/openssl/openssl/pull/31327)

2 days ago armv4cpuid.pl: add missing function alignment
Nikola Pajkovsky [Thu, 28 May 2026 11:18:41 +0000 (13:18 +0200)] 
armv4cpuid.pl: add missing function alignment

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 07:51:19 2026
(Merged from https://github.com/openssl/openssl/pull/31327)

2 days ago aes-sha1-armv8.pl: add missing function alignment
Nikola Pajkovsky [Thu, 28 May 2026 11:15:49 +0000 (13:15 +0200)] 
aes-sha1-armv8.pl: add missing function alignment

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun 10 07:51:17 2026
(Merged from https://github.com/openssl/openssl/pull/31327)

2 days ago cmp_client_test.c: fix partly too generous total_timeout limit for IR session with...
Dr. David von Oheimb [Thu, 7 May 2026 19:43:15 +0000 (21:43 +0200)] 
cmp_client_test.c: fix partly too generous total_timeout limit for IR session with polling

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Wed Jun 10 06:46:36 2026
(Merged from https://github.com/openssl/openssl/pull/31111)

2 days ago cmp_vfy.c: prevent needless and confusing duplication of diagnostic output on failure...
Dr. David von Oheimb [Thu, 23 Oct 2025 19:27:43 +0000 (21:27 +0200)] 
cmp_vfy.c: prevent needless and confusing duplication of diagnostic output on failure validating CMP messages

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:39:00 2026
(Merged from https://github.com/openssl/openssl/pull/28986)

2 days ago cmp_vfy.c: small fixes on content and layout of diagnostics on failure validating...
Dr. David von Oheimb [Thu, 23 Oct 2025 19:26:51 +0000 (21:26 +0200)] 
cmp_vfy.c: small fixes on content and layout of diagnostics on failure validating signature-based protection of CMP messages

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:38:59 2026
(Merged from https://github.com/openssl/openssl/pull/28986)

2 days ago make sure BIO_set_ssl() transfers ownership of ssl only on success; document this
Dr. David von Oheimb [Thu, 4 Jun 2026 04:48:24 +0000 (06:48 +0200)] 
make sure BIO_set_ssl() transfers ownership of ssl only on success; document this

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:27:04 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

2 days ago http_lib.c: add check that host_end is not past authority_end
Dr. David von Oheimb [Wed, 8 Apr 2026 06:27:35 +0000 (08:27 +0200)] 
http_lib.c: add check that host_end is not past authority_end

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:27:03 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

2 days ago OSSL_HTTP_REQ_CTX.pod: tweak description of 'expect_asn1' parameter of OSSL_HTTP_REQ_...
Dr. David von Oheimb [Tue, 28 Jun 2022 15:23:45 +0000 (17:23 +0200)] 
OSSL_HTTP_REQ_CTX.pod: tweak description of 'expect_asn1' parameter of OSSL_HTTP_REQ_CTX_set_expected()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:27:02 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

2 days ago apps/cmp.c: fix use of SSL_set_tlsext_host_name() for SNI and X509_VERIFY_PARAM_set1_...
Dr. David von Oheimb [Fri, 11 Apr 2025 18:19:46 +0000 (20:19 +0200)] 
apps/cmp.c: fix use of SSL_set_tlsext_host_name() for SNI and X509_VERIFY_PARAM_set1_host()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:27:00 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

2 days ago http_lib.c: fix parsing 'scheme' part in OSSL_parse_url()
Dr. David von Oheimb [Thu, 31 Jul 2025 15:13:58 +0000 (17:13 +0200)] 
http_lib.c: fix parsing 'scheme' part in OSSL_parse_url()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:26:59 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

2 days ago SSL_CTX_set_tlsext_servername_callback.pod: improve doc of SSL_set_tlsext_host_name...
Dr. David von Oheimb [Fri, 11 Apr 2025 17:53:00 +0000 (19:53 +0200)] 
SSL_CTX_set_tlsext_servername_callback.pod: improve doc of SSL_set_tlsext_host_name(); update format

Add recommendation to use it for TLS clients, together with X509_VERIFY_PARAM_{set1,add1}_host()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jun 10 06:26:57 2026
(Merged from https://github.com/openssl/openssl/pull/27357)

3 days ago Disable tls test in pkcs11 provider
Neil Horman [Tue, 5 May 2026 20:53:49 +0000 (16:53 -0400)] 
Disable tls test in pkcs11 provider

The head of the tree is broken due to a combined inability for openssl
and the provider to allow for duplication of MD contexts on an in flight
session.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:32 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago update pkcs11 submodule
Neil Horman [Sun, 3 May 2026 22:06:54 +0000 (18:06 -0400)] 
update pkcs11 submodule

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:30 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago clean up the code a bit
Neil Horman [Thu, 30 Apr 2026 20:22:46 +0000 (16:22 -0400)] 
clean up the code a bit

Remove some vestigial code from the property cache and name things
appropriately.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:28 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago Opportunistically move archived items to a separate list
Neil Horman [Thu, 30 Apr 2026 18:01:37 +0000 (14:01 -0400)] 
Opportunistically move archived items to a separate list

If a provider is unloaded and reloaded to a context, all its algorithms
get archived, making them un-look-up-able.  While this is good, having
all those effectively dead entries in the list slows down the linear
traversal in the lookup path, so periodically, while we have the write
lock held, migrate those entries to a separate archive list so that they
don't impact the normal hot path.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:26 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago Fix caching of EVP methods when NO_CACHED_FETCH is asserted
Neil Horman [Thu, 30 Apr 2026 14:25:45 +0000 (10:25 -0400)] 
Fix caching of EVP methods when NO_CACHED_FETCH is asserted

Noticed during the debugging of this that, even though we may have
no-cached-fetch configured, we still put things in the method store,
which is wrong.

Don't cache things when we say we're not caching things.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:24 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago correct property_test
Neil Horman [Wed, 29 Apr 2026 23:07:11 +0000 (19:07 -0400)] 
correct property_test

The duplicate property test has to change because we now archive QUERYs
instead of removing them immediately (i.e. we don't drop the ref count
until the store is freed).

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:21 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago Fix persnicketiness in tsan
Neil Horman [Wed, 29 Apr 2026 22:39:08 +0000 (18:39 -0400)] 
Fix persnicketiness in tsan

TSAN seems to be having a problem with atomic_load_ptr and
atomic_store_ptr.  Both are, by default, __ATOMIC_RELAXED operations.

According to the tsan docs, it flags these operations as a race because,
while they are indivisible, they create no happens-before constraint,
meaning they can be reordered.

An exemplar race that is reported is:

WARNING: ThreadSanitizer: data race (pid=2139404)
  Read of size 4 at 0x723400002308 by thread T39:
    #0 EVP_MD_up_ref crypto/evp/digest.c:995 (threadstest+0x45032d) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #1 evp_md_up_ref crypto/evp/digest.c:974 (threadstest+0x450242) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #2 ossl_method_up_ref crypto/property/property.c:201 (threadstest+0x4b7a55) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #3 ossl_method_store_cache_get_locked crypto/property/property.c:941 (threadstest+0x4b9922) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #4 ossl_method_store_cache_get crypto/property/property.c:974 (threadstest+0x4b9a47) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #5 inner_evp_generic_fetch crypto/evp/evp_fetch.c:314 (threadstest+0x458186) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #6 evp_generic_fetch crypto/evp/evp_fetch.c:404 (threadstest+0x4586dc) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #7 EVP_MD_fetch crypto/evp/digest.c:985 (threadstest+0x4502d7) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #8 derive_kdk crypto/rsa/rsa_ossl.c:472 (threadstest+0x4cf738) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #9 rsa_ossl_private_decrypt crypto/rsa/rsa_ossl.c:646 (threadstest+0x4d0174) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #10 RSA_private_decrypt crypto/rsa/rsa_crpt.c:48 (threadstest+0x4c6971) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #11 rsa_decrypt providers/implementations/asymciphers/rsa_enc.c:321 (threadstest+0x51cab7) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #12 EVP_PKEY_decrypt crypto/evp/asymcipher.c:280 (threadstest+0x44a9ca) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #13 thread_shared_evp_pkey test/threadstest.c:966 (threadstest+0x404be7) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #14 thread_run test/threadstest.h:67 (threadstest+0x40132d) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)

  Previous write of size 8 at 0x723400002308 by main thread (mutexes: write M0):
    #0 memset <null> (libtsan.so.2+0x4c1eb) (BuildId: 40906101a3a1e1f1ececafafda314aee009d688a)
    #1 CRYPTO_zalloc crypto/mem.c:228 (threadstest+0x48679d) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #2 evp_md_new crypto/evp/digest.c:758 (threadstest+0x44f35e) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #3 evp_md_from_algorithm crypto/evp/digest.c:839 (threadstest+0x44f885) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #4 construct_evp_method crypto/evp/evp_fetch.c:230 (threadstest+0x457ec9) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #5 ossl_method_construct_this crypto/core_fetch.c:110 (threadstest+0x4801bf) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #6 algorithm_do_map crypto/core_algorithm.c:77 (threadstest+0x47f7a3) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #7 algorithm_do_this crypto/core_algorithm.c:122 (threadstest+0x47f987) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #8 ossl_provider_doall_activated crypto/provider_core.c:1609 (threadstest+0x49a42a) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #9 ossl_algorithm_do_all crypto/core_algorithm.c:164 (threadstest+0x47fb14) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #10 ossl_method_construct crypto/core_fetch.c:157 (threadstest+0x4803d0) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #11 inner_evp_generic_fetch crypto/evp/evp_fetch.c:333 (threadstest+0x4583a2) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #12 evp_generic_fetch crypto/evp/evp_fetch.c:404 (threadstest+0x4586dc) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #13 EVP_MD_fetch crypto/evp/digest.c:985 (threadstest+0x4502d7) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #14 derive_kdk crypto/rsa/rsa_ossl.c:472 (threadstest+0x4cf738) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #15 rsa_ossl_private_decrypt crypto/rsa/rsa_ossl.c:646 (threadstest+0x4d0174) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #16 RSA_private_decrypt crypto/rsa/rsa_crpt.c:48 (threadstest+0x4c6971) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #17 rsa_decrypt providers/implementations/asymciphers/rsa_enc.c:321 (threadstest+0x51cab7) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)
    #18 EVP_PKEY_decrypt crypto/evp/asymcipher.c:280 (threadstest+0x44a9ca) (BuildId: f34377d95e3c1d13ab9aa3204d2f1f7840d1c84a)

What tsan is saying here is that the memset in evp_md_new may get
re-ordered such that the contents of the EVP_MD may still be getting
zeroed at the time we have (a) found the EVP_MD in the method store
cache, and (b) attempted to do an up_ref on it.

This is plainly impossible, especially given that, in order to reach the
method store cache, it must be placed in the method store algorithm
sparse array, which still requires the taking of the method store write
lock.  But for some reason tsan fails to see the memory fence that
creates.

It seems the simplest solution to correct this is, if we are running
under tsan, use __ATOMIC_ACQUIRE and __ATOMIC_RELEASE on
CRYPTO_atomic_[load|store]_ptr to make sure tsan sees the proper memory
ordering.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:19 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago improve sharding of cache_lists
Neil Horman [Wed, 29 Apr 2026 22:32:01 +0000 (18:32 -0400)] 
improve sharding of cache_lists

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:17 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago clean out lru list and write lock
Neil Horman [Wed, 29 Apr 2026 20:46:42 +0000 (16:46 -0400)] 
clean out lru list and write lock

We don't need either anymore.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:14 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago remove read lock from method store cache lookup
Neil Horman [Tue, 28 Apr 2026 21:08:43 +0000 (17:08 -0400)] 
remove read lock from method store cache lookup

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:12 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago fully replace hash table with linked list
Neil Horman [Tue, 28 Apr 2026 18:01:04 +0000 (14:01 -0400)] 
fully replace hash table with linked list

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:10 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago add atomic list removal to property cache
Neil Horman [Tue, 28 Apr 2026 15:39:34 +0000 (11:39 -0400)] 
add atomic list removal to property cache

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:08 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago Add atomic list inserted to method store cache
Neil Horman [Tue, 28 Apr 2026 14:08:24 +0000 (10:08 -0400)] 
Add atomic list inserted to method store cache

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:05 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago remove ossl_method_store cache culling
Neil Horman [Tue, 28 Apr 2026 13:41:17 +0000 (09:41 -0400)] 
remove ossl_method_store cache culling

There's no point in thrashing the cache like this; it just gives us more
opportunities to dirty the cpu cache by taking the write lock.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 18:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/31018)

3 days ago Fix missing dependency on ml_kem_keymgmt.c
Neil Horman [Thu, 4 Jun 2026 13:29:31 +0000 (09:29 -0400)] 
Fix missing dependency on ml_kem_keymgmt.c

ml_kem_keymgmt.c includes der_wrap.h, which is a generated file, but
doesn't include a dependency in its build.info file, meaning that if the
dependencies aren't run in the right order, ml_kem_keymgmt.c gets
compiled before der_wrap.h is generated, leading to a build break.

Fix it by including the needed dependency.

Fixes #31379

Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jun  9 17:49:28 2026
(Merged from https://github.com/openssl/openssl/pull/31385)

3 days ago Provide independent lock failure signal on cmp_exch_ptr
Neil Horman [Thu, 28 May 2026 08:46:10 +0000 (04:46 -0400)] 
Provide independent lock failure signal on cmp_exch_ptr

Our CRYPTO atomic api has a somewhat consistent problem in that it's
possible in the case where locking fails to return an error while the
actual operation (store_int, store_ptr, etc), actually succeeded.
cmp_exch is somewhat special here in that we may really need to know
independently if the function failed due to lock failure and if the
exchange occurred (so we can know the output value of *expect).  Add a
separate parameter to allow callers to be informed of these statuses
independently.

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun  9 17:46:07 2026
(Merged from https://github.com/openssl/openssl/pull/31319)

4 days ago apps/s_client.c: read one byte less to avoid triggering overflow protection 31187/head
Eugene Syromiatnikov [Mon, 8 Jun 2026 07:39:31 +0000 (09:39 +0200)] 
apps/s_client.c: read one byte less to avoid triggering overflow protection

Commit e0e276b50a1e "Fix a one byte buffer overflow in s_client" added
a check for the buffer size before adding a terminating \0, which led
to full reads of BUFSIZZ resulting in session termination.  Avoid that
by requesting one byte less.

Co-Authored-by: Tomas Mraz <tomas@openssl.foundation>
Resolves: https://github.com/openssl/openssl/issues/30925
Fixes: e0e276b50a1e "Fix a one byte buffer overflow in s_client"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 09:12:53 2026
(Merged from https://github.com/openssl/openssl/pull/31413)

4 days ago
quic: cleanse derived IV on setup failure
Minh Vu [Sun, 31 May 2026 18:34:17 +0000 (20:34 +0200)] 
quic: cleanse derived IV on setup failure

el_build_keyslot() derives the QUIC IV before the success path stores
*out_iv_len. If a later step fails, the error cleanup currently uses
*out_iv_len and ends up cleansing zero bytes.

Cleanse the caller buffer using the local iv_len instead so the
derived IV is cleared on all post-derivation failure paths.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 08:53:50 2026
(Merged from https://github.com/openssl/openssl/pull/31346)

4 days ago
add fingerprint of the new PGP key
Dmitry Misharov [Mon, 1 Jun 2026 19:24:59 +0000 (21:24 +0200)] 
add fingerprint of the new PGP key

Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 08:27:39 2026
(Merged from https://github.com/openssl/openssl/pull/31353)

4 days ago
Check custom extensions are handled correctly with 3rd party QUIC
Matt Caswell [Tue, 19 May 2026 10:24:58 +0000 (11:24 +0100)] 
Check custom extensions are handled correctly with 3rd party QUIC

We have some code to handle the case where we have custom 3rd party
extensions and 3rd party QUIC. Test that this doesn't cause any problems.

Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 07:51:56 2026
(Merged from https://github.com/openssl/openssl/pull/31238)

4 days ago
There is no need to call custom_ext_copy_old_cb after reallocing dst->meths
Matt Caswell [Tue, 19 May 2026 08:47:18 +0000 (09:47 +0100)] 
There is no need to call custom_ext_copy_old_cb after reallocing dst->meths

In custom_exts_copy_conn we realloc'd the dst->meths buffer, and then
called `custom_ext_copy_old_cb` to transfer ownership of the old style
API wrapper allocations to the newly realloc'd buffer. But this makes
no sense. The buffer is realloc'd, and the old buffer is no longer freed,
so ownership of the old style API wrapper allocations transfers as well.
This is actually a use-after-free (we can no longer access the old buffer
once it's been realloc'd), and also causes a leak. We just delete this
code.

Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 07:51:55 2026
(Merged from https://github.com/openssl/openssl/pull/31238)

4 days ago
Reapply "Preserve connection custom extensions in SSL_set_SSL_CTX()"
Matt Caswell [Tue, 19 May 2026 07:35:47 +0000 (08:35 +0100)] 
Reapply "Preserve connection custom extensions in SSL_set_SSL_CTX()"

This reverts commit 7836b7d5b6a6b27a441c4e4c8564be6b270580c4.

Fixes #31193

Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 07:51:54 2026
(Merged from https://github.com/openssl/openssl/pull/31238)

9 days ago
aes_wrap: prevent crash on update without a key
007bsd [Mon, 25 May 2026 21:10:43 +0000 (00:10 +0300)] 
aes_wrap: prevent crash on update without a key

EVP_CipherInit_ex2 with a NULL key followed by EVP_CipherUpdate
on AES-WRAP/WRAP-PAD/WRAP-INV ciphers dereferenced an uninitialised
function pointer because aes_wrap_init installs ctx->block only
when a key is supplied. aes_wrap_cipher_internal had no guard
before dispatching.

Track key state in ctx->key_set, matching OCB/CCM/GCM/Poly1305,
and refuse update if no key has been installed.

Added a regression test covering AES-256-WRAP, AES-256-WRAP-PAD
and AES-256-WRAP-INV.

CLA: trivial

Fixes: ca392b294359 "Add aes_wrap cipher to providers"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jun  3 11:52:05 2026
(Merged from https://github.com/openssl/openssl/pull/31292)

9 days ago
doc: Clarify SSL_CERT_DIR uses semicolon separator on Windows
kovan [Mon, 2 Feb 2026 11:01:51 +0000 (12:01 +0100)] 
doc: Clarify SSL_CERT_DIR uses semicolon separator on Windows

The documentation for SSL_CERT_DIR stated that directories are
colon-separated, but on Windows the separator is semicolon.

Updated:
- openssl-rehash.pod.in: Added note about semicolon separator on Windows
- openssl-env.pod: Added note about multiple directories and Windows separator

Fixes: #27698
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Jun  3 11:44:35 2026
(Merged from https://github.com/openssl/openssl/pull/29894)

9 days ago
Provide ASN1_STRING_new_not_owned()
Bob Beck [Fri, 24 Apr 2026 20:28:54 +0000 (14:28 -0600)] 
Provide ASN1_STRING_new_not_owned()

This function provides the ability to construct an ASN1_STRING
containing data that is not owned by the constructed ASN1_STRING. The
resulting ASN1_STRING, when freed, will not free the data, and it is
the caller's responsibility to ensure that the data lives past the
lifetime of any returned ASN1_STRING.

Why, you may ask? Many places where ->data and ->length were used
directly in the past, before the opaquification of ASN1_STRING, were
for this purpose, whether used for actual static data, or to turn
bytes created by and in control of the caller into an ASN1_STRING
for temporary use as an input. This function makes this easier
to do without making copies.

The function deliberately does not allow the creation of a BIT_STRING
as this would require also always providing unused bits, which is
annoying and unnecessary for almost all potential use cases.

For: https://github.com/openssl/openssl/issues/29861
For: https://github.com/openssl/openssl/issues/30162

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Jun  3 11:42:49 2026
(Merged from https://github.com/openssl/openssl/pull/30964)