Milan Broz [Fri, 27 Mar 2026 09:38:52 +0000 (10:38 +0100)]
Remove superfluous volatile for RCU on Windows
When compiling on the MINGW platform, there are many warnings like this:
warning: passing argument 1 of 'CRYPTO_atomic_add64' discards 'volatile'
qualifier from pointer target type [-Wdiscarded-qualifiers]
CRYPTO_atomic_add64(&lock->qp_group[qp_idx].users, (uint64_t)1, &tmp64,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The warning actually shows several issues with volatile in struct rcu_qp:
- all handling functions using it do not use the volatile modifier,
so that the compiler can treat this pointer as non-volatile already
(Posix pthread variant does not use volatile here at all.)
- thread safety is already guaranteed by using locks
(NO_INTERLOCKEDOR64) or Interlocked*64 Win32 API functions.
- the volatile removal modifier should always be explicit
In short, I think the volatile in struct rcu_qp on Windows
has no additional value and can be removed.
This also fixes the warnings mentioned above :-)
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:25:56 2026
(Merged from https://github.com/openssl/openssl/pull/30602)
kovan [Tue, 27 Jan 2026 11:11:08 +0000 (12:11 +0100)]
doc: fix -signcert grouping in CA.pl documentation
The -signcert option was incorrectly grouped with -sign and -xsign at
line 109, which implied they were equivalent. However, -signcert is
different: it expects a self-signed certificate (not a certificate
request) in newreq.pem, and converts it to a request before signing.
This is correctly documented in its own separate section at line 123,
which states "-signcert is the same as -sign except it expects a self
signed certificate".
Remove -signcert from the -sign/-xsign grouping to eliminate the
contradiction.
Resolves: https://github.com/openssl/openssl/issues/29165 Fixes: 022696cab014 "Allow CA.pl script user to pass extra arguments to openssl command" Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:10:50 2026
(Merged from https://github.com/openssl/openssl/pull/29794)
Update the documentation to include that added const qualifiers
to the arguments of X509_EXTENSION_get_object(), X509_EXTENSION_get_data(),
and X509v3_add_ext().
References: https://github.com/openssl/openssl/pull/30595
Complements: e75bd84ffc73 "Constify X509_get_ext() and friends.." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Tue Mar 31 00:47:35 2026
(Merged from https://github.com/openssl/openssl/pull/30601)
ikev2kdf.c: expand missing secret check in kdf_ikev2kdf_derive()
The seemingly impossible (and erroneous) case of (secret == NULL &&
secret_len != 0) is not accounted for in sanity checks, which provoked
Coverity to report potential NULL dereference in ikev2_check_secret_and_pad()
afterwards. Placate it by expanding the check to cover that improbable
situation and echo the seedkey check from the previous case.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1690439
Complements: 0dd1c50fc070 "Add IKEV2KDF implementation" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 00:33:22 2026
(Merged from https://github.com/openssl/openssl/pull/30566)
Milan Broz [Sat, 28 Mar 2026 11:37:32 +0000 (12:37 +0100)]
Use OPENSSL_assert for Windows RCU for missing lock
If NO_INTERLOCKEDOR64 is define, Windows RCU code must
use thread locks.
The lock *must* be provided in that case otherwise it is
an internal code error, not a runtime error.
Use OPENSSL_assert here.
This also fixes several unititialized variable warnings
as analyzer no longer see this impossible paths in code.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:28:20 2026
(Merged from https://github.com/openssl/openssl/pull/30619)
Milan Broz [Fri, 27 Mar 2026 09:40:35 +0000 (10:40 +0100)]
Silence MINGW warning about INVALID_SOCKET
On Windows, SOCKET is defined as unsigned (UINT_PTR).
In OpenSSL, the socket abstraction uses int, see
discussion in https://github.com/openssl/openssl/issues/7282.
MINGW for some time uses a signed definition of INVALID_SOCKET,
then switched back to unsigned, see for example
https://sourceforge.net/p/mingw-w64/discussion/723797/thread/71522d10/
Currently, it is defined as unsigned, creating many warnings like
warning: overflow in conversion from 'long long unsigned int' to 'int'
changes value from '18446744073709551615' to '-1' [-Woverflow]
*sock = INVALID_SOCKET;
As we use INVALID_SOCKET only in our code, we can safely silence
this warning just by redefining INVALID_SOCKET to signed
(version that is commented out in MINGW headers).
While this is only a workaround, it has been here for years and
allows focus on more important warnings.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:27 2026
(Merged from https://github.com/openssl/openssl/pull/30616)
Milan Broz [Fri, 27 Mar 2026 09:39:56 +0000 (10:39 +0100)]
Define static set_cloexec() only when really used
Statically defined set_cloexec helper is used only
if RIO_NOTIFIER_METHOD_SOCKET is set (for non-Windows branch)
and if RIO_NOTIFIER_METHOD_SOCKETPAIR is set
(always).
This avoids unused code warnings.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:26 2026
(Merged from https://github.com/openssl/openssl/pull/30616)
openssl-machine [Tue, 24 Mar 2026 15:13:42 +0000 (15:13 +0000)]
Update ordinals from 4.0.0-beta1
This is a partial forward-port of commit 3c4194022cc4 "make update"
from the openssl-4.0 branch, that includes updates to util/libcrypto.num
and util/libssl.num files.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:52:22 2026
(Merged from https://github.com/openssl/openssl/pull/30555)
Abhinav Agarwal [Tue, 24 Mar 2026 02:17:04 +0000 (19:17 -0700)]
quic: add missing return 0 after raise_protocol_error for NEW_CONN_ID
Every other frame type handler in depack_process_frames() returns 0
after calling ossl_quic_channel_raise_protocol_error(), but the
NEW_CONN_ID case falls through to depack_do_frame_new_conn_id().
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:48:44 2026
(Merged from https://github.com/openssl/openssl/pull/30550)
Adds NULL checks for EVP_MD_CTX_get_pkey_ctx() return values
Guard against potential NULL pointer dereferences when
EVP_MD_CTX_get_pkey_ctx() is called and its result is used
without validation. Store the return value in a local variable,
check for NULL before passing it to subsequent functions, and
remove redundant repeated calls.
Fixes #27735
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:39:04 2026
(Merged from https://github.com/openssl/openssl/pull/30522)
Amaan Qureshi [Fri, 20 Mar 2026 00:40:20 +0000 (20:40 -0400)]
s390x: set minimum architecture level to z10
The keccak1600 perlasm file (`keccak1600-s390x.pl`) emits `cijne`, a
z10 compare-immediate-and-branch instruction, without declaring a
minimum architecture level. GCC defaults to `-march=z900` on s390x,
causing assembler errors when building with the default toolchain
flags:
z900 has been out of service since 2014, the Linux kernel requires
z196 minimum, and clang already defaults to z10 on s390x. A
`.machine "z10"` GAS directive in the generated assembly resolves the
error by declaring the architecture level the file already requires.
Ref: #27323
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:32:22 2026
(Merged from https://github.com/openssl/openssl/pull/30507)
herbenderbler [Wed, 25 Mar 2026 06:49:06 +0000 (00:49 -0600)]
Use mmap for pkeyutl -rawin and dgst one-shot input
When using openssl pkeyutl -rawin or openssl dgst for one-shot sign/verify
(e.g. Ed25519, Ed448), file input is now read via mmap() on Unix where
supported, avoiding a full buffer allocation and copy. Large files are
supported without doubling memory use; on failure of the mmap path we
do not fall back to the buffer path.
- Add app_mmap_file() in apps/lib/apps.c: stat/open/mmap/close, tri-state
return (1 mapped, 0 size zero, -1 error). Parameter err_bio avoids
shadowing global bio_err (-Wshadow).
- apps/pkeyutl.c and apps/dgst.c: use app_mmap_file(); single exit for
mmap path in pkeyutl; dgst includes apps.h first for _FILE_OFFSET_BITS;
do_fp_oneshot_sign returns EXIT_SUCCESS/EXIT_FAILURE like do_fp(); no
fallback when mmap attempted but fails.
- pkeyutl mmap/buffer path: pass filesize to EVP_DigestVerify and
EVP_DigestSign (review suggestion, avoids casting buf_len).
- Error messages: per-file messages for stat/size (dgst, pkeyutl); CHANGES.md
"Unix-like" and "16 MB" (documentation style).
- Centralize _FILE_OFFSET_BITS and mmap includes in apps/include/apps.h.
- Tests: pkeyutl/dgst oneshot from file, no-fallback regression tests;
use srctop_dir for test paths; stderr patterns for mmap errors.
- Docs: man pages and CHANGES.md.
CI fixes: return failure from dgst one-shot sign when mmap fails; treat
non-regular paths as mmap errors in app_mmap_file() and pkeyutl; reject
directories before mmap.
Addresses review feedback from DDvO, npajkovsky, and vdukhovni (PR #30429).
Fixes #11677
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org> Co-authored-by: David von Oheimb <DDvO@users.noreply.github.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 27 16:25:33 2026
(Merged from https://github.com/openssl/openssl/pull/30429)
Weidong Wang [Sat, 21 Mar 2026 15:41:49 +0000 (10:41 -0500)]
Fix missing EVP_CIPHER_get_iv_length() guard in PKCS5_pbe2_set_scrypt
Store the return value of EVP_CIPHER_get_iv_length() in a local variable
and guard with (ivlen > 0) before passing to memcpy/RAND_bytes, matching
the pattern already used in p5_pbev2.c. Without this, a negative return
value (-1) is implicitly converted to SIZE_MAX when cast to size_t,
causing a stack buffer overflow on iv[EVP_MAX_IV_LENGTH].
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:14:09 2026
(Merged from https://github.com/openssl/openssl/pull/30510)
CMS/PKCS#7 doc: Fix inconsistencies and missing detail w.r.t. smimesign and smimeencrypt purposes
* Fix inconsistent doc (so far using purpose names smime_sign and smime_encrypt) vs. implementation
* Add the info that "smimesign" is the default purpose here.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Mar 27 06:25:20 2026
(Merged from https://github.com/openssl/openssl/pull/18914)
This is a workaround for an issue that lead to fuzz-checker CI failures;
the preliminary solution is to disable the inessential test case
test_exec_KUR_bad_pkiConf_protection.
References: https://github.com/openssl/openssl/pull/28973 Fixes: 525a4f1efbab "cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain" Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 26 15:55:34 2026
(Merged from https://github.com/openssl/openssl/pull/30567)
cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print diagnostics
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new.pod and ossl_cmp_msg_check_update.pod
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
crypto/cmp/: generalize info/debug messages and code comments from mentioning 'server' to 'sender'
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
apps/cmp.c: minor code refactoring on -no_cache_extracerts, tweak mock server error message
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
cmp_vfy.c: fix crash on attempting to use invalidated sender cert on producing diagnostic information
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
apps/cmp.c: make sure that CMP mock server respects -ignore_keyusage and -no_cache_extracerts
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)
Abhinav Agarwal [Sun, 22 Mar 2026 17:45:53 +0000 (10:45 -0700)]
quic: fix off-by-one in QUIC_MAX_MAX_ACK_DELAY
Should be 2^14-1 (16383) per RFC 9000 s. 18.2, not 2^14 (16384).
Fixes: 35dc6c353bfe ("QUIC: Make more transport parameters configurable") Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:55:50 2026
(Merged from https://github.com/openssl/openssl/pull/30531)
crypto/idea/i_ofb64.c: mask the num value after negativity check
Commit 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB
implementations" introduced masking of the user-supplied num value
in several functions, which rendered the exiting *num negativity check
introduced in 1634b2df9f12 "enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value"
ineffectual. While commit b73a5743253d "crypto/idea/i_cfb64.c:
condition 'n < 0' can never be met after doing 'n = n & 0x07'"
has addressed the issue in crypto/idea/i_cfb64.c:IDEA_cfb64_encrypt(),
this commit addresses the same issue
in crypto/idea/i_ofb64.c:IDEA_ofb64_encrypt() in similar fashion,
by postponing the masking after the negativity check.
The issue has initially reported by Coverity, ID 1689815.
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689815 Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
References: b73a5743253d "crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'" Co-Authored-by: Alexandr Nedvedicky <sashan@openssl.org> Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30528)
Aditya Patil [Fri, 20 Mar 2026 14:43:10 +0000 (10:43 -0400)]
threadstest: Check the return value of two memory allocations
Add a NULL check with OPENSSL_assert() before dereferencing the allocated pointer.
Fixes #30017
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:44:44 2026
(Merged from https://github.com/openssl/openssl/pull/30509)
easonysliu [Wed, 18 Mar 2026 08:22:24 +0000 (16:22 +0800)]
conf: guard NULL group in NCONF_get_string() error path
NCONF_get_string() passes the group parameter directly to
ERR_raise_data() with a %s format specifier. The CONF API
explicitly allows group to be NULL (meaning "default section"),
and multiple internal callers use this, such as conf_diagnostics()
and CONF_modules_load().
When the lookup fails and the error path is reached, passing NULL
to %s is undefined behavior per the C standard. On Linux/glibc
it happens to print "(null)", but on platforms like Solaris 10 it
crashes in strlen() inside vsnprintf().
This was exposed after commit #28305 replaced the custom _dopr()
(which had an explicit NULL-to-"<NULL>" guard in fmtstr()) with
the platform's native vsnprintf().
Guard the NULL by using an empty string in the format argument.
Fixes #30402
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:39:02 2026
(Merged from https://github.com/openssl/openssl/pull/30484)
Liu-ErMeng [Fri, 13 Mar 2026 09:29:28 +0000 (02:29 -0700)]
Fix vpsm4_ex-armv8.pl implementation bug
Load .Lsbox_magic base once via adrp+add and use plain immediate offsets for q loads,
avoiding potential low-12-bit truncation issues with #:lo12:symbol+offset.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:36:51 2026
(Merged from https://github.com/openssl/openssl/pull/30410)
huanghuihui0904 [Thu, 12 Mar 2026 13:01:30 +0000 (21:01 +0800)]
apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()
setup_verification_ctx() allocates out_trusted via load_trusted() and passes
it to OSSL_CMP_CTX_set_certConf_cb_arg(). Since the argument is not consumed,
it must be freed on failure. The fix is to free out_trusted if
OSSL_CMP_CTX_set_certConf_cb_arg() fails.
Fixes #30377
Signed-off-by: huanghuihui0904 <625173@qq.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:34:49 2026
(Merged from https://github.com/openssl/openssl/pull/30392)
Peter Zhang [Wed, 11 Mar 2026 22:59:48 +0000 (22:59 +0000)]
Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect
When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
wrap it in square brackets for the CONNECT request line (e.g.,
CONNECT [::1]:443 HTTP/1.0). Also handle the case where the server
string already includes brackets (as returned by OSSL_HTTP_parse_url).
Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c") Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:32:06 2026
(Merged from https://github.com/openssl/openssl/pull/30384)
Neil Horman [Tue, 3 Mar 2026 15:04:04 +0000 (10:04 -0500)]
Fixup property test to have enough of a real provider struct
Now that ossl_method_store_cache_[set|get] query the provider name, we
need to make our property test account for that, by defining the
property query to be identical to what the internal definiton is.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:11 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
Currently our property query lookup performance could be better. It
suffers from three major drawbacks,
1) The hashtable itself could be faster. our internal hashtable
implementation is generally quicker than our LHASH implementation
2) The lookup case a specific provider (i.e. when we do a cache lookup with
prov != NULL requires some signficant iteration over hash buckets with
LHASH, as we iterate over all entries that match the same query looking
for a matching provider pointer)
3) Stochastic flush is..not great. When we reach cache size limitations
(currently 512 entries spread over 4 shards), we randomly flush about
50% of the cache, which requires an iteration over the entire hash
table)
Lets address all of these
1) Is pretty straight forward. Replacing the LHASH hashtable with our
internal hash table is pretty easy, and lets us take advantage of the
hash computation caching introduced earlier.
2) With (1) we can do direct lookups of specific provider, by including
the provider name in the hash key. Provider agnostic (i.e. provider
== NULL) lookups are now handled by adding an extra hash entry for
each nid with the key being _only_ the property query. Prior entries
for the same key get evicted, so a lookup for prop_query = X, prov =
NULL returns the last QUERY that was added for that query string
against a particular nid.
3) I've never fully understood why we do random early discard of queries
when we reach capacity. It seems easier and more efficient to just
discard a single entry to keep us under our size limits. Especially
given that the sharding reduces the likelyhood that we need to flush
in any given shard. This also prevents us from needing to traverse
the entire hash table, as we can just discard a single QUERY and
abort the loop early.
In addition to the above we can also:
1) Migrate the QUERY hashtable from the ALGORITHM struct to the
STORED_ALGORITHMS struct. Currently we create a hash table per
ALGORITHM, and we have potentially hundreds of algorithms. While
this makes for really fast lookups, each QUERY cache only having a
few entries, its a huge waste of memory, consolidating all of the
nids to a single sharded STORED_ALGORITHMS struct saves a bunch of
memory and is still faster than what we have currently.
2) Add an lru-like linked list to QUERY entries. This serves two
purposes. Its not quite lru/lfu, but it allows us to more quickly do
an in-order traversal of a hash table on every node, and detect when
a QUERY has been looked up since the last query table update. By
detecting this, we can bias ourselves on cull operations toward
eliminating those entries which have not been referenced frequently.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:09 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
Neil Horman [Tue, 3 Mar 2026 14:45:19 +0000 (09:45 -0500)]
Add extern key buffer setup for hash table
One thing @npajkovsky noted in our recent discussion about the internal
hash table was that its unfortunate that keys have to be sized for the
maximal use case in our current hashtable code.
We can avoid that.
Introduce a new init mechanism that allows for keys to initalized using
an external buffer that can be setup and marshalled independently of the
key itself. This allows us to only allocate the amount of data needed
for the key, rather than a maximally sized buffer where appropriate and
adventageous.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:07 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
Neil Horman [Sun, 1 Mar 2026 20:18:30 +0000 (15:18 -0500)]
Add ability to extract computed hash from hashtable
One thing we can do to speed up hash table lookups is to cache/reuse
computed hash values when interrogating a hash table multiple times in
rapid succession.
We follow this pattern frequently when using hashtables:
value = lookup_hash(key)
if (value == NULL)
value = new_value()
insert_to_hash(key, value)
Note that we use the same key for the lookup and the insert. So if we
had a way to preserve the value this key hashed to, we can avoid having
to do a second hash computation during the lookup.
These new macros give us that. The HT_KEY structure now stores the
computed hash value in the key, which can be extracted and reused by the
caller with the HT_INIT_KEY_CACHED macro. When set, the cached hash
value is used, rather than needing to recompute the hash for any
subsequent operations
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:05 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
CHANGES.md: remove duplicating "Added support for RFC 8701 GREASE..." entry
A cleanup after merge conflict resolution in a1420a699d25 "Implement RFC 8701
GREASE for TLS ClientHello".
Fixes: a1420a699d25 "Implement RFC 8701 GREASE for TLS ClientHello". Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Mar 22 01:03:54 2026
(Merged from https://github.com/openssl/openssl/pull/30505)
Deven Dighe [Thu, 19 Mar 2026 13:54:21 +0000 (09:54 -0400)]
crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls
Explicitly cast dst argument of InterlockedExchange{,64} calls
in CRYPTO_atomic_store{,_int}() to LONG{64,} volatile *, respectively,
to work around incompatible pointer type errors on 64-bit MinGW builds.
Initially Reported by Splediferous.
[esyr: massaged the commit message a bit]
CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/30451 Fixes: cc7195da3038 "Make FIPS self test state access atomic" Fixes: 7e45ac6891ad "Add CRYPTO_atomic_store api"
add cast to LONG volatile * for InterlockedExchange
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:56:36 2026
(Merged from https://github.com/openssl/openssl/pull/30504)
slontis [Tue, 17 Mar 2026 23:16:44 +0000 (10:16 +1100)]
SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow
Reported by Zehua Qiao and me@snkth.com
An encode message buffer M = 00 || CXT_LEN || CTX || MSG was being
allocated followed by memcpy's into the buffer for CTX and MSG.
If len(MSG) was close to size_t the allocated buffer would be
overwritten.
The fix uses WPACKET to perform the message encoding M = 00 || CXT_LEN || CTX || MSG
Although ML_DSA does a similiar operation, SLH-DSA has to buffer the
encoding because the encoded message is processed multiple times for
PRF_MSG and H_MSG. FOr ML_DSA the encoded message can just be hashed.
Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification." Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:15:47 2026
(Merged from https://github.com/openssl/openssl/pull/30477)
crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'
Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689816 Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations" Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:50:41 2026
(Merged from https://github.com/openssl/openssl/pull/30500)
huanghuihui0904 [Mon, 16 Mar 2026 07:16:21 +0000 (15:16 +0800)]
ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.
Signed-off-by: huanghuihui0904 <625173@qq.com> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:11:54 2026
(Merged from https://github.com/openssl/openssl/pull/30443)
Weidong Wang [Tue, 17 Mar 2026 16:21:52 +0000 (11:21 -0500)]
Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()
In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.
The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.
Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs" Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:23:27 2026
(Merged from https://github.com/openssl/openssl/pull/30463)
1seal [Tue, 17 Mar 2026 09:14:32 +0000 (10:14 +0100)]
test: add regression tests for unauthorized OCSP response signers
extend test_tlsext_status_type() with a handshake that serves a
leaf-signed stapled OCSP response and verifies the connection fails
when X509_V_FLAG_OCSP_RESP_CHECK is enabled.
generalize ocsp_server_cb_single() to use configurable signer
cert/key instead of hardcoded paths so the same callback serves
both authorized and unauthorized signer test cases.
add a test_ocsp() subtest covering the -issuer CLI option with
an untrusted issuer hint.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:29 2026
(Merged from https://github.com/openssl/openssl/pull/30323)
1seal [Tue, 17 Mar 2026 09:14:21 +0000 (10:14 +0100)]
x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths
check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.
similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.
remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.
Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command" Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs" Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/30323)
Jaeho Nam [Sun, 15 Mar 2026 08:31:49 +0000 (08:31 +0000)]
x509: fix bug in timeSpecification printing
Fix i2r_OSSL_DAY_TIME() to check dt->second before decoding the
optional seconds field. Add a regression certificate and x509 recipe
coverage for the periodic timeSpecification case with no seconds.
Resolves: https://github.com/openssl/openssl/issues/30424 Fixes: 70b17e5a00da "feat: support the timeSpecification X.509v3 extension" Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Mar 20 18:47:04 2026
(Merged from https://github.com/openssl/openssl/pull/30425)
When extsoffset == clearlen - 1 the check passes, but the second read
clear[extsoffset + 1] is clear[clearlen], which is one byte beyond
the decrypted plaintext. The allocation is OPENSSL_malloc(cipherlen)
where cipherlen = clearlen + AEAD_overhead, so the address is valid,
but the byte is uninitialised after OSSL_HPKE_open returns.
Using Valgrind confirmed an uninitialised-value read at this location
via the full server handshake path:
The subsequent ch_len > clearlen check (line 1875) acts as a safety net
and prevents the stale byte from being used further, so the practical
impact is a forced decode error rather than memory disclosure.
Nevertheless, the read itself is incorrect and should be fixed.
Fix: change the guard to extsoffset + 2 so that both bytes
of the extensions length field are confirmed to be within the decrypted
buffer before either is read.
This issue was identified through AI-assisted structural analysis
(RAPTOR) using CodeQL database tooling (AST analysis, control flow
verification, dominator tree analysis) against the OpenSSL master
branch. The off-by-one was confirmed via AST inspection showing
GT(Add(extsoffset, 1), clearlen) instead of the expected
GT(Add(extsoffset, 2), clearlen).
Found by myself @danielcuthbert and validated
by Benjamin Rodes - Microsoft @bdrodes.
CLA: trivial Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello" Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:07:01 2026
(Merged from https://github.com/openssl/openssl/pull/30472)
slontis [Fri, 13 Mar 2026 04:13:40 +0000 (15:13 +1100)]
Fix windows build failure for arm64ec
The new b64 encoder code uses __m256 which is not currently supported in ARM64EC code,
since it does not natively support x64-specific instruction sets like AVX.
Disable the fast AVX path if arm64EC is used.
herbenderbler [Sat, 14 Mar 2026 23:34:03 +0000 (17:34 -0600)]
Remove unused vpaes_ecb_decrypt from ARMv8 vpaes assembly
vpaes_ecb_decrypt in vpaes-armv8.pl was never referenced. It also
contained a bug: the single-block path called _vpaes_encrypt_core
instead of _vpaes_decrypt_core. Delete the dead function.
Abhinav Agarwal [Wed, 18 Mar 2026 16:01:07 +0000 (09:01 -0700)]
quic: fix NULL pointer dereference in ossl_uint_set_remove()
In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.
Check the allocation result before insertion and return 0 on failure.
Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type" Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 19:24:09 2026
(Merged from https://github.com/openssl/openssl/pull/30490)
sftcd [Fri, 13 Mar 2026 22:02:29 +0000 (22:02 +0000)]
ECH: chunk-size bug fix and non-regression changes
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Mar 19 10:35:56 2026
(Merged from https://github.com/openssl/openssl/pull/30417)
Adds documentation of X509V3_EXT_print and X509V3_EXT_print_fp.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar 19 09:20:07 2026
(Merged from https://github.com/openssl/openssl/pull/29996)
Milan Broz [Tue, 17 Mar 2026 13:09:47 +0000 (14:09 +0100)]
test: Increase timeout for QUIC multistream test
I can regularly hit timeout on Windows for QUIC multistream test.
While increasing is not the best solution, it eliminates many
failures during testing. This timeout only applies in specific
situation, so run time should not be actually used often.
Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Mar 19 09:17:57 2026
(Merged from https://github.com/openssl/openssl/pull/30461)
QUIC stack must disable hash table contraction before doing
lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
dead memory when traversing to next item in hash table.
One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
table contraction when table is being destroyed during the
_doall() traversal.
call lh_TYPE_set_down_load(lh, 0) before doing
lh_TYPE_daall() with lh_TYPE_delete(). This disables
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/30371)
slontis [Mon, 16 Mar 2026 04:32:01 +0000 (15:32 +1100)]
SLH_DSA: signing operation incorrectly returned 1 on failure.
Initially Reported by Zehua qiao
Fixes #30414
A block copy bug incorrectly set ret = 1 straight after assigning
ret.
Setting the *sig_len has been delayed to the err path in case
WPACKET_finish fails.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Mar 18 07:19:54 2026
(Merged from https://github.com/openssl/openssl/pull/30438)
frostb1ten [Mon, 16 Mar 2026 10:07:12 +0000 (05:07 -0500)]
Mask *num on entry in deprecated low-level OFB/CFB implementations
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Mar 18 07:11:44 2026
(Merged from https://github.com/openssl/openssl/pull/30447)
Scott [Mon, 16 Mar 2026 17:30:50 +0000 (12:30 -0500)]
Fix incorrect error return in ppc_aes_gcm_cipher_update decrypt path
ppc_aes_gcm_cipher_update() returns 1 on success and 0 on failure.
The decrypt pre-alignment path (line 122) incorrectly returned -1
instead of 0 when CRYPTO_gcm128_decrypt() failed.
Since the caller checks `if (!hw->cipherupdate(...))`, and !(-1)
evaluates to 0 (false) in C, the error was silently swallowed and
GCM processing continued with potentially corrupt state.
The encrypt path at line 98 correctly returns 0. This was likely a
copy-paste error when the decrypt path was added.
Fixes #30380
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 07:03:41 2026
(Merged from https://github.com/openssl/openssl/pull/30452)
Weidong Wang [Tue, 10 Mar 2026 17:42:35 +0000 (12:42 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_stream
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:56 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Weidong Wang [Tue, 10 Mar 2026 17:15:22 +0000 (12:15 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_dataFinal
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:53 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Weidong Wang [Tue, 10 Mar 2026 17:08:35 +0000 (12:08 -0500)]
pkcs7: fix NULL contents dereference in PKCS7_ctrl
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:49 2026
(Merged from https://github.com/openssl/openssl/pull/30351)
Stefan Berger [Thu, 12 Mar 2026 14:57:43 +0000 (09:57 -0500)]
openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section
In the BUGS section mention that signing wtih an Ed448 key is not supported
when using signed-data with signed attributes due to missing support for
id-shake256-len.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:27 2026
(Merged from https://github.com/openssl/openssl/pull/30312)
Stefan Berger [Sun, 8 Mar 2026 23:11:02 +0000 (18:11 -0500)]
cms: Make sha512 the required hash for CMS with signedAttributes
RFC 8419 requires that, when using an Ed25519 key for CMS signed-data with
signed attributes, SHA512 must be used. Modify the entry in the key2data
table to reflect this giving the user not other choice for a hash.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:24 2026
(Merged from https://github.com/openssl/openssl/pull/30312)
Stefan Berger [Sun, 8 Mar 2026 23:07:16 +0000 (18:07 -0500)]
man: Mention Ed448 for CMS with signed attributes is not supported
Mention that Ed448 keys cannot currently be used for CMS with
signed attributes since RFC 8419 requires id-shake256-len be used,
which is not currently supported by OpenSSL.
Resolves: 30291 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:20 2026
(Merged from https://github.com/openssl/openssl/pull/30312)
Viktor Dukhovni [Mon, 16 Mar 2026 08:30:04 +0000 (19:30 +1100)]
Avoid premature short-circuit in check_email
- Also harden check_hosts() to handle NULL `vpm->hosts`,
currently checked by the caller.
- Also harden check_ips() to handle NULL `vpm->ips`,
currently checked by the caller.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Mar 17 15:35:16 2026
(Merged from https://github.com/openssl/openssl/pull/30444)
mcrmck [Sun, 8 Mar 2026 02:51:17 +0000 (21:51 -0500)]
Implement RFC 8701 GREASE for TLS ClientHello
Add client-side GREASE (Generate Random Extensions And Sustain
Extensibility) support per RFC 8701. When SSL_OP_GREASE is set,
the TLS client injects reserved 0x?A?A-pattern values into the
ClientHello to prevent ecosystem ossification caused by servers
that reject unknown values.
GREASE values are injected into:
- Cipher suites (prepended)
- Supported versions extension (prepended)
- Supported groups extension (prepended)
- Signature algorithms extension (appended)
- Key share extension (prepended, 1 zero byte)
- Two standalone extensions (one empty, one with 1 zero byte)
The implementation uses lazy-seeded random values that remain
consistent across HelloRetryRequest retransmissions. GREASE values
from server responses are rejected as illegal parameters.
Add -grease option to s_client to enable GREASE from the command line.
Closes #9660
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 14:58:25 2026
(Merged from https://github.com/openssl/openssl/pull/30303)
Daniel Kubec [Mon, 2 Mar 2026 16:56:52 +0000 (17:56 +0100)]
x509: add EXFLAG_DUPLICATE and cheap O(1) extension duplicate check
In ossl_x509v3_cache_extensions(), introduce EXFLAG_DUPLICATE flag to
signal duplicate X.509 extensions. Add O(1) duplicate detection
using a bitset with minimal stack memory footprint, in compliance with
RFC 5280 Section 4.2.
Fixes #26325
Co-authored-by: Tomáš Mráz <tm@t8m.info> Co-authored-by: David von Oheimb <DDvO@users.noreply.github.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 13:43:13 2026
(Merged from https://github.com/openssl/openssl/pull/30233)
projects / thirdparty / openssl.git / log
