AIX header files don't properly expose sendmmsg/recvmmsg function
declarations. Disable these functions to avoid implicit declaration
errors with clang 16+.
This issue was discovered when building Node.js with clang.
CLA: trivial Fixes: 52cd2a49c53e "Enable send-/recvmmsg for AIX >= 7.2 and disable SUPPORT_LOCAL_ADDR."
References: https://github.com/nodejs/node/pull/62656
Resolves: https://github.com/openssl/openssl/issues/30806
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 12:02:58 2026
(Merged from https://github.com/openssl/openssl/pull/30832)
This patch adds an AArch64-specific extension cross-compile workflow.
This is inspired by the existing RISC-V extension cross-compile
workflow and applies the same matrix-driven approach to AArch64.
References: https://github.com/openssl/openssl/issues/29269 Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Dmitry Misharov <dmitry@openssl.org>
MergeDate: Sun Apr 26 11:53:08 2026
(Merged from https://github.com/openssl/openssl/pull/30764)
Specifically they have observed the following behavior, as noted in the
above article:
When taking snapshots that include heaps and modules for a process other than
the current process, the CreateToolhelp32Snapshot function can fail or return
incorrect information for a variety of reasons. For example, if the loader data
table in the target process is corrupted or not initialized, or if the module
list changes during the function call as a result of DLLs being loaded or
unloaded, the function might fail with ERROR_BAD_LENGTH or other error code.
Ensure that the target process was not started in a suspended state, and try
calling the function again. If the function fails with ERROR_BAD_LENGTH when
called with TH32CS_SNAPMODULE or TH32CS_SNAPMODULE32, call the function again
until it succeeds.
This behavior necessitates calling DSO_pathbyaddr mutiple times to get a
succesful return code.
win32_pathbyaddr can be made more reliable, avoiding the need for multiple calls
by using alternate windows apis that are not/less succeptible to these transient
errors in multithreaded environments.
refactor win32_pathbyaddr here to implement that increased reliability.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 11:48:58 2026
(Merged from https://github.com/openssl/openssl/pull/30705)
The PATH_MAX define is needed on HURD which is now skipped since it is
winthin the _WIN32 block.
Move the PATH_MAX check+define outside of the _WIN32 block.
Fixes: a2e5848d9d11 "s_client and s_server options for ECH" Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sun Apr 26 11:35:52 2026
(Merged from https://github.com/openssl/openssl/pull/30520)
Weidong Wang [Fri, 20 Mar 2026 10:10:53 +0000 (05:10 -0500)]
Fix double-free in mlx_kem_dup() default case
Null mkey/xkey immediately after OPENSSL_memdup() so that any failure
path (including propq strdup) can safely call mlx_kem_key_free() without
risking a double-free on the source key's material. Use key->* rather
than ret->* for source-state checks to make ownership explicit.
Test that mlx_kem_dup() with partial key selection (e.g.
EVP_PKEY_PUBLIC_KEY) does not corrupt the original key's mkey/xkey
sub-objects. Covers X25519MLKEM768, SecP256r1MLKEM768,
and SecP384r1MLKEM1024.
Fixes: 4b1c73d2dd74 "ML-KEM hybrids for TLS" Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Sun Apr 26 11:14:12 2026
(Merged from https://github.com/openssl/openssl/pull/30511)
Jakub Zelenka [Thu, 16 Apr 2026 16:17:59 +0000 (18:17 +0200)]
Add memory allocation failure testing framework
Introduce ADD_MFAIL_TEST for exhaustive testing of allocation failure
handling in individual functions. The framework repeatedly calls the
test function, each time failing one allocation later within the
section bracketed by mfail_start() and mfail_end(), verifying that
every failure path returns 0 without crashing or leaking.
Custom allocators are installed once at startup via
CRYPTO_set_mem_functions(). When not armed, they pass through to
malloc/realloc/free. Installation can be disabled by setting
OPENSSL_TEST_MFAIL_DISABLE for tests that need the default allocator
(e.g. those using OPENSSL_MALLOC_FAILURES).
Additional environment variables control test execution:
OPENSSL_TEST_MFAIL_SKIP_ALL, OPENSSL_TEST_MFAIL_SKIP_SLOW,
OPENSSL_TEST_MFAIL_POINT, and OPENSSL_TEST_MFAIL_START.
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 23 20:23:34 2026
(Merged from https://github.com/openssl/openssl/pull/30871)
Viktor Dukhovni [Thu, 16 Apr 2026 11:41:07 +0000 (21:41 +1000)]
Drop value barrier from ML-DSA reduce_once
This mirrors the corresponding code in ML-KEM and works under
the same conditions/assumptions. Also adjusted related
functions with unnecessary 2-layers of constant_time selects
where one suffices (now also matching BoringSSL).
Intentionally uses the constant time instrumentation PR as its
merge-base, so to be merged after than has baked in for a few
days and shows working CT tests in daily CI runs.
Sample before/after performance pairs and percent throughput
increases for one X86_64 CPU:
doc: correct X509v3_get_ext_by_NID.pod to reflect CRL/REVOKED extension behavior
The man page previously stated that X509_CRL_delete_ext() and
X509_REVOKED_add_ext() are 'otherwise identical to the X509v3 functions,'
which is inaccurate. These routines use X509v3_delete_extension(), not
X509v3_delete_ext(), following the changes in #30350 and #30518.
Update the documentation to accurately describe this difference.
CLA: trivial
Signed-off-by: legin hpesoj <ncj2394@rit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Apr 22 08:10:46 2026
(Merged from https://github.com/openssl/openssl/pull/30677)
Viktor Dukhovni [Thu, 16 Apr 2026 08:28:33 +0000 (18:28 +1000)]
Add valgrind CT support to ML-DSA
Also slightly refactor the ML-KEM version to share the necesasry
defines, and add a daily CI run to check both (presently, for just some
platforms with known working valgrind support).
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 22 07:55:14 2026
(Merged from https://github.com/openssl/openssl/pull/30863)
RFC 8446 defines the Cookie extension as containing a non-empty cookie
vector. The client-side HRR parser accepted a zero-length cookie
because PACKET_memdup() treats an empty packet as success, which
deferred failure until later in the handshake.
Reject an empty cookie during HRR parsing with decode_error and add a
regression test.
Fixes #30868 Fixes: cfef5027bf27 "Add basic TLSv1.3 cookie support" Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr 22 07:50:25 2026
(Merged from https://github.com/openssl/openssl/pull/30892)
Viktor Dukhovni [Mon, 20 Apr 2026 12:41:44 +0000 (22:41 +1000)]
pkey(1) missing setup for interactive pass prompt
The changes in #29324 neglected some setup needed for interactive
password prompting, leading to a segfaul when pkey(1) is asked to
encrypt, but not given an explicit `-pass` argument.
The required plumbing is added.
Fixes: #30889 Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 22 07:04:47 2026
(Merged from https://github.com/openssl/openssl/pull/30904)
herbenderbler [Mon, 16 Mar 2026 17:14:52 +0000 (11:14 -0600)]
Fix memory leak in load_key_certs_crls() when add/push fails
When X509_add_cert() or sk_X509_CRL_push() failed, the cert or CRL from
OSSL_STORE was not freed. Free on failure to avoid a leak.
Fix 90-test_memfail.t parsing of count output so the memfail suite runs
correctly: parse 'skip: N count M' with a regex (handles '# ' prefix),
return (0,0) if the count file cannot be opened, and skip with a clear
message when total malloc count is 0 instead of planning 0 tests.
Apply clang-format to test/load_key_certs_crls_memfail.c.
- apps/lib/apps.c: free cert/CRL on add/push failure
- test/build.info: add load_key_certs_crls_memfail (allocfail-tests)
- test/load_key_certs_crls_memfail.c: regression test for issue #30364
- test/recipes/90-test_memfail.t: fix get_count_info parsing and plan
Issue #30364
Fixes: 6d382c74b375 "Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c" Fixes: d7fcee3b3b5fa "OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation" Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 21 08:50:18 2026
(Merged from https://github.com/openssl/openssl/pull/30428)
The [FIPS 140-3I.G.](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf)
Section D.S Key Encapsulation Mechanisms have been substantially
update on April 9, 2026.
It now explicitely lists that hybrid mechanisms must be fixed
combinations with both portions being in boundary, and the intent
should be to use them with an approved combiner such as HKDF as part
of a protocol. With the combinations from the
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem
explicitely mentioned that they can reach appoved or allowed claims.
Note that consensus for TLS group for X448MLKEM1024 failed to reach on
the [pqc forum](https://mailarchive.ietf.org/arch/browse/tls/?gbt=1&index=YIHJrbWVPdXIr8q57nsEUUmuaIo) and is not part of the
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem. And there
are no other protocols defined that use this hybrid with an approved
combiner.
Also on https://test.openquantumsafe.org/ there is x448_mlkem768 but
no X448MLKEM1024.
To avoid any confusion, it is best to mark this hybrid as non-approved
going forward. It is likely also worthfile to deprecate X448MLKEM1024
altogether.
Fixes: https://github.com/openssl/openssl/pull/26220 Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Apr 20 10:08:09 2026
(Merged from https://github.com/openssl/openssl/pull/30856)
sock_read: check ret==0 before BIO_sock_should_retry()
POSIX states errno is only valid when the return value indicates an
error. recv() sets errno only on -1; when it returns 0 (peer closed)
errno is unspecified.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Apr 20 09:59:27 2026
(Merged from https://github.com/openssl/openssl/pull/30877)
Matt Caswell [Tue, 17 Mar 2026 13:41:21 +0000 (13:41 +0000)]
Grow the init_buf incrementally as we receive data
Instead of growing the init_buf buffer immediately to the full size of the
expected message, we grow it incrementally as we receive the data. This
prevents abuse where the remote peer claims a very large message size, but
then doesn't send it.
This change is as a result of a security issue reported to the
openssl-security team by Okta Red Team. The openssl-security
team have decided to handle this as a "bug or hardening" only fix.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 17 10:08:34 2026
(Merged from https://github.com/openssl/openssl/pull/30792)
Viktor Dukhovni [Wed, 15 Apr 2026 09:14:48 +0000 (19:14 +1000)]
Fix off-by-one in "groups list" parser
When parsing the configured TLS supported groups list reallocating of the list
of "tuples" happened one element too late. The current tuple count is the
number of "closed" (completed) tuples, the currently active tuple occupies
one more slot, so we need space for `tuple count + 1` elements.
This is only an issue while parsing configurations (not attacker controlled),
and only if the group list somehow manages to contain 32 or distinct elements
(each in its own tuple, and even though OpenSSL does not implement that many
groups in typical builds).
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:17:38 2026
(Merged from https://github.com/openssl/openssl/pull/30838)
riscv: weaken capscheck for rv64gc_v_zvkned_hwprobe entry
QEMU 8.2.2 (ubuntu-latest) does not report ZVKNED via hwprobe
despite zvkned=true being set in QEMU_CPU, so the _V_ZVKNED
assertion would fail in CI for a reason unrelated to OpenSSL.
Weaken the check to _V, which QEMU 8.2.2 does report correctly.
The ZVKNED assertion can be restored once the CI moves to a QEMU
version with full Zvk* hwprobe coverage.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:03:43 2026
(Merged from https://github.com/openssl/openssl/pull/30713)
riscv: add capscheck assertion to hwprobe CI entries
The two hwprobe-based matrix entries exercise hwprobe_to_cap() but
previously contained no assertion to verify that expected extensions
were actually detected; tests pass regardless of which code path is
taken because both the optimised and fallback paths produce correct
output.
Add an optional capscheck field to the matrix schema. When set, a
new "check detected capabilities" step runs
"openssl info -cpusettings" and asserts the output matches the
given extended regular expression.
Set capscheck for the two hwprobe entries:
- rv64gc_novector_hwprobe: assert "_ZBB" is present.
With the IS_IN_DEPEND_VECTOR bug, scalar extensions are gated on
VECTOR_CAPABLE (false when V is absent), so ZBB is not detected
and the assertion fails.
- rv64gc_v_zvkned_hwprobe: assert "_V_ZVKNED" is present.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:03:42 2026
(Merged from https://github.com/openssl/openssl/pull/30713)
riscv: add hwprobe-based CI entries for capability detection
All existing RISC-V cross-compile matrix entries set OPENSSL_riscvcap,
which causes OPENSSL_cpuid_setup() to call parse_env() and skip the
hwprobe_to_cap() code path entirely. That path has never been exercised
by CI, leaving bugs in it undetectable.
Add two matrix entries that omit opensslcapsname so OPENSSL_riscvcap is
not set and hwprobe_to_cap() is called:
- rv64gc_novector_hwprobe: rv64 with ZBB/ZBC/ZBS/ZBKB, V disabled.
AT_HWCAP V bit is clear (VECTOR_CAPABLE=false). Exercises the
scalar-extension detection branch of hwprobe_to_cap().
- rv64gc_v_zvkned_hwprobe: rv64 with V (vlen=128) and ZVKNED.
AT_HWCAP V bit is set (VECTOR_CAPABLE=true). Exercises the
vector-extension detection branch and the IS_IN_DEPEND_VECTOR
guard that gates Zvk* extensions on V availability.
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:03:41 2026
(Merged from https://github.com/openssl/openssl/pull/30713)
The macro checked (ZVX_MIN >= offset) which is equivalent to
(offset <= ZVX_MIN), making it true for offsets 0-15 instead of
the intended range [ZVX_MIN, ZVX_MAX] = [15, 23].
The practical effect in hwprobe_to_cap() was inverted:
- Scalar extensions (ZBA..ZKT, offsets 0-14) were incorrectly
treated as vector-dependent and suppressed when VECTOR_CAPABLE
was false, preventing their detection via hwprobe.
- Vector extensions ZVBC..ZVKSH (offsets 16-23) were not treated
as vector-dependent, allowing them to be enabled via hwprobe
even when the V extension was absent.
Fix by changing >= to <= so the macro correctly tests whether
offset falls in [ZVX_MIN, ZVX_MAX].
Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:03:40 2026
(Merged from https://github.com/openssl/openssl/pull/30713)
Daniel Kubec [Thu, 2 Apr 2026 13:25:29 +0000 (14:25 +0100)]
EAP-FAST: echo Session ID on PAC-based session resumption
Ensure that when a ClientHello includes both a Session ID and a PAC-Opaque
in the SessionTicket extension, the server echoes the same Session ID in
the ServerHello if the session is resumed based on the PAC-Opaque.
Fixes #29095
Signed-off-by: Daniel Kubec <kubec@openssl.foundation> Co-authored-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 17:01:03 2026
(Merged from https://github.com/openssl/openssl/pull/30695)
Matt Caswell [Mon, 13 Apr 2026 13:27:58 +0000 (14:27 +0100)]
Clarify the set_session_id_context functions
Clarify when they can be used, and introduce some warnings about using
them too late in the handshake. In particular using them in the server
name callback is too late.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 16:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/30797)
Fix constant-time violation in ossl_curve448_scalar_halve
Add a value barrier to the mask variable in ossl_curve448_scalar_halve()
to prevent LLVM SimpleLoopUnswitchPass from introducing a
secret-dependent branch.
When compiled with Clang >= 17 at -O3, the mask which is static during
the loop (derived from the secret scalar LSB) is used by SimpleLoopUnswitchPass
to clone the loop body into two versions guarded by a branch on the secret bit.
This produces a side-channel that leaks nonce parity.
The value barrier forces the compiler to treat the mask as opaque,
preventing loop unswitching while maintaining identical performance.
A portable value_barrier_c448 macro is added to word.h to select the
appropriate barrier width (32 or 64 bit) based on C448_WORD_BITS.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 16:43:22 2026
(Merged from https://github.com/openssl/openssl/pull/30845)
Daniel Kubec [Mon, 30 Mar 2026 11:43:41 +0000 (13:43 +0200)]
TLSv1.3: reissue session ticket after full handshake on ciphersuite mismatch
When session resumption falls back to a full handshake due to a ciphersuite
mismatch, ensure a new session ticket is issued with the newly negotiated
ciphersuite.
Fixes #18549
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 16 11:27:51 2026
(Merged from https://github.com/openssl/openssl/pull/30626)
ssl: Fix ssl_do_config to clean up errors on success with ERR_set_mark
ssl_do_config() could leave stale errors on the error stack even on
success, so that later error checking operations could mistakenly
surface these errors. Use ERR_set_mark()/ERR_pop_to_mark() to cleanly
discard errors when the function succeeds or when system config errors
are non-fatal.
jlg1061 [Mon, 2 Mar 2026 13:37:16 +0000 (13:37 +0000)]
Add regression tests to `test/evp_extra_test.c` that dynamically
discover all provided ciphers with non-zero IV length and verify
correct multi-step initialization semantics.
The EVP API permits key and IV to be supplied in separate
`EVP_CipherInit_ex()` calls (e.g. key-only followed by IV-only).
A recent bug (PR #29934, ASCON-AEAD128) demonstrated that a
provider may silently ignore a key-only init, resulting in reuse
of a previously loaded key during a subsequent IV-only init.
To prevent similar regressions, this change introduces three
generic tests that automatically cover all IV-taking ciphers:
produce identical ciphertext (and authentication tag for AEAD
ciphers) compared to single-call `init(key, iv)`.
Primes a context with `key1/iv1`, then re-initializes via
`init(key2) → init(iv2)` and verifies the output matches a fresh
`encrypt(key2, iv2)` operation, ensuring that no previously stored
key is reused.
Encrypts using single-call initialization and then decrypts using
multi-step initialization, verifying plaintext recovery. For AEAD
ciphers, this also exercises tag verification through the
multi-step path.
Ciphers are discovered using `EVP_CIPHER_do_all_provided()`,
requiring no maintenance when new IV-taking ciphers are added.
SIV mode is skipped due to its synthetic IV semantics. CCM mode
handling includes required length declarations.
This provides broad regression coverage for the provider
implementations that support multi-step EVP initialization.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr 16 07:08:17 2026
(Merged from https://github.com/openssl/openssl/pull/30141)
test/quicapitest.c: restore array formatting butchered by clang-format
Shut off clang-format, as it is incapable of formatting arrays properly,
and just mangles everything instead. Also, while at it, drop the trailing
commas from TPARAM_CHECK_* definitions, as they are pretty confusing.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:37 2026
(Merged from https://github.com/openssl/openssl/pull/30580)
Avoid creating TLSProxy on IPv6 loopback address is IPv6 is disabled
Add a parameter to TLSProxy::Proxy->new()
and TLSProxy::Proxy->new_dtls() that indicates IPv6 usage preference
and pass have_IPv6() to it, so IPv6 usage is avoided when it is disabled.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:33 2026
(Merged from https://github.com/openssl/openssl/pull/30580)
kovan [Mon, 2 Feb 2026 12:30:15 +0000 (13:30 +0100)]
doc: clarify -hex option behavior in openssl prime
The -hex option description was ambiguous about its exact behavior.
Clarify that:
- With -generate: outputs the prime in hex instead of decimal
- When checking: interprets input as hex instead of decimal
- Output when checking is always hex regardless of this option
Fixes #19208
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 15 12:33:18 2026
(Merged from https://github.com/openssl/openssl/pull/29913)
kovan [Tue, 27 Jan 2026 05:16:06 +0000 (06:16 +0100)]
doc: Clarify that BN_CTX must not be NULL for BN arithmetic functions
The documentation for BN_add and related functions did not explicitly
state that the ctx parameter cannot be NULL. Users may assume NULL is
acceptable since some other OpenSSL functions allow it, but passing
NULL to functions like BN_mod_add() or BN_mod() causes a crash.
Update the documentation to explicitly state that ctx must not be NULL.
Fixes #12092
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 15 11:47:59 2026
(Merged from https://github.com/openssl/openssl/pull/29773)
There is a missing call to OPENSSL_free() in the branch
where existing sets are merged to new range. There is
no evidence/POC OpenSSL poject is aware of the leak can
be triggered by QUIC protocol operation.
The issue has been kindly reported by Abhinav Agarwal (@abhinavagarwal07)
Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type" Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:28:41 2026
(Merged from https://github.com/openssl/openssl/pull/30718)
riscv: fix missing VLEN >= 128 guard in AES-GCM dispatch
ossl_prov_aes_hw_gcm() returned &rv64i_zvkned_gcm when
RISCV_HAS_ZVKNED() was true but RISCV_HAS_ZVKB()/RISCV_HAS_ZVKG()
were false, without checking riscv_vlen() >= 128. All Zvkned
instructions require VLEN >= 128; on VLEN=64 hardware this would
cause illegal-instruction traps.
All other Zvk* dispatch sites already guard on riscv_vlen() >= 128.
Hoist the check to the outer if (RISCV_HAS_ZVKNED()) condition to
cover both return paths uniformly.
Fixes: d056e90ee58a "riscv: Provide vector crypto implementation of AES-GCM mode." Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Apr 15 11:24:50 2026
(Merged from https://github.com/openssl/openssl/pull/30714)
Sunwoo Lee [Fri, 27 Mar 2026 23:22:02 +0000 (08:22 +0900)]
quic: fix channel leak when ossl_quic_provide_initial_secret fails
In port_bind_channel(), when ossl_quic_provide_initial_secret()
fails, the function returns without freeing the QUIC_CHANNEL
that was just created by port_make_channel(). The caller sees
new_ch == NULL and cannot free it, leaking the channel and all
its sub-allocations (QRX, QTX, TXP, ACKM).
Add ossl_quic_channel_free(ch) before the early return, matching
the cleanup pattern already used by the other error paths in the
same function (lines 864, 873).
CWE-401
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Work around "Use of uninitialized value..." in mkinstallvars.pl
Avoid "Use of uninitialized value in concatenation (.) or string
at util/mkinstallvars.pl line 139." message by supplying COMMENT
in the mkinstallvars.pl call exporters/build.info.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:54:11 2026
(Merged from https://github.com/openssl/openssl/pull/30768)
Neil Horman [Wed, 1 Apr 2026 18:37:52 +0000 (14:37 -0400)]
convert rand_meth_lock to atomics
Using our previously created atomic ops, we can (almost) eliminate the
use of the rand_meth_lock. This lock guards reads/write on the
RAND_default_meth global variable, which is generally written only once
during a process lifetime. By replacing the lock with an atomic read
for reads, and an atomic compare and exchange or atomic store for
writes, we can significantly improve the execution time of
RAND_get_rand_method, which is called every time a process calls
RAND_bytes_ex()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:31 2026
(Merged from https://github.com/openssl/openssl/pull/30670)
Neil Horman [Wed, 1 Apr 2026 16:32:40 +0000 (12:32 -0400)]
Add some crypto atomic pointer ops
CRYPTO_atomic_load_ptr - load a pointer value with relaxed semantics
CRYPTO_atomic_store_ptr - store a pointer value with relaxed semantics
CRYPTO_atomic_cmp_exch_ptr - cmp/exch a pointer with relaxed or acq/rel
semantics
The addition of these functions enables us to better use atomics to
replace read/write locks where we are almost always doing reads
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:30 2026
(Merged from https://github.com/openssl/openssl/pull/30670)
Modified build.info to support ppc64le assembly implementation.
Added new definitions of MLKEM_NTT_ASM for NTT and inverse NTT for
optimized assembly implementation.
This is the initial archtecture specific implementation so can be mdified
to adapt to a new build structures.
Brenda So [Mon, 30 Mar 2026 21:32:47 +0000 (14:32 -0700)]
Skip parsing OCSP status_request when no status call is registered
When no ext.status_cb is set, the server will not produce a stapled
OCSP response. This patch returns early from tls_parse_ctos_status_request
before parsing the extension body to save memory.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Apr 13 09:40:08 2026
(Merged from https://github.com/openssl/openssl/pull/30630)
Tomas Mraz [Thu, 19 Mar 2026 09:58:56 +0000 (10:58 +0100)]
We now have ml-dsa asm, add it to fips-checksums
We also add other PQC algorithm directories that might
appear in future so they are picked-up by the script
once they appear. This requires checking whether the
directory exists.
Also update the fips sources and checksums.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Apr 13 09:35:17 2026
(Merged from https://github.com/openssl/openssl/pull/30502)
The "sha1" and "md5" handles are no longer used, and those fields are
removed.
The `SSL_HMAC` objects used internally are now stack allocated, and the
associated "new" and "free" functions are now called "construct" and
"destruct" respectively.
Reviewed-by: Matt Caswell <matt@openssl.foundation> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Mon Apr 13 09:03:45 2026
(Merged from https://github.com/openssl/openssl/pull/30696)
Milan Broz [Thu, 2 Apr 2026 10:51:46 +0000 (12:51 +0200)]
Windows: Use /Z7 compiler flag to enable parallel builds
MSVC compilation on Windows cannot be reliably parallelized
with tools like jom (an nmake replacement) due to contention
on shared .pdb files used for debug info. Writes to a shared
.pdb must be serialized.
The /FS compiler flag serializes concurrent compiler writes,
but does not resolve contention when the compiler and linker
access the same .pdb file. With shared .pdb files (e.g. app.pdb),
the makefile does not prevent races between the linker and
compilation of multiple targets.
This can be resolved either by restructuring the makefile
to introduce sentinel dependencies that serialize the conflicting
steps, or by eliminating the shared .pdb entirely.
This patch takes the latter approach: it replaces /Zi with /Z7,
which embeds debug info directly into each .obj file and avoids
any shared-file contention. /Z7 is supported by all MSVC versions.
The linker-generated .pdb is unaffected.
Side effects: object files are slightly larger, and all .pdb files
are now named after their target — the shared app.pdb, ossl_static.pdb,
and dso.pdb no longer exist.
With this change, jom can be used to parallelize the build.
Fixes: #9931 Signed-off-by: Milan Broz <gmazyland@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Mon Apr 13 08:46:20 2026
(Merged from https://github.com/openssl/openssl/pull/30703)
style: fix clang-format issues in chacha_internal_test.c
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:07 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
test/chacha: added ELFv2 ABI FPR preservation check for POWER10 8x path
On POWER10, ChaCha20_ctr32_vsx_8x is activated for buffers over 255
bytes and uses vxxlor to alias FPR14-FPR25 as temporary storage. Add a
test to chacha_internal_test that pins known values in f14-f25 via
inline asm, calls through ChaCha20_ctr32 with a 512-byte buffer to
trigger the 8x path, and verifies the registers still hold their
original values. The test is gated on PPC_BRD31 (POWER10 capability
flag) so it is skipped silently on older hardware.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:05 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
chacha/asm: save f17 in 8x prologue for contiguous f14-f25 range
f17 is not directly clobbered by any vxxlor in this function, but
saving the full contiguous range f14-f25 is cleaner and avoids any
future ambiguity if the code is modified. Adjust all subsequent FPR
slot offsets and the VMX base offset accordingly, and update the frame
size comment.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:04 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
projects / thirdparty / openssl.git / log
