git.ipfire.org Git - thirdparty/openssl.git/log
2 months ago - Doc: "ML-DSA external mu" clarify security categories
slontis [Mon, 30 Mar 2026 23:31:36 +0000 (10:31 +1100)] 
Doc: "ML-DSA external mu" clarify security categories

Clarify which digest algorithms correspond to the 3
security categories for ML-DSA key types.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:40:25 2026
(Merged from https://github.com/openssl/openssl/pull/30632)

2 months ago - crypto/err/err_all.c: load SM2 error strings
Eugene Syromiatnikov [Mon, 30 Mar 2026 09:23:31 +0000 (11:23 +0200)] 
crypto/err/err_all.c: load SM2 error strings

The function ossl_err_load_SM2_strings() exists, but wasn't called
in ossl_err_load_crypto_strings().  Rescind this omission.

Fixes: 3d328a445c2a "Add SM2 signature and ECIES schemes"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:32:47 2026
(Merged from https://github.com/openssl/openssl/pull/30625)

2 months ago - evp_decodeblock_int(): Bugfix of padding check
Igor Ustinov [Sat, 28 Mar 2026 12:49:00 +0000 (13:49 +0100)] 
evp_decodeblock_int(): Bugfix of padding check

The padding check didn't take into account that by this point the f pointer
had already shifted by 4 positions. Luckily, the original f[2] and f[3]
were saved in c and d.

This code is not reachable in normal operation, but that is not a reason
not to fix it.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:31:13 2026
(Merged from https://github.com/openssl/openssl/pull/30618)

2 months ago - EVP_MD_CTX_gettable_params(): Add NULL check before dereference
Drokovar Dmitriy [Tue, 10 Mar 2026 05:38:57 +0000 (01:38 -0400)] 
EVP_MD_CTX_gettable_params(): Add NULL check before dereference

Found by Linux Verification Center (linuxtesting.org) with SVACE.

CLA:trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr  3 15:24:39 2026
(Merged from https://github.com/openssl/openssl/pull/30589)

2 months ago - Add INT_MAX bounds check to d2i_ASN1_UINTEGER before (int)len cast
Koda Reef [Sun, 22 Mar 2026 21:44:21 +0000 (21:44 +0000)] 
Add INT_MAX bounds check to d2i_ASN1_UINTEGER before (int)len cast

d2i_ASN1_UINTEGER uses (int)len for OPENSSL_malloc, memcpy, and
ASN1_STRING_set0 where len is a long. On LP64 platforms (long is
64-bit, int is 32-bit), values exceeding INT_MAX are silently
truncated, causing undersized allocation and heap buffer overflow.

The sibling function ossl_c2i_ASN1_BIT_STRING in a_bitstr.c already
has this guard (line 92: if (len > INT_MAX)). This adds the same
check to d2i_ASN1_UINTEGER for consistency.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Fri Apr  3 15:22:30 2026
(Merged from https://github.com/openssl/openssl/pull/30532)

2 months ago - Updated broken documentation links in various files
Stacey Zheng [Thu, 19 Mar 2026 22:59:38 +0000 (18:59 -0400)] 
Updated broken documentation links in various files

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr  3 15:18:46 2026
(Merged from https://github.com/openssl/openssl/pull/30516)

2 months ago - Update manuals and demos to consider OSSL_PARAM_clear_free() vs OSSL_PARAM_free()
Emmalee Carpenter [Thu, 19 Mar 2026 20:04:49 +0000 (16:04 -0400)] 
Update manuals and demos to consider OSSL_PARAM_clear_free() vs OSSL_PARAM_free()

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Apr  3 15:14:25 2026
(Merged from https://github.com/openssl/openssl/pull/30506)

2 months ago - Add a test for an early DTLS CCS with extra data on the last record
Matt Caswell [Thu, 19 Mar 2026 11:44:48 +0000 (11:44 +0000)] 
Add a test for an early DTLS CCS with extra data on the last record

We move the DTLS CCS early, and then add extra trailing data on the
last record before the epoch change. We expect to see an unexpected
message error.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:06:52 2026
(Merged from https://github.com/openssl/openssl/pull/30503)

2 months ago - Fix a Use-After-Free bug in the DTLS code
Matt Caswell [Thu, 19 Mar 2026 10:38:22 +0000 (10:38 +0000)] 
Fix a Use-After-Free bug in the DTLS code

The newly added #30225 introduced a UAF bug in the master branch found
by the dtlsserver fuzzer. If a CCS arrives early and there is trailing
data left in the current record at the point that we change epoch then
the buffer holding the trailing data is freed as part of setting up the
new record layer, but we still have dangling references into that buffer
causing the UAF.

Fixes #30487

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:06:50 2026
(Merged from https://github.com/openssl/openssl/pull/30503)

2 months ago - crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check()
huanghuihui0904 [Mon, 16 Mar 2026 03:05:36 +0000 (11:05 +0800)] 
crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check()

When init_ret indicates both X509_PCY_TREE_EXPLICIT and X509_PCY_TREE_EMPTY,
the function returns without freeing the initialized policy tree.
Free the tree before returning, consistent with the earlier TREE_EMPTY branch.

Also defer *ptree = tree assignment and free the tree when user policies
are empty to avoid returning invalid memory.

Fixes #30435

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr  3 15:03:37 2026
(Merged from https://github.com/openssl/openssl/pull/30436)

2 months ago - doc: clarify X509_STORE thread safety and lifetime contract
Herman Malik [Wed, 11 Mar 2026 21:49:18 +0000 (14:49 -0700)] 
doc: clarify X509_STORE thread safety and lifetime contract

Improve the description of X509_STORE_lock() in X509_STORE_new.pod to
emphasize it acquires an exclusive write lock.

Add a NOTES section to X509_STORE_new.pod covering which operations are
internally thread-safe and which are not, as well as documentation on
lifetime management and reference counting.

Add a NOTES section to X509_STORE_CTX_get_by_subject.pod explaining
that the store's internal lock is released before the found object's
reference count is incremented, so the caller must ensure the store
outlives the lookup.

Clarify the reference counting and the caller's responsibilities.
Remove internal details for conciseness.

Related to #30310

Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Apr  3 15:00:55 2026
(Merged from https://github.com/openssl/openssl/pull/30382)

2 months ago - Fix integer overflow in EVP_ENCODE_LENGTH and base64 encoding paths
eclipse07077 [Mon, 9 Mar 2026 12:35:43 +0000 (21:35 +0900)] 
Fix integer overflow in EVP_ENCODE_LENGTH and base64 encoding paths

The EVP_ENCODE_LENGTH macro performs all arithmetic in the type of
its argument. When the argument is int and exceeds approximately
1.6 billion, intermediate results overflow signed int, potentially
wrapping to a smaller positive value rather than a negative one.

In b64_write() (crypto/evp/bio_b64.c), this causes OPENSSL_malloc
to allocate a buffer smaller than the actual encoded output size.
EVP_EncodeUpdate then writes past the end of the undersized buffer.

Changes:
- Cast macro argument to size_t in EVP_ENCODE_LENGTH to prevent
  signed integer overflow
- Change encoded_length in b64_write() from int to size_t and add
  an explicit overflow sanity check before allocation
- Change return type of evp_encodeblock_int() and
  encode_base64_avx2() from int to size_t so that large encoded
  output lengths are not truncated
- Update EVP_EncodeUpdate() to use size_t for the encoder return
  value accumulator (j), consistent with the existing size_t total
- Add explicit (int) casts in EVP_EncodeBlock() and EVP_EncodeFinal()
  where the public API requires int return values

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 14:55:29 2026
(Merged from https://github.com/openssl/openssl/pull/30321)

2 months ago - Revert "Make cpuid_setup non-constructor"
Bob Beck [Tue, 24 Mar 2026 18:26:37 +0000 (12:26 -0600)] 
Revert "Make cpuid_setup non-constructor"

This reverts commit 1d770fc6a9a0a7d6e20f3232180b80c366c2d4df.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr  2 07:18:05 2026
(Merged from https://github.com/openssl/openssl/pull/30557)

2 months ago - Make riscv cpucap not use BIO_snprintf
Bob Beck [Tue, 24 Mar 2026 18:24:14 +0000 (12:24 -0600)] 
Make riscv cpucap not use BIO_snprintf

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr  2 07:18:03 2026
(Merged from https://github.com/openssl/openssl/pull/30557)

2 months ago - Add test for NULL uri handling in OSSL_STORE_delete()
Weidong Wang [Tue, 24 Mar 2026 17:10:28 +0000 (12:10 -0500)] 
Add test for NULL uri handling in OSSL_STORE_delete()

Verify that passing NULL as the uri parameter to OSSL_STORE_delete()
returns 0 rather than crashing with a NULL pointer dereference.

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr  2 07:14:09 2026
(Merged from https://github.com/openssl/openssl/pull/30512)

2 months ago - Fix NULL pointer dereference in OSSL_STORE_delete()
Weidong Wang [Fri, 20 Mar 2026 12:00:10 +0000 (07:00 -0500)] 
Fix NULL pointer dereference in OSSL_STORE_delete()

Add a NULL check for the uri parameter before passing it to
OPENSSL_strlcpy(), matching the guard already present in
OSSL_STORE_open_ex().

Fixes: 0a8807b4a838 "Store: API for deletion"
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr  2 07:14:08 2026
(Merged from https://github.com/openssl/openssl/pull/30512)

2 months ago - Fix names of X509_V_ERR_ERROR_IN_CERT_* constants in man page
Arne Schwabe [Tue, 31 Mar 2026 11:30:38 +0000 (13:30 +0200)] 
Fix names of X509_V_ERR_ERROR_IN_CERT_* constants in man page

The names of the X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD in the man page have
the first _ERR_ spelt out as _ERROR_ instead.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr  1 17:06:53 2026
(Merged from https://github.com/openssl/openssl/pull/30643)

(cherry picked from commit e39a6de5c8ba43f95073cd3f88cdb86bd131825e)

2 months ago - apps/lib/apps.c: use fstat on an opened fd in app_mmap_file()
Eugene Syromiatnikov [Mon, 30 Mar 2026 08:52:07 +0000 (10:52 +0200)] 
apps/lib/apps.c: use fstat on an opened fd in app_mmap_file()

Coverity has rightfully complained that using stat() before opening the file
leads to TOCTOU issues; refactor the code to open the file first and then
perform the stat checks on the opened file descriptor.  It is still far
from foolproof, as the file is not locked and stat() is used elsewhere,
but at least it seems to be a step in the right direction.

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1690686
Fixes: 80b7e49c273f "Use mmap for pkeyutl -rawin and dgst one-shot input"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Apr  1 12:46:08 2026
(Merged from https://github.com/openssl/openssl/pull/30624)
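The open-first, then fstat()-on-the-descriptor pattern that the commit above describes, written out as an added example. This is not OpenSSL's app_mmap_file() and is not taken from the project; the function names, the MAX_MAP_BYTES limit, the temporary file under /tmp and its contents are assumptions made for this illustration. The point it shows is that every check (regular file, non-empty, size bound) runs on the descriptor that is subsequently mapped, so a path swap between check and use cannot change what gets mapped; a pipe is refused by the same check.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_CLOEXEC
#define O_CLOEXEC 0             /* fallback for toolchains that hide it */
#endif

/* Upper bound on what we are willing to map: an assumption for this example. */
#define MAX_MAP_BYTES ((off_t)1 << 30)

/* Validate an already-open descriptor with fstat(): regular file, not empty,
 * not larger than MAX_MAP_BYTES. Because the checks run on the descriptor
 * that will actually be mapped, there is no check-then-open window.
 * Returns 1 and stores the size on success, 0 otherwise. */
static int fd_ok_for_mmap(int fd, size_t *len_out)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))   /* FIFOs, devices, directories: refuse */
        return 0;
    if (st.st_size <= 0 || st.st_size > MAX_MAP_BYTES)
        return 0;
    *len_out = (size_t)st.st_size;
    return 1;
}

/* open() first, validate the descriptor, then mmap() it. Returns the
 * read-only mapping (caller munmap()s it) or NULL on any failure. */
static void *mmap_regular_file(const char *path, size_t *len_out)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    void *p;

    if (fd < 0)
        return NULL;
    if (!fd_ok_for_mmap(fd, len_out)) {
        close(fd);
        return NULL;
    }
    p = mmap(NULL, *len_out, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                  /* the mapping stays valid after close() */
    return p == MAP_FAILED ? NULL : p;
}

/* Self-check 1: a temporary regular file (constructed here) maps and reads
 * back byte for byte. Returns 1 on success. */
static int demo_regular_file(void)
{
    char path[] = "/tmp/mmap_demo_XXXXXX";
    const char msg[] = "constructed sample input";
    size_t want = sizeof(msg) - 1, len = 0;
    int fd = mkstemp(path), ok = 0;
    void *p;

    if (fd < 0)
        return 0;
    if (write(fd, msg, want) == (ssize_t)want) {
        p = mmap_regular_file(path, &len);
        if (p != NULL) {
            ok = (len == want && memcmp(p, msg, len) == 0);
            munmap(p, len);
        }
    }
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check 2: a pipe is not a regular file and must be refused. */
static int demo_fifo_rejected(void)
{
    int fds[2], rejected;
    size_t len;

    if (pipe(fds) != 0)
        return 0;
    rejected = (fd_ok_for_mmap(fds[0], &len) == 0);
    close(fds[0]);
    close(fds[1]);
    return rejected;
}

int main(void)
{
    printf("regular file mapped and verified: %d\n", demo_regular_file());
    printf("pipe rejected by fstat() check:   %d\n", demo_fifo_rejected());
    return 0;
}
```

As the commit message itself notes, this only closes the stat-before-open window; it does not lock the file, so a writer that truncates the file while it is mapped can still cause SIGBUS on access, which is a separate problem from the one fixed here.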

2 months ago - Fix loongarch64 build and clean up include paths
openssl-machine [Mon, 23 Mar 2026 10:24:34 +0000 (11:24 +0100)] 
Fix loongarch64 build and clean up include paths

Fixes #30418

Add ../crypto to INCLUDE[p_ossltest].
Remove useless .. from various INCLUDE[] - this was necessary when e_os.h was
placed in the SRCDIR root.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 31 15:51:53 2026
(Merged from https://github.com/openssl/openssl/pull/30536)

2 months ago - util/platform_symbols/windows-symbols.txt: add _get_osfhandle
Eugene Syromiatnikov [Tue, 31 Mar 2026 02:46:29 +0000 (04:46 +0200)] 
util/platform_symbols/windows-symbols.txt: add _get_osfhandle

Its usage is introduced in commit b238d36c50a1 "Fix certificate read
from stdin on Windows".

Fixes: b238d36c50a1 "Fix certificate read from stdin on Windows"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Mar 31 11:55:26 2026
(Merged from https://github.com/openssl/openssl/pull/30634)

2 months ago - util/platform_symbols/windows-symbols.txt: sort in lexicographical order
Eugene Syromiatnikov [Tue, 31 Mar 2026 02:45:27 +0000 (04:45 +0200)] 
util/platform_symbols/windows-symbols.txt: sort in lexicographical order

Sort using "LC_ALL=C sort -u".

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Mar 31 11:55:25 2026
(Merged from https://github.com/openssl/openssl/pull/30634)

2 months ago - Don't eat a NULL if a queryfile is not provided
Bob Beck [Fri, 27 Mar 2026 21:34:16 +0000 (15:34 -0600)] 
Don't eat a NULL if a queryfile is not provided

Fixes: 18cd23df8a8f2 "Remove "noise" comments from TS files."
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 09:51:38 2026
(Merged from https://github.com/openssl/openssl/pull/30608)

2 months ago - Refactor ML-KEM decap, also cleanse failure_key
Viktor Dukhovni [Thu, 26 Mar 2026 17:02:34 +0000 (04:02 +1100)] 
Refactor ML-KEM decap, also cleanse failure_key

Pedantically cleanse the typically unused decap failure_key's stack
copy.

When actually used, it is copied into the caller's shared secret result,
perhaps to be cleansed there after use, or not; that's the caller's
business.

While at it, slightly refactor the internal decap() implementation to
consolidate all the data to be cleansed into a single buffer, but now
avoid copying the public key hash, instead, when computing "K || r" as
"G(m || h)" include "h" via a separate EVP_DigestUpdate() call.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 31 05:19:40 2026
(Merged from https://github.com/openssl/openssl/pull/30598)

2 months ago - Fix -Wdiscarded-qualifiers warnings shown when glibc-2.43 is used
Collin Funk [Sat, 28 Mar 2026 07:41:01 +0000 (00:41 -0700)] 
Fix -Wdiscarded-qualifiers warnings shown when glibc-2.43 is used

When building with glibc-2.43 there is the following warning:

    crypto/x509/x509_vpm.c: In function 'validate_email_name':
    crypto/x509/x509_vpm.c:317:13: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
      317 |     if ((at = memchr(name, '@', len)) == NULL)
          |             ^

This is due to a change described in the NEWS file of glibc-2.43:

    * For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
      strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return
      pointers into their input arrays now have definitions as macros that
      return a pointer to a const-qualified type when the input argument is
      a pointer to a const-qualified type.

Systems using this recent glibc version will likely also be using GCC 15
or later which default to `-std=gnu23`, meaning that this warning will
show up without modifying `CFLAGS`.

We can make these pointers const since we never write to them.

Complements: f584ae959cbc "Let's support multiple names for certificate verification"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 02:38:14 2026
(Merged from https://github.com/openssl/openssl/pull/30613)

2 months ago - Add negative length validation in EVP_EncryptUpdate and EVP_DecryptUpdate
Pranavjeet-Naidu [Tue, 24 Mar 2026 23:45:30 +0000 (05:15 +0530)] 
Add negative length validation in EVP_EncryptUpdate and EVP_DecryptUpdate

Added input length validation checks to prevent potential security issues
when negative values are passed to EVP_EncryptUpdate and EVP_DecryptUpdate.
These functions cast inl (int) to size_t without validation, which could lead
to unexpectedly large buffer allocation attempts or unintended behavior with
negative inputs.

Validation is performed early in both functions to ensure only valid,
non-negative lengths are processed. Error is reported via EVP_R_INVALID_LENGTH.

Fixes: https://github.com/openssl/openssl/issues/30486
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 02:10:52 2026
(Merged from https://github.com/openssl/openssl/pull/30560)
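Three commits in this log fix the same family of defect: a length computed or carried in the wrong integer type (the EVP_ENCODE_LENGTH overflow in int, the (int)len narrowing in d2i_ASN1_UINTEGER, and the negative int inl cast to size_t in EVP_EncryptUpdate/EVP_DecryptUpdate above). The following is an added example, not OpenSSL's code, that puts the three guards side by side so they can be tried with concrete values. The encoded-length formula has the shape of the EVP_ENCODE_LENGTH macro as the author recalls it from the public header; its exact constants are an assumption here, and the function names are invented for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Base64 output-size formula in the shape of EVP_ENCODE_LENGTH
 * (assumption: constants as recalled from the public header). Evaluated in
 * size_t, so no intermediate term wraps in signed int the way the int-typed
 * macro did for inputs above roughly 1.6 billion bytes. */
static size_t b64_encoded_len(size_t l)
{
    return ((l + 2) / 3 * 4) + (l / 48 + 1) * 2 + 80;
}

/* Returns the encoded length, or 0 (never a valid result: the minimum is 82)
 * when the input is so large that the formula itself would wrap in size_t.
 * The formula grows as about 1.375 * l, so refusing l > SIZE_MAX / 2 is a
 * conservative but sufficient bound; it also keeps l + 2 from wrapping. */
static size_t b64_encoded_len_checked(size_t l)
{
    if (l > SIZE_MAX / 2)
        return 0;
    return b64_encoded_len(l);
}

/* Public APIs such as EVP_EncodeBlock() return int: a size_t result must be
 * checked against INT_MAX before it is narrowed for the return value. */
static int fits_in_int(size_t n)
{
    return n <= (size_t)INT_MAX;
}

/* d2i_ASN1_UINTEGER-style narrowing: a long length is checked against
 * INT_MAX before (int)len feeds malloc and memcpy. On LP64 the unchecked
 * cast of, e.g., 0x100000010 yields 16: an undersized allocation followed
 * by an oversized copy. Returns the narrowed length, or -1 if it would
 * not survive the cast intact (negative lengths are rejected too). */
static int narrow_len_to_int(long len)
{
    if (len < 0 || len > INT_MAX)
        return -1;
    return (int)len;
}

/* What an unchecked (size_t)inl produces for a negative int: SIZE_MAX for
 * inl == -1. Shown only to make the hazard visible; never size a buffer
 * from this. */
static size_t unchecked_inl(int inl)
{
    return (size_t)inl;
}

/* EVP_EncryptUpdate-style guard: the API takes int, the internals use
 * size_t. Returns 1 and stores the converted length only for inl >= 0. */
static int inl_to_size_checked(int inl, size_t *out)
{
    if (inl < 0)
        return 0;
    *out = (size_t)inl;
    return 1;
}

int main(void)
{
    size_t n = b64_encoded_len_checked(1700000000u);
    size_t converted = 0;

    printf("encoded length for 1.7e9 input bytes: %zu (fits int: %d)\n",
           n, fits_in_int(n));
    printf("narrow 4096 -> %d, narrow -5 -> %d\n",
           narrow_len_to_int(4096), narrow_len_to_int(-5));
    printf("(size_t)-1 == %zu; checked(-1) accepted: %d\n",
           unchecked_inl(-1), inl_to_size_checked(-1, &converted));
    return 0;
}
```

For the 1.7 GB case the size_t formula yields 2337500082, which is above INT_MAX; with the old int-typed macro the intermediate (l+2)/3*4 term already exceeded INT_MAX and wrapped, which is exactly how b64_write() ended up with an undersized buffer.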

2 months ago - Configurations/10-main.conf: minimum NASM version needs to be 2.09 on Windows
Tomas Mraz [Wed, 25 Mar 2026 17:54:18 +0000 (18:54 +0100)] 
Configurations/10-main.conf: minimum NASM version needs to be 2.09 on Windows

Otherwise some assembler code might be miscompiled.

Fixes: https://github.com/openssl/openssl/issues/20529
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 01:47:41 2026
(Merged from https://github.com/openssl/openssl/pull/30576)

2 months ago - Fix certificate read from stdin on Windows
Milan Broz [Tue, 24 Mar 2026 13:50:21 +0000 (14:50 +0100)] 
Fix certificate read from stdin on Windows

On Windows, reading a certificate from stdin could fail like

    > type cert.der| openssl.exe x509 -inform DER -outform PEM
    Could not find or decode certificate from <stdin>

The decoder already tries to insert BIO_f_readbuffer
in this case, unfortunately it depends on undefined behavior
of ftell() on Windows.

Fix it by adding check for non-seekable input case
to BIO file control.

Note that the added test case uses a binary input certificate,
but does not trigger this issue explicitly.

Fixes: https://github.com/openssl/openssl/issues/19508
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:38:21 2026
(Merged from https://github.com/openssl/openssl/pull/30559)

2 months ago - Remove superfluous volatile for RCU on Windows
Milan Broz [Fri, 27 Mar 2026 09:38:52 +0000 (10:38 +0100)] 
Remove superfluous volatile for RCU on Windows

When compiling on the MINGW platform, there are many warnings like this:

  warning: passing argument 1 of 'CRYPTO_atomic_add64' discards 'volatile'
  qualifier from pointer target type [-Wdiscarded-qualifiers]
  CRYPTO_atomic_add64(&lock->qp_group[qp_idx].users, (uint64_t)1, &tmp64,
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The warning actually shows several issues with volatile in struct rcu_qp:

 - all handling functions using it do not use the volatile modifier,
   so the compiler can already treat this pointer as non-volatile
   (the POSIX pthread variant does not use volatile here at all)

 - thread safety is already guaranteed by using locks
   (NO_INTERLOCKEDOR64) or Interlocked*64 Win32 API functions.

 - the volatile removal modifier should always be explicit

In short, I think the volatile in struct rcu_qp on Windows
has no additional value and can be removed.

This also fixes the warnings mentioned above :-)

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:25:56 2026
(Merged from https://github.com/openssl/openssl/pull/30602)

2 months ago - doc: fix -signcert grouping in CA.pl documentation
kovan [Tue, 27 Jan 2026 11:11:08 +0000 (12:11 +0100)] 
doc: fix -signcert grouping in CA.pl documentation

The -signcert option was incorrectly grouped with -sign and -xsign at
line 109, which implied they were equivalent. However, -signcert is
different: it expects a self-signed certificate (not a certificate
request) in newreq.pem, and converts it to a request before signing.

This is correctly documented in its own separate section at line 123,
which states "-signcert is the same as -sign except it expects a self
signed certificate".

Remove -signcert from the -sign/-xsign grouping to eliminate the
contradiction.

Resolves: https://github.com/openssl/openssl/issues/29165
Fixes: 022696cab014 "Allow CA.pl script user to pass extra arguments to openssl command"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:10:50 2026
(Merged from https://github.com/openssl/openssl/pull/29794)

2 months ago - Document X509V3_EXT_print API const change in manual page
Arne Schwabe [Wed, 25 Mar 2026 15:28:46 +0000 (16:28 +0100)] 
Document X509V3_EXT_print API const change in manual page

Commit e75bd84ffc7 made the ext argument of X509V3_EXT_print const
but did not update the man page to match the implementation.

Complements: e75bd84ffc73 "Constify X509_get_ext() and friends.."
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 01:01:51 2026
(Merged from https://github.com/openssl/openssl/pull/30595)

2 months ago - X509_EXTENSION_set_object.pod, X509v3_get_ext_by_NID.pod: add missing const
Eugene Syromiatnikov [Fri, 27 Mar 2026 11:05:39 +0000 (12:05 +0100)] 
X509_EXTENSION_set_object.pod, X509v3_get_ext_by_NID.pod: add missing const

Update the documentation to reflect the const qualifiers added
to the arguments of X509_EXTENSION_get_object(), X509_EXTENSION_get_data(),
and X509v3_add_ext().

References: https://github.com/openssl/openssl/pull/30595
Complements: e75bd84ffc73 "Constify X509_get_ext() and friends.."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Tue Mar 31 00:47:35 2026
(Merged from https://github.com/openssl/openssl/pull/30601)

2 months ago - ikev2kdf.c: expand missing secret check in kdf_ikev2kdf_derive()
Eugene Syromiatnikov [Wed, 25 Mar 2026 11:45:27 +0000 (12:45 +0100)] 
ikev2kdf.c: expand missing secret check in kdf_ikev2kdf_derive()

The seemingly impossible (and erroneous) case of (secret == NULL &&
secret_len != 0) is not accounted for in the sanity checks, which provoked
Coverity to report a potential NULL dereference in ikev2_check_secret_and_pad()
afterwards.  Placate it by expanding the check to cover that improbable
situation and echo the seedkey check from the previous case.

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1690439
Complements: 0dd1c50fc070 "Add IKEV2KDF implementation"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 00:33:22 2026
(Merged from https://github.com/openssl/openssl/pull/30566)

2 months ago - crypto/property/property.c: avoid NULL dereference in impl_cache_free()
Eugene Syromiatnikov [Wed, 25 Mar 2026 11:41:32 +0000 (12:41 +0100)] 
crypto/property/property.c: avoid NULL dereference in impl_cache_free()

Dereference elem only after checking it for NULL.  Reported by Coverity,
CID 1690442.

Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1690442
Fixes: 95ac190979ec "convert ALGORITHM cache to use internal hashtable"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 31 00:33:21 2026
(Merged from https://github.com/openssl/openssl/pull/30566)

2 months ago - Use OPENSSL_assert for Windows RCU for missing lock
Milan Broz [Sat, 28 Mar 2026 11:37:32 +0000 (12:37 +0100)] 
Use OPENSSL_assert for Windows RCU for missing lock

If NO_INTERLOCKEDOR64 is defined, Windows RCU code must
use thread locks.

The lock *must* be provided in that case otherwise it is
an internal code error, not a runtime error.
Use OPENSSL_assert here.

This also fixes several uninitialized variable warnings
as the analyzer no longer sees these impossible paths in the code.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:28:20 2026
(Merged from https://github.com/openssl/openssl/pull/30619)

2 months ago - Silence MINGW warning about INVALID_SOCKET
Milan Broz [Fri, 27 Mar 2026 09:40:35 +0000 (10:40 +0100)] 
Silence MINGW warning about INVALID_SOCKET

On Windows, SOCKET is defined as unsigned (UINT_PTR).

In OpenSSL, the socket abstraction uses int, see
discussion in https://github.com/openssl/openssl/issues/7282.

For some time MINGW used a signed definition of INVALID_SOCKET,
then switched back to unsigned, see for example
https://sourceforge.net/p/mingw-w64/discussion/723797/thread/71522d10/
Currently, it is defined as unsigned, creating many warnings like

  warning: overflow in conversion from 'long long unsigned int' to 'int'
  changes value from '18446744073709551615' to '-1' [-Woverflow]
  *sock = INVALID_SOCKET;

As we use INVALID_SOCKET only in our code, we can safely silence
this warning just by redefining INVALID_SOCKET to signed
(version that is commented out in MINGW headers).

While this is only a workaround, it has been here for years and
allows focus on more important warnings.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:27 2026
(Merged from https://github.com/openssl/openssl/pull/30616)

2 months ago - Define static set_cloexec() only when really used
Milan Broz [Fri, 27 Mar 2026 09:39:56 +0000 (10:39 +0100)] 
Define static set_cloexec() only when really used

The statically defined set_cloexec helper is used only
if RIO_NOTIFIER_METHOD_SOCKET is set (for the non-Windows branch)
and if RIO_NOTIFIER_METHOD_SOCKETPAIR is set
(always).

This avoids unused code warnings.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:26 2026
(Merged from https://github.com/openssl/openssl/pull/30616)

2 months ago - Make ssl dir const in get_windows_default_path
Milan Broz [Fri, 27 Mar 2026 09:39:18 +0000 (10:39 +0100)] 
Make ssl dir const in get_windows_default_path

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:24 2026
(Merged from https://github.com/openssl/openssl/pull/30616)

2 months ago - Change !BN_copy() to BN_copy() == NULL
Alyssa Sfravara [Thu, 26 Mar 2026 15:36:20 +0000 (11:36 -0400)] 
Change !BN_copy() to BN_copy() == NULL

Per the coding style guide, Chapter 15, "Expressions"[1]:

    Do not use implicit checks for numbers (not) being 0 or pointers
    (not) being NULL.

Change occurrences of "!BN_copy(a, b)" checks to "BN_copy() == NULL"
to align with the coding style guide.

[1] https://www.openssl.org/policies/technical/coding-style.html#expressions

Resolves: https://github.com/openssl/openssl/issues/30565
CLA: trivial

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 31 00:10:41 2026
(Merged from https://github.com/openssl/openssl/pull/30573)

2 months ago - Configure: Remove extensive debug output by default
Orgad Shaneh [Thu, 6 Nov 2025 11:43:21 +0000 (13:43 +0200)] 
Configure: Remove extensive debug output by default

These debug logs were added in 6e0fd246e7a (#24687), probably for
debugging the script, but they remained active by default.

Change them to appear only if OPENSSL_MKINSTALLVARS_DEBUG env var
is set.

References: 6e0fd246e7a6 "Give util/mkinstallvars.pl more fine grained control over var dependencies"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Tue Mar 31 00:03:14 2026
(Merged from https://github.com/openssl/openssl/pull/29083)

2 months ago - Fixed missing subjectAltName when issuing a cert with mkcert.sh genee
K1 [Thu, 26 Mar 2026 12:14:37 +0000 (20:14 +0800)] 
Fixed missing subjectAltName when issuing a cert with mkcert.sh genee

Just add %s to make subjectAltName appear before [alts].

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:53:28 2026
(Merged from https://github.com/openssl/openssl/pull/30585)

2 months ago - Update ordinals from 4.0.0-beta1
openssl-machine [Tue, 24 Mar 2026 15:13:42 +0000 (15:13 +0000)] 
Update ordinals from 4.0.0-beta1

This is a partial forward-port of commit 3c4194022cc4 "make update"
from the openssl-4.0 branch, that includes updates to util/libcrypto.num
and util/libssl.num files.

References: 3c4194022cc4 "make update"

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:52:22 2026
(Merged from https://github.com/openssl/openssl/pull/30555)

2 months ago - quic: add missing return 0 after raise_protocol_error for NEW_CONN_ID
Abhinav Agarwal [Tue, 24 Mar 2026 02:17:04 +0000 (19:17 -0700)] 
quic: add missing return 0 after raise_protocol_error for NEW_CONN_ID

Every other frame type handler in depack_process_frames() returns 0
after calling ossl_quic_channel_raise_protocol_error(), but the
NEW_CONN_ID case falls through to depack_do_frame_new_conn_id().

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:48:44 2026
(Merged from https://github.com/openssl/openssl/pull/30550)

2 months ago - Add NULL checks for the arguments in OSSL_PARAM_BLD_push_*() functions
Igor Ustinov [Mon, 23 Mar 2026 13:35:30 +0000 (14:35 +0100)] 
Add NULL checks for the arguments in OSSL_PARAM_BLD_push_*() functions

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 27 16:46:48 2026
(Merged from https://github.com/openssl/openssl/pull/30542)

2 months ago - CMS_verify(): Fix leak of tmpin in an error path
openssl-machine [Mon, 23 Mar 2026 08:09:03 +0000 (09:09 +0100)] 
CMS_verify(): Fix leak of tmpin in an error path

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:43:44 2026
(Merged from https://github.com/openssl/openssl/pull/30535)

2 months ago  Doc: clarify AAD out1 semantics in EVP_EncryptInit
William Faber [Sun, 22 Mar 2026 21:29:27 +0000 (17:29 -0400)] 
Doc: clarify AAD out1 semantics in EVP_EncryptInit

Fixes #29761

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:40:23 2026
(Merged from https://github.com/openssl/openssl/pull/30533)

2 months ago  Adds NULL checks for EVP_MD_CTX_get_pkey_ctx() return values
Chris Baudouin, Jr. [Sat, 21 Mar 2026 18:08:01 +0000 (18:08 +0000)] 
Adds NULL checks for EVP_MD_CTX_get_pkey_ctx() return values

Guard against potential NULL pointer dereferences when
EVP_MD_CTX_get_pkey_ctx() is called and its result is used
without validation. Store the return value in a local variable,
check for NULL before passing it to subsequent functions, and
remove redundant repeated calls.

Fixes #27735

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:39:04 2026
(Merged from https://github.com/openssl/openssl/pull/30522)

2 months ago  s390x: set minimum architecture level to z10
Amaan Qureshi [Fri, 20 Mar 2026 00:40:20 +0000 (20:40 -0400)] 
s390x: set minimum architecture level to z10

The keccak1600 perlasm file (`keccak1600-s390x.pl`) emits `cijne`, a
z10 compare-immediate-and-branch instruction, without declaring a
minimum architecture level. GCC defaults to `-march=z900` on s390x,
causing assembler errors when building with the default toolchain
flags:

    keccak1600-s390x.S:399: Error: Unrecognized opcode: `cijne'

z900 has been out of service since 2014, the Linux kernel requires
z196 minimum, and clang already defaults to z10 on s390x. A
`.machine "z10"` GAS directive in the generated assembly resolves the
error by declaring the architecture level the file already requires.

Ref: #27323

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:32:22 2026
(Merged from https://github.com/openssl/openssl/pull/30507)

2 months ago  Improve bad FFC parameters error messages with L, N arguments
Jun Aruga [Tue, 17 Mar 2026 17:01:58 +0000 (17:01 +0000)] 
Improve bad FFC parameters error messages with L, N arguments

Improve the finite field cryptography (FFC) messages with L, N arguments.

Fixes #17108

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:29:59 2026
(Merged from https://github.com/openssl/openssl/pull/30493)

2 months ago  Use mmap for pkeyutl -rawin and dgst one-shot input
herbenderbler [Wed, 25 Mar 2026 06:49:06 +0000 (00:49 -0600)] 
Use mmap for pkeyutl -rawin and dgst one-shot input

When using openssl pkeyutl -rawin or openssl dgst for one-shot sign/verify
(e.g. Ed25519, Ed448), file input is now read via mmap() on Unix where
supported, avoiding a full buffer allocation and copy. Large files are
supported without doubling memory use; on failure of the mmap path we
do not fall back to the buffer path.

- Add app_mmap_file() in apps/lib/apps.c: stat/open/mmap/close, tri-state
  return (1 mapped, 0 size zero, -1 error). Parameter err_bio avoids
  shadowing global bio_err (-Wshadow).
- apps/pkeyutl.c and apps/dgst.c: use app_mmap_file(); single exit for
  mmap path in pkeyutl; dgst includes apps.h first for _FILE_OFFSET_BITS;
  do_fp_oneshot_sign returns EXIT_SUCCESS/EXIT_FAILURE like do_fp(); no
  fallback when mmap attempted but fails.
- pkeyutl mmap/buffer path: pass filesize to EVP_DigestVerify and
  EVP_DigestSign (review suggestion, avoids casting buf_len).
- Error messages: per-file messages for stat/size (dgst, pkeyutl); CHANGES.md
  "Unix-like" and "16 MB" (documentation style).
- Centralize _FILE_OFFSET_BITS and mmap includes in apps/include/apps.h.
- Tests: pkeyutl/dgst oneshot from file, no-fallback regression tests;
  use srctop_dir for test paths; stderr patterns for mmap errors.
- Docs: man pages and CHANGES.md.

CI fixes: return failure from dgst one-shot sign when mmap fails; treat
non-regular paths as mmap errors in app_mmap_file() and pkeyutl; reject
directories before mmap.

Addresses review feedback from DDvO, npajkovsky, and vdukhovni (PR #30429).

Fixes #11677

Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org>
Co-authored-by: David von Oheimb <DDvO@users.noreply.github.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 27 16:25:33 2026
(Merged from https://github.com/openssl/openssl/pull/30429)

2 months ago  doc: Clarify wording in PKCS5_PBE_keyivgen.pod
Zoey Chapell [Sun, 15 Feb 2026 00:39:20 +0000 (19:39 -0500)] 
doc: Clarify wording in PKCS5_PBE_keyivgen.pod

Resolves #12519 by adding to the DESCRIPTION section. Documentation only change.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 16:17:02 2026
(Merged from https://github.com/openssl/openssl/pull/29984)

2 months ago  Fix missing EVP_CIPHER_get_iv_length() guard in PKCS5_pbe2_set_scrypt
Weidong Wang [Sat, 21 Mar 2026 15:41:49 +0000 (10:41 -0500)] 
Fix missing EVP_CIPHER_get_iv_length() guard in PKCS5_pbe2_set_scrypt

Store the return value of EVP_CIPHER_get_iv_length() in a local variable
and guard with (ivlen > 0) before passing to memcpy/RAND_bytes, matching
the pattern already used in p5_pbev2.c. Without this, a negative return
value (-1) is implicitly converted to SIZE_MAX when cast to size_t,
causing a stack buffer overflow on iv[EVP_MAX_IV_LENGTH].

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 27 16:14:09 2026
(Merged from https://github.com/openssl/openssl/pull/30510)

2 months ago  Remove bioprinttest
slontis [Wed, 25 Mar 2026 05:38:57 +0000 (16:38 +1100)] 
Remove bioprinttest

Bioprinttest is redundant since internally it just calls c library
functions such as vsnprintf. This was a slow test.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Mar 27 07:17:04 2026
(Merged from https://github.com/openssl/openssl/pull/30561)

2 months ago  CMS/PKCS#7 doc: Fix inconsistencies and missing detail w.r.t. smimesign and smimeencr...
Dr. David von Oheimb [Wed, 4 Feb 2026 09:36:31 +0000 (10:36 +0100)] 
CMS/PKCS#7 doc: Fix inconsistencies and missing detail w.r.t. smimesign and smimeencrypt purposes

* Fix inconsistent doc (so far using purpose names smime_sign and smime_encrypt) vs. implementation
* Add the info that "smimesign" is the default purpose here.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Mar 27 06:25:20 2026
(Merged from https://github.com/openssl/openssl/pull/18914)

2 months ago  CMS/PKCS#7: Add missing verification method "smime_encrypt" in crypto/x509/x509_vpm...
Dr. David von Oheimb [Sat, 30 Jul 2022 19:11:51 +0000 (21:11 +0200)] 
CMS/PKCS#7: Add missing verification method "smime_encrypt" in crypto/x509/x509_vpm.c and doc

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Fri Mar 27 06:25:19 2026
(Merged from https://github.com/openssl/openssl/pull/18914)

2 months ago  cmp_client_test.c: disable KUR_bad_pkiConf_protection
Dr. David von Oheimb [Wed, 25 Mar 2026 12:21:33 +0000 (13:21 +0100)] 
cmp_client_test.c: disable KUR_bad_pkiConf_protection

This is a workaround for an issue that led to fuzz-checker CI failures;
the preliminary solution is to disable the inessential test case
test_exec_KUR_bad_pkiConf_protection.

References: https://github.com/openssl/openssl/pull/28973
Fixes: 525a4f1efbab "cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Thu Mar 26 15:55:34 2026
(Merged from https://github.com/openssl/openssl/pull/30567)

2 months ago  Slight enhancement of commentary for exported configurations
Richard Levitte [Sat, 11 Oct 2025 04:53:18 +0000 (06:53 +0200)] 
Slight enhancement of commentary for exported configurations

There's a misunderstanding regarding the use of .pc and .cmake files
found in the top of the build tree vs in its 'exporters' subdirectory.

Some added commentary, especially in the files being produced, might
help clarify their uses.

Resolves: https://github.com/openssl/openssl/issues/28803

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Mar 26 15:19:09 2026
(Merged from https://github.com/openssl/openssl/pull/28858)

2 months ago  [crypto/ec] optimize fetching affine coordinates when Z is one
Billy Brumley [Sun, 22 Mar 2026 17:07:20 +0000 (13:07 -0400)] 
[crypto/ec] optimize fetching affine coordinates when Z is one

Check the z_is_one flag and early exit if it's set.

This saves an expensive field inversion in some cases,
especially when just loading a key and reading it back.

In fact sometimes it saves two expensive field inversions,
because sometimes the first call is only for retrieving the size.

Fixes #29719

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Mar 26 13:58:10 2026
(Merged from https://github.com/openssl/openssl/pull/30530)

2 months ago  Fix MINGW compilation
Milan Broz [Mon, 23 Mar 2026 15:15:06 +0000 (16:15 +0100)] 
Fix MINGW compilation

This patch fixes
  undefined reference to `ossl_BIO_snprintf_msvc'

Define it only if MSVC is used.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Mar 25 14:12:58 2026
(Merged from https://github.com/openssl/openssl/pull/30541)

2 months ago  cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print...
Dr. David von Oheimb [Thu, 23 Oct 2025 18:52:53 +0000 (20:52 +0200)] 
cmp_vfy.c: on error trying to use cached CMP message sender cert, make sure to print diagnostics

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more...
Dr. David von Oheimb [Wed, 22 Oct 2025 15:36:14 +0000 (17:36 +0200)] 
cmp_vfy.c,doc/,test/: when trying to use cached CMP message sender cert, no more check its revocation and chain

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new...
Dr. David von Oheimb [Wed, 22 Oct 2025 14:38:37 +0000 (16:38 +0200)] 
CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new.pod and ossl_cmp_msg_check_update.pod

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  crypto/cmp/: generalize info/debug messages and code comments from mentioning 'server...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:48:01 +0000 (15:48 +0200)] 
crypto/cmp/: generalize info/debug messages and code comments from mentioning 'server' to 'sender'

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  apps/cmp.c: minor code refactoring on -no_cache_extracerts, tweak mock server error...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:35:57 +0000 (15:35 +0200)] 
apps/cmp.c: minor code refactoring on -no_cache_extracerts, tweak mock server error message

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  cmp_vfy.c: fix crash on attempting to use invalidated sender cert on producing diagno...
Dr. David von Oheimb [Wed, 22 Oct 2025 13:28:29 +0000 (15:28 +0200)] 
cmp_vfy.c: fix crash on attempting to use invalidated sender cert on producing diagnostic information

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  apps/cmp.c: make sure that CMP mock server respects -ignore_keyusage and -no_cache_ex...
Dr. David von Oheimb [Wed, 22 Oct 2025 12:58:14 +0000 (14:58 +0200)] 
apps/cmp.c: make sure that CMP mock server respects -ignore_keyusage and -no_cache_extracerts

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28973)

2 months ago  quic: fix off-by-one in QUIC_MAX_MAX_ACK_DELAY
Abhinav Agarwal [Sun, 22 Mar 2026 17:45:53 +0000 (10:45 -0700)] 
quic: fix off-by-one in QUIC_MAX_MAX_ACK_DELAY

Should be 2^14-1 (16383) per RFC 9000 s. 18.2, not 2^14 (16384).

Fixes: 35dc6c353bfe ("QUIC: Make more transport parameters configurable")
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:55:50 2026
(Merged from https://github.com/openssl/openssl/pull/30531)

2 months ago  crypto/idea/i_ofb64.c: mask the num value after negativity check
Eugene Syromiatnikov [Sun, 22 Mar 2026 01:16:27 +0000 (02:16 +0100)] 
crypto/idea/i_ofb64.c: mask the num value after negativity check

Commit 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB
implementations" introduced masking of the user-supplied num value
in several functions, which rendered the exiting *num negativity check
introduced in 1634b2df9f12 "enc: fix coverity 145149914515011451506,
14515071351511145151414515171451523, 1451526m 14515281451539,
145144114515491451568 & 1451572: improper use of negative value"
ineffectual.  While commit b73a5743253d "crypto/idea/i_cfb64.c:
condition 'n < 0' can never be met after doing 'n = n & 0x07'"
has addressed the issue in crypto/idea/i_cfb64.c:IDEA_cfb64_encrypt(),
this commit addresses the same issue
in crypto/idea/i_ofb64.c:IDEA_ofb64_encrypt() in similar fashion,
by postponing the masking after the negativity check.

The issue was initially reported by Coverity, ID 1689815.

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689815
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
References: b73a5743253d "crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'"
Co-Authored-by: Alexandr Nedvedicky <sashan@openssl.org>
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:52:35 2026
(Merged from https://github.com/openssl/openssl/pull/30528)
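The PKCS5_pbe2_set_scrypt IV-length guard above and this OFB64 ordering fix are two instances of the same hazard: a signed status value reaching unsigned or masked arithmetic before it has been checked. The C below is an added illustration, not OpenSSL code. `MAX_IV_LENGTH`, `unsafe_cast_length`, `copy_iv_guarded`, `ofb_num_mask_first` and `ofb_num_check_first` are hypothetical stand-ins for the library's own buffers and functions; the input values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for EVP_MAX_IV_LENGTH (hypothetical value for the example). */
#define MAX_IV_LENGTH 16

/* Unsafe pattern: an int length that can be -1 (error) is widened to size_t
 * without a check. -1 becomes SIZE_MAX, so a memcpy/RAND_bytes of that many
 * bytes would run far past iv[]. This helper only reports the widened value;
 * it never copies anything. */
static size_t unsafe_cast_length(int ivlen)
{
    return (size_t)ivlen;
}

/* Guarded pattern from the scrypt fix: validate the signed value before it is
 * ever widened, and also bound it by the destination capacity.
 * Returns 1 and copies ivlen bytes into iv on success, 0 otherwise. */
static int copy_iv_guarded(unsigned char *iv, size_t iv_cap,
                           const unsigned char *src, int ivlen)
{
    if (ivlen <= 0 || (size_t)ivlen > iv_cap)
        return 0;   /* -1 (error), 0 (no IV) and oversize are all rejected */
    memcpy(iv, src, (size_t)ivlen);
    return 1;
}

/* Wrong ordering from the OFB64 report: masking first makes the negativity
 * check unreachable, so a negative *num silently turns into 0..7. */
static int ofb_num_mask_first(int num)
{
    num &= 0x07;
    if (num < 0)            /* dead code: the mask already cleared the sign */
        return -1;
    return num;
}

/* Corrected ordering: reject negative input first, then mask into range. */
static int ofb_num_check_first(int num)
{
    if (num < 0)
        return -1;
    return num & 0x07;
}

int main(void)
{
    unsigned char iv[MAX_IV_LENGTH];
    unsigned char src[MAX_IV_LENGTH] = { 0 };   /* constructed sample IV */

    printf("(size_t)-1 == SIZE_MAX: %d\n", unsafe_cast_length(-1) == SIZE_MAX);
    printf("guarded copy with ivlen -1 accepted: %d\n",
           copy_iv_guarded(iv, sizeof(iv), src, -1));
    printf("mask-first on -1 yields %d, check-first yields %d\n",
           ofb_num_mask_first(-1), ofb_num_check_first(-1));
    return 0;
}
```

The guard deliberately rejects `ivlen == 0` as well: a cipher with no IV should not reach a code path that generates and stores one, and treating "no IV" and "error" alike keeps the zero case from masking a real failure.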

2 months ago  Simplify ossl_namemap_name2num with ossl_namemap_name2num_n
Norbert Pocs [Fri, 20 Mar 2026 17:43:42 +0000 (18:43 +0100)] 
Simplify ossl_namemap_name2num with ossl_namemap_name2num_n

The two functions do the same; there is no reason to maintain duplicate
code.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 24 17:47:58 2026
(Merged from https://github.com/openssl/openssl/pull/30524)

2 months ago  threadstest: Check the return value of two memory allocations
Aditya Patil [Fri, 20 Mar 2026 14:43:10 +0000 (10:43 -0400)] 
threadstest: Check the return value of two memory allocations

Add a NULL check with OPENSSL_assert() before dereferencing the allocated pointer.

Fixes #30017

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:44:44 2026
(Merged from https://github.com/openssl/openssl/pull/30509)

2 months ago  conf: guard NULL group in NCONF_get_string() error path
easonysliu [Wed, 18 Mar 2026 08:22:24 +0000 (16:22 +0800)] 
conf: guard NULL group in NCONF_get_string() error path

NCONF_get_string() passes the group parameter directly to
ERR_raise_data() with a %s format specifier.  The CONF API
explicitly allows group to be NULL (meaning "default section"),
and multiple internal callers use this, such as conf_diagnostics()
and CONF_modules_load().

When the lookup fails and the error path is reached, passing NULL
to %s is undefined behavior per the C standard.  On Linux/glibc
it happens to print "(null)", but on platforms like Solaris 10 it
crashes in strlen() inside vsnprintf().

This was exposed after commit #28305 replaced the custom _dopr()
(which had an explicit NULL-to-"<NULL>" guard in fmtstr()) with
the platform's native vsnprintf().

Guard the NULL by using an empty string in the format argument.

Fixes #30402

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:39:02 2026
(Merged from https://github.com/openssl/openssl/pull/30484)

2 months ago  Fix vpsm4_ex-armv8.pl implementation bug
Liu-ErMeng [Fri, 13 Mar 2026 09:29:28 +0000 (02:29 -0700)] 
Fix vpsm4_ex-armv8.pl implementation bug

Load .Lsbox_magic base once via adrp+add and use plain immediate offsets for q loads,
avoiding potential low-12-bit truncation issues with #:lo12:symbol+offset.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:36:51 2026
(Merged from https://github.com/openssl/openssl/pull/30410)

2 months ago  apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()
huanghuihui0904 [Thu, 12 Mar 2026 13:01:30 +0000 (21:01 +0800)] 
apps/cmp.c: fix leak of out_trusted in setup_verification_ctx()

setup_verification_ctx() allocates out_trusted via load_trusted() and passes
it to OSSL_CMP_CTX_set_certConf_cb_arg(). Since the argument is not consumed,
it must be freed on failure. The fix is to free out_trusted if
OSSL_CMP_CTX_set_certConf_cb_arg() fails.

Fixes #30377

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:34:49 2026
(Merged from https://github.com/openssl/openssl/pull/30392)

2 months ago  Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect
Peter Zhang [Wed, 11 Mar 2026 22:59:48 +0000 (22:59 +0000)] 
Fix CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect

When server contains a bare IPv6 address, OSSL_HTTP_proxy_connect() must
wrap it in square brackets for the CONNECT request line (e.g.,
CONNECT [::1]:443 HTTP/1.0).  Also handle the case where the server
string already includes brackets (as returned by OSSL_HTTP_parse_url).

Fixes: 29f178bddfdb ("Generalize the HTTP client so far implemented mostly in crypto/ocsp/ocsp_ht.c")
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:32:06 2026
(Merged from https://github.com/openssl/openssl/pull/30384)
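An added C illustration of the request-line rule this fix describes; it is not OpenSSL's OSSL_HTTP_proxy_connect(). `build_connect_line` is a hypothetical helper that brackets a bare IPv6 literal (the IP-literal form of RFC 3986), leaves an already-bracketed host, a hostname or an IPv4 address untouched, and refuses host or port strings containing whitespace or CR/LF so that caller data cannot inject a second header line into the proxy request. The hosts in main() are constructed sample inputs.

```c
#include <stdio.h>
#include <string.h>

/* Builds "CONNECT host:port HTTP/1.0\r\n" for a proxy. A bare IPv6 literal is
 * wrapped in brackets; a host that already arrives as "[...]" (as a URL parser
 * may return it) is used as-is. Returns the number of bytes written, not
 * counting the terminating NUL, or -1 on invalid input or truncation. */
static int build_connect_line(const char *server, const char *port,
                              char *out, size_t out_cap)
{
    size_t len;
    int bare_v6, n;

    if (server == NULL || port == NULL || *server == '\0' || *port == '\0')
        return -1;
    /* Anything that can end the request line early or start a new header
     * line must never come from caller-controlled host/port strings. */
    if (strpbrk(server, " \t\r\n") != NULL || strpbrk(port, " \t\r\n") != NULL)
        return -1;

    len = strlen(server);
    /* Only IPv6 literals contain ':' in the host part; treat one as bare
     * unless it is already enclosed in brackets. */
    bare_v6 = strchr(server, ':') != NULL
              && !(server[0] == '[' && server[len - 1] == ']');

    n = snprintf(out, out_cap, "CONNECT %s%s%s:%s HTTP/1.0\r\n",
                 bare_v6 ? "[" : "", server, bare_v6 ? "]" : "", port);
    if (n < 0 || (size_t)n >= out_cap)
        return -1;          /* truncated: never send a partial request line */
    return n;
}

int main(void)
{
    /* Constructed sample targets: bare IPv6, pre-bracketed IPv6, hostname, IPv4. */
    const char *hosts[] = { "::1", "[2001:db8::1]", "target.example", "192.0.2.1" };
    char line[128];
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        if (build_connect_line(hosts[i], "443", line, sizeof(line)) > 0)
            fputs(line, stdout);
    }
    return 0;
}
```

The truncation check matters as much as the bracketing: a CONNECT line cut short by a small buffer is still a syntactically plausible request to many proxies, so the helper reports failure rather than returning whatever fitted.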

2 months ago  Some more X509 extension add/del polish and fixups
Dr. David von Oheimb [Tue, 10 Mar 2026 17:37:27 +0000 (18:37 +0100)] 
Some more X509 extension add/del polish and fixups

Making better use of X509v3_delete_extension().

This includes two minor bugfixes:
The enc.modified flag was not set on deleting extensions in
X509_REQ and X509_CRL structures.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:29:09 2026
(Merged from https://github.com/openssl/openssl/pull/30350)

2 months ago  Add more details to the certification path building documentation
Marcel Merkle [Mon, 9 Mar 2026 09:01:28 +0000 (10:01 +0100)] 
Add more details to the certification path building documentation

Added more details about the certification path building algorithm,
especially about the behavior in case of incomplete chains in the trust
store.

Fixes #29681

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:24:15 2026
(Merged from https://github.com/openssl/openssl/pull/30317)

2 months ago  Add IKEV2KDF implementation
Helen Zhang [Fri, 13 Mar 2026 17:25:31 +0000 (17:25 +0000)] 
Add IKEV2KDF implementation

  In compliance with RFC7296 and SP800-135

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:21:21 2026
(Merged from https://github.com/openssl/openssl/pull/30121)

2 months ago  cmp_ctx_set_md(): on error, provide name of unsupported algorithm
Dr. David von Oheimb [Mon, 14 Jul 2025 17:51:14 +0000 (19:51 +0200)] 
cmp_ctx_set_md(): on error, provide name of unsupported algorithm

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:58 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 months ago  OSSL_CMP_CTX_{set,get}_option(): improve error diagnostics
Dr. David von Oheimb [Wed, 26 Feb 2025 17:49:58 +0000 (18:49 +0100)] 
OSSL_CMP_CTX_{set,get}_option(): improve error diagnostics

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:57 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 months ago  OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but...
Dr. David von Oheimb [Fri, 7 Feb 2025 09:50:02 +0000 (10:50 +0100)] 
OSSL_CMP_get1_rootCaKeyUpdate(): warn if genp contains oldWithNew certificate but not oldWithOld

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:56 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 months ago  CMP get_genm_itav(): suppress misleading error message on GENP with rejection
Dr. David von Oheimb [Thu, 6 Feb 2025 16:15:28 +0000 (17:15 +0100)] 
CMP get_genm_itav(): suppress misleading error message on GENP with rejection

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 24 17:06:55 2026
(Merged from https://github.com/openssl/openssl/pull/29074)

2 months ago  Fix oids_to_c.pm to not print warnings on Windows.
Milan Broz [Sat, 21 Mar 2026 12:56:35 +0000 (13:56 +0100)] 
Fix oids_to_c.pm to not print warnings on Windows.

The oids_to_c.pm with Strawberry Perl often prints these errors:
  Use of uninitialized value in join or string at Strawberry/perl/lib/re.pm line 47.

This is caused by use re 'debugcolor' in the perl module.

As Windows does not have proper termcap database and colors
also do not work in cmd shell, let's just use non-colored
'debug' version.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:04:23 2026
(Merged from https://github.com/openssl/openssl/pull/30521)

2 months ago  test: Fix test_rand to check output length (and run silently)
Milan Broz [Sat, 21 Mar 2026 12:50:37 +0000 (13:50 +0100)] 
test: Fix test_rand to check output length (and run silently)

When running tests on Windows, the last test command in test_rand
is mixed with test output.

  perl.exe ..\..\util\wrap.pl ..\..\apps\openssl.exe rand
  -hex 2K => 0[14:11:00] 05-test_rand.t ......

As there is also missing actual check for output length,
fix both problems by adding simple check for expected length.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 24 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30521)

2 months ago  Fixup property test to have enough of a real provider struct
Neil Horman [Tue, 3 Mar 2026 15:04:04 +0000 (10:04 -0500)] 
Fixup property test to have enough of a real provider struct

Now that ossl_method_store_cache_[set|get] query the provider name, we
need to make our property test account for that, by defining the
property query to be identical to what the internal definition is.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:11 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 months ago  convert ALGORITHM cache to use internal hashtable
Neil Horman [Tue, 3 Mar 2026 14:49:33 +0000 (09:49 -0500)] 
convert ALGORITHM cache to use internal hashtable

Let's improve our property query lookup performance.

Currently our property query lookup performance could be better.  It
suffers from three major drawbacks,

1) The hashtable itself could be faster.  our internal hashtable
implementation is generally quicker than our LHASH implementation

2) The lookup case for a specific provider (i.e. when we do a cache lookup
with prov != NULL) requires some significant iteration over hash buckets with
LHASH, as we iterate over all entries that match the same query looking
for a matching provider pointer.

3) Stochastic flush is... not great.  When we reach cache size limitations
   (currently 512 entries spread over 4 shards), we randomly flush about
   50% of the cache, which requires an iteration over the entire hash
   table.

Let's address all of these:

1) is pretty straightforward.  Replacing the LHASH hashtable with our
   internal hash table is pretty easy, and lets us take advantage of the
   hash computation caching introduced earlier.

2) With (1) we can do direct lookups of specific provider, by including
   the provider name in the hash key.  Provider agnostic (i.e. provider
   == NULL) lookups are now handled by adding an extra hash entry for
   each nid with the key being _only_ the property query.  Prior entries
   for the same key get evicted, so a lookup for prop_query = X, prov =
   NULL returns the last QUERY that was added for that query string
   against a particular nid.

3) I've never fully understood why we do random early discard of queries
   when we reach capacity.  It seems easier and more efficient to just
   discard a single entry to keep us under our size limits.  Especially
   given that the sharding reduces the likelihood that we need to flush
   in any given shard.  This also prevents us from needing to traverse
   the entire hash table, as we can just discard a single QUERY and
   abort the loop early.

In addition to the above we can also:

1) Migrate the QUERY hashtable from the ALGORITHM struct to the
   STORED_ALGORITHMS struct.  Currently we create a hash table per
   ALGORITHM, and we have potentially hundreds of algorithms.  While
   this makes for really fast lookups, each QUERY cache only having a
   few entries, it's a huge waste of memory, consolidating all of the
   nids to a single sharded STORED_ALGORITHMS struct saves a bunch of
   memory and is still faster than what we have currently.

2) Add an lru-like linked list to QUERY entries.  This serves two
   purposes.  It's not quite lru/lfu, but it allows us to more quickly do
   an in-order traversal of a hash table on every node, and detect when
   a QUERY has been looked up since the last query table update.  By
   detecting this, we can bias ourselves on cull operations toward
   eliminating those entries which have not been referenced frequently.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:09 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 months ago  Add extern key buffer setup for hash table
Neil Horman [Tue, 3 Mar 2026 14:45:19 +0000 (09:45 -0500)] 
Add extern key buffer setup for hash table

One thing @npajkovsky noted in our recent discussion about the internal
hash table was that it's unfortunate that keys have to be sized for the
maximal use case in our current hashtable code.

We can avoid that.

Introduce a new init mechanism that allows for keys to be initialized using
an external buffer that can be setup and marshalled independently of the
key itself.  This allows us to only allocate the amount of data needed
for the key, rather than a maximally sized buffer where appropriate and
advantageous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:07 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 months ago  Add ability to extract computed hash from hashtable
Neil Horman [Sun, 1 Mar 2026 20:18:30 +0000 (15:18 -0500)] 
Add ability to extract computed hash from hashtable

One thing we can do to speed up hash table lookups is to cache/reuse
computed hash values when interrogating a hash table multiple times in
rapid succession.

We follow this pattern frequently when using hashtables:

value = lookup_hash(key)
if (value == NULL)
 value = new_value()
 insert_to_hash(key, value)

Note that we use the same key for the lookup and the insert.  So if we
had a way to preserve the value this key hashed to, we can avoid having
to do a second hash computation during the lookup.

These new macros give us that.  The HT_KEY structure now stores the
computed hash value in the key, which can be extracted and reused by the
caller with the HT_INIT_KEY_CACHED macro.  When set, the cached hash
value is used, rather than needing to recompute the hash for any
subsequent operations

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:05 2026
(Merged from https://github.com/openssl/openssl/pull/30254)

2 months ago  Fix DSA sig dupctx pointer aliasing
Viktor Dukhovni [Sun, 22 Mar 2026 11:59:45 +0000 (22:59 +1100)] 
Fix DSA sig dupctx pointer aliasing

Same aliasing issue as with ECDSA in

    https://github.com/openssl/openssl/pull/30479

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 15:45:34 2026
(Merged from https://github.com/openssl/openssl/pull/30529)

2 months ago  CHANGES.md: remove duplicating "Added support for RFC 8701 GREASE..." entry
Eugene Syromiatnikov [Thu, 19 Mar 2026 20:49:48 +0000 (21:49 +0100)] 
CHANGES.md: remove duplicating "Added support for RFC 8701 GREASE..." entry

A cleanup after merge conflict resolution in a1420a699d25 "Implement RFC 8701
GREASE for TLS ClientHello".

Fixes: a1420a699d25 "Implement RFC 8701 GREASE for TLS ClientHello".
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Mar 22 01:03:54 2026
(Merged from https://github.com/openssl/openssl/pull/30505)

2 months ago  crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls
Deven Dighe [Thu, 19 Mar 2026 13:54:21 +0000 (09:54 -0400)] 
crypto/threads_win.c: type casted destination of InterlockedExchange{,64} calls

Explicitly cast dst argument of InterlockedExchange{,64} calls
in CRYPTO_atomic_store{,_int}() to LONG{64,} volatile *, respectively,
to work around incompatible pointer type errors on 64-bit MinGW builds.

Initially reported by Splediferous.

[esyr: massaged the commit message a bit]

CLA: trivial
Resolves: https://github.com/openssl/openssl/issues/30451
Fixes: cc7195da3038 "Make FIPS self test state access atomic"
Fixes: 7e45ac6891ad "Add CRYPTO_atomic_store api"
add cast to LONG volatile * for InterlockedExchange

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:56:36 2026
(Merged from https://github.com/openssl/openssl/pull/30504)

2 months ago  doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page
Jakub Jelen [Fri, 20 Mar 2026 16:43:07 +0000 (17:43 +0100)] 
doc/man1/openssl-pkeyutl.pod.in: Fix typo in manual page

CLA: trivial
Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun Mar 22 00:29:35 2026
(Merged from https://github.com/openssl/openssl/pull/30515)

2 months ago  SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow
slontis [Tue, 17 Mar 2026 23:16:44 +0000 (10:16 +1100)] 
SLH-DSA: Fix Integer overflow in msg_encode leading to buffer overflow

Reported by Zehua Qiao and me@snkth.com.

An encoded message buffer M = 00 || CTX_LEN || CTX || MSG was being
allocated, followed by memcpy calls into the buffer for CTX and MSG.
If len(MSG) was close to the maximum size_t value, the allocated buffer
would be overwritten.

The fix uses WPACKET to perform the message encoding M = 00 || CTX_LEN || CTX || MSG.

Although ML_DSA does a similar operation, SLH-DSA has to buffer the
encoding because the encoded message is processed multiple times for
PRF_MSG and H_MSG. For ML_DSA the encoded message can just be hashed.

Fixes: 2f9e152d86a7 "Add SLH_DSA signature verification."
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Mar 22 00:15:47 2026
(Merged from https://github.com/openssl/openssl/pull/30477)
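As an added example (not OpenSSL's own code), the size arithmetic behind the bug above: the unchecked form of `2 + ctx_len + msg_len` next to a checked encoder for M = 00 || CTX_LEN || CTX || MSG. Function names are invented here; the one-byte CTX_LEN limit of 255 is the FIPS 205 rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The shape of the original defect: size_t addition wraps silently, so a
 * huge msg_len yields a tiny size and any copy sized from the real lengths
 * overruns the buffer allocated from this value. */
size_t naive_encoded_size(size_t ctx_len, size_t msg_len)
{
    return 2 + ctx_len + msg_len;
}

/* Checked variant: returns 0 to refuse, otherwise the exact size needed. */
size_t checked_encoded_size(size_t ctx_len, size_t msg_len)
{
    if (ctx_len > 255)                     /* CTX_LEN is one byte (FIPS 205) */
        return 0;
    if (msg_len > SIZE_MAX - 2 - ctx_len)  /* 2 + ctx_len + msg_len would wrap */
        return 0;
    return 2 + ctx_len + msg_len;
}

/* Writes M = 00 || CTX_LEN || CTX || MSG into out; returns the number of
 * bytes written, or 0 when the encoding is invalid or does not fit. */
size_t encode_message(unsigned char *out, size_t out_len,
                      const unsigned char *ctx, size_t ctx_len,
                      const unsigned char *msg, size_t msg_len)
{
    size_t need = checked_encoded_size(ctx_len, msg_len);

    if (need == 0 || need > out_len)
        return 0;
    out[0] = 0x00;
    out[1] = (unsigned char)ctx_len;
    memcpy(out + 2, ctx, ctx_len);
    memcpy(out + 2 + ctx_len, msg, msg_len);
    return need;
}

/* Constructed sample: ctx = "abc", msg = "hello". Returns 1 when the
 * encoder produces the expected layout and refuses an undersized buffer. */
int self_check(void)
{
    static const unsigned char ctx[] = { 'a', 'b', 'c' };
    static const unsigned char msg[] = { 'h', 'e', 'l', 'l', 'o' };
    static const unsigned char want[] = { 0x00, 0x03, 'a', 'b', 'c',
                                          'h', 'e', 'l', 'l', 'o' };
    unsigned char out[16];
    size_t n = encode_message(out, sizeof(out), ctx, 3, msg, 5);

    return n == sizeof(want) && memcmp(out, want, n) == 0
        && encode_message(out, 8, ctx, 3, msg, 5) == 0;
}
```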

2 months ago  crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'
Alexandr Nedvedicky [Thu, 19 Mar 2026 07:21:24 +0000 (08:21 +0100)] 
crypto/idea/i_cfb64.c: condition 'n < 0' can never be met after doing 'n = n & 0x07'

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1689816
Fixes: 5ba9029bc7b3 "Mask *num on entry in deprecated low-level OFB/CFB implementations"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:50:41 2026
(Merged from https://github.com/openssl/openssl/pull/30500)

2 months ago  ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
huanghuihui0904 [Mon, 16 Mar 2026 07:16:21 +0000 (15:16 +0800)] 
ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()

pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.

Solves https://github.com/openssl/openssl/issues/30442

Fixes #30442

Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:11:54 2026
(Merged from https://github.com/openssl/openssl/pull/30443)

2 months ago  Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()
Weidong Wang [Tue, 17 Mar 2026 16:21:52 +0000 (11:21 -0500)] 
Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()

In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.

The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.

Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.

Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:23:27 2026
(Merged from https://github.com/openssl/openssl/pull/30463)

2 months ago  test: add regression tests for unauthorized OCSP response signers
1seal [Tue, 17 Mar 2026 09:14:32 +0000 (10:14 +0100)] 
test: add regression tests for unauthorized OCSP response signers

Extend test_tlsext_status_type() with a handshake that serves a
leaf-signed stapled OCSP response and verifies the connection fails
when X509_V_FLAG_OCSP_RESP_CHECK is enabled.

Generalize ocsp_server_cb_single() to use a configurable signer
cert/key instead of hardcoded paths so the same callback serves
both authorized and unauthorized signer test cases.

Add a test_ocsp() subtest covering the -issuer CLI option with
an untrusted issuer hint.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:29 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 months ago  x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths
1seal [Tue, 17 Mar 2026 09:14:21 +0000 (10:14 +0100)] 
x509: remove OCSP_TRUSTOTHER from stapled response and issuer fallback paths

check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.

Similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.

Remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.

Fixes: c6724060e267f "RT2206: Add -issuer flag to ocsp command"
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/30323)

2 months ago  x509: fix bug in timeSpecification printing
Jaeho Nam [Sun, 15 Mar 2026 08:31:49 +0000 (08:31 +0000)] 
x509: fix bug in timeSpecification printing

Fix i2r_OSSL_DAY_TIME() to check dt->second before decoding the
optional seconds field. Add a regression certificate and x509 recipe
coverage for the periodic timeSpecification case with no seconds.

Resolves: https://github.com/openssl/openssl/issues/30424
Fixes: 70b17e5a00da "feat: support the timeSpecification X.509v3 extension"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Mar 20 18:47:04 2026
(Merged from https://github.com/openssl/openssl/pull/30425)

2 months ago  Fix ECDSA sig CTX dup "sig" aliasing, error paths
Viktor Dukhovni [Mon, 16 Mar 2026 00:51:45 +0000 (11:51 +1100)] 
Fix ECDSA sig CTX dup "sig" aliasing, error paths

- The context "sig" field ended up shared by both contexts
  after a dup, leading to a later double-free.

Reported by Stanislav Fort and Pavel Kohout of Aisle Research.

- Rare error paths could lead to a memory leak or to use-after-free
  and/or double-free.

Reported by Kenaz Wang.

Fixes: edd3b7a309f8 "Add ECDSA to providers"
Fixes: f68ba38e1890 "Refactor OpenSSL 'ECDSA' EVP_SIGNATURE to also include ECDSA+hash composites"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:15:48 2026
(Merged from https://github.com/openssl/openssl/pull/30479)

2 months ago  ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check
Daniel Cuthbert [Tue, 17 Mar 2026 18:58:33 +0000 (18:58 +0000)] 
ech: fix off-by-one in hpke_decrypt_encch extensions length bounds check

The bounds check before reading the two-byte extensions length field uses
extsoffset + 1 instead of extsoffset + 2:

    if ((extsoffset + 1) > clearlen) { goto paderr; }
    extslen = clear[extsoffset] * 256 + clear[extsoffset + 1];

When extsoffset == clearlen - 1 the check passes, but the second read
clear[extsoffset + 1] is clear[clearlen], which is one byte beyond
the decrypted plaintext.  The allocation is OPENSSL_malloc(cipherlen)
where cipherlen = clearlen + AEAD_overhead, so the address is valid,
but the byte is uninitialised after OSSL_HPKE_open returns.

Using Valgrind confirmed an uninitialised-value read at this location
via the full server handshake path:

    hpke_decrypt_encch (ech_internal.c)
    ossl_ech_early_decrypt
    tls_process_client_hello
    state_machine
    SSL_do_handshake

The subsequent ch_len > clearlen check (line 1875) acts as a safety net
and prevents the stale byte from being used further, so the practical
impact is a forced decode error rather than memory disclosure.
Nevertheless, the read itself is incorrect and should be fixed.

Fix: change the guard to extsoffset + 2 so that both bytes
of the extensions length field are confirmed to be within the decrypted
buffer before either is read.

This issue was identified through AI-assisted structural analysis
(RAPTOR) using CodeQL database tooling (AST analysis, control flow
verification, dominator tree analysis) against the OpenSSL master
branch.  The off-by-one was confirmed via AST inspection showing
GT(Add(extsoffset, 1), clearlen) instead of the expected
GT(Add(extsoffset, 2), clearlen).

Found by myself @danielcuthbert and validated
by Benjamin Rodes - Microsoft @bdrodes.

CLA: trivial
Fixes: 6c3edd4f3a8a "Add server-side handling of Encrypted Client Hello"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 18:07:01 2026
(Merged from https://github.com/openssl/openssl/pull/30472)
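As an added example (not code from OpenSSL), the two-byte extensions-length guard from the commit above in its off-by-one form next to the corrected form, run over a constructed buffer laid out the way the commit describes: CLEARLEN bytes of plaintext followed by stale bytes up to cipherlen. The names clear, clearlen and extsoffset follow the commit; the helper functions, the 0xAA filler and the AEAD overhead value are assumptions made here.

```c
#include <stddef.h>

/* Mirrors the commit's allocation: the buffer is cipherlen bytes long, but
 * only the first CLEARLEN bytes are decrypted plaintext. The tail holds
 * whatever was there before OSSL_HPKE_open (here a constructed 0xAA). */
#define CLEARLEN 12
#define AEAD_OVERHEAD 4   /* constructed stand-in for the real tag size */
unsigned char sample_clear[CLEARLEN + AEAD_OVERHEAD] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x05, /* plaintext; length field at offset 10 */
    0xAA, 0xAA, 0xAA, 0xAA                    /* stale bytes beyond the plaintext */
};

/* Returns the decoded extensions length, or -1 where the original code
 * jumps to paderr. Off-by-one: only clear[extsoffset] is proven in range,
 * so at extsoffset == clearlen - 1 the second byte comes from the stale tail. */
long extslen_buggy(const unsigned char *clear, size_t clearlen, size_t extsoffset)
{
    if (extsoffset + 1 > clearlen)
        return -1;
    return (long)clear[extsoffset] * 256 + clear[extsoffset + 1];
}

/* Corrected guard: both bytes must lie inside the decrypted plaintext.
 * Written as a subtraction so a very large extsoffset cannot wrap the
 * comparison the way extsoffset + 2 could. */
long extslen_fixed(const unsigned char *clear, size_t clearlen, size_t extsoffset)
{
    if (extsoffset > clearlen || clearlen - extsoffset < 2)
        return -1;
    return (long)clear[extsoffset] * 256 + clear[extsoffset + 1];
}
```

The buggy reader accepts offset 11 and returns a length built from the stale 0xAA byte, while the fixed reader rejects it; both agree at offset 10 and at offset 12.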

2 months ago  Fix windows build failure for arm64ec
slontis [Fri, 13 Mar 2026 04:13:40 +0000 (15:13 +1100)] 
Fix windows build failure for arm64ec

The new b64 encoder code uses __m256 which is not currently supported in ARM64EC code,
since it does not natively support x64-specific instruction sets like AVX.
Disable the fast AVX path if arm64EC is used.

Fixes: https://github.com/openssl/openssl/issues/30361
Complements: 3a69b1902892 "Added AVX2 encoding + scalar improvements"

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Mar 20 17:55:30 2026
(Merged from https://github.com/openssl/openssl/pull/30406)