RFC 9598 States:
Certificate Authorities that wish to issue CA certificates with email
address name constraints MUST use rfc822Name subject alternative names
only. These MUST be IDNA2008-conformant names with no mappings and with
non-ASCII domains encoded in A-labels only.
This appears to be to get around the confusion created if someone
attempts to encode a name constraint for an email address into the
UTF-8 version of the name
Were someone to attempt to support this, not only would you now have
to check two separate sets of name constraints for the same thing, but
would now have to decide what to do if they said different things.
So we just flag any such certificate as invalid
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 7 16:09:44 2026
(Merged from https://github.com/openssl/openssl/pull/30329)
Since we use this for a sort, in theory this could become
inconsistent if we were to do a make update, re-generate
the output, and check it in from a different development
platform that returns different inconsistencies in how
cmp behaves on uninitialized values.
Rather than ponder this, just make this consistent
by ensuring undefined values have 0 length, and remove
the disabling of the warnings in obj_cmp
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu May 7 15:41:12 2026
(Merged from https://github.com/openssl/openssl/pull/31046)
The function previously returned `NID_des_cfb64` even when nid of the
passed cipher was NID_des_ede3_cfb64, NID_des_ede3_cfb8,
NID_des_ede3_cfb1.
Corrected now to return `NID_des_ede3_cfb64`.
Added an extra test to verify the change.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 6 18:58:09 2026
(Merged from https://github.com/openssl/openssl/pull/30977)
The SM2 encryption may write past the caller-provided output buffer
when the required ciphertext size exceeds the supplied buffer length.
Reject outputs that do not fit in the caller-provided buffer.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 6 16:51:00 2026
(Merged from https://github.com/openssl/openssl/pull/30614)
X509_verify is documented to return -1 if the algorithm is invalid
or can't be compared for any reason.
Sadly this implies that it is legitimate to pass it an incorrect X509
object and it should see this. If we hand it a new X509 object with
nothing filled in, it will memcmp(NULL...) at the end of a stack of
FOO_cmp abstractions, which is UB.
Fix this by permitting the 0 length case to return equal without
a memcmp, as suggested by slontis@ and botovq@
Fixes: https://github.com/openssl/openssl/issues/30922
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 6 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/30943)
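The zero-length guard that message describes, as an added C example rather than OpenSSL's own code: a length-prefixed comparator in the spirit of the FOO_cmp chain that returns equal for two empty values without reaching memcmp (memcmp(NULL, NULL, 0) is undefined behaviour), plus a verify-style caller that keeps the documented -1 for a missing operand. The blob_t type and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an ASN.1 value: a data pointer and a length. A
 * freshly allocated, never-filled object has data == NULL and length == 0,
 * which is exactly the case the commit message describes. */
typedef struct {
    const unsigned char *data;
    size_t length;
} blob_t;

/* Total order on blobs: shorter first, then bytewise. When both are empty
 * we return 0 without touching the data pointers, because memcmp requires
 * valid pointers even for a zero-length comparison. */
int blob_cmp(const blob_t *a, const blob_t *b)
{
    if (a->length != b->length)
        return a->length < b->length ? -1 : 1;
    if (a->length == 0)
        return 0;               /* nothing to compare; data may be NULL */
    return memcmp(a->data, b->data, a->length);
}

/* A verify-style caller: 1 if the two algorithm identifiers match, 0 if
 * they differ, -1 if either operand is missing, mirroring the documented
 * -1 of X509_verify for an invalid or incomparable algorithm. */
int alg_matches(const blob_t *sig_alg, const blob_t *tbs_alg)
{
    if (sig_alg == NULL || tbs_alg == NULL)
        return -1;
    return blob_cmp(sig_alg, tbs_alg) == 0;
}

int main(void)
{
    const unsigned char oid_a[] = { 0x2a, 0x86, 0x48 };   /* constructed */
    blob_t empty1 = { NULL, 0 }, empty2 = { NULL, 0 };
    blob_t oid = { oid_a, sizeof(oid_a) };

    printf("empty vs empty: %d\n", blob_cmp(&empty1, &empty2));   /* 0 */
    printf("empty vs oid:   %d\n", blob_cmp(&empty1, &oid));      /* -1 */
    printf("matches(NULL):  %d\n", alg_matches(NULL, &oid));      /* -1 */
    return 0;
}
```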
Document the non-copying interface functions for BIO pairs that allow
direct access to the internal buffer:
- BIO_nread0/BIO_nread for zero-copy reading
- BIO_nwrite0/BIO_nwrite for zero-copy writing
Also add return value documentation for these functions and remove
the placeholder "[XXXXX: More return values need to be added here]".
Fixes #16366
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 6 14:51:27 2026
(Merged from https://github.com/openssl/openssl/pull/29849)
SSL_CTX_set_session_cache_mode and SSL_CTX_get_session_cache_mode
were documented with SSL_CTX ctx instead of SSL_CTX *ctx in their
synopsis.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed May 6 11:53:35 2026
(Merged from https://github.com/openssl/openssl/pull/30965)
The security repo keeps failing our compiler zoo jobs, consistently. It
appears to be happening because our compiler zoo jobs use make -j
without any limit on the number of jobs, leading to github aborting them
all when the workload gets too high. I suspect that we're using a
smaller runner in the security repo than we are in our public repo,
which is why we don't see it there.
Our other CI jobs all limit the job count to 4 during make, do the same
here.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Mon May 4 09:33:34 2026
(Merged from https://github.com/openssl/openssl/pull/31059)
Document the X509_STORE_CTX_set_time() function which sets the
verification time for certificate chain validation. This is a
convenience wrapper around X509_VERIFY_PARAM_set_time().
Remove X509_STORE_CTX_set_time from missingcrypto.txt and
missingcrypto111.txt.
Fixes #21362
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sun May 3 15:38:26 2026
(Merged from https://github.com/openssl/openssl/pull/29899)
clang-22 with enable-asan and enable-ubsan enabled fails with error
crypto/sparse_array.c:93:21: runtime error: call to function alg_copy
through pointer to incorrect function type 'void (*)(unsigned long, void *, void *)'
ossl_sa_##type##_doall(const SPARSE_ARRAY_OF(type) * sa,
                       void (*leaf)(ossl_uintmax_t, type *))
{
    ossl_sa_doall((OPENSSL_SA *)sa,
                  (void (*)(ossl_uintmax_t, void *))leaf);
}
typed doall(_arg) expects leaf to have type, but generic code is using
void *, and the type-casting causes the error.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun May 3 15:17:58 2026
(Merged from https://github.com/openssl/openssl/pull/31035)
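One way to clear that sanitizer report, added here as an illustration and not the change the PR made: rather than casting the typed leaf callback to the generic signature, register a correctly typed thunk and cast only the data pointers inside it. The sparse_t, alg_t and function names are stand-ins assumed for this example; the undefined cast is described in a comment and never executed.

```c
#include <stdint.h>
#include <stddef.h>
/* Stand-in for OpenSSL's sparse array: a fixed set of slots, some NULL.
 * The generic walker only knows void *; callers hold typed leaves. */
#define NSLOTS 4
typedef struct { void *slot[NSLOTS]; } sparse_t;
typedef void (*generic_leaf_fn)(uintmax_t idx, void *leaf, void *arg);

static void generic_doall_arg(const sparse_t *sa, generic_leaf_fn fn, void *arg)
{
    for (uintmax_t i = 0; i < NSLOTS; i++)
        if (sa->slot[i] != NULL)
            fn(i, sa->slot[i], arg);
}

/* The typed leaf and callback a caller actually writes. */
typedef struct { int id; int weight; } alg_t;
typedef void (*alg_leaf_fn)(uintmax_t idx, alg_t *alg, int *total);

/* WRONG (what the sanitizer reports): casting an alg_leaf_fn to a
 * generic_leaf_fn and calling through it is UB even when the pointer
 * representations match. RIGHT: a thunk with the generic signature
 * carries the typed callback in arg and casts only the data pointers. */
typedef struct { alg_leaf_fn fn; int *total; } alg_thunk_ctx;

static void alg_thunk(uintmax_t idx, void *leaf, void *arg)
{
    alg_thunk_ctx *ctx = arg;
    ctx->fn(idx, (alg_t *)leaf, ctx->total);
}

void alg_doall_arg(const sparse_t *sa, alg_leaf_fn fn, int *total)
{
    alg_thunk_ctx ctx = { fn, total };
    generic_doall_arg(sa, alg_thunk, &ctx);   /* types match: no cast */
}

/* Sample typed leaf: accumulate weights of every populated slot. */
static void sum_weight(uintmax_t idx, alg_t *alg, int *total)
{
    (void)idx;
    *total += alg->weight;
}

int sum_all_weights(const sparse_t *sa)
{
    int total = 0;
    alg_doall_arg(sa, sum_weight, &total);
    return total;
}
```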
Fix the inverted cleanse guard in the SLH DSA provider signing path.
When randomized signing populates the local add_rand buffer, the cleanup step currently skips that stack buffer. Other signing modes do not create this transient buffer, so they should not drive this cleanup. Swap the guard so only the transient per signature buffer is cleansed, and cleanse the full fixed size buffer directly.
Fixes #30950
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sun May 3 14:49:20 2026
(Merged from https://github.com/openssl/openssl/pull/31029)
TPM 1.2 Endorsement Key certificates use id-RSAES-OAEP
(NID_rsaesOaep) as their SubjectPublicKeyInfo algorithm
identifier per TCG Credential Profiles V1.2 section 3.2.7.
The underlying key is a standard RSAPublicKey. Without
this mapping, X509_get_pubkey() fails with a decode error
and X509_verify_cert() cannot validate these certificates.
Add NID_rsaesOaep handling to the three SPKI decode paths,
each of which points at the other two so future changes stay
in sync:
- x509_pubkey_decode(): remap the NID to NID_rsaEncryption
for the legacy ameth lookup. This path is reached via
d2i_RSA_PUBKEY()/ossl_d2i_PUBKEY_legacy(), which is in
turn invoked by the provider RSA decoder's rsa_d2i_PUBKEY,
so it is load-bearing even when the provider path is in
use.
- x509_pubkey_ex_d2i_ex(): use "RSA" as the decoder keytype
name so OSSL_DECODER_CTX_new_for_pkey() selects the RSA
provider decoder. The NID check precedes OBJ_obj2txt()
so the text conversion is skipped when unused.
- ossl_spki2typespki_der_decode(): same remap in the
SPKI-to-type-SPKI provider decoder chain. Flatten the
existing SM2 special case while here: the original code
relied on a dangling else across the #endif, which made
the rsaesOaep branch awkward to add. The new structure
initializes dataname to empty, applies each special case
in turn, and falls back to OBJ_obj2txt() only when no
override applied. strcpy() is replaced with
OPENSSL_strlcpy() for consistency with surrounding code.
The OAEP AlgorithmIdentifier parameters (which carry a
TCG-specific pSourceAlgorithm "TCPA" for TPM EKs) are
deliberately not interpreted; only the RSAPublicKey body is
consumed.
Add a test using a real TPM 1.2 EK certificate. The test
exercises both the provider decoder path (via X509_from_strings
+ X509_get0_pubkey) and, when deprecated APIs are available,
the legacy path (via d2i_RSA_PUBKEY), confirming the key
decodes to an RSA EVP_PKEY of the expected size.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun May 3 14:44:24 2026
(Merged from https://github.com/openssl/openssl/pull/30961)