The changes in #29324 neglected some setup needed for interactive
password prompting, leading to a segfaul when pkey(1) is asked to
encrypt, but not given an explicit `-pass` argument.
The required plumbing is added.
Fixes: #30889
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 22 07:04:47 2026
(Merged from https://github.com/openssl/openssl/pull/30904)
When X509_add_cert() or sk_X509_CRL_push() failed, the cert or CRL from
OSSL_STORE was not freed. Free on failure to avoid a leak.
Fix 90-test_memfail.t parsing of count output so the memfail suite runs
correctly: parse 'skip: N count M' with a regex (handles '# ' prefix),
return (0,0) if the count file cannot be opened, and skip with a clear
message when total malloc count is 0 instead of planning 0 tests.
Apply clang-format to test/load_key_certs_crls_memfail.c.
- apps/lib/apps.c: free cert/CRL on add/push failure
- test/build.info: add load_key_certs_crls_memfail (allocfail-tests)
- test/load_key_certs_crls_memfail.c: regression test for issue #30364
- test/recipes/90-test_memfail.t: fix get_count_info parsing and plan
Issue #30364
Fixes: 6d382c74b3 "Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c"
Fixes: d7fcee3b3b "OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 21 08:50:18 2026
(Merged from https://github.com/openssl/openssl/pull/30428)
Improve 'verify' option help messages.
integer value parsing formats are:
- 'n' is any integer
- 'N' is a non-negative integer (i.e. value >= 0)
- 'p' is a positive integer (i.e. value > 0)
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon Apr 13 09:30:22 2026
(Merged from https://github.com/openssl/openssl/pull/30476)
There are one byte buffer overflows possible in s_client's handling
of STARTTLS in various protocols. If a server's response fills the entire
buffer (16k) then we attempt to add a NUL terminator one byte off the end
of the buffer.
This was reported by Igor Morgenstern from AISLE to openssl-security and
assessed by the security team as "bug or hardening only".
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Apr 11 16:16:24 2026
(Merged from https://github.com/openssl/openssl/pull/30731)
When using openssl pkeyutl -rawin or openssl dgst for one-shot sign/verify
(e.g. Ed25519, Ed448), file input is now read via mmap() on Unix where
supported, avoiding a full buffer allocation and copy. Large files are
supported without doubling memory use; on failure of the mmap path we
do not fall back to the buffer path.
- Add app_mmap_file() in apps/lib/apps.c: stat/open/mmap/close, tri-state
return (1 mapped, 0 size zero, -1 error). Parameter err_bio avoids
shadowing global bio_err (-Wshadow).
- apps/pkeyutl.c and apps/dgst.c: use app_mmap_file(); single exit for
mmap path in pkeyutl; dgst includes apps.h first for _FILE_OFFSET_BITS;
do_fp_oneshot_sign returns EXIT_SUCCESS/EXIT_FAILURE like do_fp(); no
fallback when mmap attempted but fails.
- pkeyutl mmap/buffer path: pass filesize to EVP_DigestVerify and
EVP_DigestSign (review suggestion, avoids casting buf_len).
- Error messages: per-file messages for stat/size (dgst, pkeyutl); CHANGES.md
"Unix-like" and "16 MB" (documentation style).
- Centralize _FILE_OFFSET_BITS and mmap includes in apps/include/apps.h.
- Tests: pkeyutl/dgst oneshot from file, no-fallback regression tests;
use srctop_dir for test paths; stderr patterns for mmap errors.
- Docs: man pages and CHANGES.md.
CI fixes: return failure from dgst one-shot sign when mmap fails; treat
non-regular paths as mmap errors in app_mmap_file() and pkeyutl; reject
directories before mmap.
Addresses review feedback from DDvO, npajkovsky, and vdukhovni (PR #30429).
Fixes#11677
Co-authored-by: Viktor Dukhovni <viktor1ghub@dukhovni.org>
Co-authored-by: David von Oheimb <DDvO@users.noreply.github.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Mar 27 16:25:33 2026
(Merged from https://github.com/openssl/openssl/pull/30429)
setup_verification_ctx() allocates out_trusted via load_trusted() and passes
it to OSSL_CMP_CTX_set_certConf_cb_arg(). Since the argument is not consumed,
it must be freed on failure. The fix is to free out_trusted if
OSSL_CMP_CTX_set_certConf_cb_arg() fails.
Fixes#30377
Signed-off-by: huanghuihui0904 <625173@qq.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:34:49 2026
(Merged from https://github.com/openssl/openssl/pull/30392)
check_cert_ocsp_resp() verified stapled OCSP responses with
OCSP_TRUSTOTHER while passing the peer-provided chain (ctx->chain),
which allowed certificates from that chain to be treated as trusted
OCSP responder signers.
similarly, the ocsp CLI issuer fallback path unconditionally used
OCSP_TRUSTOTHER, making certificates given via -issuer implicitly
trusted regardless of verify_flags.
remove OCSP_TRUSTOTHER from both paths so that responder authorization
is validated against the trust store.
Fixes: c6724060e2 "RT2206: Add -issuer flag to ocsp command"
Fixes: b1b4b154fd "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 20:58:27 2026
(Merged from https://github.com/openssl/openssl/pull/30323)
Add client-side GREASE (Generate Random Extensions And Sustain
Extensibility) support per RFC 8701. When SSL_OP_GREASE is set,
the TLS client injects reserved 0x?A?A-pattern values into the
ClientHello to prevent ecosystem ossification caused by servers
that reject unknown values.
GREASE values are injected into:
- Cipher suites (prepended)
- Supported versions extension (prepended)
- Supported groups extension (prepended)
- Signature algorithms extension (appended)
- Key share extension (prepended, 1 zero byte)
- Two standalone extensions (one empty, one with 1 zero byte)
The implementation uses lazy-seeded random values that remain
consistent across HelloRetryRequest retransmissions. GREASE values
from server responses are rejected as illegal parameters.
Add -grease option to s_client to enable GREASE from the command line.
Closes#9660
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 14:58:25 2026
(Merged from https://github.com/openssl/openssl/pull/30303)
If pushing the generated rsp ITAV object into the out stack fails,
the error path frees the stack container but permanently abandons
the newly allocated rsp object.
Explicitly free the rsp structure if it exists and was not pushed
successfully to prevent this memory leak.
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Mon Mar 16 11:16:02 2026
(Merged from https://github.com/openssl/openssl/pull/30374)
If BIO_gets encounters an empty file or read error, the function
returns NULL without freeing the dynamically allocated heap block (buf).
Safely clear and free the allocated buffer before returning NULL on
the error path. Since get_str_from_file() may handle cryptographic
keys, OPENSSL_clear_free() is used to prevent leaking sensitive data.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30373)
When the function fails to push the second CRL to the stack, it
incorrectly uses sk_X509_CRL_free() instead of sk_X509_CRL_pop_free().
This destroys the stack container but orphans previously pushed
X509_CRL objects.
Replace it with sk_X509_CRL_pop_free passing X509_CRL_free as the
cleanup routine to ensure deep deallocation of any pushed items.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30372)
The buffer used to process user commands when using advanced mode ("-adv")
can overflow the buffer by one byte if the the read buffer is exactly
BUFSIZZ bytes in length (16k). When processing the buffer we add a NUL
terminator to the buffer, so if the buffer is already full then we
overwrite by one byte when we add the NUL terminator.
This does not represent a security issue because this is entirely local
and would be "self-inflicted", i.e. not under attacker control.
This issue was reported to use by Igor Morgenstern from AISLE.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 17:56:37 2026
(Merged from https://github.com/openssl/openssl/pull/30376)
Do not call PKCS12_verify_mac() twice if the UTF8 password matches the mac
password.
In the case of an error in the verify path do not print
"Mac verify error: invalid password?" if there is already an error on the
error stack. An error means something failed in PKCS12_verify_mac(),
If only the password was wrong it does not raise an error.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:29 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
- Drop empty requestExtensions CSR attributes
While `attributes` is a required CSR field, its `requestExtensions`
attribute is optional, and should be avoided if empty.
- Detail documentation of req extension section selection
- Fixed req CI test case naming nits
- Refer to config(5) for meaning of "variable"
- In code comments, note possibility of fewer extensions after adding
an ignored empty extension while deleting a previous value.
- Mention new "nonss" AKID qualifier in CHANGES
- I x509_config(5) Clarify AKID issuer as fallback (unless ":always")
- In stock config file, comment proxy cert issuer SKID expectation.
- Clarify comment on empty SKID/AKID vs. prior value
- Use B<default> not C<default> for unnamed section
- Polish (mostly CSR) extension handling
* In update_req_extensions() drop extraneous duplicate
X509at_delete_attr() call.
* Consolidate empty SKID/AKID detection in new
ossl_ignored_x509_extension().
* Handle empty SKID/AKID also in X509V3_add1_i2d().
* In test_drop_empty_csr_keyids() exercise the full NCONF extension
management stack, using X509_REQ_get_attr_count() to check that
after "subjectKeyIdentifier = none" not an even an empty extension
set remains as a CSR attribute (X509_REQ_get_extensions() always
returns at least an empty stack because NULL signals an error).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar 2 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30217)
Add tests for suppression of skid/akid via explicit "none"
values and per-keyword "nonss" qualifiers and update docs.
Signing of X509 certs and X509_REQ CSRs rejects empty AKID/SKID
extensions, document and test this behaviour.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 15:22:53 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
With the advent of the new AKID and SKID value syntax:
- subjectKeyIdentifier = none
- authorityKeyIdentifier = none
the resulting extensions are not directly suppressed, instead they
are parsed respectively as an empty OCTET STRING or an empty SEQUENCE.
There was new code in "apps/" to then drop the extension when signing
certificates, but this did not address applications that sign
certificates via the API, nor did it avoid adding these in CSRs.
We now drop these specific empty extensions from both certificates and
CSRs as part of X509v3_add_ext(), with the parsed extension never added
to the extension stack.
This means that in the "apps" the default "hash" or "keyid, issuer"
values must now be created first, with config settings and command-line
options applied after replacing the default as requested (including
"none" to suppress the extensions if desired).
If somehow an application manages to construct a TBS cert or CSR with a
pending empty SKID or AKID extension, an error is raised and the TBS is
not signed.
When no SKID is present in a self-signed cert, attempts to
force an AKID keyid need to fail, rather than produce an AKID
that will never match.
Similarly, when issuer cert == subject cert (same object in memory), but
the issuer key is not the subject key (forced signing key), there is no
way to infer the unknown issuer's name or serial number, so, with
"issuer:always" we must fail, rather than record the subject's own
issuer name and serial.
New "keyid:nonss" and "issuer:nonss" syntax is now supported, which
allows either part of the AKID to be conditional on the certificate not
being self-signed. In the case if "issuer:nonss" this is also
conditional on there being no non-empty issuer keyid. To force
inclusion of issuer+serial in the AKID use "issuer:always".
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sat Feb 28 15:22:47 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
The existing SSL_get_sigalgs() and SSL_get_shared_sigalgs() are not a
good fit for TLS 1.3, because signature schemes are no longer generally
combinations of separate digest and signing algorithms encoded in the
two byte codepoint.
The new SSL_get0_sigalg() and SSL_get0_shared_sigalg() functions just
report the signature scheme name and codepoint.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:30:16 2026
(Merged from https://github.com/openssl/openssl/pull/29982)
This patch fixes several const qualifiers byu adding where required.
warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
Since glibc-2.43 and ISO C23, the functions bsearch, memchr, strchr,
strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr
that return pointers into their input arrays now have definitions as
macros that return a pointer to a const-qualified type when the input
argument is a pointer to a const-qualified type.
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Feb 25 11:04:09 2026
(Merged from https://github.com/openssl/openssl/pull/30136)
Bob Beck
Milan Broz
Sebastian Andrzej Siewior
ndossche
Viktor Dukhovni
herbenderbler
Eugene Syromiatnikov
F. R. Da Silva
Matt Caswell
Sashan
Alexandr Nedvedicky
Dr. David von Oheimb
huanghuihui0904
1seal
sftcd
Tomas Mraz
mcrmck
YZL0v3ZZ
Paul Louvel
Brittany Morris
slontis
openssl-machine
Daniel Kubec
Rudi Heitbaum