Instead of needlessly casting const away, simply update the prototype
of ossl_ipaddr_to_asc(), that doesn't modify the passed data in any way
anyway.
Fixes: f584ae959c "Let's support multiple names for certificate verification"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat May 2 18:07:19 2026
(Merged from https://github.com/openssl/openssl/pull/31051)
QUIC stack may panic when application calls SSL_get_stream_write_state()
on cocluded QUIC stream onject. The sequence of action which leads
to NULL pointer dereference is as follows:
- application uses SSL_stream_conclude(ssl_stream, 0) to conclude
the stream (let remote peer know no to expect more data)
- application uses SSL_get_stream_write_state(ssl_stream)
to query stream state.
If underlying sstream object is gone by the time when
SSL_get_stream_wtite_state() is called, then application
may see NULL pointer dereference. The underlying sstream
object is freed when FIN sent on beahalf of SSL_stream_conclude()
is ACKed by remote peer.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Apr 28 12:35:41 2026
(Merged from https://github.com/openssl/openssl/pull/30913)
Treat method-cache hash table inserts as successful only when they
return 1. This handles allocation/grow failures distinctly from
successful replacement and avoids using temporary QUERY entries after
failed insertion.
Separate cleanup for unlinked temporary QUERY objects from linked
cache entries, and release both the pending cache reference and
caller-visible method reference when deferred providerless cache
insertion fails.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Apr 28 06:33:15 2026
(Merged from https://github.com/openssl/openssl/pull/30891)
Those function used to be backends for SSL_attach_stream() and
SSL_detach_stream(). Both those functions were removed from
API back 2023. And it does not look like there is a plan
to revive them. This PR removes implementation of stream detach/attach
functions with their tests.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 13:26:58 2026
(Merged from https://github.com/openssl/openssl/pull/30956)
Also slightly refactor the ML-KEM version to share the necesasry
defines, and add a daily CI run to check both (presently, for just some
platforms with known working valgrind support).
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 22 07:55:14 2026
(Merged from https://github.com/openssl/openssl/pull/30863)
Remove the scid variable entirely from port_default_packet_handler()
and all functions that accept it as a parameter. The scid was never
used meaningfully — cur_remote_dcid is set later during the handshake.
Remove scid parameter from:
- port_bind_channel()
- port_validate_token()
- ossl_quic_channel_on_new_conn()
- ossl_quic_bind_channel()
- ch_on_new_conn_common()
Remove the cur_remote_dcid = *peer_scid assignment in
ch_on_new_conn_common() as it wrote dead data.
CWE-457
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:21:55 2026
(Merged from https://github.com/openssl/openssl/pull/30611)
On Windows, SOCKET is defined as unsigned (UINT_PTR).
In OpenSSL, the socket abstraction uses int, see
discussion in https://github.com/openssl/openssl/issues/7282.
MINGW for some time uses a signed definition of INVALID_SOCKET,
then switched back to unsigned, see for example
https://sourceforge.net/p/mingw-w64/discussion/723797/thread/71522d10/
Currently, it is defined as unsigned, creating many warnings like
warning: overflow in conversion from 'long long unsigned int' to 'int'
changes value from '18446744073709551615' to '-1' [-Woverflow]
*sock = INVALID_SOCKET;
As we use INVALID_SOCKET only in our code, we can safely silence
this warning just by redefining INVALID_SOCKET to signed
(version that is commented out in MINGW headers).
While this is only a workaround, it has been here for years and
allows focus on more important warnings.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 31 00:22:27 2026
(Merged from https://github.com/openssl/openssl/pull/30616)
One thing @npajkovsky noted in our recent discussion about the internal
hash table was that its unfortunate that keys have to be sized for the
maximal use case in our current hashtable code.
We can avoid that.
Introduce a new init mechanism that allows for keys to initalized using
an external buffer that can be setup and marshalled independently of the
key itself. This allows us to only allocate the amount of data needed
for the key, rather than a maximally sized buffer where appropriate and
adventageous.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:07 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
One thing we can do to speed up hash table lookups is to cache/reuse
computed hash values when interrogating a hash table multiple times in
rapid succession.
We follow this pattern frequently when using hashtables:
value = lookup_hash(key)
if (value == NULL)
value = new_value()
insert_to_hash(key, value)
Note that we use the same key for the lookup and the insert. So if we
had a way to preserve the value this key hashed to, we can avoid having
to do a second hash computation during the lookup.
These new macros give us that. The HT_KEY structure now stores the
computed hash value in the key, which can be extracted and reused by the
caller with the HT_INIT_KEY_CACHED macro. When set, the cached hash
value is used, rather than needing to recompute the hash for any
subsequent operations
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 24 16:23:05 2026
(Merged from https://github.com/openssl/openssl/pull/30254)
The following QUIC transport parameters are now configurable via
SSL_get_value_uint() / SSL_set_value_uint():
max_udp_payload_size
initial_max_data
initial_max_stream_data_{uni, bidi_local, bidi_remote}
initial_max_streams_{uni, bidi}
ack_delay_exponent
max_ack_delay
disable_active_migration
active_connection_id_limit
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Tue Mar 17 13:15:29 2026
(Merged from https://github.com/openssl/openssl/pull/29664)
The new HT_KEY_COPY_RAW fails to account for copy lengths that exceed
the size of the configured buffer in a key, leading to stack overruns on
read.
Rectify that by claming the COPY macro to limit copies to the size of
the buffer
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Mar 4 07:04:07 2026
(Merged from https://github.com/openssl/openssl/pull/30257)
Currently our internal hashtable suffers from a performance issue, as
discussed here:
https://github.com/openssl/openssl/pull/30188
The hashtable requires that keys be defined at build time, and moreover,
be defined to support the maximum possible key length you might try to
insert to a given hash table, even if they actual key you are using is
shorter.
As a result, that hashtable hash function (typically ossl_fnv1a_hash,
but any hash function really) receives a buffer that is specified as the
maximal length of the build-time defined key, which often means hashing
of many 0 bytes for byte elements in the key that may never have been
used. This causes performance problems as we are always hashing the
maximum number of elements, even if they key is truly only a few bytes
long.
Lets give users an opportunity to improve on that.
Keys are defined to be a struct, so that users can access individual
field names within the key, but under the covers its all just one
contiguous uint8_t buf. We can implement macros that allow users to,
instead of setting individual field names, just copy needed data into
the raw buffer, keeping track of how many bytes have been used as we go.
The result of using these macros is that the hash function, while it
will receive a buffer that is still maximally sized for that particular
key, gets a length value that only represents the number of bytes used
while writing the key value.
This results in the hash function having to do much less work, giving us
a significant opportunistic speedup.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Mar 3 13:23:00 2026
(Merged from https://github.com/openssl/openssl/pull/30211)
Fixes#30039
In order to fix this, the ossl_sha3_ related functions have been
renamed so that ossl_sha3_XXX() functions are the high level
functions that contain calls to platform specific methods.
ossl_sha3_XXX_default() etc are the 'general' platform methods.
All of the state checking has been moved out of the platform specific
methods. The sha3 provider dispatch functions now share the
ossl_sha3_XXX() calls.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Mar 2 11:58:44 2026
(Merged from https://github.com/openssl/openssl/pull/30104)
This adds support for the "sm2sig_sm3" TLS 1.3 signature algorithm, the
"curveSM2" key exchange group (ECDH over SM2) and the associated
post-quantum/traditional (PQ/T) hybrid "curveSM2MLKEM768" key exchange.
The default key agreement group list is expanded to add two additional
PQ groups, immediately after X25519MLKEM768. These are the P-256-based
SecP256r1MLKEM768 and the SM2-based curveSMMLKEM768. Neither of the new
groups is a default client keyshare group, these would only come into
play after a server HRR, if for some reason X25519MLKEM768 is not
supported by the server, X25519 is not then the server's most
preferred group, and the server supports and prefers one of these
of X25519.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
MergeDate: Sat Feb 21 13:26:07 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
This gives us the start of the buffer in use for the PACKET.
We then use this information when calculating the TLS PSK binder.
Previously we were assuming knowledge about where the buffer starts.
However, with ECH, we may be using a different buffer to normal so it is
better to ask the PACKET where the start of the buffer is.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27776)
Move TSAN definitions to threads_common.h to make them available
globally and introduce the ANNOTATE_BENIGN_RACE macro.
Apply this annotation to the state check in ossl_deferred_self_test()
to suppress a benign race warning from ThreadSanitizer, as the race
is intentional and accepted to avoid cpu contention.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/30009)
Before this change ktls_sendfile() is basically 1:1 wrapper around Linux
sendfile(2). FreeBSD sendfile(2) API is richer than Linux, and reducing
it down to Linux API loses meaningful data. Instead, make ktls_sendfile()
more like FreeBSD sendfile(2) and adopt Linux version to that.
With this change we will be raising BIO_should_retry() flag after a short
write due to lack of buffer space in a non-blocking socket on FreeBSD.
That will allow an application to tell a short write due to lack of buffer
space from a short write due to end of file. Before this change, the only
way to tell between these two kinds of short writes was to immediately
retry the operation.
This change allows to cut nearly in half the number of sendfile(2)
syscalls when sending a large file over a non-blocking socket on FreeBSD.
Fixes: #29742
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Wed Feb 18 23:31:18 2026
(Merged from https://github.com/openssl/openssl/pull/29744)
We check in relevant functions (SSL_handshake(), SSL_read(), etc.) whether
a new error has been pushed onto the error stack, and if so, memorise this
fact in the SSL structure. After that SSL_get_error() uses this memorised
information instead of checking the error stack itself.
Fixes#11889Fixesopenssl/project#1715
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 18 15:27:38 2026
(Merged from https://github.com/openssl/openssl/pull/29991)
SLH-DSA spends a significant amount of time performing large
numbers of hash calculations. Initially this was done using
EVP layer calls. The overhead is significant when there are thousands
of calls. To reduce this overhead the lower level sha functions for
KECCAK1600_CTX, SHA256_CTX and SHA512_CTX are accessed directly.
Profiling showed that a significant amount of time is spent in
"WOTS+ Public key generation" (FIPS 205 Section 5.1 Algorithm 6) so
this was inlined for shake and sha2 (See slh_wots_pk_gen_sha2()).
In FIPS 205 Section 11 there is a list of Hash functions.
Many of these functions use a pattern of
Trunc(n)(SHA256(PK.Seed || toByte(0, 64-n) || ....)
Because this operation is done many times, this prehashed
value is calculated once and stored into a low level SHA256_CTX or
KECCAK1600_CTX.
This can then be block copied to stack based KECCAK1600_CTX or
SHA256_CTX that we can then perform low level SHA functions on.
The md_len field is written to directly before the SHA final() to
control the length of the output (which avoids performing a memcpy).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28941)
Reorganize the FIPS self-tests to group them by complexity.
The new order groups tests so that more complex ones are executed before
less complex one when all tests are run on_demand, improving the odds
that lower level tests are implicitly executed as part of higher level
tests and therefore reducing the amount of time spent running redundant
tests.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
The FIPS module integrity check (HMAC-SHA256) is refactored to use the
generic Known Answer Test (KAT) framework instead of a standalone
function.
- Remove `integrity_self_test` and use `ST_ID_MAC_HMAC` with
`SELF_TEST_kats_single`.
- Add `self_test_mac` to `self_test_kats.c` to support MAC tests.
- Move HMAC test data to `self_test_data.c`.
- Rename the self-test type from "KAT_Integrity" to "KAT_Mac".
- Ensure on-demand tests reset state so they can be repeated.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Update the FIPS module to run self-tests on demand (deferred) rather
than on module load. Change the test definitions in self_test_data.c
from SELF_TEST_ONLOAD to SELF_TEST_DEFERRED.
Add calls to ossl_deferred_self_test() in the newctx functions for
ciphers, digests, signatures, KDFs, KEMs and DRBGs to trigger execution
upon first instantiation. Introduce CIPHER_PROV_CHECK and
DIGEST_PROV_CHECK macros in common headers to facilitate these checks.
Define dependencies for composite tests to ensure prerequisite tests
run when needed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
Consolidate separate self-test data arrays into a single `st_all_tests`
array indexed by a new `self_test_id_t` enumeration.
This replaces string-based algorithm lookups with direct array indexing
for running self-tests, simplifying the code and state management. The
`FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed,
and the FIPS provider and implementations are updated to use the new
ID-based API.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
The keymgmt->newdata function does not accept params. We introduce a
newdata_ex function that does, and we use that instead as a thread local
to pass legacy objects to the default provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:28 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
If a low level RSA object has been assigned a custom RSA_METHOD and is
then assigned to an EVP_PKEY object, then we still want the default
provider to use that RSA_METHOD. To ensure this occurs we pass the low
level object across the provider boundary. We can only get away with this
because it is the default provider.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Feb 13 07:58:21 2026
(Merged from https://github.com/openssl/openssl/pull/29960)
Add the initial groundwork to allow for the use of a thunking function
with bsearch. Normally our comparison function signature doesn't match
the type of the pointer we call it through, leading to ubsan errors,
this lets those signatures match and gives us a place to do the proper
casting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:11 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
(Your choice of G and A words)
This installs a global destructor if we have destructor support.
The global destructor does nothing and immediately returns under
normal operation. If a global flag indicating that global cleanup
is wanted, it does what OPENSSL_cleanup() used to do.
OPENSSL_cleanup() is then modified to set the global flag indicating
that global cleanup is wanted. At this point if we have destructor
support, it immeditely returns. If we do not have destructor support,
it manually calls the destructor function (meaning without destructor
support it does exactly what it used to do).
This ensures that if we have destructor support, the actions of an
OPENSSL_cleanup() requested by an application will only happen
after any subordinate library destructors which could call into
OpenSSL functions have already run.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 19:19:17 2026
(Merged from https://github.com/openssl/openssl/pull/29721)
In providers/applications that create custom libctx'es via
OSSL_LIB_CTX_new, its possible, if the default provider has never been
initaialized during the lifetime of the linked libcrypto, that we
actually wind up creating the default libctx when we free the
aforementioned custom libctx via, as an example:
legacy_teardown->
OSSL_LIB_CTX_free->
ossl_lib_ctx_is_default->
get_default_context->
get_thread_default_context->
default_context_do_init
While this isn't catastrophic, its needless, and in some cases has the
potential to leak memory (for instance if a provider is loaded and
unloaded repeatedly in an environment in which the provider is linked to
libcrypto.so while the calling application is statically linked to
libcrypto.a
Its also fairly easy to clean up, by adding an internal parameter to
gate the creation of the default libctx on the request of the caller, so
do that here
Fixesopenssl/project#1846
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 5 17:08:13 2026
(Merged from https://github.com/openssl/openssl/pull/29830)
Update tls1_shared_group to allow filtering for FFDHE and/or ECDHE
groups. This will be used for implementing RFC 7919 groups support in
the TLS 1.2 server. As defined in RFC 7919:
Codepoints in the "Supported Groups Registry" with a high byte of
0x01 (that is, between 256 and 511, inclusive) are set aside for
FFDHE groups
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Feb 5 09:09:38 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
Unlike SHAKE this has default values set for the xof length.
CSHAKE uses either SHAKE or KECCAK[c] depending on whether
custom strings are set or not. If either string is set, it encodes
the strings and uses KECCAK[c], otherwise it behaves the same as
SHAKE (without the default xof length problem).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Jan 23 14:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/28432)
Bob Beck
Eugene Syromiatnikov
Alexandr Nedvedicky
Mounir IDRASSI
Viktor Dukhovni
Sunwoo Lee
Milan Broz
Abhinav Agarwal
Helen Zhang
Neil Horman
Nikolas Gauder
openssl-machine
slontis
Frederik Wedel-Heinen
Igor Ustinov
sftcd
Matt Caswell
Simo Sorce
Gleb Smirnoff
Tomas Mraz
Joachim Vandersmissen