The function previously returned `NID_des_cfb64` even when the NID of the
passed cipher was NID_des_ede3_cfb64, NID_des_ede3_cfb8, or
NID_des_ede3_cfb1.
Corrected now to return `NID_des_ede3_cfb64`.
Added an extra test to verify the change.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 6 18:58:09 2026
(Merged from https://github.com/openssl/openssl/pull/30977)
X509_verify is documented to return -1 if the algorithm is invalid
or can't be compared for any reason.
Sadly this implies that it is legitimate to pass it an incorrect X509
object and it should see this. If we hand it a new X509 object with
nothing filled in, it will memcmp(NULL...) at the end of a stack of
FOO_cmp abstractions, which is UB.
Fix this by permitting the 0 length case to return equal without
a memcmp, as suggested by slontis@ and botovq@.
Fixes: https://github.com/openssl/openssl/issues/30922
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed May 6 14:55:20 2026
(Merged from https://github.com/openssl/openssl/pull/30943)
TPM 1.2 Endorsement Key certificates use id-RSAES-OAEP
(NID_rsaesOaep) as their SubjectPublicKeyInfo algorithm
identifier per TCG Credential Profiles V1.2 section 3.2.7.
The underlying key is a standard RSAPublicKey. Without
this mapping, X509_get_pubkey() fails with a decode error
and X509_verify_cert() cannot validate these certificates.
Add NID_rsaesOaep handling to the three SPKI decode paths,
each of which points at the other two so future changes stay
in sync:
- x509_pubkey_decode(): remap the NID to NID_rsaEncryption
for the legacy ameth lookup. This path is reached via
d2i_RSA_PUBKEY()/ossl_d2i_PUBKEY_legacy(), which is in
turn invoked by the provider RSA decoder's rsa_d2i_PUBKEY,
so it is load-bearing even when the provider path is in
use.
- x509_pubkey_ex_d2i_ex(): use "RSA" as the decoder keytype
name so OSSL_DECODER_CTX_new_for_pkey() selects the RSA
provider decoder. The NID check precedes OBJ_obj2txt()
so the text conversion is skipped when unused.
- ossl_spki2typespki_der_decode(): same remap in the
SPKI-to-type-SPKI provider decoder chain. Flatten the
existing SM2 special case while here: the original code
relied on a dangling else across the #endif, which made
the rsaesOaep branch awkward to add. The new structure
initializes dataname to empty, applies each special case
in turn, and falls back to OBJ_obj2txt() only when no
override applied. strcpy() is replaced with
OPENSSL_strlcpy() for consistency with surrounding code.
The OAEP AlgorithmIdentifier parameters (which carry a
TCG-specific pSourceAlgorithm "TCPA" for TPM EKs) are
deliberately not interpreted; only the RSAPublicKey body is
consumed.
Add a test using a real TPM 1.2 EK certificate. The test
exercises both the provider decoder path (via X509_from_strings
+ X509_get0_pubkey) and, when deprecated APIs are available,
the legacy path (via d2i_RSA_PUBKEY), confirming the key
decodes to an RSA EVP_PKEY of the expected size.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Sun May 3 14:44:24 2026
(Merged from https://github.com/openssl/openssl/pull/30961)
GetProcAddress() cannot be simply cast to void* (SD_SYM)
under strict warnings, as it produces this
error: ISO C forbids conversion of function pointer to
object pointer type [-Werror=pedantic]
Use the common trick of casting to (uintptr_t) first.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Apr 30 11:42:33 2026
(Merged from https://github.com/openssl/openssl/pull/30941)
mfail allocator hook installation affects memory allocation counts,
so it should be disabled for both the "count" and "run" test calls.
Fixes: 3cff7c2181 "Add memory allocation failure testing framework"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Apr 30 06:59:06 2026
(Merged from https://github.com/openssl/openssl/pull/30991)
The HMAC FIPS provider implementation used by the EVP_MAC API handles key
size checks, but it only does the test for the internal case.
Previously HMAC was implemented using EVP_DigestSign related functions,
and these are implemented using a mac_legacy_sig bridge; because of this
the MAC is external. For external cases the caller is responsible for
doing any key checks, so a FIPS indicator has been added.
Reported-by: https://github.com/taha2samy
Fixes: #30012
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Apr 28 07:13:24 2026
(Merged from https://github.com/openssl/openssl/pull/30150)
tls_set1_bio() freed only the top BIO (BIO_free). Use BIO_free_all so
a pushed transport chain is released when the record layer replaces
its BIO.
Add test_ssl_set_wbio_chain_no_leak in sslapitest (stacked BIO chain
via SSL_set0_wbio) per reviewer feedback on GH openssl#30483. Drop the
Perl s_client reconnect recipe and CHANGES entry (internal leak only).
Fixes #30458
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Apr 28 06:39:25 2026
(Merged from https://github.com/openssl/openssl/pull/30483)
Add coverage for duplicate property cache insertion and
allocation-failure handling in the property method cache.
The memfail exerciser covers cache set, providerless cache deletion,
providerless cache rebuild, and cleanup of method references when
cache insertion fails.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Apr 28 06:33:15 2026
(Merged from https://github.com/openssl/openssl/pull/30891)
ossl_param_build_set_bn_pad() is reached by two distinct caller
populations. When an OSSL_PARAM_BLD template is supplied
(bld != NULL), the template allocates backing storage internally and
no caller-side sizing is required. When an explicit OSSL_PARAM[]
array is supplied (bld == NULL), the caller follows the standard
OSSL_PARAM size-probe contract: invoke the primitive once with
p->data == NULL to learn the required size via p->return_size, then
allocate a buffer of that size and invoke again with the real
storage.
The bld == NULL branch did not honour the size-probe contract: with
p->data == NULL and a non-zero sz it fell through to
OSSL_PARAM_set_BN() and raised CRYPTO_R_TOO_SMALL_BUFFER, so callers
could never discover the required size.
The defect has been latent across several releases. This primitive
is the *padded* BN setter: it emits a fixed-width encoding regardless
of the BN's actual magnitude, which is needed for the private key --
a minimal encoding would leak its bit-length through timing or
allocation side channels. In practice the private key is the only
provider parameter that reaches this primitive. Callers that want
private-key material have historically done so through
EVP_PKEY_todata() and its OSSL_PARAM_BLD template path, where the
bug is invisible. EVP_PKEY_get_params() callers exist but have not
previously needed the private-key BN. Any caller that does request
it on the explicit-params path -- whether by name or as part of
iterating a provider's full gettable list -- now sees the probe
behave as it does elsewhere.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun Apr 26 13:35:32 2026
(Merged from https://github.com/openssl/openssl/pull/30942)
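The two-call size-probe contract described in the message above, as an added C model (not OpenSSL's code): param_t, set_bn_pad and fetch_padded are hypothetical stand-ins for OSSL_PARAM and the bld == NULL path of ossl_param_build_set_bn_pad, and the probe call is the case the old code got wrong.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for OSSL_PARAM: only the fields the probe contract uses. */
typedef struct {
    unsigned char *data;  /* NULL on the probe call */
    size_t data_size;     /* capacity of data */
    size_t return_size;   /* set by the setter: bytes needed or written */
} param_t;

/* Padded setter: big-endian magnitude left-padded with zeros to exactly sz bytes,
 * so the output width never depends on the value (the private-key case above).
 * Probe call (data == NULL): report sz in return_size and succeed.
 * Real call: fail when the supplied buffer is smaller than sz. */
int set_bn_pad(param_t *p, const unsigned char *mag, size_t mag_len, size_t sz)
{
    if (mag_len > sz)
        return 0;                       /* value does not fit the fixed width */
    p->return_size = sz;
    if (p->data == NULL)
        return 1;                       /* size probe: succeed, caller reads return_size */
    if (p->data_size < sz)
        return 0;                       /* the CRYPTO_R_TOO_SMALL_BUFFER case */
    memset(p->data, 0, sz - mag_len);
    memcpy(p->data + (sz - mag_len), mag, mag_len);
    return 1;
}

/* Caller side of the contract: probe, allocate return_size bytes, call again.
 * Returns the encoded length (0 on failure); *out receives a malloc'd buffer. */
size_t fetch_padded(const unsigned char *mag, size_t mag_len, size_t sz,
                    unsigned char **out)
{
    param_t p = { NULL, 0, 0 };
    *out = NULL;
    if (!set_bn_pad(&p, mag, mag_len, sz))
        return 0;
    p.data = malloc(p.return_size);
    if (p.data == NULL)
        return 0;
    p.data_size = p.return_size;
    if (!set_bn_pad(&p, mag, mag_len, sz)) {
        free(p.data);
        return 0;
    }
    *out = p.data;
    return p.return_size;
}
```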
Those functions used to be backends for SSL_attach_stream() and
SSL_detach_stream(). Both those functions were removed from the
API back in 2023, and it does not look like there is a plan
to revive them. This PR removes the implementation of the stream detach/attach
functions along with their tests.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sun Apr 26 13:26:58 2026
(Merged from https://github.com/openssl/openssl/pull/30956)
Null mkey/xkey immediately after OPENSSL_memdup() so that any failure
path (including propq strdup) can safely call mlx_kem_key_free() without
risking a double-free on the source key's material. Use key->* rather
than ret->* for source-state checks to make ownership explicit.
Test that mlx_kem_dup() with partial key selection (e.g.
EVP_PKEY_PUBLIC_KEY) does not corrupt the original key's mkey/xkey
sub-objects. Covers X25519MLKEM768, SecP256r1MLKEM768,
and SecP384r1MLKEM1024.
Fixes: 4b1c73d2dd "ML-KEM hybrids for TLS"
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Sun Apr 26 11:14:12 2026
(Merged from https://github.com/openssl/openssl/pull/30511)
Introduce ADD_MFAIL_TEST for exhaustive testing of allocation failure
handling in individual functions. The framework repeatedly calls the
test function, each time failing one allocation later within the
section bracketed by mfail_start() and mfail_end(), verifying that
every failure path returns 0 without crashing or leaking.
Custom allocators are installed once at startup via
CRYPTO_set_mem_functions(). When not armed, they pass through to
malloc/realloc/free. Installation can be disabled by setting
OPENSSL_TEST_MFAIL_DISABLE for tests that need the default allocator
(e.g. those using OPENSSL_MALLOC_FAILURES).
Additional environment variables control test execution:
OPENSSL_TEST_MFAIL_SKIP_ALL, OPENSSL_TEST_MFAIL_SKIP_SLOW,
OPENSSL_TEST_MFAIL_POINT, and OPENSSL_TEST_MFAIL_START.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Thu Apr 23 20:23:34 2026
(Merged from https://github.com/openssl/openssl/pull/30871)
Also slightly refactor the ML-KEM version to share the necessary
defines, and add a daily CI run to check both (presently, for just some
platforms with known working valgrind support).
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Wed Apr 22 07:55:14 2026
(Merged from https://github.com/openssl/openssl/pull/30863)
RFC 8446 defines the Cookie extension as containing a non-empty cookie
vector. The client-side HRR parser accepted a zero-length cookie
because PACKET_memdup() treats an empty packet as success, which
deferred failure until later in the handshake.
Reject an empty cookie during HRR parsing with decode_error and add a
regression test.
Fixes #30868
Fixes: cfef5027bf "Add basic TLSv1.3 cookie support"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Apr 22 07:50:25 2026
(Merged from https://github.com/openssl/openssl/pull/30892)
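The empty-cookie rejection described in the message above, as an added C example (not OpenSSL's parser): parse_hrr_cookie and cookie_rc_for are hypothetical, and the sample extension bodies are constructed for the test.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the hypothetical parser (not OpenSSL's types). */
enum cookie_rc { COOKIE_OK = 0, COOKIE_DECODE_ERROR = 1 };

/* Parse a HelloRetryRequest cookie extension body:
 *     opaque cookie<1..2^16-1>;      (RFC 8446, section 4.2.2)
 * i.e. a two-byte length prefix followed by the cookie bytes, which must
 * fill the rest of the extension. On success the cookie is copied into a
 * malloc'd buffer; the caller frees it. */
enum cookie_rc parse_hrr_cookie(const unsigned char *ext, size_t ext_len,
                                unsigned char **cookie, size_t *cookie_len)
{
    size_t len;

    *cookie = NULL;
    *cookie_len = 0;
    if (ext_len < 2)
        return COOKIE_DECODE_ERROR;     /* length prefix missing */
    len = ((size_t)ext[0] << 8) | ext[1];
    if (len == 0)
        return COOKIE_DECODE_ERROR;     /* the fix: a zero-length cookie is a decode_error */
    if (len != ext_len - 2)
        return COOKIE_DECODE_ERROR;     /* truncated body or trailing bytes */
    *cookie = malloc(len);
    if (*cookie == NULL)
        return COOKIE_DECODE_ERROR;
    memcpy(*cookie, ext + 2, len);
    *cookie_len = len;
    return COOKIE_OK;
}

/* Constructed sample extension bodies: valid, empty, and truncated. */
static const unsigned char good_ext[]  = { 0x00, 0x03, 0xaa, 0xbb, 0xcc };
static const unsigned char empty_ext[] = { 0x00, 0x00 };
static const unsigned char short_ext[] = { 0x00, 0x05, 0xaa };

/* Wrapper returning only the result code, freeing any copied cookie. */
int cookie_rc_for(const unsigned char *ext, size_t ext_len)
{
    unsigned char *c = NULL;
    size_t n = 0;
    enum cookie_rc rc = parse_hrr_cookie(ext, ext_len, &c, &n);

    free(c);
    return (int)rc;
}
```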
When X509_add_cert() or sk_X509_CRL_push() failed, the cert or CRL from
OSSL_STORE was not freed. Free on failure to avoid a leak.
Fix 90-test_memfail.t parsing of count output so the memfail suite runs
correctly: parse 'skip: N count M' with a regex (handles '# ' prefix),
return (0,0) if the count file cannot be opened, and skip with a clear
message when total malloc count is 0 instead of planning 0 tests.
Apply clang-format to test/load_key_certs_crls_memfail.c.
- apps/lib/apps.c: free cert/CRL on add/push failure
- test/build.info: add load_key_certs_crls_memfail (allocfail-tests)
- test/load_key_certs_crls_memfail.c: regression test for issue #30364
- test/recipes/90-test_memfail.t: fix get_count_info parsing and plan
Issue #30364
Fixes: 6d382c74b3 "Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c"
Fixes: d7fcee3b3b "OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 21 08:50:18 2026
(Merged from https://github.com/openssl/openssl/pull/30428)
ssl_do_config() could leave stale errors on the error stack even on
success, so that later error checking operations could mistakenly
surface these errors. Use ERR_set_mark()/ERR_pop_to_mark() to cleanly
discard errors when the function succeeds or when system config errors
are non-fatal.
Fixes #30760
Co-authored-by: Brandon Allard <brandon@redpanda.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Thu Apr 16 11:24:56 2026
(Merged from https://github.com/openssl/openssl/pull/30765)
Discover all provided ciphers with non-zero IV length and verify
correct multi-step initialization semantics.
The EVP API permits key and IV to be supplied in separate
`EVP_CipherInit_ex()` calls (e.g. key-only followed by IV-only).
A recent bug (PR #29934, ASCON-AEAD128) demonstrated that a
provider may silently ignore a key-only init, resulting in reuse
of a previously loaded key during a subsequent IV-only init.
To prevent similar regressions, this change introduces three
generic tests that automatically cover all IV-taking ciphers:
Verifies that:
- `init(key) → init(iv)`
- `init(iv) → init(key)`
produce identical ciphertext (and authentication tag for AEAD
ciphers) compared to single-call `init(key, iv)`.
Primes a context with `key1/iv1`, then re-initializes via
`init(key2) → init(iv2)` and verifies the output matches a fresh
`encrypt(key2, iv2)` operation, ensuring that no previously stored
key is reused.
Encrypts using single-call initialization and then decrypts using
multi-step initialization, verifying plaintext recovery. For AEAD
ciphers, this also exercises tag verification through the
multi-step path.
Ciphers are discovered using `EVP_CIPHER_do_all_provided()`,
requiring no maintenance when new IV-taking ciphers are added.
SIV mode is skipped due to its synthetic IV semantics. CCM mode
handling includes required length declarations.
This provides broad regression coverage for the provider
implementations that support multi-step EVP initialization.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr 16 07:08:17 2026
(Merged from https://github.com/openssl/openssl/pull/30141)
Shut off clang-format, as it is incapable of formatting arrays properly,
and just mangles everything instead. Also, while at it, drop the trailing
commas from TPARAM_CHECK_* definitions, as they are pretty confusing.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Wed Apr 15 12:45:37 2026
(Merged from https://github.com/openssl/openssl/pull/30580)
On POWER10, ChaCha20_ctr32_vsx_8x is activated for buffers over 255
bytes and uses vxxlor to alias FPR14-FPR25 as temporary storage. Add a
test to chacha_internal_test that pins known values in f14-f25 via
inline asm, calls through ChaCha20_ctr32 with a 512-byte buffer to
trigger the 8x path, and verifies the registers still hold their
original values. The test is gated on PPC_BRD31 (POWER10 capability
flag) so it is skipped silently on older hardware.
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 20:06:05 2026
(Merged from https://github.com/openssl/openssl/pull/30587)
SSL_use_cert_and_key(3) dereferenced a NULL SSL_CTX pointer
via ssl_cert_lookup_by_pkey() when the private key type was
not one of the builtin ones, but was provider-based.
Bug introduced in Postfix 3.2 (commit ee58915cfd).
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Apr 11 19:04:12 2026
(Merged from https://github.com/openssl/openssl/pull/30683)