As part of 6aaac9dd388a64d0f511544496608693e1105d13 in
https://github.com/curl/curl.git
Curl dropped support for using the quic-tls interface to use our quic
stack. Because our interop testing relies on using curl to do testing,
our builds broke.
Until we can find an alternate client to do https transfers over
http3/quic, we need to back off our quic build point to a commit prior
to the above so we can maintain our interop testing.
Long term, we need to enhance our own http3 demo client to support the
download/resumption/etc features that we need for interop. We're
tracking that effort in:
https://github.com/openssl/project/issues/1850
Fixes openssl/project#1848
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Fri Jan 30 12:20:11 2026
(Merged from https://github.com/openssl/openssl/pull/29857)
valgrind gripes about this, as it's possible to reach the TEST_mem_eq
test without ever having initialized the buffer
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jan 29 16:37:35 2026
(Merged from https://github.com/openssl/openssl/pull/29573)
Passing uninitialized data to a syscall results in valgrind warnings, and
probably shouldn't be done anyway. Fix that
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jan 29 16:37:32 2026
(Merged from https://github.com/openssl/openssl/pull/29573)
Some tests (like the mem_alloc and abort tests) do things with malloc
intentionally as sanity checks that valgrind complains about, and so we
just shouldn't run those tests under valgrind at all
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jan 29 16:37:30 2026
(Merged from https://github.com/openssl/openssl/pull/29573)
As part of our effort to provide a suppression file for valgrind that we
can maintain, we should have the ability to run our tests under
valgrind.
Add an environment variable OSSL_USE_VALGRIND to prefix all our app and
test executions with the valgrind tool so that we can run it
automatically
Fixes openssl/project#1801
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Jan 29 16:37:26 2026
(Merged from https://github.com/openssl/openssl/pull/29573)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jan 29 14:22:55 2026
(Merged from https://github.com/openssl/openssl/pull/29817)
This fixes #29808.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Jan 29 14:22:50 2026
(Merged from https://github.com/openssl/openssl/pull/29817)
The KDSA instruction can operate in 2 different modes:
- Deterministic mode - nonce 'k' is supplied by user.
- Non-deterministic mode - nonce 'k' is randomly generated by the instruction
itself.
When running in the FIPS-Module, do not use KDSA's non-deterministic mode,
but generate the nonce 'k' using OpenSSL's random number generator. This
ensures that the nonce is generated using a FIPS-approved random number
generator.
It also makes the FIPS KAT tests work, because those use a pre-setup
deterministic random number generator to produce deterministic ECDSA
signatures even for non-deterministic mode.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29754)
The set1_groups and set1_curves functions do not modify their input
arrays, so the documentation should reflect const-correct signatures.
Fixes #27422
CLA: trivial
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29762)
Document that the returned pointer is internal, reference count is not
incremented, and should not be freed. Mention SSL_CTX_up_ref() for
callers who need to retain the SSL_CTX.
Fixes #28298
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29767)
Add DH_check_pub_key to NAME and SYNOPSIS sections. Fix typo where
DH_check_params() was incorrectly written instead of DH_check_params_ex()
in the description of the _ex functions.
Also remove DH_check_pub_key from util/missingcrypto.txt since it is
now documented.
Fixes #8473
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29768)
The "key" parameter documentation referenced a non-existent "algorithm"
parameter. Change to reference the actual "cipher" and "digest" parameters.
Fixes #12580
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29766)
The function can return on ctrl2params() returning 0 without freeing
the allocated memory associated with the got pointer. Fix it by jumping
to the err label that performs the cleanup instead of returning
immediately.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1680647
Fixes: 9c73843141 "Add support for CSHAKE."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jan 28 12:57:04 2026
(Merged from https://github.com/openssl/openssl/pull/29757)
ctx is dereferenced before NULL check to obtain libctx. Fix it
by moving the dereference after the NULL check.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1680648
Fixes: fe67753da4 "Add SRTPKDF implementation"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jan 28 12:57:00 2026
(Merged from https://github.com/openssl/openssl/pull/29757)
b->ptr cannot be NULL, so the check is not needed; drop it.
Reported by Coverity as a potential NULL dereference in ctx->ibuf_len
access.
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1680636
Fixes: f17230ae6c "Fix of EOF and retry handling in BIO implementations"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jan 28 12:56:56 2026
(Merged from https://github.com/openssl/openssl/pull/29757)
Co-authored-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Jan 27 20:43:01 2026
(Merged from https://github.com/openssl/openssl/pull/29648)
ubsan reports an error in the free callback function for
OPENSSL_sk_pop_free.
Need to add a thunking shim to cast the pointer data types to their
proper types
Fixes #29616
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Jan 27 17:25:34 2026
(Merged from https://github.com/openssl/openssl/pull/29690)
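The thunking shim the commit above describes, as an added example rather than OpenSSL's stack code: `pop_free()` here is a stand-in for OPENSSL_sk_pop_free(), and `struct widget`, `widget_free()`, `make_widgets()` and the `widgets_freed` counter are constructed for the illustration. Calling a `void (*)(struct widget *)` through a `void (*)(void *)` pointer is undefined behaviour in C even when it appears to work, and clang's UBSan (`-fsanitize=function`) reports it at the indirect call; the shim gives the generic function a callback of exactly the type it expects and moves the cast inside.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed illustration of the thunking shim, not OpenSSL's stack code.
 * pop_free() stands in for OPENSSL_sk_pop_free(): it takes a generic
 * void (*)(void *) and calls it on every element, last to first. */
typedef void (*free_fn)(void *);

static void pop_free(void **items, size_t n, free_fn fn)
{
    while (n > 0)
        fn(items[--n]);
}

struct widget {
    int id;
};

static int widgets_freed;   /* counter so the result can be checked */

/* The natural type-specific free. Its type is void (*)(struct widget *),
 * which is not compatible with free_fn. */
static void widget_free(struct widget *w)
{
    if (w != NULL) {
        widgets_freed++;
        free(w);
    }
}

/* Thunking shim: has exactly the type pop_free() expects and performs the
 * cast inside, so no call ever goes through a mismatched function pointer. */
static void widget_free_thunk(void *p)
{
    widget_free((struct widget *)p);
}

/* Allocate n constructed widgets into items; returns how many were made. */
static size_t make_widgets(void **items, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct widget *w = malloc(sizeof(*w));

        if (w == NULL)
            return i;
        w->id = (int)i;
        items[i] = w;
    }
    return n;
}

/* The pattern UBSan rejects: cast widget_free to free_fn and call through the
 * wrong type. Undefined behaviour in C; kept only to show the shape, and not
 * exercised by the checks below. */
int demo_cast(void)
{
    void *items[3];
    size_t n = make_widgets(items, 3);

    widgets_freed = 0;
    pop_free(items, n, (free_fn)widget_free);   /* UB: mismatched call type */
    return widgets_freed;
}

/* The fixed shape: every indirect call goes through a correctly typed pointer. */
int demo_thunk(void)
{
    void *items[3];
    size_t n = make_widgets(items, 3);

    widgets_freed = 0;
    pop_free(items, n, widget_free_thunk);
    return widgets_freed;
}
```

The same shim pattern applies to any C API that takes a `void (*)(void *)` or `int (*)(const void *, const void *)` callback (comparators for sorting, hash-table callbacks): keep the typed function for normal callers and hand the generic API a one-line wrapper of the declared type.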
as a particular type
Issue was reported in ossl_ess_get_signing_cert but is also present in
ossl_ess_get_signing_cert_v2.
Fixes: https://github.com/openssl/srt/issues/61
Fixes CVE-2025-69420
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:53:36 2026
When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
encrypts/decrypts full blocks but does not advance in/out pointers. The
tail-handling code then operates on the base pointers, effectively reprocessing
the beginning of the buffer while leaving the actual trailing bytes
unencrypted (encryption) or using the wrong plaintext (decryption). The
authentication checksum excludes the true tail.
CVE-2025-69418
Fixes: https://github.com/openssl/srt/issues/58
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:48:35 2026
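The pointer bookkeeping failure described in the commit message, as an added example that is not OpenSSL's cipher code: a 16-byte block fast path (`stream_blocks()`) stands in for `ctx->stream`, a byte-wise `tail_bytes()` handles the partial final block, and both just XOR with a constructed keystream `KS`, which is enough to show which bytes are left untouched. The authentication checksum the message also mentions is not modelled. `encrypt_buggy()` calls the fast path without advancing `in`/`out`; `encrypt_fixed()` advances both before the tail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the pointer bookkeeping bug described above, not
 * OpenSSL's cipher code. A 16-byte block fast path stands in for ctx->stream
 * (AES-NI / ARMv8 CE) and a byte-wise tail handler covers the remainder. Both
 * XOR with a fixed keystream, which is enough to show which bytes are left
 * untouched; the authentication checksum is not modelled. */
#define BLK 16

/* Constructed keystream; every byte is non-zero so XOR always changes data. */
static const uint8_t KS[BLK] = {
    0x5A, 0xC3, 0x3C, 0xA5, 0x0F, 0xF0, 0x69, 0x96,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};

/* Fast path: whole blocks only; it does not move the caller's pointers. */
static void stream_blocks(const uint8_t *in, uint8_t *out, size_t blocks)
{
    for (size_t b = 0; b < blocks; b++)
        for (size_t i = 0; i < BLK; i++)
            out[b * BLK + i] = in[b * BLK + i] ^ KS[i];
}

/* Tail path: byte-wise over the partial final block. */
static void tail_bytes(const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ KS[i];
}

/* Buggy shape: the fast path runs, but in/out still point at the start of the
 * buffer, so the tail handler reprocesses out[0..rem) and the real trailing
 * bytes at out[len-rem..len) are never written. In place, the reprocessed
 * prefix is XORed twice and comes back out as plaintext. */
int encrypt_buggy(const uint8_t *in, uint8_t *out, size_t len)
{
    size_t blocks = len / BLK, rem = len % BLK;

    if (blocks > 0)
        stream_blocks(in, out, blocks);  /* in/out NOT advanced */
    if (rem > 0)
        tail_bytes(in, out, rem);        /* operates on the buffer start */
    return 1;
}

/* Fixed shape: advance both pointers past what the fast path consumed. */
int encrypt_fixed(const uint8_t *in, uint8_t *out, size_t len)
{
    size_t blocks = len / BLK, rem = len % BLK;

    if (blocks > 0) {
        stream_blocks(in, out, blocks);
        in += blocks * BLK;
        out += blocks * BLK;
    }
    if (rem > 0)
        tail_bytes(in, out, rem);
    return 1;
}

/* Encrypt a 20-byte constructed plaintext (one full block plus a 4-byte tail)
 * in place and return how many bytes still equal the plaintext afterwards;
 * a correct implementation returns 0. */
size_t plaintext_bytes_left(int (*enc)(const uint8_t *, uint8_t *, size_t))
{
    uint8_t pt[20], buf[20];
    size_t same = 0;

    for (size_t i = 0; i < sizeof(buf); i++)
        pt[i] = buf[i] = (uint8_t)(i + 1);
    enc(buf, buf, sizeof(buf));
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] == pt[i])
            same++;
    return same;
}

int main(void)
{
    printf("buggy: %zu of 20 bytes still plaintext\n",
           plaintext_bytes_left(encrypt_buggy));
    printf("fixed: %zu of 20 bytes still plaintext\n",
           plaintext_bytes_left(encrypt_fixed));
    return 0;
}
```

With the buggy shape the in-place run leaves 8 of 20 bytes as plaintext: the 4 real tail bytes that were never touched, plus the first 4 bytes that the tail handler XORed a second time. With a separate output buffer the prefix would be rewritten with the same ciphertext and the tail positions would simply hold whatever the output buffer contained before, which is the "trailing bytes unencrypted" outcome the message describes.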
pre-decompression allocation.
The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research).
Fixes: CVE-2025-66199
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:45:21 2026
When a BIO_f_linebuffer is part of a bio chain, and the next BIO
performs short writes, the remainder of the unwritten buffer is copied
unconditionally to the internal buffer ctx->obuf, which may not be
sufficiently sized to handle the remaining data, resulting in a buffer
overflow.
Fix it by only copying data when ctx->obuf has space, flushing to the
next BIO to increase available storage if needed.
Fixes openssl/srt#48
Fixes CVE-2025-68160
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:41:40 2026
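The short-write handling described in the commit message, as an added example rather than the code of BIO_f_linebuffer: `struct lb_ctx` with a 32-byte `obuf`, a toy "next BIO" `next_write()` that accepts at most 8 bytes per call, and the `lb_write_buggy()` / `lb_write_fixed()` shapes are all constructed for the illustration. The buggy variant stashes the unwritten remainder in `obuf` regardless of the space left (the demo returns -1 at the point where the real memcpy would overrun); the fixed variant copies only what fits and flushes to the next BIO to make room.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the write path in the commit message, not the code of
 * BIO_f_linebuffer: a fixed-size obuf in front of a "next BIO" that accepts
 * at most NEXT_MAX bytes per call, i.e. it performs short writes. */
#define OBUF_SIZE 32
#define NEXT_MAX  8

/* The next BIO: short-writes into a sink so delivery can be checked. */
static uint8_t sink[512];
static size_t sink_len;

static size_t next_write(const uint8_t *p, size_t n)
{
    if (n > NEXT_MAX)
        n = NEXT_MAX;
    memcpy(sink + sink_len, p, n);
    sink_len += n;
    return n;
}

struct lb_ctx {
    uint8_t obuf[OBUF_SIZE];
    size_t obuf_len;
};

/* Push everything in obuf downstream, looping over short writes (the toy
 * next BIO always accepts at least one byte, so this cannot stall). */
static void flush_obuf(struct lb_ctx *ctx)
{
    size_t off = 0;
    while (off < ctx->obuf_len)
        off += next_write(ctx->obuf + off, ctx->obuf_len - off);
    ctx->obuf_len = 0;
}

/* Buggy shape: write through, then stash whatever was not taken. The bounds
 * check is only here so the demo does not actually perform the out-of-bounds
 * memcpy; the pattern being modelled has no such check and overruns obuf. */
int lb_write_buggy(struct lb_ctx *ctx, const uint8_t *in, size_t inl)
{
    size_t n = next_write(in, inl);
    size_t remaining = inl - n;
    if (remaining > sizeof(ctx->obuf) - ctx->obuf_len)
        return -1;                       /* would overflow obuf */
    memcpy(ctx->obuf + ctx->obuf_len, in + n, remaining);
    ctx->obuf_len += remaining;
    return (int)inl;
}

/* Fixed shape: copy only what fits; when obuf is full, flush it to the next
 * BIO to make room, then continue with the rest of the input. */
int lb_write_fixed(struct lb_ctx *ctx, const uint8_t *in, size_t inl)
{
    size_t done = 0;
    while (done < inl) {
        size_t space = sizeof(ctx->obuf) - ctx->obuf_len;
        if (space == 0) {
            flush_obuf(ctx);
            space = sizeof(ctx->obuf);
        }
        if (space > inl - done)
            space = inl - done;
        memcpy(ctx->obuf + ctx->obuf_len, in + done, space);
        ctx->obuf_len += space;
        done += space;
    }
    return (int)done;
}

static uint8_t input[256];   /* constructed input: byte i is i*7+3 */
static void reset(size_t len)
{
    for (size_t i = 0; i < len; i++)
        input[i] = (uint8_t)(i * 7 + 3);
    sink_len = 0;
}

/* One write of len bytes through the buggy path; -1 means the remainder after
 * the short write no longer fits in obuf. */
int demo_buggy(size_t len)
{
    struct lb_ctx ctx = {{0}, 0};
    reset(len);
    return lb_write_buggy(&ctx, input, len);
}

/* One write of len bytes through the fixed path plus a final flush; returns 1
 * when every byte reached the sink, in order. */
int demo_fixed(size_t len)
{
    struct lb_ctx ctx = {{0}, 0};
    reset(len);
    if (lb_write_fixed(&ctx, input, len) != (int)len)
        return 0;
    flush_obuf(&ctx);
    return sink_len == len && memcmp(sink, input, len) == 0;
}
```

A 16-byte write survives the buggy path (8 bytes go downstream, 8 are buffered), while a single 48-byte write already leaves a 40-byte remainder for a 32-byte `obuf`: the trigger is just a short-writing sink plus an input larger than the buffer, nothing attacker-crafted. The fixed path delivers 48 or 200 bytes intact because it never copies more than the free space and flushes whenever `obuf` fills.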
Previously input was silently truncated at 16MB, now if the input is
longer than limit, an error is reported.
The bio_to_mem() apps helper function was changed to return 0 or 1,
and return the size of the result via an output size_t pointer.
Fixes CVE-2025-15469
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:37:41 2026
The keylength value must be present and we accept
EVP_MAX_MD_SIZE at maximum.
The salt ASN.1 type must be OCTET STRING.
Fixes CVE-2025-11187
Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
Reported independently also by Hamza (Metadust).
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Alicja Kario <hkario@redhat.com>
MergeDate: Mon Jan 26 16:14:15 2026
There is no reason to run it in forks.
Similar to 6e5ce1ebb5.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 15:47:57 2026
(Merged from https://github.com/openssl/openssl/pull/29660)
The Authority Key Identifier's serial number field is an ASN1 integer, so use
the appropriate i2s_ASN1_INTEGER function instead of i2s_ASN1_OCTET_STRING
for string conversion. This fixes handling of negative serial numbers
which were previously displayed incorrectly.
While negative serial numbers are not RFC-compliant, we want to process
existing CRLs and certificates that may contain them, as this does not cause
any security issues. Rejecting invalid serial numbers during
generation is out of scope for this change.
Fixes #27406
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 15:29:33 2026
(Merged from https://github.com/openssl/openssl/pull/29717)
The functions X509V3_get_section() and X509V3_get_string() contain a
redundant null check after an identical check has already guaranteed
that the function pointer (ctx->db_meth->get_section / get_string) is
non-NULL. As a result, the final 'return NULL;' statement is unreachable.
This change removes the redundant condition and the dead code, improving
code clarity and eliminating warnings from static analyzers.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Mon Jan 26 15:28:01 2026
(Merged from https://github.com/openssl/openssl/pull/29692)
Fixes#4952
Co-authored-by: Pauli <ppzgs1@gmail.com>
Co-authored-by: Tomáš Mráz <tm@t8m.info>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 15:26:21 2026
(Merged from https://github.com/openssl/openssl/pull/29646)
Unlike SHAKE this has default values set for the xof length.
CSHAKE uses either SHAKE or KECCAK[c] depending on whether
custom strings are set or not. If either string is set, it encodes
the strings and uses KECCAK[c], otherwise it behaves the same as
SHAKE (without the default xof length problem).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Jan 23 14:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/28432)
This warning does not play well in combination with sanitizers
and its value is dubious. Instead of complicated decisions
based on configuration flags just remove it from global list.
Fixes: #29673
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Fri Jan 23 14:00:29 2026
(Merged from https://github.com/openssl/openssl/pull/29714)
Otherwise UAF and doublefree appears when the duplicate
is freed.
Reported by Tomas Dulka and Stanislav Fort (Aisle Research)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:37:36 2026
(Merged from https://github.com/openssl/openssl/pull/29707)
Otherwise UAF and doublefree appears when the duplicate
is freed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:37:34 2026
(Merged from https://github.com/openssl/openssl/pull/29707)
When resuming session with the extended master secret support
dropped we should use SSL_AD_HANDSHAKE_FAILURE instead of
SSL_AD_ILLEGAL_PARAMETER according to the RFC7627 section 5.
Fixes #9791
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/29706)
In compliance with RFC 3711, Section 4.3.3
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
MergeDate: Fri Jan 23 10:19:32 2026
(Merged from https://github.com/openssl/openssl/pull/29435)
The yaml for the check-news-changes CI job had an error in the step
conditional that prevented skipping the check if the
no_news_changes_needed flag was set. Fix that.
While we're at it, also add some debug code so that we can better see
what the checks are looking at during the CI job.
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:19:07 2026
(Merged from https://github.com/openssl/openssl/pull/29705)