Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#27397)

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#27397)

folow the using_peeloff get/set routines to just a set routine that
fails if the set is for a mode that doesn't match the current mode

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#27397)

Various review fixups to clarify meaning of variables and fix unwinding
of operations should we encounter errors in some operations.

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#27397)

Fixes 0c2a196

Fixes Coverity issue 1675312

Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29306)

GOST provider is in a good shape already, so keep the mentions rewritten
to provider instead of the engine.

Resolves: openssl/project#1733

Signed-off-by: Norbert Pocs <[email protected]>

Reviewed-by: Viktor Dukhovni <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29286)

This includes adding a little internal procedure for when functions
are removed, and a special ossl-ex-api page to document what API has
been removed.

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
(Merged from openssl#29220)

Resolves: https://scan5.scan.coverity.com/#/project-view/65138/10222?selectedIssue=1675327
Signed-off-by: Nikola Pajkovsky <[email protected]>

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Viktor Dukhovni <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
(Merged from openssl#29317)

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
(Merged from openssl#29242)

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
(Merged from openssl#29242)

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from openssl#29343)

clang-format sensibly thinks this is an arithmatic operation,
and formats the math. Sadly it does not know we eventually
stringify this behind several other layers of nested macros
and so putting spaces in here is bad.

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
(Merged from openssl#29350)

The reformat did something silly with some of the arrays in evp_extra_test.c
Fix the arrays such that clang-format is still happy.

Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
(Merged from openssl#29349)

Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Saša Nedvědický <[email protected]>
(Merged from openssl#29282)

We have a few cases in which one of the paramters passed to
ASN1_TIME_diff is null (i.e. the caller doesn't care about the psec
differnce and so passes NULL as that pointer parameter).

However, OPENSSL_gmtime_diff assumes both pointers are valid, and so
writes to them unilaterally resulting in a crash as observed here:
openssl#29333 (comment)

Check the pointers before writing to them.

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
(Merged from openssl#29337)

  In compliance with SP800-135 and RFC7860

Reviewed-by: Shane Lontis <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#29195)

Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
(Merged from openssl#28278)

Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
(Merged from openssl#28278)

Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
(Merged from openssl#29360)

…transaction (also pkiconf); update doc

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28015)

…st anchors in IP extracerts according to 3GPP TS 33.310

Fixes openssl#27888

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28015)

…AG_CRL_CHECK is clear

Fixes openssl#28758

When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored.
Prior to 3.6.0, this was indeed the case.

In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK.
This unfortunately breaks the majority of ruby installations, which relied on the documented behavior.

For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags,
which are still undocumented as of 3.6.0.

All existing tests continue to pass.  They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set.
We could add a new test for this regression.  I'll leave that to another commit.

CLA: trivial

Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28797)

(cherry picked from commit cbaf28c)

- drop tag subtraction in recv buffer sizing
- enforce MSG_EOR and reject MSG_CTRUNC
- zero prepended header bytes before recvmsg

Signed-off-by: Joshua Rogers <[email protected]>

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28861)

DTLSv1_listen built the HelloVerifyRequest in wbuf but invoked
msg_callback with buf and DTLS1_RT_HEADER_LENGTH, and version 0.
That caused incorrect logging and could disclose the ClientHello
to write callbacks. Use wbuf and the actual record version for the
record header, and add a second callback that reports the handshake
message bytes. No change to on-wire behavior.

Signed-off-by: Joshua Rogers <[email protected]>

Reviewed-by: Frederik Wedel-Heinen <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#28916)

This patch adds a man page documenting the OPENSSL_ppccap environment
variable that is analogous to capability environment variable man pages
for other architectures.

Fixes openssl#17046

Signed-off-by: George Wilson <[email protected]>

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Eugene Syromiatnikov <[email protected]>
(Merged from openssl#29230)

This is largely cosmetic, since the macro expands to "seed" either way,
but it is best to avoid this type of error.

Reviewed-by: Kurt Roeckx <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29313)

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29318)

The functions RSA_(public|private)_(en|de)crypt() return a signed
result, in particular `-1` may be returned on error, so the caller
MUST treat the value as signed.

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29323)

ec_gen_set_params() can fail after some big numbers have already been
copied over. Those need to be cleaned to avoid a memory leak on failure.
This can be done with ec_gen_cleanup(), which is also consistent in how
the ecx_gen code does it.

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#29335)

Expose the EC field degree as a gettable parameter for both provided
and legacy EC keys.  In the latter case, drop a spurious assertion,
since even in debug builds an application may try to get an unknown
parameter, and this should return an error rather than abort.

In the EC `TEXT` encoding format, instead of reporting the bit count of
the group order, report the field degree (which matches the size number
in the curve's name when present) and also the symmetric-equivalent
security-bits (adjusted down the the standard numbers (80, 112, 128,
192, 256).

Along the way, add a missing getter method for the EC_GROUP security
bits.

Reviewed-by: Kurt Roeckx <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Saša Nedvědický <[email protected]>
MergeDate: Thu Jan 15 16:10:26 2026
(Merged from openssl#29539)

These flags seems not to be part of -Wextra, but looks like
could be useful in CI. According to gcc man page:

 disabled-optimization
  Warn if a requested optimization pass is disabled.

 pointer-arith
  Warn about anything that depends on the "size of" a function
  type or of "void".

Fixes: openssl/project#1809

Signed-off-by: Milan Broz <[email protected]>

Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Saša Nedvědický <[email protected]>
MergeDate: Thu Jan 15 16:16:40 2026
(Merged from openssl#29622)

The check for impacting a public api had an incorrect pattern in the
search, leading to erroneous failures.  Fix it up.

Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
MergeDate: Thu Jan 15 17:14:30 2026
(Merged from openssl#29636)

Their semantics are poorly defined and they are rarely used.  The _ne
version being completely unused & tricky to define properly.

Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Frederik Wedel-Heinen <[email protected]>
(Merged from openssl#29627)

Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Frederik Wedel-Heinen <[email protected]>
(Merged from openssl#29627)

Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Nikola Pajkovsky <[email protected]>
Reviewed-by: Frederik Wedel-Heinen <[email protected]>
(Merged from openssl#29627)

Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Fri Jan 16 13:19:25 2026
(Merged from openssl#29635)

With our move to clang-format we no longer have a check-format script,
and so this make target is broken.

Fix it up to use clang-format-diff instead

Fixes openssl#29594

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
MergeDate: Fri Jan 16 14:37:09 2026
(Merged from openssl#29634)

Drop support for the SSLv2 Client Hello. We allowed that a client send
an SSLv2 compatible Client Hello.

Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Alicja Kario <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#28041)

In case the parameters don't exactly match the well-known ones

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
(Merged from openssl#29639)

If a custom seed source is specified in the config file, it can be
silently ignored. For example if it is missing, fails to be created,
or fails to initialize it can be silently ignored and fallback to os
entropy instead.

To reproduce this, perform default configuration of openssl without
jitter entropy source, and then specify jitter entropy
source. Currently entropy will fall back to getrandom, instead of
erroring out.

This is not unique to jitter entropy source, there are a few other
entropy source providers out there on the market, and in all cases if
one is configuring OpenSSL to use a given seed source by name, it
should be honored.

Currently this will output a fresh rsa key, with this change however
it will now result in an error:

```
./Configure
make
./util/wrap.pl -jitter ./apps/openssl genrsa
Warning: generating random key material may take a long time
if the system has a poor entropy source
genrsa: Error generating RSA key
80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>)
80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613:
80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>)
80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613:
```

IMHO, if a user is configuring a custom seed source, it should be
honored without silently eating errors.

Note this partially reverts 1d180bb
"rand: allow seed-src to be missing", which as far as I understand was
done to ensure that fallback seedsource is allowed to be missing. This
new implementation preserves this behaviour by ensuring error is not
raised if SEED-SRC (which since the above commit was changed to a
macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it
fails to be fetched. Previously all errors were popped unconditionaly,
thus same behaviour is preserved if SEED-SRC is completely missing and
it wasn't configured in the config file. cc @paulidale, also see: -
openssl#13640

Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#29316)

Anytime a new error code is added it generates error related files.
These are generated using a perl script which used readable indenting.
The indenting has been removed.

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#29631)

This includes KDF's for ss,x963,hmac-drbg,KB,KRB5,PVK,SNMP,SSH and X942.
SSKDF/X963KDF Changes: Modify code to handle algorithms being disabled via configuration options.

Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#29576)

…k-format.pl

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
(Merged from openssl#29655)

Signed-off-by: Nikola Pajkovsky <[email protected]>

Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Kurt Roeckx <[email protected]>
(Merged from openssl#29670)

Signed-off-by: Joshua Rogers <[email protected]>

Reviewed-by: Frederik Wedel-Heinen <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28915)

Signed-off-by: Joshua Rogers <[email protected]>

Reviewed-by: Frederik Wedel-Heinen <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#28915)

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
MergeDate: Mon Jan 19 11:55:58 2026
(Merged from openssl#29297)

Fix this error:
```
rmdir "$PREFIX/lib64/cmake/OpenSSL"
rmdir "$PREFIX/lib64"
rmdir: failed to remove '$PREFIX/lib64': Directory not empty
```
Because `rmdir $PREFIX/lib64/cmake` is missing

CLA: trivial
Signed-off-by: Ryan Keane <[email protected]>

Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
MergeDate: Mon Jan 19 11:58:05 2026
(Merged from openssl#29472)

The justification for this not being const was because of
lookup_certs_sk(). The reasons this function could not have a
const store, is that it set the ctx's error code
when we could not allocate memory and returned NULL.

However, the other lookup_certs function, X509_STORE_CTX_get1_certs,
already does not set this error code when failing to allocate
memory on a return.

Given that you can't depend on the out of memory error code being
set in the general case, and the Beyonce rule appears to indicate
that nobody likes this behaviour (as nobody put a test on it) I
think it's safe to say we should just not modify the ctx, and
constify it.

For openssl#28654

Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
MergeDate: Mon Jan 19 12:03:05 2026
(Merged from openssl#29488)

Fixes openssl#29509

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
MergeDate: Mon Jan 19 14:12:01 2026
(Merged from openssl#29546)

The BIO_CTRL_FLUSH should just forward the call to the underlying
BIOs when not writing.

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
MergeDate: Mon Jan 19 14:20:35 2026
(Merged from openssl#29550)

It is never changed anywhere.

Fixes openssl#29518

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
MergeDate: Mon Jan 19 14:20:35 2026
(Merged from openssl#29550)

The new name is better for consistency with other tests.

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
MergeDate: Mon Jan 19 14:20:35 2026
(Merged from openssl#29550)

Fixes openssl#18515

Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Tue Jan 20 12:12:43 2026
(Merged from openssl#29653)