Unlike SHAKE this has default values set for the xof length.
CSHAKE uses either SHAKE or KECCAK[c] depending on whether
custom strings are set or not. If either string is set, it encodes
the strings and uses KECCAK[c], otherwise it behaves the same as
SHAKE (without the default xof length problem).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Jan 23 14:07:53 2026
(Merged from https://github.com/openssl/openssl/pull/28432)
When resuming session with the extended master secret support
dropped we should use SSL_AD_HANDSHAKE_FAILURE instead of
SSL_AD_ILLEGAL_PARAMETER according to the RFC7627 section 5.
Fixes#9791
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jan 23 10:33:12 2026
(Merged from https://github.com/openssl/openssl/pull/29706)
The yaml for the check-news-changes CI job had an error in the step
conditional that prevented skipping the check if the
no_news_changes_needed flag was set. Fix that.
While we're add it, also add some debug code so that we can better see
what the checks are looking at during the CI job.
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:19:07 2026
(Merged from https://github.com/openssl/openssl/pull/29705)
When ZLIB_SHARED is defined and DSO_load() fails to load the zlib
library, ossl_comp_zlib_init() incorrectly returns 1 (success) while
leaving all function pointers (p_compress, p_uncompress, etc.) as NULL.
This causes COMP_zlib() and COMP_zlib_oneshot() to return valid-looking
COMP_METHOD pointers, but when these methods are used (e.g., during
TLS 1.3 certificate decompression), the NULL function pointers are
dereferenced, causing a SIGSEGV crash.
The bug occurs because the NULL pointer check (lines 297-303) was inside
the `if (zlib_dso != NULL)` block, so it was skipped entirely when
DSO_load() returned NULL.
The fix moves the NULL pointer check outside the conditional block,
consistent with how c_brotli.c and c_zstd.c handle this case. Now if
the DSO fails to load, all function pointers remain NULL, the check
catches this, and the function correctly returns 0 (failure).
This also fixes an incorrect cast of p_uncompress from compress_ft to
the correct uncompress_ft type.
PoC demonstrating the bug: https://github.com/SiteRelEnby/openssl-zlib-pocFixes#23563
CLA: trivial
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:00:50 2026
(Merged from https://github.com/openssl/openssl/pull/29699)
As discussed, bad-function-cast and conversion produces strange results.
Add at least float-conversion - Warn for implicit conversions that reduce
the precision of a real value.
Also fix ct_test absolute value seconds calculation (without using math.h)
and then converts is to time_t.
(n.b. this is not stricly needed for the relaxed warnings, but it is more readable)
Fixes: https://github.com/openssl/project/issues/1816
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Thu Jan 22 09:58:07 2026
(Merged from https://github.com/openssl/openssl/pull/29663)
The SHA256_Update function (in fact all functions implemented via the
HASH_UPDATE macro) have mismatched prototypes with the
OSSL_FUNC_digest_update_fn.
This leads to ubsan errors with more recent versions of clang
Create a Thunk that does the proper casting on those function pointer
callbacks
Fixes#29615
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29650)
Upgrade prime ECDSA self tests from secp224r1 to prime256v1.
Upgrade binary ECDSA self tests from sect233r1 to sect283r1.
This is forward looking change to allow raising the lower bound in
ossl_ec_check_security_strength() /
OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS in case legacy/deprecated
behaviour is not needed to be supported (for example builds with
support for primary curves only of P-256 or higher).
Did a test build to ensure that updating
OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS to 128 passes fips
selftests. Note not currently recommended.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29674)
Early returns when signature/key type are incompatible bypass cleanup
of `tmp_keymgmt` allocated via `evp_keymgmt_fetch_from_prov()`. Use goto
to ensure `EVP_KEYMGMT_free()` is called on all error paths.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Jan 20 19:01:17 2026
(Merged from https://github.com/openssl/openssl/pull/29651)
When changing the digest from MD5-SHA1 to a non-MD5-SHA1 digest,
`ctx->P_sha1` is freed but not set to NULL. If `ossl_prov_macctx_load()`
subsequently fails, `ctx->P_sha1` remains as a dangling pointer.
When the context is later freed via `kdf_tls1_prf_reset()`, this
causes a double-free.
Fix by setting `ctx->P_sha1` to NULL immediately after freeing it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Jan 20 18:21:38 2026
(Merged from https://github.com/openssl/openssl/pull/29649)
The justification for this not being const was because of
lookup_certs_sk(). The reasons this function could not have a
const store, is that it set the ctx's error code
when we could not allocate memory and returned NULL.
However, the other lookup_certs function, X509_STORE_CTX_get1_certs,
already does not set this error code when failing to allocate
memory on a return.
Given that you can't depend on the out of memory error code being
set in the general case, and the Beyonce rule appears to indicate
that nobody likes this behaviour (as nobody put a test on it) I
think it's safe to say we should just not modify the ctx, and
constify it.
For #28654
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Jan 19 12:03:05 2026
(Merged from https://github.com/openssl/openssl/pull/29488)
Fix this error:
```
rmdir "$PREFIX/lib64/cmake/OpenSSL"
rmdir "$PREFIX/lib64"
rmdir: failed to remove '$PREFIX/lib64': Directory not empty
```
Because `rmdir $PREFIX/lib64/cmake` is missing
CLA: trivial
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Mon Jan 19 11:58:05 2026
(Merged from https://github.com/openssl/openssl/pull/29472)
If a custom seed source is specified in the config file, it can be
silently ignored. For example if it is missing, fails to be created,
or fails to initialize it can be silently ignored and fallback to os
entropy instead.
To reproduce this, perform default configuration of openssl without
jitter entropy source, and then specify jitter entropy
source. Currently entropy will fall back to getrandom, instead of
erroring out.
This is not unique to jitter entropy source, there are a few other
entropy source providers out there on the market, and in all cases if
one is configuring OpenSSL to use a given seed source by name, it
should be honored.
Currently this will output a fresh rsa key, with this change however
it will now result in an error:
```
./Configure
make
./util/wrap.pl -jitter ./apps/openssl genrsa
Warning: generating random key material may take a long time
if the system has a poor entropy source
genrsa: Error generating RSA key
80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>)
80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613:
80ABAB8F9F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (JITTER : 0), Properties (<null>)
80ABAB8F9F7F0000:error:12000090:random number generator:rand_new_seed:unable to fetch drbg:crypto/rand/rand_lib.c:613:
```
IMHO, if a user is configuring a custom seed source, it should be
honored without silently eating errors.
Note this partially reverts 1d180bbe8e
"rand: allow seed-src to be missing", which as far as I understand was
done to ensure that fallback seedsource is allowed to be missing. This
new implementation preserves this behaviour by ensuring error is not
raised if SEED-SRC (which since the above commit was changed to a
macro define OPENSSL_DEFAULT_SEED_SRC) is used as a fallback, and it
fails to be fetched. Previously all errors were popped unconditionaly,
thus same behaviour is preserved if SEED-SRC is completely missing and
it wasn't configured in the config file. cc @paulidale, also see: -
https://github.com/openssl/openssl/pull/13640
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29316)
