git: 1523ccfd9c8c - main - MFV: openssl 3.5.7
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 10 Jun 2026 15:33:05 UTC
The branch main has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=1523ccfd9c8c254f7928143d31c305384b05fd11
commit 1523ccfd9c8c254f7928143d31c305384b05fd11
Merge: 4bdcff554368 3a71a35ad9da
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2026-06-10 15:25:28 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2026-06-10 15:31:07 +0000
MFV: openssl 3.5.7
This change is a security release which resolves several issues with OpenSSL 3.5,
the highest severity issue being ranked "High". Users are strongly encouraged to
update to this release.
More information about the release (from a high level) can be found in
the release notes [1].
1. https://github.com/openssl/openssl/blob/openssl-3.5.7/NEWS.md
All conflicts were resolved with `--theirs`, taking the release diff
over the local diff; the conflicts occurred due to preemptive security
fixes applied by so@ in e508c343.
MFC after: 3 days (the important security issues have been
preemptively addressed)
Merge commit '3a71a35ad9dad0e5d2cad8efecc8ba9d57c42d43'
Conflicts:
crypto/openssl/include/internal/quic_channel.h
crypto/openssl/ssl/quic/quic_channel_local.h
crypto/openssl/ssl/quic/quic_rx_depack.c
crypto/openssl/test/cmsapitest.c
crypto/openssl/test/evp_extra_test.c
crypto/openssl/CHANGES.md | 316 +
crypto/openssl/Configurations/README.md | 2 +-
crypto/openssl/Configure | 25 +-
crypto/openssl/NEWS.md | 72 +-
crypto/openssl/VERSION.dat | 4 +-
crypto/openssl/apps/enc.c | 4 +-
crypto/openssl/apps/lib/apps.c | 15 +-
crypto/openssl/apps/lib/cmp_mock_srv.c | 4 +-
crypto/openssl/apps/list.c | 5 +-
crypto/openssl/apps/s_client.c | 14 +-
crypto/openssl/apps/skeyutl.c | 4 +-
crypto/openssl/apps/speed.c | 7 +-
crypto/openssl/apps/testdsa.h | 1476 +--
crypto/openssl/apps/testrsa.h | 4916 +---------
crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl | 17 +-
crypto/openssl/crypto/asn1/a_d2i_fp.c | 66 +-
crypto/openssl/crypto/asn1/a_mbstr.c | 2 +-
crypto/openssl/crypto/asn1/asn1_lib.c | 4 +-
crypto/openssl/crypto/asn1/asn_mime.c | 16 +-
crypto/openssl/crypto/asn1/tasn_dec.c | 2 +-
crypto/openssl/crypto/bio/bss_dgram.c | 4 +-
crypto/openssl/crypto/bio/bss_dgram_pair.c | 3 +-
crypto/openssl/crypto/bn/bn_const.c | 249 +-
crypto/openssl/crypto/bn/bn_mod.c | 14 +-
crypto/openssl/crypto/cast/cast_s.h | 2306 +----
crypto/openssl/crypto/chacha/asm/chachap10-ppc.pl | 50 +-
crypto/openssl/crypto/cmp/cmp_genm.c | 13 +-
crypto/openssl/crypto/cms/cms_enc.c | 2 +-
crypto/openssl/crypto/cms/cms_env.c | 2 +-
crypto/openssl/crypto/cms/cms_pwri.c | 2 +-
crypto/openssl/crypto/crmf/crmf_lib.c | 2 +-
crypto/openssl/crypto/des/fcrypt.c | 143 +-
crypto/openssl/crypto/dso/dso_win32.c | 4 +-
crypto/openssl/crypto/ec/curve448/scalar.c | 3 +-
crypto/openssl/crypto/ec/curve448/word.h | 9 +-
crypto/openssl/crypto/ec/ec_curve.c | 236 +-
crypto/openssl/crypto/ec/ec_lib.c | 3 +-
crypto/openssl/crypto/ec/ecp_s390x_nistp.c | 36 +-
crypto/openssl/crypto/ec/ecp_sm2p256.c | 7 +-
crypto/openssl/crypto/evp/asymcipher.c | 4 +-
crypto/openssl/crypto/evp/e_aes.c | 2 +-
crypto/openssl/crypto/evp/encode.c | 282 +-
crypto/openssl/crypto/evp/evp_lib.c | 2 +-
crypto/openssl/crypto/evp/kem.c | 2 +
crypto/openssl/crypto/evp/m_sigver.c | 4 +-
crypto/openssl/crypto/evp/signature.c | 2 +
crypto/openssl/crypto/ffc/ffc_params.c | 10 +-
crypto/openssl/crypto/hashtable/hashtable.c | 55 +-
crypto/openssl/crypto/hpke/hpke_util.c | 7 +-
crypto/openssl/crypto/http/http_client.c | 28 +-
crypto/openssl/crypto/http/http_lib.c | 3 +
crypto/openssl/crypto/initthread.c | 30 +-
crypto/openssl/crypto/md2/md2_dgst.c | 284 +-
crypto/openssl/crypto/ml_dsa/ml_dsa_key.c | 4 +-
crypto/openssl/crypto/modes/wrap128.c | 15 +-
crypto/openssl/crypto/objects/obj_dat.c | 6 +-
crypto/openssl/crypto/objects/obj_lib.c | 4 +-
crypto/openssl/crypto/param_build.c | 6 +-
crypto/openssl/crypto/param_build_set.c | 7 +-
crypto/openssl/crypto/pkcs12/p12_decr.c | 2 +-
crypto/openssl/crypto/pkcs7/pk7_smime.c | 2 +-
crypto/openssl/crypto/rc2/rc2_skey.c | 284 +-
crypto/openssl/crypto/slh_dsa/slh_dsa_key.c | 5 +-
crypto/openssl/crypto/sm2/sm2_crypt.c | 17 +-
crypto/openssl/crypto/sm2/sm2_sign.c | 7 +-
crypto/openssl/crypto/threads_none.c | 30 +-
crypto/openssl/crypto/threads_pthread.c | 36 +-
crypto/openssl/crypto/threads_win.c | 36 +-
crypto/openssl/crypto/x509/v3_ist.c | 6 +-
crypto/openssl/demos/cipher/aeskeywrap.c | 100 +-
crypto/openssl/demos/cipher/ariacbc.c | 20 +-
crypto/openssl/demos/digest/EVP_MD_demo.c | 73 +-
crypto/openssl/demos/encrypt/rsa_encrypt.h | 1638 +---
crypto/openssl/demos/mac/cmac-aes256.c | 56 +-
crypto/openssl/demos/mac/hmac-sha512.c | 144 +-
.../demos/signature/EVP_EC_Signature_demo.h | 772 +-
crypto/openssl/doc/fingerprints.txt | 3 +
.../doc/internal/man3/ossl_rcu_lock_new.pod | 86 +-
crypto/openssl/doc/man1/openssl-format-options.pod | 4 +-
crypto/openssl/doc/man1/openssl-pkcs8.pod.in | 4 +-
crypto/openssl/doc/man1/openssl-rehash.pod.in | 6 +-
crypto/openssl/doc/man1/openssl-s_client.pod.in | 11 +-
crypto/openssl/doc/man1/openssl-s_server.pod.in | 19 +-
crypto/openssl/doc/man1/openssl-smime.pod.in | 7 +-
crypto/openssl/doc/man3/BIO_s_bio.pod | 83 +-
crypto/openssl/doc/man3/BN_add.pod | 8 +-
crypto/openssl/doc/man3/CMS_decrypt.pod | 2 +-
crypto/openssl/doc/man3/EVP_EncryptInit.pod | 3 +-
crypto/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod | 6 +-
crypto/openssl/doc/man3/OSSL_HTTP_parse_url.pod | 18 +-
crypto/openssl/doc/man3/OSSL_HTTP_transfer.pod | 5 +-
crypto/openssl/doc/man3/PKCS7_decrypt.pod | 5 +-
.../doc/man3/SSL_CTX_set_session_cache_mode.pod | 6 +-
.../doc/man3/SSL_CTX_set_session_id_context.pod | 28 +-
.../SSL_CTX_set_tlsext_servername_callback.pod | 8 +-
crypto/openssl/doc/man3/d2i_X509.pod | 40 +-
crypto/openssl/doc/man7/EVP_CIPHER-AES.pod | 6 +-
crypto/openssl/doc/man7/openssl-env.pod | 2 +
crypto/openssl/doc/man7/provider-asym_cipher.pod | 6 +-
crypto/openssl/doc/man7/provider-signature.pod | 3 +-
crypto/openssl/fuzz/dtlsserver.c | 3407 +------
crypto/openssl/fuzz/server.c | 2213 +----
crypto/openssl/include/crypto/riscv_arch.h | 4 +-
crypto/openssl/include/internal/cryptlib.h | 4 +-
crypto/openssl/include/internal/quic_cfq.h | 2 +-
crypto/openssl/include/internal/quic_channel.h | 8 +-
crypto/openssl/include/internal/quic_fifd.h | 2 +-
crypto/openssl/include/internal/quic_stream_map.h | 5 +-
crypto/openssl/include/internal/rcu.h | 9 +-
crypto/openssl/include/openssl/bn.h | 6 +-
crypto/openssl/include/openssl/ssl.h.in | 4 +-
crypto/openssl/include/openssl/x509_acert.h.in | 10 +-
crypto/openssl/providers/defltprov.c | 10 +-
crypto/openssl/providers/fips-sources.checksums | 66 +-
crypto/openssl/providers/fips.checksum | 2 +-
crypto/openssl/providers/fips.module.sources | 2 +-
crypto/openssl/providers/fips/self_test_data.inc | 203 +-
.../ciphers/cipher_aes_gcm_hw_rv64i.inc | 7 +-
.../ciphers/cipher_aes_gcm_siv_hw.c | 2 +-
.../implementations/ciphers/cipher_aes_siv.c | 2 +-
.../implementations/encode_decode/ml_dsa_codecs.c | 308 +-
.../implementations/encode_decode/ml_dsa_codecs.h | 12 +-
.../implementations/encode_decode/ml_kem_codecs.h | 12 +-
.../providers/implementations/exchange/dh_exch.c | 2 +-
.../implementations/include/prov/implementations.h | 4 +-
.../providers/implementations/keymgmt/ecx_kmgmt.c | 46 +-
.../implementations/keymgmt/ml_kem_kmgmt.c | 8 +-
.../providers/implementations/keymgmt/mlx_kmgmt.c | 13 +-
.../providers/implementations/macs/poly1305_prov.c | 8 +-
.../providers/implementations/signature/rsa_sig.c | 21 +-
.../implementations/signature/slh_dsa_sig.c | 7 +-
crypto/openssl/ssl/quic/quic_ackm.c | 4 +-
crypto/openssl/ssl/quic/quic_cfq.c | 2 +-
crypto/openssl/ssl/quic/quic_channel.c | 18 +-
crypto/openssl/ssl/quic/quic_channel_local.h | 4 +
crypto/openssl/ssl/quic/quic_fifd.c | 2 +-
crypto/openssl/ssl/quic/quic_impl.c | 20 +-
crypto/openssl/ssl/quic/quic_port.c | 36 +-
crypto/openssl/ssl/quic/quic_record_rx.c | 10 +-
crypto/openssl/ssl/quic/quic_record_shared.c | 103 +-
crypto/openssl/ssl/quic/quic_record_tx.c | 62 +-
crypto/openssl/ssl/quic/quic_rx_depack.c | 12 +
crypto/openssl/ssl/quic/quic_stream_map.c | 7 +
crypto/openssl/ssl/quic/quic_txp.c | 2 +-
crypto/openssl/ssl/quic/uint_set.c | 1 +
crypto/openssl/ssl/record/methods/ktls_meth.c | 22 +-
crypto/openssl/ssl/record/methods/tls_common.c | 26 +-
crypto/openssl/ssl/ssl_ciph.c | 6 +-
crypto/openssl/ssl/ssl_rsa.c | 6 +-
crypto/openssl/ssl/statem/extensions_cust.c | 5 +-
crypto/openssl/ssl/statem/extensions_srvr.c | 17 +-
crypto/openssl/ssl/statem/statem.c | 28 +-
crypto/openssl/ssl/statem/statem_clnt.c | 8 +-
crypto/openssl/ssl/statem/statem_lib.c | 40 +-
crypto/openssl/ssl/statem/statem_srvr.c | 15 +-
crypto/openssl/ssl/t1_lib.c | 35 +-
crypto/openssl/ssl/t1_trce.c | 43 +-
crypto/openssl/test/asn1_decode_test.c | 32 +-
crypto/openssl/test/bad_dtls_test.c | 193 +-
crypto/openssl/test/bio_tfo_test.c | 16 +-
crypto/openssl/test/build.info | 7 +
crypto/openssl/test/chacha_internal_test.c | 82 +-
crypto/openssl/test/cipherlist_test.c | 57 +-
.../openssl/test/cms-msg/make_missing_kdf_der.py | 137 +
crypto/openssl/test/cms-msg/missing-kdf.der | Bin 0 -> 190 bytes
crypto/openssl/test/cmsapitest.c | 188 +
crypto/openssl/test/destest.c | 118 +-
crypto/openssl/test/dsatest.c | 188 +-
crypto/openssl/test/ectest.c | 511 +-
crypto/openssl/test/endecode_test.c | 35 +-
crypto/openssl/test/enginetest.c | 13 +-
crypto/openssl/test/evp_extra_test.c | 451 +-
crypto/openssl/test/evp_extra_test2.c | 2438 +----
crypto/openssl/test/evp_kdf_test.c | 420 +-
crypto/openssl/test/evp_libctx_test.c | 180 +-
crypto/openssl/test/evp_pkey_provided_test.c | 81 +-
crypto/openssl/test/evp_skey_test.c | 20 +-
crypto/openssl/test/helpers/predefined_dhparams.c | 525 +-
crypto/openssl/test/hpke_test.c | 146 +-
crypto/openssl/test/http_test.c | 62 +
crypto/openssl/test/ideatest.c | 20 +-
crypto/openssl/test/ml_kem_evp_extra_test.c | 77 +-
crypto/openssl/test/param_build_test.c | 12 +-
crypto/openssl/test/pbetest.c | 101 +-
crypto/openssl/test/pkcs12_format_test.c | 3105 +-----
crypto/openssl/test/quic_record_test.c | 9871 +++-----------------
crypto/openssl/test/quic_txp_test.c | 20 +-
crypto/openssl/test/quic_wire_test.c | 18 +-
crypto/openssl/test/quicapitest.c | 150 +
crypto/openssl/test/radix/quic_tests.c | 193 +-
crypto/openssl/test/radix/terp.c | 4 +-
crypto/openssl/test/recipes/70-test_tls13ticket.t | 26 +
crypto/openssl/test/recipes/80-test_cms.t | 38 +-
crypto/openssl/test/siphash_internal_test.c | 1922 +---
.../test/smime-eml/pkcs7-empty-digest-set.eml | 45 +
crypto/openssl/test/sslapitest.c | 452 +-
crypto/openssl/test/stack_test.c | 64 +-
crypto/openssl/test/threadstest.c | 11 +-
crypto/openssl/test/tls13tickettest.c | 157 +
crypto/openssl/test/x509_test.c | 18 +-
crypto/openssl/util/missingcrypto.txt | 4 -
crypto/openssl/util/missingcrypto111.txt | 4 -
202 files changed, 7952 insertions(+), 35616 deletions(-)
diff --cc crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl
index 27233d03af7b,372778e424e7..372778e424e7
mode 100755,100644..100755
--- a/crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl
+++ b/crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl
diff --cc crypto/openssl/test/cms-msg/make_missing_kdf_der.py
index 000000000000,5b3fc0f6eeda..5b3fc0f6eeda
mode 000000,100755..100755
--- a/crypto/openssl/test/cms-msg/make_missing_kdf_der.py
+++ b/crypto/openssl/test/cms-msg/make_missing_kdf_der.py
diff --cc crypto/openssl/test/cms-msg/missing-kdf.der
index 000000000000,3db602e47c23..3db602e47c23
mode 000000,100644..100644
Binary files differ
diff --cc crypto/openssl/test/recipes/70-test_tls13ticket.t
index 000000000000,0fb782bd0d84..0fb782bd0d84
mode 000000,100644..100644
--- a/crypto/openssl/test/recipes/70-test_tls13ticket.t
+++ b/crypto/openssl/test/recipes/70-test_tls13ticket.t
diff --cc crypto/openssl/test/smime-eml/pkcs7-empty-digest-set.eml
index 000000000000,a6db2c38adfa..a6db2c38adfa
mode 000000,100644..100644
--- a/crypto/openssl/test/smime-eml/pkcs7-empty-digest-set.eml
+++ b/crypto/openssl/test/smime-eml/pkcs7-empty-digest-set.eml
diff --cc crypto/openssl/test/tls13tickettest.c
index 000000000000,9470f4169633..9470f4169633
mode 000000,100644..100644
--- a/crypto/openssl/test/tls13tickettest.c
+++ b/crypto/openssl/test/tls13tickettest.c