src/crypto/openssl/providers/implementations/encode_decode, branch main FreeBSD source tree openssl: import 3.5.5 2026-01-31T22:00:39+00:00 Enji Cooper ngie@FreeBSD.org 2026-01-31T22:00:39+00:00 f25b8c9fb4f58cf61adb47d7570abe7caa6d385d This change adds OpenSSL 3.5.5 from upstream [1]. The 3.5.5 artifact was been verified via PGP key [2] and by SHA256 checksum [3]. This is a security release, but also contains several bugfixes. All of the CVE-worthy issues have already been addressed on the target branch(es), so the net-result is that this is a bugfix release. More information about the release (from a high level) can be found in the release notes [4]. MFC after: 1 week 1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz 2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc 3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256 4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8' 
This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact was been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of
the CVE-worthy issues have already been addressed on the target
branch(es), so the net-result is that this is a bugfix release.

More information about the release (from a high level) can be found in
the release notes [4].

MFC after:	1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8'
crypto/openssl: update component to 3.5.3 2025-09-22T22:31:10+00:00 Enji Cooper ngie@FreeBSD.org 2025-09-22T22:31:10+00:00 88b8b7f0c4e9948667a2279e78e975a784049cba This change updates the sources for crypto/openssl. The subsequent commit will update the build artifacts to match the 3.5.3 release. More details about the update can be found in the related vendor branch commits. MFC after: 1 week Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572' 
This change updates the sources for crypto/openssl. The subsequent
commit will update the build artifacts to match the 3.5.3 release.

More details about the update can be found in the related vendor branch
commits.

MFC after:	1 week
Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'
Merge commit '1095efe41feed8ea5a6fe5ca123c347ae0914801' 2025-08-07T13:50:32+00:00 Pierre Pronchery khorben@FreeBSD.org 2025-08-07T13:50:32+00:00 e7be843b4a162e68651d3911f0357ed464915629 Approved by: philip (mentor) Sponsored by: Alpha-Omega Beach Cleaning Project Sponsored by: The FreeBSD Foundation 
Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
openssl: Import OpenSSL 3.0.16 2025-03-14T06:40:59+00:00 Enji Cooper ngie@FreeBSD.org 2025-03-14T06:40:59+00:00 0d0c8621fd181e507f0fb50ffcca606faf66a8c2 This release incorporates the following bug fixes and mitigations: - [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 - [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143) Release notes can be found at: https://openssl-library.org/news/openssl-3.0-notes/index.html MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49296 
This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49296
openssl: Import OpenSSL 3.0.15. 2024-09-08T04:31:22+00:00 Enji Cooper ngie@FreeBSD.org 2024-09-08T04:30:17+00:00 a7148ab39c03abd4d1a84997c70bf96f15dd2a09 This release incorporates the following bug fixes and mitigations: - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119]) - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535]) Release notes can be found at: https://openssl-library.org/news/openssl-3.0-notes/index.html Co-authored-by: gordon MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D46602 Merge commit '108164cf95d9594884c2dcccba2691335e6f221b' 
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by:	gordon
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
OpenSSL: Vendor import of OpenSSL 3.0.13 2024-02-02T21:21:36+00:00 Cy Schubert cy@FreeBSD.org 2024-02-02T21:10:22+00:00 e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727]) * Fixed Excessive time spent checking invalid RSA public keys ([CVE-2023-6237]) * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129]) * Fix excessive time spent in DH check / generation with large Q parameter value ([CVE-2023-5678]) Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html. Approved by: emaste MFC after: 3 days Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a' 
 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
 * Fixed Excessive time spent checking invalid RSA public keys
   ([CVE-2023-6237])
 * Fixed POLY1305 MAC implementation corrupting vector registers on
   PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
 * Fix excessive time spent in DH check / generation with large Q
   parameter value ([CVE-2023-5678])

Release notes can be found at
            https://www.openssl.org/news/openssl-3.0-notes.html.

Approved by:	emaste
MFC after:	3 days

Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
OpenSSL: update to 3.0.12 2023-10-24T18:55:56+00:00 Ed Maste emaste@FreeBSD.org 2023-10-24T18:55:56+00:00 ad991e4c142ebabad7aef488ad97b189ecabb270 OpenSSL 3.0.12 addresses: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length ([CVE-2023-5363]). Relnotes: Yes Sponsored by: The FreeBSD Foundation 
OpenSSL 3.0.12 addresses:

 * Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
OpenSSL: update to 3.0.11 2023-10-09T19:00:26+00:00 Pierre Pronchery pierre@freebsdfoundation.org 2023-10-09T19:00:25+00:00 6f1af0d7d2af54b339b5212434cd6d4fda628d80 OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/852 Sponsored by: The FreeBSD Foundation 
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/852
Sponsored by:	The FreeBSD Foundation
Merge OpenSSL 3.0.9 2023-06-23T22:53:36+00:00 Pierre Pronchery pierre@freebsdfoundation.org 2023-06-23T22:53:35+00:00 b077aed33b7b6aefca7b17ddb250cf521f938613 Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation 
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0.  For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1.  The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit.  Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR:		271615
PR:		271656 [exp-run]
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation