Dev news

Commit b238d36c50 for openssl.org

commit b238d36c50a177eb8d5fb384e51fe03c9e81001a
Author: Milan Broz <gmazyland@gmail.com>
Date:   Tue Mar 24 14:50:21 2026 +0100

    Fix certificate read from stdin on Windows

    On Windows, reading certificate from stdin could fail like

        > type cert.der| openssl.exe x509 -inform DER -outform PEM
        Could not find or decode certificate from <stdin>

    The decoder already tries to insert BIO_f_readbuffer
    in this case, unfortunately it depends on undefined behavior
    of ftell() on Windows.

    Fix it by adding check for non-seekable input case
    to BIO file control.

    Note, the added testcase tests binary input certificate,
    but does not trigger this issue explicitly.

    Fixes: https://github.com/openssl/openssl/issues/19508
    Signed-off-by: Milan Broz <gmazyland@gmail.com>

    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Tue Mar 31 01:38:21 2026
    (Merged from https://github.com/openssl/openssl/pull/30559)

diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 75f163148e..963d9dad79 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -218,8 +218,19 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_INFO:
         if (b->flags & BIO_FLAGS_UPLINK_INTERNAL)
             ret = UP_ftell(b->ptr);
-        else
+        else {
+#if defined(OPENSSL_SYS_WINDOWS)
+            /*
+             * On Windows, for non-seekable files (stdin), ftell() is undefined.
+             */
+            if (GetFileType((HANDLE)_get_osfhandle(_fileno(fp))) != FILE_TYPE_DISK)
+                ret = -1;
+            else
+                ret = ftell(fp);
+#else
             ret = ftell(fp);
+#endif
+        }
         break;
     case BIO_C_SET_FILE_PTR:
         file_free(b);
diff --git a/test/recipes/61-test_bio_readbuffer.t b/test/recipes/61-test_bio_readbuffer.t
index e10ab746ae..72027f722f 100644
--- a/test/recipes/61-test_bio_readbuffer.t
+++ b/test/recipes/61-test_bio_readbuffer.t
@@ -16,7 +16,7 @@ setup('test_bio_readbuffer');
 my $pemfile = srctop_file("test", "certs", "leaf.pem");
 my $derfile = 'readbuffer_leaf.der';

-plan tests => 3;
+plan tests => 4;

 ok(run(app([ 'openssl', 'x509', '-inform', 'PEM', '-in', $pemfile,
              '-outform', 'DER', '-out', $derfile])),
@@ -27,3 +27,7 @@ ok(run(test(["bio_readbuffer_test", $derfile])),

 ok(run(test(["bio_readbuffer_test", $pemfile])),
    "Running bio_readbuffer_test $pemfile");
+
+ok(run(app([ 'openssl', 'x509', '-inform', 'DER', '-outform', 'PEM',
+             '-noout' ], stdin => $derfile)),
+   "Test stdin read buffer in openssl app");