Merge b35a39f53d into 296f1f6dd8

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28113)

.github/CODEOWNERS

@@ -0,0 +1 @@
+/.github/workflows/ @quarckster

.github/workflows/build_quic_interop_container.yml

@@ -1,4 +1,4 @@
-name: "Build openssl interop container from master"
+name: "Build openssl interop containers"
 
 on:
   schedule:
@@ -24,3 +24,24 @@ jobs:
         run: |
           docker push quay.io/openssl-ci/openssl-quic-interop:latest
 
+  update_msquic_quay_container:
+    if: github.repository == 'openssl/openssl'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: microsoft/msquic
+          ref: main
+          submodules: recursive
+      - name: "log in to quay.io"
+        run: |
+          docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
+      - name: Patch qns.Dockerfile
+        run: |
+          sed 's/RUN     cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on ../RUN     cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl ../' ./scripts/qns.Dockerfile
+      - name: "Build container"
+        run: |
+          docker build -f ./scripts/qns.Dockerfile -t quay.io/openssl-ci/msquic-openssl:latest .
+      - name: "Push to quay"
+        run: |
+          docker push quay.io/openssl-ci/msquic-openssl:latest

.github/workflows/ci.yml

@@ -156,7 +156,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: config
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
@@ -165,21 +165,21 @@ jobs:
           sudo pkg install -y gcc perl5
           ./config --strict-warnings enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
     - name: config dump
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
         shutdown_vm: false
         run: ./configdata.pm --dump
     - name: make
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
         shutdown_vm: false
         run: make -j4
     - name: make test
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
@@ -630,7 +630,7 @@ jobs:
         sudo apt-get update
         sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy gdb libtls-dev
     - name: install cpanm and Test2::V0 for gost_engine testing
-      uses: perl-actions/install-with-cpanm@stable
+      uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1.7
       with:
         install: Test2::V0
     - name: setup hostname workaround
@@ -639,7 +639,7 @@ jobs:
       run: ./config --strict-warnings --banner=Configured --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
-    - uses: dtolnay/rust-toolchain@stable
+    - uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4
     - name: get cpu info
       run: |
         cat /proc/cpuinfo
@@ -728,9 +728,9 @@ jobs:
       uses: actions/setup-python@v5.3.0
       with:
         python-version: ${{ matrix.PYTHON }}
-    - uses: dtolnay/rust-toolchain@stable
+    - uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4
       with:
-        toolchain: stable 
+        toolchain: stable
     - name: get cpu info
       run: |
         cat /proc/cpuinfo

.github/workflows/coveralls.yml

@@ -93,7 +93,7 @@ jobs:
         sudo apt-get -yq install lcov
         sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
     - name: install Test2::V0 for gost_engine testing
-      uses: perl-actions/install-with-cpanm@stable
+      uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d #v1.7
       with:
         install: Test2::V0
     - name: setup hostname workaround
@@ -119,7 +119,7 @@ jobs:
              --branch-coverage
               -o ./lcov.info
     - name: Coveralls upload
-      uses: coverallsapp/github-action@v2.3.2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b #v2.3.6
       with:
         github-token: ${{ secrets.github_token }}
         git-branch: ${{ matrix.branches.branch }}

.github/workflows/os-zoo.yml

@@ -56,19 +56,21 @@ jobs:
       fail-fast: false
       matrix:
         zoo:
-          - image: docker.io/library/debian:10
-            install: apt-get update && apt-get install -y gcc make perl
           - image: docker.io/library/debian:11
             install: apt-get update && apt-get install -y gcc make perl
           - image: docker.io/library/debian:12
             install: apt-get update && apt-get install -y gcc make perl
+          - image: docker.io/library/debian:trixie
+            install: apt-get update && apt-get install -y gcc make perl
           - image: docker.io/library/ubuntu:20.04
             install: apt-get update && apt-get install -y gcc make perl
           - image: docker.io/library/ubuntu:22.04
             install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/fedora:38
+          - image: docker.io/library/ubuntu:24.04
+            install: apt-get update && apt-get install -y gcc make perl
+          - image: docker.io/library/fedora:41
             install: dnf install -y gcc make perl-core
-          - image: docker.io/library/fedora:39
+          - image: docker.io/library/fedora:42
             install: dnf install -y gcc make perl-core
           - image: docker.io/library/centos:8
             install: |
@@ -125,13 +127,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [windows-2022, windows-2025]
-    runs-on: ${{ matrix.os }}
+        platform:
+          - os: windows-2022
+            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
+          - os: windows-2025
+            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
+    runs-on: ${{ matrix.platform.os }}
     steps:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
     - name: install nasm
       run: |
         choco install nasm
@@ -140,18 +145,21 @@ jobs:
       run: mkdir _build
     - name: config
       working-directory: _build
-      run: perl ..\Configure --banner=Configured --strict-warnings no-makedepend enable-fips
-    - name: config dump
-      working-directory: _build
-      run: ./configdata.pm --dump
+      shell: cmd
+      run: |
+        call "${{ matrix.platform.vcvars }}"
+        perl ..\Configure --banner=Configured --strict-warnings no-makedepend enable-fips
+        perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake /S
+      shell: cmd
+      run: |
+        call "${{ matrix.platform.vcvars }}"
+        nmake /S
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: get cpu info
       working-directory: _build
       run: |
@@ -160,7 +168,10 @@ jobs:
         apps/openssl.exe version -c
     - name: test
       working-directory: _build
-      run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
+      shell: cmd
+      run: |
+        call "${{ matrix.platform.vcvars }}"
+        nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
 
   linux-arm64:
     runs-on: linux-arm64
@@ -237,7 +248,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: config
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
@@ -246,21 +257,21 @@ jobs:
           sudo pkg install -y gcc perl5
           ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
     - name: config dump
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
         shutdown_vm: false
         run: ./configdata.pm --dump
     - name: make
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"
         shutdown_vm: false
         run: make -j4
     - name: make test
-      uses: cross-platform-actions/action@v0.26.0
+      uses: cross-platform-actions/action@fe0167d8082ac584754ef3ffb567fded22642c7d #v0.27.0
       with:
         operating_system: freebsd
         version: "13.4"

.github/workflows/perl-minimal-checker.yml

@@ -0,0 +1,51 @@
+# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# Jobs run per pull request submission
+name: Perl-minimal-checker CI
+on: [pull_request, push]
+permissions:
+  contents: read
+
+jobs:
+  perl-minimal-checker:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install perl 5.10
+      run: |
+        pushd /tmp
+        mkdir perl
+        wget https://www.cpan.org/src/5.0/perl-5.10.1.tar.bz2
+        tar xf perl-5.10.1.tar.bz2
+        cd perl-5.10.1
+        ./Configure -des -Dprefix=/tmp/perl -A ccflags='-Wno-incompatible-pointer-types' -A define:malloctype='void *' -A define:freetype='void' -Dlibs='-ldl -lm -lutil -lc'
+        make -j $(nproc) perl
+        make install
+        popd
+    - name: Install Test::More 0.96
+      run: |
+        pushd /tmp
+        wget https://cpan.metacpan.org/authors/id/M/MS/MSCHWERN/Test-Simple-0.96.tar.gz
+        tar xf Test-Simple-0.96.tar.gz
+        cd Test-Simple-0.96
+        PATH="/tmp/perl/bin:$PATH"
+        perl Makefile.PL
+        make -j$(nproc) && make install
+        perl -MTest::More -e 'print "$Test::More::VERSION\n"'
+        popd
+    - uses: actions/checkout@v4
+    - name: Build openssl
+      run: ./config && make -j $(nproc)
+    - name: Install sed
+      run: sudo apt update && sudo apt install sed
+    - name: Check minimal version compliance
+      run: |
+        PM_FILES=($(find . -name "*.pm"))
+        perl -v
+        status=0
+        for p in "${PM_FILES[@]}"; do perl -I"$(pwd)/util/perl" -I"$(pwd)" -I"$(pwd)/external/perl/Text-Template-1.56/lib" -c "$p" | sed -n '/@INC/{p; q1}' || status=1; done;
+        exit $status

.github/workflows/run-checker-ci.yml

@@ -32,7 +32,7 @@ jobs:
           no-http,
           no-legacy,
           no-sock,
-          no-ssl-trace,
+          no-sm2,
           no-stdio,
           no-threads,
           no-thread-pool,

.github/workflows/run-checker-daily.yml

@@ -102,13 +102,13 @@ jobs:
           no-shared,
           no-siphash,
           no-siv,
-          no-sm2,
           no-sm2-precomp,
           no-sm3,
           no-sm4,
           no-sock,
           no-sse2,
           no-ssl,
+          no-ssl-trace,
           enable-ssl3,
           enable-ssl3-method,
           enable-sslkeylog,

.github/workflows/run_quic_interop.yml

@@ -2,7 +2,7 @@ name: "Run openssl quic interop testing"
 
 on:
   workflow_run:
-    workflows: ["Build openssl interop container from master"]
+    workflows: ["Build openssl interop containers"]
     types: [completed]
   workflow_dispatch:
 
@@ -11,10 +11,12 @@ jobs:
     strategy:
       matrix:
         tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
-        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
+        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy, msquic-openssl]
         exclude:
           - servers: msquic
             tests: retry
+          - servers: msquic-openssl
+            tests: retry
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
@@ -36,10 +38,15 @@ jobs:
           for i in {1..3}; do sudo apt-get install -y tshark && break; sleep 10; done
       - name: Patch implementations file
         run: |
-          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
-                         , url: "https://github.com/openssl/openssl"
-                         , role: "both"
-                         }' ./implementations.json > ./implementations.tmp
+          jq '. + {
+            "openssl": { image: "quay.io/openssl-ci/openssl-quic-interop"
+                       , url: "https://github.com/openssl/openssl"
+                       , role: "both"
+                       },
+            "msquic-openssl": { image: "quay.io/openssl-ci/msquic-openssl"
+                              , url: "https://github.com/microsoft/msquic"
+                              , role: "both"
+                              }}' ./implementations.json > ./implementations.tmp
           mv ./implementations.tmp implementations.json
       - name: "Update to docker-compose 2.36 and docker engine 28.1.1"
         run: |
@@ -69,7 +76,7 @@ jobs:
     strategy:
       matrix:
         tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
-        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome]
+        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome, msquic-openssl]
         exclude:
           - clients: mvfst
             tests: amplificationlimit
@@ -94,10 +101,15 @@ jobs:
           for i in {1..3}; do sudo apt-get install -y tshark && break; done
       - name: Patch implementations file
         run: |
-          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
-                         , url: "https://github.com/openssl/openssl"
-                         , role: "both"
-                         }' ./implementations.json > ./implementations.tmp
+          jq '. + {
+            "openssl": { image: "quay.io/openssl-ci/openssl-quic-interop"
+                       , url: "https://github.com/openssl/openssl"
+                       , role: "both"
+                       },
+            "msquic-openssl": { image: "quay.io/openssl-ci/msquic-openssl"
+                              , url: "https://github.com/microsoft/msquic"
+                              , role: "both"
+                              }}' ./implementations.json > ./implementations.tmp
           mv ./implementations.tmp implementations.json
       - name: "Update to docker-compose 2.36 and docker engine 28.1.1"
         run: |

.github/workflows/windows.yml

@@ -18,42 +18,46 @@ jobs:
     strategy:
       matrix:
         platform:
-          - arch: win64
+          - arch: amd64
             os: windows-2022
             config: enable-lms enable-fips
-          - arch: win64
+            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
+          - arch: amd64
             os: windows-2025
             config: enable-lms enable-fips no-thread-pool no-quic
-          - arch: win32
-            os: windows-2025
-            config: --strict-warnings enable-lms no-fips
+            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
+          - arch: x86
+            os: windows-2022
+            config: --strict-warnings no-fips enable-lms
+            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars32.bat
     runs-on: ${{ matrix.platform.os }}
     steps:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
-      with:
-        arch: ${{ matrix.platform.arch }}
     - name: install nasm
       run: |
-        choco install nasm ${{ matrix.platform.arch == 'win32' && '--x86' || '' }}
-        "C:\Program Files${{ matrix.platform.arch == 'win32' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+        choco install nasm ${{ matrix.platform.arch == 'x86' && '--x86' || '' }}
+        "C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
     - name: prepare the build directory
       run: mkdir _build
     - name: config
       working-directory: _build
+      shell: cmd
       run: |
+        call "${{ matrix.platform.vcvars }}"
         perl ..\Configure --banner=Configured --strict-warnings no-makedepend -DOSSL_WINCTX=openssl ${{ matrix.platform.config }}
         perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake /S
+      shell: cmd
+      run: |
+        call "${{ matrix.platform.vcvars }}"
+        nmake /S
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: Gather openssl version info
       working-directory: _build
       run: |
@@ -81,40 +85,45 @@ jobs:
       run: perl ../util/checkplatformsyms.pl ../util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll
     - name: test
       working-directory: _build
-      run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
+      shell: cmd
+      run: |
+        call "${{ matrix.platform.vcvars }}"
+        nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
     - name: install
       # Run on 64 bit only as 32 bit is slow enough already
-      if: ${{ matrix.platform.arch == 'win64' }}
+      if: ${{ matrix.platform.arch == 'amd64' }}
+      working-directory: _build
+      shell: cmd
       run: |
+        call "${{ matrix.platform.vcvars }}"
         mkdir _dest
         nmake install DESTDIR=_dest
-      working-directory: _build
+
   plain:
-    strategy:
-      matrix:
-        os:
-          - windows-2022
-    runs-on: ${{ matrix.os }}
+    runs-on: windows-2022
     steps:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
     - name: prepare the build directory
       run: mkdir _build
     - name: config
       working-directory: _build
+      shell: cmd
       run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         perl ..\Configure --banner=Configured --strict-warnings enable-demos no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug -DOSSL_WINCTX=openssl VC-WIN64A-masm
         perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake /S
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake /S
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: get cpu info
       working-directory: _build
       continue-on-error: true
@@ -124,33 +133,36 @@ jobs:
         ./apps/openssl.exe version -c
     - name: test
       working-directory: _build
-      run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
+
   minimal:
-    strategy:
-      matrix:
-        os:
-          - windows-2022
-    runs-on: ${{ matrix.os }}
+    runs-on: windows-2022
     steps:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
     - name: prepare the build directory
       run: mkdir _build
     - name: config
       working-directory: _build
+      shell: cmd
       run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         perl ..\Configure --banner=Configured --strict-warnings enable-demos no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT -DOSSL_WINCTX=openssl
         perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake # verbose, so no /S here
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: get cpu info
       working-directory: _build
       continue-on-error: true
@@ -160,7 +172,11 @@ jobs:
         ./apps/openssl.exe version -c
     - name: test
       working-directory: _build
-      run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
+
   cygwin:
     # Run a job for each of the specified target architectures:
     strategy:
@@ -182,7 +198,7 @@ jobs:
     steps:
 # Checkout before cygwin can mess with PATH...
     - uses: actions/checkout@v4
-    - uses: cygwin/cygwin-install-action@master
+    - uses: cygwin/cygwin-install-action@f61179d72284ceddc397ed07ddb444d82bf9e559 #v5
       with:
          packages: perl git make gcc-core
     - name: Check repo

.github/workflows/windows_comp.yml

@@ -26,7 +26,6 @@ jobs:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
     - name: install nasm
       run: |
         choco install nasm
@@ -34,21 +33,25 @@ jobs:
     - name: prepare the build directory
       run: mkdir _build
     - name: Get zstd
-      working-directory: _build
       run: |
         vcpkg install zstd:x64-windows
+        "C:\vcpkg\packages\zstd_x64-windows\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append
     - name: config
       working-directory: _build
+      shell: cmd
       run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         perl ..\Configure --strict-warnings enable-comp enable-zstd --with-zstd-include=C:\vcpkg\packages\zstd_x64-windows\include --with-zstd-lib=C:\vcpkg\packages\zstd_x64-windows\lib\zstd.lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
         perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake
     - name: Gather openssl version info
       working-directory: _build
       run: |
-        $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin"
         apps/openssl.exe version -v
         apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
         apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
@@ -62,15 +65,13 @@ jobs:
         reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
         reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: get cpu info
       working-directory: _build
       continue-on-error: true
       run: |
-        $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin"
         7z.exe x coreinfo/Coreinfo.zip
         ./Coreinfo64.exe -accepteula -f
         ./apps/openssl.exe version -c
@@ -79,16 +80,17 @@ jobs:
         perl ./util/checkplatformsyms.pl ./util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll
     - name: test
       working-directory: _build
+      shell: cmd
       run: |
-        $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin"
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4
+
   brotli:
     runs-on: windows-latest
     steps:
     - uses: actions/checkout@v4
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
-    - uses: ilammy/msvc-dev-cmd@v1
     - name: install nasm
       run: |
         choco install nasm
@@ -96,21 +98,25 @@ jobs:
     - name: prepare the build directory
       run: mkdir _build
     - name: Get brotli
-      working-directory: _build
       run: |
         vcpkg install brotli:x64-windows
+        "C:\vcpkg\packages\brotli_x64-windows\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append
     - name: config
       working-directory: _build
+      shell: cmd
       run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         perl ..\Configure --strict-warnings enable-comp enable-brotli --with-brotli-include=C:\vcpkg\packages\brotli_x64-windows\include --with-brotli-lib=C:\vcpkg\packages\brotli_x64-windows\lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
         perl configdata.pm --dump
     - name: build
       working-directory: _build
-      run: nmake
+      shell: cmd
+      run: |
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
+        nmake
     - name: Gather openssl version info
       working-directory: _build
       run: |
-        $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin"
         apps/openssl.exe version -v
         apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
         apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
@@ -124,20 +130,19 @@ jobs:
         reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
         reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
     - name: download coreinfo
-      uses: suisei-cn/actions-download-file@v1.6.0
-      with:
-        url: "https://download.sysinternals.com/files/Coreinfo.zip"
-        target: _build/coreinfo/
+      run: |
+        mkdir _build\coreinfo
+        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
     - name: get cpu info
       working-directory: _build
       continue-on-error: true
       run: |
-        $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin"
         7z.exe x coreinfo/Coreinfo.zip
         ./Coreinfo64.exe -accepteula -f
         ./apps/openssl.exe version -c
     - name: test
       working-directory: _build
+      shell: cmd
       run: |
-        $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin"
+        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
         nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4

.gitignore

@@ -75,6 +75,7 @@ providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
 providers/common/der/der_ml_dsa_gen.c
+providers/common/der/der_hkdf_gen.c
 providers/common/include/prov/der_slh_dsa.h
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
@@ -84,6 +85,7 @@ providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
 providers/common/include/prov/der_ml_dsa.h
+providers/common/include/prov/der_hkdf.h
 providers/implementations/keymgmt/ml_dsa_kmgmt.c
 providers/implementations/keymgmt/ml_kem_kmgmt.c
 providers/implementations/keymgmt/mlx_kmgmt.c

CHANGES.md

@@ -127,6 +127,29 @@ OpenSSL 3.6
 
    *Daniel Van Geest (CryptoNext Security)*
 
+ * Added Intel AVX-512 and VAES optimizations for AES-CFB128 algorithms.
+   Encryption performance on large buffers improved by 1.5-1.7x,
+   while decryption speed increased by 20-23x.
+
+   *Adrian Stanciu*
+
+ * Added support for TLS 1.3 OCSP multi-stapling for server certs.
+     * new `s_client` options:
+       * `-ocsp_check_leaf`: Checks the status of the leaf (server) certificate.
+       * `-ocsp_check_all`: Checks the status of all certificates in the server chain.
+     * new `s_server` option:
+       * `-status_all` Provides OCSP status information for the entire server certificate chain (multi-stapling) for TLS 1.3 and later.
+
+     * Improved `-status_file` option can now be given multiple times to provide
+       multiple files containing OCSP responses.
+
+   *Michael Krueger, Martin Rauch*
+
+ * Added KEMRecipientInfo (RFC 9629) and ML-KEM (draft-ietf-lamps-cms-kyber)
+   support to CMS.
+
+   *Daniel Van Geest (CryptoNext Security)*
+
 OpenSSL 3.5
 -----------
 

Configurations/unix-Makefile.tmpl

@@ -1180,7 +1180,7 @@ generate_buildinfo: generate_doc_buildinfo
 
 .PHONY: doc-nits md-nits
 doc-nits: build_generated_pods ## Evaluate OpenSSL documentation
-	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e -i
+	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e -i -a
 
 # This uses "mdl", the markdownlint application, which is written in ruby.
 # The source is at https://github.com/markdownlint/markdownlint

apps/cms.c

@@ -53,6 +53,7 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 static int verify_err = 0;
 
 typedef struct cms_key_param_st cms_key_param;
+typedef struct cms_recip_opt_st cms_recip_opt;
 
 struct cms_key_param_st {
     int idx;
@@ -60,6 +61,14 @@ struct cms_key_param_st {
     cms_key_param *next;
 };
 
+struct cms_recip_opt_st {
+    int idx;
+    const char *kdf;
+    unsigned char *ukm_data;
+    long ukm_data_length;
+    cms_recip_opt *next;
+};
+
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
@@ -85,7 +94,8 @@ typedef enum OPTION_choice {
     OPT_PROV_ENUM, OPT_CONFIG,
     OPT_V_ENUM,
     OPT_CIPHER, OPT_KEKCIPHER,
-    OPT_ORIGINATOR
+    OPT_ORIGINATOR,
+    OPT_RECIP_UKM, OPT_RECIP_KDF
 } OPTION_CHOICE;
 
 const OPTIONS cms_options[] = {
@@ -167,13 +177,15 @@ const OPTIONS cms_options[] = {
     {"kekcipher", OPT_KEKCIPHER, 's',
      "The key encryption algorithm to use"},
     {"wrap", OPT_WRAP, 's',
-     "Key wrap algorithm to use when encrypting with key agreement"},
+     "Key wrap algorithm to use when encrypting with key agreement or key encapsulation"},
     {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
     {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
     {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
     {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
     {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
      "Disable MMA protection, return error if no recipient found (see doc)"},
+    {"recip_kdf", OPT_RECIP_KDF, 's', "Set KEMRecipientInfo KDF for current recipient"},
+    {"recip_ukm", OPT_RECIP_UKM, 's', "KEMRecipientInfo user keying material for current recipient, in hex notation"},
 
     OPT_SECTION("Signing"),
     {"md", OPT_MD, 's', "Digest algorithm to use"},
@@ -281,6 +293,19 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
     return NULL;
 }
 
+static cms_recip_opt *alloc_recip_opt(int recipidx)
+{
+    cms_recip_opt *opt;
+
+    opt = app_malloc(sizeof(*opt), "recipient options buffer");
+    opt->idx = recipidx;
+    opt->next = NULL;
+    opt->kdf = NULL;
+    opt->ukm_data = NULL;
+    opt->ukm_data_length = 0;
+    return opt;
+}
+
 int cms_main(int argc, char **argv)
 {
     CONF *conf = NULL;
@@ -319,6 +344,8 @@ int cms_main(int argc, char **argv)
     size_t secret_keylen = 0, secret_keyidlen = 0;
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     unsigned char *secret_key = NULL, *secret_keyid = NULL;
+    cms_recip_opt *recip_first = NULL, *recip_opt = NULL;
+    int recipidx = -1;
     long ltmp;
     const char *mime_eol = "\n";
     OPTION_CHOICE o;
@@ -653,6 +680,46 @@ int cms_main(int argc, char **argv)
                 recipfile = opt_arg();
             }
             break;
+        case OPT_RECIP_KDF:
+        case OPT_RECIP_UKM:
+            recipidx = -1;
+            if (operation == SMIME_ENCRYPT) {
+                if (sk_X509_num(encerts) > 0)
+                    recipidx += sk_X509_num(encerts);
+            }
+            if (recipidx < 0) {
+                BIO_printf(bio_err, "No recipient specified\n");
+                goto opthelp;
+            }
+            if (recip_opt == NULL || recip_opt->idx != recipidx) {
+                cms_recip_opt *nopt;
+
+                nopt = alloc_recip_opt(recipidx);
+                if (recip_first == NULL)
+                    recip_first = nopt;
+                else
+                    recip_opt->next = nopt;
+                recip_opt = nopt;
+            }
+            if (o == OPT_RECIP_KDF) {
+                if (recip_opt->kdf != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_kdf for one -recip\n");
+                    goto end;
+                }
+                recip_opt->kdf = opt_arg();
+            } else {
+                if (recip_opt->ukm_data != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_ukm for one -recip\n");
+                    goto end;
+                }
+                recip_opt->ukm_data = OPENSSL_hexstr2buf(opt_arg(),
+                                                         &recip_opt->ukm_data_length);
+                if (recip_opt->ukm_data == NULL) {
+                    BIO_printf(bio_err, "Invalid hex value after -recip_ukm\n");
+                    goto end;
+                }
+            }
+            break;
         case OPT_CIPHER:
             ciphername = opt_unknown();
             break;
@@ -831,6 +898,9 @@ int cms_main(int argc, char **argv)
     if (operation != SMIME_ENCRYPT && *argv != NULL)
         BIO_printf(bio_err,
                    "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
+    if (operation != SMIME_ENCRYPT && recip_first != NULL)
+        BIO_printf(bio_err,
+                   "Warning: -recip_kdf and -recip_ukm parameters ignored for operation other than -encrypt\n");
 
     if ((flags & CMS_BINARY) != 0) {
         if (!(operation & SMIME_OP))
@@ -990,7 +1060,9 @@ int cms_main(int argc, char **argv)
             goto end;
         for (i = 0; i < sk_X509_num(encerts); i++) {
             CMS_RecipientInfo *ri;
+            int ri_type;
             cms_key_param *kparam;
+            cms_recip_opt *ropt;
             int tflags = flags | CMS_KEY_PARAM;
             /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
             EVP_PKEY_CTX *pctx;
@@ -998,14 +1070,19 @@ int cms_main(int argc, char **argv)
             int res;
 
             for (kparam = key_first; kparam; kparam = kparam->next) {
-                if (kparam->idx == i) {
+                if (kparam->idx == i)
+                    break;
+            }
+            for (ropt = recip_first; ropt; ropt = ropt->next) {
+                if (ropt->idx == i)
                     break;
-                }
             }
             ri = CMS_add1_recipient(cms, x, key, originator, tflags);
             if (ri == NULL)
                 goto end;
 
+            ri_type = CMS_RecipientInfo_type(ri);
+
             pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
             if (pctx != NULL && kparam != NULL) {
                 if (!cms_set_pkey_param(pctx, kparam->param))
@@ -1018,12 +1095,39 @@ int cms_main(int argc, char **argv)
             if (res <= 0 && res != -2)
                 goto end;
 
-            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
-                    && wrap_cipher != NULL) {
-                EVP_CIPHER_CTX *wctx;
-                wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-                if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
-                    goto end;
+            if (wrap_cipher != NULL) {
+                EVP_CIPHER_CTX *wctx = NULL;
+
+                if (ri_type == CMS_RECIPINFO_AGREE)
+                    wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+                else if (ri_type == CMS_RECIPINFO_KEM)
+                    wctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+                if (wctx != NULL) {
+                    if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
+                        goto end;
+                }
+            }
+
+            if (ropt != NULL && ri_type == CMS_RECIPINFO_KEM) {
+                if (ropt->ukm_data != NULL) {
+                    if (!CMS_RecipientInfo_kemri_set_ukm(ri, ropt->ukm_data,
+                                                         (int)ropt->ukm_data_length))
+                        goto end;
+                }
+                if (ropt->kdf != NULL) {
+                    X509_ALGOR *kdf_algo;
+                    ASN1_OBJECT *kdf_obj;
+
+                    kdf_algo = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+                    kdf_obj = OBJ_txt2obj(ropt->kdf, 0);
+                    if (kdf_obj == NULL) {
+                        BIO_printf(bio_err, "Unknown KDF %s\n", ropt->kdf);
+                        goto end;
+                    }
+                    /* Only works for OIDs without params */
+                    if (!X509_ALGOR_set0(kdf_algo, kdf_obj, V_ASN1_UNDEF, NULL))
+                        goto end;
+                }
             }
         }
 
@@ -1315,6 +1419,14 @@ int cms_main(int argc, char **argv)
         OPENSSL_free(key_param);
         key_param = tparam;
     }
+    for (recip_opt = recip_first; recip_opt != NULL;) {
+        cms_recip_opt *topt;
+
+        OPENSSL_free(recip_opt->ukm_data);
+        topt = recip_opt->next;
+        OPENSSL_free(recip_opt);
+        recip_opt = topt;
+    }
     X509_STORE_free(store);
     X509_free(cert);
     X509_free(recip);

apps/genpkey.c

@@ -374,17 +374,21 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
                  OSSL_LIB_CTX *libctx, const char *propq)
 {
     EVP_PKEY_CTX *ctx = NULL;
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     int pkey_id;
+#endif
 
     if (*pctx) {
         BIO_puts(bio_err, "Algorithm already set!\n");
         return 0;
     }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     pkey_id = get_legacy_pkey_id(libctx, algname, e);
     if (pkey_id != NID_undef)
         ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
     else
+#endif
         ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
 
     if (ctx == NULL)

apps/include/apps.h

@@ -184,7 +184,9 @@ int init_engine(ENGINE *e);
 int finish_engine(ENGINE *e);
 char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc);
 
+# ifndef OPENSSL_NO_DEPRECATED_3_6
 int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
+# endif
 const EVP_MD *get_digest_from_engine(const char *name);
 const EVP_CIPHER *get_cipher_from_engine(const char *name);
 

apps/lib/apps.c

@@ -3047,15 +3047,11 @@ BIO *dup_bio_out(int format)
 {
     BIO *b = BIO_new_fp(stdout,
                         BIO_NOCLOSE | (FMT_istext(format) ? BIO_FP_TEXT : 0));
-    void *prefix = NULL;
-    BIO *btmp;
-
-    if (b == NULL)
-        return NULL;
 
 #ifdef OPENSSL_SYS_VMS
-    if (FMT_istext(format)) {
-        btmp = BIO_new(BIO_f_linebuffer());
+    if (b != NULL && FMT_istext(format)) {
+        BIO *btmp = BIO_new(BIO_f_linebuffer());
+
         if (btmp == NULL) {
             BIO_free(b);
             return NULL;
@@ -3064,17 +3060,6 @@ BIO *dup_bio_out(int format)
     }
 #endif
 
-    if (FMT_istext(format)
-        && (prefix = getenv("HARNESS_OSSL_PREFIX")) != NULL) {
-        btmp = BIO_new(BIO_f_prefix());
-        if (btmp == NULL) {
-            BIO_free_all(b);
-            return NULL;
-        }
-        b = BIO_push(btmp, b);
-        BIO_set_prefix(b, prefix);
-    }
-
     return b;
 }
 

apps/lib/engine.c

@@ -135,6 +135,7 @@ char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
     return new_uri;
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_6
 int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
 {
     const EVP_PKEY_ASN1_METHOD *ameth;
@@ -163,6 +164,7 @@ int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
 
     return pkey_id;
 }
+#endif
 
 const EVP_MD *get_digest_from_engine(const char *name)
 {

apps/lib/s_cb.c

@@ -106,6 +106,10 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
         if (!verify_args.quiet)
             policies_print(ctx);
         break;
+    case X509_V_ERR_OCSP_NO_RESPONSE:
+        if (!verify_args.quiet)
+            BIO_printf(bio_err, "no OCSP response(s) for certificate(s) found.\n");
+        break;
     }
     if (err == X509_V_OK && ok == 2 && !verify_args.quiet)
         policies_print(ctx);
@@ -1547,12 +1551,9 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
                 if (pkey == NULL) {
                     BIO_printf(sdb->out, "Public key missing");
                 } else {
-                    const char *algname = "";
-
-                    EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
-                                            &algname, EVP_PKEY_get0_asn1(pkey));
                     BIO_printf(sdb->out, "%s, bits=%d",
-                            algname, EVP_PKEY_get_bits(pkey));
+                               EVP_PKEY_get0_type_name(pkey),
+                               EVP_PKEY_get_bits(pkey));
                 }
             }
             break;

apps/openssl.c

@@ -247,6 +247,10 @@ int main(int argc, char *argv[])
     int global_help = 0;
     int global_version = 0;
     int ret = 0;
+    char *sec_mem_char = NULL;
+#ifndef OPENSSL_NO_SECURE_MEMORY
+    char *sec_mem_minsize_char = NULL;
+#endif
 
     arg.argv = NULL;
     arg.size = 0;
@@ -267,6 +271,54 @@ int main(int argc, char *argv[])
     setup_trace(getenv("OPENSSL_TRACE"));
 #endif
 
+    sec_mem_char = getenv("OPENSSL_SEC_MEM");
+    if (sec_mem_char != NULL) {
+#ifndef OPENSSL_NO_SECURE_MEMORY
+        long sec_mem = 0;
+        long sec_mem_minsize = 0;
+        char *end = NULL;
+
+        errno = 0;
+        sec_mem = strtol(sec_mem_char, &end, 0);
+        if (errno != 0 || *end != 0 || end == sec_mem_char) {
+            BIO_printf(bio_err,
+                       "FATAL: could not convert OPENSSL_SEC_MEM (%s) to number\n",
+                       sec_mem_char);
+            ret = EXIT_FAILURE;
+            goto end;
+        }
+
+        /*
+         * Try to fetch the minsize if given, if not use the default value.
+         */
+        sec_mem_minsize_char = getenv("OPENSSL_SEC_MEM_MINSIZE");
+        if (sec_mem_minsize_char != NULL) {
+            errno = 0;
+            sec_mem_minsize = strtol(sec_mem_minsize_char, &end, 0);
+            if (errno != 0 || *end != 0 || end == sec_mem_minsize_char) {
+                BIO_printf(bio_err,
+                           "FATAL: could not convert OPENSSL_SEC_MEM_MINSIZE (%s) to number\n",
+                           sec_mem_minsize_char);
+                ret = 1;
+                goto end;
+            }
+        }
+
+        ret = CRYPTO_secure_malloc_init(sec_mem, sec_mem_minsize);
+        if (ret != 1) {
+            BIO_printf(bio_err,
+                       "FATAL: could not initialize secure memory\n");
+            ERR_print_errors(bio_err);
+            ret = 1;
+            goto end;
+        }
+#else
+        BIO_printf(bio_err,
+                   "FATAL: OPENSSL_SEC_MEM environment variable was set, but "
+                   "openssl was compiled without secure memory support.\n");
+#endif
+    }
+
     if ((fname = "apps_startup", !apps_startup())
             || (fname = "prog_init", (prog = prog_init()) == NULL)) {
         BIO_printf(bio_err,
@@ -322,6 +374,9 @@ int main(int argc, char *argv[])
     BIO_free_all(bio_out);
     apps_shutdown();
     BIO_free_all(bio_err);
+#ifndef OPENSSL_NO_SECURE_MEMORY
+    CRYPTO_secure_malloc_done();
+#endif
     EXIT(ret);
 }
 

apps/progs.pl

@@ -93,7 +93,6 @@ EOF
 
     my %cmd_disabler = (
         ciphers  => "sock",
-        genrsa   => "rsa",
         gendsa   => "dsa",
         dsaparam => "dsa",
         gendh    => "dh",
@@ -107,7 +106,7 @@ EOF
 #   [2] = preprocessor conditional for excluding irrespective of deprecation
 #        rsa      => [ "pkey",      "3_0", "rsa" ],
 #        genrsa   => [ "genpkey",   "3_0", "rsa" ],
-        rsautl   => [ "pkeyutl",   "3_0", "rsa" ],
+        rsautl   => [ "pkeyutl",   "3_0", "" ],
 #        dhparam  => [ "pkeyparam", "3_0", "dh"  ],
 #        dsaparam => [ "pkeyparam", "3_0", "dsa" ],
 #        dsa      => [ "pkey",      "3_0", "dsa" ],

apps/rand.c

@@ -199,7 +199,7 @@ int rand_main(int argc, char **argv)
         int chunk;
 
         chunk = scaled_num > buflen ? (int)buflen : (int)scaled_num;
-        r = RAND_bytes(buf, chunk);
+        r = RAND_bytes_ex(app_get0_libctx(), buf, chunk, 0);
         if (r <= 0)
             goto end;
         if (format != FORMAT_TEXT) {

apps/req.c

@@ -1608,6 +1608,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
         *pkeylen = EVP_PKEY_get_bits(param);
         EVP_PKEY_free(param);
     } else {
+#ifndef OPENSSL_NO_DEPRECATED_3_6
         if (keygen_engine != NULL) {
             int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype,
                                              keygen_engine);
@@ -1615,9 +1616,12 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
             if (pkey_id != NID_undef)
                 gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine);
         } else {
+#endif
             gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(),
                                               *pkeytype, app_get0_propq());
+#ifndef OPENSSL_NO_DEPRECATED_3_6
         }
+#endif
     }
 
     if (gctx == NULL) {

apps/s_client.c

@@ -110,9 +110,10 @@ static char *sess_out = NULL;
 static SSL_SESSION *psksess = NULL;
 
 static void print_stuff(BIO *berr, SSL *con, int full);
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg);
-#endif
+static void print_ocsp_response(BIO *bp, OCSP_RESPONSE *rsp);
+# endif
 static int ldap_ExtendedResponse_parse(const char *buf, long rem);
 static int is_dNS_name(const char *host);
 
@@ -483,7 +484,10 @@ typedef enum OPTION_choice {
     OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
     OPT_BRIEF, OPT_PREXIT, OPT_NO_INTERACTIVE, OPT_CRLF, OPT_QUIET, OPT_NBIO,
     OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
-    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
+    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_WDEBUG,
+# ifndef OPENSSL_NO_OCSP
+    OPT_STATUS, OPT_STATUS_OCSP_CHECK_LEAF, OPT_STATUS_OCSP_CHECK_ALL,
+# endif
     OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
     OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
     OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
@@ -625,6 +629,17 @@ const OPTIONS s_client_options[] = {
     {"no-interactive", OPT_NO_INTERACTIVE, '-',
      "Don't run the client in the interactive mode"},
 
+# ifndef OPENSSL_NO_OCSP
+    OPT_SECTION("OCSP stapling"),
+    {"status", OPT_STATUS, '-',
+     "Sends a certificate status request to the server (OCSP stapling) " \
+     "The server response (if any) will be printed out."},
+    {"ocsp_check_leaf", OPT_STATUS_OCSP_CHECK_LEAF, '-',
+     "Require checking leaf certificate status, attempting to use OCSP stapling first"},
+    {"ocsp_check_all", OPT_STATUS_OCSP_CHECK_ALL, '-',
+     "Require checking status of full chain, attempting to use OCSP stapling first"},
+# endif
+
     OPT_SECTION("Debug"),
     {"showcerts", OPT_SHOWCERTS, '-',
      "Show all certificates sent by the server"},
@@ -659,9 +674,6 @@ const OPTIONS s_client_options[] = {
      "Hex dump of all TLS extensions received"},
     {"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
      "Do not treat lack of close_notify from a peer as an error"},
-#ifndef OPENSSL_NO_OCSP
-    {"status", OPT_STATUS, '-', "Request certificate status from server"},
-#endif
     {"serverinfo", OPT_SERVERINFO, 's',
      "types  Send empty ClientHello extensions (comma-separated numbers)"},
     {"alpn", OPT_ALPN, 's',
@@ -1195,11 +1207,23 @@ int s_client_main(int argc, char **argv)
         case OPT_TLSEXTDEBUG:
             c_tlsextdebug = 1;
             break;
+# ifndef OPENSSL_NO_OCSP
         case OPT_STATUS:
-#ifndef OPENSSL_NO_OCSP
             c_status_req = 1;
-#endif
             break;
+        case OPT_STATUS_OCSP_CHECK_LEAF:
+            c_status_req = 1;
+            X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_OCSP_RESP_CHECK);
+            vpmtouched++;
+            break;
+        case OPT_STATUS_OCSP_CHECK_ALL:
+            c_status_req = 1;
+            X509_VERIFY_PARAM_set_flags(vpm,
+                                        X509_V_FLAG_OCSP_RESP_CHECK |
+                                        X509_V_FLAG_OCSP_RESP_CHECK_ALL);
+            vpmtouched++;
+            break;
+# endif
         case OPT_WDEBUG:
 #ifdef WATT32
             dbug_init();
@@ -3626,27 +3650,58 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 # ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
-    const unsigned char *p;
-    int len;
+    int num, i;
+    STACK_OF(OCSP_RESPONSE) *sk_resp = NULL;
     OCSP_RESPONSE *rsp;
-    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
-    BIO_puts(arg, "OCSP response: ");
-    if (p == NULL) {
-        BIO_puts(arg, "no response sent\n");
-        return 1;
+
+    if (SSL_version(s) >= TLS1_3_VERSION) {
+        (void)SSL_get0_tlsext_status_ocsp_resp_ex(s, &sk_resp);
+
+        BIO_puts(arg, "OCSP responses: ");
+
+        if (sk_resp == NULL) {
+            BIO_puts(arg, "no responses sent\n");
+            return 1;
+        }
+
+        num = sk_OCSP_RESPONSE_num(sk_resp);
+
+        BIO_printf(arg, "number of responses: %d", num);
+        for (i = 0; i < num; i++)
+            print_ocsp_response(arg, sk_OCSP_RESPONSE_value(sk_resp, i));
+    } else {
+        const unsigned char *p;
+        int len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+
+        BIO_puts(arg, "OCSP response: ");
+        if (p == NULL) {
+            BIO_puts(arg, "no OCSP response received\n");
+            return 1;
+        }
+        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+        if (rsp == NULL) {
+            BIO_puts(arg, "OCSP response parse error\n");
+            BIO_dump_indent(arg, (char *)p, len, 4);
+            return 0;
+        }
+        print_ocsp_response(arg, rsp);
+        OCSP_RESPONSE_free(rsp);
     }
-    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
-    if (rsp == NULL) {
-        BIO_puts(arg, "response parse error\n");
-        BIO_dump_indent(arg, (char *)p, len, 4);
-        return 0;
-    }
-    BIO_puts(arg, "\n======================================\n");
-    OCSP_RESPONSE_print(arg, rsp, 0);
-    BIO_puts(arg, "======================================\n");
-    OCSP_RESPONSE_free(rsp);
+
     return 1;
 }
+
+static void print_ocsp_response(BIO *bp, OCSP_RESPONSE *rsp)
+{
+    if (rsp == NULL) {
+        BIO_puts(bp, "no OCSP response to print\n");
+        return;
+    }
+
+    BIO_puts(bp, "\n======================================\n");
+    OCSP_RESPONSE_print(bp, rsp, 0);
+    BIO_puts(bp, "\n======================================\n");
+}
 # endif
 
 static int ldap_ExtendedResponse_parse(const char *buf, long rem)

apps/s_server.c

@@ -54,9 +54,10 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include "timeouts.h"
 #ifdef CHARSET_EBCDIC
-#include <openssl/ebcdic.h>
+# include <openssl/ebcdic.h>
 #endif
 #include "internal/sockets.h"
+#include "internal/statem.h"
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
 static int sv_body(int s, int stype, int prot, unsigned char *context);
@@ -454,16 +455,20 @@ static int ssl_servername_cb(SSL *s, int *ad, void *arg)
 /* Structure passed to cert status callback */
 typedef struct tlsextstatusctx_st {
     int timeout;
-    /* File to load OCSP Response from (or NULL if no file) */
-    char *respin;
+    /*
+     * List of filenames, from which we are loading each OCSP Response to
+     * staple during handshake (or NULL if no file)
+     */
+    STACK_OF(OPENSSL_STRING) *sk_resp_in;
     /* Default responder to use */
     char *host, *path, *port;
     char *proxy, *no_proxy;
     int use_ssl;
     int verbose;
+    int status_all;
 } tlsextstatusctx;
 
-static tlsextstatusctx tlscstatp = { -1 };
+static tlsextstatusctx tlscstatp = { -1, NULL };
 
 #ifndef OPENSSL_NO_OCSP
 
@@ -474,14 +479,15 @@ static tlsextstatusctx tlscstatp = { -1 };
  * the OCSP certificate IDs and minimise the number of OCSP responses by caching
  * them until they were considered "expired".
  */
-static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
-                                        OCSP_RESPONSE **resp)
+static int get_ocsp_resp_from_responder_single(SSL *s, X509 *x,
+                                               tlsextstatusctx *srctx,
+                                               OCSP_RESPONSE **resp)
 {
     char *host = NULL, *port = NULL, *path = NULL;
     char *proxy = NULL, *no_proxy = NULL;
     int use_ssl;
     STACK_OF(OPENSSL_STRING) *aia = NULL;
-    X509 *x = NULL, *cert;
+    X509 *cert;
     X509_NAME *iname;
     STACK_OF(X509) *chain = NULL;
     SSL_CTX *ssl_ctx;
@@ -494,7 +500,6 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
     int i;
 
     /* Build up OCSP query from server certificate */
-    x = SSL_get_certificate(s);
     iname = X509_get_issuer_name(x);
     aia = X509_get1_ocsp(x);
     if (aia != NULL) {
@@ -559,6 +564,7 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
     SSL_get_tlsext_status_exts(s, &exts);
     for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
         X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+
         if (!OCSP_REQUEST_add_ext(req, ext, -1))
             goto err;
     }
@@ -591,6 +597,214 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
     return ret;
 }
 
+static int bring_ocsp_resp_in_correct_order(SSL *s, tlsextstatusctx *srctx,
+                                            STACK_OF(OCSP_RESPONSE) *sk_resp_unordered,
+                                            STACK_OF(OCSP_RESPONSE) **sk_resp)
+{
+    STACK_OF(X509) *server_certs = NULL;
+    X509 *ssl_cert = NULL;
+    X509 *issuer = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    OCSP_BASICRESP *bs = NULL;
+    OCSP_CERTID *cert_id = NULL;
+    int found = -1;
+    int i, j, num = 1;
+
+    if (*sk_resp != NULL)
+        sk_OCSP_RESPONSE_pop_free(*sk_resp, OCSP_RESPONSE_free);
+
+    SSL_get0_chain_certs(s, &server_certs);
+    /*
+     * TODO(DTLS-1.3): in future DTLS should also be considered
+     */
+    if (server_certs != NULL && srctx->status_all &&
+        !SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION) {
+        /* certificate chain is available */
+        num = sk_X509_num(server_certs) + 1;
+    }
+
+    /* get OCSP response for server certificate first */
+    ssl_cert = SSL_get_certificate(s);
+
+    /*
+     * OpenSSL servers with TLS < 1.3 can be configured with no certificate
+     */
+    if (ssl_cert == NULL)
+        return SSL_TLSEXT_ERR_OK;
+
+    /* reserve enough space so the pushes to the stack would not fail */
+    *sk_resp = sk_OCSP_RESPONSE_new_reserve(NULL, num);
+
+    if (*sk_resp == NULL)
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+    for (i = 0; i < num; i++) {
+        if (i != 0) /* for each certificate in chain (except root) get the OCSP response */
+            ssl_cert = sk_X509_value(server_certs, i - 1);
+
+        /* issuer certificate is next in chain */
+        issuer = sk_X509_value(server_certs, i);
+
+        if (issuer == NULL
+            || (cert_id = OCSP_cert_to_id(NULL, ssl_cert, issuer)) == NULL) {
+            sk_OCSP_RESPONSE_push(*sk_resp, NULL);
+            continue;
+        }
+
+        /* find the correct OCSP response for the requested certificate */
+        found = -1;
+        for (j = 0; j < sk_OCSP_RESPONSE_num(sk_resp_unordered); j++) {
+            if ((resp = sk_OCSP_RESPONSE_value(sk_resp_unordered, j)) == NULL)
+                continue;
+            if ((bs = OCSP_response_get1_basic(resp)) == NULL)
+                continue;
+            found = OCSP_resp_find(bs, cert_id, -1);
+            OCSP_BASICRESP_free(bs);
+            if (found > -1) {
+                /* remove the found OCSP response to prevent freeing it with the remaining list */
+                sk_OCSP_RESPONSE_delete(sk_resp_unordered, j);
+                break;
+            }
+        }
+        if (found < 0)
+            resp = NULL;
+
+        OCSP_CERTID_free(cert_id);
+
+        /* add response to stack; also insert null response */
+        (void)sk_OCSP_RESPONSE_push(*sk_resp, resp);
+    }
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
+/*
+ * Helper function to get a list OCSP_RESPONSE from the files specified using
+ * -status_file options for the server certificate and the chain certificates,
+ * in the same order as the list of certs returned by SSL_get0_chain_certs().
+ * In case of a missing entry, the respective list element will be NULL.
+ */
+static int get_ocsp_resp_from_files(SSL *s, tlsextstatusctx *srctx,
+                                    STACK_OF(OCSP_RESPONSE) **sk_resp)
+{
+    STACK_OF(OCSP_RESPONSE) *sk_resp_unordered = NULL;
+    char *respfile = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    BIO *derbio;
+    int i;
+    int num = sk_OPENSSL_STRING_num(srctx->sk_resp_in);
+    int ret = SSL_TLSEXT_ERR_OK;
+
+    sk_resp_unordered = sk_OCSP_RESPONSE_new_reserve(NULL, num);
+
+    if (sk_resp_unordered == NULL) {
+        BIO_puts(bio_err, "cert_status: Cannot reserve memory for OCSP responses\n");
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    /* reading as many responses as files given */
+    for (i = 0; i < num; i++) {
+        respfile = sk_OPENSSL_STRING_value(srctx->sk_resp_in, i);
+
+        derbio = bio_open_default(respfile, 'r', FORMAT_ASN1);
+
+        if (derbio == NULL) {
+            BIO_printf(bio_err, "cert_status: Cannot open OCSP response file %s\n", respfile);
+            ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+            goto err;
+        }
+
+        resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
+        BIO_free(derbio);
+        if (resp == NULL) {
+            BIO_printf(bio_err, "cert_status: Error reading OCSP response from file %s\n",
+                       respfile);
+            ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+            goto err;
+        }
+
+        sk_OCSP_RESPONSE_push(sk_resp_unordered, resp);
+    }
+
+    ret = bring_ocsp_resp_in_correct_order(s, srctx, sk_resp_unordered, sk_resp);
+
+err:
+    /* free the unordered list, including all remaining OCSP responses */
+    sk_OCSP_RESPONSE_pop_free(sk_resp_unordered, OCSP_RESPONSE_free);
+
+    return ret;
+}
+
+/*
+ * Helper function to get a list of OCSP_RESPONSE from a responder
+ * for the server certificate and the chain certificates
+ * in the same order as the list of certs returned by SSL_get0_chain_certs().
+ * The function get_ocsp_resp_from_responder_single is called for each
+ * certificate.
+ * In case of a missing response, the respective list element will be NULL.
+ * This is a simplified version. It examines certificates each time and
+ * makes one OCSP responder query for each request. A full version would
+ * store details such as the OCSP certificate IDs and minimise the number of
+ * OCSP queries by caching responses until they were considered "expired".
+ */
+static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
+                                        STACK_OF(OCSP_RESPONSE) **sk_resp)
+{
+    X509 *ssl_cert = NULL;
+    int i, num = 0;
+    STACK_OF(X509) *server_certs = NULL;
+    OCSP_RESPONSE *resp = NULL;
+
+    if (*sk_resp != NULL) {
+        sk_OCSP_RESPONSE_pop_free(*sk_resp, OCSP_RESPONSE_free);
+        *sk_resp = NULL;
+    }
+
+    SSL_get0_chain_certs(s, &server_certs);
+    /*
+     * TODO(DTLS-1.3): in future DTLS should also be considered
+     */
+    if (server_certs != NULL && srctx->status_all &&
+        !SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION) {
+        /* certificate chain is available */
+        num = sk_X509_num(server_certs) + 1;
+    } else {
+        /*
+         * certificate chain is not available,
+         * set num to 1 for server certificate
+         */
+        num = 1;
+    }
+
+    ssl_cert = SSL_get_certificate(s);
+
+    /*
+     * OpenSSL servers with TLS < 1.3 can be configured with no certificate
+     */
+    if (ssl_cert == NULL)
+        return SSL_TLSEXT_ERR_OK;
+
+    *sk_resp = sk_OCSP_RESPONSE_new_reserve(NULL, num);
+
+    if (*sk_resp == NULL)
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+    /* for each certificate in chain (except root) get the OCSP response */
+    for (i = 0; i < num; i++) {
+        if (i != 0) /* get OCSP response for server certificate first */
+            ssl_cert = sk_X509_value(server_certs, i - 1);
+
+        resp = NULL;
+        if (get_ocsp_resp_from_responder_single(s, ssl_cert, srctx, &resp) != SSL_TLSEXT_ERR_OK)
+            resp = NULL;
+
+        /* add response to stack; also insert null response */
+        sk_OCSP_RESPONSE_push(*sk_resp, resp);
+    }
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
 /*
  * Certificate Status callback. This is called when a client includes a
  * certificate status request extension. The response is either obtained from a
@@ -600,48 +814,48 @@ static int cert_status_cb(SSL *s, void *arg)
 {
     tlsextstatusctx *srctx = arg;
     OCSP_RESPONSE *resp = NULL;
-    unsigned char *rspder = NULL;
-    int rspderlen;
+    STACK_OF(OCSP_RESPONSE) *sk_resp = NULL;
     int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+    int i;
 
     if (srctx->verbose)
         BIO_puts(bio_err, "cert_status: callback called\n");
 
-    if (srctx->respin != NULL) {
-        BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN1);
-        if (derbio == NULL) {
-            BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
-            goto err;
+    SSL_get0_tlsext_status_ocsp_resp_ex(s, &sk_resp);
+
+    if (sk_resp == NULL || sk_OCSP_RESPONSE_num(sk_resp) <= 0) {
+        if (srctx->sk_resp_in != NULL) {
+            get_ocsp_resp_from_files(s, srctx, &sk_resp);
+        } else {
+            ret = get_ocsp_resp_from_responder(s, srctx, &sk_resp);
+            if (ret != SSL_TLSEXT_ERR_OK)
+                goto err;
         }
-        resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
-        BIO_free(derbio);
-        if (resp == NULL) {
-            BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
-            goto err;
-        }
-    } else {
-        ret = get_ocsp_resp_from_responder(s, srctx, &resp);
-        if (ret != SSL_TLSEXT_ERR_OK)
-            goto err;
+
+        (void)SSL_set0_tlsext_status_ocsp_resp_ex(s, sk_resp);
     }
 
-    rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
-    if (rspderlen <= 0)
-        goto err;
-
-    SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
     if (srctx->verbose) {
         BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
-        OCSP_RESPONSE_print(bio_err, resp, 2);
+        BIO_printf(bio_err, "cert_status: number of responses: %d\n",
+                   sk_OCSP_RESPONSE_num(sk_resp));
+        for (i = 0; i < sk_OCSP_RESPONSE_num(sk_resp); i++) {
+            resp = sk_OCSP_RESPONSE_value(sk_resp, i);
+            if (resp != NULL)
+                OCSP_RESPONSE_print(bio_err, resp, 2);
+            else
+                BIO_printf(bio_err,
+                           "cert_status: no ocsp response for certificate with index %d\n", i);
+        }
     }
 
     ret = SSL_TLSEXT_ERR_OK;
 
  err:
-    if (ret != SSL_TLSEXT_ERR_OK)
+    if (ret != SSL_TLSEXT_ERR_OK) {
         ERR_print_errors(bio_err);
-
-    OCSP_RESPONSE_free(resp);
+        sk_OCSP_RESPONSE_pop_free(sk_resp, OCSP_RESPONSE_free);
+    }
 
     return ret;
 }
@@ -680,6 +894,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
     if (!s_quiet) {
         /* We can assume that |in| is syntactically valid. */
         unsigned int i;
+
         BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
         for (i = 0; i < inlen;) {
             if (i)
@@ -692,9 +907,8 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
 
     if (SSL_select_next_proto
         ((unsigned char **)out, outlen, alpn_ctx->data,
-         (unsigned int)alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED) {
+         (unsigned int)alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED)
         return SSL_TLSEXT_ERR_ALERT_FATAL;
-    }
 
     if (!s_quiet) {
         BIO_printf(bio_s_out, "ALPN protocols selected: ");
@@ -725,9 +939,9 @@ typedef enum OPTION_choice {
     OPT_VERIFYCAFILE,
     OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
     OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
-    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
-    OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
-    OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
+    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_ALL,
+    OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY,
+    OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
     OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
     OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
@@ -876,9 +1090,12 @@ const OPTIONS s_server_options[] = {
     {"cert_comp", OPT_CERT_COMP, '-', "Pre-compress server certificates"},
 #endif
 
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
     OPT_SECTION("OCSP"),
-    {"status", OPT_STATUS, '-', "Request certificate status from server"},
+    {"status", OPT_STATUS, '-',
+     "Provide certificate status response if requested, for server cert only"},
+    {"status_all", OPT_STATUS_ALL, '-',
+     "Provide certificate status response(s) if requested, for the whole chain"},
     {"status_verbose", OPT_STATUS_VERBOSE, '-',
      "Print more output in certificate status callback"},
     {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
@@ -891,8 +1108,8 @@ const OPTIONS s_server_options[] = {
     {OPT_MORE_STR, 0, 0,
      "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
     {"status_file", OPT_STATUS_FILE, '<',
-     "File containing DER encoded OCSP Response"},
-#endif
+     "File containing DER encoded OCSP Response (can be specified multiple times)"},
+# endif
 
     OPT_SECTION("Debug"),
     {"security_debug", OPT_SECURITY_DEBUG, '-',
@@ -1076,9 +1293,9 @@ int s_server_main(int argc, char *argv[])
     const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL;
     const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
     char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
     int s_tlsextstatus = 0;
-#endif
+# endif
     int no_resume_ephemeral = 0;
     unsigned int max_send_fragment = 0;
     unsigned int split_send_fragment = 0, max_pipelines = 0;
@@ -1390,33 +1607,40 @@ int s_server_main(int argc, char *argv[])
             s_tlsextdebug = 1;
             break;
         case OPT_STATUS:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
-#endif
+            tlscstatp.status_all = 0;
+# endif
             break;
+        case OPT_STATUS_ALL:
+# ifndef OPENSSL_NO_OCSP
+            s_tlsextstatus = tlscstatp.status_all = 1;
+# endif
+            break;
+
         case OPT_STATUS_VERBOSE:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = tlscstatp.verbose = 1;
-#endif
+# endif
             break;
         case OPT_STATUS_TIMEOUT:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
             tlscstatp.timeout = atoi(opt_arg());
-#endif
+# endif
             break;
         case OPT_PROXY:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             tlscstatp.proxy = opt_arg();
-#endif
+# endif
             break;
         case OPT_NO_PROXY:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             tlscstatp.no_proxy = opt_arg();
-#endif
+# endif
             break;
         case OPT_STATUS_URL:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
             if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL,
                                      &tlscstatp.host, &tlscstatp.port, NULL,
@@ -1424,13 +1648,16 @@ int s_server_main(int argc, char *argv[])
                 BIO_printf(bio_err, "Error parsing -status_url argument\n");
                 goto end;
             }
-#endif
+# endif
             break;
         case OPT_STATUS_FILE:
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
-            tlscstatp.respin = opt_arg();
-#endif
+            if (tlscstatp.sk_resp_in == NULL
+                && (tlscstatp.sk_resp_in = sk_OPENSSL_STRING_new_null()) == NULL)
+                goto end;
+            sk_OPENSSL_STRING_push(tlscstatp.sk_resp_in, opt_arg());
+# endif
             break;
         case OPT_MSG:
             s_msg = 1;
@@ -2358,6 +2585,7 @@ int s_server_main(int argc, char *argv[])
     OPENSSL_free(port);
     X509_VERIFY_PARAM_free(vpm);
     free_sessions();
+    sk_OPENSSL_STRING_free(tlscstatp.sk_resp_in);
     OPENSSL_free(tlscstatp.host);
     OPENSSL_free(tlscstatp.port);
     OPENSSL_free(tlscstatp.path);

crypto/aes/build.info

@@ -10,7 +10,7 @@ IF[{- !$disabled{asm} -}]
   $AESASM_x86_64=\
         aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s \
         aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s \
-        aesni-xts-avx512.s
+        aesni-xts-avx512.s aes-cfb-avx512.s
   $AESDEF_x86_64=AES_ASM VPAES_ASM BSAES_ASM
 
   $AESASM_ia64=aes_core.c aes_cbc.c aes-ia64.s
@@ -107,6 +107,7 @@ GENERATE[aes-x86_64.s]=asm/aes-x86_64.pl
 GENERATE[vpaes-x86_64.s]=asm/vpaes-x86_64.pl
 GENERATE[bsaes-x86_64.s]=asm/bsaes-x86_64.pl
 GENERATE[aesni-x86_64.s]=asm/aesni-x86_64.pl
+GENERATE[aes-cfb-avx512.s]=asm/aes-cfb-avx512.pl
 GENERATE[aesni-sha1-x86_64.s]=asm/aesni-sha1-x86_64.pl
 GENERATE[aesni-sha256-x86_64.s]=asm/aesni-sha256-x86_64.pl
 GENERATE[aesni-mb-x86_64.s]=asm/aesni-mb-x86_64.pl

crypto/asn1/ameth_lib.c

@@ -7,8 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
+/*
+ * We need to use some engine deprecated APIs
+ */
+#include "internal/deprecated.h"
 
 #include "internal/cryptlib.h"
 #include <stdio.h>

crypto/asn1/standard_methods.h

@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#ifndef OPENSSL_NO_DEPRECATED_3_6
 /*
  * This table MUST be kept in ascending order of the NID each method
  * represents (corresponding to the pkey_id field) as OBJ_bsearch
@@ -41,3 +42,4 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
     &ossl_sm2_asn1_meth,
 #endif
 };
+#endif

crypto/bn/bn_gf2m.c

@@ -344,7 +344,7 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
         d0 = p[0] % BN_BITS2;
         d1 = BN_BITS2 - d0;
         z[j - n] ^= (zz >> d0);
-        if (d0)
+        if (ossl_likely(d0))
             z[j - n - 1] ^= (zz << d1);
     }
 
@@ -358,7 +358,7 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
         d1 = BN_BITS2 - d0;
 
         /* clear up the top d1 bits */
-        if (d0)
+        if (ossl_likely(d0))
             z[dN] = (z[dN] << d1) >> d1;
         else
             z[dN] = 0;

crypto/bn/bn_lib.c

@@ -194,7 +194,7 @@ int BN_num_bits(const BIGNUM *a)
         return bn_num_bits_consttime(a);
     }
 
-    if (BN_is_zero(a))
+    if (ossl_unlikely(BN_is_zero(a)))
         return 0;
 
     return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
@@ -267,11 +267,11 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 {
     BN_ULONG *a = NULL;
 
-    if (words > (INT_MAX / (4 * BN_BITS2))) {
+    if (ossl_unlikely(words > (INT_MAX / (4 * BN_BITS2)))) {
         ERR_raise(ERR_LIB_BN, BN_R_BIGNUM_TOO_LONG);
         return NULL;
     }
-    if (BN_get_flags(b, BN_FLG_STATIC_DATA)) {
+    if (ossl_unlikely(BN_get_flags(b, BN_FLG_STATIC_DATA))) {
         ERR_raise(ERR_LIB_BN, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
         return NULL;
     }
@@ -279,7 +279,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
         a = OPENSSL_secure_zalloc(words * sizeof(*a));
     else
         a = OPENSSL_zalloc(words * sizeof(*a));
-    if (a == NULL)
+    if (ossl_unlikely(a == NULL))
         return NULL;
 
     assert(b->top <= words);
@@ -299,9 +299,10 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 
 BIGNUM *bn_expand2(BIGNUM *b, int words)
 {
-    if (words > b->dmax) {
+    if (ossl_likely(words > b->dmax)) {
         BN_ULONG *a = bn_expand_internal(b, words);
-        if (!a)
+
+        if (ossl_unlikely(!a))
             return NULL;
         if (b->d != NULL)
             bn_free_d(b, 1);
@@ -339,17 +340,17 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
 
     bn_words = BN_get_flags(b, BN_FLG_CONSTTIME) ? b->dmax : b->top;
 
-    if (a == b)
+    if (ossl_unlikely(a == b))
         return a;
-    if (bn_wexpand(a, bn_words) == NULL)
+    if (ossl_unlikely(bn_wexpand(a, bn_words) == NULL))
         return NULL;
 
-    if (b->top > 0)
+    if (ossl_likely(b->top > 0))
         memcpy(a->d, b->d, sizeof(b->d[0]) * bn_words);
 
     a->neg = b->neg;
     a->top = b->top;
-    a->flags |= b->flags & BN_FLG_FIXED_TOP;
+    a->flags |= b->flags & (BN_FLG_FIXED_TOP | BN_FLG_CONSTTIME);
     bn_check_top(a);
     return a;
 }
@@ -835,11 +836,11 @@ int BN_is_bit_set(const BIGNUM *a, int n)
     int i, j;
 
     bn_check_top(a);
-    if (n < 0)
+    if (ossl_unlikely(n < 0))
         return 0;
     i = n / BN_BITS2;
     j = n % BN_BITS2;
-    if (a->top <= i)
+    if (ossl_unlikely(a->top <= i))
         return 0;
     return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
 }
@@ -889,12 +890,12 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
     int i;
     BN_ULONG aa, bb;
 
-    if (n == 0)
+    if (ossl_unlikely(n == 0))
         return 0;
 
     aa = a[n - 1];
     bb = b[n - 1];
-    if (aa != bb)
+    if (ossl_likely(aa != bb))
         return ((aa > bb) ? 1 : -1);
     for (i = n - 2; i >= 0; i--) {
         aa = a[i];
@@ -1176,7 +1177,7 @@ void bn_correct_top(BIGNUM *a)
     BN_ULONG *ftl;
     int tmp_top = a->top;
 
-    if (tmp_top > 0) {
+    if (ossl_likely(tmp_top > 0)) {
         for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
             ftl--;
             if (*ftl != 0)

crypto/bn/bn_mont.c

@@ -272,8 +272,6 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
     R = &(mont->RR);            /* grab RR as a temp */
     if (!BN_copy(&(mont->N), mod))
         goto err;               /* Set N */
-    if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
-        BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
     mont->N.neg = 0;
 
 #ifdef MONT_WORD

crypto/cms/build.info

@@ -2,4 +2,4 @@ LIBS=../../libcrypto
 SOURCE[../../libcrypto]= \
         cms_lib.c cms_asn1.c cms_att.c cms_io.c cms_smime.c cms_err.c \
         cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c \
-        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c
+        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c cms_kem.c cms_kemri.c

crypto/cms/cms_asn1.c

@@ -201,10 +201,52 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = {
         ASN1_SIMPLE(CMS_PasswordRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(CMS_PasswordRecipientInfo)
 
+static int cms_kemri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                        void *exarg)
+{
+    CMS_KEMRecipientInfo *kemri = (CMS_KEMRecipientInfo *)*pval;
+
+    if (operation == ASN1_OP_NEW_POST) {
+        kemri->ctx = EVP_CIPHER_CTX_new();
+        if (kemri->ctx == NULL)
+            return 0;
+        EVP_CIPHER_CTX_set_flags(kemri->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+        kemri->pctx = NULL;
+    } else if (operation == ASN1_OP_FREE_POST) {
+        EVP_PKEY_CTX_free(kemri->pctx);
+        EVP_CIPHER_CTX_free(kemri->ctx);
+        ASN1_OCTET_STRING_free(kemri->ukm);
+    }
+    return 1;
+}
+
+ASN1_SEQUENCE_cb(CMS_KEMRecipientInfo, cms_kemri_cb) = {
+        ASN1_EMBED(CMS_KEMRecipientInfo, version, INT32),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, rid, CMS_SignerIdentifier),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kem, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kemct, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kdf, X509_ALGOR),
+        ASN1_EMBED(CMS_KEMRecipientInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_KEMRecipientInfo, ukm, ASN1_OCTET_STRING, 0),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, wrap, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(CMS_KEMRecipientInfo, CMS_KEMRecipientInfo)
+
+ASN1_ADB_TEMPLATE(ori_def) = ASN1_SIMPLE(CMS_OtherRecipientInfo, d.other, ASN1_ANY);
+
+ASN1_ADB(CMS_OtherRecipientInfo) = {
+        ADB_ENTRY(NID_id_smime_ori_kem, ASN1_SIMPLE(CMS_OtherRecipientInfo, d.kemri,
+                  CMS_KEMRecipientInfo))
+} ASN1_ADB_END(CMS_OtherRecipientInfo, 0, oriType, 0, &ori_def_tt, NULL);
+
+DECLARE_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
+
 ASN1_SEQUENCE(CMS_OtherRecipientInfo) = {
   ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT),
-  ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY)
-} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+  ASN1_ADB_OBJECT(CMS_OtherRecipientInfo)
+} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+
+IMPLEMENT_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
 
 /* Free up RecipientInfo additional data */
 static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -224,6 +266,23 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
             OPENSSL_clear_free(pwri->pass, pwri->passlen);
         }
+    } else if (operation == ASN1_OP_D2I_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
+        if (ri->type == CMS_RECIPINFO_OTHER) {
+            int nid;
+
+            nid = OBJ_obj2nid(ri->d.ori->oriType);
+            /* For ORI, map NID to specific type */
+            if (nid == NID_id_smime_ori_kem)
+                ri->type = CMS_RECIPINFO_KEM;
+            /* Otherwise stay with generic CMS_RECIPINFO_OTHER type */
+        }
+    } else if (operation == ASN1_OP_NEW_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
     }
     return 1;
 }
@@ -234,7 +293,7 @@ ASN1_CHOICE_cb(CMS_RecipientInfo, cms_ri_cb) = {
         ASN1_IMP(CMS_RecipientInfo, d.kekri, CMS_KEKRecipientInfo, 2),
         ASN1_IMP(CMS_RecipientInfo, d.pwri, CMS_PasswordRecipientInfo, 3),
         ASN1_IMP(CMS_RecipientInfo, d.ori, CMS_OtherRecipientInfo, 4)
-} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, type)
+} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, encoded_type)
 
 ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = {
         ASN1_EMBED(CMS_EnvelopedData, version, INT32),
@@ -430,3 +489,33 @@ int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
     intsi.pecsi = &ecsi;
     return ASN1_item_i2d(intsi.a, pder, ASN1_ITEM_rptr(CMS_SharedInfo));
 }
+
+/*
+ * Utilities to encode the CMS_CMSORIforKEMOtherInfo structure used during key
+ * derivation.
+ */
+
+typedef struct {
+    X509_ALGOR *wrap;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+} CMS_CMSORIforKEMOtherInfo;
+
+ASN1_SEQUENCE(CMS_CMSORIforKEMOtherInfo) = {
+        ASN1_SIMPLE(CMS_CMSORIforKEMOtherInfo, wrap, X509_ALGOR),
+        ASN1_EMBED(CMS_CMSORIforKEMOtherInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_CMSORIforKEMOtherInfo, ukm, ASN1_OCTET_STRING, 0),
+} static_ASN1_SEQUENCE_END(CMS_CMSORIforKEMOtherInfo)
+
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen)
+{
+    CMS_CMSORIforKEMOtherInfo kem_otherinfo;
+
+    kem_otherinfo.wrap = wrap;
+    kem_otherinfo.kekLength = keylen;
+    kem_otherinfo.ukm = ukm;
+
+    return ASN1_item_i2d((ASN1_VALUE *)&kem_otherinfo, pder,
+                         ASN1_ITEM_rptr(CMS_CMSORIforKEMOtherInfo));
+}

crypto/cms/cms_env.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Low level key APIs (DH etc) are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -14,6 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/cms.h>
 #include <openssl/evp.h>
+#include <openssl/core_names.h>
 #include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
@@ -111,9 +118,12 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
 {
     EVP_PKEY *pkey;
     int i;
-    if (ri->type == CMS_RECIPINFO_TRANS)
+
+    switch (ri->type) {
+    case CMS_RECIPINFO_TRANS:
         pkey = ri->d.ktri->pkey;
-    else if (ri->type == CMS_RECIPINFO_AGREE) {
+        break;
+    case CMS_RECIPINFO_AGREE: {
         EVP_PKEY_CTX *pctx = ri->d.kari->pctx;
 
         if (pctx == NULL)
@@ -121,8 +131,13 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
         pkey = EVP_PKEY_CTX_get0_pkey(pctx);
         if (pkey == NULL)
             return 0;
-    } else
+        break;
+    }
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_kem_envelope(ri, cmd);
+    default:
         return 0;
+    }
 
     if (EVP_PKEY_is_a(pkey, "DHX") || EVP_PKEY_is_a(pkey, "DH"))
         return ossl_cms_dh_envelope(ri, cmd);
@@ -202,6 +217,9 @@ void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
             case CMS_RECIPINFO_PASS:
                 ri->d.pwri->cms_ctx = ctx;
                 break;
+            case CMS_RECIPINFO_KEM:
+                ri->d.ori->d.kemri->cms_ctx = ctx;
+                break;
             default:
                 break;
             }
@@ -220,6 +238,8 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri)
         return ri->d.ktri->pctx;
     else if (ri->type == CMS_RECIPINFO_AGREE)
         return ri->d.kari->pctx;
+    else if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->pctx;
     return NULL;
 }
 
@@ -336,7 +356,7 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
     ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
     if (!ri->d.ktri)
         return 0;
-    ri->type = CMS_RECIPINFO_TRANS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_TRANS;
 
     ktri = ri->d.ktri;
     ktri->cms_ctx = ctx;
@@ -423,6 +443,11 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
             goto err;
         break;
 
+    case CMS_RECIPINFO_KEM:
+        if (!ossl_cms_RecipientInfo_kemri_init(ri, recip, pk, flags, ctx))
+            goto err;
+        break;
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
         goto err;
@@ -750,7 +775,7 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_KEK;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_KEK;
 
     kekri = ri->d.kekri;
 
@@ -1025,6 +1050,9 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 0);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_decrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
         return 0;
@@ -1046,6 +1074,9 @@ int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 1);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_encrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
         return 0;
@@ -1100,7 +1131,8 @@ static void cms_env_set_version(CMS_EnvelopedData *env)
 
     for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) {
         ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i);
-        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) {
+        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER
+            || ri->type == CMS_RECIPINFO_KEM) {
             env->version = 3;
             return;
         } else if (ri->type != CMS_RECIPINFO_TRANS
@@ -1337,6 +1369,18 @@ err:
  */
 int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
 {
+    int ri_type;
+    EVP_PKEY_CTX *ctx = NULL;
+
+    /*
+     * First check the provider for RecipientInfo support since a key may support
+     * multiple types, e.g. an RSA key and provider may support RSA key transport
+     * and/or RSA-KEM.
+     */
+    if (evp_pkey_is_provided(pk)
+        && EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_CMS_RI_TYPE, &ri_type))
+        return ri_type;
+
     /* Check types that we know about */
     if (EVP_PKEY_is_a(pk, "DH"))
         return CMS_RECIPINFO_AGREE;
@@ -1350,7 +1394,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         return CMS_RECIPINFO_TRANS;
 
     /*
-     * Otherwise this might ben an engine implementation, so see if we can get
+     * Otherwise this might be an engine implementation, so see if we can get
      * the type from the ameth.
      */
     if (pk->ameth && pk->ameth->pkey_ctrl) {
@@ -1359,7 +1403,25 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         if (i > 0)
             return r;
     }
-    return CMS_RECIPINFO_TRANS;
+
+    /*
+     * Otherwise try very hard to figure out what RecipientInfo the key supports.
+     */
+    ri_type = CMS_RECIPINFO_TRANS;
+    ctx = EVP_PKEY_CTX_new(pk, NULL);
+    if (ctx != NULL) {
+        ERR_set_mark();
+        if (EVP_PKEY_encrypt_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_TRANS;
+        else if (EVP_PKEY_derive_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_AGREE;
+        else if (EVP_PKEY_encapsulate_init(ctx, NULL) > 0)
+            ri_type = CMS_RECIPINFO_KEM;
+        ERR_pop_to_mark();
+    }
+    EVP_PKEY_CTX_free(ctx);
+
+    return ri_type;
 }
 
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
@@ -1381,3 +1443,79 @@ int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
 
     return (supportedRiType == ri_type);
 }
+
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri,
+                                     const EVP_CIPHER *cipher)
+{
+    const CMS_CTX *cms_ctx;
+    EVP_CIPHER_CTX *ctx;
+    const EVP_CIPHER *kekcipher;
+    EVP_CIPHER *fetched_kekcipher;
+    const char *kekcipher_name;
+    int keylen;
+    int ret;
+
+    if (ri->type == CMS_RECIPINFO_AGREE) {
+        cms_ctx = ri->d.kari->cms_ctx;
+        ctx = ri->d.kari->ctx;
+    } else if (ri->type == CMS_RECIPINFO_KEM) {
+        cms_ctx = ri->d.ori->d.kemri->cms_ctx;
+        ctx = ri->d.ori->d.kemri->ctx;
+    } else {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
+        return 0;
+    }
+
+    /* If a suitable wrap algorithm is already set nothing to do */
+    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
+    if (kekcipher != NULL) {
+        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
+            return 0;
+        return 1;
+    }
+    if (cipher == NULL)
+        return 0;
+    keylen = EVP_CIPHER_get_key_length(cipher);
+    if (keylen <= 0) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        return 0;
+    }
+    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
+        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
+                                               0, &kekcipher);
+        if (ret <= 0)
+            return 0;
+
+        if (kekcipher != NULL) {
+            if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+                return 0;
+            kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
+            goto enc;
+        }
+    }
+
+    /*
+     * Pick a cipher based on content encryption cipher. If it is DES3 use
+     * DES3 wrap otherwise use AES wrap similar to key size.
+     */
+#ifndef OPENSSL_NO_DES
+    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
+        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
+    else
+#endif
+    if (keylen <= 16)
+        kekcipher_name = SN_id_aes128_wrap;
+    else if (keylen <= 24)
+        kekcipher_name = SN_id_aes192_wrap;
+    else
+        kekcipher_name = SN_id_aes256_wrap;
+enc:
+    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
+                                         kekcipher_name,
+                                         ossl_cms_ctx_get0_propq(cms_ctx));
+    if (fetched_kekcipher == NULL)
+        return 0;
+    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
+    EVP_CIPHER_free(fetched_kekcipher);
+    return ret;
+}

crypto/cms/cms_err.c

@@ -88,6 +88,7 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "not a signed receipt"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEM), "not kem"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_TRANSPORT), "not key transport"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"},
@@ -140,6 +141,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM),
      "unknown digest algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_KDF_ALGORITHM),
+     "unknown kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
      "unsupported compression algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM),
@@ -148,6 +151,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "unsupported content type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE),
      "unsupported encryption type"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KDF_ALGORITHM),
+     "unsupported kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM),
      "unsupported kek algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM),

crypto/cms/cms_kari.c

@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * Low level key APIs (DH etc) are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -349,7 +343,7 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
     if (ri->d.kari == NULL)
         return 0;
-    ri->type = CMS_RECIPINFO_AGREE;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_AGREE;
 
     kari = ri->d.kari;
     kari->version = 3;
@@ -412,67 +406,6 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     return 1;
 }
 
-static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
-                         const EVP_CIPHER *cipher)
-{
-    const CMS_CTX *cms_ctx = kari->cms_ctx;
-    EVP_CIPHER_CTX *ctx = kari->ctx;
-    const EVP_CIPHER *kekcipher;
-    EVP_CIPHER *fetched_kekcipher;
-    const char *kekcipher_name;
-    int keylen;
-    int ret;
-
-    /* If a suitable wrap algorithm is already set nothing to do */
-    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
-    if (kekcipher != NULL) {
-        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
-            return 0;
-        return 1;
-    }
-    if (cipher == NULL)
-        return 0;
-    keylen = EVP_CIPHER_get_key_length(cipher);
-    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
-        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
-                                               0, &kekcipher);
-        if (ret <= 0)
-             return 0;
-
-        if (kekcipher != NULL) {
-             if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
-                 return 0;
-             kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
-             goto enc;
-        }
-    }
-
-    /*
-     * Pick a cipher based on content encryption cipher. If it is DES3 use
-     * DES3 wrap otherwise use AES wrap similar to key size.
-     */
-#ifndef OPENSSL_NO_DES
-    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
-        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
-    else
-#endif
-    if (keylen <= 16)
-        kekcipher_name = SN_id_aes128_wrap;
-    else if (keylen <= 24)
-        kekcipher_name = SN_id_aes192_wrap;
-    else
-        kekcipher_name = SN_id_aes256_wrap;
-enc:
-    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
-                                         kekcipher_name,
-                                         ossl_cms_ctx_get0_propq(cms_ctx));
-    if (fetched_kekcipher == NULL)
-        return 0;
-    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
-    EVP_CIPHER_free(fetched_kekcipher);
-    return ret;
-}
-
 /* Encrypt content key in key agreement recipient info */
 
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
@@ -492,7 +425,7 @@ int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
     reks = kari->recipientEncryptedKeys;
     ec = ossl_cms_get0_env_enc_content(cms);
     /* Initialise wrap algorithm parameters */
-    if (!cms_wrap_init(kari, ec->cipher))
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
         return 0;
     /*
      * If no originator key set up initialise for ephemeral key the public key

crypto/cms/cms_kem.c

@@ -0,0 +1,163 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <assert.h>
+#include <limits.h>
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/err.h>
+#include <openssl/decoder.h>
+#include "internal/sizes.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "cms_local.h"
+
+static int kem_cms_decrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    EVP_PKEY_CTX *pctx;
+    EVP_CIPHER_CTX *kekctx;
+    uint32_t cipher_length;
+    char name[OSSL_MAX_NAME_SIZE];
+    EVP_CIPHER *kekcipher = NULL;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+
+    OBJ_obj2txt(name, sizeof(name), wrap->algorithm, 0);
+    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
+    if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+        goto err;
+    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
+        goto err;
+    if (EVP_CIPHER_asn1_to_param(kekctx, wrap->parameter) <= 0)
+        goto err;
+
+    cipher_length = EVP_CIPHER_CTX_get_key_length(kekctx);
+    if (cipher_length != *kekLength) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    rv = 1;
+err:
+    EVP_CIPHER_free(kekcipher);
+    return rv;
+}
+
+static int kem_cms_encrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    X509_ALGOR *kdf;
+    EVP_PKEY_CTX *pctx;
+    EVP_PKEY *pkey;
+    int security_bits;
+    const ASN1_OBJECT *kdf_obj = NULL;
+    unsigned char kemri_x509_algor[OSSL_MAX_ALGORITHM_ID_SIZE];
+    OSSL_PARAM params[2];
+    X509_ALGOR *x509_algor = NULL;
+    EVP_CIPHER_CTX *kekctx;
+    int wrap_nid;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    kdf = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+    if (kdf == NULL)
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+    if (pkey == NULL)
+        goto err;
+
+    security_bits = EVP_PKEY_get_security_bits(pkey);
+    if (security_bits == 0)
+        goto err;
+
+    X509_ALGOR_get0(&kdf_obj, NULL, NULL, kdf);
+    if (kdf_obj == NULL || OBJ_obj2nid(kdf_obj) == NID_undef) {
+        /*
+         * If the KDF OID hasn't already been set, then query the provider
+         * for a default KDF.
+         */
+        params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM,
+                                                      kemri_x509_algor, sizeof(kemri_x509_algor));
+        params[1] = OSSL_PARAM_construct_end();
+        if (!EVP_PKEY_get_params(pkey, params))
+            goto err;
+        if (OSSL_PARAM_modified(&params[0])) {
+            const unsigned char *p = kemri_x509_algor;
+
+            x509_algor = d2i_X509_ALGOR(NULL, &p, (long)params[0].return_size);
+            if (x509_algor == NULL)
+                goto err;
+            if (!X509_ALGOR_copy(kdf, x509_algor))
+                goto err;
+        } else {
+            if (!X509_ALGOR_set0(kdf, OBJ_nid2obj(NID_HKDF_SHA256), V_ASN1_UNDEF, NULL))
+                return 0;
+        }
+    }
+
+    /* Get wrap NID */
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+    *kekLength = EVP_CIPHER_CTX_get_key_length(kekctx);
+    wrap_nid = EVP_CIPHER_CTX_get_type(kekctx);
+
+    /* Package wrap algorithm in an AlgorithmIdentifier */
+    ASN1_OBJECT_free(wrap->algorithm);
+    ASN1_TYPE_free(wrap->parameter);
+    wrap->algorithm = OBJ_nid2obj(wrap_nid);
+    wrap->parameter = ASN1_TYPE_new();
+    if (wrap->parameter == NULL)
+        goto err;
+    if (EVP_CIPHER_param_to_asn1(kekctx, wrap->parameter) <= 0)
+        goto err;
+    if (ASN1_TYPE_get(wrap->parameter) == NID_undef) {
+        ASN1_TYPE_free(wrap->parameter);
+        wrap->parameter = NULL;
+    }
+
+    rv = 1;
+err:
+    X509_ALGOR_free(x509_algor);
+    return rv;
+}
+
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt)
+{
+    assert(decrypt == 0 || decrypt == 1);
+
+    if (decrypt == 1)
+        return kem_cms_decrypt(ri);
+
+    if (decrypt == 0)
+        return kem_cms_encrypt(ri);
+
+    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+    return 0;
+}

crypto/cms/cms_kemri.c

@@ -0,0 +1,409 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/x509.h>
+#include "cms_local.h"
+#include "crypto/evp.h"
+#include "internal/sizes.h"
+
+/* KEM Recipient Info (KEMRI) routines */
+
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+    if (pkekLength)
+        *pkekLength = &ri->d.ori->d.kemri->kekLength;
+    if (pwrap)
+        *pwrap = ri->d.ori->d.kemri->wrap;
+    return 1;
+}
+
+int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return -2;
+    }
+    return ossl_cms_SignerIdentifier_cert_cmp(ri->d.ori->d.kemri->rid, cert);
+}
+
+int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+{
+    EVP_PKEY_CTX *pctx = NULL;
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+
+    if (pk != NULL) {
+        pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), pk,
+                                          ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+        if (pctx == NULL || EVP_PKEY_decapsulate_init(pctx, NULL) <= 0)
+            goto err;
+
+        kemri->pctx = pctx;
+    }
+
+    return 1;
+err:
+    EVP_PKEY_CTX_free(pctx);
+    return 0;
+}
+
+/* Initialise a kemri based on passed certificate and key */
+
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx)
+{
+    CMS_OtherRecipientInfo *ori;
+    CMS_KEMRecipientInfo *kemri;
+    int idtype;
+    X509_PUBKEY *x_pubkey;
+    X509_ALGOR *x_alg;
+
+    ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
+    if (ri->d.ori == NULL)
+        return 0;
+    ri->encoded_type = CMS_RECIPINFO_OTHER;
+    ri->type = CMS_RECIPINFO_KEM;
+
+    ori = ri->d.ori;
+    ori->oriType = OBJ_nid2obj(NID_id_smime_ori_kem);
+    if (ori->oriType == NULL)
+        return 0;
+    ori->d.kemri = M_ASN1_new_of(CMS_KEMRecipientInfo);
+    if (ori->d.kemri == NULL)
+        return 0;
+
+    kemri = ori->d.kemri;
+    kemri->version = 0;
+    kemri->cms_ctx = ctx;
+
+    /*
+     * Not a typo: RecipientIdentifier and SignerIdentifier are the same
+     * structure.
+     */
+
+    idtype = (flags & CMS_USE_KEYID) ? CMS_RECIPINFO_KEYIDENTIFIER : CMS_RECIPINFO_ISSUER_SERIAL;
+    if (!ossl_cms_set1_SignerIdentifier(kemri->rid, recip, idtype, ctx))
+        return 0;
+
+    x_pubkey = X509_get_X509_PUBKEY(recip);
+    if (x_pubkey == NULL)
+        return 0;
+    if (!X509_PUBKEY_get0_param(NULL, NULL, NULL, &x_alg, x_pubkey))
+        return 0;
+    if (!X509_ALGOR_copy(kemri->kem, x_alg))
+        return 0;
+
+    kemri->pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx),
+                                             recipPubKey,
+                                             ossl_cms_ctx_get0_propq(ctx));
+    if (kemri->pctx == NULL)
+        return 0;
+    if (EVP_PKEY_encapsulate_init(kemri->pctx, NULL) <= 0)
+        return 0;
+
+    return 1;
+}
+
+EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->ctx;
+    return NULL;
+}
+
+X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->kdf;
+    return NULL;
+}
+
+int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                    const unsigned char *ukm,
+                                    int ukmLength)
+{
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    if (ukm == NULL && ukmLength != 0) {
+        ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ASN1_OCTET_STRING_free(kemri->ukm);
+    kemri->ukm = ASN1_OCTET_STRING_new();
+    if (kemri->ukm == NULL)
+        return 0;
+    ASN1_OCTET_STRING_set(kemri->ukm, ukm, ukmLength);
+    return 1;
+}
+
+static EVP_KDF_CTX *create_kdf_ctx(CMS_KEMRecipientInfo *kemri)
+{
+    const ASN1_OBJECT *kdf_oid;
+    int ptype;
+    char kdf_alg[OSSL_MAX_NAME_SIZE];
+    EVP_KDF *kdf = NULL;
+    EVP_KDF_CTX *kctx = NULL;
+
+    /*
+     * KDFs with algorithm identifier parameters are not supported yet. To
+     * support this, EVP_KDF_CTX_set_algor_params from
+     * `doc/designs/passing-algorithmidentifier-parameters.md` needs to be
+     * implemented.
+     */
+    X509_ALGOR_get0(&kdf_oid, &ptype, NULL, kemri->kdf);
+    if (ptype != V_ASN1_UNDEF && ptype != V_ASN1_NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM);
+        goto err;
+    }
+    if (OBJ_obj2txt(kdf_alg, sizeof(kdf_alg), kdf_oid, 1) < 0)
+        goto err;
+
+    kdf = EVP_KDF_fetch(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), kdf_alg,
+                        ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+    if (kdf == NULL)
+        goto err;
+
+    kctx = EVP_KDF_CTX_new(kdf);
+err:
+    EVP_KDF_free(kdf);
+    return kctx;
+}
+
+static int kdf_derive(unsigned char *kek, size_t keklen,
+                      const unsigned char *ss, size_t sslen,
+                      CMS_KEMRecipientInfo *kemri)
+{
+    EVP_KDF_CTX *kctx = NULL;
+    OSSL_PARAM params[3];
+    unsigned char *infoder = NULL;
+    int infolen = 0;
+    int rv = 0;
+
+    infolen = CMS_CMSORIforKEMOtherInfo_encode(&infoder, kemri->wrap, kemri->ukm,
+                                               kemri->kekLength);
+    if (infolen <= 0)
+        goto err;
+
+    kctx = create_kdf_ctx(kemri);
+    if (kctx == NULL)
+        goto err;
+
+    params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+                                                  (unsigned char *)ss, sslen);
+    params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
+                                                  (char *)infoder, infolen);
+    params[2] = OSSL_PARAM_construct_end();
+
+    if (EVP_KDF_derive(kctx, kek, keklen, params) <= 0)
+        goto err;
+
+    rv = 1;
+err:
+    OPENSSL_free(infoder);
+    EVP_KDF_CTX_free(kctx);
+
+    return rv;
+}
+
+/*
+ * Derive KEK and decrypt/encrypt with it to produce either the original CEK
+ * or the encrypted CEK.
+ */
+
+static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
+                          const unsigned char *ss, size_t sslen,
+                          const unsigned char *in, size_t inlen,
+                          CMS_KEMRecipientInfo *kemri, int enc)
+{
+    /* Key encryption key */
+    unsigned char kek[EVP_MAX_KEY_LENGTH];
+    size_t keklen = kemri->kekLength;
+    unsigned char *out = NULL;
+    int outlen = 0;
+    int rv = 0;
+
+    if (keklen > sizeof(kek)) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    if (!kdf_derive(kek, keklen, ss, sslen, kemri))
+        goto err;
+
+    /* Set KEK in context */
+    if (!EVP_CipherInit_ex(kemri->ctx, NULL, NULL, kek, NULL, enc))
+        goto err;
+    /* obtain output length of ciphered key */
+    if (!EVP_CipherUpdate(kemri->ctx, NULL, &outlen, in, (int)inlen))
+        goto err;
+    out = OPENSSL_malloc(outlen);
+    if (out == NULL)
+        goto err;
+    if (!EVP_CipherUpdate(kemri->ctx, out, &outlen, in, (int)inlen))
+        goto err;
+    *pout = out;
+    out = NULL;
+    *poutlen = (size_t)outlen;
+
+    rv = 1;
+err:
+    OPENSSL_free(out);
+    OPENSSL_cleanse(kek, keklen);
+    EVP_CIPHER_CTX_reset(kemri->ctx);
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+    return rv;
+}
+
+/* Encrypt content key in KEM recipient info */
+
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey;
+    size_t enckeylen;
+    int rv = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+    /* Initialise wrap algorithm parameters */
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
+        return 0;
+
+    /* Initialise KDF algorithm */
+    if (!ossl_cms_env_asn1_ctrl(ri, 0))
+        return 0;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, NULL, &kem_ct_len, NULL, &kem_secret_len) <= 0)
+        return 0;
+    kem_ct = OPENSSL_malloc(kem_ct_len);
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_ct == NULL || kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, kem_ct, &kem_ct_len, kem_secret, &kem_secret_len) <= 0)
+        goto err;
+
+    ASN1_STRING_set0(kemri->kemct, kem_ct, (int)kem_ct_len);
+    kem_ct = NULL;
+
+    if (!cms_kek_cipher(&enckey, &enckeylen, kem_secret, kem_secret_len, ec->key, ec->keylen,
+                        kemri, 1))
+        goto err;
+    ASN1_STRING_set0(kemri->encryptedKey, enckey, (int)enckeylen);
+
+    rv = 1;
+err:
+    OPENSSL_free(kem_ct);
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return rv;
+}
+
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    const unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey = NULL;
+    size_t enckeylen;
+    unsigned char *cek = NULL;
+    size_t ceklen;
+    int ret = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+
+    if (kemri->pctx == NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NO_PRIVATE_KEY);
+        return 0;
+    }
+
+    /* Setup all parameters to derive KEK */
+    if (!ossl_cms_env_asn1_ctrl(ri, 1))
+        goto err;
+
+    kem_ct = ASN1_STRING_get0_data(kemri->kemct);
+    kem_ct_len = ASN1_STRING_length(kemri->kemct);
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, NULL, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        return 0;
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, kem_secret, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        goto err;
+
+    /* Attempt to decrypt CEK */
+    enckeylen = kemri->encryptedKey->length;
+    enckey = kemri->encryptedKey->data;
+    if (!cms_kek_cipher(&cek, &ceklen, kem_secret, kem_secret_len, enckey, enckeylen, kemri, 0))
+        goto err;
+    ec = ossl_cms_get0_env_enc_content(cms);
+    OPENSSL_clear_free(ec->key, ec->keylen);
+    ec->key = cek;
+    ec->keylen = ceklen;
+
+    ret = 1;
+err:
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return ret;
+}

crypto/cms/cms_local.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@ typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
+typedef struct CMS_KEMRecipientInfo_st CMS_KEMRecipientInfo;
 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
 typedef struct CMS_CTX_st CMS_CTX;
 
@@ -142,7 +143,11 @@ struct CMS_EncryptedContentInfo_st {
 };
 
 struct CMS_RecipientInfo_st {
-    int type;
+    /*
+     * Type which the RecipientInfo is encoded with. OtherRecipientInfo
+     * encompasses different types, specified by 'type' below.
+     */
+    int encoded_type;
     union {
         CMS_KeyTransRecipientInfo *ktri;
         CMS_KeyAgreeRecipientInfo *kari;
@@ -150,6 +155,8 @@ struct CMS_RecipientInfo_st {
         CMS_PasswordRecipientInfo *pwri;
         CMS_OtherRecipientInfo *ori;
     } d;
+    /* internal type, including ORI types */
+    int type;
 };
 
 typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
@@ -245,7 +252,29 @@ struct CMS_PasswordRecipientInfo_st {
 
 struct CMS_OtherRecipientInfo_st {
     ASN1_OBJECT *oriType;
-    ASN1_TYPE *oriValue;
+    union {
+        /* NID_id_smime_ori_kem */
+        CMS_KEMRecipientInfo *kemri;
+        /* anything else */
+        ASN1_TYPE *other;
+    } d;
+};
+
+struct CMS_KEMRecipientInfo_st {
+    int32_t version;
+    CMS_RecipientIdentifier *rid;
+    X509_ALGOR *kem;
+    ASN1_OCTET_STRING *kemct;
+    X509_ALGOR *kdf;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+    X509_ALGOR *wrap;
+    ASN1_OCTET_STRING *encryptedKey;
+    /* Public key context associated with current operation */
+    EVP_PKEY_CTX *pctx;
+    /* Cipher context for CEK wrapping */
+    EVP_CIPHER_CTX *ctx;
+    const CMS_CTX *cms_ctx;
 };
 
 struct CMS_DigestedData_st {
@@ -460,6 +489,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk);
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
 
 void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri, const EVP_CIPHER *cipher);
 
 /* KARI routines */
 int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
@@ -470,6 +500,20 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
                                         CMS_RecipientInfo *ri);
 
+/* KEMRI routines */
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap);
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx);
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen);
+
 /* PWRI routines */
 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
                                       CMS_RecipientInfo *ri, int en_de);
@@ -486,6 +530,7 @@ int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify);
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt);
 
 int ossl_cms_get1_certs_ex(CMS_ContentInfo *cms, STACK_OF(X509) **certs);
 int ossl_cms_get1_crls_ex(CMS_ContentInfo *cms, STACK_OF(X509_CRL) **crls);
@@ -496,10 +541,12 @@ DECLARE_ASN1_ITEM(CMS_EncryptedData)
 DECLARE_ASN1_ITEM(CMS_EnvelopedData)
 DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData)
 DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
+DECLARE_ASN1_ITEM(CMS_KEMRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
 DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
+DECLARE_ASN1_ITEM(CMS_OtherRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_Receipt)
 DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)

crypto/cms/cms_pwri.c

@@ -138,7 +138,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_PASS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_PASS;
 
     pwri = ri->d.pwri;
     pwri->cms_ctx = cms_ctx;

crypto/cms/cms_smime.c

@@ -750,6 +750,14 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
                 return 1;
             if (r < 0)
                 return 0;
+        } else if (ri_type == CMS_RECIPINFO_KEM) {
+            if (cert == NULL || !CMS_RecipientInfo_kemri_cert_cmp(ri, cert)) {
+                CMS_RecipientInfo_kemri_set0_pkey(ri, pk);
+                r = CMS_RecipientInfo_decrypt(cms, ri);
+                CMS_RecipientInfo_kemri_set0_pkey(ri, NULL);
+                if (cert != NULL || r > 0)
+                    return r;
+            }
         }
         /* If we have a cert, try matching RecipientInfo, else try them all */
         else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {

crypto/core_namemap.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * For EVP_PKEY_asn1_get0_info(), EVP_PKEY_asn1_get_count() and
+ * EVP_PKEY_asn1_get0()
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include "internal/namemap.h"
 #include "internal/tsan_assist.h"
 #include "internal/hashtable.h"
@@ -432,6 +438,7 @@ static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
         get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
 }
 
+# ifndef OPENSSL_NO_DEPRECATED_3_6
 static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
                                        void *arg)
 {
@@ -470,6 +477,7 @@ static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
         }
     }
 }
+# endif /* OPENSSL_NO_DEPRECATED_3_6 */
 #endif
 
 /*-
@@ -498,7 +506,7 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
         return NULL;
     }
     if (nms == 1) {
-        int i, end;
+        int num;
 
         /* Before pilfering, we make sure the legacy database is populated */
         OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
@@ -509,9 +517,26 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx)
         OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH,
                         get_legacy_md_names, namemap);
 
-        /* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
-        for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
-            get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
+        /*
+         * Some old providers (<= 3.5) may not have the rsassaPSS alias which
+         * may cause problems in some cases. We add it manually here
+         */
+        num = ossl_namemap_add_name(namemap, 0, "RSA-PSS");
+        if (num != 0) {
+            ossl_namemap_add_name(namemap, num, "rsassaPss");
+            /* Add other RSA-PSS aliases as well */
+            ossl_namemap_add_name(namemap, num, "RSASSA-PSS");
+            ossl_namemap_add_name(namemap, num, "1.2.840.113549.1.1.10");
+        }
+# ifndef OPENSSL_NO_DEPRECATED_3_6
+        {
+            int i, end;
+
+            /* We also pilfer data from the legacy EVP_PKEY_ASN1_METHODs */
+            for (i = 0, end = EVP_PKEY_asn1_get_count(); i < end; i++)
+                get_legacy_pkey_meth_names(EVP_PKEY_asn1_get0(i), namemap);
+        }
+# endif
     }
 #endif
 

crypto/dh/dh_backend.c

@@ -80,6 +80,12 @@ int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[], int include_private)
     if (!DH_set0_key(dh, pub_key, priv_key))
         goto err;
 
+#ifdef FIPS_MODULE
+    if (pub_key != NULL && priv_key != NULL)
+        if (ossl_dh_check_pairwise(dh) == 0)
+            return 0;
+#endif
+
     return 1;
 
  err:

crypto/err/openssl.txt

@@ -354,6 +354,7 @@ CMS_R_NEED_ONE_SIGNER:164:need one signer
 CMS_R_NOT_A_SIGNED_RECEIPT:165:not a signed receipt
 CMS_R_NOT_ENCRYPTED_DATA:122:not encrypted data
 CMS_R_NOT_KEK:123:not kek
+CMS_R_NOT_KEM:197:not kem
 CMS_R_NOT_KEY_AGREEMENT:181:not key agreement
 CMS_R_NOT_KEY_TRANSPORT:124:not key transport
 CMS_R_NOT_PWRI:177:not pwri
@@ -394,11 +395,13 @@ CMS_R_UNABLE_TO_FINALIZE_CONTEXT:147:unable to finalize context
 CMS_R_UNKNOWN_CIPHER:148:unknown cipher
 CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm
 CMS_R_UNKNOWN_ID:150:unknown id
+CMS_R_UNKNOWN_KDF_ALGORITHM:198:unknown kdf algorithm
 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm
 CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\
 	unsupported content encryption algorithm
 CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type
 CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type
+CMS_R_UNSUPPORTED_KDF_ALGORITHM:199:unsupported kdf algorithm
 CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm
 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
 	unsupported key encryption algorithm

crypto/evp/asymcipher.c

@@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s encrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s decrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
 
     return ret;
 

crypto/evp/build.info

@@ -3,7 +3,8 @@ $COMMON=digest.c evp_enc.c evp_lib.c evp_fetch.c evp_utils.c \
         mac_lib.c mac_meth.c keymgmt_meth.c keymgmt_lib.c kdf_lib.c kdf_meth.c \
         skeymgmt_meth.c \
         pmeth_lib.c signature.c p_lib.c s_lib.c pmeth_gn.c exchange.c \
-        evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c
+        evp_rand.c asymcipher.c kem.c dh_support.c ec_support.c pmeth_check.c \
+        evp_pkey_type.c
 
 SOURCE[../../libcrypto]=$COMMON\
         encode.c evp_key.c evp_cnf.c \

crypto/evp/digest.c

@@ -186,7 +186,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
     if (type != NULL) {
         ctx->reqdigest = type;
     } else {
-        if (ctx->digest == NULL) {
+        if (ossl_unlikely(ctx->digest == NULL)) {
             ERR_raise(ERR_LIB_EVP, EVP_R_NO_DIGEST_SET);
             return 0;
         }
@@ -201,7 +201,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
      * previous handle, re-querying for an ENGINE, and having a
      * reinitialisation, when it may all be unnecessary.
      */
-    if (ctx->engine != NULL
+    if (ossl_unlikely(ctx->engine != NULL)
             && ctx->digest != NULL
             && type->type == ctx->digest->type)
         goto skip_to_init;
@@ -246,8 +246,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
     cleanup_old_md_data(ctx, 1);
 
     /* Start of non-legacy code below */
-    if (ctx->digest == type) {
-        if (!ossl_assert(type->prov != NULL)) {
+    if (ossl_likely(ctx->digest == type)) {
+        if (ossl_unlikely(!ossl_assert(type->prov != NULL))) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
             return 0;
         }
@@ -256,7 +256,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
             return 0;
     }
 
-    if (type->prov == NULL) {
+    if (ossl_unlikely(type->prov == NULL)) {
 #ifdef FIPS_MODULE
         /* We only do explicit fetches inside the FIPS module */
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -277,8 +277,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
 #endif
     }
 
-    if (type->prov != NULL && ctx->fetched_digest != type) {
-        if (!EVP_MD_up_ref((EVP_MD *)type)) {
+    if (ossl_unlikely(type->prov != NULL && ctx->fetched_digest != type)) {
+        if (ossl_unlikely(!EVP_MD_up_ref((EVP_MD *)type))) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
             return 0;
         }
@@ -384,15 +384,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    if (count == 0)
+    if (ossl_unlikely(count == 0))
         return 1;
 
-    if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
+    if (ossl_unlikely((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
         return 0;
     }
 
-    if (ctx->pctx != NULL
+    if (ossl_unlikely(ctx->pctx != NULL)
             && EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx->pctx)
             && ctx->pctx->op.sig.algctx != NULL) {
 #ifndef FIPS_MODULE
@@ -415,10 +415,10 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 
     if (ctx->digest == NULL
             || ctx->digest->prov == NULL
-            || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0)
+            || ossl_unlikely((ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0))
         goto legacy;
 
-    if (ctx->digest->dupdate == NULL) {
+    if (ossl_unlikely(ctx->digest->dupdate == NULL)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
         return 0;
     }
@@ -445,22 +445,22 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize)
     size_t size = 0;
     size_t mdsize = 0;
 
-    if (ctx->digest == NULL)
+    if (ossl_unlikely(ctx->digest == NULL))
         return 0;
 
     sz = EVP_MD_CTX_get_size(ctx);
-    if (sz < 0)
+    if (ossl_unlikely(sz < 0))
         return 0;
     mdsize = sz;
-    if (ctx->digest->prov == NULL)
+    if (ossl_unlikely(ctx->digest->prov == NULL))
         goto legacy;
 
-    if (ctx->digest->dfinal == NULL) {
+    if (ossl_unlikely(ctx->digest->dfinal == NULL)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
 
-    if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
+    if (ossl_unlikely((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
@@ -470,7 +470,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize)
     ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
 
     if (isize != NULL) {
-        if (size <= UINT_MAX) {
+        if (ossl_likely(size <= UINT_MAX)) {
             *isize = (unsigned int)size;
         } else {
             ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
@@ -501,20 +501,20 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
     OSSL_PARAM params[2];
     size_t i = 0;
 
-    if (ctx->digest == NULL) {
+    if (ossl_unlikely(ctx->digest == NULL)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_NULL_ALGORITHM);
         return 0;
     }
 
-    if (ctx->digest->prov == NULL)
+    if (ossl_unlikely(ctx->digest->prov == NULL))
         goto legacy;
 
-    if (ctx->digest->dfinal == NULL) {
+    if (ossl_unlikely(ctx->digest->dfinal == NULL)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
 
-    if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
+    if (ossl_unlikely((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0)) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
@@ -527,7 +527,7 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
     params[i++] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &size);
     params[i++] = OSSL_PARAM_construct_end();
 
-    if (EVP_MD_CTX_set_params(ctx, params) >= 0)
+    if (ossl_likely(EVP_MD_CTX_set_params(ctx, params) >= 0))
         ret = ctx->digest->dfinal(ctx->algctx, md, &size, size);
 
     ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
@@ -778,7 +778,7 @@ int EVP_MD_CTX_set_params(EVP_MD_CTX *ctx, const OSSL_PARAM params[])
     EVP_PKEY_CTX *pctx = ctx->pctx;
 
     /* If we have a pctx then we should try that first */
-    if (pctx != NULL
+    if (ossl_unlikely(pctx != NULL)
             && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
                 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
             && pctx->op.sig.algctx != NULL
@@ -786,7 +786,7 @@ int EVP_MD_CTX_set_params(EVP_MD_CTX *ctx, const OSSL_PARAM params[])
         return pctx->op.sig.signature->set_ctx_md_params(pctx->op.sig.algctx,
                                                          params);
 
-    if (ctx->digest != NULL && ctx->digest->set_ctx_params != NULL)
+    if (ossl_likely(ctx->digest != NULL && ctx->digest->set_ctx_params != NULL))
         return ctx->digest->set_ctx_params(ctx->algctx, params);
 
     return 0;
@@ -864,12 +864,12 @@ const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx)
     EVP_PKEY_CTX *pctx;
     void *provctx;
 
-    if (ctx == NULL)
+    if (ossl_unlikely(ctx == NULL))
         return NULL;
 
     /* If we have a pctx then we should try that first */
     pctx = ctx->pctx;
-    if (pctx != NULL
+    if (ossl_unlikely(pctx != NULL)
             && (pctx->operation == EVP_PKEY_OP_VERIFYCTX
                 || pctx->operation == EVP_PKEY_OP_SIGNCTX)
             && pctx->op.sig.algctx != NULL
@@ -877,7 +877,8 @@ const OSSL_PARAM *EVP_MD_CTX_gettable_params(EVP_MD_CTX *ctx)
         return pctx->op.sig.signature->gettable_ctx_md_params(
                     pctx->op.sig.algctx);
 
-    if (ctx->digest != NULL && ctx->digest->gettable_ctx_params != NULL) {
+    if (ossl_unlikely(ctx->digest != NULL
+                      && ctx->digest->gettable_ctx_params != NULL)) {
         provctx = ossl_provider_ctx(EVP_MD_get0_provider(ctx->digest));
         return ctx->digest->gettable_ctx_params(ctx->algctx, provctx);
     }

crypto/evp/evp_pkey.c

@@ -7,6 +7,11 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Needed for EVP_PKEY_get0_asn1 and EVP_PKEY_asn1_get0_info
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <stdio.h>
 #include <stdlib.h>
 #include "internal/cryptlib.h"
@@ -244,17 +249,21 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
 
 const char *EVP_PKEY_get0_type_name(const EVP_PKEY *key)
 {
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     const EVP_PKEY_ASN1_METHOD *ameth;
+#endif
     const char *name = NULL;
 
     if (key->keymgmt != NULL)
         return EVP_KEYMGMT_get0_name(key->keymgmt);
 
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     /* Otherwise fallback to legacy */
     ameth = EVP_PKEY_get0_asn1(key);
     if (ameth != NULL)
         EVP_PKEY_asn1_get0_info(NULL, NULL,
                                 NULL, NULL, &name, ameth);
+#endif
 
     return name;
 }

crypto/evp/evp_pkey_type.c

@@ -0,0 +1,88 @@
+/*
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include "crypto/evp.h"
+#include <openssl/core_names.h>
+#include <openssl/macros.h>
+#ifndef OPENSSL_NO_DEPRECATED_3_6
+# include <openssl/engine.h>
+# include "crypto/asn1.h"
+#include <openssl/types.h>
+#else
+# include "internal/nelem.h"
+#endif
+
+#ifdef OPENSSL_NO_DEPRECATED_3_6
+/*
+ * This is a hardcoded conversion table for legacy ASN1_METHOD and pkey type.
+ * As the deprecated ASN1 should not enable to add any asn1 method, therefore
+ * this should work.
+ */
+struct pkid2bid {
+    int pkey_id;
+    int pkey_base_id;
+};
+
+static const struct pkid2bid base_id_conversion[] = {
+    {EVP_PKEY_RSA, EVP_PKEY_RSA},
+    {EVP_PKEY_RSA2, EVP_PKEY_RSA},
+    {EVP_PKEY_RSA_PSS, EVP_PKEY_RSA_PSS},
+#ifndef OPENSSL_NO_DH
+    {EVP_PKEY_DH, EVP_PKEY_DH},
+    {EVP_PKEY_DHX, EVP_PKEY_DHX},
+#endif
+#ifndef OPENSSL_NO_DSA
+    {EVP_PKEY_DSA1, EVP_PKEY_DSA},
+    {EVP_PKEY_DSA4, EVP_PKEY_DSA2},
+    {EVP_PKEY_DSA3, EVP_PKEY_DSA2},
+    {EVP_PKEY_DSA, EVP_PKEY_DSA},
+#endif
+#ifndef OPENSSL_NO_EC
+    {EVP_PKEY_EC, EVP_PKEY_EC},
+#endif
+#ifndef OPENSSL_NO_ECX
+    {EVP_PKEY_X25519, EVP_PKEY_X25519},
+    {EVP_PKEY_X448, EVP_PKEY_X448},
+    {EVP_PKEY_ED25519, EVP_PKEY_ED25519},
+    {EVP_PKEY_ED448, EVP_PKEY_ED448},
+#endif
+#ifndef OPENSSL_NO_SM2
+    {EVP_PKEY_SM2, EVP_PKEY_EC},
+#endif
+};
+#endif
+
+int EVP_PKEY_type(int type)
+{
+#ifndef OPENSSL_NO_DEPRECATED_3_6
+    int ret;
+    const EVP_PKEY_ASN1_METHOD *ameth;
+    ENGINE *e;
+
+    ameth = EVP_PKEY_asn1_find(&e, type);
+    if (ameth)
+        ret = ameth->pkey_id;
+    else
+        ret = NID_undef;
+# ifndef OPENSSL_NO_ENGINE
+    ENGINE_finish(e);
+# endif
+    return ret;
+#else
+    size_t i;
+
+    for (i = 0; i < OSSL_NELEM(base_id_conversion); i++) {
+        if (type == base_id_conversion[i].pkey_id)
+            return base_id_conversion[i].pkey_base_id;
+    }
+    return NID_undef;
+#endif
+}

crypto/evp/keymgmt_meth.c

@@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,
         return NULL;
     }
 
+    ERR_set_mark();
     ret = keymgmt->gen(genctx, cb, cbarg);
-    if (ret == NULL)
+    if (ret == NULL && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE,
                        "%s key generation:%s", keymgmt->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 }
 

crypto/evp/m_sigver.c

@@ -426,14 +426,20 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
     if (pctx != NULL) {
+        if (pctx->pmeth == NULL) {
+            ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+            return 0;
+        }
         /* do_sigver_init() checked that |digest_custom| is non-NULL */
         if (pctx->flag_call_digest_custom
             && !ctx->pctx->pmeth->digest_custom(ctx->pctx, ctx))
@@ -470,10 +476,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -523,11 +531,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen,
                                      sigret == NULL ? 0 : *siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL && sigret != NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -634,11 +644,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
 
             if (sigret != NULL)
                 ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen,
                                          sigret == NULL ? 0 : *siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_sign:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {
@@ -689,10 +701,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -765,10 +779,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
             int ret;
 
             ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_verify:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {

crypto/evp/p_lib.c

@@ -1022,22 +1022,6 @@ DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
 }
 # endif
 
-int EVP_PKEY_type(int type)
-{
-    int ret;
-    const EVP_PKEY_ASN1_METHOD *ameth;
-    ENGINE *e;
-    ameth = EVP_PKEY_asn1_find(&e, type);
-    if (ameth)
-        ret = ameth->pkey_id;
-    else
-        ret = NID_undef;
-# ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(e);
-# endif
-    return ret;
-}
-
 int EVP_PKEY_get_id(const EVP_PKEY *pkey)
 {
     return pkey->type;
@@ -1558,7 +1542,7 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
 {
 #ifndef FIPS_MODULE
     const EVP_PKEY_ASN1_METHOD *ameth = NULL;
-    ENGINE **eptr = (e == NULL) ? &e :  NULL;
+    ENGINE **eptr = (e == NULL) ? &e : NULL;
 #endif
 
     /*

crypto/evp/pmeth_gn.c

@@ -192,7 +192,7 @@ int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
 
     ctx->keygen_info = NULL;
 
-#ifndef FIPS_MODULE
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_DEPRECATED_3_6)
     /* In case |*ppkey| was originally a legacy key */
     if (ret)
         evp_pkey_free_legacy(*ppkey);

crypto/init.c

@@ -502,7 +502,7 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
     int aloaddone = 0;
 
    /* Applications depend on 0 being returned when cleanup was already done */
-    if (stopped) {
+    if (ossl_unlikely(stopped)) {
         if (!(opts & OPENSSL_INIT_BASE_ONLY))
             ERR_raise(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL);
         return 0;
@@ -521,7 +521,7 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
      * unnecessarily - but all the critical code is contained in RUN_ONCE
      * functions anyway so we are safe.
      */
-    if (CRYPTO_atomic_load(&optsdone, &tmp, NULL)) {
+    if (ossl_likely(CRYPTO_atomic_load(&optsdone, &tmp, NULL))) {
         if ((tmp & opts) == opts)
             return 1;
         aloaddone = 1;
@@ -541,7 +541,7 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
      * If we remain the only caller of err_shelve_state() the recursion should
      * perhaps be removed, but if in doubt, it can be left in place.
      */
-    if (!RUN_ONCE(&base, ossl_init_base))
+    if (ossl_unlikely(!RUN_ONCE(&base, ossl_init_base)))
         return 0;
 
     if (opts & OPENSSL_INIT_BASE_ONLY)

crypto/mem.c

@@ -195,7 +195,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
         goto err;
     }
 
-    if (num == 0)
+    if (ossl_unlikely(num == 0))
         return NULL;
 
     FAILTEST();
@@ -209,7 +209,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
     }
 
     ptr = malloc(num);
-    if (ptr != NULL)
+    if (ossl_likely(ptr != NULL))
         return ptr;
  err:
     /*

crypto/objects/obj_dat.c

@@ -37,13 +37,16 @@ struct added_obj_st {
     ASN1_OBJECT *obj;
 };
 
+static unsigned long added_obj_hash(const ADDED_OBJ *ca);
+static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb);
+
 static LHASH_OF(ADDED_OBJ) *added = NULL;
 static CRYPTO_RWLOCK *ossl_obj_lock = NULL;
 #ifdef TSAN_REQUIRES_LOCKING
 static CRYPTO_RWLOCK *ossl_obj_nid_lock = NULL;
 #endif
 
-static CRYPTO_ONCE ossl_obj_lock_init = CRYPTO_ONCE_STATIC_INIT;
+static CRYPTO_ONCE ossl_obj_api_init = CRYPTO_ONCE_STATIC_INIT;
 
 static ossl_inline void objs_free_locks(void)
 {
@@ -55,7 +58,7 @@ static ossl_inline void objs_free_locks(void)
 #endif
 }
 
-DEFINE_RUN_ONCE_STATIC(obj_lock_initialise)
+DEFINE_RUN_ONCE_STATIC(obj_api_initialise)
 {
     ossl_obj_lock = CRYPTO_THREAD_lock_new();
     if (ossl_obj_lock == NULL)
@@ -68,40 +71,41 @@ DEFINE_RUN_ONCE_STATIC(obj_lock_initialise)
         return 0;
     }
 #endif
+    added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp);
+    if (added == NULL) {
+        objs_free_locks();
+        return 0;
+    }
+
     return 1;
 }
 
-static ossl_inline int ossl_init_added_lock(void)
+static ossl_inline int ossl_init_added_api(void)
 {
 #ifndef OPENSSL_NO_AUTOLOAD_CONFIG
     /* Make sure we've loaded config before checking for any "added" objects */
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
 #endif
-    return RUN_ONCE(&ossl_obj_lock_init, obj_lock_initialise);
+    return RUN_ONCE(&ossl_obj_api_init, obj_api_initialise);
 }
 
-static ossl_inline int ossl_obj_write_lock(int lock)
+static ossl_inline int ossl_obj_write_lock(void)
 {
-    if (!lock)
-        return 1;
-    if (!ossl_init_added_lock())
+    if (!ossl_init_added_api())
         return 0;
     return CRYPTO_THREAD_write_lock(ossl_obj_lock);
 }
 
-static ossl_inline int ossl_obj_read_lock(int lock)
+static ossl_inline int ossl_obj_read_lock(void)
 {
-    if (!lock)
-        return 1;
-    if (!ossl_init_added_lock())
+    if (!ossl_init_added_api())
         return 0;
     return CRYPTO_THREAD_read_lock(ossl_obj_lock);
 }
 
-static ossl_inline void ossl_obj_unlock(int lock)
+static ossl_inline void ossl_obj_unlock(void)
 {
-    if (lock)
-        CRYPTO_THREAD_unlock(ossl_obj_lock);
+    CRYPTO_THREAD_unlock(ossl_obj_lock);
 }
 
 static int sn_cmp(const ASN1_OBJECT *const *a, const unsigned int *b)
@@ -221,112 +225,22 @@ void ossl_obj_cleanup_int(void)
     objs_free_locks();
 }
 
-/*
- * Requires that the ossl_obj_lock be held
- * if TSAN_REQUIRES_LOCKING defined
- */
-static int obj_new_nid_unlocked(int num)
+int OBJ_new_nid(int num)
 {
     static TSAN_QUALIFIER int new_nid = NUM_NID;
 #ifdef TSAN_REQUIRES_LOCKING
     int i;
 
+    ossl_obj_write_lock();
     i = new_nid;
     new_nid += num;
-
+    ossl_obj_unlock();
     return i;
 #else
     return tsan_add(&new_nid, num);
 #endif
 }
 
-int OBJ_new_nid(int num)
-{
-#ifdef TSAN_REQUIRES_LOCKING
-    int i;
-
-    if (!ossl_obj_write_lock(1)) {
-        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
-        return NID_undef;
-    }
-
-    i = obj_new_nid_unlocked(num);
-
-    ossl_obj_unlock(1);
-
-    return i;
-#else
-    return obj_new_nid_unlocked(num);
-#endif
-}
-
-static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock)
-{
-    ASN1_OBJECT *o = NULL;
-    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop[4];
-    int i;
-
-    if ((o = OBJ_dup(obj)) == NULL)
-        return NID_undef;
-    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL
-            || (o->length != 0
-                && obj->data != NULL
-                && (ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
-            || (o->sn != NULL
-                && (ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
-            || (o->ln != NULL
-                && (ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL))
-        goto err2;
-
-    if (!ossl_obj_write_lock(lock)) {
-        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
-        goto err2;
-    }
-    if (added == NULL) {
-        added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp);
-        if (added == NULL) {
-            ERR_raise(ERR_LIB_OBJ, ERR_R_CRYPTO_LIB);
-            goto err;
-        }
-    }
-
-    for (i = ADDED_DATA; i <= ADDED_NID; i++) {
-        if (ao[i] != NULL) {
-            ao[i]->type = i;
-            ao[i]->obj = o;
-            aop[i] = lh_ADDED_OBJ_retrieve(added, ao[i]);
-            if (aop[i] != NULL)
-                aop[i]->type = -1;
-            (void)lh_ADDED_OBJ_insert(added, ao[i]);
-            if (lh_ADDED_OBJ_error(added)) {
-                if (aop[i] != NULL)
-                    aop[i]->type = i;
-                while (i-- > ADDED_DATA) {
-                    lh_ADDED_OBJ_delete(added, ao[i]);
-                    if (aop[i] != NULL)
-                        aop[i]->type = i;
-                }
-                ERR_raise(ERR_LIB_OBJ, ERR_R_CRYPTO_LIB);
-                goto err;
-            }
-        }
-    }
-    o->flags &=
-        ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
-          ASN1_OBJECT_FLAG_DYNAMIC_DATA);
-
-    ossl_obj_unlock(lock);
-    return o->nid;
-
- err:
-    ossl_obj_unlock(lock);
- err2:
-    for (i = ADDED_DATA; i <= ADDED_NID; i++)
-        OPENSSL_free(ao[i]);
-    ASN1_OBJECT_free(o);
-    return NID_undef;
-}
-
 ASN1_OBJECT *OBJ_nid2obj(int n)
 {
     ADDED_OBJ ad, *adp = NULL;
@@ -339,13 +253,12 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
     ad.type = ADDED_NID;
     ad.obj = &ob;
     ob.nid = n;
-    if (!ossl_obj_read_lock(1)) {
+    if (!ossl_obj_read_lock()) {
         ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK);
         return NULL;
     }
-    if (added != NULL)
-        adp = lh_ADDED_OBJ_retrieve(added, &ad);
-    ossl_obj_unlock(1);
+    adp = lh_ADDED_OBJ_retrieve(added, &ad);
+    ossl_obj_unlock();
     if (adp != NULL)
         return adp->obj;
 
@@ -383,7 +296,7 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp)
 
 IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj);
 
-static int ossl_obj_obj2nid(const ASN1_OBJECT *a, const int lock)
+static int ossl_obj_obj2nid(const ASN1_OBJECT *a)
 {
     int nid = NID_undef;
     const unsigned int *op;
@@ -399,18 +312,16 @@ static int ossl_obj_obj2nid(const ASN1_OBJECT *a, const int lock)
     op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ);
     if (op != NULL)
         return nid_objs[*op].nid;
-    if (!ossl_obj_read_lock(lock)) {
+    if (!ossl_obj_read_lock()) {
         ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK);
         return NID_undef;
     }
-    if (added != NULL) {
-        ad.type = ADDED_DATA;
-        ad.obj = (ASN1_OBJECT *)a; /* casting away const is harmless here */
-        adp = lh_ADDED_OBJ_retrieve(added, &ad);
-        if (adp != NULL)
-            nid = adp->obj->nid;
-    }
-    ossl_obj_unlock(lock);
+    ad.type = ADDED_DATA;
+    ad.obj = (ASN1_OBJECT *)a; /* casting away const is harmless here */
+    adp = lh_ADDED_OBJ_retrieve(added, &ad);
+    if (adp != NULL)
+        nid = adp->obj->nid;
+    ossl_obj_unlock();
     return nid;
 }
 
@@ -645,18 +556,16 @@ int OBJ_ln2nid(const char *s)
     op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN);
     if (op != NULL)
         return nid_objs[*op].nid;
-    if (!ossl_obj_read_lock(1)) {
+    if (!ossl_obj_read_lock()) {
         ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK);
         return NID_undef;
     }
-    if (added != NULL) {
-        ad.type = ADDED_LNAME;
-        ad.obj = &o;
-        adp = lh_ADDED_OBJ_retrieve(added, &ad);
-        if (adp != NULL)
-            nid = adp->obj->nid;
-    }
-    ossl_obj_unlock(1);
+    ad.type = ADDED_LNAME;
+    ad.obj = &o;
+    adp = lh_ADDED_OBJ_retrieve(added, &ad);
+    if (adp != NULL)
+        nid = adp->obj->nid;
+    ossl_obj_unlock();
     return nid;
 }
 
@@ -672,18 +581,16 @@ int OBJ_sn2nid(const char *s)
     op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN);
     if (op != NULL)
         return nid_objs[*op].nid;
-    if (!ossl_obj_read_lock(1)) {
+    if (!ossl_obj_read_lock()) {
         ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK);
         return NID_undef;
     }
-    if (added != NULL) {
-        ad.type = ADDED_SNAME;
-        ad.obj = &o;
-        adp = lh_ADDED_OBJ_retrieve(added, &ad);
-        if (adp != NULL)
-            nid = adp->obj->nid;
-    }
-    ossl_obj_unlock(1);
+    ad.type = ADDED_SNAME;
+    ad.obj = &o;
+    adp = lh_ADDED_OBJ_retrieve(added, &ad);
+    if (adp != NULL)
+        nid = adp->obj->nid;
+    ossl_obj_unlock();
     return nid;
 }
 
@@ -808,20 +715,14 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
         }
     }
 
-    if (!ossl_obj_write_lock(1)) {
-        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
-        ASN1_OBJECT_free(tmpoid);
-        return 0;
-    }
-
     /* If NID is not NID_undef then object already exists */
     if (oid != NULL
-        && ossl_obj_obj2nid(tmpoid, 0) != NID_undef) {
+        && ossl_obj_obj2nid(tmpoid) != NID_undef) {
         ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS);
         goto err;
     }
 
-    tmpoid->nid = obj_new_nid_unlocked(1);
+    tmpoid->nid = OBJ_new_nid(1);
 
     if (tmpoid->nid == NID_undef)
         goto err;
@@ -829,13 +730,14 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
     tmpoid->sn = (char *)sn;
     tmpoid->ln = (char *)ln;
 
-    ok = ossl_obj_add_object(tmpoid, 0);
+    if (OBJ_add_object(tmpoid) != NID_undef)
+        ok = 1;
+
 
     tmpoid->sn = NULL;
     tmpoid->ln = NULL;
 
  err:
-    ossl_obj_unlock(1);
     ASN1_OBJECT_free(tmpoid);
     return ok;
 }
@@ -856,10 +758,65 @@ const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj)
 
 int OBJ_add_object(const ASN1_OBJECT *obj)
 {
-    return ossl_obj_add_object(obj, 1);
+    ASN1_OBJECT *o = NULL;
+    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop[4];
+    int i;
+
+    if ((o = OBJ_dup(obj)) == NULL)
+        return NID_undef;
+    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL
+            || (o->length != 0
+                && obj->data != NULL
+                && (ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+            || (o->sn != NULL
+                && (ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+            || (o->ln != NULL
+                && (ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL))
+        goto err2;
+
+    if (!ossl_obj_write_lock()) {
+        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
+        goto err2;
+    }
+
+    for (i = ADDED_DATA; i <= ADDED_NID; i++) {
+        if (ao[i] != NULL) {
+            ao[i]->type = i;
+            ao[i]->obj = o;
+            aop[i] = lh_ADDED_OBJ_retrieve(added, ao[i]);
+            if (aop[i] != NULL)
+                aop[i]->type = -1;
+            (void)lh_ADDED_OBJ_insert(added, ao[i]);
+            if (lh_ADDED_OBJ_error(added)) {
+                if (aop[i] != NULL)
+                    aop[i]->type = i;
+                while (i-- > ADDED_DATA) {
+                    lh_ADDED_OBJ_delete(added, ao[i]);
+                    if (aop[i] != NULL)
+                        aop[i]->type = i;
+                }
+                ERR_raise(ERR_LIB_OBJ, ERR_R_CRYPTO_LIB);
+                goto err;
+            }
+        }
+    }
+    o->flags &=
+        ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
+          ASN1_OBJECT_FLAG_DYNAMIC_DATA);
+
+    ossl_obj_unlock();
+    return o->nid;
+
+ err:
+    ossl_obj_unlock();
+ err2:
+    for (i = ADDED_DATA; i <= ADDED_NID; i++)
+        OPENSSL_free(ao[i]);
+    ASN1_OBJECT_free(o);
+    return NID_undef;
 }
 
 int OBJ_obj2nid(const ASN1_OBJECT *a)
 {
-    return ossl_obj_obj2nid(a, 1);
+    return ossl_obj_obj2nid(a);
 }

crypto/objects/obj_dat.h

@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[9550] = {
+static const unsigned char so[9571] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1351,9 +1351,11 @@ static const unsigned char so[9550] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1C,  /* [ 9516] OBJ_HKDF_SHA256 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1D,  /* [ 9527] OBJ_HKDF_SHA384 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1E,  /* [ 9538] OBJ_HKDF_SHA512 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,  /* [ 9549] OBJ_id_smime_ori */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,0x03,  /* [ 9559] OBJ_id_smime_ori_kem */
 };
 
-#define NUM_NID 1499
+#define NUM_NID 1501
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2854,9 +2856,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"id-alg-hkdf-with-sha256", "HKDF-SHA256", NID_HKDF_SHA256, 11, &so[9516]},
     {"id-alg-hkdf-with-sha384", "HKDF-SHA384", NID_HKDF_SHA384, 11, &so[9527]},
     {"id-alg-hkdf-with-sha512", "HKDF-SHA512", NID_HKDF_SHA512, 11, &so[9538]},
+    {"id-smime-ori", "id-smime-ori", NID_id_smime_ori, 10, &so[9549]},
+    {"id-smime-ori-kem", "id-smime-ori-kem", NID_id_smime_ori_kem, 11, &so[9559]},
 };
 
-#define NUM_SN 1490
+#define NUM_SN 1492
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -3744,6 +3748,8 @@ static const unsigned int sn_objs[NUM_SN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -4350,7 +4356,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1490
+#define NUM_LN 1492
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -5367,6 +5373,8 @@ static const unsigned int ln_objs[NUM_LN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -5844,7 +5852,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 1347
+#define NUM_OBJ 1349
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -7051,6 +7059,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      193,    /* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
      194,    /* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
      195,    /* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
+    1499,    /* OBJ_id_smime_ori                 1 2 840 113549 1 9 16 13 */
      158,    /* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
      159,    /* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
      160,    /* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
@@ -7169,6 +7178,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      254,    /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
      255,    /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
      256,    /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
+    1500,    /* OBJ_id_smime_ori_kem             1 2 840 113549 1 9 16 13 3 */
      150,    /* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
      151,    /* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
      152,    /* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */

crypto/objects/obj_mac.num

@@ -1496,3 +1496,5 @@ aes_256_cbc_hmac_sha512_etm		1495
 HKDF_SHA256		1496
 HKDF_SHA384		1497
 HKDF_SHA512		1498
+id_smime_ori		1499
+id_smime_ori_kem		1500

crypto/objects/objects.txt

@@ -251,6 +251,7 @@ SMIME 3			: id-smime-alg
 SMIME 4			: id-smime-cd
 SMIME 5			: id-smime-spq
 SMIME 6			: id-smime-cti
+SMIME 13		: id-smime-ori
 
 # S/MIME Modules
 id-smime-mod 1		: id-smime-mod-cms
@@ -355,6 +356,9 @@ id-smime-cti 4		: id-smime-cti-ets-proofOfSender
 id-smime-cti 5		: id-smime-cti-ets-proofOfApproval
 id-smime-cti 6		: id-smime-cti-ets-proofOfCreation
 
+# S/MIME OtherRecipientInfo Type Identifier
+id-smime-ori 3		: id-smime-ori-kem
+
 pkcs9 20		:			: friendlyName
 pkcs9 21		:			: localKeyID
 !Alias ms-corp 1 3 6 1 4 1 311

crypto/params.c

@@ -16,6 +16,7 @@
 #include "internal/endian.h"
 #include "internal/params.h"
 #include "internal/packet.h"
+#include "internal/common.h"
 
 /* Shortcuts for raising errors that are widely used */
 #define err_unsigned_negative \
@@ -52,7 +53,7 @@ static unsigned int real_shift(void)
 
 OSSL_PARAM *OSSL_PARAM_locate(OSSL_PARAM *p, const char *key)
 {
-    if (p != NULL && key != NULL)
+    if (ossl_likely(p != NULL && key != NULL))
         for (; p->key != NULL; p++)
             if (strcmp(key, p->key) == 0)
                 return p;
@@ -868,7 +869,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
         return 0;
     }
 
-    if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) {
+    if (ossl_likely(p->data_type == OSSL_PARAM_UNSIGNED_INTEGER)) {
 #ifndef OPENSSL_SMALL_FOOTPRINT
         switch (p->data_size) {
         case sizeof(uint32_t):

crypto/pem/pem_lib.c

@@ -7,8 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
+/*
+ * We need to use some engine deprecated APIs
+ */
+#include "internal/deprecated.h"
 
 #include <stdio.h>
 #include "crypto/ctype.h"

crypto/pem/pem_pkey.c

@@ -7,8 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
+/*
+ * We need to use some deprecated APIs
+ */
+#include "internal/deprecated.h"
 
 #include <stdio.h>
 #include <openssl/buffer.h>

crypto/perlasm/s390x.pm

@@ -3172,4 +3172,4 @@ sub err {
 	return $ERR{$_[0]};
 }
 
-1;
+no warnings 'void'; 1;

crypto/perlasm/x86_64-xlate.pl

@@ -440,6 +440,7 @@ my %globals;
 	    ($self->{asterisk})				&& ($sz="q") ||
 	    ($mnemonic =~ /^v?mov([qd])$/)		&& ($sz=$1)  ||
 	    ($mnemonic =~ /^v?pinsr([qdwb])$/)		&& ($sz=$1)  ||
+	    ($mnemonic =~ /^vbroadcasti32x4$/)		&& ($sz="x") ||
 	    ($mnemonic =~ /^vpbroadcast([qdwb])$/)	&& ($sz=$1)  ||
 	    ($mnemonic =~ /^v(?!perm)[a-z]+[fi]128$/)	&& ($sz="x");
 

crypto/provider_core.c

@@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle)
     return ERR_pop_to_mark();
 }
 
+static int core_count_to_mark(const OSSL_CORE_HANDLE *handle)
+{
+    return ERR_count_to_mark();
+}
+
 static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx,
                                         OSSL_INDICATOR_CALLBACK **cb)
 {
@@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,
       (void (*)(void))core_clear_last_error_mark },
     { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },
+    { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark },
     { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file },
     { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf },
     { OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex },

crypto/sha/asm/sha256-loongarch64.pl

@@ -0,0 +1,360 @@
+#! /usr/bin/env perl
+# This file is dual-licensed, meaning that you can use it under your
+# choice of either of the following two licenses:
+#
+# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You can obtain
+# a copy in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# or
+#
+# Copyright (c) 2025, Julian Zhu <jz531210@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use warnings;
+
+# $output is the last argument if it looks like a file (it has an extension)
+# $flavour is the first argument if it doesn't look like a file
+my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+$output and open STDOUT,">$output";
+
+my $code=<<___;
+.text
+___
+
+my $K256 = "K256";
+
+# Function arguments
+my ($zero,$ra,$tp,$sp,$fp)=map("\$r$_",(0..3,22));
+my ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11));
+my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$x)=map("\$r$_",(12..21));
+my ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8)=map("\$r$_",(23..31));
+
+my ($INP, $LEN, $ADDR) = ($a1, $a2, $sp);
+my ($KT, $T1, $T2, $T3, $T4, $T5, $T6) = ($t0, $t1, $t2, $t3, $t4, $t5, $t6);
+my ($A, $B, $C, $D ,$E ,$F ,$G ,$H) = ($s0, $s1, $s2, $s3, $s4, $s5, $s6, $s7);
+
+sub MSGSCHEDULE0 {
+    my ($index) = @_;
+    my $code=<<___;
+    ld.w $T1, $INP, 4*$index
+    revb.2w $T1, $T1
+    st.w $T1, $ADDR, 4*$index
+___
+    return $code;
+}
+
+sub MSGSCHEDULE1 {
+    my ($index) = @_;
+    my $code=<<___;
+    ld.w $T1, $ADDR, (($index-2)&0x0f)*4
+    ld.w $T2, $ADDR, (($index-15)&0x0f)*4
+    ld.w $T3, $ADDR, (($index-7)&0x0f)*4
+    ld.w $T4, $ADDR, ($index&0x0f)*4
+    rotri.w $T5, $T1, 17
+    rotri.w $T6, $T1, 19
+    srli.w $T1, $T1, 10
+    xor $T1, $T1, $T5
+    xor $T1, $T1, $T6
+    add.w $T1, $T1, $T3
+    rotri.w $T5, $T2, 7
+    rotri.w $T6, $T2, 18
+    srli.w $T2, $T2, 3
+    xor $T2, $T2, $T5
+    xor $T2, $T2, $T6
+    add.w $T1, $T1, $T2
+    add.w $T1, $T1, $T4
+    st.w $T1, $ADDR, ($index&0x0f)*4
+___
+    return $code;
+}
+
+sub sha256_T1 {
+    my ($index, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    ld.w $T4, $KT, 4*$index
+    add.w $h, $h, $T1
+    add.w $h, $h, $T4
+    rotri.w $T2, $e, 6
+    rotri.w $T3, $e, 11
+    rotri.w $T4, $e, 25
+    xor $T2, $T2, $T3
+    xor $T1, $f, $g
+    xor $T2, $T2, $T4
+    and $T1, $T1, $e
+    add.w $h, $h, $T2
+    xor $T1, $T1, $g
+    add.w $T1, $T1, $h
+___
+    return $code;
+}
+
+sub sha256_T2 {
+    my ($a, $b, $c) = @_;
+    my $code=<<___;
+    rotri.w $T2, $a, 2
+    rotri.w $T3, $a, 13
+    rotri.w $T4, $a, 22
+    xor $T2, $T2, $T3
+    xor $T2, $T2, $T4
+    xor $T4, $b, $c
+    and $T3, $b, $c
+    and $T4, $T4, $a
+    xor $T4, $T4, $T3
+    add.w $T2, $T2, $T4
+___
+    return $code;
+}
+
+sub SHA256ROUND {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[sha256_T1 $index, $e, $f, $g, $h]}
+    @{[sha256_T2 $a, $b, $c]}
+    add.w $d, $d, $T1
+    add.w $h, $T2, $T1
+___
+    return $code;
+}
+
+sub SHA256ROUND0 {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[MSGSCHEDULE0 $index]}
+    @{[SHA256ROUND $index, $a, $b, $c, $d, $e, $f, $g, $h]}
+___
+    return $code;
+}
+
+sub SHA256ROUND1 {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[MSGSCHEDULE1 $index]}
+    @{[SHA256ROUND $index, $a, $b, $c, $d, $e, $f, $g, $h]}
+___
+    return $code;
+}
+
+################################################################################
+# void sha256_block_data_order(void *c, const void *p, size_t len)
+$code .= <<___;
+.p2align 3
+.globl sha256_block_data_order
+.type   sha256_block_data_order,\@function
+sha256_block_data_order:
+
+    addi.d $sp, $sp, -80
+
+    st.d $s0, $sp, 0
+    st.d $s1, $sp, 8
+    st.d $s2, $sp, 16
+    st.d $s3, $sp, 24
+    st.d $s4, $sp, 32
+    st.d $s5, $sp, 40
+    st.d $s6, $sp, 48
+    st.d $s7, $sp, 56
+    st.d $s8, $sp, 64
+    st.d $fp, $sp, 72
+
+    addi.d $sp, $sp, -64
+
+    la $KT, $K256
+
+    # load ctx
+    ld.w $A, $a0, 0
+    ld.w $B, $a0, 4
+    ld.w $C, $a0, 8
+    ld.w $D, $a0, 12
+    ld.w $E, $a0, 16
+    ld.w $F, $a0, 20
+    ld.w $G, $a0, 24
+    ld.w $H, $a0, 28
+
+L_round_loop:
+    # Decrement length by 1
+    addi.d $LEN, $LEN, -1
+
+    @{[SHA256ROUND0 0, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND0 1, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND0 2, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND0 3, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND0 4, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND0 5, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND0 6, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND0 7, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND0 8, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND0 9, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND0 10, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND0 11, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND0 12, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND0 13, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND0 14, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND0 15, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 16, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 17, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 18, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 19, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 20, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 21, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 22, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 23, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 24, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 25, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 26, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 27, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 28, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 29, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 30, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 31, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 32, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 33, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 34, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 35, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 36, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 37, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 38, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 39, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 40, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 41, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 42, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 43, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 44, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 45, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 46, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 47, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 48, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 49, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 50, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 51, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 52, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 53, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 54, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 55, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA256ROUND1 56, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA256ROUND1 57, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA256ROUND1 58, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA256ROUND1 59, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA256ROUND1 60, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA256ROUND1 61, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA256ROUND1 62, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA256ROUND1 63, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    ld.w $T1, $a0, 0
+    ld.w $T2, $a0, 4
+    ld.w $T3, $a0, 8
+    ld.w $T4, $a0, 12
+
+    add.w $A, $A, $T1
+    add.w $B, $B, $T2
+    add.w $C, $C, $T3
+    add.w $D, $D, $T4
+
+    st.w $A, $a0, 0
+    st.w $B, $a0, 4
+    st.w $C, $a0, 8
+    st.w $D, $a0, 12
+
+    ld.w $T1, $a0, 16
+    ld.w $T2, $a0, 20
+    ld.w $T3, $a0, 24
+    ld.w $T4, $a0, 28
+
+    add.w $E, $E, $T1
+    add.w $F, $F, $T2
+    add.w $G, $G, $T3
+    add.w $H, $H, $T4
+
+    st.w $E, $a0, 16
+    st.w $F, $a0, 20
+    st.w $G, $a0, 24
+    st.w $H, $a0, 28
+
+    addi.d $INP, $INP, 64
+
+    bnez $LEN, L_round_loop
+
+    addi.d $sp, $sp, 64
+
+    ld.d $s0, $sp, 0
+    ld.d $s1, $sp, 8
+    ld.d $s2, $sp, 16
+    ld.d $s3, $sp, 24
+    ld.d $s4, $sp, 32
+    ld.d $s5, $sp, 40
+    ld.d $s6, $sp, 48
+    ld.d $s7, $sp, 56
+    ld.d $s8, $sp, 64
+    ld.d $fp, $sp, 72
+
+    addi.d $sp, $sp, 80
+
+    ret
+.size sha256_block_data_order,.-sha256_block_data_order
+
+.section .rodata
+.p2align 3
+.type $K256,\@object
+$K256:
+    .word 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5
+    .word 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5
+    .word 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3
+    .word 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174
+    .word 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc
+    .word 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da
+    .word 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7
+    .word 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967
+    .word 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13
+    .word 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85
+    .word 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3
+    .word 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070
+    .word 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5
+    .word 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3
+    .word 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208
+    .word 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+.size $K256,.-$K256
+___
+
+print $code;
+
+close STDOUT or die "error closing STDOUT: $!";

crypto/sha/asm/sha512-loongarch64.pl

@@ -0,0 +1,405 @@
+#! /usr/bin/env perl
+# This file is dual-licensed, meaning that you can use it under your
+# choice of either of the following two licenses:
+#
+# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You can obtain
+# a copy in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# or
+#
+# Copyright (c) 2025, Julian Zhu <jz531210@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use warnings;
+
+# $output is the last argument if it looks like a file (it has an extension)
+# $flavour is the first argument if it doesn't look like a file
+my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+$output and open STDOUT,">$output";
+
+my $code=<<___;
+.text
+___
+
+my $K512 = "K512";
+
+# Function arguments
+
+my ($zero,$ra,$tp,$sp,$fp)=map("\$r$_",(0..3,22));
+my ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11));
+my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$x)=map("\$r$_",(12..21));
+my ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8)=map("\$r$_",(23..31));
+
+my ($INP, $LEN, $ADDR) = ($a1, $a2, $sp);
+my ($KT, $T1, $T2, $T3, $T4, $T5, $T6) = ($t0, $t1, $t2, $t3, $t4, $t5, $t6);
+my ($A, $B, $C, $D ,$E ,$F ,$G ,$H) = ($s0, $s1, $s2, $s3, $s4, $s5, $s6, $s7);
+
+sub MSGSCHEDULE0 {
+    my ($index) = @_;
+    my $code=<<___;
+    ld.d $T1, $INP, 8*$index
+    revb.d $T1, $T1
+    st.d $T1, $ADDR, 8*$index
+___
+    return $code;
+}
+
+sub MSGSCHEDULE1 {
+    my ($index) = @_;
+    my $code=<<___;
+    ld.d $T1, $ADDR, (($index-2)&0x0f)*8
+    ld.d $T2, $ADDR, (($index-15)&0x0f)*8
+    ld.d $T3, $ADDR, (($index-7)&0x0f)*8
+    ld.d $T4, $ADDR, ($index&0x0f)*8
+    rotri.d $T5, $T1, 19
+    rotri.d $T6, $T1, 61
+    srli.d $T1, $T1, 6
+    xor $T1, $T1, $T5
+    xor $T1, $T1, $T6
+    add.d $T1, $T1, $T3
+    rotri.d $T5, $T2, 1
+    rotri.d $T6, $T2, 8
+    srli.d $T2, $T2, 7
+    xor $T2, $T2, $T5
+    xor $T2, $T2, $T6
+    add.d $T1, $T1, $T2
+    add.d $T1, $T1, $T4
+    st.d $T1, $ADDR, 8*($index&0x0f)
+___
+    return $code;
+}
+
+sub sha512_T1 {
+    my ($index, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    ld.d $T4, $KT, 8*$index
+    add.d $h, $h, $T1
+    add.d $h, $h, $T4
+    rotri.d $T2, $e, 14
+    rotri.d $T3, $e, 18
+    rotri.d $T4, $e, 41
+    xor $T2, $T2, $T3
+    xor $T1, $f, $g
+    xor $T2, $T2, $T4
+    and $T1, $T1, $e
+    add.d $h, $h, $T2
+    xor $T1, $T1, $g
+    add.d $T1, $T1, $h
+___
+    return $code;
+}
+
+sub sha512_T2 {
+    my ($a, $b, $c) = @_;
+    my $code=<<___;
+    rotri.d $T2, $a, 28
+    rotri.d $T3, $a, 34
+    rotri.d $T4, $a, 39
+    xor $T2, $T2, $T3
+    xor $T5, $b, $c
+    and $T3, $b, $c
+    and $T5, $T5, $a
+    xor $T2, $T2, $T4
+    xor $T3, $T3, $T5
+    add.d $T2, $T2, $T3
+___
+    return $code;
+}
+
+sub SHA512ROUND {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[sha512_T1 $index, $e, $f, $g, $h]}
+    @{[sha512_T2 $a, $b, $c]}
+    add.d $d, $d, $T1
+    add.d $h, $T2, $T1
+___
+    return $code;
+}
+
+sub SHA512ROUND0 {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[MSGSCHEDULE0 $index]}
+    @{[SHA512ROUND $index, $a, $b, $c, $d, $e, $f, $g, $h]}
+___
+    return $code;
+}
+
+sub SHA512ROUND1 {
+    my ($index, $a, $b, $c, $d, $e, $f, $g, $h) = @_;
+    my $code=<<___;
+    @{[MSGSCHEDULE1 $index]}
+    @{[SHA512ROUND $index, $a, $b, $c, $d, $e, $f, $g, $h]}
+___
+    return $code;
+}
+
+################################################################################
+# void sha512_block_data_order(void *c, const void *p, size_t len)
+$code .= <<___;
+.p2align 3
+.globl sha512_block_data_order
+.type   sha512_block_data_order,\@function
+sha512_block_data_order:
+
+    addi.d $sp, $sp, -80
+
+    st.d $s0, $sp, 0
+    st.d $s1, $sp, 8
+    st.d $s2, $sp, 16
+    st.d $s3, $sp, 24
+    st.d $s4, $sp, 32
+    st.d $s5, $sp, 40
+    st.d $s6, $sp, 48
+    st.d $s7, $sp, 56
+    st.d $s8, $sp, 64
+    st.d $fp, $sp, 72
+
+    addi.d $sp, $sp, -128
+
+    la $KT, $K512
+
+    # load ctx
+    ld.d $A, $a0, 0
+    ld.d $B, $a0, 8
+    ld.d $C, $a0, 16
+    ld.d $D, $a0, 24
+    ld.d $E, $a0, 32
+    ld.d $F, $a0, 40
+    ld.d $G, $a0, 48
+    ld.d $H, $a0, 56
+
+L_round_loop:
+    # Decrement length by 1
+    addi.d $LEN, $LEN, -1
+
+    @{[SHA512ROUND0 0, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND0 1, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND0 2, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND0 3, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND0 4, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND0 5, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND0 6, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND0 7, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND0 8, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND0 9, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND0 10, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND0 11, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND0 12, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND0 13, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND0 14, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND0 15, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 16, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 17, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 18, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 19, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 20, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 21, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 22, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 23, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 24, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 25, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 26, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 27, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 28, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 29, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 30, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 31, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 32, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 33, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 34, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 35, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 36, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 37, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 38, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 39, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 40, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 41, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 42, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 43, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 44, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 45, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 46, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 47, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 48, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 49, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 50, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 51, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 52, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 53, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 54, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 55, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 56, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 57, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 58, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 59, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 60, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 61, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 62, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 63, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 64, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 65, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 66, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 67, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 68, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 69, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 70, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 71, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    @{[SHA512ROUND1 72, $A, $B, $C, $D, $E, $F, $G, $H]}
+    @{[SHA512ROUND1 73, $H, $A, $B, $C, $D, $E, $F, $G]}
+    @{[SHA512ROUND1 74, $G, $H, $A, $B, $C, $D, $E, $F]}
+    @{[SHA512ROUND1 75, $F, $G, $H, $A, $B, $C, $D, $E]}
+
+    @{[SHA512ROUND1 76, $E, $F, $G, $H, $A, $B, $C, $D]}
+    @{[SHA512ROUND1 77, $D, $E, $F, $G, $H, $A, $B, $C]}
+    @{[SHA512ROUND1 78, $C, $D, $E, $F, $G, $H, $A, $B]}
+    @{[SHA512ROUND1 79, $B, $C, $D, $E, $F, $G, $H, $A]}
+
+    ld.d $T1, $a0, 0
+    ld.d $T2, $a0, 8
+    ld.d $T3, $a0, 16
+    ld.d $T4, $a0, 24
+
+    add.d $A, $A, $T1
+    add.d $B, $B, $T2
+    add.d $C, $C, $T3
+    add.d $D, $D, $T4
+
+    st.d $A, $a0, 0
+    st.d $B, $a0, 8
+    st.d $C, $a0, 16
+    st.d $D, $a0, 24
+
+    ld.d $T1, $a0, 32
+    ld.d $T2, $a0, 40
+    ld.d $T3, $a0, 48
+    ld.d $T4, $a0, 56
+
+    add.d $E, $E, $T1
+    add.d $F, $F, $T2
+    add.d $G, $G, $T3
+    add.d $H, $H, $T4
+
+    st.d $E, $a0, 32
+    st.d $F, $a0, 40
+    st.d $G, $a0, 48
+    st.d $H, $a0, 56
+
+    addi.d $INP, $INP, 128
+
+    bnez $LEN, L_round_loop
+
+    addi.d $sp, $sp, 128
+
+    ld.d $s0, $sp, 0
+    ld.d $s1, $sp, 8
+    ld.d $s2, $sp, 16
+    ld.d $s3, $sp, 24
+    ld.d $s4, $sp, 32
+    ld.d $s5, $sp, 40
+    ld.d $s6, $sp, 48
+    ld.d $s7, $sp, 56
+    ld.d $s8, $sp, 64
+    ld.d $fp, $sp, 72
+
+    addi.d $sp, $sp, 80
+
+    ret
+.size sha512_block_data_order,.-sha512_block_data_order
+
+.section .rodata
+.p2align 3
+.type $K512,\@object
+$K512:
+    .dword 0x428a2f98d728ae22, 0x7137449123ef65cd
+    .dword 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc
+    .dword 0x3956c25bf348b538, 0x59f111f1b605d019
+    .dword 0x923f82a4af194f9b, 0xab1c5ed5da6d8118
+    .dword 0xd807aa98a3030242, 0x12835b0145706fbe
+    .dword 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2
+    .dword 0x72be5d74f27b896f, 0x80deb1fe3b1696b1
+    .dword 0x9bdc06a725c71235, 0xc19bf174cf692694
+    .dword 0xe49b69c19ef14ad2, 0xefbe4786384f25e3
+    .dword 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65
+    .dword 0x2de92c6f592b0275, 0x4a7484aa6ea6e483
+    .dword 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5
+    .dword 0x983e5152ee66dfab, 0xa831c66d2db43210
+    .dword 0xb00327c898fb213f, 0xbf597fc7beef0ee4
+    .dword 0xc6e00bf33da88fc2, 0xd5a79147930aa725
+    .dword 0x06ca6351e003826f, 0x142929670a0e6e70
+    .dword 0x27b70a8546d22ffc, 0x2e1b21385c26c926
+    .dword 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df
+    .dword 0x650a73548baf63de, 0x766a0abb3c77b2a8
+    .dword 0x81c2c92e47edaee6, 0x92722c851482353b
+    .dword 0xa2bfe8a14cf10364, 0xa81a664bbc423001
+    .dword 0xc24b8b70d0f89791, 0xc76c51a30654be30
+    .dword 0xd192e819d6ef5218, 0xd69906245565a910
+    .dword 0xf40e35855771202a, 0x106aa07032bbd1b8
+    .dword 0x19a4c116b8d2d0c8, 0x1e376c085141ab53
+    .dword 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8
+    .dword 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb
+    .dword 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3
+    .dword 0x748f82ee5defb2fc, 0x78a5636f43172f60
+    .dword 0x84c87814a1f0ab72, 0x8cc702081a6439ec
+    .dword 0x90befffa23631e28, 0xa4506cebde82bde9
+    .dword 0xbef9a3f7b2c67915, 0xc67178f2e372532b
+    .dword 0xca273eceea26619c, 0xd186b8c721c0c207
+    .dword 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178
+    .dword 0x06f067aa72176fba, 0x0a637dc5a2c898a6
+    .dword 0x113f9804bef90dae, 0x1b710b35131c471b
+    .dword 0x28db77f523047d84, 0x32caab7b40c72493
+    .dword 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c
+    .dword 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a
+    .dword 0x5fcb6fab3ad6faec, 0x6c44198c4a475817
+.size $K512,.-$K512
+___
+
+print $code;
+
+close STDOUT or die "error closing STDOUT: $!";

crypto/sha/build.info

@@ -18,6 +18,9 @@ IF[{- !$disabled{asm} -}]
   $SHA1ASM_alpha=sha1-alpha.S
   $SHA1DEF_alpha=SHA1_ASM
 
+  $SHA1ASM_loongarch64=sha256-loongarch64.S sha512-loongarch64.S
+  $SHA1DEF_loongarch64=SHA256_ASM SHA512_ASM
+
   $SHA1ASM_mips32=sha1-mips.S sha256-mips.S
   $SHA1DEF_mips32=SHA1_ASM SHA256_ASM
   $SHA1ASM_mips64=$SHA1ASM_mips32 sha512-mips.S
@@ -133,6 +136,11 @@ GENERATE[sha1-parisc.s]=asm/sha1-parisc.pl
 GENERATE[sha256-parisc.s]=asm/sha512-parisc.pl
 GENERATE[sha512-parisc.s]=asm/sha512-parisc.pl
 
+GENERATE[sha256-loongarch64.S]=asm/sha256-loongarch64.pl
+INCLUDE[sha256-loongarch64.o]=..
+GENERATE[sha512-loongarch64.S]=asm/sha512-loongarch64.pl
+INCLUDE[sha512-loongarch64.o]=..
+
 GENERATE[sha1-mips.S]=asm/sha1-mips.pl
 INCLUDE[sha1-mips.o]=..
 GENERATE[sha256-mips.S]=asm/sha512-mips.pl

crypto/sm2/sm2_sign.c

@@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
     BIGNUM *tmp = NULL;
     OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
 
+    if (dA == NULL) {
+        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY);
+        goto done;
+    }
     kG = EC_POINT_new(group);
     if (kG == NULL) {
         ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);

crypto/store/store_lib.c

@@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
     if (ctx->loader != NULL)
         OSSL_TRACE(STORE, "Loading next object\n");
 
-    if (ctx->cached_info != NULL
-        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
-        sk_OSSL_STORE_INFO_free(ctx->cached_info);
-        ctx->cached_info = NULL;
-    }
-
     if (ctx->cached_info != NULL) {
         v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
     } else {
@@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
 
 int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
 {
-    int ret = 1;
+    int ret = 0;
 
-    if (ctx->fetched_loader != NULL)
-        ret = ctx->loader->p_eof(ctx->loader_ctx);
+    if (ctx->cached_info != NULL
+        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
+        sk_OSSL_STORE_INFO_free(ctx->cached_info);
+        ctx->cached_info = NULL;
+    }
+
+    if (ctx->cached_info == NULL) {
+        ret = 1;
+        if (ctx->fetched_loader != NULL)
+            ret = ctx->loader->p_eof(ctx->loader_ctx);
 #ifndef OPENSSL_NO_DEPRECATED_3_0
-    if (ctx->fetched_loader == NULL)
-        ret = ctx->loader->eof(ctx->loader_ctx);
+        if (ctx->fetched_loader == NULL)
+            ret = ctx->loader->eof(ctx->loader_ctx);
 #endif
+    }
     return ret != 0;
 }
 

crypto/threads_pthread.c

@@ -901,7 +901,7 @@ void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock)
 
 int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void))
 {
-    if (pthread_once(once, init) != 0)
+    if (ossl_unlikely(pthread_once(once, init) != 0))
         return 0;
 
     return 1;

crypto/x509/t_x509.c

@@ -7,6 +7,11 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * because of EVP_PKEY_asn1_find deprecation
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/buffer.h>
@@ -287,7 +292,9 @@ int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
 int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
                          const ASN1_STRING *sig)
 {
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     int sig_nid;
+#endif
     int indent = 4;
     if (BIO_printf(bp, "%*sSignature Algorithm: ", indent, "") <= 0)
         return 0;
@@ -296,6 +303,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
 
     if (sig && BIO_printf(bp, "\n%*sSignature Value:", indent, "") <= 0)
         return 0;
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     sig_nid = OBJ_obj2nid(sigalg->algorithm);
     if (sig_nid != NID_undef) {
         int pkey_nid, dig_nid;
@@ -306,6 +314,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
                 return ameth->sig_print(bp, sigalg, sig, indent + 4, 0);
         }
     }
+#endif
     if (BIO_write(bp, "\n", 1) != 1)
         return 0;
     if (sig)

crypto/x509/v3_ac_tgt.c

@@ -7,6 +7,11 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Needed for EVP_PKEY_asn1_find
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <stdio.h>
 #include <openssl/x509_acert.h>
 #include <crypto/x509_acert.h>
@@ -103,15 +108,16 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                            BIO *out, int indent)
 {
     int64_t dot = 0;
+#ifndef OPENSSL_NO_DEPRECATED_3_6
     int sig_nid;
     X509_ALGOR *digalg;
+#endif
     ASN1_STRING *sig;
 
     if (odi == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    digalg = &odi->digestAlgorithm;
     sig = &odi->objectDigest;
     if (!ASN1_ENUMERATED_get_int64(&dot, &odi->digestedObjectType)) {
         return 0;
@@ -139,6 +145,8 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
     BIO_puts(out, "\n");
     if (BIO_printf(out, "\n%*sSignature Value: ", indent, "") <= 0)
         return 0;
+#ifndef OPENSSL_NO_DEPRECATED_3_6
+    digalg = &odi->digestAlgorithm;
     sig_nid = OBJ_obj2nid(odi->digestAlgorithm.algorithm);
     if (sig_nid != NID_undef) {
         int pkey_nid, dig_nid;
@@ -149,6 +157,7 @@ static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                 return ameth->sig_print(out, digalg, sig, indent + 4, 0);
         }
     }
+#endif
     if (BIO_write(out, "\n", 1) != 1)
         return 0;
     if (sig)

crypto/x509/x509_set.c

@@ -7,6 +7,11 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * because of EVP_PKEY_asn1_find deprecation
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include "internal/refcount.h"

crypto/x509/x509_txt.c

@@ -174,6 +174,16 @@ const char *X509_verify_cert_error_string(long n)
         return "OCSP verification failed";
     case X509_V_ERR_OCSP_CERT_UNKNOWN:
         return "OCSP unknown cert";
+    case X509_V_ERR_OCSP_RESP_INVALID:
+        return "OCSP response(s) invalid";
+    case X509_V_ERR_OCSP_SIGNATURE_FAILURE:
+        return "OCSP response signature verification failure";
+    case X509_V_ERR_OCSP_NOT_YET_VALID:
+        return "OCSP response not yet valid (contains a date in the future)";
+    case X509_V_ERR_OCSP_HAS_EXPIRED:
+        return "OCSP response has expired";
+    case X509_V_ERR_OCSP_NO_RESPONSE:
+        return "no OCSP response available for certificate";
     case X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM:
         return "Cannot find certificate signature algorithm";
     case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:

crypto/x509/x509_vfy.c

@@ -22,6 +22,7 @@
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include "internal/dane.h"
@@ -55,7 +56,10 @@ static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_id(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
 static int check_revocation(X509_STORE_CTX *ctx);
-static int check_cert(X509_STORE_CTX *ctx);
+#ifndef OPENSSL_NO_OCSP
+static int check_cert_ocsp_resp(X509_STORE_CTX *ctx);
+#endif
+static int check_cert_crl(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
 static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
 static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert);
@@ -184,6 +188,24 @@ static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
     return ctx->verify_cb(0, ctx);
 }
 
+#ifndef OPENSSL_NO_OCSP
+/*
+ * Inform the verify callback of an error, OCSP-specific variant.
+ * It is called also on OCSP response errors, if the
+ * X509_V_FLAG_OCSP_RESP_CHECK or X509_V_FLAG_OCSP_RESP_CHECK_ALL flag
+ * is set.
+ * Here, the error depth and certificate are already set, we just specify
+ * the error number.
+ *
+ * Returns 0 to abort verification with an error, non-zero to continue.
+ */
+static int verify_cb_ocsp(X509_STORE_CTX *ctx, int err)
+{
+    ctx->error = err;
+    return ctx->verify_cb(0, ctx);
+}
+#endif
+
 /* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
 static int check_auth_level(X509_STORE_CTX *ctx)
 {
@@ -225,7 +247,6 @@ static int verify_rpk(X509_STORE_CTX *ctx)
     return !!ctx->verify_cb(ctx->error == X509_V_OK, ctx);
 }
 
-
 /*-
  * Returns -1 on internal error.
  * Sadly, returns 0 also on internal error in ctx->verify_cb().
@@ -1037,28 +1058,209 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
 static int check_revocation(X509_STORE_CTX *ctx)
 {
     int i = 0, last = 0, ok = 0;
+    int crl_check_enabled =
+        (ctx->param->flags &
+         (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)) != 0;
+    int crl_check_all_enabled =
+        (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) != 0;
+    int ocsp_check_enabled =
+        (ctx->param->flags &
+         (X509_V_FLAG_OCSP_RESP_CHECK | X509_V_FLAG_OCSP_RESP_CHECK_ALL)) != 0;
+    int ocsp_check_all_enabled =
+        (ctx->param->flags & X509_V_FLAG_OCSP_RESP_CHECK_ALL) != 0;
 
-    if ((ctx->param->flags & X509_V_FLAG_CRL_CHECK) == 0)
+    if (!crl_check_enabled && !ocsp_check_enabled)
         return 1;
-    if ((ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) != 0) {
-        last = sk_X509_num(ctx->chain) - 1;
-    } else {
-        /* If checking CRL paths this isn't the EE certificate */
-        if (ctx->parent != NULL)
-            return 1;
-        last = 0;
+
+    if (ocsp_check_enabled) {
+#ifndef OPENSSL_NO_OCSP
+        /*
+         * certificate status checking with OCSP
+         */
+        if (ocsp_check_all_enabled)
+            last = sk_X509_num(ctx->chain) - 1;
+        else if (!crl_check_all_enabled && ctx->parent != NULL)
+            return 1; /* If checking CRL paths this isn't the EE certificate */
+
+        for (i = 0; i <= last; i++) {
+            ctx->error_depth = i;
+            ctx->current_cert = sk_X509_value(ctx->chain, i);
+
+            /* skip if cert is apparently self-signed */
+            if (ctx->current_cert->ex_flags & EXFLAG_SS)
+                continue;
+
+            /* the issuer certificate is the next in the chain */
+            ctx->current_issuer = sk_X509_value(ctx->chain, i + 1);
+
+            ok = check_cert_ocsp_resp(ctx);
+
+            /*
+             * In the case the certificate status is REVOKED, the verification
+             * can stop here.
+             */
+            if (ok == V_OCSP_CERTSTATUS_REVOKED) {
+                return verify_cb_ocsp(ctx, ctx->error != 0
+                                      ? ctx->error
+                                      : X509_V_ERR_OCSP_VERIFY_FAILED);
+            }
+
+            /*
+             * In the case the certificate status is GOOD, continue with the next
+             * certificate.
+             */
+            if (ok == V_OCSP_CERTSTATUS_GOOD)
+                continue;
+
+            /*
+             * As stated in RFC 6961 section 2.2:
+             * If OCSP is not enabled or the client receives a "ocsp_response_list"
+             * that does not contain a response for one or more of the certificates
+             * in the completed certificate chain, the client SHOULD attempt to
+             * validate the certificate using an alternative retrieval method,
+             * such as downloading the relevant CRL;
+             */
+            if (crl_check_all_enabled || (crl_check_enabled && i == 0)) {
+                ok = check_cert_crl(ctx);
+                if (!ok)
+                    return ok;
+            } else {
+                ok = verify_cb_ocsp(ctx, X509_V_ERR_OCSP_VERIFY_FAILED);
+                if (!ok)
+                    return ok;
+            }
+        }
+#endif
     }
-    for (i = 0; i <= last; i++) {
-        ctx->error_depth = i;
-        ok = check_cert(ctx);
-        if (!ok)
-            return ok;
+
+    if (crl_check_enabled && !ocsp_check_all_enabled) {
+        /* certificate status check with CRLs */
+        if (crl_check_all_enabled) {
+            last = sk_X509_num(ctx->chain) - 1;
+        } else {
+            /* If checking CRL paths this isn't the EE certificate */
+            if (ctx->parent != NULL)
+                return 1;
+            last = 0;
+        }
+
+        /*
+         * in the case that OCSP is only enabled for the server certificate
+         * and CRL for the complete chain, the rest of the chain has to be
+         * checked here
+         */
+        if (ocsp_check_enabled && crl_check_all_enabled)
+            i = 1;
+        else
+            i = 0;
+        for (; i <= last; i++) {
+            ctx->error_depth = i;
+            ok = check_cert_crl(ctx);
+            if (!ok)
+                return ok;
+        }
     }
+
     return 1;
 }
 
+#ifndef OPENSSL_NO_OCSP
+static int check_cert_ocsp_resp(X509_STORE_CTX *ctx)
+{
+    int cert_status, crl_reason;
+    int i;
+    OCSP_RESPONSE *resp = NULL;
+    OCSP_BASICRESP *bs = NULL;
+    OCSP_SINGLERESP *sr = NULL;
+    OCSP_CERTID *sr_cert_id = NULL;
+    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+    ASN1_OBJECT *cert_id_md_oid;
+    EVP_MD *cert_id_md;
+    OCSP_CERTID *cert_id = NULL;
+    int ret = V_OCSP_CERTSTATUS_UNKNOWN;
+    int num;
+
+    num = sk_OCSP_RESPONSE_num(ctx->ocsp_resp);
+
+    if (num < 0 || num <= ctx->error_depth)
+        return X509_V_ERR_OCSP_NO_RESPONSE;
+
+    if ((resp = sk_OCSP_RESPONSE_value(ctx->ocsp_resp, ctx->error_depth)) == NULL
+        || (bs = OCSP_response_get1_basic(resp)) == NULL
+        || (num = OCSP_resp_count(bs)) < 1)
+        return X509_V_ERR_OCSP_NO_RESPONSE;
+
+    if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+        OCSP_BASICRESP_free(bs);
+        ret = X509_V_ERR_OCSP_RESP_INVALID;
+        goto end;
+    }
+
+    if (OCSP_basic_verify(bs, ctx->chain, ctx->store, OCSP_TRUSTOTHER) <= 0) {
+        ret = X509_V_ERR_OCSP_SIGNATURE_FAILURE;
+        goto end;
+    }
+
+    /* find the right single response in the OCSP response */
+    for (i = 0; i < num; i++) {
+        sr = OCSP_resp_get0(bs, i);
+
+        /* determine the md algorithm which was used to create cert id */
+        sr_cert_id = (OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sr);
+        OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, sr_cert_id);
+        if (cert_id_md_oid != NULL)
+            cert_id_md = (EVP_MD *)EVP_get_digestbyobj(cert_id_md_oid);
+        else
+            cert_id_md = NULL;
+
+        /* search the stack for the requested OCSP response */
+        cert_id = OCSP_cert_to_id(cert_id_md, ctx->current_cert, ctx->current_issuer);
+        if (cert_id == NULL) {
+            ret = X509_V_ERR_OCSP_RESP_INVALID;
+            goto end;
+        }
+
+        if (!OCSP_id_cmp(cert_id, sr_cert_id))
+            break;
+
+        OCSP_CERTID_free(cert_id);
+        cert_id = NULL;
+    }
+
+    if (cert_id == NULL) {
+        ret = X509_V_ERR_OCSP_NO_RESPONSE;
+        goto end;
+    }
+
+    if (OCSP_resp_find_status(bs, cert_id, &cert_status, &crl_reason, &rev,
+                              &thisupd, &nextupd) <= 0) {
+        ret = X509_V_ERR_OCSP_RESP_INVALID;
+        goto end;
+    }
+
+    if (cert_status == V_OCSP_CERTSTATUS_GOOD) {
+        /*
+         * Note:
+         * A OCSP stapling result will be accepted up to 5 minutes
+         * after it expired!
+         */
+        if (!OCSP_check_validity(thisupd, nextupd, 300L, -1L))
+            ret = X509_V_ERR_OCSP_HAS_EXPIRED;
+        else
+            ret = V_OCSP_CERTSTATUS_GOOD;
+    } else {
+        ret = cert_status;
+    }
+
+end:
+    OCSP_CERTID_free(cert_id);
+    OCSP_BASICRESP_free(bs);
+    return ret;
+}
+#endif
+
 /* Sadly, returns 0 also on internal error. */
-static int check_cert(X509_STORE_CTX *ctx)
+static int check_cert_crl(X509_STORE_CTX *ctx)
 {
     X509_CRL *crl = NULL, *dcrl = NULL;
     int ok = 0;
@@ -1070,6 +1272,9 @@ static int check_cert(X509_STORE_CTX *ctx)
     ctx->current_crl_score = 0;
     ctx->current_reasons = 0;
 
+    /* skip if cert is apparently self-signed */
+    if (ctx->current_cert->ex_flags & EXFLAG_SS)
+        return 1;
     if ((x->ex_flags & EXFLAG_PROXY) != 0)
         return 1;
 
@@ -1645,7 +1850,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
 
     sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
 
- done:
+done:
     /* If we got any kind of CRL use it and return success */
     if (crl != NULL) {
         ctx->current_issuer = issuer;
@@ -2374,6 +2579,13 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
     ctx->crls = sk;
 }
 
+#ifndef OPENSSL_NO_OCSP
+void X509_STORE_CTX_set_ocsp_resp(X509_STORE_CTX *ctx, STACK_OF(OCSP_RESPONSE) *sk)
+{
+    ctx->ocsp_resp = sk;
+}
+#endif
+
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
 {
     /*
@@ -2490,7 +2702,6 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
     OPENSSL_free(ctx);
 }
 
-
 int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *store, EVP_PKEY *rpk)
 {
     if (!X509_STORE_CTX_init(ctx, store, NULL, NULL))
@@ -2531,6 +2742,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     ctx->rpk = NULL;
     /* Zero ex_data to make sure we're cleanup-safe */
     memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
+    ctx->ocsp_resp = NULL;
 
     /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */
     if (store != NULL)
@@ -2690,7 +2902,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
 void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx,
                                         unsigned int current_reasons)
 {
-   ctx->current_reasons = current_reasons;
+    ctx->current_reasons = current_reasons;
 }
 
 X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
@@ -2767,7 +2979,7 @@ X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx)
 void X509_STORE_CTX_set_get_crl(X509_STORE_CTX *ctx,
                                 X509_STORE_CTX_get_crl_fn get_crl)
 {
-   ctx->get_crl = get_crl;
+    ctx->get_crl = get_crl;
 }
 
 X509_STORE_CTX_check_crl_fn

crypto/x509/x_crl.c

@@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
 {
     int idp_only = 0;
+    int ret = 0;
 
     /* Set various flags according to IDP */
     crl->idp_flags |= IDP_PRESENT;
@@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
         crl->idp_reasons &= CRLDP_ALL_REASONS;
     }
 
-    return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
+    ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
+
+    /*
+     * RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts,
+     * indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must
+     * be either a distributionPoint field or an onlySomeReasons field present.
+     */
+    if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL)
+        crl->idp_flags |= IDP_INVALID;
+
+    return ret;
 }
 
 ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {

doc/man1/openssl-cms.pod.in

@@ -75,6 +75,8 @@ Encryption options:
 [B<-aes256-wrap>]
 [B<-des3-wrap>]
 [B<-debug_decrypt>]
+[B<-recip_kdf> I<kdf>]
+[B<-recip_ukm> I<ukm>]
 
 Signing options:
 
@@ -450,6 +452,19 @@ Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
 with caution: see the notes section below.
 
+=item B<-recip_kdf>
+
+This option sets the KDF used to generate the key encryption key in the
+B<KEMRecipientInfo> type. Any KDF that takes B<OSSL_KDF_PARAM_KEY> and
+B<OSSL_KDF_PARAM_INFO> parameters and is otherwise fully defined by its name or
+OID can be used, for example B<HKDF-SHA256>.
+
+=item B<-recip_ukm>
+
+This option sets the B<KEMRecipientInfo> type's optional user keying material (UKM)
+in hexadecimal form. The UKM will be encoded, along with other information, into the
+B<OSSL_KDF_PARAM_INFO> parameter of the B<KEMRecipientInfo> type's KDF.
+
 =back
 
 =head2 Signing options
@@ -937,6 +952,8 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 
 The B<-digest> option was added in OpenSSL 3.2.
 
+The B<-recip_kdf> and B<-recip_ukm> options were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man1/openssl-rehash.pod.in

@@ -133,6 +133,13 @@ By default, this command only lists each directory as it is processed.
 The path to an executable to use to generate hashes and
 fingerprints (see above).
 
+=item B<PATH>
+
+List of paths, separated by colons (or semicolons, on Windows platforms),
+where the B<openssl> executable is searched in case the path to the hash
+generating executable is not provided in the B<OPENSSL> environment variable
+or it is not usable (that is, does not exist or is not executable).
+
 =item B<SSL_CERT_DIR>
 
 Colon separated list of directories to operate on.

doc/man1/openssl-s_client.pod.in

@@ -94,6 +94,8 @@ B<openssl> B<s_client>
 [B<-sess_in> I<filename>]
 [B<-serverinfo> I<types>]
 [B<-status>]
+[B<-ocsp_check_leaf>]
+[B<-ocsp_check_all>]
 [B<-alpn> I<protocols>]
 [B<-nextprotoneg> I<protocols>]
 [B<-ct>]
@@ -671,6 +673,24 @@ file.
 Sends a certificate status request to the server (OCSP stapling). The server
 response (if any) is printed out.
 
+=item B<-ocsp_check_leaf>
+
+Require performing server (end-entity) certificate status checking, where any
+OCSP response provided in the TLS handshake (by so-called "OCSP stapling") is tried
+first.
+If no valid and conclusive OCSP response can be found, CRL-based checking
+is attempted as fallback if enabled, otherwise the status check fails.
+
+This implies B<-status>.
+
+=item B<-ocsp_check_all>
+
+As the option before, but require performing certificate status checking also
+for the issuer chain of the server certificate (i.e., intermediate CA certificates,
+excluding the trust anchor).
+
+This implies the B<-status> and B<-ocsp_check_leaf>.
+
 =item B<-alpn> I<protocols>, B<-nextprotoneg> I<protocols>
 
 These flags enable the Enable the Application-Layer Protocol Negotiation
@@ -1023,6 +1043,11 @@ B<-no_tx_cert_comp>,
 and B<-tfo>
 options were added in OpenSSL 3.2.
 
+The
+<-ocsp_check_leaf>
+and B<-ocsp_check_all>
+options were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man1/openssl-s_server.pod.in

@@ -74,6 +74,7 @@ B<openssl> B<s_server>
 [B<-no_ign_eof>]
 [B<-no_ems>]
 [B<-status>]
+[B<-status_all>]
 [B<-status_verbose>]
 [B<-status_timeout> I<int>]
 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
@@ -487,7 +488,15 @@ Disable Extended master secret negotiation.
 
 =item B<-status>
 
-Enables certificate status request support (aka OCSP stapling).
+Enables certificate status request support (aka OCSP stapling):
+an OCSP response is provided for the leaf (server) certificate
+if requested by the client side.
+
+=item B<-status_all>
+
+Like before, but for TLS v1.3 and beyond, status responses for all
+certificates in the chain (except the trust anchor) are provided
+if requested by the client side.
 
 =item B<-status_verbose>
 
@@ -530,6 +539,8 @@ Any given query component is handled as part of the path component.
 
 Overrides any OCSP responder URLs from the certificate and always provides the
 OCSP Response stored in the file. The file must be in DER format.
+This option may be used multiple times to specify OCSP responses for all
+certificates in the server certificate chain.
 
 =item B<-ssl_config> I<val>
 
@@ -925,6 +936,8 @@ B<-no_tx_cert_comp>,
 and B<-tfo>
 options were added in OpenSSL 3.2.
 
+The B<-status_all> option was added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man1/openssl-s_time.pod.in

@@ -134,6 +134,18 @@ See L<openssl(1)/TLS Version Options>.
 
 =back
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<SSL_CIPHER>
+
+If the B<-cipher> option is not specified, the contents of this environment
+variable are used to modify the TLSv1.2 and below cipher list sent
+by the client the same way the aforementioned option does.
+
+=back
+
 =head1 NOTES
 
 This command can be used to measure the performance of an SSL connection.

doc/man3/CMS_add1_recipient_cert.pod

@@ -30,7 +30,8 @@ The originator-related fields are relevant only in case when the keyAgreement
 method of providing of the shared key is in use.
 
 CMS_add1_recipient_cert() adds recipient B<recip> to CMS_ContentInfo enveloped
-data structure B<cms> as a KeyTransRecipientInfo structure.
+data structure B<cms> as a KeyTransRecipientInfo or KEMRecipientInfo structure,
+or as a KeyAgreeRecipientInfo structure with an ephemeral key.
 
 CMS_add0_recipient_key() adds symmetric key B<key> of length B<keylen> using
 wrapping algorithm B<nid>, identifier B<id> of length B<idlen> and optional

doc/man3/CMS_encrypt.pod

@@ -78,10 +78,12 @@ BIO_new_CMS().
 
 The recipients specified in B<certs> use a CMS KeyTransRecipientInfo info
 structure. KEKRecipientInfo is also supported using the flag B<CMS_PARTIAL>
-and CMS_add0_recipient_key().
+and CMS_add0_recipient_key(). KEMRecipientInfo is also supported using the
+flag B<CMS_PARTIAL> and CMS_add1_recipient().
 
 The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
-added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
+are added later using CMS_add1_recipient() or CMS_add1_recipient_cert() with
+CMS_add0_recipient_key().
 
 CMS_encrypt() is similar to CMS_encrypt_ex() but uses default values
 of NULL for the library context I<libctx> and the property query I<propq>.
@@ -104,7 +106,7 @@ The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/CMS_get0_RecipientInfos.pod

@@ -6,9 +6,12 @@ CMS_get0_RecipientInfos, CMS_RecipientInfo_type,
 CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp,
 CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id,
 CMS_RecipientInfo_kari_set0_pkey_and_peer,
-CMS_RecipientInfo_kari_set0_pkey,
+CMS_RecipientInfo_kari_set0_pkey, CMS_RecipientInfo_kari_get0_ctx,
 CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key,
-CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
+CMS_RecipientInfo_kemri_cert_cmp, CMS_RecipientInfo_kemri_set0_pkey,
+CMS_RecipientInfo_kemri_get0_ctx, CMS_RecipientInfo_kemri_get0_kdf_alg,
+CMS_RecipientInfo_kemri_set_ukm, CMS_RecipientInfo_decrypt,
+CMS_RecipientInfo_encrypt
 - CMS envelopedData RecipientInfo routines
 
 =head1 SYNOPSIS
@@ -27,6 +30,7 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
  int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri,
                                                EVP_PKEY *pk, X509 *peer);
  int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
                                      ASN1_OCTET_STRING **pid,
                                      ASN1_GENERALIZEDTIME **pdate,
@@ -36,6 +40,13 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
                                     const unsigned char *id, size_t idlen);
  int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
                                 unsigned char *key, size_t keylen);
+ int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+ int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri);
+ X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri);
+ int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                     const unsigned char *ukm,
+                                     int ukmLength);
 
  int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
@@ -47,7 +58,8 @@ structures associated with a CMS EnvelopedData structure.
 
 CMS_RecipientInfo_type() returns the type of CMS_RecipientInfo structure B<ri>.
 It will currently return CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
-CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER.
+CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, CMS_RECIPINFO_KEM, or
+CMS_RECIPINFO_OTHER.
 
 CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient
 identifier associated with a specific CMS_RecipientInfo structure B<ri>, which
@@ -69,6 +81,10 @@ must be of type CMS_RECIPINFO_AGREE.
 CMS_RecipientInfo_kari_set0_pkey() associates the private key B<pkey> with the
 CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_AGREE.
 
+CMS_RecipientInfo_kari_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_AGREE.
+
 CMS_RecipientInfo_kekri_get0_id() retrieves the key information from the
 CMS_RecipientInfo structure B<ri> which must be of type CMS_RECIPINFO_KEK.  Any
 of the remaining parameters can be NULL if the application is not interested in
@@ -88,6 +104,27 @@ CMS_RecipientInfo_set0_key() associates the symmetric key B<key> of length
 B<keylen> with the CMS_RecipientInfo structure B<ri>, which must be of type
 CMS_RECIPINFO_KEK.
 
+CMS_RecipientInfo_kemri_cert_cmp() compares the certificate B<cert> against the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+It returns zero if the comparison is successful and non zero if not.
+
+CMS_RecipientInfo_kemri_set0_pkey() associates the private key B<pkey> with the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the X509_ALGOR for the
+RecipientInfo's KDF, allowing the caller to specify the KDF algorithm.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM. If the
+caller doesn't specify a KDF algorithm, B<HKDF-SHA256> will be used.
+
+CMS_RecipientInfo_kemri_set_ukm() sets the RecipientInfo's optional user
+keying material (UKM).  The UKM is encoded, along with other information, into
+the B<OSSL_KDF_PARAM_INFO> parameter of the RecipientInfo's KDF. The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
 CMS_RecipientInfo_decrypt() attempts to decrypt CMS_RecipientInfo structure
 B<ri> in structure B<cms>. A key must have been associated with the structure
 first.
@@ -125,12 +162,20 @@ CMS_get0_RecipientInfos() returns all CMS_RecipientInfo structures, or NULL if
 an error occurs.
 
 CMS_RecipientInfo_ktri_get0_signer_id(), CMS_RecipientInfo_set0_pkey(),
-CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key() and
-CMS_RecipientInfo_decrypt() return 1 for success or 0 if an error occurs.
-CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.
+CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key(),
+CMS_RecipientInfo_kemri_set0_pkey(), CMS_RecipientInfo_kemri_set_ukm(),
+CMS_RecipientInfo_decrypt() and CMS_RecipientInfo_encrypt() return 1 for
+success or 0 if an error occurs.
 
-CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_cmp() return 0
-for a successful comparison and non zero otherwise.
+CMS_RecipientInfo_ktri_cert_cmp(), CMS_RecipientInfo_kemri_cert_cmp() and
+CMS_RecipientInfo_kekri_cmp() return 0 for a successful comparison and non zero
+otherwise.
+
+CMS_RecipientInfo_kemri_get0_ctx() and CMS_RecipientInfo_kari_get0_ctx return
+the RecipientInfo's EVP_CIPHER_CTX or NULL if an error occurred.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the RecipientInfo's KDF's
+X509_ALGOR or NULL if an error occurred.
 
 Any error can be obtained from L<ERR_get_error(3)>.
 
@@ -143,9 +188,13 @@ L<ERR_get_error(3)>, L<CMS_decrypt(3)>
 B<CMS_RecipientInfo_kari_set0_pkey_and_peer> and B<CMS_RecipientInfo_kari_set0_pkey>
 were added in OpenSSL 3.0.
 
+B<CMS_RecipientInfo_kemri_cert_cmp>, B<CMS_RecipientInfo_kemri_set0_pkey>,
+B<CMS_RecipientInfo_kemri_get0_ctx>, B<CMS_RecipientInfo_kemri_get0_kdf_alg>
+and B<CMS_RecipientInfo_kemri_set_ukm> were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/EVP_PKEY_ASN1_METHOD.pod

@@ -28,6 +28,10 @@ EVP_PKEY_get0_asn1
 
 =head1 SYNOPSIS
 
+The following functions have been deprecated since OpenSSL 3.6, and can be
+hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
+see L<openssl_user_macros(7)>; use the provider API instead.
+
  #include <openssl/evp.h>
 
  typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
@@ -437,6 +441,8 @@ The signature of the I<pub_decode> functional argument of
 EVP_PKEY_asn1_set_public() has changed in OpenSSL 3.0 so its I<pub>
 parameter is now constified.
 
+All of these functions were deprecated in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/EVP_PKEY_asn1_get_count.pod

@@ -11,6 +11,10 @@ EVP_PKEY_asn1_get0_info
 
 =head1 SYNOPSIS
 
+The following functions have been deprecated since OpenSSL 3.6, and can be
+hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
+see L<openssl_user_macros(7)>; use the provider API instead.
+
  #include <openssl/evp.h>
 
  int EVP_PKEY_asn1_get_count(void);
@@ -68,6 +72,10 @@ EVP_PKEY_asn1_get0_info() returns 0 on failure, 1 on success.
 
 L<EVP_PKEY_asn1_new(3)>, L<EVP_PKEY_asn1_add0(3)>
 
+=head1 HISTORY
+
+These functions were deprecated in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/OPENSSL_malloc.pod

@@ -18,7 +18,8 @@ CRYPTO_get_alloc_counts,
 CRYPTO_set_mem_debug, CRYPTO_mem_ctrl,
 CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp, CRYPTO_mem_leaks_cb,
 OPENSSL_MALLOC_FAILURES,
-OPENSSL_MALLOC_FD
+OPENSSL_MALLOC_FD,
+OPENSSL_MALLOC_SEED
 - Memory allocation functions
 
 =head1 SYNOPSIS
@@ -69,6 +70,7 @@ OPENSSL_MALLOC_FD
 
  env OPENSSL_MALLOC_FAILURES=... <application>
  env OPENSSL_MALLOC_FD=... <application>
+ env OPENSSL_MALLOC_SEED=... <application>
 
 The following functions have been deprecated since OpenSSL 3.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
@@ -155,9 +157,9 @@ with CRYPTO_set_mem_functions(), it's recommended to swap them all out
 at once.
 
 If the library is built with the C<crypto-mdebug> option, then one
-function, CRYPTO_get_alloc_counts(), and two additional environment
-variables, B<OPENSSL_MALLOC_FAILURES> and B<OPENSSL_MALLOC_FD>,
-are available.
+function, CRYPTO_get_alloc_counts(), and three additional environment
+variables, B<OPENSSL_MALLOC_FAILURES>, B<OPENSSL_MALLOC_FD>,
+and B<OPENSSL_MALLOC_SEED>, are available.
 
 The function CRYPTO_get_alloc_counts() fills in the number of times
 each of CRYPTO_malloc(), CRYPTO_realloc(), and CRYPTO_free() have been
@@ -167,12 +169,14 @@ respectively.  If a pointer is NULL, then the corresponding count is not stored.
 The variable
 B<OPENSSL_MALLOC_FAILURES> controls how often allocations should fail.
 It is a set of fields separated by semicolons, which each field is a count
-(defaulting to zero) and an optional atsign and percentage (defaulting
-to 100).  If the count is zero, then it lasts forever.  For example,
-C<100;@25> or C<100@0;0@25> means the first 100 allocations pass, then all
-other allocations (until the program exits or crashes) have a 25% chance of
-failing. The length of the value of B<OPENSSL_MALLOC_FAILURES> must be 256 or
-fewer characters.
+(defaulting to zero) and an optional atsign and percentage (interpreted
+as a floating point number that is rounded up to two decimal digits
+of precision, defaulting to 100).  If the count is zero, then it lasts forever.
+For example, C<100;@0.258> or C<100@0;0@0.258> means the first 100 allocations
+pass, then all other allocations (until the program exits or crashes) have
+a 0.26% chance of failing, with random(3) used as a source of randomness.
+The length of the value of B<OPENSSL_MALLOC_FAILURES> must be 256 or fewer
+characters.
 
 If the variable B<OPENSSL_MALLOC_FD> is parsed as a positive integer, then
 it is taken as an open file descriptor. This is used in conjunction with
@@ -188,6 +192,10 @@ work on all platforms):
   export OPENSSL_MALLOC_FD
   ...app invocation... 3>/tmp/log$$
 
+If the environment variable B<OPENSSL_MALLOC_SEED> is set, its value
+is interpreted as an integer using atoi(3) and supplied to the srandom(3)
+call for the random number generator initialisation.
+
 =head1 RETURN VALUES
 
 OPENSSL_malloc_init(), OPENSSL_free(), OPENSSL_clear_free()

doc/man3/PKCS12_gen_mac.pod

@@ -67,6 +67,28 @@ given passphrase. See L<passphrase-encoding(7)> for more information.
 
 All functions returning an integer return 1 on success and 0 if an error occurred.
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<LEGACY_GOST_PKCS12>
+
+=for comment
+https://tc26.ru/standarts/metodicheskie-rekomendatsii/transportnyy-klyuchevoy-konteyner.html section 5.1
+https://tc26.ru/standard/rs/%D0%A0%2050.1.112-2016.pdf section 5
+https://meganorm.ru/mega_doc/norm/prikaz/25/r_1323565_1_041-2022_rekomendatsii_po_standartizatsii.html section 7.1
+
+If this environment variable is set, MAC generation that utilises
+GOST R 34.11-94 or GOST 34.11-2012 hashing algorithms is performed the usual
+way and not in accordance with the specification provided in the methodical
+recommendation MP 26.2.002-2012 (or in its later versions, standartisation
+recommendation P 50.1.112-2016 or P 1323565.1.041-2022)
+of Technical Committee 26, that specifies that the key used for MAC
+generation should be the last 32 bytes of the 96-byte sequence generated
+by L<PKCS5_PBKDF2_HMAC(3)> and not the whole sequence.
+
+=back
+
 =head1 CONFORMING TO
 
 IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)

doc/man3/SSL_CTX_set_tlsext_status_cb.pod

@@ -11,7 +11,9 @@ SSL_CTX_get_tlsext_status_type,
 SSL_set_tlsext_status_type,
 SSL_get_tlsext_status_type,
 SSL_get_tlsext_status_ocsp_resp,
-SSL_set_tlsext_status_ocsp_resp
+SSL_set_tlsext_status_ocsp_resp,
+SSL_get0_tlsext_status_ocsp_resp_ex,
+SSL_set0_tlsext_status_ocsp_resp_ex
 - OCSP Certificate Status Request functions
 
 =head1 SYNOPSIS
@@ -33,9 +35,12 @@ SSL_set_tlsext_status_ocsp_resp
  long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
  long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
 
+ long SSL_get0_tlsext_status_ocsp_resp_ex(ssl, STACK_OF(OCSP_RESPONSE) **resp);
+ long SSL_set0_tlsext_status_ocsp_resp_ex(ssl, STACK_OF(OCSP_RESPONSE) *resp);
+
 =head1 DESCRIPTION
 
-A client application may request that a server send back an OCSP status response
+A client application may request that a server send back OCSP status response(s)
 (also known as OCSP stapling). To do so the client should call the
 SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
 objects. Alternatively an application can call the SSL_set_tlsext_status_type()
@@ -45,9 +50,13 @@ should be passed in the B<type> argument. Calling
 SSL_CTX_get_tlsext_status_type() will return the type B<TLSEXT_STATUSTYPE_ocsp>
 previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set.
 
+For TLS versions before 1.3 only a single OCSP status response is sent back
+by the server. TLS 1.3 specifies that the server can send OCSP status responses
+for the whole chain (OCSP multi-stapling).
+
 The client should additionally provide a callback function to decide what to do
 with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The
-callback function should determine whether the returned OCSP response is
+callback function should determine whether the returned OCSP response(s) are
 acceptable or not. The callback will be passed as an argument the value
 previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
 callback will not be called in the event of a handshake where session resumption
@@ -63,22 +72,48 @@ side SSL_get_tlsext_status_type() can be used to determine whether the client
 requested OCSP stapling. If the client requested it then this function will
 return B<TLSEXT_STATUSTYPE_ocsp>, or -1 otherwise.
 
-The response returned by the server can be obtained via a call to
-SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
-to the OCSP response data and the return value will be the length of that data.
-Typically a callback would obtain an OCSP_RESPONSE object from this data via a
-call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
-response data then B<*resp> will be NULL and the return value from
+A single response returned by the server (TLS < 1.3) can be obtained via a call
+to SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to
+point to the OCSP response data and the return value will be the length of that
+data. Typically a callback would obtain an OCSP_RESPONSE object from this data
+via a call to the d2i_OCSP_RESPONSE() function. If the server has not provided
+any response data then B<*resp> will be NULL and the return value from
 SSL_get_tlsext_status_ocsp_resp() will be -1.
 
+A server application must also call the SSL_CTX_set_tlsext_status_cb() function
+if it wants to be able to provide clients with (single) OCSP response for the
+server certificate. Typically the server callback would obtain the server
+certificate that is being sent back to the client via a call to
+SSL_get_certificate(); retrieve the related OCSP response to be sent back; and
+then set that response data by calling SSL_set_tlsext_status_ocsp_resp(). A
+pointer to the response data should be provided in the B<resp> argument, and
+the length of that data should be in the B<len> argument.
+
+In the case of multi-stapling the responses to be returned by the server can be
+obtained via a call to SSL_get0_tlsext_status_ocsp_resp_ex(). The value B<*resp>
+will be updated to point to the OCSP response stack and the return value will
+be the number of responses on the stack.
+The OCSP responses on the stack are expected to be in the same order as the
+certificates in the chain. If no OCSP response is available for a certificate
+in the chain, a NULL element in the stack will represent this.
+Typically a callback would obtain an OCSP_RESPONSE object from the stack via a
+call to sk_OCSP_RESPONSE_pop. If the server has not provided any response data
+then B<*resp> will be NULL and the return value from
+SSL_get0_tlsext_status_ocsp_resp_ex() will be -1.
+
 A server application must also call the SSL_CTX_set_tlsext_status_cb() function
 if it wants to be able to provide clients with OCSP Certificate Status
-responses. Typically the server callback would obtain the server certificate
-that is being sent back to the client via a call to SSL_get_certificate();
-obtain the OCSP response to be sent back; and then set that response data by
-calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should
-be provided in the B<resp> argument, and the length of that data should be in
-the B<len> argument.
+responses, where TLS 1.3 allows for multi-stapling, i.e., providing responses
+for all certificates in the chain of the server certificate (excluding the root
+CA certificate).
+The certificates sent back to the client and for which OCSP response(s)
+should be acquired could be obtained via call to SSL_get_certificate() resp.
+SSL_get0_chain_certs(). OCSP response(s) then set by calling
+SSL_set0_tlsext_status_ocsp_resp_ex(). A stack of OCSP responses should be
+provided in the B<resp> argument.
+The OCSP responses on the stack are expected to be in the same order as the
+certificate in the chain. If no OCSP response is available for a certificate in
+the chain, a NULL element in the stack will represent this.
 
 =head1 RETURN VALUES
 
@@ -93,8 +128,9 @@ returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
 occurred).
 
 SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
-SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
+SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type(),
 SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.
+SSL_set0_tlsext_status_ocsp_resp_ex() will return always 1.
 
 SSL_CTX_get_tlsext_status_type() returns the value previously set by
 SSL_CTX_set_tlsext_status_type(), or -1 if not set.
@@ -102,6 +138,9 @@ SSL_CTX_set_tlsext_status_type(), or -1 if not set.
 SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
 or -1 if there is no OCSP response data.
 
+SSL_get0_tlsext_status_ocsp_resp_ex() returns the number of the OCSP responses
+on the stack or -1 if there is no OCSP response data.
+
 SSL_get_tlsext_status_type() returns B<TLSEXT_STATUSTYPE_ocsp> on the client
 side if SSL_set_tlsext_status_type() was previously called, or on the server
 side if the client requested OCSP stapling. Otherwise -1 is returned.
@@ -115,6 +154,9 @@ L<ssl(7)>
 The SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type()
 and SSL_CTX_set_tlsext_status_type() functions were added in OpenSSL 1.1.0.
 
+The SSL_get0_tlsext_status_ocsp_resp_ex() and SSL_set0_tlsext_status_ocsp_resp_ex()
+macros were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/X509_STORE_CTX_get_error.pod

@@ -440,6 +440,32 @@ Returned by the verify callback to indicate OCSP verification failed.
 Returned by the verify callback to indicate that the certificate is not
 recognized by the OCSP responder.
 
+=item B<X509_V_ERR_OCSP_RESP_INVALID: OCSP response(s) invalid>
+
+Returned by the verify callback to indicate that one or more OCSP
+responses are invalid.
+
+=item B<X509_V_ERR_OCSP_SIGNATURE_FAILURE: OCSP response signature failure>
+
+Returned by the verify callback to indicate OCSP response signature
+verification failed.
+
+=item B<X509_V_ERR_OCSP_NOT_YET_VALID: OCSP response not yet valid>
+OCSP response not yet valid (contains a date in the future)>
+
+Returned by the verify callback to indicate that OCSP response has a
+I<thisUpdate> date in the future.
+
+=item B<X509_V_ERR_OCSP_HAS_EXPIRED: OCSP response has expired>
+
+Returned by the verify callback to indicate that the OCSP response has expired.
+
+=item B<X509_V_ERR_OCSP_NO_RESPONSE:
+no OCSP response available for certificate>
+
+Returned by the verify callback to indicate that no OCSP response is available
+for the certificate.
+
 =item B<X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM:
 unsupported signature algorithm>
 

doc/man3/X509_STORE_CTX_new.pod

@@ -16,6 +16,7 @@ X509_STORE_CTX_get0_rpk,
 X509_STORE_CTX_set_default,
 X509_STORE_CTX_set_verify,
 X509_STORE_CTX_verify_fn,
+X509_STORE_CTX_set_ocsp_resp,
 X509_STORE_CTX_set_purpose,
 X509_STORE_CTX_set_trust,
 X509_STORE_CTX_purpose_inherit
@@ -56,6 +57,7 @@ X509_STORE_CTX_purpose_inherit
  typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
  void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
 
+ void X509_STORE_CTX_set_ocsp_resp(X509_STORE_CTX *ctx, STACK_OF(OCSP_RESPONSE) *sk);
  int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
  int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
  int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
@@ -217,6 +219,12 @@ validate extended key usage information in certificates will need to define a
 custom "purpose" (see below) or supply a nondefault verification callback
 (L<X509_STORE_set_verify_cb_func(3)>).
 
+X509_STORE_CTX_set_ocsp_resp() sets the OCSP response(s) for the verification
+of a certificate chain or for including in the TLS handshake, when the client
+requests OCSP stapling. The stack of OCSP responses I<sk> is not copied but
+just stored to the context.
+I<ctx> holds a pointer to the stack, so the stack must outlive the I<ctx>.
+
 X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being
 verified in the I<ctx>. Built-in available values for the I<purpose> argument
 are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>,
@@ -314,6 +322,7 @@ The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
 The X509_STORE_CTX_new_ex() function was added in OpenSSL 3.0.
 The X509_STORE_CTX_init_rpk(), X509_STORE_CTX_get0_rpk(), and
 X509_STORE_CTX_set0_rpk() functions were added in OpenSSL 3.2.
+X509_STORE_CTX_set_ocsp_resp() function was added in OpenSSL 3.6.
 
 There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0.
 

doc/man7/EVP_PKEY-X25519.pod

@@ -13,7 +13,21 @@ implemented in OpenSSL's default and FIPS providers.  These implementations
 support the associated key, containing the public key I<pub> and the
 private key I<priv>.
 
-=head2 Keygen Parameters
+=head2 Common Keygen Parameters for X25519, X448, ED25519 and ED448
+
+The following parameters can be used during key generation by calling
+EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init().
+
+=over 4
+
+=item "properties" (B<OSSL_PKEY_PARAM_PROPERTIES>) <octet string>
+
+The property query to use when fetching algorithms during the key generation
+operation.
+
+=back
+
+=head2 Keygen Parameters for X25519 and X448
 
 =over 4
 
@@ -23,20 +37,16 @@ DHKEM requires the generation of a keypair using an input key material (seed).
 Use this to specify the key material used for generation of the private key.
 This value should not be reused for other purposes.
 It should have a length of at least 32 for X25519, and 56 for X448.
-This is only supported by X25519 and X448.
 
-=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
+=item "group" (B<OSSL_PKEY_PARAM_GROUP_NAME>) <UTF8 string>
 
-This getter is only supported by X25519 and X448 for the FIPS provider.
-Since X25519 and X448 are unapproved in FIPS 140-3 this getter return 0.
-
-See L<provider-keymgmt(7)/Common Information Parameters> for further information.
+The group name must be "x25519" or "x448" respectively for those algorithms.
+This is only present for consistency with other key exchange algorithms and is
+typically not needed.
 
 =back
 
-Use EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init().
-
-=head2 Common X25519, X448, ED25519 and ED448 parameters
+=head2 Common Parameters for X25519, X448, ED25519 and ED448
 
 In addition to the common parameters that all keytypes should support (see
 L<provider-keymgmt(7)/Common parameters>), the implementation of these keytypes
@@ -44,12 +54,6 @@ support the following.
 
 =over 4
 
-=item "group" (B<OSSL_PKEY_PARAM_GROUP_NAME>) <UTF8 string>
-
-This is only supported by X25519 and X448. The group name must be "x25519" or
-"x448" respectively for those algorithms. This is only present for consistency
-with other key exchange algorithms and is typically not needed.
-
 =item "pub" (B<OSSL_PKEY_PARAM_PUB_KEY>) <octet string>
 
 The public key value.
@@ -58,15 +62,26 @@ The public key value.
 
 The private key value.
 
+=back
+
+=head2 Parameters for X25519 and X448
+
+=over 4
+
 =item "encoded-pub-key" (B<OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY>) <octet string>
 
 Used for getting and setting the encoding of a public key for the B<X25519> and
 B<X448> key types. Public keys are expected be encoded in a format as defined by
 RFC7748.
 
+=item "fips-indicator" (B<OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR>) <integer>
+
+This getter is only supported by X25519 and X448 OpenSSL FIPS provider.
+Since X25519 and X448 are unapproved in FIPS 140-3 this getter returns 0.
+
 =back
 
-=head2 ED25519 and ED448 parameters
+=head2 Parameters for ED25519 and ED448
 
 =over 4
 

doc/man7/openssl-env.pod

@@ -6,10 +6,11 @@ openssl-env - OpenSSL environment variables
 
 =head1 DESCRIPTION
 
-The OpenSSL libraries use environment variables to override the
-compiled-in default paths for various data.
-To avoid security risks, the environment is usually not consulted when
-the executable is set-user-ID or set-group-ID.
+The OpenSSL libraries and commands use environment variables to override
+compiled-in defaults for various aspects of their behaviour.
+To avoid security risks, the environment is not consulted
+for security-sensitive environment variables when the executable
+is set-user-ID or set-group-ID.
 
 =over 4
 
@@ -18,39 +19,111 @@ the executable is set-user-ID or set-group-ID.
 Specifies the path to a certificate transparency log list.
 See L<CTLOG_STORE_new(3)>.
 
+This variable is considered a security-sensitive environment variable.
+
+=item B<HOME>, B<SYSTEMROOT>, B<USERPROFILE>
+
+Path which L<RAND_file_name(3)> uses as a directory for the random seed file
+name when the B<RANDFILE> environment variable is not set.
+B<HOME> is the only variable that is considered on Unix-like systems;
+B<USERPROFILE> and B<SYSTEMROOT> are used as fallbacks on Windows platforms.
+
+B<HOME> variable is considered a security-sensitive environment variable.
+
+=item B<HTTPS_PROXY>, B<HTTP_PROXY>, B<NO_PROXY>, B<https_proxy>, B<http_proxy>, B<no_proxy>
+
+Specify a proxy hostname.
+See L<OSSL_HTTP_parse_url(3)>.
+
+These variables are considered security-sensitive environment variables.
+
+=item B<LEGACY_GOST_PKCS12>
+
+Affects the way MAC is generated in PKCS#12 containers for GOST algorithms.
+See L<PKCS12_gen_mac(3)>.
+
+This variable is considered a security-sensitive environment variable.
+
 =item B<OPENSSL>
 
 Specifies the path to the B<openssl> executable. Used by
 the B<rehash> script (see L<openssl-rehash(1)/Script Configuration>)
 and by the B<CA.pl> script (see L<CA.pl(1)/NOTES>
 
+This variable is not considered security-sensitive.
+
 =item B<OPENSSL_CONF>, B<OPENSSL_CONF_INCLUDE>
 
 Specifies the path to a configuration file and the directory for
 included files.
 See L<config(5)>.
 
+These variables are considered security-sensitive environment variables.
+
 =item B<OPENSSL_CONFIG>
 
 Specifies a configuration option and filename for the B<req> and B<ca>
 commands invoked by the B<CA.pl> script.
 See L<CA.pl(1)>.
 
+This variable is not considered security-sensitive.
+
+=item B<OPENSSL_DEBUG_DECC_INIT>
+
+On VMS only:  if this variable is set, enables verbose output of parsing
+of C<DECC$*> logical names, that contain C RTL features, during library
+initialisation (C<LIB$INITIALIZE>).  If the value of the variable is more
+than 1, outputs information about every processed feature.
+
+This variable is not considered security-sensitive.
+
 =item B<OPENSSL_ENGINES>
 
 Specifies the directory from which dynamic engines are loaded.
 See L<openssl-engine(1)>.
 
-=item B<OPENSSL_MALLOC_FD>, B<OPENSSL_MALLOC_FAILURES>
+This variable is considered a security-sensitive environment variable.
+
+=item B<OPENSSL_MALLOC_FAILURES>, B<OPENSSL_MALLOC_FD>, B<OPENSSL_MALLOC_SEED>
 
 If built with debugging, this allows memory allocation to fail.
 See L<OPENSSL_malloc(3)>.
 
+These variables are not considered security-sensitive.
+
 =item B<OPENSSL_MODULES>
 
 Specifies the directory from which cryptographic providers are loaded.
 Equivalently, the generic B<-provider-path> command-line option may be used.
 
+This variable is considered a security-sensitive environment variable.
+
+=item B<OPENSSL_SEC_MEM>
+
+Initializes the secure memory at the beginning of the application which makes
+the secure memory calls not to fall back to regular memory calls. The value
+indicates the B<size> parameter in bytes. The value can be expressed in
+binary, octal, decimal and hexadecimal. For formatting see B<strtol(3)>.
+For further restrictions see L<CRYPTO_secure_malloc_init(3)>.
+
+This variable is not considered security-sensitive.
+
+=item B<OPENSSL_SEC_MEM_MINSIZE>
+
+An optional variable used with B<OPENSSL_SEC_MEM>. The value indicates
+B<minsize> parameter in bytes. The same formatting applies as above.
+Default is 0. For more info see L<CRYPTO_secure_malloc_init(3)>.
+
+This variable is not considered security-sensitive.
+
+=item B<OPENSSL_TEST_LIBCTX>
+
+This test-only environment variable, that is recognised by the L<openssl(1)>
+command, when is set to "1", leads to creation of a nondefault library context
+by the command, for which the B<-config> option then takes effect.
+
+This variable is not considered security-sensitive.
+
 =item B<OPENSSL_TRACE>
 
 By default the OpenSSL trace feature is disabled statically.
@@ -61,58 +134,14 @@ Unless OpenSSL tracing support is generally disabled,
 enable trace output of specific parts of OpenSSL libraries, by name.
 This output usually makes sense only if you know OpenSSL internals well.
 
-The value of this environment varialble is a comma-separated list of names,
+The value of this environment variable is a comma-separated list of names,
 with the following available:
 
 =over 4
 
-=item B<TRACE>
+=item B<ALL>
 
-Traces the OpenSSL trace API itself.
-
-=item B<INIT>
-
-Traces OpenSSL library initialization and cleanup.
-
-=item B<TLS>
-
-Traces the TLS/SSL protocol.
-
-=item B<TLS_CIPHER>
-
-Traces the ciphers used by the TLS/SSL protocol.
-
-=item B<CONF>
-
-Show details about provider and engine configuration.
-
-=item B<ENGINE_TABLE>
-
-The function that is used by RSA, DSA (etc) code to select registered
-ENGINEs, cache defaults and functional references (etc), will generate
-debugging summaries.
-
-=item B<ENGINE_REF_COUNT>
-
-Reference counts in the ENGINE structure will be monitored with a line
-of generated for each change.
-
-=item B<PKCS5V2>
-
-Traces PKCS#5 v2 key generation.
-
-=item B<PKCS12_KEYGEN>
-
-Traces PKCS#12 key generation.
-
-=item B<PKCS12_DECRYPT>
-
-Traces PKCS#12 decryption.
-
-=item B<X509V3_POLICY>
-
-Generates the complete policy tree at various points during X.509 v3
-policy evaluation.
+Traces everything.
 
 =item B<BN_CTX>
 
@@ -122,9 +151,9 @@ Traces BIGNUM context operations.
 
 Traces CMP client and server activity.
 
-=item B<STORE>
+=item B<CONF>
 
-Traces STORE operations.
+Show details about provider and engine configuration.
 
 =item B<DECODER>
 
@@ -134,16 +163,81 @@ Traces decoder operations.
 
 Traces encoder operations.
 
-=item B<REF_COUNT>
+=item B<ENGINE_REF_COUNT>
 
-Traces decrementing certain ASN.1 structure references.
+Reference counts in the ENGINE structure will be monitored with a line
+of generated for each change.
+
+=item B<ENGINE_TABLE>
+
+The function that is used by RSA, DSA (etc) code to select registered
+ENGINEs, cache defaults and functional references (etc), will generate
+debugging summaries.
 
 =item B<HTTP>
 
 Traces the HTTP client and server, such as messages being sent and received.
 
+=item B<INIT>
+
+Traces OpenSSL library initialization and cleanup.
+
+=item B<PKCS12_DECRYPT>
+
+Traces PKCS#12 decryption.
+
+=item B<PKCS12_KEYGEN>
+
+Traces PKCS#12 key generation.
+
+=item B<PKCS5V2>
+
+Traces PKCS#5 v2 key generation.
+
+=item B<PROVIDER>
+
+Traces various operations that are performed on OpenSSL providers during their
+handling by the library (see L<provider(7)>), such as initialisation, tear down,
+parameter and capability retrieval, self-test, and so on.
+
+=item B<QUERY>
+
+Traces operation related to addition, removal, and fetching of methods
+in the so-called method store, that holds pointers to functions provided
+by various providers.
+
+=item B<REF_COUNT>
+
+Traces reference count changes in various structures,
+including C<BIO>, C<DH>, C<DSA>, C<EC_KEY>, C<ECX_KEY>,
+C<EVP_PKEY>, C<EVP_SKEY>, C<RSA>, C<SSL>, C<SSL_CTX>, C<SSL_SESSION>,
+C<X509_CRL>, C<X509_STORE>, C<X509>, and some others.
+
+=item B<STORE>
+
+Traces STORE operations.
+
+=item B<TLS>
+
+Traces the TLS/SSL protocol.
+
+=item B<TLS_CIPHER>
+
+Traces the ciphers used by the TLS/SSL protocol.
+
+=item B<TRACE>
+
+Traces the OpenSSL trace API itself.
+
+=item B<X509V3_POLICY>
+
+Generates the complete policy tree at various points during X.509 v3
+policy evaluation.
+
 =back
 
+This variable is not considered security-sensitive.
+
 =item B<OPENSSL_WIN32_UTF8>
 
 If set, then L<UI_OpenSSL(3)> returns UTF-8 encoded strings, rather than
@@ -152,41 +246,35 @@ the L<openssl(1)> program also transcodes the command-line parameters
 from the current code page to UTF-8.
 This environment variable is only checked on Microsoft Windows platforms.
 
+=item B<OPENSSL_armcap>, B<OPENSSL_ia32cap>, B<OPENSSL_ppccap>, B<OPENSSL_riscvcap>, B<OPENSSL_s390xcap>, B<OPENSSL_sparcv9cap>
+
+OpenSSL supports a number of different algorithm implementations for
+various machines and, by default, it determines which to use based on the
+processor capabilities and run time feature enquiry.  These environment
+variables can be used to exert more control over this selection process.
+See L<OPENSSL_ia32cap(3)>, L<OPENSSL_riscvcap(3)>, and L<OPENSSL_s390xcap(3)>.
+
+These variables are not considered security-sensitive.
+
+=item B<OSSL_QFILTER>
+
+Used to set a QUIC qlog filter specification. See L<openssl-qlog(7)>.
+
+This variable is considered a security-sensitive environment variable.
+
+=item B<QLOGDIR>
+
+Specifies a QUIC qlog output directory. See L<openssl-qlog(7)>.
+
+This variable is considered a security-sensitive environment variable.
+
 =item B<RANDFILE>
 
 The state file for the random number generator.
 This should not be needed in normal use.
 See L<RAND_load_file(3)>.
 
-=item B<SSL_CERT_DIR>, B<SSL_CERT_FILE>
-
-Specify the default directory or file containing CA certificates.
-See L<SSL_CTX_load_verify_locations(3)>.
-
-=item B<TSGET>
-
-Additional arguments for the L<tsget(1)> command.
-
-=item B<OPENSSL_ia32cap>, B<OPENSSL_sparcv9cap>, B<OPENSSL_ppccap>, B<OPENSSL_armcap>, B<OPENSSL_s390xcap>, B<OPENSSL_riscvcap>
-
-OpenSSL supports a number of different algorithm implementations for
-various machines and, by default, it determines which to use based on the
-processor capabilities and run time feature enquiry.  These environment
-variables can be used to exert more control over this selection process.
-See L<OPENSSL_ia32cap(3)>, L<OPENSSL_s390xcap(3)> and L<OPENSSL_riscvcap(3)>.
-
-=item B<NO_PROXY>, B<HTTPS_PROXY>, B<HTTP_PROXY>
-
-Specify a proxy hostname.
-See L<OSSL_HTTP_parse_url(3)>.
-
-=item B<QLOGDIR>
-
-Specifies a QUIC qlog output directory. See L<openssl-qlog(7)>.
-
-=item B<OSSL_QFILTER>
-
-Used to set a QUIC qlog filter specification. See L<openssl-qlog(7)>.
+This variable is considered a security-sensitive environment variable.
 
 =item B<SSLKEYLOGFILE>
 
@@ -200,6 +288,49 @@ the exchanged keys during an SSL session, it allows any available party with
 read access to the file to decrypt application traffic sent over that session.
 Use of this feature should be restricted to test and debug environments only.
 
+This variable is considered a security-sensitive environment variable.
+
+=item B<SSL_CERT_DIR>, B<SSL_CERT_FILE>
+
+Specify the default directory or file containing CA certificates.
+See L<SSL_CTX_load_verify_locations(3)>.
+
+These variables are considered security-sensitive environment variables,
+except in L<openssl-rehash(1)>, where B<SSL_CERT_DIR> is not considered
+security-sensitive.
+
+=item B<SSL_CIPHER>
+
+Used by L<openssl-s_time(1)> in case B<-cipher> option (that allows modifying
+TLSv1.2 and below cipher list sent by the client) is not provided,
+for specification of the aforementioned ciphers.
+
+This variable is not considered security-sensitive.
+
+=item B<TSGET>
+
+Additional arguments for the L<tsget(1)> command.
+
+This variable is not considered security-sensitive.
+
+=back
+
+=head1 HISTORY
+
+This section contains environment variables that are no longer considered
+by the OpenSSL libraries and commands.
+
+=over 4
+
+=item B<HARNESS_OSSL_PREFIX>
+
+This environment variable, existed in OpenSSL versions from 1.1.1 up to 3.5,
+allowed specification of a prefix prepended to each line sent to the I<stdout>
+by L<openssl(1)>, used by the test harness to avoid commingling the command
+under test output with the output for the TAP consumer.
+
+This variable was not considered security-sensitive.
+
 =back
 
 =head1 COPYRIGHT

doc/man7/ossl-guide-migration.pod

@@ -17,6 +17,14 @@ L<https://github.com/openssl/openssl/blob/master/CHANGES.md>.
 For an overview of some of the key concepts introduced in OpenSSL 3.0 see
 L<crypto(7)>.
 
+=head1 OPENSSL 3.6
+
+=head2 Main Changes from OpenSSL 3.5
+
+The functions EVP_PKEY_asn1_*() and L<EVP_PKEY_get0_asn1(3)> were deprecated in
+favour of the provider API. EVP_PKEY_assign_[DSA|SIPHASH]() were also deprecated.
+Please use the new high level and provider API.
+
 =head1 OPENSSL 3.1
 
 =head2 Main Changes from OpenSSL 3.0

doc/man7/provider-base.pod

@@ -154,6 +154,10 @@ provider):
  core_new_error                 OSSL_FUNC_CORE_NEW_ERROR
  core_set_error_debug           OSSL_FUNC_CORE_SET_ERROR_DEBUG
  core_vset_error                OSSL_FUNC_CORE_VSET_ERROR
+ core_set_error_mark            OSSL_FUNC_CORE_SET_ERROR_MARK
+ core_clear_last_error_mark     OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK
+ core_pop_error_to_mark         OSSL_FUNC_CORE_POP_ERROR_TO_MARK
+ core_count_to_mark             OSSL_FUNC_CORE_COUNT_TO_MARK
  core_obj_add_sigid             OSSL_FUNC_CORE_OBJ_ADD_SIGID
  core_obj_create                OSSL_FUNC_CORE_OBJ_CREATE
  CRYPTO_malloc                  OSSL_FUNC_CRYPTO_MALLOC
@@ -270,6 +274,33 @@ error occurred or was reported.
 
 This corresponds to the OpenSSL function L<ERR_vset_error(3)>.
 
+=item core_set_error_mark()
+
+sets a mark on the current topmost error record if there is one.
+
+This corresponds to the OpenSSL function L<ERR_set_mark(3)>.
+
+=item core_clear_last_error_mark()
+
+removes the last mark added if there is one.
+
+This corresponds to the OpenSSL function L<ERR_clear_last_mark(3)>.
+
+=item core_pop_error_to_mark()
+
+pops the top of the error stack until a mark is found. The mark is then removed.
+If there is no mark, the whole stack is removed.
+
+This corresponds to the OpenSSL function L<ERR_pop_to_mark(3)>.
+
+=item core_count_to_mark()
+
+returns the number of entries on the error stack above the most recently
+marked entry, not including that entry. If there is no mark in the error stack,
+the number of entries in the error stack is returned.
+
+This corresponds to the OpenSSL function L<ERR_count_to_mark(3)>.
+
 =back
 
 The core_obj_create() function registers a new OID and associated short name

doc/man7/provider-keymgmt.pod

@@ -442,6 +442,30 @@ its argument I<mdname>.  This signifies that no digest has to be specified
 with the corresponding signature operation, but may be specified as an
 option.
 
+=item "ri-type" (B<OSSL_PKEY_PARAM_CMS_RI_TYPE>) <integer>
+
+The value should be the CMS RecipientInfo type for the given key, for example
+B<CMS_RECIPINFO_KEM> or B<CMS_RECIPINFO_AGREE>.
+The value that can be given through this parameter is found in
+F<< <openssl/cms.h> >>, with the macros having names starting with
+C<CMS_RECIPINFO_>.
+
+CMS will query this parameter first to determine the RecipientInfo type.  If
+this parameter is not filled in, CMS will check for known key types and map
+them to the appropriate RecipientInfo type. Otherwise, CMS will default to
+using B<CMS_RECIPINFO_TRANS>.
+
+=item "kemri-kdf-alg" (B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM>) <UTF8 string>
+
+The value should be the DER-encoded X509_ALGOR for the default KDF for this key
+if it supports the KEMRecipientInfo (B<CMS_RECIPINFO_KEM>) type.
+
+Any KDF that takes B<OSSL_KDF_PARAM_KEY> and B<OSSL_KDF_PARAM_INFO> parameters
+and is otherwise fully defined by its OID can be used, for example B<HKDF-SHA256>.
+
+If B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM> is not implemented, B<HKDF-SHA256>
+will be used as the default KDF.
+
 =back
 
 The OpenSSL FIPS provider also supports the following parameters:

engines/e_loader_attic.c

@@ -11,7 +11,9 @@
 
 /* This file has quite some overlap with providers/implementations/storemgmt/file_store.c */
 
-/* We need to use some engine deprecated APIs */
+/*
+ * We need to use some asn1_meth deprecated APIs
+ */
 #define OPENSSL_SUPPRESS_DEPRECATED
 
 #include "internal/e_os.h" /* for stat */