Commit 7b21e5a

Squashed 'openssl/' changes from c1eeb9406b6..7b371d80d95
7b371d80d95 Prepare for release of 3.6.0
554b600091f make update
5de8d3eb6d4 Copyright year updates
f3ade11ef24 CHANGES.md, NEWS.md: update for 3.6.0
27357781e0a CHANGES.md, NEWS.md: update for 3.5.4
deef067261e Add CHANGES.md and NEWS.md updates
506451cb6b0 use_proxy(): Add missing terminating NUL byte
ed5ba489102 ecp_sm2p256.c: Remove unused code
3b66c974c45 SM2: Use constant time modular inversion
caa664ea5bb kek_unwrap_key(): Fix incorrect check of unwrapped key size
1fd7ebe7e42 Revert "fips: remove redundant RSA encrypt/decrypt KAT"
4ea5644a67e krb5kdf.c.in: Check the key size before applying the key
2dbcae3b084 Add test for using KRB5KDF with erroneous key size
84432e9b6cb test/radix/terp.c: avoid accessing uninitialised terp on error
651abe1eb55 apps/storeutl.c: avoid signed integer overflow in indent_printf()
2be1b400e77 crypto/evp/ctrl_params_translate.c: fix a typo in the error message
d6514ce319a crypto/bio/bss_file.c: add missing cast in format arg in ERR_raise_data()
732a0a5df83 test/wpackettest.c: remove bogus cleanup() in test_WPACKET_quic_vlint_random()
d650e962d8f crypto/x509/t_x509.c: check i2d_X509_NAME() return value in X509_ocspid_print()
9bb53c7f04d Fix EVP_PKEY_can_sign() handling of NULL from query_operation_name()
e70c3efd7c3 Check for OBJ_create() conflicts after write lock.
174c992b15e Add a test for multi-threaded OBJ_create
9403c7d768f Fix length of digestinfo_sm3_der
9f773c24ff6 Fix doublefree after failure in ossl_siv128_init()
f8f3573a061 Print PowerPC CPUINFO
07e70f951e7 Correct the documentation for OPENSSL_sk_find
34063dff601 Close small race condition on error raising in QUIC
d72ab742430 CHANGES.md, NEWS.md: various ffixes
d06993cb896 NEWS.md: remove PCT on key import for SLH-DSA mention
8d509b0326e CHANGES.md, NEWS.md: sync 3.5 changes/news with 3.5.3
ba0062ee23c Skip LMS tests if fetch for the LMS algorithm fails
3c28b593806 Do not use RW mutexes on RISC-V arch
874f7684beb x509: fix mem leak on error path
b9cb0b2dbe2 Re-enable the ssl_trace_test()
19c96a8d61c sslapitest.c: Skip test_ssl_trace() with FIPS providers older than 3.5
ea373a3e533 tls_common.c: Handle inner content type properly on Big Endian
7a8cbd1c4ff Fix the abnormal branch memory leak in ssl_set_cert_and_key function
3718a89e0bd bio_ok.c: Integer Overflow in BIO_f_reliable record parser leads to Out-of-Bounds Read
a518be8aa82 Added test suggested by Shane Lontis
f4779b86af6 Harden property put_str() helper corner case
1d35a9e8709 Add unsupported features in NOTES-C99.md: complex.h and variable length array
7232f244956 Fix OPENSSL_VERSION_NUMBER to always have zero status bits
3dd0e254db8 Fix CI Pipeline by Disabling SSL_TRACE_TEST
d19a67d67fd Fix another memory order issue
3cf5e10317c Fix ML-KEM key equality check when either unset
18597ff4ec3 Revert "rsa: expose pairwise consistency test API"
9d115a5a261 Fix cipher protocol ID type in docs
bb04366d366 Updated SSL Trace to display the name for all MLKEM-based groups
a8a2d8e5367 doc: clarify SSL_SESSION_get0_hostname() DESCRIPTION
588bc2ebb39 providers/implementations/keymgmt/ecx_kmgmt.c.in: remove PCT on ECX import
c5c70f370c0 crypto/ml_dsa: fix public_from_private() error path to return failure
8ca96550ad7 Fix logic errors in torture_rw_high/low test
3af97cd9142 25-test_verify.t: fix partly case-sensitive matching for Windows OS: s/MsWin32/MSWin32/
106bb67f783 Add OSSL_ prefix back onto param names
630352ad88b Prepare for 3.6 beta 2
34c61a5df27 Prepare for release of 3.6 beta 1
c840dde2431 make update
681e5631f75 Copyright year updates
567cbe4e2ab Enable LMS on provider compat fips build for 3.6
75c7aae5fc8 Test failure of rsa_encrypt when buffer too short
f815ee19e06 Harden RSA public encrypt
ea3ee7e0832 Update our CI jobs to cover the 3.6 stable branch
c51691b1a34 CHANGES.md, NEWS.md: update for 3.6.0-beta1
fe923758ffa CHANGES.md, NEWS.md: ffix
98e17292227 crypto/bio/bio_print.c: improve handling of unreasonably large widths/precisions
cffbccf5eaf crypto/bio/bio_print.c: avoid signed int overflow in desc->pos in doapr_outch
7ff5df10142 crypto/bio/bio_print.c: avoid signed int overow in padlen calculation in fmtstr
56f67a6d618 OSSL_CALLBACK.pod: add missing info on required return values of callback functions
f293c33af9c doc: Add missing commas
a09a68cef79 Add one more trace message to the torture_rcu_high test
f5fe2366af5 Add key_type to the derive_skey function
7ab59773e60 doc/man3/RAND_load_file.pod: RAND_load_file on non-regular files with bytes=-1
d4f65dc909c crypto/rand/randfile.c: avoid signed integer overflow in RAND_load_file
943b4943192 util/find-doc-nits: do not check files in submodules in check_env_vars
a3474ee8af2 Make the Unix build process more repeatable
43cd3773a33 openssl-enc.pod.in: We actually use PKCS#7 padding
686b7178854 RISC-V: Use address for vlenb CSR
4620e09c54c Add a helper function to delete the extension list
30930f86157 Clear the extension list when removing the last extension
7c34118055e Fix typo in BN_generate_prime docs
226be71931e doc: Update documentation of SSL_CTX_set_dh_auto()
cd108496a69 docs: Be case specific with links to man headers
16b1c664648 Pick libcrypto.num/libssl.num number assignments from 3.5
edbee2a6634 hmac: stop using secure memory for the HMAC key
255003535b3 slh-dsa: omit test of import PCT
32e9437c563 import pct: remove import PCTs for most algorithms
860147225e9 Only unlock in rsa_get_blinding when locking was successful
55209aab56d Add missing unlock to ossl_provider_new
a7f9f316641 FIPS: Don't allow SHA512-224 and SHA512-256 for ECDSA/DSA signatures
b22df6529a5 slh-dsa: enter FIPS error state if pairwise test fails
a3e30b83543 Prepare for 3.6 alpha 2
eccb480c11c Prepare for release of 3.6 alpha 1
1792368190f make update
e66332418f8 Copyright year updates
145e909a698 Release news and changelog for version 3.6
47a3cf5308f Make update
55b2bf1abc3 Implement EVP_KDF_CTX_set_SKEY
7d42becc0d3 Implement EVP_PKEY_derive_SKEY
b5d0d061d1c Implement EVP_KDF_derive_SKEY
3425da502dd We use evp_skey_alloc from several source files
0de951ba9a5 Correctly dealing with refcount in EVP_SKEY
1351299d601 Implementation of EVP_SKEY_import_SKEYMGMT
8c3c2f5cd8f Add GENERIC SKEYMGMT to the legacy provider
034cd838938 Design document of using opaque object as symmetric key
99680401949 Fix typos and whitespace
dc442241b2b Document the OSSL_SELF_TEST_TYPE_PCT_IMPORT failure state
eaba675c4b3 ml-kem: convert to transient error state on import failure in FIPS provider
56a791209c1 ml-dsa: convert to transient error state on import failure in FIPS provider
811f68ffe2c ecx: convert to transient error state on import failure in FIPS provider
d6f398cc957 ec: convert to transient error state on import failure in FIPS provider
c2ebeeeff67 dh: convert to transient error state on import failure in FIPS provider
864a5f6641c rsa: convert to transient error state on import failure in FIPS provider
1dc1de78617 Add OSSL_SELF_TEST_TYPE_PCT_IMPORT transient error state
9013cca9258 add new error
0b00e23df82 test/bioprinttest.c: move the %n result to the field that is later checked
e489bfbcd58 test/bioprinttest.c: fix sloppy length modifier usage in int_data
79037022801 slh-dsa: add a PCT for key import when in FIPS mode
9deaf838333 test/bioprinttest.c: add some checks for integer and string printing
8d8a8aac533 test/bioprinttest.c: check the output against libc's one as well
f5bb94918f2 test/bioprinttest.c: constify test vectors
dc415d9ff18 test/bioprinttest.c: use the whole buffer for checks
c5e3e7bfb67 crypto/bio/bio_print.c: handle the case of 0 with zero precision
ac492027221 crypto/bio/bio_print.c: improve the precision handling in fmtint
2b16781c5b8 crypto/bio/bio_print.c: bring back the length modifier support for %n
228ef5f5472 crypto/bio/bio_print.c: make %n in line with other libc implementations
a8d02c5ca70 crypto/bio/bio_print.c: avoid integer overflow when reading width/precision
7777db81f89 crypto/bio/bio_print.c: always terminate output with \0
fff4b181bf3 crypto/bio/bio_print.c: consolidating print arguments in a structure
cbb0a561e64 crypto/bio/bio_print.c: reset max to zero if empty precision string is provided
779346f2ec5 crypto/bio/bio_print.c: add 't' (ptrdiff_t) length modifier
badbcc66319 crypto/bio/bio_print.c: fix space padding calculation
95af148e148 crypto/bio/bio_print.c: '-' flag has priority over '0'
0f107c709c7 crypto/bio/bio_print.c: avoid superfluous zero padding in %#o
0f6e826f7b7 crypto/bio/bio_print.c: no prefix for zero value in alternative form
7eb18e768db crypto/bio/bio_print.c: handle negative width argument
96e021dffff crypto/bio/bio_print.c: correctly print 0X prefix for X conversion
6f8beb7ce9b crypto/bio/bio_print.c: support hh length modifier in _dopr
f289c45b16a Add SKEYMGMT support to the FIPS provider
0b091c88d7d NOTES-WINDOWS.md: correct the Windows context macro name
5ea22d199bd doc: Fix function name in example code
899623b29ca aes-s390x.pl: Initialize reserved and unused memory
b930ea87dfc doc/man3/SSL_poll.pod: mention SSL_POLL_EVENT_{EL,IC} in SYNOPSIS
b7e4e17645b Add targets to skip build of non-installable programs
92bfd358c9b rebase to master fixing some missing group references
f9afb3a07eb Fix: Add free to avoid memory leak.
045a158e616 Correct fixed cert validity end date in oqsprovider testing
c66d9760a77 Fix `VC-WIN64-CLANGASM-ARM` target
53eb2363a1e params: add features to param parser generator
b561837ee9b dh: add FIPS 140-3 PCT on key generation
8563f27d49c fix(pkcs12): prevent PKCS7 memleak in p12_npas.c
da9a6c6ebd8 Add design doc for rfc4514 DN output format
fb295aa65c1 crypto\cms\cms_kem.c: Add ASN1_TYPE_free when EVP_CIPHER_param_to_asn1() fails
fc84d46d722 Fix null pointer check in pkey_dh_derive to ensure both keys are set
bc28ca499ef Fix: Check for wrong object. The converted sc should be checked instead of the original s
dfaea0aa4bd Ignore generated assembler files for cpuid functions
220f5be6908 Fix reallocation failure condition in qtx_resize_txe()
3ec265978c0 Android: Enable 16 KB ELF alignment for `arm64-v8a` and `x86_64` platforms
730c2d9ccca changes: add a CHANGES.md entry covering the generated parameter name decoding
3f5561a9f42 keymgmt: update template
accc7ce60ea ecx: convert to using generated parameter decoding
326c36c418e lms: convert to using generated parameter decoding
47282279929 slh-dsa: convert to using a generated decoder
ef77afe58be key management: rename key management files in anticipations of generated decoding
3e2f54a718f Make error checks on RSA_public_decrypt() consistent
1d92f3b8b0e Make SSL_poll() and SSL_shutdown() better friends
07f65e16c20 Fix a race in by_store_subject
994774b4ca6 Add a test for accessing an X509_STORE from multiple threads
08951fb2730 Don't keep the store open in by_store_ctrl_ex
546c5b3eadd Fix S390 ECDSA Deterministic mode fails tests in FIPS mode.
5bb4a4860e2 fips: upgrade self-test KATs to reduce SHA-1/SHA-224 usage
833a34dac36 fips: add news & changes entry for DetECDSA
9346a88a8fd fips: update provider-signature docs for DetECDSA
0b9f7885700 Add DetECDSA self test, signature is one byte shorter somehow
cfc2a07fdab fips: enabled deterministic ecdsa tests
71d3703e5d3 fips: make PROV_NAMES_HMAC_DRBG_KDF internal only
c281a7303c4 fips: implement deterministic ECDSA
39e286bd26c apps/speed.c: Support more signature algorithms
dab850f4999 apps/speed.c: Disable testing of composite signature algorithms
eaacf56ba97 Avoid doublefree of OCSP_SINGLERESP
141ad51b464 Remove unnecessary fetch-depth in GitHub Actions workflow
9226b3e8f4c Test setting a client to send a key share not allowed in TLSv1.3
47b0f172aa6 Fail immediately if we have no key shares to send
257ac127987 test/stack_test.c: check sk_sint_push result in test_int_stack
a0a73f52ad5 test/mem_alloc_test.c: tfix in test_xaligned_alloc
2b76895152f test/mem_alloc_test.c: avoid referencing potentially freed old_ret
abebeb1bb00 test/sslapitest.c: tfix in row allocation in create_new_vfile
5e34d647601 Fix the return value of OBJ_create
a71b4fae432 BIO_dgram: Fix BIO_CTRL_DGRAM_QUERY_MTU for IPv4-mapped IPv6 addresses
eec435695e9 We should not remove symlinks in submodules
851b0c88680 Missing .gitignore entries
ff9d70b9ee3 CI: cross-compile: riscv: enable more tests on extensions
389728876b5 set SSLfatal if tls1_set_shared_sigalgs has a malloc failure
084a6273470 docs: fix typos
18f822f6a6d rsa: made the padding and salt length parameter decoding more straightforward
c33bce64405 hkdf: make the mode decoding more straightforward
e676a87a279 asym cipher: make the pad type decoding more straightforward
1aae0a40161 rsa sig: make indicator parameter conditional on FIPS
ecc3491d536 ecdsa sig: make indicator parameter conditional on FIPS
a9d7e696ec9 dsa sig: make indicator parameter conditional on FIPS
fc7a72db242 hmac drbg: make indicator parameter conditional on FIPS
4e1eaa17c74 hash drbg: make indicator parameter conditional on FIPS
226b5a5ea48 ctr drbg: make indicator parameter conditional on FIPS
2f205fc496e crng test: make indicator parameter conditional on FIPS
b830ebaf62c test_rng: make indicator parameter conditional on FIPS
40dd58e0164 kmac: make parameters conditional on FIPS
60f8ff15112 hmac: make parameters conditional on FIPS
2d1280e5ee1 cmac: make parameters conditional on FIPS
3473f699fdc rsa kem: make parameters conditional on FIPS
b27f8403517 ecx: make parameters conditional on FIPS
f9bf224ef98 ecdh: make parameters conditional on FIPS
d01910a4f9a dh: make parameters conditional on FIPS
b411ef0b530 rsa: make parameters conditional on FIPS
2b7c555fecf params: fix conditionals in param parser generation script
d6fcaa5658b test/ml_kem_internal_test.c: Add EVP_MD_free() in the error path to avoid memory leak
d2a71ed94e8 Add CRYPTO_FREE_REF to ossl_quic_free_token_store
d582adc672b Add test coverage for PKCS7_TEXT mode
d6510d99ae4 DH private key size was one bit too large
80c664db430 RISC-V: Add MD5 assembly implementation with rv64gc and Zbb
5a68746099c RISC-V: Add Zbb orn and its pseudo instruction opcode to rv64gc in riscv.pm
ba2c314a60d Correct the synthetisized OPENSSL_VERSION_NUMBER
861eea47381 git: add x942kdf.c to gitignore
f4de265c0f1 encode_key2ms: convert to use generated parameter parsing
66968306093 encode_key2any: convert to use generated parameter parsing
3b69c40a276 decode_spki2typespki: convert to use generated parameter parsing
f9a57963576 decode_pvk2key: convert to use generated parameter parsing
70e33aef6ea decode_pem2der: convert to use generated parameter parsing
324fc17017e decode_epki2pki: convert to use generated parameter parsing
360388e55d9 decode_der2key: convert to use generated parameter parsing
33651beaf7c encode_decode: rename files for generated param parsing
a14e2f417eb rsa: update to use generated param decoders for signature operations
79197465e3b sm2: update to use generated param decoders for signature operations
74ccf8ce976 slh_dsa: update to use generated param decoders for signature operations
3c9ad1dba94 ecdsa: update to use generated param decoders for signature operations
c1fd9a4f8b5 dsa: update to use generated param decoders for signature operations
2c214751fe7 signatures: rename files in anticipation of generated param decoding
ea5c3c284e3 rsa kem: convert to using generated param decoders
af841adf9fb ml_kem kem: convert to using generated param decoders
d6d2cc75096 ecx kem: convert to using generated param decoders
c90eb152687 ec kem: convert to using generated param decoders
47a305bc782 kem: rename files for autogeneration of param parsing
213135a758c ecx: convert key exchange to using generated param decoder
fcb7e772fbe ecdh: convert key exchange to using generated param decoder
fa4545f4218 dh: convert key exchange to using generated param decoder
6928f97b7c1 exchange: rename files for generated param decoders
0247b0ada1c file_store_any: convert to using generated param decoder
6218a0a8229 win store: convert to using generated param decoder
1fd364bd292 file_store: convert to using generated param decoder
2849a80e331 storemgmt: rename files for generate param decoders
fb96193b4b5 rsa: update sm asymmetric cipher to use generated param parser
ffe236850c3 sm2: update sm asymmetric cipher to use generated param parser
dbe9a6825f1 asym: rename RSA and SM2 asymmetric cipher files
2044bc76793 drbg: convert DRBGs to use generated ctx get param decoders
a6b9070822d drbg: convert DRBGs to use generated ctx set param decoders
e77b362e87b crngt: update to use generated param handling
404da0b5e79 drbg: move drbg_local.h to somewhere it can be found by generated files
0ff53efc990 seed: update to use generated param handling
3f38832475e jitter: update to use generated param handling
fbdde4c799b test rand: update to use generated param handling
14cb7e65717 rands: rename files for autogeneration of param parser
96e96280ae8 blake2: use generated param decoder
d11c9541ef9 blake2: add generated param decoder
acb316bc20f poly1305: convert poly1305 to use param decoder
969011c3c57 siphash: convert siphash to use param decoder
5de2b13b2da gmac: convert GMAC to use param decoder
404f19838fa cmac: convert CMAC to use param decoder
483a18ae9ed kmac: convert KMAC to use param decoder
aad2304aa90 hmac: convert HMAC to use param decoder
d02ece1f5a2 hmac: remove two unsupported params
4761aea3fe1 Rename MAC files for autogeneration of param parsers
b508df7875b kdf: put back argument null checks
85bba74789f Remove OSSL_CRYPTO_ALLOC attribute from CRYPTO_*dup routines
24f72a5aaab Add NULL check
c0527256d2e Fix missing unlock in decoder_pkey.c
7d78cd722b6 Assert SSLFatal on keylog failure
0a15d71f671 Remove assert in core_namemap.c
f446bf79515 Fix SKEYMGMT enumeration, add tests
076f7b24fee Increment sleep time in quic_tserver_test less
2b618a13cf4 doc/man3/SSL_CTX_set_domain_flags: fix version in HISTORY section
1b1a859d3d8 test/sanitytest.c: fix setitimer usage in timer disarmament
bda2473a44e Fix memory leak on EVP_CIPHER_param_to_asn1 failure
d68986f1e60 fix: Apply cascade-disables before showing status
ae92a945dcd fix: restore missing --help in Configure
c4c1f6c7e6b ossl_prov_drbg_generate(): Move syscalls out of the write locked section
c79e1b212a6 Fix RSA key size validation in EVP_PKEY_RSA_keygen demo
e729d7c7329 cms_kemri.c: Fix Coverity issues
ef63a77758e crypto/{cmp,crmf}/: clean up unneeded #include directives
6b93db7bfd5 x509: Accept 'contentCommitment' as alias
c5ef06f4abc quic_channel.c: NULL check SSL_CONNECTION
760929f6ba1 crypto/sleep.c: avoid returning early due to signal
00f4228524c s/veirfy/verify
001ce7c281b - veirfy downloaded package
111978d42dc - add --no-check-certificate option to wget, pointed out by @esyr
b5157f29a92 the rpki-client external test should use relase version not a master branch on github
036a46d2a4b Fix failure checking on rcu_read_lock
7f780be2160 Fix failure checking on thread_local storage assignment in rand_lib
d090695101a test: add a sanity test for memory allocation functions
39029a1bb0c test/testutil/main.c: move global_init before test_open_streams
78b10493a91 OPENSSL_secure_malloc.pod: articulate possibly non-secure pointer being returned
14a24fd14ff doc/man3/OPENSSL_malloc.pod: explicitly document freeptr value on failures
704ee1348c4 doc/man3/OPENSSL_malloc.pod: document OPENSSL_aligned_alloc peculiarity
1e13b390db6 OPENSSL_malloc.pod: tfix, wfix in OPENSSL_aligned_alloc description
89f1f9bd733 crypto/mem.c: check for overflow in size calculation in CRYPTO_aligned_alloc
ff3caae4d28 crypto/mem.c: bump alignment to sizeof(void *) when posix_memaling() is used
26dc3d98369 crypto/mem.c: report posix_memalign() errors in CRYPTO_aligned_alloc
1104e80c8df crypto/mem.c: check the alignment for being a power of 2 in CRYPTO_aligned_alloc
648803a17e4 crypto/mem.c: don't use aligned_alloc in CRYPTO_aligned_alloc
1b742083e37 crypto/mem.c: simplify OPENSSL_SMALL_FOOTPRINT handling in CRYPTO_aligned_alloc
35a3958dc6c crypto/mem.c: tfix in CRYPTO_aligned_alloc
2c59dc90295 Call ctags on *.inc files as well
14737252a1e util/ctags.sh: tfix in a "set --" call
f3a4d05c588 apps, fuzz, providers: use array memory (re)allocation routines
5fab189ddd0 test: use array memory (re)allocation routines
351caebeac7 ssl: use array memory (re)allocation routines
b692380651d demos: use array memory (re)allocation routines
7867bf1523b crypto: use array memory (re)allocation routines
5398d5cbd90 crypto/ec: use array memory (re)allocation routines
354e78c1771 crypto/bn: use array memory (re)allocation routines
731fc629085 crypto/params_dup.c: add overflow check to ossl_param_buf_alloc
fa9b7b930e3 Add array memory allocation routines
af6a8fdf750 include/openssl/crypto.h.in: fix alignment for OPENSSL_*alloc macros
1f859bb5927 crypto/ec/ecp_nistp256.c: use OPENSSL_zalloc instead of malloc+memset
c4a91d5c261 ssl: drop multiplication by sizeof(char) in allocation size calculations
313c12125e3 crypto/mem.c: report realloc_impl failures
a83b85333ce crypto/mem.c: report realloc failures
bd1c59739d5 crypto/mem.c: factor out memory allocation failure reporting
4a518cebffe Fix msquic-openssl workflow to build container correctly
7eee9d543e4 Fixes for build failures on OS X 10.4 Tiger
8821d020500 skey: include extra error header file
1b71051b864 x942kdf: introduce conditionals on the FIPS only parameters
88d544c8306 tls1_prf: introduce conditionals on the FIPS only parameters
472ead8be38 sskdf: introduce conditionals on the FIPS only parameters
fd3a6a49ee9 sshkdf: introduce conditionals on the FIPS only parameters
c098acb0542 pbkdf2: introduce conditionals on the FIPS only parameters
ba2b292e966 kbkdf: introduce conditionals on the FIPS only parameters
004077be1bd hkdf: introduce conditionals on the FIPS only parameters
85e12cecbb7 params: produce an error if a parameter is repeated
5614c6f7e4c error: add new repeated parameter error
0c833c46cf4 params: add conditional params to the generation script
5f99d76e285 [RISC-V] Further optimization for AES-128-CBC decryption performance
252046cfc2c Coverity nits
0c1c243a80e Ensure that the largest_pn values are migrated to our channel qrx
4b6e6554b29 quic_channel: Handle HRR and the second transport params extension
605eda60ae1 quicapitest: Check if we can handle HRR
d0b69fa74bf util/analyze-contention-log.sh: print status output to stderr
99d0d23e05b crypto/threads_pthread: rewrite contention data storage to per-tid
0d6b1f50cbf util/analyze-contention-log: call the bash interpreter with -eu flags
b1303b115ef crypto/threads_lock_contention: factor out lock contention recording
c47c16ee400 crypto/threads_lock_contention: factor out obtaining the stack traces data pointer
1178184e96b crypto/threads_lock_contention: condition file suffix on FIPS_MODULE and not fopen() call
bd0b53a32c2 crypto/threads_lock_contention: typo: s/stack_info/stack_traces/ in ossl_init_rwlock_contention_data
10ce7f45cd3 crypto/threads_lock_contention: Remove duplicating code
e3d98f5bd4f Factor out the lock contention reporting facility implementation
1bbb0d7b530 .github/workflows/run_quic_interop.yml: remove superfluous docker-compose.yml patching
3f540b6def5 bn: save space in bn_mont_ctx_st by reordering elements
22d7d1d7d0f Add mdebug config for coveralls on master branch
3c3f0da9bdb Add a daily memory allocation failure test
437cde84a7e add a handshake memory failure test
95efe41d2e7 ssl/quic/quic_channel.c: Fix endianness of supported versions from received version negotiation packets
2b24455a9fb ssl/quic/quic_port.c: Fix endianness of supported versions in sent version negotiation packets
5286b175adb Improve english in endian comment
eea63154088 Eliminate indentation tabs from *.c and *.h files
8778245052b util/perl/OpenSSL/Test.pm: consistently use 4 spaces for indentation
dc044f616ee shake: update to use generated param decoders
1c5780ee521 blake2: update to use generated param decoders
9edc4746767 blake2: rename files for generated param decoding
b7c3a0c3fc8 sha3: rename files for generated param decoding
b7a38a14ef8 argon2: avoid searching for "size" parameter
3af4c99cd45 skey: update build infrastructure for generate param name parsing
d1d94e0fbe2 skey: convert generic SKEY to use generated param parser
b20da232801 Revert "Pairwise check for DH keys import as part of FIPS"
1afc4e8baa3 dh: add extra argument to ossl_dh_check_pairwise
db969c3ab08 dh: add FIPS 140-3 PCT on key import.
88a13095667 fips: add DH PCT name
32ff539daf8 changes: add note about PCT on key import to the FIPS provider
57230da2bd0 rsa (fips): add PCT for key import
a177798e0b8 ec (fips): add PCT for key import
58ab3b0ffee ecx (fips): add PCT for key import
dc5cd6f70a0 rsa: expose pairwise consistency test API
eac588ac360 apps/asn1parse.c: correct help text order for -genstr option
c07da07ebb5 pbkdf2: remove second compiled file
0b8c7b936eb macsig: call updated ossl_prov_set_macctx function
39868ab1bf1 params: emit an error if a parameter array overflows
454119a6257 params: revert error checking when params are duplicated
df981828f1b hkdf: changes to incorporate the fixed digest HkDF flavours
d847a472225 kdf: use generated param name alias handling
1d221516cdf params: allow param name aliases
35cc673927d tls1-prf: process multiple seed parameters with a single realloc call
b196aa8fa0b paramnames: factor out common code after successful match
f852b874653 kdfs: make the 'engine' parameter hidden
d417579e95d params: add support for 'hidden' parameters
e5d7e4f42a2 hmacdrbg_kdf: convert to generated OSSL_PARAM parser
4e183652cb4 hmacdrbg_kdf: update build infrastructure
049219fb08e hmacdrbg_kdf: rename C file for conversion to generated param name decoding
5a4a43a60ac evp_kdf_test: skip "engine" parameters when checking for updatability.
9aec76e6f9c argon2: convert to generated OSSL_PARAM parser
1996a28f7f3 argon2: update build infrastructure
a338a155c89 argon2: rename C file for conversion to generated param name decoding
c30b67748a7 krb5kdf: convert to generated OSSL_PARAM parser
fbb0a743739 krb5kdf: update build infrastructure
8248e6951f3 krb5kdf: rename C file for conversion to generated param name decoding
d77651bc099 pbkdf1: convert to generated OSSL_PARAM parser
431e85edeab pbkdf1: update build infrastructure
326c45f447a pbkdf1: rename C file for conversion to generated param name decoding
ee3ada89b77 pkcs12kdf: convert to generated OSSL_PARAM parser
bd9497f527f pkcs12kdf: update build infrastructure
e3b4ae67e71 pkcs12kdf: rename C file for conversion to generated param name decoding
1f6adcb9cce scrypt: convert to generated OSSL_PARAM parser
bf5c21ae161 scrypt: update build infrastructure
eb7a9943b27 scrypt: rename C file for conversion to generated param name decodering
2ab50514778 pbkdf2: convert to generated OSSL_PARAM parser
a4bd3d17197 pbkdf2: build infrastructure changes
de18f5b83bf pbkdf2: rename for autogeneration of param name parsing
61e4e10caa1 x9.42kdf: convert to generated OSSL_PARAM parser
546492d67e5 build infrastructure changes for X9.42 KDF
2ac0c48266f rename X9.42 KDF for autogeneration of param name parsing
cb6ab5b78a1 pvkkdf: convert to generated OSSL_PARAM parser
552f57e5e23 sshkdf: convert to generated OSSL_PARAM parser
290173caa4d build infrastructure for PVK KDF
0c5bb0feff4 build infrastructure changes for SSH KDF
d8d0421bc28 rename sshkdf for autogeneration of param name parsing
387c033a702 tls1prf: update to use generated param decoders
f04db6af459 kdf: remove max argument to the param concatenation helper
91b7d047073 tls1_prf: update build infrastructure for generated param parsers
fcc2dd27321 rename tls1 PRF C file
682f0e19d8b kbkdf: conversion to use generated param parsers
a6fe57013a2 sskdf: conversion to use generated param parsers
688d0bc5905 util: add helper functions that don't locate the parameters
b5828dbbf27 params: add helper functions that don't locate the parameters
dd266b44268 fips: update FIPS indicator functions so non-locating flavours are available
dc294270c00 hkdf: conversion to use generated param parsers
8050507a05a kdf: rename SSKDF and KBKDF for param parser generation
7144de2c653 hkdf: rename file for Perl processing
439f0243c1f params: update param parser generator script to support duplicated parameters
b00941ceb1a build infrastructure changes for KBKDF and SSKDF to use generated param parsers
575fcf5bae1 Update build infrastructure for generated hkdf.c file
1c0c2008f28 test: seperate the integer and string fetches of the 'mode' parameter
e44d7cb43a0 params: add additional error checking to generated param name parsers
f5c3b94d736 params: update generated decoder based implementations to handle return code
a7b9fa86657 params: generated decoder functions return an error state on failure
b8c46cba5fa CMS KEMRecipientInfo support requires HKDF with fixed digests
296f1f6dd8e Remove unnecessary OPENSSL_NO_RSA remnants
fd7fc903463 fuzz/dtlsserver.c: Remove incorrect ifdef guard
fcb5e20ac74 test_tlsext_status_type(): Avoid leaking of previously allocated data
b9ff440dd61 Only report generic error if provider did not put an error on the error queue
f77fafd16e9 Make ERR_count_to_mark() available to providers via 'in' dispatch array
f12f8cc035e Fix hanging of test_external_cf_quiche
d0899abb1b7 Implement KEMRecipientInfo (RFC9629) in CMS
daa004d4843 crypto: evp: fix potential null pointer dereference in EVP_DigestSignUpdate in m_sigver.c
3c4f009959c Fix NULL check in get_ocsp_resp_from_responder
bd1a14bcaf7 Set *sk_resp to NULL when freeing.
8ceae5a6226 Fix NULL check in bring_oscp_resp_in_correct_order
88a1fbb8d1b reduce lock contention when adding objects to ADDED_OBJ hash table
cff80311639 move added creation to happen outside of write lock
758ca8acf03 unix-Makefile.tmpl: Run find-doc-nits with env var checker too
ead653be8b8 find-doc-nits: Check env var documentation
dcf009cd897 doc/man1/openssl-rehash.pod.in: document PATH environment variable
3f633775e48 doc/man7/openssl-env: document HOME environment variable usage
2f41923d2d6 doc/man7/openssl-env: document OPENSSL_TEST_LIBCTX environment variable
1df3a8a80e8 doc/man7/openssl-env: OPENSSL_TRACE: tfix
30740298b6c doc/man7/openssl-env: sort OPENSSL_TRACE categories lexicographically
10e26ab1224 doc/man7/openssl-env: update REF_COUNT OPENSSL_TRACE category description
9ccd3886640 doc/man7/openssl-env: document QUERY OPENSSL_TRACE category
62c4633851c doc/man7/openssl-env: document PROVIDER OPENSSL_TRACE category
707f6124160 doc/man7/openssl-env: reword the description
f5fdbb8fffd doc/man7/openssl-env: document which variables are considered security-sensitive
6de54753c28 doc/man7/openssl-env: document OPENSSL_DEBUG_DECC_INIT environment variable
133889218e2 Document LEGACY_GOST_PKCS12 environment variable
2f531a742df Document OPENSSL_MALLOC_SEED environment variable
63e526a4d82 doc/man3/OPENSSL_malloc: improve OPENSSL_MALLOC_FAILURES documentation
1109bc12372 doc/man7/openssl-env.pod: document HARNESS_OSSL_PREFIX environment variable
e914d23642f doc/man7/openssl-env: sort *_PROXY environment variables, add lowercase variants
0afaa27df79 Document SSL_CIPHER environment variable
deed2379a76 doc/man7/openssl-env: sort the variables in lexicographical order
09fa39899ba doc/man7/openssl-env: sort the capability envvars/links lexicographically
5e34e6a5739 util/other.syms: sort OPENSSL_*cap lexicographically, add missing variables
082a81404cd apps/lib/apps.c: remove HARNESS_OSSL_PREFIX envvar handling
70c05fcde53 Remove HARNESS_OSSL_PREFIX manipulation in the test harness
e08b83cbb3b Pairwise check for DH keys import as part of FIPS
9c09d2076aa Update dh_pub to be pairwise consistent with dh_priv
1a1c10f5d74 Exchange no-sm2 and no-ssl-trace between on PR and daily jobs
981d6776a33 test-ec: Skip SM2 key import test if SM2 is disabled
44ef69cffbe Fixed #27506, now the behavior with an empty IDN is the same as with an incorrect IDN.
d777deffbae - adding a missing file
92330c8f80e - changes suggested by @t8m
a43b926fd2c - fix RFC reference and indentation
b0836134764 Update ssl/quic/quic_ackm.c
4a3c954a0cd Update ssl/quic/quic_ackm.c
cdbfacead0d ACK manager must avoid infinite probe time when waiting handshake confirmation
49f8db53274 Add a test of 'openssl storeutl' with a BER-encoded PKCS#12 file
1f3af48c312 Fix OSSL_STORE to consider cached info in the EOF check.
9665baf0f98 Update workflows to test msquic with OpenSSL
b1b4b154fd3 Add support for TLS 1.3 OCSP multi-stapling for server certs
c108ead2840 sm2: sm2_sign.c: check EC_KEY_get0_private_key() for NULL in sm2_sig_gen()
bd172dd0e1b fix SM2 privatekey decode(PEM format, ECPrivateKey).
e7d5398aa13 openssl rand command should use the loaded library context
d3e781b764b test/timing_load_creds.c: Add fclose() if error occurs
c64b6af5e20 LoongArch: Add SHA-512 assembly implementation for better performance on small-size data
895f8f6ad1f LoongArch: Add SHA-256 assembly implementation for better performance
d217b499948 --amend
d9044daf1ee replace GitHub Actions in Windows jobs
d05ac3becdc Fix perl warnings on various scripts
499f6553370 sm2: add some signing tests.
d73d40af375 evp_test: add a new global "Test-Entropy" line to allow deterministic `random` input.
7bf4b30bcc8 sm2 test: remove unnecessary available in lines
bde55d421b1 ECX/ED keymanager param getter fixes.
5d0c6c52e72 Raise PROV_R_NULL_OUTPUT_BUFFER if shsec is NULL in ml_kem_encapsulate() b3187ab5a75 Add CODEOWNERS file 9ee9a519be8 pin GitHub Actions revisions from untrusted vendors a9a7e017b8c Update container images in OS Zoo CI workflow c315f98f715 evp_pkey_type: Make base_id_conversion table static 055dd1d8bb2 Add AES-CFB128 optimizations with Intel AVX-512 and VAES 886396462dd Extract AES CFB implementation to cipher_aes_cfb* b89ab15f133 Add workflow to check perl core modules for 5.10.1 3a90d5f83cb Deprecate ASN1_METH related tests af2aaf3271c Deprecate ASN1_METH internal usage 6b5540c21c0 libcrypto.num: Deprecate EVP_PKEY_ASN1_METHOD related functions 23de79343f0 Update documentation on EVP_PKEY_ASN1_METHOD deprecation 52d212dd700 Deprecate EVP_PKEY_ASN1_METHOD related function declarations and definitions 1bc3191b684 Add deprecation macros for 3.6.0 704a2108ab9 providers/implementations/digests/sha3_prov.c optimize ossl_(un)likely 682f7019852 crypto/params.c optimize ossl_(un)likely 340827c819f crypto/init.c optimize ossl_(un)likely e7408649765 crypto/threads_pthread.c optimize ossl_(un)likely 296e4d3c95b crypto/mem.c optimize ossl_(un)likely d083024b733 crypto/bn/bn_gf2m.c: optimize ossl_(un)likely d1facb48581 include/crypto/md32_common.h: optimize ossl_(un)likely 6c9712e6b73 crypto/bn/bn_lib.c: optimize - seems to bring not much benefit 112f3afd21e crypto/evp/digest.c: optimize ossl_(un)likely 342c0f340c2 Update doc on CRYPTO_MEM_SEC(_MINSIZE) 91d34f408cd openssl: Add option to init sec mem at startup ac87f6b3a36 LMS: Coverity Fix 1659010 (Unused Value) 43f4da917ac LMS Coverity fix 1659009 215167fe7e4 const up ERR_str_libraries b8cc3276606 sec_mem: add note about the perf implications 4337989667b ci: enable lms only on master ab021b624f1 Add lock contention checking to our pthreads implementation 8253b58d60e Make the lock in CRYPTO_secure_actual_size a read lock b2ac43b0d89 Add note about use of EVP_PKEY in different libctxs 9a6376dd759 PEM_read_CMS.pod: 
Correct the deprecation notice 21f1b677d54 Provide X509_CRL_get0_tbs_sigalg() 13259a758ad test/quic-openssl-docker/hq-interop/quic-hq-interop.c: Move BIO_free() to err label to avoid memory leak e6c20588efa QUIC receiver may accidentally ACK packet it fails to process 07675d28de7 DOC: Fixup FIPS provider documentation. 6b5fd48ee4f LMS code review fixups e6c81104834 Add LMS evp_test using NIST ACVP test data. d3081a52e87 test: get the LMS test recipe run non-FIPS tests 2bcfff8509b ci: enable LMS in a number of different builds 17a1637a3f0 Make LMS disabled by default 34520fd5452 lms_test: add key gen negative test 57267e2bcf6 lms: add negative tests dff36957a42 lms: add signing negative test 19126fcf230 packet: add new utility function PACKET_get_4_len() 8b449d01a7d test: get provider compatibily tests working 25171e08031 Add changes entry for LMS verification 3f0d4ffd33b doc: document the additional LMS self test description d3a29ad1354 fips: add self test CAST for LMS verify 0c534426236 fips: add LMS description bd9dc16fc2d Fix indentation a3b9edcb790 Add LMS documentation 48af66aef72 Add LMS to the fips provider. 1c2fc7c3e04 Allow SHA256-192 to be used internally in the FIPS provider. 7be3137fb5d Add LMS Signature verification. c64558ede85 Add LMS public key decoder. 2a6a2adc8d9 Add base code to load a LMS public key. 495f5fa0ba6 Add Configurable "lms" option c6a1d8ea744 HKDF updates 2671a68a271 Add fixed-digest HKDF documentation d1a8d5a8330 Add HKDF algorithms with fixed digests. 
162089af7c6 Address coverity issue 1655295 f13abf37fd8 Address coverity issue 1655294 51ce5499f9b Introduce SSL_OP_SERVER_PREFERENCE to replace SSL_OP_CIPHER_SERVER_PREFERENCE misnomer b321bf25c88 Fixup non-optional use of IO::Socket::IP fa5e688cc85 Update rpki-client-portable to fix build 36614faa98c crypto/slh_dsa/slh_hash.c: Add check for EVP_MD_get_size() b4fedba43ca Separate public and private ML-KEM allocations 815dde3e205 Use secure memory allocation for ML-KEM and ML-DSA private key storage areas 4dbb537bd1e RISC-V: Provide optimized SM3 implementation using Zbb extension 2b56a00eb9d Add CI for backports to be run when respective branch label is set 517c1d6fa0a Add .[ch].in files to ctags 28836147728 Update util/analyze-contention-log.sh 84e719bc2b7 Add lock contention log analyzer ac6178c3f18 Fix some conversion from size_t to const int errors 0d5c7766946 The check-ansi job is failing in the openssl-3.5 branch as a result of commit 60775e3. Fix that. e8d6e0460b9 Extend create_accept_stream test 20c3988bcd3 Add test for SSL_accept_stream 74a0ec3c08e Add stream type flags to SSL_accept_stream 902568bbd98 Remove need for BN_BLINDING lock 8067e713a16 demos: Silence warnings on Win64 builds 9f08f30f1dd CI: Enable strict warnings on all Windows CI builds a3af1c036cd test: Silence warnings on Win64 builds c2482c68e5c fuzz: Silence warnings on Win64 builds c62cd07d142 apps: Silence warnings on Win64 builds a0fcbcb282c engines: Silence warnings on Win64 builds abdbad370cd libssl: Silence warnings on Win64 builds 6f9683d6519 providers: Silence warnings on Win64 builds bb86c43fa88 libapps + libcrypto: Silence warnings on Win64 builds 2d978786f3e Remove accidentally left debug statements from ec.c efa2d85571a test/quic-openssl-docker/hq-interop/quic-hq-interop.c: Add check for OPENSSL_zalloc() b63b019f660 test/quic_multistream_test.c: Add OPENSSL_free() to avoid memory leak b2e7c4e2baa apps/openssl.c: Add OPENSSL_free() to avoid memory leak f2e45b6418f Remove unused 
data from self test. b63adfc58ac Update FIPS provider doc to match the current code. 2ad09ef4139 test/bio_pw_callback_test.c: Add BIO_free() to avoid memory leak 881ff0c2253 demos/cms/cms_denc.c: Add check for BIO_new_file() 8a7545607e8 demos/cms/cms_ddec.c: Replace "in" with "dcont" to correctly check the success of BIO_new_file() 2fccd17e8fe apps/lib/apps.c: Add check for BIO_new() bdb769841a3 Fix internal documentation of ossl_namemap_num2name() 60775e31123 decoders: Fix prioritization of decoders via property query f3867bb25be Introduce cms kekcipher option to select cipher for pwri f6c400f4cca CHANGES.md / NEWS.md fixups ahead of release b3161bd9a93 Fixes #27831: Decreased NAMEMAP_HT_BUCKETS to 512. de5a619aa01 fix: msg callback in dtls1_do_write that incorrectly shows message (like a certificate) that spans over multiple fragments. 63cb8f99a13 Fix nullpointer dereference in OSSL_PARAM_merge e7e79509986 Enforce permissions 0600 for SSLKEYLOGFILE fa0c67a28a5 Better lookup for openssl executable 7bdc0d13d2b speed: Increase MAX_SIG_NUM and fix its usage in loopargs_t fields 5876f3f52a9 test/build.info: minimize use of static libcrypto.a and libssl.a 2e1b046d9af eddsa: convert to using struct based TRIE decoder for params processing ff9fb929151 update build infrastructure to support generated eddsa_sig.c da5fec07972 rename eddsa_sig.c for autogeneration 7cd75929f16 eddsa: remove impossible parameters from gettable array 07399c25663 digest: convert algorithm gettable parameters to use struct based TRIE decoding 64743597ecf update build infrastructure for digestcommon.c.in cf13e665221 mlx: use TRIE & struct based param decoding b622ae3917b update build instructions for mlx key management 587134913bb rename mlx_kmgmt.c to mlx_kmgmt.c.in 3bb06ce7980 ml-dsa: use TRIE & struct based param name decoders a1a08a4a254 build infrastructure updates for ml_dsa signatures 0ef373bd34f rename ml_dsa_sig.c to ml_dsa_sig.c.in d09a7cad9ab cipher: use table based param decoding for 
ciphers f9865ab9eed cipher: declare common OSSL_PARAM structures and helper functions 08ca4fdf9f8 paramnams: add new line to break long function declaration 2d226c389ce 3des: remove redundant OSSL_PARAMs from settable list c45ab5b8de0 init_master_key(): Check return of CRYPTO_THREAD_init_local() 53a83a79217 evp_extra_test2.c: Fix doublefree of PKEY and leak of RSA cdd01b5e073 Nit: macro parameters should always be parenthesised in expressions b6ff5598539 Fix exit code for s_time when -new command line switch specified c09b86749b6 Clean up thread_local function names in initthread.c d259b8b8556 Refactor init_get_thread_local to be more understandable 5466197f16f Restore use of crypto_thread_default_context 32559a6035b Fix fips cleanup of master key 24f0715e00a Allow for differentiating between default and NULL context 4ed9a38a906 Check setting of master key value 68c1fcc99e3 reduce memory overhead of CTX_TABLE_ENTRY bbd886c501e convert master_key to use a top level fixed array 21980b98139 Move the async-job api to use the new thread-local api d6d5170ed20 Update ERR lib to use new thread-local storage api 2e74a3045b4 Move thread-event handlers to the new thread-local api ce990ce83b5 Adjust rand_lib to use new thread-local mgmt api 2cb068fb225 update RCU to use the new thread-local key mgmt api c1c2a333d34 Add new CRYPTO_THREAD_[get|set]_local_ex api be7467f5a0a Add return check to BIO_new, SSL_CTX_new and EVP_PKEY_new 0fe6c21a7da fix: difference between parameter name between doc and header file. a9cb68ee8fa Skip CI jobs for custom runners in forks 837592dcd99 Fix buggy stringop-overflow error on s390 4a341e08301 Add params precondition in ASN1_STRING_TABLE_add, ASN1_STRING_TABLE_get 403ba31a02e Preserve connection custom extensions in SSL_set_SSL_CTX() f7b10004dce Add a helper function to copy custom extensions with old style arguments e8df1d12455 The comment should refer `ossl_quic_stream_has_recv_buffer()` and `ossl_quic_stream_has_send_buffer()` explicitly. 
27eea04b061 Update pkeyutl documentation for PQC algorithms (Fixes #27415) 48e3fe08639 Avoid potential double close of client_skt in sslecho 03839dc6ef6 Add a target to generate local coverage reports 78051ae9e54 Add target for local coverage report generation 1187df53287 Add branch coverage to our coveralls run d8277a6fba7 Add pgo build type effba0ee654 change _ettable to _list 4b0e0cc84db params: sort structure fields for repeatability f50e9ef5105 params: remove obsolete functionality from param generator script b0dcb391d2d ciphercommon: rework to support improved parameter handling e20800d744b chacha20: update to use improved parameter handling dce3a00be60 gcm: update to use improved parameter handling e40d5752061 ccm: update to use improved parameter handling fa92dd94276 prov: rework cipher include files to support improved parameter handling 61d20724a66 ml-dsa: update to use improved parameter handling 4fc06921b7f ml-kem: update to use improved parameter handling 85cfd18d1c9 build: build struct based param files 51425094b5f params: update TRIE builder script to emit structs of param pointers ddf1f14105b Remove param_names.h 74794539620 rename CCM and GCM mode common code files c296e1ce24d Add strlen to symbols allowed on Windows d56e2450c16 CI: Remove -Wno-stringop-overflow for s390x builds 8721def7fce Report errors in ML-KEM pkey hash d9b02304602 test/evp_extra_test.c: Add OPENSSL_free() to avoid memory leak if EVP_PKEY_CTX_set0_rsa_oaep_label() fails 6bb81f9294c armv*-mont.pl: Correct a carry flag comment fbb2a207322 Add a test for SSL_set_verify with QUIC 4b148ebb66c Ensure we pass the user SSL object for the SSL_set_verify callback 4a3809f7056 check-format.pl: prevent false positive on typedef with space and '(' after type name e925b99f943 check-format-test-negatives.c: add 2nd macro indent test and hint on how known false positives are marked f21a8391dd0 check-format.pl: prevent reporting "{ 1 stmt }" on "else if" branch unless -1 or --1-stmt option is 
given 560ea7ffbf5 check-format.pl: allow block for switch case/default 58eb08985c4 check-format-test-positives.c slightly improve comment describing the '*@' tags e6476de58d8 adapt check-format-test-positives.c for too long lines after limit was relaxed from 80 to 100 52dba1c098d Begin incorporating stdbool usage when json encoding 49885aebe7c fix: Better documentation on DTLS_set_timer_cb() 5ee8248d083 ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation de1e4989d56 test/helpers/quictestlib.c: Use goto instead of return to avoid memory leak 339ced70da1 s390x: Fix HMAC to fail update or final call when already finalized 443298e0f0e return NULL if gctx allocation fails. 02f9c9342d5 check gctx for NULL before cleanup. fcc5df53697 Allow our *_gen_cleanup functions to tolerate a NULL ctx 53e5071f340 Document transition from ANSI-C towards C-99 a4c5096d16a genpkey.c: Fix filename copy & paste bug in error output 9a788281d91 Silence -Wstringop-overflow warnings with gcc 14 on s390x 2c74a8d1ef4 Allow keygen after dup of minimal PKEY ctx bef03c6a24f Fix SHAKE AlgorithmIdentifier encodings 8e787b10284 fix: add parsing check in TLS compress_certificate extension handler c37b9e3425c crypto/evp/ctrl_params_translate.c: prevent clashes of generic names NONE, GET, SET a2cd7ecd75d rand: add argument error checking to EVP_RAND_nonce() e81b252a955 rand: document the EVP_RAND_nonce() return correctly a2b9120d150 rand: produce correct return from EVP_RAND_nonce da585e214cf rand: fix memory overrun bug 6d490a92fe4 rand: add unit test exhibiting memory overrun b994ce4088f Add a test to confirm that we can repeatedly create and destroy keys b6d01d1b1fe Allow for reuse of thread_local keys in threads_none 07c772847de Fix NIST ACVP server URLs in SLH-DSA test files b0d363a2cb0 Remove _strlen31 ae404a9b3bd Fix use of IO::Socket::IP on windows 2025 3991ade5a5b ml-dsa: update to use TRIE decoder 60f9c9d804d ml-kem: update to use TRIE decoder 0ecaf8191e6 update build.info with new 
.in files 23c87cef520 rename ml_dsa_kmgmt.c & ml_kem_kmgmt.c to ml_dsa_kmgmt.c.in & ml_kem_kmgmt.c.in f78f824c8e4 Test randomly selected client port for availabilty in sslrecords test fb6ae00713e doc: fix misspellings of certificate(s) ac85974bc34 apps/x509.c: re-add ERR queue printing on errors 287bbb28b09 Split arguments taking quotes into account 0b1bdef38ef Avoid shell commandline processing in CA.pl df5dff26efb Add a CHANGES.md entry regarding no_renegotiation alert 0db6a59ea79 Update documentation regarding no_renegotiation handling 7f6e66b048c Test that a no_renegotiation alert is handled correctly e5feca0659e Fix DTLS handling when receiving a no_renegotiation alert 83fa1b8b94d chacha20_poly1305: use the new name/type code generator 04e969d1f67 cipher: use the new name/type code generator for ciphers 973322d6729 paramnames: add new function to handle names and types. 19dfc4672a3 ci: remove windows-2019 runner images 9bad2b86e89 Reset qtls->local_transport_params_consumed to 0 on SSL_clear() 9a5ac069213 Add test for yielding of write secrets before read 098cfd216b9 Ensure client read app data secret change occurs after write for QUIC c7f9c4d7d18 Implement explicit storing of the server_finished_hash 86e75792622 Ensure client read handshake secret change occurs after write for QUIC 4579a18cf51 Implement explicit storing of the handshake_traffic_hash 857156910d8 - drop s/-ansi/-std=c99 a5d1eadde1d Regression test for incorrect HMAC API usage 1c1ce2a6eeb Handle 0 return values from DH key computations as errors 8a9e0d0f499 Use value barrier for constant_time_cond_swap_* 7c6d9da45f3 DOC: update references to obsolete RFC 2459 (updated by RFC 5280 and DSA parts taken over by RFC 3370) f426dd1311e initial implementation of http/1.0 server to benchmark OpenSSL QUIC stack. The server currently replies with HTTP 200 OK only. It provides text/plain response body. 
005f545f645 - fix copyright years eee2d0610b7 - install libtls-dev f92157d340d - s/libtls/libretls fa43c8c059d - install libtls abe1014d0de - fix typo in github action f50e0694245 - adding rpki test to ci workflow 1eb79b51e74 - adding rpki-client-portable repository as submodule f1305ea551e - rpki external test 9465cbf68b4 add rpki-client external test 6c3e1110168 Add generated cipher implementation files to gitignore 0b968a3572d Cleanup - this constant and functions are no longer in use 9ed90fd44cc sslapitest: Add failing test for quic double free 258d3a695e3 quic_tls.c: Precede double free on EVP_MD variable 66454bf8bac [design] Functions for explicitly fetched signature algorithms 08b2042a20e Document that FIPS provider cannot be used by multiple libcryptos e8deb32af48 test/evp_test.c: Free fetched_digest on error to avoid memory leak 00c531a5e32 crypto/property/property.c: Free impl->method to avoid memory leak 3161f460fa7 apps: lib: Prevent potential NULL dereference in init_client() 8ad37051e28 README.md: Improve links to GH workflow badges 005fa3e00e1 Note finished state in cipher BIO EOF 864333b455e Attempt to fix occasional failure of quicapi test in ci 3423c30db3a Document EVP_CIPHER failure for missing provider function e0ae8017287 apps/cmp.c: Free bio on error to avoid memory leak 0873cd1b680 OSSL_CMP_MSG_http_perform(): Remove extraneous %s from debug log print 9882d389df7 crypto/pkcs7/pk7_smime.c: Add BIO_free() to avoid memory leak 0dc6ea55a13 apps/pkeyutl.c: Add OPENSSL_free() to avoid a memory leak fa2e4f7bada test: use EVP_PKEY_get_security_category function in tests 73188a01bd9 doc: document EVP_PKEY_get_security_category function 445e2797e6f add EVP_PKEY_get_security_category to exported symbols 8bdb1228770 evp: add EVP_PKEY_get_security_category function bb05bf76dc9 slh-dsa: add security category checks to evp_test data 1d4d18daae5 rsa: add security category checks to evp_test data 0bc71fd5195 ml-kem: add security category checks to evp_test 
data 1f000a41125 ml-dsa: add security category checks to evp_test data 6cc9a3fd0bd ecx: add security category checks to evp_test data ae36afee115 ec: add security category checks to evp_test data fdc0c8a3ab2 dsa: add security category checks to evp_test data 17e7e85d153 dh: add security category checks to evp_test data 3b9f957c790 slh-dsa: add security category support 4da326af2a7 rsa: add security category support 32bc8e3434b ml-kem: add security category support 64328438f6c ml-dsa: add security category support 2f1890eb181 ecx/ml-kem: add security category support 077ed48edf6 ecx: add security category support 5dcf3806e25 ec: add security category support 38517717920 dsa: add security category support 4577a4a59f5 dh: add security category support c3215ac5738 evp_test: support security-category for public key operations 8f373f11d23 doc: document the security category param for pkeys c58085d4a9c Add security-category param name a0d1af6574a quic-interop-ci: Fix docker install 8bd89f15c96 Add more instructions in HACKING.md 52a2b3d82f3 Avoid leaking duplicated EVP_PKEY_CTX in case of error 6543f34dda8 Fix memory leaks after failure of PKCS7_add_signed_attribute() afd32bcb545 Updated Windows notes on the use of “no-makedepend” for new builds d7be888244f quic-interop-ci: Fix failing CI 0eb9acc24fe apps/x509.c: Fix the -addreject option adding trust instead of rejection a198caa5e34 Update pkcs11-provider submodule edd3f47fd76 test: reduce the scope of pkcs11-provider external test 031b4b7c25e test: skip tlsfuzzer tests pkcs11-provider test 402380d3e1f ci: run all non-external tests on fedora:latest 29e7e1dcb6b ci: run pkcs11-provider external test on Fedora 016d6deb850 ci: re-enable pkcs11-provider external test 8626a716b07 crypto/evp/signature.c: add checks for consistent presence of 'update' and 'final' functions 1146b74a8a5 provider-signature.pod: add missing doc of OSSL_FUNC_signature_query_key_types(), fix doc of return types, etc. 
4a9a59cb075 crypto/evp/signature.c: add more specific diagnostic data in case provider does not implement functions needed 3a57fb1386d crypto/evp/signature.c: compensate for providers not adding error queue entries on operation failure 72351b0d180 crypto/evp: compensate for providers not adding error queue entries for keymgmt, sigver, and asymcipher 1fc96a3cff1 store_result.c: add to error queue which provider failed to load credential and hint on using default provider 3a50b5ec684 80-test_cms.t: Fix indentation by replacing tabs with spaces 8fd0d230fdf Fix some typos in the man pages 00480f1def8 The condition that is never checked has been removed. If criterion == OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT, the criterion !=0 condition will be triggered. b9282ecafa3 Check NASM version for {vex} prefix support de4a7fad9ef Remove redundant space in effective address 4189992f5bd Pick up {vex} in x86_64 assembler translator 6a6a098bf1d apps/prime.c: Remove unused assignment 55d8d859797 demos/bio/sconnect.c: Free ssl_bio on error to avoid memory leak 5f661e4e96b crypto/x509/v3_lib.c: Free tmpext if X509V3_EXT_add() fails to avoid memory leak c54fd95918c Workaround for issue with assembler on OS X 10.4 235092d7808 Fix AIX build in test/radix/quic_tests.c e11fdd8293c Fix build failure on AIX 0ba71c0a24b ssl/t1_lib.c: Free gix if sk_TLS_GROUP_IX_push() fails to avoid memory leak 10bd6fa8ca9 demos/guide/tls-client-block.c Spelling correction e66097fc668 s3_lib.c: Use illegal_parameter for failing encapsulation in ml_kem 1094db3c4e5 Fix trace output for provider algorithm names 0d3f0876ac1 prime.c: Remove uneeded if check for NULL value 1e27fb5d5b1 cipher_chacha20_poly1305.c: Remove unneeded check 7cc69ec4cf5 configutl.c: Resolve possible resource leak of config file 677ded75473 configutl.c: Remove dead code 99ea6b38430 Add NULL check in ossl_quic_get_peer_token 5da4ea10be8 s3_lib.c: Handle weak x keys as illegal_parameter alert dca67c0aa17 APPS/x509: add -multi option for 
outputting all certs found in input 913ee3af63e d2i_X509.pod: add missing doc of return value of i2d_ASN1_bio_stream() 1a8cc7fab0f asn_mime.c multi_split(): add missing I/O error checking 3f953185b2a SMIME_text(): add missing I/O error checking 1d5d4634ee2 SMIME_crlf_copy(): add missing I/O error checking 7084d167aae PEM_write_bio_ASN1_stream(): complete I/O error checking 88777599a6f apps/cms.c: add failure handling for I/O errors of 'BIO_printf(out, ...)' c3da4b584e0 apps/cms.c: clarify treatment of 'ret' variable in cms_main() 98b6df79fb1 apps/cms.c: remove needless ERR_print_errors() calls cc7084a5ee2 apps/cms.c: add missing error messages in various error cases ea7b971563c fix asn1_write_micalg() in asn_mime.c on GostR3411 and SHAKE, also return 0 on I/O errors d8e87f9c2f1 SMIME_write_ASN1_ex() used for CMS: add error checking for calls to BIO_printf(), BIO_puts(), and asn1_write_micalg() 1beaf112e53 apps/cms.c: add missing error message on error writing CMS output (ret == 6) c1ab5734ab5 Return SLH-DSA public key when requested 3e82012b39e Return ML-DSA public key when requested b87f4407c72 chacha_poly: use TRIE based param name decoder 3818f7779ef test/testutil/testutil_init.c: Add OPENSSL_free() to avoid memory leak aa8bca2e810 Stop a TLSv1.3 server emitting an unsolicited PSK extension 831cbbb5dd4 statem_srvr.c: Add check for empty ecdhe encoded key 35e431ed6da APPS/cmp.c: fix char encoding of subject, issuer, sender, and recipient DN 4eb3eea7a38 Check rand_meth_lock existence before trying to lock it 53ea500c49d Raise an error if PBKDF2 iteration count set to zero on check disabled in default provider 5810149e656 Add retry capability to apt commands in quic interop ce767149662 SHA512/x86_64: Fix SIGSEGV on $avx=0 path f4d9904763e test/timing_load_creds.c: Free contents in error handling to avoid memory leak d521ed9ea56 chacha_poly: fix settable ctx param list a6d5af4fb52 Update IMPL_*_SIGALG to not have to stringify parameter 1afcc27f945 Add a test for app 
data received too early d2a33efd394 Ensure we properly release DTLS buffered app data records 4dca928a29c test/bio_comp_test.c: Initialize pointer to avoid undefined behavior 8109618a1ce CHANGES/NEWS entries for configutl b43913be7ea Configutl tests 08616b09e02 configutl documentation 78ca45cef09 Utility for dumping OpenSSL config file d56f9b4d894 Fix memory management in port_make_channel fe01b4d2f62 Add a test for sending an empty app data record in DTLS a23d5e20f16 Drop empty app data records in DTLS cba510ab862 Align PBKDF2 indicator behavior with other implementations 9884f1dc116 crypto/provider_conf.c: Fix possible memory leak 3f5dc064d02 ccm: update CCM mode ciphers to use the TRIE param name decoder for AEAD ciphers 0d969379cb2 gcm: use TRIE based param name decoder bf0f1b5d6f3 AEAD params: generate a TRIE to decode AEAD cipher parameter names c9c7bfcd424 rename ciphercommon.c 7a10ecd4051 params: update generation script to support multiple TRIE output b747a48bb17 params: don't build removed file 9d80e50df5f params: don't build global param name TRIE 67ad6a08980 Fixed chacha20 get updated IV fda4777c140 Enable AES and SHA3 optimisations on Qualcomm Snapdragon X systems 1eee02d3e71 Fix SSL_{set1,add1}_host() handling of host name/IP address and related documentation eb909d785f8 SSL_set1_host.pod: add recommendation to use SSL_{set1,add1}_host() and SSL_set_tlsext_host_name() 49a3e7adc39 RISC-V: Provide generic optimized SHA-256 implementation for rv64gc 995e9489e62 pkcs12: increase macsaltlen from 8 to 16 as per NIST SP 800-132 3f98e949d3e Removed references to vxworks because it is an unsupported platform 81e8b5a5038 Fix use after free bugs for public_keys and private_keys in evp_test 9da1a9c30e1 Add a target config for MINGW on ARM64 af5952d533b Drop "by store"'s by_store_subject_ex() 927debaf7b4 Add test_verify tests 0c48ee2bf51 Rework the "by store" X509_LOOKUP method to open the given URI early 3513a830cc1 Run tests nightly on riscv64 runner d08d77789e2 
Disable unterminated-string-initialization in strict-warnings 3847b4920a6 apps/prime.c: Remove dead code 5b800192f2f Expand gettable params for HKDF 934086fb916 Update test/ossl_store_test.c 1dc52b4f7d8 Update test/ossl_store_test.c 52e8814de3b Adding winstore open test 305bbc1837f bio_b64.c: Replace OPENSSL_assert() calls with ossl_assert() 81ce3d3ae8f sslecho: Rename bool to flag to avoid C23 conflict 29464b4c15d Fix a typo in evpciph_des3_common.txt 01ea0804981 Fix a deadlock while attempting to get the Primary EVP_RAND_CTX 6ff4c1d8746 Ensure that our fips internal provider is always loaded 606de509e38 Assert that we successfully obtained a lock 273c75e8636 Add a test for calling RAND_get0_primary() 77624f0c5bc Fix aesv8 arm assembler code not working on 32 bit Android 0e418628998 ossl_json_f64() seems to be unused, remove it to avoid libm dependency 70d7194bf5c doc/man3: Document missing macro function history f3f0194954c doc/man3: Change formulation to let the script to catch it 9c23bcb9905 other.syms: These functions were deprecated ef9c289996e util/find-doc-nits: Check function macros in history 20fb5dcb1e2 Clarify how s_client -ign_eof and -quiet impact command processing 290fd4a0c87 Test+fix handling "wrong" downgrade signals 7535f26210a Repair downgrade tests 1d770fc6a9a Make cpuid_setup non-constructor bf4c8528934 Improve documentation for -cipher option in openssl genpkey 4d3ec3d9595 doc: OSSL_PROV_PARAM_STATUS is signed integer 573db120795 apps/prime.c: Fix memory leak of a BIGNUM d6dc0f1cacd Update to use BIO_get_line() with support for multiple primes per in file 585a1e6f8ba Address and add tests for edge cases involving short or empty files f15a2a43ef2 Fix issue where file is not read correctly with Windows line endings 0b7a16fe09c Add 20-test_prime unit test d18526cb942 Add -in option to prime function to allow input from file for primality testing. Update -hex option documentation to reflect use with input and output. 
978a4e199d6 Added quotes to mask spaces in the path when building 56c739816f3 BIO_dump_indent_cb(): Check for negative return from BIO_snprintf() b56dd5bfec8 Fix also BIO_printf formatting for INF and NAN f417a91f2f2 Fix POD indentation in OSSL_CMP_CTX_new 406ce5909be Fix typo in SHA256 RISC-V64 Zbb comments: Sigma0 -> Sum0 3f28cc6e63c Test ML-DSA, SLH-DSA, and ML-KEM PCT implementations 17cacc1a1c8 Move to error state if ML-DSA / SLH-DSA PCT fails 89b5a9b8bcf Facilitate corruption in ML-DSA PCT 9123684c817 Add verbose output to 'openssl list -store-loaders' 04b59c41993 poll builder: add dummy field 1c1c9dc11b5 app/s_client.c: clean up and broaden use of ERR_print_errors() 9636f9a4318 file_store.c: give detail on file_set_ctx_params() error a6f858b1912 by_store.c: suppress in cache_objects() likely non-relevant error queue entries calling OSSL_STORE_find() 29864f2b0f1 Fix P-384 curve on lower-than-P9 PPC64 targets e8b03fbcdab Add test to check SKEYMGMT interfaces 273ceaa7c32 SKEYMGMT: Expose settable params 6683c886f27 Relax absolut path checking in our 'file' scheme implementation 5d44f67aafb Properly zeroize ML-KEM z and d values b637fbe781a Add a test for calling SSL_accept() on a listener cb5bb8916fa Fix errors on SSL_accept() and SSL_get_error() fb555eb7a1d Fix BIO_printf formatting for negative numbers formatted with %e b83b67fe595 docs: update OSSL_PARAM_int documentation 0efc439a3be Improved error message for X509_V_ERR_CERT_NOT_YET_VALID f492649b990 Fix default pkey(1) DER output 8f99bcdbb80 Advertize signature setting in settable_ctx fn dfc03679f51 Add test for ML-DSA sig/ver message update 341f1b7f705 Add ml_dsa msg_update functions to provider code 5c16db8cdcd Make public ml_dsa_mu_.. 
helpers 90f0137453a Split the ML-DSA internal sigver functions 58dfbe34e1b Fix EVP_PKEY_verify man page f9879c864e3 Fix mldsa'a msg_inits operation type 56910e72113 Fix URL parsing to handle missing ports and ISO 8601 timestamps in paths bab1e882a99 s390x: Add new machine generation z17 9eb2c13432a Typo in TLS introduction 1ad186986c8 Replace ilammy/setup-nasm with nasm install from choco 871182d29dc Document SSL_CTX_set_min_proto_version defaults 7d14d1c46a6 provider-signature.pod: fix typos (digeset -> digest) 23e3b3c0c5d provider-signature.pod: fix doc of OSSL_SIGNATURE_PARAM_ALGORITHM_ID, describing its relevance b13b8eb95e7 ASN1_item_sign.pod: fix description of the algor1, algor2, and signature in/out-parameters 727117960c0 test: test for setting hkdf salt to null 12eb6c58ff2 hkdf: allow salt to be set to null ac01b9a9fdd params: refactor some of the param helper code fad8c04dedb commands: fix parameter value output 6f26301c83b Fix fips provider compatibility regression 29eb7e0689b Serialize install process to avoid multiple make depend operations 5857bdbb766 80-test_cms.t: Add test case for verification of multiple signatures ada231523f6 Fix OSSL_FUNC_keymgmt_load declaration in man7/provider-keymgmt 8419baf3122 Fix winstore provider to work with recent decoder changes a0ff819e537 Fix silent error in EVP_CIPHER_CTX_get_updated_iv. 418609e115b Test that there is no silent error in EVP_CIPHER_CTX_get_updated_iv in evp_test 24bc185439a Remove unused assembly function OPENSSL_wipe_cpu 86a6d1f9b45 Document update for keys.txt f014892d9f0 Point to new docs location de67f90815f Fix duplicate cipher definition in ssl/t1_trce.c 3c22da73465 Fix EVP_PKEY_CTX_dup() so that it copies the keymanager. cb3fde9728b Update cms_pwri.c 4f81470afad Fix PKCS7_sign and CMS_sign default hash documentation 6509f18c9fd Updated the change log to include SSLv3 being disabled by default. 
51d194483ee added deprecated note to OPENSSL_instrument_bus docs 7e53ffa1442 rio: add RIO_POLL_METHOD_NONE 44e9c5a3edd hashfunc: add stddef.h include 57f94478060 crypto: disable OSSL_PARAM_REAL on UEFI d890ad2b96e Remove DAYS argument ee52d7d327e Prevent CI jobs with secrets from running in forks 28de1f5004c Fix potential NULL pointer dereference in final_maxfragmentlen() 1a81d509a00 Fix test failures on big endian ARMv9 target 7f6cc862c69 ssl/ssl_lib.c: Avoid crash when SSL_CONNECTION is NULL 8f06efe234c crypto/ui/ui_lib.c: Add OPENSSL_free to avoid memory leaks 7bf52a6f6f0 fixed multiline output bug in crl command, ensuring use of global variable to set changes 03541d7302d Add SSL_CTX_set_ec_point_formats() and SSL_set_ec_point_formats() 24f32f14e96 Implement AES-CBC-HMAC-SHA512 on aarch64 86408fa8de6 Implement interleaving aes-cbc-hmac-sha on aarch64 44af96b9c57 Add a test for calling SSL_accept() on an accepted connection 6d8e516e087 Document the state of the object you get from SSL_accept_connection() 38bf6f3036d Fix SSL_accept() 8d2e4d6d8c9 Implement i2d_PKCS8PrivateKey 85a8eba5676 Test that SSL_poll does not report a stream as writable if it isn't 4efd1a26822 Prevent SSL_poll from reporting a stream as writeable if it isn't 172076029c0 Revert "Temporarily disable gost-engine tests in ci" ae139648872 up…
1 parent 093285c commit 7b21e5a

File tree

1,241 files changed

+51039
-11547
lines changed

.ctags.d/langmap.ctags

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
#
2+
# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
3+
#
4+
# Licensed under the Apache License 2.0 (the "License"). You may not use
5+
# this file except in compliance with the License. You can obtain a copy
6+
# in the file LICENSE in the source distribution or at
7+
# https://www.openssl.org/source/license.html
8+
#
9+
10+
--langmap=C:+.h
11+
--langmap=C:+.inc

.github/workflows/backport.yml

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
2+
#
3+
# Licensed under the Apache License 2.0 (the "License"). You may not use
4+
# this file except in compliance with the License. You can obtain a copy
5+
# in the file LICENSE in the source distribution or at
6+
# https://www.openssl.org/source/license.html
7+
8+
name: Backports CI
9+
10+
on: [pull_request]
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
check_backports:
17+
strategy:
18+
fail-fast: false
19+
matrix:
20+
release: [
21+
{
22+
branch: '3.6',
23+
cppflags: ''
24+
}, {
25+
branch: '3.5',
26+
cppflags: 'CPPFLAGS=-ansi'
27+
}, {
28+
branch: '3.4',
29+
cppflags: 'CPPFLAGS=-ansi'
30+
}, {
31+
branch: '3.3',
32+
cppflags: 'CPPFLAGS=-ansi',
33+
}, {
34+
branch: '3.2',
35+
cppflags: 'CPPFLAGS=-ansi'
36+
}, {
37+
branch: '3.0',
38+
cppflags: 'CPPFLAGS=-ansi'
39+
}
40+
]
41+
runs-on: ubuntu-latest
42+
steps:
43+
- uses: actions/checkout@v4
44+
if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
45+
with:
46+
ref: ${{ github.event.pull_request.head.sha }}
47+
fetch-depth: 0
48+
- name: cherry-pick
49+
if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
50+
run: |
51+
REFEND=$(git rev-parse HEAD)
52+
REFSTART=$(git rev-parse $REFEND~${{ github.event.pull_request.commits }})
53+
git checkout ${{ format('openssl-{0}', matrix.release.branch) }}
54+
git config user.name "OpenSSL Machine"
55+
git config user.email "openssl-machine@openssl.org"
56+
echo Cherry-picking $REFSTART..$REFEND
57+
git cherry-pick $REFSTART..$REFEND
58+
- name: config
59+
if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
60+
run: ${{ matrix.release.cppflags }} ./config --strict-warnings --banner=Configured no-asm enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
61+
- name: make
62+
if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
63+
run: make -s -j4
64+
- name: make test
65+
if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
66+
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
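Review bot: the step conditions at new lines 44, 49, 59, 62 and 65 use `contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch)`, which is a substring test over the joined label string, so any label whose text merely contains `3.0` or `3.5` selects that branch's cherry-pick and build. Calling `contains()` directly on the `labels.*.name` array with the full label name would turn this into an exact membership test. Smaller points in the same hunk: the `config` step at line 60 passes `--strict-warnings` to `./config` twice, the `3.3` matrix entry at line 32 is the only one with a trailing comma after `cppflags`, and `actions/checkout@v4` at line 43 is pinned to a movable tag rather than a commit SHA in a workflow that checks out and builds pull-request code.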

.github/workflows/build_quic_interop_container.yml

Lines changed: 24 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
name: "Build openssl interop container from master"
1+
name: "Build openssl interop containers"
22

33
on:
44
schedule:
@@ -7,11 +7,10 @@ on:
77

88
jobs:
99
update_quay_container:
10+
if: github.repository == 'openssl/openssl'
1011
runs-on: ubuntu-latest
1112
steps:
1213
- uses: actions/checkout@v4
13-
with:
14-
fetch-depth: 0
1514
- name: "log in to quay.io"
1615
run: |
1716
docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
@@ -23,3 +22,25 @@ jobs:
2322
run: |
2423
docker push quay.io/openssl-ci/openssl-quic-interop:latest
2524
25+
update_msquic_quay_container:
26+
if: github.repository == 'openssl/openssl'
27+
runs-on: ubuntu-latest
28+
steps:
29+
- uses: actions/checkout@v4
30+
with:
31+
repository: microsoft/msquic
32+
ref: main
33+
submodules: recursive
34+
- name: "log in to quay.io"
35+
run: |
36+
docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
37+
- name: Patch qns.Dockerfile
38+
run: |
39+
sed -i 's/RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on ../RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl ../' ./scripts/qns.Dockerfile
40+
if grep -q "RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl .." ./scripts/qns.Dockerfile; then echo "Patched successfully"; else exit 1; fi
41+
- name: "Build container"
42+
run: |
43+
docker build -f ./scripts/qns.Dockerfile -t quay.io/openssl-ci/msquic-openssl:latest .
44+
- name: "Push to quay"
45+
run: |
46+
docker push quay.io/openssl-ci/msquic-openssl:latest
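Review bot: the new `update_msquic_quay_container` job (lines 25 to 46) checks out `microsoft/msquic` at `ref: main` with `submodules: recursive` and pushes the result as `quay.io/openssl-ci/msquic-openssl:latest`, so whatever is on that third-party branch when the schedule fires is built and published under the project's quay.io account; pinning `ref` to a reviewed tag or commit would make the published image reproducible and reviewable. The `log in to quay.io` step at lines 34 to 36 also runs before the patch and build steps and passes `${{ secrets.QUAY_IO_PASSWORD }}` with `-p` on the command line; moving the login to just before `docker push` and supplying the password through `--password-stdin` from an `env:` variable keeps the credential out of the process arguments and out of the runner's Docker config while external code is being built.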
