Move the Handshake read secret change earlier in the process for QUIC 0-RTT

On the server side we were changing the handshake rx secret a little late.
This meant the application was forced to call SSL_do_handshake() again
even if there was nothing to read in order to get the secret. We move it
a little earlier int the process to avoid this.

Fixes the issue described in:
https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27101)

(cherry picked from commit 95051052b3)

.github/workflows/cross-compiles.yml

@@ -103,10 +103,7 @@ jobs:
           }, {
             arch: powerpc64le-linux-gnu,
             libs: libc6-dev-ppc64el-cross,
-            # The default compiler for this platform on Ubuntu 20.04 seems
-            # buggy and causes test failures. Dropping the optimisation level
-            # resolves it.
-            target: -O2 linux-ppc64le,
+            target: linux-ppc64le,
             fips: no
           }, {
             arch: riscv64-linux-gnu,

.github/workflows/make-release.yml

@@ -38,4 +38,5 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
       run: |
         VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
-        gh release create ${{ github.ref_name }} -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
+        PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
+        gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*

.github/workflows/run_quic_interop.yml

@@ -12,6 +12,9 @@ jobs:
       matrix:
         tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
         servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
+        exclude:
+          - servers: msquic
+            tests: retry
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
@@ -39,7 +42,7 @@ jobs:
     strategy:
       matrix:
         tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
-        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl]
+        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome]
         exclude:
           - clients: mvfst
             tests: amplificationlimit

VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=5
 PATCH=0
-PRE_RELEASE_TAG=dev
+PRE_RELEASE_TAG=alpha2-dev
 BUILD_METADATA=
 RELEASE_DATE=""
 SHLIB_VERSION=3

apps/cms.c

@@ -1011,7 +1011,7 @@ int cms_main(int argc, char **argv)
                 goto end;
 
             pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-            if (kparam != NULL) {
+            if (pctx != NULL && kparam != NULL) {
                 if (!cms_set_pkey_param(pctx, kparam->param))
                     goto end;
             }

apps/ocsp.c

@@ -1049,6 +1049,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
     }
 
     bs = OCSP_BASICRESP_new();
+    if (bs == NULL) {
+        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
+        goto end;
+    }
     thisupd = X509_gmtime_adj(NULL, 0);
     if (ndays != -1)
         nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);

crypto/aes/asm/aesni-xts-avx512.pl

@@ -36,7 +36,7 @@ die "can't locate x86_64-xlate.pl";
 
 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
         =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-    $avx512vaes = ($1>=2.26);
+    $avx512vaes = ($1>=2.30);
 }
 
 if (!$avx512vaes && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&

crypto/asn1/p8_pkey.c

@@ -17,11 +17,25 @@
 static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
                    void *exarg)
 {
-    /* Since the structure must still be valid use ASN1_OP_FREE_PRE */
-    if (operation == ASN1_OP_FREE_PRE) {
-        PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
+    PKCS8_PRIV_KEY_INFO *key;
+    int version;
+
+    switch (operation) {
+    case ASN1_OP_FREE_PRE:
+        /* The structure is still valid during ASN1_OP_FREE_PRE */
+        key = (PKCS8_PRIV_KEY_INFO *)*pval;
         if (key->pkey)
             OPENSSL_cleanse(key->pkey->data, key->pkey->length);
+        break;
+    case ASN1_OP_D2I_POST:
+        /* Insist on a valid version now that the structure is decoded */
+        key = (PKCS8_PRIV_KEY_INFO *)*pval;
+        version = ASN1_INTEGER_get(key->version);
+        if (version < 0 || version > 1)
+            return 0;
+        if (version == 0 && key->kpub != NULL)
+            return 0;
+        break;
     }
     return 1;
 }
@@ -30,7 +44,8 @@ ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
         ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
         ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
         ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING),
-        ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
+        ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0),
+        ASN1_IMP_OPT(PKCS8_PRIV_KEY_INFO, kpub, ASN1_BIT_STRING, 1)
 } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 
 IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
@@ -40,6 +55,9 @@ int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
                     int ptype, void *pval, unsigned char *penc, int penclen)
 {
     if (version >= 0) {
+        /* We only support PKCS#8 v1 (0) and v2 (1). */
+        if (version > 1)
+            return 0;
         if (!ASN1_INTEGER_set(priv->version, version))
             return 0;
     }

crypto/bn/bn_ppc.c

@@ -41,12 +41,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
      */
 
 #if defined(_ARCH_PPC64) && !defined(__ILP32__)
+    /* Minerva side-channel fix danny */
+# if defined(USE_FIXED_N6)
     if (num == 6) {
         if (OPENSSL_ppccap_P & PPC_MADD300)
             return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
         else
             return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
     }
+# endif
 #endif
 
     return bn_mul_mont_int(rp, ap, bp, np, n0, num);

crypto/cms/cms_lib.c

@@ -14,6 +14,7 @@
 #include <openssl/bio.h>
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
+#include <openssl/core_names.h>
 #include "internal/sizes.h"
 #include "internal/cryptlib.h"
 #include "crypto/x509.h"
@@ -407,6 +408,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
     const EVP_MD *digest = NULL;
     EVP_MD *fetched_digest = NULL;
     char alg[OSSL_MAX_NAME_SIZE];
+    size_t xof_len = 0;
 
     X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
     OBJ_obj2txt(alg, sizeof(alg), digestoid, 0);
@@ -431,6 +433,24 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
         ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR);
         goto err;
     }
+    if (EVP_MD_xof(digest)) {
+        if (EVP_MD_is_a(digest, SN_shake128))
+            xof_len = 32;
+        else if (EVP_MD_is_a(digest, SN_shake256))
+            xof_len = 64;
+        if (xof_len > 0) {
+            EVP_MD_CTX *mdctx;
+            OSSL_PARAM params[2];
+
+            if (BIO_get_md_ctx(mdbio, &mdctx) <= 0 || mdctx == NULL)
+                goto err;
+            params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN,
+                                                    &xof_len);
+            params[1] = OSSL_PARAM_construct_end();
+            if (!EVP_MD_CTX_set_params(mdctx, params))
+                goto err;
+        }
+    }
     EVP_MD_free(fetched_digest);
     return mdbio;
  err:

crypto/ec/ecp_nistp384.c

@@ -252,6 +252,16 @@ static void felem_neg(felem out, const felem in)
     out[6] = two60m4 - in[6];
 }
 
+#if defined(ECP_NISTP384_ASM)
+void p384_felem_diff64(felem out, const felem in);
+void p384_felem_diff128(widefelem out, const widefelem in);
+void p384_felem_diff_128_64(widefelem out, const felem in);
+
+# define felem_diff64           p384_felem_diff64
+# define felem_diff128          p384_felem_diff128
+# define felem_diff_128_64      p384_felem_diff_128_64
+
+#else
 /*-
  * felem_diff64 subtracts |in| from |out|
  * On entry:
@@ -369,6 +379,7 @@ static void felem_diff128(widefelem out, const widefelem in)
     for (i = 0; i < 2*NLIMBS-1; i++)
         out[i] -= in[i];
 }
+#endif /* ECP_NISTP384_ASM */
 
 static void felem_square_ref(widefelem out, const felem in)
 {
@@ -503,7 +514,7 @@ static void felem_mul_ref(widefelem out, const felem in1, const felem in2)
  * [3]: Y = 2^48 (acc[6] >> 48)
  * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d)
  */
-static void felem_reduce(felem out, const widefelem in)
+static void felem_reduce_ref(felem out, const widefelem in)
 {
     /*
      * In order to prevent underflow, we add a multiple of p before subtracting.
@@ -682,8 +693,11 @@ static void (*felem_square_p)(widefelem out, const felem in) =
 static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
     felem_mul_wrapper;
 
+static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
+
 void p384_felem_square(widefelem out, const felem in);
 void p384_felem_mul(widefelem out, const felem in1, const felem in2);
+void p384_felem_reduce(felem out, const widefelem in);
 
 # if defined(_ARCH_PPC64)
 #  include "crypto/ppc_arch.h"
@@ -695,6 +709,7 @@ static void felem_select(void)
     if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
         felem_square_p = p384_felem_square;
         felem_mul_p = p384_felem_mul;
+        felem_reduce_p = p384_felem_reduce;
 
         return;
     }
@@ -703,6 +718,7 @@ static void felem_select(void)
     /* Default */
     felem_square_p = felem_square_ref;
     felem_mul_p = felem_mul_ref;
+    felem_reduce_p = p384_felem_reduce;
 }
 
 static void felem_square_wrapper(widefelem out, const felem in)
@@ -719,10 +735,17 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
 
 # define felem_square felem_square_p
 # define felem_mul felem_mul_p
+# define felem_reduce felem_reduce_p
+
+void p384_felem_square_reduce(felem out, const felem in);
+void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
+
+# define felem_square_reduce p384_felem_square_reduce
+# define felem_mul_reduce p384_felem_mul_reduce
 #else
 # define felem_square felem_square_ref
 # define felem_mul felem_mul_ref
-#endif
+# define felem_reduce felem_reduce_ref
 
 static ossl_inline void felem_square_reduce(felem out, const felem in)
 {
@@ -739,6 +762,7 @@ static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem
     felem_mul(tmp, in1, in2);
     felem_reduce(out, tmp);
 }
+#endif
 
 /*-
  * felem_inv calculates |out| = |in|^{-1}

crypto/evp/ctrl_params_translate.c

@@ -2895,11 +2895,15 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
 
 int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
 {
+    if (ctx->keymgmt != NULL)
+        return 0;
     return evp_pkey_ctx_setget_params_to_ctrl(ctx, SET, (OSSL_PARAM *)params);
 }
 
 int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
 {
+    if (ctx->keymgmt != NULL)
+        return 0;
     return evp_pkey_ctx_setget_params_to_ctrl(ctx, GET, params);
 }
 

crypto/evp/exchange.c

@@ -442,7 +442,10 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
      */
     if (provkey == NULL)
         goto legacy;
-    return ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
+    ret = ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
+    if (ret <= 0)
+        return ret;
+    goto common;
 
  legacy:
 #ifdef FIPS_MODULE
@@ -497,6 +500,9 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
     ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
     if (ret <= 0)
         return ret;
+#endif
+
+ common:
     if (!EVP_PKEY_up_ref(peer))
         return -1;
 
@@ -504,7 +510,6 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
     ctx->peerkey = peer;
 
     return 1;
-#endif
 }
 
 int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)

crypto/evp/pmeth_lib.c

@@ -701,8 +701,9 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
                 ctx->op.encap.kem->set_ctx_params(ctx->op.encap.algctx,
                                                   params);
         break;
-#ifndef FIPS_MODULE
     case EVP_PKEY_STATE_UNKNOWN:
+        break;
+#ifndef FIPS_MODULE
     case EVP_PKEY_STATE_LEGACY:
         return evp_pkey_ctx_set_params_to_ctrl(ctx, params);
 #endif
@@ -745,8 +746,9 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
                 evp_keymgmt_gen_get_params(ctx->keymgmt, ctx->op.keymgmt.genctx,
                                            params);
         break;
-#ifndef FIPS_MODULE
     case EVP_PKEY_STATE_UNKNOWN:
+        break;
+#ifndef FIPS_MODULE
     case EVP_PKEY_STATE_LEGACY:
         return evp_pkey_ctx_get_params_to_ctrl(ctx, params);
 #endif

crypto/threads_pthread.c

@@ -217,13 +217,12 @@ struct rcu_lock_st {
     /* The context we are being created against */
     OSSL_LIB_CTX *ctx;
 
-    /* rcu generation counter for in-order retirement */
-    uint32_t id_ctr;
-
-    /* TODO: can be moved before id_ctr for better alignment */
     /* Array of quiescent points for synchronization */
     struct rcu_qp *qp_group;
 
+    /* rcu generation counter for in-order retirement */
+    uint32_t id_ctr;
+
     /* Number of elements in qp_group array */
     uint32_t group_count;
 
@@ -262,6 +261,8 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
 
     /* get the current qp index */
     for (;;) {
+        qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_RELAXED);
+
         /*
          * Notes on use of __ATOMIC_ACQUIRE
          * We need to ensure the following:
@@ -272,10 +273,7 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
          * of the lock is flushed from a local cpu cache so that we see any
          * updates prior to the load.  This is a non-issue on cache coherent
          * systems like x86, but is relevant on other arches
-         * Note: This applies to the reload below as well
          */
-        qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_ACQUIRE);
-
         ATOMIC_ADD_FETCH(&lock->qp_group[qp_idx].users, (uint64_t)1,
                          __ATOMIC_ACQUIRE);
 
@@ -408,6 +406,13 @@ static struct rcu_qp *update_qp(CRYPTO_RCU_LOCK *lock, uint32_t *curr_id)
     ATOMIC_STORE_N(uint32_t, &lock->reader_idx, lock->current_alloc_idx,
                    __ATOMIC_RELAXED);
 
+    /*
+     * this should make sure that the new value of reader_idx is visible in
+     * get_hold_current_qp, directly after incrementing the users count
+     */
+    ATOMIC_ADD_FETCH(&lock->qp_group[current_idx].users, (uint64_t)0,
+                     __ATOMIC_RELEASE);
+
     /* wake up any waiters */
     pthread_cond_signal(&lock->alloc_signal);
     pthread_mutex_unlock(&lock->alloc_lock);
@@ -422,10 +427,8 @@ static void retire_qp(CRYPTO_RCU_LOCK *lock, struct rcu_qp *qp)
     pthread_mutex_unlock(&lock->alloc_lock);
 }
 
-/* TODO: count should be unsigned, e.g uint32_t */
-/* a negative value could result in unexpected behaviour */
 static struct rcu_qp *allocate_new_qp_group(CRYPTO_RCU_LOCK *lock,
-                                            int count)
+                                            uint32_t count)
 {
     struct rcu_qp *new =
         OPENSSL_zalloc(sizeof(*new) * count);
@@ -471,6 +474,8 @@ void ossl_synchronize_rcu(CRYPTO_RCU_LOCK *lock)
      * prior __ATOMIC_RELEASE write operation in ossl_rcu_read_unlock
      * is visible prior to our read
      * however this is likely just necessary to silence a tsan warning
+     * because the read side should not do any write operation
+     * outside the atomic itself
      */
     do {
         count = ATOMIC_LOAD_N(uint64_t, &qp->users, __ATOMIC_ACQUIRE);
@@ -527,10 +532,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
     struct rcu_lock_st *new;
 
     /*
-     * We need a minimum of 3 qp's
+     * We need a minimum of 2 qp's
      */
-    if (num_writers < 3)
-        num_writers = 3;
+    if (num_writers < 2)
+        num_writers = 2;
 
     ctx = ossl_lib_ctx_get_concrete(ctx);
     if (ctx == NULL)
@@ -546,8 +551,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
     pthread_mutex_init(&new->alloc_lock, NULL);
     pthread_cond_init(&new->prior_signal, NULL);
     pthread_cond_init(&new->alloc_signal, NULL);
-    /* By default our first writer is already alloced */
-    new->writers_alloced = 1;
 
     new->qp_group = allocate_new_qp_group(new, num_writers);
     if (new->qp_group == NULL) {

crypto/threads_win.c

@@ -83,13 +83,12 @@ struct rcu_lock_st {
     /* The context we are being created against */
     OSSL_LIB_CTX *ctx;
 
-    /* rcu generation counter for in-order retirement */
-    uint32_t id_ctr;
-
-    /* TODO: can be moved before id_ctr for better alignment */
     /* Array of quiescent points for synchronization */
     struct rcu_qp *qp_group;
 
+    /* rcu generation counter for in-order retirement */
+    uint32_t id_ctr;
+
     /* Number of elements in qp_group array */
     uint32_t group_count;
 
@@ -124,10 +123,8 @@ struct rcu_lock_st {
     CRYPTO_RWLOCK *rw_lock;
 };
 
-/* TODO: count should be unsigned, e.g uint32_t */
-/* a negative value could result in unexpected behaviour */
 static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock,
-                                            int count)
+                                            uint32_t count)
 {
     struct rcu_qp *new =
         OPENSSL_zalloc(sizeof(*new) * count);
@@ -141,10 +138,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
     struct rcu_lock_st *new;
 
     /*
-     * We need a minimum of 3 qps
+     * We need a minimum of 2 qps
      */
-    if (num_writers < 3)
-        num_writers = 3;
+    if (num_writers < 2)
+        num_writers = 2;
 
     ctx = ossl_lib_ctx_get_concrete(ctx);
     if (ctx == NULL)
@@ -163,8 +160,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
     new->alloc_lock = ossl_crypto_mutex_new();
     new->prior_lock = ossl_crypto_mutex_new();
     new->qp_group = allocate_new_qp_group(new, num_writers);
-    /* By default the first qp is already alloced */
-    new->writers_alloced = 1;
     if (new->qp_group == NULL
         || new->alloc_signal == NULL
         || new->prior_signal == NULL

doc/man7/EVP_PKEY-ML-DSA.pod

@@ -285,7 +285,7 @@ L<provider-keymgmt(7)>,
 L<EVP_PKEY_get_raw_private_key(3)>,
 L<EVP_PKEY_get_raw_public_key(3)>,
 L<EVP_PKEY_get1_encoded_public_key(3)>,
-LOSSL_PROVIDER_add_conf_parameter(3)>,
+L<OSSL_PROVIDER_add_conf_parameter(3)>,
 L<provider-keymgmt(7)>,
 L<EVP_SIGNATURE-ML-DSA(7)>
 

doc/man7/EVP_PKEY-ML-KEM.pod

@@ -305,7 +305,7 @@ L<EVP_PKEY(3)>,
 L<EVP_PKEY_get_raw_private_key(3)>,
 L<EVP_PKEY_get_raw_public_key(3)>,
 L<EVP_PKEY_get1_encoded_public_key(3)>,
-LOSSL_PROVIDER_add_conf_parameter(3)>,
+L<OSSL_PROVIDER_add_conf_parameter(3)>,
 L<provider-keymgmt(7)>,
 L<EVP_KEM-ML-KEM(7)>
 

doc/man7/provider-base.pod

@@ -977,6 +977,12 @@ L<provider(7)>
 The concept of providers and everything surrounding them was
 introduced in OpenSSL 3.0.
 
+Definitions for
+B<OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS>
+and
+B<OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS>
+were added in OpenSSL 3.5.
+
 =head1 COPYRIGHT
 
 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man7/provider-digest.pod

@@ -94,7 +94,8 @@ macros in L<openssl-core_dispatch.h(7)>, as follows:
 
 A digest algorithm implementation may not implement all of these functions.
 In order to be usable all or none of OSSL_FUNC_digest_newctx, OSSL_FUNC_digest_freectx,
-OSSL_FUNC_digest_init, OSSL_FUNC_digest_update and OSSL_FUNC_digest_final should be implemented.
+OSSL_FUNC_digest_init, OSSL_FUNC_digest_update, OSSL_FUNC_digest_final
+and OSSL_FUNC_digest_get_params should be implemented.
 All other functions are optional.
 
 =head2 Context Management Functions

include/crypto/x509.h

@@ -292,6 +292,7 @@ struct pkcs8_priv_key_info_st {
     X509_ALGOR *pkeyalg;
     ASN1_OCTET_STRING *pkey;
     STACK_OF(X509_ATTRIBUTE) *attributes;
+    ASN1_OCTET_STRING *kpub;
 };
 
 struct X509_sig_st {

include/internal/sockets.h

@@ -98,7 +98,6 @@ typedef size_t socklen_t;        /* Currently appears to be missing on VMS */
 #   include <in.h>
 #   include <inet.h>
 #  else
-#   include <poll.h>
 #   include <sys/socket.h>
 #   if !defined(NO_SYS_UN_H) && defined(AF_UNIX) && !defined(OPENSSL_NO_UNIX_SOCK)
 #    include <sys/un.h>

include/internal/ssl.h

@@ -20,5 +20,7 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err);
 
 /* Set if this is the QUIC handshake layer */
 # define TLS1_FLAGS_QUIC                         0x2000
+/* Set if this is our QUIC handshake layer */
+# define TLS1_FLAGS_QUIC_INTERNAL                0x4000
 
 #endif

include/internal/statem.h

@@ -26,6 +26,8 @@ typedef enum {
     WORK_FINISHED_STOP,
     /* We're done working move onto the next thing */
     WORK_FINISHED_CONTINUE,
+    /* We're done writing, start reading (or vice versa) */
+    WORK_FINISHED_SWAP,
     /* We're working on phase A */
     WORK_MORE_A,
     /* We're working on phase B */

include/openssl/ssl3.h

@@ -308,6 +308,7 @@ extern "C" {
 # define TLS1_FLAGS_REQUIRED_EXTMS               0x1000
 
 /* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */
+/* 0x4000 is reserved for TLS1_FLAGS_QUIC_INTERNAL (internal) */
 
 # define SSL3_MT_HELLO_REQUEST                   0
 # define SSL3_MT_CLIENT_HELLO                    1

providers/implementations/keymgmt/ecx_kmgmt.c

@@ -359,7 +359,6 @@ static const OSSL_PARAM ecx_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
-    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
     ECX_KEY_TYPES(),
     OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
@@ -370,6 +369,7 @@ static const OSSL_PARAM ed_gettable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
     OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
     ECX_KEY_TYPES(),
     OSSL_PARAM_END
 };

ssl/quic/quic_impl.c

@@ -583,7 +583,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
     }
 
     /* override the user_ssl of the inner connection */
-    sc->s3.flags |= TLS1_FLAGS_QUIC;
+    sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     /* Restrict options derived from the SSL_CTX. */
     sc->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
@@ -4436,7 +4436,7 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
         goto err;
     }
-    sc->s3.flags |= TLS1_FLAGS_QUIC;
+    sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     qc->default_ssl_options = OSSL_QUIC_PERMITTED_OPTIONS;
     qc->last_error = SSL_ERROR_NONE;

ssl/quic/quic_port.c

@@ -490,7 +490,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
         }
 
     /* Override the user_ssl of the inner connection. */
-    tls_conn->s3.flags      |= TLS1_FLAGS_QUIC;
+    tls_conn->s3.flags      |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
 
     /* Restrict options derived from the SSL_CTX. */
     tls_conn->options       &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;

ssl/quic/quic_tls.c

@@ -423,18 +423,15 @@ static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
         return OSSL_RECORD_RETURN_FATAL;
     }
 
-    rl->recunreleased -= length;
-
-    if (rl->recunreleased > 0)
-        return OSSL_RECORD_RETURN_SUCCESS;
-
-    if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
-                                              rl->qtls->args.crypto_release_rcd_cb_arg)) {
-        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-        return OSSL_RECORD_RETURN_FATAL;
+    if (rl->recunreleased == length) {
+        if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
+                                                  rl->qtls->args.crypto_release_rcd_cb_arg)) {
+            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+            return OSSL_RECORD_RETURN_FATAL;
+        }
+        rl->recread = 0;
     }
-
-    rl->recread = 0;
+    rl->recunreleased -= length;
     return OSSL_RECORD_RETURN_SUCCESS;
 }
 
@@ -711,10 +708,21 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
 int ossl_quic_tls_configure(QUIC_TLS *qtls)
 {
     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
+    BIO *nullbio;
 
     if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
         return RAISE_INTERNAL_ERROR(qtls);
 
+    nullbio = BIO_new(BIO_s_null());
+    if (nullbio == NULL)
+        return RAISE_INTERNAL_ERROR(qtls);
+
+    /*
+     * Our custom record layer doesn't use the BIO - but libssl generally
+     * expects one to be present.
+     */
+    SSL_set_bio(qtls->args.s, nullbio, nullbio);
+
     SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
     ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
 
@@ -771,7 +779,6 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
     if (!qtls->configured) {
         SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
         SSL_CTX *sctx;
-        BIO *nullbio;
 
         if (sc == NULL)
             return RAISE_INTERNAL_ERROR(qtls);
@@ -795,15 +802,7 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
         if (!ossl_quic_tls_configure(qtls))
             return RAISE_INTERNAL_ERROR(qtls);
 
-        nullbio = BIO_new(BIO_s_null());
-        if (nullbio == NULL)
-            return RAISE_INTERNAL_ERROR(qtls);
-
-        /*
-         * Our custom record layer doesn't use the BIO - but libssl generally
-         * expects one to be present.
-         */
-        SSL_set_bio(qtls->args.s, nullbio, nullbio);
+        sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
 
         if (qtls->args.is_server)
             SSL_set_accept_state(qtls->args.s);

ssl/s3_lib.c

@@ -3498,7 +3498,7 @@ int ssl3_clear(SSL *s)
      * NULL/zero-out everything in the s3 struct, but remember if we are doing
      * QUIC.
      */
-    flags = sc->s3.flags & TLS1_FLAGS_QUIC;
+    flags = sc->s3.flags & (TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL);
     memset(&sc->s3, 0, sizeof(sc->s3));
     sc->s3.flags |= flags;
 

ssl/ssl_lib.c

@@ -1428,11 +1428,10 @@ void SSL_free(SSL *s)
         return;
     REF_ASSERT_ISNT(i < 0);
 
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-
     if (s->method != NULL)
         s->method->ssl_free(s);
 
+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
     SSL_CTX_free(s->ctx);
     CRYPTO_THREAD_lock_free(s->lock);
     CRYPTO_FREE_REF(&s->references);
@@ -1448,15 +1447,17 @@ void ossl_ssl_connection_free(SSL *ssl)
     if (s == NULL)
         return;
 
+    /*
+     * Ignore return values. This could result in user callbacks being called
+     * e.g. for the QUIC TLS record layer. So we do this early before we have
+     * freed other things.
+     */
+    ssl_free_wbio_buffer(s);
+    RECORD_LAYER_clear(&s->rlayer);
+
     X509_VERIFY_PARAM_free(s->param);
     dane_final(&s->dane);
 
-    /* Ignore return value */
-    ssl_free_wbio_buffer(s);
-
-    /* Ignore return value */
-    RECORD_LAYER_clear(&s->rlayer);
-
     BUF_MEM_free(s->init_buf);
 
     /* add extra stuff */
@@ -4967,12 +4968,6 @@ int SSL_do_handshake(SSL *s)
         }
     }
 
-    if (ret == 1 && SSL_IS_QUIC_HANDSHAKE(sc) && !SSL_is_init_finished(s)) {
-        sc->rwstate = SSL_READING;
-        BIO_clear_retry_flags(SSL_get_rbio(s));
-        BIO_set_retry_read(SSL_get_rbio(s));
-        ret = 0;
-    }
     return ret;
 }
 

ssl/ssl_local.h

@@ -315,6 +315,7 @@
 # define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
 
 # define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)
+# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0)
 
 /* no end of early data */
 # define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s)

ssl/statem/statem.c

@@ -244,15 +244,6 @@ int ossl_statem_skip_early_data(SSL_CONNECTION *s)
  */
 int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending)
 {
-    int i = SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ;
-
-    if (s->server && SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
-        && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING
-            && s->statem.hand_state == TLS_ST_EARLY_DATA) {
-        s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
-        if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, i))
-            return 0;
-    }
     if (sending == -1) {
         if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
                 || s->statem.hand_state == TLS_ST_EARLY_DATA) {
@@ -737,6 +728,7 @@ static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s)
                 st->read_state = READ_STATE_HEADER;
                 break;
 
+            case WORK_FINISHED_SWAP:
             case WORK_FINISHED_STOP:
                 if (SSL_CONNECTION_IS_DTLS(s)) {
                     dtls1_stop_timer(s);
@@ -882,6 +874,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
                 st->write_state = WRITE_STATE_SEND;
                 break;
 
+            case WORK_FINISHED_SWAP:
+                return SUB_STATE_FINISHED;
+
             case WORK_FINISHED_STOP:
                 return SUB_STATE_END_HANDSHAKE;
             }
@@ -955,6 +950,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
                 st->write_state = WRITE_STATE_TRANSITION;
                 break;
 
+            case WORK_FINISHED_SWAP:
+                return SUB_STATE_FINISHED;
+
             case WORK_FINISHED_STOP:
                 return SUB_STATE_END_HANDSHAKE;
             }

ssl/statem/statem_clnt.c

@@ -573,7 +573,8 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s)
         return WRITE_TRAN_CONTINUE;
 
     case TLS_ST_CW_CLNT_HELLO:
-        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
+        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
+                && !SSL_IS_QUIC_HANDSHAKE(s)) {
             /*
              * We are assuming this is a TLSv1.3 connection, although we haven't
              * actually selected a version yet.

ssl/statem/statem_srvr.c

@@ -839,6 +839,21 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
         if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
                 && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
             return WORK_FINISHED_CONTINUE;
+
+        /*
+         * In QUIC with 0-RTT we just carry on when otherwise we would stop
+         * to allow the server to read early data
+         */
+        if (SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
+            && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING) {
+            s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
+            if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE
+                                                               | SSL3_CHANGE_CIPHER_SERVER_READ)) {
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+                return WORK_ERROR;
+            }
+            return WORK_FINISHED_SWAP;
+        }
         /* Fall through */
 
     case TLS_ST_OK:

ssl/t1_lib.c

@@ -2874,7 +2874,7 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
     if (s->s3.tmp.max_ver == 0)
         return 1;
 
-    if (SSL_IS_QUIC_HANDSHAKE(s))
+    if (SSL_IS_QUIC_INT_HANDSHAKE(s))
         /* For QUIC, only allow these ciphersuites. */
         switch (SSL_CIPHER_get_id(c)) {
         case TLS1_3_CK_AES_128_GCM_SHA256:

test/evp_extra_test.c

@@ -459,7 +459,7 @@ static const unsigned char kSignature[] = {
 };
 
 /*
- * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
+ * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v1
  * PrivateKeyInfo.
  */
 static const unsigned char kExampleRSAKeyPKCS8[] = {
@@ -518,6 +518,79 @@ static const unsigned char kExampleRSAKeyPKCS8[] = {
     0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
 };
 
+/*
+ * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v2
+ * PrivateKeyInfo (with an optional public key).
+ */
+static const unsigned char kExampleRSAKeyPKCS8_v2[] = {
+    0x30, 0x82, 0x03, 0x06, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
+    0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
+    0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
+    0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
+    0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
+    0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
+    0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
+    0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
+    0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
+    0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
+    0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
+    0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
+    0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
+    0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
+    0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
+    0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
+    0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
+    0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
+    0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
+    0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
+    0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
+    0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
+    0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
+    0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
+    0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
+    0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
+    0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
+    0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
+    0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
+    0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
+    0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
+    0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
+    0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
+    0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
+    0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
+    0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
+    0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
+    0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
+    0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
+    0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
+    0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
+    0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
+    0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
+    0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
+    0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
+    0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
+    0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
+    0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
+    0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
+    0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
+    0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
+    0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
+    /* Implicit optional Public key BIT STRING */
+    0x81, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8,
+    0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
+    0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
+    0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
+    0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
+    0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
+    0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
+    0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
+    0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
+    0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
+    0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
+    0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+
 #ifndef OPENSSL_NO_EC
 /*
  * kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
@@ -537,6 +610,28 @@ static const unsigned char kExampleECKeyDER[] = {
     0xc1,
 };
 
+static const unsigned char kExampleECKeyPKCS8_v2[] = {
+    0x30, 0x81, 0xcb, 0x02, 0x01, 0x01, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+    0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+    0x07, 0x0f, 0x08, 0x72, 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9,
+    0x4d, 0x89, 0x68, 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e,
+    0xe8, 0xd1, 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a, 0xa1, 0x44, 0x03, 0x42,
+    0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f,
+    0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d,
+    0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7,
+    0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2,
+    0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94,
+    0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1,
+    /* Optional implicit public key BIT STRING */
+    0x81, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97,
+    0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9,
+    0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a,
+    0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e,
+    0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e,
+    0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1
+};
+
 /*
  * kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
  * structure. The private key is equal to the order and will fail to import
@@ -765,6 +860,13 @@ static APK_DATA keydata[] = {
 #endif
 };
 
+static APK_DATA keydata_v2[] = {
+    {kExampleRSAKeyPKCS8_v2, sizeof(kExampleRSAKeyPKCS8_v2), "RSA", EVP_PKEY_RSA},
+#ifndef OPENSSL_NO_EC
+    {kExampleECKeyPKCS8_v2, sizeof(kExampleECKeyPKCS8_v2), "EC", EVP_PKEY_EC}
+#endif
+};
+
 static APK_DATA keycheckdata[] = {
     {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1,
      0},
@@ -945,7 +1047,9 @@ static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params)
 
     if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq)))
         goto err;
-    if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
+    /* Check that premature EVP_PKEY_CTX_set_params() fails gracefully */
+    if (!TEST_int_eq(EVP_PKEY_CTX_set_params(pctx, params), 0)
+        || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
         || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR,
                                           params), 0))
         goto err;
@@ -2126,7 +2230,6 @@ static int test_invalide_ec_char2_pub_range_decode(int id)
     return ret;
 }
 
-/* Tests loading a bad key in PKCS8 format */
 static int test_EVP_PKCS82PKEY(void)
 {
     int ret = 0;
@@ -2155,6 +2258,30 @@ static int test_EVP_PKCS82PKEY(void)
 }
 
 #endif
+
+static int test_EVP_PKCS82PKEY_v2(int i)
+{
+    int ret = 0;
+    const unsigned char *p;
+    const APK_DATA *ak = &keydata_v2[i];
+    const unsigned char *input = ak->kder;
+    size_t input_len = ak->size;
+    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+
+    /* Can we parse PKCS#8 v2, ignoring the public key for now? */
+    p = input;
+    p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, input_len);
+    if (!TEST_ptr(p8inf)
+        || !TEST_true(p == input + input_len))
+        goto done;
+
+    ret = 1;
+ done:
+    PKCS8_PRIV_KEY_INFO_free(p8inf);
+    return ret;
+}
+
+/* Tests loading a bad key in PKCS8 format */
 static int test_EVP_PKCS82PKEY_wrong_tag(void)
 {
     EVP_PKEY *pkey = NULL;
@@ -6595,6 +6722,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
     ADD_TEST(test_privatekey_to_pkcs8);
     ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
+    ADD_ALL_TESTS(test_EVP_PKCS82PKEY_v2, OSSL_NELEM(keydata_v2));
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_EVP_PKCS82PKEY);
 #endif

test/recipes/15-test_dsaparam.t

@@ -11,7 +11,7 @@ use warnings;
 
 use File::Spec;
 use File::Copy;
-use File::Compare qw/compare/;
+use File::Compare qw/compare_text/;
 use OpenSSL::Glob;
 use OpenSSL::Test qw/:DEFAULT data_file/;
 use OpenSSL::Test::Utils;
@@ -84,4 +84,4 @@ my $inout = "inout.pem";
 copy($input, $inout);
 ok(run(app(['openssl', 'dsaparam', '-in', $inout, '-out', $inout])),
     "identical infile and outfile");
-ok(!compare($input, $inout), "converted file $inout did not change");
+ok(!compare_text($input, $inout), "converted file $inout did not change");

test/recipes/15-test_ml_dsa_codecs.t

@@ -63,7 +63,7 @@ foreach my $alg (@algs) {
         ok(run(app(['openssl', 'genpkey', '-out', $pem,
                     '-pkeyopt', "hexseed:$seed", '-algorithm', "ml-dsa-$alg",
                     '-provparam', "ml-dsa.output_formats=$f"])));
-        ok(!compare($in, $pem),
+        ok(!compare_text($in, $pem),
             sprintf("prvkey PEM match: %s, %s", $alg, $f));
 
         ok(run(app(['openssl', 'pkey', '-in', $in, '-noout',
@@ -95,7 +95,7 @@ foreach my $alg (@algs) {
     ok(run(app([qw(openssl genpkey -provparam ml-dsa.retain_seed=no),
                 '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
                 '-out', $seedless])));
-    ok(!compare(data_file($formats{'priv-only'}), $seedless),
+    ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
         sprintf("seedless via cli key match: %s", $alg));
     {
         local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf");
@@ -104,14 +104,14 @@ foreach my $alg (@algs) {
         ok(run(app(['openssl', 'genpkey',
                     '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
                     '-out', $seedless])));
-        ok(!compare(data_file($formats{'priv-only'}), $seedless),
+        ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
             sprintf("seedless via config match: %s", $alg));
 
         my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg);
         ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-dsa.retain_seed=yes',
                     '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
                     '-out', $seedfull])));
-        ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
+        ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
             sprintf("seedfull via cli vs. conf key match: %s", $alg));
     }
 
@@ -120,7 +120,7 @@ foreach my $alg (@algs) {
     $seedless = sprintf("seedless-%s.dec.cli.pem", $alg);
     ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=no',
                 '-in', data_file($formats{'seed-only'}), '-out', $seedless])));
-    ok(!compare(data_file($formats{'priv-only'}), $seedless),
+    ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
         sprintf("seedless via provparam key match: %s", $alg));
     {
         local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf");
@@ -128,13 +128,13 @@ foreach my $alg (@algs) {
         $seedless = sprintf("seedless-%s.dec.cnf.pem", $alg);
         ok(run(app(['openssl', 'pkey',
                     '-in', data_file($formats{'seed-only'}), '-out', $seedless])));
-        ok(!compare(data_file($formats{'priv-only'}), $seedless),
+        ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
             sprintf("seedless via config match: %s", $alg));
 
         my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg);
         ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=yes',
                     '-in', data_file($formats{'seed-only'}), '-out', $seedfull])));
-        ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
+        ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
             sprintf("seedfull via cli vs. conf key match: %s", $alg));
     }
 
@@ -143,7 +143,7 @@ foreach my $alg (@algs) {
     my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg);
     ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.prefer_seed=no',
                 '-in', data_file($formats{'seed-priv'}), '-out', $privpref])));
-    ok(!compare(data_file($formats{'priv-only'}), $privpref),
+    ok(!compare_text(data_file($formats{'priv-only'}), $privpref),
         sprintf("seed non-preference via provparam key match: %s", $alg));
 
     # (2 * @formats) tests
@@ -154,7 +154,7 @@ foreach my $alg (@algs) {
         my $out = sprintf("prv-%s-%s.txt", $alg, $f);
         ok(run(app(['openssl', 'pkey', '-in', data_file($kf),
                     '-noout', '-text', '-out', $out])));
-        ok(!compare(data_file($txt), $out),
+        ok(!compare_text(data_file($txt), $out),
             sprintf("text form private key: %s with %s", $alg, $f));
     }
 

test/recipes/15-test_ml_kem_codecs.t

@@ -59,7 +59,7 @@ foreach my $alg (@algs) {
         ok(run(app(['openssl', 'genpkey', '-out', $pem,
                     '-pkeyopt', "hexseed:$seed", '-algorithm', "ml-kem-$alg",
                     '-provparam', "ml-kem.output_formats=$f"])));
-        ok(!compare($in, $pem),
+        ok(!compare_text($in, $pem),
             sprintf("prvkey PEM match: %s, %s", $alg, $f));
 
         ok(run(app(['openssl', 'pkey', '-in', $in, '-noout',
@@ -97,7 +97,7 @@ foreach my $alg (@algs) {
     ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=no',
                 '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
                 '-out', $seedless])));
-    ok(!compare(data_file($formats{'priv-only'}), $seedless),
+    ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
         sprintf("seedless via cli key match: %s", $alg));
     {
         local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf");
@@ -106,14 +106,14 @@ foreach my $alg (@algs) {
         ok(run(app(['openssl', 'genpkey',
                     '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
                     '-out', $seedless])));
-        ok(!compare(data_file($formats{'priv-only'}), $seedless),
+        ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
             sprintf("seedless via config match: %s", $alg));
 
         my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg);
         ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=yes',
                     '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
                     '-out', $seedfull])));
-        ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
+        ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
             sprintf("seedfull via cli vs. conf key match: %s", $alg));
     }
 
@@ -122,7 +122,7 @@ foreach my $alg (@algs) {
     $seedless = sprintf("seedless-%s.dec.cli.pem", $alg);
     ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=no',
                 '-in', data_file($formats{'seed-only'}), '-out', $seedless])));
-    ok(!compare(data_file($formats{'priv-only'}), $seedless),
+    ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
         sprintf("seedless via provparam key match: %s", $alg));
     {
         local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf");
@@ -130,13 +130,13 @@ foreach my $alg (@algs) {
         $seedless = sprintf("seedless-%s.dec.cnf.pem", $alg);
         ok(run(app(['openssl', 'pkey',
                     '-in', data_file($formats{'seed-only'}), '-out', $seedless])));
-        ok(!compare(data_file($formats{'priv-only'}), $seedless),
+        ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
             sprintf("seedless via config match: %s", $alg));
 
         my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg);
         ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=yes',
                     '-in', data_file($formats{'seed-only'}), '-out', $seedfull])));
-        ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
+        ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
             sprintf("seedfull via cli vs. conf key match: %s", $alg));
     }
 
@@ -145,7 +145,7 @@ foreach my $alg (@algs) {
     my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg);
     ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.prefer_seed=no',
                 '-in', data_file($formats{'seed-priv'}), '-out', $privpref])));
-    ok(!compare(data_file($formats{'priv-only'}), $privpref),
+    ok(!compare_text(data_file($formats{'priv-only'}), $privpref),
         sprintf("seed non-preference via provparam key match: %s", $alg));
 
     # (2 * @formats) tests
@@ -156,7 +156,7 @@ foreach my $alg (@algs) {
         my $out = sprintf("prv-%s-%s.txt", $alg, $f);
         ok(run(app(['openssl', 'pkey', '-in', data_file($k),
                     '-noout', '-text', '-out', $out])));
-        ok(!compare(data_file($txt), $out),
+        ok(!compare_text(data_file($txt), $out),
             sprintf("text form private key: %s with %s", $alg, $f));
     }
 

test/recipes/15-test_pkey.t

@@ -11,7 +11,7 @@ use warnings;
 
 use OpenSSL::Test::Utils;
 use File::Copy;
-use File::Compare qw(compare);
+use File::Compare qw(compare_text);
 use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_pkey");
@@ -40,7 +40,7 @@ subtest "=== pkey typical en-/decryption (using AES256-CBC) ===" => sub {
     ok(run(app([@app, '-in', $encrypted_key, '-out', $decrypted_key,
                 '-passin', $pass])),
        "decrypt key");
-    is(compare($in_key, $decrypted_key), 0,
+    is(compare_text($in_key, $decrypted_key), 0,
        "Same file contents after encrypting and decrypting in separate files");
 };
 
@@ -61,7 +61,7 @@ subtest "=== pkey handling of identical input and output files (using 3DES) and
 
     ok(run(app([@app, '-in', $inout, '-out', $inout, '-passin', $pass])),
        "decrypt using identical infile and outfile");
-    is(compare($in_key, $inout), 0,
+    is(compare_text($in_key, $inout), 0,
        "Same file contents after encrypting and decrypting using same file");
 };
 
@@ -75,19 +75,19 @@ subtest "=== pkey handling of public keys (Ed25519) ===" => sub {
     my $pub_out1 = 'pub1.pem';
     ok(run(app([@app, '-in', $in_ed_key, '-pubout', '-out', $pub_out1])),
        "extract public key");
-    is(compare($in_pubkey, $pub_out1), 0,
+    is(compare_text($in_pubkey, $pub_out1), 0,
        "extracted public key is same as original public key");
 
     my $pub_out2 = 'pub2.pem';
     ok(run(app([@app, '-in', $in_pubkey, '-pubin', '-pubout', '-out', $pub_out2])),
        "read public key from pubfile");
-    is(compare($in_pubkey, $pub_out2), 0,
+    is(compare_text($in_pubkey, $pub_out2), 0,
        "public key read using pubfile is same as original public key");
 
     my $pub_out3 = 'pub3.pem';
     ok(run(app([@app, '-in', $in_ed_key, '-pubin', '-pubout', '-out', $pub_out3])),
        "extract public key from pkey file with -pubin");
-    is(compare($in_pubkey, $pub_out3), 0,
+    is(compare_text($in_pubkey, $pub_out3), 0,
        "public key extraced from pkey file with -pubin is same as original");
 };
 
@@ -108,7 +108,7 @@ subtest "=== pkey handling of DER encoding ===" => sub {
     ok(run(app([@app, '-in', $der_out, '-inform', 'DER',
                  '-out', $pem_out])),
        "read DER-encoded key");
-    is(compare($in_key, $pem_out), 0,
+    is(compare_text($in_key, $pem_out), 0,
        "Same file contents after converting to DER and back");
 };
 

test/recipes/20-test_dhparam.t

@@ -11,7 +11,7 @@ use strict;
 use warnings;
 
 use File::Copy;
-use File::Compare qw/compare/;
+use File::Compare qw/compare_text/;
 use OpenSSL::Test qw(:DEFAULT data_file srctop_file);
 use OpenSSL::Test::Utils;
 
@@ -221,4 +221,4 @@ my $inout = "inout.pem";
 copy($input, $inout);
 ok(run(app(['openssl', 'dhparam', '-in', $inout, '-out', $inout])),
     "identical infile and outfile");
-ok(!compare($input, $inout), "converted file $inout did not change");
+ok(!compare_text($input, $inout), "converted file $inout did not change");

test/recipes/25-test_pkcs8.t

@@ -28,7 +28,7 @@ ok(run(app(['openssl', 'pkcs8', '-topk8', '-in', $inout,
 ok(run(app(['openssl', 'pkcs8', '-in', $inout,
             '-out', $inout, '-passin', 'pass:password'])),
    "identical infile and outfile, from PKCS#8");
-is(compare($pc5_key, $inout), 0,
+is(compare_text($pc5_key, $inout), 0,
    "Same file contents after converting forth and back");
 
 ok(run(app(([ 'openssl', 'pkcs8', '-topk8',

test/recipes/80-test_cms.t

@@ -52,7 +52,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
 
 $no_rc2 = 1 if disabled("legacy");
 
-plan tests => 28;
+plan tests => 30;
 
 ok(run(test(["pkcs7_test"])), "test pkcs7");
 
@@ -1398,3 +1398,65 @@ subtest "EdDSA tests for CMS \n" => sub {
            "accept CMS verify with Ed25519");
     }
 };
+
+subtest "ML-DSA tests for CMS \n" => sub {
+    plan tests => 2;
+
+    SKIP: {
+        skip "ML-DSA is not supported in this build", 2
+            if disabled("ml-dsa");
+
+        my $sig1 = "sig1.cms";
+
+        # draft-ietf-lamps-cms-ml-dsa: use SHA512 with ML-DSA
+        ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont,
+                    "-certfile", $smroot, "-signer", catfile($smdir, "sm_mldsa44.pem"),
+                    "-out", $sig1])),
+           "accept CMS signature with ML-DSA-44");
+
+        ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
+                    "-CAfile", $smroot, "-content", $smcont])),
+           "accept CMS verify with ML-DSA-44");
+    }
+};
+
+subtest "SLH-DSA tests for CMS \n" => sub {
+    plan tests => 6;
+
+    SKIP: {
+        skip "SLH-DSA is not supported in this build", 6
+            if disabled("slh-dsa");
+
+        my $sig1 = "sig1.cms";
+
+        # draft-ietf-lamps-cms-sphincs-plus: use SHA512 with SLH-DSA-SHA2
+        ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont,
+                    "-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_sha2_128s.pem"),
+                    "-out", $sig1])),
+           "accept CMS signature with SLH-DSA-SHA2-128s");
+
+        ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
+                    "-CAfile", $smroot, "-content", $smcont])),
+           "accept CMS verify with SLH-DSA-SHA2-128s");
+
+        # draft-ietf-lamps-cms-sphincs-plus: use SHAKE128 with SLH-DSA-SHAKE-128*
+        ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake128", "-in", $smcont,
+                    "-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_128s.pem"),
+                    "-out", $sig1])),
+           "accept CMS signature with SLH-DSA-SHAKE-128s");
+
+        ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
+                    "-CAfile", $smroot, "-content", $smcont])),
+           "accept CMS verify with SLH-DSA-SHAKE-128s");
+
+        # draft-ietf-lamps-cms-sphincs-plus: use SHAKE256 with SLH-DSA-SHAKE-256*
+        ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake256", "-in", $smcont,
+                    "-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_256s.pem"),
+                    "-out", $sig1])),
+           "accept CMS signature with SLH-DSA-SHAKE-256s");
+
+        ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
+                    "-CAfile", $smroot, "-content", $smcont])),
+           "accept CMS verify with SLH-DSA-SHAKE-256s");
+    }
+};

test/smime-certs/mksmime-certs.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -67,3 +67,16 @@ gen smdh.pem "/CN=Test SMIME EE DH" dh_cert >>smdh.pem
 # EE RSA code signing end entity certificate with respective extensions
 cp ../certs/ee-key.pem csrsa1.pem
 gen csrsa1.pem "/CN=Test CodeSign EE RSA" codesign_cert >>csrsa1.pem
+
+# Create PQ certificates with respective extensions
+$OPENSSL genpkey -algorithm ML-DSA-44 -out sm_mldsa44.pem
+gen sm_mldsa44.pem "/CN=Test SMIME EE ML-DSA-44" signer_cert >>sm_mldsa44.pem
+$OPENSSL genpkey -algorithm SLH-DSA-SHA2-128s -out sm_slhdsa_sha2_128s.pem
+gen sm_slhdsa_sha2_128s.pem "/CN=Test SMIME EE SLH-DSA-SHA2-128s" \
+    signer_cert >>sm_slhdsa_sha2_128s.pem
+$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-128s -out sm_slhdsa_shake_128s.pem
+gen sm_slhdsa_shake_128s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-128s" \
+    signer_cert >>sm_slhdsa_shake_128s.pem
+$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-256s -out sm_slhdsa_shake_256s.pem
+gen sm_slhdsa_shake_256s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-256s" \
+    signer_cert >>sm_slhdsa_shake_256s.pem

test/smime-certs/sm_mldsa44.pem

@@ -0,0 +1,99 @@
+-----BEGIN PRIVATE KEY-----
+MIIKPgIBADALBglghkgBZQMEAxEEggoqMIIKJgQgmsSm9eI30++j5lPGc4VSUHl8
+RHdUYZ2HyINZ2noG/FsEggoAdnnaWN8r8QxVgVFSizuW+sZ0zqlCUOM5HFD0RYnm
+ueIk3OZUr/c53pCu4pz8eiyfhhlwToeroamymUVGZF984cjWlyIbK7sm0WwPstIw
+4cTMACIvOBspVFrxHib0IoyIb8RdM0a8EVdE7+5gUuwm3fwZ/TjTpi1PW+k2L6zP
+z5AhF0gTJIUjwmUEBQVCABECh2WKtonKQm0ZRS1byIHhMCFQCIlYEgoQo00SAxIA
+AokMBGLUNGYAAmAKiYXMNCIYhGmQMpEIsGQJAUxUMIyMQJIKKSHYwDHUpogUICIY
+NiDkqC0Uo1EbMyjjCC3gRIgZFSBgyAkasWEZBnIDOZAjwzBDGCxhGGnbQElLQoHE
+BCUkRUAJISwUhlESRXKLxgHMRhBKFEwBsGDKEgqQEg3JCI1ICCUjyU0UtpCSBAmb
+hmDbBoGRpm2BlAkQx0jDMoGAQiVKRkQIKSHJkAWKIiYCqUSSsCiTOCJQQI1BJi1C
+MJIZQIBLsCyUpgiYECAkRJDbCCwYQCQDR2nbhGgZCC6MAiRjpGWBNgnCQmzbEAjb
+mICYOIjUIpDIliwZOW6Eom0LuYkkSBLksm1iEiRiIlECtiWAAnCiMCkSMZESkQ2B
+AALjxJFgRGRbFAlMNGwLpknLMDFLImjiFmQIgGCDAo2kJErhRFALuSiiAg5QKAFT
+OE6iFgwQSFBCCFKLSALRwGRkAIrjAggjgIWKhkgkhmXkxIULgpHZBFAAFUwbCW0A
+RAHIlCkJljGaQoBKIpLRoDEbFIVbMAWKloEIE3GjGGYiBCxMMEESMCUDRWlAomgS
+NXIkNjBaqECbsihAEinAlokZyQDJBoAQpFEMAS2DAFIZtgiQtBAIoGkaRHGUmCDR
+kkkRhRHEwiTYtkkgOGFIgmGcgo0TskkQRCQTEUxiMGlQSG1SIoqiCG6kpCXcpAgK
+xEgBxRBgRihZRHGgAkQBqEEkgi0CNymQKGBQiCmJMIwQkZEZRA4IMC4YRXAKGU1c
+pgFYFCXLRoBBSAESM0IBQWnAxgGbwoghRUUSESpBogRjFI4Ig1FaEI7jwAHbxAjj
+IGLAhmzSBGIIQ0pTpE2gMo5bqAxMtCQLxhGCMAjcsIkRRkFTRhEkpwiDGGBDlgAU
+BS0iNTIRhSkiQ0kIuIxRwGiAQmwRtHAZt1FQkAxLlE2RIkEZtiEJImpcAmwCQijE
+sgFeAKKEuHpy3oMPABBvFJQoBB5V1/+oelrPmUyEuaDw3/Yrlh1OM28QYLO0tbBD
++Xp9mDfAOF9jT/RT9x5QZUOaVfCctxPAkzfXwX9SZ9ClyOZwOGzB64bfxXw6EEvB
+37tO8wBlEtddXkpsQ/cx9C1nuMxGmlscSiA6L0pRkNme7JneAjDKY5IDVPrMUkoY
+wjNtI0CQ5FrE9E0PnbL7Sj+671QIZM77HA1FUOxbmqcKOtSeZY9QrEezt8plwX+8
+uY8QTr0mUcvVODvO5498J/qBTnlQrjLBx2SxyeYIYEClfdO8nWax4VgQT7ZMK/vR
+if0ijT+Q0qx+UYyEdALMp8US8d64njeggh3L6m8TX6+y1I9ezAi14Q8ofH4lSoWL
+o0YDlsi41LWxyHJDr88Nyd7ordFFp4x+yChxHJYoxxJOezP89uLev526aP40oUsL
+i3wXbFd+7g0p8rXl4PYBAcifxj/WBVUk9oa1MLdkKO54PTFZWFLWqnVVMgFS25w7
+Ldf+41pQUVP8RzfpyDvoHIsNNhrgZ8fZtssVtj0OBAsSQ1u5TJZjJDwXSh6LLUsW
+QpFeWS5Jw/gaZG9K3IuMjSDGvqTYL+CewC7AYH+B7S6Gc7bgtbu71osE/U2hHSfo
+nDGFdAk9se5RCfTiv7L6XquAqNvraZPOhlgX0dYmX8GpTgNNs+ryu/q8BdxnkiQO
+uUBjOxC4rKKNip2pOdVVpThIlGW03nE1oPiwW06HMmkfinto8dDN14a2hp1Zg+4B
+vNunwUU/sJ3OeHIxiOkCvEbORb+TUwwJGyHMmT7b+eEgYMoX0awAUP+QGBtNtHFi
+0cDftErapblEwsZEjBNurYF/XGijFUp03q/L/KN2obHTjg/rwLiQa98J74CSLJAh
+qUwWoqqhh6NGYb68ysT35xfZcf+OzhK0U26GGDIoqCqyOVU90YD2qQrGG4DGGH+i
+Dxjn2x5MjArscY62chnMcsgIesdlZfoHNOeGA0j7hD1u+OkBksOH5h6IJ+vl69Xv
+8Gg6Hw3R03TsifCaOg3TfoZ6vsczgKLeHxqJVcKWAsQmaBqFNsFYeZGjTGOGe85I
+yR46NvKXITVgeiyKDF743XctQniZrg8zKTygkERZELsB9lZd3l+qmdjY9Sk+1G7r
+mwpVfONDIpZmJUvLhrz8la4wwcaTKov5ib1KESQLbti4vTtM00LV4fgNGdlpoGsd
+9KTEOUi66j1ES82N16fClA53ULSlathgi66YgGu/1MHDc39zG5W1fUMcDPW3ufgv
+0u35/FvF4POrcAcx37n8bzLmqk2/+j4d39DUuViti9QFctK2jsbtQqthjRhRcaat
+l86Pn2f+fZHWhr7tQGx8bMcQnqVmVfMm6osQoaKNqdrrIQ9ACDVQlpSVIpR5bCeG
+CzcQu09NFS+GsESmZyMm5B2/WDPno6U5cGF6vP9v1oyrJt+/O+5Bwo3U6i+RRnkJ
+73AhkocMF4cIPBVtslMPwDK1dP3tlbp+e0dvq/vKdELIuoFY4Tyw1OAawXuwF85J
+MJUctKM44X8LMeADxPJvJN5XLYKCRCunoA3+MSUIHQT5oy2czouIwWKIv+F7FI/D
+8SBa9klkCT6mZrAKL1YCRg2WxjLzlgB5Tw4TEEi3FUlD6s5sCPT4OxkzaVqaWvpU
+9D2Vd4HfY6p0yjJiuLUjR4cjrRCJBP3A1XTYWvRgSu7uUqjK6z5HgkwWBJlZisJ7
+U1W6YCmWHhwC0Y9mjGahXPJx4FhA5btLX9EYCB9whTyBXicM6MrSa2aM5jCo9JIf
+ExDoCqBpDmZ+5kjFyDeTtYyUtwWCU+9tIKvtmFGYnzdERTf8w/vWszU6QugYn1FW
+WB4fGc/xKOz58xIm/I2B7NnQxmA5HvAEHDvF9n2mrHMRUYkoSsMjUhSAg1scMAFP
+vmvaQQ+AWOylhYQaQgx41y2oTw+9Iievm0hg2lB9qDORem/nwx1a8+4gP1wfjqSW
+xwiUz0Cy/0TtTfZrZGqxQtn02OIKInBpabGH0RSTtBPruNk/XotdSVm5uSN9mBQE
+2xiPnjF48auRYIUH8giNNN7MjZ4z5T40+mJHctegwllavzWKlEjTI5sC8g/pSkJV
+CD8i49DLVGf5sbfEAJB2xDW2f+6l65SpJYV7dY0dhK7R2KT2NrqABk/7w/6wb7VY
+bPVseTnHfXpVTRGdUSFLb5hyaNTiWFlMTX0OmfqQ6R9iOA==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIHYzCCBkugAwIBAgIUTrKnsAj5Isy6498h/MK7WAAxIQEwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw
+MzE4MDgzMjE4WjAiMSAwHgYDVQQDDBdUZXN0IFNNSU1FIEVFIE1MLURTQS00NDCC
+BTIwCwYJYIZIAWUDBAMRA4IFIQB2edpY3yvxDFWBUVKLO5b6xnTOqUJQ4zkcUPRF
+iea54lR2/8XNOhJQ4oWszhrbSHpB1+DZ76n1tez5wc6N5X6s3BEOsp+IPj8W8D7F
+ppWAqoCvbHHflfEVh8mvy4MtPUVGf6XoIl9QgV/afzTZGec+G7GytiEHNBhld2Yq
+POfKPP/IK9mPbnFcPUpPscbHX84TFq8IM6VLgoFnakbQuID/G71nPTFo9f4k3EcT
+kVGIQnWK4lgQW+1WDh8yamFnvg+Du111jA1/c5So3EH++DJDspq03/ALgbMOROuN
+zSYPt6w6EVnqyx8sTWL52lQGx23Q0T8H0WtITz0KbGjgrOsfkrR1qL7DXP8aC83i
+LKMZMitt1OpsKngyBRdQ3fuBOU/bYkmyaWnMR2MuC40XNnKzd41IpO2mjAOyVhe+
+WlhDgABOzsxOjC/WI0oHYTOewTSsjqQhNYU513poeyC5g00QrJYt5HqCwvlPRCb8
+wCsc4ahj+NIdVCOR9KrPh0aXVqQn/Yz7njL76tzQezX7gaoSr3vhr6eQ8In/75bD
+UFRVSJW/6A0sVnQXc4dKyHQQMl9vVTWvoeM8njgMrwHsUT0fjKdJQQGetKGKl1YL
+L9kTnHMem8Zo1gwhs51iecIzj9hwN54ZoawidJy0CNt81Pzin0OaqH8MuI8/RaYy
+3LYMgswpsAXpwYHRY9R4BzrvVXLlNusuba4fHK6x5shr2pDFKe6CJOl5OgsIp9nY
+7+YkIuqOXEMtPrLFNkpgReN0Wj8i5+kNm6V4rviF5Bo67d3dNeIK68O+ZJQditdr
+wixBwhshLTZNp6UzYUJ7ZrfIZoj4wOyDEzWLO9Je1J3bcJzRUVt2hH/DN/Buslrj
+2md4X/MYJjAGQyzBYVVxf9HIH409JPOlb/J4uhL7oeTymdD14wtf2khZRq28kheO
+I3169hxfQo2sq05Me93J/nAglPXstMIPLKIW//544tkluzjn0CoCaHH6nS749TmM
+4QcEQ3ttPy7PmhjAJii+tJ08OoMdVwZ2UWH8R5FwEN4sF0Yb4CeM18AjWS45QNBR
+GDDOoCCN9BnnblyKd697L99KvhrQTy0v9XNXH6BFzuuAyPQ5khlgnlsSJyMhnTMo
+Zeh8WCu+zC7+z4vEAYJlMRVmKMIPH/GqPkNDhxTMc+FSsKSjEOfkZQh1JZ38oOdO
+RM4FJ4htsMHpn2g8OQuGSgUQo5dyqLpB8k/6sY//pGua3Y/PGjeBdYpydTUzAprU
+YMuFxVe+ymDSpQrB9OALRe9UwPbiUtaVJHlRchX7H1YB+RX6zywHH2sTD5NQfcwm
+3/To0Fe1Xw3dVczekXqN246GetDMwy4RYp1RsPIBRICaAwGEuDs1gX9aM5tLLaw1
+3RpF76+JruAICXZ2v8Q7wHZkM+MPZ6E4/l4zjXk5PJM/R3SfuOdQiEICbmmp8GL8
+c3Scu8Pi4TSvq0ajrpnKo//aNPaVJI3DQWDQf6+h29QyHqrbpjZ2nkrMmT34aVUl
+R0XI95qdjAB4U7neWx3AZVQd+MhP76aXvB/DvefVfnGOn2hQQd77VC9EB7FwTk5l
+m+DGBzzI1C5nKTfeTIeTdG69VB5BmU/AitRzu90X3ef2IrMuL+kIzWsPFixaqRX5
+7WFHx76mwanDgxgHgbNh5/AuVHT4nJ2bBe+U2fR2Q+ggVWwjs+gGUZLLby8FLOl/
+WRrb2shpJIs8yl6ReeaMj9j3NlpHQ8ETfslf3g0f1kPLJBrWo10wWzAJBgNVHRME
+AjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUlJUkGXaMnS/r8k6VzIDQ3EcK
+TBQwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQEL
+BQADggEBAEgW7XK6cZJcSdRTIuRTbZ9ssJZj6WwLYJmygldKQg6hnYWpPYLNCxqb
+AOO2xicCa9hv3HkgvyYK1tqbwFtuef/KSk+wOlDfgqtFVryVyK0js3x5r3mpCbmk
+5ihpTIuSVTgMCFlx4AXgLZGacei7hvCCP05bnhUvQmdu96bKnwlxvjLHgn3X5Cfw
++7b0q60oZTkOn4PStVnuOVTgLzs6Ta/KHh5M9OVVyEsRz2m3lmG2idXX/pTWXkE3
+VNSJCepP45RBFuxPSeEHW4EM/JPDqhBY5H19NHxcM42uXDykpR1ChSIhKruzjijA
+wme8H314QJnFKfUcGNNrNN/dElirhmU=
+-----END CERTIFICATE-----

test/smime-certs/sm_slhdsa_sha2_128s.pem

@@ -0,0 +1,19 @@
+-----BEGIN PRIVATE KEY-----
+MFICAQAwCwYJYIZIAWUDBAMUBECT5RmZe6OO8vsKNkthvx+UPRB8d7wbvTJB1UgM
+zLwGZWYszdtLdA++kdkjuW5vJNeZVVKuVhhsqT7/bm5Rdz2I
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICZzCCAU+gAwIBAgIUDjFC0337VoVD3qOifcn8/v6cYSowDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw
+MzE4MDgzMjE4WjAqMSgwJgYDVQQDDB9UZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB
+Mi0xMjhzMDAwCwYJYIZIAWUDBAMUAyEAZizN20t0D76R2SO5bm8k15lVUq5WGGyp
+Pv9ublF3PYijXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQW
+BBThF4u5GJ2SIU/Uq8ZC97+3tZMX6DAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg
+1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAajeFlF3LMr6Z3i0YF+guYeY7+o6O
+Q7VVBKyaFWfb+m8IMo0iM7fvYeP1B+VXRO0bPrvCE8jsgv+kkZn5PUTkZApaLbkj
+eu0Pj1ik4/A7/en3aGGjzHRGrcjScE18SPrB8KtoDWuq7nb0PQX1LPDEJLAkJt8F
+qD4uGGHXkFHse2IE+wlCXC8xOoaMmVmdbCz+lz1TNIpmFYAgv9gsMOlEDN/lcFL4
+DGebKespZapcDBVROVWZceOSY/3o8CdnFjrsm9F/q6SUoq08Lf595+THace+N1nB
+rYn6Enlx7OLoONpjsas50h28tTKKnuFHFd+emD7ga3GEwjDwMnOQ2bOFrQ==
+-----END CERTIFICATE-----

test/smime-certs/sm_slhdsa_shake_128s.pem

@@ -0,0 +1,19 @@
+-----BEGIN PRIVATE KEY-----
+MFICAQAwCwYJYIZIAWUDBAMaBEBtEDfB3z2GkApieWwYEcUwym4LqAn+f3ekIXpy
+3Ih301cGLuxKkbFlC18GqkEFy2hrtjlDrRImYToCJ1S4HlzY
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICaDCCAVCgAwIBAgIUP4qMOjsrV/JbvCEgSaqBovSvz1cwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw
+MzE4MDgzMjE4WjArMSkwJwYDVQQDDCBUZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB
+S0UtMTI4czAwMAsGCWCGSAFlAwQDGgMhAFcGLuxKkbFlC18GqkEFy2hrtjlDrRIm
+YToCJ1S4HlzYo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4E
+FgQUO+o1zTM0Z+/LQz6qk3AWGA1jlTQwHwYDVR0jBBgwFoAUFcETIWviVV+nah1X
+INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAEumBy00rMY5HqpqoTRjVj3TNhXH
+i42pLoOXkAlNDpyHAkn5nM4iPeefHOha521RYiIIPv8XZIiAixHtZJjXtZnMgD6G
+XsdCtci82Lgry/6pzg3hPb/LuaC7ochG4RSNv6QdIFgB+YcD6qaQnvtWuK3zsMQQ
+1Fr2qGRljbgDdreaViIJxEXYakXnHvLHYn9UOT8punXsM6jksugvt8wysUucHMA5
+KhB1o1yYgXFbE3IcAmsX8cQpIDHwSPDdnYmxBptTKld3SOKt0O0TjLzjgix/3IQm
+8l1MHH0UEuLdhXCOiSbQiXqYfWJig+2AmM5VLeWAysX6BixVKxG25jSsAZE=
+-----END CERTIFICATE-----

test/smime-certs/sm_slhdsa_shake_256s.pem

@@ -0,0 +1,22 @@
+-----BEGIN PRIVATE KEY-----
+MIGTAgEAMAsGCWCGSAFlAwQDHgSBgG4ItImtx5rfHYI99Xo2Wl4PSpqyeMaZrjtW
+QYKovvW2pKvcIc4Re7OnKKHMjIvow/1TaRQUHRUQQFQC/DygeacNpVdWjGZ1/jnc
+D0XfWgfvX0KwATwmXO9NM7Rq7B5OZ1uyykT3e8mPhn5afbRkNvfhKgID07Ukiz1c
+/6XQf7nU
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICiDCCAXCgAwIBAgIUStYfQbEa4PtzChfKNmTE65EId3YwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODEyNDExMFoYDzIxMjUw
+MzE4MTI0MTEwWjArMSkwJwYDVQQDDCBUZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB
+S0UtMjU2czBQMAsGCWCGSAFlAwQDHgNBAA2lV1aMZnX+OdwPRd9aB+9fQrABPCZc
+700ztGrsHk5nW7LKRPd7yY+Gflp9tGQ29+EqAgPTtSSLPVz/pdB/udSjXTBbMAkG
+A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTSJYn48biBTinA1pDo
+k2odLpFi0zAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG
+9w0BAQsFAAOCAQEARP3DGNCSUHkAsQCgWgIF50k3qe8t2cjFnpMBdpoSTFo0VSIo
+58cCN0yusCzHvrtVSXXf/B9t4kLunmXKH5+4nAbnc7Yi2PxiN30qPfr1XYqfKcUd
+k04xB7pJF1YjNqVOlrPSA4O5Mi7aXgmkv7pyHFbY8056u1Ea3xcm2Ib5cpCBQd90
+47ARf8XH/94zhBebFALffrWRn1NgsOgwSq3GAZSvEkWpZHyr4XWpCvHXZ0ImfghU
+BqM077E+r/uLk3kT+L1FoUwLXtQkNrtWJtrSBdp5AexOZqqjqjRR+oG9tAG1KUnl
++4+ts3nVjUeEsRdGMv+gl3/926nsxozJtUO5OA==
+-----END CERTIFICATE-----

test/sslapitest.c

@@ -12588,8 +12588,25 @@ struct quic_tls_test_data {
     size_t params_len;
     int alert;
     int err;
+    int forcefail;
 };
 
+static int clientquicdata = 0xff, serverquicdata = 0xfe;
+
+static int check_app_data(SSL *s)
+{
+    int *data, *comparedata;
+
+    /* Check app data works */
+    data = (int *)SSL_get_app_data(s);
+    comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;
+
+    if (!TEST_true(comparedata == data))
+        return 0;
+
+    return 1;
+}
+
 static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
                           size_t *consumed, void *arg)
 {
@@ -12598,6 +12615,11 @@ static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
     size_t max_len = sizeof(peer->rcd_data[data->wenc_level])
                      - peer->rcd_data_len[data->wenc_level];
 
+    if (!check_app_data(s)) {
+        data->err = 1;
+        return 0;
+    }
+
     if (buf_len > max_len)
         buf_len = max_len;
 
@@ -12618,6 +12640,11 @@ static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
 {
     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
 
+    if (!check_app_data(s)) {
+        data->err = 1;
+        return 0;
+    }
+
     *bytes_read = data->rcd_data_len[data->renc_level];
     *buf = data->rcd_data[data->renc_level];
     return 1;
@@ -12627,6 +12654,18 @@ static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
 {
     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
 
+    if (!check_app_data(s)) {
+        data->err = 1;
+        return 0;
+    }
+
+    /* See if we need to force a failure in this callback */
+    if (data->forcefail) {
+        data->forcefail = 0;
+        data->err = 1;
+        return 0;
+    }
+
     if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
             || !TEST_size_t_gt(bytes_read, 0)) {
         data->err = 1;
@@ -12643,6 +12682,9 @@ static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
 {
     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
 
+    if (!check_app_data(s))
+        goto err;
+
     if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
             || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
         goto err;
@@ -12680,6 +12722,11 @@ static int got_transport_params_cb(SSL *s, const unsigned char *params,
 {
     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
 
+    if (!check_app_data(s)) {
+        data->err = 1;
+        return 0;
+    }
+
     if (!TEST_size_t_le(params_len, sizeof(data->params))) {
         data->err = 1;
         return 0;
@@ -12695,14 +12742,22 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
 {
     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
 
+    if (!check_app_data(s)) {
+        data->err = 1;
+        return 0;
+    }
+
     data->alert = 1;
     return 1;
 }
 
 /*
  * Test the QUIC TLS API
+ * Test 0: Normal run
+ * Test 1: Force a failure
+ * Test 3: Use a CCM based ciphersuite
  */
-static int test_quic_tls(void)
+static int test_quic_tls(int idx)
 {
     SSL_CTX *sctx = NULL, *cctx = NULL;
     SSL *serverssl = NULL, *clientssl = NULL;
@@ -12733,6 +12788,8 @@ static int test_quic_tls(void)
     memset(&cdata, 0, sizeof(cdata));
     sdata.peer = &cdata;
     cdata.peer = &sdata;
+    if (idx == 1)
+        sdata.forcefail = 1;
 
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                        TLS_client_method(), TLS1_3_VERSION, 0,
@@ -12743,6 +12800,20 @@ static int test_quic_tls(void)
                                       NULL)))
         goto end;
 
+    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
+    SSL_set_bio(serverssl, NULL, NULL);
+    SSL_set_bio(clientssl, NULL, NULL);
+
+    if (idx == 2) {
+        if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
+                || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
+            goto end;
+    }
+
+    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
+            || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
+        goto end;
+
     if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
             || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
             || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
@@ -12751,8 +12822,17 @@ static int test_quic_tls(void)
                                                             sizeof(sparams))))
         goto end;
 
-    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+    if (idx != 1) {
+        if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+            goto end;
+    } else {
+        /* We expect this connection to fail */
+        if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+            goto end;
+        testresult = 1;
+        sdata.err = 0;
         goto end;
+    }
 
     /* Check no problems during the handshake */
     if (!TEST_false(sdata.alert)
@@ -12790,6 +12870,10 @@ static int test_quic_tls(void)
     SSL_CTX_free(sctx);
     SSL_CTX_free(cctx);
 
+    /* Check that we didn't suddenly hit an unexpected failure during cleanup */
+    if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
+        testresult = 0;
+
     return testresult;
 }
 
@@ -12861,7 +12945,15 @@ static int test_quic_tls_early_data(void)
     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                       &clientssl, NULL, NULL))
             || !TEST_true(SSL_set_session(clientssl, sess)))
-        return 0;
+        goto end;
+
+    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
+    SSL_set_bio(serverssl, NULL, NULL);
+    SSL_set_bio(clientssl, NULL, NULL);
+
+    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
+        || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
+        goto end;
 
     if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
             || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
@@ -12877,15 +12969,15 @@ static int test_quic_tls_early_data(void)
     SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
     SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);
 
-    if (!TEST_int_eq(SSL_connect(clientssl), 0)
-            || !TEST_int_eq(SSL_accept(serverssl), 0)
+    if (!TEST_int_eq(SSL_connect(clientssl), -1)
+            || !TEST_int_eq(SSL_accept(serverssl), -1)
             || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
             || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
             || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
         goto end;
 
     /* Check the encryption levels are what we expect them to be */
-    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY)
+    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
             || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
             || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
             || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
@@ -13267,7 +13359,7 @@ int setup_tests(void)
 #endif
     ADD_ALL_TESTS(test_alpn, 4);
 #if !defined(OSSL_NO_USABLE_TLS1_3)
-    ADD_TEST(test_quic_tls);
+    ADD_ALL_TESTS(test_quic_tls, 3);
     ADD_TEST(test_quic_tls_early_data);
 #endif
     return 1;