Compare commits

31 commits

Author SHA1 Message Date
Matt Caswell
fb55383c65 Move the Handshake read secret change earlier in the process for QUIC 0-RTT
On the server side we were changing the handshake rx secret a little late.
This meant the application was forced to call SSL_do_handshake() again
even if there was nothing to read in order to get the secret. We move it
a little earlier in the process to avoid this.

Fixes the issue described in:
https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27101)

(cherry picked from commit 95051052b3)
2025-03-20 20:22:53 +01:00
Daniel Van Geest
c3d43037b4 Fix use of SHAKE as a digest in CMS
draft-ietf-lamps-cms-sphincs-plus-19 specifies SHAKE as
the message digest algorithm for SLH-DSA-SHAKE-* in CMS.
SHAKE doesn't have a default digest length, so this adds
a SHAKE-specific kludge in CMS.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27087)

(cherry picked from commit c1d27789e9)
2025-03-20 12:20:58 +01:00
Viktor Dukhovni
ac20f5c90c Avoid erroneous legacy code path when provided
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27075)

(cherry picked from commit 27b88364e4)
2025-03-20 11:33:43 +01:00
Ankit Kekre
195d67780e apps/cms.c, apps/ocsp.c: Added NULL pointer checks
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27059)

(cherry picked from commit 952d9b83b2)
2025-03-20 11:31:39 +01:00
Matt Caswell
6e4ddabd98 Fix the use of CCM ciphersuites with QUIC TLS API
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 207cd5bb97)
2025-03-20 11:25:01 +01:00
Matt Caswell
4c80bf56bb Add a test for using CCM ciphersuites with QUIC TLS API
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 366b2643cb)
2025-03-20 11:25:00 +01:00
Matt Caswell
688cea710d Always use NULL BIOs when using the QUIC TLS API
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 228a26fde4)
2025-03-20 11:24:59 +01:00
Matt Caswell
c25f0780a5 Test that using the QUIC TLS API does not require BIOs to be set
When using the QUIC TLS API it does not make sense to require BIOs to be
set.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 445c0942cd)
2025-03-20 11:24:58 +01:00
Matt Caswell
d8ce455a3d Ensure SSL_get_app_data() continues to work even in SSL_free()
During SSL_free() we may get a QUIC TLS callback being called to clean up
any remaining record data. We should ensure that SSL_get_app_data()
continues to work, even in this scenario.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 2100cf2ee0)
2025-03-20 11:24:57 +01:00
Matt Caswell
81789a05b7 Don't decrement the unreleased counter if we failed to release a record
In a failure situation we may incorrectly decrement the amount of data
released. Only decrement the counter if we successfully released.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 4ad45969b0)
2025-03-20 11:24:57 +01:00
Matt Caswell
a9b87830c9 Check SSL_get_app_data() from QUIC cb in a failure situation
Ensure SSL_get_app_data() works even in a failure situation from SSL_free()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit f2488a567b)
2025-03-20 11:24:56 +01:00
Matt Caswell
948c776ba7 Add a test for calling SSL_get_app_data() from QUIC TLS callbacks
Check that we get the expected app data when using the QUIC TLS callbacks.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)

(cherry picked from commit 2ebae654d5)
2025-03-20 11:24:54 +01:00
Bernd Edlinger
3e9790a255 Remove workaround for an old ppc64le compiler bug
Lowering the optimization level is no longer needed,
since the old compiler bug from ubuntu-20.04 has been
fixed meanwhile.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27033)

(cherry picked from commit c658a60aae)
2025-03-20 11:17:46 +01:00
Dmitry Misharov
2a6d875c90 correctly mark the release as prerelease
Release must be marked as prerelease if "alpha" or "beta" is in tag name

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27092)

(cherry picked from commit 1bf328edf9)
2025-03-20 11:15:28 +01:00
Viktor Dukhovni
d46923327f Tolerate PKCS#8 V2 with optional public keys
- Presently any included public key is unused.
- We don't check that v1 PKCS#8 structures omit the public key.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27076)

(cherry picked from commit 064bb16454)
2025-03-19 12:03:02 +01:00
Jon Spillett
0615d3afc1 Use text compare for PEM and text files
- Fix ml_dsa_codecs test
- Fix ml_kem_codecs test
- Fix pkey test
- Fix dsaparam test
- Fix dhparam test
- Fix pkcs8 test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27082)

(cherry picked from commit 58d548d84e)
2025-03-19 11:50:31 +01:00
Ingo Franzki
50debdf12c Doc fix in EVP_PKEY-ML-DSA/KEM.pod files
Fix the references to OSSL_PROVIDER_add_conf_parameter in the 'SEE ALSO'
section.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27077)

(cherry picked from commit 05c05d43bf)
2025-03-19 11:47:36 +01:00
Martin Oliveira
0639c3618c Fix gettable_params() for ECX
The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the
ed25519_get_params() and ed448_get_params(). The x25519 and x448
versions of get_params() always ignore that parameter, so it should not
be in the list of gettable params.

Fixes: 1a7328c882 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest")

cla: trivial

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27043)

(cherry picked from commit 482d3f9338)
2025-03-19 10:55:51 +01:00
ak4153
e08d6e9338 Fix missing OSSL_FUNC_DIGEST_GET_PARAMS in provider-digest.pod
Fixes #26626
CLA: trivial

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27009)

(cherry picked from commit 978e23a472)
2025-03-19 10:42:05 +01:00
sashan
4a1d897190 require GNU assembler 2.30 or higher to build aesni-xts-avx512.pl
The perlasm in aesni-xts-avx512 currently checks for GNU assembler 2.26
or higher. According to reporters it looks like we need 2.30.

This PR just attempts to fix the version check so people with older
tool chains can build OpenSSL.

Fixes #27049

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27078)

(cherry picked from commit 108079fcbb)
2025-03-19 08:07:40 +11:00
Nicola Tuveri
fd1faa0ec7 docs(provider-base): Add HISTORY note for OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS (and MAX)
This commit adds a small note about definitions for
`OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS` and `OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS`
being first added in OpenSSL 3.5.

PR #26975 added these definitions for OpenSSL 3.5, but the documentation
update omitted a history note for the addition.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27063)

(cherry picked from commit 2d50cb660c)
2025-03-18 18:59:26 +01:00
Bernd Edlinger
126d3209b3 Do some more cleanup in the RCU code
Only a minimum of 2 qp's are necessary: one for the readers,
and at least one that writers can wait on for retirement.
There is no need for one additional qp that is always unused.
Also only one ACQUIRE barrier is necessary in get_hold_current_qp,
so the ATOMIC_LOAD of the reader_idx can be changed to RELAXED.
And finally clarify some comments.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27012)

(cherry picked from commit a532f2302d)
2025-03-18 18:52:48 +01:00
Bernd Edlinger
82f7dbbf38 Fix a memory order issue with weakly ordered systems
This adds a dummy atomic release operation to update_qp, which
should make sure that the new value of reader_idx is visible in
get_hold_current_qp, directly after incrementing the users count.

Fixes: #26875

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26964)

(cherry picked from commit 4a1a7fe5ce)
2025-03-17 08:22:57 -04:00
Neil Horman
7c9829053d Fix interop ci yaml
Somehow I mistakenly listed clients in the exclude list, when it should
have been servers, resulting in an invalid yml file

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27066)

(cherry picked from commit 5db7b99914)
2025-03-15 06:37:40 -04:00
Danny Tsen
080c6be0b1 Fix Minerva timing side-channel signal for P-384 curve on PPC
1. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6()
   for Montgomery multiplication.
2. ecp_nistp384-ppc64.pl:
   - Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with
     minimum perl wrapper.
   - Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce.
   - Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly.
3. ecp_nistp384.c:
   - Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce.

Signed-off-by: Danny Tsen <dtsen@us.ibm.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26709)

(cherry picked from commit 85cabd9495)
2025-03-14 17:22:19 +01:00
Tomas Mraz
cb286b6e09 Keep the provided peer EVP_PKEY in the EVP_PKEY_CTX too
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26976)

(cherry picked from commit c8654f79f4)
2025-03-14 17:10:17 +01:00
Andrew Dinh
3cd8141715 Fix RCU TODOs
- Update allocate_new_qp_group to take unsigned int
- Move id_ctr in rcu_lock_st for better stack alignment

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26972)

(cherry picked from commit 7097d2e00e)
2025-03-14 17:04:31 +01:00
Randall S. Becker
dbb5c73f90 Wrap use of poll.h to prevent including on NonStop.
Fixes: #26724

Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26726)

(cherry picked from commit ff030ad5bd)
2025-03-14 07:49:48 -04:00
Neil Horman
97fbbc2f1f Exclude retry test with msquic server from interop
With the addition of larger ml-kem keys in our tls handshake, we've
uncovered an interop failure, as described here:
https://github.com/microsoft/msquic/issues/4905

In short, when we send a client hello that spans multiple datagrams, the
server sends an ACK frame in a datagram prior to sending its server
hello.  msquic however, recomputes a new SCID always when sending its
server hello, which is fine nominally, but because in this test the
server sends a retry frame to update the SCID, followed by an ACK using
that SCID (which is an initial packet), msquic violates the RFC in
section 7.2 which states:

Once a client has received a valid Initial packet from the server, it MUST
discard any subsequent packet it receives on that connection with a
different Source Connection ID

Because msquic sent an initial packet with that ACK frame, we are
required to discard subsequent frames on the connection containing a
different SCID.

Until msquic fixes that in their implementation we are going to fail the
retry interop test, so for now, let's exclude the test.

Also, while we're at it, re-add chrome into the client list for our
server tests, as that seems to have been lost during the merge.

Fixes openssl/project#1132

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27014)

(cherry picked from commit 2fb4cfe143)
2025-03-12 10:39:06 -04:00
openssl-machine
156e0f345c Prepare for 3.5 alpha 2
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
2025-03-12 13:37:29 +00:00
openssl-machine
8fabfd8109 Prepare for release of 3.5 alpha 1
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
2025-03-12 13:37:20 +00:00
51 changed files with 2188 additions and 408 deletions

@ -103,10 +103,7 @@ jobs:
}, {
arch: powerpc64le-linux-gnu,
libs: libc6-dev-ppc64el-cross,
# The default compiler for this platform on Ubuntu 20.04 seems
# buggy and causes test failures. Dropping the optimisation level
# resolves it.
target: -O2 linux-ppc64le,
target: linux-ppc64le,
fips: no
}, {
arch: riscv64-linux-gnu,

@ -38,4 +38,5 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
run: |
VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
gh release create ${{ github.ref_name }} -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
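Review bot: `${{ github.ref_name }}` is interpolated directly into the shell script on both the `VERSION=` and the new `PRE_RELEASE=` lines, so whatever ref name reaches this job is evaluated as shell text while the step holds `GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}`; the safer pattern is to pass the ref through `env:` (e.g. `REF: ${{ github.ref_name }}`) and use a quoted `"$REF"` in the script, which also makes `[[ "$REF" =~ alpha|beta ]]` robust to unexpected characters. Leaving `$PRE_RELEASE` unquoted on the `gh release create` line is fine because it is either `-p` or empty.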

@ -12,6 +12,9 @@ jobs:
matrix:
tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
exclude:
- servers: msquic
tests: retry
fail-fast: false
runs-on: ubuntu-latest
steps:
@ -39,7 +42,7 @@ jobs:
strategy:
matrix:
tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl]
clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome]
exclude:
- clients: mvfst
tests: amplificationlimit

@ -1,7 +1,7 @@
MAJOR=3
MINOR=5
PATCH=0
PRE_RELEASE_TAG=dev
PRE_RELEASE_TAG=alpha2-dev
BUILD_METADATA=
RELEASE_DATE=""
SHLIB_VERSION=3

@ -1011,7 +1011,7 @@ int cms_main(int argc, char **argv)
goto end;
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (kparam != NULL) {
if (pctx != NULL && kparam != NULL) {
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}
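Review bot: with `if (pctx != NULL && kparam != NULL)`, a key parameter (`kparam`) supplied for a recipient whose `CMS_RecipientInfo_get0_pkey_ctx(ri)` returns NULL is now silently dropped rather than applied or rejected; if that combination is a user error, raise an error and `goto end` when `kparam != NULL && pctx == NULL` instead of continuing as though no parameter had been given.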

@ -1049,6 +1049,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
}
bs = OCSP_BASICRESP_new();
if (bs == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
goto end;
}
thisupd = X509_gmtime_adj(NULL, 0);
if (ndays != -1)
nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
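Review bot: in the new `bs == NULL` branch, `OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs)` passes a pointer that is known to be NULL; writing `NULL` explicitly reads clearer and avoids the impression that `bs` carries data. The return value of `OCSP_response_create()` is also unchecked, so on allocation failure `*resp` is NULL at `end`; make sure the caller treats a NULL `*resp` as an error rather than a response.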

@ -36,7 +36,7 @@ die "can't locate x86_64-xlate.pl";
if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
=~ /GNU assembler version ([2-9]\.[0-9]+)/) {
$avx512vaes = ($1>=2.26);
$avx512vaes = ($1>=2.30);
}
if (!$avx512vaes && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
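Review bot: `$1>=2.30` is a floating-point compare on the captured `major.minor` text, so it works for 2.30 through 2.99 but treats 2.3 and 2.30 as equal and would mis-order a hypothetical 2.100 (read as 2.1); splitting on `.` and comparing the integer minor version is more robust. The regex `([2-9]\.[0-9]+)` also captures only two components, so a patch level such as 2.30.1 is ignored, which is acceptable here but worth a comment.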

@ -17,11 +17,25 @@
static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
/* Since the structure must still be valid use ASN1_OP_FREE_PRE */
if (operation == ASN1_OP_FREE_PRE) {
PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
PKCS8_PRIV_KEY_INFO *key;
int version;
switch (operation) {
case ASN1_OP_FREE_PRE:
/* The structure is still valid during ASN1_OP_FREE_PRE */
key = (PKCS8_PRIV_KEY_INFO *)*pval;
if (key->pkey)
OPENSSL_cleanse(key->pkey->data, key->pkey->length);
break;
case ASN1_OP_D2I_POST:
/* Insist on a valid version now that the structure is decoded */
key = (PKCS8_PRIV_KEY_INFO *)*pval;
version = ASN1_INTEGER_get(key->version);
if (version < 0 || version > 1)
return 0;
if (version == 0 && key->kpub != NULL)
return 0;
break;
}
return 1;
}
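Review bot: the `ASN1_OP_D2I_POST` case rejects `version == 0` when `kpub` is present, which is exactly the check the commit message's second bullet ("We don't check that v1 PKCS#8 structures omit the public key") says is missing; either the message is stale or the intent differs, and the two should be brought in line. `ASN1_INTEGER_get()` returns -1 for values that do not fit a `long`, so the `version < 0` test correctly catches that case; a short comment saying so would help. The `ASN1_OP_FREE_PRE` path cleansing only `key->pkey` is right, since `kpub` is public material.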
@ -30,7 +44,8 @@ ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING),
ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0),
ASN1_IMP_OPT(PKCS8_PRIV_KEY_INFO, kpub, ASN1_BIT_STRING, 1)
} ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
@ -40,6 +55,9 @@ int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
int ptype, void *pval, unsigned char *penc, int penclen)
{
if (version >= 0) {
/* We only support PKCS#8 v1 (0) and v2 (1). */
if (version > 1)
return 0;
if (!ASN1_INTEGER_set(priv->version, version))
return 0;
}
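Review bot: `PKCS8_pkey_set0()` now fails for `version > 1`, a behaviour change for callers that previously passed other version numbers; the man page and CHANGES entry should say so. This hunk also gives callers no way to populate the new `kpub` field when they request version 1, so a v2 structure built through this API always omits the public key; if that is intended, state it in the comment, otherwise add a setter.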

@ -41,12 +41,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
*/
#if defined(_ARCH_PPC64) && !defined(__ILP32__)
/* Minerva side-channel fix danny */
# if defined(USE_FIXED_N6)
if (num == 6) {
if (OPENSSL_ppccap_P & PPC_MADD300)
return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
else
return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
}
# endif
#endif
return bn_mul_mont_int(rp, ap, bp, np, n0, num);
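Review bot: the comment `/* Minerva side-channel fix danny */` should describe the reason rather than a name: the `bn_mul_mont_fixed_n6`/`bn_mul_mont_300_fixed_n6` paths are bypassed for 6-limb (P-384) moduli because they showed a timing signal, and `bn_mul_mont_int()` is used instead. Nothing in this hunk defines `USE_FIXED_N6`, so the `# if defined(USE_FIXED_N6)` block is dead code; either remove it together with the functions it references, or add a comment stating why it is kept disabled.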

@ -14,6 +14,7 @@
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/cms.h>
#include <openssl/core_names.h>
#include "internal/sizes.h"
#include "internal/cryptlib.h"
#include "crypto/x509.h"
@ -407,6 +408,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
const EVP_MD *digest = NULL;
EVP_MD *fetched_digest = NULL;
char alg[OSSL_MAX_NAME_SIZE];
size_t xof_len = 0;
X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
OBJ_obj2txt(alg, sizeof(alg), digestoid, 0);
@ -431,6 +433,24 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR);
goto err;
}
if (EVP_MD_xof(digest)) {
if (EVP_MD_is_a(digest, SN_shake128))
xof_len = 32;
else if (EVP_MD_is_a(digest, SN_shake256))
xof_len = 64;
if (xof_len > 0) {
EVP_MD_CTX *mdctx;
OSSL_PARAM params[2];
if (BIO_get_md_ctx(mdbio, &mdctx) <= 0 || mdctx == NULL)
goto err;
params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN,
&xof_len);
params[1] = OSSL_PARAM_construct_end();
if (!EVP_MD_CTX_set_params(mdctx, params))
goto err;
}
}
EVP_MD_free(fetched_digest);
return mdbio;
err:
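Review bot: when `EVP_MD_xof(digest)` is true but the digest is neither SHAKE128 nor SHAKE256, `xof_len` stays 0 and the code falls through with an XOF that has no output length set; that should be an explicit error rather than a silent fallthrough. The hard-coded 32 and 64 byte lengths come from the SLH-DSA-SHAKE CMS draft named in the commit message, so cite it in a comment next to the assignments, and make sure the `err:` cleanup reached from the new `goto err` lines after `BIO_get_md_ctx()` and `EVP_MD_CTX_set_params()` frees `mdbio` as well as `fetched_digest`.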

@ -252,6 +252,16 @@ static void felem_neg(felem out, const felem in)
out[6] = two60m4 - in[6];
}
#if defined(ECP_NISTP384_ASM)
void p384_felem_diff64(felem out, const felem in);
void p384_felem_diff128(widefelem out, const widefelem in);
void p384_felem_diff_128_64(widefelem out, const felem in);
# define felem_diff64 p384_felem_diff64
# define felem_diff128 p384_felem_diff128
# define felem_diff_128_64 p384_felem_diff_128_64
#else
/*-
* felem_diff64 subtracts |in| from |out|
* On entry:
@ -369,6 +379,7 @@ static void felem_diff128(widefelem out, const widefelem in)
for (i = 0; i < 2*NLIMBS-1; i++)
out[i] -= in[i];
}
#endif /* ECP_NISTP384_ASM */
static void felem_square_ref(widefelem out, const felem in)
{
@ -503,7 +514,7 @@ static void felem_mul_ref(widefelem out, const felem in1, const felem in2)
* [3]: Y = 2^48 (acc[6] >> 48)
* (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d)
*/
static void felem_reduce(felem out, const widefelem in)
static void felem_reduce_ref(felem out, const widefelem in)
{
/*
* In order to prevent underflow, we add a multiple of p before subtracting.
@ -682,8 +693,11 @@ static void (*felem_square_p)(widefelem out, const felem in) =
static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
felem_mul_wrapper;
static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
void p384_felem_square(widefelem out, const felem in);
void p384_felem_mul(widefelem out, const felem in1, const felem in2);
void p384_felem_reduce(felem out, const widefelem in);
# if defined(_ARCH_PPC64)
# include "crypto/ppc_arch.h"
@ -695,6 +709,7 @@ static void felem_select(void)
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
felem_square_p = p384_felem_square;
felem_mul_p = p384_felem_mul;
felem_reduce_p = p384_felem_reduce;
return;
}
@ -703,6 +718,7 @@ static void felem_select(void)
/* Default */
felem_square_p = felem_square_ref;
felem_mul_p = felem_mul_ref;
felem_reduce_p = p384_felem_reduce;
}
static void felem_square_wrapper(widefelem out, const felem in)
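Review bot: in the default branch `felem_reduce_p = p384_felem_reduce;` selects the assembly reducer while `felem_square_p` and `felem_mul_p` fall back to the `_ref` C implementations, and the static initializer a few hunks up uses `felem_reduce_ref`; if the assembly `p384_felem_reduce` is safe on every ppc64 (no MADD300/ALTIVEC dependency) that deserves a comment, otherwise this line should be `felem_reduce_ref` to match the surrounding fallbacks.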
@ -719,10 +735,17 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
# define felem_square felem_square_p
# define felem_mul felem_mul_p
# define felem_reduce felem_reduce_p
void p384_felem_square_reduce(felem out, const felem in);
void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
# define felem_square_reduce p384_felem_square_reduce
# define felem_mul_reduce p384_felem_mul_reduce
#else
# define felem_square felem_square_ref
# define felem_mul felem_mul_ref
#endif
# define felem_reduce felem_reduce_ref
static ossl_inline void felem_square_reduce(felem out, const felem in)
{
@ -739,6 +762,7 @@ static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem
felem_mul(tmp, in1, in2);
felem_reduce(out, tmp);
}
#endif
/*-
* felem_inv calculates |out| = |in|^{-1}

@ -2895,11 +2895,15 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
{
if (ctx->keymgmt != NULL)
return 0;
return evp_pkey_ctx_setget_params_to_ctrl(ctx, SET, (OSSL_PARAM *)params);
}
int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
{
if (ctx->keymgmt != NULL)
return 0;
return evp_pkey_ctx_setget_params_to_ctrl(ctx, GET, params);
}
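Review bot: the new `return 0` for `ctx->keymgmt != NULL` gives callers no error reason; consider an `ERR_raise(ERR_LIB_EVP, ...)` so that a provider-backed context reaching the legacy ctrl translation path is diagnosable rather than a bare failure, and add a one-line comment that these two functions are only meaningful for legacy (non-provider) contexts.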

@ -442,7 +442,10 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
*/
if (provkey == NULL)
goto legacy;
return ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
ret = ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
if (ret <= 0)
return ret;
goto common;
legacy:
#ifdef FIPS_MODULE
@ -497,6 +500,9 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
if (ret <= 0)
return ret;
#endif
common:
if (!EVP_PKEY_up_ref(peer))
return -1;
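Review bot: on the provider path, `ctx->op.kex.exchange->set_peer()` has already recorded the peer before `goto common` reaches `if (!EVP_PKEY_up_ref(peer)) return -1;`, so a failed up-ref leaves the provider context holding a peer that `ctx->peerkey` does not reference; either take the reference before calling `set_peer()` or undo the provider-side state on failure. Also confirm that the previous `ctx->peerkey` is freed before the assignment that follows, so repeated calls do not leak.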
@ -504,7 +510,6 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
ctx->peerkey = peer;
return 1;
#endif
}
int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)

@ -701,8 +701,9 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params)
ctx->op.encap.kem->set_ctx_params(ctx->op.encap.algctx,
params);
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_UNKNOWN:
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_LEGACY:
return evp_pkey_ctx_set_params_to_ctrl(ctx, params);
#endif
@ -745,8 +746,9 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params)
evp_keymgmt_gen_get_params(ctx->keymgmt, ctx->op.keymgmt.genctx,
params);
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_UNKNOWN:
break;
#ifndef FIPS_MODULE
case EVP_PKEY_STATE_LEGACY:
return evp_pkey_ctx_get_params_to_ctrl(ctx, params);
#endif

@ -217,13 +217,12 @@ struct rcu_lock_st {
/* The context we are being created against */
OSSL_LIB_CTX *ctx;
/* rcu generation counter for in-order retirement */
uint32_t id_ctr;
/* TODO: can be moved before id_ctr for better alignment */
/* Array of quiescent points for synchronization */
struct rcu_qp *qp_group;
/* rcu generation counter for in-order retirement */
uint32_t id_ctr;
/* Number of elements in qp_group array */
uint32_t group_count;
@ -262,6 +261,8 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
/* get the current qp index */
for (;;) {
qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_RELAXED);
/*
* Notes on use of __ATOMIC_ACQUIRE
* We need to ensure the following:
@ -272,10 +273,7 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
* of the lock is flushed from a local cpu cache so that we see any
* updates prior to the load. This is a non-issue on cache coherent
* systems like x86, but is relevant on other arches
* Note: This applies to the reload below as well
*/
qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_ACQUIRE);
ATOMIC_ADD_FETCH(&lock->qp_group[qp_idx].users, (uint64_t)1,
__ATOMIC_ACQUIRE);
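Review bot: the comment block headed "Notes on use of __ATOMIC_ACQUIRE" now sits above a `__ATOMIC_RELAXED` load of `reader_idx`, and with the "applies to the reload below as well" sentence gone it no longer matches the code; rewrite it to say that the acquire is supplied by the `ATOMIC_ADD_FETCH(... __ATOMIC_ACQUIRE)` on `users`, which pairs with the release operation in `update_qp`, and why a relaxed index load is therefore sufficient.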
@ -408,6 +406,13 @@ static struct rcu_qp *update_qp(CRYPTO_RCU_LOCK *lock, uint32_t *curr_id)
ATOMIC_STORE_N(uint32_t, &lock->reader_idx, lock->current_alloc_idx,
__ATOMIC_RELAXED);
/*
* this should make sure that the new value of reader_idx is visible in
* get_hold_current_qp, directly after incrementing the users count
*/
ATOMIC_ADD_FETCH(&lock->qp_group[current_idx].users, (uint64_t)0,
__ATOMIC_RELEASE);
/* wake up any waiters */
pthread_cond_signal(&lock->alloc_signal);
pthread_mutex_unlock(&lock->alloc_lock);
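Review bot: `ATOMIC_ADD_FETCH(&lock->qp_group[current_idx].users, (uint64_t)0, __ATOMIC_RELEASE)` is a read-modify-write of zero used purely as a release on the `users` counter; the comment should say explicitly that it pairs with the `__ATOMIC_ACQUIRE` add on the same `users` field in `get_hold_current_qp`, and that the relaxed `ATOMIC_STORE_N` of `reader_idx` just above relies on this ordering, so nobody later "simplifies" the no-op add away.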
@ -422,10 +427,8 @@ static void retire_qp(CRYPTO_RCU_LOCK *lock, struct rcu_qp *qp)
pthread_mutex_unlock(&lock->alloc_lock);
}
/* TODO: count should be unsigned, e.g uint32_t */
/* a negative value could result in unexpected behaviour */
static struct rcu_qp *allocate_new_qp_group(CRYPTO_RCU_LOCK *lock,
int count)
uint32_t count)
{
struct rcu_qp *new =
OPENSSL_zalloc(sizeof(*new) * count);
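Review bot: with `count` now `uint32_t`, `sizeof(*new) * count` cannot overflow on 64-bit targets but can on 32-bit ones for a very large `count`; `ossl_rcu_lock_new()` still takes `int num_writers`, so the clamp there (`num_writers < 2`) is what keeps the implicit int-to-uint32_t conversion from turning a negative into roughly four billion entries. A note on that clamp, or an upper bound on `count` here, would make the dependency visible.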
@ -471,6 +474,8 @@ void ossl_synchronize_rcu(CRYPTO_RCU_LOCK *lock)
* prior __ATOMIC_RELEASE write operation in ossl_rcu_read_unlock
* is visible prior to our read
* however this is likely just necessary to silence a tsan warning
* because the read side should not do any write operation
* outside the atomic itself
*/
do {
count = ATOMIC_LOAD_N(uint64_t, &qp->users, __ATOMIC_ACQUIRE);
@ -527,10 +532,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
struct rcu_lock_st *new;
/*
* We need a minimum of 3 qp's
* We need a minimum of 2 qp's
*/
if (num_writers < 3)
num_writers = 3;
if (num_writers < 2)
num_writers = 2;
ctx = ossl_lib_ctx_get_concrete(ctx);
if (ctx == NULL)
@ -546,8 +551,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
pthread_mutex_init(&new->alloc_lock, NULL);
pthread_cond_init(&new->prior_signal, NULL);
pthread_cond_init(&new->alloc_signal, NULL);
/* By default our first writer is already alloced */
new->writers_alloced = 1;
new->qp_group = allocate_new_qp_group(new, num_writers);
if (new->qp_group == NULL) {

@ -83,13 +83,12 @@ struct rcu_lock_st {
/* The context we are being created against */
OSSL_LIB_CTX *ctx;
/* rcu generation counter for in-order retirement */
uint32_t id_ctr;
/* TODO: can be moved before id_ctr for better alignment */
/* Array of quiescent points for synchronization */
struct rcu_qp *qp_group;
/* rcu generation counter for in-order retirement */
uint32_t id_ctr;
/* Number of elements in qp_group array */
uint32_t group_count;
@ -124,10 +123,8 @@ struct rcu_lock_st {
CRYPTO_RWLOCK *rw_lock;
};
/* TODO: count should be unsigned, e.g uint32_t */
/* a negative value could result in unexpected behaviour */
static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock,
int count)
uint32_t count)
{
struct rcu_qp *new =
OPENSSL_zalloc(sizeof(*new) * count);
@ -141,10 +138,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
struct rcu_lock_st *new;
/*
* We need a minimum of 3 qps
* We need a minimum of 2 qps
*/
if (num_writers < 3)
num_writers = 3;
if (num_writers < 2)
num_writers = 2;
ctx = ossl_lib_ctx_get_concrete(ctx);
if (ctx == NULL)
@ -163,8 +160,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
new->alloc_lock = ossl_crypto_mutex_new();
new->prior_lock = ossl_crypto_mutex_new();
new->qp_group = allocate_new_qp_group(new, num_writers);
/* By default the first qp is already alloced */
new->writers_alloced = 1;
if (new->qp_group == NULL
|| new->alloc_signal == NULL
|| new->prior_signal == NULL

@ -285,7 +285,7 @@ L<provider-keymgmt(7)>,
L<EVP_PKEY_get_raw_private_key(3)>,
L<EVP_PKEY_get_raw_public_key(3)>,
L<EVP_PKEY_get1_encoded_public_key(3)>,
LOSSL_PROVIDER_add_conf_parameter(3)>,
L<OSSL_PROVIDER_add_conf_parameter(3)>,
L<provider-keymgmt(7)>,
L<EVP_SIGNATURE-ML-DSA(7)>

@ -305,7 +305,7 @@ L<EVP_PKEY(3)>,
L<EVP_PKEY_get_raw_private_key(3)>,
L<EVP_PKEY_get_raw_public_key(3)>,
L<EVP_PKEY_get1_encoded_public_key(3)>,
LOSSL_PROVIDER_add_conf_parameter(3)>,
L<OSSL_PROVIDER_add_conf_parameter(3)>,
L<provider-keymgmt(7)>,
L<EVP_KEM-ML-KEM(7)>

@ -977,6 +977,12 @@ L<provider(7)>
The concept of providers and everything surrounding them was
introduced in OpenSSL 3.0.
Definitions for
B<OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS>
and
B<OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS>
were added in OpenSSL 3.5.
=head1 COPYRIGHT
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

@ -94,7 +94,8 @@ macros in L<openssl-core_dispatch.h(7)>, as follows:
A digest algorithm implementation may not implement all of these functions.
In order to be usable all or none of OSSL_FUNC_digest_newctx, OSSL_FUNC_digest_freectx,
OSSL_FUNC_digest_init, OSSL_FUNC_digest_update and OSSL_FUNC_digest_final should be implemented.
OSSL_FUNC_digest_init, OSSL_FUNC_digest_update, OSSL_FUNC_digest_final
and OSSL_FUNC_digest_get_params should be implemented.
All other functions are optional.
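Review bot: making OSSL_FUNC_digest_get_params mandatory is a behaviour change for third-party digest providers, and the text does not say what happens when it is missing (is the digest rejected at fetch time, or does a consumer fail later when it queries the digest size); state the consequence here and add a CHANGES.md entry so provider authors can see why their previously "usable" implementation stops working.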
=head2 Context Management Functions


@ -292,6 +292,7 @@ struct pkcs8_priv_key_info_st {
X509_ALGOR *pkeyalg;
ASN1_OCTET_STRING *pkey;
STACK_OF(X509_ATTRIBUTE) *attributes;
ASN1_OCTET_STRING *kpub;
};
struct X509_sig_st {
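Review bot: the new `kpub` member is declared as `ASN1_OCTET_STRING *`, but the PKCS#8 v2 test vectors added in this series label the field as an implicitly tagged `[1]` BIT STRING (with the leading unused-bits byte present in the data); add a comment on the field stating how the BIT STRING is mapped onto an OCTET STRING and who is responsible for the unused-bits byte, otherwise a later reader of `kpub` will get the encoding wrong.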


@ -98,7 +98,6 @@ typedef size_t socklen_t; /* Currently appears to be missing on VMS */
# include <in.h>
# include <inet.h>
# else
# include <poll.h>
# include <sys/socket.h>
# if !defined(NO_SYS_UN_H) && defined(AF_UNIX) && !defined(OPENSSL_NO_UNIX_SOCK)
# include <sys/un.h>
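Review bot: dropping `# include <poll.h>` from the non-VMS branch is fine only if nothing in this header, or in a source file that relied on this header transitively, still references `poll()` or `struct pollfd`; please confirm that on a platform where `<sys/socket.h>` does not pull in `<poll.h>` the build still succeeds, since that is where a missing include usually shows up.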


@ -20,5 +20,7 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err);
/* Set if this is the QUIC handshake layer */
# define TLS1_FLAGS_QUIC 0x2000
/* Set if this is our QUIC handshake layer */
# define TLS1_FLAGS_QUIC_INTERNAL 0x4000
#endif
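Review bot: the two comments "Set if this is the QUIC handshake layer" and "Set if this is our QUIC handshake layer" are too close to tell apart; spell out that TLS1_FLAGS_QUIC marks any QUIC-style handshake (including third-party stacks driving libssl) while TLS1_FLAGS_QUIC_INTERNAL marks the built-in QUIC implementation, because the cipher restriction below now depends on that distinction.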


@ -26,6 +26,8 @@ typedef enum {
WORK_FINISHED_STOP,
/* We're done working move onto the next thing */
WORK_FINISHED_CONTINUE,
/* We're done writing, start reading (or vice versa) */
WORK_FINISHED_SWAP,
/* We're working on phase A */
WORK_MORE_A,
/* We're working on phase B */
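Review bot: the comment on WORK_FINISHED_SWAP ("start reading (or vice versa)") should also say which state machine is allowed to return it, since the read and write state machines handle it differently below (one treats it as STOP, the other returns SUB_STATE_FINISHED); a one-line note that only pre/post-work on the server returns it would save the next reader a trip through statem.c.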


@ -308,6 +308,7 @@ extern "C" {
# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
/* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */
/* 0x4000 is reserved for TLS1_FLAGS_QUIC_INTERNAL (internal) */
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1


@ -359,7 +359,6 @@ static const OSSL_PARAM ecx_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
ECX_KEY_TYPES(),
OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
@ -370,6 +369,7 @@ static const OSSL_PARAM ed_gettable_params[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0),
ECX_KEY_TYPES(),
OSSL_PARAM_END
};
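Review bot: moving OSSL_PKEY_PARAM_MANDATORY_DIGEST from `ecx_gettable_params` (X25519/X448) to `ed_gettable_params` (Ed25519/Ed448) is the right fix, since only the signature keys have a mandatory digest; make sure the corresponding get_params implementation stops answering that parameter for the X25519/X448 key types, because an advertised gettable list that does not match what get_params actually returns is what this hunk is correcting in the first place.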


@ -583,7 +583,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx)
}
/* override the user_ssl of the inner connection */
sc->s3.flags |= TLS1_FLAGS_QUIC;
sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
/* Restrict options derived from the SSL_CTX. */
sc->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
@ -4436,7 +4436,7 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
goto err;
}
sc->s3.flags |= TLS1_FLAGS_QUIC;
sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
qc->default_ssl_options = OSSL_QUIC_PERMITTED_OPTIONS;
qc->last_error = SSL_ERROR_NONE;


@ -490,7 +490,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch)
}
/* Override the user_ssl of the inner connection. */
tls_conn->s3.flags |= TLS1_FLAGS_QUIC;
tls_conn->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL;
/* Restrict options derived from the SSL_CTX. */
tls_conn->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN;
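Review bot: the same pair `TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL` is now set at three call sites (ossl_quic_new, ossl_quic_new_from_listener and port_new_handshake_layer); define one internal macro for "flags of the built-in QUIC handshake layer" and use it in all three so a future flag does not have to be added in three places.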


@ -423,18 +423,15 @@ static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle,
return OSSL_RECORD_RETURN_FATAL;
}
rl->recunreleased -= length;
if (rl->recunreleased > 0)
return OSSL_RECORD_RETURN_SUCCESS;
if (rl->recunreleased == length) {
if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread,
rl->qtls->args.crypto_release_rcd_cb_arg)) {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return OSSL_RECORD_RETURN_FATAL;
}
rl->recread = 0;
}
rl->recunreleased -= length;
return OSSL_RECORD_RETURN_SUCCESS;
}
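Review bot: the rewritten quic_release_record is only equivalent to the old `rl->recunreleased == length` form if the check immediately above still rejects `length > rl->recunreleased`; with an unsigned counter, an unguarded over-release would now wrap to a large positive value, take the early `return OSSL_RECORD_RETURN_SUCCESS` and silently skip the crypto_release_rcd_cb call, so keep that guard and add a comment that the early return relies on it.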
@ -711,10 +708,21 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
int ossl_quic_tls_configure(QUIC_TLS *qtls)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
BIO *nullbio;
if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
return RAISE_INTERNAL_ERROR(qtls);
nullbio = BIO_new(BIO_s_null());
if (nullbio == NULL)
return RAISE_INTERNAL_ERROR(qtls);
/*
* Our custom record layer doesn't use the BIO - but libssl generally
* expects one to be present.
*/
SSL_set_bio(qtls->args.s, nullbio, nullbio);
SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
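Review bot: `SSL_set_bio(qtls->args.s, nullbio, nullbio)` passes the same BIO as rbio and wbio, so the reference accounting must match what SSL_set_bio(3) specifies for the rbio == wbio case, otherwise this is either a leak or a double free at SSL_free time; please confirm against the documented semantics, and note in the comment that ownership of `nullbio` passes to the SSL object, since there is no matching BIO_free here.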
@ -771,7 +779,6 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
if (!qtls->configured) {
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
SSL_CTX *sctx;
BIO *nullbio;
if (sc == NULL)
return RAISE_INTERNAL_ERROR(qtls);
@ -795,15 +802,7 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
if (!ossl_quic_tls_configure(qtls))
return RAISE_INTERNAL_ERROR(qtls);
nullbio = BIO_new(BIO_s_null());
if (nullbio == NULL)
return RAISE_INTERNAL_ERROR(qtls);
/*
* Our custom record layer doesn't use the BIO - but libssl generally
* expects one to be present.
*/
SSL_set_bio(qtls->args.s, nullbio, nullbio);
sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL;
if (qtls->args.is_server)
SSL_set_accept_state(qtls->args.s);
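Review bot: `sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL` is set here after ossl_quic_tls_configure has already run, and the three QUIC constructors above already set both flags at SSL creation; say which code path reaches ossl_quic_tls_tick without the flag already set, and if configure performs any work that depends on SSL_IS_QUIC_INT_HANDSHAKE (ssl_cipher_disabled now does), set the flag before calling it rather than after.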


@ -3498,7 +3498,7 @@ int ssl3_clear(SSL *s)
* NULL/zero-out everything in the s3 struct, but remember if we are doing
* QUIC.
*/
flags = sc->s3.flags & TLS1_FLAGS_QUIC;
flags = sc->s3.flags & (TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL);
memset(&sc->s3, 0, sizeof(sc->s3));
sc->s3.flags |= flags;


@ -1428,11 +1428,10 @@ void SSL_free(SSL *s)
return;
REF_ASSERT_ISNT(i < 0);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
if (s->method != NULL)
s->method->ssl_free(s);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
SSL_CTX_free(s->ctx);
CRYPTO_THREAD_lock_free(s->lock);
CRYPTO_FREE_REF(&s->references);
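Review bot: the relative order of `CRYPTO_free_ex_data` and `s->method->ssl_free(s)` is now load-bearing, because user callbacks fired while ssl_free tears down the record layer may look up application state stored in ex_data; add a comment at the call site explaining that the order must not be swapped, otherwise a future cleanup will "tidy" it back.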
@ -1448,15 +1447,17 @@ void ossl_ssl_connection_free(SSL *ssl)
if (s == NULL)
return;
/*
* Ignore return values. This could result in user callbacks being called
* e.g. for the QUIC TLS record layer. So we do this early before we have
* freed other things.
*/
ssl_free_wbio_buffer(s);
RECORD_LAYER_clear(&s->rlayer);
X509_VERIFY_PARAM_free(s->param);
dane_final(&s->dane);
/* Ignore return value */
ssl_free_wbio_buffer(s);
/* Ignore return value */
RECORD_LAYER_clear(&s->rlayer);
BUF_MEM_free(s->init_buf);
/* add extra stuff */
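Review bot: the new comment explains that ssl_free_wbio_buffer and RECORD_LAYER_clear are moved early because they can invoke user callbacks (QUIC TLS record layer); it should also state what those callbacks are still allowed to touch at that point, since anything freed before this hunk in the function is already gone when they run, and that constraint is what justifies the new position.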
@ -4967,12 +4968,6 @@ int SSL_do_handshake(SSL *s)
}
}
if (ret == 1 && SSL_IS_QUIC_HANDSHAKE(sc) && !SSL_is_init_finished(s)) {
sc->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
BIO_set_retry_read(SSL_get_rbio(s));
ret = 0;
}
return ret;
}
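Review bot: removing the block that forced `ret = 0` with SSL_READING and BIO_set_retry_read for a QUIC handshake that is not yet init-finished changes the observable return value of SSL_do_handshake for external QUIC stacks driving libssl, which previously saw a want-read result until the handshake completed; this needs a CHANGES.md entry and a check that the QUIC TLS API documentation does not still describe the old behaviour.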


@ -315,6 +315,7 @@
# define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
# define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)
# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0)
/* no end of early data */
# define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s)


@ -244,15 +244,6 @@ int ossl_statem_skip_early_data(SSL_CONNECTION *s)
*/
int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending)
{
int i = SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ;
if (s->server && SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
&& s->early_data_state != SSL_EARLY_DATA_FINISHED_READING
&& s->statem.hand_state == TLS_ST_EARLY_DATA) {
s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, i))
return 0;
}
if (sending == -1) {
if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
|| s->statem.hand_state == TLS_ST_EARLY_DATA) {
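Review bot: the block removed from ossl_statem_check_finish_init tested `s->server`, `s->statem.hand_state == TLS_ST_EARLY_DATA` and the early-data state explicitly, while its replacement in ossl_statem_server_pre_work relies on the surrounding case label and the function being server-only; please confirm the replacement is reached only in the TLS_ST_EARLY_DATA case and not via the TLS1_FLAGS_STATELESS fall-through, since in that path `early_data_state` may not be ACCEPTING.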
@ -737,6 +728,7 @@ static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s)
st->read_state = READ_STATE_HEADER;
break;
case WORK_FINISHED_SWAP:
case WORK_FINISHED_STOP:
if (SSL_CONNECTION_IS_DTLS(s)) {
dtls1_stop_timer(s);
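Review bot: in read_state_machine WORK_FINISHED_SWAP is folded into the WORK_FINISHED_STOP arm, whereas write_state_machine returns SUB_STATE_FINISHED for it; if the read side is never expected to see SWAP, an explicit comment (or treating it as an internal error) is clearer than silently equating it with STOP.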
@ -882,6 +874,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
st->write_state = WRITE_STATE_SEND;
break;
case WORK_FINISHED_SWAP:
return SUB_STATE_FINISHED;
case WORK_FINISHED_STOP:
return SUB_STATE_END_HANDSHAKE;
}
@ -955,6 +950,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)
st->write_state = WRITE_STATE_TRANSITION;
break;
case WORK_FINISHED_SWAP:
return SUB_STATE_FINISHED;
case WORK_FINISHED_STOP:
return SUB_STATE_END_HANDSHAKE;
}
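Review bot: both write_state_machine switches return SUB_STATE_FINISHED for WORK_FINISHED_SWAP, so the outer state machine must not interpret SUB_STATE_FINISHED as "handshake complete" when the server still has to read the client's Finished; a short comment at one of the two arms explaining that FINISHED here means "done writing, switch to reading" would make the intent match the enum's comment.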


@ -573,7 +573,8 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_CW_CLNT_HELLO:
if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
&& !SSL_IS_QUIC_HANDSHAKE(s)) {
/*
* We are assuming this is a TLSv1.3 connection, although we haven't
* actually selected a version yet.
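Review bot: the new `&& !SSL_IS_QUIC_HANDSHAKE(s)` condition skips the early-data write transition for QUIC, but the comment directly below still only talks about assuming TLSv1.3; extend it to say that under QUIC early data is carried by the QUIC layer and there is no EndOfEarlyData message (the same reasoning as SSL_NO_EOED), otherwise the exclusion looks arbitrary.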


@ -839,6 +839,21 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
&& (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
return WORK_FINISHED_CONTINUE;
/*
* In QUIC with 0-RTT we just carry on when otherwise we would stop
* to allow the server to read early data
*/
if (SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
&& s->early_data_state != SSL_EARLY_DATA_FINISHED_READING) {
s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE
| SSL3_CHANGE_CIPHER_SERVER_READ)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return WORK_ERROR;
}
return WORK_FINISHED_SWAP;
}
/* Fall through */
case TLS_ST_OK:
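Review bot: `s->early_data_state = SSL_EARLY_DATA_FINISHED_READING` is assigned before `change_cipher_state` is called, so on failure the connection reports finished-reading early data without the handshake read secret ever being installed; move the assignment after the successful call, and confirm that `ssl` is the SSL handle for `s` obtained earlier in this function since only `s` appears in the signature.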


@ -2874,7 +2874,7 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
if (s->s3.tmp.max_ver == 0)
return 1;
if (SSL_IS_QUIC_HANDSHAKE(s))
if (SSL_IS_QUIC_INT_HANDSHAKE(s))
/* For QUIC, only allow these ciphersuites. */
switch (SSL_CIPHER_get_id(c)) {
case TLS1_3_CK_AES_128_GCM_SHA256:
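Review bot: switching the guard from SSL_IS_QUIC_HANDSHAKE to SSL_IS_QUIC_INT_HANDSHAKE lifts the QUIC ciphersuite allow-list for external QUIC stacks that set only TLS1_FLAGS_QUIC; RFC 9001 excludes TLS_AES_128_CCM_8_SHA256 from QUIC, so those stacks now have to enforce that themselves, and that should be documented alongside the flag so nobody assumes libssl still filters for them.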


@ -459,7 +459,7 @@ static const unsigned char kSignature[] = {
};
/*
* kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
* kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v1
* PrivateKeyInfo.
*/
static const unsigned char kExampleRSAKeyPKCS8[] = {
@ -518,6 +518,79 @@ static const unsigned char kExampleRSAKeyPKCS8[] = {
0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
};
/*
* kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v2
* PrivateKeyInfo (with an optional public key).
*/
static const unsigned char kExampleRSAKeyPKCS8_v2[] = {
0x30, 0x82, 0x03, 0x06, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
/* Implicit optional Public key BIT STRING */
0x81, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8,
0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01
};
#ifndef OPENSSL_NO_EC
/*
* kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
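Review bot: the comment above the new vector says "kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v2 PrivateKeyInfo" but the array is named kExampleRSAKeyPKCS8_v2 (copy-paste from the v1 comment); fix the name, and mention that the version INTEGER is 1 (v2) and the trailing `[1]` publicKey is the same RSAPublicKey as in kExampleRSAKeyDER, which is what a reader needs to verify the vector by hand.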
@ -537,6 +610,28 @@ static const unsigned char kExampleECKeyDER[] = {
0xc1,
};
static const unsigned char kExampleECKeyPKCS8_v2[] = {
0x30, 0x81, 0xcb, 0x02, 0x01, 0x01, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
0x07, 0x0f, 0x08, 0x72, 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9,
0x4d, 0x89, 0x68, 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e,
0xe8, 0xd1, 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a, 0xa1, 0x44, 0x03, 0x42,
0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f,
0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d,
0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7,
0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2,
0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94,
0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1,
/* Optional implicit public key BIT STRING */
0x81, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97,
0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9,
0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a,
0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e,
0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e,
0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1
};
/*
* kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
* structure. The private key is equal to the order and will fail to import
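Review bot: kExampleECKeyPKCS8_v2 carries the public point twice, once inside the ECPrivateKey's own `[1]` publicKey and once in the outer PKCS#8 `[1]` publicKey; there is no vector where the two disagree, so please add one (or state in a comment which copy wins) so the decoder's handling of a mismatch is pinned down by a test rather than left to whichever field happens to be read last.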
@ -765,6 +860,13 @@ static APK_DATA keydata[] = {
#endif
};
static APK_DATA keydata_v2[] = {
{kExampleRSAKeyPKCS8_v2, sizeof(kExampleRSAKeyPKCS8_v2), "RSA", EVP_PKEY_RSA},
#ifndef OPENSSL_NO_EC
{kExampleECKeyPKCS8_v2, sizeof(kExampleECKeyPKCS8_v2), "EC", EVP_PKEY_EC}
#endif
};
static APK_DATA keycheckdata[] = {
{kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1,
0},
@ -945,7 +1047,9 @@ static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params)
if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq)))
goto err;
if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
/* Check that premature EVP_PKEY_CTX_set_params() fails gracefully */
if (!TEST_int_eq(EVP_PKEY_CTX_set_params(pctx, params), 0)
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
|| !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR,
params), 0))
goto err;
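Review bot: the new `TEST_int_eq(EVP_PKEY_CTX_set_params(pctx, params), 0)` deliberately provokes a failure before EVP_PKEY_fromdata_init, which leaves entries on the error queue; if the test harness reports unexpected leftover errors, clear them with ERR_clear_error() after the check, and the comment should say what "fails gracefully" means here (returns 0 without touching the context).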
@ -2126,7 +2230,6 @@ static int test_invalide_ec_char2_pub_range_decode(int id)
return ret;
}
/* Tests loading a bad key in PKCS8 format */
static int test_EVP_PKCS82PKEY(void)
{
int ret = 0;
@ -2155,6 +2258,30 @@ static int test_EVP_PKCS82PKEY(void)
}
#endif
static int test_EVP_PKCS82PKEY_v2(int i)
{
int ret = 0;
const unsigned char *p;
const APK_DATA *ak = &keydata_v2[i];
const unsigned char *input = ak->kder;
size_t input_len = ak->size;
PKCS8_PRIV_KEY_INFO *p8inf = NULL;
/* Can we parse PKCS#8 v2, ignoring the public key for now? */
p = input;
p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, input_len);
if (!TEST_ptr(p8inf)
|| !TEST_true(p == input + input_len))
goto done;
ret = 1;
done:
PKCS8_PRIV_KEY_INFO_free(p8inf);
return ret;
}
/* Tests loading a bad key in PKCS8 format */
static int test_EVP_PKCS82PKEY_wrong_tag(void)
{
EVP_PKEY *pkey = NULL;
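Review bot: test_EVP_PKCS82PKEY_v2 only checks that d2i_PKCS8_PRIV_KEY_INFO succeeds and consumes the whole input, as the "ignoring the public key for now" comment admits; at minimum it should convert the result with EVP_PKCS82PKEY and compare the key against the corresponding v1 vector in keydata, otherwise a decoder that silently drops `kpub` still passes.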
@ -6595,6 +6722,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
ADD_TEST(test_privatekey_to_pkcs8);
ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
ADD_ALL_TESTS(test_EVP_PKCS82PKEY_v2, OSSL_NELEM(keydata_v2));
#ifndef OPENSSL_NO_EC
ADD_TEST(test_EVP_PKCS82PKEY);
#endif


@ -11,7 +11,7 @@ use warnings;
use File::Spec;
use File::Copy;
use File::Compare qw/compare/;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT data_file/;
use OpenSSL::Test::Utils;
@ -84,4 +84,4 @@ my $inout = "inout.pem";
copy($input, $inout);
ok(run(app(['openssl', 'dsaparam', '-in', $inout, '-out', $inout])),
"identical infile and outfile");
ok(!compare($input, $inout), "converted file $inout did not change");
ok(!compare_text($input, $inout), "converted file $inout did not change");
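Review bot: the switch from File::Compare::compare to compare_text (repeated mechanically across the remaining Perl test files) changes a byte comparison into a line comparison in text mode, which tolerates CRLF/LF differences; say so in the commit message, since for the PEM and text outputs being compared that is presumably the intent, and consider whether the DER round-trip case in 20-test_pkey.t should keep a binary compare.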


@ -63,7 +63,7 @@ foreach my $alg (@algs) {
ok(run(app(['openssl', 'genpkey', '-out', $pem,
'-pkeyopt', "hexseed:$seed", '-algorithm', "ml-dsa-$alg",
'-provparam', "ml-dsa.output_formats=$f"])));
ok(!compare($in, $pem),
ok(!compare_text($in, $pem),
sprintf("prvkey PEM match: %s, %s", $alg, $f));
ok(run(app(['openssl', 'pkey', '-in', $in, '-noout',
@ -95,7 +95,7 @@ foreach my $alg (@algs) {
ok(run(app([qw(openssl genpkey -provparam ml-dsa.retain_seed=no),
'-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via cli key match: %s", $alg));
{
local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf");
@ -104,14 +104,14 @@ foreach my $alg (@algs) {
ok(run(app(['openssl', 'genpkey',
'-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via config match: %s", $alg));
my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg);
ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-dsa.retain_seed=yes',
'-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedfull])));
ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
sprintf("seedfull via cli vs. conf key match: %s", $alg));
}
@ -120,7 +120,7 @@ foreach my $alg (@algs) {
$seedless = sprintf("seedless-%s.dec.cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=no',
'-in', data_file($formats{'seed-only'}), '-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via provparam key match: %s", $alg));
{
local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf");
@ -128,13 +128,13 @@ foreach my $alg (@algs) {
$seedless = sprintf("seedless-%s.dec.cnf.pem", $alg);
ok(run(app(['openssl', 'pkey',
'-in', data_file($formats{'seed-only'}), '-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via config match: %s", $alg));
my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=yes',
'-in', data_file($formats{'seed-only'}), '-out', $seedfull])));
ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
sprintf("seedfull via cli vs. conf key match: %s", $alg));
}
@ -143,7 +143,7 @@ foreach my $alg (@algs) {
my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.prefer_seed=no',
'-in', data_file($formats{'seed-priv'}), '-out', $privpref])));
ok(!compare(data_file($formats{'priv-only'}), $privpref),
ok(!compare_text(data_file($formats{'priv-only'}), $privpref),
sprintf("seed non-preference via provparam key match: %s", $alg));
# (2 * @formats) tests
@ -154,7 +154,7 @@ foreach my $alg (@algs) {
my $out = sprintf("prv-%s-%s.txt", $alg, $f);
ok(run(app(['openssl', 'pkey', '-in', data_file($kf),
'-noout', '-text', '-out', $out])));
ok(!compare(data_file($txt), $out),
ok(!compare_text(data_file($txt), $out),
sprintf("text form private key: %s with %s", $alg, $f));
}


@ -59,7 +59,7 @@ foreach my $alg (@algs) {
ok(run(app(['openssl', 'genpkey', '-out', $pem,
'-pkeyopt', "hexseed:$seed", '-algorithm', "ml-kem-$alg",
'-provparam', "ml-kem.output_formats=$f"])));
ok(!compare($in, $pem),
ok(!compare_text($in, $pem),
sprintf("prvkey PEM match: %s, %s", $alg, $f));
ok(run(app(['openssl', 'pkey', '-in', $in, '-noout',
@ -97,7 +97,7 @@ foreach my $alg (@algs) {
ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=no',
'-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via cli key match: %s", $alg));
{
local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf");
@ -106,14 +106,14 @@ foreach my $alg (@algs) {
ok(run(app(['openssl', 'genpkey',
'-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via config match: %s", $alg));
my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg);
ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=yes',
'-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed",
'-out', $seedfull])));
ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
sprintf("seedfull via cli vs. conf key match: %s", $alg));
}
@ -122,7 +122,7 @@ foreach my $alg (@algs) {
$seedless = sprintf("seedless-%s.dec.cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=no',
'-in', data_file($formats{'seed-only'}), '-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via provparam key match: %s", $alg));
{
local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf");
@ -130,13 +130,13 @@ foreach my $alg (@algs) {
$seedless = sprintf("seedless-%s.dec.cnf.pem", $alg);
ok(run(app(['openssl', 'pkey',
'-in', data_file($formats{'seed-only'}), '-out', $seedless])));
ok(!compare(data_file($formats{'priv-only'}), $seedless),
ok(!compare_text(data_file($formats{'priv-only'}), $seedless),
sprintf("seedless via config match: %s", $alg));
my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=yes',
'-in', data_file($formats{'seed-only'}), '-out', $seedfull])));
ok(!compare(data_file($formats{'seed-priv'}), $seedfull),
ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull),
sprintf("seedfull via cli vs. conf key match: %s", $alg));
}
@ -145,7 +145,7 @@ foreach my $alg (@algs) {
my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg);
ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.prefer_seed=no',
'-in', data_file($formats{'seed-priv'}), '-out', $privpref])));
ok(!compare(data_file($formats{'priv-only'}), $privpref),
ok(!compare_text(data_file($formats{'priv-only'}), $privpref),
sprintf("seed non-preference via provparam key match: %s", $alg));
# (2 * @formats) tests
@ -156,7 +156,7 @@ foreach my $alg (@algs) {
my $out = sprintf("prv-%s-%s.txt", $alg, $f);
ok(run(app(['openssl', 'pkey', '-in', data_file($k),
'-noout', '-text', '-out', $out])));
ok(!compare(data_file($txt), $out),
ok(!compare_text(data_file($txt), $out),
sprintf("text form private key: %s with %s", $alg, $f));
}


@ -11,7 +11,7 @@ use warnings;
use OpenSSL::Test::Utils;
use File::Copy;
use File::Compare qw(compare);
use File::Compare qw(compare_text);
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_pkey");
@ -40,7 +40,7 @@ subtest "=== pkey typical en-/decryption (using AES256-CBC) ===" => sub {
ok(run(app([@app, '-in', $encrypted_key, '-out', $decrypted_key,
'-passin', $pass])),
"decrypt key");
is(compare($in_key, $decrypted_key), 0,
is(compare_text($in_key, $decrypted_key), 0,
"Same file contents after encrypting and decrypting in separate files");
};
@ -61,7 +61,7 @@ subtest "=== pkey handling of identical input and output files (using 3DES) and
ok(run(app([@app, '-in', $inout, '-out', $inout, '-passin', $pass])),
"decrypt using identical infile and outfile");
is(compare($in_key, $inout), 0,
is(compare_text($in_key, $inout), 0,
"Same file contents after encrypting and decrypting using same file");
};
@ -75,19 +75,19 @@ subtest "=== pkey handling of public keys (Ed25519) ===" => sub {
my $pub_out1 = 'pub1.pem';
ok(run(app([@app, '-in', $in_ed_key, '-pubout', '-out', $pub_out1])),
"extract public key");
is(compare($in_pubkey, $pub_out1), 0,
is(compare_text($in_pubkey, $pub_out1), 0,
"extracted public key is same as original public key");
my $pub_out2 = 'pub2.pem';
ok(run(app([@app, '-in', $in_pubkey, '-pubin', '-pubout', '-out', $pub_out2])),
"read public key from pubfile");
is(compare($in_pubkey, $pub_out2), 0,
is(compare_text($in_pubkey, $pub_out2), 0,
"public key read using pubfile is same as original public key");
my $pub_out3 = 'pub3.pem';
ok(run(app([@app, '-in', $in_ed_key, '-pubin', '-pubout', '-out', $pub_out3])),
"extract public key from pkey file with -pubin");
is(compare($in_pubkey, $pub_out3), 0,
is(compare_text($in_pubkey, $pub_out3), 0,
"public key extraced from pkey file with -pubin is same as original");
};
@ -108,7 +108,7 @@ subtest "=== pkey handling of DER encoding ===" => sub {
ok(run(app([@app, '-in', $der_out, '-inform', 'DER',
'-out', $pem_out])),
"read DER-encoded key");
is(compare($in_key, $pem_out), 0,
is(compare_text($in_key, $pem_out), 0,
"Same file contents after converting to DER and back");
};


@ -11,7 +11,7 @@ use strict;
use warnings;
use File::Copy;
use File::Compare qw/compare/;
use File::Compare qw/compare_text/;
use OpenSSL::Test qw(:DEFAULT data_file srctop_file);
use OpenSSL::Test::Utils;
@ -221,4 +221,4 @@ my $inout = "inout.pem";
copy($input, $inout);
ok(run(app(['openssl', 'dhparam', '-in', $inout, '-out', $inout])),
"identical infile and outfile");
ok(!compare($input, $inout), "converted file $inout did not change");
ok(!compare_text($input, $inout), "converted file $inout did not change");


@ -28,7 +28,7 @@ ok(run(app(['openssl', 'pkcs8', '-topk8', '-in', $inout,
ok(run(app(['openssl', 'pkcs8', '-in', $inout,
'-out', $inout, '-passin', 'pass:password'])),
"identical infile and outfile, from PKCS#8");
is(compare($pc5_key, $inout), 0,
is(compare_text($pc5_key, $inout), 0,
"Same file contents after converting forth and back");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',


@ -52,7 +52,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
$no_rc2 = 1 if disabled("legacy");
plan tests => 28;
plan tests => 30;
ok(run(test(["pkcs7_test"])), "test pkcs7");
@ -1398,3 +1398,65 @@ subtest "EdDSA tests for CMS \n" => sub {
"accept CMS verify with Ed25519");
}
};
subtest "ML-DSA tests for CMS \n" => sub {
plan tests => 2;
SKIP: {
skip "ML-DSA is not supported in this build", 2
if disabled("ml-dsa");
my $sig1 = "sig1.cms";
# draft-ietf-lamps-cms-ml-dsa: use SHA512 with ML-DSA
ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont,
"-certfile", $smroot, "-signer", catfile($smdir, "sm_mldsa44.pem"),
"-out", $sig1])),
"accept CMS signature with ML-DSA-44");
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
"-CAfile", $smroot, "-content", $smcont])),
"accept CMS verify with ML-DSA-44");
}
};
subtest "SLH-DSA tests for CMS \n" => sub {
plan tests => 6;
SKIP: {
skip "SLH-DSA is not supported in this build", 6
if disabled("slh-dsa");
my $sig1 = "sig1.cms";
# draft-ietf-lamps-cms-sphincs-plus: use SHA512 with SLH-DSA-SHA2
ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont,
"-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_sha2_128s.pem"),
"-out", $sig1])),
"accept CMS signature with SLH-DSA-SHA2-128s");
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
"-CAfile", $smroot, "-content", $smcont])),
"accept CMS verify with SLH-DSA-SHA2-128s");
# draft-ietf-lamps-cms-sphincs-plus: use SHAKE128 with SLH-DSA-SHAKE-128*
ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake128", "-in", $smcont,
"-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_128s.pem"),
"-out", $sig1])),
"accept CMS signature with SLH-DSA-SHAKE-128s");
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
"-CAfile", $smroot, "-content", $smcont])),
"accept CMS verify with SLH-DSA-SHAKE-128s");
# draft-ietf-lamps-cms-sphincs-plus: use SHAKE256 with SLH-DSA-SHAKE-256*
ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake256", "-in", $smcont,
"-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_256s.pem"),
"-out", $sig1])),
"accept CMS signature with SLH-DSA-SHAKE-256s");
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1,
"-CAfile", $smroot, "-content", $smcont])),
"accept CMS verify with SLH-DSA-SHAKE-256s");
}
};
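Review bot: the SLH-DSA subtest exercises `-md shake128` and `-md shake256` only through a successful sign/verify round trip; since SHAKE has no default output length, the important property is the digest length actually written into the CMS digestAlgorithm, so add a check (for example `cms -cmsout -print` on $sig1) that the encoded digest algorithm is the one the draft requires, otherwise a regression in the length handling would still verify against itself. Also note that $sig1 is reused by every pair in this subtest, so the tests are order-dependent by design.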

test/smime-certs/mksmime-certs.sh Normal file → Executable file

@ -1,5 +1,5 @@
#!/bin/sh
# Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -67,3 +67,16 @@ gen smdh.pem "/CN=Test SMIME EE DH" dh_cert >>smdh.pem
# EE RSA code signing end entity certificate with respective extensions
cp ../certs/ee-key.pem csrsa1.pem
gen csrsa1.pem "/CN=Test CodeSign EE RSA" codesign_cert >>csrsa1.pem
# Create PQ certificates with respective extensions
$OPENSSL genpkey -algorithm ML-DSA-44 -out sm_mldsa44.pem
gen sm_mldsa44.pem "/CN=Test SMIME EE ML-DSA-44" signer_cert >>sm_mldsa44.pem
$OPENSSL genpkey -algorithm SLH-DSA-SHA2-128s -out sm_slhdsa_sha2_128s.pem
gen sm_slhdsa_sha2_128s.pem "/CN=Test SMIME EE SLH-DSA-SHA2-128s" \
signer_cert >>sm_slhdsa_sha2_128s.pem
$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-128s -out sm_slhdsa_shake_128s.pem
gen sm_slhdsa_shake_128s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-128s" \
signer_cert >>sm_slhdsa_shake_128s.pem
$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-256s -out sm_slhdsa_shake_256s.pem
gen sm_slhdsa_shake_256s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-256s" \
signer_cert >>sm_slhdsa_shake_256s.pem
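Review bot: the new `$OPENSSL genpkey -algorithm ML-DSA-44` and `SLH-DSA-*` calls run unconditionally, while the CMS tests that consume these fixtures skip when `ml-dsa` or `slh-dsa` is disabled, so regenerating the fixtures with such a build fails at these lines; either guard them or document that a build with both algorithms enabled is required. Minor: the comment `# Create PQ certificates with respective extensions` could name the profile being applied (`signer_cert`) the way the code-signing comment above names `codesign_cert`.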

View file

@ -0,0 +1,99 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHYzCCBkugAwIBAgIUTrKnsAj5Isy6498h/MK7WAAxIQEwDQYJKoZIhvcNAQEL
BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw
MzE4MDgzMjE4WjAiMSAwHgYDVQQDDBdUZXN0IFNNSU1FIEVFIE1MLURTQS00NDCC
BTIwCwYJYIZIAWUDBAMRA4IFIQB2edpY3yvxDFWBUVKLO5b6xnTOqUJQ4zkcUPRF
iea54lR2/8XNOhJQ4oWszhrbSHpB1+DZ76n1tez5wc6N5X6s3BEOsp+IPj8W8D7F
ppWAqoCvbHHflfEVh8mvy4MtPUVGf6XoIl9QgV/afzTZGec+G7GytiEHNBhld2Yq
POfKPP/IK9mPbnFcPUpPscbHX84TFq8IM6VLgoFnakbQuID/G71nPTFo9f4k3EcT
kVGIQnWK4lgQW+1WDh8yamFnvg+Du111jA1/c5So3EH++DJDspq03/ALgbMOROuN
zSYPt6w6EVnqyx8sTWL52lQGx23Q0T8H0WtITz0KbGjgrOsfkrR1qL7DXP8aC83i
LKMZMitt1OpsKngyBRdQ3fuBOU/bYkmyaWnMR2MuC40XNnKzd41IpO2mjAOyVhe+
WlhDgABOzsxOjC/WI0oHYTOewTSsjqQhNYU513poeyC5g00QrJYt5HqCwvlPRCb8
wCsc4ahj+NIdVCOR9KrPh0aXVqQn/Yz7njL76tzQezX7gaoSr3vhr6eQ8In/75bD
UFRVSJW/6A0sVnQXc4dKyHQQMl9vVTWvoeM8njgMrwHsUT0fjKdJQQGetKGKl1YL
L9kTnHMem8Zo1gwhs51iecIzj9hwN54ZoawidJy0CNt81Pzin0OaqH8MuI8/RaYy
3LYMgswpsAXpwYHRY9R4BzrvVXLlNusuba4fHK6x5shr2pDFKe6CJOl5OgsIp9nY
7+YkIuqOXEMtPrLFNkpgReN0Wj8i5+kNm6V4rviF5Bo67d3dNeIK68O+ZJQditdr
wixBwhshLTZNp6UzYUJ7ZrfIZoj4wOyDEzWLO9Je1J3bcJzRUVt2hH/DN/Buslrj
2md4X/MYJjAGQyzBYVVxf9HIH409JPOlb/J4uhL7oeTymdD14wtf2khZRq28kheO
I3169hxfQo2sq05Me93J/nAglPXstMIPLKIW//544tkluzjn0CoCaHH6nS749TmM
4QcEQ3ttPy7PmhjAJii+tJ08OoMdVwZ2UWH8R5FwEN4sF0Yb4CeM18AjWS45QNBR
GDDOoCCN9BnnblyKd697L99KvhrQTy0v9XNXH6BFzuuAyPQ5khlgnlsSJyMhnTMo
Zeh8WCu+zC7+z4vEAYJlMRVmKMIPH/GqPkNDhxTMc+FSsKSjEOfkZQh1JZ38oOdO
RM4FJ4htsMHpn2g8OQuGSgUQo5dyqLpB8k/6sY//pGua3Y/PGjeBdYpydTUzAprU
YMuFxVe+ymDSpQrB9OALRe9UwPbiUtaVJHlRchX7H1YB+RX6zywHH2sTD5NQfcwm
3/To0Fe1Xw3dVczekXqN246GetDMwy4RYp1RsPIBRICaAwGEuDs1gX9aM5tLLaw1
3RpF76+JruAICXZ2v8Q7wHZkM+MPZ6E4/l4zjXk5PJM/R3SfuOdQiEICbmmp8GL8
c3Scu8Pi4TSvq0ajrpnKo//aNPaVJI3DQWDQf6+h29QyHqrbpjZ2nkrMmT34aVUl
R0XI95qdjAB4U7neWx3AZVQd+MhP76aXvB/DvefVfnGOn2hQQd77VC9EB7FwTk5l
m+DGBzzI1C5nKTfeTIeTdG69VB5BmU/AitRzu90X3ef2IrMuL+kIzWsPFixaqRX5
7WFHx76mwanDgxgHgbNh5/AuVHT4nJ2bBe+U2fR2Q+ggVWwjs+gGUZLLby8FLOl/
WRrb2shpJIs8yl6ReeaMj9j3NlpHQ8ETfslf3g0f1kPLJBrWo10wWzAJBgNVHRME
AjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUlJUkGXaMnS/r8k6VzIDQ3EcK
TBQwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQEL
BQADggEBAEgW7XK6cZJcSdRTIuRTbZ9ssJZj6WwLYJmygldKQg6hnYWpPYLNCxqb
AOO2xicCa9hv3HkgvyYK1tqbwFtuef/KSk+wOlDfgqtFVryVyK0js3x5r3mpCbmk
5ihpTIuSVTgMCFlx4AXgLZGacei7hvCCP05bnhUvQmdu96bKnwlxvjLHgn3X5Cfw
+7b0q60oZTkOn4PStVnuOVTgLzs6Ta/KHh5M9OVVyEsRz2m3lmG2idXX/pTWXkE3
VNSJCepP45RBFuxPSeEHW4EM/JPDqhBY5H19NHxcM42uXDykpR1ChSIhKruzjijA
wme8H314QJnFKfUcGNNrNN/dElirhmU=
-----END CERTIFICATE-----

View file

@ -0,0 +1,19 @@
-----BEGIN PRIVATE KEY-----
MFICAQAwCwYJYIZIAWUDBAMUBECT5RmZe6OO8vsKNkthvx+UPRB8d7wbvTJB1UgM
zLwGZWYszdtLdA++kdkjuW5vJNeZVVKuVhhsqT7/bm5Rdz2I
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View file

@ -0,0 +1,19 @@
-----BEGIN PRIVATE KEY-----
MFICAQAwCwYJYIZIAWUDBAMaBEBtEDfB3z2GkApieWwYEcUwym4LqAn+f3ekIXpy
3Ih301cGLuxKkbFlC18GqkEFy2hrtjlDrRImYToCJ1S4HlzY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View file

@ -0,0 +1,22 @@
-----BEGIN PRIVATE KEY-----
MIGTAgEAMAsGCWCGSAFlAwQDHgSBgG4ItImtx5rfHYI99Xo2Wl4PSpqyeMaZrjtW
QYKovvW2pKvcIc4Re7OnKKHMjIvow/1TaRQUHRUQQFQC/DygeacNpVdWjGZ1/jnc
D0XfWgfvX0KwATwmXO9NM7Rq7B5OZ1uyykT3e8mPhn5afbRkNvfhKgID07Ukiz1c
/6XQf7nU
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

View file

@ -12588,8 +12588,25 @@ struct quic_tls_test_data {
size_t params_len;
int alert;
int err;
int forcefail;
};
static int clientquicdata = 0xff, serverquicdata = 0xfe;
static int check_app_data(SSL *s)
{
int *data, *comparedata;
/* Check app data works */
data = (int *)SSL_get_app_data(s);
comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;
if (!TEST_true(comparedata == data))
return 0;
return 1;
}
static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
size_t *consumed, void *arg)
{
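Review bot: `TEST_true(comparedata == data)` in check_app_data reports only a boolean when it fails; `TEST_ptr_eq(data, comparedata)` prints both pointers, which makes a mismatch (a callback handed the wrong SSL object, or app data never set) much easier to diagnose. The `/* Check app data works */` comment could also say what is being verified: that the SSL passed to each QUIC TLS callback is the one the app data was set on.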
@ -12598,6 +12615,11 @@ static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
size_t max_len = sizeof(peer->rcd_data[data->wenc_level])
- peer->rcd_data_len[data->wenc_level];
if (!check_app_data(s)) {
data->err = 1;
return 0;
}
if (buf_len > max_len)
buf_len = max_len;
@ -12618,6 +12640,11 @@ static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
{
struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
if (!check_app_data(s)) {
data->err = 1;
return 0;
}
*bytes_read = data->rcd_data_len[data->renc_level];
*buf = data->rcd_data[data->renc_level];
return 1;
@ -12627,6 +12654,18 @@ static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
{
struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
if (!check_app_data(s)) {
data->err = 1;
return 0;
}
/* See if we need to force a failure in this callback */
if (data->forcefail) {
data->forcefail = 0;
data->err = 1;
return 0;
}
if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
|| !TEST_size_t_gt(bytes_read, 0)) {
data->err = 1;
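Review bot: the forced failure reuses `data->err = 1`, the same flag that marks genuine callback errors, which is why the caller later has to clear `sdata.err` by hand; recording the injected failure in its own field (or leaving `err` untouched here and asserting on `forcefail` having been consumed) would keep real errors distinguishable from the injected one. The comment `/* See if we need to force a failure in this callback */` would also benefit from noting that `forcefail` is cleared so only the first release callback fails.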
@ -12643,6 +12682,9 @@ static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
{
struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
if (!check_app_data(s))
goto err;
if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
|| prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
goto err;
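Review bot: the new check_app_data failure in yield_secret_cb jumps to `err` instead of setting `data->err = 1` inline as the other callbacks do; confirm that the `err` label sets `data->err`, otherwise an app-data mismatch here would fail the handshake without tripping the cleanup check on `sdata.err` / `cdata.err`.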
@ -12680,6 +12722,11 @@ static int got_transport_params_cb(SSL *s, const unsigned char *params,
{
struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
if (!check_app_data(s)) {
data->err = 1;
return 0;
}
if (!TEST_size_t_le(params_len, sizeof(data->params))) {
data->err = 1;
return 0;
@ -12695,14 +12742,22 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
{
struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
if (!check_app_data(s)) {
data->err = 1;
return 0;
}
data->alert = 1;
return 1;
}
/*
* Test the QUIC TLS API
* Test 0: Normal run
* Test 1: Force a failure
* Test 3: Use a CCM based ciphersuite
*/
static int test_quic_tls(void)
static int test_quic_tls(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
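Review bot: the function comment lists `Test 3: Use a CCM based ciphersuite`, but the body selects the CCM suite with `idx == 2` and the test is registered with a count of 3 (indices 0..2), so the comment should read `Test 2`.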
@ -12733,6 +12788,8 @@ static int test_quic_tls(void)
memset(&cdata, 0, sizeof(cdata));
sdata.peer = &cdata;
cdata.peer = &sdata;
if (idx == 1)
sdata.forcefail = 1;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_3_VERSION, 0,
@ -12743,6 +12800,20 @@ static int test_quic_tls(void)
NULL)))
goto end;
/* Reset the BIOs we set in create_ssl_objects. We should not need them */
SSL_set_bio(serverssl, NULL, NULL);
SSL_set_bio(clientssl, NULL, NULL);
if (idx == 2) {
if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
|| !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
goto end;
}
if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
|| !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
goto end;
if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
|| !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
|| !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
@ -12751,8 +12822,17 @@ static int test_quic_tls(void)
sizeof(sparams))))
goto end;
if (idx != 1) {
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
} else {
/* We expect this connection to fail */
if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
testresult = 1;
sdata.err = 0;
goto end;
}
/* Check no problems during the handshake */
if (!TEST_false(sdata.alert)
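Review bot: in the `idx == 1` branch `sdata.err` is cleared without first being checked, so a handshake that fails for a reason other than the injected release-callback failure still passes; add `if (!TEST_true(sdata.err) || !TEST_false(cdata.err)) goto end;` before resetting it so the test proves the failure came from `forcefail`.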
@ -12790,6 +12870,10 @@ static int test_quic_tls(void)
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
/* Check that we didn't suddenly hit an unexpected failure during cleanup */
if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
testresult = 0;
return testresult;
}
@ -12861,7 +12945,15 @@ static int test_quic_tls_early_data(void)
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
&clientssl, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, sess)))
return 0;
goto end;
/* Reset the BIOs we set in create_ssl_objects. We should not need them */
SSL_set_bio(serverssl, NULL, NULL);
SSL_set_bio(clientssl, NULL, NULL);
if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
|| !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
goto end;
if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
|| !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
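Review bot: changing the error path from `return 0` to `goto end` stops the contexts and session created above from leaking when object creation fails; good. The `SSL_set_bio(..., NULL, NULL)` plus `SSL_set_app_data` sequence is now duplicated verbatim from test_quic_tls, so a small shared helper would keep the two tests in sync.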
@ -12877,15 +12969,15 @@ static int test_quic_tls_early_data(void)
SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);
if (!TEST_int_eq(SSL_connect(clientssl), 0)
|| !TEST_int_eq(SSL_accept(serverssl), 0)
if (!TEST_int_eq(SSL_connect(clientssl), -1)
|| !TEST_int_eq(SSL_accept(serverssl), -1)
|| !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
|| !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
|| !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
goto end;
/* Check the encryption levels are what we expect them to be */
if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY)
if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
|| !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
|| !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
|| !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
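Review bot: now that SSL_connect/SSL_accept are expected to return `-1`, pass that return value (or the captured result) to `SSL_get_error` rather than the literal `0`, since SSL_get_error's contract is to be given the return value of the preceding call. The expected server read level also moves from EARLY to HANDSHAKE; a short comment explaining why the server is already reading at the handshake level at this point while the client still writes at the early level would spare the next reader from reconstructing it from the behaviour change.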
@ -13267,7 +13359,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_alpn, 4);
#if !defined(OSSL_NO_USABLE_TLS1_3)
ADD_TEST(test_quic_tls);
ADD_ALL_TESTS(test_quic_tls, 3);
ADD_TEST(test_quic_tls_early_data);
#endif
return 1;