Avoid erroneous legacy code path when provided

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27075)

(cherry picked from commit 27b88364e4)

.gitattributes

@@ -2,8 +2,6 @@
 *.der binary
 /fuzz/corpora/** binary
 *.pfx binary
-test/recipes/15-test_ml_dsa_codecs_data/*.dat   binary
-test/recipes/15-test_ml_kem_codecs_data/*.dat binary
 
 # For git archive
 fuzz/corpora/**                         export-ignore

.github/dependabot.yml

@@ -4,12 +4,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-    commit-message:
-      prefix: "Dependabot update\n\nCLA: trivial\n\n"
-      include: "scope"
-    labels:
-      - "dependencies"
-      - "cla: trivial"
-      - "approval: review pending"
-    reviewers:
-      - "openssl/committers"
+      commit-message:
+        prefix: "Dependabot update\n\nCLA: trivial\n\n"
+        include: "scope"
+      labels:
+        - "dependencies"
+        - "cla: trivial"
+        - "approval: review pending"
+        - "approval: otc review pending"
+      reviewers:
+        - "openssl/committers"

.github/workflows/build_quic_interop_container.yml

@@ -1,25 +0,0 @@
-name: "Build openssl interop container from master"
-
-on:
-  schedule:
-    - cron:  '40 02 * * *'
-  workflow_dispatch:
-
-jobs:
-  update_quay_container:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-         fetch-depth: 0
-      - name: "log in to quay.io"
-        run: |
-          docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
-      - name: "Build container"
-        run: |
-          cd test/quic-openssl-docker/
-          docker build -t quay.io/openssl-ci/openssl-quic-interop:latest .
-      - name: "Push to quay"
-        run: |
-          docker push quay.io/openssl-ci/openssl-quic-interop:latest
-

.github/workflows/ci.yml

@@ -69,7 +69,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: config
-      run: CPPFLAGS='-ansi -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips --strict-warnings && perl configdata.pm --dump
+      run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
     - name: make
       run: make -s -j4
 
@@ -81,12 +81,9 @@ jobs:
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: localegen
       run: sudo locale-gen tr_TR.UTF-8
-    - name: fipsvendor
-      # Make one fips build use a customized FIPS vendor
-      run: echo "FIPS_VENDOR=CI" >> VERSION.dat
     - name: config
       # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
-      run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-sslkeylog enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
+      run: CC=gcc ./config --banner=Configured enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -95,9 +92,6 @@ jobs:
         ./util/opensslwrap.sh version -c
     - name: make test
       run: .github/workflows/make-test
-    - name: check fipsvendor
-      run: |
-        util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$'
     - name: save artifacts
       uses: actions/upload-artifact@v4
       with:
@@ -111,7 +105,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: CC=clang ./config --banner=Configured enable-demos enable-h3demo no-fips --strict-warnings && perl configdata.pm --dump
+      run: CC=clang ./config --banner=Configured no-fips --strict-warnings && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -131,7 +125,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: config
-      run: ./config enable-demos enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+      run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
     - name: config dump
       run: ./configdata.pm --dump
     - name: make
@@ -196,7 +190,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
     - name: make
       run: make -j4 # verbose, so no -s here
     - name: get cpu info
@@ -218,7 +212,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-deprecated enable-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -240,7 +234,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -266,7 +260,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -292,7 +286,7 @@ jobs:
         sudo cat /proc/sys/vm/mmap_rnd_bits
         sudo sysctl -w vm.mmap_rnd_bits=28
     - name: config
-      run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump
+      run: ./config --banner=Configured --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -318,7 +312,7 @@ jobs:
         sudo cat /proc/sys/vm/mmap_rnd_bits
         sudo sysctl -w vm.mmap_rnd_bits=28
     - name: config
-      run: ./config --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -372,7 +366,7 @@ jobs:
         sudo sysctl -w vm.mmap_rnd_bits=28
     - name: config
       # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
-      run: CC=clang ./config --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips no-slh-dsa && perl configdata.pm --dump
+      run: CC=clang ./config --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -422,7 +416,7 @@ jobs:
     - name: modprobe tls
       run: sudo modprobe tls
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -452,7 +446,7 @@ jobs:
     - name: install extra config support
       run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -474,7 +468,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured --strict-warnings enable-demos enable-h3demo no-legacy enable-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured --strict-warnings no-legacy enable-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -496,7 +490,7 @@ jobs:
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
-      run: ./config --banner=Configured -Werror --debug no-afalgeng enable-demos enable-h3demo no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump
+      run: ./config --banner=Configured -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
     - name: get cpu info
@@ -533,7 +527,7 @@ jobs:
         mkdir ./install
     - name: config
       run: |
-        ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
+        ../source/config --banner=Configured enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
         perl configdata.pm --dump
       working-directory: ./build
     - name: make
@@ -577,7 +571,7 @@ jobs:
         mkdir ./install
     - name: config
       run: |
-        ../source/config --banner=Configured enable-fips enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
+        ../source/config --banner=Configured enable-fips enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
         perl configdata.pm --dump
       working-directory: ./build
     - name: make
@@ -600,7 +594,7 @@ jobs:
       run: make install
       working-directory: ./build
 
-  external-tests-misc:
+  external-tests:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -609,7 +603,7 @@ jobs:
     - name: package installs
       run: |
         sudo apt-get update
-        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy gdb
+        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
     - name: install cpanm and Test2::V0 for gost_engine testing
       uses: perl-actions/install-with-cpanm@stable
       with:
@@ -620,7 +614,6 @@ jobs:
       run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
     - name: make
       run: make -s -j4
-    - uses: dtolnay/rust-toolchain@stable
     - name: get cpu info
       run: |
         cat /proc/cpuinfo
@@ -629,41 +622,12 @@ jobs:
       run: make test TESTS="test_external_gost_engine"
     - name: test external krb5
       run: make test TESTS="test_external_krb5"
-    - name: test external tlsfuzzer
+    - name: test external_tlsfuzzer
       run: make test TESTS="test_external_tlsfuzzer"
-    - name: test external Cloudflare quiche
-      run: make test TESTS="test_external_cf_quiche" VERBOSE=1
-    - name: test ability to produce debuginfo files
-      run: |
-        make debuginfo
-        gdb < <(echo -e "file ./libcrypto.so.3\nquit") > ./results
-        grep -q "Reading symbols from.*libcrypto\.so\.3\.debug" results
-
-  external-tests-providers:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - name: package installs
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq install meson pkg-config gnutls-bin libnss3-tools libnss3-dev libsofthsm2 opensc expect
-    - name: config
-      run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
     - name: test external oqs-provider
       run: make test TESTS="test_external_oqsprovider"
-    # Disabled temporarily: https://github.com/latchset/pkcs11-provider/pull/525#discussion_r1982805969
-    # - name: test external pkcs11-provider
-    #   run: make test TESTS="test_external_pkcs11_provider" VERBOSE=1
 
-  external-tests-pyca:
+  external-test-pyca:
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -692,3 +656,21 @@ jobs:
         ./util/opensslwrap.sh version -c
     - name: test external pyca
       run: make test TESTS="test_external_pyca" VERBOSE=1
+
+  external-test-cf-quiche:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: recursive
+    - name: Configure OpenSSL
+      run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - uses: dtolnay/rust-toolchain@stable
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: test external Cloudflare quiche
+      run: make test TESTS="test_external_cf_quiche" VERBOSE=1

.github/workflows/compiler-zoo.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy

.github/workflows/coveralls.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -7,74 +7,34 @@
 
 name: Coverage
 
+# Run once a day
 on:
   schedule:
-    - cron: '15 02 * * *'
-  workflow_dispatch:
-    inputs:
-      branch:
-        description: Branch to measure coverage
-        required: true
-        default: master
-      extra_config:
-        description: Extra options for configuration script
-        default: ""
+    - cron:  '49 0 * * *'
 
 permissions:
   contents: read
 
 jobs:
-  define-matrix:
-    runs-on: ubuntu-latest
-    outputs:
-      branches: ${{ steps.branches.outputs.branches }}
-    steps:
-      - name: Define branches
-        id: branches
-        run: |
-          if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
-          MATRIX=$(cat << EOF
-          [{
-            "branch": "${{ github.event.inputs.branch }}",
-            "extra_config": "${{ github.event.inputs.extra_config }}"
-          }]
-          EOF
-          )
-          else
-          MATRIX=$(cat << EOF
-          [{
-              "branch": "openssl-3.4",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.3",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.2",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.1",
-              "extra_config": "no-afalgeng enable-fips"
-            }, {
-              "branch": "openssl-3.0",
-              "extra_config": "no-afalgeng enable-fips"
-            }, {
-              "branch": "master",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-          }]
-          EOF
-          )
-          fi
-          echo "branches<<EOF"$'\n'"$MATRIX"$'\n'EOF >> "$GITHUB_OUTPUT"
-
   coverage:
-    needs: define-matrix
     permissions:
       checks: write     # for coverallsapp/github-action to create new checks
       contents: read    # for actions/checkout to fetch code
     strategy:
       fail-fast: false
       matrix:
-        branches: ${{ fromJSON(needs.define-matrix.outputs.branches) }}
+        branches: [
+          {
+            branch: openssl-3.1,
+            extra_config: no-afalgeng enable-fips
+          }, {
+            branch: openssl-3.0,
+            extra_config: no-afalgeng enable-fips
+          }, {
+            branch: master,
+            extra_config: no-afalgeng enable-fips enable-tfo
+          }
+        ]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -106,13 +66,14 @@ jobs:
         cat /proc/cpuinfo
         ./util/opensslwrap.sh version -c
     - name: make test
-      run: make test TESTS='-test_external_krb5' EVP_TEST_EXTENDED=1
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5'
     - name: generate coverage info
       run: lcov -d . -c
              --exclude "${PWD}/test/*"
+             --exclude "${PWD}/test/helpers/*"
+             --exclude "${PWD}/test/testutil/*"
              --exclude "${PWD}/fuzz/*"
              --exclude "/usr/include/*"
-             --ignore-errors mismatch
               -o ./lcov.info
     - name: Coveralls upload
       uses: coverallsapp/github-action@v2.3.2

.github/workflows/cross-compiles.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -50,31 +50,25 @@ jobs:
           }, {
             arch: aarch64-linux-gnu,
             libs: libc6-dev-arm64-cross,
-            target: linux-aarch64,
-            fips: no
+            target: linux-aarch64
           }, {
             arch: alpha-linux-gnu,
             libs: libc6.1-dev-alpha-cross,
-            target: linux-alpha-gcc,
-            fips: no
+            target: linux-alpha-gcc
           }, {
             arch: arm-linux-gnueabi,
             libs: libc6-dev-armel-cross,
             target: linux-armv4,
-            fips: no,
             tests: -test_includes -test_store -test_x509_store
           }, {
             arch: arm-linux-gnueabihf,
             libs: libc6-dev-armhf-cross,
             target: linux-armv4,
-            fips: no,
             tests: -test_includes -test_store -test_x509_store
           }, {
-            # gcc hppa seems to have some potential compiler issues
-            # with -O2 on this platform, reduce optimization to -01
             arch: hppa-linux-gnu,
             libs: libc6-dev-hppa-cross,
-            target: -static -O1 linux-generic32,
+            target: -static linux-generic32,
             fips: no,
             tests: -test_includes -test_store -test_x509_store
           }, {
@@ -98,28 +92,23 @@ jobs:
             arch: mipsel-linux-gnu,
             libs: libc6-dev-mipsel-cross,
             target: linux-mips32,
-            fips: no,
             tests: -test_includes -test_store -test_x509_store
           }, {
             arch: powerpc64le-linux-gnu,
             libs: libc6-dev-ppc64el-cross,
-            target: linux-ppc64le,
-            fips: no
+            target: linux-ppc64le
           }, {
             arch: riscv64-linux-gnu,
             libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no
+            target: linux64-riscv64
           }, {
             arch: s390x-linux-gnu,
             libs: libc6-dev-s390x-cross,
-            target: linux64-s390x -Wno-stringop-overflow,
-            fips: no
+            target: linux64-s390x -Wno-stringop-overflow
           }, {
             arch: sh4-linux-gnu,
             libs: libc6-dev-sh4-cross,
             target: no-async linux-latomic,
-            fips: no,
             tests: -test_includes -test_store -test_x509_store
           },
 

.github/workflows/interop-tests.yml

@@ -6,14 +6,12 @@
 name: Interoperability tests with GnuTLS and NSS
 on:
   schedule:
-    - cron: '55 02 * * *'
-  workflow_dispatch:
-
+    - cron: '0 6 * * *'
 jobs:
   test:
     runs-on: ubuntu-22.04
     container:
-      image: docker.io/fedora:40
+      image: docker.io/fedora:39
       options: --sysctl net.ipv6.conf.lo.disable_ipv6=0
     timeout-minutes: 90
     strategy:
@@ -50,6 +48,6 @@ jobs:
       - name: Run interop tests
         run: |
           cd interop
-          tmt run -av plans -n interop tests -f "tag: interop-openssl & tag: interop-$COMPONENT" provision -h local --feeling-safe execute -h tmt --interactive
+          tmt run -av plans -n interop tests -f "tag: interop-openssl & tag: interop-$COMPONENT" provision -h local execute -h tmt --interactive
           openssl version
           echo "Finished - important to prevent unwanted output truncating"

.github/workflows/make-release.yml

@@ -38,5 +38,4 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
       run: |
         VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
-        PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
-        gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
+        gh release create ${{ github.ref_name }} -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*

.github/workflows/make-test

@@ -38,6 +38,6 @@ echo "Test suite exited with $RESULT, artifacts path is $OSSL_CI_ARTIFACTS_PATH"
 echo "::endgroup::"
 
 echo "Archive artifacts"
-tar -czf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH
+tar -czvf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH
 
 exit $RESULT

.github/workflows/os-zoo.yml

@@ -9,8 +9,7 @@ name: OS Zoo CI
 
 on:
   schedule:
-    - cron: '50 02 * * *'
-  workflow_dispatch:
+    - cron: '0 5 * * *'
 
 permissions:
   contents: read
@@ -22,23 +21,23 @@ jobs:
       matrix:
         tag: [edge, latest]
         cc: [gcc, clang]
+        branch: [openssl-3.0, openssl-3.1, master]
     runs-on: ubuntu-latest
     container:
       image: docker.io/library/alpine:${{ matrix.tag }}
     env:
-      # See https://www.openwall.com/lists/musl/2022/02/16/14
-      # for the reason why -Wno-sign-compare is needed with clang
-      # -Wno-stringop-overflow is needed to silence a bogus
-      # warning on new fortify-headers with gcc
-      EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || matrix.tag == 'edge' && '-Wno-stringop-overflow' || '' }}
+      # https://www.openwall.com/lists/musl/2022/02/16/14
+      EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || '' }}
       CC: ${{ matrix.cc }}
     steps:
     - name: install packages
       run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }}
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.branch }}
     - name: config
       run: |
-        ./config --banner=Configured no-shared -Wall -Werror enable-fips --strict-warnings \
+        ./config --banner=Configured no-shared -Wall -Werror enable-fips --strict-warnings -DOPENSSL_USE_IPV6=0 \
                  ${EXTRA_CFLAGS}
     - name: config dump
       run: ./configdata.pm --dump
@@ -55,6 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        branch: [openssl-3.0, openssl-3.1, master]
         zoo:
           - image: docker.io/library/debian:10
             install: apt-get update && apt-get install -y gcc make perl
@@ -83,6 +83,8 @@ jobs:
     container: ${{ matrix.zoo.image }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.branch }}
     - name: install packages
       run: ${{ matrix.zoo.install }}
     - name: config
@@ -102,10 +104,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        branch: [openssl-3.0, openssl-3.1, master]
         os: [macos-13, macos-14, macos-15]
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.branch }}
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - name: config
@@ -125,10 +130,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        branch: [openssl-3.0, openssl-3.1, master]
         os: [windows-2019, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ matrix.branch }}
     - name: checkout fuzz/corpora submodule
       run: git submodule update --init --depth 1 fuzz/corpora
     - uses: ilammy/msvc-dev-cmd@v1
@@ -174,40 +182,6 @@ jobs:
     - name: make test
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
 
-  linux-ppc64le:
-    runs-on: linux-ppc64le
-    steps:
-    - uses: actions/checkout@v4
-    - name: config
-      run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  linux-s390x:
-    runs-on: linux-s390x
-    steps:
-    - uses: actions/checkout@v4
-    - name: config
-      run: ./config enable-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
   freebsd-x86_64:
     runs-on: ubuntu-latest
     steps:

.github/workflows/prov-compat-label.yml

@@ -125,10 +125,6 @@ jobs:
             name: openssl-3.3,
             dir: branch-3.3,
             tgz: branch-3.3.tar.gz,
-          }, {
-            name: openssl-3.4,
-            dir: branch-3.4,
-            tgz: branch-3.4.tar.gz,
           }, {
             name: master,
             dir: branch-master,
@@ -197,14 +193,12 @@ jobs:
         # Note that releases are not used as a test environment for
         # later providers.  Problems in these situations ought to be
         # caught by cross branch testing before the release.
-        tree_a: [ branch-3.4, branch-3.3, branch-3.2, branch-3.1, branch-3.0,
+        tree_a: [ branch-master, branch-3.3, branch-3.2, branch-3.1, branch-3.0,
                   openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
         tree_b: [ PR ]
         include:
           - tree_a: PR
             tree_b: branch-master
-          - tree_a: PR
-            tree_b: branch-3.4
           - tree_a: PR
             tree_b: branch-3.3
           - tree_a: PR

.github/workflows/provider-compatibility.yml

@@ -10,15 +10,12 @@
 
 name: Provider compatibility across versions
 
-# Please note there is no point in running this job on PR as the tests
-# will always run against the tips of the branches in the main repository
-# and not the branch from the PR.
-# Use the `extended tests` label to run provider compatibility checks
-# on PRs.
-on:
+# NOTE: if this is being run on pull_request, it will **not** use the pull
+#       request's branch.  It is hardcoded to use the master branch.
+#
+on: #[pull_request]
   schedule:
-    - cron: '10 02 * * *'
-  workflow_dispatch:
+    - cron: '0 15 * * *'
 
 permissions:
   contents: read
@@ -34,7 +31,7 @@ jobs:
           # Formally released versions should be added here.
           #     `dir' it the directory inside the tarball.
           #     `tgz' is the name of the tarball.
-          #     `url' is the download URL.
+          #     `utl' is the download URL.
           {
             dir: openssl-3.0.0,
             tgz: openssl-3.0.0.tar.gz,
@@ -119,18 +116,6 @@ jobs:
             name: openssl-3.1,
             dir: branch-3.1,
             tgz: branch-3.1.tar.gz,
-          }, {
-            name: openssl-3.2,
-            dir: branch-3.2,
-            tgz: branch-3.2.tar.gz,
-          }, {
-            name: openssl-3.3,
-            dir: branch-3.3,
-            tgz: branch-3.3.tar.gz,
-          }, {
-            name: openssl-3.4,
-            dir: branch-3.4,
-            tgz: branch-3.4.tar.gz,
           }, {
             name: master,
             dir: branch-master,
@@ -202,11 +187,9 @@ jobs:
         # Note that releases are not used as a test environment for
         # later providers.  Problems in these situations ought to be
         # caught by cross branch testing before the release.
-        tree_a: [ branch-master, branch-3.4, branch-3.3,
-                  branch-3.2, branch-3.1, branch-3.0,
+        tree_a: [ branch-master, branch-3.1, branch-3.0,
                   openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
-        tree_b: [ branch-master, branch-3.4, branch-3.3,
-                  branch-3.2, branch-3.1, branch-3.0  ]
+        tree_b: [ branch-master, branch-3.1, branch-3.0  ]
     steps:
       - name: early exit checks
         id: early_exit

.github/workflows/run-checker-ci.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -27,12 +27,10 @@ jobs:
           no-dtls,
           no-ec,
           no-ecx,
-          no-ml-dsa,
-          no-ml-kem,
           no-http,
           no-legacy,
           no-sock,
-          no-ssl-trace,
+          enable-ssl-trace,
           no-stdio,
           no-threads,
           no-thread-pool,

.github/workflows/run-checker-daily.yml

@@ -1,4 +1,4 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -10,9 +10,7 @@ name: Run-checker daily
 
 on:
   schedule:
-    - cron: '30 02 * * *'
-  workflow_dispatch:
-
+    - cron: '0 6 * * *'
 permissions:
   contents: read
 
@@ -45,12 +43,12 @@ jobs:
           no-cmac,
           no-comp,
           enable-crypto-mdebug,
+          no-crypto-mdebug,
           enable-crypto-mdebug-backtrace,
-          no-ct,
-          enable-demos,
+          no-crypto-mdebug-backtrace,
           no-deprecated,
           no-des,
-#          enable-devcryptoeng,  # Cannot work on Linux
+          no-devcryptoeng,
           no-docs,
           no-dsa,
           no-dtls1,
@@ -60,24 +58,25 @@ jobs:
           no-ecdh,
           no-ecdsa,
           enable-ec_nistp_64_gcc_128,
+          no-ec_nistp_64_gcc_128,
           enable-egd,
+          no-egd,
           no-engine,
-#          enable-external-tests,  # Requires extra setup
+          no-external-tests,
           enable-fips,
           enable-fips enable-acvp-tests,
           enable-fips no-tls1_3,
-          enable-fips no-des no-dsa no-ec2m,
-#          enable-fuzz-afl,        # Requires extra setup
-#          enable-fuzz-libfuzzer,  # Requires extra setup
+          no-fuzz-afl,
+          no-fuzz-libfuzzer,
           no-gost,
-          enable-h3demo,
           enable-heartbeats,
-          enable-hqinterop,
+          no-heartbeats,
           no-hw,
           no-hw-padlock,
           no-idea,
           no-makedepend,
           enable-md2,
+          no-md2,
           no-md4,
           no-mdc2,
           no-msan,
@@ -90,7 +89,9 @@ jobs:
           no-posix-io,
           no-psk,
           no-rc2,
+          no-rc4,
           enable-rc5,
+          no-rc5,
           no-rdrand,
           no-rfc3779,
           no-ripemd,
@@ -108,9 +109,9 @@ jobs:
           no-sock,
           no-sse2,
           no-ssl,
-          enable-ssl3,
-          enable-ssl3-method,
-          enable-sslkeylog,
+          no-ssl3,
+          no-ssl3-method,
+          no-ssl-trace,
           no-static-engine no-shared,
           no-tests,
           enable-tfo,
@@ -119,19 +120,19 @@ jobs:
           no-tls1_1-method,
           no-tls1_2-method,
           no-tls1-method,
-          enable-trace,
+          no-trace,
           no-ubsan,
           no-ui-console,
+          no-unit-test,
           enable-unit-test,
           no-uplink,
           no-weak-ssl-ciphers,
           no-whirlpool,
+          no-zlib,
           enable-zlib-dynamic,
-          -DOPENSSL_PEDANTIC_ZEROIZATION,
-          -DOPENSSL_PEDANTIC_ZEROIZATION enable-fips,
+          no-zlib-dynamic,
           -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING,
-          -DSSL3_ALIGN_PAYLOAD=4,
-          -DOPENSSL_TLS_SECURITY_LEVEL=0
+          -DSSL3_ALIGN_PAYLOAD=4
         ]
     runs-on: ubuntu-latest
     steps:
@@ -343,25 +344,3 @@ jobs:
         ./util/opensslwrap.sh version -c
     - name: make test
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  memory_sanitizer_slh_dsa:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
-      run: CC=clang ./config --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0

.github/workflows/run-checker-merge.yml

@@ -19,9 +19,10 @@ jobs:
       matrix:
         opt: [
           enable-asan enable-ubsan no-shared no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=function,
+          no-ct,
           no-dso,
           no-dynamic-engine,
-          no-ec2m enable-fips,
+          no-ec2m,
           no-engine no-shared,
           no-err,
           no-filenames,
@@ -32,10 +33,8 @@ jobs:
           no-srp,
           no-srtp,
           no-ts,
-          no-integrity-only-ciphers,
           enable-weak-ssl-ciphers,
           enable-zlib,
-          enable-pie,
         ]
     runs-on: ubuntu-latest
     steps:
@@ -59,32 +58,6 @@ jobs:
     - name: make test
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
 
-  jitter:
-    runs-on: ubuntu-latest
-    steps:
-    - name: checkout openssl
-      uses: actions/checkout@v4
-    - name: checkout jitter
-      uses: actions/checkout@v4
-      with:
-        repository: smuellerDD/jitterentropy-library
-        ref: v3.5.0
-        path: jitter
-    - name: build jitter
-      run: make -C jitter/
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --with-rand-seed=none enable-jitter enable-fips-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC=JITTER && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
   threads_sanitizer_atomic_fallback:
     runs-on: ubuntu-latest
     steps:

.github/workflows/run_quic_interop.yml

@@ -1,71 +0,0 @@
-name: "Run openssl quic interop testing"
-
-on:
-  workflow_run:
-    workflows: ["Build openssl interop container from master"]
-    types: [completed]
-  workflow_dispatch:
-
-jobs:
-  run_quic_interop_openssl_client:
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
-        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
-        exclude:
-          - servers: msquic
-            tests: retry
-      fail-fast: false
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-         repository: 'quic-interop/quic-interop-runner'
-         fetch-depth: 0
-      - name: Install dependencies
-        run: |
-          pip install -r requirements.txt
-          sudo add-apt-repository ppa:wireshark-dev/stable
-          sudo apt-get update
-          sudo apt-get install -y tshark
-      - name: Patch implementations file
-        run: |
-          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
-                         , url: "https://github.com/openssl/openssl"
-                         , role: "both"
-                         }' ./implementations.json > ./implementations.tmp
-          mv ./implementations.tmp implementations.json
-      - name: "run interop with openssl client"
-        run: |
-          python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs-client -d
-  run_quic_interop_openssl_server:
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
-        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome]
-        exclude:
-          - clients: mvfst
-            tests: amplificationlimit
-      fail-fast: false
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-         repository: 'quic-interop/quic-interop-runner'
-         fetch-depth: 0
-      - name: Install dependencies
-        run: |
-          pip install -r requirements.txt
-          sudo add-apt-repository ppa:wireshark-dev/stable
-          sudo apt-get update
-          sudo apt-get install -y tshark
-      - name: Patch implementations file
-        run: |
-          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
-                         , url: "https://github.com/openssl/openssl"
-                         , role: "both"
-                         }' ./implementations.json > ./implementations.tmp
-          mv ./implementations.tmp implementations.json
-      - name: "run interop with openssl server"
-        run: |
-          python3 ./run.py -s openssl -t ${{ matrix.tests }} -c ${{ matrix.clients }} --log-dir ./logs-server -d

.github/workflows/static-analysis-on-prem.yml

@@ -1,39 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Static Analysis On Prem
-
-on:
-  schedule:
-    - cron:  '25 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  coverity-analysis:
-    runs-on: ubuntu-latest
-    container: quay.io/openssl-ci/coverity-analysis:2024.3.1
-    steps:
-    - name: Put license
-      run: echo ${{ secrets.COVERITY_LICENSE }} | base64 -d > /opt/coverity-analysis/bin/license.dat
-    - name: Put auth key file
-      run: |
-        echo ${{ secrets.COVERITY_AUTH_KEY }} | base64 -d > /auth_key_file.txt
-        chmod 0600 /auth_key_file.txt
-    - uses: actions/checkout@v4
-    - name: Config
-      run: CC=gcc ./config --banner=Configured --debug enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
-    - name: Config dump
-      run: ./configdata.pm --dump
-    - name: Make
-      run: cov-build --dir cov-int make -s -j4
-    - name: Analyze
-      run: cov-analyze --dir cov-int --strip-path $(pwd)
-    - name: Commit defects
-      run: cov-commit-defects --url https://coverity.openssl.org:443 --stream OpenSSL --dir cov-int --auth-key-file /auth_key_file.txt

.github/workflows/static-analysis.yml

@@ -10,8 +10,7 @@ name: Static Analysis
 #Run once a day
 on:
   schedule:
-    - cron:  '20 02 * * *'
-  workflow_dispatch:
+    - cron:  '20 0 * * *'
 
 permissions:
   contents: read

.github/workflows/style-checks.yml

@@ -33,15 +33,18 @@ jobs:
         REFSTART=$(git rev-parse $GITHUB_BASE_REF)
         REFEND=$(git rev-parse HEAD)
         echo "Checking from $REFSTART to $REFEND"
-        echo "::group::Style report for commits $REFSTART..$REFEND"
-        set +e
-        ./util/check-format-commit.sh $REFSTART..$REFEND
-        if [ $? -ne 0 ]
-        then
-          ERRORS_FOUND=1
-        fi
-        set -e
-        echo "::endgroup::"
+        for i in $(git log --no-merges --format=%H $REFSTART..$REFEND)
+        do
+          echo "::group::Style report for commit $i"
+          set +e
+          ./util/check-format-commit.sh $i
+          if [ $? -ne 0 ]
+          then
+            ERRORS_FOUND=1
+          fi
+          set -e
+          echo "::endgroup::"
+        done
         SKIP_TEST=$(gh pr view $PR_NUMBER --json labels --jq '.labels[] | select(.name == "style: waived") | .name')
         if [ -z "$SKIP_TEST" ]
         then

.github/workflows/windows.yml

@@ -43,7 +43,7 @@ jobs:
     - name: config
       working-directory: _build
       run: |
-        perl ..\Configure --banner=Configured no-makedepend -DOSSL_WINCTX=openssl ${{ matrix.platform.config }}
+        perl ..\Configure --banner=Configured no-makedepend ${{ matrix.platform.config }}
         perl configdata.pm --dump
     - name: build
       working-directory: _build
@@ -53,21 +53,6 @@ jobs:
       with:
         url: "https://download.sysinternals.com/files/Coreinfo.zip"
         target: _build/coreinfo/
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]} 
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'} 
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
     - name: get cpu info
       working-directory: _build
       continue-on-error: true
@@ -83,7 +68,7 @@ jobs:
       run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
     - name: install
       # Run on 64 bit only as 32 bit is slow enough already
-      if: ${{ matrix.platform.arch == 'win64' }}
+      if: $${{ matrix.platform.arch == 'win64' }}
       run: |
         mkdir _dest
         nmake install DESTDIR=_dest
@@ -105,7 +90,7 @@ jobs:
     - name: config
       working-directory: _build
       run: |
-        perl ..\Configure --banner=Configured enable-demos no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug -DOSSL_WINCTX=openssl VC-WIN64A-masm
+        perl ..\Configure --banner=Configured no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug VC-WIN64A-masm
         perl configdata.pm --dump
     - name: build
       working-directory: _build
@@ -142,7 +127,7 @@ jobs:
     - name: config
       working-directory: _build
       run: |
-        perl ..\Configure --banner=Configured enable-demos no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT -DOSSL_WINCTX=openssl
+        perl ..\Configure --banner=Configured no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT
         perl configdata.pm --dump
     - name: build
       working-directory: _build
@@ -172,7 +157,7 @@ jobs:
 #          - windows-2022
         platform:
           - arch: win64
-            config: -DCMAKE_C_COMPILER=gcc --strict-warnings enable-demos no-fips
+            config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips
 # are we really learning sth new from win32? So let's save some CO2 for now disabling this
 #          - arch: win32
 #            config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips

.github/workflows/windows_comp.yml

@@ -11,7 +11,6 @@ on:
   pull_request:
     paths:
       - 'crypto/comp/*.c'
-      - '.github/workflows/windows_comp.yml'
   push:
     paths:
       - '**.c'
@@ -37,27 +36,11 @@ jobs:
     - name: config
       working-directory: _build
       run: |
-        perl ..\Configure enable-comp enable-zstd --with-zstd-include=C:\vcpkg\packages\zstd_x64-windows\include --with-zstd-lib=C:\vcpkg\packages\zstd_x64-windows\lib\zstd.lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
+        perl ..\Configure enable-comp enable-zstd --with-zstd-include=C:\vcpkg\packages\zstd_x64-windows\include --with-zstd-lib=C:\vcpkg\packages\zstd_x64-windows\lib\zstd.lib no-makedepend VC-WIN64A
         perl configdata.pm --dump
     - name: build
       working-directory: _build
       run: nmake
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin"
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
     - name: download coreinfo
       uses: suisei-cn/actions-download-file@v1.6.0
       with:
@@ -67,7 +50,6 @@ jobs:
       working-directory: _build
       continue-on-error: true
       run: |
-        $env:Path+=";C:\vcpkg\packages\zstd_x64-windows\bin"
         7z.exe x coreinfo/Coreinfo.zip
         ./Coreinfo64.exe -accepteula -f
         ./apps/openssl.exe version -c
@@ -96,27 +78,11 @@ jobs:
     - name: config
       working-directory: _build
       run: |
-        perl ..\Configure enable-comp enable-brotli --with-brotli-include=C:\vcpkg\packages\brotli_x64-windows\include --with-brotli-lib=C:\vcpkg\packages\brotli_x64-windows\lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
+        perl ..\Configure enable-comp enable-brotli --with-brotli-include=C:\vcpkg\packages\brotli_x64-windows\include --with-brotli-lib=C:\vcpkg\packages\brotli_x64-windows\lib no-makedepend VC-WIN64A
         perl configdata.pm --dump
     - name: build
       working-directory: _build
       run: nmake
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin"
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v ENGINESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
     - name: download coreinfo
       uses: suisei-cn/actions-download-file@v1.6.0
       with:
@@ -126,7 +92,6 @@ jobs:
       working-directory: _build
       continue-on-error: true
       run: |
-        $env:Path+=";C:\vcpkg\packages\brotli_x64-windows\bin"
         7z.exe x coreinfo/Coreinfo.zip
         ./Coreinfo64.exe -accepteula -f
         ./apps/openssl.exe version -c

.gitignore

@@ -35,7 +35,6 @@
 /include/openssl/bio.h
 /include/openssl/cmp.h
 /include/openssl/cms.h
-/include/openssl/comp.h
 /include/openssl/conf.h
 /include/openssl/configuration.h
 /include/openssl/crmf.h
@@ -55,7 +54,6 @@
 /include/openssl/ui.h
 /include/openssl/x509.h
 /include/openssl/x509v3.h
-/include/openssl/x509_acert.h
 /include/openssl/x509_vfy.h
 /include/openssl/core_names.h
 /include/internal/param_names.h
@@ -67,7 +65,6 @@
 doc/man1/openssl-*.pod
 
 # Auto generated der files
-providers/common/der/der_slh_dsa_gen.c
 providers/common/der/der_digests_gen.c
 providers/common/der/der_dsa_gen.c
 providers/common/der/der_ec_gen.c
@@ -75,8 +72,6 @@ providers/common/der/der_ecx_gen.c
 providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
-providers/common/der/der_ml_dsa_gen.c
-providers/common/include/prov/der_slh_dsa.h
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
 providers/common/include/prov/der_ecx.h
@@ -84,7 +79,6 @@ providers/common/include/prov/der_rsa.h
 providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
-providers/common/include/prov/der_ml_dsa.h
 
 # error code files
 /crypto/err/openssl.txt.old
@@ -122,70 +116,6 @@ providers/common/include/prov/der_ml_dsa.h
 /test/threadstest_fips
 /test/timing_load_creds
 
-# Demo applications
-/demos/bio/client-arg
-/demos/bio/client-conf
-/demos/bio/saccept
-/demos/bio/sconnect
-/demos/bio/server-arg
-/demos/bio/server-cmod
-/demos/bio/server-conf
-/demos/cipher/aesccm
-/demos/cipher/aesgcm
-/demos/cipher/aeskeywrap
-/demos/cipher/ariacbc
-/demos/cms/cms_comp
-/demos/cms/cms_ddec
-/demos/cms/cms_dec
-/demos/cms/cms_denc
-/demos/cms/cms_enc
-/demos/cms/cms_sign
-/demos/cms/cms_sign2
-/demos/cms/cms_uncomp
-/demos/cms/cms_ver
-/demos/digest/BIO_f_md
-/demos/digest/EVP_MD_demo
-/demos/digest/EVP_MD_stdin
-/demos/digest/EVP_MD_xof
-/demos/encode/ec_encode
-/demos/encode/rsa_encode
-/demos/encrypt/rsa_encrypt
-/demos/guide/quic-client-block
-/demos/guide/quic-client-non-block
-/demos/guide/quic-hq-interop
-/demos/guide/quic-multi-stream
-/demos/guide/tls-client-block
-/demos/guide/tls-client-non-block
-/demos/http3/libnghttp3.pc
-/demos/http3/nghttp3/
-/demos/http3/ossl-nghttp3-demo
-/demos/kdf/argon2
-/demos/kdf/hkdf
-/demos/kdf/pbkdf2
-/demos/kdf/scrypt
-/demos/keyexch/x25519
-/demos/mac/cmac-aes256
-/demos/mac/gmac
-/demos/mac/hmac-sha512
-/demos/mac/poly1305
-/demos/pkey/EVP_PKEY_DSA_keygen
-/demos/pkey/EVP_PKEY_DSA_paramfromdata
-/demos/pkey/EVP_PKEY_DSA_paramgen
-/demos/pkey/EVP_PKEY_DSA_paramvalidate
-/demos/pkey/EVP_PKEY_EC_keygen
-/demos/pkey/EVP_PKEY_RSA_keygen
-/demos/signature/EVP_DSA_Signature_demo
-/demos/signature/EVP_EC_Signature_demo
-/demos/signature/EVP_ED_Signature_demo
-/demos/signature/rsa_pss_direct
-/demos/signature/rsa_pss_hash
-/demos/smime/smdec
-/demos/smime/smenc
-/demos/smime/smsign
-/demos/smime/smsign2
-/demos/smime/smver
-/demos/sslecho/sslecho
-
 # Certain files that get created by tests on the fly
 /test-runs
 /test/buildtest_*
@@ -209,6 +139,7 @@ providers/common/include/prov/der_ml_dsa.h
 /tools/c_rehash.pl
 /util/shlib_wrap.sh
 /util/wrap.pl
+/util/quicserver
 /tags
 /TAGS
 *.map
@@ -239,6 +170,7 @@ providers/common/include/prov/der_ml_dsa.h
 
 # Files created on other branches that are not held in git, and are not
 # needed on this branch
+/include/openssl/asn1_mac.h
 /include/openssl/des_old.h
 /include/openssl/fips.h
 /include/openssl/fips_rand.h

.gitmodules

@@ -32,6 +32,3 @@
 	path = fuzz/corpora
 	url = https://github.com/openssl/fuzz-corpora
 	branch = main
-[submodule "pkcs11-provider"]
-	path = pkcs11-provider
-	url = https://github.com/latchset/pkcs11-provider.git

AUTHORS.md

@@ -12,7 +12,6 @@ Groups
 
  * OpenSSL Software Services, Inc.
  * OpenSSL Software Foundation, Inc.
- * Google LLC
 
 Individuals
 -----------
@@ -49,5 +48,4 @@ Individuals
  * Tim Hudson
  * Tomáš Mráz
  * Ulf Möller
- * Valerii Krygin
  * Viktor Dukhovni

CHANGES.md

@@ -12,8 +12,6 @@ appropriate release branch.
 OpenSSL Releases
 ----------------
 
- - [OpenSSL 3.5](#openssl-35)
- - [OpenSSL 3.4](#openssl-34)
  - [OpenSSL 3.3](#openssl-33)
  - [OpenSSL 3.2](#openssl-32)
  - [OpenSSL 3.1](#openssl-31)
@@ -25,248 +23,17 @@ OpenSSL Releases
  - [OpenSSL 1.0.0](#openssl-100)
  - [OpenSSL 0.9.x](#openssl-09x)
 
-OpenSSL 3.5
+OpenSSL 3.3
 -----------
 
-### Changes between 3.5 and 3.6 [xx XXX xxxx]
-
- * none yet
-
-### Changes between 3.4 and 3.5 [xx XXX xxxx]
-
-* Added server side support for QUIC
-
-   *Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh*
-
- * Added a `no-tls-deprecated-ec` configuration option.
-
-   The `no-tls-deprecated-ec` option disables support for TLS elliptic curve
-   groups deprecated in RFC8422 at compile time.  This does not affect use of
-   the associated curves outside TLS.  By default support for these groups is
-   compiled in, but, as before, they are not included in the default run-time
-   list of supported groups.
-
-   With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
-   compile time even if the default configuration is changed, provided the
-   underlying EC curves remain implemented.
-
-   *Viktor Dukhovni*
-
- * Added new API to enable 0-RTT for 3rd party QUIC stacks.
-
-   *Cheng Zhang*
-
- * Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`,
-   which allows for application notification of new connection SSL object
-   creation, which occurs independently of calls to `SSL_accept_connection()`.
-   Note: QUIC objects passed through SSL callbacks should not have their state
-   mutated via calls back into the SSL api until such time as they have been
-   received via a call to `SSL_accept_connection()`.
-
-   *Neil Horman*
-
- * Add SLH-DSA as specified in FIPS 205.
-
-   *Shane Lontis and Dr Paul Dale*
-
- * ML-KEM as specified in FIPS 203.
-
-   Based on the original implementation in BoringSSL, ported from C++ to C,
-   refactored, and integrated into the OpenSSL default and FIPS providers.
-   Including also the X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024
-   TLS hybrid key post-quantum/classical key agreement schemes.
-
-   *Michael Baentsch, Viktor Dukhovni, Shane Lontis and Paul Dale*
-
- * Add ML-DSA as specified in FIPS 204.
-
-   The base code was derived from BoringSSL C++ code.
-
-   *Shane Lontis, Viktor Dukhovni and Paul Dale*
-
- * Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS
-   implementation.
-
-   *Matt Caswell*
-
- * The default DRBG implementations have been changed to prefer to fetch
-   algorithm implementations from the default provider (the provider the
-   DRBG implementation is built in) regardless of the default properties
-   set in the configuration file. The code will still fallback to find
-   an implementation, as done previously, if needed.
-
-   *Simo Sorce*
-
- * Initial support for opaque symmetric keys objects.  These replace the ad-hoc byte
-   arrays that are pervasive throughout the library.
-
-   *Dmitry Belyavskiy and Simo Sorce*
-
- * For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of
-   `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection.
-   Extend the server-side key exchange group selection algorithm and related group list syntax
-   to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs.
-
-   *David Kelsey*, *Martin Schmatz*
-
- * The default TLS group list setting is now set to:
-   `?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072`
-
-   This means two key shares (X25519MLKEM768 and X25519) will be sent by
-   default by the TLS client. GOST groups and FFDHE groups larger than 3072
-   bits are no longer enabled by default.
-
-   *Viktor Dukhovni*
-
- * A new random generation API has been introduced which modifies all
-   of the L<RAND_bytes(3)> family of calls so they are routed through a
-   specific named provider instead of being resolved via the normal DRBG
-   chaining.  In a future OpenSSL release, this will obsolete RAND_METHOD.
-
-   *Dr Paul Dale*
-
- * New inline functions were added to support loads and stores of unsigned
-   16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
-   form, regardless of the host byte-order.  See the `OPENSSL_load_u16_le(3)`
-   manpage for details.
-
-   *Viktor Dukhovni*
-
- * All the `BIO_meth_get_*()` functions allowing reuse of the internal OpenSSL
-   BIO method implementations were deprecated. The reuse is unsafe due to
-   dependency on the code of the internal methods not changing.
-
-   *Tomáš Mráz*
-
- * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
-   `SSL_CTX_set1_groups_list()` now supports the DEFAULT keyword which sets the
-   available groups to the default selection. The '-' prefix allows the calling
-   application to remove a group from the selection.
-
-   *Frederik Wedel-Heinen*
-
- * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
-   from `des-ede3-cbc` to `aes-256-cbc`.
-
-   AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
-
-   *Aditya*
-
- * Enhanced PKCS#7 inner contents verification.
-   In the `PKCS7_verify()` function, the BIO *indata parameter refers to the
-   signed data if the content is detached from p7. Otherwise, indata should be
-   NULL, and then the signed data must be in p7.
-
-   The previous OpenSSL implementation only supported MIME inner content
-   [RFC 5652, section 5.2].
-
-   The added functionality now enables support for PKCS#7 inner content
-   [RFC 2315, section 7].
-
-   *Małgorzata Olszówka*
-
- * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
-   longer required) when using `-digest` or when signing or verifying with an
-   Ed25519 or Ed448 key.
-   The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
-
-   *David von Oheimb*
-
- * `X509_PURPOSE_add()` has been modified
-   to take `sname` instead of `id` as the primary purpose identifier.
-   For its convenient use, `X509_PURPOSE_get_unused_id()` has been added.
-
-   This work was sponsored by Siemens AG.
-
-   *David von Oheimb*
-
- * Added support for central key generation in CMP.
-
-   This work was sponsored by Siemens AG.
-
-   *Rajeev Ranjan*
-
- * Optionally allow the FIPS provider to use the `JITTER` entropy source.
-   Note that using this option will require the resulting FIPS provider
-   to undergo entropy source validation [ESV] by the [CMVP], without this
-   the FIPS provider will not be FIPS compliant.  Enable this using the
-   configuration option `enable-fips-jitter`.
-
-   *Paul Dale*
-
- * Extended `OPENSSL_ia32cap` support to accommodate additional `CPUID`
-   feature/capability bits in leaf `0x7` (Extended Feature Flags) as well
-   as leaf `0x24` (Converged Vector ISA).
-
-   *Dan Zimmerman, Alina Elizarova*
-
- * Cipher pipelining support for provided ciphers with new API functions
-   EVP_CIPHER_can_pipeline(), EVP_CipherPipelineEncryptInit(),
-   EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate(),
-   and EVP_CipherPipelineFinal(). Cipher pipelining support allows application to
-   submit multiple chunks of data in one cipher update call, thereby allowing the
-   provided implementation to take advantage of parallel computing. There are
-   currently no built-in ciphers that support pipelining. This new API replaces
-   the legacy pipeline API [SSL_CTX_set_max_pipelines](https://docs.openssl.org/3.3/man3/SSL_CTX_set_split_send_fragment/) used with Engines.
-
-   *Ramkumar*
-
- * Add CMS_NO_SIGNING_TIME flag to CMS_sign(), CMS_add1_signer()
-
-   Previously there was no way to create a CMS SignedData signature without a
-   signing time attribute, because CMS_SignerInfo_sign added it unconditionally.
-   However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf) )
-   where this attribute is not allowed, so a new flag was added to the CMS API
-   that causes this attribute to be omitted at signing time.
-
-   The new `-no_signing_time` option of the `cms` command enables this flag.
-
-   *Juhász Péter*
-
- * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for
-   AVX_IFMA capable processors (Intel Sierra Forest and its successor).
-
-   This optimization brings performance enhancement, ranging from 1.8 to 2.2
-   times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`)
-   on the Intel Sierra Forest.
-
-   *Zhiguo Zhou, Wangyang Guo (Intel Corp)*
-
- * VAES/AVX-512 support for AES-XTS.
-
-   For capable processors (>= Intel Icelake), this provides a
-   vectorized implementation of AES-XTS with a throughput improvement
-   between 1.3x to 2x, depending on the block size.
-
-   *Pablo De Lara Guarch, Dan Pittman*
-
- * Fix EVP_DecodeUpdate(): do not write padding zeros to the decoded output.
-
-   According to the documentation,
-   for every 4 valid base64 bytes processed (ignoring whitespace, carriage returns and line feeds),
-   EVP_DecodeUpdate() produces 3 bytes of binary output data
-   (except at the end of data terminated with one or two padding characters).
-   However, the function behaved like an EVP_DecodeBlock():
-   produces exactly 3 output bytes for every 4 input bytes.
-   Such behaviour could cause writes to a non-allocated output buffer
-   if a user allocates its size based on the documentation and knowing the padding size.
-
-   The fix makes EVP_DecodeUpdate() produce
-   exactly as many output bytes as in the initial non-encoded message.
-
-   *Valerii Krygin*
-
-OpenSSL 3.4
------------
-
-### Changes between 3.4.1 and 3.4.2 [xx XXX xxxx]
+### Changes between 3.3.3 and 3.3.4 [xx XXX xxxx]
 
  * When displaying distinguished names in the openssl application escape control
    characters by default.
 
    *Tomáš Mráz*
 
-### Changes between 3.4.0 and 3.4.1 [11 Feb 2025]
+### Changes between 3.3.2 and 3.3.3 [11 Feb 2025]
 
  * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
 
@@ -292,191 +59,6 @@ OpenSSL 3.4
 
    *Tomáš Mráz*
 
- * Reverted the behavior change of CMS_get1_certs() and CMS_get1_crls()
-   that happened in the 3.4.0 release. These functions now return NULL
-   again if there are no certs or crls in the CMS object.
-
-   *Tomáš Mráz*
-
-### Changes between 3.3 and 3.4.0 [22 Oct 2024]
-
- * For the FIPS provider only, replaced the primary DRBG with a continuous
-   health check module.  This also removes the now forbidden DRBG chaining.
-
-   *Paul Dale*
-
- * Improved base64 BIO correctness and error reporting.
-
-   *Viktor Dukhovni*
-
- * Added support for directly fetched composite signature algorithms such as
-   RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
-   EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
-
-   *Richard Levitte*
-
- * XOF Digest API improvements
-
-   EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
-   EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
-   have an output size that is not fixed, so calling EVP_MD_get_size() is not
-   sufficent. The existing macros now point to the new function
-   EVP_MD_CTX_get_size_ex() which will retrieve the "size" for a XOF digest,
-   otherwise it falls back to calling EVP_MD_get_size(). Note that the SHAKE
-   implementation did not have a context getter previously, so the "size" will
-   only be able to be retrieved with new providers.
-
-   Also added a EVP_xof() helper.
-
-   *Shane Lontis*
-
- * Added FIPS indicators to the FIPS provider.
-
-   FIPS 140-3 requires indicators to be used if the FIPS provider allows
-   non-approved algorithms. An algorithm is approved if it passes all
-   required checks such as minimum key size. By default an error will
-   occur if any check fails. For backwards compatibility individual
-   algorithms may override the checks by using either an option in the
-   FIPS configuration OR in code using an algorithm context setter.
-   Overriding the check means that the algorithm is not FIPS compliant.
-   OSSL_INDICATOR_set_callback() can be called to register a callback
-   to log unapproved algorithms. At the end of any algorithm operation
-   the approved status can be queried using an algorithm context getter.
-   FIPS provider configuration options are set using 'openssl fipsinstall'.
-
-   Note that new FIPS 140-3 restrictions have been enforced such as
-   RSA Encryption using PKCS1 padding is no longer approved.
-   Documentation related to the changes can be found on the [fips_module(7)]
-   manual page.
-
-   [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators
-
-   *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
-
- * Added support for hardware acceleration for HMAC on S390x architecture.
-
-   *Ingo Franzki*
-
- * Added debuginfo Makefile target for unix platforms to produce
-   a separate DWARF info file from the corresponding shared libs.
-
-   *Neil Horman*
-
- * Added support for encapsulation and decapsulation operations in the
-   pkeyutl command.
-
-   *Dmitry Belyavskiy*
-
- * Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
-
-   *Dmitry Belyavskiy*
-
- * Add a new random seed source RNG `JITTER` using a statically linked
-   jitterentropy library.
-
-   *Dimitri John Ledkov*
-
- * Added a feature to retrieve configured TLS signature algorithms,
-   e.g., via the openssl list command.
-
-   *Michael Baentsch*
-
- * Deprecated TS_VERIFY_CTX_set_* functions and added replacement
-   TS_VERIFY_CTX_set0_* functions with improved semantics.
-
-   *Tobias Erbsland*
-
- * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
-   what were formerly build time locations can now be defined at run time
-   with registry keys. See NOTES-WINDOWS.md.
-
-   *Neil Horman*
-
- * Added options `-not_before` and `-not_after` for explicit setting
-   start and end dates of certificates created with the `req` and `x509`
-   commands. Added the same options also to `ca` command as alias for
-   `-startdate` and `-enddate` options.
-
-   *Stephan Wurm*
-
- * The X25519 and X448 key exchange implementation in the FIPS provider
-   is unapproved and has `fips=no` property.
-
-   *Tomáš Mráz*
-
- * SHAKE-128 and SHAKE-256 implementations have no default digest length
-   anymore. That means these algorithms cannot be used with
-   EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
-
-   This change was necessary because the preexisting default lengths were
-   half the size necessary for full collision resistance supported by these
-   algorithms.
-
-   *Tomáš Mráz*
-
- * Setting `config_diagnostics=1` in the config file will cause errors to
-   be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
-   in the ssl module configuration.
-
-   *Tomáš Mráz*
-
- * An empty renegotiate extension will be used in TLS client hellos instead
-   of the empty renegotiation SCSV, for all connections with a minimum TLS
-   version > 1.0.
-
-   *Tim Perry*
-
- * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
-   TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
-
-   This work was sponsored by Siemens AG.
-
-   *Rajeev Ranjan*
-
- * Added support for retrieving certificate request templates and CRLs in CMP,
-   with the respective CLI options `-template`,
-   `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`.
-
-   This work was sponsored by Siemens AG.
-
-   *Rajeev Ranjan*
-
- * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
-   userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
-   subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
-   holderNameConstraints and targetingInformation X.509v3 extensions.
-
-   *Jonathan M. Wilbur*
-
- * Added Attribute Certificate (RFC 5755) support. Attribute
-   Certificates can be created, parsed, modified and printed via the
-   public API. There is no command-line tool support at this time.
-
-   *Damian Hobson-Garcia*
-
- * Added support to build Position Independent Executables (PIE). Configuration
-   option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
-   support Address Space Layout Randomization (ASLR) in the openssl executable,
-   removes reliance on external toolchain configurations.
-
-   *Craig Lorentzen*
-
- * SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() have
-   been deprecated in favour of their respective ..._ex() replacement functions
-   which are Y2038-safe.
-
-   *Alexander Kanavin*
-
- * ECC groups may now customize their initialization to save CPU by using
-   precomputed values. This is used by the P-256 implementation.
-
-   *Watson Ladd*
-
-OpenSSL 3.3
------------
-
-### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
-
  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
    curve parameters.
 
@@ -641,8 +223,6 @@ OpenSSL 3.3
    - `certProfile` request message header and respective `-profile` CLI option
    - support for delayed delivery of all types of response messages
 
-   This work was sponsored by Siemens AG.
-
    *David von Oheimb*
 
  * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
@@ -734,7 +314,7 @@ OpenSSL 3.3
 
    *Fisher Yu*
 
- * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
    similar to M1/M2.
 
    *Tom Cosgrove*
@@ -948,6 +528,11 @@ OpenSSL 3.2
 
    *Fergus Dall*
 
+ * Added support for securely getting root CA certificate update in
+   CMP.
+
+   *David von Oheimb*
+
  * Improved contention on global write locks by using more read locks where
    appropriate.
 
@@ -1200,24 +785,21 @@ OpenSSL 3.2
 
    * Lutz Jänicke*
 
- * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
+ * The `x509`, `ca`, and `req` apps now produce X.509 v3 certificates.
    The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
    `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
    X.509 version 3 if the certificate information includes X.509 extensions.
 
    *David von Oheimb*
 
- * Fix and extend certificate handling and the commands `x509`, `verify` etc.
+ * Fix and extend certificate handling and the apps `x509`, `verify` etc.
    such as adding a trace facility for debugging certificate chain building.
 
    *David von Oheimb*
 
  * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
-   in particular supporting various types of genm/genp exchanges such as getting
-   CA certificates and root CA cert updates defined in CMP Updates [RFC 9480],
-   as well as the `-srvcertout` and `-serial` CLI options.
-
-   This work was sponsored by Siemens AG.
+   in particular supporting requests for central key generation, generalized
+   polling, and various types of genm/genp exchanges defined in CMP Updates.
 
    *David von Oheimb*
 
@@ -1516,7 +1098,7 @@ OpenSSL 3.1
 
  * Add FIPS provider configuration option to enforce the
    Extended Master Secret (EMS) check during the TLS1_PRF KDF.
-   The option '-ems_check' can optionally be supplied to
+   The option '-ems-check' can optionally be supplied to
    'openssl fipsinstall'.
 
    *Shane Lontis*
@@ -1539,7 +1121,7 @@ OpenSSL 3.1
 
    *Orr Toledano*
 
- * `s_client` and `s_server` commands now explicitly say when the TLS version
+ * s_client and s_server apps now explicitly say when the TLS version
    does not include the renegotiation mechanism. This avoids confusion
    between that scenario versus when the TLS version includes secure
    renegotiation but the peer lacks support for it.
@@ -2590,8 +2172,7 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Nicola Tuveri*
 
- * Behavior of the `pkey` command is changed,
-   when using the `-check` or `-pubcheck`
+ * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
    switches: a validation failure triggers an early exit, returning a failure
    exit status to the parent process.
 
@@ -3507,7 +3088,7 @@ breaking changes, and mappings for the large list of deprecated functions.
    this switch breaks interoperability with correct implementations.
 
  * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
-   reused X509_PUBKEY object if the second PUBKEY is malformed.
+   re-used X509_PUBKEY object if the second PUBKEY is malformed.
 
    *Bernd Edlinger*
 
@@ -4841,7 +4422,7 @@ OpenSSL 1.1.0
    *Billy Bob Brumley, Nicola Tuveri*
 
  * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
-   reused X509_PUBKEY object if the second PUBKEY is malformed.
+   re-used X509_PUBKEY object if the second PUBKEY is malformed.
 
    *Bernd Edlinger*
 
@@ -8831,7 +8412,7 @@ OpenSSL 1.0.1
    *Matt Caswell*
 
  * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
-   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
+   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
    method would be set to NULL which could later result in a NULL pointer
    dereference. Thanks to Frank Schmirler for reporting this issue.
    ([CVE-2014-3569])
@@ -9896,7 +9477,7 @@ OpenSSL 1.0.0
    *Matt Caswell*
 
  * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
-   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
+   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
    method would be set to NULL which could later result in a NULL pointer
    dereference. Thanks to Frank Schmirler for reporting this issue.
    ([CVE-2014-3569])
@@ -16027,7 +15608,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
    *stefank@valicert.com via Richard Levitte*
 
- * Add an SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+ * Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
    the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
    doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
    the bitwise-OR of the two for use by the majority of applications
@@ -16576,7 +16157,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 ### Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
 
  * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
-   to avoid an SSLeay/OpenSSL PRNG weakness pointed out by
+   to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
    Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
    PRNG state recovery was possible based on the output of
    one PRNG request appropriately sized to gain knowledge on
@@ -16961,7 +16542,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
    *Bodo Moeller*
 
  * Store verify_result within SSL_SESSION also for client side to
-   avoid potential security hole. (Reused sessions on the client side
+   avoid potential security hole. (Re-used sessions on the client side
    always resulted in verify_result==X509_V_OK, not using the original
    result of the server certificate verification.)
 
@@ -19177,7 +18758,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
  * Bugfix: ssl23_get_client_hello did not work properly when called in
    state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
-   an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
+   a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
    but a retry condition occurred while trying to read the rest.
 
    *Bodo Moeller*
@@ -21348,5 +20929,3 @@ ndif
 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
-[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
-[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations

Configurations/00-base-templates.conf

@@ -59,8 +59,6 @@ my %targets=(
         includes        =>
             sub {
                 my @incs = ();
-                push @incs, $withargs{jitter_include}
-                    if !$disabled{jitter} && $withargs{jitter_include};
                 push @incs, $withargs{brotli_include}
                     if !$disabled{brotli} && $withargs{brotli_include};
                 push @incs, $withargs{zlib_include}
@@ -78,27 +76,9 @@ my %targets=(
         AR              => "ar",
         ARFLAGS         => "qc",
         CC              => "cc",
-        OBJCOPY         => "objcopy",
-        bin_cflags      =>
-            sub {
-                my @flags = ();
-                if (!defined($disabled{pie})) {
-                    push(@flags, "-fPIE");
-                }
-                return join(" ", @flags);
-            },
-        bin_lflags      =>
-            sub {
-                my @flags = ();
-                if (!defined($disabled{pie})) {
-                    push(@flags, "-pie");
-                }
-                return join(" ", @flags);
-            },
         lflags          =>
             sub {
                 my @libs = ();
-                push(@libs, "-L".$withargs{jitter_lib}) if $withargs{jitter_lib};
                 push(@libs, "-L".$withargs{zlib_lib}) if $withargs{zlib_lib};
                 push(@libs, "-L".$withargs{brotli_lib}) if $withargs{brotli_lib};
                 push(@libs, "-L".$withargs{zstd_lib}) if $withargs{zstd_lib};
@@ -107,7 +87,6 @@ my %targets=(
         ex_libs         =>
             sub {
                 my @libs = ();
-                push(@libs, "-l:libjitterentropy.a") if !defined($disabled{jitter});
                 push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
                 if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
                     push(@libs, "-lbrotlienc");

Configurations/50-cppbuilder.conf

@@ -58,64 +58,5 @@ my %targets = (
         shared_defflag   => '',
         perl_platform    => 'Windows::cppbuilder',
         uplink_arch      => 'common',
-    },
-    "BC-64" => {
-        inherit_from     => [ "BASE_Windows" ],
-        sys_id           => "WIN64",
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "winthreads",
-        cc               => "bcc64",
-        CPP              => "cpp64 -oCON -Sc -Sr",
-        defines          => add("WIN32_LEAN_AND_MEAN", "OPENSSL_SYS_WIN64",
-                                "L_ENDIAN", "DSO_WIN32", "_stricmp=stricmp",
-                                "_strnicmp=strnicmp", "_setmode=setmode"),
-        cflags           => picker(default => add("-q -c",
-                                                  threads("-tM"),
-                                                  shared("-tR")),
-                                   debug   => "-Od -v -vi- -D_DEBUG",
-                                   release => "-O2"),
-        bin_cflags       => "-tWC",
-        lib_cflags       => shared("-tWD -D_WINDLL -D_DLL"),
-        coutflag         => "-o",
-
-        # -Sx isn't documented, but 'cpp64 -H -S' explains it:
-        #
-        # -Sx     Omit preprocessed text in output
-        makedepcmd       => "cpp64 -oCON -Sx -Hp",
-        makedep_scheme   => "embarcadero",
-
-        LD               => "ilink64",
-        LDFLAGS          => picker(default => "-x -Gn -q -w-dup",
-                                   debug   => '-j"$(BDS)\lib\win64\debug" ' .
-                                              '-L"$(BDS)\lib\win64\debug" -v',
-                                   release => '-j"$(BDS)\lib\win64\release" ' .
-                                              '-L"$(BDS)\lib\win64\release"'),
-        bin_lflags       => "-ap -Tpe c0x64.o wildargs.o",
-        ldoutflag        => ",",
-        ldpostoutflag    => ",,",
-        ld_resp_delim    => " +\n",
-        ex_libs          => add(sub {
-            my @ex_libs = ("import64.a",
-                           ($disabled{shared}
-                            ? ($disabled{threads} ? "cw64.a" : "cw64mt.a")
-                            : ($disabled{threads} ? "cw64i.a" : "cw64mti.a")));
-            push @ex_libs, "ws2_32.a" unless $disabled{sock};
-            return join(" ", @ex_libs);
-        }),
-        AR               => "tlib",
-        ARFLAGS          => "/P256 /N /u",
-        ar_resp_delim    => " &\n",
-        RC               => "brcc32",
-        RCFLAGS          => '-i"$(BDS)\include\windows\sdk"',
-        rcoutflag        => "-fo",
-        shared_target    => "win-shared",
-        shared_ldflag    => "-aa -Tpd c0d64.o",
-        lddefflag        => ",",
-        ldresflag        => ",",
-        ld_implib_rule   => 'implib -a $< $**',
-        dso_scheme       => "win64",
-        shared_defflag   => '',
-        perl_platform    => 'Windows::cppbuilder',
-        uplink_arch      => 'common',
     }
 );

Configurations/50-nonstop.conf

@@ -173,15 +173,6 @@
         ex_libs          => '-lput',
     },
 
-    ######################################################################
-    # Build models
-    'nonstop-model-klt' => {
-        template         => 1,
-        defines          => ['_KLT_MODEL_',
-                             '_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
-        ex_libs          => '-lklt',
-    },
-
     ######################################################################
     # Now for the entries themselves, let's combine things!
     'nonstop-nsx' => {
@@ -220,16 +211,6 @@
         multibin         => '64-put',
         disable          => ['atexit'],
     },
-    'nonstop-nsx_64_klt' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-lp64-x86_64',
-                              'nonstop-efloat-x86_64',
-                              'nonstop-model-klt' ],
-        multilib         => '64-klt',
-        multibin         => '64-klt',
-        disable          => ['atexit'],
-    },
     'nonstop-nsx_g' => {
         inherit_from     => [ 'nonstop-common',
                               'nonstop-archenv-x86_64-guardian',
@@ -281,3 +262,16 @@
         multibin         => '64-put',
         disable          => ['atexit'],
     },
+    'nonstop-nse_g' => {
+        inherit_from     => [ 'nonstop-common',
+                              'nonstop-archenv-itanium-guardian',
+                              'nonstop-ilp32', 'nonstop-nfloat-itanium' ],
+        disable          => ['threads','atexit'],
+    },
+
+    'nonstop-nse_g_tandem' => {
+        inherit_from     => [ 'nonstop-common',
+                              'nonstop-archenv-itanium-guardian',
+                              'nonstop-ilp32', 'nonstop-tfloat-itanium' ],
+        disable          => ['threads','atexit'],
+    },

Configurations/unix-Makefile.tmpl

@@ -373,7 +373,6 @@ CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
 CXXFLAGS={- join(' ', @{$config{CXXFLAGS}}) -}
 LDFLAGS= {- join(' ', @{$config{LDFLAGS}}) -}
 EX_LIBS= {- join(' ', @{$config{LDLIBS}}) -}
-OBJCOPY={- $config{OBJCOPY} -}
 
 MAKEDEPEND={- $config{makedepcmd} -}
 
@@ -534,11 +533,6 @@ LANG=C
 {- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
 
 all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
-debuginfo: $(SHLIBS)
-	@set -e; for i in $(SHLIBS); do \
-		$(OBJCOPY) --only-keep-debug $$i $$i.debug; \
-		$(OBJCOPY) --strip-debug --add-gnu-debuglink=$$i.debug $$i; \
-	done;
 
 ##@ Documentation
 build_generated_pods: $(GENERATED_PODS)
@@ -1173,7 +1167,7 @@ generate_buildinfo: generate_doc_buildinfo
 
 .PHONY: doc-nits md-nits
 doc-nits: build_generated_pods ## Evaluate OpenSSL documentation
-	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e -i
+	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e
 
 # This uses "mdl", the markdownlint application, which is written in ruby.
 # The source is at https://github.com/markdownlint/markdownlint
@@ -1338,7 +1332,8 @@ errors:
            include/internal/asn1.h
            include/internal/sslconf.h );
    my @cryptoskipheaders = ( @sslheaders_tmpl,
-       qw( include/openssl/conf_api.h
+       qw( include/openssl/asn1_mac.h
+           include/openssl/conf_api.h
            include/openssl/ebcdic.h
            include/openssl/opensslconf.h
            include/openssl/symhacks.h ) );

Configure

@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -77,15 +77,6 @@ EOF
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
 #               support isn't compiled.
-#
-# enable-demos  Enable the building of the example code in the demos directory
-# enable-h3demo Enable the http3 demo, which currently only links to the
-#               external nghttp3 library on unix platforms
-#
-# enable-hqinterop
-#               Enable the building of the hq-interop code for construction
-#               of the interop container
-#
 # no-hw         do not compile support for any crypto hardware.
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
@@ -451,9 +442,6 @@ my @disablables = (
     "crypto-mdebug",
     "ct",
     "default-thread-pool",
-    "demos",
-    "h3demo",
-    "hqinterop",
     "deprecated",
     "des",
     "devcryptoeng",
@@ -477,15 +465,11 @@ my @disablables = (
     "filenames",
     "fips",
     "fips-securitychecks",
-    "fips-post",
-    "fips-jitter",
     "fuzz-afl",
     "fuzz-libfuzzer",
     "gost",
     "http",
     "idea",
-    "integrity-only-ciphers",
-    "jitter",
     "ktls",
     "legacy",
     "loadereng",
@@ -493,8 +477,6 @@ my @disablables = (
     "md2",
     "md4",
     "mdc2",
-    "ml-dsa",
-    "ml-kem",
     "module",
     "msan",
     "multiblock",
@@ -503,7 +485,6 @@ my @disablables = (
     "ocsp",
     "padlockeng",
     "pic",
-    "pie",
     "pinshared",
     "poly1305",
     "posix-io",
@@ -523,7 +504,6 @@ my @disablables = (
     "shared",
     "siphash",
     "siv",
-    "slh-dsa",
     "sm2",
     "sm2-precomp",
     "sm3",
@@ -536,13 +516,11 @@ my @disablables = (
     "ssl-trace",
     "static-engine",
     "stdio",
-    "sslkeylog",
     "tests",
     "tfo",
     "thread-pool",
     "threads",
     "tls",
-    "tls-deprecated-ec",
     "trace",
     "ts",
     "ubsan",
@@ -585,24 +563,18 @@ my %deprecated_disablables = (
 
 our %disabled = ( # "what"         => "comment"
                   "fips"                => "default",
-                  "fips-jitter"         => "default",
                   "asan"                => "default",
                   "brotli"              => "default",
                   "brotli-dynamic"      => "default",
                   "buildtest-c++"       => "default",
                   "crypto-mdebug"       => "default",
                   "crypto-mdebug-backtrace" => "default",
-                  "demos"               => "default",
-                  "h3demo"              => "default",
-                  "hqinterop"           => "default",
                   "devcryptoeng"        => "default",
                   "ec_nistp_64_gcc_128" => "default",
                   "egd"                 => "default",
                   "external-tests"      => "default",
                   "fuzz-afl"            => "default",
                   "fuzz-libfuzzer"      => "default",
-                  "pie"                 => "default",
-                  "jitter"              => "default",
                   "ktls"                => "default",
                   "md2"                 => "default",
                   "msan"                => "default",
@@ -610,7 +582,6 @@ our %disabled = ( # "what"         => "comment"
                   "sctp"                => "default",
                   "ssl3"                => "default",
                   "ssl3-method"         => "default",
-                  "sslkeylog"           => "default",
                   "tfo"                 => "default",
                   "trace"               => "default",
                   "ubsan"               => "default",
@@ -633,8 +604,8 @@ my @disable_cascades = (
                              "ec", "engine",
                              "filenames",
                              "idea", "ktls",
-                             "md4", "ml-dsa", "ml-kem", "multiblock",
-                             "nextprotoneg", "ocsp", "ocb", "poly1305", "psk",
+                             "md4", "multiblock", "nextprotoneg",
+                             "ocsp", "ocb", "poly1305", "psk",
                              "rc2", "rc4", "rmd160",
                              "seed", "siphash", "siv",
                              "sm3", "sm4", "srp",
@@ -650,8 +621,7 @@ my @disable_cascades = (
     "brotli"            => [ "brotli-dynamic" ],
     "zstd"              => [ "zstd-dynamic" ],
     "des"               => [ "mdc2" ],
-    "deprecated"        => [ "tls-deprecated-ec" ],
-    "ec"                => [ qw(ec2m ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
+    "ec"                => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
     "dgram"             => [ "dtls", "quic", "sctp" ],
     "sock"              => [ "dgram", "tfo" ],
     "dtls"              => [ @dtls ],
@@ -705,8 +675,7 @@ my @disable_cascades = (
 
     "cmp"               => [ "crmf" ],
 
-    "fips"              => [ "fips-securitychecks", "fips-post", "acvp-tests",
-                             "fips-jitter" ],
+    "fips"              => [ "fips-securitychecks", "acvp-tests" ],
 
     "threads"           => [ "thread-pool" ],
     "thread-pool"       => [ "default-thread-pool" ],
@@ -775,7 +744,6 @@ my %user = (
     RANLIB      => env('RANLIB'),
     RC          => env('RC') || env('WINDRES'),
     RCFLAGS     => [ env('RCFLAGS') || () ],
-    OBJCOPY     => undef,
     RM          => undef,
    );
 # Info about what "make variables" may be prefixed with the cross compiler
@@ -836,7 +804,7 @@ my %cmdvars = ();               # Stores FOO='blah' type arguments
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -966,19 +934,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"brotli"};
                         }
-                elsif ($1 eq "pie")
-                        {
-                        delete $disabled{"pie"};
-                        }
                 elsif ($1 eq "zstd-dynamic")
                         {
                         delete $disabled{"zstd"};
                         }
-                elsif ($1 eq "fips-jitter")
-                        {
-                        delete $disabled{"fips"};
-                        delete $disabled{"jitter"};
-                        }
                 my $algo = $1;
                 delete $disabled{$algo};
 
@@ -1045,14 +1004,6 @@ while (@argvcopy)
                         {
                         $config{openssldir}=$1;
                         }
-                elsif (/^--with-jitter-include=(.*)$/)
-                        {
-                        $withargs{jitter_include}=$1;
-                        }
-                elsif (/^--with-jitter-lib=(.*)$/)
-                        {
-                        $withargs{jitter_lib}=$1;
-                        }
                 elsif (/^--with-zlib-lib=(.*)$/)
                         {
                         $withargs{zlib_lib}=$1;
@@ -1345,15 +1296,11 @@ if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
 
 ============================== WARNING ===============================
 You have selected the --with-rand-seed=none option, which effectively
-disables automatic reseeding of the OpenSSL SEED-SRC random generator.
+disables automatic reseeding of the OpenSSL random generator.
 All operations depending on the random generator such as creating keys
 will not work unless the random generator is seeded manually by the
 application.
 
-Instead of manually seeding, a different random generator can be set
-at runtime in openssl.cnf or configured at build time with
--DOPENSSL_DEFAULT_SEED_SRC.
-
 Please read the 'Note on random number generation' section in the
 INSTALL.md instructions and the RAND_DRBG(7) manual page for more
 details.
@@ -1365,11 +1312,6 @@ push @{$config{openssl_feature_defines}},
      map { (my $x = $_) =~ tr|[\-a-z]|[_A-Z]|; "OPENSSL_RAND_SEED_$x" }
         @seed_sources;
 
-my $provider_string = $disabled{"fips-post"} ? "non-compliant FIPS Provider" : "FIPS Provider";
-
-$config{FIPS_VENDOR} =
-    (defined $version{FIPS_VENDOR} ? "$version{FIPS_VENDOR} $provider_string for OpenSSL" : "OpenSSL $provider_string");
-
 # Backward compatibility?
 if ($target =~ m/^CygWin32(-.*)$/) {
     $target = "Cygwin".$1;
@@ -1940,7 +1882,7 @@ foreach my $what (sort keys %disabled) {
 
         $skipdir{engines} = $what if $what eq 'engine';
         $skipdir{"crypto/$skipdir"} = $what
-            unless $what eq 'async' || $what eq 'err' || $what eq 'dso' || $what eq 'http';
+            unless $what eq 'async' || $what eq 'err' || $what eq 'dso';
     }
 }
 

INSTALL.md

@@ -52,8 +52,6 @@ To install OpenSSL, you will need:
  * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md))
  * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md))
  * an ANSI C compiler
- * POSIX C library (at least POSIX.1-2008), or compatible types and
-   functionality.
  * a development environment in the form of development libraries and C
    header files
  * a supported operating system
@@ -67,7 +65,6 @@ issues and other details, please read one of these:
  * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
  * [Notes for the OpenVMS platform](NOTES-VMS.md)
  * [Notes for the HPE NonStop platform](NOTES-NONSTOP.md)
- * [Notes on POSIX](NOTES-POSIX.md)
  * [Notes on Perl](NOTES-PERL.md)
  * [Notes on Valgrind](NOTES-VALGRIND.md)
 
@@ -510,6 +507,11 @@ This source is ignored by the FIPS provider.
 Use the `RDSEED` or `RDRAND` command on x86 or `RNDRRS` command on aarch64
 if provided by the CPU.
 
+### librandom
+
+Use librandom (not implemented yet).
+This source is ignored by the FIPS provider.
+
 ### none
 
 Disable automatic seeding.  This is the default on some operating systems where
@@ -521,35 +523,6 @@ at the end of this document.
 
 [rng]: #notes-on-random-number-generation
 
-### jitter
-
-When configured with `enable-jitter`, a "JITTER" RNG is compiled that
-can provide an alternative software seed source. It can be configured
-by setting `seed` option in `openssl.cnf`. A minimal `openssl.cnf` is
-shown below:
-
-    openssl_conf = openssl_init
-
-    [openssl_init]
-    random = random
-
-    [random]
-    seed=JITTER
-
-It uses a statically linked [jitterentropy-library] as the seed source.
-
-Additional configuration flags available:
-
-    --with-jitter-include=DIR
-
-The directory for the location of the jitterentropy.h include file, if
-it is outside the system include path.
-
-    --with-jitter-lib=DIR
-
-This is the directory containing the static libjitterentropy.a
-library, if it is outside the system library path.
-
 Setting the FIPS HMAC key
 -------------------------
 
@@ -781,12 +754,6 @@ Don't build support for Elliptic Curves.
 
 Don't build support for binary Elliptic Curves
 
-### no-tls-deprecated-ec
-
-Disable legacy TLS EC groups that were deprecated in RFC8422.  These are the
-Koblitz curves, B<secp160r1>, B<secp160r2>, B<secp192r1>, B<secp224r1>, and the
-binary Elliptic curves that would also be disabled by C<no-ec2m>.
-
 ### enable-ec_nistp_64_gcc_128
 
 Enable support for optimised implementations of some commonly used NIST
@@ -840,26 +807,6 @@ Build (and install) the FIPS provider
 Don't perform FIPS module run-time checks related to enforcement of security
 parameters such as minimum security strength of keys.
 
-### no-fips-post
-
-Don't perform FIPS module Power On Self Tests.
-
-This option MUST be used for debugging only as it makes the FIPS provider
-non-compliant. It is useful when setting breakpoints in FIPS algorithms.
-
-### enable-fips-jitter
-
-Use the CPU Jitter library as a FIPS validated entropy source.
-
-This option will only produce a compliant FIPS provider if you have:
-
-1. independently performed the required [SP 800-90B] entropy assessments;
-2. meet the minimum required entropy as specified by [jitterentropy-library];
-3. obtain an [ESV] certificate for the [jitterentropy-library] and
-4. have had the resulting FIPS provider certified by the [CMVP].
-
-Failure to do all of these will produce a non-compliant FIPS provider.
-
 ### enable-fuzz-libfuzzer, enable-fuzz-afl
 
 Build with support for fuzzing using either libfuzzer or AFL.
@@ -891,16 +838,6 @@ Disabling this also disables the legacy algorithms: MD2 (already disabled by def
 
 Don't generate dependencies.
 
-### no-ml-dsa
-
-Disable Module-Lattice-Based Digital Signature Standard (ML-DSA) support.
-ML-DSA is based on CRYSTALS-DILITHIUM. See [FIPS 204].
-
-### no-ml-kem
-
-Disable Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
-support.  ML-KEM is based on CRYSTALS-KYBER. See [FIPS 203].
-
 ### no-module
 
 Don't build any dynamically loadable engines.
@@ -933,10 +870,6 @@ As synonym for `no-padlockeng`.  Deprecated and should not be used.
 
 Don't build with support for Position Independent Code.
 
-### enable-pie
-
-Build with support for Position Independent Execution.
-
 ### no-pinshared
 
 Don't pin the shared libraries.
@@ -990,11 +923,6 @@ Do not create shared libraries, only static ones.
 
 See [Notes on shared libraries](#notes-on-shared-libraries) below.
 
-### no-slh-dsa
-
-Disable Stateless Hash Based Digital Signature Standard support.
-(SLH-DSA is based on SPHINCS+. See [FIPS 205])
-
 ### no-sm2-precomp
 
 Disable using the SM2 precomputed table on aarch64 to make the library smaller.
@@ -1099,17 +1027,6 @@ Build with support for the integrated tracing api.
 
 See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.
 
-### enable-sslkeylog
-
-Build with support for the SSLKEYLOGFILE environment variable
-
-When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
-during a TLS handshake for use in analysis tools like wireshark.  Note that the
-use of this mechanism allows for decryption of application payloads found in
-captured packets using keys from the key log file and therefore has significant
-security consequences.  See Section 3 of
-[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
-
 ### no-ts
 
 Don't build Time Stamping (TS) Authority support.
@@ -1196,10 +1113,6 @@ synonymous with `no-ssl3`.  Note this only affects version negotiation.
 OpenSSL will still provide the methods for applications to explicitly select
 the individual protocol versions.
 
-### no-integrity-only-ciphers
-
-Don't build support for integrity only ciphers in tls.
-
 ### no-{protocol}-method
 
     no-{ssl3|tls1|tls1_1|tls1_2|dtls1|dtls1_2}-method
@@ -1221,9 +1134,9 @@ Build with support for the specified algorithm.
 ### no-{algorithm}
 
     no-{aria|bf|blake2|camellia|cast|chacha|cmac|
-        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ml-dsa|
-        ml-kem|ocb|poly1305|rc2|rc4|rmd160|scrypt|
-        seed|siphash|siv|sm2|sm3|sm4|whirlpool}
+        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
+        poly1305|rc2|rc4|rmd160|scrypt|seed|
+        siphash|siv|sm2|sm3|sm4|whirlpool}
 
 Build without support for the specified algorithm.
 
@@ -1721,12 +1634,6 @@ described here.  Examine the Makefiles themselves for the full list.
     build_docs
                    Build all documentation components.
 
-    debuginfo
-                    On unix platforms, this target can be used to create .debug
-                    libraries, which separate the DWARF information in the
-                    shared library ELF files into a separate file for use
-                    in post-mortem (core dump) debugging
-
     clean
                    Remove all build artefacts and return the directory to a "clean"
                    state.
@@ -2051,24 +1958,3 @@ is used, as it is the version of the GNU assembler that will be checked.
 
 [10-main.conf]:
     Configurations/10-main.conf
-
-[CMVP]:
-    <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
-
-[ESV]:
-    <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
-
-[FIPS 203]:
-    <https://csrc.nist.gov/pubs/fips/203/final>
-
-[FIPS 204]:
-    <https://csrc.nist.gov/pubs/fips/204/final>
-
-[SP 800-90B]:
-    <https://csrc.nist.gov/pubs/sp/800/90/b/final>
-
-[jitterentropy-library]:
-    <https://github.com/smuellerDD/jitterentropy-library>
-
-[FIPS 205]:
-    <https://csrc.nist.gov/pubs/fips/205/final>

NEWS.md

@@ -7,8 +7,6 @@ release. For more details please read the CHANGES file.
 OpenSSL Releases
 ----------------
 
- - [OpenSSL 3.5](#openssl-35)
- - [OpenSSL 3.4](#openssl-34)
  - [OpenSSL 3.3](#openssl-33)
  - [OpenSSL 3.2](#openssl-32)
  - [OpenSSL 3.1](#openssl-31)
@@ -20,57 +18,16 @@ OpenSSL Releases
  - [OpenSSL 1.0.0](#openssl-100)
  - [OpenSSL 0.9.x](#openssl-09x)
 
-OpenSSL 3.5
+OpenSSL 3.3
 -----------
 
-### Major changes between OpenSSL 3.5 and OpenSSL 3.6 [under development]
+### Major changes between OpenSSL 3.3.3 and OpenSSL 3.3.4 [under development]
 
   * none
 
-### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development]
+### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [11 Feb 2025]
 
-OpenSSL 3.5.0 is a feature release adding significant new functionality to
-OpenSSL.
-
-This release incorporates the following potentially significant or incompatible
-changes:
-
-  * Default encryption cipher for the `req`, `cms`, and `smime` applications
-    changed from `des-ede3-cbc` to `aes-256-cbc`.
-
-  * The TLS supported groups list has been changed in favor of PQC support.
-
-  * The default TLS keyshares have been changed to offer X25519MLKEM768 and
-    and X25519.
-
-This release adds the following new features:
-
-  * Support for server side QUIC (RFC 9000)
-
-  * Support for 3rd party QUIC stacks
-
-  * Support for PQC algorithms (ML-KEM, ML-DSA, SLH-DSA)
-
-  * Allow the FIPS provider to optionally use the `JITTER` seed source.
-    Because this seed source is not part of the OpenSSL FIPS validations,
-    it should only be enabled after the [jitterentropy-library] has been
-    assessed for entropy quality.  Moreover, the FIPS provider including
-    this entropy source will need to obtain an [ESV] from the [CMVP] before
-    FIPS compliance can be claimed.  Enable this using the configuration
-    option `enable-fips-jitter`.
-
-  * Support for central key generation in CMP
-
-  * Support added for opaque symmetric key objects (EVP_SKEY).
-
-  * Support for multiple TLS keyshares.
-
-OpenSSL 3.4
------------
-
-### Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [11 Feb 2025]
-
-OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this
+OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
 release is High.
 
 This release incorporates the following bug fixes and mitigations:
@@ -81,78 +38,6 @@ This release incorporates the following bug fixes and mitigations:
   * Fixed timing side-channel in ECDSA signature computation.
     ([CVE-2024-13176])
 
-### Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]
-
-OpenSSL 3.4.0 is a feature release adding significant new functionality to
-OpenSSL.
-
-This release incorporates the following potentially significant or incompatible
-changes:
-
-  * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement
-    TS_VERIFY_CTX_set0_* functions with improved semantics
-
-  * Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
-    what were formerly build time locations can now be defined at run time
-    with registry keys
-
-  * The X25519 and X448 key exchange implementation in the FIPS provider
-    is unapproved and has `fips=no` property.
-
-  * SHAKE-128 and SHAKE-256 implementations have no default digest length
-    anymore. That means these algorithms cannot be used with
-    EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
-
-  * Setting `config_diagnostics=1` in the config file will cause errors to
-    be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
-    in the ssl module configuration.
-
-  * An empty renegotiate extension will be used in TLS client hellos instead
-    of the empty renegotiation SCSV, for all connections with a minimum TLS
-    version > 1.0.
-
-  * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
-    SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
-    functions which are Y2038-safe on platforms with Y2038-safe `time_t`
-
-This release adds the following new features:
-
-  * Support for directly fetched composite signature algorithms such as
-    RSA-SHA2-256 including new API functions
-
-  * FIPS indicators support in the FIPS provider and various updates of the FIPS
-    provider required for future FIPS 140-3 validations
-
-  * Implementation of RFC 9579 (PBMAC1) in PKCS#12
-
-  * An optional additional random seed source RNG `JITTER` using a statically
-    linked jitterentropy library
-
-  * New options `-not_before` and `-not_after` for explicit setting start and
-    end dates of certificates created with the `req` and `x509` apps
-
-  * Support for integrity-only cipher suites TLS_SHA256_SHA256 and
-    TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
-
-  * Support for retrieving certificate request templates and CRLs in CMP
-
-  * Support for additional X.509v3 extensions related to Attribute Certificates
-
-  * Initial Attribute Certificate (RFC 5755) support
-
-  * Possibility to customize ECC groups initialization to use precomputed values
-    to save CPU time and use of this feature by the P-256 implementation
-
-OpenSSL 3.3
------------
-
-### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development]
-
-OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
-release is Low.
-
-This release incorporates the following bug fixes and mitigations:
-
   * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
     curve parameters.
     ([CVE-2024-9143])
@@ -246,8 +131,6 @@ This release adds the following new features:
   * Added X509_STORE_get1_objects to avoid issues with the existing
     X509_STORE_get0_objects API in multi-threaded applications.
 
-  * Support for using certificate profiles and extened delayed delivery in CMP
-
 This release incorporates the following potentially significant or incompatible
 changes:
 
@@ -255,7 +138,7 @@ changes:
 
   * Optimized AES-CTR for ARM Neoverse V1 and V2
 
-  * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
+  * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
     similar to M1/M2.
 
   * Various optimizations for cryptographic routines using RISC-V vector crypto
@@ -2059,6 +1942,3 @@ OpenSSL 0.9.x
 [CHANGES.md]: ./CHANGES.md
 [README-QUIC.md]: ./README-QUIC.md
 [issue tracker]: https://github.com/openssl/openssl/issues
-[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
-[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
-[jitterentropy-library]: https://github.com/smuellerDD/jitterentropy-library

NOTES-ANSI.md

@@ -1,33 +0,0 @@
-Notes on ANSI C
-===============
-
-When building for pure ANSI C (C89/C90), you must configure with at least
-the following configuration settings:
-
--   `no-asm`
-
-    There are cases of `asm()` calls in our C source, which isn't supported
-    in pure ANSI C.
-
--   `no-secure-memory`
-
-    The secure memory calls aren't supported with ANSI C.
-
--   `-D_XOPEN_SOURCE=1`
-
-    This macro enables the use of the following types, functions and global
-    variables:
-
-    -   `timezone`
-
--   `-D_POSIX_C_SOURCE=200809L`
-
-    This macro enables the use of the following types, functions and global
-    variables:
-
-    -   `ssize_t`
-    -   `strdup()`
-
-It's arguable that with gcc and clang, all of these issues are removed when
-defining the macro `_DEFAULT_SOURCE`.  However, that effectively sets the C
-language level to C99, which isn't ANSI C.

NOTES-NONSTOP.md

@@ -30,16 +30,9 @@ for each on the TNS/X (L-Series) platform:
 
  * `nonstop-nsx` or default will select an unthreaded 32-bit build.
  * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
- * `nonstop-nsx_64_klt` selects the 64-bit memory and file length KLT build.
  * `nonstop-nsx_put` selects the PUT build.
  * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.
 
-The KLT threading model is a newly released model on NonStop. It implements
-kernel-level threading. KLT provides much closer threading to what OpenSSL
-uses for Linux-like threading models. KLT continues to use the pthread library
-API. There is no supported 32-bit or Guardian builds for KLT. Note: KLT is
-not currently available but is planned for post-2024.
-
 The SPT threading model is no longer supported as of OpenSSL 3.2.
 
 The PUT model is incompatible with the QUIC capability. This capability should
@@ -221,12 +214,15 @@ Example Configure Targets
 -------------------------
 
 For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
-The following assumes that your PWD is set according to your installation
-standards.
+For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
+assumes that your PWD is set according to your installation standards.
 
     ./Configure nonstop-nsx           --prefix=${PWD} \
         --openssldir=${PWD}/ssl no-threads \
         --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
+    ./Configure nonstop-nsx_g         --prefix=${PWD} \
+        --openssldir=${PWD}/ssl no-threads \
+        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
     ./Configure nonstop-nsx_put       --prefix=${PWD} \
         --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
         --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
@@ -236,6 +232,9 @@ standards.
     ./Configure nonstop-nsx_64_put    --prefix=${PWD} \
         --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
         --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
+    ./Configure nonstop-nsx_g_tandem  --prefix=${PWD} \
+        --openssldir=${PWD}/ssl no-threads \
+        --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
 
     ./Configure nonstop-nse           --prefix=${PWD} \
         --openssldir=${PWD}/ssl no-threads \
@@ -252,3 +251,6 @@ standards.
     ./Configure nonstop-nse_64_put    --prefix=${PWD} \
         --openssldir=${PWD}/ssl threads "-D_REENTRANT"
         --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
+    ./Configure nonstop-nse_g_tandem  --prefix=${PWD} \
+        --openssldir=${PWD}/ssl no-threads \
+        --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

NOTES-POSIX.md

@@ -1,20 +0,0 @@
-Notes on POSIX
-==============
-
-There are few instances where OpenSSL requires a POSIX C library, at least
-version 1-2008, or compatible enough functionality.
-
-There are exceptions, though, for platforms that do not have a POSIX
-library, or where there are quirks that need working around.  A notable
-platform is Windows, where POSIX functionality may be available, but where
-the function names are prefixed with an underscore, and where some POSIX
-types are not present (such as `ssize_t`).
-
-Platforms that do have a POSIX library may still not have them accessible
-unless the following macros are defined:
-
-    _POSIX_C_SOURCE=200809L
-    _XOPEN_SOURCE=1
-
-This is, for example, the case when building with gcc or clang and using the
-flag `-ansi`.

NOTES-VALGRIND.md

@@ -1,9 +1,9 @@
 Notes on Valgrind
 =================
 
-[Valgrind](https://valgrind.org/) is a test harness that includes many tools such as memcheck,
+Valgrind is a test harness that includes many tools such as memcheck,
 which is commonly used to check for memory leaks, etc. The default tool
-run by Valgrind is memcheck. There are [other tools available](https://valgrind.org/info/tools.html), but this
+run by Valgrind is memcheck. There are other tools available, but this
 will focus on memcheck.
 
 Valgrind runs programs in a virtual machine, this means OpenSSL unit
@@ -13,11 +13,11 @@ Requirements
 ------------
 
 1. Platform supported by Valgrind
-   - See [Valgrind Supported Platforms](http://valgrind.org/info/platforms.html)
+   See <http://valgrind.org/info/platforms.html>
 2. Valgrind installed on the platform
-   - See [Valgrind Current Releases](http://valgrind.org/downloads/current.html)
+   See <http://valgrind.org/downloads/current.html>
 3. OpenSSL compiled
-   - See [INSTALL.md](INSTALL.md)
+   See [INSTALL.md](INSTALL.md)
 
 Running Tests
 -------------
@@ -32,7 +32,7 @@ to allow programs to find shared libraries. The variable can be modified
 to specify a different executable environment.
 
     EXE_SHELL=\
-    "$(/bin/pwd)/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"
+    "`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"
 
 This will start up Valgrind with the default checker (`memcheck`).
 The `--error-exitcode=1` option specifies that Valgrind should exit with an
@@ -62,11 +62,11 @@ file [test/README.md](test/README.md).
 
 Example command line:
 
-    $ make test EXE_SHELL="$(/bin/pwd)/util/wrap.pl valgrind --error-exitcode=1 \
+    $ make test EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 \
         --leak-check=full -q" OPENSSL_ia32cap=":0"
 
 If an error occurs, you can then run the specific test via the `TESTS` variable
 with the `VERBOSE` or `VF` or `VFP` options to gather additional information.
 
-    $ make test VERBOSE=1 TESTS=test_test EXE_SHELL="$(/bin/pwd)/util/wrap.pl \
+    $ make test VERBOSE=1 TESTS=test_test EXE_SHELL="`/bin/pwd`/util/wrap.pl \
        valgrind --error-exitcode=1 --leak-check=full -q" OPENSSL_ia32cap=":0"

NOTES-WINDOWS.md

@@ -99,41 +99,31 @@ check the INSTALL.md file.
 Installation directories
 ------------------------
 
-On most Unix platforms installation directories are determined at build time via
-constant defines.  On Windows platforms however, installation directories are
-determined via registry keys, as it is common practice to build OpenSSL and
-install it to a variety of locations.
+The default installation directories are derived from environment
+variables.
 
-The following keys:
+For VC-WIN32, the following defaults are use:
 
-    `\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenSSL-<version>-<ctx>\OPENSSLDIR`
-    `\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenSSL-<version>-<ctx>\ENGINESDIR`
-    `\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenSSL-<version>-<ctx>\MODULESDIR`
+    PREFIX:      %ProgramFiles(x86)%\OpenSSL
+    OPENSSLDIR:  %CommonProgramFiles(x86)%\SSL
 
-Can be administratively set, and openssl will take the paths found there as the
-values for OPENSSLDIR, ENGINESDIR and MODULESDIR respectively.
+For VC-WIN64, the following defaults are use:
 
-To enable the reading of registry keys from windows builds, add
-`-DOSSL_WINCTX=<string>`to the Configure command line.  This define is used
-at build-time to construct library build specific registry key paths of the
-format:
-`\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\OpenSSL-<version>-<ctx>`
+    PREFIX:      %ProgramW6432%\OpenSSL
+    OPENSSLDIR:  %CommonProgramW6432%\SSL
 
-Where `<version>` is the major.minor version of the library being
-built, and `<ctx>` is the value specified by `-DOPENSSL_WINCTX`.  This allows
-for multiple openssl builds to be created and installed on a single system, in
-which each library can use its own set of registry keys.
+Should those environment variables not exist (on a pure Win32
+installation for examples), these fallbacks are used:
 
-Note the installer available at <https://github.com/openssl/installer> will set
-these keys when the installer is run.
+    PREFIX:      %ProgramFiles%\OpenSSL
+    OPENSSLDIR:  %CommonProgramFiles%\SSL
 
-A summary table of behavior on Windows platforms
-
-|`OSSL_WINCTX`|Registry key|OpenSSL Behavior                          |
-|-------------|------------|------------------------------------------|
-|Defined      | Defined    |OpenSSL Reads Paths from Registry         |
-|Defined      | Undefined  |OpenSSL returns errors on module/conf load|
-|Undefined    | N/A        |OpenSSL uses build time defaults          |
+ALSO NOTE that those directories are usually write protected, even if
+your account is in the Administrators group.  To work around that,
+start the command prompt by right-clicking on it and choosing "Run as
+Administrator" before running `nmake install`.  The other solution
+is, of course, to choose a different set of directories by using
+`--prefix` and `--openssldir` when configuring.
 
 Special notes for Universal Windows Platform builds, aka `VC-*-UWP`
 -------------------------------------------------------------------
@@ -148,8 +138,8 @@ Native builds using Embarcadero C++Builder
 =========================================
 
 This toolchain (a descendant of Turbo/Borland C++) is an alternative to MSVC.
-OpenSSL currently includes experimental 32-bit and 64-bit configurations targeting the
-Clang-based compiler (`bcc32c.exe` and `bcc64.exe`) in v10.3.3 Community Edition.
+OpenSSL currently includes an experimental 32-bit configuration targeting the
+Clang-based compiler (`bcc32c.exe`) in v10.3.3 Community Edition.
 <https://www.embarcadero.com/products/cbuilder/starter>
 
  1. Install Perl.
@@ -158,8 +148,6 @@ Clang-based compiler (`bcc32c.exe` and `bcc64.exe`) in v10.3.3 Community Edition
 
  3. Go to the root of the OpenSSL source directory and run:
     `perl Configure BC-32 --prefix=%CD%`
-    for Win64 builds use:
-    `perl Configure BC-64 --prefix=%CD%`
 
  4. `make -N`
 

README-FIPS.md

@@ -166,33 +166,3 @@ Documentation about using the FIPS module is available on the [fips_module(7)]
 manual page.
 
  [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html
-
-Entropy Source
-==============
-
-The FIPS provider typically relies on an external entropy source,
-specified during OpenSSL build configuration (default: `os`).  However, by
-enabling the `enable-fips-jitter` option during configuration, an internal
-jitter entropy source will be used instead.  Note that this will cause
-the FIPS provider to operate in a non-compliant mode unless an entropy
-assessment [ESV] and validation through the [CMVP] are additionally conducted.
-
-Note that the `enable-fips-jitter` option is only available in OpenSSL
-versions 3.5 and later.
-
- [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
- [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
-
-3rd-Party Vendor Builds
-=====================================
-
-Some Vendors choose to patch/modify/build their own FIPS provider,
-test it with a Security Laboratory and submit it under their own CMVP
-certificate, instead of using OpenSSL Project submissions. When doing
-so, FIPS provider should uniquely identify its own name and version
-number. The build infrastructure allows to customize FIPS provider
-build information via changes to strings in `VERSION.dat`.
-
-Setting "PRE_RELEASE_TAG" (dashed suffix), "BUILD_METADATA" (plus
-suffix), and "FIPS_VENDOR" allow to control reported FIPS provider
-name and build version as required for CMVP submission.

README.md

@@ -4,10 +4,7 @@ Welcome to the OpenSSL Project
 [![openssl logo]][www.openssl.org]
 
 [![github actions ci badge]][github actions ci]
-![Nightly OS Zoo ci badge](https://github.com/openssl/openssl/actions/workflows/os-zoo.yml/badge.svg)
-![Provider Compatibility](https://github.com/openssl/openssl/actions/workflows/provider-compatibility.yml/badge.svg)
-![Quic Interop](https://github.com/openssl/openssl/actions/workflows/run_quic_interop.yml/badge.svg)
-![Daily checks](https://github.com/openssl/openssl/actions/workflows/run-checker-daily.yml/badge.svg)
+[![appveyor badge]][appveyor jobs]
 
 OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
 for the TLS (formerly SSL), DTLS and QUIC (currently client side only)

VERSION.dat

@@ -1,6 +1,6 @@
 MAJOR=3
-MINOR=6
-PATCH=0
+MINOR=3
+PATCH=4
 PRE_RELEASE_TAG=dev
 BUILD_METADATA=
 RELEASE_DATE=""

apps/asn1parse.c

@@ -217,9 +217,6 @@ int asn1parse_main(int argc, char **argv)
                 i = BIO_read(in, &(buf->data[num]), BUFSIZ);
                 if (i <= 0)
                     break;
-                /* make sure num doesn't overflow */
-                if (i > LONG_MAX - num)
-                    goto end;
                 num += i;
             }
         }

apps/build.info

@@ -16,7 +16,7 @@ $OPENSSLSRC=\
         enc.c errstr.c \
         genpkey.c kdf.c mac.c nseq.c passwd.c pkcs7.c \
         pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
-        s_client.c s_server.c s_time.c sess_id.c skeyutl.c smime.c speed.c \
+        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
         spkac.c verify.c version.c x509.c rehash.c storeutl.c \
         list.c info.c fipsinstall.c pkcs12.c
 IF[{- !$disabled{'ec'} -}]

apps/ca.c

@@ -1,13 +1,11 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
  */
-#include "internal/e_os.h"
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -152,7 +150,7 @@ typedef enum OPTION_choice {
     OPT_IN, OPT_INFORM, OPT_OUT, OPT_DATEOPT, OPT_OUTDIR, OPT_VFYOPT,
     OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
     OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
-    OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, OPT_NOT_BEFORE, OPT_NOT_AFTER,
+    OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
     OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
     OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
     OPT_RAND_SERIAL, OPT_QUIET,
@@ -201,13 +199,10 @@ const OPTIONS ca_options[] = {
      "Always create a random serial; do not store it"},
     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
      "Deprecated; multi-valued RDNs support is always on."},
-    {"startdate", OPT_STARTDATE, 's',
-     "[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
-    {"not_before", OPT_NOT_BEFORE, 's', "An alias for -startdate"},
+    {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
     {"enddate", OPT_ENDDATE, 's',
-     "[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
-    {"not_after", OPT_NOT_AFTER, 's', "An alias for -enddate"},
-    {"days", OPT_DAYS, 'p', "Number of days from today to certify the cert for"},
+     "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
+    {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
     {"extensions", OPT_EXTENSIONS, 's',
      "Extension section (override value in config file)"},
     {"extfile", OPT_EXTFILE, '<',
@@ -364,11 +359,9 @@ opthelp:
             /* obsolete */
             break;
         case OPT_STARTDATE:
-        case OPT_NOT_BEFORE:
             startdate = opt_arg();
             break;
         case OPT_ENDDATE:
-        case OPT_NOT_AFTER:
             enddate = opt_arg();
             break;
         case OPT_DAYS:
@@ -881,8 +874,22 @@ end_of_options:
         if (startdate == NULL)
             startdate =
                 app_conf_try_string(conf, section, ENV_DEFAULT_STARTDATE);
+        if (startdate != NULL && !ASN1_TIME_set_string_X509(NULL, startdate)) {
+            BIO_printf(bio_err,
+                       "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
+            goto end;
+        }
+        if (startdate == NULL)
+            startdate = "today";
+
         if (enddate == NULL)
             enddate = app_conf_try_string(conf, section, ENV_DEFAULT_ENDDATE);
+        if (enddate != NULL && !ASN1_TIME_set_string_X509(NULL, enddate)) {
+            BIO_printf(bio_err,
+                       "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
+            goto end;
+        }
+
         if (days == 0) {
             if (!app_conf_try_number(conf, section, ENV_DEFAULT_DAYS, &days))
                 days = 0;
@@ -891,9 +898,6 @@ end_of_options:
             BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
             goto end;
         }
-        if (days != 0 && enddate != NULL)
-            BIO_printf(bio_err,
-                       "Warning: -enddate or -not_after option overriding -days option\n");
 
         if (rand_ser) {
             if ((serial = BN_new()) == NULL || !rand_serial(serial, NULL)) {
@@ -1667,7 +1671,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
             goto end;
     }
 
-    if (!set_cert_times(ret, startdate, enddate, days, 0))
+    if (!set_cert_times(ret, startdate, enddate, days))
         goto end;
 
     if (enddate != NULL) {

apps/cmp.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -10,7 +10,6 @@
  */
 
 /* This app is disabled when OPENSSL_NO_CMP is defined. */
-#include "internal/e_os.h"
 
 #include <string.h>
 #include <ctype.h>
@@ -95,11 +94,6 @@ static char *opt_oldwithold = NULL;
 static char *opt_newwithnew = NULL;
 static char *opt_newwithold = NULL;
 static char *opt_oldwithnew = NULL;
-static char *opt_crlcert = NULL;
-static char *opt_oldcrl = NULL;
-static char *opt_crlout = NULL;
-static char *opt_template = NULL;
-static char *opt_keyspec = NULL;
 
 /* client authentication */
 static char *opt_ref = NULL;
@@ -124,8 +118,6 @@ static char *opt_profile = NULL;
 /* certificate enrollment */
 static char *opt_newkey = NULL;
 static char *opt_newkeypass = NULL;
-static int opt_centralkeygen = 0;
-static char *opt_newkeyout = NULL;
 static char *opt_subject = NULL;
 static int opt_days = 0;
 static char *opt_reqexts = NULL;
@@ -151,12 +143,6 @@ static int opt_revreason = CRL_REASON_NONE;
 /* credentials format */
 static char *opt_certform_s = "PEM";
 static int opt_certform = FORMAT_PEM;
-/* 
- * DER format is the preferred choice for saving a CRL because it allows for
- * more efficient storage, especially when dealing with large CRLs.
- */
-static char *opt_crlform_s = "DER";
-static int opt_crlform = FORMAT_ASN1;
 static char *opt_keyform_s = NULL;
 static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
@@ -201,9 +187,6 @@ static char *opt_srv_trusted = NULL;
 static char *opt_srv_untrusted = NULL;
 static char *opt_ref_cert = NULL;
 static char *opt_rsp_cert = NULL;
-static char *opt_rsp_key = NULL;
-static char *opt_rsp_keypass = NULL;
-static char *opt_rsp_crl = NULL;
 static char *opt_rsp_extracerts = NULL;
 static char *opt_rsp_capubs = NULL;
 static char *opt_rsp_newwithnew = NULL;
@@ -232,10 +215,8 @@ typedef enum OPTION_choice {
     OPT_CONFIG, OPT_SECTION, OPT_VERBOSITY,
 
     OPT_CMD, OPT_INFOTYPE, OPT_PROFILE, OPT_GENINFO,
-    OPT_TEMPLATE, OPT_KEYSPEC,
 
-    OPT_NEWKEY, OPT_NEWKEYPASS, OPT_CENTRALKEYGEN,
-    OPT_NEWKEYOUT, OPT_SUBJECT,
+    OPT_NEWKEY, OPT_NEWKEYPASS, OPT_SUBJECT,
     OPT_DAYS, OPT_REQEXTS,
     OPT_SANS, OPT_SAN_NODEFAULT,
     OPT_POLICIES, OPT_POLICY_OIDS, OPT_POLICY_OIDS_CRITICAL,
@@ -256,13 +237,12 @@ typedef enum OPTION_choice {
     OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS, OPT_NO_CACHE_EXTRACERTS,
     OPT_SRVCERTOUT, OPT_EXTRACERTSOUT, OPT_CACERTSOUT,
     OPT_OLDWITHOLD, OPT_NEWWITHNEW, OPT_NEWWITHOLD, OPT_OLDWITHNEW,
-    OPT_CRLCERT, OPT_OLDCRL, OPT_CRLOUT,
 
     OPT_REF, OPT_SECRET, OPT_CERT, OPT_OWN_TRUSTED, OPT_KEY, OPT_KEYPASS,
     OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS,
     OPT_UNPROTECTED_REQUESTS,
 
-    OPT_CERTFORM, OPT_CRLFORM, OPT_KEYFORM,
+    OPT_CERTFORM, OPT_KEYFORM,
     OPT_OTHERPASS,
 #ifndef OPENSSL_NO_ENGINE
     OPT_ENGINE,
@@ -287,8 +267,7 @@ typedef enum OPTION_choice {
     OPT_SRV_REF, OPT_SRV_SECRET,
     OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
     OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
-    OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_KEY, OPT_RSP_KEYPASS,
-    OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
+    OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
     OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW,
     OPT_POLL_COUNT, OPT_CHECK_AFTER,
     OPT_GRANT_IMPLICITCONF,
@@ -323,19 +302,11 @@ const OPTIONS cmp_options[] = {
      "Comma-separated list of OID and value to place in generalInfo PKIHeader"},
     {OPT_MORE_STR, 0, 0,
      "of form <OID>:int:<n> or <OID>:str:<s>, e.g. \'1.2.3.4:int:56789, id-kp:str:name'"},
-    { "template", OPT_TEMPLATE, 's',
-      "File to save certTemplate received in genp of type certReqTemplate"},
-    { "keyspec", OPT_KEYSPEC, 's',
-      "Optional file to save Key specification received in genp of type certReqTemplate"},
 
     OPT_SECTION("Certificate enrollment"),
     {"newkey", OPT_NEWKEY, 's',
      "Private or public key for the requested cert. Default: CSR key or client key"},
     {"newkeypass", OPT_NEWKEYPASS, 's', "New private key pass phrase source"},
-    {"centralkeygen", OPT_CENTRALKEYGEN, '-',
-     "Request central (server-side) key generation. Default is local generation"},
-    {"newkeyout", OPT_NEWKEYOUT, 's',
-     "File to save centrally generated key, in PEM format"},
     {"subject", OPT_SUBJECT, 's',
      "Distinguished Name (DN) of subject to use in the requested cert template"},
     {OPT_MORE_STR, 0, 0,
@@ -457,12 +428,6 @@ const OPTIONS cmp_options[] = {
       "File to save NewWithOld cert received in genp of type rootCaKeyUpdate"},
     { "oldwithnew", OPT_OLDWITHNEW, 's',
       "File to save OldWithNew cert received in genp of type rootCaKeyUpdate"},
-    { "crlcert", OPT_CRLCERT, 's',
-      "certificate to request a CRL for in genm of type crlStatusList"},
-    { "oldcrl", OPT_OLDCRL, 's',
-      "CRL to request update for in genm of type crlStatusList"},
-    { "crlout", OPT_CRLOUT, 's',
-      "File to save new CRL received in genp of type 'crls'"},
 
     OPT_SECTION("Client authentication"),
     {"ref", OPT_REF, 's',
@@ -494,8 +459,6 @@ const OPTIONS cmp_options[] = {
     OPT_SECTION("Credentials format"),
     {"certform", OPT_CERTFORM, 's',
      "Format (PEM or DER) to use when saving a certificate to a file. Default PEM"},
-    {"crlform", OPT_CRLFORM, 's',
-     "Format (PEM or DER) to use when saving a CRL to a file. Default DER"},
     {"keyform", OPT_KEYFORM, 's',
      "Format of the key input (ENGINE, other values ignored)"},
     {"otherpass", OPT_OTHERPASS, 's',
@@ -581,14 +544,6 @@ const OPTIONS cmp_options[] = {
      "Certificate to be expected for rr and any oldCertID in kur messages"},
     {"rsp_cert", OPT_RSP_CERT, 's',
      "Certificate to be returned as mock enrollment result"},
-    {"rsp_key", OPT_RSP_KEY, 's',
-     "Private key for the certificate to be returned as mock enrollment result"},
-    {OPT_MORE_STR, 0, 0,
-     "Key to be returned for central key pair generation"},
-    {"rsp_keypass", OPT_RSP_KEYPASS, 's',
-     "Response private key (and cert) pass phrase source"},
-    {"rsp_crl", OPT_RSP_CRL, 's',
-     "CRL to be returned in genp of type crls"},
     {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
      "Extra certificates to be included in mock certification responses"},
     {"rsp_capubs", OPT_RSP_CAPUBS, 's',
@@ -644,10 +599,9 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_config}, {&opt_section}, {(char **)&opt_verbosity},
 
     {&opt_cmd_s}, {&opt_infotype_s}, {&opt_profile}, {&opt_geninfo},
-    {&opt_template}, {&opt_keyspec},
 
-    {&opt_newkey}, {&opt_newkeypass}, {(char **)&opt_centralkeygen},
-    {&opt_newkeyout}, {&opt_subject}, {(char **)&opt_days}, {&opt_reqexts},
+    {&opt_newkey}, {&opt_newkeypass}, {&opt_subject},
+    {(char **)&opt_days}, {&opt_reqexts},
     {&opt_sans}, {(char **)&opt_san_nodefault},
     {&opt_policies}, {&opt_policy_oids}, {(char **)&opt_policy_oids_critical},
     {(char **)&opt_popo}, {&opt_csr},
@@ -669,14 +623,13 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {(char **)&opt_no_cache_extracerts},
     {&opt_srvcertout}, {&opt_extracertsout}, {&opt_cacertsout},
     {&opt_oldwithold}, {&opt_newwithnew}, {&opt_newwithold}, {&opt_oldwithnew},
-    {&opt_crlcert}, {&opt_oldcrl}, {&opt_crlout},
 
     {&opt_ref}, {&opt_secret},
     {&opt_cert}, {&opt_own_trusted}, {&opt_key}, {&opt_keypass},
     {&opt_digest}, {&opt_mac}, {&opt_extracerts},
     {(char **)&opt_unprotected_requests},
 
-    {&opt_certform_s}, {&opt_crlform_s}, {&opt_keyform_s},
+    {&opt_certform_s}, {&opt_keyform_s},
     {&opt_otherpass},
 #ifndef OPENSSL_NO_ENGINE
     {&opt_engine},
@@ -699,8 +652,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
     {&opt_srv_ref}, {&opt_srv_secret},
     {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
     {&opt_srv_trusted}, {&opt_srv_untrusted},
-    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_key}, {&opt_rsp_keypass},
-    {&opt_rsp_crl}, {&opt_rsp_extracerts}, {&opt_rsp_capubs},
+    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_extracerts}, {&opt_rsp_capubs},
     {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew},
 
     {(char **)&opt_poll_count}, {(char **)&opt_check_after},
@@ -1058,19 +1010,6 @@ static int setup_certs(char *files, const char *desc, void *ctx,
     return ok;
 }
 
-static int setup_mock_crlout(void *ctx, const char *file, const char *desc)
-{
-    X509_CRL *crl;
-    int ok;
-
-    if (file == NULL)
-        return 1;
-    if ((crl = load_crl(file, FORMAT_UNDEF, 0, desc)) == NULL)
-        return 0;
-    ok = ossl_cmp_mock_srv_set1_crlOut(ctx, crl);
-    X509_CRL_free(crl);
-    return ok;
-}
 /*
  * parse and transform some options, checking their syntax.
  * Returns 1 on success, 0 on error
@@ -1118,11 +1057,6 @@ static int transform_opts(void)
         CMP_err("unknown option given for certificate storing format");
         return 0;
     }
-    if (opt_crlform_s != NULL
-            && !opt_format(opt_crlform_s, OPT_FMT_PEMDER, &opt_crlform)) {
-        CMP_err("unknown option given for CRL storing format");
-        return 0;
-    }
 
     return 1;
 }
@@ -1213,28 +1147,11 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
     if (opt_rsp_cert == NULL) {
         CMP_warn("no -rsp_cert given for mock server");
     } else {
-        if (!setup_cert(srv_ctx, opt_rsp_cert, opt_rsp_keypass,
+        if (!setup_cert(srv_ctx, opt_rsp_cert, opt_keypass,
                         "cert the mock server returns on certificate requests",
                         (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut))
             goto err;
     }
-    if (opt_rsp_key != NULL) {
-        EVP_PKEY *pkey = load_key_pwd(opt_rsp_key, opt_keyform,
-                                      opt_rsp_keypass, engine,
-                                      "private key for enrollment cert");
-
-        if (pkey == NULL
-            || !ossl_cmp_mock_srv_set1_keyOut(srv_ctx, pkey)) {
-            EVP_PKEY_free(pkey);
-            goto err;
-        }
-        EVP_PKEY_free(pkey);
-    }
-    cleanse(opt_rsp_keypass);
-
-    if (!setup_mock_crlout(srv_ctx, opt_rsp_crl,
-                           "CRL to be returned by the mock server"))
-        goto err;
     if (!setup_certs(opt_rsp_extracerts,
                      "CMP extra certificates for mock server", srv_ctx,
                      (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut))
@@ -1702,27 +1619,11 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
     if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
         return 0;
     if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
-        if (opt_reqin == NULL && opt_newkey == NULL && !opt_centralkeygen
+        if (opt_reqin == NULL && opt_newkey == NULL
             && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
-            CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key."
-                    " Neither central key generation is requested.");
+            CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key");
             return 0;
         }
-        if (opt_popo == OSSL_CRMF_POPO_NONE && !opt_centralkeygen) {
-            CMP_info("POPO is disabled, which implies -centralkeygen");
-            opt_centralkeygen = 1;
-        }
-        if (opt_centralkeygen) {
-            if (opt_popo > OSSL_CRMF_POPO_NONE) {
-                CMP_err1("-popo value %d is inconsistent with -centralkeygen", opt_popo);
-                return 0;
-            }
-            if (opt_newkeyout == NULL) {
-                CMP_err("-newkeyout not given, nowhere to save centrally generated key");
-                return 0;
-            }
-            opt_popo = OSSL_CRMF_POPO_NONE;
-        }
         if (opt_newkey == NULL
             && opt_popo != OSSL_CRMF_POPO_NONE
             && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
@@ -1770,12 +1671,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             CMP_warn1("-policies %s", msg);
         if (opt_policy_oids != NULL)
             CMP_warn1("-policy_oids %s", msg);
-        if (opt_popo != OSSL_CRMF_POPO_NONE - 1)
-            CMP_warn1("-popo %s", msg);
-        if (opt_centralkeygen)
-            CMP_warn1("-popo -1 or -centralkeygen %s", msg);
-        if (opt_newkeyout != NULL)
-            CMP_warn1("-newkeyout %s", msg);
         if (opt_cmd != CMP_P10CR) {
             if (opt_implicit_confirm)
                 CMP_warn1("-implicit_confirm %s, and 'p10cr'", msg);
@@ -1880,14 +1775,13 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             pkey = load_pubkey(file, format, 0, pass, engine, desc);
             priv = 0;
         }
-
+        cleanse(opt_newkeypass);
         if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
             EVP_PKEY_free(pkey);
             return 0;
         }
     } else if (opt_reqin != NULL
-               && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL
-               && !opt_centralkeygen) {
+               && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
         if (!set_fallback_pubkey(ctx))
             return 0;
     }
@@ -2021,20 +1915,20 @@ static int add_certProfile(OSSL_CMP_CTX *ctx, const char *name)
 
     if ((sk = sk_ASN1_UTF8STRING_new_reserve(NULL, 1)) == NULL)
         return 0;
-    if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
-        goto err;
-    if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
-        ASN1_STRING_free(utf8string);
-        goto err;
-    }
-    /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
-    (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
-    if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
-        goto err;
-    if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
-        return 1;
-    OSSL_CMP_ITAV_free(itav);
-    return 0;
+   if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
+       goto err;
+   if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
+       ASN1_STRING_free(utf8string);
+       goto err;
+   }
+   /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
+   (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
+   if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
+       goto err;
+   if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
+       return 1;
+   OSSL_CMP_ITAV_free(itav);
+   return 0;
 
  err:
     sk_ASN1_UTF8STRING_pop_free(sk, ASN1_UTF8STRING_free);
@@ -2079,7 +1973,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
             if (*ptr != '\0') {
                 if (*ptr != ',') {
                     CMP_err1("Missing ',' or end of -geninfo arg after int at %.40s",
-                             ptr);
+                        ptr);
                     goto err;
                 }
                 ptr++;
@@ -2238,17 +2132,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         if (opt_oldwithnew != NULL)
             CMP_warn1("-oldwithnew %s", msg);
     }
-    if (opt_cmd != CMP_GENM || opt_infotype != NID_id_it_certReqTemplate) {
-        const char *msg = "option is ignored unless -cmd 'genm' and -infotype 'certReqTemplate' is given";
-
-        if (opt_template != NULL)
-            CMP_warn1("-template %s", msg);
-        if (opt_keyspec != NULL)
-            CMP_warn1("-keyspec %s", msg);
-    } else {
-        if (opt_template == NULL)
-            CMP_err("missing -template option for genm with infotype certReqTemplate");
-    }
 
     if (!setup_verification_ctx(ctx))
         goto err;
@@ -2365,18 +2248,6 @@ static int write_cert(BIO *bio, X509 *cert)
     return 0;
 }
 
-static int write_crl(BIO *bio, X509_CRL *crl)
-{
-    if (opt_crlform != FORMAT_PEM && opt_crlform != FORMAT_ASN1) {
-        BIO_printf(bio_err, "error: unsupported type '%s' for writing CRLs\n",
-                   opt_crlform_s);
-        return 0;
-    }
-
-    return opt_crlform == FORMAT_PEM ? PEM_write_bio_X509_CRL(bio, crl)
-                                      : i2d_X509_CRL_bio(bio, crl);
-}
-
 /*
  * If file != NULL writes out a stack of certs to the given file.
  * If certs is NULL, the file is emptied.
@@ -2424,35 +2295,6 @@ static int save_free_certs(STACK_OF(X509) *certs,
     return n;
 }
 
-static int save_crl(X509_CRL *crl,
-                    const char *file, const char *desc)
-{
-    BIO *bio = NULL;
-    int res = 0;
-
-    if (file == NULL)
-        return 1;
-    if (crl != NULL)
-        CMP_info2("received %s, saving to file '%s'", desc, file);
-
-    if ((bio = BIO_new(BIO_s_file())) == NULL
-            || !BIO_write_filename(bio, (char *)file)) {
-        CMP_err2("could not open file '%s' for writing %s",
-                 file, desc);
-        goto end;
-    }
-
-    if (!write_crl(bio, crl)) {
-        CMP_err2("cannot write %s to file '%s'", desc, file);
-        goto end;
-    }
-    res = 1;
-
- end:
-    BIO_free(bio);
-    return res;
-}
-
 static int delete_file(const char *file, const char *desc)
 {
     if (file == NULL)
@@ -2486,64 +2328,6 @@ static int save_cert_or_delete(X509 *cert, const char *file, const char *desc)
     }
 }
 
-static int save_crl_or_delete(X509_CRL *crl, const char *file, const char *desc)
-{
-    if (file == NULL)
-        return 1;
-    return (crl == NULL) ? delete_file(file, desc) : save_crl(crl, file, desc);
-}
-
-static int save_template(const char *file, const OSSL_CRMF_CERTTEMPLATE *tmpl)
-{
-    BIO *bio = BIO_new_file(file, "wb");
-
-    if (bio == NULL) {
-        CMP_err1("error saving certTemplate from genp: cannot open file %s",
-                 file);
-        return 0;
-    }
-    if (!ASN1_i2d_bio_of(OSSL_CRMF_CERTTEMPLATE, i2d_OSSL_CRMF_CERTTEMPLATE,
-                         bio, tmpl)) {
-        CMP_err1("error saving certTemplate from genp: cannot write file %s",
-                 file);
-        return 0;
-    } else {
-        CMP_info1("stored certTemplate from genp to file '%s'", file);
-    }
-    BIO_free(bio);
-    return 1;
-}
-
-static int save_keyspec(const char *file, const OSSL_CMP_ATAVS *keyspec)
-{
-    BIO *bio = BIO_new_file(file, "wb");
-
-    if (bio == NULL) {
-        CMP_err1("error saving keySpec from genp: cannot open file %s", file);
-        return 0;
-    }
-
-    if (!ASN1_i2d_bio_of(OSSL_CMP_ATAVS, i2d_OSSL_CMP_ATAVS, bio, keyspec)) {
-        CMP_err1("error saving keySpec from genp: cannot write file %s", file);
-        return 0;
-    } else {
-        CMP_info1("stored keySpec from genp to file '%s'", file);
-    }
-    BIO_free(bio);
-    return 1;
-}
-
-static const char *nid_name(int nid)
-{
-    const char *name = OBJ_nid2ln(nid);
-
-    if (name == NULL)
-        name = OBJ_nid2sn(nid);
-    if (name == NULL)
-        name = "<unknown OID>";
-    return name;
-}
-
 static int print_itavs(const STACK_OF(OSSL_CMP_ITAV) *itavs)
 {
     int i, ret = 1;
@@ -2943,15 +2727,6 @@ static int get_opts(int argc, char **argv)
         case OPT_OLDWITHNEW:
             opt_oldwithnew = opt_str();
             break;
-        case OPT_CRLCERT:
-            opt_crlcert = opt_str();
-            break;
-        case OPT_OLDCRL:
-            opt_oldcrl = opt_str();
-            break;
-        case OPT_CRLOUT:
-            opt_crlout = opt_str();
-            break;
 
         case OPT_V_CASES:
             if (!opt_verify(o, vpm))
@@ -2969,24 +2744,13 @@ static int get_opts(int argc, char **argv)
         case OPT_GENINFO:
             opt_geninfo = opt_str();
             break;
-        case OPT_TEMPLATE:
-            opt_template = opt_str();
-            break;
-        case OPT_KEYSPEC:
-            opt_keyspec = opt_str();
-            break;
+
         case OPT_NEWKEY:
             opt_newkey = opt_str();
             break;
         case OPT_NEWKEYPASS:
             opt_newkeypass = opt_str();
             break;
-        case OPT_CENTRALKEYGEN:
-            opt_centralkeygen = 1;
-            break;
-        case OPT_NEWKEYOUT:
-            opt_newkeyout = opt_str();
-            break;
         case OPT_SUBJECT:
             opt_subject = opt_str();
             break;
@@ -3058,9 +2822,6 @@ static int get_opts(int argc, char **argv)
         case OPT_CERTFORM:
             opt_certform_s = opt_str();
             break;
-        case OPT_CRLFORM:
-            opt_crlform_s = opt_str();
-            break;
         case OPT_KEYFORM:
             opt_keyform_s = opt_str();
             break;
@@ -3144,15 +2905,6 @@ static int get_opts(int argc, char **argv)
         case OPT_RSP_CERT:
             opt_rsp_cert = opt_str();
             break;
-        case OPT_RSP_KEY:
-            opt_rsp_key = opt_str();
-            break;
-        case OPT_RSP_KEYPASS:
-            opt_rsp_keypass = opt_str();
-            break;
-        case OPT_RSP_CRL:
-            opt_rsp_crl = opt_str();
-            break;
         case OPT_RSP_EXTRACERTS:
             opt_rsp_extracerts = opt_str();
             break;
@@ -3295,71 +3047,6 @@ static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx)
 }
 #endif
 
-static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
-{
-    const char *desc = "specifications contained in keySpec from genp";
-    BIO *mem;
-    int i;
-    const char *p;
-    long len;
-
-    if (keySpec == NULL) {
-        CMP_info1("No %s", desc);
-        return;
-    }
-
-    mem = BIO_new(BIO_s_mem());
-    if (mem == NULL) {
-        CMP_err1("Out of memory - cannot dump key %s", desc);
-        return;
-    }
-    BIO_printf(mem, "Key %s:\n", desc);
-
-    for (i = 0; i < sk_OSSL_CMP_ATAV_num(keySpec); i++) {
-        OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(keySpec, i);
-        ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
-        int nid = OBJ_obj2nid(type);
-
-        switch (nid) {
-        case NID_id_regCtrl_algId:
-            {
-                X509_ALGOR *alg = OSSL_CMP_ATAV_get0_algId(atav);
-                const ASN1_OBJECT *oid;
-                int paramtype;
-                const void *param;
-
-                X509_ALGOR_get0(&oid, &paramtype, &param, alg);
-                BIO_printf(mem, "Key algorithm: ");
-                i2a_ASN1_OBJECT(mem, oid);
-                if (paramtype == V_ASN1_UNDEF || alg->parameter == NULL) {
-                    BIO_printf(mem, "\n");
-                } else {
-                    BIO_printf(mem, " - ");
-                    ASN1_item_print(mem, (ASN1_VALUE *)alg,
-                                    0, ASN1_ITEM_rptr(X509_ALGOR), NULL);
-                }
-            }
-            break;
-        case NID_id_regCtrl_rsaKeyLen:
-            BIO_printf(mem, "Key algorithm: RSA %d\n",
-                       OSSL_CMP_ATAV_get_rsaKeyLen(atav));
-            break;
-        default:
-            BIO_printf(mem, "Invalid key spec: %s\n", nid_name(nid));
-            break;
-        }
-    }
-    BIO_printf(mem, "End of key %s", desc);
-
-    len = BIO_get_mem_data(mem, &p);
-    if (len > INT_MAX)
-        CMP_err1("Info too large - cannot dump key %s", desc);
-    else
-        CMP_info2("%.*s", (int)len, p);
-    BIO_free(mem);
-    return;
-}
-
 static void print_status(void)
 {
     /* print PKIStatusInfo */
@@ -3454,94 +3141,6 @@ static int do_genm(OSSL_CMP_CTX *ctx)
     end_upd:
         X509_free(oldwithold);
         return res;
-    } else if (opt_infotype == NID_id_it_crlStatusList) {
-        X509_CRL *oldcrl = NULL, *crl = NULL;
-        X509 *crlcert = NULL;
-        int res = 0;
-        const char *desc = "CRL from genp of type 'crls'";
-
-        if (opt_oldcrl == NULL && opt_crlcert == NULL) {
-            CMP_err("Missing -oldcrl and no -crlcert given for -infotype crlStatusList");
-            return 0;
-        }
-        if (opt_crlout == NULL) {
-            CMP_err("Missing -crlout for -infotype crlStatusList");
-            return 0;
-        }
-
-        if (opt_crlcert != NULL) {
-            crlcert = load_cert_pwd(opt_crlcert, opt_otherpass,
-                                    "Cert for genm with -infotype crlStatusList");
-            if (crlcert == NULL)
-                goto end_crlupd;
-        }
-
-        if (opt_oldcrl != NULL) {
-            oldcrl = load_crl(opt_oldcrl, FORMAT_UNDEF, 0,
-                              "CRL for genm with -infotype crlStatusList");
-            if (oldcrl == NULL)
-                goto end_crlupd;
-        }
-
-        if (opt_oldcrl != NULL && opt_crlcert != NULL) {
-            if (X509_NAME_cmp(X509_CRL_get_issuer(oldcrl),
-                              X509_get_issuer_name(crlcert))
-                != 0)
-                CMP_warn("-oldcrl and -crlcert have different issuer");
-        }
-
-        if (!OSSL_CMP_get1_crlUpdate(ctx, crlcert, oldcrl, &crl))
-            goto end_crlupd;
-
-        if (crl == NULL)
-            CMP_info("no CRL update available");
-        if (!save_crl_or_delete(crl, opt_crlout, desc))
-            goto end_crlupd;
-
-        res = 1;
-
-    end_crlupd:
-        X509_free(crlcert);
-        X509_CRL_free(oldcrl);
-        X509_CRL_free(crl);
-        return res;
-
-    } else if (opt_infotype == NID_id_it_certReqTemplate) {
-        OSSL_CRMF_CERTTEMPLATE *certTemplate;
-        OSSL_CMP_ATAVS *keySpec;
-        int res = 0;
-
-        if (!OSSL_CMP_get1_certReqTemplate(ctx, &certTemplate, &keySpec))
-            return 0;
-
-        if (certTemplate == NULL) {
-            CMP_warn("no certificate request template available");
-            if (!delete_file(opt_template, "certTemplate from genp"))
-                return 0;
-            if (opt_keyspec != NULL
-                && !delete_file(opt_keyspec, "keySpec from genp"))
-                return 0;
-            return 1;
-        }
-        if (!save_template(opt_template, certTemplate))
-            goto tmpl_end;
-
-        print_keyspec(keySpec);
-        if (opt_keyspec != NULL) {
-            if (keySpec == NULL) {
-                CMP_warn("no key specifications available");
-                if (!delete_file(opt_keyspec, "keySpec from genp"))
-                    goto tmpl_end;
-            } else if (!save_keyspec(opt_keyspec, keySpec)) {
-                goto tmpl_end;
-            }
-        }
-
-        res = 1;
-    tmpl_end:
-        OSSL_CRMF_CERTTEMPLATE_free(certTemplate);
-        sk_OSSL_CMP_ATAV_pop_free(keySpec, OSSL_CMP_ATAV_free);
-        return res;
     } else {
         OSSL_CMP_ITAV *req;
         STACK_OF(OSSL_CMP_ITAV) *itavs;
@@ -3759,10 +3358,10 @@ int cmp_main(int argc, char **argv)
     if (opt_reqout_only != NULL) {
         const char *msg = "option is ignored since -reqout_only option is given";
 
-# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (opt_server != NULL)
             CMP_warn1("-server %s", msg);
-# endif
+#endif
         if (opt_use_mock_srv)
             CMP_warn1("-use_mock_srv %s", msg);
         if (opt_reqout != NULL)
@@ -3857,34 +3456,6 @@ int cmp_main(int argc, char **argv)
             if (save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
                                 opt_cacertsout, "CA") < 0)
                 goto err;
-            if (opt_centralkeygen) {
-                EVP_CIPHER *cipher = NULL;
-                char *pass_string = NULL;
-                BIO *out;
-                int result = 1;
-                EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(cmp_ctx, 1 /* priv */);
-
-                if (new_key == NULL)
-                    goto err;
-                if ((out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1)) == NULL)
-                    goto err;
-                if (opt_newkeypass != NULL) {
-                    pass_string = get_passwd(opt_newkeypass,
-                                             "Centrally generated private key password");
-                    cipher = EVP_CIPHER_fetch(app_get0_libctx(), SN_aes_256_cbc, app_get0_propq());
-                }
-
-                CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
-                if (PEM_write_bio_PrivateKey(out, new_key, cipher, NULL, 0, NULL,
-                                             (void *)pass_string) <= 0)
-                    result = 0;
-
-                BIO_free(out);
-                clear_free(pass_string);
-                EVP_CIPHER_free(cipher);
-                if (!result)
-                    goto err;
-            }
         }
         if (!OSSL_CMP_CTX_reinit(cmp_ctx))
             goto err;

apps/cms.c

@@ -69,8 +69,7 @@ typedef enum OPTION_choice {
     OPT_DIGEST, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
     OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
     OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
-    OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_NO_SIGNING_TIME,
-    OPT_BINARY, OPT_KEYID,
+    OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
     OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
     OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
     OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
@@ -176,10 +175,7 @@ const OPTIONS cms_options[] = {
     OPT_SECTION("Signing"),
     {"md", OPT_MD, 's', "Digest algorithm to use"},
     {"signer", OPT_SIGNER, 's', "Signer certificate input file"},
-    {"certfile", OPT_CERTFILE, '<',
-     "Extra signer and intermediate CA certificates to include when signing"},
-    {OPT_MORE_STR, 0, 0,
-     "or to use as preferred signer certs and for chain building when verifying"},
+    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
     {"cades", OPT_CADES, '-',
      "Include signingCertificate attribute (CAdES-BES)"},
     {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
@@ -187,8 +183,6 @@ const OPTIONS cms_options[] = {
      "Don't include signer's certificate when signing"},
     {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
     {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
-    {"no_signing_time", OPT_NO_SIGNING_TIME, '-',
-     "Omit the signing time attribute"},
     {"receipt_request_all", OPT_RR_ALL, '-',
      "When signing, create a receipt request for all recipients"},
     {"receipt_request_first", OPT_RR_FIRST, '-',
@@ -432,9 +426,6 @@ int cms_main(int argc, char **argv)
         case OPT_NOSMIMECAP:
             flags |= CMS_NOSMIMECAP;
             break;
-        case OPT_NO_SIGNING_TIME:
-            flags |= CMS_NO_SIGNING_TIME;
-            break;
         case OPT_BINARY:
             flags |= CMS_BINARY;
             break;
@@ -730,6 +721,7 @@ int cms_main(int argc, char **argv)
     }
 
     /* Remaining args are files to process. */
+    argc = opt_num_rest();
     argv = opt_rest();
 
     if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) {
@@ -836,8 +828,15 @@ int cms_main(int argc, char **argv)
     }
 
     if (operation == SMIME_ENCRYPT) {
-        if (!cipher)
-            cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
+        if (!cipher) {
+#ifndef OPENSSL_NO_DES
+            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+#else
+            BIO_printf(bio_err, "No cipher selected\n");
+            goto end;
+#endif
+        }
+
         if (secret_key && !secret_keyid) {
             BIO_printf(bio_err, "No secret key id\n");
             goto end;

apps/crl2pkcs7.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -138,9 +138,7 @@ int crl2pkcs7_main(int argc, char **argv)
         if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
             goto end;
         p7s->crl = crl_stack;
-
-        if (!sk_X509_CRL_push(crl_stack, crl))
-            goto end;
+        sk_X509_CRL_push(crl_stack, crl);
         crl = NULL;             /* now part of p7 for OPENSSL_freeing */
     }
 
@@ -218,10 +216,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
     while (sk_X509_INFO_num(sk)) {
         xi = sk_X509_INFO_shift(sk);
         if (xi->x509 != NULL) {
-            if (!sk_X509_push(stack, xi->x509)) {
-                X509_INFO_free(xi);
-                goto end;
-            }
+            sk_X509_push(stack, xi->x509);
             xi->x509 = NULL;
             count++;
         }

apps/demoSRP/srp_verifier.txt

@@ -1,6 +1,6 @@
 # This is a file that will be filled by the openssl srp routine.
 # You can initialize the file with additional groups, these are
-# records starting with an 'I' followed by the 'g' and 'N' values and the ID.
+# records starting with an I followed by the g and N values and the id.
 # The exact values ... you have to dig this out from the source of srp.c
 # or srp_vfy.c
-# The last value of an 'I' is used as the default group for new users.
+# The last value of an I is used as the default group for new users.

apps/dgst.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -24,9 +24,6 @@
 #undef BUFSIZE
 #define BUFSIZE 1024*8
 
-static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
-                              EVP_PKEY *key, unsigned char *sigin, int siglen,
-                              const char *sig_name, const char *file);
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
@@ -96,7 +93,7 @@ const OPTIONS dgst_options[] = {
 
 int dgst_main(int argc, char **argv)
 {
-    BIO *in = NULL, *inp = NULL, *bmd = NULL, *out = NULL;
+    BIO *in = NULL, *inp, *bmd = NULL, *out = NULL;
     ENGINE *e = NULL, *impl = NULL;
     EVP_PKEY *sigkey = NULL;
     STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
@@ -114,8 +111,6 @@ int dgst_main(int argc, char **argv)
     unsigned char *buf = NULL, *sigbuf = NULL;
     int engine_impl = 0;
     struct doall_dgst_digests dec;
-    EVP_MD_CTX *signctx = NULL;
-    int oneshot_sign = 0;
 
     buf = app_malloc(BUFSIZE, "I/O buffer");
     md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
@@ -283,6 +278,8 @@ int dgst_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
+        int type;
+
         if (want_pub)
             sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
         else
@@ -293,16 +290,14 @@ int dgst_main(int argc, char **argv)
              */
             goto end;
         }
-        {
-            char def_md[80];
-
-            if (EVP_PKEY_get_default_digest_name(sigkey, def_md,
-                                                 sizeof(def_md)) == 2
-                    && strcmp(def_md, "UNDEF") == 0)
-                oneshot_sign = 1;
-            signctx = EVP_MD_CTX_new();
-            if (signctx == NULL)
-                goto end;
+        type = EVP_PKEY_get_id(sigkey);
+        if (type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448) {
+            /*
+             * We implement PureEdDSA for these which doesn't have a separate
+             * digest, and only supports one shot.
+             */
+            BIO_printf(bio_err, "Key type not supported for this operation\n");
+            goto end;
         }
     }
 
@@ -347,9 +342,7 @@ int dgst_main(int argc, char **argv)
         EVP_PKEY_CTX *pctx = NULL;
         int res;
 
-        if (oneshot_sign) {
-            mctx = signctx;
-        } else if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
+        if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
             BIO_printf(bio_err, "Error getting context\n");
             goto end;
         }
@@ -386,11 +379,6 @@ int dgst_main(int argc, char **argv)
     /* we use md as a filter, reading from 'in' */
     else {
         EVP_MD_CTX *mctx = NULL;
-
-        if (oneshot_sign) {
-            BIO_printf(bio_err, "Oneshot algorithms don't use a digest\n");
-            goto end;
-        }
         if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
             BIO_printf(bio_err, "Error getting context\n");
             goto end;
@@ -419,20 +407,19 @@ int dgst_main(int argc, char **argv)
             goto end;
         }
     }
-    if (!oneshot_sign) {
-        inp = BIO_push(bmd, in);
+    inp = BIO_push(bmd, in);
 
-        if (md == NULL) {
-            EVP_MD_CTX *tctx;
+    if (md == NULL) {
+        EVP_MD_CTX *tctx;
 
-            BIO_get_md_ctx(bmd, &tctx);
-            md = EVP_MD_CTX_get1_md(tctx);
-        }
-        if (md != NULL)
-            md_name = EVP_MD_get0_name(md);
+        BIO_get_md_ctx(bmd, &tctx);
+        md = EVP_MD_CTX_get1_md(tctx);
     }
+    if (md != NULL)
+        md_name = EVP_MD_get0_name(md);
+
     if (xoflen > 0) {
-        if (!EVP_MD_xof(md)) {
+        if (!(EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF)) {
             BIO_printf(bio_err, "Length can only be specified for XOF\n");
             goto end;
         }
@@ -449,12 +436,8 @@ int dgst_main(int argc, char **argv)
 
     if (argc == 0) {
         BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        if (oneshot_sign)
-            ret = do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
-                                     sigkey, sigbuf, siglen, NULL, "stdin");
-        else
-            ret = do_fp(out, buf, inp, separator, out_bin, xoflen,
-                        sigkey, sigbuf, siglen, NULL, md_name, "stdin");
+        ret = do_fp(out, buf, inp, separator, out_bin, xoflen, sigkey, sigbuf,
+                    siglen, NULL, md_name, "stdin");
     } else {
         const char *sig_name = NULL;
 
@@ -469,16 +452,9 @@ int dgst_main(int argc, char **argv)
                 ret = EXIT_FAILURE;
                 continue;
             } else {
-                if (oneshot_sign) {
-                    if (do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
-                                           sigkey, sigbuf, siglen, sig_name,
-                                           argv[i]))
-                        ret = EXIT_FAILURE;
-                } else {
-                    if (do_fp(out, buf, inp, separator, out_bin, xoflen,
-                              sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
-                        ret = EXIT_FAILURE;
-                }
+                if (do_fp(out, buf, inp, separator, out_bin, xoflen,
+                          sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
+                    ret = EXIT_FAILURE;
             }
             (void)BIO_reset(bmd);
         }
@@ -492,7 +468,6 @@ int dgst_main(int argc, char **argv)
     BIO_free_all(out);
     EVP_MD_free(md);
     EVP_PKEY_free(sigkey);
-    EVP_MD_CTX_free(signctx);
     sk_OPENSSL_STRING_free(sigopts);
     sk_OPENSSL_STRING_free(macopts);
     OPENSSL_free(sigbuf);
@@ -569,54 +544,6 @@ static const char *newline_escape_filename(const char *file, int *backslash)
     return (const char*)file_cpy;
 }
 
-static void print_out(BIO *out, unsigned char *buf, size_t len,
-                      int sep, int binout,
-                      const char *sig_name, const char *md_name, const char *file)
-{
-    int i, backslash = 0;
-
-    if (binout) {
-        BIO_write(out, buf, len);
-    } else if (sep == 2) {
-        file = newline_escape_filename(file, &backslash);
-
-        if (backslash == 1)
-            BIO_puts(out, "\\");
-
-        for (i = 0; i < (int)len; i++)
-            BIO_printf(out, "%02x", buf[i]);
-
-        BIO_printf(out, " *%s\n", file);
-        OPENSSL_free((char *)file);
-    } else {
-        if (sig_name != NULL) {
-            BIO_puts(out, sig_name);
-            if (md_name != NULL)
-                BIO_printf(out, "-%s", md_name);
-            BIO_printf(out, "(%s)= ", file);
-        } else if (md_name != NULL) {
-            BIO_printf(out, "%s(%s)= ", md_name, file);
-        } else {
-            BIO_printf(out, "(%s)= ", file);
-        }
-        for (i = 0; i < (int)len; i++) {
-            if (sep && (i != 0))
-                BIO_printf(out, ":");
-            BIO_printf(out, "%02x", buf[i]);
-        }
-        BIO_printf(out, "\n");
-    }
-}
-
-static void print_verify_result(BIO *out, int i)
-{
-    if (i > 0)
-        BIO_printf(out, "Verified OK\n");
-    else if (i == 0)
-        BIO_printf(out, "Verification failure\n");
-    else
-        BIO_printf(bio_err, "Error verifying data\n");
-}
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
@@ -624,7 +551,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
           const char *file)
 {
     size_t len = BUFSIZE;
-    int i, ret = EXIT_FAILURE;
+    int i, backslash = 0, ret = EXIT_FAILURE;
     unsigned char *allocated_buf = NULL;
 
     while (BIO_pending(bp) || !BIO_eof(bp)) {
@@ -640,9 +567,16 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
         EVP_MD_CTX *ctx;
         BIO_get_md_ctx(bp, &ctx);
         i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
-        print_verify_result(out, i);
-        if (i > 0)
-            ret = EXIT_SUCCESS;
+        if (i > 0) {
+            BIO_printf(out, "Verified OK\n");
+        } else if (i == 0) {
+            BIO_printf(out, "Verification failure\n");
+            goto end;
+        } else {
+            BIO_printf(bio_err, "Error verifying data\n");
+            goto end;
+        }
+        ret = EXIT_SUCCESS;
         goto end;
     }
     if (key != NULL) {
@@ -683,7 +617,39 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
         if ((int)len < 0)
             goto end;
     }
-    print_out(out, buf, len, sep, binout, sig_name, md_name, file);
+
+    if (binout) {
+        BIO_write(out, buf, len);
+    } else if (sep == 2) {
+        file = newline_escape_filename(file, &backslash);
+
+        if (backslash == 1)
+            BIO_puts(out, "\\");
+
+        for (i = 0; i < (int)len; i++)
+            BIO_printf(out, "%02x", buf[i]);
+
+        BIO_printf(out, " *%s\n", file);
+        OPENSSL_free((char *)file);
+    } else {
+        if (sig_name != NULL) {
+            BIO_puts(out, sig_name);
+            if (md_name != NULL)
+                BIO_printf(out, "-%s", md_name);
+            BIO_printf(out, "(%s)= ", file);
+        } else if (md_name != NULL) {
+            BIO_printf(out, "%s(%s)= ", md_name, file);
+        } else {
+            BIO_printf(out, "(%s)= ", file);
+        }
+        for (i = 0; i < (int)len; i++) {
+            if (sep && (i != 0))
+                BIO_printf(out, ":");
+            BIO_printf(out, "%02x", buf[i]);
+        }
+        BIO_printf(out, "\n");
+    }
+
     ret = EXIT_SUCCESS;
  end:
     if (allocated_buf != NULL)
@@ -691,55 +657,3 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
 
     return ret;
 }
-
-/*
- * Some new algorithms only support one shot operations.
- * For these we need to buffer all input and then do the sign on the
- * total buffered input. These algorithms set a NULL digest name which is
- * then used inside EVP_DigestVerify() and EVP_DigestSign().
- */
-static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
-                              EVP_PKEY *key, unsigned char *sigin, int siglen,
-                              const char *sig_name, const char *file)
-{
-    int res, ret = EXIT_FAILURE;
-    size_t len = 0;
-    int buflen = 0;
-    int maxlen = 16 * 1024 * 1024;
-    uint8_t *buf = NULL, *sig = NULL;
-
-    buflen = bio_to_mem(&buf, maxlen, in);
-    if (buflen <= 0) {
-        BIO_printf(bio_err, "Read error in %s\n", file);
-        return ret;
-    }
-    if (sigin != NULL) {
-        res = EVP_DigestVerify(ctx, sigin, siglen, buf, buflen);
-        print_verify_result(out, res);
-        if (res > 0)
-            ret = EXIT_SUCCESS;
-        goto end;
-    }
-    if (key != NULL) {
-        if (EVP_DigestSign(ctx, NULL, &len, buf, buflen) != 1) {
-            BIO_printf(bio_err, "Error getting maximum length of signed data\n");
-            goto end;
-        }
-        sig = app_malloc(len, "Signature buffer");
-        if (EVP_DigestSign(ctx, sig, &len, buf, buflen) != 1) {
-            BIO_printf(bio_err, "Error signing data\n");
-            goto end;
-        }
-        print_out(out, sig, len, sep, binout, sig_name, NULL, file);
-        ret = EXIT_SUCCESS;
-    } else {
-        BIO_printf(bio_err, "key must be set for one-shot algorithms\n");
-        goto end;
-    }
-
- end:
-    OPENSSL_free(sig);
-    OPENSSL_clear_free(buf, buflen);
-
-    return ret;
-}

apps/dhparam.c

@@ -179,6 +179,10 @@ int dhparam_main(int argc, char **argv)
         goto end;
     }
 
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
+        goto end;
+
     /* DH parameters */
     if (num && !g)
         g = 2;
@@ -318,10 +322,6 @@ int dhparam_main(int argc, char **argv)
         }
     }
 
-    out = bio_open_default(outfile, 'w', outformat);
-    if (out == NULL)
-        goto end;
-
     if (text)
         EVP_PKEY_print_params(out, pkey, 4, NULL);
 

apps/dsaparam.c

@@ -150,6 +150,10 @@ int dsaparam_main(int argc, char **argv)
     numbits = num;
     private = genkey ? 1 : 0;
 
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
     ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
     if (ctx == NULL) {
         BIO_printf(bio_err,
@@ -196,10 +200,6 @@ int dsaparam_main(int argc, char **argv)
         goto end;
     }
 
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
     if (text) {
         EVP_PKEY_print_params(out, params, 0, NULL);
     }

apps/ecparam.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -67,11 +67,13 @@ const OPTIONS ecparam_options[] = {
 
 static int list_builtin_curves(BIO *out)
 {
+    int ret = 0;
     EC_builtin_curve *curves = NULL;
     size_t n, crv_len = EC_get_builtin_curves(NULL, 0);
 
     curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
-    EC_get_builtin_curves(curves, crv_len);
+    if (!EC_get_builtin_curves(curves, crv_len))
+        goto end;
 
     for (n = 0; n < crv_len; n++) {
         const char *comment = curves[n].comment;
@@ -85,8 +87,10 @@ static int list_builtin_curves(BIO *out)
         BIO_printf(out, "  %-10s: ", sname);
         BIO_printf(out, "%s\n", comment);
     }
+    ret = 1;
+end:
     OPENSSL_free(curves);
-    return 1;
+    return ret;
 }
 
 int ecparam_main(int argc, char **argv)
@@ -188,18 +192,18 @@ int ecparam_main(int argc, char **argv)
     if (!app_RAND_load())
         goto end;
 
-    if (list_curves) {
-        out = bio_open_owner(outfile, outformat, private);
-        if (out == NULL)
-            goto end;
+    private = genkey ? 1 : 0;
 
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
+    if (list_curves) {
         if (list_builtin_curves(out))
             ret = 0;
         goto end;
     }
 
-    private = genkey ? 1 : 0;
-
     if (curve_name != NULL) {
         OSSL_PARAM params[4];
         OSSL_PARAM *p = params;
@@ -272,12 +276,8 @@ int ecparam_main(int argc, char **argv)
         goto end;
     }
 
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
     if (text
-        && EVP_PKEY_print_params(out, params_key, 0, NULL) <= 0) {
+        && !EVP_PKEY_print_params(out, params_key, 0, NULL)) {
         BIO_printf(bio_err, "unable to print params\n");
         goto end;
     }

apps/enc.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -49,8 +49,7 @@ typedef enum OPTION_choice {
     OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
     OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
     OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
-    OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM,
-    OPT_SKEYOPT, OPT_SKEYMGMT
+    OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
 
 const OPTIONS enc_options[] = {
@@ -106,8 +105,6 @@ const OPTIONS enc_options[] = {
 #ifndef OPENSSL_NO_ZLIB
     {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
 #endif
-    {"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque symmetric key handling"},
-    {"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque symmetric key handling"},
     {"", OPT_CIPHER, '-', "Any supported cipher"},
 
     OPT_R_OPTIONS,
@@ -137,7 +134,6 @@ int enc_main(int argc, char **argv)
     int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
     int ret = 1, inl, nopad = 0;
     unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-    int rawkey_set = 0;
     unsigned char *buff = NULL, salt[EVP_MAX_IV_LENGTH];
     int saltlen = 0;
     int pbkdf2 = 0;
@@ -154,10 +150,6 @@ int enc_main(int argc, char **argv)
     BIO *bbrot = NULL;
     int do_zstd = 0;
     BIO *bzstd = NULL;
-    STACK_OF(OPENSSL_STRING) *skeyopts = NULL;
-    const char *skeymgmt = NULL;
-    EVP_SKEY *skey = NULL;
-    EVP_SKEYMGMT *mgmt = NULL;
 
     /* first check the command name */
     if (strcmp(argv[0], "base64") == 0)
@@ -318,17 +310,6 @@ int enc_main(int argc, char **argv)
         case OPT_NONE:
             cipher = NULL;
             break;
-        case OPT_SKEYOPT:
-            if ((skeyopts == NULL &&
-                 (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
-                sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
-                BIO_printf(bio_err, "%s: out of memory\n", prog);
-                goto end;
-            }
-            break;
-        case OPT_SKEYMGMT:
-            skeymgmt = opt_arg();
-            break;
         case OPT_R_CASES:
             if (!opt_rand(o))
                 goto end;
@@ -410,7 +391,7 @@ int enc_main(int argc, char **argv)
         str = pass;
     }
 
-    if ((str == NULL) && (cipher != NULL) && (hkey == NULL) && (skeyopts == NULL)) {
+    if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
         if (1) {
 #ifndef OPENSSL_NO_UI_CONSOLE
             for (;;) {
@@ -590,7 +571,6 @@ int enc_main(int argc, char **argv)
                 /* split and move data back to global buffer */
                 memcpy(key, tmpkeyiv, iklen);
                 memcpy(iv, tmpkeyiv+iklen, ivlen);
-                rawkey_set = 1;
             } else {
                 BIO_printf(bio_err, "*** WARNING : "
                                     "deprecated key derivation used.\n"
@@ -601,7 +581,6 @@ int enc_main(int argc, char **argv)
                     BIO_printf(bio_err, "EVP_BytesToKey failed\n");
                     goto end;
                 }
-                rawkey_set = 1;
             }
             /*
              * zero the complete buffer or the string passed from the command
@@ -639,16 +618,6 @@ int enc_main(int argc, char **argv)
             }
             /* wiping secret data as we no longer need it */
             cleanse(hkey);
-            rawkey_set = 1;
-        }
-
-        /*
-         * At this moment we know whether we trying to use raw bytes as the key
-         * or an opaque symmetric key. We do not allow both options simultaneously.
-         */
-        if (rawkey_set > 0 && skeyopts != NULL) {
-            BIO_printf(bio_err, "Either a raw key or the 'skeyopt' args must be used.\n");
-            goto end;
         }
 
         if ((benc = BIO_new(BIO_f_cipher())) == NULL)
@@ -664,51 +633,24 @@ int enc_main(int argc, char **argv)
         if (wrap == 1)
             EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
 
-        if (rawkey_set) {
-            if (!EVP_CipherInit_ex(ctx, cipher, e, key,
-                                   (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
-                BIO_printf(bio_err, "Error setting cipher %s\n",
-                           EVP_CIPHER_get0_name(cipher));
-                ERR_print_errors(bio_err);
-                goto end;
-            }
-        } else {
-            OSSL_PARAM *params = NULL;
-
-            mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
-                                      skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
-                                      app_get0_propq());
-            if (mgmt == NULL)
-                goto end;
-
-            params = app_params_new_from_opts(skeyopts,
-                                              EVP_SKEYMGMT_get0_imp_settable_params(mgmt));
-            if (params == NULL)
-                goto end;
-
-            skey = EVP_SKEY_import(app_get0_libctx(), EVP_SKEYMGMT_get0_name(mgmt),
-                                   app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
-            OSSL_PARAM_free(params);
-            if (skey == NULL) {
-                BIO_printf(bio_err, "Error creating opaque key object for skeymgmt %s\n",
-                           skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
-                ERR_print_errors(bio_err);
-                goto end;
-            }
-
-            if (!EVP_CipherInit_SKEY(ctx, cipher, skey,
-                                     (hiv == NULL && wrap == 1 ? NULL : iv),
-                                     EVP_CIPHER_get_iv_length(cipher), enc, NULL)) {
-                BIO_printf(bio_err, "Error setting an opaque key for cipher %s\n",
-                           EVP_CIPHER_get0_name(cipher));
-                ERR_print_errors(bio_err);
-                goto end;
-            }
+        if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
+            BIO_printf(bio_err, "Error setting cipher %s\n",
+                       EVP_CIPHER_get0_name(cipher));
+            ERR_print_errors(bio_err);
+            goto end;
         }
 
         if (nopad)
             EVP_CIPHER_CTX_set_padding(ctx, 0);
 
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
+                               (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
+            BIO_printf(bio_err, "Error setting cipher %s\n",
+                       EVP_CIPHER_get0_name(cipher));
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
         if (debug) {
             BIO_set_callback_ex(benc, BIO_debug_callback_ex);
             BIO_set_callback_arg(benc, (char *)bio_err);
@@ -774,9 +716,6 @@ int enc_main(int argc, char **argv)
     }
  end:
     ERR_print_errors(bio_err);
-    sk_OPENSSL_STRING_free(skeyopts);
-    EVP_SKEYMGMT_free(mgmt);
-    EVP_SKEY_free(skey);
     OPENSSL_free(strbuf);
     OPENSSL_free(buff);
     BIO_free(in);

apps/engine.c

@@ -316,8 +316,7 @@ int engine_main(int argc, char **argv)
      * names, and then setup to parse the rest of the line as flags. */
     prog = argv[0];
     while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
-        if (!sk_OPENSSL_CSTRING_push(engines, argv1))
-            goto end;
+        sk_OPENSSL_CSTRING_push(engines, argv1);
         argc--;
         argv++;
     }
@@ -373,14 +372,12 @@ int engine_main(int argc, char **argv)
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         }
-        if (!sk_OPENSSL_CSTRING_push(engines, *argv))
-            goto end;
+        sk_OPENSSL_CSTRING_push(engines, *argv);
     }
 
     if (sk_OPENSSL_CSTRING_num(engines) == 0) {
         for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-            if (!sk_OPENSSL_CSTRING_push(engines, ENGINE_get_id(e)))
-                goto end;
+            sk_OPENSSL_CSTRING_push(engines, ENGINE_get_id(e));
         }
     }
 

apps/fipsinstall.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -38,30 +38,8 @@ typedef enum OPTION_choice {
     OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
     OPT_NO_CONDITIONAL_ERRORS,
     OPT_NO_SECURITY_CHECKS,
-    OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC,
-    OPT_DISALLOW_PKCS15_PADDING, OPT_RSA_PSS_SALTLEN_CHECK,
-    OPT_DISALLOW_SIGNATURE_X931_PADDING,
-    OPT_HMAC_KEY_CHECK, OPT_KMAC_KEY_CHECK,
+    OPT_TLS_PRF_EMS_CHECK,
     OPT_DISALLOW_DRGB_TRUNC_DIGEST,
-    OPT_SIGNATURE_DIGEST_CHECK,
-    OPT_HKDF_DIGEST_CHECK,
-    OPT_TLS13_KDF_DIGEST_CHECK,
-    OPT_TLS1_PRF_DIGEST_CHECK,
-    OPT_SSHKDF_DIGEST_CHECK,
-    OPT_SSKDF_DIGEST_CHECK,
-    OPT_X963KDF_DIGEST_CHECK,
-    OPT_DISALLOW_DSA_SIGN,
-    OPT_DISALLOW_TDES_ENCRYPT,
-    OPT_HKDF_KEY_CHECK,
-    OPT_KBKDF_KEY_CHECK,
-    OPT_TLS13_KDF_KEY_CHECK,
-    OPT_TLS1_PRF_KEY_CHECK,
-    OPT_SSHKDF_KEY_CHECK,
-    OPT_SSKDF_KEY_CHECK,
-    OPT_X963KDF_KEY_CHECK,
-    OPT_X942KDF_KEY_CHECK,
-    OPT_NO_PBKDF2_LOWER_BOUND_CHECK,
-    OPT_ECDH_COFACTOR_CHECK,
     OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
 } OPTION_CHOICE;
 
@@ -70,7 +48,7 @@ const OPTIONS fipsinstall_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
     {"verify", OPT_VERIFY, '-',
-     "Verify a config file instead of generating one"},
+        "Verify a config file instead of generating one"},
     {"module", OPT_MODULE, '<', "File name of the provider module"},
     {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
     {"section_name", OPT_SECTION_NAME, 's',
@@ -86,55 +64,8 @@ const OPTIONS fipsinstall_options[] = {
      "Forces self tests to run once on module installation"},
     {"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
      "Enable the run-time FIPS check for EMS during TLS1_PRF"},
-    {"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"},
     {"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
      "Disallow truncated digests with Hash and HMAC DRBGs"},
-    {"signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
-     "Enable checking for approved digests for signatures"},
-    {"hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC"},
-    {"kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC"},
-    {"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
-     "Enable digest check for HKDF"},
-    {"tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
-     "Enable digest check for TLS13-KDF"},
-    {"tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
-     "Enable digest check for TLS1-PRF"},
-    {"sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
-     "Enable digest check for SSHKDF"},
-    {"sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
-     "Enable digest check for SSKDF"},
-    {"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
-     "Enable digest check for X963KDF"},
-    {"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
-     "Disallow DSA signing"},
-    {"tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
-     "Disallow Triple-DES encryption"},
-    {"rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
-     "Disallow PKCS#1 version 1.5 padding for RSA encryption"},
-    {"rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
-     "Enable salt length check for RSA-PSS signature operations"},
-    {"rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
-     "Disallow X931 Padding for RSA signing"},
-    {"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
-     "Enable key check for HKDF"},
-    {"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
-     "Enable key check for KBKDF"},
-    {"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
-     "Enable key check for TLS13-KDF"},
-    {"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
-     "Enable key check for TLS1-PRF"},
-    {"sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
-     "Enable key check for SSHKDF"},
-    {"sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
-     "Enable key check for SSKDF"},
-    {"x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
-     "Enable key check for X963KDF"},
-    {"x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
-     "Enable key check for X942KDF"},
-    {"no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
-     "Disable lower bound check for PBKDF2"},
-    {"ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
-     "Enable Cofactor check for ECDH"},
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input config file, used when verifying"},
 
@@ -155,33 +86,8 @@ typedef struct {
     unsigned int self_test_onload : 1;
     unsigned int conditional_errors : 1;
     unsigned int security_checks : 1;
-    unsigned int hmac_key_check : 1;
-    unsigned int kmac_key_check : 1;
     unsigned int tls_prf_ems_check : 1;
-    unsigned int no_short_mac : 1;
     unsigned int drgb_no_trunc_dgst : 1;
-    unsigned int signature_digest_check : 1;
-    unsigned int hkdf_digest_check : 1;
-    unsigned int tls13_kdf_digest_check : 1;
-    unsigned int tls1_prf_digest_check : 1;
-    unsigned int sshkdf_digest_check : 1;
-    unsigned int sskdf_digest_check : 1;
-    unsigned int x963kdf_digest_check : 1;
-    unsigned int dsa_sign_disabled : 1;
-    unsigned int tdes_encrypt_disabled : 1;
-    unsigned int rsa_pkcs15_padding_disabled : 1;
-    unsigned int rsa_pss_saltlen_check : 1;
-    unsigned int sign_x931_padding_disabled : 1;
-    unsigned int hkdf_key_check : 1;
-    unsigned int kbkdf_key_check : 1;
-    unsigned int tls13_kdf_key_check : 1;
-    unsigned int tls1_prf_key_check : 1;
-    unsigned int sshkdf_key_check : 1;
-    unsigned int sskdf_key_check : 1;
-    unsigned int x963kdf_key_check : 1;
-    unsigned int x942kdf_key_check : 1;
-    unsigned int pbkdf2_lower_bound_check : 1;
-    unsigned int ecdh_cofactor_check : 1;
 } FIPS_OPTS;
 
 /* Pedantic FIPS compliance */
@@ -189,33 +95,8 @@ static const FIPS_OPTS pedantic_opts = {
     1,      /* self_test_onload */
     1,      /* conditional_errors */
     1,      /* security_checks */
-    1,      /* hmac_key_check */
-    1,      /* kmac_key_check */
     1,      /* tls_prf_ems_check */
-    1,      /* no_short_mac */
     1,      /* drgb_no_trunc_dgst */
-    1,      /* signature_digest_check */
-    1,      /* hkdf_digest_check */
-    1,      /* tls13_kdf_digest_check */
-    1,      /* tls1_prf_digest_check */
-    1,      /* sshkdf_digest_check */
-    1,      /* sskdf_digest_check */
-    1,      /* x963kdf_digest_check */
-    1,      /* dsa_sign_disabled */
-    1,      /* tdes_encrypt_disabled */
-    1,      /* rsa_pkcs15_padding_disabled */
-    1,      /* rsa_pss_saltlen_check */
-    1,      /* sign_x931_padding_disabled */
-    1,      /* hkdf_key_check */
-    1,      /* kbkdf_key_check */
-    1,      /* tls13_kdf_key_check */
-    1,      /* tls1_prf_key_check */
-    1,      /* sshkdf_key_check */
-    1,      /* sskdf_key_check */
-    1,      /* x963kdf_key_check */
-    1,      /* x942kdf_key_check */
-    1,      /* pbkdf2_lower_bound_check */
-    1,      /* ecdh_cofactor_check */
 };
 
 /* Default FIPS settings for backward compatibility */
@@ -223,33 +104,8 @@ static FIPS_OPTS fips_opts = {
     1,      /* self_test_onload */
     1,      /* conditional_errors */
     1,      /* security_checks */
-    0,      /* hmac_key_check */
-    0,      /* kmac_key_check */
     0,      /* tls_prf_ems_check */
-    0,      /* no_short_mac */
     0,      /* drgb_no_trunc_dgst */
-    0,      /* signature_digest_check */
-    0,      /* hkdf_digest_check */
-    0,      /* tls13_kdf_digest_check */
-    0,      /* tls1_prf_digest_check */
-    0,      /* sshkdf_digest_check */
-    0,      /* sskdf_digest_check */
-    0,      /* x963kdf_digest_check */
-    0,      /* dsa_sign_disabled */
-    0,      /* tdes_encrypt_disabled */
-    0,      /* rsa_pkcs15_padding_disabled */
-    0,      /* rsa_pss_saltlen_check */
-    0,      /* sign_x931_padding_disabled */
-    0,      /* hkdf_key_check */
-    0,      /* kbkdf_key_check */
-    0,      /* tls13_kdf_key_check */
-    0,      /* tls1_prf_key_check */
-    0,      /* sshkdf_key_check */
-    0,      /* sskdf_key_check */
-    0,      /* x963kdf_key_check */
-    0,      /* x942kdf_key_check */
-    1,      /* pbkdf2_lower_bound_check */
-    0,      /* ecdh_cofactor_check */
 };
 
 static int check_non_pedantic_fips(int pedantic, const char *name)
@@ -284,8 +140,7 @@ err:
     return ret;
 }
 
-static int load_fips_prov_and_run_self_test(const char *prov_name,
-                                            int *is_fips_140_2_prov)
+static int load_fips_prov_and_run_self_test(const char *prov_name)
 {
     int ret = 0;
     OSSL_PROVIDER *prov = NULL;
@@ -315,16 +170,7 @@ static int load_fips_prov_and_run_self_test(const char *prov_name,
             BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
         if (OSSL_PARAM_modified(params + 2))
             BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
-    } else {
-        *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
-                                             &vers, sizeof(vers));
-        *p = OSSL_PARAM_construct_end();
-        if (!OSSL_PROVIDER_get_params(prov, params)) {
-            BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
-            goto end;
-        }
     }
-    *is_fips_140_2_prov = (strncmp("3.0.", vers, 4) == 0);
     ret = 1;
 end:
     OSSL_PROVIDER_unload(prov);
@@ -377,83 +223,22 @@ static int write_config_fips_section(BIO *out, const char *section,
                       VERSION_VAL) <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
                       opts->conditional_errors ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
                       opts->security_checks ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
-                      opts->hmac_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
-                      opts->kmac_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
                       opts->tls_prf_ems_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
-                      opts->no_short_mac ? "1" : "0") <= 0
         || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
                       opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
-                      opts->signature_digest_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
-                      opts->hkdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
-                      opts->tls13_kdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
-                      opts->tls1_prf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
-                      opts->sshkdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
-                      opts->sskdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
-                      opts->x963kdf_digest_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
-                      opts->dsa_sign_disabled ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
-                      opts->tdes_encrypt_disabled ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
-                      opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
-                      opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
-                      opts->sign_x931_padding_disabled ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
-                      opts->hkdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
-                      opts->kbkdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
-                      opts->tls13_kdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
-                      opts->tls1_prf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
-                      opts->sshkdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
-                      opts->sskdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
-                      opts->x963kdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X942KDF_KEY_CHECK,
-                      opts->x942kdf_key_check ? "1": "0") <= 0
-        || BIO_printf(out, "%s = %s\n",
-                      OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
-                      opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
-        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
-                      opts->ecdh_cofactor_check ? "1": "0") <= 0
         || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
                       module_mac_len))
         goto end;
 
-    if (install_mac != NULL
-            && install_mac_len > 0
-            && opts->self_test_onload == 0) {
+    if (install_mac != NULL && install_mac_len > 0) {
         if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
                        install_mac_len)
             || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
                           INSTALL_STATUS_VAL) <= 0)
-            goto end;
+        goto end;
     }
     ret = 1;
 end:
@@ -470,12 +255,12 @@ static CONF *generate_config_and_load(const char *prov_name,
     CONF *conf = NULL;
 
     mem_bio = BIO_new(BIO_s_mem());
-    if (mem_bio == NULL)
+    if (mem_bio  == NULL)
         return 0;
     if (!write_config_header(mem_bio, prov_name, section)
-        || !write_config_fips_section(mem_bio, section,
-                                      module_mac, module_mac_len,
-                                      opts, NULL, 0))
+         || !write_config_fips_section(mem_bio, section,
+                                       module_mac, module_mac_len,
+                                       opts, NULL, 0))
         goto end;
 
     conf = app_load_config_bio(mem_bio, NULL);
@@ -571,7 +356,6 @@ end:
 int fipsinstall_main(int argc, char **argv)
 {
     int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0;
-    int is_fips_140_2_prov = 0, set_selftest_onload_option = 0;
     const char *section_name = "fips_sect";
     const char *mac_name = "HMAC";
     const char *prov_name = "fips";
@@ -598,7 +382,7 @@ int fipsinstall_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
- opthelp:
+opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto cleanup;
         case OPT_HELP:
@@ -625,89 +409,12 @@ int fipsinstall_main(int argc, char **argv)
                 goto end;
             fips_opts.security_checks = 0;
             break;
-        case OPT_HMAC_KEY_CHECK:
-            fips_opts.hmac_key_check = 1;
-            break;
-        case OPT_KMAC_KEY_CHECK:
-            fips_opts.kmac_key_check = 1;
-            break;
         case OPT_TLS_PRF_EMS_CHECK:
             fips_opts.tls_prf_ems_check = 1;
             break;
-        case OPT_NO_SHORT_MAC:
-            fips_opts.no_short_mac = 1;
-            break;
         case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
             fips_opts.drgb_no_trunc_dgst = 1;
             break;
-        case OPT_SIGNATURE_DIGEST_CHECK:
-            fips_opts.signature_digest_check = 1;
-            break;
-        case OPT_HKDF_DIGEST_CHECK:
-            fips_opts.hkdf_digest_check = 1;
-            break;
-        case OPT_TLS13_KDF_DIGEST_CHECK:
-            fips_opts.tls13_kdf_digest_check = 1;
-            break;
-        case OPT_TLS1_PRF_DIGEST_CHECK:
-            fips_opts.tls1_prf_digest_check = 1;
-            break;
-        case OPT_SSHKDF_DIGEST_CHECK:
-            fips_opts.sshkdf_digest_check = 1;
-            break;
-        case OPT_SSKDF_DIGEST_CHECK:
-            fips_opts.sskdf_digest_check = 1;
-            break;
-        case OPT_X963KDF_DIGEST_CHECK:
-            fips_opts.x963kdf_digest_check = 1;
-            break;
-        case OPT_DISALLOW_DSA_SIGN:
-            fips_opts.dsa_sign_disabled = 1;
-            break;
-        case OPT_DISALLOW_TDES_ENCRYPT:
-            fips_opts.tdes_encrypt_disabled = 1;
-            break;
-        case OPT_RSA_PSS_SALTLEN_CHECK:
-            fips_opts.rsa_pss_saltlen_check = 1;
-            break;
-        case OPT_DISALLOW_SIGNATURE_X931_PADDING:
-            fips_opts.sign_x931_padding_disabled = 1;
-            break;
-        case OPT_DISALLOW_PKCS15_PADDING:
-            fips_opts.rsa_pkcs15_padding_disabled = 1;
-            break;
-        case OPT_HKDF_KEY_CHECK:
-            fips_opts.hkdf_key_check = 1;
-            break;
-        case OPT_KBKDF_KEY_CHECK:
-            fips_opts.kbkdf_key_check = 1;
-            break;
-        case OPT_TLS13_KDF_KEY_CHECK:
-            fips_opts.tls13_kdf_key_check = 1;
-            break;
-        case OPT_TLS1_PRF_KEY_CHECK:
-            fips_opts.tls1_prf_key_check = 1;
-            break;
-        case OPT_SSHKDF_KEY_CHECK:
-            fips_opts.sshkdf_key_check = 1;
-            break;
-        case OPT_SSKDF_KEY_CHECK:
-            fips_opts.sskdf_key_check = 1;
-            break;
-        case OPT_X963KDF_KEY_CHECK:
-            fips_opts.x963kdf_key_check = 1;
-            break;
-        case OPT_X942KDF_KEY_CHECK:
-            fips_opts.x942kdf_key_check = 1;
-            break;
-        case OPT_NO_PBKDF2_LOWER_BOUND_CHECK:
-            if (!check_non_pedantic_fips(pedantic, "no_pbkdf2_lower_bound_check"))
-                goto end;
-            fips_opts.pbkdf2_lower_bound_check = 0;
-            break;
-        case OPT_ECDH_COFACTOR_CHECK:
-            fips_opts.ecdh_cofactor_check = 1;
-            break;
         case OPT_QUIET:
             quiet = 1;
             /* FALLTHROUGH */
@@ -747,13 +454,11 @@ int fipsinstall_main(int argc, char **argv)
             verify = 1;
             break;
         case OPT_SELF_TEST_ONLOAD:
-            set_selftest_onload_option = 1;
             fips_opts.self_test_onload = 1;
             break;
         case OPT_SELF_TEST_ONINSTALL:
             if (!check_non_pedantic_fips(pedantic, "self_test_oninstall"))
                 goto end;
-            set_selftest_onload_option = 1;
             fips_opts.self_test_onload = 0;
             break;
         }
@@ -773,7 +478,7 @@ int fipsinstall_main(int argc, char **argv)
             ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
             if (!quiet) {
                 BIO_printf(bio_err, "FIPS provider is %s\n",
-                           ret == 0 ? "available" : "not available");
+                           ret == 0 ? "available" : " not available");
             }
         }
         goto end;
@@ -851,43 +556,34 @@ int fipsinstall_main(int argc, char **argv)
     if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
         goto end;
 
-    /* Calculate the MAC for the indicator status - it may not be used */
-    mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
-                              strlen(INSTALL_STATUS_VAL));
-    if (mem_bio == NULL) {
-        BIO_printf(bio_err, "Unable to create memory BIO\n");
-        goto end;
+    if (fips_opts.self_test_onload == 0) {
+        mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
+                                  strlen(INSTALL_STATUS_VAL));
+        if (mem_bio == NULL) {
+            BIO_printf(bio_err, "Unable to create memory BIO\n");
+            goto end;
+        }
+        if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
+            goto end;
+    } else {
+        install_mac_len = 0;
     }
-    if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
-        goto end;
 
     if (verify) {
-        if (fips_opts.self_test_onload == 1)
-            install_mac_len = 0;
         if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
                            install_mac, install_mac_len))
             goto end;
         if (!quiet)
             BIO_printf(bio_err, "VERIFY PASSED\n");
     } else {
+
         conf = generate_config_and_load(prov_name, section_name, module_mac,
                                         module_mac_len, &fips_opts);
         if (conf == NULL)
             goto end;
-        if (!load_fips_prov_and_run_self_test(prov_name, &is_fips_140_2_prov))
+        if (!load_fips_prov_and_run_self_test(prov_name))
             goto end;
 
-        /*
-         * In OpenSSL 3.1 the code was changed so that the status indicator is
-         * not written out by default since this is a FIPS 140-3 requirement.
-         * For backwards compatibility - if the detected FIPS provider is 3.0.X
-         * (Which was a FIPS 140-2 validation), then the indicator status will
-         * be written to the config file unless 'self_test_onload' is set on the
-         * command line.
-         */
-        if (set_selftest_onload_option == 0 && is_fips_140_2_prov)
-            fips_opts.self_test_onload = 0;
-
         fout =
             out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
                               : bio_open_default(out_fname, 'w', FORMAT_TEXT);
@@ -895,7 +591,6 @@ int fipsinstall_main(int argc, char **argv)
             BIO_printf(bio_err, "Failed to open file\n");
             goto end;
         }
-
         if (!write_config_fips_section(fout, section_name,
                                        module_mac, module_mac_len, &fips_opts,
                                        install_mac, install_mac_len))

apps/genpkey.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -106,7 +106,7 @@ cleanup:
 int genpkey_main(int argc, char **argv)
 {
     CONF *conf = NULL;
-    BIO *mem_out = NULL, *mem_outpubkey = NULL;
+    BIO *in = NULL, *out = NULL, *outpubkey = NULL;
     ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
@@ -237,16 +237,14 @@ int genpkey_main(int argc, char **argv)
         goto end;
     }
 
-    mem_out = BIO_new(BIO_s_mem());
-    if (mem_out == NULL)
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
         goto end;
-    BIO_set_mem_eof_return(mem_out, 0);
 
     if (outpubkeyfile != NULL) {
-        mem_outpubkey = BIO_new(BIO_s_mem());
-        if (mem_outpubkey == NULL)
+        outpubkey = bio_open_owner(outpubkeyfile, outformat, private);
+        if (outpubkey == NULL)
             goto end;
-        BIO_set_mem_eof_return(mem_outpubkey, 0);
     }
 
     if (verbose)
@@ -259,17 +257,17 @@ int genpkey_main(int argc, char **argv)
         goto end;
 
     if (do_param) {
-        rv = PEM_write_bio_Parameters(mem_out, pkey);
+        rv = PEM_write_bio_Parameters(out, pkey);
     } else if (outformat == FORMAT_PEM) {
         assert(private);
-        rv = PEM_write_bio_PrivateKey(mem_out, pkey, cipher, NULL, 0, NULL, pass);
-        if (rv > 0 && mem_outpubkey != NULL)
-            rv = PEM_write_bio_PUBKEY(mem_outpubkey, pkey);
+        rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
+        if (rv > 0 && outpubkey != NULL)
+           rv = PEM_write_bio_PUBKEY(outpubkey, pkey);
     } else if (outformat == FORMAT_ASN1) {
         assert(private);
-        rv = i2d_PrivateKey_bio(mem_out, pkey);
-        if (rv > 0 && mem_outpubkey != NULL)
-            rv = i2d_PUBKEY_bio(mem_outpubkey, pkey);
+        rv = i2d_PrivateKey_bio(out, pkey);
+        if (rv > 0 && outpubkey != NULL)
+           rv = i2d_PUBKEY_bio(outpubkey, pkey);
     } else {
         BIO_printf(bio_err, "Bad format specified for key\n");
         goto end;
@@ -284,9 +282,9 @@ int genpkey_main(int argc, char **argv)
 
     if (text) {
         if (do_param)
-            rv = EVP_PKEY_print_params(mem_out, pkey, 0, NULL);
+            rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
         else
-            rv = EVP_PKEY_print_private(mem_out, pkey, 0, NULL);
+            rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
 
         if (rv <= 0) {
             BIO_puts(bio_err, "Error printing key\n");
@@ -296,25 +294,14 @@ int genpkey_main(int argc, char **argv)
 
  end:
     sk_OPENSSL_STRING_free(keyopt);
-    if (ret != 0) {
+    if (ret != 0)
         ERR_print_errors(bio_err);
-    } else {
-        if (mem_outpubkey != NULL) {
-            rv = mem_bio_to_file(mem_outpubkey, outpubkeyfile, outformat, private);
-            if (!rv)
-                BIO_printf(bio_err, "Error writing to outpubkey: '%s'. Error: %s\n", outpubkeyfile, strerror(errno));
-        }
-        if (mem_out != NULL) {
-            rv = mem_bio_to_file(mem_out, outfile, outformat, private);
-            if (!rv)
-                BIO_printf(bio_err, "Error writing to outfile: '%s'. Error: %s\n", outpubkeyfile, strerror(errno));
-        }
-    }
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(ctx);
     EVP_CIPHER_free(cipher);
-    BIO_free_all(mem_out);
-    BIO_free_all(mem_outpubkey);
+    BIO_free_all(out);
+    BIO_free_all(outpubkey);
+    BIO_free(in);
     release_engine(e);
     OPENSSL_free(pass);
     NCONF_free(conf);

apps/include/apps.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,8 +10,10 @@
 #ifndef OSSL_APPS_H
 # define OSSL_APPS_H
 
+# include "internal/e_os.h" /* struct timeval for DTLS */
 # include "internal/common.h" /* for HAS_PREFIX */
 # include "internal/nelem.h"
+# include "internal/sockets.h" /* for openssl_fdset() */
 # include <assert.h>
 
 # include <stdarg.h>
@@ -63,7 +65,6 @@ BIO *dup_bio_err(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
-int mem_bio_to_file(BIO *in, const char *filename, int format, int private);
 char *app_conf_try_string(const CONF *cnf, const char *group, const char *name);
 int app_conf_try_number(const CONF *conf, const char *group, const char *name,
                         long *result);
@@ -81,12 +82,8 @@ int has_stdin_waiting(void);
 # endif
 
 void corrupt_signature(const ASN1_STRING *signature);
-
-/* Helpers for setting X509v3 certificate fields notBefore and notAfter */
-int check_cert_time_string(const char *time, const char *desc);
 int set_cert_times(X509 *x, const char *startdate, const char *enddate,
-                   int days, int strict_compare_times);
-
+                   int days);
 int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
 int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
                        long days, long hours, long secs);

apps/include/cmp_mock_srv.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -22,8 +22,6 @@ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
 
 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
-int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey);
-int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl);
 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
                                     STACK_OF(X509) *chain);
 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,

apps/include/opt.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -295,7 +295,6 @@
 # define OPT_PROV_ENUM \
         OPT_PROV__FIRST=1600, \
         OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
-        OPT_PROV_PARAM, \
         OPT_PROV__LAST
 
 # define OPT_CONFIG_OPTION \
@@ -305,14 +304,12 @@
         OPT_SECTION("Provider"), \
         { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
         { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
-        { "provparam", OPT_PROV_PARAM, 's', "Set a provider key-value parameter" }, \
         { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
 
 # define OPT_PROV_CASES \
         OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
         case OPT_PROV_PROVIDER: \
         case OPT_PROV_PROVIDER_PATH: \
-        case OPT_PROV_PARAM: \
         case OPT_PROV_PROPQUERY
 
 /*

apps/include/platform.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,7 +16,7 @@
 /*
  * VMS C only for now, implemented in vms_decc_init.c
  * If other C compilers forget to terminate argv with NULL, this function
- * can be reused.
+ * can be re-used.
  */
 char **copy_argv(int *argc, char *argv[]);
 # endif

apps/info.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -14,7 +14,7 @@
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
-    OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS, OPT_WINDOWSCONTEXT
+    OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS
 } OPTION_CHOICE;
 
 const OPTIONS info_options[] = {
@@ -32,7 +32,6 @@ const OPTIONS info_options[] = {
     {"listsep", OPT_LISTSEP, '-', "List separator character"},
     {"seeds", OPT_SEEDS, '-', "Seed sources"},
     {"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
-    {"windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context"},
     {NULL}
 };
 
@@ -41,7 +40,6 @@ int info_main(int argc, char **argv)
     int ret = 1, dirty = 0, type = 0;
     char *prog;
     OPTION_CHOICE o;
-    const char *typedata;
 
     prog = opt_init(argc, argv, info_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -86,10 +84,6 @@ opthelp:
             type = OPENSSL_INFO_CPU_SETTINGS;
             dirty++;
             break;
-        case OPT_WINDOWSCONTEXT:
-            type = OPENSSL_INFO_WINDOWS_CONTEXT;
-            dirty++;
-            break;
         }
     }
     if (!opt_check_rest_arg(NULL))
@@ -103,8 +97,7 @@ opthelp:
         goto opthelp;
     }
 
-    typedata = OPENSSL_info(type);
-    BIO_printf(bio_out, "%s\n", typedata == NULL ? "Undefined" : typedata);
+    BIO_printf(bio_out, "%s\n", OPENSSL_info(type));
     ret = 0;
  end:
     return ret;

apps/lib/app_provider.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -8,7 +8,6 @@
  */
 
 #include "apps.h"
-#include <ctype.h>
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/provider.h>
@@ -66,78 +65,6 @@ static int opt_provider_path(const char *path)
     return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
 }
 
-struct prov_param_st {
-    char *name;
-    char *key;
-    char *val;
-    int found;
-};
-
-static int set_prov_param(OSSL_PROVIDER *prov, void *vp)
-{
-    struct prov_param_st *p = (struct prov_param_st *)vp;
-
-    if (p->name != NULL && strcmp(OSSL_PROVIDER_get0_name(prov), p->name) != 0)
-        return 1;
-    p->found = 1;
-    return OSSL_PROVIDER_add_conf_parameter(prov, p->key, p->val);
-}
-
-static int opt_provider_param(const char *arg)
-{
-    struct prov_param_st p;
-    char *copy, *tmp;
-    int ret = 0;
-
-    if ((copy = OPENSSL_strdup(arg)) == NULL
-        || (p.val = strchr(copy, '=')) == NULL) {
-        opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
-                          opt_getprog(), arg);
-        goto end;
-    }
-
-    /* Drop whitespace on both sides of the '=' sign */
-    *(tmp = p.val++) = '\0';
-    while (tmp > copy && isspace(_UC(*--tmp)))
-        *tmp = '\0';
-    while (isspace(_UC(*p.val)))
-        ++p.val;
-
-    /*
-     * Split the key on ':', to get the optional provider, empty or missing
-     * means all.
-     */
-    if ((p.key = strchr(copy, ':')) != NULL) {
-        *p.key++ = '\0';
-        p.name = *copy != '\0' ? copy : NULL;
-    } else {
-        p.name = NULL;
-        p.key = copy;
-    }
-
-    /* The key must not be empty */
-    if (*p.key == '\0') {
-        opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
-                          opt_getprog(), arg);
-        goto end;
-    }
-
-    p.found = 0;
-    ret = OSSL_PROVIDER_do_all(app_get0_libctx(), set_prov_param, (void *)&p);
-    if (ret == 0) {
-        opt_printf_stderr("%s: Error setting provider '%s' parameter '%s'\n",
-                          opt_getprog(), p.name, p.key);
-    } else if (p.found == 0) {
-        opt_printf_stderr("%s: No provider named '%s' is loaded\n",
-                          opt_getprog(), p.name);
-        ret = 0;
-    }
-
-  end:
-    OPENSSL_free(copy);
-    return ret;
-}
-
 int opt_provider(int opt)
 {
     const int given = provider_option_given;
@@ -151,8 +78,6 @@ int opt_provider(int opt)
         return app_provider_load(app_get0_libctx(), opt_arg());
     case OPT_PROV_PROVIDER_PATH:
         return opt_provider_path(opt_arg());
-    case OPT_PROV_PARAM:
-        return opt_provider_param(opt_arg());
     case OPT_PROV_PROPQUERY:
         return app_set_propq(opt_arg());
     }

apps/lib/app_rand.c

@@ -7,7 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "internal/e_os.h" /* LIST_SEPARATOR_CHAR */
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>

apps/lib/apps.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -48,9 +48,6 @@
 #include "s_apps.h"
 #include "apps.h"
 
-#include "internal/sockets.h" /* for openssl_fdset() */
-#include "internal/e_os.h"
-
 #ifdef _WIN32
 static int WIN32_rename(const char *from, const char *to);
 # define rename(from, to) WIN32_rename((from), (to))
@@ -902,15 +899,11 @@ static const char *format2string(int format)
         return "PEM";
     case FORMAT_ASN1:
         return "DER";
-    case FORMAT_PVK:
-        return "PVK";
-    case FORMAT_MSBLOB:
-        return "MSBLOB";
     }
     return NULL;
 }
 
-/* Set type expectation, but set to 0 if objects of multiple types expected. */
+/* Set type expectation, but clear it if objects of different types expected. */
 #define SET_EXPECT(val) \
     (expect = expect < 0 ? (val) : (expect == (val) ? (val) : 0))
 #define SET_EXPECT1(pvar, val) \
@@ -918,7 +911,6 @@ static const char *format2string(int format)
         *(pvar) = NULL; \
         SET_EXPECT(val); \
     }
-/* Provide (error msg) text for some of the credential types to be loaded. */
 #define FAIL_NAME \
     (ppkey != NULL ? "private key" : ppubkey != NULL ? "public key" :  \
      pparams != NULL ? "key parameters" :                              \
@@ -926,9 +918,7 @@ static const char *format2string(int format)
      pcrl != NULL ? "CRL" : pcrls != NULL ? "CRLs" : NULL)
 /*
  * Load those types of credentials for which the result pointer is not NULL.
- * Reads from stdin if 'uri' is NULL and 'maybe_stdin' is nonzero.
- * 'format' parameter may be FORMAT_PEM, FORMAT_ASN1, or 0 for no hint.
- * desc may contain more detail on the credential(s) to be loaded for error msg
+ * Reads from stdio if uri is NULL and maybe_stdin is nonzero.
  * For non-NULL ppkey, pcert, and pcrl the first suitable value found is loaded.
  * If pcerts is non-NULL and *pcerts == NULL then a new cert list is allocated.
  * If pcerts is non-NULL then all available certificates are appended to *pcerts
@@ -956,38 +946,24 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
     OSSL_PARAM itp[2];
     const OSSL_PARAM *params = NULL;
 
-    /* 'failed' describes type of credential to load for potential error msg */
     if (failed == NULL) {
         if (!quiet)
-            BIO_printf(bio_err, "Internal error: nothing was requested to load from %s\n",
+            BIO_printf(bio_err, "Internal error: nothing to load from %s\n",
                        uri != NULL ? uri : "<stdin>");
         return 0;
     }
-    /* suppress any extraneous errors left over from failed parse attempts */
     ERR_set_mark();
 
     SET_EXPECT1(ppkey, OSSL_STORE_INFO_PKEY);
     SET_EXPECT1(ppubkey, OSSL_STORE_INFO_PUBKEY);
     SET_EXPECT1(pparams, OSSL_STORE_INFO_PARAMS);
     SET_EXPECT1(pcert, OSSL_STORE_INFO_CERT);
-    /*
-     * Up to here, the follwing holds.
-     * If just one of the ppkey, ppubkey, pparams, and pcert function parameters
-     * is nonzero, expect > 0 indicates which type of credential is expected.
-     * If expect == 0, more than one of them is nonzero (multiple types expected).
-     */
-
     if (pcerts != NULL) {
         if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) {
             if (!quiet)
                 BIO_printf(bio_err, "Out of memory loading");
             goto end;
         }
-        /*
-         * Adapt the 'expect' variable:
-         * set to OSSL_STORE_INFO_CERT if no other type is expected so far,
-         * otherwise set to 0 (indicating that multiple types are expected).
-         */
         SET_EXPECT(OSSL_STORE_INFO_CERT);
     }
     SET_EXPECT1(pcrl, OSSL_STORE_INFO_CRL);
@@ -997,11 +973,6 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                 BIO_printf(bio_err, "Out of memory loading");
             goto end;
         }
-        /*
-         * Adapt the 'expect' variable:
-         * set to OSSL_STORE_INFO_CRL if no other type is expected so far,
-         * otherwise set to 0 (indicating that multiple types are expected).
-         */
         SET_EXPECT(OSSL_STORE_INFO_CRL);
     }
 
@@ -1041,7 +1012,6 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
             BIO_printf(bio_err, "Could not open file or uri for loading");
         goto end;
     }
-    /* expect == 0 means here multiple types of credentials are to be loaded */
     if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) {
         if (!quiet)
             BIO_printf(bio_err, "Internal error trying to load");
@@ -1049,8 +1019,6 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
     }
 
     failed = NULL;
-    /* from here, failed != NULL only if actually an error has been detected */
-
     while ((ppkey != NULL || ppubkey != NULL || pparams != NULL
             || pcert != NULL || pcerts != NULL || pcrl != NULL || pcrls != NULL)
            && !OSSL_STORE_eof(ctx)) {
@@ -1120,7 +1088,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
             ncrls += ok;
             break;
         default:
-            /* skip any other type; ok stays == 1 */
+            /* skip any other type */
             break;
         }
         OSSL_STORE_INFO_free(info);
@@ -1134,22 +1102,18 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
 
  end:
     OSSL_STORE_close(ctx);
-
-    /* see if any of the requested types of credentials was not found */
+    if (ncerts > 0)
+        pcerts = NULL;
+    if (ncrls > 0)
+        pcrls = NULL;
     if (failed == NULL) {
-        if (ncerts > 0)
-            pcerts = NULL;
-        if (ncrls > 0)
-            pcrls = NULL;
         failed = FAIL_NAME;
         if (failed != NULL && !quiet)
             BIO_printf(bio_err, "Could not find");
     }
-
     if (failed != NULL && !quiet) {
         unsigned long err = ERR_peek_last_error();
 
-        /* continue the error message with the type of credential affected */
         if (desc != NULL && strstr(desc, failed) != NULL) {
             BIO_printf(bio_err, " %s", desc);
         } else {
@@ -1610,9 +1574,9 @@ int save_serial(const char *serialfile, const char *suffix,
         OPENSSL_strlcpy(buf[0], serialfile, BSIZE);
     } else {
 #ifndef OPENSSL_SYS_VMS
-        BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix);
+        j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix);
 #else
-        BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix);
+        j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix);
 #endif
     }
     out = BIO_new_file(buf[0], "w");
@@ -1654,11 +1618,11 @@ int rotate_serial(const char *serialfile, const char *new_suffix,
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix);
 #else
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix);
 #endif
     if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1810,13 +1774,13 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
-    BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix);
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix);
+    j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix);
 #else
-    BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix);
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix);
+    j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix);
 #endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
@@ -1860,17 +1824,17 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
-    BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile);
-    BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix);
-    BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix);
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile);
+    j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix);
 #else
-    BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile);
-    BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix);
-    BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix);
-    BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix);
-    BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile);
+    j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix);
 #endif
     if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -2224,7 +2188,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
         if (print)
             BIO_printf(bio, "Hostname %s does%s match certificate\n",
                        checkhost, valid_host == 1 ? "" : " NOT");
-        ret = ret && valid_host > 0;
+        ret = ret && valid_host;
     }
 
     if (checkemail != NULL) {
@@ -2232,7 +2196,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
         if (print)
             BIO_printf(bio, "Email %s does%s match certificate\n",
                        checkemail, valid_mail ? "" : " NOT");
-        ret = ret && valid_mail > 0;
+        ret = ret && valid_mail;
     }
 
     if (checkip != NULL) {
@@ -2240,7 +2204,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
         if (print)
             BIO_printf(bio, "IP %s does%s match certificate\n",
                        checkip, valid_ip ? "" : " NOT");
-        ret = ret && valid_ip > 0;
+        ret = ret && valid_ip;
     }
 
     return ret;
@@ -2523,24 +2487,18 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
     crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
     crl = load_crl_crldp(crldp);
     sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-
-    if (crl == NULL || !sk_X509_CRL_push(crls, crl))
-        goto error;
-
+    if (!crl) {
+        sk_X509_CRL_free(crls);
+        return NULL;
+    }
+    sk_X509_CRL_push(crls, crl);
     /* Try to download delta CRL */
     crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
     crl = load_crl_crldp(crldp);
     sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-
-    if (crl != NULL && !sk_X509_CRL_push(crls, crl))
-        goto error;
-
+    if (crl)
+        sk_X509_CRL_push(crls, crl);
     return crls;
-
-error:
-    X509_CRL_free(crl);
-    sk_X509_CRL_free(crls);
-    return NULL;
 }
 
 void store_setup_crl_download(X509_STORE *st)
@@ -3239,32 +3197,6 @@ BIO *bio_open_default_quiet(const char *filename, char mode, int format)
     return bio_open_default_(filename, mode, format, 1);
 }
 
-int mem_bio_to_file(BIO *in, const char *filename, int format, int private)
-{
-    int rv = 0, ret = 0;
-    BIO *out = NULL;
-    BUF_MEM *mem_buffer = NULL;
-
-    rv = BIO_get_mem_ptr(in, &mem_buffer);
-    if (rv <= 0) {
-        BIO_puts(bio_err, "Error reading mem buffer\n");
-        goto end;
-    }
-    out = bio_open_owner(filename, format, private);
-    if (out == NULL)
-        goto end;
-    rv = BIO_write(out, mem_buffer->data, mem_buffer->length);
-    if (rv < 0 || (size_t)rv != mem_buffer->length)
-        BIO_printf(bio_err, "Error writing to output file: '%s'\n", filename);
-    else
-        ret = 1;
-end:
-    if (!ret)
-        ERR_print_errors(bio_err);
-    BIO_free_all(out);
-    return ret;
-}
-
 void wait_for_async(SSL *s)
 {
     /* On Windows select only works for sockets, so we simply don't wait  */
@@ -3332,54 +3264,23 @@ void corrupt_signature(const ASN1_STRING *signature)
     s[signature->length - 1] ^= 0x1;
 }
 
-int check_cert_time_string(const char *time, const char *desc)
-{
-    if (time == NULL || strcmp(time, "today") == 0
-            || ASN1_TIME_set_string_X509(NULL, time))
-        return 1;
-    BIO_printf(bio_err,
-               "%s is invalid, it should be \"today\" or have format [CC]YYMMDDHHMMSSZ\n",
-               desc);
-    return 0;
-}
-
 int set_cert_times(X509 *x, const char *startdate, const char *enddate,
-                   int days, int strict_compare_times)
+                   int days)
 {
-    if (!check_cert_time_string(startdate, "start date"))
-        return 0;
-    if (!check_cert_time_string(enddate, "end date"))
-        return 0;
     if (startdate == NULL || strcmp(startdate, "today") == 0) {
-        if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL) {
-            BIO_printf(bio_err, "Error setting notBefore certificate field\n");
+        if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
             return 0;
-        }
     } else {
-        if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate)) {
-            BIO_printf(bio_err, "Error setting notBefore certificate field\n");
+        if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
             return 0;
-        }
-    }
-    if (enddate != NULL && strcmp(enddate, "today") == 0) {
-        enddate = NULL;
-        days = 0;
     }
     if (enddate == NULL) {
-        if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL) == NULL) {
-            BIO_printf(bio_err, "Error setting notAfter certificate field\n");
+        if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
+            == NULL)
             return 0;
-        }
     } else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) {
-        BIO_printf(bio_err, "Error setting notAfter certificate field\n");
         return 0;
     }
-    if (ASN1_TIME_compare(X509_get0_notAfter(x), X509_get0_notBefore(x)) < 0) {
-        BIO_printf(bio_err, "%s: end date before start date\n",
-                   strict_compare_times ? "Error" : "Warning");
-        if (strict_compare_times)
-            return 0;
-    }
     return 1;
 }
 
@@ -3536,7 +3437,6 @@ int opt_legacy_okay(void)
 {
     int provider_options = opt_provider_option_given();
     int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
-
     /*
      * Having a provider option specified or a custom library context or
      * property query, is a sure sign we're not using legacy.

apps/lib/cmp_mock_srv.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -16,11 +16,10 @@
 #include <openssl/cmperr.h>
 
 /* the context for the CMP mock server */
-typedef struct {
+typedef struct
+{
     X509 *refCert;             /* cert to expect for oldCertID in kur/rr msg */
     X509 *certOut;             /* certificate to be returned in cp/ip/kup msg */
-    EVP_PKEY *keyOut;          /* Private key to be returned for central keygen */
-    X509_CRL *crlOut;          /* CRL to be returned in genp for crls */
     STACK_OF(X509) *chainOut;  /* chain of certOut to add to extraCerts field */
     STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
     X509 *newWithNew;          /* to return in newWithNew of rootKeyUpdate */
@@ -88,37 +87,6 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
 DEFINE_OSSL_SET1_CERT(refCert)
 DEFINE_OSSL_SET1_CERT(certOut)
 
-int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
-{
-    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (pkey != NULL && !EVP_PKEY_up_ref(pkey))
-        return 0;
-    EVP_PKEY_free(ctx->keyOut);
-    ctx->keyOut = pkey;
-    return 1;
-}
-
-int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
-                                  X509_CRL *crl)
-{
-    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (crl != NULL && !X509_CRL_up_ref(crl))
-        return 0;
-    X509_CRL_free(ctx->crlOut);
-    ctx->crlOut = crl;
-    return 1;
-}
-
 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
                                     STACK_OF(X509) *chain)
 {
@@ -289,9 +257,8 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                             STACK_OF(X509) **caPubs)
 {
     mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-    int bodytype, central_keygen;
+    int bodytype;
     OSSL_CMP_PKISI *si = NULL;
-    EVP_PKEY *keyOut = NULL;
 
     if (ctx == NULL || cert_req == NULL
             || certOut == NULL || chainOut == NULL || caPubs == NULL) {
@@ -375,23 +342,6 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
         /* Should return a cert produced from request template, see FR #16054 */
         goto err;
-
-    central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
-    if (central_keygen < 0)
-        goto err;
-    if (central_keygen == 1
-        && (ctx->keyOut == NULL
-            || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
-            || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
-                                          1 /* priv */, keyOut))) {
-        EVP_PKEY_free(keyOut);
-        goto err;
-    }
-    /*
-     * Note that this uses newPkey to return the private key
-     * and does not check whether the 'popo' field is absent.
-     */
-
     if (ctx->chainOut != NULL
             && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
         goto err;
@@ -441,50 +391,10 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
     return OSSL_CMP_PKISI_dup(ctx->statusOut);
 }
 
-/* return -1 for error, 0 for no update available */
-static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
-                            const X509_CRL *crl)
-{
-    OSSL_CMP_CRLSTATUS *crlstatus;
-    DIST_POINT_NAME *dpn = NULL;
-    GENERAL_NAMES *issuer = NULL;
-    ASN1_TIME *thisupd = NULL;
-
-    if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST);
-        return -1;
-    }
-    if (crl == NULL)
-        return 0;
-
-    crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
-    if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd))
-        return -1;
-
-    if (issuer != NULL) {
-        GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0);
-
-        if (gn != NULL && gn->type == GEN_DIRNAME) {
-            X509_NAME *gen_name = gn->d.dirn;
-
-            if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
-                ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
-                return -1;
-            }
-        } else {  
-            ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);  
-            return -1; /* error according to RFC 9483 section 4.3.4 */  
-        }
-    }
-
-    return thisupd == NULL
-        || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;
-}
-
 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
                                         const OSSL_CMP_ITAV *req)
 {
-    OSSL_CMP_ITAV *rsp = NULL;
+    OSSL_CMP_ITAV *rsp;
 
     switch (req_nid) {
     case NID_id_it_caCerts:
@@ -508,63 +418,6 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
                                                         ctx->oldWithNew);
         }
         break;
-    case NID_id_it_crlStatusList:
-        {
-            STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
-            int res = 0;
-
-            if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
-                return NULL;
-
-            res = check_client_crl(crlstatuslist, ctx->crlOut);
-            if (res < 0)
-                rsp = NULL;
-            else
-                rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
-        }
-        break;
-    case NID_id_it_certReqTemplate:
-        {
-            OSSL_CRMF_CERTTEMPLATE *reqtemp;
-            OSSL_CMP_ATAVS *keyspec = NULL;
-            X509_ALGOR *keyalg = NULL;
-            OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
-            int ok = 0;
-
-            if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
-                return NULL;
-
-            if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
-                                             X509_get_issuer_name(ctx->refCert),
-                                             NULL))
-                goto crt_err;
-
-            if ((keyalg = X509_ALGOR_new()) == NULL)
-                goto crt_err;
-
-            (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
-                                  V_ASN1_UNDEF, NULL); /* cannot fail */
-
-            eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
-            rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
-            ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
-                 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
-            OSSL_CMP_ATAV_free(eckeyalg);
-            OSSL_CMP_ATAV_free(rsakeylen);
-            X509_ALGOR_free(keyalg);
-
-            if (!ok)
-                goto crt_err;
-
-            rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
-            return rsp;
-
-        crt_err:
-            OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
-            OSSL_CMP_ATAVS_free(keyspec);
-            return NULL;
-        }
-        break;
     default:
         rsp = OSSL_CMP_ITAV_dup(req);
     }

apps/lib/engine_loader.c

@@ -14,7 +14,6 @@
  */
 #define OPENSSL_SUPPRESS_DEPRECATED
 
-#include "internal/e_os.h"
 #include "apps.h"
 
 #ifndef OPENSSL_NO_ENGINE

apps/lib/http_server.c

@@ -18,10 +18,8 @@
 #endif
 
 #include <ctype.h>
-#include "internal/e_os.h"
 #include "http_server.h"
-#include "internal/sockets.h" /* for openssl_fdset() */
-
+#include "internal/sockets.h"
 #include <openssl/err.h>
 #include <openssl/trace.h>
 #include <openssl/rand.h>

apps/lib/names.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -22,8 +22,7 @@ void collect_names(const char *name, void *vdata)
 {
     STACK_OF(OPENSSL_CSTRING) *names = vdata;
 
-    /* A failure to push cannot be handled so we ignore the result. */
-    (void)sk_OPENSSL_CSTRING_push(names, name);
+    sk_OPENSSL_CSTRING_push(names, name);
 }
 
 void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names)

apps/lib/s_cb.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -416,28 +416,16 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
 
 int ssl_print_tmp_key(BIO *out, SSL *s)
 {
-    const char *keyname;
     EVP_PKEY *key;
 
-    if (!SSL_get_peer_tmp_key(s, &key)) {
-        if (SSL_version(s) == TLS1_3_VERSION)
-            BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
-                       SSL_group_to_name(s, SSL_get_negotiated_group(s)));
+    if (!SSL_get_peer_tmp_key(s, &key))
         return 1;
-    }
-
-    BIO_puts(out, "Peer Temp Key: ");
+    BIO_puts(out, "Server Temp Key: ");
     switch (EVP_PKEY_get_id(key)) {
     case EVP_PKEY_RSA:
         BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_get_bits(key));
         break;
 
-    case EVP_PKEY_KEYMGMT:
-        if ((keyname = EVP_PKEY_get0_type_name(key)) == NULL)
-            keyname = "?";
-        BIO_printf(out, "%s\n", keyname);
-        break;
-
     case EVP_PKEY_DH:
         BIO_printf(out, "DH, %d bits\n", EVP_PKEY_get_bits(key));
         break;
@@ -1306,7 +1294,6 @@ void print_verify_detail(SSL *s, BIO *bio)
 
 void print_ssl_summary(SSL *s)
 {
-    const char *sigalg;
     const SSL_CIPHER *c;
     X509 *peer = SSL_get0_peer_certificate(s);
     EVP_PKEY *peer_rpk = SSL_get0_peer_rpk(s);
@@ -1324,13 +1311,13 @@ void print_ssl_summary(SSL *s)
         BIO_puts(bio_err, "\n");
         if (SSL_get_peer_signature_nid(s, &nid))
             BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
-        if (SSL_get0_peer_signature_name(s, &sigalg))
-            BIO_printf(bio_err, "Signature type: %s\n", sigalg);
+        if (SSL_get_peer_signature_type_nid(s, &nid))
+            BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
         print_verify_detail(s, bio_err);
     } else if (peer_rpk != NULL) {
         BIO_printf(bio_err, "Peer used raw public key\n");
-        if (SSL_get0_peer_signature_name(s, &sigalg))
-            BIO_printf(bio_err, "Signature type: %s\n", sigalg);
+        if (SSL_get_peer_signature_type_nid(s, &nid))
+            BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
         print_verify_detail(s, bio_err);
     } else {
         BIO_puts(bio_err, "No peer certificate or raw public key\n");
@@ -1339,8 +1326,12 @@ void print_ssl_summary(SSL *s)
     ssl_print_point_formats(bio_err, s);
     if (SSL_is_server(s))
         ssl_print_groups(bio_err, s, 1);
+    else
+        ssl_print_tmp_key(bio_err, s);
+#else
+    if (!SSL_is_server(s))
+        ssl_print_tmp_key(bio_err, s);
 #endif
-    ssl_print_tmp_key(bio_err, s);
 }
 
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,

apps/lib/s_socket.c

@@ -37,10 +37,9 @@ typedef unsigned int u_int;
 
 #ifndef OPENSSL_NO_SOCK
 
-# include "internal/e_os.h"
 # include "apps.h"
 # include "s_apps.h"
-# include "internal/sockets.h" /* for openssl_fdset() */
+# include "internal/sockets.h"
 
 # include <openssl/bio.h>
 # include <openssl/err.h>

apps/lib/tlssrp_depr.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -178,7 +178,7 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
         goto err;
     }
     BIO_printf(bio_err,
-               "SRP parameters set: username = \"%s\" info=\"%s\"\n",
+               "SRP parameters set: username = \"%s\" info=\"%s\" \n",
                p->login, p->user->info);
     ret = SSL_ERROR_NONE;
 
@@ -199,7 +199,7 @@ int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
     srp_callback_parm->login = NULL;
 
     if (srp_callback_parm->vb == NULL) {
-        BIO_printf(bio_err, "Failed to initialize SRP verifier file\n");
+        BIO_printf(bio_err, "Failed to initialize SRP verifier file \n");
         return 0;
     }
     if ((ret =

apps/list.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,8 +10,6 @@
 /* We need to use some deprecated APIs */
 #define OPENSSL_SUPPRESS_DEPRECATED
 
-#include "internal/e_os.h"
-
 #include <string.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -23,9 +21,6 @@
 #include <openssl/store.h>
 #include <openssl/core_names.h>
 #include <openssl/rand.h>
-#include <openssl/safestack.h>
-#include <openssl/ssl.h>
-#include <openssl/tls1.h>
 #include "apps.h"
 #include "app_params.h"
 #include "progs.h"
@@ -58,7 +53,6 @@ IS_FETCHABLE(mac, EVP_MAC)
 IS_FETCHABLE(kdf, EVP_KDF)
 IS_FETCHABLE(rand, EVP_RAND)
 IS_FETCHABLE(keymgmt, EVP_KEYMGMT)
-IS_FETCHABLE(skeymgmt, EVP_SKEYMGMT)
 IS_FETCHABLE(signature, EVP_SIGNATURE)
 IS_FETCHABLE(kem, EVP_KEM)
 IS_FETCHABLE(asym_cipher, EVP_ASYM_CIPHER)
@@ -77,7 +71,7 @@ static void legacy_cipher_fn(const EVP_CIPHER *c,
 {
     if (select_name != NULL
         && (c == NULL
-            || OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0))
+            || OPENSSL_strcasecmp(select_name,  EVP_CIPHER_get0_name(c)) != 0))
         return;
     if (c != NULL) {
         BIO_printf(arg, "  %s\n", EVP_CIPHER_get0_name(c));
@@ -104,9 +98,8 @@ static void collect_ciphers(EVP_CIPHER *cipher, void *stack)
     STACK_OF(EVP_CIPHER) *cipher_stack = stack;
 
     if (is_cipher_fetchable(cipher)
-            && EVP_CIPHER_up_ref(cipher)
-            && sk_EVP_CIPHER_push(cipher_stack, cipher) <= 0)
-        EVP_CIPHER_free(cipher); /* up-ref successful but push to stack failed */
+            && sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)
+        EVP_CIPHER_up_ref(cipher);
 }
 
 static void list_ciphers(const char *prefix)
@@ -189,9 +182,8 @@ static void collect_digests(EVP_MD *digest, void *stack)
     STACK_OF(EVP_MD) *digest_stack = stack;
 
     if (is_digest_fetchable(digest)
-            && EVP_MD_up_ref(digest)
-            && sk_EVP_MD_push(digest_stack, digest) <= 0)
-        EVP_MD_free(digest); /* up-ref successful but push to stack failed */
+            && sk_EVP_MD_push(digest_stack, digest) > 0)
+        EVP_MD_up_ref(digest);
 }
 
 static void list_digests(const char *prefix)
@@ -322,9 +314,8 @@ static void collect_kdfs(EVP_KDF *kdf, void *stack)
     STACK_OF(EVP_KDF) *kdf_stack = stack;
 
     if (is_kdf_fetchable(kdf)
-            && EVP_KDF_up_ref(kdf)
-            && sk_EVP_KDF_push(kdf_stack, kdf) <= 0)
-        EVP_KDF_free(kdf); /* up-ref successful but push to stack failed */
+            && sk_EVP_KDF_push(kdf_stack, kdf) > 0)
+        EVP_KDF_up_ref(kdf);
 }
 
 static void list_kdfs(void)
@@ -393,9 +384,8 @@ static void collect_rands(EVP_RAND *rand, void *stack)
     STACK_OF(EVP_RAND) *rand_stack = stack;
 
     if (is_rand_fetchable(rand)
-            && EVP_RAND_up_ref(rand)
-            && sk_EVP_RAND_push(rand_stack, rand) <= 0)
-        EVP_RAND_free(rand); /* up-ref successful but push to stack failed */
+            && sk_EVP_RAND_push(rand_stack, rand) > 0)
+        EVP_RAND_up_ref(rand);
 }
 
 static void list_random_generators(void)
@@ -520,9 +510,8 @@ static void collect_encoders(OSSL_ENCODER *encoder, void *stack)
     STACK_OF(OSSL_ENCODER) *encoder_stack = stack;
 
     if (is_encoder_fetchable(encoder)
-            && OSSL_ENCODER_up_ref(encoder)
-            && sk_OSSL_ENCODER_push(encoder_stack, encoder) <= 0)
-        OSSL_ENCODER_free(encoder); /* up-ref successful but push to stack failed */
+            && sk_OSSL_ENCODER_push(encoder_stack, encoder) > 0)
+        OSSL_ENCODER_up_ref(encoder);
 }
 
 static void list_encoders(void)
@@ -586,9 +575,8 @@ static void collect_decoders(OSSL_DECODER *decoder, void *stack)
     STACK_OF(OSSL_DECODER) *decoder_stack = stack;
 
     if (is_decoder_fetchable(decoder)
-            && OSSL_DECODER_up_ref(decoder)
-            && sk_OSSL_DECODER_push(decoder_stack, decoder) <= 0)
-        OSSL_DECODER_free(decoder); /* up-ref successful but push to stack failed */
+            && sk_OSSL_DECODER_push(decoder_stack, decoder) > 0)
+        OSSL_DECODER_up_ref(decoder);
 }
 
 static void list_decoders(void)
@@ -649,9 +637,8 @@ static void collect_keymanagers(EVP_KEYMGMT *km, void *stack)
     STACK_OF(EVP_KEYMGMT) *km_stack = stack;
 
     if (is_keymgmt_fetchable(km)
-            && EVP_KEYMGMT_up_ref(km)
-            && sk_EVP_KEYMGMT_push(km_stack, km) <= 0)
-        EVP_KEYMGMT_free(km); /* up-ref successful but push to stack failed */
+            && sk_EVP_KEYMGMT_push(km_stack, km) > 0)
+        EVP_KEYMGMT_up_ref(km);
 }
 
 static void list_keymanagers(void)
@@ -700,61 +687,6 @@ static void list_keymanagers(void)
     sk_EVP_KEYMGMT_pop_free(km_stack, EVP_KEYMGMT_free);
 }
 
-DEFINE_STACK_OF(EVP_SKEYMGMT)
-static int skeymanager_cmp(const EVP_SKEYMGMT * const *a,
-                           const EVP_SKEYMGMT * const *b)
-{
-    return strcmp(OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(*a)),
-                  OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(*b)));
-}
-
-static void collect_skeymanagers(EVP_SKEYMGMT *km, void *stack)
-{
-    STACK_OF(EVP_SKEYMGMT) *km_stack = stack;
-
-    if (is_skeymgmt_fetchable(km)
-            && sk_EVP_SKEYMGMT_push(km_stack, km) > 0)
-        EVP_SKEYMGMT_up_ref(km);
-}
-
-static void list_skeymanagers(void)
-{
-    int i;
-    STACK_OF(EVP_SKEYMGMT) *km_stack = sk_EVP_SKEYMGMT_new(skeymanager_cmp);
-
-    EVP_SKEYMGMT_do_all_provided(app_get0_libctx(), collect_skeymanagers,
-                                 km_stack);
-    sk_EVP_SKEYMGMT_sort(km_stack);
-
-    for (i = 0; i < sk_EVP_SKEYMGMT_num(km_stack); i++) {
-        EVP_SKEYMGMT *k = sk_EVP_SKEYMGMT_value(km_stack, i);
-        STACK_OF(OPENSSL_CSTRING) *names = NULL;
-
-        if (select_name != NULL && !EVP_SKEYMGMT_is_a(k, select_name))
-            continue;
-
-        names = sk_OPENSSL_CSTRING_new(name_cmp);
-        if (names != NULL && EVP_SKEYMGMT_names_do_all(k, collect_names, names)) {
-            const char *desc = EVP_SKEYMGMT_get0_description(k);
-
-            BIO_printf(bio_out, "  Name: ");
-            if (desc != NULL)
-                BIO_printf(bio_out, "%s", desc);
-            else
-                BIO_printf(bio_out, "%s", sk_OPENSSL_CSTRING_value(names, 0));
-            BIO_printf(bio_out, "\n");
-            BIO_printf(bio_out, "    Type: Provider Algorithm\n");
-            BIO_printf(bio_out, "    IDs: ");
-            print_names(bio_out, names);
-            BIO_printf(bio_out, " @ %s\n",
-                       OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(k)));
-
-        }
-        sk_OPENSSL_CSTRING_free(names);
-    }
-    sk_EVP_SKEYMGMT_pop_free(km_stack, EVP_SKEYMGMT_free);
-}
-
 DEFINE_STACK_OF(EVP_SIGNATURE)
 static int signature_cmp(const EVP_SIGNATURE * const *a,
                          const EVP_SIGNATURE * const *b)
@@ -768,9 +700,8 @@ static void collect_signatures(EVP_SIGNATURE *sig, void *stack)
     STACK_OF(EVP_SIGNATURE) *sig_stack = stack;
 
     if (is_signature_fetchable(sig)
-            && EVP_SIGNATURE_up_ref(sig)
-            && sk_EVP_SIGNATURE_push(sig_stack, sig) <= 0)
-        EVP_SIGNATURE_free(sig); /* up-ref successful but push to stack failed */
+            && sk_EVP_SIGNATURE_push(sig_stack, sig) > 0)
+        EVP_SIGNATURE_up_ref(sig);
 }
 
 static void list_signatures(void)
@@ -816,90 +747,6 @@ static void list_signatures(void)
         BIO_printf(bio_out, " -\n");
 }
 
-static int list_provider_tls_sigalgs(const OSSL_PARAM params[], void *data)
-{
-    const OSSL_PARAM *p;
-
-    /* Get registered IANA name */
-    p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME);
-    if (p != NULL && p->data_type == OSSL_PARAM_UTF8_STRING) {
-        if (*((int *)data) > 0)
-            BIO_printf(bio_out, ":");
-        BIO_printf(bio_out, "%s", (char *)(p->data));
-        /* mark presence of a provider-based sigalg */
-        *((int *)data) = 2;
-    }
-    /* As built-in providers don't have this capability, never error */
-    return 1;
-}
-
-static int list_tls_sigalg_caps(OSSL_PROVIDER *provider, void *cbdata)
-{
-    OSSL_PROVIDER_get_capabilities(provider, "TLS-SIGALG",
-                                   list_provider_tls_sigalgs,
-                                   cbdata);
-    /* As built-in providers don't have this capability, never error */
-    return 1;
-}
-
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-static void list_tls_groups(int version, int all)
-{
-    SSL_CTX *ctx = NULL;
-    STACK_OF(OPENSSL_CSTRING) *groups;
-    size_t i, num;
-
-    if ((groups = sk_OPENSSL_CSTRING_new_null()) == NULL) {
-        BIO_printf(bio_err, "ERROR: Memory allocation\n");
-        return;
-    }
-    if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
-        BIO_printf(bio_err, "ERROR: Memory allocation\n");
-        goto err;
-    }
-    if (!SSL_CTX_set_min_proto_version(ctx, version)
-        || !SSL_CTX_set_max_proto_version(ctx, version)) {
-        BIO_printf(bio_err, "ERROR: setting TLS protocol version\n");
-        goto err;
-    }
-    if (!SSL_CTX_get0_implemented_groups(ctx, all, groups)) {
-        BIO_printf(bio_err, "ERROR: getting implemented TLS group list\n");
-        goto err;
-    }
-    num = sk_OPENSSL_CSTRING_num(groups);
-    for (i = 0; i < num; ++i) {
-        BIO_printf(bio_out, "%s%c", sk_OPENSSL_CSTRING_value(groups, i),
-                   (i < num - 1) ? ':' : '\n');
-    }
-  err:
-    SSL_CTX_free(ctx);
-    sk_OPENSSL_CSTRING_free(groups);
-    return;
-}
-#endif
-
-static void list_tls_signatures(void)
-{
-    int tls_sigalg_listed = 0;
-    char *builtin_sigalgs = SSL_get1_builtin_sigalgs(app_get0_libctx());
-
-    if (builtin_sigalgs != NULL) {
-        if (builtin_sigalgs[0] != 0) {
-            BIO_printf(bio_out, "%s", builtin_sigalgs);
-            tls_sigalg_listed = 1;
-        }
-        OPENSSL_free(builtin_sigalgs);
-    }
-
-    if (!OSSL_PROVIDER_do_all(NULL, list_tls_sigalg_caps, &tls_sigalg_listed))
-        BIO_printf(bio_err,
-                   "ERROR: could not list all provider signature algorithms\n");
-    if (tls_sigalg_listed < 2)
-        BIO_printf(bio_out,
-                   "\nNo TLS sig algs registered by currently active providers");
-    BIO_printf(bio_out, "\n");
-}
-
 DEFINE_STACK_OF(EVP_KEM)
 static int kem_cmp(const EVP_KEM * const *a,
                    const EVP_KEM * const *b)
@@ -913,9 +760,8 @@ static void collect_kem(EVP_KEM *kem, void *stack)
     STACK_OF(EVP_KEM) *kem_stack = stack;
 
     if (is_kem_fetchable(kem)
-            && EVP_KEM_up_ref(kem)
-            && sk_EVP_KEM_push(kem_stack, kem) <= 0)
-        EVP_KEM_free(kem); /* up-ref successful but push to stack failed */
+            && sk_EVP_KEM_push(kem_stack, kem) > 0)
+        EVP_KEM_up_ref(kem);
 }
 
 static void list_kems(void)
@@ -973,9 +819,8 @@ static void collect_asymciph(EVP_ASYM_CIPHER *asym_cipher, void *stack)
     STACK_OF(EVP_ASYM_CIPHER) *asym_cipher_stack = stack;
 
     if (is_asym_cipher_fetchable(asym_cipher)
-            && EVP_ASYM_CIPHER_up_ref(asym_cipher)
-            && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) <= 0)
-        EVP_ASYM_CIPHER_free(asym_cipher); /* up-ref successful but push to stack failed */
+            && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) > 0)
+        EVP_ASYM_CIPHER_up_ref(asym_cipher);
 }
 
 static void list_asymciphers(void)
@@ -1036,9 +881,8 @@ static void collect_kex(EVP_KEYEXCH *kex, void *stack)
     STACK_OF(EVP_KEYEXCH) *kex_stack = stack;
 
     if (is_keyexch_fetchable(kex)
-            && EVP_KEYEXCH_up_ref(kex)
-            && sk_EVP_KEYEXCH_push(kex_stack, kex) <= 0)
-        EVP_KEYEXCH_free(kex); /* up-ref successful but push to stack failed */
+            && sk_EVP_KEYEXCH_push(kex_stack, kex) > 0)
+        EVP_KEYEXCH_up_ref(kex);
 }
 
 static void list_keyexchanges(void)
@@ -1317,9 +1161,8 @@ static void collect_store_loaders(OSSL_STORE_LOADER *store, void *stack)
 {
     STACK_OF(OSSL_STORE_LOADER) *store_stack = stack;
 
-    if (OSSL_STORE_LOADER_up_ref(store)
-            && sk_OSSL_STORE_LOADER_push(store_stack, store) <= 0)
-        OSSL_STORE_LOADER_free(store); /* up-ref successful but push to stack failed */
+    if (sk_OSSL_STORE_LOADER_push(store_stack, store) > 0)
+        OSSL_STORE_LOADER_up_ref(store);
 }
 
 static void list_store_loaders(void)
@@ -1366,7 +1209,6 @@ static int provider_cmp(const OSSL_PROVIDER * const *a,
 static int collect_providers(OSSL_PROVIDER *provider, void *stack)
 {
     STACK_OF(OSSL_PROVIDER) *provider_stack = stack;
-
     /*
      * If OK - result is the index of inserted data
      * Error - result is -1 or 0
@@ -1617,22 +1459,11 @@ typedef enum HELPLIST_CHOICE {
     OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_DISABLED,
     OPT_KDF_ALGORITHMS, OPT_RANDOM_INSTANCES, OPT_RANDOM_GENERATORS,
     OPT_ENCODERS, OPT_DECODERS, OPT_KEYMANAGERS, OPT_KEYEXCHANGE_ALGORITHMS,
-    OPT_SKEYMANAGERS,
-    OPT_KEM_ALGORITHMS, OPT_SIGNATURE_ALGORITHMS,
-    OPT_TLS_SIGNATURE_ALGORITHMS, OPT_ASYM_CIPHER_ALGORITHMS,
-    OPT_STORE_LOADERS, OPT_PROVIDER_INFO, OPT_OBJECTS,
-    OPT_SELECT_NAME,
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-    OPT_ALL_TLS_GROUPS, OPT_TLS_GROUPS,
-# if !defined(OPENSSL_NO_TLS1_2)
-    OPT_TLS1_2,
-# endif
-# if !defined(OPENSSL_NO_TLS1_3)
-    OPT_TLS1_3,
-# endif
-#endif
+    OPT_KEM_ALGORITHMS, OPT_SIGNATURE_ALGORITHMS, OPT_ASYM_CIPHER_ALGORITHMS,
+    OPT_STORE_LOADERS, OPT_PROVIDER_INFO,
+    OPT_OBJECTS, OPT_SELECT_NAME,
 #ifndef OPENSSL_NO_DEPRECATED_3_0
-    OPT_ENGINES,
+    OPT_ENGINES, 
 #endif
     OPT_PROV_ENUM
 } HELPLIST_CHOICE;
@@ -1664,23 +1495,20 @@ const OPTIONS list_options[] = {
     {"mac-algorithms", OPT_MAC_ALGORITHMS, '-',
      "List of message authentication code algorithms"},
 #ifndef OPENSSL_NO_DEPRECATED_3_0
-    {"cipher-commands", OPT_CIPHER_COMMANDS, '-',
-     "List of cipher commands (deprecated)"},
+    {"cipher-commands", OPT_CIPHER_COMMANDS, '-', 
+    "List of cipher commands (deprecated)"},
 #endif
     {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-',
      "List of symmetric cipher algorithms"},
     {"encoders", OPT_ENCODERS, '-', "List of encoding methods" },
     {"decoders", OPT_DECODERS, '-', "List of decoding methods" },
     {"key-managers", OPT_KEYMANAGERS, '-', "List of key managers" },
-    {"skey-managers", OPT_SKEYMANAGERS, '-', "List of symmetric key managers" },
     {"key-exchange-algorithms", OPT_KEYEXCHANGE_ALGORITHMS, '-',
      "List of key exchange algorithms" },
     {"kem-algorithms", OPT_KEM_ALGORITHMS, '-',
      "List of key encapsulation mechanism algorithms" },
     {"signature-algorithms", OPT_SIGNATURE_ALGORITHMS, '-',
      "List of signature algorithms" },
-    {"tls-signature-algorithms", OPT_TLS_SIGNATURE_ALGORITHMS, '-',
-     "List of TLS signature algorithms" },
     {"asymcipher-algorithms", OPT_ASYM_CIPHER_ALGORITHMS, '-',
       "List of asymmetric cipher algorithms" },
     {"public-key-algorithms", OPT_PK_ALGORITHMS, '-',
@@ -1689,20 +1517,6 @@ const OPTIONS list_options[] = {
      "List of public key methods"},
     {"store-loaders", OPT_STORE_LOADERS, '-',
      "List of store loaders"},
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
-    {"tls-groups", OPT_TLS_GROUPS, '-',
-     "List implemented TLS key exchange 'groups'" },
-    {"all-tls-groups", OPT_ALL_TLS_GROUPS, '-',
-     "List implemented TLS key exchange 'groups' and all aliases" },
-# ifndef OPENSSL_NO_TLS1_2
-    {"tls1_2", OPT_TLS1_2, '-',
-     "When listing 'groups', list those compatible with TLS1.2"},
-# endif
-# ifndef OPENSSL_NO_TLS1_3
-    {"tls1_3", OPT_TLS1_3, '-',
-     "When listing 'groups', list those compatible with TLS1.3"},
-# endif
-#endif
     {"providers", OPT_PROVIDER_INFO, '-',
      "List of provider information"},
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -1725,14 +1539,6 @@ int list_main(int argc, char **argv)
     HELPLIST_CHOICE o;
     int one = 0, done = 0;
     int print_newline = 0;
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-    int all_tls_groups = 0;
-# if !defined(OPENSSL_NO_TLS1_3)
-    unsigned int tls_version = TLS1_3_VERSION;
-# else
-    unsigned int tls_version = TLS1_2_VERSION;
-# endif
-#endif
     struct {
         unsigned int commands:1;
         unsigned int all_algorithms:1;
@@ -1747,12 +1553,9 @@ int list_main(int argc, char **argv)
         unsigned int encoder_algorithms:1;
         unsigned int decoder_algorithms:1;
         unsigned int keymanager_algorithms:1;
-        unsigned int skeymanager_algorithms:1;
         unsigned int signature_algorithms:1;
-        unsigned int tls_signature_algorithms:1;
         unsigned int keyexchange_algorithms:1;
         unsigned int kem_algorithms:1;
-        unsigned int tls_groups:1;
         unsigned int asym_cipher_algorithms:1;
         unsigned int pk_algorithms:1;
         unsigned int pk_method:1;
@@ -1821,40 +1624,15 @@ opthelp:
         case OPT_KEYMANAGERS:
             todo.keymanager_algorithms = 1;
             break;
-        case OPT_SKEYMANAGERS:
-            todo.skeymanager_algorithms = 1;
-            break;
         case OPT_SIGNATURE_ALGORITHMS:
             todo.signature_algorithms = 1;
             break;
-        case OPT_TLS_SIGNATURE_ALGORITHMS:
-            todo.tls_signature_algorithms = 1;
-            break;
         case OPT_KEYEXCHANGE_ALGORITHMS:
             todo.keyexchange_algorithms = 1;
             break;
         case OPT_KEM_ALGORITHMS:
             todo.kem_algorithms = 1;
             break;
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-        case OPT_TLS_GROUPS:
-            todo.tls_groups = 1;
-            break;
-        case OPT_ALL_TLS_GROUPS:
-            all_tls_groups = 1;
-            todo.tls_groups = 1;
-            break;
-# if !defined(OPENSSL_NO_TLS1_2)
-        case OPT_TLS1_2:
-            tls_version = TLS1_2_VERSION;
-            break;
-# endif
-# if !defined(OPENSSL_NO_TLS1_3)
-        case OPT_TLS1_3:
-            tls_version = TLS1_3_VERSION;
-            break;
-# endif
-#endif
         case OPT_ASYM_CIPHER_ALGORITHMS:
             todo.asym_cipher_algorithms = 1;
             break;
@@ -1908,7 +1686,7 @@ opthelp:
             BIO_printf(bio_out, "\n"); \
         } \
         cmd; \
-    } while (0)
+    } while(0)
 
     if (todo.commands)
         MAYBE_ADD_NL(list_type(FT_general, one));
@@ -1964,22 +1742,14 @@ opthelp:
         MAYBE_ADD_NL(list_decoders());
     if (todo.keymanager_algorithms)
         MAYBE_ADD_NL(list_keymanagers());
-    if (todo.skeymanager_algorithms)
-        MAYBE_ADD_NL(list_skeymanagers());
     if (todo.signature_algorithms)
         MAYBE_ADD_NL(list_signatures());
-    if (todo.tls_signature_algorithms)
-        MAYBE_ADD_NL(list_tls_signatures());
     if (todo.asym_cipher_algorithms)
         MAYBE_ADD_NL(list_asymciphers());
     if (todo.keyexchange_algorithms)
         MAYBE_ADD_NL(list_keyexchanges());
     if (todo.kem_algorithms)
         MAYBE_ADD_NL(list_kems());
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-    if (todo.tls_groups)
-        MAYBE_ADD_NL(list_tls_groups(tls_version, all_tls_groups));
-#endif
     if (todo.pk_algorithms)
         MAYBE_ADD_NL(list_pkey());
     if (todo.pk_method)

apps/ocsp.c

@@ -553,6 +553,10 @@ int ocsp_main(int argc, char **argv)
         && respin == NULL && !(port != NULL && ridx_filename != NULL))
         goto opthelp;
 
+    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
+    if (out == NULL)
+        goto end;
+
     if (req == NULL && (add_nonce != 2))
         add_nonce = 0;
 
@@ -705,10 +709,6 @@ redo_accept:
         }
     }
 
-    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
-    if (out == NULL)
-        goto end;
-
     if (req_text && req != NULL)
         OCSP_REQUEST_print(out, req, 0);
 

apps/openssl-vms.cnf

@@ -342,8 +342,8 @@ path = pkix/
 
 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
-ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
-unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+ignore_keyusage = 1 # potentially needed quirk
+unprotected_errors = 1 # potentially needed quirk
 extracertsout = insta.extracerts.pem
 
 # Client authentication

apps/openssl.c

@@ -7,8 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "internal/e_os.h"
-
 #include <stdio.h>
 #include <stdlib.h>
 #include "internal/common.h"

apps/openssl.cnf

@@ -342,8 +342,8 @@ path = pkix/
 
 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
-ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
-unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+ignore_keyusage = 1 # potentially needed quirk
+unprotected_errors = 1 # potentially needed quirk
 extracertsout = insta.extracerts.pem
 
 # Client authentication

apps/passwd.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -369,7 +369,8 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
     if (magic_len > 0)
         salt_out += 2 + magic_len;
 
-    assert(salt_len <= 8);
+    if (salt_len > 8)
+        goto err;
 
     md = EVP_MD_CTX_new();
     if (md == NULL
@@ -706,14 +707,15 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
     cp = out_buf + strlen(out_buf);
     *cp++ = ascii_dollar[0];
 
-# define b64_from_24bit(B2, B1, B0, N)                                  \
+# define b64_from_24bit(B2, B1, B0, N)                                   \
     do {                                                                \
         unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);             \
         int i = (N);                                                    \
-        while (i-- > 0) {                                               \
-            *cp++ = cov_2char[w & 0x3f];                                \
-            w >>= 6;                                                    \
-        }                                                               \
+        while (i-- > 0)                                                 \
+            {                                                           \
+                *cp++ = cov_2char[w & 0x3f];                            \
+                w >>= 6;                                                \
+            }                                                           \
     } while (0)
 
     switch (magic[0]) {

apps/pkcs12.c

@@ -70,7 +70,7 @@ typedef enum OPTION_choice {
     OPT_NAME, OPT_CSP, OPT_CANAME,
     OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
     OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
-    OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD,
+    OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST,
 #ifndef OPENSSL_NO_DES
     OPT_LEGACY_ALG
 #endif
@@ -147,8 +147,6 @@ const OPTIONS pkcs12_options[] = {
 #endif
     {"macalg", OPT_MACALG, 's',
      "Digest algorithm to use in MAC (default SHA256)"},
-    {"pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC"},
-    {"pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)"},
     {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"},
     {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
     {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)"},
@@ -172,14 +170,14 @@ int pkcs12_main(int argc, char **argv)
     int use_legacy = 0;
 #endif
     /* use library defaults for the iter, maciter, cert, and key PBE */
-    int iter = 0, maciter = 0, pbmac1_pbkdf2 = 0;
+    int iter = 0, maciter = 0;
     int macsaltlen = PKCS12_SALT_LEN;
     int cert_pbe = NID_undef;
     int key_pbe = NID_undef;
     int ret = 1, macver = 1, add_lmk = 0, private = 0;
     int noprompt = 0;
     char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
-    char *passin = NULL, *passout = NULL, *macalg = NULL, *pbmac1_pbkdf2_md = NULL;
+    char *passin = NULL, *passout = NULL, *macalg = NULL;
     char *cpass = NULL, *mpass = NULL, *badpass = NULL;
     const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
@@ -285,12 +283,6 @@ int pkcs12_main(int argc, char **argv)
         case OPT_MACALG:
             macalg = opt_arg();
             break;
-        case OPT_PBMAC1_PBKDF2:
-            pbmac1_pbkdf2 = 1;
-            break;
-        case OPT_PBMAC1_PBKDF2_MD:
-            pbmac1_pbkdf2_md = opt_arg();
-            break;
         case OPT_CERTPBE:
             if (!set_pbe(&cert_pbe, opt_arg()))
                 goto opthelp;
@@ -709,20 +701,10 @@ int pkcs12_main(int argc, char **argv)
         }
 
         if (maciter != -1) {
-            if (pbmac1_pbkdf2 == 1) {
-                if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
-                                              macsaltlen, maciter,
-                                              macmd, pbmac1_pbkdf2_md)) {
-                    BIO_printf(bio_err, "Error creating PBMAC1\n");
-                    goto export_end;
-                }
-            } else {
-                if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) {
-                    BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
-                    BIO_printf(bio_err,
-                               "Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n");
-                    goto export_end;
-                }
+            if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) {
+                BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
+                BIO_printf(bio_err, "Use -nomac if MAC not required and PKCS12KDF support not available.\n");
+                goto export_end;
             }
         }
         assert(private);
@@ -793,64 +775,23 @@ int pkcs12_main(int argc, char **argv)
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
         BIO_puts(bio_err, "MAC: ");
         i2a_ASN1_OBJECT(bio_err, macobj);
-        if (OBJ_obj2nid(macobj) == NID_pbmac1) {
-            PBKDF2PARAM *pbkdf2_param = PBMAC1_get1_pbkdf2_param(macalgid);
-
-            if (pbkdf2_param == NULL) {
-                BIO_printf(bio_err, ", Unsupported KDF or params for PBMAC1\n");
-            } else {
-                const ASN1_OBJECT *prfobj;
-                int prfnid;
-
-                BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n",
-                           ASN1_INTEGER_get(pbkdf2_param->iter));
-                BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n",
-                           ASN1_INTEGER_get(pbkdf2_param->keylength),
-                           ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
-                if (pbkdf2_param->prf == NULL) {
-                    prfnid = NID_hmacWithSHA1;
-                } else {
-                    X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf);
-                    prfnid = OBJ_obj2nid(prfobj);
-                }
-                BIO_printf(bio_err, "PBKDF2 PRF: %s\n", OBJ_nid2sn(prfnid));
-            }
-            PBKDF2PARAM_free(pbkdf2_param);
-        } else {
-            BIO_printf(bio_err, ", Iteration %ld\n",
-                       tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
-            BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n",
-                       tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
-                       tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
-        }
+        BIO_printf(bio_err, ", Iteration %ld\n",
+                   tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
+        BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n",
+                   tmac != NULL ? ASN1_STRING_length(tmac) : 0L,
+                   tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
     }
-
     if (macver) {
-        const X509_ALGOR *macalgid;
-        const ASN1_OBJECT *macobj;
+        EVP_KDF *pkcs12kdf;
 
-        PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
-
-        if (macalgid == NULL) {
-            BIO_printf(bio_err, "Warning: MAC is absent!\n");
-            goto dump;
+        pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
+                                  app_get0_propq());
+        if (pkcs12kdf == NULL) {
+            BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
+            BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+            goto end;
         }
-
-        X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
-
-        if (OBJ_obj2nid(macobj) != NID_pbmac1) {
-            EVP_KDF *pkcs12kdf;
-
-            pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
-                                      app_get0_propq());
-            if (pkcs12kdf == NULL) {
-                BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
-                BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
-                goto end;
-            }
-            EVP_KDF_free(pkcs12kdf);
-        }
-
+        EVP_KDF_free(pkcs12kdf);
         /* If we enter empty password try no password first */
         if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
             /* If mac and crypto pass the same set it to NULL too */
@@ -1317,7 +1258,8 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
         }
 
         if (X509_ATTRIBUTE_count(attr)) {
-            for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) {
+            for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
+            {
                 av = X509_ATTRIBUTE_get0_type(attr, j);
                 print_attribute(out, av);
             }

apps/pkcs8.c

@@ -227,6 +227,9 @@ int pkcs8_main(int argc, char **argv)
                           informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
     if (in == NULL)
         goto end;
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
     if (topk8) {
         pkey = load_key(infile, informat, 1, passin, e, "key");
@@ -237,8 +240,6 @@ int pkcs8_main(int argc, char **argv)
             ERR_print_errors(bio_err);
             goto end;
         }
-        if ((out = bio_open_owner(outfile, outformat, private)) == NULL)
-            goto end;
         if (nocrypt) {
             assert(private);
             if (outformat == FORMAT_PEM) {
@@ -360,9 +361,6 @@ int pkcs8_main(int argc, char **argv)
     }
 
     assert(private);
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
     if (outformat == FORMAT_PEM) {
         if (traditional)
             PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0,

apps/pkey.c

@@ -208,6 +208,10 @@ int pkey_main(int argc, char **argv)
         goto end;
     }
 
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
     if (pubin)
         pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
     else
@@ -215,10 +219,6 @@ int pkey_main(int argc, char **argv)
     if (pkey == NULL)
         goto end;
 
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
 #ifndef OPENSSL_NO_EC
     if (asn1_encoding != NULL || point_format != NULL) {
         OSSL_PARAM params[3], *p = params;

apps/pkeyparam.c

@@ -97,6 +97,9 @@ int pkeyparam_main(int argc, char **argv)
     in = bio_open_default(infile, 'r', FORMAT_PEM);
     if (in == NULL)
         goto end;
+    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+    if (out == NULL)
+        goto end;
     pkey = PEM_read_bio_Parameters_ex(in, NULL, app_get0_libctx(),
                                       app_get0_propq());
     if (pkey == NULL) {
@@ -104,9 +107,6 @@ int pkeyparam_main(int argc, char **argv)
         ERR_print_errors(bio_err);
         goto end;
     }
-    out = bio_open_default(outfile, 'w', FORMAT_PEM);
-    if (out == NULL)
-        goto end;
 
     if (check) {
         if (e == NULL)

apps/pkeyutl.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -20,40 +20,25 @@
 #define KEY_PUBKEY      2
 #define KEY_CERT        3
 
-static EVP_PKEY *get_pkey(const char *kdfalg,
-                          const char *keyfile, int keyform, int key_type,
-                          char *passinarg, int pkey_op, ENGINE *e);
 static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
-                              int pkey_op, ENGINE *e,
-                              const int engine_impl, int rawin,
-                              EVP_PKEY *pkey /* ownership is passed to ctx */,
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int impl, int rawin, EVP_PKEY **ppkey,
                               EVP_MD_CTX *mctx, const char *digestname,
-                              const char *kemop, OSSL_LIB_CTX *libctx, const char *propq);
+                              OSSL_LIB_CTX *libctx, const char *propq);
 
 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                       ENGINE *e);
 
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                     unsigned char *out, size_t *poutlen,
-                    const unsigned char *in, size_t inlen,
-                    unsigned char *secret, size_t *psecretlen);
+                    const unsigned char *in, size_t inlen);
 
 static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
                         EVP_PKEY *pkey, BIO *in,
                         int filesize, unsigned char *sig, int siglen,
                         unsigned char **out, size_t *poutlen);
 
-static int only_nomd(EVP_PKEY *pkey)
-{
-#define MADE_UP_MAX_MD_NAME_LEN 100
-    char defname[MADE_UP_MAX_MD_NAME_LEN];
-    int deftype;
-
-    deftype = EVP_PKEY_get_default_digest_name(pkey, defname, sizeof(defname));
-    return deftype == 2 /* Mandatory */
-        && strcmp(defname, "UNDEF") == 0;
-}
-
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
@@ -62,7 +47,6 @@ typedef enum OPTION_choice {
     OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
     OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
     OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
-    OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
     OPT_CONFIG,
     OPT_RAWIN, OPT_DIGEST
 } OPTION_CHOICE;
@@ -79,13 +63,12 @@ const OPTIONS pkeyutl_options[] = {
     {"verify", OPT_VERIFY, '-', "Verify with public key"},
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
-    {"derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys"},
-    {"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
-    {"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
+    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
     OPT_CONFIG_OPTION,
 
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input file - default stdin"},
+    {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
     {"inkey", OPT_INKEY, 's', "Input key, by default private key"},
     {"pubin", OPT_PUBIN, '-', "Input key is a public key"},
     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
@@ -98,24 +81,20 @@ const OPTIONS pkeyutl_options[] = {
 
     OPT_SECTION("Output"),
     {"out", OPT_OUT, '>', "Output file - default stdout"},
-    {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
     {"asn1parse", OPT_ASN1PARSE, '-',
      "parse the output as ASN.1 data to check its DER encoding and print errors"},
     {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
     {"verifyrecover", OPT_VERIFYRECOVER, '-',
      "Verify RSA signature, recovering original signature input data"},
 
-    OPT_SECTION("Signing/Derivation/Encapsulation"),
-    {"rawin", OPT_RAWIN, '-',
-     "Indicate that the signature/verification input data is not yet hashed"},
+    OPT_SECTION("Signing/Derivation"),
     {"digest", OPT_DIGEST, 's',
-     "The digest algorithm to use for signing/verifying raw input data. Implies -rawin"},
+     "Specify the digest algorithm when signing the raw input data"},
     {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
     {"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
      "Public key option that is read as a passphrase argument opt:passphrase"},
     {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
     {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
-    {"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
 
     OPT_R_OPTIONS,
     OPT_PROV_OPTIONS,
@@ -125,23 +104,23 @@ const OPTIONS pkeyutl_options[] = {
 int pkeyutl_main(int argc, char **argv)
 {
     CONF *conf = NULL;
-    BIO *in = NULL, *out = NULL, *secout = NULL;
+    BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     EVP_PKEY *pkey = NULL;
-    char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL;
+    char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
     char hexdump = 0, asn1parse = 0, rev = 0, *prog;
-    unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
+    unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
     OPTION_CHOICE o;
     int buf_inlen = 0, siglen = -1;
     int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
     int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
     int engine_impl = 0;
     int ret = 1, rv = -1;
-    size_t buf_outlen = 0, secretlen = 0;
+    size_t buf_outlen;
     const char *inkey = NULL;
     const char *peerkey = NULL;
-    const char *kdfalg = NULL, *digestname = NULL, *kemop = NULL;
+    const char *kdfalg = NULL, *digestname = NULL;
     int kdflen = 0;
     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
     STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
@@ -169,9 +148,6 @@ int pkeyutl_main(int argc, char **argv)
         case OPT_OUT:
             outfile = opt_arg();
             break;
-        case OPT_SECOUT:
-            secoutfile = opt_arg();
-            break;
         case OPT_SIGFILE:
             sigfile = opt_arg();
             break;
@@ -241,16 +217,6 @@ int pkeyutl_main(int argc, char **argv)
         case OPT_DERIVE:
             pkey_op = EVP_PKEY_OP_DERIVE;
             break;
-        case OPT_DECAP:
-            pkey_op = EVP_PKEY_OP_DECAPSULATE;
-            break;
-        case OPT_ENCAP:
-            key_type = KEY_PUBKEY;
-            pkey_op = EVP_PKEY_OP_ENCAPSULATE;
-            break;
-        case OPT_KEMOP:
-            kemop = opt_arg();
-            break;
         case OPT_KDF:
             pkey_op = EVP_PKEY_OP_DERIVE;
             key_type = KEY_NONE;
@@ -294,8 +260,25 @@ int pkeyutl_main(int argc, char **argv)
     if (!app_RAND_load())
         goto end;
 
-    if (digestname != NULL)
-        rawin = 1;
+    if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
+        BIO_printf(bio_err,
+                   "%s: -rawin can only be used with -sign or -verify\n",
+                   prog);
+        goto opthelp;
+    }
+
+    if (digestname != NULL && !rawin) {
+        BIO_printf(bio_err,
+                   "%s: -digest can only be used with -rawin\n",
+                   prog);
+        goto opthelp;
+    }
+
+    if (rawin && rev) {
+        BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n",
+                   prog);
+        goto opthelp;
+    }
 
     if (kdfalg != NULL) {
         if (kdflen == 0) {
@@ -309,41 +292,7 @@ int pkeyutl_main(int argc, char **argv)
         goto opthelp;
     } else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) {
         BIO_printf(bio_err,
-                   "%s: -peerkey option not allowed without -derive.\n", prog);
-        goto opthelp;
-    } else if (peerkey == NULL && pkey_op == EVP_PKEY_OP_DERIVE) {
-        BIO_printf(bio_err,
-                   "%s: missing -peerkey option for -derive operation.\n", prog);
-        goto opthelp;
-    }
-
-    pkey = get_pkey(kdfalg, inkey, keyform, key_type, passinarg, pkey_op, e);
-
-    if (pkey_op == EVP_PKEY_OP_VERIFYRECOVER && !EVP_PKEY_is_a(pkey, "RSA")) {
-        BIO_printf(bio_err, "%s: -verifyrecover can be used only with RSA\n", prog);
-        goto end;
-    }
-
-    if (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY) {
-        if (only_nomd(pkey)) {
-            if (digestname != NULL) {
-                const char *alg = EVP_PKEY_get0_type_name(pkey);
-
-                BIO_printf(bio_err,
-                           "%s: -digest (prehash) is not supported with %s\n",
-                           prog, alg != NULL ? alg : "(unknown key type)");
-                goto end;
-            }
-            rawin = 1;
-        }
-    } else if (digestname != NULL || rawin) {
-        BIO_printf(bio_err,
-                   "%s: -digest and -rawin can only be used with -sign or -verify\n", prog);
-        goto opthelp;
-    }
-
-    if (rawin && rev) {
-        BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n", prog);
+                   "%s: no peer key given (-peerkey parameter).\n", prog);
         goto opthelp;
     }
 
@@ -353,8 +302,9 @@ int pkeyutl_main(int argc, char **argv)
             goto end;
         }
     }
-    ctx = init_ctx(kdfalg, &keysize, pkey_op, e, engine_impl, rawin, pkey,
-                   mctx, digestname, kemop, libctx, app_get0_propq());
+    ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
+                   passinarg, pkey_op, e, engine_impl, rawin, &pkey,
+                   mctx, digestname, libctx, app_get0_propq());
     if (ctx == NULL) {
         BIO_printf(bio_err, "%s: Error initializing context\n", prog);
         goto end;
@@ -407,10 +357,8 @@ int pkeyutl_main(int argc, char **argv)
                     goto end;
                 }
             } else {
-                /*
-                 * Get password as a passin argument: First split option name
-                 * and passphrase argument into two strings
-                 */
+                /* Get password as a passin argument: First split option name
+                 * and passphrase argument into two strings */
                 *passin = 0;
                 passin++;
                 if (app_passwd(passin, NULL, &passwd, NULL) == 0) {
@@ -440,7 +388,7 @@ int pkeyutl_main(int argc, char **argv)
         goto end;
     }
 
-    if (pkey_op != EVP_PKEY_OP_DERIVE && pkey_op != EVP_PKEY_OP_ENCAPSULATE) {
+    if (pkey_op != EVP_PKEY_OP_DERIVE) {
         in = bio_open_default(infile, 'r', FORMAT_BINARY);
         if (infile != NULL) {
             struct stat st;
@@ -451,33 +399,9 @@ int pkeyutl_main(int argc, char **argv)
         if (in == NULL)
             goto end;
     }
-    if (pkey_op == EVP_PKEY_OP_DECAPSULATE && outfile != NULL) {
-        if (secoutfile != NULL) {
-            BIO_printf(bio_err, "%s: Decapsulation produces only a shared "
-                                "secret and no output. The '-out' option "
-                                "is not applicable.\n", prog);
-            goto end;
-        }
-        if ((out = bio_open_owner(outfile, 'w', FORMAT_BINARY)) == NULL)
-            goto end;
-    } else {
-        out = bio_open_default(outfile, 'w', FORMAT_BINARY);
-        if (out == NULL)
-            goto end;
-    }
-
-    if (pkey_op == EVP_PKEY_OP_ENCAPSULATE
-        || pkey_op == EVP_PKEY_OP_DECAPSULATE) {
-        if (secoutfile == NULL && pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
-            BIO_printf(bio_err, "KEM-based shared-secret derivation requires "
-                                "the '-secret <file>' option\n");
-            goto end;
-        }
-        /* For backwards compatibility, default decap secrets to the output */
-        if (secoutfile != NULL
-            && (secout = bio_open_owner(secoutfile, 'w', FORMAT_BINARY)) == NULL)
-            goto end;
-    }
+    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+    if (out == NULL)
+        goto end;
 
     if (sigfile != NULL) {
         BIO *sigbio = BIO_new_file(sigfile, "rb");
@@ -506,7 +430,6 @@ int pkeyutl_main(int argc, char **argv)
             size_t i;
             unsigned char ctmp;
             size_t l = (size_t)buf_inlen;
-
             for (i = 0; i < l / 2; i++) {
                 ctmp = buf_in[i];
                 buf_in[i] = buf_in[l - 1 - i];
@@ -517,13 +440,12 @@ int pkeyutl_main(int argc, char **argv)
 
     /* Sanity check the input if the input is not raw */
     if (!rawin
-        && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
-        if (buf_inlen > EVP_MAX_MD_SIZE) {
-            BIO_printf(bio_err,
-                       "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n",
-                       buf_inlen, EVP_MAX_MD_SIZE);
-            goto end;
-        }
+            && buf_inlen > EVP_MAX_MD_SIZE
+            && (pkey_op == EVP_PKEY_OP_SIGN
+                || pkey_op == EVP_PKEY_OP_VERIFY)) {
+        BIO_printf(bio_err,
+                   "Error: The input data looks too long to be a hash\n");
+        goto end;
     }
 
     if (pkey_op == EVP_PKEY_OP_VERIFY) {
@@ -552,19 +474,13 @@ int pkeyutl_main(int argc, char **argv)
             rv = 1;
         } else {
             rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-                          buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
+                          buf_in, (size_t)buf_inlen);
         }
-        if (rv > 0
-            && (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
-                                  && pkey_op != EVP_PKEY_OP_DECAPSULATE))
-            && (buf_outlen > 0 || pkey_op == EVP_PKEY_OP_DECAPSULATE)) {
-            if (buf_outlen > 0)
-                buf_out = app_malloc(buf_outlen, "buffer output");
-            if (secretlen > 0)
-                secret = app_malloc(secretlen, "secret output");
+        if (rv > 0 && buf_outlen != 0) {
+            buf_out = app_malloc(buf_outlen, "buffer output");
             rv = do_keyop(ctx, pkey_op,
                           buf_out, (size_t *)&buf_outlen,
-                          buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
+                          buf_in, (size_t)buf_inlen);
         }
     }
     if (rv <= 0) {
@@ -585,48 +501,48 @@ int pkeyutl_main(int argc, char **argv)
     } else {
         BIO_write(out, buf_out, buf_outlen);
     }
-    /* Backwards compatible decap output fallback */
-    if (secretlen > 0)
-        BIO_write(secout ? secout : out, secret, secretlen);
 
  end:
     if (ret != 0)
         ERR_print_errors(bio_err);
     EVP_MD_CTX_free(mctx);
     EVP_PKEY_CTX_free(ctx);
-    EVP_PKEY_free(pkey);
     EVP_MD_free(md);
     release_engine(e);
     BIO_free(in);
     BIO_free_all(out);
-    BIO_free_all(secout);
     OPENSSL_free(buf_in);
     OPENSSL_free(buf_out);
     OPENSSL_free(sig);
-    OPENSSL_free(secret);
     sk_OPENSSL_STRING_free(pkeyopts);
     sk_OPENSSL_STRING_free(pkeyopts_passin);
     NCONF_free(conf);
     return ret;
 }
 
-static EVP_PKEY *get_pkey(const char *kdfalg,
-                          const char *keyfile, int keyform, int key_type,
-                          char *passinarg, int pkey_op, ENGINE *e)
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int engine_impl, int rawin,
+                              EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
+                              OSSL_LIB_CTX *libctx, const char *propq)
 {
     EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
+    ENGINE *impl = NULL;
     char *passin = NULL;
+    int rv = -1;
     X509 *x;
 
     if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
          || (pkey_op == EVP_PKEY_OP_DERIVE))
         && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
-        return NULL;
+        goto end;
     }
     if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");
-        return NULL;
+        goto end;
     }
     switch (key_type) {
     case KEY_PRIVKEY:
@@ -649,20 +565,6 @@ static EVP_PKEY *get_pkey(const char *kdfalg,
         break;
 
     }
-    OPENSSL_free(passin);
-    return pkey;
-}
-
-static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
-                              int pkey_op, ENGINE *e,
-                              const int engine_impl, int rawin,
-                              EVP_PKEY *pkey /* ownership is passed to ctx */,
-                              EVP_MD_CTX *mctx, const char *digestname,
-                              const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
-{
-    EVP_PKEY_CTX *ctx = NULL;
-    ENGINE *impl = NULL;
-    int rv = -1;
 
 #ifndef OPENSSL_NO_ENGINE
     if (engine_impl)
@@ -677,7 +579,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
             if (kdfnid == NID_undef) {
                 BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
                            kdfalg);
-                return NULL;
+                goto end;
             }
         }
         if (impl != NULL)
@@ -686,17 +588,20 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
             ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq);
     } else {
         if (pkey == NULL)
-            return NULL;
+            goto end;
 
         *pkeysize = EVP_PKEY_get_size(pkey);
         if (impl != NULL)
             ctx = EVP_PKEY_CTX_new(pkey, impl);
         else
             ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
+        if (ppkey != NULL)
+            *ppkey = pkey;
+        EVP_PKEY_free(pkey);
     }
 
     if (ctx == NULL)
-        return NULL;
+        goto end;
 
     if (rawin) {
         EVP_MD_CTX_set_pkey_ctx(mctx, ctx);
@@ -738,18 +643,6 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         case EVP_PKEY_OP_DERIVE:
             rv = EVP_PKEY_derive_init(ctx);
             break;
-
-        case EVP_PKEY_OP_ENCAPSULATE:
-            rv = EVP_PKEY_encapsulate_init(ctx, NULL);
-            if (rv > 0 && kemop != NULL)
-                rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
-            break;
-
-        case EVP_PKEY_OP_DECAPSULATE:
-            rv = EVP_PKEY_decapsulate_init(ctx, NULL);
-            if (rv > 0 && kemop != NULL)
-                rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
-            break;
         }
     }
 
@@ -758,16 +651,18 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
         ctx = NULL;
     }
 
+ end:
+    OPENSSL_free(passin);
     return ctx;
+
 }
 
 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                       ENGINE *e)
 {
-    EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
     EVP_PKEY *peer = NULL;
     ENGINE *engine = NULL;
-    int ret = 1;
+    int ret;
 
     if (peerform == FORMAT_ENGINE)
         engine = e;
@@ -776,14 +671,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
         BIO_printf(bio_err, "Error reading peer key %s\n", file);
         return 0;
     }
-    if (strcmp(EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey)) != 0) {
-        BIO_printf(bio_err,
-                   "Type of peer public key: %s does not match type of private key: %s\n",
-                   EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
-        ret = 0;
-    } else {
-        ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
-    }
+
+    ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
 
     EVP_PKEY_free(peer);
     return ret;
@@ -791,11 +680,9 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
 
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                     unsigned char *out, size_t *poutlen,
-                    const unsigned char *in, size_t inlen,
-                    unsigned char *secret, size_t *pseclen)
+                    const unsigned char *in, size_t inlen)
 {
     int rv = 0;
-
     switch (pkey_op) {
     case EVP_PKEY_OP_VERIFYRECOVER:
         rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
@@ -817,14 +704,6 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
         rv = EVP_PKEY_derive(ctx, out, poutlen);
         break;
 
-    case EVP_PKEY_OP_ENCAPSULATE:
-        rv = EVP_PKEY_encapsulate(ctx, out, poutlen, secret, pseclen);
-        break;
-
-    case EVP_PKEY_OP_DECAPSULATE:
-        rv = EVP_PKEY_decapsulate(ctx, secret, pseclen, in, inlen);
-        break;
-
     }
     return rv;
 }
@@ -842,7 +721,8 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
     int buf_len = 0;
 
     /* Some algorithms only support oneshot digests */
-    if (only_nomd(pkey)) {
+    if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED25519
+            || EVP_PKEY_get_id(pkey) == EVP_PKEY_ED448) {
         if (filesize < 0) {
             BIO_printf(bio_err,
                        "Error: unable to determine file size for oneshot operation\n");

apps/prime.c

@@ -145,14 +145,10 @@ opthelp:
             }
 
             BN_print(bio_out, bn);
-            r = BN_check_prime(bn, NULL, NULL);
-            if (r < 0) {
-                BIO_printf(bio_err, "Error checking prime\n");
-                goto end;
-            }
             BIO_printf(bio_out, " (%s) %s prime\n",
                        argv[0],
-                       r == 1 ? "is" : "is not");
+                       BN_check_prime(bn, NULL, NULL)
+                           ? "is" : "is not");
         }
     }
 

apps/rehash.c

@@ -8,7 +8,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "internal/e_os.h" /* LIST_SEPARATOR_CHAR */
 #include "apps.h"
 #include "progs.h"
 
@@ -141,7 +140,7 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
     }
 
     for (ep = bp->first_entry; ep; ep = ep->next) {
-        if (digest && memcmp(digest, ep->digest, (size_t)evpmdsize) == 0) {
+        if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) {
             BIO_printf(bio_err,
                        "%s: warning: skipping duplicate %s in %s\n",
                        opt_getprog(),
@@ -184,7 +183,7 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
     if (need_symlink && !ep->need_symlink) {
         ep->need_symlink = 1;
         bp->num_needed++;
-        memcpy(ep->digest, digest, (size_t)evpmdsize);
+        memcpy(ep->digest, digest, evpmdsize);
     }
     return 0;
 }
@@ -554,9 +553,6 @@ int rehash_main(int argc, char **argv)
     evpmd = EVP_sha1();
     evpmdsize = EVP_MD_get_size(evpmd);
 
-    if (evpmdsize <= 0 || evpmdsize > EVP_MAX_MD_SIZE)
-        goto end;
-
     if (*argv != NULL) {
         while (*argv != NULL)
             errs += do_dir(*argv++, h);

apps/req.c

@@ -30,7 +30,6 @@
 #ifndef OPENSSL_NO_DSA
 # include <openssl/dsa.h>
 #endif
-#include "internal/e_os.h"    /* For isatty() */
 
 #define BITS               "default_bits"
 #define KEYFILE            "default_keyfile"
@@ -44,7 +43,7 @@
 
 #define DEFAULT_KEY_LENGTH 2048
 #define MIN_KEY_LENGTH     512
-#define DEFAULT_DAYS       30 /* default certificate validity period in days */
+#define DEFAULT_DAYS       30 /* default cert validity period in days */
 #define UNSET_DAYS         -2 /* -1 may be used for testing expiration checks */
 #define EXT_COPY_UNSET     -1
 
@@ -81,7 +80,6 @@ static int batch = 0;
 
 typedef enum OPTION_choice {
     OPT_COMMON,
-    OPT_CIPHER,
     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
     OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
     OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
@@ -89,7 +87,7 @@ typedef enum OPTION_choice {
     OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
     OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT,
     OPT_X509, OPT_X509V1, OPT_CA, OPT_CAKEY,
-    OPT_MULTIVALUE_RDN, OPT_NOT_BEFORE, OPT_NOT_AFTER, OPT_DAYS, OPT_SET_SERIAL,
+    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL,
     OPT_COPY_EXTENSIONS, OPT_EXTENSIONS, OPT_REQEXTS, OPT_ADDEXT,
     OPT_PRECERT, OPT_MD,
     OPT_SECTION, OPT_QUIET,
@@ -99,7 +97,6 @@ typedef enum OPTION_choice {
 const OPTIONS req_options[] = {
     OPT_SECTION("General"),
     {"help", OPT_HELP, '-', "Display this summary"},
-    {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
     {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
@@ -130,11 +127,7 @@ const OPTIONS req_options[] = {
      "Print the subject of the output request or cert"},
     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
      "Deprecated; multi-valued RDNs support is always on."},
-    {"not_before", OPT_NOT_BEFORE, 's',
-     "[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
-    {"not_after", OPT_NOT_AFTER, 's',
-     "[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
-    {"days", OPT_DAYS, 'p', "Number of days certificate is valid for"},
+    {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
     {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
     {"copy_extensions", OPT_COPY_EXTENSIONS, 's',
      "copy extensions from request when using -x509"},
@@ -252,7 +245,7 @@ int req_main(int argc, char **argv)
     LHASH_OF(OPENSSL_STRING) *addexts = NULL;
     X509 *new_x509 = NULL, *CAcert = NULL;
     X509_REQ *req = NULL;
-    const EVP_CIPHER *cipher = NULL;
+    EVP_CIPHER *cipher = NULL;
     int ext_copy = EXT_COPY_UNSET;
     BIO *addext_bio = NULL;
     char *extsect = NULL;
@@ -266,7 +259,6 @@ int req_main(int argc, char **argv)
     char *template = default_config_file, *keyout = NULL;
     const char *keyalg = NULL;
     OPTION_CHOICE o;
-    char *not_before = NULL, *not_after = NULL;
     int days = UNSET_DAYS;
     int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0, progress = 1;
     int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF;
@@ -275,7 +267,9 @@ int req_main(int argc, char **argv)
     long newkey_len = -1;
     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
 
-    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
+#ifndef OPENSSL_NO_DES
+    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+#endif
 
     opt_set_unknown_name("digest");
     prog = opt_init(argc, argv, req_options);
@@ -429,15 +423,9 @@ int req_main(int argc, char **argv)
         case OPT_CAKEY:
             CAkeyfile = opt_arg();
             break;
-        case OPT_NOT_BEFORE:
-            not_before = opt_arg();
-            break;
-        case OPT_NOT_AFTER:
-            not_after = opt_arg();
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
-            if (days <= UNSET_DAYS) {
+            if (days < -1) {
                 BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",
                            prog);
                 goto end;
@@ -482,7 +470,7 @@ int req_main(int argc, char **argv)
             }
             i = duplicated(addexts, p);
             if (i == 1)
-                goto end;
+                goto opthelp;
             if (i == -1)
                 BIO_printf(bio_err, "Internal error handling -addext %s\n", p);
             if (i < 0 || BIO_printf(addext_bio, "%s\n", p) < 0)
@@ -491,13 +479,6 @@ int req_main(int argc, char **argv)
         case OPT_PRECERT:
             newreq = precert = 1;
             break;
-        case OPT_CIPHER:
-            cipher = EVP_get_cipherbyname(opt_arg());
-            if (cipher == NULL) {
-                BIO_printf(bio_err, "Unknown cipher: %s\n", opt_arg());
-                goto opthelp;
-            }
-            break;
         case OPT_MD:
             digest = opt_unknown();
             break;
@@ -513,18 +494,14 @@ int req_main(int argc, char **argv)
 
     if (!gen_x509) {
         if (days != UNSET_DAYS)
-            BIO_printf(bio_err, "Warning: Ignoring -days without -x509; not generating a certificate\n");
-        if (not_before != NULL)
-            BIO_printf(bio_err, "Warning: Ignoring -not_before without -x509; not generating a certificate\n");
-        if (not_after != NULL)
-            BIO_printf(bio_err, "Warning: Ignoring -not_after without -x509; not generating a certificate\n");
+            BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n");
         if (ext_copy == EXT_COPY_NONE)
-            BIO_printf(bio_err, "Warning: Ignoring -copy_extensions 'none' when -x509 is not given\n");
+            BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
     }
     if (infile == NULL) {
         if (gen_x509)
             newreq = 1;
-        else if (!newreq && isatty(fileno_stdin()))
+        else if (!newreq)
             BIO_printf(bio_err,
                        "Warning: Will read cert request from stdin since no -in option is given\n");
     }
@@ -825,11 +802,10 @@ int req_main(int argc, char **argv)
 
             if (!X509_set_issuer_name(new_x509, issuer))
                 goto end;
-            if (days == UNSET_DAYS)
+            if (days == UNSET_DAYS) {
                 days = DEFAULT_DAYS;
-            else if (not_after != NULL)
-                BIO_printf(bio_err,"Warning: -not_after option overriding -days option\n");
-            if (!set_cert_times(new_x509, not_before, not_after, days, 1))
+            }
+            if (!set_cert_times(new_x509, NULL, NULL, days))
                 goto end;
             if (!X509_set_subject_name(new_x509, n_subj))
                 goto end;

apps/s_client.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -16,7 +16,6 @@
 #include <errno.h>
 #include <openssl/e_os2.h>
 #include "internal/nelem.h"
-#include "internal/sockets.h" /* for openssl_fdset() */
 
 #ifndef OPENSSL_NO_SOCK
 
@@ -56,7 +55,7 @@ typedef unsigned int u_int;
 #endif
 
 #undef BUFSIZZ
-#define BUFSIZZ 1024*16
+#define BUFSIZZ 1024*8
 #define S_CLIENT_IRC_READ_TIMEOUT 8
 
 #define USER_DATA_MODE_NONE     0
@@ -208,8 +207,7 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
     const SSL_CIPHER *cipher = NULL;
 
     if (psksess != NULL) {
-        if (!SSL_SESSION_up_ref(psksess))
-            goto err;
+        SSL_SESSION_up_ref(psksess);
         usesess = psksess;
     } else {
         long key_len;
@@ -3177,7 +3175,7 @@ int s_client_main(int argc, char **argv)
                 }
             }
 #endif
-            k = SSL_read(con, sbuf, BUFSIZZ);
+            k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
 
             switch (SSL_get_error(con, k)) {
             case SSL_ERROR_NONE:
@@ -3488,7 +3486,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     c = SSL_get_current_cipher(s);
     BIO_printf(bio, "%s, Cipher is %s\n",
                SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
-    BIO_printf(bio, "Protocol: %s\n", SSL_get_version(s));
     if (peer != NULL) {
         EVP_PKEY *pktmp;
 

apps/s_server.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -9,8 +9,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "internal/e_os.h"
-
 #include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -24,7 +22,6 @@
 #include <openssl/async.h>
 #include <openssl/ssl.h>
 #include <openssl/decoder.h>
-#include "internal/sockets.h" /* for openssl_fdset() */
 
 #ifndef OPENSSL_NO_SOCK
 
@@ -209,9 +206,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
     }
 
     if (psksess != NULL) {
-        if (!SSL_SESSION_up_ref(psksess))
-            return 0;
-
+        SSL_SESSION_up_ref(psksess);
         *sess = psksess;
         return 1;
     }
@@ -1759,9 +1754,9 @@ int s_server_main(int argc, char *argv[])
         goto end;
     }
 #endif
-    if (early_data && rev) {
+    if (early_data && (www > 0 || rev)) {
         BIO_printf(bio_err,
-                   "Can't use -early_data in combination with -rev\n");
+                   "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
         goto end;
     }
 
@@ -3158,7 +3153,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
     int i, j, k, dot;
     SSL *con;
     const SSL_CIPHER *c;
-    BIO *io, *ssl_bio, *sbio, *edio;
+    BIO *io, *ssl_bio, *sbio;
 #ifdef RENEG
     int total_bytes = 0;
 #endif
@@ -3180,8 +3175,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
     p = buf = app_malloc(bufsize + 1, "server www buffer");
     io = BIO_new(BIO_f_buffer());
     ssl_bio = BIO_new(BIO_f_ssl());
-    edio = BIO_new(BIO_s_mem());
-    if ((io == NULL) || (ssl_bio == NULL) || (edio == NULL))
+    if ((io == NULL) || (ssl_bio == NULL))
         goto err;
 
     if (s_nbio) {
@@ -3241,12 +3235,6 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
         goto err;
 
     io = BIO_push(filter, io);
-
-    filter = BIO_new(BIO_f_ebcdic_filter());
-    if (filter == NULL)
-        goto err;
-
-    edio = BIO_push(filter, edio);
 #endif
 
     if (s_debug) {
@@ -3263,35 +3251,8 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
         SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
     }
 
-    if (early_data) {
-        int edret = SSL_READ_EARLY_DATA_ERROR;
-        size_t readbytes;
-
-        while (edret != SSL_READ_EARLY_DATA_FINISH) {
-            for (;;) {
-                edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
-                if (edret != SSL_READ_EARLY_DATA_ERROR)
-                    break;
-
-                switch (SSL_get_error(con, 0)) {
-                case SSL_ERROR_WANT_WRITE:
-                case SSL_ERROR_WANT_ASYNC:
-                case SSL_ERROR_WANT_READ:
-                    /* Just keep trying - busy waiting */
-                    continue;
-                default:
-                    BIO_printf(bio_err, "Error reading early data\n");
-                    ERR_print_errors(bio_err);
-                    goto err;
-                }
-            }
-            if (readbytes > 0)
-                BIO_write(edio, buf, (int)readbytes);
-        }
-    }
-
     for (;;) {
-        i = BIO_gets(!BIO_eof(edio) ? edio : io, buf, bufsize + 1);
+        i = BIO_gets(io, buf, bufsize + 1);
         if (i < 0) {            /* error */
             if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
                 if (!s_quiet)
@@ -3631,7 +3592,6 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
     OPENSSL_free(buf);
     BIO_free(ssl_bio);
     BIO_free_all(io);
-    BIO_free_all(edio);
     return ret;
 }
 

apps/skeyutl.c

@@ -1,135 +0,0 @@
-/*
- * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include "apps.h"
-#include "progs.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-typedef enum OPTION_choice {
-    OPT_COMMON,
-    OPT_PROV_ENUM,
-    OPT_CIPHER,
-    OPT_SKEYOPT, OPT_SKEYMGMT, OPT_GENKEY
-} OPTION_CHOICE;
-
-const OPTIONS skeyutl_options[] = {
-    OPT_SECTION("General"),
-    {"help", OPT_HELP, '-', "Display this summary"},
-    {"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque keys handling"},
-    {"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque keys handling"},
-    {"genkey", OPT_GENKEY, '-', "Generate an opaque symmetric key"},
-    {"cipher", OPT_CIPHER, 's', "The cipher to generate key for"},
-    OPT_PROV_OPTIONS,
-    {NULL}
-};
-
-int skeyutl_main(int argc, char **argv)
-{
-    EVP_CIPHER *cipher = NULL;
-    int ret = 1;
-    OPTION_CHOICE o;
-    int genkey = 0;
-    char *prog, *ciphername = NULL;
-    STACK_OF(OPENSSL_STRING) *skeyopts = NULL;
-    const char *skeymgmt = NULL;
-    EVP_SKEY *skey = NULL;
-    EVP_SKEYMGMT *mgmt = NULL;
-
-    prog = opt_init(argc, argv, skeyutl_options);
-    while ((o = opt_next()) != OPT_EOF) {
-        switch (o) {
-        case OPT_EOF:
-        case OPT_ERR:
- opthelp:
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-            goto end;
-        case OPT_HELP:
-            opt_help(skeyutl_options);
-            ret = 0;
-            goto end;
-        case OPT_GENKEY:
-            genkey = 1;
-            break;
-        case OPT_CIPHER:
-            ciphername = opt_arg();
-            break;
-        case OPT_SKEYOPT:
-            if ((skeyopts == NULL &&
-                 (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
-                sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
-                BIO_printf(bio_err, "%s: out of memory\n", prog);
-                goto end;
-            }
-            break;
-        case OPT_SKEYMGMT:
-            skeymgmt = opt_arg();
-            break;
-        case OPT_PROV_CASES:
-            if (!opt_provider(o))
-                goto end;
-            break;
-        }
-    }
-
-    /* Get the cipher name, either from progname (if set) or flag. */
-    if (!opt_cipher_any(ciphername, &cipher))
-        goto opthelp;
-
-    if (cipher == NULL && skeymgmt == NULL) {
-        BIO_printf(bio_err, "Either -skeymgmt -or -cipher option should be specified\n");
-        goto end;
-    }
-
-    if (genkey) {
-        OSSL_PARAM *params = NULL;
-
-        mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
-                                  skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
-                                  app_get0_propq());
-        if (mgmt == NULL)
-            goto end;
-        params = app_params_new_from_opts(skeyopts,
-                                          EVP_SKEYMGMT_get0_gen_settable_params(mgmt));
-
-        skey = EVP_SKEY_generate(app_get0_libctx(),
-                                 skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
-                                 app_get0_propq(), params);
-        OSSL_PARAM_free(params);
-        if (skey == NULL) {
-            BIO_printf(bio_err, "Error creating opaque key for skeymgmt %s\n",
-                       skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
-            ERR_print_errors(bio_err);
-        } else {
-            const char *key_name = EVP_SKEY_get0_key_id(skey);
-
-            BIO_printf(bio_out, "An opaque key identified by %s is created\n",
-                       key_name ? key_name : "<unknown>");
-            BIO_printf(bio_out, "Provider: %s\n", EVP_SKEY_get0_provider_name(skey));
-            BIO_printf(bio_out, "Key management: %s\n", EVP_SKEY_get0_skeymgmt_name(skey));
-            ret = 0;
-        }
-        goto end;
-    } else {
-        BIO_printf(bio_err, "Key generation is the only supported operation as of now\n");
-    }
-
- end:
-    ERR_print_errors(bio_err);
-    sk_OPENSSL_STRING_free(skeyopts);
-    EVP_SKEYMGMT_free(mgmt);
-    EVP_SKEY_free(skey);
-    EVP_CIPHER_free(cipher);
-    return ret;
-}

apps/smime.c

@@ -96,10 +96,7 @@ const OPTIONS smime_options[] = {
     {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
     {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
 
-    {"certfile", OPT_CERTFILE, '<',
-     "Extra signer and intermediate CA certificates to include when signing"},
-    {OPT_MORE_STR, 0, 0,
-     "or to use as preferred signer certs and for chain building when verifying"},
+    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
     {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
 
     OPT_SECTION("Email"),
@@ -477,8 +474,14 @@ int smime_main(int argc, char **argv)
     }
 
     if (operation == SMIME_ENCRYPT) {
-        if (cipher == NULL)
-            cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
+        if (cipher == NULL) {
+#ifndef OPENSSL_NO_DES
+            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+#else
+            BIO_printf(bio_err, "No cipher selected\n");
+            goto end;
+#endif
+        }
         encerts = sk_X509_new_null();
         if (encerts == NULL)
             goto end;

apps/storeutl.c

@@ -18,11 +18,9 @@
 
 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                    int expected, int criterion, OSSL_STORE_SEARCH *search,
-                   int text, int noout, int recursive, int indent, const char *outfile,
+                   int text, int noout, int recursive, int indent, BIO *out,
                    const char *prog, OSSL_LIB_CTX *libctx);
 
-static BIO *out = NULL;
-
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_ENGINE, OPT_OUT, OPT_PASSIN,
@@ -73,6 +71,7 @@ int storeutl_main(int argc, char *argv[])
 {
     int ret = 1, noout = 0, text = 0, recursive = 0;
     char *outfile = NULL, *passin = NULL, *passinarg = NULL;
+    BIO *out = NULL;
     ENGINE *e = NULL;
     OPTION_CHOICE o;
     char *prog;
@@ -312,9 +311,13 @@ int storeutl_main(int argc, char *argv[])
     pw_cb_data.password = passin;
     pw_cb_data.prompt_info = argv[0];
 
+    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
+    if (out == NULL)
+        goto end;
+
     ret = process(argv[0], get_ui_method(), &pw_cb_data,
                   expected, criterion, search,
-                  text, noout, recursive, 0, outfile, prog, libctx);
+                  text, noout, recursive, 0, out, prog, libctx);
 
  end:
     EVP_MD_free(digest);
@@ -345,7 +348,7 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...)
 
 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                    int expected, int criterion, OSSL_STORE_SEARCH *search,
-                   int text, int noout, int recursive, int indent, const char *outfile,
+                   int text, int noout, int recursive, int indent, BIO *out,
                    const char *prog, OSSL_LIB_CTX *libctx)
 {
     OSSL_STORE_CTX *store_ctx = NULL;
@@ -424,13 +427,6 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
             indent_printf(indent, bio_out, "%d: %s\n", items, infostr);
         }
 
-        if (out == NULL) {
-            if ((out = bio_open_default(outfile, 'w', FORMAT_TEXT)) == NULL) {
-                ret++;
-                goto end2;
-            }
-        }
-
         /*
          * Unfortunately, PEM_X509_INFO_write_bio() is sorely lacking in
          * functionality, so we must figure out how exactly to write things
@@ -442,7 +438,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                 const char *suburi = OSSL_STORE_INFO_get0_NAME(info);
                 ret += process(suburi, uimeth, uidata,
                                expected, criterion, search,
-                               text, noout, recursive, indent + 2, outfile, prog,
+                               text, noout, recursive, indent + 2, out, prog,
                                libctx);
             }
             break;

apps/ts.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -513,7 +513,7 @@ static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
     EVP_MD_CTX *md_ctx = NULL;
 
     md_value_len = EVP_MD_get_size(md);
-    if (md_value_len <= 0)
+    if (md_value_len < 0)
         return 0;
 
     if (input != NULL) {
@@ -920,7 +920,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
             f |= TS_VFY_DATA;
             if ((out = BIO_new_file(data, "rb")) == NULL)
                 goto err;
-            if (!TS_VERIFY_CTX_set0_data(ctx, out)) {
+            if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
                 BIO_free_all(out);
                 goto err;
             }
@@ -928,7 +928,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
             long imprint_len;
             unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
             f |= TS_VFY_IMPRINT;
-            if (!TS_VERIFY_CTX_set0_imprint(ctx, hexstr, imprint_len)) {
+            if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
                 BIO_printf(bio_err, "invalid digest string\n");
                 goto err;
             }
@@ -949,15 +949,16 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
 
     /* Initialising the X509_STORE object. */
-    if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile,
-                                                            CAstore, vpm)))
+    if (TS_VERIFY_CTX_set_store(ctx,
+                                create_cert_store(CApath, CAfile, CAstore, vpm))
+            == NULL)
         goto err;
 
     /* Loading any extra untrusted certificates. */
     if (untrusted != NULL) {
         certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
                                      vpm);
-        if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs))
+        if (certs == NULL || TS_VERIFY_CTX_set_certs(ctx, certs) == NULL)
             goto err;
     }
     ret = 1;

apps/version.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -19,9 +19,6 @@
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_B, OPT_D, OPT_E, OPT_M, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A, OPT_R, OPT_C
-#if defined(_WIN32)
-    ,OPT_W
-#endif
 } OPTION_CHOICE;
 
 const OPTIONS version_options[] = {
@@ -40,9 +37,6 @@ const OPTIONS version_options[] = {
     {"r", OPT_R, '-', "Show random seeding options"},
     {"v", OPT_V, '-', "Show library version"},
     {"c", OPT_C, '-', "Show CPU settings info"},
-#if defined(_WIN32)
-    {"w", OPT_W, '-', "Show Windows install context"},
-#endif
     {NULL}
 };
 
@@ -51,9 +45,6 @@ int version_main(int argc, char **argv)
     int ret = 1, dirty = 0, seed = 0;
     int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
     int engdir = 0, moddir = 0, cpuinfo = 0;
-#if defined(_WIN32)
-    int windows = 0;
-#endif
     char *prog;
     OPTION_CHOICE o;
 
@@ -99,11 +90,6 @@ opthelp:
         case OPT_C:
             dirty = cpuinfo = 1;
             break;
-#if defined(_WIN32)
-        case OPT_W:
-            dirty = windows = 1;
-            break;
-#endif
         case OPT_A:
             seed = options = cflags = version = date = platform
                 = dir = engdir = moddir = cpuinfo
@@ -145,10 +131,6 @@ opthelp:
     }
     if (cpuinfo)
         printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO));
-#if defined(_WIN32)
-    if (windows)
-        printf("%s\n", OpenSSL_version(OPENSSL_WINCTX));
-#endif
     ret = 0;
  end:
     return ret;

apps/x509.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -29,8 +29,8 @@
 
 #undef POSTFIX
 #define POSTFIX ".srl"
-#define DEFAULT_DAYS       30 /* default certificate validity period in days */
-#define UNSET_DAYS         -2 /* -1 may be used for testing expiration checks */
+#define DEFAULT_DAYS    30 /* default cert validity period in days */
+#define UNSET_DAYS      -2 /* -1 is used for testing expiration checks */
 #define EXT_COPY_UNSET     -1
 
 static int callb(int ok, X509_STORE_CTX *ctx);
@@ -54,7 +54,6 @@ typedef enum OPTION_choice {
     OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
     OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, OPT_COPY_EXTENSIONS,
     OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES,
-    OPT_NOT_BEFORE, OPT_NOT_AFTER,
     OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT
 } OPTION_CHOICE;
 
@@ -136,10 +135,6 @@ const OPTIONS x509_options[] = {
      "Serial number to use, overrides -CAserial"},
     {"next_serial", OPT_NEXT_SERIAL, '-',
      "Increment current certificate serial number"},
-    {"not_before", OPT_NOT_BEFORE, 's',
-     "[CC]YYMMDDHHMMSSZ value for notBefore certificate field"},
-    {"not_after", OPT_NOT_AFTER, 's',
-     "[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
     {"days", OPT_DAYS, 'n',
      "Number of days until newly generated certificate expires - default 30"},
     {"preserve_dates", OPT_PRESERVE_DATES, '-',
@@ -284,7 +279,7 @@ int x509_main(int argc, char **argv)
     char *ext_names = NULL;
     char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
     char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL;
-    char *prog, *not_before = NULL, *not_after = NULL;
+    char *prog;
     int days = UNSET_DAYS; /* not explicitly set */
     int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
     int CAformat = FORMAT_UNDEF, CAkeyformat = FORMAT_UNDEF;
@@ -381,15 +376,9 @@ int x509_main(int argc, char **argv)
             if (!vfyopts || !sk_OPENSSL_STRING_push(vfyopts, opt_arg()))
                 goto opthelp;
             break;
-        case OPT_NOT_BEFORE:
-            not_before = opt_arg();
-            break;
-        case OPT_NOT_AFTER:
-            not_after = opt_arg();
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
-            if (days <= UNSET_DAYS) {
+            if (days < -1) {
                 BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",
                            prog);
                 goto err;
@@ -453,8 +442,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
-                goto end;
+            sk_ASN1_OBJECT_push(trust, objtmp);
             trustout = 1;
             break;
         case OPT_ADDREJECT:
@@ -465,8 +453,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
-                goto end;
+            sk_ASN1_OBJECT_push(reject, objtmp);
             trustout = 1;
             break;
         case OPT_SETALIAS:
@@ -623,22 +610,12 @@ int x509_main(int argc, char **argv)
     if (!opt_check_md(digest))
         goto opthelp;
 
-    if (preserve_dates && not_before != NULL) {
-        BIO_printf(bio_err, "Cannot use -preserve_dates with -not_before option\n");
-        goto err;
-    }
-    if (preserve_dates && not_after != NULL) {
-        BIO_printf(bio_err, "Cannot use -preserve_dates with -not_after option\n");
-        goto err;
-    }
     if (preserve_dates && days != UNSET_DAYS) {
         BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");
         goto err;
     }
     if (days == UNSET_DAYS)
         days = DEFAULT_DAYS;
-    else if (not_after != NULL)
-        BIO_printf(bio_err, "Warning: -not_after option overriding -days option\n");
 
     if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");
@@ -860,7 +837,7 @@ int x509_main(int argc, char **argv)
         goto end;
 
     if (reqfile || newcert || privkey != NULL || CAfile != NULL) {
-        if (!preserve_dates && !set_cert_times(x, not_before, not_after, days, 1))
+        if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
             goto end;
         if (fissu != NULL) {
             if (!X509_set_issuer_name(x, fissu))

build.info

@@ -5,9 +5,6 @@ SUBDIRS=crypto ssl apps util tools fuzz providers doc
 IF[{- !$disabled{tests} -}]
   SUBDIRS=test
 ENDIF
-IF[{- !$disabled{demos} -}]
-  SUBDIRS=demos
-ENDIF
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SUBDIRS=engines
 ENDIF
@@ -26,7 +23,6 @@ DEPEND[]=include/openssl/asn1.h \
          include/openssl/cmp.h \
          include/openssl/cms.h \
          include/openssl/conf.h \
-         include/openssl/comp.h \
          include/openssl/core_names.h \
          include/openssl/crmf.h \
          include/openssl/crypto.h \
@@ -45,7 +41,6 @@ DEPEND[]=include/openssl/asn1.h \
          include/openssl/ui.h \
          include/openssl/x509.h \
          include/openssl/x509v3.h \
-         include/openssl/x509_acert.h \
          include/openssl/x509_vfy.h \
          include/crypto/bn_conf.h include/crypto/dso_conf.h \
          include/internal/param_names.h crypto/params_idx.c
@@ -56,7 +51,6 @@ GENERATE[include/openssl/bio.h]=include/openssl/bio.h.in
 GENERATE[include/openssl/cmp.h]=include/openssl/cmp.h.in
 GENERATE[include/openssl/cms.h]=include/openssl/cms.h.in
 GENERATE[include/openssl/conf.h]=include/openssl/conf.h.in
-GENERATE[include/openssl/comp.h]=include/openssl/comp.h.in
 # include/openssl/configuration.h is generated by configdata.pm
 # We still need this information for the FIPS module checksum, but the attribute
 # 'skip' ensures that nothing is actually done with it.
@@ -78,7 +72,6 @@ GENERATE[include/openssl/ssl.h]=include/openssl/ssl.h.in
 GENERATE[include/openssl/ui.h]=include/openssl/ui.h.in
 GENERATE[include/openssl/x509.h]=include/openssl/x509.h.in
 GENERATE[include/openssl/x509v3.h]=include/openssl/x509v3.h.in
-GENERATE[include/openssl/x509_acert.h]=include/openssl/x509_acert.h.in
 GENERATE[include/openssl/x509_vfy.h]=include/openssl/x509_vfy.h.in
 GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
 GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in

crypto/aes/asm/aes-x86_64.pl

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2221,7 +2221,6 @@ ___
 }
 
 $code.=<<___;
-.section .rodata align=64
 .align	64
 .LAES_Te:
 ___
@@ -2644,7 +2643,6 @@ $code.=<<___;
 	.long	0x1b1b1b1b, 0x1b1b1b1b, 0, 0
 .asciz  "AES for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
 .align	64
-.previous
 ___
 
 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,

crypto/aes/asm/aesni-sha1-x86_64.pl

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2011-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -1738,7 +1738,6 @@ ___
 						}}}
 }
 $code.=<<___;
-.section .rodata align=64
 .align	64
 K_XX_XX:
 .long	0x5a827999,0x5a827999,0x5a827999,0x5a827999	# K_00_19
@@ -1750,7 +1749,6 @@ K_XX_XX:
 
 .asciz	"AESNI-CBC+SHA1 stitch for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
 .align	64
-.previous
 ___
 						if ($shaext) {{{
 ($in0,$out,$len,$key,$ivp,$ctx,$inp)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9","%r10");

crypto/aes/asm/aesni-sha256-x86_64.pl

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2013-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -168,7 +168,6 @@ $code.=<<___;
 .cfi_endproc
 .size	$func,.-$func
 
-.section .rodata align=64
 .align	64
 .type	$TABLE,\@object
 $TABLE:
@@ -211,7 +210,6 @@ $TABLE:
 	.long	0,0,0,0,   0,0,0,0
 	.asciz	"AESNI-CBC+SHA256 stitch for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
 .align	64
-.previous
 ___
 
 ######################################################################

crypto/aes/asm/aesni-x86_64.pl

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2009-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -4743,7 +4743,6 @@ ___
 }
 
 $code.=<<___;
-.section .rodata align=64
 .align	64
 .Lbswap_mask:
 	.byte	15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
@@ -4766,7 +4765,6 @@ $code.=<<___;
 
 .asciz  "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
 .align	64
-.previous
 ___
 
 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,