Move the Handshake read secret change earlier in the process for QUIC 0-RTT

On the server side we were changing the handshake rx secret a little late. This meant the application was forced to call SSL_do_handshake() again even if there was nothing to read in order to get the secret. We move it a little earlier int the process to avoid this. Fixes the issue described in: https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27101)
Fix use of SHAKE as a digest in CMS
2025-03-20 20:22:39 +01:00 · 2025-03-20 12:20:37 +01:00 · 2025-03-20 11:33:23 +01:00 · 2025-03-20 11:30:57 +01:00 · 2025-03-20 11:24:26 +01:00 · 2025-03-20 11:24:26 +01:00
1303 changed files with 131943 additions and 11038 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -2,6 +2,8 @@
 *.der binary
 /fuzz/corpora/** binary
 *.pfx binary
+test/recipes/15-test_ml_dsa_codecs_data/*.dat   binary
+test/recipes/15-test_ml_kem_codecs_data/*.dat binary

 # For git archive
 fuzz/corpora/**                         export-ignore
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -11,6 +11,5 @@ updates:
      - "dependencies"
      - "cla: trivial"
      - "approval: review pending"
-      - "approval: otc review pending"
    reviewers:
      - "openssl/committers"
--- a/.github/workflows/build_quic_interop_container.yml
+++ b/.github/workflows/build_quic_interop_container.yml
@ -2,7 +2,7 @@ name: "Build openssl interop container from master"

 on:
  schedule:
-    - cron:  '20 0 * * *'
+    - cron:  '40 02 * * *'
  workflow_dispatch:

 jobs:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -26,7 +26,7 @@ env:

 jobs:
  check_update:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - name: install unifdef
      run: |
@ -45,7 +45,7 @@ jobs:
      run: git diff --exit-code

  check_docs:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: config
@ -65,16 +65,16 @@ jobs:
  # We are not as strict with libraries, but rather adapt to what's
  # expected to be available in a certain version of each platform.
  check-ansi:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: config
-      run: CPPFLAGS='-ansi -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --banner=Configured no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips --strict-warnings && perl configdata.pm --dump
+      run: CPPFLAGS='-ansi -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips --strict-warnings && perl configdata.pm --dump
    - name: make
      run: make -s -j4

  basic_gcc:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -86,7 +86,7 @@ jobs:
      run: echo "FIPS_VENDOR=CI" >> VERSION.dat
    - name: config
      # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
-      run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
+      run: CC=gcc ./config --banner=Configured enable-demos enable-h3demo enable-sslkeylog enable-fips enable-quic --strict-warnings && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
@ -99,13 +99,13 @@ jobs:
      run: |
        util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$'
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@basic-gcc"
        path: artifacts.tar.gz

  basic_clang:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -121,18 +121,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@basic-clang"
        path: artifacts.tar.gz

-  self-hosted:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      matrix:
-        os: [freebsd-13.2, ubuntu-arm64-22.04]
-    runs-on: ${{ matrix.os }}-self-hosted
-    continue-on-error: true
+  linux-arm64:
+    runs-on: ${{ github.repository == 'openssl/openssl' && 'linux-arm64' || 'ubuntu-24.04-arm' }}
    steps:
    - uses: actions/checkout@v4
    - name: config
@ -142,17 +137,60 @@ jobs:
    - name: make
      run: make -j4
    - name: get cpu info
-      run: ./util/opensslwrap.sh version -c
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
-        name: "ci@self-hosted-${{ matrix.os }}"
+        name: "ci@linux-arm64"
+        path: artifacts.tar.gz
+
+  freebsd-x86_64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: config
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: |
+          sudo pkg install -y gcc perl5
+          ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+    - name: config dump
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: ./configdata.pm --dump
+    - name: make
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: make -j4
+    - name: make test
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        run: |
+          ./util/opensslwrap.sh version -c
+          .github/workflows/make-test
+    - name: save artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: "ci@BSD-x86_64"
        path: artifacts.tar.gz

  minimal:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -168,13 +206,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@minimal"
        path: artifacts.tar.gz

  no-deprecated:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -190,13 +228,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@no-deprecated"
        path: artifacts.tar.gz

  no-shared-ubuntu:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -212,7 +250,7 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@no-shared-ubuntu"
        path: artifacts.tar.gz
@ -222,7 +260,6 @@ jobs:
      fail-fast: false
      matrix:
        os: [macos-13, macos-14]
-    if: github.server_url == 'https://github.com'
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
@ -239,13 +276,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@no-shared-${{ matrix.os }}"
        path: artifacts.tar.gz

  non-caching:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -265,13 +302,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]"
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@non-caching"
        path: artifacts.tar.gz

  address_ub_sanitizer:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -291,13 +328,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@address_ub_sanitizer"
        path: artifacts.tar.gz

  fuzz_tests:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -317,14 +354,14 @@ jobs:
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*"
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@fuzz_tests"
        path: artifacts.tar.gz
        if-no-files-found: ignore

  memory_sanitizer:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -335,7 +372,7 @@ jobs:
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
-      run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
+      run: CC=clang ./config --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips no-slh-dsa && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
@ -345,13 +382,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@memory_sanitizer"
        path: artifacts.tar.gz

  threads_sanitizer:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -361,7 +398,7 @@ jobs:
        sudo cat /proc/sys/vm/mmap_rnd_bits
        sudo sysctl -w vm.mmap_rnd_bits=28
    - name: config
-      run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump
+      run: CC=clang ./config --banner=Configured no-shared no-fips --strict-warnings -g -fsanitize=thread && perl configdata.pm --dump
    - name: make
      run: make -s -j4
    - name: get cpu info
@ -369,15 +406,15 @@ jobs:
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
-      run: .github/workflows/make-test V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"
+      run: .github/workflows/make-test V=1 TESTS="test_lhash test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@threads_sanitizer"
        path: artifacts.tar.gz

  enable_non-default_options:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -395,13 +432,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@enable_non-default_options"
        path: artifacts.tar.gz

  full_featured:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -411,7 +448,7 @@ jobs:
    - name: Enable sctp
      run: sudo modprobe sctp
    - name: Enable auth in sctp
-      run: sudo sysctl -w net.sctp.auth_enable=1 
+      run: sudo sysctl -w net.sctp.auth_enable=1
    - name: install extra config support
      run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
    - name: config
@ -425,13 +462,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@full_featured"
        path: artifacts.tar.gz

  no-legacy:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -447,13 +484,13 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@no-legacy"
        path: artifacts.tar.gz

  legacy:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -469,7 +506,7 @@ jobs:
    - name: make test
      run: .github/workflows/make-test
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@legacy"
        path: artifacts.tar.gz
@ -480,7 +517,7 @@ jobs:
  # - That building, testing and installing works with a read-only source
  #   tree
  out-of-readonly-source-and-install-ubuntu:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
@ -511,7 +548,7 @@ jobs:
      run: ../source/.github/workflows/make-test
      working-directory: ./build
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@out-of-readonly-source-and-install-ubuntu"
        path: build/artifacts.tar.gz
@ -525,7 +562,6 @@ jobs:
      matrix:
        os: [macos-13, macos-14]
    runs-on: ${{ matrix.os }}
-    if: github.server_url == 'https://github.com'
    steps:
    - uses: actions/checkout@v4
      with:
@ -556,7 +592,7 @@ jobs:
      run: ../source/.github/workflows/make-test
      working-directory: ./build
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "ci@out-of-readonly-source-and-install-${{ matrix.os }}"
        path: build/artifacts.tar.gz
@ -564,8 +600,8 @@ jobs:
      run: make install
      working-directory: ./build

-  external-tests:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+  external-tests-misc:
+    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
@ -584,6 +620,7 @@ jobs:
      run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
    - name: make
      run: make -s -j4
+    - uses: dtolnay/rust-toolchain@stable
    - name: get cpu info
      run: |
        cat /proc/cpuinfo
@ -592,18 +629,42 @@ jobs:
      run: make test TESTS="test_external_gost_engine"
    - name: test external krb5
      run: make test TESTS="test_external_krb5"
-    - name: test external_tlsfuzzer
+    - name: test external tlsfuzzer
      run: make test TESTS="test_external_tlsfuzzer"
-    - name: test external oqs-provider
-      run: make test TESTS="test_external_oqsprovider"
+    - name: test external Cloudflare quiche
+      run: make test TESTS="test_external_cf_quiche" VERBOSE=1
    - name: test ability to produce debuginfo files
      run: |
        make debuginfo
        gdb < <(echo -e "file ./libcrypto.so.3\nquit") > ./results
        grep -q "Reading symbols from.*libcrypto\.so\.3\.debug" results

-  external-test-pyca:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+  external-tests-providers:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: recursive
+    - name: package installs
+      run: |
+        sudo apt-get update
+        sudo apt-get -yq install meson pkg-config gnutls-bin libnss3-tools libnss3-dev libsofthsm2 opensc expect
+    - name: config
+      run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: test external oqs-provider
+      run: make test TESTS="test_external_oqsprovider"
+    # Disabled temporarily: https://github.com/latchset/pkcs11-provider/pull/525#discussion_r1982805969
+    # - name: test external pkcs11-provider
+    #   run: make test TESTS="test_external_pkcs11_provider" VERBOSE=1
+
+  external-tests-pyca:
+    runs-on: ubuntu-latest
    strategy:
      matrix:
        RUST:
@ -619,7 +680,7 @@ jobs:
    - name: make
      run: make -s -j4
    - name: Setup Python
-      uses: actions/setup-python@v5.1.1
+      uses: actions/setup-python@v5.3.0
      with:
        python-version: ${{ matrix.PYTHON }}
    - uses: dtolnay/rust-toolchain@master
@ -631,21 +692,3 @@ jobs:
        ./util/opensslwrap.sh version -c
    - name: test external pyca
      run: make test TESTS="test_external_pyca" VERBOSE=1
-
-  external-test-cf-quiche:
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - name: Configure OpenSSL
-      run: ./config --banner=Configured --strict-warnings enable-external-tests && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - uses: dtolnay/rust-toolchain@stable
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: test external Cloudflare quiche
-      run: make test TESTS="test_external_cf_quiche" VERBOSE=1
--- a/.github/workflows/compiler-zoo.yml
+++ b/.github/workflows/compiler-zoo.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -19,17 +19,11 @@ jobs:
      matrix:
        zoo: [
          {
-            cc: gcc-7,
-            distro: ubuntu-20.04
-          }, {
-            cc: gcc-8,
-            distro: ubuntu-20.04
-          }, {
            cc: gcc-9,
-            distro: ubuntu-20.04
+            distro: ubuntu-22.04
          }, {
            cc: gcc-10,
-            distro: ubuntu-20.04
+            distro: ubuntu-22.04
          }, {
            cc: gcc-11,
            distro: ubuntu-22.04
@ -40,27 +34,12 @@ jobs:
            cc: gcc-13,
            distro: ubuntu-22.04,
            gcc-ppa-name: ubuntu-toolchain-r/test
-          }, {
-            cc: clang-6.0,
-            distro: ubuntu-20.04
-          }, {
-            cc: clang-7,
-            distro: ubuntu-20.04
-          }, {
-            cc: clang-8,
-            distro: ubuntu-20.04
-          }, {
-            cc: clang-9,
-            distro: ubuntu-20.04
-          }, {
-            cc: clang-10,
-            distro: ubuntu-20.04
          }, {
            cc: clang-11,
-            distro: ubuntu-20.04
+            distro: ubuntu-22.04
          }, {
            cc: clang-12,
-            distro: ubuntu-20.04
+            distro: ubuntu-22.04
          }, {
            cc: clang-13,
            distro: ubuntu-22.04
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -7,40 +7,74 @@

 name: Coverage

-# Run once a day
 on:
  schedule:
-    - cron:  '49 0 * * *'
+    - cron: '15 02 * * *'
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: Branch to measure coverage
+        required: true
+        default: master
+      extra_config:
+        description: Extra options for configuration script
+        default: ""

 permissions:
  contents: read

 jobs:
+  define-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      branches: ${{ steps.branches.outputs.branches }}
+    steps:
+      - name: Define branches
+        id: branches
+        run: |
+          if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
+          MATRIX=$(cat << EOF
+          [{
+            "branch": "${{ github.event.inputs.branch }}",
+            "extra_config": "${{ github.event.inputs.extra_config }}"
+          }]
+          EOF
+          )
+          else
+          MATRIX=$(cat << EOF
+          [{
+              "branch": "openssl-3.4",
+              "extra_config": "no-afalgeng enable-fips enable-tfo"
+            }, {
+              "branch": "openssl-3.3",
+              "extra_config": "no-afalgeng enable-fips enable-tfo"
+            }, {
+              "branch": "openssl-3.2",
+              "extra_config": "no-afalgeng enable-fips enable-tfo"
+            }, {
+              "branch": "openssl-3.1",
+              "extra_config": "no-afalgeng enable-fips"
+            }, {
+              "branch": "openssl-3.0",
+              "extra_config": "no-afalgeng enable-fips"
+            }, {
+              "branch": "master",
+              "extra_config": "no-afalgeng enable-fips enable-tfo"
+          }]
+          EOF
+          )
+          fi
+          echo "branches<<EOF"$'\n'"$MATRIX"$'\n'EOF >> "$GITHUB_OUTPUT"
+
  coverage:
+    needs: define-matrix
    permissions:
      checks: write     # for coverallsapp/github-action to create new checks
      contents: read    # for actions/checkout to fetch code
    strategy:
      fail-fast: false
      matrix:
-        branches: [
-          {
-            branch: openssl-3.3,
-            extra_config: no-afalgeng enable-fips enable-tfo
-          }, {
-            branch: openssl-3.2,
-            extra_config: no-afalgeng enable-fips enable-tfo
-          }, {
-            branch: openssl-3.1,
-            extra_config: no-afalgeng enable-fips
-          }, {
-            branch: openssl-3.0,
-            extra_config: no-afalgeng enable-fips
-          }, {
-            branch: master,
-            extra_config: no-afalgeng enable-fips enable-tfo
-          }
-        ]
+        branches: ${{ fromJSON(needs.define-matrix.outputs.branches) }}
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
@ -72,17 +106,16 @@ jobs:
        cat /proc/cpuinfo
        ./util/opensslwrap.sh version -c
    - name: make test
-      run: make test TESTS='-test_external_krb5'
+      run: make test TESTS='-test_external_krb5' EVP_TEST_EXTENDED=1
    - name: generate coverage info
      run: lcov -d . -c
             --exclude "${PWD}/test/*"
-             --exclude "${PWD}/test/helpers/*"
-             --exclude "${PWD}/test/testutil/*"
             --exclude "${PWD}/fuzz/*"
             --exclude "/usr/include/*"
+             --ignore-errors mismatch
              -o ./lcov.info
    - name: Coveralls upload
-      uses: coverallsapp/github-action@v2.3.0
+      uses: coverallsapp/github-action@v2.3.2
      with:
        github-token: ${{ secrets.github_token }}
        git-branch: ${{ matrix.branches.branch }}
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -50,20 +50,24 @@ jobs:
          }, {
            arch: aarch64-linux-gnu,
            libs: libc6-dev-arm64-cross,
-            target: linux-aarch64
+            target: linux-aarch64,
+            fips: no
          }, {
            arch: alpha-linux-gnu,
            libs: libc6.1-dev-alpha-cross,
-            target: linux-alpha-gcc
+            target: linux-alpha-gcc,
+            fips: no
          }, {
            arch: arm-linux-gnueabi,
            libs: libc6-dev-armel-cross,
            target: linux-armv4,
+            fips: no,
            tests: -test_includes -test_store -test_x509_store
          }, {
            arch: arm-linux-gnueabihf,
            libs: libc6-dev-armhf-cross,
            target: linux-armv4,
+            fips: no,
            tests: -test_includes -test_store -test_x509_store
          }, {
            # gcc hppa seems to have some potential compiler issues
@ -94,26 +98,28 @@ jobs:
            arch: mipsel-linux-gnu,
            libs: libc6-dev-mipsel-cross,
            target: linux-mips32,
+            fips: no,
            tests: -test_includes -test_store -test_x509_store
          }, {
            arch: powerpc64le-linux-gnu,
            libs: libc6-dev-ppc64el-cross,
-            # The default compiler for this platform on Ubuntu 20.04 seems
-            # buggy and causes test failures. Dropping the optimisation level
-            # resolves it.
-            target: -O2 linux-ppc64le
+            target: linux-ppc64le,
+            fips: no
          }, {
            arch: riscv64-linux-gnu,
            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64
+            target: linux64-riscv64,
+            fips: no
          }, {
            arch: s390x-linux-gnu,
            libs: libc6-dev-s390x-cross,
-            target: linux64-s390x -Wno-stringop-overflow
+            target: linux64-s390x -Wno-stringop-overflow,
+            fips: no
          }, {
            arch: sh4-linux-gnu,
            libs: libc6-dev-sh4-cross,
            target: no-async linux-latomic,
+            fips: no,
            tests: -test_includes -test_store -test_x509_store
          },

@ -150,7 +156,7 @@ jobs:
            tests: none
          }
        ]
-    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    runs-on: ubuntu-latest
    steps:
    - name: install package repository
      if: matrix.platform.ppa != ''
@ -219,7 +225,7 @@ jobs:
                  TESTS="test_evp*" \
                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
    - name: save artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: "cross-compiles@${{ matrix.platform.arch }}"
        path: artifacts.tar.gz
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@ -69,7 +69,7 @@ jobs:
      - name: save PR number
        run: echo ${{ github.event.number }} > ./artifact/pr_num
      - name: save artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: fips_checksum
          path: artifact/
@ -113,7 +113,7 @@ jobs:
      - name: save PR number
        run: echo ${{ github.event.number }} > ./artifact/pr_num
      - name: save artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: abidiff
          path: artifact/
--- a/.github/workflows/fips-label.yml
+++ b/.github/workflows/fips-label.yml
@ -80,6 +80,7 @@ jobs:
              }
            }
      - name: 'Cleanup artifact'
+        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        run: rm artifact.zip pr_num

      - name: 'Download abidiff artifact'
@ -133,7 +134,7 @@ jobs:
                    issue_number: pr_num,
                    owner: context.repo.owner,
                    repo: context.repo.repo,
-                    name: 'severity: fips change'
+                    name: 'severity: ABI change'
                  });
                }
              }
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -21,28 +21,28 @@ jobs:
          {
            name: AFL,
            config: enable-fuzz-afl no-module,
-            install: afl++-clang,
+            install: afl++,
            cc: afl-clang-fast
          }, {
            name: libFuzzer,
-            config: enable-fuzz-libfuzzer enable-asan enable-ubsan,
-            libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/12/include/fuzzer,
-            install: libfuzzer-12-dev,
-            cc: clang-12,
-            linker: clang++-12,
+            config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fno-sanitize=function,
+            libs: --with-fuzzer-lib=/usr/lib/llvm-18/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/18/include/fuzzer,
+            install: libfuzzer-18-dev,
+            cc: clang-18,
+            linker: clang++-18,
            tests: -test_memleak
          }, {
            name: libFuzzer+,
-            config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION,
-            libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/12/include/fuzzer,
+            config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fno-sanitize=function -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION,
+            libs: --with-fuzzer-lib=/usr/lib/llvm-18/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/18/include/fuzzer,
            extra: enable-fips enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg,
-            install: libfuzzer-12-dev,
-            cc: clang-12,
-            linker: clang++-12,
+            install: libfuzzer-18-dev,
+            cc: clang-18,
+            linker: clang++-18,
            tests: -test_memleak
          }
        ]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
    - name: install packages
      run: |
--- a/.github/workflows/interop-tests.yml
+++ b/.github/workflows/interop-tests.yml
@ -6,12 +6,14 @@
 name: Interoperability tests with GnuTLS and NSS
 on:
  schedule:
-    - cron: '0 6 * * *'
+    - cron: '55 02 * * *'
+  workflow_dispatch:
+
 jobs:
  test:
    runs-on: ubuntu-22.04
    container:
-      image: docker.io/fedora:39
+      image: docker.io/fedora:40
      options: --sysctl net.ipv6.conf.lo.disable_ipv6=0
    timeout-minutes: 90
    strategy:
@ -48,6 +50,6 @@ jobs:
      - name: Run interop tests
        run: |
          cd interop
-          tmt run -av plans -n interop tests -f "tag: interop-openssl & tag: interop-$COMPONENT" provision -h local execute -h tmt --interactive
+          tmt run -av plans -n interop tests -f "tag: interop-openssl & tag: interop-$COMPONENT" provision -h local --feeling-safe execute -h tmt --interactive
          openssl version
          echo "Finished - important to prevent unwanted output truncating"
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -26,7 +26,7 @@ jobs:
        fuzz-seconds: 600
        dry-run: false
    - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: failure()
      with:
        name: artifacts
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@ -0,0 +1,42 @@
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+name: "Make release"
+
+on:
+  push:
+    tags:
+      - "openssl-*"
+
+jobs:
+  release:
+    runs-on: "releaser"
+    steps:
+    - name: "Checkout"
+      uses: "actions/checkout@v4"
+      with:
+        fetch-depth: 1
+        ref: ${{ github.ref_name }}
+        github-server-url: "https://github.openssl.org/"
+        repository: "openssl/openssl"
+        token: ${{ secrets.GHE_TOKEN }}
+        path: ${{ github.ref_name }}
+    - name: "Prepare assets"
+      run: |
+        cd ${{ github.ref_name }}
+        ./util/mktar.sh
+        mkdir assets && mv ${{ github.ref_name }}.tar.gz assets/ && cd assets
+        openssl sha1 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha1
+        openssl sha256 -r ${{ github.ref_name }}.tar.gz > ${{ github.ref_name }}.tar.gz.sha256
+        gpg -u ${{ vars.signing_key_uid }} -o ${{ github.ref_name }}.tar.gz.asc -sba ${{ github.ref_name }}.tar.gz
+    - name: "Create release"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+      run: |
+        VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-)
+        PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "")
+        gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/*
--- a/.github/workflows/make-test
+++ b/.github/workflows/make-test
@ -38,6 +38,6 @@ echo "Test suite exited with $RESULT, artifacts path is $OSSL_CI_ARTIFACTS_PATH"
 echo "::endgroup::"

 echo "Archive artifacts"
-tar -czvf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH
+tar -czf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH

 exit $RESULT
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -9,7 +9,8 @@ name: OS Zoo CI

 on:
  schedule:
-    - cron: '0 5 * * *'
+    - cron: '50 02 * * *'
+  workflow_dispatch:

 permissions:
  contents: read
@ -21,20 +22,20 @@ jobs:
      matrix:
        tag: [edge, latest]
        cc: [gcc, clang]
-        branch: [openssl-3.0, openssl-3.1, master]
    runs-on: ubuntu-latest
    container:
      image: docker.io/library/alpine:${{ matrix.tag }}
    env:
-      # https://www.openwall.com/lists/musl/2022/02/16/14
-      EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || '' }}
+      # See https://www.openwall.com/lists/musl/2022/02/16/14
+      # for the reason why -Wno-sign-compare is needed with clang
+      # -Wno-stringop-overflow is needed to silence a bogus
+      # warning on new fortify-headers with gcc
+      EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || matrix.tag == 'edge' && '-Wno-stringop-overflow' || '' }}
      CC: ${{ matrix.cc }}
    steps:
    - name: install packages
      run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }}
    - uses: actions/checkout@v4
-      with:
-        ref: ${{ matrix.branch }}
    - name: config
      run: |
        ./config --banner=Configured no-shared -Wall -Werror enable-fips --strict-warnings \
@ -54,7 +55,6 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branch: [openssl-3.0, openssl-3.1, master]
        zoo:
          - image: docker.io/library/debian:10
            install: apt-get update && apt-get install -y gcc make perl
@ -83,8 +83,6 @@ jobs:
    container: ${{ matrix.zoo.image }}
    steps:
    - uses: actions/checkout@v4
-      with:
-        ref: ${{ matrix.branch }}
    - name: install packages
      run: ${{ matrix.zoo.install }}
    - name: config
@ -104,13 +102,10 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branch: [openssl-3.0, openssl-3.1, master]
-        os: [macos-12, macos-13, macos-14]
+        os: [macos-13, macos-14, macos-15]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
-      with:
-        ref: ${{ matrix.branch }}
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - name: config
@ -130,13 +125,10 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branch: [openssl-3.0, openssl-3.1, master]
        os: [windows-2019, windows-2022]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
-      with:
-        ref: ${{ matrix.branch }}
    - name: checkout fuzz/corpora submodule
      run: git submodule update --init --depth 1 fuzz/corpora
    - uses: ilammy/msvc-dev-cmd@v1
@ -167,12 +159,8 @@ jobs:
      working-directory: _build
      run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4

-  self-hosted:
-    strategy:
-      matrix:
-        os: [freebsd-13.2, ubuntu-arm64-22.04]
-    runs-on: ${{ matrix.os }}-self-hosted
-    continue-on-error: true
+  linux-arm64:
+    runs-on: linux-arm64
    steps:
    - uses: actions/checkout@v4
    - name: config
@ -185,3 +173,73 @@ jobs:
      run: ./util/opensslwrap.sh version -c
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  linux-ppc64le:
+    runs-on: linux-ppc64le
+    steps:
+    - uses: actions/checkout@v4
+    - name: config
+      run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+    - name: config dump
+      run: ./configdata.pm --dump
+    - name: make
+      run: make -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: make test
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  linux-s390x:
+    runs-on: linux-s390x
+    steps:
+    - uses: actions/checkout@v4
+    - name: config
+      run: ./config enable-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+    - name: config dump
+      run: ./configdata.pm --dump
+    - name: make
+      run: make -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: make test
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  freebsd-x86_64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: config
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: |
+          sudo pkg install -y gcc perl5
+          ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
+    - name: config dump
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: ./configdata.pm --dump
+    - name: make
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        shutdown_vm: false
+        run: make -j4
+    - name: make test
+      uses: cross-platform-actions/action@v0.26.0
+      with:
+        operating_system: freebsd
+        version: "13.4"
+        run: |
+          ./util/opensslwrap.sh version -c
+          .github/workflows/make-test
--- a/.github/workflows/prov-compat-label.yml
+++ b/.github/workflows/prov-compat-label.yml
@ -125,6 +125,10 @@ jobs:
            name: openssl-3.3,
            dir: branch-3.3,
            tgz: branch-3.3.tar.gz,
+          }, {
+            name: openssl-3.4,
+            dir: branch-3.4,
+            tgz: branch-3.4.tar.gz,
          }, {
            name: master,
            dir: branch-master,
@ -193,12 +197,14 @@ jobs:
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
-        tree_a: [ branch-3.3, branch-3.2, branch-3.1, branch-3.0,
+        tree_a: [ branch-3.4, branch-3.3, branch-3.2, branch-3.1, branch-3.0,
                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
        tree_b: [ PR ]
        include:
          - tree_a: PR
            tree_b: branch-master
+          - tree_a: PR
+            tree_b: branch-3.4
          - tree_a: PR
            tree_b: branch-3.3
          - tree_a: PR
@ -218,7 +224,7 @@ jobs:
          fi
        continue-on-error: true

-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
@ -226,7 +232,7 @@ jobs:
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
--- a/.github/workflows/provider-compatibility.yml
+++ b/.github/workflows/provider-compatibility.yml
@ -10,12 +10,15 @@

 name: Provider compatibility across versions

-# NOTE: if this is being run on pull_request, it will **not** use the pull
-#       request's branch.  It is hardcoded to use the master branch.
-#
-on: #[pull_request]
+# Please note there is no point in running this job on PR as the tests
+# will always run against the tips of the branches in the main repository
+# and not the branch from the PR.
+# Use the `extended tests` label to run provider compatibility checks
+# on PRs.
+on:
  schedule:
-    - cron: '0 15 * * *'
+    - cron: '10 02 * * *'
+  workflow_dispatch:

 permissions:
  contents: read
@ -124,6 +127,10 @@ jobs:
            name: openssl-3.3,
            dir: branch-3.3,
            tgz: branch-3.3.tar.gz,
+          }, {
+            name: openssl-3.4,
+            dir: branch-3.4,
+            tgz: branch-3.4.tar.gz,
          }, {
            name: master,
            dir: branch-master,
@ -195,10 +202,11 @@ jobs:
        # Note that releases are not used as a test environment for
        # later providers.  Problems in these situations ought to be
        # caught by cross branch testing before the release.
-        tree_a: [ branch-master, branch-3.3, branch-3.2, branch-3.1, branch-3.0,
+        tree_a: [ branch-master, branch-3.4, branch-3.3,
+                  branch-3.2, branch-3.1, branch-3.0,
                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
-        tree_b: [ branch-master, branch-3.3, branch-3.2, branch-3.1,
-                  branch-3.0  ]
+        tree_b: [ branch-master, branch-3.4, branch-3.3,
+                  branch-3.2, branch-3.1, branch-3.0  ]
    steps:
      - name: early exit checks
        id: early_exit
@ -210,7 +218,7 @@ jobs:
          fi
        continue-on-error: true

-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_a }}.tar.gz
@ -218,7 +226,7 @@ jobs:
        if: steps.early_exit.outcome == 'success'
        run: tar xzf "${{ matrix.tree_a }}.tar.gz"

-      - uses: actions/download-artifact@v4.1.7
+      - uses: actions/download-artifact@v4.1.8
        if: steps.early_exit.outcome == 'success'
        with:
          name: ${{ matrix.tree_b }}.tar.gz
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -27,10 +27,12 @@ jobs:
          no-dtls,
          no-ec,
          no-ecx,
+          no-ml-dsa,
+          no-ml-kem,
          no-http,
          no-legacy,
          no-sock,
-          enable-ssl-trace,
+          no-ssl-trace,
          no-stdio,
          no-threads,
          no-thread-pool,
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -10,7 +10,9 @@ name: Run-checker daily

 on:
  schedule:
-    - cron: '0 6 * * *'
+    - cron: '30 02 * * *'
+  workflow_dispatch:
+
 permissions:
  contents: read

@ -43,12 +45,12 @@ jobs:
          no-cmac,
          no-comp,
          enable-crypto-mdebug,
-          no-crypto-mdebug,
          enable-crypto-mdebug-backtrace,
-          no-crypto-mdebug-backtrace,
+          no-ct,
+          enable-demos,
          no-deprecated,
          no-des,
-          no-devcryptoeng,
+#          enable-devcryptoeng,  # Cannot work on Linux
          no-docs,
          no-dsa,
          no-dtls1,
@ -58,25 +60,24 @@ jobs:
          no-ecdh,
          no-ecdsa,
          enable-ec_nistp_64_gcc_128,
-          no-ec_nistp_64_gcc_128,
          enable-egd,
-          no-egd,
          no-engine,
-          no-external-tests,
+#          enable-external-tests,  # Requires extra setup
          enable-fips,
          enable-fips enable-acvp-tests,
          enable-fips no-tls1_3,
-          no-fuzz-afl,
-          no-fuzz-libfuzzer,
+          enable-fips no-des no-dsa no-ec2m,
+#          enable-fuzz-afl,        # Requires extra setup
+#          enable-fuzz-libfuzzer,  # Requires extra setup
          no-gost,
+          enable-h3demo,
          enable-heartbeats,
-          no-heartbeats,
+          enable-hqinterop,
          no-hw,
          no-hw-padlock,
          no-idea,
          no-makedepend,
          enable-md2,
-          no-md2,
          no-md4,
          no-mdc2,
          no-msan,
@ -89,9 +90,7 @@ jobs:
          no-posix-io,
          no-psk,
          no-rc2,
-          no-rc4,
          enable-rc5,
-          no-rc5,
          no-rdrand,
          no-rfc3779,
          no-ripemd,
@ -109,9 +108,9 @@ jobs:
          no-sock,
          no-sse2,
          no-ssl,
-          no-ssl3,
-          no-ssl3-method,
-          no-ssl-trace,
+          enable-ssl3,
+          enable-ssl3-method,
+          enable-sslkeylog,
          no-static-engine no-shared,
          no-tests,
          enable-tfo,
@ -120,19 +119,19 @@ jobs:
          no-tls1_1-method,
          no-tls1_2-method,
          no-tls1-method,
-          no-trace,
+          enable-trace,
          no-ubsan,
          no-ui-console,
-          no-unit-test,
          enable-unit-test,
          no-uplink,
          no-weak-ssl-ciphers,
          no-whirlpool,
-          no-zlib,
          enable-zlib-dynamic,
-          no-zlib-dynamic,
+          -DOPENSSL_PEDANTIC_ZEROIZATION,
+          -DOPENSSL_PEDANTIC_ZEROIZATION enable-fips,
          -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING,
-          -DSSL3_ALIGN_PAYLOAD=4
+          -DSSL3_ALIGN_PAYLOAD=4,
+          -DOPENSSL_TLS_SECURITY_LEVEL=0
        ]
    runs-on: ubuntu-latest
    steps:
@ -191,32 +190,6 @@ jobs:
      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

-  jitter:
-    runs-on: ubuntu-latest
-    steps:
-    - name: checkout openssl
-      uses: actions/checkout@v4
-    - name: checkout jitter
-      uses: actions/checkout@v4
-      with:
-        repository: smuellerDD/jitterentropy-library
-        ref: v3.5.0
-        path: jitter
-    - name: build jitter
-      run: make -C jitter/
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --with-rand-seed=none enable-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC=JITTER && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
  enable_brotli_dynamic:
    runs-on: ubuntu-latest
    steps:
@ -370,3 +343,25 @@ jobs:
        ./util/opensslwrap.sh version -c
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  memory_sanitizer_slh_dsa:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: checkout fuzz/corpora submodule
+      run: git submodule update --init --depth 1 fuzz/corpora
+    - name: Adjust ASLR for sanitizer
+      run: |
+        sudo cat /proc/sys/vm/mmap_rnd_bits
+        sudo sysctl -w vm.mmap_rnd_bits=28
+    - name: config
+      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
+      run: CC=clang ./config --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: make test
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@ -1,4 +1,4 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -18,15 +18,14 @@ jobs:
      fail-fast: false
      matrix:
        opt: [
-          enable-asan enable-ubsan no-shared no-asm -DOPENSSL_SMALL_FOOTPRINT,
-          no-ct,
+          enable-asan enable-ubsan no-shared no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=function,
          no-dso,
          no-dynamic-engine,
-          no-ec2m,
+          no-ec2m enable-fips,
          no-engine no-shared,
          no-err,
          no-filenames,
-          enable-ubsan no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=alignment,
+          enable-ubsan no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=function,
          no-module,
          no-ocsp,
          no-pinshared,
@ -59,3 +58,50 @@ jobs:
        if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi
    - name: make test
      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  jitter:
+    runs-on: ubuntu-latest
+    steps:
+    - name: checkout openssl
+      uses: actions/checkout@v4
+    - name: checkout jitter
+      uses: actions/checkout@v4
+      with:
+        repository: smuellerDD/jitterentropy-library
+        ref: v3.5.0
+        path: jitter
+    - name: build jitter
+      run: make -C jitter/
+    - name: checkout fuzz/corpora submodule
+      run: git submodule update --init --depth 1 fuzz/corpora
+    - name: config
+      run: ./config --with-rand-seed=none enable-jitter enable-fips-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC=JITTER && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: make test
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
+  threads_sanitizer_atomic_fallback:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: checkout fuzz/corpora submodule
+      run: git submodule update --init --depth 1 fuzz/corpora
+    - name: Adjust ASLR for sanitizer
+      run: |
+        sudo cat /proc/sys/vm/mmap_rnd_bits
+        sudo sysctl -w vm.mmap_rnd_bits=28
+    - name: config
+      run: CC=clang ./config --banner=Configured no-shared no-fips --strict-warnings -g -fsanitize=thread -DBROKEN_CLANG_ATOMICS && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: make test
+      run: make test V=1 TESTS="test_lhash test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"
--- a/.github/workflows/run_quic_interop.yml
+++ b/.github/workflows/run_quic_interop.yml
@ -0,0 +1,71 @@
+name: "Run openssl quic interop testing"
+
+on:
+  workflow_run:
+    workflows: ["Build openssl interop container from master"]
+    types: [completed]
+  workflow_dispatch:
+
+jobs:
+  run_quic_interop_openssl_client:
+    strategy:
+      matrix:
+        tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
+        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy]
+        exclude:
+          - servers: msquic
+            tests: retry
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+         repository: 'quic-interop/quic-interop-runner'
+         fetch-depth: 0
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          sudo add-apt-repository ppa:wireshark-dev/stable
+          sudo apt-get update
+          sudo apt-get install -y tshark
+      - name: Patch implementations file
+        run: |
+          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
+                         , url: "https://github.com/openssl/openssl"
+                         , role: "both"
+                         }' ./implementations.json > ./implementations.tmp
+          mv ./implementations.tmp implementations.json
+      - name: "run interop with openssl client"
+        run: |
+          python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs-client -d
+  run_quic_interop_openssl_server:
+    strategy:
+      matrix:
+        tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
+        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome]
+        exclude:
+          - clients: mvfst
+            tests: amplificationlimit
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+         repository: 'quic-interop/quic-interop-runner'
+         fetch-depth: 0
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          sudo add-apt-repository ppa:wireshark-dev/stable
+          sudo apt-get update
+          sudo apt-get install -y tshark
+      - name: Patch implementations file
+        run: |
+          jq '.openssl = { image: "quay.io/openssl-ci/openssl-quic-interop"
+                         , url: "https://github.com/openssl/openssl"
+                         , role: "both"
+                         }' ./implementations.json > ./implementations.tmp
+          mv ./implementations.tmp implementations.json
+      - name: "run interop with openssl server"
+        run: |
+          python3 ./run.py -s openssl -t ${{ matrix.tests }} -c ${{ matrix.clients }} --log-dir ./logs-server -d
--- a/.github/workflows/static-analysis-on-prem.yml
+++ b/.github/workflows/static-analysis-on-prem.yml
@ -9,7 +9,7 @@ name: Static Analysis On Prem

 on:
  schedule:
-    - cron:  '20 0 * * *'
+    - cron:  '25 02 * * *'
  workflow_dispatch:

 permissions:
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@ -10,7 +10,8 @@ name: Static Analysis
 #Run once a day
 on:
  schedule:
-    - cron:  '20 0 * * *'
+    - cron:  '20 02 * * *'
+  workflow_dispatch:

 permissions:
  contents: read
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -17,15 +17,17 @@ jobs:
    # Run a job for each of the specified target architectures:
    strategy:
      matrix:
-        os:
-          - windows-2019
-          - windows-2022
        platform:
          - arch: win64
+            os: windows-2019
            config: enable-fips
+          - arch: win64
+            os: windows-2022
+            config: enable-fips no-thread-pool no-quic
          - arch: win32
+            os: windows-2022
            config: --strict-warnings no-fips
-    runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }}
+    runs-on: ${{ matrix.platform.os }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -90,9 +92,9 @@ jobs:
    strategy:
      matrix:
        os:
-          - windows-2019
+# Reducing CI footprint  - windows-2019
          - windows-2022
-    runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }}
+    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -128,8 +130,8 @@ jobs:
      matrix:
        os:
          - windows-2019
-          - windows-2022
-    runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }}
+# Reducing CI footprint  - windows-2022
+    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
    - name: checkout fuzz/corpora submodule
@ -174,7 +176,7 @@ jobs:
 # are we really learning sth new from win32? So let's save some CO2 for now disabling this
 #          - arch: win32
 #            config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips
-    runs-on: ${{ github.server_url == 'https://github.com' && matrix.os || format('{0}-self-hosted', matrix.os) }}
+    runs-on: ${{ matrix.os }}
    env:
      CYGWIN_NOWINPATH: 1
      SHELLOPTS: igncr
--- a/.gitignore
+++ b/.gitignore
@ -67,6 +67,7 @@
 doc/man1/openssl-*.pod

 # Auto generated der files
+providers/common/der/der_slh_dsa_gen.c
 providers/common/der/der_digests_gen.c
 providers/common/der/der_dsa_gen.c
 providers/common/der/der_ec_gen.c
@ -74,6 +75,8 @@ providers/common/der/der_ecx_gen.c
 providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
+providers/common/der/der_ml_dsa_gen.c
+providers/common/include/prov/der_slh_dsa.h
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
 providers/common/include/prov/der_ecx.h
@ -81,6 +84,7 @@ providers/common/include/prov/der_rsa.h
 providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
+providers/common/include/prov/der_ml_dsa.h

 # error code files
 /crypto/err/openssl.txt.old
@ -118,6 +122,70 @@ providers/common/include/prov/der_sm2.h
 /test/threadstest_fips
 /test/timing_load_creds

+# Demo applications
+/demos/bio/client-arg
+/demos/bio/client-conf
+/demos/bio/saccept
+/demos/bio/sconnect
+/demos/bio/server-arg
+/demos/bio/server-cmod
+/demos/bio/server-conf
+/demos/cipher/aesccm
+/demos/cipher/aesgcm
+/demos/cipher/aeskeywrap
+/demos/cipher/ariacbc
+/demos/cms/cms_comp
+/demos/cms/cms_ddec
+/demos/cms/cms_dec
+/demos/cms/cms_denc
+/demos/cms/cms_enc
+/demos/cms/cms_sign
+/demos/cms/cms_sign2
+/demos/cms/cms_uncomp
+/demos/cms/cms_ver
+/demos/digest/BIO_f_md
+/demos/digest/EVP_MD_demo
+/demos/digest/EVP_MD_stdin
+/demos/digest/EVP_MD_xof
+/demos/encode/ec_encode
+/demos/encode/rsa_encode
+/demos/encrypt/rsa_encrypt
+/demos/guide/quic-client-block
+/demos/guide/quic-client-non-block
+/demos/guide/quic-hq-interop
+/demos/guide/quic-multi-stream
+/demos/guide/tls-client-block
+/demos/guide/tls-client-non-block
+/demos/http3/libnghttp3.pc
+/demos/http3/nghttp3/
+/demos/http3/ossl-nghttp3-demo
+/demos/kdf/argon2
+/demos/kdf/hkdf
+/demos/kdf/pbkdf2
+/demos/kdf/scrypt
+/demos/keyexch/x25519
+/demos/mac/cmac-aes256
+/demos/mac/gmac
+/demos/mac/hmac-sha512
+/demos/mac/poly1305
+/demos/pkey/EVP_PKEY_DSA_keygen
+/demos/pkey/EVP_PKEY_DSA_paramfromdata
+/demos/pkey/EVP_PKEY_DSA_paramgen
+/demos/pkey/EVP_PKEY_DSA_paramvalidate
+/demos/pkey/EVP_PKEY_EC_keygen
+/demos/pkey/EVP_PKEY_RSA_keygen
+/demos/signature/EVP_DSA_Signature_demo
+/demos/signature/EVP_EC_Signature_demo
+/demos/signature/EVP_ED_Signature_demo
+/demos/signature/rsa_pss_direct
+/demos/signature/rsa_pss_hash
+/demos/smime/smdec
+/demos/smime/smenc
+/demos/smime/smsign
+/demos/smime/smsign2
+/demos/smime/smver
+/demos/sslecho/sslecho
+
 # Certain files that get created by tests on the fly
 /test-runs
 /test/buildtest_*
@ -141,7 +209,6 @@ providers/common/include/prov/der_sm2.h
 /tools/c_rehash.pl
 /util/shlib_wrap.sh
 /util/wrap.pl
-/util/quicserver
 /tags
 /TAGS
 *.map
@ -172,7 +239,6 @@ providers/common/include/prov/der_sm2.h

 # Files created on other branches that are not held in git, and are not
 # needed on this branch
-/include/openssl/asn1_mac.h
 /include/openssl/des_old.h
 /include/openssl/fips.h
 /include/openssl/fips_rand.h
--- a/.gitmodules
+++ b/.gitmodules
@ -32,3 +32,6 @@
 	path = fuzz/corpora
 	url = https://github.com/openssl/fuzz-corpora
 	branch = main
+[submodule "pkcs11-provider"]
+	path = pkcs11-provider
+	url = https://github.com/latchset/pkcs11-provider.git
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -12,6 +12,7 @@ Groups

 * OpenSSL Software Services, Inc.
 * OpenSSL Software Foundation, Inc.
+ * Google LLC

 Individuals
 -----------
@ -48,4 +49,5 @@ Individuals
 * Tim Hudson
 * Tomáš Mráz
 * Ulf Möller
+ * Valerii Krygin
 * Viktor Dukhovni
--- a/CHANGES.md
+++ b/CHANGES.md
@ -12,6 +12,7 @@ appropriate release branch.
 OpenSSL Releases
 ----------------

+ - [OpenSSL 3.5](#openssl-35)
 - [OpenSSL 3.4](#openssl-34)
 - [OpenSSL 3.3](#openssl-33)
 - [OpenSSL 3.2](#openssl-32)
@ -24,10 +25,285 @@ OpenSSL Releases
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

+OpenSSL 3.5
+-----------
+
+### Changes between 3.5 and 3.6 [xx XXX xxxx]
+
+ * none yet
+
+### Changes between 3.4 and 3.5 [xx XXX xxxx]
+
+* Added server side support for QUIC
+
+   *Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh*
+
+ * Added a `no-tls-deprecated-ec` configuration option.
+
+   The `no-tls-deprecated-ec` option disables support for TLS elliptic curve
+   groups deprecated in RFC8422 at compile time.  This does not affect use of
+   the associated curves outside TLS.  By default support for these groups is
+   compiled in, but, as before, they are not included in the default run-time
+   list of supported groups.
+
+   With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
+   compile time even if the default configuration is changed, provided the
+   underlying EC curves remain implemented.
+
+   *Viktor Dukhovni*
+
+ * Added new API to enable 0-RTT for 3rd party QUIC stacks.
+
+   *Cheng Zhang*
+
+ * Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`,
+   which allows for application notification of new connection SSL object
+   creation, which occurs independently of calls to `SSL_accept_connection()`.
+   Note: QUIC objects passed through SSL callbacks should not have their state
+   mutated via calls back into the SSL api until such time as they have been
+   received via a call to `SSL_accept_connection()`.
+
+   *Neil Horman*
+
+ * Add SLH-DSA as specified in FIPS 205.
+
+   *Shane Lontis and Dr Paul Dale*
+
+ * ML-KEM as specified in FIPS 203.
+
+   Based on the original implementation in BoringSSL, ported from C++ to C,
+   refactored, and integrated into the OpenSSL default and FIPS providers.
+   Including also the X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024
+   TLS hybrid key post-quantum/classical key agreement schemes.
+
+   *Michael Baentsch, Viktor Dukhovni, Shane Lontis and Paul Dale*
+
+ * Add ML-DSA as specified in FIPS 204.
+
+   The base code was derived from BoringSSL C++ code.
+
+   *Shane Lontis, Viktor Dukhovni and Paul Dale*
+
+ * Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS
+   implementation.
+
+   *Matt Caswell*
+
+ * The default DRBG implementations have been changed to prefer to fetch
+   algorithm implementations from the default provider (the provider the
+   DRBG implementation is built in) regardless of the default properties
+   set in the configuration file. The code will still fallback to find
+   an implementation, as done previously, if needed.
+
+   *Simo Sorce*
+
+ * Initial support for opaque symmetric keys objects.  These replace the ad-hoc byte
+   arrays that are pervasive throughout the library.
+
+   *Dmitry Belyavskiy and Simo Sorce*
+
+ * For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of
+   `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection.
+   Extend the server-side key exchange group selection algorithm and related group list syntax
+   to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs.
+
+   *David Kelsey*, *Martin Schmatz*
+
+ * The default TLS group list setting is now set to:
+   `?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072`
+
+   This means two key shares (X25519MLKEM768 and X25519) will be sent by
+   default by the TLS client. GOST groups and FFDHE groups larger than 3072
+   bits are no longer enabled by default.
+
+   *Viktor Dukhovni*
+
+ * A new random generation API has been introduced which modifies all
+   of the L<RAND_bytes(3)> family of calls so they are routed through a
+   specific named provider instead of being resolved via the normal DRBG
+   chaining.  In a future OpenSSL release, this will obsolete RAND_METHOD.
+
+   *Dr Paul Dale*
+
+ * New inline functions were added to support loads and stores of unsigned
+   16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
+   form, regardless of the host byte-order.  See the `OPENSSL_load_u16_le(3)`
+   manpage for details.
+
+   *Viktor Dukhovni*
+
+ * All the `BIO_meth_get_*()` functions allowing reuse of the internal OpenSSL
+   BIO method implementations were deprecated. The reuse is unsafe due to
+   dependency on the code of the internal methods not changing.
+
+   *Tomáš Mráz*
+
+ * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
+   `SSL_CTX_set1_groups_list()` now supports the DEFAULT keyword which sets the
+   available groups to the default selection. The '-' prefix allows the calling
+   application to remove a group from the selection.
+
+   *Frederik Wedel-Heinen*
+
+ * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
+   from `des-ede3-cbc` to `aes-256-cbc`.
+
+   AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
+
+   *Aditya*
+
+ * Enhanced PKCS#7 inner contents verification.
+   In the `PKCS7_verify()` function, the BIO *indata parameter refers to the
+   signed data if the content is detached from p7. Otherwise, indata should be
+   NULL, and then the signed data must be in p7.
+
+   The previous OpenSSL implementation only supported MIME inner content
+   [RFC 5652, section 5.2].
+
+   The added functionality now enables support for PKCS#7 inner content
+   [RFC 2315, section 7].
+
+   *Małgorzata Olszówka*
+
+ * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
+   longer required) when using `-digest` or when signing or verifying with an
+   Ed25519 or Ed448 key.
+   The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
+
+   *David von Oheimb*
+
+ * `X509_PURPOSE_add()` has been modified
+   to take `sname` instead of `id` as the primary purpose identifier.
+   For its convenient use, `X509_PURPOSE_get_unused_id()` has been added.
+
+   This work was sponsored by Siemens AG.
+
+   *David von Oheimb*
+
+ * Added support for central key generation in CMP.
+
+   This work was sponsored by Siemens AG.
+
+   *Rajeev Ranjan*
+
+ * Optionally allow the FIPS provider to use the `JITTER` entropy source.
+   Note that using this option will require the resulting FIPS provider
+   to undergo entropy source validation [ESV] by the [CMVP], without this
+   the FIPS provider will not be FIPS compliant.  Enable this using the
+   configuration option `enable-fips-jitter`.
+
+   *Paul Dale*
+
+ * Extended `OPENSSL_ia32cap` support to accommodate additional `CPUID`
+   feature/capability bits in leaf `0x7` (Extended Feature Flags) as well
+   as leaf `0x24` (Converged Vector ISA).
+
+   *Dan Zimmerman, Alina Elizarova*
+
+ * Cipher pipelining support for provided ciphers with new API functions
+   EVP_CIPHER_can_pipeline(), EVP_CipherPipelineEncryptInit(),
+   EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate(),
+   and EVP_CipherPipelineFinal(). Cipher pipelining support allows application to
+   submit multiple chunks of data in one cipher update call, thereby allowing the
+   provided implementation to take advantage of parallel computing. There are
+   currently no built-in ciphers that support pipelining. This new API replaces
+   the legacy pipeline API [SSL_CTX_set_max_pipelines](https://docs.openssl.org/3.3/man3/SSL_CTX_set_split_send_fragment/) used with Engines.
+
+   *Ramkumar*
+
+ * Add CMS_NO_SIGNING_TIME flag to CMS_sign(), CMS_add1_signer()
+
+   Previously there was no way to create a CMS SignedData signature without a
+   signing time attribute, because CMS_SignerInfo_sign added it unconditionally.
+   However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf) )
+   where this attribute is not allowed, so a new flag was added to the CMS API
+   that causes this attribute to be omitted at signing time.
+
+   The new `-no_signing_time` option of the `cms` command enables this flag.
+
+   *Juhász Péter*
+
+ * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for
+   AVX_IFMA capable processors (Intel Sierra Forest and its successor).
+
+   This optimization brings performance enhancement, ranging from 1.8 to 2.2
+   times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`)
+   on the Intel Sierra Forest.
+
+   *Zhiguo Zhou, Wangyang Guo (Intel Corp)*
+
+ * VAES/AVX-512 support for AES-XTS.
+
+   For capable processors (>= Intel Icelake), this provides a
+   vectorized implementation of AES-XTS with a throughput improvement
+   between 1.3x to 2x, depending on the block size.
+
+   *Pablo De Lara Guarch, Dan Pittman*
+
+ * Fix EVP_DecodeUpdate(): do not write padding zeros to the decoded output.
+
+   According to the documentation,
+   for every 4 valid base64 bytes processed (ignoring whitespace, carriage returns and line feeds),
+   EVP_DecodeUpdate() produces 3 bytes of binary output data
+   (except at the end of data terminated with one or two padding characters).
+   However, the function behaved like an EVP_DecodeBlock():
+   produces exactly 3 output bytes for every 4 input bytes.
+   Such behaviour could cause writes to a non-allocated output buffer
+   if a user allocates its size based on the documentation and knowing the padding size.
+
+   The fix makes EVP_DecodeUpdate() produce
+   exactly as many output bytes as in the initial non-encoded message.
+
+   *Valerii Krygin*
+
 OpenSSL 3.4
 -----------

-### Changes between 3.3 and 3.4 [xx XXX xxxx]
+### Changes between 3.4.1 and 3.4.2 [xx XXX xxxx]
+
+ * When displaying distinguished names in the openssl application escape control
+   characters by default.
+
+   *Tomáš Mráz*
+
+### Changes between 3.4.0 and 3.4.1 [11 Feb 2025]
+
+ * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+
+   Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
+   server may fail to notice that the server was not authenticated, because
+   handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode
+   is set.
+
+   ([CVE-2024-12797])
+
+   *Viktor Dukhovni*
+
+ * Fixed timing side-channel in ECDSA signature computation.
+
+   There is a timing signal of around 300 nanoseconds when the top word of
+   the inverted ECDSA nonce value is zero. This can happen with significant
+   probability only for some of the supported elliptic curves. In particular
+   the NIST P-521 curve is affected. To be able to measure this leak, the
+   attacker process must either be located in the same physical computer or
+   must have a very fast network connection with low latency.
+
+   ([CVE-2024-13176])
+
+   *Tomáš Mráz*
+
+ * Reverted the behavior change of CMS_get1_certs() and CMS_get1_crls()
+   that happened in the 3.4.0 release. These functions now return NULL
+   again if there are no certs or crls in the CMS object.
+
+   *Tomáš Mráz*
+
+### Changes between 3.3 and 3.4.0 [22 Oct 2024]
+
+ * For the FIPS provider only, replaced the primary DRBG with a continuous
+   health check module.  This also removes the now forbidden DRBG chaining.
+
+   *Paul Dale*

 * Improved base64 BIO correctness and error reporting.

@ -75,7 +351,7 @@ OpenSSL 3.4

   [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators

-   *Shane Lontis, Paul Dale and Po-Hsing Wu*
+   *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*

 * Added support for hardware acceleration for HMAC on S390x architecture.

@ -118,7 +394,7 @@ OpenSSL 3.4

 * Added options `-not_before` and `-not_after` for explicit setting
   start and end dates of certificates created with the `req` and `x509`
-   apps. Added the same options also to `ca` app as alias for
+   commands. Added the same options also to `ca` command as alias for
   `-startdate` and `-enddate` options.

   *Stephan Wurm*
@ -157,7 +433,9 @@ OpenSSL 3.4

   *Rajeev Ranjan*

- * Added support for requesting CRL in CMP.
+ * Added support for retrieving certificate request templates and CRLs in CMP,
+   with the respective CLI options `-template`,
+   `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`.

   This work was sponsored by Siemens AG.

@ -197,7 +475,25 @@ OpenSSL 3.4
 OpenSSL 3.3
 -----------

-### Changes between 3.3.1 and 3.3.2 [xx XXX xxxx]
+### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
+
+ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+   curve parameters.
+
+   Use of the low-level GF(2^m) elliptic curve APIs with untrusted
+   explicit values for the field polynomial can lead to out-of-bounds memory
+   reads or writes.
+   Applications working with "exotic" explicit binary (GF(2^m)) curve
+   parameters, that make it possible to represent invalid field polynomials
+   with a zero constant term, via the above or similar APIs, may terminate
+   abruptly as a result of reading or writing outside of array bounds. Remote
+   code execution cannot easily be ruled out.
+
+   ([CVE-2024-9143])
+
+   *Viktor Dukhovni*
+
+### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]

 * Fixed possible denial of service in X.509 name checks.

@ -345,6 +641,8 @@ OpenSSL 3.3
   - `certProfile` request message header and respective `-profile` CLI option
   - support for delayed delivery of all types of response messages

+   This work was sponsored by Siemens AG.
+
   *David von Oheimb*

 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
@ -650,11 +948,6 @@ OpenSSL 3.2

   *Fergus Dall*

- * Added support for securely getting root CA certificate update in
-   CMP.
-
-   *David von Oheimb*
-
 * Improved contention on global write locks by using more read locks where
   appropriate.

@ -907,21 +1200,24 @@ OpenSSL 3.2

   * Lutz Jänicke*

- * The `x509`, `ca`, and `req` apps now produce X.509 v3 certificates.
+ * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
   The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
   `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
   X.509 version 3 if the certificate information includes X.509 extensions.

   *David von Oheimb*

- * Fix and extend certificate handling and the apps `x509`, `verify` etc.
+ * Fix and extend certificate handling and the commands `x509`, `verify` etc.
   such as adding a trace facility for debugging certificate chain building.

   *David von Oheimb*

 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
-   in particular supporting requests for central key generation, generalized
-   polling, and various types of genm/genp exchanges defined in CMP Updates.
+   in particular supporting various types of genm/genp exchanges such as getting
+   CA certificates and root CA cert updates defined in CMP Updates [RFC 9480],
+   as well as the `-srvcertout` and `-serial` CLI options.
+
+   This work was sponsored by Siemens AG.

   *David von Oheimb*

@ -1243,7 +1539,7 @@ OpenSSL 3.1

   *Orr Toledano*

- * s_client and s_server apps now explicitly say when the TLS version
+ * `s_client` and `s_server` commands now explicitly say when the TLS version
   does not include the renegotiation mechanism. This avoids confusion
   between that scenario versus when the TLS version includes secure
   renegotiation but the peer lacks support for it.
@ -2294,7 +2590,8 @@ breaking changes, and mappings for the large list of deprecated functions.

   *Nicola Tuveri*

- * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
+ * Behavior of the `pkey` command is changed,
+   when using the `-check` or `-pubcheck`
   switches: a validation failure triggers an early exit, returning a failure
   exit status to the parent process.

@ -8534,7 +8831,7 @@ OpenSSL 1.0.1
   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
-   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])
@ -9599,7 +9896,7 @@ OpenSSL 1.0.0
   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
-   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])
@ -15730,7 +16027,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

   *stefank@valicert.com via Richard Levitte*

- * Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+ * Add an SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   the bitwise-OR of the two for use by the majority of applications
@ -16279,7 +16576,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 ### Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]

 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
-   to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
+   to avoid an SSLeay/OpenSSL PRNG weakness pointed out by
   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
   PRNG state recovery was possible based on the output of
   one PRNG request appropriately sized to gain knowledge on
@ -18880,7 +19177,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

 * Bugfix: ssl23_get_client_hello did not work properly when called in
   state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
-   a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
+   an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
   but a retry condition occurred while trying to read the rest.

   *Bodo Moeller*
@ -20856,6 +21153,8 @@ ndif

 <!-- Links -->

+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
@ -21049,3 +21348,5 @@ ndif
 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
+[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
--- a/Configurations/50-cppbuilder.conf
+++ b/Configurations/50-cppbuilder.conf
@ -58,5 +58,64 @@ my %targets = (
        shared_defflag   => '',
        perl_platform    => 'Windows::cppbuilder',
        uplink_arch      => 'common',
+    },
+    "BC-64" => {
+        inherit_from     => [ "BASE_Windows" ],
+        sys_id           => "WIN64",
+        bn_ops           => "BN_LLONG",
+        thread_scheme    => "winthreads",
+        cc               => "bcc64",
+        CPP              => "cpp64 -oCON -Sc -Sr",
+        defines          => add("WIN32_LEAN_AND_MEAN", "OPENSSL_SYS_WIN64",
+                                "L_ENDIAN", "DSO_WIN32", "_stricmp=stricmp",
+                                "_strnicmp=strnicmp", "_setmode=setmode"),
+        cflags           => picker(default => add("-q -c",
+                                                  threads("-tM"),
+                                                  shared("-tR")),
+                                   debug   => "-Od -v -vi- -D_DEBUG",
+                                   release => "-O2"),
+        bin_cflags       => "-tWC",
+        lib_cflags       => shared("-tWD -D_WINDLL -D_DLL"),
+        coutflag         => "-o",
+
+        # -Sx isn't documented, but 'cpp64 -H -S' explains it:
+        #
+        # -Sx     Omit preprocessed text in output
+        makedepcmd       => "cpp64 -oCON -Sx -Hp",
+        makedep_scheme   => "embarcadero",
+
+        LD               => "ilink64",
+        LDFLAGS          => picker(default => "-x -Gn -q -w-dup",
+                                   debug   => '-j"$(BDS)\lib\win64\debug" ' .
+                                              '-L"$(BDS)\lib\win64\debug" -v',
+                                   release => '-j"$(BDS)\lib\win64\release" ' .
+                                              '-L"$(BDS)\lib\win64\release"'),
+        bin_lflags       => "-ap -Tpe c0x64.o wildargs.o",
+        ldoutflag        => ",",
+        ldpostoutflag    => ",,",
+        ld_resp_delim    => " +\n",
+        ex_libs          => add(sub {
+            my @ex_libs = ("import64.a",
+                           ($disabled{shared}
+                            ? ($disabled{threads} ? "cw64.a" : "cw64mt.a")
+                            : ($disabled{threads} ? "cw64i.a" : "cw64mti.a")));
+            push @ex_libs, "ws2_32.a" unless $disabled{sock};
+            return join(" ", @ex_libs);
+        }),
+        AR               => "tlib",
+        ARFLAGS          => "/P256 /N /u",
+        ar_resp_delim    => " &\n",
+        RC               => "brcc32",
+        RCFLAGS          => '-i"$(BDS)\include\windows\sdk"',
+        rcoutflag        => "-fo",
+        shared_target    => "win-shared",
+        shared_ldflag    => "-aa -Tpd c0d64.o",
+        lddefflag        => ",",
+        ldresflag        => ",",
+        ld_implib_rule   => 'implib -a $< $**',
+        dso_scheme       => "win64",
+        shared_defflag   => '',
+        perl_platform    => 'Windows::cppbuilder',
+        uplink_arch      => 'common',
    }
 );
--- a/Configurations/50-nonstop.conf
+++ b/Configurations/50-nonstop.conf
@ -173,6 +173,15 @@
        ex_libs          => '-lput',
    },

+    ######################################################################
+    # Build models
+    'nonstop-model-klt' => {
+        template         => 1,
+        defines          => ['_KLT_MODEL_',
+                             '_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
+        ex_libs          => '-lklt',
+    },
+
    ######################################################################
    # Now for the entries themselves, let's combine things!
    'nonstop-nsx' => {
@ -211,6 +220,28 @@
        multibin         => '64-put',
        disable          => ['atexit'],
    },
+    'nonstop-nsx_64_klt' => {
+        inherit_from     => [ 'nonstop-common',
+                              'nonstop-archenv-x86_64-oss',
+                              'nonstop-lp64-x86_64',
+                              'nonstop-efloat-x86_64',
+                              'nonstop-model-klt' ],
+        multilib         => '64-klt',
+        multibin         => '64-klt',
+        disable          => ['atexit'],
+    },
+    'nonstop-nsx_g' => {
+        inherit_from     => [ 'nonstop-common',
+                              'nonstop-archenv-x86_64-guardian',
+                              'nonstop-ilp32', 'nonstop-nfloat-x86_64' ],
+        disable          => ['threads','atexit'],
+    },
+    'nonstop-nsx_g_tandem' => {
+        inherit_from     => [ 'nonstop-common',
+                              'nonstop-archenv-x86_64-guardian',
+                              'nonstop-ilp32', 'nonstop-tfloat-x86_64' ],
+        disable          => ['threads','atexit'],
+    },
    'nonstop-nsv' => {
        inherit_from     => [ 'nonstop-nsx' ],
    },
--- a/Configurations/50-win-clang-cl.conf
+++ b/Configurations/50-win-clang-cl.conf
@ -11,7 +11,7 @@ my %targets = (
        multilib        => "-arm64",
        asm_arch        => "aarch64",
        AS        => "clang-cl.exe",
-        ASFLAGS   => "/nologo /Zi",
+        ASFLAGS   => "/nologo /Zi --target=arm64-pc-windows-msvc",
        asflags   => "/c",
        asoutflag => "/Fo",
        perlasm_scheme => "win64",
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@ -1173,7 +1173,7 @@ generate_buildinfo: generate_doc_buildinfo

 .PHONY: doc-nits md-nits
 doc-nits: build_generated_pods ## Evaluate OpenSSL documentation
-	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e
+	$(PERL) $(SRCDIR)/util/find-doc-nits -c -n -l -e -i

 # This uses "mdl", the markdownlint application, which is written in ruby.
 # The source is at https://github.com/markdownlint/markdownlint
@ -1338,8 +1338,7 @@ errors:
           include/internal/asn1.h
           include/internal/sslconf.h );
   my @cryptoskipheaders = ( @sslheaders_tmpl,
-       qw( include/openssl/asn1_mac.h
-           include/openssl/conf_api.h
+       qw( include/openssl/conf_api.h
           include/openssl/ebcdic.h
           include/openssl/opensslconf.h
           include/openssl/symhacks.h ) );
@ -1746,7 +1745,7 @@ EOF
      } elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) {
          $recipe .= <<"EOF";
 $obj: $deps
-	$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs
+	$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs
 	\@touch $dep.tmp
 	\@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\
 		rm -f $dep.tmp; \\
--- a/36
+++ b/36
@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -81,6 +81,11 @@ EOF
 # enable-demos  Enable the building of the example code in the demos directory
 # enable-h3demo Enable the http3 demo, which currently only links to the
 #               external nghttp3 library on unix platforms
+#
+# enable-hqinterop
+#               Enable the building of the hq-interop code for construction
+#               of the interop container
+#
 # no-hw         do not compile support for any crypto hardware.
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
@ -448,6 +453,7 @@ my @disablables = (
    "default-thread-pool",
    "demos",
    "h3demo",
+    "hqinterop",
    "deprecated",
    "des",
    "devcryptoeng",
@ -472,11 +478,13 @@ my @disablables = (
    "fips",
    "fips-securitychecks",
    "fips-post",
+    "fips-jitter",
    "fuzz-afl",
    "fuzz-libfuzzer",
    "gost",
    "http",
    "idea",
+    "integrity-only-ciphers",
    "jitter",
    "ktls",
    "legacy",
@ -485,6 +493,8 @@ my @disablables = (
    "md2",
    "md4",
    "mdc2",
+    "ml-dsa",
+    "ml-kem",
    "module",
    "msan",
    "multiblock",
@ -513,6 +523,7 @@ my @disablables = (
    "shared",
    "siphash",
    "siv",
+    "slh-dsa",
    "sm2",
    "sm2-precomp",
    "sm3",
@ -525,12 +536,13 @@ my @disablables = (
    "ssl-trace",
    "static-engine",
    "stdio",
+    "sslkeylog",
    "tests",
    "tfo",
    "thread-pool",
    "threads",
    "tls",
-    "integrity-only-ciphers",
+    "tls-deprecated-ec",
    "trace",
    "ts",
    "ubsan",
@ -573,6 +585,7 @@ my %deprecated_disablables = (

 our %disabled = ( # "what"         => "comment"
                  "fips"                => "default",
+                  "fips-jitter"         => "default",
                  "asan"                => "default",
                  "brotli"              => "default",
                  "brotli-dynamic"      => "default",
@ -581,6 +594,7 @@ our %disabled = ( # "what"         => "comment"
                  "crypto-mdebug-backtrace" => "default",
                  "demos"               => "default",
                  "h3demo"              => "default",
+                  "hqinterop"           => "default",
                  "devcryptoeng"        => "default",
                  "ec_nistp_64_gcc_128" => "default",
                  "egd"                 => "default",
@ -596,6 +610,7 @@ our %disabled = ( # "what"         => "comment"
                  "sctp"                => "default",
                  "ssl3"                => "default",
                  "ssl3-method"         => "default",
+                  "sslkeylog"           => "default",
                  "tfo"                 => "default",
                  "trace"               => "default",
                  "ubsan"               => "default",
@ -618,8 +633,8 @@ my @disable_cascades = (
                             "ec", "engine",
                             "filenames",
                             "idea", "ktls",
-                             "md4", "multiblock", "nextprotoneg",
-                             "ocsp", "ocb", "poly1305", "psk",
+                             "md4", "ml-dsa", "ml-kem", "multiblock",
+                             "nextprotoneg", "ocsp", "ocb", "poly1305", "psk",
                             "rc2", "rc4", "rmd160",
                             "seed", "siphash", "siv",
                             "sm3", "sm4", "srp",
@ -635,7 +650,8 @@ my @disable_cascades = (
    "brotli"            => [ "brotli-dynamic" ],
    "zstd"              => [ "zstd-dynamic" ],
    "des"               => [ "mdc2" ],
-    "ec"                => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
+    "deprecated"        => [ "tls-deprecated-ec" ],
+    "ec"                => [ qw(ec2m ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
    "dgram"             => [ "dtls", "quic", "sctp" ],
    "sock"              => [ "dgram", "tfo" ],
    "dtls"              => [ @dtls ],
@ -689,7 +705,8 @@ my @disable_cascades = (

    "cmp"               => [ "crmf" ],

-    "fips"              => [ "fips-securitychecks", "fips-post", "acvp-tests" ],
+    "fips"              => [ "fips-securitychecks", "fips-post", "acvp-tests",
+                             "fips-jitter" ],

    "threads"           => [ "thread-pool" ],
    "thread-pool"       => [ "default-thread-pool" ],
@ -957,6 +974,11 @@ while (@argvcopy)
                        {
                        delete $disabled{"zstd"};
                        }
+                elsif ($1 eq "fips-jitter")
+                        {
+                        delete $disabled{"fips"};
+                        delete $disabled{"jitter"};
+                        }
                my $algo = $1;
                delete $disabled{$algo};

@ -1918,7 +1940,7 @@ foreach my $what (sort keys %disabled) {

        $skipdir{engines} = $what if $what eq 'engine';
        $skipdir{"crypto/$skipdir"} = $what
-            unless $what eq 'async' || $what eq 'err' || $what eq 'dso';
+            unless $what eq 'async' || $what eq 'err' || $what eq 'dso' || $what eq 'http';
    }
 }

--- a/INSTALL.md
+++ b/INSTALL.md
@ -536,7 +536,7 @@ shown below:
    [random]
    seed=JITTER

-It uses a statically linked [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) as the seed source.
+It uses a statically linked [jitterentropy-library] as the seed source.

 Additional configuration flags available:

@ -781,6 +781,12 @@ Don't build support for Elliptic Curves.

 Don't build support for binary Elliptic Curves

+### no-tls-deprecated-ec
+
+Disable legacy TLS EC groups that were deprecated in RFC8422.  These are the
+Koblitz curves, B<secp160r1>, B<secp160r2>, B<secp192r1>, B<secp224r1>, and the
+binary Elliptic curves that would also be disabled by C<no-ec2m>.
+
 ### enable-ec_nistp_64_gcc_128

 Enable support for optimised implementations of some commonly used NIST
@ -841,6 +847,19 @@ Don't perform FIPS module Power On Self Tests.
 This option MUST be used for debugging only as it makes the FIPS provider
 non-compliant. It is useful when setting breakpoints in FIPS algorithms.

+### enable-fips-jitter
+
+Use the CPU Jitter library as a FIPS validated entropy source.
+
+This option will only produce a compliant FIPS provider if you have:
+
+1. independently performed the required [SP 800-90B] entropy assessments;
+2. meet the minimum required entropy as specified by [jitterentropy-library];
+3. obtain an [ESV] certificate for the [jitterentropy-library] and
+4. have had the resulting FIPS provider certified by the [CMVP].
+
+Failure to do all of these will produce a non-compliant FIPS provider.
+
 ### enable-fuzz-libfuzzer, enable-fuzz-afl

 Build with support for fuzzing using either libfuzzer or AFL.
@ -872,6 +891,16 @@ Disabling this also disables the legacy algorithms: MD2 (already disabled by def

 Don't generate dependencies.

+### no-ml-dsa
+
+Disable Module-Lattice-Based Digital Signature Standard (ML-DSA) support.
+ML-DSA is based on CRYSTALS-DILITHIUM. See [FIPS 204].
+
+### no-ml-kem
+
+Disable Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
+support.  ML-KEM is based on CRYSTALS-KYBER. See [FIPS 203].
+
 ### no-module

 Don't build any dynamically loadable engines.
@ -961,6 +990,11 @@ Do not create shared libraries, only static ones.

 See [Notes on shared libraries](#notes-on-shared-libraries) below.

+### no-slh-dsa
+
+Disable Stateless Hash Based Digital Signature Standard support.
+(SLH-DSA is based on SPHINCS+. See [FIPS 205])
+
 ### no-sm2-precomp

 Disable using the SM2 precomputed table on aarch64 to make the library smaller.
@ -1065,6 +1099,17 @@ Build with support for the integrated tracing api.

 See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.

+### enable-sslkeylog
+
+Build with support for the SSLKEYLOGFILE environment variable
+
+When enabled, setting SSLKEYLOGFILE to a file path records the keys exchanged
+during a TLS handshake for use in analysis tools like wireshark.  Note that the
+use of this mechanism allows for decryption of application payloads found in
+captured packets using keys from the key log file and therefore has significant
+security consequences.  See Section 3 of
+[the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
+
 ### no-ts

 Don't build Time Stamping (TS) Authority support.
@ -1176,9 +1221,9 @@ Build with support for the specified algorithm.
 ### no-{algorithm}

    no-{aria|bf|blake2|camellia|cast|chacha|cmac|
-        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
-        poly1305|rc2|rc4|rmd160|scrypt|seed|
-        siphash|siv|sm2|sm3|sm4|whirlpool}
+        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ml-dsa|
+        ml-kem|ocb|poly1305|rc2|rc4|rmd160|scrypt|
+        seed|siphash|siv|sm2|sm3|sm4|whirlpool}

 Build without support for the specified algorithm.

@ -2006,3 +2051,24 @@ is used, as it is the version of the GNU assembler that will be checked.

 [10-main.conf]:
    Configurations/10-main.conf
+
+[CMVP]:
+    <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
+
+[ESV]:
+    <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
+
+[FIPS 203]:
+    <https://csrc.nist.gov/pubs/fips/203/final>
+
+[FIPS 204]:
+    <https://csrc.nist.gov/pubs/fips/204/final>
+
+[SP 800-90B]:
+    <https://csrc.nist.gov/pubs/sp/800/90/b/final>
+
+[jitterentropy-library]:
+    <https://github.com/smuellerDD/jitterentropy-library>
+
+[FIPS 205]:
+    <https://csrc.nist.gov/pubs/fips/205/final>
--- a/NEWS.md
+++ b/NEWS.md
@ -7,6 +7,8 @@ release. For more details please read the CHANGES file.
 OpenSSL Releases
 ----------------

+ - [OpenSSL 3.5](#openssl-35)
+ - [OpenSSL 3.4](#openssl-34)
 - [OpenSSL 3.3](#openssl-33)
 - [OpenSSL 3.2](#openssl-32)
 - [OpenSSL 3.1](#openssl-31)
@ -18,16 +20,72 @@ OpenSSL Releases
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

+OpenSSL 3.5
+-----------
+
+### Major changes between OpenSSL 3.5 and OpenSSL 3.6 [under development]
+
+  * none
+
+### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development]
+
+OpenSSL 3.5.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release incorporates the following potentially significant or incompatible
+changes:
+
+  * Default encryption cipher for the `req`, `cms`, and `smime` applications
+    changed from `des-ede3-cbc` to `aes-256-cbc`.
+
+  * The TLS supported groups list has been changed in favor of PQC support.
+
+  * The default TLS keyshares have been changed to offer X25519MLKEM768 and
+    and X25519.
+
+This release adds the following new features:
+
+  * Support for server side QUIC (RFC 9000)
+
+  * Support for 3rd party QUIC stacks
+
+  * Support for PQC algorithms (ML-KEM, ML-DSA, SLH-DSA)
+
+  * Allow the FIPS provider to optionally use the `JITTER` seed source.
+    Because this seed source is not part of the OpenSSL FIPS validations,
+    it should only be enabled after the [jitterentropy-library] has been
+    assessed for entropy quality.  Moreover, the FIPS provider including
+    this entropy source will need to obtain an [ESV] from the [CMVP] before
+    FIPS compliance can be claimed.  Enable this using the configuration
+    option `enable-fips-jitter`.
+
+  * Support for central key generation in CMP
+
+  * Support added for opaque symmetric key objects (EVP_SKEY).
+
+  * Support for multiple TLS keyshares.
+
 OpenSSL 3.4
 -----------

-### Major changes between OpenSSL 3.3 and OpenSSL 3.4 [under development]
+### Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [11 Feb 2025]
+
+OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this
+release is High.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
+    ([CVE-2024-12797])
+
+  * Fixed timing side-channel in ECDSA signature computation.
+    ([CVE-2024-13176])
+
+### Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

 OpenSSL 3.4.0 is a feature release adding significant new functionality to
 OpenSSL.

-This release is in development.
-
 This release incorporates the following potentially significant or incompatible
 changes:

@ -76,7 +134,7 @@ This release adds the following new features:
  * Support for integrity-only cipher suites TLS_SHA256_SHA256 and
    TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150

-  * Support for requesting CRL in CMP
+  * Support for retrieving certificate request templates and CRLs in CMP

  * Support for additional X.509v3 extensions related to Attribute Certificates

@ -88,7 +146,18 @@ This release adds the following new features:
 OpenSSL 3.3
 -----------

-### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [under development]
+### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development]
+
+OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+    curve parameters.
+    ([CVE-2024-9143])
+
+### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024]

 OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
 release is Moderate.
@ -177,6 +246,8 @@ This release adds the following new features:
  * Added X509_STORE_get1_objects to avoid issues with the existing
    X509_STORE_get0_objects API in multi-threaded applications.

+  * Support for using certificate profiles and extened delayed delivery in CMP
+
 This release incorporates the following potentially significant or incompatible
 changes:

@ -1809,6 +1880,8 @@ OpenSSL 0.9.x

 <!-- Links -->

+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
@ -1986,3 +2059,6 @@ OpenSSL 0.9.x
 [CHANGES.md]: ./CHANGES.md
 [README-QUIC.md]: ./README-QUIC.md
 [issue tracker]: https://github.com/openssl/openssl/issues
+[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
+[jitterentropy-library]: https://github.com/smuellerDD/jitterentropy-library
--- a/NOTES-NONSTOP.md
+++ b/NOTES-NONSTOP.md
@ -30,9 +30,16 @@ for each on the TNS/X (L-Series) platform:

 * `nonstop-nsx` or default will select an unthreaded 32-bit build.
 * `nonstop-nsx_64` selects an unthreaded 64-bit memory and file length build.
+ * `nonstop-nsx_64_klt` selects the 64-bit memory and file length KLT build.
 * `nonstop-nsx_put` selects the PUT build.
 * `nonstop-nsx_64_put` selects the 64-bit memory and file length PUT build.

+The KLT threading model is a newly released model on NonStop. It implements
+kernel-level threading. KLT provides much closer threading to what OpenSSL
+uses for Linux-like threading models. KLT continues to use the pthread library
+API. There is no supported 32-bit or Guardian builds for KLT. Note: KLT is
+not currently available but is planned for post-2024.
+
 The SPT threading model is no longer supported as of OpenSSL 3.2.

 The PUT model is incompatible with the QUIC capability. This capability should
@ -124,12 +131,9 @@ correctly, you also need the `COMP_ROOT` set, as in:

 `COMP_ROOT` needs to be in Windows form.

-`Configure` must specify the `no-makedepend` option otherwise errors will
-result when running the build because the c99 cross-compiler does not support
-the `gcc -MT` option. An example of a `Configure` command to be run from the
-OpenSSL directory is:
+An example of a `Configure` command to be run from the OpenSSL directory is:

-    ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
+    ./Configure nonstop-nsx_64 --with-rand-seed=rdcpu

 Do not forget to include any OpenSSL cross-compiling prefix and certificate
 options when creating your libraries.
--- a/NOTES-WINDOWS.md
+++ b/NOTES-WINDOWS.md
@ -114,7 +114,7 @@ Can be administratively set, and openssl will take the paths found there as the
 values for OPENSSLDIR, ENGINESDIR and MODULESDIR respectively.

 To enable the reading of registry keys from windows builds, add
-`-DOPENSSL_WINCTX=<string>`to the Configure command line.  This define is used
+`-DOSSL_WINCTX=<string>`to the Configure command line.  This define is used
 at build-time to construct library build specific registry key paths of the
 format:
 `\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\OpenSSL-<version>-<ctx>`
@ -148,8 +148,8 @@ Native builds using Embarcadero C++Builder
 =========================================

 This toolchain (a descendant of Turbo/Borland C++) is an alternative to MSVC.
-OpenSSL currently includes an experimental 32-bit configuration targeting the
-Clang-based compiler (`bcc32c.exe`) in v10.3.3 Community Edition.
+OpenSSL currently includes experimental 32-bit and 64-bit configurations targeting the
+Clang-based compiler (`bcc32c.exe` and `bcc64.exe`) in v10.3.3 Community Edition.
 <https://www.embarcadero.com/products/cbuilder/starter>

 1. Install Perl.
@ -158,6 +158,8 @@ Clang-based compiler (`bcc32c.exe`) in v10.3.3 Community Edition.

 3. Go to the root of the OpenSSL source directory and run:
    `perl Configure BC-32 --prefix=%CD%`
+    for Win64 builds use:
+    `perl Configure BC-64 --prefix=%CD%`

 4. `make -N`

--- a/README-FIPS.md
+++ b/README-FIPS.md
@ -167,6 +167,22 @@ manual page.

 [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html

+Entropy Source
+==============
+
+The FIPS provider typically relies on an external entropy source,
+specified during OpenSSL build configuration (default: `os`).  However, by
+enabling the `enable-fips-jitter` option during configuration, an internal
+jitter entropy source will be used instead.  Note that this will cause
+the FIPS provider to operate in a non-compliant mode unless an entropy
+assessment [ESV] and validation through the [CMVP] are additionally conducted.
+
+Note that the `enable-fips-jitter` option is only available in OpenSSL
+versions 3.5 and later.
+
+ [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+ [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
+
 3rd-Party Vendor Builds
 =====================================

--- a/README.md
+++ b/README.md
@ -5,7 +5,8 @@ Welcome to the OpenSSL Project

 [![github actions ci badge]][github actions ci]
 ![Nightly OS Zoo ci badge](https://github.com/openssl/openssl/actions/workflows/os-zoo.yml/badge.svg)
-![Provider Compatibility]( https://github.com/openssl/openssl/actions/workflows/provider-compatibility.yml/badge.svg)
+![Provider Compatibility](https://github.com/openssl/openssl/actions/workflows/provider-compatibility.yml/badge.svg)
+![Quic Interop](https://github.com/openssl/openssl/actions/workflows/run_quic_interop.yml/badge.svg)
 ![Daily checks](https://github.com/openssl/openssl/actions/workflows/run-checker-daily.yml/badge.svg)

 OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
@ -66,7 +67,7 @@ For Production Use
 ------------------

 Source code tarballs of the official releases can be downloaded from
-[www.openssl.org/source](https://www.openssl.org/source).
+[openssl-library.org/source/](https://openssl-library.org/source/).
 The OpenSSL project does not distribute the toolkit in binary form.

 However, for a large variety of operating systems precompiled versions
@ -86,22 +87,18 @@ the source tarballs, having a local copy of the git repository with
 the entire project history gives you much more insight into the
 code base.

-The official OpenSSL Git Repository is located at [git.openssl.org].
-There is a GitHub mirror of the repository at [github.com/openssl/openssl],
+The main OpenSSL Git repository is private.
+There is a public GitHub mirror of it at [github.com/openssl/openssl],
 which is updated automatically from the former on every commit.

-A local copy of the Git Repository can be obtained by cloning it from
-the original OpenSSL repository using
-
-    git clone git://git.openssl.org/openssl.git
-
-or from the GitHub mirror using
+A local copy of the Git repository can be obtained by cloning it from
+the GitHub mirror using

    git clone https://github.com/openssl/openssl.git

 If you intend to contribute to OpenSSL, either to fix bugs or contribute
-new features, you need to fork the OpenSSL repository openssl/openssl on
-GitHub and clone your public fork instead.
+new features, you need to fork the GitHub mirror and clone your public fork
+instead.

    git clone https://github.com/yourname/openssl.git

@ -161,7 +158,7 @@ available online.
 Demos
 -----

-The are numerous source code demos for using various OpenSSL capabilities in the
+There are numerous source code demos for using various OpenSSL capabilities in the
 [demos subfolder](./demos).

 Wiki
@ -201,7 +198,7 @@ attempting to develop or distribute cryptographic code.
 Copyright
 =========

-Copyright (c) 1998-2024 The OpenSSL Project Authors
+Copyright (c) 1998-2025 The OpenSSL Project Authors

 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

@ -213,14 +210,6 @@ All rights reserved.
    <https://www.openssl.org>
    "OpenSSL Homepage"

-[git.openssl.org]:
-    <https://git.openssl.org>
-    "OpenSSL Git Repository"
-
-[git.openssl.org]:
-    <https://git.openssl.org>
-    "OpenSSL Git Repository"
-
 [github.com/openssl/openssl]:
    <https://github.com/openssl/openssl>
    "OpenSSL GitHub Mirror"
--- a/VERSION.dat
+++ b/VERSION.dat
@ -1,7 +1,7 @@
 MAJOR=3
-MINOR=4
+MINOR=6
 PATCH=0
-PRE_RELEASE_TAG=beta1-dev
+PRE_RELEASE_TAG=dev
 BUILD_METADATA=
 RELEASE_DATE=""
 SHLIB_VERSION=3
--- a/apps/asn1parse.c
+++ b/apps/asn1parse.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -127,7 +127,8 @@ int asn1parse_main(int argc, char **argv)
            dump = strtol(opt_arg(), NULL, 0);
            break;
        case OPT_STRPARSE:
-            sk_OPENSSL_STRING_push(osk, opt_arg());
+            if (sk_OPENSSL_STRING_push(osk, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_GENSTR:
            genstr = opt_arg();
--- a/apps/build.info
+++ b/apps/build.info
@ -16,7 +16,7 @@ $OPENSSLSRC=\
        enc.c errstr.c \
        genpkey.c kdf.c mac.c nseq.c passwd.c pkcs7.c \
        pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
-        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
+        s_client.c s_server.c s_time.c sess_id.c skeyutl.c smime.c speed.c \
        spkac.c verify.c version.c x509.c rehash.c storeutl.c \
        list.c info.c fipsinstall.c pkcs12.c
 IF[{- !$disabled{'ec'} -}]
--- a/apps/ca.c
+++ b/apps/ca.c
@ -6,6 +6,8 @@
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
+#include "internal/e_os.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
@ -10,6 +10,7 @@
 */

 /* This app is disabled when OPENSSL_NO_CMP is defined. */
+#include "internal/e_os.h"

 #include <string.h>
 #include <ctype.h>
@ -123,6 +124,8 @@ static char *opt_profile = NULL;
 /* certificate enrollment */
 static char *opt_newkey = NULL;
 static char *opt_newkeypass = NULL;
+static int opt_centralkeygen = 0;
+static char *opt_newkeyout = NULL;
 static char *opt_subject = NULL;
 static int opt_days = 0;
 static char *opt_reqexts = NULL;
@ -198,6 +201,8 @@ static char *opt_srv_trusted = NULL;
 static char *opt_srv_untrusted = NULL;
 static char *opt_ref_cert = NULL;
 static char *opt_rsp_cert = NULL;
+static char *opt_rsp_key = NULL;
+static char *opt_rsp_keypass = NULL;
 static char *opt_rsp_crl = NULL;
 static char *opt_rsp_extracerts = NULL;
 static char *opt_rsp_capubs = NULL;
@ -229,7 +234,8 @@ typedef enum OPTION_choice {
    OPT_CMD, OPT_INFOTYPE, OPT_PROFILE, OPT_GENINFO,
    OPT_TEMPLATE, OPT_KEYSPEC,

-    OPT_NEWKEY, OPT_NEWKEYPASS, OPT_SUBJECT,
+    OPT_NEWKEY, OPT_NEWKEYPASS, OPT_CENTRALKEYGEN,
+    OPT_NEWKEYOUT, OPT_SUBJECT,
    OPT_DAYS, OPT_REQEXTS,
    OPT_SANS, OPT_SAN_NODEFAULT,
    OPT_POLICIES, OPT_POLICY_OIDS, OPT_POLICY_OIDS_CRITICAL,
@ -281,7 +287,8 @@ typedef enum OPTION_choice {
    OPT_SRV_REF, OPT_SRV_SECRET,
    OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
    OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
-    OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
+    OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_KEY, OPT_RSP_KEYPASS,
+    OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
    OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW,
    OPT_POLL_COUNT, OPT_CHECK_AFTER,
    OPT_GRANT_IMPLICITCONF,
@ -325,6 +332,10 @@ const OPTIONS cmp_options[] = {
    {"newkey", OPT_NEWKEY, 's',
     "Private or public key for the requested cert. Default: CSR key or client key"},
    {"newkeypass", OPT_NEWKEYPASS, 's', "New private key pass phrase source"},
+    {"centralkeygen", OPT_CENTRALKEYGEN, '-',
+     "Request central (server-side) key generation. Default is local generation"},
+    {"newkeyout", OPT_NEWKEYOUT, 's',
+     "File to save centrally generated key, in PEM format"},
    {"subject", OPT_SUBJECT, 's',
     "Distinguished Name (DN) of subject to use in the requested cert template"},
    {OPT_MORE_STR, 0, 0,
@ -570,6 +581,12 @@ const OPTIONS cmp_options[] = {
     "Certificate to be expected for rr and any oldCertID in kur messages"},
    {"rsp_cert", OPT_RSP_CERT, 's',
     "Certificate to be returned as mock enrollment result"},
+    {"rsp_key", OPT_RSP_KEY, 's',
+     "Private key for the certificate to be returned as mock enrollment result"},
+    {OPT_MORE_STR, 0, 0,
+     "Key to be returned for central key pair generation"},
+    {"rsp_keypass", OPT_RSP_KEYPASS, 's',
+     "Response private key (and cert) pass phrase source"},
    {"rsp_crl", OPT_RSP_CRL, 's',
     "CRL to be returned in genp of type crls"},
    {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
@ -629,8 +646,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
    {&opt_cmd_s}, {&opt_infotype_s}, {&opt_profile}, {&opt_geninfo},
    {&opt_template}, {&opt_keyspec},

-    {&opt_newkey}, {&opt_newkeypass}, {&opt_subject},
-    {(char **)&opt_days}, {&opt_reqexts},
+    {&opt_newkey}, {&opt_newkeypass}, {(char **)&opt_centralkeygen},
+    {&opt_newkeyout}, {&opt_subject}, {(char **)&opt_days}, {&opt_reqexts},
    {&opt_sans}, {(char **)&opt_san_nodefault},
    {&opt_policies}, {&opt_policy_oids}, {(char **)&opt_policy_oids_critical},
    {(char **)&opt_popo}, {&opt_csr},
@ -682,8 +699,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
    {&opt_srv_ref}, {&opt_srv_secret},
    {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
    {&opt_srv_trusted}, {&opt_srv_untrusted},
-    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl},
-    {&opt_rsp_extracerts}, {&opt_rsp_capubs},
+    {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_key}, {&opt_rsp_keypass},
+    {&opt_rsp_crl}, {&opt_rsp_extracerts}, {&opt_rsp_capubs},
    {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew},

    {(char **)&opt_poll_count}, {(char **)&opt_check_after},
@ -1196,11 +1213,25 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
    if (opt_rsp_cert == NULL) {
        CMP_warn("no -rsp_cert given for mock server");
    } else {
-        if (!setup_cert(srv_ctx, opt_rsp_cert, opt_keypass,
+        if (!setup_cert(srv_ctx, opt_rsp_cert, opt_rsp_keypass,
                        "cert the mock server returns on certificate requests",
                        (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut))
            goto err;
    }
+    if (opt_rsp_key != NULL) {
+        EVP_PKEY *pkey = load_key_pwd(opt_rsp_key, opt_keyform,
+                                      opt_rsp_keypass, engine,
+                                      "private key for enrollment cert");
+
+        if (pkey == NULL
+            || !ossl_cmp_mock_srv_set1_keyOut(srv_ctx, pkey)) {
+            EVP_PKEY_free(pkey);
+            goto err;
+        }
+        EVP_PKEY_free(pkey);
+    }
+    cleanse(opt_rsp_keypass);
+
    if (!setup_mock_crlout(srv_ctx, opt_rsp_crl,
                           "CRL to be returned by the mock server"))
        goto err;
@ -1671,11 +1702,27 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
    if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
        return 0;
    if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
-        if (opt_reqin == NULL && opt_newkey == NULL
+        if (opt_reqin == NULL && opt_newkey == NULL && !opt_centralkeygen
            && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
-            CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key");
+            CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key."
+                    " Neither central key generation is requested.");
            return 0;
        }
+        if (opt_popo == OSSL_CRMF_POPO_NONE && !opt_centralkeygen) {
+            CMP_info("POPO is disabled, which implies -centralkeygen");
+            opt_centralkeygen = 1;
+        }
+        if (opt_centralkeygen) {
+            if (opt_popo > OSSL_CRMF_POPO_NONE) {
+                CMP_err1("-popo value %d is inconsistent with -centralkeygen", opt_popo);
+                return 0;
+            }
+            if (opt_newkeyout == NULL) {
+                CMP_err("-newkeyout not given, nowhere to save centrally generated key");
+                return 0;
+            }
+            opt_popo = OSSL_CRMF_POPO_NONE;
+        }
        if (opt_newkey == NULL
            && opt_popo != OSSL_CRMF_POPO_NONE
            && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
@ -1723,6 +1770,12 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
            CMP_warn1("-policies %s", msg);
        if (opt_policy_oids != NULL)
            CMP_warn1("-policy_oids %s", msg);
+        if (opt_popo != OSSL_CRMF_POPO_NONE - 1)
+            CMP_warn1("-popo %s", msg);
+        if (opt_centralkeygen)
+            CMP_warn1("-popo -1 or -centralkeygen %s", msg);
+        if (opt_newkeyout != NULL)
+            CMP_warn1("-newkeyout %s", msg);
        if (opt_cmd != CMP_P10CR) {
            if (opt_implicit_confirm)
                CMP_warn1("-implicit_confirm %s, and 'p10cr'", msg);
@ -1827,13 +1880,14 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
            pkey = load_pubkey(file, format, 0, pass, engine, desc);
            priv = 0;
        }
-        cleanse(opt_newkeypass);
+
        if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
            EVP_PKEY_free(pkey);
            return 0;
        }
    } else if (opt_reqin != NULL
-               && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
+               && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL
+               && !opt_centralkeygen) {
        if (!set_fallback_pubkey(ctx))
            return 0;
    }
@ -2921,13 +2975,18 @@ static int get_opts(int argc, char **argv)
        case OPT_KEYSPEC:
            opt_keyspec = opt_str();
            break;
-
        case OPT_NEWKEY:
            opt_newkey = opt_str();
            break;
        case OPT_NEWKEYPASS:
            opt_newkeypass = opt_str();
            break;
+        case OPT_CENTRALKEYGEN:
+            opt_centralkeygen = 1;
+            break;
+        case OPT_NEWKEYOUT:
+            opt_newkeyout = opt_str();
+            break;
        case OPT_SUBJECT:
            opt_subject = opt_str();
            break;
@ -3085,6 +3144,12 @@ static int get_opts(int argc, char **argv)
        case OPT_RSP_CERT:
            opt_rsp_cert = opt_str();
            break;
+        case OPT_RSP_KEY:
+            opt_rsp_key = opt_str();
+            break;
+        case OPT_RSP_KEYPASS:
+            opt_rsp_keypass = opt_str();
+            break;
        case OPT_RSP_CRL:
            opt_rsp_crl = opt_str();
            break;
@ -3792,6 +3857,34 @@ int cmp_main(int argc, char **argv)
            if (save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
                                opt_cacertsout, "CA") < 0)
                goto err;
+            if (opt_centralkeygen) {
+                EVP_CIPHER *cipher = NULL;
+                char *pass_string = NULL;
+                BIO *out;
+                int result = 1;
+                EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(cmp_ctx, 1 /* priv */);
+
+                if (new_key == NULL)
+                    goto err;
+                if ((out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1)) == NULL)
+                    goto err;
+                if (opt_newkeypass != NULL) {
+                    pass_string = get_passwd(opt_newkeypass,
+                                             "Centrally generated private key password");
+                    cipher = EVP_CIPHER_fetch(app_get0_libctx(), SN_aes_256_cbc, app_get0_propq());
+                }
+
+                CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
+                if (PEM_write_bio_PrivateKey(out, new_key, cipher, NULL, 0, NULL,
+                                             (void *)pass_string) <= 0)
+                    result = 0;
+
+                BIO_free(out);
+                clear_free(pass_string);
+                EVP_CIPHER_free(cipher);
+                if (!result)
+                    goto err;
+            }
        }
        if (!OSSL_CMP_CTX_reinit(cmp_ctx))
            goto err;
--- a/apps/cms.c
+++ b/apps/cms.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -69,7 +69,8 @@ typedef enum OPTION_choice {
    OPT_DIGEST, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
    OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
    OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
-    OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
+    OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_NO_SIGNING_TIME,
+    OPT_BINARY, OPT_KEYID,
    OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
    OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
    OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
@ -186,6 +187,8 @@ const OPTIONS cms_options[] = {
     "Don't include signer's certificate when signing"},
    {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
    {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+    {"no_signing_time", OPT_NO_SIGNING_TIME, '-',
+     "Omit the signing time attribute"},
    {"receipt_request_all", OPT_RR_ALL, '-',
     "When signing, create a receipt request for all recipients"},
    {"receipt_request_first", OPT_RR_FIRST, '-',
@ -429,6 +432,9 @@ int cms_main(int argc, char **argv)
        case OPT_NOSMIMECAP:
            flags |= CMS_NOSMIMECAP;
            break;
+        case OPT_NO_SIGNING_TIME:
+            flags |= CMS_NO_SIGNING_TIME;
+            break;
        case OPT_BINARY:
            flags |= CMS_BINARY;
            break;
@ -505,13 +511,15 @@ int cms_main(int argc, char **argv)
            if (rr_from == NULL
                && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            sk_OPENSSL_STRING_push(rr_from, opt_arg());
+            if (sk_OPENSSL_STRING_push(rr_from, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_RR_TO:
            if (rr_to == NULL
                && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            sk_OPENSSL_STRING_push(rr_to, opt_arg());
+            if (sk_OPENSSL_STRING_push(rr_to, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_PRINT:
            noout = print = 1;
@ -588,13 +596,15 @@ int cms_main(int argc, char **argv)
                if (sksigners == NULL
                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                if (keyfile == NULL)
                    keyfile = signerfile;
                if (skkeys == NULL
                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
                keyfile = NULL;
            }
            signerfile = opt_arg();
@ -612,12 +622,14 @@ int cms_main(int argc, char **argv)
                if (sksigners == NULL
                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                signerfile = NULL;
                if (skkeys == NULL
                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
            }
            keyfile = opt_arg();
            break;
@ -671,7 +683,8 @@ int cms_main(int argc, char **argv)
                    key_param->next = nparam;
                key_param = nparam;
            }
-            sk_OPENSSL_STRING_push(key_param->param, opt_arg());
+            if (sk_OPENSSL_STRING_push(key_param->param, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_V_CASES:
            if (!opt_verify(o, vpm))
@ -717,7 +730,6 @@ int cms_main(int argc, char **argv)
    }

    /* Remaining args are files to process. */
-    argc = opt_num_rest();
    argv = opt_rest();

    if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) {
@ -758,12 +770,14 @@ int cms_main(int argc, char **argv)
            if (sksigners == NULL
                && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                goto end;
            if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
            if (keyfile == NULL)
                keyfile = signerfile;
-            sk_OPENSSL_STRING_push(skkeys, keyfile);
+            if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                goto end;
        }
        if (sksigners == NULL) {
            BIO_printf(bio_err, "No signer certificate specified\n");
@ -822,15 +836,8 @@ int cms_main(int argc, char **argv)
    }

    if (operation == SMIME_ENCRYPT) {
-        if (!cipher) {
-#ifndef OPENSSL_NO_DES
-            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-#else
-            BIO_printf(bio_err, "No cipher selected\n");
-            goto end;
-#endif
-        }
-
+        if (!cipher)
+            cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
        if (secret_key && !secret_keyid) {
            BIO_printf(bio_err, "No secret key id\n");
            goto end;
@ -1004,7 +1011,7 @@ int cms_main(int argc, char **argv)
                goto end;

            pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-            if (kparam != NULL) {
+            if (pctx != NULL && kparam != NULL) {
                if (!cms_set_pkey_param(pctx, kparam->param))
                    goto end;
            }
@ -1045,8 +1052,15 @@ int cms_main(int argc, char **argv)
            pwri_tmp = NULL;
        }
        if (!(flags & CMS_STREAM)) {
-            if (!CMS_final(cms, in, NULL, flags))
+            if (!CMS_final(cms, in, NULL, flags)) {
+                if (originator != NULL
+                    && ERR_GET_REASON(ERR_peek_error())
+                    == CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
+                    BIO_printf(bio_err, "Cannot use originator for encryption\n");
+                    goto end;
+                }
                goto end;
+            }
        }
    } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
        cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
@ -1297,6 +1311,7 @@ int cms_main(int argc, char **argv)
    X509_free(cert);
    X509_free(recip);
    X509_free(signer);
+    X509_free(originator);
    EVP_PKEY_free(key);
    EVP_CIPHER_free(cipher);
    EVP_CIPHER_free(wrap_cipher);
--- a/apps/crl2pkcs7.c
+++ b/apps/crl2pkcs7.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -138,7 +138,9 @@ int crl2pkcs7_main(int argc, char **argv)
        if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
            goto end;
        p7s->crl = crl_stack;
-        sk_X509_CRL_push(crl_stack, crl);
+
+        if (!sk_X509_CRL_push(crl_stack, crl))
+            goto end;
        crl = NULL;             /* now part of p7 for OPENSSL_freeing */
    }

@ -216,7 +218,10 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
    while (sk_X509_INFO_num(sk)) {
        xi = sk_X509_INFO_shift(sk);
        if (xi->x509 != NULL) {
-            sk_X509_push(stack, xi->x509);
+            if (!sk_X509_push(stack, xi->x509)) {
+                X509_INFO_free(xi);
+                goto end;
+            }
            xi->x509 = NULL;
            count++;
        }
--- a/apps/dgst.c
+++ b/apps/dgst.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -24,6 +24,9 @@
 #undef BUFSIZE
 #define BUFSIZE 1024*8

+static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
+                              EVP_PKEY *key, unsigned char *sigin, int siglen,
+                              const char *sig_name, const char *file);
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
          EVP_PKEY *key, unsigned char *sigin, int siglen,
          const char *sig_name, const char *md_name,
@ -93,7 +96,7 @@ const OPTIONS dgst_options[] = {

 int dgst_main(int argc, char **argv)
 {
-    BIO *in = NULL, *inp, *bmd = NULL, *out = NULL;
+    BIO *in = NULL, *inp = NULL, *bmd = NULL, *out = NULL;
    ENGINE *e = NULL, *impl = NULL;
    EVP_PKEY *sigkey = NULL;
    STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
@ -111,6 +114,8 @@ int dgst_main(int argc, char **argv)
    unsigned char *buf = NULL, *sigbuf = NULL;
    int engine_impl = 0;
    struct doall_dgst_digests dec;
+    EVP_MD_CTX *signctx = NULL;
+    int oneshot_sign = 0;

    buf = app_malloc(BUFSIZE, "I/O buffer");
    md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
@ -278,8 +283,6 @@ int dgst_main(int argc, char **argv)
    }

    if (keyfile != NULL) {
-        int type;
-
        if (want_pub)
            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
        else
@ -290,14 +293,16 @@ int dgst_main(int argc, char **argv)
             */
            goto end;
        }
-        type = EVP_PKEY_get_id(sigkey);
-        if (type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448) {
-            /*
-             * We implement PureEdDSA for these which doesn't have a separate
-             * digest, and only supports one shot.
-             */
-            BIO_printf(bio_err, "Key type not supported for this operation\n");
-            goto end;
+        {
+            char def_md[80];
+
+            if (EVP_PKEY_get_default_digest_name(sigkey, def_md,
+                                                 sizeof(def_md)) == 2
+                    && strcmp(def_md, "UNDEF") == 0)
+                oneshot_sign = 1;
+            signctx = EVP_MD_CTX_new();
+            if (signctx == NULL)
+                goto end;
        }
    }

@ -342,7 +347,9 @@ int dgst_main(int argc, char **argv)
        EVP_PKEY_CTX *pctx = NULL;
        int res;

-        if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
+        if (oneshot_sign) {
+            mctx = signctx;
+        } else if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
            BIO_printf(bio_err, "Error getting context\n");
            goto end;
        }
@ -379,6 +386,11 @@ int dgst_main(int argc, char **argv)
    /* we use md as a filter, reading from 'in' */
    else {
        EVP_MD_CTX *mctx = NULL;
+
+        if (oneshot_sign) {
+            BIO_printf(bio_err, "Oneshot algorithms don't use a digest\n");
+            goto end;
+        }
        if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
            BIO_printf(bio_err, "Error getting context\n");
            goto end;
@ -407,17 +419,18 @@ int dgst_main(int argc, char **argv)
            goto end;
        }
    }
-    inp = BIO_push(bmd, in);
+    if (!oneshot_sign) {
+        inp = BIO_push(bmd, in);

-    if (md == NULL) {
-        EVP_MD_CTX *tctx;
+        if (md == NULL) {
+            EVP_MD_CTX *tctx;

-        BIO_get_md_ctx(bmd, &tctx);
-        md = EVP_MD_CTX_get1_md(tctx);
+            BIO_get_md_ctx(bmd, &tctx);
+            md = EVP_MD_CTX_get1_md(tctx);
+        }
+        if (md != NULL)
+            md_name = EVP_MD_get0_name(md);
    }
-    if (md != NULL)
-        md_name = EVP_MD_get0_name(md);
-
    if (xoflen > 0) {
        if (!EVP_MD_xof(md)) {
            BIO_printf(bio_err, "Length can only be specified for XOF\n");
@ -436,8 +449,12 @@ int dgst_main(int argc, char **argv)

    if (argc == 0) {
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        ret = do_fp(out, buf, inp, separator, out_bin, xoflen, sigkey, sigbuf,
-                    siglen, NULL, md_name, "stdin");
+        if (oneshot_sign)
+            ret = do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
+                                     sigkey, sigbuf, siglen, NULL, "stdin");
+        else
+            ret = do_fp(out, buf, inp, separator, out_bin, xoflen,
+                        sigkey, sigbuf, siglen, NULL, md_name, "stdin");
    } else {
        const char *sig_name = NULL;

@ -452,9 +469,16 @@ int dgst_main(int argc, char **argv)
                ret = EXIT_FAILURE;
                continue;
            } else {
-                if (do_fp(out, buf, inp, separator, out_bin, xoflen,
-                          sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
-                    ret = EXIT_FAILURE;
+                if (oneshot_sign) {
+                    if (do_fp_oneshot_sign(out, signctx, in, separator, out_bin,
+                                           sigkey, sigbuf, siglen, sig_name,
+                                           argv[i]))
+                        ret = EXIT_FAILURE;
+                } else {
+                    if (do_fp(out, buf, inp, separator, out_bin, xoflen,
+                              sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
+                        ret = EXIT_FAILURE;
+                }
            }
            (void)BIO_reset(bmd);
        }
@ -468,6 +492,7 @@ int dgst_main(int argc, char **argv)
    BIO_free_all(out);
    EVP_MD_free(md);
    EVP_PKEY_free(sigkey);
+    EVP_MD_CTX_free(signctx);
    sk_OPENSSL_STRING_free(sigopts);
    sk_OPENSSL_STRING_free(macopts);
    OPENSSL_free(sigbuf);
@ -544,6 +569,54 @@ static const char *newline_escape_filename(const char *file, int *backslash)
    return (const char*)file_cpy;
 }

+static void print_out(BIO *out, unsigned char *buf, size_t len,
+                      int sep, int binout,
+                      const char *sig_name, const char *md_name, const char *file)
+{
+    int i, backslash = 0;
+
+    if (binout) {
+        BIO_write(out, buf, len);
+    } else if (sep == 2) {
+        file = newline_escape_filename(file, &backslash);
+
+        if (backslash == 1)
+            BIO_puts(out, "\\");
+
+        for (i = 0; i < (int)len; i++)
+            BIO_printf(out, "%02x", buf[i]);
+
+        BIO_printf(out, " *%s\n", file);
+        OPENSSL_free((char *)file);
+    } else {
+        if (sig_name != NULL) {
+            BIO_puts(out, sig_name);
+            if (md_name != NULL)
+                BIO_printf(out, "-%s", md_name);
+            BIO_printf(out, "(%s)= ", file);
+        } else if (md_name != NULL) {
+            BIO_printf(out, "%s(%s)= ", md_name, file);
+        } else {
+            BIO_printf(out, "(%s)= ", file);
+        }
+        for (i = 0; i < (int)len; i++) {
+            if (sep && (i != 0))
+                BIO_printf(out, ":");
+            BIO_printf(out, "%02x", buf[i]);
+        }
+        BIO_printf(out, "\n");
+    }
+}
+
+static void print_verify_result(BIO *out, int i)
+{
+    if (i > 0)
+        BIO_printf(out, "Verified OK\n");
+    else if (i == 0)
+        BIO_printf(out, "Verification failure\n");
+    else
+        BIO_printf(bio_err, "Error verifying data\n");
+}

 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
          EVP_PKEY *key, unsigned char *sigin, int siglen,
@ -551,7 +624,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
          const char *file)
 {
    size_t len = BUFSIZE;
-    int i, backslash = 0, ret = EXIT_FAILURE;
+    int i, ret = EXIT_FAILURE;
    unsigned char *allocated_buf = NULL;

    while (BIO_pending(bp) || !BIO_eof(bp)) {
@ -567,16 +640,9 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
        EVP_MD_CTX *ctx;
        BIO_get_md_ctx(bp, &ctx);
        i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
-        if (i > 0) {
-            BIO_printf(out, "Verified OK\n");
-        } else if (i == 0) {
-            BIO_printf(out, "Verification failure\n");
-            goto end;
-        } else {
-            BIO_printf(bio_err, "Error verifying data\n");
-            goto end;
-        }
-        ret = EXIT_SUCCESS;
+        print_verify_result(out, i);
+        if (i > 0)
+            ret = EXIT_SUCCESS;
        goto end;
    }
    if (key != NULL) {
@ -617,39 +683,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen
        if ((int)len < 0)
            goto end;
    }
-
-    if (binout) {
-        BIO_write(out, buf, len);
-    } else if (sep == 2) {
-        file = newline_escape_filename(file, &backslash);
-
-        if (backslash == 1)
-            BIO_puts(out, "\\");
-
-        for (i = 0; i < (int)len; i++)
-            BIO_printf(out, "%02x", buf[i]);
-
-        BIO_printf(out, " *%s\n", file);
-        OPENSSL_free((char *)file);
-    } else {
-        if (sig_name != NULL) {
-            BIO_puts(out, sig_name);
-            if (md_name != NULL)
-                BIO_printf(out, "-%s", md_name);
-            BIO_printf(out, "(%s)= ", file);
-        } else if (md_name != NULL) {
-            BIO_printf(out, "%s(%s)= ", md_name, file);
-        } else {
-            BIO_printf(out, "(%s)= ", file);
-        }
-        for (i = 0; i < (int)len; i++) {
-            if (sep && (i != 0))
-                BIO_printf(out, ":");
-            BIO_printf(out, "%02x", buf[i]);
-        }
-        BIO_printf(out, "\n");
-    }
-
+    print_out(out, buf, len, sep, binout, sig_name, md_name, file);
    ret = EXIT_SUCCESS;
 end:
    if (allocated_buf != NULL)
@ -657,3 +691,55 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen

    return ret;
 }
+
+/*
+ * Some new algorithms only support one shot operations.
+ * For these we need to buffer all input and then do the sign on the
+ * total buffered input. These algorithms set a NULL digest name which is
+ * then used inside EVP_DigestVerify() and EVP_DigestSign().
+ */
+static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int binout,
+                              EVP_PKEY *key, unsigned char *sigin, int siglen,
+                              const char *sig_name, const char *file)
+{
+    int res, ret = EXIT_FAILURE;
+    size_t len = 0;
+    int buflen = 0;
+    int maxlen = 16 * 1024 * 1024;
+    uint8_t *buf = NULL, *sig = NULL;
+
+    buflen = bio_to_mem(&buf, maxlen, in);
+    if (buflen <= 0) {
+        BIO_printf(bio_err, "Read error in %s\n", file);
+        return ret;
+    }
+    if (sigin != NULL) {
+        res = EVP_DigestVerify(ctx, sigin, siglen, buf, buflen);
+        print_verify_result(out, res);
+        if (res > 0)
+            ret = EXIT_SUCCESS;
+        goto end;
+    }
+    if (key != NULL) {
+        if (EVP_DigestSign(ctx, NULL, &len, buf, buflen) != 1) {
+            BIO_printf(bio_err, "Error getting maximum length of signed data\n");
+            goto end;
+        }
+        sig = app_malloc(len, "Signature buffer");
+        if (EVP_DigestSign(ctx, sig, &len, buf, buflen) != 1) {
+            BIO_printf(bio_err, "Error signing data\n");
+            goto end;
+        }
+        print_out(out, sig, len, sep, binout, sig_name, NULL, file);
+        ret = EXIT_SUCCESS;
+    } else {
+        BIO_printf(bio_err, "key must be set for one-shot algorithms\n");
+        goto end;
+    }
+
+ end:
+    OPENSSL_free(sig);
+    OPENSSL_clear_free(buf, buflen);
+
+    return ret;
+}
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@ -179,10 +179,6 @@ int dhparam_main(int argc, char **argv)
        goto end;
    }

-    out = bio_open_default(outfile, 'w', outformat);
-    if (out == NULL)
-        goto end;
-
    /* DH parameters */
    if (num && !g)
        g = 2;
@ -322,6 +318,10 @@ int dhparam_main(int argc, char **argv)
        }
    }

+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
+        goto end;
+
    if (text)
        EVP_PKEY_print_params(out, pkey, 4, NULL);

--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@ -150,10 +150,6 @@ int dsaparam_main(int argc, char **argv)
    numbits = num;
    private = genkey ? 1 : 0;

-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
    ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
    if (ctx == NULL) {
        BIO_printf(bio_err,
@ -200,6 +196,10 @@ int dsaparam_main(int argc, char **argv)
        goto end;
    }

+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
    if (text) {
        EVP_PKEY_print_params(out, params, 0, NULL);
    }
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
@ -67,13 +67,11 @@ const OPTIONS ecparam_options[] = {

 static int list_builtin_curves(BIO *out)
 {
-    int ret = 0;
    EC_builtin_curve *curves = NULL;
    size_t n, crv_len = EC_get_builtin_curves(NULL, 0);

    curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
-    if (!EC_get_builtin_curves(curves, crv_len))
-        goto end;
+    EC_get_builtin_curves(curves, crv_len);

    for (n = 0; n < crv_len; n++) {
        const char *comment = curves[n].comment;
@ -87,10 +85,8 @@ static int list_builtin_curves(BIO *out)
        BIO_printf(out, "  %-10s: ", sname);
        BIO_printf(out, "%s\n", comment);
    }
-    ret = 1;
-end:
    OPENSSL_free(curves);
-    return ret;
+    return 1;
 }

 int ecparam_main(int argc, char **argv)
@ -192,18 +188,18 @@ int ecparam_main(int argc, char **argv)
    if (!app_RAND_load())
        goto end;

-    private = genkey ? 1 : 0;
-
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
    if (list_curves) {
+        out = bio_open_owner(outfile, outformat, private);
+        if (out == NULL)
+            goto end;
+
        if (list_builtin_curves(out))
            ret = 0;
        goto end;
    }

+    private = genkey ? 1 : 0;
+
    if (curve_name != NULL) {
        OSSL_PARAM params[4];
        OSSL_PARAM *p = params;
@ -276,8 +272,12 @@ int ecparam_main(int argc, char **argv)
        goto end;
    }

+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
    if (text
-        && !EVP_PKEY_print_params(out, params_key, 0, NULL)) {
+        && EVP_PKEY_print_params(out, params_key, 0, NULL) <= 0) {
        BIO_printf(bio_err, "unable to print params\n");
        goto end;
    }
--- a/apps/enc.c
+++ b/apps/enc.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -49,7 +49,8 @@ typedef enum OPTION_choice {
    OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
    OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
-    OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM
+    OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM,
+    OPT_SKEYOPT, OPT_SKEYMGMT
 } OPTION_CHOICE;

 const OPTIONS enc_options[] = {
@ -105,6 +106,8 @@ const OPTIONS enc_options[] = {
 #ifndef OPENSSL_NO_ZLIB
    {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
 #endif
+    {"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque symmetric key handling"},
+    {"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque symmetric key handling"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},

    OPT_R_OPTIONS,
@ -134,6 +137,7 @@ int enc_main(int argc, char **argv)
    int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
    int ret = 1, inl, nopad = 0;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+    int rawkey_set = 0;
    unsigned char *buff = NULL, salt[EVP_MAX_IV_LENGTH];
    int saltlen = 0;
    int pbkdf2 = 0;
@ -150,6 +154,10 @@ int enc_main(int argc, char **argv)
    BIO *bbrot = NULL;
    int do_zstd = 0;
    BIO *bzstd = NULL;
+    STACK_OF(OPENSSL_STRING) *skeyopts = NULL;
+    const char *skeymgmt = NULL;
+    EVP_SKEY *skey = NULL;
+    EVP_SKEYMGMT *mgmt = NULL;

    /* first check the command name */
    if (strcmp(argv[0], "base64") == 0)
@ -310,6 +318,17 @@ int enc_main(int argc, char **argv)
        case OPT_NONE:
            cipher = NULL;
            break;
+        case OPT_SKEYOPT:
+            if ((skeyopts == NULL &&
+                 (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
+                BIO_printf(bio_err, "%s: out of memory\n", prog);
+                goto end;
+            }
+            break;
+        case OPT_SKEYMGMT:
+            skeymgmt = opt_arg();
+            break;
        case OPT_R_CASES:
            if (!opt_rand(o))
                goto end;
@ -391,7 +410,7 @@ int enc_main(int argc, char **argv)
        str = pass;
    }

-    if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
+    if ((str == NULL) && (cipher != NULL) && (hkey == NULL) && (skeyopts == NULL)) {
        if (1) {
 #ifndef OPENSSL_NO_UI_CONSOLE
            for (;;) {
@ -571,6 +590,7 @@ int enc_main(int argc, char **argv)
                /* split and move data back to global buffer */
                memcpy(key, tmpkeyiv, iklen);
                memcpy(iv, tmpkeyiv+iklen, ivlen);
+                rawkey_set = 1;
            } else {
                BIO_printf(bio_err, "*** WARNING : "
                                    "deprecated key derivation used.\n"
@ -581,6 +601,7 @@ int enc_main(int argc, char **argv)
                    BIO_printf(bio_err, "EVP_BytesToKey failed\n");
                    goto end;
                }
+                rawkey_set = 1;
            }
            /*
             * zero the complete buffer or the string passed from the command
@ -618,6 +639,16 @@ int enc_main(int argc, char **argv)
            }
            /* wiping secret data as we no longer need it */
            cleanse(hkey);
+            rawkey_set = 1;
+        }
+
+        /*
+         * At this moment we know whether we trying to use raw bytes as the key
+         * or an opaque symmetric key. We do not allow both options simultaneously.
+         */
+        if (rawkey_set > 0 && skeyopts != NULL) {
+            BIO_printf(bio_err, "Either a raw key or the 'skeyopt' args must be used.\n");
+            goto end;
        }

        if ((benc = BIO_new(BIO_f_cipher())) == NULL)
@ -633,24 +664,51 @@ int enc_main(int argc, char **argv)
        if (wrap == 1)
            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);

-        if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
-            BIO_printf(bio_err, "Error setting cipher %s\n",
-                       EVP_CIPHER_get0_name(cipher));
-            ERR_print_errors(bio_err);
-            goto end;
+        if (rawkey_set) {
+            if (!EVP_CipherInit_ex(ctx, cipher, e, key,
+                                   (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
+                BIO_printf(bio_err, "Error setting cipher %s\n",
+                           EVP_CIPHER_get0_name(cipher));
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else {
+            OSSL_PARAM *params = NULL;
+
+            mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
+                                      skeymgmt != NULL ? skeymgmt : EVP_CIPHER_name(cipher),
+                                      app_get0_propq());
+            if (mgmt == NULL)
+                goto end;
+
+            params = app_params_new_from_opts(skeyopts,
+                                              EVP_SKEYMGMT_get0_imp_settable_params(mgmt));
+            if (params == NULL)
+                goto end;
+
+            skey = EVP_SKEY_import(app_get0_libctx(), EVP_SKEYMGMT_get0_name(mgmt),
+                                   app_get0_propq(), OSSL_SKEYMGMT_SELECT_ALL, params);
+            OSSL_PARAM_free(params);
+            if (skey == NULL) {
+                BIO_printf(bio_err, "Error creating opaque key object for skeymgmt %s\n",
+                           skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+
+            if (!EVP_CipherInit_SKEY(ctx, cipher, skey,
+                                     (hiv == NULL && wrap == 1 ? NULL : iv),
+                                     EVP_CIPHER_get_iv_length(cipher), enc, NULL)) {
+                BIO_printf(bio_err, "Error setting an opaque key for cipher %s\n",
+                           EVP_CIPHER_get0_name(cipher));
+                ERR_print_errors(bio_err);
+                goto end;
+            }
        }

        if (nopad)
            EVP_CIPHER_CTX_set_padding(ctx, 0);

-        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key,
-                               (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
-            BIO_printf(bio_err, "Error setting cipher %s\n",
-                       EVP_CIPHER_get0_name(cipher));
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-
        if (debug) {
            BIO_set_callback_ex(benc, BIO_debug_callback_ex);
            BIO_set_callback_arg(benc, (char *)bio_err);
@ -716,6 +774,9 @@ int enc_main(int argc, char **argv)
    }
 end:
    ERR_print_errors(bio_err);
+    sk_OPENSSL_STRING_free(skeyopts);
+    EVP_SKEYMGMT_free(mgmt);
+    EVP_SKEY_free(skey);
    OPENSSL_free(strbuf);
    OPENSSL_free(buff);
    BIO_free(in);
--- a/apps/engine.c
+++ b/apps/engine.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -316,7 +316,8 @@ int engine_main(int argc, char **argv)
     * names, and then setup to parse the rest of the line as flags. */
    prog = argv[0];
    while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
-        sk_OPENSSL_CSTRING_push(engines, argv1);
+        if (!sk_OPENSSL_CSTRING_push(engines, argv1))
+            goto end;
        argc--;
        argv++;
    }
@ -352,10 +353,12 @@ int engine_main(int argc, char **argv)
            test_avail++;
            break;
        case OPT_PRE:
-            sk_OPENSSL_STRING_push(pre_cmds, opt_arg());
+            if (sk_OPENSSL_STRING_push(pre_cmds, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_POST:
-            sk_OPENSSL_STRING_push(post_cmds, opt_arg());
+            if (sk_OPENSSL_STRING_push(post_cmds, opt_arg()) <= 0)
+                goto end;
            break;
        }
    }
@ -370,12 +373,14 @@ int engine_main(int argc, char **argv)
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        }
-        sk_OPENSSL_CSTRING_push(engines, *argv);
+        if (!sk_OPENSSL_CSTRING_push(engines, *argv))
+            goto end;
    }

    if (sk_OPENSSL_CSTRING_num(engines) == 0) {
        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-            sk_OPENSSL_CSTRING_push(engines, ENGINE_get_id(e));
+            if (!sk_OPENSSL_CSTRING_push(engines, ENGINE_get_id(e)))
+                goto end;
        }
    }

--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@ -59,6 +59,7 @@ typedef enum OPTION_choice {
    OPT_SSHKDF_KEY_CHECK,
    OPT_SSKDF_KEY_CHECK,
    OPT_X963KDF_KEY_CHECK,
+    OPT_X942KDF_KEY_CHECK,
    OPT_NO_PBKDF2_LOWER_BOUND_CHECK,
    OPT_ECDH_COFACTOR_CHECK,
    OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
@ -128,6 +129,8 @@ const OPTIONS fipsinstall_options[] = {
     "Enable key check for SSKDF"},
    {"x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
     "Enable key check for X963KDF"},
+    {"x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
+     "Enable key check for X942KDF"},
    {"no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
     "Disable lower bound check for PBKDF2"},
    {"ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
@ -176,6 +179,7 @@ typedef struct {
    unsigned int sshkdf_key_check : 1;
    unsigned int sskdf_key_check : 1;
    unsigned int x963kdf_key_check : 1;
+    unsigned int x942kdf_key_check : 1;
    unsigned int pbkdf2_lower_bound_check : 1;
    unsigned int ecdh_cofactor_check : 1;
 } FIPS_OPTS;
@ -209,6 +213,7 @@ static const FIPS_OPTS pedantic_opts = {
    1,      /* sshkdf_key_check */
    1,      /* sskdf_key_check */
    1,      /* x963kdf_key_check */
+    1,      /* x942kdf_key_check */
    1,      /* pbkdf2_lower_bound_check */
    1,      /* ecdh_cofactor_check */
 };
@ -242,6 +247,7 @@ static FIPS_OPTS fips_opts = {
    0,      /* sshkdf_key_check */
    0,      /* sskdf_key_check */
    0,      /* x963kdf_key_check */
+    0,      /* x942kdf_key_check */
    1,      /* pbkdf2_lower_bound_check */
    0,      /* ecdh_cofactor_check */
 };
@ -278,7 +284,8 @@ err:
    return ret;
 }

-static int load_fips_prov_and_run_self_test(const char *prov_name)
+static int load_fips_prov_and_run_self_test(const char *prov_name,
+                                            int *is_fips_140_2_prov)
 {
    int ret = 0;
    OSSL_PROVIDER *prov = NULL;
@ -308,7 +315,16 @@ static int load_fips_prov_and_run_self_test(const char *prov_name)
            BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
        if (OSSL_PARAM_modified(params + 2))
            BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
+    } else {
+        *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
+                                             &vers, sizeof(vers));
+        *p = OSSL_PARAM_construct_end();
+        if (!OSSL_PROVIDER_get_params(prov, params)) {
+            BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
+            goto end;
+        }
    }
+    *is_fips_140_2_prov = (strncmp("3.0.", vers, 4) == 0);
    ret = 1;
 end:
    OSSL_PROVIDER_unload(prov);
@ -419,6 +435,8 @@ static int write_config_fips_section(BIO *out, const char *section,
                      opts->sskdf_key_check ? "1": "0") <= 0
        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
                      opts->x963kdf_key_check ? "1": "0") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X942KDF_KEY_CHECK,
+                      opts->x942kdf_key_check ? "1": "0") <= 0
        || BIO_printf(out, "%s = %s\n",
                      OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
                      opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
@ -428,7 +446,9 @@ static int write_config_fips_section(BIO *out, const char *section,
                      module_mac_len))
        goto end;

-    if (install_mac != NULL && install_mac_len > 0) {
+    if (install_mac != NULL
+            && install_mac_len > 0
+            && opts->self_test_onload == 0) {
        if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
                       install_mac_len)
            || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
@ -551,6 +571,7 @@ end:
 int fipsinstall_main(int argc, char **argv)
 {
    int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0;
+    int is_fips_140_2_prov = 0, set_selftest_onload_option = 0;
    const char *section_name = "fips_sect";
    const char *mac_name = "HMAC";
    const char *prov_name = "fips";
@ -676,6 +697,9 @@ int fipsinstall_main(int argc, char **argv)
        case OPT_X963KDF_KEY_CHECK:
            fips_opts.x963kdf_key_check = 1;
            break;
+        case OPT_X942KDF_KEY_CHECK:
+            fips_opts.x942kdf_key_check = 1;
+            break;
        case OPT_NO_PBKDF2_LOWER_BOUND_CHECK:
            if (!check_non_pedantic_fips(pedantic, "no_pbkdf2_lower_bound_check"))
                goto end;
@ -723,11 +747,13 @@ int fipsinstall_main(int argc, char **argv)
            verify = 1;
            break;
        case OPT_SELF_TEST_ONLOAD:
+            set_selftest_onload_option = 1;
            fips_opts.self_test_onload = 1;
            break;
        case OPT_SELF_TEST_ONINSTALL:
            if (!check_non_pedantic_fips(pedantic, "self_test_oninstall"))
                goto end;
+            set_selftest_onload_option = 1;
            fips_opts.self_test_onload = 0;
            break;
        }
@ -825,34 +851,43 @@ int fipsinstall_main(int argc, char **argv)
    if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
        goto end;

-    if (fips_opts.self_test_onload == 0) {
-        mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
-                                  strlen(INSTALL_STATUS_VAL));
-        if (mem_bio == NULL) {
-            BIO_printf(bio_err, "Unable to create memory BIO\n");
-            goto end;
-        }
-        if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
-            goto end;
-    } else {
-        install_mac_len = 0;
+    /* Calculate the MAC for the indicator status - it may not be used */
+    mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
+                              strlen(INSTALL_STATUS_VAL));
+    if (mem_bio == NULL) {
+        BIO_printf(bio_err, "Unable to create memory BIO\n");
+        goto end;
    }
+    if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
+        goto end;

    if (verify) {
+        if (fips_opts.self_test_onload == 1)
+            install_mac_len = 0;
        if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
                           install_mac, install_mac_len))
            goto end;
        if (!quiet)
            BIO_printf(bio_err, "VERIFY PASSED\n");
    } else {
-
        conf = generate_config_and_load(prov_name, section_name, module_mac,
                                        module_mac_len, &fips_opts);
        if (conf == NULL)
            goto end;
-        if (!load_fips_prov_and_run_self_test(prov_name))
+        if (!load_fips_prov_and_run_self_test(prov_name, &is_fips_140_2_prov))
            goto end;

+        /*
+         * In OpenSSL 3.1 the code was changed so that the status indicator is
+         * not written out by default since this is a FIPS 140-3 requirement.
+         * For backwards compatibility - if the detected FIPS provider is 3.0.X
+         * (Which was a FIPS 140-2 validation), then the indicator status will
+         * be written to the config file unless 'self_test_onload' is set on the
+         * command line.
+         */
+        if (set_selftest_onload_option == 0 && is_fips_140_2_prov)
+            fips_opts.self_test_onload = 0;
+
        fout =
            out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
                              : bio_open_default(out_fname, 'w', FORMAT_TEXT);
@ -860,6 +895,7 @@ int fipsinstall_main(int argc, char **argv)
            BIO_printf(bio_err, "Failed to open file\n");
            goto end;
        }
+
        if (!write_config_fips_section(fout, section_name,
                                       module_mac, module_mac_len, &fips_opts,
                                       install_mac, install_mac_len))
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -106,7 +106,7 @@ cleanup:
 int genpkey_main(int argc, char **argv)
 {
    CONF *conf = NULL;
-    BIO *in = NULL, *out = NULL, *outpubkey = NULL;
+    BIO *mem_out = NULL, *mem_outpubkey = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
@ -237,14 +237,16 @@ int genpkey_main(int argc, char **argv)
        goto end;
    }

-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
+    mem_out = BIO_new(BIO_s_mem());
+    if (mem_out == NULL)
        goto end;
+    BIO_set_mem_eof_return(mem_out, 0);

    if (outpubkeyfile != NULL) {
-        outpubkey = bio_open_owner(outpubkeyfile, outformat, private);
-        if (outpubkey == NULL)
+        mem_outpubkey = BIO_new(BIO_s_mem());
+        if (mem_outpubkey == NULL)
            goto end;
+        BIO_set_mem_eof_return(mem_outpubkey, 0);
    }

    if (verbose)
@ -257,17 +259,17 @@ int genpkey_main(int argc, char **argv)
        goto end;

    if (do_param) {
-        rv = PEM_write_bio_Parameters(out, pkey);
+        rv = PEM_write_bio_Parameters(mem_out, pkey);
    } else if (outformat == FORMAT_PEM) {
        assert(private);
-        rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
-        if (rv > 0 && outpubkey != NULL)
-           rv = PEM_write_bio_PUBKEY(outpubkey, pkey);
+        rv = PEM_write_bio_PrivateKey(mem_out, pkey, cipher, NULL, 0, NULL, pass);
+        if (rv > 0 && mem_outpubkey != NULL)
+            rv = PEM_write_bio_PUBKEY(mem_outpubkey, pkey);
    } else if (outformat == FORMAT_ASN1) {
        assert(private);
-        rv = i2d_PrivateKey_bio(out, pkey);
-        if (rv > 0 && outpubkey != NULL)
-           rv = i2d_PUBKEY_bio(outpubkey, pkey);
+        rv = i2d_PrivateKey_bio(mem_out, pkey);
+        if (rv > 0 && mem_outpubkey != NULL)
+            rv = i2d_PUBKEY_bio(mem_outpubkey, pkey);
    } else {
        BIO_printf(bio_err, "Bad format specified for key\n");
        goto end;
@ -282,9 +284,9 @@ int genpkey_main(int argc, char **argv)

    if (text) {
        if (do_param)
-            rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
+            rv = EVP_PKEY_print_params(mem_out, pkey, 0, NULL);
        else
-            rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
+            rv = EVP_PKEY_print_private(mem_out, pkey, 0, NULL);

        if (rv <= 0) {
            BIO_puts(bio_err, "Error printing key\n");
@ -294,14 +296,25 @@ int genpkey_main(int argc, char **argv)

 end:
    sk_OPENSSL_STRING_free(keyopt);
-    if (ret != 0)
+    if (ret != 0) {
        ERR_print_errors(bio_err);
+    } else {
+        if (mem_outpubkey != NULL) {
+            rv = mem_bio_to_file(mem_outpubkey, outpubkeyfile, outformat, private);
+            if (!rv)
+                BIO_printf(bio_err, "Error writing to outpubkey: '%s'. Error: %s\n", outpubkeyfile, strerror(errno));
+        }
+        if (mem_out != NULL) {
+            rv = mem_bio_to_file(mem_out, outfile, outformat, private);
+            if (!rv)
+                BIO_printf(bio_err, "Error writing to outfile: '%s'. Error: %s\n", outpubkeyfile, strerror(errno));
+        }
+    }
    EVP_PKEY_free(pkey);
    EVP_PKEY_CTX_free(ctx);
    EVP_CIPHER_free(cipher);
-    BIO_free_all(out);
-    BIO_free_all(outpubkey);
-    BIO_free(in);
+    BIO_free_all(mem_out);
+    BIO_free_all(mem_outpubkey);
    release_engine(e);
    OPENSSL_free(pass);
    NCONF_free(conf);
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -10,10 +10,8 @@
 #ifndef OSSL_APPS_H
 # define OSSL_APPS_H

-# include "internal/e_os.h" /* struct timeval for DTLS */
 # include "internal/common.h" /* for HAS_PREFIX */
 # include "internal/nelem.h"
-# include "internal/sockets.h" /* for openssl_fdset() */
 # include <assert.h>

 # include <stdarg.h>
@ -65,6 +63,7 @@ BIO *dup_bio_err(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
+int mem_bio_to_file(BIO *in, const char *filename, int format, int private);
 char *app_conf_try_string(const CONF *cnf, const char *group, const char *name);
 int app_conf_try_number(const CONF *conf, const char *group, const char *name,
                        long *result);
--- a/apps/include/cmp_mock_srv.h
+++ b/apps/include/cmp_mock_srv.h
@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Siemens AG 2018-2020
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
@ -22,6 +22,7 @@ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);

 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
+int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey);
 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl);
 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
                                    STACK_OF(X509) *chain);
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -295,6 +295,7 @@
 # define OPT_PROV_ENUM \
        OPT_PROV__FIRST=1600, \
        OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
+        OPT_PROV_PARAM, \
        OPT_PROV__LAST

 # define OPT_CONFIG_OPTION \
@ -304,12 +305,14 @@
        OPT_SECTION("Provider"), \
        { "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
        { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
+        { "provparam", OPT_PROV_PARAM, 's', "Set a provider key-value parameter" }, \
        { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }

 # define OPT_PROV_CASES \
        OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
        case OPT_PROV_PROVIDER: \
        case OPT_PROV_PROVIDER_PATH: \
+        case OPT_PROV_PARAM: \
        case OPT_PROV_PROPQUERY

 /*
--- a/apps/info.c
+++ b/apps/info.c
@ -14,7 +14,7 @@
 typedef enum OPTION_choice {
    OPT_COMMON,
    OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
-    OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS
+    OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS, OPT_WINDOWSCONTEXT
 } OPTION_CHOICE;

 const OPTIONS info_options[] = {
@ -32,6 +32,7 @@ const OPTIONS info_options[] = {
    {"listsep", OPT_LISTSEP, '-', "List separator character"},
    {"seeds", OPT_SEEDS, '-', "Seed sources"},
    {"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
+    {"windowscontext", OPT_WINDOWSCONTEXT, '-', "Windows install context"},
    {NULL}
 };

@ -85,6 +86,10 @@ opthelp:
            type = OPENSSL_INFO_CPU_SETTINGS;
            dirty++;
            break;
+        case OPT_WINDOWSCONTEXT:
+            type = OPENSSL_INFO_WINDOWS_CONTEXT;
+            dirty++;
+            break;
        }
    }
    if (!opt_check_rest_arg(NULL))
--- a/apps/lib/app_provider.c
+++ b/apps/lib/app_provider.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -8,6 +8,7 @@
 */

 #include "apps.h"
+#include <ctype.h>
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/provider.h>
@ -65,6 +66,78 @@ static int opt_provider_path(const char *path)
    return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
 }

+struct prov_param_st {
+    char *name;
+    char *key;
+    char *val;
+    int found;
+};
+
+static int set_prov_param(OSSL_PROVIDER *prov, void *vp)
+{
+    struct prov_param_st *p = (struct prov_param_st *)vp;
+
+    if (p->name != NULL && strcmp(OSSL_PROVIDER_get0_name(prov), p->name) != 0)
+        return 1;
+    p->found = 1;
+    return OSSL_PROVIDER_add_conf_parameter(prov, p->key, p->val);
+}
+
+static int opt_provider_param(const char *arg)
+{
+    struct prov_param_st p;
+    char *copy, *tmp;
+    int ret = 0;
+
+    if ((copy = OPENSSL_strdup(arg)) == NULL
+        || (p.val = strchr(copy, '=')) == NULL) {
+        opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
+                          opt_getprog(), arg);
+        goto end;
+    }
+
+    /* Drop whitespace on both sides of the '=' sign */
+    *(tmp = p.val++) = '\0';
+    while (tmp > copy && isspace(_UC(*--tmp)))
+        *tmp = '\0';
+    while (isspace(_UC(*p.val)))
+        ++p.val;
+
+    /*
+     * Split the key on ':', to get the optional provider, empty or missing
+     * means all.
+     */
+    if ((p.key = strchr(copy, ':')) != NULL) {
+        *p.key++ = '\0';
+        p.name = *copy != '\0' ? copy : NULL;
+    } else {
+        p.name = NULL;
+        p.key = copy;
+    }
+
+    /* The key must not be empty */
+    if (*p.key == '\0') {
+        opt_printf_stderr("%s: malformed '-provparam' option value: '%s'\n",
+                          opt_getprog(), arg);
+        goto end;
+    }
+
+    p.found = 0;
+    ret = OSSL_PROVIDER_do_all(app_get0_libctx(), set_prov_param, (void *)&p);
+    if (ret == 0) {
+        opt_printf_stderr("%s: Error setting provider '%s' parameter '%s'\n",
+                          opt_getprog(), p.name, p.key);
+    } else if (p.found == 0) {
+        opt_printf_stderr("%s: No provider named '%s' is loaded\n",
+                          opt_getprog(), p.name);
+        ret = 0;
+    }
+
+  end:
+    OPENSSL_free(copy);
+    return ret;
+}
+
 int opt_provider(int opt)
 {
    const int given = provider_option_given;
@ -78,6 +151,8 @@ int opt_provider(int opt)
        return app_provider_load(app_get0_libctx(), opt_arg());
    case OPT_PROV_PROVIDER_PATH:
        return opt_provider_path(opt_arg());
+    case OPT_PROV_PARAM:
+        return opt_provider_param(opt_arg());
    case OPT_PROV_PROPQUERY:
        return app_set_propq(opt_arg());
    }
--- a/apps/lib/app_rand.c
+++ b/apps/lib/app_rand.c
@ -7,6 +7,7 @@
 * https://www.openssl.org/source/license.html
 */

+#include "internal/e_os.h" /* LIST_SEPARATOR_CHAR */
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -48,6 +48,9 @@
 #include "s_apps.h"
 #include "apps.h"

+#include "internal/sockets.h" /* for openssl_fdset() */
+#include "internal/e_os.h"
+
 #ifdef _WIN32
 static int WIN32_rename(const char *from, const char *to);
 # define rename(from, to) WIN32_rename((from), (to))
@ -189,7 +192,11 @@ int set_nameopt(const char *arg)
 unsigned long get_nameopt(void)
 {
    return
-        nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT;
+        nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
+                              | ASN1_STRFLGS_ESC_CTRL
+                              | ASN1_STRFLGS_UTF8_CONVERT
+                              | ASN1_STRFLGS_DUMP_UNKNOWN
+                              | ASN1_STRFLGS_DUMP_DER;
 }

 void dump_cert_text(BIO *out, X509 *x)
@ -895,11 +902,15 @@ static const char *format2string(int format)
        return "PEM";
    case FORMAT_ASN1:
        return "DER";
+    case FORMAT_PVK:
+        return "PVK";
+    case FORMAT_MSBLOB:
+        return "MSBLOB";
    }
    return NULL;
 }

-/* Set type expectation, but clear it if objects of different types expected. */
+/* Set type expectation, but set to 0 if objects of multiple types expected. */
 #define SET_EXPECT(val) \
    (expect = expect < 0 ? (val) : (expect == (val) ? (val) : 0))
 #define SET_EXPECT1(pvar, val) \
@ -907,6 +918,7 @@ static const char *format2string(int format)
        *(pvar) = NULL; \
        SET_EXPECT(val); \
    }
+/* Provide (error msg) text for some of the credential types to be loaded. */
 #define FAIL_NAME \
    (ppkey != NULL ? "private key" : ppubkey != NULL ? "public key" :  \
     pparams != NULL ? "key parameters" :                              \
@ -914,7 +926,9 @@ static const char *format2string(int format)
     pcrl != NULL ? "CRL" : pcrls != NULL ? "CRLs" : NULL)
 /*
 * Load those types of credentials for which the result pointer is not NULL.
- * Reads from stdio if uri is NULL and maybe_stdin is nonzero.
+ * Reads from stdin if 'uri' is NULL and 'maybe_stdin' is nonzero.
+ * 'format' parameter may be FORMAT_PEM, FORMAT_ASN1, or 0 for no hint.
+ * desc may contain more detail on the credential(s) to be loaded for error msg
 * For non-NULL ppkey, pcert, and pcrl the first suitable value found is loaded.
 * If pcerts is non-NULL and *pcerts == NULL then a new cert list is allocated.
 * If pcerts is non-NULL then all available certificates are appended to *pcerts
@ -942,24 +956,38 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
    OSSL_PARAM itp[2];
    const OSSL_PARAM *params = NULL;

+    /* 'failed' describes type of credential to load for potential error msg */
    if (failed == NULL) {
        if (!quiet)
-            BIO_printf(bio_err, "Internal error: nothing to load from %s\n",
+            BIO_printf(bio_err, "Internal error: nothing was requested to load from %s\n",
                       uri != NULL ? uri : "<stdin>");
        return 0;
    }
+    /* suppress any extraneous errors left over from failed parse attempts */
    ERR_set_mark();

    SET_EXPECT1(ppkey, OSSL_STORE_INFO_PKEY);
    SET_EXPECT1(ppubkey, OSSL_STORE_INFO_PUBKEY);
    SET_EXPECT1(pparams, OSSL_STORE_INFO_PARAMS);
    SET_EXPECT1(pcert, OSSL_STORE_INFO_CERT);
+    /*
+     * Up to here, the follwing holds.
+     * If just one of the ppkey, ppubkey, pparams, and pcert function parameters
+     * is nonzero, expect > 0 indicates which type of credential is expected.
+     * If expect == 0, more than one of them is nonzero (multiple types expected).
+     */
+
    if (pcerts != NULL) {
        if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) {
            if (!quiet)
                BIO_printf(bio_err, "Out of memory loading");
            goto end;
        }
+        /*
+         * Adapt the 'expect' variable:
+         * set to OSSL_STORE_INFO_CERT if no other type is expected so far,
+         * otherwise set to 0 (indicating that multiple types are expected).
+         */
        SET_EXPECT(OSSL_STORE_INFO_CERT);
    }
    SET_EXPECT1(pcrl, OSSL_STORE_INFO_CRL);
@ -969,6 +997,11 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
                BIO_printf(bio_err, "Out of memory loading");
            goto end;
        }
+        /*
+         * Adapt the 'expect' variable:
+         * set to OSSL_STORE_INFO_CRL if no other type is expected so far,
+         * otherwise set to 0 (indicating that multiple types are expected).
+         */
        SET_EXPECT(OSSL_STORE_INFO_CRL);
    }

@ -1008,6 +1041,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
            BIO_printf(bio_err, "Could not open file or uri for loading");
        goto end;
    }
+    /* expect == 0 means here multiple types of credentials are to be loaded */
    if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) {
        if (!quiet)
            BIO_printf(bio_err, "Internal error trying to load");
@ -1015,6 +1049,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
    }

    failed = NULL;
+    /* from here, failed != NULL only if actually an error has been detected */
+
    while ((ppkey != NULL || ppubkey != NULL || pparams != NULL
            || pcert != NULL || pcerts != NULL || pcrl != NULL || pcrls != NULL)
           && !OSSL_STORE_eof(ctx)) {
@ -1084,7 +1120,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
            ncrls += ok;
            break;
        default:
-            /* skip any other type */
+            /* skip any other type; ok stays == 1 */
            break;
        }
        OSSL_STORE_INFO_free(info);
@ -1098,18 +1134,22 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,

 end:
    OSSL_STORE_close(ctx);
-    if (ncerts > 0)
-        pcerts = NULL;
-    if (ncrls > 0)
-        pcrls = NULL;
+
+    /* see if any of the requested types of credentials was not found */
    if (failed == NULL) {
+        if (ncerts > 0)
+            pcerts = NULL;
+        if (ncrls > 0)
+            pcrls = NULL;
        failed = FAIL_NAME;
        if (failed != NULL && !quiet)
            BIO_printf(bio_err, "Could not find");
    }
+
    if (failed != NULL && !quiet) {
        unsigned long err = ERR_peek_last_error();

+        /* continue the error message with the type of credential affected */
        if (desc != NULL && strstr(desc, failed) != NULL) {
            BIO_printf(bio_err, " %s", desc);
        } else {
@ -2184,7 +2224,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
        if (print)
            BIO_printf(bio, "Hostname %s does%s match certificate\n",
                       checkhost, valid_host == 1 ? "" : " NOT");
-        ret = ret && valid_host;
+        ret = ret && valid_host > 0;
    }

    if (checkemail != NULL) {
@ -2192,7 +2232,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
        if (print)
            BIO_printf(bio, "Email %s does%s match certificate\n",
                       checkemail, valid_mail ? "" : " NOT");
-        ret = ret && valid_mail;
+        ret = ret && valid_mail > 0;
    }

    if (checkip != NULL) {
@ -2200,7 +2240,7 @@ int check_cert_attributes(BIO *bio, X509 *x, const char *checkhost,
        if (print)
            BIO_printf(bio, "IP %s does%s match certificate\n",
                       checkip, valid_ip ? "" : " NOT");
-        ret = ret && valid_ip;
+        ret = ret && valid_ip > 0;
    }

    return ret;
@ -2483,18 +2523,24 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
    crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
    crl = load_crl_crldp(crldp);
    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-    if (!crl) {
-        sk_X509_CRL_free(crls);
-        return NULL;
-    }
-    sk_X509_CRL_push(crls, crl);
+
+    if (crl == NULL || !sk_X509_CRL_push(crls, crl))
+        goto error;
+
    /* Try to download delta CRL */
    crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
    crl = load_crl_crldp(crldp);
    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-    if (crl)
-        sk_X509_CRL_push(crls, crl);
+
+    if (crl != NULL && !sk_X509_CRL_push(crls, crl))
+        goto error;
+
    return crls;
+
+error:
+    X509_CRL_free(crl);
+    sk_X509_CRL_free(crls);
+    return NULL;
 }

 void store_setup_crl_download(X509_STORE *st)
@ -3193,6 +3239,32 @@ BIO *bio_open_default_quiet(const char *filename, char mode, int format)
    return bio_open_default_(filename, mode, format, 1);
 }

+int mem_bio_to_file(BIO *in, const char *filename, int format, int private)
+{
+    int rv = 0, ret = 0;
+    BIO *out = NULL;
+    BUF_MEM *mem_buffer = NULL;
+
+    rv = BIO_get_mem_ptr(in, &mem_buffer);
+    if (rv <= 0) {
+        BIO_puts(bio_err, "Error reading mem buffer\n");
+        goto end;
+    }
+    out = bio_open_owner(filename, format, private);
+    if (out == NULL)
+        goto end;
+    rv = BIO_write(out, mem_buffer->data, mem_buffer->length);
+    if (rv < 0 || (size_t)rv != mem_buffer->length)
+        BIO_printf(bio_err, "Error writing to output file: '%s'\n", filename);
+    else
+        ret = 1;
+end:
+    if (!ret)
+        ERR_print_errors(bio_err);
+    BIO_free_all(out);
+    return ret;
+}
+
 void wait_for_async(SSL *s)
 {
    /* On Windows select only works for sockets, so we simply don't wait  */
@ -3464,6 +3536,7 @@ int opt_legacy_okay(void)
 {
    int provider_options = opt_provider_option_given();
    int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+
    /*
     * Having a provider option specified or a custom library context or
     * property query, is a sure sign we're not using legacy.
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Siemens AG 2018-2020
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
@ -19,6 +19,7 @@
 typedef struct {
    X509 *refCert;             /* cert to expect for oldCertID in kur/rr msg */
    X509 *certOut;             /* certificate to be returned in cp/ip/kup msg */
+    EVP_PKEY *keyOut;          /* Private key to be returned for central keygen */
    X509_CRL *crlOut;          /* CRL to be returned in genp for crls */
    STACK_OF(X509) *chainOut;  /* chain of certOut to add to extraCerts field */
    STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
@ -87,6 +88,21 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
 DEFINE_OSSL_SET1_CERT(refCert)
 DEFINE_OSSL_SET1_CERT(certOut)

+int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
+{
+    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (pkey != NULL && !EVP_PKEY_up_ref(pkey))
+        return 0;
+    EVP_PKEY_free(ctx->keyOut);
+    ctx->keyOut = pkey;
+    return 1;
+}
+
 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
                                  X509_CRL *crl)
 {
@ -273,8 +289,9 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                            STACK_OF(X509) **caPubs)
 {
    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-    int bodytype;
+    int bodytype, central_keygen;
    OSSL_CMP_PKISI *si = NULL;
+    EVP_PKEY *keyOut = NULL;

    if (ctx == NULL || cert_req == NULL
            || certOut == NULL || chainOut == NULL || caPubs == NULL) {
@ -358,6 +375,23 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
            && (*certOut = X509_dup(ctx->certOut)) == NULL)
        /* Should return a cert produced from request template, see FR #16054 */
        goto err;
+
+    central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
+    if (central_keygen < 0)
+        goto err;
+    if (central_keygen == 1
+        && (ctx->keyOut == NULL
+            || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
+            || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
+                                          1 /* priv */, keyOut))) {
+        EVP_PKEY_free(keyOut);
+        goto err;
+    }
+    /*
+     * Note that this uses newPkey to return the private key
+     * and does not check whether the 'popo' field is absent.
+     */
+
    if (ctx->chainOut != NULL
            && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
        goto err;
--- a/apps/lib/engine_loader.c
+++ b/apps/lib/engine_loader.c
@ -14,6 +14,7 @@
 */
 #define OPENSSL_SUPPRESS_DEPRECATED

+#include "internal/e_os.h"
 #include "apps.h"

 #ifndef OPENSSL_NO_ENGINE
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@ -18,8 +18,10 @@
 #endif

 #include <ctype.h>
+#include "internal/e_os.h"
 #include "http_server.h"
-#include "internal/sockets.h"
+#include "internal/sockets.h" /* for openssl_fdset() */
+
 #include <openssl/err.h>
 #include <openssl/trace.h>
 #include <openssl/rand.h>
@ -202,8 +204,9 @@ BIO *http_server_init(const char *prog, const char *port, int verb)
        goto err;
    acbio = BIO_new(BIO_s_accept());
    if (acbio == NULL
-        || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
-        || BIO_set_accept_name(acbio, name) < 0) {
+        || BIO_set_accept_ip_family(acbio, BIO_FAMILY_IPANY) <= 0 /* IPv4/6 */
+        || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) <= 0
+        || BIO_set_accept_name(acbio, name) <= 0) {
        log_HTTP(prog, LOG_ERR, "error setting up accept BIO");
        goto err;
    }
--- a/apps/lib/names.c
+++ b/apps/lib/names.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -22,7 +22,8 @@ void collect_names(const char *name, void *vdata)
 {
    STACK_OF(OPENSSL_CSTRING) *names = vdata;

-    sk_OPENSSL_CSTRING_push(names, name);
+    /* A failure to push cannot be handled so we ignore the result. */
+    (void)sk_OPENSSL_CSTRING_push(names, name);
 }

 void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names)
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -243,10 +243,10 @@ static const char *get_sigtype(int nid)
        return "ECDSA";

    case NID_ED25519:
-        return "Ed25519";
+        return "ed25519";

    case NID_ED448:
-        return "Ed448";
+        return "ed448";

    case NID_id_GostR3410_2001:
        return "gost2001";
@ -292,6 +292,26 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
            SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
        if (i)
            BIO_puts(out, ":");
+        switch (rsign | rhash << 8) {
+        case 0x0809:
+            BIO_puts(out, "rsa_pss_pss_sha256");
+            continue;
+        case 0x080a:
+            BIO_puts(out, "rsa_pss_pss_sha384");
+            continue;
+        case 0x080b:
+            BIO_puts(out, "rsa_pss_pss_sha512");
+            continue;
+        case 0x081a:
+            BIO_puts(out, "ecdsa_brainpoolP256r1_sha256");
+            continue;
+        case 0x081b:
+            BIO_puts(out, "ecdsa_brainpoolP384r1_sha384");
+            continue;
+        case 0x081c:
+            BIO_puts(out, "ecdsa_brainpoolP512r1_sha512");
+            continue;
+        }
        sstr = get_sigtype(sign_nid);
        if (sstr)
            BIO_printf(out, "%s", sstr);
@ -396,16 +416,28 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)

 int ssl_print_tmp_key(BIO *out, SSL *s)
 {
+    const char *keyname;
    EVP_PKEY *key;

-    if (!SSL_get_peer_tmp_key(s, &key))
+    if (!SSL_get_peer_tmp_key(s, &key)) {
+        if (SSL_version(s) == TLS1_3_VERSION)
+            BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
+                       SSL_group_to_name(s, SSL_get_negotiated_group(s)));
        return 1;
-    BIO_puts(out, "Server Temp Key: ");
+    }
+
+    BIO_puts(out, "Peer Temp Key: ");
    switch (EVP_PKEY_get_id(key)) {
    case EVP_PKEY_RSA:
        BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_get_bits(key));
        break;

+    case EVP_PKEY_KEYMGMT:
+        if ((keyname = EVP_PKEY_get0_type_name(key)) == NULL)
+            keyname = "?";
+        BIO_printf(out, "%s\n", keyname);
+        break;
+
    case EVP_PKEY_DH:
        BIO_printf(out, "DH, %d bits\n", EVP_PKEY_get_bits(key));
        break;
@ -1274,6 +1306,7 @@ void print_verify_detail(SSL *s, BIO *bio)

 void print_ssl_summary(SSL *s)
 {
+    const char *sigalg;
    const SSL_CIPHER *c;
    X509 *peer = SSL_get0_peer_certificate(s);
    EVP_PKEY *peer_rpk = SSL_get0_peer_rpk(s);
@ -1291,13 +1324,13 @@ void print_ssl_summary(SSL *s)
        BIO_puts(bio_err, "\n");
        if (SSL_get_peer_signature_nid(s, &nid))
            BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
-        if (SSL_get_peer_signature_type_nid(s, &nid))
-            BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
+        if (SSL_get0_peer_signature_name(s, &sigalg))
+            BIO_printf(bio_err, "Signature type: %s\n", sigalg);
        print_verify_detail(s, bio_err);
    } else if (peer_rpk != NULL) {
        BIO_printf(bio_err, "Peer used raw public key\n");
-        if (SSL_get_peer_signature_type_nid(s, &nid))
-            BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
+        if (SSL_get0_peer_signature_name(s, &sigalg))
+            BIO_printf(bio_err, "Signature type: %s\n", sigalg);
        print_verify_detail(s, bio_err);
    } else {
        BIO_puts(bio_err, "No peer certificate or raw public key\n");
@ -1306,12 +1339,8 @@ void print_ssl_summary(SSL *s)
    ssl_print_point_formats(bio_err, s);
    if (SSL_is_server(s))
        ssl_print_groups(bio_err, s, 1);
-    else
-        ssl_print_tmp_key(bio_err, s);
-#else
-    if (!SSL_is_server(s))
-        ssl_print_tmp_key(bio_err, s);
 #endif
+    ssl_print_tmp_key(bio_err, s);
 }

 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
--- a/apps/lib/s_socket.c
+++ b/apps/lib/s_socket.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -37,9 +37,10 @@ typedef unsigned int u_int;

 #ifndef OPENSSL_NO_SOCK

+# include "internal/e_os.h"
 # include "apps.h"
 # include "s_apps.h"
-# include "internal/sockets.h"
+# include "internal/sockets.h" /* for openssl_fdset() */

 # include <openssl/bio.h>
 # include <openssl/err.h>
@ -410,6 +411,12 @@ int do_server(int *accept_sock, const char *host, const char *port,
                BIO_closesocket(asock);
                break;
            }
+
+            if (naccept != -1)
+                naccept--;
+            if (naccept == 0)
+                BIO_closesocket(asock);
+
            BIO_set_tcp_ndelay(sock, 1);
            i = (*cb)(sock, type, protocol, context);

@ -440,11 +447,12 @@ int do_server(int *accept_sock, const char *host, const char *port,

            BIO_closesocket(sock);
        } else {
+            if (naccept != -1)
+                naccept--;
+
            i = (*cb)(asock, type, protocol, context);
        }

-        if (naccept != -1)
-            naccept--;
        if (i < 0 || naccept == 0) {
            BIO_closesocket(asock);
            ret = i;
--- a/apps/lib/vms_term_sock.c
+++ b/apps/lib/vms_term_sock.c
@ -353,7 +353,7 @@ static int CreateSocketPair (int SocketFamily,
    /*
    ** Get the binary (64-bit) time of the specified timeout value
    */
-    sprintf (AscTimeBuff, "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
+    BIO_snprintf(AscTimeBuff, sizeof(AscTimeBuff), "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
    AscTimeDesc.dsc$w_length = strlen (AscTimeBuff);
    AscTimeDesc.dsc$a_pointer = AscTimeBuff;
    status = sys$bintim (&AscTimeDesc, BinTimeBuff);
@ -567,10 +567,10 @@ static void LogMessage (char *msg, ...)
    /*
    ** Format the message buffer
    */
-    sprintf (MsgBuff, "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
-             LocTime->tm_mday, Month[LocTime->tm_mon],
-             (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
-             LocTime->tm_sec, pid, msg);
+    BIO_snprintf(MsgBuff, sizeof(MsgBuff), "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
+                 LocTime->tm_mday, Month[LocTime->tm_mon],
+                 (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
+                 LocTime->tm_sec, pid, msg);

    /*
    ** Get any variable arguments and add them to the print of the message
--- a/apps/list.c
+++ b/apps/list.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -10,6 +10,8 @@
 /* We need to use some deprecated APIs */
 #define OPENSSL_SUPPRESS_DEPRECATED

+#include "internal/e_os.h"
+
 #include <string.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -21,6 +23,8 @@
 #include <openssl/store.h>
 #include <openssl/core_names.h>
 #include <openssl/rand.h>
+#include <openssl/safestack.h>
+#include <openssl/ssl.h>
 #include <openssl/tls1.h>
 #include "apps.h"
 #include "app_params.h"
@ -54,6 +58,7 @@ IS_FETCHABLE(mac, EVP_MAC)
 IS_FETCHABLE(kdf, EVP_KDF)
 IS_FETCHABLE(rand, EVP_RAND)
 IS_FETCHABLE(keymgmt, EVP_KEYMGMT)
+IS_FETCHABLE(skeymgmt, EVP_SKEYMGMT)
 IS_FETCHABLE(signature, EVP_SIGNATURE)
 IS_FETCHABLE(kem, EVP_KEM)
 IS_FETCHABLE(asym_cipher, EVP_ASYM_CIPHER)
@ -99,8 +104,9 @@ static void collect_ciphers(EVP_CIPHER *cipher, void *stack)
    STACK_OF(EVP_CIPHER) *cipher_stack = stack;

    if (is_cipher_fetchable(cipher)
-            && sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)
-        EVP_CIPHER_up_ref(cipher);
+            && EVP_CIPHER_up_ref(cipher)
+            && sk_EVP_CIPHER_push(cipher_stack, cipher) <= 0)
+        EVP_CIPHER_free(cipher); /* up-ref successful but push to stack failed */
 }

 static void list_ciphers(const char *prefix)
@ -183,8 +189,9 @@ static void collect_digests(EVP_MD *digest, void *stack)
    STACK_OF(EVP_MD) *digest_stack = stack;

    if (is_digest_fetchable(digest)
-            && sk_EVP_MD_push(digest_stack, digest) > 0)
-        EVP_MD_up_ref(digest);
+            && EVP_MD_up_ref(digest)
+            && sk_EVP_MD_push(digest_stack, digest) <= 0)
+        EVP_MD_free(digest); /* up-ref successful but push to stack failed */
 }

 static void list_digests(const char *prefix)
@ -315,8 +322,9 @@ static void collect_kdfs(EVP_KDF *kdf, void *stack)
    STACK_OF(EVP_KDF) *kdf_stack = stack;

    if (is_kdf_fetchable(kdf)
-            && sk_EVP_KDF_push(kdf_stack, kdf) > 0)
-        EVP_KDF_up_ref(kdf);
+            && EVP_KDF_up_ref(kdf)
+            && sk_EVP_KDF_push(kdf_stack, kdf) <= 0)
+        EVP_KDF_free(kdf); /* up-ref successful but push to stack failed */
 }

 static void list_kdfs(void)
@ -385,8 +393,9 @@ static void collect_rands(EVP_RAND *rand, void *stack)
    STACK_OF(EVP_RAND) *rand_stack = stack;

    if (is_rand_fetchable(rand)
-            && sk_EVP_RAND_push(rand_stack, rand) > 0)
-        EVP_RAND_up_ref(rand);
+            && EVP_RAND_up_ref(rand)
+            && sk_EVP_RAND_push(rand_stack, rand) <= 0)
+        EVP_RAND_free(rand); /* up-ref successful but push to stack failed */
 }

 static void list_random_generators(void)
@ -511,8 +520,9 @@ static void collect_encoders(OSSL_ENCODER *encoder, void *stack)
    STACK_OF(OSSL_ENCODER) *encoder_stack = stack;

    if (is_encoder_fetchable(encoder)
-            && sk_OSSL_ENCODER_push(encoder_stack, encoder) > 0)
-        OSSL_ENCODER_up_ref(encoder);
+            && OSSL_ENCODER_up_ref(encoder)
+            && sk_OSSL_ENCODER_push(encoder_stack, encoder) <= 0)
+        OSSL_ENCODER_free(encoder); /* up-ref successful but push to stack failed */
 }

 static void list_encoders(void)
@ -576,8 +586,9 @@ static void collect_decoders(OSSL_DECODER *decoder, void *stack)
    STACK_OF(OSSL_DECODER) *decoder_stack = stack;

    if (is_decoder_fetchable(decoder)
-            && sk_OSSL_DECODER_push(decoder_stack, decoder) > 0)
-        OSSL_DECODER_up_ref(decoder);
+            && OSSL_DECODER_up_ref(decoder)
+            && sk_OSSL_DECODER_push(decoder_stack, decoder) <= 0)
+        OSSL_DECODER_free(decoder); /* up-ref successful but push to stack failed */
 }

 static void list_decoders(void)
@ -638,8 +649,9 @@ static void collect_keymanagers(EVP_KEYMGMT *km, void *stack)
    STACK_OF(EVP_KEYMGMT) *km_stack = stack;

    if (is_keymgmt_fetchable(km)
-            && sk_EVP_KEYMGMT_push(km_stack, km) > 0)
-        EVP_KEYMGMT_up_ref(km);
+            && EVP_KEYMGMT_up_ref(km)
+            && sk_EVP_KEYMGMT_push(km_stack, km) <= 0)
+        EVP_KEYMGMT_free(km); /* up-ref successful but push to stack failed */
 }

 static void list_keymanagers(void)
@ -688,6 +700,61 @@ static void list_keymanagers(void)
    sk_EVP_KEYMGMT_pop_free(km_stack, EVP_KEYMGMT_free);
 }

+DEFINE_STACK_OF(EVP_SKEYMGMT)
+static int skeymanager_cmp(const EVP_SKEYMGMT * const *a,
+                           const EVP_SKEYMGMT * const *b)
+{
+    return strcmp(OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(*a)),
+                  OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(*b)));
+}
+
+static void collect_skeymanagers(EVP_SKEYMGMT *km, void *stack)
+{
+    STACK_OF(EVP_SKEYMGMT) *km_stack = stack;
+
+    if (is_skeymgmt_fetchable(km)
+            && sk_EVP_SKEYMGMT_push(km_stack, km) > 0)
+        EVP_SKEYMGMT_up_ref(km);
+}
+
+static void list_skeymanagers(void)
+{
+    int i;
+    STACK_OF(EVP_SKEYMGMT) *km_stack = sk_EVP_SKEYMGMT_new(skeymanager_cmp);
+
+    EVP_SKEYMGMT_do_all_provided(app_get0_libctx(), collect_skeymanagers,
+                                 km_stack);
+    sk_EVP_SKEYMGMT_sort(km_stack);
+
+    for (i = 0; i < sk_EVP_SKEYMGMT_num(km_stack); i++) {
+        EVP_SKEYMGMT *k = sk_EVP_SKEYMGMT_value(km_stack, i);
+        STACK_OF(OPENSSL_CSTRING) *names = NULL;
+
+        if (select_name != NULL && !EVP_SKEYMGMT_is_a(k, select_name))
+            continue;
+
+        names = sk_OPENSSL_CSTRING_new(name_cmp);
+        if (names != NULL && EVP_SKEYMGMT_names_do_all(k, collect_names, names)) {
+            const char *desc = EVP_SKEYMGMT_get0_description(k);
+
+            BIO_printf(bio_out, "  Name: ");
+            if (desc != NULL)
+                BIO_printf(bio_out, "%s", desc);
+            else
+                BIO_printf(bio_out, "%s", sk_OPENSSL_CSTRING_value(names, 0));
+            BIO_printf(bio_out, "\n");
+            BIO_printf(bio_out, "    Type: Provider Algorithm\n");
+            BIO_printf(bio_out, "    IDs: ");
+            print_names(bio_out, names);
+            BIO_printf(bio_out, " @ %s\n",
+                       OSSL_PROVIDER_get0_name(EVP_SKEYMGMT_get0_provider(k)));
+
+        }
+        sk_OPENSSL_CSTRING_free(names);
+    }
+    sk_EVP_SKEYMGMT_pop_free(km_stack, EVP_SKEYMGMT_free);
+}
+
 DEFINE_STACK_OF(EVP_SIGNATURE)
 static int signature_cmp(const EVP_SIGNATURE * const *a,
                         const EVP_SIGNATURE * const *b)
@ -701,8 +768,9 @@ static void collect_signatures(EVP_SIGNATURE *sig, void *stack)
    STACK_OF(EVP_SIGNATURE) *sig_stack = stack;

    if (is_signature_fetchable(sig)
-            && sk_EVP_SIGNATURE_push(sig_stack, sig) > 0)
-        EVP_SIGNATURE_up_ref(sig);
+            && EVP_SIGNATURE_up_ref(sig)
+            && sk_EVP_SIGNATURE_push(sig_stack, sig) <= 0)
+        EVP_SIGNATURE_free(sig); /* up-ref successful but push to stack failed */
 }

 static void list_signatures(void)
@ -774,6 +842,42 @@ static int list_tls_sigalg_caps(OSSL_PROVIDER *provider, void *cbdata)
    return 1;
 }

+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+static void list_tls_groups(int version, int all)
+{
+    SSL_CTX *ctx = NULL;
+    STACK_OF(OPENSSL_CSTRING) *groups;
+    size_t i, num;
+
+    if ((groups = sk_OPENSSL_CSTRING_new_null()) == NULL) {
+        BIO_printf(bio_err, "ERROR: Memory allocation\n");
+        return;
+    }
+    if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
+        BIO_printf(bio_err, "ERROR: Memory allocation\n");
+        goto err;
+    }
+    if (!SSL_CTX_set_min_proto_version(ctx, version)
+        || !SSL_CTX_set_max_proto_version(ctx, version)) {
+        BIO_printf(bio_err, "ERROR: setting TLS protocol version\n");
+        goto err;
+    }
+    if (!SSL_CTX_get0_implemented_groups(ctx, all, groups)) {
+        BIO_printf(bio_err, "ERROR: getting implemented TLS group list\n");
+        goto err;
+    }
+    num = sk_OPENSSL_CSTRING_num(groups);
+    for (i = 0; i < num; ++i) {
+        BIO_printf(bio_out, "%s%c", sk_OPENSSL_CSTRING_value(groups, i),
+                   (i < num - 1) ? ':' : '\n');
+    }
+  err:
+    SSL_CTX_free(ctx);
+    sk_OPENSSL_CSTRING_free(groups);
+    return;
+}
+#endif
+
 static void list_tls_signatures(void)
 {
    int tls_sigalg_listed = 0;
@ -787,8 +891,9 @@ static void list_tls_signatures(void)
        OPENSSL_free(builtin_sigalgs);
    }

-    /* As built-in providers don't have this capability, never error */
-    OSSL_PROVIDER_do_all(NULL, list_tls_sigalg_caps, &tls_sigalg_listed);
+    if (!OSSL_PROVIDER_do_all(NULL, list_tls_sigalg_caps, &tls_sigalg_listed))
+        BIO_printf(bio_err,
+                   "ERROR: could not list all provider signature algorithms\n");
    if (tls_sigalg_listed < 2)
        BIO_printf(bio_out,
                   "\nNo TLS sig algs registered by currently active providers");
@ -808,8 +913,9 @@ static void collect_kem(EVP_KEM *kem, void *stack)
    STACK_OF(EVP_KEM) *kem_stack = stack;

    if (is_kem_fetchable(kem)
-            && sk_EVP_KEM_push(kem_stack, kem) > 0)
-        EVP_KEM_up_ref(kem);
+            && EVP_KEM_up_ref(kem)
+            && sk_EVP_KEM_push(kem_stack, kem) <= 0)
+        EVP_KEM_free(kem); /* up-ref successful but push to stack failed */
 }

 static void list_kems(void)
@ -867,8 +973,9 @@ static void collect_asymciph(EVP_ASYM_CIPHER *asym_cipher, void *stack)
    STACK_OF(EVP_ASYM_CIPHER) *asym_cipher_stack = stack;

    if (is_asym_cipher_fetchable(asym_cipher)
-            && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) > 0)
-        EVP_ASYM_CIPHER_up_ref(asym_cipher);
+            && EVP_ASYM_CIPHER_up_ref(asym_cipher)
+            && sk_EVP_ASYM_CIPHER_push(asym_cipher_stack, asym_cipher) <= 0)
+        EVP_ASYM_CIPHER_free(asym_cipher); /* up-ref successful but push to stack failed */
 }

 static void list_asymciphers(void)
@ -929,8 +1036,9 @@ static void collect_kex(EVP_KEYEXCH *kex, void *stack)
    STACK_OF(EVP_KEYEXCH) *kex_stack = stack;

    if (is_keyexch_fetchable(kex)
-            && sk_EVP_KEYEXCH_push(kex_stack, kex) > 0)
-        EVP_KEYEXCH_up_ref(kex);
+            && EVP_KEYEXCH_up_ref(kex)
+            && sk_EVP_KEYEXCH_push(kex_stack, kex) <= 0)
+        EVP_KEYEXCH_free(kex); /* up-ref successful but push to stack failed */
 }

 static void list_keyexchanges(void)
@ -1209,8 +1317,9 @@ static void collect_store_loaders(OSSL_STORE_LOADER *store, void *stack)
 {
    STACK_OF(OSSL_STORE_LOADER) *store_stack = stack;

-    if (sk_OSSL_STORE_LOADER_push(store_stack, store) > 0)
-        OSSL_STORE_LOADER_up_ref(store);
+    if (OSSL_STORE_LOADER_up_ref(store)
+            && sk_OSSL_STORE_LOADER_push(store_stack, store) <= 0)
+        OSSL_STORE_LOADER_free(store); /* up-ref successful but push to stack failed */
 }

 static void list_store_loaders(void)
@ -1508,10 +1617,20 @@ typedef enum HELPLIST_CHOICE {
    OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_DISABLED,
    OPT_KDF_ALGORITHMS, OPT_RANDOM_INSTANCES, OPT_RANDOM_GENERATORS,
    OPT_ENCODERS, OPT_DECODERS, OPT_KEYMANAGERS, OPT_KEYEXCHANGE_ALGORITHMS,
+    OPT_SKEYMANAGERS,
    OPT_KEM_ALGORITHMS, OPT_SIGNATURE_ALGORITHMS,
    OPT_TLS_SIGNATURE_ALGORITHMS, OPT_ASYM_CIPHER_ALGORITHMS,
    OPT_STORE_LOADERS, OPT_PROVIDER_INFO, OPT_OBJECTS,
    OPT_SELECT_NAME,
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+    OPT_ALL_TLS_GROUPS, OPT_TLS_GROUPS,
+# if !defined(OPENSSL_NO_TLS1_2)
+    OPT_TLS1_2,
+# endif
+# if !defined(OPENSSL_NO_TLS1_3)
+    OPT_TLS1_3,
+# endif
+#endif
 #ifndef OPENSSL_NO_DEPRECATED_3_0
    OPT_ENGINES,
 #endif
@ -1553,6 +1672,7 @@ const OPTIONS list_options[] = {
    {"encoders", OPT_ENCODERS, '-', "List of encoding methods" },
    {"decoders", OPT_DECODERS, '-', "List of decoding methods" },
    {"key-managers", OPT_KEYMANAGERS, '-', "List of key managers" },
+    {"skey-managers", OPT_SKEYMANAGERS, '-', "List of symmetric key managers" },
    {"key-exchange-algorithms", OPT_KEYEXCHANGE_ALGORITHMS, '-',
     "List of key exchange algorithms" },
    {"kem-algorithms", OPT_KEM_ALGORITHMS, '-',
@ -1569,6 +1689,20 @@ const OPTIONS list_options[] = {
     "List of public key methods"},
    {"store-loaders", OPT_STORE_LOADERS, '-',
     "List of store loaders"},
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+    {"tls-groups", OPT_TLS_GROUPS, '-',
+     "List implemented TLS key exchange 'groups'" },
+    {"all-tls-groups", OPT_ALL_TLS_GROUPS, '-',
+     "List implemented TLS key exchange 'groups' and all aliases" },
+# ifndef OPENSSL_NO_TLS1_2
+    {"tls1_2", OPT_TLS1_2, '-',
+     "When listing 'groups', list those compatible with TLS1.2"},
+# endif
+# ifndef OPENSSL_NO_TLS1_3
+    {"tls1_3", OPT_TLS1_3, '-',
+     "When listing 'groups', list those compatible with TLS1.3"},
+# endif
+#endif
    {"providers", OPT_PROVIDER_INFO, '-',
     "List of provider information"},
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@ -1591,6 +1725,14 @@ int list_main(int argc, char **argv)
    HELPLIST_CHOICE o;
    int one = 0, done = 0;
    int print_newline = 0;
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+    int all_tls_groups = 0;
+# if !defined(OPENSSL_NO_TLS1_3)
+    unsigned int tls_version = TLS1_3_VERSION;
+# else
+    unsigned int tls_version = TLS1_2_VERSION;
+# endif
+#endif
    struct {
        unsigned int commands:1;
        unsigned int all_algorithms:1;
@ -1605,10 +1747,12 @@ int list_main(int argc, char **argv)
        unsigned int encoder_algorithms:1;
        unsigned int decoder_algorithms:1;
        unsigned int keymanager_algorithms:1;
+        unsigned int skeymanager_algorithms:1;
        unsigned int signature_algorithms:1;
        unsigned int tls_signature_algorithms:1;
        unsigned int keyexchange_algorithms:1;
        unsigned int kem_algorithms:1;
+        unsigned int tls_groups:1;
        unsigned int asym_cipher_algorithms:1;
        unsigned int pk_algorithms:1;
        unsigned int pk_method:1;
@ -1677,6 +1821,9 @@ opthelp:
        case OPT_KEYMANAGERS:
            todo.keymanager_algorithms = 1;
            break;
+        case OPT_SKEYMANAGERS:
+            todo.skeymanager_algorithms = 1;
+            break;
        case OPT_SIGNATURE_ALGORITHMS:
            todo.signature_algorithms = 1;
            break;
@ -1689,6 +1836,25 @@ opthelp:
        case OPT_KEM_ALGORITHMS:
            todo.kem_algorithms = 1;
            break;
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+        case OPT_TLS_GROUPS:
+            todo.tls_groups = 1;
+            break;
+        case OPT_ALL_TLS_GROUPS:
+            all_tls_groups = 1;
+            todo.tls_groups = 1;
+            break;
+# if !defined(OPENSSL_NO_TLS1_2)
+        case OPT_TLS1_2:
+            tls_version = TLS1_2_VERSION;
+            break;
+# endif
+# if !defined(OPENSSL_NO_TLS1_3)
+        case OPT_TLS1_3:
+            tls_version = TLS1_3_VERSION;
+            break;
+# endif
+#endif
        case OPT_ASYM_CIPHER_ALGORITHMS:
            todo.asym_cipher_algorithms = 1;
            break;
@ -1798,6 +1964,8 @@ opthelp:
        MAYBE_ADD_NL(list_decoders());
    if (todo.keymanager_algorithms)
        MAYBE_ADD_NL(list_keymanagers());
+    if (todo.skeymanager_algorithms)
+        MAYBE_ADD_NL(list_skeymanagers());
    if (todo.signature_algorithms)
        MAYBE_ADD_NL(list_signatures());
    if (todo.tls_signature_algorithms)
@ -1808,6 +1976,10 @@ opthelp:
        MAYBE_ADD_NL(list_keyexchanges());
    if (todo.kem_algorithms)
        MAYBE_ADD_NL(list_kems());
+#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+    if (todo.tls_groups)
+        MAYBE_ADD_NL(list_tls_groups(tls_version, all_tls_groups));
+#endif
    if (todo.pk_algorithms)
        MAYBE_ADD_NL(list_pkey());
    if (todo.pk_method)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -553,10 +553,6 @@ int ocsp_main(int argc, char **argv)
        && respin == NULL && !(port != NULL && ridx_filename != NULL))
        goto opthelp;

-    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
-    if (out == NULL)
-        goto end;
-
    if (req == NULL && (add_nonce != 2))
        add_nonce = 0;

@ -709,6 +705,10 @@ redo_accept:
        }
    }

+    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
+    if (out == NULL)
+        goto end;
+
    if (req_text && req != NULL)
        OCSP_REQUEST_print(out, req, 0);

@ -1049,6 +1049,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
    }

    bs = OCSP_BASICRESP_new();
+    if (bs == NULL) {
+        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
+        goto end;
+    }
    thisupd = X509_gmtime_adj(NULL, 0);
    if (ndays != -1)
        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@ -342,8 +342,8 @@ path = pkix/

 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
-ignore_keyusage = 1 # potentially needed quirk
-unprotected_errors = 1 # potentially needed quirk
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
 extracertsout = insta.extracerts.pem

 # Client authentication
--- a/apps/openssl.c
+++ b/apps/openssl.c
@ -7,6 +7,8 @@
 * https://www.openssl.org/source/license.html
 */

+#include "internal/e_os.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include "internal/common.h"
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@ -342,8 +342,8 @@ path = pkix/

 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
-ignore_keyusage = 1 # potentially needed quirk
-unprotected_errors = 1 # potentially needed quirk
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
 extracertsout = insta.extracerts.pem

 # Client authentication
--- a/apps/passwd.c
+++ b/apps/passwd.c
@ -369,8 +369,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
    if (magic_len > 0)
        salt_out += 2 + magic_len;

-    if (salt_len > 8)
-        goto err;
+    assert(salt_len <= 8);

    md = EVP_MD_CTX_new();
    if (md == NULL
@ -589,7 +588,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
    OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
    if (rounds_custom) {
        char tmp_buf[80]; /* "rounds=999999999" */
-        sprintf(tmp_buf, "rounds=%u", rounds);
+
+        BIO_snprintf(tmp_buf, sizeof(tmp_buf), "rounds=%u", rounds);
 #ifdef CHARSET_EBCDIC
        /* In case we're really on a ASCII based platform and just pretend */
        if (tmp_buf[0] != 0x72)  /* ASCII 'r' */
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -328,7 +328,8 @@ int pkcs12_main(int argc, char **argv)
            if (canames == NULL
                && (canames = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            sk_OPENSSL_STRING_push(canames, opt_arg());
+            if (sk_OPENSSL_STRING_push(canames, opt_arg()) <= 0)
+                goto end;
            break;
        case OPT_IN:
            infile = opt_arg();
@ -799,16 +800,20 @@ int pkcs12_main(int argc, char **argv)
                BIO_printf(bio_err, ", Unsupported KDF or params for PBMAC1\n");
            } else {
                const ASN1_OBJECT *prfobj;
+                int prfnid;

                BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n",
                           ASN1_INTEGER_get(pbkdf2_param->iter));
                BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n",
                           ASN1_INTEGER_get(pbkdf2_param->keylength),
                           ASN1_STRING_length(pbkdf2_param->salt->value.octet_string));
-                X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf);
-                BIO_printf(bio_err, "PBKDF2 PRF: ");
-                i2a_ASN1_OBJECT(bio_err, prfobj);
-                BIO_printf(bio_err, "\n");
+                if (pbkdf2_param->prf == NULL) {
+                    prfnid = NID_hmacWithSHA1;
+                } else {
+                    X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf);
+                    prfnid = OBJ_obj2nid(prfobj);
+                }
+                BIO_printf(bio_err, "PBKDF2 PRF: %s\n", OBJ_nid2sn(prfnid));
            }
            PBKDF2PARAM_free(pbkdf2_param);
        } else {
@ -825,6 +830,12 @@ int pkcs12_main(int argc, char **argv)
        const ASN1_OBJECT *macobj;

        PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
+
+        if (macalgid == NULL) {
+            BIO_printf(bio_err, "Warning: MAC is absent!\n");
+            goto dump;
+        }
+
        X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);

        if (OBJ_obj2nid(macobj) != NID_pbmac1) {
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@ -227,9 +227,6 @@ int pkcs8_main(int argc, char **argv)
                          informat == FORMAT_UNDEF ? FORMAT_PEM : informat);
    if (in == NULL)
        goto end;
-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;

    if (topk8) {
        pkey = load_key(infile, informat, 1, passin, e, "key");
@ -240,6 +237,8 @@ int pkcs8_main(int argc, char **argv)
            ERR_print_errors(bio_err);
            goto end;
        }
+        if ((out = bio_open_owner(outfile, outformat, private)) == NULL)
+            goto end;
        if (nocrypt) {
            assert(private);
            if (outformat == FORMAT_PEM) {
@ -361,6 +360,9 @@ int pkcs8_main(int argc, char **argv)
    }

    assert(private);
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
    if (outformat == FORMAT_PEM) {
        if (traditional)
            PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0,
--- a/apps/pkey.c
+++ b/apps/pkey.c
@ -208,10 +208,6 @@ int pkey_main(int argc, char **argv)
        goto end;
    }

-    out = bio_open_owner(outfile, outformat, private);
-    if (out == NULL)
-        goto end;
-
    if (pubin)
        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
    else
@ -219,6 +215,10 @@ int pkey_main(int argc, char **argv)
    if (pkey == NULL)
        goto end;

+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
+
 #ifndef OPENSSL_NO_EC
    if (asn1_encoding != NULL || point_format != NULL) {
        OSSL_PARAM params[3], *p = params;
--- a/apps/pkeyparam.c
+++ b/apps/pkeyparam.c
@ -97,9 +97,6 @@ int pkeyparam_main(int argc, char **argv)
    in = bio_open_default(infile, 'r', FORMAT_PEM);
    if (in == NULL)
        goto end;
-    out = bio_open_default(outfile, 'w', FORMAT_PEM);
-    if (out == NULL)
-        goto end;
    pkey = PEM_read_bio_Parameters_ex(in, NULL, app_get0_libctx(),
                                      app_get0_propq());
    if (pkey == NULL) {
@ -107,6 +104,9 @@ int pkeyparam_main(int argc, char **argv)
        ERR_print_errors(bio_err);
        goto end;
    }
+    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+    if (out == NULL)
+        goto end;

    if (check) {
        if (e == NULL)
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -20,12 +20,15 @@
 #define KEY_PUBKEY      2
 #define KEY_CERT        3

+static EVP_PKEY *get_pkey(const char *kdfalg,
+                          const char *keyfile, int keyform, int key_type,
+                          char *passinarg, int pkey_op, ENGINE *e);
 static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
-                              const char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e,
-                              const int impl, int rawin, EVP_PKEY **ppkey,
-                              EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
-                              OSSL_LIB_CTX *libctx, const char *propq);
+                              int pkey_op, ENGINE *e,
+                              const int engine_impl, int rawin,
+                              EVP_PKEY *pkey /* ownership is passed to ctx */,
+                              EVP_MD_CTX *mctx, const char *digestname,
+                              const char *kemop, OSSL_LIB_CTX *libctx, const char *propq);

 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                      ENGINE *e);
@ -40,6 +43,17 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
                        int filesize, unsigned char *sig, int siglen,
                        unsigned char **out, size_t *poutlen);

+static int only_nomd(EVP_PKEY *pkey)
+{
+#define MADE_UP_MAX_MD_NAME_LEN 100
+    char defname[MADE_UP_MAX_MD_NAME_LEN];
+    int deftype;
+
+    deftype = EVP_PKEY_get_default_digest_name(pkey, defname, sizeof(defname));
+    return deftype == 2 /* Mandatory */
+        && strcmp(defname, "UNDEF") == 0;
+}
+
 typedef enum OPTION_choice {
    OPT_COMMON,
    OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
@ -65,14 +79,13 @@ const OPTIONS pkeyutl_options[] = {
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
-    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
+    {"derive", OPT_DERIVE, '-', "Derive shared secret from own and peer (EC)DH keys"},
    {"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
    {"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
    OPT_CONFIG_OPTION,

    OPT_SECTION("Input"),
    {"in", OPT_IN, '<', "Input file - default stdin"},
-    {"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
    {"inkey", OPT_INKEY, 's', "Input key, by default private key"},
    {"pubin", OPT_PUBIN, '-', "Input key is a public key"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
@ -86,14 +99,17 @@ const OPTIONS pkeyutl_options[] = {
    OPT_SECTION("Output"),
    {"out", OPT_OUT, '>', "Output file - default stdout"},
    {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
-    {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
+    {"asn1parse", OPT_ASN1PARSE, '-',
+     "parse the output as ASN.1 data to check its DER encoding and print errors"},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
    {"verifyrecover", OPT_VERIFYRECOVER, '-',
-     "Verify with public key, recover original data"},
+     "Verify RSA signature, recovering original signature input data"},

    OPT_SECTION("Signing/Derivation/Encapsulation"),
+    {"rawin", OPT_RAWIN, '-',
+     "Indicate that the signature/verification input data is not yet hashed"},
    {"digest", OPT_DIGEST, 's',
-     "Specify the digest algorithm when signing the raw input data"},
+     "The digest algorithm to use for signing/verifying raw input data. Implies -rawin"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
    {"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
     "Public key option that is read as a passphrase argument opt:passphrase"},
@ -229,6 +245,7 @@ int pkeyutl_main(int argc, char **argv)
            pkey_op = EVP_PKEY_OP_DECAPSULATE;
            break;
        case OPT_ENCAP:
+            key_type = KEY_PUBKEY;
            pkey_op = EVP_PKEY_OP_ENCAPSULATE;
            break;
        case OPT_KEMOP:
@ -277,25 +294,8 @@ int pkeyutl_main(int argc, char **argv)
    if (!app_RAND_load())
        goto end;

-    if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
-        BIO_printf(bio_err,
-                   "%s: -rawin can only be used with -sign or -verify\n",
-                   prog);
-        goto opthelp;
-    }
-
-    if (digestname != NULL && !rawin) {
-        BIO_printf(bio_err,
-                   "%s: -digest can only be used with -rawin\n",
-                   prog);
-        goto opthelp;
-    }
-
-    if (rawin && rev) {
-        BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n",
-                   prog);
-        goto opthelp;
-    }
+    if (digestname != NULL)
+        rawin = 1;

    if (kdfalg != NULL) {
        if (kdflen == 0) {
@ -309,7 +309,41 @@ int pkeyutl_main(int argc, char **argv)
        goto opthelp;
    } else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) {
        BIO_printf(bio_err,
-                   "%s: no peer key given (-peerkey parameter).\n", prog);
+                   "%s: -peerkey option not allowed without -derive.\n", prog);
+        goto opthelp;
+    } else if (peerkey == NULL && pkey_op == EVP_PKEY_OP_DERIVE) {
+        BIO_printf(bio_err,
+                   "%s: missing -peerkey option for -derive operation.\n", prog);
+        goto opthelp;
+    }
+
+    pkey = get_pkey(kdfalg, inkey, keyform, key_type, passinarg, pkey_op, e);
+
+    if (pkey_op == EVP_PKEY_OP_VERIFYRECOVER && !EVP_PKEY_is_a(pkey, "RSA")) {
+        BIO_printf(bio_err, "%s: -verifyrecover can be used only with RSA\n", prog);
+        goto end;
+    }
+
+    if (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY) {
+        if (only_nomd(pkey)) {
+            if (digestname != NULL) {
+                const char *alg = EVP_PKEY_get0_type_name(pkey);
+
+                BIO_printf(bio_err,
+                           "%s: -digest (prehash) is not supported with %s\n",
+                           prog, alg != NULL ? alg : "(unknown key type)");
+                goto end;
+            }
+            rawin = 1;
+        }
+    } else if (digestname != NULL || rawin) {
+        BIO_printf(bio_err,
+                   "%s: -digest and -rawin can only be used with -sign or -verify\n", prog);
+        goto opthelp;
+    }
+
+    if (rawin && rev) {
+        BIO_printf(bio_err, "%s: -rev cannot be used with raw input\n", prog);
        goto opthelp;
    }

@ -319,8 +353,7 @@ int pkeyutl_main(int argc, char **argv)
            goto end;
        }
    }
-    ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
-                   passinarg, pkey_op, e, engine_impl, rawin, &pkey,
+    ctx = init_ctx(kdfalg, &keysize, pkey_op, e, engine_impl, rawin, pkey,
                   mctx, digestname, kemop, libctx, app_get0_propq());
    if (ctx == NULL) {
        BIO_printf(bio_err, "%s: Error initializing context\n", prog);
@ -374,8 +407,10 @@ int pkeyutl_main(int argc, char **argv)
                    goto end;
                }
            } else {
-                /* Get password as a passin argument: First split option name
-                 * and passphrase argument into two strings */
+                /*
+                 * Get password as a passin argument: First split option name
+                 * and passphrase argument into two strings
+                 */
                *passin = 0;
                passin++;
                if (app_passwd(passin, NULL, &passwd, NULL) == 0) {
@ -416,17 +451,31 @@ int pkeyutl_main(int argc, char **argv)
        if (in == NULL)
            goto end;
    }
-    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
-    if (out == NULL)
-        goto end;
-
-    if (pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
-        if (secoutfile == NULL) {
-            BIO_printf(bio_err, "Encapsulation requires '-secret' argument\n");
+    if (pkey_op == EVP_PKEY_OP_DECAPSULATE && outfile != NULL) {
+        if (secoutfile != NULL) {
+            BIO_printf(bio_err, "%s: Decapsulation produces only a shared "
+                                "secret and no output. The '-out' option "
+                                "is not applicable.\n", prog);
            goto end;
        }
-        secout = bio_open_default(secoutfile, 'w', FORMAT_BINARY);
-        if (secout == NULL)
+        if ((out = bio_open_owner(outfile, 'w', FORMAT_BINARY)) == NULL)
+            goto end;
+    } else {
+        out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+        if (out == NULL)
+            goto end;
+    }
+
+    if (pkey_op == EVP_PKEY_OP_ENCAPSULATE
+        || pkey_op == EVP_PKEY_OP_DECAPSULATE) {
+        if (secoutfile == NULL && pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
+            BIO_printf(bio_err, "KEM-based shared-secret derivation requires "
+                                "the '-secret <file>' option\n");
+            goto end;
+        }
+        /* For backwards compatibility, default decap secrets to the output */
+        if (secoutfile != NULL
+            && (secout = bio_open_owner(secoutfile, 'w', FORMAT_BINARY)) == NULL)
            goto end;
    }

@ -457,6 +506,7 @@ int pkeyutl_main(int argc, char **argv)
            size_t i;
            unsigned char ctmp;
            size_t l = (size_t)buf_inlen;
+
            for (i = 0; i < l / 2; i++) {
                ctmp = buf_in[i];
                buf_in[i] = buf_in[l - 1 - i];
@ -467,12 +517,13 @@ int pkeyutl_main(int argc, char **argv)

    /* Sanity check the input if the input is not raw */
    if (!rawin
-            && buf_inlen > EVP_MAX_MD_SIZE
-            && (pkey_op == EVP_PKEY_OP_SIGN
-                || pkey_op == EVP_PKEY_OP_VERIFY)) {
-        BIO_printf(bio_err,
-                   "Error: The input data looks too long to be a hash\n");
-        goto end;
+        && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
+        if (buf_inlen > EVP_MAX_MD_SIZE) {
+            BIO_printf(bio_err,
+                       "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n",
+                       buf_inlen, EVP_MAX_MD_SIZE);
+            goto end;
+        }
    }

    if (pkey_op == EVP_PKEY_OP_VERIFY) {
@ -503,8 +554,12 @@ int pkeyutl_main(int argc, char **argv)
            rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
                          buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
        }
-        if (rv > 0 && buf_outlen != 0) {
-            buf_out = app_malloc(buf_outlen, "buffer output");
+        if (rv > 0
+            && (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
+                                  && pkey_op != EVP_PKEY_OP_DECAPSULATE))
+            && (buf_outlen > 0 || pkey_op == EVP_PKEY_OP_DECAPSULATE)) {
+            if (buf_outlen > 0)
+                buf_out = app_malloc(buf_outlen, "buffer output");
            if (secretlen > 0)
                secret = app_malloc(secretlen, "secret output");
            rv = do_keyop(ctx, pkey_op,
@ -530,14 +585,16 @@ int pkeyutl_main(int argc, char **argv)
    } else {
        BIO_write(out, buf_out, buf_outlen);
    }
+    /* Backwards compatible decap output fallback */
    if (secretlen > 0)
-        BIO_write(secout, secret, secretlen);
+        BIO_write(secout ? secout : out, secret, secretlen);

 end:
    if (ret != 0)
        ERR_print_errors(bio_err);
    EVP_MD_CTX_free(mctx);
    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
    EVP_MD_free(md);
    release_engine(e);
    BIO_free(in);
@ -553,29 +610,23 @@ int pkeyutl_main(int argc, char **argv)
    return ret;
 }

-static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
-                              const char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e,
-                              const int engine_impl, int rawin,
-                              EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
-                              const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
+static EVP_PKEY *get_pkey(const char *kdfalg,
+                          const char *keyfile, int keyform, int key_type,
+                          char *passinarg, int pkey_op, ENGINE *e)
 {
    EVP_PKEY *pkey = NULL;
-    EVP_PKEY_CTX *ctx = NULL;
-    ENGINE *impl = NULL;
    char *passin = NULL;
-    int rv = -1;
    X509 *x;

    if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
         || (pkey_op == EVP_PKEY_OP_DERIVE))
        && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
        BIO_printf(bio_err, "A private key is needed for this operation\n");
-        goto end;
+        return NULL;
    }
    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
        BIO_printf(bio_err, "Error getting password\n");
-        goto end;
+        return NULL;
    }
    switch (key_type) {
    case KEY_PRIVKEY:
@ -598,6 +649,20 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
        break;

    }
+    OPENSSL_free(passin);
+    return pkey;
+}
+
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
+                              int pkey_op, ENGINE *e,
+                              const int engine_impl, int rawin,
+                              EVP_PKEY *pkey /* ownership is passed to ctx */,
+                              EVP_MD_CTX *mctx, const char *digestname,
+                              const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
+{
+    EVP_PKEY_CTX *ctx = NULL;
+    ENGINE *impl = NULL;
+    int rv = -1;

 #ifndef OPENSSL_NO_ENGINE
    if (engine_impl)
@ -612,7 +677,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
            if (kdfnid == NID_undef) {
                BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
                           kdfalg);
-                goto end;
+                return NULL;
            }
        }
        if (impl != NULL)
@ -621,20 +686,17 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
            ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq);
    } else {
        if (pkey == NULL)
-            goto end;
+            return NULL;

        *pkeysize = EVP_PKEY_get_size(pkey);
        if (impl != NULL)
            ctx = EVP_PKEY_CTX_new(pkey, impl);
        else
            ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
-        if (ppkey != NULL)
-            *ppkey = pkey;
-        EVP_PKEY_free(pkey);
    }

    if (ctx == NULL)
-        goto end;
+        return NULL;

    if (rawin) {
        EVP_MD_CTX_set_pkey_ctx(mctx, ctx);
@ -696,18 +758,16 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
        ctx = NULL;
    }

- end:
-    OPENSSL_free(passin);
    return ctx;
-
 }

 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
                      ENGINE *e)
 {
+    EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
    EVP_PKEY *peer = NULL;
    ENGINE *engine = NULL;
-    int ret;
+    int ret = 1;

    if (peerform == FORMAT_ENGINE)
        engine = e;
@ -716,8 +776,14 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
        BIO_printf(bio_err, "Error reading peer key %s\n", file);
        return 0;
    }
-
-    ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
+    if (strcmp(EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey)) != 0) {
+        BIO_printf(bio_err,
+                   "Type of peer public key: %s does not match type of private key: %s\n",
+                   EVP_PKEY_get0_type_name(peer), EVP_PKEY_get0_type_name(pkey));
+        ret = 0;
+    } else {
+        ret = EVP_PKEY_derive_set_peer(ctx, peer) > 0;
+    }

    EVP_PKEY_free(peer);
    return ret;
@ -729,6 +795,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                    unsigned char *secret, size_t *pseclen)
 {
    int rv = 0;
+
    switch (pkey_op) {
    case EVP_PKEY_OP_VERIFYRECOVER:
        rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
@ -755,7 +822,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
        break;

    case EVP_PKEY_OP_DECAPSULATE:
-        rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen);
+        rv = EVP_PKEY_decapsulate(ctx, secret, pseclen, in, inlen);
        break;

    }
@ -775,8 +842,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
    int buf_len = 0;

    /* Some algorithms only support oneshot digests */
-    if (EVP_PKEY_get_id(pkey) == EVP_PKEY_ED25519
-            || EVP_PKEY_get_id(pkey) == EVP_PKEY_ED448) {
+    if (only_nomd(pkey)) {
        if (filesize < 0) {
            BIO_printf(bio_err,
                       "Error: unable to determine file size for oneshot operation\n");
--- a/apps/prime.c
+++ b/apps/prime.c
@ -145,10 +145,14 @@ opthelp:
            }

            BN_print(bio_out, bn);
+            r = BN_check_prime(bn, NULL, NULL);
+            if (r < 0) {
+                BIO_printf(bio_err, "Error checking prime\n");
+                goto end;
+            }
            BIO_printf(bio_out, " (%s) %s prime\n",
                       argv[0],
-                       BN_check_prime(bn, NULL, NULL)
-                           ? "is" : "is not");
+                       r == 1 ? "is" : "is not");
        }
    }

--- a/apps/rehash.c
+++ b/apps/rehash.c
@ -8,6 +8,7 @@
 * https://www.openssl.org/source/license.html
 */

+#include "internal/e_os.h" /* LIST_SEPARATOR_CHAR */
 #include "apps.h"
 #include "progs.h"

@ -562,6 +563,11 @@ int rehash_main(int argc, char **argv)
    } else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) {
        char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' };
        m = OPENSSL_strdup(env);
+        if (m == NULL) {
+            BIO_puts(bio_err, "out of memory\n");
+            errs = 1;
+            goto end;
+        }
        for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc))
            errs += do_dir(e, h);
        OPENSSL_free(m);
--- a/apps/req.c
+++ b/apps/req.c
@ -81,6 +81,7 @@ static int batch = 0;

 typedef enum OPTION_choice {
    OPT_COMMON,
+    OPT_CIPHER,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
    OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
    OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
@ -98,6 +99,7 @@ typedef enum OPTION_choice {
 const OPTIONS req_options[] = {
    OPT_SECTION("General"),
    {"help", OPT_HELP, '-', "Display this summary"},
+    {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
@ -250,7 +252,7 @@ int req_main(int argc, char **argv)
    LHASH_OF(OPENSSL_STRING) *addexts = NULL;
    X509 *new_x509 = NULL, *CAcert = NULL;
    X509_REQ *req = NULL;
-    EVP_CIPHER *cipher = NULL;
+    const EVP_CIPHER *cipher = NULL;
    int ext_copy = EXT_COPY_UNSET;
    BIO *addext_bio = NULL;
    char *extsect = NULL;
@ -273,9 +275,7 @@ int req_main(int argc, char **argv)
    long newkey_len = -1;
    unsigned long chtype = MBSTRING_ASC, reqflag = 0;

-#ifndef OPENSSL_NO_DES
-    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-#endif
+    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();

    opt_set_unknown_name("digest");
    prog = opt_init(argc, argv, req_options);
@ -491,6 +491,13 @@ int req_main(int argc, char **argv)
        case OPT_PRECERT:
            newreq = precert = 1;
            break;
+        case OPT_CIPHER:
+            cipher = EVP_get_cipherbyname(opt_arg());
+            if (cipher == NULL) {
+                BIO_printf(bio_err, "Unknown cipher: %s\n", opt_arg());
+                goto opthelp;
+            }
+            break;
        case OPT_MD:
            digest = opt_unknown();
            break;
--- a/apps/s_client.c
+++ b/apps/s_client.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2005 Nokia. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
@ -16,6 +16,7 @@
 #include <errno.h>
 #include <openssl/e_os2.h>
 #include "internal/nelem.h"
+#include "internal/sockets.h" /* for openssl_fdset() */

 #ifndef OPENSSL_NO_SOCK

@ -207,7 +208,8 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
    const SSL_CIPHER *cipher = NULL;

    if (psksess != NULL) {
-        SSL_SESSION_up_ref(psksess);
+        if (!SSL_SESSION_up_ref(psksess))
+            goto err;
        usesess = psksess;
    } else {
        long key_len;
--- a/apps/s_server.c
+++ b/apps/s_server.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
@ -9,6 +9,8 @@
 * https://www.openssl.org/source/license.html
 */

+#include "internal/e_os.h"
+
 #include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
@ -22,6 +24,7 @@
 #include <openssl/async.h>
 #include <openssl/ssl.h>
 #include <openssl/decoder.h>
+#include "internal/sockets.h" /* for openssl_fdset() */

 #ifndef OPENSSL_NO_SOCK

@ -206,7 +209,9 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
    }

    if (psksess != NULL) {
-        SSL_SESSION_up_ref(psksess);
+        if (!SSL_SESSION_up_ref(psksess))
+            return 0;
+
        *sess = psksess;
        return 1;
    }
@ -1754,9 +1759,9 @@ int s_server_main(int argc, char *argv[])
        goto end;
    }
 #endif
-    if (early_data && (www > 0 || rev)) {
+    if (early_data && rev) {
        BIO_printf(bio_err,
-                   "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
+                   "Can't use -early_data in combination with -rev\n");
        goto end;
    }

@ -3153,7 +3158,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
    int i, j, k, dot;
    SSL *con;
    const SSL_CIPHER *c;
-    BIO *io, *ssl_bio, *sbio;
+    BIO *io, *ssl_bio, *sbio, *edio;
 #ifdef RENEG
    int total_bytes = 0;
 #endif
@ -3175,7 +3180,8 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
    p = buf = app_malloc(bufsize + 1, "server www buffer");
    io = BIO_new(BIO_f_buffer());
    ssl_bio = BIO_new(BIO_f_ssl());
-    if ((io == NULL) || (ssl_bio == NULL))
+    edio = BIO_new(BIO_s_mem());
+    if ((io == NULL) || (ssl_bio == NULL) || (edio == NULL))
        goto err;

    if (s_nbio) {
@ -3235,6 +3241,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
        goto err;

    io = BIO_push(filter, io);
+
+    filter = BIO_new(BIO_f_ebcdic_filter());
+    if (filter == NULL)
+        goto err;
+
+    edio = BIO_push(filter, edio);
 #endif

    if (s_debug) {
@ -3251,8 +3263,35 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
        SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
    }

+    if (early_data) {
+        int edret = SSL_READ_EARLY_DATA_ERROR;
+        size_t readbytes;
+
+        while (edret != SSL_READ_EARLY_DATA_FINISH) {
+            for (;;) {
+                edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
+                if (edret != SSL_READ_EARLY_DATA_ERROR)
+                    break;
+
+                switch (SSL_get_error(con, 0)) {
+                case SSL_ERROR_WANT_WRITE:
+                case SSL_ERROR_WANT_ASYNC:
+                case SSL_ERROR_WANT_READ:
+                    /* Just keep trying - busy waiting */
+                    continue;
+                default:
+                    BIO_printf(bio_err, "Error reading early data\n");
+                    ERR_print_errors(bio_err);
+                    goto err;
+                }
+            }
+            if (readbytes > 0)
+                BIO_write(edio, buf, (int)readbytes);
+        }
+    }
+
    for (;;) {
-        i = BIO_gets(io, buf, bufsize + 1);
+        i = BIO_gets(!BIO_eof(edio) ? edio : io, buf, bufsize + 1);
        if (i < 0) {            /* error */
            if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
                if (!s_quiet)
@ -3592,6 +3631,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
    OPENSSL_free(buf);
    BIO_free(ssl_bio);
    BIO_free_all(io);
+    BIO_free_all(edio);
    return ret;
 }

--- a/apps/skeyutl.c
+++ b/apps/skeyutl.c
@ -0,0 +1,135 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+typedef enum OPTION_choice {
+    OPT_COMMON,
+    OPT_PROV_ENUM,
+    OPT_CIPHER,
+    OPT_SKEYOPT, OPT_SKEYMGMT, OPT_GENKEY
+} OPTION_CHOICE;
+
+const OPTIONS skeyutl_options[] = {
+    OPT_SECTION("General"),
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"skeyopt", OPT_SKEYOPT, 's', "Key options as opt:value for opaque keys handling"},
+    {"skeymgmt", OPT_SKEYMGMT, 's', "Symmetric key management name for opaque keys handling"},
+    {"genkey", OPT_GENKEY, '-', "Generate an opaque symmetric key"},
+    {"cipher", OPT_CIPHER, 's', "The cipher to generate key for"},
+    OPT_PROV_OPTIONS,
+    {NULL}
+};
+
+int skeyutl_main(int argc, char **argv)
+{
+    EVP_CIPHER *cipher = NULL;
+    int ret = 1;
+    OPTION_CHOICE o;
+    int genkey = 0;
+    char *prog, *ciphername = NULL;
+    STACK_OF(OPENSSL_STRING) *skeyopts = NULL;
+    const char *skeymgmt = NULL;
+    EVP_SKEY *skey = NULL;
+    EVP_SKEYMGMT *mgmt = NULL;
+
+    prog = opt_init(argc, argv, skeyutl_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(skeyutl_options);
+            ret = 0;
+            goto end;
+        case OPT_GENKEY:
+            genkey = 1;
+            break;
+        case OPT_CIPHER:
+            ciphername = opt_arg();
+            break;
+        case OPT_SKEYOPT:
+            if ((skeyopts == NULL &&
+                 (skeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                sk_OPENSSL_STRING_push(skeyopts, opt_arg()) == 0) {
+                BIO_printf(bio_err, "%s: out of memory\n", prog);
+                goto end;
+            }
+            break;
+        case OPT_SKEYMGMT:
+            skeymgmt = opt_arg();
+            break;
+        case OPT_PROV_CASES:
+            if (!opt_provider(o))
+                goto end;
+            break;
+        }
+    }
+
+    /* Get the cipher name, either from progname (if set) or flag. */
+    if (!opt_cipher_any(ciphername, &cipher))
+        goto opthelp;
+
+    if (cipher == NULL && skeymgmt == NULL) {
+        BIO_printf(bio_err, "Either -skeymgmt -or -cipher option should be specified\n");
+        goto end;
+    }
+
+    if (genkey) {
+        OSSL_PARAM *params = NULL;
+
+        mgmt = EVP_SKEYMGMT_fetch(app_get0_libctx(),
+                                  skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
+                                  app_get0_propq());
+        if (mgmt == NULL)
+            goto end;
+        params = app_params_new_from_opts(skeyopts,
+                                          EVP_SKEYMGMT_get0_gen_settable_params(mgmt));
+
+        skey = EVP_SKEY_generate(app_get0_libctx(),
+                                 skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher),
+                                 app_get0_propq(), params);
+        OSSL_PARAM_free(params);
+        if (skey == NULL) {
+            BIO_printf(bio_err, "Error creating opaque key for skeymgmt %s\n",
+                       skeymgmt ? skeymgmt : EVP_CIPHER_name(cipher));
+            ERR_print_errors(bio_err);
+        } else {
+            const char *key_name = EVP_SKEY_get0_key_id(skey);
+
+            BIO_printf(bio_out, "An opaque key identified by %s is created\n",
+                       key_name ? key_name : "<unknown>");
+            BIO_printf(bio_out, "Provider: %s\n", EVP_SKEY_get0_provider_name(skey));
+            BIO_printf(bio_out, "Key management: %s\n", EVP_SKEY_get0_skeymgmt_name(skey));
+            ret = 0;
+        }
+        goto end;
+    } else {
+        BIO_printf(bio_err, "Key generation is the only supported operation as of now\n");
+    }
+
+ end:
+    ERR_print_errors(bio_err);
+    sk_OPENSSL_STRING_free(skeyopts);
+    EVP_SKEYMGMT_free(mgmt);
+    EVP_SKEY_free(skey);
+    EVP_CIPHER_free(cipher);
+    return ret;
+}
--- a/apps/smime.c
+++ b/apps/smime.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -315,13 +315,15 @@ int smime_main(int argc, char **argv)
                if (sksigners == NULL
                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                if (keyfile == NULL)
                    keyfile = signerfile;
                if (skkeys == NULL
                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
                keyfile = NULL;
            }
            signerfile = opt_arg();
@ -346,12 +348,14 @@ int smime_main(int argc, char **argv)
                if (sksigners == NULL
                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                signerfile = NULL;
                if (skkeys == NULL
                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                    goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
            }
            keyfile = opt_arg();
            break;
@ -424,12 +428,14 @@ int smime_main(int argc, char **argv)
            if (sksigners == NULL
                && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                goto end;
            if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
            if (!keyfile)
                keyfile = signerfile;
-            sk_OPENSSL_STRING_push(skkeys, keyfile);
+            if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                goto end;
        }
        if (sksigners == NULL) {
            BIO_printf(bio_err, "No signer certificate specified\n");
@ -471,14 +477,8 @@ int smime_main(int argc, char **argv)
    }

    if (operation == SMIME_ENCRYPT) {
-        if (cipher == NULL) {
-#ifndef OPENSSL_NO_DES
-            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-#else
-            BIO_printf(bio_err, "No cipher selected\n");
-            goto end;
-#endif
-        }
+        if (cipher == NULL)
+            cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
        encerts = sk_X509_new_null();
        if (encerts == NULL)
            goto end;
--- a/apps/speed.c
+++ b/apps/speed.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
@ -26,6 +26,7 @@

 /* We need to use some deprecated APIs */
 #define OPENSSL_SUPPRESS_DEPRECATED
+#include "internal/e_os.h"

 #include <stdio.h>
 #include <stdlib.h>
@ -514,6 +515,14 @@ static double sigs_results[MAX_SIG_NUM][3];  /* keygen, sign, verify */
 #define COND(unused_cond) (run && count < (testmode ? 1 : INT_MAX))
 #define COUNT(d) (count)

+#define TAG_LEN 16 /* 16 bytes tag length works for all AEAD modes */
+#define AEAD_IVLEN 12 /* 12 bytes iv length works for all AEAD modes */
+
+static unsigned int mode_op; /* AE Mode of operation */
+static unsigned int aead = 0; /* AEAD flag */
+static unsigned char aead_iv[AEAD_IVLEN]; /* For AEAD modes */
+static unsigned char aad[EVP_AEAD_TLS1_AAD_LEN] = { 0xcc };
+
 typedef struct loopargs_st {
    ASYNC_JOB *inprogress_job;
    ASYNC_WAIT_CTX *wait_ctx;
@ -522,6 +531,7 @@ typedef struct loopargs_st {
    unsigned char *buf_malloc;
    unsigned char *buf2_malloc;
    unsigned char *key;
+    unsigned char tag[TAG_LEN];
    size_t buflen;
    size_t sigsize;
    size_t encsize;
@ -874,12 +884,8 @@ static int EVP_Update_loop(void *args)
    unsigned char *buf = tempargs->buf;
    EVP_CIPHER_CTX *ctx = tempargs->ctx;
    int outl, count, rc;
-    unsigned char faketag[16] = { 0xcc };

    if (decrypt) {
-        if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-            (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag);
-        }
        for (count = 0; COND(c[D_EVP][testnum]); count++) {
            rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
            if (rc != 1) {
@ -907,44 +913,71 @@ static int EVP_Update_loop(void *args)
 }

 /*
+ * To make AEAD benchmarking more relevant perform TLS-like operations,
+ * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as
+ * payload length is not actually limited by 16KB...
 * CCM does not support streaming. For the purpose of performance measurement,
 * each message is encrypted using the same (key,iv)-pair. Do not use this
 * code in your application.
 */
-static int EVP_Update_loop_ccm(void *args)
+static int EVP_Update_loop_aead_enc(void *args)
 {
    loopargs_t *tempargs = *(loopargs_t **) args;
    unsigned char *buf = tempargs->buf;
+    unsigned char *key = tempargs->key;
    EVP_CIPHER_CTX *ctx = tempargs->ctx;
-    int outl, count, realcount = 0, final;
-    unsigned char tag[12];
+    int outl, count, realcount = 0;

-    if (decrypt) {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(tag),
-                                      tag) > 0
-                /* reset iv */
-                && EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) > 0
-                /* counter is reset on every update */
-                && EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]) > 0)
-                realcount++;
+    for (count = 0; COND(c[D_EVP][testnum]); count++) {
+        /* Set length of iv (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
+                                     sizeof(aead_iv), NULL)) {
+                BIO_printf(bio_err, "\nFailed to set iv length\n");
+                dofail();
+                exit(1);
+            }
        }
-    } else {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            /* restore iv length field */
-            if (EVP_EncryptUpdate(ctx, NULL, &outl, NULL, lengths[testnum]) > 0
-                /* counter is reset on every update */
-                && EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]) > 0)
-                realcount++;
+        /* Set tag_len (Not for GCM/SIV at encryption stage) */
+        if (mode_op != EVP_CIPH_GCM_MODE
+            && mode_op != EVP_CIPH_SIV_MODE
+            && mode_op != EVP_CIPH_GCM_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+                                     TAG_LEN, NULL)) {
+                BIO_printf(bio_err, "\nFailed to set tag length\n");
+                dofail();
+                exit(1);
+            }
        }
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, aead_iv, -1)) {
+            BIO_printf(bio_err, "\nFailed to set key and iv\n");
+            dofail();
+            exit(1);
+        }
+        /* Set total length of input. Only required for CCM */
+        if (mode_op == EVP_CIPH_CCM_MODE) {
+            if (!EVP_EncryptUpdate(ctx, NULL, &outl,
+                                   NULL, lengths[testnum])) {
+                BIO_printf(bio_err, "\nCouldn't set input text length\n");
+                dofail();
+                exit(1);
+            }
+        }
+        if (aead) {
+            if (!EVP_EncryptUpdate(ctx, NULL, &outl, aad, sizeof(aad))) {
+                BIO_printf(bio_err, "\nCouldn't insert AAD when encrypting\n");
+                dofail();
+                exit(1);
+            }
+        }
+        if (!EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum])) {
+            BIO_printf(bio_err, "\nFailed to encrypt the data\n");
+            dofail();
+            exit(1);
+        }
+        if (EVP_EncryptFinal_ex(ctx, buf, &outl))
+            realcount++;
    }
-    if (decrypt)
-        final = EVP_DecryptFinal_ex(ctx, buf, &outl);
-    else
-        final = EVP_EncryptFinal_ex(ctx, buf, &outl);
-
-    if (final == 0)
-        BIO_printf(bio_err, "Error finalizing ccm loop\n");
    return realcount;
 }

@ -952,34 +985,87 @@ static int EVP_Update_loop_ccm(void *args)
 * To make AEAD benchmarking more relevant perform TLS-like operations,
 * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as
 * payload length is not actually limited by 16KB...
+ * CCM does not support streaming. For the purpose of performance measurement,
+ * each message is decrypted using the same (key,iv)-pair. Do not use this
+ * code in your application.
+ * For decryption, we will use buf2 to preserve the input text in buf.
 */
-static int EVP_Update_loop_aead(void *args)
+static int EVP_Update_loop_aead_dec(void *args)
 {
    loopargs_t *tempargs = *(loopargs_t **) args;
    unsigned char *buf = tempargs->buf;
+    unsigned char *outbuf = tempargs->buf2;
+    unsigned char *key = tempargs->key;
+    unsigned char tag[TAG_LEN];
    EVP_CIPHER_CTX *ctx = tempargs->ctx;
    int outl, count, realcount = 0;
-    unsigned char aad[13] = { 0xcc };
-    unsigned char faketag[16] = { 0xcc };

-    if (decrypt) {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) > 0
-                && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
-                                    sizeof(faketag), faketag) > 0
-                && EVP_DecryptUpdate(ctx, NULL, &outl, aad, sizeof(aad)) > 0
-                && EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]) > 0
-                && EVP_DecryptFinal_ex(ctx, buf + outl, &outl) > 0)
-                realcount++;
+    for (count = 0; COND(c[D_EVP][testnum]); count++) {
+        /* Set the length of iv (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
+                                     sizeof(aead_iv), NULL)) {
+                BIO_printf(bio_err, "\nFailed to set iv length\n");
+                dofail();
+                exit(1);
+            }
        }
-    } else {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) > 0
-                && EVP_EncryptUpdate(ctx, NULL, &outl, aad, sizeof(aad)) > 0
-                && EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]) > 0
-                && EVP_EncryptFinal_ex(ctx, buf + outl, &outl) > 0)
-                realcount++;
+
+        /* Set the tag length (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE
+            && mode_op != EVP_CIPH_GCM_MODE
+            && mode_op != EVP_CIPH_GCM_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+                                     TAG_LEN, NULL)) {
+                BIO_printf(bio_err, "\nFailed to set tag length\n");
+                dofail();
+                exit(1);
+            }
        }
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, aead_iv, -1)) {
+            BIO_printf(bio_err, "\nFailed to set key and iv\n");
+            dofail();
+            exit(1);
+        }
+        /* Set iv before decryption (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE) {
+            if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, aead_iv)) {
+                BIO_printf(bio_err, "\nFailed to set iv\n");
+                dofail();
+                exit(1);
+            }
+        }
+        memcpy(tag, tempargs->tag, TAG_LEN);
+
+        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+                                 TAG_LEN, tag)) {
+            BIO_printf(bio_err, "\nFailed to set tag\n");
+            dofail();
+            exit(1);
+        }
+        /* Set the total length of cipher text. Only required for CCM */
+        if (mode_op == EVP_CIPH_CCM_MODE) {
+            if (!EVP_DecryptUpdate(ctx, NULL, &outl,
+                                   NULL, lengths[testnum])) {
+                BIO_printf(bio_err, "\nCouldn't set cipher text length\n");
+                dofail();
+                exit(1);
+            }
+        }
+        if (aead) {
+            if (!EVP_DecryptUpdate(ctx, NULL, &outl, aad, sizeof(aad))) {
+                BIO_printf(bio_err, "\nCouldn't insert AAD when decrypting\n");
+                dofail();
+                exit(1);
+            }
+        }
+        if (!EVP_DecryptUpdate(ctx, outbuf, &outl, buf, lengths[testnum])) {
+            BIO_printf(bio_err, "\nFailed to decrypt the data\n");
+            dofail();
+            exit(1);
+        }
+        if (EVP_DecryptFinal_ex(ctx, outbuf, &outl))
+            realcount++;
    }
    return realcount;
 }
@ -1444,6 +1530,24 @@ static int SIG_verify_loop(void *args)
    return count;
 }

+static int check_block_size(EVP_CIPHER_CTX *ctx, int length)
+{
+    const EVP_CIPHER *ciph = EVP_CIPHER_CTX_get0_cipher(ctx);
+    int blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
+
+    if (ciph == NULL || blocksize <= 0) {
+        BIO_printf(bio_err, "\nInvalid cipher!\n");
+        return 0;
+    }
+    if (length % blocksize != 0) {
+        BIO_printf(bio_err,
+                   "\nRequested encryption length not a multiple of block size for %s!\n",
+                   EVP_CIPHER_get0_name(ciph));
+        return 0;
+    }
+    return 1;
+}
+
 static int run_benchmark(int async_jobs,
                         int (*loop_function) (void *), loopargs_t *loopargs)
 {
@ -1713,9 +1817,9 @@ static void collect_kem(EVP_KEM *kem, void *stack)
    STACK_OF(EVP_KEM) *kem_stack = stack;

    if (is_kem_fetchable(kem)
-            && sk_EVP_KEM_push(kem_stack, kem) > 0) {
-        EVP_KEM_up_ref(kem);
-    }
+            && EVP_KEM_up_ref(kem)
+            && sk_EVP_KEM_push(kem_stack, kem) <= 0)
+        EVP_KEM_free(kem); /* up-ref successful but push to stack failed */
 }

 static int kem_locate(const char *algo, unsigned int *idx)
@ -1745,8 +1849,9 @@ static void collect_signatures(EVP_SIGNATURE *sig, void *stack)
    STACK_OF(EVP_SIGNATURE) *sig_stack = stack;

    if (is_signature_fetchable(sig)
-            && sk_EVP_SIGNATURE_push(sig_stack, sig) > 0)
-        EVP_SIGNATURE_up_ref(sig);
+            && EVP_SIGNATURE_up_ref(sig)
+            && sk_EVP_SIGNATURE_push(sig_stack, sig) <= 0)
+        EVP_SIGNATURE_free(sig); /* up-ref successful but push to stack failed */
 }

 static int sig_locate(const char *algo, unsigned int *idx)
@ -1784,14 +1889,14 @@ int speed_main(int argc, char **argv)
    OPTION_CHOICE o;
    int async_init = 0, multiblock = 0, pr_header = 0;
    uint8_t doit[ALGOR_NUM] = { 0 };
-    int ret = 1, misalign = 0, lengths_single = 0, aead = 0;
+    int ret = 1, misalign = 0, lengths_single = 0;
    STACK_OF(EVP_KEM) *kem_stack = NULL;
    STACK_OF(EVP_SIGNATURE) *sig_stack = NULL;
    long count = 0;
    unsigned int size_num = SIZE_NUM;
    unsigned int i, k, loopargs_len = 0, async_jobs = 0;
    unsigned int idx;
-    int keylen;
+    int keylen = 0;
    int buflen;
    size_t declen;
    BIGNUM *bn = NULL;
@ -2623,13 +2728,13 @@ int speed_main(int argc, char **argv)
    if (doit[D_HMAC]) {
        static const char hmac_key[] = "This is a key...";
        int len = strlen(hmac_key);
+        size_t hmac_name_len = sizeof("hmac()") + strlen(evp_mac_mdname);
        OSSL_PARAM params[3];

        if (evp_mac_mdname == NULL)
            goto end;
-        evp_hmac_name = app_malloc(sizeof("hmac()") + strlen(evp_mac_mdname),
-                                   "HMAC name");
-        sprintf(evp_hmac_name, "hmac(%s)", evp_mac_mdname);
+        evp_hmac_name = app_malloc(hmac_name_len, "HMAC name");
+        BIO_snprintf(evp_hmac_name, hmac_name_len, "hmac(%s)", evp_mac_mdname);
        names[D_HMAC] = evp_hmac_name;

        params[0] =
@ -2664,6 +2769,8 @@ int speed_main(int argc, char **argv)
        }
        algindex = D_CBC_DES;
        for (testnum = 0; st && testnum < size_num; testnum++) {
+            if (!check_block_size(loopargs[0].ctx, lengths[testnum]))
+                break;
            print_message(names[D_CBC_DES], lengths[testnum], seconds.sym);
            Time_F(START);
            count = run_benchmark(async_jobs, EVP_Cipher_loop, loopargs);
@ -2684,6 +2791,8 @@ int speed_main(int argc, char **argv)
        }
        algindex = D_EDE3_DES;
        for (testnum = 0; st && testnum < size_num; testnum++) {
+            if (!check_block_size(loopargs[0].ctx, lengths[testnum]))
+                break;
            print_message(names[D_EDE3_DES], lengths[testnum], seconds.sym);
            Time_F(START);
            count =
@ -2708,6 +2817,8 @@ int speed_main(int argc, char **argv)
            }

            for (testnum = 0; st && testnum < size_num; testnum++) {
+                if (!check_block_size(loopargs[0].ctx, lengths[testnum]))
+                    break;
                print_message(names[algindex], lengths[testnum], seconds.sym);
                Time_F(START);
                count =
@ -2733,6 +2844,8 @@ int speed_main(int argc, char **argv)
            }

            for (testnum = 0; st && testnum < size_num; testnum++) {
+                if (!check_block_size(loopargs[0].ctx, lengths[testnum]))
+                    break;
                print_message(names[algindex], lengths[testnum], seconds.sym);
                Time_F(START);
                count =
@ -2757,6 +2870,8 @@ int speed_main(int argc, char **argv)
            }

            for (testnum = 0; st && testnum < size_num; testnum++) {
+                if (!check_block_size(loopargs[0].ctx, lengths[testnum]))
+                    break;
                print_message(names[algindex], lengths[testnum], seconds.sym);
                Time_F(START);
                count =
@ -2810,12 +2925,20 @@ int speed_main(int argc, char **argv)
        }
    }

+    /*-
+     * There are three scenarios for D_EVP:
+     * 1- Using authenticated encryption (AE) e.g. CCM, GCM, OCB etc.
+     * 2- Using AE + associated data (AD) i.e. AEAD using CCM, GCM, OCB etc.
+     * 3- Not using AE or AD e.g. ECB, CBC, CFB etc.
+     */
    if (doit[D_EVP]) {
        if (evp_cipher != NULL) {
-            int (*loopfunc) (void *) = EVP_Update_loop;
+            int (*loopfunc) (void *);
+            int outlen = 0;
+            unsigned int ae_mode = 0;

-            if (multiblock && (EVP_CIPHER_get_flags(evp_cipher) &
-                               EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
+            if (multiblock && (EVP_CIPHER_get_flags(evp_cipher)
+                               & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
                multiblock_speed(evp_cipher, lengths_single, &seconds);
                ret = 0;
                goto end;
@ -2823,16 +2946,27 @@ int speed_main(int argc, char **argv)

            names[D_EVP] = EVP_CIPHER_get0_name(evp_cipher);

-            if (EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_CCM_MODE) {
-                loopfunc = EVP_Update_loop_ccm;
-            } else if (aead && (EVP_CIPHER_get_flags(evp_cipher) &
-                                EVP_CIPH_FLAG_AEAD_CIPHER)) {
-                loopfunc = EVP_Update_loop_aead;
+            mode_op = EVP_CIPHER_get_mode(evp_cipher);
+
+            if (aead) {
                if (lengths == lengths_list) {
                    lengths = aead_lengths_list;
                    size_num = OSSL_NELEM(aead_lengths_list);
                }
            }
+            if (mode_op == EVP_CIPH_GCM_MODE
+                || mode_op == EVP_CIPH_CCM_MODE
+                || mode_op == EVP_CIPH_OCB_MODE
+                || mode_op == EVP_CIPH_SIV_MODE
+                || mode_op == EVP_CIPH_GCM_SIV_MODE) {
+                ae_mode = 1;
+                if (decrypt)
+                    loopfunc = EVP_Update_loop_aead_dec;
+                else
+                    loopfunc = EVP_Update_loop_aead_enc;
+            } else {
+                loopfunc = EVP_Update_loop;
+            }

            for (testnum = 0; testnum < size_num; testnum++) {
                print_message(names[D_EVP], lengths[testnum], seconds.sym);
@ -2843,38 +2977,145 @@ int speed_main(int argc, char **argv)
                        BIO_printf(bio_err, "\nEVP_CIPHER_CTX_new failure\n");
                        exit(1);
                    }
+
+                    /*
+                     * For AE modes, we must first encrypt the data to get
+                     * a valid tag that enables us to decrypt. If we don't
+                     * encrypt first, we won't have a valid tag that enables
+                     * authenticity and hence decryption will fail.
+                     */
                    if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL,
-                                           NULL, iv, decrypt ? 0 : 1)) {
-                        BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
+                                           NULL, NULL, ae_mode ? 1 : !decrypt)) {
+                        BIO_printf(bio_err, "\nCouldn't init the context\n");
                        dofail();
                        exit(1);
                    }

+                    /* Padding isn't needed */
                    EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0);

                    keylen = EVP_CIPHER_CTX_get_key_length(loopargs[k].ctx);
                    loopargs[k].key = app_malloc(keylen, "evp_cipher key");
                    EVP_CIPHER_CTX_rand_key(loopargs[k].ctx, loopargs[k].key);
-                    if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
-                                           loopargs[k].key, NULL, -1)) {
-                        BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
-                        dofail();
-                        exit(1);
-                    }
-                    OPENSSL_clear_free(loopargs[k].key, keylen);

-                    /* GCM-SIV/SIV mode only allows for a single Update operation */
-                    if (EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_SIV_MODE
-                            || EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_GCM_SIV_MODE)
-                        (void)EVP_CIPHER_CTX_ctrl(loopargs[k].ctx,
-                                                  EVP_CTRL_SET_SPEED, 1, NULL);
+                    if (!ae_mode) {
+                        if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
+                                               loopargs[k].key, iv, -1)) {
+                            BIO_printf(bio_err, "\nFailed to set the key\n");
+                            dofail();
+                            exit(1);
+                        }
+                    } else if (mode_op == EVP_CIPH_SIV_MODE
+                               || mode_op == EVP_CIPH_GCM_SIV_MODE) {
+                        EVP_CIPHER_CTX_ctrl(loopargs[k].ctx,
+                                            EVP_CTRL_SET_SPEED, 1, NULL);
+                    }
+                    if (ae_mode && decrypt) {
+                        /* Set length of iv (Doesn't apply to SIV mode) */
+                        if (mode_op != EVP_CIPH_SIV_MODE) {
+                            if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx,
+                                                     EVP_CTRL_AEAD_SET_IVLEN,
+                                                     sizeof(aead_iv), NULL)) {
+                                BIO_printf(bio_err, "\nFailed to set iv length\n");
+                                dofail();
+                                exit(1);
+                            }
+                        }
+                        /* Set tag_len (Not for GCM/SIV at encryption stage) */
+                        if (mode_op != EVP_CIPH_GCM_MODE
+                            && mode_op != EVP_CIPH_SIV_MODE
+                            && mode_op != EVP_CIPH_GCM_SIV_MODE) {
+                            if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx,
+                                                     EVP_CTRL_AEAD_SET_TAG,
+                                                     TAG_LEN, NULL)) {
+                                BIO_printf(bio_err,
+                                           "\nFailed to set tag length\n");
+                                dofail();
+                                exit(1);
+                            }
+                        }
+                        if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
+                                               loopargs[k].key, aead_iv, -1)) {
+                            BIO_printf(bio_err, "\nFailed to set the key\n");
+                            dofail();
+                            exit(1);
+                        }
+                        /* Set total length of input. Only required for CCM */
+                        if (mode_op == EVP_CIPH_CCM_MODE) {
+                            if (!EVP_EncryptUpdate(loopargs[k].ctx, NULL,
+                                                   &outlen, NULL,
+                                                   lengths[testnum])) {
+                                BIO_printf(bio_err,
+                                           "\nCouldn't set input text length\n");
+                                dofail();
+                                exit(1);
+                            }
+                        }
+                        if (aead) {
+                            if (!EVP_EncryptUpdate(loopargs[k].ctx, NULL,
+                                                   &outlen, aad, sizeof(aad))) {
+                                BIO_printf(bio_err,
+                                           "\nCouldn't insert AAD when encrypting\n");
+                                dofail();
+                                exit(1);
+                            }
+                        }
+                        if (!EVP_EncryptUpdate(loopargs[k].ctx, loopargs[k].buf,
+                                               &outlen, loopargs[k].buf,
+                                               lengths[testnum])) {
+                            BIO_printf(bio_err,
+                                       "\nFailed to to encrypt the data\n");
+                            dofail();
+                            exit(1);
+                        }
+
+                        if (!EVP_EncryptFinal_ex(loopargs[k].ctx,
+                                                 loopargs[k].buf, &outlen)) {
+                            BIO_printf(bio_err,
+                                       "\nFailed finalize the encryption\n");
+                            dofail();
+                            exit(1);
+                        }
+
+                        if (!EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_AEAD_GET_TAG,
+                                                 TAG_LEN, &loopargs[k].tag)) {
+                            BIO_printf(bio_err, "\nFailed to get the tag\n");
+                            dofail();
+                            exit(1);
+                        }
+
+                        EVP_CIPHER_CTX_free(loopargs[k].ctx);
+                        loopargs[k].ctx = EVP_CIPHER_CTX_new();
+                        if (loopargs[k].ctx == NULL) {
+                            BIO_printf(bio_err,
+                                       "\nEVP_CIPHER_CTX_new failure\n");
+                            exit(1);
+                        }
+                        if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher,
+                                               NULL, NULL, NULL, 0)) {
+                            BIO_printf(bio_err,
+                                       "\nFailed initializing the context\n");
+                            dofail();
+                            exit(1);
+                        }
+
+                        EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0);
+
+                        /* GCM-SIV/SIV only allows for a single Update operation */
+                        if (mode_op == EVP_CIPH_SIV_MODE
+                            || mode_op == EVP_CIPH_GCM_SIV_MODE)
+                            EVP_CIPHER_CTX_ctrl(loopargs[k].ctx,
+                                                EVP_CTRL_SET_SPEED, 1, NULL);
+                    }
                }

                Time_F(START);
                count = run_benchmark(async_jobs, loopfunc, loopargs);
                d = Time_F(STOP);
-                for (k = 0; k < loopargs_len; k++)
+                for (k = 0; k < loopargs_len; k++) {
+                    OPENSSL_clear_free(loopargs[k].key, keylen);
                    EVP_CIPHER_CTX_free(loopargs[k].ctx);
+                }
                print_result(D_EVP, testnum, count, d);
            }
        } else if (evp_md_name != NULL) {
@ -2893,6 +3134,7 @@ int speed_main(int argc, char **argv)
    }

    if (doit[D_EVP_CMAC]) {
+        size_t len = sizeof("cmac()") + strlen(evp_mac_ciphername);
        OSSL_PARAM params[3];
        EVP_CIPHER *cipher = NULL;

@ -2905,9 +3147,8 @@ int speed_main(int argc, char **argv)
            BIO_printf(bio_err, "\nRequested CMAC cipher with unsupported key length.\n");
            goto end;
        }
-        evp_cmac_name = app_malloc(sizeof("cmac()")
-                                   + strlen(evp_mac_ciphername), "CMAC name");
-        sprintf(evp_cmac_name, "cmac(%s)", evp_mac_ciphername);
+        evp_cmac_name = app_malloc(len, "CMAC name");
+        BIO_snprintf(evp_cmac_name, len, "cmac(%s)", evp_mac_ciphername);
        names[D_EVP_CMAC] = evp_cmac_name;

        params[0] = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_CIPHER,
@ -2992,7 +3233,7 @@ int speed_main(int argc, char **argv)
                && EVP_PKEY_CTX_set_rsa_keygen_bits(genctx, rsa_keys[testnum].bits) > 0
                && EVP_PKEY_CTX_set1_rsa_keygen_pubexp(genctx, bn) > 0
                && EVP_PKEY_CTX_set_rsa_keygen_primes(genctx, primes) > 0
-                && EVP_PKEY_keygen(genctx, &rsa_key);
+                && EVP_PKEY_keygen(genctx, &rsa_key) > 0;
            BN_free(bn);
            bn = NULL;
            EVP_PKEY_CTX_free(genctx);
@ -4852,7 +5093,6 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
        print_message(alg_name, mblengths[j], seconds->sym);
        Time_F(START);
        for (count = 0; run && COND(count); count++) {
-            unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
            EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
            size_t len = mblengths[j];
            int packlen;
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@ -18,9 +18,11 @@

 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                   int expected, int criterion, OSSL_STORE_SEARCH *search,
-                   int text, int noout, int recursive, int indent, BIO *out,
+                   int text, int noout, int recursive, int indent, const char *outfile,
                   const char *prog, OSSL_LIB_CTX *libctx);

+static BIO *out = NULL;
+
 typedef enum OPTION_choice {
    OPT_COMMON,
    OPT_ENGINE, OPT_OUT, OPT_PASSIN,
@ -71,7 +73,6 @@ int storeutl_main(int argc, char *argv[])
 {
    int ret = 1, noout = 0, text = 0, recursive = 0;
    char *outfile = NULL, *passin = NULL, *passinarg = NULL;
-    BIO *out = NULL;
    ENGINE *e = NULL;
    OPTION_CHOICE o;
    char *prog;
@ -311,13 +312,9 @@ int storeutl_main(int argc, char *argv[])
    pw_cb_data.password = passin;
    pw_cb_data.prompt_info = argv[0];

-    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
-    if (out == NULL)
-        goto end;
-
    ret = process(argv[0], get_ui_method(), &pw_cb_data,
                  expected, criterion, search,
-                  text, noout, recursive, 0, out, prog, libctx);
+                  text, noout, recursive, 0, outfile, prog, libctx);

 end:
    EVP_MD_free(digest);
@ -348,7 +345,7 @@ static int indent_printf(int indent, BIO *bio, const char *format, ...)

 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                   int expected, int criterion, OSSL_STORE_SEARCH *search,
-                   int text, int noout, int recursive, int indent, BIO *out,
+                   int text, int noout, int recursive, int indent, const char *outfile,
                   const char *prog, OSSL_LIB_CTX *libctx)
 {
    OSSL_STORE_CTX *store_ctx = NULL;
@ -427,6 +424,13 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
            indent_printf(indent, bio_out, "%d: %s\n", items, infostr);
        }

+        if (out == NULL) {
+            if ((out = bio_open_default(outfile, 'w', FORMAT_TEXT)) == NULL) {
+                ret++;
+                goto end2;
+            }
+        }
+
        /*
         * Unfortunately, PEM_X509_INFO_write_bio() is sorely lacking in
         * functionality, so we must figure out how exactly to write things
@ -438,7 +442,7 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
                const char *suburi = OSSL_STORE_INFO_get0_NAME(info);
                ret += process(suburi, uimeth, uidata,
                               expected, criterion, search,
-                               text, noout, recursive, indent + 2, out, prog,
+                               text, noout, recursive, indent + 2, outfile, prog,
                               libctx);
            }
            break;
--- a/apps/ts.c
+++ b/apps/ts.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -1017,7 +1017,7 @@ static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
            BIO_printf(bio_err, "memory allocation failure\n");
            goto err;
        }
-        if (X509_LOOKUP_load_store_ex(lookup, CAstore, libctx, propq) <= 0) {
+        if (X509_LOOKUP_add_store_ex(lookup, CAstore, libctx, propq) <= 0) {
            BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
            goto err;
        }
--- a/apps/version.c
+++ b/apps/version.c
@ -56,7 +56,6 @@ int version_main(int argc, char **argv)
 #endif
    char *prog;
    OPTION_CHOICE o;
-    const char *tmp;

    prog = opt_init(argc, argv, version_options);
    while ((o = opt_next()) != OPT_EOF) {
@ -134,18 +133,12 @@ opthelp:
    }
    if (cflags)
        printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
-    if (dir) {
-        tmp = OpenSSL_version(OPENSSL_DIR);
-        printf("OPENSSLDIR: %s\n", tmp == NULL ? "Undefined" : tmp);
-    }
-    if (engdir) {
-        tmp = OpenSSL_version(OPENSSL_ENGINES_DIR);
-        printf("ENGINESDIR: %s\n", tmp == NULL ? "Undefined" : tmp);
-    }
-    if (moddir) {
-        tmp = OpenSSL_version(OPENSSL_MODULES_DIR);
-        printf("MODULESDIR: %s\n", tmp == NULL ? "Undefined" : tmp);
-    }
+    if (dir)
+        printf("%s\n", OpenSSL_version(OPENSSL_DIR));
+    if (engdir)
+        printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
+    if (moddir)
+        printf("%s\n", OpenSSL_version(OPENSSL_MODULES_DIR));
    if (seed) {
        const char *src = OPENSSL_info(OPENSSL_INFO_SEED_SOURCE);
        printf("Seeding source: %s\n", src ? src : "N/A");
@ -154,7 +147,7 @@ opthelp:
        printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO));
 #if defined(_WIN32)
    if (windows)
-        printf("OSSL_WINCTX: %s\n", OpenSSL_version(OPENSSL_WINCTX));
+        printf("%s\n", OpenSSL_version(OPENSSL_WINCTX));
 #endif
    ret = 0;
 end:
--- a/apps/x509.c
+++ b/apps/x509.c
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -453,7 +453,8 @@ int x509_main(int argc, char **argv)
                           prog, opt_arg());
                goto opthelp;
            }
-            sk_ASN1_OBJECT_push(trust, objtmp);
+            if (!sk_ASN1_OBJECT_push(trust, objtmp))
+                goto end;
            trustout = 1;
            break;
        case OPT_ADDREJECT:
@ -464,7 +465,8 @@ int x509_main(int argc, char **argv)
                           prog, opt_arg());
                goto opthelp;
            }
-            sk_ASN1_OBJECT_push(reject, objtmp);
+            if (!sk_ASN1_OBJECT_push(trust, objtmp))
+                goto end;
            trustout = 1;
            break;
        case OPT_SETALIAS:
--- a/configdata.pm.in
+++ b/configdata.pm.in
@ -145,7 +145,7 @@ _____
                       # defined in one template stick around for the
                       # next, making them combinable
                       PACKAGE => 'OpenSSL::safe')
-            or die $Text::Template::ERROR;
+            or die $OpenSSL::Template::ERROR;
        close BUILDFILE;
        rename("$buildfile.new", $buildfile)
            or die "Trying to rename $buildfile.new to $buildfile: $!";
@ -167,7 +167,7 @@ _____
                       # defined in one template stick around for the
                       # next, making them combinable
                       PACKAGE => 'OpenSSL::safe')
-            or die $Text::Template::ERROR;
+            or die $OpenSSL::Template::ERROR;
        close CONFIGURATION_H;

        # When using stat() on Windows, we can get it to perform better by
--- a/crypto/aes/asm/aesni-xts-avx512.pl
+++ b/crypto/aes/asm/aesni-xts-avx512.pl
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -106,13 +106,21 @@ my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
 	$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));


+#
+# This file generates .s file for 64-bit and 32-bit CPUs.
+# We don't implement .rodata on 32-bit CPUs yet.
+#
+$code.=".rodata\n"	if ($flavour =~ /64/);
 $code.=<<___;
 .align	5
 .Lrcon:
 .long	0x01,0x01,0x01,0x01
 .long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
 .long	0x1b,0x1b,0x1b,0x1b
+___
+$code.=".previous\n"	if ($flavour =~ /64/);

+$code.=<<___;
 .globl	${prefix}_set_encrypt_key
 .type	${prefix}_set_encrypt_key,%function
 .align	5
@ -139,7 +147,15 @@ $code.=<<___;
 	tst	$bits,#0x3f
 	b.ne	.Lenc_key_abort

+___
+$code.=<<___	if ($flavour =~ /64/);
+	adrp	$ptr,.Lrcon
+	add	$ptr,$ptr,:lo12:.Lrcon
+___
+$code.=<<___	if ($flavour =~ /32/);
 	adr	$ptr,.Lrcon
+___
+$code.=<<___;
 	cmp	$bits,#192

 	veor	$zero,$zero,$zero
@ -2493,7 +2509,7 @@ ${prefix}_ctr32_encrypt_blocks_unroll12_eor3:
 	ldp		d8,d9,[sp, #16]
 	ldp		d10,d11,[sp, #32]
 	ldp		d12,d13,[sp, #48]
-	ldp		d15,d16,[sp, #64]
+	ldp		d14,d15,[sp, #64]
 	ldr		x29,[sp],#80
 	ret
 .size	${prefix}_ctr32_encrypt_blocks_unroll12_eor3,.-${prefix}_ctr32_encrypt_blocks_unroll12_eor3
--- a/crypto/aes/asm/bsaes-armv8.pl
+++ b/crypto/aes/asm/bsaes-armv8.pl
@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -32,7 +32,7 @@ sub data
 }

 __END__
-// Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+// Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
 //
 // Licensed under the OpenSSL license (the "License").  You may not use
 // this file except in compliance with the License.  You can obtain a copy
@ -78,7 +78,8 @@ __END__
 //   other SIMD registers corrupted
 _bsaes_decrypt8:
        ldr     q8, [x9], #16
-        adr     x11, .LM0ISR
+        adrp    x11, .LM0ISR
+        add     x11, x11, #:lo12:.LM0ISR
        movi    v9.16b, #0x55
        ldr     q10, [x11], #16
        movi    v16.16b, #0x33
@ -494,9 +495,10 @@ _bsaes_decrypt8:
        ret
 .size   _bsaes_decrypt8,.-_bsaes_decrypt8

-.type   _bsaes_const,%object
+.rodata
+.type   _bsaes_consts,%object
 .align  6
-_bsaes_const:
+_bsaes_consts:
 // InvShiftRows constants
 // Used in _bsaes_decrypt8, which assumes contiguity
 // .LM0ISR used with round 0 key
@ -532,7 +534,9 @@ _bsaes_const:
 .quad   0x090d01050c000408, 0x03070b0f060a0e02

 .align  6
-.size   _bsaes_const,.-_bsaes_const
+.size   _bsaes_consts,.-_bsaes_consts
+
+.previous

 .type   _bsaes_encrypt8,%function
 .align  4
@ -548,7 +552,8 @@ _bsaes_const:
 //   other SIMD registers corrupted
 _bsaes_encrypt8:
        ldr     q8, [x9], #16
-        adr     x11, .LM0SR
+        adrp    x11, .LM0SR
+        add     x11, x11, #:lo12:.LM0SR
        ldr     q9, [x11], #16
 _bsaes_encrypt8_alt:
        eor     v0.16b, v0.16b, v8.16b
@ -952,9 +957,11 @@ _bsaes_encrypt8_alt:
 //   other SIMD registers corrupted
 _bsaes_key_convert:
 #ifdef __AARCH64EL__
-        adr     x11, .LM0_littleendian
+        adrp    x11, .LM0_littleendian
+        add     x11, x11, #:lo12:.LM0_littleendian
 #else
-        adr     x11, .LM0_bigendian
+        adrp    x11, .LM0_bigendian
+        add     x11, x11, #:lo12:.LM0_bigendian
 #endif
        ldr     q0, [x9], #16               // load round 0 key
        ldr     q1, [x11]                   // .LM0
@ -998,7 +1005,8 @@ _bsaes_key_convert:
        // don't save last round key
 #ifdef __AARCH64EL__
        rev32   v15.16b, v15.16b
-        adr     x11, .LM0_bigendian
+        adrp    x11, .LM0_bigendian
+        add     x11, x11, #:lo12:.LM0_bigendian
 #endif
        ret
 .size   _bsaes_key_convert,.-_bsaes_key_convert
--- a/crypto/aes/asm/vpaes-armv8.pl
+++ b/crypto/aes/asm/vpaes-armv8.pl
@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -55,7 +55,7 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\""
 $code.=<<___;
 #include "arm_arch.h"

-.text
+.rodata

 .type	_vpaes_consts,%object
 .align	7	// totally strategic alignment
@ -146,6 +146,9 @@ _vpaes_consts:
 .asciz  "Vector Permutation AES for ARMv8, Mike Hamburg (Stanford University)"
 .size	_vpaes_consts,.-_vpaes_consts
 .align	6
+
+.text
+
 ___

 {
@ -165,7 +168,8 @@ $code.=<<___;
 .type	_vpaes_encrypt_preheat,%function
 .align	4
 _vpaes_encrypt_preheat:
-	adr	x10, .Lk_inv
+	adrp	x10, .Lk_inv
+	add	x10, x10, :lo12:.Lk_inv
 	movi	v17.16b, #0x0f
 	ld1	{v18.2d-v19.2d}, [x10],#32	// .Lk_inv
 	ld1	{v20.2d-v23.2d}, [x10],#64	// .Lk_ipt, .Lk_sbo
@ -193,7 +197,8 @@ _vpaes_encrypt_preheat:
 _vpaes_encrypt_core:
 	mov	x9, $key
 	ldr	w8, [$key,#240]			// pull rounds
-	adr	x11, .Lk_mc_forward+16
+	adrp	x11, .Lk_mc_forward+16
+	add	x11, x11, :lo12:.Lk_mc_forward+16
 						// vmovdqa	.Lk_ipt(%rip),	%xmm2	# iptlo
 	ld1	{v16.2d}, [x9], #16		// vmovdqu	(%r9),	%xmm5		# round0 key
 	and	v1.16b, v7.16b, v17.16b		// vpand	%xmm9,	%xmm0,	%xmm1
@ -280,7 +285,8 @@ vpaes_encrypt:
 _vpaes_encrypt_2x:
 	mov	x9, $key
 	ldr	w8, [$key,#240]			// pull rounds
-	adr	x11, .Lk_mc_forward+16
+	adrp	x11, .Lk_mc_forward+16
+	add	x11, x11, :lo12:.Lk_mc_forward+16
 						// vmovdqa	.Lk_ipt(%rip),	%xmm2	# iptlo
 	ld1	{v16.2d}, [x9], #16		// vmovdqu	(%r9),	%xmm5		# round0 key
 	and	v1.16b,  v14.16b,  v17.16b	// vpand	%xmm9,	%xmm0,	%xmm1
@ -383,9 +389,11 @@ _vpaes_encrypt_2x:
 .type	_vpaes_decrypt_preheat,%function
 .align	4
 _vpaes_decrypt_preheat:
-	adr	x10, .Lk_inv
+	adrp	x10, .Lk_inv
+	add	x10, x10, :lo12:.Lk_inv
 	movi	v17.16b, #0x0f
-	adr	x11, .Lk_dipt
+	adrp	x11, .Lk_dipt
+	add	x11, x11, :lo12:.Lk_dipt
 	ld1	{v18.2d-v19.2d}, [x10],#32	// .Lk_inv
 	ld1	{v20.2d-v23.2d}, [x11],#64	// .Lk_dipt, .Lk_dsbo
 	ld1	{v24.2d-v27.2d}, [x11],#64	// .Lk_dsb9, .Lk_dsbd
@ -407,10 +415,12 @@ _vpaes_decrypt_core:
 						// vmovdqa	.Lk_dipt(%rip), %xmm2	# iptlo
 	lsl	x11, x8, #4			// mov	%rax,	%r11;	shl	\$4, %r11
 	eor	x11, x11, #0x30			// xor		\$0x30,	%r11
-	adr	x10, .Lk_sr
+	adrp	x10, .Lk_sr
+	add	x10, x10, :lo12:.Lk_sr
 	and	x11, x11, #0x30			// and		\$0x30,	%r11
 	add	x11, x11, x10
-	adr	x10, .Lk_mc_forward+48
+	adrp	x10, .Lk_mc_forward+48
+	add	x10, x10, :lo12:.Lk_mc_forward+48

 	ld1	{v16.2d}, [x9],#16		// vmovdqu	(%r9),	%xmm4		# round0 key
 	and	v1.16b, v7.16b, v17.16b		// vpand	%xmm9,	%xmm0,	%xmm1
@ -518,10 +528,12 @@ _vpaes_decrypt_2x:
 						// vmovdqa	.Lk_dipt(%rip), %xmm2	# iptlo
 	lsl	x11, x8, #4			// mov	%rax,	%r11;	shl	\$4, %r11
 	eor	x11, x11, #0x30			// xor		\$0x30,	%r11
-	adr	x10, .Lk_sr
+	adrp	x10, .Lk_sr
+	add	x10, x10, :lo12:.Lk_sr
 	and	x11, x11, #0x30			// and		\$0x30,	%r11
 	add	x11, x11, x10
-	adr	x10, .Lk_mc_forward+48
+	adrp	x10, .Lk_mc_forward+48
+	add	x10, x10, :lo12:.Lk_mc_forward+48

 	ld1	{v16.2d}, [x9],#16		// vmovdqu	(%r9),	%xmm4		# round0 key
 	and	v1.16b,  v14.16b, v17.16b	// vpand	%xmm9,	%xmm0,	%xmm1
@ -657,14 +669,18 @@ $code.=<<___;
 .type	_vpaes_key_preheat,%function
 .align	4
 _vpaes_key_preheat:
-	adr	x10, .Lk_inv
+	adrp	x10, .Lk_inv
+	add	x10, x10, :lo12:.Lk_inv
 	movi	v16.16b, #0x5b			// .Lk_s63
-	adr	x11, .Lk_sb1
+	adrp	x11, .Lk_sb1
+	add	x11, x11, :lo12:.Lk_sb1
 	movi	v17.16b, #0x0f			// .Lk_s0F
 	ld1	{v18.2d-v21.2d}, [x10]		// .Lk_inv, .Lk_ipt
-	adr	x10, .Lk_dksd
+	adrp	x10, .Lk_dksd
+	add	x10, x10, :lo12:.Lk_dksd
 	ld1	{v22.2d-v23.2d}, [x11]		// .Lk_sb1
-	adr	x11, .Lk_mc_forward
+	adrp	x11, .Lk_mc_forward
+	add	x11, x11, :lo12:.Lk_mc_forward
 	ld1	{v24.2d-v27.2d}, [x10],#64	// .Lk_dksd, .Lk_dksb
 	ld1	{v28.2d-v31.2d}, [x10],#64	// .Lk_dkse, .Lk_dks9
 	ld1	{v8.2d}, [x10]			// .Lk_rcon
@ -688,7 +704,8 @@ _vpaes_schedule_core:
 	bl	_vpaes_schedule_transform
 	mov	v7.16b, v0.16b			// vmovdqa	%xmm0,	%xmm7

-	adr	x10, .Lk_sr			// lea	.Lk_sr(%rip),%r10
+	adrp	x10, .Lk_sr			// lea	.Lk_sr(%rip),%r10
+	add	x10, x10, :lo12:.Lk_sr
 	add	x8, x8, x10
 	cbnz	$dir, .Lschedule_am_decrypting

@ -814,12 +831,14 @@ _vpaes_schedule_core:
 .align	4
 .Lschedule_mangle_last:
 	// schedule last round key from xmm0
-	adr	x11, .Lk_deskew			// lea	.Lk_deskew(%rip),%r11	# prepare to deskew
+	adrp	x11, .Lk_deskew			// lea	.Lk_deskew(%rip),%r11	# prepare to deskew
+	add	x11, x11, :lo12:.Lk_deskew
 	cbnz	$dir, .Lschedule_mangle_last_dec

 	// encrypting
 	ld1	{v1.2d}, [x8]			// vmovdqa	(%r8,%r10),%xmm1
-	adr	x11, .Lk_opt			// lea	.Lk_opt(%rip),	%r11		# prepare to output transform
+	adrp	x11, .Lk_opt			// lea	.Lk_opt(%rip),	%r11		# prepare to output transform
+	add	x11, x11, :lo12:.Lk_opt
 	add	$out, $out, #32			// add	\$32,	%rdx
 	tbl	v0.16b, {v0.16b}, v1.16b	// vpshufb	%xmm1,	%xmm0,	%xmm0		# output permute

--- a/crypto/aes/asm/vpaes-loongarch64.pl
+++ b/crypto/aes/asm/vpaes-loongarch64.pl
@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@ -29,9 +29,9 @@
 ($vr0,$vr1,$vr2,$vr3,$vr4,$vr5,$vr6,$vr7,$vr8,$vr9,$vr10,$vr11,$vr12,$vr13,$vr14,$vr15,$vr16,$vr17,$vr18,$vr19)=map("\$vr$_",(0..19));
 ($fp)=map("\$r$_",(22));

-for (@ARGV) {   $output=$_ if (/\w[\w\-]*\.\w+$/);      }
-open STDOUT,">$output";
-while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+# $output is the last argument if it looks like a file (it has an extension)
+my $output;
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
 open STDOUT,">$output";

 $PREFIX="vpaes";
--- a/crypto/aes/build.info
+++ b/crypto/aes/build.info
@ -9,7 +9,8 @@ IF[{- !$disabled{asm} -}]

  $AESASM_x86_64=\
        aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s \
-        aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s
+        aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s \
+        aesni-xts-avx512.s
  $AESDEF_x86_64=AES_ASM VPAES_ASM BSAES_ASM

  $AESASM_ia64=aes_core.c aes_cbc.c aes-ia64.s
@ -145,6 +146,8 @@ INCLUDE[bsaes-armv7.o]=..
 GENERATE[aes-s390x.S]=asm/aes-s390x.pl
 INCLUDE[aes-s390x.o]=..

+GENERATE[aesni-xts-avx512.s]=asm/aesni-xts-avx512.pl
+
 GENERATE[aes-c64xplus.S]=asm/aes-c64xplus.pl

 GENERATE[vpaes-loongarch64.S]=asm/vpaes-loongarch64.pl
--- a/crypto/armcap.c
+++ b/crypto/armcap.c
@ -300,7 +300,8 @@ void OPENSSL_cpuid_setup(void)
            if ((sysctlbyname("machdep.cpu.brand_string", uarch, &len, NULL, 0) == 0) &&
               ((strncmp(uarch, "Apple M1", 8) == 0) ||
                (strncmp(uarch, "Apple M2", 8) == 0) ||
-                (strncmp(uarch, "Apple M3", 8) == 0))) {
+                (strncmp(uarch, "Apple M3", 8) == 0) ||
+                (strncmp(uarch, "Apple M4", 8) == 0))) {
                OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3;
                OPENSSL_armcap_P |= ARMV8_HAVE_SHA3_AND_WORTH_USING;
            }
--- a/crypto/armv4cpuid.pl
+++ b/crypto/armv4cpuid.pl
@ -293,6 +293,7 @@ atomic_add_spinlock:
 #endif

 .extern	OPENSSL_armcap_P
+.hidden	OPENSSL_armcap_P
 ___

 print $code;
--- a/Show more
+++ b/Show more