Closed
paulidale
previously approved these changes
Feb 16, 2026
xnox
reviewed
Feb 16, 2026
Contributor
I interpret the above as a typo, and you mean to say the SM provider in this message.
Contributor
Yeah, a typo. Russia, China ...
vdukhovni
requested changes
Feb 17, 2026
vdukhovni
left a comment
Pretty close, just two minor issues.
8b0e410 to
62a9334
Compare
nhorman
previously approved these changes
Feb 17, 2026
vdukhovni
requested changes
Feb 17, 2026
vdukhovni
left a comment
Just a nit with the CHANGES.md file.
62a9334 to
7c333ca
Compare
8df4176 to
f00c1c1
Compare
Member
Author
Rebased due to conflicts with master.
t8m
approved these changes
Feb 19, 2026
mattcaswell
approved these changes
Feb 19, 2026
vdukhovni
approved these changes
Feb 19, 2026
Collaborator
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
Contributor
merged to master, thank you
openssl-machine
pushed a commit
that referenced
this pull request
Feb 19, 2026
This adds TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3 as defined in RFC 8998.

Fixes openssl/project#1871

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:15 2026
(Merged from #30028)
openssl-machine
pushed a commit
that referenced
this pull request
Feb 19, 2026
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:20 2026
(Merged from #30028)
openssl-machine
pushed a commit
that referenced
this pull request
Feb 19, 2026
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:25 2026
(Merged from #30028)
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Apr 14, 2026
Overall, CHANGES.md includes the following: * openssl#8136 "Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit set in unsigned BN" * openssl#17495 "4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure" * openssl#18229 "public API: Remove needless `const` from scalar types" * openssl#22304 "4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters" * openssl#24551 "Enable RFC 7919 FFDHE groups for TLS 1.2 server" * openssl#24738 "add ech-api.md" * openssl#25193 "ECH build artefacts and a bit of code" * openssl#25420 "ECH CLI implementation" * openssl#25663 "ECH external APIs" * openssl#25991 "preserve data constness when getting issuer name's and subject's hash" * openssl#26011 "ECH client side" * openssl#27397 "create SSL_listen_ex api" * openssl#27431 "fips: Enforce lower bounds checks for password protected files when using FIPS providers, by default" * openssl#27540 "ECH client sending mulitple key shares" * openssl#27561 "ECH both sides now" * openssl#27776 "Introduce the PACKET_msg_start() function" * openssl#28033 "Constify further X509 functions; remove OSSL_FUTURE_CONST" * openssl#28041 "Remove support for SSLv2 Client Hello" * openssl#28108 "Add a way to cleanse params arrays" * openssl#28160 "New options for reading MAC key from environment variable, file and standard input were added." * openssl#28270 "s_client and s_server command line options for ECH (plus some wndows CI fixes)" * openssl#28278 "Implementing store support for EVP_SKEY" * openssl#28305 "Replace homebrewed implementation of *printf*() functions with libc" * openssl#28432 "Add support for CSHAKE." 
* openssl#28445 "Updated s_server's verify_return_error option to enable peer verification" * openssl#28535 "Print PowerPC CPUINFO" * openssl#28623 "Combining time validation with comparison return values considered harmful" * openssl#28837 "Add support to serialize/deserialize digest state for export/import" * openssl#29018 "CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE" * openssl#29057 "Avoid empty AKID/SKID extensions in CSRs and certs" * openssl#29107 "CRL: Enforce proper handling of ASN1_TIME validation results" * openssl#29116 "info: Print CPUINFO for SPARCv9 processors" * openssl#29136 "DOC: CRL Certificate Issuer and IDP extensions" * openssl#29152 "Add new public API for checking certificate times." * openssl#29187 "Remove the ASN1_STRING_FLAG_X509_TIME flag" * openssl#29195 "Add SNMPKDF implementation" * openssl#29200 "Add tests and documentation and fix some issues resulting" * openssl#29206 "Per-key encoding formats for ML-KEM and ML-DSA" * openssl#29222 "Implementation of Deferred FIPS Self-Tests" * openssl#29223 "ML-DSA: Add a digest that can calculate external mu." * openssl#29230 "doc/man3: Add OPENSSL_ppccap.pod * openssl#29266 "make PEM hexdump width a multiple of 8 bytes" * openssl#29299 "Remove support for custom EVP_CIPHERs" * openssl#29305 "Feature/engineremoval" * openssl#29311 "Documentation for BIO flags and related functions" * openssl#29338 "merge feature/removesslv3" * openssl#29366 "Remove support for custom EVP_MDs" * openssl#29380 "Remove crypto-mdebug-backtrace option from config" * openssl#29381 " Added LMS support for OpenSSL commandline signature verification using pkeyutl." 
* openssl#29384 "Remove support for custom EVP_PKEY_METHODs" * openssl#29385 "Atexit.final draft.cleanup" * openssl#29387 "Add ASN1_BIT_STRING_get_length()" * openssl#29405 "Remove support EVP_PKEY_ASN1_METHODs from the public API" * openssl#29427 "Remove the c_rehash script" * openssl#29428 "Constify return value of X509_get_X509_PUBKEY()" * openssl#29435 "Add SRTP KDF" * openssl#29445 "Remove BIO_f_reliable() as it is broken" * openssl#29465 "Constify X509_get_ext() and friends.." * openssl#29468 "constify X509_NAME." * openssl#29488 "Constify the X509_STORE_CTX argument to the lookup_certs functions." * openssl#29576 "KDF: Add configuration options to disable many of the KDF algorithms." * openssl#29612 "Support multiple names for certificate verification" * openssl#29635 "SSL_CTX_is_server() was added" * openssl#29639 "Disabling explicit EC curves encoding" * openssl#29640 "add thunking for compare function to OPENSSL_STACK" * openssl#29646 "Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()" * openssl#29653 "Drop darwin-i386(-cc) targets from Configurations" * openssl#29658 "Disable support of weak elliptic curves in TLS by default" * openssl#29672 "Drop darwin-ppc{,64} targets" * openssl#29721 "Make OPENSSL_cleanup() G A" * openssl#29813 "Make X509_ATTRIBUTE accessor functions const-correct" * openssl#29862 "Make ASN1_STRING opaque" * openssl#29874 "Take OPENSSL_atexit() for a walk behind the barn." * openssl#29926 "Provide ASN1_BIT_STRING_set1()" * openssl#29953 "Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid." 
* openssl#29971 "X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set" * openssl#29982 "Improved reporting of shared and peer sigalgs" * openssl#29991 "Fix of SSL_get_error() so that it no longer depends on the state of the error stack" * openssl#29995 "Add abilty to use static vcruntime" * openssl#30005 "Make ERR_STATE opaque and remove related deprecated functions" * openssl#30011 "Deprecate ASN1_OBJECT_new()." * openssl#30020 "Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex()." * openssl#30024 "CRL: reject malformed CRL Number and CRL Delta Indicator" * openssl#30028 "Add TLS 1.3 SM ciphersuites" * openssl#30031 "Mostly deprecated is slightly not deprecated...." * openssl#30033 "Remove the "msie-hack" option from openssl ca" * openssl#30034 "Use the appropriate libctx when executing CMS_SignerInfo_verify" * openssl#30035 "Constify X509_verify" * openssl#30036 "Constify more X509 arguments and return values" * openssl#30044 "Added BIO_set_send_flags() function to set flags passed to send(), sendto(), and sendmsg()" * openssl#30048 "change from I-D to RFC 9849 and resolve TODO(ECH) cases" * openssl#30053 "Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN" * openssl#30054 "Consity X509_add_cert and X509_self_signed" * openssl#30055 "Constify various functions that were non const due to extension cache" * openssl#30056 "Constify X509_build_chain" * openssl#30058 "Constify X509_chain_check_suiteb" * openssl#30064 "document the new build option "enable-static-vcruntime"" * openssl#30067 "Constify X509_check_issued and friends" * openssl#30071 "constify X509_check_trust, X509_TRUST_add" * openssl#30072 "Constify X509_to_X509_REQ and X509_REQ_to_X509" * openssl#30073 "Constify X509_print_fp and X509_print_ex_fp" * openssl#30074 "Constify X509_STORE_add_cert()" * openssl#30076 "Constify X509_STORE_CTX functions invoving X509 *" * openssl#30079 "Constify X509_CRL_get0_by_cert" * openssl#30080 "Constify 
X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set" * openssl#30082 "Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp." * openssl#30084 "Constify X509_issuer_and_serial_hash" * openssl#30089 "Added -expected-rpks s_client/server option" * openssl#30090 "Constify X509_CRL_get0_by_cert" * openssl#30092 "constify X509_find_by_issuer_and_serial" * openssl#30096 "Constify X509_find_by_subject" * openssl#30098 "Add a changes entry for the x509 time function changes" * openssl#30113 "Add keyshare floating" * openssl#30117 "Constify X509_OBJECT_[get0|set1]_X509 and friends" * openssl#30127 "Constify a bunch of seldom used X509 functions. " * openssl#30128 "Removes fixed version TLS methods." * openssl#30140 "Ensure TLS 1.3 ciphersuites are actually for TLS 1.3" * openssl#30171 "CRL: Reject CRLs with malformed Issuing Distribution Point" * openssl#30200 "Remove remnant SSL_FIPS flag" * openssl#30217 "Akid skid fixup" * openssl#30229 "X509 returned by X509_REQ_to_X509() should not be (const ...)" * openssl#30235 "Make X509_up_ref and X509_free take const X509 *" * openssl#30249 "x509: remove erroneous critical extension enforcement" * openssl#30252 "Some more X509 extension add/del polish" * openssl#30263 "Restrict the number of keyshares/groups/sigalgs a server is willing to accept" * openssl#30265 "Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()" * openssl#30272 "Partially revert "Constify X509_STORE_CTX functions invoving X509 *"" * openssl#30273 "Revert "Make X509_up_ref and X509_free take const X509 *"" * openssl#30276 "Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509" The changes associated with these PRs are already mentioned in 3.6.x changes: * openssl#28760 "Improve the CPUINFO display for RISC-V" * openssl#28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set" * openssl#28955 "Fix for TLS handshake issue with GnuTLS openssl#28902" * openssl#29155 "fix(x509.c): fixed -checkend return 
values" * openssl#29214 "s390x: Check and fail on invalid malformed ECDSA signatures" * openssl#29242 "Clang format head" * openssl#29251 "Fix change of behavior of the single stapled OCSP response API" * openssl#30204 "Fix detection of plaintext HTTP over TLS" * openssl#30384 "Fix openssl#19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect" * openssl#30557 "re-constructorize the cpuid stuff, but fix riscv to not depend on BIO_snprintf." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Apr 14, 2026
NEWS.md is amended to include the following PRs: * openssl#28305 "Replace homebrewed implementation of *printf*() functions with libc" * openssl#29299 "Remove support for custom EVP_CIPHERs" * openssl#29366 "Remove support for custom EVP_MDs" * openssl#29384 "Remove support for custom EVP_PKEY_METHODs" * openssl#30128 "Removes fixed version TLS methods." * openssl#29405 "Remove support EVP_PKEY_ASN1_METHODs from the public API" Overall, CHANGES.md includes the following: * openssl#8136 "Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit set in unsigned BN" * openssl#17495 "4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure" * openssl#18229 "public API: Remove needless `const` from scalar types" * openssl#22304 "4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters" * openssl#24551 "Enable RFC 7919 FFDHE groups for TLS 1.2 server" * openssl#24738 "add ech-api.md" * openssl#25193 "ECH build artefacts and a bit of code" * openssl#25420 "ECH CLI implementation" * openssl#25663 "ECH external APIs" * openssl#25991 "preserve data constness when getting issuer name's and subject's hash" * openssl#26011 "ECH client side" * openssl#27397 "create SSL_listen_ex api" * openssl#27431 "fips: Enforce lower bounds checks for password protected files when using FIPS providers, by default" * openssl#27540 "ECH client sending mulitple key shares" * openssl#27561 "ECH both sides now" * openssl#27776 "Introduce the PACKET_msg_start() function" * openssl#28033 "Constify further X509 functions; remove OSSL_FUTURE_CONST" * openssl#28041 "Remove support for SSLv2 Client Hello" * openssl#28108 "Add a way to cleanse params arrays" * openssl#28160 "New options for reading MAC key from environment variable, file and standard input were added." 
* openssl#28270 "s_client and s_server command line options for ECH (plus some wndows CI fixes)" * openssl#28278 "Implementing store support for EVP_SKEY" * openssl#28305 "Replace homebrewed implementation of *printf*() functions with libc" * openssl#28432 "Add support for CSHAKE." * openssl#28445 "Updated s_server's verify_return_error option to enable peer verification" * openssl#28535 "Print PowerPC CPUINFO" * openssl#28623 "Combining time validation with comparison return values considered harmful" * openssl#28837 "Add support to serialize/deserialize digest state for export/import" * openssl#29018 "CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE" * openssl#29057 "Avoid empty AKID/SKID extensions in CSRs and certs" * openssl#29107 "CRL: Enforce proper handling of ASN1_TIME validation results" * openssl#29116 "info: Print CPUINFO for SPARCv9 processors" * openssl#29152 "Add new public API for checking certificate times." * openssl#29187 "Remove the ASN1_STRING_FLAG_X509_TIME flag" * openssl#29195 "Add SNMPKDF implementation" * openssl#29200 "Add tests and documentation and fix some issues resulting" * openssl#29206 "Per-key encoding formats for ML-KEM and ML-DSA" * openssl#29222 "Implementation of Deferred FIPS Self-Tests" * openssl#29223 "ML-DSA: Add a digest that can calculate external mu." * openssl#29230 "doc/man3: Add OPENSSL_ppccap.pod * openssl#29266 "make PEM hexdump width a multiple of 8 bytes" * openssl#29299 "Remove support for custom EVP_CIPHERs" * openssl#29305 "Feature/engineremoval" * openssl#29311 "Documentation for BIO flags and related functions" * openssl#29338 "merge feature/removesslv3" * openssl#29366 "Remove support for custom EVP_MDs" * openssl#29380 "Remove crypto-mdebug-backtrace option from config" * openssl#29381 " Added LMS support for OpenSSL commandline signature verification using pkeyutl." 
* openssl#29384 "Remove support for custom EVP_PKEY_METHODs" * openssl#29385 "Atexit.final draft.cleanup" * openssl#29387 "Add ASN1_BIT_STRING_get_length()" * openssl#29405 "Remove support EVP_PKEY_ASN1_METHODs from the public API" * openssl#29427 "Remove the c_rehash script" * openssl#29428 "Constify return value of X509_get_X509_PUBKEY()" * openssl#29435 "Add SRTP KDF" * openssl#29445 "Remove BIO_f_reliable() as it is broken" * openssl#29465 "Constify X509_get_ext() and friends.." * openssl#29468 "constify X509_NAME." * openssl#29488 "Constify the X509_STORE_CTX argument to the lookup_certs functions." * openssl#29576 "KDF: Add configuration options to disable many of the KDF algorithms." * openssl#29612 "Support multiple names for certificate verification" * openssl#29635 "SSL_CTX_is_server() was added" * openssl#29639 "Disabling explicit EC curves encoding" * openssl#29640 "add thunking for compare function to OPENSSL_STACK" * openssl#29646 "Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()" * openssl#29653 "Drop darwin-i386(-cc) targets from Configurations" * openssl#29658 "Disable support of weak elliptic curves in TLS by default" * openssl#29672 "Drop darwin-ppc{,64} targets" * openssl#29721 "Make OPENSSL_cleanup() G A" * openssl#29813 "Make X509_ATTRIBUTE accessor functions const-correct" * openssl#29862 "Make ASN1_STRING opaque" * openssl#29874 "Take OPENSSL_atexit() for a walk behind the barn." * openssl#29926 "Provide ASN1_BIT_STRING_set1()" * openssl#29953 "Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid." 
* openssl#29971 "X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* openssl#29982 "Improved reporting of shared and peer sigalgs"
* openssl#29991 "Fix of SSL_get_error() so that it no longer depends on the state of the error stack"
* openssl#29995 "Add abilty to use static vcruntime"
* openssl#30005 "Make ERR_STATE opaque and remove related deprecated functions"
* openssl#30011 "Deprecate ASN1_OBJECT_new()."
* openssl#30020 "Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex()."
* openssl#30024 "CRL: reject malformed CRL Number and CRL Delta Indicator"
* openssl#30028 "Add TLS 1.3 SM ciphersuites"
* openssl#30031 "Mostly deprecated is slightly not deprecated...."
* openssl#30033 "Remove the "msie-hack" option from openssl ca"
* openssl#30034 "Use the appropriate libctx when executing CMS_SignerInfo_verify"
* openssl#30035 "Constify X509_verify"
* openssl#30036 "Constify more X509 arguments and return values"
* openssl#30044 "Added BIO_set_send_flags() function to set flags passed to send(), sendto(), and sendmsg()"
* openssl#30048 "change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* openssl#30053 "Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* openssl#30054 "Consity X509_add_cert and X509_self_signed"
* openssl#30055 "Constify various functions that were non const due to extension cache"
* openssl#30056 "Constify X509_build_chain"
* openssl#30058 "Constify X509_chain_check_suiteb"
* openssl#30067 "Constify X509_check_issued and friends"
* openssl#30071 "constify X509_check_trust, X509_TRUST_add"
* openssl#30072 "Constify X509_to_X509_REQ and X509_REQ_to_X509"
* openssl#30073 "Constify X509_print_fp and X509_print_ex_fp"
* openssl#30074 "Constify X509_STORE_add_cert()"
* openssl#30076 "Constify X509_STORE_CTX functions invoving X509 *"
* openssl#30079 "Constify X509_CRL_get0_by_cert"
* openssl#30080 "Constify X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set"
* openssl#30082 "Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* openssl#30084 "Constify X509_issuer_and_serial_hash"
* openssl#30089 "Added -expected-rpks s_client/server option"
* openssl#30090 "Constify X509_CRL_get0_by_cert"
* openssl#30092 "constify X509_find_by_issuer_and_serial"
* openssl#30096 "Constify X509_find_by_subject"
* openssl#30098 "Add a changes entry for the x509 time function changes"
* openssl#30113 "Add keyshare floating"
* openssl#30117 "Constify X509_OBJECT_[get0|set1]_X509 and friends"
* openssl#30127 "Constify a bunch of seldom used X509 functions. "
* openssl#30128 "Removes fixed version TLS methods."
* openssl#30140 "Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* openssl#30171 "CRL: Reject CRLs with malformed Issuing Distribution Point"
* openssl#30200 "Remove remnant SSL_FIPS flag"
* openssl#30229 "X509 returned by X509_REQ_to_X509() should not be (const ...)"
* openssl#30235 "Make X509_up_ref and X509_free take const X509 *"
* openssl#30249 "x509: remove erroneous critical extension enforcement"
* openssl#30252 "Some more X509 extension add/del polish"
* openssl#30263 "Restrict the number of keyshares/groups/sigalgs a server is willing to accept"
* openssl#30265 "Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* openssl#30272 "Partially revert "Constify X509_STORE_CTX functions invoving X509 *""
* openssl#30273 "Revert "Make X509_up_ref and X509_free take const X509 *""
* openssl#30276 "Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"

The changes associated with these PRs are already mentioned in 3.6.x changes:

* openssl#28760 "Improve the CPUINFO display for RISC-V"
* openssl#28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* openssl#28955 "Fix for TLS handshake issue with GnuTLS openssl#28902"
* openssl#29155 "fix(x509.c): fixed -checkend return values"
* openssl#29214 "s390x: Check and fail on invalid malformed ECDSA signatures"
* openssl#29242 "Clang format head"
* openssl#29251 "Fix change of behavior of the single stapled OCSP response API"
* openssl#30204 "Fix detection of plaintext HTTP over TLS"
* openssl#30384 "Fix openssl#19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* openssl#30557 "re-constructorize the cpuid stuff, but fix riscv to not depend on BIO_snprintf."

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
openssl-machine
pushed a commit
that referenced
this pull request
Apr 14, 2026
NEWS.md is amended to include the following PRs:

* #28305 "Replace homebrewed implementation of *printf*() functions with libc"
* #29299 "Remove support for custom EVP_CIPHERs"
* #29366 "Remove support for custom EVP_MDs"
* #29384 "Remove support for custom EVP_PKEY_METHODs"
* #30128 "Removes fixed version TLS methods."
* #29405 "Remove support EVP_PKEY_ASN1_METHODs from the public API"

Overall, CHANGES.md includes the following:

* #8136 "Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit set in unsigned BN"
* #17495 "4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure"
* #18229 "public API: Remove needless `const` from scalar types"
* #22304 "4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters"
* #24551 "Enable RFC 7919 FFDHE groups for TLS 1.2 server"
* #24738 "add ech-api.md"
* #25193 "ECH build artefacts and a bit of code"
* #25420 "ECH CLI implementation"
* #25663 "ECH external APIs"
* #25991 "preserve data constness when getting issuer name's and subject's hash"
* #26011 "ECH client side"
* #27397 "create SSL_listen_ex api"
* #27431 "fips: Enforce lower bounds checks for password protected files when using FIPS providers, by default"
* #27540 "ECH client sending mulitple key shares"
* #27561 "ECH both sides now"
* #27776 "Introduce the PACKET_msg_start() function"
* #28033 "Constify further X509 functions; remove OSSL_FUTURE_CONST"
* #28041 "Remove support for SSLv2 Client Hello"
* #28108 "Add a way to cleanse params arrays"
* #28160 "New options for reading MAC key from environment variable, file and standard input were added."
* #28270 "s_client and s_server command line options for ECH (plus some wndows CI fixes)"
* #28278 "Implementing store support for EVP_SKEY"
* #28305 "Replace homebrewed implementation of *printf*() functions with libc"
* #28432 "Add support for CSHAKE."
* #28445 "Updated s_server's verify_return_error option to enable peer verification"
* #28535 "Print PowerPC CPUINFO"
* #28623 "Combining time validation with comparison return values considered harmful"
* #28837 "Add support to serialize/deserialize digest state for export/import"
* #29018 "CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE"
* #29057 "Avoid empty AKID/SKID extensions in CSRs and certs"
* #29107 "CRL: Enforce proper handling of ASN1_TIME validation results"
* #29116 "info: Print CPUINFO for SPARCv9 processors"
* #29152 "Add new public API for checking certificate times."
* #29187 "Remove the ASN1_STRING_FLAG_X509_TIME flag"
* #29195 "Add SNMPKDF implementation"
* #29200 "Add tests and documentation and fix some issues resulting"
* #29206 "Per-key encoding formats for ML-KEM and ML-DSA"
* #29222 "Implementation of Deferred FIPS Self-Tests"
* #29223 "ML-DSA: Add a digest that can calculate external mu."
* #29230 "doc/man3: Add OPENSSL_ppccap.pod
* #29266 "make PEM hexdump width a multiple of 8 bytes"
* #29299 "Remove support for custom EVP_CIPHERs"
* #29305 "Feature/engineremoval"
* #29311 "Documentation for BIO flags and related functions"
* #29338 "merge feature/removesslv3"
* #29366 "Remove support for custom EVP_MDs"
* #29380 "Remove crypto-mdebug-backtrace option from config"
* #29381 " Added LMS support for OpenSSL commandline signature verification using pkeyutl."
* #29384 "Remove support for custom EVP_PKEY_METHODs"
* #29385 "Atexit.final draft.cleanup"
* #29387 "Add ASN1_BIT_STRING_get_length()"
* #29405 "Remove support EVP_PKEY_ASN1_METHODs from the public API"
* #29427 "Remove the c_rehash script"
* #29428 "Constify return value of X509_get_X509_PUBKEY()"
* #29435 "Add SRTP KDF"
* #29445 "Remove BIO_f_reliable() as it is broken"
* #29465 "Constify X509_get_ext() and friends.."
* #29468 "constify X509_NAME."
* #29488 "Constify the X509_STORE_CTX argument to the lookup_certs functions."
* #29576 "KDF: Add configuration options to disable many of the KDF algorithms."
* #29612 "Support multiple names for certificate verification"
* #29635 "SSL_CTX_is_server() was added"
* #29639 "Disabling explicit EC curves encoding"
* #29640 "add thunking for compare function to OPENSSL_STACK"
* #29646 "Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()"
* #29653 "Drop darwin-i386(-cc) targets from Configurations"
* #29658 "Disable support of weak elliptic curves in TLS by default"
* #29672 "Drop darwin-ppc{,64} targets"
* #29721 "Make OPENSSL_cleanup() G A"
* #29813 "Make X509_ATTRIBUTE accessor functions const-correct"
* #29862 "Make ASN1_STRING opaque"
* #29874 "Take OPENSSL_atexit() for a walk behind the barn."
* #29926 "Provide ASN1_BIT_STRING_set1()"
* #29953 "Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid."
* #29971 "X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* #29982 "Improved reporting of shared and peer sigalgs"
* #29991 "Fix of SSL_get_error() so that it no longer depends on the state of the error stack"
* #29995 "Add abilty to use static vcruntime"
* #30005 "Make ERR_STATE opaque and remove related deprecated functions"
* #30011 "Deprecate ASN1_OBJECT_new()."
* #30020 "Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex()."
* #30024 "CRL: reject malformed CRL Number and CRL Delta Indicator"
* #30028 "Add TLS 1.3 SM ciphersuites"
* #30031 "Mostly deprecated is slightly not deprecated...."
* #30033 "Remove the "msie-hack" option from openssl ca"
* #30034 "Use the appropriate libctx when executing CMS_SignerInfo_verify"
* #30035 "Constify X509_verify"
* #30036 "Constify more X509 arguments and return values"
* #30044 "Added BIO_set_send_flags() function to set flags passed to send(), sendto(), and sendmsg()"
* #30048 "change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* #30053 "Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* #30054 "Consity X509_add_cert and X509_self_signed"
* #30055 "Constify various functions that were non const due to extension cache"
* #30056 "Constify X509_build_chain"
* #30058 "Constify X509_chain_check_suiteb"
* #30067 "Constify X509_check_issued and friends"
* #30071 "constify X509_check_trust, X509_TRUST_add"
* #30072 "Constify X509_to_X509_REQ and X509_REQ_to_X509"
* #30073 "Constify X509_print_fp and X509_print_ex_fp"
* #30074 "Constify X509_STORE_add_cert()"
* #30076 "Constify X509_STORE_CTX functions invoving X509 *"
* #30079 "Constify X509_CRL_get0_by_cert"
* #30080 "Constify X509v3_asid_validate_resource_set and X509v3_addr_validate_resource_set"
* #30082 "Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* #30084 "Constify X509_issuer_and_serial_hash"
* #30089 "Added -expected-rpks s_client/server option"
* #30090 "Constify X509_CRL_get0_by_cert"
* #30092 "constify X509_find_by_issuer_and_serial"
* #30096 "Constify X509_find_by_subject"
* #30098 "Add a changes entry for the x509 time function changes"
* #30113 "Add keyshare floating"
* #30117 "Constify X509_OBJECT_[get0|set1]_X509 and friends"
* #30127 "Constify a bunch of seldom used X509 functions. "
* #30128 "Removes fixed version TLS methods."
* #30140 "Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* #30171 "CRL: Reject CRLs with malformed Issuing Distribution Point"
* #30200 "Remove remnant SSL_FIPS flag"
* #30229 "X509 returned by X509_REQ_to_X509() should not be (const ...)"
* #30235 "Make X509_up_ref and X509_free take const X509 *"
* #30249 "x509: remove erroneous critical extension enforcement"
* #30252 "Some more X509 extension add/del polish"
* #30263 "Restrict the number of keyshares/groups/sigalgs a server is willing to accept"
* #30265 "Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* #30272 "Partially revert "Constify X509_STORE_CTX functions invoving X509 *""
* #30273 "Revert "Make X509_up_ref and X509_free take const X509 *""
* #30276 "Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"

The changes associated with these PRs are already mentioned in 3.6.x changes:

* #28760 "Improve the CPUINFO display for RISC-V"
* #28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* #28955 "Fix for TLS handshake issue with GnuTLS #28902"
* #29155 "fix(x509.c): fixed -checkend return values"
* #29214 "s390x: Check and fail on invalid malformed ECDSA signatures"
* #29242 "Clang format head"
* #29251 "Fix change of behavior of the single stapled OCSP response API"
* #30204 "Fix detection of plaintext HTTP over TLS"
* #30384 "Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* #30557 "re-constructorize the cpuid stuff, but fix riscv to not depend on BIO_snprintf."

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Apr 14 11:56:03 2026
(Merged from #30817)
This adds SM-based TLS 1.3 ciphersuites as defined in RFC 8998, namely
Together with #29953 it implements defined SM-based TLS additions.