git: cb29db243bd0 - stable/14 - openssl: Import OpenSSL 3.0.16
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 25 Mar 2025 21:09:54 UTC
The branch stable/14 has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=cb29db243bd09d16604435639ae43ef7af0ea254
commit cb29db243bd09d16604435639ae43ef7af0ea254
Author:     Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2025-03-14 06:40:59 +0000
Commit:     Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2025-03-25 21:07:59 +0000
    openssl: Import OpenSSL 3.0.16
    
    This release incorporates the following bug fixes and mitigations:
    - [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
    - [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)
    
    Release notes can be found at:
    https://openssl-library.org/news/openssl-3.0-notes/index.html
    
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D49296
    
    (cherry picked from commit 0d0c8621fd181e507f0fb50ffcca606faf66a8c2)
---
 crypto/openssl/CHANGES.md                          |  33 ++
 crypto/openssl/Configurations/unix-Makefile.tmpl   |   2 +-
 crypto/openssl/NEWS.md                             |  16 +
 crypto/openssl/NOTES-NONSTOP.md                    |   7 +-
 crypto/openssl/README.md                           |  28 +-
 crypto/openssl/VERSION.dat                         |   4 +-
 crypto/openssl/apps/asn1parse.c                    |   5 +-
 crypto/openssl/apps/cms.c                          |  39 ++-
 crypto/openssl/apps/engine.c                       |   8 +-
 crypto/openssl/apps/lib/http_server.c              |   7 +-
 crypto/openssl/apps/lib/s_cb.c                     |  24 +-
 crypto/openssl/apps/lib/s_socket.c                 |  13 +-
 crypto/openssl/apps/lib/vms_term_sock.c            |  10 +-
 crypto/openssl/apps/passwd.c                       |   3 +-
 crypto/openssl/apps/pkcs12.c                       |   5 +-
 crypto/openssl/apps/pkeyutl.c                      |   5 +-
 crypto/openssl/apps/rehash.c                       |   5 +
 crypto/openssl/apps/smime.c                        |  20 +-
 crypto/openssl/apps/speed.c                        | 373 ++++++++++++++++-----
 crypto/openssl/configdata.pm.in                    |   4 +-
 crypto/openssl/crypto/asn1/a_bitstr.c              |  41 ++-
 crypto/openssl/crypto/asn1/a_strnid.c              |  10 +-
 crypto/openssl/crypto/asn1/a_time.c                |  57 ++--
 crypto/openssl/crypto/asn1/asn1_gen.c              |   5 +-
 crypto/openssl/crypto/asn1/asn_mime.c              |   2 +
 crypto/openssl/crypto/bio/bio_addr.c               |   9 +-
 crypto/openssl/crypto/bio/bio_sock.c               |   4 +-
 crypto/openssl/crypto/bio/bss_log.c                |   2 +-
 crypto/openssl/crypto/bn/asm/armv8-mont.pl         |   4 +-
 crypto/openssl/crypto/bn/bn_exp.c                  |  23 +-
 crypto/openssl/crypto/bn/bn_gf2m.c                 |  28 +-
 crypto/openssl/crypto/bn/rsaz_exp_x2.c             |   8 +-
 crypto/openssl/crypto/cmp/cmp_client.c             |   5 +-
 crypto/openssl/crypto/cms/cms_asn1.c               |  19 +-
 crypto/openssl/crypto/cms/cms_dh.c                 |   2 +-
 crypto/openssl/crypto/cms/cms_env.c                |   9 -
 crypto/openssl/crypto/cms/cms_err.c                | 102 +++---
 crypto/openssl/crypto/cms/cms_kari.c               |   9 +-
 crypto/openssl/crypto/cms/cms_lib.c                |  15 +-
 crypto/openssl/crypto/cms/cms_local.h              |   2 +-
 crypto/openssl/crypto/cms/cms_rsa.c                |   5 +-
 crypto/openssl/crypto/cms/cms_sd.c                 |  20 +-
 crypto/openssl/crypto/cms/cms_smime.c              |   3 +-
 crypto/openssl/crypto/core_fetch.c                 |   5 +-
 crypto/openssl/crypto/dso/dso_dl.c                 |  13 +-
 crypto/openssl/crypto/dso/dso_dlfcn.c              |   9 +-
 crypto/openssl/crypto/dso/dso_win32.c              |  16 +-
 crypto/openssl/crypto/ec/ec_asn1.c                 |   2 +-
 crypto/openssl/crypto/ec/ec_backend.c              |   8 +-
 crypto/openssl/crypto/ec/ec_lib.c                  |   9 +-
 crypto/openssl/crypto/ec/ec_oct.c                  |   4 +
 crypto/openssl/crypto/encode_decode/encoder_pkey.c |   6 +-
 crypto/openssl/crypto/err/openssl.txt              |   4 +-
 crypto/openssl/crypto/evp/ctrl_params_translate.c  |  12 +-
 crypto/openssl/crypto/evp/m_sigver.c               |  12 +-
 crypto/openssl/crypto/http/http_client.c           |  19 +-
 crypto/openssl/crypto/http/http_lib.c              |  22 +-
 crypto/openssl/crypto/pem/pem_pk8.c                |   4 +-
 crypto/openssl/crypto/pkcs12/p12_crt.c             |   6 +-
 crypto/openssl/crypto/pkcs7/pk7_doit.c             |   6 +-
 crypto/openssl/crypto/pkcs7/pk7_lib.c              |   5 +
 crypto/openssl/crypto/sm2/sm2_sign.c               |  10 +-
 crypto/openssl/crypto/srp/srp_vfy.c                |   2 +
 crypto/openssl/crypto/threads_win.c                |   3 +-
 crypto/openssl/crypto/trace.c                      |   2 +-
 crypto/openssl/crypto/ui/ui_util.c                 |  12 +-
 crypto/openssl/crypto/x509/v3_admis.c              |  34 +-
 crypto/openssl/crypto/x509/v3_san.c                |   3 +-
 crypto/openssl/crypto/x509/x509_cmp.c              |   4 +-
 crypto/openssl/crypto/x509/x_all.c                 |   4 +-
 crypto/openssl/demos/cipher/aesccm.c               |   2 +-
 crypto/openssl/doc/man1/openssl-ca.pod.in          |   2 +-
 crypto/openssl/doc/man1/openssl-cmp.pod.in         |  11 +-
 crypto/openssl/doc/man1/openssl-cms.pod.in         |   9 +-
 crypto/openssl/doc/man1/openssl-fipsinstall.pod.in |   4 +
 crypto/openssl/doc/man1/openssl-ocsp.pod.in        |  30 +-
 crypto/openssl/doc/man1/openssl-pkeyutl.pod.in     |  77 +++--
 crypto/openssl/doc/man1/openssl-req.pod.in         |   4 +-
 crypto/openssl/doc/man1/openssl-s_client.pod.in    |  77 ++++-
 crypto/openssl/doc/man1/openssl-s_server.pod.in    |  11 +-
 crypto/openssl/doc/man1/openssl-s_time.pod.in      |   1 +
 crypto/openssl/doc/man1/openssl-smime.pod.in       |   4 +-
 crypto/openssl/doc/man1/openssl-ts.pod.in          |   2 +
 .../doc/man1/openssl-verification-options.pod      | 194 ++++++-----
 crypto/openssl/doc/man1/openssl.pod                | 107 +-----
 crypto/openssl/doc/man3/ASN1_TIME_set.pod          |  10 +-
 crypto/openssl/doc/man3/ASN1_aux_cb.pod            |   6 +-
 crypto/openssl/doc/man3/BIO_s_accept.pod           |   6 +-
 crypto/openssl/doc/man3/BIO_s_connect.pod          |   2 +-
 crypto/openssl/doc/man3/ECDSA_sign.pod             |   4 +-
 crypto/openssl/doc/man3/EVP_EncryptInit.pod        |  16 +-
 crypto/openssl/doc/man3/EVP_PKEY_decapsulate.pod   |   9 +-
 crypto/openssl/doc/man3/EVP_PKEY_encapsulate.pod   |   7 +-
 crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod       |   6 +-
 crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod  |   4 +-
 crypto/openssl/doc/man3/OSSL_HTTP_parse_url.pod    |  11 +-
 crypto/openssl/doc/man3/OSSL_HTTP_transfer.pod     |   6 +-
 crypto/openssl/doc/man3/OSSL_PARAM.pod             |   2 +-
 crypto/openssl/doc/man3/OSSL_trace_enabled.pod     |   8 +-
 crypto/openssl/doc/man3/SSL_CTX_new.pod            |  10 +-
 crypto/openssl/doc/man3/SSL_get_shared_sigalgs.pod |   2 +-
 crypto/openssl/doc/man3/SSL_set_bio.pod            |   9 +
 crypto/openssl/doc/man3/X509V3_set_ctx.pod         |   5 +-
 crypto/openssl/doc/man3/X509_STORE_CTX_new.pod     |  19 +-
 crypto/openssl/doc/man3/X509_add_cert.pod          |   3 +-
 crypto/openssl/doc/man3/X509_load_http.pod         |   3 +
 crypto/openssl/doc/man7/EVP_KDF-HKDF.pod           |   2 +
 crypto/openssl/doc/man7/EVP_KDF-KB.pod             |   2 +
 crypto/openssl/doc/man7/EVP_KDF-PBKDF2.pod         |   2 +
 crypto/openssl/doc/man7/EVP_KDF-SS.pod             |   2 +
 crypto/openssl/doc/man7/EVP_KDF-SSHKDF.pod         |   2 +
 crypto/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod      |   2 +
 crypto/openssl/doc/man7/EVP_KDF-TLS1_PRF.pod       |   2 +
 crypto/openssl/doc/man7/EVP_KDF-X942-ASN1.pod      |   2 +
 crypto/openssl/doc/man7/EVP_KDF-X963.pod           |   2 +
 crypto/openssl/doc/man7/EVP_SIGNATURE-DSA.pod      |   4 +-
 crypto/openssl/doc/man7/openssl-env.pod            |  93 +++++
 crypto/openssl/doc/man7/provider.pod               |  12 +
 crypto/openssl/engines/e_afalg.c                   |   4 +-
 crypto/openssl/engines/e_loader_attic.c            |   2 +-
 crypto/openssl/include/crypto/bn.h                 |   5 +-
 crypto/openssl/include/crypto/cmserr.h             |   2 +-
 crypto/openssl/include/openssl/cmserr.h            |   3 +-
 crypto/openssl/include/openssl/http.h              |   5 +-
 crypto/openssl/providers/fips-sources.checksums    | 254 +++++++-------
 crypto/openssl/providers/fips.checksum             |   2 +-
 .../implementations/ciphers/cipher_aes_ocb.c       |  12 +-
 .../encode_decode/encode_key2text.c                |   3 +-
 .../openssl/providers/implementations/kdfs/hkdf.c  |   2 +-
 .../providers/implementations/kdfs/scrypt.c        |   5 +-
 .../providers/implementations/kem/rsa_kem.c        |  54 ++-
 .../providers/implementations/keymgmt/dsa_kmgmt.c  |   2 +-
 .../providers/implementations/keymgmt/ecx_kmgmt.c  |   2 +-
 .../implementations/keymgmt/mac_legacy_kmgmt.c     |   6 +-
 .../implementations/signature/eddsa_sig.c          |   3 +-
 .../implementations/storemgmt/file_store.c         |   2 +-
 crypto/openssl/ssl/statem/extensions_srvr.c        |   2 +-
 crypto/openssl/ssl/statem/statem_srvr.c            |   6 +-
 crypto/openssl/test/acvp_test.c                    |   2 +-
 crypto/openssl/test/build.info                     |   6 +-
 crypto/openssl/test/cmactest.c                     |   8 +-
 crypto/openssl/test/conf_include_test.c            |   2 +-
 crypto/openssl/test/drbgtest.c                     |   2 +-
 crypto/openssl/test/ec_internal_test.c             |  51 +++
 crypto/openssl/test/enginetest.c                   |   4 +-
 crypto/openssl/test/evp_kdf_test.c                 |  28 +-
 crypto/openssl/test/evp_libctx_test.c              | 126 ++++---
 crypto/openssl/test/hmactest.c                     |  12 +-
 crypto/openssl/test/memleaktest.c                  |   4 +-
 crypto/openssl/test/p_test.c                       |  34 +-
 crypto/openssl/test/pkcs12_format_test.c           |   9 +-
 crypto/openssl/test/property_test.c                |  41 ++-
 crypto/openssl/test/recipes/03-test_fipsinstall.t  |   4 +
 .../openssl/test/recipes/04-test_encoder_decoder.t |  29 +-
 crypto/openssl/test/recipes/25-test_verify.t       |   8 +-
 .../recipes/30-test_evp_data/evpkdf_tls13_kdf.txt  |  10 +
 crypto/openssl/test/recipes/80-test_cmp_http.t     |   4 +-
 .../80-test_cmp_http_data/test_connection.csv      |   4 +-
 crypto/openssl/test/recipes/80-test_cms.t          |  81 ++++-
 crypto/openssl/test/sslapitest.c                   |   5 +-
 crypto/openssl/test/testutil/tests.c               |   3 +-
 crypto/openssl/test/threadstest.c                  |   2 +-
 crypto/openssl/util/check-format-commit.sh         | 193 ++++++-----
 crypto/openssl/util/check-format.pl                |  14 +-
 crypto/openssl/util/mkbuildinf.pl                  |  12 +-
 crypto/openssl/util/perl/OpenSSL/Template.pm       |   9 +
 166 files changed, 2042 insertions(+), 1082 deletions(-)
diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md
index e41181b5bbb0..5b0193bc3955 100644
--- a/crypto/openssl/CHANGES.md
+++ b/crypto/openssl/CHANGES.md
@@ -28,6 +28,37 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
+### Changes between 3.0.15 and 3.0.16 [11 Feb 2025]
+
+ * Fixed timing side-channel in ECDSA signature computation.
+
+   There is a timing signal of around 300 nanoseconds when the top word of
+   the inverted ECDSA nonce value is zero. This can happen with significant
+   probability only for some of the supported elliptic curves. In particular
+   the NIST P-521 curve is affected. To be able to measure this leak, the
+   attacker process must either be located in the same physical computer or
+   must have a very fast network connection with low latency.
+
+   ([CVE-2024-13176])
+
+   *Tomáš Mráz*
+
+ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+   curve parameters.
+
+   Use of the low-level GF(2^m) elliptic curve APIs with untrusted
+   explicit values for the field polynomial can lead to out-of-bounds memory
+   reads or writes.
+   Applications working with "exotic" explicit binary (GF(2^m)) curve
+   parameters, that make it possible to represent invalid field polynomials
+   with a zero constant term, via the above or similar APIs, may terminate
+   abruptly as a result of reading or writing outside of array bounds. Remote
+   code execution cannot easily be ruled out.
+
+   ([CVE-2024-9143])
+
+   *Viktor Dukhovni*
+
 ### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
 
  * Fixed possible denial of service in X.509 name checks.
@@ -19922,6 +19953,8 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl
index 644540397de5..d2b0797a7edf 100644
--- a/crypto/openssl/Configurations/unix-Makefile.tmpl
+++ b/crypto/openssl/Configurations/unix-Makefile.tmpl
@@ -1688,7 +1688,7 @@ EOF
       } elsif ($makedep_scheme eq 'gcc' && !grep /\.rc$/, @srcs) {
           $recipe .= <<"EOF";
 $obj: $deps
-	$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -MT \$\@ -c -o \$\@ $srcs
+	$cmd $incs $defs $cmdflags -MMD -MF $dep.tmp -c -o \$\@ $srcs
 	\@touch $dep.tmp
 	\@if cmp $dep.tmp $dep > /dev/null 2> /dev/null; then \\
 		rm -f $dep.tmp; \\
diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md
index e0a81703ee8d..007fc9786ef8 100644
--- a/crypto/openssl/NEWS.md
+++ b/crypto/openssl/NEWS.md
@@ -18,6 +18,20 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
 
+### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [11 Feb 2025]
+
+OpenSSL 3.0.16 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed timing side-channel in ECDSA signature computation.
+    ([CVE-2024-13176])
+
+  * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+    curve parameters.
+    ([CVE-2024-9143])
+
 ### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
 
 OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
@@ -1495,6 +1509,8 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
diff --git a/crypto/openssl/NOTES-NONSTOP.md b/crypto/openssl/NOTES-NONSTOP.md
index ab13de7d3a76..9441647604c7 100644
--- a/crypto/openssl/NOTES-NONSTOP.md
+++ b/crypto/openssl/NOTES-NONSTOP.md
@@ -119,12 +119,9 @@ correctly, you also need the `COMP_ROOT` set, as in:
 
 `COMP_ROOT` needs to be in Windows form.
 
-`Configure` must specify the `no-makedepend` option otherwise errors will
-result when running the build because the c99 cross-compiler does not support
-the `gcc -MT` option. An example of a `Configure` command to be run from the
-OpenSSL directory is:
+An example of a `Configure` command to be run from the OpenSSL directory is:
 
-    ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
+    ./Configure nonstop-nsx_64 --with-rand-seed=rdcpu
 
 Do not forget to include any OpenSSL cross-compiling prefix and certificate
 options when creating your libraries.
diff --git a/crypto/openssl/README.md b/crypto/openssl/README.md
index 5184a461bb17..477f5cbb7d12 100644
--- a/crypto/openssl/README.md
+++ b/crypto/openssl/README.md
@@ -59,7 +59,7 @@ For Production Use
 ------------------
 
 Source code tarballs of the official releases can be downloaded from
-[www.openssl.org/source](https://www.openssl.org/source).
+[openssl-library.org/source/](https://openssl-library.org/source/).
 The OpenSSL project does not distribute the toolkit in binary form.
 
 However, for a large variety of operating systems precompiled versions
@@ -75,22 +75,18 @@ the source tarballs, having a local copy of the git repository with
 the entire project history gives you much more insight into the
 code base.
 
-The official OpenSSL Git Repository is located at [git.openssl.org].
-There is a GitHub mirror of the repository at [github.com/openssl/openssl],
+The main OpenSSL Git repository is private.
+There is a public GitHub mirror of it at [github.com/openssl/openssl],
 which is updated automatically from the former on every commit.
 
-A local copy of the Git Repository can be obtained by cloning it from
-the original OpenSSL repository using
-
-    git clone git://git.openssl.org/openssl.git
-
-or from the GitHub mirror using
+A local copy of the Git repository can be obtained by cloning it from
+the GitHub mirror using
 
     git clone https://github.com/openssl/openssl.git
 
 If you intend to contribute to OpenSSL, either to fix bugs or contribute
-new features, you need to fork the OpenSSL repository openssl/openssl on
-GitHub and clone your public fork instead.
+new features, you need to fork the GitHub mirror and clone your public fork
+instead.
 
     git clone https://github.com/yourname/openssl.git
 
@@ -166,7 +162,7 @@ attempting to develop or distribute cryptographic code.
 Copyright
 =========
 
-Copyright (c) 1998-2024 The OpenSSL Project
+Copyright (c) 1998-2025 The OpenSSL Project
 
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 
@@ -178,14 +174,6 @@ All rights reserved.
     <https://www.openssl.org>
     "OpenSSL Homepage"
 
-[git.openssl.org]:
-    <https://git.openssl.org>
-    "OpenSSL Git Repository"
-
-[git.openssl.org]:
-    <https://git.openssl.org>
-    "OpenSSL Git Repository"
-
 [github.com/openssl/openssl]:
     <https://github.com/openssl/openssl>
     "OpenSSL GitHub Mirror"
diff --git a/crypto/openssl/VERSION.dat b/crypto/openssl/VERSION.dat
index 0942ddc200ca..4b7eb91a451a 100644
--- a/crypto/openssl/VERSION.dat
+++ b/crypto/openssl/VERSION.dat
@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=15
+PATCH=16
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="3 Sep 2024"
+RELEASE_DATE="11 Feb 2025"
 SHLIB_VERSION=3
diff --git a/crypto/openssl/apps/asn1parse.c b/crypto/openssl/apps/asn1parse.c
index f0bfd1d45fc4..129b867c8cc7 100644
--- a/crypto/openssl/apps/asn1parse.c
+++ b/crypto/openssl/apps/asn1parse.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -127,7 +127,8 @@ int asn1parse_main(int argc, char **argv)
             dump = strtol(opt_arg(), NULL, 0);
             break;
         case OPT_STRPARSE:
-            sk_OPENSSL_STRING_push(osk, opt_arg());
+            if (sk_OPENSSL_STRING_push(osk, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_GENSTR:
             genstr = opt_arg();
diff --git a/crypto/openssl/apps/cms.c b/crypto/openssl/apps/cms.c
index abb9f196a760..dce227ef2db5 100644
--- a/crypto/openssl/apps/cms.c
+++ b/crypto/openssl/apps/cms.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -494,13 +494,15 @@ int cms_main(int argc, char **argv)
             if (rr_from == NULL
                 && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            sk_OPENSSL_STRING_push(rr_from, opt_arg());
+            if (sk_OPENSSL_STRING_push(rr_from, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_RR_TO:
             if (rr_to == NULL
                 && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            sk_OPENSSL_STRING_push(rr_to, opt_arg());
+            if (sk_OPENSSL_STRING_push(rr_to, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_PRINT:
             noout = print = 1;
@@ -577,13 +579,15 @@ int cms_main(int argc, char **argv)
                 if (sksigners == NULL
                     && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                 if (keyfile == NULL)
                     keyfile = signerfile;
                 if (skkeys == NULL
                     && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
                 keyfile = NULL;
             }
             signerfile = opt_arg();
@@ -601,12 +605,14 @@ int cms_main(int argc, char **argv)
                 if (sksigners == NULL
                     && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                 signerfile = NULL;
                 if (skkeys == NULL
                     && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
             }
             keyfile = opt_arg();
             break;
@@ -660,7 +666,8 @@ int cms_main(int argc, char **argv)
                     key_param->next = nparam;
                 key_param = nparam;
             }
-            sk_OPENSSL_STRING_push(key_param->param, opt_arg());
+            if (sk_OPENSSL_STRING_push(key_param->param, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_V_CASES:
             if (!opt_verify(o, vpm))
@@ -749,12 +756,14 @@ int cms_main(int argc, char **argv)
             if (sksigners == NULL
                 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                goto end;
             if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
             if (keyfile == NULL)
                 keyfile = signerfile;
-            sk_OPENSSL_STRING_push(skkeys, keyfile);
+            if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                goto end;
         }
         if (sksigners == NULL) {
             BIO_printf(bio_err, "No signer certificate specified\n");
@@ -1014,8 +1023,15 @@ int cms_main(int argc, char **argv)
             pwri_tmp = NULL;
         }
         if (!(flags & CMS_STREAM)) {
-            if (!CMS_final(cms, in, NULL, flags))
+            if (!CMS_final(cms, in, NULL, flags)) {
+                if (originator != NULL
+                    && ERR_GET_REASON(ERR_peek_error())
+                    == CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT) {
+                    BIO_printf(bio_err, "Cannot use originator for encryption\n");
+                    goto end;
+                }
                 goto end;
+            }
         }
     } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
         cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
@@ -1261,6 +1277,7 @@ int cms_main(int argc, char **argv)
     X509_free(cert);
     X509_free(recip);
     X509_free(signer);
+    X509_free(originator);
     EVP_PKEY_free(key);
     EVP_CIPHER_free(cipher);
     EVP_CIPHER_free(wrap_cipher);
diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c
index 1b0f64309c6f..c83bdfc150c3 100644
--- a/crypto/openssl/apps/engine.c
+++ b/crypto/openssl/apps/engine.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -352,10 +352,12 @@ int engine_main(int argc, char **argv)
             test_avail++;
             break;
         case OPT_PRE:
-            sk_OPENSSL_STRING_push(pre_cmds, opt_arg());
+            if (sk_OPENSSL_STRING_push(pre_cmds, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_POST:
-            sk_OPENSSL_STRING_push(post_cmds, opt_arg());
+            if (sk_OPENSSL_STRING_push(post_cmds, opt_arg()) <= 0)
+                goto end;
             break;
         }
     }
diff --git a/crypto/openssl/apps/lib/http_server.c b/crypto/openssl/apps/lib/http_server.c
index a7fe5e1a58b0..33ae886d4a1c 100644
--- a/crypto/openssl/apps/lib/http_server.c
+++ b/crypto/openssl/apps/lib/http_server.c
@@ -220,14 +220,17 @@ BIO *http_server_init_bio(const char *prog, const char *port)
 {
     BIO *acbio = NULL, *bufbio;
     int asock;
+    char name[40];
 
+    snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */
     bufbio = BIO_new(BIO_f_buffer());
     if (bufbio == NULL)
         goto err;
     acbio = BIO_new(BIO_s_accept());
     if (acbio == NULL
-        || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
-        || BIO_set_accept_port(acbio, port) < 0) {
+        || BIO_set_accept_ip_family(acbio, BIO_FAMILY_IPANY) <= 0 /* IPv4/6 */
+        || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) <= 0
+        || BIO_set_accept_name(acbio, name) <= 0) {
         log_message(prog, LOG_ERR, "Error setting up accept BIO");
         goto err;
     }
diff --git a/crypto/openssl/apps/lib/s_cb.c b/crypto/openssl/apps/lib/s_cb.c
index 6440b496099e..9f33c24c4e35 100644
--- a/crypto/openssl/apps/lib/s_cb.c
+++ b/crypto/openssl/apps/lib/s_cb.c
@@ -240,10 +240,10 @@ static const char *get_sigtype(int nid)
         return "ECDSA";
 
     case NID_ED25519:
-        return "Ed25519";
+        return "ed25519";
 
     case NID_ED448:
-        return "Ed448";
+        return "ed448";
 
     case NID_id_GostR3410_2001:
         return "gost2001";
@@ -288,6 +288,26 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
             SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
         if (i)
             BIO_puts(out, ":");
+        switch (rsign | rhash << 8) {
+        case 0x0809:
+            BIO_puts(out, "rsa_pss_pss_sha256");
+            continue;
+        case 0x080a:
+            BIO_puts(out, "rsa_pss_pss_sha384");
+            continue;
+        case 0x080b:
+            BIO_puts(out, "rsa_pss_pss_sha512");
+            continue;
+        case 0x081a:
+            BIO_puts(out, "ecdsa_brainpoolP256r1_sha256");
+            continue;
+        case 0x081b:
+            BIO_puts(out, "ecdsa_brainpoolP384r1_sha384");
+            continue;
+        case 0x081c:
+            BIO_puts(out, "ecdsa_brainpoolP512r1_sha512");
+            continue;
+        }
         sstr = get_sigtype(sign_nid);
         if (sstr)
             BIO_printf(out, "%s", sstr);
diff --git a/crypto/openssl/apps/lib/s_socket.c b/crypto/openssl/apps/lib/s_socket.c
index 059afe47b904..8c6020d01692 100644
--- a/crypto/openssl/apps/lib/s_socket.c
+++ b/crypto/openssl/apps/lib/s_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -380,6 +380,12 @@ int do_server(int *accept_sock, const char *host, const char *port,
                 BIO_closesocket(asock);
                 break;
             }
+
+            if (naccept != -1)
+                naccept--;
+            if (naccept == 0)
+                BIO_closesocket(asock);
+
             BIO_set_tcp_ndelay(sock, 1);
             i = (*cb)(sock, type, protocol, context);
 
@@ -410,11 +416,12 @@ int do_server(int *accept_sock, const char *host, const char *port,
 
             BIO_closesocket(sock);
         } else {
+            if (naccept != -1)
+                naccept--;
+
             i = (*cb)(asock, type, protocol, context);
         }
 
-        if (naccept != -1)
-            naccept--;
         if (i < 0 || naccept == 0) {
             BIO_closesocket(asock);
             ret = i;
diff --git a/crypto/openssl/apps/lib/vms_term_sock.c b/crypto/openssl/apps/lib/vms_term_sock.c
index 97fb3943265c..1a413376b20b 100644
--- a/crypto/openssl/apps/lib/vms_term_sock.c
+++ b/crypto/openssl/apps/lib/vms_term_sock.c
@@ -353,7 +353,7 @@ static int CreateSocketPair (int SocketFamily,
     /*
     ** Get the binary (64-bit) time of the specified timeout value
     */
-    sprintf (AscTimeBuff, "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
+    BIO_snprintf(AscTimeBuff, sizeof(AscTimeBuff), "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
     AscTimeDesc.dsc$w_length = strlen (AscTimeBuff);
     AscTimeDesc.dsc$a_pointer = AscTimeBuff;
     status = sys$bintim (&AscTimeDesc, BinTimeBuff);
@@ -567,10 +567,10 @@ static void LogMessage (char *msg, ...)
     /*
     ** Format the message buffer
     */
-    sprintf (MsgBuff, "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
-             LocTime->tm_mday, Month[LocTime->tm_mon],
-             (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
-             LocTime->tm_sec, pid, msg);
+    BIO_snprintf(MsgBuff, sizeof(MsgBuff), "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
+                 LocTime->tm_mday, Month[LocTime->tm_mon],
+                 (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
+                 LocTime->tm_sec, pid, msg);
 
     /*
     ** Get any variable arguments and add them to the print of the message
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
index 64b2e76c147a..31d8bdd87cb6 100644
--- a/crypto/openssl/apps/passwd.c
+++ b/crypto/openssl/apps/passwd.c
@@ -589,7 +589,8 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
     OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
     if (rounds_custom) {
         char tmp_buf[80]; /* "rounds=999999999" */
-        sprintf(tmp_buf, "rounds=%u", rounds);
+
+        BIO_snprintf(tmp_buf, sizeof(tmp_buf), "rounds=%u", rounds);
 #ifdef CHARSET_EBCDIC
         /* In case we're really on a ASCII based platform and just pretend */
         if (tmp_buf[0] != 0x72)  /* ASCII 'r' */
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index ab78903ee9cd..5146699f1672 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -305,7 +305,8 @@ int pkcs12_main(int argc, char **argv)
             if (canames == NULL
                 && (canames = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            sk_OPENSSL_STRING_push(canames, opt_arg());
+            if (sk_OPENSSL_STRING_push(canames, opt_arg()) <= 0)
+                goto end;
             break;
         case OPT_IN:
             infile = opt_arg();
diff --git a/crypto/openssl/apps/pkeyutl.c b/crypto/openssl/apps/pkeyutl.c
index 3c9f9025a160..5e5047137632 100644
--- a/crypto/openssl/apps/pkeyutl.c
+++ b/crypto/openssl/apps/pkeyutl.c
@@ -81,10 +81,11 @@ const OPTIONS pkeyutl_options[] = {
 
     OPT_SECTION("Output"),
     {"out", OPT_OUT, '>', "Output file - default stdout"},
-    {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
+    {"asn1parse", OPT_ASN1PARSE, '-',
+     "parse the output as ASN.1 data to check its DER encoding and print errors"},
     {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
     {"verifyrecover", OPT_VERIFYRECOVER, '-',
-     "Verify with public key, recover original data"},
+     "Verify RSA signature, recovering original signature input data"},
 
     OPT_SECTION("Signing/Derivation"),
     {"digest", OPT_DIGEST, 's',
diff --git a/crypto/openssl/apps/rehash.c b/crypto/openssl/apps/rehash.c
index 85eee3857942..6e0ca3642c40 100644
--- a/crypto/openssl/apps/rehash.c
+++ b/crypto/openssl/apps/rehash.c
@@ -559,6 +559,11 @@ int rehash_main(int argc, char **argv)
     } else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) {
         char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' };
         m = OPENSSL_strdup(env);
+        if (m == NULL) {
+            BIO_puts(bio_err, "out of memory\n");
+            errs = 1;
+            goto end;
+        }
         for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc))
             errs += do_dir(e, h);
         OPENSSL_free(m);
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
index 651294e46daa..790a8d06ad0c 100644
--- a/crypto/openssl/apps/smime.c
+++ b/crypto/openssl/apps/smime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -279,13 +279,15 @@ int smime_main(int argc, char **argv)
                 if (sksigners == NULL
                     && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                 if (keyfile == NULL)
                     keyfile = signerfile;
                 if (skkeys == NULL
                     && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
                 keyfile = NULL;
             }
             signerfile = opt_arg();
@@ -310,12 +312,14 @@ int smime_main(int argc, char **argv)
                 if (sksigners == NULL
                     && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                    goto end;
                 signerfile = NULL;
                 if (skkeys == NULL
                     && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                     goto end;
-                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                    goto end;
             }
             keyfile = opt_arg();
             break;
@@ -390,12 +394,14 @@ int smime_main(int argc, char **argv)
             if (sksigners == NULL
                 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (sk_OPENSSL_STRING_push(sksigners, signerfile) <= 0)
+                goto end;
             if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
             if (!keyfile)
                 keyfile = signerfile;
-            sk_OPENSSL_STRING_push(skkeys, keyfile);
+            if (sk_OPENSSL_STRING_push(skkeys, keyfile) <= 0)
+                goto end;
         }
         if (sksigners == NULL) {
             BIO_printf(bio_err, "No signer certificate specified\n");
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index d8e2c70e6128..bafcacf7775e 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -456,6 +456,14 @@ static double sm2_results[SM2_NUM][2];    /* 2 ops: sign then verify */
 #define COND(unused_cond) (run && count < INT_MAX)
 #define COUNT(d) (count)
 
+#define TAG_LEN 16
+
+static unsigned int mode_op; /* AE Mode of operation */
+static unsigned int aead = 0; /* AEAD flag */
+static unsigned char aead_iv[12]; /* For AEAD modes */
+static unsigned char aad[EVP_AEAD_TLS1_AAD_LEN] = { 0xcc };
+static int aead_ivlen = sizeof(aead_iv);
+
 typedef struct loopargs_st {
     ASYNC_JOB *inprogress_job;
     ASYNC_WAIT_CTX *wait_ctx;
@@ -464,6 +472,7 @@ typedef struct loopargs_st {
     unsigned char *buf_malloc;
     unsigned char *buf2_malloc;
     unsigned char *key;
+    unsigned char tag[TAG_LEN];
     size_t buflen;
     size_t sigsize;
     EVP_PKEY_CTX *rsa_sign_ctx[RSA_NUM];
@@ -727,12 +736,8 @@ static int EVP_Update_loop(void *args)
     unsigned char *buf = tempargs->buf;
     EVP_CIPHER_CTX *ctx = tempargs->ctx;
     int outl, count, rc;
-    unsigned char faketag[16] = { 0xcc };
 
     if (decrypt) {
-        if (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-            (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(faketag), faketag);
-        }
         for (count = 0; COND(c[D_EVP][testnum]); count++) {
             rc = EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
             if (rc != 1) {
@@ -757,74 +762,159 @@ static int EVP_Update_loop(void *args)
 }
 
 /*
+ * To make AEAD benchmarking more relevant perform TLS-like operations,
+ * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as
+ * payload length is not actually limited by 16KB...
  * CCM does not support streaming. For the purpose of performance measurement,
  * each message is encrypted using the same (key,iv)-pair. Do not use this
  * code in your application.
  */
-static int EVP_Update_loop_ccm(void *args)
+static int EVP_Update_loop_aead_enc(void *args)
 {
     loopargs_t *tempargs = *(loopargs_t **) args;
     unsigned char *buf = tempargs->buf;
+    unsigned char *key = tempargs->key;
     EVP_CIPHER_CTX *ctx = tempargs->ctx;
-    int outl, count;
-    unsigned char tag[12];
-
-    if (decrypt) {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(tag),
-                                      tag);
-            /* reset iv */
-            (void)EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv);
-            /* counter is reset on every update */
-            (void)EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
+    int outl, count, realcount = 0;
+
+    for (count = 0; COND(c[D_EVP][testnum]); count++) {
+        /* Set length of iv (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN,
+                                     aead_ivlen, NULL)) {
+                BIO_printf(bio_err, "\nFailed to set iv length\n");
+                ERR_print_errors(bio_err);
+                exit(1);
+            }
         }
-    } else {
-        for (count = 0; COND(c[D_EVP][testnum]); count++) {
-            /* restore iv length field */
-            (void)EVP_EncryptUpdate(ctx, NULL, &outl, NULL, lengths[testnum]);
-            /* counter is reset on every update */
-            (void)EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]);
+        /* Set tag_len (Not for GCM/SIV at encryption stage) */
+        if (mode_op != EVP_CIPH_GCM_MODE
+            && mode_op != EVP_CIPH_SIV_MODE) {
+            if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+                                     TAG_LEN, NULL)) {
+                BIO_printf(bio_err, "\nFailed to set tag length\n");
+                ERR_print_errors(bio_err);
+                exit(1);
+            }
+        }
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, aead_iv, -1)) {
+            BIO_printf(bio_err, "\nFailed to set key and iv\n");
+            ERR_print_errors(bio_err);
+            exit(1);
+        }
+        /* Set total length of input. Only required for CCM */
+        if (mode_op == EVP_CIPH_CCM_MODE) {
+            if (!EVP_EncryptUpdate(ctx, NULL, &outl,
+                                   NULL, lengths[testnum])) {
+                BIO_printf(bio_err, "\nCouldn't set input text length\n");
+                ERR_print_errors(bio_err);
+                exit(1);
+            }
         }
+        if (aead) {
+            if (!EVP_EncryptUpdate(ctx, NULL, &outl, aad, sizeof(aad))) {
+                BIO_printf(bio_err, "\nCouldn't insert AAD when encrypting\n");
+                ERR_print_errors(bio_err);
+                exit(1);
+            }
+        }
+        if (!EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum])) {
+            BIO_printf(bio_err, "\nFailed to encrypt the data\n");
+            ERR_print_errors(bio_err);
+            exit(1);
+        }
+        if (EVP_EncryptFinal_ex(ctx, buf, &outl))
+            realcount++;
     }
-    if (decrypt)
-        (void)EVP_DecryptFinal_ex(ctx, buf, &outl);
-    else
-        (void)EVP_EncryptFinal_ex(ctx, buf, &outl);
-    return count;
+    return realcount;
 }
 
 /*
  * To make AEAD benchmarking more relevant perform TLS-like operations,
  * 13-byte AAD followed by payload. But don't use TLS-formatted AAD, as
  * payload length is not actually limited by 16KB...
+ * CCM does not support streaming. For the purpose of performance measurement,
+ * each message is decrypted using the same (key,iv)-pair. Do not use this
+ * code in your application.
+ * For decryption, we will use buf2 to preserve the input text in buf.
  */
-static int EVP_Update_loop_aead(void *args)
+static int EVP_Update_loop_aead_dec(void *args)
 {
     loopargs_t *tempargs = *(loopargs_t **) args;
     unsigned char *buf = tempargs->buf;
+    unsigned char *outbuf = tempargs->buf2;
+    unsigned char *key = tempargs->key;
+    unsigned char tag[TAG_LEN];
     EVP_CIPHER_CTX *ctx = tempargs->ctx;
-    int outl, count;
-    unsigned char aad[13] = { 0xcc };
-    unsigned char faketag[16] = { 0xcc };
+    int outl, count, realcount = 0;
+
+    for (count = 0; COND(c[D_EVP][testnum]); count++) {
+        /* Set the length of iv (Doesn't apply to SIV mode) */
+        if (mode_op != EVP_CIPH_SIV_MODE) {
*** 6017 LINES SKIPPED ***