deps: update OpenSSL to 3.5.6

deps/openssl/openssl/CONTRIBUTING.md

@@ -27,6 +27,18 @@ communication before submitting many pull requests. In addition,
 contributors should personally evaluate potential patches generated by
 automated tools.
 
+Provide a clear description of the issue or feature being addressed,
+including any relevant implementation details and, for performance
+improvements, benchmark results.
+
+Pull requests and commits should be self-contained, enabling readers to
+understand what changed and why without needing to reference related
+issues or having prior knowledge.  Commit messages should include all
+relevant details to help future contributors follow the git history,
+with clear explanations of what is changing and why.  Long descriptions
+are encouraged if they aid understanding.  Commit message titles (their
+first line) should be kept to 50-70 characters if possible.
+
 To make it easier to review and accept your pull request, please follow these
 guidelines:
 

deps/openssl/openssl/Configurations/10-main.conf

@@ -5,7 +5,8 @@
 my $vc_win64a_info = {};
 sub vc_win64a_info {
     unless (%$vc_win64a_info) {
-        if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) {
+        # Minimum NASM version is 2.09 otherwise SHA3 might be miscompiled
+        if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+)\.([0-9]+)/ && ($1 > 2 || ($1 == 2 && $2 >= 9))) {
             $vc_win64a_info = { AS        => "nasm",
                                 ASFLAGS   => "-g",
                                 asflags   => "-Ox -f win64 -DNEAR",

deps/openssl/openssl/Configurations/unix-Makefile.tmpl

@@ -72,6 +72,7 @@ OPTIONS={- $config{options} -}
 CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
 SRCDIR={- $config{sourcedir} -}
 BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)/test-runs
 FIPSKEY={- $config{FIPSKEY} -}
 
 VERSION={- "$config{full_version}" -}
@@ -642,7 +643,7 @@ clean: libclean ## Clean the workspace, keep the configuration
 	-find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
 	$(RM) core
 	$(RM) tags TAGS doc-nits md-nits
-	$(RM) -r test/test-runs
+	$(RM) -r $(RESULT_D)
 	$(RM) providers/fips*.new
 	-find . -type l \! -name '.*' -exec $(RM) {} \;
 

deps/openssl/openssl/Configurations/windows-makefile.tmpl

@@ -38,6 +38,7 @@
 PLATFORM={- $config{target} -}
 SRCDIR={- $config{sourcedir} -}
 BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)\test-runs
 FIPSKEY={- $config{FIPSKEY} -}
 
 VERSION={- "$config{full_version}" -}
@@ -222,7 +223,7 @@ OPENSSLDIR_dir={- canonpath($openssldir_dir) -}
 LIBDIR={- our $libdir = $config{libdir} || "lib";
           file_name_is_absolute($libdir) ? "" : $libdir -}
 MODULESDIR_dev={- use File::Spec::Functions qw(:DEFAULT splitpath catpath);
-                  our $modulesprefix = catdir($prefix,$libdir);
+                  our $modulesprefix = file_name_is_absolute($libdir) ? $libdir : catdir($prefix,$libdir);
                   our ($modulesprefix_dev, $modulesprefix_dir,
                        $modulesprefix_file) =
                       splitpath($modulesprefix, 1);
@@ -484,7 +485,7 @@ clean: libclean
 	-del /Q /S /F engines\*.lib engines\*.exp
 	-del /Q /S /F apps\*.lib apps\*.rc apps\*.res apps\*.exp
 	-del /Q /S /F test\*.exp
-	-rd /Q /S test\test-runs
+	-@if exist "$(RESULT_D)" rd /Q /S "$(RESULT_D)"
 
 distclean: clean
 	-del /Q /F include\openssl\configuration.h

deps/openssl/openssl/VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=5
-PATCH=5
+PATCH=6
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="27 Jan 2026"
+RELEASE_DATE="7 Apr 2026"
 SHLIB_VERSION=3

deps/openssl/openssl/apps/cmp.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2026 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -1421,7 +1421,10 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
         out_vpm = X509_STORE_get0_param(out_trusted);
         X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
 
-        (void)OSSL_CMP_CTX_set_certConf_cb_arg(ctx, out_trusted);
+        if (!OSSL_CMP_CTX_set_certConf_cb_arg(ctx, out_trusted)) {
+            X509_STORE_free(out_trusted);
+            return 0;
+        }
     }
 
     if (opt_disable_confirm)
@@ -3390,6 +3393,12 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
             int paramtype;
             const void *param;
 
+            /* NULL check to prevent dereferencing a NULL pointer when print_keyspec is called */
+            if (alg == NULL) {
+                BIO_puts(mem, "Key algorithm: <absent>\n");
+                break;
+            }
+
             X509_ALGOR_get0(&oid, &paramtype, &param, alg);
             BIO_printf(mem, "Key algorithm: ");
             i2a_ASN1_OBJECT(mem, oid);
@@ -3789,8 +3798,7 @@ int cmp_main(int argc, char **argv)
     if (opt_ignore_keyusage)
         (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1);
     if (opt_no_cache_extracerts)
-        (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS,
-            1);
+        (void)OSSL_CMP_CTX_set_option(cmp_ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, 1);
 
     if (opt_reqout_only == NULL && (opt_use_mock_srv
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
@@ -3806,7 +3814,7 @@ int cmp_main(int argc, char **argv)
 
         srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
         if (!OSSL_CMP_CTX_set_log_cb(srv_cmp_ctx, print_to_bio_err)) {
-            CMP_err1("cannot set up error reporting and logging for %s", prog);
+            CMP_err1("cannot set up server-side error reporting and logging for %s", prog);
             goto err;
         }
         OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);

deps/openssl/openssl/apps/include/cmp_mock_srv.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2026 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -19,6 +19,8 @@
 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
     const char *propq);
 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
+OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx,
+    const OSSL_CMP_MSG *req);
 
 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
@@ -34,6 +36,7 @@ int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
     int fail_info, const char *text);
 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
+int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
 

deps/openssl/openssl/apps/lib/app_provider.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2026 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,6 +47,7 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
         app_providers = sk_OSSL_PROVIDER_new_null();
     if (app_providers == NULL
         || !sk_OSSL_PROVIDER_push(app_providers, prov)) {
+        OSSL_PROVIDER_unload(prov);
         app_providers_cleanup();
         return 0;
     }

deps/openssl/openssl/apps/lib/apps.c

@@ -191,8 +191,13 @@ int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
     }
     if (arg2 != NULL) {
         *pass2 = app_get_pass(arg2, same ? 2 : 0);
-        if (*pass2 == NULL)
+        if (*pass2 == NULL) {
+            if (pass1 != NULL) {
+                clear_free(*pass1);
+                *pass1 = NULL;
+            }
             return 0;
+        }
     } else if (pass2 != NULL) {
         *pass2 = NULL;
     }
@@ -263,15 +268,15 @@ static char *app_get_pass(const char *arg, int keepbio)
             }
         } else {
             /* argument syntax error; do not reveal too much about arg */
-            tmp = strchr(arg, ':');
-            if (tmp == NULL || tmp - arg > PASS_SOURCE_SIZE_MAX)
+            const char *arg_ptr = strchr(arg, ':');
+            if (arg_ptr == NULL || arg_ptr - arg > PASS_SOURCE_SIZE_MAX)
                 BIO_printf(bio_err,
                     "Invalid password argument, missing ':' within the first %d chars\n",
                     PASS_SOURCE_SIZE_MAX + 1);
             else
                 BIO_printf(bio_err,
                     "Invalid password argument, starting with \"%.*s\"\n",
-                    (int)(tmp - arg + 1), arg);
+                    (int)(arg_ptr - arg + 1), arg);
             return NULL;
         }
     }
@@ -2494,7 +2499,7 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
 
 error:
     X509_CRL_free(crl);
-    sk_X509_CRL_free(crls);
+    sk_X509_CRL_pop_free(crls, X509_CRL_free);
     return NULL;
 }
 

deps/openssl/openssl/apps/lib/cmp_mock_srv.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2026 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -10,6 +10,7 @@
 
 #include "apps.h"
 #include "cmp_mock_srv.h"
+#include "../../crypto/cmp/cmp_local.h" /* for access to msg->protection */
 
 #include <openssl/cmp.h>
 #include <openssl/err.h>
@@ -28,6 +29,7 @@ typedef struct {
     X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
     OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
     int sendError; /* send error response on given request type */
+    int useBadProtection; /* use bad protection on given response type */
     OSSL_CMP_MSG *req; /* original request message during polling */
     int pollCount; /* number of polls before actual cert response */
     int curr_pollCount; /* number of polls so far for current request */
@@ -59,6 +61,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
         goto err;
 
     ctx->sendError = -1;
+    ctx->useBadProtection = -1;
 
     /* all other elements are initialized to 0 or NULL, respectively */
     return ctx;
@@ -187,6 +190,19 @@ int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
     return 1;
 }
 
+int ossl_cmp_mock_srv_set_useBadProtection(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
+{
+    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    /* might check bodytype, but this would require exporting all body types */
+    ctx->useBadProtection = bodytype;
+    return 1;
+}
+
 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
 {
     mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
@@ -591,6 +607,7 @@ static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
         if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp))
             return 1;
         sk_OSSL_CMP_ITAV_free(*out);
+        OSSL_CMP_ITAV_free(rsp);
         return 0;
     }
 
@@ -712,6 +729,25 @@ static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
     return 1;
 }
 
+OSSL_CMP_MSG *ossl_cmp_mock_server_perform(OSSL_CMP_CTX *ctx,
+    const OSSL_CMP_MSG *req)
+{
+    OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(ctx);
+    OSSL_CMP_MSG *rsp = OSSL_CMP_CTX_server_perform(ctx, req);
+
+    if (srv_ctx != NULL && rsp != NULL) {
+        mock_srv_ctx *mock_ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+        if (mock_ctx != NULL && OSSL_CMP_MSG_get_bodytype(rsp) == mock_ctx->useBadProtection) {
+            ASN1_BIT_STRING *prot = rsp->protection;
+
+            if (prot != NULL && prot->length != 0 && prot->data != NULL)
+                prot->data[0] ^= 0x80; /* flip most significant bit of the first byte */
+        }
+    }
+    return rsp;
+}
+
 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
 {
     OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);

deps/openssl/openssl/apps/lib/win32_init.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,7 +10,6 @@
 #include <windows.h>
 #include <stdlib.h>
 #include <string.h>
-#include <malloc.h>
 
 #if defined(CP_UTF8)
 

deps/openssl/openssl/apps/ocsp.c

@@ -876,7 +876,7 @@ int ocsp_main(int argc, char **argv)
 
         i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
         if (i <= 0 && issuers) {
-            i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
+            i = OCSP_basic_verify(bs, issuers, store, verify_flags);
             if (i > 0)
                 ERR_clear_error();
         }

deps/openssl/openssl/apps/s_client.c

@@ -3892,7 +3892,11 @@ static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf,
 
 static int user_data_add(struct user_data_st *user_data, size_t i)
 {
-    if (user_data->buflen != 0 || i > user_data->bufmax)
+    /*
+     * We must allow one byte for a NUL terminator so i must be less than
+     * bufmax
+     */
+    if (user_data->buflen != 0 || i >= user_data->bufmax)
         return 0;
 
     user_data->buflen = i;

deps/openssl/openssl/apps/ts.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2026 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -348,7 +348,7 @@ int ts_main(int argc, char **argv)
         if ((in != NULL) && (queryfile != NULL))
             goto opthelp;
         if (in == NULL) {
-            if ((conf == NULL) || (token_in != 0))
+            if (conf == NULL || token_in != 0 || queryfile == NULL)
                 goto opthelp;
         }
         ret = !reply_command(conf, section, engine, queryfile,

deps/openssl/openssl/build.info

@@ -108,20 +108,21 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
   SHARED_SOURCE[libssl]=libssl.rc
 ENDIF
 
-# This file sets the build directory up for CMake inclusion
-# Note: This generation of OpenSSLConfig[Version].cmake is used
-# for building openssl locally, and so the build variables are 
-# taken from builddata.pm rather than installdata.pm.  For exportable
-# versions of these generated files, you'll find them in the exporters
-# directory
+# These files set the build directory up for CMake inclusion.
+# To achieve this, their variables are taken from builddata.pm.
+# These files are not installed; you will find the installable
+# versions in the 'exporters' directory.
 GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in
 DEPEND[OpenSSLConfig.cmake]=builddata.pm
 GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in
 DEPEND[OpenSSLConfigVersion.cmake]=builddata.pm
 DEPEND[OpenSSLConfigVersion.cmake]=OpenSSLConfig.cmake
 DEPEND[""]=OpenSSLConfigVersion.cmake
 
-# This file sets the build directory up for pkg-config
+# These files set the build directory up for pkg-config use.
+# To achieve this, their variables are taken from builddata.pm.
+# These files are not installed; you will find the installable
+# versions in the 'exporters' directory.
 GENERATE[libcrypto.pc]=exporters/pkg-config/libcrypto.pc.in
 DEPEND[libcrypto.pc]=builddata.pm
 GENERATE[libssl.pc]=exporters/pkg-config/libssl.pc.in
@@ -131,6 +132,7 @@ DEPEND[openssl.pc]=builddata.pm
 DEPEND[openssl.pc]=libcrypto.pc libssl.pc
 
 GENERATE[builddata.pm]=util/mkinstallvars.pl \
+    COMMENT="This file should be used when building against this OpenSSL build, and should never be installed" \
     PREFIX=. BINDIR=apps APPLINKDIR=ms \
     LIBDIR= INCLUDEDIR=include "INCLUDEDIR=$(SRCDIR)/include" \
     ENGINESDIR=engines MODULESDIR=providers \