4.0.0-alpha1 release commits

.ctags.d/exclude.ctags

@@ -1,5 +1,5 @@
 #
-# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2023-2026 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -10,4 +10,3 @@
 # List file names or patterns you want ctags to ignore.
 --exclude=.ctags.d
 --exclude=test
---exclude=check-format-test-positives.c

engines/e_dasync.txt → .ctags.d/langmap.ctags

@@ -1,9 +1,11 @@
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
+#
 
-#Reason codes
-DASYNC_R_INIT_FAILED:100:init failed
+--langmap=C:+.h
+--langmap=C:+.inc

.git-blame-ignore-revs

@@ -1,2 +1,4 @@
 # Run util/openssl-format-source -v -c .
 0f113f3ee4d629ef9a4a30911b22b224772085e5
+# 4.0-POST-CLANG-FORMAT-WEBKIT
+2fab90bb5e1937f1c2125eab144f7f6c39e70087

.github/CODEOWNERS

@@ -0,0 +1 @@
+/.github/workflows/ @quarckster

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,7 +3,11 @@ Thank you for your pull request. Please review these requirements:
 
 Contributors guide: https://github.com/openssl/openssl/blob/master/CONTRIBUTING.md
 
-Other than that, provide a description above this comment if there isn't one already
+Include a clear description of the issue or feature above this comment if not already provided. This should briefly outline the issue or feature being addressed, along with any relevant implementation details. For performance improvements, include benchmark results as well.
+
+Please always add meaningful commit messages.  Commit message titles (the first line of each commit message which should be separated by an empty line from the rest of the message) should be kept to 50-70 characters if possible.  Further details and Fixes #issue number annotations should be placed in the commit message body (i.e, after the empty line).
+
+Pull requests and commits should be self-contained, allowing readers to understand what changed and why without needing to reference related issues or having prior knowledge. Individual commit messages should include all relevant details to ensure future contributors can easily follow the git history. Clearly explain what is changing and why, and feel free to include detailed (long) descriptions when beneficial to understanding.
 
 If this fixes a GitHub issue, make sure to have a line saying 'Fixes #XXXX' (without quotes) in the commit message.
 -->

.github/dependabot.yml

@@ -13,3 +13,5 @@ updates:
       - "approval: review pending"
     reviewers:
       - "openssl/committers"
+    cooldown:
+      default-days: 7

.github/workflows/backport.yml

@@ -0,0 +1,67 @@
+# Copyright 2021-2026 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+name: Backports CI
+
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  check_backports:
+    strategy:
+      fail-fast: false
+      matrix:
+        release: [
+          {
+            branch: '3.6',
+            cppflags: ''
+          }, {
+            branch: '3.5',
+            cppflags: 'CPPFLAGS=-ansi'
+          }, {
+            branch: '3.4',
+            cppflags: 'CPPFLAGS=-ansi'
+          }, {
+            branch: '3.3',
+            cppflags: 'CPPFLAGS=-ansi',
+          }, {
+            branch: '3.2',
+            cppflags: 'CPPFLAGS=-ansi'
+          }, {
+            branch: '3.0',
+            cppflags: 'CPPFLAGS=-ansi'
+          }
+        ]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 0
+        persist-credentials: false
+    - name: cherry-pick
+      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
+      run: |
+           REFEND=$(git rev-parse HEAD)
+           REFSTART=$(git rev-parse $REFEND~${{ github.event.pull_request.commits }})
+           git checkout ${{ format('openssl-{0}', matrix.release.branch) }}
+           git config user.name "OpenSSL Machine"
+           git config user.email "openssl-machine@openssl.org"
+           echo Cherry-picking $REFSTART..$REFEND
+           git cherry-pick $REFSTART..$REFEND
+    - name: config
+      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
+      run: ${{ matrix.release.cppflags }} ./config --strict-warnings --banner=Configured no-asm enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
+    - name: make
+      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
+      run: make -s -j4
+    - name: make test
+      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

.github/workflows/check-news-changes.yml

@@ -0,0 +1,105 @@
+# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+name: "Scan to check for NEWS/CHANGES suggestions"
+
+on: pull_request
+env:
+  NEED_NEWS_CHANGES: "no"
+  SKIP_NEWS_CHECK: "no"
+  PR_NUMBER: ${{ github.event.number }}
+  GH_TOKEN: ${{ github.token }}
+permissions: {}
+
+jobs:
+  scan_for_news_changes:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: "Check if we have the label to skip this test"
+        run: |
+          SKIP_TEST=$(gh pr view $PR_NUMBER --json labels --jq '.labels[] | select(.name == "no_news_changes_needed") | .name')
+          if [ -n "$SKIP_TEST" ]; then
+            echo "SKIP_NEWS_CHECK=yes" >> $GITHUB_ENV
+          fi
+
+      - name: "Check if we already have a NEWS/CHANGES entry"
+        if: ${{ env.SKIP_NEWS_CHECK == 'no' }}
+        run: |
+          git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./names.txt
+          echo "changed files between ${{ github.event.pull_request.base.sha }} and ${{ github.event.pull_request.head.sha }}"
+          cat ./names.txt
+          set +e
+          grep -q "NEWS\.md" names.txt
+          if [ $? -eq 0 ]; then
+            echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+          else
+            grep -q "CHANGES\.md" names.txt
+            if [ $? -eq 0 ]; then
+              echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+            else
+              echo "FOUND_NEWS_CHANGES_ADDITION=no" >> $GITHUB_ENV
+            fi
+          fi
+      - name: "Check if this PR affects a CVE"
+        if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' && env.SKIP_NEWS_CHECK == 'no' }}
+        run: |
+          git log ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./log.txt
+          set +e
+          grep -q "CVE-" ./log.txt
+          if [ $? -eq 0 ]; then
+            echo "Changes in this PR reference a CVE"
+            echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+          fi
+      - name: "Check if this PR impacts a public API"
+        if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' && env.SKIP_NEWS_CHECK == 'no' }}
+        run: |
+          set +e
+          git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./names.txt
+          echo "changed files between ${{ github.event.pull_request.base.sha }} and ${{ github.event.pull_request.head.sha }}"
+          cat ./names.txt
+          grep -q "include/openssl" ./names.txt
+          if [ $? -eq 0 ]; then
+            echo "Changes in this PR may impact public APIS's"
+            echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+          fi
+      - name: "Check if this is a feature branch merge"
+        if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' && env.SKIP_NEWS_CHECK == 'no' }}
+        run: |
+          set +e
+          echo ${{ github.head_ref }} | grep -q "feature"
+          if [ $? -eq 0 ]; then
+            echo "Feature branch found"
+            echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+          fi
+      - name: "Check if configuration options have changed"
+        if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' && env.SKIP_NEWS_CHECK == 'no' }}
+        run: | 
+          git checkout ${{ github.event.pull_request.base.sha }}
+          set +e
+          ./Configure --help > ./before.txt 2>&1
+          git checkout ${{ github.event.pull_request.head.sha }}
+          ./Configure --help > ./after.txt 2>&1
+          set -e
+          CONF_CHANGE=$(diff ./before.txt ./after.txt | wc -l)
+          if [ $CONF_CHANGE -ne 0 ]; then
+            echo "Configuration options changes"
+            echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+          fi
+      - name: "Report Results"
+        if: ${{ env.SKIP_NEWS_CHECK == 'no' }}
+        run: |
+          if [ "${{ env.NEED_NEWS_CHANGES }}" == "yes" ]; then
+            echo "Suggest that you add a NEWS/CHANGES entry for this PR"
+            echo "Alternatively, quiet this suggestion by applying the no_news_changes_needed label"
+            exit 1
+          fi
+
+