Dev news

Commit 8d9c8b3ff1 for openssl.org

commit 8d9c8b3ff1e983891d6807b128d291f7ba948965
Author: Dr. David von Oheimb <dev@ddvo.net>
Date:   Wed Oct 22 16:38:37 2025 +0200

    CMP doc: add missing text on OSSL_CMP_OPT_NO_CACHE_EXTRACERTS to OSSL_CMP_CTX_new.pod and ossl_cmp_msg_check_update.pod

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/28973)

diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod
index 2a6a9fccb0..eab0247492 100644
--- a/doc/internal/man3/ossl_cmp_msg_check_update.pod
+++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod
@@ -51,6 +51,7 @@ The callback is passed also the arguments B<ctx>, B<msg>, and <cb_arg>
 The callback should return 1 on acceptance, 0 on rejection, or -1 on error.
 It should not put an error on the error stack since this could be misleading.

+Unless the B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> is set in the B<ctx>,
 ossl_cmp_msg_check_update() adds all extraCerts contained in the <msg> to
 the list of untrusted certificates in B<ctx> such that they are already usable
 for OSSL_CMP_validate_msg(), which is called internally, and for future use.
@@ -58,7 +59,7 @@ Thus they are available also to the certificate confirmation callback, and the
 peer does not need to send them again (at least not in the same transaction).
 Note that it does not help validating the message before storing the extraCerts
 because they are not part of the protected portion of the message anyway.
-For efficiency, the extraCerts are prepended to the list so they get used first.
+For efficiency, the extraCerts being cached are prepended to the list so they get used first.

 If all checks pass then ossl_cmp_msg_check_update()
 records in B<ctx> the senderNonce of the received message as the new recipNonce
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index f395db9e39..a99702b83a 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -882,7 +882,8 @@ OSSL_CMP_CTX_set1_serialNumber(),
 OSSL_CMP_CTX_get0_libctx(), OSSL_CMP_CTX_get0_propq(), and
 OSSL_CMP_CTX_get0_validatedSrvCert() were added in OpenSSL 3.2.

-OSSL_CMP_CTX_get0_geninfo_ITAVs() was added in OpenSSL 3.3.
+OSSL_CMP_CTX_get0_geninfo_ITAVs() and
+the B<OSSL_CMP_OPT_NO_CACHE_EXTRACERTS> option were added in OpenSSL 3.3.

 Support for central key generation, requested via B<OSSL_CRMF_POPO_NONE>,
 was added in OpenSSL 3.5.