EVP_get_default_properties - implementation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

EVP_get_default_properties - implementation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25434)

show more ...

Copyright year updates


Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes

XOF / EVP_MD_size() changes.

Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and
does a ctx get rather than just returning EVP_MD_size().
SHAKE did not have a get_ct

XOF / EVP_MD_size() changes.

Added the function EVP_MD_CTX_get_size_ex() which checks for XOF and
does a ctx get rather than just returning EVP_MD_size().
SHAKE did not have a get_ctx_params() so that had to be added to return the xoflen.

Added a helper function EVP_MD_xof()
EVP_MD_CTX_size() was just an aliased macro for EVP_MD_size(), so to
keep it the same I added an extra function.

EVP_MD_size() always returns 0 for SHAKE now, since it caches the value
of md_size at the time of an EVP_MD_fetch(). This is probably better
than returning the incorrect initial value it was before e.g (16 for
SHAKE128) and returning tht always instead of the set xoflen.

Note BLAKE2B uses "size" instead of "xoflen" to do a similar thing.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)

show more ...

feat: Implement EVP_PKEY_CTX_{set,get}_algor_params() and EVP_PKEY_CTX_get_algor()

This should be sufficient to cover the intent with the following legacy ctrls:

- EVP_PKEY_CTRL_PKC

feat: Implement EVP_PKEY_CTX_{set,get}_algor_params() and EVP_PKEY_CTX_get_algor()

This should be sufficient to cover the intent with the following legacy ctrls:

- EVP_PKEY_CTRL_PKCS7_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_PKCS7_SIGN (through EVP_SIGNATURE implementations)
- EVP_PKEY_CTRL_CMS_ENCRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_DECRYPT (through EVP_ASYM_CIPHER implementations)
- EVP_PKEY_CTRL_CMS_SIGN (through EVP_SIGNATURE implementations)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)

show more ...

feat: Implement EVP_CIPHER_CTX_{set,get}_algor_params() and EVP_CIPHER_CTX_get_algor()

EVP_CIPHER_CTX_set_algor_params() and EVP_CIPHER_CTX_set_algor_params() can
be used instead of EVP_

feat: Implement EVP_CIPHER_CTX_{set,get}_algor_params() and EVP_CIPHER_CTX_get_algor()

EVP_CIPHER_CTX_set_algor_params() and EVP_CIPHER_CTX_set_algor_params() can
be used instead of EVP_CIPHER_asn1_to_param() and EVP_CIPHER_param_to_asn1().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25000)

show more ...

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow

Implement functionality for direct use of composite signature algorithms

The following API groups are extended with a new init function, as well
as an update and final function, to allow the use of explicitly fetched
signature implementations for any composite signature algorithm, like
"sha1WithRSAEncryption":

- EVP_PKEY_sign
- EVP_PKEY_verify
- EVP_PKEY_verify_recover

To support this, providers are required to add a few new functions, not
the least one that declares what key types an signature implementation
supports.

While at this, the validity check in evp_signature_from_algorithm() is
also refactored; the SIGNATURE provider functionality is too complex for
counters. It's better, or at least more readable, to check function
combinations.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)

show more ...

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicat

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicator parameter to be queried after keygen.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

fix: style nits

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Sho

fix: style nits

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24854)

show more ...

fix: refactor the EVP_PKEY_OP checks

On the one hand, we have public macros that are collections of EVP_PKEY_OP
bits, like EVP_PKEY_OP_TYPE_SIG, obviously meant to be used like this:

fix: refactor the EVP_PKEY_OP checks

On the one hand, we have public macros that are collections of EVP_PKEY_OP
bits, like EVP_PKEY_OP_TYPE_SIG, obviously meant to be used like this:

if ((ctx->operation & EVP_PKEY_OP_TYPE_SIG) == 0) ...

On the other hand, we also have internal test macros, like
EVP_PKEY_CTX_IS_SIGNATURE_OP(), obviously meant to be used like this:

if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)) ...

Unfortunately, these two sets of macros were completely separate, forcing
developers to keep them both sync, manually.

This refactor makes the internal macros use the corresponding public macros,
and adds the missing public macros, for consistency.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24854)

show more ...

Add EVP_DigestSqueeze() API.

Fixes #7894

This allows SHAKE to squeeze multiple times with different output sizes.

The existing EVP_DigestFinalXOF() API has been left as a o

Add EVP_DigestSqueeze() API.

Fixes #7894

This allows SHAKE to squeeze multiple times with different output sizes.

The existing EVP_DigestFinalXOF() API has been left as a one shot
operation. A similar interface is used by another toolkit.

The low level SHA3_Squeeze() function needed to change slightly so
that it can handle multiple squeezes. This involves changing the
assembler code so that it passes a boolean to indicate whether
the Keccak function should be called on entry.
At the provider level, the squeeze is buffered, so that it only requests
a multiple of the blocksize when SHA3_Squeeze() is called. On the first
call the value is zero, on subsequent calls the value passed is 1.

This PR is derived from the excellent work done by @nmathewson in
https://github.com/openssl/openssl/pull/7921

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21511)

show more ...

Add additional internal HPKE hardening checks resulting from code audit.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://g

Add additional internal HPKE hardening checks resulting from code audit.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22493)

show more ...

Restore the meaning of EVP_PKEY_print_private()

With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD
function "priv_print", effectively asking the backend to pri

Restore the meaning of EVP_PKEY_print_private()

With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD
function "priv_print", effectively asking the backend to print whatever it
regards as private key components.

In all backends that were built into libcrypto, this function printed what
was included in the private key structure, which usually includes the
public key components as well.

With OpenSSL 3.0, some of the corresponding key2text encoders got a
slightly different behavior, where the presence of the selector
OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector
OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be
regarded as private key components printed. This isn't entirely consistent,
though, as the RSA key2text encoder will still print the public key
components regardless.

To compensate for the changed backend behavior, EVP_PKEY_print_private()
was made to ask the encoder to print the keypair rather than just the
private key, thereby moving the backend semantics to the application API.
Unfortunately, this causes confusion for providers where the key2text
encoder really should print the private key only.

This change restores the built-in 1.1.1 backend behavior in the encoders
that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its
documented behavior, leaving it to the backend to decide what it regards as
"private key components".

Fixes #22233

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22237)

show more ...

Copyright year updates


Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Add a flag so finalised contexts are not reused

The EVP layer should not rely on the underlying low level code to
handle catching incorrect reuse of contexts.
Add a flag to mark a co

Add a flag so finalised contexts are not reused

The EVP layer should not rely on the underlying low level code to
handle catching incorrect reuse of contexts.
Add a flag to mark a context as finalised as needed and then catch and
immediately error on Update/Final operations if called improperly.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20375)

show more ...

Enable some disabled __owurs

Fixes #15902

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>

Enable some disabled __owurs

Fixes #15902

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/15905)

show more ...

rand: add set0 calls for the private and public DRBGs

The FIPS 140-3 DSA and ECDSA tests need to be known answer tests which means
the entropy needs to be cooked. This permits this.

rand: add set0 calls for the private and public DRBGs

The FIPS 140-3 DSA and ECDSA tests need to be known answer tests which means
the entropy needs to be cooked. This permits this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)

show more ...

Add HPKE DHKEM provider support for EC, X25519 and X448.

The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorit

Add HPKE DHKEM provider support for EC, X25519 and X448.

The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorithms for EC and ECX.

This PR only implements the DHKEM component of HPKE as specified in
RFC 9180.

crypto/hpke/hpke_util.c has been added for fuctions that will
be shared between DHKEM and HPKE.

API's for EVP_PKEY_auth_encapsulate_init() and EVP_PKEY_auth_decapsulate_init()
have been added to support authenticated encapsulation. auth_init() functions
were chosen rather that a EVP_PKEY_KEM_set_auth() interface to support
future algorithms that could possibly need different init functions.

Internal code has been refactored, so that it can be shared between the DHKEM
and other systems. Since DHKEM operates on low level keys it needs to be
able to do low level ECDH and ECXDH calls without converting the keys
back into EVP_PKEY/EVP_PKEY_CTX form. See ossl_ecx_compute_key(),
ossl_ec_public_from_private()

DHKEM requires API's to derive a key using a seed (IKM). This did not sit
well inside the DHKEM itself as dispatch functions. This functionality
fits better inside the EC and ECX keymanagers keygen, since
they are just variations of keygen where the private key is generated
in a different manner. This should mainly be used for testing purposes.
See ossl_ec_generate_key_dhkem().
It supports this by allowing a settable param to be passed to keygen
(See OSSL_PKEY_PARAM_DHKEM_IKM).
The keygen calls code within ec and ecx dhkem implementation to handle this.
See ossl_ecx_dhkem_derive_private() and ossl_ec_dhkem_derive_private().
These 2 functions are also used by the EC/ECX DHKEM implementations to generate
the sender ephemeral keys.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19068)

show more ...

Implement AES-GCM-SIV (RFC8452)

Fixes #16721

This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement

Implement AES-GCM-SIV (RFC8452)

Fixes #16721

This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.

This implementation lives only in the default provider; there is no legacy
implementation.

The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.

Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

Add context dup functions for digests and ciphers

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

Add a comment to indicate ineffective macro

EVP_MD_CTX_FLAG_NON_FIPS_ALLOW macro is obsolete and unused from
openssl-3.0 onwards

CLA: trivial

Signed-off-by: Shreenidhi

Add a comment to indicate ineffective macro

EVP_MD_CTX_FLAG_NON_FIPS_ALLOW macro is obsolete and unused from
openssl-3.0 onwards

CLA: trivial

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17484)

show more ...

Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs

Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to

Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs

Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to be consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16128)

show more ...

EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()

Fixes #16058

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merge

EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()

Fixes #16058

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16063)

show more ...

evp: constify some OSSL_PARAM arguments

These were missed when the initialisation params were added

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/o

evp: constify some OSSL_PARAM arguments

These were missed when the initialisation params were added

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16072)

show more ...

EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()

This makes them more consistent with other new interfaces.

Fixes #15839

Reviewed-by: David von Oheimb <da

EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()

This makes them more consistent with other new interfaces.

Fixes #15839

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15861)

show more ...