Changes made recently in commit 31b5f3f made changes to how a default
decoder was created, in which ossl_decoder_instance_new() started
returning null. Other storemgmt providers were updated to start using
ossl_decoder_instance_new_forprov, but the winstore manager seems to
have got missed. Fix it up properly
Fixes#27355
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27384)
(cherry picked from commit 8419baf31222c5f439b09ceb41f7a6e1916eab3b)
Reported by David Makepeace
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27203)
(cherry picked from commit 0a78595eac55cc9ec9d2046c704404ec52752b8c)
Issue reported by Apple Inc on 2025-03-26.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27173)
(cherry picked from commit 02cada2e45a2867e304542f9c5440bfb29af0283)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27175)
(cherry picked from commit 60f2a714002365256dba1c55bb4dd46802ea14d6)
Reported by @romen
It was off by a factor of 8.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27110)
(cherry picked from commit 3c1f50ad6f3d9dbbce095e83a59e6cd64cabe65e)
The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the
ed25519_get_params() and ed448_get_params(). The x25519 and x448
versions of get_params() always ignore that parameter, so it should not
be in the list of gettable params.
Fixes: 1a7328c88256 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest")
cla: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27043)
(cherry picked from commit 482d3f9338b3d4c7537a1d112dce9c8e370c8d9f)
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
- The decoder should consider fewer options based on
more precise tracking of the desired input type
(DER, PVK, MSBLOB), algorithm (RSA, EC, ...),
input structure (SPKI, P8, ...).
How much this affects actual use-cases is harder to estimate, we'll just
have to run before/after perf tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26927)
When both seed and key are provided compare the full ML-KEM private key
with the seed keygen output, not just the public key.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26905)
The decoders in some cases failed to capture or propagate
information about what is being decoded, causing more work
happen to try unrelated decoders as a fallback.
We now try harder to keep track of the expected object (private key or
public key, if known), and the algorithm determined from the OID of a
PKCS8 object or SPKI. This leads in many cases to fewer decoder
invocations. With so many more algorithms now, trying every decoder
is increasingly best avoided.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26892)
Also move the deprecated curves to the end of the list, and order the
soon most preferred groups first.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26873)
Fixes#26876
The issue here is that the pbkdf2 'lower_bounds_checks' currently errors by default
in FIPS mode if iterations < 1000.
i.e. the "pkcs5" flag = 0 triggers an error..
Turning the flag on means the FIPS indicator is triggered (which is probably correct behaviour)
Not sure testing the fips state here is a good idea (i.e. taking a TSAN hit).
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26887)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
FIPS 3.0.9 provider does not honor runtime seed configuration, thus if
one desires to use JITTER entropy source with FIPS 3.0.9 provider
something like this needs to be applied to the core (libcrypto) build.
Not sure if this is at all suitable for upstream.
With fips-jitter (3.5+) config, also ensure that core<->provider
callback for entropy uses jitter entropy source, rather than os seed
(getrandom syscall).
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
There is only one operating mode supported for each of RSA, EC and ECX.
We should not require an explicit setting for the obvious default.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26872)
- Check seed/key consistency when generating from a seed and the private
key is also given.
- Improve error reporting when the private key does not match an
explicit public key.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26865)
It was allowing the seed to be larger, and then just ignoring the
trailing bytes.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26858)
The private key is defined in FIPS 205 as containing the public key,
so we return this also. This also matches what happens in fromdata.
Updated Documentation for SLH_DSA.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26839)
This code was duplicated multiple times throughout the self tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Encapsulation and decapsulation remain as their own CAST.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
oqsprovider did not use dashes in the algorithm names for ML-DSA. Make
the transition smoother by also accepting the names without dashes as
aliases.
See also #26326 for the same thing for ML-KEM.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26853)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26837)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26821)
This brings it inline with the same parameter for ML-KEM and ML-DSA.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26750)
- Cross-check seed `z` value on import as well as load.
- In import/load When re-generating from a seed, check hash of any
explicit private key when both provided.
- Avoid leak of expanded key encoding when load fails.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26812)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26701)
- Added sigid_algs for SLH_DSA such that OBJ_find_sigid_algs() works.
- OBJ_sn2nid() was also being called, so the SN form of SLH_DSA
algorithms needed to be added to the provider dispatch tables.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26625)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
custom encoders for SLH_DSA decode_der2key.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Addressed some review comments.
- Ref counting has been removed from SLH_DSA_KEY (EVP_PKEY is responsible
for the keys ref counting).
- Moved constants and prefetched objects into SLH_DSA_KEY.
- The SLH_DSA_HASH_CTX is still required since there are multiple
contexts that need to propagate to a lot of functions, but it no
longer contains the constants. Note that it also holds a pointer to
the SLH_DSA_KEY.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
The pairwise test requires that the computed PK_ROOT key matches the
keys PK_ROOT value. The public and private key tests just require the
key elements to exist.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
This requires a keygen test, as well as Sign/Verify tests for at least 1
sha2 algorithm and 1 shake related algorithm.
A pairwise consistency test has also been added to the key generation.
Note that self test datat for the signature is currently stored as a
sha256 digest in order to reduce the memory footprint.
(Since the signature size for sha2/shake using 128s = ~8K, and for 128f = ~17K)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
