The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the
ed25519_get_params() and ed448_get_params(). The x25519 and x448
versions of get_params() always ignore that parameter, so it should not
be in the list of gettable params.
Fixes: 1a7328c882 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest")
cla: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27043)
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
- The decoder should consider fewer options based on
more precise tracking of the desired input type
(DER, PVK, MSBLOB), algorithm (RSA, EC, ...),
input structure (SPKI, P8, ...).
How much this affects actual use-cases is harder to estimate, we'll just
have to run before/after perf tests.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26927)
When both seed and key are provided compare the full ML-KEM private key
with the seed keygen output, not just the public key.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26905)
The decoders in some cases failed to capture or propagate
information about what is being decoded, causing more work
happen to try unrelated decoders as a fallback.
We now try harder to keep track of the expected object (private key or
public key, if known), and the algorithm determined from the OID of a
PKCS8 object or SPKI. This leads in many cases to fewer decoder
invocations. With so many more algorithms now, trying every decoder
is increasingly best avoided.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26892)
Also move the deprecated curves to the end of the list, and order the
soon most preferred groups first.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26873)
Fixes#26876
The issue here is that the pbkdf2 'lower_bounds_checks' currently errors by default
in FIPS mode if iterations < 1000.
i.e. the "pkcs5" flag = 0 triggers an error..
Turning the flag on means the FIPS indicator is triggered (which is probably correct behaviour)
Not sure testing the fips state here is a good idea (i.e. taking a TSAN hit).
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26887)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
FIPS 3.0.9 provider does not honor runtime seed configuration, thus if
one desires to use JITTER entropy source with FIPS 3.0.9 provider
something like this needs to be applied to the core (libcrypto) build.
Not sure if this is at all suitable for upstream.
With fips-jitter (3.5+) config, also ensure that core<->provider
callback for entropy uses jitter entropy source, rather than os seed
(getrandom syscall).
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25930)
There is only one operating mode supported for each of RSA, EC and ECX.
We should not require an explicit setting for the obvious default.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26872)
- Check seed/key consistency when generating from a seed and the private
key is also given.
- Improve error reporting when the private key does not match an
explicit public key.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26865)
It was allowing the seed to be larger, and then just ignoring the
trailing bytes.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26858)
The private key is defined in FIPS 205 as containing the public key,
so we return this also. This also matches what happens in fromdata.
Updated Documentation for SLH_DSA.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26839)
This code was duplicated multiple times throughout the self tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Encapsulation and decapsulation remain as their own CAST.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
oqsprovider did not use dashes in the algorithm names for ML-DSA. Make
the transition smoother by also accepting the names without dashes as
aliases.
See also #26326 for the same thing for ML-KEM.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26853)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26837)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26821)
This brings it inline with the same parameter for ML-KEM and ML-DSA.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26750)
- Cross-check seed `z` value on import as well as load.
- In import/load When re-generating from a seed, check hash of any
explicit private key when both provided.
- Avoid leak of expanded key encoding when load fails.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26812)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26701)
- Added sigid_algs for SLH_DSA such that OBJ_find_sigid_algs() works.
- OBJ_sn2nid() was also being called, so the SN form of SLH_DSA
algorithms needed to be added to the provider dispatch tables.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26625)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
custom encoders for SLH_DSA decode_der2key.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Addressed some review comments.
- Ref counting has been removed from SLH_DSA_KEY (EVP_PKEY is responsible
for the keys ref counting).
- Moved constants and prefetched objects into SLH_DSA_KEY.
- The SLH_DSA_HASH_CTX is still required since there are multiple
contexts that need to propagate to a lot of functions, but it no
longer contains the constants. Note that it also holds a pointer to
the SLH_DSA_KEY.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
The pairwise test requires that the computed PK_ROOT key matches the
keys PK_ROOT value. The public and private key tests just require the
key elements to exist.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
This requires a keygen test, as well as Sign/Verify tests for at least 1
sha2 algorithm and 1 shake related algorithm.
A pairwise consistency test has also been added to the key generation.
Note that self test datat for the signature is currently stored as a
sha256 digest in order to reduce the memory footprint.
(Since the signature size for sha2/shake using 128s = ~8K, and for 128f = ~17K)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
This required adding additional EVP_PKEY_ASN1_METHOD methods.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
prehashed variant.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
- Make slh_dsa_sign() return the siglen when sig is NULL.
- Remove the ability in fromdata to generate the public key root
given the private key and public key seed. This was messy and can
be done by key generation instead.
- Add common EVP_PKEY gettablesto SLH_DSA keys
(OSSL_PKEY_PARAM_BITS, OSSL_PKEY_PARAM_SECURITY_BITS, and
OSSL_PKEY_PARAM_MAX_SIZE).
- Update tests based on the above changes.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
The keygen tests required "entropy" to be added via an additional
parameter for ACVP testing. This is required because TEST_RAND cant be
used to pass entropy to the FIPS provider, due to it not knowing the
lib ctx of the FIPS provider.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Also updated function comments.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
Also made fromdata able to generate the public root key if the private
key seed + prf as well as the public key seed are passed to from data.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
This uses a SLH_DSA_CTX that is passed to most functions.
It contains information related to a parameter set (such as constants,
hash functions, prefetched EVP_MD/EVP_MAC objects, as well as ADDRESS
functions). This context is seperated from the SLH_DSA_KEY since
multiple signature operations could be performed using the same keys.
This only implements functions required for SLH-DSA-SHA2-128s
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
This loads a SLH_DSA public key from data.
A simple SLH_DSA keymanager imports this key.
Initially this only has a parameter set for
SLH-DSA-SHA2-128s
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25882)
