Expose the EC field degree as a gettable parameter for both provided
and legacy EC keys. In the latter case, drop a spurious assertion,
since even in debug builds an application may try to get an unknown
parameter, and this should return an error rather than abort.
In the EC `TEXT` encoding format, instead of reporting the bit count of
the group order, report the field degree (which matches the size number
in the curve's name when present) and also the symmetric-equivalent
security-bits (adjusted down the the standard numbers (80, 112, 128,
192, 256).
Along the way, add a missing getter method for the EC_GROUP security
bits.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Thu Jan 15 16:10:26 2026
(Merged from https://github.com/openssl/openssl/pull/29539)
Now that the ability to register a custom EVP_PKEY_ASN1_METHOD has
been removed in an earlier commit, we can now remove the functions that
are used to create a custom EVP_PKEY_ASN1_METHOD.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29405)
We remove the ability to add application defined EVP_PKEY_ASN1_METHODs
via the `EVP_PKEY_asn1_add0()` function. We also remove the related function
`EVP_PKEY_asn1_add_alias()`.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29405)
OpenSSL's build file (Makefile) handles library directories via two
variables, 'LIBDIR' and 'libdir', where the former is empty when the
path given through ./Configure's '--libdir' is absolute.
This was forgotten when treating the resulting values in,
util/mkinstallvars.pl, which got libdir in exporters/libcrypto.pc
to not be quite right if .Configure was called with a '--libdir'
with an absolute path.
The fix turns out to be quite easy.
Resolves: https://github.com/openssl/openssl/issues/28779
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29540)
Fixes: #1631
This changes the previously internal ossl_x509_check_certificate_times()
to be the public X509_check_certificate_times(). It adds documentation
for the new function and marks X509_cmp_time, X509_cmp_timeframe,
and X509_cmp_current_time as deprecated in 4.0, as discussed in #1631.
Since the function is now public, we can replace the remaining
uses of deprecated stuff with this function.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29152)
This allows setting the ML-KEM and ML-DSA output formats.
At the same fixing surprising lack of password encryption
of PKCS#8 private keys in DER output form in the CLI apps.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29324)
Custom MD methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29366)
Custom cipher methods are considered legacy and have been deprecated
since 3.0. With the removal of ENGINEs they become a lot less useful
and add significant complexity to the code. We should therefore remove
them in 4.0.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29299)
This commit introduces two new functions, EVP_MD_CTX_serialize and
EVP_MD_CTX_deserialize, to the EVP digest API.
These functions allow an application to save the state of a digest
context (EVP_MD_CTX) and restore it later. This is useful for
checkpointing long-running computations, enabling them to be paused
and resumed without starting over.
The implementation adds the OSSL_FUNC_DIGEST_SERIALIZE and
OSSL_FUNC_DIGEST_DESERIALIZE dispatch functions for providers to
supply this functionality.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28837)
We recently found that the addition of a git config command in
util/find-doc-nits is broken in some cases, sepecifically because git
around version 2.46 broke command line compatibility, replacing the
--regexp option with the --get-regexp option. So to maintain usage of
this specific command to parse the .gitconfig file, we would need to do
some extra version detection to construct the proper command line.
However, find-doc-nits already has a fallback condition, which does some
pure perl parsing of the gitconfig file, which works perfectly well.
Instead of trying to do version matching to construct the right form of
the git config command line, just remove it all, and rely on the perl
parrse to do this work for us, which works currently in all cases.
Fixes#29197
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29304)
In was premature to make OSSL_(EN|DE)CODER_CTX_[sg]et_finalized() be
public interfaces. Forunately, these have not yet appeared outside the
"master" branch, so we can still retract them.
Also, in the case of decoders, the implementation failed to take into
account that the context was duplicated before it was returned to the
user, and the duplicated copy failed to copy the "finalized" field.
This commit also renames "finalized" to "frozen", because
finalisation is a misleading term in this context, it suggests
resource reclamation during garbage collection or deallocation,
not marking a structure partly immutable.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29206)
We support selection of ML-KEM and ML-DSA key formats on input and
output at the provider level, these are essentially global defaults,
in effect for the lifetime of the process.
Unfortunately, the JAVA interface in openssl-jostle needs to be able to
output a specific key in seed-only form. To that end, this PR
introduces a new "output-formats" PKEY encoding parameter, that can be used
with OSSL_ENCODER_CTX_set_params(3) when encoding a key to PKCS#8, after
using OSSL_ENCODER_CTX_new_for_key(3), rather than i2d_PrivateKey(3),
i2d_PKCS8PrivateKey(3) or PEM equivalents.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29206)
The markdownlint rule MD032, which checks for blank lines surrounding lists,
is disabled because it is buggy and produces false positives. This change
prevents unnecessary build failures caused by incorrect linting.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29004)
Implement EVP_SIGNATURE_hash_message_update() to check for support
of EVP_PKEY_sign_message_update() and EVP_PKEY_verify_message_update() and
use this function to replace the has_msg_update column in CMS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Enable signature verification for hashless signing schemes, such as ML-DSA
and EdDSA, for the non-attribute case of CMS. Also in this case the BIO
with the plain input data needs to be passed through to the signature
verification function so that the pure-mode signature verification method
can hash the plain data itself.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
Enable the ability to sign with a hashless signing schemes, such as ML-DSA
in pure mode, in case no attributes are used in CMS. To support this, pass
the BIO with the plain data through to the signing function so that key's
pure mode signing scheme can hash the data itself.
The current implementation relies on a seek'able BIO so that the data
stream can be read multiple times for support of multiple keys.
Some signing schemes, such as ML-DSA, support the message_update function
when signing data, others, such as EdDSA keys do not support it. The former
allows for reading data in smaller chunks and calling
EVP_PKEY_sign_message_update with the data, while the latter requires that
all data are all read into memory and then passed for signing. This latter
method could run into out-of-memory issue when signing very large files.
Fixes: #28279
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28923)
The documentation now reference(s) FIPS 186-5 instead of FIPS 186-4,
and clarifies the keygen method used.
This PR also adds the new FIPS 186-5 2 optional parameters that allow
the generated probable primes to be congruent to a value mod 8.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28349)
Encrypted Data does not support AEAD algorithms. If you wish to
use AEAD algorithms you will have to use a CMS_AuthEnvelopedData
structure. Therefore, when AEAD algorithms are used with
CMS_EncryptedData_set1_key will now return an error.
Fixes: #28607
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28711)
Some files in @except_env_files are located in the build directory,
not the source directory.
Furthermore, because the files and directories in @except_dirs and
@except_env_files may look different than the elements in what find()
returns, realpath() must be used to ensure that file name comparison
matches when it should.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28601)
