4156 Commits

Author	SHA1	Message	Date
Richard Levitte	be00136419	Fix OPENSSL_VERSION_NUMBER to always have zero status bits ... The documentation suggested that they were always zero, while the implementation in <openssl/opensslv.h> suggested that it could be 0xf in OpenSSL releases... which (almost) never happened because of a bug in said implementation. Therefore, we solidify that the status bits are indeed always zero, at least in all OpenSSL 3 versions. Resolves: https://github.com/openssl/project/issues/1621 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28603) (cherry picked from commit 60c4feacce)	2025-09-20 09:27:41 +02:00
Eugene Syromiatnikov	cc73038ab4	Revert "rsa: expose pairwise consistency test API" ... This reverts commit dc5cd6f70a "rsa: expose pairwise consistency test API", that has introduced ossl_rsa_key_pairwise_test() function, as the only user has been removed in 7f7f75816f "import pct: remove import PCTs for most algorithms". Complements: 7f7f75816f "import pct: remove import PCTs for most algorithms" Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28557) (cherry picked from commit 5a299cb0d4)	2025-09-18 17:31:52 +02:00
openssl-machine	c836d8f2b1	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes	2025-09-16 12:03:50 +00:00
Pauli	d4dfefef6a	Add OSSL_SELF_TEST_TYPE_PCT_IMPORT transient error state ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28376) (cherry picked from commit 1dc1de7861)	2025-08-30 09:23:31 -04:00
Pauli	a6747a8b44	add new error ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28376) (cherry picked from commit 9013cca925)	2025-08-30 09:23:29 -04:00
Pauli	2ead3ab8ca	slh-dsa: add a PCT for key import when in FIPS mode ... Fixes #28182 Co-Authored-By: slontis <shane.lontis@oracle.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28276) (cherry picked from commit 7903702280)	2025-08-29 14:39:14 -04:00
Richard Levitte	229bc34313	Correct the synthetisized OPENSSL_VERSION_NUMBER ... The last hex digit always became 0x0L, even of OPENSSL_VERSION_PRE_RELEASE was the empty string. Resolves: https://github.com/openssl/openssl/issues/28227 Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28230) (cherry picked from commit ba2c314a60)	2025-08-13 06:07:38 +02:00
Eugene Syromiatnikov	f2adaa2b60	Remove OSSL_CRYPTO_ALLOC attribute from CRYPTO_*dup routines ... The __attribute__((malloc)) is for functions that return new memory, and "the memory [returned by the function] has undefined content", which is a property that doesn't hold for the *dup functions (the same reason it doesn't apply to realloc). Fixes: e1035957eb "OSSL_CRYPTO_ALLOC attribute introduction proposal." Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28220) (cherry picked from commit 85bba74789)	2025-08-12 15:02:18 -04:00
Neil Horman	0fa07898e1	Ensure that the largest_pn values are migrated to our channel qrx ... Recently, our overnight QUIC interop runs began failing in CI when an openssl server was tested against an ngtcp2 client: https://github.com/openssl/openssl/actions/runs/16739736813 The underlying cause bears some explination for historical purposes The problem began happening with a recent update to ngtcp2 in which ngtcp2 updated its wolfssl tls backend to support ML-KEM, which caused ngtcp to emit a client hello message that offered several groups (including X25519MLKEM768) but only provided a keyshare for x25519. This in turn triggered the openssl server to respond with a hello retry request (HRR), requesting an ML-KEM keyshare instead, which ngtcp2 obliged. However all subsequent frames from the client were discarded by the server, due to failing packet body decryption. The problem was tracked down to a mismatch in the initial vectors used by the client and server, leading to an AEAD tag mismatch. Packet protection keys generate their IV's in QUIC by xoring the packet number of the received frame with the base IV as derived via HKDF in the tls layer. The underlying problem was that openssl hit a very odd corner case with how we compute the packet number of the received frame. To save space, QUIC encodes packet numbers using a variable length integer, and only sends the changed bits in the packet number. This requires that the receiver (openssl) store the largest received pn of the connection, which we nominally do. However, in default_port_packet_handler (where QUIC frames are processed prior to having an established channel allocated) we use a temporary qrx to validate the packet protection of those frames. This temporary qrx may be incorporated into the channel in some cases, but is not in the case of a valid frame that generates an HRR at the TLS layer. In this case, the channel allocates its own qrx independently. When this occurs, the largest_pn value of the temporary qrx is lost, and subsequent frames are unable to be received, as the newly allocated qrx belives that the larges_pn for a given pn_space is 0, rather than the value received in the initial frame (which was a complete 32 bit value, rather than just the changed lower 8 bits). As a result the IV construction produced the wrong value, and the decrypt failed on those subsequent frames. Up to this point, that wasn't even a problem, as most quic implementations start their packet numbering at 0, so the next packet could still have its packet number computed properly. The combination of ngtcp using large random values for initial packet numbers, along with the HRR triggering a separate qrx creation on a channel led to the discovery of this discrepancy. The fix seems pretty straightforward. When we detect in port_default_packet_handler, that we have a separate qrx in the new channel, we migrate processed packets from the temporary qrx to the canonical channel qrx. In addition to doing that, we also need to migrate the largest_pn array from the temporary qrx to the channel_qrx so that subsequent frame reception is guaranteed to compute the received frame packet number properly, and as such, compute the proper IV for packet protection decryption. Fixes openssl/project#1296 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28189)	2025-08-07 10:39:28 +02:00
openssl-machine	8f9d7c283e	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes	2025-08-05 12:07:41 +00:00
Pauli	566f7c9188	dh: add FIPS 140-3 PCT on key import. ... This is mandated by FIPS 140-3 IG 10.3.A additional comment 1 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28122) (cherry picked from commit db969c3ab0)	2025-07-31 20:42:04 +02:00
Pauli	b8ebde18e4	fips: add DH PCT name ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28122) (cherry picked from commit 88a1309566)	2025-07-31 20:42:03 +02:00
Pauli	6d904c9b34	rsa: expose pairwise consistency test API ... This is only used by the FIPS provider as part of importing keys. At least at the moment. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28122) (cherry picked from commit dc5cd6f70a)	2025-07-31 20:40:10 +02:00
Ingo Franzki	de13aae14a	Make ERR_count_to_mark() available to providers via 'in' dispatch array ... Functions like ERR_set_mark(), ERR_clear_last_mark(), and ERR_pop_to_mark() are already passed to the a provider via the 'in' dispatch array of the provider initialization function (although the documentation did not mention them). Also pass ERR_count_to_mark() to the provider the same way, and update the documentation to mention all four functions. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28073) (cherry picked from commit f77fafd16e)	2025-07-30 18:27:52 +02:00
Alexandr Nedvedicky	f6075ab7ee	- changes suggested by @t8m ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit 92330c8f80)	2025-07-27 05:01:17 -04:00
sashan	e068624ee1	ACK manager must avoid infinite probe time when waiting handshake confirmation ... According to RFC 9002, section 6.2.2.1 the client the client must keep PTO (probe time out) armed if it has not seen HANDSHAKE_DONE quic message from server. Not following RFC spec here may cause the QUIC session to stale during TLS handshake. Fixes openssl/project#1266 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit cdbfacead0)	2025-07-27 05:01:07 -04:00
Alen Yan	7342621a33	fix SM2 privatekey decode(PEM format, ECPrivateKey). ... Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27963) (cherry picked from commit bd172dd0e1)	2025-07-25 09:51:15 +02:00
openssl-machine	ed2e04f18a	Copyright year updates ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes	2025-07-01 11:50:25 +00:00
Richard Levitte	9276d41b09	Nit: macro parameters should always be parenthesised in expressions ... Affected macros: ossl_likely and ossl_unlikely Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27862) (cherry picked from commit cdd01b5e07)	2025-06-21 18:24:44 -04:00
Neil Horman	64edd8cdd9	Remove _strlen31 ... This function is old and fairly broken. Code archeology in our git tree hasn't revealed why it was creted (though it may have possibly been to support older win32 systems that couldn't do 64 bit integers properly, like windows 95/98). There seems to be no good reason to keep it around, and given that it has potentially serious side effects, lets just remove it. Fixes #27761 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27763) (cherry picked from commit b0d363a2cb)	2025-06-06 10:07:16 +02:00
Andrew Dinh	61ff9d94b3	Reset qtls->local_transport_params_consumed to 0 on SSL_clear() ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27656) (cherry picked from commit 9bad2b86e8)	2025-06-03 18:30:09 +02:00
Jai S	b3fdf0fdec	Use value barrier for constant_time_cond_swap_* ... Resolves #27497 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27581) (cherry picked from commit 8a9e0d0f49)	2025-06-03 14:25:14 +02:00
Dr. David von Oheimb	ae538c4307	crypto/evp: compensate for providers not adding error queue entries for keymgmt, sigver, and asymcipher ... Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27367) (cherry picked from commit 72351b0d18)	2025-05-20 21:20:15 +02:00
Dr. David von Oheimb	29fb842065	Fix SSL_{set1,add1}_host() handling of host name/IP address and related documentation ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27457) (cherry picked from commit 1eee02d3e7)	2025-05-06 15:11:49 +02:00
Matt Caswell	aa824cb9e8	Ensure that our fips internal provider is always loaded ... The fips provider has an internal provider. In some circumstances we could end up trying to find it, but failing because it hasn't been loaded yet. We just always ensure it is loaded early to avoid this. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27408) (cherry picked from commit 6ff4c1d874)	2025-04-30 10:56:16 +02:00
sashan	5bb2abc26a	ossl_json_f64() seems to be unused, remove it to avoid libm dependency ... Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27434) (cherry picked from commit 0e41862899)	2025-04-29 19:39:37 +02:00
Matt Caswell	6bb3e506b0	Fix errors on SSL_accept() and SSL_get_error() ... Calling SSL_accept() was raising two errors on the stack if you passed the wrong object type. Similarly SSL_get_error() was adding an error to the stack if the wrong object type was passed and returning the wrong result. We also ensure SSL_set_accept_state() and SSL_set_connect_state() don't raise spurious errors since these are void functions. Fixes #27347 Fixes #27348 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27351) (cherry picked from commit cb5bb8916f)	2025-04-24 20:11:04 +02:00
Gerd Hoffmann	65ac7698ba	hashfunc: add stddef.h include ... size_t is declared in stddef.h, so include the header file to make sure it is available. Fixes build on UEFI. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27284) (cherry picked from commit 44e9c5a3ed)	2025-04-15 15:29:06 +01:00
openssl-machine	b17e3bb6ce	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes	2025-03-25 14:59:38 +00:00
Matt Caswell	fb55383c65	Move the Handshake read secret change earlier in the process for QUIC 0-RTT ... On the server side we were changing the handshake rx secret a little late. This meant the application was forced to call SSL_do_handshake() again even if there was nothing to read in order to get the secret. We move it a little earlier int the process to avoid this. Fixes the issue described in: https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27101) (cherry picked from commit 95051052b3)	2025-03-20 20:22:53 +01:00
Matt Caswell	6e4ddabd98	Fix the use of CCM ciphersuites with QUIC TLS API ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27091) (cherry picked from commit 207cd5bb97)	2025-03-20 11:25:01 +01:00
Viktor Dukhovni	d46923327f	Tolerate PKCS#8 V2 with optional public keys ... - Presently any included public key is unused. - We don't check that v1 PKCS#8 structures omit the public key. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27076) (cherry picked from commit 064bb16454)	2025-03-19 12:03:02 +01:00
Randall S. Becker	dbb5c73f90	Wrap use of poll.h to prevent including on NonStop. ... Fixes: #26724 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/26726) (cherry picked from commit ff030ad5bd)	2025-03-14 07:49:48 -04:00
openssl-machine	0c679f5566	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes	2025-03-12 13:35:59 +00:00
Neil Horman	9a308a89a4	Orphan packets from qrx ... It may occur that the qrx we allocate in port_default_packet handler to do AEAD validation isn't the one the channel ultimately uses (like if we turn off address validation). In that event, we need to ensure that anything we have on that qrx isn't returned to its free list to avoid early freeing when we free the qrx at the end of port_default_packet_handler, while those frames are still pending on the channel qrx Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27004)	2025-03-09 18:44:53 +01:00
Ivan Stanković	e599893a9f	x509: allow SAN URIs to contain userinfo ... The way we're currently handling SAN URIs does not allow for userinfo, meaning the name constraint check on such URIs will fail. Fix this by skipping over the userinfo component: authority = [ userinfo "@" ] host [ ":" port ] (per RFC 3986). Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25861)	2025-03-04 17:30:34 +01:00
Viktor Dukhovni	31b5f3f382	Further decoder tuning possibly better perf ... - The decoder should consider fewer options based on more precise tracking of the desired input type (DER, PVK, MSBLOB), algorithm (RSA, EC, ...), input structure (SPKI, P8, ...). How much this affects actual use-cases is harder to estimate, we'll just have to run before/after perf tests. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26927)	2025-03-02 02:04:09 +11:00
Ian Spence	d4430ef9fc	Delete include/openssl/asn1_mac.h ... See https://github.com/openssl/openssl/discussions/26886 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26900)	2025-03-01 09:27:54 -05:00
Dan Pittman	b4116b9372	add an AVX-512-optimized ASM XTS implementation for x86_64 ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26410)	2025-02-27 08:31:16 -05:00
Andrew Dinh	054f6c0fc1	Optimize ossl_namemap_name2num_n to avoid strndup ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26870)	2025-02-26 13:32:59 -05:00
Viktor Dukhovni	44a64029c3	Use better data type info in decoders ... The decoders in some cases failed to capture or propagate information about what is being decoded, causing more work happen to try unrelated decoders as a fallback. We now try harder to keep track of the expected object (private key or public key, if known), and the algorithm determined from the OID of a PKCS8 object or SPKI. This leads in many cases to fewer decoder invocations. With so many more algorithms now, trying every decoder is increasingly best avoided. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26892)	2025-02-26 15:13:57 +01:00
Tomas Mraz	87b5aa737d	Rename fnv1a_hash() to ossl_fnv1a_hash() ... It is no longer static. Also add it to libssl only with quic enabled. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26882)	2025-02-25 15:45:42 +01:00
Alexandr Nedvedicky	96075a6a40	Fix AEAD validation of initial packets in port ... The interoperability tests disable client ip address validation done by RETRY packet. All tests done in CI take code path which sends a retry packet. The first initial packet sent by client uses a different initial encryption level keys to protect packet integrity. The keys are derived from DCID chosen by client. When server accepts connection on behalf of initial packet, the 'DCID' gets changed which means the initial level encryption keys are changing too. So when server skips sending a retry packet, it must forget the qrx which was used to validate initial packet sent by client. Forgetting qrx is not straightforward, we must salvage the unencrypted packets left there after they were validated. Those unencrypted packets must be injected to newly created channel. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26808)	2025-02-25 12:05:10 +01:00
Alexandr Nedvedicky	c14ae04613	Perform initial AEAD validation before creating a channel ... We let port to create qrx object and use it for packet validation. If packet validates, we then create channel and pass pre-created qrx to channel's constructor. Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26808)	2025-02-25 12:04:09 +01:00
daichengrong	7fb4a323f1	riscv: add dl_hwcap for capability detection ... Availability of ZVK* should be determined with dl_hwcap and hwcap. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26811)	2025-02-25 12:01:59 +01:00
Viktor Dukhovni	64a27c24d8	More seed and private key checks for ML-DSA ... - Check seed/key consistency when generating from a seed and the private key is also given. - Improve error reporting when the private key does not match an explicit public key. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/26865)	2025-02-25 12:49:49 +11:00
slontis	6e770d38c7	SLH-DSA - restrict keygen seed length to exact value of 3*n ... It was allowing the seed to be larger, and then just ignoring the trailing bytes. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26858)	2025-02-22 22:46:44 +11:00
Pauli	92a54f4d59	fips: update FIPS self test defines ... Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26859)	2025-02-22 17:31:43 +11:00
Pauli	a5cc141bbc	fips: add key generation name for ML-KEM CASTs ... Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26859)	2025-02-22 17:31:43 +11:00
Dmitry Belyavskiy	17bbc16383	EVP_SKEY_get_raw_key => EVP_SKEY_get0_raw_key ... Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26832)	2025-02-21 17:58:41 +01:00