Merge d770139b1b into b8c46cba5f

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

.ctags.d/langmap.ctags

@@ -0,0 +1,11 @@
+#
+# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+
+--langmap=C:+.h
+--langmap=C:+.inc

.gitignore

@@ -75,6 +75,7 @@ providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
 providers/common/der/der_ml_dsa_gen.c
+providers/common/der/der_hkdf_gen.c
 providers/common/include/prov/der_slh_dsa.h
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
@@ -84,6 +85,7 @@ providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
 providers/common/include/prov/der_ml_dsa.h
+providers/common/include/prov/der_hkdf.h
 providers/implementations/keymgmt/ml_dsa_kmgmt.c
 providers/implementations/keymgmt/ml_kem_kmgmt.c
 providers/implementations/keymgmt/mlx_kmgmt.c

CHANGES.md

@@ -145,6 +145,11 @@ OpenSSL 3.6
 
    *Michael Krueger, Martin Rauch*
 
+ * Added KEMRecipientInfo (RFC 9629) and ML-KEM (draft-ietf-lamps-cms-kyber)
+   support to CMS.
+
+   *Daniel Van Geest (CryptoNext Security)*
+
 OpenSSL 3.5
 -----------
 

Configurations/unix-Makefile.tmpl

@@ -1422,7 +1422,7 @@ test_ordinals:
 tags TAGS: FORCE build_generated
 	rm -f TAGS tags
 	-( cd $(SRCDIR); util/ctags.sh )
-	-etags `find . -name '*.[ch]' -o -name '*.pm'`
+	-etags `find . -name '*.[ch]' -o -name '*.pm' -o -name '*.inc'`
 
 providers/fips.checksum.new: providers/fips.module.sources.new
 	@which unifdef > /dev/null || \

apps/cms.c

@@ -53,6 +53,7 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 static int verify_err = 0;
 
 typedef struct cms_key_param_st cms_key_param;
+typedef struct cms_recip_opt_st cms_recip_opt;
 
 struct cms_key_param_st {
     int idx;
@@ -60,6 +61,14 @@ struct cms_key_param_st {
     cms_key_param *next;
 };
 
+struct cms_recip_opt_st {
+    int idx;
+    const char *kdf;
+    unsigned char *ukm_data;
+    long ukm_data_length;
+    cms_recip_opt *next;
+};
+
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
@@ -85,7 +94,8 @@ typedef enum OPTION_choice {
     OPT_PROV_ENUM, OPT_CONFIG,
     OPT_V_ENUM,
     OPT_CIPHER, OPT_KEKCIPHER,
-    OPT_ORIGINATOR
+    OPT_ORIGINATOR,
+    OPT_RECIP_UKM, OPT_RECIP_KDF
 } OPTION_CHOICE;
 
 const OPTIONS cms_options[] = {
@@ -167,13 +177,15 @@ const OPTIONS cms_options[] = {
     {"kekcipher", OPT_KEKCIPHER, 's',
      "The key encryption algorithm to use"},
     {"wrap", OPT_WRAP, 's',
-     "Key wrap algorithm to use when encrypting with key agreement"},
+     "Key wrap algorithm to use when encrypting with key agreement or key encapsulation"},
     {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
     {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
     {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
     {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
     {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
      "Disable MMA protection, return error if no recipient found (see doc)"},
+    {"recip_kdf", OPT_RECIP_KDF, 's', "Set KEMRecipientInfo KDF for current recipient"},
+    {"recip_ukm", OPT_RECIP_UKM, 's', "KEMRecipientInfo user keying material for current recipient, in hex notation"},
 
     OPT_SECTION("Signing"),
     {"md", OPT_MD, 's', "Digest algorithm to use"},
@@ -281,6 +293,19 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
     return NULL;
 }
 
+static cms_recip_opt *alloc_recip_opt(int recipidx)
+{
+    cms_recip_opt *opt;
+
+    opt = app_malloc(sizeof(*opt), "recipient options buffer");
+    opt->idx = recipidx;
+    opt->next = NULL;
+    opt->kdf = NULL;
+    opt->ukm_data = NULL;
+    opt->ukm_data_length = 0;
+    return opt;
+}
+
 int cms_main(int argc, char **argv)
 {
     CONF *conf = NULL;
@@ -319,6 +344,8 @@ int cms_main(int argc, char **argv)
     size_t secret_keylen = 0, secret_keyidlen = 0;
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     unsigned char *secret_key = NULL, *secret_keyid = NULL;
+    cms_recip_opt *recip_first = NULL, *recip_opt = NULL;
+    int recipidx = -1;
     long ltmp;
     const char *mime_eol = "\n";
     OPTION_CHOICE o;
@@ -653,6 +680,46 @@ int cms_main(int argc, char **argv)
                 recipfile = opt_arg();
             }
             break;
+        case OPT_RECIP_KDF:
+        case OPT_RECIP_UKM:
+            recipidx = -1;
+            if (operation == SMIME_ENCRYPT) {
+                if (sk_X509_num(encerts) > 0)
+                    recipidx += sk_X509_num(encerts);
+            }
+            if (recipidx < 0) {
+                BIO_printf(bio_err, "No recipient specified\n");
+                goto opthelp;
+            }
+            if (recip_opt == NULL || recip_opt->idx != recipidx) {
+                cms_recip_opt *nopt;
+
+                nopt = alloc_recip_opt(recipidx);
+                if (recip_first == NULL)
+                    recip_first = nopt;
+                else
+                    recip_opt->next = nopt;
+                recip_opt = nopt;
+            }
+            if (o == OPT_RECIP_KDF) {
+                if (recip_opt->kdf != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_kdf for one -recip\n");
+                    goto end;
+                }
+                recip_opt->kdf = opt_arg();
+            } else {
+                if (recip_opt->ukm_data != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_ukm for one -recip\n");
+                    goto end;
+                }
+                recip_opt->ukm_data = OPENSSL_hexstr2buf(opt_arg(),
+                                                         &recip_opt->ukm_data_length);
+                if (recip_opt->ukm_data == NULL) {
+                    BIO_printf(bio_err, "Invalid hex value after -recip_ukm\n");
+                    goto end;
+                }
+            }
+            break;
         case OPT_CIPHER:
             ciphername = opt_unknown();
             break;
@@ -831,6 +898,9 @@ int cms_main(int argc, char **argv)
     if (operation != SMIME_ENCRYPT && *argv != NULL)
         BIO_printf(bio_err,
                    "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
+    if (operation != SMIME_ENCRYPT && recip_first != NULL)
+        BIO_printf(bio_err,
+                   "Warning: -recip_kdf and -recip_ukm parameters ignored for operation other than -encrypt\n");
 
     if ((flags & CMS_BINARY) != 0) {
         if (!(operation & SMIME_OP))
@@ -990,7 +1060,9 @@ int cms_main(int argc, char **argv)
             goto end;
         for (i = 0; i < sk_X509_num(encerts); i++) {
             CMS_RecipientInfo *ri;
+            int ri_type;
             cms_key_param *kparam;
+            cms_recip_opt *ropt;
             int tflags = flags | CMS_KEY_PARAM;
             /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
             EVP_PKEY_CTX *pctx;
@@ -998,14 +1070,19 @@ int cms_main(int argc, char **argv)
             int res;
 
             for (kparam = key_first; kparam; kparam = kparam->next) {
-                if (kparam->idx == i) {
+                if (kparam->idx == i)
+                    break;
+            }
+            for (ropt = recip_first; ropt; ropt = ropt->next) {
+                if (ropt->idx == i)
                     break;
-                }
             }
             ri = CMS_add1_recipient(cms, x, key, originator, tflags);
             if (ri == NULL)
                 goto end;
 
+            ri_type = CMS_RecipientInfo_type(ri);
+
             pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
             if (pctx != NULL && kparam != NULL) {
                 if (!cms_set_pkey_param(pctx, kparam->param))
@@ -1018,12 +1095,39 @@ int cms_main(int argc, char **argv)
             if (res <= 0 && res != -2)
                 goto end;
 
-            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
-                    && wrap_cipher != NULL) {
-                EVP_CIPHER_CTX *wctx;
-                wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-                if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
-                    goto end;
+            if (wrap_cipher != NULL) {
+                EVP_CIPHER_CTX *wctx = NULL;
+
+                if (ri_type == CMS_RECIPINFO_AGREE)
+                    wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+                else if (ri_type == CMS_RECIPINFO_KEM)
+                    wctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+                if (wctx != NULL) {
+                    if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
+                        goto end;
+                }
+            }
+
+            if (ropt != NULL && ri_type == CMS_RECIPINFO_KEM) {
+                if (ropt->ukm_data != NULL) {
+                    if (!CMS_RecipientInfo_kemri_set_ukm(ri, ropt->ukm_data,
+                                                         (int)ropt->ukm_data_length))
+                        goto end;
+                }
+                if (ropt->kdf != NULL) {
+                    X509_ALGOR *kdf_algo;
+                    ASN1_OBJECT *kdf_obj;
+
+                    kdf_algo = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+                    kdf_obj = OBJ_txt2obj(ropt->kdf, 0);
+                    if (kdf_obj == NULL) {
+                        BIO_printf(bio_err, "Unknown KDF %s\n", ropt->kdf);
+                        goto end;
+                    }
+                    /* Only works for OIDs without params */
+                    if (!X509_ALGOR_set0(kdf_algo, kdf_obj, V_ASN1_UNDEF, NULL))
+                        goto end;
+                }
             }
         }
 
@@ -1315,6 +1419,14 @@ int cms_main(int argc, char **argv)
         OPENSSL_free(key_param);
         key_param = tparam;
     }
+    for (recip_opt = recip_first; recip_opt != NULL;) {
+        cms_recip_opt *topt;
+
+        OPENSSL_free(recip_opt->ukm_data);
+        topt = recip_opt->next;
+        OPENSSL_free(recip_opt);
+        recip_opt = topt;
+    }
     X509_STORE_free(store);
     X509_free(cert);
     X509_free(recip);

apps/lib/apps.c

@@ -106,7 +106,8 @@ int chopup_args(ARGS *arg, char *buf)
             char **tmp;
 
             arg->size += 20;
-            tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
+            tmp = OPENSSL_realloc_array(arg->argv,
+                                        arg->size, sizeof(*arg->argv));
             if (tmp == NULL)
                 return 0;
             arg->argv = tmp;
@@ -3461,7 +3462,7 @@ OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
     if (opts == NULL)
         return NULL;
 
-    params = OPENSSL_zalloc(sizeof(OSSL_PARAM) * (sz + 1));
+    params = OPENSSL_calloc(sz + 1, sizeof(OSSL_PARAM));
     if (params == NULL)
         return NULL;
 

apps/lib/vms_decc_argv.c

@@ -56,7 +56,7 @@ char **copy_argv(int *argc, char *argv[])
      * get them when linking with all of libapps.a.
      * See comment in test/build.info.
      */
-    newargv = OPENSSL_malloc(sizeof(*newargv) * (count + 1));
+    newargv = OPENSSL_malloc_array(count + 1, sizeof(*newargv));
     if (newargv == NULL)
         return NULL;
 

apps/progs.pl

@@ -93,7 +93,6 @@ EOF
 
     my %cmd_disabler = (
         ciphers  => "sock",
-        genrsa   => "rsa",
         gendsa   => "dsa",
         dsaparam => "dsa",
         gendh    => "dh",
@@ -107,7 +106,7 @@ EOF
 #   [2] = preprocessor conditional for excluding irrespective of deprecation
 #        rsa      => [ "pkey",      "3_0", "rsa" ],
 #        genrsa   => [ "genpkey",   "3_0", "rsa" ],
-        rsautl   => [ "pkeyutl",   "3_0", "rsa" ],
+        rsautl   => [ "pkeyutl",   "3_0", "" ],
 #        dhparam  => [ "pkeyparam", "3_0", "dh"  ],
 #        dsaparam => [ "pkeyparam", "3_0", "dsa" ],
 #        dsa      => [ "pkey",      "3_0", "dsa" ],

apps/x509.c

@@ -1303,7 +1303,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names)
         BIO_printf(bio, "Invalid extension names: %s\n", ext_names);
         goto end;
     }
-    if ((names = OPENSSL_malloc(sizeof(char *) * nn)) == NULL)
+    if ((names = OPENSSL_malloc_array(nn, sizeof(char *))) == NULL)
         goto end;
     parse_ext_names(tmp_ext_names, names);
 

crypto/bio/bio_print.c

@@ -68,11 +68,12 @@ static int _dopr(char **sbuffer, char **buffer,
 #define DP_F_UNSIGNED   (1 << 6)
 
 /* conversion flags */
-#define DP_C_SHORT      1
-#define DP_C_LONG       2
-#define DP_C_LDOUBLE    3
-#define DP_C_LLONG      4
-#define DP_C_SIZE       5
+#define DP_C_CHAR       1
+#define DP_C_SHORT      2
+#define DP_C_LONG       3
+#define DP_C_LDOUBLE    4
+#define DP_C_LLONG      5
+#define DP_C_SIZE       6
 
 /* Floating point formats */
 #define F_FORMAT        0
@@ -182,7 +183,12 @@ _dopr(char **sbuffer,
         case DP_S_MOD:
             switch (ch) {
             case 'h':
-                cflags = DP_C_SHORT;
+                if (*format == 'h') {
+                    cflags = DP_C_CHAR;
+                    format++;
+                } else {
+                    cflags = DP_C_SHORT;
+                }
                 ch = *format++;
                 break;
             case 'l':
@@ -216,6 +222,9 @@ _dopr(char **sbuffer,
             case 'd':
             case 'i':
                 switch (cflags) {
+                case DP_C_CHAR:
+                    value = (char)va_arg(args, int);
+                    break;
                 case DP_C_SHORT:
                     value = (short int)va_arg(args, int);
                     break;
@@ -244,6 +253,9 @@ _dopr(char **sbuffer,
             case 'u':
                 flags |= DP_F_UNSIGNED;
                 switch (cflags) {
+                case DP_C_CHAR:
+                    value = (unsigned char)va_arg(args, unsigned int);
+                    break;
                 case DP_C_SHORT:
                     value = (unsigned short int)va_arg(args, unsigned int);
                     break;
@@ -461,7 +473,7 @@ fmtint(char **sbuffer,
         if (base == 8)
             prefix = "0";
         if (base == 16)
-            prefix = "0x";
+            prefix = flags & DP_F_UP ? "0X" : "0x";
     }
     if (flags & DP_F_UP)
         caps = 1;

crypto/bn/bn_conv.c

@@ -63,7 +63,7 @@ char *BN_bn2dec(const BIGNUM *a)
     num = (i / 10 + i / 1000 + 1) + 1;
     tbytes = num + 3;   /* negative and terminator and one spare? */
     bn_data_num = num / BN_DEC_NUM + 1;
-    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+    bn_data = OPENSSL_malloc_array(bn_data_num, sizeof(BN_ULONG));
     buf = OPENSSL_malloc(tbytes);
     if (buf == NULL || bn_data == NULL)
         goto err;

crypto/bn/bn_ctx.c

@@ -266,7 +266,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx)
             st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
         unsigned int *newitems;
 
-        if ((newitems = OPENSSL_malloc(sizeof(*newitems) * newsize)) == NULL)
+        if ((newitems = OPENSSL_malloc_array(newsize, sizeof(*newitems))) == NULL)
             return 0;
         if (st->depth)
             memcpy(newitems, st->indexes, sizeof(*newitems) * st->depth);

crypto/bn/bn_gf2m.c

@@ -474,7 +474,7 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     bn_check_top(b);
     bn_check_top(p);
 
-    arr = OPENSSL_malloc(sizeof(*arr) * max);
+    arr = OPENSSL_malloc_array(max, sizeof(*arr));
     if (arr == NULL)
         return 0;
     ret = BN_GF2m_poly2arr(p, arr, max);
@@ -534,7 +534,7 @@ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     bn_check_top(a);
     bn_check_top(p);
 
-    arr = OPENSSL_malloc(sizeof(*arr) * max);
+    arr = OPENSSL_malloc_array(max, sizeof(*arr));
     if (arr == NULL)
         return 0;
     ret = BN_GF2m_poly2arr(p, arr, max);
@@ -917,7 +917,7 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     bn_check_top(b);
     bn_check_top(p);
 
-    arr = OPENSSL_malloc(sizeof(*arr) * max);
+    arr = OPENSSL_malloc_array(max, sizeof(*arr));
     if (arr == NULL)
         return 0;
     ret = BN_GF2m_poly2arr(p, arr, max);
@@ -979,7 +979,7 @@ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     bn_check_top(a);
     bn_check_top(p);
 
-    arr = OPENSSL_malloc(sizeof(*arr) * max);
+    arr = OPENSSL_malloc_array(max, sizeof(*arr));
     if (arr == NULL)
         return 0;
     ret = BN_GF2m_poly2arr(p, arr, max);
@@ -1113,7 +1113,7 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     bn_check_top(a);
     bn_check_top(p);
 
-    arr = OPENSSL_malloc(sizeof(*arr) * max);
+    arr = OPENSSL_malloc_array(max, sizeof(*arr));
     if (arr == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);

crypto/bn/bn_lib.c

@@ -276,9 +276,9 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
         return NULL;
     }
     if (BN_get_flags(b, BN_FLG_SECURE))
-        a = OPENSSL_secure_zalloc(words * sizeof(*a));
+        a = OPENSSL_secure_calloc(words, sizeof(*a));
     else
-        a = OPENSSL_zalloc(words * sizeof(*a));
+        a = OPENSSL_calloc(words, sizeof(*a));
     if (ossl_unlikely(a == NULL))
         return NULL;
 

crypto/bn/bn_mod.c

@@ -63,7 +63,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
         return 0;
 
     if (mtop > OSSL_NELEM(storage)) {
-        tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG));
+        tp = OPENSSL_malloc_array(mtop, sizeof(BN_ULONG));
         if (tp == NULL)
             return 0;
     }

crypto/bn/bn_prime.c

@@ -144,7 +144,7 @@ int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe,
         return 0;
     }
 
-    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
+    mods = OPENSSL_calloc(NUMPRIMES, sizeof(*mods));
     if (mods == NULL)
         return 0;
 

crypto/bn/bn_s390x.c

@@ -31,7 +31,7 @@ static int s390x_mod_exp_hw(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     if (OPENSSL_s390xcex == -1 || OPENSSL_s390xcex_nodev)
         return 0;
     size = BN_num_bytes(m);
-    buffer = OPENSSL_zalloc(4 * size);
+    buffer = OPENSSL_calloc(size, 4);
     if (buffer == NULL)
         return 0;
     me.inputdata = buffer;

crypto/cms/build.info

@@ -2,4 +2,4 @@ LIBS=../../libcrypto
 SOURCE[../../libcrypto]= \
         cms_lib.c cms_asn1.c cms_att.c cms_io.c cms_smime.c cms_err.c \
         cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c \
-        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c
+        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c cms_kem.c cms_kemri.c

crypto/cms/cms_asn1.c

@@ -201,10 +201,52 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = {
         ASN1_SIMPLE(CMS_PasswordRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(CMS_PasswordRecipientInfo)
 
+static int cms_kemri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                        void *exarg)
+{
+    CMS_KEMRecipientInfo *kemri = (CMS_KEMRecipientInfo *)*pval;
+
+    if (operation == ASN1_OP_NEW_POST) {
+        kemri->ctx = EVP_CIPHER_CTX_new();
+        if (kemri->ctx == NULL)
+            return 0;
+        EVP_CIPHER_CTX_set_flags(kemri->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+        kemri->pctx = NULL;
+    } else if (operation == ASN1_OP_FREE_POST) {
+        EVP_PKEY_CTX_free(kemri->pctx);
+        EVP_CIPHER_CTX_free(kemri->ctx);
+        ASN1_OCTET_STRING_free(kemri->ukm);
+    }
+    return 1;
+}
+
+ASN1_SEQUENCE_cb(CMS_KEMRecipientInfo, cms_kemri_cb) = {
+        ASN1_EMBED(CMS_KEMRecipientInfo, version, INT32),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, rid, CMS_SignerIdentifier),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kem, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kemct, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kdf, X509_ALGOR),
+        ASN1_EMBED(CMS_KEMRecipientInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_KEMRecipientInfo, ukm, ASN1_OCTET_STRING, 0),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, wrap, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(CMS_KEMRecipientInfo, CMS_KEMRecipientInfo)
+
+ASN1_ADB_TEMPLATE(ori_def) = ASN1_SIMPLE(CMS_OtherRecipientInfo, d.other, ASN1_ANY);
+
+ASN1_ADB(CMS_OtherRecipientInfo) = {
+        ADB_ENTRY(NID_id_smime_ori_kem, ASN1_SIMPLE(CMS_OtherRecipientInfo, d.kemri,
+                  CMS_KEMRecipientInfo))
+} ASN1_ADB_END(CMS_OtherRecipientInfo, 0, oriType, 0, &ori_def_tt, NULL);
+
+DECLARE_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
+
 ASN1_SEQUENCE(CMS_OtherRecipientInfo) = {
   ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT),
-  ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY)
-} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+  ASN1_ADB_OBJECT(CMS_OtherRecipientInfo)
+} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+
+IMPLEMENT_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
 
 /* Free up RecipientInfo additional data */
 static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -224,6 +266,23 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
             OPENSSL_clear_free(pwri->pass, pwri->passlen);
         }
+    } else if (operation == ASN1_OP_D2I_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
+        if (ri->type == CMS_RECIPINFO_OTHER) {
+            int nid;
+
+            nid = OBJ_obj2nid(ri->d.ori->oriType);
+            /* For ORI, map NID to specific type */
+            if (nid == NID_id_smime_ori_kem)
+                ri->type = CMS_RECIPINFO_KEM;
+            /* Otherwise stay with generic CMS_RECIPINFO_OTHER type */
+        }
+    } else if (operation == ASN1_OP_NEW_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
     }
     return 1;
 }
@@ -234,7 +293,7 @@ ASN1_CHOICE_cb(CMS_RecipientInfo, cms_ri_cb) = {
         ASN1_IMP(CMS_RecipientInfo, d.kekri, CMS_KEKRecipientInfo, 2),
         ASN1_IMP(CMS_RecipientInfo, d.pwri, CMS_PasswordRecipientInfo, 3),
         ASN1_IMP(CMS_RecipientInfo, d.ori, CMS_OtherRecipientInfo, 4)
-} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, type)
+} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, encoded_type)
 
 ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = {
         ASN1_EMBED(CMS_EnvelopedData, version, INT32),
@@ -430,3 +489,33 @@ int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
     intsi.pecsi = &ecsi;
     return ASN1_item_i2d(intsi.a, pder, ASN1_ITEM_rptr(CMS_SharedInfo));
 }
+
+/*
+ * Utilities to encode the CMS_CMSORIforKEMOtherInfo structure used during key
+ * derivation.
+ */
+
+typedef struct {
+    X509_ALGOR *wrap;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+} CMS_CMSORIforKEMOtherInfo;
+
+ASN1_SEQUENCE(CMS_CMSORIforKEMOtherInfo) = {
+        ASN1_SIMPLE(CMS_CMSORIforKEMOtherInfo, wrap, X509_ALGOR),
+        ASN1_EMBED(CMS_CMSORIforKEMOtherInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_CMSORIforKEMOtherInfo, ukm, ASN1_OCTET_STRING, 0),
+} static_ASN1_SEQUENCE_END(CMS_CMSORIforKEMOtherInfo)
+
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen)
+{
+    CMS_CMSORIforKEMOtherInfo kem_otherinfo;
+
+    kem_otherinfo.wrap = wrap;
+    kem_otherinfo.kekLength = keylen;
+    kem_otherinfo.ukm = ukm;
+
+    return ASN1_item_i2d((ASN1_VALUE *)&kem_otherinfo, pder,
+                         ASN1_ITEM_rptr(CMS_CMSORIforKEMOtherInfo));
+}

crypto/cms/cms_env.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Low level key APIs (DH etc) are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -14,6 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/cms.h>
 #include <openssl/evp.h>
+#include <openssl/core_names.h>
 #include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
@@ -111,9 +118,12 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
 {
     EVP_PKEY *pkey;
     int i;
-    if (ri->type == CMS_RECIPINFO_TRANS)
+
+    switch (ri->type) {
+    case CMS_RECIPINFO_TRANS:
         pkey = ri->d.ktri->pkey;
-    else if (ri->type == CMS_RECIPINFO_AGREE) {
+        break;
+    case CMS_RECIPINFO_AGREE: {
         EVP_PKEY_CTX *pctx = ri->d.kari->pctx;
 
         if (pctx == NULL)
@@ -121,8 +131,13 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
         pkey = EVP_PKEY_CTX_get0_pkey(pctx);
         if (pkey == NULL)
             return 0;
-    } else
+        break;
+    }
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_kem_envelope(ri, cmd);
+    default:
         return 0;
+    }
 
     if (EVP_PKEY_is_a(pkey, "DHX") || EVP_PKEY_is_a(pkey, "DH"))
         return ossl_cms_dh_envelope(ri, cmd);
@@ -202,6 +217,9 @@ void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
             case CMS_RECIPINFO_PASS:
                 ri->d.pwri->cms_ctx = ctx;
                 break;
+            case CMS_RECIPINFO_KEM:
+                ri->d.ori->d.kemri->cms_ctx = ctx;
+                break;
             default:
                 break;
             }
@@ -220,6 +238,8 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri)
         return ri->d.ktri->pctx;
     else if (ri->type == CMS_RECIPINFO_AGREE)
         return ri->d.kari->pctx;
+    else if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->pctx;
     return NULL;
 }
 
@@ -336,7 +356,7 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
     ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
     if (!ri->d.ktri)
         return 0;
-    ri->type = CMS_RECIPINFO_TRANS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_TRANS;
 
     ktri = ri->d.ktri;
     ktri->cms_ctx = ctx;
@@ -423,6 +443,11 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
             goto err;
         break;
 
+    case CMS_RECIPINFO_KEM:
+        if (!ossl_cms_RecipientInfo_kemri_init(ri, recip, pk, flags, ctx))
+            goto err;
+        break;
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
         goto err;
@@ -750,7 +775,7 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_KEK;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_KEK;
 
     kekri = ri->d.kekri;
 
@@ -1025,6 +1050,9 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 0);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_decrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
         return 0;
@@ -1046,6 +1074,9 @@ int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 1);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_encrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
         return 0;
@@ -1100,7 +1131,8 @@ static void cms_env_set_version(CMS_EnvelopedData *env)
 
     for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) {
         ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i);
-        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) {
+        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER
+            || ri->type == CMS_RECIPINFO_KEM) {
             env->version = 3;
             return;
         } else if (ri->type != CMS_RECIPINFO_TRANS
@@ -1337,6 +1369,18 @@ err:
  */
 int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
 {
+    int ri_type;
+    EVP_PKEY_CTX *ctx = NULL;
+
+    /*
+     * First check the provider for RecipientInfo support since a key may support
+     * multiple types, e.g. an RSA key and provider may support RSA key transport
+     * and/or RSA-KEM.
+     */
+    if (evp_pkey_is_provided(pk)
+        && EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_CMS_RI_TYPE, &ri_type))
+        return ri_type;
+
     /* Check types that we know about */
     if (EVP_PKEY_is_a(pk, "DH"))
         return CMS_RECIPINFO_AGREE;
@@ -1350,7 +1394,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         return CMS_RECIPINFO_TRANS;
 
     /*
-     * Otherwise this might ben an engine implementation, so see if we can get
+     * Otherwise this might be an engine implementation, so see if we can get
      * the type from the ameth.
      */
     if (pk->ameth && pk->ameth->pkey_ctrl) {
@@ -1359,7 +1403,25 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         if (i > 0)
             return r;
     }
-    return CMS_RECIPINFO_TRANS;
+
+    /*
+     * Otherwise try very hard to figure out what RecipientInfo the key supports.
+     */
+    ri_type = CMS_RECIPINFO_TRANS;
+    ctx = EVP_PKEY_CTX_new(pk, NULL);
+    if (ctx != NULL) {
+        ERR_set_mark();
+        if (EVP_PKEY_encrypt_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_TRANS;
+        else if (EVP_PKEY_derive_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_AGREE;
+        else if (EVP_PKEY_encapsulate_init(ctx, NULL) > 0)
+            ri_type = CMS_RECIPINFO_KEM;
+        ERR_pop_to_mark();
+    }
+    EVP_PKEY_CTX_free(ctx);
+
+    return ri_type;
 }
 
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
@@ -1381,3 +1443,79 @@ int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
 
     return (supportedRiType == ri_type);
 }
+
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri,
+                                     const EVP_CIPHER *cipher)
+{
+    const CMS_CTX *cms_ctx;
+    EVP_CIPHER_CTX *ctx;
+    const EVP_CIPHER *kekcipher;
+    EVP_CIPHER *fetched_kekcipher;
+    const char *kekcipher_name;
+    int keylen;
+    int ret;
+
+    if (ri->type == CMS_RECIPINFO_AGREE) {
+        cms_ctx = ri->d.kari->cms_ctx;
+        ctx = ri->d.kari->ctx;
+    } else if (ri->type == CMS_RECIPINFO_KEM) {
+        cms_ctx = ri->d.ori->d.kemri->cms_ctx;
+        ctx = ri->d.ori->d.kemri->ctx;
+    } else {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
+        return 0;
+    }
+
+    /* If a suitable wrap algorithm is already set nothing to do */
+    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
+    if (kekcipher != NULL) {
+        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
+            return 0;
+        return 1;
+    }
+    if (cipher == NULL)
+        return 0;
+    keylen = EVP_CIPHER_get_key_length(cipher);
+    if (keylen <= 0) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        return 0;
+    }
+    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
+        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
+                                               0, &kekcipher);
+        if (ret <= 0)
+            return 0;
+
+        if (kekcipher != NULL) {
+            if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+                return 0;
+            kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
+            goto enc;
+        }
+    }
+
+    /*
+     * Pick a cipher based on content encryption cipher. If it is DES3 use
+     * DES3 wrap otherwise use AES wrap similar to key size.
+     */
+#ifndef OPENSSL_NO_DES
+    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
+        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
+    else
+#endif
+    if (keylen <= 16)
+        kekcipher_name = SN_id_aes128_wrap;
+    else if (keylen <= 24)
+        kekcipher_name = SN_id_aes192_wrap;
+    else
+        kekcipher_name = SN_id_aes256_wrap;
+enc:
+    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
+                                         kekcipher_name,
+                                         ossl_cms_ctx_get0_propq(cms_ctx));
+    if (fetched_kekcipher == NULL)
+        return 0;
+    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
+    EVP_CIPHER_free(fetched_kekcipher);
+    return ret;
+}

crypto/cms/cms_err.c

@@ -88,6 +88,7 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "not a signed receipt"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEM), "not kem"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_TRANSPORT), "not key transport"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"},
@@ -140,6 +141,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM),
      "unknown digest algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_KDF_ALGORITHM),
+     "unknown kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
      "unsupported compression algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM),
@@ -148,6 +151,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "unsupported content type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE),
      "unsupported encryption type"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KDF_ALGORITHM),
+     "unsupported kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM),
      "unsupported kek algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM),

crypto/cms/cms_kari.c

@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * Low level key APIs (DH etc) are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -349,7 +343,7 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
     if (ri->d.kari == NULL)
         return 0;
-    ri->type = CMS_RECIPINFO_AGREE;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_AGREE;
 
     kari = ri->d.kari;
     kari->version = 3;
@@ -412,67 +406,6 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     return 1;
 }
 
-static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
-                         const EVP_CIPHER *cipher)
-{
-    const CMS_CTX *cms_ctx = kari->cms_ctx;
-    EVP_CIPHER_CTX *ctx = kari->ctx;
-    const EVP_CIPHER *kekcipher;
-    EVP_CIPHER *fetched_kekcipher;
-    const char *kekcipher_name;
-    int keylen;
-    int ret;
-
-    /* If a suitable wrap algorithm is already set nothing to do */
-    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
-    if (kekcipher != NULL) {
-        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
-            return 0;
-        return 1;
-    }
-    if (cipher == NULL)
-        return 0;
-    keylen = EVP_CIPHER_get_key_length(cipher);
-    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
-        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
-                                               0, &kekcipher);
-        if (ret <= 0)
-             return 0;
-
-        if (kekcipher != NULL) {
-             if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
-                 return 0;
-             kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
-             goto enc;
-        }
-    }
-
-    /*
-     * Pick a cipher based on content encryption cipher. If it is DES3 use
-     * DES3 wrap otherwise use AES wrap similar to key size.
-     */
-#ifndef OPENSSL_NO_DES
-    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
-        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
-    else
-#endif
-    if (keylen <= 16)
-        kekcipher_name = SN_id_aes128_wrap;
-    else if (keylen <= 24)
-        kekcipher_name = SN_id_aes192_wrap;
-    else
-        kekcipher_name = SN_id_aes256_wrap;
-enc:
-    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
-                                         kekcipher_name,
-                                         ossl_cms_ctx_get0_propq(cms_ctx));
-    if (fetched_kekcipher == NULL)
-        return 0;
-    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
-    EVP_CIPHER_free(fetched_kekcipher);
-    return ret;
-}
-
 /* Encrypt content key in key agreement recipient info */
 
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
@@ -492,7 +425,7 @@ int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
     reks = kari->recipientEncryptedKeys;
     ec = ossl_cms_get0_env_enc_content(cms);
     /* Initialise wrap algorithm parameters */
-    if (!cms_wrap_init(kari, ec->cipher))
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
         return 0;
     /*
      * If no originator key set up initialise for ephemeral key the public key

crypto/cms/cms_kem.c

@@ -0,0 +1,163 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <assert.h>
+#include <limits.h>
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/err.h>
+#include <openssl/decoder.h>
+#include "internal/sizes.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "cms_local.h"
+
+static int kem_cms_decrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    EVP_PKEY_CTX *pctx;
+    EVP_CIPHER_CTX *kekctx;
+    uint32_t cipher_length;
+    char name[OSSL_MAX_NAME_SIZE];
+    EVP_CIPHER *kekcipher = NULL;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+
+    OBJ_obj2txt(name, sizeof(name), wrap->algorithm, 0);
+    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
+    if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+        goto err;
+    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
+        goto err;
+    if (EVP_CIPHER_asn1_to_param(kekctx, wrap->parameter) <= 0)
+        goto err;
+
+    cipher_length = EVP_CIPHER_CTX_get_key_length(kekctx);
+    if (cipher_length != *kekLength) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    rv = 1;
+err:
+    EVP_CIPHER_free(kekcipher);
+    return rv;
+}
+
+static int kem_cms_encrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    X509_ALGOR *kdf;
+    EVP_PKEY_CTX *pctx;
+    EVP_PKEY *pkey;
+    int security_bits;
+    const ASN1_OBJECT *kdf_obj = NULL;
+    unsigned char kemri_x509_algor[OSSL_MAX_ALGORITHM_ID_SIZE];
+    OSSL_PARAM params[2];
+    X509_ALGOR *x509_algor = NULL;
+    EVP_CIPHER_CTX *kekctx;
+    int wrap_nid;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    kdf = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+    if (kdf == NULL)
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+    if (pkey == NULL)
+        goto err;
+
+    security_bits = EVP_PKEY_get_security_bits(pkey);
+    if (security_bits == 0)
+        goto err;
+
+    X509_ALGOR_get0(&kdf_obj, NULL, NULL, kdf);
+    if (kdf_obj == NULL || OBJ_obj2nid(kdf_obj) == NID_undef) {
+        /*
+         * If the KDF OID hasn't already been set, then query the provider
+         * for a default KDF.
+         */
+        params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM,
+                                                      kemri_x509_algor, sizeof(kemri_x509_algor));
+        params[1] = OSSL_PARAM_construct_end();
+        if (!EVP_PKEY_get_params(pkey, params))
+            goto err;
+        if (OSSL_PARAM_modified(&params[0])) {
+            const unsigned char *p = kemri_x509_algor;
+
+            x509_algor = d2i_X509_ALGOR(NULL, &p, (long)params[0].return_size);
+            if (x509_algor == NULL)
+                goto err;
+            if (!X509_ALGOR_copy(kdf, x509_algor))
+                goto err;
+        } else {
+            if (!X509_ALGOR_set0(kdf, OBJ_nid2obj(NID_HKDF_SHA256), V_ASN1_UNDEF, NULL))
+                return 0;
+        }
+    }
+
+    /* Get wrap NID */
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+    *kekLength = EVP_CIPHER_CTX_get_key_length(kekctx);
+    wrap_nid = EVP_CIPHER_CTX_get_type(kekctx);
+
+    /* Package wrap algorithm in an AlgorithmIdentifier */
+    ASN1_OBJECT_free(wrap->algorithm);
+    ASN1_TYPE_free(wrap->parameter);
+    wrap->algorithm = OBJ_nid2obj(wrap_nid);
+    wrap->parameter = ASN1_TYPE_new();
+    if (wrap->parameter == NULL)
+        goto err;
+    if (EVP_CIPHER_param_to_asn1(kekctx, wrap->parameter) <= 0)
+        goto err;
+    if (ASN1_TYPE_get(wrap->parameter) == NID_undef) {
+        ASN1_TYPE_free(wrap->parameter);
+        wrap->parameter = NULL;
+    }
+
+    rv = 1;
+err:
+    X509_ALGOR_free(x509_algor);
+    return rv;
+}
+
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt)
+{
+    assert(decrypt == 0 || decrypt == 1);
+
+    if (decrypt == 1)
+        return kem_cms_decrypt(ri);
+
+    if (decrypt == 0)
+        return kem_cms_encrypt(ri);
+
+    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+    return 0;
+}

crypto/cms/cms_kemri.c

@@ -0,0 +1,409 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/x509.h>
+#include "cms_local.h"
+#include "crypto/evp.h"
+#include "internal/sizes.h"
+
+/* KEM Recipient Info (KEMRI) routines */
+
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+    if (pkekLength)
+        *pkekLength = &ri->d.ori->d.kemri->kekLength;
+    if (pwrap)
+        *pwrap = ri->d.ori->d.kemri->wrap;
+    return 1;
+}
+
+int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return -2;
+    }
+    return ossl_cms_SignerIdentifier_cert_cmp(ri->d.ori->d.kemri->rid, cert);
+}
+
+int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+{
+    EVP_PKEY_CTX *pctx = NULL;
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+
+    if (pk != NULL) {
+        pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), pk,
+                                          ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+        if (pctx == NULL || EVP_PKEY_decapsulate_init(pctx, NULL) <= 0)
+            goto err;
+
+        kemri->pctx = pctx;
+    }
+
+    return 1;
+err:
+    EVP_PKEY_CTX_free(pctx);
+    return 0;
+}
+
+/* Initialise a kemri based on passed certificate and key */
+
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx)
+{
+    CMS_OtherRecipientInfo *ori;
+    CMS_KEMRecipientInfo *kemri;
+    int idtype;
+    X509_PUBKEY *x_pubkey;
+    X509_ALGOR *x_alg;
+
+    ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
+    if (ri->d.ori == NULL)
+        return 0;
+    ri->encoded_type = CMS_RECIPINFO_OTHER;
+    ri->type = CMS_RECIPINFO_KEM;
+
+    ori = ri->d.ori;
+    ori->oriType = OBJ_nid2obj(NID_id_smime_ori_kem);
+    if (ori->oriType == NULL)
+        return 0;
+    ori->d.kemri = M_ASN1_new_of(CMS_KEMRecipientInfo);
+    if (ori->d.kemri == NULL)
+        return 0;
+
+    kemri = ori->d.kemri;
+    kemri->version = 0;
+    kemri->cms_ctx = ctx;
+
+    /*
+     * Not a typo: RecipientIdentifier and SignerIdentifier are the same
+     * structure.
+     */
+
+    idtype = (flags & CMS_USE_KEYID) ? CMS_RECIPINFO_KEYIDENTIFIER : CMS_RECIPINFO_ISSUER_SERIAL;
+    if (!ossl_cms_set1_SignerIdentifier(kemri->rid, recip, idtype, ctx))
+        return 0;
+
+    x_pubkey = X509_get_X509_PUBKEY(recip);
+    if (x_pubkey == NULL)
+        return 0;
+    if (!X509_PUBKEY_get0_param(NULL, NULL, NULL, &x_alg, x_pubkey))
+        return 0;
+    if (!X509_ALGOR_copy(kemri->kem, x_alg))
+        return 0;
+
+    kemri->pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx),
+                                             recipPubKey,
+                                             ossl_cms_ctx_get0_propq(ctx));
+    if (kemri->pctx == NULL)
+        return 0;
+    if (EVP_PKEY_encapsulate_init(kemri->pctx, NULL) <= 0)
+        return 0;
+
+    return 1;
+}
+
+EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->ctx;
+    return NULL;
+}
+
+X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->kdf;
+    return NULL;
+}
+
+int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                    const unsigned char *ukm,
+                                    int ukmLength)
+{
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    if (ukm == NULL && ukmLength != 0) {
+        ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ASN1_OCTET_STRING_free(kemri->ukm);
+    kemri->ukm = ASN1_OCTET_STRING_new();
+    if (kemri->ukm == NULL)
+        return 0;
+    ASN1_OCTET_STRING_set(kemri->ukm, ukm, ukmLength);
+    return 1;
+}
+
+static EVP_KDF_CTX *create_kdf_ctx(CMS_KEMRecipientInfo *kemri)
+{
+    const ASN1_OBJECT *kdf_oid;
+    int ptype;
+    char kdf_alg[OSSL_MAX_NAME_SIZE];
+    EVP_KDF *kdf = NULL;
+    EVP_KDF_CTX *kctx = NULL;
+
+    /*
+     * KDFs with algorithm identifier parameters are not supported yet. To
+     * support this, EVP_KDF_CTX_set_algor_params from
+     * `doc/designs/passing-algorithmidentifier-parameters.md` needs to be
+     * implemented.
+     */
+    X509_ALGOR_get0(&kdf_oid, &ptype, NULL, kemri->kdf);
+    if (ptype != V_ASN1_UNDEF && ptype != V_ASN1_NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM);
+        goto err;
+    }
+    if (OBJ_obj2txt(kdf_alg, sizeof(kdf_alg), kdf_oid, 1) < 0)
+        goto err;
+
+    kdf = EVP_KDF_fetch(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), kdf_alg,
+                        ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+    if (kdf == NULL)
+        goto err;
+
+    kctx = EVP_KDF_CTX_new(kdf);
+err:
+    EVP_KDF_free(kdf);
+    return kctx;
+}
+
+static int kdf_derive(unsigned char *kek, size_t keklen,
+                      const unsigned char *ss, size_t sslen,
+                      CMS_KEMRecipientInfo *kemri)
+{
+    EVP_KDF_CTX *kctx = NULL;
+    OSSL_PARAM params[3];
+    unsigned char *infoder = NULL;
+    int infolen = 0;
+    int rv = 0;
+
+    infolen = CMS_CMSORIforKEMOtherInfo_encode(&infoder, kemri->wrap, kemri->ukm,
+                                               kemri->kekLength);
+    if (infolen <= 0)
+        goto err;
+
+    kctx = create_kdf_ctx(kemri);
+    if (kctx == NULL)
+        goto err;
+
+    params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+                                                  (unsigned char *)ss, sslen);
+    params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
+                                                  (char *)infoder, infolen);
+    params[2] = OSSL_PARAM_construct_end();
+
+    if (EVP_KDF_derive(kctx, kek, keklen, params) <= 0)
+        goto err;
+
+    rv = 1;
+err:
+    OPENSSL_free(infoder);
+    EVP_KDF_CTX_free(kctx);
+
+    return rv;
+}
+
+/*
+ * Derive KEK and decrypt/encrypt with it to produce either the original CEK
+ * or the encrypted CEK.
+ */
+
+static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
+                          const unsigned char *ss, size_t sslen,
+                          const unsigned char *in, size_t inlen,
+                          CMS_KEMRecipientInfo *kemri, int enc)
+{
+    /* Key encryption key */
+    unsigned char kek[EVP_MAX_KEY_LENGTH];
+    size_t keklen = kemri->kekLength;
+    unsigned char *out = NULL;
+    int outlen = 0;
+    int rv = 0;
+
+    if (keklen > sizeof(kek)) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    if (!kdf_derive(kek, keklen, ss, sslen, kemri))
+        goto err;
+
+    /* Set KEK in context */
+    if (!EVP_CipherInit_ex(kemri->ctx, NULL, NULL, kek, NULL, enc))
+        goto err;
+    /* obtain output length of ciphered key */
+    if (!EVP_CipherUpdate(kemri->ctx, NULL, &outlen, in, (int)inlen))
+        goto err;
+    out = OPENSSL_malloc(outlen);
+    if (out == NULL)
+        goto err;
+    if (!EVP_CipherUpdate(kemri->ctx, out, &outlen, in, (int)inlen))
+        goto err;
+    *pout = out;
+    out = NULL;
+    *poutlen = (size_t)outlen;
+
+    rv = 1;
+err:
+    OPENSSL_free(out);
+    OPENSSL_cleanse(kek, keklen);
+    EVP_CIPHER_CTX_reset(kemri->ctx);
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+    return rv;
+}
+
+/* Encrypt content key in KEM recipient info */
+
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey;
+    size_t enckeylen;
+    int rv = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+    /* Initialise wrap algorithm parameters */
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
+        return 0;
+
+    /* Initialise KDF algorithm */
+    if (!ossl_cms_env_asn1_ctrl(ri, 0))
+        return 0;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, NULL, &kem_ct_len, NULL, &kem_secret_len) <= 0)
+        return 0;
+    kem_ct = OPENSSL_malloc(kem_ct_len);
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_ct == NULL || kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, kem_ct, &kem_ct_len, kem_secret, &kem_secret_len) <= 0)
+        goto err;
+
+    ASN1_STRING_set0(kemri->kemct, kem_ct, (int)kem_ct_len);
+    kem_ct = NULL;
+
+    if (!cms_kek_cipher(&enckey, &enckeylen, kem_secret, kem_secret_len, ec->key, ec->keylen,
+                        kemri, 1))
+        goto err;
+    ASN1_STRING_set0(kemri->encryptedKey, enckey, (int)enckeylen);
+
+    rv = 1;
+err:
+    OPENSSL_free(kem_ct);
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return rv;
+}
+
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    const unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey = NULL;
+    size_t enckeylen;
+    unsigned char *cek = NULL;
+    size_t ceklen;
+    int ret = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+
+    if (kemri->pctx == NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NO_PRIVATE_KEY);
+        return 0;
+    }
+
+    /* Setup all parameters to derive KEK */
+    if (!ossl_cms_env_asn1_ctrl(ri, 1))
+        goto err;
+
+    kem_ct = ASN1_STRING_get0_data(kemri->kemct);
+    kem_ct_len = ASN1_STRING_length(kemri->kemct);
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, NULL, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        return 0;
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, kem_secret, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        goto err;
+
+    /* Attempt to decrypt CEK */
+    enckeylen = kemri->encryptedKey->length;
+    enckey = kemri->encryptedKey->data;
+    if (!cms_kek_cipher(&cek, &ceklen, kem_secret, kem_secret_len, enckey, enckeylen, kemri, 0))
+        goto err;
+    ec = ossl_cms_get0_env_enc_content(cms);
+    OPENSSL_clear_free(ec->key, ec->keylen);
+    ec->key = cek;
+    ec->keylen = ceklen;
+
+    ret = 1;
+err:
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return ret;
+}

crypto/cms/cms_local.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@ typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
+typedef struct CMS_KEMRecipientInfo_st CMS_KEMRecipientInfo;
 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
 typedef struct CMS_CTX_st CMS_CTX;
 
@@ -142,7 +143,11 @@ struct CMS_EncryptedContentInfo_st {
 };
 
 struct CMS_RecipientInfo_st {
-    int type;
+    /*
+     * Type which the RecipientInfo is encoded with. OtherRecipientInfo
+     * encompasses different types, specified by 'type' below.
+     */
+    int encoded_type;
     union {
         CMS_KeyTransRecipientInfo *ktri;
         CMS_KeyAgreeRecipientInfo *kari;
@@ -150,6 +155,8 @@ struct CMS_RecipientInfo_st {
         CMS_PasswordRecipientInfo *pwri;
         CMS_OtherRecipientInfo *ori;
     } d;
+    /* internal type, including ORI types */
+    int type;
 };
 
 typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
@@ -245,7 +252,29 @@ struct CMS_PasswordRecipientInfo_st {
 
 struct CMS_OtherRecipientInfo_st {
     ASN1_OBJECT *oriType;
-    ASN1_TYPE *oriValue;
+    union {
+        /* NID_id_smime_ori_kem */
+        CMS_KEMRecipientInfo *kemri;
+        /* anything else */
+        ASN1_TYPE *other;
+    } d;
+};
+
+struct CMS_KEMRecipientInfo_st {
+    int32_t version;
+    CMS_RecipientIdentifier *rid;
+    X509_ALGOR *kem;
+    ASN1_OCTET_STRING *kemct;
+    X509_ALGOR *kdf;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+    X509_ALGOR *wrap;
+    ASN1_OCTET_STRING *encryptedKey;
+    /* Public key context associated with current operation */
+    EVP_PKEY_CTX *pctx;
+    /* Cipher context for CEK wrapping */
+    EVP_CIPHER_CTX *ctx;
+    const CMS_CTX *cms_ctx;
 };
 
 struct CMS_DigestedData_st {
@@ -460,6 +489,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk);
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
 
 void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri, const EVP_CIPHER *cipher);
 
 /* KARI routines */
 int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
@@ -470,6 +500,20 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
                                         CMS_RecipientInfo *ri);
 
+/* KEMRI routines */
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap);
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx);
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen);
+
 /* PWRI routines */
 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
                                       CMS_RecipientInfo *ri, int en_de);
@@ -486,6 +530,7 @@ int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify);
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt);
 
 int ossl_cms_get1_certs_ex(CMS_ContentInfo *cms, STACK_OF(X509) **certs);
 int ossl_cms_get1_crls_ex(CMS_ContentInfo *cms, STACK_OF(X509_CRL) **crls);
@@ -496,10 +541,12 @@ DECLARE_ASN1_ITEM(CMS_EncryptedData)
 DECLARE_ASN1_ITEM(CMS_EnvelopedData)
 DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData)
 DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
+DECLARE_ASN1_ITEM(CMS_KEMRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
 DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
+DECLARE_ASN1_ITEM(CMS_OtherRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_Receipt)
 DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)

crypto/cms/cms_pwri.c

@@ -138,7 +138,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_PASS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_PASS;
 
     pwri = ri->d.pwri;
     pwri->cms_ctx = cms_ctx;

crypto/cms/cms_smime.c

@@ -357,7 +357,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
     if ((flags & CMS_NO_SIGNER_CERT_VERIFY) == 0 || cadesVerify) {
         if (cadesVerify) {
             /* Certificate trust chain is required to check CAdES signature */
-            si_chains = OPENSSL_zalloc(scount * sizeof(si_chains[0]));
+            si_chains = OPENSSL_calloc(scount, sizeof(si_chains[0]));
             if (si_chains == NULL)
                 goto err;
         }
@@ -750,6 +750,14 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
                 return 1;
             if (r < 0)
                 return 0;
+        } else if (ri_type == CMS_RECIPINFO_KEM) {
+            if (cert == NULL || !CMS_RecipientInfo_kemri_cert_cmp(ri, cert)) {
+                CMS_RecipientInfo_kemri_set0_pkey(ri, pk);
+                r = CMS_RecipientInfo_decrypt(cms, ri);
+                CMS_RecipientInfo_kemri_set0_pkey(ri, NULL);
+                if (cert != NULL || r > 0)
+                    return r;
+            }
         }
         /* If we have a cert, try matching RecipientInfo, else try them all */
         else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {

crypto/comp/c_zlib.c

@@ -40,7 +40,7 @@ static void *zlib_zalloc(void *opaque, unsigned int no, unsigned int size)
 {
     void *p;
 
-    p = OPENSSL_zalloc(no * size);
+    p = OPENSSL_calloc(no, size);
     return p;
 }
 

crypto/conf/conf_ssl.c

@@ -78,7 +78,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
     }
     cnt = sk_CONF_VALUE_num(cmd_lists);
     ssl_module_free(md);
-    ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+    ssl_names = OPENSSL_calloc(cnt, sizeof(*ssl_names));
     if (ssl_names == NULL)
         goto err;
     ssl_names_count = cnt;
@@ -101,7 +101,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
         if (ssl_name->name == NULL)
             goto err;
         cnt = sk_CONF_VALUE_num(cmds);
-        ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st));
+        ssl_name->cmds = OPENSSL_calloc(cnt, sizeof(struct ssl_conf_cmd_st));
         if (ssl_name->cmds == NULL)
             goto err;
         ssl_name->cmd_count = cnt;

crypto/ec/ec_curve.c

@@ -3406,7 +3406,7 @@ int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
         param_len = len;
 
     /* Allocate space to store the padded data for (p, a, b, x, y, order)  */
-    param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+    param_bytes = OPENSSL_malloc_array(NUM_BN_FIELDS, param_len);
     if (param_bytes == NULL)
         goto end;
 

crypto/ec/ec_mult.c

@@ -504,11 +504,11 @@ int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 
     totalnum = num + numblocks;
 
-    wsize = OPENSSL_malloc(totalnum * sizeof(wsize[0]));
-    wNAF_len = OPENSSL_malloc(totalnum * sizeof(wNAF_len[0]));
+    wsize = OPENSSL_malloc_array(totalnum, sizeof(wsize[0]));
+    wNAF_len = OPENSSL_malloc_array(totalnum, sizeof(wNAF_len[0]));
     /* include space for pivot */
-    wNAF = OPENSSL_malloc((totalnum + 1) * sizeof(wNAF[0]));
-    val_sub = OPENSSL_malloc(totalnum * sizeof(val_sub[0]));
+    wNAF = OPENSSL_malloc_array(totalnum + 1, sizeof(wNAF[0]));
+    val_sub = OPENSSL_malloc_array(totalnum, sizeof(val_sub[0]));
 
     /* Ensure wNAF is initialised in case we end up going to err */
     if (wNAF != NULL)
@@ -651,7 +651,7 @@ int ossl_ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
      * 'val_sub[i]' is a pointer to the subarray for the i-th point, or to a
      * subarray of 'pre_comp->points' if we already have precomputation.
      */
-    val = OPENSSL_malloc((num_val + 1) * sizeof(val[0]));
+    val = OPENSSL_malloc_array(num_val + 1, sizeof(val[0]));
     if (val == NULL)
         goto err;
     val[num_val] = NULL;        /* pivot element */
@@ -883,7 +883,7 @@ int ossl_ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
     num = pre_points_per_block * numblocks; /* number of points to compute
                                              * and store */
 
-    points = OPENSSL_malloc(sizeof(*points) * (num + 1));
+    points = OPENSSL_malloc_array(num + 1, sizeof(*points));
     if (points == NULL)
         goto err;
 

crypto/ec/ecp_nistp224.c

@@ -1475,11 +1475,11 @@ int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
              */
             mixed = 1;
         }
-        secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
+        secrets = OPENSSL_calloc(num_points, sizeof(*secrets));
+        pre_comp = OPENSSL_calloc(num_points, sizeof(*pre_comp));
         if (mixed)
             tmp_felems =
-                OPENSSL_malloc(sizeof(felem) * (num_points * 17 + 1));
+                OPENSSL_malloc_array(num_points * 17 + 1, sizeof(felem));
         if ((secrets == NULL) || (pre_comp == NULL)
             || (mixed && (tmp_felems == NULL)))
             goto err;

crypto/ec/ecp_nistp256.c

@@ -2088,11 +2088,11 @@ int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
              */
             mixed = 1;
         }
-        secrets = OPENSSL_malloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_malloc(sizeof(*pre_comp) * num_points);
+        secrets = OPENSSL_calloc(num_points, sizeof(*secrets));
+        pre_comp = OPENSSL_calloc(num_points, sizeof(*pre_comp));
         if (mixed)
-            tmp_smallfelems =
-              OPENSSL_malloc(sizeof(*tmp_smallfelems) * (num_points * 17 + 1));
+            tmp_smallfelems = OPENSSL_malloc_array(num_points * 17 + 1,
+                                                   sizeof(*tmp_smallfelems));
         if ((secrets == NULL) || (pre_comp == NULL)
             || (mixed && (tmp_smallfelems == NULL)))
             goto err;
@@ -2101,8 +2101,6 @@ int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
          * we treat NULL scalars as 0, and NULL points as points at infinity,
          * i.e., they contribute nothing to the linear combination
          */
-        memset(secrets, 0, sizeof(*secrets) * num_points);
-        memset(pre_comp, 0, sizeof(*pre_comp) * num_points);
         for (i = 0; i < num_points; ++i) {
             if (i == num) {
                 /*

crypto/ec/ecp_nistp384.c

@@ -1805,11 +1805,11 @@ int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r,
              */
             mixed = 1;
         }
-        secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
+        secrets = OPENSSL_calloc(num_points, sizeof(*secrets));
+        pre_comp = OPENSSL_calloc(num_points, sizeof(*pre_comp));
         if (mixed)
             tmp_felems =
-                OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1));
+                OPENSSL_malloc_array(num_points * 17 + 1, sizeof(*tmp_felems));
         if ((secrets == NULL) || (pre_comp == NULL)
             || (mixed && (tmp_felems == NULL)))
             goto err;

crypto/ec/ecp_nistp521.c

@@ -1978,11 +1978,11 @@ int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
              */
             mixed = 1;
         }
-        secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
+        secrets = OPENSSL_calloc(num_points, sizeof(*secrets));
+        pre_comp = OPENSSL_calloc(num_points, sizeof(*pre_comp));
         if (mixed)
             tmp_felems =
-                OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1));
+                OPENSSL_malloc_array(num_points * 17 + 1, sizeof(*tmp_felems));
         if ((secrets == NULL) || (pre_comp == NULL)
             || (mixed && (tmp_felems == NULL)))
             goto err;

crypto/ec/ecp_nistz256.c

@@ -625,9 +625,8 @@ __owur static int ecp_nistz256_windowed_mul(const EC_GROUP *group,
     if ((num * 16 + 6) > OPENSSL_MALLOC_MAX_NELEMS(P256_POINT)
         || (table_storage =
             OPENSSL_malloc((num * 16 + 5) * sizeof(P256_POINT) + 64)) == NULL
-        || (p_str =
-            OPENSSL_malloc(num * 33 * sizeof(unsigned char))) == NULL
-        || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL)
+        || (p_str = OPENSSL_malloc_array(num, 33)) == NULL
+        || (scalars = OPENSSL_malloc_array(num, sizeof(BIGNUM *))) == NULL)
         goto err;
 
     table = (void *)ALIGNPTR(table_storage, 64);
@@ -1109,11 +1108,11 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
          * Without a precomputed table for the generator, it has to be
          * handled like a normal point.
          */
-        new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *));
+        new_scalars = OPENSSL_malloc_array(num + 1, sizeof(BIGNUM *));
         if (new_scalars == NULL)
             goto err;
 
-        new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *));
+        new_points = OPENSSL_malloc_array(num + 1, sizeof(EC_POINT *));
         if (new_points == NULL)
             goto err;
 

crypto/ec/ecp_sm2p256.c

@@ -518,7 +518,7 @@ static int ecp_sm2p256_windowed_mul(const EC_GROUP *group,
     } t, p;
 
     if (num > OPENSSL_MALLOC_MAX_NELEMS(P256_POINT)
-        || (scalars = OPENSSL_malloc(num * sizeof(BIGNUM *))) == NULL) {
+        || (scalars = OPENSSL_malloc_array(num, sizeof(BIGNUM *))) == NULL) {
         ECerr(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
         goto err;
     }

crypto/ec/ecp_smpl.c

@@ -1227,7 +1227,7 @@ int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
     if (tmp_Z == NULL)
         goto err;
 
-    prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
+    prod_Z = OPENSSL_malloc_array(num, sizeof(prod_Z[0]));
     if (prod_Z == NULL)
         goto err;
     for (i = 0; i < num; i++) {

crypto/encode_decode/encoder_pkey.c

@@ -290,7 +290,7 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx,
         namemap = ossl_namemap_stored(libctx);
         end = sk_OPENSSL_CSTRING_num(encoder_data.names);
         if (end > 0) {
-            encoder_data.id_names = OPENSSL_malloc(end * sizeof(int));
+            encoder_data.id_names = OPENSSL_malloc_array(end, sizeof(int));
             if (encoder_data.id_names == NULL) {
                 sk_OPENSSL_CSTRING_free(keymgmt_data.names);
                 goto err;

crypto/err/openssl.txt

@@ -354,6 +354,7 @@ CMS_R_NEED_ONE_SIGNER:164:need one signer
 CMS_R_NOT_A_SIGNED_RECEIPT:165:not a signed receipt
 CMS_R_NOT_ENCRYPTED_DATA:122:not encrypted data
 CMS_R_NOT_KEK:123:not kek
+CMS_R_NOT_KEM:197:not kem
 CMS_R_NOT_KEY_AGREEMENT:181:not key agreement
 CMS_R_NOT_KEY_TRANSPORT:124:not key transport
 CMS_R_NOT_PWRI:177:not pwri
@@ -394,11 +395,13 @@ CMS_R_UNABLE_TO_FINALIZE_CONTEXT:147:unable to finalize context
 CMS_R_UNKNOWN_CIPHER:148:unknown cipher
 CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm
 CMS_R_UNKNOWN_ID:150:unknown id
+CMS_R_UNKNOWN_KDF_ALGORITHM:198:unknown kdf algorithm
 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm
 CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\
 	unsupported content encryption algorithm
 CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type
 CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type
+CMS_R_UNSUPPORTED_KDF_ALGORITHM:199:unsupported kdf algorithm
 CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm
 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
 	unsupported key encryption algorithm

crypto/evp/asymcipher.c

@@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s encrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s decrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
 
     return ret;
 

crypto/evp/keymgmt_meth.c

@@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,
         return NULL;
     }
 
+    ERR_set_mark();
     ret = keymgmt->gen(genctx, cb, cbarg);
-    if (ret == NULL)
+    if (ret == NULL && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE,
                        "%s key generation:%s", keymgmt->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 }
 

crypto/evp/m_sigver.c

@@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -474,10 +476,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -527,11 +531,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen,
                                      sigret == NULL ? 0 : *siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL && sigret != NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -638,11 +644,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
 
             if (sigret != NULL)
                 ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen,
                                          sigret == NULL ? 0 : *siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_sign:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {
@@ -693,10 +701,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -769,10 +779,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
             int ret;
 
             ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_verify:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {

crypto/ex_data.c

@@ -240,7 +240,7 @@ int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
         if (mx < (int)OSSL_NELEM(stack))
             storage = stack;
         else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
+            storage = OPENSSL_malloc_array(mx, sizeof(*storage));
         if (storage != NULL)
             for (i = 0; i < mx; i++)
                 storage[i] = sk_EX_CALLBACK_value(ip->meth, i);
@@ -302,7 +302,7 @@ int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
         if (mx < (int)OSSL_NELEM(stack))
             storage = stack;
         else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
+            storage = OPENSSL_malloc_array(mx, sizeof(*storage));
         if (storage != NULL)
             for (i = 0; i < mx; i++)
                 storage[i] = sk_EX_CALLBACK_value(ip->meth, i);
@@ -386,7 +386,7 @@ void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
         if (mx < (int)OSSL_NELEM(stack))
             storage = stack;
         else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
+            storage = OPENSSL_malloc_array(mx, sizeof(*storage));
         if (storage != NULL)
             for (i = 0; i < mx; i++) {
                 storage[i].excb = sk_EX_CALLBACK_value(ip->meth, i);

crypto/hashtable/hashtable.c

@@ -154,12 +154,13 @@ static struct ht_neighborhood_st *alloc_new_neighborhood_list(size_t len,
 {
     struct ht_neighborhood_st *ret;
 
-    ret = OPENSSL_aligned_alloc(sizeof(struct ht_neighborhood_st) * len,
-                                CACHE_LINE_BYTES, freeptr);
+    ret = OPENSSL_aligned_alloc_array(len, sizeof(struct ht_neighborhood_st),
+                                      CACHE_LINE_BYTES, freeptr);
 
     /* fall back to regular malloc */
     if (ret == NULL) {
-        ret = *freeptr = OPENSSL_malloc(sizeof(struct ht_neighborhood_st) * len);
+        ret = *freeptr =
+            OPENSSL_malloc_array(len, sizeof(struct ht_neighborhood_st));
         if (ret == NULL)
             return NULL;
     }

crypto/hmac/hmac_s390x.c

@@ -117,8 +117,8 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
         (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) {
         OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
         ctx->plat.s390x.size = 0;
-        ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size *
-                                             HMAC_S390X_BUF_NUM_BLOCKS);
+        ctx->plat.s390x.buf = OPENSSL_calloc(HMAC_S390X_BUF_NUM_BLOCKS,
+                                             ctx->plat.s390x.blk_size);
         if (ctx->plat.s390x.buf == NULL)
             return 0;
         ctx->plat.s390x.size = ctx->plat.s390x.blk_size *

crypto/lhash/lhash.c

@@ -66,7 +66,7 @@ OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c)
 
     if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
         return NULL;
-    if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL)
+    if ((ret->b = OPENSSL_calloc(MIN_NODES, sizeof(*ret->b))) == NULL)
         goto err;
     ret->comp = ((c == NULL) ? (OPENSSL_LH_COMPFUNC)strcmp : c);
     ret->hash = ((h == NULL) ? (OPENSSL_LH_HASHFUNC)OPENSSL_LH_strhash : h);
@@ -251,7 +251,7 @@ static int expand(OPENSSL_LHASH *lh)
     pmax = lh->pmax;
     if (p + 1 >= pmax) {
         j = nni * 2;
-        n = OPENSSL_realloc(lh->b, sizeof(OPENSSL_LH_NODE *) * j);
+        n = OPENSSL_realloc_array(lh->b, j, sizeof(OPENSSL_LH_NODE *));
         if (n == NULL) {
             lh->error++;
             return 0;
@@ -291,8 +291,7 @@ static void contract(OPENSSL_LHASH *lh)
     np = lh->b[lh->p + lh->pmax - 1];
     lh->b[lh->p + lh->pmax - 1] = NULL; /* 24/07-92 - eay - weird but :-( */
     if (lh->p == 0) {
-        n = OPENSSL_realloc(lh->b,
-                            (unsigned int)(sizeof(OPENSSL_LH_NODE *) * lh->pmax));
+        n = OPENSSL_realloc_array(lh->b, lh->pmax, sizeof(OPENSSL_LH_NODE *));
         if (n == NULL) {
             /* fputs("realloc error in lhash", stderr); */
             lh->error++;

crypto/mem.c

@@ -9,6 +9,7 @@
 
 #include "internal/e_os.h"
 #include "internal/cryptlib.h"
+#include "internal/mem_alloc_utils.h"
 #include "crypto/cryptlib.h"
 #include <stdio.h>
 #include <stdlib.h>
@@ -212,15 +213,7 @@ void *CRYPTO_malloc(size_t num, const char *file, int line)
     if (ossl_likely(ptr != NULL))
         return ptr;
  err:
-    /*
-     * ossl_err_get_state_int() in err.c uses CRYPTO_zalloc(num, NULL, 0) for
-     * ERR_STATE allocation. Prevent mem alloc error loop while reporting error.
-     */
-    if (file != NULL || line != 0) {
-        ERR_new();
-        ERR_set_debug(file, line, NULL);
-        ERR_set_error(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE, NULL);
-    }
+    ossl_report_alloc_err(file, line);
     return NULL;
 }
 
@@ -238,25 +231,43 @@ void *CRYPTO_zalloc(size_t num, const char *file, int line)
 void *CRYPTO_aligned_alloc(size_t num, size_t alignment, void **freeptr,
                            const char *file, int line)
 {
+    size_t alloc_bytes;
     void *ret;
 
     *freeptr = NULL;
 
 #if defined(OPENSSL_SMALL_FOOTPRINT)
-    ret = freeptr = NULL;
-    return ret;
+    return NULL;
 #endif
 
+    /* Ensure that alignment is a power of two */
+    if (!alignment || (alignment & (alignment - 1))) {
+        ossl_report_alloc_err_inv(file, line);
+        return NULL;
+    }
+
     /* Allow non-malloc() allocations as long as no malloc_impl is provided. */
     if (malloc_impl == CRYPTO_malloc) {
 #if defined(_BSD_SOURCE) || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L)
-        if (posix_memalign(&ret, alignment, num))
-            return NULL;
+        int memalign_ret;
+
+        /* posix_memalign() requires alignment to be at least sizeof(void *) */
+        if (alignment < sizeof(void *))
+            alignment = sizeof(void *);
+
+        if ((memalign_ret = posix_memalign(&ret, alignment, num))) {
+            ret = NULL;
+            switch (memalign_ret) {
+            case EINVAL:
+                ossl_report_alloc_err_inv(file, line);
+                break;
+            case ENOMEM:
+                ossl_report_alloc_err(file, line);
+                break;
+            }
+        }
         *freeptr = ret;
         return ret;
-#elif defined(_ISOC11_SOURCE)
-        ret = *freeptr = aligned_alloc(alignment, num);
-        return ret;
 #endif
     }
 
@@ -270,11 +281,14 @@ void *CRYPTO_aligned_alloc(size_t num, size_t alignment, void **freeptr,
      * via _aligned_malloc, just avoid its use entirely
      */
 
+    if (ossl_size_add_of(num, alignment, &alloc_bytes, file, line))
+        return NULL;
+
     /*
      * Step 1: Allocate an amount of memory that is <alignment>
      * bytes bigger than requested
      */
-    *freeptr = CRYPTO_malloc(num + alignment, file, line);
+    *freeptr = CRYPTO_malloc(alloc_bytes, file, line);
     if (*freeptr == NULL)
         return NULL;
 
@@ -299,9 +313,17 @@ void *CRYPTO_aligned_alloc(size_t num, size_t alignment, void **freeptr,
 
 void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
 {
+    void *ret;
+
     INCREMENT(realloc_count);
-    if (realloc_impl != CRYPTO_realloc)
-        return realloc_impl(str, num, file, line);
+    if (realloc_impl != CRYPTO_realloc) {
+        ret = realloc_impl(str, num, file, line);
+
+        if (!num || ret)
+            return ret;
+
+        goto err;
+    }
 
     if (str == NULL)
         return CRYPTO_malloc(num, file, line);
@@ -312,7 +334,13 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
     }
 
     FAILTEST();
-    return realloc(str, num);
+    ret = realloc(str, num);
+
+err:
+    if (num && !ret)
+        ossl_report_alloc_err(file, line);
+
+    return ret;
 }
 
 void *CRYPTO_clear_realloc(void *str, size_t old_len, size_t num,
@@ -342,6 +370,11 @@ void *CRYPTO_clear_realloc(void *str, size_t old_len, size_t num,
     return ret;
 }
 
+/*
+ * Array allocation wraper routines implementations.
+ */
+#include "internal/array_alloc.inc"
+
 void CRYPTO_free(void *str, const char *file, int line)
 {
     INCREMENT(free_count);

crypto/mem_sec.c

@@ -480,7 +480,7 @@ static int sh_init(size_t size, size_t minsize)
     for (i = sh.bittable_size; i; i >>= 1)
         sh.freelist_size++;
 
-    sh.freelist = OPENSSL_zalloc(sh.freelist_size * sizeof(char *));
+    sh.freelist = OPENSSL_calloc(sh.freelist_size, sizeof(char *));
     OPENSSL_assert(sh.freelist != NULL);
     if (sh.freelist == NULL)
         goto err;

crypto/ml_dsa/ml_dsa_key.c

@@ -326,7 +326,7 @@ static int public_from_private(const ML_DSA_KEY *key, EVP_MD_CTX *md_ctx,
     VECTOR s1_ntt;
     VECTOR t;
 
-    polys = OPENSSL_malloc(sizeof(*polys) * (k + l + k * l));
+    polys = OPENSSL_malloc_array(k + l + k * l, sizeof(*polys));
     if (polys == NULL)
         return 0;
 
@@ -388,7 +388,7 @@ int ossl_ml_dsa_key_pairwise_check(const ML_DSA_KEY *key)
     if (key->pub_encoding == NULL || key->priv_encoding == 0)
         return 0;
 
-    polys = OPENSSL_malloc(sizeof(*polys) * (2 * k));
+    polys = OPENSSL_malloc_array(2 * k, sizeof(*polys));
     if (polys == NULL)
         return 0;
     md_ctx = EVP_MD_CTX_new();

crypto/ml_dsa/ml_dsa_vector.h

@@ -33,7 +33,7 @@ void vector_init(VECTOR *v, POLY *polys, size_t num_polys)
 static ossl_inline ossl_unused
 int vector_alloc(VECTOR *v, size_t num_polys)
 {
-    v->poly = OPENSSL_malloc(num_polys * sizeof(POLY));
+    v->poly = OPENSSL_malloc_array(num_polys, sizeof(POLY));
     if (v->poly == NULL)
         return 0;
     v->num_poly = num_polys;
@@ -43,7 +43,7 @@ int vector_alloc(VECTOR *v, size_t num_polys)
 static ossl_inline ossl_unused
 int vector_secure_alloc(VECTOR *v, size_t num_polys)
 {
-    v->poly = OPENSSL_secure_malloc(num_polys * sizeof(POLY));
+    v->poly = OPENSSL_secure_malloc_array(num_polys, sizeof(POLY));
     if (v->poly == NULL)
         return 0;
     v->num_poly = num_polys;

crypto/modes/ocb128.c

@@ -110,7 +110,7 @@ static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
          * the index.
          */
         ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
-        tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
+        tmp_ptr = OPENSSL_realloc_array(ctx->l, ctx->max_l_index, sizeof(OCB_BLOCK));
         if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
             return NULL;
         ctx->l = tmp_ptr;
@@ -155,7 +155,7 @@ int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
     memset(ctx, 0, sizeof(*ctx));
     ctx->l_index = 0;
     ctx->max_l_index = 5;
-    if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL)
+    if ((ctx->l = OPENSSL_malloc_array(ctx->max_l_index, 16)) == NULL)
         return 0;
 
     /*
@@ -200,7 +200,7 @@ int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
     if (keydec)
         dest->keydec = keydec;
     if (src->l) {
-        if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL)
+        if ((dest->l = OPENSSL_malloc_array(src->max_l_index, 16)) == NULL)
             return 0;
         memcpy(dest->l, src->l, (src->l_index + 1) * 16);
     }

crypto/objects/o_names.c

@@ -333,7 +333,7 @@ void OBJ_NAME_do_all_sorted(int type,
 
     d.type = type;
     d.names =
-        OPENSSL_malloc(sizeof(*d.names) * lh_OBJ_NAME_num_items(names_lh));
+        OPENSSL_malloc_array(lh_OBJ_NAME_num_items(names_lh), sizeof(*d.names));
     /* Really should return an error if !d.names...but its a void function! */
     if (d.names != NULL) {
         d.n = 0;

crypto/objects/obj_dat.h

@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[9550] = {
+static const unsigned char so[9571] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1351,9 +1351,11 @@ static const unsigned char so[9550] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1C,  /* [ 9516] OBJ_HKDF_SHA256 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1D,  /* [ 9527] OBJ_HKDF_SHA384 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1E,  /* [ 9538] OBJ_HKDF_SHA512 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,  /* [ 9549] OBJ_id_smime_ori */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,0x03,  /* [ 9559] OBJ_id_smime_ori_kem */
 };
 
-#define NUM_NID 1499
+#define NUM_NID 1501
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2854,9 +2856,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"id-alg-hkdf-with-sha256", "HKDF-SHA256", NID_HKDF_SHA256, 11, &so[9516]},
     {"id-alg-hkdf-with-sha384", "HKDF-SHA384", NID_HKDF_SHA384, 11, &so[9527]},
     {"id-alg-hkdf-with-sha512", "HKDF-SHA512", NID_HKDF_SHA512, 11, &so[9538]},
+    {"id-smime-ori", "id-smime-ori", NID_id_smime_ori, 10, &so[9549]},
+    {"id-smime-ori-kem", "id-smime-ori-kem", NID_id_smime_ori_kem, 11, &so[9559]},
 };
 
-#define NUM_SN 1490
+#define NUM_SN 1492
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -3744,6 +3748,8 @@ static const unsigned int sn_objs[NUM_SN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -4350,7 +4356,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1490
+#define NUM_LN 1492
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -5367,6 +5373,8 @@ static const unsigned int ln_objs[NUM_LN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -5844,7 +5852,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 1347
+#define NUM_OBJ 1349
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -7051,6 +7059,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      193,    /* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
      194,    /* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
      195,    /* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
+    1499,    /* OBJ_id_smime_ori                 1 2 840 113549 1 9 16 13 */
      158,    /* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
      159,    /* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
      160,    /* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
@@ -7169,6 +7178,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      254,    /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
      255,    /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
      256,    /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
+    1500,    /* OBJ_id_smime_ori_kem             1 2 840 113549 1 9 16 13 3 */
      150,    /* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
      151,    /* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
      152,    /* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */

crypto/objects/obj_mac.num

@@ -1496,3 +1496,5 @@ aes_256_cbc_hmac_sha512_etm		1495
 HKDF_SHA256		1496
 HKDF_SHA384		1497
 HKDF_SHA512		1498
+id_smime_ori		1499
+id_smime_ori_kem		1500

crypto/objects/objects.txt

@@ -251,6 +251,7 @@ SMIME 3			: id-smime-alg
 SMIME 4			: id-smime-cd
 SMIME 5			: id-smime-spq
 SMIME 6			: id-smime-cti
+SMIME 13		: id-smime-ori
 
 # S/MIME Modules
 id-smime-mod 1		: id-smime-mod-cms
@@ -355,6 +356,9 @@ id-smime-cti 4		: id-smime-cti-ets-proofOfSender
 id-smime-cti 5		: id-smime-cti-ets-proofOfApproval
 id-smime-cti 6		: id-smime-cti-ets-proofOfCreation
 
+# S/MIME OtherRecipientInfo Type Identifier
+id-smime-ori 3		: id-smime-ori-kem
+
 pkcs9 20		:			: friendlyName
 pkcs9 21		:			: localKeyID
 !Alias ms-corp 1 3 6 1 4 1 311

crypto/params_dup.c

@@ -10,6 +10,7 @@
 #include <string.h>
 #include <openssl/params.h>
 #include <openssl/param_build.h>
+#include "internal/mem_alloc_utils.h"
 #include "internal/param_build_set.h"
 
 #define OSSL_PARAM_ALLOCATED_END    127
@@ -34,7 +35,13 @@ size_t ossl_param_bytes_to_blocks(size_t bytes)
 static int ossl_param_buf_alloc(OSSL_PARAM_BUF *out, size_t extra_blocks,
                                 int is_secure)
 {
-    size_t sz = OSSL_PARAM_ALIGN_SIZE * (extra_blocks + out->blocks);
+    size_t num_blocks, sz;
+
+    if (ossl_size_add_of(extra_blocks, out->blocks, &num_blocks,
+                         OPENSSL_FILE, OPENSSL_LINE)
+        || ossl_size_mul_of(num_blocks, OSSL_PARAM_ALIGN_SIZE, &sz,
+                            OPENSSL_FILE, OPENSSL_LINE))
+        return 0;
 
     out->alloc = is_secure ? OPENSSL_secure_zalloc(sz) : OPENSSL_zalloc(sz);
     if (out->alloc == NULL)
@@ -181,7 +188,7 @@ OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
     qsort(list2, list2_sz, sizeof(OSSL_PARAM *), compare_params);
 
    /* Allocate enough space to store the merged parameters */
-    params = OPENSSL_zalloc((list1_sz + list2_sz + 1) * sizeof(*p1));
+    params = OPENSSL_calloc(list1_sz + list2_sz + 1, sizeof(*p1));
     if (params == NULL)
         return NULL;
     dst = params;

crypto/pem/pem_lib.c

@@ -665,7 +665,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
         }
     }
 
-    buf = OPENSSL_malloc(PEM_BUFSIZE * 8);
+    buf = OPENSSL_malloc_array(PEM_BUFSIZE, 8);
     if (buf == NULL)
         goto err;
 

crypto/provider_core.c

@@ -371,8 +371,8 @@ int ossl_provider_info_add_to_store(OSSL_LIB_CTX *libctx,
     if (!CRYPTO_THREAD_write_lock(store->lock))
         return 0;
     if (store->provinfosz == 0) {
-        store->provinfo = OPENSSL_zalloc(sizeof(*store->provinfo)
-                                         * BUILTINS_BLOCK_SIZE);
+        store->provinfo = OPENSSL_calloc(BUILTINS_BLOCK_SIZE,
+                                         sizeof(*store->provinfo));
         if (store->provinfo == NULL)
             goto err;
         store->provinfosz = BUILTINS_BLOCK_SIZE;
@@ -380,8 +380,8 @@ int ossl_provider_info_add_to_store(OSSL_LIB_CTX *libctx,
         OSSL_PROVIDER_INFO *tmpbuiltins;
         size_t newsz = store->provinfosz + BUILTINS_BLOCK_SIZE;
 
-        tmpbuiltins = OPENSSL_realloc(store->provinfo,
-                                      sizeof(*store->provinfo) * newsz);
+        tmpbuiltins = OPENSSL_realloc_array(store->provinfo,
+                                            newsz, sizeof(*store->provinfo));
         if (tmpbuiltins == NULL)
             goto err;
         store->provinfo = tmpbuiltins;
@@ -1119,7 +1119,7 @@ static int provider_init(OSSL_PROVIDER *prov)
 
         /* Allocate one extra item for the "library" name */
         prov->error_strings =
-            OPENSSL_zalloc(sizeof(ERR_STRING_DATA) * (cnt + 1));
+            OPENSSL_calloc(cnt + 1, sizeof(ERR_STRING_DATA));
         if (prov->error_strings == NULL)
             goto end;
 
@@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle)
     return ERR_pop_to_mark();
 }
 
+static int core_count_to_mark(const OSSL_CORE_HANDLE *handle)
+{
+    return ERR_count_to_mark();
+}
+
 static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx,
                                         OSSL_INDICATOR_CALLBACK **cb)
 {
@@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,
       (void (*)(void))core_clear_last_error_mark },
     { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },
+    { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark },
     { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file },
     { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf },
     { OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex },

crypto/rsa/rsa_gen.c

@@ -704,7 +704,7 @@ static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
      * decoded.
      */
     plaintxt_len = RSA_size(rsa);
-    plaintxt = OPENSSL_zalloc(plaintxt_len * 3);
+    plaintxt = OPENSSL_calloc(plaintxt_len, 3);
     if (plaintxt == NULL)
         goto err;
     ciphertxt = plaintxt + plaintxt_len;

crypto/sm2/sm2_crypt.c

@@ -177,7 +177,7 @@ int ossl_sm2_encrypt(const EC_KEY *key,
         goto done;
     }
 
-    x2y2 = OPENSSL_zalloc(2 * field_size);
+    x2y2 = OPENSSL_calloc(2, field_size);
     C3 = OPENSSL_zalloc(C3_size);
 
     if (x2y2 == NULL || C3 == NULL)
@@ -343,7 +343,7 @@ int ossl_sm2_decrypt(const EC_KEY *key,
     }
 
     msg_mask = OPENSSL_zalloc(msg_len);
-    x2y2 = OPENSSL_zalloc(2 * field_size);
+    x2y2 = OPENSSL_calloc(2, field_size);
     computed_C3 = OPENSSL_zalloc(hash_size);
 
     if (msg_mask == NULL || x2y2 == NULL || computed_C3 == NULL)

crypto/sparse_array.c

@@ -173,7 +173,7 @@ void *ossl_sa_get(const OPENSSL_SA *sa, ossl_uintmax_t n)
 
 static ossl_inline void **alloc_node(void)
 {
-    return OPENSSL_zalloc(SA_BLOCK_MAX * sizeof(void *));
+    return OPENSSL_calloc(SA_BLOCK_MAX, sizeof(void *));
 }
 
 int ossl_sa_set(OPENSSL_SA *sa, ossl_uintmax_t posn, void *val)

crypto/srp/srp_lib.c

@@ -39,7 +39,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N,
         goto err;
     if (y != N && BN_ucmp(y, N) >= 0)
         goto err;
-    if ((tmp = OPENSSL_malloc(numN * 2)) == NULL)
+    if ((tmp = OPENSSL_malloc_array(numN, 2)) == NULL)
         goto err;
     if (BN_bn2binpad(x, tmp, numN) < 0
         || BN_bn2binpad(y, tmp + numN, numN) < 0

crypto/srp/srp_vfy.c

@@ -681,9 +681,8 @@ char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt,
     if (*salt == NULL) {
         char *tmp_salt;
 
-        if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) {
+        if ((tmp_salt = OPENSSL_malloc_array(SRP_RANDOM_SALT_LEN, 2)) == NULL)
             goto err;
-        }
         if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) {
             OPENSSL_free(tmp_salt);
             goto err;

crypto/stack/stack.c

@@ -69,7 +69,7 @@ OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk)
     }
 
     /* duplicate |sk->data| content */
-    ret->data = OPENSSL_malloc(sizeof(*ret->data) * sk->num_alloc);
+    ret->data = OPENSSL_malloc_array(sk->num_alloc, sizeof(*ret->data));
     if (ret->data == NULL)
         goto err;
     memcpy(ret->data, sk->data, sizeof(void *) * sk->num);
@@ -107,7 +107,7 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk,
     }
 
     ret->num_alloc = sk->num > min_nodes ? sk->num : min_nodes;
-    ret->data = OPENSSL_zalloc(sizeof(*ret->data) * ret->num_alloc);
+    ret->data = OPENSSL_calloc(ret->num_alloc, sizeof(*ret->data));
     if (ret->data == NULL)
         goto err;
 
@@ -197,7 +197,7 @@ static int sk_reserve(OPENSSL_STACK *st, int n, int exact)
          * At this point, |st->num_alloc| and |st->num| are 0;
          * so |num_alloc| value is |n| or |min_nodes| if greater than |n|.
          */
-        if ((st->data = OPENSSL_zalloc(sizeof(void *) * num_alloc)) == NULL)
+        if ((st->data = OPENSSL_calloc(num_alloc, sizeof(void *))) == NULL)
             return 0;
         st->num_alloc = num_alloc;
         return 1;
@@ -215,7 +215,7 @@ static int sk_reserve(OPENSSL_STACK *st, int n, int exact)
         return 1;
     }
 
-    tmpdata = OPENSSL_realloc((void *)st->data, sizeof(void *) * num_alloc);
+    tmpdata = OPENSSL_realloc_array((void *)st->data, num_alloc, sizeof(void *));
     if (tmpdata == NULL)
         return 0;
 

crypto/threads_common.c

@@ -355,7 +355,8 @@ int CRYPTO_THREAD_set_local_ex(CRYPTO_THREAD_LOCAL_KEY_ID id,
         /*
          * we didn't find one, but that's ok, just initialize it now
          */
-        mkey = OPENSSL_zalloc(sizeof(MASTER_KEY_ENTRY) * CRYPTO_THREAD_LOCAL_KEY_MAX);
+        mkey = OPENSSL_calloc(CRYPTO_THREAD_LOCAL_KEY_MAX,
+                              sizeof(MASTER_KEY_ENTRY));
         if (mkey == NULL)
             return 0;
         /*

crypto/threads_pthread.c

@@ -454,7 +454,7 @@ static struct rcu_qp *allocate_new_qp_group(CRYPTO_RCU_LOCK *lock,
                                             uint32_t count)
 {
     struct rcu_qp *new =
-        OPENSSL_zalloc(sizeof(*new) * count);
+        OPENSSL_calloc(count, sizeof(*new));
 
     lock->group_count = count;
     return new;

crypto/threads_win.c

@@ -128,7 +128,7 @@ static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock,
                                             uint32_t count)
 {
     struct rcu_qp *new =
-        OPENSSL_zalloc(sizeof(*new) * count);
+        OPENSSL_calloc(count, sizeof(*new));
 
     lock->group_count = count;
     return new;

crypto/txt_db/txt_db.c

@@ -40,9 +40,9 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
     ret->qual = NULL;
     if ((ret->data = sk_OPENSSL_PSTRING_new_null()) == NULL)
         goto err;
-    if ((ret->index = OPENSSL_malloc(sizeof(*ret->index) * num)) == NULL)
+    if ((ret->index = OPENSSL_malloc_array(num, sizeof(*ret->index))) == NULL)
         goto err;
-    if ((ret->qual = OPENSSL_malloc(sizeof(*(ret->qual)) * num)) == NULL)
+    if ((ret->qual = OPENSSL_malloc_array(num, sizeof(*(ret->qual)))) == NULL)
         goto err;
     for (i = 0; i < num; i++) {
         ret->index[i] = NULL;

crypto/x509/pcy_tree.c

@@ -186,7 +186,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
      * policies of anyPolicy.  (RFC 5280 has the TA at depth 0 and the leaf at
      * depth n, we have the leaf at depth 0 and the TA at depth n).
      */
-    if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) {
+    if ((tree->levels = OPENSSL_calloc(n + 1, sizeof(*tree->levels))) == NULL) {
         OPENSSL_free(tree);
         return X509_PCY_TREE_INTERNAL;
     }

crypto/x509/x509spki.c

@@ -61,7 +61,7 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
     if (der_len <= 0)
         return NULL;
     der_spki = OPENSSL_malloc(der_len);
-    b64_str = OPENSSL_malloc(der_len * 2);
+    b64_str = OPENSSL_malloc_array(der_len, 2);
     if (der_spki == NULL || b64_str == NULL) {
         OPENSSL_free(der_spki);
         OPENSSL_free(b64_str);

demos/quic/poll-server/quic-server-ssl-poll-http.c

@@ -975,7 +975,8 @@ create_poll_manager(void)
         return NULL;
 
     ossl_list_pe_init(&pm->pm_head);
-    pm->pm_poll_set = OPENSSL_malloc(sizeof (struct poll_event) * POLL_GROW);
+    pm->pm_poll_set = OPENSSL_malloc_array(POLL_GROW,
+                                           sizeof (struct poll_event));
     if (pm->pm_poll_set != NULL) {
         pm->pm_poll_set_sz = POLL_GROW;
         pm->pm_event_count = 0;
@@ -992,7 +993,6 @@ rebuild_poll_set(struct poll_manager *pm)
 {
     struct poll_event *new_poll_set;
     struct poll_event *pe;
-    size_t new_sz;
     size_t pe_num;
     size_t i;
 
@@ -1004,9 +1004,9 @@ rebuild_poll_set(struct poll_manager *pm)
         /*
          * grow poll set by POLL_GROW
          */
-        new_sz = sizeof (struct poll_event) * (pm->pm_poll_set_sz + POLL_GROW);
-        new_poll_set = (struct poll_event *)OPENSSL_realloc(pm->pm_poll_set,
-                                                            new_sz);
+        new_poll_set = OPENSSL_realloc_array(pm->pm_poll_set,
+                                             pm->pm_poll_set_sz + POLL_GROW,
+                                             sizeof (struct poll_event));
         if (new_poll_set == NULL)
             return -1;
         pm->pm_poll_set = new_poll_set;
@@ -1016,10 +1016,9 @@ rebuild_poll_set(struct poll_manager *pm)
         /*
          * shrink poll set by POLL_DOWNSIZ
          */
-        new_sz = sizeof (struct poll_event) *
-            (pm->pm_poll_set_sz - POLL_DOWNSIZ);
-        new_poll_set = (struct poll_event *)OPENSSL_realloc(pm->pm_poll_set,
-                                                            new_sz);
+        new_poll_set = OPENSSL_realloc_array(pm->pm_poll_set,
+                                             pm->pm_poll_set_sz - POLL_DOWNSIZ,
+                                             sizeof (struct poll_event));
         if (new_poll_set == NULL)
             return -1;
         pm->pm_poll_set = new_poll_set;

doc/man1/openssl-cms.pod.in

@@ -75,6 +75,8 @@ Encryption options:
 [B<-aes256-wrap>]
 [B<-des3-wrap>]
 [B<-debug_decrypt>]
+[B<-recip_kdf> I<kdf>]
+[B<-recip_ukm> I<ukm>]
 
 Signing options:
 
@@ -450,6 +452,19 @@ Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
 with caution: see the notes section below.
 
+=item B<-recip_kdf>
+
+This option sets the KDF used to generate the key encryption key in the
+B<KEMRecipientInfo> type. Any KDF that takes B<OSSL_KDF_PARAM_KEY> and
+B<OSSL_KDF_PARAM_INFO> parameters and is otherwise fully defined by its name or
+OID can be used, for example B<HKDF-SHA256>.
+
+=item B<-recip_ukm>
+
+This option sets the B<KEMRecipientInfo> type's optional user keying material (UKM)
+in hexadecimal form. The UKM will be encoded, along with other information, into the
+B<OSSL_KDF_PARAM_INFO> parameter of the B<KEMRecipientInfo> type's KDF.
+
 =back
 
 =head2 Signing options
@@ -937,6 +952,8 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 
 The B<-digest> option was added in OpenSSL 3.2.
 
+The B<-recip_kdf> and B<-recip_ukm> options were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/CMS_add1_recipient_cert.pod

@@ -30,7 +30,8 @@ The originator-related fields are relevant only in case when the keyAgreement
 method of providing of the shared key is in use.
 
 CMS_add1_recipient_cert() adds recipient B<recip> to CMS_ContentInfo enveloped
-data structure B<cms> as a KeyTransRecipientInfo structure.
+data structure B<cms> as a KeyTransRecipientInfo or KEMRecipientInfo structure,
+or as a KeyAgreeRecipientInfo structure with an ephemeral key.
 
 CMS_add0_recipient_key() adds symmetric key B<key> of length B<keylen> using
 wrapping algorithm B<nid>, identifier B<id> of length B<idlen> and optional

doc/man3/CMS_encrypt.pod

@@ -78,10 +78,12 @@ BIO_new_CMS().
 
 The recipients specified in B<certs> use a CMS KeyTransRecipientInfo info
 structure. KEKRecipientInfo is also supported using the flag B<CMS_PARTIAL>
-and CMS_add0_recipient_key().
+and CMS_add0_recipient_key(). KEMRecipientInfo is also supported using the
+flag B<CMS_PARTIAL> and CMS_add1_recipient().
 
 The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
-added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
+are added later using CMS_add1_recipient() or CMS_add1_recipient_cert() with
+CMS_add0_recipient_key().
 
 CMS_encrypt() is similar to CMS_encrypt_ex() but uses default values
 of NULL for the library context I<libctx> and the property query I<propq>.
@@ -104,7 +106,7 @@ The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/CMS_get0_RecipientInfos.pod

@@ -6,9 +6,12 @@ CMS_get0_RecipientInfos, CMS_RecipientInfo_type,
 CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp,
 CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id,
 CMS_RecipientInfo_kari_set0_pkey_and_peer,
-CMS_RecipientInfo_kari_set0_pkey,
+CMS_RecipientInfo_kari_set0_pkey, CMS_RecipientInfo_kari_get0_ctx,
 CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key,
-CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
+CMS_RecipientInfo_kemri_cert_cmp, CMS_RecipientInfo_kemri_set0_pkey,
+CMS_RecipientInfo_kemri_get0_ctx, CMS_RecipientInfo_kemri_get0_kdf_alg,
+CMS_RecipientInfo_kemri_set_ukm, CMS_RecipientInfo_decrypt,
+CMS_RecipientInfo_encrypt
 - CMS envelopedData RecipientInfo routines
 
 =head1 SYNOPSIS
@@ -27,6 +30,7 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
  int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri,
                                                EVP_PKEY *pk, X509 *peer);
  int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
                                      ASN1_OCTET_STRING **pid,
                                      ASN1_GENERALIZEDTIME **pdate,
@@ -36,6 +40,13 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
                                     const unsigned char *id, size_t idlen);
  int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
                                 unsigned char *key, size_t keylen);
+ int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+ int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri);
+ X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri);
+ int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                     const unsigned char *ukm,
+                                     int ukmLength);
 
  int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
@@ -47,7 +58,8 @@ structures associated with a CMS EnvelopedData structure.
 
 CMS_RecipientInfo_type() returns the type of CMS_RecipientInfo structure B<ri>.
 It will currently return CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
-CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER.
+CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, CMS_RECIPINFO_KEM, or
+CMS_RECIPINFO_OTHER.
 
 CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient
 identifier associated with a specific CMS_RecipientInfo structure B<ri>, which
@@ -69,6 +81,10 @@ must be of type CMS_RECIPINFO_AGREE.
 CMS_RecipientInfo_kari_set0_pkey() associates the private key B<pkey> with the
 CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_AGREE.
 
+CMS_RecipientInfo_kari_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_AGREE.
+
 CMS_RecipientInfo_kekri_get0_id() retrieves the key information from the
 CMS_RecipientInfo structure B<ri> which must be of type CMS_RECIPINFO_KEK.  Any
 of the remaining parameters can be NULL if the application is not interested in
@@ -88,6 +104,27 @@ CMS_RecipientInfo_set0_key() associates the symmetric key B<key> of length
 B<keylen> with the CMS_RecipientInfo structure B<ri>, which must be of type
 CMS_RECIPINFO_KEK.
 
+CMS_RecipientInfo_kemri_cert_cmp() compares the certificate B<cert> against the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+It returns zero if the comparison is successful and non zero if not.
+
+CMS_RecipientInfo_kemri_set0_pkey() associates the private key B<pkey> with the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the X509_ALGOR for the
+RecipientInfo's KDF, allowing the caller to specify the KDF algorithm.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM. If the
+caller doesn't specify a KDF algorithm, B<HKDF-SHA256> will be used.
+
+CMS_RecipientInfo_kemri_set_ukm() sets the RecipientInfo's optional user
+keying material (UKM).  The UKM is encoded, along with other information, into
+the B<OSSL_KDF_PARAM_INFO> parameter of the RecipientInfo's KDF. The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
 CMS_RecipientInfo_decrypt() attempts to decrypt CMS_RecipientInfo structure
 B<ri> in structure B<cms>. A key must have been associated with the structure
 first.
@@ -125,12 +162,20 @@ CMS_get0_RecipientInfos() returns all CMS_RecipientInfo structures, or NULL if
 an error occurs.
 
 CMS_RecipientInfo_ktri_get0_signer_id(), CMS_RecipientInfo_set0_pkey(),
-CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key() and
-CMS_RecipientInfo_decrypt() return 1 for success or 0 if an error occurs.
-CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.
+CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key(),
+CMS_RecipientInfo_kemri_set0_pkey(), CMS_RecipientInfo_kemri_set_ukm(),
+CMS_RecipientInfo_decrypt() and CMS_RecipientInfo_encrypt() return 1 for
+success or 0 if an error occurs.
 
-CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_cmp() return 0
-for a successful comparison and non zero otherwise.
+CMS_RecipientInfo_ktri_cert_cmp(), CMS_RecipientInfo_kemri_cert_cmp() and
+CMS_RecipientInfo_kekri_cmp() return 0 for a successful comparison and non zero
+otherwise.
+
+CMS_RecipientInfo_kemri_get0_ctx() and CMS_RecipientInfo_kari_get0_ctx return
+the RecipientInfo's EVP_CIPHER_CTX or NULL if an error occurred.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the RecipientInfo's KDF's
+X509_ALGOR or NULL if an error occurred.
 
 Any error can be obtained from L<ERR_get_error(3)>.
 
@@ -143,9 +188,13 @@ L<ERR_get_error(3)>, L<CMS_decrypt(3)>
 B<CMS_RecipientInfo_kari_set0_pkey_and_peer> and B<CMS_RecipientInfo_kari_set0_pkey>
 were added in OpenSSL 3.0.
 
+B<CMS_RecipientInfo_kemri_cert_cmp>, B<CMS_RecipientInfo_kemri_set0_pkey>,
+B<CMS_RecipientInfo_kemri_get0_ctx>, B<CMS_RecipientInfo_kemri_get0_kdf_alg>
+and B<CMS_RecipientInfo_kemri_set_ukm> were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/OPENSSL_malloc.pod

@@ -4,14 +4,19 @@
 
 OPENSSL_malloc_init,
 OPENSSL_malloc, OPENSSL_aligned_alloc, OPENSSL_zalloc, OPENSSL_realloc,
-OPENSSL_free, OPENSSL_clear_realloc, OPENSSL_clear_free, OPENSSL_cleanse,
-CRYPTO_malloc, CRYPTO_aligned_alloc, CRYPTO_zalloc, CRYPTO_realloc, CRYPTO_free,
+OPENSSL_malloc_array, OPENSSL_aligned_alloc_array, OPENSSL_calloc,
+OPENSSL_realloc_array, OPENSSL_free,
+OPENSSL_clear_realloc, OPENSSL_clear_realloc_array,
+OPENSSL_clear_free, OPENSSL_cleanse,
+CRYPTO_malloc, CRYPTO_aligned_alloc, CRYPTO_zalloc,
+CRYPTO_malloc_array, CRYPTO_aligned_alloc_array, CRYPTO_calloc,
+CRYPTO_realloc, CRYPTO_realloc_array, CRYPTO_free,
 OPENSSL_strdup, OPENSSL_strndup,
 OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat, OPENSSL_strtoul,
 CRYPTO_strdup, CRYPTO_strndup,
 OPENSSL_mem_debug_push, OPENSSL_mem_debug_pop,
 CRYPTO_mem_debug_push, CRYPTO_mem_debug_pop,
-CRYPTO_clear_realloc, CRYPTO_clear_free,
+CRYPTO_clear_realloc, CRYPTO_clear_realloc_array, CRYPTO_clear_free,
 CRYPTO_malloc_fn, CRYPTO_realloc_fn, CRYPTO_free_fn,
 CRYPTO_get_mem_functions, CRYPTO_set_mem_functions,
 CRYPTO_get_alloc_counts,
@@ -32,6 +37,11 @@ OPENSSL_MALLOC_SEED
  void *OPENSSL_aligned_alloc(size_t num, size_t alignment, void **freeptr);
  void *OPENSSL_zalloc(size_t num);
  void *OPENSSL_realloc(void *addr, size_t num);
+ void *OPENSSL_malloc_array(size_t num, size_t size);
+ void *OPENSSL_aligned_alloc_array(size_t num, size_t size, size_t alignment,
+                                   void **freeptr);
+ void *OPENSSL_calloc(size_t num, size_t size);
+ void *OPENSSL_realloc_array(void *addr, size_t num, size_t size);
  void OPENSSL_free(void *addr);
  char *OPENSSL_strdup(const char *str);
  char *OPENSSL_strndup(const char *str, size_t s);
@@ -40,20 +50,30 @@ OPENSSL_MALLOC_SEED
  int OPENSSL_strtoul(char *src, char **endptr, int base, unsigned long *num);
  void *OPENSSL_memdup(void *data, size_t s);
  void *OPENSSL_clear_realloc(void *p, size_t old_len, size_t num);
+ void *OPENSSL_clear_realloc_array(void *p, size_t old_len, size_t num,
+                                   size_t size);
  void OPENSSL_clear_free(void *str, size_t num);
  void OPENSSL_cleanse(void *ptr, size_t len);
 
  void *CRYPTO_malloc(size_t num, const char *file, int line);
- void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr, 
+ void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr,
                             const char *file, int line);
  void *CRYPTO_zalloc(size_t num, const char *file, int line);
  void *CRYPTO_realloc(void *p, size_t num, const char *file, int line);
- void CRYPTO_free(void *str, const char *, int);
+ void *CRYPTO_malloc_array(size_t num, size_t size, const char *file, int line);
+ void *CRYPTO_aligned_alloc_array(size_t num, size_t size, size_t align,
+                                  void **freeptr, const char *file, int line);
+ void *CRYPTO_calloc(size_t num, size_t size, const char *file, int line);
+ void *CRYPTO_realloc_array(void *p, size_t num, size_t size,
+                            const char *file, int line);
+ void CRYPTO_free(void *str, const char *file, int line);
  char *CRYPTO_strdup(const char *p, const char *file, int line);
  char *CRYPTO_strndup(const char *p, size_t num, const char *file, int line);
  void *CRYPTO_clear_realloc(void *p, size_t old_len, size_t num,
                             const char *file, int line);
- void CRYPTO_clear_free(void *str, size_t num, const char *, int);
+ void *CRYPTO_clear_realloc_array(void *p, size_t old_len, size_t num,
+                                  size_t size, const char *file, int line);
+ void CRYPTO_clear_free(void *str, size_t num, const char *file, int line);
 
  typedef void *(*CRYPTO_malloc_fn)(size_t num, const char *file, int line);
  typedef void *(*CRYPTO_realloc_fn)(void *addr, size_t num, const char *file,
@@ -102,19 +122,37 @@ OPENSSL_malloc(), OPENSSL_realloc(), and OPENSSL_free() are like the
 C malloc(), realloc(), and free() functions.
 OPENSSL_zalloc() calls memset() to zero the memory before returning.
 
-OPENSSL_aligned_alloc() operates just as OPENSSL_malloc does, but it
+OPENSSL_aligned_alloc() operates just as OPENSSL_malloc() does, but it
 allows for the caller to specify an alignment value, for instances in
-which the default alignment of malloc is insufficient for the callers
+which the default alignment of malloc is insufficient for the caller's
 needs.  Note, the alignment value must be a power of 2, and the size
 specified must be a multiple of the alignment.
-NOTE: The call to OPENSSL_aligned_alloc() accepts a 3rd argument, I<freeptr>
+NOTES:
+
+=over 4
+
+=item *
+
+The call to OPENSSL_aligned_alloc() accepts a 3rd argument, I<freeptr>
 which must point to a void pointer.  On some platforms, there is no available
-library call to obtain memory allocations greater than what malloc provides.  In
-this case, OPENSSL_aligned_alloc implements its own alignment routine,
-allocating additional memory and offsetting the returned pointer to be on the
-requested alignment boundary.  In order to safely free allocations made by this
-method, the caller must return the value in the I<freeptr> variable, rather than
-the returned pointer.
+library call to obtain memory allocations with alignment greater than what
+malloc provides.  In this case, OPENSSL_aligned_alloc() implements its own
+alignment routine, allocating additional memory and offsetting the returned
+pointer to be on the requested alignment boundary.  In order to safely free
+allocations made by this method, the caller must return the value
+in the I<freeptr> variable, rather than the returned pointer.
+
+=item *
+
+The call to OPENSSL_aligned_alloc() may fail for reasons other than memory
+exhaustion, depending on the underlying implementation, and, most notably,
+OpenSSL library's build configuration:  for example, it always returns C<NULL>
+without setting any error if OpenSSL is built with C<OPENSSL_SMALL_FOOTPRINT>
+macro defined.  Consequently, caller may need to fall back to a non-aligned
+memory allocation (and open-code the alignment routine if the alignment
+is a requirement).
+
+=back
 
 OPENSSL_clear_realloc() and OPENSSL_clear_free() should be used
 when the buffer at B<addr> holds sensitive information.
@@ -122,6 +160,15 @@ The old buffer is filled with zero's by calling OPENSSL_cleanse()
 before ultimately calling OPENSSL_free(). If the argument to OPENSSL_free() is
 NULL, nothing is done.
 
+OPENSSL_malloc_array(), OPENSSL_calloc(), OPENSSL_aligned_alloc_array(),
+OPENSSL_realloc_array(), and OPENSSL_clear_realloc_array() are variants
+of OPENSSL_malloc(), OPENSSL_zalloc(), OPENSSL_aligned_alloc(),
+OPENSSL_realloc(), and OPENSSL_clear_realloc(), respectively, that accept
+an additional parameter, B<size>, which allows perform memory allocation
+operations for an array of B<num> members B<size> bytes each;
+these functions return an error if multiplication of B<num> and B<size>
+leads to an integer overflow, thus preventing allocations of an incorrect size.
+
 OPENSSL_cleanse() fills B<ptr> of size B<len> with a string of 0's.
 Use OPENSSL_cleanse() with care if the memory is a mapping of a file.
 If the storage controller uses write compression, then it's possible
@@ -203,12 +250,18 @@ CRYPTO_free(), CRYPTO_clear_free() and CRYPTO_get_mem_functions()
 return no value.
 
 OPENSSL_malloc(), OPENSSL_aligned_alloc(), OPENSSL_zalloc(), OPENSSL_realloc(),
-OPENSSL_clear_realloc(),
+OPENSSL_malloc_array(), OPENSSL_aligned_alloc_array(), OPENSSL_calloc(),
+OPENSSL_realloc_array(),
+OPENSSL_clear_realloc(), OPENSSL_clear_realloc_array(),
 CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_realloc(),
-CRYPTO_clear_realloc(),
+CRYPTO_malloc_array(), CRYPTO_calloc(), CRYPTO_realloc_array(),
+CRYPTO_clear_realloc(), CRYPTO_clear_realloc_array(),
 OPENSSL_strdup(), and OPENSSL_strndup()
 return a pointer to allocated memory or NULL on error.
 
+OPENSSL_aligned_alloc() and OPENSSL_aligned_alloc_array() set B<freeptr>
+to NULL on error.
+
 CRYPTO_set_mem_functions() returns 1 on success or 0 on failure (almost
 always because allocations have already happened).
 
@@ -259,6 +312,10 @@ The memory-leak checking has been deprecated in OpenSSL 3.0 in favor of
 clang's memory and leak sanitizer.
 OPENSSL_aligned_alloc(), CRYPTO_aligned_alloc(), OPENSSL_strtoul() were
 added in OpenSSL 3.4.
+OPENSSL_malloc_array(), OPENSSL_calloc(), OPENSSL_aligned_alloc_array(),
+OPENSSL_realloc_array(), OPENSSL_clear_realloc_array(), CRYPTO_malloc_array(),
+CRYPTO_calloc(), CRYPTO_aligned_alloc_array(), CRYPTO_realloc_array(),
+CRYPTO_clear_realloc_array() were added in OpenSSL 3.6.
 
 =head1 COPYRIGHT
 

doc/man3/OPENSSL_secure_malloc.pod

@@ -4,8 +4,9 @@
 
 CRYPTO_secure_malloc_init, CRYPTO_secure_malloc_initialized,
 CRYPTO_secure_malloc_done, OPENSSL_secure_malloc, CRYPTO_secure_malloc,
-OPENSSL_secure_zalloc, CRYPTO_secure_zalloc, OPENSSL_secure_free,
-CRYPTO_secure_free, OPENSSL_secure_clear_free,
+OPENSSL_secure_zalloc, CRYPTO_secure_zalloc, OPENSSL_secure_malloc_array,
+CRYPTO_secure_malloc_array, OPENSSL_secure_calloc, CRYPTO_secure_calloc,
+OPENSSL_secure_free, CRYPTO_secure_free, OPENSSL_secure_clear_free,
 CRYPTO_secure_clear_free, OPENSSL_secure_actual_size,
 CRYPTO_secure_allocated,
 CRYPTO_secure_used - secure heap storage
@@ -26,6 +27,14 @@ CRYPTO_secure_used - secure heap storage
  void *OPENSSL_secure_zalloc(size_t num);
  void *CRYPTO_secure_zalloc(size_t num, const char *file, int line);
 
+ void *OPENSSL_secure_malloc_array(size_t num, size_t size);
+ void *CRYPTO_secure_malloc_array(size_t num, size_t size,
+                                  const char *file, int line);
+
+ void *OPENSSL_secure_calloc(size_t num, size_t size);
+ void *CRYPTO_secure_calloc(size_t num, size_t size,
+                            const char *file, int line);
+
  void OPENSSL_secure_free(void* ptr);
  void CRYPTO_secure_free(void *ptr, const char *, int);
 
@@ -80,6 +89,15 @@ OPENSSL_secure_zalloc() and CRYPTO_secure_zalloc() are like
 OPENSSL_secure_malloc() and CRYPTO_secure_malloc(), respectively,
 except that they call memset() to zero the memory before returning.
 
+OPENSSL_secure_malloc_array(), CRYPTO_secure_malloc_array(),
+OPENSSL_secure_calloc(), and CRYPTO_secure_calloc() are variants
+of OPENSSL_secure_malloc(), CRYPTO_secure_malloc(),
+OPENSSL_secure_zalloc(), and CRYPTO_secure_zalloc(), respectively, that accept
+an additional parameter, B<size>, which allows perform memory allocation
+operations for an array of B<num> members B<size> bytes each;
+these functions return an error if multiplication of B<num> and B<size>
+leads to an integer overflow, thus preventing allocations of an incorrect size.
+
 OPENSSL_secure_free() releases the memory at C<ptr> back to the heap.
 It must be called with a value previously obtained from
 OPENSSL_secure_malloc().
@@ -116,9 +134,12 @@ CRYPTO_secure_malloc_initialized() returns 1 if the secure heap is
 available (that is, if CRYPTO_secure_malloc_init() has been called,
 but CRYPTO_secure_malloc_done() has not been called or failed) or 0 if not.
 
-OPENSSL_secure_malloc() and OPENSSL_secure_zalloc() return a pointer into
-the secure heap of the requested size, or C<NULL> if memory could not be
-allocated.
+OPENSSL_secure_malloc(), CRYPTO_secure_malloc(), OPENSSL_secure_zalloc(),
+CRYPTO_secure_zalloc(), OPENSSL_secure_malloc_array(),
+CRYPTO_secure_malloc_array(), OPENSSL_secure_calloc(), and CRYPTO_secure_calloc()
+return a pointer into the secure heap of the requested size, if it is
+initialised, a pointer returned by the underlying OPENSSL_malloc() call,
+if it is not, or C<NULL> on error.
 
 CRYPTO_secure_allocated() returns 1 if the pointer is in the secure heap, or 0 if not.
 
@@ -138,6 +159,10 @@ The OPENSSL_secure_clear_free() function was added in OpenSSL 1.1.0g.
 The second argument to CRYPTO_secure_malloc_init() was changed from an B<int> to
 a B<size_t> in OpenSSL 3.0.
 
+The OPENSSL_secure_malloc_array(), CRYPTO_secure_malloc_array(),
+OPENSSL_secure_calloc(), and CRYPTO_secure_calloc() functions were added
+in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man7/provider-base.pod

@@ -154,6 +154,10 @@ provider):
  core_new_error                 OSSL_FUNC_CORE_NEW_ERROR
  core_set_error_debug           OSSL_FUNC_CORE_SET_ERROR_DEBUG
  core_vset_error                OSSL_FUNC_CORE_VSET_ERROR
+ core_set_error_mark            OSSL_FUNC_CORE_SET_ERROR_MARK
+ core_clear_last_error_mark     OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK
+ core_pop_error_to_mark         OSSL_FUNC_CORE_POP_ERROR_TO_MARK
+ core_count_to_mark             OSSL_FUNC_CORE_COUNT_TO_MARK
  core_obj_add_sigid             OSSL_FUNC_CORE_OBJ_ADD_SIGID
  core_obj_create                OSSL_FUNC_CORE_OBJ_CREATE
  CRYPTO_malloc                  OSSL_FUNC_CRYPTO_MALLOC
@@ -270,6 +274,33 @@ error occurred or was reported.
 
 This corresponds to the OpenSSL function L<ERR_vset_error(3)>.
 
+=item core_set_error_mark()
+
+sets a mark on the current topmost error record if there is one.
+
+This corresponds to the OpenSSL function L<ERR_set_mark(3)>.
+
+=item core_clear_last_error_mark()
+
+removes the last mark added if there is one.
+
+This corresponds to the OpenSSL function L<ERR_clear_last_mark(3)>.
+
+=item core_pop_error_to_mark()
+
+pops the top of the error stack until a mark is found. The mark is then removed.
+If there is no mark, the whole stack is removed.
+
+This corresponds to the OpenSSL function L<ERR_pop_to_mark(3)>.
+
+=item core_count_to_mark()
+
+returns the number of entries on the error stack above the most recently
+marked entry, not including that entry. If there is no mark in the error stack,
+the number of entries in the error stack is returned.
+
+This corresponds to the OpenSSL function L<ERR_count_to_mark(3)>.
+
 =back
 
 The core_obj_create() function registers a new OID and associated short name

doc/man7/provider-keymgmt.pod

@@ -442,6 +442,30 @@ its argument I<mdname>.  This signifies that no digest has to be specified
 with the corresponding signature operation, but may be specified as an
 option.
 
+=item "ri-type" (B<OSSL_PKEY_PARAM_CMS_RI_TYPE>) <integer>
+
+The value should be the CMS RecipientInfo type for the given key, for example
+B<CMS_RECIPINFO_KEM> or B<CMS_RECIPINFO_AGREE>.
+The value that can be given through this parameter is found in
+F<< <openssl/cms.h> >>, with the macros having names starting with
+C<CMS_RECIPINFO_>.
+
+CMS will query this parameter first to determine the RecipientInfo type.  If
+this parameter is not filled in, CMS will check for known key types and map
+them to the appropriate RecipientInfo type. Otherwise, CMS will default to
+using B<CMS_RECIPINFO_TRANS>.
+
+=item "kemri-kdf-alg" (B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM>) <UTF8 string>
+
+The value should be the DER-encoded X509_ALGOR for the default KDF for this key
+if it supports the KEMRecipientInfo (B<CMS_RECIPINFO_KEM>) type.
+
+Any KDF that takes B<OSSL_KDF_PARAM_KEY> and B<OSSL_KDF_PARAM_INFO> parameters
+and is otherwise fully defined by its OID can be used, for example B<HKDF-SHA256>.
+
+If B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM> is not implemented, B<HKDF-SHA256>
+will be used as the default KDF.
+
 =back
 
 The OpenSSL FIPS provider also supports the following parameters:

fuzz/dtlsserver.c

@@ -590,10 +590,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     SSL *server;
     BIO *in;
     BIO *out;
-#if !defined(OPENSSL_NO_EC)                     \
-    || (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0))
     BIO *bio_buf;
-#endif
     SSL_CTX *ctx;
     int ret;
 #ifndef OPENSSL_NO_DEPRECATED_3_0

fuzz/hashtable.c

@@ -103,7 +103,7 @@ int FuzzerInitialize(int *argc, char ***argv)
 
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
     ERR_clear_error();
-    prediction_table = OPENSSL_zalloc(sizeof(FUZZER_VALUE) * 65537);
+    prediction_table = OPENSSL_calloc(65537, sizeof(FUZZER_VALUE));
     if (prediction_table == NULL)
         return -1;
     fuzzer_table = ossl_ht_new(&fuzz_conf);

fuzz/oids.txt

@@ -1347,3 +1347,5 @@ OBJ_SLH_DSA_SHAKE_256f_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2E"
 OBJ_HKDF_SHA256="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1C"
 OBJ_HKDF_SHA384="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1D"
 OBJ_HKDF_SHA512="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1E"
+OBJ_id_smime_ori="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D"
+OBJ_id_smime_ori_kem="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D\x03"

fuzz/provider.c

@@ -270,7 +270,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
     for (p = param; p != NULL && p->key != NULL; p++)
         p_num++;
 
-    fuzzed_parameters = OPENSSL_zalloc(sizeof(OSSL_PARAM) *(p_num + 1));
+    fuzzed_parameters = OPENSSL_calloc(p_num + 1, sizeof(OSSL_PARAM));
     p = fuzzed_parameters;
 
     for (; param != NULL && param->key != NULL; param++) {

include/internal/array_alloc.inc

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file provides implementation of various array allocation routines that
+ * perform integer overflow checking for size calculation.  They are provided
+ * in a separate file, so they can be included in various providers, such
+ * as FIPS, directly, and not pulled through the core interface (as these are
+ * mere wrappers for the existing allocation functions and a need
+ *  to have variability in their implementation is not fereseen at this point).
+ */
+
+#include "internal/mem_alloc_utils.h"
+
+void *CRYPTO_malloc_array(size_t num, size_t size, const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_malloc(bytes, file, line);
+}
+
+void *CRYPTO_calloc(size_t num, size_t size, const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_zalloc(bytes, file, line);
+}
+
+void *CRYPTO_aligned_alloc_array(size_t num, size_t size, size_t align,
+                                 void **freeptr, const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line)) {
+        *freeptr = NULL;
+
+        return NULL;
+    }
+
+    return CRYPTO_aligned_alloc(bytes, align, freeptr, file, line);
+}
+
+void *CRYPTO_realloc_array(void *addr, size_t num, size_t size,
+                           const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_realloc(addr, bytes, file, line);
+}
+
+void *CRYPTO_clear_realloc_array(void *addr, size_t old_num, size_t num,
+                                 size_t size, const char *file, int line)
+{
+    size_t old_bytes, bytes;
+
+    if (ossl_size_mul_of(old_num, size, &old_bytes, file, line) ||
+        ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_clear_realloc(addr, old_bytes, bytes, file, line);
+}
+
+void *CRYPTO_secure_malloc_array(size_t num, size_t size,
+                                 const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_secure_malloc(bytes, file, line);
+}
+
+void *CRYPTO_secure_calloc(size_t num, size_t size, const char *file, int line)
+{
+    size_t bytes;
+
+    if (ossl_size_mul_of(num, size, &bytes, file, line))
+        return NULL;
+
+    return CRYPTO_secure_zalloc(bytes, file, line);
+}

include/internal/mem_alloc_utils.h

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Utility overflow checking and reporting functions
+ */
+
+#ifndef OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H
+# define OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H
+
+# include <limits.h>
+# include <stdbool.h>
+# include <stdint.h>
+
+# include "internal/common.h"
+
+# include <openssl/cryptoerr.h>
+# include <openssl/err.h>
+
+/*
+ * A helper routine to report memory allocation errors.
+ * Similar to the ERR_raise() macro, but accepts explicit file/line arguments,
+ * pre-defines the library to ERR_LIB_CRYPTO, and avoids emitting an error
+ * if both file set to NULL and line set to 0.
+ */
+static ossl_inline ossl_unused void
+ossl_report_alloc_err_ex(const char * const file, const int line,
+                         const int reason)
+{
+    /*
+     * ossl_err_get_state_int() in err.c uses CRYPTO_zalloc(num, NULL, 0) for
+     * ERR_STATE allocation. Prevent mem alloc error loop while reporting error.
+     */
+    if (file != NULL || line != 0) {
+        ERR_new();
+        ERR_set_debug(file, line, NULL);
+        ERR_set_error(ERR_LIB_CRYPTO, reason, NULL);
+    }
+}
+
+/* Report a memory allocation failure. */
+static inline void
+ossl_report_alloc_err(const char * const file, const int line)
+{
+    ossl_report_alloc_err_ex(file, line, ERR_R_MALLOC_FAILURE);
+}
+
+/* Report an integer overflow during allocation size calculation. */
+static inline void
+ossl_report_alloc_err_of(const char * const file, const int line)
+{
+    ossl_report_alloc_err_ex(file, line, CRYPTO_R_INTEGER_OVERFLOW);
+}
+
+/* Report invalid memory allocation call arguments. */
+static inline void
+ossl_report_alloc_err_inv(const char * const file, const int line)
+{
+    ossl_report_alloc_err_ex(file, line, ERR_R_PASSED_INVALID_ARGUMENT);
+}
+
+/*
+ * A small (premature) optimisation:  do not check for multiplication overflow
+ * if neither of the operands is at least half the type size.
+ */
+# define SQRT_SIZE_T ((size_t) 1 << (sizeof(size_t) * (CHAR_BIT / 2)))
+
+/*
+ * Check the result of num and size multiplication for overflow
+ * and set error if it is the case.
+ */
+static ossl_inline ossl_unused bool
+ossl_size_mul_of(const size_t num, const size_t size, size_t *bytes,
+                 const char * const file, const int line)
+{
+    *bytes = num * size;
+
+    if (ossl_unlikely(((num | size) >= SQRT_SIZE_T)
+                      && size && ((*bytes / size) != num))) {
+        ossl_report_alloc_err_of(file, line);
+
+        return true;
+    }
+
+    return false;
+}
+
+/*
+ * Check the result of size1 and size2 addition for overflow
+ * and set error if it is the case.
+ */
+static ossl_inline ossl_unused bool
+ossl_size_add_of(const size_t size1, const size_t size2, size_t *bytes,
+                 const char * const file, const int line)
+{
+    *bytes = size1 + size2;
+
+    if (ossl_unlikely(*bytes < size1)) {
+        ossl_report_alloc_err_of(file, line);
+
+        return true;
+    }
+
+    return false;
+}
+
+#endif /* OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H */

include/openssl/cms.h.in

@@ -70,6 +70,7 @@ CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
 # define CMS_RECIPINFO_KEK               2
 # define CMS_RECIPINFO_PASS              3
 # define CMS_RECIPINFO_OTHER             4
+# define CMS_RECIPINFO_KEM               5
 
 /* S/MIME related flags */
 
@@ -401,6 +402,14 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
 int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
                           ASN1_OCTET_STRING *ukm, int keylen);
 
+int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri);
+X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri);
+int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                    const unsigned char *ukm,
+                                    int ukmLength);
+
 /* Backward compatibility for spelling errors. */
 # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM
 # define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE \

include/openssl/cmserr.h

@@ -67,6 +67,7 @@
 #  define CMS_R_NOT_A_SIGNED_RECEIPT                       165
 #  define CMS_R_NOT_ENCRYPTED_DATA                         122
 #  define CMS_R_NOT_KEK                                    123
+#  define CMS_R_NOT_KEM                                    197
 #  define CMS_R_NOT_KEY_AGREEMENT                          181
 #  define CMS_R_NOT_KEY_TRANSPORT                          124
 #  define CMS_R_NOT_PWRI                                   177
@@ -106,10 +107,12 @@
 #  define CMS_R_UNKNOWN_CIPHER                             148
 #  define CMS_R_UNKNOWN_DIGEST_ALGORITHM                   149
 #  define CMS_R_UNKNOWN_ID                                 150
+#  define CMS_R_UNKNOWN_KDF_ALGORITHM                      198
 #  define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM          151
 #  define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM   194
 #  define CMS_R_UNSUPPORTED_CONTENT_TYPE                   152
 #  define CMS_R_UNSUPPORTED_ENCRYPTION_TYPE                192
+#  define CMS_R_UNSUPPORTED_KDF_ALGORITHM                  199
 #  define CMS_R_UNSUPPORTED_KEK_ALGORITHM                  153
 #  define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM       179
 #  define CMS_R_UNSUPPORTED_LABEL_SOURCE                   193

include/openssl/core_dispatch.h

@@ -253,6 +253,10 @@ OSSL_CORE_MAKE_FUNC(int, provider_up_ref,
 OSSL_CORE_MAKE_FUNC(int, provider_free,
                     (const OSSL_CORE_HANDLE *prov, int deactivate))
 
+/* Additional error functions provided by the core */
+# define OSSL_FUNC_CORE_COUNT_TO_MARK          120
+OSSL_CORE_MAKE_FUNC(int, core_count_to_mark, (const OSSL_CORE_HANDLE *prov))
+
 /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
 # define OSSL_FUNC_PROVIDER_TEARDOWN           1024
 OSSL_CORE_MAKE_FUNC(void, provider_teardown, (void *provctx))

include/openssl/crypto.h.in

@@ -100,36 +100,52 @@ int CRYPTO_atomic_store(uint64_t *dst, uint64_t val, CRYPTO_RWLOCK *lock);
 #define OPENSSL_malloc_init() while(0) continue
 
 # define OPENSSL_malloc(num) \
-        CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_zalloc(num) \
-        CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_malloc_array(num, size) \
+    CRYPTO_malloc_array(num, size, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_calloc(num, size) \
+    CRYPTO_calloc(num, size, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_aligned_alloc(num, alignment, freeptr) \
-        CRYPTO_aligned_alloc(num, alignment, freeptr, \
-                             OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_aligned_alloc(num, alignment, freeptr, \
+                         OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_aligned_alloc_array(num, size, alignment, freeptr) \
+    CRYPTO_aligned_alloc_array(num, size, alignment, freeptr, \
+                               OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_realloc(addr, num) \
-        CRYPTO_realloc(addr, num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_realloc(addr, num, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_clear_realloc(addr, old_num, num) \
-        CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_realloc_array(addr, num, size) \
+    CRYPTO_realloc_array(addr, num, size, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_clear_realloc_array(addr, old_num, num, size) \
+    CRYPTO_clear_realloc_array(addr, old_num, num, size, \
+                               OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_clear_free(addr, num) \
-        CRYPTO_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_free(addr) \
-        CRYPTO_free(addr, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_free(addr, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_memdup(str, s) \
-        CRYPTO_memdup((str), s, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_memdup((str), s, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_strdup(str) \
-        CRYPTO_strdup(str, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_strdup(str, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_strndup(str, n) \
-        CRYPTO_strndup(str, n, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_strndup(str, n, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_secure_malloc(num) \
-        CRYPTO_secure_malloc(num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_secure_malloc(num, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_secure_zalloc(num) \
-        CRYPTO_secure_zalloc(num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_secure_zalloc(num, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_secure_malloc_array(num, size) \
+    CRYPTO_secure_malloc_array(num, size, OPENSSL_FILE, OPENSSL_LINE)
+# define OPENSSL_secure_calloc(num, size) \
+    CRYPTO_secure_calloc(num, size, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_secure_free(addr) \
-        CRYPTO_secure_free(addr, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_secure_free(addr, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_secure_clear_free(addr, num) \
-        CRYPTO_secure_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE)
+    CRYPTO_secure_clear_free(addr, num, OPENSSL_FILE, OPENSSL_LINE)
 # define OPENSSL_secure_actual_size(ptr) \
-        CRYPTO_secure_actual_size(ptr)
+    CRYPTO_secure_actual_size(ptr)
 
 size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz);
 size_t OPENSSL_strlcat(char *dst, const char *src, size_t siz);
@@ -332,9 +348,16 @@ void CRYPTO_get_mem_functions(CRYPTO_malloc_fn *malloc_fn,
 
 OSSL_CRYPTO_ALLOC void *CRYPTO_malloc(size_t num, const char *file, int line);
 OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line);
+OSSL_CRYPTO_ALLOC void *CRYPTO_malloc_array(size_t num, size_t size,
+                                            const char *file, int line);
+OSSL_CRYPTO_ALLOC void *CRYPTO_calloc(size_t num, size_t size,
+                                      const char *file, int line);
 OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc(size_t num, size_t align,
                                              void **freeptr, const char *file,
                                              int line);
+OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc_array(size_t num, size_t size,
+                                                   size_t align, void **freeptr,
+                                                   const char *file, int line);
 OSSL_CRYPTO_ALLOC void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line);
 OSSL_CRYPTO_ALLOC char *CRYPTO_strdup(const char *str, const char *file, int line);
 OSSL_CRYPTO_ALLOC char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line);
@@ -343,11 +366,19 @@ void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line);
 void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line);
 void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num,
                            const char *file, int line);
+void *CRYPTO_realloc_array(void *addr, size_t num, size_t size,
+                           const char *file, int line);
+void *CRYPTO_clear_realloc_array(void *addr, size_t old_num, size_t num,
+                                 size_t size, const char *file, int line);
 
 int CRYPTO_secure_malloc_init(size_t sz, size_t minsize);
 int CRYPTO_secure_malloc_done(void);
 OSSL_CRYPTO_ALLOC void *CRYPTO_secure_malloc(size_t num, const char *file, int line);
 OSSL_CRYPTO_ALLOC void *CRYPTO_secure_zalloc(size_t num, const char *file, int line);
+OSSL_CRYPTO_ALLOC void *CRYPTO_secure_malloc_array(size_t num, size_t size,
+                                                   const char *file, int line);
+OSSL_CRYPTO_ALLOC void *CRYPTO_secure_calloc(size_t num, size_t size,
+                                             const char *file, int line);
 void CRYPTO_secure_free(void *ptr, const char *file, int line);
 void CRYPTO_secure_clear_free(void *ptr, size_t num,
                               const char *file, int line);

include/openssl/obj_mac.h

@@ -778,6 +778,10 @@
 #define NID_id_smime_cti                195
 #define OBJ_id_smime_cti                OBJ_SMIME,6L
 
+#define SN_id_smime_ori         "id-smime-ori"
+#define NID_id_smime_ori                1499
+#define OBJ_id_smime_ori                OBJ_SMIME,13L
+
 #define SN_id_smime_mod_cms             "id-smime-mod-cms"
 #define NID_id_smime_mod_cms            196
 #define OBJ_id_smime_mod_cms            OBJ_id_smime_mod,1L
@@ -1113,6 +1117,10 @@
 #define NID_id_smime_cti_ets_proofOfCreation            256
 #define OBJ_id_smime_cti_ets_proofOfCreation            OBJ_id_smime_cti,6L
 
+#define SN_id_smime_ori_kem             "id-smime-ori-kem"
+#define NID_id_smime_ori_kem            1500
+#define OBJ_id_smime_ori_kem            OBJ_id_smime_ori,3L
+
 #define LN_friendlyName         "friendlyName"
 #define NID_friendlyName                156
 #define OBJ_friendlyName                OBJ_pkcs9,20L

providers/common/der/HKDF.asn1

@@ -0,0 +1,16 @@
+-- Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License").  You may not use
+-- this file except in compliance with the License.  You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
+-- -------------------------------------------------------------------
+-- Taken from https://datatracker.ietf.org/doc/rfc8619/
+
+id-smime OBJECT IDENTIFIER ::= { 1 2 840 113549 1 9 16 }
+id-alg OBJECT IDENTIFIER ::= { id-smime  3 }
+
+id-alg-hkdf-with-sha256 OBJECT IDENTIFIER ::= { id-alg 28 }
+id-alg-hkdf-with-sha384 OBJECT IDENTIFIER ::= { id-alg 29 }
+id-alg-hkdf-with-sha512 OBJECT IDENTIFIER ::= { id-alg 30 }

providers/common/der/build.info

@@ -127,9 +127,20 @@ IF[{- !$disabled{'slh-dsa'} -}]
   DEPEND[$DER_SLH_DSA_H]=oids_to_c.pm SLH_DSA.asn1
 ENDIF
 
+#----- HKDF
+$DER_HKDF_H=$INCDIR/der_hkdf.h
+$DER_HKDF_GEN=der_hkdf_gen.c
+
+GENERATE[$DER_HKDF_GEN]=der_hkdf_gen.c.in
+DEPEND[$DER_HKDF_GEN]=oids_to_c.pm HKDF.asn1
+
+DEPEND[${DER_HKDF_GEN/.c/.o}]=$DER_HKDF_H
+GENERATE[$DER_HKDF_H]=$INCDIR/der_hkdf.h.in
+DEPEND[$DER_HKDF_H]=oids_to_c.pm HKDF.asn1
+
 #----- Conclusion
 
-$COMMON= $DER_RSA_COMMON $DER_DIGESTS_GEN $DER_WRAP_GEN
+$COMMON= $DER_RSA_COMMON $DER_DIGESTS_GEN $DER_WRAP_GEN $DER_HKDF_GEN
 
 IF[{- !$disabled{dsa} -}]
   $COMMON = $COMMON $DER_DSA_GEN $DER_DSA_AUX

providers/common/der/der_hkdf_gen.c.in

@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "prov/der_hkdf.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/HKDF.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_C });
+-}

providers/common/include/prov/der_hkdf.h.in

@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/der.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/HKDF.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_H });
+-}

providers/fips/fipsprov.c

@@ -65,6 +65,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
 static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark;
 static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark;
 static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark;
+static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark;
 static OSSL_FUNC_CRYPTO_malloc_fn *c_CRYPTO_malloc;
 static OSSL_FUNC_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
 static OSSL_FUNC_CRYPTO_free_fn *c_CRYPTO_free;
@@ -834,6 +835,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
         case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
             set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(in));
             break;
+        case OSSL_FUNC_CORE_COUNT_TO_MARK:
+            set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in));
+            break;
         case OSSL_FUNC_CRYPTO_MALLOC:
             set_func(c_CRYPTO_malloc, OSSL_FUNC_CRYPTO_malloc(in));
             break;
@@ -1072,6 +1076,11 @@ int ERR_pop_to_mark(void)
     return c_pop_error_to_mark(NULL);
 }
 
+int ERR_count_to_mark(void)
+{
+    return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0;
+}
+
 /*
  * This must take a library context, since it's called from the depths
  * of crypto/initthread.c code, where it's (correctly) assumed that the
@@ -1152,6 +1161,11 @@ void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr,
     return NULL;
 }
 
+/*
+ * Include implementations of array allocation wrapper routines
+ */
+#include "internal/array_alloc.inc"
+
 int BIO_snprintf(char *buf, size_t n, const char *format, ...)
 {
     va_list args;

providers/implementations/encode_decode/ml_common_codecs.c

@@ -42,7 +42,7 @@ ossl_ml_common_pkcs8_fmt_order(const char *algorithm_name,
     const char *sep = "\t ,";
 
     /* Reserve an extra terminal slot with fmt == NULL */
-    if ((ret = OPENSSL_zalloc((NUM_PKCS8_FORMATS + 1) * sizeof(*ret))) == NULL)
+    if ((ret = OPENSSL_calloc(NUM_PKCS8_FORMATS + 1, sizeof(*ret))) == NULL)
         return NULL;
 
     /* Entries that match a format will get a non-zero preference. */

providers/implementations/kdfs/argon2.c

@@ -564,8 +564,8 @@ static int fill_mem_blocks_mt(KDF_ARGON2 *ctx)
     void **t;
     ARGON2_THREAD_DATA *t_data;
 
-    t = OPENSSL_zalloc(sizeof(void *)*ctx->lanes);
-    t_data = OPENSSL_zalloc(ctx->lanes * sizeof(ARGON2_THREAD_DATA));
+    t = OPENSSL_calloc(ctx->lanes, sizeof(void *));
+    t_data = OPENSSL_calloc(ctx->lanes, sizeof(ARGON2_THREAD_DATA));
 
     if (t == NULL || t_data == NULL)
         goto fail;
@@ -733,11 +733,9 @@ static int initialize(KDF_ARGON2 *ctx)
         return 0;
 
     if (ctx->type != ARGON2_D)
-        ctx->memory = OPENSSL_secure_zalloc(ctx->memory_blocks *
-                                            sizeof(BLOCK));
+        ctx->memory = OPENSSL_secure_calloc(ctx->memory_blocks, sizeof(BLOCK));
     else
-        ctx->memory = OPENSSL_zalloc(ctx->memory_blocks *
-                                     sizeof(BLOCK));
+        ctx->memory = OPENSSL_calloc(ctx->memory_blocks, sizeof(BLOCK));
 
     if (ctx->memory == NULL) {
         ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE,

providers/implementations/keymgmt/build.info

@@ -47,6 +47,7 @@ IF[{- !$disabled{'ml-kem'} -}]
     SOURCE[$TLS_ML_KEM_HYBRID_GOAL]=mlx_kmgmt.c
   ENDIF
   SOURCE[$ML_KEM_GOAL]=ml_kem_kmgmt.c
+  DEPEND[ml_kem_kmgmt.o]=../../common/include/prov/der_hkdf.h
 ENDIF
 
 SOURCE[$RSA_GOAL]=rsa_kmgmt.c

providers/implementations/keymgmt/ml_kem_kmgmt.c.in

@@ -19,9 +19,13 @@ use OpenSSL::paramnames qw(produce_param_decoder);
 #include <openssl/rand.h>
 #include <openssl/self_test.h>
 #include <openssl/param_build.h>
+#include <openssl/cms.h>
 #include "crypto/ml_kem.h"
 #include "internal/fips.h"
 #include "internal/param_build_set.h"
+#include "internal/sizes.h"
+#include "prov/der_hkdf.h"
+#include "prov/der_wrap.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
@@ -494,7 +498,9 @@ static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[])
                           ['PKEY_PARAM_PRIV_KEY',           'privkey',   'octet_string'],
                           ['PKEY_PARAM_PUB_KEY',            'pubkey',    'octet_string'],
                           ['PKEY_PARAM_ENCODED_PUBLIC_KEY', 'encpubkey', 'octet_string'],
-                         )); -}
+                          ['PKEY_PARAM_CMS_RI_TYPE',        'ri_type',   'int'],
+                          ['PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM', 'kemri_kdf_alg', 'octet_string'],
+                          )); -}
 
 static const OSSL_PARAM *ml_kem_gettable_params(void *provctx)
 {
@@ -612,6 +618,36 @@ static int ml_kem_get_params(void *vkey, OSSL_PARAM params[])
                                   &ossl_ml_kem_encode_seed))
             return 0;
     }
+
+#ifndef OPENSSL_NO_CMS
+    if (p.ri_type != NULL && !OSSL_PARAM_set_int(p.ri_type, CMS_RECIPINFO_KEM))
+        return 0;
+
+    if (p.kemri_kdf_alg != NULL) {
+        uint8_t aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
+        int ret;
+        size_t aid_len = 0;
+        WPACKET pkt;
+        uint8_t *aid = NULL;
+
+        ret = WPACKET_init_der(&pkt, aid_buf, sizeof(aid_buf));
+        ret &= ossl_DER_w_begin_sequence(&pkt, -1)
+            && ossl_DER_w_precompiled(&pkt, -1, ossl_der_oid_id_alg_hkdf_with_sha256,
+                                      sizeof(ossl_der_oid_id_alg_hkdf_with_sha256))
+            && ossl_DER_w_end_sequence(&pkt, -1);
+        if (ret && WPACKET_finish(&pkt)) {
+            WPACKET_get_total_written(&pkt, &aid_len);
+            aid = WPACKET_get_curr(&pkt);
+        }
+        WPACKET_cleanup(&pkt);
+        if (!ret)
+            return 0;
+        if (aid != NULL && aid_len != 0 &&
+            !OSSL_PARAM_set_octet_string(p.kemri_kdf_alg, aid, aid_len))
+            return 0;
+    }
+#endif
+
     return 1;
 }