Merge 8cc004ab3a into d0899abb1b

Also add support for ML-KEM in CMS (draft-ietf-lamps-cms-kyber).

Add the -recip_kdf and -recip_ukm parameters to `openssl cms -encrypt`
to allow the user to specify the KDF algorithm and optional user
keying material for each recipient.

A provider may indicate which RecipientInfo type is supported
for a key, otherwise CMS will try to figure it out itself. A
provider may also indicate which KDF to use in KEMRecipientInfo
if the user hasn't specified one.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27681)

.gitignore

@@ -59,9 +59,6 @@
 /include/openssl/x509_vfy.h
 /include/openssl/core_names.h
 
-# Auto generated parameter name files
-/crypto/params_idx.c
-
 # Auto generated doc files
 doc/man1/openssl-*.pod
 
@@ -75,6 +72,7 @@ providers/common/der/der_rsa_gen.c
 providers/common/der/der_wrap_gen.c
 providers/common/der/der_sm2_gen.c
 providers/common/der/der_ml_dsa_gen.c
+providers/common/der/der_hkdf_gen.c
 providers/common/include/prov/der_slh_dsa.h
 providers/common/include/prov/der_dsa.h
 providers/common/include/prov/der_ec.h
@@ -84,6 +82,7 @@ providers/common/include/prov/der_digests.h
 providers/common/include/prov/der_wrap.h
 providers/common/include/prov/der_sm2.h
 providers/common/include/prov/der_ml_dsa.h
+providers/common/include/prov/der_hkdf.h
 providers/implementations/keymgmt/ml_dsa_kmgmt.c
 providers/implementations/keymgmt/ml_kem_kmgmt.c
 providers/implementations/keymgmt/mlx_kmgmt.c

CHANGES.md

@@ -52,6 +52,11 @@ OpenSSL 3.6
 
    *Alexandr Nedvedicky*
 
+ * Added NIST post-quantum security strength categories for cipher, digests
+   and public key algorithms.
+
+   *Dr Paul Dale*
+
  * The VxWorks platforms have been removed. These platforms were unadopted,
    unmaintained and reported to be non-functional.
 
@@ -145,6 +150,11 @@ OpenSSL 3.6
 
    *Michael Krueger, Martin Rauch*
 
+ * Added KEMRecipientInfo (RFC 9629) and ML-KEM (draft-ietf-lamps-cms-kyber)
+   support to CMS.
+
+   *Daniel Van Geest (CryptoNext Security)*
+
 OpenSSL 3.5
 -----------
 

apps/cms.c

@@ -53,6 +53,7 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 static int verify_err = 0;
 
 typedef struct cms_key_param_st cms_key_param;
+typedef struct cms_recip_opt_st cms_recip_opt;
 
 struct cms_key_param_st {
     int idx;
@@ -60,6 +61,14 @@ struct cms_key_param_st {
     cms_key_param *next;
 };
 
+struct cms_recip_opt_st {
+    int idx;
+    const char *kdf;
+    unsigned char *ukm_data;
+    long ukm_data_length;
+    cms_recip_opt *next;
+};
+
 typedef enum OPTION_choice {
     OPT_COMMON,
     OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
@@ -85,7 +94,8 @@ typedef enum OPTION_choice {
     OPT_PROV_ENUM, OPT_CONFIG,
     OPT_V_ENUM,
     OPT_CIPHER, OPT_KEKCIPHER,
-    OPT_ORIGINATOR
+    OPT_ORIGINATOR,
+    OPT_RECIP_UKM, OPT_RECIP_KDF
 } OPTION_CHOICE;
 
 const OPTIONS cms_options[] = {
@@ -167,13 +177,15 @@ const OPTIONS cms_options[] = {
     {"kekcipher", OPT_KEKCIPHER, 's',
      "The key encryption algorithm to use"},
     {"wrap", OPT_WRAP, 's',
-     "Key wrap algorithm to use when encrypting with key agreement"},
+     "Key wrap algorithm to use when encrypting with key agreement or key encapsulation"},
     {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
     {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
     {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
     {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
     {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
      "Disable MMA protection, return error if no recipient found (see doc)"},
+    {"recip_kdf", OPT_RECIP_KDF, 's', "Set KEMRecipientInfo KDF for current recipient"},
+    {"recip_ukm", OPT_RECIP_UKM, 's', "KEMRecipientInfo user keying material for current recipient, in hex notation"},
 
     OPT_SECTION("Signing"),
     {"md", OPT_MD, 's', "Digest algorithm to use"},
@@ -281,6 +293,19 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
     return NULL;
 }
 
+static cms_recip_opt *alloc_recip_opt(int recipidx)
+{
+    cms_recip_opt *opt;
+
+    opt = app_malloc(sizeof(*opt), "recipient options buffer");
+    opt->idx = recipidx;
+    opt->next = NULL;
+    opt->kdf = NULL;
+    opt->ukm_data = NULL;
+    opt->ukm_data_length = 0;
+    return opt;
+}
+
 int cms_main(int argc, char **argv)
 {
     CONF *conf = NULL;
@@ -319,6 +344,8 @@ int cms_main(int argc, char **argv)
     size_t secret_keylen = 0, secret_keyidlen = 0;
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     unsigned char *secret_key = NULL, *secret_keyid = NULL;
+    cms_recip_opt *recip_first = NULL, *recip_opt = NULL;
+    int recipidx = -1;
     long ltmp;
     const char *mime_eol = "\n";
     OPTION_CHOICE o;
@@ -653,6 +680,46 @@ int cms_main(int argc, char **argv)
                 recipfile = opt_arg();
             }
             break;
+        case OPT_RECIP_KDF:
+        case OPT_RECIP_UKM:
+            recipidx = -1;
+            if (operation == SMIME_ENCRYPT) {
+                if (sk_X509_num(encerts) > 0)
+                    recipidx += sk_X509_num(encerts);
+            }
+            if (recipidx < 0) {
+                BIO_printf(bio_err, "No recipient specified\n");
+                goto opthelp;
+            }
+            if (recip_opt == NULL || recip_opt->idx != recipidx) {
+                cms_recip_opt *nopt;
+
+                nopt = alloc_recip_opt(recipidx);
+                if (recip_first == NULL)
+                    recip_first = nopt;
+                else
+                    recip_opt->next = nopt;
+                recip_opt = nopt;
+            }
+            if (o == OPT_RECIP_KDF) {
+                if (recip_opt->kdf != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_kdf for one -recip\n");
+                    goto end;
+                }
+                recip_opt->kdf = opt_arg();
+            } else {
+                if (recip_opt->ukm_data != NULL) {
+                    BIO_puts(bio_err, "Illegal multiple -recip_ukm for one -recip\n");
+                    goto end;
+                }
+                recip_opt->ukm_data = OPENSSL_hexstr2buf(opt_arg(),
+                                                         &recip_opt->ukm_data_length);
+                if (recip_opt->ukm_data == NULL) {
+                    BIO_printf(bio_err, "Invalid hex value after -recip_ukm\n");
+                    goto end;
+                }
+            }
+            break;
         case OPT_CIPHER:
             ciphername = opt_unknown();
             break;
@@ -831,6 +898,9 @@ int cms_main(int argc, char **argv)
     if (operation != SMIME_ENCRYPT && *argv != NULL)
         BIO_printf(bio_err,
                    "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
+    if (operation != SMIME_ENCRYPT && recip_first != NULL)
+        BIO_printf(bio_err,
+                   "Warning: -recip_kdf and -recip_ukm parameters ignored for operation other than -encrypt\n");
 
     if ((flags & CMS_BINARY) != 0) {
         if (!(operation & SMIME_OP))
@@ -990,7 +1060,9 @@ int cms_main(int argc, char **argv)
             goto end;
         for (i = 0; i < sk_X509_num(encerts); i++) {
             CMS_RecipientInfo *ri;
+            int ri_type;
             cms_key_param *kparam;
+            cms_recip_opt *ropt;
             int tflags = flags | CMS_KEY_PARAM;
             /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
             EVP_PKEY_CTX *pctx;
@@ -998,14 +1070,19 @@ int cms_main(int argc, char **argv)
             int res;
 
             for (kparam = key_first; kparam; kparam = kparam->next) {
-                if (kparam->idx == i) {
+                if (kparam->idx == i)
                     break;
             }
+            for (ropt = recip_first; ropt; ropt = ropt->next) {
+                if (ropt->idx == i)
+                    break;
             }
             ri = CMS_add1_recipient(cms, x, key, originator, tflags);
             if (ri == NULL)
                 goto end;
 
+            ri_type = CMS_RecipientInfo_type(ri);
+
             pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
             if (pctx != NULL && kparam != NULL) {
                 if (!cms_set_pkey_param(pctx, kparam->param))
@@ -1018,15 +1095,42 @@ int cms_main(int argc, char **argv)
             if (res <= 0 && res != -2)
                 goto end;
 
-            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
-                    && wrap_cipher != NULL) {
-                EVP_CIPHER_CTX *wctx;
+            if (wrap_cipher != NULL) {
+                EVP_CIPHER_CTX *wctx = NULL;
+
+                if (ri_type == CMS_RECIPINFO_AGREE)
                     wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+                else if (ri_type == CMS_RECIPINFO_KEM)
+                    wctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+                if (wctx != NULL) {
                     if (EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL) != 1)
                         goto end;
                 }
             }
 
+            if (ropt != NULL && ri_type == CMS_RECIPINFO_KEM) {
+                if (ropt->ukm_data != NULL) {
+                    if (!CMS_RecipientInfo_kemri_set_ukm(ri, ropt->ukm_data,
+                                                         (int)ropt->ukm_data_length))
+                        goto end;
+                }
+                if (ropt->kdf != NULL) {
+                    X509_ALGOR *kdf_algo;
+                    ASN1_OBJECT *kdf_obj;
+
+                    kdf_algo = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+                    kdf_obj = OBJ_txt2obj(ropt->kdf, 0);
+                    if (kdf_obj == NULL) {
+                        BIO_printf(bio_err, "Unknown KDF %s\n", ropt->kdf);
+                        goto end;
+                    }
+                    /* Only works for OIDs without params */
+                    if (!X509_ALGOR_set0(kdf_algo, kdf_obj, V_ASN1_UNDEF, NULL))
+                        goto end;
+                }
+            }
+        }
+
         if (secret_key != NULL) {
             if (!CMS_add0_recipient_key(cms, NID_undef,
                                         secret_key, secret_keylen,
@@ -1315,6 +1419,14 @@ int cms_main(int argc, char **argv)
         OPENSSL_free(key_param);
         key_param = tparam;
     }
+    for (recip_opt = recip_first; recip_opt != NULL;) {
+        cms_recip_opt *topt;
+
+        OPENSSL_free(recip_opt->ukm_data);
+        topt = recip_opt->next;
+        OPENSSL_free(recip_opt);
+        recip_opt = topt;
+    }
     X509_STORE_free(store);
     X509_free(cert);
     X509_free(recip);

crypto/cms/build.info

@@ -2,4 +2,4 @@ LIBS=../../libcrypto
 SOURCE[../../libcrypto]= \
         cms_lib.c cms_asn1.c cms_att.c cms_io.c cms_smime.c cms_err.c \
         cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c \
-        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c
+        cms_pwri.c cms_kari.c cms_rsa.c cms_dh.c cms_ec.c cms_kem.c cms_kemri.c

crypto/cms/cms_asn1.c

@@ -201,10 +201,52 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = {
         ASN1_SIMPLE(CMS_PasswordRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(CMS_PasswordRecipientInfo)
 
+static int cms_kemri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                        void *exarg)
+{
+    CMS_KEMRecipientInfo *kemri = (CMS_KEMRecipientInfo *)*pval;
+
+    if (operation == ASN1_OP_NEW_POST) {
+        kemri->ctx = EVP_CIPHER_CTX_new();
+        if (kemri->ctx == NULL)
+            return 0;
+        EVP_CIPHER_CTX_set_flags(kemri->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+        kemri->pctx = NULL;
+    } else if (operation == ASN1_OP_FREE_POST) {
+        EVP_PKEY_CTX_free(kemri->pctx);
+        EVP_CIPHER_CTX_free(kemri->ctx);
+        ASN1_OCTET_STRING_free(kemri->ukm);
+    }
+    return 1;
+}
+
+ASN1_SEQUENCE_cb(CMS_KEMRecipientInfo, cms_kemri_cb) = {
+        ASN1_EMBED(CMS_KEMRecipientInfo, version, INT32),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, rid, CMS_SignerIdentifier),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kem, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kemct, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kdf, X509_ALGOR),
+        ASN1_EMBED(CMS_KEMRecipientInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_KEMRecipientInfo, ukm, ASN1_OCTET_STRING, 0),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, wrap, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(CMS_KEMRecipientInfo, CMS_KEMRecipientInfo)
+
+ASN1_ADB_TEMPLATE(ori_def) = ASN1_SIMPLE(CMS_OtherRecipientInfo, d.other, ASN1_ANY);
+
+ASN1_ADB(CMS_OtherRecipientInfo) = {
+        ADB_ENTRY(NID_id_smime_ori_kem, ASN1_SIMPLE(CMS_OtherRecipientInfo, d.kemri,
+                  CMS_KEMRecipientInfo))
+} ASN1_ADB_END(CMS_OtherRecipientInfo, 0, oriType, 0, &ori_def_tt, NULL);
+
+DECLARE_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
+
 ASN1_SEQUENCE(CMS_OtherRecipientInfo) = {
   ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT),
-  ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY)
-} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+  ASN1_ADB_OBJECT(CMS_OtherRecipientInfo)
+} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+
+IMPLEMENT_ASN1_FUNCTIONS(CMS_OtherRecipientInfo)
 
 /* Free up RecipientInfo additional data */
 static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -224,6 +266,23 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
             OPENSSL_clear_free(pwri->pass, pwri->passlen);
         }
+    } else if (operation == ASN1_OP_D2I_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
+        if (ri->type == CMS_RECIPINFO_OTHER) {
+            int nid;
+
+            nid = OBJ_obj2nid(ri->d.ori->oriType);
+            /* For ORI, map NID to specific type */
+            if (nid == NID_id_smime_ori_kem)
+                ri->type = CMS_RECIPINFO_KEM;
+            /* Otherwise stay with generic CMS_RECIPINFO_OTHER type */
+        }
+    } else if (operation == ASN1_OP_NEW_POST) {
+        CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval;
+
+        ri->type = ri->encoded_type;
     }
     return 1;
 }
@@ -234,7 +293,7 @@ ASN1_CHOICE_cb(CMS_RecipientInfo, cms_ri_cb) = {
         ASN1_IMP(CMS_RecipientInfo, d.kekri, CMS_KEKRecipientInfo, 2),
         ASN1_IMP(CMS_RecipientInfo, d.pwri, CMS_PasswordRecipientInfo, 3),
         ASN1_IMP(CMS_RecipientInfo, d.ori, CMS_OtherRecipientInfo, 4)
-} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, type)
+} ASN1_CHOICE_END_cb(CMS_RecipientInfo, CMS_RecipientInfo, encoded_type)
 
 ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = {
         ASN1_EMBED(CMS_EnvelopedData, version, INT32),
@@ -430,3 +489,33 @@ int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
     intsi.pecsi = &ecsi;
     return ASN1_item_i2d(intsi.a, pder, ASN1_ITEM_rptr(CMS_SharedInfo));
 }
+
+/*
+ * Utilities to encode the CMS_CMSORIforKEMOtherInfo structure used during key
+ * derivation.
+ */
+
+typedef struct {
+    X509_ALGOR *wrap;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+} CMS_CMSORIforKEMOtherInfo;
+
+ASN1_SEQUENCE(CMS_CMSORIforKEMOtherInfo) = {
+        ASN1_SIMPLE(CMS_CMSORIforKEMOtherInfo, wrap, X509_ALGOR),
+        ASN1_EMBED(CMS_CMSORIforKEMOtherInfo, kekLength, INT32),
+        ASN1_EXP_OPT(CMS_CMSORIforKEMOtherInfo, ukm, ASN1_OCTET_STRING, 0),
+} static_ASN1_SEQUENCE_END(CMS_CMSORIforKEMOtherInfo)
+
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen)
+{
+    CMS_CMSORIforKEMOtherInfo kem_otherinfo;
+
+    kem_otherinfo.wrap = wrap;
+    kem_otherinfo.kekLength = keylen;
+    kem_otherinfo.ukm = ukm;
+
+    return ASN1_item_i2d((ASN1_VALUE *)&kem_otherinfo, pder,
+                         ASN1_ITEM_rptr(CMS_CMSORIforKEMOtherInfo));
+}

crypto/cms/cms_env.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Low level key APIs (DH etc) are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -14,6 +20,7 @@
 #include <openssl/err.h>
 #include <openssl/cms.h>
 #include <openssl/evp.h>
+#include <openssl/core_names.h>
 #include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
@@ -111,9 +118,12 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
 {
     EVP_PKEY *pkey;
     int i;
-    if (ri->type == CMS_RECIPINFO_TRANS)
+
+    switch (ri->type) {
+    case CMS_RECIPINFO_TRANS:
         pkey = ri->d.ktri->pkey;
-    else if (ri->type == CMS_RECIPINFO_AGREE) {
+        break;
+    case CMS_RECIPINFO_AGREE: {
         EVP_PKEY_CTX *pctx = ri->d.kari->pctx;
 
         if (pctx == NULL)
@@ -121,8 +131,13 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd)
         pkey = EVP_PKEY_CTX_get0_pkey(pctx);
         if (pkey == NULL)
             return 0;
-    } else
+        break;
+    }
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_kem_envelope(ri, cmd);
+    default:
         return 0;
+    }
 
     if (EVP_PKEY_is_a(pkey, "DHX") || EVP_PKEY_is_a(pkey, "DH"))
         return ossl_cms_dh_envelope(ri, cmd);
@@ -202,6 +217,9 @@ void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
             case CMS_RECIPINFO_PASS:
                 ri->d.pwri->cms_ctx = ctx;
                 break;
+            case CMS_RECIPINFO_KEM:
+                ri->d.ori->d.kemri->cms_ctx = ctx;
+                break;
             default:
                 break;
             }
@@ -220,6 +238,8 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri)
         return ri->d.ktri->pctx;
     else if (ri->type == CMS_RECIPINFO_AGREE)
         return ri->d.kari->pctx;
+    else if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->pctx;
     return NULL;
 }
 
@@ -336,7 +356,7 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
     ri->d.ktri = M_ASN1_new_of(CMS_KeyTransRecipientInfo);
     if (!ri->d.ktri)
         return 0;
-    ri->type = CMS_RECIPINFO_TRANS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_TRANS;
 
     ktri = ri->d.ktri;
     ktri->cms_ctx = ctx;
@@ -423,6 +443,11 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
             goto err;
         break;
 
+    case CMS_RECIPINFO_KEM:
+        if (!ossl_cms_RecipientInfo_kemri_init(ri, recip, pk, flags, ctx))
+            goto err;
+        break;
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
         goto err;
@@ -750,7 +775,7 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_KEK;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_KEK;
 
     kekri = ri->d.kekri;
 
@@ -1025,6 +1050,9 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 0);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_decrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
         return 0;
@@ -1046,6 +1074,9 @@ int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
     case CMS_RECIPINFO_PASS:
         return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 1);
 
+    case CMS_RECIPINFO_KEM:
+        return ossl_cms_RecipientInfo_kemri_encrypt(cms, ri);
+
     default:
         ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
         return 0;
@@ -1100,7 +1131,8 @@ static void cms_env_set_version(CMS_EnvelopedData *env)
 
     for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) {
         ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i);
-        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) {
+        if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER
+            || ri->type == CMS_RECIPINFO_KEM) {
             env->version = 3;
             return;
         } else if (ri->type != CMS_RECIPINFO_TRANS
@@ -1337,6 +1369,18 @@ err:
  */
 int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
 {
+    int ri_type;
+    EVP_PKEY_CTX *ctx = NULL;
+
+    /*
+     * First check the provider for RecipientInfo support since a key may support
+     * multiple types, e.g. an RSA key and provider may support RSA key transport
+     * and/or RSA-KEM.
+     */
+    if (evp_pkey_is_provided(pk)
+        && EVP_PKEY_get_int_param(pk, OSSL_PKEY_PARAM_CMS_RI_TYPE, &ri_type))
+        return ri_type;
+
     /* Check types that we know about */
     if (EVP_PKEY_is_a(pk, "DH"))
         return CMS_RECIPINFO_AGREE;
@@ -1350,7 +1394,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         return CMS_RECIPINFO_TRANS;
 
     /*
-     * Otherwise this might ben an engine implementation, so see if we can get
+     * Otherwise this might be an engine implementation, so see if we can get
      * the type from the ameth.
      */
     if (pk->ameth && pk->ameth->pkey_ctrl) {
@@ -1359,7 +1403,25 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk)
         if (i > 0)
             return r;
     }
-    return CMS_RECIPINFO_TRANS;
+
+    /*
+     * Otherwise try very hard to figure out what RecipientInfo the key supports.
+     */
+    ri_type = CMS_RECIPINFO_TRANS;
+    ctx = EVP_PKEY_CTX_new(pk, NULL);
+    if (ctx != NULL) {
+        ERR_set_mark();
+        if (EVP_PKEY_encrypt_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_TRANS;
+        else if (EVP_PKEY_derive_init(ctx) > 0)
+            ri_type = CMS_RECIPINFO_AGREE;
+        else if (EVP_PKEY_encapsulate_init(ctx, NULL) > 0)
+            ri_type = CMS_RECIPINFO_KEM;
+        ERR_pop_to_mark();
+    }
+    EVP_PKEY_CTX_free(ctx);
+
+    return ri_type;
 }
 
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
@@ -1381,3 +1443,79 @@ int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
 
     return (supportedRiType == ri_type);
 }
+
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri,
+                                     const EVP_CIPHER *cipher)
+{
+    const CMS_CTX *cms_ctx;
+    EVP_CIPHER_CTX *ctx;
+    const EVP_CIPHER *kekcipher;
+    EVP_CIPHER *fetched_kekcipher;
+    const char *kekcipher_name;
+    int keylen;
+    int ret;
+
+    if (ri->type == CMS_RECIPINFO_AGREE) {
+        cms_ctx = ri->d.kari->cms_ctx;
+        ctx = ri->d.kari->ctx;
+    } else if (ri->type == CMS_RECIPINFO_KEM) {
+        cms_ctx = ri->d.ori->d.kemri->cms_ctx;
+        ctx = ri->d.ori->d.kemri->ctx;
+    } else {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE);
+        return 0;
+    }
+
+    /* If a suitable wrap algorithm is already set nothing to do */
+    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
+    if (kekcipher != NULL) {
+        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
+            return 0;
+        return 1;
+    }
+    if (cipher == NULL)
+        return 0;
+    keylen = EVP_CIPHER_get_key_length(cipher);
+    if (keylen <= 0) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        return 0;
+    }
+    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
+        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
+                                               0, &kekcipher);
+        if (ret <= 0)
+            return 0;
+
+        if (kekcipher != NULL) {
+            if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+                return 0;
+            kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
+            goto enc;
+        }
+    }
+
+    /*
+     * Pick a cipher based on content encryption cipher. If it is DES3 use
+     * DES3 wrap otherwise use AES wrap similar to key size.
+     */
+#ifndef OPENSSL_NO_DES
+    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
+        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
+    else
+#endif
+    if (keylen <= 16)
+        kekcipher_name = SN_id_aes128_wrap;
+    else if (keylen <= 24)
+        kekcipher_name = SN_id_aes192_wrap;
+    else
+        kekcipher_name = SN_id_aes256_wrap;
+enc:
+    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
+                                         kekcipher_name,
+                                         ossl_cms_ctx_get0_propq(cms_ctx));
+    if (fetched_kekcipher == NULL)
+        return 0;
+    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
+    EVP_CIPHER_free(fetched_kekcipher);
+    return ret;
+}

crypto/cms/cms_err.c

@@ -88,6 +88,7 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "not a signed receipt"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEM), "not kem"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_TRANSPORT), "not key transport"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"},
@@ -140,6 +141,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM),
      "unknown digest algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_KDF_ALGORITHM),
+     "unknown kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
      "unsupported compression algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM),
@@ -148,6 +151,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
      "unsupported content type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE),
      "unsupported encryption type"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KDF_ALGORITHM),
+     "unsupported kdf algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM),
      "unsupported kek algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM),

crypto/cms/cms_kari.c

@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * Low level key APIs (DH etc) are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pem.h>
@@ -349,7 +343,7 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
     if (ri->d.kari == NULL)
         return 0;
-    ri->type = CMS_RECIPINFO_AGREE;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_AGREE;
 
     kari = ri->d.kari;
     kari->version = 3;
@@ -412,67 +406,6 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip,
     return 1;
 }
 
-static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
-                         const EVP_CIPHER *cipher)
-{
-    const CMS_CTX *cms_ctx = kari->cms_ctx;
-    EVP_CIPHER_CTX *ctx = kari->ctx;
-    const EVP_CIPHER *kekcipher;
-    EVP_CIPHER *fetched_kekcipher;
-    const char *kekcipher_name;
-    int keylen;
-    int ret;
-
-    /* If a suitable wrap algorithm is already set nothing to do */
-    kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx);
-    if (kekcipher != NULL) {
-        if (EVP_CIPHER_CTX_get_mode(ctx) != EVP_CIPH_WRAP_MODE)
-            return 0;
-        return 1;
-    }
-    if (cipher == NULL)
-        return 0;
-    keylen = EVP_CIPHER_get_key_length(cipher);
-    if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
-        ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
-                                               0, &kekcipher);
-        if (ret <= 0)
-             return 0;
-
-        if (kekcipher != NULL) {
-             if (EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
-                 return 0;
-             kekcipher_name = EVP_CIPHER_get0_name(kekcipher);
-             goto enc;
-        }
-    }
-
-    /*
-     * Pick a cipher based on content encryption cipher. If it is DES3 use
-     * DES3 wrap otherwise use AES wrap similar to key size.
-     */
-#ifndef OPENSSL_NO_DES
-    if (EVP_CIPHER_get_type(cipher) == NID_des_ede3_cbc)
-        kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
-    else
-#endif
-    if (keylen <= 16)
-        kekcipher_name = SN_id_aes128_wrap;
-    else if (keylen <= 24)
-        kekcipher_name = SN_id_aes192_wrap;
-    else
-        kekcipher_name = SN_id_aes256_wrap;
-enc:
-    fetched_kekcipher = EVP_CIPHER_fetch(ossl_cms_ctx_get0_libctx(cms_ctx),
-                                         kekcipher_name,
-                                         ossl_cms_ctx_get0_propq(cms_ctx));
-    if (fetched_kekcipher == NULL)
-        return 0;
-    ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
-    EVP_CIPHER_free(fetched_kekcipher);
-    return ret;
-}
-
 /* Encrypt content key in key agreement recipient info */
 
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
@@ -492,7 +425,7 @@ int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
     reks = kari->recipientEncryptedKeys;
     ec = ossl_cms_get0_env_enc_content(cms);
     /* Initialise wrap algorithm parameters */
-    if (!cms_wrap_init(kari, ec->cipher))
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
         return 0;
     /*
      * If no originator key set up initialise for ephemeral key the public key

crypto/cms/cms_kem.c

@@ -0,0 +1,163 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <assert.h>
+#include <limits.h>
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/err.h>
+#include <openssl/decoder.h>
+#include "internal/sizes.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "cms_local.h"
+
+static int kem_cms_decrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    EVP_PKEY_CTX *pctx;
+    EVP_CIPHER_CTX *kekctx;
+    uint32_t cipher_length;
+    char name[OSSL_MAX_NAME_SIZE];
+    EVP_CIPHER *kekcipher = NULL;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+
+    OBJ_obj2txt(name, sizeof(name), wrap->algorithm, 0);
+    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
+    if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
+        goto err;
+    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
+        goto err;
+    if (EVP_CIPHER_asn1_to_param(kekctx, wrap->parameter) <= 0)
+        goto err;
+
+    cipher_length = EVP_CIPHER_CTX_get_key_length(kekctx);
+    if (cipher_length != *kekLength) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    rv = 1;
+err:
+    EVP_CIPHER_free(kekcipher);
+    return rv;
+}
+
+static int kem_cms_encrypt(CMS_RecipientInfo *ri)
+{
+    uint32_t *kekLength;
+    X509_ALGOR *wrap;
+    X509_ALGOR *kdf;
+    EVP_PKEY_CTX *pctx;
+    EVP_PKEY *pkey;
+    int security_bits;
+    const ASN1_OBJECT *kdf_obj = NULL;
+    unsigned char kemri_x509_algor[OSSL_MAX_ALGORITHM_ID_SIZE];
+    OSSL_PARAM params[2];
+    X509_ALGOR *x509_algor = NULL;
+    EVP_CIPHER_CTX *kekctx;
+    int wrap_nid;
+    int rv = 0;
+
+    if (!ossl_cms_RecipientInfo_kemri_get0_alg(ri, &kekLength, &wrap))
+        goto err;
+
+    kdf = CMS_RecipientInfo_kemri_get0_kdf_alg(ri);
+    if (kdf == NULL)
+        goto err;
+
+    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+    if (pctx == NULL)
+        goto err;
+
+    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
+    if (pkey == NULL)
+        goto err;
+
+    security_bits = EVP_PKEY_get_security_bits(pkey);
+    if (security_bits == 0)
+        goto err;
+
+    X509_ALGOR_get0(&kdf_obj, NULL, NULL, kdf);
+    if (kdf_obj == NULL || OBJ_obj2nid(kdf_obj) == NID_undef) {
+        /*
+         * If the KDF OID hasn't already been set, then query the provider
+         * for a default KDF.
+         */
+        params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM,
+                                                      kemri_x509_algor, sizeof(kemri_x509_algor));
+        params[1] = OSSL_PARAM_construct_end();
+        if (!EVP_PKEY_get_params(pkey, params))
+            goto err;
+        if (OSSL_PARAM_modified(&params[0])) {
+            const unsigned char *p = kemri_x509_algor;
+
+            x509_algor = d2i_X509_ALGOR(NULL, &p, (long)params[0].return_size);
+            if (x509_algor == NULL)
+                goto err;
+            if (!X509_ALGOR_copy(kdf, x509_algor))
+                goto err;
+        } else {
+            if (!X509_ALGOR_set0(kdf, OBJ_nid2obj(NID_HKDF_SHA256), V_ASN1_UNDEF, NULL))
+                return 0;
+        }
+    }
+
+    /* Get wrap NID */
+    kekctx = CMS_RecipientInfo_kemri_get0_ctx(ri);
+    if (kekctx == NULL)
+        goto err;
+    *kekLength = EVP_CIPHER_CTX_get_key_length(kekctx);
+    wrap_nid = EVP_CIPHER_CTX_get_type(kekctx);
+
+    /* Package wrap algorithm in an AlgorithmIdentifier */
+    ASN1_OBJECT_free(wrap->algorithm);
+    ASN1_TYPE_free(wrap->parameter);
+    wrap->algorithm = OBJ_nid2obj(wrap_nid);
+    wrap->parameter = ASN1_TYPE_new();
+    if (wrap->parameter == NULL)
+        goto err;
+    if (EVP_CIPHER_param_to_asn1(kekctx, wrap->parameter) <= 0)
+        goto err;
+    if (ASN1_TYPE_get(wrap->parameter) == NID_undef) {
+        ASN1_TYPE_free(wrap->parameter);
+        wrap->parameter = NULL;
+    }
+
+    rv = 1;
+err:
+    X509_ALGOR_free(x509_algor);
+    return rv;
+}
+
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt)
+{
+    assert(decrypt == 0 || decrypt == 1);
+
+    if (decrypt == 1)
+        return kem_cms_decrypt(ri);
+
+    if (decrypt == 0)
+        return kem_cms_encrypt(ri);
+
+    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+    return 0;
+}

crypto/cms/cms_kemri.c

@@ -0,0 +1,409 @@
+/*
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/cms.h>
+#include <openssl/core_names.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/x509.h>
+#include "cms_local.h"
+#include "crypto/evp.h"
+#include "internal/sizes.h"
+
+/* KEM Recipient Info (KEMRI) routines */
+
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+    if (pkekLength)
+        *pkekLength = &ri->d.ori->d.kemri->kekLength;
+    if (pwrap)
+        *pwrap = ri->d.ori->d.kemri->wrap;
+    return 1;
+}
+
+int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert)
+{
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return -2;
+    }
+    return ossl_cms_SignerIdentifier_cert_cmp(ri->d.ori->d.kemri->rid, cert);
+}
+
+int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+{
+    EVP_PKEY_CTX *pctx = NULL;
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+
+    if (pk != NULL) {
+        pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), pk,
+                                          ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+        if (pctx == NULL || EVP_PKEY_decapsulate_init(pctx, NULL) <= 0)
+            goto err;
+
+        kemri->pctx = pctx;
+    }
+
+    return 1;
+err:
+    EVP_PKEY_CTX_free(pctx);
+    return 0;
+}
+
+/* Initialise a kemri based on passed certificate and key */
+
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx)
+{
+    CMS_OtherRecipientInfo *ori;
+    CMS_KEMRecipientInfo *kemri;
+    int idtype;
+    X509_PUBKEY *x_pubkey;
+    X509_ALGOR *x_alg;
+
+    ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
+    if (ri->d.ori == NULL)
+        return 0;
+    ri->encoded_type = CMS_RECIPINFO_OTHER;
+    ri->type = CMS_RECIPINFO_KEM;
+
+    ori = ri->d.ori;
+    ori->oriType = OBJ_nid2obj(NID_id_smime_ori_kem);
+    if (ori->oriType == NULL)
+        return 0;
+    ori->d.kemri = M_ASN1_new_of(CMS_KEMRecipientInfo);
+    if (ori->d.kemri == NULL)
+        return 0;
+
+    kemri = ori->d.kemri;
+    kemri->version = 0;
+    kemri->cms_ctx = ctx;
+
+    /*
+     * Not a typo: RecipientIdentifier and SignerIdentifier are the same
+     * structure.
+     */
+
+    idtype = (flags & CMS_USE_KEYID) ? CMS_RECIPINFO_KEYIDENTIFIER : CMS_RECIPINFO_ISSUER_SERIAL;
+    if (!ossl_cms_set1_SignerIdentifier(kemri->rid, recip, idtype, ctx))
+        return 0;
+
+    x_pubkey = X509_get_X509_PUBKEY(recip);
+    if (x_pubkey == NULL)
+        return 0;
+    if (!X509_PUBKEY_get0_param(NULL, NULL, NULL, &x_alg, x_pubkey))
+        return 0;
+    if (!X509_ALGOR_copy(kemri->kem, x_alg))
+        return 0;
+
+    kemri->pctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx),
+                                             recipPubKey,
+                                             ossl_cms_ctx_get0_propq(ctx));
+    if (kemri->pctx == NULL)
+        return 0;
+    if (EVP_PKEY_encapsulate_init(kemri->pctx, NULL) <= 0)
+        return 0;
+
+    return 1;
+}
+
+EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->ctx;
+    return NULL;
+}
+
+X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri)
+{
+    if (ri->type == CMS_RECIPINFO_KEM)
+        return ri->d.ori->d.kemri->kdf;
+    return NULL;
+}
+
+int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                    const unsigned char *ukm,
+                                    int ukmLength)
+{
+    CMS_KEMRecipientInfo *kemri;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    if (ukm == NULL && ukmLength != 0) {
+        ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ASN1_OCTET_STRING_free(kemri->ukm);
+    kemri->ukm = ASN1_OCTET_STRING_new();
+    if (kemri->ukm == NULL)
+        return 0;
+    ASN1_OCTET_STRING_set(kemri->ukm, ukm, ukmLength);
+    return 1;
+}
+
+static EVP_KDF_CTX *create_kdf_ctx(CMS_KEMRecipientInfo *kemri)
+{
+    const ASN1_OBJECT *kdf_oid;
+    int ptype;
+    char kdf_alg[OSSL_MAX_NAME_SIZE];
+    EVP_KDF *kdf = NULL;
+    EVP_KDF_CTX *kctx = NULL;
+
+    /*
+     * KDFs with algorithm identifier parameters are not supported yet. To
+     * support this, EVP_KDF_CTX_set_algor_params from
+     * `doc/designs/passing-algorithmidentifier-parameters.md` needs to be
+     * implemented.
+     */
+    X509_ALGOR_get0(&kdf_oid, &ptype, NULL, kemri->kdf);
+    if (ptype != V_ASN1_UNDEF && ptype != V_ASN1_NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_KDF_ALGORITHM);
+        goto err;
+    }
+    if (OBJ_obj2txt(kdf_alg, sizeof(kdf_alg), kdf_oid, 1) < 0)
+        goto err;
+
+    kdf = EVP_KDF_fetch(ossl_cms_ctx_get0_libctx(kemri->cms_ctx), kdf_alg,
+                        ossl_cms_ctx_get0_propq(kemri->cms_ctx));
+    if (kdf == NULL)
+        goto err;
+
+    kctx = EVP_KDF_CTX_new(kdf);
+err:
+    EVP_KDF_free(kdf);
+    return kctx;
+}
+
+static int kdf_derive(unsigned char *kek, size_t keklen,
+                      const unsigned char *ss, size_t sslen,
+                      CMS_KEMRecipientInfo *kemri)
+{
+    EVP_KDF_CTX *kctx = NULL;
+    OSSL_PARAM params[3];
+    unsigned char *infoder = NULL;
+    int infolen = 0;
+    int rv = 0;
+
+    infolen = CMS_CMSORIforKEMOtherInfo_encode(&infoder, kemri->wrap, kemri->ukm,
+                                               kemri->kekLength);
+    if (infolen <= 0)
+        goto err;
+
+    kctx = create_kdf_ctx(kemri);
+    if (kctx == NULL)
+        goto err;
+
+    params[0] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+                                                  (unsigned char *)ss, sslen);
+    params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
+                                                  (char *)infoder, infolen);
+    params[2] = OSSL_PARAM_construct_end();
+
+    if (EVP_KDF_derive(kctx, kek, keklen, params) <= 0)
+        goto err;
+
+    rv = 1;
+err:
+    OPENSSL_free(infoder);
+    EVP_KDF_CTX_free(kctx);
+
+    return rv;
+}
+
+/*
+ * Derive KEK and decrypt/encrypt with it to produce either the original CEK
+ * or the encrypted CEK.
+ */
+
+static int cms_kek_cipher(unsigned char **pout, size_t *poutlen,
+                          const unsigned char *ss, size_t sslen,
+                          const unsigned char *in, size_t inlen,
+                          CMS_KEMRecipientInfo *kemri, int enc)
+{
+    /* Key encryption key */
+    unsigned char kek[EVP_MAX_KEY_LENGTH];
+    size_t keklen = kemri->kekLength;
+    unsigned char *out = NULL;
+    int outlen = 0;
+    int rv = 0;
+
+    if (keklen > sizeof(kek)) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH);
+        goto err;
+    }
+
+    if (!kdf_derive(kek, keklen, ss, sslen, kemri))
+        goto err;
+
+    /* Set KEK in context */
+    if (!EVP_CipherInit_ex(kemri->ctx, NULL, NULL, kek, NULL, enc))
+        goto err;
+    /* obtain output length of ciphered key */
+    if (!EVP_CipherUpdate(kemri->ctx, NULL, &outlen, in, (int)inlen))
+        goto err;
+    out = OPENSSL_malloc(outlen);
+    if (out == NULL)
+        goto err;
+    if (!EVP_CipherUpdate(kemri->ctx, out, &outlen, in, (int)inlen))
+        goto err;
+    *pout = out;
+    out = NULL;
+    *poutlen = (size_t)outlen;
+
+    rv = 1;
+err:
+    OPENSSL_free(out);
+    OPENSSL_cleanse(kek, keklen);
+    EVP_CIPHER_CTX_reset(kemri->ctx);
+    EVP_PKEY_CTX_free(kemri->pctx);
+    kemri->pctx = NULL;
+    return rv;
+}
+
+/* Encrypt content key in KEM recipient info */
+
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey;
+    size_t enckeylen;
+    int rv = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+    /* Initialise wrap algorithm parameters */
+    if (!ossl_cms_RecipientInfo_wrap_init(ri, ec->cipher))
+        return 0;
+
+    /* Initialise KDF algorithm */
+    if (!ossl_cms_env_asn1_ctrl(ri, 0))
+        return 0;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, NULL, &kem_ct_len, NULL, &kem_secret_len) <= 0)
+        return 0;
+    kem_ct = OPENSSL_malloc(kem_ct_len);
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_ct == NULL || kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_encapsulate(kemri->pctx, kem_ct, &kem_ct_len, kem_secret, &kem_secret_len) <= 0)
+        goto err;
+
+    ASN1_STRING_set0(kemri->kemct, kem_ct, (int)kem_ct_len);
+    kem_ct = NULL;
+
+    if (!cms_kek_cipher(&enckey, &enckeylen, kem_secret, kem_secret_len, ec->key, ec->keylen,
+                        kemri, 1))
+        goto err;
+    ASN1_STRING_set0(kemri->encryptedKey, enckey, (int)enckeylen);
+
+    rv = 1;
+err:
+    OPENSSL_free(kem_ct);
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return rv;
+}
+
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri)
+{
+    CMS_KEMRecipientInfo *kemri;
+    CMS_EncryptedContentInfo *ec;
+    const unsigned char *kem_ct = NULL;
+    size_t kem_ct_len;
+    unsigned char *kem_secret = NULL;
+    size_t kem_secret_len = 0;
+    unsigned char *enckey = NULL;
+    size_t enckeylen;
+    unsigned char *cek = NULL;
+    size_t ceklen;
+    int ret = 0;
+
+    if (ri->type != CMS_RECIPINFO_KEM) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM);
+        return 0;
+    }
+
+    kemri = ri->d.ori->d.kemri;
+
+    ec = ossl_cms_get0_env_enc_content(cms);
+
+    if (kemri->pctx == NULL) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_NO_PRIVATE_KEY);
+        return 0;
+    }
+
+    /* Setup all parameters to derive KEK */
+    if (!ossl_cms_env_asn1_ctrl(ri, 1))
+        goto err;
+
+    kem_ct = ASN1_STRING_get0_data(kemri->kemct);
+    kem_ct_len = ASN1_STRING_length(kemri->kemct);
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, NULL, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        return 0;
+    kem_secret = OPENSSL_malloc(kem_secret_len);
+    if (kem_secret == NULL)
+        goto err;
+
+    if (EVP_PKEY_decapsulate(kemri->pctx, kem_secret, &kem_secret_len, kem_ct, kem_ct_len) <= 0)
+        goto err;
+
+    /* Attempt to decrypt CEK */
+    enckeylen = kemri->encryptedKey->length;
+    enckey = kemri->encryptedKey->data;
+    if (!cms_kek_cipher(&cek, &ceklen, kem_secret, kem_secret_len, enckey, enckeylen, kemri, 0))
+        goto err;
+    ec = ossl_cms_get0_env_enc_content(cms);
+    OPENSSL_clear_free(ec->key, ec->keylen);
+    ec->key = cek;
+    ec->keylen = ceklen;
+
+    ret = 1;
+err:
+    OPENSSL_clear_free(kem_secret, kem_secret_len);
+    return ret;
+}

crypto/cms/cms_local.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@ typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
+typedef struct CMS_KEMRecipientInfo_st CMS_KEMRecipientInfo;
 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
 typedef struct CMS_CTX_st CMS_CTX;
 
@@ -142,7 +143,11 @@ struct CMS_EncryptedContentInfo_st {
 };
 
 struct CMS_RecipientInfo_st {
-    int type;
+    /*
+     * Type which the RecipientInfo is encoded with. OtherRecipientInfo
+     * encompasses different types, specified by 'type' below.
+     */
+    int encoded_type;
     union {
         CMS_KeyTransRecipientInfo *ktri;
         CMS_KeyAgreeRecipientInfo *kari;
@@ -150,6 +155,8 @@ struct CMS_RecipientInfo_st {
         CMS_PasswordRecipientInfo *pwri;
         CMS_OtherRecipientInfo *ori;
     } d;
+    /* internal type, including ORI types */
+    int type;
 };
 
 typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
@@ -245,7 +252,29 @@ struct CMS_PasswordRecipientInfo_st {
 
 struct CMS_OtherRecipientInfo_st {
     ASN1_OBJECT *oriType;
-    ASN1_TYPE *oriValue;
+    union {
+        /* NID_id_smime_ori_kem */
+        CMS_KEMRecipientInfo *kemri;
+        /* anything else */
+        ASN1_TYPE *other;
+    } d;
+};
+
+struct CMS_KEMRecipientInfo_st {
+    int32_t version;
+    CMS_RecipientIdentifier *rid;
+    X509_ALGOR *kem;
+    ASN1_OCTET_STRING *kemct;
+    X509_ALGOR *kdf;
+    uint32_t kekLength;
+    ASN1_OCTET_STRING *ukm;
+    X509_ALGOR *wrap;
+    ASN1_OCTET_STRING *encryptedKey;
+    /* Public key context associated with current operation */
+    EVP_PKEY_CTX *pctx;
+    /* Cipher context for CEK wrapping */
+    EVP_CIPHER_CTX *ctx;
+    const CMS_CTX *cms_ctx;
 };
 
 struct CMS_DigestedData_st {
@@ -460,6 +489,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk);
 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
 
 void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
+int ossl_cms_RecipientInfo_wrap_init(CMS_RecipientInfo *ri, const EVP_CIPHER *cipher);
 
 /* KARI routines */
 int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
@@ -470,6 +500,20 @@ int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
                                         CMS_RecipientInfo *ri);
 
+/* KEMRI routines */
+int ossl_cms_RecipientInfo_kemri_get0_alg(CMS_RecipientInfo *ri,
+                                          uint32_t **pkekLength,
+                                          X509_ALGOR **pwrap);
+int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
+                                      EVP_PKEY *recipPubKey, unsigned int flags,
+                                      const CMS_CTX *ctx);
+int ossl_cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int ossl_cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms,
+                                         CMS_RecipientInfo *ri);
+int CMS_CMSORIforKEMOtherInfo_encode(unsigned char **pder, X509_ALGOR *wrap,
+                                     ASN1_OCTET_STRING *ukm, int keylen);
+
 /* PWRI routines */
 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
                                       CMS_RecipientInfo *ri, int en_de);
@@ -486,6 +530,7 @@ int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt);
 int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify);
+int ossl_cms_kem_envelope(CMS_RecipientInfo *ri, int decrypt);
 
 int ossl_cms_get1_certs_ex(CMS_ContentInfo *cms, STACK_OF(X509) **certs);
 int ossl_cms_get1_crls_ex(CMS_ContentInfo *cms, STACK_OF(X509_CRL) **crls);
@@ -496,10 +541,12 @@ DECLARE_ASN1_ITEM(CMS_EncryptedData)
 DECLARE_ASN1_ITEM(CMS_EnvelopedData)
 DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData)
 DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
+DECLARE_ASN1_ITEM(CMS_KEMRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
 DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
+DECLARE_ASN1_ITEM(CMS_OtherRecipientInfo)
 DECLARE_ASN1_ITEM(CMS_Receipt)
 DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)

crypto/cms/cms_pwri.c

@@ -138,7 +138,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
         ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
         goto err;
     }
-    ri->type = CMS_RECIPINFO_PASS;
+    ri->encoded_type = ri->type = CMS_RECIPINFO_PASS;
 
     pwri = ri->d.pwri;
     pwri->cms_ctx = cms_ctx;

crypto/cms/cms_smime.c

@@ -750,6 +750,14 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
                 return 1;
             if (r < 0)
                 return 0;
+        } else if (ri_type == CMS_RECIPINFO_KEM) {
+            if (cert == NULL || !CMS_RecipientInfo_kemri_cert_cmp(ri, cert)) {
+                CMS_RecipientInfo_kemri_set0_pkey(ri, pk);
+                r = CMS_RecipientInfo_decrypt(cms, ri);
+                CMS_RecipientInfo_kemri_set0_pkey(ri, NULL);
+                if (cert != NULL || r > 0)
+                    return r;
+            }
         }
         /* If we have a cert, try matching RecipientInfo, else try them all */
         else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {

crypto/err/openssl.txt

@@ -354,6 +354,7 @@ CMS_R_NEED_ONE_SIGNER:164:need one signer
 CMS_R_NOT_A_SIGNED_RECEIPT:165:not a signed receipt
 CMS_R_NOT_ENCRYPTED_DATA:122:not encrypted data
 CMS_R_NOT_KEK:123:not kek
+CMS_R_NOT_KEM:197:not kem
 CMS_R_NOT_KEY_AGREEMENT:181:not key agreement
 CMS_R_NOT_KEY_TRANSPORT:124:not key transport
 CMS_R_NOT_PWRI:177:not pwri
@@ -394,11 +395,13 @@ CMS_R_UNABLE_TO_FINALIZE_CONTEXT:147:unable to finalize context
 CMS_R_UNKNOWN_CIPHER:148:unknown cipher
 CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm
 CMS_R_UNKNOWN_ID:150:unknown id
+CMS_R_UNKNOWN_KDF_ALGORITHM:198:unknown kdf algorithm
 CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm
 CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\
 	unsupported content encryption algorithm
 CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type
 CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type
+CMS_R_UNSUPPORTED_KDF_ALGORITHM:199:unsupported kdf algorithm
 CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm
 CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
 	unsupported key encryption algorithm

crypto/evp/digest.c

@@ -984,9 +984,10 @@ static void set_legacy_nid(const char *name, void *vlegacy_nid)
 static int evp_md_cache_constants(EVP_MD *md)
 {
     int ok, xof = 0, algid_absent = 0;
+    int seccat_collision = -1, seccat_preimage = -1;
     size_t blksz = 0;
     size_t mdsize = 0;
-    OSSL_PARAM params[5];
+    OSSL_PARAM params[7];
 
     /*
      * Note that these parameters are 'constants' that are only set up
@@ -998,13 +999,19 @@ static int evp_md_cache_constants(EVP_MD *md)
     params[2] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_XOF, &xof);
     params[3] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_ALGID_ABSENT,
                                          &algid_absent);
-    params[4] = OSSL_PARAM_construct_end();
+    params[4] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_SECURITY_CATEGORY_COLLISION,
+                                         &seccat_collision);
+    params[5] = OSSL_PARAM_construct_int(OSSL_DIGEST_PARAM_SECURITY_CATEGORY_PREIMAGE,
+                                         &seccat_preimage);
+    params[6] = OSSL_PARAM_construct_end();
     ok = evp_do_md_getparams(md, params) > 0;
     if (mdsize > INT_MAX || blksz > INT_MAX)
         ok = 0;
     if (ok) {
         md->block_size = (int)blksz;
         md->md_size = (int)mdsize;
+        md->security_category_collision = seccat_collision;
+        md->security_category_preimage = seccat_preimage;
         if (xof)
             md->flags |= EVP_MD_FLAG_XOF;
         if (algid_absent)

crypto/evp/e_aes.c

@@ -419,9 +419,9 @@ static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 # endif                        /* OPENSSL_NO_OCB */
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aesni_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aesni_init_key,                 \
@@ -431,7 +431,7 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \
         NULL,NULL,NULL,NULL }; \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,     \
-        keylen/8,ivlen,                 \
+        keylen/8,ivlen, seccat,         \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                 \
         aes_init_key,                   \
@@ -442,11 +442,11 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,seccat,mode,MODE,flags) \
 static const EVP_CIPHER aesni_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
-        ivlen,                          \
+        ivlen, seccat,                  \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aesni_##mode##_init_key,        \
@@ -457,7 +457,7 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
-        ivlen,                          \
+        ivlen, seccat,                  \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_##mode##_init_key,          \
@@ -805,9 +805,9 @@ static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #  define aes_t4_siv_cipher aes_siv_cipher
 # endif /* OPENSSL_NO_SIV */
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_t4_init_key,                \
@@ -817,7 +817,7 @@ static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
         NULL,NULL,NULL,NULL }; \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,     \
-        keylen/8,ivlen, \
+        keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_init_key,                   \
@@ -828,11 +828,11 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,seccat,mode,MODE,flags) \
 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
-        ivlen,                          \
+        ivlen, seccat,                  \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_t4_##mode##_init_key,       \
@@ -843,7 +843,7 @@ static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
-        ivlen,                          \
+        ivlen, seccat,                  \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_##mode##_init_key,          \
@@ -2282,12 +2282,12 @@ static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
 #  define s390x_aes_siv_ctrl aes_siv_ctrl
 # endif
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,    \
-                              MODE,flags)                               \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,        \
+                              nmode,mode,MODE,flags)                    \
 static const EVP_CIPHER s390x_aes_##keylen##_##mode = {                 \
     nid##_##keylen##_##nmode,blocksize,                                 \
     keylen / 8,                                                         \
-    ivlen,                                                              \
+    ivlen, seccat,                                                      \
     flags | EVP_CIPH_##MODE##_MODE,                                     \
     EVP_ORIG_GLOBAL,                                                    \
     s390x_aes_##mode##_init_key,                                        \
@@ -2303,7 +2303,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = {                       \
     nid##_##keylen##_##nmode,                                           \
     blocksize,                                                          \
     keylen / 8,                                                         \
-    ivlen,                                                              \
+    ivlen, seccat,                                                      \
     flags | EVP_CIPH_##MODE##_MODE,                                     \
     EVP_ORIG_GLOBAL,                                                    \
     aes_init_key,                                                       \
@@ -2321,12 +2321,12 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void)                       \
            &s390x_aes_##keylen##_##mode : &aes_##keylen##_##mode;       \
 }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags)\
+# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,seccat,mode,MODE,flags)\
 static const EVP_CIPHER s390x_aes_##keylen##_##mode = {                 \
     nid##_##keylen##_##mode,                                            \
     blocksize,                                                          \
     (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8,        \
-    ivlen,                                                              \
+    ivlen, seccat,                                                      \
     flags | EVP_CIPH_##MODE##_MODE,                                     \
     EVP_ORIG_GLOBAL,                                                    \
     s390x_aes_##mode##_init_key,                                        \
@@ -2341,7 +2341,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = {                 \
 static const EVP_CIPHER aes_##keylen##_##mode = {                       \
     nid##_##keylen##_##mode,blocksize,                                  \
     (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8,        \
-    ivlen,                                                              \
+    ivlen, seccat,                                                      \
     flags | EVP_CIPH_##MODE##_MODE,                                     \
     EVP_ORIG_GLOBAL,                                                    \
     aes_##mode##_init_key,                                              \
@@ -2361,9 +2361,9 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void)                       \
 
 #else
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_init_key,                   \
@@ -2374,11 +2374,11 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return &aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,seccat,mode,MODE,flags) \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \
-        ivlen,                          \
+        ivlen, seccat,                  \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aes_##mode##_init_key,          \
@@ -2391,14 +2391,14 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 
 #endif
 
-#define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
-        BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
-        BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
+#define BLOCK_CIPHER_generic_pack(nid,keylen,seccat,flags)             \
+        BLOCK_CIPHER_generic(nid,keylen,16,16,seccat,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
+        BLOCK_CIPHER_generic(nid,keylen,16,0,seccat,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb1,cfb1,CFB,flags)       \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb8,cfb8,CFB,flags)       \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,ctr,ctr,CTR,flags)
 
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
@@ -2632,9 +2632,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return 1;
 }
 
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
-    BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
-    BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 128, 1, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 192, 3, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 256, 5, 0)
 
 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
 {
@@ -3181,11 +3181,11 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
                 | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
 
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, 1, gcm, GCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, 3, gcm, GCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, 5, gcm, GCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
 
 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
@@ -3371,8 +3371,8 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
                          | EVP_CIPH_CUSTOM_COPY)
 
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, 1, xts, XTS, XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, 5, xts, XTS, XTS_FLAGS)
 
 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 {
@@ -3649,11 +3649,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 #define aes_ccm_cleanup NULL
 
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, 1, ccm, CCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, 3, ccm, CCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
+BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, 5, ccm, CCM,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
 
 typedef struct {
@@ -3761,7 +3761,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 static const EVP_CIPHER aes_128_wrap = {
     NID_id_aes128_wrap,
-    8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 16, 8, 1, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -3775,7 +3775,7 @@ const EVP_CIPHER *EVP_aes_128_wrap(void)
 
 static const EVP_CIPHER aes_192_wrap = {
     NID_id_aes192_wrap,
-    8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 24, 8, 3, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -3789,7 +3789,7 @@ const EVP_CIPHER *EVP_aes_192_wrap(void)
 
 static const EVP_CIPHER aes_256_wrap = {
     NID_id_aes256_wrap,
-    8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 32, 8, 5, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -3803,7 +3803,7 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
 
 static const EVP_CIPHER aes_128_wrap_pad = {
     NID_id_aes128_wrap_pad,
-    8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 16, 4, 1, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -3817,7 +3817,7 @@ const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
 
 static const EVP_CIPHER aes_192_wrap_pad = {
     NID_id_aes192_wrap_pad,
-    8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 24, 4, 3, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -3831,7 +3831,7 @@ const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
 
 static const EVP_CIPHER aes_256_wrap_pad = {
     NID_id_aes256_wrap_pad,
-    8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL,
+    8, 32, 4, 5, WRAP_FLAGS, EVP_ORIG_GLOBAL,
     aes_wrap_init_key, aes_wrap_cipher,
     NULL,
     sizeof(EVP_AES_WRAP_CTX),
@@ -4145,10 +4145,10 @@ static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
     return 1;
 }
 
-BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
+BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, 1, ocb, OCB,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
+BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, 3, ocb, OCB,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
+BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, 5, ocb, OCB,
                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
 #endif                         /* OPENSSL_NO_OCB */

crypto/evp/e_aes_cbc_hmac_sha1.c

@@ -912,13 +912,23 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
     }
 }
 
-static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
+/*
+ * Note about security categories.
+ *
+ * The security category of the combined algorithms will be the lower of
+ * the category for the cipher and the HMAC.  NIST has not defined security
+ * categories for HMACs at this stage but it seems reasonable to equate
+ * these to the pre-image security category of the underlying digest.  The
+ * pre-image category of SHA1 is less than or equal to the category for the
+ * AES flavour used, so we use it throughout.
+ */
+static const EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
 # ifdef NID_aes_128_cbc_hmac_sha1
     NID_aes_128_cbc_hmac_sha1,
 # else
     NID_undef,
 # endif
-    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE,
+    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, SHA1_PREIMAGE_CATEGORY,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     EVP_ORIG_GLOBAL,
@@ -932,13 +942,13 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
     NULL
 };
 
-static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {
+static const EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {
 # ifdef NID_aes_256_cbc_hmac_sha1
     NID_aes_256_cbc_hmac_sha1,
 # else
     NID_undef,
 # endif
-    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE,
+    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, SHA1_PREIMAGE_CATEGORY,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     EVP_ORIG_GLOBAL,

crypto/evp/e_aes_cbc_hmac_sha256.c

@@ -889,13 +889,23 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
     }
 }
 
-static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
+/*
+ * Note about security categories.
+ *
+ * The security category of the combined algorithms will be the lower of
+ * the category for the cipher and the HMAC.  NIST has not defined security
+ * categories for HMACs at this stage but it seems reasonable to equate
+ * these to the pre-image security category of the underlying digest.
+ */
+#define SEC_CAT(c) ((c) < SHA256_PREIMAGE_CATEGORY ? (c) : SHA256_PREIMAGE_CATEGORY)
+
+static const EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
 # ifdef NID_aes_128_cbc_hmac_sha256
     NID_aes_128_cbc_hmac_sha256,
 # else
     NID_undef,
 # endif
-    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE,
+    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, SEC_CAT(1),
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     EVP_ORIG_GLOBAL,
@@ -909,13 +919,13 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
     NULL
 };
 
-static EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = {
+static const EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = {
 # ifdef NID_aes_256_cbc_hmac_sha256
     NID_aes_256_cbc_hmac_sha256,
 # else
     NID_undef,
 # endif
-    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE,
+    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, SEC_CAT(5),
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     EVP_ORIG_GLOBAL,

crypto/evp/e_aria.c

@@ -132,36 +132,36 @@ static void aria_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 }
 
 IMPLEMENT_BLOCK_CIPHER(aria_128, ks, aria, EVP_ARIA_KEY,
-                        NID_aria_128, 16, 16, 16, 128,
+                        NID_aria_128, 16, 16, 16, 128, 1,
                         0, aria_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
                         NULL)
 IMPLEMENT_BLOCK_CIPHER(aria_192, ks, aria, EVP_ARIA_KEY,
-                        NID_aria_192, 16, 24, 16, 128,
+                        NID_aria_192, 16, 24, 16, 128, 3,
                         0, aria_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
                         NULL)
 IMPLEMENT_BLOCK_CIPHER(aria_256, ks, aria, EVP_ARIA_KEY,
-                        NID_aria_256, 16, 32, 16, 128,
+                        NID_aria_256, 16, 32, 16, 128, 5,
                         0, aria_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
                         NULL)
 
-# define IMPLEMENT_ARIA_CFBR(ksize,cbits) \
-                IMPLEMENT_CFBR(aria,aria,EVP_ARIA_KEY,ks,ksize,cbits,16,0)
-IMPLEMENT_ARIA_CFBR(128,1)
-IMPLEMENT_ARIA_CFBR(192,1)
-IMPLEMENT_ARIA_CFBR(256,1)
-IMPLEMENT_ARIA_CFBR(128,8)
-IMPLEMENT_ARIA_CFBR(192,8)
-IMPLEMENT_ARIA_CFBR(256,8)
+# define IMPLEMENT_ARIA_CFBR(ksize,cbits,seccat) \
+                IMPLEMENT_CFBR(aria,aria,EVP_ARIA_KEY,ks,ksize,cbits,16,seccat,0)
+IMPLEMENT_ARIA_CFBR(128,1,1)
+IMPLEMENT_ARIA_CFBR(192,1,3)
+IMPLEMENT_ARIA_CFBR(256,1,5)
+IMPLEMENT_ARIA_CFBR(128,8,1)
+IMPLEMENT_ARIA_CFBR(192,8,3)
+IMPLEMENT_ARIA_CFBR(256,8,5)
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aria_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         aria_init_key,                  \
@@ -190,9 +190,9 @@ static int aria_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return 1;
 }
 
-BLOCK_CIPHER_generic(NID_aria, 128, 1, 16, ctr, ctr, CTR, 0)
-BLOCK_CIPHER_generic(NID_aria, 192, 1, 16, ctr, ctr, CTR, 0)
-BLOCK_CIPHER_generic(NID_aria, 256, 1, 16, ctr, ctr, CTR, 0)
+BLOCK_CIPHER_generic(NID_aria, 128, 1, 16, 1, ctr, ctr, CTR, 0)
+BLOCK_CIPHER_generic(NID_aria, 192, 1, 16, 3, ctr, ctr, CTR, 0)
+BLOCK_CIPHER_generic(NID_aria, 256, 1, 16, 5, ctr, ctr, CTR, 0)
 
 /* Authenticated cipher modes (GCM/CCM) */
 
@@ -761,10 +761,10 @@ static int aria_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER \
                           | EVP_CIPH_CUSTOM_IV_LENGTH)
 
-#define BLOCK_CIPHER_aead(keylen,mode,MODE)        \
+#define BLOCK_CIPHER_aead(keylen,seccat,mode,MODE) \
 static const EVP_CIPHER aria_##keylen##_##mode = { \
         NID_aria_##keylen##_##mode,                \
-        1, keylen/8, 12,                           \
+        1, keylen/8, 12, seccat,                   \
         ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE,    \
         EVP_ORIG_GLOBAL,                           \
         aria_##mode##_init_key,                    \
@@ -775,12 +775,12 @@ static const EVP_CIPHER aria_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \
 { return (EVP_CIPHER*)&aria_##keylen##_##mode; }
 
-BLOCK_CIPHER_aead(128, gcm, GCM)
-BLOCK_CIPHER_aead(192, gcm, GCM)
-BLOCK_CIPHER_aead(256, gcm, GCM)
+BLOCK_CIPHER_aead(128, 1, gcm, GCM)
+BLOCK_CIPHER_aead(192, 3, gcm, GCM)
+BLOCK_CIPHER_aead(256, 5, gcm, GCM)
 
-BLOCK_CIPHER_aead(128, ccm, CCM)
-BLOCK_CIPHER_aead(192, ccm, CCM)
-BLOCK_CIPHER_aead(256, ccm, CCM)
+BLOCK_CIPHER_aead(128, 1, ccm, CCM)
+BLOCK_CIPHER_aead(192, 3, ccm, CCM)
+BLOCK_CIPHER_aead(256, 5, ccm, CCM)
 
 #endif

crypto/evp/e_bf.c

@@ -31,7 +31,7 @@ typedef struct {
 
 # define data(ctx)       EVP_C_DATA(EVP_BF_KEY,ctx)
 
-IMPLEMENT_BLOCK_CIPHER(bf, ks, BF, EVP_BF_KEY, NID_bf, 8, 16, 8, 64,
+IMPLEMENT_BLOCK_CIPHER(bf, ks, BF, EVP_BF_KEY, NID_bf, 8, 16, 8, 64, 0,
                        EVP_CIPH_VARIABLE_LENGTH, bf_init_key, NULL,
                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 

crypto/evp/e_camellia.c

@@ -139,9 +139,9 @@ static int cmll_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int cmll_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, size_t len);
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER cmll_t4_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         cmll_t4_init_key,               \
@@ -151,7 +151,7 @@ static const EVP_CIPHER cmll_t4_##keylen##_##mode = { \
         NULL,NULL,NULL,NULL }; \
 static const EVP_CIPHER camellia_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,     \
-        keylen/8,ivlen, \
+        keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         camellia_init_key,              \
@@ -164,9 +164,9 @@ const EVP_CIPHER *EVP_camellia_##keylen##_##mode(void) \
 
 #else
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,seccat,nmode,mode,MODE,flags) \
 static const EVP_CIPHER camellia_##keylen##_##mode = { \
-        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
+        nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, seccat, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         camellia_init_key,              \
@@ -179,14 +179,14 @@ const EVP_CIPHER *EVP_camellia_##keylen##_##mode(void) \
 
 #endif
 
-#define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
-        BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
-        BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid, keylen, 1, 16, ctr, ctr, CTR, flags)
+#define BLOCK_CIPHER_generic_pack(nid,keylen,seccat,flags)             \
+        BLOCK_CIPHER_generic(nid,keylen,16,16,seccat,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
+        BLOCK_CIPHER_generic(nid,keylen,16,0,seccat,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb1,cfb1,CFB,flags)       \
+        BLOCK_CIPHER_generic(nid,keylen,1,16,seccat,cfb8,cfb8,CFB,flags)       \
+        BLOCK_CIPHER_generic(nid, keylen, 1, 16, seccat, ctr, ctr, CTR, flags)
 
 /* The subkey for Camellia is generated. */
 static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
@@ -344,6 +344,6 @@ static int camellia_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return 1;
 }
 
-BLOCK_CIPHER_generic_pack(NID_camellia, 128, 0)
-    BLOCK_CIPHER_generic_pack(NID_camellia, 192, 0)
-    BLOCK_CIPHER_generic_pack(NID_camellia, 256, 0)
+BLOCK_CIPHER_generic_pack(NID_camellia, 128, 1, 0)
+BLOCK_CIPHER_generic_pack(NID_camellia, 192, 3, 0)
+BLOCK_CIPHER_generic_pack(NID_camellia, 256, 5, 0)

crypto/evp/e_cast.c

@@ -33,7 +33,7 @@ typedef struct {
 # define data(ctx)       EVP_C_DATA(EVP_CAST_KEY,ctx)
 
 IMPLEMENT_BLOCK_CIPHER(cast5, ks, CAST, EVP_CAST_KEY,
-                       NID_cast5, 8, CAST_KEY_LENGTH, 8, 64,
+                       NID_cast5, 8, CAST_KEY_LENGTH, 8, 64, 0,
                        EVP_CIPH_VARIABLE_LENGTH, cast_init_key, NULL,
                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 

crypto/evp/e_chacha20_poly1305.c

@@ -130,6 +130,7 @@ static const EVP_CIPHER chacha20 = {
     1,                      /* block_size */
     CHACHA_KEY_SIZE,        /* key_len */
     CHACHA_CTR_SIZE,        /* iv_len, 128-bit counter in the context */
+    5,                      /* PQ security strength category */
     EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
     EVP_ORIG_GLOBAL,
     chacha_init_key,
@@ -607,11 +608,12 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
     }
 }
 
-static EVP_CIPHER chacha20_poly1305 = {
+static const EVP_CIPHER chacha20_poly1305 = {
     NID_chacha20_poly1305,
     1,                  /* block_size */
     CHACHA_KEY_SIZE,    /* key_len */
     12,                 /* iv_len, 96-bit nonce in the context */
+    5,                  /* PQ security strength category */
     EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
     EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
     EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER |

crypto/evp/e_des.c

@@ -195,15 +195,15 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return 1;
 }
 
-BLOCK_CIPHER_defs(des, EVP_DES_KEY, NID_des, 8, 8, 8, 64,
+BLOCK_CIPHER_defs(des, EVP_DES_KEY, NID_des, 8, 8, 8, 64, 0,
                   EVP_CIPH_RAND_KEY, des_init_key, NULL,
                   EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, des_ctrl)
 
-    BLOCK_CIPHER_def_cfb(des, EVP_DES_KEY, NID_des, 8, 8, 1,
+BLOCK_CIPHER_def_cfb(des, EVP_DES_KEY, NID_des, 8, 8, 1, 0,
                  EVP_CIPH_RAND_KEY, des_init_key, NULL,
                  EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, des_ctrl)
 
-    BLOCK_CIPHER_def_cfb(des, EVP_DES_KEY, NID_des, 8, 8, 8,
+BLOCK_CIPHER_def_cfb(des, EVP_DES_KEY, NID_des, 8, 8, 8, 0,
                  EVP_CIPH_RAND_KEY, des_init_key, NULL,
                  EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, des_ctrl)
 

crypto/evp/e_des3.c

@@ -203,22 +203,22 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return 1;
 }
 
-BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
+BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, 0,
                   EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                   des_ede_init_key, NULL, NULL, NULL, des3_ctrl)
 # define des_ede3_cfb64_cipher des_ede_cfb64_cipher
 # define des_ede3_ofb_cipher des_ede_ofb_cipher
 # define des_ede3_cbc_cipher des_ede_cbc_cipher
 # define des_ede3_ecb_cipher des_ede_ecb_cipher
-    BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
+    BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, 0,
                   EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                   des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
 
-    BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
+    BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, 0,
                      EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                      des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
 
-    BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
+    BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, 0,
                      EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                      des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
 
@@ -410,7 +410,7 @@ static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 static const EVP_CIPHER des3_wrap = {
     NID_id_smime_alg_CMS3DESwrap,
-    8, 24, 0,
+    8, 24, 0, 0,
     EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
         | EVP_CIPH_FLAG_DEFAULT_ASN1,
     EVP_ORIG_GLOBAL,

crypto/evp/e_idea.c

@@ -50,7 +50,7 @@ BLOCK_CIPHER_func_cbc(idea, IDEA, EVP_IDEA_KEY, ks)
 BLOCK_CIPHER_func_ofb(idea, IDEA, 64, EVP_IDEA_KEY, ks)
 BLOCK_CIPHER_func_cfb(idea, IDEA, 64, EVP_IDEA_KEY, ks)
 
-BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64,
+BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64, 1,
                   0, idea_init_key, NULL,
                   EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 

crypto/evp/e_null.c

@@ -19,7 +19,7 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        const unsigned char *in, size_t inl);
 static const EVP_CIPHER n_cipher = {
     NID_undef,
-    1, 0, 0, 0,
+    1, 0, 0, 0, 0,
     EVP_ORIG_GLOBAL,
     null_init_key,
     null_cipher,

crypto/evp/e_rc2.c

@@ -41,7 +41,7 @@ typedef struct {
 
 IMPLEMENT_BLOCK_CIPHER(rc2, ks, RC2, EVP_RC2_KEY, NID_rc2,
                        8,
-                       RC2_KEY_LENGTH, 8, 64,
+                       RC2_KEY_LENGTH, 8, 64, 0,
                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
                        rc2_init_key, NULL,
                        rc2_set_asn1_type_and_iv, rc2_get_asn1_type_and_iv,
@@ -51,7 +51,7 @@ IMPLEMENT_BLOCK_CIPHER(rc2, ks, RC2, EVP_RC2_KEY, NID_rc2,
 # define RC2_128_MAGIC   0x3a
 static const EVP_CIPHER r2_64_cbc_cipher = {
     NID_rc2_64_cbc,
-    8, 8 /* 64 bit */ , 8,
+    8, 8 /* 64 bit */ , 8, 0,
     EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
     EVP_ORIG_GLOBAL,
     rc2_init_key,
@@ -66,7 +66,7 @@ static const EVP_CIPHER r2_64_cbc_cipher = {
 
 static const EVP_CIPHER r2_40_cbc_cipher = {
     NID_rc2_40_cbc,
-    8, 5 /* 40 bit */ , 8,
+    8, 5 /* 40 bit */ , 8, 0,
     EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
     EVP_ORIG_GLOBAL,
     rc2_init_key,

crypto/evp/e_rc4.c

@@ -36,7 +36,7 @@ static int rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                       const unsigned char *in, size_t inl);
 static const EVP_CIPHER r4_cipher = {
     NID_rc4,
-    1, EVP_RC4_KEY_SIZE, 0,
+    1, EVP_RC4_KEY_SIZE, 0, 0,
     EVP_CIPH_VARIABLE_LENGTH,
     EVP_ORIG_GLOBAL,
     rc4_init_key,
@@ -51,7 +51,7 @@ static const EVP_CIPHER r4_cipher = {
 
 static const EVP_CIPHER r4_40_cipher = {
     NID_rc4_40,
-    1, 5 /* 40 bit */ , 0,
+    1, 5 /* 40 bit */ , 0, 0,
     EVP_CIPH_VARIABLE_LENGTH,
     EVP_ORIG_GLOBAL,
     rc4_init_key,

crypto/evp/e_rc4_hmac_md5.c

@@ -246,13 +246,13 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
     }
 }
 
-static EVP_CIPHER r4_hmac_md5_cipher = {
+static const EVP_CIPHER r4_hmac_md5_cipher = {
 # ifdef NID_rc4_hmac_md5
     NID_rc4_hmac_md5,
 # else
     NID_undef,
 # endif
-    1, EVP_RC4_KEY_SIZE, 0,
+    1, EVP_RC4_KEY_SIZE, 0, 0,
     EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH |
         EVP_CIPH_FLAG_AEAD_CIPHER,
     EVP_ORIG_GLOBAL,

crypto/evp/e_rc5.c

@@ -36,7 +36,7 @@ typedef struct {
 # define data(ctx)       EVP_C_DATA(EVP_RC5_KEY,ctx)
 
 IMPLEMENT_BLOCK_CIPHER(rc5_32_12_16, ks, RC5_32, EVP_RC5_KEY, NID_rc5,
-                       8, RC5_32_KEY_LENGTH, 8, 64,
+                       8, RC5_32_KEY_LENGTH, 8, 64, 0,
                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
                        r_32_12_16_init_key, NULL, NULL, NULL, rc5_ctrl)
 

crypto/evp/e_seed.c

@@ -30,7 +30,7 @@ typedef struct {
 } EVP_SEED_KEY;
 
 IMPLEMENT_BLOCK_CIPHER(seed, ks, SEED, EVP_SEED_KEY, NID_seed,
-                       16, 16, 16, 128, EVP_CIPH_FLAG_DEFAULT_ASN1,
+                       16, 16, 16, 128, 1, EVP_CIPH_FLAG_DEFAULT_ASN1,
                        seed_init_key, 0, 0, 0, 0)
 
 static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,

crypto/evp/e_sm4.c

@@ -35,7 +35,7 @@ typedef struct {
 
 # define BLOCK_CIPHER_generic(nid,blocksize,ivlen,nmode,mode,MODE,flags) \
 static const EVP_CIPHER sm4_##mode = { \
-        nid##_##nmode,blocksize,128/8,ivlen, \
+        nid##_##nmode,blocksize,128/8,ivlen, 1, \
         flags|EVP_CIPH_##MODE##_MODE,   \
         EVP_ORIG_GLOBAL,                \
         sm4_init_key,                   \

crypto/evp/e_xcbc_d.c

@@ -39,7 +39,7 @@ typedef struct {
 
 static const EVP_CIPHER d_xcbc_cipher = {
     NID_desx_cbc,
-    8, 24, 8,
+    8, 24, 8, 0,
     EVP_CIPH_CBC_MODE,
     EVP_ORIG_GLOBAL,
     desx_cbc_init_key,

crypto/evp/evp_lib.c

@@ -320,12 +320,13 @@ int EVP_CIPHER_get_type(const EVP_CIPHER *cipher)
 int evp_cipher_cache_constants(EVP_CIPHER *cipher)
 {
     int ok, aead = 0, custom_iv = 0, cts = 0, multiblock = 0, randkey = 0;
+    int security_category = -1;
     int encrypt_then_mac = 0;
     size_t ivlen = 0;
     size_t blksz = 0;
     size_t keylen = 0;
     unsigned int mode = 0;
-    OSSL_PARAM params[11];
+    OSSL_PARAM params[12];
 
     params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_BLOCK_SIZE, &blksz);
     params[1] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &ivlen);
@@ -341,13 +342,16 @@ int evp_cipher_cache_constants(EVP_CIPHER *cipher)
                                          &randkey);
     params[9] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_ENCRYPT_THEN_MAC,
                                          &encrypt_then_mac);
-    params[10] = OSSL_PARAM_construct_end();
+    params[10] = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_SECURITY_CATEGORY,
+                                         &security_category);
+    params[11] = OSSL_PARAM_construct_end();
     ok = evp_do_ciph_getparams(cipher, params) > 0;
     if (ok) {
         cipher->block_size = (int)blksz;
         cipher->iv_len = (int)ivlen;
         cipher->key_len = (int)keylen;
         cipher->flags = mode;
+        cipher->security_category = security_category;
         if (aead)
             cipher->flags |= EVP_CIPH_FLAG_AEAD_CIPHER;
         if (custom_iv)
@@ -672,6 +676,11 @@ int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx)
     return ctx->key_len;
 }
 
+int EVP_CIPHER_get_security_category(const EVP_CIPHER *cipher)
+{
+    return cipher->security_category;
+}
+
 int EVP_CIPHER_get_nid(const EVP_CIPHER *cipher)
 {
     return (cipher == NULL) ? NID_undef : cipher->nid;
@@ -819,6 +828,24 @@ int EVP_MD_get_size(const EVP_MD *md)
     return md->md_size;
 }
 
+int EVP_MD_get_security_category_collision(const EVP_MD *md)
+{
+    if (md == NULL) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_MESSAGE_DIGEST_IS_NULL);
+        return -1;
+    }
+    return md->security_category_collision;
+}
+
+int EVP_MD_get_security_category_preimage(const EVP_MD *md)
+{
+    if (md == NULL) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_MESSAGE_DIGEST_IS_NULL);
+        return -1;
+    }
+    return md->security_category_preimage;
+}
+
 int EVP_MD_xof(const EVP_MD *md)
 {
     return md != NULL && ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0);

crypto/evp/legacy_blake2.c

@@ -41,6 +41,7 @@ static const EVP_MD blake2b_md = {
     NID_blake2b512,
     0,
     BLAKE2B_DIGEST_LENGTH,
+    5, 5,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(blake2b_int_init, blake2b_int_update,
@@ -56,6 +57,7 @@ static const EVP_MD blake2s_md = {
     NID_blake2s256,
     0,
     BLAKE2S_DIGEST_LENGTH,
+    2, 5,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(blake2s_int_init, blake2s_int_update,

crypto/evp/legacy_md2.c

@@ -23,6 +23,7 @@ static const EVP_MD md2_md = {
     NID_md2,
     NID_md2WithRSAEncryption,
     MD2_DIGEST_LENGTH,
+    0, 0,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(md2_init, md2_update, md2_final, NULL, MD2_BLOCK)

crypto/evp/legacy_md4.c

@@ -23,6 +23,7 @@ static const EVP_MD md4_md = {
     NID_md4,
     NID_md4WithRSAEncryption,
     MD4_DIGEST_LENGTH,
+    0, 0,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(md4_init, md4_update, md4_final, NULL, MD4_CBLOCK),

crypto/evp/legacy_md5.c

@@ -23,6 +23,7 @@ static const EVP_MD md5_md = {
     NID_md5,
     NID_md5WithRSAEncryption,
     MD5_DIGEST_LENGTH,
+    0, 0,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(md5_init, md5_update, md5_final, NULL, MD5_CBLOCK)

crypto/evp/legacy_md5_sha1.c

@@ -28,6 +28,7 @@ static const EVP_MD md5_sha1_md = {
     NID_md5_sha1,
     NID_md5_sha1,
     MD5_SHA1_DIGEST_LENGTH,
+    SHA1_COLLISION_CATEGORY, SHA1_PREIMAGE_CATEGORY,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(md5_sha1_int_init, md5_sha1_int_update,

crypto/evp/legacy_mdc2.c

@@ -23,6 +23,7 @@ static const EVP_MD mdc2_md = {
     NID_mdc2,
     NID_mdc2WithRSA,
     MDC2_DIGEST_LENGTH,
+    0, 0,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(mdc2_init, mdc2_update, mdc2_final, NULL,

crypto/evp/legacy_ripemd.c

@@ -23,6 +23,7 @@ static const EVP_MD ripemd160_md = {
     NID_ripemd160,
     NID_ripemd160WithRSA,
     RIPEMD160_DIGEST_LENGTH,
+    0, 1,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(ripe_init, ripe_update, ripe_final, NULL,

crypto/evp/legacy_sha.c

@@ -93,6 +93,7 @@ static const EVP_MD sha1_md = {
     NID_sha1,
     NID_sha1WithRSAEncryption,
     SHA_DIGEST_LENGTH,
+    SHA1_COLLISION_CATEGORY, SHA1_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha1_init, sha1_update, sha1_final, sha1_int_ctrl,
@@ -108,6 +109,7 @@ static const EVP_MD sha224_md = {
     NID_sha224,
     NID_sha224WithRSAEncryption,
     SHA224_DIGEST_LENGTH,
+    SHA224_COLLISION_CATEGORY, SHA224_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha224_init, sha224_update, sha224_final, NULL,
@@ -123,6 +125,7 @@ static const EVP_MD sha256_md = {
     NID_sha256,
     NID_sha256WithRSAEncryption,
     SHA256_DIGEST_LENGTH,
+    SHA256_COLLISION_CATEGORY, SHA256_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha256_init, sha256_update, sha256_final, NULL,
@@ -138,6 +141,7 @@ static const EVP_MD sha512_224_md = {
     NID_sha512_224,
     NID_sha512_224WithRSAEncryption,
     SHA224_DIGEST_LENGTH,
+    SHA224_COLLISION_CATEGORY, SHA224_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha512_224_int_init, sha512_224_int_update,
@@ -153,6 +157,7 @@ static const EVP_MD sha512_256_md = {
     NID_sha512_256,
     NID_sha512_256WithRSAEncryption,
     SHA256_DIGEST_LENGTH,
+    SHA256_COLLISION_CATEGORY, SHA256_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha512_256_int_init, sha512_256_int_update,
@@ -168,6 +173,7 @@ static const EVP_MD sha384_md = {
     NID_sha384,
     NID_sha384WithRSAEncryption,
     SHA384_DIGEST_LENGTH,
+    SHA384_COLLISION_CATEGORY, SHA384_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha384_init, sha384_update, sha384_final, NULL,
@@ -183,6 +189,7 @@ static const EVP_MD sha512_md = {
     NID_sha512,
     NID_sha512WithRSAEncryption,
     SHA512_DIGEST_LENGTH,
+    SHA512_COLLISION_CATEGORY, SHA512_PREIMAGE_CATEGORY,
     EVP_MD_FLAG_DIGALGID_ABSENT,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sha512_init, sha512_update, sha512_final, NULL,
@@ -194,13 +201,14 @@ const EVP_MD *EVP_sha512(void)
     return &sha512_md;
 }
 
-#define EVP_MD_SHA3(bitlen)                                                    \
+#define EVP_MD_SHA3(bitlen, seccat_collision, seccat_preimage)                 \
 const EVP_MD *EVP_sha3_##bitlen(void)                                          \
 {                                                                              \
     static const EVP_MD sha3_##bitlen##_md = {                                 \
         NID_sha3_##bitlen,                                                     \
         NID_RSA_SHA3_##bitlen,                                                 \
         bitlen / 8,                                                            \
+        seccat_collision, seccat_preimage,                                     \
         EVP_MD_FLAG_DIGALGID_ABSENT,                                           \
         EVP_ORIG_GLOBAL,                                                       \
         LEGACY_EVP_MD_METH_TABLE(sha3_int_init, sha3_int_update,               \
@@ -209,13 +217,14 @@ const EVP_MD *EVP_sha3_##bitlen(void)                                          \
     };                                                                         \
     return &sha3_##bitlen##_md;                                                \
 }
-#define EVP_MD_SHAKE(bitlen)                                                   \
+#define EVP_MD_SHAKE(bitlen, seccat_collision, seccat_preimage)                \
 const EVP_MD *EVP_shake##bitlen(void)                                          \
 {                                                                              \
     static const EVP_MD shake##bitlen##_md = {                                 \
         NID_shake##bitlen,                                                     \
         0,                                                                     \
         bitlen / 8,                                                            \
+        seccat_collision, seccat_preimage,                                     \
         EVP_MD_FLAG_XOF | EVP_MD_FLAG_DIGALGID_ABSENT,                         \
         EVP_ORIG_GLOBAL,                                                       \
         LEGACY_EVP_MD_METH_TABLE(shake_init, sha3_int_update, sha3_int_final,  \
@@ -224,10 +233,10 @@ const EVP_MD *EVP_shake##bitlen(void)                                          \
     return &shake##bitlen##_md;                                                \
 }
 
-EVP_MD_SHA3(224)
-EVP_MD_SHA3(256)
-EVP_MD_SHA3(384)
-EVP_MD_SHA3(512)
+EVP_MD_SHA3(224, SHA3_224_COLLISION_CATEGORY, SHA3_224_PREIMAGE_CATEGORY)
+EVP_MD_SHA3(256, SHA3_256_COLLISION_CATEGORY, SHA3_256_PREIMAGE_CATEGORY)
+EVP_MD_SHA3(384, SHA3_384_COLLISION_CATEGORY, SHA3_384_PREIMAGE_CATEGORY)
+EVP_MD_SHA3(512, SHA3_512_COLLISION_CATEGORY, SHA3_512_PREIMAGE_CATEGORY)
 
-EVP_MD_SHAKE(128)
-EVP_MD_SHAKE(256)
+EVP_MD_SHAKE(128, SHAKE128_COLLISION_CATEGORY, SHAKE128_PREIMAGE_CATEGORY)
+EVP_MD_SHAKE(256, SHAKE256_COLLISION_CATEGORY, SHAKE256_PREIMAGE_CATEGORY)

crypto/evp/legacy_wp.c

@@ -23,6 +23,7 @@ static const EVP_MD whirlpool_md = {
     NID_whirlpool,
     0,
     WHIRLPOOL_DIGEST_LENGTH,
+    5, 5,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(wp_init, wp_update, wp_final, NULL,

crypto/evp/m_null.c

@@ -33,6 +33,8 @@ static const EVP_MD null_md = {
     NID_undef,
     NID_undef,
     0,
+    0,                  /* Collision security category */
+    0,                  /* Preimage security category */
     0,
     EVP_ORIG_GLOBAL,
     init,

crypto/objects/obj_dat.h

@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[9550] = {
+static const unsigned char so[9571] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1351,9 +1351,11 @@ static const unsigned char so[9550] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1C,  /* [ 9516] OBJ_HKDF_SHA256 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1D,  /* [ 9527] OBJ_HKDF_SHA384 */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1E,  /* [ 9538] OBJ_HKDF_SHA512 */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,  /* [ 9549] OBJ_id_smime_ori */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,0x03,  /* [ 9559] OBJ_id_smime_ori_kem */
 };
 
-#define NUM_NID 1499
+#define NUM_NID 1501
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2854,9 +2856,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"id-alg-hkdf-with-sha256", "HKDF-SHA256", NID_HKDF_SHA256, 11, &so[9516]},
     {"id-alg-hkdf-with-sha384", "HKDF-SHA384", NID_HKDF_SHA384, 11, &so[9527]},
     {"id-alg-hkdf-with-sha512", "HKDF-SHA512", NID_HKDF_SHA512, 11, &so[9538]},
+    {"id-smime-ori", "id-smime-ori", NID_id_smime_ori, 10, &so[9549]},
+    {"id-smime-ori-kem", "id-smime-ori-kem", NID_id_smime_ori_kem, 11, &so[9559]},
 };
 
-#define NUM_SN 1490
+#define NUM_SN 1492
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -3744,6 +3748,8 @@ static const unsigned int sn_objs[NUM_SN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -4350,7 +4356,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1490
+#define NUM_LN 1492
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -5367,6 +5373,8 @@ static const unsigned int ln_objs[NUM_LN] = {
      201,    /* "id-smime-mod-ets-eSignature-97" */
      199,    /* "id-smime-mod-msg-v3" */
      198,    /* "id-smime-mod-oid" */
+    1499,    /* "id-smime-ori" */
+    1500,    /* "id-smime-ori-kem" */
      194,    /* "id-smime-spq" */
      250,    /* "id-smime-spq-ets-sqt-unotice" */
      249,    /* "id-smime-spq-ets-sqt-uri" */
@@ -5844,7 +5852,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 1347
+#define NUM_OBJ 1349
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -7051,6 +7059,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      193,    /* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
      194,    /* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
      195,    /* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
+    1499,    /* OBJ_id_smime_ori                 1 2 840 113549 1 9 16 13 */
      158,    /* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
      159,    /* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
      160,    /* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
@@ -7169,6 +7178,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      254,    /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
      255,    /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
      256,    /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
+    1500,    /* OBJ_id_smime_ori_kem             1 2 840 113549 1 9 16 13 3 */
      150,    /* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
      151,    /* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
      152,    /* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */

crypto/objects/obj_mac.num

@@ -1496,3 +1496,5 @@ aes_256_cbc_hmac_sha512_etm		1495
 HKDF_SHA256		1496
 HKDF_SHA384		1497
 HKDF_SHA512		1498
+id_smime_ori		1499
+id_smime_ori_kem		1500

crypto/objects/objects.txt

@@ -251,6 +251,7 @@ SMIME 3			: id-smime-alg
 SMIME 4			: id-smime-cd
 SMIME 5			: id-smime-spq
 SMIME 6			: id-smime-cti
+SMIME 13		: id-smime-ori
 
 # S/MIME Modules
 id-smime-mod 1		: id-smime-mod-cms
@@ -355,6 +356,9 @@ id-smime-cti 4		: id-smime-cti-ets-proofOfSender
 id-smime-cti 5		: id-smime-cti-ets-proofOfApproval
 id-smime-cti 6		: id-smime-cti-ets-proofOfCreation
 
+# S/MIME OtherRecipientInfo Type Identifier
+id-smime-ori 3		: id-smime-ori-kem
+
 pkcs9 20		:			: friendlyName
 pkcs9 21		:			: localKeyID
 !Alias ms-corp 1 3 6 1 4 1 311

crypto/sm3/legacy_sm3.c

@@ -19,6 +19,7 @@ static const EVP_MD sm3_md = {
     NID_sm3,
     NID_sm3WithRSAEncryption,
     SM3_DIGEST_LENGTH,
+    2, 5,
     0,
     EVP_ORIG_GLOBAL,
     LEGACY_EVP_MD_METH_TABLE(sm3_int_init, sm3_int_update, sm3_int_final, NULL,

doc/man1/openssl-cms.pod.in

@@ -75,6 +75,8 @@ Encryption options:
 [B<-aes256-wrap>]
 [B<-des3-wrap>]
 [B<-debug_decrypt>]
+[B<-recip_kdf> I<kdf>]
+[B<-recip_ukm> I<ukm>]
 
 Signing options:
 
@@ -450,6 +452,19 @@ Depending on the OpenSSL build options used, B<-des3-wrap> may not be supported.
 This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
 with caution: see the notes section below.
 
+=item B<-recip_kdf>
+
+This option sets the KDF used to generate the key encryption key in the
+B<KEMRecipientInfo> type. Any KDF that takes B<OSSL_KDF_PARAM_KEY> and
+B<OSSL_KDF_PARAM_INFO> parameters and is otherwise fully defined by its name or
+OID can be used, for example B<HKDF-SHA256>.
+
+=item B<-recip_ukm>
+
+This option sets the B<KEMRecipientInfo> type's optional user keying material (UKM)
+in hexadecimal form. The UKM will be encoded, along with other information, into the
+B<OSSL_KDF_PARAM_INFO> parameter of the B<KEMRecipientInfo> type's KDF.
+
 =back
 
 =head2 Signing options
@@ -937,6 +952,8 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 
 The B<-digest> option was added in OpenSSL 3.2.
 
+The B<-recip_kdf> and B<-recip_ukm> options were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man3/CMS_add1_recipient_cert.pod

@@ -30,7 +30,8 @@ The originator-related fields are relevant only in case when the keyAgreement
 method of providing of the shared key is in use.
 
 CMS_add1_recipient_cert() adds recipient B<recip> to CMS_ContentInfo enveloped
-data structure B<cms> as a KeyTransRecipientInfo structure.
+data structure B<cms> as a KeyTransRecipientInfo or KEMRecipientInfo structure,
+or as a KeyAgreeRecipientInfo structure with an ephemeral key.
 
 CMS_add0_recipient_key() adds symmetric key B<key> of length B<keylen> using
 wrapping algorithm B<nid>, identifier B<id> of length B<idlen> and optional

doc/man3/CMS_encrypt.pod

@@ -78,10 +78,12 @@ BIO_new_CMS().
 
 The recipients specified in B<certs> use a CMS KeyTransRecipientInfo info
 structure. KEKRecipientInfo is also supported using the flag B<CMS_PARTIAL>
-and CMS_add0_recipient_key().
+and CMS_add0_recipient_key(). KEMRecipientInfo is also supported using the
+flag B<CMS_PARTIAL> and CMS_add1_recipient().
 
 The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
-added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
+are added later using CMS_add1_recipient() or CMS_add1_recipient_cert() with
+CMS_add0_recipient_key().
 
 CMS_encrypt() is similar to CMS_encrypt_ex() but uses default values
 of NULL for the library context I<libctx> and the property query I<propq>.
@@ -104,7 +106,7 @@ The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/CMS_get0_RecipientInfos.pod

@@ -6,9 +6,12 @@ CMS_get0_RecipientInfos, CMS_RecipientInfo_type,
 CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp,
 CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id,
 CMS_RecipientInfo_kari_set0_pkey_and_peer,
-CMS_RecipientInfo_kari_set0_pkey,
+CMS_RecipientInfo_kari_set0_pkey, CMS_RecipientInfo_kari_get0_ctx,
 CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key,
-CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
+CMS_RecipientInfo_kemri_cert_cmp, CMS_RecipientInfo_kemri_set0_pkey,
+CMS_RecipientInfo_kemri_get0_ctx, CMS_RecipientInfo_kemri_get0_kdf_alg,
+CMS_RecipientInfo_kemri_set_ukm, CMS_RecipientInfo_decrypt,
+CMS_RecipientInfo_encrypt
 - CMS envelopedData RecipientInfo routines
 
 =head1 SYNOPSIS
@@ -27,6 +30,7 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
  int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri,
                                                EVP_PKEY *pk, X509 *peer);
  int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
                                      ASN1_OCTET_STRING **pid,
                                      ASN1_GENERALIZEDTIME **pdate,
@@ -36,6 +40,13 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
                                     const unsigned char *id, size_t idlen);
  int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
                                 unsigned char *key, size_t keylen);
+ int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+ int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri);
+ X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri);
+ int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                     const unsigned char *ukm,
+                                     int ukmLength);
 
  int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
  int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
@@ -47,7 +58,8 @@ structures associated with a CMS EnvelopedData structure.
 
 CMS_RecipientInfo_type() returns the type of CMS_RecipientInfo structure B<ri>.
 It will currently return CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
-CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER.
+CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, CMS_RECIPINFO_KEM, or
+CMS_RECIPINFO_OTHER.
 
 CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient
 identifier associated with a specific CMS_RecipientInfo structure B<ri>, which
@@ -69,6 +81,10 @@ must be of type CMS_RECIPINFO_AGREE.
 CMS_RecipientInfo_kari_set0_pkey() associates the private key B<pkey> with the
 CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_AGREE.
 
+CMS_RecipientInfo_kari_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_AGREE.
+
 CMS_RecipientInfo_kekri_get0_id() retrieves the key information from the
 CMS_RecipientInfo structure B<ri> which must be of type CMS_RECIPINFO_KEK.  Any
 of the remaining parameters can be NULL if the application is not interested in
@@ -88,6 +104,27 @@ CMS_RecipientInfo_set0_key() associates the symmetric key B<key> of length
 B<keylen> with the CMS_RecipientInfo structure B<ri>, which must be of type
 CMS_RECIPINFO_KEK.
 
+CMS_RecipientInfo_kemri_cert_cmp() compares the certificate B<cert> against the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+It returns zero if the comparison is successful and non zero if not.
+
+CMS_RecipientInfo_kemri_set0_pkey() associates the private key B<pkey> with the
+CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_ctx() returns the EVP_CIPHER_CTX for the key
+encryption key, allowing the caller to specify the key wrap cipher.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the X509_ALGOR for the
+RecipientInfo's KDF, allowing the caller to specify the KDF algorithm.  The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM. If the
+caller doesn't specify a KDF algorithm, B<HKDF-SHA256> will be used.
+
+CMS_RecipientInfo_kemri_set_ukm() sets the RecipientInfo's optional user
+keying material (UKM).  The UKM is encoded, along with other information, into
+the B<OSSL_KDF_PARAM_INFO> parameter of the RecipientInfo's KDF. The
+CMS_RecipientInfo structure B<ri> must be of type CMS_RECIPINFO_KEM.
+
 CMS_RecipientInfo_decrypt() attempts to decrypt CMS_RecipientInfo structure
 B<ri> in structure B<cms>. A key must have been associated with the structure
 first.
@@ -125,12 +162,20 @@ CMS_get0_RecipientInfos() returns all CMS_RecipientInfo structures, or NULL if
 an error occurs.
 
 CMS_RecipientInfo_ktri_get0_signer_id(), CMS_RecipientInfo_set0_pkey(),
-CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key() and
-CMS_RecipientInfo_decrypt() return 1 for success or 0 if an error occurs.
-CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.
+CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key(),
+CMS_RecipientInfo_kemri_set0_pkey(), CMS_RecipientInfo_kemri_set_ukm(),
+CMS_RecipientInfo_decrypt() and CMS_RecipientInfo_encrypt() return 1 for
+success or 0 if an error occurs.
 
-CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_cmp() return 0
-for a successful comparison and non zero otherwise.
+CMS_RecipientInfo_ktri_cert_cmp(), CMS_RecipientInfo_kemri_cert_cmp() and
+CMS_RecipientInfo_kekri_cmp() return 0 for a successful comparison and non zero
+otherwise.
+
+CMS_RecipientInfo_kemri_get0_ctx() and CMS_RecipientInfo_kari_get0_ctx return
+the RecipientInfo's EVP_CIPHER_CTX or NULL if an error occurred.
+
+CMS_RecipientInfo_kemri_get0_kdf_alg() returns the RecipientInfo's KDF's
+X509_ALGOR or NULL if an error occurred.
 
 Any error can be obtained from L<ERR_get_error(3)>.
 
@@ -143,9 +188,13 @@ L<ERR_get_error(3)>, L<CMS_decrypt(3)>
 B<CMS_RecipientInfo_kari_set0_pkey_and_peer> and B<CMS_RecipientInfo_kari_set0_pkey>
 were added in OpenSSL 3.0.
 
+B<CMS_RecipientInfo_kemri_cert_cmp>, B<CMS_RecipientInfo_kemri_set0_pkey>,
+B<CMS_RecipientInfo_kemri_get0_ctx>, B<CMS_RecipientInfo_kemri_get0_kdf_alg>
+and B<CMS_RecipientInfo_kemri_set_ukm> were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/EVP_DigestInit.pod

@@ -16,6 +16,7 @@ EVP_DigestSqueeze,
 EVP_MD_is_a, EVP_MD_get0_name, EVP_MD_get0_description,
 EVP_MD_names_do_all, EVP_MD_get0_provider, EVP_MD_get_type,
 EVP_MD_get_pkey_type, EVP_MD_get_size, EVP_MD_get_block_size, EVP_MD_get_flags,
+EVP_MD_get_security_category_collision, EVP_MD_get_security_category_preimage,
 EVP_MD_CTX_get0_name, EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md,
 EVP_MD_CTX_get_type, EVP_MD_CTX_get_size_ex, EVP_MD_CTX_get_block_size,
 EVP_MD_CTX_get0_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
@@ -85,6 +86,8 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
  int EVP_MD_get_pkey_type(const EVP_MD *md);
  int EVP_MD_get_size(const EVP_MD *md);
  int EVP_MD_get_block_size(const EVP_MD *md);
+ int EVP_MD_get_security_category_collision(const EVP_MD *md);
+ int EVP_MD_get_security_category_preimage(const EVP_MD *md);
  unsigned long EVP_MD_get_flags(const EVP_MD *md);
  int EVP_MD_xof(const EVP_MD *md);
 
@@ -441,6 +444,48 @@ Returns the update function for I<ctx>.
 Returns the I<md> flags. Note that these are different from the B<EVP_MD_CTX>
 ones. See L<EVP_MD_meth_set_flags(3)> for more information.
 
+=item EVP_MD_get_security_category_collision(),
+EVP_MD_get_security_category_preimage()
+
+These functions return the
+L<post-quantum security categories|https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf>
+for the digest as defined by NIST.
+EVP_MD_get_security_category_collision() returns the security category with respect
+to the generation of two inputs that output an identical digest value.
+EVP_MD_get_security_category_preimage() returns the security category with respect
+to the generation of an input that outputs a specific digest value.
+The post-quantum security category is an integer value from 0 to 5 that
+is based on an algorithm's classification on the range of security strengths
+offered by the existing standards in symmetric cryptography:
+
+=begin text
+
+ Security       Attack
+ Category       Type
+ ==============================================================
+    0           Weak
+    1           Key search on a block cipher with a 128-bit key
+    2           Collision search on a 256-bit hash function
+    3           Key search on a block cipher with a 192-bit key
+    4           Collision search on a 384-bit hash function
+    5           Key search on a block cipher with a 256-bit key
+
+=end text
+
+=begin html
+
+<table>
+<tr><th>Security Category</th><th>Attack Type</th>></tr>
+<tr><td>0</td><td>Weak</td></tr>
+<tr><td>1</td><td>Key search on a block cipher with a 128-bit key</td></tr>
+<tr><td>2</td><td>Collision search on a 256-bit hash function</td></tr>
+<tr><td>3</td><td>Key search on a block cipher with a 192-bit key</td></tr>
+<tr><td>4</td><td>Collision search on a 384-bit hash function</td></tr>
+<tr><td>5</td><td>Key search on a block cipher with a 256-bit key</td></tr>
+</table>
+
+=end html
+
 =item EVP_MD_get_pkey_type()
 
 Returns the NID of the public key signing algorithm associated with this
@@ -692,6 +737,13 @@ This function has no return value.
 Returns 1 if the callback was called for all names. A return value of 0 means
 that the callback was not called for any names.
 
+=item EVP_MD_get_security_category_collision(),
+EVP_MD_get_security_category_preimage()
+
+Return the post-quantum security category which is an integer in the range
+zero to five inclusive.  They returns -1 if the security category information
+isn't available.
+
 =back
 
 =head1 NOTES
@@ -862,9 +914,12 @@ to be aliases for EVP_MD_CTX_get_size_ex(), previously they were aliases for
 EVP_MD_get_size which returned a constant value. This is required for XOF
 digests since they do not have a fixed size.
 
+The EVP_MD_get_security_category_collision() and
+EVP_MD_get_security_category_preimage() functions were added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/EVP_EncryptInit.pod

@@ -51,6 +51,7 @@ EVP_CIPHER_gettable_params,
 EVP_CIPHER_get_block_size,
 EVP_CIPHER_get_key_length,
 EVP_CIPHER_get_iv_length,
+EVP_CIPHER_get_security_category,
 EVP_CIPHER_get_flags,
 EVP_CIPHER_get_mode,
 EVP_CIPHER_get_type,
@@ -207,6 +208,7 @@ EVP_CIPHER_CTX_mode
  int EVP_CIPHER_get_block_size(const EVP_CIPHER *e);
  int EVP_CIPHER_get_key_length(const EVP_CIPHER *e);
  int EVP_CIPHER_get_iv_length(const EVP_CIPHER *e);
+ int EVP_CIPHER_get_security_category(const EVP_CIPHER *e);
  unsigned long EVP_CIPHER_get_flags(const EVP_CIPHER *e);
  unsigned long EVP_CIPHER_get_mode(const EVP_CIPHER *e);
  int EVP_CIPHER_get_type(const EVP_CIPHER *cipher);
@@ -613,6 +615,43 @@ the cipher has not yet been initialized within the B<EVP_CIPHER_CTX>, or if the
 passed cipher is NULL.  The constant B<EVP_MAX_IV_LENGTH> is the maximum IV
 length for all ciphers.
 
+=item EVP_CIPHER_get_security_category()
+
+EVP_CIPHER_get_security_category() returns the
+L<post-quantum security category|https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf>
+as defined by NIST.
+The post-quantum security category is an integer value from 0 to 5 that
+is based on an algorithm's classification on the range of security strengths
+offered by the existing standards in symmetric cryptography:
+
+=begin text
+
+ Security       Attack
+ Category       Type
+ ==============================================================
+    0           Weak
+    1           Key search on a block cipher with a 128-bit key
+    2           Collision search on a 256-bit hash function
+    3           Key search on a block cipher with a 192-bit key
+    4           Collision search on a 384-bit hash function
+    5           Key search on a block cipher with a 256-bit key
+
+=end text
+
+=begin html
+
+<table>
+<tr><th>Security Category</th><th>Attack Type</th>></tr>
+<tr><td>0</td><td>Weak</td></tr>
+<tr><td>1</td><td>Key search on a block cipher with a 128-bit key</td></tr>
+<tr><td>2</td><td>Collision search on a 256-bit hash function</td></tr>
+<tr><td>3</td><td>Key search on a block cipher with a 192-bit key</td></tr>
+<tr><td>4</td><td>Collision search on a 384-bit hash function</td></tr>
+<tr><td>5</td><td>Key search on a block cipher with a 256-bit key</td></tr>
+</table>
+
+=end html
+
 =item EVP_CIPHER_CTX_get_tag_length()
 
 Returns the tag length of an AEAD cipher when passed a B<EVP_CIPHER_CTX>. It will
@@ -766,6 +805,13 @@ Use EVP_CIPHER_get_key_length() to retrieve the cached value.
 Gets the IV length for the associated cipher algorithm I<cipher>.
 Use EVP_CIPHER_get_iv_length() to retrieve the cached value.
 
+=item "security-category" (B<OSSL_CIPHER_PARAM_SECURITY_CATEGORY>) <integer>
+
+The value is the NIST
+L<post-quantum security category|https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf>
+for the associated cipher algorithm.
+It is an integer value in the range [0, 5] inclusive.
+
 =item "blocksize" (B<OSSL_CIPHER_PARAM_BLOCK_SIZE>) <unsigned integer>
 
 Gets the block size for the associated cipher algorithm I<cipher>.
@@ -1429,6 +1475,10 @@ EVP_CIPHER_CTX_set_padding() always returns 1.
 EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length() return the IV
 length, zero if the cipher does not use an IV and a negative value on error.
 
+EVP_CIPHER_get_security_category() returns the post-quantum security category
+which is an integer in the range zero to five inclusive.  It returns -1 if
+the security category information isn't available.
+
 EVP_CIPHER_CTX_get_tag_length() return the tag length or zero if the cipher
 does not use a tag.
 
@@ -1958,6 +2008,8 @@ Prior to OpenSSL 3.5, passing a NULL I<ctx> to
 B<EVP_CIPHER_CTX_get_block_size()> would result in a NULL pointer dereference,
 rather than a 0 return value indicating an error.
 
+EVP_CIPHER_get_security_category() was added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.

doc/man7/provider-digest.pod

@@ -197,6 +197,24 @@ The length of the "blocksize" parameter should not exceed that of a B<size_t>.
 The digest output size.
 The length of the "size" parameter should not exceed that of a B<size_t>.
 
+=item "collision-security-category" (B<OSSL_DIGEST_PARAM_SECURITY_CATEGORY_COLLISION>) <integer>
+
+The value is the NIST
+L<post-quantum collision security category|https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf>
+for the algorithm.
+The digest collision security category represents the difficulty of producing two
+different inputs that result in an identical digested output.
+It is an integer value in the range [0, 5] inclusive.
+
+=item "preimage-security-category" (B<OSSL_DIGEST_PARAM_SECURITY_CATEGORY_PREIMAGE>) <integer>
+
+The value is the NIST
+L<post-quantum collision security category|https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf>
+for the algorithm.
+The digest collision security category represents the difficulty of producing an
+inputs that results in a specific digested output.
+It is an integer value in the range [0, 5] inclusive.
+
 =item "flags" (B<OSSL_DIGEST_PARAM_FLAGS>) <unsigned integer>
 
 Diverse flags that describe exceptional behaviour for the digest:

doc/man7/provider-keymgmt.pod

@@ -442,6 +442,30 @@ its argument I<mdname>.  This signifies that no digest has to be specified
 with the corresponding signature operation, but may be specified as an
 option.
 
+=item "ri-type" (B<OSSL_PKEY_PARAM_CMS_RI_TYPE>) <integer>
+
+The value should be the CMS RecipientInfo type for the given key, for example
+B<CMS_RECIPINFO_KEM> or B<CMS_RECIPINFO_AGREE>.
+The value that can be given through this parameter is found in
+F<< <openssl/cms.h> >>, with the macros having names starting with
+C<CMS_RECIPINFO_>.
+
+CMS will query this parameter first to determine the RecipientInfo type.  If
+this parameter is not filled in, CMS will check for known key types and map
+them to the appropriate RecipientInfo type. Otherwise, CMS will default to
+using B<CMS_RECIPINFO_TRANS>.
+
+=item "kemri-kdf-alg" (B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM>) <UTF8 string>
+
+The value should be the DER-encoded X509_ALGOR for the default KDF for this key
+if it supports the KEMRecipientInfo (B<CMS_RECIPINFO_KEM>) type.
+
+Any KDF that takes B<OSSL_KDF_PARAM_KEY> and B<OSSL_KDF_PARAM_INFO> parameters
+and is otherwise fully defined by its OID can be used, for example B<HKDF-SHA256>.
+
+If B<OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM> is not implemented, B<HKDF-SHA256>
+will be used as the default KDF.
+
 =back
 
 The OpenSSL FIPS provider also supports the following parameters:

fuzz/oids.txt

@@ -1347,3 +1347,5 @@ OBJ_SLH_DSA_SHAKE_256f_WITH_SHAKE256="\x60\x86\x48\x01\x65\x03\x04\x03\x2E"
 OBJ_HKDF_SHA256="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1C"
 OBJ_HKDF_SHA384="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1D"
 OBJ_HKDF_SHA512="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1E"
+OBJ_id_smime_ori="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D"
+OBJ_id_smime_ori_kem="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D\x03"

include/crypto/evp.h

@@ -253,6 +253,37 @@ struct evp_kdf_st {
 #define EVP_ORIG_GLOBAL     1
 #define EVP_ORIG_METH       2
 
+/* Security categories for SHA algorithms */
+# define SHA1_COLLISION_CATEGORY        0
+# define SHA256_192_COLLISION_CATEGORY  0
+# define SHA224_COLLISION_CATEGORY      0
+# define SHA256_COLLISION_CATEGORY      2
+# define SHA384_COLLISION_CATEGORY      4
+# define SHA512_COLLISION_CATEGORY      5
+# define SHA3_224_COLLISION_CATEGORY    0
+# define SHA3_256_COLLISION_CATEGORY    2
+# define SHA3_384_COLLISION_CATEGORY    4
+# define SHA3_512_COLLISION_CATEGORY    5
+# define SHAKE128_COLLISION_CATEGORY    2
+# define SHAKE256_COLLISION_CATEGORY    5
+# define KMAC128_COLLISION_CATEGORY     2
+# define KMAC256_COLLISION_CATEGORY     5
+
+# define SHA1_PREIMAGE_CATEGORY         1
+# define SHA256_192_PREIMAGE_CATEGORY   1
+# define SHA224_PREIMAGE_CATEGORY       3
+# define SHA256_PREIMAGE_CATEGORY       5
+# define SHA384_PREIMAGE_CATEGORY       5
+# define SHA512_PREIMAGE_CATEGORY       5
+# define SHA3_224_PREIMAGE_CATEGORY     3
+# define SHA3_256_PREIMAGE_CATEGORY     5
+# define SHA3_384_PREIMAGE_CATEGORY     5
+# define SHA3_512_PREIMAGE_CATEGORY     5
+# define SHAKE128_PREIMAGE_CATEGORY     2
+# define SHAKE256_PREIMAGE_CATEGORY     5
+# define KMAC128_PREIMAGE_CATEGORY      2
+# define KMAC256_PREIMAGE_CATEGORY      5
+
 struct evp_md_st {
     /* nid */
     int type;
@@ -260,6 +291,8 @@ struct evp_md_st {
     /* Legacy structure members */
     int pkey_type;
     int md_size;
+    int security_category_collision;
+    int security_category_preimage;
     unsigned long flags;
     int origin;
     int (*init) (EVP_MD_CTX *ctx);
@@ -304,6 +337,7 @@ struct evp_cipher_st {
     /* Default value for variable length ciphers */
     int key_len;
     int iv_len;
+    int security_category;
 
     /* Legacy structure members */
     /* Various flags */
@@ -445,10 +479,10 @@ static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched)
 
 #define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
-                          key_len, iv_len, flags, init_key, cleanup, \
+                          key_len, iv_len, seccat, flags, init_key, cleanup, \
                           set_asn1, get_asn1, ctrl) \
 static const EVP_CIPHER cname##_##mode = { \
-        nid##_##nmode, block_size, key_len, iv_len, \
+        nid##_##nmode, block_size, key_len, iv_len, seccat, \
         flags | EVP_CIPH_##MODE##_MODE, \
         EVP_ORIG_GLOBAL, \
         init_key, \
@@ -462,41 +496,43 @@ static const EVP_CIPHER cname##_##mode = { \
 const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
 
 #define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
-                             iv_len, flags, init_key, cleanup, set_asn1, \
-                             get_asn1, ctrl) \
+                             iv_len, seccat, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
-                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+                  iv_len, seccat, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
-                             iv_len, cbits, flags, init_key, cleanup, \
+                             iv_len, cbits, seccat, flags, init_key, cleanup, \
                              set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
-                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  key_len, iv_len, seccat, flags, init_key, cleanup, set_asn1, \
                   get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
-                             iv_len, cbits, flags, init_key, cleanup, \
+                             iv_len, cbits, seccat, flags, init_key, cleanup, \
                              set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
-                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  key_len, iv_len, seccat, flags, init_key, cleanup, set_asn1, \
                   get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
-                             flags, init_key, cleanup, set_asn1, \
+                             seccat, flags, init_key, cleanup, set_asn1, \
                              get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
-                  0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+                  0, seccat, flags, init_key, cleanup, set_asn1, get_asn1, \
+                  ctrl)
 
 #define BLOCK_CIPHER_defs(cname, kstruct, \
-                          nid, block_size, key_len, iv_len, cbits, flags, \
-                          init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
-                     init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
+                          nid, block_size, key_len, iv_len, cbits, seccat, \
                           flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, seccat, \
                      flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, seccat, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, seccat, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, seccat, flags, \
                      init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 /*-
@@ -563,18 +599,18 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
 
 #define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \
                                block_size, key_len, iv_len, cbits, \
-                               flags, init_key, \
+                               seccat, flags, init_key, \
                                cleanup, set_asn1, get_asn1, ctrl) \
         BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
         BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, \
-                          cbits, flags, init_key, cleanup, set_asn1, \
+                          cbits, seccat, flags, init_key, cleanup, set_asn1, \
                           get_asn1, ctrl)
 
-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,seccat,fl) \
         BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
         BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
                              NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-                             (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
+                             seccat, (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
                              cipher##_init_key, NULL, NULL, NULL, NULL)
 
 typedef struct {

include/openssl/cms.h.in

@@ -70,6 +70,7 @@ CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
 # define CMS_RECIPINFO_KEK               2
 # define CMS_RECIPINFO_PASS              3
 # define CMS_RECIPINFO_OTHER             4
+# define CMS_RECIPINFO_KEM               5
 
 /* S/MIME related flags */
 
@@ -401,6 +402,14 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
 int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
                           ASN1_OCTET_STRING *ukm, int keylen);
 
+int CMS_RecipientInfo_kemri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+int CMS_RecipientInfo_kemri_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+EVP_CIPHER_CTX *CMS_RecipientInfo_kemri_get0_ctx(CMS_RecipientInfo *ri);
+X509_ALGOR *CMS_RecipientInfo_kemri_get0_kdf_alg(CMS_RecipientInfo *ri);
+int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri,
+                                    const unsigned char *ukm,
+                                    int ukmLength);
+
 /* Backward compatibility for spelling errors. */
 # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM
 # define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE \

include/openssl/cmserr.h

@@ -67,6 +67,7 @@
 #  define CMS_R_NOT_A_SIGNED_RECEIPT                       165
 #  define CMS_R_NOT_ENCRYPTED_DATA                         122
 #  define CMS_R_NOT_KEK                                    123
+#  define CMS_R_NOT_KEM                                    197
 #  define CMS_R_NOT_KEY_AGREEMENT                          181
 #  define CMS_R_NOT_KEY_TRANSPORT                          124
 #  define CMS_R_NOT_PWRI                                   177
@@ -106,10 +107,12 @@
 #  define CMS_R_UNKNOWN_CIPHER                             148
 #  define CMS_R_UNKNOWN_DIGEST_ALGORITHM                   149
 #  define CMS_R_UNKNOWN_ID                                 150
+#  define CMS_R_UNKNOWN_KDF_ALGORITHM                      198
 #  define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM          151
 #  define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM   194
 #  define CMS_R_UNSUPPORTED_CONTENT_TYPE                   152
 #  define CMS_R_UNSUPPORTED_ENCRYPTION_TYPE                192
+#  define CMS_R_UNSUPPORTED_KDF_ALGORITHM                  199
 #  define CMS_R_UNSUPPORTED_KEK_ALGORITHM                  153
 #  define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM       179
 #  define CMS_R_UNSUPPORTED_LABEL_SOURCE                   193

include/openssl/evp.h

@@ -578,6 +578,8 @@ int EVP_MD_get_size(const EVP_MD *md);
 # define EVP_MD_size EVP_MD_get_size
 int EVP_MD_get_block_size(const EVP_MD *md);
 # define EVP_MD_block_size EVP_MD_get_block_size
+int EVP_MD_get_security_category_collision(const EVP_MD *md);
+int EVP_MD_get_security_category_preimage(const EVP_MD *md);
 unsigned long EVP_MD_get_flags(const EVP_MD *md);
 # define EVP_MD_flags EVP_MD_get_flags
 int EVP_MD_xof(const EVP_MD *md);
@@ -630,6 +632,7 @@ int EVP_CIPHER_get_key_length(const EVP_CIPHER *cipher);
 # define EVP_CIPHER_key_length EVP_CIPHER_get_key_length
 int EVP_CIPHER_get_iv_length(const EVP_CIPHER *cipher);
 # define EVP_CIPHER_iv_length EVP_CIPHER_get_iv_length
+int EVP_CIPHER_get_security_category(const EVP_CIPHER *cipher);
 unsigned long EVP_CIPHER_get_flags(const EVP_CIPHER *cipher);
 # define EVP_CIPHER_flags EVP_CIPHER_get_flags
 int EVP_CIPHER_get_mode(const EVP_CIPHER *cipher);

include/openssl/obj_mac.h

@@ -778,6 +778,10 @@
 #define NID_id_smime_cti                195
 #define OBJ_id_smime_cti                OBJ_SMIME,6L
 
+#define SN_id_smime_ori         "id-smime-ori"
+#define NID_id_smime_ori                1499
+#define OBJ_id_smime_ori                OBJ_SMIME,13L
+
 #define SN_id_smime_mod_cms             "id-smime-mod-cms"
 #define NID_id_smime_mod_cms            196
 #define OBJ_id_smime_mod_cms            OBJ_id_smime_mod,1L
@@ -1113,6 +1117,10 @@
 #define NID_id_smime_cti_ets_proofOfCreation            256
 #define OBJ_id_smime_cti_ets_proofOfCreation            OBJ_id_smime_cti,6L
 
+#define SN_id_smime_ori_kem             "id-smime-ori-kem"
+#define NID_id_smime_ori_kem            1500
+#define OBJ_id_smime_ori_kem            OBJ_id_smime_ori,3L
+
 #define LN_friendlyName         "friendlyName"
 #define NID_friendlyName                156
 #define OBJ_friendlyName                OBJ_pkcs9,20L

providers/common/der/HKDF.asn1

@@ -0,0 +1,16 @@
+-- Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License 2.0 (the "License").  You may not use
+-- this file except in compliance with the License.  You can obtain a copy
+-- in the file LICENSE in the source distribution or at
+-- https://www.openssl.org/source/license.html
+
+-- -------------------------------------------------------------------
+-- Taken from https://datatracker.ietf.org/doc/rfc8619/
+
+id-smime OBJECT IDENTIFIER ::= { 1 2 840 113549 1 9 16 }
+id-alg OBJECT IDENTIFIER ::= { id-smime  3 }
+
+id-alg-hkdf-with-sha256 OBJECT IDENTIFIER ::= { id-alg 28 }
+id-alg-hkdf-with-sha384 OBJECT IDENTIFIER ::= { id-alg 29 }
+id-alg-hkdf-with-sha512 OBJECT IDENTIFIER ::= { id-alg 30 }

providers/common/der/build.info

@@ -127,9 +127,20 @@ IF[{- !$disabled{'slh-dsa'} -}]
   DEPEND[$DER_SLH_DSA_H]=oids_to_c.pm SLH_DSA.asn1
 ENDIF
 
+#----- HKDF
+$DER_HKDF_H=$INCDIR/der_hkdf.h
+$DER_HKDF_GEN=der_hkdf_gen.c
+
+GENERATE[$DER_HKDF_GEN]=der_hkdf_gen.c.in
+DEPEND[$DER_HKDF_GEN]=oids_to_c.pm HKDF.asn1
+
+DEPEND[${DER_HKDF_GEN/.c/.o}]=$DER_HKDF_H
+GENERATE[$DER_HKDF_H]=$INCDIR/der_hkdf.h.in
+DEPEND[$DER_HKDF_H]=oids_to_c.pm HKDF.asn1
+
 #----- Conclusion
 
-$COMMON= $DER_RSA_COMMON $DER_DIGESTS_GEN $DER_WRAP_GEN
+$COMMON= $DER_RSA_COMMON $DER_DIGESTS_GEN $DER_WRAP_GEN $DER_HKDF_GEN
 
 IF[{- !$disabled{dsa} -}]
   $COMMON = $COMMON $DER_DSA_GEN $DER_DSA_AUX

providers/common/der/der_hkdf_gen.c.in

@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "prov/der_hkdf.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/HKDF.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_C });
+-}

providers/common/include/prov/der_hkdf.h.in

@@ -0,0 +1,19 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/der.h"
+
+/* Well known OIDs precompiled */
+{-
+    $OUT = oids_to_c::process_leaves('providers/common/der/HKDF.asn1',
+                                     { dir => $config{sourcedir},
+                                       filter => \&oids_to_c::filter_to_H });
+-}

providers/implementations/ciphers/cipher_aes.c

@@ -49,46 +49,46 @@ static void *aes_dupctx(void *ctx)
 }
 
 /* ossl_aes256ecb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 256, 128, 0, block)
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 256, 128, 0, 5, block)
 /* ossl_aes192ecb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 192, 128, 0, block)
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 192, 128, 0, 3, block)
 /* ossl_aes128ecb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 128, 128, 0, block)
+IMPLEMENT_generic_cipher(aes, AES, ecb, ECB, 0, 128, 128, 0, 1, block)
 /* ossl_aes256cbc_functions */
-IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 256, 128, 128, block)
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 256, 128, 128, 5, block)
 /* ossl_aes192cbc_functions */
-IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 192, 128, 128, block)
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 192, 128, 128, 3, block)
 /* ossl_aes128cbc_functions */
-IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 128, 128, 128, block)
+IMPLEMENT_generic_cipher(aes, AES, cbc, CBC, 0, 128, 128, 128, 1, block)
 /* ossl_aes256ofb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aes192ofb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aes128ofb_functions */
-IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ofb, OFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aes256cfb_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aes192cfb_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aes128cfb_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb,  CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aes256cfb1_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aes192cfb1_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aes128cfb1_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb1, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aes256cfb8_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aes192cfb8_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aes128cfb8_functions */
-IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, cfb8, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aes256ctr_functions */
-IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 256, 8, 128, 5, stream)
 /* ossl_aes192ctr_functions */
-IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 192, 8, 128, 3, stream)
 /* ossl_aes128ctr_functions */
-IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aes, AES, ctr, CTR, 0, 128, 8, 128, 1, stream)
 
 #include "cipher_aes_cts.inc"

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c

@@ -20,11 +20,12 @@
 #include <openssl/prov_ssl.h>
 #include <openssl/proverr.h>
 #include "cipher_aes_cbc_hmac_sha.h"
+#include "crypto/evp.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 
 #ifndef AES_CBC_HMAC_SHA_CAPABLE
-# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags)              \
+# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, seccat, flags)      \
 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
     OSSL_DISPATCH_END                                                          \
 };
@@ -392,7 +393,7 @@ static void aes_cbc_hmac_sha256_freectx(void *vctx)
     }
 }
 
-# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags)              \
+# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, seccat, flags)      \
 static OSSL_FUNC_cipher_newctx_fn nm##_##kbits##_##sub##_newctx;               \
 static void *nm##_##kbits##_##sub##_newctx(void *provctx)                      \
 {                                                                              \
@@ -402,7 +403,8 @@ static OSSL_FUNC_cipher_get_params_fn nm##_##kbits##_##sub##_get_params;       \
 static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[])              \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_CBC_MODE,           \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits,       \
+                                          seccat);                             \
 }                                                                              \
 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
     { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\
@@ -430,11 +432,24 @@ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
 
 #endif /* AES_CBC_HMAC_SHA_CAPABLE */
 
+/*
+ * Note about security categories.
+ *
+ * The security category of the combined algorithms will be the lower of
+ * the category for the cipher and the HMAC.  NIST has not defined security
+ * categories for HMACs at this stage but it seems reasonable to equate
+ * these to the pre-image security category of the underlying digest.
+ */
+#define SC_SHA1(c) \
+    ((c) < SHA1_PREIMAGE_CATEGORY ? (c) : SHA1_PREIMAGE_CATEGORY)
+#define SC_SHA256(c)\
+    ((c) < SHA256_PREIMAGE_CATEGORY ? (c) : SHA256_PREIMAGE_CATEGORY)
+
 /* ossl_aes128cbc_hmac_sha1_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 128, 128, 128, SC_SHA1(1), AES_CBC_HMAC_SHA_FLAGS)
 /* ossl_aes256cbc_hmac_sha1_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha1, 256, 128, 128, SC_SHA1(5), AES_CBC_HMAC_SHA_FLAGS)
 /* ossl_aes128cbc_hmac_sha256_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 128, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 128, 128, 128, SC_SHA256(1), AES_CBC_HMAC_SHA_FLAGS)
 /* ossl_aes256cbc_hmac_sha256_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 256, 128, 128, AES_CBC_HMAC_SHA_FLAGS)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha256, 256, 128, 128, SC_SHA256(5), AES_CBC_HMAC_SHA_FLAGS)

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha_etm.c

@@ -9,12 +9,13 @@
 #include "internal/deprecated.h"
 
 #include "cipher_aes_cbc_hmac_sha_etm.h"
+#include "crypto/evp.h"
 #include "prov/providercommon.h"
 #include "prov/ciphercommon_aead.h"
 #include "prov/implementations.h"
 
 #ifndef AES_CBC_HMAC_SHA_ETM_CAPABLE
-# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags)              \
+# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, seccat, flags)      \
 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
     OSSL_DISPATCH_END                                                          \
 };
@@ -296,7 +297,7 @@ static void *aes_cbc_hmac_sha512_etm_dupctx(void *provctx)
     return OPENSSL_memdup(ctx, sizeof(*ctx));
 }
 
-# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, flags)              \
+# define IMPLEMENT_CIPHER(nm, sub, kbits, blkbits, ivbits, seccat, flags)      \
 static OSSL_FUNC_cipher_newctx_fn nm##_##kbits##_##sub##_newctx;               \
 static void *nm##_##kbits##_##sub##_newctx(void *provctx)                      \
 {                                                                              \
@@ -306,7 +307,8 @@ static OSSL_FUNC_cipher_get_params_fn nm##_##kbits##_##sub##_get_params;       \
 static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[])              \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_CBC_MODE,           \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits,       \
+                                          seccat);                             \
 }                                                                              \
 const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
     { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\
@@ -333,21 +335,36 @@ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
 };
 #endif /* AES_CBC_HMAC_SHA_ETM_CAPABLE */
 
+/*
+ * Note about security categories.
+ *
+ * The security category of the combined algorithms will be the lower of
+ * the category for the cipher and the HMAC.  NIST has not defined security
+ * categories for HMACs at this stage but it seems reasonable to equate
+ * these to the pre-image security category of the underlying digest.
+ */
+#define SC_SHA1(c) \
+    ((c) < SHA1_PREIMAGE_CATEGORY ? (c) : SHA1_PREIMAGE_CATEGORY)
+#define SC_SHA256(c)\
+    ((c) < SHA256_PREIMAGE_CATEGORY ? (c) : SHA256_PREIMAGE_CATEGORY)
+#define SC_SHA512(c)\
+    ((c) < SHA512_PREIMAGE_CATEGORY ? (c) : SHA512_PREIMAGE_CATEGORY)
+
 /* ossl_aes128cbc_hmac_sha1_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 128, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 128, 128, 128, SC_SHA1(1), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes192cbc_hmac_sha1_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 192, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 192, 128, 128, SC_SHA1(3), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes256cbc_hmac_sha1_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 256, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha1_etm, 256, 128, 128, SC_SHA1(5), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes128cbc_hmac_sha256_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 128, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 128, 128, 128, SC_SHA256(1), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes192cbc_hmac_sha256_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 192, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 192, 128, 128, SC_SHA256(3), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes256cbc_hmac_sha256_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 256, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha256_etm, 256, 128, 128, SC_SHA256(5), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes128cbc_hmac_sha512_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 128, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 128, 128, 128, SC_SHA512(1), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes192cbc_hmac_sha512_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 192, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 192, 128, 128, SC_SHA512(3), EVP_CIPH_FLAG_ENC_THEN_MAC)
 /* ossl_aes256cbc_hmac_sha512_etm_functions */
-IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 256, 128, 128, EVP_CIPH_FLAG_ENC_THEN_MAC)
+IMPLEMENT_CIPHER(aes, cbc_hmac_sha512_etm, 256, 128, 128, SC_SHA512(5), EVP_CIPH_FLAG_ENC_THEN_MAC)

providers/implementations/ciphers/cipher_aes_ccm.c

@@ -65,8 +65,8 @@ static void aes_ccm_freectx(void *vctx)
 }
 
 /* ossl_aes128ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 128, 8, 96, 1);
 /* ossl_aes192ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 192, 8, 96, 3);
 /* ossl_aes256ccm_functions */
-IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
+IMPLEMENT_aead_cipher(aes, ccm, CCM, AEAD_FLAGS, 256, 8, 96, 5);

providers/implementations/ciphers/cipher_aes_cts.inc

@@ -87,8 +87,8 @@ err:
 }
 
 /* ossl_aes256cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 256, 128, 128, 5, block)
 /* ossl_aes192cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 192, 128, 128, 3, block)
 /* ossl_aes128cbc_cts_functions */
-IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)
+IMPLEMENT_cts_cipher(aes, AES, cbc, CBC, CTS_FLAGS, 128, 128, 128, 1, block)

providers/implementations/ciphers/cipher_aes_gcm.c

@@ -61,8 +61,8 @@ static void aes_gcm_freectx(void *vctx)
 }
 
 /* ossl_aes128gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 128, 8, 96, 1);
 /* ossl_aes192gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 192, 8, 96, 3);
 /* ossl_aes256gcm_functions */
-IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
+IMPLEMENT_aead_cipher(aes, gcm, GCM, AEAD_FLAGS, 256, 8, 96, 5);

providers/implementations/ciphers/cipher_aes_gcm_siv.c

@@ -270,7 +270,7 @@ static const OSSL_PARAM *ossl_aes_gcm_siv_settable_ctx_params(ossl_unused void *
     return aes_gcm_siv_known_settable_ctx_params;
 }
 
-#define IMPLEMENT_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits)                                \
+#define IMPLEMENT_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits, seccat)                        \
 static OSSL_FUNC_cipher_newctx_fn              ossl_##alg##kbits##_##lc##_newctx;                       \
 static OSSL_FUNC_cipher_freectx_fn             ossl_##alg##_##lc##_freectx;                             \
 static OSSL_FUNC_cipher_dupctx_fn              ossl_##alg##_##lc##_dupctx;                              \
@@ -287,7 +287,7 @@ static OSSL_FUNC_cipher_settable_ctx_params_fn ossl_##alg##_##lc##_settable_ctx_
 static int ossl_##alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[])                                \
 {                                                                                                       \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,                             \
-                                          flags, kbits, blkbits, ivbits);                               \
+                                          flags, kbits, blkbits, ivbits, seccat);                       \
 }                                                                                                       \
 static void *ossl_##alg##kbits##_##lc##_newctx(void *provctx)                                           \
 {                                                                                                       \
@@ -311,6 +311,6 @@ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = {
     OSSL_DISPATCH_END                                                                                   \
 }
 
-IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 128, 8, 96);
-IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 192, 8, 96);
-IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 256, 8, 96);
+IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 128, 8, 96, 1);
+IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 192, 8, 96, 3);
+IMPLEMENT_cipher(aes, gcm_siv, GCM_SIV, AEAD_FLAGS, 256, 8, 96, 5);

providers/implementations/ciphers/cipher_aes_ocb.c

@@ -523,12 +523,13 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
     return 1;
 }
 
-#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits)          \
+#define IMPLEMENT_cipher(mode, UCMODE, flags, kbits, blkbits, ivbits, seccat)  \
 static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##mode##_get_params;       \
 static int aes_##kbits##_##mode##_get_params(OSSL_PARAM params[])              \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits,       \
+                                          seccat);                             \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn aes_##kbits##_##mode##_newctx;               \
 static void *aes_##kbits##_##mode##_newctx(void *provctx)                      \
@@ -561,6 +562,6 @@ const OSSL_DISPATCH ossl_##aes##kbits##mode##_functions[] = {                  \
     OSSL_DISPATCH_END                                                          \
 }
 
-IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8);
-IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8);
-IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8);
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 256, 128, OCB_DEFAULT_IV_LEN * 8, 5);
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 192, 128, OCB_DEFAULT_IV_LEN * 8, 3);
+IMPLEMENT_cipher(ocb, OCB, AES_OCB_FLAGS, 128, 128, OCB_DEFAULT_IV_LEN * 8, 1);

providers/implementations/ciphers/cipher_aes_siv.c

@@ -241,7 +241,7 @@ static const OSSL_PARAM *aes_siv_settable_ctx_params(ossl_unused void *cctx,
     return aes_siv_known_settable_ctx_params;
 }
 
-#define IMPLEMENT_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits)       \
+#define IMPLEMENT_cipher(alg, lc, UCMODE, flags, kbits, blkbits, ivbits, seccat) \
 static OSSL_FUNC_cipher_newctx_fn alg##kbits##lc##_newctx;                     \
 static OSSL_FUNC_cipher_freectx_fn alg##_##lc##_freectx;                       \
 static OSSL_FUNC_cipher_dupctx_fn lc##_dupctx;                                 \
@@ -260,7 +260,8 @@ static OSSL_FUNC_cipher_settable_ctx_params_fn                                 \
 static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[])              \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, 2*kbits, blkbits, ivbits);    \
+                                          flags, 2*kbits, blkbits, ivbits,     \
+                                          seccat);                             \
 }                                                                              \
 static void *alg##kbits##lc##_newctx(void *provctx)                            \
 {                                                                              \
@@ -291,6 +292,6 @@ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = {                    \
     OSSL_DISPATCH_END                                                          \
 };
 
-IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 128, 8, 0)
-IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 192, 8, 0)
-IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 256, 8, 0)
+IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 128, 8, 0, 1)
+IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 192, 8, 0, 3)
+IMPLEMENT_cipher(aes, siv, SIV, SIV_FLAGS, 256, 8, 0, 5)

providers/implementations/ciphers/cipher_aes_wrp.c

@@ -283,12 +283,13 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     return 1;
 }
 
-#define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits)   \
+#define IMPLEMENT_cipher(mode, fname, UCMODE, flags, kbits, blkbits, ivbits, seccat) \
     static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##fname##_get_params;  \
     static int aes_##kbits##_##fname##_get_params(OSSL_PARAM params[])         \
     {                                                                          \
         return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,\
-                                              flags, kbits, blkbits, ivbits);  \
+                                              flags, kbits, blkbits, ivbits,   \
+                                              seccat);                         \
     }                                                                          \
     static OSSL_FUNC_cipher_newctx_fn aes_##kbits##fname##_newctx;             \
     static void *aes_##kbits##fname##_newctx(void *provctx)                    \
@@ -320,16 +321,16 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
         OSSL_DISPATCH_END                                                      \
     }
 
-IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8);
+IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_NOPAD_IVLEN * 8, 5);
+IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_NOPAD_IVLEN * 8, 3);
+IMPLEMENT_cipher(wrap, wrap, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_NOPAD_IVLEN * 8, 1);
+IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 256, 64, AES_WRAP_PAD_IVLEN * 8, 5);
+IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 192, 64, AES_WRAP_PAD_IVLEN * 8, 3);
+IMPLEMENT_cipher(wrap, wrappad, WRAP, WRAP_FLAGS, 128, 64, AES_WRAP_PAD_IVLEN * 8, 1);
 
-IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_NOPAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_PAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_PAD_IVLEN * 8);
-IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_PAD_IVLEN * 8);
+IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_NOPAD_IVLEN * 8, 5);
+IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_NOPAD_IVLEN * 8, 3);
+IMPLEMENT_cipher(wrap, wrapinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_NOPAD_IVLEN * 8, 1);
+IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 256, 64, AES_WRAP_PAD_IVLEN * 8, 5);
+IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 192, 64, AES_WRAP_PAD_IVLEN * 8, 3);
+IMPLEMENT_cipher(wrap, wrappadinv, WRAP, WRAP_FLAGS_INV, 128, 64, AES_WRAP_PAD_IVLEN * 8, 1);

providers/implementations/ciphers/cipher_aes_xts.c

@@ -276,13 +276,13 @@ static int aes_xts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     return 1;
 }
 
-#define IMPLEMENT_cipher(lcmode, UCMODE, kbits, flags)                         \
+#define IMPLEMENT_cipher(lcmode, UCMODE, kbits, seccat, flags)                 \
 static OSSL_FUNC_cipher_get_params_fn aes_##kbits##_##lcmode##_get_params;     \
 static int aes_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])            \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
                                      flags, 2 * kbits, AES_XTS_BLOCK_BITS,     \
-                                     AES_XTS_IV_BITS);                         \
+                                     AES_XTS_IV_BITS, seccat);                 \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn aes_##kbits##_xts_newctx;                    \
 static void *aes_##kbits##_xts_newctx(void *provctx)                           \
@@ -314,5 +314,5 @@ const OSSL_DISPATCH ossl_aes##kbits##xts_functions[] = {                       \
     OSSL_DISPATCH_END                                                          \
 }
 
-IMPLEMENT_cipher(xts, XTS, 256, AES_XTS_FLAGS);
-IMPLEMENT_cipher(xts, XTS, 128, AES_XTS_FLAGS);
+IMPLEMENT_cipher(xts, XTS, 256, 5, AES_XTS_FLAGS);
+IMPLEMENT_cipher(xts, XTS, 128, 1, AES_XTS_FLAGS);

providers/implementations/ciphers/cipher_aria.c

@@ -41,44 +41,44 @@ static void *aria_dupctx(void *ctx)
 }
 
 /* ossl_aria256ecb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 256, 128, 0, block)
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 256, 128, 0, 5, block)
 /* ossl_aria192ecb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 192, 128, 0, block)
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 192, 128, 0, 3, block)
 /* ossl_aria128ecb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 128, 128, 0, block)
+IMPLEMENT_generic_cipher(aria, ARIA, ecb, ECB, 0, 128, 128, 0, 1, block)
 /* ossl_aria256cbc_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 256, 128, 128, block)
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 256, 128, 128, 5, block)
 /* ossl_aria192cbc_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 192, 128, 128, block)
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 192, 128, 128, 3, block)
 /* ossl_aria128cbc_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 128, 128, 128, block)
+IMPLEMENT_generic_cipher(aria, ARIA, cbc, CBC, 0, 128, 128, 128, 1, block)
 /* ossl_aria256ofb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aria192ofb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aria128ofb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ofb, OFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aria256cfb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aria192cfb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aria128cfb_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb,  CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aria256cfb1_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aria192cfb1_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aria128cfb1_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb1, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aria256cfb8_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_aria192cfb8_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_aria128cfb8_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, cfb8, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_aria256ctr_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 256, 8, 128, 5, stream)
 /* ossl_aria192ctr_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 192, 8, 128, 3, stream)
 /* ossl_aria128ctr_functions */
-IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(aria, ARIA, ctr, CTR, 0, 128, 8, 128, 1, stream)

providers/implementations/ciphers/cipher_aria_ccm.c

@@ -51,9 +51,9 @@ static void aria_ccm_freectx(void *vctx)
 }
 
 /* aria128ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 128, 8, 96, 1);
 /* aria192ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 192, 8, 96);
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 192, 8, 96, 3);
 /* aria256ccm functions */
-IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 256, 8, 96);
+IMPLEMENT_aead_cipher(aria, ccm, CCM, AEAD_FLAGS, 256, 8, 96, 5);
 

providers/implementations/ciphers/cipher_aria_gcm.c

@@ -51,9 +51,9 @@ static void aria_gcm_freectx(void *vctx)
 }
 
 /* ossl_aria128gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 128, 8, 96, 1);
 /* ossl_aria192gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 192, 8, 96);
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 192, 8, 96, 3);
 /* ossl_aria256gcm_functions */
-IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 256, 8, 96);
+IMPLEMENT_aead_cipher(aria, gcm, GCM, AEAD_FLAGS, 256, 8, 96, 5);
 

providers/implementations/ciphers/cipher_blowfish.c

@@ -49,10 +49,10 @@ static void *blowfish_dupctx(void *ctx)
 }
 
 /* bf_ecb_functions */
-IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, ecb, ECB, BF_FLAGS, 128, 64, 0, block)
+IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, ecb, ECB, BF_FLAGS, 128, 64, 0, 0, block)
 /* bf_cbc_functions */
-IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, cbc, CBC, BF_FLAGS, 128, 64, 64, block)
+IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, cbc, CBC, BF_FLAGS, 128, 64, 64, 0, block)
 /* bf_ofb_functions */
-IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, ofb64, OFB, BF_FLAGS, 128, 8, 64, stream)
+IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, ofb64, OFB, BF_FLAGS, 128, 8, 64, 0, stream)
 /* bf_cfb_functions */
-IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, cfb64,  CFB, BF_FLAGS, 128, 8, 64, stream)
+IMPLEMENT_var_keylen_cipher(blowfish, BLOWFISH, cfb64,  CFB, BF_FLAGS, 128, 8, 64, 0, stream)

providers/implementations/ciphers/cipher_camellia.c

@@ -47,46 +47,46 @@ static void *camellia_dupctx(void *ctx)
 }
 
 /* ossl_camellia256ecb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 256, 128, 0, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 256, 128, 0, 5, block)
 /* ossl_camellia192ecb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 192, 128, 0, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 192, 128, 0, 3, block)
 /* ossl_camellia128ecb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 128, 128, 0, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ecb, ECB, 0, 128, 128, 0, 1, block)
 /* ossl_camellia256cbc_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 256, 128, 128, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 256, 128, 128, 5, block)
 /* ossl_camellia192cbc_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 192, 128, 128, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 192, 128, 128, 3, block)
 /* ossl_camellia128cbc_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 128, 128, 128, block)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cbc, CBC, 0, 128, 128, 128, 1, block)
 /* ossl_camellia256ofb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 256, 8, 128, 5, stream)
 /* ossl_camellia192ofb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 192, 8, 128, 3, stream)
 /* ossl_camellia128ofb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ofb, OFB, 0, 128, 8, 128, 1, stream)
 /* ossl_camellia256cfb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_camellia192cfb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_camellia128cfb_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb,  CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_camellia256cfb1_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_camellia192cfb1_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_camellia128cfb1_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb1, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_camellia256cfb8_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 256, 8, 128, 5, stream)
 /* ossl_camellia192cfb8_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 192, 8, 128, 3, stream)
 /* ossl_camellia128cfb8_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, cfb8, CFB, 0, 128, 8, 128, 1, stream)
 /* ossl_camellia256ctr_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 256, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 256, 8, 128, 5, stream)
 /* ossl_camellia192ctr_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 192, 8, 128, 3, stream)
 /* ossl_camellia128ctr_functions */
-IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(camellia, CAMELLIA, ctr, CTR, 0, 128, 8, 128, 1, stream)
 
 #include "cipher_camellia_cts.inc"

providers/implementations/ciphers/cipher_camellia_cts.inc

@@ -87,8 +87,8 @@ err:
 }
 
 /* ossl_camellia256cbc_cts_functions */
-IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 256, 128, 128, block)
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 256, 128, 128, 5, block)
 /* ossl_camellia192cbc_cts_functions */
-IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 192, 128, 128, block)
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 192, 128, 128, 3, block)
 /* ossl_camellia128cbc_cts_functions */
-IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 128, 128, 128, block)
+IMPLEMENT_cts_cipher(camellia, CAMELLIA, cbc, CBC, CTS_FLAGS, 128, 128, 128, 1, block)

providers/implementations/ciphers/cipher_cast5.c

@@ -50,10 +50,10 @@ static void *cast5_dupctx(void *ctx)
 }
 
 /* ossl_cast5128ecb_functions */
-IMPLEMENT_var_keylen_cipher(cast5, CAST, ecb, ECB, CAST5_FLAGS, 128, 64, 0, block)
+IMPLEMENT_var_keylen_cipher(cast5, CAST, ecb, ECB, CAST5_FLAGS, 128, 64, 0, 0, block)
 /* ossl_cast5128cbc_functions */
-IMPLEMENT_var_keylen_cipher(cast5, CAST, cbc, CBC, CAST5_FLAGS, 128, 64, 64, block)
+IMPLEMENT_var_keylen_cipher(cast5, CAST, cbc, CBC, CAST5_FLAGS, 128, 64, 64, 0, block)
 /* ossl_cast5128ofb64_functions */
-IMPLEMENT_var_keylen_cipher(cast5, CAST, ofb64, OFB, CAST5_FLAGS, 128, 8, 64, stream)
+IMPLEMENT_var_keylen_cipher(cast5, CAST, ofb64, OFB, CAST5_FLAGS, 128, 8, 64, 0, stream)
 /* ossl_cast5128cfb64_functions */
-IMPLEMENT_var_keylen_cipher(cast5, CAST, cfb64,  CFB, CAST5_FLAGS, 128, 8, 64, stream)
+IMPLEMENT_var_keylen_cipher(cast5, CAST, cfb64,  CFB, CAST5_FLAGS, 128, 8, 64, 0, stream)

providers/implementations/ciphers/cipher_chacha20.c

@@ -97,7 +97,8 @@ static int chacha20_get_params(OSSL_PARAM params[])
     return ossl_cipher_generic_get_params(params, 0, CHACHA20_FLAGS,
                                           CHACHA20_KEYLEN * 8,
                                           CHACHA20_BLKLEN * 8,
-                                          CHACHA20_IVLEN * 8);
+                                          CHACHA20_IVLEN * 8,
+                                          5);
 }
 
 static int chacha20_get_ctx_params(void *vctx, OSSL_PARAM params[])

providers/implementations/ciphers/cipher_chacha20_poly1305.c.in

@@ -97,7 +97,8 @@ static int chacha20_poly1305_get_params(OSSL_PARAM params[])
     return ossl_cipher_generic_get_params(params, 0, CHACHA20_POLY1305_FLAGS,
                                           CHACHA20_POLY1305_KEYLEN * 8,
                                           CHACHA20_POLY1305_BLKLEN * 8,
-                                          CHACHA20_POLY1305_IVLEN * 8);
+                                          CHACHA20_POLY1305_IVLEN * 8,
+                                          5);
 }
 
 {- produce_param_decoder('chacha20_poly1305_get_ctx_params',

providers/implementations/ciphers/cipher_cts.h

@@ -11,12 +11,13 @@
 
 /* NOTE: The underlying block cipher is CBC so we reuse most of the code */
 #define IMPLEMENT_cts_cipher(alg, UCALG, lcmode, UCMODE, flags, kbits,         \
-                             blkbits, ivbits, typ)                             \
+                             blkbits, ivbits, seccat, typ)                     \
 static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params;   \
 static int alg##_cts_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])      \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits,       \
+                                          seccat);                             \
 }                                                                              \
 const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = {            \
     { OSSL_FUNC_CIPHER_NEWCTX,                                                 \

providers/implementations/ciphers/cipher_des.c

@@ -160,7 +160,7 @@ static OSSL_FUNC_cipher_get_params_fn des_##lcmode##_get_params;               \
 static int des_##lcmode##_get_params(OSSL_PARAM params[])                      \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits, 0);   \
 }                                                                              \
 const OSSL_DISPATCH ossl_##des_##lcmode##_functions[] = {                      \
     { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))des_einit },              \

providers/implementations/ciphers/cipher_idea.c

@@ -48,10 +48,10 @@ static void *idea_dupctx(void *ctx)
 }
 
 /* ossl_idea128ecb_functions */
-IMPLEMENT_generic_cipher(idea, IDEA, ecb, ECB, 0, 128, 64, 0, block)
+IMPLEMENT_generic_cipher(idea, IDEA, ecb, ECB, 0, 128, 64, 0, 1, block)
 /* ossl_idea128cbc_functions */
-IMPLEMENT_generic_cipher(idea, IDEA, cbc, CBC, 0, 128, 64, 64, block)
+IMPLEMENT_generic_cipher(idea, IDEA, cbc, CBC, 0, 128, 64, 64, 1, block)
 /* ossl_idea128ofb64_functions */
-IMPLEMENT_generic_cipher(idea, IDEA, ofb64, OFB, 0, 128, 8, 64, stream)
+IMPLEMENT_generic_cipher(idea, IDEA, ofb64, OFB, 0, 128, 8, 64, 1, stream)
 /* ossl_idea128cfb64_functions */
-IMPLEMENT_generic_cipher(idea, IDEA, cfb64,  CFB, 0, 128, 8, 64, stream)
+IMPLEMENT_generic_cipher(idea, IDEA, cfb64,  CFB, 0, 128, 8, 64, 1, stream)

providers/implementations/ciphers/cipher_null.c

@@ -102,7 +102,7 @@ static int null_final(void *vctx, unsigned char *out, size_t *outl,
 static OSSL_FUNC_cipher_get_params_fn null_get_params;
 static int null_get_params(OSSL_PARAM params[])
 {
-    return ossl_cipher_generic_get_params(params, 0, 0, 0, 8, 0);
+    return ossl_cipher_generic_get_params(params, 0, 0, 0, 8, 0, 0);
 }
 
 static const OSSL_PARAM null_known_gettable_ctx_params[] = {

providers/implementations/ciphers/cipher_rc2.c

@@ -237,7 +237,7 @@ static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params;   \
 static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])          \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits, 0);   \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx;           \
 static void *alg##_##kbits##_##lcmode##_newctx(void *provctx)                  \

providers/implementations/ciphers/cipher_rc4.c

@@ -73,7 +73,7 @@ static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_get_params;              \
 static int alg##_##kbits##_get_params(OSSL_PARAM params[])                     \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, 0, flags,                    \
-                                     kbits, blkbits, ivbits);                  \
+                                     kbits, blkbits, ivbits, 0);               \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_newctx;                      \
 static void *alg##_##kbits##_newctx(void *provctx)                             \

providers/implementations/ciphers/cipher_rc4_hmac_md5.c

@@ -218,7 +218,8 @@ static int rc4_hmac_md5_get_params(OSSL_PARAM params[])
                                           RC4_HMAC_MD5_FLAGS,
                                           RC4_HMAC_MD5_KEY_BITS,
                                           RC4_HMAC_MD5_BLOCK_BITS,
-                                          RC4_HMAC_MD5_IV_BITS);
+                                          RC4_HMAC_MD5_IV_BITS,
+                                          0);
 }
 
 const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = {

providers/implementations/ciphers/cipher_rc5.c

@@ -133,7 +133,7 @@ static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_##lcmode##_get_params;   \
 static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])          \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
-                                          flags, kbits, blkbits, ivbits);      \
+                                          flags, kbits, blkbits, ivbits, 0);   \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx;           \
 static void *alg##_##kbits##_##lcmode##_newctx(void *provctx)                  \

providers/implementations/ciphers/cipher_seed.c

@@ -47,10 +47,10 @@ static void *seed_dupctx(void *ctx)
 }
 
 /* ossl_seed128ecb_functions */
-IMPLEMENT_generic_cipher(seed, SEED, ecb, ECB, 0, 128, 128, 0, block)
+IMPLEMENT_generic_cipher(seed, SEED, ecb, ECB, 0, 128, 128, 0, 1, block)
 /* ossl_seed128cbc_functions */
-IMPLEMENT_generic_cipher(seed, SEED, cbc, CBC, 0, 128, 128, 128, block)
+IMPLEMENT_generic_cipher(seed, SEED, cbc, CBC, 0, 128, 128, 128, 1, block)
 /* ossl_seed128ofb128_functions */
-IMPLEMENT_generic_cipher(seed, SEED, ofb128, OFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(seed, SEED, ofb128, OFB, 0, 128, 8, 128, 1, stream)
 /* ossl_seed128cfb128_functions */
-IMPLEMENT_generic_cipher(seed, SEED, cfb128,  CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(seed, SEED, cfb128,  CFB, 0, 128, 8, 128, 1, stream)

providers/implementations/ciphers/cipher_sm4.c

@@ -41,12 +41,12 @@ static void *sm4_dupctx(void *ctx)
 }
 
 /* ossl_sm4128ecb_functions */
-IMPLEMENT_generic_cipher(sm4, SM4, ecb, ECB, 0, 128, 128, 0, block)
+IMPLEMENT_generic_cipher(sm4, SM4, ecb, ECB, 0, 128, 128, 0, 1, block)
 /* ossl_sm4128cbc_functions */
-IMPLEMENT_generic_cipher(sm4, SM4, cbc, CBC, 0, 128, 128, 128, block)
+IMPLEMENT_generic_cipher(sm4, SM4, cbc, CBC, 0, 128, 128, 128, 1, block)
 /* ossl_sm4128ctr_functions */
-IMPLEMENT_generic_cipher(sm4, SM4, ctr, CTR, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(sm4, SM4, ctr, CTR, 0, 128, 8, 128, 1, stream)
 /* ossl_sm4128ofb128_functions */
-IMPLEMENT_generic_cipher(sm4, SM4, ofb128, OFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(sm4, SM4, ofb128, OFB, 0, 128, 8, 128, 1, stream)
 /* ossl_sm4128cfb128_functions */
-IMPLEMENT_generic_cipher(sm4, SM4, cfb128,  CFB, 0, 128, 8, 128, stream)
+IMPLEMENT_generic_cipher(sm4, SM4, cfb128,  CFB, 0, 128, 8, 128, 1, stream)

providers/implementations/ciphers/cipher_sm4_ccm.c

@@ -51,4 +51,4 @@ static void sm4_ccm_freectx(void *vctx)
 }
 
 /* sm4128ccm functions */
-IMPLEMENT_aead_cipher(sm4, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(sm4, ccm, CCM, AEAD_FLAGS, 128, 8, 96, 1);

providers/implementations/ciphers/cipher_sm4_gcm.c

@@ -52,4 +52,4 @@ static void sm4_gcm_freectx(void *vctx)
 }
 
 /* ossl_sm4128gcm_functions */
-IMPLEMENT_aead_cipher(sm4, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
+IMPLEMENT_aead_cipher(sm4, gcm, GCM, AEAD_FLAGS, 128, 8, 96, 1);

providers/implementations/ciphers/cipher_sm4_xts.c

@@ -246,7 +246,7 @@ static int sm4_##kbits##_##lcmode##_get_params(OSSL_PARAM params[])            \
 {                                                                              \
     return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE,    \
                                           flags, 2 * kbits, SM4_XTS_BLOCK_BITS,\
-                                          SM4_XTS_IV_BITS);                    \
+                                          SM4_XTS_IV_BITS, 1);                 \
 }                                                                              \
 static OSSL_FUNC_cipher_newctx_fn sm4_##kbits##_xts_newctx;                    \
 static void *sm4_##kbits##_xts_newctx(void *provctx)                           \