Add generic and AES SKEY support

[mamckee]

OpenSSL 3.5 added SKEYs for opaque symmetric key management. This PR adds support for the new key types to the SymCrypt provider.

• Add generic and AES SKEY keymgmt interfaces
• Add support for AES SKEYs to AES cipher interfaces
• Add support for AES SKEYs to CMAC interface

[Copilot]

Pull request overview

This PR adds OpenSSL 3.5 SKEY (opaque symmetric key) support to the SymCrypt provider by introducing SKEYMGMT implementations and wiring SKEY-based initialization into existing AES cipher and CMAC MAC implementations.

Changes:

• Added generic and AES SKEYMGMT implementations (import/export/generate) backed by secure key storage.
• Added AES cipher support for SKEY-based init across generic, AEAD (GCM/CCM), and XTS implementations.
• Added CMAC support for SKEY-based init and registered SKEYMGMT algorithms in the provider query interface.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
SymCryptProvider/src/skeymgmt/p_scossl_generic_skeymgmt.h	Declares generic SKEYMGMT entry points.
SymCryptProvider/src/skeymgmt/p_scossl_generic_skeymgmt.c	Implements generic secret key import/export/generation for SKEYs.
SymCryptProvider/src/skeymgmt/p_scossl_aes_skeymgmt.c	Wraps generic SKEYMGMT to enforce AES key sizing and type tagging.
SymCryptProvider/src/p_scossl_skey.h	Introduces the internal SCOSSL_SKEY representation.
SymCryptProvider/src/p_scossl_base.c	Registers SKEYMGMT algorithms under OSSL_OP_SKEYMGMT.
SymCryptProvider/src/mac/p_scossl_cmac.c	Adds OSSL_FUNC_MAC_INIT_SKEY path for CMAC.
SymCryptProvider/src/ciphers/p_scossl_aes.c	Adds OSSL_FUNC_CIPHER_*_SKEY_INIT support for AES non-AEAD modes.
SymCryptProvider/src/ciphers/p_scossl_aes_xts.c	Adds OSSL_FUNC_CIPHER_*_SKEY_INIT support for AES-XTS.
SymCryptProvider/src/ciphers/p_scossl_aes_aead.c	Adds OSSL_FUNC_CIPHER_*_SKEY_INIT support for AES-GCM/CCM.
SymCryptProvider/CMakeLists.txt	Conditionally compiles SKEYMGMT sources for OpenSSL >= 3.5.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[MS-megliu]

(see inline comments)

[MS-megliu]

Bug: If OSSL_SKEY_PARAM_KEY_LENGTH is not present in params, OSSL_PARAM_locate_const returns NULL, the function skips the entire key generation block, falls through to status = SCOSSL_SUCCESS here, and returns a NULL skey as success. The caller gets a NULL key with no error indication.

Same issue in p_scossl_generic_skeymgmt_import (line 89 of this file) — if OSSL_SKEY_PARAM_RAW_BYTES is absent, returns NULL without raising an error.

Suggestion: treat a missing required param as an error — ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY) or equivalent before goto cleanup.

[MS-megliu]

Nit: AES key length is validated after p_scossl_generic_skeymgmt_import has already allocated secure memory and copied the key material. For invalid lengths, the key is allocated, copied, then immediately freed. Consider validating the length from the OSSL_PARAM before calling the generic import to avoid the wasted OPENSSL_secure_malloc + memcpy. Same applies to p_scossl_aes_skeygen_generate below — SymCryptRandom is called for invalid lengths.

[MS-megliu]

Nit: Redundant cast — ctx is already declared as SCOSSL_AES_XTS_CTX *ctx in the function signature, so (SCOSSL_AES_XTS_CTX *)ctx is unnecessary.

[MS-megliu]

Question: This bumps the minimum OpenSSL requirement from any version to 3.5 globally, making the entire provider unbuildable with OpenSSL 3.0-3.4. The SKEYMGMT dispatch registration in p_scossl_base.c already uses #ifdef OSSL_OP_SKEYMGMT guards — was making 3.5 the hard minimum intentional? If not, the new source files could be conditionally compiled and the find_package left as-is.