diff options
| author | Rich Salz <rsalz@akamai.com> | 2021-02-16 17:51:56 -0500 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2021-04-18 10:03:07 +0200 |
| commit | f6c95e46c03025b2694241e1ad785d8bd3ac083b (patch) | |
| tree | 5dcfc46ad06713bc6b581f6bed3ce3e26b0c5970 | |
| parent | 543e740b95e303790f8fe6ec59458b4ecdcfb56c (diff) | |
| download | openssl-f6c95e46c03025b2694241e1ad785d8bd3ac083b.tar.gz | |
Add "origin" field to EVP_CIPHER, EVP_MD
Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch,
or via EVP_{CIPHER,MD}_meth_new. Update EVP_{CIPHER,MD}_free to handle all
three origins. The flag is deliberately right before some function pointers,
so that compile-time failures (int/pointer) will occur, as opposed to
taking a bit in the existing "flags" field. The "global variable" flag
is non-zero, so the default case of using OPENSSL_zalloc (for provider
ciphers), will do the right thing. Ref-counting is a no-op for
Make up_ref no-op for global MD and CIPHER objects
Deprecate EVP_MD_CTX_md(). Added EVP_MD_CTX_get0_md() (same semantics as
the deprecated function) and EVP_MD_CTX_get1_md(). Likewise, deprecate
EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add
EVP_CIPHER_CTX_get1_CIPHER().
Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common
evp_md_free_int() function.
Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common
evp_cipher_free_int() function.
Also change some flags tests to explicit test == or != zero. E.g.,
if (flags & x) --> if ((flags & x) != 0)
if (!(flags & x)) --> if ((flags & x) == 0)
Only done for those lines where "get0_cipher" calls were made.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)
57 files changed, 286 insertions, 112 deletions
diff --git a/apps/dgst.c b/apps/dgst.c index 1e09e90c84..5ddbef8bcc 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -405,7 +405,7 @@ int dgst_main(int argc, char **argv) if (md == NULL) { EVP_MD_CTX *tctx; BIO_get_md_ctx(bmd, &tctx); - md = EVP_MD_CTX_md(tctx); + md = EVP_MD_CTX_get0_md(tctx); } if (md != NULL) md_name = EVP_MD_name(md); diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index a3459e32c9..6ead2e2aca 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -159,7 +159,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, int signid, paramtype, buf_len = 0; int rv, pkey_id; - md = EVP_MD_CTX_md(ctx); + md = EVP_MD_CTX_get0_md(ctx); pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)); if (pkey == NULL) { diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 901813a3d1..01e32b6ee1 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -217,7 +217,7 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int t, rv = 0; SCRYPT_PARAMS *sparam = NULL; - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); goto err; } diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c index 12445c4a24..f666f34d44 100644 --- a/crypto/cmac/cmac.c +++ b/crypto/cmac/cmac.c @@ -137,7 +137,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, /* If anything fails then ensure we can't use this ctx */ ctx->nlast_block = -1; - if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) + if (!EVP_CIPHER_CTX_get0_cipher(ctx->cctx)) return 0; if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) return 0; diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index aa020cedfd..79efd67ba3 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1105,8 +1105,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) * If the selected cipher supports unprotected attributes, * deal with it using special ctrl function */ - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) - & EVP_CIPH_FLAG_CIPHER_WITH_MAC) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) { BIO_free(contentBio); @@ -1225,7 +1225,8 @@ int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) * If the selected cipher supports unprotected attributes, * deal with it using special ctrl function */ - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (env->unprotectedAttrs == NULL) env->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null(); diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 1422f350b0..2fee4784da 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -422,7 +422,7 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, int ret; /* If a suitable wrap algorithm is already set nothing to do */ - kekcipher = EVP_CIPHER_CTX_cipher(ctx); + kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx); if (kekcipher != NULL) { if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE) return 0; diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 0c9a372832..33127cc88c 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -459,7 +459,7 @@ int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, * Workaround for broken implementations that use signature * algorithm OID instead of digest. */ - || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) + || EVP_MD_pkey_type(EVP_MD_CTX_get0_md(mtmp)) == nid) return EVP_MD_CTX_copy_ex(mctx, mtmp); chain = BIO_next(chain); } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 287021fc21..2b232aa700 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -923,7 +923,7 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) } else r = 1; } else { - const EVP_MD *md = EVP_MD_CTX_md(mctx); + const EVP_MD *md = EVP_MD_CTX_get0_md(mctx); const CMS_CTX *ctx = si->cms_ctx; pkctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c index f7970a91f3..bf1e8902a5 100644 --- a/crypto/evp/bio_md.c +++ b/crypto/evp/bio_md.c @@ -145,7 +145,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) switch (cmd) { case BIO_CTRL_RESET: if (BIO_get_init(b)) - ret = EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL); + ret = EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL); else ret = 0; if (ret > 0) @@ -154,7 +154,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_GET_MD: if (BIO_get_init(b)) { ppmd = ptr; - *ppmd = EVP_MD_CTX_md(ctx); + *ppmd = EVP_MD_CTX_get0_md(ctx); } else ret = 0; break; diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 3d31f19829..ce40082977 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -394,7 +394,7 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_GET_MD: if (BIO_get_init(b)) { ppmd = ptr; - *ppmd = EVP_MD_CTX_md(ctx->md); + *ppmd = EVP_MD_CTX_get0_md(ctx->md); } else ret = 0; break; @@ -442,7 +442,7 @@ static int sig_out(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); md_data = EVP_MD_CTX_md_data(md); @@ -486,7 +486,7 @@ static int sig_in(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); md_data = EVP_MD_CTX_md_data(md); @@ -532,7 +532,7 @@ static int block_out(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); tl = ctx->buf_len - OK_BLOCK_BLOCK; @@ -563,7 +563,7 @@ static int block_in(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - md_size = EVP_MD_size(EVP_MD_CTX_md(md)); + md_size = EVP_MD_size(EVP_MD_CTX_get0_md(md)); assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */ tl = ctx->buf[0]; diff --git a/crypto/evp/cmeth_lib.c b/crypto/evp/cmeth_lib.c index 7734295214..2541e5952b 100644 --- a/crypto/evp/cmeth_lib.c +++ b/crypto/evp/cmeth_lib.c @@ -28,6 +28,7 @@ EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len) cipher->nid = cipher_type; cipher->block_size = block_size; cipher->key_len = key_len; + cipher->origin = EVP_ORIG_METH; } return cipher; } @@ -55,7 +56,10 @@ EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher) void EVP_CIPHER_meth_free(EVP_CIPHER *cipher) { - EVP_CIPHER_free(cipher); + if (cipher == NULL || cipher->origin != EVP_ORIG_METH) + return; + + evp_cipher_free_int(cipher); } int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 82e43f2eb1..ef60fc1505 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1026,7 +1026,8 @@ int EVP_MD_up_ref(EVP_MD *md) { int ref = 0; - CRYPTO_UP_REF(&md->refcnt, &ref, md->lock); + if (md->origin == EVP_ORIG_DYNAMIC) + CRYPTO_UP_REF(&md->refcnt, &ref, md->lock); return 1; } @@ -1034,15 +1035,13 @@ void EVP_MD_free(EVP_MD *md) { int i; - if (md == NULL) + if (md == NULL || md->origin != EVP_ORIG_DYNAMIC) return; CRYPTO_DOWN_REF(&md->refcnt, &i, md->lock); if (i > 0) return; - ossl_provider_free(md->prov); - CRYPTO_THREAD_lock_free(md->lock); - OPENSSL_free(md); + evp_md_free_int(md); } void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index df74aca45d..ffafdbcc22 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -395,6 +395,7 @@ static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aesni_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aesni_init_key, \ aesni_##mode##_cipher, \ NULL, \ @@ -402,8 +403,9 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \ NULL,NULL,NULL,NULL }; \ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ - keylen/8,ivlen, \ + keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -418,6 +420,7 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aesni_##mode##_init_key, \ aesni_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -428,6 +431,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -749,6 +753,7 @@ static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_t4_init_key, \ aes_t4_##mode##_cipher, \ NULL, \ @@ -758,6 +763,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -772,6 +778,7 @@ static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_t4_##mode##_init_key, \ aes_t4_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -782,6 +789,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -2249,6 +2257,7 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -2263,6 +2272,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -3511,10 +3521,10 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) typedef struct { union { @@ -3613,7 +3623,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aes_128_wrap = { NID_id_aes128_wrap, - 8, 16, 8, WRAP_FLAGS, + 8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3627,7 +3637,7 @@ const EVP_CIPHER *EVP_aes_128_wrap(void) static const EVP_CIPHER aes_192_wrap = { NID_id_aes192_wrap, - 8, 24, 8, WRAP_FLAGS, + 8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3641,7 +3651,7 @@ const EVP_CIPHER *EVP_aes_192_wrap(void) static const EVP_CIPHER aes_256_wrap = { NID_id_aes256_wrap, - 8, 32, 8, WRAP_FLAGS, + 8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3655,7 +3665,7 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) static const EVP_CIPHER aes_128_wrap_pad = { NID_id_aes128_wrap_pad, - 8, 16, 4, WRAP_FLAGS, + 8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3669,7 +3679,7 @@ const EVP_CIPHER *EVP_aes_128_wrap_pad(void) static const EVP_CIPHER aes_192_wrap_pad = { NID_id_aes192_wrap_pad, - 8, 24, 4, WRAP_FLAGS, + 8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3683,7 +3693,7 @@ const EVP_CIPHER *EVP_aes_192_wrap_pad(void) static const EVP_CIPHER aes_256_wrap_pad = { NID_id_aes256_wrap_pad, - 8, 32, 4, WRAP_FLAGS, + 8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index cdf5985e8b..766f248718 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -914,6 +914,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, @@ -933,6 +934,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 906ec9f7fc..0413f66806 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -898,6 +898,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = { AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, @@ -917,6 +918,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = { AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index e56c4fd006..e7ba2df78f 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c @@ -159,6 +159,7 @@ IMPLEMENT_ARIA_CFBR(256,8) static const EVP_CIPHER aria_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aria_init_key, \ aria_##mode##_cipher, \ NULL, \ @@ -757,6 +758,7 @@ static const EVP_CIPHER aria_##keylen##_##mode = { \ nid##_##keylen##_##nmode, \ blocksize, keylen/8, ivlen, \ ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aria_##mode##_init_key, \ aria_##mode##_cipher, \ aria_##mode##_cleanup, \ diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c index 52c33d472e..db2057a660 100644 --- a/crypto/evp/e_camellia.c +++ b/crypto/evp/e_camellia.c @@ -144,6 +144,7 @@ static int cmll_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER cmll_t4_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ cmll_t4_init_key, \ cmll_t4_##mode##_cipher, \ NULL, \ @@ -153,6 +154,7 @@ static const EVP_CIPHER camellia_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ camellia_init_key, \ camellia_##mode##_cipher, \ NULL, \ @@ -167,6 +169,7 @@ const EVP_CIPHER *EVP_camellia_##keylen##_##mode(void) \ static const EVP_CIPHER camellia_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ camellia_init_key, \ camellia_##mode##_cipher, \ NULL, \ diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 8c69b3a736..9b5441cdb6 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -131,6 +131,7 @@ static const EVP_CIPHER chacha20 = { CHACHA_KEY_SIZE, /* key_len */ CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */ EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT, + EVP_ORIG_GLOBAL, chacha_init_key, chacha_cipher, NULL, @@ -614,6 +615,7 @@ static EVP_CIPHER chacha20_poly1305 = { EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_CUSTOM_IV_LENGTH, + EVP_ORIG_GLOBAL, chacha20_poly1305_init_key, chacha20_poly1305_cipher, chacha20_poly1305_cleanup, diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 7a433ec7af..e8182b628b 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -413,6 +413,7 @@ static const EVP_CIPHER des3_wrap = { 8, 24, 0, EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1, + EVP_ORIG_GLOBAL, des_ede3_init_key, des_ede3_wrap_cipher, NULL, sizeof(DES_EDE_KEY), diff --git a/crypto/evp/e_null.c b/crypto/evp/e_null.c index 2c8d27e3be..af1013e40d 100644 --- a/crypto/evp/e_null.c +++ b/crypto/evp/e_null.c @@ -20,6 +20,7 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER n_cipher = { NID_undef, 1, 0, 0, 0, + EVP_ORIG_GLOBAL, null_init_key, null_cipher, NULL, diff --git a/crypto/evp/e_rc2.c b/crypto/evp/e_rc2.c index 790b816345..7ee18ed1cb 100644 --- a/crypto/evp/e_rc2.c +++ b/crypto/evp/e_rc2.c @@ -53,6 +53,7 @@ static const EVP_CIPHER r2_64_cbc_cipher = { NID_rc2_64_cbc, 8, 8 /* 64 bit */ , 8, EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + EVP_ORIG_GLOBAL, rc2_init_key, rc2_cbc_cipher, NULL, @@ -67,6 +68,7 @@ static const EVP_CIPHER r2_40_cbc_cipher = { NID_rc2_40_cbc, 8, 5 /* 40 bit */ , 8, EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + EVP_ORIG_GLOBAL, rc2_init_key, rc2_cbc_cipher, NULL, diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c index d81fb4cabd..ec07f028c5 100644 --- a/crypto/evp/e_rc4.c +++ b/crypto/evp/e_rc4.c @@ -38,6 +38,7 @@ static const EVP_CIPHER r4_cipher = { NID_rc4, 1, EVP_RC4_KEY_SIZE, 0, EVP_CIPH_VARIABLE_LENGTH, + EVP_ORIG_GLOBAL, rc4_init_key, rc4_cipher, NULL, @@ -52,6 +53,7 @@ static const EVP_CIPHER r4_40_cipher = { NID_rc4_40, 1, 5 /* 40 bit */ , 0, EVP_CIPH_VARIABLE_LENGTH, + EVP_ORIG_GLOBAL, rc4_init_key, rc4_cipher, NULL, diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index bde93f3ab7..6a38f95d5e 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -255,6 +255,7 @@ static EVP_CIPHER r4_hmac_md5_cipher = { 1, EVP_RC4_KEY_SIZE, 0, EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_FLAG_AEAD_CIPHER, + EVP_ORIG_GLOBAL, rc4_hmac_md5_init_key, rc4_hmac_md5_cipher, NULL, diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c index 45f94a19f5..a3767573ce 100644 --- a/crypto/evp/e_sm4.c +++ b/crypto/evp/e_sm4.c @@ -85,6 +85,7 @@ static int sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER sm4_ctr_mode = { NID_sm4_ctr, 1, 16, 16, EVP_CIPH_CTR_MODE, + EVP_ORIG_GLOBAL, sm4_init_key, sm4_ctr_cipher, NULL, diff --git a/crypto/evp/e_xcbc_d.c b/crypto/evp/e_xcbc_d.c index 20756211b0..b3956c10c6 100644 --- a/crypto/evp/e_xcbc_d.c +++ b/crypto/evp/e_xcbc_d.c @@ -41,6 +41,7 @@ static const EVP_CIPHER d_xcbc_cipher = { NID_desx_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, + EVP_ORIG_GLOBAL, desx_cbc_init_key, desx_cbc_cipher, NULL, diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 9073312dfd..2de2a11e5a 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -325,7 +325,8 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, return 0; } - if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_CUSTOM_IV) == 0) { switch (EVP_CIPHER_CTX_mode(ctx)) { case EVP_CIPH_STREAM_CIPHER: @@ -1602,23 +1603,29 @@ int EVP_CIPHER_up_ref(EVP_CIPHER *cipher) { int ref = 0; - CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock); + if (cipher->origin == EVP_ORIG_DYNAMIC) + CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock); return 1; } +void evp_cipher_free_int(EVP_CIPHER *cipher) +{ + ossl_provider_free(cipher->prov); + CRYPTO_THREAD_lock_free(cipher->lock); + OPENSSL_free(cipher); +} + void EVP_CIPHER_free(EVP_CIPHER *cipher) { int i; - if (cipher == NULL || cipher->prov == NULL) + if (cipher == NULL || cipher->origin != EVP_ORIG_DYNAMIC) return; CRYPTO_DOWN_REF(&cipher->refcnt, &i, cipher->lock); if (i > 0) return; - ossl_provider_free(cipher->prov); - CRYPTO_THREAD_lock_free(cipher->lock); - OPENSSL_free(cipher); + evp_cipher_free_int(cipher); } void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 6c578bd8ba..41209fa763 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -422,11 +422,34 @@ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return ctx->cipher->do_cipher(ctx, out, in, inl); } +#ifndef OPENSSL_NO_DEPRECATED_3_0 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { + if (ctx == NULL) + return NULL; + return ctx->cipher; +} +#endif + +const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx) +{ + if (ctx == NULL) + return NULL; return ctx->cipher; } +EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(EVP_CIPHER_CTX *ctx) +{ + EVP_CIPHER *cipher; + + if (ctx == NULL) + return NULL; + cipher = (EVP_CIPHER *)ctx->cipher; + if (!EVP_CIPHER_up_ref(cipher)) + return NULL; + return cipher; +} + int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) { return ctx->encrypt; @@ -767,6 +790,7 @@ EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type) if (md != NULL) { md->type = md_type; md->pkey_type = pkey_type; + md->origin = EVP_ORIG_METH; } return md; } @@ -791,10 +815,21 @@ EVP_MD *EVP_MD_meth_dup(const EVP_MD *md) return to; } +void evp_md_free_int(EVP_MD *md) +{ + ossl_provider_free(md->prov); + CRYPTO_THREAD_lock_free(md->lock); + OPENSSL_free(md); +} + void EVP_MD_meth_free(EVP_MD *md) { - EVP_MD_free(md); + if (md == NULL || md->origin != EVP_ORIG_METH) + return; + + evp_md_free_int(md); } + int EVP_MD_meth_set_input_blocksize(EVP_MD *md, int blocksize) { if (md->block_size != 0) @@ -927,12 +962,33 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd, return md->md_ctrl; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx) { if (ctx == NULL) return NULL; return ctx->reqdigest; } +#endif + +const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx) +{ + if (ctx == NULL) + return NULL; + return ctx->reqdigest; +} + +EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx) +{ + EVP_MD *md; + + if (ctx == NULL) + return NULL; + md = (EVP_MD *)ctx->reqdigest; + if (!EVP_MD_up_ref(md)) + return NULL; + return md; +} EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx) { diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 9473d54817..cdf89a62c0 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h @@ -317,6 +317,8 @@ OSSL_PARAM *evp_pkey_to_param(EVP_PKEY *pkey, size_t *sz); } void evp_pkey_ctx_free_old_ops(EVP_PKEY_CTX *ctx); +void evp_cipher_free_int(EVP_CIPHER *md); +void evp_md_free_int(EVP_MD *md); /* OSSL_PROVIDER * is only used to get the library context */ const char *evp_first_name(const OSSL_PROVIDER *prov, int name_id); diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index bdafd354b4..6a18e5fe01 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -22,6 +22,7 @@ static const EVP_MD blake2b_md = { 0, BLAKE2B_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(blake2b_int_init, blake2b_int_update, blake2b_int_final, NULL, BLAKE2B_BLOCKBYTES), }; @@ -36,6 +37,7 @@ static const EVP_MD blake2s_md = { 0, BLAKE2S_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(blake2s_int_init, blake2s_int_update, blake2s_int_final, NULL, BLAKE2S_BLOCKBYTES), }; diff --git a/crypto/evp/legacy_md2.c b/crypto/evp/legacy_md2.c index d22b3eb6b9..32cfdb82c8 100644 --- a/crypto/evp/legacy_md2.c +++ b/crypto/evp/legacy_md2.c @@ -24,6 +24,7 @@ static const EVP_MD md2_md = { NID_md2WithRSAEncryption, MD2_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md2_init, md2_update, md2_final, NULL, MD2_BLOCK) }; diff --git a/crypto/evp/legacy_md4.c b/crypto/evp/legacy_md4.c index f4351ffbce..0b3a2e6d31 100644 --- a/crypto/evp/legacy_md4.c +++ b/crypto/evp/legacy_md4.c @@ -24,6 +24,7 @@ static const EVP_MD md4_md = { NID_md4WithRSAEncryption, MD4_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md4_init, md4_update, md4_final, NULL, MD4_CBLOCK), }; diff --git a/crypto/evp/legacy_md5.c b/crypto/evp/legacy_md5.c index 3259179144..1bb9b88a2f 100644 --- a/crypto/evp/legacy_md5.c +++ b/crypto/evp/legacy_md5.c @@ -24,6 +24,7 @@ static const EVP_MD md5_md = { NID_md5WithRSAEncryption, MD5_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md5_init, md5_update, md5_final, NULL, MD5_CBLOCK) }; diff --git a/crypto/evp/legacy_md5_sha1.c b/crypto/evp/legacy_md5_sha1.c index 7002bc275c..f72cd37526 100644 --- a/crypto/evp/legacy_md5_sha1.c +++ b/crypto/evp/legacy_md5_sha1.c @@ -29,6 +29,7 @@ static const EVP_MD md5_sha1_md = { NID_md5_sha1, MD5_SHA1_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md5_sha1_int_init, md5_sha1_int_update, md5_sha1_int_final, md5_sha1_int_ctrl, MD5_SHA1_CBLOCK), diff --git a/crypto/evp/legacy_mdc2.c b/crypto/evp/legacy_mdc2.c index 2593124d72..3f78059a0d 100644 --- a/crypto/evp/legacy_mdc2.c +++ b/crypto/evp/legacy_mdc2.c @@ -24,6 +24,7 @@ static const EVP_MD mdc2_md = { NID_mdc2WithRSA, MDC2_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(mdc2_init, mdc2_update, mdc2_final, NULL, MDC2_BLOCK), }; diff --git a/crypto/evp/legacy_ripemd.c b/crypto/evp/legacy_ripemd.c index 92c814caca..93d1c0531a 100644 --- a/crypto/evp/legacy_ripemd.c +++ b/crypto/evp/legacy_ripemd.c @@ -24,6 +24,7 @@ static const EVP_MD ripemd160_md = { NID_ripemd160WithRSA, RIPEMD160_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(ripe_init, ripe_update, ripe_final, NULL, RIPEMD160_CBLOCK), }; diff --git a/crypto/evp/legacy_sha.c b/crypto/evp/legacy_sha.c index 158591e9ab..72335cae75 100644 --- a/crypto/evp/legacy_sha.c +++ b/crypto/evp/legacy_sha.c @@ -89,6 +89,7 @@ static const EVP_MD sha1_md = { NID_sha1WithRSAEncryption, SHA_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha1_init, sha1_update, sha1_final, sha1_int_ctrl, SHA_CBLOCK), }; @@ -103,6 +104,7 @@ static const EVP_MD sha224_md = { NID_sha224WithRSAEncryption, SHA224_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha224_init, sha224_update, sha224_final, NULL, SHA256_CBLOCK), }; @@ -117,6 +119,7 @@ static const EVP_MD sha256_md = { NID_sha256WithRSAEncryption, SHA256_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha256_init, sha256_update, sha256_final, NULL, SHA256_CBLOCK), }; @@ -131,6 +134,7 @@ static const EVP_MD sha512_224_md = { NID_sha512_224WithRSAEncryption, SHA224_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_224_int_init, sha512_224_int_update, sha512_224_int_final, NULL, SHA512_CBLOCK), }; @@ -145,6 +149,7 @@ static const EVP_MD sha512_256_md = { NID_sha512_256WithRSAEncryption, SHA256_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_256_int_init, sha512_256_int_update, sha512_256_int_final, NULL, SHA512_CBLOCK), }; @@ -159,6 +164,7 @@ static const EVP_MD sha384_md = { NID_sha384WithRSAEncryption, SHA384_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha384_init, sha384_update, sha384_final, NULL, SHA512_CBLOCK), }; @@ -173,6 +179,7 @@ static const EVP_MD sha512_md = { NID_sha512WithRSAEncryption, SHA512_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_init, sha512_update, sha512_final, NULL, SHA512_CBLOCK), }; @@ -190,6 +197,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ EVP_MD_FLAG_DIGALGID_ABSENT, \ + EVP_ORIG_GLOBAL, \ LEGACY_EVP_MD_METH_TABLE(sha3_int_init, sha3_int_update, \ sha3_int_final, NULL, \ (KECCAK1600_WIDTH - bitlen * 2) / 8), \ @@ -204,6 +212,7 @@ const EVP_MD *EVP_shake##bitlen(void) \ 0, \ bitlen / 8, \ EVP_MD_FLAG_XOF, \ + EVP_ORIG_GLOBAL, \ LEGACY_EVP_MD_METH_TABLE(shake_init, sha3_int_update, sha3_int_final, \ shake_ctrl, (KECCAK1600_WIDTH - bitlen * 2) / 8), \ }; \ diff --git a/crypto/evp/legacy_wp.c b/crypto/evp/legacy_wp.c index a85c8ba756..d564c758ea 100644 --- a/crypto/evp/legacy_wp.c +++ b/crypto/evp/legacy_wp.c @@ -24,6 +24,7 @@ static const EVP_MD whirlpool_md = { 0, WHIRLPOOL_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(wp_init, wp_update, wp_final, NULL, WHIRLPOOL_BBLOCK / 8), }; diff --git a/crypto/evp/m_null.c b/crypto/evp/m_null.c index 51c93c0dc4..ac889955fe 100644 --- a/crypto/evp/m_null.c +++ b/crypto/evp/m_null.c @@ -34,6 +34,7 @@ static const EVP_MD null_md = { NID_undef, 0, 0, + EVP_ORIG_GLOBAL, init, update, final, diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 3fca9bc529..0a51493efb 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -175,7 +175,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, /* legacy code support for engines */ ERR_set_mark(); /* - * This might be requested by a later call to EVP_MD_CTX_md(). + * This might be requested by a later call to EVP_MD_CTX_get0_md(). * In that case the "explicit fetch" rules apply for that * function (as per man pages), i.e. the ref count is not updated * so the EVP_MD should not be used beyound the lifetime of the diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index 183c1f6074..d2fe56a87f 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -161,7 +161,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, PBKDF2PARAM *kdf = NULL; const EVP_MD *prfmd; - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); goto err; } diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c index c4badb5ffe..6a0ff52451 100644 --- a/crypto/evp/p_sign.c +++ b/crypto/evp/p_sign.c @@ -51,7 +51,7 @@ int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *sigret, goto err; if (EVP_PKEY_sign_init(pkctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_get0_md(ctx)) <= 0) goto err; if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c index 016a5f2e8c..3a50e2de1d 100644 --- a/crypto/evp/p_verify.c +++ b/crypto/evp/p_verify.c @@ -48,7 +48,7 @@ int EVP_VerifyFinal_ex(EVP_MD_CTX *ctx, const unsigned char *sigbuf, goto err; if (EVP_PKEY_verify_init(pkctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_get0_md(ctx)) <= 0) goto err; i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index b942b0cd52..e7a32f9cd6 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -43,7 +43,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, * MAC should be processed on decrypting separately from plain text */ max_out_len = inlen + EVP_CIPHER_CTX_block_size(ctx); - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, 0, &mac_len) < 0) { ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR); goto err; @@ -87,7 +88,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, goto err; } outlen += i; - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (EVP_CIPHER_CTX_encrypting(ctx)) { if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, (int)mac_len, out+outlen) < 0) { diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 964b1367b2..832b4a39b3 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1049,7 +1049,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, * Workaround for some broken clients that put the signature OID * instead of the digest OID in digest_alg->algorithm */ - if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) + if (EVP_MD_pkey_type(EVP_MD_CTX_get0_md(mdc)) == md_type) break; btmp = BIO_next(btmp); } diff --git a/crypto/sm3/legacy_sm3.c b/crypto/sm3/legacy_sm3.c index 8041681b43..c81f3b4ab4 100644 --- a/crypto/sm3/legacy_sm3.c +++ b/crypto/sm3/legacy_sm3.c @@ -20,6 +20,7 @@ static const EVP_MD sm3_md = { NID_sm3WithRSAEncryption, SM3_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sm3_int_init, sm3_int_update, sm3_int_final, NULL, SM3_CBLOCK), }; diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index d01414e5e6..a405c2be59 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -16,7 +16,8 @@ EVP_MD_is_a, EVP_MD_name, EVP_MD_description, EVP_MD_number, EVP_MD_names_do_all, EVP_MD_provider, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags, EVP_MD_CTX_name, -EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, +EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md, +EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn, EVP_md_null, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, @@ -78,7 +79,8 @@ EVP_MD_do_all_provided int EVP_MD_block_size(const EVP_MD *md); unsigned long EVP_MD_flags(const EVP_MD *md); - const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx); + EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx); const char *EVP_MD_CTX_name(const EVP_MD_CTX *ctx); int EVP_MD_CTX_size(const EVP_MD_CTX *ctx); int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); @@ -102,6 +104,8 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value, see L<openssl_user_macros(7)>: + const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, const void *data, size_t count); @@ -351,14 +355,17 @@ Return the digest method private data for the passed B<EVP_MD_CTX>. The space is allocated by OpenSSL and has the size originally set with EVP_MD_meth_set_app_datasize(). -=item EVP_MD_CTX_md() +=item EVP_MD_CTX_get0_md(), EVP_MD_CTX_get1_md() -Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. This +EVP_MD_CTX_get0_md() returns +the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. This will be the same B<EVP_MD> object originally passed to EVP_DigestInit_ex2() (or other similar function) when the EVP_MD_CTX was first initialised. Note that where explicit fetch is in use (see L<EVP_MD_fetch(3)>) the value returned from this function will not have its reference count incremented and therefore it should not be used after the EVP_MD_CTX is freed. +EVP_MD_CTX_get1_md() is the same except the ownership is passed to the +caller and is from the passed B<EVP_MD_CTX>. =item EVP_MD_CTX_set_update_fn() @@ -697,7 +704,9 @@ EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(), EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and EVP_MD_CTX_gettable_params() functions were added in OpenSSL 3.0. -The EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated +The EVP_MD_CTX_md() function was deprecated in OpenSSL 3.0; use +EVP_MD_CTX_get0_md() instead. +EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index b07c102e04..b4a00cf76c 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -48,6 +48,8 @@ EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, +EVP_CIPHER_CTX_get0_cipher, +EVP_CIPHER_CTX_get1_cipher, EVP_CIPHER_CTX_name, EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_get_params, @@ -153,7 +155,8 @@ EVP_CIPHER_do_all_provided unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e); int EVP_CIPHER_type(const EVP_CIPHER *cipher); - const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); + const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx); + EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); const char *EVP_CIPHER_CTX_name(const EVP_CIPHER_CTX *ctx); @@ -181,6 +184,12 @@ EVP_CIPHER_do_all_provided void (*fn)(EVP_CIPHER *cipher, void *arg), void *arg); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B<OPENSSL_API_COMPAT> with a suitable version value, see +L<openssl_user_macros(7)>: + + const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); + =head1 DESCRIPTION The EVP cipher routines are a high-level interface to certain @@ -417,8 +426,10 @@ cipher implementation. EVP_CIPHER_provider() returns an B<OSSL_PROVIDER> pointer to the provider that implements the given B<EVP_CIPHER>. -EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed +EVP_CIPHER_CTX_get0_cipher() returns the B<EVP_CIPHER> structure when passed an B<EVP_CIPHER_CTX> structure. +EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to +the caller. EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode: EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, @@ -938,8 +949,12 @@ EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup() disappeared. EVP_CIPHER_CTX_init() remains as an alias for EVP_CIPHER_CTX_reset(). +The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use +EVP_CIPHER_CTX_get0_cipher() instead. + The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(), EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(), +EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(), EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(), EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(), EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(), diff --git a/engines/e_afalg.c b/engines/e_afalg.c index ac85f523d4..db73873911 100644 --- a/engines/e_afalg.c +++ b/engines/e_afalg.c @@ -553,7 +553,7 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 0; } - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ALG_WARN("%s(%d): Cipher object NULL\n", __FILE__, __LINE__); return 0; } diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 88a1c3d857..0cd0434774 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -232,6 +232,10 @@ struct evp_kdf_st { OSSL_FUNC_kdf_set_ctx_params_fn *set_ctx_params; }; +#define EVP_ORIG_DYNAMIC 0 +#define EVP_ORIG_GLOBAL 1 +#define EVP_ORIG_METH 2 + struct evp_md_st { /* nid */ int type; @@ -240,6 +244,7 @@ struct evp_md_st { int pkey_type; int md_size; unsigned long flags; + int origin; int (*init) (EVP_MD_CTX *ctx); int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); int (*final) (EVP_MD_CTX *ctx, unsigned char *md); @@ -284,6 +289,8 @@ struct evp_cipher_st { /* Legacy structure members */ /* Various flags */ unsigned long flags; + /* How the EVP_CIPHER was created. */ + int origin; /* init key */ int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); @@ -335,7 +342,7 @@ struct evp_cipher_st { #define BLOCK_CIPHER_ecb_loop() \ size_t i, bl; \ - bl = EVP_CIPHER_CTX_cipher(ctx)->block_size; \ + bl = EVP_CIPHER_CTX_get0_cipher(ctx)->block_size; \ if (inl < bl) return 1;\ inl -= bl; \ for (i=0; i <= inl; i+=bl) @@ -420,6 +427,7 @@ static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER cname##_##mode = { \ nid##_##nmode, block_size, key_len, iv_len, \ flags | EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ init_key, \ cname##_##mode##_cipher, \ cleanup, \ @@ -475,6 +483,7 @@ BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \ static const EVP_CIPHER cname##_cbc = {\ nid##_cbc, block_size, key_len, iv_len, \ flags | EVP_CIPH_CBC_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_cbc_cipher,\ cleanup,\ @@ -488,6 +497,7 @@ const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\ static const EVP_CIPHER cname##_cfb = {\ nid##_cfb64, 1, key_len, iv_len, \ flags | EVP_CIPH_CFB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_cfb_cipher,\ cleanup,\ @@ -501,6 +511,7 @@ const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\ static const EVP_CIPHER cname##_ofb = {\ nid##_ofb64, 1, key_len, iv_len, \ flags | EVP_CIPH_OFB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_ofb_cipher,\ cleanup,\ @@ -514,6 +525,7 @@ const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\ static const EVP_CIPHER cname##_ecb = {\ nid##_ecb, block_size, key_len, iv_len, \ flags | EVP_CIPH_ECB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_ecb_cipher,\ cleanup,\ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 6fd895a221..40e50666fe 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -538,9 +538,12 @@ int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); unsigned long EVP_MD_flags(const EVP_MD *md); -const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx); +EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 +const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +OSSL_DEPRECATEDIN_3_0 int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, const void *data, size_t count); OSSL_DEPRECATEDIN_3_0 @@ -548,10 +551,10 @@ void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count)); # endif -# define EVP_MD_CTX_name(e) EVP_MD_name(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e)) +# define EVP_MD_CTX_name(e) EVP_MD_name(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_get0_md(e)) EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); @@ -576,7 +579,8 @@ EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, int EVP_CIPHER_up_ref(EVP_CIPHER *cipher); void EVP_CIPHER_free(EVP_CIPHER *cipher); -const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx); +EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); @@ -584,6 +588,7 @@ int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_tag_length(const EVP_CIPHER_CTX *ctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 +const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); @@ -598,12 +603,12 @@ void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx); void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data); -# define EVP_CIPHER_CTX_name(c) EVP_CIPHER_name(EVP_CIPHER_CTX_cipher(c)) -# define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_name(c) EVP_CIPHER_name(EVP_CIPHER_CTX_get0_cipher(c)) +# define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_get0_cipher(c)) # ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define EVP_CIPHER_CTX_flags(c) EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_flags(c) EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(c)) # endif -# define EVP_CIPHER_CTX_mode(c) EVP_CIPHER_mode(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_mode(c) EVP_CIPHER_mode(EVP_CIPHER_CTX_get0_cipher(c)) # define EVP_ENCODE_LENGTH(l) ((((l)+2)/3*4)+((l)/48+1)*2+80) # define EVP_DECODE_LENGTH(l) (((l)+3)/4*3+80) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 4614a67f24..6713ff72f5 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -829,8 +829,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, sess = s->session; - if ((sess == NULL) || - (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) + if ((sess == NULL) + || (s->enc_write_ctx == NULL) + || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) clear = 1; if (clear) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 17ee8bd483..f416b15861 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -432,13 +432,15 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * jumbo buffer to accommodate up to 8 records, but the * compromise is considered worthy. */ - if (type == SSL3_RT_APPLICATION_DATA && - len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && - s->compress == NULL && s->msg_callback == NULL && - !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && - (BIO_get_ktls_send(s->wbio) == 0) && - EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & - EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { + if (type == SSL3_RT_APPLICATION_DATA + && len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) + && s->compress == NULL + && s->msg_callback == NULL + && !SSL_WRITE_ETM(s) + && SSL_USE_EXPLICIT_IV(s) + && BIO_get_ktls_send(s->wbio) == 0 + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) { unsigned char aad[13]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t packlen; @@ -586,12 +588,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, } if (maxpipes == 0 || s->enc_write_ctx == NULL - || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) - & EVP_CIPH_FLAG_PIPELINE) + || (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + & EVP_CIPH_FLAG_PIPELINE) == 0 || !SSL_USE_EXPLICIT_IV(s)) maxpipes = 1; - if (max_send_fragment == 0 || split_send_fragment == 0 - || split_send_fragment > max_send_fragment) { + if (max_send_fragment == 0 + || split_send_fragment == 0 + || split_send_fragment > max_send_fragment) { /* * We should have prevented this when we set/get the split and max send * fragments so we shouldn't get here @@ -713,8 +716,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, sess = s->session; - if ((sess == NULL) || - (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) { + if ((sess == NULL) + || (s->enc_write_ctx == NULL) + || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) { clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ mac_size = 0; } else { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 3b2ae1f835..ec7d448d39 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -480,8 +480,8 @@ int ssl3_get_record(SSL *s) && thisrr->type == SSL3_RT_APPLICATION_DATA && SSL_USE_EXPLICIT_IV(s) && s->enc_read_ctx != NULL - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) - & EVP_CIPH_FLAG_PIPELINE) + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx)) + & EVP_CIPH_FLAG_PIPELINE) != 0 && ssl3_record_app_data_waiting(s)); if (num_recs == 1 @@ -523,7 +523,7 @@ int ssl3_get_record(SSL *s) /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { - const EVP_MD *tmpmd = EVP_MD_CTX_md(s->read_hash); + const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); @@ -617,9 +617,9 @@ int ssl3_get_record(SSL *s) } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && - (s->enc_read_ctx != NULL) && - (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) { + if ((sess != NULL) + && (s->enc_read_ctx != NULL) + && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ for (j = 0; j < num_recs; j++) { @@ -842,13 +842,13 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, if (s->enc_write_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); } else { ds = s->enc_read_ctx; if (s->enc_read_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); } if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { @@ -967,7 +967,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } if (sending) { - if (EVP_MD_CTX_md(s->write_hash)) { + if (EVP_MD_CTX_get0_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -979,7 +979,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, enc = NULL; else { int ivlen; - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ if (SSL_USE_EXPLICIT_IV(s) && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) @@ -1004,7 +1005,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } } else { - if (EVP_MD_CTX_md(s->read_hash)) { + if (EVP_MD_CTX_get0_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -1015,7 +1016,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (s->enc_read_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); } if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { @@ -1026,11 +1027,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } else { int provided = (EVP_CIPHER_provider(enc) != NULL); - bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds)); + bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); if (n_recs > 1) { - if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_PIPELINE)) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_PIPELINE) == 0) { /* * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining @@ -1042,8 +1043,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, for (ctr = 0; ctr < n_recs; ctr++) { reclen[ctr] = recs[ctr].length; - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_AEAD_CIPHER) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) { unsigned char *seq; seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer) @@ -1214,8 +1215,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, /* TODO(size_t): Convert this call */ tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, (unsigned int)reclen[0]); - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_CUSTOM_CIPHER) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0 ? (tmpr < 0) : (tmpr == 0)) { /* AEAD can fail to verify MAC */ @@ -1353,7 +1354,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) header[j++] = (unsigned char)(rec->length & 0xff); /* Final param == is SSLv3 */ - if (ssl3_cbc_digest_record(EVP_MD_CTX_md(hash), + if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash), md, &md_size, header, rec->input, rec->length, rec->orig_len, @@ -1547,7 +1548,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { - const EVP_MD *tmpmd = EVP_MD_CTX_md(s->read_hash); + const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); @@ -1613,8 +1614,10 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && !SSL_READ_ETM(s) && - (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { + if ((sess != NULL) + && !SSL_READ_ETM(s) + && (s->enc_read_ctx != NULL) + && (EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 66676cd3b8..37568bb6fb 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -132,7 +132,7 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) mac_size = 0; else diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 24eff86c5d..2e061e3dd3 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1027,14 +1027,14 @@ static int test_EVP_Digest(void) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinal(md_ctx, md, NULL)) /* EVP_DigestFinal resets the EVP_MD_CTX. */ - || !TEST_ptr_eq(EVP_MD_CTX_md(md_ctx), NULL)) + || !TEST_ptr_eq(EVP_MD_CTX_get0_md(md_ctx), NULL)) goto out; if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL)) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinal_ex(md_ctx, md, NULL)) /* EVP_DigestFinal_ex does not reset the EVP_MD_CTX. */ - || !TEST_ptr(EVP_MD_CTX_md(md_ctx)) + || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx)) /* * EVP_DigestInit_ex with NULL type should work on * pre-initialized context. @@ -1046,7 +1046,7 @@ static int test_EVP_Digest(void) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinalXOF(md_ctx, md, sizeof(md))) /* EVP_DigestFinalXOF does not reset the EVP_MD_CTX. */ - || !TEST_ptr(EVP_MD_CTX_md(md_ctx)) + || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx)) || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL))) goto out; ret = 1; diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c index ec339ebbc3..a644390917 100644 --- a/test/evp_fetch_prov_test.c +++ b/test/evp_fetch_prov_test.c @@ -66,7 +66,7 @@ static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, || !TEST_true(EVP_DigestFinal_ex(ctx, out, NULL)) || !TEST_mem_eq(out, SHA256_DIGEST_LENGTH, exptd, SHA256_DIGEST_LENGTH) - || !TEST_true(md == EVP_MD_CTX_md(ctx))) + || !TEST_true(md == EVP_MD_CTX_get0_md(ctx))) goto err; ret = 1; diff --git a/util/libcrypto.num b/util/libcrypto.num index bf208e8414..1ec8ee6fd9 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -417,7 +417,7 @@ CRYPTO_ocb128_setiv 424 3_0_0 EXIST::FUNCTION:OCB X509_CRL_digest 425 3_0_0 EXIST::FUNCTION: EVP_aes_128_cbc_hmac_sha1 426 3_0_0 EXIST::FUNCTION: ERR_load_CMS_strings 427 3_0_0 EXIST::FUNCTION:CMS,DEPRECATEDIN_3_0 -EVP_MD_CTX_md 428 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_md 428 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_REVOKED_get_ext 429 3_0_0 EXIST::FUNCTION: d2i_RSA_PSS_PARAMS 430 3_0_0 EXIST::FUNCTION: USERNOTICE_free 431 3_0_0 EXIST::FUNCTION: @@ -2961,7 +2961,7 @@ X509_CRL_sign_ctx 3025 3_0_0 EXIST::FUNCTION: X509_STORE_add_crl 3026 3_0_0 EXIST::FUNCTION: PEM_write_RSAPrivateKey 3027 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,STDIO RC4_set_key 3028 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4 -EVP_CIPHER_CTX_cipher 3029 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_cipher 3029 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 PEM_write_bio_PKCS8PrivateKey_nid 3030 3_0_0 EXIST::FUNCTION: BN_MONT_CTX_new 3031 3_0_0 EXIST::FUNCTION: CRYPTO_free_ex_index 3032 3_0_0 EXIST::FUNCTION: @@ -5352,3 +5352,7 @@ OSSL_PARAM_merge ? 3_0_0 EXIST::FUNCTION: OSSL_PARAM_free ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_todata ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_export ? 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get0_md ? 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get1_md ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get0_cipher ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get1_cipher ? 3_0_0 EXIST::FUNCTION: |