Add "origin" field to EVP_CIPHER, EVP_MD

Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch,
or via EVP_{CIPHER,MD}_meth_new.  Update EVP_{CIPHER,MD}_free to handle all
three origins. The flag is deliberately right before some function pointers,
so that compile-time failures (int/pointer) will occur, as opposed to
taking a bit in the existing "flags" field.  The "global variable" flag
is non-zero, so the default case of using OPENSSL_zalloc (for provider
ciphers), will do the right thing. Ref-counting is a no-op for
Make up_ref no-op for global MD and CIPHER objects

Deprecate EVP_MD_CTX_md().  Added EVP_MD_CTX_get0_md() (same semantics as
the deprecated function) and EVP_MD_CTX_get1_md().  Likewise, deprecate
EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add
EVP_CIPHER_CTX_get1_CIPHER().

Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common
evp_md_free_int() function.
Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common
evp_cipher_free_int() function.

Also change some flags tests to explicit test == or != zero. E.g.,
        if (flags & x) --> if ((flags & x) != 0)
        if (!(flags & x)) --> if ((flags & x) == 0)
Only done for those lines where "get0_cipher" calls were made.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)

2 files changed, 31 insertions, 7 deletions

diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index d01414e5e6..a405c2be59 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -16,7 +16,8 @@ EVP_MD_is_a, EVP_MD_name, EVP_MD_description, EVP_MD_number,
 EVP_MD_names_do_all, EVP_MD_provider,
 EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags,
 EVP_MD_CTX_name,
-EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size,
+EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md,
+EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size,
 EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
 EVP_md_null,
 EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj,
@@ -78,7 +79,8 @@ EVP_MD_do_all_provided
  int EVP_MD_block_size(const EVP_MD *md);
  unsigned long EVP_MD_flags(const EVP_MD *md);
 
- const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
+ const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx);
+ EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx);
  const char *EVP_MD_CTX_name(const EVP_MD_CTX *ctx);
  int EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
  int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
@@ -102,6 +104,8 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining
 B<OPENSSL_API_COMPAT> with a suitable version value, see
 L<openssl_user_macros(7)>:
 
+ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
+
  int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
                                               const void *data, size_t count);
 
@@ -351,14 +355,17 @@ Return the digest method private data for the passed B<EVP_MD_CTX>.
 The space is allocated by OpenSSL and has the size originally set with
 EVP_MD_meth_set_app_datasize().
 
-=item EVP_MD_CTX_md()
+=item EVP_MD_CTX_get0_md(), EVP_MD_CTX_get1_md()
 
-Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. This
+EVP_MD_CTX_get0_md() returns
+the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. This
 will be the same B<EVP_MD> object originally passed to EVP_DigestInit_ex2() (or
 other similar function) when the EVP_MD_CTX was first initialised. Note that
 where explicit fetch is in use (see L<EVP_MD_fetch(3)>) the value returned from
 this function will not have its reference count incremented and therefore it
 should not be used after the EVP_MD_CTX is freed.
+EVP_MD_CTX_get1_md() is the same except the ownership is passed to the
+caller and is from the passed B<EVP_MD_CTX>.
 
 =item EVP_MD_CTX_set_update_fn()
 
@@ -697,7 +704,9 @@ EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(),
 EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and
 EVP_MD_CTX_gettable_params() functions were added in OpenSSL 3.0.
 
-The EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated
+The EVP_MD_CTX_md() function was deprecated in OpenSSL 3.0; use
+EVP_MD_CTX_get0_md() instead.
+EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated
 in OpenSSL 3.0.
 
 =head1 COPYRIGHT
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index b07c102e04..b4a00cf76c 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -48,6 +48,8 @@ EVP_CIPHER_flags,
 EVP_CIPHER_mode,
 EVP_CIPHER_type,
 EVP_CIPHER_CTX_cipher,
+EVP_CIPHER_CTX_get0_cipher,
+EVP_CIPHER_CTX_get1_cipher,
 EVP_CIPHER_CTX_name,
 EVP_CIPHER_CTX_nid,
 EVP_CIPHER_CTX_get_params,
@@ -153,7 +155,8 @@ EVP_CIPHER_do_all_provided
  unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e);
  int EVP_CIPHER_type(const EVP_CIPHER *cipher);
 
- const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
+ const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx);
+ EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx);
  int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
  const char *EVP_CIPHER_CTX_name(const EVP_CIPHER_CTX *ctx);
 
@@ -181,6 +184,12 @@ EVP_CIPHER_do_all_provided
                                  void (*fn)(EVP_CIPHER *cipher, void *arg),
                                  void *arg);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
+
 =head1 DESCRIPTION
 
 The EVP cipher routines are a high-level interface to certain
@@ -417,8 +426,10 @@ cipher implementation.
 EVP_CIPHER_provider() returns an B<OSSL_PROVIDER> pointer to the provider
 that implements the given B<EVP_CIPHER>.
 
-EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
+EVP_CIPHER_CTX_get0_cipher() returns the B<EVP_CIPHER> structure when passed
 an B<EVP_CIPHER_CTX> structure.
+EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to
+the caller.
 
 EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode:
 EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
@@ -938,8 +949,12 @@ EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
 disappeared.  EVP_CIPHER_CTX_init() remains as an alias for
 EVP_CIPHER_CTX_reset().
 
+The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use
+EVP_CIPHER_CTX_get0_cipher() instead.
+
 The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
 EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
+EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(),
 EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
 EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
 EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),