From f6c95e46c03025b2694241e1ad785d8bd3ac083b Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Tue, 16 Feb 2021 17:51:56 -0500 Subject: [PATCH] Add "origin" field to EVP_CIPHER, EVP_MD Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch, or via EVP_{CIPHER,MD}_meth_new. Update EVP_{CIPHER,MD}_free to handle all three origins. The flag is deliberately right before some function pointers, so that compile-time failures (int/pointer) will occur, as opposed to taking a bit in the existing "flags" field. The "global variable" flag is non-zero, so the default case of using OPENSSL_zalloc (for provider ciphers), will do the right thing. Ref-counting is a no-op for Make up_ref no-op for global MD and CIPHER objects Deprecate EVP_MD_CTX_md(). Added EVP_MD_CTX_get0_md() (same semantics as the deprecated function) and EVP_MD_CTX_get1_md(). Likewise, deprecate EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add EVP_CIPHER_CTX_get1_CIPHER(). Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common evp_md_free_int() function. Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common evp_cipher_free_int() function. Also change some flags tests to explicit test == or != zero. E.g., if (flags & x) --> if ((flags & x) != 0) if (!(flags & x)) --> if ((flags & x) == 0) Only done for those lines where "get0_cipher" calls were made. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14193) --- apps/dgst.c | 2 +- crypto/asn1/a_sign.c | 2 +- crypto/asn1/p5_scrypt.c | 2 +- crypto/cmac/cmac.c | 2 +- crypto/cms/cms_env.c | 7 ++-- crypto/cms/cms_kari.c | 2 +- crypto/cms/cms_lib.c | 2 +- crypto/cms/cms_sd.c | 2 +- crypto/evp/bio_md.c | 4 +-- crypto/evp/bio_ok.c | 10 +++--- crypto/evp/cmeth_lib.c | 6 +++- crypto/evp/digest.c | 9 +++-- crypto/evp/e_aes.c | 32 +++++++++++------ crypto/evp/e_aes_cbc_hmac_sha1.c | 2 ++ crypto/evp/e_aes_cbc_hmac_sha256.c | 2 ++ crypto/evp/e_aria.c | 2 ++ crypto/evp/e_camellia.c | 3 ++ crypto/evp/e_chacha20_poly1305.c | 2 ++ crypto/evp/e_des3.c | 1 + crypto/evp/e_null.c | 1 + crypto/evp/e_rc2.c | 2 ++ crypto/evp/e_rc4.c | 2 ++ crypto/evp/e_rc4_hmac_md5.c | 1 + crypto/evp/e_sm4.c | 1 + crypto/evp/e_xcbc_d.c | 1 + crypto/evp/evp_enc.c | 19 ++++++---- crypto/evp/evp_lib.c | 58 +++++++++++++++++++++++++++++- crypto/evp/evp_local.h | 2 ++ crypto/evp/legacy_blake2.c | 2 ++ crypto/evp/legacy_md2.c | 1 + crypto/evp/legacy_md4.c | 1 + crypto/evp/legacy_md5.c | 1 + crypto/evp/legacy_md5_sha1.c | 1 + crypto/evp/legacy_mdc2.c | 1 + crypto/evp/legacy_ripemd.c | 1 + crypto/evp/legacy_sha.c | 9 +++++ crypto/evp/legacy_wp.c | 1 + crypto/evp/m_null.c | 1 + crypto/evp/m_sigver.c | 2 +- crypto/evp/p5_crpt2.c | 2 +- crypto/evp/p_sign.c | 2 +- crypto/evp/p_verify.c | 2 +- crypto/pkcs12/p12_decr.c | 6 ++-- crypto/pkcs7/pk7_doit.c | 2 +- crypto/sm3/legacy_sm3.c | 1 + doc/man3/EVP_DigestInit.pod | 19 +++++++--- doc/man3/EVP_EncryptInit.pod | 19 ++++++++-- engines/e_afalg.c | 2 +- include/crypto/evp.h | 14 +++++++- include/openssl/evp.h | 25 +++++++------ ssl/record/rec_layer_d1.c | 5 +-- ssl/record/rec_layer_s3.c | 30 +++++++++------- ssl/record/ssl3_record.c | 49 +++++++++++++------------ ssl/statem/statem_dtls.c | 2 +- test/evp_extra_test.c | 6 ++-- test/evp_fetch_prov_test.c | 2 +- util/libcrypto.num | 8 +++-- 57 files changed, 286 insertions(+), 112 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index 1e09e90c84..5ddbef8bcc 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -405,7 +405,7 @@ int dgst_main(int argc, char **argv) if (md == NULL) { EVP_MD_CTX *tctx; BIO_get_md_ctx(bmd, &tctx); - md = EVP_MD_CTX_md(tctx); + md = EVP_MD_CTX_get0_md(tctx); } if (md != NULL) md_name = EVP_MD_name(md); diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index a3459e32c9..6ead2e2aca 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -159,7 +159,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, int signid, paramtype, buf_len = 0; int rv, pkey_id; - md = EVP_MD_CTX_md(ctx); + md = EVP_MD_CTX_get0_md(ctx); pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)); if (pkey == NULL) { diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 901813a3d1..01e32b6ee1 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -217,7 +217,7 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int t, rv = 0; SCRYPT_PARAMS *sparam = NULL; - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); goto err; } diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c index 12445c4a24..f666f34d44 100644 --- a/crypto/cmac/cmac.c +++ b/crypto/cmac/cmac.c @@ -137,7 +137,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, /* If anything fails then ensure we can't use this ctx */ ctx->nlast_block = -1; - if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) + if (!EVP_CIPHER_CTX_get0_cipher(ctx->cctx)) return 0; if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) return 0; diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index aa020cedfd..79efd67ba3 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1105,8 +1105,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) * If the selected cipher supports unprotected attributes, * deal with it using special ctrl function */ - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) - & EVP_CIPH_FLAG_CIPHER_WITH_MAC) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0 && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) { BIO_free(contentBio); @@ -1225,7 +1225,8 @@ int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) * If the selected cipher supports unprotected attributes, * deal with it using special ctrl function */ - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (env->unprotectedAttrs == NULL) env->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null(); diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 1422f350b0..2fee4784da 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -422,7 +422,7 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, int ret; /* If a suitable wrap algorithm is already set nothing to do */ - kekcipher = EVP_CIPHER_CTX_cipher(ctx); + kekcipher = EVP_CIPHER_CTX_get0_cipher(ctx); if (kekcipher != NULL) { if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE) return 0; diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 0c9a372832..33127cc88c 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -459,7 +459,7 @@ int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, * Workaround for broken implementations that use signature * algorithm OID instead of digest. */ - || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) + || EVP_MD_pkey_type(EVP_MD_CTX_get0_md(mtmp)) == nid) return EVP_MD_CTX_copy_ex(mctx, mtmp); chain = BIO_next(chain); } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 287021fc21..2b232aa700 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -923,7 +923,7 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) } else r = 1; } else { - const EVP_MD *md = EVP_MD_CTX_md(mctx); + const EVP_MD *md = EVP_MD_CTX_get0_md(mctx); const CMS_CTX *ctx = si->cms_ctx; pkctx = EVP_PKEY_CTX_new_from_pkey(ossl_cms_ctx_get0_libctx(ctx), diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c index f7970a91f3..bf1e8902a5 100644 --- a/crypto/evp/bio_md.c +++ b/crypto/evp/bio_md.c @@ -145,7 +145,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) switch (cmd) { case BIO_CTRL_RESET: if (BIO_get_init(b)) - ret = EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL); + ret = EVP_DigestInit_ex(ctx, EVP_MD_CTX_get0_md(ctx), NULL); else ret = 0; if (ret > 0) @@ -154,7 +154,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_GET_MD: if (BIO_get_init(b)) { ppmd = ptr; - *ppmd = EVP_MD_CTX_md(ctx); + *ppmd = EVP_MD_CTX_get0_md(ctx); } else ret = 0; break; diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 3d31f19829..ce40082977 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -394,7 +394,7 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_GET_MD: if (BIO_get_init(b)) { ppmd = ptr; - *ppmd = EVP_MD_CTX_md(ctx->md); + *ppmd = EVP_MD_CTX_get0_md(ctx->md); } else ret = 0; break; @@ -442,7 +442,7 @@ static int sig_out(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); md_data = EVP_MD_CTX_md_data(md); @@ -486,7 +486,7 @@ static int sig_in(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); md_data = EVP_MD_CTX_md_data(md); @@ -532,7 +532,7 @@ static int block_out(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - digest = EVP_MD_CTX_md(md); + digest = EVP_MD_CTX_get0_md(md); md_size = EVP_MD_size(digest); tl = ctx->buf_len - OK_BLOCK_BLOCK; @@ -563,7 +563,7 @@ static int block_in(BIO *b) ctx = BIO_get_data(b); md = ctx->md; - md_size = EVP_MD_size(EVP_MD_CTX_md(md)); + md_size = EVP_MD_size(EVP_MD_CTX_get0_md(md)); assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */ tl = ctx->buf[0]; diff --git a/crypto/evp/cmeth_lib.c b/crypto/evp/cmeth_lib.c index 7734295214..2541e5952b 100644 --- a/crypto/evp/cmeth_lib.c +++ b/crypto/evp/cmeth_lib.c @@ -28,6 +28,7 @@ EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len) cipher->nid = cipher_type; cipher->block_size = block_size; cipher->key_len = key_len; + cipher->origin = EVP_ORIG_METH; } return cipher; } @@ -55,7 +56,10 @@ EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher) void EVP_CIPHER_meth_free(EVP_CIPHER *cipher) { - EVP_CIPHER_free(cipher); + if (cipher == NULL || cipher->origin != EVP_ORIG_METH) + return; + + evp_cipher_free_int(cipher); } int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 82e43f2eb1..ef60fc1505 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1026,7 +1026,8 @@ int EVP_MD_up_ref(EVP_MD *md) { int ref = 0; - CRYPTO_UP_REF(&md->refcnt, &ref, md->lock); + if (md->origin == EVP_ORIG_DYNAMIC) + CRYPTO_UP_REF(&md->refcnt, &ref, md->lock); return 1; } @@ -1034,15 +1035,13 @@ void EVP_MD_free(EVP_MD *md) { int i; - if (md == NULL) + if (md == NULL || md->origin != EVP_ORIG_DYNAMIC) return; CRYPTO_DOWN_REF(&md->refcnt, &i, md->lock); if (i > 0) return; - ossl_provider_free(md->prov); - CRYPTO_THREAD_lock_free(md->lock); - OPENSSL_free(md); + evp_md_free_int(md); } void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index df74aca45d..ffafdbcc22 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -395,6 +395,7 @@ static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aesni_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aesni_init_key, \ aesni_##mode##_cipher, \ NULL, \ @@ -402,8 +403,9 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \ NULL,NULL,NULL,NULL }; \ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ - keylen/8,ivlen, \ + keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -418,6 +420,7 @@ static const EVP_CIPHER aesni_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aesni_##mode##_init_key, \ aesni_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -428,6 +431,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -749,6 +753,7 @@ static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_t4_init_key, \ aes_t4_##mode##_cipher, \ NULL, \ @@ -758,6 +763,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -772,6 +778,7 @@ static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_t4_##mode##_init_key, \ aes_t4_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -782,6 +789,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -2249,6 +2257,7 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_init_key, \ aes_##mode##_cipher, \ NULL, \ @@ -2263,6 +2272,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE?2:1)*keylen/8, \ ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aes_##mode##_init_key, \ aes_##mode##_cipher, \ aes_##mode##_cleanup, \ @@ -3511,10 +3521,10 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) typedef struct { union { @@ -3613,7 +3623,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER aes_128_wrap = { NID_id_aes128_wrap, - 8, 16, 8, WRAP_FLAGS, + 8, 16, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3627,7 +3637,7 @@ const EVP_CIPHER *EVP_aes_128_wrap(void) static const EVP_CIPHER aes_192_wrap = { NID_id_aes192_wrap, - 8, 24, 8, WRAP_FLAGS, + 8, 24, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3641,7 +3651,7 @@ const EVP_CIPHER *EVP_aes_192_wrap(void) static const EVP_CIPHER aes_256_wrap = { NID_id_aes256_wrap, - 8, 32, 8, WRAP_FLAGS, + 8, 32, 8, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3655,7 +3665,7 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) static const EVP_CIPHER aes_128_wrap_pad = { NID_id_aes128_wrap_pad, - 8, 16, 4, WRAP_FLAGS, + 8, 16, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3669,7 +3679,7 @@ const EVP_CIPHER *EVP_aes_128_wrap_pad(void) static const EVP_CIPHER aes_192_wrap_pad = { NID_id_aes192_wrap_pad, - 8, 24, 4, WRAP_FLAGS, + 8, 24, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), @@ -3683,7 +3693,7 @@ const EVP_CIPHER *EVP_aes_192_wrap_pad(void) static const EVP_CIPHER aes_256_wrap_pad = { NID_id_aes256_wrap_pad, - 8, 32, 4, WRAP_FLAGS, + 8, 32, 4, WRAP_FLAGS, EVP_ORIG_GLOBAL, aes_wrap_init_key, aes_wrap_cipher, NULL, sizeof(EVP_AES_WRAP_CTX), diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index cdf5985e8b..766f248718 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -914,6 +914,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = { AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, @@ -933,6 +934,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = { AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha1_init_key, aesni_cbc_hmac_sha1_cipher, NULL, diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 906ec9f7fc..0413f66806 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -898,6 +898,7 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = { AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, @@ -917,6 +918,7 @@ static EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = { AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE, EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK, + EVP_ORIG_GLOBAL, aesni_cbc_hmac_sha256_init_key, aesni_cbc_hmac_sha256_cipher, NULL, diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index e56c4fd006..e7ba2df78f 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c @@ -159,6 +159,7 @@ IMPLEMENT_ARIA_CFBR(256,8) static const EVP_CIPHER aria_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aria_init_key, \ aria_##mode##_cipher, \ NULL, \ @@ -757,6 +758,7 @@ static const EVP_CIPHER aria_##keylen##_##mode = { \ nid##_##keylen##_##nmode, \ blocksize, keylen/8, ivlen, \ ARIA_AUTH_FLAGS|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ aria_##mode##_init_key, \ aria_##mode##_cipher, \ aria_##mode##_cleanup, \ diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c index 52c33d472e..db2057a660 100644 --- a/crypto/evp/e_camellia.c +++ b/crypto/evp/e_camellia.c @@ -144,6 +144,7 @@ static int cmll_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER cmll_t4_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ cmll_t4_init_key, \ cmll_t4_##mode##_cipher, \ NULL, \ @@ -153,6 +154,7 @@ static const EVP_CIPHER camellia_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize, \ keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ camellia_init_key, \ camellia_##mode##_cipher, \ NULL, \ @@ -167,6 +169,7 @@ const EVP_CIPHER *EVP_camellia_##keylen##_##mode(void) \ static const EVP_CIPHER camellia_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ camellia_init_key, \ camellia_##mode##_cipher, \ NULL, \ diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 8c69b3a736..9b5441cdb6 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -131,6 +131,7 @@ static const EVP_CIPHER chacha20 = { CHACHA_KEY_SIZE, /* key_len */ CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */ EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT, + EVP_ORIG_GLOBAL, chacha_init_key, chacha_cipher, NULL, @@ -614,6 +615,7 @@ static EVP_CIPHER chacha20_poly1305 = { EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_CUSTOM_IV_LENGTH, + EVP_ORIG_GLOBAL, chacha20_poly1305_init_key, chacha20_poly1305_cipher, chacha20_poly1305_cleanup, diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 7a433ec7af..e8182b628b 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -413,6 +413,7 @@ static const EVP_CIPHER des3_wrap = { 8, 24, 0, EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1, + EVP_ORIG_GLOBAL, des_ede3_init_key, des_ede3_wrap_cipher, NULL, sizeof(DES_EDE_KEY), diff --git a/crypto/evp/e_null.c b/crypto/evp/e_null.c index 2c8d27e3be..af1013e40d 100644 --- a/crypto/evp/e_null.c +++ b/crypto/evp/e_null.c @@ -20,6 +20,7 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER n_cipher = { NID_undef, 1, 0, 0, 0, + EVP_ORIG_GLOBAL, null_init_key, null_cipher, NULL, diff --git a/crypto/evp/e_rc2.c b/crypto/evp/e_rc2.c index 790b816345..7ee18ed1cb 100644 --- a/crypto/evp/e_rc2.c +++ b/crypto/evp/e_rc2.c @@ -53,6 +53,7 @@ static const EVP_CIPHER r2_64_cbc_cipher = { NID_rc2_64_cbc, 8, 8 /* 64 bit */ , 8, EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + EVP_ORIG_GLOBAL, rc2_init_key, rc2_cbc_cipher, NULL, @@ -67,6 +68,7 @@ static const EVP_CIPHER r2_40_cbc_cipher = { NID_rc2_40_cbc, 8, 5 /* 40 bit */ , 8, EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT, + EVP_ORIG_GLOBAL, rc2_init_key, rc2_cbc_cipher, NULL, diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c index d81fb4cabd..ec07f028c5 100644 --- a/crypto/evp/e_rc4.c +++ b/crypto/evp/e_rc4.c @@ -38,6 +38,7 @@ static const EVP_CIPHER r4_cipher = { NID_rc4, 1, EVP_RC4_KEY_SIZE, 0, EVP_CIPH_VARIABLE_LENGTH, + EVP_ORIG_GLOBAL, rc4_init_key, rc4_cipher, NULL, @@ -52,6 +53,7 @@ static const EVP_CIPHER r4_40_cipher = { NID_rc4_40, 1, 5 /* 40 bit */ , 0, EVP_CIPH_VARIABLE_LENGTH, + EVP_ORIG_GLOBAL, rc4_init_key, rc4_cipher, NULL, diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index bde93f3ab7..6a38f95d5e 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -255,6 +255,7 @@ static EVP_CIPHER r4_hmac_md5_cipher = { 1, EVP_RC4_KEY_SIZE, 0, EVP_CIPH_STREAM_CIPHER | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_FLAG_AEAD_CIPHER, + EVP_ORIG_GLOBAL, rc4_hmac_md5_init_key, rc4_hmac_md5_cipher, NULL, diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c index 45f94a19f5..a3767573ce 100644 --- a/crypto/evp/e_sm4.c +++ b/crypto/evp/e_sm4.c @@ -85,6 +85,7 @@ static int sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER sm4_ctr_mode = { NID_sm4_ctr, 1, 16, 16, EVP_CIPH_CTR_MODE, + EVP_ORIG_GLOBAL, sm4_init_key, sm4_ctr_cipher, NULL, diff --git a/crypto/evp/e_xcbc_d.c b/crypto/evp/e_xcbc_d.c index 20756211b0..b3956c10c6 100644 --- a/crypto/evp/e_xcbc_d.c +++ b/crypto/evp/e_xcbc_d.c @@ -41,6 +41,7 @@ static const EVP_CIPHER d_xcbc_cipher = { NID_desx_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, + EVP_ORIG_GLOBAL, desx_cbc_init_key, desx_cbc_cipher, NULL, diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 9073312dfd..2de2a11e5a 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -325,7 +325,8 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, return 0; } - if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_CUSTOM_IV) == 0) { switch (EVP_CIPHER_CTX_mode(ctx)) { case EVP_CIPH_STREAM_CIPHER: @@ -1602,23 +1603,29 @@ int EVP_CIPHER_up_ref(EVP_CIPHER *cipher) { int ref = 0; - CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock); + if (cipher->origin == EVP_ORIG_DYNAMIC) + CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock); return 1; } +void evp_cipher_free_int(EVP_CIPHER *cipher) +{ + ossl_provider_free(cipher->prov); + CRYPTO_THREAD_lock_free(cipher->lock); + OPENSSL_free(cipher); +} + void EVP_CIPHER_free(EVP_CIPHER *cipher) { int i; - if (cipher == NULL || cipher->prov == NULL) + if (cipher == NULL || cipher->origin != EVP_ORIG_DYNAMIC) return; CRYPTO_DOWN_REF(&cipher->refcnt, &i, cipher->lock); if (i > 0) return; - ossl_provider_free(cipher->prov); - CRYPTO_THREAD_lock_free(cipher->lock); - OPENSSL_free(cipher); + evp_cipher_free_int(cipher); } void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx, diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 6c578bd8ba..41209fa763 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -422,10 +422,33 @@ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return ctx->cipher->do_cipher(ctx, out, in, inl); } +#ifndef OPENSSL_NO_DEPRECATED_3_0 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { + if (ctx == NULL) + return NULL; return ctx->cipher; } +#endif + +const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx) +{ + if (ctx == NULL) + return NULL; + return ctx->cipher; +} + +EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(EVP_CIPHER_CTX *ctx) +{ + EVP_CIPHER *cipher; + + if (ctx == NULL) + return NULL; + cipher = (EVP_CIPHER *)ctx->cipher; + if (!EVP_CIPHER_up_ref(cipher)) + return NULL; + return cipher; +} int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) { @@ -767,6 +790,7 @@ EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type) if (md != NULL) { md->type = md_type; md->pkey_type = pkey_type; + md->origin = EVP_ORIG_METH; } return md; } @@ -791,10 +815,21 @@ EVP_MD *EVP_MD_meth_dup(const EVP_MD *md) return to; } +void evp_md_free_int(EVP_MD *md) +{ + ossl_provider_free(md->prov); + CRYPTO_THREAD_lock_free(md->lock); + OPENSSL_free(md); +} + void EVP_MD_meth_free(EVP_MD *md) { - EVP_MD_free(md); + if (md == NULL || md->origin != EVP_ORIG_METH) + return; + + evp_md_free_int(md); } + int EVP_MD_meth_set_input_blocksize(EVP_MD *md, int blocksize) { if (md->block_size != 0) @@ -927,12 +962,33 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd, return md->md_ctrl; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx) { if (ctx == NULL) return NULL; return ctx->reqdigest; } +#endif + +const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx) +{ + if (ctx == NULL) + return NULL; + return ctx->reqdigest; +} + +EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx) +{ + EVP_MD *md; + + if (ctx == NULL) + return NULL; + md = (EVP_MD *)ctx->reqdigest; + if (!EVP_MD_up_ref(md)) + return NULL; + return md; +} EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx) { diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 9473d54817..cdf89a62c0 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h @@ -317,6 +317,8 @@ OSSL_PARAM *evp_pkey_to_param(EVP_PKEY *pkey, size_t *sz); } void evp_pkey_ctx_free_old_ops(EVP_PKEY_CTX *ctx); +void evp_cipher_free_int(EVP_CIPHER *md); +void evp_md_free_int(EVP_MD *md); /* OSSL_PROVIDER * is only used to get the library context */ const char *evp_first_name(const OSSL_PROVIDER *prov, int name_id); diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index bdafd354b4..6a18e5fe01 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -22,6 +22,7 @@ static const EVP_MD blake2b_md = { 0, BLAKE2B_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(blake2b_int_init, blake2b_int_update, blake2b_int_final, NULL, BLAKE2B_BLOCKBYTES), }; @@ -36,6 +37,7 @@ static const EVP_MD blake2s_md = { 0, BLAKE2S_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(blake2s_int_init, blake2s_int_update, blake2s_int_final, NULL, BLAKE2S_BLOCKBYTES), }; diff --git a/crypto/evp/legacy_md2.c b/crypto/evp/legacy_md2.c index d22b3eb6b9..32cfdb82c8 100644 --- a/crypto/evp/legacy_md2.c +++ b/crypto/evp/legacy_md2.c @@ -24,6 +24,7 @@ static const EVP_MD md2_md = { NID_md2WithRSAEncryption, MD2_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md2_init, md2_update, md2_final, NULL, MD2_BLOCK) }; diff --git a/crypto/evp/legacy_md4.c b/crypto/evp/legacy_md4.c index f4351ffbce..0b3a2e6d31 100644 --- a/crypto/evp/legacy_md4.c +++ b/crypto/evp/legacy_md4.c @@ -24,6 +24,7 @@ static const EVP_MD md4_md = { NID_md4WithRSAEncryption, MD4_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md4_init, md4_update, md4_final, NULL, MD4_CBLOCK), }; diff --git a/crypto/evp/legacy_md5.c b/crypto/evp/legacy_md5.c index 3259179144..1bb9b88a2f 100644 --- a/crypto/evp/legacy_md5.c +++ b/crypto/evp/legacy_md5.c @@ -24,6 +24,7 @@ static const EVP_MD md5_md = { NID_md5WithRSAEncryption, MD5_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md5_init, md5_update, md5_final, NULL, MD5_CBLOCK) }; diff --git a/crypto/evp/legacy_md5_sha1.c b/crypto/evp/legacy_md5_sha1.c index 7002bc275c..f72cd37526 100644 --- a/crypto/evp/legacy_md5_sha1.c +++ b/crypto/evp/legacy_md5_sha1.c @@ -29,6 +29,7 @@ static const EVP_MD md5_sha1_md = { NID_md5_sha1, MD5_SHA1_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(md5_sha1_int_init, md5_sha1_int_update, md5_sha1_int_final, md5_sha1_int_ctrl, MD5_SHA1_CBLOCK), diff --git a/crypto/evp/legacy_mdc2.c b/crypto/evp/legacy_mdc2.c index 2593124d72..3f78059a0d 100644 --- a/crypto/evp/legacy_mdc2.c +++ b/crypto/evp/legacy_mdc2.c @@ -24,6 +24,7 @@ static const EVP_MD mdc2_md = { NID_mdc2WithRSA, MDC2_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(mdc2_init, mdc2_update, mdc2_final, NULL, MDC2_BLOCK), }; diff --git a/crypto/evp/legacy_ripemd.c b/crypto/evp/legacy_ripemd.c index 92c814caca..93d1c0531a 100644 --- a/crypto/evp/legacy_ripemd.c +++ b/crypto/evp/legacy_ripemd.c @@ -24,6 +24,7 @@ static const EVP_MD ripemd160_md = { NID_ripemd160WithRSA, RIPEMD160_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(ripe_init, ripe_update, ripe_final, NULL, RIPEMD160_CBLOCK), }; diff --git a/crypto/evp/legacy_sha.c b/crypto/evp/legacy_sha.c index 158591e9ab..72335cae75 100644 --- a/crypto/evp/legacy_sha.c +++ b/crypto/evp/legacy_sha.c @@ -89,6 +89,7 @@ static const EVP_MD sha1_md = { NID_sha1WithRSAEncryption, SHA_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha1_init, sha1_update, sha1_final, sha1_int_ctrl, SHA_CBLOCK), }; @@ -103,6 +104,7 @@ static const EVP_MD sha224_md = { NID_sha224WithRSAEncryption, SHA224_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha224_init, sha224_update, sha224_final, NULL, SHA256_CBLOCK), }; @@ -117,6 +119,7 @@ static const EVP_MD sha256_md = { NID_sha256WithRSAEncryption, SHA256_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha256_init, sha256_update, sha256_final, NULL, SHA256_CBLOCK), }; @@ -131,6 +134,7 @@ static const EVP_MD sha512_224_md = { NID_sha512_224WithRSAEncryption, SHA224_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_224_int_init, sha512_224_int_update, sha512_224_int_final, NULL, SHA512_CBLOCK), }; @@ -145,6 +149,7 @@ static const EVP_MD sha512_256_md = { NID_sha512_256WithRSAEncryption, SHA256_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_256_int_init, sha512_256_int_update, sha512_256_int_final, NULL, SHA512_CBLOCK), }; @@ -159,6 +164,7 @@ static const EVP_MD sha384_md = { NID_sha384WithRSAEncryption, SHA384_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha384_init, sha384_update, sha384_final, NULL, SHA512_CBLOCK), }; @@ -173,6 +179,7 @@ static const EVP_MD sha512_md = { NID_sha512WithRSAEncryption, SHA512_DIGEST_LENGTH, EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sha512_init, sha512_update, sha512_final, NULL, SHA512_CBLOCK), }; @@ -190,6 +197,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ EVP_MD_FLAG_DIGALGID_ABSENT, \ + EVP_ORIG_GLOBAL, \ LEGACY_EVP_MD_METH_TABLE(sha3_int_init, sha3_int_update, \ sha3_int_final, NULL, \ (KECCAK1600_WIDTH - bitlen * 2) / 8), \ @@ -204,6 +212,7 @@ const EVP_MD *EVP_shake##bitlen(void) \ 0, \ bitlen / 8, \ EVP_MD_FLAG_XOF, \ + EVP_ORIG_GLOBAL, \ LEGACY_EVP_MD_METH_TABLE(shake_init, sha3_int_update, sha3_int_final, \ shake_ctrl, (KECCAK1600_WIDTH - bitlen * 2) / 8), \ }; \ diff --git a/crypto/evp/legacy_wp.c b/crypto/evp/legacy_wp.c index a85c8ba756..d564c758ea 100644 --- a/crypto/evp/legacy_wp.c +++ b/crypto/evp/legacy_wp.c @@ -24,6 +24,7 @@ static const EVP_MD whirlpool_md = { 0, WHIRLPOOL_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(wp_init, wp_update, wp_final, NULL, WHIRLPOOL_BBLOCK / 8), }; diff --git a/crypto/evp/m_null.c b/crypto/evp/m_null.c index 51c93c0dc4..ac889955fe 100644 --- a/crypto/evp/m_null.c +++ b/crypto/evp/m_null.c @@ -34,6 +34,7 @@ static const EVP_MD null_md = { NID_undef, 0, 0, + EVP_ORIG_GLOBAL, init, update, final, diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 3fca9bc529..0a51493efb 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -175,7 +175,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, /* legacy code support for engines */ ERR_set_mark(); /* - * This might be requested by a later call to EVP_MD_CTX_md(). + * This might be requested by a later call to EVP_MD_CTX_get0_md(). * In that case the "explicit fetch" rules apply for that * function (as per man pages), i.e. the ref count is not updated * so the EVP_MD should not be used beyound the lifetime of the diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index 183c1f6074..d2fe56a87f 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -161,7 +161,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, PBKDF2PARAM *kdf = NULL; const EVP_MD *prfmd; - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); goto err; } diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c index c4badb5ffe..6a0ff52451 100644 --- a/crypto/evp/p_sign.c +++ b/crypto/evp/p_sign.c @@ -51,7 +51,7 @@ int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *sigret, goto err; if (EVP_PKEY_sign_init(pkctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_get0_md(ctx)) <= 0) goto err; if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) goto err; diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c index 016a5f2e8c..3a50e2de1d 100644 --- a/crypto/evp/p_verify.c +++ b/crypto/evp/p_verify.c @@ -48,7 +48,7 @@ int EVP_VerifyFinal_ex(EVP_MD_CTX *ctx, const unsigned char *sigbuf, goto err; if (EVP_PKEY_verify_init(pkctx) <= 0) goto err; - if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_get0_md(ctx)) <= 0) goto err; i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); err: diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index b942b0cd52..e7a32f9cd6 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -43,7 +43,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, * MAC should be processed on decrypting separately from plain text */ max_out_len = inlen + EVP_CIPHER_CTX_block_size(ctx); - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, 0, &mac_len) < 0) { ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR); goto err; @@ -87,7 +88,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, goto err; } outlen += i; - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ctx)) + & EVP_CIPH_FLAG_CIPHER_WITH_MAC) != 0) { if (EVP_CIPHER_CTX_encrypting(ctx)) { if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, (int)mac_len, out+outlen) < 0) { diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 964b1367b2..832b4a39b3 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1049,7 +1049,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, * Workaround for some broken clients that put the signature OID * instead of the digest OID in digest_alg->algorithm */ - if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) + if (EVP_MD_pkey_type(EVP_MD_CTX_get0_md(mdc)) == md_type) break; btmp = BIO_next(btmp); } diff --git a/crypto/sm3/legacy_sm3.c b/crypto/sm3/legacy_sm3.c index 8041681b43..c81f3b4ab4 100644 --- a/crypto/sm3/legacy_sm3.c +++ b/crypto/sm3/legacy_sm3.c @@ -20,6 +20,7 @@ static const EVP_MD sm3_md = { NID_sm3WithRSAEncryption, SM3_DIGEST_LENGTH, 0, + EVP_ORIG_GLOBAL, LEGACY_EVP_MD_METH_TABLE(sm3_int_init, sm3_int_update, sm3_int_final, NULL, SM3_CBLOCK), }; diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index d01414e5e6..a405c2be59 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -16,7 +16,8 @@ EVP_MD_is_a, EVP_MD_name, EVP_MD_description, EVP_MD_number, EVP_MD_names_do_all, EVP_MD_provider, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags, EVP_MD_CTX_name, -EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, +EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md, +EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn, EVP_md_null, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, @@ -78,7 +79,8 @@ EVP_MD_do_all_provided int EVP_MD_block_size(const EVP_MD *md); unsigned long EVP_MD_flags(const EVP_MD *md); - const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx); + EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx); const char *EVP_MD_CTX_name(const EVP_MD_CTX *ctx); int EVP_MD_CTX_size(const EVP_MD_CTX *ctx); int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); @@ -102,6 +104,8 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: + const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, const void *data, size_t count); @@ -351,14 +355,17 @@ Return the digest method private data for the passed B. The space is allocated by OpenSSL and has the size originally set with EVP_MD_meth_set_app_datasize(). -=item EVP_MD_CTX_md() +=item EVP_MD_CTX_get0_md(), EVP_MD_CTX_get1_md() -Returns the B structure corresponding to the passed B. This +EVP_MD_CTX_get0_md() returns +the B structure corresponding to the passed B. This will be the same B object originally passed to EVP_DigestInit_ex2() (or other similar function) when the EVP_MD_CTX was first initialised. Note that where explicit fetch is in use (see L) the value returned from this function will not have its reference count incremented and therefore it should not be used after the EVP_MD_CTX is freed. +EVP_MD_CTX_get1_md() is the same except the ownership is passed to the +caller and is from the passed B. =item EVP_MD_CTX_set_update_fn() @@ -697,7 +704,9 @@ EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(), EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and EVP_MD_CTX_gettable_params() functions were added in OpenSSL 3.0. -The EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated +The EVP_MD_CTX_md() function was deprecated in OpenSSL 3.0; use +EVP_MD_CTX_get0_md() instead. +EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index b07c102e04..b4a00cf76c 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -48,6 +48,8 @@ EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, +EVP_CIPHER_CTX_get0_cipher, +EVP_CIPHER_CTX_get1_cipher, EVP_CIPHER_CTX_name, EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_get_params, @@ -153,7 +155,8 @@ EVP_CIPHER_do_all_provided unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e); int EVP_CIPHER_type(const EVP_CIPHER *cipher); - const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); + const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx); + EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); const char *EVP_CIPHER_CTX_name(const EVP_CIPHER_CTX *ctx); @@ -181,6 +184,12 @@ EVP_CIPHER_do_all_provided void (*fn)(EVP_CIPHER *cipher, void *arg), void *arg); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + + const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); + =head1 DESCRIPTION The EVP cipher routines are a high-level interface to certain @@ -417,8 +426,10 @@ cipher implementation. EVP_CIPHER_provider() returns an B pointer to the provider that implements the given B. -EVP_CIPHER_CTX_cipher() returns the B structure when passed +EVP_CIPHER_CTX_get0_cipher() returns the B structure when passed an B structure. +EVP_CIPHER_CTX_get1_cipher() is the same except the ownership is passed to +the caller. EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode: EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, @@ -938,8 +949,12 @@ EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup() disappeared. EVP_CIPHER_CTX_init() remains as an alias for EVP_CIPHER_CTX_reset(). +The EVP_CIPHER_CTX_cipher() function was deprecated in OpenSSL 3.0; use +EVP_CIPHER_CTX_get0_cipher() instead. + The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(), EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(), +EVP_CIPHER_CTX_get0_cipher(), EVP_CIPHER_CTX_get1_cipher(), EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(), EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(), EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(), diff --git a/engines/e_afalg.c b/engines/e_afalg.c index ac85f523d4..db73873911 100644 --- a/engines/e_afalg.c +++ b/engines/e_afalg.c @@ -553,7 +553,7 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 0; } - if (EVP_CIPHER_CTX_cipher(ctx) == NULL) { + if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) { ALG_WARN("%s(%d): Cipher object NULL\n", __FILE__, __LINE__); return 0; } diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 88a1c3d857..0cd0434774 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -232,6 +232,10 @@ struct evp_kdf_st { OSSL_FUNC_kdf_set_ctx_params_fn *set_ctx_params; }; +#define EVP_ORIG_DYNAMIC 0 +#define EVP_ORIG_GLOBAL 1 +#define EVP_ORIG_METH 2 + struct evp_md_st { /* nid */ int type; @@ -240,6 +244,7 @@ struct evp_md_st { int pkey_type; int md_size; unsigned long flags; + int origin; int (*init) (EVP_MD_CTX *ctx); int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); int (*final) (EVP_MD_CTX *ctx, unsigned char *md); @@ -284,6 +289,8 @@ struct evp_cipher_st { /* Legacy structure members */ /* Various flags */ unsigned long flags; + /* How the EVP_CIPHER was created. */ + int origin; /* init key */ int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); @@ -335,7 +342,7 @@ struct evp_cipher_st { #define BLOCK_CIPHER_ecb_loop() \ size_t i, bl; \ - bl = EVP_CIPHER_CTX_cipher(ctx)->block_size; \ + bl = EVP_CIPHER_CTX_get0_cipher(ctx)->block_size; \ if (inl < bl) return 1;\ inl -= bl; \ for (i=0; i <= inl; i+=bl) @@ -420,6 +427,7 @@ static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static const EVP_CIPHER cname##_##mode = { \ nid##_##nmode, block_size, key_len, iv_len, \ flags | EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ init_key, \ cname##_##mode##_cipher, \ cleanup, \ @@ -475,6 +483,7 @@ BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \ static const EVP_CIPHER cname##_cbc = {\ nid##_cbc, block_size, key_len, iv_len, \ flags | EVP_CIPH_CBC_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_cbc_cipher,\ cleanup,\ @@ -488,6 +497,7 @@ const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\ static const EVP_CIPHER cname##_cfb = {\ nid##_cfb64, 1, key_len, iv_len, \ flags | EVP_CIPH_CFB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_cfb_cipher,\ cleanup,\ @@ -501,6 +511,7 @@ const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\ static const EVP_CIPHER cname##_ofb = {\ nid##_ofb64, 1, key_len, iv_len, \ flags | EVP_CIPH_OFB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_ofb_cipher,\ cleanup,\ @@ -514,6 +525,7 @@ const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\ static const EVP_CIPHER cname##_ecb = {\ nid##_ecb, block_size, key_len, iv_len, \ flags | EVP_CIPH_ECB_MODE,\ + EVP_ORIG_GLOBAL,\ init_key,\ cname##_ecb_cipher,\ cleanup,\ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 6fd895a221..40e50666fe 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -538,9 +538,12 @@ int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); unsigned long EVP_MD_flags(const EVP_MD *md); -const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx); +EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 OSSL_DEPRECATEDIN_3_0 +const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +OSSL_DEPRECATEDIN_3_0 int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, const void *data, size_t count); OSSL_DEPRECATEDIN_3_0 @@ -548,10 +551,10 @@ void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count)); # endif -# define EVP_MD_CTX_name(e) EVP_MD_name(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) -# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e)) +# define EVP_MD_CTX_name(e) EVP_MD_name(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_get0_md(e)) +# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_get0_md(e)) EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); @@ -576,7 +579,8 @@ EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, int EVP_CIPHER_up_ref(EVP_CIPHER *cipher); void EVP_CIPHER_free(EVP_CIPHER *cipher); -const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +const EVP_CIPHER *EVP_CIPHER_CTX_get0_cipher(const EVP_CIPHER_CTX *ctx); +EVP_CIPHER *EVP_CIPHER_CTX_get1_cipher(EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); @@ -584,6 +588,7 @@ int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_tag_length(const EVP_CIPHER_CTX *ctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 +const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); @@ -598,12 +603,12 @@ void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx); void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data); -# define EVP_CIPHER_CTX_name(c) EVP_CIPHER_name(EVP_CIPHER_CTX_cipher(c)) -# define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_name(c) EVP_CIPHER_name(EVP_CIPHER_CTX_get0_cipher(c)) +# define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_get0_cipher(c)) # ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# define EVP_CIPHER_CTX_flags(c) EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_flags(c) EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(c)) # endif -# define EVP_CIPHER_CTX_mode(c) EVP_CIPHER_mode(EVP_CIPHER_CTX_cipher(c)) +# define EVP_CIPHER_CTX_mode(c) EVP_CIPHER_mode(EVP_CIPHER_CTX_get0_cipher(c)) # define EVP_ENCODE_LENGTH(l) ((((l)+2)/3*4)+((l)/48+1)*2+80) # define EVP_DECODE_LENGTH(l) (((l)+3)/4*3+80) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 4614a67f24..6713ff72f5 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -829,8 +829,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, sess = s->session; - if ((sess == NULL) || - (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) + if ((sess == NULL) + || (s->enc_write_ctx == NULL) + || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) clear = 1; if (clear) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 17ee8bd483..f416b15861 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -432,13 +432,15 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * jumbo buffer to accommodate up to 8 records, but the * compromise is considered worthy. */ - if (type == SSL3_RT_APPLICATION_DATA && - len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && - s->compress == NULL && s->msg_callback == NULL && - !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && - (BIO_get_ktls_send(s->wbio) == 0) && - EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & - EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { + if (type == SSL3_RT_APPLICATION_DATA + && len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) + && s->compress == NULL + && s->msg_callback == NULL + && !SSL_WRITE_ETM(s) + && SSL_USE_EXPLICIT_IV(s) + && BIO_get_ktls_send(s->wbio) == 0 + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) { unsigned char aad[13]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t packlen; @@ -586,12 +588,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, } if (maxpipes == 0 || s->enc_write_ctx == NULL - || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) - & EVP_CIPH_FLAG_PIPELINE) + || (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + & EVP_CIPH_FLAG_PIPELINE) == 0 || !SSL_USE_EXPLICIT_IV(s)) maxpipes = 1; - if (max_send_fragment == 0 || split_send_fragment == 0 - || split_send_fragment > max_send_fragment) { + if (max_send_fragment == 0 + || split_send_fragment == 0 + || split_send_fragment > max_send_fragment) { /* * We should have prevented this when we set/get the split and max send * fragments so we shouldn't get here @@ -713,8 +716,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, sess = s->session; - if ((sess == NULL) || - (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) { + if ((sess == NULL) + || (s->enc_write_ctx == NULL) + || (EVP_MD_CTX_get0_md(s->write_hash) == NULL)) { clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ mac_size = 0; } else { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 3b2ae1f835..ec7d448d39 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -480,8 +480,8 @@ int ssl3_get_record(SSL *s) && thisrr->type == SSL3_RT_APPLICATION_DATA && SSL_USE_EXPLICIT_IV(s) && s->enc_read_ctx != NULL - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) - & EVP_CIPH_FLAG_PIPELINE) + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx)) + & EVP_CIPH_FLAG_PIPELINE) != 0 && ssl3_record_app_data_waiting(s)); if (num_recs == 1 @@ -523,7 +523,7 @@ int ssl3_get_record(SSL *s) /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { - const EVP_MD *tmpmd = EVP_MD_CTX_md(s->read_hash); + const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); @@ -617,9 +617,9 @@ int ssl3_get_record(SSL *s) } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && - (s->enc_read_ctx != NULL) && - (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) { + if ((sess != NULL) + && (s->enc_read_ctx != NULL) + && (!SSL_READ_ETM(s) && EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ for (j = 0; j < num_recs; j++) { @@ -842,13 +842,13 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, if (s->enc_write_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); } else { ds = s->enc_read_ctx; if (s->enc_read_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); } if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { @@ -967,7 +967,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } if (sending) { - if (EVP_MD_CTX_md(s->write_hash)) { + if (EVP_MD_CTX_get0_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -979,7 +979,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, enc = NULL; else { int ivlen; - enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ if (SSL_USE_EXPLICIT_IV(s) && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) @@ -1004,7 +1005,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } } else { - if (EVP_MD_CTX_md(s->read_hash)) { + if (EVP_MD_CTX_get0_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -1015,7 +1016,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (s->enc_read_ctx == NULL) enc = NULL; else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + enc = EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx); } if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { @@ -1026,11 +1027,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } else { int provided = (EVP_CIPHER_provider(enc) != NULL); - bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_cipher(ds)); + bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); if (n_recs > 1) { - if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_PIPELINE)) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_PIPELINE) == 0) { /* * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining @@ -1042,8 +1043,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, for (ctr = 0; ctr < n_recs; ctr++) { reclen[ctr] = recs[ctr].length; - if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_AEAD_CIPHER) { + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) { unsigned char *seq; seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer) @@ -1214,8 +1215,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, /* TODO(size_t): Convert this call */ tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, (unsigned int)reclen[0]); - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) - & EVP_CIPH_FLAG_CUSTOM_CIPHER) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0 ? (tmpr < 0) : (tmpr == 0)) { /* AEAD can fail to verify MAC */ @@ -1353,7 +1354,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) header[j++] = (unsigned char)(rec->length & 0xff); /* Final param == is SSLv3 */ - if (ssl3_cbc_digest_record(EVP_MD_CTX_md(hash), + if (ssl3_cbc_digest_record(EVP_MD_CTX_get0_md(hash), md, &md_size, header, rec->input, rec->length, rec->orig_len, @@ -1547,7 +1548,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { - const EVP_MD *tmpmd = EVP_MD_CTX_md(s->read_hash); + const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { imac_size = EVP_MD_size(tmpmd); @@ -1613,8 +1614,10 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && !SSL_READ_ETM(s) && - (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { + if ((sess != NULL) + && !SSL_READ_ETM(s) + && (s->enc_read_ctx != NULL) + && (EVP_MD_CTX_get0_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 66676cd3b8..37568bb6fb 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -132,7 +132,7 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) mac_size = 0; else diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 24eff86c5d..2e061e3dd3 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1027,14 +1027,14 @@ static int test_EVP_Digest(void) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinal(md_ctx, md, NULL)) /* EVP_DigestFinal resets the EVP_MD_CTX. */ - || !TEST_ptr_eq(EVP_MD_CTX_md(md_ctx), NULL)) + || !TEST_ptr_eq(EVP_MD_CTX_get0_md(md_ctx), NULL)) goto out; if (!TEST_true(EVP_DigestInit_ex(md_ctx, sha256, NULL)) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinal_ex(md_ctx, md, NULL)) /* EVP_DigestFinal_ex does not reset the EVP_MD_CTX. */ - || !TEST_ptr(EVP_MD_CTX_md(md_ctx)) + || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx)) /* * EVP_DigestInit_ex with NULL type should work on * pre-initialized context. @@ -1046,7 +1046,7 @@ static int test_EVP_Digest(void) || !TEST_true(EVP_DigestUpdate(md_ctx, kMsg, sizeof(kMsg))) || !TEST_true(EVP_DigestFinalXOF(md_ctx, md, sizeof(md))) /* EVP_DigestFinalXOF does not reset the EVP_MD_CTX. */ - || !TEST_ptr(EVP_MD_CTX_md(md_ctx)) + || !TEST_ptr(EVP_MD_CTX_get0_md(md_ctx)) || !TEST_true(EVP_DigestInit_ex(md_ctx, NULL, NULL))) goto out; ret = 1; diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c index ec339ebbc3..a644390917 100644 --- a/test/evp_fetch_prov_test.c +++ b/test/evp_fetch_prov_test.c @@ -66,7 +66,7 @@ static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, || !TEST_true(EVP_DigestFinal_ex(ctx, out, NULL)) || !TEST_mem_eq(out, SHA256_DIGEST_LENGTH, exptd, SHA256_DIGEST_LENGTH) - || !TEST_true(md == EVP_MD_CTX_md(ctx))) + || !TEST_true(md == EVP_MD_CTX_get0_md(ctx))) goto err; ret = 1; diff --git a/util/libcrypto.num b/util/libcrypto.num index bf208e8414..1ec8ee6fd9 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -417,7 +417,7 @@ CRYPTO_ocb128_setiv 424 3_0_0 EXIST::FUNCTION:OCB X509_CRL_digest 425 3_0_0 EXIST::FUNCTION: EVP_aes_128_cbc_hmac_sha1 426 3_0_0 EXIST::FUNCTION: ERR_load_CMS_strings 427 3_0_0 EXIST::FUNCTION:CMS,DEPRECATEDIN_3_0 -EVP_MD_CTX_md 428 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_md 428 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_REVOKED_get_ext 429 3_0_0 EXIST::FUNCTION: d2i_RSA_PSS_PARAMS 430 3_0_0 EXIST::FUNCTION: USERNOTICE_free 431 3_0_0 EXIST::FUNCTION: @@ -2961,7 +2961,7 @@ X509_CRL_sign_ctx 3025 3_0_0 EXIST::FUNCTION: X509_STORE_add_crl 3026 3_0_0 EXIST::FUNCTION: PEM_write_RSAPrivateKey 3027 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,STDIO RC4_set_key 3028 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4 -EVP_CIPHER_CTX_cipher 3029 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_cipher 3029 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 PEM_write_bio_PKCS8PrivateKey_nid 3030 3_0_0 EXIST::FUNCTION: BN_MONT_CTX_new 3031 3_0_0 EXIST::FUNCTION: CRYPTO_free_ex_index 3032 3_0_0 EXIST::FUNCTION: @@ -5352,3 +5352,7 @@ OSSL_PARAM_merge ? 3_0_0 EXIST::FUNCTION: OSSL_PARAM_free ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_todata ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_export ? 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get0_md ? 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get1_md ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get0_cipher ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get1_cipher ? 3_0_0 EXIST::FUNCTION: