authorBenjamin Kaduk <bkaduk@akamai.com>2020-06-19 18:43:58 -0700
committerBenjamin Kaduk <bkaduk@akamai.com>2020-08-11 07:07:56 -0700
commit79f4417ed940793fe7d48d613c9b903d00630b69 (patch)
tree9c5baacb912033464b21b32bf7d1111cea268268 /crypto/evp
parent8489026850b38447d8e3e68c4d4260585b7e8e3a (diff)
Deprecate and replace EVP_CIPHER_CTX_iv()/etc.
The EVP_CIPHER_CTX_iv() family of functions are incompatible with the libcrypto/provider separation, since the implied API contract (they are undocumented) involves a pointer into the active cipher context structure. However, the active IV data in a provider-side context need not even be in the same address space as libcrypto, so a replacement API is needed. The existing functions for accessing the (even the "original") IV had remained undocumented for quite some time, presumably due to unease about exposing the internals of the cipher state in such a manner. Provide more maintainable new APIs for accessing the initial ("oiv") and current-state ("iv") IV data, that copy the value into a caller-provided array, eliminating the need to provide a pointer into the internal cipher context, which accordingly no longer provides the ability to write to the internal cipher state. Unfortunately, in order to maintain API compatibility with OpenSSL 1.1.1, the old functionality is still available, but is marked as deprecated for future removal. This would entail removing the "octet pointer" parameter access, leaving only the "octet string" parameter type. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
Diffstat (limited to 'crypto/evp')
-rw-r--r--crypto/evp/evp_lib.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index e6902ac6f1..be20a348f2 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -436,6 +436,7 @@ int EVP_CIPHER_CTX_tag_length(const EVP_CIPHER_CTX *ctx)
return ret == 1 ? (int)v : 0;
}
+#ifndef OPENSSL_NO_DEPRECATED_3_0
const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx)
{
int ok;
@@ -480,6 +481,25 @@ unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)
return ok != 0 ? v : NULL;
}
+#endif /* OPENSSL_NO_DEPRECATED_3_0_0 */
+
+int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+ params[0] =
+ OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV_STATE, buf, len);
+ return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params);
+}
+
+int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+ params[0] =
+ OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV, buf, len);
+ return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params);
+}
unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx)
{
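Review bot: Both new getters, EVP_CIPHER_CTX_get_iv_state() and EVP_CIPHER_CTX_get_iv(), return the result of evp_do_ciph_ctx_getparams() unchanged, whereas the context line `return ret == 1 ? (int)v : 0;` in the first hunk suggests that sibling getters normalise their result to success or failure. If that helper can return anything other than 0 or 1 (for example a negative "unsupported" code; its definition is not visible here), a caller that tests `if (!EVP_CIPHER_CTX_get_iv(ctx, buf, len))` would treat the failure as success and go on to use an unfilled buffer as IV material. I would normalise the result, e.g. `return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params) == 1;`, and add a short comment above each function stating that `buf` receives a copy of the IV, what happens when `len` does not match the cipher's IV length, and that `ctx` must be non-NULL since it is dereferenced unchecked. Separately, the closing comment `#endif /* OPENSSL_NO_DEPRECATED_3_0_0 */` does not match the `#ifndef OPENSSL_NO_DEPRECATED_3_0` it closes.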