diff options
| author | Richard Levitte <levitte@openssl.org> | 2015-12-13 22:08:41 +0100 |
|---|---|---|
| committer | Richard Levitte <levitte@openssl.org> | 2016-01-12 13:52:22 +0100 |
| commit | 846ec07d904f9cc81d486db0db14fb84f61ff6e5 (patch) | |
| tree | 95f8e06e1e66296e20ade5ce79e098216ddbdf99 /ssl | |
| parent | 936166aff21dafed33aeb92bad0a5b46d730221d (diff) | |
Adapt all EVP_CIPHER_CTX users for it becoming opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/record/rec_layer_s3.c | 2 | ||||
| -rw-r--r-- | ssl/record/ssl3_record.c | 10 | ||||
| -rw-r--r-- | ssl/s3_enc.c | 12 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 6 | ||||
| -rw-r--r-- | ssl/statem/statem_dtls.c | 4 | ||||
| -rw-r--r-- | ssl/statem/statem_srvr.c | 22 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 7 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 27 |
8 files changed, 44 insertions, 46 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 53989125d6..0ce5b9e618 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -498,7 +498,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) u_len >= 4 * (max_send_fragment = s->max_send_fragment) && s->compress == NULL && s->msg_callback == NULL && !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && - EVP_CIPHER_flags(s->enc_write_ctx->cipher) & + EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index fd982132c2..d8c7b1ea05 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -587,7 +587,7 @@ int ssl3_enc(SSL *s, int send) rec->input = rec->data; } else { l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); + bs = EVP_CIPHER_CTX_block_size(ds); /* COMPRESS */ @@ -690,9 +690,9 @@ int tls1_enc(SSL *s, int send) ret = 1; } else { l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); + bs = EVP_CIPHER_CTX_block_size(ds); - if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) & EVP_CIPH_FLAG_AEAD_CIPHER) { unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer) @@ -746,7 +746,7 @@ int tls1_enc(SSL *s, int send) } i = EVP_Cipher(ds, rec->data, rec->input, l); - if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) + if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) return -1; /* AEAD can fail to verify MAC */ @@ -1064,7 +1064,7 @@ int tls1_cbc_remove_padding(const SSL *s, padding_length = rec->data[rec->length - 1]; - if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) { /* padding is already verified */ rec->length -= padding_length + 1; return 1; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index c20bff2e75..7a1e201cf4 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -228,14 +228,13 @@ int ssl3_change_cipher_state(SSL *s, int which) if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; - else if ((s->enc_read_ctx = - OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL) + else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; else /* * make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); + EVP_CIPHER_CTX_reset(s->enc_read_ctx); dd = s->enc_read_ctx; if (ssl_replace_hash(&s->read_hash, m) == NULL) { @@ -262,14 +261,13 @@ int ssl3_change_cipher_state(SSL *s, int which) } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; - else if ((s->enc_write_ctx = - OPENSSL_malloc(sizeof(*s->enc_write_ctx))) == NULL) + else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; else /* * make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_write_ctx); + EVP_CIPHER_CTX_reset(s->enc_write_ctx); dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); @@ -293,7 +291,7 @@ int ssl3_change_cipher_state(SSL *s, int which) } if (reuse_dd) - EVP_CIPHER_CTX_cleanup(dd); + EVP_CIPHER_CTX_reset(dd); p = s->s3->tmp.key_block; i = EVP_MD_size(m); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f3eb5b043f..ba52a517e5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3119,13 +3119,11 @@ SSL *SSL_dup(SSL *s) void ssl_clear_cipher_ctx(SSL *s) { if (s->enc_read_ctx != NULL) { - EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); - OPENSSL_free(s->enc_read_ctx); + EVP_CIPHER_CTX_free(s->enc_read_ctx); s->enc_read_ctx = NULL; } if (s->enc_write_ctx != NULL) { - EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); - OPENSSL_free(s->enc_write_ctx); + EVP_CIPHER_CTX_free(s->enc_write_ctx); s->enc_write_ctx = NULL; } #ifndef OPENSSL_NO_COMP diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 258c6fc077..627f20aab7 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -235,7 +235,7 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && (EVP_CIPHER_CTX_flags(s->enc_write_ctx) & + && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) mac_size = 0; else @@ -245,7 +245,7 @@ int dtls1_do_write(SSL *s, int type) if (s->enc_write_ctx && (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) - blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher); + blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx); else blocksize = 0; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index de20bcf9e8..78f9f5c7a9 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2926,7 +2926,7 @@ int tls_construct_server_certificate(SSL *s) int tls_construct_new_session_ticket(SSL *s) { unsigned char *senc = NULL; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; HMAC_CTX *hctx = NULL; unsigned char *p, *macstart; const unsigned char *const_p; @@ -2953,7 +2953,7 @@ int tls_construct_new_session_ticket(SSL *s) return 0; } - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); p = senc; @@ -3000,12 +3000,12 @@ int tls_construct_new_session_ticket(SSL *s) * all the work otherwise use generated values from parent ctx. */ if (tctx->tlsext_ticket_key_cb) { - if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, hctx, 1) < 0) + if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0) goto err; } else { if (RAND_bytes(iv, 16) <= 0) goto err; - if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, + if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv)) goto err; if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, @@ -3028,13 +3028,13 @@ int tls_construct_new_session_ticket(SSL *s) memcpy(p, key_name, 16); p += 16; /* output IV */ - memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); - p += EVP_CIPHER_CTX_iv_length(&ctx); + memcpy(p, iv, EVP_CIPHER_CTX_iv_length(ctx)); + p += EVP_CIPHER_CTX_iv_length(ctx); /* Encrypt session data */ - if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen)) + if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen)) goto err; p += len; - if (!EVP_EncryptFinal(&ctx, p, &len)) + if (!EVP_EncryptFinal(ctx, p, &len)) goto err; p += len; @@ -3043,8 +3043,10 @@ int tls_construct_new_session_ticket(SSL *s) if (!HMAC_Final(hctx, p, &hlen)) goto err; - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); + ctx = NULL; + hctx = NULL; p += hlen; /* Now write out lengths: p points to end of data written */ @@ -3060,7 +3062,7 @@ int tls_construct_new_session_ticket(SSL *s) return 1; err: OPENSSL_free(senc); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); ossl_statem_set_error(s); return 0; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 2d96330e82..9885f24fe8 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -330,14 +330,13 @@ int tls1_change_cipher_state(SSL *s, int which) if (s->enc_read_ctx != NULL) reuse_dd = 1; - else if ((s->enc_read_ctx = - OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL) + else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; else /* * make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); + EVP_CIPHER_CTX_reset(s->enc_read_ctx); dd = s->enc_read_ctx; mac_ctx = ssl_replace_hash(&s->read_hash, NULL); if (mac_ctx == NULL) @@ -405,7 +404,7 @@ int tls1_change_cipher_state(SSL *s, int which) } if (reuse_dd) - EVP_CIPHER_CTX_cleanup(dd); + EVP_CIPHER_CTX_reset(dd); p = s->s3->tmp.key_block; i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 908f8e909c..41b55c8d4b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3060,7 +3060,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int slen, mlen, renew_ticket = 0; unsigned char tick_hmac[EVP_MAX_MD_SIZE]; HMAC_CTX *hctx = NULL; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; /* Need at least keyname + iv + some encrypted data */ if (eticklen < 48) @@ -3069,11 +3069,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, hctx = HMAC_CTX_new(); if (hctx == NULL) return -2; - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, - &ctx, hctx, 0); + ctx, hctx, 0); if (rv < 0) return -1; if (rv == 0) @@ -3086,7 +3086,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, return 2; if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, EVP_sha256(), NULL) <= 0 - || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, + || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, etick + 16) <= 0) { goto err; @@ -3108,26 +3108,27 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, } HMAC_CTX_free(hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return 2; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ - p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); - eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); + p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx); + eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); if (sdec == NULL - || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { - EVP_CIPHER_CTX_cleanup(&ctx); + || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) { + EVP_CIPHER_CTX_free(ctx); return -1; } - if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { - EVP_CIPHER_CTX_cleanup(&ctx); + if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) { + EVP_CIPHER_CTX_free(ctx); OPENSSL_free(sdec); return 2; } slen += mlen; - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; p = sdec; sess = d2i_SSL_SESSION(NULL, &p, slen); @@ -3154,7 +3155,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, */ return 2; err: - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); return -1; } |