diff options
| -rw-r--r-- | CHANGES.md | 14 | ||||
| -rw-r--r-- | crypto/dh/dh_ameth.c | 5 | ||||
| -rw-r--r-- | crypto/ec/ec_ameth.c | 5 | ||||
| -rw-r--r-- | crypto/evp/ctrl_params_translate.c | 8 | ||||
| -rw-r--r-- | crypto/evp/p_dec.c | 3 | ||||
| -rw-r--r-- | crypto/evp/p_enc.c | 4 | ||||
| -rw-r--r-- | crypto/evp/p_legacy.c | 20 | ||||
| -rw-r--r-- | crypto/evp/p_lib.c | 36 | ||||
| -rw-r--r-- | crypto/pem/pvkfmt.c | 16 | ||||
| -rw-r--r-- | doc/man3/EVP_PKEY_set1_RSA.pod | 22 | ||||
| -rw-r--r-- | include/crypto/evp.h | 7 | ||||
| -rw-r--r-- | include/openssl/evp.h | 10 | ||||
| -rw-r--r-- | test/endecoder_legacy_test.c | 12 | ||||
| -rw-r--r-- | test/sslapitest.c | 14 |
14 files changed, 125 insertions, 51 deletions
diff --git a/CHANGES.md b/CHANGES.md index 0ff517f2d0..c8f8e503ee 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -36,9 +36,21 @@ OpenSSL 3.0 then these functions now return a cached copy of the key. Changes to the internal provider key that take place after the first time the cached key is accessed will not be reflected back in the cached copy. Similarly any - changed made to the cached copy by application code will not be reflected + changes made to the cached copy by application code will not be reflected back in the internal provider key. + For the above reasons the keys returned from these functions should typically + be treated as read-only. To emphasise this the value returned from + EVP_PKEY_get0(), EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), + EVP_PKEY_get0_EC_KEY() and EVP_PKEY_get0_DH() has been made const. This may + break some existing code. Applications broken by this change should be + modified. The preferred solution is to refactor the code to avoid the use of + these deprecated functions. Failing this the code should be modified to use a + const pointer instead. The EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), + EVP_PKEY_get1_EC_KEY() and EVP_PKEY_get1_DH() functions continue to return a + non-const pointer to enable them to be "freed". However they should also be + treated as read-only. + *Matt Caswell* * A number of functions handling low level keys or engines were deprecated diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 338f308934..18f4c9955e 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -433,7 +433,10 @@ static int dh_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: - return ossl_dh_buf2key(EVP_PKEY_get0_DH(pkey), arg2, arg1); + /* We should only be here if we have a legacy key */ + if (!ossl_assert(evp_pkey_is_legacy(pkey))) + return 0; + return ossl_dh_buf2key(evp_pkey_get0_DH_int(pkey), arg2, arg1); case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: return ossl_dh_key2buf(EVP_PKEY_get0_DH(pkey), arg2, 0, 1); default: diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 89241b97c1..694fcb3789 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -482,7 +482,10 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) return 1; case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: - return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); + /* We should only be here if we have a legacy key */ + if (!ossl_assert(evp_pkey_is_legacy(pkey))) + return 0; + return EC_KEY_oct2key(evp_pkey_get0_EC_KEY_int(pkey), arg2, arg1, NULL); case ASN1_PKEY_CTRL_GET1_TLS_ENCPT: return EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(pkey), diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index ae3340395d..966278171c 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1481,7 +1481,7 @@ static int get_payload_group_name(enum state state, #ifndef OPENSSL_NO_DH case EVP_PKEY_DH: { - DH *dh = EVP_PKEY_get0_DH(pkey); + const DH *dh = EVP_PKEY_get0_DH(pkey); int uid = DH_get_nid(dh); if (uid != NID_undef) { @@ -1531,7 +1531,7 @@ static int get_payload_private_key(enum state state, #ifndef OPENSSL_NO_DH case EVP_PKEY_DH: { - DH *dh = EVP_PKEY_get0_DH(pkey); + const DH *dh = EVP_PKEY_get0_DH(pkey); ctx->p2 = (BIGNUM *)DH_get0_priv_key(dh); } @@ -1540,7 +1540,7 @@ static int get_payload_private_key(enum state state, #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: { - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); ctx->p2 = (BIGNUM *)EC_KEY_get0_private_key(ec); } @@ -1590,7 +1590,7 @@ static int get_payload_public_key(enum state state, #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: if (ctx->params->data_type == OSSL_PARAM_OCTET_STRING) { - EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); + const EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(eckey)); const EC_GROUP *ecg = EC_KEY_get0_group(eckey); const EC_POINT *point = EC_KEY_get0_public_key(eckey); diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c index 6ac344e394..2e90705656 100644 --- a/crypto/evp/p_dec.c +++ b/crypto/evp/p_dec.c @@ -16,6 +16,7 @@ #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> +#include "crypto/evp.h" int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl, EVP_PKEY *priv) @@ -28,7 +29,7 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl, } ret = - RSA_private_decrypt(ekl, ek, key, EVP_PKEY_get0_RSA(priv), + RSA_private_decrypt(ekl, ek, key, evp_pkey_get0_RSA_int(priv), RSA_PKCS1_PADDING); err: return ret; diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c index bdc490d884..5881153dbb 100644 --- a/crypto/evp/p_enc.c +++ b/crypto/evp/p_enc.c @@ -16,6 +16,7 @@ #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> +#include "crypto/evp.h" int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key, int key_len, EVP_PKEY *pubk) @@ -26,8 +27,9 @@ int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key, ERR_raise(ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA); goto err; } + ret = - RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk), + RSA_public_encrypt(key_len, key, ek, evp_pkey_get0_RSA_int(pubk), RSA_PKCS1_PADDING); err: return ret; diff --git a/crypto/evp/p_legacy.c b/crypto/evp/p_legacy.c index e478814065..af93288dcb 100644 --- a/crypto/evp/p_legacy.c +++ b/crypto/evp/p_legacy.c @@ -31,7 +31,7 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) return ret; } -RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) +RSA *evp_pkey_get0_RSA_int(const EVP_PKEY *pkey) { if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_AN_RSA_KEY); @@ -40,9 +40,14 @@ RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) return evp_pkey_get_legacy((EVP_PKEY *)pkey); } +const RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) +{ + return evp_pkey_get0_RSA_int(pkey); +} + RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey) { - RSA *ret = EVP_PKEY_get0_RSA(pkey); + RSA *ret = evp_pkey_get0_RSA_int(pkey); if (ret != NULL) RSA_up_ref(ret); @@ -59,18 +64,23 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) return ret; } -EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) +EC_KEY *evp_pkey_get0_EC_KEY_int(const EVP_PKEY *pkey) { if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { - EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY); + ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_EC_KEY); return NULL; } return evp_pkey_get_legacy((EVP_PKEY *)pkey); } +const EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) +{ + return evp_pkey_get0_EC_KEY_int(pkey); +} + EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey) { - EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey); + EC_KEY *ret = evp_pkey_get0_EC_KEY_int(pkey); if (ret != NULL) EC_KEY_up_ref(ret); diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 55214dd3d6..21fbc2ea4c 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -740,7 +740,7 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) } # endif -void *EVP_PKEY_get0(const EVP_PKEY *pkey) +const void *EVP_PKEY_get0(const EVP_PKEY *pkey) { if (pkey == NULL) return NULL; @@ -750,7 +750,7 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey) const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len) { - ASN1_OCTET_STRING *os = NULL; + const ASN1_OCTET_STRING *os = NULL; if (pkey->type != EVP_PKEY_HMAC) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_AN_HMAC_KEY); return NULL; @@ -763,7 +763,7 @@ const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len) # ifndef OPENSSL_NO_POLY1305 const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len) { - ASN1_OCTET_STRING *os = NULL; + const ASN1_OCTET_STRING *os = NULL; if (pkey->type != EVP_PKEY_POLY1305) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_POLY1305_KEY); return NULL; @@ -777,7 +777,7 @@ const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len) # ifndef OPENSSL_NO_SIPHASH const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len) { - ASN1_OCTET_STRING *os = NULL; + const ASN1_OCTET_STRING *os = NULL; if (pkey->type != EVP_PKEY_SIPHASH) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_SIPHASH_KEY); @@ -790,7 +790,7 @@ const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len) # endif # ifndef OPENSSL_NO_DSA -DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) +static DSA *evp_pkey_get0_DSA_int(const EVP_PKEY *pkey) { if (pkey->type != EVP_PKEY_DSA) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_DSA_KEY); @@ -799,6 +799,11 @@ DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) return evp_pkey_get_legacy((EVP_PKEY *)pkey); } +const DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) +{ + return evp_pkey_get0_DSA_int(pkey); +} + int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { int ret = EVP_PKEY_assign_DSA(pkey, key); @@ -808,7 +813,8 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) } DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey) { - DSA *ret = EVP_PKEY_get0_DSA(pkey); + DSA *ret = evp_pkey_get0_DSA_int(pkey); + if (ret != NULL) DSA_up_ref(ret); return ret; @@ -818,7 +824,7 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey) #ifndef FIPS_MODULE # ifndef OPENSSL_NO_EC -static ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type) +static const ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type) { if (EVP_PKEY_base_id(pkey) != type) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_ECX_KEY); @@ -829,7 +835,7 @@ static ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type) static ECX_KEY *evp_pkey_get1_ECX_KEY(EVP_PKEY *pkey, int type) { - ECX_KEY *ret = evp_pkey_get0_ECX_KEY(pkey, type); + ECX_KEY *ret = (ECX_KEY *)evp_pkey_get0_ECX_KEY(pkey, type); if (ret != NULL) ossl_ecx_key_up_ref(ret); return ret; @@ -859,7 +865,7 @@ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) return ret; } -DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) +DH *evp_pkey_get0_DH_int(const EVP_PKEY *pkey) { if (pkey->type != EVP_PKEY_DH && pkey->type != EVP_PKEY_DHX) { ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_DH_KEY); @@ -868,9 +874,15 @@ DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) return evp_pkey_get_legacy((EVP_PKEY *)pkey); } +const DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) +{ + return evp_pkey_get0_DH_int(pkey); +} + DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey) { - DH *ret = EVP_PKEY_get0_DH(pkey); + DH *ret = evp_pkey_get0_DH_int(pkey); + if (ret != NULL) DH_up_ref(ret); return ret; @@ -2166,7 +2178,7 @@ int EVP_PKEY_get_ec_point_conv_form(const EVP_PKEY *pkey) || pkey->keydata == NULL) { #ifndef OPENSSL_NO_EC /* Might work through the legacy route */ - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); if (ec == NULL) return 0; @@ -2206,7 +2218,7 @@ int EVP_PKEY_get_field_type(const EVP_PKEY *pkey) || pkey->keydata == NULL) { #ifndef OPENSSL_NO_EC /* Might work through the legacy route */ - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); const EC_GROUP *grp; if (ec == NULL) diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index de673be005..8006c64b3a 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -450,12 +450,12 @@ static void write_lebn(unsigned char **out, const BIGNUM *bn, int len) *out += len; } -static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic); -static void write_rsa(unsigned char **out, RSA *rsa, int ispub); +static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *magic); +static void write_rsa(unsigned char **out, const RSA *rsa, int ispub); #ifndef OPENSSL_NO_DSA -static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *magic); -static void write_dsa(unsigned char **out, DSA *dsa, int ispub); +static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *magic); +static void write_dsa(unsigned char **out, const DSA *dsa, int ispub); #endif static int do_i2b(unsigned char **out, const EVP_PKEY *pk, int ispub) @@ -542,7 +542,7 @@ static int do_i2b_bio(BIO *out, const EVP_PKEY *pk, int ispub) return -1; } -static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) +static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *pmagic) { int nbyte, hnbyte, bitlen; const BIGNUM *e; @@ -582,7 +582,7 @@ static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) return 0; } -static void write_rsa(unsigned char **out, RSA *rsa, int ispub) +static void write_rsa(unsigned char **out, const RSA *rsa, int ispub) { int nbyte, hnbyte; const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1; @@ -605,7 +605,7 @@ static void write_rsa(unsigned char **out, RSA *rsa, int ispub) } #ifndef OPENSSL_NO_DSA -static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) +static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *pmagic) { int bitlen; const BIGNUM *p = NULL, *q = NULL, *g = NULL; @@ -633,7 +633,7 @@ static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) return 0; } -static void write_dsa(unsigned char **out, DSA *dsa, int ispub) +static void write_dsa(unsigned char **out, const DSA *dsa, int ispub) { int nbyte; const BIGNUM *p = NULL, *q = NULL, *g = NULL; diff --git a/doc/man3/EVP_PKEY_set1_RSA.pod b/doc/man3/EVP_PKEY_set1_RSA.pod index 85cf5b6fe4..64760b2923 100644 --- a/doc/man3/EVP_PKEY_set1_RSA.pod +++ b/doc/man3/EVP_PKEY_set1_RSA.pod @@ -38,10 +38,10 @@ L<openssl_user_macros(7)>: const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len); const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len); const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len); - RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey); - DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey); - DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); - EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); + const RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey); + const DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey); + const DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); + const EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key); int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key); @@ -143,6 +143,17 @@ EVP_PKEY_id(), EVP_PKEY_base_id(), EVP_PKEY_type(), EVP_PKEY_set_alias_type() For EVP_PKEY key type checking purposes, L<EVP_PKEY_is_a(3)> is more generic. +The keys returned from the functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), +EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() were changed to have a "const" +return type in OpenSSL 3.0. As described above the keys returned may be cached +copies of the key held in a provider. Due to this, and unlike in earlier +versions of OpenSSL, they should be considered read-only copies of the key. +Updates to these keys will not be reflected back in the provider side key. The +EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and +EVP_PKEY_get1_EC_KEY() functions were not changed to have a "const" return type +in order that applications can "free" the return value. However applications +should still consider them as read-only copies. + =head1 NOTES In accordance with the OpenSSL naming convention the key obtained @@ -216,6 +227,9 @@ EVP_PKEY_get0_hmac, EVP_PKEY_get0_poly1305, EVP_PKEY_get0_siphash, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine and EVP_PKEY_get0_engine were deprecated in OpenSSL 3.0. +The return value from EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, +EVP_PKEY_get0_EC_KEY were made const in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/crypto/evp.h b/include/crypto/evp.h index c1cce43f80..70cc6fff1c 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -890,4 +890,11 @@ int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params); /* This must ONLY be called for legacy EVP_PKEYs */ int evp_pkey_get_params_to_ctrl(const EVP_PKEY *pkey, OSSL_PARAM *params); +/* Same as the public get0 functions but are not const */ +# ifndef OPENSSL_NO_DEPRECATED_3_0 +DH *evp_pkey_get0_DH_int(const EVP_PKEY *pkey); +EC_KEY *evp_pkey_get0_EC_KEY_int(const EVP_PKEY *pkey); +RSA *evp_pkey_get0_RSA_int(const EVP_PKEY *pkey); +# endif + #endif /* OSSL_CRYPTO_EVP_H */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 2688b690ea..ec8503e7d8 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1249,7 +1249,7 @@ ENGINE *EVP_PKEY_get0_engine(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); OSSL_DEPRECATEDIN_3_0 -void *EVP_PKEY_get0(const EVP_PKEY *pkey); +const void *EVP_PKEY_get0(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len); # ifndef OPENSSL_NO_POLY1305 @@ -1265,7 +1265,7 @@ struct rsa_st; OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key); OSSL_DEPRECATEDIN_3_0 -struct rsa_st *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey); +const struct rsa_st *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); @@ -1274,7 +1274,7 @@ struct dsa_st; OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key); OSSL_DEPRECATEDIN_3_0 -struct dsa_st *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey); +const struct dsa_st *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); # endif @@ -1282,7 +1282,7 @@ struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); # ifndef OPENSSL_NO_DH struct dh_st; OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key); -OSSL_DEPRECATEDIN_3_0 struct dh_st *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); +OSSL_DEPRECATEDIN_3_0 const struct dh_st *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); # endif @@ -1291,7 +1291,7 @@ struct ec_key_st; OSSL_DEPRECATEDIN_3_0 int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key); OSSL_DEPRECATEDIN_3_0 -struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); +const struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); OSSL_DEPRECATEDIN_3_0 struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); # endif diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c index cdf86530ce..c72d15bdaa 100644 --- a/test/endecoder_legacy_test.c +++ b/test/endecoder_legacy_test.c @@ -58,11 +58,11 @@ #include "testutil.h" -typedef int PEM_write_bio_of_void_protected(BIO *out, void *obj, +typedef int PEM_write_bio_of_void_protected(BIO *out, const void *obj, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); -typedef int PEM_write_bio_of_void_unprotected(BIO *out, void *obj); +typedef int PEM_write_bio_of_void_unprotected(BIO *out, const void *obj); typedef void *PEM_read_bio_of_void(BIO *out, void **obj, pem_password_cb *cb, void *u); typedef int EVP_PKEY_print_fn(BIO *out, const EVP_PKEY *pkey, @@ -294,7 +294,7 @@ static int test_membio_str_eq(BIO *bio_provided, BIO *bio_legacy) } static int test_protected_PEM(const char *keytype, int evp_type, - void *legacy_key, + const void *legacy_key, PEM_write_bio_of_void_protected *pem_write_bio, PEM_read_bio_of_void *pem_read_bio, EVP_PKEY_eq_fn *evp_pkey_eq, @@ -362,7 +362,7 @@ static int test_protected_PEM(const char *keytype, int evp_type, } static int test_unprotected_PEM(const char *keytype, int evp_type, - void *legacy_key, + const void *legacy_key, PEM_write_bio_of_void_unprotected *pem_write_bio, PEM_read_bio_of_void *pem_read_bio, EVP_PKEY_eq_fn *evp_pkey_eq, @@ -429,7 +429,7 @@ static int test_unprotected_PEM(const char *keytype, int evp_type, } static int test_DER(const char *keytype, int evp_type, - void *legacy_key, i2d_of_void *i2d, d2i_of_void *d2i, + const void *legacy_key, i2d_of_void *i2d, d2i_of_void *d2i, EVP_PKEY_eq_fn *evp_pkey_eq, EVP_PKEY_print_fn *evp_pkey_print, EVP_PKEY *provided_pkey, int selection, @@ -506,7 +506,7 @@ static int test_key(int idx) int ok = 0; size_t i; EVP_PKEY *pkey = NULL, *downgraded_pkey = NULL; - void *legacy_obj = NULL; + const void *legacy_obj = NULL; /* Get the test data */ if (!TEST_ptr(test_stanza = &test_stanzas[idx]) diff --git a/test/sslapitest.c b/test/sslapitest.c index 06d8e80200..b469d80a17 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8313,7 +8313,14 @@ static DH *tmp_dh_callback(SSL *s, int is_export, int keylen) if (!TEST_ptr(dhpkey)) return NULL; - ret = EVP_PKEY_get0_DH(dhpkey); + /* + * libssl does not free the returned DH, so we free it now knowing that even + * after we free dhpkey, there will still be a reference to the owning + * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length + * of time we need it for. + */ + ret = EVP_PKEY_get1_DH(dhpkey); + DH_free(ret); EVP_PKEY_free(dhpkey); @@ -8361,7 +8368,7 @@ static int test_set_tmp_dh(int idx) } # ifndef OPENSSL_NO_DEPRECATED_3_0 if (idx == 7 || idx == 8) { - dh = EVP_PKEY_get0_DH(dhpkey); + dh = EVP_PKEY_get1_DH(dhpkey); if (!TEST_ptr(dh)) goto end; } @@ -8431,6 +8438,9 @@ static int test_set_tmp_dh(int idx) testresult = 1; end: +# ifndef OPENSSL_NO_DEPRECATED_3_0 + DH_free(dh); +# endif SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); |