summaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ktls.c23
-rw-r--r--ssl/record/rec_layer_d1.c6
-rw-r--r--ssl/record/rec_layer_s3.c10
-rw-r--r--ssl/record/ssl3_record.c60
-rw-r--r--ssl/record/ssl3_record_tls13.c2
-rw-r--r--ssl/s3_enc.c16
-rw-r--r--ssl/ssl_ciph.c15
-rw-r--r--ssl/ssl_lib.c16
-rw-r--r--ssl/statem/extensions.c4
-rw-r--r--ssl/statem/extensions_clnt.c6
-rw-r--r--ssl/statem/extensions_srvr.c5
-rw-r--r--ssl/statem/statem_clnt.c11
-rw-r--r--ssl/statem/statem_dtls.c8
-rw-r--r--ssl/statem/statem_lib.c17
-rw-r--r--ssl/statem/statem_srvr.c10
-rw-r--r--ssl/t1_enc.c32
-rw-r--r--ssl/t1_lib.c26
-rw-r--r--ssl/tls13_enc.c26
18 files changed, 150 insertions, 143 deletions
diff --git a/ssl/ktls.c b/ssl/ktls.c
index 4aece2e7b7..a5de8bd720 100644
--- a/ssl/ktls.c
+++ b/ssl/ktls.c
@@ -67,7 +67,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
case SSL_AES256GCM:
crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16;
if (s->version == TLS1_3_VERSION)
- crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd);
+ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd);
else
crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
break;
@@ -87,7 +87,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
return 0;
}
crypto_info->cipher_algorithm = CRYPTO_AES_CBC;
- crypto_info->iv_len = EVP_CIPHER_iv_length(c);
+ crypto_info->iv_len = EVP_CIPHER_get_iv_length(c);
crypto_info->auth_key = mac_key;
crypto_info->auth_key_len = mac_secret_size;
break;
@@ -95,7 +95,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
return 0;
}
crypto_info->cipher_key = key;
- crypto_info->cipher_key_len = EVP_CIPHER_key_length(c);
+ crypto_info->cipher_key_len = EVP_CIPHER_get_key_length(c);
crypto_info->iv = iv;
crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff;
crypto_info->tls_vminor = (s->version & 0x000000ff);
@@ -129,11 +129,11 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
/* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
* or Chacha20-Poly1305
*/
- switch (EVP_CIPHER_nid(c))
+ switch (EVP_CIPHER_get_nid(c))
{
# ifdef OPENSSL_KTLS_AES_CCM_128
case NID_aes_128_ccm:
- if (EVP_CIPHER_CTX_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
+ if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN)
return 0;
# endif
# ifdef OPENSSL_KTLS_AES_GCM_128
@@ -163,7 +163,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
unsigned char *iiv = iv;
if (s->version == TLS1_2_VERSION &&
- EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
+ EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv,
EVP_GCM_TLS_FIXED_IV_LEN
+ EVP_GCM_TLS_EXPLICIT_IV_LEN))
@@ -172,7 +172,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
}
memset(crypto_info, 0, sizeof(*crypto_info));
- switch (EVP_CIPHER_nid(c))
+ switch (EVP_CIPHER_get_nid(c))
{
# ifdef OPENSSL_KTLS_AES_GCM_128
case NID_aes_128_gcm:
@@ -182,7 +182,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm128.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN,
TLS_CIPHER_AES_GCM_128_IV_SIZE);
memcpy(crypto_info->gcm128.salt, iiv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
- memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_key_length(c));
+ memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
if (rec_seq != NULL)
@@ -197,7 +197,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm256.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN,
TLS_CIPHER_AES_GCM_256_IV_SIZE);
memcpy(crypto_info->gcm256.salt, iiv, TLS_CIPHER_AES_GCM_256_SALT_SIZE);
- memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_key_length(c));
+ memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
if (rec_seq != NULL)
@@ -212,7 +212,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->ccm128.iv, iiv + EVP_CCM_TLS_FIXED_IV_LEN,
TLS_CIPHER_AES_CCM_128_IV_SIZE);
memcpy(crypto_info->ccm128.salt, iiv, TLS_CIPHER_AES_CCM_128_SALT_SIZE);
- memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_key_length(c));
+ memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
if (rec_seq != NULL)
@@ -226,7 +226,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
memcpy(crypto_info->chacha20poly1305.iv, iiv,
TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
- memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c));
+ memcpy(crypto_info->chacha20poly1305.key, key,
+ EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
if (rec_seq != NULL)
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 6713ff72f5..336ebc8b79 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -837,7 +837,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
if (clear)
mac_size = 0;
else {
- mac_size = EVP_MD_CTX_size(s->write_hash);
+ mac_size = EVP_MD_CTX_get_size(s->write_hash);
if (mac_size < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE);
@@ -871,9 +871,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
/* Explicit IV length, block ciphers appropriate version flag */
if (s->enc_write_ctx) {
- int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+ int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx);
if (mode == EVP_CIPH_CBC_MODE) {
- eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+ eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx);
if (eivlen <= 1)
eivlen = 0;
}
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 8cd102ecae..a217db772a 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -439,7 +439,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
&& !SSL_WRITE_ETM(s)
&& SSL_USE_EXPLICIT_IV(s)
&& BIO_get_ktls_send(s->wbio) == 0
- && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
+ && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
& EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) {
unsigned char aad[13];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
@@ -588,7 +588,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
}
if (maxpipes == 0
|| s->enc_write_ctx == NULL
- || (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
+ || (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx))
& EVP_CIPH_FLAG_PIPELINE) == 0
|| !SSL_USE_EXPLICIT_IV(s))
maxpipes = 1;
@@ -723,7 +723,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
mac_size = 0;
} else {
/* TODO(siz_t): Convert me */
- mac_size = EVP_MD_CTX_size(s->write_hash);
+ mac_size = EVP_MD_CTX_get_size(s->write_hash);
if (mac_size < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
@@ -831,10 +831,10 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* Explicit IV length, block ciphers appropriate version flag */
if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) {
- int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+ int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx);
if (mode == EVP_CIPH_CBC_MODE) {
/* TODO(size_t): Convert me */
- eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+ eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx);
if (eivlen <= 1)
eivlen = 0;
} else if (mode == EVP_CIPH_GCM_MODE) {
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 8788d49e4c..8c4ff01dd1 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -480,7 +480,7 @@ int ssl3_get_record(SSL *s)
&& thisrr->type == SSL3_RT_APPLICATION_DATA
&& SSL_USE_EXPLICIT_IV(s)
&& s->enc_read_ctx != NULL
- && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx))
+ && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx))
& EVP_CIPH_FLAG_PIPELINE) != 0
&& ssl3_record_app_data_waiting(s));
@@ -526,7 +526,7 @@ int ssl3_get_record(SSL *s)
const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash);
if (tmpmd != NULL) {
- imac_size = EVP_MD_size(tmpmd);
+ imac_size = EVP_MD_get_size(tmpmd);
if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
return -1;
@@ -855,11 +855,11 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
memmove(rec->data, rec->input, rec->length);
rec->input = rec->data;
} else {
- int provided = (EVP_CIPHER_provider(enc) != NULL);
+ int provided = (EVP_CIPHER_get0_provider(enc) != NULL);
l = rec->length;
/* TODO(size_t): Convert this call */
- bs = EVP_CIPHER_CTX_block_size(ds);
+ bs = EVP_CIPHER_CTX_get_block_size(ds);
/* COMPRESS */
@@ -889,7 +889,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
/* otherwise, rec->length >= bs */
}
- if (EVP_CIPHER_provider(enc) != NULL) {
+ if (EVP_CIPHER_get0_provider(enc) != NULL) {
int outlen;
if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
@@ -968,7 +968,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
if (sending) {
if (EVP_MD_CTX_get0_md(s->write_hash)) {
- int n = EVP_MD_CTX_size(s->write_hash);
+ int n = EVP_MD_CTX_get_size(s->write_hash);
if (!ossl_assert(n >= 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
@@ -983,8 +983,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx);
/* For TLSv1.1 and later explicit IV */
if (SSL_USE_EXPLICIT_IV(s)
- && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
- ivlen = EVP_CIPHER_iv_length(enc);
+ && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
+ ivlen = EVP_CIPHER_get_iv_length(enc);
else
ivlen = 0;
if (ivlen > 1) {
@@ -1006,7 +1006,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
}
} else {
if (EVP_MD_CTX_get0_md(s->read_hash)) {
- int n = EVP_MD_CTX_size(s->read_hash);
+ int n = EVP_MD_CTX_get_size(s->read_hash);
if (!ossl_assert(n >= 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
@@ -1025,12 +1025,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
recs[ctr].input = recs[ctr].data;
}
} else {
- int provided = (EVP_CIPHER_provider(enc) != NULL);
+ int provided = (EVP_CIPHER_get0_provider(enc) != NULL);
- bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_get0_cipher(ds));
+ bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds));
if (n_recs > 1) {
- if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds))
+ if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
& EVP_CIPH_FLAG_PIPELINE) == 0) {
/*
* We shouldn't have been called with pipeline data if the
@@ -1043,7 +1043,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
for (ctr = 0; ctr < n_recs; ctr++) {
reclen[ctr] = recs[ctr].length;
- if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds))
+ if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
& EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
unsigned char *seq;
@@ -1177,10 +1177,10 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
* any explicit IV
*/
if (!sending) {
- if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
+ if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
- } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
+ } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
} else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
@@ -1215,7 +1215,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
/* TODO(size_t): Convert this call */
tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
(unsigned int)reclen[0]);
- if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds))
+ if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
& EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0
? (tmpr < 0)
: (tmpr == 0)) {
@@ -1225,13 +1225,13 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
if (!sending) {
/* Adjust the record to remove the explicit IV/MAC/Tag */
- if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
+ if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
for (ctr = 0; ctr < n_recs; ctr++) {
recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
}
- } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
+ } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
for (ctr = 0; ctr < n_recs; ctr++) {
recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
@@ -1261,7 +1261,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
: NULL,
bs,
macsize,
- (EVP_CIPHER_flags(enc)
+ (EVP_CIPHER_get_flags(enc)
& EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
s->ctx->libctx))
return 0;
@@ -1283,7 +1283,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
*/
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
- switch (EVP_MD_CTX_type(ctx)) {
+ switch (EVP_MD_CTX_get_type(ctx)) {
case NID_md5:
case NID_sha1:
case NID_sha224:
@@ -1315,15 +1315,15 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
hash = ssl->read_hash;
}
- t = EVP_MD_CTX_size(hash);
+ t = EVP_MD_CTX_get_size(hash);
if (t < 0)
return 0;
md_size = t;
npad = (48 / md_size) * md_size;
- if (!sending &&
- EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- ssl3_cbc_record_digest_supported(hash)) {
+ if (!sending
+ && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE
+ && ssl3_cbc_record_digest_supported(hash)) {
#ifdef OPENSSL_NO_DEPRECATED_3_0
return 0;
#else
@@ -1418,7 +1418,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
hash = ssl->read_hash;
}
- t = EVP_MD_CTX_size(hash);
+ t = EVP_MD_CTX_get_size(hash);
if (!ossl_assert(t >= 0))
return 0;
md_size = t;
@@ -1457,16 +1457,16 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
header[11] = (unsigned char)(rec->length >> 8);
header[12] = (unsigned char)(rec->length & 0xff);
- if (!sending && !SSL_READ_ETM(ssl) &&
- EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- ssl3_cbc_record_digest_supported(mac_ctx)) {
+ if (!sending && !SSL_READ_ETM(ssl)
+ && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE
+ && ssl3_cbc_record_digest_supported(mac_ctx)) {
OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params;
*p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE,
&rec->orig_len);
*p++ = OSSL_PARAM_construct_end();
- if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_pkey_ctx(mac_ctx),
+ if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx),
tls_hmac_params))
return 0;
}
@@ -1551,7 +1551,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash);
if (tmpmd != NULL) {
- imac_size = EVP_MD_size(tmpmd);
+ imac_size = EVP_MD_get_size(tmpmd);
if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
return -1;
diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index 0e4b310148..13c007ae23 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -62,7 +62,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
return 1;
}
- ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+ ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
if (s->early_data_state == SSL_EARLY_DATA_WRITING
|| s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 88ac6e4205..64b246eb65 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -186,15 +186,15 @@ int ssl3_change_cipher_state(SSL *s, int which)
EVP_CIPHER_CTX_reset(dd);
p = s->s3.tmp.key_block;
- mdi = EVP_MD_size(m);
+ mdi = EVP_MD_get_size(m);
if (mdi < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
i = mdi;
- cl = EVP_CIPHER_key_length(c);
+ cl = EVP_CIPHER_get_key_length(c);
j = cl;
- k = EVP_CIPHER_iv_length(c);
+ k = EVP_CIPHER_get_iv_length(c);
if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
(which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
ms = &(p[0]);
@@ -225,7 +225,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
goto err;
}
- if (EVP_CIPHER_provider(c) != NULL
+ if (EVP_CIPHER_get0_provider(c) != NULL
&& !tls_provider_set_tls_params(s, dd, c, m)) {
/* SSLfatal already called */
goto err;
@@ -266,11 +266,11 @@ int ssl3_setup_key_block(SSL *s)
s->s3.tmp.new_compression = comp;
#endif
- num = EVP_MD_size(hash);
+ num = EVP_MD_get_size(hash);
if (num < 0)
return 0;
- num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
+ num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c);
num *= 2;
ssl3_cleanup_key_block(s);
@@ -424,7 +424,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
return 0;
}
- if (EVP_MD_CTX_type(s->s3.handshake_dgst) != NID_md5_sha1) {
+ if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST);
return 0;
}
@@ -440,7 +440,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
goto err;
}
- ret = EVP_MD_CTX_size(ctx);
+ ret = EVP_MD_CTX_get_size(ctx);
if (ret < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ret = 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 582124aa1f..d7c19feedf 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -346,7 +346,7 @@ int ssl_load_ciphers(SSL_CTX *ctx)
if (md == NULL) {
ctx->disabled_mac_mask |= t->mask;
} else {
- int tmpsize = EVP_MD_size(md);
+ int tmpsize = EVP_MD_get_size(md);
if (!ossl_assert(tmpsize >= 0))
return 0;
ctx->ssl_mac_secret_size[i] = tmpsize;
@@ -566,8 +566,9 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
*mac_secret_size = ctx->ssl_mac_secret_size[i];
}
- if ((*enc != NULL) &&
- (*md != NULL || (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
+ if ((*enc != NULL)
+ && (*md != NULL
+ || (EVP_CIPHER_get_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
&& (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
const EVP_CIPHER *evp = NULL;
@@ -2172,7 +2173,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
if (e_md == NULL)
return 0;
- mac = EVP_MD_size(e_md);
+ mac = EVP_MD_get_size(e_md);
if (c->algorithm_enc != SSL_eNULL) {
int cipher_nid = SSL_CIPHER_get_cipher_nid(c);
const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid);
@@ -2180,12 +2181,12 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
/* If it wasn't AEAD or SSL_eNULL, we expect it to be a
known CBC cipher. */
if (e_ciph == NULL ||
- EVP_CIPHER_mode(e_ciph) != EVP_CIPH_CBC_MODE)
+ EVP_CIPHER_get_mode(e_ciph) != EVP_CIPH_CBC_MODE)
return 0;
in = 1; /* padding length byte */
- out = EVP_CIPHER_iv_length(e_ciph);
- blk = EVP_CIPHER_block_size(e_ciph);
+ out = EVP_CIPHER_get_iv_length(e_ciph);
+ blk = EVP_CIPHER_get_block_size(e_ciph);
}
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index af95f2e056..c8ab4a66a0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -305,7 +305,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
}
}
- if (md != NULL && dlen != (size_t)EVP_MD_size(md)) {
+ if (md != NULL && dlen != (size_t)EVP_MD_get_size(md)) {
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH);
return 0;
}
@@ -4764,7 +4764,7 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
{
EVP_MD_CTX *ctx = NULL;
EVP_MD_CTX *hdgst = s->s3.handshake_dgst;
- int hashleni = EVP_MD_CTX_size(hdgst);
+ int hashleni = EVP_MD_CTX_get_size(hdgst);
int ret = 0;
if (hashleni < 0 || (size_t)hashleni > outlen) {
@@ -5898,7 +5898,7 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx,
int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
{
/* Don't up-ref an implicit EVP_CIPHER */
- if (EVP_CIPHER_provider(cipher) == NULL)
+ if (EVP_CIPHER_get0_provider(cipher) == NULL)
return 1;
/*
@@ -5913,7 +5913,7 @@ void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
if (cipher == NULL)
return;
- if (EVP_CIPHER_provider(cipher) != NULL) {
+ if (EVP_CIPHER_get0_provider(cipher) != NULL) {
/*
* The cipher was explicitly fetched and therefore it is safe to cast
* away the const
@@ -5942,7 +5942,7 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx,
int ssl_evp_md_up_ref(const EVP_MD *md)
{
/* Don't up-ref an implicit EVP_MD */
- if (EVP_MD_provider(md) == NULL)
+ if (EVP_MD_get0_provider(md) == NULL)
return 1;
/*
@@ -5957,7 +5957,7 @@ void ssl_evp_md_free(const EVP_MD *md)
if (md == NULL)
return;
- if (EVP_MD_provider(md) != NULL) {
+ if (EVP_MD_get0_provider(md) != NULL) {
/*
* The digest was explicitly fetched and therefore it is safe to cast
* away the const
@@ -5969,7 +5969,7 @@ void ssl_evp_md_free(const EVP_MD *md)
int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
{
if (!ssl_security(s, SSL_SECOP_TMP_DH,
- EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) {
+ EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(dhpkey);
return 0;
@@ -5982,7 +5982,7 @@ int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey)
int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey)
{
if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
- EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) {
+ EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) {
ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(dhpkey);
return 0;
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 42d591e11e..d12e940704 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1453,7 +1453,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
#endif
const unsigned char *label;
size_t bindersize, labelsize, hashsize;
- int hashsizei = EVP_MD_size(md);
+ int hashsizei = EVP_MD_get_size(md);
int ret = -1;
int usepskfored = 0;
@@ -1587,7 +1587,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
binderout = tmpbinder;
bindersize = hashsize;
- if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_name(md), s->ctx->libctx,
+ if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), s->ctx->libctx,
s->ctx->propq, mackey, NULL) <= 0
|| EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
|| EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index fe9f8a9de6..545b2d034f 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -937,7 +937,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
* length.
*/
hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
- + EVP_MD_size(md);
+ + EVP_MD_get_size(md);
}
}
@@ -1068,7 +1068,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
*/
agems += s->session->ext.tick_age_add;
- reshashsize = EVP_MD_size(mdres);
+ reshashsize = EVP_MD_get_size(mdres);
s->ext.tick_identity++;
dores = 1;
}
@@ -1097,7 +1097,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
return EXT_RETURN_FAIL;
}
- pskhashsize = EVP_MD_size(mdpsk);
+ pskhashsize = EVP_MD_get_size(mdpsk);
}
/* Create the extension, but skip over the binder for now */
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 6b3b33e239..51c3251635 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1164,7 +1164,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
md = ssl_md(s->ctx, sess->cipher->algorithm2);
if (!EVP_MD_is_a(md,
- EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
+ EVP_MD_get0_name(ssl_md(s->ctx,
+ s->s3.tmp.new_cipher->algorithm2)))) {
/* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
@@ -1179,7 +1180,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 1;
binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
- hashsize = EVP_MD_size(md);
+ hashsize = EVP_MD_get_size(md);
if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 82bb013865..88b34c6ad1 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2083,7 +2083,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
goto err;
}
- if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
+ if (!ssl_security(s, SSL_SECOP_TMP_DH,
+ EVP_PKEY_get_security_bits(peer_tmp),
0, peer_tmp)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
goto err;
@@ -2258,7 +2259,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
}
if (SSL_USE_SIGALGS(s))
OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
- md == NULL ? "n/a" : EVP_MD_name(md));
+ md == NULL ? "n/a" : EVP_MD_get0_name(md));
if (!PACKET_get_length_prefixed_2(pkt, &signature)
|| PACKET_remaining(pkt) != 0) {
@@ -2273,7 +2274,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
}
if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
- md == NULL ? NULL : EVP_MD_name(md),
+ md == NULL ? NULL : EVP_MD_get0_name(md),
s->ctx->libctx, s->ctx->propq, pkey,
NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
@@ -2589,7 +2590,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
/* This is a standalone message in TLSv1.3, so there is no more to read */
if (SSL_IS_TLS13(s)) {
const EVP_MD *md = ssl_handshake_md(s);
- int hashleni = EVP_MD_size(md);
+ int hashleni = EVP_MD_get_size(md);
size_t hashlen;
static const unsigned char nonce_label[] = "resumption";
@@ -2942,7 +2943,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
* stack, we need to zero pad the DHE pub key to the same length
* as the prime.
*/
- prime_len = EVP_PKEY_size(ckey);
+ prime_len = EVP_PKEY_get_size(ckey);
pad_len = prime_len - encoded_pub_len;
if (pad_len > 0) {
if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) {