From 846ec07d904f9cc81d486db0db14fb84f61ff6e5 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 13 Dec 2015 22:08:41 +0100 Subject: Adapt all EVP_CIPHER_CTX users for it becoming opaque Reviewed-by: Rich Salz --- crypto/asn1/p5_pbev2.c | 17 ++++++++++------- crypto/asn1/p5_scrypt.c | 15 +++++++++------ crypto/cmac/cmac.c | 46 +++++++++++++++++++++++++--------------------- crypto/cms/cms_asn1.c | 8 +++++--- crypto/cms/cms_kari.c | 15 ++++++++------- crypto/cms/cms_lcl.h | 2 +- crypto/cms/cms_pwri.c | 39 ++++++++++++++++++++------------------- crypto/evp/bio_enc.c | 36 +++++++++++++++++++++--------------- crypto/evp/p_open.c | 2 +- crypto/evp/p_seal.c | 2 +- crypto/pem/pem_info.c | 2 -- crypto/pem/pem_lib.c | 27 ++++++++++++++------------- crypto/pem/pvkfmt.c | 30 ++++++++++++++---------------- crypto/pkcs12/p12_decr.c | 18 +++++++++++------- 14 files changed, 140 insertions(+), 119 deletions(-) (limited to 'crypto') diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index ba0c92aca8..f85096ba93 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -93,7 +93,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, { X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL; int alg_nid, keylen; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; PBE2PARAM *pbe2 = NULL; ASN1_OBJECT *obj; @@ -123,14 +123,15 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, goto err; } - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto merr; /* Dummy cipherinit to just setup the IV, and PRF */ - if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0)) + if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0)) goto err; - if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { + if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) { ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); - EVP_CIPHER_CTX_cleanup(&ctx); goto err; } /* @@ -138,11 +139,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, * here: just means use default PRF. */ if ((prf_nid == -1) && - EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) { + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) { ERR_clear_error(); prf_nid = NID_hmacWithSHA1; } - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; /* If its RC2 then we'd better setup the key length */ @@ -182,6 +184,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ERR_R_MALLOC_FAILURE); err: + EVP_CIPHER_CTX_free(ctx); PBE2PARAM_free(pbe2); /* Note 'scheme' is freed as part of pbe2 */ X509_ALGOR_free(kalg); diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 06bb2ac2c2..af7b902a85 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -103,7 +103,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL; int alg_nid; size_t keylen = 0; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; PBE2PARAM *pbe2 = NULL; ASN1_OBJECT *obj; @@ -146,18 +146,20 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, goto err; } - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto merr; /* Dummy cipherinit to just setup the IV */ - if (EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0) == 0) + if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0) goto err; - if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { + if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) { ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); - EVP_CIPHER_CTX_cleanup(&ctx); goto err; } - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; /* If its RC2 then we'd better setup the key length */ @@ -199,6 +201,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, PBE2PARAM_free(pbe2); X509_ALGOR_free(kalg); X509_ALGOR_free(ret); + EVP_CIPHER_CTX_free(ctx); return NULL; diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c index fc9e761266..15634a7960 100644 --- a/crypto/cmac/cmac.c +++ b/crypto/cmac/cmac.c @@ -60,7 +60,7 @@ struct CMAC_CTX_st { /* Cipher context to use */ - EVP_CIPHER_CTX cctx; + EVP_CIPHER_CTX *cctx; /* Keys k1 and k2 */ unsigned char k1[EVP_MAX_BLOCK_LENGTH]; unsigned char k2[EVP_MAX_BLOCK_LENGTH]; @@ -94,14 +94,18 @@ CMAC_CTX *CMAC_CTX_new(void) ctx = OPENSSL_malloc(sizeof(*ctx)); if (ctx == NULL) return NULL; - EVP_CIPHER_CTX_init(&ctx->cctx); + ctx->cctx = EVP_CIPHER_CTX_new(); + if (ctx->cctx == NULL) { + OPENSSL_free(ctx); + return NULL; + } ctx->nlast_block = -1; return ctx; } void CMAC_CTX_cleanup(CMAC_CTX *ctx) { - EVP_CIPHER_CTX_cleanup(&ctx->cctx); + EVP_CIPHER_CTX_free(ctx->cctx); OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH); @@ -111,7 +115,7 @@ void CMAC_CTX_cleanup(CMAC_CTX *ctx) EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx) { - return &ctx->cctx; + return ctx->cctx; } void CMAC_CTX_free(CMAC_CTX *ctx) @@ -127,9 +131,9 @@ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) int bl; if (in->nlast_block == -1) return 0; - if (!EVP_CIPHER_CTX_copy(&out->cctx, &in->cctx)) + if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx)) return 0; - bl = M_EVP_CIPHER_CTX_block_size(&in->cctx); + bl = EVP_CIPHER_CTX_block_size(in->cctx); memcpy(out->k1, in->k1, bl); memcpy(out->k2, in->k2, bl); memcpy(out->tbl, in->tbl, bl); @@ -147,32 +151,32 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, /* Not initialised */ if (ctx->nlast_block == -1) return 0; - if (!M_EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv)) + if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) return 0; - memset(ctx->tbl, 0, M_EVP_CIPHER_CTX_block_size(&ctx->cctx)); + memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(ctx->cctx)); ctx->nlast_block = 0; return 1; } /* Initialiase context */ - if (cipher && !M_EVP_EncryptInit_ex(&ctx->cctx, cipher, impl, NULL, NULL)) + if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL)) return 0; /* Non-NULL key means initialisation complete */ if (key) { int bl; - if (!M_EVP_CIPHER_CTX_cipher(&ctx->cctx)) + if (!EVP_CIPHER_CTX_cipher(ctx->cctx)) return 0; - if (!EVP_CIPHER_CTX_set_key_length(&ctx->cctx, keylen)) + if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen)) return 0; - if (!M_EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, key, zero_iv)) + if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv)) return 0; - bl = M_EVP_CIPHER_CTX_block_size(&ctx->cctx); - if (!EVP_Cipher(&ctx->cctx, ctx->tbl, zero_iv, bl)) + bl = EVP_CIPHER_CTX_block_size(ctx->cctx); + if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl)) return 0; make_kn(ctx->k1, ctx->tbl, bl); make_kn(ctx->k2, ctx->k1, bl); OPENSSL_cleanse(ctx->tbl, bl); /* Reset context again ready for first data block */ - if (!M_EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv)) + if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv)) return 0; /* Zero tbl so resume works */ memset(ctx->tbl, 0, bl); @@ -189,7 +193,7 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) return 0; if (dlen == 0) return 1; - bl = M_EVP_CIPHER_CTX_block_size(&ctx->cctx); + bl = EVP_CIPHER_CTX_block_size(ctx->cctx); /* Copy into partial block if we need to */ if (ctx->nlast_block > 0) { size_t nleft; @@ -204,12 +208,12 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) return 1; data += nleft; /* Else not final block so encrypt it */ - if (!EVP_Cipher(&ctx->cctx, ctx->tbl, ctx->last_block, bl)) + if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl)) return 0; } /* Encrypt all but one of the complete blocks left */ while (dlen > bl) { - if (!EVP_Cipher(&ctx->cctx, ctx->tbl, data, bl)) + if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl)) return 0; dlen -= bl; data += bl; @@ -226,7 +230,7 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) int i, bl, lb; if (ctx->nlast_block == -1) return 0; - bl = M_EVP_CIPHER_CTX_block_size(&ctx->cctx); + bl = EVP_CIPHER_CTX_block_size(ctx->cctx); *poutlen = (size_t)bl; if (!out) return 1; @@ -242,7 +246,7 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) for (i = 0; i < bl; i++) out[i] = ctx->last_block[i] ^ ctx->k2[i]; } - if (!EVP_Cipher(&ctx->cctx, out, out, bl)) { + if (!EVP_Cipher(ctx->cctx, out, out, bl)) { OPENSSL_cleanse(out, bl); return 0; } @@ -260,5 +264,5 @@ int CMAC_resume(CMAC_CTX *ctx) * decrypted block will allow CMAC to continue after calling * CMAC_Final(). */ - return M_EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, ctx->tbl); + return M_EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl); } diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 3b9f7b5c5e..017f55c589 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -194,12 +194,14 @@ static int cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, { CMS_KeyAgreeRecipientInfo *kari = (CMS_KeyAgreeRecipientInfo *)*pval; if (operation == ASN1_OP_NEW_POST) { - EVP_CIPHER_CTX_init(&kari->ctx); - EVP_CIPHER_CTX_set_flags(&kari->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + kari->ctx = EVP_CIPHER_CTX_new(); + if (kari->ctx == NULL) + return 0; + EVP_CIPHER_CTX_set_flags(kari->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); kari->pctx = NULL; } else if (operation == ASN1_OP_FREE_POST) { EVP_PKEY_CTX_free(kari->pctx); - EVP_CIPHER_CTX_cleanup(&kari->ctx); + EVP_CIPHER_CTX_free(kari->ctx); } return 1; } diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index c6d45a0c2a..1355322710 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -220,7 +220,7 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk) EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri) { if (ri->type == CMS_RECIPINFO_AGREE) - return &ri->d.kari->ctx; + return ri->d.kari->ctx; return NULL; } @@ -239,22 +239,22 @@ static int cms_kek_cipher(unsigned char **pout, size_t *poutlen, int rv = 0; unsigned char *out = NULL; int outlen; - keklen = EVP_CIPHER_CTX_key_length(&kari->ctx); + keklen = EVP_CIPHER_CTX_key_length(kari->ctx); if (keklen > EVP_MAX_KEY_LENGTH) return 0; /* Derive KEK */ if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0) goto err; /* Set KEK in context */ - if (!EVP_CipherInit_ex(&kari->ctx, NULL, NULL, kek, NULL, enc)) + if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc)) goto err; /* obtain output length of ciphered key */ - if (!EVP_CipherUpdate(&kari->ctx, NULL, &outlen, in, inlen)) + if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen)) goto err; out = OPENSSL_malloc(outlen); if (out == NULL) goto err; - if (!EVP_CipherUpdate(&kari->ctx, out, &outlen, in, inlen)) + if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen)) goto err; *pout = out; *poutlen = (size_t)outlen; @@ -264,7 +264,8 @@ static int cms_kek_cipher(unsigned char **pout, size_t *poutlen, OPENSSL_cleanse(kek, keklen); if (!rv) OPENSSL_free(out); - EVP_CIPHER_CTX_cleanup(&kari->ctx); + EVP_CIPHER_CTX_reset(kari->ctx); + /* FIXME: WHY IS kari->pctx freed here? /RL */ EVP_PKEY_CTX_free(kari->pctx); kari->pctx = NULL; return rv; @@ -374,7 +375,7 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, const EVP_CIPHER *cipher) { - EVP_CIPHER_CTX *ctx = &kari->ctx; + EVP_CIPHER_CTX *ctx = kari->ctx; const EVP_CIPHER *kekcipher; int keylen = EVP_CIPHER_key_length(cipher); /* If a suitable wrap algorithm is already set nothing to do */ diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h index e4b96d26eb..6926cdd41b 100644 --- a/crypto/cms/cms_lcl.h +++ b/crypto/cms/cms_lcl.h @@ -210,7 +210,7 @@ struct CMS_KeyAgreeRecipientInfo_st { /* Public key context associated with current operation */ EVP_PKEY_CTX *pctx; /* Cipher context for CEK wrapping */ - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; }; struct CMS_OriginatorIdentifierOrKey_st { diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index d662938768..750dc51ab5 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -90,7 +90,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, CMS_RecipientInfo *ri = NULL; CMS_EnvelopedData *env; CMS_PasswordRecipientInfo *pwri; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = NULL; X509_ALGOR *encalg = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; int ivlen; @@ -124,19 +124,19 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, if (encalg == NULL) { goto merr; } - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); - if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) { + if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); goto err; } - ivlen = EVP_CIPHER_CTX_iv_length(&ctx); + ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { if (RAND_bytes(iv, ivlen) <= 0) goto err; - if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { + if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); goto err; } @@ -145,16 +145,17 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); goto err; } - if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0) { + if (EVP_CIPHER_param_to_asn1(ctx, encalg->parameter) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } } - encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx)); + encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; /* Initialize recipient info */ ri = M_ASN1_new_of(CMS_RecipientInfo); @@ -204,7 +205,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, merr: CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE); err: - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); if (ri) M_ASN1_free_of(ri, CMS_RecipientInfo); X509_ALGOR_free(encalg); @@ -323,7 +324,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, CMS_PasswordRecipientInfo *pwri; int r = 0; X509_ALGOR *algtmp, *kekalg = NULL; - EVP_CIPHER_CTX kekctx; + EVP_CIPHER_CTX *kekctx; const EVP_CIPHER *kekcipher; unsigned char *key = NULL; size_t keylen; @@ -331,7 +332,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, ec = cms->d.envelopedData->encryptedContentInfo; pwri = ri->d.pwri; - EVP_CIPHER_CTX_init(&kekctx); + kekctx = EVP_CIPHER_CTX_new(); if (!pwri->pass) { CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD); @@ -362,10 +363,10 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, } /* Fixup cipher based on AlgorithmIdentifier to set IV etc */ - if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de)) + if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de)) goto err; - EVP_CIPHER_CTX_set_padding(&kekctx, 0); - if (EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0) { + EVP_CIPHER_CTX_set_padding(kekctx, 0); + if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) < 0) { CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; @@ -377,7 +378,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass, pwri->passlen, - algtmp->parameter, &kekctx, en_de) < 0) { + algtmp->parameter, kekctx, en_de) < 0) { CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB); goto err; } @@ -386,7 +387,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, if (en_de) { - if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx)) + if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx)) goto err; key = OPENSSL_malloc(keylen); @@ -394,7 +395,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, if (key == NULL) goto err; - if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx)) + if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx)) goto err; pwri->encryptedKey->data = key; pwri->encryptedKey->length = keylen; @@ -407,7 +408,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, } if (!kek_unwrap_key(key, &keylen, pwri->encryptedKey->data, - pwri->encryptedKey->length, &kekctx)) { + pwri->encryptedKey->length, kekctx)) { CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNWRAP_FAILURE); goto err; } @@ -421,7 +422,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, err: - EVP_CIPHER_CTX_cleanup(&kekctx); + EVP_CIPHER_CTX_free(kekctx); if (!r) OPENSSL_free(key); diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index 2e6ce33e4e..c4daf8b691 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -83,7 +83,7 @@ typedef struct enc_struct { int cont; /* <= 0 when finished */ int finished; int ok; /* bad decrypt */ - EVP_CIPHER_CTX cipher; + EVP_CIPHER_CTX *cipher; /* * buf is larger than ENC_BLOCK_SIZE because EVP_DecryptUpdate can return * up to a block more data than is presented to it @@ -114,15 +114,19 @@ static int enc_new(BIO *bi) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) - return (0); + return 0; - EVP_CIPHER_CTX_init(&ctx->cipher); + ctx->cipher = EVP_CIPHER_CTX_new(); + if (ctx->cipher == NULL) { + OPENSSL_free(ctx); + return 0; + } ctx->cont = 1; ctx->ok = 1; bi->init = 0; bi->ptr = (char *)ctx; bi->flags = 0; - return (1); + return 1; } static int enc_free(BIO *a) @@ -132,7 +136,7 @@ static int enc_free(BIO *a) if (a == NULL) return (0); b = (BIO_ENC_CTX *)a->ptr; - EVP_CIPHER_CTX_cleanup(&(b->cipher)); + EVP_CIPHER_CTX_free(b->cipher); OPENSSL_clear_free(a->ptr, sizeof(BIO_ENC_CTX)); a->ptr = NULL; a->init = 0; @@ -186,7 +190,7 @@ static int enc_read(BIO *b, char *out, int outl) /* Should be continue next time we are called? */ if (!BIO_should_retry(b->next_bio)) { ctx->cont = i; - i = EVP_CipherFinal_ex(&(ctx->cipher), + i = EVP_CipherFinal_ex(ctx->cipher, (unsigned char *)ctx->buf, &(ctx->buf_len)); ctx->ok = i; @@ -196,7 +200,7 @@ static int enc_read(BIO *b, char *out, int outl) break; } } else { - if (!EVP_CipherUpdate(&(ctx->cipher), + if (!EVP_CipherUpdate(ctx->cipher, (unsigned char *)ctx->buf, &ctx->buf_len, (unsigned char *)&(ctx->buf[BUF_OFFSET]), i)) { @@ -259,7 +263,7 @@ static int enc_write(BIO *b, const char *in, int inl) ctx->buf_off = 0; while (inl > 0) { n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl; - if (!EVP_CipherUpdate(&(ctx->cipher), + if (!EVP_CipherUpdate(ctx->cipher, (unsigned char *)ctx->buf, &ctx->buf_len, (unsigned char *)in, n)) { BIO_clear_retry_flags(b); @@ -300,8 +304,8 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_RESET: ctx->ok = 1; ctx->finished = 0; - if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL, - ctx->cipher.encrypt)) + if (!EVP_CipherInit_ex(ctx->cipher, NULL, NULL, NULL, NULL, + EVP_CIPHER_CTX_encrypting(ctx->cipher))) return 0; ret = BIO_ctrl(b->next_bio, cmd, num, ptr); break; @@ -333,7 +337,7 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) if (!ctx->finished) { ctx->finished = 1; ctx->buf_off = 0; - ret = EVP_CipherFinal_ex(&(ctx->cipher), + ret = EVP_CipherFinal_ex(ctx->cipher, (unsigned char *)ctx->buf, &(ctx->buf_len)); ctx->ok = (int)ret; @@ -357,14 +361,16 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_C_GET_CIPHER_CTX: c_ctx = (EVP_CIPHER_CTX **)ptr; - (*c_ctx) = &(ctx->cipher); + *c_ctx = ctx->cipher; b->init = 1; break; case BIO_CTRL_DUP: dbio = (BIO *)ptr; dctx = (BIO_ENC_CTX *)dbio->ptr; - EVP_CIPHER_CTX_init(&dctx->cipher); - ret = EVP_CIPHER_CTX_copy(&dctx->cipher, &ctx->cipher); + dctx->cipher = EVP_CIPHER_CTX_new(); + if (dctx->cipher == NULL) + return 0; + ret = EVP_CIPHER_CTX_copy(dctx->cipher, ctx->cipher); if (ret) dbio->init = 1; break; @@ -424,7 +430,7 @@ int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k, b->init = 1; ctx = (BIO_ENC_CTX *)b->ptr; - if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e)) + if (!EVP_CipherInit_ex(ctx->cipher, c, NULL, k, i, e)) return 0; if (b->callback != NULL) diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index 02f61065c2..2b5c7d870e 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -74,7 +74,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, int i, size = 0, ret = 0; if (type) { - EVP_CIPHER_CTX_init(ctx); + EVP_CIPHER_CTX_reset(ctx); if (!EVP_DecryptInit_ex(ctx, type, NULL, NULL, NULL)) return 0; } diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index ff60bb5348..71231f4780 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -74,7 +74,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, int i; if (type) { - EVP_CIPHER_CTX_init(ctx); + EVP_CIPHER_CTX_reset(ctx); if (!EVP_EncryptInit_ex(ctx, type, NULL, NULL, NULL)) return 0; } diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 0cbd081b38..89321e8990 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -301,7 +301,6 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) { - EVP_CIPHER_CTX ctx; int i, ret = 0; unsigned char *data = NULL; const char *objstr = NULL; @@ -381,7 +380,6 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, ret = 1; err: - OPENSSL_cleanse((char *)&ctx, sizeof(ctx)); OPENSSL_cleanse(buf, PEM_BUFSIZE); return (ret); } diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 465e2eec8f..29b391f6ac 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -340,7 +340,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *callback, void *u) { - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = NULL; int dsize = 0, i = 0, j = 0, ret = 0; unsigned char *p, *data = NULL; const char *objstr = NULL; @@ -409,13 +409,12 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv); /* k=strlen(buf); */ - EVP_CIPHER_CTX_init(&ctx); ret = 1; - if (!EVP_EncryptInit_ex(&ctx, enc, NULL, key, iv) - || !EVP_EncryptUpdate(&ctx, data, &j, data, i) - || !EVP_EncryptFinal_ex(&ctx, &(data[j]), &i)) + if ((ctx = EVP_CIPHER_CTX_new()) == NULL + || !EVP_EncryptInit_ex(ctx, enc, NULL, key, iv) + || !EVP_EncryptUpdate(ctx, data, &j, data, i) + || !EVP_EncryptFinal_ex(ctx, &(data[j]), &i)) ret = 0; - EVP_CIPHER_CTX_cleanup(&ctx); if (ret == 0) goto err; i += j; @@ -429,7 +428,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, err: OPENSSL_cleanse(key, sizeof(key)); OPENSSL_cleanse(iv, sizeof(iv)); - OPENSSL_cleanse((char *)&ctx, sizeof(ctx)); + EVP_CIPHER_CTX_free(ctx); OPENSSL_cleanse(buf, PEM_BUFSIZE); OPENSSL_clear_free(data, (unsigned int)dsize); return (ret); @@ -440,7 +439,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, { int i = 0, j, o, klen; long len; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; unsigned char key[EVP_MAX_KEY_LENGTH]; char buf[PEM_BUFSIZE]; @@ -466,13 +465,15 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, return 0; j = (int)len; - EVP_CIPHER_CTX_init(&ctx); - o = EVP_DecryptInit_ex(&ctx, cipher->cipher, NULL, key, &(cipher->iv[0])); + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + return 0; + o = EVP_DecryptInit_ex(ctx, cipher->cipher, NULL, key, &(cipher->iv[0])); if (o) - o = EVP_DecryptUpdate(&ctx, data, &i, data, j); + o = EVP_DecryptUpdate(ctx, data, &i, data, j); if (o) - o = EVP_DecryptFinal_ex(&ctx, &(data[i]), &j); - EVP_CIPHER_CTX_cleanup(&ctx); + o = EVP_DecryptFinal_ex(ctx, &(data[i]), &j); + EVP_CIPHER_CTX_free(ctx); OPENSSL_cleanse((char *)buf, sizeof(buf)); OPENSSL_cleanse((char *)key, sizeof(key)); if (o) diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 58cbd07475..8aceb2bc03 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -672,8 +672,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, unsigned int magic; unsigned char *enctmp = NULL, *q; - EVP_CIPHER_CTX cctx; - EVP_CIPHER_CTX_init(&cctx); + EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); if (saltlen) { char psbuf[PEM_BUFSIZE]; unsigned char keybuf[20]; @@ -704,22 +703,22 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, } inlen = keylen - 8; q = enctmp + 8; - if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) + if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; - if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) + if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) goto err; - if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) + if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) goto err; magic = read_ledword((const unsigned char **)&q); if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { q = enctmp + 8; memset(keybuf + 5, 0, 11); - if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) + if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; OPENSSL_cleanse(keybuf, 20); - if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) + if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) goto err; - if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) + if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) goto err; magic = read_ledword((const unsigned char **)&q); if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { @@ -733,7 +732,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, ret = b2i_PrivateKey(&p, keylen); err: - EVP_CIPHER_CTX_cleanup(&cctx); + EVP_CIPHER_CTX_free(cctx); OPENSSL_free(enctmp); return ret; } @@ -776,8 +775,7 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel, { int outlen = 24, pklen; unsigned char *p, *salt = NULL; - EVP_CIPHER_CTX cctx; - EVP_CIPHER_CTX_init(&cctx); + EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new(); if (enclevel) outlen += PVK_SALTLEN; pklen = do_i2b(NULL, pk, 0); @@ -833,19 +831,19 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel, if (enclevel == 1) memset(keybuf + 5, 0, 11); p = salt + PVK_SALTLEN + 8; - if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) + if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto error; OPENSSL_cleanse(keybuf, 20); - if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) + if (!EVP_DecryptUpdate(cctx, p, &enctmplen, p, pklen - 8)) goto error; - if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) + if (!EVP_DecryptFinal_ex(cctx, p + enctmplen, &enctmplen)) goto error; } - EVP_CIPHER_CTX_cleanup(&cctx); + EVP_CIPHER_CTX_free(cctx); return outlen; error: - EVP_CIPHER_CTX_cleanup(&cctx); + EVP_CIPHER_CTX_free(cctx); return -1; } diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 8996b9ed84..33831e9237 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -77,24 +77,28 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, { unsigned char *out = NULL; int outlen, i; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + + if (ctx == NULL) { + PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); + goto err; + } - EVP_CIPHER_CTX_init(&ctx); /* Decrypt data */ if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, - algor->parameter, &ctx, en_de)) { + algor->parameter, ctx, en_de)) { PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR); goto err; } - if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx))) + if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx))) == NULL) { PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); goto err; } - if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) { + if (!EVP_CipherUpdate(ctx, out, &i, in, inlen)) { OPENSSL_free(out); out = NULL; PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB); @@ -102,7 +106,7 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, } outlen = i; - if (!EVP_CipherFinal_ex(&ctx, out + i, &i)) { + if (!EVP_CipherFinal_ex(ctx, out + i, &i)) { OPENSSL_free(out); out = NULL; PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, @@ -115,7 +119,7 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, if (data) *data = out; err: - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return out; } -- cgit v1.2.3