From ed576acdf591d4164905ab98e89ca5a3b99d90ab Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 21 May 2021 16:58:08 +0200 Subject: Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15405) --- ssl/ktls.c | 23 ++++++++-------- ssl/record/rec_layer_d1.c | 6 ++--- ssl/record/rec_layer_s3.c | 10 +++---- ssl/record/ssl3_record.c | 60 +++++++++++++++++++++--------------------- ssl/record/ssl3_record_tls13.c | 2 +- ssl/s3_enc.c | 16 +++++------ ssl/ssl_ciph.c | 15 ++++++----- ssl/ssl_lib.c | 16 +++++------ ssl/statem/extensions.c | 4 +-- ssl/statem/extensions_clnt.c | 6 ++--- ssl/statem/extensions_srvr.c | 5 ++-- ssl/statem/statem_clnt.c | 11 ++++---- ssl/statem/statem_dtls.c | 8 +++--- ssl/statem/statem_lib.c | 17 ++++++------ ssl/statem/statem_srvr.c | 10 +++---- ssl/t1_enc.c | 32 +++++++++++----------- ssl/t1_lib.c | 26 +++++++++--------- ssl/tls13_enc.c | 26 +++++++++--------- 18 files changed, 150 insertions(+), 143 deletions(-) (limited to 'ssl') diff --git a/ssl/ktls.c b/ssl/ktls.c index 4aece2e7b7..a5de8bd720 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -67,7 +67,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, case SSL_AES256GCM: crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16; if (s->version == TLS1_3_VERSION) - crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd); + crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); else crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; break; @@ -87,7 +87,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, return 0; } crypto_info->cipher_algorithm = CRYPTO_AES_CBC; - crypto_info->iv_len = EVP_CIPHER_iv_length(c); + crypto_info->iv_len = EVP_CIPHER_get_iv_length(c); crypto_info->auth_key = mac_key; crypto_info->auth_key_len = mac_secret_size; break; @@ -95,7 +95,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, return 0; } crypto_info->cipher_key = key; - crypto_info->cipher_key_len = EVP_CIPHER_key_length(c); + crypto_info->cipher_key_len = EVP_CIPHER_get_key_length(c); crypto_info->iv = iv; crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff; crypto_info->tls_vminor = (s->version & 0x000000ff); @@ -129,11 +129,11 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 * or Chacha20-Poly1305 */ - switch (EVP_CIPHER_nid(c)) + switch (EVP_CIPHER_get_nid(c)) { # ifdef OPENSSL_KTLS_AES_CCM_128 case NID_aes_128_ccm: - if (EVP_CIPHER_CTX_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) + if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128 @@ -163,7 +163,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, unsigned char *iiv = iv; if (s->version == TLS1_2_VERSION && - EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { + EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN)) @@ -172,7 +172,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, } memset(crypto_info, 0, sizeof(*crypto_info)); - switch (EVP_CIPHER_nid(c)) + switch (EVP_CIPHER_get_nid(c)) { # ifdef OPENSSL_KTLS_AES_GCM_128 case NID_aes_128_gcm: @@ -182,7 +182,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->gcm128.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN, TLS_CIPHER_AES_GCM_128_IV_SIZE); memcpy(crypto_info->gcm128.salt, iiv, TLS_CIPHER_AES_GCM_128_SALT_SIZE); - memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_key_length(c)); + memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->gcm128.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); if (rec_seq != NULL) @@ -197,7 +197,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->gcm256.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN, TLS_CIPHER_AES_GCM_256_IV_SIZE); memcpy(crypto_info->gcm256.salt, iiv, TLS_CIPHER_AES_GCM_256_SALT_SIZE); - memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_key_length(c)); + memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->gcm256.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); if (rec_seq != NULL) @@ -212,7 +212,7 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, memcpy(crypto_info->ccm128.iv, iiv + EVP_CCM_TLS_FIXED_IV_LEN, TLS_CIPHER_AES_CCM_128_IV_SIZE); memcpy(crypto_info->ccm128.salt, iiv, TLS_CIPHER_AES_CCM_128_SALT_SIZE); - memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_key_length(c)); + memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->ccm128.rec_seq, rl_sequence, TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); if (rec_seq != NULL) @@ -226,7 +226,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); memcpy(crypto_info->chacha20poly1305.iv, iiv, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); - memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c)); + memcpy(crypto_info->chacha20poly1305.key, key, + EVP_CIPHER_get_key_length(c)); memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); if (rec_seq != NULL) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 6713ff72f5..336ebc8b79 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -837,7 +837,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (clear) mac_size = 0; else { - mac_size = EVP_MD_CTX_size(s->write_hash); + mac_size = EVP_MD_CTX_get_size(s->write_hash); if (mac_size < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); @@ -871,9 +871,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* Explicit IV length, block ciphers appropriate version flag */ if (s->enc_write_ctx) { - int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); + int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { - eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); + eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); if (eivlen <= 1) eivlen = 0; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 8cd102ecae..a217db772a 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -439,7 +439,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, && !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && BIO_get_ktls_send(s->wbio) == 0 - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) != 0) { unsigned char aad[13]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; @@ -588,7 +588,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, } if (maxpipes == 0 || s->enc_write_ctx == NULL - || (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) + || (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_PIPELINE) == 0 || !SSL_USE_EXPLICIT_IV(s)) maxpipes = 1; @@ -723,7 +723,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, mac_size = 0; } else { /* TODO(siz_t): Convert me */ - mac_size = EVP_MD_CTX_size(s->write_hash); + mac_size = EVP_MD_CTX_get_size(s->write_hash); if (mac_size < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -831,10 +831,10 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* Explicit IV length, block ciphers appropriate version flag */ if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) { - int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); + int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { /* TODO(size_t): Convert me */ - eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); + eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); if (eivlen <= 1) eivlen = 0; } else if (mode == EVP_CIPH_GCM_MODE) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 8788d49e4c..8c4ff01dd1 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -480,7 +480,7 @@ int ssl3_get_record(SSL *s) && thisrr->type == SSL3_RT_APPLICATION_DATA && SSL_USE_EXPLICIT_IV(s) && s->enc_read_ctx != NULL - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx)) + && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_PIPELINE) != 0 && ssl3_record_app_data_waiting(s)); @@ -526,7 +526,7 @@ int ssl3_get_record(SSL *s) const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { - imac_size = EVP_MD_size(tmpmd); + imac_size = EVP_MD_get_size(tmpmd); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return -1; @@ -855,11 +855,11 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, memmove(rec->data, rec->input, rec->length); rec->input = rec->data; } else { - int provided = (EVP_CIPHER_provider(enc) != NULL); + int provided = (EVP_CIPHER_get0_provider(enc) != NULL); l = rec->length; /* TODO(size_t): Convert this call */ - bs = EVP_CIPHER_CTX_block_size(ds); + bs = EVP_CIPHER_CTX_get_block_size(ds); /* COMPRESS */ @@ -889,7 +889,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, /* otherwise, rec->length >= bs */ } - if (EVP_CIPHER_provider(enc) != NULL) { + if (EVP_CIPHER_get0_provider(enc) != NULL) { int outlen; if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input, @@ -968,7 +968,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (sending) { if (EVP_MD_CTX_get0_md(s->write_hash)) { - int n = EVP_MD_CTX_size(s->write_hash); + int n = EVP_MD_CTX_get_size(s->write_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; @@ -983,8 +983,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, enc = EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ if (SSL_USE_EXPLICIT_IV(s) - && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) - ivlen = EVP_CIPHER_iv_length(enc); + && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE) + ivlen = EVP_CIPHER_get_iv_length(enc); else ivlen = 0; if (ivlen > 1) { @@ -1006,7 +1006,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } else { if (EVP_MD_CTX_get0_md(s->read_hash)) { - int n = EVP_MD_CTX_size(s->read_hash); + int n = EVP_MD_CTX_get_size(s->read_hash); if (!ossl_assert(n >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; @@ -1025,12 +1025,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, recs[ctr].input = recs[ctr].data; } } else { - int provided = (EVP_CIPHER_provider(enc) != NULL); + int provided = (EVP_CIPHER_get0_provider(enc) != NULL); - bs = EVP_CIPHER_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); + bs = EVP_CIPHER_get_block_size(EVP_CIPHER_CTX_get0_cipher(ds)); if (n_recs > 1) { - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) & EVP_CIPH_FLAG_PIPELINE) == 0) { /* * We shouldn't have been called with pipeline data if the @@ -1043,7 +1043,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, for (ctr = 0; ctr < n_recs; ctr++) { reclen[ctr] = recs[ctr].length; - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) { unsigned char *seq; @@ -1177,10 +1177,10 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, * any explicit IV */ if (!sending) { - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { + if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { recs[0].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; recs[0].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; - } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) { + } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { recs[0].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; recs[0].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) { @@ -1215,7 +1215,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, /* TODO(size_t): Convert this call */ tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, (unsigned int)reclen[0]); - if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(ds)) + if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0 ? (tmpr < 0) : (tmpr == 0)) { @@ -1225,13 +1225,13 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (!sending) { /* Adjust the record to remove the explicit IV/MAC/Tag */ - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { + if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN; recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN; recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; } - } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) { + } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN; recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN; @@ -1261,7 +1261,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, : NULL, bs, macsize, - (EVP_CIPHER_flags(enc) + (EVP_CIPHER_get_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, s->ctx->libctx)) return 0; @@ -1283,7 +1283,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { - switch (EVP_MD_CTX_type(ctx)) { + switch (EVP_MD_CTX_get_type(ctx)) { case NID_md5: case NID_sha1: case NID_sha224: @@ -1315,15 +1315,15 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) hash = ssl->read_hash; } - t = EVP_MD_CTX_size(hash); + t = EVP_MD_CTX_get_size(hash); if (t < 0) return 0; md_size = t; npad = (48 / md_size) * md_size; - if (!sending && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(hash)) { + if (!sending + && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE + && ssl3_cbc_record_digest_supported(hash)) { #ifdef OPENSSL_NO_DEPRECATED_3_0 return 0; #else @@ -1418,7 +1418,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) hash = ssl->read_hash; } - t = EVP_MD_CTX_size(hash); + t = EVP_MD_CTX_get_size(hash); if (!ossl_assert(t >= 0)) return 0; md_size = t; @@ -1457,16 +1457,16 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) header[11] = (unsigned char)(rec->length >> 8); header[12] = (unsigned char)(rec->length & 0xff); - if (!sending && !SSL_READ_ETM(ssl) && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) { + if (!sending && !SSL_READ_ETM(ssl) + && EVP_CIPHER_CTX_get_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE + && ssl3_cbc_record_digest_supported(mac_ctx)) { OSSL_PARAM tls_hmac_params[2], *p = tls_hmac_params; *p++ = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, &rec->orig_len); *p++ = OSSL_PARAM_construct_end(); - if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_pkey_ctx(mac_ctx), + if (!EVP_PKEY_CTX_set_params(EVP_MD_CTX_get_pkey_ctx(mac_ctx), tls_hmac_params)) return 0; } @@ -1551,7 +1551,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); if (tmpmd != NULL) { - imac_size = EVP_MD_size(tmpmd); + imac_size = EVP_MD_get_size(tmpmd); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return -1; diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 0e4b310148..13c007ae23 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -62,7 +62,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, return 1; } - ivlen = EVP_CIPHER_CTX_iv_length(ctx); + ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); if (s->early_data_state == SSL_EARLY_DATA_WRITING || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 88ac6e4205..64b246eb65 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -186,15 +186,15 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_reset(dd); p = s->s3.tmp.key_block; - mdi = EVP_MD_size(m); + mdi = EVP_MD_get_size(m); if (mdi < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } i = mdi; - cl = EVP_CIPHER_key_length(c); + cl = EVP_CIPHER_get_key_length(c); j = cl; - k = EVP_CIPHER_iv_length(c); + k = EVP_CIPHER_get_iv_length(c); if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms = &(p[0]); @@ -225,7 +225,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; } - if (EVP_CIPHER_provider(c) != NULL + if (EVP_CIPHER_get0_provider(c) != NULL && !tls_provider_set_tls_params(s, dd, c, m)) { /* SSLfatal already called */ goto err; @@ -266,11 +266,11 @@ int ssl3_setup_key_block(SSL *s) s->s3.tmp.new_compression = comp; #endif - num = EVP_MD_size(hash); + num = EVP_MD_get_size(hash); if (num < 0) return 0; - num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); + num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c); num *= 2; ssl3_cleanup_key_block(s); @@ -424,7 +424,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, return 0; } - if (EVP_MD_CTX_type(s->s3.handshake_dgst) != NID_md5_sha1) { + if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST); return 0; } @@ -440,7 +440,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, goto err; } - ret = EVP_MD_CTX_size(ctx); + ret = EVP_MD_CTX_get_size(ctx); if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ret = 0; diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 582124aa1f..d7c19feedf 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -346,7 +346,7 @@ int ssl_load_ciphers(SSL_CTX *ctx) if (md == NULL) { ctx->disabled_mac_mask |= t->mask; } else { - int tmpsize = EVP_MD_size(md); + int tmpsize = EVP_MD_get_size(md); if (!ossl_assert(tmpsize >= 0)) return 0; ctx->ssl_mac_secret_size[i] = tmpsize; @@ -566,8 +566,9 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s, *mac_secret_size = ctx->ssl_mac_secret_size[i]; } - if ((*enc != NULL) && - (*md != NULL || (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)) + if ((*enc != NULL) + && (*md != NULL + || (EVP_CIPHER_get_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)) && (!mac_pkey_type || *mac_pkey_type != NID_undef)) { const EVP_CIPHER *evp = NULL; @@ -2172,7 +2173,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, if (e_md == NULL) return 0; - mac = EVP_MD_size(e_md); + mac = EVP_MD_get_size(e_md); if (c->algorithm_enc != SSL_eNULL) { int cipher_nid = SSL_CIPHER_get_cipher_nid(c); const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid); @@ -2180,12 +2181,12 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, /* If it wasn't AEAD or SSL_eNULL, we expect it to be a known CBC cipher. */ if (e_ciph == NULL || - EVP_CIPHER_mode(e_ciph) != EVP_CIPH_CBC_MODE) + EVP_CIPHER_get_mode(e_ciph) != EVP_CIPH_CBC_MODE) return 0; in = 1; /* padding length byte */ - out = EVP_CIPHER_iv_length(e_ciph); - blk = EVP_CIPHER_block_size(e_ciph); + out = EVP_CIPHER_get_iv_length(e_ciph); + blk = EVP_CIPHER_get_block_size(e_ciph); } } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index af95f2e056..c8ab4a66a0 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -305,7 +305,7 @@ static int dane_tlsa_add(SSL_DANE *dane, } } - if (md != NULL && dlen != (size_t)EVP_MD_size(md)) { + if (md != NULL && dlen != (size_t)EVP_MD_get_size(md)) { ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH); return 0; } @@ -4764,7 +4764,7 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, { EVP_MD_CTX *ctx = NULL; EVP_MD_CTX *hdgst = s->s3.handshake_dgst; - int hashleni = EVP_MD_CTX_size(hdgst); + int hashleni = EVP_MD_CTX_get_size(hdgst); int ret = 0; if (hashleni < 0 || (size_t)hashleni > outlen) { @@ -5898,7 +5898,7 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OSSL_LIB_CTX *libctx, int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher) { /* Don't up-ref an implicit EVP_CIPHER */ - if (EVP_CIPHER_provider(cipher) == NULL) + if (EVP_CIPHER_get0_provider(cipher) == NULL) return 1; /* @@ -5913,7 +5913,7 @@ void ssl_evp_cipher_free(const EVP_CIPHER *cipher) if (cipher == NULL) return; - if (EVP_CIPHER_provider(cipher) != NULL) { + if (EVP_CIPHER_get0_provider(cipher) != NULL) { /* * The cipher was explicitly fetched and therefore it is safe to cast * away the const @@ -5942,7 +5942,7 @@ const EVP_MD *ssl_evp_md_fetch(OSSL_LIB_CTX *libctx, int ssl_evp_md_up_ref(const EVP_MD *md) { /* Don't up-ref an implicit EVP_MD */ - if (EVP_MD_provider(md) == NULL) + if (EVP_MD_get0_provider(md) == NULL) return 1; /* @@ -5957,7 +5957,7 @@ void ssl_evp_md_free(const EVP_MD *md) if (md == NULL) return; - if (EVP_MD_provider(md) != NULL) { + if (EVP_MD_get0_provider(md) != NULL) { /* * The digest was explicitly fetched and therefore it is safe to cast * away the const @@ -5969,7 +5969,7 @@ void ssl_evp_md_free(const EVP_MD *md) int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey) { if (!ssl_security(s, SSL_SECOP_TMP_DH, - EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) { + EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(dhpkey); return 0; @@ -5982,7 +5982,7 @@ int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey) int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) { if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, - EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) { + EVP_PKEY_get_security_bits(dhpkey), 0, dhpkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(dhpkey); return 0; diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 42d591e11e..d12e940704 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1453,7 +1453,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, #endif const unsigned char *label; size_t bindersize, labelsize, hashsize; - int hashsizei = EVP_MD_size(md); + int hashsizei = EVP_MD_get_size(md); int ret = -1; int usepskfored = 0; @@ -1587,7 +1587,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, binderout = tmpbinder; bindersize = hashsize; - if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_name(md), s->ctx->libctx, + if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), s->ctx->libctx, s->ctx->propq, mackey, NULL) <= 0 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index fe9f8a9de6..545b2d034f 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -937,7 +937,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, * length. */ hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen - + EVP_MD_size(md); + + EVP_MD_get_size(md); } } @@ -1068,7 +1068,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, */ agems += s->session->ext.tick_age_add; - reshashsize = EVP_MD_size(mdres); + reshashsize = EVP_MD_get_size(mdres); s->ext.tick_identity++; dores = 1; } @@ -1097,7 +1097,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, return EXT_RETURN_FAIL; } - pskhashsize = EVP_MD_size(mdpsk); + pskhashsize = EVP_MD_get_size(mdpsk); } /* Create the extension, but skip over the binder for now */ diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 6b3b33e239..51c3251635 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1164,7 +1164,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, md = ssl_md(s->ctx, sess->cipher->algorithm2); if (!EVP_MD_is_a(md, - EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) { + EVP_MD_get0_name(ssl_md(s->ctx, + s->s3.tmp.new_cipher->algorithm2)))) { /* The ciphersuite is not compatible with this session. */ SSL_SESSION_free(sess); sess = NULL; @@ -1179,7 +1180,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 1; binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data; - hashsize = EVP_MD_size(md); + hashsize = EVP_MD_get_size(md); if (!PACKET_get_length_prefixed_2(pkt, &binders)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 82bb013865..88b34c6ad1 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2083,7 +2083,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) goto err; } - if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), + if (!ssl_security(s, SSL_SECOP_TMP_DH, + EVP_PKEY_get_security_bits(peer_tmp), 0, peer_tmp)) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); goto err; @@ -2258,7 +2259,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) } if (SSL_USE_SIGALGS(s)) OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", - md == NULL ? "n/a" : EVP_MD_name(md)); + md == NULL ? "n/a" : EVP_MD_get0_name(md)); if (!PACKET_get_length_prefixed_2(pkt, &signature) || PACKET_remaining(pkt) != 0) { @@ -2273,7 +2274,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) } if (EVP_DigestVerifyInit_ex(md_ctx, &pctx, - md == NULL ? NULL : EVP_MD_name(md), + md == NULL ? NULL : EVP_MD_get0_name(md), s->ctx->libctx, s->ctx->propq, pkey, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); @@ -2589,7 +2590,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) /* This is a standalone message in TLSv1.3, so there is no more to read */ if (SSL_IS_TLS13(s)) { const EVP_MD *md = ssl_handshake_md(s); - int hashleni = EVP_MD_size(md); + int hashleni = EVP_MD_get_size(md); size_t hashlen; static const unsigned char nonce_label[] = "resumption"; @@ -2942,7 +2943,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) * stack, we need to zero pad the DHE pub key to the same length * as the prime. */ - prime_len = EVP_PKEY_size(ckey); + prime_len = EVP_PKEY_get_size(ckey); pad_len = prime_len - encoded_pub_len; if (pad_len > 0) { if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) { diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 1fcd064ea6..8c588fd590 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -132,17 +132,17 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && (EVP_CIPHER_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & + && (EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) mac_size = 0; else - mac_size = EVP_MD_CTX_size(s->write_hash); + mac_size = EVP_MD_CTX_get_size(s->write_hash); } else mac_size = 0; if (s->enc_write_ctx && - (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) - blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx); + (EVP_CIPHER_CTX_get_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) + blocksize = 2 * EVP_CIPHER_CTX_get_block_size(s->enc_write_ctx); else blocksize = 0; diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 800a957ab2..eef2fe4367 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -309,7 +309,8 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md), + if (EVP_DigestSignInit_ex(mctx, &pctx, + md == NULL ? NULL : EVP_MD_get0_name(md), s->ctx->libctx, s->ctx->propq, pkey, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); @@ -451,7 +452,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) if (SSL_USE_SIGALGS(s)) OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", - md == NULL ? "n/a" : EVP_MD_name(md)); + md == NULL ? "n/a" : EVP_MD_get0_name(md)); /* Check for broken implementations of GOST ciphersuites */ /* @@ -461,10 +462,10 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) #ifndef OPENSSL_NO_GOST if (!SSL_USE_SIGALGS(s) && ((PACKET_remaining(pkt) == 64 - && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001 - || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256)) + && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001 + || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256)) || (PACKET_remaining(pkt) == 128 - && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) { + && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) { len = PACKET_remaining(pkt); } else #endif @@ -484,10 +485,10 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } OSSL_TRACE1(TLS, "Using client verify alg %s\n", - md == NULL ? "n/a" : EVP_MD_name(md)); + md == NULL ? "n/a" : EVP_MD_get0_name(md)); if (EVP_DigestVerifyInit_ex(mctx, &pctx, - md == NULL ? NULL : EVP_MD_name(md), + md == NULL ? NULL : EVP_MD_get0_name(md), s->ctx->libctx, s->ctx->propq, pkey, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); @@ -495,7 +496,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } #ifndef OPENSSL_NO_GOST { - int pktype = EVP_PKEY_id(pkey); + int pktype = EVP_PKEY_get_id(pkey); if (pktype == NID_id_GostR3410_2001 || pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_512) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 15bcdae387..a954097a39 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2480,7 +2480,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) goto err; } if (!ssl_security(s, SSL_SECOP_TMP_DH, - EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) { + EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); goto err; } @@ -2678,7 +2678,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } if (EVP_DigestSignInit_ex(md_ctx, &pctx, - md == NULL ? NULL : EVP_MD_name(md), + md == NULL ? NULL : EVP_MD_get0_name(md), s->ctx->libctx, s->ctx->propq, pkey, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -3766,7 +3766,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); goto err; } - iv_len = EVP_CIPHER_CTX_iv_length(ctx); + iv_len = EVP_CIPHER_CTX_get_iv_length(ctx); } else { EVP_CIPHER *cipher = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", s->ctx->propq); @@ -3777,7 +3777,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, goto err; } - iv_len = EVP_CIPHER_iv_length(cipher); + iv_len = EVP_CIPHER_get_iv_length(cipher); if (iv_len < 0 || RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, @@ -3875,7 +3875,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) uint64_t nonce; static const unsigned char nonce_label[] = "resumption"; const EVP_MD *md = ssl_handshake_md(s); - int hashleni = EVP_MD_size(md); + int hashleni = EVP_MD_get_size(md); /* Ensure cast to size_t is safe */ if (!ossl_assert(hashleni >= 0)) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 886709bf4a..03a83ee9a0 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -52,7 +52,7 @@ static int tls1_PRF(SSL *s, EVP_KDF_free(kdf); if (kctx == NULL) goto err; - mdname = EVP_MD_name(md); + mdname = EVP_MD_get0_name(md); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, @@ -146,14 +146,14 @@ int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, size_t macsize = 0; int imacsize = -1; - if ((EVP_CIPHER_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 + if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 /* * We look at s->ext.use_etm instead of SSL_READ_ETM() or * SSL_WRITE_ETM() because this test applies to both reading * and writing. */ && !s->ext.use_etm) - imacsize = EVP_MD_size(md); + imacsize = EVP_MD_get_size(md); if (imacsize >= 0) macsize = (size_t)imacsize; @@ -175,12 +175,12 @@ int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, static int tls_iv_length_within_key_block(const EVP_CIPHER *c) { /* If GCM/CCM mode only part of IV comes from PRF */ - if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) + if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) return EVP_GCM_TLS_FIXED_IV_LEN; - else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) + else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) return EVP_CCM_TLS_FIXED_IV_LEN; else - return EVP_CIPHER_iv_length(c); + return EVP_CIPHER_get_iv_length(c); } int tls1_change_cipher_state(SSL *s, int which) @@ -334,7 +334,7 @@ int tls1_change_cipher_state(SSL *s, int which) i = *mac_secret_size = s->s3.tmp.new_mac_secret_size; /* TODO(size_t): convert me */ - cl = EVP_CIPHER_key_length(c); + cl = EVP_CIPHER_get_key_length(c); j = cl; k = tls_iv_length_within_key_block(c); if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || @@ -362,7 +362,7 @@ int tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); - if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!(EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { if (mac_type == EVP_PKEY_HMAC) { mac_key = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", s->ctx->propq, mac_secret, @@ -377,7 +377,7 @@ int tls1_change_cipher_state(SSL *s, int which) (int)*mac_secret_size); } if (mac_key == NULL - || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_name(m), + || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_get0_name(m), s->ctx->libctx, s->ctx->propq, mac_key, NULL) <= 0) { EVP_PKEY_free(mac_key); @@ -392,14 +392,14 @@ int tls1_change_cipher_state(SSL *s, int which) BIO_dump_indent(trc_out, ms, i, 4); } OSSL_TRACE_END(TLS); - if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { + if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, iv)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) { + } else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) { int taglen; if (s->s3.tmp. new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) @@ -421,13 +421,14 @@ int tls1_change_cipher_state(SSL *s, int which) } } /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ - if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size + if ((EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) + && *mac_secret_size && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, (int)*mac_secret_size, mac_secret)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - if (EVP_CIPHER_provider(c) != NULL + if (EVP_CIPHER_get0_provider(c) != NULL && !tls_provider_set_tls_params(s, dd, c, m)) { /* SSLfatal already called */ goto err; @@ -510,7 +511,7 @@ int tls1_change_cipher_state(SSL *s, int which) OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "which = %04X, key:\n", which); - BIO_dump_indent(trc_out, key, EVP_CIPHER_key_length(c), 4); + BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); BIO_printf(trc_out, "iv:\n"); BIO_dump_indent(trc_out, iv, k, 4); } OSSL_TRACE_END(TLS); @@ -546,7 +547,8 @@ int tls1_setup_key_block(SSL *s) s->s3.tmp.new_hash = hash; s->s3.tmp.new_mac_pkey_type = mac_type; s->s3.tmp.new_mac_secret_size = mac_secret_size; - num = mac_secret_size + EVP_CIPHER_key_length(c) + tls_iv_length_within_key_block(c); + num = mac_secret_size + EVP_CIPHER_get_key_length(c) + + tls_iv_length_within_key_block(c); num *= 2; ssl3_cleanup_key_block(s); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1dc57af43a..d22a794d37 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -357,7 +357,7 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data) * assumption to make (in which case perhaps we should document this * behaviour)? */ - if (EVP_KEYMGMT_provider(keymgmt) == provider) { + if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) { /* We have a match - so we will use this group */ ctx->group_list_len++; ginf = NULL; @@ -1235,7 +1235,7 @@ int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd) * SHA512 has a hash length of 64 bytes, which is incompatible * with a 128 byte (1024 bit) key. */ -#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2) +#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2) static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, const SIGALG_LOOKUP *lu) { @@ -1245,7 +1245,7 @@ static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey, return 0; if (!tls1_lookup_md(ctx, lu, &md) || md == NULL) return 0; - if (EVP_PKEY_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) + if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md)) return 0; return 1; } @@ -1418,10 +1418,10 @@ static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu) return 0; if (md != NULL) { - int md_type = EVP_MD_type(md); + int md_type = EVP_MD_get_type(md); /* Security bits: half digest bits */ - secbits = EVP_MD_size(md) * 4; + secbits = EVP_MD_get_size(md) * 4; /* * SHA1 and MD5 are known to be broken. Reduce security bits so that * they're no longer accepted at security level 1. The real values don't @@ -1463,7 +1463,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) const SIGALG_LOOKUP *lu; int secbits = 0; - pkeyid = EVP_PKEY_id(pkey); + pkeyid = EVP_PKEY_get_id(pkey); /* Should never happen */ if (pkeyid == -1) return -1; @@ -1490,7 +1490,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) return 0; } /* Check the sigalg is consistent with the key OID */ - if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx) + if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx) || lu->sig_idx != (int)cidx) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); return 0; @@ -1560,7 +1560,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) secbits = sigalg_security_bits(s->ctx, lu); if (secbits == 0 || !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, - md != NULL ? EVP_MD_type(md) : NID_undef, + md != NULL ? EVP_MD_get_type(md) : NID_undef, (void *)sigalgstr)) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); return 0; @@ -1893,7 +1893,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, /* Sanity check ticket length: must exceed keyname + IV + HMAC */ if (eticklen <= - TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx) + mlen) { ret = SSL_TICKET_NO_DECRYPT; goto end; } @@ -1911,8 +1911,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ - p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); - eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); + p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx); + eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, (int)eticklen) <= 0) { @@ -2898,7 +2898,7 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s) } else { if (s->s3.tmp.cert == NULL) return NULL; - dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey); + dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey); } } @@ -2950,7 +2950,7 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) * reject keys which omit parameters but this only affects DSA and * omission of parameters is never (?) done in practice. */ - secbits = EVP_PKEY_security_bits(pkey); + secbits = EVP_PKEY_get_security_bits(pkey); } if (s) return ssl_security(s, op, secbits, 0, x); diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index dba1e5fb8c..53aeea446b 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -43,7 +43,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, EVP_KDF_CTX *kctx; OSSL_PARAM params[5], *p = params; int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; - const char *mdname = EVP_MD_name(md); + const char *mdname = EVP_MD_get0_name(md); int ret; size_t hkdflabellen; size_t hashlen; @@ -76,7 +76,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, return 0; } - hashlen = EVP_MD_size(md); + hashlen = EVP_MD_get_size(md); if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) || !WPACKET_put_bytes_u16(&pkt, outlen) @@ -185,7 +185,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, EVP_KDF_CTX *kctx; OSSL_PARAM params[5], *p = params; int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; - const char *mdname = EVP_MD_name(md); + const char *mdname = EVP_MD_get0_name(md); #ifdef CHARSET_EBCDIC static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; #else @@ -201,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, return 0; } - mdleni = EVP_MD_size(md); + mdleni = EVP_MD_get_size(md); /* Ensure cast to size_t is safe */ if (!ossl_assert(mdleni >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -293,7 +293,7 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out, { const EVP_MD *md = ssl_handshake_md(s); - *secret_size = EVP_MD_size(md); + *secret_size = EVP_MD_get_size(md); /* Calls SSLfatal() if required */ return tls13_generate_secret(s, md, prev, NULL, 0, out); } @@ -305,7 +305,7 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out, size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, unsigned char *out) { - const char *mdname = EVP_MD_name(ssl_handshake_md(s)); + const char *mdname = EVP_MD_get0_name(ssl_handshake_md(s)); unsigned char hash[EVP_MAX_MD_SIZE]; unsigned char finsecret[EVP_MAX_MD_SIZE]; unsigned char *key = NULL; @@ -386,7 +386,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, EVP_CIPHER_CTX *ciph_ctx) { size_t ivlen, keylen, taglen; - int hashleni = EVP_MD_size(md); + int hashleni = EVP_MD_get_size(md); size_t hashlen; /* Ensure cast to size_t is safe */ @@ -403,8 +403,8 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, } /* TODO(size_t): convert me */ - keylen = EVP_CIPHER_key_length(ciph); - if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { + keylen = EVP_CIPHER_get_key_length(ciph); + if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { uint32_t algenc; ivlen = EVP_CCM_TLS_IV_LEN; @@ -425,7 +425,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, else taglen = EVP_CCM_TLS_TAG_LEN; } else { - ivlen = EVP_CIPHER_iv_length(ciph); + ivlen = EVP_CIPHER_get_iv_length(ciph); taglen = 0; } @@ -611,7 +611,7 @@ int tls13_change_cipher_state(SSL *s, int which) } else if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->client_finished_secret; - finsecretlen = EVP_MD_size(ssl_handshake_md(s)); + finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); label = client_handshake_traffic; labellen = sizeof(client_handshake_traffic) - 1; log_label = CLIENT_HANDSHAKE_LABEL; @@ -643,7 +643,7 @@ int tls13_change_cipher_state(SSL *s, int which) if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->server_finished_secret; - finsecretlen = EVP_MD_size(ssl_handshake_md(s)); + finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); label = server_handshake_traffic; labellen = sizeof(server_handshake_traffic) - 1; log_label = SERVER_HANDSHAKE_LABEL; @@ -798,7 +798,7 @@ int tls13_update_key(SSL *s, int sending) static const unsigned char application_traffic[] = "traffic upd"; #endif const EVP_MD *md = ssl_handshake_md(s); - size_t hashlen = EVP_MD_size(md); + size_t hashlen = EVP_MD_get_size(md); unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char *insecret, *iv; unsigned char secret[EVP_MAX_MD_SIZE]; -- cgit v1.2.3