summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorBob Beck <beck@cvs.openbsd.org>2016-05-30 13:42:55 +0000
committerBob Beck <beck@cvs.openbsd.org>2016-05-30 13:42:55 +0000
commit3609df57c2dabf2c1ad0313262296332169c5346 (patch)
treee5007b1715c8d5f5d0e8ee7fb4aa6fefa2ec7770 /lib
parent2b9b74cdf85d0ae1005ef61ca5bede7fbfcba050 (diff)
deprecate internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
14 years ago these were changed in OpenSSL to be the same as the _ex functions. We use the _ex functions only internally to ensure it is obvious the ctx must be cleared. ok bcook@
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/evp/evp.h14
-rw-r--r--lib/libcrypto/evp/evp_enc.c10
-rw-r--r--lib/libssl/s3_srvr.c4
-rw-r--r--lib/libssl/t1_lib.c4
4 files changed, 20 insertions, 12 deletions
diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h
index a0adbece014..75798dae8c8 100644
--- a/lib/libcrypto/evp/evp.h
+++ b/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.50 2016/04/28 16:06:53 jsing Exp $ */
+/* $OpenBSD: evp.h,v 1.51 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -575,7 +575,9 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl);
int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#ifndef LIBRESSL_INTERNAL
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#endif
int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
@@ -583,8 +585,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
ENGINE *impl, const unsigned char *key, const unsigned char *iv);
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl);
-int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#ifndef LIBRESSL_INTERNAL
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv, int enc);
@@ -592,9 +596,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl);
-int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
-
+#ifndef LIBRESSL_INTERNAL
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
+
int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
diff --git a/lib/libcrypto/evp/evp_enc.c b/lib/libcrypto/evp/evp_enc.c
index 556908fd106..f8d2cb78d4c 100644
--- a/lib/libcrypto/evp/evp_enc.c
+++ b/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -264,9 +264,9 @@ int
EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
if (ctx->encrypt)
- return EVP_EncryptFinal(ctx, out, outl);
+ return EVP_EncryptFinal_ex(ctx, out, outl);
else
- return EVP_DecryptFinal(ctx, out, outl);
+ return EVP_DecryptFinal_ex(ctx, out, outl);
}
int
@@ -371,6 +371,7 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int ret;
ret = EVP_EncryptFinal_ex(ctx, out, outl);
+ (void) EVP_CIPHER_CTX_cleanup(ctx);
return ret;
}
@@ -484,6 +485,7 @@ EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int ret;
ret = EVP_DecryptFinal_ex(ctx, out, outl);
+ (void) EVP_CIPHER_CTX_cleanup(ctx);
return ret;
}
@@ -571,7 +573,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
* functional reference we held for this reason. */
ENGINE_finish(c->engine);
#endif
- memset(c, 0, sizeof(EVP_CIPHER_CTX));
+ explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
return 1;
}
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 10b6312834f..9fe96de53e1 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2558,7 +2558,7 @@ ssl3_send_newsession_ticket(SSL *s)
/* Encrypt session data */
EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
p += len;
- EVP_EncryptFinal(&ctx, p, &len);
+ EVP_EncryptFinal_ex(&ctx, p, &len);
p += len;
EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 78553139141..7230dec6714 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2199,7 +2199,7 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
return -1;
}
EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
- if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
+ if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
free(sdec);
EVP_CIPHER_CTX_cleanup(&ctx);
return 2;