diff options
| author | Brent Cook <bcook@cvs.openbsd.org> | 2016-09-02 15:36:40 +0000 |
|---|---|---|
| committer | Brent Cook <bcook@cvs.openbsd.org> | 2016-09-02 15:36:40 +0000 |
| commit | 56cbad96f7a1c51745b9fa33340c705618f5010a (patch) | |
| tree | f1ca9e693b1389a1724c7440fb6beab223b9281e /lib | |
| parent | 3eabe6af2c0c1005617c1efd8cb3d5ddd2fff820 (diff) | |
warn on use of deprecated EVP functions
This adds a linker warning for EVP_EncryptFinal(), EVP_DecryptFinal(),
EVP_CipherFinal(), and documents the recent behavior updates.
ok beck@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libcrypto/doc/EVP_EncryptInit.pod | 12 | ||||
| -rw-r--r-- | lib/libcrypto/evp/evp_enc.c | 18 | ||||
| -rw-r--r-- | lib/libssl/src/crypto/evp/evp_enc.c | 18 | ||||
| -rw-r--r-- | lib/libssl/src/doc/crypto/EVP_EncryptInit.pod | 12 |
4 files changed, 46 insertions, 14 deletions
diff --git a/lib/libcrypto/doc/EVP_EncryptInit.pod b/lib/libcrypto/doc/EVP_EncryptInit.pod index 02d02ba5f57..e72c101c948 100644 --- a/lib/libcrypto/doc/EVP_EncryptInit.pod +++ b/lib/libcrypto/doc/EVP_EncryptInit.pod @@ -23,7 +23,7 @@ EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc, EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc, EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc, -EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, +EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, EVP_rc5_32_12_16_cbc, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_ofb @@ -168,9 +168,13 @@ initialized and they always use the default cipher implementation. EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() are identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and -EVP_CipherFinal_ex(). In previous releases they also used to clean up -the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean() -must be called to free any context resources. +EVP_CipherFinal_ex(). In previous releases of OpenSSL they also used to clean +up the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean() +must be called to free any context resources. As of LibreSSL 2.4, +EVP_EncryptFinal() and EVP_DecryptFinal() will always clean up, and +EVP_CipherFinal() also cleans up as of LibreSSL 2.5. The use of +EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() is not +recommended. EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() return an EVP_CIPHER structure when passed a cipher name, a NID or an diff --git a/lib/libcrypto/evp/evp_enc.c b/lib/libcrypto/evp/evp_enc.c index f8d2cb78d4c..5f710347ae1 100644 --- a/lib/libcrypto/evp/evp_enc.c +++ b/lib/libcrypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.32 2016/09/02 15:36:38 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -260,13 +260,19 @@ EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) return EVP_DecryptFinal_ex(ctx, out, outl); } +__warn_references(EVP_CipherFinal, + "warning: EVP_CipherFinal is often misused, please use EVP_CipherFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { + int ret; if (ctx->encrypt) - return EVP_EncryptFinal_ex(ctx, out, outl); + ret = EVP_EncryptFinal_ex(ctx, out, outl); else - return EVP_DecryptFinal_ex(ctx, out, outl); + ret = EVP_DecryptFinal_ex(ctx, out, outl); + (void) EVP_CIPHER_CTX_cleanup(ctx); + return ret; } int @@ -365,6 +371,9 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +__warn_references(EVP_EncryptFinal, + "warning: EVP_EncryptFinal is often misused, please use EVP_EncryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { @@ -479,6 +488,9 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +__warn_references(EVP_DecryptFinal, + "warning: EVP_DecryptFinal is often misused, please use EVP_DecryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { diff --git a/lib/libssl/src/crypto/evp/evp_enc.c b/lib/libssl/src/crypto/evp/evp_enc.c index f8d2cb78d4c..5f710347ae1 100644 --- a/lib/libssl/src/crypto/evp/evp_enc.c +++ b/lib/libssl/src/crypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.32 2016/09/02 15:36:38 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -260,13 +260,19 @@ EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) return EVP_DecryptFinal_ex(ctx, out, outl); } +__warn_references(EVP_CipherFinal, + "warning: EVP_CipherFinal is often misused, please use EVP_CipherFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { + int ret; if (ctx->encrypt) - return EVP_EncryptFinal_ex(ctx, out, outl); + ret = EVP_EncryptFinal_ex(ctx, out, outl); else - return EVP_DecryptFinal_ex(ctx, out, outl); + ret = EVP_DecryptFinal_ex(ctx, out, outl); + (void) EVP_CIPHER_CTX_cleanup(ctx); + return ret; } int @@ -365,6 +371,9 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +__warn_references(EVP_EncryptFinal, + "warning: EVP_EncryptFinal is often misused, please use EVP_EncryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { @@ -479,6 +488,9 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +__warn_references(EVP_DecryptFinal, + "warning: EVP_DecryptFinal is often misused, please use EVP_DecryptFinal_ex and EVP_CIPHER_CTX_cleanup"); + int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { diff --git a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod index 02d02ba5f57..e72c101c948 100644 --- a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod @@ -23,7 +23,7 @@ EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc, EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc, EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc, -EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, +EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, EVP_rc5_32_12_16_cbc, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_ofb @@ -168,9 +168,13 @@ initialized and they always use the default cipher implementation. EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() are identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and -EVP_CipherFinal_ex(). In previous releases they also used to clean up -the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean() -must be called to free any context resources. +EVP_CipherFinal_ex(). In previous releases of OpenSSL they also used to clean +up the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean() +must be called to free any context resources. As of LibreSSL 2.4, +EVP_EncryptFinal() and EVP_DecryptFinal() will always clean up, and +EVP_CipherFinal() also cleans up as of LibreSSL 2.5. The use of +EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() is not +recommended. EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() return an EVP_CIPHER structure when passed a cipher name, a NID or an |