From 3aeb93486588e7dd01379c50b8fd496d55cf8858 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 19 Jan 2016 00:21:12 +0000 Subject: [PATCH] make EVP_PKEY opaque Reviewed-by: Richard Levitte --- apps/req.c | 2 +- apps/x509.c | 8 ++++---- crypto/asn1/a_verify.c | 1 + crypto/asn1/ameth_lib.c | 1 + crypto/asn1/d2i_pr.c | 1 + crypto/asn1/d2i_pu.c | 13 +++++-------- crypto/asn1/i2d_pr.c | 1 + crypto/asn1/i2d_pu.c | 10 +++++----- crypto/asn1/x_pubkey.c | 1 + crypto/cmac/cm_ameth.c | 2 +- crypto/cms/cms_env.c | 1 + crypto/cms/cms_kari.c | 2 +- crypto/cms/cms_sd.c | 1 + crypto/dh/dh_ameth.c | 1 + crypto/dsa/dsa_ameth.c | 1 + crypto/ec/ec_ameth.c | 1 + crypto/evp/evp_pkey.c | 1 + crypto/evp/p_dec.c | 5 +++-- crypto/evp/p_enc.c | 4 ++-- crypto/evp/p_lib.c | 3 ++- crypto/evp/p_open.c | 4 ++-- crypto/hmac/hm_ameth.c | 4 ++-- crypto/include/internal/evp_int.h | 29 +++++++++++++++++++++++++++++ crypto/pem/pem_info.c | 2 +- crypto/pem/pem_pkey.c | 1 + crypto/pem/pvkfmt.c | 15 ++++++++------- crypto/pkcs7/pk7_lib.c | 3 ++- crypto/rsa/rsa_ameth.c | 1 + crypto/ts/ts_rsp_sign.c | 2 +- crypto/x509/x509_cmp.c | 4 ++-- crypto/x509/x509_req.c | 4 ++-- crypto/x509/x509type.c | 2 +- include/openssl/evp.h | 31 +------------------------------ ssl/ssl_cert.c | 2 +- ssl/ssl_rsa.c | 12 ++++++------ ssl/statem/statem_clnt.c | 19 +++++++++---------- ssl/statem/statem_lib.c | 2 +- ssl/statem/statem_srvr.c | 20 ++++++++++---------- ssl/t1_lib.c | 12 ++++++------ 39 files changed, 121 insertions(+), 108 deletions(-) diff --git a/apps/req.c b/apps/req.c index a0da788089..eddbc77839 100644 --- a/apps/req.c +++ b/apps/req.c @@ -811,7 +811,7 @@ int req_main(int argc, char **argv) fprintf(stdout, "Modulus="); #ifndef OPENSSL_NO_RSA if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) - BN_print(out, tpubkey->pkey.rsa->n); + BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n); else #endif fprintf(stdout, "Wrong Algorithm type"); diff --git a/apps/x509.c b/apps/x509.c index 37d3a71e4a..7a688a9dfe 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -731,13 +731,13 @@ int x509_main(int argc, char **argv) } BIO_printf(out, "Modulus="); #ifndef OPENSSL_NO_RSA - if (pkey->type == EVP_PKEY_RSA) - BN_print(out, pkey->pkey.rsa->n); + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) + BN_print(out, EVP_PKEY_get0_RSA(pkey)->n); else #endif #ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - BN_print(out, pkey->pkey.dsa->pub_key); + if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) + BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key); else #endif BIO_printf(out, "Wrong Algorithm type"); diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 4acee3eb84..2ec84309b9 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -71,6 +71,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" #ifndef NO_ASN1_OLD diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index a932028911..8458e811c9 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -64,6 +64,7 @@ # include #endif #include "internal/asn1_int.h" +#include "internal/evp_int.h" /* Keep this sorted in type order !! */ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 1b6f8ebe40..02efa83583 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -67,6 +67,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c index 11176f0e16..1b29f1c7f1 100644 --- a/crypto/asn1/d2i_pu.c +++ b/crypto/asn1/d2i_pu.c @@ -72,6 +72,8 @@ # include #endif +#include "internal/evp_int.h" + EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { @@ -93,10 +95,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, switch (EVP_PKEY_id(ret)) { #ifndef OPENSSL_NO_RSA case EVP_PKEY_RSA: - /* TMP UGLY CAST */ - if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL, - (const unsigned char **)pp, - length)) == NULL) { + if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL, pp, length)) == NULL) { ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB); goto err; } @@ -105,8 +104,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, #ifndef OPENSSL_NO_DSA case EVP_PKEY_DSA: /* TMP UGLY CAST */ - if (!d2i_DSAPublicKey(&(ret->pkey.dsa), - (const unsigned char **)pp, length)) { + if (!d2i_DSAPublicKey(&ret->pkey.dsa, pp, length)) { ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB); goto err; } @@ -114,8 +112,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, #endif #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: - if (!o2i_ECPublicKey(&(ret->pkey.ec), - (const unsigned char **)pp, length)) { + if (!o2i_ECPublicKey(&ret->pkey.ec, pp, length)) { ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB); goto err; } diff --git a/crypto/asn1/i2d_pr.c b/crypto/asn1/i2d_pr.c index 54a3d7b4bd..b7dfb65a31 100644 --- a/crypto/asn1/i2d_pr.c +++ b/crypto/asn1/i2d_pr.c @@ -61,6 +61,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp) { diff --git a/crypto/asn1/i2d_pu.c b/crypto/asn1/i2d_pu.c index e1f702acd8..94233cb8e9 100644 --- a/crypto/asn1/i2d_pu.c +++ b/crypto/asn1/i2d_pu.c @@ -73,21 +73,21 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp) { - switch (a->type) { + switch (EVP_PKEY_id(a)) { #ifndef OPENSSL_NO_RSA case EVP_PKEY_RSA: - return (i2d_RSAPublicKey(a->pkey.rsa, pp)); + return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(a), pp); #endif #ifndef OPENSSL_NO_DSA case EVP_PKEY_DSA: - return (i2d_DSAPublicKey(a->pkey.dsa, pp)); + return i2d_DSAPublicKey(EVP_PKEY_get0_DSA(a), pp); #endif #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: - return (i2o_ECPublicKey(a->pkey.ec, pp)); + return i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(a), pp); #endif default: ASN1err(ASN1_F_I2D_PUBLICKEY, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); - return (-1); + return -1; } } diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c index 36a130d6aa..baa34f0c9b 100644 --- a/crypto/asn1/x_pubkey.c +++ b/crypto/asn1/x_pubkey.c @@ -61,6 +61,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" #ifndef OPENSSL_NO_RSA # include #endif diff --git a/crypto/cmac/cm_ameth.c b/crypto/cmac/cm_ameth.c index 223631c3c0..d9a550e72b 100644 --- a/crypto/cmac/cm_ameth.c +++ b/crypto/cmac/cm_ameth.c @@ -69,7 +69,7 @@ static int cmac_size(const EVP_PKEY *pkey) static void cmac_key_free(EVP_PKEY *pkey) { - CMAC_CTX *cmctx = (CMAC_CTX *)pkey->pkey.ptr; + CMAC_CTX *cmctx = EVP_PKEY_get0(pkey); CMAC_CTX_free(cmctx); } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 0b765486b9..9ea5e06695 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -62,6 +62,7 @@ #include #include "cms_lcl.h" #include "internal/asn1_int.h" +#include "internal/evp_int.h" /* CMS EnvelopedData Utilities */ diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 1355322710..a8dc9ab72e 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -367,7 +367,7 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, if (!cms_kari_create_ephemeral_key(kari, pk)) return 0; - CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(pk); rek->pkey = pk; return 1; } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 5c39746b3c..b040d28465 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -61,6 +61,7 @@ #include #include "cms_lcl.h" #include "internal/asn1_int.h" +#include "internal/evp_int.h" /* CMS SignedData Utilities */ diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 64eaf4ca0a..f021b39647 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -63,6 +63,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" #ifndef OPENSSL_NO_CMS # include #endif diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 92976bc3d5..47aa9126df 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -66,6 +66,7 @@ # include #endif #include "internal/asn1_int.h" +#include "internal/evp_int.h" static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) { diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index fb07262466..bc77391ef4 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -66,6 +66,7 @@ #endif #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" #ifndef OPENSSL_NO_CMS static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index e0c689f158..65ccd5bac4 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -63,6 +63,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" /* Extract a private key from a PKCS8 structure */ diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c index f232934b93..218c674bc3 100644 --- a/crypto/evp/p_dec.c +++ b/crypto/evp/p_dec.c @@ -72,7 +72,7 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl, int ret = -1; #ifndef OPENSSL_NO_RSA - if (priv->type != EVP_PKEY_RSA) { + if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) { #endif EVPerr(EVP_F_EVP_PKEY_DECRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA); #ifndef OPENSSL_NO_RSA @@ -80,7 +80,8 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl, } ret = - RSA_private_decrypt(ekl, ek, key, priv->pkey.rsa, RSA_PKCS1_PADDING); + RSA_private_decrypt(ekl, ek, key, EVP_PKEY_get0_RSA(priv), + RSA_PKCS1_PADDING); err: #endif return (ret); diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c index d4ab14b354..d2069c9c7d 100644 --- a/crypto/evp/p_enc.c +++ b/crypto/evp/p_enc.c @@ -72,14 +72,14 @@ int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key, int ret = 0; #ifndef OPENSSL_NO_RSA - if (pubk->type != EVP_PKEY_RSA) { + if (EVP_PKEY_id(pubk) != EVP_PKEY_RSA) { #endif EVPerr(EVP_F_EVP_PKEY_ENCRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA); #ifndef OPENSSL_NO_RSA goto err; } ret = - RSA_public_encrypt(key_len, key, ek, pubk->pkey.rsa, + RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk), RSA_PKCS1_PADDING); err: #endif diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 7d255af582..c7a0b5ac4c 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -78,6 +78,7 @@ #endif #include "internal/asn1_int.h" +#include "internal/evp_int.h" static void EVP_PKEY_free_it(EVP_PKEY *x); @@ -275,7 +276,7 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) return (key != NULL); } -void *EVP_PKEY_get0(EVP_PKEY *pkey) +void *EVP_PKEY_get0(const EVP_PKEY *pkey) { return pkey->pkey.ptr; } diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index 2b5c7d870e..0f2bc02ad2 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -82,12 +82,12 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, if (!priv) return 1; - if (priv->type != EVP_PKEY_RSA) { + if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) { EVPerr(EVP_F_EVP_OPENINIT, EVP_R_PUBLIC_KEY_NOT_RSA); goto err; } - size = RSA_size(priv->pkey.rsa); + size = EVP_PKEY_size(priv); key = OPENSSL_malloc(size + 2); if (key == NULL) { /* ERROR */ diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c index df6bf0b3ef..98e73e937f 100644 --- a/crypto/hmac/hm_ameth.c +++ b/crypto/hmac/hm_ameth.c @@ -75,7 +75,7 @@ static int hmac_size(const EVP_PKEY *pkey) static void hmac_key_free(EVP_PKEY *pkey) { - ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr; + ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey); if (os) { if (os->data) OPENSSL_cleanse(os->data, os->length); @@ -121,7 +121,7 @@ static int old_hmac_decode(EVP_PKEY *pkey, static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder) { int inc; - ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr; + ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey); if (pder) { if (!*pder) { *pder = OPENSSL_malloc(os->length); diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index da73e70ff1..614ccca3f6 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -387,3 +387,32 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \ cipher##_init_key, NULL, NULL, NULL, NULL) + +/* + * Type needs to be a bit field Sub-type needs to be for variations on the + * method, as in, can it do arbitrary encryption.... + */ +struct evp_pkey_st { + int type; + int save_type; + int references; + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *engine; + union { + char *ptr; +# ifndef OPENSSL_NO_RSA + struct rsa_st *rsa; /* RSA */ +# endif +# ifndef OPENSSL_NO_DSA + struct dsa_st *dsa; /* DSA */ +# endif +# ifndef OPENSSL_NO_DH + struct dh_st *dh; /* DH */ +# endif +# ifndef OPENSSL_NO_EC + struct ec_key_st *ec; /* ECC */ +# endif + } pkey; + int save_parameters; + STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ +} /* EVP_PKEY */ ; diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 67cd99d13f..982dc161b9 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -362,7 +362,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, #ifndef OPENSSL_NO_RSA /* normal optionally encrypted stuff */ if (PEM_write_bio_RSAPrivateKey(bp, - xi->x_pkey->dec_pkey->pkey.rsa, + EVP_PKEY_get0_RSA(xi->x_pkey->dec_pkey), enc, kstr, klen, cb, u) <= 0) goto err; #endif diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 1a249f5588..e90f201bfa 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -72,6 +72,7 @@ # include #endif #include "internal/asn1_int.h" +#include "internal/evp_int.h" int pem_check_suffix(const char *pem_str, const char *suffix); diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 8aceb2bc03..625b488e34 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -450,11 +450,12 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) unsigned char *p; unsigned int bitlen, magic = 0, keyalg; int outlen, noinc = 0; - if (pk->type == EVP_PKEY_DSA) { - bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic); + int pktype = EVP_PKEY_id(pk); + if (pktype == EVP_PKEY_DSA) { + bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic); keyalg = MS_KEYALG_DSS_SIGN; - } else if (pk->type == EVP_PKEY_RSA) { - bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic); + } else if (pktype == EVP_PKEY_RSA) { + bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic); keyalg = MS_KEYALG_RSA_KEYX; } else return -1; @@ -484,9 +485,9 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub) write_ledword(&p, magic); write_ledword(&p, bitlen); if (keyalg == MS_KEYALG_DSS_SIGN) - write_dsa(&p, pk->pkey.dsa, ispub); + write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub); else - write_rsa(&p, pk->pkey.rsa, ispub); + write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub); if (!noinc) *out += outlen; return outlen; @@ -797,7 +798,7 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel, write_ledword(&p, MS_PVKMAGIC); write_ledword(&p, 0); - if (pk->type == EVP_PKEY_DSA) + if (EVP_PKEY_id(pk) == EVP_PKEY_DSA) write_ledword(&p, MS_KEYTYPE_SIGN); else write_ledword(&p, MS_KEYTYPE_KEYX); diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 17e4de221a..8c840a6fd5 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -61,6 +61,7 @@ #include #include #include "internal/asn1_int.h" +#include "internal/evp_int.h" long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg) { @@ -371,7 +372,7 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, goto err; /* lets keep the pkey around for a while */ - CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(pkey); p7i->pkey = pkey; /* Set the algorithms */ diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 68b268ecb7..4433bf47de 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -67,6 +67,7 @@ # include #endif #include "internal/asn1_int.h" +#include "internal/evp_int.h" #ifndef OPENSSL_NO_CMS static int rsa_cms_sign(CMS_SignerInfo *si); diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index f84555d8fc..aa8ef167f2 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -212,7 +212,7 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) { EVP_PKEY_free(ctx->signer_key); ctx->signer_key = key; - CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(ctx->signer_key); return 1; } diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 20834a079f..2521e77b2a 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -367,8 +367,8 @@ static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) { const EC_GROUP *grp = NULL; int curve_nid; - if (pkey && pkey->type == EVP_PKEY_EC) - grp = EC_KEY_get0_group(pkey->pkey.ec); + if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC) + grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)); if (!grp) return X509_V_ERR_SUITE_B_INVALID_ALGORITHM; curve_nid = EC_GROUP_get_curve_name(grp); diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index b27f9f6010..8e60f84f88 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -140,13 +140,13 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) break; case -2: #ifndef OPENSSL_NO_EC - if (k->type == EVP_PKEY_EC) { + if (EVP_PKEY_id(k) == EVP_PKEY_EC) { X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); break; } #endif #ifndef OPENSSL_NO_DH - if (k->type == EVP_PKEY_DH) { + if (EVP_PKEY_id(k) == EVP_PKEY_DH) { /* No idea */ X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, X509_R_CANT_CHECK_DH_KEY); diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index a9116e7c77..07e5141f14 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -78,7 +78,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) if (pk == NULL) return (0); - switch (pk->type) { + switch (EVP_PKEY_id(pk)) { case EVP_PKEY_RSA: ret = EVP_PK_RSA | EVP_PKT_SIGN; /* if (!sign only extension) */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 2ed9faa24f..f6cb867fc3 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -114,35 +114,6 @@ extern "C" { #endif -/* - * Type needs to be a bit field Sub-type needs to be for variations on the - * method, as in, can it do arbitrary encryption.... - */ -struct evp_pkey_st { - int type; - int save_type; - int references; - const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *engine; - union { - char *ptr; -# ifndef OPENSSL_NO_RSA - struct rsa_st *rsa; /* RSA */ -# endif -# ifndef OPENSSL_NO_DSA - struct dsa_st *dsa; /* DSA */ -# endif -# ifndef OPENSSL_NO_DH - struct dh_st *dh; /* DH */ -# endif -# ifndef OPENSSL_NO_EC - struct ec_key_st *ec; /* ECC */ -# endif - } pkey; - int save_parameters; - STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ -} /* EVP_PKEY */ ; - # define EVP_PKEY_MO_SIGN 0x0001 # define EVP_PKEY_MO_VERIFY 0x0002 # define EVP_PKEY_MO_ENCRYPT 0x0004 @@ -959,7 +930,7 @@ int EVP_PKEY_size(EVP_PKEY *pkey); int EVP_PKEY_set_type(EVP_PKEY *pkey, int type); int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len); int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); -void *EVP_PKEY_get0(EVP_PKEY *pkey); +void *EVP_PKEY_get0(const EVP_PKEY *pkey); # ifndef OPENSSL_NO_RSA struct rsa_st; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 75ccc72414..2aaf99cc23 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -214,7 +214,7 @@ CERT *ssl_cert_dup(CERT *cert) if (cpk->privatekey != NULL) { rpk->privatekey = cpk->privatekey; - CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(cpk->privatekey); } if (cpk->chain) { diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index a02230d0f1..aa4959916b 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -196,8 +196,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) * Don't check the public/private key, this is mostly for smart * cards. */ - if ((pkey->type == EVP_PKEY_RSA) && - (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ; + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA + && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK); else #endif if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { @@ -208,7 +208,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) } EVP_PKEY_free(c->pkeys[i].privatekey); - CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(pkey); c->pkeys[i].privatekey = pkey; c->key = &(c->pkeys[i]); return (1); @@ -392,9 +392,9 @@ static int ssl_set_cert(CERT *c, X509 *x) * Don't check the public/private key, this is mostly for smart * cards. */ - if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && - (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & - RSA_METHOD_FLAG_NO_CHECK)) ; + if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA + && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) & + RSA_METHOD_FLAG_NO_CHECK) ; else #endif /* OPENSSL_NO_RSA */ if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 5925923133..047bcf5d5b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1683,7 +1683,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) #ifdef SSL_DEBUG fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif - } else if (pkey->type == EVP_PKEY_RSA) { + } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { md = EVP_md5_sha1(); } else { md = EVP_sha1(); @@ -2191,8 +2191,7 @@ psk_err: } pkey = X509_get0_pubkey(s->session->peer); - if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) - || (pkey->pkey.rsa == NULL)) { + if (EVP_PKEY_get0_RSA(pkey) == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; @@ -2273,9 +2272,7 @@ psk_err: } else { /* Get the Server Public Key from Cert */ skey = X509_get0_pubkey(s->session->peer); - if ((skey == NULL) - || (skey->type != EVP_PKEY_EC) - || (skey->pkey.ec == NULL)) { + if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; @@ -2609,10 +2606,12 @@ int tls_construct_client_verify(SSL *s) goto err; } #ifndef OPENSSL_NO_GOST - if (pkey->type == NID_id_GostR3410_2001 - || pkey->type == NID_id_GostR3410_2012_256 - || pkey->type == NID_id_GostR3410_2012_512) { - BUF_reverse(p + 2, NULL, u); + { + int pktype = EVP_PKEY_id(pkey); + if (pktype == NID_id_GostR3410_2001 + || pktype == NID_id_GostR3410_2012_256 + || pktype == NID_id_GostR3410_2012_512) + BUF_reverse(p + 2, NULL, u); } #endif diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 984df19b58..70559666b0 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -612,7 +612,7 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey) if (pk == NULL) goto err; - i = pk->type; + i = EVP_PKEY_id(pk); if (i == EVP_PKEY_RSA) { ret = SSL_PKEY_RSA_ENC; } else if (i == EVP_PKEY_DSA) { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 5ee0c94e17..2ac9dc3a59 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2080,7 +2080,6 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) unsigned long alg_k; #ifndef OPENSSL_NO_RSA RSA *rsa = NULL; - EVP_PKEY *pkey = NULL; #endif #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY *ckey = NULL; @@ -2173,15 +2172,13 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) size_t j; /* FIX THIS UP EAY EAY EAY EAY */ - pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; - if ((pkey == NULL) || - (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { + rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey); + if (rsa == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE); goto f_err; } - rsa = pkey->pkey.rsa; /* SSLv3 and pre-standard DTLS omit the length bytes. */ if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) { @@ -2694,7 +2691,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) * length field (CryptoPro implementations at least till CSP 4.0) */ #ifndef OPENSSL_NO_GOST - if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) { + if (PACKET_remaining(pkt) == 64 + && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { len = 64; } else #endif @@ -2764,10 +2762,12 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } #ifndef OPENSSL_NO_GOST - if (pkey->type == NID_id_GostR3410_2001 - || pkey->type == NID_id_GostR3410_2012_256 - || pkey->type == NID_id_GostR3410_2012_512) { - BUF_reverse(data, NULL, len); + { + int pktype = EVP_PKEY_id(pkey); + if (pktype == NID_id_GostR3410_2001 + || pktype == NID_id_GostR3410_2012_256 + || pktype == NID_id_GostR3410_2012_512) + BUF_reverse(data, NULL, len); } #endif diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 41b55c8d4b..6937b45c61 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -793,9 +793,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) if (!pkey) return 0; /* If not EC nothing to do */ - if (pkey->type != EVP_PKEY_EC) + if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) return 1; - rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); + rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)); if (!rv) return 0; /* @@ -990,10 +990,10 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, return 0; } #ifndef OPENSSL_NO_EC - if (pkey->type == EVP_PKEY_EC) { + if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { unsigned char curve_id[2], comp_id; /* Check compression and curve matches extensions */ - if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec)) + if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) return 0; if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); @@ -3227,7 +3227,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int tls12_get_sigid(const EVP_PKEY *pk) { - return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig)); + return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig)); } typedef struct { @@ -4110,7 +4110,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, if (!s->server && strict_mode) { STACK_OF(X509_NAME) *ca_dn; int check_type = 0; - switch (pk->type) { + switch (EVP_PKEY_id(pk)) { case EVP_PKEY_RSA: check_type = TLS_CT_RSA_SIGN; break; -- 2.39.2