[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Wed Jan 20 13:08:45 UTC 2016


The branch master has been updated
       via  3aeb93486588e7dd01379c50b8fd496d55cf8858 (commit)
      from  a8eda4312db1f98cffda38670e2d40d36566785a (commit)


- Log -----------------------------------------------------------------
commit 3aeb93486588e7dd01379c50b8fd496d55cf8858
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Jan 19 00:21:12 2016 +0000

    make EVP_PKEY opaque
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/req.c                        |  2 +-
 apps/x509.c                       |  8 ++++----
 crypto/asn1/a_verify.c            |  1 +
 crypto/asn1/ameth_lib.c           |  1 +
 crypto/asn1/d2i_pr.c              |  1 +
 crypto/asn1/d2i_pu.c              | 13 +++++--------
 crypto/asn1/i2d_pr.c              |  1 +
 crypto/asn1/i2d_pu.c              | 10 +++++-----
 crypto/asn1/x_pubkey.c            |  1 +
 crypto/cmac/cm_ameth.c            |  2 +-
 crypto/cms/cms_env.c              |  1 +
 crypto/cms/cms_kari.c             |  2 +-
 crypto/cms/cms_sd.c               |  1 +
 crypto/dh/dh_ameth.c              |  1 +
 crypto/dsa/dsa_ameth.c            |  1 +
 crypto/ec/ec_ameth.c              |  1 +
 crypto/evp/evp_pkey.c             |  1 +
 crypto/evp/p_dec.c                |  5 +++--
 crypto/evp/p_enc.c                |  4 ++--
 crypto/evp/p_lib.c                |  3 ++-
 crypto/evp/p_open.c               |  4 ++--
 crypto/hmac/hm_ameth.c            |  4 ++--
 crypto/include/internal/evp_int.h | 29 +++++++++++++++++++++++++++++
 crypto/pem/pem_info.c             |  2 +-
 crypto/pem/pem_pkey.c             |  1 +
 crypto/pem/pvkfmt.c               | 15 ++++++++-------
 crypto/pkcs7/pk7_lib.c            |  3 ++-
 crypto/rsa/rsa_ameth.c            |  1 +
 crypto/ts/ts_rsp_sign.c           |  2 +-
 crypto/x509/x509_cmp.c            |  4 ++--
 crypto/x509/x509_req.c            |  4 ++--
 crypto/x509/x509type.c            |  2 +-
 include/openssl/evp.h             | 31 +------------------------------
 ssl/ssl_cert.c                    |  2 +-
 ssl/ssl_rsa.c                     | 12 ++++++------
 ssl/statem/statem_clnt.c          | 19 +++++++++----------
 ssl/statem/statem_lib.c           |  2 +-
 ssl/statem/statem_srvr.c          | 20 ++++++++++----------
 ssl/t1_lib.c                      | 12 ++++++------
 39 files changed, 121 insertions(+), 108 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index a0da788..eddbc77 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -811,7 +811,7 @@ int req_main(int argc, char **argv)
         fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
         if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
-            BN_print(out, tpubkey->pkey.rsa->n);
+            BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
         else
 #endif
             fprintf(stdout, "Wrong Algorithm type");
diff --git a/apps/x509.c b/apps/x509.c
index 37d3a71..7a688a9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -731,13 +731,13 @@ int x509_main(int argc, char **argv)
                 }
                 BIO_printf(out, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-                if (pkey->type == EVP_PKEY_RSA)
-                    BN_print(out, pkey->pkey.rsa->n);
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
+                    BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
                 else
 #endif
 #ifndef OPENSSL_NO_DSA
-                if (pkey->type == EVP_PKEY_DSA)
-                    BN_print(out, pkey->pkey.dsa->pub_key);
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
+                    BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
                 else
 #endif
                     BIO_printf(out, "Wrong Algorithm type");
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 4acee3e..2ec8430 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -71,6 +71,7 @@
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 #ifndef NO_ASN1_OLD
 
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index a932028..8458e81 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -64,6 +64,7 @@
 # include <openssl/engine.h>
 #endif
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 /* Keep this sorted in type order !! */
 static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index 1b6f8eb..02efa83 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -67,6 +67,7 @@
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
                          long length)
diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c
index 11176f0..1b29f1c 100644
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -72,6 +72,8 @@
 # include <openssl/ec.h>
 #endif
 
+#include "internal/evp_int.h"
+
 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
                         long length)
 {
@@ -93,10 +95,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
     switch (EVP_PKEY_id(ret)) {
 #ifndef OPENSSL_NO_RSA
     case EVP_PKEY_RSA:
-        /* TMP UGLY CAST */
-        if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL,
-                                              (const unsigned char **)pp,
-                                              length)) == NULL) {
+        if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL, pp, length)) == NULL) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
@@ -105,8 +104,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #ifndef OPENSSL_NO_DSA
     case EVP_PKEY_DSA:
         /* TMP UGLY CAST */
-        if (!d2i_DSAPublicKey(&(ret->pkey.dsa),
-                              (const unsigned char **)pp, length)) {
+        if (!d2i_DSAPublicKey(&ret->pkey.dsa, pp, length)) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
@@ -114,8 +112,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
-        if (!o2i_ECPublicKey(&(ret->pkey.ec),
-                             (const unsigned char **)pp, length)) {
+        if (!o2i_ECPublicKey(&ret->pkey.ec, pp, length)) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
diff --git a/crypto/asn1/i2d_pr.c b/crypto/asn1/i2d_pr.c
index 54a3d7b..b7dfb65 100644
--- a/crypto/asn1/i2d_pr.c
+++ b/crypto/asn1/i2d_pr.c
@@ -61,6 +61,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 {
diff --git a/crypto/asn1/i2d_pu.c b/crypto/asn1/i2d_pu.c
index e1f702a..94233cb 100644
--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -73,21 +73,21 @@
 
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 {
-    switch (a->type) {
+    switch (EVP_PKEY_id(a)) {
 #ifndef OPENSSL_NO_RSA
     case EVP_PKEY_RSA:
-        return (i2d_RSAPublicKey(a->pkey.rsa, pp));
+        return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(a), pp);
 #endif
 #ifndef OPENSSL_NO_DSA
     case EVP_PKEY_DSA:
-        return (i2d_DSAPublicKey(a->pkey.dsa, pp));
+        return i2d_DSAPublicKey(EVP_PKEY_get0_DSA(a), pp);
 #endif
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
-        return (i2o_ECPublicKey(a->pkey.ec, pp));
+        return i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(a), pp);
 #endif
     default:
         ASN1err(ASN1_F_I2D_PUBLICKEY, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
-        return (-1);
+        return -1;
     }
 }
diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c
index 36a130d..baa34f0 100644
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -61,6 +61,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 #ifndef OPENSSL_NO_RSA
 # include <openssl/rsa.h>
 #endif
diff --git a/crypto/cmac/cm_ameth.c b/crypto/cmac/cm_ameth.c
index 223631c..d9a550e 100644
--- a/crypto/cmac/cm_ameth.c
+++ b/crypto/cmac/cm_ameth.c
@@ -69,7 +69,7 @@ static int cmac_size(const EVP_PKEY *pkey)
 
 static void cmac_key_free(EVP_PKEY *pkey)
 {
-    CMAC_CTX *cmctx = (CMAC_CTX *)pkey->pkey.ptr;
+    CMAC_CTX *cmctx = EVP_PKEY_get0(pkey);
     CMAC_CTX_free(cmctx);
 }
 
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 0b76548..9ea5e06 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -62,6 +62,7 @@
 #include <openssl/aes.h>
 #include "cms_lcl.h"
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 /* CMS EnvelopedData Utilities */
 
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 1355322..a8dc9ab 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -367,7 +367,7 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
     if (!cms_kari_create_ephemeral_key(kari, pk))
         return 0;
 
-    CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
+    EVP_PKEY_up_ref(pk);
     rek->pkey = pk;
     return 1;
 }
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 5c39746..b040d28 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -61,6 +61,7 @@
 #include <openssl/cms.h>
 #include "cms_lcl.h"
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 /* CMS SignedData Utilities */
 
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 64eaf4c..f021b39 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -63,6 +63,7 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 #ifndef OPENSSL_NO_CMS
 # include <openssl/cms.h>
 #endif
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 92976bc3..47aa912 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -66,6 +66,7 @@
 # include <openssl/cms.h>
 #endif
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 {
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index fb07262..bc77391 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -66,6 +66,7 @@
 #endif
 #include <openssl/asn1t.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 #ifndef OPENSSL_NO_CMS
 static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);
diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c
index e0c689f..65ccd5b 100644
--- a/crypto/evp/evp_pkey.c
+++ b/crypto/evp/evp_pkey.c
@@ -63,6 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 /* Extract a private key from a PKCS8 structure */
 
diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c
index f232934..218c674 100644
--- a/crypto/evp/p_dec.c
+++ b/crypto/evp/p_dec.c
@@ -72,7 +72,7 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl,
     int ret = -1;
 
 #ifndef OPENSSL_NO_RSA
-    if (priv->type != EVP_PKEY_RSA) {
+    if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) {
 #endif
         EVPerr(EVP_F_EVP_PKEY_DECRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA);
 #ifndef OPENSSL_NO_RSA
@@ -80,7 +80,8 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl,
     }
 
     ret =
-        RSA_private_decrypt(ekl, ek, key, priv->pkey.rsa, RSA_PKCS1_PADDING);
+        RSA_private_decrypt(ekl, ek, key, EVP_PKEY_get0_RSA(priv),
+                            RSA_PKCS1_PADDING);
  err:
 #endif
     return (ret);
diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c
index d4ab14b..d2069c9 100644
--- a/crypto/evp/p_enc.c
+++ b/crypto/evp/p_enc.c
@@ -72,14 +72,14 @@ int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key,
     int ret = 0;
 
 #ifndef OPENSSL_NO_RSA
-    if (pubk->type != EVP_PKEY_RSA) {
+    if (EVP_PKEY_id(pubk) != EVP_PKEY_RSA) {
 #endif
         EVPerr(EVP_F_EVP_PKEY_ENCRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA);
 #ifndef OPENSSL_NO_RSA
         goto err;
     }
     ret =
-        RSA_public_encrypt(key_len, key, ek, pubk->pkey.rsa,
+        RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk),
                            RSA_PKCS1_PADDING);
  err:
 #endif
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 7d255af..c7a0b5a 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -78,6 +78,7 @@
 #endif
 
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 static void EVP_PKEY_free_it(EVP_PKEY *x);
 
@@ -275,7 +276,7 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
     return (key != NULL);
 }
 
-void *EVP_PKEY_get0(EVP_PKEY *pkey)
+void *EVP_PKEY_get0(const EVP_PKEY *pkey)
 {
     return pkey->pkey.ptr;
 }
diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c
index 2b5c7d8..0f2bc02 100644
--- a/crypto/evp/p_open.c
+++ b/crypto/evp/p_open.c
@@ -82,12 +82,12 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
     if (!priv)
         return 1;
 
-    if (priv->type != EVP_PKEY_RSA) {
+    if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) {
         EVPerr(EVP_F_EVP_OPENINIT, EVP_R_PUBLIC_KEY_NOT_RSA);
         goto err;
     }
 
-    size = RSA_size(priv->pkey.rsa);
+    size = EVP_PKEY_size(priv);
     key = OPENSSL_malloc(size + 2);
     if (key == NULL) {
         /* ERROR */
diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
index df6bf0b..98e73e9 100644
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c
@@ -75,7 +75,7 @@ static int hmac_size(const EVP_PKEY *pkey)
 
 static void hmac_key_free(EVP_PKEY *pkey)
 {
-    ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
+    ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey);
     if (os) {
         if (os->data)
             OPENSSL_cleanse(os->data, os->length);
@@ -121,7 +121,7 @@ static int old_hmac_decode(EVP_PKEY *pkey,
 static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder)
 {
     int inc;
-    ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
+    ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey);
     if (pder) {
         if (!*pder) {
             *pder = OPENSSL_malloc(os->length);
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index da73e70..614ccca 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -387,3 +387,32 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
                              (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
                              cipher##_init_key, NULL, NULL, NULL, NULL)
 
+
+/*
+ * Type needs to be a bit field Sub-type needs to be for variations on the
+ * method, as in, can it do arbitrary encryption....
+ */
+struct evp_pkey_st {
+    int type;
+    int save_type;
+    int references;
+    const EVP_PKEY_ASN1_METHOD *ameth;
+    ENGINE *engine;
+    union {
+        char *ptr;
+# ifndef OPENSSL_NO_RSA
+        struct rsa_st *rsa;     /* RSA */
+# endif
+# ifndef OPENSSL_NO_DSA
+        struct dsa_st *dsa;     /* DSA */
+# endif
+# ifndef OPENSSL_NO_DH
+        struct dh_st *dh;       /* DH */
+# endif
+# ifndef OPENSSL_NO_EC
+        struct ec_key_st *ec;   /* ECC */
+# endif
+    } pkey;
+    int save_parameters;
+    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+} /* EVP_PKEY */ ;
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index 67cd99d..982dc16 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -362,7 +362,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
 #ifndef OPENSSL_NO_RSA
             /* normal optionally encrypted stuff */
             if (PEM_write_bio_RSAPrivateKey(bp,
-                                            xi->x_pkey->dec_pkey->pkey.rsa,
+                                            EVP_PKEY_get0_RSA(xi->x_pkey->dec_pkey),
                                             enc, kstr, klen, cb, u) <= 0)
                 goto err;
 #endif
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 1a249f5..e90f201 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -72,6 +72,7 @@
 # include <openssl/dh.h>
 #endif
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 int pem_check_suffix(const char *pem_str, const char *suffix);
 
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 8aceb2b..625b488 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -450,11 +450,12 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
     unsigned char *p;
     unsigned int bitlen, magic = 0, keyalg;
     int outlen, noinc = 0;
-    if (pk->type == EVP_PKEY_DSA) {
-        bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic);
+    int pktype = EVP_PKEY_id(pk);
+    if (pktype == EVP_PKEY_DSA) {
+        bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
         keyalg = MS_KEYALG_DSS_SIGN;
-    } else if (pk->type == EVP_PKEY_RSA) {
-        bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic);
+    } else if (pktype == EVP_PKEY_RSA) {
+        bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
         keyalg = MS_KEYALG_RSA_KEYX;
     } else
         return -1;
@@ -484,9 +485,9 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
     write_ledword(&p, magic);
     write_ledword(&p, bitlen);
     if (keyalg == MS_KEYALG_DSS_SIGN)
-        write_dsa(&p, pk->pkey.dsa, ispub);
+        write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
     else
-        write_rsa(&p, pk->pkey.rsa, ispub);
+        write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
     if (!noinc)
         *out += outlen;
     return outlen;
@@ -797,7 +798,7 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel,
 
     write_ledword(&p, MS_PVKMAGIC);
     write_ledword(&p, 0);
-    if (pk->type == EVP_PKEY_DSA)
+    if (EVP_PKEY_id(pk) == EVP_PKEY_DSA)
         write_ledword(&p, MS_KEYTYPE_SIGN);
     else
         write_ledword(&p, MS_KEYTYPE_KEYX);
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 17e4de2..8c840a6 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -61,6 +61,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
 {
@@ -371,7 +372,7 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
         goto err;
 
     /* lets keep the pkey around for a while */
-    CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+    EVP_PKEY_up_ref(pkey);
     p7i->pkey = pkey;
 
     /* Set the algorithms */
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 68b268e..4433bf4 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -67,6 +67,7 @@
 # include <openssl/cms.h>
 #endif
 #include "internal/asn1_int.h"
+#include "internal/evp_int.h"
 
 #ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si);
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index f84555d..aa8ef16 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -212,7 +212,7 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
 {
     EVP_PKEY_free(ctx->signer_key);
     ctx->signer_key = key;
-    CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY);
+    EVP_PKEY_up_ref(ctx->signer_key);
 
     return 1;
 }
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 20834a0..2521e77 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -367,8 +367,8 @@ static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
 {
     const EC_GROUP *grp = NULL;
     int curve_nid;
-    if (pkey && pkey->type == EVP_PKEY_EC)
-        grp = EC_KEY_get0_group(pkey->pkey.ec);
+    if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+        grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));
     if (!grp)
         return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
     curve_nid = EC_GROUP_get_curve_name(grp);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index b27f9f6..8e60f84 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -140,13 +140,13 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
         break;
     case -2:
 #ifndef OPENSSL_NO_EC
-        if (k->type == EVP_PKEY_EC) {
+        if (EVP_PKEY_id(k) == EVP_PKEY_EC) {
             X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
             break;
         }
 #endif
 #ifndef OPENSSL_NO_DH
-        if (k->type == EVP_PKEY_DH) {
+        if (EVP_PKEY_id(k) == EVP_PKEY_DH) {
             /* No idea */
             X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,
                     X509_R_CANT_CHECK_DH_KEY);
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index a9116e7..07e5141 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -78,7 +78,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
     if (pk == NULL)
         return (0);
 
-    switch (pk->type) {
+    switch (EVP_PKEY_id(pk)) {
     case EVP_PKEY_RSA:
         ret = EVP_PK_RSA | EVP_PKT_SIGN;
 /*              if (!sign only extension) */
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 2ed9faa..f6cb867 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -114,35 +114,6 @@
 extern "C" {
 #endif
 
-/*
- * Type needs to be a bit field Sub-type needs to be for variations on the
- * method, as in, can it do arbitrary encryption....
- */
-struct evp_pkey_st {
-    int type;
-    int save_type;
-    int references;
-    const EVP_PKEY_ASN1_METHOD *ameth;
-    ENGINE *engine;
-    union {
-        char *ptr;
-# ifndef OPENSSL_NO_RSA
-        struct rsa_st *rsa;     /* RSA */
-# endif
-# ifndef OPENSSL_NO_DSA
-        struct dsa_st *dsa;     /* DSA */
-# endif
-# ifndef OPENSSL_NO_DH
-        struct dh_st *dh;       /* DH */
-# endif
-# ifndef OPENSSL_NO_EC
-        struct ec_key_st *ec;   /* ECC */
-# endif
-    } pkey;
-    int save_parameters;
-    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-} /* EVP_PKEY */ ;
-
 # define EVP_PKEY_MO_SIGN        0x0001
 # define EVP_PKEY_MO_VERIFY      0x0002
 # define EVP_PKEY_MO_ENCRYPT     0x0004
@@ -959,7 +930,7 @@ int EVP_PKEY_size(EVP_PKEY *pkey);
 int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
 int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len);
 int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);
-void *EVP_PKEY_get0(EVP_PKEY *pkey);
+void *EVP_PKEY_get0(const EVP_PKEY *pkey);
 
 # ifndef OPENSSL_NO_RSA
 struct rsa_st;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 75ccc72..2aaf99c 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -214,7 +214,7 @@ CERT *ssl_cert_dup(CERT *cert)
 
         if (cpk->privatekey != NULL) {
             rpk->privatekey = cpk->privatekey;
-            CRYPTO_add(&cpk->privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+            EVP_PKEY_up_ref(cpk->privatekey);
         }
 
         if (cpk->chain) {
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index a02230d..aa49599 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -196,8 +196,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
          * Don't check the public/private key, this is mostly for smart
          * cards.
          */
-        if ((pkey->type == EVP_PKEY_RSA) &&
-            (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ;
+        if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
+            && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK);
         else
 #endif
         if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
@@ -208,7 +208,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
     }
 
     EVP_PKEY_free(c->pkeys[i].privatekey);
-    CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+    EVP_PKEY_up_ref(pkey);
     c->pkeys[i].privatekey = pkey;
     c->key = &(c->pkeys[i]);
     return (1);
@@ -392,9 +392,9 @@ static int ssl_set_cert(CERT *c, X509 *x)
          * Don't check the public/private key, this is mostly for smart
          * cards.
          */
-        if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
-            (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
-             RSA_METHOD_FLAG_NO_CHECK)) ;
+        if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
+            && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
+               RSA_METHOD_FLAG_NO_CHECK) ;
         else
 #endif                          /* OPENSSL_NO_RSA */
         if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5925923..047bcf5 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1683,7 +1683,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
 #ifdef SSL_DEBUG
             fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 #endif
-        } else if (pkey->type == EVP_PKEY_RSA) {
+        } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
             md = EVP_md5_sha1();
         } else {
             md = EVP_sha1();
@@ -2191,8 +2191,7 @@ psk_err:
         }
 
         pkey = X509_get0_pubkey(s->session->peer);
-        if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
-            || (pkey->pkey.rsa == NULL)) {
+        if (EVP_PKEY_get0_RSA(pkey) == NULL) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
                    ERR_R_INTERNAL_ERROR);
             goto err;
@@ -2273,9 +2272,7 @@ psk_err:
         } else {
             /* Get the Server Public Key from Cert */
             skey = X509_get0_pubkey(s->session->peer);
-            if ((skey == NULL)
-                || (skey->type != EVP_PKEY_EC)
-                || (skey->pkey.ec == NULL)) {
+            if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
                 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
                        ERR_R_INTERNAL_ERROR);
                 goto err;
@@ -2609,10 +2606,12 @@ int tls_construct_client_verify(SSL *s)
         goto err;
     }
 #ifndef OPENSSL_NO_GOST
-    if (pkey->type == NID_id_GostR3410_2001
-            || pkey->type == NID_id_GostR3410_2012_256
-            || pkey->type == NID_id_GostR3410_2012_512) {
-        BUF_reverse(p + 2, NULL, u);
+    {
+        int pktype = EVP_PKEY_id(pkey);
+        if (pktype == NID_id_GostR3410_2001
+            || pktype == NID_id_GostR3410_2012_256
+            || pktype == NID_id_GostR3410_2012_512)
+            BUF_reverse(p + 2, NULL, u);
     }
 #endif
 
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 984df19..7055966 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -612,7 +612,7 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
     if (pk == NULL)
         goto err;
 
-    i = pk->type;
+    i = EVP_PKEY_id(pk);
     if (i == EVP_PKEY_RSA) {
         ret = SSL_PKEY_RSA_ENC;
     } else if (i == EVP_PKEY_DSA) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5ee0c94..2ac9dc3 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2080,7 +2080,6 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
     unsigned long alg_k;
 #ifndef OPENSSL_NO_RSA
     RSA *rsa = NULL;
-    EVP_PKEY *pkey = NULL;
 #endif
 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
     EVP_PKEY *ckey = NULL;
@@ -2173,15 +2172,13 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
         size_t j;
 
         /* FIX THIS UP EAY EAY EAY EAY */
-        pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
-        if ((pkey == NULL) ||
-            (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
+        rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+        if (rsa == NULL) {
             al = SSL_AD_HANDSHAKE_FAILURE;
             SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                    SSL_R_MISSING_RSA_CERTIFICATE);
             goto f_err;
         }
-        rsa = pkey->pkey.rsa;
 
         /* SSLv3 and pre-standard DTLS omit the length bytes. */
         if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
@@ -2694,7 +2691,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
      * length field (CryptoPro implementations at least till CSP 4.0)
      */
 #ifndef OPENSSL_NO_GOST
-    if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
+    if (PACKET_remaining(pkt) == 64
+        && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
         len = 64;
     } else
 #endif
@@ -2764,10 +2762,12 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     }
 
 #ifndef OPENSSL_NO_GOST
-    if (pkey->type == NID_id_GostR3410_2001
-            || pkey->type == NID_id_GostR3410_2012_256
-            || pkey->type == NID_id_GostR3410_2012_512) {
-        BUF_reverse(data, NULL, len);
+    {
+        int pktype = EVP_PKEY_id(pkey);
+        if (pktype == NID_id_GostR3410_2001
+            || pktype == NID_id_GostR3410_2012_256
+            || pktype == NID_id_GostR3410_2012_512)
+            BUF_reverse(data, NULL, len);
     }
 #endif
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 41b55c8..6937b45 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -793,9 +793,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
     if (!pkey)
         return 0;
     /* If not EC nothing to do */
-    if (pkey->type != EVP_PKEY_EC)
+    if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
         return 1;
-    rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
+    rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey));
     if (!rv)
         return 0;
     /*
@@ -990,10 +990,10 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
         return 0;
     }
 #ifndef OPENSSL_NO_EC
-    if (pkey->type == EVP_PKEY_EC) {
+    if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
         unsigned char curve_id[2], comp_id;
         /* Check compression and curve matches extensions */
-        if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
+        if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)))
             return 0;
         if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
             SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
@@ -3227,7 +3227,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
 
 int tls12_get_sigid(const EVP_PKEY *pk)
 {
-    return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig));
+    return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig));
 }
 
 typedef struct {
@@ -4110,7 +4110,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
     if (!s->server && strict_mode) {
         STACK_OF(X509_NAME) *ca_dn;
         int check_type = 0;
-        switch (pk->type) {
+        switch (EVP_PKEY_id(pk)) {
         case EVP_PKEY_RSA:
             check_type = TLS_CT_RSA_SIGN;
             break;


More information about the openssl-commits mailing list