[openssl] master update

tomas at openssl.org tomas at openssl.org
Thu Apr 1 12:40:27 UTC 2021


The branch master has been updated
       via  5050fd5b3b7d18eec966469726180efb6c72c594 (commit)
       via  b064eebb5080178de9641a0520e2f22b5846e0f3 (commit)
       via  83abd33cf7b3ed40fb94aa1338b6c40b44fa8ad3 (commit)
       via  e2e20129a9b9f898d382d199f9debdb549b882ff (commit)
       via  0a4a48a8b4eecc16a5c024492de09483370a7d5d (commit)
      from  9754665d6b0e7ba602878aa49dabaa6e8ee72632 (commit)


- Log -----------------------------------------------------------------
commit 5050fd5b3b7d18eec966469726180efb6c72c594
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Mar 26 17:57:16 2021 +0100

    Avoid going through NID when unnecessary
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14703)

commit b064eebb5080178de9641a0520e2f22b5846e0f3
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Mar 26 17:53:59 2021 +0100

    EVP_CIPHER_type: fix misleading argument name
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14703)

commit 83abd33cf7b3ed40fb94aa1338b6c40b44fa8ad3
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Mar 26 17:53:00 2021 +0100

    Drop TODO 3.0 as we cannot get rid of legacy nids in 3.0
    
    Fixes #14393
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14703)

commit e2e20129a9b9f898d382d199f9debdb549b882ff
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Mar 26 17:50:03 2021 +0100

    OBJ_nid2sn(NID_sha256) is completely equivalent to OSSL_DIGEST_NAME_SHA2_256
    
    The comment is bogus, as that call for NID_sha256 does nothing
    other than look up the string in an internal table.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14703)

commit 0a4a48a8b4eecc16a5c024492de09483370a7d5d
Author: Tomas Mraz <tomas at openssl.org>
Date:   Fri Mar 26 17:48:31 2021 +0100

    EVP_PKEY_CTRL_CIPHER can be used with encrypt/decrypt with GOST
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14703)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                          | 2 +-
 apps/crl.c                         | 3 +--
 apps/enc.c                         | 2 +-
 apps/speed.c                       | 8 ++++----
 apps/x509.c                        | 2 +-
 crypto/evp/ctrl_params_translate.c | 2 +-
 crypto/evp/evp_enc.c               | 3 +--
 crypto/evp/evp_lib.c               | 4 ++--
 crypto/pem/pem_info.c              | 4 ++--
 crypto/pem/pem_lib.c               | 2 +-
 doc/man3/EVP_EncryptInit.pod       | 2 +-
 include/openssl/evp.h              | 2 +-
 ssl/s3_lib.c                       | 6 +-----
 13 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index dbb4d15eb8..9cec43cf8b 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -821,7 +821,7 @@ end_of_options:
         }
         if (verbose)
             BIO_printf(bio_err, "message digest is %s\n",
-                       OBJ_nid2ln(EVP_MD_type(dgst)));
+                       EVP_MD_name(dgst));
         if (policy == NULL
             && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL)
             goto end;
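Review bot: The verbose message on the `EVP_MD_name(dgst)` line used to print the OBJ long name via `OBJ_nid2ln`, and as far as I know `EVP_MD_name` returns the name the implementation is registered under, not the long name, so the text an operator sees can change. The same long-name-to-EVP-name switch is made in the apps/enc.c password prompt and in the first two apps/speed.c error messages. If the difference is intended, I would record it in CHANGES, e.g. `apps: algorithm names in diagnostics are now the EVP names rather than the OBJ long names`. The enclosing code starts and ends outside this hunk.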
diff --git a/apps/crl.c b/apps/crl.c
index e2ed9588e6..e8b501a8af 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -347,8 +347,7 @@ int crl_main(int argc, char **argv)
                     BIO_printf(bio_err, "out of memory\n");
                     goto end;
                 }
-                BIO_printf(bio_out, "%s Fingerprint=",
-                           OBJ_nid2sn(EVP_MD_type(digest)));
+                BIO_printf(bio_out, "%s Fingerprint=", EVP_MD_name(digest));
                 for (j = 0; j < (int)n; j++) {
                     BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
                                ? '\n' : ':');
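Review bot: The label printed before `Fingerprint=` is output that scripts and pinning checks commonly parse, and it now comes from `EVP_MD_name(digest)` instead of the OBJ short name, so its spelling or case may differ for a provider-fetched digest. The same applies to the apps/x509.c hunk. I would add a test that pins the expected label for the common digests and a comment at both call sites such as `/* label is parsed by scripts; keep in sync with x509 -fingerprint */`. crl_main continues outside the hunk.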
diff --git a/apps/enc.c b/apps/enc.c
index c5766f05e8..498d0d500b 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -360,7 +360,7 @@ int enc_main(int argc, char **argv)
                 char prompt[200];
 
                 BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:",
-                        OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+                        EVP_CIPHER_name(cipher),
                         (enc) ? "encryption" : "decryption");
                 strbuf[0] = '\0';
                 i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
diff --git a/apps/speed.c b/apps/speed.c
index 727341a1e6..25c384d775 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1758,7 +1758,7 @@ int speed_main(int argc, char **argv)
         } else if (!(EVP_CIPHER_flags(evp_cipher) &
                      EVP_CIPH_FLAG_AEAD_CIPHER)) {
             BIO_printf(bio_err, "%s is not an AEAD cipher\n",
-                       OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher)));
+                       EVP_CIPHER_name(evp_cipher));
             goto end;
         }
     }
@@ -1770,7 +1770,7 @@ int speed_main(int argc, char **argv)
         } else if (!(EVP_CIPHER_flags(evp_cipher) &
                      EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
             BIO_printf(bio_err, "%s is not a multi-block capable\n",
-                       OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher)));
+                       EVP_CIPHER_name(evp_cipher));
             goto end;
         } else if (async_jobs > 0) {
             BIO_printf(bio_err, "Async mode is not supported with -mb");
@@ -2219,7 +2219,7 @@ int speed_main(int argc, char **argv)
                 goto end;
             }
 
-            names[D_EVP] = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher));
+            names[D_EVP] = EVP_CIPHER_name(evp_cipher);
 
             if (EVP_CIPHER_mode(evp_cipher) == EVP_CIPH_CCM_MODE) {
                 loopfunc = EVP_Update_loop_ccm;
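Review bot: `names[D_EVP] = EVP_CIPHER_name(evp_cipher);` stores the result without a NULL check, while the multiblock_speed hunk in this same file treats a NULL return from the same call as fatal. names[D_EVP] is presumably printed later in speed_main, outside this hunk, so I would handle it the same way here: `if ((names[D_EVP] = EVP_CIPHER_name(evp_cipher)) == NULL) { BIO_printf(bio_err, "failed to get cipher name\n"); goto end; }`.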
@@ -3633,7 +3633,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
                              sizeof(no_key), no_key))
         app_bail_out("failed to set AEAD key\n");
-    if ((alg_name = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher))) == NULL)
+    if ((alg_name = EVP_CIPHER_name(evp_cipher)) == NULL)
         app_bail_out("failed to get cipher name\n");
 
     for (j = 0; j < num; j++) {
diff --git a/apps/x509.c b/apps/x509.c
index 163c1c8a67..abbffe37ab 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -978,7 +978,7 @@ int x509_main(int argc, char **argv)
                 BIO_printf(bio_err, "Out of memory\n");
                 goto end;
             }
-            BIO_printf(out, "%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig)));
+            BIO_printf(out, "%s Fingerprint=", EVP_MD_name(fdig));
             for (j = 0; j < (int)n; j++)
                 BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':');
         } else if (i == ocspid) {
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 995e37a4e8..4863b81db9 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -2188,7 +2188,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
       EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, "maxmem_bytes", NULL,
       OSSL_KDF_PARAM_SCRYPT_MAXMEM, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
 
-    { SET, -1, -1, EVP_PKEY_OP_KEYGEN,
+    { SET, -1, -1, EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_TYPE_CRYPT,
       EVP_PKEY_CTRL_CIPHER, NULL, NULL,
       OSSL_PKEY_PARAM_CIPHER, OSSL_PARAM_UTF8_STRING, fix_cipher },
     { SET, -1, -1, EVP_PKEY_OP_KEYGEN,
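Review bot: The widened operation mask on the `EVP_PKEY_CTRL_CIPHER` entry has no comment saying why a cipher ctrl is accepted for encrypt/decrypt; the reason (GOST) is only in the commit message. I would add above the entry `/* GOST uses EVP_PKEY_CTRL_CIPHER with encrypt/decrypt as well as keygen */` so the mask is not narrowed again by mistake. It may also be worth confirming that fix_cipher behaves as expected when the context is a crypt operation rather than keygen; its body is not in this hunk. The table starts and ends outside the hunk.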
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index c3d2b97594..79ffd2275f 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1415,7 +1415,7 @@ EVP_CIPHER *evp_cipher_new(void)
  * NIDs or any functionality that use them.
  */
 #ifndef FIPS_MODULE
-/* TODO(3.x) get rid of the need for legacy NIDs */
+/* After removal of legacy support get rid of the need for legacy NIDs */
 static void set_legacy_nid(const char *name, void *vlegacy_nid)
 {
     int nid;
@@ -1453,7 +1453,6 @@ static void *evp_cipher_from_dispatch(const int name_id,
     }
 
 #ifndef FIPS_MODULE
-    /* TODO(3.x) get rid of the need for legacy NIDs */
     cipher->nid = NID_undef;
     if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid)
             || cipher->nid == -1) {
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 48bf99d1f5..31d2a7392b 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -267,10 +267,10 @@ int evp_cipher_set_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
 #endif /* !defined(FIPS_MODULE) */
 
 /* Convert the various cipher NIDs and dummies to a proper OID NID */
-int EVP_CIPHER_type(const EVP_CIPHER *ctx)
+int EVP_CIPHER_type(const EVP_CIPHER *cipher)
 {
     int nid;
-    nid = EVP_CIPHER_nid(ctx);
+    nid = EVP_CIPHER_nid(cipher);
 
     switch (nid) {
 
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index c615d24ed0..54e29ab41f 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -282,7 +282,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc,
     const unsigned char *iv = NULL;
 
     if (enc != NULL) {
-        objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
+        objstr = EVP_CIPHER_name(enc);
         if (objstr == NULL
                    /*
                     * Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n"
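Review bot: `objstr` is written into the DEK-Info header of the encrypted PEM, and with `EVP_CIPHER_name(enc)` it is now whatever name the cipher implementation reports rather than the OBJ short name, so a reader that resolves the header through the object name table may fail to find the cipher if the two differ. The same applies to the second hunk in this file and to the PEM_ASN1_write_bio hunk in crypto/pem/pem_lib.c. Because the name no longer comes from a fixed table, the length check that follows `objstr == NULL` (the condition continues outside the hunk) is the only bound on what is formatted into buf and should stay strict. I would add a round-trip test that writes an encrypted PEM with a fetched cipher and reads it back, plus a comment such as `/* objstr goes into DEK-Info and must be resolvable by the PEM reader */`.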
@@ -317,7 +317,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc,
              * than what the user has passed us ... as we have to match
              * exactly for some strange reason
              */
-            objstr = OBJ_nid2sn(EVP_CIPHER_nid(xi->enc_cipher.cipher));
+            objstr = EVP_CIPHER_name(xi->enc_cipher.cipher);
             if (objstr == NULL) {
                 ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
                 goto err;
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index c8e0b264da..16b65fa945 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -323,7 +323,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
     unsigned char iv[EVP_MAX_IV_LENGTH];
 
     if (enc != NULL) {
-        objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
+        objstr = EVP_CIPHER_name(enc);
         if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0
                 || EVP_CIPHER_iv_length(enc) > (int)sizeof(iv)
                    /*
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index d2880b20f2..9090dc8ad3 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -149,7 +149,7 @@ EVP_CIPHER_do_all_provided
  int EVP_CIPHER_iv_length(const EVP_CIPHER *e);
  unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e);
  unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e);
- int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+ int EVP_CIPHER_type(const EVP_CIPHER *cipher);
 
  const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
  int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 4268f1020d..7d1823dbac 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1396,7 +1396,7 @@ int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey,
 
 size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub);
 
-int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+int EVP_CIPHER_type(const EVP_CIPHER *cipher);
 
 /* calls methods */
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f5b063319b..1b491e7f92 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4275,12 +4275,8 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
             if (prefer_sha256) {
                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
 
-                /*
-                 * TODO: When there are no more legacy digests we can just use
-                 * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn
-                 */
                 if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2),
-                                       OBJ_nid2sn(NID_sha256))) {
+                                       OSSL_DIGEST_NAME_SHA2_256)) {
                     ret = tmp;
                     break;
                 }
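Review bot: The value returned by `ssl_md(s->ctx, tmp->algorithm2)` is still passed straight to `EVP_MD_is_a` with no NULL check. Whether ssl_md can return NULL for a cipher that made it into `allow` is not visible in this hunk, but `const EVP_MD *md = ssl_md(s->ctx, tmp->algorithm2);` followed by `if (md != NULL && EVP_MD_is_a(md, OSSL_DIGEST_NAME_SHA2_256)) {` would make the assumption explicit. As a smaller style point, the continuation line `OSSL_DIGEST_NAME_SHA2_256)) {` is indented past the first argument of `EVP_MD_is_a(` rather than aligned under it. ssl3_choose_cipher continues outside the hunk.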

