The branch master has been updated via 5050fd5b3b7d18eec966469726180efb6c72c594 (commit) via b064eebb5080178de9641a0520e2f22b5846e0f3 (commit) via 83abd33cf7b3ed40fb94aa1338b6c40b44fa8ad3 (commit) via e2e20129a9b9f898d382d199f9debdb549b882ff (commit) via 0a4a48a8b4eecc16a5c024492de09483370a7d5d (commit) from 9754665d6b0e7ba602878aa49dabaa6e8ee72632 (commit)
- Log ----------------------------------------------------------------- commit 5050fd5b3b7d18eec966469726180efb6c72c594 Author: Tomas Mraz <to...@openssl.org> Date: Fri Mar 26 17:57:16 2021 +0100 Avoid going through NID when unnecessary Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14703) commit b064eebb5080178de9641a0520e2f22b5846e0f3 Author: Tomas Mraz <to...@openssl.org> Date: Fri Mar 26 17:53:59 2021 +0100 EVP_CIPHER_type: fix misleading argument name Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14703) commit 83abd33cf7b3ed40fb94aa1338b6c40b44fa8ad3 Author: Tomas Mraz <to...@openssl.org> Date: Fri Mar 26 17:53:00 2021 +0100 Drop TODO 3.0 as we cannot get rid of legacy nids in 3.0 Fixes #14393 Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14703) commit e2e20129a9b9f898d382d199f9debdb549b882ff Author: Tomas Mraz <to...@openssl.org> Date: Fri Mar 26 17:50:03 2021 +0100 OBJ_nid2sn(NID_sha256) is completely equivalent to OSSL_DIGEST_NAME_SHA2_256 The comment is bogus as that call for NID_sha256 does not do anything else than looking up the string in an internal table. Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14703) commit 0a4a48a8b4eecc16a5c024492de09483370a7d5d Author: Tomas Mraz <to...@openssl.org> Date: Fri Mar 26 17:48:31 2021 +0100 EVP_PKEY_CTRL_CIPHER can be used with encrypt/decrypt with GOST Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14703) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 2 +- apps/crl.c | 3 +-- apps/enc.c | 2 +- apps/speed.c | 8 ++++---- apps/x509.c | 2 +- crypto/evp/ctrl_params_translate.c | 2 +- crypto/evp/evp_enc.c | 3 +-- crypto/evp/evp_lib.c | 4 ++-- crypto/pem/pem_info.c | 4 ++-- crypto/pem/pem_lib.c | 2 +- doc/man3/EVP_EncryptInit.pod | 2 +- include/openssl/evp.h | 2 +- ssl/s3_lib.c | 6 +----- 13 files changed, 18 insertions(+), 24 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index dbb4d15eb8..9cec43cf8b 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -821,7 +821,7 @@ end_of_options: } if (verbose) BIO_printf(bio_err, "message digest is %s\n", - OBJ_nid2ln(EVP_MD_type(dgst))); + EVP_MD_name(dgst)); if (policy == NULL && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) goto end; diff --git a/apps/crl.c b/apps/crl.c index e2ed9588e6..e8b501a8af 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -347,8 +347,7 @@ int crl_main(int argc, char **argv) BIO_printf(bio_err, "out of memory\n"); goto end; } - BIO_printf(bio_out, "%s Fingerprint=", - OBJ_nid2sn(EVP_MD_type(digest))); + BIO_printf(bio_out, "%s Fingerprint=", EVP_MD_name(digest)); for (j = 0; j < (int)n; j++) { BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); diff --git a/apps/enc.c b/apps/enc.c index c5766f05e8..498d0d500b 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -360,7 +360,7 @@ int enc_main(int argc, char **argv) char prompt[200]; BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:", - OBJ_nid2ln(EVP_CIPHER_nid(cipher)), + EVP_CIPHER_name(cipher), (enc) ? "encryption" : "decryption"); strbuf[0] = '\0'; i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); diff --git a/apps/speed.c b/apps/speed.c index 727341a1e6..25c384d775 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1758,7 +1758,7 @@ int speed_main(int argc, char **argv) } else if (!(EVP_CIPHER_flags(evp_cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { BIO_printf(bio_err, "%s is not an AEAD cipher\n", - OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher))); + EVP_CIPHER_name(evp_cipher)); goto end; } } @@ -1770,7 +1770,7 @@ int speed_main(int argc, char **argv) } else if (!(EVP_CIPHER_flags(evp_cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) { BIO_printf(bio_err, "%s is not a multi-block capable\n", - OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher))); + EVP_CIPHER_name(evp_cipher)); goto end; } else if (async_jobs > 0) { BIO_printf(bio_err, "Async mode is not supported with -mb"); @@ -2219,7 +2219,7 @@ int speed_main(int argc, char **argv) goto end; } - names[D_EVP] = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher)); + names[D_EVP] = EVP_CIPHER_name(evp_cipher); if (EVP_CIPHER_mode(evp_cipher) == EVP_CIPH_CCM_MODE) { loopfunc = EVP_Update_loop_ccm; @@ -3633,7 +3633,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key), no_key)) app_bail_out("failed to set AEAD key\n"); - if ((alg_name = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher))) == NULL) + if ((alg_name = EVP_CIPHER_name(evp_cipher)) == NULL) app_bail_out("failed to get cipher name\n"); for (j = 0; j < num; j++) { diff --git a/apps/x509.c b/apps/x509.c index 163c1c8a67..abbffe37ab 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -978,7 +978,7 @@ int x509_main(int argc, char **argv) BIO_printf(bio_err, "Out of memory\n"); goto end; } - BIO_printf(out, "%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig))); + BIO_printf(out, "%s Fingerprint=", EVP_MD_name(fdig)); for (j = 0; j < (int)n; j++) BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); } else if (i == ocspid) { diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index 995e37a4e8..4863b81db9 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -2188,7 +2188,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = { EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, "maxmem_bytes", NULL, OSSL_KDF_PARAM_SCRYPT_MAXMEM, OSSL_PARAM_UNSIGNED_INTEGER, NULL }, - { SET, -1, -1, EVP_PKEY_OP_KEYGEN, + { SET, -1, -1, EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_CIPHER, NULL, NULL, OSSL_PKEY_PARAM_CIPHER, OSSL_PARAM_UTF8_STRING, fix_cipher }, { SET, -1, -1, EVP_PKEY_OP_KEYGEN, diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index c3d2b97594..79ffd2275f 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1415,7 +1415,7 @@ EVP_CIPHER *evp_cipher_new(void) * NIDs or any functionality that use them. */ #ifndef FIPS_MODULE -/* TODO(3.x) get rid of the need for legacy NIDs */ +/* After removal of legacy support get rid of the need for legacy NIDs */ static void set_legacy_nid(const char *name, void *vlegacy_nid) { int nid; @@ -1453,7 +1453,6 @@ static void *evp_cipher_from_dispatch(const int name_id, } #ifndef FIPS_MODULE - /* TODO(3.x) get rid of the need for legacy NIDs */ cipher->nid = NID_undef; if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid) || cipher->nid == -1) { diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 48bf99d1f5..31d2a7392b 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -267,10 +267,10 @@ int evp_cipher_set_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type, #endif /* !defined(FIPS_MODULE) */ /* Convert the various cipher NIDs and dummies to a proper OID NID */ -int EVP_CIPHER_type(const EVP_CIPHER *ctx) +int EVP_CIPHER_type(const EVP_CIPHER *cipher) { int nid; - nid = EVP_CIPHER_nid(ctx); + nid = EVP_CIPHER_nid(cipher); switch (nid) { diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index c615d24ed0..54e29ab41f 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -282,7 +282,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc, const unsigned char *iv = NULL; if (enc != NULL) { - objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc)); + objstr = EVP_CIPHER_name(enc); if (objstr == NULL /* * Check "Proc-Type: 4,Encrypted\nDEK-Info: objstr,hex-iv\n" @@ -317,7 +317,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc, * than what the user has passed us ... as we have to match * exactly for some strange reason */ - objstr = OBJ_nid2sn(EVP_CIPHER_nid(xi->enc_cipher.cipher)); + objstr = EVP_CIPHER_name(xi->enc_cipher.cipher); if (objstr == NULL) { ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER); goto err; diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index c8e0b264da..16b65fa945 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -323,7 +323,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, unsigned char iv[EVP_MAX_IV_LENGTH]; if (enc != NULL) { - objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc)); + objstr = EVP_CIPHER_name(enc); if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0 || EVP_CIPHER_iv_length(enc) > (int)sizeof(iv) /* diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index d2880b20f2..9090dc8ad3 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -149,7 +149,7 @@ EVP_CIPHER_do_all_provided int EVP_CIPHER_iv_length(const EVP_CIPHER *e); unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e); unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e); - int EVP_CIPHER_type(const EVP_CIPHER *ctx); + int EVP_CIPHER_type(const EVP_CIPHER *cipher); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 4268f1020d..7d1823dbac 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1396,7 +1396,7 @@ int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub); -int EVP_CIPHER_type(const EVP_CIPHER *ctx); +int EVP_CIPHER_type(const EVP_CIPHER *cipher); /* calls methods */ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f5b063319b..1b491e7f92 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4275,12 +4275,8 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (prefer_sha256) { const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); - /* - * TODO: When there are no more legacy digests we can just use - * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn - */ if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2), - OBJ_nid2sn(NID_sha256))) { + OSSL_DIGEST_NAME_SHA2_256)) { ret = tmp; break; }