deprecate internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

14 years ago these were changed in OpenSSL to be the same as the _ex functions. We use the _ex functions only internally to ensure it is obvious the ctx must be cleared. ok bcook@
author: beck <> 2016-05-30 13:42:54 +0000
committer: beck <> 2016-05-30 13:42:54 +0000
commit: a35f44242c832a478373d4b9e7fc5c9119c07090 (patch)
tree: 362a819b53348b53df2eb57846da7fd93be3f866 /src
parent: 06b5312e6a3b5c470b0de3f0d4b272ded331ca5b (diff)
download: openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.tar.gz
openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.tar.bz2
openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.zip
8 files changed, 40 insertions, 24 deletions
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index a0adbece01..75798dae8c 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.50 2016/04/28 16:06:53 jsing Exp $ */
+/* $OpenBSD: evp.h,v 1.51 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -575,7 +575,9 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#ifndef LIBRESSL_INTERNAL
 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#endif
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    const unsigned char *key, const unsigned char *iv);
@@ -583,8 +585,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    ENGINE *impl, const unsigned char *key, const unsigned char *iv);
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
-int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#ifndef LIBRESSL_INTERNAL
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    const unsigned char *key, const unsigned char *iv, int enc);
@@ -592,9 +596,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
-int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#ifndef LIBRESSL_INTERNAL
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
+        
 int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
    EVP_PKEY *pkey);
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 556908fd10..f8d2cb78d4 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -264,9 +264,9 @@ int
 EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 {
        if (ctx->encrypt)
-                return EVP_EncryptFinal(ctx, out, outl);
+                return EVP_EncryptFinal_ex(ctx, out, outl);
        else
-                return EVP_DecryptFinal(ctx, out, outl);
+                return EVP_DecryptFinal_ex(ctx, out, outl);
 }
 int
@@ -371,6 +371,7 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        int ret;
        ret = EVP_EncryptFinal_ex(ctx, out, outl);
+        (void) EVP_CIPHER_CTX_cleanup(ctx);
        return ret;
 }
@@ -484,6 +485,7 @@ EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        int ret;
        ret = EVP_DecryptFinal_ex(ctx, out, outl);
+        (void) EVP_CIPHER_CTX_cleanup(ctx);
        return ret;
 }
@@ -571,7 +573,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                 * functional reference we held for this reason. */
                ENGINE_finish(c->engine);
 #endif
-        memset(c, 0, sizeof(EVP_CIPHER_CTX));
+        explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
        return 1;
 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 10b6312834..9fe96de53e 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2558,7 +2558,7 @@ ssl3_send_newsession_ticket(SSL *s)
                /* Encrypt session data */
                EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
                p += len;
-                EVP_EncryptFinal(&ctx, p, &len);
+                EVP_EncryptFinal_ex(&ctx, p, &len);
                p += len;
                EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/src/lib/libssl/src/crypto/evp/evp.h b/src/lib/libssl/src/crypto/evp/evp.h
index a0adbece01..75798dae8c 100644
--- a/src/lib/libssl/src/crypto/evp/evp.h
+++ b/src/lib/libssl/src/crypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.50 2016/04/28 16:06:53 jsing Exp $ */
+/* $OpenBSD: evp.h,v 1.51 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -575,7 +575,9 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#ifndef LIBRESSL_INTERNAL
 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+#endif
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    const unsigned char *key, const unsigned char *iv);
@@ -583,8 +585,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    ENGINE *impl, const unsigned char *key, const unsigned char *iv);
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
-int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#ifndef LIBRESSL_INTERNAL
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    const unsigned char *key, const unsigned char *iv, int enc);
@@ -592,9 +596,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
    const unsigned char *in, int inl);
-int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#ifndef LIBRESSL_INTERNAL
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+#endif
+        
 int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
    EVP_PKEY *pkey);
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 556908fd10..f8d2cb78d4 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -264,9 +264,9 @@ int
 EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 {
        if (ctx->encrypt)
-                return EVP_EncryptFinal(ctx, out, outl);
+                return EVP_EncryptFinal_ex(ctx, out, outl);
        else
-                return EVP_DecryptFinal(ctx, out, outl);
+                return EVP_DecryptFinal_ex(ctx, out, outl);
 }
 int
@@ -371,6 +371,7 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        int ret;
        ret = EVP_EncryptFinal_ex(ctx, out, outl);
+        (void) EVP_CIPHER_CTX_cleanup(ctx);
        return ret;
 }
@@ -484,6 +485,7 @@ EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        int ret;
        ret = EVP_DecryptFinal_ex(ctx, out, outl);
+        (void) EVP_CIPHER_CTX_cleanup(ctx);
        return ret;
 }
@@ -571,7 +573,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                 * functional reference we held for this reason. */
                ENGINE_finish(c->engine);
 #endif
-        memset(c, 0, sizeof(EVP_CIPHER_CTX));
+        explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
        return 1;
 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 10b6312834..9fe96de53e 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2558,7 +2558,7 @@ ssl3_send_newsession_ticket(SSL *s)
                /* Encrypt session data */
                EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
                p += len;
-                EVP_EncryptFinal(&ctx, p, &len);
+                EVP_EncryptFinal_ex(&ctx, p, &len);
                p += len;
                EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 7855313914..7230dec671 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2199,7 +2199,7 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
                return -1;
        }
        EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
-        if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
+        if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
                free(sdec);
                EVP_CIPHER_CTX_cleanup(&ctx);
                return 2;
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 7855313914..7230dec671 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2199,7 +2199,7 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
                return -1;
        }
        EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
-        if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
+        if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
                free(sdec);
                EVP_CIPHER_CTX_cleanup(&ctx);
                return 2;
author	beck <>	2016-05-30 13:42:54 +0000
committer	beck <>	2016-05-30 13:42:54 +0000
commit	a35f44242c832a478373d4b9e7fc5c9119c07090 (patch)
tree	362a819b53348b53df2eb57846da7fd93be3f866 /src
parent	06b5312e6a3b5c470b0de3f0d4b272ded331ca5b (diff)
download	openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.tar.gz openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.tar.bz2 openbsd-a35f44242c832a478373d4b9e7fc5c9119c07090.zip

diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index a0adbece01..75798dae8c 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp.h,v 1.50 2016/04/28 16:06:53 jsing Exp $ */	1	/* $OpenBSD: evp.h,v 1.51 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -575,7 +575,9 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
575	int EVP_EncryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	575	int EVP_EncryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
576	const unsigned char *in, int inl);	576	const unsigned char *in, int inl);
577	int EVP_EncryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);	577	int EVP_EncryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);
		578	#ifndef LIBRESSL_INTERNAL
578	int EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);	579	int EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);
		580	#endif
579		581
580	int EVP_DecryptInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,	582	int EVP_DecryptInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
581	const unsigned char key, const unsigned char iv);	583	const unsigned char key, const unsigned char iv);
@@ -583,8 +585,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
583	ENGINE impl, const unsigned char key, const unsigned char *iv);	585	ENGINE impl, const unsigned char key, const unsigned char *iv);
584	int EVP_DecryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	586	int EVP_DecryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
585	const unsigned char *in, int inl);	587	const unsigned char *in, int inl);
586	int EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
587	int EVP_DecryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);	588	int EVP_DecryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		589	#ifndef LIBRESSL_INTERNAL
		590	int EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		591	#endif
588		592
589	int EVP_CipherInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,	593	int EVP_CipherInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
590	const unsigned char key, const unsigned char iv, int enc);	594	const unsigned char key, const unsigned char iv, int enc);
@@ -592,9 +596,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
592	ENGINE impl, const unsigned char key, const unsigned char *iv, int enc);	596	ENGINE impl, const unsigned char key, const unsigned char *iv, int enc);
593	int EVP_CipherUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	597	int EVP_CipherUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
594	const unsigned char *in, int inl);	598	const unsigned char *in, int inl);
595	int EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
596	int EVP_CipherFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);	599	int EVP_CipherFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
597		600	#ifndef LIBRESSL_INTERNAL
		601	int EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		602	#endif
		603
598	int EVP_SignFinal(EVP_MD_CTX ctx, unsigned char md, unsigned int *s,	604	int EVP_SignFinal(EVP_MD_CTX ctx, unsigned char md, unsigned int *s,
599	EVP_PKEY *pkey);	605	EVP_PKEY *pkey);
600		606


diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c index 556908fd10..f8d2cb78d4 100644 --- a/src/lib/libcrypto/evp/evp_enc.c +++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */	1	/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -264,9 +264,9 @@ int
264	EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)	264	EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
265	{	265	{
266	if (ctx->encrypt)	266	if (ctx->encrypt)
267	return EVP_EncryptFinal(ctx, out, outl);	267	return EVP_EncryptFinal_ex(ctx, out, outl);
268	else	268	else
269	return EVP_DecryptFinal(ctx, out, outl);	269	return EVP_DecryptFinal_ex(ctx, out, outl);
270	}	270	}
271		271
272	int	272	int
@@ -371,6 +371,7 @@ EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
371	int ret;	371	int ret;
372		372
373	ret = EVP_EncryptFinal_ex(ctx, out, outl);	373	ret = EVP_EncryptFinal_ex(ctx, out, outl);
		374	(void) EVP_CIPHER_CTX_cleanup(ctx);
374	return ret;	375	return ret;
375	}	376	}
376		377
@@ -484,6 +485,7 @@ EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
484	int ret;	485	int ret;
485		486
486	ret = EVP_DecryptFinal_ex(ctx, out, outl);	487	ret = EVP_DecryptFinal_ex(ctx, out, outl);
		488	(void) EVP_CIPHER_CTX_cleanup(ctx);
487	return ret;	489	return ret;
488	}	490	}
489		491
@@ -571,7 +573,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
571	* functional reference we held for this reason. */	573	* functional reference we held for this reason. */
572	ENGINE_finish(c->engine);	574	ENGINE_finish(c->engine);
573	#endif	575	#endif
574	memset(c, 0, sizeof(EVP_CIPHER_CTX));	576	explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
575	return 1;	577	return 1;
576	}	578	}
577		579


diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 10b6312834..9fe96de53e 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2558,7 +2558,7 @@ ssl3_send_newsession_ticket(SSL *s)
2558	/* Encrypt session data */	2558	/* Encrypt session data */
2559	EVP_EncryptUpdate(&ctx, p, &len, senc, slen);	2559	EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2560	p += len;	2560	p += len;
2561	EVP_EncryptFinal(&ctx, p, &len);	2561	EVP_EncryptFinal_ex(&ctx, p, &len);
2562	p += len;	2562	p += len;
2563	EVP_CIPHER_CTX_cleanup(&ctx);	2563	EVP_CIPHER_CTX_cleanup(&ctx);
2564		2564


diff --git a/src/lib/libssl/src/crypto/evp/evp.h b/src/lib/libssl/src/crypto/evp/evp.h index a0adbece01..75798dae8c 100644 --- a/src/lib/libssl/src/crypto/evp/evp.h +++ b/src/lib/libssl/src/crypto/evp/evp.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp.h,v 1.50 2016/04/28 16:06:53 jsing Exp $ */	1	/* $OpenBSD: evp.h,v 1.51 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -575,7 +575,9 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
575	int EVP_EncryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	575	int EVP_EncryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
576	const unsigned char *in, int inl);	576	const unsigned char *in, int inl);
577	int EVP_EncryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);	577	int EVP_EncryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);
		578	#ifndef LIBRESSL_INTERNAL
578	int EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);	579	int EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl);
		580	#endif
579		581
580	int EVP_DecryptInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,	582	int EVP_DecryptInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
581	const unsigned char key, const unsigned char iv);	583	const unsigned char key, const unsigned char iv);
@@ -583,8 +585,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
583	ENGINE impl, const unsigned char key, const unsigned char *iv);	585	ENGINE impl, const unsigned char key, const unsigned char *iv);
584	int EVP_DecryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	586	int EVP_DecryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
585	const unsigned char *in, int inl);	587	const unsigned char *in, int inl);
586	int EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
587	int EVP_DecryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);	588	int EVP_DecryptFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		589	#ifndef LIBRESSL_INTERNAL
		590	int EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		591	#endif
588		592
589	int EVP_CipherInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,	593	int EVP_CipherInit(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
590	const unsigned char key, const unsigned char iv, int enc);	594	const unsigned char key, const unsigned char iv, int enc);
@@ -592,9 +596,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX ctx, const EVP_CIPHER cipher,
592	ENGINE impl, const unsigned char key, const unsigned char *iv, int enc);	596	ENGINE impl, const unsigned char key, const unsigned char *iv, int enc);
593	int EVP_CipherUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,	597	int EVP_CipherUpdate(EVP_CIPHER_CTX ctx, unsigned char out, int *outl,
594	const unsigned char *in, int inl);	598	const unsigned char *in, int inl);
595	int EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
596	int EVP_CipherFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);	599	int EVP_CipherFinal_ex(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
597		600	#ifndef LIBRESSL_INTERNAL
		601	int EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char outm, int *outl);
		602	#endif
		603
598	int EVP_SignFinal(EVP_MD_CTX ctx, unsigned char md, unsigned int *s,	604	int EVP_SignFinal(EVP_MD_CTX ctx, unsigned char md, unsigned int *s,
599	EVP_PKEY *pkey);	605	EVP_PKEY *pkey);
600		606


diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c index 556908fd10..f8d2cb78d4 100644 --- a/src/lib/libssl/src/crypto/evp/evp_enc.c +++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */	1	/* $OpenBSD: evp_enc.c,v 1.31 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -264,9 +264,9 @@ int
264	EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)	264	EVP_CipherFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
265	{	265	{
266	if (ctx->encrypt)	266	if (ctx->encrypt)
267	return EVP_EncryptFinal(ctx, out, outl);	267	return EVP_EncryptFinal_ex(ctx, out, outl);
268	else	268	else
269	return EVP_DecryptFinal(ctx, out, outl);	269	return EVP_DecryptFinal_ex(ctx, out, outl);
270	}	270	}
271		271
272	int	272	int
@@ -371,6 +371,7 @@ EVP_EncryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
371	int ret;	371	int ret;
372		372
373	ret = EVP_EncryptFinal_ex(ctx, out, outl);	373	ret = EVP_EncryptFinal_ex(ctx, out, outl);
		374	(void) EVP_CIPHER_CTX_cleanup(ctx);
374	return ret;	375	return ret;
375	}	376	}
376		377
@@ -484,6 +485,7 @@ EVP_DecryptFinal(EVP_CIPHER_CTX ctx, unsigned char out, int *outl)
484	int ret;	485	int ret;
485		486
486	ret = EVP_DecryptFinal_ex(ctx, out, outl);	487	ret = EVP_DecryptFinal_ex(ctx, out, outl);
		488	(void) EVP_CIPHER_CTX_cleanup(ctx);
487	return ret;	489	return ret;
488	}	490	}
489		491
@@ -571,7 +573,7 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
571	* functional reference we held for this reason. */	573	* functional reference we held for this reason. */
572	ENGINE_finish(c->engine);	574	ENGINE_finish(c->engine);
573	#endif	575	#endif
574	memset(c, 0, sizeof(EVP_CIPHER_CTX));	576	explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
575	return 1;	577	return 1;
576	}	578	}
577		579


diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 10b6312834..9fe96de53e 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2558,7 +2558,7 @@ ssl3_send_newsession_ticket(SSL *s)
2558	/* Encrypt session data */	2558	/* Encrypt session data */
2559	EVP_EncryptUpdate(&ctx, p, &len, senc, slen);	2559	EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2560	p += len;	2560	p += len;
2561	EVP_EncryptFinal(&ctx, p, &len);	2561	EVP_EncryptFinal_ex(&ctx, p, &len);
2562	p += len;	2562	p += len;
2563	EVP_CIPHER_CTX_cleanup(&ctx);	2563	EVP_CIPHER_CTX_cleanup(&ctx);
2564		2564


diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 7855313914..7230dec671 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2199,7 +2199,7 @@ tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,
2199	return -1;	2199	return -1;
2200	}	2200	}
2201	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);	2201	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2202	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {	2202	if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2203	free(sdec);	2203	free(sdec);
2204	EVP_CIPHER_CTX_cleanup(&ctx);	2204	EVP_CIPHER_CTX_cleanup(&ctx);
2205	return 2;	2205	return 2;


diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 7855313914..7230dec671 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.86 2016/03/10 23:21:46 mmcc Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.87 2016/05/30 13:42:54 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2199,7 +2199,7 @@ tls_decrypt_ticket(SSL s, const unsigned char etick, int eticklen,
2199	return -1;	2199	return -1;
2200	}	2200	}
2201	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);	2201	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2202	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {	2202	if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) {
2203	free(sdec);	2203	free(sdec);
2204	EVP_CIPHER_CTX_cleanup(&ctx);	2204	EVP_CIPHER_CTX_cleanup(&ctx);
2205	return 2;	2205	return 2;