Remove unprotected global state from EVP_PBE

Nobody adds a custom password-based encryption algorithm, be it a PRF or one that can be an outermost AlgorithmIdentifier in CMS or its precursors. This makes the undocumented and unused EVP_PBE_alg_add{,_type}() always fail. They will be removed in the next major bump. Thus, we no longer need to maintain a global stack of PBE algorithms that one thread can happily modify while another one searches it. In subsequent steps we can then remove another rather pointless use of OBJ_bsearch_(). "Let's optimize the lookup in a table with two dozen entries using about as many glorious layers of obfuscating macros." ok jsing
author: tb <> 2023-12-15 14:16:44 +0000
committer: tb <> 2023-12-15 14:16:44 +0000
commit: 705e4d237c379c27211ff8d0c50e8ee5a58011e4 (patch)
tree: 957dad27389f335e4da4a61726a0596cd17370fd /src
parent: 97bbd96798da817300fbf00b33e26be7edd67163 (diff)
download: openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.tar.gz
openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.tar.bz2
openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.zip
1 files changed, 8 insertions, 76 deletions
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 4a23a98f8d..b5f83bf1f4 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.29 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.30 2023/12/15 14:16:44 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -70,11 +70,6 @@
 /* Password based encryption (PBE) functions */
-DECLARE_STACK_OF(EVP_PBE_CTL)
-static STACK_OF(EVP_PBE_CTL) *pbe_algs;
-/* Setup a cipher context from a PBE algorithm */
 typedef struct {
        int pbe_type;
        int pbe_nid;
@@ -202,68 +197,20 @@ OBJ_bsearch_pbe2(EVP_PBE_CTL *key, EVP_PBE_CTL const *base, int num)
            pbe2_cmp_BSEARCH_CMP_FN);
 }
-static int
-pbe_cmp(const EVP_PBE_CTL * const *a, const EVP_PBE_CTL * const *b)
-{
-        int ret = (*a)->pbe_type - (*b)->pbe_type;
-        if (ret)
-                return ret;
-        else
-                return (*a)->pbe_nid - (*b)->pbe_nid;
-}
-/* Add a PBE algorithm */
 int
 EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
    EVP_PBE_KEYGEN *keygen)
 {
-        EVP_PBE_CTL *pbe_tmp;
+        EVPerror(ERR_R_DISABLED);
+        return 0;
-        if (pbe_algs == NULL) {
-                pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);
-                if (pbe_algs == NULL) {
-                        EVPerror(ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-        }
-        pbe_tmp = malloc(sizeof(EVP_PBE_CTL));
-        if (pbe_tmp == NULL) {
-                EVPerror(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        pbe_tmp->pbe_type = pbe_type;
-        pbe_tmp->pbe_nid = pbe_nid;
-        pbe_tmp->cipher_nid = cipher_nid;
-        pbe_tmp->md_nid = md_nid;
-        pbe_tmp->keygen = keygen;
-        if (sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp) == 0) {
-                free(pbe_tmp);
-                EVPerror(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        return 1;
 }
 int
 EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
    EVP_PBE_KEYGEN *keygen)
 {
-        int cipher_nid, md_nid;
+        EVPerror(ERR_R_DISABLED);
+        return 0;
-        if (cipher)
-                cipher_nid = EVP_CIPHER_nid(cipher);
-        else
-                cipher_nid = -1;
-        if (md)
-                md_nid = EVP_MD_type(md);
-        else
-                md_nid = -1;
-        return EVP_PBE_alg_add_type(EVP_PBE_TYPE_OUTER, nid,
-            cipher_nid, md_nid, keygen);
 }
 int
@@ -271,22 +218,15 @@ EVP_PBE_find(int type, int pbe_nid,
    int *pcnid, int *pmnid, EVP_PBE_KEYGEN **pkeygen)
 {
        EVP_PBE_CTL *pbetmp = NULL, pbelu;
-        int i;
        if (pbe_nid == NID_undef)
                return 0;
        pbelu.pbe_type = type;
        pbelu.pbe_nid = pbe_nid;
-        if (pbe_algs) {
+        pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
-                i = sk_EVP_PBE_CTL_find(pbe_algs, &pbelu);
+            sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL));
-                if (i != -1)
-                        pbetmp = sk_EVP_PBE_CTL_value (pbe_algs, i);
-        }
-        if (pbetmp == NULL) {
-                pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
-                    sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL));
-        }
        if (pbetmp == NULL)
                return 0;
        if (pcnid)
@@ -298,15 +238,7 @@ EVP_PBE_find(int type, int pbe_nid,
        return 1;
 }
-static void
-free_evp_pbe_ctl(EVP_PBE_CTL *pbe)
-{
-        free(pbe);
-}
 void
 EVP_PBE_cleanup(void)
 {
-        sk_EVP_PBE_CTL_pop_free(pbe_algs, free_evp_pbe_ctl);
-        pbe_algs = NULL;
 }
author	tb <>	2023-12-15 14:16:44 +0000
committer	tb <>	2023-12-15 14:16:44 +0000
commit	705e4d237c379c27211ff8d0c50e8ee5a58011e4 (patch)
tree	957dad27389f335e4da4a61726a0596cd17370fd /src
parent	97bbd96798da817300fbf00b33e26be7edd67163 (diff)
download	openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.tar.gz openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.tar.bz2 openbsd-705e4d237c379c27211ff8d0c50e8ee5a58011e4.zip

diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c index 4a23a98f8d..b5f83bf1f4 100644 --- a/src/lib/libcrypto/evp/evp_pbe.c +++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: evp_pbe.c,v 1.29 2023/07/07 19:37:53 beck Exp $ */	1	/* $OpenBSD: evp_pbe.c,v 1.30 2023/12/15 14:16:44 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -70,11 +70,6 @@
70		70
71	/* Password based encryption (PBE) functions */	71	/* Password based encryption (PBE) functions */
72		72
73	DECLARE_STACK_OF(EVP_PBE_CTL)
74	static STACK_OF(EVP_PBE_CTL) *pbe_algs;
75
76	/* Setup a cipher context from a PBE algorithm */
77
78	typedef struct {	73	typedef struct {
79	int pbe_type;	74	int pbe_type;
80	int pbe_nid;	75	int pbe_nid;
@@ -202,68 +197,20 @@ OBJ_bsearch_pbe2(EVP_PBE_CTL key, EVP_PBE_CTL const base, int num)
202	pbe2_cmp_BSEARCH_CMP_FN);	197	pbe2_cmp_BSEARCH_CMP_FN);
203	}	198	}
204		199
205	static int
206	pbe_cmp(const EVP_PBE_CTL * const a, const EVP_PBE_CTL const *b)
207	{
208	int ret = (a)->pbe_type - (b)->pbe_type;
209
210	if (ret)
211	return ret;
212	else
213	return (a)->pbe_nid - (b)->pbe_nid;
214	}
215
216	/* Add a PBE algorithm */
217
218	int	200	int
219	EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,	201	EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
220	EVP_PBE_KEYGEN *keygen)	202	EVP_PBE_KEYGEN *keygen)
221	{	203	{
222	EVP_PBE_CTL *pbe_tmp;	204	EVPerror(ERR_R_DISABLED);
223		205	return 0;
224	if (pbe_algs == NULL) {
225	pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);
226	if (pbe_algs == NULL) {
227	EVPerror(ERR_R_MALLOC_FAILURE);
228	return 0;
229	}
230	}
231	pbe_tmp = malloc(sizeof(EVP_PBE_CTL));
232	if (pbe_tmp == NULL) {
233	EVPerror(ERR_R_MALLOC_FAILURE);
234	return 0;
235	}
236	pbe_tmp->pbe_type = pbe_type;
237	pbe_tmp->pbe_nid = pbe_nid;
238	pbe_tmp->cipher_nid = cipher_nid;
239	pbe_tmp->md_nid = md_nid;
240	pbe_tmp->keygen = keygen;
241
242	if (sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp) == 0) {
243	free(pbe_tmp);
244	EVPerror(ERR_R_MALLOC_FAILURE);
245	return 0;
246	}
247	return 1;
248	}	206	}
249		207
250	int	208	int
251	EVP_PBE_alg_add(int nid, const EVP_CIPHER cipher, const EVP_MD md,	209	EVP_PBE_alg_add(int nid, const EVP_CIPHER cipher, const EVP_MD md,
252	EVP_PBE_KEYGEN *keygen)	210	EVP_PBE_KEYGEN *keygen)
253	{	211	{
254	int cipher_nid, md_nid;	212	EVPerror(ERR_R_DISABLED);
255		213	return 0;
256	if (cipher)
257	cipher_nid = EVP_CIPHER_nid(cipher);
258	else
259	cipher_nid = -1;
260	if (md)
261	md_nid = EVP_MD_type(md);
262	else
263	md_nid = -1;
264
265	return EVP_PBE_alg_add_type(EVP_PBE_TYPE_OUTER, nid,
266	cipher_nid, md_nid, keygen);
267	}	214	}
268		215
269	int	216	int
@@ -271,22 +218,15 @@ EVP_PBE_find(int type, int pbe_nid,
271	int pcnid, int pmnid, EVP_PBE_KEYGEN **pkeygen)	218	int pcnid, int pmnid, EVP_PBE_KEYGEN **pkeygen)
272	{	219	{
273	EVP_PBE_CTL *pbetmp = NULL, pbelu;	220	EVP_PBE_CTL *pbetmp = NULL, pbelu;
274	int i;	221
275	if (pbe_nid == NID_undef)	222	if (pbe_nid == NID_undef)
276	return 0;	223	return 0;
277		224
278	pbelu.pbe_type = type;	225	pbelu.pbe_type = type;
279	pbelu.pbe_nid = pbe_nid;	226	pbelu.pbe_nid = pbe_nid;
280		227
281	if (pbe_algs) {	228	pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
282	i = sk_EVP_PBE_CTL_find(pbe_algs, &pbelu);	229	sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL));
283	if (i != -1)
284	pbetmp = sk_EVP_PBE_CTL_value (pbe_algs, i);
285	}
286	if (pbetmp == NULL) {
287	pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
288	sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL));
289	}
290	if (pbetmp == NULL)	230	if (pbetmp == NULL)
291	return 0;	231	return 0;
292	if (pcnid)	232	if (pcnid)
@@ -298,15 +238,7 @@ EVP_PBE_find(int type, int pbe_nid,
298	return 1;	238	return 1;
299	}	239	}
300		240
301	static void
302	free_evp_pbe_ctl(EVP_PBE_CTL *pbe)
303	{
304	free(pbe);
305	}
306
307	void	241	void
308	EVP_PBE_cleanup(void)	242	EVP_PBE_cleanup(void)
309	{	243	{
310	sk_EVP_PBE_CTL_pop_free(pbe_algs, free_evp_pbe_ctl);
311	pbe_algs = NULL;
312	}	244	}