Commit 2a21345036 for openssl.org
commit 2a213450363b403665962535a4d20897b7a11ae8
Author: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon Feb 16 14:43:41 2026 +0100
Removing some more EVP_get_smtbysmth calls
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(Merged from https://github.com/openssl/openssl/pull/30026)
diff --git a/apps/dgst.c b/apps/dgst.c
index cf4522e1b4..d598f594fd 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -133,7 +133,7 @@ int dgst_main(int argc, char **argv)
int oneshot_sign = 0;
buf = app_malloc(BUFSIZE, "I/O buffer");
- md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
+ md = EVP_MD_fetch(app_get0_libctx(), argv[0], app_get0_propq());
if (md != NULL)
digestname = argv[0];
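Review bot: A failed EVP_MD_fetch() leaves an entry on the error queue, which the replaced EVP_get_digestbyname() did not, and argv[0] here is the command name, so a miss is routine rather than exceptional. A later ERR_print_errors() could then report a misleading fetch failure; bracket the probe as `ERR_set_mark(); md = EVP_MD_fetch(app_get0_libctx(), argv[0], app_get0_propq()); ERR_pop_to_mark();`, the way cipher_test_init in test/evp_test.c sets a mark before its fetch. The same applies to the per-name fetch in show_ciphers (apps/enc.c) and to both probes in do_cmd (apps/openssl.c). md is now an owned reference as well; dgst_main continues past this hunk, so whether every exit path releases it with EVP_MD_free() cannot be confirmed from here.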
diff --git a/apps/enc.c b/apps/enc.c
index 8f2bd72815..c09be421a5 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -854,18 +854,20 @@ end:
static void show_ciphers(const OBJ_NAME *name, void *arg)
{
struct doall_enc_ciphers *dec = (struct doall_enc_ciphers *)arg;
- const EVP_CIPHER *cipher;
+ EVP_CIPHER *cipher;
if (!islower((unsigned char)*name->name))
return;
/* Filter out ciphers that we cannot use */
- cipher = EVP_get_cipherbyname(name->name);
+ cipher = EVP_CIPHER_fetch(app_get0_libctx(), name->name, app_get0_propq());
if (cipher == NULL
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC) != 0
- || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
+ || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE) {
+ EVP_CIPHER_free(cipher);
return;
+ }
BIO_printf(dec->bio, "-%-25s", name->name);
if (++dec->n == 3) {
@@ -873,6 +875,8 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
dec->n = 0;
} else
BIO_puts(dec->bio, " ");
+
+ EVP_CIPHER_free(cipher);
}
static int set_hex(const char *in, unsigned char *out, int size)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 02b0c19c6c..f74495fd15 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1117,7 +1117,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
int jj;
int found = 0;
ASN1_OBJECT *cert_id_md_oid;
- const EVP_MD *cert_id_md;
+ EVP_MD *cert_id_md;
OCSP_CERTID *cid_resp_md = NULL;
one = OCSP_request_onereq_get0(req, i);
@@ -1125,7 +1125,8 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
- cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
+ cert_id_md = EVP_MD_fetch(app_get0_libctx(), OBJ_nid2sn(OBJ_obj2nid(cert_id_md_oid)),
+ app_get0_propq());
if (cert_id_md == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
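Review bot: The digest OID fetched here is taken from the certificate ID in the client's request, and the lookup goes OID → NID → short name, so any OID without a registered NID collapses to the short name of NID_undef before the fetch. The CMS and CRMF changes in this same commit pass the OBJ_obj2txt() text of the OID to the fetch instead, which can also match provider digests that have no NID; using that form here would keep the three lookups consistent. If the NID route is kept, a comment such as `/* OID comes from the request; unknown OIDs fail the fetch and yield INTERNALERROR */` would document the intent. make_ocsp_response starts and ends outside this hunk.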
@@ -1138,6 +1139,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
if (ca_id == NULL) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
NULL);
+ EVP_MD_free(cert_id_md);
goto end;
}
@@ -1148,6 +1150,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
}
OCSP_CERTID_free(ca_id);
}
+ EVP_MD_free(cert_id_md);
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
inf = lookup_serial(db, serial);
diff --git a/apps/openssl.c b/apps/openssl.c
index 526f3692cc..5b9845c2bd 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -502,11 +502,18 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
f.name = argv[0];
fp = lh_FUNCTION_retrieve(prog, &f);
if (fp == NULL) {
- if (EVP_get_digestbyname(argv[0])) {
+ EVP_MD *md = NULL;
+ EVP_CIPHER *cipher = NULL;
+
+ if ((md = EVP_MD_fetch(app_get0_libctx(), argv[0], app_get0_propq())) != NULL) {
+ EVP_MD_free(md);
+ md = NULL;
f.type = FT_md;
f.func = dgst_main;
fp = &f;
- } else if (EVP_get_cipherbyname(argv[0])) {
+ } else if ((cipher = EVP_CIPHER_fetch(app_get0_libctx(), argv[0], app_get0_propq())) != NULL) {
+ EVP_CIPHER_free(cipher);
+ cipher = NULL;
f.type = FT_cipher;
f.func = enc_main;
fp = &f;
diff --git a/apps/ts.c b/apps/ts.c
index 3e7c9410ba..3d37857015 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -311,6 +311,8 @@ int ts_main(int argc, char **argv)
if (!app_RAND_load())
goto end;
+ if (digestname == NULL)
+ digestname = "sha256";
if (!opt_md(digestname, &md))
goto opthelp;
if (mode == OPT_REPLY && passin && !app_passwd(passin, NULL, &password, NULL)) {
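Review bot: The sha256 default is now applied in ts_main before the mode is dispatched, whereas the fallback this commit removes from create_query only affected query creation. After this change md is non-NULL in reply mode even when no digest was given on the command line; if the reply path treats a NULL md as "take the signer digest from the configuration file" (not visible in this hunk), that configured value would be silently replaced by sha256. Restricting the default to the mode that needs it, `if (digestname == NULL && mode == OPT_QUERY)`, would keep the previous behaviour, assuming opt_md() still tolerates a NULL name as the unchanged call suggests. ts_main continues outside this hunk.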
@@ -462,8 +464,6 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL;
- if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
- goto err;
if ((ts_req = TS_REQ_new()) == NULL)
goto err;
if (!TS_REQ_set_version(ts_req, 1))
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 1454e4758b..ef9d7001a6 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -409,28 +409,20 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
{
BIO *mdbio = NULL;
const ASN1_OBJECT *digestoid;
- const EVP_MD *digest = NULL;
- EVP_MD *fetched_digest = NULL;
+ EVP_MD *digest = NULL;
char alg[OSSL_MAX_NAME_SIZE];
size_t xof_len = 0;
X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
OBJ_obj2txt(alg, sizeof(alg), digestoid, 0);
- (void)ERR_set_mark();
- fetched_digest = EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), alg,
+ digest = EVP_MD_fetch(ossl_cms_ctx_get0_libctx(ctx), alg,
ossl_cms_ctx_get0_propq(ctx));
- if (fetched_digest != NULL)
- digest = fetched_digest;
- else
- digest = EVP_get_digestbyobj(digestoid);
if (digest == NULL) {
- (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_CMS, CMS_R_UNKNOWN_DIGEST_ALGORITHM);
goto err;
}
- (void)ERR_pop_to_mark();
mdbio = BIO_new(BIO_f_md());
if (mdbio == NULL || BIO_set_md(mdbio, digest) <= 0) {
@@ -455,10 +447,10 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
goto err;
}
}
- EVP_MD_free(fetched_digest);
+ EVP_MD_free(digest);
return mdbio;
err:
- EVP_MD_free(fetched_digest);
+ EVP_MD_free(digest);
BIO_free(mdbio);
return NULL;
}
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 3792c2e83b..a615b1f775 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -780,16 +780,11 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *
/* select symmetric cipher based on algorithm given in message */
OBJ_obj2txt(name, sizeof(name), enc->symmAlg->algorithm, 0);
- (void)ERR_set_mark();
cipher = EVP_CIPHER_fetch(libctx, name, propq);
- if (cipher == NULL)
- cipher = (EVP_CIPHER *)EVP_get_cipherbyobj(enc->symmAlg->algorithm);
if (cipher == NULL) {
- (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
goto end;
}
- (void)ERR_pop_to_mark();
cikeysize = EVP_CIPHER_get_key_length(cipher);
/* first the symmetric key needs to be decrypted */
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 6cf5e5634a..c717f495b8 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -58,23 +58,8 @@ int ossl_prov_cipher_load(PROV_CIPHER *pc, const OSSL_PARAM *cipher,
return 0;
EVP_CIPHER_free(pc->alloc_cipher);
- ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, cipher->data,
propquery);
-#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
- if (pc->cipher == NULL) {
- const EVP_CIPHER *evp_cipher;
-
- evp_cipher = EVP_get_cipherbyname(cipher->data);
- /* Do not use global EVP_CIPHERs */
- if (evp_cipher != NULL && evp_cipher->origin != EVP_ORIG_GLOBAL)
- pc->cipher = evp_cipher;
- }
-#endif
- if (pc->cipher != NULL)
- ERR_pop_to_mark();
- else
- ERR_clear_last_mark();
return pc->cipher != NULL;
}
@@ -121,22 +106,7 @@ int ossl_prov_digest_load(PROV_DIGEST *pd, const OSSL_PARAM *digest,
if (digest->data_type != OSSL_PARAM_UTF8_STRING)
return 0;
- ERR_set_mark();
ossl_prov_digest_fetch(pd, ctx, digest->data, propquery);
-#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
- if (pd->md == NULL) {
- const EVP_MD *md;
-
- md = EVP_get_digestbyname(digest->data);
- /* Do not use global EVP_MDs */
- if (md != NULL && md->origin != EVP_ORIG_GLOBAL)
- pd->md = md;
- }
-#endif
- if (pd->md != NULL)
- ERR_pop_to_mark();
- else
- ERR_clear_last_mark();
return pd->md != NULL;
}
diff --git a/test/evp_test.c b/test/evp_test.c
index 64d7b52b5b..5e03139281 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -698,9 +698,7 @@ static int parse_bin_chunk(const char *value, size_t offset, size_t max,
**/
typedef struct digest_data_st {
- /* Digest this test is for */
- const EVP_MD *digest;
- EVP_MD *fetched_digest;
+ EVP_MD *digest;
/* Input to digest */
STACK_OF(EVP_TEST_BUFFER) *input;
/* Expected output */
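Review bot: The `digest` field lost its comment while the neighbouring fields keep theirs, and its meaning changed in this commit: it is now an owned, fetched EVP_MD that digest_test_cleanup releases with EVP_MD_free(). A comment such as `/* Digest this test is for; fetched, freed in digest_test_cleanup() */` would record that ownership for the next reader. The struct definition continues outside this hunk.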
@@ -718,8 +716,7 @@ typedef struct digest_data_st {
static int digest_test_init(EVP_TEST *t, const char *alg)
{
DIGEST_DATA *mdat;
- const EVP_MD *digest;
- EVP_MD *fetched_digest;
+ EVP_MD *digest;
if (is_digest_disabled(alg)) {
TEST_info("skipping, '%s' is disabled", alg);
@@ -727,20 +724,18 @@ static int digest_test_init(EVP_TEST *t, const char *alg)
return 1;
}
- if ((digest = fetched_digest = EVP_MD_fetch(libctx, alg, propquery)) == NULL
- && (digest = EVP_get_digestbyname(alg)) == NULL)
+ if ((digest = EVP_MD_fetch(libctx, alg, propquery)) == NULL)
return 0;
if (!TEST_ptr(mdat = OPENSSL_zalloc(sizeof(*mdat)))) {
- EVP_MD_free(fetched_digest);
+ EVP_MD_free(digest);
return 0;
}
t->data = mdat;
mdat->digest = digest;
- mdat->fetched_digest = fetched_digest;
mdat->pad_type = 0;
mdat->xof = 0;
mdat->controls = sk_OPENSSL_STRING_new_null();
- if (fetched_digest != NULL)
+ if (digest != NULL)
TEST_info("%s is fetched", alg);
return 1;
}
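Review bot: The `if (digest != NULL)` guard in front of `TEST_info("%s is fetched", alg)` can no longer be false, because digest_test_init already returned 0 when EVP_MD_fetch() failed. With the legacy fallback gone the message no longer distinguishes anything either, so either log unconditionally or remove both lines. The same leftover guard appears in cipher_test_init as `if (cipher != NULL)`, where the failed-fetch branch appears to return before reaching it.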
@@ -751,7 +746,7 @@ static void digest_test_cleanup(EVP_TEST *t)
sk_EVP_TEST_BUFFER_pop_free(mdat->input, evp_test_buffer_free);
OPENSSL_free(mdat->output);
- EVP_MD_free(mdat->fetched_digest);
+ EVP_MD_free(mdat->digest);
ctrlfree(mdat->controls);
}
@@ -910,7 +905,7 @@ static int digest_test_run(EVP_TEST *t)
&& !inbuf->count_set) {
OPENSSL_cleanse(got, got_len);
if (!TEST_true(EVP_Q_digest(libctx,
- EVP_MD_get0_name(expected->fetched_digest),
+ EVP_MD_get0_name(expected->digest),
NULL, inbuf->buf, inbuf->buflen,
got, &size))
|| !TEST_mem_eq(got, size,
@@ -940,8 +935,7 @@ static const EVP_TEST_METHOD digest_test_method = {
**/
typedef struct cipher_data_st {
- const EVP_CIPHER *cipher;
- EVP_CIPHER *fetched_cipher;
+ EVP_CIPHER *cipher;
int enc;
/* EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE or EVP_CIPH_OCB_MODE if AEAD */
int aead;
@@ -993,8 +987,7 @@ static int cipher_test_valid_fragmentation(CIPHER_DATA *cdat)
static int cipher_test_init(EVP_TEST *t, const char *alg)
{
- const EVP_CIPHER *cipher;
- EVP_CIPHER *fetched_cipher;
+ EVP_CIPHER *cipher;
CIPHER_DATA *cdat;
int m;
@@ -1005,8 +998,7 @@ static int cipher_test_init(EVP_TEST *t, const char *alg)
}
ERR_set_mark();
- if ((cipher = fetched_cipher = EVP_CIPHER_fetch(libctx, alg, propquery)) == NULL
- && (cipher = EVP_get_cipherbyname(alg)) == NULL) {
+ if ((cipher = EVP_CIPHER_fetch(libctx, alg, propquery)) == NULL) {
/* a stitched cipher might not be available */
if (strstr(alg, "HMAC") != NULL) {
ERR_pop_to_mark();
@@ -1024,7 +1016,6 @@ static int cipher_test_init(EVP_TEST *t, const char *alg)
cdat->init_controls = sk_OPENSSL_STRING_new_null();
cdat->cipher = cipher;
- cdat->fetched_cipher = fetched_cipher;
cdat->enc = -1;
m = EVP_CIPHER_get_mode(cipher);
if (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
@@ -1034,7 +1025,7 @@ static int cipher_test_init(EVP_TEST *t, const char *alg)
if (data_chunk_size != 0 && !cipher_test_valid_fragmentation(cdat)) {
ERR_pop_to_mark();
- EVP_CIPHER_free(fetched_cipher);
+ EVP_CIPHER_free(cipher);
OPENSSL_free(cdat);
t->skip = 1;
TEST_info("skipping, '%s' does not support fragmentation", alg);
@@ -1042,7 +1033,7 @@ static int cipher_test_init(EVP_TEST *t, const char *alg)
}
t->data = cdat;
- if (fetched_cipher != NULL)
+ if (cipher != NULL)
TEST_info("%s is fetched", alg);
return 1;
}
@@ -1061,7 +1052,7 @@ static void cipher_test_cleanup(EVP_TEST *t)
OPENSSL_free(cdat->aad[i]);
OPENSSL_free(cdat->tag);
OPENSSL_free(cdat->mac_key);
- EVP_CIPHER_free(cdat->fetched_cipher);
+ EVP_CIPHER_free(cdat->cipher);
ctrlfree(cdat->init_controls);
}
@@ -3541,7 +3532,7 @@ static int pbe_test_run(EVP_TEST *t)
{
PBE_DATA *expected = t->data;
unsigned char *key;
- EVP_MD *fetched_digest = NULL;
+ EVP_MD *digest = NULL;
OSSL_LIB_CTX *save_libctx;
save_libctx = OSSL_LIB_CTX_set0_default(libctx);
@@ -3571,16 +3562,16 @@ static int pbe_test_run(EVP_TEST *t)
}
#endif
} else if (expected->pbe_type == PBE_TYPE_PKCS12) {
- fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(expected->md),
+ digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(expected->md),
propquery);
- if (fetched_digest == NULL) {
+ if (digest == NULL) {
t->err = "PKCS12_ERROR";
goto err;
}
if (PKCS12_key_gen_uni(expected->pass, (int)expected->pass_len,
expected->salt, (int)expected->salt_len,
expected->id, expected->iter, (int)expected->key_len,
- key, fetched_digest)
+ key, digest)
== 0) {
t->err = "PKCS12_ERROR";
goto err;
@@ -3592,7 +3583,7 @@ static int pbe_test_run(EVP_TEST *t)
t->err = NULL;
err:
- EVP_MD_free(fetched_digest);
+ EVP_MD_free(digest);
OPENSSL_free(key);
OSSL_LIB_CTX_set0_default(save_libctx);
return 1;