Commit b2168cd81d for openssl.org
commit b2168cd81db0d571bc4f5de11a328aa9e98180a0
Author: Matt Caswell <matt@openssl.org>
Date: Fri Dec 19 13:42:23 2025 +0000
Remove some legacy fields from the EVP_MD_CTX structure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29460)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 63d103fd5b..85a0c634d9 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -498,7 +498,6 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
out->pctx = NULL;
out->flags = in->flags;
- out->update = in->update;
} else {
evp_md_ctx_reset_ex(out, 1);
digest_change = (out->fetched_digest != in->fetched_digest);
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 9eae1d421c..312452221d 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -909,23 +909,12 @@ void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
}
#endif /* !defined(FIPS_MODULE) */
+#ifndef OPENSSL_NO_DEPRECATED_4_0
void *EVP_MD_CTX_get0_md_data(const EVP_MD_CTX *ctx)
{
- return ctx->md_data;
-}
-
-int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
- const void *data, size_t count)
-{
- return ctx->update;
-}
-
-void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
- int (*update)(EVP_MD_CTX *ctx,
- const void *data, size_t count))
-{
- ctx->update = update;
+ return NULL;
}
+#endif
void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags)
{
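Review bot: The stub body `return NULL;` in EVP_MD_CTX_get0_md_data() has no comment explaining why `ctx` is ignored, so a reader of evp_lib.c alone cannot tell that this is deliberate. I would add `/* Legacy stub: md_data no longer exists in EVP_MD_CTX, so callers always get NULL. */` above the return. I would also close the guard as `#endif /* OPENSSL_NO_DEPRECATED_4_0 */`, matching the `#endif /* !defined(FIPS_MODULE) */` a few lines earlier. Any remaining caller that dereferences the result without a NULL check would fault, so the comment is worth having at the definition as well as in the man page. The hunk ends inside EVP_MD_CTX_set_flags(), whose body is outside the hunk.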
diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h
index c5d55f05e5..08baae95d8 100644
--- a/crypto/evp/evp_local.h
+++ b/crypto/evp/evp_local.h
@@ -16,11 +16,9 @@ struct evp_md_ctx_st {
const EVP_MD *reqdigest; /* The original requested digest */
const EVP_MD *digest;
unsigned long flags;
- void *md_data;
+
/* Public key context for sign/verify */
EVP_PKEY_CTX *pctx;
- /* Update function: usually copied from EVP_MD */
- int (*update)(EVP_MD_CTX *ctx, const void *data, size_t count);
/*
* Opaque ctx returned from a providers digest algorithm implementation
diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index 54a9a92f7c..7178812f5b 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -19,7 +19,7 @@ EVP_MD_names_do_all, EVP_MD_get0_provider, EVP_MD_get_type,
EVP_MD_get_pkey_type, EVP_MD_get_size, EVP_MD_get_block_size, EVP_MD_get_flags,
EVP_MD_CTX_get0_name, EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md,
EVP_MD_CTX_get_type, EVP_MD_CTX_get_size_ex, EVP_MD_CTX_get_block_size,
-EVP_MD_CTX_get0_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
+EVP_MD_CTX_get0_md_data,
EVP_md_null,
EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj,
EVP_MD_CTX_get_pkey_ctx, EVP_MD_CTX_set_pkey_ctx,
@@ -97,7 +97,6 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
int EVP_MD_CTX_get_size_ex(const EVP_MD_CTX *ctx);
int EVP_MD_CTX_get_block_size(const EVP_MD_CTX *ctx);
int EVP_MD_CTX_get_type(const EVP_MD_CTX *ctx);
- void *EVP_MD_CTX_get0_md_data(const EVP_MD_CTX *ctx);
const EVP_MD *EVP_md_null(void);
@@ -124,7 +123,7 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
#define EVP_MD_CTX_block_size EVP_MD_CTX_get_block_size
#define EVP_MD_CTX_type EVP_MD_CTX_get_type
#define EVP_MD_CTX_pkey_ctx EVP_MD_CTX_get_pkey_ctx
- #define EVP_MD_CTX_md_data EVP_MD_CTX_get0_md_data
+
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
@@ -132,12 +131,13 @@ see L<openssl_user_macros(7)>:
const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
- int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
- const void *data, size_t count);
+The following functions have been deprecated since OpenSSL 4.0, and can be
+hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
+see L<openssl_user_macros(7)>:
+
+ void *EVP_MD_CTX_get0_md_data(const EVP_MD_CTX *ctx);
- void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
- int (*update)(EVP_MD_CTX *ctx,
- const void *data, size_t count));
+ #define EVP_MD_CTX_md_data EVP_MD_CTX_get0_md_data
=head1 DESCRIPTION
@@ -437,9 +437,8 @@ returns B<NID_sha1>. This function is normally used when setting ASN1 OIDs.
=item EVP_MD_CTX_get0_md_data()
-Return the digest method private data for the passed B<EVP_MD_CTX>. This
-function exists for legacy backward compatibility reasons and always returns
-NULL.
+This function is deprecated and exists for legacy backward compatibility reasons
+and always returns NULL.
=item EVP_MD_CTX_get0_md(), EVP_MD_CTX_get1_md()
@@ -453,16 +452,6 @@ should not be used after the EVP_MD_CTX is freed.
EVP_MD_CTX_get1_md() is the same except the ownership is passed to the
caller and is from the passed B<EVP_MD_CTX>.
-=item EVP_MD_CTX_set_update_fn()
-
-Sets the update function for I<ctx> to I<update>.
-This is the function that is called by EVP_DigestUpdate(). If not set, the
-update function from the B<EVP_MD> type specified at initialization is used.
-
-=item EVP_MD_CTX_update_fn()
-
-Returns the update function for I<ctx>.
-
=item EVP_MD_get_flags()
Returns the I<md> flags. Note that these are different from the B<EVP_MD_CTX>
diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod
index 64284c9091..c80955eb5c 100644
--- a/doc/man7/ossl-guide-migration.pod
+++ b/doc/man7/ossl-guide-migration.pod
@@ -37,11 +37,25 @@ features available in OpenSSL 4.0.
Some functions have been removed that were deprecated in previous
versions of OpenSSL. See L<ossl-removed-api(7)>.
+=head2 Upgrading from OpenSSL 3.x
+
+=head3 Removal of atexit() usage
+
libcrypto no longer arms OPENSSL_cleanup() function as atexit(3) handler.
Memory leak detectors may report there is allocated, but still reachable,
allocated memory at application exit. If clean report is desired, then
application must call OPENSSL_cleanup() explicitly before main() returns.
+=head3 Deprecation of EVP_MD_CTX_get0_md_data()
+
+The function EVP_MD_CTX_get0_md_data() has been deprecated in 4.0. This function
+is only useful in previous versions to obtain the data stored in an
+B<EVP_MD_CTX> by a custom EVP_MD implementation. However, the ability to create
+custom EVP_MD implementations has been removed in OpenSSL 4.0, so this function
+is no longer useful. It always returns NULL, so should simply be removed from
+applications that call it. Applications wishing to use a custom digest
+implementation should instead use the provider API.
+
=head1 OPENSSL 3.6
=head2 Main Changes from OpenSSL 3.5
diff --git a/doc/man7/ossl-removed-api.pod b/doc/man7/ossl-removed-api.pod
index 3189bdfeec..a0c5a5d14c 100644
--- a/doc/man7/ossl-removed-api.pod
+++ b/doc/man7/ossl-removed-api.pod
@@ -94,6 +94,8 @@ EVP_PKEY_meth_get_public_check,
EVP_PKEY_meth_get_param_check,
EVP_PKEY_meth_get_digest_custom,
BIO_f_reliable,
+EVP_MD_CTX_update_fn,
+EVP_MD_CTX_set_update_fn,
ossl-removed-api - API that has been removed from OpenSSL
=head1 SYNOPSIS
@@ -307,6 +309,10 @@ This includes consulting the L<ossl-guide-migration(7)> documentation.
=item BIO_f_reliable (Broken since 3.0.0) - removed without replacement
+=item EVP_MD_CTX_update_fn (Deprecated in 3.0.0) - consult L<ossl-guide-migration(7)>
+
+=item EVP_MD_CTX_set_update_fn (Deprecated in 3.0.0) - consult L<ossl-guide-migration(7)>
+
=back
=head1 SEE ALSO
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index d2a5736ad2..dd6ebe3b98 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -473,13 +473,7 @@ EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
OSSL_DEPRECATEDIN_3_0
const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
-OSSL_DEPRECATEDIN_3_0
-int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
- const void *data, size_t count);
-OSSL_DEPRECATEDIN_3_0
-void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
- int (*update)(EVP_MD_CTX *ctx,
- const void *data, size_t count));
+
#endif
int EVP_MD_CTX_get_size_ex(const EVP_MD_CTX *ctx);
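Review bot: Removing the EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() declarations here leaves their callers without migration text in this commit. The new ossl-removed-api.pod entries say `consult L<ossl-guide-migration(7)>`, but the section added to ossl-guide-migration.pod covers only EVP_MD_CTX_get0_md_data(). Unless the guide already covers them in a part not shown in this diff, a short `=head3 Removal of EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn()` paragraph pointing to the provider API would close the gap. The blank line added before `#endif` in this hunk is stray and can be dropped.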
@@ -493,8 +487,11 @@ int EVP_MD_CTX_get_size_ex(const EVP_MD_CTX *ctx);
EVP_PKEY_CTX *EVP_MD_CTX_get_pkey_ctx(const EVP_MD_CTX *ctx);
#define EVP_MD_CTX_pkey_ctx EVP_MD_CTX_get_pkey_ctx
void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
+#ifndef OPENSSL_NO_DEPRECATED_4_0
+OSSL_DEPRECATEDIN_4_0
void *EVP_MD_CTX_get0_md_data(const EVP_MD_CTX *ctx);
#define EVP_MD_CTX_md_data EVP_MD_CTX_get0_md_data
+#endif
int EVP_CIPHER_get_nid(const EVP_CIPHER *cipher);
#define EVP_CIPHER_nid EVP_CIPHER_get_nid
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 78d5fa5114..0323b02e3f 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -841,12 +841,10 @@ EVP_MD_xof ? 4_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get0_md ? 4_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get1_md ? 4_0_0 EXIST::FUNCTION:
EVP_MD_CTX_md ? 4_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
-EVP_MD_CTX_update_fn ? 4_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
-EVP_MD_CTX_set_update_fn ? 4_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
EVP_MD_CTX_get_size_ex ? 4_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get_pkey_ctx ? 4_0_0 EXIST::FUNCTION:
EVP_MD_CTX_set_pkey_ctx ? 4_0_0 EXIST::FUNCTION:
-EVP_MD_CTX_get0_md_data ? 4_0_0 EXIST::FUNCTION:
+EVP_MD_CTX_get0_md_data ? 4_0_0 EXIST::FUNCTION:DEPRECATEDIN_4_0
EVP_CIPHER_get_nid ? 4_0_0 EXIST::FUNCTION:
EVP_CIPHER_get0_name ? 4_0_0 EXIST::FUNCTION:
EVP_CIPHER_get0_description ? 4_0_0 EXIST::FUNCTION: