* assumption to make (in which case perhaps we should document this
* behaviour)?
*/
- if (EVP_KEYMGMT_provider(keymgmt) == provider) {
+ if (EVP_KEYMGMT_get0_provider(keymgmt) == provider) {
/* We have a match - so we will use this group */
ctx->group_list_len++;
ginf = NULL;
* SHA512 has a hash length of 64 bytes, which is incompatible
* with a 128 byte (1024 bit) key.
*/
-#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
+#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_get_size(md) + 2)
static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
const SIGALG_LOOKUP *lu)
{
return 0;
if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
return 0;
- if (EVP_PKEY_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
+ if (EVP_PKEY_get_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
return 0;
return 1;
}
return 0;
if (md != NULL)
{
- int md_type = EVP_MD_type(md);
+ int md_type = EVP_MD_get_type(md);
/* Security bits: half digest bits */
- secbits = EVP_MD_size(md) * 4;
+ secbits = EVP_MD_get_size(md) * 4;
/*
* SHA1 and MD5 are known to be broken. Reduce security bits so that
* they're no longer accepted at security level 1. The real values don't
const SIGALG_LOOKUP *lu;
int secbits = 0;
- pkeyid = EVP_PKEY_id(pkey);
+ pkeyid = EVP_PKEY_get_id(pkey);
/* Should never happen */
if (pkeyid == -1)
return -1;
return 0;
}
/* Check the sigalg is consistent with the key OID */
- if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx)
+ if (!ssl_cert_lookup_by_nid(EVP_PKEY_get_id(pkey), &cidx)
|| lu->sig_idx != (int)cidx) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
secbits = sigalg_security_bits(s->ctx, lu);
if (secbits == 0 ||
!ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
- md != NULL ? EVP_MD_type(md) : NID_undef,
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
(void *)sigalgstr)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
/* Sanity check ticket length: must exceed keyname + IV + HMAC */
if (eticklen <=
- TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
+ TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx) + mlen) {
ret = SSL_TICKET_NO_DECRYPT;
goto end;
}
}
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
- p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
- eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx);
+ p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx);
+ eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_get_iv_length(ctx);
sdec = OPENSSL_malloc(eticklen);
if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
(int)eticklen) <= 0) {
} else {
if (s->s3.tmp.cert == NULL)
return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3.tmp.cert->privatekey);
+ dh_secbits = EVP_PKEY_get_security_bits(s->s3.tmp.cert->privatekey);
}
}
* reject keys which omit parameters but this only affects DSA and
* omission of parameters is never (?) done in practice.
*/
- secbits = EVP_PKEY_security_bits(pkey);
+ secbits = EVP_PKEY_get_security_bits(pkey);
}
if (s)
return ssl_security(s, op, secbits, 0, x);