1 files changed, 21 insertions, 19 deletions

diff --git a/digest-openssl.c b/digest-openssl.c
index 13b63c2f..dbbea425 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */
+/* $OpenBSD: digest-openssl.c,v 1.7 2017/05/08 22:57:38 djm Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  *
@@ -32,18 +32,19 @@
 #include "digest.h"
 #include "ssherr.h"
 
-#ifndef HAVE_EVP_RIPEMD160
-# define EVP_ripemd160 NULL
-#endif /* HAVE_EVP_RIPEMD160 */
 #ifndef HAVE_EVP_SHA256
 # define EVP_sha256 NULL
+#endif
+#ifndef HAVE_EVP_SHA384
 # define EVP_sha384 NULL
+#endif
+#ifndef HAVE_EVP_SHA512
 # define EVP_sha512 NULL
-#endif /* HAVE_EVP_SHA256 */
+#endif
 
 struct ssh_digest_ctx {
 	int alg;
-	EVP_MD_CTX mdctx;
+	EVP_MD_CTX *mdctx;
 };
 
 struct ssh_digest {
@@ -56,7 +57,6 @@ struct ssh_digest {
 /* NB. Indexed directly by algorithm number */
 const struct ssh_digest digests[] = {
 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
-	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
 	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
 	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
@@ -107,7 +107,7 @@ ssh_digest_bytes(int alg)
 size_t
 ssh_digest_blocksize(struct ssh_digest_ctx *ctx)
 {
-	return EVP_MD_CTX_block_size(&ctx->mdctx);
+	return EVP_MD_CTX_block_size(ctx->mdctx);
 }
 
 struct ssh_digest_ctx *
@@ -119,11 +119,14 @@ ssh_digest_start(int alg)
 	if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL))
 		return NULL;
 	ret->alg = alg;
-	EVP_MD_CTX_init(&ret->mdctx);
-	if (EVP_DigestInit_ex(&ret->mdctx, digest->mdfunc(), NULL) != 1) {
+	if ((ret->mdctx = EVP_MD_CTX_new()) == NULL) {
 		free(ret);
 		return NULL;
 	}
+	if (EVP_DigestInit_ex(ret->mdctx, digest->mdfunc(), NULL) != 1) {
+		ssh_digest_free(ret);
+		return NULL;
+	}
 	return ret;
 }
 
@@ -133,7 +136,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
 	if (from->alg != to->alg)
 		return SSH_ERR_INVALID_ARGUMENT;
 	/* we have bcopy-style order while openssl has memcpy-style */
-	if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
+	if (!EVP_MD_CTX_copy_ex(to->mdctx, from->mdctx))
 		return SSH_ERR_LIBCRYPTO_ERROR;
 	return 0;
 }
@@ -141,7 +144,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
 int
 ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
 {
-	if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
+	if (EVP_DigestUpdate(ctx->mdctx, m, mlen) != 1)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 	return 0;
 }
@@ -158,11 +161,11 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
 	const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
 	u_int l = dlen;
 
-	if (dlen > UINT_MAX)
+	if (digest == NULL || dlen > UINT_MAX)
 		return SSH_ERR_INVALID_ARGUMENT;
 	if (dlen < digest->digest_len) /* No truncation allowed */
 		return SSH_ERR_INVALID_ARGUMENT;
-	if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1)
+	if (EVP_DigestFinal_ex(ctx->mdctx, d, &l) != 1)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 	if (l != digest->digest_len) /* sanity */
 		return SSH_ERR_INTERNAL_ERROR;
@@ -172,11 +175,10 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
 void
 ssh_digest_free(struct ssh_digest_ctx *ctx)
 {
-	if (ctx != NULL) {
-		EVP_MD_CTX_cleanup(&ctx->mdctx);
-		explicit_bzero(ctx, sizeof(*ctx));
-		free(ctx);
-	}
+	if (ctx == NULL)
+		return;
+	EVP_MD_CTX_free(ctx->mdctx);
+	freezero(ctx, sizeof(*ctx));
 }
 
 int