Add various OpenSSL compatibility functions.

The non-_ex EVP_CIPHER_CTX Final functions are a bit interesting. Unlike
EVP_DigestFinal(_ex), where the non-_ex version calls EVP_MD_CTX_cleanup
for you, the EVP_CIPHER_CTX ones do not automatically cleanup.
EVP_CipherFinal and EVP_CipherFinal_ex are identical in all releases
where they exist.

This appears to date to OpenSSL 0.9.7:

Prior to OpenSSL 0.9.7, EVP_MD_CTX and EVP_CIPHER_CTX did not use void*
data fields. Instead, they just had a union of context structures for
every algorithm OpenSSL implemented.

EVP_MD_CTX was truly cleanup-less. There were no EVP_MD_CTX_init or
EVP_MD_CTX_cleanup functions at all. EVP_DigestInit filled things in
without reference to the previous state. EVP_DigestFinal didn't cleanup
because there was nothing to cleanup.

EVP_CIPHER_CTX was also a union, but for some reason did include
seemed to be optional: EVP_CipherInit with non-NULL EVP_CIPHER similarly
didn't reference the previous state. EVP_CipherFinal did not call
EVP_CIPHER_CTX_cleanup, but EVP_CIPHER_CTX_cleanup didn't do anything.
It called an optional cleanup hook on the EVP_CIPHER, but as far as I
can tell, no EVP_CIPHER implemented it.

Then OpenSSL 0.9.7 introduced ENGINE. The union didn't work anymore, so
EVP_MD_CTX and EVP_CIPHER_CTX contained void* with allocated
type-specific data. The introduced EVP_MD_CTX_init and
EVP_MD_CTX_cleanup. For (imperfect!) backwards compatibility,
EVP_DigestInit and EVP_DigestFinal transparently called init/cleanup for
you. EVP_DigestInit_ex and EVP_DigestFinal_ex became the more flexible
versions that left init/cleanup to the caller.

EVP_CIPHER_CTX got the same treatment with
EVP_CipherInit/EVP_CipherInit_ex, but *not*
EVP_CipherFinal/EVP_CipherFinal_ex. The latter did the same thing. The
history seems to be that 581f1c84940d77451c2592e9fa470893f6c3c3eb
introduced the Final/Final_ex split, with the former doing an
auto-cleanup, then 544a2aea4ba1fad76f0802fb70d92a5a8e6ad85a undid it.
Looks like the motivation is that EVP_CIPHER_CTX objects are often
reused to do multiple operations with a single key. But they missed that
the split functions are now unnecessary.

Amusingly, OpenSSL's documentation incorrectly said that EVP_CipherFinal
cleaned up after the call until it was fixed in
538860a3ce0b9fd142a7f1a62e597cccb74475d3. The fix says that some
releases cleaned up, but there were, as far as I can tell, no actual
releases with that behavior.

I've put the new Final functions in the deprecated section, purely
because there is no sense in recommending two different versions of the
same function to users, and Final_ex seems to be more popular. But there
isn't actually anything wrong with plain Final.

Change-Id: Ic2bfda48fdcf30f292141add8c5f745348036852
Reviewed-by: Adam Langley <>
diff --git a/crypto/base64/base64.c b/crypto/base64/base64.c
index 3d92059..6ce6007 100644
--- a/crypto/base64/base64.c
+++ b/crypto/base64/base64.c
@@ -122,6 +122,19 @@
   return 1;
+  EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX));
+  if (ret == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX));
+  return ret;
+void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) {
+  OPENSSL_free(ctx);
 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
   OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
index c869568..8e77ea3 100644
--- a/crypto/dsa/dsa.c
+++ b/crypto/dsa/dsa.c
@@ -550,6 +550,27 @@
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
+                  const BIGNUM **out_s) {
+  if (out_r != NULL) {
+    *out_r = sig->r;
+  }
+  if (out_s != NULL) {
+    *out_s = sig->s;
+  }
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+  if (r == NULL || s == NULL) {
+    return 0;
+  }
+  BN_free(sig->r);
+  BN_free(sig->s);
+  sig->r = r;
+  sig->s = s;
+  return 1;
 // mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and
 // |b| as secret. This function internally uses Montgomery reduction, but
 // neither inputs nor outputs are in Montgomery form.
diff --git a/crypto/fipsmodule/cipher/cipher.c b/crypto/fipsmodule/cipher/cipher.c
index 51c96b4..64ee544 100644
--- a/crypto/fipsmodule/cipher/cipher.c
+++ b/crypto/fipsmodule/cipher/cipher.c
@@ -629,6 +629,18 @@
   return EVP_CipherInit(ctx, cipher, key, iv, 0);
+int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_CipherFinal_ex(ctx, out, out_len);
+int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_EncryptFinal_ex(ctx, out, out_len);
+int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
+  return EVP_DecryptFinal_ex(ctx, out, out_len);
 int EVP_add_cipher_alias(const char *a, const char *b) {
   return 1;
diff --git a/include/openssl/base64.h b/include/openssl/base64.h
index c88546d..369ba9c 100644
--- a/include/openssl/base64.h
+++ b/include/openssl/base64.h
@@ -111,6 +111,14 @@
 // very specific to PEM. It is also very lenient of invalid input. Use of any of
 // these functions is thus deprecated.
+// EVP_ENCODE_CTX_new returns a newly-allocated |EVP_ENCODE_CTX| or NULL on
+// error. The caller must release the result with |EVP_ENCODE_CTX_free|  when
+// done.
+// EVP_ENCODE_CTX_free releases memory associated with |ctx|.
 // EVP_EncodeInit initialises |*ctx|, which is typically stack
 // allocated, for an encoding operation.
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index 09d72ec..2458847 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -201,7 +201,7 @@
 // WARNING: it is unsafe to call this function with unauthenticated
 // ciphertext if padding is enabled.
-OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
+OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,
                                        int *out_len);
 // EVP_Cipher performs a one-shot encryption/decryption operation. No partial
@@ -408,6 +408,18 @@
                                    const EVP_CIPHER *cipher, const uint8_t *key,
                                    const uint8_t *iv);
+// EVP_CipherFinal calls |EVP_CipherFinal_ex|.
+OPENSSL_EXPORT int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                   int *out_len);
+// EVP_EncryptFinal calls |EVP_EncryptFinal_ex|.
+OPENSSL_EXPORT int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                    int *out_len);
+// EVP_DecryptFinal calls |EVP_DecryptFinal_ex|.
+OPENSSL_EXPORT int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,
+                                    int *out_len);
 // EVP_add_cipher_alias does nothing and returns one.
 OPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b);
diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 1665251..e6ddce6 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -189,6 +189,16 @@
 // DSA_SIG_free frees the contents of |sig| and then frees |sig| itself.
+// DSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two components
+// of |sig|.
+OPENSSL_EXPORT void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
+                                 const BIGNUM **out_s);
+// DSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may be
+// NULL. On success, it takes ownership of each argument and returns one.
+// Otherwise, it returns zero.
 // DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
 // and returns an allocated, DSA_SIG structure, or NULL on error.
 OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,