tls_depr.c 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. /*
  2. * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* We need to use some engine and HMAC deprecated APIs */
  10. #define OPENSSL_SUPPRESS_DEPRECATED
  11. #include <openssl/engine.h>
  12. #include "ssl_local.h"
  13. /*
  14. * Engine APIs are only used to support applications that still use ENGINEs.
  15. * Once ENGINE is removed completely, all of this code can also be removed.
  16. */
  17. #ifndef OPENSSL_NO_ENGINE
  18. void tls_engine_finish(ENGINE *e)
  19. {
  20. ENGINE_finish(e);
  21. }
  22. #endif
  23. const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
  24. {
  25. const EVP_CIPHER *ret = NULL;
  26. #ifndef OPENSSL_NO_ENGINE
  27. ENGINE *eng;
  28. /*
  29. * If there is an Engine available for this cipher we use the "implicit"
  30. * form to ensure we use that engine later.
  31. */
  32. eng = ENGINE_get_cipher_engine(nid);
  33. if (eng != NULL) {
  34. ret = ENGINE_get_cipher(eng, nid);
  35. ENGINE_finish(eng);
  36. }
  37. #endif
  38. return ret;
  39. }
  40. const EVP_MD *tls_get_digest_from_engine(int nid)
  41. {
  42. const EVP_MD *ret = NULL;
  43. #ifndef OPENSSL_NO_ENGINE
  44. ENGINE *eng;
  45. /*
  46. * If there is an Engine available for this digest we use the "implicit"
  47. * form to ensure we use that engine later.
  48. */
  49. eng = ENGINE_get_digest_engine(nid);
  50. if (eng != NULL) {
  51. ret = ENGINE_get_digest(eng, nid);
  52. ENGINE_finish(eng);
  53. }
  54. #endif
  55. return ret;
  56. }
  57. #ifndef OPENSSL_NO_ENGINE
  58. int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
  59. EVP_PKEY **ppkey)
  60. {
  61. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  62. return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
  63. ssl,
  64. SSL_get_client_CA_list(ssl),
  65. px509, ppkey, NULL, NULL, NULL);
  66. }
  67. #endif
  68. #ifndef OPENSSL_NO_ENGINE
  69. int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
  70. {
  71. if (!ENGINE_init(e)) {
  72. ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
  73. return 0;
  74. }
  75. if (!ENGINE_get_ssl_client_cert_function(e)) {
  76. ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
  77. ENGINE_finish(e);
  78. return 0;
  79. }
  80. ctx->client_cert_engine = e;
  81. return 1;
  82. }
  83. #endif
  84. /*
  85. * The HMAC APIs below are only used to support the deprecated public API
  86. * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
  87. * takes an HMAC_CTX in its argument list. The preferred alternative is
  88. * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
  89. * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
  90. * be removed.
  91. */
  92. #ifndef OPENSSL_NO_DEPRECATED_3_0
  93. int ssl_hmac_old_new(SSL_HMAC *ret)
  94. {
  95. ret->old_ctx = HMAC_CTX_new();
  96. if (ret->old_ctx == NULL)
  97. return 0;
  98. return 1;
  99. }
  100. void ssl_hmac_old_free(SSL_HMAC *ctx)
  101. {
  102. HMAC_CTX_free(ctx->old_ctx);
  103. }
  104. int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
  105. {
  106. return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
  107. }
  108. int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
  109. {
  110. return HMAC_Update(ctx->old_ctx, data, len);
  111. }
  112. int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
  113. {
  114. unsigned int l;
  115. if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
  116. if (len != NULL)
  117. *len = l;
  118. return 1;
  119. }
  120. return 0;
  121. }
  122. size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
  123. {
  124. return HMAC_size(ctx->old_ctx);
  125. }
  126. HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
  127. {
  128. return ctx->old_ctx;
  129. }
  130. /* Some deprecated public APIs pass DH objects */
  131. EVP_PKEY *ssl_dh_to_pkey(DH *dh)
  132. {
  133. # ifndef OPENSSL_NO_DH
  134. EVP_PKEY *ret;
  135. if (dh == NULL)
  136. return NULL;
  137. ret = EVP_PKEY_new();
  138. if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
  139. EVP_PKEY_free(ret);
  140. return NULL;
  141. }
  142. return ret;
  143. # else
  144. return NULL;
  145. # endif
  146. }
  147. /* Some deprecated public APIs pass EC_KEY objects */
  148. int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
  149. void *key)
  150. {
  151. # ifndef OPENSSL_NO_EC
  152. const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
  153. int nid;
  154. if (group == NULL) {
  155. ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
  156. return 0;
  157. }
  158. nid = EC_GROUP_get_curve_name(group);
  159. if (nid == NID_undef)
  160. return 0;
  161. return tls1_set_groups(pext, pextlen, &nid, 1);
  162. # else
  163. return 0;
  164. # endif
  165. }
  166. /*
  167. * Set the callback for generating temporary DH keys.
  168. * ctx: the SSL context.
  169. * dh: the callback
  170. */
  171. # if !defined(OPENSSL_NO_DH)
  172. void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
  173. DH *(*dh) (SSL *ssl, int is_export,
  174. int keylength))
  175. {
  176. SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
  177. }
  178. void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
  179. int keylength))
  180. {
  181. SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
  182. }
  183. # endif
  184. #endif /* OPENSSL_NO_DEPRECATED */