[thirdparty/openssl.git] / ssl / tls_depr.c

/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* We need to use some engine and HMAC deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/engine.h>
#include "ssl_local.h"

/*
 * Engine APIs are only used to support applications that still use ENGINEs.
 * Once ENGINE is removed completely, all of this code can also be removed.
 */

#ifndef OPENSSL_NO_ENGINE
void tls_engine_finish(ENGINE *e)
{
    ENGINE_finish(e);
}
#endif

const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
{
#ifndef OPENSSL_NO_ENGINE
    ENGINE *eng;

    /*
     * If there is an Engine available for this cipher we use the "implicit"
     * form to ensure we use that engine later.
     */
    eng = ENGINE_get_cipher_engine(nid);
    if (eng != NULL) {
        ENGINE_finish(eng);
        return EVP_get_cipherbynid(nid);
    }
#endif
    return NULL;
}

const EVP_MD *tls_get_digest_from_engine(int nid)
{
#ifndef OPENSSL_NO_ENGINE
    ENGINE *eng;

    /*
     * If there is an Engine available for this digest we use the "implicit"
     * form to ensure we use that engine later.
     */
    eng = ENGINE_get_digest_engine(nid);
    if (eng != NULL) {
        ENGINE_finish(eng);
        return EVP_get_digestbynid(nid);
    }
#endif
    return NULL;
}

#ifndef OPENSSL_NO_ENGINE
int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
    return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
                                       SSL_get_client_CA_list(s),
                                       px509, ppkey, NULL, NULL, NULL);
}
#endif

#ifndef OPENSSL_NO_ENGINE
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
{
    if (!ENGINE_init(e)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
        return 0;
    }
    if (!ENGINE_get_ssl_client_cert_function(e)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
        ENGINE_finish(e);
        return 0;
    }
    ctx->client_cert_engine = e;
    return 1;
}
#endif

/*
 * The HMAC APIs below are only used to support the deprecated public API
 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
 * takes an HMAC_CTX in its argument list. The preferred alternative is
 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
 * be removed.
 */
#ifndef OPENSSL_NO_DEPRECATED_3_0
int ssl_hmac_old_new(SSL_HMAC *ret)
{
    ret->old_ctx = HMAC_CTX_new();
    if (ret->old_ctx == NULL)
        return 0;

    return 1;
}

void ssl_hmac_old_free(SSL_HMAC *ctx)
{
    HMAC_CTX_free(ctx->old_ctx);
}

int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
{
    return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
}

int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
{
    return HMAC_Update(ctx->old_ctx, data, len);
}

int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
{
    unsigned int l;

    if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
        if (len != NULL)
            *len = l;
        return 1;
    }

    return 0;
}

size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
{
    return HMAC_size(ctx->old_ctx);
}

HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
{
    return ctx->old_ctx;
}

/* Some deprecated public APIs pass DH objects */
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
# ifndef OPENSSL_NO_DH
    EVP_PKEY *ret;

    if (dh == NULL)
        return NULL;
    ret = EVP_PKEY_new();
    if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
        EVP_PKEY_free(ret);
        return NULL;
    }
    return ret;
# else
    return NULL;
# endif
}

/* Some deprecated public APIs pass EC_KEY objects */
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
                            void *key)
{
#  ifndef OPENSSL_NO_EC
    const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
    int nid;

    if (group == NULL) {
        ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
        return 0;
    }
    nid = EC_GROUP_get_curve_name(group);
    if (nid == NID_undef)
        return 0;
    return tls1_set_groups(pext, pextlen, &nid, 1);
#  else
    return 0;
#  endif
}

/*
 * Set the callback for generating temporary DH keys.
 * ctx: the SSL context.
 * dh: the callback
 */
# if !defined(OPENSSL_NO_DH)
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
                                 DH *(*dh) (SSL *ssl, int is_export,
                                            int keylength))
{
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}

void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
                                                  int keylength))
{
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}
# endif
#endif /* OPENSSL_NO_DEPRECATED */
Commit	Line	Data
301fcb28	1	/*
4333b89f	2	* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
301fcb28 MC	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/* We need to use some engine and HMAC deprecated APIs */
	11	#define OPENSSL_SUPPRESS_DEPRECATED
	12
	13	#include <openssl/engine.h>
	14	#include "ssl_local.h"
	15
	16	/*
	17	* Engine APIs are only used to support applications that still use ENGINEs.
	18	* Once ENGINE is removed completely, all of this code can also be removed.
	19	*/
	20
	21	#ifndef OPENSSL_NO_ENGINE
	22	void tls_engine_finish(ENGINE *e)
	23	{
	24	ENGINE_finish(e);
	25	}
	26	#endif
	27
	28	const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
	29	{
	30	#ifndef OPENSSL_NO_ENGINE
	31	ENGINE *eng;
	32
	33	/*
	34	* If there is an Engine available for this cipher we use the "implicit"
	35	* form to ensure we use that engine later.
	36	*/
	37	eng = ENGINE_get_cipher_engine(nid);
	38	if (eng != NULL) {
	39	ENGINE_finish(eng);
	40	return EVP_get_cipherbynid(nid);
	41	}
	42	#endif
	43	return NULL;
	44	}
	45
	46	const EVP_MD *tls_get_digest_from_engine(int nid)
	47	{
	48	#ifndef OPENSSL_NO_ENGINE
	49	ENGINE *eng;
	50
	51	/*
	52	* If there is an Engine available for this digest we use the "implicit"
	53	* form to ensure we use that engine later.
	54	*/
	55	eng = ENGINE_get_digest_engine(nid);
	56	if (eng != NULL) {
	57	ENGINE_finish(eng);
	58	return EVP_get_digestbynid(nid);
	59	}
	60	#endif
	61	return NULL;
	62	}
	63
	64	#ifndef OPENSSL_NO_ENGINE
	65	int tls_engine_load_ssl_client_cert(SSL s, X509 px509, EVP_PKEY *ppkey)
	66	{
67	return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
68	SSL_get_client_CA_list(s),
69	px509, ppkey, NULL, NULL, NULL);
70	}
71	#endif
72
73	#ifndef OPENSSL_NO_ENGINE
74	int SSL_CTX_set_client_cert_engine(SSL_CTX ctx, ENGINE e)
75	{
76	if (!ENGINE_init(e)) {
6849b73c	77	ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
301fcb28 MC	78	return 0;
	79	}
	80	if (!ENGINE_get_ssl_client_cert_function(e)) {
6849b73c	81	ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
301fcb28 MC	82	ENGINE_finish(e);
	83	return 0;
	84	}
	85	ctx->client_cert_engine = e;
	86	return 1;
	87	}
	88	#endif
	89
	90	/*
	91	* The HMAC APIs below are only used to support the deprecated public API
	92	* macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
	93	* takes an HMAC_CTX in its argument list. The preferred alternative is
	94	* SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
	95	* SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
	96	* be removed.
	97	*/
	98	#ifndef OPENSSL_NO_DEPRECATED_3_0
	99	int ssl_hmac_old_new(SSL_HMAC *ret)
	100	{
	101	ret->old_ctx = HMAC_CTX_new();
	102	if (ret->old_ctx == NULL)
	103	return 0;
	104
	105	return 1;
	106	}
	107
	108	void ssl_hmac_old_free(SSL_HMAC *ctx)
	109	{
	110	HMAC_CTX_free(ctx->old_ctx);
	111	}
	112
	113	int ssl_hmac_old_init(SSL_HMAC ctx, void key, size_t len, char *md)
	114	{
	115	return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
	116	}
	117
	118	int ssl_hmac_old_update(SSL_HMAC ctx, const unsigned char data, size_t len)
	119	{
	120	return HMAC_Update(ctx->old_ctx, data, len);
	121	}
	122
	123	int ssl_hmac_old_final(SSL_HMAC ctx, unsigned char md, size_t *len)
	124	{
	125	unsigned int l;
	126
	127	if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
	128	if (len != NULL)
	129	*len = l;
	130	return 1;
	131	}
	132
	133	return 0;
	134	}
	135
	136	size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
	137	{
	138	return HMAC_size(ctx->old_ctx);
	139	}
	140
	141	HMAC_CTX ssl_hmac_get0_HMAC_CTX(SSL_HMAC ctx)
	142	{
	143	return ctx->old_ctx;
	144	}
1b2b4755 MC	145
1b2b4755 MC	146	/* Some deprecated public APIs pass DH objects */
1b2b4755 MC	147	EVP_PKEY ssl_dh_to_pkey(DH dh)
1b2b4755 MC	148	{
5b64ce89	149	# ifndef OPENSSL_NO_DH
1b2b4755 MC	150	EVP_PKEY *ret;
	151
	152	if (dh == NULL)
	153	return NULL;
	154	ret = EVP_PKEY_new();
	155	if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
	156	EVP_PKEY_free(ret);
	157	return NULL;
	158	}
	159	return ret;
5b64ce89 MC	160	# else
5b64ce89 MC	161	return NULL;
163f6dc1	162	# endif
5b64ce89	163	}
301fcb28	164
5b5eea4b	165	/* Some deprecated public APIs pass EC_KEY objects */
0c8e98e6 TM	166	int ssl_set_tmp_ecdh_groups(uint16_t *pext, size_t pextlen,
0c8e98e6 TM	167	void *key)
5b5eea4b	168	{
5b64ce89	169	# ifndef OPENSSL_NO_EC
0c8e98e6 TM	170	const EC_GROUP group = EC_KEY_get0_group((const EC_KEY )key);
0c8e98e6 TM	171	int nid;
5b5eea4b	172
0c8e98e6 TM	173	if (group == NULL) {
	174	ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
	175	return 0;
5b5eea4b	176	}
0c8e98e6 TM	177	nid = EC_GROUP_get_curve_name(group);
	178	if (nid == NID_undef)
	179	return 0;
	180	return tls1_set_groups(pext, pextlen, &nid, 1);
5b64ce89 MC	181	# else
	182	return 0;
	183	# endif
	184	}
	185
	186	/*
	187	* Set the callback for generating temporary DH keys.
	188	* ctx: the SSL context.
	189	* dh: the callback
	190	*/
	191	# if !defined(OPENSSL_NO_DH)
	192	void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
	193	DH (dh) (SSL *ssl, int is_export,
	194	int keylength))
	195	{
	196	SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
	197	}
	198
	199	void SSL_set_tmp_dh_callback(SSL ssl, DH (dh) (SSL ssl, int is_export,
	200	int keylength))
	201	{
	202	SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
5b5eea4b SL	203	}
5b5eea4b SL	204	# endif
5b64ce89	205	#endif /* OPENSSL_NO_DEPRECATED */