ssl/tls_depr.c

   1 /*
   2  * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /* We need to use some engine and HMAC deprecated APIs */
  11 #define OPENSSL_SUPPRESS_DEPRECATED
  12
  13 #include <openssl/engine.h>
  14 #include "ssl_local.h"
  15
  16 /*
  17  * Engine APIs are only used to support applications that still use ENGINEs.
  18  * Once ENGINE is removed completely, all of this code can also be removed.
  19  */
  20
  21 #ifndef OPENSSL_NO_ENGINE
  22 void tls_engine_finish(ENGINE *e)
  23 {
  24     ENGINE_finish(e);
  25 }
  26 #endif
  27
  28 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
  29 {
  30 #ifndef OPENSSL_NO_ENGINE
  31     ENGINE *eng;
  32
  33     /*
  34      * If there is an Engine available for this cipher we use the "implicit"
  35      * form to ensure we use that engine later.
  36      */
  37     eng = ENGINE_get_cipher_engine(nid);
  38     if (eng != NULL) {
  39         ENGINE_finish(eng);
  40         return EVP_get_cipherbynid(nid);
  41     }
  42 #endif
  43     return NULL;
  44 }
  45
  46 const EVP_MD *tls_get_digest_from_engine(int nid)
  47 {
  48 #ifndef OPENSSL_NO_ENGINE
  49     ENGINE *eng;
  50
  51     /*
  52      * If there is an Engine available for this digest we use the "implicit"
  53      * form to ensure we use that engine later.
  54      */
  55     eng = ENGINE_get_digest_engine(nid);
  56     if (eng != NULL) {
  57         ENGINE_finish(eng);
  58         return EVP_get_digestbynid(nid);
  59     }
  60 #endif
  61     return NULL;
  62 }
  63
  64 #ifndef OPENSSL_NO_ENGINE
  65 int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
  66 {
  67     return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
  68                                        SSL_get_client_CA_list(s),
  69                                        px509, ppkey, NULL, NULL, NULL);
  70 }
  71 #endif
  72
  73 #ifndef OPENSSL_NO_ENGINE
  74 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
  75 {
  76     if (!ENGINE_init(e)) {
  77         ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
  78         return 0;
  79     }
  80     if (!ENGINE_get_ssl_client_cert_function(e)) {
  81         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
  82         ENGINE_finish(e);
  83         return 0;
  84     }
  85     ctx->client_cert_engine = e;
  86     return 1;
  87 }
  88 #endif
  89
  90 /*
  91  * The HMAC APIs below are only used to support the deprecated public API
  92  * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
  93  * takes an HMAC_CTX in its argument list. The preferred alternative is
  94  * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
  95  * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
  96  * be removed.
  97  */
  98 #ifndef OPENSSL_NO_DEPRECATED_3_0
  99 int ssl_hmac_old_new(SSL_HMAC *ret)
 100 {
 101     ret->old_ctx = HMAC_CTX_new();
 102     if (ret->old_ctx == NULL)
 103         return 0;
 104
 105     return 1;
 106 }
 107
 108 void ssl_hmac_old_free(SSL_HMAC *ctx)
 109 {
 110     HMAC_CTX_free(ctx->old_ctx);
 111 }
 112
 113 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
 114 {
 115     return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
 116 }
 117
 118 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
 119 {
 120     return HMAC_Update(ctx->old_ctx, data, len);
 121 }
 122
 123 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
 124 {
 125     unsigned int l;
 126
 127     if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
 128         if (len != NULL)
 129             *len = l;
 130         return 1;
 131     }
 132
 133     return 0;
 134 }
 135
 136 size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
 137 {
 138     return HMAC_size(ctx->old_ctx);
 139 }
 140
 141 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
 142 {
 143     return ctx->old_ctx;
 144 }
 145
 146 /* Some deprecated public APIs pass DH objects */
 147 EVP_PKEY *ssl_dh_to_pkey(DH *dh)
 148 {
 149 # ifndef OPENSSL_NO_DH
 150     EVP_PKEY *ret;
 151
 152     if (dh == NULL)
 153         return NULL;
 154     ret = EVP_PKEY_new();
 155     if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
 156         EVP_PKEY_free(ret);
 157         return NULL;
 158     }
 159     return ret;
 160 # else
 161     return NULL;
 162 # endif
 163 }
 164
 165 /* Some deprecated public APIs pass EC_KEY objects */
 166 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
 167                             void *key)
 168 {
 169 #  ifndef OPENSSL_NO_EC
 170     const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
 171     int nid;
 172
 173     if (group == NULL) {
 174         ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
 175         return 0;
 176     }
 177     nid = EC_GROUP_get_curve_name(group);
 178     if (nid == NID_undef)
 179         return 0;
 180     return tls1_set_groups(pext, pextlen, &nid, 1);
 181 #  else
 182     return 0;
 183 #  endif
 184 }
 185
 186 /*
 187  * Set the callback for generating temporary DH keys.
 188  * ctx: the SSL context.
 189  * dh: the callback
 190  */
 191 # if !defined(OPENSSL_NO_DH)
 192 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
 193                                  DH *(*dh) (SSL *ssl, int is_export,
 194                                             int keylength))
 195 {
 196     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
 197 }
 198
 199 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
 200                                                   int keylength))
 201 {
 202     SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
 203 }
 204 # endif
 205 #endif /* OPENSSL_NO_DEPRECATED */