bio_ssl.c ssl_err.c tls_srp.c t1_trce.c ssl_utst.c \
record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \
statem/statem.c record/ssl3_record_tls13.c record/tls_pad.c \
- $KTLSSRC
+ tls_depr.c $KTLSSRC
IF[{- !$disabled{'deprecated-3.0'} -}]
SOURCE[../libssl]=s3_cbc.c
ENDIF
* https://www.openssl.org/source/license.html
*/
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
ameth) <= 0)
pkey_id = 0;
}
- ENGINE_finish(tmpeng);
+ tls_engine_finish(tmpeng);
return pkey_id;
}
* https://www.openssl.org/source/license.html
*/
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
#include <stdio.h>
#include "ssl_local.h"
#include "e_os.h"
SSL_CTX_SRP_CTX_free(a);
#endif
#ifndef OPENSSL_NO_ENGINE
- ENGINE_finish(a->client_cert_engine);
+ tls_engine_finish(a->client_cert_engine);
#endif
#ifndef OPENSSL_NO_EC
int nid,
const char *properties)
{
- EVP_CIPHER *ciph;
+ const EVP_CIPHER *ciph;
-#ifndef OPENSSL_NO_ENGINE
- ENGINE *eng;
+ ciph = tls_get_cipher_from_engine(nid);
+ if (ciph != NULL)
+ return ciph;
/*
- * If there is an Engine available for this cipher we use the "implicit"
- * form to ensure we use that engine later.
+ * If there is no engine cipher then we do an explicit fetch. This may fail
+ * and that could be ok
*/
- eng = ENGINE_get_cipher_engine(nid);
- if (eng != NULL) {
- ENGINE_finish(eng);
- return EVP_get_cipherbynid(nid);
- }
-#endif
-
- /* Otherwise we do an explicit fetch. This may fail and that could be ok */
ERR_set_mark();
ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
ERR_pop_to_mark();
int nid,
const char *properties)
{
- EVP_MD *md;
+ const EVP_MD *md;
-#ifndef OPENSSL_NO_ENGINE
- ENGINE *eng;
-
- /*
- * If there is an Engine available for this digest we use the "implicit"
- * form to ensure we use that engine later.
- */
- eng = ENGINE_get_digest_engine(nid);
- if (eng != NULL) {
- ENGINE_finish(eng);
- return EVP_get_digestbynid(nid);
- }
-#endif
+ md = tls_get_digest_from_engine(nid);
+ if (md != NULL)
+ return md;
/* Otherwise we do an explicit fetch */
ERR_set_mark();
const EVP_CIPHER *ciph,
const EVP_MD *md);
+void tls_engine_finish(ENGINE *e);
+const EVP_CIPHER *tls_get_cipher_from_engine(int nid);
+const EVP_MD *tls_get_digest_from_engine(int nid);
+int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey);
+int ssl_hmac_old_new(SSL_HMAC *ret);
+void ssl_hmac_old_free(SSL_HMAC *ctx);
+int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md);
+int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len);
+int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len);
+size_t ssl_hmac_old_size(const SSL_HMAC *ctx);
+
# else /* OPENSSL_UNIT_TEST */
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
* https://www.openssl.org/source/license.html
*/
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
#include <stdio.h>
#include <openssl/rand.h>
#include <openssl/engine.h>
return ctx->client_cert_cb;
}
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
- if (!ENGINE_init(e)) {
- SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
- return 0;
- }
- if (!ENGINE_get_ssl_client_cert_function(e)) {
- SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
- SSL_R_NO_CLIENT_CERT_METHOD);
- ENGINE_finish(e);
- return 0;
- }
- ctx->client_cert_engine = e;
- return 1;
-}
-#endif
-
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
int (*cb) (SSL *ssl,
unsigned char *cookie,
* https://www.openssl.org/source/license.html
*/
-/* We need to use some engine deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
#include <stdio.h>
#include <time.h>
#include <assert.h>
int i = 0;
#ifndef OPENSSL_NO_ENGINE
if (s->ctx->client_cert_engine) {
- i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
- SSL_get_client_CA_list(s),
- px509, ppkey, NULL, NULL, NULL);
+ i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
if (i != 0)
return i;
}
* https://www.openssl.org/source/license.html
*/
-/* We need access to the deprecated low level HMAC APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
#include <stdio.h>
#include <stdlib.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (ctx->ext.ticket_key_evp_cb == NULL
&& ctx->ext.ticket_key_cb != NULL) {
- ret->old_ctx = HMAC_CTX_new();
- if (ret->old_ctx == NULL)
+ if (!ssl_hmac_old_new(ret))
goto err;
return ret;
}
if (ctx != NULL) {
EVP_MAC_CTX_free(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
- HMAC_CTX_free(ctx->old_ctx);
+ ssl_hmac_old_free(ctx);
#endif
OPENSSL_free(ctx);
}
}
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
-{
- return ctx->old_ctx;
-}
-#endif
-
EVP_MAC_CTX *ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC *ctx)
{
return ctx->ctx;
}
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (ctx->old_ctx != NULL)
- return HMAC_Init_ex(ctx->old_ctx, key, len,
- EVP_get_digestbyname(md), NULL);
+ return ssl_hmac_old_init(ctx, key, len, md);
#endif
return 0;
}
return EVP_MAC_update(ctx->ctx, data, len);
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (ctx->old_ctx != NULL)
- return HMAC_Update(ctx->old_ctx, data, len);
+ return ssl_hmac_old_update(ctx, data, len);
#endif
return 0;
}
if (ctx->ctx != NULL)
return EVP_MAC_final(ctx->ctx, md, len, max_size);
#ifndef OPENSSL_NO_DEPRECATED_3_0
- if (ctx->old_ctx != NULL) {
- unsigned int l;
-
- if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
- if (len != NULL)
- *len = l;
- return 1;
- }
- }
+ if (ctx->old_ctx != NULL)
+ return ssl_hmac_old_final(ctx, md, len);
#endif
return 0;
}
return EVP_MAC_size(ctx->ctx);
#ifndef OPENSSL_NO_DEPRECATED_3_0
if (ctx->old_ctx != NULL)
- return HMAC_size(ctx->old_ctx);
+ return ssl_hmac_old_size(ctx);
#endif
return 0;
}
--- /dev/null
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* We need to use some engine and HMAC deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include <openssl/engine.h>
+#include "ssl_local.h"
+
+/*
+ * Engine APIs are only used to support applications that still use ENGINEs.
+ * Once ENGINE is removed completely, all of this code can also be removed.
+ */
+
+#ifndef OPENSSL_NO_ENGINE
+void tls_engine_finish(ENGINE *e)
+{
+ ENGINE_finish(e);
+}
+#endif
+
+const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
+{
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *eng;
+
+ /*
+ * If there is an Engine available for this cipher we use the "implicit"
+ * form to ensure we use that engine later.
+ */
+ eng = ENGINE_get_cipher_engine(nid);
+ if (eng != NULL) {
+ ENGINE_finish(eng);
+ return EVP_get_cipherbynid(nid);
+ }
+#endif
+ return NULL;
+}
+
+const EVP_MD *tls_get_digest_from_engine(int nid)
+{
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *eng;
+
+ /*
+ * If there is an Engine available for this digest we use the "implicit"
+ * form to ensure we use that engine later.
+ */
+ eng = ENGINE_get_digest_engine(nid);
+ if (eng != NULL) {
+ ENGINE_finish(eng);
+ return EVP_get_digestbynid(nid);
+ }
+#endif
+ return NULL;
+}
+
+#ifndef OPENSSL_NO_ENGINE
+int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+{
+ return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+ SSL_get_client_CA_list(s),
+ px509, ppkey, NULL, NULL, NULL);
+}
+#endif
+
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
+{
+ if (!ENGINE_init(e)) {
+ SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+ return 0;
+ }
+ if (!ENGINE_get_ssl_client_cert_function(e)) {
+ SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+ SSL_R_NO_CLIENT_CERT_METHOD);
+ ENGINE_finish(e);
+ return 0;
+ }
+ ctx->client_cert_engine = e;
+ return 1;
+}
+#endif
+
+/*
+ * The HMAC APIs below are only used to support the deprecated public API
+ * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
+ * takes an HMAC_CTX in its argument list. The preferred alternative is
+ * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
+ * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
+ * be removed.
+ */
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+int ssl_hmac_old_new(SSL_HMAC *ret)
+{
+ ret->old_ctx = HMAC_CTX_new();
+ if (ret->old_ctx == NULL)
+ return 0;
+
+ return 1;
+}
+
+void ssl_hmac_old_free(SSL_HMAC *ctx)
+{
+ HMAC_CTX_free(ctx->old_ctx);
+}
+
+int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
+{
+ return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
+}
+
+int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
+{
+ return HMAC_Update(ctx->old_ctx, data, len);
+}
+
+int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
+{
+ unsigned int l;
+
+ if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
+ if (len != NULL)
+ *len = l;
+ return 1;
+ }
+
+ return 0;
+}
+
+size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
+{
+ return HMAC_size(ctx->old_ctx);
+}
+
+HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
+{
+ return ctx->old_ctx;
+}
+#endif
+
projects / thirdparty / openssl.git / commitdiff
