1 /*
2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* We need to use some engine and HMAC deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12
13 #include <openssl/engine.h>
14 #include "ssl_local.h"
15
16 /*
17 * Engine APIs are only used to support applications that still use ENGINEs.
18 * Once ENGINE is removed completely, all of this code can also be removed.
19 */
20
21 #ifndef OPENSSL_NO_ENGINE
tls_engine_finish(ENGINE * e)22 void tls_engine_finish(ENGINE *e)
23 {
24 ENGINE_finish(e);
25 }
26 #endif
27
tls_get_cipher_from_engine(int nid)28 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
29 {
30 const EVP_CIPHER *ret = NULL;
31 #ifndef OPENSSL_NO_ENGINE
32 ENGINE *eng;
33
34 /*
35 * If there is an Engine available for this cipher we use the "implicit"
36 * form to ensure we use that engine later.
37 */
38 eng = ENGINE_get_cipher_engine(nid);
39 if (eng != NULL) {
40 ret = ENGINE_get_cipher(eng, nid);
41 ENGINE_finish(eng);
42 }
43 #endif
44 return ret;
45 }
46
tls_get_digest_from_engine(int nid)47 const EVP_MD *tls_get_digest_from_engine(int nid)
48 {
49 const EVP_MD *ret = NULL;
50 #ifndef OPENSSL_NO_ENGINE
51 ENGINE *eng;
52
53 /*
54 * If there is an Engine available for this digest we use the "implicit"
55 * form to ensure we use that engine later.
56 */
57 eng = ENGINE_get_digest_engine(nid);
58 if (eng != NULL) {
59 ret = ENGINE_get_digest(eng, nid);
60 ENGINE_finish(eng);
61 }
62 #endif
63 return ret;
64 }
65
66 #ifndef OPENSSL_NO_ENGINE
tls_engine_load_ssl_client_cert(SSL * s,X509 ** px509,EVP_PKEY ** ppkey)67 int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
68 {
69 return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
70 SSL_get_client_CA_list(s),
71 px509, ppkey, NULL, NULL, NULL);
72 }
73 #endif
74
75 #ifndef OPENSSL_NO_ENGINE
SSL_CTX_set_client_cert_engine(SSL_CTX * ctx,ENGINE * e)76 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
77 {
78 if (!ENGINE_init(e)) {
79 ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
80 return 0;
81 }
82 if (!ENGINE_get_ssl_client_cert_function(e)) {
83 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
84 ENGINE_finish(e);
85 return 0;
86 }
87 ctx->client_cert_engine = e;
88 return 1;
89 }
90 #endif
91
92 /*
93 * The HMAC APIs below are only used to support the deprecated public API
94 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
95 * takes an HMAC_CTX in its argument list. The preferred alternative is
96 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
97 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
98 * be removed.
99 */
100 #ifndef OPENSSL_NO_DEPRECATED_3_0
ssl_hmac_old_new(SSL_HMAC * ret)101 int ssl_hmac_old_new(SSL_HMAC *ret)
102 {
103 ret->old_ctx = HMAC_CTX_new();
104 if (ret->old_ctx == NULL)
105 return 0;
106
107 return 1;
108 }
109
ssl_hmac_old_free(SSL_HMAC * ctx)110 void ssl_hmac_old_free(SSL_HMAC *ctx)
111 {
112 HMAC_CTX_free(ctx->old_ctx);
113 }
114
ssl_hmac_old_init(SSL_HMAC * ctx,void * key,size_t len,char * md)115 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
116 {
117 return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
118 }
119
ssl_hmac_old_update(SSL_HMAC * ctx,const unsigned char * data,size_t len)120 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
121 {
122 return HMAC_Update(ctx->old_ctx, data, len);
123 }
124
ssl_hmac_old_final(SSL_HMAC * ctx,unsigned char * md,size_t * len)125 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
126 {
127 unsigned int l;
128
129 if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
130 if (len != NULL)
131 *len = l;
132 return 1;
133 }
134
135 return 0;
136 }
137
ssl_hmac_old_size(const SSL_HMAC * ctx)138 size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
139 {
140 return HMAC_size(ctx->old_ctx);
141 }
142
ssl_hmac_get0_HMAC_CTX(SSL_HMAC * ctx)143 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
144 {
145 return ctx->old_ctx;
146 }
147
148 /* Some deprecated public APIs pass DH objects */
ssl_dh_to_pkey(DH * dh)149 EVP_PKEY *ssl_dh_to_pkey(DH *dh)
150 {
151 # ifndef OPENSSL_NO_DH
152 EVP_PKEY *ret;
153
154 if (dh == NULL)
155 return NULL;
156 ret = EVP_PKEY_new();
157 if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
158 EVP_PKEY_free(ret);
159 return NULL;
160 }
161 return ret;
162 # else
163 return NULL;
164 # endif
165 }
166
167 /* Some deprecated public APIs pass EC_KEY objects */
ssl_set_tmp_ecdh_groups(uint16_t ** pext,size_t * pextlen,void * key)168 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
169 void *key)
170 {
171 # ifndef OPENSSL_NO_EC
172 const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
173 int nid;
174
175 if (group == NULL) {
176 ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
177 return 0;
178 }
179 nid = EC_GROUP_get_curve_name(group);
180 if (nid == NID_undef)
181 return 0;
182 return tls1_set_groups(pext, pextlen, &nid, 1);
183 # else
184 return 0;
185 # endif
186 }
187
188 /*
189 * Set the callback for generating temporary DH keys.
190 * ctx: the SSL context.
191 * dh: the callback
192 */
193 # if !defined(OPENSSL_NO_DH)
SSL_CTX_set_tmp_dh_callback(SSL_CTX * ctx,DH * (* dh)(SSL * ssl,int is_export,int keylength))194 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
195 DH *(*dh) (SSL *ssl, int is_export,
196 int keylength))
197 {
198 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
199 }
200
SSL_set_tmp_dh_callback(SSL * ssl,DH * (* dh)(SSL * ssl,int is_export,int keylength))201 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
202 int keylength))
203 {
204 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
205 }
206 # endif
207 #endif /* OPENSSL_NO_DEPRECATED */
208