xref: /freebsd/crypto/openssl/ssl/tls_depr.c (revision e7be843b4a162e68651d3911f0357ed464915629) 
1 /*
2  * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some engine and HMAC deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <openssl/engine.h>
14 #include "ssl_local.h"
15 #include "internal/ssl_unwrap.h"
16 
17 /*
18  * Engine APIs are only used to support applications that still use ENGINEs.
19  * Once ENGINE is removed completely, all of this code can also be removed.
20  */
21 
22 #ifndef OPENSSL_NO_ENGINE
tls_engine_finish(ENGINE * e)23 void tls_engine_finish(ENGINE *e)
24 {
25     ENGINE_finish(e);
26 }
27 #endif
28 
tls_get_cipher_from_engine(int nid)29 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
30 {
31     const EVP_CIPHER *ret = NULL;
32 #ifndef OPENSSL_NO_ENGINE
33     ENGINE *eng;
34 
35     /*
36      * If there is an Engine available for this cipher we use the "implicit"
37      * form to ensure we use that engine later.
38      */
39     eng = ENGINE_get_cipher_engine(nid);
40     if (eng != NULL) {
41         ret = ENGINE_get_cipher(eng, nid);
42         ENGINE_finish(eng);
43     }
44 #endif
45     return ret;
46 }
47 
tls_get_digest_from_engine(int nid)48 const EVP_MD *tls_get_digest_from_engine(int nid)
49 {
50     const EVP_MD *ret = NULL;
51 #ifndef OPENSSL_NO_ENGINE
52     ENGINE *eng;
53 
54     /*
55      * If there is an Engine available for this digest we use the "implicit"
56      * form to ensure we use that engine later.
57      */
58     eng = ENGINE_get_digest_engine(nid);
59     if (eng != NULL) {
60         ret = ENGINE_get_digest(eng, nid);
61         ENGINE_finish(eng);
62     }
63 #endif
64     return ret;
65 }
66 
67 #ifndef OPENSSL_NO_ENGINE
tls_engine_load_ssl_client_cert(SSL_CONNECTION * s,X509 ** px509,EVP_PKEY ** ppkey)68 int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
69                                     EVP_PKEY **ppkey)
70 {
71     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
72 
73     return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
74                                        ssl,
75                                        SSL_get_client_CA_list(ssl),
76                                        px509, ppkey, NULL, NULL, NULL);
77 }
78 #endif
79 
80 #ifndef OPENSSL_NO_ENGINE
SSL_CTX_set_client_cert_engine(SSL_CTX * ctx,ENGINE * e)81 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
82 {
83     if (!ENGINE_init(e)) {
84         ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
85         return 0;
86     }
87     if (!ENGINE_get_ssl_client_cert_function(e)) {
88         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
89         ENGINE_finish(e);
90         return 0;
91     }
92     ctx->client_cert_engine = e;
93     return 1;
94 }
95 #endif
96 
97 /*
98  * The HMAC APIs below are only used to support the deprecated public API
99  * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
100  * takes an HMAC_CTX in its argument list. The preferred alternative is
101  * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
102  * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
103  * be removed.
104  */
105 #ifndef OPENSSL_NO_DEPRECATED_3_0
ssl_hmac_old_new(SSL_HMAC * ret)106 int ssl_hmac_old_new(SSL_HMAC *ret)
107 {
108     ret->old_ctx = HMAC_CTX_new();
109     if (ret->old_ctx == NULL)
110         return 0;
111 
112     return 1;
113 }
114 
ssl_hmac_old_free(SSL_HMAC * ctx)115 void ssl_hmac_old_free(SSL_HMAC *ctx)
116 {
117     HMAC_CTX_free(ctx->old_ctx);
118 }
119 
ssl_hmac_old_init(SSL_HMAC * ctx,void * key,size_t len,char * md)120 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
121 {
122     return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
123 }
124 
ssl_hmac_old_update(SSL_HMAC * ctx,const unsigned char * data,size_t len)125 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
126 {
127     return HMAC_Update(ctx->old_ctx, data, len);
128 }
129 
ssl_hmac_old_final(SSL_HMAC * ctx,unsigned char * md,size_t * len)130 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
131 {
132     unsigned int l;
133 
134     if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
135         if (len != NULL)
136             *len = l;
137         return 1;
138     }
139 
140     return 0;
141 }
142 
ssl_hmac_old_size(const SSL_HMAC * ctx)143 size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
144 {
145     return HMAC_size(ctx->old_ctx);
146 }
147 
ssl_hmac_get0_HMAC_CTX(SSL_HMAC * ctx)148 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
149 {
150     return ctx->old_ctx;
151 }
152 
153 /* Some deprecated public APIs pass DH objects */
ssl_dh_to_pkey(DH * dh)154 EVP_PKEY *ssl_dh_to_pkey(DH *dh)
155 {
156 # ifndef OPENSSL_NO_DH
157     EVP_PKEY *ret;
158 
159     if (dh == NULL)
160         return NULL;
161     ret = EVP_PKEY_new();
162     if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
163         EVP_PKEY_free(ret);
164         return NULL;
165     }
166     return ret;
167 # else
168     return NULL;
169 # endif
170 }
171 
172 /* Some deprecated public APIs pass EC_KEY objects */
ssl_set_tmp_ecdh_groups(uint16_t ** pext,size_t * pextlen,uint16_t ** ksext,size_t * ksextlen,size_t ** tplext,size_t * tplextlen,void * key)173 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
174                             uint16_t **ksext, size_t *ksextlen,
175                             size_t **tplext, size_t *tplextlen,
176                             void *key)
177 {
178 # ifndef OPENSSL_NO_EC
179     const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
180     int nid;
181 
182     if (group == NULL) {
183         ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
184         return 0;
185     }
186     nid = EC_GROUP_get_curve_name(group);
187     if (nid == NID_undef)
188         return 0;
189     return tls1_set_groups(pext, pextlen,
190                            ksext, ksextlen,
191                            tplext, tplextlen,
192                            &nid, 1);
193 # else
194     return 0;
195 # endif
196 }
197 
198 /*
199  * Set the callback for generating temporary DH keys.
200  * ctx: the SSL context.
201  * dh: the callback
202  */
203 # if !defined(OPENSSL_NO_DH)
SSL_CTX_set_tmp_dh_callback(SSL_CTX * ctx,DH * (* dh)(SSL * ssl,int is_export,int keylength))204 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
205                                  DH *(*dh) (SSL *ssl, int is_export,
206                                             int keylength))
207 {
208     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
209 }
210 
SSL_set_tmp_dh_callback(SSL * ssl,DH * (* dh)(SSL * ssl,int is_export,int keylength))211 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
212                                                   int keylength))
213 {
214     SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
215 }
216 # endif
217 #endif /* OPENSSL_NO_DEPRECATED */
218