xref: /freebsd/crypto/openssl/ssl/tls_depr.c (revision b3e7694832e81d7a904a10f525f8797b753bf0d3)
1 /*
2  * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some engine and HMAC deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <openssl/engine.h>
14 #include "ssl_local.h"
15 
16 /*
17  * Engine APIs are only used to support applications that still use ENGINEs.
18  * Once ENGINE is removed completely, all of this code can also be removed.
19  */
20 
21 #ifndef OPENSSL_NO_ENGINE
22 void tls_engine_finish(ENGINE *e)
23 {
24     ENGINE_finish(e);
25 }
26 #endif
27 
28 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
29 {
30     const EVP_CIPHER *ret = NULL;
31 #ifndef OPENSSL_NO_ENGINE
32     ENGINE *eng;
33 
34     /*
35      * If there is an Engine available for this cipher we use the "implicit"
36      * form to ensure we use that engine later.
37      */
38     eng = ENGINE_get_cipher_engine(nid);
39     if (eng != NULL) {
40         ret = ENGINE_get_cipher(eng, nid);
41         ENGINE_finish(eng);
42     }
43 #endif
44     return ret;
45 }
46 
47 const EVP_MD *tls_get_digest_from_engine(int nid)
48 {
49     const EVP_MD *ret = NULL;
50 #ifndef OPENSSL_NO_ENGINE
51     ENGINE *eng;
52 
53     /*
54      * If there is an Engine available for this digest we use the "implicit"
55      * form to ensure we use that engine later.
56      */
57     eng = ENGINE_get_digest_engine(nid);
58     if (eng != NULL) {
59         ret = ENGINE_get_digest(eng, nid);
60         ENGINE_finish(eng);
61     }
62 #endif
63     return ret;
64 }
65 
66 #ifndef OPENSSL_NO_ENGINE
67 int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
68 {
69     return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
70                                        SSL_get_client_CA_list(s),
71                                        px509, ppkey, NULL, NULL, NULL);
72 }
73 #endif
74 
75 #ifndef OPENSSL_NO_ENGINE
76 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
77 {
78     if (!ENGINE_init(e)) {
79         ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
80         return 0;
81     }
82     if (!ENGINE_get_ssl_client_cert_function(e)) {
83         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
84         ENGINE_finish(e);
85         return 0;
86     }
87     ctx->client_cert_engine = e;
88     return 1;
89 }
90 #endif
91 
92 /*
93  * The HMAC APIs below are only used to support the deprecated public API
94  * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
95  * takes an HMAC_CTX in its argument list. The preferred alternative is
96  * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
97  * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
98  * be removed.
99  */
100 #ifndef OPENSSL_NO_DEPRECATED_3_0
101 int ssl_hmac_old_new(SSL_HMAC *ret)
102 {
103     ret->old_ctx = HMAC_CTX_new();
104     if (ret->old_ctx == NULL)
105         return 0;
106 
107     return 1;
108 }
109 
110 void ssl_hmac_old_free(SSL_HMAC *ctx)
111 {
112     HMAC_CTX_free(ctx->old_ctx);
113 }
114 
115 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
116 {
117     return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
118 }
119 
120 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
121 {
122     return HMAC_Update(ctx->old_ctx, data, len);
123 }
124 
125 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
126 {
127     unsigned int l;
128 
129     if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
130         if (len != NULL)
131             *len = l;
132         return 1;
133     }
134 
135     return 0;
136 }
137 
138 size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
139 {
140     return HMAC_size(ctx->old_ctx);
141 }
142 
143 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
144 {
145     return ctx->old_ctx;
146 }
147 
148 /* Some deprecated public APIs pass DH objects */
149 EVP_PKEY *ssl_dh_to_pkey(DH *dh)
150 {
151 # ifndef OPENSSL_NO_DH
152     EVP_PKEY *ret;
153 
154     if (dh == NULL)
155         return NULL;
156     ret = EVP_PKEY_new();
157     if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
158         EVP_PKEY_free(ret);
159         return NULL;
160     }
161     return ret;
162 # else
163     return NULL;
164 # endif
165 }
166 
167 /* Some deprecated public APIs pass EC_KEY objects */
168 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
169                             void *key)
170 {
171 #  ifndef OPENSSL_NO_EC
172     const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
173     int nid;
174 
175     if (group == NULL) {
176         ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
177         return 0;
178     }
179     nid = EC_GROUP_get_curve_name(group);
180     if (nid == NID_undef)
181         return 0;
182     return tls1_set_groups(pext, pextlen, &nid, 1);
183 #  else
184     return 0;
185 #  endif
186 }
187 
188 /*
189  * Set the callback for generating temporary DH keys.
190  * ctx: the SSL context.
191  * dh: the callback
192  */
193 # if !defined(OPENSSL_NO_DH)
194 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
195                                  DH *(*dh) (SSL *ssl, int is_export,
196                                             int keylength))
197 {
198     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
199 }
200 
201 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
202                                                   int keylength))
203 {
204     SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
205 }
206 # endif
207 #endif /* OPENSSL_NO_DEPRECATED */
208