1 /* 2 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* We need to use some engine and HMAC deprecated APIs */ 11 #define OPENSSL_SUPPRESS_DEPRECATED 12 13 #include <openssl/engine.h> 14 #include "ssl_local.h" 15 #include "internal/ssl_unwrap.h" 16 17 /* 18 * Engine APIs are only used to support applications that still use ENGINEs. 19 * Once ENGINE is removed completely, all of this code can also be removed. 20 */ 21 22 #ifndef OPENSSL_NO_ENGINE 23 void tls_engine_finish(ENGINE *e) 24 { 25 ENGINE_finish(e); 26 } 27 #endif 28 29 const EVP_CIPHER *tls_get_cipher_from_engine(int nid) 30 { 31 const EVP_CIPHER *ret = NULL; 32 #ifndef OPENSSL_NO_ENGINE 33 ENGINE *eng; 34 35 /* 36 * If there is an Engine available for this cipher we use the "implicit" 37 * form to ensure we use that engine later. 38 */ 39 eng = ENGINE_get_cipher_engine(nid); 40 if (eng != NULL) { 41 ret = ENGINE_get_cipher(eng, nid); 42 ENGINE_finish(eng); 43 } 44 #endif 45 return ret; 46 } 47 48 const EVP_MD *tls_get_digest_from_engine(int nid) 49 { 50 const EVP_MD *ret = NULL; 51 #ifndef OPENSSL_NO_ENGINE 52 ENGINE *eng; 53 54 /* 55 * If there is an Engine available for this digest we use the "implicit" 56 * form to ensure we use that engine later. 57 */ 58 eng = ENGINE_get_digest_engine(nid); 59 if (eng != NULL) { 60 ret = ENGINE_get_digest(eng, nid); 61 ENGINE_finish(eng); 62 } 63 #endif 64 return ret; 65 } 66 67 #ifndef OPENSSL_NO_ENGINE 68 int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509, 69 EVP_PKEY **ppkey) 70 { 71 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 72 73 return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine, 74 ssl, 75 SSL_get_client_CA_list(ssl), 76 px509, ppkey, NULL, NULL, NULL); 77 } 78 #endif 79 80 #ifndef OPENSSL_NO_ENGINE 81 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) 82 { 83 if (!ENGINE_init(e)) { 84 ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB); 85 return 0; 86 } 87 if (!ENGINE_get_ssl_client_cert_function(e)) { 88 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD); 89 ENGINE_finish(e); 90 return 0; 91 } 92 ctx->client_cert_engine = e; 93 return 1; 94 } 95 #endif 96 97 /* 98 * The HMAC APIs below are only used to support the deprecated public API 99 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback 100 * takes an HMAC_CTX in its argument list. The preferred alternative is 101 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once 102 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also 103 * be removed. 104 */ 105 #ifndef OPENSSL_NO_DEPRECATED_3_0 106 int ssl_hmac_old_new(SSL_HMAC *ret) 107 { 108 ret->old_ctx = HMAC_CTX_new(); 109 if (ret->old_ctx == NULL) 110 return 0; 111 112 return 1; 113 } 114 115 void ssl_hmac_old_free(SSL_HMAC *ctx) 116 { 117 HMAC_CTX_free(ctx->old_ctx); 118 } 119 120 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md) 121 { 122 return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL); 123 } 124 125 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len) 126 { 127 return HMAC_Update(ctx->old_ctx, data, len); 128 } 129 130 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len) 131 { 132 unsigned int l; 133 134 if (HMAC_Final(ctx->old_ctx, md, &l) > 0) { 135 if (len != NULL) 136 *len = l; 137 return 1; 138 } 139 140 return 0; 141 } 142 143 size_t ssl_hmac_old_size(const SSL_HMAC *ctx) 144 { 145 return HMAC_size(ctx->old_ctx); 146 } 147 148 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) 149 { 150 return ctx->old_ctx; 151 } 152 153 /* Some deprecated public APIs pass DH objects */ 154 EVP_PKEY *ssl_dh_to_pkey(DH *dh) 155 { 156 # ifndef OPENSSL_NO_DH 157 EVP_PKEY *ret; 158 159 if (dh == NULL) 160 return NULL; 161 ret = EVP_PKEY_new(); 162 if (EVP_PKEY_set1_DH(ret, dh) <= 0) { 163 EVP_PKEY_free(ret); 164 return NULL; 165 } 166 return ret; 167 # else 168 return NULL; 169 # endif 170 } 171 172 /* Some deprecated public APIs pass EC_KEY objects */ 173 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, 174 uint16_t **ksext, size_t *ksextlen, 175 size_t **tplext, size_t *tplextlen, 176 void *key) 177 { 178 # ifndef OPENSSL_NO_EC 179 const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); 180 int nid; 181 182 if (group == NULL) { 183 ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS); 184 return 0; 185 } 186 nid = EC_GROUP_get_curve_name(group); 187 if (nid == NID_undef) 188 return 0; 189 return tls1_set_groups(pext, pextlen, 190 ksext, ksextlen, 191 tplext, tplextlen, 192 &nid, 1); 193 # else 194 return 0; 195 # endif 196 } 197 198 /* 199 * Set the callback for generating temporary DH keys. 200 * ctx: the SSL context. 201 * dh: the callback 202 */ 203 # if !defined(OPENSSL_NO_DH) 204 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 205 DH *(*dh) (SSL *ssl, int is_export, 206 int keylength)) 207 { 208 SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 209 } 210 211 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, 212 int keylength)) 213 { 214 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); 215 } 216 # endif 217 #endif /* OPENSSL_NO_DEPRECATED */ 218