xref: /openssl/ssl/tls_depr.c (revision 38b051a1)
1 /*
2  * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some engine and HMAC deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <openssl/engine.h>
14 #include "ssl_local.h"
15 
16 /*
17  * Engine APIs are only used to support applications that still use ENGINEs.
18  * Once ENGINE is removed completely, all of this code can also be removed.
19  */
20 
21 #ifndef OPENSSL_NO_ENGINE
tls_engine_finish(ENGINE * e)22 void tls_engine_finish(ENGINE *e)
23 {
24     ENGINE_finish(e);
25 }
26 #endif
27 
tls_get_cipher_from_engine(int nid)28 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
29 {
30     const EVP_CIPHER *ret = NULL;
31 #ifndef OPENSSL_NO_ENGINE
32     ENGINE *eng;
33 
34     /*
35      * If there is an Engine available for this cipher we use the "implicit"
36      * form to ensure we use that engine later.
37      */
38     eng = ENGINE_get_cipher_engine(nid);
39     if (eng != NULL) {
40         ret = ENGINE_get_cipher(eng, nid);
41         ENGINE_finish(eng);
42     }
43 #endif
44     return ret;
45 }
46 
tls_get_digest_from_engine(int nid)47 const EVP_MD *tls_get_digest_from_engine(int nid)
48 {
49     const EVP_MD *ret = NULL;
50 #ifndef OPENSSL_NO_ENGINE
51     ENGINE *eng;
52 
53     /*
54      * If there is an Engine available for this digest we use the "implicit"
55      * form to ensure we use that engine later.
56      */
57     eng = ENGINE_get_digest_engine(nid);
58     if (eng != NULL) {
59         ret = ENGINE_get_digest(eng, nid);
60         ENGINE_finish(eng);
61     }
62 #endif
63     return ret;
64 }
65 
66 #ifndef OPENSSL_NO_ENGINE
tls_engine_load_ssl_client_cert(SSL_CONNECTION * s,X509 ** px509,EVP_PKEY ** ppkey)67 int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
68                                     EVP_PKEY **ppkey)
69 {
70     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
71 
72     return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
73                                        ssl,
74                                        SSL_get_client_CA_list(ssl),
75                                        px509, ppkey, NULL, NULL, NULL);
76 }
77 #endif
78 
79 #ifndef OPENSSL_NO_ENGINE
SSL_CTX_set_client_cert_engine(SSL_CTX * ctx,ENGINE * e)80 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
81 {
82     if (!ENGINE_init(e)) {
83         ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
84         return 0;
85     }
86     if (!ENGINE_get_ssl_client_cert_function(e)) {
87         ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
88         ENGINE_finish(e);
89         return 0;
90     }
91     ctx->client_cert_engine = e;
92     return 1;
93 }
94 #endif
95 
96 /*
97  * The HMAC APIs below are only used to support the deprecated public API
98  * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
99  * takes an HMAC_CTX in its argument list. The preferred alternative is
100  * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
101  * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
102  * be removed.
103  */
104 #ifndef OPENSSL_NO_DEPRECATED_3_0
ssl_hmac_old_new(SSL_HMAC * ret)105 int ssl_hmac_old_new(SSL_HMAC *ret)
106 {
107     ret->old_ctx = HMAC_CTX_new();
108     if (ret->old_ctx == NULL)
109         return 0;
110 
111     return 1;
112 }
113 
ssl_hmac_old_free(SSL_HMAC * ctx)114 void ssl_hmac_old_free(SSL_HMAC *ctx)
115 {
116     HMAC_CTX_free(ctx->old_ctx);
117 }
118 
ssl_hmac_old_init(SSL_HMAC * ctx,void * key,size_t len,char * md)119 int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
120 {
121     return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
122 }
123 
ssl_hmac_old_update(SSL_HMAC * ctx,const unsigned char * data,size_t len)124 int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
125 {
126     return HMAC_Update(ctx->old_ctx, data, len);
127 }
128 
ssl_hmac_old_final(SSL_HMAC * ctx,unsigned char * md,size_t * len)129 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
130 {
131     unsigned int l;
132 
133     if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
134         if (len != NULL)
135             *len = l;
136         return 1;
137     }
138 
139     return 0;
140 }
141 
ssl_hmac_old_size(const SSL_HMAC * ctx)142 size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
143 {
144     return HMAC_size(ctx->old_ctx);
145 }
146 
ssl_hmac_get0_HMAC_CTX(SSL_HMAC * ctx)147 HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
148 {
149     return ctx->old_ctx;
150 }
151 
152 /* Some deprecated public APIs pass DH objects */
ssl_dh_to_pkey(DH * dh)153 EVP_PKEY *ssl_dh_to_pkey(DH *dh)
154 {
155 # ifndef OPENSSL_NO_DH
156     EVP_PKEY *ret;
157 
158     if (dh == NULL)
159         return NULL;
160     ret = EVP_PKEY_new();
161     if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
162         EVP_PKEY_free(ret);
163         return NULL;
164     }
165     return ret;
166 # else
167     return NULL;
168 # endif
169 }
170 
171 /* Some deprecated public APIs pass EC_KEY objects */
ssl_set_tmp_ecdh_groups(uint16_t ** pext,size_t * pextlen,void * key)172 int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
173                             void *key)
174 {
175 #  ifndef OPENSSL_NO_EC
176     const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
177     int nid;
178 
179     if (group == NULL) {
180         ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
181         return 0;
182     }
183     nid = EC_GROUP_get_curve_name(group);
184     if (nid == NID_undef)
185         return 0;
186     return tls1_set_groups(pext, pextlen, &nid, 1);
187 #  else
188     return 0;
189 #  endif
190 }
191 
192 /*
193  * Set the callback for generating temporary DH keys.
194  * ctx: the SSL context.
195  * dh: the callback
196  */
197 # if !defined(OPENSSL_NO_DH)
SSL_CTX_set_tmp_dh_callback(SSL_CTX * ctx,DH * (* dh)(SSL * ssl,int is_export,int keylength))198 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
199                                  DH *(*dh) (SSL *ssl, int is_export,
200                                             int keylength))
201 {
202     SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
203 }
204 
SSL_set_tmp_dh_callback(SSL * ssl,DH * (* dh)(SSL * ssl,int is_export,int keylength))205 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
206                                                   int keylength))
207 {
208     SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
209 }
210 # endif
211 #endif /* OPENSSL_NO_DEPRECATED */
212