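/*
 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* We need to use some engine and HMAC deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/engine.h>
#include "ssl_local.h"

/*
 * Engine APIs are only used to support applications that still use ENGINEs.
 * Once ENGINE is removed completely, all of this code can also be removed.
 */

#ifndef OPENSSL_NO_ENGINE
/*
 * Release a functional reference on |e|.
 *
 * Thin wrapper around ENGINE_finish() so that callers elsewhere in libssl do
 * not have to use the deprecated ENGINE API directly.  Pairs with the
 * reference taken in SSL_CTX_set_client_cert_engine().
 */
void tls_engine_finish(ENGINE *e)
{
    ENGINE_finish(e);
}
#endif

/*
 * Look up the cipher identified by |nid| through the ENGINE cipher table.
 *
 * If an engine provides this cipher, its EVP_CIPHER is returned in the
 * "implicit" form so that later EVP operations route through that engine.
 * Returns NULL when no engine provides the cipher or when ENGINE support is
 * compiled out.  The functional reference obtained from
 * ENGINE_get_cipher_engine() is released before returning; the returned
 * pointer is not freed here (assumed to stay valid while the engine remains
 * loaded -- confirm against the engine's lifetime rules).
 */
const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
{
    const EVP_CIPHER *ret = NULL;
#ifndef OPENSSL_NO_ENGINE
    ENGINE *eng = ENGINE_get_cipher_engine(nid);

    if (eng != NULL) {
        ret = ENGINE_get_cipher(eng, nid);
        ENGINE_finish(eng);
    }
#endif
    return ret;
}

/*
 * Look up the digest identified by |nid| through the ENGINE digest table.
 *
 * Same contract as tls_get_cipher_from_engine(): the engine's EVP_MD in
 * "implicit" form, or NULL when no engine provides it or ENGINE support is
 * compiled out.  The functional reference is released before returning.
 */
const EVP_MD *tls_get_digest_from_engine(int nid)
{
    const EVP_MD *ret = NULL;
#ifndef OPENSSL_NO_ENGINE
    ENGINE *eng = ENGINE_get_digest_engine(nid);

    if (eng != NULL) {
        ret = ENGINE_get_digest(eng, nid);
        ENGINE_finish(eng);
    }
#endif
    return ret;
}

#ifndef OPENSSL_NO_ENGINE
/*
 * Ask the client-certificate ENGINE installed on |s|'s SSL_CTX for a
 * certificate and private key acceptable to the peer's CA list.
 *
 * |px509| and |ppkey| receive the engine's results; who owns them is decided
 * by the ENGINE_load_ssl_client_cert() contract, not here.  The return value
 * is passed through unchanged (1 on success, 0 on failure).
 *
 * NOTE(review): s->ctx->client_cert_engine is not NULL-checked here -
 * presumably callers test it before calling; confirm at the call sites.
 */
int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
    return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
                                       SSL_get_client_CA_list(s),
                                       px509, ppkey, NULL, NULL, NULL);
}
#endif

#ifndef OPENSSL_NO_ENGINE
/*
 * Install |e| as the ENGINE used to load a client certificate and key on
 * demand (see tls_engine_load_ssl_client_cert()).
 *
 * A functional reference on |e| is taken with ENGINE_init() and held by
 * |ctx| until it is replaced (presumably released via tls_engine_finish()
 * when the context is torn down - not visible in this file).  If |e| has no
 * SSL client certificate method the reference is released again and 0 is
 * returned with SSL_R_NO_CLIENT_CERT_METHOD queued; an ENGINE_init() failure
 * returns 0 with ERR_R_ENGINE_LIB queued.  Returns 1 on success.
 */
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
{
    if (!ENGINE_init(e)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
        return 0;
    }
    if (!ENGINE_get_ssl_client_cert_function(e)) {
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
        ENGINE_finish(e);
        return 0;
    }
    /*
     * Drop the functional reference held on any previously installed engine;
     * without this, calling SSL_CTX_set_client_cert_engine() a second time
     * leaks that reference for the life of the process.  ENGINE_finish(NULL)
     * is a no-op, and when |e| is the engine already installed the
     * ENGINE_init() above keeps its reference count balanced.
     */
    ENGINE_finish(ctx->client_cert_engine);
    ctx->client_cert_engine = e;
    return 1;
}
#endif

/*
 * The HMAC APIs below are only used to support the deprecated public API
 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
 * takes an HMAC_CTX in its argument list. The preferred alternative is
 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
 * be removed.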
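 */
#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Allocate the legacy HMAC_CTX backing |ret|.
 * Returns 1 on success, 0 if HMAC_CTX_new() failed.
 */
int ssl_hmac_old_new(SSL_HMAC *ret)
{
    ret->old_ctx = HMAC_CTX_new();
    return ret->old_ctx != NULL;
}

/* Release the legacy HMAC_CTX owned by |ctx| (HMAC_CTX_free() accepts NULL). */
void ssl_hmac_old_free(SSL_HMAC *ctx)
{
    HMAC_CTX_free(ctx->old_ctx);
}

/*
 * Start a MAC computation on the legacy context.
 *
 * key/len: the HMAC key and its length in bytes.
 * md:      digest name, resolved with EVP_get_digestbyname().
 *
 * Returns 1 on success, 0 on failure (unknown digest, oversized key, or an
 * HMAC_Init_ex() error).
 */
int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
{
    /*
     * HMAC_Init_ex() takes the key length as an int.  A size_t that does not
     * survive the round trip through int would be handed over as a negative
     * or truncated length, so reject it instead of converting silently.
     */
    if ((int)len < 0 || (size_t)(int)len != len) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
        return 0;
    }
    return HMAC_Init_ex(ctx->old_ctx, key, (int)len, EVP_get_digestbyname(md),
                        NULL);
}

/* Feed |len| bytes of |data| into the MAC.  Returns HMAC_Update()'s result. */
int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
{
    return HMAC_Update(ctx->old_ctx, data, len);
}

/*
 * Finish the MAC and write it to |md|.
 *
 * |md| must have room for ssl_hmac_old_size() bytes.  If |len| is non-NULL it
 * receives the number of bytes written.  Returns 1 on success, 0 on failure
 * (in which case *len is left untouched).
 */
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
{
    unsigned int outlen = 0;

    if (HMAC_Final(ctx->old_ctx, md, &outlen) <= 0)
        return 0;
    if (len != NULL)
        *len = outlen;
    return 1;
}

/* Output size in bytes of the MAC currently configured on |ctx|. */
size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
{
    return HMAC_size(ctx->old_ctx);
}

/*
 * Borrow the underlying HMAC_CTX (no ownership transfer) so it can be handed
 * to an application callback registered with SSL_CTX_set_tlsext_ticket_key_cb().
 */
HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
{
    return ctx->old_ctx;
}

/*
 * Some deprecated public APIs pass DH objects.
 *
 * Wrap |dh| in a freshly allocated EVP_PKEY.  EVP_PKEY_set1_DH() takes its
 * own reference on |dh|, so the caller keeps its reference and owns the
 * returned EVP_PKEY.  Returns NULL if |dh| is NULL, if DH support is compiled
 * out, or on allocation/assignment failure.
 */
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
# ifndef OPENSSL_NO_DH
    EVP_PKEY *ret;

    if (dh == NULL)
        return NULL;
    ret = EVP_PKEY_new();
    /* Fail explicitly here rather than handing a NULL pkey to set1_DH. */
    if (ret == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
        return NULL;
    }
    if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
        EVP_PKEY_free(ret);
        return NULL;
    }
    return ret;
# else
    return NULL;
# endif
}

/*
 * Some deprecated public APIs pass EC_KEY objects.
 *
 * Derive the single supported-groups entry from the named curve of |key|
 * (an EC_KEY passed as void *) and install it via tls1_set_groups().
 * Returns 0 if |key| is NULL, has no group, uses a curve without a NID
 * (no error is queued in that last case), or if EC support is compiled out.
 */
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
                            void *key)
{
# ifndef OPENSSL_NO_EC
    const EC_GROUP *group;
    int nid;

    /* EC_KEY_get0_group() dereferences its argument, so guard NULL first. */
    if (key == NULL) {
        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    group = EC_KEY_get0_group((const EC_KEY *)key);
    if (group == NULL) {
        ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
        return 0;
    }
    nid = EC_GROUP_get_curve_name(group);
    if (nid == NID_undef)
        return 0;
    return tls1_set_groups(pext, pextlen, &nid, 1);
# else
    return 0;
# endif
}
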
/*
 * Set the callback for generating temporary DH keys.
 *
 * ctx / ssl: the SSL context or connection the callback is attached to.
 * dh:        the callback, invoked as dh(ssl, is_export, keylength).
 *
 * Both setters only forward to the generic callback_ctrl entry point under
 * SSL_CTRL_SET_TMP_DH_CB; the cast through a generic function pointer type is
 * the calling convention that entry point expects.
 */
# if !defined(OPENSSL_NO_DH)
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
                                 DH *(*dh) (SSL *ssl, int is_export,
                                            int keylength))
{
    void (*generic_cb)(void) = (void (*)(void))dh;

    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, generic_cb);
}

void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
                                                  int keylength))
{
    void (*generic_cb)(void) = (void (*)(void))dh;

    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, generic_cb);
}
# endif
#endif /* OPENSSL_NO_DEPRECATED */