| 1 | /*
|
|---|
| 2 | * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 3 | *
|
|---|
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
|---|
| 6 | * in the file LICENSE in the source distribution or at
|
|---|
| 7 | * https://www.openssl.org/source/license.html
|
|---|
| 8 | */
|
|---|
| 9 |
|
|---|
| 10 | /* We need to use some engine and HMAC deprecated APIs */
|
|---|
| 11 | #define OPENSSL_SUPPRESS_DEPRECATED
|
|---|
| 12 |
|
|---|
| 13 | #include <openssl/engine.h>
|
|---|
| 14 | #include "ssl_local.h"
|
|---|
| 15 |
|
|---|
| 16 | /*
|
|---|
| 17 | * Engine APIs are only used to support applications that still use ENGINEs.
|
|---|
| 18 | * Once ENGINE is removed completely, all of this code can also be removed.
|
|---|
| 19 | */
|
|---|
| 20 |
|
|---|
| 21 | #ifndef OPENSSL_NO_ENGINE
|
|---|
| 22 | void tls_engine_finish(ENGINE *e)
|
|---|
| 23 | {
|
|---|
| 24 | ENGINE_finish(e);
|
|---|
| 25 | }
|
|---|
| 26 | #endif
|
|---|
| 27 |
|
|---|
| 28 | const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
|
|---|
| 29 | {
|
|---|
| 30 | const EVP_CIPHER *ret = NULL;
|
|---|
| 31 | #ifndef OPENSSL_NO_ENGINE
|
|---|
| 32 | ENGINE *eng;
|
|---|
| 33 |
|
|---|
| 34 | /*
|
|---|
| 35 | * If there is an Engine available for this cipher we use the "implicit"
|
|---|
| 36 | * form to ensure we use that engine later.
|
|---|
| 37 | */
|
|---|
| 38 | eng = ENGINE_get_cipher_engine(nid);
|
|---|
| 39 | if (eng != NULL) {
|
|---|
| 40 | ret = ENGINE_get_cipher(eng, nid);
|
|---|
| 41 | ENGINE_finish(eng);
|
|---|
| 42 | }
|
|---|
| 43 | #endif
|
|---|
| 44 | return ret;
|
|---|
| 45 | }
|
|---|
| 46 |
|
|---|
| 47 | const EVP_MD *tls_get_digest_from_engine(int nid)
|
|---|
| 48 | {
|
|---|
| 49 | const EVP_MD *ret = NULL;
|
|---|
| 50 | #ifndef OPENSSL_NO_ENGINE
|
|---|
| 51 | ENGINE *eng;
|
|---|
| 52 |
|
|---|
| 53 | /*
|
|---|
| 54 | * If there is an Engine available for this digest we use the "implicit"
|
|---|
| 55 | * form to ensure we use that engine later.
|
|---|
| 56 | */
|
|---|
| 57 | eng = ENGINE_get_digest_engine(nid);
|
|---|
| 58 | if (eng != NULL) {
|
|---|
| 59 | ret = ENGINE_get_digest(eng, nid);
|
|---|
| 60 | ENGINE_finish(eng);
|
|---|
| 61 | }
|
|---|
| 62 | #endif
|
|---|
| 63 | return ret;
|
|---|
| 64 | }
|
|---|
| 65 |
|
|---|
| 66 | #ifndef OPENSSL_NO_ENGINE
|
|---|
| 67 | int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
|
|---|
| 68 | EVP_PKEY **ppkey)
|
|---|
| 69 | {
|
|---|
| 70 | SSL *ssl = SSL_CONNECTION_GET_SSL(s);
|
|---|
| 71 |
|
|---|
| 72 | return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
|
|---|
| 73 | ssl,
|
|---|
| 74 | SSL_get_client_CA_list(ssl),
|
|---|
| 75 | px509, ppkey, NULL, NULL, NULL);
|
|---|
| 76 | }
|
|---|
| 77 | #endif
|
|---|
| 78 |
|
|---|
| 79 | #ifndef OPENSSL_NO_ENGINE
|
|---|
| 80 | int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
|
|---|
| 81 | {
|
|---|
| 82 | if (!ENGINE_init(e)) {
|
|---|
| 83 | ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
|
|---|
| 84 | return 0;
|
|---|
| 85 | }
|
|---|
| 86 | if (!ENGINE_get_ssl_client_cert_function(e)) {
|
|---|
| 87 | ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
|
|---|
| 88 | ENGINE_finish(e);
|
|---|
| 89 | return 0;
|
|---|
| 90 | }
|
|---|
| 91 | ctx->client_cert_engine = e;
|
|---|
| 92 | return 1;
|
|---|
| 93 | }
|
|---|
| 94 | #endif
|
|---|
| 95 |
|
|---|
| 96 | /*
|
|---|
| 97 | * The HMAC APIs below are only used to support the deprecated public API
|
|---|
| 98 | * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
|
|---|
| 99 | * takes an HMAC_CTX in its argument list. The preferred alternative is
|
|---|
| 100 | * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
|
|---|
| 101 | * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
|
|---|
| 102 | * be removed.
|
|---|
| 103 | */
|
|---|
| 104 | #ifndef OPENSSL_NO_DEPRECATED_3_0
|
|---|
| 105 | int ssl_hmac_old_new(SSL_HMAC *ret)
|
|---|
| 106 | {
|
|---|
| 107 | ret->old_ctx = HMAC_CTX_new();
|
|---|
| 108 | if (ret->old_ctx == NULL)
|
|---|
| 109 | return 0;
|
|---|
| 110 |
|
|---|
| 111 | return 1;
|
|---|
| 112 | }
|
|---|
| 113 |
|
|---|
| 114 | void ssl_hmac_old_free(SSL_HMAC *ctx)
|
|---|
| 115 | {
|
|---|
| 116 | HMAC_CTX_free(ctx->old_ctx);
|
|---|
| 117 | }
|
|---|
| 118 |
|
|---|
| 119 | int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
|
|---|
| 120 | {
|
|---|
| 121 | return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
|
|---|
| 122 | }
|
|---|
| 123 |
|
|---|
| 124 | int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
|
|---|
| 125 | {
|
|---|
| 126 | return HMAC_Update(ctx->old_ctx, data, len);
|
|---|
| 127 | }
|
|---|
| 128 |
|
|---|
| 129 | int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
|
|---|
| 130 | {
|
|---|
| 131 | unsigned int l;
|
|---|
| 132 |
|
|---|
| 133 | if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
|
|---|
| 134 | if (len != NULL)
|
|---|
| 135 | *len = l;
|
|---|
| 136 | return 1;
|
|---|
| 137 | }
|
|---|
| 138 |
|
|---|
| 139 | return 0;
|
|---|
| 140 | }
|
|---|
| 141 |
|
|---|
| 142 | size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
|
|---|
| 143 | {
|
|---|
| 144 | return HMAC_size(ctx->old_ctx);
|
|---|
| 145 | }
|
|---|
| 146 |
|
|---|
| 147 | HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
|
|---|
| 148 | {
|
|---|
| 149 | return ctx->old_ctx;
|
|---|
| 150 | }
|
|---|
| 151 |
|
|---|
| 152 | /* Some deprecated public APIs pass DH objects */
|
|---|
| 153 | EVP_PKEY *ssl_dh_to_pkey(DH *dh)
|
|---|
| 154 | {
|
|---|
| 155 | # ifndef OPENSSL_NO_DH
|
|---|
| 156 | EVP_PKEY *ret;
|
|---|
| 157 |
|
|---|
| 158 | if (dh == NULL)
|
|---|
| 159 | return NULL;
|
|---|
| 160 | ret = EVP_PKEY_new();
|
|---|
| 161 | if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
|
|---|
| 162 | EVP_PKEY_free(ret);
|
|---|
| 163 | return NULL;
|
|---|
| 164 | }
|
|---|
| 165 | return ret;
|
|---|
| 166 | # else
|
|---|
| 167 | return NULL;
|
|---|
| 168 | # endif
|
|---|
| 169 | }
|
|---|
| 170 |
|
|---|
| 171 | /* Some deprecated public APIs pass EC_KEY objects */
|
|---|
| 172 | int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
|
|---|
| 173 | void *key)
|
|---|
| 174 | {
|
|---|
| 175 | # ifndef OPENSSL_NO_EC
|
|---|
| 176 | const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
|
|---|
| 177 | int nid;
|
|---|
| 178 |
|
|---|
| 179 | if (group == NULL) {
|
|---|
| 180 | ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
|
|---|
| 181 | return 0;
|
|---|
| 182 | }
|
|---|
| 183 | nid = EC_GROUP_get_curve_name(group);
|
|---|
| 184 | if (nid == NID_undef)
|
|---|
| 185 | return 0;
|
|---|
| 186 | return tls1_set_groups(pext, pextlen, &nid, 1);
|
|---|
| 187 | # else
|
|---|
| 188 | return 0;
|
|---|
| 189 | # endif
|
|---|
| 190 | }
|
|---|
| 191 |
|
|---|
| 192 | /*
|
|---|
| 193 | * Set the callback for generating temporary DH keys.
|
|---|
| 194 | * ctx: the SSL context.
|
|---|
| 195 | * dh: the callback
|
|---|
| 196 | */
|
|---|
| 197 | # if !defined(OPENSSL_NO_DH)
|
|---|
| 198 | void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
|
|---|
| 199 | DH *(*dh) (SSL *ssl, int is_export,
|
|---|
| 200 | int keylength))
|
|---|
| 201 | {
|
|---|
| 202 | SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|---|
| 203 | }
|
|---|
| 204 |
|
|---|
| 205 | void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
|
|---|
| 206 | int keylength))
|
|---|
| 207 | {
|
|---|
| 208 | SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|---|
| 209 | }
|
|---|
| 210 | # endif
|
|---|
| 211 | #endif /* OPENSSL_NO_DEPRECATED */
|
|---|
