1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
/*
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* We need to use some engine and HMAC deprecated APIs */
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/engine.h>
#include "ssl_local.h"
/*
* Engine APIs are only used to support applications that still use ENGINEs.
* Once ENGINE is removed completely, all of this code can also be removed.
*/
#ifndef OPENSSL_NO_ENGINE
void tls_engine_finish(ENGINE *e)
{
ENGINE_finish(e);
}
#endif
const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
{
const EVP_CIPHER *ret = NULL;
#ifndef OPENSSL_NO_ENGINE
ENGINE *eng;
/*
* If there is an Engine available for this cipher we use the "implicit"
* form to ensure we use that engine later.
*/
eng = ENGINE_get_cipher_engine(nid);
if (eng != NULL) {
ret = ENGINE_get_cipher(eng, nid);
ENGINE_finish(eng);
}
#endif
return ret;
}
const EVP_MD *tls_get_digest_from_engine(int nid)
{
const EVP_MD *ret = NULL;
#ifndef OPENSSL_NO_ENGINE
ENGINE *eng;
/*
* If there is an Engine available for this digest we use the "implicit"
* form to ensure we use that engine later.
*/
eng = ENGINE_get_digest_engine(nid);
if (eng != NULL) {
ret = ENGINE_get_digest(eng, nid);
ENGINE_finish(eng);
}
#endif
return ret;
}
#ifndef OPENSSL_NO_ENGINE
int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
SSL_get_client_CA_list(s),
px509, ppkey, NULL, NULL, NULL);
}
#endif
#ifndef OPENSSL_NO_ENGINE
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
{
if (!ENGINE_init(e)) {
ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
return 0;
}
if (!ENGINE_get_ssl_client_cert_function(e)) {
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
ENGINE_finish(e);
return 0;
}
ctx->client_cert_engine = e;
return 1;
}
#endif
/*
* The HMAC APIs below are only used to support the deprecated public API
* macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
* takes an HMAC_CTX in its argument list. The preferred alternative is
* SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
* SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
* be removed.
*/
#ifndef OPENSSL_NO_DEPRECATED_3_0
int ssl_hmac_old_new(SSL_HMAC *ret)
{
ret->old_ctx = HMAC_CTX_new();
if (ret->old_ctx == NULL)
return 0;
return 1;
}
void ssl_hmac_old_free(SSL_HMAC *ctx)
{
HMAC_CTX_free(ctx->old_ctx);
}
int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
{
return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
}
int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
{
return HMAC_Update(ctx->old_ctx, data, len);
}
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
{
unsigned int l;
if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
if (len != NULL)
*len = l;
return 1;
}
return 0;
}
size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
{
return HMAC_size(ctx->old_ctx);
}
HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
{
return ctx->old_ctx;
}
/* Some deprecated public APIs pass DH objects */
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
# ifndef OPENSSL_NO_DH
EVP_PKEY *ret;
if (dh == NULL)
return NULL;
ret = EVP_PKEY_new();
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
EVP_PKEY_free(ret);
return NULL;
}
return ret;
# else
return NULL;
# endif
}
/* Some deprecated public APIs pass EC_KEY objects */
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
void *key)
{
# ifndef OPENSSL_NO_EC
const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
int nid;
if (group == NULL) {
ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
return 0;
}
nid = EC_GROUP_get_curve_name(group);
if (nid == NID_undef)
return 0;
return tls1_set_groups(pext, pextlen, &nid, 1);
# else
return 0;
# endif
}
/*
* Set the callback for generating temporary DH keys.
* ctx: the SSL context.
* dh: the callback
*/
# if !defined(OPENSSL_NO_DH)
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
int keylength))
{
SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
int keylength))
{
SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
}
# endif
#endif /* OPENSSL_NO_DEPRECATED */
|
