1/*
2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/* We need to use some engine and HMAC deprecated APIs */
11#define OPENSSL_SUPPRESS_DEPRECATED
12
13#include <openssl/engine.h>
14#include "ssl_local.h"
15
16/*
17 * Engine APIs are only used to support applications that still use ENGINEs.
18 * Once ENGINE is removed completely, all of this code can also be removed.
19 */
20
21#ifndef OPENSSL_NO_ENGINE
22void tls_engine_finish(ENGINE *e)
23{
24    ENGINE_finish(e);
25}
26#endif
27
28const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
29{
30    const EVP_CIPHER *ret = NULL;
31#ifndef OPENSSL_NO_ENGINE
32    ENGINE *eng;
33
34    /*
35     * If there is an Engine available for this cipher we use the "implicit"
36     * form to ensure we use that engine later.
37     */
38    eng = ENGINE_get_cipher_engine(nid);
39    if (eng != NULL) {
40        ret = ENGINE_get_cipher(eng, nid);
41        ENGINE_finish(eng);
42    }
43#endif
44    return ret;
45}
46
47const EVP_MD *tls_get_digest_from_engine(int nid)
48{
49    const EVP_MD *ret = NULL;
50#ifndef OPENSSL_NO_ENGINE
51    ENGINE *eng;
52
53    /*
54     * If there is an Engine available for this digest we use the "implicit"
55     * form to ensure we use that engine later.
56     */
57    eng = ENGINE_get_digest_engine(nid);
58    if (eng != NULL) {
59        ret = ENGINE_get_digest(eng, nid);
60        ENGINE_finish(eng);
61    }
62#endif
63    return ret;
64}
65
66#ifndef OPENSSL_NO_ENGINE
67int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
68{
69    return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
70                                       SSL_get_client_CA_list(s),
71                                       px509, ppkey, NULL, NULL, NULL);
72}
73#endif
74
75#ifndef OPENSSL_NO_ENGINE
76int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
77{
78    if (!ENGINE_init(e)) {
79        ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
80        return 0;
81    }
82    if (!ENGINE_get_ssl_client_cert_function(e)) {
83        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
84        ENGINE_finish(e);
85        return 0;
86    }
87    ctx->client_cert_engine = e;
88    return 1;
89}
90#endif
91
92/*
93 * The HMAC APIs below are only used to support the deprecated public API
94 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
95 * takes an HMAC_CTX in its argument list. The preferred alternative is
96 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
97 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
98 * be removed.
99 */
100#ifndef OPENSSL_NO_DEPRECATED_3_0
101int ssl_hmac_old_new(SSL_HMAC *ret)
102{
103    ret->old_ctx = HMAC_CTX_new();
104    if (ret->old_ctx == NULL)
105        return 0;
106
107    return 1;
108}
109
110void ssl_hmac_old_free(SSL_HMAC *ctx)
111{
112    HMAC_CTX_free(ctx->old_ctx);
113}
114
115int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
116{
117    return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
118}
119
120int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
121{
122    return HMAC_Update(ctx->old_ctx, data, len);
123}
124
125int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
126{
127    unsigned int l;
128
129    if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
130        if (len != NULL)
131            *len = l;
132        return 1;
133    }
134
135    return 0;
136}
137
138size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
139{
140    return HMAC_size(ctx->old_ctx);
141}
142
143HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
144{
145    return ctx->old_ctx;
146}
147
148/* Some deprecated public APIs pass DH objects */
149EVP_PKEY *ssl_dh_to_pkey(DH *dh)
150{
151# ifndef OPENSSL_NO_DH
152    EVP_PKEY *ret;
153
154    if (dh == NULL)
155        return NULL;
156    ret = EVP_PKEY_new();
157    if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
158        EVP_PKEY_free(ret);
159        return NULL;
160    }
161    return ret;
162# else
163    return NULL;
164# endif
165}
166
167/* Some deprecated public APIs pass EC_KEY objects */
168int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
169                            void *key)
170{
171#  ifndef OPENSSL_NO_EC
172    const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
173    int nid;
174
175    if (group == NULL) {
176        ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
177        return 0;
178    }
179    nid = EC_GROUP_get_curve_name(group);
180    if (nid == NID_undef)
181        return 0;
182    return tls1_set_groups(pext, pextlen, &nid, 1);
183#  else
184    return 0;
185#  endif
186}
187
188/*
189 * Set the callback for generating temporary DH keys.
190 * ctx: the SSL context.
191 * dh: the callback
192 */
193# if !defined(OPENSSL_NO_DH)
194void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
195                                 DH *(*dh) (SSL *ssl, int is_export,
196                                            int keylength))
197{
198    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
199}
200
201void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
202                                                  int keylength))
203{
204    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
205}
206# endif
207#endif /* OPENSSL_NO_DEPRECATED */
208