1
/*
2
 * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/* We need to use some engine and HMAC deprecated APIs */
11
#define OPENSSL_SUPPRESS_DEPRECATED
12

13
#include <openssl/engine.h>
14
#include "ssl_local.h"
15
#include "internal/ssl_unwrap.h"
16

17
/*
18
 * Engine APIs are only used to support applications that still use ENGINEs.
19
 * Once ENGINE is removed completely, all of this code can also be removed.
20
 */
21

22
#ifndef OPENSSL_NO_ENGINE
23
void tls_engine_finish(ENGINE *e)
24
{
25
    ENGINE_finish(e);
26
}
27
#endif
28

29
const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
30
{
31
    const EVP_CIPHER *ret = NULL;
32
#ifndef OPENSSL_NO_ENGINE
33
    ENGINE *eng;
34

35
    /*
36
     * If there is an Engine available for this cipher we use the "implicit"
37
     * form to ensure we use that engine later.
38
     */
39
    eng = ENGINE_get_cipher_engine(nid);
40
    if (eng != NULL) {
41
        ret = ENGINE_get_cipher(eng, nid);
42
        ENGINE_finish(eng);
43
    }
44
#endif
45
    return ret;
46
}
47

48
const EVP_MD *tls_get_digest_from_engine(int nid)
49
{
50
    const EVP_MD *ret = NULL;
51
#ifndef OPENSSL_NO_ENGINE
52
    ENGINE *eng;
53

54
    /*
55
     * If there is an Engine available for this digest we use the "implicit"
56
     * form to ensure we use that engine later.
57
     */
58
    eng = ENGINE_get_digest_engine(nid);
59
    if (eng != NULL) {
60
        ret = ENGINE_get_digest(eng, nid);
61
        ENGINE_finish(eng);
62
    }
63
#endif
64
    return ret;
65
}
66

67
#ifndef OPENSSL_NO_ENGINE
68
int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
69
    EVP_PKEY **ppkey)
70
{
71
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
72

73
    return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
74
        ssl,
75
        SSL_get_client_CA_list(ssl),
76
        px509, ppkey, NULL, NULL, NULL);
77
}
78
#endif
79

80
#ifndef OPENSSL_NO_ENGINE
81
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
82
{
83
    if (!ENGINE_init(e)) {
84
        ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
85
        return 0;
86
    }
87
    if (!ENGINE_get_ssl_client_cert_function(e)) {
88
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
89
        ENGINE_finish(e);
90
        return 0;
91
    }
92
    ctx->client_cert_engine = e;
93
    return 1;
94
}
95
#endif
96

97
/*
98
 * The HMAC APIs below are only used to support the deprecated public API
99
 * macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
100
 * takes an HMAC_CTX in its argument list. The preferred alternative is
101
 * SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
102
 * SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
103
 * be removed.
104
 */
105
#ifndef OPENSSL_NO_DEPRECATED_3_0
106
int ssl_hmac_old_new(SSL_HMAC *ret)
107
{
108
    ret->old_ctx = HMAC_CTX_new();
109
    if (ret->old_ctx == NULL)
110
        return 0;
111

112
    return 1;
113
}
114

115
void ssl_hmac_old_free(SSL_HMAC *ctx)
116
{
117
    HMAC_CTX_free(ctx->old_ctx);
118
}
119

120
int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
121
{
122
    return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
123
}
124

125
int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
126
{
127
    return HMAC_Update(ctx->old_ctx, data, len);
128
}
129

130
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
131
{
132
    unsigned int l;
133

134
    if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
135
        if (len != NULL)
136
            *len = l;
137
        return 1;
138
    }
139

140
    return 0;
141
}
142

143
size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
144
{
145
    return HMAC_size(ctx->old_ctx);
146
}
147

148
HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
149
{
150
    return ctx->old_ctx;
151
}
152

153
/* Some deprecated public APIs pass DH objects */
154
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
155
{
156
#ifndef OPENSSL_NO_DH
157
    EVP_PKEY *ret;
158

159
    if (dh == NULL)
160
        return NULL;
161
    ret = EVP_PKEY_new();
162
    if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
163
        EVP_PKEY_free(ret);
164
        return NULL;
165
    }
166
    return ret;
167
#else
168
    return NULL;
169
#endif
170
}
171

172
/* Some deprecated public APIs pass EC_KEY objects */
173
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
174
    uint16_t **ksext, size_t *ksextlen,
175
    size_t **tplext, size_t *tplextlen,
176
    void *key)
177
{
178
#ifndef OPENSSL_NO_EC
179
    const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
180
    int nid;
181

182
    if (group == NULL) {
183
        ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
184
        return 0;
185
    }
186
    nid = EC_GROUP_get_curve_name(group);
187
    if (nid == NID_undef)
188
        return 0;
189
    return tls1_set_groups(pext, pextlen,
190
        ksext, ksextlen,
191
        tplext, tplextlen,
192
        &nid, 1);
193
#else
194
    return 0;
195
#endif
196
}
197

198
/*
199
 * Set the callback for generating temporary DH keys.
200
 * ctx: the SSL context.
201
 * dh: the callback
202
 */
203
#if !defined(OPENSSL_NO_DH)
204
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
205
    DH *(*dh)(SSL *ssl, int is_export,
206
        int keylength))
207
{
208
    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
209
}
210

211
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export, int keylength))
212
{
213
    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
214
}
215
#endif
216
#endif /* OPENSSL_NO_DEPRECATED */
217

218