mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
38b051a1fe
Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
212 lines
5.2 KiB
C
212 lines
5.2 KiB
C
/*
|
|
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/* We need to use some engine and HMAC deprecated APIs */
|
|
#define OPENSSL_SUPPRESS_DEPRECATED
|
|
|
|
#include <openssl/engine.h>
|
|
#include "ssl_local.h"
|
|
|
|
/*
|
|
* Engine APIs are only used to support applications that still use ENGINEs.
|
|
* Once ENGINE is removed completely, all of this code can also be removed.
|
|
*/
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
void tls_engine_finish(ENGINE *e)
|
|
{
|
|
ENGINE_finish(e);
|
|
}
|
|
#endif
|
|
|
|
const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
|
|
{
|
|
const EVP_CIPHER *ret = NULL;
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
ENGINE *eng;
|
|
|
|
/*
|
|
* If there is an Engine available for this cipher we use the "implicit"
|
|
* form to ensure we use that engine later.
|
|
*/
|
|
eng = ENGINE_get_cipher_engine(nid);
|
|
if (eng != NULL) {
|
|
ret = ENGINE_get_cipher(eng, nid);
|
|
ENGINE_finish(eng);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
const EVP_MD *tls_get_digest_from_engine(int nid)
|
|
{
|
|
const EVP_MD *ret = NULL;
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
ENGINE *eng;
|
|
|
|
/*
|
|
* If there is an Engine available for this digest we use the "implicit"
|
|
* form to ensure we use that engine later.
|
|
*/
|
|
eng = ENGINE_get_digest_engine(nid);
|
|
if (eng != NULL) {
|
|
ret = ENGINE_get_digest(eng, nid);
|
|
ENGINE_finish(eng);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int tls_engine_load_ssl_client_cert(SSL_CONNECTION *s, X509 **px509,
|
|
EVP_PKEY **ppkey)
|
|
{
|
|
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
|
|
|
|
return ENGINE_load_ssl_client_cert(SSL_CONNECTION_GET_CTX(s)->client_cert_engine,
|
|
ssl,
|
|
SSL_get_client_CA_list(ssl),
|
|
px509, ppkey, NULL, NULL, NULL);
|
|
}
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
|
|
{
|
|
if (!ENGINE_init(e)) {
|
|
ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
|
|
return 0;
|
|
}
|
|
if (!ENGINE_get_ssl_client_cert_function(e)) {
|
|
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
|
|
ENGINE_finish(e);
|
|
return 0;
|
|
}
|
|
ctx->client_cert_engine = e;
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* The HMAC APIs below are only used to support the deprecated public API
|
|
* macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
|
|
* takes an HMAC_CTX in its argument list. The preferred alternative is
|
|
* SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
|
|
* SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
|
|
* be removed.
|
|
*/
|
|
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
|
int ssl_hmac_old_new(SSL_HMAC *ret)
|
|
{
|
|
ret->old_ctx = HMAC_CTX_new();
|
|
if (ret->old_ctx == NULL)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
void ssl_hmac_old_free(SSL_HMAC *ctx)
|
|
{
|
|
HMAC_CTX_free(ctx->old_ctx);
|
|
}
|
|
|
|
int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
|
|
{
|
|
return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
|
|
}
|
|
|
|
int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
|
|
{
|
|
return HMAC_Update(ctx->old_ctx, data, len);
|
|
}
|
|
|
|
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
|
|
{
|
|
unsigned int l;
|
|
|
|
if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
|
|
if (len != NULL)
|
|
*len = l;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
|
|
{
|
|
return HMAC_size(ctx->old_ctx);
|
|
}
|
|
|
|
HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
|
|
{
|
|
return ctx->old_ctx;
|
|
}
|
|
|
|
/* Some deprecated public APIs pass DH objects */
|
|
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
|
|
{
|
|
# ifndef OPENSSL_NO_DH
|
|
EVP_PKEY *ret;
|
|
|
|
if (dh == NULL)
|
|
return NULL;
|
|
ret = EVP_PKEY_new();
|
|
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
|
|
EVP_PKEY_free(ret);
|
|
return NULL;
|
|
}
|
|
return ret;
|
|
# else
|
|
return NULL;
|
|
# endif
|
|
}
|
|
|
|
/* Some deprecated public APIs pass EC_KEY objects */
|
|
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
|
|
void *key)
|
|
{
|
|
# ifndef OPENSSL_NO_EC
|
|
const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
|
|
int nid;
|
|
|
|
if (group == NULL) {
|
|
ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
|
|
return 0;
|
|
}
|
|
nid = EC_GROUP_get_curve_name(group);
|
|
if (nid == NID_undef)
|
|
return 0;
|
|
return tls1_set_groups(pext, pextlen, &nid, 1);
|
|
# else
|
|
return 0;
|
|
# endif
|
|
}
|
|
|
|
/*
|
|
* Set the callback for generating temporary DH keys.
|
|
* ctx: the SSL context.
|
|
* dh: the callback
|
|
*/
|
|
# if !defined(OPENSSL_NO_DH)
|
|
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
|
|
DH *(*dh) (SSL *ssl, int is_export,
|
|
int keylength))
|
|
{
|
|
SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|
}
|
|
|
|
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
|
|
int keylength))
|
|
{
|
|
SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|
}
|
|
# endif
|
|
#endif /* OPENSSL_NO_DEPRECATED */
|