]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
More tweaks for comments due indent issues
[thirdparty/openssl.git] / ssl / ssl_rsa.c
CommitLineData
d02b48c6 1/* ssl/ssl_rsa.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
7b63c0fa 60#include "ssl_locl.h"
ec577822
BM		 61#include <openssl/bio.h>
62#include <openssl/objects.h>
63#include <openssl/evp.h>
64#include <openssl/x509.h>
65#include <openssl/pem.h>
d02b48c6 66
d02b48c6
RE		 67static int ssl_set_cert(CERT *c, X509 *x509);
68static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
6b691a5c 69int SSL_use_certificate(SSL *ssl, X509 *x)
d02b48c6 70 {
b362ccab 71 int rv;
d02b48c6
RE		 72 if (x == NULL)
73 {
74 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
75 return(0);
76 }
b362ccab
DSH		 77 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
78 if (rv != 1)
79 {
80 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
81 return 0;
82 }
83
ca8e5b9b 84 if (!ssl_cert_inst(&ssl->cert))
d02b48c6 85 {
15d21c2d
RE		 86 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
87 return(0);
d02b48c6 88 }
15d21c2d 89 return(ssl_set_cert(ssl->cert,x));
d02b48c6
RE		 90 }
91
bc36ee62 92#ifndef OPENSSL_NO_STDIO
303c0028 93int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
d02b48c6
RE		 94 {
95 int j;
96 BIO *in;
97 int ret=0;
98 X509 *x=NULL;
99
58964a49 100 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 101 if (in == NULL)
102 {
103 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
104 goto end;
105 }
106
107 if (BIO_read_filename(in,file) <= 0)
108 {
d02b48c6
RE		 109 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
110 goto end;
111 }
112 if (type == SSL_FILETYPE_ASN1)
113 {
114 j=ERR_R_ASN1_LIB;
115 x=d2i_X509_bio(in,NULL);
116 }
117 else if (type == SSL_FILETYPE_PEM)
118 {
119 j=ERR_R_PEM_LIB;
74678cc2 120 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
d02b48c6
RE		 121 }
122 else
123 {
124 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
125 goto end;
126 }
127
128 if (x == NULL)
129 {
130 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
131 goto end;
132 }
133
134 ret=SSL_use_certificate(ssl,x);
135end:
136 if (x != NULL) X509_free(x);
137 if (in != NULL) BIO_free(in);
138 return(ret);
139 }
58964a49 140#endif
d02b48c6 141
875a644a 142int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
d02b48c6
RE		 143 {
144 X509 *x;
145 int ret;
146
147 x=d2i_X509(NULL,&d,(long)len);
148 if (x == NULL)
149 {
150 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
151 return(0);
152 }
153
154 ret=SSL_use_certificate(ssl,x);
155 X509_free(x);
156 return(ret);
157 }
158
bc36ee62 159#ifndef OPENSSL_NO_RSA
6b691a5c 160int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
d02b48c6 161 {
d02b48c6
RE		 162 EVP_PKEY *pkey;
163 int ret;
164
165 if (rsa == NULL)
166 {
167 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
168 return(0);
169 }
ca8e5b9b 170 if (!ssl_cert_inst(&ssl->cert))
15d21c2d
RE		 171 {
172 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
173 return(0);
d02b48c6 174 }
d02b48c6
RE		 175 if ((pkey=EVP_PKEY_new()) == NULL)
176 {
177 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
178 return(0);
179 }
180
6ac4e8bd 181 RSA_up_ref(rsa);
d02b48c6
RE		 182 EVP_PKEY_assign_RSA(pkey,rsa);
183
15d21c2d 184 ret=ssl_set_pkey(ssl->cert,pkey);
d02b48c6
RE		 185 EVP_PKEY_free(pkey);
186 return(ret);
187 }
188#endif
189
6b691a5c 190static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
d02b48c6 191 {
6049399b 192 int i;
8e1dc4d7
DSH		 193 /* Special case for DH: check two DH certificate types for a match.
194 * This means for DH certificates we must set the certificate first.
195 */
196 if (pkey->type == EVP_PKEY_DH)
197 {
198 X509 *x;
199 i = -1;
200 x = c->pkeys[SSL_PKEY_DH_RSA].x509;
201 if (x && X509_check_private_key(x, pkey))
202 i = SSL_PKEY_DH_RSA;
203 x = c->pkeys[SSL_PKEY_DH_DSA].x509;
204 if (i == -1 && x && X509_check_private_key(x, pkey))
205 i = SSL_PKEY_DH_DSA;
206 ERR_clear_error();
207 }
208 else
209 i=ssl_cert_type(NULL,pkey);
d02b48c6
RE		 210 if (i < 0)
211 {
212 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
213 return(0);
214 }
215
216 if (c->pkeys[i].x509 != NULL)
217 {
a8236c8c
DSH		 218 EVP_PKEY *pktmp;
219 pktmp = X509_get_pubkey(c->pkeys[i].x509);
220 EVP_PKEY_copy_parameters(pktmp,pkey);
221 EVP_PKEY_free(pktmp);
dfeab068
RE		 222 ERR_clear_error();
223
bc36ee62 224#ifndef OPENSSL_NO_RSA
58964a49
RE		 225 /* Don't check the public/private key, this is mostly
226 * for smart cards. */
227 if ((pkey->type == EVP_PKEY_RSA) &&
6049399b
NL		 228 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
229 ;
58964a49
RE		 230 else
231#endif
6049399b 232 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
d02b48c6 233 {
6049399b
NL		 234 X509_free(c->pkeys[i].x509);
235 c->pkeys[i].x509 = NULL;
236 return 0;
d02b48c6 237 }
d02b48c6
RE		 238 }
239
240 if (c->pkeys[i].privatekey != NULL)
241 EVP_PKEY_free(c->pkeys[i].privatekey);
242 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
243 c->pkeys[i].privatekey=pkey;
244 c->key= &(c->pkeys[i]);
245
246 c->valid=0;
247 return(1);
248 }
249
bc36ee62
RL		 250#ifndef OPENSSL_NO_RSA
251#ifndef OPENSSL_NO_STDIO
303c0028 252int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
d02b48c6
RE		 253 {
254 int j,ret=0;
255 BIO *in;
256 RSA *rsa=NULL;
257
58964a49 258 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 259 if (in == NULL)
260 {
261 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
262 goto end;
263 }
264
265 if (BIO_read_filename(in,file) <= 0)
266 {
d02b48c6
RE		 267 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
268 goto end;
269 }
270 if (type == SSL_FILETYPE_ASN1)
271 {
272 j=ERR_R_ASN1_LIB;
273 rsa=d2i_RSAPrivateKey_bio(in,NULL);
274 }
275 else if (type == SSL_FILETYPE_PEM)
276 {
277 j=ERR_R_PEM_LIB;
278 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
74678cc2 279 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
d02b48c6
RE		 280 }
281 else
282 {
283 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
284 goto end;
285 }
286 if (rsa == NULL)
287 {
288 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
289 goto end;
290 }
291 ret=SSL_use_RSAPrivateKey(ssl,rsa);
292 RSA_free(rsa);
293end:
294 if (in != NULL) BIO_free(in);
295 return(ret);
296 }
58964a49 297#endif
d02b48c6 298
693b71fa 299int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
d02b48c6
RE		 300 {
301 int ret;
5e4ca422 302 const unsigned char *p;
d02b48c6
RE		 303 RSA *rsa;
304
305 p=d;
306 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
307 {
308 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
309 return(0);
310 }
311
312 ret=SSL_use_RSAPrivateKey(ssl,rsa);
313 RSA_free(rsa);
314 return(ret);
315 }
bc36ee62 316#endif /* !OPENSSL_NO_RSA */
d02b48c6 317
6b691a5c 318int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
d02b48c6 319 {
d02b48c6
RE		 320 int ret;
321
322 if (pkey == NULL)
323 {
324 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
325 return(0);
326 }
ca8e5b9b 327 if (!ssl_cert_inst(&ssl->cert))
15d21c2d
RE		 328 {
329 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
330 return(0);
d02b48c6 331 }
15d21c2d 332 ret=ssl_set_pkey(ssl->cert,pkey);
d02b48c6
RE		 333 return(ret);
334 }
335
bc36ee62 336#ifndef OPENSSL_NO_STDIO
303c0028 337int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
d02b48c6
RE		 338 {
339 int j,ret=0;
340 BIO *in;
341 EVP_PKEY *pkey=NULL;
342
58964a49 343 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 344 if (in == NULL)
345 {
346 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
347 goto end;
348 }
349
350 if (BIO_read_filename(in,file) <= 0)
351 {
d02b48c6
RE		 352 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
353 goto end;
354 }
355 if (type == SSL_FILETYPE_PEM)
356 {
357 j=ERR_R_PEM_LIB;
358 pkey=PEM_read_bio_PrivateKey(in,NULL,
74678cc2 359 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
d02b48c6 360 }
dc0ed30c
NL		 361 else if (type == SSL_FILETYPE_ASN1)
362 {
363 j = ERR_R_ASN1_LIB;
364 pkey = d2i_PrivateKey_bio(in,NULL);
365 }
d02b48c6
RE		 366 else
367 {
368 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
369 goto end;
370 }
371 if (pkey == NULL)
372 {
373 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
374 goto end;
375 }
376 ret=SSL_use_PrivateKey(ssl,pkey);
377 EVP_PKEY_free(pkey);
378end:
379 if (in != NULL) BIO_free(in);
380 return(ret);
381 }
58964a49 382#endif
d02b48c6 383
875a644a 384int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
d02b48c6
RE		 385 {
386 int ret;
875a644a 387 const unsigned char *p;
d02b48c6
RE		 388 EVP_PKEY *pkey;
389
390 p=d;
391 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
392 {
393 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
394 return(0);
395 }
396
397 ret=SSL_use_PrivateKey(ssl,pkey);
398 EVP_PKEY_free(pkey);
399 return(ret);
400 }
401
6b691a5c 402int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
d02b48c6 403 {
b362ccab 404 int rv;
d02b48c6
RE		 405 if (x == NULL)
406 {
407 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
408 return(0);
409 }
b362ccab
DSH		 410 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
411 if (rv != 1)
412 {
413 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
414 return 0;
415 }
ca8e5b9b 416 if (!ssl_cert_inst(&ctx->cert))
d02b48c6 417 {
15d21c2d
RE		 418 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
419 return(0);
d02b48c6 420 }
ca8e5b9b 421 return(ssl_set_cert(ctx->cert, x));
d02b48c6
RE		 422 }
423
6b691a5c 424static int ssl_set_cert(CERT *c, X509 *x)
d02b48c6
RE		 425 {
426 EVP_PKEY *pkey;
6049399b 427 int i;
d02b48c6
RE		 428
429 pkey=X509_get_pubkey(x);
430 if (pkey == NULL)
431 {
58964a49 432 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
d02b48c6
RE		 433 return(0);
434 }
435
436 i=ssl_cert_type(x,pkey);
437 if (i < 0)
438 {
58964a49 439 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
a8236c8c 440 EVP_PKEY_free(pkey);
d02b48c6
RE		 441 return(0);
442 }
443
444 if (c->pkeys[i].privatekey != NULL)
dfeab068
RE		 445 {
446 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
447 ERR_clear_error();
448
bc36ee62 449#ifndef OPENSSL_NO_RSA
dfeab068
RE		 450 /* Don't check the public/private key, this is mostly
451 * for smart cards. */
452 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
453 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
454 RSA_METHOD_FLAG_NO_CHECK))
6049399b 455 ;
dfeab068 456 else
6049399b 457#endif /* OPENSSL_NO_RSA */
d02b48c6
RE		 458 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
459 {
6049399b
NL		 460 /* don't fail for a cert/key mismatch, just free
461 * current private key (when switching to a different
462 * cert & key, first this function should be used,
463 * then ssl_set_pkey */
464 EVP_PKEY_free(c->pkeys[i].privatekey);
465 c->pkeys[i].privatekey=NULL;
466 /* clear error queue */
467 ERR_clear_error();
d02b48c6 468 }
d02b48c6 469 }
d02b48c6 470
a8236c8c 471 EVP_PKEY_free(pkey);
d02b48c6
RE		 472
473 if (c->pkeys[i].x509 != NULL)
474 X509_free(c->pkeys[i].x509);
475 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
476 c->pkeys[i].x509=x;
477 c->key= &(c->pkeys[i]);
478
479 c->valid=0;
480 return(1);
481 }
482
bc36ee62 483#ifndef OPENSSL_NO_STDIO
303c0028 484int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
d02b48c6
RE		 485 {
486 int j;
487 BIO *in;
488 int ret=0;
489 X509 *x=NULL;
490
58964a49 491 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 492 if (in == NULL)
493 {
494 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
495 goto end;
496 }
497
498 if (BIO_read_filename(in,file) <= 0)
499 {
d02b48c6
RE		 500 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
501 goto end;
502 }
503 if (type == SSL_FILETYPE_ASN1)
504 {
505 j=ERR_R_ASN1_LIB;
506 x=d2i_X509_bio(in,NULL);
507 }
508 else if (type == SSL_FILETYPE_PEM)
509 {
510 j=ERR_R_PEM_LIB;
74678cc2 511 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
d02b48c6
RE		 512 }
513 else
514 {
515 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
516 goto end;
517 }
518
519 if (x == NULL)
520 {
521 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
522 goto end;
523 }
524
525 ret=SSL_CTX_use_certificate(ctx,x);
526end:
527 if (x != NULL) X509_free(x);
528 if (in != NULL) BIO_free(in);
529 return(ret);
530 }
58964a49 531#endif
d02b48c6 532
875a644a 533int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
d02b48c6
RE		 534 {
535 X509 *x;
536 int ret;
537
538 x=d2i_X509(NULL,&d,(long)len);
539 if (x == NULL)
540 {
541 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
542 return(0);
543 }
544
545 ret=SSL_CTX_use_certificate(ctx,x);
546 X509_free(x);
547 return(ret);
548 }
549
bc36ee62 550#ifndef OPENSSL_NO_RSA
6b691a5c 551int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
d02b48c6
RE		 552 {
553 int ret;
d02b48c6
RE		 554 EVP_PKEY *pkey;
555
556 if (rsa == NULL)
557 {
558 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
559 return(0);
560 }
ca8e5b9b 561 if (!ssl_cert_inst(&ctx->cert))
d02b48c6 562 {
15d21c2d
RE		 563 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
564 return(0);
d02b48c6 565 }
d02b48c6
RE		 566 if ((pkey=EVP_PKEY_new()) == NULL)
567 {
568 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
569 return(0);
570 }
571
6ac4e8bd 572 RSA_up_ref(rsa);
d02b48c6
RE		 573 EVP_PKEY_assign_RSA(pkey,rsa);
574
ca8e5b9b 575 ret=ssl_set_pkey(ctx->cert, pkey);
d02b48c6
RE		 576 EVP_PKEY_free(pkey);
577 return(ret);
578 }
579
bc36ee62 580#ifndef OPENSSL_NO_STDIO
303c0028 581int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
d02b48c6
RE		 582 {
583 int j,ret=0;
584 BIO *in;
585 RSA *rsa=NULL;
586
58964a49 587 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 588 if (in == NULL)
589 {
590 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
591 goto end;
592 }
593
594 if (BIO_read_filename(in,file) <= 0)
595 {
d02b48c6
RE		 596 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
597 goto end;
598 }
599 if (type == SSL_FILETYPE_ASN1)
600 {
601 j=ERR_R_ASN1_LIB;
602 rsa=d2i_RSAPrivateKey_bio(in,NULL);
603 }
604 else if (type == SSL_FILETYPE_PEM)
605 {
606 j=ERR_R_PEM_LIB;
607 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
74678cc2 608 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
d02b48c6
RE		 609 }
610 else
611 {
612 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
613 goto end;
614 }
615 if (rsa == NULL)
616 {
617 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
618 goto end;
619 }
620 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
621 RSA_free(rsa);
622end:
623 if (in != NULL) BIO_free(in);
624 return(ret);
625 }
58964a49 626#endif
d02b48c6 627
875a644a 628int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
d02b48c6
RE		 629 {
630 int ret;
5e4ca422 631 const unsigned char *p;
d02b48c6
RE		 632 RSA *rsa;
633
634 p=d;
635 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
636 {
637 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
638 return(0);
639 }
640
641 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
642 RSA_free(rsa);
643 return(ret);
644 }
bc36ee62 645#endif /* !OPENSSL_NO_RSA */
d02b48c6 646
6b691a5c 647int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
d02b48c6 648 {
d02b48c6
RE		 649 if (pkey == NULL)
650 {
651 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
652 return(0);
653 }
ca8e5b9b 654 if (!ssl_cert_inst(&ctx->cert))
d02b48c6 655 {
15d21c2d
RE		 656 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
657 return(0);
d02b48c6 658 }
ca8e5b9b 659 return(ssl_set_pkey(ctx->cert,pkey));
d02b48c6
RE		 660 }
661
bc36ee62 662#ifndef OPENSSL_NO_STDIO
303c0028 663int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
d02b48c6
RE		 664 {
665 int j,ret=0;
666 BIO *in;
667 EVP_PKEY *pkey=NULL;
668
58964a49 669 in=BIO_new(BIO_s_file_internal());
d02b48c6
RE		 670 if (in == NULL)
671 {
672 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
673 goto end;
674 }
675
676 if (BIO_read_filename(in,file) <= 0)
677 {
d02b48c6
RE		 678 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
679 goto end;
680 }
681 if (type == SSL_FILETYPE_PEM)
682 {
683 j=ERR_R_PEM_LIB;
684 pkey=PEM_read_bio_PrivateKey(in,NULL,
74678cc2 685 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
d02b48c6 686 }
dc0ed30c
NL		 687 else if (type == SSL_FILETYPE_ASN1)
688 {
689 j = ERR_R_ASN1_LIB;
690 pkey = d2i_PrivateKey_bio(in,NULL);
691 }
d02b48c6
RE		 692 else
693 {
694 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
695 goto end;
696 }
697 if (pkey == NULL)
698 {
699 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
700 goto end;
701 }
702 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
703 EVP_PKEY_free(pkey);
704end:
705 if (in != NULL) BIO_free(in);
706 return(ret);
707 }
58964a49 708#endif
d02b48c6 709
875a644a 710int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
6b691a5c 711 long len)
d02b48c6
RE		 712 {
713 int ret;
875a644a 714 const unsigned char *p;
d02b48c6
RE		 715 EVP_PKEY *pkey;
716
717 p=d;
718 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
719 {
720 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
721 return(0);
722 }
723
724 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
725 EVP_PKEY_free(pkey);
726 return(ret);
727 }
728
729
bc36ee62 730#ifndef OPENSSL_NO_STDIO
b3ca645f
BM		 731/* Read a file that contains our certificate in "PEM" format,
732 * possibly followed by a sequence of CA certificates that should be
733 * sent to the peer in the Certificate message.
734 */
735int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
736 {
737 BIO *in;
738 int ret=0;
739 X509 *x=NULL;
740
17a4a4df 741 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
c2c2e7a4 742
a9e1c50b 743 in = BIO_new(BIO_s_file_internal());
b3ca645f
BM		 744 if (in == NULL)
745 {
746 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
747 goto end;
748 }
749
750 if (BIO_read_filename(in,file) <= 0)
751 {
752 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
753 goto end;
754 }
755
a9e1c50b
BL		 756 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
757 ctx->default_passwd_callback_userdata);
b3ca645f
BM		 758 if (x == NULL)
759 {
760 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
761 goto end;
762 }
763
a9e1c50b
BL		 764 ret = SSL_CTX_use_certificate(ctx, x);
765
b3ca645f
BM		 766 if (ERR_peek_error() != 0)
767 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
768 if (ret)
769 {
770 /* If we could set up our certificate, now proceed to
771 * the CA certificates.
772 */
773 X509 *ca;
774 int r;
775 unsigned long err;
b3ca645f 776
a4339ea3
DSH		 777 SSL_CTX_clear_chain_certs(ctx);
778
a9e1c50b
BL		 779 while ((ca = PEM_read_bio_X509(in, NULL,
780 ctx->default_passwd_callback,
781 ctx->default_passwd_callback_userdata))
b3ca645f
BM		 782 != NULL)
783 {
a4339ea3 784 r = SSL_CTX_add0_chain_cert(ctx, ca);
b3ca645f
BM		 785 if (!r)
786 {
787 X509_free(ca);
788 ret = 0;
789 goto end;
790 }
b1816a04 791 /* Note that we must not free r if it was successfully
b3ca645f
BM		 792 * added to the chain (while we must free the main
793 * certificate, since its reference count is increased
794 * by SSL_CTX_use_certificate). */
795 }
796 /* When the while loop ends, it's usually just EOF. */
9437fef8 797 err = ERR_peek_last_error();
b3ca645f 798 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
48c832b6 799 ERR_clear_error();
b3ca645f
BM		 800 else
801 ret = 0; /* some real error */
802 }
803
804end:
805 if (x != NULL) X509_free(x);
806 if (in != NULL) BIO_free(in);
807 return(ret);
808 }
809#endif
a9e1c50b
BL		 810
811#ifndef OPENSSL_NO_TLSEXT
a398f821
T		 812static int serverinfo_find_extension(const unsigned char *serverinfo,
813 size_t serverinfo_length,
de2a9e38 814 unsigned int extension_type,
a398f821 815 const unsigned char **extension_data,
de2a9e38 816 size_t *extension_length)
a398f821
T		 817 {
818 *extension_data = NULL;
819 *extension_length = 0;
820 if (serverinfo == NULL || serverinfo_length == 0)
821 return 0;
822 for (;;)
823 {
de2a9e38
DSH		 824 unsigned int type = 0;
825 size_t len = 0;
a398f821
T		 826
827 /* end of serverinfo */
828 if (serverinfo_length == 0)
9cd50f73 829 return -1; /* Extension not found */
a398f821
T		 830
831 /* read 2-byte type field */
832 if (serverinfo_length < 2)
9cd50f73 833 return 0; /* Error */
a398f821
T		 834 type = (serverinfo[0] << 8) + serverinfo[1];
835 serverinfo += 2;
836 serverinfo_length -= 2;
837
838 /* read 2-byte len field */
839 if (serverinfo_length < 2)
9cd50f73 840 return 0; /* Error */
a398f821
T		 841 len = (serverinfo[0] << 8) + serverinfo[1];
842 serverinfo += 2;
843 serverinfo_length -= 2;
844
845 if (len > serverinfo_length)
9cd50f73 846 return 0; /* Error */
a398f821
T		 847
848 if (type == extension_type)
849 {
850 *extension_data = serverinfo;
851 *extension_length = len;
9cd50f73 852 return 1; /* Success */
a398f821
T		 853 }
854
855 serverinfo += len;
856 serverinfo_length -= len;
857 }
9cd50f73 858 return 0; /* Error */
a398f821
T		 859 }
860
de2a9e38 861static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
0a602875 862 const unsigned char *in,
de2a9e38 863 size_t inlen, int *al,
0a602875 864 void *arg)
9cd50f73 865 {
0a602875 866
9cd50f73
T		 867 if (inlen != 0)
868 {
869 *al = SSL_AD_DECODE_ERROR;
870 return 0;
871 }
0a602875 872
9cd50f73
T		 873 return 1;
874 }
875
de2a9e38 876static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
0cfefe4b
DSH		 877 const unsigned char **out, size_t *outlen,
878 int *al, void *arg)
a398f821
T		 879 {
880 const unsigned char *serverinfo = NULL;
881 size_t serverinfo_length = 0;
882
9cd50f73 883 /* Is there serverinfo data for the chosen server cert? */
a398f821 884 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
0a602875 885 &serverinfo_length)) != 0)
a398f821
T		 886 {
887 /* Find the relevant extension from the serverinfo */
9cd50f73 888 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
0a602875 889 ext_type, out, outlen);
9cd50f73
T		 890 if (retval == 0)
891 return 0; /* Error */
892 if (retval == -1)
893 return -1; /* No extension found, don't send extension */
894 return 1; /* Send extension */
895 }
896 return -1; /* No serverinfo data found, don't send extension */
a398f821
T		 897 }
898
9cd50f73
T		 899/* With a NULL context, this function just checks that the serverinfo data
900 parses correctly. With a non-NULL context, it registers callbacks for
901 the included extensions. */
902static int serverinfo_process_buffer(const unsigned char *serverinfo,
903 size_t serverinfo_length, SSL_CTX *ctx)
a398f821
T		 904 {
905 if (serverinfo == NULL || serverinfo_length == 0)
906 return 0;
907 for (;;)
908 {
de2a9e38
DSH		 909 unsigned int ext_type = 0;
910 size_t len = 0;
a398f821
T		 911
912 /* end of serverinfo */
913 if (serverinfo_length == 0)
914 return 1;
915
916 /* read 2-byte type field */
917 if (serverinfo_length < 2)
918 return 0;
919 /* FIXME: check for types we understand explicitly? */
920
921 /* Register callbacks for extensions */
922 ext_type = (serverinfo[0] << 8) + serverinfo[1];
8cafe9e8 923 if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
0cfefe4b
DSH		 924 serverinfo_srv_add_cb,
925 NULL, NULL,
926 serverinfo_srv_parse_cb,
927 NULL))
a398f821
T		 928 return 0;
929
930 serverinfo += 2;
931 serverinfo_length -= 2;
932
933 /* read 2-byte len field */
934 if (serverinfo_length < 2)
935 return 0;
936 len = (serverinfo[0] << 8) + serverinfo[1];
937 serverinfo += 2;
938 serverinfo_length -= 2;
939
940 if (len > serverinfo_length)
941 return 0;
942
943 serverinfo += len;
944 serverinfo_length -= len;
945 }
946 }
947
a398f821
T		 948int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
949 size_t serverinfo_length)
950 {
e9e688ef
JM		 951 unsigned char *new_serverinfo;
952
a398f821
T		 953 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)
954 {
955 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_PASSED_NULL_PARAMETER);
956 return 0;
957 }
9cd50f73 958 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
a398f821
T		 959 {
960 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
0b2bde70 961 return 0;
a398f821
T		 962 }
963 if (!ssl_cert_inst(&ctx->cert))
964 {
965 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_MALLOC_FAILURE);
966 return 0;
967 }
968 if (ctx->cert->key == NULL)
969 {
970 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_INTERNAL_ERROR);
971 return 0;
972 }
e9e688ef 973 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
5382adbf 974 serverinfo_length);
e9e688ef 975 if (new_serverinfo == NULL)
a398f821
T		 976 {
977 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_MALLOC_FAILURE);
978 return 0;
979 }
e9e688ef 980 ctx->cert->key->serverinfo = new_serverinfo;
a398f821
T		 981 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
982 ctx->cert->key->serverinfo_length = serverinfo_length;
983
984 /* Now that the serverinfo is validated and stored, go ahead and
985 * register callbacks. */
9cd50f73 986 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
a398f821
T		 987 {
988 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
0b2bde70 989 return 0;
a398f821
T		 990 }
991 return 1;
992 }
993
7a71af86 994#ifndef OPENSSL_NO_STDIO
a398f821
T		 995int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
996 {
997 unsigned char *serverinfo = NULL;
998 size_t serverinfo_length = 0;
999 unsigned char* extension = 0;
1000 long extension_length = 0;
1001 char* name = NULL;
1002 char* header = NULL;
c655f40e 1003 char namePrefix[] = "SERVERINFO FOR ";
a398f821
T		 1004 int ret = 0;
1005 BIO *bin = NULL;
1006 size_t num_extensions = 0;
1007
1008 if (ctx == NULL || file == NULL)
1009 {
1010 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,ERR_R_PASSED_NULL_PARAMETER);
1011 goto end;
1012 }
1013
1014 bin = BIO_new(BIO_s_file_internal());
1015 if (bin == NULL)
1016 {
1017 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
1018 goto end;
1019 }
1020 if (BIO_read_filename(bin, file) <= 0)
1021 {
1022 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
1023 goto end;
1024 }
1025
1026 for (num_extensions=0;; num_extensions++)
1027 {
1028 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0)
1029 {
1030 /* There must be at least one extension in this file */
1031 if (num_extensions == 0)
1032 {
9725bda7 1033 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_NO_PEM_EXTENSIONS);
a398f821
T		 1034 goto end;
1035 }
1036 else /* End of file, we're done */
1037 break;
1038 }
c655f40e
TP		 1039 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
1040 if (strlen(name) < strlen(namePrefix))
1041 {
9725bda7 1042 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
c655f40e
TP		 1043 goto end;
1044 }
1045 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
1046 {
9725bda7 1047 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_BAD_PREFIX);
c655f40e
TP		 1048 goto end;
1049 }
a398f821
T		 1050 /* Check that the decoded PEM data is plausible (valid length field) */
1051 if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
1052 {
9725bda7 1053 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
c655f40e 1054 goto end;
a398f821
T		 1055 }
1056 /* Append the decoded extension to the serverinfo buffer */
1057 serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
1058 if (serverinfo == NULL)
1059 {
1060 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
1061 goto end;
1062 }
1063 memcpy(serverinfo + serverinfo_length, extension, extension_length);
1064 serverinfo_length += extension_length;
1065
1066 OPENSSL_free(name); name = NULL;
1067 OPENSSL_free(header); header = NULL;
1068 OPENSSL_free(extension); extension = NULL;
1069 }
1070
1071 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
1072end:
1073 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1074 OPENSSL_free(name);
1075 OPENSSL_free(header);
1076 OPENSSL_free(extension);
1077 OPENSSL_free(serverinfo);
1078 if (bin != NULL)
1079 BIO_free(bin);
1080 return ret;
1081 }
7a71af86 1082#endif /* OPENSSL_NO_STDIO */
a9e1c50b 1083#endif /* OPENSSL_NO_TLSEXT */
A mirror of the official openssl repository