]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / ssl / ssl_rsa.c
CommitLineData
846e33c7 1/*
33388b44 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
d02b48c6
RE		 8 */
9
10#include <stdio.h>
706457b7 11#include "ssl_local.h"
0d345f0e 12#include "internal/packet.h"
ec577822
BM		 13#include <openssl/bio.h>
14#include <openssl/objects.h>
15#include <openssl/evp.h>
16#include <openssl/x509.h>
9f0f53b7 17#include <openssl/x509v3.h>
ec577822 18#include <openssl/pem.h>
d02b48c6 19
d02b48c6
RE		 20static int ssl_set_cert(CERT *c, X509 *x509);
21static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
bade29da 22
7a4e6a1e
MC		 23#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
24 | SSL_EXT_CLIENT_HELLO \
25 | SSL_EXT_TLS1_2_SERVER_HELLO \
26 | SSL_EXT_IGNORE_ON_RESUMPTION)
bade29da 27
6b691a5c 28int SSL_use_certificate(SSL *ssl, X509 *x)
0f113f3e
MC		 29{
30 int rv;
31 if (x == NULL) {
32 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 33 return 0;
0f113f3e 34 }
9f0f53b7
MC		 35 if (!X509v3_cache_extensions(x, ssl->ctx->libctx, ssl->ctx->propq)) {
36 SSLerr(0, ERR_LIB_X509);
37 return 0;
38 }
0f113f3e
MC		 39 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
40 if (rv != 1) {
41 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
42 return 0;
43 }
44
26a7d938 45 return ssl_set_cert(ssl->cert, x);
0f113f3e 46}
d02b48c6 47
303c0028 48int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 49{
50 int j;
51 BIO *in;
52 int ret = 0;
53 X509 *x = NULL;
54
9982cbbb 55 in = BIO_new(BIO_s_file());
0f113f3e
MC		 56 if (in == NULL) {
57 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
58 goto end;
59 }
60
61 if (BIO_read_filename(in, file) <= 0) {
62 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
63 goto end;
64 }
65 if (type == SSL_FILETYPE_ASN1) {
66 j = ERR_R_ASN1_LIB;
67 x = d2i_X509_bio(in, NULL);
68 } else if (type == SSL_FILETYPE_PEM) {
69 j = ERR_R_PEM_LIB;
d61461a7
P		 70 x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback,
71 ssl->default_passwd_callback_userdata);
0f113f3e
MC		 72 } else {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
74 goto end;
75 }
76
77 if (x == NULL) {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
79 goto end;
80 }
81
82 ret = SSL_use_certificate(ssl, x);
83 end:
222561fe 84 X509_free(x);
ca3a82c3 85 BIO_free(in);
26a7d938 86 return ret;
0f113f3e 87}
d02b48c6 88
875a644a 89int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
0f113f3e
MC		 90{
91 X509 *x;
92 int ret;
93
94 x = d2i_X509(NULL, &d, (long)len);
95 if (x == NULL) {
96 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
26a7d938 97 return 0;
0f113f3e
MC		 98 }
99
100 ret = SSL_use_certificate(ssl, x);
101 X509_free(x);
26a7d938 102 return ret;
0f113f3e 103}
d02b48c6 104
bc36ee62 105#ifndef OPENSSL_NO_RSA
6b691a5c 106int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
0f113f3e
MC		 107{
108 EVP_PKEY *pkey;
109 int ret;
110
111 if (rsa == NULL) {
112 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 113 return 0;
0f113f3e 114 }
0f113f3e
MC		 115 if ((pkey = EVP_PKEY_new()) == NULL) {
116 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
26a7d938 117 return 0;
0f113f3e
MC		 118 }
119
120 RSA_up_ref(rsa);
5f3d93e4
MC		 121 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
122 RSA_free(rsa);
563c1ec6 123 EVP_PKEY_free(pkey);
5f3d93e4
MC		 124 return 0;
125 }
0f113f3e
MC		 126
127 ret = ssl_set_pkey(ssl->cert, pkey);
128 EVP_PKEY_free(pkey);
26a7d938 129 return ret;
0f113f3e 130}
d02b48c6
RE		 131#endif
132
6b691a5c 133static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
0f113f3e 134{
52fd27f9
DSH		 135 size_t i;
136
137 if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
0f113f3e 138 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
26a7d938 139 return 0;
0f113f3e
MC		 140 }
141
142 if (c->pkeys[i].x509 != NULL) {
143 EVP_PKEY *pktmp;
8382fd3a 144 pktmp = X509_get0_pubkey(c->pkeys[i].x509);
5f3d93e4
MC		 145 if (pktmp == NULL) {
146 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
5f3d93e4
MC		 147 return 0;
148 }
149 /*
150 * The return code from EVP_PKEY_copy_parameters is deliberately
151 * ignored. Some EVP_PKEY types cannot do this.
152 */
0f113f3e 153 EVP_PKEY_copy_parameters(pktmp, pkey);
0f113f3e 154 ERR_clear_error();
dfeab068 155
bc36ee62 156#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 157 /*
158 * Don't check the public/private key, this is mostly for smart
159 * cards.
160 */
3aeb9348 161 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
a230b26e 162 && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
0f113f3e 163 else
58964a49 164#endif
0f113f3e
MC		 165 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
166 X509_free(c->pkeys[i].x509);
167 c->pkeys[i].x509 = NULL;
168 return 0;
169 }
170 }
171
25aaa98a 172 EVP_PKEY_free(c->pkeys[i].privatekey);
3aeb9348 173 EVP_PKEY_up_ref(pkey);
0f113f3e 174 c->pkeys[i].privatekey = pkey;
52fd27f9
DSH		 175 c->key = &c->pkeys[i];
176 return 1;
0f113f3e 177}
d02b48c6 178
bc36ee62 179#ifndef OPENSSL_NO_RSA
303c0028 180int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 181{
182 int j, ret = 0;
183 BIO *in;
184 RSA *rsa = NULL;
185
9982cbbb 186 in = BIO_new(BIO_s_file());
0f113f3e
MC		 187 if (in == NULL) {
188 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
189 goto end;
190 }
191
192 if (BIO_read_filename(in, file) <= 0) {
193 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
194 goto end;
195 }
196 if (type == SSL_FILETYPE_ASN1) {
197 j = ERR_R_ASN1_LIB;
198 rsa = d2i_RSAPrivateKey_bio(in, NULL);
199 } else if (type == SSL_FILETYPE_PEM) {
200 j = ERR_R_PEM_LIB;
201 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
d61461a7
P		 202 ssl->default_passwd_callback,
203 ssl->default_passwd_callback_userdata);
0f113f3e
MC		 204 } else {
205 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
206 goto end;
207 }
208 if (rsa == NULL) {
209 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
210 goto end;
211 }
212 ret = SSL_use_RSAPrivateKey(ssl, rsa);
213 RSA_free(rsa);
214 end:
ca3a82c3 215 BIO_free(in);
26a7d938 216 return ret;
0f113f3e 217}
d02b48c6 218
693b71fa 219int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
0f113f3e
MC		 220{
221 int ret;
222 const unsigned char *p;
223 RSA *rsa;
224
225 p = d;
226 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
227 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 228 return 0;
0f113f3e
MC		 229 }
230
231 ret = SSL_use_RSAPrivateKey(ssl, rsa);
232 RSA_free(rsa);
26a7d938 233 return ret;
0f113f3e
MC		 234}
235#endif /* !OPENSSL_NO_RSA */
d02b48c6 236
6b691a5c 237int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
0f113f3e
MC		 238{
239 int ret;
240
241 if (pkey == NULL) {
242 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 243 return 0;
0f113f3e 244 }
0f113f3e 245 ret = ssl_set_pkey(ssl->cert, pkey);
26a7d938 246 return ret;
0f113f3e 247}
d02b48c6 248
303c0028 249int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 250{
251 int j, ret = 0;
252 BIO *in;
253 EVP_PKEY *pkey = NULL;
254
9982cbbb 255 in = BIO_new(BIO_s_file());
0f113f3e
MC		 256 if (in == NULL) {
257 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
258 goto end;
259 }
260
261 if (BIO_read_filename(in, file) <= 0) {
262 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
263 goto end;
264 }
265 if (type == SSL_FILETYPE_PEM) {
266 j = ERR_R_PEM_LIB;
d6a2bdf7
MC		 267 pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
268 ssl->default_passwd_callback,
269 ssl->default_passwd_callback_userdata,
270 ssl->ctx->libctx,
271 ssl->ctx->propq);
0f113f3e
MC		 272 } else if (type == SSL_FILETYPE_ASN1) {
273 j = ERR_R_ASN1_LIB;
d6a2bdf7
MC		 274 pkey = d2i_PrivateKey_ex_bio(in, NULL, ssl->ctx->libctx,
275 ssl->ctx->propq);
0f113f3e
MC		 276 } else {
277 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
278 goto end;
279 }
280 if (pkey == NULL) {
281 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
282 goto end;
283 }
284 ret = SSL_use_PrivateKey(ssl, pkey);
285 EVP_PKEY_free(pkey);
286 end:
ca3a82c3 287 BIO_free(in);
26a7d938 288 return ret;
0f113f3e 289}
d02b48c6 290
0f113f3e
MC		 291int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
292 long len)
293{
294 int ret;
295 const unsigned char *p;
296 EVP_PKEY *pkey;
d02b48c6 297
0f113f3e 298 p = d;
d6a2bdf7
MC		 299 if ((pkey = d2i_PrivateKey_ex(type, NULL, &p, (long)len, ssl->ctx->libctx,
300 ssl->ctx->propq)) == NULL) {
0f113f3e 301 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 302 return 0;
0f113f3e 303 }
d02b48c6 304
0f113f3e
MC		 305 ret = SSL_use_PrivateKey(ssl, pkey);
306 EVP_PKEY_free(pkey);
26a7d938 307 return ret;
0f113f3e 308}
d02b48c6 309
6b691a5c 310int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
0f113f3e
MC		 311{
312 int rv;
313 if (x == NULL) {
314 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 315 return 0;
0f113f3e 316 }
9f0f53b7
MC		 317 if (!X509v3_cache_extensions(x, ctx->libctx, ctx->propq)) {
318 SSLerr(0, ERR_LIB_X509);
319 return 0;
320 }
0f113f3e
MC		 321 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
322 if (rv != 1) {
323 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
324 return 0;
325 }
26a7d938 326 return ssl_set_cert(ctx->cert, x);
0f113f3e 327}
d02b48c6 328
6b691a5c 329static int ssl_set_cert(CERT *c, X509 *x)
0f113f3e
MC		 330{
331 EVP_PKEY *pkey;
52fd27f9 332 size_t i;
0f113f3e 333
8382fd3a 334 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 335 if (pkey == NULL) {
336 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
26a7d938 337 return 0;
0f113f3e
MC		 338 }
339
52fd27f9 340 if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
0f113f3e 341 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
8382fd3a 342 return 0;
0f113f3e 343 }
760f317d 344#ifndef OPENSSL_NO_EC
c2041da8 345 if (i == SSL_PKEY_ECC && !EVP_PKEY_can_sign(pkey)) {
1db3107a
DSH		 346 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
347 return 0;
348 }
760f317d 349#endif
0f113f3e 350 if (c->pkeys[i].privatekey != NULL) {
5f3d93e4
MC		 351 /*
352 * The return code from EVP_PKEY_copy_parameters is deliberately
353 * ignored. Some EVP_PKEY types cannot do this.
354 */
0f113f3e
MC		 355 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
356 ERR_clear_error();
dfeab068 357
bc36ee62 358#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 359 /*
360 * Don't check the public/private key, this is mostly for smart
361 * cards.
362 */
3aeb9348
DSH		 363 if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
364 && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
a230b26e 365 RSA_METHOD_FLAG_NO_CHECK) ;
0f113f3e
MC		 366 else
367#endif /* OPENSSL_NO_RSA */
368 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
369 /*
370 * don't fail for a cert/key mismatch, just free current private
371 * key (when switching to a different cert & key, first this
372 * function should be used, then ssl_set_pkey
373 */
374 EVP_PKEY_free(c->pkeys[i].privatekey);
375 c->pkeys[i].privatekey = NULL;
376 /* clear error queue */
377 ERR_clear_error();
378 }
379 }
380
222561fe 381 X509_free(c->pkeys[i].x509);
05f0fb9f 382 X509_up_ref(x);
0f113f3e
MC		 383 c->pkeys[i].x509 = x;
384 c->key = &(c->pkeys[i]);
385
8382fd3a 386 return 1;
0f113f3e 387}
d02b48c6 388
303c0028 389int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 390{
391 int j;
392 BIO *in;
393 int ret = 0;
394 X509 *x = NULL;
395
9982cbbb 396 in = BIO_new(BIO_s_file());
0f113f3e
MC		 397 if (in == NULL) {
398 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
399 goto end;
400 }
401
402 if (BIO_read_filename(in, file) <= 0) {
403 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
404 goto end;
405 }
406 if (type == SSL_FILETYPE_ASN1) {
407 j = ERR_R_ASN1_LIB;
408 x = d2i_X509_bio(in, NULL);
409 } else if (type == SSL_FILETYPE_PEM) {
410 j = ERR_R_PEM_LIB;
411 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
412 ctx->default_passwd_callback_userdata);
413 } else {
414 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
415 goto end;
416 }
417
418 if (x == NULL) {
419 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
420 goto end;
421 }
422
423 ret = SSL_CTX_use_certificate(ctx, x);
424 end:
222561fe 425 X509_free(x);
ca3a82c3 426 BIO_free(in);
26a7d938 427 return ret;
0f113f3e 428}
d02b48c6 429
a230b26e 430int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
0f113f3e
MC		 431{
432 X509 *x;
433 int ret;
d02b48c6 434
0f113f3e
MC		 435 x = d2i_X509(NULL, &d, (long)len);
436 if (x == NULL) {
437 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
26a7d938 438 return 0;
0f113f3e 439 }
d02b48c6 440
0f113f3e
MC		 441 ret = SSL_CTX_use_certificate(ctx, x);
442 X509_free(x);
26a7d938 443 return ret;
0f113f3e 444}
d02b48c6 445
bc36ee62 446#ifndef OPENSSL_NO_RSA
6b691a5c 447int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
0f113f3e
MC		 448{
449 int ret;
450 EVP_PKEY *pkey;
451
452 if (rsa == NULL) {
453 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 454 return 0;
0f113f3e 455 }
0f113f3e
MC		 456 if ((pkey = EVP_PKEY_new()) == NULL) {
457 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
26a7d938 458 return 0;
0f113f3e
MC		 459 }
460
461 RSA_up_ref(rsa);
5f3d93e4
MC		 462 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
463 RSA_free(rsa);
563c1ec6 464 EVP_PKEY_free(pkey);
5f3d93e4
MC		 465 return 0;
466 }
0f113f3e
MC		 467
468 ret = ssl_set_pkey(ctx->cert, pkey);
469 EVP_PKEY_free(pkey);
26a7d938 470 return ret;
0f113f3e
MC		 471}
472
303c0028 473int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 474{
475 int j, ret = 0;
476 BIO *in;
477 RSA *rsa = NULL;
478
9982cbbb 479 in = BIO_new(BIO_s_file());
0f113f3e
MC		 480 if (in == NULL) {
481 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
482 goto end;
483 }
484
485 if (BIO_read_filename(in, file) <= 0) {
486 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
487 goto end;
488 }
489 if (type == SSL_FILETYPE_ASN1) {
490 j = ERR_R_ASN1_LIB;
491 rsa = d2i_RSAPrivateKey_bio(in, NULL);
492 } else if (type == SSL_FILETYPE_PEM) {
493 j = ERR_R_PEM_LIB;
494 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
495 ctx->default_passwd_callback,
496 ctx->default_passwd_callback_userdata);
497 } else {
498 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
499 goto end;
500 }
501 if (rsa == NULL) {
502 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
503 goto end;
504 }
505 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
506 RSA_free(rsa);
507 end:
ca3a82c3 508 BIO_free(in);
26a7d938 509 return ret;
0f113f3e 510}
0f113f3e
MC		 511
512int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
513 long len)
514{
515 int ret;
516 const unsigned char *p;
517 RSA *rsa;
518
519 p = d;
520 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
521 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 522 return 0;
0f113f3e
MC		 523 }
524
525 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
526 RSA_free(rsa);
26a7d938 527 return ret;
0f113f3e
MC		 528}
529#endif /* !OPENSSL_NO_RSA */
d02b48c6 530
6b691a5c 531int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
0f113f3e
MC		 532{
533 if (pkey == NULL) {
534 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 535 return 0;
0f113f3e 536 }
26a7d938 537 return ssl_set_pkey(ctx->cert, pkey);
0f113f3e 538}
d02b48c6 539
303c0028 540int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 541{
542 int j, ret = 0;
543 BIO *in;
544 EVP_PKEY *pkey = NULL;
545
9982cbbb 546 in = BIO_new(BIO_s_file());
0f113f3e
MC		 547 if (in == NULL) {
548 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
549 goto end;
550 }
551
552 if (BIO_read_filename(in, file) <= 0) {
553 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
554 goto end;
555 }
556 if (type == SSL_FILETYPE_PEM) {
557 j = ERR_R_PEM_LIB;
d6a2bdf7 558 pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
0f113f3e 559 ctx->default_passwd_callback,
d6a2bdf7
MC		 560 ctx->default_passwd_callback_userdata,
561 ctx->libctx, ctx->propq);
0f113f3e
MC		 562 } else if (type == SSL_FILETYPE_ASN1) {
563 j = ERR_R_ASN1_LIB;
d6a2bdf7 564 pkey = d2i_PrivateKey_ex_bio(in, NULL, ctx->libctx, ctx->propq);
0f113f3e
MC		 565 } else {
566 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
567 goto end;
568 }
569 if (pkey == NULL) {
570 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
571 goto end;
572 }
573 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
574 EVP_PKEY_free(pkey);
575 end:
ca3a82c3 576 BIO_free(in);
26a7d938 577 return ret;
0f113f3e 578}
d02b48c6 579
0f113f3e
MC		 580int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
581 const unsigned char *d, long len)
582{
583 int ret;
584 const unsigned char *p;
585 EVP_PKEY *pkey;
d02b48c6 586
0f113f3e 587 p = d;
d6a2bdf7
MC		 588 if ((pkey = d2i_PrivateKey_ex(type, NULL, &p, (long)len, ctx->libctx,
589 ctx->propq)) == NULL) {
0f113f3e 590 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 591 return 0;
0f113f3e 592 }
d02b48c6 593
0f113f3e
MC		 594 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
595 EVP_PKEY_free(pkey);
26a7d938 596 return ret;
0f113f3e 597}
d02b48c6 598
0f113f3e
MC		 599/*
600 * Read a file that contains our certificate in "PEM" format, possibly
601 * followed by a sequence of CA certificates that should be sent to the peer
602 * in the Certificate message.
b3ca645f 603 */
fae4772c 604static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
0f113f3e
MC		 605{
606 BIO *in;
607 int ret = 0;
608 X509 *x = NULL;
a974e64a
MC		 609 pem_password_cb *passwd_callback;
610 void *passwd_callback_userdata;
0f113f3e
MC		 611
612 ERR_clear_error(); /* clear error stack for
613 * SSL_CTX_use_certificate() */
614
a974e64a
MC		 615 if (ctx != NULL) {
616 passwd_callback = ctx->default_passwd_callback;
617 passwd_callback_userdata = ctx->default_passwd_callback_userdata;
618 } else {
619 passwd_callback = ssl->default_passwd_callback;
620 passwd_callback_userdata = ssl->default_passwd_callback_userdata;
621 }
622
9982cbbb 623 in = BIO_new(BIO_s_file());
0f113f3e 624 if (in == NULL) {
fae4772c 625 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
0f113f3e
MC		 626 goto end;
627 }
628
629 if (BIO_read_filename(in, file) <= 0) {
fae4772c 630 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
0f113f3e
MC		 631 goto end;
632 }
633
a974e64a
MC		 634 x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
635 passwd_callback_userdata);
0f113f3e 636 if (x == NULL) {
fae4772c 637 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
0f113f3e
MC		 638 goto end;
639 }
640
fae4772c
DSH		 641 if (ctx)
642 ret = SSL_CTX_use_certificate(ctx, x);
643 else
644 ret = SSL_use_certificate(ssl, x);
0f113f3e
MC		 645
646 if (ERR_peek_error() != 0)
647 ret = 0; /* Key/certificate mismatch doesn't imply
648 * ret==0 ... */
649 if (ret) {
650 /*
651 * If we could set up our certificate, now proceed to the CA
652 * certificates.
653 */
654 X509 *ca;
655 int r;
656 unsigned long err;
657
fae4772c
DSH		 658 if (ctx)
659 r = SSL_CTX_clear_chain_certs(ctx);
660 else
661 r = SSL_clear_chain_certs(ssl);
662
663 if (r == 0) {
69f68237
MC		 664 ret = 0;
665 goto end;
666 }
0f113f3e 667
a974e64a
MC		 668 while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
669 passwd_callback_userdata))
a230b26e 670 != NULL) {
fae4772c
DSH		 671 if (ctx)
672 r = SSL_CTX_add0_chain_cert(ctx, ca);
673 else
674 r = SSL_add0_chain_cert(ssl, ca);
675 /*
676 * Note that we must not free ca if it was successfully added to
677 * the chain (while we must free the main certificate, since its
678 * reference count is increased by SSL_CTX_use_certificate).
679 */
0f113f3e
MC		 680 if (!r) {
681 X509_free(ca);
682 ret = 0;
683 goto end;
684 }
0f113f3e
MC		 685 }
686 /* When the while loop ends, it's usually just EOF. */
687 err = ERR_peek_last_error();
688 if (ERR_GET_LIB(err) == ERR_LIB_PEM
689 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
690 ERR_clear_error();
691 else
692 ret = 0; /* some real error */
693 }
694
695 end:
25aaa98a 696 X509_free(x);
ca3a82c3 697 BIO_free(in);
26a7d938 698 return ret;
0f113f3e 699}
fae4772c
DSH		 700
701int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
702{
703 return use_certificate_chain_file(ctx, NULL, file);
704}
705
706int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
707{
708 return use_certificate_chain_file(NULL, ssl, file);
709}
a9e1c50b 710
a398f821 711static int serverinfo_find_extension(const unsigned char *serverinfo,
0f113f3e
MC		 712 size_t serverinfo_length,
713 unsigned int extension_type,
714 const unsigned char **extension_data,
715 size_t *extension_length)
716{
84c34ba8
MC		 717 PACKET pkt, data;
718
0f113f3e
MC		 719 *extension_data = NULL;
720 *extension_length = 0;
721 if (serverinfo == NULL || serverinfo_length == 0)
fae11ec7 722 return -1;
84c34ba8
MC		 723
724 if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
725 return -1;
726
0f113f3e
MC		 727 for (;;) {
728 unsigned int type = 0;
84c34ba8 729 unsigned long context = 0;
0f113f3e
MC		 730
731 /* end of serverinfo */
84c34ba8 732 if (PACKET_remaining(&pkt) == 0)
fae11ec7 733 return 0; /* Extension not found */
0f113f3e 734
84c34ba8
MC		 735 if (!PACKET_get_net_4(&pkt, &context)
736 || !PACKET_get_net_2(&pkt, &type)
737 || !PACKET_get_length_prefixed_2(&pkt, &data))
738 return -1;
0f113f3e
MC		 739
740 if (type == extension_type) {
84c34ba8
MC		 741 *extension_data = PACKET_data(&data);
742 *extension_length = PACKET_remaining(&data);;
0f113f3e
MC		 743 return 1; /* Success */
744 }
0f113f3e 745 }
c6ef15c4 746 /* Unreachable */
0f113f3e 747}
a398f821 748
84c34ba8
MC		 749static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type,
750 unsigned int context,
751 const unsigned char *in,
752 size_t inlen, X509 *x, size_t chainidx,
753 int *al, void *arg)
0f113f3e 754{
0a602875 755
0f113f3e
MC		 756 if (inlen != 0) {
757 *al = SSL_AD_DECODE_ERROR;
758 return 0;
759 }
0a602875 760
0f113f3e
MC		 761 return 1;
762}
9cd50f73 763
84c34ba8
MC		 764static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
765 const unsigned char *in,
766 size_t inlen, int *al, void *arg)
767{
768 return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al,
769 arg);
770}
771
772static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
773 unsigned int context,
774 const unsigned char **out,
775 size_t *outlen, X509 *x, size_t chainidx,
776 int *al, void *arg)
0f113f3e
MC		 777{
778 const unsigned char *serverinfo = NULL;
779 size_t serverinfo_length = 0;
780
f233a9d1
MC		 781 /* We only support extensions for the first Certificate */
782 if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
783 return 0;
784
0f113f3e
MC		 785 /* Is there serverinfo data for the chosen server cert? */
786 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
787 &serverinfo_length)) != 0) {
788 /* Find the relevant extension from the serverinfo */
789 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
790 ext_type, out, outlen);
fae11ec7 791 if (retval == -1) {
fb34a0f4 792 *al = SSL_AD_INTERNAL_ERROR;
fae11ec7
KR		 793 return -1; /* Error */
794 }
0f113f3e 795 if (retval == 0)
fae11ec7 796 return 0; /* No extension found, don't send extension */
0f113f3e
MC		 797 return 1; /* Send extension */
798 }
5f18bc58 799 return 0; /* No serverinfo data found, don't send
0f113f3e
MC		 800 * extension */
801}
802
84c34ba8
MC		 803static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
804 const unsigned char **out, size_t *outlen,
805 int *al, void *arg)
806{
807 return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al,
808 arg);
809}
810
0f113f3e
MC		 811/*
812 * With a NULL context, this function just checks that the serverinfo data
813 * parses correctly. With a non-NULL context, it registers callbacks for
814 * the included extensions.
815 */
84c34ba8
MC		 816static int serverinfo_process_buffer(unsigned int version,
817 const unsigned char *serverinfo,
0f113f3e
MC		 818 size_t serverinfo_length, SSL_CTX *ctx)
819{
84c34ba8
MC		 820 PACKET pkt;
821
0f113f3e
MC		 822 if (serverinfo == NULL || serverinfo_length == 0)
823 return 0;
0f113f3e 824
2698bbfe 825 if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2)
84c34ba8 826 return 0;
0f113f3e 827
84c34ba8
MC		 828 if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
829 return 0;
0f113f3e 830
84c34ba8
MC		 831 while (PACKET_remaining(&pkt)) {
832 unsigned long context = 0;
833 unsigned int ext_type = 0;
834 PACKET data;
0f113f3e 835
bade29da 836 if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context))
84c34ba8
MC		 837 || !PACKET_get_net_2(&pkt, &ext_type)
838 || !PACKET_get_length_prefixed_2(&pkt, &data))
0f113f3e
MC		 839 return 0;
840
84c34ba8
MC		 841 if (ctx == NULL)
842 continue;
843
bade29da
MC		 844 /*
845 * The old style custom extensions API could be set separately for
846 * server/client, i.e. you could set one custom extension for a client,
847 * and *for the same extension in the same SSL_CTX* you could set a
848 * custom extension for the server as well. It seems quite weird to be
849 * setting a custom extension for both client and server in a single
850 * SSL_CTX - but theoretically possible. This isn't possible in the
851 * new API. Therefore, if we have V1 serverinfo we use the old API. We
852 * also use the old API even if we have V2 serverinfo but the context
853 * looks like an old style <= TLSv1.2 extension.
854 */
7a4e6a1e 855 if (version == SSL_SERVERINFOV1 || context == SYNTHV1CONTEXT) {
84c34ba8
MC		 856 if (!SSL_CTX_add_server_custom_ext(ctx, ext_type,
857 serverinfo_srv_add_cb,
858 NULL, NULL,
859 serverinfo_srv_parse_cb,
860 NULL))
861 return 0;
862 } else {
863 if (!SSL_CTX_add_custom_ext(ctx, ext_type, context,
864 serverinfoex_srv_add_cb,
865 NULL, NULL,
866 serverinfoex_srv_parse_cb,
867 NULL))
868 return 0;
869 }
0f113f3e 870 }
84c34ba8
MC		 871
872 return 1;
0f113f3e 873}
a398f821 874
84c34ba8
MC		 875int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
876 const unsigned char *serverinfo,
877 size_t serverinfo_length)
0f113f3e
MC		 878{
879 unsigned char *new_serverinfo;
880
881 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
84c34ba8 882 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 883 return 0;
884 }
84c34ba8
MC		 885 if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,
886 NULL)) {
887 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);
0f113f3e
MC		 888 return 0;
889 }
0f113f3e 890 if (ctx->cert->key == NULL) {
84c34ba8 891 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 892 return 0;
893 }
894 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
895 serverinfo_length);
896 if (new_serverinfo == NULL) {
84c34ba8 897 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 898 return 0;
899 }
900 ctx->cert->key->serverinfo = new_serverinfo;
901 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
902 ctx->cert->key->serverinfo_length = serverinfo_length;
903
904 /*
905 * Now that the serverinfo is validated and stored, go ahead and
906 * register callbacks.
907 */
84c34ba8
MC		 908 if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,
909 ctx)) {
910 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);
0f113f3e
MC		 911 return 0;
912 }
913 return 1;
914}
915
84c34ba8
MC		 916int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
917 size_t serverinfo_length)
918{
2698bbfe 919 return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo,
84c34ba8
MC		 920 serverinfo_length);
921}
922
a398f821 923int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
0f113f3e
MC		 924{
925 unsigned char *serverinfo = NULL;
7c0ef843 926 unsigned char *tmp;
0f113f3e
MC		 927 size_t serverinfo_length = 0;
928 unsigned char *extension = 0;
929 long extension_length = 0;
930 char *name = NULL;
931 char *header = NULL;
4bac25e1 932 static const char namePrefix1[] = "SERVERINFO FOR ";
933 static const char namePrefix2[] = "SERVERINFOV2 FOR ";
934 unsigned int name_len;
0f113f3e
MC		 935 int ret = 0;
936 BIO *bin = NULL;
84c34ba8 937 size_t num_extensions = 0, contextoff = 0;
0f113f3e
MC		 938
939 if (ctx == NULL || file == NULL) {
a230b26e 940 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 941 goto end;
942 }
943
9982cbbb 944 bin = BIO_new(BIO_s_file());
0f113f3e
MC		 945 if (bin == NULL) {
946 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
947 goto end;
948 }
949 if (BIO_read_filename(bin, file) <= 0) {
950 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
951 goto end;
952 }
953
954 for (num_extensions = 0;; num_extensions++) {
7a4e6a1e
MC		 955 unsigned int version;
956
0f113f3e
MC		 957 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
958 == 0) {
959 /*
960 * There must be at least one extension in this file
961 */
962 if (num_extensions == 0) {
963 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
964 SSL_R_NO_PEM_EXTENSIONS);
965 goto end;
966 } else /* End of file, we're done */
967 break;
968 }
969 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
4bac25e1 970 name_len = strlen(name);
971 if (name_len < sizeof(namePrefix1) - 1) {
a230b26e 972 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
0f113f3e
MC		 973 goto end;
974 }
4bac25e1 975 if (strncmp(name, namePrefix1, sizeof(namePrefix1) - 1) == 0) {
2698bbfe 976 version = SSL_SERVERINFOV1;
84c34ba8 977 } else {
4bac25e1 978 if (name_len < sizeof(namePrefix2) - 1) {
84c34ba8
MC		 979 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
980 SSL_R_PEM_NAME_TOO_SHORT);
981 goto end;
982 }
4bac25e1 983 if (strncmp(name, namePrefix2, sizeof(namePrefix2) - 1) != 0) {
84c34ba8
MC		 984 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
985 SSL_R_PEM_NAME_BAD_PREFIX);
986 goto end;
987 }
2698bbfe 988 version = SSL_SERVERINFOV2;
0f113f3e
MC		 989 }
990 /*
991 * Check that the decoded PEM data is plausible (valid length field)
992 */
2698bbfe 993 if (version == SSL_SERVERINFOV1) {
84c34ba8
MC		 994 /* 4 byte header: 2 bytes type, 2 bytes len */
995 if (extension_length < 4
996 || (extension[2] << 8) + extension[3]
997 != extension_length - 4) {
998 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
999 goto end;
1000 }
1001 /*
1002 * File does not have a context value so we must take account of
1003 * this later.
1004 */
1005 contextoff = 4;
1006 } else {
1007 /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */
1008 if (extension_length < 8
1009 || (extension[6] << 8) + extension[7]
1010 != extension_length - 8) {
1011 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
1012 goto end;
1013 }
0f113f3e
MC		 1014 }
1015 /* Append the decoded extension to the serverinfo buffer */
84c34ba8
MC		 1016 tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length
1017 + contextoff);
7c0ef843 1018 if (tmp == NULL) {
0f113f3e
MC		 1019 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
1020 goto end;
1021 }
7c0ef843 1022 serverinfo = tmp;
84c34ba8 1023 if (contextoff > 0) {
84c34ba8
MC		 1024 unsigned char *sinfo = serverinfo + serverinfo_length;
1025
1026 /* We know this only uses the last 2 bytes */
1027 sinfo[0] = 0;
1028 sinfo[1] = 0;
7a4e6a1e
MC		 1029 sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;
1030 sinfo[3] = SYNTHV1CONTEXT & 0xff;
84c34ba8
MC		 1031 }
1032 memcpy(serverinfo + serverinfo_length + contextoff,
1033 extension, extension_length);
1034 serverinfo_length += extension_length + contextoff;
0f113f3e
MC		 1035
1036 OPENSSL_free(name);
1037 name = NULL;
1038 OPENSSL_free(header);
1039 header = NULL;
1040 OPENSSL_free(extension);
1041 extension = NULL;
1042 }
1043
bade29da 1044 ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, serverinfo,
bb78552e 1045 serverinfo_length);
0f113f3e
MC		 1046 end:
1047 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1048 OPENSSL_free(name);
1049 OPENSSL_free(header);
1050 OPENSSL_free(extension);
1051 OPENSSL_free(serverinfo);
ca3a82c3 1052 BIO_free(bin);
0f113f3e
MC		 1053 return ret;
1054}
37933acb
TS		 1055
1056static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
1057 STACK_OF(X509) *chain, int override)
1058{
1059 int ret = 0;
1060 size_t i;
1061 int j;
1062 int rv;
1063 CERT *c = ssl != NULL ? ssl->cert : ctx->cert;
e66c37de 1064 SSL_CTX *actualctx = ssl == NULL ? ctx : ssl->ctx;
37933acb
TS		 1065 STACK_OF(X509) *dup_chain = NULL;
1066 EVP_PKEY *pubkey = NULL;
1067
e66c37de
MC		 1068 if (!X509v3_cache_extensions(x509, actualctx->libctx, actualctx->propq)) {
1069 SSLerr(0, ERR_R_X509_LIB);
1070 goto out;
1071 }
1072
37933acb
TS		 1073 /* Do all security checks before anything else */
1074 rv = ssl_security_cert(ssl, ctx, x509, 0, 1);
1075 if (rv != 1) {
1076 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);
1077 goto out;
1078 }
1079 for (j = 0; j < sk_X509_num(chain); j++) {
1080 rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0);
1081 if (rv != 1) {
1082 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);
1083 goto out;
1084 }
1085 }
1086
1087 pubkey = X509_get_pubkey(x509); /* bumps reference */
1088 if (pubkey == NULL)
1089 goto out;
1090 if (privatekey == NULL) {
1091 privatekey = pubkey;
1092 } else {
1093 /* For RSA, which has no parameters, missing returns 0 */
1094 if (EVP_PKEY_missing_parameters(privatekey)) {
1095 if (EVP_PKEY_missing_parameters(pubkey)) {
1096 /* nobody has parameters? - error */
1097 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS);
1098 goto out;
1099 } else {
1100 /* copy to privatekey from pubkey */
1101 EVP_PKEY_copy_parameters(privatekey, pubkey);
1102 }
1103 } else if (EVP_PKEY_missing_parameters(pubkey)) {
1104 /* copy to pubkey from privatekey */
1105 EVP_PKEY_copy_parameters(pubkey, privatekey);
1106 } /* else both have parameters */
1107
1108 /* Copied from ssl_set_cert/pkey */
1109#ifndef OPENSSL_NO_RSA
1110 if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
1111 ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
1112 /* no-op */ ;
1113 else
1114#endif
1115 /* check that key <-> cert match */
1116 if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
1117 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
1118 goto out;
1119 }
1120 }
1121 if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) {
1122 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1123 goto out;
1124 }
1125
1126 if (!override && (c->pkeys[i].x509 != NULL
1127 || c->pkeys[i].privatekey != NULL
1128 || c->pkeys[i].chain != NULL)) {
1129 /* No override, and something already there */
1130 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE);
1131 goto out;
1132 }
1133
1134 if (chain != NULL) {
1135 dup_chain = X509_chain_up_ref(chain);
1136 if (dup_chain == NULL) {
1137 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE);
1138 goto out;
1139 }
1140 }
1141
1142 sk_X509_pop_free(c->pkeys[i].chain, X509_free);
1143 c->pkeys[i].chain = dup_chain;
1144
1145 X509_free(c->pkeys[i].x509);
1146 X509_up_ref(x509);
1147 c->pkeys[i].x509 = x509;
1148
1149 EVP_PKEY_free(c->pkeys[i].privatekey);
1150 EVP_PKEY_up_ref(privatekey);
1151 c->pkeys[i].privatekey = privatekey;
1152
1153 c->key = &(c->pkeys[i]);
1154
1155 ret = 1;
1156 out:
1157 EVP_PKEY_free(pubkey);
1158 return ret;
1159}
1160
1161int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey,
1162 STACK_OF(X509) *chain, int override)
1163{
1164 return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override);
1165}
1166
1167int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
1168 STACK_OF(X509) *chain, int override)
1169{
1170 return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override);
1171}
A mirror of the official openssl repository