]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blob
? search:


f1280ad01fe29ac8e8dbfdf8fbf83ef51606ef36
[thirdparty/openssl.git] / ssl / ssl_rsa.c
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57
58 #include <stdio.h>
59 #include "ssl_locl.h"
60 #include <openssl/bio.h>
61 #include <openssl/objects.h>
62 #include <openssl/evp.h>
63 #include <openssl/x509.h>
64 #include <openssl/pem.h>
65
66 static int ssl_set_cert(CERT *c, X509 *x509);
67 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
68 int SSL_use_certificate(SSL *ssl, X509 *x)
69 {
70 int rv;
71 if (x == NULL) {
72 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
73 return (0);
74 }
75 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
76 if (rv != 1) {
77 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
78 return 0;
79 }
80
81 return (ssl_set_cert(ssl->cert, x));
82 }
83
84 #ifndef OPENSSL_NO_STDIO
85 int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
86 {
87 int j;
88 BIO *in;
89 int ret = 0;
90 X509 *x = NULL;
91
92 in = BIO_new(BIO_s_file());
93 if (in == NULL) {
94 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
95 goto end;
96 }
97
98 if (BIO_read_filename(in, file) <= 0) {
99 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
100 goto end;
101 }
102 if (type == SSL_FILETYPE_ASN1) {
103 j = ERR_R_ASN1_LIB;
104 x = d2i_X509_bio(in, NULL);
105 } else if (type == SSL_FILETYPE_PEM) {
106 j = ERR_R_PEM_LIB;
107 x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback,
108 ssl->ctx->default_passwd_callback_userdata);
109 } else {
110 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
111 goto end;
112 }
113
114 if (x == NULL) {
115 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
116 goto end;
117 }
118
119 ret = SSL_use_certificate(ssl, x);
120 end:
121 X509_free(x);
122 BIO_free(in);
123 return (ret);
124 }
125 #endif
126
127 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
128 {
129 X509 *x;
130 int ret;
131
132 x = d2i_X509(NULL, &d, (long)len);
133 if (x == NULL) {
134 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
135 return (0);
136 }
137
138 ret = SSL_use_certificate(ssl, x);
139 X509_free(x);
140 return (ret);
141 }
142
143 #ifndef OPENSSL_NO_RSA
144 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
145 {
146 EVP_PKEY *pkey;
147 int ret;
148
149 if (rsa == NULL) {
150 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
151 return (0);
152 }
153 if ((pkey = EVP_PKEY_new()) == NULL) {
154 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
155 return (0);
156 }
157
158 RSA_up_ref(rsa);
159 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
160 RSA_free(rsa);
161 return 0;
162 }
163
164 ret = ssl_set_pkey(ssl->cert, pkey);
165 EVP_PKEY_free(pkey);
166 return (ret);
167 }
168 #endif
169
170 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
171 {
172 int i;
173 i = ssl_cert_type(NULL, pkey);
174 if (i < 0) {
175 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
176 return (0);
177 }
178
179 if (c->pkeys[i].x509 != NULL) {
180 EVP_PKEY *pktmp;
181 pktmp = X509_get0_pubkey(c->pkeys[i].x509);
182 if (pktmp == NULL) {
183 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
184 return 0;
185 }
186 /*
187 * The return code from EVP_PKEY_copy_parameters is deliberately
188 * ignored. Some EVP_PKEY types cannot do this.
189 */
190 EVP_PKEY_copy_parameters(pktmp, pkey);
191 ERR_clear_error();
192
193 #ifndef OPENSSL_NO_RSA
194 /*
195 * Don't check the public/private key, this is mostly for smart
196 * cards.
197 */
198 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
199 && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK);
200 else
201 #endif
202 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
203 X509_free(c->pkeys[i].x509);
204 c->pkeys[i].x509 = NULL;
205 return 0;
206 }
207 }
208
209 EVP_PKEY_free(c->pkeys[i].privatekey);
210 EVP_PKEY_up_ref(pkey);
211 c->pkeys[i].privatekey = pkey;
212 c->key = &(c->pkeys[i]);
213 return (1);
214 }
215
216 #ifndef OPENSSL_NO_RSA
217 # ifndef OPENSSL_NO_STDIO
218 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
219 {
220 int j, ret = 0;
221 BIO *in;
222 RSA *rsa = NULL;
223
224 in = BIO_new(BIO_s_file());
225 if (in == NULL) {
226 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
227 goto end;
228 }
229
230 if (BIO_read_filename(in, file) <= 0) {
231 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
232 goto end;
233 }
234 if (type == SSL_FILETYPE_ASN1) {
235 j = ERR_R_ASN1_LIB;
236 rsa = d2i_RSAPrivateKey_bio(in, NULL);
237 } else if (type == SSL_FILETYPE_PEM) {
238 j = ERR_R_PEM_LIB;
239 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
240 ssl->ctx->default_passwd_callback,
241 ssl->
242 ctx->default_passwd_callback_userdata);
243 } else {
244 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
245 goto end;
246 }
247 if (rsa == NULL) {
248 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
249 goto end;
250 }
251 ret = SSL_use_RSAPrivateKey(ssl, rsa);
252 RSA_free(rsa);
253 end:
254 BIO_free(in);
255 return (ret);
256 }
257 # endif
258
259 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
260 {
261 int ret;
262 const unsigned char *p;
263 RSA *rsa;
264
265 p = d;
266 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
267 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
268 return (0);
269 }
270
271 ret = SSL_use_RSAPrivateKey(ssl, rsa);
272 RSA_free(rsa);
273 return (ret);
274 }
275 #endif /* !OPENSSL_NO_RSA */
276
277 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
278 {
279 int ret;
280
281 if (pkey == NULL) {
282 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
283 return (0);
284 }
285 ret = ssl_set_pkey(ssl->cert, pkey);
286 return (ret);
287 }
288
289 #ifndef OPENSSL_NO_STDIO
290 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
291 {
292 int j, ret = 0;
293 BIO *in;
294 EVP_PKEY *pkey = NULL;
295
296 in = BIO_new(BIO_s_file());
297 if (in == NULL) {
298 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
299 goto end;
300 }
301
302 if (BIO_read_filename(in, file) <= 0) {
303 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
304 goto end;
305 }
306 if (type == SSL_FILETYPE_PEM) {
307 j = ERR_R_PEM_LIB;
308 pkey = PEM_read_bio_PrivateKey(in, NULL,
309 ssl->ctx->default_passwd_callback,
310 ssl->
311 ctx->default_passwd_callback_userdata);
312 } else if (type == SSL_FILETYPE_ASN1) {
313 j = ERR_R_ASN1_LIB;
314 pkey = d2i_PrivateKey_bio(in, NULL);
315 } else {
316 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
317 goto end;
318 }
319 if (pkey == NULL) {
320 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
321 goto end;
322 }
323 ret = SSL_use_PrivateKey(ssl, pkey);
324 EVP_PKEY_free(pkey);
325 end:
326 BIO_free(in);
327 return (ret);
328 }
329 #endif
330
331 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
332 long len)
333 {
334 int ret;
335 const unsigned char *p;
336 EVP_PKEY *pkey;
337
338 p = d;
339 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
340 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
341 return (0);
342 }
343
344 ret = SSL_use_PrivateKey(ssl, pkey);
345 EVP_PKEY_free(pkey);
346 return (ret);
347 }
348
349 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
350 {
351 int rv;
352 if (x == NULL) {
353 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
354 return (0);
355 }
356 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
357 if (rv != 1) {
358 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
359 return 0;
360 }
361 return (ssl_set_cert(ctx->cert, x));
362 }
363
364 static int ssl_set_cert(CERT *c, X509 *x)
365 {
366 EVP_PKEY *pkey;
367 int i;
368
369 pkey = X509_get0_pubkey(x);
370 if (pkey == NULL) {
371 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
372 return (0);
373 }
374
375 i = ssl_cert_type(x, pkey);
376 if (i < 0) {
377 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
378 return 0;
379 }
380 #ifndef OPENSSL_NO_EC
381 if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
382 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
383 return 0;
384 }
385 #endif
386 if (c->pkeys[i].privatekey != NULL) {
387 /*
388 * The return code from EVP_PKEY_copy_parameters is deliberately
389 * ignored. Some EVP_PKEY types cannot do this.
390 */
391 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
392 ERR_clear_error();
393
394 #ifndef OPENSSL_NO_RSA
395 /*
396 * Don't check the public/private key, this is mostly for smart
397 * cards.
398 */
399 if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
400 && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
401 RSA_METHOD_FLAG_NO_CHECK) ;
402 else
403 #endif /* OPENSSL_NO_RSA */
404 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
405 /*
406 * don't fail for a cert/key mismatch, just free current private
407 * key (when switching to a different cert & key, first this
408 * function should be used, then ssl_set_pkey
409 */
410 EVP_PKEY_free(c->pkeys[i].privatekey);
411 c->pkeys[i].privatekey = NULL;
412 /* clear error queue */
413 ERR_clear_error();
414 }
415 }
416
417 X509_free(c->pkeys[i].x509);
418 X509_up_ref(x);
419 c->pkeys[i].x509 = x;
420 c->key = &(c->pkeys[i]);
421
422 return 1;
423 }
424
425 #ifndef OPENSSL_NO_STDIO
426 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
427 {
428 int j;
429 BIO *in;
430 int ret = 0;
431 X509 *x = NULL;
432
433 in = BIO_new(BIO_s_file());
434 if (in == NULL) {
435 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
436 goto end;
437 }
438
439 if (BIO_read_filename(in, file) <= 0) {
440 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
441 goto end;
442 }
443 if (type == SSL_FILETYPE_ASN1) {
444 j = ERR_R_ASN1_LIB;
445 x = d2i_X509_bio(in, NULL);
446 } else if (type == SSL_FILETYPE_PEM) {
447 j = ERR_R_PEM_LIB;
448 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
449 ctx->default_passwd_callback_userdata);
450 } else {
451 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
452 goto end;
453 }
454
455 if (x == NULL) {
456 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
457 goto end;
458 }
459
460 ret = SSL_CTX_use_certificate(ctx, x);
461 end:
462 X509_free(x);
463 BIO_free(in);
464 return (ret);
465 }
466 #endif
467
468 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
469 const unsigned char *d)
470 {
471 X509 *x;
472 int ret;
473
474 x = d2i_X509(NULL, &d, (long)len);
475 if (x == NULL) {
476 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
477 return (0);
478 }
479
480 ret = SSL_CTX_use_certificate(ctx, x);
481 X509_free(x);
482 return (ret);
483 }
484
485 #ifndef OPENSSL_NO_RSA
486 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
487 {
488 int ret;
489 EVP_PKEY *pkey;
490
491 if (rsa == NULL) {
492 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
493 return (0);
494 }
495 if ((pkey = EVP_PKEY_new()) == NULL) {
496 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
497 return (0);
498 }
499
500 RSA_up_ref(rsa);
501 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
502 RSA_free(rsa);
503 return 0;
504 }
505
506 ret = ssl_set_pkey(ctx->cert, pkey);
507 EVP_PKEY_free(pkey);
508 return (ret);
509 }
510
511 # ifndef OPENSSL_NO_STDIO
512 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
513 {
514 int j, ret = 0;
515 BIO *in;
516 RSA *rsa = NULL;
517
518 in = BIO_new(BIO_s_file());
519 if (in == NULL) {
520 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
521 goto end;
522 }
523
524 if (BIO_read_filename(in, file) <= 0) {
525 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
526 goto end;
527 }
528 if (type == SSL_FILETYPE_ASN1) {
529 j = ERR_R_ASN1_LIB;
530 rsa = d2i_RSAPrivateKey_bio(in, NULL);
531 } else if (type == SSL_FILETYPE_PEM) {
532 j = ERR_R_PEM_LIB;
533 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
534 ctx->default_passwd_callback,
535 ctx->default_passwd_callback_userdata);
536 } else {
537 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
538 goto end;
539 }
540 if (rsa == NULL) {
541 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
542 goto end;
543 }
544 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
545 RSA_free(rsa);
546 end:
547 BIO_free(in);
548 return (ret);
549 }
550 # endif
551
552 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
553 long len)
554 {
555 int ret;
556 const unsigned char *p;
557 RSA *rsa;
558
559 p = d;
560 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
561 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
562 return (0);
563 }
564
565 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
566 RSA_free(rsa);
567 return (ret);
568 }
569 #endif /* !OPENSSL_NO_RSA */
570
571 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
572 {
573 if (pkey == NULL) {
574 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
575 return (0);
576 }
577 return (ssl_set_pkey(ctx->cert, pkey));
578 }
579
580 #ifndef OPENSSL_NO_STDIO
581 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
582 {
583 int j, ret = 0;
584 BIO *in;
585 EVP_PKEY *pkey = NULL;
586
587 in = BIO_new(BIO_s_file());
588 if (in == NULL) {
589 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
590 goto end;
591 }
592
593 if (BIO_read_filename(in, file) <= 0) {
594 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
595 goto end;
596 }
597 if (type == SSL_FILETYPE_PEM) {
598 j = ERR_R_PEM_LIB;
599 pkey = PEM_read_bio_PrivateKey(in, NULL,
600 ctx->default_passwd_callback,
601 ctx->default_passwd_callback_userdata);
602 } else if (type == SSL_FILETYPE_ASN1) {
603 j = ERR_R_ASN1_LIB;
604 pkey = d2i_PrivateKey_bio(in, NULL);
605 } else {
606 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
607 goto end;
608 }
609 if (pkey == NULL) {
610 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
611 goto end;
612 }
613 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
614 EVP_PKEY_free(pkey);
615 end:
616 BIO_free(in);
617 return (ret);
618 }
619 #endif
620
621 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
622 const unsigned char *d, long len)
623 {
624 int ret;
625 const unsigned char *p;
626 EVP_PKEY *pkey;
627
628 p = d;
629 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
630 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
631 return (0);
632 }
633
634 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
635 EVP_PKEY_free(pkey);
636 return (ret);
637 }
638
639 #ifndef OPENSSL_NO_STDIO
640 /*
641 * Read a file that contains our certificate in "PEM" format, possibly
642 * followed by a sequence of CA certificates that should be sent to the peer
643 * in the Certificate message.
644 */
645 static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
646 {
647 BIO *in;
648 int ret = 0;
649 X509 *x = NULL;
650 pem_password_cb *passwd_callback;
651 void *passwd_callback_userdata;
652
653 ERR_clear_error(); /* clear error stack for
654 * SSL_CTX_use_certificate() */
655
656 if (ctx != NULL) {
657 passwd_callback = ctx->default_passwd_callback;
658 passwd_callback_userdata = ctx->default_passwd_callback_userdata;
659 } else {
660 passwd_callback = ssl->default_passwd_callback;
661 passwd_callback_userdata = ssl->default_passwd_callback_userdata;
662 }
663
664 in = BIO_new(BIO_s_file());
665 if (in == NULL) {
666 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
667 goto end;
668 }
669
670 if (BIO_read_filename(in, file) <= 0) {
671 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
672 goto end;
673 }
674
675 x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
676 passwd_callback_userdata);
677 if (x == NULL) {
678 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
679 goto end;
680 }
681
682 if (ctx)
683 ret = SSL_CTX_use_certificate(ctx, x);
684 else
685 ret = SSL_use_certificate(ssl, x);
686
687 if (ERR_peek_error() != 0)
688 ret = 0; /* Key/certificate mismatch doesn't imply
689 * ret==0 ... */
690 if (ret) {
691 /*
692 * If we could set up our certificate, now proceed to the CA
693 * certificates.
694 */
695 X509 *ca;
696 int r;
697 unsigned long err;
698
699 if (ctx)
700 r = SSL_CTX_clear_chain_certs(ctx);
701 else
702 r = SSL_clear_chain_certs(ssl);
703
704 if (r == 0) {
705 ret = 0;
706 goto end;
707 }
708
709 while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
710 passwd_callback_userdata))
711 != NULL) {
712 if (ctx)
713 r = SSL_CTX_add0_chain_cert(ctx, ca);
714 else
715 r = SSL_add0_chain_cert(ssl, ca);
716 /*
717 * Note that we must not free ca if it was successfully added to
718 * the chain (while we must free the main certificate, since its
719 * reference count is increased by SSL_CTX_use_certificate).
720 */
721 if (!r) {
722 X509_free(ca);
723 ret = 0;
724 goto end;
725 }
726 }
727 /* When the while loop ends, it's usually just EOF. */
728 err = ERR_peek_last_error();
729 if (ERR_GET_LIB(err) == ERR_LIB_PEM
730 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
731 ERR_clear_error();
732 else
733 ret = 0; /* some real error */
734 }
735
736 end:
737 X509_free(x);
738 BIO_free(in);
739 return (ret);
740 }
741
742 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
743 {
744 return use_certificate_chain_file(ctx, NULL, file);
745 }
746
747 int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
748 {
749 return use_certificate_chain_file(NULL, ssl, file);
750 }
751 #endif
752
753 static int serverinfo_find_extension(const unsigned char *serverinfo,
754 size_t serverinfo_length,
755 unsigned int extension_type,
756 const unsigned char **extension_data,
757 size_t *extension_length)
758 {
759 *extension_data = NULL;
760 *extension_length = 0;
761 if (serverinfo == NULL || serverinfo_length == 0)
762 return -1;
763 for (;;) {
764 unsigned int type = 0;
765 size_t len = 0;
766
767 /* end of serverinfo */
768 if (serverinfo_length == 0)
769 return 0; /* Extension not found */
770
771 /* read 2-byte type field */
772 if (serverinfo_length < 2)
773 return -1; /* Error */
774 type = (serverinfo[0] << 8) + serverinfo[1];
775 serverinfo += 2;
776 serverinfo_length -= 2;
777
778 /* read 2-byte len field */
779 if (serverinfo_length < 2)
780 return -1; /* Error */
781 len = (serverinfo[0] << 8) + serverinfo[1];
782 serverinfo += 2;
783 serverinfo_length -= 2;
784
785 if (len > serverinfo_length)
786 return -1; /* Error */
787
788 if (type == extension_type) {
789 *extension_data = serverinfo;
790 *extension_length = len;
791 return 1; /* Success */
792 }
793
794 serverinfo += len;
795 serverinfo_length -= len;
796 }
797 /* Unreachable */
798 }
799
800 static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
801 const unsigned char *in,
802 size_t inlen, int *al, void *arg)
803 {
804
805 if (inlen != 0) {
806 *al = SSL_AD_DECODE_ERROR;
807 return 0;
808 }
809
810 return 1;
811 }
812
813 static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
814 const unsigned char **out, size_t *outlen,
815 int *al, void *arg)
816 {
817 const unsigned char *serverinfo = NULL;
818 size_t serverinfo_length = 0;
819
820 /* Is there serverinfo data for the chosen server cert? */
821 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
822 &serverinfo_length)) != 0) {
823 /* Find the relevant extension from the serverinfo */
824 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
825 ext_type, out, outlen);
826 if (retval == -1) {
827 *al = SSL_AD_DECODE_ERROR;
828 return -1; /* Error */
829 }
830 if (retval == 0)
831 return 0; /* No extension found, don't send extension */
832 return 1; /* Send extension */
833 }
834 return 0; /* No serverinfo data found, don't send
835 * extension */
836 }
837
838 /*
839 * With a NULL context, this function just checks that the serverinfo data
840 * parses correctly. With a non-NULL context, it registers callbacks for
841 * the included extensions.
842 */
843 static int serverinfo_process_buffer(const unsigned char *serverinfo,
844 size_t serverinfo_length, SSL_CTX *ctx)
845 {
846 if (serverinfo == NULL || serverinfo_length == 0)
847 return 0;
848 for (;;) {
849 unsigned int ext_type = 0;
850 size_t len = 0;
851
852 /* end of serverinfo */
853 if (serverinfo_length == 0)
854 return 1;
855
856 /* read 2-byte type field */
857 if (serverinfo_length < 2)
858 return 0;
859 /* FIXME: check for types we understand explicitly? */
860
861 /* Register callbacks for extensions */
862 ext_type = (serverinfo[0] << 8) + serverinfo[1];
863 if (ctx) {
864 int have_ext_cbs = 0;
865 size_t i;
866 custom_ext_methods *exts = &ctx->cert->srv_ext;
867 custom_ext_method *meth = exts->meths;
868
869 for (i = 0; i < exts->meths_count; i++, meth++) {
870 if (ext_type == meth->ext_type) {
871 have_ext_cbs = 1;
872 break;
873 }
874 }
875
876 if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
877 serverinfo_srv_add_cb,
878 NULL, NULL,
879 serverinfo_srv_parse_cb,
880 NULL))
881 return 0;
882 }
883
884 serverinfo += 2;
885 serverinfo_length -= 2;
886
887 /* read 2-byte len field */
888 if (serverinfo_length < 2)
889 return 0;
890 len = (serverinfo[0] << 8) + serverinfo[1];
891 serverinfo += 2;
892 serverinfo_length -= 2;
893
894 if (len > serverinfo_length)
895 return 0;
896
897 serverinfo += len;
898 serverinfo_length -= len;
899 }
900 }
901
902 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
903 size_t serverinfo_length)
904 {
905 unsigned char *new_serverinfo;
906
907 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
908 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER);
909 return 0;
910 }
911 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) {
912 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
913 return 0;
914 }
915 if (ctx->cert->key == NULL) {
916 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
917 return 0;
918 }
919 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
920 serverinfo_length);
921 if (new_serverinfo == NULL) {
922 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
923 return 0;
924 }
925 ctx->cert->key->serverinfo = new_serverinfo;
926 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
927 ctx->cert->key->serverinfo_length = serverinfo_length;
928
929 /*
930 * Now that the serverinfo is validated and stored, go ahead and
931 * register callbacks.
932 */
933 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) {
934 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
935 return 0;
936 }
937 return 1;
938 }
939
940 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
941 {
942 unsigned char *serverinfo = NULL;
943 size_t serverinfo_length = 0;
944 unsigned char *extension = 0;
945 long extension_length = 0;
946 char *name = NULL;
947 char *header = NULL;
948 char namePrefix[] = "SERVERINFO FOR ";
949 int ret = 0;
950 BIO *bin = NULL;
951 size_t num_extensions = 0;
952
953 if (ctx == NULL || file == NULL) {
954 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
955 ERR_R_PASSED_NULL_PARAMETER);
956 goto end;
957 }
958
959 bin = BIO_new(BIO_s_file());
960 if (bin == NULL) {
961 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
962 goto end;
963 }
964 if (BIO_read_filename(bin, file) <= 0) {
965 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
966 goto end;
967 }
968
969 for (num_extensions = 0;; num_extensions++) {
970 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
971 == 0) {
972 /*
973 * There must be at least one extension in this file
974 */
975 if (num_extensions == 0) {
976 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
977 SSL_R_NO_PEM_EXTENSIONS);
978 goto end;
979 } else /* End of file, we're done */
980 break;
981 }
982 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
983 if (strlen(name) < strlen(namePrefix)) {
984 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
985 SSL_R_PEM_NAME_TOO_SHORT);
986 goto end;
987 }
988 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
989 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
990 SSL_R_PEM_NAME_BAD_PREFIX);
991 goto end;
992 }
993 /*
994 * Check that the decoded PEM data is plausible (valid length field)
995 */
996 if (extension_length < 4
997 || (extension[2] << 8) + extension[3] != extension_length - 4) {
998 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
999 goto end;
1000 }
1001 /* Append the decoded extension to the serverinfo buffer */
1002 serverinfo =
1003 OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
1004 if (serverinfo == NULL) {
1005 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
1006 goto end;
1007 }
1008 memcpy(serverinfo + serverinfo_length, extension, extension_length);
1009 serverinfo_length += extension_length;
1010
1011 OPENSSL_free(name);
1012 name = NULL;
1013 OPENSSL_free(header);
1014 header = NULL;
1015 OPENSSL_free(extension);
1016 extension = NULL;
1017 }
1018
1019 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
1020 end:
1021 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1022 OPENSSL_free(name);
1023 OPENSSL_free(header);
1024 OPENSSL_free(extension);
1025 OPENSSL_free(serverinfo);
1026 BIO_free(bin);
1027 return ret;
1028 }
A mirror of the official openssl repository