]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Various custom extension fixes.
[thirdparty/openssl.git] / ssl / ssl_rsa.c
1 /* ssl/ssl_rsa.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "ssl_locl.h"
61 #include <openssl/bio.h>
62 #include <openssl/objects.h>
63 #include <openssl/evp.h>
64 #include <openssl/x509.h>
65 #include <openssl/pem.h>
66
67 static int ssl_set_cert(CERT *c, X509 *x509);
68 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69 #ifndef OPENSSL_NO_TLSEXT
70 static int ssl_set_authz(CERT *c, unsigned char *authz,
71 size_t authz_length);
72 #endif
73 int SSL_use_certificate(SSL *ssl, X509 *x)
74 {
75 if (x == NULL)
76 {
77 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
78 return(0);
79 }
80 if (!ssl_cert_inst(&ssl->cert))
81 {
82 SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
83 return(0);
84 }
85 return(ssl_set_cert(ssl->cert,x));
86 }
87
88 #ifndef OPENSSL_NO_STDIO
89 int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
90 {
91 int j;
92 BIO *in;
93 int ret=0;
94 X509 *x=NULL;
95
96 in=BIO_new(BIO_s_file_internal());
97 if (in == NULL)
98 {
99 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
100 goto end;
101 }
102
103 if (BIO_read_filename(in,file) <= 0)
104 {
105 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
106 goto end;
107 }
108 if (type == SSL_FILETYPE_ASN1)
109 {
110 j=ERR_R_ASN1_LIB;
111 x=d2i_X509_bio(in,NULL);
112 }
113 else if (type == SSL_FILETYPE_PEM)
114 {
115 j=ERR_R_PEM_LIB;
116 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
117 }
118 else
119 {
120 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
121 goto end;
122 }
123
124 if (x == NULL)
125 {
126 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE,j);
127 goto end;
128 }
129
130 ret=SSL_use_certificate(ssl,x);
131 end:
132 if (x != NULL) X509_free(x);
133 if (in != NULL) BIO_free(in);
134 return(ret);
135 }
136 #endif
137
138 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
139 {
140 X509 *x;
141 int ret;
142
143 x=d2i_X509(NULL,&d,(long)len);
144 if (x == NULL)
145 {
146 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
147 return(0);
148 }
149
150 ret=SSL_use_certificate(ssl,x);
151 X509_free(x);
152 return(ret);
153 }
154
155 #ifndef OPENSSL_NO_RSA
156 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
157 {
158 EVP_PKEY *pkey;
159 int ret;
160
161 if (rsa == NULL)
162 {
163 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
164 return(0);
165 }
166 if (!ssl_cert_inst(&ssl->cert))
167 {
168 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
169 return(0);
170 }
171 if ((pkey=EVP_PKEY_new()) == NULL)
172 {
173 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
174 return(0);
175 }
176
177 RSA_up_ref(rsa);
178 EVP_PKEY_assign_RSA(pkey,rsa);
179
180 ret=ssl_set_pkey(ssl->cert,pkey);
181 EVP_PKEY_free(pkey);
182 return(ret);
183 }
184 #endif
185
186 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
187 {
188 int i;
189 /* Special case for DH: check two DH certificate types for a match.
190 * This means for DH certificates we must set the certificate first.
191 */
192 if (pkey->type == EVP_PKEY_DH)
193 {
194 X509 *x;
195 i = -1;
196 x = c->pkeys[SSL_PKEY_DH_RSA].x509;
197 if (x && X509_check_private_key(x, pkey))
198 i = SSL_PKEY_DH_RSA;
199 x = c->pkeys[SSL_PKEY_DH_DSA].x509;
200 if (i == -1 && x && X509_check_private_key(x, pkey))
201 i = SSL_PKEY_DH_DSA;
202 ERR_clear_error();
203 }
204 else
205 i=ssl_cert_type(NULL,pkey);
206 if (i < 0)
207 {
208 SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
209 return(0);
210 }
211
212 if (c->pkeys[i].x509 != NULL)
213 {
214 EVP_PKEY *pktmp;
215 pktmp = X509_get_pubkey(c->pkeys[i].x509);
216 EVP_PKEY_copy_parameters(pktmp,pkey);
217 EVP_PKEY_free(pktmp);
218 ERR_clear_error();
219
220 #ifndef OPENSSL_NO_RSA
221 /* Don't check the public/private key, this is mostly
222 * for smart cards. */
223 if ((pkey->type == EVP_PKEY_RSA) &&
224 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
225 ;
226 else
227 #endif
228 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
229 {
230 X509_free(c->pkeys[i].x509);
231 c->pkeys[i].x509 = NULL;
232 return 0;
233 }
234 }
235
236 if (c->pkeys[i].privatekey != NULL)
237 EVP_PKEY_free(c->pkeys[i].privatekey);
238 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
239 c->pkeys[i].privatekey=pkey;
240 c->key= &(c->pkeys[i]);
241
242 c->valid=0;
243 return(1);
244 }
245
246 #ifndef OPENSSL_NO_RSA
247 #ifndef OPENSSL_NO_STDIO
248 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
249 {
250 int j,ret=0;
251 BIO *in;
252 RSA *rsa=NULL;
253
254 in=BIO_new(BIO_s_file_internal());
255 if (in == NULL)
256 {
257 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
258 goto end;
259 }
260
261 if (BIO_read_filename(in,file) <= 0)
262 {
263 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
264 goto end;
265 }
266 if (type == SSL_FILETYPE_ASN1)
267 {
268 j=ERR_R_ASN1_LIB;
269 rsa=d2i_RSAPrivateKey_bio(in,NULL);
270 }
271 else if (type == SSL_FILETYPE_PEM)
272 {
273 j=ERR_R_PEM_LIB;
274 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
275 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
276 }
277 else
278 {
279 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
280 goto end;
281 }
282 if (rsa == NULL)
283 {
284 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,j);
285 goto end;
286 }
287 ret=SSL_use_RSAPrivateKey(ssl,rsa);
288 RSA_free(rsa);
289 end:
290 if (in != NULL) BIO_free(in);
291 return(ret);
292 }
293 #endif
294
295 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
296 {
297 int ret;
298 const unsigned char *p;
299 RSA *rsa;
300
301 p=d;
302 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
303 {
304 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
305 return(0);
306 }
307
308 ret=SSL_use_RSAPrivateKey(ssl,rsa);
309 RSA_free(rsa);
310 return(ret);
311 }
312 #endif /* !OPENSSL_NO_RSA */
313
314 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
315 {
316 int ret;
317
318 if (pkey == NULL)
319 {
320 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
321 return(0);
322 }
323 if (!ssl_cert_inst(&ssl->cert))
324 {
325 SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
326 return(0);
327 }
328 ret=ssl_set_pkey(ssl->cert,pkey);
329 return(ret);
330 }
331
332 #ifndef OPENSSL_NO_STDIO
333 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
334 {
335 int j,ret=0;
336 BIO *in;
337 EVP_PKEY *pkey=NULL;
338
339 in=BIO_new(BIO_s_file_internal());
340 if (in == NULL)
341 {
342 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
343 goto end;
344 }
345
346 if (BIO_read_filename(in,file) <= 0)
347 {
348 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
349 goto end;
350 }
351 if (type == SSL_FILETYPE_PEM)
352 {
353 j=ERR_R_PEM_LIB;
354 pkey=PEM_read_bio_PrivateKey(in,NULL,
355 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
356 }
357 else if (type == SSL_FILETYPE_ASN1)
358 {
359 j = ERR_R_ASN1_LIB;
360 pkey = d2i_PrivateKey_bio(in,NULL);
361 }
362 else
363 {
364 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
365 goto end;
366 }
367 if (pkey == NULL)
368 {
369 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,j);
370 goto end;
371 }
372 ret=SSL_use_PrivateKey(ssl,pkey);
373 EVP_PKEY_free(pkey);
374 end:
375 if (in != NULL) BIO_free(in);
376 return(ret);
377 }
378 #endif
379
380 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
381 {
382 int ret;
383 const unsigned char *p;
384 EVP_PKEY *pkey;
385
386 p=d;
387 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
388 {
389 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
390 return(0);
391 }
392
393 ret=SSL_use_PrivateKey(ssl,pkey);
394 EVP_PKEY_free(pkey);
395 return(ret);
396 }
397
398 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
399 {
400 if (x == NULL)
401 {
402 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER);
403 return(0);
404 }
405 if (!ssl_cert_inst(&ctx->cert))
406 {
407 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE);
408 return(0);
409 }
410 return(ssl_set_cert(ctx->cert, x));
411 }
412
413 static int ssl_set_cert(CERT *c, X509 *x)
414 {
415 EVP_PKEY *pkey;
416 int i;
417
418 pkey=X509_get_pubkey(x);
419 if (pkey == NULL)
420 {
421 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_X509_LIB);
422 return(0);
423 }
424
425 i=ssl_cert_type(x,pkey);
426 if (i < 0)
427 {
428 SSLerr(SSL_F_SSL_SET_CERT,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
429 EVP_PKEY_free(pkey);
430 return(0);
431 }
432
433 if (c->pkeys[i].privatekey != NULL)
434 {
435 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
436 ERR_clear_error();
437
438 #ifndef OPENSSL_NO_RSA
439 /* Don't check the public/private key, this is mostly
440 * for smart cards. */
441 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
442 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
443 RSA_METHOD_FLAG_NO_CHECK))
444 ;
445 else
446 #endif /* OPENSSL_NO_RSA */
447 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
448 {
449 /* don't fail for a cert/key mismatch, just free
450 * current private key (when switching to a different
451 * cert & key, first this function should be used,
452 * then ssl_set_pkey */
453 EVP_PKEY_free(c->pkeys[i].privatekey);
454 c->pkeys[i].privatekey=NULL;
455 /* clear error queue */
456 ERR_clear_error();
457 }
458 }
459
460 EVP_PKEY_free(pkey);
461
462 if (c->pkeys[i].x509 != NULL)
463 X509_free(c->pkeys[i].x509);
464 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
465 c->pkeys[i].x509=x;
466 c->key= &(c->pkeys[i]);
467
468 c->valid=0;
469 return(1);
470 }
471
472 #ifndef OPENSSL_NO_STDIO
473 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
474 {
475 int j;
476 BIO *in;
477 int ret=0;
478 X509 *x=NULL;
479
480 in=BIO_new(BIO_s_file_internal());
481 if (in == NULL)
482 {
483 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_BUF_LIB);
484 goto end;
485 }
486
487 if (BIO_read_filename(in,file) <= 0)
488 {
489 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,ERR_R_SYS_LIB);
490 goto end;
491 }
492 if (type == SSL_FILETYPE_ASN1)
493 {
494 j=ERR_R_ASN1_LIB;
495 x=d2i_X509_bio(in,NULL);
496 }
497 else if (type == SSL_FILETYPE_PEM)
498 {
499 j=ERR_R_PEM_LIB;
500 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
501 }
502 else
503 {
504 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,SSL_R_BAD_SSL_FILETYPE);
505 goto end;
506 }
507
508 if (x == NULL)
509 {
510 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,j);
511 goto end;
512 }
513
514 ret=SSL_CTX_use_certificate(ctx,x);
515 end:
516 if (x != NULL) X509_free(x);
517 if (in != NULL) BIO_free(in);
518 return(ret);
519 }
520 #endif
521
522 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
523 {
524 X509 *x;
525 int ret;
526
527 x=d2i_X509(NULL,&d,(long)len);
528 if (x == NULL)
529 {
530 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,ERR_R_ASN1_LIB);
531 return(0);
532 }
533
534 ret=SSL_CTX_use_certificate(ctx,x);
535 X509_free(x);
536 return(ret);
537 }
538
539 #ifndef OPENSSL_NO_RSA
540 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
541 {
542 int ret;
543 EVP_PKEY *pkey;
544
545 if (rsa == NULL)
546 {
547 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
548 return(0);
549 }
550 if (!ssl_cert_inst(&ctx->cert))
551 {
552 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
553 return(0);
554 }
555 if ((pkey=EVP_PKEY_new()) == NULL)
556 {
557 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
558 return(0);
559 }
560
561 RSA_up_ref(rsa);
562 EVP_PKEY_assign_RSA(pkey,rsa);
563
564 ret=ssl_set_pkey(ctx->cert, pkey);
565 EVP_PKEY_free(pkey);
566 return(ret);
567 }
568
569 #ifndef OPENSSL_NO_STDIO
570 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
571 {
572 int j,ret=0;
573 BIO *in;
574 RSA *rsa=NULL;
575
576 in=BIO_new(BIO_s_file_internal());
577 if (in == NULL)
578 {
579 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_BUF_LIB);
580 goto end;
581 }
582
583 if (BIO_read_filename(in,file) <= 0)
584 {
585 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,ERR_R_SYS_LIB);
586 goto end;
587 }
588 if (type == SSL_FILETYPE_ASN1)
589 {
590 j=ERR_R_ASN1_LIB;
591 rsa=d2i_RSAPrivateKey_bio(in,NULL);
592 }
593 else if (type == SSL_FILETYPE_PEM)
594 {
595 j=ERR_R_PEM_LIB;
596 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
597 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
598 }
599 else
600 {
601 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
602 goto end;
603 }
604 if (rsa == NULL)
605 {
606 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,j);
607 goto end;
608 }
609 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
610 RSA_free(rsa);
611 end:
612 if (in != NULL) BIO_free(in);
613 return(ret);
614 }
615 #endif
616
617 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
618 {
619 int ret;
620 const unsigned char *p;
621 RSA *rsa;
622
623 p=d;
624 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
625 {
626 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
627 return(0);
628 }
629
630 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
631 RSA_free(rsa);
632 return(ret);
633 }
634 #endif /* !OPENSSL_NO_RSA */
635
636 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
637 {
638 if (pkey == NULL)
639 {
640 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
641 return(0);
642 }
643 if (!ssl_cert_inst(&ctx->cert))
644 {
645 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE);
646 return(0);
647 }
648 return(ssl_set_pkey(ctx->cert,pkey));
649 }
650
651 #ifndef OPENSSL_NO_STDIO
652 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
653 {
654 int j,ret=0;
655 BIO *in;
656 EVP_PKEY *pkey=NULL;
657
658 in=BIO_new(BIO_s_file_internal());
659 if (in == NULL)
660 {
661 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_BUF_LIB);
662 goto end;
663 }
664
665 if (BIO_read_filename(in,file) <= 0)
666 {
667 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,ERR_R_SYS_LIB);
668 goto end;
669 }
670 if (type == SSL_FILETYPE_PEM)
671 {
672 j=ERR_R_PEM_LIB;
673 pkey=PEM_read_bio_PrivateKey(in,NULL,
674 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
675 }
676 else if (type == SSL_FILETYPE_ASN1)
677 {
678 j = ERR_R_ASN1_LIB;
679 pkey = d2i_PrivateKey_bio(in,NULL);
680 }
681 else
682 {
683 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
684 goto end;
685 }
686 if (pkey == NULL)
687 {
688 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,j);
689 goto end;
690 }
691 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
692 EVP_PKEY_free(pkey);
693 end:
694 if (in != NULL) BIO_free(in);
695 return(ret);
696 }
697 #endif
698
699 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
700 long len)
701 {
702 int ret;
703 const unsigned char *p;
704 EVP_PKEY *pkey;
705
706 p=d;
707 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
708 {
709 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,ERR_R_ASN1_LIB);
710 return(0);
711 }
712
713 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
714 EVP_PKEY_free(pkey);
715 return(ret);
716 }
717
718
719 #ifndef OPENSSL_NO_STDIO
720 /* Read a file that contains our certificate in "PEM" format,
721 * possibly followed by a sequence of CA certificates that should be
722 * sent to the peer in the Certificate message.
723 */
724 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
725 {
726 BIO *in;
727 int ret=0;
728 X509 *x=NULL;
729
730 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
731
732 in = BIO_new(BIO_s_file_internal());
733 if (in == NULL)
734 {
735 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
736 goto end;
737 }
738
739 if (BIO_read_filename(in,file) <= 0)
740 {
741 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB);
742 goto end;
743 }
744
745 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
746 ctx->default_passwd_callback_userdata);
747 if (x == NULL)
748 {
749 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
750 goto end;
751 }
752
753 ret = SSL_CTX_use_certificate(ctx, x);
754
755 if (ERR_peek_error() != 0)
756 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
757 if (ret)
758 {
759 /* If we could set up our certificate, now proceed to
760 * the CA certificates.
761 */
762 X509 *ca;
763 int r;
764 unsigned long err;
765
766 if (ctx->extra_certs != NULL)
767 {
768 sk_X509_pop_free(ctx->extra_certs, X509_free);
769 ctx->extra_certs = NULL;
770 }
771
772 while ((ca = PEM_read_bio_X509(in, NULL,
773 ctx->default_passwd_callback,
774 ctx->default_passwd_callback_userdata))
775 != NULL)
776 {
777 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
778 if (!r)
779 {
780 X509_free(ca);
781 ret = 0;
782 goto end;
783 }
784 /* Note that we must not free r if it was successfully
785 * added to the chain (while we must free the main
786 * certificate, since its reference count is increased
787 * by SSL_CTX_use_certificate). */
788 }
789 /* When the while loop ends, it's usually just EOF. */
790 err = ERR_peek_last_error();
791 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
792 ERR_clear_error();
793 else
794 ret = 0; /* some real error */
795 }
796
797 end:
798 if (x != NULL) X509_free(x);
799 if (in != NULL) BIO_free(in);
800 return(ret);
801 }
802 #endif
803
804 #ifndef OPENSSL_NO_TLSEXT
805 /* authz_validate returns true iff authz is well formed, i.e. that it meets the
806 * wire format as documented in the CERT_PKEY structure and that there are no
807 * duplicate entries. */
808 static char authz_validate(const unsigned char *authz, size_t length)
809 {
810 unsigned char types_seen_bitmap[32];
811
812 if (!authz)
813 return 1;
814
815 memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap));
816
817 for (;;)
818 {
819 unsigned char type, byte, bit;
820 unsigned short len;
821
822 if (!length)
823 return 1;
824
825 type = *(authz++);
826 length--;
827
828 byte = type / 8;
829 bit = type & 7;
830 if (types_seen_bitmap[byte] & (1 << bit))
831 return 0;
832 types_seen_bitmap[byte] |= (1 << bit);
833
834 if (length < 2)
835 return 0;
836 len = ((unsigned short) authz[0]) << 8 |
837 ((unsigned short) authz[1]);
838 authz += 2;
839 length -= 2;
840
841 if (length < len)
842 return 0;
843
844 authz += len;
845 length -= len;
846 }
847 }
848
849 static int serverinfo_find_extension(const unsigned char *serverinfo,
850 size_t serverinfo_length,
851 unsigned short extension_type,
852 const unsigned char **extension_data,
853 unsigned short *extension_length)
854 {
855 *extension_data = NULL;
856 *extension_length = 0;
857 if (serverinfo == NULL || serverinfo_length == 0)
858 return 0;
859 for (;;)
860 {
861 unsigned short type = 0; /* uint16 */
862 unsigned short len = 0; /* uint16 */
863
864 /* end of serverinfo */
865 if (serverinfo_length == 0)
866 return -1; /* Extension not found */
867
868 /* read 2-byte type field */
869 if (serverinfo_length < 2)
870 return 0; /* Error */
871 type = (serverinfo[0] << 8) + serverinfo[1];
872 serverinfo += 2;
873 serverinfo_length -= 2;
874
875 /* read 2-byte len field */
876 if (serverinfo_length < 2)
877 return 0; /* Error */
878 len = (serverinfo[0] << 8) + serverinfo[1];
879 serverinfo += 2;
880 serverinfo_length -= 2;
881
882 if (len > serverinfo_length)
883 return 0; /* Error */
884
885 if (type == extension_type)
886 {
887 *extension_data = serverinfo;
888 *extension_length = len;
889 return 1; /* Success */
890 }
891
892 serverinfo += len;
893 serverinfo_length -= len;
894 }
895 return 0; /* Error */
896 }
897
898 static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type,
899 const unsigned char *in,
900 unsigned short inlen, int *al,
901 void *arg)
902 {
903 if (inlen != 0)
904 {
905 *al = SSL_AD_DECODE_ERROR;
906 return 0;
907 }
908 return 1;
909 }
910
911 static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type,
912 const unsigned char **out, unsigned short *outlen,
913 void *arg)
914 {
915 const unsigned char *serverinfo = NULL;
916 size_t serverinfo_length = 0;
917
918 /* Is there serverinfo data for the chosen server cert? */
919 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
920 &serverinfo_length)) != 0)
921 {
922 /* Find the relevant extension from the serverinfo */
923 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
924 ext_type, out, outlen);
925 if (retval == 0)
926 return 0; /* Error */
927 if (retval == -1)
928 return -1; /* No extension found, don't send extension */
929 return 1; /* Send extension */
930 }
931 return -1; /* No serverinfo data found, don't send extension */
932 }
933
934 /* With a NULL context, this function just checks that the serverinfo data
935 parses correctly. With a non-NULL context, it registers callbacks for
936 the included extensions. */
937 static int serverinfo_process_buffer(const unsigned char *serverinfo,
938 size_t serverinfo_length, SSL_CTX *ctx)
939 {
940 if (serverinfo == NULL || serverinfo_length == 0)
941 return 0;
942 for (;;)
943 {
944 unsigned short ext_type = 0; /* uint16 */
945 unsigned short len = 0; /* uint16 */
946
947 /* end of serverinfo */
948 if (serverinfo_length == 0)
949 return 1;
950
951 /* read 2-byte type field */
952 if (serverinfo_length < 2)
953 return 0;
954 /* FIXME: check for types we understand explicitly? */
955
956 /* Register callbacks for extensions */
957 ext_type = (serverinfo[0] << 8) + serverinfo[1];
958 if (ctx && !SSL_CTX_set_custom_srv_ext(ctx, ext_type,
959 serverinfo_srv_first_cb,
960 serverinfo_srv_second_cb, NULL))
961 return 0;
962
963 serverinfo += 2;
964 serverinfo_length -= 2;
965
966 /* read 2-byte len field */
967 if (serverinfo_length < 2)
968 return 0;
969 len = (serverinfo[0] << 8) + serverinfo[1];
970 serverinfo += 2;
971 serverinfo_length -= 2;
972
973 if (len > serverinfo_length)
974 return 0;
975
976 serverinfo += len;
977 serverinfo_length -= len;
978 }
979 }
980
981 static const unsigned char *authz_find_data(const unsigned char *authz,
982 size_t authz_length,
983 unsigned char data_type,
984 size_t *data_length)
985 {
986 if (authz == NULL) return NULL;
987 if (!authz_validate(authz, authz_length))
988 {
989 SSLerr(SSL_F_AUTHZ_FIND_DATA,SSL_R_INVALID_AUTHZ_DATA);
990 return NULL;
991 }
992
993 for (;;)
994 {
995 unsigned char type;
996 unsigned short len;
997 if (!authz_length)
998 return NULL;
999
1000 type = *(authz++);
1001 authz_length--;
1002
1003 /* We've validated the authz data, so we don't have to
1004 * check again that we have enough bytes left. */
1005 len = ((unsigned short) authz[0]) << 8 |
1006 ((unsigned short) authz[1]);
1007 authz += 2;
1008 authz_length -= 2;
1009 if (type == data_type)
1010 {
1011 *data_length = len;
1012 return authz;
1013 }
1014 authz += len;
1015 authz_length -= len;
1016 }
1017 /* No match */
1018 return NULL;
1019 }
1020
1021 static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length)
1022 {
1023 CERT_PKEY *current_key = c->key;
1024 if (current_key == NULL)
1025 return 0;
1026 if (!authz_validate(authz, authz_length))
1027 {
1028 SSLerr(SSL_F_SSL_SET_AUTHZ,SSL_R_INVALID_AUTHZ_DATA);
1029 return(0);
1030 }
1031 current_key->authz = OPENSSL_realloc(current_key->authz, authz_length);
1032 if (current_key->authz == NULL)
1033 {
1034 SSLerr(SSL_F_SSL_SET_AUTHZ,ERR_R_MALLOC_FAILURE);
1035 return 0;
1036 }
1037 current_key->authz_length = authz_length;
1038 memcpy(current_key->authz, authz, authz_length);
1039 return 1;
1040 }
1041
1042 int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz,
1043 size_t authz_length)
1044 {
1045 if (authz == NULL)
1046 {
1047 SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER);
1048 return 0;
1049 }
1050 if (!ssl_cert_inst(&ctx->cert))
1051 {
1052 SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_MALLOC_FAILURE);
1053 return 0;
1054 }
1055 return ssl_set_authz(ctx->cert, authz, authz_length);
1056 }
1057
1058 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
1059 size_t serverinfo_length)
1060 {
1061 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)
1062 {
1063 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_PASSED_NULL_PARAMETER);
1064 return 0;
1065 }
1066 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
1067 {
1068 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
1069 return 0;
1070 }
1071 if (!ssl_cert_inst(&ctx->cert))
1072 {
1073 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_MALLOC_FAILURE);
1074 return 0;
1075 }
1076 if (ctx->cert->key == NULL)
1077 {
1078 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_INTERNAL_ERROR);
1079 return 0;
1080 }
1081 ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
1082 serverinfo_length);
1083 if (ctx->cert->key->serverinfo == NULL)
1084 {
1085 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_MALLOC_FAILURE);
1086 return 0;
1087 }
1088 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
1089 ctx->cert->key->serverinfo_length = serverinfo_length;
1090
1091 /* Now that the serverinfo is validated and stored, go ahead and
1092 * register callbacks. */
1093 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
1094 {
1095 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
1096 return 0;
1097 }
1098 return 1;
1099 }
1100
1101 int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length)
1102 {
1103 if (authz == NULL)
1104 {
1105 SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER);
1106 return 0;
1107 }
1108 if (!ssl_cert_inst(&ssl->cert))
1109 {
1110 SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_MALLOC_FAILURE);
1111 return 0;
1112 }
1113 return ssl_set_authz(ssl->cert, authz, authz_length);
1114 }
1115
1116 const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type,
1117 size_t *data_length)
1118 {
1119 CERT_PKEY *current_key;
1120
1121 if (ctx->cert == NULL)
1122 return NULL;
1123 current_key = ctx->cert->key;
1124 if (current_key->authz == NULL)
1125 return NULL;
1126 return authz_find_data(current_key->authz,
1127 current_key->authz_length, type, data_length);
1128 }
1129
1130 #ifndef OPENSSL_NO_STDIO
1131 /* read_authz returns a newly allocated buffer with authz data */
1132 static unsigned char *read_authz(const char *file, size_t *authz_length)
1133 {
1134 BIO *authz_in = NULL;
1135 unsigned char *authz = NULL;
1136 /* Allow authzs up to 64KB. */
1137 static const size_t authz_limit = 65536;
1138 size_t read_length;
1139 unsigned char *ret = NULL;
1140
1141 authz_in = BIO_new(BIO_s_file_internal());
1142 if (authz_in == NULL)
1143 {
1144 SSLerr(SSL_F_READ_AUTHZ,ERR_R_BUF_LIB);
1145 goto end;
1146 }
1147
1148 if (BIO_read_filename(authz_in,file) <= 0)
1149 {
1150 SSLerr(SSL_F_READ_AUTHZ,ERR_R_SYS_LIB);
1151 goto end;
1152 }
1153
1154 authz = OPENSSL_malloc(authz_limit);
1155 read_length = BIO_read(authz_in, authz, authz_limit);
1156 if (read_length == authz_limit || read_length <= 0)
1157 {
1158 SSLerr(SSL_F_READ_AUTHZ,SSL_R_AUTHZ_DATA_TOO_LARGE);
1159 OPENSSL_free(authz);
1160 goto end;
1161 }
1162 *authz_length = read_length;
1163 ret = authz;
1164 end:
1165 if (authz_in != NULL) BIO_free(authz_in);
1166 return ret;
1167 }
1168
1169 int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file)
1170 {
1171 unsigned char *authz = NULL;
1172 size_t authz_length = 0;
1173 int ret;
1174
1175 authz = read_authz(file, &authz_length);
1176 if (authz == NULL)
1177 return 0;
1178
1179 ret = SSL_CTX_use_authz(ctx, authz, authz_length);
1180 /* SSL_CTX_use_authz makes a local copy of the authz. */
1181 OPENSSL_free(authz);
1182 return ret;
1183 }
1184
1185 int SSL_use_authz_file(SSL *ssl, const char *file)
1186 {
1187 unsigned char *authz = NULL;
1188 size_t authz_length = 0;
1189 int ret;
1190
1191 authz = read_authz(file, &authz_length);
1192 if (authz == NULL)
1193 return 0;
1194
1195 ret = SSL_use_authz(ssl, authz, authz_length);
1196 /* SSL_use_authz makes a local copy of the authz. */
1197 OPENSSL_free(authz);
1198 return ret;
1199 }
1200
1201 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
1202 {
1203 unsigned char *serverinfo = NULL;
1204 size_t serverinfo_length = 0;
1205 unsigned char* extension = 0;
1206 long extension_length = 0;
1207 char* name = NULL;
1208 char* header = NULL;
1209 int ret = 0;
1210 BIO *bin = NULL;
1211 size_t num_extensions = 0;
1212
1213 if (ctx == NULL || file == NULL)
1214 {
1215 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,ERR_R_PASSED_NULL_PARAMETER);
1216 goto end;
1217 }
1218
1219 bin = BIO_new(BIO_s_file_internal());
1220 if (bin == NULL)
1221 {
1222 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
1223 goto end;
1224 }
1225 if (BIO_read_filename(bin, file) <= 0)
1226 {
1227 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
1228 goto end;
1229 }
1230
1231 for (num_extensions=0;; num_extensions++)
1232 {
1233 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0)
1234 {
1235 /* There must be at least one extension in this file */
1236 if (num_extensions == 0)
1237 {
1238 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
1239 goto end;
1240 }
1241 else /* End of file, we're done */
1242 break;
1243 }
1244 /* Check that the decoded PEM data is plausible (valid length field) */
1245 if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
1246 {
1247 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
1248 goto end;
1249 }
1250 /* Append the decoded extension to the serverinfo buffer */
1251 serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
1252 if (serverinfo == NULL)
1253 {
1254 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
1255 goto end;
1256 }
1257 memcpy(serverinfo + serverinfo_length, extension, extension_length);
1258 serverinfo_length += extension_length;
1259
1260 OPENSSL_free(name); name = NULL;
1261 OPENSSL_free(header); header = NULL;
1262 OPENSSL_free(extension); extension = NULL;
1263 }
1264
1265 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
1266 end:
1267 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1268 OPENSSL_free(name);
1269 OPENSSL_free(header);
1270 OPENSSL_free(extension);
1271 OPENSSL_free(serverinfo);
1272 if (bin != NULL)
1273 BIO_free(bin);
1274 return ret;
1275 }
1276 #endif /* OPENSSL_NO_STDIO */
1277 #endif /* OPENSSL_NO_TLSEXT */
A mirror of the official openssl repository