]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix return values when adding serverinfo fails.
[thirdparty/openssl.git] / ssl / ssl_rsa.c
1 /* ssl/ssl_rsa.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "ssl_locl.h"
61 #include <openssl/bio.h>
62 #include <openssl/objects.h>
63 #include <openssl/evp.h>
64 #include <openssl/x509.h>
65 #include <openssl/pem.h>
66
67 static int ssl_set_cert(CERT *c, X509 *x509);
68 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69 int SSL_use_certificate(SSL *ssl, X509 *x)
70 {
71 int rv;
72 if (x == NULL) {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
74 return (0);
75 }
76 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
77 if (rv != 1) {
78 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
79 return 0;
80 }
81
82 return (ssl_set_cert(ssl->cert, x));
83 }
84
85 #ifndef OPENSSL_NO_STDIO
86 int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
87 {
88 int j;
89 BIO *in;
90 int ret = 0;
91 X509 *x = NULL;
92
93 in = BIO_new(BIO_s_file_internal());
94 if (in == NULL) {
95 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
96 goto end;
97 }
98
99 if (BIO_read_filename(in, file) <= 0) {
100 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
101 goto end;
102 }
103 if (type == SSL_FILETYPE_ASN1) {
104 j = ERR_R_ASN1_LIB;
105 x = d2i_X509_bio(in, NULL);
106 } else if (type == SSL_FILETYPE_PEM) {
107 j = ERR_R_PEM_LIB;
108 x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback,
109 ssl->ctx->default_passwd_callback_userdata);
110 } else {
111 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
112 goto end;
113 }
114
115 if (x == NULL) {
116 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
117 goto end;
118 }
119
120 ret = SSL_use_certificate(ssl, x);
121 end:
122 X509_free(x);
123 BIO_free(in);
124 return (ret);
125 }
126 #endif
127
128 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
129 {
130 X509 *x;
131 int ret;
132
133 x = d2i_X509(NULL, &d, (long)len);
134 if (x == NULL) {
135 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
136 return (0);
137 }
138
139 ret = SSL_use_certificate(ssl, x);
140 X509_free(x);
141 return (ret);
142 }
143
144 #ifndef OPENSSL_NO_RSA
145 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
146 {
147 EVP_PKEY *pkey;
148 int ret;
149
150 if (rsa == NULL) {
151 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
152 return (0);
153 }
154 if ((pkey = EVP_PKEY_new()) == NULL) {
155 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
156 return (0);
157 }
158
159 RSA_up_ref(rsa);
160 EVP_PKEY_assign_RSA(pkey, rsa);
161
162 ret = ssl_set_pkey(ssl->cert, pkey);
163 EVP_PKEY_free(pkey);
164 return (ret);
165 }
166 #endif
167
168 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
169 {
170 int i;
171 /*
172 * Special case for DH: check two DH certificate types for a match. This
173 * means for DH certificates we must set the certificate first.
174 */
175 if (pkey->type == EVP_PKEY_DH) {
176 X509 *x;
177 i = -1;
178 x = c->pkeys[SSL_PKEY_DH_RSA].x509;
179 if (x && X509_check_private_key(x, pkey))
180 i = SSL_PKEY_DH_RSA;
181 x = c->pkeys[SSL_PKEY_DH_DSA].x509;
182 if (i == -1 && x && X509_check_private_key(x, pkey))
183 i = SSL_PKEY_DH_DSA;
184 ERR_clear_error();
185 } else
186 i = ssl_cert_type(NULL, pkey);
187 if (i < 0) {
188 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
189 return (0);
190 }
191
192 if (c->pkeys[i].x509 != NULL) {
193 EVP_PKEY *pktmp;
194 pktmp = X509_get_pubkey(c->pkeys[i].x509);
195 EVP_PKEY_copy_parameters(pktmp, pkey);
196 EVP_PKEY_free(pktmp);
197 ERR_clear_error();
198
199 #ifndef OPENSSL_NO_RSA
200 /*
201 * Don't check the public/private key, this is mostly for smart
202 * cards.
203 */
204 if ((pkey->type == EVP_PKEY_RSA) &&
205 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ;
206 else
207 #endif
208 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
209 X509_free(c->pkeys[i].x509);
210 c->pkeys[i].x509 = NULL;
211 return 0;
212 }
213 }
214
215 EVP_PKEY_free(c->pkeys[i].privatekey);
216 CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
217 c->pkeys[i].privatekey = pkey;
218 c->key = &(c->pkeys[i]);
219 return (1);
220 }
221
222 #ifndef OPENSSL_NO_RSA
223 # ifndef OPENSSL_NO_STDIO
224 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
225 {
226 int j, ret = 0;
227 BIO *in;
228 RSA *rsa = NULL;
229
230 in = BIO_new(BIO_s_file_internal());
231 if (in == NULL) {
232 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
233 goto end;
234 }
235
236 if (BIO_read_filename(in, file) <= 0) {
237 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
238 goto end;
239 }
240 if (type == SSL_FILETYPE_ASN1) {
241 j = ERR_R_ASN1_LIB;
242 rsa = d2i_RSAPrivateKey_bio(in, NULL);
243 } else if (type == SSL_FILETYPE_PEM) {
244 j = ERR_R_PEM_LIB;
245 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
246 ssl->ctx->default_passwd_callback,
247 ssl->
248 ctx->default_passwd_callback_userdata);
249 } else {
250 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
251 goto end;
252 }
253 if (rsa == NULL) {
254 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
255 goto end;
256 }
257 ret = SSL_use_RSAPrivateKey(ssl, rsa);
258 RSA_free(rsa);
259 end:
260 BIO_free(in);
261 return (ret);
262 }
263 # endif
264
265 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
266 {
267 int ret;
268 const unsigned char *p;
269 RSA *rsa;
270
271 p = d;
272 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
273 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
274 return (0);
275 }
276
277 ret = SSL_use_RSAPrivateKey(ssl, rsa);
278 RSA_free(rsa);
279 return (ret);
280 }
281 #endif /* !OPENSSL_NO_RSA */
282
283 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
284 {
285 int ret;
286
287 if (pkey == NULL) {
288 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
289 return (0);
290 }
291 ret = ssl_set_pkey(ssl->cert, pkey);
292 return (ret);
293 }
294
295 #ifndef OPENSSL_NO_STDIO
296 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
297 {
298 int j, ret = 0;
299 BIO *in;
300 EVP_PKEY *pkey = NULL;
301
302 in = BIO_new(BIO_s_file_internal());
303 if (in == NULL) {
304 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
305 goto end;
306 }
307
308 if (BIO_read_filename(in, file) <= 0) {
309 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
310 goto end;
311 }
312 if (type == SSL_FILETYPE_PEM) {
313 j = ERR_R_PEM_LIB;
314 pkey = PEM_read_bio_PrivateKey(in, NULL,
315 ssl->ctx->default_passwd_callback,
316 ssl->
317 ctx->default_passwd_callback_userdata);
318 } else if (type == SSL_FILETYPE_ASN1) {
319 j = ERR_R_ASN1_LIB;
320 pkey = d2i_PrivateKey_bio(in, NULL);
321 } else {
322 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
323 goto end;
324 }
325 if (pkey == NULL) {
326 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
327 goto end;
328 }
329 ret = SSL_use_PrivateKey(ssl, pkey);
330 EVP_PKEY_free(pkey);
331 end:
332 BIO_free(in);
333 return (ret);
334 }
335 #endif
336
337 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
338 long len)
339 {
340 int ret;
341 const unsigned char *p;
342 EVP_PKEY *pkey;
343
344 p = d;
345 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
346 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
347 return (0);
348 }
349
350 ret = SSL_use_PrivateKey(ssl, pkey);
351 EVP_PKEY_free(pkey);
352 return (ret);
353 }
354
355 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
356 {
357 int rv;
358 if (x == NULL) {
359 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
360 return (0);
361 }
362 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
363 if (rv != 1) {
364 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
365 return 0;
366 }
367 return (ssl_set_cert(ctx->cert, x));
368 }
369
370 static int ssl_set_cert(CERT *c, X509 *x)
371 {
372 EVP_PKEY *pkey;
373 int i;
374
375 pkey = X509_get_pubkey(x);
376 if (pkey == NULL) {
377 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
378 return (0);
379 }
380
381 i = ssl_cert_type(x, pkey);
382 if (i < 0) {
383 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
384 EVP_PKEY_free(pkey);
385 return (0);
386 }
387
388 if (c->pkeys[i].privatekey != NULL) {
389 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
390 ERR_clear_error();
391
392 #ifndef OPENSSL_NO_RSA
393 /*
394 * Don't check the public/private key, this is mostly for smart
395 * cards.
396 */
397 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
398 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
399 RSA_METHOD_FLAG_NO_CHECK)) ;
400 else
401 #endif /* OPENSSL_NO_RSA */
402 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
403 /*
404 * don't fail for a cert/key mismatch, just free current private
405 * key (when switching to a different cert & key, first this
406 * function should be used, then ssl_set_pkey
407 */
408 EVP_PKEY_free(c->pkeys[i].privatekey);
409 c->pkeys[i].privatekey = NULL;
410 /* clear error queue */
411 ERR_clear_error();
412 }
413 }
414
415 EVP_PKEY_free(pkey);
416
417 X509_free(c->pkeys[i].x509);
418 X509_up_ref(x);
419 c->pkeys[i].x509 = x;
420 c->key = &(c->pkeys[i]);
421
422 return (1);
423 }
424
425 #ifndef OPENSSL_NO_STDIO
426 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
427 {
428 int j;
429 BIO *in;
430 int ret = 0;
431 X509 *x = NULL;
432
433 in = BIO_new(BIO_s_file_internal());
434 if (in == NULL) {
435 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
436 goto end;
437 }
438
439 if (BIO_read_filename(in, file) <= 0) {
440 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
441 goto end;
442 }
443 if (type == SSL_FILETYPE_ASN1) {
444 j = ERR_R_ASN1_LIB;
445 x = d2i_X509_bio(in, NULL);
446 } else if (type == SSL_FILETYPE_PEM) {
447 j = ERR_R_PEM_LIB;
448 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
449 ctx->default_passwd_callback_userdata);
450 } else {
451 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
452 goto end;
453 }
454
455 if (x == NULL) {
456 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
457 goto end;
458 }
459
460 ret = SSL_CTX_use_certificate(ctx, x);
461 end:
462 X509_free(x);
463 BIO_free(in);
464 return (ret);
465 }
466 #endif
467
468 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
469 const unsigned char *d)
470 {
471 X509 *x;
472 int ret;
473
474 x = d2i_X509(NULL, &d, (long)len);
475 if (x == NULL) {
476 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
477 return (0);
478 }
479
480 ret = SSL_CTX_use_certificate(ctx, x);
481 X509_free(x);
482 return (ret);
483 }
484
485 #ifndef OPENSSL_NO_RSA
486 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
487 {
488 int ret;
489 EVP_PKEY *pkey;
490
491 if (rsa == NULL) {
492 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
493 return (0);
494 }
495 if ((pkey = EVP_PKEY_new()) == NULL) {
496 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
497 return (0);
498 }
499
500 RSA_up_ref(rsa);
501 EVP_PKEY_assign_RSA(pkey, rsa);
502
503 ret = ssl_set_pkey(ctx->cert, pkey);
504 EVP_PKEY_free(pkey);
505 return (ret);
506 }
507
508 # ifndef OPENSSL_NO_STDIO
509 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
510 {
511 int j, ret = 0;
512 BIO *in;
513 RSA *rsa = NULL;
514
515 in = BIO_new(BIO_s_file_internal());
516 if (in == NULL) {
517 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
518 goto end;
519 }
520
521 if (BIO_read_filename(in, file) <= 0) {
522 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
523 goto end;
524 }
525 if (type == SSL_FILETYPE_ASN1) {
526 j = ERR_R_ASN1_LIB;
527 rsa = d2i_RSAPrivateKey_bio(in, NULL);
528 } else if (type == SSL_FILETYPE_PEM) {
529 j = ERR_R_PEM_LIB;
530 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
531 ctx->default_passwd_callback,
532 ctx->default_passwd_callback_userdata);
533 } else {
534 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
535 goto end;
536 }
537 if (rsa == NULL) {
538 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
539 goto end;
540 }
541 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
542 RSA_free(rsa);
543 end:
544 BIO_free(in);
545 return (ret);
546 }
547 # endif
548
549 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
550 long len)
551 {
552 int ret;
553 const unsigned char *p;
554 RSA *rsa;
555
556 p = d;
557 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
558 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
559 return (0);
560 }
561
562 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
563 RSA_free(rsa);
564 return (ret);
565 }
566 #endif /* !OPENSSL_NO_RSA */
567
568 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
569 {
570 if (pkey == NULL) {
571 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
572 return (0);
573 }
574 return (ssl_set_pkey(ctx->cert, pkey));
575 }
576
577 #ifndef OPENSSL_NO_STDIO
578 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
579 {
580 int j, ret = 0;
581 BIO *in;
582 EVP_PKEY *pkey = NULL;
583
584 in = BIO_new(BIO_s_file_internal());
585 if (in == NULL) {
586 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
587 goto end;
588 }
589
590 if (BIO_read_filename(in, file) <= 0) {
591 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
592 goto end;
593 }
594 if (type == SSL_FILETYPE_PEM) {
595 j = ERR_R_PEM_LIB;
596 pkey = PEM_read_bio_PrivateKey(in, NULL,
597 ctx->default_passwd_callback,
598 ctx->default_passwd_callback_userdata);
599 } else if (type == SSL_FILETYPE_ASN1) {
600 j = ERR_R_ASN1_LIB;
601 pkey = d2i_PrivateKey_bio(in, NULL);
602 } else {
603 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
604 goto end;
605 }
606 if (pkey == NULL) {
607 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
608 goto end;
609 }
610 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
611 EVP_PKEY_free(pkey);
612 end:
613 BIO_free(in);
614 return (ret);
615 }
616 #endif
617
618 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
619 const unsigned char *d, long len)
620 {
621 int ret;
622 const unsigned char *p;
623 EVP_PKEY *pkey;
624
625 p = d;
626 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
627 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
628 return (0);
629 }
630
631 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
632 EVP_PKEY_free(pkey);
633 return (ret);
634 }
635
636 #ifndef OPENSSL_NO_STDIO
637 /*
638 * Read a file that contains our certificate in "PEM" format, possibly
639 * followed by a sequence of CA certificates that should be sent to the peer
640 * in the Certificate message.
641 */
642 static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
643 {
644 BIO *in;
645 int ret = 0;
646 X509 *x = NULL;
647
648 ERR_clear_error(); /* clear error stack for
649 * SSL_CTX_use_certificate() */
650
651 in = BIO_new(BIO_s_file_internal());
652 if (in == NULL) {
653 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
654 goto end;
655 }
656
657 if (BIO_read_filename(in, file) <= 0) {
658 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
659 goto end;
660 }
661
662 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
663 ctx->default_passwd_callback_userdata);
664 if (x == NULL) {
665 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
666 goto end;
667 }
668
669 if (ctx)
670 ret = SSL_CTX_use_certificate(ctx, x);
671 else
672 ret = SSL_use_certificate(ssl, x);
673
674 if (ERR_peek_error() != 0)
675 ret = 0; /* Key/certificate mismatch doesn't imply
676 * ret==0 ... */
677 if (ret) {
678 /*
679 * If we could set up our certificate, now proceed to the CA
680 * certificates.
681 */
682 X509 *ca;
683 int r;
684 unsigned long err;
685
686 if (ctx)
687 r = SSL_CTX_clear_chain_certs(ctx);
688 else
689 r = SSL_clear_chain_certs(ssl);
690
691 if (r == 0) {
692 ret = 0;
693 goto end;
694 }
695
696 while ((ca = PEM_read_bio_X509(in, NULL,
697 ctx->default_passwd_callback,
698 ctx->default_passwd_callback_userdata))
699 != NULL) {
700 if (ctx)
701 r = SSL_CTX_add0_chain_cert(ctx, ca);
702 else
703 r = SSL_add0_chain_cert(ssl, ca);
704 /*
705 * Note that we must not free ca if it was successfully added to
706 * the chain (while we must free the main certificate, since its
707 * reference count is increased by SSL_CTX_use_certificate).
708 */
709 if (!r) {
710 X509_free(ca);
711 ret = 0;
712 goto end;
713 }
714 }
715 /* When the while loop ends, it's usually just EOF. */
716 err = ERR_peek_last_error();
717 if (ERR_GET_LIB(err) == ERR_LIB_PEM
718 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
719 ERR_clear_error();
720 else
721 ret = 0; /* some real error */
722 }
723
724 end:
725 X509_free(x);
726 BIO_free(in);
727 return (ret);
728 }
729
730 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
731 {
732 return use_certificate_chain_file(ctx, NULL, file);
733 }
734
735 int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
736 {
737 return use_certificate_chain_file(NULL, ssl, file);
738 }
739 #endif
740
741 static int serverinfo_find_extension(const unsigned char *serverinfo,
742 size_t serverinfo_length,
743 unsigned int extension_type,
744 const unsigned char **extension_data,
745 size_t *extension_length)
746 {
747 *extension_data = NULL;
748 *extension_length = 0;
749 if (serverinfo == NULL || serverinfo_length == 0)
750 return -1;
751 for (;;) {
752 unsigned int type = 0;
753 size_t len = 0;
754
755 /* end of serverinfo */
756 if (serverinfo_length == 0)
757 return 0; /* Extension not found */
758
759 /* read 2-byte type field */
760 if (serverinfo_length < 2)
761 return -1; /* Error */
762 type = (serverinfo[0] << 8) + serverinfo[1];
763 serverinfo += 2;
764 serverinfo_length -= 2;
765
766 /* read 2-byte len field */
767 if (serverinfo_length < 2)
768 return -1; /* Error */
769 len = (serverinfo[0] << 8) + serverinfo[1];
770 serverinfo += 2;
771 serverinfo_length -= 2;
772
773 if (len > serverinfo_length)
774 return -1; /* Error */
775
776 if (type == extension_type) {
777 *extension_data = serverinfo;
778 *extension_length = len;
779 return 1; /* Success */
780 }
781
782 serverinfo += len;
783 serverinfo_length -= len;
784 }
785 /* Unreachable */
786 }
787
788 static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
789 const unsigned char *in,
790 size_t inlen, int *al, void *arg)
791 {
792
793 if (inlen != 0) {
794 *al = SSL_AD_DECODE_ERROR;
795 return 0;
796 }
797
798 return 1;
799 }
800
801 static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
802 const unsigned char **out, size_t *outlen,
803 int *al, void *arg)
804 {
805 const unsigned char *serverinfo = NULL;
806 size_t serverinfo_length = 0;
807
808 /* Is there serverinfo data for the chosen server cert? */
809 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
810 &serverinfo_length)) != 0) {
811 /* Find the relevant extension from the serverinfo */
812 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
813 ext_type, out, outlen);
814 if (retval == -1) {
815 *al = SSL_AD_DECODE_ERROR;
816 return -1; /* Error */
817 }
818 if (retval == 0)
819 return 0; /* No extension found, don't send extension */
820 return 1; /* Send extension */
821 }
822 return -1; /* No serverinfo data found, don't send
823 * extension */
824 }
825
826 /*
827 * With a NULL context, this function just checks that the serverinfo data
828 * parses correctly. With a non-NULL context, it registers callbacks for
829 * the included extensions.
830 */
831 static int serverinfo_process_buffer(const unsigned char *serverinfo,
832 size_t serverinfo_length, SSL_CTX *ctx)
833 {
834 if (serverinfo == NULL || serverinfo_length == 0)
835 return 0;
836 for (;;) {
837 unsigned int ext_type = 0;
838 size_t len = 0;
839
840 /* end of serverinfo */
841 if (serverinfo_length == 0)
842 return 1;
843
844 /* read 2-byte type field */
845 if (serverinfo_length < 2)
846 return 0;
847 /* FIXME: check for types we understand explicitly? */
848
849 /* Register callbacks for extensions */
850 ext_type = (serverinfo[0] << 8) + serverinfo[1];
851 if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
852 serverinfo_srv_add_cb,
853 NULL, NULL,
854 serverinfo_srv_parse_cb,
855 NULL))
856 return 0;
857
858 serverinfo += 2;
859 serverinfo_length -= 2;
860
861 /* read 2-byte len field */
862 if (serverinfo_length < 2)
863 return 0;
864 len = (serverinfo[0] << 8) + serverinfo[1];
865 serverinfo += 2;
866 serverinfo_length -= 2;
867
868 if (len > serverinfo_length)
869 return 0;
870
871 serverinfo += len;
872 serverinfo_length -= len;
873 }
874 }
875
876 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
877 size_t serverinfo_length)
878 {
879 unsigned char *new_serverinfo;
880
881 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
882 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER);
883 return 0;
884 }
885 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) {
886 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
887 return 0;
888 }
889 if (ctx->cert->key == NULL) {
890 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
891 return 0;
892 }
893 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
894 serverinfo_length);
895 if (new_serverinfo == NULL) {
896 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
897 return 0;
898 }
899 ctx->cert->key->serverinfo = new_serverinfo;
900 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
901 ctx->cert->key->serverinfo_length = serverinfo_length;
902
903 /*
904 * Now that the serverinfo is validated and stored, go ahead and
905 * register callbacks.
906 */
907 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) {
908 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
909 return 0;
910 }
911 return 1;
912 }
913
914 #ifndef OPENSSL_NO_STDIO
915 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
916 {
917 unsigned char *serverinfo = NULL;
918 size_t serverinfo_length = 0;
919 unsigned char *extension = 0;
920 long extension_length = 0;
921 char *name = NULL;
922 char *header = NULL;
923 char namePrefix[] = "SERVERINFO FOR ";
924 int ret = 0;
925 BIO *bin = NULL;
926 size_t num_extensions = 0;
927
928 if (ctx == NULL || file == NULL) {
929 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
930 ERR_R_PASSED_NULL_PARAMETER);
931 goto end;
932 }
933
934 bin = BIO_new(BIO_s_file_internal());
935 if (bin == NULL) {
936 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
937 goto end;
938 }
939 if (BIO_read_filename(bin, file) <= 0) {
940 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
941 goto end;
942 }
943
944 for (num_extensions = 0;; num_extensions++) {
945 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
946 == 0) {
947 /*
948 * There must be at least one extension in this file
949 */
950 if (num_extensions == 0) {
951 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
952 SSL_R_NO_PEM_EXTENSIONS);
953 goto end;
954 } else /* End of file, we're done */
955 break;
956 }
957 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
958 if (strlen(name) < strlen(namePrefix)) {
959 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
960 SSL_R_PEM_NAME_TOO_SHORT);
961 goto end;
962 }
963 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
964 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
965 SSL_R_PEM_NAME_BAD_PREFIX);
966 goto end;
967 }
968 /*
969 * Check that the decoded PEM data is plausible (valid length field)
970 */
971 if (extension_length < 4
972 || (extension[2] << 8) + extension[3] != extension_length - 4) {
973 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
974 goto end;
975 }
976 /* Append the decoded extension to the serverinfo buffer */
977 serverinfo =
978 OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
979 if (serverinfo == NULL) {
980 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
981 goto end;
982 }
983 memcpy(serverinfo + serverinfo_length, extension, extension_length);
984 serverinfo_length += extension_length;
985
986 OPENSSL_free(name);
987 name = NULL;
988 OPENSSL_free(header);
989 header = NULL;
990 OPENSSL_free(extension);
991 extension = NULL;
992 }
993
994 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
995 end:
996 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
997 OPENSSL_free(name);
998 OPENSSL_free(header);
999 OPENSSL_free(extension);
1000 OPENSSL_free(serverinfo);
1001 BIO_free(bin);
1002 return ret;
1003 }
1004 #endif /* OPENSSL_NO_STDIO */
A mirror of the official openssl repository