]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssl_rsa.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove MAC cruft
[thirdparty/openssl.git] / ssl / ssl_rsa.c
CommitLineData
846e33c7 1/*
b0edda11 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
d02b48c6
RE		 8 */
9
10#include <stdio.h>
7b63c0fa 11#include "ssl_locl.h"
0d345f0e 12#include "internal/packet.h"
ec577822
BM		 13#include <openssl/bio.h>
14#include <openssl/objects.h>
15#include <openssl/evp.h>
16#include <openssl/x509.h>
17#include <openssl/pem.h>
d02b48c6 18
d02b48c6
RE		 19static int ssl_set_cert(CERT *c, X509 *x509);
20static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
bade29da 21
7a4e6a1e
MC		 22#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
23 | SSL_EXT_CLIENT_HELLO \
24 | SSL_EXT_TLS1_2_SERVER_HELLO \
25 | SSL_EXT_IGNORE_ON_RESUMPTION)
bade29da 26
6b691a5c 27int SSL_use_certificate(SSL *ssl, X509 *x)
0f113f3e
MC		 28{
29 int rv;
30 if (x == NULL) {
31 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 32 return 0;
0f113f3e
MC		 33 }
34 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
35 if (rv != 1) {
36 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
37 return 0;
38 }
39
26a7d938 40 return ssl_set_cert(ssl->cert, x);
0f113f3e 41}
d02b48c6 42
303c0028 43int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 44{
45 int j;
46 BIO *in;
47 int ret = 0;
48 X509 *x = NULL;
49
9982cbbb 50 in = BIO_new(BIO_s_file());
0f113f3e
MC		 51 if (in == NULL) {
52 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
53 goto end;
54 }
55
56 if (BIO_read_filename(in, file) <= 0) {
57 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
58 goto end;
59 }
60 if (type == SSL_FILETYPE_ASN1) {
61 j = ERR_R_ASN1_LIB;
62 x = d2i_X509_bio(in, NULL);
63 } else if (type == SSL_FILETYPE_PEM) {
64 j = ERR_R_PEM_LIB;
d61461a7
P		 65 x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback,
66 ssl->default_passwd_callback_userdata);
0f113f3e
MC		 67 } else {
68 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
69 goto end;
70 }
71
72 if (x == NULL) {
73 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
74 goto end;
75 }
76
77 ret = SSL_use_certificate(ssl, x);
78 end:
222561fe 79 X509_free(x);
ca3a82c3 80 BIO_free(in);
26a7d938 81 return ret;
0f113f3e 82}
d02b48c6 83
875a644a 84int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
0f113f3e
MC		 85{
86 X509 *x;
87 int ret;
88
89 x = d2i_X509(NULL, &d, (long)len);
90 if (x == NULL) {
91 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
26a7d938 92 return 0;
0f113f3e
MC		 93 }
94
95 ret = SSL_use_certificate(ssl, x);
96 X509_free(x);
26a7d938 97 return ret;
0f113f3e 98}
d02b48c6 99
bc36ee62 100#ifndef OPENSSL_NO_RSA
6b691a5c 101int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
0f113f3e
MC		 102{
103 EVP_PKEY *pkey;
104 int ret;
105
106 if (rsa == NULL) {
107 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 108 return 0;
0f113f3e 109 }
0f113f3e
MC		 110 if ((pkey = EVP_PKEY_new()) == NULL) {
111 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
26a7d938 112 return 0;
0f113f3e
MC		 113 }
114
115 RSA_up_ref(rsa);
5f3d93e4
MC		 116 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
117 RSA_free(rsa);
563c1ec6 118 EVP_PKEY_free(pkey);
5f3d93e4
MC		 119 return 0;
120 }
0f113f3e
MC		 121
122 ret = ssl_set_pkey(ssl->cert, pkey);
123 EVP_PKEY_free(pkey);
26a7d938 124 return ret;
0f113f3e 125}
d02b48c6
RE		 126#endif
127
6b691a5c 128static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
0f113f3e 129{
52fd27f9
DSH		 130 size_t i;
131
132 if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
0f113f3e 133 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
26a7d938 134 return 0;
0f113f3e
MC		 135 }
136
137 if (c->pkeys[i].x509 != NULL) {
138 EVP_PKEY *pktmp;
8382fd3a 139 pktmp = X509_get0_pubkey(c->pkeys[i].x509);
5f3d93e4
MC		 140 if (pktmp == NULL) {
141 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
5f3d93e4
MC		 142 return 0;
143 }
144 /*
145 * The return code from EVP_PKEY_copy_parameters is deliberately
146 * ignored. Some EVP_PKEY types cannot do this.
147 */
0f113f3e 148 EVP_PKEY_copy_parameters(pktmp, pkey);
0f113f3e 149 ERR_clear_error();
dfeab068 150
bc36ee62 151#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 152 /*
153 * Don't check the public/private key, this is mostly for smart
154 * cards.
155 */
3aeb9348 156 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
a230b26e 157 && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
0f113f3e 158 else
58964a49 159#endif
0f113f3e
MC		 160 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
161 X509_free(c->pkeys[i].x509);
162 c->pkeys[i].x509 = NULL;
163 return 0;
164 }
165 }
166
25aaa98a 167 EVP_PKEY_free(c->pkeys[i].privatekey);
3aeb9348 168 EVP_PKEY_up_ref(pkey);
0f113f3e 169 c->pkeys[i].privatekey = pkey;
52fd27f9
DSH		 170 c->key = &c->pkeys[i];
171 return 1;
0f113f3e 172}
d02b48c6 173
bc36ee62 174#ifndef OPENSSL_NO_RSA
303c0028 175int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 176{
177 int j, ret = 0;
178 BIO *in;
179 RSA *rsa = NULL;
180
9982cbbb 181 in = BIO_new(BIO_s_file());
0f113f3e
MC		 182 if (in == NULL) {
183 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
184 goto end;
185 }
186
187 if (BIO_read_filename(in, file) <= 0) {
188 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
189 goto end;
190 }
191 if (type == SSL_FILETYPE_ASN1) {
192 j = ERR_R_ASN1_LIB;
193 rsa = d2i_RSAPrivateKey_bio(in, NULL);
194 } else if (type == SSL_FILETYPE_PEM) {
195 j = ERR_R_PEM_LIB;
196 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
d61461a7
P		 197 ssl->default_passwd_callback,
198 ssl->default_passwd_callback_userdata);
0f113f3e
MC		 199 } else {
200 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
201 goto end;
202 }
203 if (rsa == NULL) {
204 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
205 goto end;
206 }
207 ret = SSL_use_RSAPrivateKey(ssl, rsa);
208 RSA_free(rsa);
209 end:
ca3a82c3 210 BIO_free(in);
26a7d938 211 return ret;
0f113f3e 212}
d02b48c6 213
693b71fa 214int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
0f113f3e
MC		 215{
216 int ret;
217 const unsigned char *p;
218 RSA *rsa;
219
220 p = d;
221 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
222 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 223 return 0;
0f113f3e
MC		 224 }
225
226 ret = SSL_use_RSAPrivateKey(ssl, rsa);
227 RSA_free(rsa);
26a7d938 228 return ret;
0f113f3e
MC		 229}
230#endif /* !OPENSSL_NO_RSA */
d02b48c6 231
6b691a5c 232int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
0f113f3e
MC		 233{
234 int ret;
235
236 if (pkey == NULL) {
237 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 238 return 0;
0f113f3e 239 }
0f113f3e 240 ret = ssl_set_pkey(ssl->cert, pkey);
26a7d938 241 return ret;
0f113f3e 242}
d02b48c6 243
303c0028 244int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
0f113f3e
MC		 245{
246 int j, ret = 0;
247 BIO *in;
248 EVP_PKEY *pkey = NULL;
249
9982cbbb 250 in = BIO_new(BIO_s_file());
0f113f3e
MC		 251 if (in == NULL) {
252 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
253 goto end;
254 }
255
256 if (BIO_read_filename(in, file) <= 0) {
257 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
258 goto end;
259 }
260 if (type == SSL_FILETYPE_PEM) {
261 j = ERR_R_PEM_LIB;
262 pkey = PEM_read_bio_PrivateKey(in, NULL,
d61461a7
P		 263 ssl->default_passwd_callback,
264 ssl->default_passwd_callback_userdata);
0f113f3e
MC		 265 } else if (type == SSL_FILETYPE_ASN1) {
266 j = ERR_R_ASN1_LIB;
267 pkey = d2i_PrivateKey_bio(in, NULL);
268 } else {
269 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
270 goto end;
271 }
272 if (pkey == NULL) {
273 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
274 goto end;
275 }
276 ret = SSL_use_PrivateKey(ssl, pkey);
277 EVP_PKEY_free(pkey);
278 end:
ca3a82c3 279 BIO_free(in);
26a7d938 280 return ret;
0f113f3e 281}
d02b48c6 282
0f113f3e
MC		 283int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
284 long len)
285{
286 int ret;
287 const unsigned char *p;
288 EVP_PKEY *pkey;
d02b48c6 289
0f113f3e
MC		 290 p = d;
291 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
292 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 293 return 0;
0f113f3e 294 }
d02b48c6 295
0f113f3e
MC		 296 ret = SSL_use_PrivateKey(ssl, pkey);
297 EVP_PKEY_free(pkey);
26a7d938 298 return ret;
0f113f3e 299}
d02b48c6 300
6b691a5c 301int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
0f113f3e
MC		 302{
303 int rv;
304 if (x == NULL) {
305 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 306 return 0;
0f113f3e
MC		 307 }
308 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
309 if (rv != 1) {
310 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
311 return 0;
312 }
26a7d938 313 return ssl_set_cert(ctx->cert, x);
0f113f3e 314}
d02b48c6 315
6b691a5c 316static int ssl_set_cert(CERT *c, X509 *x)
0f113f3e
MC		 317{
318 EVP_PKEY *pkey;
52fd27f9 319 size_t i;
0f113f3e 320
8382fd3a 321 pkey = X509_get0_pubkey(x);
0f113f3e
MC		 322 if (pkey == NULL) {
323 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
26a7d938 324 return 0;
0f113f3e
MC		 325 }
326
52fd27f9 327 if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
0f113f3e 328 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
8382fd3a 329 return 0;
0f113f3e 330 }
760f317d 331#ifndef OPENSSL_NO_EC
1db3107a
DSH		 332 if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
333 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
334 return 0;
335 }
760f317d 336#endif
0f113f3e 337 if (c->pkeys[i].privatekey != NULL) {
5f3d93e4
MC		 338 /*
339 * The return code from EVP_PKEY_copy_parameters is deliberately
340 * ignored. Some EVP_PKEY types cannot do this.
341 */
0f113f3e
MC		 342 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
343 ERR_clear_error();
dfeab068 344
bc36ee62 345#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 346 /*
347 * Don't check the public/private key, this is mostly for smart
348 * cards.
349 */
3aeb9348
DSH		 350 if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
351 && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
a230b26e 352 RSA_METHOD_FLAG_NO_CHECK) ;
0f113f3e
MC		 353 else
354#endif /* OPENSSL_NO_RSA */
355 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
356 /*
357 * don't fail for a cert/key mismatch, just free current private
358 * key (when switching to a different cert & key, first this
359 * function should be used, then ssl_set_pkey
360 */
361 EVP_PKEY_free(c->pkeys[i].privatekey);
362 c->pkeys[i].privatekey = NULL;
363 /* clear error queue */
364 ERR_clear_error();
365 }
366 }
367
222561fe 368 X509_free(c->pkeys[i].x509);
05f0fb9f 369 X509_up_ref(x);
0f113f3e
MC		 370 c->pkeys[i].x509 = x;
371 c->key = &(c->pkeys[i]);
372
8382fd3a 373 return 1;
0f113f3e 374}
d02b48c6 375
303c0028 376int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 377{
378 int j;
379 BIO *in;
380 int ret = 0;
381 X509 *x = NULL;
382
9982cbbb 383 in = BIO_new(BIO_s_file());
0f113f3e
MC		 384 if (in == NULL) {
385 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
386 goto end;
387 }
388
389 if (BIO_read_filename(in, file) <= 0) {
390 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
391 goto end;
392 }
393 if (type == SSL_FILETYPE_ASN1) {
394 j = ERR_R_ASN1_LIB;
395 x = d2i_X509_bio(in, NULL);
396 } else if (type == SSL_FILETYPE_PEM) {
397 j = ERR_R_PEM_LIB;
398 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
399 ctx->default_passwd_callback_userdata);
400 } else {
401 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
402 goto end;
403 }
404
405 if (x == NULL) {
406 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
407 goto end;
408 }
409
410 ret = SSL_CTX_use_certificate(ctx, x);
411 end:
222561fe 412 X509_free(x);
ca3a82c3 413 BIO_free(in);
26a7d938 414 return ret;
0f113f3e 415}
d02b48c6 416
a230b26e 417int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
0f113f3e
MC		 418{
419 X509 *x;
420 int ret;
d02b48c6 421
0f113f3e
MC		 422 x = d2i_X509(NULL, &d, (long)len);
423 if (x == NULL) {
424 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
26a7d938 425 return 0;
0f113f3e 426 }
d02b48c6 427
0f113f3e
MC		 428 ret = SSL_CTX_use_certificate(ctx, x);
429 X509_free(x);
26a7d938 430 return ret;
0f113f3e 431}
d02b48c6 432
bc36ee62 433#ifndef OPENSSL_NO_RSA
6b691a5c 434int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
0f113f3e
MC		 435{
436 int ret;
437 EVP_PKEY *pkey;
438
439 if (rsa == NULL) {
440 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 441 return 0;
0f113f3e 442 }
0f113f3e
MC		 443 if ((pkey = EVP_PKEY_new()) == NULL) {
444 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
26a7d938 445 return 0;
0f113f3e
MC		 446 }
447
448 RSA_up_ref(rsa);
5f3d93e4
MC		 449 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
450 RSA_free(rsa);
563c1ec6 451 EVP_PKEY_free(pkey);
5f3d93e4
MC		 452 return 0;
453 }
0f113f3e
MC		 454
455 ret = ssl_set_pkey(ctx->cert, pkey);
456 EVP_PKEY_free(pkey);
26a7d938 457 return ret;
0f113f3e
MC		 458}
459
303c0028 460int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 461{
462 int j, ret = 0;
463 BIO *in;
464 RSA *rsa = NULL;
465
9982cbbb 466 in = BIO_new(BIO_s_file());
0f113f3e
MC		 467 if (in == NULL) {
468 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
469 goto end;
470 }
471
472 if (BIO_read_filename(in, file) <= 0) {
473 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
474 goto end;
475 }
476 if (type == SSL_FILETYPE_ASN1) {
477 j = ERR_R_ASN1_LIB;
478 rsa = d2i_RSAPrivateKey_bio(in, NULL);
479 } else if (type == SSL_FILETYPE_PEM) {
480 j = ERR_R_PEM_LIB;
481 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
482 ctx->default_passwd_callback,
483 ctx->default_passwd_callback_userdata);
484 } else {
485 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
486 goto end;
487 }
488 if (rsa == NULL) {
489 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
490 goto end;
491 }
492 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
493 RSA_free(rsa);
494 end:
ca3a82c3 495 BIO_free(in);
26a7d938 496 return ret;
0f113f3e 497}
0f113f3e
MC		 498
499int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
500 long len)
501{
502 int ret;
503 const unsigned char *p;
504 RSA *rsa;
505
506 p = d;
507 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
508 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 509 return 0;
0f113f3e
MC		 510 }
511
512 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
513 RSA_free(rsa);
26a7d938 514 return ret;
0f113f3e
MC		 515}
516#endif /* !OPENSSL_NO_RSA */
d02b48c6 517
6b691a5c 518int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
0f113f3e
MC		 519{
520 if (pkey == NULL) {
521 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
26a7d938 522 return 0;
0f113f3e 523 }
26a7d938 524 return ssl_set_pkey(ctx->cert, pkey);
0f113f3e 525}
d02b48c6 526
303c0028 527int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
0f113f3e
MC		 528{
529 int j, ret = 0;
530 BIO *in;
531 EVP_PKEY *pkey = NULL;
532
9982cbbb 533 in = BIO_new(BIO_s_file());
0f113f3e
MC		 534 if (in == NULL) {
535 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
536 goto end;
537 }
538
539 if (BIO_read_filename(in, file) <= 0) {
540 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
541 goto end;
542 }
543 if (type == SSL_FILETYPE_PEM) {
544 j = ERR_R_PEM_LIB;
545 pkey = PEM_read_bio_PrivateKey(in, NULL,
546 ctx->default_passwd_callback,
547 ctx->default_passwd_callback_userdata);
548 } else if (type == SSL_FILETYPE_ASN1) {
549 j = ERR_R_ASN1_LIB;
550 pkey = d2i_PrivateKey_bio(in, NULL);
551 } else {
552 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
553 goto end;
554 }
555 if (pkey == NULL) {
556 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
557 goto end;
558 }
559 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
560 EVP_PKEY_free(pkey);
561 end:
ca3a82c3 562 BIO_free(in);
26a7d938 563 return ret;
0f113f3e 564}
d02b48c6 565
0f113f3e
MC		 566int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
567 const unsigned char *d, long len)
568{
569 int ret;
570 const unsigned char *p;
571 EVP_PKEY *pkey;
d02b48c6 572
0f113f3e
MC		 573 p = d;
574 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
575 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
26a7d938 576 return 0;
0f113f3e 577 }
d02b48c6 578
0f113f3e
MC		 579 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
580 EVP_PKEY_free(pkey);
26a7d938 581 return ret;
0f113f3e 582}
d02b48c6 583
0f113f3e
MC		 584/*
585 * Read a file that contains our certificate in "PEM" format, possibly
586 * followed by a sequence of CA certificates that should be sent to the peer
587 * in the Certificate message.
b3ca645f 588 */
fae4772c 589static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
0f113f3e
MC		 590{
591 BIO *in;
592 int ret = 0;
593 X509 *x = NULL;
a974e64a
MC		 594 pem_password_cb *passwd_callback;
595 void *passwd_callback_userdata;
0f113f3e
MC		 596
597 ERR_clear_error(); /* clear error stack for
598 * SSL_CTX_use_certificate() */
599
a974e64a
MC		 600 if (ctx != NULL) {
601 passwd_callback = ctx->default_passwd_callback;
602 passwd_callback_userdata = ctx->default_passwd_callback_userdata;
603 } else {
604 passwd_callback = ssl->default_passwd_callback;
605 passwd_callback_userdata = ssl->default_passwd_callback_userdata;
606 }
607
9982cbbb 608 in = BIO_new(BIO_s_file());
0f113f3e 609 if (in == NULL) {
fae4772c 610 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
0f113f3e
MC		 611 goto end;
612 }
613
614 if (BIO_read_filename(in, file) <= 0) {
fae4772c 615 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
0f113f3e
MC		 616 goto end;
617 }
618
a974e64a
MC		 619 x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
620 passwd_callback_userdata);
0f113f3e 621 if (x == NULL) {
fae4772c 622 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
0f113f3e
MC		 623 goto end;
624 }
625
fae4772c
DSH		 626 if (ctx)
627 ret = SSL_CTX_use_certificate(ctx, x);
628 else
629 ret = SSL_use_certificate(ssl, x);
0f113f3e
MC		 630
631 if (ERR_peek_error() != 0)
632 ret = 0; /* Key/certificate mismatch doesn't imply
633 * ret==0 ... */
634 if (ret) {
635 /*
636 * If we could set up our certificate, now proceed to the CA
637 * certificates.
638 */
639 X509 *ca;
640 int r;
641 unsigned long err;
642
fae4772c
DSH		 643 if (ctx)
644 r = SSL_CTX_clear_chain_certs(ctx);
645 else
646 r = SSL_clear_chain_certs(ssl);
647
648 if (r == 0) {
69f68237
MC		 649 ret = 0;
650 goto end;
651 }
0f113f3e 652
a974e64a
MC		 653 while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
654 passwd_callback_userdata))
a230b26e 655 != NULL) {
fae4772c
DSH		 656 if (ctx)
657 r = SSL_CTX_add0_chain_cert(ctx, ca);
658 else
659 r = SSL_add0_chain_cert(ssl, ca);
660 /*
661 * Note that we must not free ca if it was successfully added to
662 * the chain (while we must free the main certificate, since its
663 * reference count is increased by SSL_CTX_use_certificate).
664 */
0f113f3e
MC		 665 if (!r) {
666 X509_free(ca);
667 ret = 0;
668 goto end;
669 }
0f113f3e
MC		 670 }
671 /* When the while loop ends, it's usually just EOF. */
672 err = ERR_peek_last_error();
673 if (ERR_GET_LIB(err) == ERR_LIB_PEM
674 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
675 ERR_clear_error();
676 else
677 ret = 0; /* some real error */
678 }
679
680 end:
25aaa98a 681 X509_free(x);
ca3a82c3 682 BIO_free(in);
26a7d938 683 return ret;
0f113f3e 684}
fae4772c
DSH		 685
686int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
687{
688 return use_certificate_chain_file(ctx, NULL, file);
689}
690
691int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
692{
693 return use_certificate_chain_file(NULL, ssl, file);
694}
a9e1c50b 695
a398f821 696static int serverinfo_find_extension(const unsigned char *serverinfo,
0f113f3e
MC		 697 size_t serverinfo_length,
698 unsigned int extension_type,
699 const unsigned char **extension_data,
700 size_t *extension_length)
701{
84c34ba8
MC		 702 PACKET pkt, data;
703
0f113f3e
MC		 704 *extension_data = NULL;
705 *extension_length = 0;
706 if (serverinfo == NULL || serverinfo_length == 0)
fae11ec7 707 return -1;
84c34ba8
MC		 708
709 if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
710 return -1;
711
0f113f3e
MC		 712 for (;;) {
713 unsigned int type = 0;
84c34ba8 714 unsigned long context = 0;
0f113f3e
MC		 715
716 /* end of serverinfo */
84c34ba8 717 if (PACKET_remaining(&pkt) == 0)
fae11ec7 718 return 0; /* Extension not found */
0f113f3e 719
84c34ba8
MC		 720 if (!PACKET_get_net_4(&pkt, &context)
721 || !PACKET_get_net_2(&pkt, &type)
722 || !PACKET_get_length_prefixed_2(&pkt, &data))
723 return -1;
0f113f3e
MC		 724
725 if (type == extension_type) {
84c34ba8
MC		 726 *extension_data = PACKET_data(&data);
727 *extension_length = PACKET_remaining(&data);;
0f113f3e
MC		 728 return 1; /* Success */
729 }
0f113f3e 730 }
c6ef15c4 731 /* Unreachable */
0f113f3e 732}
a398f821 733
84c34ba8
MC		 734static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type,
735 unsigned int context,
736 const unsigned char *in,
737 size_t inlen, X509 *x, size_t chainidx,
738 int *al, void *arg)
0f113f3e 739{
0a602875 740
0f113f3e
MC		 741 if (inlen != 0) {
742 *al = SSL_AD_DECODE_ERROR;
743 return 0;
744 }
0a602875 745
0f113f3e
MC		 746 return 1;
747}
9cd50f73 748
84c34ba8
MC		 749static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
750 const unsigned char *in,
751 size_t inlen, int *al, void *arg)
752{
753 return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al,
754 arg);
755}
756
757static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
758 unsigned int context,
759 const unsigned char **out,
760 size_t *outlen, X509 *x, size_t chainidx,
761 int *al, void *arg)
0f113f3e
MC		 762{
763 const unsigned char *serverinfo = NULL;
764 size_t serverinfo_length = 0;
765
f233a9d1
MC		 766 /* We only support extensions for the first Certificate */
767 if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
768 return 0;
769
0f113f3e
MC		 770 /* Is there serverinfo data for the chosen server cert? */
771 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
772 &serverinfo_length)) != 0) {
773 /* Find the relevant extension from the serverinfo */
774 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
775 ext_type, out, outlen);
fae11ec7 776 if (retval == -1) {
fb34a0f4 777 *al = SSL_AD_INTERNAL_ERROR;
fae11ec7
KR		 778 return -1; /* Error */
779 }
0f113f3e 780 if (retval == 0)
fae11ec7 781 return 0; /* No extension found, don't send extension */
0f113f3e
MC		 782 return 1; /* Send extension */
783 }
5f18bc58 784 return 0; /* No serverinfo data found, don't send
0f113f3e
MC		 785 * extension */
786}
787
84c34ba8
MC		 788static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
789 const unsigned char **out, size_t *outlen,
790 int *al, void *arg)
791{
792 return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al,
793 arg);
794}
795
0f113f3e
MC		 796/*
797 * With a NULL context, this function just checks that the serverinfo data
798 * parses correctly. With a non-NULL context, it registers callbacks for
799 * the included extensions.
800 */
84c34ba8
MC		 801static int serverinfo_process_buffer(unsigned int version,
802 const unsigned char *serverinfo,
0f113f3e
MC		 803 size_t serverinfo_length, SSL_CTX *ctx)
804{
84c34ba8
MC		 805 PACKET pkt;
806
0f113f3e
MC		 807 if (serverinfo == NULL || serverinfo_length == 0)
808 return 0;
0f113f3e 809
2698bbfe 810 if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2)
84c34ba8 811 return 0;
0f113f3e 812
84c34ba8
MC		 813 if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
814 return 0;
0f113f3e 815
84c34ba8
MC		 816 while (PACKET_remaining(&pkt)) {
817 unsigned long context = 0;
818 unsigned int ext_type = 0;
819 PACKET data;
0f113f3e 820
bade29da 821 if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context))
84c34ba8
MC		 822 || !PACKET_get_net_2(&pkt, &ext_type)
823 || !PACKET_get_length_prefixed_2(&pkt, &data))
0f113f3e
MC		 824 return 0;
825
84c34ba8
MC		 826 if (ctx == NULL)
827 continue;
828
bade29da
MC		 829 /*
830 * The old style custom extensions API could be set separately for
831 * server/client, i.e. you could set one custom extension for a client,
832 * and *for the same extension in the same SSL_CTX* you could set a
833 * custom extension for the server as well. It seems quite weird to be
834 * setting a custom extension for both client and server in a single
835 * SSL_CTX - but theoretically possible. This isn't possible in the
836 * new API. Therefore, if we have V1 serverinfo we use the old API. We
837 * also use the old API even if we have V2 serverinfo but the context
838 * looks like an old style <= TLSv1.2 extension.
839 */
7a4e6a1e 840 if (version == SSL_SERVERINFOV1 || context == SYNTHV1CONTEXT) {
84c34ba8
MC		 841 if (!SSL_CTX_add_server_custom_ext(ctx, ext_type,
842 serverinfo_srv_add_cb,
843 NULL, NULL,
844 serverinfo_srv_parse_cb,
845 NULL))
846 return 0;
847 } else {
848 if (!SSL_CTX_add_custom_ext(ctx, ext_type, context,
849 serverinfoex_srv_add_cb,
850 NULL, NULL,
851 serverinfoex_srv_parse_cb,
852 NULL))
853 return 0;
854 }
0f113f3e 855 }
84c34ba8
MC		 856
857 return 1;
0f113f3e 858}
a398f821 859
84c34ba8
MC		 860int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
861 const unsigned char *serverinfo,
862 size_t serverinfo_length)
0f113f3e
MC		 863{
864 unsigned char *new_serverinfo;
865
866 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
84c34ba8 867 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 868 return 0;
869 }
84c34ba8
MC		 870 if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,
871 NULL)) {
872 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);
0f113f3e
MC		 873 return 0;
874 }
0f113f3e 875 if (ctx->cert->key == NULL) {
84c34ba8 876 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 877 return 0;
878 }
879 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
880 serverinfo_length);
881 if (new_serverinfo == NULL) {
84c34ba8 882 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 883 return 0;
884 }
885 ctx->cert->key->serverinfo = new_serverinfo;
886 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
887 ctx->cert->key->serverinfo_length = serverinfo_length;
888
889 /*
890 * Now that the serverinfo is validated and stored, go ahead and
891 * register callbacks.
892 */
84c34ba8
MC		 893 if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,
894 ctx)) {
895 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);
0f113f3e
MC		 896 return 0;
897 }
898 return 1;
899}
900
84c34ba8
MC		 901int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
902 size_t serverinfo_length)
903{
2698bbfe 904 return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo,
84c34ba8
MC		 905 serverinfo_length);
906}
907
a398f821 908int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
0f113f3e
MC		 909{
910 unsigned char *serverinfo = NULL;
7c0ef843 911 unsigned char *tmp;
0f113f3e
MC		 912 size_t serverinfo_length = 0;
913 unsigned char *extension = 0;
914 long extension_length = 0;
915 char *name = NULL;
916 char *header = NULL;
84c34ba8
MC		 917 char namePrefix1[] = "SERVERINFO FOR ";
918 char namePrefix2[] = "SERVERINFOV2 FOR ";
0f113f3e
MC		 919 int ret = 0;
920 BIO *bin = NULL;
84c34ba8 921 size_t num_extensions = 0, contextoff = 0;
0f113f3e
MC		 922
923 if (ctx == NULL || file == NULL) {
a230b26e 924 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);
0f113f3e
MC		 925 goto end;
926 }
927
9982cbbb 928 bin = BIO_new(BIO_s_file());
0f113f3e
MC		 929 if (bin == NULL) {
930 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
931 goto end;
932 }
933 if (BIO_read_filename(bin, file) <= 0) {
934 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
935 goto end;
936 }
937
938 for (num_extensions = 0;; num_extensions++) {
7a4e6a1e
MC		 939 unsigned int version;
940
0f113f3e
MC		 941 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
942 == 0) {
943 /*
944 * There must be at least one extension in this file
945 */
946 if (num_extensions == 0) {
947 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
948 SSL_R_NO_PEM_EXTENSIONS);
949 goto end;
950 } else /* End of file, we're done */
951 break;
952 }
953 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
84c34ba8 954 if (strlen(name) < strlen(namePrefix1)) {
a230b26e 955 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
0f113f3e
MC		 956 goto end;
957 }
84c34ba8 958 if (strncmp(name, namePrefix1, strlen(namePrefix1)) == 0) {
2698bbfe 959 version = SSL_SERVERINFOV1;
84c34ba8
MC		 960 } else {
961 if (strlen(name) < strlen(namePrefix2)) {
962 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
963 SSL_R_PEM_NAME_TOO_SHORT);
964 goto end;
965 }
966 if (strncmp(name, namePrefix2, strlen(namePrefix2)) != 0) {
967 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
968 SSL_R_PEM_NAME_BAD_PREFIX);
969 goto end;
970 }
2698bbfe 971 version = SSL_SERVERINFOV2;
0f113f3e
MC		 972 }
973 /*
974 * Check that the decoded PEM data is plausible (valid length field)
975 */
2698bbfe 976 if (version == SSL_SERVERINFOV1) {
84c34ba8
MC		 977 /* 4 byte header: 2 bytes type, 2 bytes len */
978 if (extension_length < 4
979 || (extension[2] << 8) + extension[3]
980 != extension_length - 4) {
981 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
982 goto end;
983 }
984 /*
985 * File does not have a context value so we must take account of
986 * this later.
987 */
988 contextoff = 4;
989 } else {
990 /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */
991 if (extension_length < 8
992 || (extension[6] << 8) + extension[7]
993 != extension_length - 8) {
994 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
995 goto end;
996 }
0f113f3e
MC		 997 }
998 /* Append the decoded extension to the serverinfo buffer */
84c34ba8
MC		 999 tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length
1000 + contextoff);
7c0ef843 1001 if (tmp == NULL) {
0f113f3e
MC		 1002 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
1003 goto end;
1004 }
7c0ef843 1005 serverinfo = tmp;
84c34ba8 1006 if (contextoff > 0) {
84c34ba8
MC		 1007 unsigned char *sinfo = serverinfo + serverinfo_length;
1008
1009 /* We know this only uses the last 2 bytes */
1010 sinfo[0] = 0;
1011 sinfo[1] = 0;
7a4e6a1e
MC		 1012 sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;
1013 sinfo[3] = SYNTHV1CONTEXT & 0xff;
84c34ba8
MC		 1014 }
1015 memcpy(serverinfo + serverinfo_length + contextoff,
1016 extension, extension_length);
1017 serverinfo_length += extension_length + contextoff;
0f113f3e
MC		 1018
1019 OPENSSL_free(name);
1020 name = NULL;
1021 OPENSSL_free(header);
1022 header = NULL;
1023 OPENSSL_free(extension);
1024 extension = NULL;
1025 }
1026
bade29da 1027 ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, serverinfo,
bb78552e 1028 serverinfo_length);
0f113f3e
MC		 1029 end:
1030 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1031 OPENSSL_free(name);
1032 OPENSSL_free(header);
1033 OPENSSL_free(extension);
1034 OPENSSL_free(serverinfo);
ca3a82c3 1035 BIO_free(bin);
0f113f3e
MC		 1036 return ret;
1037}
37933acb
TS		 1038
1039static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
1040 STACK_OF(X509) *chain, int override)
1041{
1042 int ret = 0;
1043 size_t i;
1044 int j;
1045 int rv;
1046 CERT *c = ssl != NULL ? ssl->cert : ctx->cert;
1047 STACK_OF(X509) *dup_chain = NULL;
1048 EVP_PKEY *pubkey = NULL;
1049
1050 /* Do all security checks before anything else */
1051 rv = ssl_security_cert(ssl, ctx, x509, 0, 1);
1052 if (rv != 1) {
1053 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);
1054 goto out;
1055 }
1056 for (j = 0; j < sk_X509_num(chain); j++) {
1057 rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0);
1058 if (rv != 1) {
1059 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);
1060 goto out;
1061 }
1062 }
1063
1064 pubkey = X509_get_pubkey(x509); /* bumps reference */
1065 if (pubkey == NULL)
1066 goto out;
1067 if (privatekey == NULL) {
1068 privatekey = pubkey;
1069 } else {
1070 /* For RSA, which has no parameters, missing returns 0 */
1071 if (EVP_PKEY_missing_parameters(privatekey)) {
1072 if (EVP_PKEY_missing_parameters(pubkey)) {
1073 /* nobody has parameters? - error */
1074 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS);
1075 goto out;
1076 } else {
1077 /* copy to privatekey from pubkey */
1078 EVP_PKEY_copy_parameters(privatekey, pubkey);
1079 }
1080 } else if (EVP_PKEY_missing_parameters(pubkey)) {
1081 /* copy to pubkey from privatekey */
1082 EVP_PKEY_copy_parameters(pubkey, privatekey);
1083 } /* else both have parameters */
1084
1085 /* Copied from ssl_set_cert/pkey */
1086#ifndef OPENSSL_NO_RSA
1087 if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
1088 ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
1089 /* no-op */ ;
1090 else
1091#endif
1092 /* check that key <-> cert match */
1093 if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
1094 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
1095 goto out;
1096 }
1097 }
1098 if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) {
1099 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1100 goto out;
1101 }
1102
1103 if (!override && (c->pkeys[i].x509 != NULL
1104 || c->pkeys[i].privatekey != NULL
1105 || c->pkeys[i].chain != NULL)) {
1106 /* No override, and something already there */
1107 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE);
1108 goto out;
1109 }
1110
1111 if (chain != NULL) {
1112 dup_chain = X509_chain_up_ref(chain);
1113 if (dup_chain == NULL) {
1114 SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE);
1115 goto out;
1116 }
1117 }
1118
1119 sk_X509_pop_free(c->pkeys[i].chain, X509_free);
1120 c->pkeys[i].chain = dup_chain;
1121
1122 X509_free(c->pkeys[i].x509);
1123 X509_up_ref(x509);
1124 c->pkeys[i].x509 = x509;
1125
1126 EVP_PKEY_free(c->pkeys[i].privatekey);
1127 EVP_PKEY_up_ref(privatekey);
1128 c->pkeys[i].privatekey = privatekey;
1129
1130 c->key = &(c->pkeys[i]);
1131
1132 ret = 1;
1133 out:
1134 EVP_PKEY_free(pubkey);
1135 return ret;
1136}
1137
1138int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey,
1139 STACK_OF(X509) *chain, int override)
1140{
1141 return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override);
1142}
1143
1144int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
1145 STACK_OF(X509) *chain, int override)
1146{
1147 return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override);
1148}
A mirror of the official openssl repository