Line data Source code
1 : /* ssl/ssl_rsa.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 :
59 : #include <stdio.h>
60 : #include "ssl_locl.h"
61 : #include <openssl/bio.h>
62 : #include <openssl/objects.h>
63 : #include <openssl/evp.h>
64 : #include <openssl/x509.h>
65 : #include <openssl/pem.h>
66 :
67 : static int ssl_set_cert(CERT *c, X509 *x509);
68 : static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
69 0 : int SSL_use_certificate(SSL *ssl, X509 *x)
70 : {
71 0 : if (x == NULL) {
72 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
73 0 : return (0);
74 : }
75 0 : if (!ssl_cert_inst(&ssl->cert)) {
76 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
77 0 : return (0);
78 : }
79 0 : return (ssl_set_cert(ssl->cert, x));
80 : }
81 :
82 : #ifndef OPENSSL_NO_STDIO
83 0 : int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
84 : {
85 : int j;
86 : BIO *in;
87 : int ret = 0;
88 : X509 *x = NULL;
89 :
90 0 : in = BIO_new(BIO_s_file_internal());
91 0 : if (in == NULL) {
92 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
93 0 : goto end;
94 : }
95 :
96 0 : if (BIO_read_filename(in, file) <= 0) {
97 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
98 0 : goto end;
99 : }
100 0 : if (type == SSL_FILETYPE_ASN1) {
101 : j = ERR_R_ASN1_LIB;
102 0 : x = d2i_X509_bio(in, NULL);
103 0 : } else if (type == SSL_FILETYPE_PEM) {
104 : j = ERR_R_PEM_LIB;
105 0 : x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback,
106 0 : ssl->ctx->default_passwd_callback_userdata);
107 : } else {
108 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
109 0 : goto end;
110 : }
111 :
112 0 : if (x == NULL) {
113 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
114 0 : goto end;
115 : }
116 :
117 0 : ret = SSL_use_certificate(ssl, x);
118 : end:
119 0 : if (x != NULL)
120 0 : X509_free(x);
121 0 : if (in != NULL)
122 0 : BIO_free(in);
123 0 : return (ret);
124 : }
125 : #endif
126 :
127 0 : int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
128 : {
129 : X509 *x;
130 : int ret;
131 :
132 0 : x = d2i_X509(NULL, &d, (long)len);
133 0 : if (x == NULL) {
134 0 : SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
135 0 : return (0);
136 : }
137 :
138 0 : ret = SSL_use_certificate(ssl, x);
139 0 : X509_free(x);
140 0 : return (ret);
141 : }
142 :
143 : #ifndef OPENSSL_NO_RSA
144 0 : int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
145 : {
146 : EVP_PKEY *pkey;
147 : int ret;
148 :
149 0 : if (rsa == NULL) {
150 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
151 0 : return (0);
152 : }
153 0 : if (!ssl_cert_inst(&ssl->cert)) {
154 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
155 0 : return (0);
156 : }
157 0 : if ((pkey = EVP_PKEY_new()) == NULL) {
158 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
159 0 : return (0);
160 : }
161 :
162 0 : RSA_up_ref(rsa);
163 0 : EVP_PKEY_assign_RSA(pkey, rsa);
164 :
165 0 : ret = ssl_set_pkey(ssl->cert, pkey);
166 0 : EVP_PKEY_free(pkey);
167 0 : return (ret);
168 : }
169 : #endif
170 :
171 438 : static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
172 : {
173 : int i;
174 : /*
175 : * Special case for DH: check two DH certificate types for a match. This
176 : * means for DH certificates we must set the certificate first.
177 : */
178 438 : if (pkey->type == EVP_PKEY_DH) {
179 : X509 *x;
180 : i = -1;
181 0 : x = c->pkeys[SSL_PKEY_DH_RSA].x509;
182 0 : if (x && X509_check_private_key(x, pkey))
183 : i = SSL_PKEY_DH_RSA;
184 0 : x = c->pkeys[SSL_PKEY_DH_DSA].x509;
185 0 : if (i == -1 && x && X509_check_private_key(x, pkey))
186 : i = SSL_PKEY_DH_DSA;
187 0 : ERR_clear_error();
188 : } else
189 438 : i = ssl_cert_type(NULL, pkey);
190 438 : if (i < 0) {
191 0 : SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
192 0 : return (0);
193 : }
194 :
195 438 : if (c->pkeys[i].x509 != NULL) {
196 : EVP_PKEY *pktmp;
197 438 : pktmp = X509_get_pubkey(c->pkeys[i].x509);
198 438 : EVP_PKEY_copy_parameters(pktmp, pkey);
199 438 : EVP_PKEY_free(pktmp);
200 438 : ERR_clear_error();
201 :
202 : #ifndef OPENSSL_NO_RSA
203 : /*
204 : * Don't check the public/private key, this is mostly for smart
205 : * cards.
206 : */
207 876 : if ((pkey->type == EVP_PKEY_RSA) &&
208 438 : (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ;
209 : else
210 : #endif
211 438 : if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
212 0 : X509_free(c->pkeys[i].x509);
213 0 : c->pkeys[i].x509 = NULL;
214 0 : return 0;
215 : }
216 : }
217 :
218 438 : if (c->pkeys[i].privatekey != NULL)
219 0 : EVP_PKEY_free(c->pkeys[i].privatekey);
220 438 : CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
221 438 : c->pkeys[i].privatekey = pkey;
222 438 : c->key = &(c->pkeys[i]);
223 :
224 438 : c->valid = 0;
225 438 : return (1);
226 : }
227 :
228 : #ifndef OPENSSL_NO_RSA
229 : # ifndef OPENSSL_NO_STDIO
230 0 : int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
231 : {
232 : int j, ret = 0;
233 : BIO *in;
234 : RSA *rsa = NULL;
235 :
236 0 : in = BIO_new(BIO_s_file_internal());
237 0 : if (in == NULL) {
238 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
239 0 : goto end;
240 : }
241 :
242 0 : if (BIO_read_filename(in, file) <= 0) {
243 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
244 0 : goto end;
245 : }
246 0 : if (type == SSL_FILETYPE_ASN1) {
247 : j = ERR_R_ASN1_LIB;
248 0 : rsa = d2i_RSAPrivateKey_bio(in, NULL);
249 0 : } else if (type == SSL_FILETYPE_PEM) {
250 : j = ERR_R_PEM_LIB;
251 0 : rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
252 : ssl->ctx->default_passwd_callback,
253 0 : ssl->
254 : ctx->default_passwd_callback_userdata);
255 : } else {
256 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
257 0 : goto end;
258 : }
259 0 : if (rsa == NULL) {
260 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
261 0 : goto end;
262 : }
263 0 : ret = SSL_use_RSAPrivateKey(ssl, rsa);
264 0 : RSA_free(rsa);
265 : end:
266 0 : if (in != NULL)
267 0 : BIO_free(in);
268 0 : return (ret);
269 : }
270 : # endif
271 :
272 0 : int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
273 : {
274 : int ret;
275 : const unsigned char *p;
276 : RSA *rsa;
277 :
278 0 : p = d;
279 0 : if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
280 0 : SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
281 0 : return (0);
282 : }
283 :
284 0 : ret = SSL_use_RSAPrivateKey(ssl, rsa);
285 0 : RSA_free(rsa);
286 0 : return (ret);
287 : }
288 : #endif /* !OPENSSL_NO_RSA */
289 :
290 0 : int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
291 : {
292 : int ret;
293 :
294 0 : if (pkey == NULL) {
295 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
296 0 : return (0);
297 : }
298 0 : if (!ssl_cert_inst(&ssl->cert)) {
299 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
300 0 : return (0);
301 : }
302 0 : ret = ssl_set_pkey(ssl->cert, pkey);
303 0 : return (ret);
304 : }
305 :
306 : #ifndef OPENSSL_NO_STDIO
307 0 : int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
308 : {
309 : int j, ret = 0;
310 : BIO *in;
311 : EVP_PKEY *pkey = NULL;
312 :
313 0 : in = BIO_new(BIO_s_file_internal());
314 0 : if (in == NULL) {
315 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
316 0 : goto end;
317 : }
318 :
319 0 : if (BIO_read_filename(in, file) <= 0) {
320 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
321 0 : goto end;
322 : }
323 0 : if (type == SSL_FILETYPE_PEM) {
324 : j = ERR_R_PEM_LIB;
325 0 : pkey = PEM_read_bio_PrivateKey(in, NULL,
326 : ssl->ctx->default_passwd_callback,
327 0 : ssl->
328 : ctx->default_passwd_callback_userdata);
329 0 : } else if (type == SSL_FILETYPE_ASN1) {
330 : j = ERR_R_ASN1_LIB;
331 0 : pkey = d2i_PrivateKey_bio(in, NULL);
332 : } else {
333 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
334 0 : goto end;
335 : }
336 0 : if (pkey == NULL) {
337 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
338 0 : goto end;
339 : }
340 0 : ret = SSL_use_PrivateKey(ssl, pkey);
341 0 : EVP_PKEY_free(pkey);
342 : end:
343 0 : if (in != NULL)
344 0 : BIO_free(in);
345 0 : return (ret);
346 : }
347 : #endif
348 :
349 0 : int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
350 : long len)
351 : {
352 : int ret;
353 : const unsigned char *p;
354 : EVP_PKEY *pkey;
355 :
356 0 : p = d;
357 0 : if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
358 0 : SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
359 0 : return (0);
360 : }
361 :
362 0 : ret = SSL_use_PrivateKey(ssl, pkey);
363 0 : EVP_PKEY_free(pkey);
364 0 : return (ret);
365 : }
366 :
367 438 : int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
368 : {
369 438 : if (x == NULL) {
370 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
371 0 : return (0);
372 : }
373 438 : if (!ssl_cert_inst(&ctx->cert)) {
374 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
375 0 : return (0);
376 : }
377 438 : return (ssl_set_cert(ctx->cert, x));
378 : }
379 :
380 438 : static int ssl_set_cert(CERT *c, X509 *x)
381 : {
382 : EVP_PKEY *pkey;
383 : int i;
384 :
385 438 : pkey = X509_get_pubkey(x);
386 438 : if (pkey == NULL) {
387 0 : SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
388 0 : return (0);
389 : }
390 :
391 438 : i = ssl_cert_type(x, pkey);
392 438 : if (i < 0) {
393 0 : SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
394 0 : EVP_PKEY_free(pkey);
395 0 : return (0);
396 : }
397 :
398 438 : if (c->pkeys[i].privatekey != NULL) {
399 0 : EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
400 0 : ERR_clear_error();
401 :
402 : #ifndef OPENSSL_NO_RSA
403 : /*
404 : * Don't check the public/private key, this is mostly for smart
405 : * cards.
406 : */
407 0 : if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
408 0 : (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
409 : RSA_METHOD_FLAG_NO_CHECK)) ;
410 : else
411 : #endif /* OPENSSL_NO_RSA */
412 0 : if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
413 : /*
414 : * don't fail for a cert/key mismatch, just free current private
415 : * key (when switching to a different cert & key, first this
416 : * function should be used, then ssl_set_pkey
417 : */
418 0 : EVP_PKEY_free(c->pkeys[i].privatekey);
419 0 : c->pkeys[i].privatekey = NULL;
420 : /* clear error queue */
421 0 : ERR_clear_error();
422 : }
423 : }
424 :
425 438 : EVP_PKEY_free(pkey);
426 :
427 438 : if (c->pkeys[i].x509 != NULL)
428 0 : X509_free(c->pkeys[i].x509);
429 438 : CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
430 438 : c->pkeys[i].x509 = x;
431 438 : c->key = &(c->pkeys[i]);
432 :
433 438 : c->valid = 0;
434 438 : return (1);
435 : }
436 :
437 : #ifndef OPENSSL_NO_STDIO
438 0 : int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
439 : {
440 : int j;
441 : BIO *in;
442 : int ret = 0;
443 : X509 *x = NULL;
444 :
445 0 : in = BIO_new(BIO_s_file_internal());
446 0 : if (in == NULL) {
447 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
448 0 : goto end;
449 : }
450 :
451 0 : if (BIO_read_filename(in, file) <= 0) {
452 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
453 0 : goto end;
454 : }
455 0 : if (type == SSL_FILETYPE_ASN1) {
456 : j = ERR_R_ASN1_LIB;
457 0 : x = d2i_X509_bio(in, NULL);
458 0 : } else if (type == SSL_FILETYPE_PEM) {
459 : j = ERR_R_PEM_LIB;
460 0 : x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
461 : ctx->default_passwd_callback_userdata);
462 : } else {
463 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
464 0 : goto end;
465 : }
466 :
467 0 : if (x == NULL) {
468 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
469 0 : goto end;
470 : }
471 :
472 0 : ret = SSL_CTX_use_certificate(ctx, x);
473 : end:
474 0 : if (x != NULL)
475 0 : X509_free(x);
476 0 : if (in != NULL)
477 0 : BIO_free(in);
478 0 : return (ret);
479 : }
480 : #endif
481 :
482 0 : int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
483 : const unsigned char *d)
484 : {
485 : X509 *x;
486 : int ret;
487 :
488 0 : x = d2i_X509(NULL, &d, (long)len);
489 0 : if (x == NULL) {
490 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
491 0 : return (0);
492 : }
493 :
494 0 : ret = SSL_CTX_use_certificate(ctx, x);
495 0 : X509_free(x);
496 0 : return (ret);
497 : }
498 :
499 : #ifndef OPENSSL_NO_RSA
500 0 : int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
501 : {
502 : int ret;
503 : EVP_PKEY *pkey;
504 :
505 0 : if (rsa == NULL) {
506 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
507 0 : return (0);
508 : }
509 0 : if (!ssl_cert_inst(&ctx->cert)) {
510 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
511 0 : return (0);
512 : }
513 0 : if ((pkey = EVP_PKEY_new()) == NULL) {
514 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
515 0 : return (0);
516 : }
517 :
518 0 : RSA_up_ref(rsa);
519 0 : EVP_PKEY_assign_RSA(pkey, rsa);
520 :
521 0 : ret = ssl_set_pkey(ctx->cert, pkey);
522 0 : EVP_PKEY_free(pkey);
523 0 : return (ret);
524 : }
525 :
526 : # ifndef OPENSSL_NO_STDIO
527 0 : int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
528 : {
529 : int j, ret = 0;
530 : BIO *in;
531 : RSA *rsa = NULL;
532 :
533 0 : in = BIO_new(BIO_s_file_internal());
534 0 : if (in == NULL) {
535 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
536 0 : goto end;
537 : }
538 :
539 0 : if (BIO_read_filename(in, file) <= 0) {
540 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
541 0 : goto end;
542 : }
543 0 : if (type == SSL_FILETYPE_ASN1) {
544 : j = ERR_R_ASN1_LIB;
545 0 : rsa = d2i_RSAPrivateKey_bio(in, NULL);
546 0 : } else if (type == SSL_FILETYPE_PEM) {
547 : j = ERR_R_PEM_LIB;
548 0 : rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
549 : ctx->default_passwd_callback,
550 : ctx->default_passwd_callback_userdata);
551 : } else {
552 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
553 0 : goto end;
554 : }
555 0 : if (rsa == NULL) {
556 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
557 0 : goto end;
558 : }
559 0 : ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
560 0 : RSA_free(rsa);
561 : end:
562 0 : if (in != NULL)
563 0 : BIO_free(in);
564 0 : return (ret);
565 : }
566 : # endif
567 :
568 0 : int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
569 : long len)
570 : {
571 : int ret;
572 : const unsigned char *p;
573 : RSA *rsa;
574 :
575 0 : p = d;
576 0 : if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
577 0 : SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
578 0 : return (0);
579 : }
580 :
581 0 : ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
582 0 : RSA_free(rsa);
583 0 : return (ret);
584 : }
585 : #endif /* !OPENSSL_NO_RSA */
586 :
587 438 : int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
588 : {
589 438 : if (pkey == NULL) {
590 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
591 0 : return (0);
592 : }
593 438 : if (!ssl_cert_inst(&ctx->cert)) {
594 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
595 0 : return (0);
596 : }
597 438 : return (ssl_set_pkey(ctx->cert, pkey));
598 : }
599 :
600 : #ifndef OPENSSL_NO_STDIO
601 0 : int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
602 : {
603 : int j, ret = 0;
604 : BIO *in;
605 : EVP_PKEY *pkey = NULL;
606 :
607 0 : in = BIO_new(BIO_s_file_internal());
608 0 : if (in == NULL) {
609 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
610 0 : goto end;
611 : }
612 :
613 0 : if (BIO_read_filename(in, file) <= 0) {
614 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
615 0 : goto end;
616 : }
617 0 : if (type == SSL_FILETYPE_PEM) {
618 : j = ERR_R_PEM_LIB;
619 0 : pkey = PEM_read_bio_PrivateKey(in, NULL,
620 : ctx->default_passwd_callback,
621 : ctx->default_passwd_callback_userdata);
622 0 : } else if (type == SSL_FILETYPE_ASN1) {
623 : j = ERR_R_ASN1_LIB;
624 0 : pkey = d2i_PrivateKey_bio(in, NULL);
625 : } else {
626 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
627 0 : goto end;
628 : }
629 0 : if (pkey == NULL) {
630 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
631 0 : goto end;
632 : }
633 0 : ret = SSL_CTX_use_PrivateKey(ctx, pkey);
634 0 : EVP_PKEY_free(pkey);
635 : end:
636 0 : if (in != NULL)
637 0 : BIO_free(in);
638 0 : return (ret);
639 : }
640 : #endif
641 :
642 0 : int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
643 : const unsigned char *d, long len)
644 : {
645 : int ret;
646 : const unsigned char *p;
647 : EVP_PKEY *pkey;
648 :
649 0 : p = d;
650 0 : if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
651 0 : SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
652 0 : return (0);
653 : }
654 :
655 0 : ret = SSL_CTX_use_PrivateKey(ctx, pkey);
656 0 : EVP_PKEY_free(pkey);
657 0 : return (ret);
658 : }
659 :
660 : #ifndef OPENSSL_NO_STDIO
661 : /*
662 : * Read a file that contains our certificate in "PEM" format, possibly
663 : * followed by a sequence of CA certificates that should be sent to the peer
664 : * in the Certificate message.
665 : */
666 0 : int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
667 : {
668 : BIO *in;
669 : int ret = 0;
670 : X509 *x = NULL;
671 :
672 0 : ERR_clear_error(); /* clear error stack for
673 : * SSL_CTX_use_certificate() */
674 :
675 0 : in = BIO_new(BIO_s_file_internal());
676 0 : if (in == NULL) {
677 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
678 0 : goto end;
679 : }
680 :
681 0 : if (BIO_read_filename(in, file) <= 0) {
682 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
683 0 : goto end;
684 : }
685 :
686 0 : x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
687 : ctx->default_passwd_callback_userdata);
688 0 : if (x == NULL) {
689 0 : SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
690 0 : goto end;
691 : }
692 :
693 0 : ret = SSL_CTX_use_certificate(ctx, x);
694 :
695 0 : if (ERR_peek_error() != 0)
696 : ret = 0; /* Key/certificate mismatch doesn't imply
697 : * ret==0 ... */
698 0 : if (ret) {
699 : /*
700 : * If we could set up our certificate, now proceed to the CA
701 : * certificates.
702 : */
703 : X509 *ca;
704 : int r;
705 : unsigned long err;
706 :
707 0 : SSL_CTX_clear_chain_certs(ctx);
708 :
709 0 : while ((ca = PEM_read_bio_X509(in, NULL,
710 : ctx->default_passwd_callback,
711 : ctx->default_passwd_callback_userdata))
712 : != NULL) {
713 0 : r = SSL_CTX_add0_chain_cert(ctx, ca);
714 0 : if (!r) {
715 0 : X509_free(ca);
716 : ret = 0;
717 0 : goto end;
718 : }
719 : /*
720 : * Note that we must not free r if it was successfully added to
721 : * the chain (while we must free the main certificate, since its
722 : * reference count is increased by SSL_CTX_use_certificate).
723 : */
724 : }
725 : /* When the while loop ends, it's usually just EOF. */
726 0 : err = ERR_peek_last_error();
727 0 : if (ERR_GET_LIB(err) == ERR_LIB_PEM
728 0 : && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
729 0 : ERR_clear_error();
730 : else
731 : ret = 0; /* some real error */
732 : }
733 :
734 : end:
735 0 : if (x != NULL)
736 0 : X509_free(x);
737 0 : if (in != NULL)
738 0 : BIO_free(in);
739 0 : return (ret);
740 : }
741 : #endif
742 :
743 : #ifndef OPENSSL_NO_TLSEXT
744 0 : static int serverinfo_find_extension(const unsigned char *serverinfo,
745 : size_t serverinfo_length,
746 : unsigned int extension_type,
747 : const unsigned char **extension_data,
748 : size_t *extension_length)
749 : {
750 0 : *extension_data = NULL;
751 0 : *extension_length = 0;
752 0 : if (serverinfo == NULL || serverinfo_length == 0)
753 : return 0;
754 : for (;;) {
755 : unsigned int type = 0;
756 : size_t len = 0;
757 :
758 : /* end of serverinfo */
759 0 : if (serverinfo_length == 0)
760 : return -1; /* Extension not found */
761 :
762 : /* read 2-byte type field */
763 0 : if (serverinfo_length < 2)
764 : return 0; /* Error */
765 0 : type = (serverinfo[0] << 8) + serverinfo[1];
766 : serverinfo += 2;
767 0 : serverinfo_length -= 2;
768 :
769 : /* read 2-byte len field */
770 0 : if (serverinfo_length < 2)
771 : return 0; /* Error */
772 0 : len = (serverinfo[0] << 8) + serverinfo[1];
773 0 : serverinfo += 2;
774 0 : serverinfo_length -= 2;
775 :
776 0 : if (len > serverinfo_length)
777 : return 0; /* Error */
778 :
779 0 : if (type == extension_type) {
780 0 : *extension_data = serverinfo;
781 0 : *extension_length = len;
782 0 : return 1; /* Success */
783 : }
784 :
785 0 : serverinfo += len;
786 0 : serverinfo_length -= len;
787 0 : }
788 : return 0; /* Error */
789 : }
790 :
791 0 : static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
792 : const unsigned char *in,
793 : size_t inlen, int *al, void *arg)
794 : {
795 :
796 0 : if (inlen != 0) {
797 0 : *al = SSL_AD_DECODE_ERROR;
798 0 : return 0;
799 : }
800 :
801 : return 1;
802 : }
803 :
804 0 : static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
805 : const unsigned char **out, size_t *outlen,
806 : int *al, void *arg)
807 : {
808 0 : const unsigned char *serverinfo = NULL;
809 0 : size_t serverinfo_length = 0;
810 :
811 : /* Is there serverinfo data for the chosen server cert? */
812 0 : if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
813 : &serverinfo_length)) != 0) {
814 : /* Find the relevant extension from the serverinfo */
815 0 : int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
816 : ext_type, out, outlen);
817 0 : if (retval == 0)
818 : return 0; /* Error */
819 0 : if (retval == -1)
820 : return -1; /* No extension found, don't send extension */
821 0 : return 1; /* Send extension */
822 : }
823 : return -1; /* No serverinfo data found, don't send
824 : * extension */
825 : }
826 :
827 : /*
828 : * With a NULL context, this function just checks that the serverinfo data
829 : * parses correctly. With a non-NULL context, it registers callbacks for
830 : * the included extensions.
831 : */
832 0 : static int serverinfo_process_buffer(const unsigned char *serverinfo,
833 : size_t serverinfo_length, SSL_CTX *ctx)
834 : {
835 0 : if (serverinfo == NULL || serverinfo_length == 0)
836 : return 0;
837 : for (;;) {
838 : unsigned int ext_type = 0;
839 : size_t len = 0;
840 :
841 : /* end of serverinfo */
842 0 : if (serverinfo_length == 0)
843 : return 1;
844 :
845 : /* read 2-byte type field */
846 0 : if (serverinfo_length < 2)
847 : return 0;
848 : /* FIXME: check for types we understand explicitly? */
849 :
850 : /* Register callbacks for extensions */
851 0 : ext_type = (serverinfo[0] << 8) + serverinfo[1];
852 0 : if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
853 : serverinfo_srv_add_cb,
854 : NULL, NULL,
855 : serverinfo_srv_parse_cb,
856 : NULL))
857 : return 0;
858 :
859 : serverinfo += 2;
860 0 : serverinfo_length -= 2;
861 :
862 : /* read 2-byte len field */
863 0 : if (serverinfo_length < 2)
864 : return 0;
865 0 : len = (serverinfo[0] << 8) + serverinfo[1];
866 0 : serverinfo += 2;
867 0 : serverinfo_length -= 2;
868 :
869 0 : if (len > serverinfo_length)
870 : return 0;
871 :
872 0 : serverinfo += len;
873 0 : serverinfo_length -= len;
874 0 : }
875 : }
876 :
877 0 : int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
878 : size_t serverinfo_length)
879 : {
880 0 : if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
881 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER);
882 0 : return 0;
883 : }
884 0 : if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) {
885 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
886 0 : return 0;
887 : }
888 0 : if (!ssl_cert_inst(&ctx->cert)) {
889 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
890 0 : return 0;
891 : }
892 0 : if (ctx->cert->key == NULL) {
893 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
894 0 : return 0;
895 : }
896 0 : ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
897 : serverinfo_length);
898 0 : if (ctx->cert->key->serverinfo == NULL) {
899 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
900 0 : return 0;
901 : }
902 0 : memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
903 0 : ctx->cert->key->serverinfo_length = serverinfo_length;
904 :
905 : /*
906 : * Now that the serverinfo is validated and stored, go ahead and
907 : * register callbacks.
908 : */
909 0 : if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) {
910 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
911 0 : return 0;
912 : }
913 : return 1;
914 : }
915 :
916 : # ifndef OPENSSL_NO_STDIO
917 0 : int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
918 : {
919 : unsigned char *serverinfo = NULL;
920 : size_t serverinfo_length = 0;
921 0 : unsigned char *extension = 0;
922 0 : long extension_length = 0;
923 0 : char *name = NULL;
924 0 : char *header = NULL;
925 0 : char namePrefix[] = "SERVERINFO FOR ";
926 : int ret = 0;
927 : BIO *bin = NULL;
928 : size_t num_extensions = 0;
929 :
930 0 : if (ctx == NULL || file == NULL) {
931 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
932 : ERR_R_PASSED_NULL_PARAMETER);
933 0 : goto end;
934 : }
935 :
936 0 : bin = BIO_new(BIO_s_file_internal());
937 0 : if (bin == NULL) {
938 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
939 0 : goto end;
940 : }
941 0 : if (BIO_read_filename(bin, file) <= 0) {
942 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
943 0 : goto end;
944 : }
945 :
946 0 : for (num_extensions = 0;; num_extensions++) {
947 0 : if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
948 : == 0) {
949 : /*
950 : * There must be at least one extension in this file
951 : */
952 0 : if (num_extensions == 0) {
953 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
954 : SSL_R_NO_PEM_EXTENSIONS);
955 0 : goto end;
956 : } else /* End of file, we're done */
957 : break;
958 : }
959 : /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
960 0 : if (strlen(name) < strlen(namePrefix)) {
961 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
962 : SSL_R_PEM_NAME_TOO_SHORT);
963 0 : goto end;
964 : }
965 0 : if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
966 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
967 : SSL_R_PEM_NAME_BAD_PREFIX);
968 0 : goto end;
969 : }
970 : /*
971 : * Check that the decoded PEM data is plausible (valid length field)
972 : */
973 0 : if (extension_length < 4
974 0 : || (extension[2] << 8) + extension[3] != extension_length - 4) {
975 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
976 0 : goto end;
977 : }
978 : /* Append the decoded extension to the serverinfo buffer */
979 0 : serverinfo =
980 0 : OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
981 0 : if (serverinfo == NULL) {
982 0 : SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
983 0 : goto end;
984 : }
985 0 : memcpy(serverinfo + serverinfo_length, extension, extension_length);
986 0 : serverinfo_length += extension_length;
987 :
988 0 : OPENSSL_free(name);
989 0 : name = NULL;
990 0 : OPENSSL_free(header);
991 0 : header = NULL;
992 0 : OPENSSL_free(extension);
993 0 : extension = NULL;
994 0 : }
995 :
996 0 : ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
997 : end:
998 : /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
999 0 : OPENSSL_free(name);
1000 0 : OPENSSL_free(header);
1001 0 : OPENSSL_free(extension);
1002 0 : OPENSSL_free(serverinfo);
1003 0 : if (bin != NULL)
1004 0 : BIO_free(bin);
1005 0 : return ret;
1006 : }
1007 : # endif /* OPENSSL_NO_STDIO */
1008 : #endif /* OPENSSL_NO_TLSEXT */
|