ssl_rsa.c 31 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048
  1. /* ssl/ssl_rsa.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include "ssl_locl.h"
  60. #include <openssl/bio.h>
  61. #include <openssl/objects.h>
  62. #include <openssl/evp.h>
  63. #include <openssl/x509.h>
  64. #include <openssl/pem.h>
  65. static int ssl_set_cert(CERT *c, X509 *x509);
  66. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
  67. int SSL_use_certificate(SSL *ssl, X509 *x)
  68. {
  69. if (x == NULL) {
  70. SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
  71. return (0);
  72. }
  73. if (!ssl_cert_inst(&ssl->cert)) {
  74. SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  75. return (0);
  76. }
  77. return (ssl_set_cert(ssl->cert, x));
  78. }
  79. #ifndef OPENSSL_NO_STDIO
  80. int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
  81. {
  82. int j;
  83. BIO *in;
  84. int ret = 0;
  85. X509 *x = NULL;
  86. in = BIO_new(BIO_s_file_internal());
  87. if (in == NULL) {
  88. SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
  89. goto end;
  90. }
  91. if (BIO_read_filename(in, file) <= 0) {
  92. SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
  93. goto end;
  94. }
  95. if (type == SSL_FILETYPE_ASN1) {
  96. j = ERR_R_ASN1_LIB;
  97. x = d2i_X509_bio(in, NULL);
  98. } else if (type == SSL_FILETYPE_PEM) {
  99. j = ERR_R_PEM_LIB;
  100. x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback,
  101. ssl->ctx->default_passwd_callback_userdata);
  102. } else {
  103. SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
  104. goto end;
  105. }
  106. if (x == NULL) {
  107. SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
  108. goto end;
  109. }
  110. ret = SSL_use_certificate(ssl, x);
  111. end:
  112. if (x != NULL)
  113. X509_free(x);
  114. if (in != NULL)
  115. BIO_free(in);
  116. return (ret);
  117. }
  118. #endif
  119. int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
  120. {
  121. X509 *x;
  122. int ret;
  123. x = d2i_X509(NULL, &d, (long)len);
  124. if (x == NULL) {
  125. SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
  126. return (0);
  127. }
  128. ret = SSL_use_certificate(ssl, x);
  129. X509_free(x);
  130. return (ret);
  131. }
  132. #ifndef OPENSSL_NO_RSA
  133. int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
  134. {
  135. EVP_PKEY *pkey;
  136. int ret;
  137. if (rsa == NULL) {
  138. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
  139. return (0);
  140. }
  141. if (!ssl_cert_inst(&ssl->cert)) {
  142. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
  143. return (0);
  144. }
  145. if ((pkey = EVP_PKEY_new()) == NULL) {
  146. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
  147. return (0);
  148. }
  149. RSA_up_ref(rsa);
  150. if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
  151. RSA_free(rsa);
  152. return 0;
  153. }
  154. ret = ssl_set_pkey(ssl->cert, pkey);
  155. EVP_PKEY_free(pkey);
  156. return (ret);
  157. }
  158. #endif
  159. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
  160. {
  161. int i;
  162. /*
  163. * Special case for DH: check two DH certificate types for a match. This
  164. * means for DH certificates we must set the certificate first.
  165. */
  166. if (pkey->type == EVP_PKEY_DH) {
  167. X509 *x;
  168. i = -1;
  169. x = c->pkeys[SSL_PKEY_DH_RSA].x509;
  170. if (x && X509_check_private_key(x, pkey))
  171. i = SSL_PKEY_DH_RSA;
  172. x = c->pkeys[SSL_PKEY_DH_DSA].x509;
  173. if (i == -1 && x && X509_check_private_key(x, pkey))
  174. i = SSL_PKEY_DH_DSA;
  175. ERR_clear_error();
  176. } else
  177. i = ssl_cert_type(NULL, pkey);
  178. if (i < 0) {
  179. SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  180. return (0);
  181. }
  182. if (c->pkeys[i].x509 != NULL) {
  183. EVP_PKEY *pktmp;
  184. pktmp = X509_get_pubkey(c->pkeys[i].x509);
  185. if (pktmp == NULL) {
  186. SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
  187. EVP_PKEY_free(pktmp);
  188. return 0;
  189. }
  190. /*
  191. * The return code from EVP_PKEY_copy_parameters is deliberately
  192. * ignored. Some EVP_PKEY types cannot do this.
  193. */
  194. EVP_PKEY_copy_parameters(pktmp, pkey);
  195. EVP_PKEY_free(pktmp);
  196. ERR_clear_error();
  197. #ifndef OPENSSL_NO_RSA
  198. /*
  199. * Don't check the public/private key, this is mostly for smart
  200. * cards.
  201. */
  202. if ((pkey->type == EVP_PKEY_RSA) &&
  203. (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ;
  204. else
  205. #endif
  206. if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
  207. X509_free(c->pkeys[i].x509);
  208. c->pkeys[i].x509 = NULL;
  209. return 0;
  210. }
  211. }
  212. if (c->pkeys[i].privatekey != NULL)
  213. EVP_PKEY_free(c->pkeys[i].privatekey);
  214. CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
  215. c->pkeys[i].privatekey = pkey;
  216. c->key = &(c->pkeys[i]);
  217. c->valid = 0;
  218. return (1);
  219. }
  220. #ifndef OPENSSL_NO_RSA
  221. # ifndef OPENSSL_NO_STDIO
  222. int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
  223. {
  224. int j, ret = 0;
  225. BIO *in;
  226. RSA *rsa = NULL;
  227. in = BIO_new(BIO_s_file_internal());
  228. if (in == NULL) {
  229. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
  230. goto end;
  231. }
  232. if (BIO_read_filename(in, file) <= 0) {
  233. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
  234. goto end;
  235. }
  236. if (type == SSL_FILETYPE_ASN1) {
  237. j = ERR_R_ASN1_LIB;
  238. rsa = d2i_RSAPrivateKey_bio(in, NULL);
  239. } else if (type == SSL_FILETYPE_PEM) {
  240. j = ERR_R_PEM_LIB;
  241. rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
  242. ssl->ctx->default_passwd_callback,
  243. ssl->
  244. ctx->default_passwd_callback_userdata);
  245. } else {
  246. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
  247. goto end;
  248. }
  249. if (rsa == NULL) {
  250. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
  251. goto end;
  252. }
  253. ret = SSL_use_RSAPrivateKey(ssl, rsa);
  254. RSA_free(rsa);
  255. end:
  256. if (in != NULL)
  257. BIO_free(in);
  258. return (ret);
  259. }
  260. # endif
  261. int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
  262. {
  263. int ret;
  264. const unsigned char *p;
  265. RSA *rsa;
  266. p = d;
  267. if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
  268. SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
  269. return (0);
  270. }
  271. ret = SSL_use_RSAPrivateKey(ssl, rsa);
  272. RSA_free(rsa);
  273. return (ret);
  274. }
  275. #endif /* !OPENSSL_NO_RSA */
  276. int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
  277. {
  278. int ret;
  279. if (pkey == NULL) {
  280. SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
  281. return (0);
  282. }
  283. if (!ssl_cert_inst(&ssl->cert)) {
  284. SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
  285. return (0);
  286. }
  287. ret = ssl_set_pkey(ssl->cert, pkey);
  288. return (ret);
  289. }
  290. #ifndef OPENSSL_NO_STDIO
  291. int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
  292. {
  293. int j, ret = 0;
  294. BIO *in;
  295. EVP_PKEY *pkey = NULL;
  296. in = BIO_new(BIO_s_file_internal());
  297. if (in == NULL) {
  298. SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
  299. goto end;
  300. }
  301. if (BIO_read_filename(in, file) <= 0) {
  302. SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
  303. goto end;
  304. }
  305. if (type == SSL_FILETYPE_PEM) {
  306. j = ERR_R_PEM_LIB;
  307. pkey = PEM_read_bio_PrivateKey(in, NULL,
  308. ssl->ctx->default_passwd_callback,
  309. ssl->
  310. ctx->default_passwd_callback_userdata);
  311. } else if (type == SSL_FILETYPE_ASN1) {
  312. j = ERR_R_ASN1_LIB;
  313. pkey = d2i_PrivateKey_bio(in, NULL);
  314. } else {
  315. SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
  316. goto end;
  317. }
  318. if (pkey == NULL) {
  319. SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
  320. goto end;
  321. }
  322. ret = SSL_use_PrivateKey(ssl, pkey);
  323. EVP_PKEY_free(pkey);
  324. end:
  325. if (in != NULL)
  326. BIO_free(in);
  327. return (ret);
  328. }
  329. #endif
  330. int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
  331. long len)
  332. {
  333. int ret;
  334. const unsigned char *p;
  335. EVP_PKEY *pkey;
  336. p = d;
  337. if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
  338. SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
  339. return (0);
  340. }
  341. ret = SSL_use_PrivateKey(ssl, pkey);
  342. EVP_PKEY_free(pkey);
  343. return (ret);
  344. }
  345. int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
  346. {
  347. if (x == NULL) {
  348. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
  349. return (0);
  350. }
  351. if (!ssl_cert_inst(&ctx->cert)) {
  352. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  353. return (0);
  354. }
  355. return (ssl_set_cert(ctx->cert, x));
  356. }
  357. static int ssl_set_cert(CERT *c, X509 *x)
  358. {
  359. EVP_PKEY *pkey;
  360. int i;
  361. pkey = X509_get_pubkey(x);
  362. if (pkey == NULL) {
  363. SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
  364. return (0);
  365. }
  366. i = ssl_cert_type(x, pkey);
  367. if (i < 0) {
  368. SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  369. EVP_PKEY_free(pkey);
  370. return (0);
  371. }
  372. if (c->pkeys[i].privatekey != NULL) {
  373. /*
  374. * The return code from EVP_PKEY_copy_parameters is deliberately
  375. * ignored. Some EVP_PKEY types cannot do this.
  376. */
  377. EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
  378. ERR_clear_error();
  379. #ifndef OPENSSL_NO_RSA
  380. /*
  381. * Don't check the public/private key, this is mostly for smart
  382. * cards.
  383. */
  384. if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
  385. (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
  386. RSA_METHOD_FLAG_NO_CHECK)) ;
  387. else
  388. #endif /* OPENSSL_NO_RSA */
  389. if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
  390. /*
  391. * don't fail for a cert/key mismatch, just free current private
  392. * key (when switching to a different cert & key, first this
  393. * function should be used, then ssl_set_pkey
  394. */
  395. EVP_PKEY_free(c->pkeys[i].privatekey);
  396. c->pkeys[i].privatekey = NULL;
  397. /* clear error queue */
  398. ERR_clear_error();
  399. }
  400. }
  401. EVP_PKEY_free(pkey);
  402. if (c->pkeys[i].x509 != NULL)
  403. X509_free(c->pkeys[i].x509);
  404. CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
  405. c->pkeys[i].x509 = x;
  406. c->key = &(c->pkeys[i]);
  407. c->valid = 0;
  408. return (1);
  409. }
  410. #ifndef OPENSSL_NO_STDIO
  411. int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
  412. {
  413. int j;
  414. BIO *in;
  415. int ret = 0;
  416. X509 *x = NULL;
  417. in = BIO_new(BIO_s_file_internal());
  418. if (in == NULL) {
  419. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
  420. goto end;
  421. }
  422. if (BIO_read_filename(in, file) <= 0) {
  423. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
  424. goto end;
  425. }
  426. if (type == SSL_FILETYPE_ASN1) {
  427. j = ERR_R_ASN1_LIB;
  428. x = d2i_X509_bio(in, NULL);
  429. } else if (type == SSL_FILETYPE_PEM) {
  430. j = ERR_R_PEM_LIB;
  431. x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
  432. ctx->default_passwd_callback_userdata);
  433. } else {
  434. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
  435. goto end;
  436. }
  437. if (x == NULL) {
  438. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
  439. goto end;
  440. }
  441. ret = SSL_CTX_use_certificate(ctx, x);
  442. end:
  443. if (x != NULL)
  444. X509_free(x);
  445. if (in != NULL)
  446. BIO_free(in);
  447. return (ret);
  448. }
  449. #endif
  450. int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
  451. const unsigned char *d)
  452. {
  453. X509 *x;
  454. int ret;
  455. x = d2i_X509(NULL, &d, (long)len);
  456. if (x == NULL) {
  457. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
  458. return (0);
  459. }
  460. ret = SSL_CTX_use_certificate(ctx, x);
  461. X509_free(x);
  462. return (ret);
  463. }
  464. #ifndef OPENSSL_NO_RSA
  465. int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
  466. {
  467. int ret;
  468. EVP_PKEY *pkey;
  469. if (rsa == NULL) {
  470. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
  471. return (0);
  472. }
  473. if (!ssl_cert_inst(&ctx->cert)) {
  474. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
  475. return (0);
  476. }
  477. if ((pkey = EVP_PKEY_new()) == NULL) {
  478. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
  479. return (0);
  480. }
  481. RSA_up_ref(rsa);
  482. if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
  483. RSA_free(rsa);
  484. return 0;
  485. }
  486. ret = ssl_set_pkey(ctx->cert, pkey);
  487. EVP_PKEY_free(pkey);
  488. return (ret);
  489. }
  490. # ifndef OPENSSL_NO_STDIO
  491. int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
  492. {
  493. int j, ret = 0;
  494. BIO *in;
  495. RSA *rsa = NULL;
  496. in = BIO_new(BIO_s_file_internal());
  497. if (in == NULL) {
  498. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
  499. goto end;
  500. }
  501. if (BIO_read_filename(in, file) <= 0) {
  502. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
  503. goto end;
  504. }
  505. if (type == SSL_FILETYPE_ASN1) {
  506. j = ERR_R_ASN1_LIB;
  507. rsa = d2i_RSAPrivateKey_bio(in, NULL);
  508. } else if (type == SSL_FILETYPE_PEM) {
  509. j = ERR_R_PEM_LIB;
  510. rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
  511. ctx->default_passwd_callback,
  512. ctx->default_passwd_callback_userdata);
  513. } else {
  514. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
  515. goto end;
  516. }
  517. if (rsa == NULL) {
  518. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
  519. goto end;
  520. }
  521. ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
  522. RSA_free(rsa);
  523. end:
  524. if (in != NULL)
  525. BIO_free(in);
  526. return (ret);
  527. }
  528. # endif
  529. int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
  530. long len)
  531. {
  532. int ret;
  533. const unsigned char *p;
  534. RSA *rsa;
  535. p = d;
  536. if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
  537. SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
  538. return (0);
  539. }
  540. ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
  541. RSA_free(rsa);
  542. return (ret);
  543. }
  544. #endif /* !OPENSSL_NO_RSA */
  545. int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
  546. {
  547. if (pkey == NULL) {
  548. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
  549. return (0);
  550. }
  551. if (!ssl_cert_inst(&ctx->cert)) {
  552. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
  553. return (0);
  554. }
  555. return (ssl_set_pkey(ctx->cert, pkey));
  556. }
  557. #ifndef OPENSSL_NO_STDIO
  558. int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
  559. {
  560. int j, ret = 0;
  561. BIO *in;
  562. EVP_PKEY *pkey = NULL;
  563. in = BIO_new(BIO_s_file_internal());
  564. if (in == NULL) {
  565. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
  566. goto end;
  567. }
  568. if (BIO_read_filename(in, file) <= 0) {
  569. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
  570. goto end;
  571. }
  572. if (type == SSL_FILETYPE_PEM) {
  573. j = ERR_R_PEM_LIB;
  574. pkey = PEM_read_bio_PrivateKey(in, NULL,
  575. ctx->default_passwd_callback,
  576. ctx->default_passwd_callback_userdata);
  577. } else if (type == SSL_FILETYPE_ASN1) {
  578. j = ERR_R_ASN1_LIB;
  579. pkey = d2i_PrivateKey_bio(in, NULL);
  580. } else {
  581. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
  582. goto end;
  583. }
  584. if (pkey == NULL) {
  585. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
  586. goto end;
  587. }
  588. ret = SSL_CTX_use_PrivateKey(ctx, pkey);
  589. EVP_PKEY_free(pkey);
  590. end:
  591. if (in != NULL)
  592. BIO_free(in);
  593. return (ret);
  594. }
  595. #endif
  596. int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
  597. const unsigned char *d, long len)
  598. {
  599. int ret;
  600. const unsigned char *p;
  601. EVP_PKEY *pkey;
  602. p = d;
  603. if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
  604. SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
  605. return (0);
  606. }
  607. ret = SSL_CTX_use_PrivateKey(ctx, pkey);
  608. EVP_PKEY_free(pkey);
  609. return (ret);
  610. }
  611. #ifndef OPENSSL_NO_STDIO
  612. /*
  613. * Read a file that contains our certificate in "PEM" format, possibly
  614. * followed by a sequence of CA certificates that should be sent to the peer
  615. * in the Certificate message.
  616. */
  617. int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
  618. {
  619. BIO *in;
  620. int ret = 0;
  621. X509 *x = NULL;
  622. ERR_clear_error(); /* clear error stack for
  623. * SSL_CTX_use_certificate() */
  624. in = BIO_new(BIO_s_file_internal());
  625. if (in == NULL) {
  626. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
  627. goto end;
  628. }
  629. if (BIO_read_filename(in, file) <= 0) {
  630. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
  631. goto end;
  632. }
  633. x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
  634. ctx->default_passwd_callback_userdata);
  635. if (x == NULL) {
  636. SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
  637. goto end;
  638. }
  639. ret = SSL_CTX_use_certificate(ctx, x);
  640. if (ERR_peek_error() != 0)
  641. ret = 0; /* Key/certificate mismatch doesn't imply
  642. * ret==0 ... */
  643. if (ret) {
  644. /*
  645. * If we could set up our certificate, now proceed to the CA
  646. * certificates.
  647. */
  648. X509 *ca;
  649. int r;
  650. unsigned long err;
  651. SSL_CTX_clear_chain_certs(ctx);
  652. while ((ca = PEM_read_bio_X509(in, NULL,
  653. ctx->default_passwd_callback,
  654. ctx->default_passwd_callback_userdata))
  655. != NULL) {
  656. r = SSL_CTX_add0_chain_cert(ctx, ca);
  657. if (!r) {
  658. X509_free(ca);
  659. ret = 0;
  660. goto end;
  661. }
  662. /*
  663. * Note that we must not free r if it was successfully added to
  664. * the chain (while we must free the main certificate, since its
  665. * reference count is increased by SSL_CTX_use_certificate).
  666. */
  667. }
  668. /* When the while loop ends, it's usually just EOF. */
  669. err = ERR_peek_last_error();
  670. if (ERR_GET_LIB(err) == ERR_LIB_PEM
  671. && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
  672. ERR_clear_error();
  673. else
  674. ret = 0; /* some real error */
  675. }
  676. end:
  677. if (x != NULL)
  678. X509_free(x);
  679. if (in != NULL)
  680. BIO_free(in);
  681. return (ret);
  682. }
  683. #endif
  684. #ifndef OPENSSL_NO_TLSEXT
  685. static int serverinfo_find_extension(const unsigned char *serverinfo,
  686. size_t serverinfo_length,
  687. unsigned int extension_type,
  688. const unsigned char **extension_data,
  689. size_t *extension_length)
  690. {
  691. *extension_data = NULL;
  692. *extension_length = 0;
  693. if (serverinfo == NULL || serverinfo_length == 0)
  694. return -1;
  695. for (;;) {
  696. unsigned int type = 0;
  697. size_t len = 0;
  698. /* end of serverinfo */
  699. if (serverinfo_length == 0)
  700. return 0; /* Extension not found */
  701. /* read 2-byte type field */
  702. if (serverinfo_length < 2)
  703. return -1; /* Error */
  704. type = (serverinfo[0] << 8) + serverinfo[1];
  705. serverinfo += 2;
  706. serverinfo_length -= 2;
  707. /* read 2-byte len field */
  708. if (serverinfo_length < 2)
  709. return -1; /* Error */
  710. len = (serverinfo[0] << 8) + serverinfo[1];
  711. serverinfo += 2;
  712. serverinfo_length -= 2;
  713. if (len > serverinfo_length)
  714. return -1; /* Error */
  715. if (type == extension_type) {
  716. *extension_data = serverinfo;
  717. *extension_length = len;
  718. return 1; /* Success */
  719. }
  720. serverinfo += len;
  721. serverinfo_length -= len;
  722. }
  723. return 0; /* Error */
  724. }
  725. static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
  726. const unsigned char *in,
  727. size_t inlen, int *al, void *arg)
  728. {
  729. if (inlen != 0) {
  730. *al = SSL_AD_DECODE_ERROR;
  731. return 0;
  732. }
  733. return 1;
  734. }
  735. static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
  736. const unsigned char **out, size_t *outlen,
  737. int *al, void *arg)
  738. {
  739. const unsigned char *serverinfo = NULL;
  740. size_t serverinfo_length = 0;
  741. /* Is there serverinfo data for the chosen server cert? */
  742. if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
  743. &serverinfo_length)) != 0) {
  744. /* Find the relevant extension from the serverinfo */
  745. int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
  746. ext_type, out, outlen);
  747. if (retval == -1) {
  748. *al = SSL_AD_DECODE_ERROR;
  749. return -1; /* Error */
  750. }
  751. if (retval == 0)
  752. return 0; /* No extension found, don't send extension */
  753. return 1; /* Send extension */
  754. }
  755. return 0; /* No serverinfo data found, don't send
  756. * extension */
  757. }
  758. /*
  759. * With a NULL context, this function just checks that the serverinfo data
  760. * parses correctly. With a non-NULL context, it registers callbacks for
  761. * the included extensions.
  762. */
  763. static int serverinfo_process_buffer(const unsigned char *serverinfo,
  764. size_t serverinfo_length, SSL_CTX *ctx)
  765. {
  766. if (serverinfo == NULL || serverinfo_length == 0)
  767. return 0;
  768. for (;;) {
  769. unsigned int ext_type = 0;
  770. size_t len = 0;
  771. /* end of serverinfo */
  772. if (serverinfo_length == 0)
  773. return 1;
  774. /* read 2-byte type field */
  775. if (serverinfo_length < 2)
  776. return 0;
  777. /* FIXME: check for types we understand explicitly? */
  778. /* Register callbacks for extensions */
  779. ext_type = (serverinfo[0] << 8) + serverinfo[1];
  780. if (ctx) {
  781. int have_ext_cbs = 0;
  782. size_t i;
  783. custom_ext_methods *exts = &ctx->cert->srv_ext;
  784. custom_ext_method *meth = exts->meths;
  785. for (i = 0; i < exts->meths_count; i++, meth++) {
  786. if (ext_type == meth->ext_type) {
  787. have_ext_cbs = 1;
  788. break;
  789. }
  790. }
  791. if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
  792. serverinfo_srv_add_cb,
  793. NULL, NULL,
  794. serverinfo_srv_parse_cb,
  795. NULL))
  796. return 0;
  797. }
  798. serverinfo += 2;
  799. serverinfo_length -= 2;
  800. /* read 2-byte len field */
  801. if (serverinfo_length < 2)
  802. return 0;
  803. len = (serverinfo[0] << 8) + serverinfo[1];
  804. serverinfo += 2;
  805. serverinfo_length -= 2;
  806. if (len > serverinfo_length)
  807. return 0;
  808. serverinfo += len;
  809. serverinfo_length -= len;
  810. }
  811. }
  812. int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
  813. size_t serverinfo_length)
  814. {
  815. unsigned char *new_serverinfo;
  816. if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
  817. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER);
  818. return 0;
  819. }
  820. if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) {
  821. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
  822. return 0;
  823. }
  824. if (!ssl_cert_inst(&ctx->cert)) {
  825. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
  826. return 0;
  827. }
  828. if (ctx->cert->key == NULL) {
  829. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
  830. return 0;
  831. }
  832. new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
  833. serverinfo_length);
  834. if (new_serverinfo == NULL) {
  835. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
  836. return 0;
  837. }
  838. ctx->cert->key->serverinfo = new_serverinfo;
  839. memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
  840. ctx->cert->key->serverinfo_length = serverinfo_length;
  841. /*
  842. * Now that the serverinfo is validated and stored, go ahead and
  843. * register callbacks.
  844. */
  845. if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) {
  846. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
  847. return 0;
  848. }
  849. return 1;
  850. }
  851. # ifndef OPENSSL_NO_STDIO
  852. int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
  853. {
  854. unsigned char *serverinfo = NULL;
  855. size_t serverinfo_length = 0;
  856. unsigned char *extension = 0;
  857. long extension_length = 0;
  858. char *name = NULL;
  859. char *header = NULL;
  860. char namePrefix[] = "SERVERINFO FOR ";
  861. int ret = 0;
  862. BIO *bin = NULL;
  863. size_t num_extensions = 0;
  864. unsigned char *new_serverinfo;
  865. if (ctx == NULL || file == NULL) {
  866. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
  867. ERR_R_PASSED_NULL_PARAMETER);
  868. goto end;
  869. }
  870. bin = BIO_new(BIO_s_file_internal());
  871. if (bin == NULL) {
  872. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
  873. goto end;
  874. }
  875. if (BIO_read_filename(bin, file) <= 0) {
  876. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
  877. goto end;
  878. }
  879. for (num_extensions = 0;; num_extensions++) {
  880. if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
  881. == 0) {
  882. /*
  883. * There must be at least one extension in this file
  884. */
  885. if (num_extensions == 0) {
  886. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
  887. SSL_R_NO_PEM_EXTENSIONS);
  888. goto end;
  889. } else /* End of file, we're done */
  890. break;
  891. }
  892. /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
  893. if (strlen(name) < strlen(namePrefix)) {
  894. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
  895. SSL_R_PEM_NAME_TOO_SHORT);
  896. goto end;
  897. }
  898. if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
  899. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
  900. SSL_R_PEM_NAME_BAD_PREFIX);
  901. goto end;
  902. }
  903. /*
  904. * Check that the decoded PEM data is plausible (valid length field)
  905. */
  906. if (extension_length < 4
  907. || (extension[2] << 8) + extension[3] != extension_length - 4) {
  908. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
  909. goto end;
  910. }
  911. /* Append the decoded extension to the serverinfo buffer */
  912. new_serverinfo =
  913. OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
  914. if (new_serverinfo == NULL) {
  915. SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
  916. goto end;
  917. }
  918. serverinfo = new_serverinfo;
  919. memcpy(serverinfo + serverinfo_length, extension, extension_length);
  920. serverinfo_length += extension_length;
  921. OPENSSL_free(name);
  922. name = NULL;
  923. OPENSSL_free(header);
  924. header = NULL;
  925. OPENSSL_free(extension);
  926. extension = NULL;
  927. }
  928. ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
  929. end:
  930. /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
  931. OPENSSL_free(name);
  932. OPENSSL_free(header);
  933. OPENSSL_free(extension);
  934. OPENSSL_free(serverinfo);
  935. if (bin != NULL)
  936. BIO_free(bin);
  937. return ret;
  938. }
  939. # endif /* OPENSSL_NO_STDIO */
  940. #endif /* OPENSSL_NO_TLSEXT */