1 /* ssl/ssl_rsa.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include "ssl_locl.h" 61 #include <openssl/bio.h> 62 #include <openssl/objects.h> 63 #include <openssl/evp.h> 64 #include <openssl/x509.h> 65 #include <openssl/pem.h> 66 67 static int ssl_set_cert(CERT *c, X509 *x509); 68 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); 69 int SSL_use_certificate(SSL *ssl, X509 *x) 70 { 71 if (x == NULL) { 72 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 73 return (0); 74 } 75 if (!ssl_cert_inst(&ssl->cert)) { 76 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 77 return (0); 78 } 79 return (ssl_set_cert(ssl->cert, x)); 80 } 81 82 #ifndef OPENSSL_NO_STDIO 83 int SSL_use_certificate_file(SSL *ssl, const char *file, int type) 84 { 85 int j; 86 BIO *in; 87 int ret = 0; 88 X509 *x = NULL; 89 90 in = BIO_new(BIO_s_file_internal()); 91 if (in == NULL) { 92 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 93 goto end; 94 } 95 96 if (BIO_read_filename(in, file) <= 0) { 97 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 98 goto end; 99 } 100 if (type == SSL_FILETYPE_ASN1) { 101 j = ERR_R_ASN1_LIB; 102 x = d2i_X509_bio(in, NULL); 103 } else if (type == SSL_FILETYPE_PEM) { 104 j = ERR_R_PEM_LIB; 105 x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback, 106 ssl->ctx->default_passwd_callback_userdata); 107 } else { 108 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 109 goto end; 110 } 111 112 if (x == NULL) { 113 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); 114 goto end; 115 } 116 117 ret = SSL_use_certificate(ssl, x); 118 end: 119 if (x != NULL) 120 X509_free(x); 121 if (in != NULL) 122 BIO_free(in); 123 return (ret); 124 } 125 #endif 126 127 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) 128 { 129 X509 *x; 130 int ret; 131 132 x = d2i_X509(NULL, &d, (long)len); 133 if (x == NULL) { 134 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 135 return (0); 136 } 137 138 ret = SSL_use_certificate(ssl, x); 139 X509_free(x); 140 return (ret); 141 } 142 143 #ifndef OPENSSL_NO_RSA 144 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 145 { 146 EVP_PKEY *pkey; 147 int ret; 148 149 if (rsa == NULL) { 150 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 151 return (0); 152 } 153 if (!ssl_cert_inst(&ssl->cert)) { 154 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 155 return (0); 156 } 157 if ((pkey = EVP_PKEY_new()) == NULL) { 158 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 159 return (0); 160 } 161 162 RSA_up_ref(rsa); 163 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { 164 RSA_free(rsa); 165 return 0; 166 } 167 168 ret = ssl_set_pkey(ssl->cert, pkey); 169 EVP_PKEY_free(pkey); 170 return (ret); 171 } 172 #endif 173 174 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 175 { 176 int i; 177 /* 178 * Special case for DH: check two DH certificate types for a match. This 179 * means for DH certificates we must set the certificate first. 180 */ 181 if (pkey->type == EVP_PKEY_DH) { 182 X509 *x; 183 i = -1; 184 x = c->pkeys[SSL_PKEY_DH_RSA].x509; 185 if (x && X509_check_private_key(x, pkey)) 186 i = SSL_PKEY_DH_RSA; 187 x = c->pkeys[SSL_PKEY_DH_DSA].x509; 188 if (i == -1 && x && X509_check_private_key(x, pkey)) 189 i = SSL_PKEY_DH_DSA; 190 ERR_clear_error(); 191 } else 192 i = ssl_cert_type(NULL, pkey); 193 if (i < 0) { 194 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 195 return (0); 196 } 197 198 if (c->pkeys[i].x509 != NULL) { 199 EVP_PKEY *pktmp; 200 pktmp = X509_get_pubkey(c->pkeys[i].x509); 201 if (pktmp == NULL) { 202 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); 203 EVP_PKEY_free(pktmp); 204 return 0; 205 } 206 /* 207 * The return code from EVP_PKEY_copy_parameters is deliberately 208 * ignored. Some EVP_PKEY types cannot do this. 209 */ 210 EVP_PKEY_copy_parameters(pktmp, pkey); 211 EVP_PKEY_free(pktmp); 212 ERR_clear_error(); 213 214 #ifndef OPENSSL_NO_RSA 215 /* 216 * Don't check the public/private key, this is mostly for smart 217 * cards. 218 */ 219 if ((pkey->type == EVP_PKEY_RSA) && 220 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ; 221 else 222 #endif 223 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 224 X509_free(c->pkeys[i].x509); 225 c->pkeys[i].x509 = NULL; 226 return 0; 227 } 228 } 229 230 if (c->pkeys[i].privatekey != NULL) 231 EVP_PKEY_free(c->pkeys[i].privatekey); 232 CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); 233 c->pkeys[i].privatekey = pkey; 234 c->key = &(c->pkeys[i]); 235 236 c->valid = 0; 237 return (1); 238 } 239 240 #ifndef OPENSSL_NO_RSA 241 # ifndef OPENSSL_NO_STDIO 242 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 243 { 244 int j, ret = 0; 245 BIO *in; 246 RSA *rsa = NULL; 247 248 in = BIO_new(BIO_s_file_internal()); 249 if (in == NULL) { 250 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 251 goto end; 252 } 253 254 if (BIO_read_filename(in, file) <= 0) { 255 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 256 goto end; 257 } 258 if (type == SSL_FILETYPE_ASN1) { 259 j = ERR_R_ASN1_LIB; 260 rsa = d2i_RSAPrivateKey_bio(in, NULL); 261 } else if (type == SSL_FILETYPE_PEM) { 262 j = ERR_R_PEM_LIB; 263 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 264 ssl->ctx->default_passwd_callback, 265 ssl-> 266 ctx->default_passwd_callback_userdata); 267 } else { 268 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 269 goto end; 270 } 271 if (rsa == NULL) { 272 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); 273 goto end; 274 } 275 ret = SSL_use_RSAPrivateKey(ssl, rsa); 276 RSA_free(rsa); 277 end: 278 if (in != NULL) 279 BIO_free(in); 280 return (ret); 281 } 282 # endif 283 284 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) 285 { 286 int ret; 287 const unsigned char *p; 288 RSA *rsa; 289 290 p = d; 291 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 292 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 293 return (0); 294 } 295 296 ret = SSL_use_RSAPrivateKey(ssl, rsa); 297 RSA_free(rsa); 298 return (ret); 299 } 300 #endif /* !OPENSSL_NO_RSA */ 301 302 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 303 { 304 int ret; 305 306 if (pkey == NULL) { 307 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 308 return (0); 309 } 310 if (!ssl_cert_inst(&ssl->cert)) { 311 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 312 return (0); 313 } 314 ret = ssl_set_pkey(ssl->cert, pkey); 315 return (ret); 316 } 317 318 #ifndef OPENSSL_NO_STDIO 319 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) 320 { 321 int j, ret = 0; 322 BIO *in; 323 EVP_PKEY *pkey = NULL; 324 325 in = BIO_new(BIO_s_file_internal()); 326 if (in == NULL) { 327 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 328 goto end; 329 } 330 331 if (BIO_read_filename(in, file) <= 0) { 332 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 333 goto end; 334 } 335 if (type == SSL_FILETYPE_PEM) { 336 j = ERR_R_PEM_LIB; 337 pkey = PEM_read_bio_PrivateKey(in, NULL, 338 ssl->ctx->default_passwd_callback, 339 ssl-> 340 ctx->default_passwd_callback_userdata); 341 } else if (type == SSL_FILETYPE_ASN1) { 342 j = ERR_R_ASN1_LIB; 343 pkey = d2i_PrivateKey_bio(in, NULL); 344 } else { 345 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 346 goto end; 347 } 348 if (pkey == NULL) { 349 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); 350 goto end; 351 } 352 ret = SSL_use_PrivateKey(ssl, pkey); 353 EVP_PKEY_free(pkey); 354 end: 355 if (in != NULL) 356 BIO_free(in); 357 return (ret); 358 } 359 #endif 360 361 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, 362 long len) 363 { 364 int ret; 365 const unsigned char *p; 366 EVP_PKEY *pkey; 367 368 p = d; 369 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 370 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 371 return (0); 372 } 373 374 ret = SSL_use_PrivateKey(ssl, pkey); 375 EVP_PKEY_free(pkey); 376 return (ret); 377 } 378 379 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) 380 { 381 if (x == NULL) { 382 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 383 return (0); 384 } 385 if (!ssl_cert_inst(&ctx->cert)) { 386 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 387 return (0); 388 } 389 return (ssl_set_cert(ctx->cert, x)); 390 } 391 392 static int ssl_set_cert(CERT *c, X509 *x) 393 { 394 EVP_PKEY *pkey; 395 int i; 396 397 pkey = X509_get_pubkey(x); 398 if (pkey == NULL) { 399 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); 400 return (0); 401 } 402 403 i = ssl_cert_type(x, pkey); 404 if (i < 0) { 405 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 406 EVP_PKEY_free(pkey); 407 return (0); 408 } 409 410 if (c->pkeys[i].privatekey != NULL) { 411 /* 412 * The return code from EVP_PKEY_copy_parameters is deliberately 413 * ignored. Some EVP_PKEY types cannot do this. 414 */ 415 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 416 ERR_clear_error(); 417 418 #ifndef OPENSSL_NO_RSA 419 /* 420 * Don't check the public/private key, this is mostly for smart 421 * cards. 422 */ 423 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 424 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & 425 RSA_METHOD_FLAG_NO_CHECK)) ; 426 else 427 #endif /* OPENSSL_NO_RSA */ 428 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 429 /* 430 * don't fail for a cert/key mismatch, just free current private 431 * key (when switching to a different cert & key, first this 432 * function should be used, then ssl_set_pkey 433 */ 434 EVP_PKEY_free(c->pkeys[i].privatekey); 435 c->pkeys[i].privatekey = NULL; 436 /* clear error queue */ 437 ERR_clear_error(); 438 } 439 } 440 441 EVP_PKEY_free(pkey); 442 443 if (c->pkeys[i].x509 != NULL) 444 X509_free(c->pkeys[i].x509); 445 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 446 c->pkeys[i].x509 = x; 447 c->key = &(c->pkeys[i]); 448 449 c->valid = 0; 450 return (1); 451 } 452 453 #ifndef OPENSSL_NO_STDIO 454 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) 455 { 456 int j; 457 BIO *in; 458 int ret = 0; 459 X509 *x = NULL; 460 461 in = BIO_new(BIO_s_file_internal()); 462 if (in == NULL) { 463 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 464 goto end; 465 } 466 467 if (BIO_read_filename(in, file) <= 0) { 468 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 469 goto end; 470 } 471 if (type == SSL_FILETYPE_ASN1) { 472 j = ERR_R_ASN1_LIB; 473 x = d2i_X509_bio(in, NULL); 474 } else if (type == SSL_FILETYPE_PEM) { 475 j = ERR_R_PEM_LIB; 476 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, 477 ctx->default_passwd_callback_userdata); 478 } else { 479 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 480 goto end; 481 } 482 483 if (x == NULL) { 484 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); 485 goto end; 486 } 487 488 ret = SSL_CTX_use_certificate(ctx, x); 489 end: 490 if (x != NULL) 491 X509_free(x); 492 if (in != NULL) 493 BIO_free(in); 494 return (ret); 495 } 496 #endif 497 498 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, 499 const unsigned char *d) 500 { 501 X509 *x; 502 int ret; 503 504 x = d2i_X509(NULL, &d, (long)len); 505 if (x == NULL) { 506 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 507 return (0); 508 } 509 510 ret = SSL_CTX_use_certificate(ctx, x); 511 X509_free(x); 512 return (ret); 513 } 514 515 #ifndef OPENSSL_NO_RSA 516 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 517 { 518 int ret; 519 EVP_PKEY *pkey; 520 521 if (rsa == NULL) { 522 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 523 return (0); 524 } 525 if (!ssl_cert_inst(&ctx->cert)) { 526 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 527 return (0); 528 } 529 if ((pkey = EVP_PKEY_new()) == NULL) { 530 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 531 return (0); 532 } 533 534 RSA_up_ref(rsa); 535 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { 536 RSA_free(rsa); 537 return 0; 538 } 539 540 ret = ssl_set_pkey(ctx->cert, pkey); 541 EVP_PKEY_free(pkey); 542 return (ret); 543 } 544 545 # ifndef OPENSSL_NO_STDIO 546 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) 547 { 548 int j, ret = 0; 549 BIO *in; 550 RSA *rsa = NULL; 551 552 in = BIO_new(BIO_s_file_internal()); 553 if (in == NULL) { 554 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 555 goto end; 556 } 557 558 if (BIO_read_filename(in, file) <= 0) { 559 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 560 goto end; 561 } 562 if (type == SSL_FILETYPE_ASN1) { 563 j = ERR_R_ASN1_LIB; 564 rsa = d2i_RSAPrivateKey_bio(in, NULL); 565 } else if (type == SSL_FILETYPE_PEM) { 566 j = ERR_R_PEM_LIB; 567 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 568 ctx->default_passwd_callback, 569 ctx->default_passwd_callback_userdata); 570 } else { 571 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 572 goto end; 573 } 574 if (rsa == NULL) { 575 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); 576 goto end; 577 } 578 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 579 RSA_free(rsa); 580 end: 581 if (in != NULL) 582 BIO_free(in); 583 return (ret); 584 } 585 # endif 586 587 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, 588 long len) 589 { 590 int ret; 591 const unsigned char *p; 592 RSA *rsa; 593 594 p = d; 595 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 596 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 597 return (0); 598 } 599 600 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 601 RSA_free(rsa); 602 return (ret); 603 } 604 #endif /* !OPENSSL_NO_RSA */ 605 606 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 607 { 608 if (pkey == NULL) { 609 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 610 return (0); 611 } 612 if (!ssl_cert_inst(&ctx->cert)) { 613 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 614 return (0); 615 } 616 return (ssl_set_pkey(ctx->cert, pkey)); 617 } 618 619 #ifndef OPENSSL_NO_STDIO 620 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) 621 { 622 int j, ret = 0; 623 BIO *in; 624 EVP_PKEY *pkey = NULL; 625 626 in = BIO_new(BIO_s_file_internal()); 627 if (in == NULL) { 628 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 629 goto end; 630 } 631 632 if (BIO_read_filename(in, file) <= 0) { 633 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 634 goto end; 635 } 636 if (type == SSL_FILETYPE_PEM) { 637 j = ERR_R_PEM_LIB; 638 pkey = PEM_read_bio_PrivateKey(in, NULL, 639 ctx->default_passwd_callback, 640 ctx->default_passwd_callback_userdata); 641 } else if (type == SSL_FILETYPE_ASN1) { 642 j = ERR_R_ASN1_LIB; 643 pkey = d2i_PrivateKey_bio(in, NULL); 644 } else { 645 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 646 goto end; 647 } 648 if (pkey == NULL) { 649 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); 650 goto end; 651 } 652 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 653 EVP_PKEY_free(pkey); 654 end: 655 if (in != NULL) 656 BIO_free(in); 657 return (ret); 658 } 659 #endif 660 661 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, 662 const unsigned char *d, long len) 663 { 664 int ret; 665 const unsigned char *p; 666 EVP_PKEY *pkey; 667 668 p = d; 669 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 670 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 671 return (0); 672 } 673 674 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 675 EVP_PKEY_free(pkey); 676 return (ret); 677 } 678 679 #ifndef OPENSSL_NO_STDIO 680 /* 681 * Read a file that contains our certificate in "PEM" format, possibly 682 * followed by a sequence of CA certificates that should be sent to the peer 683 * in the Certificate message. 684 */ 685 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) 686 { 687 BIO *in; 688 int ret = 0; 689 X509 *x = NULL; 690 691 ERR_clear_error(); /* clear error stack for 692 * SSL_CTX_use_certificate() */ 693 694 in = BIO_new(BIO_s_file_internal()); 695 if (in == NULL) { 696 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); 697 goto end; 698 } 699 700 if (BIO_read_filename(in, file) <= 0) { 701 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); 702 goto end; 703 } 704 705 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, 706 ctx->default_passwd_callback_userdata); 707 if (x == NULL) { 708 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); 709 goto end; 710 } 711 712 ret = SSL_CTX_use_certificate(ctx, x); 713 714 if (ERR_peek_error() != 0) 715 ret = 0; /* Key/certificate mismatch doesn't imply 716 * ret==0 ... */ 717 if (ret) { 718 /* 719 * If we could set up our certificate, now proceed to the CA 720 * certificates. 721 */ 722 X509 *ca; 723 int r; 724 unsigned long err; 725 726 SSL_CTX_clear_chain_certs(ctx); 727 728 while ((ca = PEM_read_bio_X509(in, NULL, 729 ctx->default_passwd_callback, 730 ctx->default_passwd_callback_userdata)) 731 != NULL) { 732 r = SSL_CTX_add0_chain_cert(ctx, ca); 733 if (!r) { 734 X509_free(ca); 735 ret = 0; 736 goto end; 737 } 738 /* 739 * Note that we must not free r if it was successfully added to 740 * the chain (while we must free the main certificate, since its 741 * reference count is increased by SSL_CTX_use_certificate). 742 */ 743 } 744 /* When the while loop ends, it's usually just EOF. */ 745 err = ERR_peek_last_error(); 746 if (ERR_GET_LIB(err) == ERR_LIB_PEM 747 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 748 ERR_clear_error(); 749 else 750 ret = 0; /* some real error */ 751 } 752 753 end: 754 if (x != NULL) 755 X509_free(x); 756 if (in != NULL) 757 BIO_free(in); 758 return (ret); 759 } 760 #endif 761 762 #ifndef OPENSSL_NO_TLSEXT 763 static int serverinfo_find_extension(const unsigned char *serverinfo, 764 size_t serverinfo_length, 765 unsigned int extension_type, 766 const unsigned char **extension_data, 767 size_t *extension_length) 768 { 769 *extension_data = NULL; 770 *extension_length = 0; 771 if (serverinfo == NULL || serverinfo_length == 0) 772 return -1; 773 for (;;) { 774 unsigned int type = 0; 775 size_t len = 0; 776 777 /* end of serverinfo */ 778 if (serverinfo_length == 0) 779 return 0; /* Extension not found */ 780 781 /* read 2-byte type field */ 782 if (serverinfo_length < 2) 783 return -1; /* Error */ 784 type = (serverinfo[0] << 8) + serverinfo[1]; 785 serverinfo += 2; 786 serverinfo_length -= 2; 787 788 /* read 2-byte len field */ 789 if (serverinfo_length < 2) 790 return -1; /* Error */ 791 len = (serverinfo[0] << 8) + serverinfo[1]; 792 serverinfo += 2; 793 serverinfo_length -= 2; 794 795 if (len > serverinfo_length) 796 return -1; /* Error */ 797 798 if (type == extension_type) { 799 *extension_data = serverinfo; 800 *extension_length = len; 801 return 1; /* Success */ 802 } 803 804 serverinfo += len; 805 serverinfo_length -= len; 806 } 807 return 0; /* Error */ 808 } 809 810 static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, 811 const unsigned char *in, 812 size_t inlen, int *al, void *arg) 813 { 814 815 if (inlen != 0) { 816 *al = SSL_AD_DECODE_ERROR; 817 return 0; 818 } 819 820 return 1; 821 } 822 823 static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, 824 const unsigned char **out, size_t *outlen, 825 int *al, void *arg) 826 { 827 const unsigned char *serverinfo = NULL; 828 size_t serverinfo_length = 0; 829 830 /* Is there serverinfo data for the chosen server cert? */ 831 if ((ssl_get_server_cert_serverinfo(s, &serverinfo, 832 &serverinfo_length)) != 0) { 833 /* Find the relevant extension from the serverinfo */ 834 int retval = serverinfo_find_extension(serverinfo, serverinfo_length, 835 ext_type, out, outlen); 836 if (retval == -1) { 837 *al = SSL_AD_DECODE_ERROR; 838 return -1; /* Error */ 839 } 840 if (retval == 0) 841 return 0; /* No extension found, don't send extension */ 842 return 1; /* Send extension */ 843 } 844 return -1; /* No serverinfo data found, don't send 845 * extension */ 846 } 847 848 /* 849 * With a NULL context, this function just checks that the serverinfo data 850 * parses correctly. With a non-NULL context, it registers callbacks for 851 * the included extensions. 852 */ 853 static int serverinfo_process_buffer(const unsigned char *serverinfo, 854 size_t serverinfo_length, SSL_CTX *ctx) 855 { 856 if (serverinfo == NULL || serverinfo_length == 0) 857 return 0; 858 for (;;) { 859 unsigned int ext_type = 0; 860 size_t len = 0; 861 862 /* end of serverinfo */ 863 if (serverinfo_length == 0) 864 return 1; 865 866 /* read 2-byte type field */ 867 if (serverinfo_length < 2) 868 return 0; 869 /* FIXME: check for types we understand explicitly? */ 870 871 /* Register callbacks for extensions */ 872 ext_type = (serverinfo[0] << 8) + serverinfo[1]; 873 if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type, 874 serverinfo_srv_add_cb, 875 NULL, NULL, 876 serverinfo_srv_parse_cb, 877 NULL)) 878 return 0; 879 880 serverinfo += 2; 881 serverinfo_length -= 2; 882 883 /* read 2-byte len field */ 884 if (serverinfo_length < 2) 885 return 0; 886 len = (serverinfo[0] << 8) + serverinfo[1]; 887 serverinfo += 2; 888 serverinfo_length -= 2; 889 890 if (len > serverinfo_length) 891 return 0; 892 893 serverinfo += len; 894 serverinfo_length -= len; 895 } 896 } 897 898 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, 899 size_t serverinfo_length) 900 { 901 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { 902 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); 903 return 0; 904 } 905 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { 906 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 907 return 0; 908 } 909 if (!ssl_cert_inst(&ctx->cert)) { 910 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); 911 return 0; 912 } 913 if (ctx->cert->key == NULL) { 914 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); 915 return 0; 916 } 917 ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, 918 serverinfo_length); 919 if (ctx->cert->key->serverinfo == NULL) { 920 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); 921 return 0; 922 } 923 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); 924 ctx->cert->key->serverinfo_length = serverinfo_length; 925 926 /* 927 * Now that the serverinfo is validated and stored, go ahead and 928 * register callbacks. 929 */ 930 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { 931 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 932 return 0; 933 } 934 return 1; 935 } 936 937 # ifndef OPENSSL_NO_STDIO 938 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) 939 { 940 unsigned char *serverinfo = NULL; 941 size_t serverinfo_length = 0; 942 unsigned char *extension = 0; 943 long extension_length = 0; 944 char *name = NULL; 945 char *header = NULL; 946 char namePrefix[] = "SERVERINFO FOR "; 947 int ret = 0; 948 BIO *bin = NULL; 949 size_t num_extensions = 0; 950 951 if (ctx == NULL || file == NULL) { 952 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 953 ERR_R_PASSED_NULL_PARAMETER); 954 goto end; 955 } 956 957 bin = BIO_new(BIO_s_file_internal()); 958 if (bin == NULL) { 959 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB); 960 goto end; 961 } 962 if (BIO_read_filename(bin, file) <= 0) { 963 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB); 964 goto end; 965 } 966 967 for (num_extensions = 0;; num_extensions++) { 968 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) 969 == 0) { 970 /* 971 * There must be at least one extension in this file 972 */ 973 if (num_extensions == 0) { 974 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 975 SSL_R_NO_PEM_EXTENSIONS); 976 goto end; 977 } else /* End of file, we're done */ 978 break; 979 } 980 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ 981 if (strlen(name) < strlen(namePrefix)) { 982 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 983 SSL_R_PEM_NAME_TOO_SHORT); 984 goto end; 985 } 986 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { 987 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 988 SSL_R_PEM_NAME_BAD_PREFIX); 989 goto end; 990 } 991 /* 992 * Check that the decoded PEM data is plausible (valid length field) 993 */ 994 if (extension_length < 4 995 || (extension[2] << 8) + extension[3] != extension_length - 4) { 996 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); 997 goto end; 998 } 999 /* Append the decoded extension to the serverinfo buffer */ 1000 serverinfo = 1001 OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); 1002 if (serverinfo == NULL) { 1003 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); 1004 goto end; 1005 } 1006 memcpy(serverinfo + serverinfo_length, extension, extension_length); 1007 serverinfo_length += extension_length; 1008 1009 OPENSSL_free(name); 1010 name = NULL; 1011 OPENSSL_free(header); 1012 header = NULL; 1013 OPENSSL_free(extension); 1014 extension = NULL; 1015 } 1016 1017 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); 1018 end: 1019 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ 1020 OPENSSL_free(name); 1021 OPENSSL_free(header); 1022 OPENSSL_free(extension); 1023 OPENSSL_free(serverinfo); 1024 if (bin != NULL) 1025 BIO_free(bin); 1026 return ret; 1027 } 1028 # endif /* OPENSSL_NO_STDIO */ 1029 #endif /* OPENSSL_NO_TLSEXT */ 1030