1 /* ssl/ssl_rsa.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include "ssl_locl.h" 61 #include <openssl/bio.h> 62 #include <openssl/objects.h> 63 #include <openssl/evp.h> 64 #include <openssl/x509.h> 65 #include <openssl/pem.h> 66 67 static int ssl_set_cert(CERT *c, X509 *x509); 68 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); 69 int SSL_use_certificate(SSL *ssl, X509 *x) 70 { 71 if (x == NULL) { 72 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 73 return (0); 74 } 75 if (!ssl_cert_inst(&ssl->cert)) { 76 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 77 return (0); 78 } 79 return (ssl_set_cert(ssl->cert, x)); 80 } 81 82 #ifndef OPENSSL_NO_STDIO 83 int SSL_use_certificate_file(SSL *ssl, const char *file, int type) 84 { 85 int j; 86 BIO *in; 87 int ret = 0; 88 X509 *x = NULL; 89 90 in = BIO_new(BIO_s_file_internal()); 91 if (in == NULL) { 92 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 93 goto end; 94 } 95 96 if (BIO_read_filename(in, file) <= 0) { 97 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 98 goto end; 99 } 100 if (type == SSL_FILETYPE_ASN1) { 101 j = ERR_R_ASN1_LIB; 102 x = d2i_X509_bio(in, NULL); 103 } else if (type == SSL_FILETYPE_PEM) { 104 j = ERR_R_PEM_LIB; 105 x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback, 106 ssl->ctx->default_passwd_callback_userdata); 107 } else { 108 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 109 goto end; 110 } 111 112 if (x == NULL) { 113 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); 114 goto end; 115 } 116 117 ret = SSL_use_certificate(ssl, x); 118 end: 119 if (x != NULL) 120 X509_free(x); 121 if (in != NULL) 122 BIO_free(in); 123 return (ret); 124 } 125 #endif 126 127 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) 128 { 129 X509 *x; 130 int ret; 131 132 x = d2i_X509(NULL, &d, (long)len); 133 if (x == NULL) { 134 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 135 return (0); 136 } 137 138 ret = SSL_use_certificate(ssl, x); 139 X509_free(x); 140 return (ret); 141 } 142 143 #ifndef OPENSSL_NO_RSA 144 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 145 { 146 EVP_PKEY *pkey; 147 int ret; 148 149 if (rsa == NULL) { 150 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 151 return (0); 152 } 153 if (!ssl_cert_inst(&ssl->cert)) { 154 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 155 return (0); 156 } 157 if ((pkey = EVP_PKEY_new()) == NULL) { 158 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 159 return (0); 160 } 161 162 RSA_up_ref(rsa); 163 EVP_PKEY_assign_RSA(pkey, rsa); 164 165 ret = ssl_set_pkey(ssl->cert, pkey); 166 EVP_PKEY_free(pkey); 167 return (ret); 168 } 169 #endif 170 171 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 172 { 173 int i; 174 /* 175 * Special case for DH: check two DH certificate types for a match. This 176 * means for DH certificates we must set the certificate first. 177 */ 178 if (pkey->type == EVP_PKEY_DH) { 179 X509 *x; 180 i = -1; 181 x = c->pkeys[SSL_PKEY_DH_RSA].x509; 182 if (x && X509_check_private_key(x, pkey)) 183 i = SSL_PKEY_DH_RSA; 184 x = c->pkeys[SSL_PKEY_DH_DSA].x509; 185 if (i == -1 && x && X509_check_private_key(x, pkey)) 186 i = SSL_PKEY_DH_DSA; 187 ERR_clear_error(); 188 } else 189 i = ssl_cert_type(NULL, pkey); 190 if (i < 0) { 191 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 192 return (0); 193 } 194 195 if (c->pkeys[i].x509 != NULL) { 196 EVP_PKEY *pktmp; 197 pktmp = X509_get_pubkey(c->pkeys[i].x509); 198 EVP_PKEY_copy_parameters(pktmp, pkey); 199 EVP_PKEY_free(pktmp); 200 ERR_clear_error(); 201 202 #ifndef OPENSSL_NO_RSA 203 /* 204 * Don't check the public/private key, this is mostly for smart 205 * cards. 206 */ 207 if ((pkey->type == EVP_PKEY_RSA) && 208 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ; 209 else 210 #endif 211 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 212 X509_free(c->pkeys[i].x509); 213 c->pkeys[i].x509 = NULL; 214 return 0; 215 } 216 } 217 218 if (c->pkeys[i].privatekey != NULL) 219 EVP_PKEY_free(c->pkeys[i].privatekey); 220 CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); 221 c->pkeys[i].privatekey = pkey; 222 c->key = &(c->pkeys[i]); 223 224 c->valid = 0; 225 return (1); 226 } 227 228 #ifndef OPENSSL_NO_RSA 229 # ifndef OPENSSL_NO_STDIO 230 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 231 { 232 int j, ret = 0; 233 BIO *in; 234 RSA *rsa = NULL; 235 236 in = BIO_new(BIO_s_file_internal()); 237 if (in == NULL) { 238 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 239 goto end; 240 } 241 242 if (BIO_read_filename(in, file) <= 0) { 243 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 244 goto end; 245 } 246 if (type == SSL_FILETYPE_ASN1) { 247 j = ERR_R_ASN1_LIB; 248 rsa = d2i_RSAPrivateKey_bio(in, NULL); 249 } else if (type == SSL_FILETYPE_PEM) { 250 j = ERR_R_PEM_LIB; 251 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 252 ssl->ctx->default_passwd_callback, 253 ssl-> 254 ctx->default_passwd_callback_userdata); 255 } else { 256 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 257 goto end; 258 } 259 if (rsa == NULL) { 260 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); 261 goto end; 262 } 263 ret = SSL_use_RSAPrivateKey(ssl, rsa); 264 RSA_free(rsa); 265 end: 266 if (in != NULL) 267 BIO_free(in); 268 return (ret); 269 } 270 # endif 271 272 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) 273 { 274 int ret; 275 const unsigned char *p; 276 RSA *rsa; 277 278 p = d; 279 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 280 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 281 return (0); 282 } 283 284 ret = SSL_use_RSAPrivateKey(ssl, rsa); 285 RSA_free(rsa); 286 return (ret); 287 } 288 #endif /* !OPENSSL_NO_RSA */ 289 290 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 291 { 292 int ret; 293 294 if (pkey == NULL) { 295 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 296 return (0); 297 } 298 if (!ssl_cert_inst(&ssl->cert)) { 299 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 300 return (0); 301 } 302 ret = ssl_set_pkey(ssl->cert, pkey); 303 return (ret); 304 } 305 306 #ifndef OPENSSL_NO_STDIO 307 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) 308 { 309 int j, ret = 0; 310 BIO *in; 311 EVP_PKEY *pkey = NULL; 312 313 in = BIO_new(BIO_s_file_internal()); 314 if (in == NULL) { 315 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 316 goto end; 317 } 318 319 if (BIO_read_filename(in, file) <= 0) { 320 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 321 goto end; 322 } 323 if (type == SSL_FILETYPE_PEM) { 324 j = ERR_R_PEM_LIB; 325 pkey = PEM_read_bio_PrivateKey(in, NULL, 326 ssl->ctx->default_passwd_callback, 327 ssl-> 328 ctx->default_passwd_callback_userdata); 329 } else if (type == SSL_FILETYPE_ASN1) { 330 j = ERR_R_ASN1_LIB; 331 pkey = d2i_PrivateKey_bio(in, NULL); 332 } else { 333 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 334 goto end; 335 } 336 if (pkey == NULL) { 337 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); 338 goto end; 339 } 340 ret = SSL_use_PrivateKey(ssl, pkey); 341 EVP_PKEY_free(pkey); 342 end: 343 if (in != NULL) 344 BIO_free(in); 345 return (ret); 346 } 347 #endif 348 349 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, 350 long len) 351 { 352 int ret; 353 const unsigned char *p; 354 EVP_PKEY *pkey; 355 356 p = d; 357 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 358 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 359 return (0); 360 } 361 362 ret = SSL_use_PrivateKey(ssl, pkey); 363 EVP_PKEY_free(pkey); 364 return (ret); 365 } 366 367 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) 368 { 369 if (x == NULL) { 370 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 371 return (0); 372 } 373 if (!ssl_cert_inst(&ctx->cert)) { 374 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 375 return (0); 376 } 377 return (ssl_set_cert(ctx->cert, x)); 378 } 379 380 static int ssl_set_cert(CERT *c, X509 *x) 381 { 382 EVP_PKEY *pkey; 383 int i; 384 385 pkey = X509_get_pubkey(x); 386 if (pkey == NULL) { 387 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); 388 return (0); 389 } 390 391 i = ssl_cert_type(x, pkey); 392 if (i < 0) { 393 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 394 EVP_PKEY_free(pkey); 395 return (0); 396 } 397 398 if (c->pkeys[i].privatekey != NULL) { 399 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 400 ERR_clear_error(); 401 402 #ifndef OPENSSL_NO_RSA 403 /* 404 * Don't check the public/private key, this is mostly for smart 405 * cards. 406 */ 407 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 408 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & 409 RSA_METHOD_FLAG_NO_CHECK)) ; 410 else 411 #endif /* OPENSSL_NO_RSA */ 412 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 413 /* 414 * don't fail for a cert/key mismatch, just free current private 415 * key (when switching to a different cert & key, first this 416 * function should be used, then ssl_set_pkey 417 */ 418 EVP_PKEY_free(c->pkeys[i].privatekey); 419 c->pkeys[i].privatekey = NULL; 420 /* clear error queue */ 421 ERR_clear_error(); 422 } 423 } 424 425 EVP_PKEY_free(pkey); 426 427 if (c->pkeys[i].x509 != NULL) 428 X509_free(c->pkeys[i].x509); 429 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 430 c->pkeys[i].x509 = x; 431 c->key = &(c->pkeys[i]); 432 433 c->valid = 0; 434 return (1); 435 } 436 437 #ifndef OPENSSL_NO_STDIO 438 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) 439 { 440 int j; 441 BIO *in; 442 int ret = 0; 443 X509 *x = NULL; 444 445 in = BIO_new(BIO_s_file_internal()); 446 if (in == NULL) { 447 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 448 goto end; 449 } 450 451 if (BIO_read_filename(in, file) <= 0) { 452 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 453 goto end; 454 } 455 if (type == SSL_FILETYPE_ASN1) { 456 j = ERR_R_ASN1_LIB; 457 x = d2i_X509_bio(in, NULL); 458 } else if (type == SSL_FILETYPE_PEM) { 459 j = ERR_R_PEM_LIB; 460 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, 461 ctx->default_passwd_callback_userdata); 462 } else { 463 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 464 goto end; 465 } 466 467 if (x == NULL) { 468 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); 469 goto end; 470 } 471 472 ret = SSL_CTX_use_certificate(ctx, x); 473 end: 474 if (x != NULL) 475 X509_free(x); 476 if (in != NULL) 477 BIO_free(in); 478 return (ret); 479 } 480 #endif 481 482 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, 483 const unsigned char *d) 484 { 485 X509 *x; 486 int ret; 487 488 x = d2i_X509(NULL, &d, (long)len); 489 if (x == NULL) { 490 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 491 return (0); 492 } 493 494 ret = SSL_CTX_use_certificate(ctx, x); 495 X509_free(x); 496 return (ret); 497 } 498 499 #ifndef OPENSSL_NO_RSA 500 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 501 { 502 int ret; 503 EVP_PKEY *pkey; 504 505 if (rsa == NULL) { 506 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 507 return (0); 508 } 509 if (!ssl_cert_inst(&ctx->cert)) { 510 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 511 return (0); 512 } 513 if ((pkey = EVP_PKEY_new()) == NULL) { 514 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 515 return (0); 516 } 517 518 RSA_up_ref(rsa); 519 EVP_PKEY_assign_RSA(pkey, rsa); 520 521 ret = ssl_set_pkey(ctx->cert, pkey); 522 EVP_PKEY_free(pkey); 523 return (ret); 524 } 525 526 # ifndef OPENSSL_NO_STDIO 527 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) 528 { 529 int j, ret = 0; 530 BIO *in; 531 RSA *rsa = NULL; 532 533 in = BIO_new(BIO_s_file_internal()); 534 if (in == NULL) { 535 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 536 goto end; 537 } 538 539 if (BIO_read_filename(in, file) <= 0) { 540 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 541 goto end; 542 } 543 if (type == SSL_FILETYPE_ASN1) { 544 j = ERR_R_ASN1_LIB; 545 rsa = d2i_RSAPrivateKey_bio(in, NULL); 546 } else if (type == SSL_FILETYPE_PEM) { 547 j = ERR_R_PEM_LIB; 548 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 549 ctx->default_passwd_callback, 550 ctx->default_passwd_callback_userdata); 551 } else { 552 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 553 goto end; 554 } 555 if (rsa == NULL) { 556 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); 557 goto end; 558 } 559 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 560 RSA_free(rsa); 561 end: 562 if (in != NULL) 563 BIO_free(in); 564 return (ret); 565 } 566 # endif 567 568 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, 569 long len) 570 { 571 int ret; 572 const unsigned char *p; 573 RSA *rsa; 574 575 p = d; 576 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 577 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 578 return (0); 579 } 580 581 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 582 RSA_free(rsa); 583 return (ret); 584 } 585 #endif /* !OPENSSL_NO_RSA */ 586 587 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 588 { 589 if (pkey == NULL) { 590 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 591 return (0); 592 } 593 if (!ssl_cert_inst(&ctx->cert)) { 594 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 595 return (0); 596 } 597 return (ssl_set_pkey(ctx->cert, pkey)); 598 } 599 600 #ifndef OPENSSL_NO_STDIO 601 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) 602 { 603 int j, ret = 0; 604 BIO *in; 605 EVP_PKEY *pkey = NULL; 606 607 in = BIO_new(BIO_s_file_internal()); 608 if (in == NULL) { 609 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 610 goto end; 611 } 612 613 if (BIO_read_filename(in, file) <= 0) { 614 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 615 goto end; 616 } 617 if (type == SSL_FILETYPE_PEM) { 618 j = ERR_R_PEM_LIB; 619 pkey = PEM_read_bio_PrivateKey(in, NULL, 620 ctx->default_passwd_callback, 621 ctx->default_passwd_callback_userdata); 622 } else if (type == SSL_FILETYPE_ASN1) { 623 j = ERR_R_ASN1_LIB; 624 pkey = d2i_PrivateKey_bio(in, NULL); 625 } else { 626 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 627 goto end; 628 } 629 if (pkey == NULL) { 630 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); 631 goto end; 632 } 633 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 634 EVP_PKEY_free(pkey); 635 end: 636 if (in != NULL) 637 BIO_free(in); 638 return (ret); 639 } 640 #endif 641 642 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, 643 const unsigned char *d, long len) 644 { 645 int ret; 646 const unsigned char *p; 647 EVP_PKEY *pkey; 648 649 p = d; 650 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 651 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 652 return (0); 653 } 654 655 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 656 EVP_PKEY_free(pkey); 657 return (ret); 658 } 659 660 #ifndef OPENSSL_NO_STDIO 661 /* 662 * Read a file that contains our certificate in "PEM" format, possibly 663 * followed by a sequence of CA certificates that should be sent to the peer 664 * in the Certificate message. 665 */ 666 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) 667 { 668 BIO *in; 669 int ret = 0; 670 X509 *x = NULL; 671 672 ERR_clear_error(); /* clear error stack for 673 * SSL_CTX_use_certificate() */ 674 675 in = BIO_new(BIO_s_file_internal()); 676 if (in == NULL) { 677 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); 678 goto end; 679 } 680 681 if (BIO_read_filename(in, file) <= 0) { 682 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); 683 goto end; 684 } 685 686 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, 687 ctx->default_passwd_callback_userdata); 688 if (x == NULL) { 689 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); 690 goto end; 691 } 692 693 ret = SSL_CTX_use_certificate(ctx, x); 694 695 if (ERR_peek_error() != 0) 696 ret = 0; /* Key/certificate mismatch doesn't imply 697 * ret==0 ... */ 698 if (ret) { 699 /* 700 * If we could set up our certificate, now proceed to the CA 701 * certificates. 702 */ 703 X509 *ca; 704 int r; 705 unsigned long err; 706 707 SSL_CTX_clear_chain_certs(ctx); 708 709 while ((ca = PEM_read_bio_X509(in, NULL, 710 ctx->default_passwd_callback, 711 ctx->default_passwd_callback_userdata)) 712 != NULL) { 713 r = SSL_CTX_add0_chain_cert(ctx, ca); 714 if (!r) { 715 X509_free(ca); 716 ret = 0; 717 goto end; 718 } 719 /* 720 * Note that we must not free r if it was successfully added to 721 * the chain (while we must free the main certificate, since its 722 * reference count is increased by SSL_CTX_use_certificate). 723 */ 724 } 725 /* When the while loop ends, it's usually just EOF. */ 726 err = ERR_peek_last_error(); 727 if (ERR_GET_LIB(err) == ERR_LIB_PEM 728 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 729 ERR_clear_error(); 730 else 731 ret = 0; /* some real error */ 732 } 733 734 end: 735 if (x != NULL) 736 X509_free(x); 737 if (in != NULL) 738 BIO_free(in); 739 return (ret); 740 } 741 #endif 742 743 #ifndef OPENSSL_NO_TLSEXT 744 static int serverinfo_find_extension(const unsigned char *serverinfo, 745 size_t serverinfo_length, 746 unsigned int extension_type, 747 const unsigned char **extension_data, 748 size_t *extension_length) 749 { 750 *extension_data = NULL; 751 *extension_length = 0; 752 if (serverinfo == NULL || serverinfo_length == 0) 753 return 0; 754 for (;;) { 755 unsigned int type = 0; 756 size_t len = 0; 757 758 /* end of serverinfo */ 759 if (serverinfo_length == 0) 760 return -1; /* Extension not found */ 761 762 /* read 2-byte type field */ 763 if (serverinfo_length < 2) 764 return 0; /* Error */ 765 type = (serverinfo[0] << 8) + serverinfo[1]; 766 serverinfo += 2; 767 serverinfo_length -= 2; 768 769 /* read 2-byte len field */ 770 if (serverinfo_length < 2) 771 return 0; /* Error */ 772 len = (serverinfo[0] << 8) + serverinfo[1]; 773 serverinfo += 2; 774 serverinfo_length -= 2; 775 776 if (len > serverinfo_length) 777 return 0; /* Error */ 778 779 if (type == extension_type) { 780 *extension_data = serverinfo; 781 *extension_length = len; 782 return 1; /* Success */ 783 } 784 785 serverinfo += len; 786 serverinfo_length -= len; 787 } 788 return 0; /* Error */ 789 } 790 791 static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, 792 const unsigned char *in, 793 size_t inlen, int *al, void *arg) 794 { 795 796 if (inlen != 0) { 797 *al = SSL_AD_DECODE_ERROR; 798 return 0; 799 } 800 801 return 1; 802 } 803 804 static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, 805 const unsigned char **out, size_t *outlen, 806 int *al, void *arg) 807 { 808 const unsigned char *serverinfo = NULL; 809 size_t serverinfo_length = 0; 810 811 /* Is there serverinfo data for the chosen server cert? */ 812 if ((ssl_get_server_cert_serverinfo(s, &serverinfo, 813 &serverinfo_length)) != 0) { 814 /* Find the relevant extension from the serverinfo */ 815 int retval = serverinfo_find_extension(serverinfo, serverinfo_length, 816 ext_type, out, outlen); 817 if (retval == 0) 818 return 0; /* Error */ 819 if (retval == -1) 820 return -1; /* No extension found, don't send extension */ 821 return 1; /* Send extension */ 822 } 823 return -1; /* No serverinfo data found, don't send 824 * extension */ 825 } 826 827 /* 828 * With a NULL context, this function just checks that the serverinfo data 829 * parses correctly. With a non-NULL context, it registers callbacks for 830 * the included extensions. 831 */ 832 static int serverinfo_process_buffer(const unsigned char *serverinfo, 833 size_t serverinfo_length, SSL_CTX *ctx) 834 { 835 if (serverinfo == NULL || serverinfo_length == 0) 836 return 0; 837 for (;;) { 838 unsigned int ext_type = 0; 839 size_t len = 0; 840 841 /* end of serverinfo */ 842 if (serverinfo_length == 0) 843 return 1; 844 845 /* read 2-byte type field */ 846 if (serverinfo_length < 2) 847 return 0; 848 /* FIXME: check for types we understand explicitly? */ 849 850 /* Register callbacks for extensions */ 851 ext_type = (serverinfo[0] << 8) + serverinfo[1]; 852 if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type, 853 serverinfo_srv_add_cb, 854 NULL, NULL, 855 serverinfo_srv_parse_cb, 856 NULL)) 857 return 0; 858 859 serverinfo += 2; 860 serverinfo_length -= 2; 861 862 /* read 2-byte len field */ 863 if (serverinfo_length < 2) 864 return 0; 865 len = (serverinfo[0] << 8) + serverinfo[1]; 866 serverinfo += 2; 867 serverinfo_length -= 2; 868 869 if (len > serverinfo_length) 870 return 0; 871 872 serverinfo += len; 873 serverinfo_length -= len; 874 } 875 } 876 877 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, 878 size_t serverinfo_length) 879 { 880 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { 881 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); 882 return 0; 883 } 884 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { 885 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 886 return 0; 887 } 888 if (!ssl_cert_inst(&ctx->cert)) { 889 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); 890 return 0; 891 } 892 if (ctx->cert->key == NULL) { 893 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); 894 return 0; 895 } 896 ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, 897 serverinfo_length); 898 if (ctx->cert->key->serverinfo == NULL) { 899 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); 900 return 0; 901 } 902 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); 903 ctx->cert->key->serverinfo_length = serverinfo_length; 904 905 /* 906 * Now that the serverinfo is validated and stored, go ahead and 907 * register callbacks. 908 */ 909 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { 910 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 911 return 0; 912 } 913 return 1; 914 } 915 916 # ifndef OPENSSL_NO_STDIO 917 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) 918 { 919 unsigned char *serverinfo = NULL; 920 size_t serverinfo_length = 0; 921 unsigned char *extension = 0; 922 long extension_length = 0; 923 char *name = NULL; 924 char *header = NULL; 925 char namePrefix[] = "SERVERINFO FOR "; 926 int ret = 0; 927 BIO *bin = NULL; 928 size_t num_extensions = 0; 929 930 if (ctx == NULL || file == NULL) { 931 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 932 ERR_R_PASSED_NULL_PARAMETER); 933 goto end; 934 } 935 936 bin = BIO_new(BIO_s_file_internal()); 937 if (bin == NULL) { 938 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB); 939 goto end; 940 } 941 if (BIO_read_filename(bin, file) <= 0) { 942 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB); 943 goto end; 944 } 945 946 for (num_extensions = 0;; num_extensions++) { 947 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) 948 == 0) { 949 /* 950 * There must be at least one extension in this file 951 */ 952 if (num_extensions == 0) { 953 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 954 SSL_R_NO_PEM_EXTENSIONS); 955 goto end; 956 } else /* End of file, we're done */ 957 break; 958 } 959 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ 960 if (strlen(name) < strlen(namePrefix)) { 961 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 962 SSL_R_PEM_NAME_TOO_SHORT); 963 goto end; 964 } 965 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { 966 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 967 SSL_R_PEM_NAME_BAD_PREFIX); 968 goto end; 969 } 970 /* 971 * Check that the decoded PEM data is plausible (valid length field) 972 */ 973 if (extension_length < 4 974 || (extension[2] << 8) + extension[3] != extension_length - 4) { 975 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); 976 goto end; 977 } 978 /* Append the decoded extension to the serverinfo buffer */ 979 serverinfo = 980 OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); 981 if (serverinfo == NULL) { 982 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); 983 goto end; 984 } 985 memcpy(serverinfo + serverinfo_length, extension, extension_length); 986 serverinfo_length += extension_length; 987 988 OPENSSL_free(name); 989 name = NULL; 990 OPENSSL_free(header); 991 header = NULL; 992 OPENSSL_free(extension); 993 extension = NULL; 994 } 995 996 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); 997 end: 998 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ 999 OPENSSL_free(name); 1000 OPENSSL_free(header); 1001 OPENSSL_free(extension); 1002 OPENSSL_free(serverinfo); 1003 if (bin != NULL) 1004 BIO_free(bin); 1005 return ret; 1006 } 1007 # endif /* OPENSSL_NO_STDIO */ 1008 #endif /* OPENSSL_NO_TLSEXT */ 1009