Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 95c29f3cd1f6c08c6c0927868683392eea727ccb / . / ssl / ssl_rsa.c
blob: 04bbabe3fbd336c01a756cf56d3e228ce766663f [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame^]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <stdio.h>
58
59#include <openssl/bio.h>
60#include <openssl/err.h>
61#include <openssl/evp.h>
62#include <openssl/mem.h>
63#include <openssl/obj.h>
64#include <openssl/pem.h>
65#include <openssl/x509.h>
66
67#include "ssl_locl.h"
68
69static int ssl_set_cert(CERT *c, X509 *x509);
70static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
71#ifndef OPENSSL_NO_TLSEXT
72static int ssl_set_authz(CERT *c, unsigned char *authz,
73 size_t authz_length);
74#endif
75int SSL_use_certificate(SSL *ssl, X509 *x)
76 {
77 if (x == NULL)
78 {
79 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_PASSED_NULL_PARAMETER);
80 return(0);
81 }
82 if (!ssl_cert_inst(&ssl->cert))
83 {
84 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_MALLOC_FAILURE);
85 return(0);
86 }
87 return(ssl_set_cert(ssl->cert,x));
88 }
89
90#ifndef OPENSSL_NO_STDIO
91int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
92 {
93 int reason_code;
94 BIO *in;
95 int ret=0;
96 X509 *x=NULL;
97
98 in=BIO_new(BIO_s_file());
99 if (in == NULL)
100 {
101 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, ERR_R_BUF_LIB);
102 goto end;
103 }
104
105 if (BIO_read_filename(in,file) <= 0)
106 {
107 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, ERR_R_SYS_LIB);
108 goto end;
109 }
110 if (type == SSL_FILETYPE_ASN1)
111 {
112 reason_code =ERR_R_ASN1_LIB;
113 x=d2i_X509_bio(in,NULL);
114 }
115 else if (type == SSL_FILETYPE_PEM)
116 {
117 reason_code=ERR_R_PEM_LIB;
118 x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
119 }
120 else
121 {
122 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, SSL_R_BAD_SSL_FILETYPE);
123 goto end;
124 }
125
126 if (x == NULL)
127 {
128 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file,reason_code);
129 goto end;
130 }
131
132 ret=SSL_use_certificate(ssl,x);
133end:
134 if (x != NULL) X509_free(x);
135 if (in != NULL) BIO_free(in);
136 return(ret);
137 }
138#endif
139
140int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
141 {
142 X509 *x;
143 int ret;
144
145 x=d2i_X509(NULL,&d,(long)len);
146 if (x == NULL)
147 {
148 OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_ASN1, ERR_R_ASN1_LIB);
149 return(0);
150 }
151
152 ret=SSL_use_certificate(ssl,x);
153 X509_free(x);
154 return(ret);
155 }
156
157#ifndef OPENSSL_NO_RSA
158int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
159 {
160 EVP_PKEY *pkey;
161 int ret;
162
163 if (rsa == NULL)
164 {
165 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_PASSED_NULL_PARAMETER);
166 return(0);
167 }
168 if (!ssl_cert_inst(&ssl->cert))
169 {
170 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
171 return(0);
172 }
173 if ((pkey=EVP_PKEY_new()) == NULL)
174 {
175 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_EVP_LIB);
176 return(0);
177 }
178
179 RSA_up_ref(rsa);
180 EVP_PKEY_assign_RSA(pkey,rsa);
181
182 ret=ssl_set_pkey(ssl->cert,pkey);
183 EVP_PKEY_free(pkey);
184 return(ret);
185 }
186#endif
187
188static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
189 {
190 int i;
191 /* Special case for DH: check two DH certificate types for a match.
192 * This means for DH certificates we must set the certificate first.
193 */
194 if (pkey->type == EVP_PKEY_DH)
195 {
196 X509 *x;
197 i = -1;
198 x = c->pkeys[SSL_PKEY_DH_RSA].x509;
199 if (x && X509_check_private_key(x, pkey))
200 i = SSL_PKEY_DH_RSA;
201 x = c->pkeys[SSL_PKEY_DH_DSA].x509;
202 if (i == -1 && x && X509_check_private_key(x, pkey))
203 i = SSL_PKEY_DH_DSA;
204 ERR_clear_error();
205 }
206 else
207 i=ssl_cert_type(NULL,pkey);
208 if (i < 0)
209 {
210 OPENSSL_PUT_ERROR(SSL, ssl_set_pkey, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
211 return(0);
212 }
213
214 if (c->pkeys[i].x509 != NULL)
215 {
216 EVP_PKEY *pktmp;
217 pktmp = X509_get_pubkey(c->pkeys[i].x509);
218 EVP_PKEY_copy_parameters(pktmp,pkey);
219 EVP_PKEY_free(pktmp);
220 ERR_clear_error();
221
222 /* TODO(fork): remove this? */
223#if 0
224#ifndef OPENSSL_NO_RSA
225 /* Don't check the public/private key, this is mostly
226 * for smart cards. */
227 if ((pkey->type == EVP_PKEY_RSA) &&
228 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
229 ;
230 else
231#endif
232#endif
233 if (!X509_check_private_key(c->pkeys[i].x509,pkey))
234 {
235 X509_free(c->pkeys[i].x509);
236 c->pkeys[i].x509 = NULL;
237 return 0;
238 }
239 }
240
241 if (c->pkeys[i].privatekey != NULL)
242 EVP_PKEY_free(c->pkeys[i].privatekey);
243 CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
244 c->pkeys[i].privatekey=pkey;
245 c->key= &(c->pkeys[i]);
246
247 c->valid=0;
248 return(1);
249 }
250
251#ifndef OPENSSL_NO_RSA
252#ifndef OPENSSL_NO_STDIO
253int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
254 {
255 int reason_code,ret=0;
256 BIO *in;
257 RSA *rsa=NULL;
258
259 in=BIO_new(BIO_s_file());
260 if (in == NULL)
261 {
262 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, ERR_R_BUF_LIB);
263 goto end;
264 }
265
266 if (BIO_read_filename(in,file) <= 0)
267 {
268 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, ERR_R_SYS_LIB);
269 goto end;
270 }
271 if (type == SSL_FILETYPE_ASN1)
272 {
273 reason_code=ERR_R_ASN1_LIB;
274 rsa=d2i_RSAPrivateKey_bio(in,NULL);
275 }
276 else if (type == SSL_FILETYPE_PEM)
277 {
278 reason_code=ERR_R_PEM_LIB;
279 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
280 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
281 }
282 else
283 {
284 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, SSL_R_BAD_SSL_FILETYPE);
285 goto end;
286 }
287 if (rsa == NULL)
288 {
289 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file,reason_code);
290 goto end;
291 }
292 ret=SSL_use_RSAPrivateKey(ssl,rsa);
293 RSA_free(rsa);
294end:
295 if (in != NULL) BIO_free(in);
296 return(ret);
297 }
298#endif
299
300int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
301 {
302 int ret;
303 const unsigned char *p;
304 RSA *rsa;
305
306 p=d;
307 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
308 {
309 OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_ASN1, ERR_R_ASN1_LIB);
310 return(0);
311 }
312
313 ret=SSL_use_RSAPrivateKey(ssl,rsa);
314 RSA_free(rsa);
315 return(ret);
316 }
317#endif /* !OPENSSL_NO_RSA */
318
319int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
320 {
321 int ret;
322
323 if (pkey == NULL)
324 {
325 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_PASSED_NULL_PARAMETER);
326 return(0);
327 }
328 if (!ssl_cert_inst(&ssl->cert))
329 {
330 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_MALLOC_FAILURE);
331 return(0);
332 }
333 ret=ssl_set_pkey(ssl->cert,pkey);
334 return(ret);
335 }
336
337#ifndef OPENSSL_NO_STDIO
338int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
339 {
340 int reason_code,ret=0;
341 BIO *in;
342 EVP_PKEY *pkey=NULL;
343
344 in=BIO_new(BIO_s_file());
345 if (in == NULL)
346 {
347 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, ERR_R_BUF_LIB);
348 goto end;
349 }
350
351 if (BIO_read_filename(in,file) <= 0)
352 {
353 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, ERR_R_SYS_LIB);
354 goto end;
355 }
356 if (type == SSL_FILETYPE_PEM)
357 {
358 reason_code=ERR_R_PEM_LIB;
359 pkey=PEM_read_bio_PrivateKey(in,NULL,
360 ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
361 }
362 else if (type == SSL_FILETYPE_ASN1)
363 {
364 reason_code = ERR_R_ASN1_LIB;
365 pkey = d2i_PrivateKey_bio(in,NULL);
366 }
367 else
368 {
369 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, SSL_R_BAD_SSL_FILETYPE);
370 goto end;
371 }
372 if (pkey == NULL)
373 {
374 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file,reason_code);
375 goto end;
376 }
377 ret=SSL_use_PrivateKey(ssl,pkey);
378 EVP_PKEY_free(pkey);
379end:
380 if (in != NULL) BIO_free(in);
381 return(ret);
382 }
383#endif
384
385int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
386 {
387 int ret;
388 const unsigned char *p;
389 EVP_PKEY *pkey;
390
391 p=d;
392 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
393 {
394 OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_ASN1, ERR_R_ASN1_LIB);
395 return(0);
396 }
397
398 ret=SSL_use_PrivateKey(ssl,pkey);
399 EVP_PKEY_free(pkey);
400 return(ret);
401 }
402
403int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
404 {
405 if (x == NULL)
406 {
407 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_PASSED_NULL_PARAMETER);
408 return(0);
409 }
410 if (!ssl_cert_inst(&ctx->cert))
411 {
412 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_MALLOC_FAILURE);
413 return(0);
414 }
415 return(ssl_set_cert(ctx->cert, x));
416 }
417
418static int ssl_set_cert(CERT *c, X509 *x)
419 {
420 EVP_PKEY *pkey;
421 int i;
422
423 pkey=X509_get_pubkey(x);
424 if (pkey == NULL)
425 {
426 OPENSSL_PUT_ERROR(SSL, ssl_set_cert, SSL_R_X509_LIB);
427 return(0);
428 }
429
430 i=ssl_cert_type(x,pkey);
431 if (i < 0)
432 {
433 OPENSSL_PUT_ERROR(SSL, ssl_set_cert, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
434 EVP_PKEY_free(pkey);
435 return(0);
436 }
437
438 if (c->pkeys[i].privatekey != NULL)
439 {
440 EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
441 ERR_clear_error();
442
443 /* TODO(fork): remove this? */
444#if 0
445#ifndef OPENSSL_NO_RSA
446 /* Don't check the public/private key, this is mostly
447 * for smart cards. */
448 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
449 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
450 RSA_METHOD_FLAG_NO_CHECK))
451 ;
452 else
453#endif /* OPENSSL_NO_RSA */
454#endif
455 if (!X509_check_private_key(x,c->pkeys[i].privatekey))
456 {
457 /* don't fail for a cert/key mismatch, just free
458 * current private key (when switching to a different
459 * cert & key, first this function should be used,
460 * then ssl_set_pkey */
461 EVP_PKEY_free(c->pkeys[i].privatekey);
462 c->pkeys[i].privatekey=NULL;
463 /* clear error queue */
464 ERR_clear_error();
465 }
466 }
467
468 EVP_PKEY_free(pkey);
469
470 if (c->pkeys[i].x509 != NULL)
471 X509_free(c->pkeys[i].x509);
472 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
473 c->pkeys[i].x509=x;
474 c->key= &(c->pkeys[i]);
475
476 c->valid=0;
477 return(1);
478 }
479
480#ifndef OPENSSL_NO_STDIO
481int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
482 {
483 int reason_code;
484 BIO *in;
485 int ret=0;
486 X509 *x=NULL;
487
488 in=BIO_new(BIO_s_file());
489 if (in == NULL)
490 {
491 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, ERR_R_BUF_LIB);
492 goto end;
493 }
494
495 if (BIO_read_filename(in,file) <= 0)
496 {
497 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, ERR_R_SYS_LIB);
498 goto end;
499 }
500 if (type == SSL_FILETYPE_ASN1)
501 {
502 reason_code=ERR_R_ASN1_LIB;
503 x=d2i_X509_bio(in,NULL);
504 }
505 else if (type == SSL_FILETYPE_PEM)
506 {
507 reason_code=ERR_R_PEM_LIB;
508 x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
509 }
510 else
511 {
512 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, SSL_R_BAD_SSL_FILETYPE);
513 goto end;
514 }
515
516 if (x == NULL)
517 {
518 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file,reason_code);
519 goto end;
520 }
521
522 ret=SSL_CTX_use_certificate(ctx,x);
523end:
524 if (x != NULL) X509_free(x);
525 if (in != NULL) BIO_free(in);
526 return(ret);
527 }
528#endif
529
530int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
531 {
532 X509 *x;
533 int ret;
534
535 x=d2i_X509(NULL,&d,(long)len);
536 if (x == NULL)
537 {
538 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_ASN1, ERR_R_ASN1_LIB);
539 return(0);
540 }
541
542 ret=SSL_CTX_use_certificate(ctx,x);
543 X509_free(x);
544 return(ret);
545 }
546
547#ifndef OPENSSL_NO_RSA
548int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
549 {
550 int ret;
551 EVP_PKEY *pkey;
552
553 if (rsa == NULL)
554 {
555 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_PASSED_NULL_PARAMETER);
556 return(0);
557 }
558 if (!ssl_cert_inst(&ctx->cert))
559 {
560 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
561 return(0);
562 }
563 if ((pkey=EVP_PKEY_new()) == NULL)
564 {
565 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_EVP_LIB);
566 return(0);
567 }
568
569 RSA_up_ref(rsa);
570 EVP_PKEY_assign_RSA(pkey,rsa);
571
572 ret=ssl_set_pkey(ctx->cert, pkey);
573 EVP_PKEY_free(pkey);
574 return(ret);
575 }
576
577#ifndef OPENSSL_NO_STDIO
578int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
579 {
580 int reason_code,ret=0;
581 BIO *in;
582 RSA *rsa=NULL;
583
584 in=BIO_new(BIO_s_file());
585 if (in == NULL)
586 {
587 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, ERR_R_BUF_LIB);
588 goto end;
589 }
590
591 if (BIO_read_filename(in,file) <= 0)
592 {
593 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, ERR_R_SYS_LIB);
594 goto end;
595 }
596 if (type == SSL_FILETYPE_ASN1)
597 {
598 reason_code=ERR_R_ASN1_LIB;
599 rsa=d2i_RSAPrivateKey_bio(in,NULL);
600 }
601 else if (type == SSL_FILETYPE_PEM)
602 {
603 reason_code=ERR_R_PEM_LIB;
604 rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
605 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
606 }
607 else
608 {
609 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, SSL_R_BAD_SSL_FILETYPE);
610 goto end;
611 }
612 if (rsa == NULL)
613 {
614 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file,reason_code);
615 goto end;
616 }
617 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
618 RSA_free(rsa);
619end:
620 if (in != NULL) BIO_free(in);
621 return(ret);
622 }
623#endif
624
625int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
626 {
627 int ret;
628 const unsigned char *p;
629 RSA *rsa;
630
631 p=d;
632 if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)
633 {
634 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_ASN1, ERR_R_ASN1_LIB);
635 return(0);
636 }
637
638 ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
639 RSA_free(rsa);
640 return(ret);
641 }
642#endif /* !OPENSSL_NO_RSA */
643
644int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
645 {
646 if (pkey == NULL)
647 {
648 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_PASSED_NULL_PARAMETER);
649 return(0);
650 }
651 if (!ssl_cert_inst(&ctx->cert))
652 {
653 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_MALLOC_FAILURE);
654 return(0);
655 }
656 return(ssl_set_pkey(ctx->cert,pkey));
657 }
658
659#ifndef OPENSSL_NO_STDIO
660int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
661 {
662 int reason_code,ret=0;
663 BIO *in;
664 EVP_PKEY *pkey=NULL;
665
666 in=BIO_new(BIO_s_file());
667 if (in == NULL)
668 {
669 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, ERR_R_BUF_LIB);
670 goto end;
671 }
672
673 if (BIO_read_filename(in,file) <= 0)
674 {
675 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, ERR_R_SYS_LIB);
676 goto end;
677 }
678 if (type == SSL_FILETYPE_PEM)
679 {
680 reason_code=ERR_R_PEM_LIB;
681 pkey=PEM_read_bio_PrivateKey(in,NULL,
682 ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
683 }
684 else if (type == SSL_FILETYPE_ASN1)
685 {
686 reason_code = ERR_R_ASN1_LIB;
687 pkey = d2i_PrivateKey_bio(in,NULL);
688 }
689 else
690 {
691 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, SSL_R_BAD_SSL_FILETYPE);
692 goto end;
693 }
694 if (pkey == NULL)
695 {
696 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file,reason_code);
697 goto end;
698 }
699 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
700 EVP_PKEY_free(pkey);
701end:
702 if (in != NULL) BIO_free(in);
703 return(ret);
704 }
705#endif
706
707int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
708 long len)
709 {
710 int ret;
711 const unsigned char *p;
712 EVP_PKEY *pkey;
713
714 p=d;
715 if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)
716 {
717 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_ASN1, ERR_R_ASN1_LIB);
718 return(0);
719 }
720
721 ret=SSL_CTX_use_PrivateKey(ctx,pkey);
722 EVP_PKEY_free(pkey);
723 return(ret);
724 }
725
726
727#ifndef OPENSSL_NO_STDIO
728/* Read a file that contains our certificate in "PEM" format,
729 * possibly followed by a sequence of CA certificates that should be
730 * sent to the peer in the Certificate message.
731 */
732int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
733 {
734 BIO *in;
735 int ret=0;
736 X509 *x=NULL;
737
738 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
739
740 in = BIO_new(BIO_s_file());
741 if (in == NULL)
742 {
743 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_BUF_LIB);
744 goto end;
745 }
746
747 if (BIO_read_filename(in,file) <= 0)
748 {
749 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_SYS_LIB);
750 goto end;
751 }
752
753 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
754 ctx->default_passwd_callback_userdata);
755 if (x == NULL)
756 {
757 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_PEM_LIB);
758 goto end;
759 }
760
761 ret = SSL_CTX_use_certificate(ctx, x);
762
763 if (ERR_peek_error() != 0)
764 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
765 if (ret)
766 {
767 /* If we could set up our certificate, now proceed to
768 * the CA certificates.
769 */
770 X509 *ca;
771 int r;
772 unsigned long err;
773
774 SSL_CTX_clear_chain_certs(ctx);
775
776 while ((ca = PEM_read_bio_X509(in, NULL,
777 ctx->default_passwd_callback,
778 ctx->default_passwd_callback_userdata))
779 != NULL)
780 {
781 r = SSL_CTX_add0_chain_cert(ctx, ca);
782 if (!r)
783 {
784 X509_free(ca);
785 ret = 0;
786 goto end;
787 }
788 /* Note that we must not free r if it was successfully
789 * added to the chain (while we must free the main
790 * certificate, since its reference count is increased
791 * by SSL_CTX_use_certificate). */
792 }
793 /* When the while loop ends, it's usually just EOF. */
794 err = ERR_peek_last_error();
795 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
796 ERR_clear_error();
797 else
798 ret = 0; /* some real error */
799 }
800
801end:
802 if (x != NULL) X509_free(x);
803 if (in != NULL) BIO_free(in);
804 return(ret);
805 }
806#endif
807
808#ifndef OPENSSL_NO_TLSEXT
809/* authz_validate returns true iff authz is well formed, i.e. that it meets the
810 * wire format as documented in the CERT_PKEY structure and that there are no
811 * duplicate entries. */
812static char authz_validate(const unsigned char *authz, size_t length)
813 {
814 unsigned char types_seen_bitmap[32];
815
816 if (!authz)
817 return 1;
818
819 memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap));
820
821 for (;;)
822 {
823 unsigned char type, byte, bit;
824 unsigned short len;
825
826 if (!length)
827 return 1;
828
829 type = *(authz++);
830 length--;
831
832 byte = type / 8;
833 bit = type & 7;
834 if (types_seen_bitmap[byte] & (1 << bit))
835 return 0;
836 types_seen_bitmap[byte] |= (1 << bit);
837
838 if (length < 2)
839 return 0;
840 len = ((unsigned short) authz[0]) << 8 |
841 ((unsigned short) authz[1]);
842 authz += 2;
843 length -= 2;
844
845 if (length < len)
846 return 0;
847
848 authz += len;
849 length -= len;
850 }
851 }
852
853static int serverinfo_find_extension(const unsigned char *serverinfo,
854 size_t serverinfo_length,
855 unsigned short extension_type,
856 const unsigned char **extension_data,
857 unsigned short *extension_length)
858 {
859 *extension_data = NULL;
860 *extension_length = 0;
861 if (serverinfo == NULL || serverinfo_length == 0)
862 return 0;
863 for (;;)
864 {
865 unsigned short type = 0; /* uint16 */
866 unsigned short len = 0; /* uint16 */
867
868 /* end of serverinfo */
869 if (serverinfo_length == 0)
870 return -1; /* Extension not found */
871
872 /* read 2-byte type field */
873 if (serverinfo_length < 2)
874 return 0; /* Error */
875 type = (serverinfo[0] << 8) + serverinfo[1];
876 serverinfo += 2;
877 serverinfo_length -= 2;
878
879 /* read 2-byte len field */
880 if (serverinfo_length < 2)
881 return 0; /* Error */
882 len = (serverinfo[0] << 8) + serverinfo[1];
883 serverinfo += 2;
884 serverinfo_length -= 2;
885
886 if (len > serverinfo_length)
887 return 0; /* Error */
888
889 if (type == extension_type)
890 {
891 *extension_data = serverinfo;
892 *extension_length = len;
893 return 1; /* Success */
894 }
895
896 serverinfo += len;
897 serverinfo_length -= len;
898 }
899 return 0; /* Error */
900 }
901
902static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type,
903 const unsigned char *in,
904 unsigned short inlen, int *al,
905 void *arg)
906 {
907 if (inlen != 0)
908 {
909 *al = SSL_AD_DECODE_ERROR;
910 return 0;
911 }
912 return 1;
913 }
914
915static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type,
916 const unsigned char **out, unsigned short *outlen,
917 void *arg)
918 {
919 const unsigned char *serverinfo = NULL;
920 size_t serverinfo_length = 0;
921
922 /* Is there serverinfo data for the chosen server cert? */
923 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
924 &serverinfo_length)) != 0)
925 {
926 /* Find the relevant extension from the serverinfo */
927 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
928 ext_type, out, outlen);
929 if (retval == 0)
930 return 0; /* Error */
931 if (retval == -1)
932 return -1; /* No extension found, don't send extension */
933 return 1; /* Send extension */
934 }
935 return -1; /* No serverinfo data found, don't send extension */
936 }
937
938/* With a NULL context, this function just checks that the serverinfo data
939 parses correctly. With a non-NULL context, it registers callbacks for
940 the included extensions. */
941static int serverinfo_process_buffer(const unsigned char *serverinfo,
942 size_t serverinfo_length, SSL_CTX *ctx)
943 {
944 if (serverinfo == NULL || serverinfo_length == 0)
945 return 0;
946 for (;;)
947 {
948 unsigned short ext_type = 0; /* uint16 */
949 unsigned short len = 0; /* uint16 */
950
951 /* end of serverinfo */
952 if (serverinfo_length == 0)
953 return 1;
954
955 /* read 2-byte type field */
956 if (serverinfo_length < 2)
957 return 0;
958 /* FIXME: check for types we understand explicitly? */
959
960 /* Register callbacks for extensions */
961 ext_type = (serverinfo[0] << 8) + serverinfo[1];
962 if (ctx && !SSL_CTX_set_custom_srv_ext(ctx, ext_type,
963 serverinfo_srv_first_cb,
964 serverinfo_srv_second_cb, NULL))
965 return 0;
966
967 serverinfo += 2;
968 serverinfo_length -= 2;
969
970 /* read 2-byte len field */
971 if (serverinfo_length < 2)
972 return 0;
973 len = (serverinfo[0] << 8) + serverinfo[1];
974 serverinfo += 2;
975 serverinfo_length -= 2;
976
977 if (len > serverinfo_length)
978 return 0;
979
980 serverinfo += len;
981 serverinfo_length -= len;
982 }
983 }
984
985static const unsigned char *authz_find_data(const unsigned char *authz,
986 size_t authz_length,
987 unsigned char data_type,
988 size_t *data_length)
989 {
990 if (authz == NULL) return NULL;
991 if (!authz_validate(authz, authz_length))
992 {
993 OPENSSL_PUT_ERROR(SSL, authz_find_data, SSL_R_INVALID_AUTHZ_DATA);
994 return NULL;
995 }
996
997 for (;;)
998 {
999 unsigned char type;
1000 unsigned short len;
1001 if (!authz_length)
1002 return NULL;
1003
1004 type = *(authz++);
1005 authz_length--;
1006
1007 /* We've validated the authz data, so we don't have to
1008 * check again that we have enough bytes left. */
1009 len = ((unsigned short) authz[0]) << 8 |
1010 ((unsigned short) authz[1]);
1011 authz += 2;
1012 authz_length -= 2;
1013 if (type == data_type)
1014 {
1015 *data_length = len;
1016 return authz;
1017 }
1018 authz += len;
1019 authz_length -= len;
1020 }
1021 /* No match */
1022 return NULL;
1023 }
1024
1025static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length)
1026 {
1027 CERT_PKEY *current_key = c->key;
1028 if (current_key == NULL)
1029 return 0;
1030 if (!authz_validate(authz, authz_length))
1031 {
1032 OPENSSL_PUT_ERROR(SSL, ssl_set_authz, SSL_R_INVALID_AUTHZ_DATA);
1033 return(0);
1034 }
1035 current_key->authz = OPENSSL_realloc(current_key->authz, authz_length);
1036 if (current_key->authz == NULL)
1037 {
1038 OPENSSL_PUT_ERROR(SSL, ssl_set_authz, ERR_R_MALLOC_FAILURE);
1039 return 0;
1040 }
1041 current_key->authz_length = authz_length;
1042 memcpy(current_key->authz, authz, authz_length);
1043 return 1;
1044 }
1045
1046int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz,
1047 size_t authz_length)
1048 {
1049 if (authz == NULL)
1050 {
1051 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_authz, ERR_R_PASSED_NULL_PARAMETER);
1052 return 0;
1053 }
1054 if (!ssl_cert_inst(&ctx->cert))
1055 {
1056 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_authz, ERR_R_MALLOC_FAILURE);
1057 return 0;
1058 }
1059 return ssl_set_authz(ctx->cert, authz, authz_length);
1060 }
1061
1062int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
1063 size_t serverinfo_length)
1064 {
1065 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)
1066 {
1067 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_PASSED_NULL_PARAMETER);
1068 return 0;
1069 }
1070 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
1071 {
1072 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);
1073 return 0;
1074 }
1075 if (!ssl_cert_inst(&ctx->cert))
1076 {
1077 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);
1078 return 0;
1079 }
1080 if (ctx->cert->key == NULL)
1081 {
1082 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_INTERNAL_ERROR);
1083 return 0;
1084 }
1085 ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
1086 serverinfo_length);
1087 if (ctx->cert->key->serverinfo == NULL)
1088 {
1089 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);
1090 return 0;
1091 }
1092 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
1093 ctx->cert->key->serverinfo_length = serverinfo_length;
1094
1095 /* Now that the serverinfo is validated and stored, go ahead and
1096 * register callbacks. */
1097 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
1098 {
1099 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);
1100 return 0;
1101 }
1102 return 1;
1103 }
1104
1105int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length)
1106 {
1107 if (authz == NULL)
1108 {
1109 OPENSSL_PUT_ERROR(SSL, SSL_use_authz, ERR_R_PASSED_NULL_PARAMETER);
1110 return 0;
1111 }
1112 if (!ssl_cert_inst(&ssl->cert))
1113 {
1114 OPENSSL_PUT_ERROR(SSL, SSL_use_authz, ERR_R_MALLOC_FAILURE);
1115 return 0;
1116 }
1117 return ssl_set_authz(ssl->cert, authz, authz_length);
1118 }
1119
1120const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type,
1121 size_t *data_length)
1122 {
1123 CERT_PKEY *current_key;
1124
1125 if (ctx->cert == NULL)
1126 return NULL;
1127 current_key = ctx->cert->key;
1128 if (current_key->authz == NULL)
1129 return NULL;
1130 return authz_find_data(current_key->authz,
1131 current_key->authz_length, type, data_length);
1132 }
1133
1134#ifndef OPENSSL_NO_STDIO
1135/* read_authz returns a newly allocated buffer with authz data */
1136static unsigned char *read_authz(const char *file, size_t *authz_length)
1137 {
1138 BIO *authz_in = NULL;
1139 unsigned char *authz = NULL;
1140 /* Allow authzs up to 64KB. */
1141 static const size_t authz_limit = 65536;
1142 size_t read_length;
1143 unsigned char *ret = NULL;
1144
1145 authz_in = BIO_new(BIO_s_file());
1146 if (authz_in == NULL)
1147 {
1148 OPENSSL_PUT_ERROR(SSL, read_authz, ERR_R_BUF_LIB);
1149 goto end;
1150 }
1151
1152 if (BIO_read_filename(authz_in,file) <= 0)
1153 {
1154 OPENSSL_PUT_ERROR(SSL, read_authz, ERR_R_SYS_LIB);
1155 goto end;
1156 }
1157
1158 authz = OPENSSL_malloc(authz_limit);
1159 read_length = BIO_read(authz_in, authz, authz_limit);
1160 if (read_length == authz_limit || read_length <= 0)
1161 {
1162 OPENSSL_PUT_ERROR(SSL, read_authz, SSL_R_AUTHZ_DATA_TOO_LARGE);
1163 OPENSSL_free(authz);
1164 goto end;
1165 }
1166 *authz_length = read_length;
1167 ret = authz;
1168end:
1169 if (authz_in != NULL) BIO_free(authz_in);
1170 return ret;
1171 }
1172
1173int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file)
1174 {
1175 unsigned char *authz = NULL;
1176 size_t authz_length = 0;
1177 int ret;
1178
1179 authz = read_authz(file, &authz_length);
1180 if (authz == NULL)
1181 return 0;
1182
1183 ret = SSL_CTX_use_authz(ctx, authz, authz_length);
1184 /* SSL_CTX_use_authz makes a local copy of the authz. */
1185 OPENSSL_free(authz);
1186 return ret;
1187 }
1188
1189int SSL_use_authz_file(SSL *ssl, const char *file)
1190 {
1191 unsigned char *authz = NULL;
1192 size_t authz_length = 0;
1193 int ret;
1194
1195 authz = read_authz(file, &authz_length);
1196 if (authz == NULL)
1197 return 0;
1198
1199 ret = SSL_use_authz(ssl, authz, authz_length);
1200 /* SSL_use_authz makes a local copy of the authz. */
1201 OPENSSL_free(authz);
1202 return ret;
1203 }
1204
1205int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
1206 {
1207 unsigned char *serverinfo = NULL;
1208 size_t serverinfo_length = 0;
1209 unsigned char* extension = 0;
1210 long extension_length = 0;
1211 char* name = NULL;
1212 char* header = NULL;
1213 char namePrefix[] = "SERVERINFO FOR ";
1214 int ret = 0;
1215 BIO *bin = NULL;
1216 size_t num_extensions = 0;
1217
1218 if (ctx == NULL || file == NULL)
1219 {
1220 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_PASSED_NULL_PARAMETER);
1221 goto end;
1222 }
1223
1224 bin = BIO_new(BIO_s_file());
1225 if (bin == NULL)
1226 {
1227 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_BUF_LIB);
1228 goto end;
1229 }
1230 if (BIO_read_filename(bin, file) <= 0)
1231 {
1232 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_SYS_LIB);
1233 goto end;
1234 }
1235
1236 for (num_extensions=0;; num_extensions++)
1237 {
1238 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0)
1239 {
1240 /* There must be at least one extension in this file */
1241 if (num_extensions == 0)
1242 {
1243 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_NO_PEM_EXTENSIONS);
1244 goto end;
1245 }
1246 else /* End of file, we're done */
1247 break;
1248 }
1249 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
1250 if (strlen(name) < strlen(namePrefix))
1251 {
1252 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_TOO_SHORT);
1253 goto end;
1254 }
1255 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
1256 {
1257 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_BAD_PREFIX);
1258 goto end;
1259 }
1260 /* Check that the decoded PEM data is plausible (valid length field) */
1261 if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
1262 {
1263 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_BAD_DATA);
1264 goto end;
1265 }
1266 /* Append the decoded extension to the serverinfo buffer */
1267 serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
1268 if (serverinfo == NULL)
1269 {
1270 OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_MALLOC_FAILURE);
1271 goto end;
1272 }
1273 memcpy(serverinfo + serverinfo_length, extension, extension_length);
1274 serverinfo_length += extension_length;
1275
1276 OPENSSL_free(name); name = NULL;
1277 OPENSSL_free(header); header = NULL;
1278 OPENSSL_free(extension); extension = NULL;
1279 }
1280
1281 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
1282end:
1283 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
1284 OPENSSL_free(name);
1285 OPENSSL_free(header);
1286 OPENSSL_free(extension);
1287 OPENSSL_free(serverinfo);
1288 if (bin != NULL)
1289 BIO_free(bin);
1290 return ret;
1291 }
1292#endif /* OPENSSL_NO_STDIO */
1293#endif /* OPENSSL_NO_TLSEXT */