1 |
|
|
/* $OpenBSD: ssl_rsa.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */ |
2 |
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 |
|
|
* All rights reserved. |
4 |
|
|
* |
5 |
|
|
* This package is an SSL implementation written |
6 |
|
|
* by Eric Young (eay@cryptsoft.com). |
7 |
|
|
* The implementation was written so as to conform with Netscapes SSL. |
8 |
|
|
* |
9 |
|
|
* This library is free for commercial and non-commercial use as long as |
10 |
|
|
* the following conditions are aheared to. The following conditions |
11 |
|
|
* apply to all code found in this distribution, be it the RC4, RSA, |
12 |
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 |
|
|
* included with this distribution is covered by the same copyright terms |
14 |
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 |
|
|
* |
16 |
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in |
17 |
|
|
* the code are not to be removed. |
18 |
|
|
* If this package is used in a product, Eric Young should be given attribution |
19 |
|
|
* as the author of the parts of the library used. |
20 |
|
|
* This can be in the form of a textual message at program startup or |
21 |
|
|
* in documentation (online or textual) provided with the package. |
22 |
|
|
* |
23 |
|
|
* Redistribution and use in source and binary forms, with or without |
24 |
|
|
* modification, are permitted provided that the following conditions |
25 |
|
|
* are met: |
26 |
|
|
* 1. Redistributions of source code must retain the copyright |
27 |
|
|
* notice, this list of conditions and the following disclaimer. |
28 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
29 |
|
|
* notice, this list of conditions and the following disclaimer in the |
30 |
|
|
* documentation and/or other materials provided with the distribution. |
31 |
|
|
* 3. All advertising materials mentioning features or use of this software |
32 |
|
|
* must display the following acknowledgement: |
33 |
|
|
* "This product includes cryptographic software written by |
34 |
|
|
* Eric Young (eay@cryptsoft.com)" |
35 |
|
|
* The word 'cryptographic' can be left out if the rouines from the library |
36 |
|
|
* being used are not cryptographic related :-). |
37 |
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from |
38 |
|
|
* the apps directory (application code) you must include an acknowledgement: |
39 |
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 |
|
|
* |
41 |
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 |
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 |
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 |
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 |
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 |
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 |
|
|
* SUCH DAMAGE. |
52 |
|
|
* |
53 |
|
|
* The licence and distribution terms for any publically available version or |
54 |
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be |
55 |
|
|
* copied and put under another distribution licence |
56 |
|
|
* [including the GNU Public Licence.] |
57 |
|
|
*/ |
58 |
|
|
|
59 |
|
|
#include <stdio.h> |
60 |
|
|
|
61 |
|
|
#include "ssl_locl.h" |
62 |
|
|
|
63 |
|
|
#include <openssl/bio.h> |
64 |
|
|
#include <openssl/evp.h> |
65 |
|
|
#include <openssl/objects.h> |
66 |
|
|
#include <openssl/pem.h> |
67 |
|
|
#include <openssl/x509.h> |
68 |
|
|
|
69 |
|
|
static int ssl_set_cert(CERT *c, X509 *x509); |
70 |
|
|
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); |
71 |
|
|
static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *); |
72 |
|
|
|
73 |
|
|
int |
74 |
|
|
SSL_use_certificate(SSL *ssl, X509 *x) |
75 |
|
|
{ |
76 |
|
|
if (x == NULL) { |
77 |
|
|
SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); |
78 |
|
|
return (0); |
79 |
|
|
} |
80 |
|
|
if (!ssl_cert_inst(&ssl->cert)) { |
81 |
|
|
SSLerror(ssl, ERR_R_MALLOC_FAILURE); |
82 |
|
|
return (0); |
83 |
|
|
} |
84 |
|
|
return (ssl_set_cert(ssl->cert, x)); |
85 |
|
|
} |
86 |
|
|
|
87 |
|
|
int |
88 |
|
|
SSL_use_certificate_file(SSL *ssl, const char *file, int type) |
89 |
|
|
{ |
90 |
|
|
int j; |
91 |
|
|
BIO *in; |
92 |
|
|
int ret = 0; |
93 |
|
|
X509 *x = NULL; |
94 |
|
|
|
95 |
|
|
in = BIO_new(BIO_s_file_internal()); |
96 |
|
|
if (in == NULL) { |
97 |
|
|
SSLerror(ssl, ERR_R_BUF_LIB); |
98 |
|
|
goto end; |
99 |
|
|
} |
100 |
|
|
|
101 |
|
|
if (BIO_read_filename(in, file) <= 0) { |
102 |
|
|
SSLerror(ssl, ERR_R_SYS_LIB); |
103 |
|
|
goto end; |
104 |
|
|
} |
105 |
|
|
if (type == SSL_FILETYPE_ASN1) { |
106 |
|
|
j = ERR_R_ASN1_LIB; |
107 |
|
|
x = d2i_X509_bio(in, NULL); |
108 |
|
|
} else if (type == SSL_FILETYPE_PEM) { |
109 |
|
|
j = ERR_R_PEM_LIB; |
110 |
|
|
x = PEM_read_bio_X509(in, NULL, |
111 |
|
|
ssl->ctx->default_passwd_callback, |
112 |
|
|
ssl->ctx->default_passwd_callback_userdata); |
113 |
|
|
} else { |
114 |
|
|
SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); |
115 |
|
|
goto end; |
116 |
|
|
} |
117 |
|
|
|
118 |
|
|
if (x == NULL) { |
119 |
|
|
SSLerror(ssl, j); |
120 |
|
|
goto end; |
121 |
|
|
} |
122 |
|
|
|
123 |
|
|
ret = SSL_use_certificate(ssl, x); |
124 |
|
|
end: |
125 |
|
|
X509_free(x); |
126 |
|
|
BIO_free(in); |
127 |
|
|
return (ret); |
128 |
|
|
} |
129 |
|
|
|
130 |
|
|
int |
131 |
|
|
SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) |
132 |
|
|
{ |
133 |
|
|
X509 *x; |
134 |
|
|
int ret; |
135 |
|
|
|
136 |
|
|
x = d2i_X509(NULL, &d,(long)len); |
137 |
|
|
if (x == NULL) { |
138 |
|
|
SSLerror(ssl, ERR_R_ASN1_LIB); |
139 |
|
|
return (0); |
140 |
|
|
} |
141 |
|
|
|
142 |
|
|
ret = SSL_use_certificate(ssl, x); |
143 |
|
|
X509_free(x); |
144 |
|
|
return (ret); |
145 |
|
|
} |
146 |
|
|
|
147 |
|
|
int |
148 |
|
|
SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) |
149 |
|
|
{ |
150 |
|
|
EVP_PKEY *pkey; |
151 |
|
|
int ret; |
152 |
|
|
|
153 |
|
|
if (rsa == NULL) { |
154 |
|
|
SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); |
155 |
|
|
return (0); |
156 |
|
|
} |
157 |
|
|
if (!ssl_cert_inst(&ssl->cert)) { |
158 |
|
|
SSLerror(ssl, ERR_R_MALLOC_FAILURE); |
159 |
|
|
return (0); |
160 |
|
|
} |
161 |
|
|
if ((pkey = EVP_PKEY_new()) == NULL) { |
162 |
|
|
SSLerror(ssl, ERR_R_EVP_LIB); |
163 |
|
|
return (0); |
164 |
|
|
} |
165 |
|
|
|
166 |
|
|
RSA_up_ref(rsa); |
167 |
|
|
EVP_PKEY_assign_RSA(pkey, rsa); |
168 |
|
|
|
169 |
|
|
ret = ssl_set_pkey(ssl->cert, pkey); |
170 |
|
|
EVP_PKEY_free(pkey); |
171 |
|
|
return (ret); |
172 |
|
|
} |
173 |
|
|
|
174 |
|
|
static int |
175 |
|
|
ssl_set_pkey(CERT *c, EVP_PKEY *pkey) |
176 |
|
|
{ |
177 |
|
|
int i; |
178 |
|
|
|
179 |
|
724 |
i = ssl_cert_type(NULL, pkey); |
180 |
✗✓ |
362 |
if (i < 0) { |
181 |
|
|
SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
182 |
|
|
return (0); |
183 |
|
|
} |
184 |
|
|
|
185 |
✓✗ |
362 |
if (c->pkeys[i].x509 != NULL) { |
186 |
|
|
EVP_PKEY *pktmp; |
187 |
|
362 |
pktmp = X509_get_pubkey(c->pkeys[i].x509); |
188 |
|
362 |
EVP_PKEY_copy_parameters(pktmp, pkey); |
189 |
|
362 |
EVP_PKEY_free(pktmp); |
190 |
|
362 |
ERR_clear_error(); |
191 |
|
|
|
192 |
|
|
/* |
193 |
|
|
* Don't check the public/private key, this is mostly |
194 |
|
|
* for smart cards. |
195 |
|
|
*/ |
196 |
✓✗✓✗
|
724 |
if ((pkey->type == EVP_PKEY_RSA) && |
197 |
|
362 |
(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) |
198 |
|
|
; |
199 |
|
|
else |
200 |
✗✓ |
362 |
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { |
201 |
|
|
X509_free(c->pkeys[i].x509); |
202 |
|
|
c->pkeys[i].x509 = NULL; |
203 |
|
|
return 0; |
204 |
|
|
} |
205 |
✓✗ |
362 |
} |
206 |
|
|
|
207 |
|
362 |
EVP_PKEY_free(c->pkeys[i].privatekey); |
208 |
|
362 |
CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); |
209 |
|
362 |
c->pkeys[i].privatekey = pkey; |
210 |
|
362 |
c->key = &(c->pkeys[i]); |
211 |
|
|
|
212 |
|
362 |
c->valid = 0; |
213 |
|
362 |
return (1); |
214 |
|
362 |
} |
215 |
|
|
|
216 |
|
|
int |
217 |
|
|
SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) |
218 |
|
|
{ |
219 |
|
|
int j, ret = 0; |
220 |
|
|
BIO *in; |
221 |
|
|
RSA *rsa = NULL; |
222 |
|
|
|
223 |
|
|
in = BIO_new(BIO_s_file_internal()); |
224 |
|
|
if (in == NULL) { |
225 |
|
|
SSLerror(ssl, ERR_R_BUF_LIB); |
226 |
|
|
goto end; |
227 |
|
|
} |
228 |
|
|
|
229 |
|
|
if (BIO_read_filename(in, file) <= 0) { |
230 |
|
|
SSLerror(ssl, ERR_R_SYS_LIB); |
231 |
|
|
goto end; |
232 |
|
|
} |
233 |
|
|
if (type == SSL_FILETYPE_ASN1) { |
234 |
|
|
j = ERR_R_ASN1_LIB; |
235 |
|
|
rsa = d2i_RSAPrivateKey_bio(in, NULL); |
236 |
|
|
} else if (type == SSL_FILETYPE_PEM) { |
237 |
|
|
j = ERR_R_PEM_LIB; |
238 |
|
|
rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
239 |
|
|
ssl->ctx->default_passwd_callback, |
240 |
|
|
ssl->ctx->default_passwd_callback_userdata); |
241 |
|
|
} else { |
242 |
|
|
SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); |
243 |
|
|
goto end; |
244 |
|
|
} |
245 |
|
|
if (rsa == NULL) { |
246 |
|
|
SSLerror(ssl, j); |
247 |
|
|
goto end; |
248 |
|
|
} |
249 |
|
|
ret = SSL_use_RSAPrivateKey(ssl, rsa); |
250 |
|
|
RSA_free(rsa); |
251 |
|
|
end: |
252 |
|
|
BIO_free(in); |
253 |
|
|
return (ret); |
254 |
|
|
} |
255 |
|
|
|
256 |
|
|
int |
257 |
|
|
SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) |
258 |
|
|
{ |
259 |
|
|
int ret; |
260 |
|
|
const unsigned char *p; |
261 |
|
|
RSA *rsa; |
262 |
|
|
|
263 |
|
|
p = d; |
264 |
|
|
if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { |
265 |
|
|
SSLerror(ssl, ERR_R_ASN1_LIB); |
266 |
|
|
return (0); |
267 |
|
|
} |
268 |
|
|
|
269 |
|
|
ret = SSL_use_RSAPrivateKey(ssl, rsa); |
270 |
|
|
RSA_free(rsa); |
271 |
|
|
return (ret); |
272 |
|
|
} |
273 |
|
|
|
274 |
|
|
int |
275 |
|
|
SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) |
276 |
|
|
{ |
277 |
|
|
int ret; |
278 |
|
|
|
279 |
|
|
if (pkey == NULL) { |
280 |
|
|
SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); |
281 |
|
|
return (0); |
282 |
|
|
} |
283 |
|
|
if (!ssl_cert_inst(&ssl->cert)) { |
284 |
|
|
SSLerror(ssl, ERR_R_MALLOC_FAILURE); |
285 |
|
|
return (0); |
286 |
|
|
} |
287 |
|
|
ret = ssl_set_pkey(ssl->cert, pkey); |
288 |
|
|
return (ret); |
289 |
|
|
} |
290 |
|
|
|
291 |
|
|
int |
292 |
|
|
SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) |
293 |
|
|
{ |
294 |
|
|
int j, ret = 0; |
295 |
|
|
BIO *in; |
296 |
|
|
EVP_PKEY *pkey = NULL; |
297 |
|
|
|
298 |
|
|
in = BIO_new(BIO_s_file_internal()); |
299 |
|
|
if (in == NULL) { |
300 |
|
|
SSLerror(ssl, ERR_R_BUF_LIB); |
301 |
|
|
goto end; |
302 |
|
|
} |
303 |
|
|
|
304 |
|
|
if (BIO_read_filename(in, file) <= 0) { |
305 |
|
|
SSLerror(ssl, ERR_R_SYS_LIB); |
306 |
|
|
goto end; |
307 |
|
|
} |
308 |
|
|
if (type == SSL_FILETYPE_PEM) { |
309 |
|
|
j = ERR_R_PEM_LIB; |
310 |
|
|
pkey = PEM_read_bio_PrivateKey(in, NULL, |
311 |
|
|
ssl->ctx->default_passwd_callback, |
312 |
|
|
ssl->ctx->default_passwd_callback_userdata); |
313 |
|
|
} else if (type == SSL_FILETYPE_ASN1) { |
314 |
|
|
j = ERR_R_ASN1_LIB; |
315 |
|
|
pkey = d2i_PrivateKey_bio(in, NULL); |
316 |
|
|
} else { |
317 |
|
|
SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE); |
318 |
|
|
goto end; |
319 |
|
|
} |
320 |
|
|
if (pkey == NULL) { |
321 |
|
|
SSLerror(ssl, j); |
322 |
|
|
goto end; |
323 |
|
|
} |
324 |
|
|
ret = SSL_use_PrivateKey(ssl, pkey); |
325 |
|
|
EVP_PKEY_free(pkey); |
326 |
|
|
end: |
327 |
|
|
BIO_free(in); |
328 |
|
|
return (ret); |
329 |
|
|
} |
330 |
|
|
|
331 |
|
|
int |
332 |
|
|
SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) |
333 |
|
|
{ |
334 |
|
|
int ret; |
335 |
|
|
const unsigned char *p; |
336 |
|
|
EVP_PKEY *pkey; |
337 |
|
|
|
338 |
|
|
p = d; |
339 |
|
|
if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { |
340 |
|
|
SSLerror(ssl, ERR_R_ASN1_LIB); |
341 |
|
|
return (0); |
342 |
|
|
} |
343 |
|
|
|
344 |
|
|
ret = SSL_use_PrivateKey(ssl, pkey); |
345 |
|
|
EVP_PKEY_free(pkey); |
346 |
|
|
return (ret); |
347 |
|
|
} |
348 |
|
|
|
349 |
|
|
int |
350 |
|
|
SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) |
351 |
|
|
{ |
352 |
✗✓ |
724 |
if (x == NULL) { |
353 |
|
|
SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); |
354 |
|
|
return (0); |
355 |
|
|
} |
356 |
✗✓ |
362 |
if (!ssl_cert_inst(&ctx->internal->cert)) { |
357 |
|
|
SSLerrorx(ERR_R_MALLOC_FAILURE); |
358 |
|
|
return (0); |
359 |
|
|
} |
360 |
|
362 |
return (ssl_set_cert(ctx->internal->cert, x)); |
361 |
|
362 |
} |
362 |
|
|
|
363 |
|
|
static int |
364 |
|
|
ssl_set_cert(CERT *c, X509 *x) |
365 |
|
|
{ |
366 |
|
|
EVP_PKEY *pkey; |
367 |
|
|
int i; |
368 |
|
|
|
369 |
|
724 |
pkey = X509_get_pubkey(x); |
370 |
✗✓ |
362 |
if (pkey == NULL) { |
371 |
|
|
SSLerrorx(SSL_R_X509_LIB); |
372 |
|
|
return (0); |
373 |
|
|
} |
374 |
|
|
|
375 |
|
362 |
i = ssl_cert_type(x, pkey); |
376 |
✗✓ |
362 |
if (i < 0) { |
377 |
|
|
SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
378 |
|
|
EVP_PKEY_free(pkey); |
379 |
|
|
return (0); |
380 |
|
|
} |
381 |
|
|
|
382 |
✗✓ |
362 |
if (c->pkeys[i].privatekey != NULL) { |
383 |
|
|
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); |
384 |
|
|
ERR_clear_error(); |
385 |
|
|
|
386 |
|
|
/* |
387 |
|
|
* Don't check the public/private key, this is mostly |
388 |
|
|
* for smart cards. |
389 |
|
|
*/ |
390 |
|
|
if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && |
391 |
|
|
(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & |
392 |
|
|
RSA_METHOD_FLAG_NO_CHECK)) |
393 |
|
|
; |
394 |
|
|
else |
395 |
|
|
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { |
396 |
|
|
/* |
397 |
|
|
* don't fail for a cert/key mismatch, just free |
398 |
|
|
* current private key (when switching to a different |
399 |
|
|
* cert & key, first this function should be used, |
400 |
|
|
* then ssl_set_pkey |
401 |
|
|
*/ |
402 |
|
|
EVP_PKEY_free(c->pkeys[i].privatekey); |
403 |
|
|
c->pkeys[i].privatekey = NULL; |
404 |
|
|
/* clear error queue */ |
405 |
|
|
ERR_clear_error(); |
406 |
|
|
} |
407 |
|
|
} |
408 |
|
|
|
409 |
|
362 |
EVP_PKEY_free(pkey); |
410 |
|
|
|
411 |
|
362 |
X509_free(c->pkeys[i].x509); |
412 |
|
362 |
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
413 |
|
362 |
c->pkeys[i].x509 = x; |
414 |
|
362 |
c->key = &(c->pkeys[i]); |
415 |
|
|
|
416 |
|
362 |
c->valid = 0; |
417 |
|
362 |
return (1); |
418 |
|
362 |
} |
419 |
|
|
|
420 |
|
|
int |
421 |
|
|
SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) |
422 |
|
|
{ |
423 |
|
|
int j; |
424 |
|
|
BIO *in; |
425 |
|
|
int ret = 0; |
426 |
|
|
X509 *x = NULL; |
427 |
|
|
|
428 |
|
480 |
in = BIO_new(BIO_s_file_internal()); |
429 |
✗✓ |
240 |
if (in == NULL) { |
430 |
|
|
SSLerrorx(ERR_R_BUF_LIB); |
431 |
|
|
goto end; |
432 |
|
|
} |
433 |
|
|
|
434 |
✗✓ |
240 |
if (BIO_read_filename(in, file) <= 0) { |
435 |
|
|
SSLerrorx(ERR_R_SYS_LIB); |
436 |
|
|
goto end; |
437 |
|
|
} |
438 |
✗✓ |
240 |
if (type == SSL_FILETYPE_ASN1) { |
439 |
|
|
j = ERR_R_ASN1_LIB; |
440 |
|
|
x = d2i_X509_bio(in, NULL); |
441 |
✓✗ |
240 |
} else if (type == SSL_FILETYPE_PEM) { |
442 |
|
|
j = ERR_R_PEM_LIB; |
443 |
|
480 |
x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, |
444 |
|
240 |
ctx->default_passwd_callback_userdata); |
445 |
|
|
} else { |
446 |
|
|
SSLerrorx(SSL_R_BAD_SSL_FILETYPE); |
447 |
|
|
goto end; |
448 |
|
|
} |
449 |
|
|
|
450 |
✗✓ |
240 |
if (x == NULL) { |
451 |
|
|
SSLerrorx(j); |
452 |
|
|
goto end; |
453 |
|
|
} |
454 |
|
|
|
455 |
|
240 |
ret = SSL_CTX_use_certificate(ctx, x); |
456 |
|
|
end: |
457 |
|
240 |
X509_free(x); |
458 |
|
240 |
BIO_free(in); |
459 |
|
240 |
return (ret); |
460 |
|
|
} |
461 |
|
|
|
462 |
|
|
int |
463 |
|
|
SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) |
464 |
|
|
{ |
465 |
|
|
X509 *x; |
466 |
|
|
int ret; |
467 |
|
|
|
468 |
|
|
x = d2i_X509(NULL, &d,(long)len); |
469 |
|
|
if (x == NULL) { |
470 |
|
|
SSLerrorx(ERR_R_ASN1_LIB); |
471 |
|
|
return (0); |
472 |
|
|
} |
473 |
|
|
|
474 |
|
|
ret = SSL_CTX_use_certificate(ctx, x); |
475 |
|
|
X509_free(x); |
476 |
|
|
return (ret); |
477 |
|
|
} |
478 |
|
|
|
479 |
|
|
int |
480 |
|
|
SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) |
481 |
|
|
{ |
482 |
|
|
int ret; |
483 |
|
|
EVP_PKEY *pkey; |
484 |
|
|
|
485 |
|
|
if (rsa == NULL) { |
486 |
|
|
SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); |
487 |
|
|
return (0); |
488 |
|
|
} |
489 |
|
|
if (!ssl_cert_inst(&ctx->internal->cert)) { |
490 |
|
|
SSLerrorx(ERR_R_MALLOC_FAILURE); |
491 |
|
|
return (0); |
492 |
|
|
} |
493 |
|
|
if ((pkey = EVP_PKEY_new()) == NULL) { |
494 |
|
|
SSLerrorx(ERR_R_EVP_LIB); |
495 |
|
|
return (0); |
496 |
|
|
} |
497 |
|
|
|
498 |
|
|
RSA_up_ref(rsa); |
499 |
|
|
EVP_PKEY_assign_RSA(pkey, rsa); |
500 |
|
|
|
501 |
|
|
ret = ssl_set_pkey(ctx->internal->cert, pkey); |
502 |
|
|
EVP_PKEY_free(pkey); |
503 |
|
|
return (ret); |
504 |
|
|
} |
505 |
|
|
|
506 |
|
|
int |
507 |
|
|
SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) |
508 |
|
|
{ |
509 |
|
|
int j, ret = 0; |
510 |
|
|
BIO *in; |
511 |
|
|
RSA *rsa = NULL; |
512 |
|
|
|
513 |
|
|
in = BIO_new(BIO_s_file_internal()); |
514 |
|
|
if (in == NULL) { |
515 |
|
|
SSLerrorx(ERR_R_BUF_LIB); |
516 |
|
|
goto end; |
517 |
|
|
} |
518 |
|
|
|
519 |
|
|
if (BIO_read_filename(in, file) <= 0) { |
520 |
|
|
SSLerrorx(ERR_R_SYS_LIB); |
521 |
|
|
goto end; |
522 |
|
|
} |
523 |
|
|
if (type == SSL_FILETYPE_ASN1) { |
524 |
|
|
j = ERR_R_ASN1_LIB; |
525 |
|
|
rsa = d2i_RSAPrivateKey_bio(in, NULL); |
526 |
|
|
} else if (type == SSL_FILETYPE_PEM) { |
527 |
|
|
j = ERR_R_PEM_LIB; |
528 |
|
|
rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
529 |
|
|
ctx->default_passwd_callback, |
530 |
|
|
ctx->default_passwd_callback_userdata); |
531 |
|
|
} else { |
532 |
|
|
SSLerrorx(SSL_R_BAD_SSL_FILETYPE); |
533 |
|
|
goto end; |
534 |
|
|
} |
535 |
|
|
if (rsa == NULL) { |
536 |
|
|
SSLerrorx(j); |
537 |
|
|
goto end; |
538 |
|
|
} |
539 |
|
|
ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); |
540 |
|
|
RSA_free(rsa); |
541 |
|
|
end: |
542 |
|
|
BIO_free(in); |
543 |
|
|
return (ret); |
544 |
|
|
} |
545 |
|
|
|
546 |
|
|
int |
547 |
|
|
SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) |
548 |
|
|
{ |
549 |
|
|
int ret; |
550 |
|
|
const unsigned char *p; |
551 |
|
|
RSA *rsa; |
552 |
|
|
|
553 |
|
|
p = d; |
554 |
|
|
if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { |
555 |
|
|
SSLerrorx(ERR_R_ASN1_LIB); |
556 |
|
|
return (0); |
557 |
|
|
} |
558 |
|
|
|
559 |
|
|
ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); |
560 |
|
|
RSA_free(rsa); |
561 |
|
|
return (ret); |
562 |
|
|
} |
563 |
|
|
|
564 |
|
|
int |
565 |
|
|
SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) |
566 |
|
|
{ |
567 |
✗✓ |
724 |
if (pkey == NULL) { |
568 |
|
|
SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); |
569 |
|
|
return (0); |
570 |
|
|
} |
571 |
✗✓ |
362 |
if (!ssl_cert_inst(&ctx->internal->cert)) { |
572 |
|
|
SSLerrorx(ERR_R_MALLOC_FAILURE); |
573 |
|
|
return (0); |
574 |
|
|
} |
575 |
|
362 |
return (ssl_set_pkey(ctx->internal->cert, pkey)); |
576 |
|
362 |
} |
577 |
|
|
|
578 |
|
|
int |
579 |
|
|
SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) |
580 |
|
|
{ |
581 |
|
|
int j, ret = 0; |
582 |
|
|
BIO *in; |
583 |
|
|
EVP_PKEY *pkey = NULL; |
584 |
|
|
|
585 |
|
692 |
in = BIO_new(BIO_s_file_internal()); |
586 |
✗✓ |
346 |
if (in == NULL) { |
587 |
|
|
SSLerrorx(ERR_R_BUF_LIB); |
588 |
|
|
goto end; |
589 |
|
|
} |
590 |
|
|
|
591 |
✗✓ |
346 |
if (BIO_read_filename(in, file) <= 0) { |
592 |
|
|
SSLerrorx(ERR_R_SYS_LIB); |
593 |
|
|
goto end; |
594 |
|
|
} |
595 |
✓✗ |
346 |
if (type == SSL_FILETYPE_PEM) { |
596 |
|
|
j = ERR_R_PEM_LIB; |
597 |
|
346 |
pkey = PEM_read_bio_PrivateKey(in, NULL, |
598 |
|
346 |
ctx->default_passwd_callback, |
599 |
|
346 |
ctx->default_passwd_callback_userdata); |
600 |
✗✗ |
346 |
} else if (type == SSL_FILETYPE_ASN1) { |
601 |
|
|
j = ERR_R_ASN1_LIB; |
602 |
|
|
pkey = d2i_PrivateKey_bio(in, NULL); |
603 |
|
|
} else { |
604 |
|
|
SSLerrorx(SSL_R_BAD_SSL_FILETYPE); |
605 |
|
|
goto end; |
606 |
|
|
} |
607 |
✗✓ |
346 |
if (pkey == NULL) { |
608 |
|
|
SSLerrorx(j); |
609 |
|
|
goto end; |
610 |
|
|
} |
611 |
|
346 |
ret = SSL_CTX_use_PrivateKey(ctx, pkey); |
612 |
|
346 |
EVP_PKEY_free(pkey); |
613 |
|
|
end: |
614 |
|
346 |
BIO_free(in); |
615 |
|
346 |
return (ret); |
616 |
|
|
} |
617 |
|
|
|
618 |
|
|
int |
619 |
|
|
SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, |
620 |
|
|
long len) |
621 |
|
|
{ |
622 |
|
|
int ret; |
623 |
|
|
const unsigned char *p; |
624 |
|
|
EVP_PKEY *pkey; |
625 |
|
|
|
626 |
|
|
p = d; |
627 |
|
|
if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { |
628 |
|
|
SSLerrorx(ERR_R_ASN1_LIB); |
629 |
|
|
return (0); |
630 |
|
|
} |
631 |
|
|
|
632 |
|
|
ret = SSL_CTX_use_PrivateKey(ctx, pkey); |
633 |
|
|
EVP_PKEY_free(pkey); |
634 |
|
|
return (ret); |
635 |
|
|
} |
636 |
|
|
|
637 |
|
|
|
638 |
|
|
/* |
639 |
|
|
* Read a bio that contains our certificate in "PEM" format, |
640 |
|
|
* possibly followed by a sequence of CA certificates that should be |
641 |
|
|
* sent to the peer in the Certificate message. |
642 |
|
|
*/ |
643 |
|
|
static int |
644 |
|
|
ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) |
645 |
|
|
{ |
646 |
|
|
int ret = 0; |
647 |
|
|
X509 *x = NULL; |
648 |
|
|
|
649 |
|
244 |
ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ |
650 |
|
|
|
651 |
|
244 |
x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, |
652 |
|
122 |
ctx->default_passwd_callback_userdata); |
653 |
✗✓ |
122 |
if (x == NULL) { |
654 |
|
|
SSLerrorx(ERR_R_PEM_LIB); |
655 |
|
|
goto end; |
656 |
|
|
} |
657 |
|
|
|
658 |
|
122 |
ret = SSL_CTX_use_certificate(ctx, x); |
659 |
|
|
|
660 |
✗✓ |
122 |
if (ERR_peek_error() != 0) |
661 |
|
|
ret = 0; |
662 |
|
|
/* Key/certificate mismatch doesn't imply ret==0 ... */ |
663 |
✓✗ |
122 |
if (ret) { |
664 |
|
|
/* |
665 |
|
|
* If we could set up our certificate, now proceed to |
666 |
|
|
* the CA certificates. |
667 |
|
|
*/ |
668 |
|
|
X509 *ca; |
669 |
|
|
int r; |
670 |
|
|
unsigned long err; |
671 |
|
|
|
672 |
|
122 |
sk_X509_pop_free(ctx->extra_certs, X509_free); |
673 |
|
122 |
ctx->extra_certs = NULL; |
674 |
|
|
|
675 |
✗✓ |
366 |
while ((ca = PEM_read_bio_X509(in, NULL, |
676 |
|
122 |
ctx->default_passwd_callback, |
677 |
|
244 |
ctx->default_passwd_callback_userdata)) != NULL) { |
678 |
|
|
r = SSL_CTX_add_extra_chain_cert(ctx, ca); |
679 |
|
|
if (!r) { |
680 |
|
|
X509_free(ca); |
681 |
|
|
ret = 0; |
682 |
|
|
goto end; |
683 |
|
|
} |
684 |
|
|
/* |
685 |
|
|
* Note that we must not free r if it was successfully |
686 |
|
|
* added to the chain (while we must free the main |
687 |
|
|
* certificate, since its reference count is increased |
688 |
|
|
* by SSL_CTX_use_certificate). |
689 |
|
|
*/ |
690 |
|
|
} |
691 |
|
|
|
692 |
|
|
/* When the while loop ends, it's usually just EOF. */ |
693 |
|
122 |
err = ERR_peek_last_error(); |
694 |
✓✗✓✗
|
244 |
if (ERR_GET_LIB(err) == ERR_LIB_PEM && |
695 |
|
122 |
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) |
696 |
|
122 |
ERR_clear_error(); |
697 |
|
|
else |
698 |
|
|
ret = 0; /* some real error */ |
699 |
✗✓✓ |
122 |
} |
700 |
|
|
|
701 |
|
|
end: |
702 |
|
122 |
X509_free(x); |
703 |
|
122 |
return (ret); |
704 |
|
122 |
} |
705 |
|
|
|
706 |
|
|
int |
707 |
|
|
SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) |
708 |
|
|
{ |
709 |
|
|
BIO *in; |
710 |
|
|
int ret = 0; |
711 |
|
|
|
712 |
|
212 |
in = BIO_new(BIO_s_file_internal()); |
713 |
✗✓ |
106 |
if (in == NULL) { |
714 |
|
|
SSLerrorx(ERR_R_BUF_LIB); |
715 |
|
|
goto end; |
716 |
|
|
} |
717 |
|
|
|
718 |
✗✓ |
106 |
if (BIO_read_filename(in, file) <= 0) { |
719 |
|
|
SSLerrorx(ERR_R_SYS_LIB); |
720 |
|
|
goto end; |
721 |
|
|
} |
722 |
|
|
|
723 |
|
106 |
ret = ssl_ctx_use_certificate_chain_bio(ctx, in); |
724 |
|
|
|
725 |
|
|
end: |
726 |
|
106 |
BIO_free(in); |
727 |
|
106 |
return (ret); |
728 |
|
|
} |
729 |
|
|
|
730 |
|
|
int |
731 |
|
|
SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) |
732 |
|
|
{ |
733 |
|
|
BIO *in; |
734 |
|
|
int ret = 0; |
735 |
|
|
|
736 |
|
32 |
in = BIO_new_mem_buf(buf, len); |
737 |
✗✓ |
16 |
if (in == NULL) { |
738 |
|
|
SSLerrorx(ERR_R_BUF_LIB); |
739 |
|
|
goto end; |
740 |
|
|
} |
741 |
|
|
|
742 |
|
16 |
ret = ssl_ctx_use_certificate_chain_bio(ctx, in); |
743 |
|
|
|
744 |
|
|
end: |
745 |
|
16 |
BIO_free(in); |
746 |
|
16 |
return (ret); |
747 |
|
|
} |