Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	usr.sbin/smtpd/smtpd/../ssl.c	Lines:	0	185	0.0 %
Date:	2017-11-07	Branches:	0	90	0.0 %


/*	$OpenBSD: ssl.c,v 1.89 2017/05/17 14:00:06 deraadt Exp $	*/

/*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
 * Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org>
 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/queue.h>
#include <sys/tree.h>
#include <sys/socket.h>
#include <sys/stat.h>

#include <ctype.h>
#include <event.h>
#include <fcntl.h>
#include <imsg.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <openssl/ssl.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/bn.h>

#include "log.h"
#include "ssl.h"

void
ssl_init(void)
{
	static int	inited = 0;

	if (inited)
		return;

	SSL_library_init();
	SSL_load_error_strings();

	OpenSSL_add_all_algorithms();

	/* Init hardware crypto engines. */
	ENGINE_load_builtin_engines();
	ENGINE_register_all_complete();
	inited = 1;
}

int
ssl_setup(SSL_CTX **ctxp, struct pki *pki,
    int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
{
	SSL_CTX	*ctx;
	uint8_t sid[SSL_MAX_SID_CTX_LENGTH];

	ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);

	/*
	 * Set session ID context to a random value.  We don't support
	 * persistent caching of sessions so it is OK to set a temporary
	 * session ID context that is valid during run time.
	 */
	arc4random_buf(sid, sizeof(sid));
	if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
		goto err;

	if (sni_cb)
		SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);

	SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);

	SSL_CTX_set_ecdh_auto(ctx, 1);

	*ctxp = ctx;
	return 1;

err:
	SSL_CTX_free(ctx);
	ssl_error("ssl_setup");
	return 0;
}

char *
ssl_load_file(const char *name, off_t *len, mode_t perm)
{
	struct stat	 st;
	off_t		 size;
	char		*buf = NULL;
	int		 fd, saved_errno;
	char		 mode[12];

	if ((fd = open(name, O_RDONLY)) == -1)
		return (NULL);
	if (fstat(fd, &st) != 0)
		goto fail;
	if (st.st_uid != 0) {
		log_warnx("warn:  %s: not owned by uid 0", name);
		errno = EACCES;
		goto fail;
	}
	if (st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO) & ~perm) {
		strmode(perm, mode);
		log_warnx("warn:  %s: insecure permissions: must be at most %s",
		    name, &mode[1]);
		errno = EACCES;
		goto fail;
	}
	size = st.st_size;
	if ((buf = calloc(1, size + 1)) == NULL)
		goto fail;
	if (read(fd, buf, size) != size)
		goto fail;
	close(fd);

	*len = size + 1;
	return (buf);

fail:
	free(buf);
	saved_errno = errno;
	close(fd);
	errno = saved_errno;
	return (NULL);
}

#if 0
static int
ssl_password_cb(char *buf, int size, int rwflag, void *u)
{
	size_t	len;
	if (u == NULL) {
		explicit_bzero(buf, size);
		return (0);
	}
	if ((len = strlcpy(buf, u, size)) >= (size_t)size)
		return (0);
	return (len);
}
#endif

static int
ssl_password_cb(char *buf, int size, int rwflag, void *u)
{
	int	ret = 0;
	size_t	len;
	char	*pass;

	pass = getpass((const char *)u);
	if (pass == NULL)
		return 0;
	len = strlen(pass);
	if (strlcpy(buf, pass, size) >= (size_t)size)
		goto end;
	ret = len;
end:
	if (len)
		explicit_bzero(pass, len);
	return ret;
}

char *
ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char *pkiname)
{
	FILE		*fp = NULL;
	EVP_PKEY	*key = NULL;
	BIO		*bio = NULL;
	long		 size;
	char		*data, *buf = NULL;
	struct stat	 st;
	char		 mode[12];
	char		 prompt[2048];

	/* Initialize SSL library once */
	ssl_init();

	/*
	 * Read (possibly) encrypted key from file
	 */
	if ((fp = fopen(name, "r")) == NULL)
		return (NULL);

	if (fstat(fileno(fp), &st) != 0)
		goto fail;
	if (st.st_uid != 0) {
		log_warnx("warn:  %s: not owned by uid 0", name);
		errno = EACCES;
		goto fail;
	}
	if (st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO) & ~perm) {
		strmode(perm, mode);
		log_warnx("warn:  %s: insecure permissions: must be at most %s",
		    name, &mode[1]);
		errno = EACCES;
		goto fail;
	}

	(void)snprintf(prompt, sizeof prompt, "passphrase for %s: ", pkiname);
	key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, prompt);
	fclose(fp);
	fp = NULL;
	if (key == NULL)
		goto fail;
	/*
	 * Write unencrypted key to memory buffer
	 */
	if ((bio = BIO_new(BIO_s_mem())) == NULL)
		goto fail;
	if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
		goto fail;
	if ((size = BIO_get_mem_data(bio, &data)) <= 0)
		goto fail;
	if ((buf = calloc(1, size + 1)) == NULL)
		goto fail;
	memcpy(buf, data, size);

	BIO_free_all(bio);
	EVP_PKEY_free(key);

	*len = (off_t)size + 1;
	return (buf);

fail:
	ssl_error("ssl_load_key");
	free(buf);
	BIO_free_all(bio);
	EVP_PKEY_free(key);
	if (fp)
		fclose(fp);
	return (NULL);
}

SSL_CTX *
ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len, const char *ciphers)
{
	SSL_CTX	*ctx;
	size_t	 pkinamelen = 0;

	ctx = SSL_CTX_new(SSLv23_method());
	if (ctx == NULL) {
		ssl_error("ssl_ctx_create");
		fatal("ssl_ctx_create: could not create SSL context");
	}

	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
	SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
	SSL_CTX_set_options(ctx,
	    SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET);
	SSL_CTX_set_options(ctx,
	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
	SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
	SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

	if (ciphers == NULL)
		ciphers = SSL_CIPHERS;
	if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
		ssl_error("ssl_ctx_create");
		fatal("ssl_ctx_create: could not set cipher list");
	}

	if (cert != NULL) {
		if (pkiname != NULL)
			pkinamelen = strlen(pkiname) + 1;
		if (!SSL_CTX_use_certificate_chain_mem(ctx, cert, cert_len)) {
			ssl_error("ssl_ctx_create");
			fatal("ssl_ctx_create: invalid certificate chain");
		} else if (!ssl_ctx_fake_private_key(ctx,
		    pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {
			ssl_error("ssl_ctx_create");
			fatal("ssl_ctx_create: could not fake private key");
		} else if (!SSL_CTX_check_private_key(ctx)) {
			ssl_error("ssl_ctx_create");
			fatal("ssl_ctx_create: invalid private key");
		}
	}

	return (ctx);
}

int
ssl_load_certificate(struct pki *p, const char *pathname)
{
	p->pki_cert = ssl_load_file(pathname, &p->pki_cert_len, 0755);
	if (p->pki_cert == NULL)
		return 0;
	return 1;
}

int
ssl_load_keyfile(struct pki *p, const char *pathname, const char *pkiname)
{
	char	pass[1024];

	p->pki_key = ssl_load_key(pathname, &p->pki_key_len, pass, 0740, pkiname);
	if (p->pki_key == NULL)
		return 0;
	return 1;
}

int
ssl_load_cafile(struct ca *c, const char *pathname)
{
	c->ca_cert = ssl_load_file(pathname, &c->ca_cert_len, 0755);
	if (c->ca_cert == NULL)
		return 0;
	return 1;
}

const char *
ssl_to_text(const SSL *ssl)
{
	static char buf[256];

	(void)snprintf(buf, sizeof buf, "version=%s, cipher=%s, bits=%d",
	    SSL_get_version(ssl),
	    SSL_get_cipher_name(ssl),
	    SSL_get_cipher_bits(ssl, NULL));

	return (buf);
}

void
ssl_error(const char *where)
{
	unsigned long	code;
	char		errbuf[128];

	for (; (code = ERR_get_error()) != 0 ;) {
		ERR_error_string_n(code, errbuf, sizeof(errbuf));
		log_debug("debug: SSL library error: %s: %s", where, errbuf);
	}
}

int
ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
    X509 **x509ptr, EVP_PKEY **pkeyptr)
{
	BIO		*in;
	X509		*x509 = NULL;
	EVP_PKEY	*pkey = NULL;
	RSA		*rsa = NULL;
	void		*exdata = NULL;

	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB);
		return (0);
	}

	if ((x509 = PEM_read_bio_X509(in, NULL,
	    ssl_password_cb, NULL)) == NULL) {
		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB);
		goto fail;
	}

	if ((pkey = X509_get_pubkey(x509)) == NULL) {
		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_X509_LIB);
		goto fail;
	}

	BIO_free(in);
	in = NULL;

	if (data != NULL && datalen) {
		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
		    (exdata = malloc(datalen)) == NULL) {
			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
			goto fail;
		}

		memcpy(exdata, data, datalen);
		RSA_set_ex_data(rsa, 0, exdata);
		RSA_free(rsa); /* dereference, will be cleaned up with pkey */
	}

	*x509ptr = x509;
	*pkeyptr = pkey;

	return (1);

 fail:
	RSA_free(rsa);
	BIO_free(in);
	EVP_PKEY_free(pkey);
	X509_free(x509);
	free(exdata);

	return (0);
}

int
ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
    char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
{
	int		 ret = 0;
	EVP_PKEY	*pkey = NULL;
	X509		*x509 = NULL;

	if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
		return (0);

	/*
	 * Use the public key as the "private" key - the secret key
	 * parameters are hidden in an extra process that will be
	 * contacted by the RSA engine.  The SSL/TLS library needs at
	 * least the public key parameters in the current process.
	 */
	ret = SSL_CTX_use_PrivateKey(ctx, pkey);
	if (!ret)
		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);

	if (pkeyptr != NULL)
		*pkeyptr = pkey;
	else
		EVP_PKEY_free(pkey);

	if (x509ptr != NULL)
		*x509ptr = x509;
	else
		X509_free(x509);

	return (ret);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: ssl.c,v 1.89 2017/05/17 14:00:06 deraadt Exp $ */
2
3			/*
4			* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
5			* Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org>
6			* Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
7			*
8			* Permission to use, copy, modify, and distribute this software for any
9			* purpose with or without fee is hereby granted, provided that the above
10			* copyright notice and this permission notice appear in all copies.
11			*
12			* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13			* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14			* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15			* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16			* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17			* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18			* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19			*/
20
21			#include <sys/types.h>
22			#include <sys/queue.h>
23			#include <sys/tree.h>
24			#include <sys/socket.h>
25			#include <sys/stat.h>
26
27			#include <ctype.h>
28			#include <event.h>
29			#include <fcntl.h>
30			#include <imsg.h>
31			#include <limits.h>
32			#include <pwd.h>
33			#include <stdio.h>
34			#include <stdlib.h>
35			#include <string.h>
36			#include <unistd.h>
37
38			#include <openssl/ssl.h>
39			#include <openssl/engine.h>
40			#include <openssl/err.h>
41			#include <openssl/rsa.h>
42			#include <openssl/dh.h>
43			#include <openssl/bn.h>
44
45			#include "log.h"
46			#include "ssl.h"
47
48			void
49			ssl_init(void)
50			{
51			static int inited = 0;
52
53			if (inited)
54			return;
55
56			SSL_library_init();
57			SSL_load_error_strings();
58
59			OpenSSL_add_all_algorithms();
60
61			/* Init hardware crypto engines. */
62			ENGINE_load_builtin_engines();
63			ENGINE_register_all_complete();
64			inited = 1;
65			}
66
67			int
68			ssl_setup(SSL_CTX *ctxp, struct pki pki,
69			int (sni_cb)(SSL ,int ,void ), const char *ciphers)
70			{
71			SSL_CTX *ctx;
72			uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
73
74			ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
75
76			/*
77			* Set session ID context to a random value. We don't support
78			* persistent caching of sessions so it is OK to set a temporary
79			* session ID context that is valid during run time.
80			*/
81			arc4random_buf(sid, sizeof(sid));
82			if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
83			goto err;
84
85			if (sni_cb)
86			SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
87
88			SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
89
90			SSL_CTX_set_ecdh_auto(ctx, 1);
91
92			*ctxp = ctx;
93			return 1;
94
95			err:
96			SSL_CTX_free(ctx);
97			ssl_error("ssl_setup");
98			return 0;
99			}
100
101			char *
102			ssl_load_file(const char name, off_t len, mode_t perm)
103			{
104			struct stat st;
105			off_t size;
106			char *buf = NULL;
107			int fd, saved_errno;
108			char mode[12];
109
110			if ((fd = open(name, O_RDONLY)) == -1)
111			return (NULL);
112			if (fstat(fd, &st) != 0)
113			goto fail;
114			if (st.st_uid != 0) {
115			log_warnx("warn: %s: not owned by uid 0", name);
116			errno = EACCES;
117			goto fail;
118			}
119			if (st.st_mode & (S_IRWXU \| S_IRWXG \| S_IRWXO) & ~perm) {
120			strmode(perm, mode);
121			log_warnx("warn: %s: insecure permissions: must be at most %s",
122			name, &mode[1]);
123			errno = EACCES;
124			goto fail;
125			}
126			size = st.st_size;
127			if ((buf = calloc(1, size + 1)) == NULL)
128			goto fail;
129			if (read(fd, buf, size) != size)
130			goto fail;
131			close(fd);
132
133			*len = size + 1;
134			return (buf);
135
136			fail:
137			free(buf);
138			saved_errno = errno;
139			close(fd);
140			errno = saved_errno;
141			return (NULL);
142			}
143
144			#if 0
145			static int
146			ssl_password_cb(char buf, int size, int rwflag, void u)
147			{
148			size_t len;
149			if (u == NULL) {
150			explicit_bzero(buf, size);
151			return (0);
152			}
153			if ((len = strlcpy(buf, u, size)) >= (size_t)size)
154			return (0);
155			return (len);
156			}
157			#endif
158
159			static int
160			ssl_password_cb(char buf, int size, int rwflag, void u)
161			{
162			int ret = 0;
163			size_t len;
164			char *pass;
165
166			pass = getpass((const char *)u);
167			if (pass == NULL)
168			return 0;
169			len = strlen(pass);
170			if (strlcpy(buf, pass, size) >= (size_t)size)
171			goto end;
172			ret = len;
173			end:
174			if (len)
175			explicit_bzero(pass, len);
176			return ret;
177			}
178
179			char *
180			ssl_load_key(const char name, off_t len, char pass, mode_t perm, const char pkiname)
181			{
182			FILE *fp = NULL;
183			EVP_PKEY *key = NULL;
184			BIO *bio = NULL;
185			long size;
186			char data, buf = NULL;
187			struct stat st;
188			char mode[12];
189			char prompt[2048];
190
191			/* Initialize SSL library once */
192			ssl_init();
193
194			/*
195			* Read (possibly) encrypted key from file
196			*/
197			if ((fp = fopen(name, "r")) == NULL)
198			return (NULL);
199
200			if (fstat(fileno(fp), &st) != 0)
201			goto fail;
202			if (st.st_uid != 0) {
203			log_warnx("warn: %s: not owned by uid 0", name);
204			errno = EACCES;
205			goto fail;
206			}
207			if (st.st_mode & (S_IRWXU \| S_IRWXG \| S_IRWXO) & ~perm) {
208			strmode(perm, mode);
209			log_warnx("warn: %s: insecure permissions: must be at most %s",
210			name, &mode[1]);
211			errno = EACCES;
212			goto fail;
213			}
214
215			(void)snprintf(prompt, sizeof prompt, "passphrase for %s: ", pkiname);
216			key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, prompt);
217			fclose(fp);
218			fp = NULL;
219			if (key == NULL)
220			goto fail;
221			/*
222			* Write unencrypted key to memory buffer
223			*/
224			if ((bio = BIO_new(BIO_s_mem())) == NULL)
225			goto fail;
226			if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
227			goto fail;
228			if ((size = BIO_get_mem_data(bio, &data)) <= 0)
229			goto fail;
230			if ((buf = calloc(1, size + 1)) == NULL)
231			goto fail;
232			memcpy(buf, data, size);
233
234			BIO_free_all(bio);
235			EVP_PKEY_free(key);
236
237			*len = (off_t)size + 1;
238			return (buf);
239
240			fail:
241			ssl_error("ssl_load_key");
242			free(buf);
243			BIO_free_all(bio);
244			EVP_PKEY_free(key);
245			if (fp)
246			fclose(fp);
247			return (NULL);
248			}
249
250			SSL_CTX *
251			ssl_ctx_create(const char pkiname, char cert, off_t cert_len, const char *ciphers)
252			{
253			SSL_CTX *ctx;
254			size_t pkinamelen = 0;
255
256			ctx = SSL_CTX_new(SSLv23_method());
257			if (ctx == NULL) {
258			ssl_error("ssl_ctx_create");
259			fatal("ssl_ctx_create: could not create SSL context");
260			}
261
262			SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
263			SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
264			SSL_CTX_set_options(ctx,
265			SSL_OP_ALL \| SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3 \| SSL_OP_NO_TICKET);
266			SSL_CTX_set_options(ctx,
267			SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
268			SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
269			SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
270
271			if (ciphers == NULL)
272			ciphers = SSL_CIPHERS;
273			if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
274			ssl_error("ssl_ctx_create");
275			fatal("ssl_ctx_create: could not set cipher list");
276			}
277
278			if (cert != NULL) {
279			if (pkiname != NULL)
280			pkinamelen = strlen(pkiname) + 1;
281			if (!SSL_CTX_use_certificate_chain_mem(ctx, cert, cert_len)) {
282			ssl_error("ssl_ctx_create");
283			fatal("ssl_ctx_create: invalid certificate chain");
284			} else if (!ssl_ctx_fake_private_key(ctx,
285			pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {
286			ssl_error("ssl_ctx_create");
287			fatal("ssl_ctx_create: could not fake private key");
288			} else if (!SSL_CTX_check_private_key(ctx)) {
289			ssl_error("ssl_ctx_create");
290			fatal("ssl_ctx_create: invalid private key");
291			}
292			}
293
294			return (ctx);
295			}
296
297			int
298			ssl_load_certificate(struct pki p, const char pathname)
299			{
300			p->pki_cert = ssl_load_file(pathname, &p->pki_cert_len, 0755);
301			if (p->pki_cert == NULL)
302			return 0;
303			return 1;
304			}
305
306			int
307			ssl_load_keyfile(struct pki p, const char pathname, const char *pkiname)
308			{
309			char pass[1024];
310
311			p->pki_key = ssl_load_key(pathname, &p->pki_key_len, pass, 0740, pkiname);
312			if (p->pki_key == NULL)
313			return 0;
314			return 1;
315			}
316
317			int
318			ssl_load_cafile(struct ca c, const char pathname)
319			{
320			c->ca_cert = ssl_load_file(pathname, &c->ca_cert_len, 0755);
321			if (c->ca_cert == NULL)
322			return 0;
323			return 1;
324			}
325
326			const char *
327			ssl_to_text(const SSL *ssl)
328			{
329			static char buf[256];
330
331			(void)snprintf(buf, sizeof buf, "version=%s, cipher=%s, bits=%d",
332			SSL_get_version(ssl),
333			SSL_get_cipher_name(ssl),
334			SSL_get_cipher_bits(ssl, NULL));
335
336			return (buf);
337			}
338
339			void
340			ssl_error(const char *where)
341			{
342			unsigned long code;
343			char errbuf[128];
344
345			for (; (code = ERR_get_error()) != 0 ;) {
346			ERR_error_string_n(code, errbuf, sizeof(errbuf));
347			log_debug("debug: SSL library error: %s: %s", where, errbuf);
348			}
349			}
350
351			int
352			ssl_load_pkey(const void data, size_t datalen, char buf, off_t len,
353			X509 x509ptr, EVP_PKEY pkeyptr)
354			{
355			BIO *in;
356			X509 *x509 = NULL;
357			EVP_PKEY *pkey = NULL;
358			RSA *rsa = NULL;
359			void *exdata = NULL;
360
361			if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
362			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB);
363			return (0);
364			}
365
366			if ((x509 = PEM_read_bio_X509(in, NULL,
367			ssl_password_cb, NULL)) == NULL) {
368			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB);
369			goto fail;
370			}
371
372			if ((pkey = X509_get_pubkey(x509)) == NULL) {
373			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_X509_LIB);
374			goto fail;
375			}
376
377			BIO_free(in);
378			in = NULL;
379
380			if (data != NULL && datalen) {
381			if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL \|\|
382			(exdata = malloc(datalen)) == NULL) {
383			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
384			goto fail;
385			}
386
387			memcpy(exdata, data, datalen);
388			RSA_set_ex_data(rsa, 0, exdata);
389			RSA_free(rsa); /* dereference, will be cleaned up with pkey */
390			}
391
392			*x509ptr = x509;
393			*pkeyptr = pkey;
394
395			return (1);
396
397			fail:
398			RSA_free(rsa);
399			BIO_free(in);
400			EVP_PKEY_free(pkey);
401			X509_free(x509);
402			free(exdata);
403
404			return (0);
405			}
406
407			int
408			ssl_ctx_fake_private_key(SSL_CTX ctx, const void data, size_t datalen,
409			char buf, off_t len, X509 x509ptr, EVP_PKEY *pkeyptr)
410			{
411			int ret = 0;
412			EVP_PKEY *pkey = NULL;
413			X509 *x509 = NULL;
414
415			if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
416			return (0);
417
418			/*
419			* Use the public key as the "private" key - the secret key
420			* parameters are hidden in an extra process that will be
421			* contacted by the RSA engine. The SSL/TLS library needs at
422			* least the public key parameters in the current process.
423			*/
424			ret = SSL_CTX_use_PrivateKey(ctx, pkey);
425			if (!ret)
426			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
427
428			if (pkeyptr != NULL)
429			*pkeyptr = pkey;
430			else
431			EVP_PKEY_free(pkey);
432
433			if (x509ptr != NULL)
434			*x509ptr = x509;
435			else
436			X509_free(x509);
437
438			return (ret);
439			}