/src/openssl/ssl/ssl_rsa.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* ssl/ssl_rsa.c */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | |
59 | | #include <stdio.h> |
60 | | #include "ssl_locl.h" |
61 | | #include <openssl/bio.h> |
62 | | #include <openssl/objects.h> |
63 | | #include <openssl/evp.h> |
64 | | #include <openssl/x509.h> |
65 | | #include <openssl/pem.h> |
66 | | |
67 | | static int ssl_set_cert(CERT *c, X509 *x509); |
68 | | static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); |
69 | | int SSL_use_certificate(SSL *ssl, X509 *x) |
70 | 0 | { |
71 | 0 | if (x == NULL) { |
72 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); |
73 | 0 | return (0); |
74 | 0 | } |
75 | 0 | if (!ssl_cert_inst(&ssl->cert)) { |
76 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); |
77 | 0 | return (0); |
78 | 0 | } |
79 | 0 | return (ssl_set_cert(ssl->cert, x)); |
80 | 0 | } |
81 | | |
82 | | #ifndef OPENSSL_NO_STDIO |
83 | | int SSL_use_certificate_file(SSL *ssl, const char *file, int type) |
84 | 0 | { |
85 | 0 | int j; |
86 | 0 | BIO *in; |
87 | 0 | int ret = 0; |
88 | 0 | X509 *x = NULL; |
89 | |
|
90 | 0 | in = BIO_new(BIO_s_file_internal()); |
91 | 0 | if (in == NULL) { |
92 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); |
93 | 0 | goto end; |
94 | 0 | } |
95 | | |
96 | 0 | if (BIO_read_filename(in, file) <= 0) { |
97 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); |
98 | 0 | goto end; |
99 | 0 | } |
100 | 0 | if (type == SSL_FILETYPE_ASN1) { |
101 | 0 | j = ERR_R_ASN1_LIB; |
102 | 0 | x = d2i_X509_bio(in, NULL); |
103 | 0 | } else if (type == SSL_FILETYPE_PEM) { |
104 | 0 | j = ERR_R_PEM_LIB; |
105 | 0 | x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback, |
106 | 0 | ssl->ctx->default_passwd_callback_userdata); |
107 | 0 | } else { |
108 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); |
109 | 0 | goto end; |
110 | 0 | } |
111 | | |
112 | 0 | if (x == NULL) { |
113 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); |
114 | 0 | goto end; |
115 | 0 | } |
116 | | |
117 | 0 | ret = SSL_use_certificate(ssl, x); |
118 | 0 | end: |
119 | 0 | if (x != NULL) |
120 | 0 | X509_free(x); |
121 | 0 | if (in != NULL) |
122 | 0 | BIO_free(in); |
123 | 0 | return (ret); |
124 | 0 | } |
125 | | #endif |
126 | | |
127 | | int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) |
128 | 0 | { |
129 | 0 | X509 *x; |
130 | 0 | int ret; |
131 | |
|
132 | 0 | x = d2i_X509(NULL, &d, (long)len); |
133 | 0 | if (x == NULL) { |
134 | 0 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); |
135 | 0 | return (0); |
136 | 0 | } |
137 | | |
138 | 0 | ret = SSL_use_certificate(ssl, x); |
139 | 0 | X509_free(x); |
140 | 0 | return (ret); |
141 | 0 | } |
142 | | |
143 | | #ifndef OPENSSL_NO_RSA |
144 | | int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) |
145 | 0 | { |
146 | 0 | EVP_PKEY *pkey; |
147 | 0 | int ret; |
148 | |
|
149 | 0 | if (rsa == NULL) { |
150 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); |
151 | 0 | return (0); |
152 | 0 | } |
153 | 0 | if (!ssl_cert_inst(&ssl->cert)) { |
154 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); |
155 | 0 | return (0); |
156 | 0 | } |
157 | 0 | if ((pkey = EVP_PKEY_new()) == NULL) { |
158 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); |
159 | 0 | return (0); |
160 | 0 | } |
161 | | |
162 | 0 | RSA_up_ref(rsa); |
163 | 0 | if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { |
164 | 0 | RSA_free(rsa); |
165 | 0 | return 0; |
166 | 0 | } |
167 | | |
168 | 0 | ret = ssl_set_pkey(ssl->cert, pkey); |
169 | 0 | EVP_PKEY_free(pkey); |
170 | 0 | return (ret); |
171 | 0 | } |
172 | | #endif |
173 | | |
174 | | static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) |
175 | 0 | { |
176 | 0 | int i; |
177 | | /* |
178 | | * Special case for DH: check two DH certificate types for a match. This |
179 | | * means for DH certificates we must set the certificate first. |
180 | | */ |
181 | 0 | if (pkey->type == EVP_PKEY_DH) { |
182 | 0 | X509 *x; |
183 | 0 | i = -1; |
184 | 0 | x = c->pkeys[SSL_PKEY_DH_RSA].x509; |
185 | 0 | if (x && X509_check_private_key(x, pkey)) |
186 | 0 | i = SSL_PKEY_DH_RSA; |
187 | 0 | x = c->pkeys[SSL_PKEY_DH_DSA].x509; |
188 | 0 | if (i == -1 && x && X509_check_private_key(x, pkey)) |
189 | 0 | i = SSL_PKEY_DH_DSA; |
190 | 0 | ERR_clear_error(); |
191 | 0 | } else |
192 | 0 | i = ssl_cert_type(NULL, pkey); |
193 | 0 | if (i < 0) { |
194 | 0 | SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
195 | 0 | return (0); |
196 | 0 | } |
197 | | |
198 | 0 | if (c->pkeys[i].x509 != NULL) { |
199 | 0 | EVP_PKEY *pktmp; |
200 | 0 | pktmp = X509_get_pubkey(c->pkeys[i].x509); |
201 | 0 | if (pktmp == NULL) { |
202 | 0 | SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); |
203 | 0 | EVP_PKEY_free(pktmp); |
204 | 0 | return 0; |
205 | 0 | } |
206 | | /* |
207 | | * The return code from EVP_PKEY_copy_parameters is deliberately |
208 | | * ignored. Some EVP_PKEY types cannot do this. |
209 | | */ |
210 | 0 | EVP_PKEY_copy_parameters(pktmp, pkey); |
211 | 0 | EVP_PKEY_free(pktmp); |
212 | 0 | ERR_clear_error(); |
213 | |
|
214 | 0 | #ifndef OPENSSL_NO_RSA |
215 | | /* |
216 | | * Don't check the public/private key, this is mostly for smart |
217 | | * cards. |
218 | | */ |
219 | 0 | if ((pkey->type == EVP_PKEY_RSA) && |
220 | 0 | (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) ; |
221 | 0 | else |
222 | 0 | #endif |
223 | 0 | if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { |
224 | 0 | X509_free(c->pkeys[i].x509); |
225 | 0 | c->pkeys[i].x509 = NULL; |
226 | 0 | return 0; |
227 | 0 | } |
228 | 0 | } |
229 | | |
230 | 0 | if (c->pkeys[i].privatekey != NULL) |
231 | 0 | EVP_PKEY_free(c->pkeys[i].privatekey); |
232 | 0 | CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); |
233 | 0 | c->pkeys[i].privatekey = pkey; |
234 | 0 | c->key = &(c->pkeys[i]); |
235 | |
|
236 | 0 | c->valid = 0; |
237 | 0 | return (1); |
238 | 0 | } |
239 | | |
240 | | #ifndef OPENSSL_NO_RSA |
241 | | # ifndef OPENSSL_NO_STDIO |
242 | | int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) |
243 | 0 | { |
244 | 0 | int j, ret = 0; |
245 | 0 | BIO *in; |
246 | 0 | RSA *rsa = NULL; |
247 | |
|
248 | 0 | in = BIO_new(BIO_s_file_internal()); |
249 | 0 | if (in == NULL) { |
250 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); |
251 | 0 | goto end; |
252 | 0 | } |
253 | | |
254 | 0 | if (BIO_read_filename(in, file) <= 0) { |
255 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); |
256 | 0 | goto end; |
257 | 0 | } |
258 | 0 | if (type == SSL_FILETYPE_ASN1) { |
259 | 0 | j = ERR_R_ASN1_LIB; |
260 | 0 | rsa = d2i_RSAPrivateKey_bio(in, NULL); |
261 | 0 | } else if (type == SSL_FILETYPE_PEM) { |
262 | 0 | j = ERR_R_PEM_LIB; |
263 | 0 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
264 | 0 | ssl->ctx->default_passwd_callback, |
265 | 0 | ssl-> |
266 | 0 | ctx->default_passwd_callback_userdata); |
267 | 0 | } else { |
268 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
269 | 0 | goto end; |
270 | 0 | } |
271 | 0 | if (rsa == NULL) { |
272 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); |
273 | 0 | goto end; |
274 | 0 | } |
275 | 0 | ret = SSL_use_RSAPrivateKey(ssl, rsa); |
276 | 0 | RSA_free(rsa); |
277 | 0 | end: |
278 | 0 | if (in != NULL) |
279 | 0 | BIO_free(in); |
280 | 0 | return (ret); |
281 | 0 | } |
282 | | # endif |
283 | | |
284 | | int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) |
285 | 0 | { |
286 | 0 | int ret; |
287 | 0 | const unsigned char *p; |
288 | 0 | RSA *rsa; |
289 | |
|
290 | 0 | p = d; |
291 | 0 | if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { |
292 | 0 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); |
293 | 0 | return (0); |
294 | 0 | } |
295 | | |
296 | 0 | ret = SSL_use_RSAPrivateKey(ssl, rsa); |
297 | 0 | RSA_free(rsa); |
298 | 0 | return (ret); |
299 | 0 | } |
300 | | #endif /* !OPENSSL_NO_RSA */ |
301 | | |
302 | | int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) |
303 | 0 | { |
304 | 0 | int ret; |
305 | |
|
306 | 0 | if (pkey == NULL) { |
307 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); |
308 | 0 | return (0); |
309 | 0 | } |
310 | 0 | if (!ssl_cert_inst(&ssl->cert)) { |
311 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); |
312 | 0 | return (0); |
313 | 0 | } |
314 | 0 | ret = ssl_set_pkey(ssl->cert, pkey); |
315 | 0 | return (ret); |
316 | 0 | } |
317 | | |
318 | | #ifndef OPENSSL_NO_STDIO |
319 | | int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) |
320 | 0 | { |
321 | 0 | int j, ret = 0; |
322 | 0 | BIO *in; |
323 | 0 | EVP_PKEY *pkey = NULL; |
324 | |
|
325 | 0 | in = BIO_new(BIO_s_file_internal()); |
326 | 0 | if (in == NULL) { |
327 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); |
328 | 0 | goto end; |
329 | 0 | } |
330 | | |
331 | 0 | if (BIO_read_filename(in, file) <= 0) { |
332 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); |
333 | 0 | goto end; |
334 | 0 | } |
335 | 0 | if (type == SSL_FILETYPE_PEM) { |
336 | 0 | j = ERR_R_PEM_LIB; |
337 | 0 | pkey = PEM_read_bio_PrivateKey(in, NULL, |
338 | 0 | ssl->ctx->default_passwd_callback, |
339 | 0 | ssl-> |
340 | 0 | ctx->default_passwd_callback_userdata); |
341 | 0 | } else if (type == SSL_FILETYPE_ASN1) { |
342 | 0 | j = ERR_R_ASN1_LIB; |
343 | 0 | pkey = d2i_PrivateKey_bio(in, NULL); |
344 | 0 | } else { |
345 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
346 | 0 | goto end; |
347 | 0 | } |
348 | 0 | if (pkey == NULL) { |
349 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); |
350 | 0 | goto end; |
351 | 0 | } |
352 | 0 | ret = SSL_use_PrivateKey(ssl, pkey); |
353 | 0 | EVP_PKEY_free(pkey); |
354 | 0 | end: |
355 | 0 | if (in != NULL) |
356 | 0 | BIO_free(in); |
357 | 0 | return (ret); |
358 | 0 | } |
359 | | #endif |
360 | | |
361 | | int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, |
362 | | long len) |
363 | 0 | { |
364 | 0 | int ret; |
365 | 0 | const unsigned char *p; |
366 | 0 | EVP_PKEY *pkey; |
367 | |
|
368 | 0 | p = d; |
369 | 0 | if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { |
370 | 0 | SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); |
371 | 0 | return (0); |
372 | 0 | } |
373 | | |
374 | 0 | ret = SSL_use_PrivateKey(ssl, pkey); |
375 | 0 | EVP_PKEY_free(pkey); |
376 | 0 | return (ret); |
377 | 0 | } |
378 | | |
379 | | int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) |
380 | 0 | { |
381 | 0 | if (x == NULL) { |
382 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); |
383 | 0 | return (0); |
384 | 0 | } |
385 | 0 | if (!ssl_cert_inst(&ctx->cert)) { |
386 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); |
387 | 0 | return (0); |
388 | 0 | } |
389 | 0 | return (ssl_set_cert(ctx->cert, x)); |
390 | 0 | } |
391 | | |
392 | | static int ssl_set_cert(CERT *c, X509 *x) |
393 | 0 | { |
394 | 0 | EVP_PKEY *pkey; |
395 | 0 | int i; |
396 | |
|
397 | 0 | pkey = X509_get_pubkey(x); |
398 | 0 | if (pkey == NULL) { |
399 | 0 | SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); |
400 | 0 | return (0); |
401 | 0 | } |
402 | | |
403 | 0 | i = ssl_cert_type(x, pkey); |
404 | 0 | if (i < 0) { |
405 | 0 | SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
406 | 0 | EVP_PKEY_free(pkey); |
407 | 0 | return (0); |
408 | 0 | } |
409 | | |
410 | 0 | if (c->pkeys[i].privatekey != NULL) { |
411 | | /* |
412 | | * The return code from EVP_PKEY_copy_parameters is deliberately |
413 | | * ignored. Some EVP_PKEY types cannot do this. |
414 | | */ |
415 | 0 | EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); |
416 | 0 | ERR_clear_error(); |
417 | |
|
418 | 0 | #ifndef OPENSSL_NO_RSA |
419 | | /* |
420 | | * Don't check the public/private key, this is mostly for smart |
421 | | * cards. |
422 | | */ |
423 | 0 | if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && |
424 | 0 | (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & |
425 | 0 | RSA_METHOD_FLAG_NO_CHECK)) ; |
426 | 0 | else |
427 | 0 | #endif /* OPENSSL_NO_RSA */ |
428 | 0 | if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { |
429 | | /* |
430 | | * don't fail for a cert/key mismatch, just free current private |
431 | | * key (when switching to a different cert & key, first this |
432 | | * function should be used, then ssl_set_pkey |
433 | | */ |
434 | 0 | EVP_PKEY_free(c->pkeys[i].privatekey); |
435 | 0 | c->pkeys[i].privatekey = NULL; |
436 | | /* clear error queue */ |
437 | 0 | ERR_clear_error(); |
438 | 0 | } |
439 | 0 | } |
440 | |
|
441 | 0 | EVP_PKEY_free(pkey); |
442 | |
|
443 | 0 | if (c->pkeys[i].x509 != NULL) |
444 | 0 | X509_free(c->pkeys[i].x509); |
445 | 0 | CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
446 | 0 | c->pkeys[i].x509 = x; |
447 | 0 | c->key = &(c->pkeys[i]); |
448 | |
|
449 | 0 | c->valid = 0; |
450 | 0 | return (1); |
451 | 0 | } |
452 | | |
453 | | #ifndef OPENSSL_NO_STDIO |
454 | | int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) |
455 | 0 | { |
456 | 0 | int j; |
457 | 0 | BIO *in; |
458 | 0 | int ret = 0; |
459 | 0 | X509 *x = NULL; |
460 | |
|
461 | 0 | in = BIO_new(BIO_s_file_internal()); |
462 | 0 | if (in == NULL) { |
463 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); |
464 | 0 | goto end; |
465 | 0 | } |
466 | | |
467 | 0 | if (BIO_read_filename(in, file) <= 0) { |
468 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); |
469 | 0 | goto end; |
470 | 0 | } |
471 | 0 | if (type == SSL_FILETYPE_ASN1) { |
472 | 0 | j = ERR_R_ASN1_LIB; |
473 | 0 | x = d2i_X509_bio(in, NULL); |
474 | 0 | } else if (type == SSL_FILETYPE_PEM) { |
475 | 0 | j = ERR_R_PEM_LIB; |
476 | 0 | x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, |
477 | 0 | ctx->default_passwd_callback_userdata); |
478 | 0 | } else { |
479 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); |
480 | 0 | goto end; |
481 | 0 | } |
482 | | |
483 | 0 | if (x == NULL) { |
484 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); |
485 | 0 | goto end; |
486 | 0 | } |
487 | | |
488 | 0 | ret = SSL_CTX_use_certificate(ctx, x); |
489 | 0 | end: |
490 | 0 | if (x != NULL) |
491 | 0 | X509_free(x); |
492 | 0 | if (in != NULL) |
493 | 0 | BIO_free(in); |
494 | 0 | return (ret); |
495 | 0 | } |
496 | | #endif |
497 | | |
498 | | int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, |
499 | | const unsigned char *d) |
500 | 0 | { |
501 | 0 | X509 *x; |
502 | 0 | int ret; |
503 | |
|
504 | 0 | x = d2i_X509(NULL, &d, (long)len); |
505 | 0 | if (x == NULL) { |
506 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); |
507 | 0 | return (0); |
508 | 0 | } |
509 | | |
510 | 0 | ret = SSL_CTX_use_certificate(ctx, x); |
511 | 0 | X509_free(x); |
512 | 0 | return (ret); |
513 | 0 | } |
514 | | |
515 | | #ifndef OPENSSL_NO_RSA |
516 | | int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) |
517 | 0 | { |
518 | 0 | int ret; |
519 | 0 | EVP_PKEY *pkey; |
520 | |
|
521 | 0 | if (rsa == NULL) { |
522 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); |
523 | 0 | return (0); |
524 | 0 | } |
525 | 0 | if (!ssl_cert_inst(&ctx->cert)) { |
526 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); |
527 | 0 | return (0); |
528 | 0 | } |
529 | 0 | if ((pkey = EVP_PKEY_new()) == NULL) { |
530 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); |
531 | 0 | return (0); |
532 | 0 | } |
533 | | |
534 | 0 | RSA_up_ref(rsa); |
535 | 0 | if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { |
536 | 0 | RSA_free(rsa); |
537 | 0 | return 0; |
538 | 0 | } |
539 | | |
540 | 0 | ret = ssl_set_pkey(ctx->cert, pkey); |
541 | 0 | EVP_PKEY_free(pkey); |
542 | 0 | return (ret); |
543 | 0 | } |
544 | | |
545 | | # ifndef OPENSSL_NO_STDIO |
546 | | int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) |
547 | 0 | { |
548 | 0 | int j, ret = 0; |
549 | 0 | BIO *in; |
550 | 0 | RSA *rsa = NULL; |
551 | |
|
552 | 0 | in = BIO_new(BIO_s_file_internal()); |
553 | 0 | if (in == NULL) { |
554 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); |
555 | 0 | goto end; |
556 | 0 | } |
557 | | |
558 | 0 | if (BIO_read_filename(in, file) <= 0) { |
559 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); |
560 | 0 | goto end; |
561 | 0 | } |
562 | 0 | if (type == SSL_FILETYPE_ASN1) { |
563 | 0 | j = ERR_R_ASN1_LIB; |
564 | 0 | rsa = d2i_RSAPrivateKey_bio(in, NULL); |
565 | 0 | } else if (type == SSL_FILETYPE_PEM) { |
566 | 0 | j = ERR_R_PEM_LIB; |
567 | 0 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
568 | 0 | ctx->default_passwd_callback, |
569 | 0 | ctx->default_passwd_callback_userdata); |
570 | 0 | } else { |
571 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
572 | 0 | goto end; |
573 | 0 | } |
574 | 0 | if (rsa == NULL) { |
575 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); |
576 | 0 | goto end; |
577 | 0 | } |
578 | 0 | ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); |
579 | 0 | RSA_free(rsa); |
580 | 0 | end: |
581 | 0 | if (in != NULL) |
582 | 0 | BIO_free(in); |
583 | 0 | return (ret); |
584 | 0 | } |
585 | | # endif |
586 | | |
587 | | int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, |
588 | | long len) |
589 | 0 | { |
590 | 0 | int ret; |
591 | 0 | const unsigned char *p; |
592 | 0 | RSA *rsa; |
593 | |
|
594 | 0 | p = d; |
595 | 0 | if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { |
596 | 0 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); |
597 | 0 | return (0); |
598 | 0 | } |
599 | | |
600 | 0 | ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); |
601 | 0 | RSA_free(rsa); |
602 | 0 | return (ret); |
603 | 0 | } |
604 | | #endif /* !OPENSSL_NO_RSA */ |
605 | | |
606 | | int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) |
607 | 0 | { |
608 | 0 | if (pkey == NULL) { |
609 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); |
610 | 0 | return (0); |
611 | 0 | } |
612 | 0 | if (!ssl_cert_inst(&ctx->cert)) { |
613 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); |
614 | 0 | return (0); |
615 | 0 | } |
616 | 0 | return (ssl_set_pkey(ctx->cert, pkey)); |
617 | 0 | } |
618 | | |
619 | | #ifndef OPENSSL_NO_STDIO |
620 | | int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) |
621 | 0 | { |
622 | 0 | int j, ret = 0; |
623 | 0 | BIO *in; |
624 | 0 | EVP_PKEY *pkey = NULL; |
625 | |
|
626 | 0 | in = BIO_new(BIO_s_file_internal()); |
627 | 0 | if (in == NULL) { |
628 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); |
629 | 0 | goto end; |
630 | 0 | } |
631 | | |
632 | 0 | if (BIO_read_filename(in, file) <= 0) { |
633 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); |
634 | 0 | goto end; |
635 | 0 | } |
636 | 0 | if (type == SSL_FILETYPE_PEM) { |
637 | 0 | j = ERR_R_PEM_LIB; |
638 | 0 | pkey = PEM_read_bio_PrivateKey(in, NULL, |
639 | 0 | ctx->default_passwd_callback, |
640 | 0 | ctx->default_passwd_callback_userdata); |
641 | 0 | } else if (type == SSL_FILETYPE_ASN1) { |
642 | 0 | j = ERR_R_ASN1_LIB; |
643 | 0 | pkey = d2i_PrivateKey_bio(in, NULL); |
644 | 0 | } else { |
645 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
646 | 0 | goto end; |
647 | 0 | } |
648 | 0 | if (pkey == NULL) { |
649 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); |
650 | 0 | goto end; |
651 | 0 | } |
652 | 0 | ret = SSL_CTX_use_PrivateKey(ctx, pkey); |
653 | 0 | EVP_PKEY_free(pkey); |
654 | 0 | end: |
655 | 0 | if (in != NULL) |
656 | 0 | BIO_free(in); |
657 | 0 | return (ret); |
658 | 0 | } |
659 | | #endif |
660 | | |
661 | | int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, |
662 | | const unsigned char *d, long len) |
663 | 0 | { |
664 | 0 | int ret; |
665 | 0 | const unsigned char *p; |
666 | 0 | EVP_PKEY *pkey; |
667 | |
|
668 | 0 | p = d; |
669 | 0 | if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { |
670 | 0 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); |
671 | 0 | return (0); |
672 | 0 | } |
673 | | |
674 | 0 | ret = SSL_CTX_use_PrivateKey(ctx, pkey); |
675 | 0 | EVP_PKEY_free(pkey); |
676 | 0 | return (ret); |
677 | 0 | } |
678 | | |
679 | | #ifndef OPENSSL_NO_STDIO |
680 | | /* |
681 | | * Read a file that contains our certificate in "PEM" format, possibly |
682 | | * followed by a sequence of CA certificates that should be sent to the peer |
683 | | * in the Certificate message. |
684 | | */ |
685 | | int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) |
686 | 0 | { |
687 | 0 | BIO *in; |
688 | 0 | int ret = 0; |
689 | 0 | X509 *x = NULL; |
690 | |
|
691 | 0 | ERR_clear_error(); /* clear error stack for |
692 | | * SSL_CTX_use_certificate() */ |
693 | |
|
694 | 0 | in = BIO_new(BIO_s_file_internal()); |
695 | 0 | if (in == NULL) { |
696 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); |
697 | 0 | goto end; |
698 | 0 | } |
699 | | |
700 | 0 | if (BIO_read_filename(in, file) <= 0) { |
701 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); |
702 | 0 | goto end; |
703 | 0 | } |
704 | | |
705 | 0 | x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, |
706 | 0 | ctx->default_passwd_callback_userdata); |
707 | 0 | if (x == NULL) { |
708 | 0 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); |
709 | 0 | goto end; |
710 | 0 | } |
711 | | |
712 | 0 | ret = SSL_CTX_use_certificate(ctx, x); |
713 | |
|
714 | 0 | if (ERR_peek_error() != 0) |
715 | 0 | ret = 0; /* Key/certificate mismatch doesn't imply |
716 | | * ret==0 ... */ |
717 | 0 | if (ret) { |
718 | | /* |
719 | | * If we could set up our certificate, now proceed to the CA |
720 | | * certificates. |
721 | | */ |
722 | 0 | X509 *ca; |
723 | 0 | int r; |
724 | 0 | unsigned long err; |
725 | |
|
726 | 0 | SSL_CTX_clear_chain_certs(ctx); |
727 | |
|
728 | 0 | while ((ca = PEM_read_bio_X509(in, NULL, |
729 | 0 | ctx->default_passwd_callback, |
730 | 0 | ctx->default_passwd_callback_userdata)) |
731 | 0 | != NULL) { |
732 | 0 | r = SSL_CTX_add0_chain_cert(ctx, ca); |
733 | 0 | if (!r) { |
734 | 0 | X509_free(ca); |
735 | 0 | ret = 0; |
736 | 0 | goto end; |
737 | 0 | } |
738 | | /* |
739 | | * Note that we must not free r if it was successfully added to |
740 | | * the chain (while we must free the main certificate, since its |
741 | | * reference count is increased by SSL_CTX_use_certificate). |
742 | | */ |
743 | 0 | } |
744 | | /* When the while loop ends, it's usually just EOF. */ |
745 | 0 | err = ERR_peek_last_error(); |
746 | 0 | if (ERR_GET_LIB(err) == ERR_LIB_PEM |
747 | 0 | && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) |
748 | 0 | ERR_clear_error(); |
749 | 0 | else |
750 | 0 | ret = 0; /* some real error */ |
751 | 0 | } |
752 | | |
753 | 0 | end: |
754 | 0 | if (x != NULL) |
755 | 0 | X509_free(x); |
756 | 0 | if (in != NULL) |
757 | 0 | BIO_free(in); |
758 | 0 | return (ret); |
759 | 0 | } |
760 | | #endif |
761 | | |
762 | | #ifndef OPENSSL_NO_TLSEXT |
763 | | static int serverinfo_find_extension(const unsigned char *serverinfo, |
764 | | size_t serverinfo_length, |
765 | | unsigned int extension_type, |
766 | | const unsigned char **extension_data, |
767 | | size_t *extension_length) |
768 | 0 | { |
769 | 0 | *extension_data = NULL; |
770 | 0 | *extension_length = 0; |
771 | 0 | if (serverinfo == NULL || serverinfo_length == 0) |
772 | 0 | return -1; |
773 | 0 | for (;;) { |
774 | 0 | unsigned int type = 0; |
775 | 0 | size_t len = 0; |
776 | | |
777 | | /* end of serverinfo */ |
778 | 0 | if (serverinfo_length == 0) |
779 | 0 | return 0; /* Extension not found */ |
780 | | |
781 | | /* read 2-byte type field */ |
782 | 0 | if (serverinfo_length < 2) |
783 | 0 | return -1; /* Error */ |
784 | 0 | type = (serverinfo[0] << 8) + serverinfo[1]; |
785 | 0 | serverinfo += 2; |
786 | 0 | serverinfo_length -= 2; |
787 | | |
788 | | /* read 2-byte len field */ |
789 | 0 | if (serverinfo_length < 2) |
790 | 0 | return -1; /* Error */ |
791 | 0 | len = (serverinfo[0] << 8) + serverinfo[1]; |
792 | 0 | serverinfo += 2; |
793 | 0 | serverinfo_length -= 2; |
794 | |
|
795 | 0 | if (len > serverinfo_length) |
796 | 0 | return -1; /* Error */ |
797 | | |
798 | 0 | if (type == extension_type) { |
799 | 0 | *extension_data = serverinfo; |
800 | 0 | *extension_length = len; |
801 | 0 | return 1; /* Success */ |
802 | 0 | } |
803 | | |
804 | 0 | serverinfo += len; |
805 | 0 | serverinfo_length -= len; |
806 | 0 | } |
807 | 0 | return 0; /* Error */ |
808 | 0 | } |
809 | | |
810 | | static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, |
811 | | const unsigned char *in, |
812 | | size_t inlen, int *al, void *arg) |
813 | 0 | { |
814 | |
|
815 | 0 | if (inlen != 0) { |
816 | 0 | *al = SSL_AD_DECODE_ERROR; |
817 | 0 | return 0; |
818 | 0 | } |
819 | | |
820 | 0 | return 1; |
821 | 0 | } |
822 | | |
823 | | static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, |
824 | | const unsigned char **out, size_t *outlen, |
825 | | int *al, void *arg) |
826 | 0 | { |
827 | 0 | const unsigned char *serverinfo = NULL; |
828 | 0 | size_t serverinfo_length = 0; |
829 | | |
830 | | /* Is there serverinfo data for the chosen server cert? */ |
831 | 0 | if ((ssl_get_server_cert_serverinfo(s, &serverinfo, |
832 | 0 | &serverinfo_length)) != 0) { |
833 | | /* Find the relevant extension from the serverinfo */ |
834 | 0 | int retval = serverinfo_find_extension(serverinfo, serverinfo_length, |
835 | 0 | ext_type, out, outlen); |
836 | 0 | if (retval == -1) { |
837 | 0 | *al = SSL_AD_DECODE_ERROR; |
838 | 0 | return -1; /* Error */ |
839 | 0 | } |
840 | 0 | if (retval == 0) |
841 | 0 | return 0; /* No extension found, don't send extension */ |
842 | 0 | return 1; /* Send extension */ |
843 | 0 | } |
844 | 0 | return 0; /* No serverinfo data found, don't send |
845 | | * extension */ |
846 | 0 | } |
847 | | |
848 | | /* |
849 | | * With a NULL context, this function just checks that the serverinfo data |
850 | | * parses correctly. With a non-NULL context, it registers callbacks for |
851 | | * the included extensions. |
852 | | */ |
853 | | static int serverinfo_process_buffer(const unsigned char *serverinfo, |
854 | | size_t serverinfo_length, SSL_CTX *ctx) |
855 | 0 | { |
856 | 0 | if (serverinfo == NULL || serverinfo_length == 0) |
857 | 0 | return 0; |
858 | 0 | for (;;) { |
859 | 0 | unsigned int ext_type = 0; |
860 | 0 | size_t len = 0; |
861 | | |
862 | | /* end of serverinfo */ |
863 | 0 | if (serverinfo_length == 0) |
864 | 0 | return 1; |
865 | | |
866 | | /* read 2-byte type field */ |
867 | 0 | if (serverinfo_length < 2) |
868 | 0 | return 0; |
869 | | /* FIXME: check for types we understand explicitly? */ |
870 | | |
871 | | /* Register callbacks for extensions */ |
872 | 0 | ext_type = (serverinfo[0] << 8) + serverinfo[1]; |
873 | 0 | if (ctx) { |
874 | 0 | int have_ext_cbs = 0; |
875 | 0 | size_t i; |
876 | 0 | custom_ext_methods *exts = &ctx->cert->srv_ext; |
877 | 0 | custom_ext_method *meth = exts->meths; |
878 | |
|
879 | 0 | for (i = 0; i < exts->meths_count; i++, meth++) { |
880 | 0 | if (ext_type == meth->ext_type) { |
881 | 0 | have_ext_cbs = 1; |
882 | 0 | break; |
883 | 0 | } |
884 | 0 | } |
885 | |
|
886 | 0 | if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type, |
887 | 0 | serverinfo_srv_add_cb, |
888 | 0 | NULL, NULL, |
889 | 0 | serverinfo_srv_parse_cb, |
890 | 0 | NULL)) |
891 | 0 | return 0; |
892 | 0 | } |
893 | | |
894 | 0 | serverinfo += 2; |
895 | 0 | serverinfo_length -= 2; |
896 | | |
897 | | /* read 2-byte len field */ |
898 | 0 | if (serverinfo_length < 2) |
899 | 0 | return 0; |
900 | 0 | len = (serverinfo[0] << 8) + serverinfo[1]; |
901 | 0 | serverinfo += 2; |
902 | 0 | serverinfo_length -= 2; |
903 | |
|
904 | 0 | if (len > serverinfo_length) |
905 | 0 | return 0; |
906 | | |
907 | 0 | serverinfo += len; |
908 | 0 | serverinfo_length -= len; |
909 | 0 | } |
910 | 0 | } |
911 | | |
912 | | int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, |
913 | | size_t serverinfo_length) |
914 | 0 | { |
915 | 0 | unsigned char *new_serverinfo; |
916 | |
|
917 | 0 | if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { |
918 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); |
919 | 0 | return 0; |
920 | 0 | } |
921 | 0 | if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { |
922 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); |
923 | 0 | return 0; |
924 | 0 | } |
925 | 0 | if (!ssl_cert_inst(&ctx->cert)) { |
926 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); |
927 | 0 | return 0; |
928 | 0 | } |
929 | 0 | if (ctx->cert->key == NULL) { |
930 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); |
931 | 0 | return 0; |
932 | 0 | } |
933 | 0 | new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, |
934 | 0 | serverinfo_length); |
935 | 0 | if (new_serverinfo == NULL) { |
936 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); |
937 | 0 | return 0; |
938 | 0 | } |
939 | 0 | ctx->cert->key->serverinfo = new_serverinfo; |
940 | 0 | memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); |
941 | 0 | ctx->cert->key->serverinfo_length = serverinfo_length; |
942 | | |
943 | | /* |
944 | | * Now that the serverinfo is validated and stored, go ahead and |
945 | | * register callbacks. |
946 | | */ |
947 | 0 | if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { |
948 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); |
949 | 0 | return 0; |
950 | 0 | } |
951 | 0 | return 1; |
952 | 0 | } |
953 | | |
954 | | # ifndef OPENSSL_NO_STDIO |
955 | | int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) |
956 | 0 | { |
957 | 0 | unsigned char *serverinfo = NULL; |
958 | 0 | size_t serverinfo_length = 0; |
959 | 0 | unsigned char *extension = 0; |
960 | 0 | long extension_length = 0; |
961 | 0 | char *name = NULL; |
962 | 0 | char *header = NULL; |
963 | 0 | char namePrefix[] = "SERVERINFO FOR "; |
964 | 0 | int ret = 0; |
965 | 0 | BIO *bin = NULL; |
966 | 0 | size_t num_extensions = 0; |
967 | 0 | unsigned char *new_serverinfo; |
968 | |
|
969 | 0 | if (ctx == NULL || file == NULL) { |
970 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, |
971 | 0 | ERR_R_PASSED_NULL_PARAMETER); |
972 | 0 | goto end; |
973 | 0 | } |
974 | | |
975 | 0 | bin = BIO_new(BIO_s_file_internal()); |
976 | 0 | if (bin == NULL) { |
977 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB); |
978 | 0 | goto end; |
979 | 0 | } |
980 | 0 | if (BIO_read_filename(bin, file) <= 0) { |
981 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB); |
982 | 0 | goto end; |
983 | 0 | } |
984 | | |
985 | 0 | for (num_extensions = 0;; num_extensions++) { |
986 | 0 | if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) |
987 | 0 | == 0) { |
988 | | /* |
989 | | * There must be at least one extension in this file |
990 | | */ |
991 | 0 | if (num_extensions == 0) { |
992 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, |
993 | 0 | SSL_R_NO_PEM_EXTENSIONS); |
994 | 0 | goto end; |
995 | 0 | } else /* End of file, we're done */ |
996 | 0 | break; |
997 | 0 | } |
998 | | /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ |
999 | 0 | if (strlen(name) < strlen(namePrefix)) { |
1000 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, |
1001 | 0 | SSL_R_PEM_NAME_TOO_SHORT); |
1002 | 0 | goto end; |
1003 | 0 | } |
1004 | 0 | if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { |
1005 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, |
1006 | 0 | SSL_R_PEM_NAME_BAD_PREFIX); |
1007 | 0 | goto end; |
1008 | 0 | } |
1009 | | /* |
1010 | | * Check that the decoded PEM data is plausible (valid length field) |
1011 | | */ |
1012 | 0 | if (extension_length < 4 |
1013 | 0 | || (extension[2] << 8) + extension[3] != extension_length - 4) { |
1014 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); |
1015 | 0 | goto end; |
1016 | 0 | } |
1017 | | /* Append the decoded extension to the serverinfo buffer */ |
1018 | 0 | new_serverinfo = |
1019 | 0 | OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); |
1020 | 0 | if (new_serverinfo == NULL) { |
1021 | 0 | SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); |
1022 | 0 | goto end; |
1023 | 0 | } |
1024 | 0 | serverinfo = new_serverinfo; |
1025 | 0 | memcpy(serverinfo + serverinfo_length, extension, extension_length); |
1026 | 0 | serverinfo_length += extension_length; |
1027 | |
|
1028 | 0 | OPENSSL_free(name); |
1029 | 0 | name = NULL; |
1030 | 0 | OPENSSL_free(header); |
1031 | 0 | header = NULL; |
1032 | 0 | OPENSSL_free(extension); |
1033 | 0 | extension = NULL; |
1034 | 0 | } |
1035 | | |
1036 | 0 | ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); |
1037 | 0 | end: |
1038 | | /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ |
1039 | 0 | OPENSSL_free(name); |
1040 | 0 | OPENSSL_free(header); |
1041 | 0 | OPENSSL_free(extension); |
1042 | 0 | OPENSSL_free(serverinfo); |
1043 | 0 | if (bin != NULL) |
1044 | 0 | BIO_free(bin); |
1045 | 0 | return ret; |
1046 | 0 | } |
1047 | | # endif /* OPENSSL_NO_STDIO */ |
1048 | | #endif /* OPENSSL_NO_TLSEXT */ |