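/*
 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "ssl_local.h"
#include "packet_local.h"
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

static int ssl_set_cert(CERT *c, X509 *x509);
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);

/*
 * Context value written in front of each extension when version 1
 * serverinfo is converted to the version 2 layout (see extension_append()),
 * and recognised again in serverinfo_process_buffer().
 */
#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
                        | SSL_EXT_CLIENT_HELLO \
                        | SSL_EXT_TLS1_2_SERVER_HELLO \
                        | SSL_EXT_IGNORE_ON_RESUMPTION)

/*
 * Install |x| as the certificate of |ssl|.
 *
 * The certificate is first passed to ssl_security_cert() (defined outside
 * this file); any result other than 1 is recorded as the error reason and
 * the certificate is rejected. Returns 1 on success, 0 on failure.
 *
 * Note that ssl_set_cert() does not fail when |x| does not match a private
 * key that is already installed: it drops that key instead. Callers that
 * load a certificate and a key should confirm the pairing afterwards with
 * SSL_check_private_key().
 */
int SSL_use_certificate(SSL *ssl, X509 *x)
{
    int rv;

    if (x == NULL) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    rv = ssl_security_cert(ssl, NULL, x, 0, 1);
    if (rv != 1) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
        return 0;
    }

    return ssl_set_cert(ssl->cert, x);
}

/*
 * Read one certificate from |file| and install it on |ssl|.
 *
 * |type| selects the encoding: SSL_FILETYPE_ASN1 (DER) or SSL_FILETYPE_PEM;
 * any other value fails with SSL_R_BAD_SSL_FILETYPE. For PEM the password
 * callback configured on |ssl| is handed to the PEM reader.
 * The path is opened exactly as given; no check of its location or
 * permissions is made here. Returns 1 on success, 0 on failure.
 */
int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
{
    int j;
    BIO *in;
    int ret = 0;
    X509 *x = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        x = d2i_X509_bio(in, NULL);
    } else if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback,
                              ssl->default_passwd_callback_userdata);
    } else {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }

    if (x == NULL) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
        goto end;
    }

    ret = SSL_use_certificate(ssl, x);
 end:
    /* The CERT structure holds its own reference; drop the local one. */
    X509_free(x);
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER certificate from the |len| bytes at |d| and install it on
 * |ssl|. Returns 1 on success, 0 on failure.
 *
 * Only the decode result is checked: bytes that follow the certificate
 * inside |len| are not rejected here.
 */
int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
{
    X509 *x;
    int ret;

    x = d2i_X509(NULL, &d, (long)len);
    if (x == NULL) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_use_certificate(ssl, x);
    X509_free(x);
    return ret;
}

#ifndef OPENSSL_NO_RSA
/*
 * Wrap |rsa| in a fresh EVP_PKEY and install it as the private key of
 * |ssl|. The caller keeps its own reference to |rsa|.
 * Returns 1 on success, 0 on failure.
 */
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
{
    EVP_PKEY *pkey;
    int ret;

    if (rsa == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if ((pkey = EVP_PKEY_new()) == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
        return 0;
    }

    /*
     * The EVP_PKEY takes over one reference to |rsa|. Do not hand the key
     * over if that reference could not be taken, otherwise freeing |pkey|
     * would release a reference the caller still relies on.
     */
    if (!RSA_up_ref(rsa)) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_INTERNAL_ERROR);
        EVP_PKEY_free(pkey);
        return 0;
    }
    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
        RSA_free(rsa);
        EVP_PKEY_free(pkey);
        return 0;
    }

    ret = ssl_set_pkey(ssl->cert, pkey);
    EVP_PKEY_free(pkey);
    return ret;
}
#endif

/*
 * Store |pkey| in the slot of |c| that ssl_cert_lookup_by_pkey() selects
 * for its key type, and make that slot the current one.
 *
 * If the slot already holds a certificate, the key must match it; on a
 * mismatch the certificate is removed from the slot and 0 is returned.
 * X509_check_private_key() compares public key material and parameters
 * only; it does not prove that |pkey| is a usable private key.
 * Returns 1 on success, 0 on failure.
 */
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
{
    size_t i;

    if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
        SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
        return 0;
    }

    if (c->pkeys[i].x509 != NULL) {
        EVP_PKEY *pktmp;
        pktmp = X509_get0_pubkey(c->pkeys[i].x509);
        if (pktmp == NULL) {
            SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        /*
         * The return code from EVP_PKEY_copy_parameters is deliberately
         * ignored. Some EVP_PKEY types cannot do this.
         */
        EVP_PKEY_copy_parameters(pktmp, pkey);
        ERR_clear_error();

        if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
            X509_free(c->pkeys[i].x509);
            c->pkeys[i].x509 = NULL;
            return 0;
        }
    }

    /*
     * Take the new reference before releasing the old one. If |pkey| is the
     * object already stored in this slot, releasing first could destroy it
     * before the reference is taken.
     */
    if (!EVP_PKEY_up_ref(pkey)) {
        SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    EVP_PKEY_free(c->pkeys[i].privatekey);
    c->pkeys[i].privatekey = pkey;
    c->key = &c->pkeys[i];
    return 1;
}

#ifndef OPENSSL_NO_RSA
/*
 * Read an RSA private key from |file| (DER for SSL_FILETYPE_ASN1, PEM for
 * SSL_FILETYPE_PEM) and install it on |ssl|. For PEM the password callback
 * configured on |ssl| is used. The path is opened exactly as given; no
 * check of its location or permissions is made here.
 * Returns 1 on success, 0 on failure.
 */
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
{
    int j, ret = 0;
    BIO *in;
    RSA *rsa = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        rsa = d2i_RSAPrivateKey_bio(in, NULL);
    } else if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
                                         ssl->default_passwd_callback,
                                         ssl->default_passwd_callback_userdata);
    } else {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }
    if (rsa == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
        goto end;
    }
    ret = SSL_use_RSAPrivateKey(ssl, rsa);
    RSA_free(rsa);
 end:
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER RSA private key from the |len| bytes at |d| and install it
 * on |ssl|. A copy of |d| is advanced by the decoder, so the caller's
 * pointer is untouched. Returns 1 on success, 0 on failure.
 */
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
{
    int ret;
    const unsigned char *p;
    RSA *rsa;

    p = d;
    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_use_RSAPrivateKey(ssl, rsa);
    RSA_free(rsa);
    return ret;
}
#endif                          /* !OPENSSL_NO_RSA */

/*
 * Install |pkey| as the private key of |ssl|. The caller keeps its own
 * reference. Returns 1 on success, 0 on failure (including a mismatch with
 * a certificate that is already installed, see ssl_set_pkey()).
 */
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
{
    int ret;

    if (pkey == NULL) {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    ret = ssl_set_pkey(ssl->cert, pkey);
    return ret;
}

/*
 * Read a private key from |file| (PEM for SSL_FILETYPE_PEM, DER for
 * SSL_FILETYPE_ASN1) and install it on |ssl|. For PEM the password callback
 * configured on |ssl| is used. The path is opened exactly as given; no
 * check of its location or permissions is made here.
 * Returns 1 on success, 0 on failure.
 */
int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
{
    int j, ret = 0;
    BIO *in;
    EVP_PKEY *pkey = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        pkey = PEM_read_bio_PrivateKey(in, NULL,
                                       ssl->default_passwd_callback,
                                       ssl->default_passwd_callback_userdata);
    } else if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        pkey = d2i_PrivateKey_bio(in, NULL);
    } else {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }
    if (pkey == NULL) {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
        goto end;
    }
    ret = SSL_use_PrivateKey(ssl, pkey);
    EVP_PKEY_free(pkey);
 end:
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER private key of key type |type| from the |len| bytes at |d|
 * and install it on |ssl|. Returns 1 on success, 0 on failure.
 */
int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
                            long len)
{
    int ret;
    const unsigned char *p;
    EVP_PKEY *pkey;

    p = d;
    if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_use_PrivateKey(ssl, pkey);
    EVP_PKEY_free(pkey);
    return ret;
}

/*
 * Install |x| as the certificate of |ctx|. Context-level counterpart of
 * SSL_use_certificate(): the certificate is passed to ssl_security_cert()
 * first and rejected unless that returns 1.
 * Returns 1 on success, 0 on failure.
 *
 * A mismatch with an already installed private key does not fail; confirm
 * the pairing afterwards with SSL_CTX_check_private_key().
 */
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
{
    int rv;

    if (x == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    rv = ssl_security_cert(NULL, ctx, x, 0, 1);
    if (rv != 1) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
        return 0;
    }
    return ssl_set_cert(ctx->cert, x);
}

/*
 * Store |x| in the slot of |c| that ssl_cert_lookup_by_pkey() selects for
 * its public key type, and make that slot the current one.
 *
 * A private key already present in the slot that does not match |x| is
 * released rather than treated as an error, so success here says nothing
 * about whether a usable key remains installed.
 * Returns 1 on success, 0 on failure.
 */
static int ssl_set_cert(CERT *c, X509 *x)
{
    EVP_PKEY *pkey;
    size_t i;

    pkey = X509_get0_pubkey(x);
    if (pkey == NULL) {
        SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
        return 0;
    }

    if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {
        SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
        return 0;
    }
#ifndef OPENSSL_NO_EC
    if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
        SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
        return 0;
    }
#endif
    if (c->pkeys[i].privatekey != NULL) {
        /*
         * The return code from EVP_PKEY_copy_parameters is deliberately
         * ignored. Some EVP_PKEY types cannot do this.
         */
        EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
        ERR_clear_error();

        if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
            /*
             * don't fail for a cert/key mismatch, just free current private
             * key (when switching to a different cert & key, first this
             * function should be used, then ssl_set_pkey
             */
            EVP_PKEY_free(c->pkeys[i].privatekey);
            c->pkeys[i].privatekey = NULL;
            /* clear error queue */
            ERR_clear_error();
        }
    }

    /*
     * Take the new reference before releasing the old one. If |x| is the
     * object already stored in this slot, releasing first could destroy it
     * before the reference is taken.
     */
    if (!X509_up_ref(x)) {
        SSLerr(SSL_F_SSL_SET_CERT, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    X509_free(c->pkeys[i].x509);
    c->pkeys[i].x509 = x;
    c->key = &(c->pkeys[i]);

    return 1;
}

/*
 * Read one certificate from |file| (DER for SSL_FILETYPE_ASN1, PEM for
 * SSL_FILETYPE_PEM) and install it on |ctx|. For PEM the password callback
 * configured on |ctx| is used. Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
    int j;
    BIO *in;
    int ret = 0;
    X509 *x = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        x = d2i_X509_bio(in, NULL);
    } else if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
                              ctx->default_passwd_callback_userdata);
    } else {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }

    if (x == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
        goto end;
    }

    ret = SSL_CTX_use_certificate(ctx, x);
 end:
    /* The CERT structure holds its own reference; drop the local one. */
    X509_free(x);
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER certificate from the |len| bytes at |d| and install it on
 * |ctx|. Note the argument order differs from SSL_use_certificate_ASN1().
 * Bytes that follow the certificate inside |len| are not rejected here.
 * Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
{
    X509 *x;
    int ret;

    x = d2i_X509(NULL, &d, (long)len);
    if (x == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_CTX_use_certificate(ctx, x);
    X509_free(x);
    return ret;
}

#ifndef OPENSSL_NO_RSA
/*
 * Wrap |rsa| in a fresh EVP_PKEY and install it as the private key of
 * |ctx|. The caller keeps its own reference to |rsa|.
 * Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
{
    int ret;
    EVP_PKEY *pkey;

    if (rsa == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if ((pkey = EVP_PKEY_new()) == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
        return 0;
    }

    /*
     * The EVP_PKEY takes over one reference to |rsa|. Do not hand the key
     * over if that reference could not be taken, otherwise freeing |pkey|
     * would release a reference the caller still relies on.
     */
    if (!RSA_up_ref(rsa)) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_INTERNAL_ERROR);
        EVP_PKEY_free(pkey);
        return 0;
    }
    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
        RSA_free(rsa);
        EVP_PKEY_free(pkey);
        return 0;
    }

    ret = ssl_set_pkey(ctx->cert, pkey);
    EVP_PKEY_free(pkey);
    return ret;
}

/*
 * Read an RSA private key from |file| (DER for SSL_FILETYPE_ASN1, PEM for
 * SSL_FILETYPE_PEM) and install it on |ctx|. For PEM the password callback
 * configured on |ctx| is used. The path is opened exactly as given; no
 * check of its location or permissions is made here.
 * Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
    int j, ret = 0;
    BIO *in;
    RSA *rsa = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        rsa = d2i_RSAPrivateKey_bio(in, NULL);
    } else if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
                                         ctx->default_passwd_callback,
                                         ctx->default_passwd_callback_userdata);
    } else {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }
    if (rsa == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
        goto end;
    }
    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
    RSA_free(rsa);
 end:
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER RSA private key from the |len| bytes at |d| and install it
 * on |ctx|. Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
                                   long len)
{
    int ret;
    const unsigned char *p;
    RSA *rsa;

    p = d;
    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
    RSA_free(rsa);
    return ret;
}
#endif                          /* !OPENSSL_NO_RSA */

/*
 * Install |pkey| as the private key of |ctx|. The caller keeps its own
 * reference. Returns 1 on success, 0 on failure (including a mismatch with
 * a certificate that is already installed, see ssl_set_pkey()).
 */
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
{
    if (pkey == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    return ssl_set_pkey(ctx->cert, pkey);
}

/*
 * Read a private key from |file| (PEM for SSL_FILETYPE_PEM, DER for
 * SSL_FILETYPE_ASN1) and install it on |ctx|. For PEM the password callback
 * configured on |ctx| is used. The path is opened exactly as given; no
 * check of its location or permissions is made here.
 * Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
    int j, ret = 0;
    BIO *in;
    EVP_PKEY *pkey = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
        goto end;
    }
    if (type == SSL_FILETYPE_PEM) {
        j = ERR_R_PEM_LIB;
        pkey = PEM_read_bio_PrivateKey(in, NULL,
                                       ctx->default_passwd_callback,
                                       ctx->default_passwd_callback_userdata);
    } else if (type == SSL_FILETYPE_ASN1) {
        j = ERR_R_ASN1_LIB;
        pkey = d2i_PrivateKey_bio(in, NULL);
    } else {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }
    if (pkey == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
        goto end;
    }
    ret = SSL_CTX_use_PrivateKey(ctx, pkey);
    EVP_PKEY_free(pkey);
 end:
    BIO_free(in);
    return ret;
}

/*
 * Decode a DER private key of key type |type| from the |len| bytes at |d|
 * and install it on |ctx|. Returns 1 on success, 0 on failure.
 */
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
                                const unsigned char *d, long len)
{
    int ret;
    const unsigned char *p;
    EVP_PKEY *pkey;

    p = d;
    if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
        return 0;
    }

    ret = SSL_CTX_use_PrivateKey(ctx, pkey);
    EVP_PKEY_free(pkey);
    return ret;
}

/*
 * Read a file that contains our certificate in "PEM" format, possibly
 * followed by a sequence of CA certificates that should be sent to the peer
 * in the Certificate message.
 *
 * Exactly one of |ctx| and |ssl| is expected to be non-NULL; |ctx| wins when
 * both are given. The existing chain is cleared before the extra
 * certificates are appended. This function does not itself check that the
 * extra certificates build a chain for the first one.
 * Returns 1 on success, 0 on failure.
 */
static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
{
    BIO *in;
    int ret = 0;
    X509 *x = NULL;
    pem_password_cb *passwd_callback;
    void *passwd_callback_userdata;

    ERR_clear_error();          /* clear error stack for
                                 * SSL_CTX_use_certificate() */

    if (ctx != NULL) {
        passwd_callback = ctx->default_passwd_callback;
        passwd_callback_userdata = ctx->default_passwd_callback_userdata;
    } else {
        passwd_callback = ssl->default_passwd_callback;
        passwd_callback_userdata = ssl->default_passwd_callback_userdata;
    }

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
        goto end;
    }

    if (BIO_read_filename(in, file) <= 0) {
        SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
        goto end;
    }

    x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
                              passwd_callback_userdata);
    if (x == NULL) {
        SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
        goto end;
    }

    if (ctx)
        ret = SSL_CTX_use_certificate(ctx, x);
    else
        ret = SSL_use_certificate(ssl, x);

    if (ERR_peek_error() != 0)
        ret = 0;                /* Key/certificate mismatch doesn't imply
                                 * ret==0 ... */
    if (ret) {
        /*
         * If we could set up our certificate, now proceed to the CA
         * certificates.
         */
        X509 *ca;
        int r;
        unsigned long err;

        if (ctx)
            r = SSL_CTX_clear_chain_certs(ctx);
        else
            r = SSL_clear_chain_certs(ssl);

        if (r == 0) {
            ret = 0;
            goto end;
        }

        while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
                                       passwd_callback_userdata))
               != NULL) {
            if (ctx)
                r = SSL_CTX_add0_chain_cert(ctx, ca);
            else
                r = SSL_add0_chain_cert(ssl, ca);
            /*
             * Note that we must not free ca if it was successfully added to
             * the chain (while we must free the main certificate, since its
             * reference count is increased by SSL_CTX_use_certificate).
             */
            if (!r) {
                X509_free(ca);
                ret = 0;
                goto end;
            }
        }
        /* When the while loop ends, it's usually just EOF. */
        err = ERR_peek_last_error();
        if (ERR_GET_LIB(err) == ERR_LIB_PEM
            && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
            ERR_clear_error();
        else
            ret = 0;            /* some real error */
    }

 end:
    X509_free(x);
    BIO_free(in);
    return ret;
}

/* Load a certificate plus chain from the PEM |file| into |ctx|. */
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
{
    return use_certificate_chain_file(ctx, NULL, file);
}

/* Load a certificate plus chain from the PEM |file| into |ssl|. */
int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
{
    return use_certificate_chain_file(NULL, ssl, file);
}

/*
 * Search the serverinfo buffer for the extension |extension_type|.
 *
 * Each record is read as a 4 byte context, a 2 byte type and a 2 byte
 * length followed by that many bytes of data. All reads go through the
 * PACKET API, so a record that runs past |serverinfo_length| is reported
 * as an error instead of being read.
 *
 * Returns 1 and sets |*extension_data| / |*extension_length| to the data of
 * the first match, 0 if the end of the buffer is reached without a match,
 * -1 if the buffer is missing or malformed. The outputs are reset to
 * NULL / 0 on entry.
 */
static int serverinfo_find_extension(const unsigned char *serverinfo,
                                     size_t serverinfo_length,
                                     unsigned int extension_type,
                                     const unsigned char **extension_data,
                                     size_t *extension_length)
{
    PACKET pkt, data;

    *extension_data = NULL;
    *extension_length = 0;
    if (serverinfo == NULL || serverinfo_length == 0)
        return -1;

    if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
        return -1;

    for (;;) {
        unsigned int type = 0;
        unsigned long context = 0;

        /* end of serverinfo */
        if (PACKET_remaining(&pkt) == 0)
            return 0;           /* Extension not found */

        if (!PACKET_get_net_4(&pkt, &context)
                || !PACKET_get_net_2(&pkt, &type)
                || !PACKET_get_length_prefixed_2(&pkt, &data))
            return -1;

        if (type == extension_type) {
            *extension_data = PACKET_data(&data);
            *extension_length = PACKET_remaining(&data);
            return 1;           /* Success */
        }
    }
    /* Unreachable */
}

/*
 * Parse callback for serverinfo extensions received from the peer.
 * Only an empty extension body is accepted; anything else fails with a
 * decode_error alert.
 */
static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type,
                                     unsigned int context,
                                     const unsigned char *in,
                                     size_t inlen, X509 *x, size_t chainidx,
                                     int *al, void *arg)
{

    if (inlen != 0) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

    return 1;
}

/*
 * Number of context bytes placed in front of an extension when serverinfo
 * of the given |version| is appended: 4 for version 1, otherwise 0.
 */
static size_t extension_contextoff(unsigned int version)
{
    return version == SSL_SERVERINFOV1 ? 4 : 0;
}

/* Bytes needed to append an extension of |extension_length| bytes. */
static size_t extension_append_length(unsigned int version, size_t extension_length)
{
    return extension_length + extension_contextoff(version);
}

/*
 * Copy |extension| to |serverinfo|, preceded for version 1 input by the
 * 4 byte SYNTHV1CONTEXT value.
 *
 * No bounds are checked here: the caller must provide at least
 * extension_append_length(version, extension_length) bytes at |serverinfo|.
 */
static void extension_append(unsigned int version,
                             const unsigned char *extension,
                             const size_t extension_length,
                             unsigned char *serverinfo)
{
    const size_t contextoff = extension_contextoff(version);

    if (contextoff > 0) {
        /* We know this only uses the last 2 bytes */
        serverinfo[0] = 0;
        serverinfo[1] = 0;
        serverinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;
        serverinfo[3] = SYNTHV1CONTEXT & 0xff;
    }

    memcpy(serverinfo + contextoff, extension, extension_length);
}

/* Old style parse callback; forwards to serverinfoex_srv_parse_cb(). */
static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char *in,
                                   size_t inlen, int *al, void *arg)
{
    return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al,
                                     arg);
}

/*
 * Add callback for serverinfo extensions.
 *
 * Returns 1 with |*out| / |*outlen| pointing into the stored serverinfo
 * when the extension is to be sent, 0 when nothing is to be sent, and -1
 * with an internal_error alert when the stored serverinfo does not parse.
 */
static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,
                                   unsigned int context,
                                   const unsigned char **out,
                                   size_t *outlen, X509 *x, size_t chainidx,
                                   int *al, void *arg)
{
    const unsigned char *serverinfo = NULL;
    size_t serverinfo_length = 0;

    /* We only support extensions for the first Certificate */
    if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)
        return 0;

    /* Is there serverinfo data for the chosen server cert? */
    if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
                                        &serverinfo_length)) != 0) {
        /* Find the relevant extension from the serverinfo */
        int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
                                               ext_type, out, outlen);
        if (retval == -1) {
            *al = SSL_AD_INTERNAL_ERROR;
            return -1;          /* Error */
        }
        if (retval == 0)
            return 0;           /* No extension found, don't send extension */
        return 1;               /* Send extension */
    }
    return 0;                   /* No serverinfo data found, don't send
                                 * extension */
}

/* Old style add callback; forwards to serverinfoex_srv_add_cb(). */
static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
                                 const unsigned char **out, size_t *outlen,
                                 int *al, void *arg)
{
    return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al,
                                   arg);
}

/*
 * With a NULL context, this function just checks that the serverinfo data
 * parses correctly. With a non-NULL context, it registers callbacks for
 * the included extensions.
 *
 * Version 2 records carry a 4 byte context in front of the 2 byte type and
 * the 2 byte length; version 1 records have no context. Any other |version|
 * is rejected. Returns 1 on success, 0 on failure.
 */
static int serverinfo_process_buffer(unsigned int version,
                                     const unsigned char *serverinfo,
                                     size_t serverinfo_length, SSL_CTX *ctx)
{
    PACKET pkt;

    if (serverinfo == NULL || serverinfo_length == 0)
        return 0;

    if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2)
        return 0;

    if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))
        return 0;

    while (PACKET_remaining(&pkt)) {
        unsigned long context = 0;
        unsigned int ext_type = 0;
        PACKET data;

        if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context))
                || !PACKET_get_net_2(&pkt, &ext_type)
                || !PACKET_get_length_prefixed_2(&pkt, &data))
            return 0;

        if (ctx == NULL)
            continue;

        /*
         * The old style custom extensions API could be set separately for
         * server/client, i.e. you could set one custom extension for a client,
         * and *for the same extension in the same SSL_CTX* you could set a
         * custom extension for the server as well. It seems quite weird to be
         * setting a custom extension for both client and server in a single
         * SSL_CTX - but theoretically possible. This isn't possible in the
         * new API. Therefore, if we have V1 serverinfo we use the old API. We
         * also use the old API even if we have V2 serverinfo but the context
         * looks like an old style <= TLSv1.2 extension.
         */
        if (version == SSL_SERVERINFOV1 || context == SYNTHV1CONTEXT) {
            if (!SSL_CTX_add_server_custom_ext(ctx, ext_type,
                                               serverinfo_srv_add_cb,
                                               NULL, NULL,
                                               serverinfo_srv_parse_cb,
                                               NULL))
                return 0;
        } else {
            if (!SSL_CTX_add_custom_ext(ctx, ext_type, context,
                                        serverinfoex_srv_add_cb,
                                        NULL, NULL,
                                        serverinfoex_srv_parse_cb,
                                        NULL))
                return 0;
        }
    }

    return 1;
}

int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
                              const unsigned char *serverinfo,
                              size_t serverinfo_length)
{
    unsigned char *new_serverinfo = NULL;

    if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    if (version == SSL_SERVERINFOV1) {
        /*
         * Convert serverinfo version v1 to v2 and call yourself recursively
         * over the converted serverinfo.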
883 1.1.1.2 christos */ 884 1.1.1.2 christos const size_t sinfo_length = extension_append_length(SSL_SERVERINFOV1, 885 1.1.1.2 christos serverinfo_length); 886 1.1.1.2 christos unsigned char *sinfo; 887 1.1.1.2 christos int ret; 888 1.1.1.2 christos 889 1.1.1.2 christos sinfo = OPENSSL_malloc(sinfo_length); 890 1.1.1.2 christos if (sinfo == NULL) { 891 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); 892 1.1.1.2 christos return 0; 893 1.1.1.2 christos } 894 1.1.1.2 christos 895 1.1.1.2 christos extension_append(SSL_SERVERINFOV1, serverinfo, serverinfo_length, sinfo); 896 1.1.1.2 christos 897 1.1.1.2 christos ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, sinfo, 898 1.1.1.2 christos sinfo_length); 899 1.1.1.2 christos 900 1.1.1.2 christos OPENSSL_free(sinfo); 901 1.1.1.2 christos return ret; 902 1.1 christos } 903 1.1.1.2 christos if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, 904 1.1.1.2 christos NULL)) { 905 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); 906 1.1 christos return 0; 907 1.1 christos } 908 1.1 christos if (ctx->cert->key == NULL) { 909 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR); 910 1.1 christos return 0; 911 1.1 christos } 912 1.1 christos new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, 913 1.1 christos serverinfo_length); 914 1.1 christos if (new_serverinfo == NULL) { 915 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); 916 1.1 christos return 0; 917 1.1 christos } 918 1.1 christos ctx->cert->key->serverinfo = new_serverinfo; 919 1.1 christos memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); 920 1.1 christos ctx->cert->key->serverinfo_length = serverinfo_length; 921 1.1 christos 922 1.1 christos /* 923 1.1 christos * Now that the serverinfo is validated and stored, go ahead and 924 1.1 christos * register callbacks. 
925 1.1 christos */ 926 1.1.1.2 christos if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, 927 1.1.1.2 christos ctx)) { 928 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); 929 1.1 christos return 0; 930 1.1 christos } 931 1.1 christos return 1; 932 1.1 christos } 933 1.1 christos 934 1.1.1.2 christos int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, 935 1.1.1.2 christos size_t serverinfo_length) 936 1.1.1.2 christos { 937 1.1.1.2 christos return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo, 938 1.1.1.2 christos serverinfo_length); 939 1.1.1.2 christos } 940 1.1.1.2 christos 941 1.1 christos int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) 942 1.1 christos { 943 1.1 christos unsigned char *serverinfo = NULL; 944 1.1.1.2 christos unsigned char *tmp; 945 1.1 christos size_t serverinfo_length = 0; 946 1.1 christos unsigned char *extension = 0; 947 1.1 christos long extension_length = 0; 948 1.1 christos char *name = NULL; 949 1.1 christos char *header = NULL; 950 1.1.1.2 christos char namePrefix1[] = "SERVERINFO FOR "; 951 1.1.1.2 christos char namePrefix2[] = "SERVERINFOV2 FOR "; 952 1.1 christos int ret = 0; 953 1.1 christos BIO *bin = NULL; 954 1.1 christos size_t num_extensions = 0; 955 1.1 christos 956 1.1 christos if (ctx == NULL || file == NULL) { 957 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); 958 1.1 christos goto end; 959 1.1 christos } 960 1.1 christos 961 1.1.1.2 christos bin = BIO_new(BIO_s_file()); 962 1.1 christos if (bin == NULL) { 963 1.1 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB); 964 1.1 christos goto end; 965 1.1 christos } 966 1.1 christos if (BIO_read_filename(bin, file) <= 0) { 967 1.1 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB); 968 1.1 christos goto end; 969 1.1 christos } 970 1.1 christos 971 1.1 christos for (num_extensions = 0;; 
num_extensions++) { 972 1.1.1.2 christos unsigned int version; 973 1.1.1.2 christos size_t append_length; 974 1.1.1.2 christos 975 1.1 christos if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) 976 1.1 christos == 0) { 977 1.1 christos /* 978 1.1 christos * There must be at least one extension in this file 979 1.1 christos */ 980 1.1 christos if (num_extensions == 0) { 981 1.1 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 982 1.1 christos SSL_R_NO_PEM_EXTENSIONS); 983 1.1 christos goto end; 984 1.1 christos } else /* End of file, we're done */ 985 1.1 christos break; 986 1.1 christos } 987 1.1 christos /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ 988 1.1.1.2 christos if (strlen(name) < strlen(namePrefix1)) { 989 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT); 990 1.1 christos goto end; 991 1.1 christos } 992 1.1.1.2 christos if (strncmp(name, namePrefix1, strlen(namePrefix1)) == 0) { 993 1.1.1.2 christos version = SSL_SERVERINFOV1; 994 1.1.1.2 christos } else { 995 1.1.1.2 christos if (strlen(name) < strlen(namePrefix2)) { 996 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 997 1.1.1.2 christos SSL_R_PEM_NAME_TOO_SHORT); 998 1.1.1.2 christos goto end; 999 1.1.1.2 christos } 1000 1.1.1.2 christos if (strncmp(name, namePrefix2, strlen(namePrefix2)) != 0) { 1001 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 1002 1.1.1.2 christos SSL_R_PEM_NAME_BAD_PREFIX); 1003 1.1.1.2 christos goto end; 1004 1.1.1.2 christos } 1005 1.1.1.2 christos version = SSL_SERVERINFOV2; 1006 1.1 christos } 1007 1.1 christos /* 1008 1.1 christos * Check that the decoded PEM data is plausible (valid length field) 1009 1.1 christos */ 1010 1.1.1.2 christos if (version == SSL_SERVERINFOV1) { 1011 1.1.1.2 christos /* 4 byte header: 2 bytes type, 2 bytes len */ 1012 1.1.1.2 christos if (extension_length < 4 1013 1.1.1.2 christos || (extension[2] << 8) + extension[3] 1014 1.1.1.2 christos != 
extension_length - 4) { 1015 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); 1016 1.1.1.2 christos goto end; 1017 1.1.1.2 christos } 1018 1.1.1.2 christos } else { 1019 1.1.1.2 christos /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */ 1020 1.1.1.2 christos if (extension_length < 8 1021 1.1.1.2 christos || (extension[6] << 8) + extension[7] 1022 1.1.1.2 christos != extension_length - 8) { 1023 1.1.1.2 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); 1024 1.1.1.2 christos goto end; 1025 1.1.1.2 christos } 1026 1.1 christos } 1027 1.1 christos /* Append the decoded extension to the serverinfo buffer */ 1028 1.1.1.2 christos append_length = extension_append_length(version, extension_length); 1029 1.1.1.2 christos tmp = OPENSSL_realloc(serverinfo, serverinfo_length + append_length); 1030 1.1.1.2 christos if (tmp == NULL) { 1031 1.1 christos SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); 1032 1.1 christos goto end; 1033 1.1 christos } 1034 1.1.1.2 christos serverinfo = tmp; 1035 1.1.1.2 christos extension_append(version, extension, extension_length, 1036 1.1.1.2 christos serverinfo + serverinfo_length); 1037 1.1.1.2 christos serverinfo_length += append_length; 1038 1.1 christos 1039 1.1 christos OPENSSL_free(name); 1040 1.1 christos name = NULL; 1041 1.1 christos OPENSSL_free(header); 1042 1.1 christos header = NULL; 1043 1.1 christos OPENSSL_free(extension); 1044 1.1 christos extension = NULL; 1045 1.1 christos } 1046 1.1 christos 1047 1.1.1.2 christos ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, serverinfo, 1048 1.1.1.2 christos serverinfo_length); 1049 1.1 christos end: 1050 1.1 christos /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. 
*/ 1051 1.1 christos OPENSSL_free(name); 1052 1.1 christos OPENSSL_free(header); 1053 1.1 christos OPENSSL_free(extension); 1054 1.1 christos OPENSSL_free(serverinfo); 1055 1.1.1.2 christos BIO_free(bin); 1056 1.1.1.2 christos return ret; 1057 1.1.1.2 christos } 1058 1.1.1.2 christos 1059 1.1.1.2 christos static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, 1060 1.1.1.2 christos STACK_OF(X509) *chain, int override) 1061 1.1.1.2 christos { 1062 1.1.1.2 christos int ret = 0; 1063 1.1.1.2 christos size_t i; 1064 1.1.1.2 christos int j; 1065 1.1.1.2 christos int rv; 1066 1.1.1.2 christos CERT *c = ssl != NULL ? ssl->cert : ctx->cert; 1067 1.1.1.2 christos STACK_OF(X509) *dup_chain = NULL; 1068 1.1.1.2 christos EVP_PKEY *pubkey = NULL; 1069 1.1.1.2 christos 1070 1.1.1.2 christos /* Do all security checks before anything else */ 1071 1.1.1.2 christos rv = ssl_security_cert(ssl, ctx, x509, 0, 1); 1072 1.1.1.2 christos if (rv != 1) { 1073 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); 1074 1.1.1.2 christos goto out; 1075 1.1.1.2 christos } 1076 1.1.1.2 christos for (j = 0; j < sk_X509_num(chain); j++) { 1077 1.1.1.2 christos rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0); 1078 1.1.1.2 christos if (rv != 1) { 1079 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); 1080 1.1.1.2 christos goto out; 1081 1.1.1.2 christos } 1082 1.1.1.2 christos } 1083 1.1.1.2 christos 1084 1.1.1.2 christos pubkey = X509_get_pubkey(x509); /* bumps reference */ 1085 1.1.1.2 christos if (pubkey == NULL) 1086 1.1.1.2 christos goto out; 1087 1.1.1.2 christos if (privatekey == NULL) { 1088 1.1.1.2 christos privatekey = pubkey; 1089 1.1.1.2 christos } else { 1090 1.1.1.2 christos /* For RSA, which has no parameters, missing returns 0 */ 1091 1.1.1.2 christos if (EVP_PKEY_missing_parameters(privatekey)) { 1092 1.1.1.2 christos if (EVP_PKEY_missing_parameters(pubkey)) { 1093 1.1.1.2 christos /* nobody has parameters? 
- error */ 1094 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS); 1095 1.1.1.2 christos goto out; 1096 1.1.1.2 christos } else { 1097 1.1.1.2 christos /* copy to privatekey from pubkey */ 1098 1.1.1.2 christos EVP_PKEY_copy_parameters(privatekey, pubkey); 1099 1.1.1.2 christos } 1100 1.1.1.2 christos } else if (EVP_PKEY_missing_parameters(pubkey)) { 1101 1.1.1.2 christos /* copy to pubkey from privatekey */ 1102 1.1.1.2 christos EVP_PKEY_copy_parameters(pubkey, privatekey); 1103 1.1.1.2 christos } /* else both have parameters */ 1104 1.1.1.2 christos 1105 1.1.1.2 christos /* check that key <-> cert match */ 1106 1.1.1.2 christos if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { 1107 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); 1108 1.1.1.2 christos goto out; 1109 1.1.1.2 christos } 1110 1.1.1.2 christos } 1111 1.1.1.2 christos if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) { 1112 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1113 1.1.1.2 christos goto out; 1114 1.1.1.2 christos } 1115 1.1.1.2 christos 1116 1.1.1.2 christos if (!override && (c->pkeys[i].x509 != NULL 1117 1.1.1.2 christos || c->pkeys[i].privatekey != NULL 1118 1.1.1.2 christos || c->pkeys[i].chain != NULL)) { 1119 1.1.1.2 christos /* No override, and something already there */ 1120 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE); 1121 1.1.1.2 christos goto out; 1122 1.1.1.2 christos } 1123 1.1.1.2 christos 1124 1.1.1.2 christos if (chain != NULL) { 1125 1.1.1.2 christos dup_chain = X509_chain_up_ref(chain); 1126 1.1.1.2 christos if (dup_chain == NULL) { 1127 1.1.1.2 christos SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE); 1128 1.1.1.2 christos goto out; 1129 1.1.1.2 christos } 1130 1.1.1.2 christos } 1131 1.1.1.2 christos 1132 1.1.1.2 christos sk_X509_pop_free(c->pkeys[i].chain, X509_free); 1133 1.1.1.2 christos c->pkeys[i].chain = dup_chain; 1134 1.1.1.2 
christos 1135 1.1.1.2 christos X509_free(c->pkeys[i].x509); 1136 1.1.1.2 christos X509_up_ref(x509); 1137 1.1.1.2 christos c->pkeys[i].x509 = x509; 1138 1.1.1.2 christos 1139 1.1.1.2 christos EVP_PKEY_free(c->pkeys[i].privatekey); 1140 1.1.1.2 christos EVP_PKEY_up_ref(privatekey); 1141 1.1.1.2 christos c->pkeys[i].privatekey = privatekey; 1142 1.1.1.2 christos 1143 1.1.1.2 christos c->key = &(c->pkeys[i]); 1144 1.1.1.2 christos 1145 1.1.1.2 christos ret = 1; 1146 1.1.1.2 christos out: 1147 1.1.1.2 christos EVP_PKEY_free(pubkey); 1148 1.1 christos return ret; 1149 1.1 christos } 1150 1.1.1.2 christos 1151 1.1.1.2 christos int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey, 1152 1.1.1.2 christos STACK_OF(X509) *chain, int override) 1153 1.1.1.2 christos { 1154 1.1.1.2 christos return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override); 1155 1.1.1.2 christos } 1156 1.1.1.2 christos 1157 1.1.1.2 christos int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, 1158 1.1.1.2 christos STACK_OF(X509) *chain, int override) 1159 1.1.1.2 christos { 1160 1.1.1.2 christos return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override); 1161 1.1.1.2 christos } 1162