VirtualBox

source: vbox/trunk/src/libs/openssl-1.1.0g/ssl/ssl_rsa.c@ 69881

Last change on this file since 69881 was 69881, checked in by vboxsync, 7 years ago

Update OpenSSL to 1.1.0g.
bugref:8070: src/libs maintenance
  • Property svn:eol-style set to native
File size: 27.1 KB
Line 
1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "ssl_locl.h"
12#include <openssl/bio.h>
13#include <openssl/objects.h>
14#include <openssl/evp.h>
15#include <openssl/x509.h>
16#include <openssl/pem.h>
17
18static int ssl_set_cert(CERT *c, X509 *x509);
19static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
20int SSL_use_certificate(SSL *ssl, X509 *x)
21{
22 int rv;
23 if (x == NULL) {
24 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
25 return (0);
26 }
27 rv = ssl_security_cert(ssl, NULL, x, 0, 1);
28 if (rv != 1) {
29 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
30 return 0;
31 }
32
33 return (ssl_set_cert(ssl->cert, x));
34}
35
36int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
37{
38 int j;
39 BIO *in;
40 int ret = 0;
41 X509 *x = NULL;
42
43 in = BIO_new(BIO_s_file());
44 if (in == NULL) {
45 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
46 goto end;
47 }
48
49 if (BIO_read_filename(in, file) <= 0) {
50 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
51 goto end;
52 }
53 if (type == SSL_FILETYPE_ASN1) {
54 j = ERR_R_ASN1_LIB;
55 x = d2i_X509_bio(in, NULL);
56 } else if (type == SSL_FILETYPE_PEM) {
57 j = ERR_R_PEM_LIB;
58 x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback,
59 ssl->default_passwd_callback_userdata);
60 } else {
61 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
62 goto end;
63 }
64
65 if (x == NULL) {
66 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
67 goto end;
68 }
69
70 ret = SSL_use_certificate(ssl, x);
71 end:
72 X509_free(x);
73 BIO_free(in);
74 return (ret);
75}
76
77int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
78{
79 X509 *x;
80 int ret;
81
82 x = d2i_X509(NULL, &d, (long)len);
83 if (x == NULL) {
84 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
85 return (0);
86 }
87
88 ret = SSL_use_certificate(ssl, x);
89 X509_free(x);
90 return (ret);
91}
92
93#ifndef OPENSSL_NO_RSA
94int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
95{
96 EVP_PKEY *pkey;
97 int ret;
98
99 if (rsa == NULL) {
100 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
101 return (0);
102 }
103 if ((pkey = EVP_PKEY_new()) == NULL) {
104 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
105 return (0);
106 }
107
108 RSA_up_ref(rsa);
109 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
110 RSA_free(rsa);
111 EVP_PKEY_free(pkey);
112 return 0;
113 }
114
115 ret = ssl_set_pkey(ssl->cert, pkey);
116 EVP_PKEY_free(pkey);
117 return (ret);
118}
119#endif
120
121static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
122{
123 int i;
124 i = ssl_cert_type(NULL, pkey);
125 if (i < 0) {
126 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
127 return (0);
128 }
129
130 if (c->pkeys[i].x509 != NULL) {
131 EVP_PKEY *pktmp;
132 pktmp = X509_get0_pubkey(c->pkeys[i].x509);
133 if (pktmp == NULL) {
134 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
135 return 0;
136 }
137 /*
138 * The return code from EVP_PKEY_copy_parameters is deliberately
139 * ignored. Some EVP_PKEY types cannot do this.
140 */
141 EVP_PKEY_copy_parameters(pktmp, pkey);
142 ERR_clear_error();
143
144#ifndef OPENSSL_NO_RSA
145 /*
146 * Don't check the public/private key, this is mostly for smart
147 * cards.
148 */
149 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
150 && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
151 else
152#endif
153 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
154 X509_free(c->pkeys[i].x509);
155 c->pkeys[i].x509 = NULL;
156 return 0;
157 }
158 }
159
160 EVP_PKEY_free(c->pkeys[i].privatekey);
161 EVP_PKEY_up_ref(pkey);
162 c->pkeys[i].privatekey = pkey;
163 c->key = &(c->pkeys[i]);
164 return (1);
165}
166
167#ifndef OPENSSL_NO_RSA
168int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
169{
170 int j, ret = 0;
171 BIO *in;
172 RSA *rsa = NULL;
173
174 in = BIO_new(BIO_s_file());
175 if (in == NULL) {
176 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
177 goto end;
178 }
179
180 if (BIO_read_filename(in, file) <= 0) {
181 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
182 goto end;
183 }
184 if (type == SSL_FILETYPE_ASN1) {
185 j = ERR_R_ASN1_LIB;
186 rsa = d2i_RSAPrivateKey_bio(in, NULL);
187 } else if (type == SSL_FILETYPE_PEM) {
188 j = ERR_R_PEM_LIB;
189 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
190 ssl->default_passwd_callback,
191 ssl->default_passwd_callback_userdata);
192 } else {
193 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
194 goto end;
195 }
196 if (rsa == NULL) {
197 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
198 goto end;
199 }
200 ret = SSL_use_RSAPrivateKey(ssl, rsa);
201 RSA_free(rsa);
202 end:
203 BIO_free(in);
204 return (ret);
205}
206
207int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
208{
209 int ret;
210 const unsigned char *p;
211 RSA *rsa;
212
213 p = d;
214 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
215 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
216 return (0);
217 }
218
219 ret = SSL_use_RSAPrivateKey(ssl, rsa);
220 RSA_free(rsa);
221 return (ret);
222}
223#endif /* !OPENSSL_NO_RSA */
224
225int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
226{
227 int ret;
228
229 if (pkey == NULL) {
230 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
231 return (0);
232 }
233 ret = ssl_set_pkey(ssl->cert, pkey);
234 return (ret);
235}
236
237int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
238{
239 int j, ret = 0;
240 BIO *in;
241 EVP_PKEY *pkey = NULL;
242
243 in = BIO_new(BIO_s_file());
244 if (in == NULL) {
245 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
246 goto end;
247 }
248
249 if (BIO_read_filename(in, file) <= 0) {
250 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
251 goto end;
252 }
253 if (type == SSL_FILETYPE_PEM) {
254 j = ERR_R_PEM_LIB;
255 pkey = PEM_read_bio_PrivateKey(in, NULL,
256 ssl->default_passwd_callback,
257 ssl->default_passwd_callback_userdata);
258 } else if (type == SSL_FILETYPE_ASN1) {
259 j = ERR_R_ASN1_LIB;
260 pkey = d2i_PrivateKey_bio(in, NULL);
261 } else {
262 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
263 goto end;
264 }
265 if (pkey == NULL) {
266 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
267 goto end;
268 }
269 ret = SSL_use_PrivateKey(ssl, pkey);
270 EVP_PKEY_free(pkey);
271 end:
272 BIO_free(in);
273 return (ret);
274}
275
276int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d,
277 long len)
278{
279 int ret;
280 const unsigned char *p;
281 EVP_PKEY *pkey;
282
283 p = d;
284 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
285 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
286 return (0);
287 }
288
289 ret = SSL_use_PrivateKey(ssl, pkey);
290 EVP_PKEY_free(pkey);
291 return (ret);
292}
293
294int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
295{
296 int rv;
297 if (x == NULL) {
298 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
299 return (0);
300 }
301 rv = ssl_security_cert(NULL, ctx, x, 0, 1);
302 if (rv != 1) {
303 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
304 return 0;
305 }
306 return (ssl_set_cert(ctx->cert, x));
307}
308
309static int ssl_set_cert(CERT *c, X509 *x)
310{
311 EVP_PKEY *pkey;
312 int i;
313
314 pkey = X509_get0_pubkey(x);
315 if (pkey == NULL) {
316 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
317 return (0);
318 }
319
320 i = ssl_cert_type(x, pkey);
321 if (i < 0) {
322 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
323 return 0;
324 }
325#ifndef OPENSSL_NO_EC
326 if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {
327 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
328 return 0;
329 }
330#endif
331 if (c->pkeys[i].privatekey != NULL) {
332 /*
333 * The return code from EVP_PKEY_copy_parameters is deliberately
334 * ignored. Some EVP_PKEY types cannot do this.
335 */
336 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
337 ERR_clear_error();
338
339#ifndef OPENSSL_NO_RSA
340 /*
341 * Don't check the public/private key, this is mostly for smart
342 * cards.
343 */
344 if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
345 && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
346 RSA_METHOD_FLAG_NO_CHECK) ;
347 else
348#endif /* OPENSSL_NO_RSA */
349 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
350 /*
351 * don't fail for a cert/key mismatch, just free current private
352 * key (when switching to a different cert & key, first this
353 * function should be used, then ssl_set_pkey
354 */
355 EVP_PKEY_free(c->pkeys[i].privatekey);
356 c->pkeys[i].privatekey = NULL;
357 /* clear error queue */
358 ERR_clear_error();
359 }
360 }
361
362 X509_free(c->pkeys[i].x509);
363 X509_up_ref(x);
364 c->pkeys[i].x509 = x;
365 c->key = &(c->pkeys[i]);
366
367 return 1;
368}
369
370int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
371{
372 int j;
373 BIO *in;
374 int ret = 0;
375 X509 *x = NULL;
376
377 in = BIO_new(BIO_s_file());
378 if (in == NULL) {
379 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
380 goto end;
381 }
382
383 if (BIO_read_filename(in, file) <= 0) {
384 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
385 goto end;
386 }
387 if (type == SSL_FILETYPE_ASN1) {
388 j = ERR_R_ASN1_LIB;
389 x = d2i_X509_bio(in, NULL);
390 } else if (type == SSL_FILETYPE_PEM) {
391 j = ERR_R_PEM_LIB;
392 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
393 ctx->default_passwd_callback_userdata);
394 } else {
395 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
396 goto end;
397 }
398
399 if (x == NULL) {
400 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
401 goto end;
402 }
403
404 ret = SSL_CTX_use_certificate(ctx, x);
405 end:
406 X509_free(x);
407 BIO_free(in);
408 return (ret);
409}
410
411int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
412{
413 X509 *x;
414 int ret;
415
416 x = d2i_X509(NULL, &d, (long)len);
417 if (x == NULL) {
418 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
419 return (0);
420 }
421
422 ret = SSL_CTX_use_certificate(ctx, x);
423 X509_free(x);
424 return (ret);
425}
426
427#ifndef OPENSSL_NO_RSA
428int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
429{
430 int ret;
431 EVP_PKEY *pkey;
432
433 if (rsa == NULL) {
434 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
435 return (0);
436 }
437 if ((pkey = EVP_PKEY_new()) == NULL) {
438 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
439 return (0);
440 }
441
442 RSA_up_ref(rsa);
443 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
444 RSA_free(rsa);
445 EVP_PKEY_free(pkey);
446 return 0;
447 }
448
449 ret = ssl_set_pkey(ctx->cert, pkey);
450 EVP_PKEY_free(pkey);
451 return (ret);
452}
453
454int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
455{
456 int j, ret = 0;
457 BIO *in;
458 RSA *rsa = NULL;
459
460 in = BIO_new(BIO_s_file());
461 if (in == NULL) {
462 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
463 goto end;
464 }
465
466 if (BIO_read_filename(in, file) <= 0) {
467 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
468 goto end;
469 }
470 if (type == SSL_FILETYPE_ASN1) {
471 j = ERR_R_ASN1_LIB;
472 rsa = d2i_RSAPrivateKey_bio(in, NULL);
473 } else if (type == SSL_FILETYPE_PEM) {
474 j = ERR_R_PEM_LIB;
475 rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
476 ctx->default_passwd_callback,
477 ctx->default_passwd_callback_userdata);
478 } else {
479 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
480 goto end;
481 }
482 if (rsa == NULL) {
483 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
484 goto end;
485 }
486 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
487 RSA_free(rsa);
488 end:
489 BIO_free(in);
490 return (ret);
491}
492
493int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
494 long len)
495{
496 int ret;
497 const unsigned char *p;
498 RSA *rsa;
499
500 p = d;
501 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
502 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
503 return (0);
504 }
505
506 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
507 RSA_free(rsa);
508 return (ret);
509}
510#endif /* !OPENSSL_NO_RSA */
511
512int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
513{
514 if (pkey == NULL) {
515 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
516 return (0);
517 }
518 return (ssl_set_pkey(ctx->cert, pkey));
519}
520
521int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
522{
523 int j, ret = 0;
524 BIO *in;
525 EVP_PKEY *pkey = NULL;
526
527 in = BIO_new(BIO_s_file());
528 if (in == NULL) {
529 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
530 goto end;
531 }
532
533 if (BIO_read_filename(in, file) <= 0) {
534 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
535 goto end;
536 }
537 if (type == SSL_FILETYPE_PEM) {
538 j = ERR_R_PEM_LIB;
539 pkey = PEM_read_bio_PrivateKey(in, NULL,
540 ctx->default_passwd_callback,
541 ctx->default_passwd_callback_userdata);
542 } else if (type == SSL_FILETYPE_ASN1) {
543 j = ERR_R_ASN1_LIB;
544 pkey = d2i_PrivateKey_bio(in, NULL);
545 } else {
546 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
547 goto end;
548 }
549 if (pkey == NULL) {
550 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
551 goto end;
552 }
553 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
554 EVP_PKEY_free(pkey);
555 end:
556 BIO_free(in);
557 return (ret);
558}
559
560int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
561 const unsigned char *d, long len)
562{
563 int ret;
564 const unsigned char *p;
565 EVP_PKEY *pkey;
566
567 p = d;
568 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {
569 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
570 return (0);
571 }
572
573 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
574 EVP_PKEY_free(pkey);
575 return (ret);
576}
577
578/*
579 * Read a file that contains our certificate in "PEM" format, possibly
580 * followed by a sequence of CA certificates that should be sent to the peer
581 * in the Certificate message.
582 */
583static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
584{
585 BIO *in;
586 int ret = 0;
587 X509 *x = NULL;
588 pem_password_cb *passwd_callback;
589 void *passwd_callback_userdata;
590
591 ERR_clear_error(); /* clear error stack for
592 * SSL_CTX_use_certificate() */
593
594 if (ctx != NULL) {
595 passwd_callback = ctx->default_passwd_callback;
596 passwd_callback_userdata = ctx->default_passwd_callback_userdata;
597 } else {
598 passwd_callback = ssl->default_passwd_callback;
599 passwd_callback_userdata = ssl->default_passwd_callback_userdata;
600 }
601
602 in = BIO_new(BIO_s_file());
603 if (in == NULL) {
604 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
605 goto end;
606 }
607
608 if (BIO_read_filename(in, file) <= 0) {
609 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
610 goto end;
611 }
612
613 x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
614 passwd_callback_userdata);
615 if (x == NULL) {
616 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
617 goto end;
618 }
619
620 if (ctx)
621 ret = SSL_CTX_use_certificate(ctx, x);
622 else
623 ret = SSL_use_certificate(ssl, x);
624
625 if (ERR_peek_error() != 0)
626 ret = 0; /* Key/certificate mismatch doesn't imply
627 * ret==0 ... */
628 if (ret) {
629 /*
630 * If we could set up our certificate, now proceed to the CA
631 * certificates.
632 */
633 X509 *ca;
634 int r;
635 unsigned long err;
636
637 if (ctx)
638 r = SSL_CTX_clear_chain_certs(ctx);
639 else
640 r = SSL_clear_chain_certs(ssl);
641
642 if (r == 0) {
643 ret = 0;
644 goto end;
645 }
646
647 while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
648 passwd_callback_userdata))
649 != NULL) {
650 if (ctx)
651 r = SSL_CTX_add0_chain_cert(ctx, ca);
652 else
653 r = SSL_add0_chain_cert(ssl, ca);
654 /*
655 * Note that we must not free ca if it was successfully added to
656 * the chain (while we must free the main certificate, since its
657 * reference count is increased by SSL_CTX_use_certificate).
658 */
659 if (!r) {
660 X509_free(ca);
661 ret = 0;
662 goto end;
663 }
664 }
665 /* When the while loop ends, it's usually just EOF. */
666 err = ERR_peek_last_error();
667 if (ERR_GET_LIB(err) == ERR_LIB_PEM
668 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
669 ERR_clear_error();
670 else
671 ret = 0; /* some real error */
672 }
673
674 end:
675 X509_free(x);
676 BIO_free(in);
677 return (ret);
678}
679
680int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
681{
682 return use_certificate_chain_file(ctx, NULL, file);
683}
684
685int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
686{
687 return use_certificate_chain_file(NULL, ssl, file);
688}
689
690static int serverinfo_find_extension(const unsigned char *serverinfo,
691 size_t serverinfo_length,
692 unsigned int extension_type,
693 const unsigned char **extension_data,
694 size_t *extension_length)
695{
696 *extension_data = NULL;
697 *extension_length = 0;
698 if (serverinfo == NULL || serverinfo_length == 0)
699 return -1;
700 for (;;) {
701 unsigned int type = 0;
702 size_t len = 0;
703
704 /* end of serverinfo */
705 if (serverinfo_length == 0)
706 return 0; /* Extension not found */
707
708 /* read 2-byte type field */
709 if (serverinfo_length < 2)
710 return -1; /* Error */
711 type = (serverinfo[0] << 8) + serverinfo[1];
712 serverinfo += 2;
713 serverinfo_length -= 2;
714
715 /* read 2-byte len field */
716 if (serverinfo_length < 2)
717 return -1; /* Error */
718 len = (serverinfo[0] << 8) + serverinfo[1];
719 serverinfo += 2;
720 serverinfo_length -= 2;
721
722 if (len > serverinfo_length)
723 return -1; /* Error */
724
725 if (type == extension_type) {
726 *extension_data = serverinfo;
727 *extension_length = len;
728 return 1; /* Success */
729 }
730
731 serverinfo += len;
732 serverinfo_length -= len;
733 }
734 /* Unreachable */
735}
736
737static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
738 const unsigned char *in,
739 size_t inlen, int *al, void *arg)
740{
741
742 if (inlen != 0) {
743 *al = SSL_AD_DECODE_ERROR;
744 return 0;
745 }
746
747 return 1;
748}
749
750static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
751 const unsigned char **out, size_t *outlen,
752 int *al, void *arg)
753{
754 const unsigned char *serverinfo = NULL;
755 size_t serverinfo_length = 0;
756
757 /* Is there serverinfo data for the chosen server cert? */
758 if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
759 &serverinfo_length)) != 0) {
760 /* Find the relevant extension from the serverinfo */
761 int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
762 ext_type, out, outlen);
763 if (retval == -1) {
764 *al = SSL_AD_DECODE_ERROR;
765 return -1; /* Error */
766 }
767 if (retval == 0)
768 return 0; /* No extension found, don't send extension */
769 return 1; /* Send extension */
770 }
771 return 0; /* No serverinfo data found, don't send
772 * extension */
773}
774
775/*
776 * With a NULL context, this function just checks that the serverinfo data
777 * parses correctly. With a non-NULL context, it registers callbacks for
778 * the included extensions.
779 */
780static int serverinfo_process_buffer(const unsigned char *serverinfo,
781 size_t serverinfo_length, SSL_CTX *ctx)
782{
783 if (serverinfo == NULL || serverinfo_length == 0)
784 return 0;
785 for (;;) {
786 unsigned int ext_type = 0;
787 size_t len = 0;
788
789 /* end of serverinfo */
790 if (serverinfo_length == 0)
791 return 1;
792
793 /* read 2-byte type field */
794 if (serverinfo_length < 2)
795 return 0;
796 /* FIXME: check for types we understand explicitly? */
797
798 /* Register callbacks for extensions */
799 ext_type = (serverinfo[0] << 8) + serverinfo[1];
800 if (ctx) {
801 int have_ext_cbs = 0;
802 size_t i;
803 custom_ext_methods *exts = &ctx->cert->srv_ext;
804 custom_ext_method *meth = exts->meths;
805
806 for (i = 0; i < exts->meths_count; i++, meth++) {
807 if (ext_type == meth->ext_type) {
808 have_ext_cbs = 1;
809 break;
810 }
811 }
812
813 if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
814 serverinfo_srv_add_cb,
815 NULL, NULL,
816 serverinfo_srv_parse_cb,
817 NULL))
818 return 0;
819 }
820
821 serverinfo += 2;
822 serverinfo_length -= 2;
823
824 /* read 2-byte len field */
825 if (serverinfo_length < 2)
826 return 0;
827 len = (serverinfo[0] << 8) + serverinfo[1];
828 serverinfo += 2;
829 serverinfo_length -= 2;
830
831 if (len > serverinfo_length)
832 return 0;
833
834 serverinfo += len;
835 serverinfo_length -= len;
836 }
837}
838
839int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
840 size_t serverinfo_length)
841{
842 unsigned char *new_serverinfo;
843
844 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) {
845 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER);
846 return 0;
847 }
848 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) {
849 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
850 return 0;
851 }
852 if (ctx->cert->key == NULL) {
853 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
854 return 0;
855 }
856 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
857 serverinfo_length);
858 if (new_serverinfo == NULL) {
859 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
860 return 0;
861 }
862 ctx->cert->key->serverinfo = new_serverinfo;
863 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
864 ctx->cert->key->serverinfo_length = serverinfo_length;
865
866 /*
867 * Now that the serverinfo is validated and stored, go ahead and
868 * register callbacks.
869 */
870 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) {
871 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
872 return 0;
873 }
874 return 1;
875}
876
877int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
878{
879 unsigned char *serverinfo = NULL;
880 unsigned char *tmp;
881 size_t serverinfo_length = 0;
882 unsigned char *extension = 0;
883 long extension_length = 0;
884 char *name = NULL;
885 char *header = NULL;
886 char namePrefix[] = "SERVERINFO FOR ";
887 int ret = 0;
888 BIO *bin = NULL;
889 size_t num_extensions = 0;
890
891 if (ctx == NULL || file == NULL) {
892 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);
893 goto end;
894 }
895
896 bin = BIO_new(BIO_s_file());
897 if (bin == NULL) {
898 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);
899 goto end;
900 }
901 if (BIO_read_filename(bin, file) <= 0) {
902 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);
903 goto end;
904 }
905
906 for (num_extensions = 0;; num_extensions++) {
907 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)
908 == 0) {
909 /*
910 * There must be at least one extension in this file
911 */
912 if (num_extensions == 0) {
913 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
914 SSL_R_NO_PEM_EXTENSIONS);
915 goto end;
916 } else /* End of file, we're done */
917 break;
918 }
919 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
920 if (strlen(name) < strlen(namePrefix)) {
921 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
922 goto end;
923 }
924 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
925 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
926 SSL_R_PEM_NAME_BAD_PREFIX);
927 goto end;
928 }
929 /*
930 * Check that the decoded PEM data is plausible (valid length field)
931 */
932 if (extension_length < 4
933 || (extension[2] << 8) + extension[3] != extension_length - 4) {
934 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);
935 goto end;
936 }
937 /* Append the decoded extension to the serverinfo buffer */
938 tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
939 if (tmp == NULL) {
940 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
941 goto end;
942 }
943 serverinfo = tmp;
944 memcpy(serverinfo + serverinfo_length, extension, extension_length);
945 serverinfo_length += extension_length;
946
947 OPENSSL_free(name);
948 name = NULL;
949 OPENSSL_free(header);
950 header = NULL;
951 OPENSSL_free(extension);
952 extension = NULL;
953 }
954
955 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
956 end:
957 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
958 OPENSSL_free(name);
959 OPENSSL_free(header);
960 OPENSSL_free(extension);
961 OPENSSL_free(serverinfo);
962 BIO_free(bin);
963 return ret;
964}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette