1 /* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "ssl_locl.h" 12 #include <openssl/bio.h> 13 #include <openssl/objects.h> 14 #include <openssl/evp.h> 15 #include <openssl/x509.h> 16 #include <openssl/pem.h> 17 18 static int ssl_set_cert(CERT *c, X509 *x509); 19 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); 20 int SSL_use_certificate(SSL *ssl, X509 *x) 21 { 22 int rv; 23 if (x == NULL) { 24 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 25 return (0); 26 } 27 rv = ssl_security_cert(ssl, NULL, x, 0, 1); 28 if (rv != 1) { 29 SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv); 30 return 0; 31 } 32 33 return (ssl_set_cert(ssl->cert, x)); 34 } 35 36 int SSL_use_certificate_file(SSL *ssl, const char *file, int type) 37 { 38 int j; 39 BIO *in; 40 int ret = 0; 41 X509 *x = NULL; 42 43 in = BIO_new(BIO_s_file()); 44 if (in == NULL) { 45 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 46 goto end; 47 } 48 49 if (BIO_read_filename(in, file) <= 0) { 50 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 51 goto end; 52 } 53 if (type == SSL_FILETYPE_ASN1) { 54 j = ERR_R_ASN1_LIB; 55 x = d2i_X509_bio(in, NULL); 56 } else if (type == SSL_FILETYPE_PEM) { 57 j = ERR_R_PEM_LIB; 58 x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback, 59 ssl->default_passwd_callback_userdata); 60 } else { 61 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 62 goto end; 63 } 64 65 if (x == NULL) { 66 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); 67 goto end; 68 } 69 70 ret = SSL_use_certificate(ssl, x); 71 end: 72 X509_free(x); 73 BIO_free(in); 74 return (ret); 75 } 76 77 int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) 78 { 79 X509 *x; 80 int ret; 81 82 x = d2i_X509(NULL, &d, (long)len); 83 if (x == NULL) { 84 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 85 return (0); 86 } 87 88 ret = SSL_use_certificate(ssl, x); 89 X509_free(x); 90 return (ret); 91 } 92 93 #ifndef OPENSSL_NO_RSA 94 int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 95 { 96 EVP_PKEY *pkey; 97 int ret; 98 99 if (rsa == NULL) { 100 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 101 return (0); 102 } 103 if ((pkey = EVP_PKEY_new()) == NULL) { 104 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 105 return (0); 106 } 107 108 RSA_up_ref(rsa); 109 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { 110 RSA_free(rsa); 111 EVP_PKEY_free(pkey); 112 return 0; 113 } 114 115 ret = ssl_set_pkey(ssl->cert, pkey); 116 EVP_PKEY_free(pkey); 117 return (ret); 118 } 119 #endif 120 121 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 122 { 123 int i; 124 i = ssl_cert_type(NULL, pkey); 125 if (i < 0) { 126 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 127 return (0); 128 } 129 130 if (c->pkeys[i].x509 != NULL) { 131 EVP_PKEY *pktmp; 132 pktmp = X509_get0_pubkey(c->pkeys[i].x509); 133 if (pktmp == NULL) { 134 SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE); 135 return 0; 136 } 137 /* 138 * The return code from EVP_PKEY_copy_parameters is deliberately 139 * ignored. Some EVP_PKEY types cannot do this. 140 */ 141 EVP_PKEY_copy_parameters(pktmp, pkey); 142 ERR_clear_error(); 143 144 #ifndef OPENSSL_NO_RSA 145 /* 146 * Don't check the public/private key, this is mostly for smart 147 * cards. 148 */ 149 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA 150 && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ; 151 else 152 #endif 153 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 154 X509_free(c->pkeys[i].x509); 155 c->pkeys[i].x509 = NULL; 156 return 0; 157 } 158 } 159 160 EVP_PKEY_free(c->pkeys[i].privatekey); 161 EVP_PKEY_up_ref(pkey); 162 c->pkeys[i].privatekey = pkey; 163 c->key = &(c->pkeys[i]); 164 return (1); 165 } 166 167 #ifndef OPENSSL_NO_RSA 168 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 169 { 170 int j, ret = 0; 171 BIO *in; 172 RSA *rsa = NULL; 173 174 in = BIO_new(BIO_s_file()); 175 if (in == NULL) { 176 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 177 goto end; 178 } 179 180 if (BIO_read_filename(in, file) <= 0) { 181 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 182 goto end; 183 } 184 if (type == SSL_FILETYPE_ASN1) { 185 j = ERR_R_ASN1_LIB; 186 rsa = d2i_RSAPrivateKey_bio(in, NULL); 187 } else if (type == SSL_FILETYPE_PEM) { 188 j = ERR_R_PEM_LIB; 189 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 190 ssl->default_passwd_callback, 191 ssl->default_passwd_callback_userdata); 192 } else { 193 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 194 goto end; 195 } 196 if (rsa == NULL) { 197 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); 198 goto end; 199 } 200 ret = SSL_use_RSAPrivateKey(ssl, rsa); 201 RSA_free(rsa); 202 end: 203 BIO_free(in); 204 return (ret); 205 } 206 207 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) 208 { 209 int ret; 210 const unsigned char *p; 211 RSA *rsa; 212 213 p = d; 214 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 215 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 216 return (0); 217 } 218 219 ret = SSL_use_RSAPrivateKey(ssl, rsa); 220 RSA_free(rsa); 221 return (ret); 222 } 223 #endif /* !OPENSSL_NO_RSA */ 224 225 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 226 { 227 int ret; 228 229 if (pkey == NULL) { 230 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 231 return (0); 232 } 233 ret = ssl_set_pkey(ssl->cert, pkey); 234 return (ret); 235 } 236 237 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) 238 { 239 int j, ret = 0; 240 BIO *in; 241 EVP_PKEY *pkey = NULL; 242 243 in = BIO_new(BIO_s_file()); 244 if (in == NULL) { 245 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 246 goto end; 247 } 248 249 if (BIO_read_filename(in, file) <= 0) { 250 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 251 goto end; 252 } 253 if (type == SSL_FILETYPE_PEM) { 254 j = ERR_R_PEM_LIB; 255 pkey = PEM_read_bio_PrivateKey(in, NULL, 256 ssl->default_passwd_callback, 257 ssl->default_passwd_callback_userdata); 258 } else if (type == SSL_FILETYPE_ASN1) { 259 j = ERR_R_ASN1_LIB; 260 pkey = d2i_PrivateKey_bio(in, NULL); 261 } else { 262 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 263 goto end; 264 } 265 if (pkey == NULL) { 266 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); 267 goto end; 268 } 269 ret = SSL_use_PrivateKey(ssl, pkey); 270 EVP_PKEY_free(pkey); 271 end: 272 BIO_free(in); 273 return (ret); 274 } 275 276 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, 277 long len) 278 { 279 int ret; 280 const unsigned char *p; 281 EVP_PKEY *pkey; 282 283 p = d; 284 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 285 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 286 return (0); 287 } 288 289 ret = SSL_use_PrivateKey(ssl, pkey); 290 EVP_PKEY_free(pkey); 291 return (ret); 292 } 293 294 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) 295 { 296 int rv; 297 if (x == NULL) { 298 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 299 return (0); 300 } 301 rv = ssl_security_cert(NULL, ctx, x, 0, 1); 302 if (rv != 1) { 303 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv); 304 return 0; 305 } 306 return (ssl_set_cert(ctx->cert, x)); 307 } 308 309 static int ssl_set_cert(CERT *c, X509 *x) 310 { 311 EVP_PKEY *pkey; 312 int i; 313 314 pkey = X509_get0_pubkey(x); 315 if (pkey == NULL) { 316 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); 317 return (0); 318 } 319 320 i = ssl_cert_type(x, pkey); 321 if (i < 0) { 322 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 323 return 0; 324 } 325 #ifndef OPENSSL_NO_EC 326 if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) { 327 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING); 328 return 0; 329 } 330 #endif 331 if (c->pkeys[i].privatekey != NULL) { 332 /* 333 * The return code from EVP_PKEY_copy_parameters is deliberately 334 * ignored. Some EVP_PKEY types cannot do this. 335 */ 336 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 337 ERR_clear_error(); 338 339 #ifndef OPENSSL_NO_RSA 340 /* 341 * Don't check the public/private key, this is mostly for smart 342 * cards. 343 */ 344 if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA 345 && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) & 346 RSA_METHOD_FLAG_NO_CHECK) ; 347 else 348 #endif /* OPENSSL_NO_RSA */ 349 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 350 /* 351 * don't fail for a cert/key mismatch, just free current private 352 * key (when switching to a different cert & key, first this 353 * function should be used, then ssl_set_pkey 354 */ 355 EVP_PKEY_free(c->pkeys[i].privatekey); 356 c->pkeys[i].privatekey = NULL; 357 /* clear error queue */ 358 ERR_clear_error(); 359 } 360 } 361 362 X509_free(c->pkeys[i].x509); 363 X509_up_ref(x); 364 c->pkeys[i].x509 = x; 365 c->key = &(c->pkeys[i]); 366 367 return 1; 368 } 369 370 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) 371 { 372 int j; 373 BIO *in; 374 int ret = 0; 375 X509 *x = NULL; 376 377 in = BIO_new(BIO_s_file()); 378 if (in == NULL) { 379 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 380 goto end; 381 } 382 383 if (BIO_read_filename(in, file) <= 0) { 384 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 385 goto end; 386 } 387 if (type == SSL_FILETYPE_ASN1) { 388 j = ERR_R_ASN1_LIB; 389 x = d2i_X509_bio(in, NULL); 390 } else if (type == SSL_FILETYPE_PEM) { 391 j = ERR_R_PEM_LIB; 392 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, 393 ctx->default_passwd_callback_userdata); 394 } else { 395 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 396 goto end; 397 } 398 399 if (x == NULL) { 400 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); 401 goto end; 402 } 403 404 ret = SSL_CTX_use_certificate(ctx, x); 405 end: 406 X509_free(x); 407 BIO_free(in); 408 return (ret); 409 } 410 411 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) 412 { 413 X509 *x; 414 int ret; 415 416 x = d2i_X509(NULL, &d, (long)len); 417 if (x == NULL) { 418 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 419 return (0); 420 } 421 422 ret = SSL_CTX_use_certificate(ctx, x); 423 X509_free(x); 424 return (ret); 425 } 426 427 #ifndef OPENSSL_NO_RSA 428 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 429 { 430 int ret; 431 EVP_PKEY *pkey; 432 433 if (rsa == NULL) { 434 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 435 return (0); 436 } 437 if ((pkey = EVP_PKEY_new()) == NULL) { 438 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 439 return (0); 440 } 441 442 RSA_up_ref(rsa); 443 if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) { 444 RSA_free(rsa); 445 EVP_PKEY_free(pkey); 446 return 0; 447 } 448 449 ret = ssl_set_pkey(ctx->cert, pkey); 450 EVP_PKEY_free(pkey); 451 return (ret); 452 } 453 454 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) 455 { 456 int j, ret = 0; 457 BIO *in; 458 RSA *rsa = NULL; 459 460 in = BIO_new(BIO_s_file()); 461 if (in == NULL) { 462 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 463 goto end; 464 } 465 466 if (BIO_read_filename(in, file) <= 0) { 467 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 468 goto end; 469 } 470 if (type == SSL_FILETYPE_ASN1) { 471 j = ERR_R_ASN1_LIB; 472 rsa = d2i_RSAPrivateKey_bio(in, NULL); 473 } else if (type == SSL_FILETYPE_PEM) { 474 j = ERR_R_PEM_LIB; 475 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 476 ctx->default_passwd_callback, 477 ctx->default_passwd_callback_userdata); 478 } else { 479 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 480 goto end; 481 } 482 if (rsa == NULL) { 483 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); 484 goto end; 485 } 486 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 487 RSA_free(rsa); 488 end: 489 BIO_free(in); 490 return (ret); 491 } 492 493 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, 494 long len) 495 { 496 int ret; 497 const unsigned char *p; 498 RSA *rsa; 499 500 p = d; 501 if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { 502 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 503 return (0); 504 } 505 506 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 507 RSA_free(rsa); 508 return (ret); 509 } 510 #endif /* !OPENSSL_NO_RSA */ 511 512 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 513 { 514 if (pkey == NULL) { 515 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 516 return (0); 517 } 518 return (ssl_set_pkey(ctx->cert, pkey)); 519 } 520 521 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) 522 { 523 int j, ret = 0; 524 BIO *in; 525 EVP_PKEY *pkey = NULL; 526 527 in = BIO_new(BIO_s_file()); 528 if (in == NULL) { 529 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 530 goto end; 531 } 532 533 if (BIO_read_filename(in, file) <= 0) { 534 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 535 goto end; 536 } 537 if (type == SSL_FILETYPE_PEM) { 538 j = ERR_R_PEM_LIB; 539 pkey = PEM_read_bio_PrivateKey(in, NULL, 540 ctx->default_passwd_callback, 541 ctx->default_passwd_callback_userdata); 542 } else if (type == SSL_FILETYPE_ASN1) { 543 j = ERR_R_ASN1_LIB; 544 pkey = d2i_PrivateKey_bio(in, NULL); 545 } else { 546 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 547 goto end; 548 } 549 if (pkey == NULL) { 550 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); 551 goto end; 552 } 553 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 554 EVP_PKEY_free(pkey); 555 end: 556 BIO_free(in); 557 return (ret); 558 } 559 560 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, 561 const unsigned char *d, long len) 562 { 563 int ret; 564 const unsigned char *p; 565 EVP_PKEY *pkey; 566 567 p = d; 568 if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { 569 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 570 return (0); 571 } 572 573 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 574 EVP_PKEY_free(pkey); 575 return (ret); 576 } 577 578 /* 579 * Read a file that contains our certificate in "PEM" format, possibly 580 * followed by a sequence of CA certificates that should be sent to the peer 581 * in the Certificate message. 582 */ 583 static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) 584 { 585 BIO *in; 586 int ret = 0; 587 X509 *x = NULL; 588 pem_password_cb *passwd_callback; 589 void *passwd_callback_userdata; 590 591 ERR_clear_error(); /* clear error stack for 592 * SSL_CTX_use_certificate() */ 593 594 if (ctx != NULL) { 595 passwd_callback = ctx->default_passwd_callback; 596 passwd_callback_userdata = ctx->default_passwd_callback_userdata; 597 } else { 598 passwd_callback = ssl->default_passwd_callback; 599 passwd_callback_userdata = ssl->default_passwd_callback_userdata; 600 } 601 602 in = BIO_new(BIO_s_file()); 603 if (in == NULL) { 604 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); 605 goto end; 606 } 607 608 if (BIO_read_filename(in, file) <= 0) { 609 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); 610 goto end; 611 } 612 613 x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback, 614 passwd_callback_userdata); 615 if (x == NULL) { 616 SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); 617 goto end; 618 } 619 620 if (ctx) 621 ret = SSL_CTX_use_certificate(ctx, x); 622 else 623 ret = SSL_use_certificate(ssl, x); 624 625 if (ERR_peek_error() != 0) 626 ret = 0; /* Key/certificate mismatch doesn't imply 627 * ret==0 ... */ 628 if (ret) { 629 /* 630 * If we could set up our certificate, now proceed to the CA 631 * certificates. 632 */ 633 X509 *ca; 634 int r; 635 unsigned long err; 636 637 if (ctx) 638 r = SSL_CTX_clear_chain_certs(ctx); 639 else 640 r = SSL_clear_chain_certs(ssl); 641 642 if (r == 0) { 643 ret = 0; 644 goto end; 645 } 646 647 while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback, 648 passwd_callback_userdata)) 649 != NULL) { 650 if (ctx) 651 r = SSL_CTX_add0_chain_cert(ctx, ca); 652 else 653 r = SSL_add0_chain_cert(ssl, ca); 654 /* 655 * Note that we must not free ca if it was successfully added to 656 * the chain (while we must free the main certificate, since its 657 * reference count is increased by SSL_CTX_use_certificate). 658 */ 659 if (!r) { 660 X509_free(ca); 661 ret = 0; 662 goto end; 663 } 664 } 665 /* When the while loop ends, it's usually just EOF. */ 666 err = ERR_peek_last_error(); 667 if (ERR_GET_LIB(err) == ERR_LIB_PEM 668 && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 669 ERR_clear_error(); 670 else 671 ret = 0; /* some real error */ 672 } 673 674 end: 675 X509_free(x); 676 BIO_free(in); 677 return (ret); 678 } 679 680 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) 681 { 682 return use_certificate_chain_file(ctx, NULL, file); 683 } 684 685 int SSL_use_certificate_chain_file(SSL *ssl, const char *file) 686 { 687 return use_certificate_chain_file(NULL, ssl, file); 688 } 689 690 static int serverinfo_find_extension(const unsigned char *serverinfo, 691 size_t serverinfo_length, 692 unsigned int extension_type, 693 const unsigned char **extension_data, 694 size_t *extension_length) 695 { 696 *extension_data = NULL; 697 *extension_length = 0; 698 if (serverinfo == NULL || serverinfo_length == 0) 699 return -1; 700 for (;;) { 701 unsigned int type = 0; 702 size_t len = 0; 703 704 /* end of serverinfo */ 705 if (serverinfo_length == 0) 706 return 0; /* Extension not found */ 707 708 /* read 2-byte type field */ 709 if (serverinfo_length < 2) 710 return -1; /* Error */ 711 type = (serverinfo[0] << 8) + serverinfo[1]; 712 serverinfo += 2; 713 serverinfo_length -= 2; 714 715 /* read 2-byte len field */ 716 if (serverinfo_length < 2) 717 return -1; /* Error */ 718 len = (serverinfo[0] << 8) + serverinfo[1]; 719 serverinfo += 2; 720 serverinfo_length -= 2; 721 722 if (len > serverinfo_length) 723 return -1; /* Error */ 724 725 if (type == extension_type) { 726 *extension_data = serverinfo; 727 *extension_length = len; 728 return 1; /* Success */ 729 } 730 731 serverinfo += len; 732 serverinfo_length -= len; 733 } 734 /* Unreachable */ 735 } 736 737 static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, 738 const unsigned char *in, 739 size_t inlen, int *al, void *arg) 740 { 741 742 if (inlen != 0) { 743 *al = SSL_AD_DECODE_ERROR; 744 return 0; 745 } 746 747 return 1; 748 } 749 750 static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, 751 const unsigned char **out, size_t *outlen, 752 int *al, void *arg) 753 { 754 const unsigned char *serverinfo = NULL; 755 size_t serverinfo_length = 0; 756 757 /* Is there serverinfo data for the chosen server cert? */ 758 if ((ssl_get_server_cert_serverinfo(s, &serverinfo, 759 &serverinfo_length)) != 0) { 760 /* Find the relevant extension from the serverinfo */ 761 int retval = serverinfo_find_extension(serverinfo, serverinfo_length, 762 ext_type, out, outlen); 763 if (retval == -1) { 764 *al = SSL_AD_DECODE_ERROR; 765 return -1; /* Error */ 766 } 767 if (retval == 0) 768 return 0; /* No extension found, don't send extension */ 769 return 1; /* Send extension */ 770 } 771 return 0; /* No serverinfo data found, don't send 772 * extension */ 773 } 774 775 /* 776 * With a NULL context, this function just checks that the serverinfo data 777 * parses correctly. With a non-NULL context, it registers callbacks for 778 * the included extensions. 779 */ 780 static int serverinfo_process_buffer(const unsigned char *serverinfo, 781 size_t serverinfo_length, SSL_CTX *ctx) 782 { 783 if (serverinfo == NULL || serverinfo_length == 0) 784 return 0; 785 for (;;) { 786 unsigned int ext_type = 0; 787 size_t len = 0; 788 789 /* end of serverinfo */ 790 if (serverinfo_length == 0) 791 return 1; 792 793 /* read 2-byte type field */ 794 if (serverinfo_length < 2) 795 return 0; 796 /* FIXME: check for types we understand explicitly? */ 797 798 /* Register callbacks for extensions */ 799 ext_type = (serverinfo[0] << 8) + serverinfo[1]; 800 if (ctx) { 801 int have_ext_cbs = 0; 802 size_t i; 803 custom_ext_methods *exts = &ctx->cert->srv_ext; 804 custom_ext_method *meth = exts->meths; 805 806 for (i = 0; i < exts->meths_count; i++, meth++) { 807 if (ext_type == meth->ext_type) { 808 have_ext_cbs = 1; 809 break; 810 } 811 } 812 813 if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type, 814 serverinfo_srv_add_cb, 815 NULL, NULL, 816 serverinfo_srv_parse_cb, 817 NULL)) 818 return 0; 819 } 820 821 serverinfo += 2; 822 serverinfo_length -= 2; 823 824 /* read 2-byte len field */ 825 if (serverinfo_length < 2) 826 return 0; 827 len = (serverinfo[0] << 8) + serverinfo[1]; 828 serverinfo += 2; 829 serverinfo_length -= 2; 830 831 if (len > serverinfo_length) 832 return 0; 833 834 serverinfo += len; 835 serverinfo_length -= len; 836 } 837 } 838 839 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, 840 size_t serverinfo_length) 841 { 842 unsigned char *new_serverinfo; 843 844 if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { 845 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); 846 return 0; 847 } 848 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { 849 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 850 return 0; 851 } 852 if (ctx->cert->key == NULL) { 853 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); 854 return 0; 855 } 856 new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, 857 serverinfo_length); 858 if (new_serverinfo == NULL) { 859 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); 860 return 0; 861 } 862 ctx->cert->key->serverinfo = new_serverinfo; 863 memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length); 864 ctx->cert->key->serverinfo_length = serverinfo_length; 865 866 /* 867 * Now that the serverinfo is validated and stored, go ahead and 868 * register callbacks. 869 */ 870 if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { 871 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); 872 return 0; 873 } 874 return 1; 875 } 876 877 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) 878 { 879 unsigned char *serverinfo = NULL; 880 unsigned char *tmp; 881 size_t serverinfo_length = 0; 882 unsigned char *extension = 0; 883 long extension_length = 0; 884 char *name = NULL; 885 char *header = NULL; 886 char namePrefix[] = "SERVERINFO FOR "; 887 int ret = 0; 888 BIO *bin = NULL; 889 size_t num_extensions = 0; 890 891 if (ctx == NULL || file == NULL) { 892 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); 893 goto end; 894 } 895 896 bin = BIO_new(BIO_s_file()); 897 if (bin == NULL) { 898 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB); 899 goto end; 900 } 901 if (BIO_read_filename(bin, file) <= 0) { 902 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB); 903 goto end; 904 } 905 906 for (num_extensions = 0;; num_extensions++) { 907 if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) 908 == 0) { 909 /* 910 * There must be at least one extension in this file 911 */ 912 if (num_extensions == 0) { 913 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 914 SSL_R_NO_PEM_EXTENSIONS); 915 goto end; 916 } else /* End of file, we're done */ 917 break; 918 } 919 /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ 920 if (strlen(name) < strlen(namePrefix)) { 921 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT); 922 goto end; 923 } 924 if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { 925 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 926 SSL_R_PEM_NAME_BAD_PREFIX); 927 goto end; 928 } 929 /* 930 * Check that the decoded PEM data is plausible (valid length field) 931 */ 932 if (extension_length < 4 933 || (extension[2] << 8) + extension[3] != extension_length - 4) { 934 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); 935 goto end; 936 } 937 /* Append the decoded extension to the serverinfo buffer */ 938 tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); 939 if (tmp == NULL) { 940 SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); 941 goto end; 942 } 943 serverinfo = tmp; 944 memcpy(serverinfo + serverinfo_length, extension, extension_length); 945 serverinfo_length += extension_length; 946 947 OPENSSL_free(name); 948 name = NULL; 949 OPENSSL_free(header); 950 header = NULL; 951 OPENSSL_free(extension); 952 extension = NULL; 953 } 954 955 ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); 956 end: 957 /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ 958 OPENSSL_free(name); 959 OPENSSL_free(header); 960 OPENSSL_free(extension); 961 OPENSSL_free(serverinfo); 962 BIO_free(bin); 963 return ret; 964 } 965