X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fssl_rsa.c;h=6f9337e1503228253ca19ea7842b78f8b603e7ba;hb=8cb30232ed9c5c0f99b8858eb3b0c85978f8aa36;hp=2837624ae9e387590cba33fdc8ac17259f2defc6;hpb=0b2bde70dd8fc290d640ed64cf7609dc2963a48b;p=openssl.git diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 2837624ae9..6f9337e150 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -66,17 +66,21 @@ static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -#ifndef OPENSSL_NO_TLSEXT -static int ssl_set_authz(CERT *c, unsigned char *authz, - size_t authz_length); -#endif int SSL_use_certificate(SSL *ssl, X509 *x) { + int rv; if (x == NULL) { SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER); return(0); } + rv = ssl_security_cert(ssl, NULL, x, 0, 1); + if (rv != 1) + { + SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv); + return 0; + } + if (!ssl_cert_inst(&ssl->cert)) { SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE); @@ -292,7 +296,7 @@ end: } #endif -int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) +int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) { int ret; const unsigned char *p; @@ -397,11 +401,18 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { + int rv; if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER); return(0); } + rv = ssl_security_cert(NULL, ctx, x, 0, 1); + if (rv != 1) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv); + return 0; + } if (!ssl_cert_inst(&ctx->cert)) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE); @@ -762,19 +773,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) X509 *ca; int r; unsigned long err; - - if (ctx->extra_certs != NULL) - { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } + SSL_CTX_clear_chain_certs(ctx); + while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata)) != NULL) { - r = SSL_CTX_add_extra_chain_cert(ctx, ca); + r = SSL_CTX_add0_chain_cert(ctx, ca); if (!r) { X509_free(ca); @@ -802,55 +809,11 @@ end: #endif #ifndef OPENSSL_NO_TLSEXT -/* authz_validate returns true iff authz is well formed, i.e. that it meets the - * wire format as documented in the CERT_PKEY structure and that there are no - * duplicate entries. */ -static char authz_validate(const unsigned char *authz, size_t length) - { - unsigned char types_seen_bitmap[32]; - - if (!authz) - return 1; - - memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap)); - - for (;;) - { - unsigned char type, byte, bit; - unsigned short len; - - if (!length) - return 1; - - type = *(authz++); - length--; - - byte = type / 8; - bit = type & 7; - if (types_seen_bitmap[byte] & (1 << bit)) - return 0; - types_seen_bitmap[byte] |= (1 << bit); - - if (length < 2) - return 0; - len = ((unsigned short) authz[0]) << 8 | - ((unsigned short) authz[1]); - authz += 2; - length -= 2; - - if (length < len) - return 0; - - authz += len; - length -= len; - } - } - static int serverinfo_find_extension(const unsigned char *serverinfo, size_t serverinfo_length, - unsigned short extension_type, + unsigned int extension_type, const unsigned char **extension_data, - unsigned short *extension_length) + size_t *extension_length) { *extension_data = NULL; *extension_length = 0; @@ -858,8 +821,8 @@ static int serverinfo_find_extension(const unsigned char *serverinfo, return 0; for (;;) { - unsigned short type = 0; /* uint16 */ - unsigned short len = 0; /* uint16 */ + unsigned int type = 0; + size_t len = 0; /* end of serverinfo */ if (serverinfo_length == 0) @@ -895,22 +858,24 @@ static int serverinfo_find_extension(const unsigned char *serverinfo, return 0; /* Error */ } -static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type, +static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, - unsigned short inlen, int *al, + size_t inlen, int *al, void *arg) { + if (inlen != 0) { *al = SSL_AD_DECODE_ERROR; return 0; } + return 1; } -static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - void *arg) +static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, size_t *outlen, + int *al, void *arg) { const unsigned char *serverinfo = NULL; size_t serverinfo_length = 0; @@ -921,7 +886,7 @@ static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type, { /* Find the relevant extension from the serverinfo */ int retval = serverinfo_find_extension(serverinfo, serverinfo_length, - ext_type, out, outlen); + ext_type, out, outlen); if (retval == 0) return 0; /* Error */ if (retval == -1) @@ -941,8 +906,8 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo, return 0; for (;;) { - unsigned short ext_type = 0; /* uint16 */ - unsigned short len = 0; /* uint16 */ + unsigned int ext_type = 0; + size_t len = 0; /* end of serverinfo */ if (serverinfo_length == 0) @@ -955,9 +920,11 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo, /* Register callbacks for extensions */ ext_type = (serverinfo[0] << 8) + serverinfo[1]; - if (ctx && !SSL_CTX_set_custom_srv_ext(ctx, ext_type, - serverinfo_srv_first_cb, - serverinfo_srv_second_cb, NULL)) + if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type, + serverinfo_srv_add_cb, + NULL, NULL, + serverinfo_srv_parse_cb, + NULL)) return 0; serverinfo += 2; @@ -978,83 +945,6 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo, } } -static const unsigned char *authz_find_data(const unsigned char *authz, - size_t authz_length, - unsigned char data_type, - size_t *data_length) - { - if (authz == NULL) return NULL; - if (!authz_validate(authz, authz_length)) - { - SSLerr(SSL_F_AUTHZ_FIND_DATA,SSL_R_INVALID_AUTHZ_DATA); - return NULL; - } - - for (;;) - { - unsigned char type; - unsigned short len; - if (!authz_length) - return NULL; - - type = *(authz++); - authz_length--; - - /* We've validated the authz data, so we don't have to - * check again that we have enough bytes left. */ - len = ((unsigned short) authz[0]) << 8 | - ((unsigned short) authz[1]); - authz += 2; - authz_length -= 2; - if (type == data_type) - { - *data_length = len; - return authz; - } - authz += len; - authz_length -= len; - } - /* No match */ - return NULL; - } - -static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length) - { - CERT_PKEY *current_key = c->key; - if (current_key == NULL) - return 0; - if (!authz_validate(authz, authz_length)) - { - SSLerr(SSL_F_SSL_SET_AUTHZ,SSL_R_INVALID_AUTHZ_DATA); - return(0); - } - current_key->authz = OPENSSL_realloc(current_key->authz, authz_length); - if (current_key->authz == NULL) - { - SSLerr(SSL_F_SSL_SET_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - current_key->authz_length = authz_length; - memcpy(current_key->authz, authz, authz_length); - return 1; - } - -int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz, - size_t authz_length) - { - if (authz == NULL) - { - SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - if (!ssl_cert_inst(&ctx->cert)) - { - SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - return ssl_set_authz(ctx->cert, authz, authz_length); - } - int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length) { @@ -1098,106 +988,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, return 1; } -int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length) - { - if (authz == NULL) - { - SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - if (!ssl_cert_inst(&ssl->cert)) - { - SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - return ssl_set_authz(ssl->cert, authz, authz_length); - } - -const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type, - size_t *data_length) - { - CERT_PKEY *current_key; - - if (ctx->cert == NULL) - return NULL; - current_key = ctx->cert->key; - if (current_key->authz == NULL) - return NULL; - return authz_find_data(current_key->authz, - current_key->authz_length, type, data_length); - } - #ifndef OPENSSL_NO_STDIO -/* read_authz returns a newly allocated buffer with authz data */ -static unsigned char *read_authz(const char *file, size_t *authz_length) - { - BIO *authz_in = NULL; - unsigned char *authz = NULL; - /* Allow authzs up to 64KB. */ - static const size_t authz_limit = 65536; - size_t read_length; - unsigned char *ret = NULL; - - authz_in = BIO_new(BIO_s_file_internal()); - if (authz_in == NULL) - { - SSLerr(SSL_F_READ_AUTHZ,ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(authz_in,file) <= 0) - { - SSLerr(SSL_F_READ_AUTHZ,ERR_R_SYS_LIB); - goto end; - } - - authz = OPENSSL_malloc(authz_limit); - read_length = BIO_read(authz_in, authz, authz_limit); - if (read_length == authz_limit || read_length <= 0) - { - SSLerr(SSL_F_READ_AUTHZ,SSL_R_AUTHZ_DATA_TOO_LARGE); - OPENSSL_free(authz); - goto end; - } - *authz_length = read_length; - ret = authz; -end: - if (authz_in != NULL) BIO_free(authz_in); - return ret; - } - -int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file) - { - unsigned char *authz = NULL; - size_t authz_length = 0; - int ret; - - authz = read_authz(file, &authz_length); - if (authz == NULL) - return 0; - - ret = SSL_CTX_use_authz(ctx, authz, authz_length); - /* SSL_CTX_use_authz makes a local copy of the authz. */ - OPENSSL_free(authz); - return ret; - } - -int SSL_use_authz_file(SSL *ssl, const char *file) - { - unsigned char *authz = NULL; - size_t authz_length = 0; - int ret; - - authz = read_authz(file, &authz_length); - if (authz == NULL) - return 0; - - ret = SSL_use_authz(ssl, authz, authz_length); - /* SSL_use_authz makes a local copy of the authz. */ - OPENSSL_free(authz); - return ret; - } - int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; @@ -1206,6 +997,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) long extension_length = 0; char* name = NULL; char* header = NULL; + char namePrefix[] = "SERVERINFO FOR "; int ret = 0; BIO *bin = NULL; size_t num_extensions = 0; @@ -1235,17 +1027,28 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) /* There must be at least one extension in this file */ if (num_extensions == 0) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_NO_PEM_EXTENSIONS); goto end; } else /* End of file, we're done */ break; } + /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ + if (strlen(name) < strlen(namePrefix)) + { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT); + goto end; + } + if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) + { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_BAD_PREFIX); + goto end; + } /* Check that the decoded PEM data is plausible (valid length field) */ if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB); - goto end; + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); + goto end; } /* Append the decoded extension to the serverinfo buffer */ serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);