X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fssl_rsa.c;h=897c8f2e772b515fb98a2cdeb09393b8ed78d069;hb=4746f25ac62e5bbdc07eedcec9c9a27547577141;hp=1ee80568ff7a08d88c31ec181fdc24c7de773ee4;hpb=fb34a0f4e033246ef5f957bc57d2ebc904a519fc;p=openssl.git diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 1ee80568ff..897c8f2e77 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -1,7 +1,7 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -29,7 +29,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) int rv; if (x == NULL) { SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } rv = ssl_security_cert(ssl, NULL, x, 0, 1); if (rv != 1) { @@ -37,7 +37,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) return 0; } - return (ssl_set_cert(ssl->cert, x)); + return ssl_set_cert(ssl->cert, x); } int SSL_use_certificate_file(SSL *ssl, const char *file, int type) @@ -78,7 +78,7 @@ int SSL_use_certificate_file(SSL *ssl, const char *file, int type) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) @@ -89,12 +89,12 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_certificate(ssl, x); X509_free(x); - return (ret); + return ret; } #ifndef OPENSSL_NO_RSA @@ -105,11 +105,11 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) if (rsa == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); + return 0; } RSA_up_ref(rsa); @@ -121,17 +121,17 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) ret = ssl_set_pkey(ssl->cert, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } #endif static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { - int i; - i = ssl_cert_type(NULL, pkey); - if (i < 0) { + size_t i; + + if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) { SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return (0); + return 0; } if (c->pkeys[i].x509 != NULL) { @@ -167,8 +167,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) EVP_PKEY_free(c->pkeys[i].privatekey); EVP_PKEY_up_ref(pkey); c->pkeys[i].privatekey = pkey; - c->key = &(c->pkeys[i]); - return (1); + c->key = &c->pkeys[i]; + return 1; } #ifndef OPENSSL_NO_RSA @@ -208,7 +208,7 @@ int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) RSA_free(rsa); end: BIO_free(in); - return (ret); + return ret; } int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) @@ -220,12 +220,12 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_RSAPrivateKey(ssl, rsa); RSA_free(rsa); - return (ret); + return ret; } #endif /* !OPENSSL_NO_RSA */ @@ -235,10 +235,10 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) if (pkey == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } ret = ssl_set_pkey(ssl->cert, pkey); - return (ret); + return ret; } int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) @@ -277,7 +277,7 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) EVP_PKEY_free(pkey); end: BIO_free(in); - return (ret); + return ret; } int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, @@ -290,12 +290,12 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_PrivateKey(ssl, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) @@ -303,29 +303,28 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) int rv; if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } rv = ssl_security_cert(NULL, ctx, x, 0, 1); if (rv != 1) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv); return 0; } - return (ssl_set_cert(ctx->cert, x)); + return ssl_set_cert(ctx->cert, x); } static int ssl_set_cert(CERT *c, X509 *x) { EVP_PKEY *pkey; - int i; + size_t i; pkey = X509_get0_pubkey(x); if (pkey == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); - return (0); + return 0; } - i = ssl_cert_type(x, pkey); - if (i < 0) { + if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } @@ -412,7 +411,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) @@ -423,12 +422,12 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_certificate(ctx, x); X509_free(x); - return (ret); + return ret; } #ifndef OPENSSL_NO_RSA @@ -439,11 +438,11 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) if (rsa == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); + return 0; } RSA_up_ref(rsa); @@ -455,7 +454,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) ret = ssl_set_pkey(ctx->cert, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) @@ -494,7 +493,7 @@ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) RSA_free(rsa); end: BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, @@ -507,12 +506,12 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); RSA_free(rsa); - return (ret); + return ret; } #endif /* !OPENSSL_NO_RSA */ @@ -520,9 +519,9 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { if (pkey == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } - return (ssl_set_pkey(ctx->cert, pkey)); + return ssl_set_pkey(ctx->cert, pkey); } int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) @@ -561,7 +560,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) EVP_PKEY_free(pkey); end: BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, @@ -574,12 +573,12 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_PrivateKey(ctx, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } /* @@ -681,7 +680,7 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) @@ -1036,3 +1035,114 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) BIO_free(bin); return ret; } + +static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + int ret = 0; + size_t i; + int j; + int rv; + CERT *c = ssl != NULL ? ssl->cert : ctx->cert; + STACK_OF(X509) *dup_chain = NULL; + EVP_PKEY *pubkey = NULL; + + /* Do all security checks before anything else */ + rv = ssl_security_cert(ssl, ctx, x509, 0, 1); + if (rv != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); + goto out; + } + for (j = 0; j < sk_X509_num(chain); j++) { + rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0); + if (rv != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); + goto out; + } + } + + pubkey = X509_get_pubkey(x509); /* bumps reference */ + if (pubkey == NULL) + goto out; + if (privatekey == NULL) { + privatekey = pubkey; + } else { + /* For RSA, which has no parameters, missing returns 0 */ + if (EVP_PKEY_missing_parameters(privatekey)) { + if (EVP_PKEY_missing_parameters(pubkey)) { + /* nobody has parameters? - error */ + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS); + goto out; + } else { + /* copy to privatekey from pubkey */ + EVP_PKEY_copy_parameters(privatekey, pubkey); + } + } else if (EVP_PKEY_missing_parameters(pubkey)) { + /* copy to pubkey from privatekey */ + EVP_PKEY_copy_parameters(pubkey, privatekey); + } /* else both have parameters */ + + /* Copied from ssl_set_cert/pkey */ +#ifndef OPENSSL_NO_RSA + if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) && + ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK))) + /* no-op */ ; + else +#endif + /* check that key <-> cert match */ + if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); + goto out; + } + } + if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto out; + } + + if (!override && (c->pkeys[i].x509 != NULL + || c->pkeys[i].privatekey != NULL + || c->pkeys[i].chain != NULL)) { + /* No override, and something already there */ + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE); + goto out; + } + + if (chain != NULL) { + dup_chain = X509_chain_up_ref(chain); + if (dup_chain == NULL) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE); + goto out; + } + } + + sk_X509_pop_free(c->pkeys[i].chain, X509_free); + c->pkeys[i].chain = dup_chain; + + X509_free(c->pkeys[i].x509); + X509_up_ref(x509); + c->pkeys[i].x509 = x509; + + EVP_PKEY_free(c->pkeys[i].privatekey); + EVP_PKEY_up_ref(privatekey); + c->pkeys[i].privatekey = privatekey; + + c->key = &(c->pkeys[i]); + + ret = 1; + out: + EVP_PKEY_free(pubkey); + return ret; +} + +int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override); +} + +int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override); +}