+
+static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
+ STACK_OF(X509) *chain, int override)
+{
+ int ret = 0;
+ size_t i;
+ int j;
+ int rv;
+ CERT *c;
+ STACK_OF(X509) *dup_chain = NULL;
+ EVP_PKEY *pubkey = NULL;
+ SSL_CONNECTION *sc = NULL;
+
+ if (ctx == NULL &&
+ (sc = SSL_CONNECTION_FROM_SSL(ssl)) == NULL)
+ return 0;
+
+ c = sc != NULL ? sc->cert : ctx->cert;
+ /* Do all security checks before anything else */
+ rv = ssl_security_cert(sc, ctx, x509, 0, 1);
+ if (rv != 1) {
+ ERR_raise(ERR_LIB_SSL, rv);
+ goto out;
+ }
+ for (j = 0; j < sk_X509_num(chain); j++) {
+ rv = ssl_security_cert(sc, ctx, sk_X509_value(chain, j), 0, 0);
+ if (rv != 1) {
+ ERR_raise(ERR_LIB_SSL, rv);
+ goto out;
+ }
+ }
+
+ pubkey = X509_get_pubkey(x509); /* bumps reference */
+ if (pubkey == NULL)
+ goto out;
+ if (privatekey == NULL) {
+ privatekey = pubkey;
+ } else {
+ /* For RSA, which has no parameters, missing returns 0 */
+ if (EVP_PKEY_missing_parameters(privatekey)) {
+ if (EVP_PKEY_missing_parameters(pubkey)) {
+ /* nobody has parameters? - error */
+ ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
+ goto out;
+ } else {
+ /* copy to privatekey from pubkey */
+ if (!EVP_PKEY_copy_parameters(privatekey, pubkey)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_COPY_PARAMETERS_FAILED);
+ goto out;
+ }
+ }
+ } else if (EVP_PKEY_missing_parameters(pubkey)) {
+ /* copy to pubkey from privatekey */
+ if (!EVP_PKEY_copy_parameters(pubkey, privatekey)) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_COPY_PARAMETERS_FAILED);
+ goto out;
+ }
+ } /* else both have parameters */
+
+ /* check that key <-> cert match */
+ if (EVP_PKEY_eq(pubkey, privatekey) != 1) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_PRIVATE_KEY_MISMATCH);
+ goto out;
+ }
+ }
+ if (ssl_cert_lookup_by_pkey(pubkey, &i, ctx) == NULL) {
+ ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+ goto out;
+ }
+
+ if (!override && (c->pkeys[i].x509 != NULL
+ || c->pkeys[i].privatekey != NULL
+ || c->pkeys[i].chain != NULL)) {
+ /* No override, and something already there */
+ ERR_raise(ERR_LIB_SSL, SSL_R_NOT_REPLACING_CERTIFICATE);
+ goto out;
+ }
+
+ if (chain != NULL) {
+ dup_chain = X509_chain_up_ref(chain);
+ if (dup_chain == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
+ goto out;
+ }
+ }
+
+ OSSL_STACK_OF_X509_free(c->pkeys[i].chain);
+ c->pkeys[i].chain = dup_chain;
+
+ X509_free(c->pkeys[i].x509);
+ X509_up_ref(x509);
+ c->pkeys[i].x509 = x509;
+
+ EVP_PKEY_free(c->pkeys[i].privatekey);
+ EVP_PKEY_up_ref(privatekey);
+ c->pkeys[i].privatekey = privatekey;
+
+ c->key = &(c->pkeys[i]);
+
+ ret = 1;
+ out:
+ EVP_PKEY_free(pubkey);
+ return ret;
+}
+
+int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey,
+ STACK_OF(X509) *chain, int override)
+{
+ return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override);
+}
+
+int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
+ STACK_OF(X509) *chain, int override)
+{
+ return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override);
+}