Require ServerInfo PEMs to be named "BEGIN SERVERINFO FOR"...
[openssl.git] / ssl / ssl_rsa.c
index 77abcfc..36d7a1a 100644 (file)
 
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-#ifndef OPENSSL_NO_TLSEXT
-static int ssl_set_authz(CERT *c, unsigned char *authz,
-                        size_t authz_length);
-#endif
 int SSL_use_certificate(SSL *ssl, X509 *x)
        {
        if (x == NULL)
@@ -463,23 +459,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
                X509_free(c->pkeys[i].x509);
        CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
        c->pkeys[i].x509=x;
-#ifndef OPENSSL_NO_TLSEXT
-       /* Free the old authz data, if it exists. */
-       if (c->pkeys[i].authz != NULL)
-               {
-               OPENSSL_free(c->pkeys[i].authz);
-               c->pkeys[i].authz = NULL;
-               c->pkeys[i].authz_length = 0;
-               }
-
-       /* Free the old serverinfo data, if it exists. */
-       if (c->pkeys[i].serverinfo != NULL)
-               {
-               OPENSSL_free(c->pkeys[i].serverinfo);
-               c->pkeys[i].serverinfo = NULL;
-               c->pkeys[i].serverinfo_length = 0;
-               }
-#endif
        c->key= &(c->pkeys[i]);
 
        c->valid=0;
@@ -819,50 +798,6 @@ end:
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
-/* authz_validate returns true iff authz is well formed, i.e. that it meets the
- * wire format as documented in the CERT_PKEY structure and that there are no
- * duplicate entries. */
-static char authz_validate(const unsigned char *authz, size_t length)
-       {
-       unsigned char types_seen_bitmap[32];
-
-       if (!authz)
-               return 1;
-
-       memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap));
-
-       for (;;)
-               {
-               unsigned char type, byte, bit;
-               unsigned short len;
-
-               if (!length)
-                       return 1;
-
-               type = *(authz++);
-               length--;
-
-               byte = type / 8;
-               bit = type & 7;
-               if (types_seen_bitmap[byte] & (1 << bit))
-                       return 0;
-               types_seen_bitmap[byte] |= (1 << bit);
-
-               if (length < 2)
-                       return 0;
-               len = ((unsigned short) authz[0]) << 8 |
-                     ((unsigned short) authz[1]);
-               authz += 2;
-               length -= 2;
-
-               if (length < len)
-                       return 0;
-
-               authz += len;
-               length -= len;
-               }
-       }
-
 static int serverinfo_find_extension(const unsigned char *serverinfo,
                                     size_t serverinfo_length,
                                     unsigned short extension_type,
@@ -995,83 +930,6 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo,
                }
        }
 
-static const unsigned char *authz_find_data(const unsigned char *authz,
-                                           size_t authz_length,
-                                           unsigned char data_type,
-                                           size_t *data_length)
-       {
-       if (authz == NULL) return NULL;
-       if (!authz_validate(authz, authz_length))
-               {
-               SSLerr(SSL_F_AUTHZ_FIND_DATA,SSL_R_INVALID_AUTHZ_DATA);
-               return NULL;
-               }
-
-       for (;;)
-               {
-               unsigned char type;
-               unsigned short len;
-               if (!authz_length)
-                       return NULL;
-
-               type = *(authz++);
-               authz_length--;
-
-               /* We've validated the authz data, so we don't have to
-                * check again that we have enough bytes left. */
-               len = ((unsigned short) authz[0]) << 8 |
-                     ((unsigned short) authz[1]);
-               authz += 2;
-               authz_length -= 2;
-               if (type == data_type)
-                       {
-                       *data_length = len;
-                       return authz;
-                       }
-               authz += len;
-               authz_length -= len;
-               }
-       /* No match */
-       return NULL;
-       }
-
-static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length)
-       {
-       CERT_PKEY *current_key = c->key;
-       if (current_key == NULL)
-               return 0;
-       if (!authz_validate(authz, authz_length))
-               {
-               SSLerr(SSL_F_SSL_SET_AUTHZ,SSL_R_INVALID_AUTHZ_DATA);
-               return(0);
-               }
-       current_key->authz = OPENSSL_realloc(current_key->authz, authz_length);
-       if (current_key->authz == NULL)
-               {
-               SSLerr(SSL_F_SSL_SET_AUTHZ,ERR_R_MALLOC_FAILURE);
-               return 0;
-               }
-       current_key->authz_length = authz_length;
-       memcpy(current_key->authz, authz, authz_length);
-       return 1;
-       }
-
-int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz,
-                     size_t authz_length)
-       {
-       if (authz == NULL)
-               {
-               SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER);
-               return 0;
-               }
-       if (!ssl_cert_inst(&ctx->cert))
-               {
-               SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_MALLOC_FAILURE);
-               return 0;
-               }
-       return ssl_set_authz(ctx->cert, authz, authz_length);
-       }
-
 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
                           size_t serverinfo_length)
        {
@@ -1083,7 +941,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
        if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
                {
                SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-               return(0);
+               return 0;
                }
        if (!ssl_cert_inst(&ctx->cert))
                {
@@ -1110,111 +968,12 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
        if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
                {
                SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,SSL_R_INVALID_SERVERINFO_DATA);
-               return(0);
-               }
-       return 1;
-       }
-
-int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length)
-       {
-       if (authz == NULL)
-               {
-               SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER);
                return 0;
                }
-       if (!ssl_cert_inst(&ssl->cert))
-               {
-               SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_MALLOC_FAILURE);
-               return 0;
-               }
-       return ssl_set_authz(ssl->cert, authz, authz_length);
-       }
-
-const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type,
-                                           size_t *data_length)
-       {
-       CERT_PKEY *current_key;
-
-       if (ctx->cert == NULL)
-               return NULL;
-       current_key = ctx->cert->key;
-       if (current_key->authz == NULL)
-               return NULL;
-       return authz_find_data(current_key->authz,
-               current_key->authz_length, type, data_length);
+       return 1;
        }
 
 #ifndef OPENSSL_NO_STDIO
-/* read_authz returns a newly allocated buffer with authz data */
-static unsigned char *read_authz(const char *file, size_t *authz_length)
-       {
-       BIO *authz_in = NULL;
-       unsigned char *authz = NULL;
-       /* Allow authzs up to 64KB. */
-       static const size_t authz_limit = 65536;
-       size_t read_length;
-       unsigned char *ret = NULL;
-
-       authz_in = BIO_new(BIO_s_file_internal());
-       if (authz_in == NULL)
-               {
-               SSLerr(SSL_F_READ_AUTHZ,ERR_R_BUF_LIB);
-               goto end;
-               }
-
-       if (BIO_read_filename(authz_in,file) <= 0)
-               {
-               SSLerr(SSL_F_READ_AUTHZ,ERR_R_SYS_LIB);
-               goto end;
-               }
-
-       authz = OPENSSL_malloc(authz_limit);
-       read_length = BIO_read(authz_in, authz, authz_limit);
-       if (read_length == authz_limit || read_length <= 0)
-               {
-               SSLerr(SSL_F_READ_AUTHZ,SSL_R_AUTHZ_DATA_TOO_LARGE);
-               OPENSSL_free(authz);
-               goto end;
-               }
-       *authz_length = read_length;
-       ret = authz;
-end:
-       if (authz_in != NULL) BIO_free(authz_in);
-       return ret;
-       }
-
-int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file)
-       {
-       unsigned char *authz = NULL;
-       size_t authz_length = 0;
-       int ret;
-
-       authz = read_authz(file, &authz_length);
-       if (authz == NULL)
-               return 0;
-
-       ret = SSL_CTX_use_authz(ctx, authz, authz_length);
-       /* SSL_CTX_use_authz makes a local copy of the authz. */
-       OPENSSL_free(authz);
-       return ret;
-       }
-
-int SSL_use_authz_file(SSL *ssl, const char *file)
-       {
-       unsigned char *authz = NULL;
-       size_t authz_length = 0;
-       int ret;
-
-       authz = read_authz(file, &authz_length);
-       if (authz == NULL)
-               return 0;
-
-       ret = SSL_use_authz(ssl, authz, authz_length);
-       /* SSL_use_authz makes a local copy of the authz. */
-       OPENSSL_free(authz);
-       return ret;
-       }
-
 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
        {
        unsigned char *serverinfo = NULL;
@@ -1223,6 +982,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
        long extension_length = 0;
        char* name = NULL;
        char* header = NULL;
+       char namePrefix[] = "SERVERINFO FOR ";
        int ret = 0;
        BIO *bin = NULL;
        size_t num_extensions = 0;
@@ -1258,11 +1018,22 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
                        else /* End of file, we're done */
                                break;
                        }
+               /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
+               if (strlen(name) < strlen(namePrefix))
+                       {
+                       SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+                       goto end;
+                       }
+               if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
+                       {
+                       SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+                       goto end;
+                       }
                /* Check that the decoded PEM data is plausible (valid length field) */
                if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
                        {
-                               SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
-                               goto end;
+                       SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PEM_LIB);
+                       goto end;
                        }
                /* Append the decoded extension to the serverinfo buffer */
                serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);