X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_rsa.c;h=c0960b5712b8e596ec4ed057e915da804ec68bde;hp=fde484ba2ffa6b04f219173c9c9010bb8a0cbf8f;hb=861a7e5c9f40875e61a377780d735896762b62e6;hpb=ec577822f95a8bca0023c5c77cef1a4916822d4a diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index fde484ba2f..c0960b5712 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -57,21 +57,15 @@ */ #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" -#ifndef NOPROTO static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -#else -static int ssl_set_cert(); -static int ssl_set_pkey(); -#endif - int SSL_use_certificate(SSL *ssl, X509 *x) { if (x == NULL) @@ -79,7 +73,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ssl->cert, ssl->ctx->default_cert)) + if (!ssl_cert_inst(&ssl->cert)) { SSLerr(SSL_F_SSL_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE); return(0); @@ -87,8 +81,8 @@ int SSL_use_certificate(SSL *ssl, X509 *x) return(ssl_set_cert(ssl->cert,x)); } -#ifndef NO_STDIO -int SSL_use_certificate_file(SSL *ssl, char *file, int type) +#ifndef OPENSSL_NO_STDIO +int SSL_use_certificate_file(SSL *ssl, const char *file, int type) { int j; BIO *in; @@ -115,7 +109,7 @@ int SSL_use_certificate_file(SSL *ssl, char *file, int type) else if (type == SSL_FILETYPE_PEM) { j=ERR_R_PEM_LIB; - x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback); + x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata); } else { @@ -137,7 +131,7 @@ end: } #endif -int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) +int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) { X509 *x; int ret; @@ -154,7 +148,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) return(ret); } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { EVP_PKEY *pkey; @@ -165,7 +159,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ssl->cert, ssl->ctx->default_cert)) + if (!ssl_cert_inst(&ssl->cert)) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE); return(0); @@ -176,7 +170,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); ret=ssl_set_pkey(ssl->cert,pkey); @@ -187,7 +181,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { - int i,ok=0,bad=0; + int i; i=ssl_cert_type(NULL,pkey); if (i < 0) @@ -204,47 +198,20 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) EVP_PKEY_free(pktmp); ERR_clear_error(); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA /* Don't check the public/private key, this is mostly * for smart cards. */ if ((pkey->type == EVP_PKEY_RSA) && - (RSA_flags(pkey->pkey.rsa) & - RSA_METHOD_FLAG_NO_CHECK)) - ok=1; + (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) + ; else #endif - if (!X509_check_private_key(c->pkeys[i].x509,pkey)) + if (!X509_check_private_key(c->pkeys[i].x509,pkey)) { - if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) - { - i=(i == SSL_PKEY_DH_RSA)? - SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA; - - if (c->pkeys[i].x509 == NULL) - ok=1; - else - { - if (!X509_check_private_key( - c->pkeys[i].x509,pkey)) - bad=1; - else - ok=1; - } - } - else - bad=1; + X509_free(c->pkeys[i].x509); + c->pkeys[i].x509 = NULL; + return 0; } - else - ok=1; - } - else - ok=1; - - if (bad) - { - X509_free(c->pkeys[i].x509); - c->pkeys[i].x509=NULL; - return(0); } if (c->pkeys[i].privatekey != NULL) @@ -257,9 +224,9 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) return(1); } -#ifndef NO_RSA -#ifndef NO_STDIO -int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type) +#ifndef OPENSSL_NO_RSA +#ifndef OPENSSL_NO_STDIO +int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) { int j,ret=0; BIO *in; @@ -286,7 +253,7 @@ int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type) { j=ERR_R_PEM_LIB; rsa=PEM_read_bio_RSAPrivateKey(in,NULL, - ssl->ctx->default_passwd_callback); + ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata); } else { @@ -309,7 +276,7 @@ end: int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; RSA *rsa; p=d; @@ -323,7 +290,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) RSA_free(rsa); return(ret); } -#endif /* !NO_RSA */ +#endif /* !OPENSSL_NO_RSA */ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { @@ -334,7 +301,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ssl->cert, ssl->ctx->default_cert)) + if (!ssl_cert_inst(&ssl->cert)) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE); return(0); @@ -343,8 +310,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) return(ret); } -#ifndef NO_STDIO -int SSL_use_PrivateKey_file(SSL *ssl, char *file, int type) +#ifndef OPENSSL_NO_STDIO +int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) { int j,ret=0; BIO *in; @@ -366,7 +333,12 @@ int SSL_use_PrivateKey_file(SSL *ssl, char *file, int type) { j=ERR_R_PEM_LIB; pkey=PEM_read_bio_PrivateKey(in,NULL, - ssl->ctx->default_passwd_callback); + ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata); + } + else if (type == SSL_FILETYPE_ASN1) + { + j = ERR_R_ASN1_LIB; + pkey = d2i_PrivateKey_bio(in,NULL); } else { @@ -386,10 +358,10 @@ end: } #endif -int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len) +int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; @@ -411,18 +383,18 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ctx->default_cert, NULL)) + if (!ssl_cert_inst(&ctx->cert)) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE,ERR_R_MALLOC_FAILURE); return(0); } - return(ssl_set_cert(ctx->default_cert,x)); + return(ssl_set_cert(ctx->cert, x)); } static int ssl_set_cert(CERT *c, X509 *x) { EVP_PKEY *pkey; - int i,ok=0,bad=0; + int i; pkey=X509_get_pubkey(x); if (pkey == NULL) @@ -444,50 +416,29 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey); ERR_clear_error(); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA /* Don't check the public/private key, this is mostly * for smart cards. */ if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) - ok=1; + ; else -#endif - { +#endif /* OPENSSL_NO_RSA */ if (!X509_check_private_key(x,c->pkeys[i].privatekey)) { - if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) - { - i=(i == SSL_PKEY_DH_RSA)? - SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA; - - if (c->pkeys[i].privatekey == NULL) - ok=1; - else - { - if (!X509_check_private_key(x, - c->pkeys[i].privatekey)) - bad=1; - else - ok=1; - } - } - else - bad=1; + /* don't fail for a cert/key mismatch, just free + * current private key (when switching to a different + * cert & key, first this function should be used, + * then ssl_set_pkey */ + EVP_PKEY_free(c->pkeys[i].privatekey); + c->pkeys[i].privatekey=NULL; + /* clear error queue */ + ERR_clear_error(); } - else - ok=1; - } /* NO_RSA */ } - else - ok=1; EVP_PKEY_free(pkey); - if (bad) - { - EVP_PKEY_free(c->pkeys[i].privatekey); - c->pkeys[i].privatekey=NULL; - } if (c->pkeys[i].x509 != NULL) X509_free(c->pkeys[i].x509); @@ -499,8 +450,8 @@ static int ssl_set_cert(CERT *c, X509 *x) return(1); } -#ifndef NO_STDIO -int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type) +#ifndef OPENSSL_NO_STDIO +int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) { int j; BIO *in; @@ -527,7 +478,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type) else if (type == SSL_FILETYPE_PEM) { j=ERR_R_PEM_LIB; - x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback); + x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); } else { @@ -549,7 +500,7 @@ end: } #endif -int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) +int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) { X509 *x; int ret; @@ -566,7 +517,7 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) return(ret); } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { int ret; @@ -577,7 +528,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ctx->default_cert, NULL)) + if (!ssl_cert_inst(&ctx->cert)) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE); return(0); @@ -588,16 +539,16 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); - ret=ssl_set_pkey(ctx->default_cert,pkey); + ret=ssl_set_pkey(ctx->cert, pkey); EVP_PKEY_free(pkey); return(ret); } -#ifndef NO_STDIO -int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type) +#ifndef OPENSSL_NO_STDIO +int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) { int j,ret=0; BIO *in; @@ -624,7 +575,7 @@ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type) { j=ERR_R_PEM_LIB; rsa=PEM_read_bio_RSAPrivateKey(in,NULL, - ctx->default_passwd_callback); + ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); } else { @@ -644,10 +595,10 @@ end: } #endif -int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) +int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; RSA *rsa; p=d; @@ -661,7 +612,7 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) RSA_free(rsa); return(ret); } -#endif /* !NO_RSA */ +#endif /* !OPENSSL_NO_RSA */ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { @@ -670,16 +621,16 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER); return(0); } - if (!ssl_cert_instantiate(&ctx->default_cert, NULL)) + if (!ssl_cert_inst(&ctx->cert)) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,ERR_R_MALLOC_FAILURE); return(0); } - return(ssl_set_pkey(ctx->default_cert,pkey)); + return(ssl_set_pkey(ctx->cert,pkey)); } -#ifndef NO_STDIO -int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type) +#ifndef OPENSSL_NO_STDIO +int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) { int j,ret=0; BIO *in; @@ -701,7 +652,12 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type) { j=ERR_R_PEM_LIB; pkey=PEM_read_bio_PrivateKey(in,NULL, - ctx->default_passwd_callback); + ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); + } + else if (type == SSL_FILETYPE_ASN1) + { + j = ERR_R_ASN1_LIB; + pkey = d2i_PrivateKey_bio(in,NULL); } else { @@ -721,11 +677,11 @@ end: } #endif -int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, +int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; @@ -741,3 +697,83 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, } +#ifndef OPENSSL_NO_STDIO +/* Read a file that contains our certificate in "PEM" format, + * possibly followed by a sequence of CA certificates that should be + * sent to the peer in the Certificate message. + */ +int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) + { + BIO *in; + int ret=0; + X509 *x=NULL; + + ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ + + in=BIO_new(BIO_s_file_internal()); + if (in == NULL) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); + goto end; + } + + if (BIO_read_filename(in,file) <= 0) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_SYS_LIB); + goto end; + } + + x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); + if (x == NULL) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); + goto end; + } + + ret=SSL_CTX_use_certificate(ctx,x); + if (ERR_peek_error() != 0) + ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ + if (ret) + { + /* If we could set up our certificate, now proceed to + * the CA certificates. + */ + X509 *ca; + int r; + unsigned long err; + + if (ctx->extra_certs != NULL) + { + sk_X509_pop_free(ctx->extra_certs, X509_free); + ctx->extra_certs = NULL; + } + + while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) + != NULL) + { + r = SSL_CTX_add_extra_chain_cert(ctx, ca); + if (!r) + { + X509_free(ca); + ret = 0; + goto end; + } + /* Note that we must not free r if it was successfully + * added to the chain (while we must free the main + * certificate, since its reference count is increased + * by SSL_CTX_use_certificate). */ + } + /* When the while loop ends, it's usually just EOF. */ + err = ERR_peek_last_error(); + if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) + ERR_clear_error(); + else + ret = 0; /* some real error */ + } + +end: + if (x != NULL) X509_free(x); + if (in != NULL) BIO_free(in); + return(ret); + } +#endif