Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame ssl/ssl_rsa.c

Blob History Raw

Packit	c4476c	`/*`
Packit	c4476c	`* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.`
Packit	c4476c	`*`
Packit	c4476c	`* Licensed under the OpenSSL license (the "License"). You may not use`
Packit	c4476c	`* this file except in compliance with the License. You can obtain a copy`
Packit	c4476c	`* in the file LICENSE in the source distribution or at`
Packit	c4476c	`* https://www.openssl.org/source/license.html`
Packit	c4476c	`*/`
Packit	c4476c
Packit	c4476c	`#include <stdio.h>`
Packit	c4476c	`#include "ssl_local.h"`
Packit	c4476c	`#include "packet_local.h"`
Packit	c4476c	`#include <openssl/bio.h>`
Packit	c4476c	`#include <openssl/objects.h>`
Packit	c4476c	`#include <openssl/evp.h>`
Packit	c4476c	`#include <openssl/x509.h>`
Packit	c4476c	`#include <openssl/pem.h>`
Packit	c4476c
Packit	c4476c	`static int ssl_set_cert(CERT c, X509 x509);`
Packit	c4476c	`static int ssl_set_pkey(CERT c, EVP_PKEY pkey);`
Packit	c4476c
Packit	c4476c	`#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \`
Packit	c4476c	`\| SSL_EXT_CLIENT_HELLO \`
Packit	c4476c	`\| SSL_EXT_TLS1_2_SERVER_HELLO \`
Packit	c4476c	`\| SSL_EXT_IGNORE_ON_RESUMPTION)`
Packit	c4476c
Packit	c4476c	`int SSL_use_certificate(SSL ssl, X509 x)`
Packit	c4476c	`{`
Packit	c4476c	`int rv;`
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`rv = ssl_security_cert(ssl, NULL, x, 0, 1);`
Packit	c4476c	`if (rv != 1) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`return ssl_set_cert(ssl->cert, x);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_certificate_file(SSL ssl, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`int ret = 0;`
Packit	c4476c	`X509 *x = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`x = d2i_X509_bio(in, NULL);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback,`
Packit	c4476c	`ssl->default_passwd_callback_userdata);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_use_certificate(ssl, x);`
Packit	c4476c	`end:`
Packit	c4476c	`X509_free(x);`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_certificate_ASN1(SSL ssl, const unsigned char d, int len)`
Packit	c4476c	`{`
Packit	c4476c	`X509 *x;`
Packit	c4476c	`int ret;`
Packit	c4476c
Packit	c4476c	`x = d2i_X509(NULL, &d, (long)len);`
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_use_certificate(ssl, x);`
Packit	c4476c	`X509_free(x);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`int SSL_use_RSAPrivateKey(SSL ssl, RSA rsa)`
Packit	c4476c	`{`
Packit	c4476c	`EVP_PKEY *pkey;`
Packit	c4476c	`int ret;`
Packit	c4476c
Packit	c4476c	`if (rsa == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if ((pkey = EVP_PKEY_new()) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`RSA_up_ref(rsa);`
Packit	c4476c	`if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = ssl_set_pkey(ssl->cert, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c	`#endif`
Packit	c4476c
Packit	c4476c	`static int ssl_set_pkey(CERT c, EVP_PKEY pkey)`
Packit	c4476c	`{`
Packit	c4476c	`size_t i;`
Packit	c4476c
Packit	c4476c	`if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (c->pkeys[i].x509 != NULL) {`
Packit	c4476c	`EVP_PKEY *pktmp;`
Packit	c4476c	`pktmp = X509_get0_pubkey(c->pkeys[i].x509);`
Packit	c4476c	`if (pktmp == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`/*`
Packit	c4476c	`* The return code from EVP_PKEY_copy_parameters is deliberately`
Packit	c4476c	`* ignored. Some EVP_PKEY types cannot do this.`
Packit	c4476c	`*/`
Packit	c4476c	`EVP_PKEY_copy_parameters(pktmp, pkey);`
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`/*`
Packit	c4476c	`* Don't check the public/private key, this is mostly for smart`
Packit	c4476c	`* cards.`
Packit	c4476c	`*/`
Packit	c4476c	`if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA`
Packit	c4476c	`&& RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;`
Packit	c4476c	`else`
Packit	c4476c	`#endif`
Packit	c4476c	`if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {`
Packit	c4476c	`X509_free(c->pkeys[i].x509);`
Packit	c4476c	`c->pkeys[i].x509 = NULL;`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`EVP_PKEY_free(c->pkeys[i].privatekey);`
Packit	c4476c	`EVP_PKEY_up_ref(pkey);`
Packit	c4476c	`c->pkeys[i].privatekey = pkey;`
Packit	c4476c	`c->key = &c->pkeys[i];`
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`int SSL_use_RSAPrivateKey_file(SSL ssl, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j, ret = 0;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`RSA *rsa = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`rsa = d2i_RSAPrivateKey_bio(in, NULL);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`rsa = PEM_read_bio_RSAPrivateKey(in, NULL,`
Packit	c4476c	`ssl->default_passwd_callback,`
Packit	c4476c	`ssl->default_passwd_callback_userdata);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (rsa == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`ret = SSL_use_RSAPrivateKey(ssl, rsa);`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`end:`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_RSAPrivateKey_ASN1(SSL ssl, const unsigned char d, long len)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c	`const unsigned char *p;`
Packit	c4476c	`RSA *rsa;`
Packit	c4476c
Packit	c4476c	`p = d;`
Packit	c4476c	`if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_use_RSAPrivateKey(ssl, rsa);`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c	`#endif /* !OPENSSL_NO_RSA */`
Packit	c4476c
Packit	c4476c	`int SSL_use_PrivateKey(SSL ssl, EVP_PKEY pkey)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c
Packit	c4476c	`if (pkey == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`ret = ssl_set_pkey(ssl->cert, pkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_PrivateKey_file(SSL ssl, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j, ret = 0;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`EVP_PKEY *pkey = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`pkey = PEM_read_bio_PrivateKey(in, NULL,`
Packit	c4476c	`ssl->default_passwd_callback,`
Packit	c4476c	`ssl->default_passwd_callback_userdata);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`pkey = d2i_PrivateKey_bio(in, NULL);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (pkey == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`ret = SSL_use_PrivateKey(ssl, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`end:`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_PrivateKey_ASN1(int type, SSL ssl, const unsigned char d,`
Packit	c4476c	`long len)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c	`const unsigned char *p;`
Packit	c4476c	`EVP_PKEY *pkey;`
Packit	c4476c
Packit	c4476c	`p = d;`
Packit	c4476c	`if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_use_PrivateKey(ssl, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_certificate(SSL_CTX ctx, X509 x)`
Packit	c4476c	`{`
Packit	c4476c	`int rv;`
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`rv = ssl_security_cert(NULL, ctx, x, 0, 1);`
Packit	c4476c	`if (rv != 1) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`return ssl_set_cert(ctx->cert, x);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int ssl_set_cert(CERT c, X509 x)`
Packit	c4476c	`{`
Packit	c4476c	`EVP_PKEY *pkey;`
Packit	c4476c	`size_t i;`
Packit	c4476c
Packit	c4476c	`pkey = X509_get0_pubkey(x);`
Packit	c4476c	`if (pkey == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`#ifndef OPENSSL_NO_EC`
Packit	c4476c	`if (i == SSL_PKEY_ECC && !EC_KEY_can_sign(EVP_PKEY_get0_EC_KEY(pkey))) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT, SSL_R_ECC_CERT_NOT_FOR_SIGNING);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`#endif`
Packit	c4476c	`if (c->pkeys[i].privatekey != NULL) {`
Packit	c4476c	`/*`
Packit	c4476c	`* The return code from EVP_PKEY_copy_parameters is deliberately`
Packit	c4476c	`* ignored. Some EVP_PKEY types cannot do this.`
Packit	c4476c	`*/`
Packit	c4476c	`EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);`
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`/*`
Packit	c4476c	`* Don't check the public/private key, this is mostly for smart`
Packit	c4476c	`* cards.`
Packit	c4476c	`*/`
Packit	c4476c	`if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA`
Packit	c4476c	`&& RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &`
Packit	c4476c	`RSA_METHOD_FLAG_NO_CHECK) ;`
Packit	c4476c	`else`
Packit	c4476c	`#endif /* OPENSSL_NO_RSA */`
Packit	c4476c	`if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {`
Packit	c4476c	`/*`
Packit	c4476c	`* don't fail for a cert/key mismatch, just free current private`
Packit	c4476c	`* key (when switching to a different cert & key, first this`
Packit	c4476c	`* function should be used, then ssl_set_pkey`
Packit	c4476c	`*/`
Packit	c4476c	`EVP_PKEY_free(c->pkeys[i].privatekey);`
Packit	c4476c	`c->pkeys[i].privatekey = NULL;`
Packit	c4476c	`/* clear error queue */`
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`X509_free(c->pkeys[i].x509);`
Packit	c4476c	`X509_up_ref(x);`
Packit	c4476c	`c->pkeys[i].x509 = x;`
Packit	c4476c	`c->key = &(c->pkeys[i]);`
Packit	c4476c
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_certificate_file(SSL_CTX ctx, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`int ret = 0;`
Packit	c4476c	`X509 *x = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`x = d2i_X509_bio(in, NULL);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,`
Packit	c4476c	`ctx->default_passwd_callback_userdata);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_CTX_use_certificate(ctx, x);`
Packit	c4476c	`end:`
Packit	c4476c	`X509_free(x);`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_certificate_ASN1(SSL_CTX ctx, int len, const unsigned char d)`
Packit	c4476c	`{`
Packit	c4476c	`X509 *x;`
Packit	c4476c	`int ret;`
Packit	c4476c
Packit	c4476c	`x = d2i_X509(NULL, &d, (long)len);`
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_CTX_use_certificate(ctx, x);`
Packit	c4476c	`X509_free(x);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`int SSL_CTX_use_RSAPrivateKey(SSL_CTX ctx, RSA rsa)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c	`EVP_PKEY *pkey;`
Packit	c4476c
Packit	c4476c	`if (rsa == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if ((pkey = EVP_PKEY_new()) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`RSA_up_ref(rsa);`
Packit	c4476c	`if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = ssl_set_pkey(ctx->cert, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX ctx, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j, ret = 0;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`RSA *rsa = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`rsa = d2i_RSAPrivateKey_bio(in, NULL);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`rsa = PEM_read_bio_RSAPrivateKey(in, NULL,`
Packit	c4476c	`ctx->default_passwd_callback,`
Packit	c4476c	`ctx->default_passwd_callback_userdata);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (rsa == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`end:`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX ctx, const unsigned char d,`
Packit	c4476c	`long len)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c	`const unsigned char *p;`
Packit	c4476c	`RSA *rsa;`
Packit	c4476c
Packit	c4476c	`p = d;`
Packit	c4476c	`if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);`
Packit	c4476c	`RSA_free(rsa);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c	`#endif /* !OPENSSL_NO_RSA */`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_PrivateKey(SSL_CTX ctx, EVP_PKEY pkey)`
Packit	c4476c	`{`
Packit	c4476c	`if (pkey == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`return ssl_set_pkey(ctx->cert, pkey);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_PrivateKey_file(SSL_CTX ctx, const char file, int type)`
Packit	c4476c	`{`
Packit	c4476c	`int j, ret = 0;`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`EVP_PKEY *pkey = NULL;`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (type == SSL_FILETYPE_PEM) {`
Packit	c4476c	`j = ERR_R_PEM_LIB;`
Packit	c4476c	`pkey = PEM_read_bio_PrivateKey(in, NULL,`
Packit	c4476c	`ctx->default_passwd_callback,`
Packit	c4476c	`ctx->default_passwd_callback_userdata);`
Packit	c4476c	`} else if (type == SSL_FILETYPE_ASN1) {`
Packit	c4476c	`j = ERR_R_ASN1_LIB;`
Packit	c4476c	`pkey = d2i_PrivateKey_bio(in, NULL);`
Packit	c4476c	`} else {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (pkey == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`ret = SSL_CTX_use_PrivateKey(ctx, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`end:`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,`
Packit	c4476c	`const unsigned char *d, long len)`
Packit	c4476c	`{`
Packit	c4476c	`int ret;`
Packit	c4476c	`const unsigned char *p;`
Packit	c4476c	`EVP_PKEY *pkey;`
Packit	c4476c
Packit	c4476c	`p = d;`
Packit	c4476c	`if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_CTX_use_PrivateKey(ctx, pkey);`
Packit	c4476c	`EVP_PKEY_free(pkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* Read a file that contains our certificate in "PEM" format, possibly`
Packit	c4476c	`* followed by a sequence of CA certificates that should be sent to the peer`
Packit	c4476c	`* in the Certificate message.`
Packit	c4476c	`*/`
Packit	c4476c	`static int use_certificate_chain_file(SSL_CTX ctx, SSL ssl, const char *file)`
Packit	c4476c	`{`
Packit	c4476c	`BIO *in;`
Packit	c4476c	`int ret = 0;`
Packit	c4476c	`X509 *x = NULL;`
Packit	c4476c	`pem_password_cb *passwd_callback;`
Packit	c4476c	`void *passwd_callback_userdata;`
Packit	c4476c
Packit	c4476c	`ERR_clear_error(); /* clear error stack for`
Packit	c4476c	`* SSL_CTX_use_certificate() */`
Packit	c4476c
Packit	c4476c	`if (ctx != NULL) {`
Packit	c4476c	`passwd_callback = ctx->default_passwd_callback;`
Packit	c4476c	`passwd_callback_userdata = ctx->default_passwd_callback_userdata;`
Packit	c4476c	`} else {`
Packit	c4476c	`passwd_callback = ssl->default_passwd_callback;`
Packit	c4476c	`passwd_callback_userdata = ssl->default_passwd_callback_userdata;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`in = BIO_new(BIO_s_file());`
Packit	c4476c	`if (in == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (BIO_read_filename(in, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,`
Packit	c4476c	`passwd_callback_userdata);`
Packit	c4476c	`if (x == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (ctx)`
Packit	c4476c	`ret = SSL_CTX_use_certificate(ctx, x);`
Packit	c4476c	`else`
Packit	c4476c	`ret = SSL_use_certificate(ssl, x);`
Packit	c4476c
Packit	c4476c	`if (ERR_peek_error() != 0)`
Packit	c4476c	`ret = 0; /* Key/certificate mismatch doesn't imply`
Packit	c4476c	`* ret==0 ... */`
Packit	c4476c	`if (ret) {`
Packit	c4476c	`/*`
Packit	c4476c	`* If we could set up our certificate, now proceed to the CA`
Packit	c4476c	`* certificates.`
Packit	c4476c	`*/`
Packit	c4476c	`X509 *ca;`
Packit	c4476c	`int r;`
Packit	c4476c	`unsigned long err;`
Packit	c4476c
Packit	c4476c	`if (ctx)`
Packit	c4476c	`r = SSL_CTX_clear_chain_certs(ctx);`
Packit	c4476c	`else`
Packit	c4476c	`r = SSL_clear_chain_certs(ssl);`
Packit	c4476c
Packit	c4476c	`if (r == 0) {`
Packit	c4476c	`ret = 0;`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,`
Packit	c4476c	`passwd_callback_userdata))`
Packit	c4476c	`!= NULL) {`
Packit	c4476c	`if (ctx)`
Packit	c4476c	`r = SSL_CTX_add0_chain_cert(ctx, ca);`
Packit	c4476c	`else`
Packit	c4476c	`r = SSL_add0_chain_cert(ssl, ca);`
Packit	c4476c	`/*`
Packit	c4476c	`* Note that we must not free ca if it was successfully added to`
Packit	c4476c	`* the chain (while we must free the main certificate, since its`
Packit	c4476c	`* reference count is increased by SSL_CTX_use_certificate).`
Packit	c4476c	`*/`
Packit	c4476c	`if (!r) {`
Packit	c4476c	`X509_free(ca);`
Packit	c4476c	`ret = 0;`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c	`/* When the while loop ends, it's usually just EOF. */`
Packit	c4476c	`err = ERR_peek_last_error();`
Packit	c4476c	`if (ERR_GET_LIB(err) == ERR_LIB_PEM`
Packit	c4476c	`&& ERR_GET_REASON(err) == PEM_R_NO_START_LINE)`
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c	`else`
Packit	c4476c	`ret = 0; /* some real error */`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`end:`
Packit	c4476c	`X509_free(x);`
Packit	c4476c	`BIO_free(in);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_certificate_chain_file(SSL_CTX ctx, const char file)`
Packit	c4476c	`{`
Packit	c4476c	`return use_certificate_chain_file(ctx, NULL, file);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_certificate_chain_file(SSL ssl, const char file)`
Packit	c4476c	`{`
Packit	c4476c	`return use_certificate_chain_file(NULL, ssl, file);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int serverinfo_find_extension(const unsigned char *serverinfo,`
Packit	c4476c	`size_t serverinfo_length,`
Packit	c4476c	`unsigned int extension_type,`
Packit	c4476c	`const unsigned char **extension_data,`
Packit	c4476c	`size_t *extension_length)`
Packit	c4476c	`{`
Packit	c4476c	`PACKET pkt, data;`
Packit	c4476c
Packit	c4476c	`*extension_data = NULL;`
Packit	c4476c	`*extension_length = 0;`
Packit	c4476c	`if (serverinfo == NULL \|\| serverinfo_length == 0)`
Packit	c4476c	`return -1;`
Packit	c4476c
Packit	c4476c	`if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))`
Packit	c4476c	`return -1;`
Packit	c4476c
Packit	c4476c	`for (;;) {`
Packit	c4476c	`unsigned int type = 0;`
Packit	c4476c	`unsigned long context = 0;`
Packit	c4476c
Packit	c4476c	`/* end of serverinfo */`
Packit	c4476c	`if (PACKET_remaining(&pkt) == 0)`
Packit	c4476c	`return 0; /* Extension not found */`
Packit	c4476c
Packit	c4476c	`if (!PACKET_get_net_4(&pkt, &context)`
Packit	c4476c	`\|\| !PACKET_get_net_2(&pkt, &type)`
Packit	c4476c	`\|\| !PACKET_get_length_prefixed_2(&pkt, &data))`
Packit	c4476c	`return -1;`
Packit	c4476c
Packit	c4476c	`if (type == extension_type) {`
Packit	c4476c	`*extension_data = PACKET_data(&data);`
Packit	c4476c	`*extension_length = PACKET_remaining(&data);;`
Packit	c4476c	`return 1; /* Success */`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c	`/* Unreachable */`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type,`
Packit	c4476c	`unsigned int context,`
Packit	c4476c	`const unsigned char *in,`
Packit	c4476c	`size_t inlen, X509 *x, size_t chainidx,`
Packit	c4476c	`int al, void arg)`
Packit	c4476c	`{`
Packit	c4476c
Packit	c4476c	`if (inlen != 0) {`
Packit	c4476c	`*al = SSL_AD_DECODE_ERROR;`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,`
Packit	c4476c	`const unsigned char *in,`
Packit	c4476c	`size_t inlen, int al, void arg)`
Packit	c4476c	`{`
Packit	c4476c	`return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al,`
Packit	c4476c	`arg);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type,`
Packit	c4476c	`unsigned int context,`
Packit	c4476c	`const unsigned char **out,`
Packit	c4476c	`size_t outlen, X509 x, size_t chainidx,`
Packit	c4476c	`int al, void arg)`
Packit	c4476c	`{`
Packit	c4476c	`const unsigned char *serverinfo = NULL;`
Packit	c4476c	`size_t serverinfo_length = 0;`
Packit	c4476c
Packit	c4476c	`/* We only support extensions for the first Certificate */`
Packit	c4476c	`if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0)`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`/* Is there serverinfo data for the chosen server cert? */`
Packit	c4476c	`if ((ssl_get_server_cert_serverinfo(s, &serverinfo,`
Packit	c4476c	`&serverinfo_length)) != 0) {`
Packit	c4476c	`/* Find the relevant extension from the serverinfo */`
Packit	c4476c	`int retval = serverinfo_find_extension(serverinfo, serverinfo_length,`
Packit	c4476c	`ext_type, out, outlen);`
Packit	c4476c	`if (retval == -1) {`
Packit	c4476c	`*al = SSL_AD_INTERNAL_ERROR;`
Packit	c4476c	`return -1; /* Error */`
Packit	c4476c	`}`
Packit	c4476c	`if (retval == 0)`
Packit	c4476c	`return 0; /* No extension found, don't send extension */`
Packit	c4476c	`return 1; /* Send extension */`
Packit	c4476c	`}`
Packit	c4476c	`return 0; /* No serverinfo data found, don't send`
Packit	c4476c	`* extension */`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,`
Packit	c4476c	`const unsigned char *out, size_t outlen,`
Packit	c4476c	`int al, void arg)`
Packit	c4476c	`{`
Packit	c4476c	`return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al,`
Packit	c4476c	`arg);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* With a NULL context, this function just checks that the serverinfo data`
Packit	c4476c	`* parses correctly. With a non-NULL context, it registers callbacks for`
Packit	c4476c	`* the included extensions.`
Packit	c4476c	`*/`
Packit	c4476c	`static int serverinfo_process_buffer(unsigned int version,`
Packit	c4476c	`const unsigned char *serverinfo,`
Packit	c4476c	`size_t serverinfo_length, SSL_CTX *ctx)`
Packit	c4476c	`{`
Packit	c4476c	`PACKET pkt;`
Packit	c4476c
Packit	c4476c	`if (serverinfo == NULL \|\| serverinfo_length == 0)`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2)`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`while (PACKET_remaining(&pkt)) {`
Packit	c4476c	`unsigned long context = 0;`
Packit	c4476c	`unsigned int ext_type = 0;`
Packit	c4476c	`PACKET data;`
Packit	c4476c
Packit	c4476c	`if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context))`
Packit	c4476c	`\|\| !PACKET_get_net_2(&pkt, &ext_type)`
Packit	c4476c	`\|\| !PACKET_get_length_prefixed_2(&pkt, &data))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`if (ctx == NULL)`
Packit	c4476c	`continue;`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* The old style custom extensions API could be set separately for`
Packit	c4476c	`* server/client, i.e. you could set one custom extension for a client,`
Packit	c4476c	`* and for the same extension in the same SSL_CTX you could set a`
Packit	c4476c	`* custom extension for the server as well. It seems quite weird to be`
Packit	c4476c	`* setting a custom extension for both client and server in a single`
Packit	c4476c	`* SSL_CTX - but theoretically possible. This isn't possible in the`
Packit	c4476c	`* new API. Therefore, if we have V1 serverinfo we use the old API. We`
Packit	c4476c	`* also use the old API even if we have V2 serverinfo but the context`
Packit	c4476c	`* looks like an old style <= TLSv1.2 extension.`
Packit	c4476c	`*/`
Packit	c4476c	`if (version == SSL_SERVERINFOV1 \|\| context == SYNTHV1CONTEXT) {`
Packit	c4476c	`if (!SSL_CTX_add_server_custom_ext(ctx, ext_type,`
Packit	c4476c	`serverinfo_srv_add_cb,`
Packit	c4476c	`NULL, NULL,`
Packit	c4476c	`serverinfo_srv_parse_cb,`
Packit	c4476c	`NULL))`
Packit	c4476c	`return 0;`
Packit	c4476c	`} else {`
Packit	c4476c	`if (!SSL_CTX_add_custom_ext(ctx, ext_type, context,`
Packit	c4476c	`serverinfoex_srv_add_cb,`
Packit	c4476c	`NULL, NULL,`
Packit	c4476c	`serverinfoex_srv_parse_cb,`
Packit	c4476c	`NULL))`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,`
Packit	c4476c	`const unsigned char *serverinfo,`
Packit	c4476c	`size_t serverinfo_length)`
Packit	c4476c	`{`
Packit	c4476c	`unsigned char *new_serverinfo;`
Packit	c4476c
Packit	c4476c	`if (ctx == NULL \|\| serverinfo == NULL \|\| serverinfo_length == 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,`
Packit	c4476c	`NULL)) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if (ctx->cert->key == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,`
Packit	c4476c	`serverinfo_length);`
Packit	c4476c	`if (new_serverinfo == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`ctx->cert->key->serverinfo = new_serverinfo;`
Packit	c4476c	`memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);`
Packit	c4476c	`ctx->cert->key->serverinfo_length = serverinfo_length;`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* Now that the serverinfo is validated and stored, go ahead and`
Packit	c4476c	`* register callbacks.`
Packit	c4476c	`*/`
Packit	c4476c	`if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length,`
Packit	c4476c	`ctx)) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_serverinfo(SSL_CTX ctx, const unsigned char serverinfo,`
Packit	c4476c	`size_t serverinfo_length)`
Packit	c4476c	`{`
Packit	c4476c	`return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo,`
Packit	c4476c	`serverinfo_length);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_serverinfo_file(SSL_CTX ctx, const char file)`
Packit	c4476c	`{`
Packit	c4476c	`unsigned char *serverinfo = NULL;`
Packit	c4476c	`unsigned char *tmp;`
Packit	c4476c	`size_t serverinfo_length = 0;`
Packit	c4476c	`unsigned char *extension = 0;`
Packit	c4476c	`long extension_length = 0;`
Packit	c4476c	`char *name = NULL;`
Packit	c4476c	`char *header = NULL;`
Packit	c4476c	`char namePrefix1[] = "SERVERINFO FOR ";`
Packit	c4476c	`char namePrefix2[] = "SERVERINFOV2 FOR ";`
Packit	c4476c	`int ret = 0;`
Packit	c4476c	`BIO *bin = NULL;`
Packit	c4476c	`size_t num_extensions = 0, contextoff = 0;`
Packit	c4476c
Packit	c4476c	`if (ctx == NULL \|\| file == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`bin = BIO_new(BIO_s_file());`
Packit	c4476c	`if (bin == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_BUF_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (BIO_read_filename(bin, file) <= 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_SYS_LIB);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`for (num_extensions = 0;; num_extensions++) {`
Packit	c4476c	`unsigned int version;`
Packit	c4476c
Packit	c4476c	`if (PEM_read_bio(bin, &name, &header, &extension, &extension_length)`
Packit	c4476c	`== 0) {`
Packit	c4476c	`/*`
Packit	c4476c	`* There must be at least one extension in this file`
Packit	c4476c	`*/`
Packit	c4476c	`if (num_extensions == 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,`
Packit	c4476c	`SSL_R_NO_PEM_EXTENSIONS);`
Packit	c4476c	`goto end;`
Packit	c4476c	`} else /* End of file, we're done */`
Packit	c4476c	`break;`
Packit	c4476c	`}`
Packit	c4476c	`/* Check that PEM name starts with "BEGIN SERVERINFO FOR " */`
Packit	c4476c	`if (strlen(name) < strlen(namePrefix1)) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (strncmp(name, namePrefix1, strlen(namePrefix1)) == 0) {`
Packit	c4476c	`version = SSL_SERVERINFOV1;`
Packit	c4476c	`} else {`
Packit	c4476c	`if (strlen(name) < strlen(namePrefix2)) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,`
Packit	c4476c	`SSL_R_PEM_NAME_TOO_SHORT);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (strncmp(name, namePrefix2, strlen(namePrefix2)) != 0) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,`
Packit	c4476c	`SSL_R_PEM_NAME_BAD_PREFIX);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`version = SSL_SERVERINFOV2;`
Packit	c4476c	`}`
Packit	c4476c	`/*`
Packit	c4476c	`* Check that the decoded PEM data is plausible (valid length field)`
Packit	c4476c	`*/`
Packit	c4476c	`if (version == SSL_SERVERINFOV1) {`
Packit	c4476c	`/* 4 byte header: 2 bytes type, 2 bytes len */`
Packit	c4476c	`if (extension_length < 4`
Packit	c4476c	`\|\| (extension[2] << 8) + extension[3]`
Packit	c4476c	`!= extension_length - 4) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`/*`
Packit	c4476c	`* File does not have a context value so we must take account of`
Packit	c4476c	`* this later.`
Packit	c4476c	`*/`
Packit	c4476c	`contextoff = 4;`
Packit	c4476c	`} else {`
Packit	c4476c	`/* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */`
Packit	c4476c	`if (extension_length < 8`
Packit	c4476c	`\|\| (extension[6] << 8) + extension[7]`
Packit	c4476c	`!= extension_length - 8) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c	`/* Append the decoded extension to the serverinfo buffer */`
Packit	c4476c	`tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length`
Packit	c4476c	`+ contextoff);`
Packit	c4476c	`if (tmp == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`serverinfo = tmp;`
Packit	c4476c	`if (contextoff > 0) {`
Packit	c4476c	`unsigned char *sinfo = serverinfo + serverinfo_length;`
Packit	c4476c
Packit	c4476c	`/* We know this only uses the last 2 bytes */`
Packit	c4476c	`sinfo[0] = 0;`
Packit	c4476c	`sinfo[1] = 0;`
Packit	c4476c	`sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff;`
Packit	c4476c	`sinfo[3] = SYNTHV1CONTEXT & 0xff;`
Packit	c4476c	`}`
Packit	c4476c	`memcpy(serverinfo + serverinfo_length + contextoff,`
Packit	c4476c	`extension, extension_length);`
Packit	c4476c	`serverinfo_length += extension_length + contextoff;`
Packit	c4476c
Packit	c4476c	`OPENSSL_free(name);`
Packit	c4476c	`name = NULL;`
Packit	c4476c	`OPENSSL_free(header);`
Packit	c4476c	`header = NULL;`
Packit	c4476c	`OPENSSL_free(extension);`
Packit	c4476c	`extension = NULL;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, serverinfo,`
Packit	c4476c	`serverinfo_length);`
Packit	c4476c	`end:`
Packit	c4476c	`/* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */`
Packit	c4476c	`OPENSSL_free(name);`
Packit	c4476c	`OPENSSL_free(header);`
Packit	c4476c	`OPENSSL_free(extension);`
Packit	c4476c	`OPENSSL_free(serverinfo);`
Packit	c4476c	`BIO_free(bin);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int ssl_set_cert_and_key(SSL ssl, SSL_CTX ctx, X509 x509, EVP_PKEY privatekey,`
Packit	c4476c	`STACK_OF(X509) *chain, int override)`
Packit	c4476c	`{`
Packit	c4476c	`int ret = 0;`
Packit	c4476c	`size_t i;`
Packit	c4476c	`int j;`
Packit	c4476c	`int rv;`
Packit	c4476c	`CERT *c = ssl != NULL ? ssl->cert : ctx->cert;`
Packit	c4476c	`STACK_OF(X509) *dup_chain = NULL;`
Packit	c4476c	`EVP_PKEY *pubkey = NULL;`
Packit	c4476c
Packit	c4476c	`/* Do all security checks before anything else */`
Packit	c4476c	`rv = ssl_security_cert(ssl, ctx, x509, 0, 1);`
Packit	c4476c	`if (rv != 1) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c	`for (j = 0; j < sk_X509_num(chain); j++) {`
Packit	c4476c	`rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0);`
Packit	c4476c	`if (rv != 1) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`pubkey = X509_get_pubkey(x509); /* bumps reference */`
Packit	c4476c	`if (pubkey == NULL)`
Packit	c4476c	`goto out;`
Packit	c4476c	`if (privatekey == NULL) {`
Packit	c4476c	`privatekey = pubkey;`
Packit	c4476c	`} else {`
Packit	c4476c	`/* For RSA, which has no parameters, missing returns 0 */`
Packit	c4476c	`if (EVP_PKEY_missing_parameters(privatekey)) {`
Packit	c4476c	`if (EVP_PKEY_missing_parameters(pubkey)) {`
Packit	c4476c	`/* nobody has parameters? - error */`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS);`
Packit	c4476c	`goto out;`
Packit	c4476c	`} else {`
Packit	c4476c	`/* copy to privatekey from pubkey */`
Packit	c4476c	`EVP_PKEY_copy_parameters(privatekey, pubkey);`
Packit	c4476c	`}`
Packit	c4476c	`} else if (EVP_PKEY_missing_parameters(pubkey)) {`
Packit	c4476c	`/* copy to pubkey from privatekey */`
Packit	c4476c	`EVP_PKEY_copy_parameters(pubkey, privatekey);`
Packit	c4476c	`} /* else both have parameters */`
Packit	c4476c
Packit	c4476c	`/* Copied from ssl_set_cert/pkey */`
Packit	c4476c	`#ifndef OPENSSL_NO_RSA`
Packit	c4476c	`if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&`
Packit	c4476c	`((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))`
Packit	c4476c	`/* no-op */ ;`
Packit	c4476c	`else`
Packit	c4476c	`#endif`
Packit	c4476c	`/* check that key <-> cert match */`
Packit	c4476c	`if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c	`if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (!override && (c->pkeys[i].x509 != NULL`
Packit	c4476c	`\|\| c->pkeys[i].privatekey != NULL`
Packit	c4476c	`\|\| c->pkeys[i].chain != NULL)) {`
Packit	c4476c	`/* No override, and something already there */`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if (chain != NULL) {`
Packit	c4476c	`dup_chain = X509_chain_up_ref(chain);`
Packit	c4476c	`if (dup_chain == NULL) {`
Packit	c4476c	`SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE);`
Packit	c4476c	`goto out;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`sk_X509_pop_free(c->pkeys[i].chain, X509_free);`
Packit	c4476c	`c->pkeys[i].chain = dup_chain;`
Packit	c4476c
Packit	c4476c	`X509_free(c->pkeys[i].x509);`
Packit	c4476c	`X509_up_ref(x509);`
Packit	c4476c	`c->pkeys[i].x509 = x509;`
Packit	c4476c
Packit	c4476c	`EVP_PKEY_free(c->pkeys[i].privatekey);`
Packit	c4476c	`EVP_PKEY_up_ref(privatekey);`
Packit	c4476c	`c->pkeys[i].privatekey = privatekey;`
Packit	c4476c
Packit	c4476c	`c->key = &(c->pkeys[i]);`
Packit	c4476c
Packit	c4476c	`ret = 1;`
Packit	c4476c	`out:`
Packit	c4476c	`EVP_PKEY_free(pubkey);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_use_cert_and_key(SSL ssl, X509 x509, EVP_PKEY *privatekey,`
Packit	c4476c	`STACK_OF(X509) *chain, int override)`
Packit	c4476c	`{`
Packit	c4476c	`return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SSL_CTX_use_cert_and_key(SSL_CTX ctx, X509 x509, EVP_PKEY *privatekey,`
Packit	c4476c	`STACK_OF(X509) *chain, int override)`
Packit	c4476c	`{`
Packit	c4476c	`return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override);`
Packit	c4476c	`}`

source-git / openssl

Source Code

Blame ssl/ssl_rsa.c