kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
76 Cometimentos
12 Ramos
38 MiB
Árvore: e0ddf2706a
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de 'e0ddf2706a'
${ noResults }
boringssl/ssl/ssl_rsa.c

ssl_rsa.c 31 KiB
Em bruto Vista normal Histórico

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
há 10 anos
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <stdio.h>

  58. 

  59. #include <openssl/bio.h>

  60. #include <openssl/err.h>

  61. #include <openssl/evp.h>

  62. #include <openssl/mem.h>

  63. #include <openssl/obj.h>

  64. #include <openssl/pem.h>

  65. #include <openssl/x509.h>

  66. 

  67. #include "ssl_locl.h"

  68. 

  69. static int ssl_set_cert(CERT *c, X509 *x509);

  70. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);

  71. #ifndef OPENSSL_NO_TLSEXT

  72. static int ssl_set_authz(CERT *c, unsigned char *authz,

  73. 			 size_t authz_length);

  74. #endif

  75. int SSL_use_certificate(SSL *ssl, X509 *x)

  76. 	{

  77. 	if (x == NULL)

  78. 		{

  79. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_PASSED_NULL_PARAMETER);

  80. 		return(0);

  81. 		}

  82. 	if (!ssl_cert_inst(&ssl->cert))

  83. 		{

  84. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_MALLOC_FAILURE);

  85. 		return(0);

  86. 		}

  87. 	return(ssl_set_cert(ssl->cert,x));

  88. 	}

  89. 

  90. #ifndef OPENSSL_NO_STDIO

  91. int SSL_use_certificate_file(SSL *ssl, const char *file, int type)

  92. 	{

  93. 	int reason_code;

  94. 	BIO *in;

  95. 	int ret=0;

  96. 	X509 *x=NULL;

  97. 

  98. 	in=BIO_new(BIO_s_file());

  99. 	if (in == NULL)

  100. 		{

  101. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, ERR_R_BUF_LIB);

  102. 		goto end;

  103. 		}

  104. 

  105. 	if (BIO_read_filename(in,file) <= 0)

  106. 		{

  107. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, ERR_R_SYS_LIB);

  108. 		goto end;

  109. 		}

  110. 	if (type == SSL_FILETYPE_ASN1)

  111. 		{

  112. 		reason_code =ERR_R_ASN1_LIB;

  113. 		x=d2i_X509_bio(in,NULL);

  114. 		}

  115. 	else if (type == SSL_FILETYPE_PEM)

  116. 		{

  117. 		reason_code=ERR_R_PEM_LIB;

  118. 		x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);

  119. 		}

  120. 	else

  121. 		{

  122. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file, SSL_R_BAD_SSL_FILETYPE);

  123. 		goto end;

  124. 		}

  125. 

  126. 	if (x == NULL)

  127. 		{

  128. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_file,reason_code);

  129. 		goto end;

  130. 		}

  131. 

  132. 	ret=SSL_use_certificate(ssl,x);

  133. end:

  134. 	if (x != NULL) X509_free(x);

  135. 	if (in != NULL) BIO_free(in);

  136. 	return(ret);

  137. 	}

  138. #endif

  139. 

  140. int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)

  141. 	{

  142. 	X509 *x;

  143. 	int ret;

  144. 

  145. 	x=d2i_X509(NULL,&d,(long)len);

  146. 	if (x == NULL)

  147. 		{

  148. 		OPENSSL_PUT_ERROR(SSL, SSL_use_certificate_ASN1, ERR_R_ASN1_LIB);

  149. 		return(0);

  150. 		}

  151. 

  152. 	ret=SSL_use_certificate(ssl,x);

  153. 	X509_free(x);

  154. 	return(ret);

  155. 	}

  156. 

  157. #ifndef OPENSSL_NO_RSA

  158. int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)

  159. 	{

  160. 	EVP_PKEY *pkey;

  161. 	int ret;

  162. 

  163. 	if (rsa == NULL)

  164. 		{

  165. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_PASSED_NULL_PARAMETER);

  166. 		return(0);

  167. 		}

  168. 	if (!ssl_cert_inst(&ssl->cert))

  169. 		{

  170. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);

  171. 		return(0);

  172. 		}

  173. 	if ((pkey=EVP_PKEY_new()) == NULL)

  174. 		{

  175. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_EVP_LIB);

  176. 		return(0);

  177. 		}

  178. 

  179. 	RSA_up_ref(rsa);

  180. 	EVP_PKEY_assign_RSA(pkey,rsa);

  181. 

  182. 	ret=ssl_set_pkey(ssl->cert,pkey);

  183. 	EVP_PKEY_free(pkey);

  184. 	return(ret);

  185. 	}

  186. #endif

  187. 

  188. static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)

  189. 	{

  190. 	int i;

  191. 	/* Special case for DH: check two DH certificate types for a match.

  192. 	 * This means for DH certificates we must set the certificate first.

  193. 	 */

  194. 	if (pkey->type == EVP_PKEY_DH)

  195. 		{

  196. 		X509 *x;

  197. 		i = -1;

  198. 		x = c->pkeys[SSL_PKEY_DH_RSA].x509;

  199. 		if (x && X509_check_private_key(x, pkey))

  200. 				i = SSL_PKEY_DH_RSA;

  201. 		x = c->pkeys[SSL_PKEY_DH_DSA].x509;

  202. 		if (i == -1 && x && X509_check_private_key(x, pkey))

  203. 				i = SSL_PKEY_DH_DSA;

  204. 		ERR_clear_error();

  205. 		}

  206. 	else 

  207. 		i=ssl_cert_type(NULL,pkey);

  208. 	if (i < 0)

  209. 		{

  210. 		OPENSSL_PUT_ERROR(SSL, ssl_set_pkey, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  211. 		return(0);

  212. 		}

  213. 

  214. 	if (c->pkeys[i].x509 != NULL)

  215. 		{

  216. 		EVP_PKEY *pktmp;

  217. 		pktmp =	X509_get_pubkey(c->pkeys[i].x509);

  218. 		EVP_PKEY_copy_parameters(pktmp,pkey);

  219. 		EVP_PKEY_free(pktmp);

  220. 		ERR_clear_error();

  221. 

  222.                 /* TODO(fork): remove this? */

  223. #if 0

  224. #ifndef OPENSSL_NO_RSA

  225. 		/* Don't check the public/private key, this is mostly

  226. 		 * for smart cards. */

  227. 		if ((pkey->type == EVP_PKEY_RSA) &&

  228. 			(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))

  229. 			;

  230. 		else

  231. #endif

  232. #endif

  233. 		if (!X509_check_private_key(c->pkeys[i].x509,pkey))

  234. 			{

  235. 			X509_free(c->pkeys[i].x509);

  236. 			c->pkeys[i].x509 = NULL;

  237. 			return 0;

  238. 			}

  239. 		}

  240. 

  241. 	if (c->pkeys[i].privatekey != NULL)

  242. 		EVP_PKEY_free(c->pkeys[i].privatekey);

  243. 	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);

  244. 	c->pkeys[i].privatekey=pkey;

  245. 	c->key= &(c->pkeys[i]);

  246. 

  247. 	c->valid=0;

  248. 	return(1);

  249. 	}

  250. 

  251. #ifndef OPENSSL_NO_RSA

  252. #ifndef OPENSSL_NO_STDIO

  253. int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)

  254. 	{

  255. 	int reason_code,ret=0;

  256. 	BIO *in;

  257. 	RSA *rsa=NULL;

  258. 

  259. 	in=BIO_new(BIO_s_file());

  260. 	if (in == NULL)

  261. 		{

  262. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, ERR_R_BUF_LIB);

  263. 		goto end;

  264. 		}

  265. 

  266. 	if (BIO_read_filename(in,file) <= 0)

  267. 		{

  268. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, ERR_R_SYS_LIB);

  269. 		goto end;

  270. 		}

  271. 	if	(type == SSL_FILETYPE_ASN1)

  272. 		{

  273. 		reason_code=ERR_R_ASN1_LIB;

  274. 		rsa=d2i_RSAPrivateKey_bio(in,NULL);

  275. 		}

  276. 	else if (type == SSL_FILETYPE_PEM)

  277. 		{

  278. 		reason_code=ERR_R_PEM_LIB;

  279. 		rsa=PEM_read_bio_RSAPrivateKey(in,NULL,

  280. 			ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);

  281. 		}

  282. 	else

  283. 		{

  284. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file, SSL_R_BAD_SSL_FILETYPE);

  285. 		goto end;

  286. 		}

  287. 	if (rsa == NULL)

  288. 		{

  289. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_file,reason_code);

  290. 		goto end;

  291. 		}

  292. 	ret=SSL_use_RSAPrivateKey(ssl,rsa);

  293. 	RSA_free(rsa);

  294. end:

  295. 	if (in != NULL) BIO_free(in);

  296. 	return(ret);

  297. 	}

  298. #endif

  299. 

  300. int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)

  301. 	{

  302. 	int ret;

  303. 	const unsigned char *p;

  304. 	RSA *rsa;

  305. 

  306. 	p=d;

  307. 	if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)

  308. 		{

  309. 		OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey_ASN1, ERR_R_ASN1_LIB);

  310. 		return(0);

  311. 		}

  312. 

  313. 	ret=SSL_use_RSAPrivateKey(ssl,rsa);

  314. 	RSA_free(rsa);

  315. 	return(ret);

  316. 	}

  317. #endif /* !OPENSSL_NO_RSA */

  318. 

  319. int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)

  320. 	{

  321. 	int ret;

  322. 

  323. 	if (pkey == NULL)

  324. 		{

  325. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_PASSED_NULL_PARAMETER);

  326. 		return(0);

  327. 		}

  328. 	if (!ssl_cert_inst(&ssl->cert))

  329. 		{

  330. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_MALLOC_FAILURE);

  331. 		return(0);

  332. 		}

  333. 	ret=ssl_set_pkey(ssl->cert,pkey);

  334. 	return(ret);

  335. 	}

  336. 

  337. #ifndef OPENSSL_NO_STDIO

  338. int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)

  339. 	{

  340. 	int reason_code,ret=0;

  341. 	BIO *in;

  342. 	EVP_PKEY *pkey=NULL;

  343. 

  344. 	in=BIO_new(BIO_s_file());

  345. 	if (in == NULL)

  346. 		{

  347. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, ERR_R_BUF_LIB);

  348. 		goto end;

  349. 		}

  350. 

  351. 	if (BIO_read_filename(in,file) <= 0)

  352. 		{

  353. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, ERR_R_SYS_LIB);

  354. 		goto end;

  355. 		}

  356. 	if (type == SSL_FILETYPE_PEM)

  357. 		{

  358. 		reason_code=ERR_R_PEM_LIB;

  359. 		pkey=PEM_read_bio_PrivateKey(in,NULL,

  360. 			ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);

  361. 		}

  362. 	else if (type == SSL_FILETYPE_ASN1)

  363. 		{

  364. 		reason_code = ERR_R_ASN1_LIB;

  365. 		pkey = d2i_PrivateKey_bio(in,NULL);

  366. 		}

  367. 	else

  368. 		{

  369. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file, SSL_R_BAD_SSL_FILETYPE);

  370. 		goto end;

  371. 		}

  372. 	if (pkey == NULL)

  373. 		{

  374. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_file,reason_code);

  375. 		goto end;

  376. 		}

  377. 	ret=SSL_use_PrivateKey(ssl,pkey);

  378. 	EVP_PKEY_free(pkey);

  379. end:

  380. 	if (in != NULL) BIO_free(in);

  381. 	return(ret);

  382. 	}

  383. #endif

  384. 

  385. int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)

  386. 	{

  387. 	int ret;

  388. 	const unsigned char *p;

  389. 	EVP_PKEY *pkey;

  390. 

  391. 	p=d;

  392. 	if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)

  393. 		{

  394. 		OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey_ASN1, ERR_R_ASN1_LIB);

  395. 		return(0);

  396. 		}

  397. 

  398. 	ret=SSL_use_PrivateKey(ssl,pkey);

  399. 	EVP_PKEY_free(pkey);

  400. 	return(ret);

  401. 	}

  402. 

  403. int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)

  404. 	{

  405. 	if (x == NULL)

  406. 		{

  407. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_PASSED_NULL_PARAMETER);

  408. 		return(0);

  409. 		}

  410. 	if (!ssl_cert_inst(&ctx->cert))

  411. 		{

  412. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_MALLOC_FAILURE);

  413. 		return(0);

  414. 		}

  415. 	return(ssl_set_cert(ctx->cert, x));

  416. 	}

  417. 

  418. static int ssl_set_cert(CERT *c, X509 *x)

  419. 	{

  420. 	EVP_PKEY *pkey;

  421. 	int i;

  422. 

  423. 	pkey=X509_get_pubkey(x);

  424. 	if (pkey == NULL)

  425. 		{

  426. 		OPENSSL_PUT_ERROR(SSL, ssl_set_cert, SSL_R_X509_LIB);

  427. 		return(0);

  428. 		}

  429. 

  430. 	i=ssl_cert_type(x,pkey);

  431. 	if (i < 0)

  432. 		{

  433. 		OPENSSL_PUT_ERROR(SSL, ssl_set_cert, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  434. 		EVP_PKEY_free(pkey);

  435. 		return(0);

  436. 		}

  437. 

  438. 	if (c->pkeys[i].privatekey != NULL)

  439. 		{

  440. 		EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);

  441. 		ERR_clear_error();

  442. 

  443.                 /* TODO(fork): remove this? */

  444. #if 0

  445. #ifndef OPENSSL_NO_RSA

  446. 		/* Don't check the public/private key, this is mostly

  447. 		 * for smart cards. */

  448. 		if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&

  449. 			(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &

  450. 			 RSA_METHOD_FLAG_NO_CHECK))

  451. 			 ;

  452. 		else

  453. #endif /* OPENSSL_NO_RSA */

  454. #endif

  455. 		if (!X509_check_private_key(x,c->pkeys[i].privatekey))

  456. 			{

  457. 			/* don't fail for a cert/key mismatch, just free

  458. 			 * current private key (when switching to a different

  459. 			 * cert & key, first this function should be used,

  460. 			 * then ssl_set_pkey */

  461. 			EVP_PKEY_free(c->pkeys[i].privatekey);

  462. 			c->pkeys[i].privatekey=NULL;

  463. 			/* clear error queue */

  464. 			ERR_clear_error();

  465. 			}

  466. 		}

  467. 

  468. 	EVP_PKEY_free(pkey);

  469. 

  470. 	if (c->pkeys[i].x509 != NULL)

  471. 		X509_free(c->pkeys[i].x509);

  472. 	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);

  473. 	c->pkeys[i].x509=x;

  474. 	c->key= &(c->pkeys[i]);

  475. 

  476. 	c->valid=0;

  477. 	return(1);

  478. 	}

  479. 

  480. #ifndef OPENSSL_NO_STDIO

  481. int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)

  482. 	{

  483. 	int reason_code;

  484. 	BIO *in;

  485. 	int ret=0;

  486. 	X509 *x=NULL;

  487. 

  488. 	in=BIO_new(BIO_s_file());

  489. 	if (in == NULL)

  490. 		{

  491. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, ERR_R_BUF_LIB);

  492. 		goto end;

  493. 		}

  494. 

  495. 	if (BIO_read_filename(in,file) <= 0)

  496. 		{

  497. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, ERR_R_SYS_LIB);

  498. 		goto end;

  499. 		}

  500. 	if (type == SSL_FILETYPE_ASN1)

  501. 		{

  502. 		reason_code=ERR_R_ASN1_LIB;

  503. 		x=d2i_X509_bio(in,NULL);

  504. 		}

  505. 	else if (type == SSL_FILETYPE_PEM)

  506. 		{

  507. 		reason_code=ERR_R_PEM_LIB;

  508. 		x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);

  509. 		}

  510. 	else

  511. 		{

  512. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file, SSL_R_BAD_SSL_FILETYPE);

  513. 		goto end;

  514. 		}

  515. 

  516. 	if (x == NULL)

  517. 		{

  518. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_file,reason_code);

  519. 		goto end;

  520. 		}

  521. 

  522. 	ret=SSL_CTX_use_certificate(ctx,x);

  523. end:

  524. 	if (x != NULL) X509_free(x);

  525. 	if (in != NULL) BIO_free(in);

  526. 	return(ret);

  527. 	}

  528. #endif

  529. 

  530. int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)

  531. 	{

  532. 	X509 *x;

  533. 	int ret;

  534. 

  535. 	x=d2i_X509(NULL,&d,(long)len);

  536. 	if (x == NULL)

  537. 		{

  538. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_ASN1, ERR_R_ASN1_LIB);

  539. 		return(0);

  540. 		}

  541. 

  542. 	ret=SSL_CTX_use_certificate(ctx,x);

  543. 	X509_free(x);

  544. 	return(ret);

  545. 	}

  546. 

  547. #ifndef OPENSSL_NO_RSA

  548. int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)

  549. 	{

  550. 	int ret;

  551. 	EVP_PKEY *pkey;

  552. 

  553. 	if (rsa == NULL)

  554. 		{

  555. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_PASSED_NULL_PARAMETER);

  556. 		return(0);

  557. 		}

  558. 	if (!ssl_cert_inst(&ctx->cert))

  559. 		{

  560. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);

  561. 		return(0);

  562. 		}

  563. 	if ((pkey=EVP_PKEY_new()) == NULL)

  564. 		{

  565. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_EVP_LIB);

  566. 		return(0);

  567. 		}

  568. 

  569. 	RSA_up_ref(rsa);

  570. 	EVP_PKEY_assign_RSA(pkey,rsa);

  571. 

  572. 	ret=ssl_set_pkey(ctx->cert, pkey);

  573. 	EVP_PKEY_free(pkey);

  574. 	return(ret);

  575. 	}

  576. 

  577. #ifndef OPENSSL_NO_STDIO

  578. int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)

  579. 	{

  580. 	int reason_code,ret=0;

  581. 	BIO *in;

  582. 	RSA *rsa=NULL;

  583. 

  584. 	in=BIO_new(BIO_s_file());

  585. 	if (in == NULL)

  586. 		{

  587. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, ERR_R_BUF_LIB);

  588. 		goto end;

  589. 		}

  590. 

  591. 	if (BIO_read_filename(in,file) <= 0)

  592. 		{

  593. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, ERR_R_SYS_LIB);

  594. 		goto end;

  595. 		}

  596. 	if	(type == SSL_FILETYPE_ASN1)

  597. 		{

  598. 		reason_code=ERR_R_ASN1_LIB;

  599. 		rsa=d2i_RSAPrivateKey_bio(in,NULL);

  600. 		}

  601. 	else if (type == SSL_FILETYPE_PEM)

  602. 		{

  603. 		reason_code=ERR_R_PEM_LIB;

  604. 		rsa=PEM_read_bio_RSAPrivateKey(in,NULL,

  605. 			ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);

  606. 		}

  607. 	else

  608. 		{

  609. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file, SSL_R_BAD_SSL_FILETYPE);

  610. 		goto end;

  611. 		}

  612. 	if (rsa == NULL)

  613. 		{

  614. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_file,reason_code);

  615. 		goto end;

  616. 		}

  617. 	ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);

  618. 	RSA_free(rsa);

  619. end:

  620. 	if (in != NULL) BIO_free(in);

  621. 	return(ret);

  622. 	}

  623. #endif

  624. 

  625. int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)

  626. 	{

  627. 	int ret;

  628. 	const unsigned char *p;

  629. 	RSA *rsa;

  630. 

  631. 	p=d;

  632. 	if ((rsa=d2i_RSAPrivateKey(NULL,&p,(long)len)) == NULL)

  633. 		{

  634. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey_ASN1, ERR_R_ASN1_LIB);

  635. 		return(0);

  636. 		}

  637. 

  638. 	ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);

  639. 	RSA_free(rsa);

  640. 	return(ret);

  641. 	}

  642. #endif /* !OPENSSL_NO_RSA */

  643. 

  644. int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)

  645. 	{

  646. 	if (pkey == NULL)

  647. 		{

  648. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_PASSED_NULL_PARAMETER);

  649. 		return(0);

  650. 		}

  651. 	if (!ssl_cert_inst(&ctx->cert))

  652. 		{

  653. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_MALLOC_FAILURE);

  654. 		return(0);

  655. 		}

  656. 	return(ssl_set_pkey(ctx->cert,pkey));

  657. 	}

  658. 

  659. #ifndef OPENSSL_NO_STDIO

  660. int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)

  661. 	{

  662. 	int reason_code,ret=0;

  663. 	BIO *in;

  664. 	EVP_PKEY *pkey=NULL;

  665. 

  666. 	in=BIO_new(BIO_s_file());

  667. 	if (in == NULL)

  668. 		{

  669. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, ERR_R_BUF_LIB);

  670. 		goto end;

  671. 		}

  672. 

  673. 	if (BIO_read_filename(in,file) <= 0)

  674. 		{

  675. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, ERR_R_SYS_LIB);

  676. 		goto end;

  677. 		}

  678. 	if (type == SSL_FILETYPE_PEM)

  679. 		{

  680. 		reason_code=ERR_R_PEM_LIB;

  681. 		pkey=PEM_read_bio_PrivateKey(in,NULL,

  682. 			ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);

  683. 		}

  684. 	else if (type == SSL_FILETYPE_ASN1)

  685. 		{

  686. 		reason_code = ERR_R_ASN1_LIB;

  687. 		pkey = d2i_PrivateKey_bio(in,NULL);

  688. 		}

  689. 	else

  690. 		{

  691. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file, SSL_R_BAD_SSL_FILETYPE);

  692. 		goto end;

  693. 		}

  694. 	if (pkey == NULL)

  695. 		{

  696. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_file,reason_code);

  697. 		goto end;

  698. 		}

  699. 	ret=SSL_CTX_use_PrivateKey(ctx,pkey);

  700. 	EVP_PKEY_free(pkey);

  701. end:

  702. 	if (in != NULL) BIO_free(in);

  703. 	return(ret);

  704. 	}

  705. #endif

  706. 

  707. int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,

  708. 	     long len)

  709. 	{

  710. 	int ret;

  711. 	const unsigned char *p;

  712. 	EVP_PKEY *pkey;

  713. 

  714. 	p=d;

  715. 	if ((pkey=d2i_PrivateKey(type,NULL,&p,(long)len)) == NULL)

  716. 		{

  717. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey_ASN1, ERR_R_ASN1_LIB);

  718. 		return(0);

  719. 		}

  720. 

  721. 	ret=SSL_CTX_use_PrivateKey(ctx,pkey);

  722. 	EVP_PKEY_free(pkey);

  723. 	return(ret);

  724. 	}

  725. 

  726. 

  727. #ifndef OPENSSL_NO_STDIO

  728. /* Read a file that contains our certificate in "PEM" format,

  729.  * possibly followed by a sequence of CA certificates that should be

  730.  * sent to the peer in the Certificate message.

  731.  */

  732. int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)

  733. 	{

  734. 	BIO *in;

  735. 	int ret=0;

  736. 	X509 *x=NULL;

  737. 

  738. 	ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */

  739. 

  740. 	in = BIO_new(BIO_s_file());

  741. 	if (in == NULL)

  742. 		{

  743. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_BUF_LIB);

  744. 		goto end;

  745. 		}

  746. 

  747. 	if (BIO_read_filename(in,file) <= 0)

  748. 		{

  749. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_SYS_LIB);

  750. 		goto end;

  751. 		}

  752. 

  753. 	x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,

  754. 				ctx->default_passwd_callback_userdata);

  755. 	if (x == NULL)

  756. 		{

  757. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate_chain_file, ERR_R_PEM_LIB);

  758. 		goto end;

  759. 		}

  760. 

  761. 	ret = SSL_CTX_use_certificate(ctx, x);

  762. 

  763. 	if (ERR_peek_error() != 0)

  764. 		ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */

  765. 	if (ret)

  766. 		{

  767. 		/* If we could set up our certificate, now proceed to

  768. 		 * the CA certificates.

  769. 		 */

  770. 		X509 *ca;

  771. 		int r;

  772. 		unsigned long err;

  773. 

  774. 		SSL_CTX_clear_chain_certs(ctx);

  775. 		

  776. 		while ((ca = PEM_read_bio_X509(in, NULL,

  777. 					ctx->default_passwd_callback,

  778. 					ctx->default_passwd_callback_userdata))

  779. 			!= NULL)

  780. 			{

  781. 			r = SSL_CTX_add0_chain_cert(ctx, ca);

  782. 			if (!r) 

  783. 				{

  784. 				X509_free(ca);

  785. 				ret = 0;

  786. 				goto end;

  787. 				}

  788. 			/* Note that we must not free r if it was successfully

  789. 			 * added to the chain (while we must free the main

  790. 			 * certificate, since its reference count is increased

  791. 			 * by SSL_CTX_use_certificate). */

  792. 			}

  793. 		/* When the while loop ends, it's usually just EOF. */

  794. 		err = ERR_peek_last_error();

  795. 		if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)

  796. 			ERR_clear_error();

  797. 		else 

  798. 			ret = 0; /* some real error */

  799. 		}

  800. 

  801. end:

  802. 	if (x != NULL) X509_free(x);

  803. 	if (in != NULL) BIO_free(in);

  804. 	return(ret);

  805. 	}

  806. #endif

  807. 

  808. #ifndef OPENSSL_NO_TLSEXT

  809. /* authz_validate returns true iff authz is well formed, i.e. that it meets the

  810.  * wire format as documented in the CERT_PKEY structure and that there are no

  811.  * duplicate entries. */

  812. static char authz_validate(const unsigned char *authz, size_t length)

  813. 	{

  814. 	unsigned char types_seen_bitmap[32];

  815. 

  816. 	if (!authz)

  817. 		return 1;

  818. 

  819. 	memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap));

  820. 

  821. 	for (;;)

  822. 		{

  823. 		unsigned char type, byte, bit;

  824. 		unsigned short len;

  825. 

  826. 		if (!length)

  827. 			return 1;

  828. 

  829. 		type = *(authz++);

  830. 		length--;

  831. 

  832. 		byte = type / 8;

  833. 		bit = type & 7;

  834. 		if (types_seen_bitmap[byte] & (1 << bit))

  835. 			return 0;

  836. 		types_seen_bitmap[byte] |= (1 << bit);

  837. 

  838. 		if (length < 2)

  839. 			return 0;

  840. 		len = ((unsigned short) authz[0]) << 8 |

  841. 		      ((unsigned short) authz[1]);

  842. 		authz += 2;

  843. 		length -= 2;

  844. 

  845. 		if (length < len)

  846. 			return 0;

  847. 

  848. 		authz += len;

  849. 		length -= len;

  850. 		}

  851. 	}

  852. 

  853. static int serverinfo_find_extension(const unsigned char *serverinfo,

  854. 				     size_t serverinfo_length,

  855. 				     unsigned short extension_type,

  856. 				     const unsigned char **extension_data,

  857. 				     unsigned short *extension_length)

  858. 	{

  859. 	*extension_data = NULL;

  860. 	*extension_length = 0;

  861. 	if (serverinfo == NULL || serverinfo_length == 0)

  862. 		return 0;

  863. 	for (;;)

  864. 		{

  865. 		unsigned short type = 0; /* uint16 */

  866. 		unsigned short len = 0;  /* uint16 */

  867. 

  868. 		/* end of serverinfo */

  869. 		if (serverinfo_length == 0)

  870. 			return -1; /* Extension not found */

  871. 

  872. 		/* read 2-byte type field */

  873. 		if (serverinfo_length < 2)

  874. 			return 0; /* Error */

  875. 		type = (serverinfo[0] << 8) + serverinfo[1];

  876. 		serverinfo += 2;

  877. 		serverinfo_length -= 2;

  878. 

  879. 		/* read 2-byte len field */

  880. 		if (serverinfo_length < 2)

  881. 			return 0; /* Error */

  882. 		len = (serverinfo[0] << 8) + serverinfo[1];

  883. 		serverinfo += 2;

  884. 		serverinfo_length -= 2;

  885. 

  886. 		if (len > serverinfo_length)

  887. 			return 0; /* Error */

  888. 

  889. 		if (type == extension_type)

  890. 			{

  891. 			*extension_data = serverinfo;

  892. 			*extension_length = len;

  893. 			return 1; /* Success */

  894. 			}

  895. 

  896. 		serverinfo += len;

  897. 		serverinfo_length -= len;

  898. 		}

  899. 	return 0; /* Error */

  900. 	}

  901. 

  902. static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type,

  903. 				   const unsigned char *in,

  904. 				   unsigned short inlen, int *al,

  905. 				   void *arg)

  906. 	{

  907. 	if (inlen != 0)

  908. 		{

  909. 		*al = SSL_AD_DECODE_ERROR;

  910. 		return 0;

  911. 		}

  912. 	return 1;

  913. 	}

  914. 

  915. static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type,

  916. 			            const unsigned char **out, unsigned short *outlen, 

  917. 			            void *arg)

  918. 	{

  919. 	const unsigned char *serverinfo = NULL;

  920. 	size_t serverinfo_length = 0;

  921. 

  922. 	/* Is there serverinfo data for the chosen server cert? */

  923. 	if ((ssl_get_server_cert_serverinfo(s, &serverinfo,

  924. 					    &serverinfo_length)) != 0)

  925. 		{

  926. 		/* Find the relevant extension from the serverinfo */

  927. 		int retval = serverinfo_find_extension(serverinfo, serverinfo_length,

  928. 					      	       ext_type, out, outlen);

  929. 		if (retval == 0)

  930. 			return 0; /* Error */

  931. 		if (retval == -1)

  932. 			return -1; /* No extension found, don't send extension */

  933. 		return 1; /* Send extension */

  934. 		}

  935. 	return -1; /* No serverinfo data found, don't send extension */

  936. 	}

  937. 

  938. /* With a NULL context, this function just checks that the serverinfo data

  939.    parses correctly.  With a non-NULL context, it registers callbacks for 

  940.    the included extensions. */

  941. static int serverinfo_process_buffer(const unsigned char *serverinfo, 

  942. 			    	     size_t serverinfo_length, SSL_CTX *ctx)

  943. 	{

  944. 	if (serverinfo == NULL || serverinfo_length == 0)

  945. 		return 0;

  946. 	for (;;)

  947. 		{

  948. 		unsigned short ext_type = 0; /* uint16 */

  949. 		unsigned short len = 0;  /* uint16 */

  950. 

  951. 		/* end of serverinfo */

  952. 		if (serverinfo_length == 0)

  953. 			return 1;

  954. 

  955. 		/* read 2-byte type field */

  956. 		if (serverinfo_length < 2)

  957. 			return 0;

  958. 		/* FIXME: check for types we understand explicitly? */

  959. 

  960. 		/* Register callbacks for extensions */

  961. 		ext_type = (serverinfo[0] << 8) + serverinfo[1];

  962. 		if (ctx && !SSL_CTX_set_custom_srv_ext(ctx, ext_type, 

  963. 						       serverinfo_srv_first_cb,

  964. 						       serverinfo_srv_second_cb, NULL))

  965. 			return 0;

  966. 

  967. 		serverinfo += 2;

  968. 		serverinfo_length -= 2;

  969. 

  970. 		/* read 2-byte len field */

  971. 		if (serverinfo_length < 2)

  972. 			return 0;

  973. 		len = (serverinfo[0] << 8) + serverinfo[1];

  974. 		serverinfo += 2;

  975. 		serverinfo_length -= 2;

  976. 

  977. 		if (len > serverinfo_length)

  978. 			return 0;

  979. 

  980. 		serverinfo += len;

  981. 		serverinfo_length -= len;

  982. 		}

  983. 	}

  984. 

  985. static const unsigned char *authz_find_data(const unsigned char *authz,

  986. 					    size_t authz_length,

  987. 					    unsigned char data_type,

  988. 					    size_t *data_length)

  989. 	{

  990. 	if (authz == NULL) return NULL;

  991. 	if (!authz_validate(authz, authz_length))

  992. 		{

  993. 		OPENSSL_PUT_ERROR(SSL, authz_find_data, SSL_R_INVALID_AUTHZ_DATA);

  994. 		return NULL;

  995. 		}

  996. 

  997. 	for (;;)

  998. 		{

  999. 		unsigned char type;

  1000. 		unsigned short len;

  1001. 		if (!authz_length)

  1002. 			return NULL;

  1003. 

  1004. 		type = *(authz++);

  1005. 		authz_length--;

  1006. 

  1007. 		/* We've validated the authz data, so we don't have to

  1008. 		 * check again that we have enough bytes left. */

  1009. 		len = ((unsigned short) authz[0]) << 8 |

  1010. 		      ((unsigned short) authz[1]);

  1011. 		authz += 2;

  1012. 		authz_length -= 2;

  1013. 		if (type == data_type)

  1014. 			{

  1015. 			*data_length = len;

  1016. 			return authz;

  1017. 			}

  1018. 		authz += len;

  1019. 		authz_length -= len;

  1020. 		}

  1021. 	/* No match */

  1022. 	return NULL;

  1023. 	}

  1024. 

  1025. static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length)

  1026. 	{

  1027. 	CERT_PKEY *current_key = c->key;

  1028. 	if (current_key == NULL)

  1029. 		return 0;

  1030. 	if (!authz_validate(authz, authz_length))

  1031. 		{

  1032. 		OPENSSL_PUT_ERROR(SSL, ssl_set_authz, SSL_R_INVALID_AUTHZ_DATA);

  1033. 		return(0);

  1034. 		}

  1035. 	current_key->authz = OPENSSL_realloc(current_key->authz, authz_length);

  1036. 	if (current_key->authz == NULL)

  1037. 		{

  1038. 		OPENSSL_PUT_ERROR(SSL, ssl_set_authz, ERR_R_MALLOC_FAILURE);

  1039. 		return 0;

  1040. 		}

  1041. 	current_key->authz_length = authz_length;

  1042. 	memcpy(current_key->authz, authz, authz_length);

  1043. 	return 1;

  1044. 	}

  1045. 

  1046. int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz,

  1047. 		      size_t authz_length)

  1048. 	{

  1049. 	if (authz == NULL)

  1050. 		{

  1051. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_authz, ERR_R_PASSED_NULL_PARAMETER);

  1052. 		return 0;

  1053. 		}

  1054. 	if (!ssl_cert_inst(&ctx->cert))

  1055. 		{

  1056. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_authz, ERR_R_MALLOC_FAILURE);

  1057. 		return 0;

  1058. 		}

  1059. 	return ssl_set_authz(ctx->cert, authz, authz_length);

  1060. 	}

  1061. 

  1062. int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,

  1063. 			   size_t serverinfo_length)

  1064. 	{

  1065. 	if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)

  1066. 		{

  1067. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_PASSED_NULL_PARAMETER);

  1068. 		return 0;

  1069. 		}

  1070. 	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))

  1071. 		{

  1072. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);

  1073. 		return 0;

  1074. 		}

  1075. 	if (!ssl_cert_inst(&ctx->cert))

  1076. 		{

  1077. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);

  1078. 		return 0;

  1079. 		}

  1080. 	if (ctx->cert->key == NULL)

  1081. 		{

  1082. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_INTERNAL_ERROR);

  1083. 		return 0;

  1084. 		}

  1085. 	ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,

  1086. 						     serverinfo_length);

  1087. 	if (ctx->cert->key->serverinfo == NULL)

  1088. 		{

  1089. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);

  1090. 		return 0;

  1091. 		}

  1092. 	memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);

  1093. 	ctx->cert->key->serverinfo_length = serverinfo_length;

  1094. 

  1095. 	/* Now that the serverinfo is validated and stored, go ahead and 

  1096. 	 * register callbacks. */

  1097. 	if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))

  1098. 		{

  1099. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);

  1100. 		return 0;

  1101. 		}

  1102. 	return 1;

  1103. 	}

  1104. 

  1105. int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length)

  1106. 	{

  1107. 	if (authz == NULL)

  1108. 		{

  1109. 		OPENSSL_PUT_ERROR(SSL, SSL_use_authz, ERR_R_PASSED_NULL_PARAMETER);

  1110. 		return 0;

  1111. 		}

  1112. 	if (!ssl_cert_inst(&ssl->cert))

  1113. 		{

  1114. 		OPENSSL_PUT_ERROR(SSL, SSL_use_authz, ERR_R_MALLOC_FAILURE);

  1115. 		return 0;

  1116. 		}

  1117. 	return ssl_set_authz(ssl->cert, authz, authz_length);

  1118. 	}

  1119. 

  1120. const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type,

  1121. 					    size_t *data_length)

  1122. 	{

  1123. 	CERT_PKEY *current_key;

  1124. 

  1125. 	if (ctx->cert == NULL)

  1126. 		return NULL;

  1127. 	current_key = ctx->cert->key;

  1128. 	if (current_key->authz == NULL)

  1129. 		return NULL;

  1130. 	return authz_find_data(current_key->authz,

  1131. 		current_key->authz_length, type, data_length);

  1132. 	}

  1133. 

  1134. #ifndef OPENSSL_NO_STDIO

  1135. /* read_authz returns a newly allocated buffer with authz data */

  1136. static unsigned char *read_authz(const char *file, size_t *authz_length)

  1137. 	{

  1138. 	BIO *authz_in = NULL;

  1139. 	unsigned char *authz = NULL;

  1140. 	/* Allow authzs up to 64KB. */

  1141. 	static const size_t authz_limit = 65536;

  1142. 	size_t read_length;

  1143. 	unsigned char *ret = NULL;

  1144. 

  1145. 	authz_in = BIO_new(BIO_s_file());

  1146. 	if (authz_in == NULL)

  1147. 		{

  1148. 		OPENSSL_PUT_ERROR(SSL, read_authz, ERR_R_BUF_LIB);

  1149. 		goto end;

  1150. 		}

  1151. 

  1152. 	if (BIO_read_filename(authz_in,file) <= 0)

  1153. 		{

  1154. 		OPENSSL_PUT_ERROR(SSL, read_authz, ERR_R_SYS_LIB);

  1155. 		goto end;

  1156. 		}

  1157. 

  1158. 	authz = OPENSSL_malloc(authz_limit);

  1159. 	read_length = BIO_read(authz_in, authz, authz_limit);

  1160. 	if (read_length == authz_limit || read_length <= 0)

  1161. 		{

  1162. 		OPENSSL_PUT_ERROR(SSL, read_authz, SSL_R_AUTHZ_DATA_TOO_LARGE);

  1163. 		OPENSSL_free(authz);

  1164. 		goto end;

  1165. 		}

  1166. 	*authz_length = read_length;

  1167. 	ret = authz;

  1168. end:

  1169. 	if (authz_in != NULL) BIO_free(authz_in);

  1170. 	return ret;

  1171. 	}

  1172. 

  1173. int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file)

  1174. 	{

  1175. 	unsigned char *authz = NULL;

  1176. 	size_t authz_length = 0;

  1177. 	int ret;

  1178. 

  1179. 	authz = read_authz(file, &authz_length);

  1180. 	if (authz == NULL)

  1181. 		return 0;

  1182. 

  1183. 	ret = SSL_CTX_use_authz(ctx, authz, authz_length);

  1184. 	/* SSL_CTX_use_authz makes a local copy of the authz. */

  1185. 	OPENSSL_free(authz);

  1186. 	return ret;

  1187. 	}

  1188. 

  1189. int SSL_use_authz_file(SSL *ssl, const char *file)

  1190. 	{

  1191. 	unsigned char *authz = NULL;

  1192. 	size_t authz_length = 0;

  1193. 	int ret;

  1194. 

  1195. 	authz = read_authz(file, &authz_length);

  1196. 	if (authz == NULL)

  1197. 		return 0;

  1198. 

  1199. 	ret = SSL_use_authz(ssl, authz, authz_length);

  1200. 	/* SSL_use_authz makes a local copy of the authz. */

  1201. 	OPENSSL_free(authz);

  1202. 	return ret;

  1203. 	}

  1204. 

  1205. int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)

  1206. 	{

  1207. 	unsigned char *serverinfo = NULL;

  1208. 	size_t serverinfo_length = 0;

  1209. 	unsigned char* extension = 0;

  1210. 	long extension_length = 0;

  1211. 	char* name = NULL;

  1212. 	char* header = NULL;

  1213. 	char namePrefix[] = "SERVERINFO FOR ";

  1214. 	int ret = 0;

  1215. 	BIO *bin = NULL;

  1216. 	size_t num_extensions = 0;

  1217. 

  1218. 	if (ctx == NULL || file == NULL)

  1219. 		{

  1220. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_PASSED_NULL_PARAMETER);

  1221. 		goto end;

  1222. 		}

  1223. 

  1224. 	bin = BIO_new(BIO_s_file());

  1225. 	if (bin == NULL)

  1226. 		{

  1227. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_BUF_LIB);

  1228. 		goto end;

  1229. 		}

  1230. 	if (BIO_read_filename(bin, file) <= 0)

  1231. 		{

  1232. 		OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_SYS_LIB);

  1233. 		goto end;

  1234. 		}

  1235. 

  1236. 	for (num_extensions=0;; num_extensions++)

  1237. 		{

  1238. 		if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0)

  1239. 			{

  1240. 			/* There must be at least one extension in this file */

  1241. 			if (num_extensions == 0)

  1242. 				{

  1243. 				OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_NO_PEM_EXTENSIONS);

  1244. 				goto end;

  1245. 				}

  1246. 			else /* End of file, we're done */

  1247. 				break;

  1248. 			}

  1249. 		/* Check that PEM name starts with "BEGIN SERVERINFO FOR " */

  1250. 		if (strlen(name) < strlen(namePrefix))

  1251. 			{

  1252. 			OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_TOO_SHORT);

  1253. 			goto end;

  1254. 			}

  1255. 		if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)

  1256. 			{

  1257. 			OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_BAD_PREFIX);

  1258. 			goto end;

  1259. 			}

  1260. 		/* Check that the decoded PEM data is plausible (valid length field) */

  1261. 		if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)

  1262. 			{

  1263. 			OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_BAD_DATA);

  1264. 			goto end;

  1265. 			}

  1266. 		/* Append the decoded extension to the serverinfo buffer */

  1267. 		serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);

  1268. 		if (serverinfo == NULL)

  1269. 			{

  1270. 			OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_MALLOC_FAILURE);

  1271. 			goto end;

  1272. 			}

  1273. 		memcpy(serverinfo + serverinfo_length, extension, extension_length);

  1274. 		serverinfo_length += extension_length;

  1275. 

  1276. 		OPENSSL_free(name); name = NULL;

  1277. 		OPENSSL_free(header); header = NULL;

  1278. 		OPENSSL_free(extension); extension = NULL;

  1279. 		}

  1280. 

  1281. 	ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);

  1282. end:

  1283. 	/* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */

  1284. 	OPENSSL_free(name);

  1285. 	OPENSSL_free(header);

  1286. 	OPENSSL_free(extension);

  1287. 	OPENSSL_free(serverinfo);

  1288. 	if (bin != NULL)

  1289. 		BIO_free(bin);

  1290. 	return ret;

  1291. 	}

  1292. #endif /* OPENSSL_NO_STDIO */

  1293. #endif /* OPENSSL_NO_TLSEXT */