X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_rsa.c;h=855952d54cfb72454e3770f2d883d7b344a0a2b8;hb=aeda172afd37e6f7b2f285b5f18a5978415cbc9b;hp=80d9f798123cff9a835858141c11cb243a0891f5;hpb=bc36ee6227517edae802bcb0da68d4f04fe1fb5e;p=oweals%2Fopenssl.git diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 80d9f79812..855952d54c 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -57,15 +57,19 @@ */ #include +#include "ssl_locl.h" #include #include #include #include #include -#include "ssl_locl.h" static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); +#ifndef OPENSSL_NO_TLSEXT +static int ssl_set_authz(CERT *c, unsigned char *authz, + size_t authz_length); +#endif int SSL_use_certificate(SSL *ssl, X509 *x) { if (x == NULL) @@ -131,7 +135,7 @@ end: } #endif -int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) +int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) { X509 *x; int ret; @@ -170,7 +174,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); ret=ssl_set_pkey(ssl->cert,pkey); @@ -181,9 +185,24 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { - int i,ok=0,bad=0; - - i=ssl_cert_type(NULL,pkey); + int i; + /* Special case for DH: check two DH certificate types for a match. + * This means for DH certificates we must set the certificate first. + */ + if (pkey->type == EVP_PKEY_DH) + { + X509 *x; + i = -1; + x = c->pkeys[SSL_PKEY_DH_RSA].x509; + if (x && X509_check_private_key(x, pkey)) + i = SSL_PKEY_DH_RSA; + x = c->pkeys[SSL_PKEY_DH_DSA].x509; + if (i == -1 && x && X509_check_private_key(x, pkey)) + i = SSL_PKEY_DH_DSA; + ERR_clear_error(); + } + else + i=ssl_cert_type(NULL,pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_PKEY,SSL_R_UNKNOWN_CERTIFICATE_TYPE); @@ -202,43 +221,16 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) /* Don't check the public/private key, this is mostly * for smart cards. */ if ((pkey->type == EVP_PKEY_RSA) && - (RSA_flags(pkey->pkey.rsa) & - RSA_METHOD_FLAG_NO_CHECK)) - ok=1; + (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) + ; else #endif - if (!X509_check_private_key(c->pkeys[i].x509,pkey)) + if (!X509_check_private_key(c->pkeys[i].x509,pkey)) { - if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) - { - i=(i == SSL_PKEY_DH_RSA)? - SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA; - - if (c->pkeys[i].x509 == NULL) - ok=1; - else - { - if (!X509_check_private_key( - c->pkeys[i].x509,pkey)) - bad=1; - else - ok=1; - } - } - else - bad=1; + X509_free(c->pkeys[i].x509); + c->pkeys[i].x509 = NULL; + return 0; } - else - ok=1; - } - else - ok=1; - - if (bad) - { - X509_free(c->pkeys[i].x509); - c->pkeys[i].x509=NULL; - return(0); } if (c->pkeys[i].privatekey != NULL) @@ -362,6 +354,11 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) pkey=PEM_read_bio_PrivateKey(in,NULL, ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata); } + else if (type == SSL_FILETYPE_ASN1) + { + j = ERR_R_ASN1_LIB; + pkey = d2i_PrivateKey_bio(in,NULL); + } else { SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE); @@ -380,10 +377,10 @@ end: } #endif -int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len) +int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; @@ -416,7 +413,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) static int ssl_set_cert(CERT *c, X509 *x) { EVP_PKEY *pkey; - int i,ok=0,bad=0; + int i; pkey=X509_get_pubkey(x); if (pkey == NULL) @@ -444,49 +441,37 @@ static int ssl_set_cert(CERT *c, X509 *x) if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) - ok=1; + ; else -#endif - { +#endif /* OPENSSL_NO_RSA */ if (!X509_check_private_key(x,c->pkeys[i].privatekey)) { - if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) - { - i=(i == SSL_PKEY_DH_RSA)? - SSL_PKEY_DH_DSA:SSL_PKEY_DH_RSA; - - if (c->pkeys[i].privatekey == NULL) - ok=1; - else - { - if (!X509_check_private_key(x, - c->pkeys[i].privatekey)) - bad=1; - else - ok=1; - } - } - else - bad=1; + /* don't fail for a cert/key mismatch, just free + * current private key (when switching to a different + * cert & key, first this function should be used, + * then ssl_set_pkey */ + EVP_PKEY_free(c->pkeys[i].privatekey); + c->pkeys[i].privatekey=NULL; + /* clear error queue */ + ERR_clear_error(); } - else - ok=1; - } /* OPENSSL_NO_RSA */ } - else - ok=1; EVP_PKEY_free(pkey); - if (bad) - { - EVP_PKEY_free(c->pkeys[i].privatekey); - c->pkeys[i].privatekey=NULL; - } if (c->pkeys[i].x509 != NULL) X509_free(c->pkeys[i].x509); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); c->pkeys[i].x509=x; +#ifndef OPENSSL_NO_TLSEXT + /* Free the old authz data, if it exists. */ + if (c->pkeys[i].authz != NULL) + { + OPENSSL_free(c->pkeys[i].authz); + c->pkeys[i].authz = NULL; + c->pkeys[i].authz_length = 0; + } +#endif c->key= &(c->pkeys[i]); c->valid=0; @@ -543,7 +528,7 @@ end: } #endif -int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) +int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) { X509 *x; int ret; @@ -582,7 +567,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); ret=ssl_set_pkey(ctx->cert, pkey); @@ -638,7 +623,7 @@ end: } #endif -int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) +int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) { int ret; const unsigned char *p; @@ -697,6 +682,11 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) pkey=PEM_read_bio_PrivateKey(in,NULL, ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); } + else if (type == SSL_FILETYPE_ASN1) + { + j = ERR_R_ASN1_LIB; + pkey = d2i_PrivateKey_bio(in,NULL); + } else { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE); @@ -715,11 +705,11 @@ end: } #endif -int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, +int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; @@ -746,7 +736,9 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) int ret=0; X509 *x=NULL; - in=BIO_new(BIO_s_file_internal()); + ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ + + in = BIO_new(BIO_s_file_internal()); if (in == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); @@ -759,14 +751,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) goto end; } - x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); + x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); goto end; } - ret=SSL_CTX_use_certificate(ctx,x); + ret = SSL_CTX_use_certificate(ctx, x); + if (ERR_peek_error() != 0) ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ if (ret) @@ -778,13 +772,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) int r; unsigned long err; - if (ctx->extra_certs != NULL) + if (ctx->extra_certs != NULL) { sk_X509_pop_free(ctx->extra_certs, X509_free); ctx->extra_certs = NULL; } - while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) + while ((ca = PEM_read_bio_X509(in, NULL, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata)) != NULL) { r = SSL_CTX_add_extra_chain_cert(ctx, ca); @@ -800,9 +796,9 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) * by SSL_CTX_use_certificate). */ } /* When the while loop ends, it's usually just EOF. */ - err = ERR_peek_error(); + err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) - (void) ERR_get_error(); + ERR_clear_error(); else ret = 0; /* some real error */ } @@ -813,3 +809,96 @@ end: return(ret); } #endif + +#ifndef OPENSSL_NO_TLSEXT +/* authz_validate returns true iff authz is well formed, i.e. that it meets the + * wire format as documented in the CERT_PKEY structure and that there are no + * duplicate entries. */ +static char authz_validate(const unsigned char *authz, size_t length) + { + unsigned char types_seen_bitmap[32]; + + if (!authz) + return 1; + + memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap)); + + for (;;) + { + unsigned char type, byte, bit; + unsigned short len; + + if (!length) + return 1; + + type = *(authz++); + length--; + + byte = type / 8; + bit = type & 7; + if (types_seen_bitmap[byte] & (1 << bit)) + return 0; + types_seen_bitmap[byte] |= (1 << bit); + + if (length < 2) + return 0; + len = ((unsigned short) authz[0]) << 8 | + ((unsigned short) authz[1]); + authz += 2; + length -= 2; + + if (length < len) + return 0; + + authz += len; + length -= len; + } + } + +static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length) + { + CERT_PKEY *current_key = c->key; + if (current_key == NULL) + return 0; + if (!authz_validate(authz, authz_length)) + { + SSLerr(SSL_F_SSL_SET_AUTHZ,SSL_R_INVALID_AUTHZ_DATA); + return(0); + } + current_key->authz = OPENSSL_realloc(current_key->authz, authz_length); + current_key->authz_length = authz_length; + memcpy(current_key->authz, authz, authz_length); + return 1; + } + +int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz, + size_t authz_length) + { + if (authz == NULL) + { + SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + if (!ssl_cert_inst(&ctx->cert)) + { + SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_MALLOC_FAILURE); + return 0; + } + return ssl_set_authz(ctx->cert, authz, authz_length); + } + +int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length) + { + if (authz == NULL) + { + SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + if (!ssl_cert_inst(&ssl->cert)) + { + SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_MALLOC_FAILURE); + return 0; + } + return ssl_set_authz(ssl->cert, authz, authz_length); + } +#endif /* OPENSSL_NO_TLSEXT */