Diffstat (limited to 'src/lib/libssl/ssl_rsa.c')
| -rw-r--r-- | src/lib/libssl/ssl_rsa.c | 68 |
1 files changed, 44 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 10276a4b2d..c1d24cad52 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_rsa.c,v 1.14 2014/06/12 15:49:31 deraadt Exp $ */ | 1 | /* $OpenBSD: ssl_rsa.c,v 1.15 2014/06/22 19:09:37 guenther Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -103,7 +103,9 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type) | |||
| 103 | x = d2i_X509_bio(in, NULL); | 103 | x = d2i_X509_bio(in, NULL); |
| 104 | } else if (type == SSL_FILETYPE_PEM) { | 104 | } else if (type == SSL_FILETYPE_PEM) { |
| 105 | j = ERR_R_PEM_LIB; | 105 | j = ERR_R_PEM_LIB; |
| 106 | x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback, ssl->ctx->default_passwd_callback_userdata); | 106 | x = PEM_read_bio_X509(in, NULL, |
| 107 | ssl->ctx->default_passwd_callback, | ||
| 108 | ssl->ctx->default_passwd_callback_userdata); | ||
| 107 | } else { | 109 | } else { |
| 108 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); | 110 | SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); |
| 109 | goto end; | 111 | goto end; |
| @@ -184,8 +186,10 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey) | |||
| 184 | EVP_PKEY_free(pktmp); | 186 | EVP_PKEY_free(pktmp); |
| 185 | ERR_clear_error(); | 187 | ERR_clear_error(); |
| 186 | 188 | ||
| 187 | /* Don't check the public/private key, this is mostly | 189 | /* |
| 188 | * for smart cards. */ | 190 | * Don't check the public/private key, this is mostly |
| 191 | * for smart cards. | ||
| 192 | */ | ||
| 189 | if ((pkey->type == EVP_PKEY_RSA) && | 193 | if ((pkey->type == EVP_PKEY_RSA) && |
| 190 | (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) | 194 | (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) |
| 191 | ; | 195 | ; |
| @@ -230,7 +234,8 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) | |||
| 230 | } else if (type == SSL_FILETYPE_PEM) { | 234 | } else if (type == SSL_FILETYPE_PEM) { |
| 231 | j = ERR_R_PEM_LIB; | 235 | j = ERR_R_PEM_LIB; |
| 232 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, | 236 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
| 233 | ssl->ctx->default_passwd_callback, ssl->ctx->default_passwd_callback_userdata); | 237 | ssl->ctx->default_passwd_callback, |
| 238 | ssl->ctx->default_passwd_callback_userdata); | ||
| 234 | } else { | 239 | } else { |
| 235 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); | 240 | SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
| 236 | goto end; | 241 | goto end; |
| @@ -301,7 +306,8 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) | |||
| 301 | if (type == SSL_FILETYPE_PEM) { | 306 | if (type == SSL_FILETYPE_PEM) { |
| 302 | j = ERR_R_PEM_LIB; | 307 | j = ERR_R_PEM_LIB; |
| 303 | pkey = PEM_read_bio_PrivateKey(in, NULL, | 308 | pkey = PEM_read_bio_PrivateKey(in, NULL, |
| 304 | ssl->ctx->default_passwd_callback, ssl->ctx->default_passwd_callback_userdata); | 309 | ssl->ctx->default_passwd_callback, |
| 310 | ssl->ctx->default_passwd_callback_userdata); | ||
| 305 | } else if (type == SSL_FILETYPE_ASN1) { | 311 | } else if (type == SSL_FILETYPE_ASN1) { |
| 306 | j = ERR_R_ASN1_LIB; | 312 | j = ERR_R_ASN1_LIB; |
| 307 | pkey = d2i_PrivateKey_bio(in, NULL); | 313 | pkey = d2i_PrivateKey_bio(in, NULL); |
| @@ -375,18 +381,22 @@ ssl_set_cert(CERT *c, X509 *x) | |||
| 375 | EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); | 381 | EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); |
| 376 | ERR_clear_error(); | 382 | ERR_clear_error(); |
| 377 | 383 | ||
| 378 | /* Don't check the public/private key, this is mostly | 384 | /* |
| 379 | * for smart cards. */ | 385 | * Don't check the public/private key, this is mostly |
| 386 | * for smart cards. | ||
| 387 | */ | ||
| 380 | if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && | 388 | if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && |
| 381 | (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & | 389 | (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & |
| 382 | RSA_METHOD_FLAG_NO_CHECK)) | 390 | RSA_METHOD_FLAG_NO_CHECK)) |
| 383 | ; | 391 | ; |
| 384 | else | 392 | else |
| 385 | if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { | 393 | if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { |
| 386 | /* don't fail for a cert/key mismatch, just free | 394 | /* |
| 395 | * don't fail for a cert/key mismatch, just free | ||
| 387 | * current private key (when switching to a different | 396 | * current private key (when switching to a different |
| 388 | * cert & key, first this function should be used, | 397 | * cert & key, first this function should be used, |
| 389 | * then ssl_set_pkey */ | 398 | * then ssl_set_pkey |
| 399 | */ | ||
| 390 | EVP_PKEY_free(c->pkeys[i].privatekey); | 400 | EVP_PKEY_free(c->pkeys[i].privatekey); |
| 391 | c->pkeys[i].privatekey = NULL; | 401 | c->pkeys[i].privatekey = NULL; |
| 392 | /* clear error queue */ | 402 | /* clear error queue */ |
| @@ -429,7 +439,8 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) | |||
| 429 | x = d2i_X509_bio(in, NULL); | 439 | x = d2i_X509_bio(in, NULL); |
| 430 | } else if (type == SSL_FILETYPE_PEM) { | 440 | } else if (type == SSL_FILETYPE_PEM) { |
| 431 | j = ERR_R_PEM_LIB; | 441 | j = ERR_R_PEM_LIB; |
| 432 | x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); | 442 | x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, |
| 443 | ctx->default_passwd_callback_userdata); | ||
| 433 | } else { | 444 | } else { |
| 434 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); | 445 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); |
| 435 | goto end; | 446 | goto end; |
| @@ -515,7 +526,8 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) | |||
| 515 | } else if (type == SSL_FILETYPE_PEM) { | 526 | } else if (type == SSL_FILETYPE_PEM) { |
| 516 | j = ERR_R_PEM_LIB; | 527 | j = ERR_R_PEM_LIB; |
| 517 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, | 528 | rsa = PEM_read_bio_RSAPrivateKey(in, NULL, |
| 518 | ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); | 529 | ctx->default_passwd_callback, |
| 530 | ctx->default_passwd_callback_userdata); | ||
| 519 | } else { | 531 | } else { |
| 520 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); | 532 | SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); |
| 521 | goto end; | 533 | goto end; |
| @@ -553,7 +565,8 @@ int | |||
| 553 | SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) | 565 | SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) |
| 554 | { | 566 | { |
| 555 | if (pkey == NULL) { | 567 | if (pkey == NULL) { |
| 556 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); | 568 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, |
| 569 | ERR_R_PASSED_NULL_PARAMETER); | ||
| 557 | return (0); | 570 | return (0); |
| 558 | } | 571 | } |
| 559 | if (!ssl_cert_inst(&ctx->cert)) { | 572 | if (!ssl_cert_inst(&ctx->cert)) { |
| @@ -583,12 +596,14 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) | |||
| 583 | if (type == SSL_FILETYPE_PEM) { | 596 | if (type == SSL_FILETYPE_PEM) { |
| 584 | j = ERR_R_PEM_LIB; | 597 | j = ERR_R_PEM_LIB; |
| 585 | pkey = PEM_read_bio_PrivateKey(in, NULL, | 598 | pkey = PEM_read_bio_PrivateKey(in, NULL, |
| 586 | ctx->default_passwd_callback, ctx->default_passwd_callback_userdata); | 599 | ctx->default_passwd_callback, |
| 600 | ctx->default_passwd_callback_userdata); | ||
| 587 | } else if (type == SSL_FILETYPE_ASN1) { | 601 | } else if (type == SSL_FILETYPE_ASN1) { |
| 588 | j = ERR_R_ASN1_LIB; | 602 | j = ERR_R_ASN1_LIB; |
| 589 | pkey = d2i_PrivateKey_bio(in, NULL); | 603 | pkey = d2i_PrivateKey_bio(in, NULL); |
| 590 | } else { | 604 | } else { |
| 591 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); | 605 | SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, |
| 606 | SSL_R_BAD_SSL_FILETYPE); | ||
| 592 | goto end; | 607 | goto end; |
| 593 | } | 608 | } |
| 594 | if (pkey == NULL) { | 609 | if (pkey == NULL) { |
| @@ -622,7 +637,8 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, | |||
| 622 | } | 637 | } |
| 623 | 638 | ||
| 624 | 639 | ||
| 625 | /* Read a file that contains our certificate in "PEM" format, | 640 | /* |
| 641 | * Read a file that contains our certificate in "PEM" format, | ||
| 626 | * possibly followed by a sequence of CA certificates that should be | 642 | * possibly followed by a sequence of CA certificates that should be |
| 627 | * sent to the peer in the Certificate message. | 643 | * sent to the peer in the Certificate message. |
| 628 | */ | 644 | */ |
| @@ -647,7 +663,7 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
| 647 | } | 663 | } |
| 648 | 664 | ||
| 649 | x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, | 665 | x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, |
| 650 | ctx->default_passwd_callback_userdata); | 666 | ctx->default_passwd_callback_userdata); |
| 651 | if (x == NULL) { | 667 | if (x == NULL) { |
| 652 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); | 668 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); |
| 653 | goto end; | 669 | goto end; |
| @@ -659,7 +675,8 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
| 659 | ret = 0; | 675 | ret = 0; |
| 660 | /* Key/certificate mismatch doesn't imply ret==0 ... */ | 676 | /* Key/certificate mismatch doesn't imply ret==0 ... */ |
| 661 | if (ret) { | 677 | if (ret) { |
| 662 | /* If we could set up our certificate, now proceed to | 678 | /* |
| 679 | * If we could set up our certificate, now proceed to | ||
| 663 | * the CA certificates. | 680 | * the CA certificates. |
| 664 | */ | 681 | */ |
| 665 | X509 *ca; | 682 | X509 *ca; |
| @@ -672,23 +689,26 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
| 672 | } | 689 | } |
| 673 | 690 | ||
| 674 | while ((ca = PEM_read_bio_X509(in, NULL, | 691 | while ((ca = PEM_read_bio_X509(in, NULL, |
| 675 | ctx->default_passwd_callback, | 692 | ctx->default_passwd_callback, |
| 676 | ctx->default_passwd_callback_userdata)) | 693 | ctx->default_passwd_callback_userdata)) != NULL) { |
| 677 | != NULL) { | ||
| 678 | r = SSL_CTX_add_extra_chain_cert(ctx, ca); | 694 | r = SSL_CTX_add_extra_chain_cert(ctx, ca); |
| 679 | if (!r) { | 695 | if (!r) { |
| 680 | X509_free(ca); | 696 | X509_free(ca); |
| 681 | ret = 0; | 697 | ret = 0; |
| 682 | goto end; | 698 | goto end; |
| 683 | } | 699 | } |
| 684 | /* Note that we must not free r if it was successfully | 700 | /* |
| 701 | * Note that we must not free r if it was successfully | ||
| 685 | * added to the chain (while we must free the main | 702 | * added to the chain (while we must free the main |
| 686 | * certificate, since its reference count is increased | 703 | * certificate, since its reference count is increased |
| 687 | * by SSL_CTX_use_certificate). */ | 704 | * by SSL_CTX_use_certificate). |
| 705 | */ | ||
| 688 | } | 706 | } |
| 707 | |||
| 689 | /* When the while loop ends, it's usually just EOF. */ | 708 | /* When the while loop ends, it's usually just EOF. */ |
| 690 | err = ERR_peek_last_error(); | 709 | err = ERR_peek_last_error(); |
| 691 | if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) | 710 | if (ERR_GET_LIB(err) == ERR_LIB_PEM && |
| 711 | ERR_GET_REASON(err) == PEM_R_NO_START_LINE) | ||
| 692 | ERR_clear_error(); | 712 | ERR_clear_error(); |
| 693 | else | 713 | else |
| 694 | ret = 0; /* some real error */ | 714 | ret = 0; /* some real error */ |
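Review bot: The comment reflowed at new lines 700–705 still says "we must not free r", but `r` only holds the return value of `SSL_CTX_add_extra_chain_cert` and is tested with `if (!r)`; the object whose ownership passes to the chain on success is `ca`, the one freed on the failure path just above. Since the commit already rewrites that comment block, correcting the name at the same time would keep it from misleading the next reader of the ownership rule: `* Note that we must not free ca if it was successfully`. The remaining hunks in this file are line-wrapping and comment reflow only and need nothing further. The body of SSL_CTX_use_certificate_chain_file continues past the end of this hunk.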
