1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <string.h>
18
19 #include <openssl/asn1.h>
20 #include <openssl/bio.h>
21 #include <openssl/err.h>
22 #include <openssl/mem.h>
23 #include <openssl/pem.h>
24 #include <openssl/stack.h>
25 #include <openssl/x509.h>
26
27 #include "internal.h"
28
29
xname_cmp(const X509_NAME * const * a,const X509_NAME * const * b)30 static int xname_cmp(const X509_NAME *const *a, const X509_NAME *const *b) {
31 return X509_NAME_cmp(*a, *b);
32 }
33
add_bio_cert_subjects_to_stack(STACK_OF (X509_NAME)* out,BIO * bio,bool allow_empty)34 static int add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, BIO *bio,
35 bool allow_empty) {
36 // This function historically sorted |out| after every addition and skipped
37 // duplicates. This implementation preserves that behavior, but only sorts at
38 // the end, to avoid a quadratic running time. Existing duplicates in |out|
39 // are preserved, but do not introduce new duplicates.
40 bssl::UniquePtr<STACK_OF(X509_NAME)> to_append(sk_X509_NAME_new(xname_cmp));
41 if (to_append == nullptr) {
42 return 0;
43 }
44
45 // Temporarily switch the comparison function for |out|.
46 struct RestoreCmpFunc {
47 ~RestoreCmpFunc() { sk_X509_NAME_set_cmp_func(stack, old_cmp); }
48 STACK_OF(X509_NAME) *stack;
49 int (*old_cmp)(const X509_NAME *const *, const X509_NAME *const *);
50 };
51 RestoreCmpFunc restore = {out, sk_X509_NAME_set_cmp_func(out, xname_cmp)};
52
53 sk_X509_NAME_sort(out);
54 bool first = true;
55 for (;;) {
56 bssl::UniquePtr<X509> x509(
57 PEM_read_bio_X509(bio, nullptr, nullptr, nullptr));
58 if (x509 == nullptr) {
59 if (first && !allow_empty) {
60 return 0;
61 }
62 // TODO(davidben): This ignores PEM syntax errors. It should only succeed
63 // on |PEM_R_NO_START_LINE|.
64 ERR_clear_error();
65 break;
66 }
67 first = false;
68
69 X509_NAME *subject = X509_get_subject_name(x509.get());
70 // Skip if already present in |out|. Duplicates in |to_append| will be
71 // handled separately.
72 if (sk_X509_NAME_find(out, /*out_index=*/NULL, subject)) {
73 continue;
74 }
75
76 bssl::UniquePtr<X509_NAME> copy(X509_NAME_dup(subject));
77 if (copy == nullptr ||
78 !bssl::PushToStack(to_append.get(), std::move(copy))) {
79 return 0;
80 }
81 }
82
83 // Append |to_append| to |stack|, skipping any duplicates.
84 sk_X509_NAME_sort(to_append.get());
85 size_t num = sk_X509_NAME_num(to_append.get());
86 for (size_t i = 0; i < num; i++) {
87 bssl::UniquePtr<X509_NAME> name(sk_X509_NAME_value(to_append.get(), i));
88 sk_X509_NAME_set(to_append.get(), i, nullptr);
89 if (i + 1 < num &&
90 X509_NAME_cmp(name.get(), sk_X509_NAME_value(to_append.get(), i + 1)) ==
91 0) {
92 continue;
93 }
94 if (!bssl::PushToStack(out, std::move(name))) {
95 return 0;
96 }
97 }
98
99 // Sort |out| one last time, to preserve the historical behavior of
100 // maintaining the sorted list.
101 sk_X509_NAME_sort(out);
102 return 1;
103 }
104
SSL_add_bio_cert_subjects_to_stack(STACK_OF (X509_NAME)* out,BIO * bio)105 int SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, BIO *bio) {
106 return add_bio_cert_subjects_to_stack(out, bio, /*allow_empty=*/true);
107 }
108
STACK_OF(X509_NAME)109 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
110 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
111 if (in == nullptr) {
112 return nullptr;
113 }
114 bssl::UniquePtr<STACK_OF(X509_NAME)> ret(sk_X509_NAME_new_null());
115 if (ret == nullptr || //
116 !add_bio_cert_subjects_to_stack(ret.get(), in.get(),
117 /*allow_empty=*/false)) {
118 return nullptr;
119 }
120 return ret.release();
121 }
122
SSL_add_file_cert_subjects_to_stack(STACK_OF (X509_NAME)* out,const char * file)123 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
124 const char *file) {
125 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
126 if (in == nullptr) {
127 return 0;
128 }
129 return SSL_add_bio_cert_subjects_to_stack(out, in.get());
130 }
131
SSL_use_certificate_file(SSL * ssl,const char * file,int type)132 int SSL_use_certificate_file(SSL *ssl, const char *file, int type) {
133 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
134 if (in == nullptr) {
135 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
136 return 0;
137 }
138
139 int reason_code;
140 bssl::UniquePtr<X509> x;
141 if (type == SSL_FILETYPE_ASN1) {
142 reason_code = ERR_R_ASN1_LIB;
143 x.reset(d2i_X509_bio(in.get(), nullptr));
144 } else if (type == SSL_FILETYPE_PEM) {
145 reason_code = ERR_R_PEM_LIB;
146 x.reset(PEM_read_bio_X509(in.get(), nullptr,
147 ssl->ctx->default_passwd_callback,
148 ssl->ctx->default_passwd_callback_userdata));
149 } else {
150 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
151 return 0;
152 }
153
154 if (x == nullptr) {
155 OPENSSL_PUT_ERROR(SSL, reason_code);
156 return 0;
157 }
158
159 return SSL_use_certificate(ssl, x.get());
160 }
161
SSL_use_RSAPrivateKey_file(SSL * ssl,const char * file,int type)162 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) {
163 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
164 if (in == nullptr) {
165 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
166 return 0;
167 }
168
169 int reason_code;
170 bssl::UniquePtr<RSA> rsa;
171 if (type == SSL_FILETYPE_ASN1) {
172 reason_code = ERR_R_ASN1_LIB;
173 rsa.reset(d2i_RSAPrivateKey_bio(in.get(), nullptr));
174 } else if (type == SSL_FILETYPE_PEM) {
175 reason_code = ERR_R_PEM_LIB;
176 rsa.reset(PEM_read_bio_RSAPrivateKey(
177 in.get(), nullptr, ssl->ctx->default_passwd_callback,
178 ssl->ctx->default_passwd_callback_userdata));
179 } else {
180 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
181 return 0;
182 }
183
184 if (rsa == nullptr) {
185 OPENSSL_PUT_ERROR(SSL, reason_code);
186 return 0;
187 }
188 return SSL_use_RSAPrivateKey(ssl, rsa.get());
189 }
190
SSL_use_PrivateKey_file(SSL * ssl,const char * file,int type)191 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) {
192 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
193 if (in == nullptr) {
194 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
195 return 0;
196 }
197
198 int reason_code;
199 bssl::UniquePtr<EVP_PKEY> pkey;
200 if (type == SSL_FILETYPE_PEM) {
201 reason_code = ERR_R_PEM_LIB;
202 pkey.reset(PEM_read_bio_PrivateKey(
203 in.get(), nullptr, ssl->ctx->default_passwd_callback,
204 ssl->ctx->default_passwd_callback_userdata));
205 } else if (type == SSL_FILETYPE_ASN1) {
206 reason_code = ERR_R_ASN1_LIB;
207 pkey.reset(d2i_PrivateKey_bio(in.get(), nullptr));
208 } else {
209 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
210 return 0;
211 }
212
213 if (pkey == nullptr) {
214 OPENSSL_PUT_ERROR(SSL, reason_code);
215 return 0;
216 }
217
218 return SSL_use_PrivateKey(ssl, pkey.get());
219 }
220
SSL_CTX_use_certificate_file(SSL_CTX * ctx,const char * file,int type)221 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) {
222 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
223 if (in == nullptr) {
224 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
225 return 0;
226 }
227
228 int reason_code;
229 bssl::UniquePtr<X509> x;
230 if (type == SSL_FILETYPE_ASN1) {
231 reason_code = ERR_R_ASN1_LIB;
232 x.reset(d2i_X509_bio(in.get(), nullptr));
233 } else if (type == SSL_FILETYPE_PEM) {
234 reason_code = ERR_R_PEM_LIB;
235 x.reset(PEM_read_bio_X509(in.get(), nullptr, ctx->default_passwd_callback,
236 ctx->default_passwd_callback_userdata));
237 } else {
238 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
239 return 0;
240 }
241
242 if (x == nullptr) {
243 OPENSSL_PUT_ERROR(SSL, reason_code);
244 return 0;
245 }
246
247 return SSL_CTX_use_certificate(ctx, x.get());
248 }
249
SSL_CTX_use_RSAPrivateKey_file(SSL_CTX * ctx,const char * file,int type)250 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
251 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
252 if (in == nullptr) {
253 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
254 return 0;
255 }
256
257 int reason_code;
258 bssl::UniquePtr<RSA> rsa;
259 if (type == SSL_FILETYPE_ASN1) {
260 reason_code = ERR_R_ASN1_LIB;
261 rsa.reset(d2i_RSAPrivateKey_bio(in.get(), nullptr));
262 } else if (type == SSL_FILETYPE_PEM) {
263 reason_code = ERR_R_PEM_LIB;
264 rsa.reset(PEM_read_bio_RSAPrivateKey(
265 in.get(), nullptr, ctx->default_passwd_callback,
266 ctx->default_passwd_callback_userdata));
267 } else {
268 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
269 return 0;
270 }
271
272 if (rsa == nullptr) {
273 OPENSSL_PUT_ERROR(SSL, reason_code);
274 return 0;
275 }
276 return SSL_CTX_use_RSAPrivateKey(ctx, rsa.get());
277 }
278
SSL_CTX_use_PrivateKey_file(SSL_CTX * ctx,const char * file,int type)279 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
280 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
281 if (in == nullptr) {
282 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
283 return 0;
284 }
285
286 int reason_code;
287 bssl::UniquePtr<EVP_PKEY> pkey;
288 if (type == SSL_FILETYPE_PEM) {
289 reason_code = ERR_R_PEM_LIB;
290 pkey.reset(PEM_read_bio_PrivateKey(in.get(), nullptr,
291 ctx->default_passwd_callback,
292 ctx->default_passwd_callback_userdata));
293 } else if (type == SSL_FILETYPE_ASN1) {
294 reason_code = ERR_R_ASN1_LIB;
295 pkey.reset(d2i_PrivateKey_bio(in.get(), nullptr));
296 } else {
297 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);
298 return 0;
299 }
300
301 if (pkey == nullptr) {
302 OPENSSL_PUT_ERROR(SSL, reason_code);
303 return 0;
304 }
305
306 return SSL_CTX_use_PrivateKey(ctx, pkey.get());
307 }
308
309 // Read a file that contains our certificate in "PEM" format, possibly followed
310 // by a sequence of CA certificates that should be sent to the peer in the
311 // Certificate message.
SSL_CTX_use_certificate_chain_file(SSL_CTX * ctx,const char * file)312 int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
313 bssl::UniquePtr<BIO> in(BIO_new_file(file, "rb"));
314 if (in == nullptr) {
315 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
316 return 0;
317 }
318
319 bssl::UniquePtr<X509> x(
320 PEM_read_bio_X509_AUX(in.get(), nullptr, ctx->default_passwd_callback,
321 ctx->default_passwd_callback_userdata));
322 if (x == nullptr) {
323 OPENSSL_PUT_ERROR(SSL, ERR_R_PEM_LIB);
324 return 0;
325 }
326
327 if (!SSL_CTX_use_certificate(ctx, x.get())) {
328 return 0;
329 }
330
331 // If we could set up our certificate, now proceed to the CA certificates.
332 SSL_CTX_clear_chain_certs(ctx);
333 for (;;) {
334 bssl::UniquePtr<X509> ca(
335 PEM_read_bio_X509(in.get(), nullptr, ctx->default_passwd_callback,
336 ctx->default_passwd_callback_userdata));
337 if (ca == nullptr) {
338 break;
339 }
340 if (!SSL_CTX_add1_chain_cert(ctx, ca.get())) {
341 return 0;
342 }
343 }
344
345 // When the while loop ends, it's usually just EOF.
346 uint32_t err = ERR_peek_last_error();
347 if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
348 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
349 ERR_clear_error();
350 return 1;
351 }
352
353 return 0; // Some real error.
354 }
355
SSL_CTX_set_default_passwd_cb(SSL_CTX * ctx,pem_password_cb * cb)356 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {
357 ctx->default_passwd_callback = cb;
358 }
359
SSL_CTX_get_default_passwd_cb(const SSL_CTX * ctx)360 pem_password_cb *SSL_CTX_get_default_passwd_cb(const SSL_CTX *ctx) {
361 return ctx->default_passwd_callback;
362 }
363
SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX * ctx,void * data)364 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *data) {
365 ctx->default_passwd_callback_userdata = data;
366 }
367
SSL_CTX_get_default_passwd_cb_userdata(const SSL_CTX * ctx)368 void *SSL_CTX_get_default_passwd_cb_userdata(const SSL_CTX *ctx) {
369 return ctx->default_passwd_callback_userdata;
370 }
371