2 * Copyright (c) 2023 Omar Polo <op@omarpolo.com>
3 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
4 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #include <openssl/err.h>
24 #include <openssl/pem.h>
30 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
33 static void crypto_init(struct privsep *, struct privsep_proc *, void *);
34 static int crypto_dispatch_parent(int, struct privsep_proc *, struct imsg *);
35 static int crypto_dispatch_server(int, struct privsep_proc *, struct imsg *);
37 static struct privsep_proc procs[] = {
38 { "parent", PROC_PARENT, crypto_dispatch_parent },
39 { "server", PROC_SERVER, crypto_dispatch_server },
42 struct imsg_crypto_req {
44 char hash[TLS_CERT_HASH_SIZE];
48 /* followed by flen bytes of `from'. */
51 struct imsg_crypto_res {
55 /* followed by len bytes of reply */
58 static uint64_t reqid;
59 static struct conf *conf;
62 crypto(struct privsep *ps, struct privsep_proc *p)
64 proc_run(ps, p, procs, nitems(procs), crypto_init, NULL);
68 crypto_init(struct privsep *ps, struct privsep_proc *p, void *arg)
71 static volatile int attached;
72 while (!attached) sleep(1);
77 sandbox_crypto_process();
81 crypto_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
83 switch (imsg->hdr.type) {
84 case IMSG_RECONF_START:
85 case IMSG_RECONF_CERT:
88 if (config_recv(conf, imsg) == -1)
99 get_pkey(const char *hash)
103 TAILQ_FOREACH(pki, &conf->pkis, pkis) {
104 if (!strcmp(pki->hash, hash))
112 crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
114 struct privsep *ps = p->p_ps;
116 EC_KEY *ecdsa = NULL;
118 struct imsg_crypto_req req;
119 struct imsg_crypto_res res;
122 unsigned char *data, *to;
128 datalen = IMSG_DATA_SIZE(imsg);
130 switch (imsg->hdr.type) {
131 case IMSG_CRYPTO_RSA_PRIVENC:
132 case IMSG_CRYPTO_RSA_PRIVDEC:
133 if (datalen < sizeof(req))
134 fatalx("size mismatch for imsg %d", imsg->hdr.type);
135 memcpy(&req, data, sizeof(req));
136 if (datalen != sizeof(req) + req.flen)
137 fatalx("size mismatch for imsg %d", imsg->hdr.type);
138 from = data + sizeof(req);
140 if ((pkey = get_pkey(req.hash)) == NULL ||
141 (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
142 fatalx("invalid pkey hash");
144 if ((to = calloc(1, req.tlen)) == NULL)
147 if (imsg->hdr.type == IMSG_CRYPTO_RSA_PRIVENC)
148 ret = RSA_private_encrypt(req.flen, from,
149 to, rsa, req.padding);
151 ret = RSA_private_decrypt(req.flen, from,
152 to, rsa, req.padding);
154 memset(&res, 0, sizeof(res));
158 memset(&iov, 0, sizeof(iov));
160 iov[n].iov_base = &res;
161 iov[n].iov_len = sizeof(res);
166 iov[n].iov_base = to;
167 iov[n].iov_len = ret;
171 log_debug("replying to server #%d", imsg->hdr.pid);
172 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
173 imsg->hdr.type, 0, -1, iov, n) == -1)
174 fatal("proc_composev_imsg");
176 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
177 fatal("proc_flush_imsg");
183 case IMSG_CRYPTO_ECDSA_SIGN:
184 if (datalen < sizeof(req))
185 fatalx("size mismatch for imsg %d", imsg->hdr.type);
186 memcpy(&req, data, sizeof(req));
187 if (datalen != sizeof(req) + req.flen)
188 fatalx("size mismatch for imsg %d", imsg->hdr.type);
189 from = data + sizeof(req);
191 if ((pkey = get_pkey(req.hash)) == NULL ||
192 (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
193 fatalx("invalid pkey hash");
195 len = ECDSA_size(ecdsa);
196 if ((to = calloc(1, len)) == NULL)
198 ret = ECDSA_sign(0, from, req.flen, to, &len, ecdsa);
200 memset(&res, 0, sizeof(res));
204 memset(&iov, 0, sizeof(iov));
206 iov[0].iov_base = &res;
207 iov[0].iov_len = sizeof(res);
212 iov[n].iov_base = to;
213 iov[n].iov_len = len;
217 log_debug("replying to server #%d", imsg->hdr.pid);
218 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
219 imsg->hdr.type, 0, -1, iov, n) == -1)
220 fatal("proc_composev_imsg");
222 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
223 fatal("proc_flush_imsg");
238 * RSA privsep engine (called from unprivileged processes)
241 static const RSA_METHOD *rsa_default;
242 static RSA_METHOD *rsae_method;
245 rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
246 RSA *rsa, int padding, unsigned int cmd)
248 struct imsg_crypto_req req;
250 struct imsg_crypto_res res;
252 struct privsep_proc *p;
253 struct privsep *ps = conf->ps;
254 struct imsgbuf *imsgbuf;
262 if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
266 * Send a synchronous imsg because we cannot defer the RSA
267 * operation in OpenSSL's engine layer.
269 memset(&req, 0, sizeof(req));
271 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
272 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
274 req.tlen = RSA_size(rsa);
275 req.padding = padding;
277 memset(&iov, 0, sizeof(iov));
278 iov[0].iov_base = &req;
279 iov[0].iov_len = sizeof(req);
280 iov[1].iov_base = (void *)from;
281 iov[1].iov_len = flen;
283 if (proc_composev(ps, PROC_CRYPTO, cmd, iov, 2) == -1)
284 fatal("proc_composev");
286 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
287 fatal("proc_flush_imsg");
289 iev = ps->ps_ievs[PROC_CRYPTO];
291 imsgbuf = &iev->ibuf;
294 if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
297 fatalx("pipe closed");
300 if ((n = imsg_get(imsgbuf, &imsg)) == -1)
301 fatalx("imsg_get error");
307 "%s: %s %d got imsg %d id %d from %s %d",
308 __func__, title, 1, imsg_get_type(&imsg),
309 imsg_get_id(&imsg), "crypto", imsg_get_pid(&imsg));
312 if ((p->p_cb)(imsgbuf->fd, p, &imsg) == 0) {
313 /* Message was handled by the callback */
318 switch (imsg_get_type(&imsg)) {
319 case IMSG_CRYPTO_RSA_PRIVENC:
320 case IMSG_CRYPTO_RSA_PRIVDEC:
323 fatalx("%s: %s %d got invalid imsg %d"
325 __func__, "server", ps->ps_instance + 1,
326 imsg_get_type(&imsg), imsg_get_id(&imsg),
327 "crypto", imsg_get_pid(&imsg));
330 if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
331 ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
332 (int)ibuf_size(&ibuf) != res.ret)
333 fatalx("size mismatch for imsg %d",
336 toptr = ibuf_data(&ibuf);
339 fatalx("invalid id; got %llu, want %llu",
340 (unsigned long long)res.id,
341 (unsigned long long)reqid);
343 memcpy(to, toptr, res.len);
356 rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
359 log_debug("debug: %s", __func__);
360 if (RSA_get_ex_data(rsa, 0) != NULL)
361 return (rsae_send_imsg(flen, from, to, rsa, padding,
362 IMSG_CRYPTO_RSA_PRIVENC));
363 return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
367 rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
370 log_debug("debug: %s", __func__);
371 if (RSA_get_ex_data(rsa, 0) != NULL)
372 return (rsae_send_imsg(flen, from, to, rsa, padding,
373 IMSG_CRYPTO_RSA_PRIVDEC));
375 return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
380 * ECDSA privsep engine (called from unprivileged processes)
383 static const EC_KEY_METHOD *ecdsa_default;
384 static EC_KEY_METHOD *ecdsae_method;
387 ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
388 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey)
390 ECDSA_SIG *sig = NULL;
391 struct imsg_crypto_req req;
393 struct imsg_crypto_res res;
395 struct privsep_proc *p;
396 struct privsep *ps = conf->ps;
397 struct imsgbuf *imsgbuf;
404 if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL)
408 * Send a synchronous imsg because we cannot defer the RSA
409 * operation in OpenSSL's engine layer.
411 memset(&req, 0, sizeof(req));
413 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
414 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
417 memset(&iov, 0, sizeof(iov));
418 iov[0].iov_base = &req;
419 iov[0].iov_len = sizeof(req);
420 iov[1].iov_base = (void *)dgst;
421 iov[1].iov_len = dgst_len;
423 if (proc_composev(ps, PROC_CRYPTO, IMSG_CRYPTO_ECDSA_SIGN, iov, 2) == -1)
424 fatal("proc_composev");
426 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
427 fatal("proc_flush_imsg");
429 iev = ps->ps_ievs[PROC_CRYPTO];
431 imsgbuf = &iev->ibuf;
434 if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
437 fatalx("pipe closed");
440 if ((n = imsg_get(imsgbuf, &imsg)) == -1)
441 fatalx("imsg_get error");
447 "%s: %s %d got imsg %d peerid %d from %s %d",
448 __func__, title, 1, imsg.hdr.type,
449 imsg.hdr.peerid, "crypto", imsg.hdr.pid);
452 if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN &&
453 crypto_dispatch_server(imsgbuf->fd, p, &imsg)
455 /* Message was handled by the callback */
460 if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN)
461 fatalx("%s: %s %d got invalid imsg %d"
462 " peerid %d from %s %d",
463 __func__, "server", ps->ps_instance + 1,
464 imsg.hdr.type, imsg.hdr.peerid,
465 "crypto", imsg.hdr.pid);
467 if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
468 ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
469 ibuf_size(&ibuf) != res.len)
470 fatalx("size mismatch for imsg %d",
473 toptr = ibuf_data(&ibuf);
476 fatalx("invalid response id");
479 (const unsigned char **)&toptr, res.len);
493 ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
494 const BIGNUM *rp, EC_KEY *eckey)
496 ECDSA_SIG *(*psign_sig)(const unsigned char *, int, const BIGNUM *,
497 const BIGNUM *, EC_KEY *);
499 log_debug("debug: %s", __func__);
500 if (EC_KEY_get_ex_data(eckey, 0) != NULL)
501 return (ecdsae_send_enc_imsg(dgst, dgst_len, inv, rp, eckey));
502 EC_KEY_METHOD_get_sign(ecdsa_default, NULL, NULL, &psign_sig);
503 return (psign_sig(dgst, dgst_len, inv, rp, eckey));
508 * Initialize the two engines.
512 rsa_engine_init(void)
516 if ((rsa_default = RSA_get_default_method()) == NULL) {
517 errstr = "RSA_get_default_method";
521 if ((rsae_method = RSA_meth_dup(rsa_default)) == NULL) {
522 errstr = "RSA_meth_dup";
526 RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
527 RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
529 RSA_meth_set_flags(rsae_method,
530 RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK);
531 RSA_meth_set0_app_data(rsae_method,
532 RSA_meth_get0_app_data(rsa_default));
534 RSA_set_default_method(rsae_method);
540 fatalx("%s", errstr);
544 ecdsa_engine_init(void)
546 int (*sign)(int, const unsigned char *, int, unsigned char *,
547 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *);
548 int (*sign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **);
551 if ((ecdsa_default = EC_KEY_get_default_method()) == NULL) {
552 errstr = "EC_KEY_get_default_method";
556 if ((ecdsae_method = EC_KEY_METHOD_new(ecdsa_default)) == NULL) {
557 errstr = "EC_KEY_METHOD_new";
561 EC_KEY_METHOD_get_sign(ecdsa_default, &sign, &sign_setup, NULL);
562 EC_KEY_METHOD_set_sign(ecdsae_method, sign, sign_setup,
565 EC_KEY_set_default_method(ecdsae_method);
571 fatalx("%s", errstr);
575 crypto_engine_init(struct conf *c)