2 * Copyright (c) 2023 Omar Polo <op@omarpolo.com>
3 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
4 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #include <openssl/err.h>
24 #include <openssl/pem.h>
30 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
33 static void crypto_init(struct privsep *, struct privsep_proc *, void *);
34 static int crypto_dispatch_parent(int, struct privsep_proc *, struct imsg *);
35 static int crypto_dispatch_server(int, struct privsep_proc *, struct imsg *);
37 static struct privsep_proc procs[] = {
38 { "parent", PROC_PARENT, crypto_dispatch_parent },
39 { "server", PROC_SERVER, crypto_dispatch_server },
42 struct imsg_crypto_req {
44 char hash[TLS_CERT_HASH_SIZE];
48 /* followed by flen bytes of `from'. */
51 struct imsg_crypto_res {
55 /* followed by len bytes of reply */
58 static uint64_t reqid;
59 static struct conf *conf;
62 crypto(struct privsep *ps, struct privsep_proc *p)
64 proc_run(ps, p, procs, nitems(procs), crypto_init, NULL);
68 crypto_init(struct privsep *ps, struct privsep_proc *p, void *arg)
71 static volatile int attached;
72 while (!attached) sleep(1);
77 sandbox_crypto_process();
81 crypto_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
83 switch (imsg->hdr.type) {
84 case IMSG_RECONF_START:
85 case IMSG_RECONF_CERT:
88 if (config_recv(conf, imsg) == -1)
99 get_pkey(const char *hash)
103 TAILQ_FOREACH(pki, &conf->pkis, pkis) {
104 if (!strcmp(pki->hash, hash))
112 crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
114 struct privsep *ps = p->p_ps;
116 EC_KEY *ecdsa = NULL;
118 struct imsg_crypto_req req;
119 struct imsg_crypto_res res;
127 if (imsg_get_ibuf(imsg, &ibuf) == -1)
128 fatalx("%s: couldn't get an ibuf", __func__);
130 switch (imsg->hdr.type) {
131 case IMSG_CRYPTO_RSA_PRIVENC:
132 case IMSG_CRYPTO_RSA_PRIVDEC:
133 if (ibuf_get(&ibuf, &req, sizeof(req)) == -1 ||
134 ibuf_size(&ibuf) != req.flen)
135 fatalx("size mismatch for imsg %d", imsg->hdr.type);
136 from = ibuf_data(&ibuf);
138 if ((pkey = get_pkey(req.hash)) == NULL ||
139 (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
140 fatalx("invalid pkey hash");
142 if ((to = calloc(1, req.tlen)) == NULL)
145 if (imsg->hdr.type == IMSG_CRYPTO_RSA_PRIVENC)
146 ret = RSA_private_encrypt(req.flen, from,
147 to, rsa, req.padding);
149 ret = RSA_private_decrypt(req.flen, from,
150 to, rsa, req.padding);
152 memset(&res, 0, sizeof(res));
156 memset(&iov, 0, sizeof(iov));
158 iov[n].iov_base = &res;
159 iov[n].iov_len = sizeof(res);
164 iov[n].iov_base = to;
165 iov[n].iov_len = ret;
169 log_debug("replying to server #%d", imsg->hdr.pid);
170 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
171 imsg->hdr.type, 0, -1, iov, n) == -1)
172 fatal("proc_composev_imsg");
174 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
175 fatal("proc_flush_imsg");
181 case IMSG_CRYPTO_ECDSA_SIGN:
182 if (ibuf_get(&ibuf, &req, sizeof(req)) == -1 ||
183 ibuf_size(&ibuf) != req.flen)
184 fatalx("size mismatch for imsg %d", imsg->hdr.type);
185 from = ibuf_data(&ibuf);
187 if ((pkey = get_pkey(req.hash)) == NULL ||
188 (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
189 fatalx("invalid pkey hash");
191 len = ECDSA_size(ecdsa);
192 if ((to = calloc(1, len)) == NULL)
194 ret = ECDSA_sign(0, from, req.flen, to, &len, ecdsa);
196 memset(&res, 0, sizeof(res));
200 memset(&iov, 0, sizeof(iov));
202 iov[0].iov_base = &res;
203 iov[0].iov_len = sizeof(res);
208 iov[n].iov_base = to;
209 iov[n].iov_len = len;
213 log_debug("replying to server #%d", imsg->hdr.pid);
214 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
215 imsg->hdr.type, 0, -1, iov, n) == -1)
216 fatal("proc_composev_imsg");
218 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
219 fatal("proc_flush_imsg");
234 * RSA privsep engine (called from unprivileged processes)
237 static const RSA_METHOD *rsa_default;
238 static RSA_METHOD *rsae_method;
241 rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
242 RSA *rsa, int padding, unsigned int cmd)
244 struct imsg_crypto_req req;
246 struct imsg_crypto_res res;
248 struct privsep_proc *p;
249 struct privsep *ps = conf->ps;
250 struct imsgbuf *imsgbuf;
258 if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
262 * Send a synchronous imsg because we cannot defer the RSA
263 * operation in OpenSSL's engine layer.
265 memset(&req, 0, sizeof(req));
267 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
268 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
270 req.tlen = RSA_size(rsa);
271 req.padding = padding;
273 memset(&iov, 0, sizeof(iov));
274 iov[0].iov_base = &req;
275 iov[0].iov_len = sizeof(req);
276 iov[1].iov_base = (void *)from;
277 iov[1].iov_len = flen;
279 if (proc_composev(ps, PROC_CRYPTO, cmd, iov, 2) == -1)
280 fatal("proc_composev");
282 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
283 fatal("proc_flush_imsg");
285 iev = ps->ps_ievs[PROC_CRYPTO];
287 imsgbuf = &iev->ibuf;
290 if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
293 fatalx("pipe closed");
296 if ((n = imsg_get(imsgbuf, &imsg)) == -1)
297 fatalx("imsg_get error");
303 "%s: %s %d got imsg %d id %d from %s %d",
304 __func__, title, 1, imsg_get_type(&imsg),
305 imsg_get_id(&imsg), "crypto", imsg_get_pid(&imsg));
308 if ((p->p_cb)(imsgbuf->fd, p, &imsg) == 0) {
309 /* Message was handled by the callback */
314 switch (imsg_get_type(&imsg)) {
315 case IMSG_CRYPTO_RSA_PRIVENC:
316 case IMSG_CRYPTO_RSA_PRIVDEC:
319 fatalx("%s: %s %d got invalid imsg %d"
321 __func__, "server", ps->ps_instance + 1,
322 imsg_get_type(&imsg), imsg_get_id(&imsg),
323 "crypto", imsg_get_pid(&imsg));
326 if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
327 ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
328 (int)ibuf_size(&ibuf) != res.ret)
329 fatalx("size mismatch for imsg %d",
332 toptr = ibuf_data(&ibuf);
335 fatalx("invalid id; got %llu, want %llu",
336 (unsigned long long)res.id,
337 (unsigned long long)reqid);
339 memcpy(to, toptr, res.len);
352 rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
355 log_debug("debug: %s", __func__);
356 if (RSA_get_ex_data(rsa, 0) != NULL)
357 return (rsae_send_imsg(flen, from, to, rsa, padding,
358 IMSG_CRYPTO_RSA_PRIVENC));
359 return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
363 rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
366 log_debug("debug: %s", __func__);
367 if (RSA_get_ex_data(rsa, 0) != NULL)
368 return (rsae_send_imsg(flen, from, to, rsa, padding,
369 IMSG_CRYPTO_RSA_PRIVDEC));
371 return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
376 * ECDSA privsep engine (called from unprivileged processes)
379 static const EC_KEY_METHOD *ecdsa_default;
380 static EC_KEY_METHOD *ecdsae_method;
383 ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
384 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey)
386 ECDSA_SIG *sig = NULL;
387 struct imsg_crypto_req req;
389 struct imsg_crypto_res res;
391 struct privsep_proc *p;
392 struct privsep *ps = conf->ps;
393 struct imsgbuf *imsgbuf;
400 if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL)
404 * Send a synchronous imsg because we cannot defer the RSA
405 * operation in OpenSSL's engine layer.
407 memset(&req, 0, sizeof(req));
409 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
410 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
413 memset(&iov, 0, sizeof(iov));
414 iov[0].iov_base = &req;
415 iov[0].iov_len = sizeof(req);
416 iov[1].iov_base = (void *)dgst;
417 iov[1].iov_len = dgst_len;
419 if (proc_composev(ps, PROC_CRYPTO, IMSG_CRYPTO_ECDSA_SIGN, iov, 2) == -1)
420 fatal("proc_composev");
422 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
423 fatal("proc_flush_imsg");
425 iev = ps->ps_ievs[PROC_CRYPTO];
427 imsgbuf = &iev->ibuf;
430 if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
433 fatalx("pipe closed");
436 if ((n = imsg_get(imsgbuf, &imsg)) == -1)
437 fatalx("imsg_get error");
443 "%s: %s %d got imsg %d peerid %d from %s %d",
444 __func__, title, 1, imsg.hdr.type,
445 imsg.hdr.peerid, "crypto", imsg.hdr.pid);
448 if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN &&
449 crypto_dispatch_server(imsgbuf->fd, p, &imsg)
451 /* Message was handled by the callback */
456 if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN)
457 fatalx("%s: %s %d got invalid imsg %d"
458 " peerid %d from %s %d",
459 __func__, "server", ps->ps_instance + 1,
460 imsg.hdr.type, imsg.hdr.peerid,
461 "crypto", imsg.hdr.pid);
463 if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
464 ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
465 ibuf_size(&ibuf) != res.len)
466 fatalx("size mismatch for imsg %d",
469 toptr = ibuf_data(&ibuf);
472 fatalx("invalid response id");
475 (const unsigned char **)&toptr, res.len);
489 ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
490 const BIGNUM *rp, EC_KEY *eckey)
492 ECDSA_SIG *(*psign_sig)(const unsigned char *, int, const BIGNUM *,
493 const BIGNUM *, EC_KEY *);
495 log_debug("debug: %s", __func__);
496 if (EC_KEY_get_ex_data(eckey, 0) != NULL)
497 return (ecdsae_send_enc_imsg(dgst, dgst_len, inv, rp, eckey));
498 EC_KEY_METHOD_get_sign(ecdsa_default, NULL, NULL, &psign_sig);
499 return (psign_sig(dgst, dgst_len, inv, rp, eckey));
504 * Initialize the two engines.
508 rsa_engine_init(void)
512 if ((rsa_default = RSA_get_default_method()) == NULL) {
513 errstr = "RSA_get_default_method";
517 if ((rsae_method = RSA_meth_dup(rsa_default)) == NULL) {
518 errstr = "RSA_meth_dup";
522 RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
523 RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
525 RSA_meth_set_flags(rsae_method,
526 RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK);
527 RSA_meth_set0_app_data(rsae_method,
528 RSA_meth_get0_app_data(rsa_default));
530 RSA_set_default_method(rsae_method);
536 fatalx("%s", errstr);
540 ecdsa_engine_init(void)
542 int (*sign)(int, const unsigned char *, int, unsigned char *,
543 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *);
544 int (*sign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **);
547 if ((ecdsa_default = EC_KEY_get_default_method()) == NULL) {
548 errstr = "EC_KEY_get_default_method";
552 if ((ecdsae_method = EC_KEY_METHOD_new(ecdsa_default)) == NULL) {
553 errstr = "EC_KEY_METHOD_new";
557 EC_KEY_METHOD_get_sign(ecdsa_default, &sign, &sign_setup, NULL);
558 EC_KEY_METHOD_set_sign(ecdsae_method, sign, sign_setup,
561 EC_KEY_set_default_method(ecdsae_method);
567 fatalx("%s", errstr);
571 crypto_engine_init(struct conf *c)