1 /*
2  * Copyright (c) 2023 Omar Polo <op@omarpolo.com>
3  * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
4  * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "gmid.h"
20 
21 #include <string.h>
22 
23 #include <openssl/err.h>
24 #include <openssl/pem.h>
25 #include <openssl/engine.h>
26 
27 #include "log.h"
28 #include "proc.h"
29 
30 #ifndef nitems
31 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
32 #endif
33 
34 static void crypto_init(struct privsep *, struct privsep_proc *, void *);
35 static int crypto_dispatch_parent(int, struct privsep_proc *, struct imsg *);
36 static int crypto_dispatch_server(int, struct privsep_proc *, struct imsg *);
37 
38 static struct privsep_proc procs[] = {
39 	{ "parent",	PROC_PARENT,	crypto_dispatch_parent },
40 	{ "server",	PROC_SERVER,	crypto_dispatch_server },
41 };
42 
43 struct imsg_crypto_req {
44 	uint64_t	 id;
45 	char		 hash[TLS_CERT_HASH_SIZE];
46 	size_t		 flen;
47 	size_t		 tlen;
48 	int		 padding;
49 	/* followed by flen bytes of `from'. */
50 };
51 
52 struct imsg_crypto_res {
53 	uint64_t	 id;
54 	int		 ret;
55 	size_t		 len;
56 	/* followed by len bytes of reply */
57 };
58 
59 static uint64_t		 reqid;
60 static struct conf	*conf;
61 
62 void
63 crypto(struct privsep *ps, struct privsep_proc *p)
64 {
65 	proc_run(ps, p, procs, nitems(procs), crypto_init, NULL);
66 }
67 
68 static void
69 crypto_init(struct privsep *ps, struct privsep_proc *p, void *arg)
70 {
71 #if 0
72 	static volatile int attached;
73 	while (!attached) sleep(1);
74 #endif
75 
76 	conf = ps->ps_env;
77 
78 	sandbox_crypto_process();
79 }
80 
81 static int
82 crypto_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
83 {
84 	switch (imsg->hdr.type) {
85 	case IMSG_RECONF_START:
86 	case IMSG_RECONF_CERT:
87 	case IMSG_RECONF_KEY:
88 	case IMSG_RECONF_END:
89 		if (config_recv(conf, imsg) == -1)
90 			return -1;
91 		break;
92 	default:
93 		return -1;
94 	}
95 
96 	return 0;
97 }
98 
99 static EVP_PKEY *
100 get_pkey(const char *hash)
101 {
102 	struct pki *pki;
103 
104 	TAILQ_FOREACH(pki, &conf->pkis, pkis) {
105 		if (!strcmp(pki->hash, hash))
106 			return pki->pkey;
107 	}
108 
109 	return NULL;
110 }
111 
112 static int
113 crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
114 {
115 	struct privsep		*ps = p->p_ps;
116 	RSA			*rsa;
117 	EC_KEY			*ecdsa;
118 	EVP_PKEY		*pkey;
119 	struct imsg_crypto_req	 req;
120 	struct imsg_crypto_res	 res;
121 	struct iovec		 iov[2];
122 	const void		*from;
123 	unsigned char		*data, *to;
124 	size_t			 datalen;
125 	int			 n, ret;
126 	unsigned int		 len;
127 
128 	data = imsg->data;
129 	datalen = IMSG_DATA_SIZE(imsg);
130 
131 	switch (imsg->hdr.type) {
132 	case IMSG_CRYPTO_RSA_PRIVENC:
133 	case IMSG_CRYPTO_RSA_PRIVDEC:
134 		if (datalen < sizeof(req))
135 			fatalx("size mismatch for imsg %d", imsg->hdr.type);
136 		memcpy(&req, data, sizeof(req));
137 		if (datalen != sizeof(req) + req.flen)
138 			fatalx("size mismatch for imsg %d", imsg->hdr.type);
139 		from = data + sizeof(req);
140 
141 		if ((pkey = get_pkey(req.hash)) == NULL ||
142 		    (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
143 			fatalx("invalid pkey hash");
144 
145 		if ((to = calloc(1, req.tlen)) == NULL)
146 			fatal("calloc");
147 
148 		if (imsg->hdr.type == IMSG_CRYPTO_RSA_PRIVENC)
149 			ret = RSA_private_encrypt(req.flen, from,
150 			    to, rsa, req.padding);
151 		else
152 			ret = RSA_private_decrypt(req.flen, from,
153 			    to, rsa, req.padding);
154 
155 		memset(&res, 0, sizeof(res));
156 		res.id = req.id;
157 		res.ret = ret;
158 
159 		memset(&iov, 0, sizeof(iov));
160 		n = 0;
161 		iov[n].iov_base = &res;
162 		iov[n].iov_len = sizeof(res);
163 		n++;
164 
165 		if (ret > 0) {
166 			res.len = ret;
167 			iov[n].iov_base = to;
168 			iov[n].iov_len = ret;
169 			n++;
170 		}
171 
172 		log_debug("replying to server #%d", imsg->hdr.pid);
173 		if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
174 		    imsg->hdr.type, 0, -1, iov, n) == -1)
175 			fatal("proc_composev_imsg");
176 
177 		if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
178 			fatal("proc_flush_imsg");
179 
180 		free(to);
181 		RSA_free(rsa);
182 		break;
183 
184 	case IMSG_CRYPTO_ECDSA_SIGN:
185 		if (datalen < sizeof(req))
186 			fatalx("size mismatch for imsg %d", imsg->hdr.type);
187 		memcpy(&req, data, sizeof(req));
188 		if (datalen != sizeof(req) + req.flen)
189 			fatalx("size mismatch for imsg %d", imsg->hdr.type);
190 		from = data + sizeof(req);
191 
192 		if ((pkey = get_pkey(req.hash)) == NULL ||
193 		    (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
194 			fatalx("invalid pkey hash");
195 
196 		len = ECDSA_size(ecdsa);
197 		if ((to = calloc(1, len)) == NULL)
198 			fatal("calloc");
199 		ret = ECDSA_sign(0, from, req.flen, to, &len, ecdsa);
200 
201 		memset(&res, 0, sizeof(res));
202 		res.id = req.id;
203 		res.ret = ret;
204 
205 		memset(&iov, 0, sizeof(iov));
206 		n = 0;
207 		iov[0].iov_base = &res;
208 		iov[1].iov_len = sizeof(res);
209 		n++;
210 
211 		if (ret > 0) {
212 			res.len = len;
213 			iov[n].iov_base = to;
214 			iov[n].iov_len = len;
215 			n++;
216 		}
217 
218 		log_debug("replying to server #%d", imsg->hdr.pid);
219 		if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
220 		    imsg->hdr.type, 0, -1, iov, n) == -1)
221 			fatal("proc_composev_imsg");
222 
223 		if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
224 			fatal("proc_flush_imsg");
225 
226 		free(to);
227 		EC_KEY_free(ecdsa);
228 		break;
229 
230 	default:
231 		return -1;
232 	}
233 
234 	return 0;
235 }
236 
237 
238 /*
239  * RSA privsep engine (called from unprivileged processes)
240  */
241 
242 static const RSA_METHOD	*rsa_default;
243 static RSA_METHOD	*rsae_method;
244 
245 static int
246 rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
247     RSA *rsa, int padding, unsigned int cmd)
248 {
249 	struct imsg_crypto_req	 req;
250 	struct iovec		 iov[2];
251 	struct imsg_crypto_res	 res;
252 	struct imsgev		*iev;
253 	struct privsep_proc	*p;
254 	struct privsep		*ps = conf->ps;
255 	struct imsgbuf		*ibuf;
256 	struct imsg		 imsg;
257 	int			 ret = 0;
258 	int			 n, done = 0;
259 	const void		*toptr;
260 	char			*hash;
261 	unsigned char		*data;
262 	size_t			 datalen;
263 
264 	if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
265 		return (0);
266 
267 	/*
268 	 * Send a synchronous imsg because we cannot defer the RSA
269 	 * operation in OpenSSL's engine layer.
270 	 */
271 	memset(&req, 0, sizeof(req));
272 	req.id = ++reqid;
273 	if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
274 		fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
275 	req.flen = flen;
276 	req.tlen = RSA_size(rsa);
277 	req.padding = padding;
278 
279 	memset(&iov, 0, sizeof(iov));
280 	iov[0].iov_base = &req;
281 	iov[0].iov_len = sizeof(req);
282 	iov[1].iov_base = (void *)from;
283 	iov[1].iov_len = flen;
284 
285 	if (proc_composev(ps, PROC_CRYPTO, cmd, iov, 2) == -1)
286 		fatal("proc_composev");
287 
288 	if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
289 		fatal("proc_flush_imsg");
290 
291 	iev = ps->ps_ievs[PROC_CRYPTO];
292 	p = iev->proc;
293 	ibuf = &iev->ibuf;
294 
295 	while (!done) {
296 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
297 			fatalx("imsg_read");
298 		if (n == 0)
299 			fatalx("pipe closed");
300 
301 		while (!done) {
302 			if ((n = imsg_get(ibuf, &imsg)) == -1)
303 				fatalx("imsg_get error");
304 			if (n == 0)
305 				break;
306 
307 #if DEBUG > 1
308 			log_debug(
309 			    "%s: %s %d got imsg %d peerid %d from %s %d",
310 			    __func__, title, 1, imsg.hdr.type,
311 			    imsg.hdr.peerid, "crypto", imsg.hdr.pid);
312 #endif
313 
314 			if ((p->p_cb)(ibuf->fd, p, &imsg) == 0) {
315 				/* Message was handled by the callback */
316 				imsg_free(&imsg);
317 				continue;
318 			}
319 
320 			switch (imsg.hdr.type) {
321 			case IMSG_CRYPTO_RSA_PRIVENC:
322 			case IMSG_CRYPTO_RSA_PRIVDEC:
323 				break;
324 			default:
325 				fatalx("%s: %s %d got invalid imsg %d"
326 				    " peerid %d from %s %d",
327 				    __func__, "server", ps->ps_instance + 1,
328 				    imsg.hdr.type, imsg.hdr.peerid,
329 				    "crypto", imsg.hdr.pid);
330 			}
331 
332 			data = imsg.data;
333 			datalen = IMSG_DATA_SIZE(&imsg);
334 			if (datalen < sizeof(res))
335 				fatalx("size mismatch for imsg %d",
336 				    imsg.hdr.type);
337 			memcpy(&res, data, sizeof(res));
338 			if (datalen != sizeof(res) + res.ret)
339 				fatalx("size mismatch for imsg %d",
340 				    imsg.hdr.type);
341 			ret = res.ret;
342 			toptr = data + sizeof(res);
343 
344 			if (res.id != reqid)
345 				fatalx("invalid id; got %llu, want %llu",
346 				    (unsigned long long)res.id,
347 				    (unsigned long long)reqid);
348 			if (res.ret > 0)
349 				memcpy(to, toptr, res.len);
350 
351 			done = 1;
352 
353 			imsg_free(&imsg);
354 		}
355 	}
356 	imsg_event_add(iev);
357 
358 	return (ret);
359 }
360 
361 static int
362 rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
363     int padding)
364 {
365 	log_debug("debug: %s", __func__);
366 	return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
367 }
368 
369 static int
370 rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
371     int padding)
372 {
373 	log_debug("debug: %s", __func__);
374 	return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
375 }
376 
377 static int
378 rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
379     int padding)
380 {
381 	log_debug("debug: %s", __func__);
382 	if (RSA_get_ex_data(rsa, 0) != NULL)
383 		return (rsae_send_imsg(flen, from, to, rsa, padding,
384 		    IMSG_CRYPTO_RSA_PRIVENC));
385 	return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
386 }
387 
388 static int
389 rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
390     int padding)
391 {
392 	log_debug("debug: %s", __func__);
393 	if (RSA_get_ex_data(rsa, 0) != NULL)
394 		return (rsae_send_imsg(flen, from, to, rsa, padding,
395 		    IMSG_CRYPTO_RSA_PRIVDEC));
396 
397 	return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
398 }
399 
400 static int
401 rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
402 {
403 	log_debug("debug: %s", __func__);
404 	return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
405 }
406 
407 static int
408 rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
409     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
410 {
411 	log_debug("debug: %s", __func__);
412 	return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
413 }
414 
415 static int
416 rsae_init(RSA *rsa)
417 {
418 	log_debug("debug: %s", __func__);
419 	if (RSA_meth_get_init(rsa_default) == NULL)
420 		return (1);
421 	return (RSA_meth_get_init(rsa_default)(rsa));
422 }
423 
424 static int
425 rsae_finish(RSA *rsa)
426 {
427 	log_debug("debug: %s", __func__);
428 	if (RSA_meth_get_finish(rsa_default) == NULL)
429 		return (1);
430 	return (RSA_meth_get_finish(rsa_default)(rsa));
431 }
432 
433 static int
434 rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
435 {
436 	log_debug("debug: %s", __func__);
437 	return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
438 }
439 
440 
441 /*
442  * ECDSA privsep engine (called from unprivileged processes)
443  */
444 
445 static const EC_KEY_METHOD	*ecdsa_default;
446 static EC_KEY_METHOD		*ecdsae_method;
447 
448 static ECDSA_SIG *
449 ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
450     const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey)
451 {
452 	ECDSA_SIG		*sig = NULL;
453 	struct imsg_crypto_req	 req;
454 	struct iovec		 iov[2];
455 	struct imsg_crypto_res	 res;
456 	struct imsgev		*iev;
457 	struct privsep_proc	*p;
458 	struct privsep		*ps = conf->ps;
459 	struct imsgbuf		*ibuf;
460 	struct imsg		 imsg;
461 	int			 n, done = 0;
462 	const void		*toptr;
463 	char			*hash;
464 	unsigned char		*data;
465 	size_t			 datalen;
466 
467 	if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL)
468 		return (0);
469 
470 	/*
471 	 * Send a synchronous imsg because we cannot defer the RSA
472 	 * operation in OpenSSL's engine layer.
473 	 */
474 	memset(&req, 0, sizeof(req));
475 	req.id = reqid++;
476 	if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
477 		fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
478 	req.flen = dgst_len;
479 
480 	memset(&iov, 0, sizeof(iov));
481 	iov[0].iov_base = &req;
482 	iov[0].iov_len = sizeof(req);
483 	iov[1].iov_base = (void *)dgst;
484 	iov[1].iov_len = dgst_len;
485 
486 	if (proc_composev(ps, PROC_CRYPTO, IMSG_CRYPTO_ECDSA_SIGN, iov, 2) == -1)
487 		fatal("proc_composev");
488 
489 	if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
490 		fatal("proc_flush_imsg");
491 
492 	iev = ps->ps_ievs[PROC_CRYPTO];
493 	p = iev->proc;
494 	ibuf = &iev->ibuf;
495 
496 	while (!done) {
497 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
498 			fatalx("imsg_read");
499 		if (n == 0)
500 			fatalx("pipe closed");
501 
502 		while (!done) {
503 			if ((n = imsg_get(ibuf, &imsg)) == -1)
504 				fatalx("imsg_get error");
505 			if (n == 0)
506 				break;
507 
508 #if DEBUG > 1
509 			log_debug(
510 			    "%s: %s %d got imsg %d peerid %d from %s %d",
511 			    __func__, title, 1, imsg.hdr.type,
512 			    imsg.hdr.peerid, "crypto", imsg.hdr.pid);
513 #endif
514 
515 			if (crypto_dispatch_server(ibuf->fd, p, &imsg) == 0) {
516 				/* Message was handled by the callback */
517 				imsg_free(&imsg);
518 				continue;
519 			}
520 
521 			if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN)
522 				fatalx("%s: %s %d got invalid imsg %d"
523 				    " peerid %d from %s %d",
524 				    __func__, "server", ps->ps_instance + 1,
525 				    imsg.hdr.type, imsg.hdr.peerid,
526 				    "crypto", imsg.hdr.pid);
527 
528 			data = imsg.data;
529 			datalen = IMSG_DATA_SIZE(&imsg);
530 			if (datalen < sizeof(res))
531 				fatalx("size mismatch for imsg %d",
532 				    imsg.hdr.type);
533 			memcpy(&res, data, sizeof(res));
534 			if (datalen != sizeof(res) + res.ret)
535 				fatalx("size mismatch for imsg %d",
536 				    imsg.hdr.type);
537 			toptr = data + sizeof(res);
538 
539 			if (res.id != reqid)
540 				fatalx("invalid response id");
541 			if (res.ret > 0) {
542 				d2i_ECDSA_SIG(&sig,
543 				    (const unsigned char **)&toptr, res.len);
544 			}
545 
546 			done = 1;
547 
548 			imsg_free(&imsg);
549 		}
550 	}
551 	imsg_event_add(iev);
552 
553 	return (sig);
554 }
555 
556 static int
557 ecdsae_keygen(EC_KEY *eckey)
558 {
559 	int (*keygen)(EC_KEY *);
560 
561 	log_debug("debug: %s", __func__);
562 	EC_KEY_METHOD_get_keygen(ecdsa_default, &keygen);
563 	return (keygen(eckey));
564 }
565 
566 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3080100fL
567 static int
568 ecdsae_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
569     EC_KEY *ecdh, void *(*kdf)(const void *, size_t, void *, size_t *))
570 {
571 	int (*ckey)(void *, size_t, const EC_POINT *, EC_KEY *,
572 	    void *(*)(const void *, size_t, void *, size_t *));
573 
574 	log_debug("debug: %s", __func__);
575 	EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey);
576 	return (ckey(out, outlen, pub_key, ecdh, kdf));
577 }
578 #else
579 static int
580 ecdsae_compute_key(unsigned char **psec, size_t *pseclen,
581     const EC_POINT *pub_key, const EC_KEY *ecdh)
582 {
583 	int (*ckey)(unsigned char **, size_t *, const EC_POINT *,
584 	    const EC_KEY *);
585 
586 	log_debug("debug: %s", __func__);
587 	EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey);
588 	return (ckey(psec, pseclen, pub_key, ecdh));
589 }
590 #endif
591 
592 static int
593 ecdsae_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
594     unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
595 {
596 	int (*sign)(int, const unsigned char *, int, unsigned char *,
597 	    unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *);
598 
599 	log_debug("debug: %s", __func__);
600 	EC_KEY_METHOD_get_sign(ecdsa_default, &sign, NULL, NULL);
601 	return (sign(type, dgst, dlen, sig, siglen, kinv, r, eckey));
602 }
603 
604 static ECDSA_SIG *
605 ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
606     const BIGNUM *rp, EC_KEY *eckey)
607 {
608 	ECDSA_SIG *(*psign_sig)(const unsigned char *, int, const BIGNUM *,
609 	    const BIGNUM *, EC_KEY *);
610 
611 	log_debug("debug: %s", __func__);
612 	if (EC_KEY_get_ex_data(eckey, 0) != NULL)
613 		return (ecdsae_send_enc_imsg(dgst, dgst_len, inv, rp, eckey));
614 	EC_KEY_METHOD_get_sign(ecdsa_default, NULL, NULL, &psign_sig);
615 	return (psign_sig(dgst, dgst_len, inv, rp, eckey));
616 }
617 
618 static int
619 ecdsae_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **r)
620 {
621 	int (*psign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **);
622 
623 	log_debug("debug: %s", __func__);
624 	EC_KEY_METHOD_get_sign(ecdsa_default, NULL, &psign_setup, NULL);
625 	return (psign_setup(eckey, ctx, kinv, r));
626 }
627 
628 static int
629 ecdsae_verify(int type, const unsigned char *dgst, int dgst_len,
630     const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
631 {
632 	int (*verify)(int, const unsigned char *, int, const unsigned char *,
633 	    int, EC_KEY *);
634 
635 	log_debug("debug: %s", __func__);
636 	EC_KEY_METHOD_get_verify(ecdsa_default, &verify, NULL);
637 	return (verify(type, dgst, dgst_len, sigbuf, sig_len, eckey));
638 }
639 
640 static int
641 ecdsae_do_verify(const unsigned char *dgst, int dgst_len,
642     const ECDSA_SIG *sig, EC_KEY *eckey)
643 {
644 	int (*pverify_sig)(const unsigned char *, int, const ECDSA_SIG *,
645 	    EC_KEY *);
646 
647 	log_debug("debug: %s", __func__);
648 	EC_KEY_METHOD_get_verify(ecdsa_default, NULL, &pverify_sig);
649 	return (pverify_sig(dgst, dgst_len, sig, eckey));
650 }
651 
652 
653 /*
654  * Initialize the two engines.
655  */
656 
657 static void
658 rsa_engine_init(void)
659 {
660 	ENGINE		*e;
661 	const char	*errstr, *name;
662 
663 	if ((rsae_method = RSA_meth_new("RSA privsep engine", 0)) == NULL) {
664 		errstr = "RSA_meth_new";
665 		goto fail;
666 	}
667 
668 	RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc);
669 	RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec);
670 	RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
671 	RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
672 	RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp);
673 	RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp);
674 	RSA_meth_set_init(rsae_method, rsae_init);
675 	RSA_meth_set_finish(rsae_method, rsae_finish);
676 	RSA_meth_set_keygen(rsae_method, rsae_keygen);
677 
678 	if ((e = ENGINE_get_default_RSA()) == NULL) {
679 		if ((e = ENGINE_new()) == NULL) {
680 			errstr = "ENGINE_new";
681 			goto fail;
682 		}
683 		if (!ENGINE_set_name(e, RSA_meth_get0_name(rsae_method))) {
684 			errstr = "ENGINE_set_name";
685 			goto fail;
686 		}
687 		if ((rsa_default = RSA_get_default_method()) == NULL) {
688 			errstr = "RSA_get_default_method";
689 			goto fail;
690 		}
691 	} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
692 		errstr = "ENGINE_get_RSA";
693 		goto fail;
694 	}
695 
696 	if ((name = ENGINE_get_name(e)) == NULL)
697 		name = "unknown RSA engine";
698 
699 	log_debug("debug: %s: using %s", __func__, name);
700 
701 	if (RSA_meth_get_mod_exp(rsa_default) == NULL)
702 		RSA_meth_set_mod_exp(rsae_method, NULL);
703 	if (RSA_meth_get_bn_mod_exp(rsa_default) == NULL)
704 		RSA_meth_set_bn_mod_exp(rsae_method, NULL);
705 	if (RSA_meth_get_keygen(rsa_default) == NULL)
706 		RSA_meth_set_keygen(rsae_method, NULL);
707 	RSA_meth_set_flags(rsae_method,
708 		RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK);
709 	RSA_meth_set0_app_data(rsae_method,
710 		RSA_meth_get0_app_data(rsa_default));
711 
712 	if (!ENGINE_set_RSA(e, rsae_method)) {
713 		errstr = "ENGINE_set_RSA";
714 		goto fail;
715 	}
716 	if (!ENGINE_set_default_RSA(e)) {
717 		errstr = "ENGINE_set_default_RSA";
718 		goto fail;
719 	}
720 
721 	return;
722 
723  fail:
724 	ssl_error(errstr);
725 	fatalx("%s", errstr);
726 }
727 
728 static void
729 ecdsa_engine_init(void)
730 {
731 	ENGINE		*e;
732 	const char	*errstr, *name;
733 
734 	if ((ecdsae_method = EC_KEY_METHOD_new(NULL)) == NULL) {
735 		errstr = "EC_KEY_METHOD_new";
736 		goto fail;
737 	}
738 
739 	EC_KEY_METHOD_set_keygen(ecdsae_method, ecdsae_keygen);
740 	EC_KEY_METHOD_set_compute_key(ecdsae_method, ecdsae_compute_key);
741 	EC_KEY_METHOD_set_sign(ecdsae_method, ecdsae_sign, ecdsae_sign_setup,
742 	    ecdsae_do_sign);
743 	EC_KEY_METHOD_set_verify(ecdsae_method, ecdsae_verify,
744 	    ecdsae_do_verify);
745 
746 	if ((e = ENGINE_get_default_EC()) == NULL) {
747 		if ((e = ENGINE_new()) == NULL) {
748 			errstr = "ENGINE_new";
749 			goto fail;
750 		}
751 		if (!ENGINE_set_name(e, "ECDSA privsep engine")) {
752 			errstr = "ENGINE_set_name";
753 			goto fail;
754 		}
755 		if ((ecdsa_default = EC_KEY_get_default_method()) == NULL) {
756 			errstr = "EC_KEY_get_default_method";
757 			goto fail;
758 		}
759 	} else if ((ecdsa_default = ENGINE_get_EC(e)) == NULL) {
760 		errstr = "ENGINE_get_EC";
761 		goto fail;
762 	}
763 
764 	if ((name = ENGINE_get_name(e)) == NULL)
765 		name = "unknown ECDSA engine";
766 
767 	log_debug("debug: %s: using %s", __func__, name);
768 
769 	if (!ENGINE_set_EC(e, ecdsae_method)) {
770 		errstr = "ENGINE_set_EC";
771 		goto fail;
772 	}
773 	if (!ENGINE_set_default_EC(e)) {
774 		errstr = "ENGINE_set_default_EC";
775 		goto fail;
776 	}
777 
778 	return;
779 
780  fail:
781 	ssl_error(errstr);
782 	fatalx("%s", errstr);
783 }
784 
785 void
786 crypto_engine_init(struct conf *c)
787 {
788 	conf = c;
789 
790 	rsa_engine_init();
791 	ecdsa_engine_init();
792 }
793