2 * Copyright (c) 2023 Omar Polo <op@omarpolo.com>
3 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
4 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #include <openssl/err.h>
24 #include <openssl/pem.h>
25 #include <openssl/engine.h>
31 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
34 static void crypto_init(struct privsep *, struct privsep_proc *, void *);
35 static int crypto_dispatch_parent(int, struct privsep_proc *, struct imsg *);
36 static int crypto_dispatch_server(int, struct privsep_proc *, struct imsg *);
38 static struct privsep_proc procs[] = {
39 { "parent", PROC_PARENT, crypto_dispatch_parent },
40 { "server", PROC_SERVER, crypto_dispatch_server },
43 struct imsg_crypto_req {
45 char hash[TLS_CERT_HASH_SIZE];
49 /* followed by flen bytes of `from'. */
52 struct imsg_crypto_res {
56 /* followed by len bytes of reply */
59 static uint64_t reqid;
60 static struct conf *conf;
63 crypto(struct privsep *ps, struct privsep_proc *p)
65 proc_run(ps, p, procs, nitems(procs), crypto_init, NULL);
69 crypto_init(struct privsep *ps, struct privsep_proc *p, void *arg)
72 static volatile int attached;
73 while (!attached) sleep(1);
78 sandbox_crypto_process();
82 crypto_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
84 switch (imsg->hdr.type) {
85 case IMSG_RECONF_START:
86 case IMSG_RECONF_CERT:
89 if (config_recv(conf, imsg) == -1)
100 get_pkey(const char *hash)
104 TAILQ_FOREACH(pki, &conf->pkis, pkis) {
105 if (!strcmp(pki->hash, hash))
113 crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
115 struct privsep *ps = p->p_ps;
119 struct imsg_crypto_req req;
120 struct imsg_crypto_res res;
123 unsigned char *data, *to;
129 datalen = IMSG_DATA_SIZE(imsg);
131 switch (imsg->hdr.type) {
132 case IMSG_CRYPTO_RSA_PRIVENC:
133 case IMSG_CRYPTO_RSA_PRIVDEC:
134 if (datalen < sizeof(req))
135 fatalx("size mismatch for imsg %d", imsg->hdr.type);
136 memcpy(&req, data, sizeof(req));
137 if (datalen != sizeof(req) + req.flen)
138 fatalx("size mismatch for imsg %d", imsg->hdr.type);
139 from = data + sizeof(req);
141 if ((pkey = get_pkey(req.hash)) == NULL ||
142 (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
143 fatalx("invalid pkey hash");
145 if ((to = calloc(1, req.tlen)) == NULL)
148 if (imsg->hdr.type == IMSG_CRYPTO_RSA_PRIVENC)
149 ret = RSA_private_encrypt(req.flen, from,
150 to, rsa, req.padding);
152 ret = RSA_private_decrypt(req.flen, from,
153 to, rsa, req.padding);
155 memset(&res, 0, sizeof(res));
159 memset(&iov, 0, sizeof(iov));
161 iov[n].iov_base = &res;
162 iov[n].iov_len = sizeof(res);
167 iov[n].iov_base = to;
168 iov[n].iov_len = ret;
172 log_debug("replying to server #%d", imsg->hdr.pid);
173 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
174 imsg->hdr.type, 0, -1, iov, n) == -1)
175 fatal("proc_composev_imsg");
177 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
178 fatal("proc_flush_imsg");
184 case IMSG_CRYPTO_ECDSA_SIGN:
185 if (datalen < sizeof(req))
186 fatalx("size mismatch for imsg %d", imsg->hdr.type);
187 memcpy(&req, data, sizeof(req));
188 if (datalen != sizeof(req) + req.flen)
189 fatalx("size mismatch for imsg %d", imsg->hdr.type);
190 from = data + sizeof(req);
192 if ((pkey = get_pkey(req.hash)) == NULL ||
193 (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
194 fatalx("invalid pkey hash");
196 len = ECDSA_size(ecdsa);
197 if ((to = calloc(1, len)) == NULL)
199 ret = ECDSA_sign(0, from, req.flen, to, &len, ecdsa);
201 memset(&res, 0, sizeof(res));
205 memset(&iov, 0, sizeof(iov));
207 iov[0].iov_base = &res;
208 iov[1].iov_len = sizeof(res);
213 iov[n].iov_base = to;
214 iov[n].iov_len = len;
218 log_debug("replying to server #%d", imsg->hdr.pid);
219 if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
220 imsg->hdr.type, 0, -1, iov, n) == -1)
221 fatal("proc_composev_imsg");
223 if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
224 fatal("proc_flush_imsg");
239 * RSA privsep engine (called from unprivileged processes)
242 static const RSA_METHOD *rsa_default;
243 static RSA_METHOD *rsae_method;
246 rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
247 RSA *rsa, int padding, unsigned int cmd)
249 struct imsg_crypto_req req;
251 struct imsg_crypto_res res;
253 struct privsep_proc *p;
254 struct privsep *ps = conf->ps;
255 struct imsgbuf *ibuf;
264 if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
268 * Send a synchronous imsg because we cannot defer the RSA
269 * operation in OpenSSL's engine layer.
271 memset(&req, 0, sizeof(req));
273 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
274 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
276 req.tlen = RSA_size(rsa);
277 req.padding = padding;
279 memset(&iov, 0, sizeof(iov));
280 iov[0].iov_base = &req;
281 iov[0].iov_len = sizeof(req);
282 iov[1].iov_base = (void *)from;
283 iov[1].iov_len = flen;
285 if (proc_composev(ps, PROC_CRYPTO, cmd, iov, 2) == -1)
286 fatal("proc_composev");
288 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
289 fatal("proc_flush_imsg");
291 iev = ps->ps_ievs[PROC_CRYPTO];
296 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
299 fatalx("pipe closed");
302 if ((n = imsg_get(ibuf, &imsg)) == -1)
303 fatalx("imsg_get error");
309 "%s: %s %d got imsg %d peerid %d from %s %d",
310 __func__, title, 1, imsg.hdr.type,
311 imsg.hdr.peerid, "crypto", imsg.hdr.pid);
314 if ((p->p_cb)(ibuf->fd, p, &imsg) == 0) {
315 /* Message was handled by the callback */
320 switch (imsg.hdr.type) {
321 case IMSG_CRYPTO_RSA_PRIVENC:
322 case IMSG_CRYPTO_RSA_PRIVDEC:
325 fatalx("%s: %s %d got invalid imsg %d"
326 " peerid %d from %s %d",
327 __func__, "server", ps->ps_instance + 1,
328 imsg.hdr.type, imsg.hdr.peerid,
329 "crypto", imsg.hdr.pid);
333 datalen = IMSG_DATA_SIZE(&imsg);
334 if (datalen < sizeof(res))
335 fatalx("size mismatch for imsg %d",
337 memcpy(&res, data, sizeof(res));
338 if (datalen != sizeof(res) + res.ret)
339 fatalx("size mismatch for imsg %d",
342 toptr = data + sizeof(res);
345 fatalx("invalid id; got %llu, want %llu",
346 (unsigned long long)res.id,
347 (unsigned long long)reqid);
349 memcpy(to, toptr, res.len);
362 rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
365 log_debug("debug: %s", __func__);
366 return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
370 rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
373 log_debug("debug: %s", __func__);
374 return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
378 rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
381 log_debug("debug: %s", __func__);
382 if (RSA_get_ex_data(rsa, 0) != NULL)
383 return (rsae_send_imsg(flen, from, to, rsa, padding,
384 IMSG_CRYPTO_RSA_PRIVENC));
385 return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
389 rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
392 log_debug("debug: %s", __func__);
393 if (RSA_get_ex_data(rsa, 0) != NULL)
394 return (rsae_send_imsg(flen, from, to, rsa, padding,
395 IMSG_CRYPTO_RSA_PRIVDEC));
397 return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
401 rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
403 log_debug("debug: %s", __func__);
404 return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
408 rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
409 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
411 log_debug("debug: %s", __func__);
412 return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
418 log_debug("debug: %s", __func__);
419 if (RSA_meth_get_init(rsa_default) == NULL)
421 return (RSA_meth_get_init(rsa_default)(rsa));
425 rsae_finish(RSA *rsa)
427 log_debug("debug: %s", __func__);
428 if (RSA_meth_get_finish(rsa_default) == NULL)
430 return (RSA_meth_get_finish(rsa_default)(rsa));
434 rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
436 log_debug("debug: %s", __func__);
437 return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
442 * ECDSA privsep engine (called from unprivileged processes)
445 static const EC_KEY_METHOD *ecdsa_default;
446 static EC_KEY_METHOD *ecdsae_method;
449 ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
450 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey)
452 ECDSA_SIG *sig = NULL;
453 struct imsg_crypto_req req;
455 struct imsg_crypto_res res;
457 struct privsep_proc *p;
458 struct privsep *ps = conf->ps;
459 struct imsgbuf *ibuf;
467 if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL)
471 * Send a synchronous imsg because we cannot defer the RSA
472 * operation in OpenSSL's engine layer.
474 memset(&req, 0, sizeof(req));
476 if (strlcpy(req.hash, hash, sizeof(req.hash)) >= sizeof(req.hash))
477 fatalx("%s: hash too long (%zu)", __func__, strlen(hash));
480 memset(&iov, 0, sizeof(iov));
481 iov[0].iov_base = &req;
482 iov[0].iov_len = sizeof(req);
483 iov[1].iov_base = (void *)dgst;
484 iov[1].iov_len = dgst_len;
486 if (proc_composev(ps, PROC_CRYPTO, IMSG_CRYPTO_ECDSA_SIGN, iov, 2) == -1)
487 fatal("proc_composev");
489 if (proc_flush_imsg(ps, PROC_CRYPTO, -1) == -1)
490 fatal("proc_flush_imsg");
492 iev = ps->ps_ievs[PROC_CRYPTO];
497 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
500 fatalx("pipe closed");
503 if ((n = imsg_get(ibuf, &imsg)) == -1)
504 fatalx("imsg_get error");
510 "%s: %s %d got imsg %d peerid %d from %s %d",
511 __func__, title, 1, imsg.hdr.type,
512 imsg.hdr.peerid, "crypto", imsg.hdr.pid);
515 if (crypto_dispatch_server(ibuf->fd, p, &imsg) == 0) {
516 /* Message was handled by the callback */
521 if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN)
522 fatalx("%s: %s %d got invalid imsg %d"
523 " peerid %d from %s %d",
524 __func__, "server", ps->ps_instance + 1,
525 imsg.hdr.type, imsg.hdr.peerid,
526 "crypto", imsg.hdr.pid);
529 datalen = IMSG_DATA_SIZE(&imsg);
530 if (datalen < sizeof(res))
531 fatalx("size mismatch for imsg %d",
533 memcpy(&res, data, sizeof(res));
534 if (datalen != sizeof(res) + res.ret)
535 fatalx("size mismatch for imsg %d",
537 toptr = data + sizeof(res);
540 fatalx("invalid response id");
543 (const unsigned char **)&toptr, res.len);
557 ecdsae_keygen(EC_KEY *eckey)
559 int (*keygen)(EC_KEY *);
561 log_debug("debug: %s", __func__);
562 EC_KEY_METHOD_get_keygen(ecdsa_default, &keygen);
563 return (keygen(eckey));
566 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3080100fL
568 ecdsae_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
569 EC_KEY *ecdh, void *(*kdf)(const void *, size_t, void *, size_t *))
571 int (*ckey)(void *, size_t, const EC_POINT *, EC_KEY *,
572 void *(*)(const void *, size_t, void *, size_t *));
574 log_debug("debug: %s", __func__);
575 EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey);
576 return (ckey(out, outlen, pub_key, ecdh, kdf));
580 ecdsae_compute_key(unsigned char **psec, size_t *pseclen,
581 const EC_POINT *pub_key, const EC_KEY *ecdh)
583 int (*ckey)(unsigned char **, size_t *, const EC_POINT *,
586 log_debug("debug: %s", __func__);
587 EC_KEY_METHOD_get_compute_key(ecdsa_default, &ckey);
588 return (ckey(psec, pseclen, pub_key, ecdh));
593 ecdsae_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
594 unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
596 int (*sign)(int, const unsigned char *, int, unsigned char *,
597 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *);
599 log_debug("debug: %s", __func__);
600 EC_KEY_METHOD_get_sign(ecdsa_default, &sign, NULL, NULL);
601 return (sign(type, dgst, dlen, sig, siglen, kinv, r, eckey));
605 ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
606 const BIGNUM *rp, EC_KEY *eckey)
608 ECDSA_SIG *(*psign_sig)(const unsigned char *, int, const BIGNUM *,
609 const BIGNUM *, EC_KEY *);
611 log_debug("debug: %s", __func__);
612 if (EC_KEY_get_ex_data(eckey, 0) != NULL)
613 return (ecdsae_send_enc_imsg(dgst, dgst_len, inv, rp, eckey));
614 EC_KEY_METHOD_get_sign(ecdsa_default, NULL, NULL, &psign_sig);
615 return (psign_sig(dgst, dgst_len, inv, rp, eckey));
619 ecdsae_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **r)
621 int (*psign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **);
623 log_debug("debug: %s", __func__);
624 EC_KEY_METHOD_get_sign(ecdsa_default, NULL, &psign_setup, NULL);
625 return (psign_setup(eckey, ctx, kinv, r));
629 ecdsae_verify(int type, const unsigned char *dgst, int dgst_len,
630 const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
632 int (*verify)(int, const unsigned char *, int, const unsigned char *,
635 log_debug("debug: %s", __func__);
636 EC_KEY_METHOD_get_verify(ecdsa_default, &verify, NULL);
637 return (verify(type, dgst, dgst_len, sigbuf, sig_len, eckey));
641 ecdsae_do_verify(const unsigned char *dgst, int dgst_len,
642 const ECDSA_SIG *sig, EC_KEY *eckey)
644 int (*pverify_sig)(const unsigned char *, int, const ECDSA_SIG *,
647 log_debug("debug: %s", __func__);
648 EC_KEY_METHOD_get_verify(ecdsa_default, NULL, &pverify_sig);
649 return (pverify_sig(dgst, dgst_len, sig, eckey));
654 * Initialize the two engines.
658 rsa_engine_init(void)
661 const char *errstr, *name;
663 if ((rsae_method = RSA_meth_new("RSA privsep engine", 0)) == NULL) {
664 errstr = "RSA_meth_new";
668 RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc);
669 RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec);
670 RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
671 RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
672 RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp);
673 RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp);
674 RSA_meth_set_init(rsae_method, rsae_init);
675 RSA_meth_set_finish(rsae_method, rsae_finish);
676 RSA_meth_set_keygen(rsae_method, rsae_keygen);
678 if ((e = ENGINE_get_default_RSA()) == NULL) {
679 if ((e = ENGINE_new()) == NULL) {
680 errstr = "ENGINE_new";
683 if (!ENGINE_set_name(e, RSA_meth_get0_name(rsae_method))) {
684 errstr = "ENGINE_set_name";
687 if ((rsa_default = RSA_get_default_method()) == NULL) {
688 errstr = "RSA_get_default_method";
691 } else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
692 errstr = "ENGINE_get_RSA";
696 if ((name = ENGINE_get_name(e)) == NULL)
697 name = "unknown RSA engine";
699 log_debug("debug: %s: using %s", __func__, name);
701 if (RSA_meth_get_mod_exp(rsa_default) == NULL)
702 RSA_meth_set_mod_exp(rsae_method, NULL);
703 if (RSA_meth_get_bn_mod_exp(rsa_default) == NULL)
704 RSA_meth_set_bn_mod_exp(rsae_method, NULL);
705 if (RSA_meth_get_keygen(rsa_default) == NULL)
706 RSA_meth_set_keygen(rsae_method, NULL);
707 RSA_meth_set_flags(rsae_method,
708 RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK);
709 RSA_meth_set0_app_data(rsae_method,
710 RSA_meth_get0_app_data(rsa_default));
712 if (!ENGINE_set_RSA(e, rsae_method)) {
713 errstr = "ENGINE_set_RSA";
716 if (!ENGINE_set_default_RSA(e)) {
717 errstr = "ENGINE_set_default_RSA";
725 fatalx("%s", errstr);
729 ecdsa_engine_init(void)
732 const char *errstr, *name;
734 if ((ecdsae_method = EC_KEY_METHOD_new(NULL)) == NULL) {
735 errstr = "EC_KEY_METHOD_new";
739 EC_KEY_METHOD_set_keygen(ecdsae_method, ecdsae_keygen);
740 EC_KEY_METHOD_set_compute_key(ecdsae_method, ecdsae_compute_key);
741 EC_KEY_METHOD_set_sign(ecdsae_method, ecdsae_sign, ecdsae_sign_setup,
743 EC_KEY_METHOD_set_verify(ecdsae_method, ecdsae_verify,
746 if ((e = ENGINE_get_default_EC()) == NULL) {
747 if ((e = ENGINE_new()) == NULL) {
748 errstr = "ENGINE_new";
751 if (!ENGINE_set_name(e, "ECDSA privsep engine")) {
752 errstr = "ENGINE_set_name";
755 if ((ecdsa_default = EC_KEY_get_default_method()) == NULL) {
756 errstr = "EC_KEY_get_default_method";
759 } else if ((ecdsa_default = ENGINE_get_EC(e)) == NULL) {
760 errstr = "ENGINE_get_EC";
764 if ((name = ENGINE_get_name(e)) == NULL)
765 name = "unknown ECDSA engine";
767 log_debug("debug: %s: using %s", __func__, name);
769 if (!ENGINE_set_EC(e, ecdsae_method)) {
770 errstr = "ENGINE_set_EC";
773 if (!ENGINE_set_default_EC(e)) {
774 errstr = "ENGINE_set_default_EC";
782 fatalx("%s", errstr);
786 crypto_engine_init(struct conf *c)