1 /* $OpenBSD: ca.c,v 1.47 2023/07/11 16:40:22 op Exp $ */ 2 3 /* 4 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <openssl/err.h> 21 #include <openssl/pem.h> 22 #include <pwd.h> 23 #include <signal.h> 24 #include <string.h> 25 #include <unistd.h> 26 27 #include "smtpd.h" 28 #include "log.h" 29 #include "ssl.h" 30 31 static int rsae_send_imsg(int, const unsigned char *, unsigned char *, 32 RSA *, int, unsigned int); 33 static int rsae_priv_enc(int, const unsigned char *, unsigned char *, 34 RSA *, int); 35 static int rsae_priv_dec(int, const unsigned char *, unsigned char *, 36 RSA *, int); 37 static ECDSA_SIG *ecdsae_do_sign(const unsigned char *, int, const BIGNUM *, 38 const BIGNUM *, EC_KEY *); 39 40 static struct dict pkeys; 41 static uint64_t reqid = 0; 42 43 static void 44 ca_shutdown(void) 45 { 46 log_debug("debug: ca agent exiting"); 47 _exit(0); 48 } 49 50 int 51 ca(void) 52 { 53 struct passwd *pw; 54 55 purge_config(PURGE_LISTENERS|PURGE_TABLES|PURGE_RULES|PURGE_DISPATCHERS); 56 57 if ((pw = getpwnam(SMTPD_USER)) == NULL) 58 fatalx("unknown user " SMTPD_USER); 59 60 if (chroot(PATH_CHROOT) == -1) 61 fatal("ca: chroot"); 62 if (chdir("/") == -1) 63 fatal("ca: chdir(\"/\")"); 64 65 config_process(PROC_CA); 66 67 if (setgroups(1, &pw->pw_gid) || 68 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 69 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 70 fatal("ca: cannot drop privileges"); 71 72 imsg_callback = ca_imsg; 73 event_init(); 74 75 signal(SIGINT, SIG_IGN); 76 signal(SIGTERM, SIG_IGN); 77 signal(SIGPIPE, SIG_IGN); 78 signal(SIGHUP, SIG_IGN); 79 80 config_peer(PROC_CONTROL); 81 config_peer(PROC_PARENT); 82 config_peer(PROC_DISPATCHER); 83 84 /* Ignore them until we get our config */ 85 mproc_disable(p_dispatcher); 86 87 if (pledge("stdio", NULL) == -1) 88 fatal("pledge"); 89 90 event_dispatch(); 91 fatalx("exited event loop"); 92 93 return (0); 94 } 95 96 void 97 ca_init(void) 98 { 99 BIO *in = NULL; 100 EVP_PKEY *pkey = NULL; 101 struct pki *pki; 102 const char *k; 103 void *iter_dict; 104 char *hash; 105 106 log_debug("debug: init private ssl-tree"); 107 dict_init(&pkeys); 108 iter_dict = NULL; 109 while (dict_iter(env->sc_pki_dict, &iter_dict, &k, (void **)&pki)) { 110 if (pki->pki_key == NULL) 111 continue; 112 113 in = BIO_new_mem_buf(pki->pki_key, pki->pki_key_len); 114 if (in == NULL) 115 fatalx("ca_init: key"); 116 pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL); 117 if (pkey == NULL) 118 fatalx("ca_init: PEM"); 119 BIO_free(in); 120 121 hash = ssl_pubkey_hash(pki->pki_cert, pki->pki_cert_len); 122 if (dict_check(&pkeys, hash)) 123 EVP_PKEY_free(pkey); 124 else 125 dict_xset(&pkeys, hash, pkey); 126 free(hash); 127 } 128 } 129 130 int 131 ca_X509_verify(void *certificate, void *chain, const char *CAfile, 132 const char *CRLfile, const char **errstr) 133 { 134 X509_STORE *store = NULL; 135 X509_STORE_CTX *xsc = NULL; 136 int ret = 0; 137 long error = 0; 138 139 if ((store = X509_STORE_new()) == NULL) 140 goto end; 141 142 if (!X509_STORE_load_locations(store, CAfile, NULL)) { 143 log_warn("warn: unable to load CA file %s", CAfile); 144 goto end; 145 } 146 X509_STORE_set_default_paths(store); 147 148 if ((xsc = X509_STORE_CTX_new()) == NULL) 149 goto end; 150 151 if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1) 152 goto end; 153 154 ret = X509_verify_cert(xsc); 155 156 end: 157 *errstr = NULL; 158 if (ret != 1) { 159 if (xsc) { 160 error = X509_STORE_CTX_get_error(xsc); 161 *errstr = X509_verify_cert_error_string(error); 162 } 163 else if (ERR_peek_last_error()) 164 *errstr = ERR_error_string(ERR_peek_last_error(), NULL); 165 } 166 167 X509_STORE_CTX_free(xsc); 168 X509_STORE_free(store); 169 170 return ret > 0 ? 1 : 0; 171 } 172 173 void 174 ca_imsg(struct mproc *p, struct imsg *imsg) 175 { 176 EVP_PKEY *pkey; 177 RSA *rsa = NULL; 178 EC_KEY *ecdsa = NULL; 179 const void *from = NULL; 180 unsigned char *to = NULL; 181 struct msg m; 182 const char *hash; 183 size_t flen, tlen, padding; 184 int buf_len; 185 int ret = 0; 186 uint64_t id; 187 int v; 188 189 if (imsg == NULL) 190 ca_shutdown(); 191 192 switch (imsg->hdr.type) { 193 case IMSG_CONF_START: 194 return; 195 case IMSG_CONF_END: 196 ca_init(); 197 198 /* Start fulfilling requests */ 199 mproc_enable(p_dispatcher); 200 return; 201 202 case IMSG_CTL_VERBOSE: 203 m_msg(&m, imsg); 204 m_get_int(&m, &v); 205 m_end(&m); 206 log_trace_verbose(v); 207 return; 208 209 case IMSG_CTL_PROFILE: 210 m_msg(&m, imsg); 211 m_get_int(&m, &v); 212 m_end(&m); 213 profiling = v; 214 return; 215 216 case IMSG_CA_RSA_PRIVENC: 217 case IMSG_CA_RSA_PRIVDEC: 218 m_msg(&m, imsg); 219 m_get_id(&m, &id); 220 m_get_string(&m, &hash); 221 m_get_data(&m, &from, &flen); 222 m_get_size(&m, &tlen); 223 m_get_size(&m, &padding); 224 m_end(&m); 225 226 pkey = dict_get(&pkeys, hash); 227 if (pkey == NULL || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) 228 fatalx("ca_imsg: invalid pkey hash"); 229 230 if ((to = calloc(1, tlen)) == NULL) 231 fatalx("ca_imsg: calloc"); 232 233 switch (imsg->hdr.type) { 234 case IMSG_CA_RSA_PRIVENC: 235 ret = RSA_private_encrypt(flen, from, to, rsa, 236 padding); 237 break; 238 case IMSG_CA_RSA_PRIVDEC: 239 ret = RSA_private_decrypt(flen, from, to, rsa, 240 padding); 241 break; 242 } 243 244 m_create(p, imsg->hdr.type, 0, 0, -1); 245 m_add_id(p, id); 246 m_add_int(p, ret); 247 if (ret > 0) 248 m_add_data(p, to, (size_t)ret); 249 m_close(p); 250 251 free(to); 252 RSA_free(rsa); 253 return; 254 255 case IMSG_CA_ECDSA_SIGN: 256 m_msg(&m, imsg); 257 m_get_id(&m, &id); 258 m_get_string(&m, &hash); 259 m_get_data(&m, &from, &flen); 260 m_end(&m); 261 262 pkey = dict_get(&pkeys, hash); 263 if (pkey == NULL || 264 (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) 265 fatalx("ca_imsg: invalid pkey hash"); 266 267 buf_len = ECDSA_size(ecdsa); 268 if ((to = calloc(1, buf_len)) == NULL) 269 fatalx("ca_imsg: calloc"); 270 ret = ECDSA_sign(0, from, flen, to, &buf_len, ecdsa); 271 m_create(p, imsg->hdr.type, 0, 0, -1); 272 m_add_id(p, id); 273 m_add_int(p, ret); 274 if (ret > 0) 275 m_add_data(p, to, (size_t)buf_len); 276 m_close(p); 277 free(to); 278 EC_KEY_free(ecdsa); 279 return; 280 } 281 282 fatalx("ca_imsg: unexpected %s imsg", imsg_to_str(imsg->hdr.type)); 283 } 284 285 /* 286 * RSA privsep engine (called from unprivileged processes) 287 */ 288 289 const RSA_METHOD *rsa_default = NULL; 290 291 static RSA_METHOD *rsae_method = NULL; 292 293 static int 294 rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to, 295 RSA *rsa, int padding, unsigned int cmd) 296 { 297 int ret = 0; 298 struct imsgbuf *ibuf; 299 struct imsg imsg; 300 int n, done = 0; 301 const void *toptr; 302 char *hash; 303 size_t tlen; 304 struct msg m; 305 uint64_t id; 306 307 if ((hash = RSA_get_ex_data(rsa, 0)) == NULL) 308 return (0); 309 310 /* 311 * Send a synchronous imsg because we cannot defer the RSA 312 * operation in OpenSSL's engine layer. 313 */ 314 m_create(p_ca, cmd, 0, 0, -1); 315 reqid++; 316 m_add_id(p_ca, reqid); 317 m_add_string(p_ca, hash); 318 m_add_data(p_ca, (const void *)from, (size_t)flen); 319 m_add_size(p_ca, (size_t)RSA_size(rsa)); 320 m_add_size(p_ca, (size_t)padding); 321 m_flush(p_ca); 322 323 ibuf = &p_ca->imsgbuf; 324 325 while (!done) { 326 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 327 fatalx("imsg_read"); 328 if (n == 0) 329 fatalx("pipe closed"); 330 331 while (!done) { 332 if ((n = imsg_get(ibuf, &imsg)) == -1) 333 fatalx("imsg_get error"); 334 if (n == 0) 335 break; 336 337 log_imsg(PROC_DISPATCHER, PROC_CA, &imsg); 338 339 switch (imsg.hdr.type) { 340 case IMSG_CA_RSA_PRIVENC: 341 case IMSG_CA_RSA_PRIVDEC: 342 break; 343 default: 344 /* Another imsg is queued up in the buffer */ 345 dispatcher_imsg(p_ca, &imsg); 346 imsg_free(&imsg); 347 continue; 348 } 349 350 m_msg(&m, &imsg); 351 m_get_id(&m, &id); 352 if (id != reqid) 353 fatalx("invalid response id"); 354 m_get_int(&m, &ret); 355 if (ret > 0) 356 m_get_data(&m, &toptr, &tlen); 357 m_end(&m); 358 359 if (ret > 0) 360 memcpy(to, toptr, tlen); 361 done = 1; 362 363 imsg_free(&imsg); 364 } 365 } 366 mproc_event_add(p_ca); 367 368 return (ret); 369 } 370 371 static int 372 rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, 373 int padding) 374 { 375 log_debug("debug: %s: %s", proc_name(smtpd_process), __func__); 376 if (RSA_get_ex_data(rsa, 0) != NULL) 377 return (rsae_send_imsg(flen, from, to, rsa, padding, 378 IMSG_CA_RSA_PRIVENC)); 379 return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding)); 380 } 381 382 static int 383 rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, 384 int padding) 385 { 386 log_debug("debug: %s: %s", proc_name(smtpd_process), __func__); 387 if (RSA_get_ex_data(rsa, 0) != NULL) 388 return (rsae_send_imsg(flen, from, to, rsa, padding, 389 IMSG_CA_RSA_PRIVDEC)); 390 391 return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding)); 392 } 393 394 /* 395 * ECDSA privsep engine (called from unprivileged processes) 396 */ 397 398 const EC_KEY_METHOD *ecdsa_default = NULL; 399 400 static EC_KEY_METHOD *ecdsae_method = NULL; 401 402 static ECDSA_SIG * 403 ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len, 404 const BIGNUM *inv, const BIGNUM *rp, EC_KEY *eckey) 405 { 406 int ret = 0; 407 struct imsgbuf *ibuf; 408 struct imsg imsg; 409 int n, done = 0; 410 const void *toptr; 411 char *hash; 412 size_t tlen; 413 struct msg m; 414 uint64_t id; 415 ECDSA_SIG *sig = NULL; 416 417 if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL) 418 return (0); 419 420 /* 421 * Send a synchronous imsg because we cannot defer the ECDSA 422 * operation in OpenSSL's engine layer. 423 */ 424 m_create(p_ca, IMSG_CA_ECDSA_SIGN, 0, 0, -1); 425 reqid++; 426 m_add_id(p_ca, reqid); 427 m_add_string(p_ca, hash); 428 m_add_data(p_ca, (const void *)dgst, (size_t)dgst_len); 429 m_flush(p_ca); 430 431 ibuf = &p_ca->imsgbuf; 432 433 while (!done) { 434 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 435 fatalx("imsg_read"); 436 if (n == 0) 437 fatalx("pipe closed"); 438 while (!done) { 439 if ((n = imsg_get(ibuf, &imsg)) == -1) 440 fatalx("imsg_get error"); 441 if (n == 0) 442 break; 443 444 log_imsg(PROC_DISPATCHER, PROC_CA, &imsg); 445 446 switch (imsg.hdr.type) { 447 case IMSG_CA_ECDSA_SIGN: 448 break; 449 default: 450 /* Another imsg is queued up in the buffer */ 451 dispatcher_imsg(p_ca, &imsg); 452 imsg_free(&imsg); 453 continue; 454 } 455 456 m_msg(&m, &imsg); 457 m_get_id(&m, &id); 458 if (id != reqid) 459 fatalx("invalid response id"); 460 m_get_int(&m, &ret); 461 if (ret > 0) 462 m_get_data(&m, &toptr, &tlen); 463 m_end(&m); 464 done = 1; 465 466 if (ret > 0) 467 d2i_ECDSA_SIG(&sig, (const unsigned char **)&toptr, tlen); 468 imsg_free(&imsg); 469 } 470 } 471 mproc_event_add(p_ca); 472 473 return (sig); 474 } 475 476 static ECDSA_SIG * 477 ecdsae_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, 478 const BIGNUM *rp, EC_KEY *eckey) 479 { 480 ECDSA_SIG *(*psign_sig)(const unsigned char *, int, const BIGNUM *, 481 const BIGNUM *, EC_KEY *); 482 483 log_debug("debug: %s: %s", proc_name(smtpd_process), __func__); 484 if (EC_KEY_get_ex_data(eckey, 0) != NULL) 485 return (ecdsae_send_enc_imsg(dgst, dgst_len, inv, rp, eckey)); 486 EC_KEY_METHOD_get_sign(ecdsa_default, NULL, NULL, &psign_sig); 487 return (psign_sig(dgst, dgst_len, inv, rp, eckey)); 488 } 489 490 static void 491 rsa_engine_init(void) 492 { 493 const char *errstr; 494 495 if ((rsa_default = RSA_get_default_method()) == NULL) { 496 errstr = "RSA_get_default_method"; 497 goto fail; 498 } 499 500 if ((rsae_method = RSA_meth_dup(rsa_default)) == NULL) { 501 errstr = "RSA_meth_dup"; 502 goto fail; 503 } 504 505 RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc); 506 RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec); 507 508 RSA_meth_set_flags(rsae_method, 509 RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK); 510 RSA_meth_set0_app_data(rsae_method, 511 RSA_meth_get0_app_data(rsa_default)); 512 513 RSA_set_default_method(rsae_method); 514 515 return; 516 517 fail: 518 ssl_error(errstr); 519 fatalx("%s", errstr); 520 } 521 522 static void 523 ecdsa_engine_init(void) 524 { 525 int (*sign)(int, const unsigned char *, int, unsigned char *, 526 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *); 527 int (*sign_setup)(EC_KEY *, BN_CTX *, BIGNUM **, BIGNUM **); 528 const char *errstr; 529 530 if ((ecdsa_default = EC_KEY_get_default_method()) == NULL) { 531 errstr = "EC_KEY_get_default_method"; 532 goto fail; 533 } 534 535 if ((ecdsae_method = EC_KEY_METHOD_new(ecdsa_default)) == NULL) { 536 errstr = "EC_KEY_METHOD_new"; 537 goto fail; 538 } 539 540 EC_KEY_METHOD_get_sign(ecdsa_default, &sign, &sign_setup, NULL); 541 EC_KEY_METHOD_set_sign(ecdsae_method, sign, sign_setup, 542 ecdsae_do_sign); 543 544 EC_KEY_set_default_method(ecdsae_method); 545 546 return; 547 548 fail: 549 ssl_error(errstr); 550 fatalx("%s", errstr); 551 } 552 553 void 554 ca_engine_init(void) 555 { 556 rsa_engine_init(); 557 ecdsa_engine_init(); 558 } 559