1 /*
2 * Copyright (c) 2015 Kazuho Oku, DeNA Co., Ltd.
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a copy
5 * of this software and associated documentation files (the "Software"), to
6 * deal in the Software without restriction, including without limitation the
7 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
8 * sell copies of the Software, and to permit persons to whom the Software is
9 * furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
20 * IN THE SOFTWARE.
21 */
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <grp.h>
27 #include <limits.h>
28 #include <pthread.h>
29 #include <pwd.h>
30 #include <stdarg.h>
31 #include <stdint.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <sys/socket.h>
36 #include <sys/types.h>
37 #include <sys/uio.h>
38 #include <unistd.h>
39 #include <openssl/rand.h>
40 #include <openssl/ssl.h>
41 #include <openssl/rsa.h>
42 #include <openssl/bn.h>
43 #ifdef __linux__
44 #include <sys/prctl.h>
45 #endif
46 #include "neverbleed.h"
47
48 #if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
49 #define OPENSSL_1_1_API 1
50 #else
51 #define OPENSSL_1_1_API 0
52 #endif
53
54 enum neverbleed_type { NEVERBLEED_TYPE_ERROR, NEVERBLEED_TYPE_RSA, NEVERBLEED_TYPE_ECDSA };
55
56 struct expbuf_t {
57 char *buf;
58 char *start;
59 char *end;
60 size_t capacity;
61 };
62
63 struct st_neverbleed_rsa_exdata_t {
64 neverbleed_t *nb;
65 size_t key_index;
66 };
67
68 struct st_neverbleed_thread_data_t {
69 pid_t self_pid;
70 int fd;
71 };
72
warnvf(const char * fmt,va_list args)73 static void warnvf(const char *fmt, va_list args)
74 {
75 char errbuf[256];
76
77 if (errno != 0) {
78 strerror_r(errno, errbuf, sizeof(errbuf));
79 } else {
80 errbuf[0] = '\0';
81 }
82
83 fprintf(stderr, "[openssl-privsep] ");
84 vfprintf(stderr, fmt, args);
85 if (errbuf[0] != '\0')
86 fputs(errbuf, stderr);
87 fputc('\n', stderr);
88 }
89
warnf(const char * fmt,...)90 __attribute__((format(printf, 1, 2))) static void warnf(const char *fmt, ...)
91 {
92 va_list args;
93
94 va_start(args, fmt);
95 warnvf(fmt, args);
96 va_end(args);
97 }
98
dief(const char * fmt,...)99 __attribute__((format(printf, 1, 2), noreturn)) static void dief(const char *fmt, ...)
100 {
101 va_list args;
102
103 va_start(args, fmt);
104 warnvf(fmt, args);
105 va_end(args);
106
107 abort();
108 }
109
dirname(const char * path)110 static char *dirname(const char *path)
111 {
112 const char *last_slash = strrchr(path, '/');
113 char *ret;
114
115 if (last_slash == NULL) {
116 errno = 0;
117 dief("dirname: no slash in given path:%s", path);
118 }
119 if ((ret = malloc(last_slash + 1 - path)) == NULL)
120 dief("no memory");
121 memcpy(ret, path, last_slash - path);
122 ret[last_slash - path] = '\0';
123 return ret;
124 }
125
set_cloexec(int fd)126 static void set_cloexec(int fd)
127 {
128 if (fcntl(fd, F_SETFD, O_CLOEXEC) == -1)
129 dief("failed to set O_CLOEXEC to fd %d", fd);
130 }
131
read_nbytes(int fd,void * p,size_t sz)132 static int read_nbytes(int fd, void *p, size_t sz)
133 {
134 while (sz != 0) {
135 ssize_t r;
136 while ((r = read(fd, p, sz)) == -1 && errno == EINTR)
137 ;
138 if (r == -1) {
139 return -1;
140 } else if (r == 0) {
141 errno = 0;
142 return -1;
143 }
144 p = (char *)p + r;
145 sz -= r;
146 }
147 return 0;
148 }
149
expbuf_size(struct expbuf_t * buf)150 static size_t expbuf_size(struct expbuf_t *buf)
151 {
152 return buf->end - buf->start;
153 }
154
expbuf_dispose(struct expbuf_t * buf)155 static void expbuf_dispose(struct expbuf_t *buf)
156 {
157 if (buf->capacity != 0)
158 OPENSSL_cleanse(buf->buf, buf->capacity);
159 free(buf->buf);
160 memset(buf, 0, sizeof(*buf));
161 }
162
expbuf_reserve(struct expbuf_t * buf,size_t extra)163 static void expbuf_reserve(struct expbuf_t *buf, size_t extra)
164 {
165 char *n;
166
167 if (extra <= buf->buf + buf->capacity - buf->end)
168 return;
169
170 if (buf->capacity == 0)
171 buf->capacity = 4096;
172 while (buf->buf + buf->capacity - buf->end < extra)
173 buf->capacity *= 2;
174 if ((n = realloc(buf->buf, buf->capacity)) == NULL)
175 dief("realloc failed");
176 buf->start += n - buf->buf;
177 buf->end += n - buf->buf;
178 buf->buf = n;
179 }
180
expbuf_push_num(struct expbuf_t * buf,size_t v)181 static void expbuf_push_num(struct expbuf_t *buf, size_t v)
182 {
183 expbuf_reserve(buf, sizeof(v));
184 memcpy(buf->end, &v, sizeof(v));
185 buf->end += sizeof(v);
186 }
187
expbuf_push_str(struct expbuf_t * buf,const char * s)188 static void expbuf_push_str(struct expbuf_t *buf, const char *s)
189 {
190 size_t l = strlen(s) + 1;
191 expbuf_reserve(buf, l);
192 memcpy(buf->end, s, l);
193 buf->end += l;
194 }
195
expbuf_push_bytes(struct expbuf_t * buf,const void * p,size_t l)196 static void expbuf_push_bytes(struct expbuf_t *buf, const void *p, size_t l)
197 {
198 expbuf_push_num(buf, l);
199 expbuf_reserve(buf, l);
200 memcpy(buf->end, p, l);
201 buf->end += l;
202 }
203
expbuf_shift_num(struct expbuf_t * buf,size_t * v)204 static int expbuf_shift_num(struct expbuf_t *buf, size_t *v)
205 {
206 if (expbuf_size(buf) < sizeof(*v))
207 return -1;
208 memcpy(v, buf->start, sizeof(*v));
209 buf->start += sizeof(*v);
210 return 0;
211 }
212
expbuf_shift_str(struct expbuf_t * buf)213 static char *expbuf_shift_str(struct expbuf_t *buf)
214 {
215 char *nul = memchr(buf->start, '\0', expbuf_size(buf)), *ret;
216 if (nul == NULL)
217 return NULL;
218 ret = buf->start;
219 buf->start = nul + 1;
220 return ret;
221 }
222
expbuf_shift_bytes(struct expbuf_t * buf,size_t * l)223 static void *expbuf_shift_bytes(struct expbuf_t *buf, size_t *l)
224 {
225 void *ret;
226 if (expbuf_shift_num(buf, l) != 0)
227 return NULL;
228 if (expbuf_size(buf) < *l)
229 return NULL;
230 ret = buf->start;
231 buf->start += *l;
232 return ret;
233 }
234
expbuf_write(struct expbuf_t * buf,int fd)235 static int expbuf_write(struct expbuf_t *buf, int fd)
236 {
237 struct iovec vecs[2] = {{NULL}};
238 size_t bufsz = expbuf_size(buf);
239 int vecindex;
240 ssize_t r;
241
242 vecs[0].iov_base = &bufsz;
243 vecs[0].iov_len = sizeof(bufsz);
244 vecs[1].iov_base = buf->start;
245 vecs[1].iov_len = bufsz;
246
247 for (vecindex = 0; vecindex != sizeof(vecs) / sizeof(vecs[0]);) {
248 while ((r = writev(fd, vecs + vecindex, sizeof(vecs) / sizeof(vecs[0]) - vecindex)) == -1 && errno == EINTR)
249 ;
250 if (r == -1)
251 return -1;
252 assert(r != 0);
253 while (r != 0 && r >= vecs[vecindex].iov_len) {
254 r -= vecs[vecindex].iov_len;
255 ++vecindex;
256 }
257 if (r != 0) {
258 vecs[vecindex].iov_base = (char *)vecs[vecindex].iov_base + r;
259 vecs[vecindex].iov_len -= r;
260 }
261 }
262
263 return 0;
264 }
265
expbuf_read(struct expbuf_t * buf,int fd)266 static int expbuf_read(struct expbuf_t *buf, int fd)
267 {
268 size_t sz;
269
270 if (read_nbytes(fd, &sz, sizeof(sz)) != 0)
271 return -1;
272 expbuf_reserve(buf, sz);
273 if (read_nbytes(fd, buf->end, sz) != 0)
274 return -1;
275 buf->end += sz;
276 return 0;
277 }
278
279 #if !defined(NAME_MAX) || defined(__linux__)
280 /* readdir(3) is known to be thread-safe on Linux and should be thread-safe on a platform that does not have a predefined value for
281 NAME_MAX */
282 #define FOREACH_DIRENT(dp, dent) \
283 struct dirent *dent; \
284 while ((dent = readdir(dp)) != NULL)
285 #else
286 #define FOREACH_DIRENT(dp, dent) \
287 struct { \
288 struct dirent d; \
289 char s[NAME_MAX + 1]; \
290 } dent_; \
291 struct dirent *dentp, *dent = &dent_.d; \
292 int ret; \
293 while ((ret = readdir_r(dp, dent, &dentp)) == 0 && dentp != NULL)
294 #endif /* FOREACH_DIRENT */
295
unlink_dir(const char * path)296 static void unlink_dir(const char *path)
297 {
298 DIR *dp;
299 char buf[PATH_MAX];
300
301 if ((dp = opendir(path)) != NULL) {
302 FOREACH_DIRENT(dp, entp)
303 {
304 if (strcmp(entp->d_name, ".") == 0 || strcmp(entp->d_name, "..") == 0)
305 continue;
306 snprintf(buf, sizeof(buf), "%s/%s", path, entp->d_name);
307 unlink_dir(buf);
308 }
309 closedir(dp);
310 }
311 unlink(path);
312 rmdir(path);
313 }
314
dispose_thread_data(void * _thdata)315 void dispose_thread_data(void *_thdata)
316 {
317 struct st_neverbleed_thread_data_t *thdata = _thdata;
318 assert(thdata->fd >= 0);
319 close(thdata->fd);
320 thdata->fd = -1;
321 }
322
get_thread_data(neverbleed_t * nb)323 struct st_neverbleed_thread_data_t *get_thread_data(neverbleed_t *nb)
324 {
325 struct st_neverbleed_thread_data_t *thdata;
326 pid_t self_pid = getpid();
327 ssize_t r;
328
329 if ((thdata = pthread_getspecific(nb->thread_key)) != NULL) {
330 if (thdata->self_pid == self_pid)
331 return thdata;
332 /* we have been forked! */
333 close(thdata->fd);
334 } else {
335 if ((thdata = malloc(sizeof(*thdata))) == NULL)
336 dief("malloc failed");
337 }
338
339 thdata->self_pid = self_pid;
340 #ifdef SOCK_CLOEXEC
341 if ((thdata->fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1)
342 dief("socket(2) failed");
343 #else
344 if ((thdata->fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
345 dief("socket(2) failed");
346 set_cloexec(thdata->fd);
347 #endif
348 while (connect(thdata->fd, (void *)&nb->sun_, sizeof(nb->sun_)) != 0)
349 if (errno != EINTR)
350 dief("failed to connect to privsep daemon");
351 while ((r = write(thdata->fd, nb->auth_token, sizeof(nb->auth_token))) == -1 && errno == EINTR)
352 ;
353 if (r != sizeof(nb->auth_token))
354 dief("failed to send authentication token");
355 pthread_setspecific(nb->thread_key, thdata);
356
357 return thdata;
358 }
359
get_privsep_data(const RSA * rsa,struct st_neverbleed_rsa_exdata_t ** exdata,struct st_neverbleed_thread_data_t ** thdata)360 static void get_privsep_data(const RSA *rsa, struct st_neverbleed_rsa_exdata_t **exdata,
361 struct st_neverbleed_thread_data_t **thdata)
362 {
363 *exdata = RSA_get_ex_data(rsa, 0);
364 if (*exdata == NULL)
365 return;
366 *thdata = get_thread_data((*exdata)->nb);
367 }
368
369 static const size_t default_reserved_size = 8192;
370
371 struct key_slots {
372 size_t size;
373 size_t reserved_size;
374 /* bit array slots:
375 * 1-bit slot available
376 * 0-bit slot unavailable
377 */
378 uint8_t *bita_avail;
379 };
380
381 static struct {
382 struct {
383 pthread_mutex_t lock;
384 RSA **keys;
385 struct key_slots rsa_slots;
386 EC_KEY **ecdsa_keys;
387 struct key_slots ecdsa_slots;
388 } keys;
389 neverbleed_t *nb;
390 } daemon_vars = {{PTHREAD_MUTEX_INITIALIZER}};
391
daemon_get_rsa(size_t key_index)392 static RSA *daemon_get_rsa(size_t key_index)
393 {
394 RSA *rsa;
395
396 pthread_mutex_lock(&daemon_vars.keys.lock);
397 rsa = daemon_vars.keys.keys[key_index];
398 if (rsa)
399 RSA_up_ref(rsa);
400 pthread_mutex_unlock(&daemon_vars.keys.lock);
401
402 return rsa;
403 }
404
405 /*
406 * Returns an available slot in bit array B
407 * or if not found, returns SIZE_MAX
408 */
bita_ffirst(const uint8_t * b,const size_t tot,size_t bits)409 static size_t bita_ffirst(const uint8_t *b, const size_t tot, size_t bits)
410 {
411 if (bits >= tot)
412 return SIZE_MAX;
413
414 uint64_t w = *((uint64_t *) b);
415 /* __builtin_ffsll returns one plus the index of the least significant 1-bit, or zero if not found */
416 uint32_t r = __builtin_ffsll(w);
417 if (r)
418 return bits + r - 1; /* adjust result */
419
420 return bita_ffirst(&b[8], tot, bits + 64);
421 }
422
423 /*
424 * bit operation helpers for the bit-array in key_slots
425 */
426 #define BITMASK(b) (1 << ((b) % CHAR_BIT))
427 #define BITBYTE(b) ((b) / CHAR_BIT)
428 #define BITSET(a, b) ((a)[BITBYTE(b)] |= BITMASK(b))
429 #define BITUNSET(a, b) ((a)[BITBYTE(b)] &= ~BITMASK(b))
430 #define BITBYTES(nb) ((nb + CHAR_BIT - 1) / CHAR_BIT)
431 #define BITCHECK(a, b) ((a)[BITBYTE(b)] & BITMASK(b))
432
adjust_slots_reserved_size(int type,struct key_slots * slots)433 static void adjust_slots_reserved_size(int type, struct key_slots *slots)
434 {
435 #define ROUND2WORD(n) (n + 64 - 1 - (n + 64 - 1) % 64)
436 if (!slots->reserved_size || (slots->size >= slots->reserved_size)) {
437 size_t size = slots->reserved_size ? ROUND2WORD((size_t)(slots->reserved_size * 0.50) + slots->reserved_size)
438 : default_reserved_size;
439 #undef ROUND2WORD
440
441 switch (type) {
442 case NEVERBLEED_TYPE_RSA:
443 if ((daemon_vars.keys.keys = realloc(daemon_vars.keys.keys, sizeof(*daemon_vars.keys.keys) * size)) == NULL)
444 dief("no memory");
445 break;
446 case NEVERBLEED_TYPE_ECDSA:
447 if ((daemon_vars.keys.ecdsa_keys = realloc(daemon_vars.keys.ecdsa_keys, sizeof(*daemon_vars.keys.ecdsa_keys) * size)) == NULL)
448 dief("no memory");
449 break;
450 default:
451 dief("invalid type adjusting reserved");
452 }
453
454 uint8_t *b;
455 if ((b = realloc(slots->bita_avail, BITBYTES(size))) == NULL)
456 dief("no memory");
457
458 /* set all bits to 1 making all slots available */
459 memset(&b[BITBYTES(slots->reserved_size)], 0xff, BITBYTES(size - slots->reserved_size));
460
461 slots->bita_avail = b;
462 slots->reserved_size = size;
463 }
464 }
465
daemon_set_rsa(RSA * rsa)466 static size_t daemon_set_rsa(RSA *rsa)
467 {
468 pthread_mutex_lock(&daemon_vars.keys.lock);
469
470 adjust_slots_reserved_size(NEVERBLEED_TYPE_RSA, &daemon_vars.keys.rsa_slots);
471
472 size_t index = bita_ffirst(daemon_vars.keys.rsa_slots.bita_avail, daemon_vars.keys.rsa_slots.reserved_size, 0);
473
474 if (index == SIZE_MAX)
475 dief("no available slot for key");
476
477 /* set slot as unavailable */
478 BITUNSET(daemon_vars.keys.rsa_slots.bita_avail, index);
479
480 daemon_vars.keys.rsa_slots.size++;
481 daemon_vars.keys.keys[index] = rsa;
482 RSA_up_ref(rsa);
483 pthread_mutex_unlock(&daemon_vars.keys.lock);
484
485 return index;
486 }
487
priv_encdec_proxy(const char * cmd,int flen,const unsigned char * from,unsigned char * _to,RSA * rsa,int padding)488 static int priv_encdec_proxy(const char *cmd, int flen, const unsigned char *from, unsigned char *_to, RSA *rsa, int padding)
489 {
490 struct st_neverbleed_rsa_exdata_t *exdata;
491 struct st_neverbleed_thread_data_t *thdata;
492 struct expbuf_t buf = {NULL};
493 size_t ret;
494 unsigned char *to;
495 size_t tolen;
496
497 get_privsep_data(rsa, &exdata, &thdata);
498
499 expbuf_push_str(&buf, cmd);
500 expbuf_push_bytes(&buf, from, flen);
501 expbuf_push_num(&buf, exdata->key_index);
502 expbuf_push_num(&buf, padding);
503 if (expbuf_write(&buf, thdata->fd) != 0)
504 dief(errno != 0 ? "write error" : "connection closed by daemon");
505 expbuf_dispose(&buf);
506
507 if (expbuf_read(&buf, thdata->fd) != 0)
508 dief(errno != 0 ? "read error" : "connection closed by daemon");
509 if (expbuf_shift_num(&buf, &ret) != 0 || (to = expbuf_shift_bytes(&buf, &tolen)) == NULL) {
510 errno = 0;
511 dief("failed to parse response");
512 }
513 memcpy(_to, to, tolen);
514 expbuf_dispose(&buf);
515
516 return (int)ret;
517 }
518
priv_encdec_stub(const char * name,int (* func)(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding),struct expbuf_t * buf)519 static int priv_encdec_stub(const char *name,
520 int (*func)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
521 struct expbuf_t *buf)
522 {
523 unsigned char *from, to[4096];
524 size_t flen;
525 size_t key_index, padding;
526 RSA *rsa;
527 int ret;
528
529 if ((from = expbuf_shift_bytes(buf, &flen)) == NULL || expbuf_shift_num(buf, &key_index) != 0 ||
530 expbuf_shift_num(buf, &padding) != 0) {
531 errno = 0;
532 warnf("%s: failed to parse request", name);
533 return -1;
534 }
535 if ((rsa = daemon_get_rsa(key_index)) == NULL) {
536 errno = 0;
537 warnf("%s: invalid key index:%zu\n", name, key_index);
538 return -1;
539 }
540 ret = func((int)flen, from, to, rsa, (int)padding);
541 expbuf_dispose(buf);
542 RSA_free(rsa);
543
544 expbuf_push_num(buf, ret);
545 expbuf_push_bytes(buf, to, ret > 0 ? ret : 0);
546
547 return 0;
548 }
549
priv_enc_proxy(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)550 static int priv_enc_proxy(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
551 {
552 return priv_encdec_proxy("priv_enc", flen, from, to, rsa, padding);
553 }
554
priv_enc_stub(struct expbuf_t * buf)555 static int priv_enc_stub(struct expbuf_t *buf)
556 {
557 return priv_encdec_stub(__FUNCTION__, RSA_private_encrypt, buf);
558 }
559
priv_dec_proxy(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)560 static int priv_dec_proxy(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
561 {
562 return priv_encdec_proxy("priv_dec", flen, from, to, rsa, padding);
563 }
564
priv_dec_stub(struct expbuf_t * buf)565 static int priv_dec_stub(struct expbuf_t *buf)
566 {
567 return priv_encdec_stub(__FUNCTION__, RSA_private_decrypt, buf);
568 }
569
sign_proxy(int type,const unsigned char * m,unsigned int m_len,unsigned char * _sigret,unsigned * _siglen,const RSA * rsa)570 static int sign_proxy(int type, const unsigned char *m, unsigned int m_len, unsigned char *_sigret, unsigned *_siglen,
571 const RSA *rsa)
572 {
573 struct st_neverbleed_rsa_exdata_t *exdata;
574 struct st_neverbleed_thread_data_t *thdata;
575 struct expbuf_t buf = {NULL};
576 size_t ret, siglen;
577 unsigned char *sigret;
578
579 get_privsep_data(rsa, &exdata, &thdata);
580
581 expbuf_push_str(&buf, "sign");
582 expbuf_push_num(&buf, type);
583 expbuf_push_bytes(&buf, m, m_len);
584 expbuf_push_num(&buf, exdata->key_index);
585 if (expbuf_write(&buf, thdata->fd) != 0)
586 dief(errno != 0 ? "write error" : "connection closed by daemon");
587 expbuf_dispose(&buf);
588
589 if (expbuf_read(&buf, thdata->fd) != 0)
590 dief(errno != 0 ? "read error" : "connection closed by daemon");
591 if (expbuf_shift_num(&buf, &ret) != 0 || (sigret = expbuf_shift_bytes(&buf, &siglen)) == NULL) {
592 errno = 0;
593 dief("failed to parse response");
594 }
595 memcpy(_sigret, sigret, siglen);
596 *_siglen = (unsigned)siglen;
597 expbuf_dispose(&buf);
598
599 return (int)ret;
600 }
601
sign_stub(struct expbuf_t * buf)602 static int sign_stub(struct expbuf_t *buf)
603 {
604 unsigned char *m, sigret[4096];
605 size_t type, m_len, key_index;
606 RSA *rsa;
607 unsigned siglen = 0;
608 int ret;
609
610 if (expbuf_shift_num(buf, &type) != 0 || (m = expbuf_shift_bytes(buf, &m_len)) == NULL ||
611 expbuf_shift_num(buf, &key_index) != 0) {
612 errno = 0;
613 warnf("%s: failed to parse request", __FUNCTION__);
614 return -1;
615 }
616 if ((rsa = daemon_get_rsa(key_index)) == NULL) {
617 errno = 0;
618 warnf("%s: invalid key index:%zu", __FUNCTION__, key_index);
619 return -1;
620 }
621 ret = RSA_sign((int)type, m, (unsigned)m_len, sigret, &siglen, rsa);
622 expbuf_dispose(buf);
623 RSA_free(rsa);
624
625 expbuf_push_num(buf, ret);
626 expbuf_push_bytes(buf, sigret, ret == 1 ? siglen : 0);
627
628 return 0;
629 }
630
631 #if !OPENSSL_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)
632
RSA_get0_key(const RSA * rsa,const BIGNUM ** n,const BIGNUM ** e,const BIGNUM ** d)633 static void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
634 {
635 if (n) {
636 *n = rsa->n;
637 }
638
639 if (e) {
640 *e = rsa->e;
641 }
642
643 if (d) {
644 *d = rsa->d;
645 }
646 }
647
RSA_set0_key(RSA * rsa,BIGNUM * n,BIGNUM * e,BIGNUM * d)648 static int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
649 {
650 if (n == NULL || e == NULL) {
651 return 0;
652 }
653
654 BN_free(rsa->n);
655 BN_free(rsa->e);
656 BN_free(rsa->d);
657 rsa->n = n;
658 rsa->e = e;
659 rsa->d = d;
660
661 return 1;
662 }
663
RSA_set_flags(RSA * r,int flags)664 static void RSA_set_flags(RSA *r, int flags)
665 {
666 r->flags |= flags;
667 }
668 #endif
669
create_pkey(neverbleed_t * nb,size_t key_index,const char * ebuf,const char * nbuf)670 static EVP_PKEY *create_pkey(neverbleed_t *nb, size_t key_index, const char *ebuf, const char *nbuf)
671 {
672 struct st_neverbleed_rsa_exdata_t *exdata;
673 RSA *rsa;
674 EVP_PKEY *pkey;
675 BIGNUM *e = NULL, *n = NULL;
676
677 if ((exdata = malloc(sizeof(*exdata))) == NULL) {
678 fprintf(stderr, "no memory\n");
679 abort();
680 }
681 exdata->nb = nb;
682 exdata->key_index = key_index;
683
684 rsa = RSA_new_method(nb->engine);
685 RSA_set_ex_data(rsa, 0, exdata);
686 if (BN_hex2bn(&e, ebuf) == 0) {
687 fprintf(stderr, "failed to parse e:%s\n", ebuf);
688 abort();
689 }
690 if (BN_hex2bn(&n, nbuf) == 0) {
691 fprintf(stderr, "failed to parse n:%s\n", nbuf);
692 abort();
693 }
694 RSA_set0_key(rsa, n, e, NULL);
695 RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY);
696
697 pkey = EVP_PKEY_new();
698 EVP_PKEY_set1_RSA(pkey, rsa);
699 RSA_free(rsa);
700
701 return pkey;
702 }
703
704 #if OPENSSL_1_1_API
705
daemon_get_ecdsa(size_t key_index)706 static EC_KEY *daemon_get_ecdsa(size_t key_index)
707 {
708 EC_KEY *ec_key;
709
710 pthread_mutex_lock(&daemon_vars.keys.lock);
711 ec_key = daemon_vars.keys.ecdsa_keys[key_index];
712 if (ec_key)
713 EC_KEY_up_ref(ec_key);
714 pthread_mutex_unlock(&daemon_vars.keys.lock);
715
716 return ec_key;
717 }
718
daemon_set_ecdsa(EC_KEY * ec_key)719 static size_t daemon_set_ecdsa(EC_KEY *ec_key)
720 {
721 pthread_mutex_lock(&daemon_vars.keys.lock);
722
723 adjust_slots_reserved_size(NEVERBLEED_TYPE_ECDSA, &daemon_vars.keys.ecdsa_slots);
724
725 size_t index = bita_ffirst(daemon_vars.keys.ecdsa_slots.bita_avail, daemon_vars.keys.ecdsa_slots.reserved_size, 0);
726
727 if (index == SIZE_MAX)
728 dief("no available slot for key");
729
730 /* set slot as unavailable */
731 BITUNSET(daemon_vars.keys.ecdsa_slots.bita_avail, index);
732
733 daemon_vars.keys.ecdsa_slots.size++;
734 daemon_vars.keys.ecdsa_keys[index] = ec_key;
735 EC_KEY_up_ref(ec_key);
736 pthread_mutex_unlock(&daemon_vars.keys.lock);
737
738 return index;
739 }
740
ecdsa_sign_stub(struct expbuf_t * buf)741 static int ecdsa_sign_stub(struct expbuf_t *buf)
742 {
743 unsigned char *m, sigret[4096];
744 size_t type, m_len, key_index;
745 EC_KEY *ec_key;
746 unsigned siglen = 0;
747 int ret;
748
749 if (expbuf_shift_num(buf, &type) != 0 || (m = expbuf_shift_bytes(buf, &m_len)) == NULL ||
750 expbuf_shift_num(buf, &key_index) != 0) {
751 errno = 0;
752 warnf("%s: failed to parse request", __FUNCTION__);
753 return -1;
754 }
755 if ((ec_key = daemon_get_ecdsa(key_index)) == NULL) {
756 errno = 0;
757 warnf("%s: invalid key index:%zu", __FUNCTION__, key_index);
758 return -1;
759 }
760
761 ret = ECDSA_sign((int)type, m, (unsigned)m_len, sigret, &siglen, ec_key);
762 expbuf_dispose(buf);
763
764 EC_KEY_free(ec_key);
765
766 expbuf_push_num(buf, ret);
767 expbuf_push_bytes(buf, sigret, ret == 1 ? siglen : 0);
768
769 return 0;
770 }
771
ecdsa_get_privsep_data(const EC_KEY * ec_key,struct st_neverbleed_rsa_exdata_t ** exdata,struct st_neverbleed_thread_data_t ** thdata)772 static void ecdsa_get_privsep_data(const EC_KEY *ec_key, struct st_neverbleed_rsa_exdata_t **exdata,
773 struct st_neverbleed_thread_data_t **thdata)
774 {
775 *exdata = EC_KEY_get_ex_data(ec_key, 0);
776 if (*exdata == NULL)
777 return;
778 *thdata = get_thread_data((*exdata)->nb);
779 }
780
ecdsa_sign_proxy(int type,const unsigned char * m,int m_len,unsigned char * _sigret,unsigned int * _siglen,const BIGNUM * kinv,const BIGNUM * rp,EC_KEY * ec_key)781 static int ecdsa_sign_proxy(int type, const unsigned char *m, int m_len, unsigned char *_sigret, unsigned int *_siglen,
782 const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *ec_key)
783 {
784 struct st_neverbleed_rsa_exdata_t *exdata;
785 struct st_neverbleed_thread_data_t *thdata;
786 struct expbuf_t buf = {};
787 size_t ret, siglen;
788 unsigned char *sigret;
789
790 ecdsa_get_privsep_data(ec_key, &exdata, &thdata);
791
792 /* as far as I've tested so far, kinv and rp are always NULL.
793 Looks like setup_sign will precompute this, but it is only
794 called sign_sig, and it seems to be not used in TLS ECDSA */
795 if (kinv != NULL || rp != NULL) {
796 errno = 0;
797 dief("unexpected non-NULL kinv and rp");
798 }
799
800 expbuf_push_str(&buf, "ecdsa_sign");
801 expbuf_push_num(&buf, type);
802 expbuf_push_bytes(&buf, m, m_len);
803 expbuf_push_num(&buf, exdata->key_index);
804 if (expbuf_write(&buf, thdata->fd) != 0)
805 dief(errno != 0 ? "write error" : "connection closed by daemon");
806 expbuf_dispose(&buf);
807
808 if (expbuf_read(&buf, thdata->fd) != 0)
809 dief(errno != 0 ? "read error" : "connection closed by daemon");
810 if (expbuf_shift_num(&buf, &ret) != 0 || (sigret = expbuf_shift_bytes(&buf, &siglen)) == NULL) {
811 errno = 0;
812 dief("failed to parse response");
813 }
814 memcpy(_sigret, sigret, siglen);
815 *_siglen = (unsigned)siglen;
816 expbuf_dispose(&buf);
817
818 return (int)ret;
819 }
820
ecdsa_create_pkey(neverbleed_t * nb,size_t key_index,int curve_name,const char * ec_pubkeybuf)821 static EVP_PKEY *ecdsa_create_pkey(neverbleed_t *nb, size_t key_index, int curve_name, const char *ec_pubkeybuf)
822 {
823 struct st_neverbleed_rsa_exdata_t *exdata;
824 EC_KEY *ec_key;
825 EC_GROUP *ec_group;
826 BIGNUM *ec_pubkeybn = NULL;
827 EC_POINT *ec_pubkey;
828 EVP_PKEY *pkey;
829
830 if ((exdata = malloc(sizeof(*exdata))) == NULL) {
831 fprintf(stderr, "no memory\n");
832 abort();
833 }
834 exdata->nb = nb;
835 exdata->key_index = key_index;
836
837 ec_key = EC_KEY_new_method(nb->engine);
838 EC_KEY_set_ex_data(ec_key, 0, exdata);
839
840 ec_group = EC_GROUP_new_by_curve_name(curve_name);
841 if (!ec_group) {
842 fprintf(stderr, "could not create EC_GROUP\n");
843 abort();
844 }
845
846 EC_KEY_set_group(ec_key, ec_group);
847
848 if (BN_hex2bn(&ec_pubkeybn, ec_pubkeybuf) == 0) {
849 fprintf(stderr, "failed to parse ECDSA ephemeral public key:%s\n", ec_pubkeybuf);
850 abort();
851 }
852
853 if ((ec_pubkey = EC_POINT_bn2point(ec_group, ec_pubkeybn, NULL, NULL)) == NULL) {
854 fprintf(stderr, "failed to get ECDSA ephemeral public key from BIGNUM\n");
855 abort();
856 }
857
858 EC_KEY_set_public_key(ec_key, ec_pubkey);
859
860 pkey = EVP_PKEY_new();
861 EVP_PKEY_set1_EC_KEY(pkey, ec_key);
862
863 EC_POINT_free(ec_pubkey);
864 BN_free(ec_pubkeybn);
865 EC_GROUP_free(ec_group);
866 EC_KEY_free(ec_key);
867
868 return pkey;
869 }
870
priv_ecdsa_finish(EC_KEY * key)871 static void priv_ecdsa_finish(EC_KEY *key)
872 {
873 struct st_neverbleed_rsa_exdata_t *exdata;
874 struct st_neverbleed_thread_data_t *thdata;
875
876 ecdsa_get_privsep_data(key, &exdata, &thdata);
877 if (exdata == NULL)
878 return;
879
880 struct expbuf_t buf = {NULL};
881 size_t ret;
882
883 expbuf_push_str(&buf, "del_ecdsa_key");
884 expbuf_push_num(&buf, exdata->key_index);
885 if (expbuf_write(&buf, thdata->fd) != 0)
886 dief(errno != 0 ? "write error" : "connection closed by daemon");
887 expbuf_dispose(&buf);
888
889 if (expbuf_read(&buf, thdata->fd) != 0)
890 dief(errno != 0 ? "read error" : "connection closed by daemon");
891 if (expbuf_shift_num(&buf, &ret) != 0) {
892 errno = 0;
893 dief("failed to parse response");
894 }
895 expbuf_dispose(&buf);
896 }
897
del_ecdsa_key_stub(struct expbuf_t * buf)898 static int del_ecdsa_key_stub(struct expbuf_t *buf)
899 {
900 size_t key_index;
901 int ret = 0;
902
903 if (expbuf_shift_num(buf, &key_index) != 0) {
904 errno = 0;
905 warnf("%s: failed to parse request", __FUNCTION__);
906 return -1;
907 }
908
909 if (!daemon_vars.keys.ecdsa_keys || key_index >= daemon_vars.keys.ecdsa_slots.reserved_size) {
910 errno = 0;
911 warnf("%s: invalid key index %zu", __FUNCTION__, key_index);
912 goto respond;
913 }
914
915 if (BITCHECK(daemon_vars.keys.ecdsa_slots.bita_avail, key_index)) {
916 warnf("%s: index not in use %zu", __FUNCTION__, key_index);
917 goto respond;
918 }
919
920 pthread_mutex_lock(&daemon_vars.keys.lock);
921 /* set slot as available */
922 BITSET(daemon_vars.keys.ecdsa_slots.bita_avail, key_index);
923 daemon_vars.keys.ecdsa_slots.size--;
924 EC_KEY_free(daemon_vars.keys.ecdsa_keys[key_index]);
925 daemon_vars.keys.ecdsa_keys[key_index] = NULL;
926 pthread_mutex_unlock(&daemon_vars.keys.lock);
927
928 ret = 1;
929
930 respond:
931 expbuf_dispose(buf);
932 expbuf_push_num(buf, ret);
933 return 0;
934 }
935
936 #endif
937
neverbleed_load_private_key_file(neverbleed_t * nb,SSL_CTX * ctx,const char * fn,char * errbuf)938 int neverbleed_load_private_key_file(neverbleed_t *nb, SSL_CTX *ctx, const char *fn, char *errbuf)
939 {
940 struct st_neverbleed_thread_data_t *thdata = get_thread_data(nb);
941 struct expbuf_t buf = {NULL};
942 int ret = 1;
943 size_t index, type;
944 EVP_PKEY *pkey;
945
946 expbuf_push_str(&buf, "load_key");
947 expbuf_push_str(&buf, fn);
948 if (expbuf_write(&buf, thdata->fd) != 0)
949 dief(errno != 0 ? "write error" : "connection closed by daemon");
950 expbuf_dispose(&buf);
951
952 if (expbuf_read(&buf, thdata->fd) != 0)
953 dief(errno != 0 ? "read error" : "connection closed by daemon");
954 if (expbuf_shift_num(&buf, &type) != 0 || expbuf_shift_num(&buf, &index) != 0) {
955 errno = 0;
956 dief("failed to parse response");
957 }
958
959 switch (type) {
960 case NEVERBLEED_TYPE_RSA: {
961 char *estr, *nstr;
962
963 if ((estr = expbuf_shift_str(&buf)) == NULL || (nstr = expbuf_shift_str(&buf)) == NULL) {
964 errno = 0;
965 dief("failed to parse response");
966 }
967 pkey = create_pkey(nb, index, estr, nstr);
968 break;
969 }
970 #if OPENSSL_1_1_API
971 case NEVERBLEED_TYPE_ECDSA: {
972 char *ec_pubkeystr;
973 size_t curve_name;
974
975 if (expbuf_shift_num(&buf, &curve_name) != 0 || (ec_pubkeystr = expbuf_shift_str(&buf)) == NULL) {
976 errno = 0;
977 dief("failed to parse response");
978 }
979 pkey = ecdsa_create_pkey(nb, index, curve_name, ec_pubkeystr);
980 break;
981 }
982 #endif
983 default: {
984 char *errstr;
985
986 if ((errstr = expbuf_shift_str(&buf)) == NULL) {
987 errno = 0;
988 dief("failed to parse response");
989 }
990
991 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "%s", errstr);
992 return -1;
993 }
994 }
995
996 expbuf_dispose(&buf);
997
998 /* success */
999 if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
1000 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "SSL_CTX_use_PrivateKey failed");
1001 ret = 0;
1002 }
1003
1004 EVP_PKEY_free(pkey);
1005 return ret;
1006 }
1007
load_key_stub(struct expbuf_t * buf)1008 static int load_key_stub(struct expbuf_t *buf)
1009 {
1010 char *fn;
1011 FILE *fp = NULL;
1012 RSA *rsa = NULL;
1013 size_t key_index = SIZE_MAX;
1014 char *estr = NULL, *nstr = NULL, errbuf[NEVERBLEED_ERRBUF_SIZE] = "";
1015 size_t type = NEVERBLEED_TYPE_ERROR;
1016 EVP_PKEY *pkey = NULL;
1017 const EC_GROUP *ec_group;
1018 BIGNUM *ec_pubkeybn = NULL;
1019 char *ec_pubkeystr = NULL;
1020
1021 if ((fn = expbuf_shift_str(buf)) == NULL) {
1022 warnf("%s: failed to parse request", __FUNCTION__);
1023 return -1;
1024 }
1025
1026 if ((fp = fopen(fn, "rt")) == NULL) {
1027 strerror_r(errno, errbuf, sizeof(errbuf));
1028 goto Respond;
1029 }
1030
1031 if ((pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)) == NULL) {
1032 snprintf(errbuf, sizeof(errbuf), "failed to parse the private key");
1033 goto Respond;
1034 }
1035
1036 switch (EVP_PKEY_base_id(pkey)) {
1037 case EVP_PKEY_RSA: {
1038 const BIGNUM *e, *n;
1039
1040 rsa = EVP_PKEY_get1_RSA(pkey);
1041 type = NEVERBLEED_TYPE_RSA;
1042 key_index = daemon_set_rsa(rsa);
1043 RSA_get0_key(rsa, &n, &e, NULL);
1044 estr = BN_bn2hex(e);
1045 nstr = BN_bn2hex(n);
1046 break;
1047 }
1048 case EVP_PKEY_EC: {
1049 #if OPENSSL_1_1_API
1050 const EC_POINT *ec_pubkey;
1051 EC_KEY *ec_key;
1052
1053 ec_key = EVP_PKEY_get0_EC_KEY(pkey);
1054 type = NEVERBLEED_TYPE_ECDSA;
1055 key_index = daemon_set_ecdsa(ec_key);
1056 ec_group = EC_KEY_get0_group(ec_key);
1057 ec_pubkey = EC_KEY_get0_public_key(ec_key);
1058 ec_pubkeybn = BN_new();
1059 if (!EC_POINT_point2bn(ec_group, ec_pubkey, POINT_CONVERSION_COMPRESSED, ec_pubkeybn, NULL)) {
1060 type = NEVERBLEED_TYPE_ERROR;
1061 snprintf(errbuf, sizeof(errbuf), "failed to convert ECDSA public key to BIGNUM");
1062 goto Respond;
1063 }
1064 ec_pubkeystr = BN_bn2hex(ec_pubkeybn);
1065 break;
1066 #else
1067 snprintf(errbuf, sizeof(errbuf), "ECDSA support requires OpenSSL >= 1.1.0");
1068 goto Respond;
1069 #endif
1070 }
1071 default:
1072 snprintf(errbuf, sizeof(errbuf), "unsupported private key: %d", EVP_PKEY_base_id(pkey));
1073 goto Respond;
1074 }
1075
1076 Respond:
1077 expbuf_dispose(buf);
1078 expbuf_push_num(buf, type);
1079 expbuf_push_num(buf, key_index);
1080 switch (type) {
1081 case NEVERBLEED_TYPE_RSA:
1082 expbuf_push_str(buf, estr != NULL ? estr : "");
1083 expbuf_push_str(buf, nstr != NULL ? nstr : "");
1084 break;
1085 case NEVERBLEED_TYPE_ECDSA:
1086 expbuf_push_num(buf, EC_GROUP_get_curve_name(ec_group));
1087 expbuf_push_str(buf, ec_pubkeystr);
1088 break;
1089 default:
1090 expbuf_push_str(buf, errbuf);
1091 }
1092 if (rsa != NULL)
1093 RSA_free(rsa);
1094 if (pkey != NULL)
1095 EVP_PKEY_free(pkey);
1096 if (estr != NULL)
1097 OPENSSL_free(estr);
1098 if (nstr != NULL)
1099 OPENSSL_free(nstr);
1100 if (ec_pubkeystr != NULL)
1101 OPENSSL_free(ec_pubkeystr);
1102 if (ec_pubkeybn != NULL)
1103 BN_free(ec_pubkeybn);
1104 if (fp != NULL)
1105 fclose(fp);
1106
1107 return 0;
1108 }
1109
neverbleed_setuidgid(neverbleed_t * nb,const char * user,int change_socket_ownership)1110 int neverbleed_setuidgid(neverbleed_t *nb, const char *user, int change_socket_ownership)
1111 {
1112 struct st_neverbleed_thread_data_t *thdata = get_thread_data(nb);
1113 struct expbuf_t buf = {NULL};
1114 size_t ret;
1115
1116 expbuf_push_str(&buf, "setuidgid");
1117 expbuf_push_str(&buf, user);
1118 expbuf_push_num(&buf, change_socket_ownership);
1119 if (expbuf_write(&buf, thdata->fd) != 0)
1120 dief(errno != 0 ? "write error" : "connection closed by daemon");
1121 expbuf_dispose(&buf);
1122
1123 if (expbuf_read(&buf, thdata->fd) != 0)
1124 dief(errno != 0 ? "read error" : "connection closed by daemon");
1125 if (expbuf_shift_num(&buf, &ret) != 0) {
1126 errno = 0;
1127 dief("failed to parse response");
1128 }
1129 expbuf_dispose(&buf);
1130
1131 return (int)ret;
1132 }
1133
setuidgid_stub(struct expbuf_t * buf)1134 static int setuidgid_stub(struct expbuf_t *buf)
1135 {
1136 const char *user;
1137 size_t change_socket_ownership;
1138 struct passwd pwbuf, *pw;
1139 char pwstrbuf[65536]; /* should be large enough */
1140 int ret = -1;
1141
1142 if ((user = expbuf_shift_str(buf)) == NULL || expbuf_shift_num(buf, &change_socket_ownership) != 0) {
1143 errno = 0;
1144 warnf("%s: failed to parse request", __FUNCTION__);
1145 return -1;
1146 }
1147
1148 errno = 0;
1149 if (getpwnam_r(user, &pwbuf, pwstrbuf, sizeof(pwstrbuf), &pw) != 0) {
1150 warnf("%s: getpwnam_r failed", __FUNCTION__);
1151 goto Respond;
1152 }
1153 if (pw == NULL) {
1154 warnf("%s: failed to obtain information of user:%s", __FUNCTION__, user);
1155 goto Respond;
1156 }
1157
1158 if (change_socket_ownership) {
1159 char *dir;
1160 if (chown(daemon_vars.nb->sun_.sun_path, pw->pw_uid, pw->pw_gid) != 0)
1161 dief("chown failed for:%s", daemon_vars.nb->sun_.sun_path);
1162 dir = dirname(daemon_vars.nb->sun_.sun_path);
1163 if (chown(dir, pw->pw_uid, pw->pw_gid) != 0)
1164 dief("chown failed for:%s", dir);
1165 free(dir);
1166 }
1167
1168 /* setuidgid */
1169 if (setgid(pw->pw_gid) != 0) {
1170 warnf("%s: setgid(%d) failed", __FUNCTION__, (int)pw->pw_gid);
1171 goto Respond;
1172 }
1173 if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
1174 warnf("%s: initgroups(%s, %d) failed", __FUNCTION__, pw->pw_name, (int)pw->pw_gid);
1175 goto Respond;
1176 }
1177 if (setuid(pw->pw_uid) != 0) {
1178 warnf("%s: setuid(%d) failed\n", __FUNCTION__, (int)pw->pw_uid);
1179 goto Respond;
1180 }
1181 ret = 0;
1182
1183 Respond:
1184 expbuf_dispose(buf);
1185 expbuf_push_num(buf, ret);
1186 return 0;
1187 }
1188
daemon_close_notify_thread(void * _close_notify_fd)1189 __attribute__((noreturn)) static void *daemon_close_notify_thread(void *_close_notify_fd)
1190 {
1191 int close_notify_fd = (int)((char *)_close_notify_fd - (char *)NULL);
1192 char b;
1193 ssize_t r;
1194
1195 Redo:
1196 r = read(close_notify_fd, &b, 1);
1197 if (r == -1 && errno == EINTR)
1198 goto Redo;
1199 if (r > 0)
1200 goto Redo;
1201 /* close or error */
1202
1203 /* unlink the temporary directory and socket file */
1204 unlink_dir(dirname(daemon_vars.nb->sun_.sun_path));
1205
1206 _exit(0);
1207 }
1208
1209 static int (*rsa_finish)(RSA *rsa);
1210
priv_rsa_finish(RSA * rsa)1211 static int priv_rsa_finish(RSA *rsa)
1212 {
1213 struct st_neverbleed_rsa_exdata_t *exdata;
1214 struct st_neverbleed_thread_data_t *thdata;
1215
1216 get_privsep_data(rsa, &exdata, &thdata);
1217
1218 rsa_finish(rsa);
1219
1220 if (exdata == NULL)
1221 return 1;
1222
1223 struct expbuf_t buf = {NULL};
1224 size_t ret;
1225
1226 expbuf_push_str(&buf, "del_rsa_key");
1227 expbuf_push_num(&buf, exdata->key_index);
1228 if (expbuf_write(&buf, thdata->fd) != 0)
1229 dief(errno != 0 ? "write error" : "connection closed by daemon");
1230 expbuf_dispose(&buf);
1231
1232 if (expbuf_read(&buf, thdata->fd) != 0)
1233 dief(errno != 0 ? "read error" : "connection closed by daemon");
1234 if (expbuf_shift_num(&buf, &ret) != 0) {
1235 errno = 0;
1236 dief("failed to parse response");
1237 }
1238 expbuf_dispose(&buf);
1239
1240 return (int)ret;
1241 }
1242
del_rsa_key_stub(struct expbuf_t * buf)1243 static int del_rsa_key_stub(struct expbuf_t *buf)
1244 {
1245 size_t key_index;
1246
1247 int ret = 0;
1248
1249 if (expbuf_shift_num(buf, &key_index) != 0) {
1250 errno = 0;
1251 warnf("%s: failed to parse request", __FUNCTION__);
1252 return -1;
1253 }
1254
1255 if (!daemon_vars.keys.keys || key_index >= daemon_vars.keys.rsa_slots.reserved_size) {
1256 errno = 0;
1257 warnf("%s: invalid key index %zu", __FUNCTION__, key_index);
1258 goto respond;
1259 }
1260
1261 if (BITCHECK(daemon_vars.keys.rsa_slots.bita_avail, key_index)) {
1262 warnf("%s: index not in use %zu", __FUNCTION__, key_index);
1263 goto respond;
1264 }
1265
1266 pthread_mutex_lock(&daemon_vars.keys.lock);
1267 /* set slot as available */
1268 BITSET(daemon_vars.keys.rsa_slots.bita_avail, key_index);
1269 daemon_vars.keys.rsa_slots.size--;
1270 RSA_free(daemon_vars.keys.keys[key_index]);
1271 daemon_vars.keys.keys[key_index] = NULL;
1272 pthread_mutex_unlock(&daemon_vars.keys.lock);
1273
1274 ret = 1;
1275
1276 respond:
1277 expbuf_dispose(buf);
1278 expbuf_push_num(buf, ret);
1279 return 0;
1280 }
1281
daemon_conn_thread(void * _sock_fd)1282 static void *daemon_conn_thread(void *_sock_fd)
1283 {
1284 int sock_fd = (int)((char *)_sock_fd - (char *)NULL);
1285 struct expbuf_t buf = {NULL};
1286 unsigned char auth_token[NEVERBLEED_AUTH_TOKEN_SIZE];
1287
1288 /* authenticate */
1289 if (read_nbytes(sock_fd, &auth_token, sizeof(auth_token)) != 0) {
1290 warnf("failed to receive authencication token from client");
1291 goto Exit;
1292 }
1293 if (memcmp(auth_token, daemon_vars.nb->auth_token, NEVERBLEED_AUTH_TOKEN_SIZE) != 0) {
1294 warnf("client authentication failed");
1295 goto Exit;
1296 }
1297
1298 while (1) {
1299 char *cmd;
1300 if (expbuf_read(&buf, sock_fd) != 0) {
1301 if (errno != 0)
1302 warnf("read error");
1303 break;
1304 }
1305 if ((cmd = expbuf_shift_str(&buf)) == NULL) {
1306 errno = 0;
1307 warnf("failed to parse request");
1308 break;
1309 }
1310 if (strcmp(cmd, "priv_enc") == 0) {
1311 if (priv_enc_stub(&buf) != 0)
1312 break;
1313 } else if (strcmp(cmd, "priv_dec") == 0) {
1314 if (priv_dec_stub(&buf) != 0)
1315 break;
1316 } else if (strcmp(cmd, "sign") == 0) {
1317 if (sign_stub(&buf) != 0)
1318 break;
1319 #if OPENSSL_1_1_API
1320 } else if (strcmp(cmd, "ecdsa_sign") == 0) {
1321 if (ecdsa_sign_stub(&buf) != 0)
1322 break;
1323 } else if (strcmp(cmd, "del_ecdsa_key") == 0) {
1324 if (del_ecdsa_key_stub(&buf) != 0)
1325 break;
1326 #endif
1327 } else if (strcmp(cmd, "load_key") == 0) {
1328 if (load_key_stub(&buf) != 0)
1329 break;
1330 } else if (strcmp(cmd, "del_rsa_key") == 0) {
1331 if (del_rsa_key_stub(&buf) != 0)
1332 break;
1333 } else if (strcmp(cmd, "setuidgid") == 0) {
1334 if (setuidgid_stub(&buf) != 0)
1335 break;
1336 } else {
1337 warnf("unknown command:%s", cmd);
1338 break;
1339 }
1340 if (expbuf_write(&buf, sock_fd) != 0) {
1341 warnf(errno != 0 ? "write error" : "connection closed by client");
1342 break;
1343 }
1344 expbuf_dispose(&buf);
1345 }
1346
1347 Exit:
1348 expbuf_dispose(&buf);
1349 close(sock_fd);
1350
1351 return NULL;
1352 }
1353
daemon_main(int listen_fd,int close_notify_fd,const char * tempdir)1354 __attribute__((noreturn)) static void daemon_main(int listen_fd, int close_notify_fd, const char *tempdir)
1355 {
1356 pthread_t tid;
1357 pthread_attr_t thattr;
1358 int sock_fd;
1359
1360 { /* close all descriptors (except STDIN, STDOUT, STRERR, listen_fd, close_notify_fd) */
1361 int fd = (int)sysconf(_SC_OPEN_MAX) - 1;
1362 for (; fd > 2; --fd) {
1363 if (fd == listen_fd || fd == close_notify_fd)
1364 continue;
1365 close(fd);
1366 }
1367 }
1368
1369 pthread_attr_init(&thattr);
1370 pthread_attr_setdetachstate(&thattr, 1);
1371
1372 if (pthread_create(&tid, &thattr, daemon_close_notify_thread, (char *)NULL + close_notify_fd) != 0)
1373 dief("pthread_create failed");
1374
1375 while (1) {
1376 while ((sock_fd = accept(listen_fd, NULL, NULL)) == -1)
1377 ;
1378 if (pthread_create(&tid, &thattr, daemon_conn_thread, (char *)NULL + sock_fd) != 0)
1379 dief("pthread_create failed");
1380 }
1381 }
1382
1383 #if !OPENSSL_1_1_API
1384
1385 static RSA_METHOD static_rsa_method = {
1386 "privsep RSA method", /* name */
1387 NULL, /* rsa_pub_enc */
1388 NULL, /* rsa_pub_dec */
1389 priv_enc_proxy, /* rsa_priv_enc */
1390 priv_dec_proxy, /* rsa_priv_dec */
1391 NULL, /* rsa_mod_exp */
1392 NULL, /* bn_mod_exp */
1393 NULL, /* init */
1394 priv_rsa_finish, /* finish */
1395 RSA_FLAG_SIGN_VER, /* flags */
1396 NULL, /* app data */
1397 sign_proxy, /* rsa_sign */
1398 NULL, /* rsa_verify */
1399 NULL /* rsa_keygen */
1400 };
1401
1402 #endif
1403
neverbleed_init(neverbleed_t * nb,char * errbuf)1404 int neverbleed_init(neverbleed_t *nb, char *errbuf)
1405 {
1406 int pipe_fds[2] = {-1, -1}, listen_fd = -1;
1407 char *tempdir = NULL;
1408 #if OPENSSL_1_1_API
1409 const RSA_METHOD *default_method = RSA_PKCS1_OpenSSL();
1410 EC_KEY_METHOD *ecdsa_method;
1411 const EC_KEY_METHOD *ecdsa_default_method;
1412 RSA_METHOD *rsa_method = RSA_meth_dup(RSA_PKCS1_OpenSSL());
1413
1414 rsa_finish = RSA_meth_get_finish(rsa_method);
1415
1416 RSA_meth_set1_name(rsa_method, "privsep RSA method");
1417 RSA_meth_set_priv_enc(rsa_method, priv_enc_proxy);
1418 RSA_meth_set_priv_dec(rsa_method, priv_dec_proxy);
1419 RSA_meth_set_sign(rsa_method, sign_proxy);
1420 RSA_meth_set_finish(rsa_method, priv_rsa_finish);
1421
1422 /* setup EC_KEY_METHOD for ECDSA */
1423 ecdsa_default_method = EC_KEY_get_default_method();
1424 ecdsa_method = EC_KEY_METHOD_new(ecdsa_default_method);
1425
1426 /* it seems sign_sig and sign_setup is not used in TLS ECDSA. */
1427 EC_KEY_METHOD_set_sign(ecdsa_method, ecdsa_sign_proxy, NULL, NULL);
1428 EC_KEY_METHOD_set_init(ecdsa_method, NULL, priv_ecdsa_finish, NULL, NULL, NULL, NULL);
1429 #else
1430 const RSA_METHOD *default_method = RSA_PKCS1_SSLeay();
1431 RSA_METHOD *rsa_method = &static_rsa_method;
1432
1433 rsa_finish = default_method->finish;
1434
1435 rsa_method->rsa_pub_enc = default_method->rsa_pub_enc;
1436 rsa_method->rsa_pub_dec = default_method->rsa_pub_dec;
1437 rsa_method->rsa_verify = default_method->rsa_verify;
1438 rsa_method->bn_mod_exp = default_method->bn_mod_exp;
1439 #endif
1440
1441 /* setup the daemon */
1442 if (pipe(pipe_fds) != 0) {
1443 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "pipe(2) failed:%s", strerror(errno));
1444 goto Fail;
1445 }
1446 set_cloexec(pipe_fds[1]);
1447 if ((tempdir = strdup("/tmp/openssl-privsep.XXXXXX")) == NULL) {
1448 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "no memory");
1449 goto Fail;
1450 }
1451 if (mkdtemp(tempdir) == NULL) {
1452 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to create temporary directory under /tmp:%s", strerror(errno));
1453 goto Fail;
1454 }
1455 memset(&nb->sun_, 0, sizeof(nb->sun_));
1456 nb->sun_.sun_family = AF_UNIX;
1457 snprintf(nb->sun_.sun_path, sizeof(nb->sun_.sun_path), "%s/_", tempdir);
1458 RAND_bytes(nb->auth_token, sizeof(nb->auth_token));
1459 if ((listen_fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) {
1460 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "socket(2) failed:%s", strerror(errno));
1461 goto Fail;
1462 }
1463 if (bind(listen_fd, (void *)&nb->sun_, sizeof(nb->sun_)) != 0) {
1464 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to bind to %s:%s", nb->sun_.sun_path, strerror(errno));
1465 goto Fail;
1466 }
1467 if (listen(listen_fd, SOMAXCONN) != 0) {
1468 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "listen(2) failed:%s", strerror(errno));
1469 goto Fail;
1470 }
1471 nb->daemon_pid = fork();
1472 switch (nb->daemon_pid) {
1473 case -1:
1474 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "fork(2) failed:%s", strerror(errno));
1475 goto Fail;
1476 case 0:
1477 close(pipe_fds[1]);
1478 #ifdef __linux__
1479 prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
1480 #endif
1481 daemon_vars.nb = nb;
1482 daemon_main(listen_fd, pipe_fds[0], tempdir);
1483 break;
1484 default:
1485 break;
1486 }
1487 close(listen_fd);
1488 listen_fd = -1;
1489 close(pipe_fds[0]);
1490 pipe_fds[0] = -1;
1491
1492 /* setup engine */
1493 if ((nb->engine = ENGINE_new()) == NULL || !ENGINE_set_id(nb->engine, "neverbleed") ||
1494 !ENGINE_set_name(nb->engine, "privilege separation software engine") || !ENGINE_set_RSA(nb->engine, rsa_method)
1495 #if OPENSSL_1_1_API
1496 || !ENGINE_set_EC(nb->engine, ecdsa_method)
1497 #endif
1498 ) {
1499 snprintf(errbuf, NEVERBLEED_ERRBUF_SIZE, "failed to initialize the OpenSSL engine");
1500 goto Fail;
1501 }
1502 ENGINE_add(nb->engine);
1503
1504 /* setup thread key */
1505 pthread_key_create(&nb->thread_key, dispose_thread_data);
1506
1507 free(tempdir);
1508 return 0;
1509 Fail:
1510 if (pipe_fds[0] != -1)
1511 close(pipe_fds[0]);
1512 if (pipe_fds[1] != -1)
1513 close(pipe_fds[1]);
1514 if (tempdir != NULL) {
1515 unlink_dir(tempdir);
1516 free(tempdir);
1517 }
1518 if (listen_fd != -1)
1519 close(listen_fd);
1520 if (nb->engine != NULL) {
1521 ENGINE_free(nb->engine);
1522 nb->engine = NULL;
1523 }
1524 return -1;
1525 }
1526