ca.c revision 1.9 
1/*	$OpenBSD: ca.c,v 1.9 2014/07/10 15:54:55 eric Exp $	*/
2
3/*
4 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
5 * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <sys/types.h>
21#include <sys/queue.h>
22#include <sys/socket.h>
23
24#include <string.h>
25#include <stdlib.h>
26#include <unistd.h>
27#include <imsg.h>
28#include <pwd.h>
29#include <err.h>
30
31#include <openssl/ssl.h>
32#include <openssl/pem.h>
33#include <openssl/evp.h>
34#include <openssl/rsa.h>
35#include <openssl/engine.h>
36
37#include "smtpd.h"
38#include "log.h"
39#include "ssl.h"
40
41static int	 ca_verify_cb(int, X509_STORE_CTX *);
42
43static int	 rsae_send_imsg(int, const u_char *, u_char *, RSA *,
44		    int, u_int);
45static int	 rsae_pub_enc(int, const u_char *, u_char *, RSA *, int);
46static int	 rsae_pub_dec(int,const u_char *, u_char *, RSA *, int);
47static int	 rsae_priv_enc(int, const u_char *, u_char *, RSA *, int);
48static int	 rsae_priv_dec(int, const u_char *, u_char *, RSA *, int);
49static int	 rsae_mod_exp(BIGNUM *, const BIGNUM *, RSA *, BN_CTX *);
50static int	 rsae_bn_mod_exp(BIGNUM *, const BIGNUM *, const BIGNUM *,
51		    const BIGNUM *, BN_CTX *, BN_MONT_CTX *);
52static int	 rsae_init(RSA *);
53static int	 rsae_finish(RSA *);
54static int	 rsae_sign(int, const u_char *, u_int, u_char *, u_int *,
55		    const RSA *);
56static int	 rsae_verify(int dtype, const u_char *m, u_int, const u_char *,
57		    u_int, const RSA *);
58static int	 rsae_keygen(RSA *, int, BIGNUM *, BN_GENCB *);
59
60static uint64_t	 rsae_reqid = 0;
61
62static void
63ca_shutdown(void)
64{
65	log_info("info: ca agent exiting");
66	_exit(0);
67}
68
69static void
70ca_sig_handler(int sig, short event, void *p)
71{
72	switch (sig) {
73	case SIGINT:
74	case SIGTERM:
75		ca_shutdown();
76		break;
77	default:
78		fatalx("ca_sig_handler: unexpected signal");
79	}
80}
81
82pid_t
83ca(void)
84{
85	pid_t		 pid;
86	struct passwd	*pw;
87	struct event	 ev_sigint;
88	struct event	 ev_sigterm;
89
90	switch (pid = fork()) {
91	case -1:
92		fatal("ca: cannot fork");
93	case 0:
94		post_fork(PROC_CA);
95		break;
96	default:
97		return (pid);
98	}
99
100	purge_config(PURGE_LISTENERS|PURGE_TABLES|PURGE_RULES);
101
102	if ((pw = getpwnam(SMTPD_USER)) == NULL)
103		fatalx("unknown user " SMTPD_USER);
104
105	if (chroot(PATH_CHROOT) == -1)
106		fatal("ca: chroot");
107	if (chdir("/") == -1)
108		fatal("ca: chdir(\"/\")");
109
110	config_process(PROC_CA);
111
112	if (setgroups(1, &pw->pw_gid) ||
113	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
114	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
115		fatal("ca: cannot drop privileges");
116
117	imsg_callback = ca_imsg;
118	event_init();
119
120	signal_set(&ev_sigint, SIGINT, ca_sig_handler, NULL);
121	signal_set(&ev_sigterm, SIGTERM, ca_sig_handler, NULL);
122	signal_add(&ev_sigint, NULL);
123	signal_add(&ev_sigterm, NULL);
124	signal(SIGPIPE, SIG_IGN);
125	signal(SIGHUP, SIG_IGN);
126
127	config_peer(PROC_CONTROL);
128	config_peer(PROC_PARENT);
129	config_peer(PROC_PONY);
130	config_done();
131
132	/* Ignore them until we get our config */
133	mproc_disable(p_pony);
134
135	if (event_dispatch() < 0)
136		fatal("event_dispatch");
137	ca_shutdown();
138
139	return (0);
140}
141
142void
143ca_init(void)
144{
145	BIO		*in = NULL;
146	EVP_PKEY	*pkey = NULL;
147	struct pki	*pki;
148	const char	*k;
149	void		*iter_dict;
150
151	log_debug("debug: init private ssl-tree");
152	iter_dict = NULL;
153	while (dict_iter(env->sc_pki_dict, &iter_dict, &k, (void **)&pki)) {
154		if (pki->pki_key == NULL)
155			continue;
156
157		if ((in = BIO_new_mem_buf(pki->pki_key,
158		    pki->pki_key_len)) == NULL)
159			fatalx("ca_launch: key");
160
161		if ((pkey = PEM_read_bio_PrivateKey(in,
162		    NULL, NULL, NULL)) == NULL)
163			fatalx("ca_launch: PEM");
164		BIO_free(in);
165
166		pki->pki_pkey = pkey;
167
168		explicit_bzero(pki->pki_key, pki->pki_key_len);
169		free(pki->pki_key);
170		pki->pki_key = NULL;
171	}
172}
173
174static int
175ca_verify_cb(int ok, X509_STORE_CTX *ctx)
176{
177	switch (X509_STORE_CTX_get_error(ctx)) {
178	case X509_V_OK:
179		break;
180        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
181		log_warnx("warn: unable to get issuer cert");
182		break;
183        case X509_V_ERR_CERT_NOT_YET_VALID:
184        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
185		log_warnx("warn: certificate not yet valid");
186		break;
187        case X509_V_ERR_CERT_HAS_EXPIRED:
188        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
189		log_warnx("warn: certificate has expired");
190		break;
191        case X509_V_ERR_NO_EXPLICIT_POLICY:
192		log_warnx("warn: no explicit policy");
193		break;
194	}
195	return ok;
196}
197
198int
199ca_X509_verify(void *certificate, void *chain, const char *CAfile,
200    const char *CRLfile, const char **errstr)
201{
202	X509_STORE     *store = NULL;
203	X509_STORE_CTX *xsc = NULL;
204	int		ret = 0;
205
206	if ((store = X509_STORE_new()) == NULL)
207		goto end;
208
209	if (! X509_STORE_load_locations(store, CAfile, NULL)) {
210		log_warn("warn: unable to load CA file %s", CAfile);
211		goto end;
212	}
213	X509_STORE_set_default_paths(store);
214
215	if ((xsc = X509_STORE_CTX_new()) == NULL)
216		goto end;
217
218	if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1)
219		goto end;
220
221	X509_STORE_CTX_set_verify_cb(xsc, ca_verify_cb);
222
223	ret = X509_verify_cert(xsc);
224
225end:
226	*errstr = NULL;
227	if (ret != 1) {
228		if (xsc)
229			*errstr = X509_verify_cert_error_string(xsc->error);
230		else if (ERR_peek_last_error())
231			*errstr = ERR_error_string(ERR_peek_last_error(), NULL);
232	}
233
234	if (xsc)
235		X509_STORE_CTX_free(xsc);
236	if (store)
237		X509_STORE_free(store);
238
239	return ret > 0 ? 1 : 0;
240}
241
242void
243ca_imsg(struct mproc *p, struct imsg *imsg)
244{
245	RSA			*rsa;
246	const void		*from = NULL;
247	u_char			 *to = NULL;
248	struct msg		 m;
249	const char		*pkiname;
250	size_t			 flen, tlen, padding;
251	struct pki		*pki;
252	int			 ret = 0;
253	uint64_t		 id;
254	int			 v;
255
256	if (p->proc == PROC_PARENT) {
257		switch (imsg->hdr.type) {
258		case IMSG_CONF_START:
259			return;
260		case IMSG_CONF_END:
261			ca_init();
262
263			/* Start fulfilling requests */
264			mproc_enable(p_pony);
265			return;
266		}
267	}
268
269	if (p->proc == PROC_CONTROL) {
270		switch (imsg->hdr.type) {
271		case IMSG_CTL_VERBOSE:
272			m_msg(&m, imsg);
273			m_get_int(&m, &v);
274			m_end(&m);
275			log_verbose(v);
276			return;
277		case IMSG_CTL_PROFILE:
278			m_msg(&m, imsg);
279			m_get_int(&m, &v);
280			m_end(&m);
281			profiling = v;
282			return;
283		}
284	}
285
286	if (p->proc == PROC_PONY) {
287		switch (imsg->hdr.type) {
288		case IMSG_CA_PRIVENC:
289		case IMSG_CA_PRIVDEC:
290			m_msg(&m, imsg);
291			m_get_id(&m, &id);
292			m_get_string(&m, &pkiname);
293			m_get_data(&m, &from, &flen);
294			m_get_size(&m, &tlen);
295			m_get_size(&m, &padding);
296			m_end(&m);
297
298			pki = dict_get(env->sc_pki_dict, pkiname);
299			if (pki == NULL || pki->pki_pkey == NULL ||
300			    (rsa = EVP_PKEY_get1_RSA(pki->pki_pkey)) == NULL)
301				fatalx("ca_imsg: invalid pki");
302
303			if ((to = calloc(1, tlen)) == NULL)
304				fatalx("ca_imsg: calloc");
305
306			switch (imsg->hdr.type) {
307			case IMSG_CA_PRIVENC:
308				ret = RSA_private_encrypt(flen, from, to, rsa,
309				    padding);
310				break;
311			case IMSG_CA_PRIVDEC:
312				ret = RSA_private_decrypt(flen, from, to, rsa,
313				    padding);
314				break;
315			}
316
317			m_create(p, imsg->hdr.type, 0, 0, -1);
318			m_add_id(p, id);
319			m_add_int(p, ret);
320			if (ret > 0)
321				m_add_data(p, to, (size_t)ret);
322			m_close(p);
323
324			free(to);
325			RSA_free(rsa);
326
327			return;
328		}
329	}
330
331	errx(1, "ca_imsg: unexpected %s imsg", imsg_to_str(imsg->hdr.type));
332}
333
334/*
335 * RSA privsep engine (called from unprivileged processes)
336 */
337
338const RSA_METHOD *rsa_default = NULL;
339
340static RSA_METHOD rsae_method = {
341	"RSA privsep engine",
342	rsae_pub_enc,
343	rsae_pub_dec,
344	rsae_priv_enc,
345	rsae_priv_dec,
346	rsae_mod_exp,
347	rsae_bn_mod_exp,
348	rsae_init,
349	rsae_finish,
350	0,
351	NULL,
352	rsae_sign,
353	rsae_verify,
354	rsae_keygen
355};
356
357static int
358rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
359    int padding, u_int cmd)
360{
361	int		 ret = 0;
362	struct imsgbuf	*ibuf;
363	struct imsg	 imsg;
364	int		 n, done = 0;
365	const void	*toptr;
366	char		*pkiname;
367	size_t		 tlen;
368	struct msg	 m;
369	uint64_t	 id;
370
371	if ((pkiname = RSA_get_ex_data(rsa, 0)) == NULL)
372		return (0);
373
374	/*
375	 * Send a synchronous imsg because we cannot defer the RSA
376	 * operation in OpenSSL's engine layer.
377	 */
378	m_create(p_ca, cmd, 0, 0, -1);
379	rsae_reqid++;
380	m_add_id(p_ca, rsae_reqid);
381	m_add_string(p_ca, pkiname);
382	m_add_data(p_ca, (const void *)from, (size_t)flen);
383	m_add_size(p_ca, (size_t)RSA_size(rsa));
384	m_add_size(p_ca, (size_t)padding);
385	m_flush(p_ca);
386
387	ibuf = &p_ca->imsgbuf;
388
389	while (!done) {
390		if ((n = imsg_read(ibuf)) == -1)
391			fatalx("imsg_read");
392		if (n == 0)
393			fatalx("pipe closed");
394
395		while (!done) {
396			if ((n = imsg_get(ibuf, &imsg)) == -1)
397				fatalx("imsg_get error");
398			if (n == 0)
399				break;
400
401			log_imsg(PROC_PONY, PROC_CA, &imsg);
402
403			switch (imsg.hdr.type) {
404			case IMSG_CA_PRIVENC:
405			case IMSG_CA_PRIVDEC:
406				break;
407			default:
408				/* Another imsg is queued up in the buffer */
409				pony_imsg(p_ca, &imsg);
410				imsg_free(&imsg);
411				continue;
412			}
413
414			m_msg(&m, &imsg);
415			m_get_id(&m, &id);
416			if (id != rsae_reqid)
417				fatalx("invalid response id");
418			m_get_int(&m, &ret);
419			if (ret > 0)
420				m_get_data(&m, &toptr, &tlen);
421			m_end(&m);
422
423			if (ret > 0)
424				memcpy(to, toptr, tlen);
425			done = 1;
426
427			imsg_free(&imsg);
428		}
429	}
430	mproc_event_add(p_ca);
431
432	return (ret);
433}
434
435static int
436rsae_pub_enc(int flen,const u_char *from, u_char *to, RSA *rsa,int padding)
437{
438	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
439	return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
440}
441
442static int
443rsae_pub_dec(int flen,const u_char *from, u_char *to, RSA *rsa,int padding)
444{
445	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
446	return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
447}
448
449static int
450rsae_priv_enc(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
451{
452	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
453	if (RSA_get_ex_data(rsa, 0) != NULL) {
454		return (rsae_send_imsg(flen, from, to, rsa, padding,
455		    IMSG_CA_PRIVENC));
456	}
457	return (rsa_default->rsa_priv_enc(flen, from, to, rsa, padding));
458}
459
460static int
461rsae_priv_dec(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
462{
463	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
464	if (RSA_get_ex_data(rsa, 0) != NULL) {
465		return (rsae_send_imsg(flen, from, to, rsa, padding,
466		    IMSG_CA_PRIVDEC));
467	}
468	return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
469}
470
471static int
472rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
473{
474	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
475	return (rsa_default->rsa_mod_exp(r0, I, rsa, ctx));
476}
477
478static int
479rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
480    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
481{
482	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
483	return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
484}
485
486static int
487rsae_init(RSA *rsa)
488{
489	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
490	if (rsa_default->init == NULL)
491		return (1);
492	return (rsa_default->init(rsa));
493}
494
495static int
496rsae_finish(RSA *rsa)
497{
498	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
499	if (rsa_default->finish == NULL)
500		return (1);
501	return (rsa_default->finish(rsa));
502}
503
504static int
505rsae_sign(int type, const u_char *m, u_int m_length, u_char *sigret,
506    u_int *siglen, const RSA *rsa)
507{
508	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
509	return (rsa_default->rsa_sign(type, m, m_length,
510	    sigret, siglen, rsa));
511}
512
513static int
514rsae_verify(int dtype, const u_char *m, u_int m_length, const u_char *sigbuf,
515    u_int siglen, const RSA *rsa)
516{
517	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
518	return (rsa_default->rsa_verify(dtype, m, m_length,
519	    sigbuf, siglen, rsa));
520}
521
522static int
523rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
524{
525	log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
526	return (rsa_default->rsa_keygen(rsa, bits, e, cb));
527}
528
529void
530ca_engine_init(void)
531{
532	ENGINE		*e;
533	const char	*errstr, *name;
534
535	if ((e = ENGINE_get_default_RSA()) == NULL) {
536		if ((e = ENGINE_new()) == NULL) {
537			errstr = "ENGINE_new";
538			goto fail;
539		}
540		if (!ENGINE_set_name(e, rsae_method.name)) {
541			errstr = "ENGINE_set_name";
542			goto fail;
543		}
544		if ((rsa_default = RSA_get_default_method()) == NULL) {
545			errstr = "RSA_get_default_method";
546			goto fail;
547		}
548	} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {
549		errstr = "ENGINE_get_RSA";
550		goto fail;
551	}
552
553	if ((name = ENGINE_get_name(e)) == NULL)
554		name = "unknown RSA engine";
555
556	log_debug("debug: %s: using %s", __func__, name);
557
558	if (rsa_default->flags & RSA_FLAG_SIGN_VER)
559		fatalx("unsupported RSA engine");
560
561	if (rsa_default->rsa_mod_exp == NULL)
562		rsae_method.rsa_mod_exp = NULL;
563	if (rsa_default->rsa_mod_exp == NULL)
564		rsae_method.rsa_mod_exp = NULL;
565	if (rsa_default->bn_mod_exp == NULL)
566		rsae_method.bn_mod_exp = NULL;
567	if (rsa_default->rsa_keygen == NULL)
568		rsae_method.rsa_keygen = NULL;
569	rsae_method.flags = rsa_default->flags |
570	    RSA_METHOD_FLAG_NO_CHECK;
571	rsae_method.app_data = rsa_default->app_data;
572
573	if (!ENGINE_set_RSA(e, &rsae_method)) {
574		errstr = "ENGINE_set_RSA";
575		goto fail;
576	}
577	if (!ENGINE_set_default_RSA(e)) {
578		errstr = "ENGINE_set_default_RSA";
579		goto fail;
580	}
581
582	return;
583
584 fail:
585	ssl_error(errstr);
586	fatalx("%s", errstr);
587}
588