xref: /freebsd/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c (revision 4d65a7c6951cea0333f1a0c1b32c38489cdfa6c5)
1b9cbc85dSRick Macklem /*-
24d846d26SWarner Losh  * SPDX-License-Identifier: BSD-2-Clause
3b9cbc85dSRick Macklem  *
4b9cbc85dSRick Macklem  * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5b9cbc85dSRick Macklem  * Authors: Doug Rabson <dfr@rabson.org>
6b9cbc85dSRick Macklem  * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
7b9cbc85dSRick Macklem  *
8b9cbc85dSRick Macklem  * Redistribution and use in source and binary forms, with or without
9b9cbc85dSRick Macklem  * modification, are permitted provided that the following conditions
10b9cbc85dSRick Macklem  * are met:
11b9cbc85dSRick Macklem  * 1. Redistributions of source code must retain the above copyright
12b9cbc85dSRick Macklem  *    notice, this list of conditions and the following disclaimer.
13b9cbc85dSRick Macklem  * 2. Redistributions in binary form must reproduce the above copyright
14b9cbc85dSRick Macklem  *    notice, this list of conditions and the following disclaimer in the
15b9cbc85dSRick Macklem  *    documentation and/or other materials provided with the distribution.
16b9cbc85dSRick Macklem  *
17b9cbc85dSRick Macklem  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18b9cbc85dSRick Macklem  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19b9cbc85dSRick Macklem  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20b9cbc85dSRick Macklem  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21b9cbc85dSRick Macklem  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22b9cbc85dSRick Macklem  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23b9cbc85dSRick Macklem  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24b9cbc85dSRick Macklem  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25b9cbc85dSRick Macklem  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26b9cbc85dSRick Macklem  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27b9cbc85dSRick Macklem  * SUCH DAMAGE.
28b9cbc85dSRick Macklem  */
29b9cbc85dSRick Macklem 
30b9cbc85dSRick Macklem /*
31b9cbc85dSRick Macklem  * Extensively modified from /usr/src/usr.sbin/gssd.c r344402 for
32b9cbc85dSRick Macklem  * the client side of kernel RPC-over-TLS by Rick Macklem.
33b9cbc85dSRick Macklem  */
34b9cbc85dSRick Macklem 
35b9cbc85dSRick Macklem #include <sys/param.h>
36b9cbc85dSRick Macklem #include <sys/types.h>
37b9cbc85dSRick Macklem #include <sys/queue.h>
38b9cbc85dSRick Macklem #include <sys/linker.h>
39b9cbc85dSRick Macklem #include <sys/module.h>
40b9cbc85dSRick Macklem #include <sys/stat.h>
41b9cbc85dSRick Macklem #include <sys/sysctl.h>
42b9cbc85dSRick Macklem #include <sys/syslog.h>
43b9cbc85dSRick Macklem #include <sys/time.h>
44b9cbc85dSRick Macklem #include <err.h>
45b9cbc85dSRick Macklem #include <getopt.h>
46b9cbc85dSRick Macklem #include <libutil.h>
47b9cbc85dSRick Macklem #include <netdb.h>
48b9cbc85dSRick Macklem #include <signal.h>
49b9cbc85dSRick Macklem #include <stdarg.h>
50b9cbc85dSRick Macklem #include <stdbool.h>
51b9cbc85dSRick Macklem #include <stdio.h>
52b9cbc85dSRick Macklem #include <stdlib.h>
53b9cbc85dSRick Macklem #include <string.h>
54b9cbc85dSRick Macklem #include <unistd.h>
55b9cbc85dSRick Macklem 
56b9cbc85dSRick Macklem #include <rpc/rpc.h>
57b9cbc85dSRick Macklem #include <rpc/rpc_com.h>
58b9cbc85dSRick Macklem #include <rpc/rpcsec_tls.h>
59b9cbc85dSRick Macklem 
60b9cbc85dSRick Macklem #include <openssl/opensslconf.h>
61b9cbc85dSRick Macklem #include <openssl/bio.h>
62b9cbc85dSRick Macklem #include <openssl/ssl.h>
63b9cbc85dSRick Macklem #include <openssl/err.h>
64b9cbc85dSRick Macklem #include <openssl/x509v3.h>
65b9cbc85dSRick Macklem 
66b9cbc85dSRick Macklem #include "rpctlscd.h"
67b9cbc85dSRick Macklem #include "rpc.tlscommon.h"
68b9cbc85dSRick Macklem 
69b9cbc85dSRick Macklem #ifndef _PATH_RPCTLSCDSOCK
70b9cbc85dSRick Macklem #define _PATH_RPCTLSCDSOCK	"/var/run/rpc.tlsclntd.sock"
71b9cbc85dSRick Macklem #endif
72b9cbc85dSRick Macklem #ifndef	_PATH_CERTANDKEY
73b9cbc85dSRick Macklem #define	_PATH_CERTANDKEY	"/etc/rpc.tlsclntd/"
74b9cbc85dSRick Macklem #endif
75b9cbc85dSRick Macklem #ifndef	_PATH_RPCTLSCDPID
76b9cbc85dSRick Macklem #define	_PATH_RPCTLSCDPID	"/var/run/rpc.tlsclntd.pid"
77b9cbc85dSRick Macklem #endif
78b9cbc85dSRick Macklem 
79b9cbc85dSRick Macklem /* Global variables also used by rpc.tlscommon.c. */
80b9cbc85dSRick Macklem int			rpctls_debug_level;
81b9cbc85dSRick Macklem bool			rpctls_verbose;
82b9cbc85dSRick Macklem SSL_CTX			*rpctls_ctx = NULL;
83b9cbc85dSRick Macklem const char		*rpctls_verify_cafile = NULL;
84b9cbc85dSRick Macklem const char		*rpctls_verify_capath = NULL;
85b9cbc85dSRick Macklem char			*rpctls_crlfile = NULL;
86b9cbc85dSRick Macklem bool			rpctls_cert = false;
87b9cbc85dSRick Macklem bool			rpctls_gothup = false;
88b9cbc85dSRick Macklem struct ssl_list		rpctls_ssllist;
89b9cbc85dSRick Macklem 
90b9cbc85dSRick Macklem static struct pidfh	*rpctls_pfh = NULL;
91b9cbc85dSRick Macklem static const char	*rpctls_certdir = _PATH_CERTANDKEY;
92b9cbc85dSRick Macklem static const char	*rpctls_ciphers = NULL;
93b9cbc85dSRick Macklem static uint64_t		rpctls_ssl_refno = 0;
94b9cbc85dSRick Macklem static uint64_t		rpctls_ssl_sec = 0;
95b9cbc85dSRick Macklem static uint64_t		rpctls_ssl_usec = 0;
9672bf76d6SRick Macklem static int		rpctls_tlsvers = TLS1_3_VERSION;
97b9cbc85dSRick Macklem 
98b9cbc85dSRick Macklem static void		rpctlscd_terminate(int);
99b9cbc85dSRick Macklem static SSL_CTX		*rpctls_setupcl_ssl(void);
100b9cbc85dSRick Macklem static SSL		*rpctls_connect(SSL_CTX *ctx, int s, char *certname,
101b9cbc85dSRick Macklem 			    u_int certlen, X509 **certp);
102b9cbc85dSRick Macklem static void		rpctls_huphandler(int sig __unused);
103b9cbc85dSRick Macklem 
104b9cbc85dSRick Macklem extern void rpctlscd_1(struct svc_req *rqstp, SVCXPRT *transp);
105b9cbc85dSRick Macklem 
106b9cbc85dSRick Macklem static struct option longopts[] = {
10772bf76d6SRick Macklem 	{ "usetls1_2",		no_argument,		NULL,	'2' },
108b9cbc85dSRick Macklem 	{ "certdir",		required_argument,	NULL,	'D' },
109b9cbc85dSRick Macklem 	{ "ciphers",		required_argument,	NULL,	'C' },
110b9cbc85dSRick Macklem 	{ "debuglevel",		no_argument,		NULL,	'd' },
111b9cbc85dSRick Macklem 	{ "verifylocs",		required_argument,	NULL,	'l' },
112b9cbc85dSRick Macklem 	{ "mutualverf",		no_argument,		NULL,	'm' },
113b9cbc85dSRick Macklem 	{ "verifydir",		required_argument,	NULL,	'p' },
114b9cbc85dSRick Macklem 	{ "crl",		required_argument,	NULL,	'r' },
115b9cbc85dSRick Macklem 	{ "verbose",		no_argument,		NULL,	'v' },
116b9cbc85dSRick Macklem 	{ NULL,			0,			NULL,	0  }
117b9cbc85dSRick Macklem };
118b9cbc85dSRick Macklem 
119b9cbc85dSRick Macklem int
main(int argc,char ** argv)120b9cbc85dSRick Macklem main(int argc, char **argv)
121b9cbc85dSRick Macklem {
122b9cbc85dSRick Macklem 	/*
123b9cbc85dSRick Macklem 	 * We provide an RPC service on a local-domain socket. The
124b9cbc85dSRick Macklem 	 * kernel rpctls code will upcall to this daemon to do the initial
125b9cbc85dSRick Macklem 	 * TLS handshake.
126b9cbc85dSRick Macklem 	 */
127b9cbc85dSRick Macklem 	struct sockaddr_un sun;
128b9cbc85dSRick Macklem 	int ch, fd, oldmask;
129b9cbc85dSRick Macklem 	SVCXPRT *xprt;
130b9cbc85dSRick Macklem 	bool tls_enable;
131b9cbc85dSRick Macklem 	struct timeval tm;
132b9cbc85dSRick Macklem 	struct timezone tz;
133b9cbc85dSRick Macklem 	pid_t otherpid;
134b9cbc85dSRick Macklem 	size_t tls_enable_len;
135b9cbc85dSRick Macklem 
136b9cbc85dSRick Macklem 	/* Check that another rpctlscd isn't already running. */
137b9cbc85dSRick Macklem 	rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid);
138b9cbc85dSRick Macklem 	if (rpctls_pfh == NULL) {
139b9cbc85dSRick Macklem 		if (errno == EEXIST)
140b9cbc85dSRick Macklem 			errx(1, "rpctlscd already running, pid: %d.", otherpid);
141b9cbc85dSRick Macklem 		warn("cannot open or create pidfile");
142b9cbc85dSRick Macklem 	}
143b9cbc85dSRick Macklem 
144b9cbc85dSRick Macklem 	/* Check to see that the ktls is enabled. */
145b9cbc85dSRick Macklem 	tls_enable_len = sizeof(tls_enable);
146b9cbc85dSRick Macklem 	if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len,
147b9cbc85dSRick Macklem 	    NULL, 0) != 0 || !tls_enable)
148b9cbc85dSRick Macklem 		errx(1, "Kernel TLS not enabled");
149b9cbc85dSRick Macklem 
150b9cbc85dSRick Macklem 	/* Get the time when this daemon is started. */
151b9cbc85dSRick Macklem 	gettimeofday(&tm, &tz);
152b9cbc85dSRick Macklem 	rpctls_ssl_sec = tm.tv_sec;
153b9cbc85dSRick Macklem 	rpctls_ssl_usec = tm.tv_usec;
154b9cbc85dSRick Macklem 
155b9cbc85dSRick Macklem 	rpctls_verbose = false;
15672bf76d6SRick Macklem 	while ((ch = getopt_long(argc, argv, "2C:D:dl:mp:r:v", longopts,
15715881823SRick Macklem 	    NULL)) != -1) {
158b9cbc85dSRick Macklem 		switch (ch) {
15972bf76d6SRick Macklem 		case '2':
16072bf76d6SRick Macklem 			rpctls_tlsvers = TLS1_2_VERSION;
16172bf76d6SRick Macklem 			break;
162b9cbc85dSRick Macklem 		case 'C':
163b9cbc85dSRick Macklem 			rpctls_ciphers = optarg;
164b9cbc85dSRick Macklem 			break;
165b9cbc85dSRick Macklem 		case 'D':
166b9cbc85dSRick Macklem 			rpctls_certdir = optarg;
167b9cbc85dSRick Macklem 			break;
168b9cbc85dSRick Macklem 		case 'd':
169b9cbc85dSRick Macklem 			rpctls_debug_level++;
170b9cbc85dSRick Macklem 			break;
171b9cbc85dSRick Macklem 		case 'l':
172b9cbc85dSRick Macklem 			rpctls_verify_cafile = optarg;
173b9cbc85dSRick Macklem 			break;
174b9cbc85dSRick Macklem 		case 'm':
175b9cbc85dSRick Macklem 			rpctls_cert = true;
176b9cbc85dSRick Macklem 			break;
177b9cbc85dSRick Macklem 		case 'p':
178b9cbc85dSRick Macklem 			rpctls_verify_capath = optarg;
179b9cbc85dSRick Macklem 			break;
180b9cbc85dSRick Macklem 		case 'r':
181b9cbc85dSRick Macklem 			rpctls_crlfile = optarg;
182b9cbc85dSRick Macklem 			break;
183b9cbc85dSRick Macklem 		case 'v':
184b9cbc85dSRick Macklem 			rpctls_verbose = true;
185b9cbc85dSRick Macklem 			break;
186b9cbc85dSRick Macklem 		default:
187b9cbc85dSRick Macklem 			fprintf(stderr, "usage: %s "
188b387a075SRick Macklem 			    "[-2/--usetls1_2] "
189f5b40aa0SRick Macklem 			    "[-C/--ciphers available_ciphers] "
190b9cbc85dSRick Macklem 			    "[-D/--certdir certdir] [-d/--debuglevel] "
191b9cbc85dSRick Macklem 			    "[-l/--verifylocs CAfile] [-m/--mutualverf] "
192b9cbc85dSRick Macklem 			    "[-p/--verifydir CApath] [-r/--crl CRLfile] "
193b9cbc85dSRick Macklem 			    "[-v/--verbose]\n", argv[0]);
194b9cbc85dSRick Macklem 			exit(1);
195b9cbc85dSRick Macklem 			break;
196b9cbc85dSRick Macklem 		}
197b9cbc85dSRick Macklem 	}
198b9cbc85dSRick Macklem 	if (rpctls_crlfile != NULL && rpctls_verify_cafile == NULL &&
199b9cbc85dSRick Macklem 	    rpctls_verify_capath == NULL)
200b9cbc85dSRick Macklem 		errx(1, "-r requires the -l <CAfile> and/or "
201b9cbc85dSRick Macklem 		    "-p <CApath> options");
202b9cbc85dSRick Macklem 
203b9cbc85dSRick Macklem 	if (modfind("krpc") < 0) {
204b9cbc85dSRick Macklem 		/* Not present in kernel, try loading it */
205b9cbc85dSRick Macklem 		if (kldload("krpc") < 0 || modfind("krpc") < 0)
206b9cbc85dSRick Macklem 			errx(1, "Kernel RPC is not available");
207b9cbc85dSRick Macklem 	}
208b9cbc85dSRick Macklem 
209b9cbc85dSRick Macklem 	/*
210b9cbc85dSRick Macklem 	 * Set up the SSL_CTX *.
211b9cbc85dSRick Macklem 	 * Do it now, before daemonizing, in case the private key
212b9cbc85dSRick Macklem 	 * is encrypted and requires a passphrase to be entered.
213b9cbc85dSRick Macklem 	 */
214b9cbc85dSRick Macklem 	rpctls_ctx = rpctls_setupcl_ssl();
215b9cbc85dSRick Macklem 	if (rpctls_ctx == NULL) {
216b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
217b9cbc85dSRick Macklem 			syslog(LOG_ERR, "Can't set up TLS context");
218b9cbc85dSRick Macklem 			exit(1);
219b9cbc85dSRick Macklem 		}
220b9cbc85dSRick Macklem 		err(1, "Can't set up TLS context");
221b9cbc85dSRick Macklem 	}
222b9cbc85dSRick Macklem 	LIST_INIT(&rpctls_ssllist);
223b9cbc85dSRick Macklem 
224b9cbc85dSRick Macklem 	if (!rpctls_debug_level) {
225b9cbc85dSRick Macklem 		if (daemon(0, 0) != 0)
226b9cbc85dSRick Macklem 			err(1, "Can't daemonize");
227b9cbc85dSRick Macklem 		signal(SIGINT, SIG_IGN);
228b9cbc85dSRick Macklem 		signal(SIGQUIT, SIG_IGN);
229b9cbc85dSRick Macklem 		signal(SIGHUP, SIG_IGN);
230b9cbc85dSRick Macklem 	}
231b9cbc85dSRick Macklem 	signal(SIGTERM, rpctlscd_terminate);
232b9cbc85dSRick Macklem 	signal(SIGPIPE, SIG_IGN);
233b9cbc85dSRick Macklem 	signal(SIGHUP, rpctls_huphandler);
234b9cbc85dSRick Macklem 
235b9cbc85dSRick Macklem 	pidfile_write(rpctls_pfh);
236b9cbc85dSRick Macklem 
237b9cbc85dSRick Macklem 	memset(&sun, 0, sizeof sun);
238b9cbc85dSRick Macklem 	sun.sun_family = AF_LOCAL;
239b9cbc85dSRick Macklem 	unlink(_PATH_RPCTLSCDSOCK);
240b9cbc85dSRick Macklem 	strcpy(sun.sun_path, _PATH_RPCTLSCDSOCK);
241b9cbc85dSRick Macklem 	sun.sun_len = SUN_LEN(&sun);
242b9cbc85dSRick Macklem 	fd = socket(AF_LOCAL, SOCK_STREAM, 0);
243b9cbc85dSRick Macklem 	if (fd < 0) {
244b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
245b9cbc85dSRick Macklem 			syslog(LOG_ERR, "Can't create local rpctlscd socket");
246b9cbc85dSRick Macklem 			exit(1);
247b9cbc85dSRick Macklem 		}
248b9cbc85dSRick Macklem 		err(1, "Can't create local rpctlscd socket");
249b9cbc85dSRick Macklem 	}
250b9cbc85dSRick Macklem 	oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
251b9cbc85dSRick Macklem 	if (bind(fd, (struct sockaddr *)&sun, sun.sun_len) < 0) {
252b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
253b9cbc85dSRick Macklem 			syslog(LOG_ERR, "Can't bind local rpctlscd socket");
254b9cbc85dSRick Macklem 			exit(1);
255b9cbc85dSRick Macklem 		}
256b9cbc85dSRick Macklem 		err(1, "Can't bind local rpctlscd socket");
257b9cbc85dSRick Macklem 	}
258b9cbc85dSRick Macklem 	umask(oldmask);
259b9cbc85dSRick Macklem 	if (listen(fd, SOMAXCONN) < 0) {
260b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
261b9cbc85dSRick Macklem 			syslog(LOG_ERR,
262b9cbc85dSRick Macklem 			    "Can't listen on local rpctlscd socket");
263b9cbc85dSRick Macklem 			exit(1);
264b9cbc85dSRick Macklem 		}
265b9cbc85dSRick Macklem 		err(1, "Can't listen on local rpctlscd socket");
266b9cbc85dSRick Macklem 	}
267b9cbc85dSRick Macklem 	xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
268b9cbc85dSRick Macklem 	if (!xprt) {
269b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
270b9cbc85dSRick Macklem 			syslog(LOG_ERR,
271b9cbc85dSRick Macklem 			    "Can't create transport for local rpctlscd socket");
272b9cbc85dSRick Macklem 			exit(1);
273b9cbc85dSRick Macklem 		}
274b9cbc85dSRick Macklem 		err(1, "Can't create transport for local rpctlscd socket");
275b9cbc85dSRick Macklem 	}
276b9cbc85dSRick Macklem 	if (!svc_reg(xprt, RPCTLSCD, RPCTLSCDVERS, rpctlscd_1, NULL)) {
277b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0) {
278b9cbc85dSRick Macklem 			syslog(LOG_ERR,
279b9cbc85dSRick Macklem 			    "Can't register service for local rpctlscd socket");
280b9cbc85dSRick Macklem 			exit(1);
281b9cbc85dSRick Macklem 		}
282b9cbc85dSRick Macklem 		err(1, "Can't register service for local rpctlscd socket");
283b9cbc85dSRick Macklem 	}
284b9cbc85dSRick Macklem 
2853fe0cb66SRick Macklem 	if (rpctls_syscall(RPCTLS_SYSC_CLSETPATH, _PATH_RPCTLSCDSOCK) < 0) {
2863fe0cb66SRick Macklem 		if (rpctls_debug_level == 0) {
2873fe0cb66SRick Macklem 			syslog(LOG_ERR,
2883fe0cb66SRick Macklem 			    "Can't set upcall socket path errno=%d", errno);
2893fe0cb66SRick Macklem 			exit(1);
2903fe0cb66SRick Macklem 		}
2913fe0cb66SRick Macklem 		err(1, "Can't set upcall socket path");
2923fe0cb66SRick Macklem 	}
293b9cbc85dSRick Macklem 
294b9cbc85dSRick Macklem 	rpctls_svc_run();
295b9cbc85dSRick Macklem 
296b9cbc85dSRick Macklem 	rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, "");
297b9cbc85dSRick Macklem 
298b9cbc85dSRick Macklem 	SSL_CTX_free(rpctls_ctx);
299b9cbc85dSRick Macklem 	return (0);
300b9cbc85dSRick Macklem }
301b9cbc85dSRick Macklem 
302b9cbc85dSRick Macklem bool_t
rpctlscd_null_1_svc(__unused void * argp,__unused void * result,__unused struct svc_req * rqstp)303b9cbc85dSRick Macklem rpctlscd_null_1_svc(__unused void *argp, __unused void *result,
304b9cbc85dSRick Macklem     __unused struct svc_req *rqstp)
305b9cbc85dSRick Macklem {
306b9cbc85dSRick Macklem 
307b9cbc85dSRick Macklem 	rpctls_verbose_out("rpctlscd_null: done\n");
308b9cbc85dSRick Macklem 	return (TRUE);
309b9cbc85dSRick Macklem }
310b9cbc85dSRick Macklem 
311b9cbc85dSRick Macklem bool_t
rpctlscd_connect_1_svc(struct rpctlscd_connect_arg * argp,struct rpctlscd_connect_res * result,__unused struct svc_req * rqstp)312b9cbc85dSRick Macklem rpctlscd_connect_1_svc(struct rpctlscd_connect_arg *argp,
313b9cbc85dSRick Macklem     struct rpctlscd_connect_res *result, __unused struct svc_req *rqstp)
314b9cbc85dSRick Macklem {
315b9cbc85dSRick Macklem 	int s;
316b9cbc85dSRick Macklem 	SSL *ssl;
317b9cbc85dSRick Macklem 	struct ssl_entry *newslp;
318b9cbc85dSRick Macklem 	X509 *cert;
319b9cbc85dSRick Macklem 
320b9cbc85dSRick Macklem 	rpctls_verbose_out("rpctlsd_connect: started\n");
321b9cbc85dSRick Macklem 	/* Get the socket fd from the kernel. */
322b9cbc85dSRick Macklem 	s = rpctls_syscall(RPCTLS_SYSC_CLSOCKET, "");
323b9cbc85dSRick Macklem 	if (s < 0) {
324b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_NOSOCKET;
325b9cbc85dSRick Macklem 		return (TRUE);
326b9cbc85dSRick Macklem 	}
327b9cbc85dSRick Macklem 
328b9cbc85dSRick Macklem 	/* Do a TLS connect handshake. */
329b9cbc85dSRick Macklem 	ssl = rpctls_connect(rpctls_ctx, s, argp->certname.certname_val,
330b9cbc85dSRick Macklem 	    argp->certname.certname_len, &cert);
331b9cbc85dSRick Macklem 	if (ssl == NULL) {
332b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctlsd_connect: can't do TLS "
333b9cbc85dSRick Macklem 		    "handshake\n");
334b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_NOSSL;
335b9cbc85dSRick Macklem 	} else {
336b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_OK;
337b9cbc85dSRick Macklem 		result->sec = rpctls_ssl_sec;
338b9cbc85dSRick Macklem 		result->usec = rpctls_ssl_usec;
339b9cbc85dSRick Macklem 		result->ssl = ++rpctls_ssl_refno;
340b9cbc85dSRick Macklem 		/* Hard to believe this will ever wrap around.. */
341b9cbc85dSRick Macklem 		if (rpctls_ssl_refno == 0)
342b9cbc85dSRick Macklem 			result->ssl = ++rpctls_ssl_refno;
343b9cbc85dSRick Macklem 	}
344b9cbc85dSRick Macklem 
345b9cbc85dSRick Macklem 	if (ssl == NULL) {
346b9cbc85dSRick Macklem 		/*
347b9cbc85dSRick Macklem 		 * For RPC-over-TLS, this upcall is expected
348b9cbc85dSRick Macklem 		 * to close off the socket.
349b9cbc85dSRick Macklem 		 */
350b9cbc85dSRick Macklem 		close(s);
351b9cbc85dSRick Macklem 		return (TRUE);
352b9cbc85dSRick Macklem 	}
353b9cbc85dSRick Macklem 
354b9cbc85dSRick Macklem 	/* Maintain list of all current SSL *'s */
355b9cbc85dSRick Macklem 	newslp = malloc(sizeof(*newslp));
356b9cbc85dSRick Macklem 	newslp->refno = rpctls_ssl_refno;
357b9cbc85dSRick Macklem 	newslp->s = s;
358b9cbc85dSRick Macklem 	newslp->shutoff = false;
359b9cbc85dSRick Macklem 	newslp->ssl = ssl;
360b9cbc85dSRick Macklem 	newslp->cert = cert;
361b9cbc85dSRick Macklem 	LIST_INSERT_HEAD(&rpctls_ssllist, newslp, next);
362b9cbc85dSRick Macklem 	return (TRUE);
363b9cbc85dSRick Macklem }
364b9cbc85dSRick Macklem 
365b9cbc85dSRick Macklem bool_t
rpctlscd_handlerecord_1_svc(struct rpctlscd_handlerecord_arg * argp,struct rpctlscd_handlerecord_res * result,__unused struct svc_req * rqstp)366b9cbc85dSRick Macklem rpctlscd_handlerecord_1_svc(struct rpctlscd_handlerecord_arg *argp,
367b9cbc85dSRick Macklem     struct rpctlscd_handlerecord_res *result, __unused struct svc_req *rqstp)
368b9cbc85dSRick Macklem {
369b9cbc85dSRick Macklem 	struct ssl_entry *slp;
370b9cbc85dSRick Macklem 	int ret;
371b9cbc85dSRick Macklem 	char junk;
372b9cbc85dSRick Macklem 
373b9cbc85dSRick Macklem 	slp = NULL;
374b9cbc85dSRick Macklem 	if (argp->sec == rpctls_ssl_sec && argp->usec ==
375b9cbc85dSRick Macklem 	    rpctls_ssl_usec) {
376b9cbc85dSRick Macklem 		LIST_FOREACH(slp, &rpctls_ssllist, next) {
377b9cbc85dSRick Macklem 			if (slp->refno == argp->ssl)
378b9cbc85dSRick Macklem 				break;
379b9cbc85dSRick Macklem 		}
380b9cbc85dSRick Macklem 	}
381b9cbc85dSRick Macklem 
382b9cbc85dSRick Macklem 	if (slp != NULL) {
383b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctlscd_handlerecord fd=%d\n",
384b9cbc85dSRick Macklem 		    slp->s);
385b9cbc85dSRick Macklem 		/*
386b9cbc85dSRick Macklem 		 * An SSL_read() of 0 bytes should fail, but it should
387b9cbc85dSRick Macklem 		 * handle the non-application data record before doing so.
388b9cbc85dSRick Macklem 		 */
389b9cbc85dSRick Macklem 		ret = SSL_read(slp->ssl, &junk, 0);
390b9cbc85dSRick Macklem 		if (ret <= 0) {
391b9cbc85dSRick Macklem 			/* Check to see if this was a close alert. */
392b9cbc85dSRick Macklem 			ret = SSL_get_shutdown(slp->ssl);
393b9cbc85dSRick Macklem 			if ((ret & (SSL_SENT_SHUTDOWN |
394b9cbc85dSRick Macklem 			    SSL_RECEIVED_SHUTDOWN)) == SSL_RECEIVED_SHUTDOWN)
395b9cbc85dSRick Macklem 				SSL_shutdown(slp->ssl);
396b9cbc85dSRick Macklem 		} else {
397b9cbc85dSRick Macklem 			if (rpctls_debug_level == 0)
398b9cbc85dSRick Macklem 				syslog(LOG_ERR, "SSL_read returned %d", ret);
399b9cbc85dSRick Macklem 			else
400b9cbc85dSRick Macklem 				fprintf(stderr, "SSL_read returned %d\n", ret);
401b9cbc85dSRick Macklem 		}
402b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_OK;
403b9cbc85dSRick Macklem 	} else
404b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_NOSSL;
405b9cbc85dSRick Macklem 	return (TRUE);
406b9cbc85dSRick Macklem }
407b9cbc85dSRick Macklem 
408b9cbc85dSRick Macklem bool_t
rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_arg * argp,struct rpctlscd_disconnect_res * result,__unused struct svc_req * rqstp)409b9cbc85dSRick Macklem rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_arg *argp,
410b9cbc85dSRick Macklem     struct rpctlscd_disconnect_res *result, __unused struct svc_req *rqstp)
411b9cbc85dSRick Macklem {
412b9cbc85dSRick Macklem 	struct ssl_entry *slp;
413b9cbc85dSRick Macklem 	int ret;
414b9cbc85dSRick Macklem 
415b9cbc85dSRick Macklem 	slp = NULL;
416b9cbc85dSRick Macklem 	if (argp->sec == rpctls_ssl_sec && argp->usec ==
417b9cbc85dSRick Macklem 	    rpctls_ssl_usec) {
418b9cbc85dSRick Macklem 		LIST_FOREACH(slp, &rpctls_ssllist, next) {
419b9cbc85dSRick Macklem 			if (slp->refno == argp->ssl)
420b9cbc85dSRick Macklem 				break;
421b9cbc85dSRick Macklem 		}
422b9cbc85dSRick Macklem 	}
423b9cbc85dSRick Macklem 
424b9cbc85dSRick Macklem 	if (slp != NULL) {
425b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctlscd_disconnect: fd=%d closed\n",
426b9cbc85dSRick Macklem 		    slp->s);
427b9cbc85dSRick Macklem 		LIST_REMOVE(slp, next);
428b9cbc85dSRick Macklem 		if (!slp->shutoff) {
429b9cbc85dSRick Macklem 			ret = SSL_get_shutdown(slp->ssl);
430b9cbc85dSRick Macklem 			/*
431b9cbc85dSRick Macklem 			 * Do an SSL_shutdown() unless a close alert has
432b9cbc85dSRick Macklem 			 * already been sent.
433b9cbc85dSRick Macklem 			 */
434b9cbc85dSRick Macklem 			if ((ret & SSL_SENT_SHUTDOWN) == 0)
435b9cbc85dSRick Macklem 				SSL_shutdown(slp->ssl);
436b9cbc85dSRick Macklem 		}
437b9cbc85dSRick Macklem 		SSL_free(slp->ssl);
438b9cbc85dSRick Macklem 		if (slp->cert != NULL)
439b9cbc85dSRick Macklem 			X509_free(slp->cert);
440b9cbc85dSRick Macklem 		/*
441b9cbc85dSRick Macklem 		 * For RPC-over-TLS, this upcall is expected
442b9cbc85dSRick Macklem 		 * to close off the socket.
443b9cbc85dSRick Macklem 		 */
444b9cbc85dSRick Macklem 		if (!slp->shutoff)
445b9cbc85dSRick Macklem 			shutdown(slp->s, SHUT_WR);
446b9cbc85dSRick Macklem 		close(slp->s);
447b9cbc85dSRick Macklem 		free(slp);
448b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_OK;
449b9cbc85dSRick Macklem 	} else
450b9cbc85dSRick Macklem 		result->reterr = RPCTLSERR_NOCLOSE;
451b9cbc85dSRick Macklem 	return (TRUE);
452b9cbc85dSRick Macklem }
453b9cbc85dSRick Macklem 
454b9cbc85dSRick Macklem int
rpctlscd_1_freeresult(__unused SVCXPRT * transp,__unused xdrproc_t xdr_result,__unused caddr_t result)455b9cbc85dSRick Macklem rpctlscd_1_freeresult(__unused SVCXPRT *transp, __unused xdrproc_t xdr_result,
456b9cbc85dSRick Macklem     __unused caddr_t result)
457b9cbc85dSRick Macklem {
458b9cbc85dSRick Macklem 
459b9cbc85dSRick Macklem 	return (TRUE);
460b9cbc85dSRick Macklem }
461b9cbc85dSRick Macklem 
462b9cbc85dSRick Macklem static void
rpctlscd_terminate(int sig __unused)463b9cbc85dSRick Macklem rpctlscd_terminate(int sig __unused)
464b9cbc85dSRick Macklem {
465b9cbc85dSRick Macklem 
466b9cbc85dSRick Macklem 	rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, "");
467b9cbc85dSRick Macklem 	pidfile_remove(rpctls_pfh);
468b9cbc85dSRick Macklem 	exit(0);
469b9cbc85dSRick Macklem }
470b9cbc85dSRick Macklem 
471b9cbc85dSRick Macklem static SSL_CTX *
rpctls_setupcl_ssl(void)472b9cbc85dSRick Macklem rpctls_setupcl_ssl(void)
473b9cbc85dSRick Macklem {
474b9cbc85dSRick Macklem 	SSL_CTX *ctx;
475b9cbc85dSRick Macklem 	char path[PATH_MAX];
476b9cbc85dSRick Macklem 	size_t len, rlen;
477b9cbc85dSRick Macklem 	int ret;
478b9cbc85dSRick Macklem 
479b9cbc85dSRick Macklem 	ctx = SSL_CTX_new(TLS_client_method());
480b9cbc85dSRick Macklem 	if (ctx == NULL) {
481b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_setupcl_ssl: SSL_CTX_new "
482b9cbc85dSRick Macklem 		    "failed\n");
483b9cbc85dSRick Macklem 		return (NULL);
484b9cbc85dSRick Macklem 	}
485b9cbc85dSRick Macklem 
486b9cbc85dSRick Macklem 	if (rpctls_ciphers != NULL) {
487b9cbc85dSRick Macklem 		/*
488f5b40aa0SRick Macklem 		 * Set available ciphers, since KERN_TLS only supports a
489b9cbc85dSRick Macklem 		 * few of them.
490b9cbc85dSRick Macklem 		 */
491f5b40aa0SRick Macklem 		ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
492b9cbc85dSRick Macklem 		if (ret == 0) {
493b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_setupcl_ssl: "
494f5b40aa0SRick Macklem 			    "SSL_CTX_set_ciphersuites failed: %s\n",
495b9cbc85dSRick Macklem 			    rpctls_ciphers);
496b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
497b9cbc85dSRick Macklem 			return (NULL);
498b9cbc85dSRick Macklem 		}
499b9cbc85dSRick Macklem 	}
500b9cbc85dSRick Macklem 
501b9cbc85dSRick Macklem 	/*
502b9cbc85dSRick Macklem 	 * If rpctls_cert is true, a certificate and key exists in
503b9cbc85dSRick Macklem 	 * rpctls_certdir, so that it can do mutual authentication.
504b9cbc85dSRick Macklem 	 */
505b9cbc85dSRick Macklem 	if (rpctls_cert) {
506b9cbc85dSRick Macklem 		/* Get the cert.pem and certkey.pem files. */
507b9cbc85dSRick Macklem 		len = strlcpy(path, rpctls_certdir, sizeof(path));
508b9cbc85dSRick Macklem 		rlen = sizeof(path) - len;
509b9cbc85dSRick Macklem 		if (strlcpy(&path[len], "cert.pem", rlen) != 8) {
510b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
511b9cbc85dSRick Macklem 			return (NULL);
512b9cbc85dSRick Macklem 		}
513b9cbc85dSRick Macklem 		ret = SSL_CTX_use_certificate_file(ctx, path,
514b9cbc85dSRick Macklem 		    SSL_FILETYPE_PEM);
515b9cbc85dSRick Macklem 		if (ret != 1) {
516b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_setupcl_ssl: can't use "
517b9cbc85dSRick Macklem 			    "certificate file path=%s ret=%d\n", path, ret);
518b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
519b9cbc85dSRick Macklem 			return (NULL);
520b9cbc85dSRick Macklem 		}
521b9cbc85dSRick Macklem 		if (strlcpy(&path[len], "certkey.pem", rlen) != 11) {
522b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
523b9cbc85dSRick Macklem 			return (NULL);
524b9cbc85dSRick Macklem 		}
525b9cbc85dSRick Macklem 		ret = SSL_CTX_use_PrivateKey_file(ctx, path,
526b9cbc85dSRick Macklem 		    SSL_FILETYPE_PEM);
527b9cbc85dSRick Macklem 		if (ret != 1) {
528b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_setupcl_ssl: Can't use "
529b9cbc85dSRick Macklem 			    "private key path=%s ret=%d\n", path, ret);
530b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
531b9cbc85dSRick Macklem 			return (NULL);
532b9cbc85dSRick Macklem 		}
533b9cbc85dSRick Macklem 	}
534b9cbc85dSRick Macklem 
535b9cbc85dSRick Macklem 	if (rpctls_verify_cafile != NULL || rpctls_verify_capath != NULL) {
536b9cbc85dSRick Macklem 		if (rpctls_crlfile != NULL) {
537b9cbc85dSRick Macklem 			ret = rpctls_loadcrlfile(ctx);
538b9cbc85dSRick Macklem 			if (ret == 0) {
539b9cbc85dSRick Macklem 				rpctls_verbose_out("rpctls_setupcl_ssl: "
540b9cbc85dSRick Macklem 				    "Load CRLfile failed\n");
541b9cbc85dSRick Macklem 				SSL_CTX_free(ctx);
542b9cbc85dSRick Macklem 				return (NULL);
543b9cbc85dSRick Macklem 			}
544b9cbc85dSRick Macklem 		}
545b9cbc85dSRick Macklem #if OPENSSL_VERSION_NUMBER >= 0x30000000
546b9cbc85dSRick Macklem 		ret = 1;
547b9cbc85dSRick Macklem 		if (rpctls_verify_cafile != NULL)
548b9cbc85dSRick Macklem 			ret = SSL_CTX_load_verify_file(ctx,
549b9cbc85dSRick Macklem 			    rpctls_verify_cafile);
550b9cbc85dSRick Macklem 		if (ret != 0 && rpctls_verify_capath != NULL)
551b9cbc85dSRick Macklem 			ret = SSL_CTX_load_verify_dir(ctx,
552b9cbc85dSRick Macklem 			    rpctls_verify_capath);
553b9cbc85dSRick Macklem #else
554b9cbc85dSRick Macklem 		ret = SSL_CTX_load_verify_locations(ctx,
555b9cbc85dSRick Macklem 		    rpctls_verify_cafile, rpctls_verify_capath);
556b9cbc85dSRick Macklem #endif
557b9cbc85dSRick Macklem 		if (ret == 0) {
558b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_setupcl_ssl: "
559b9cbc85dSRick Macklem 			    "Can't load verify locations\n");
560b9cbc85dSRick Macklem 			SSL_CTX_free(ctx);
561b9cbc85dSRick Macklem 			return (NULL);
562b9cbc85dSRick Macklem 		}
563b9cbc85dSRick Macklem 		/*
564b9cbc85dSRick Macklem 		 * The man page says that the
565b9cbc85dSRick Macklem 		 * SSL_CTX_set0_CA_list() call is not normally
566b9cbc85dSRick Macklem 		 * needed, but I believe it is harmless.
567b9cbc85dSRick Macklem 		 */
568b9cbc85dSRick Macklem 		if (rpctls_verify_cafile != NULL)
569b9cbc85dSRick Macklem 			SSL_CTX_set0_CA_list(ctx,
570b9cbc85dSRick Macklem 			    SSL_load_client_CA_file(rpctls_verify_cafile));
571b9cbc85dSRick Macklem 	}
572b9cbc85dSRick Macklem 
57372bf76d6SRick Macklem 	/*
57472bf76d6SRick Macklem 	 * The RFC specifies that RPC-over-TLS must use TLS1.3.
57572bf76d6SRick Macklem 	 * However, early FreeBSD versions (13.0, 13.1) did not
57672bf76d6SRick Macklem 	 * support RX for KTLS1.3, so TLS1.2 needs to be used for
57772bf76d6SRick Macklem 	 * these servers.
57872bf76d6SRick Macklem 	 */
57972bf76d6SRick Macklem 	ret = SSL_CTX_set_min_proto_version(ctx, rpctls_tlsvers);
58072bf76d6SRick Macklem 	if (ret == 0) {
58172bf76d6SRick Macklem 		rpctls_verbose_out("rpctls_setupcl_ssl: "
58272bf76d6SRick Macklem 		    "SSL_CTX_set_min_proto_version failed\n");
58372bf76d6SRick Macklem 		SSL_CTX_free(ctx);
58472bf76d6SRick Macklem 		return (NULL);
58572bf76d6SRick Macklem 	}
58672bf76d6SRick Macklem 	ret = SSL_CTX_set_max_proto_version(ctx, rpctls_tlsvers);
58772bf76d6SRick Macklem 	if (ret == 0) {
58872bf76d6SRick Macklem 		rpctls_verbose_out("rpctls_setupcl_ssl: "
58972bf76d6SRick Macklem 		    "SSL_CTX_set_max_proto_version failed\n");
59072bf76d6SRick Macklem 		SSL_CTX_free(ctx);
59172bf76d6SRick Macklem 		return (NULL);
59272bf76d6SRick Macklem 	}
59372bf76d6SRick Macklem 
594c7bb0f47SJohn Baldwin #ifdef SSL_OP_ENABLE_KTLS
59572bf76d6SRick Macklem 	SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
596c7bb0f47SJohn Baldwin #endif
597c7bb0f47SJohn Baldwin #ifdef SSL_MODE_NO_KTLS_TX
598b9cbc85dSRick Macklem 	SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
599c7bb0f47SJohn Baldwin #endif
600b9cbc85dSRick Macklem 	return (ctx);
601b9cbc85dSRick Macklem }
602b9cbc85dSRick Macklem 
603b9cbc85dSRick Macklem static SSL *
rpctls_connect(SSL_CTX * ctx,int s,char * certname,u_int certlen,X509 ** certp)604b9cbc85dSRick Macklem rpctls_connect(SSL_CTX *ctx, int s, char *certname, u_int certlen, X509 **certp)
605b9cbc85dSRick Macklem {
606b9cbc85dSRick Macklem 	SSL *ssl;
607b9cbc85dSRick Macklem 	X509 *cert;
608b9cbc85dSRick Macklem 	struct sockaddr_storage ad;
609b9cbc85dSRick Macklem 	struct sockaddr *sad;
610b9cbc85dSRick Macklem 	char hostnam[NI_MAXHOST], path[PATH_MAX];
611b9cbc85dSRick Macklem 	int gethostret, ret;
612b9cbc85dSRick Macklem 	char *cp, *cp2;
613b9cbc85dSRick Macklem 	size_t len, rlen;
614b9cbc85dSRick Macklem 	long verfret;
615b9cbc85dSRick Macklem 
616b9cbc85dSRick Macklem 	*certp = NULL;
617b9cbc85dSRick Macklem 	sad = (struct sockaddr *)&ad;
618b9cbc85dSRick Macklem 	ssl = SSL_new(ctx);
619b9cbc85dSRick Macklem 	if (ssl == NULL) {
620b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_connect: "
621b9cbc85dSRick Macklem 		    "SSL_new failed\n");
622b9cbc85dSRick Macklem 		return (NULL);
623b9cbc85dSRick Macklem 	}
624b9cbc85dSRick Macklem 	if (SSL_set_fd(ssl, s) != 1) {
625b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_connect: "
626b9cbc85dSRick Macklem 		    "SSL_set_fd failed\n");
627b9cbc85dSRick Macklem 		SSL_free(ssl);
628b9cbc85dSRick Macklem 		return (NULL);
629b9cbc85dSRick Macklem 	}
630b9cbc85dSRick Macklem 
631b9cbc85dSRick Macklem 	/*
632b9cbc85dSRick Macklem 	 * If rpctls_cert is true and certname is set, a alternate certificate
633b9cbc85dSRick Macklem 	 * and key exists in files named <certname>.pem and <certname>key.pem
634b9cbc85dSRick Macklem 	 * in rpctls_certdir that is to be used for mutual authentication.
635b9cbc85dSRick Macklem 	 */
636b9cbc85dSRick Macklem 	if (rpctls_cert && certlen > 0) {
637b9cbc85dSRick Macklem 		len = strlcpy(path, rpctls_certdir, sizeof(path));
638b9cbc85dSRick Macklem 		rlen = sizeof(path) - len;
639b9cbc85dSRick Macklem 		if (rlen <= certlen) {
640b9cbc85dSRick Macklem 			SSL_free(ssl);
641b9cbc85dSRick Macklem 			return (NULL);
642b9cbc85dSRick Macklem 		}
643b9cbc85dSRick Macklem 		memcpy(&path[len], certname, certlen);
644b9cbc85dSRick Macklem 		rlen -= certlen;
645b9cbc85dSRick Macklem 		len += certlen;
646b9cbc85dSRick Macklem 		path[len] = '\0';
647b9cbc85dSRick Macklem 		if (strlcpy(&path[len], ".pem", rlen) != 4) {
648b9cbc85dSRick Macklem 			SSL_free(ssl);
649b9cbc85dSRick Macklem 			return (NULL);
650b9cbc85dSRick Macklem 		}
651b9cbc85dSRick Macklem 		ret = SSL_use_certificate_file(ssl, path, SSL_FILETYPE_PEM);
652b9cbc85dSRick Macklem 		if (ret != 1) {
653b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_connect: can't use "
654b9cbc85dSRick Macklem 			    "certificate file path=%s ret=%d\n", path, ret);
655b9cbc85dSRick Macklem 			SSL_free(ssl);
656b9cbc85dSRick Macklem 			return (NULL);
657b9cbc85dSRick Macklem 		}
658b9cbc85dSRick Macklem 		if (strlcpy(&path[len], "key.pem", rlen) != 7) {
659b9cbc85dSRick Macklem 			SSL_free(ssl);
660b9cbc85dSRick Macklem 			return (NULL);
661b9cbc85dSRick Macklem 		}
662b9cbc85dSRick Macklem 		ret = SSL_use_PrivateKey_file(ssl, path, SSL_FILETYPE_PEM);
663b9cbc85dSRick Macklem 		if (ret != 1) {
664b9cbc85dSRick Macklem 			rpctls_verbose_out("rpctls_connect: Can't use "
665b9cbc85dSRick Macklem 			    "private key path=%s ret=%d\n", path, ret);
666b9cbc85dSRick Macklem 			SSL_free(ssl);
667b9cbc85dSRick Macklem 			return (NULL);
668b9cbc85dSRick Macklem 		}
669b9cbc85dSRick Macklem 	}
670b9cbc85dSRick Macklem 
671b9cbc85dSRick Macklem 	ret = SSL_connect(ssl);
672b9cbc85dSRick Macklem 	if (ret != 1) {
673b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_connect: "
6749630e237SVladimir Kotal 		    "SSL_connect failed %d: %s\n",
6759630e237SVladimir Kotal 		    ret, ERR_error_string(ERR_get_error(), NULL));
676b9cbc85dSRick Macklem 		SSL_free(ssl);
677b9cbc85dSRick Macklem 		return (NULL);
678b9cbc85dSRick Macklem 	}
679b9cbc85dSRick Macklem 
680*88ea9628SRick Macklem #if OPENSSL_VERSION_NUMBER >= 0x30000000
681*88ea9628SRick Macklem 	cert = SSL_get1_peer_certificate(ssl);
682*88ea9628SRick Macklem #else
683b9cbc85dSRick Macklem 	cert = SSL_get_peer_certificate(ssl);
684*88ea9628SRick Macklem #endif
685b9cbc85dSRick Macklem 	if (cert == NULL) {
686b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_connect: get peer"
687b9cbc85dSRick Macklem 		    " certificate failed\n");
688b9cbc85dSRick Macklem 		SSL_free(ssl);
689b9cbc85dSRick Macklem 		return (NULL);
690b9cbc85dSRick Macklem 	}
691b9cbc85dSRick Macklem 	gethostret = rpctls_gethost(s, sad, hostnam, sizeof(hostnam));
692b9cbc85dSRick Macklem 	if (gethostret == 0)
693b9cbc85dSRick Macklem 		hostnam[0] = '\0';
694b9cbc85dSRick Macklem 	verfret = SSL_get_verify_result(ssl);
695b9cbc85dSRick Macklem 	if (verfret == X509_V_OK && (rpctls_verify_cafile != NULL ||
696b9cbc85dSRick Macklem 	    rpctls_verify_capath != NULL) && (gethostret == 0 ||
697b9cbc85dSRick Macklem 	    rpctls_checkhost(sad, cert, X509_CHECK_FLAG_NO_WILDCARDS) != 1))
698b9cbc85dSRick Macklem 		verfret = X509_V_ERR_HOSTNAME_MISMATCH;
699b9cbc85dSRick Macklem 	if (verfret != X509_V_OK && (rpctls_verify_cafile != NULL ||
700b9cbc85dSRick Macklem 	    rpctls_verify_capath != NULL)) {
701b9cbc85dSRick Macklem 		if (verfret != X509_V_OK) {
702b9cbc85dSRick Macklem 			cp = X509_NAME_oneline(X509_get_issuer_name(cert),
703b9cbc85dSRick Macklem 			    NULL, 0);
704b9cbc85dSRick Macklem 			cp2 = X509_NAME_oneline(X509_get_subject_name(cert),
705b9cbc85dSRick Macklem 			    NULL, 0);
706b9cbc85dSRick Macklem 			if (rpctls_debug_level == 0)
707b9cbc85dSRick Macklem 				syslog(LOG_INFO | LOG_DAEMON,
708b9cbc85dSRick Macklem 				    "rpctls_connect: client IP %s "
709b9cbc85dSRick Macklem 				    "issuerName=%s subjectName=%s verify "
710b9cbc85dSRick Macklem 				    "failed %s\n", hostnam, cp, cp2,
711b9cbc85dSRick Macklem 				    X509_verify_cert_error_string(verfret));
712b9cbc85dSRick Macklem 			else
713b9cbc85dSRick Macklem 				fprintf(stderr,
714b9cbc85dSRick Macklem 				    "rpctls_connect: client IP %s "
715b9cbc85dSRick Macklem 				    "issuerName=%s subjectName=%s verify "
716b9cbc85dSRick Macklem 				    "failed %s\n", hostnam, cp, cp2,
717b9cbc85dSRick Macklem 				    X509_verify_cert_error_string(verfret));
718b9cbc85dSRick Macklem 		}
719b9cbc85dSRick Macklem 		X509_free(cert);
720b9cbc85dSRick Macklem 		SSL_free(ssl);
721b9cbc85dSRick Macklem 		return (NULL);
722b9cbc85dSRick Macklem 	}
723b9cbc85dSRick Macklem 
724b9cbc85dSRick Macklem 	/* Check to see if ktls is enabled on the connection. */
725b9cbc85dSRick Macklem 	ret = BIO_get_ktls_send(SSL_get_wbio(ssl));
726b9cbc85dSRick Macklem 	rpctls_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret);
727b9cbc85dSRick Macklem 	if (ret != 0) {
728b9cbc85dSRick Macklem 		ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
729b9cbc85dSRick Macklem 		rpctls_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n",
730b9cbc85dSRick Macklem 		    ret);
731b9cbc85dSRick Macklem 	}
732b9cbc85dSRick Macklem 	if (ret == 0) {
733b9cbc85dSRick Macklem 		if (rpctls_debug_level == 0)
734b9cbc85dSRick Macklem 			syslog(LOG_ERR, "ktls not working\n");
735b9cbc85dSRick Macklem 		else
736b9cbc85dSRick Macklem 			fprintf(stderr, "ktls not working\n");
737b9cbc85dSRick Macklem 		X509_free(cert);
738b9cbc85dSRick Macklem 		SSL_free(ssl);
739b9cbc85dSRick Macklem 		return (NULL);
740b9cbc85dSRick Macklem 	}
741b9cbc85dSRick Macklem 	if (ret == X509_V_OK && (rpctls_verify_cafile != NULL ||
742b9cbc85dSRick Macklem 	    rpctls_verify_capath != NULL) && rpctls_crlfile != NULL)
743b9cbc85dSRick Macklem 		*certp = cert;
744b9cbc85dSRick Macklem 	else
745b9cbc85dSRick Macklem 		X509_free(cert);
746b9cbc85dSRick Macklem 
747b9cbc85dSRick Macklem 	return (ssl);
748b9cbc85dSRick Macklem }
749b9cbc85dSRick Macklem 
750b9cbc85dSRick Macklem static void
rpctls_huphandler(int sig __unused)751b9cbc85dSRick Macklem rpctls_huphandler(int sig __unused)
752b9cbc85dSRick Macklem {
753b9cbc85dSRick Macklem 
754b9cbc85dSRick Macklem 	rpctls_gothup = true;
755b9cbc85dSRick Macklem }
756