1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 5 * Authors: Doug Rabson <dfr@rabson.org> 6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 /* 31 * Extensively modified from /usr/src/usr.sbin/gssd.c r344402 for 32 * the client side of kernel RPC-over-TLS by Rick Macklem. 33 */ 34 35 #include <sys/cdefs.h> 36 #include <sys/param.h> 37 #include <sys/types.h> 38 #include <sys/queue.h> 39 #include <sys/linker.h> 40 #include <sys/module.h> 41 #include <sys/stat.h> 42 #include <sys/sysctl.h> 43 #include <sys/syslog.h> 44 #include <sys/time.h> 45 #include <err.h> 46 #include <getopt.h> 47 #include <libutil.h> 48 #include <netdb.h> 49 #include <signal.h> 50 #include <stdarg.h> 51 #include <stdbool.h> 52 #include <stdio.h> 53 #include <stdlib.h> 54 #include <string.h> 55 #include <unistd.h> 56 57 #include <rpc/rpc.h> 58 #include <rpc/rpc_com.h> 59 #include <rpc/rpcsec_tls.h> 60 61 #include <openssl/opensslconf.h> 62 #include <openssl/bio.h> 63 #include <openssl/ssl.h> 64 #include <openssl/err.h> 65 #include <openssl/x509v3.h> 66 67 #include "rpctlscd.h" 68 #include "rpc.tlscommon.h" 69 70 #ifndef _PATH_RPCTLSCDSOCK 71 #define _PATH_RPCTLSCDSOCK "/var/run/rpc.tlsclntd.sock" 72 #endif 73 #ifndef _PATH_CERTANDKEY 74 #define _PATH_CERTANDKEY "/etc/rpc.tlsclntd/" 75 #endif 76 #ifndef _PATH_RPCTLSCDPID 77 #define _PATH_RPCTLSCDPID "/var/run/rpc.tlsclntd.pid" 78 #endif 79 80 /* Global variables also used by rpc.tlscommon.c. */ 81 int rpctls_debug_level; 82 bool rpctls_verbose; 83 SSL_CTX *rpctls_ctx = NULL; 84 const char *rpctls_verify_cafile = NULL; 85 const char *rpctls_verify_capath = NULL; 86 char *rpctls_crlfile = NULL; 87 bool rpctls_cert = false; 88 bool rpctls_gothup = false; 89 struct ssl_list rpctls_ssllist; 90 91 static struct pidfh *rpctls_pfh = NULL; 92 static const char *rpctls_certdir = _PATH_CERTANDKEY; 93 static const char *rpctls_ciphers = NULL; 94 static uint64_t rpctls_ssl_refno = 0; 95 static uint64_t rpctls_ssl_sec = 0; 96 static uint64_t rpctls_ssl_usec = 0; 97 static int rpctls_tlsvers = TLS1_3_VERSION; 98 99 static void rpctlscd_terminate(int); 100 static SSL_CTX *rpctls_setupcl_ssl(void); 101 static SSL *rpctls_connect(SSL_CTX *ctx, int s, char *certname, 102 u_int certlen, X509 **certp); 103 static void rpctls_huphandler(int sig __unused); 104 105 extern void rpctlscd_1(struct svc_req *rqstp, SVCXPRT *transp); 106 107 static struct option longopts[] = { 108 { "usetls1_2", no_argument, NULL, '2' }, 109 { "certdir", required_argument, NULL, 'D' }, 110 { "ciphers", required_argument, NULL, 'C' }, 111 { "debuglevel", no_argument, NULL, 'd' }, 112 { "verifylocs", required_argument, NULL, 'l' }, 113 { "mutualverf", no_argument, NULL, 'm' }, 114 { "verifydir", required_argument, NULL, 'p' }, 115 { "crl", required_argument, NULL, 'r' }, 116 { "verbose", no_argument, NULL, 'v' }, 117 { NULL, 0, NULL, 0 } 118 }; 119 120 int 121 main(int argc, char **argv) 122 { 123 /* 124 * We provide an RPC service on a local-domain socket. The 125 * kernel rpctls code will upcall to this daemon to do the initial 126 * TLS handshake. 127 */ 128 struct sockaddr_un sun; 129 int ch, fd, oldmask; 130 SVCXPRT *xprt; 131 bool tls_enable; 132 struct timeval tm; 133 struct timezone tz; 134 pid_t otherpid; 135 size_t tls_enable_len; 136 137 /* Check that another rpctlscd isn't already running. */ 138 rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid); 139 if (rpctls_pfh == NULL) { 140 if (errno == EEXIST) 141 errx(1, "rpctlscd already running, pid: %d.", otherpid); 142 warn("cannot open or create pidfile"); 143 } 144 145 /* Check to see that the ktls is enabled. */ 146 tls_enable_len = sizeof(tls_enable); 147 if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len, 148 NULL, 0) != 0 || !tls_enable) 149 errx(1, "Kernel TLS not enabled"); 150 151 /* Get the time when this daemon is started. */ 152 gettimeofday(&tm, &tz); 153 rpctls_ssl_sec = tm.tv_sec; 154 rpctls_ssl_usec = tm.tv_usec; 155 156 rpctls_verbose = false; 157 while ((ch = getopt_long(argc, argv, "2C:D:dl:mp:r:v", longopts, 158 NULL)) != -1) { 159 switch (ch) { 160 case '2': 161 rpctls_tlsvers = TLS1_2_VERSION; 162 break; 163 case 'C': 164 rpctls_ciphers = optarg; 165 break; 166 case 'D': 167 rpctls_certdir = optarg; 168 break; 169 case 'd': 170 rpctls_debug_level++; 171 break; 172 case 'l': 173 rpctls_verify_cafile = optarg; 174 break; 175 case 'm': 176 rpctls_cert = true; 177 break; 178 case 'p': 179 rpctls_verify_capath = optarg; 180 break; 181 case 'r': 182 rpctls_crlfile = optarg; 183 break; 184 case 'v': 185 rpctls_verbose = true; 186 break; 187 default: 188 fprintf(stderr, "usage: %s " 189 "[-2/--usetls1_2] " 190 "[-C/--ciphers available_ciphers] " 191 "[-D/--certdir certdir] [-d/--debuglevel] " 192 "[-l/--verifylocs CAfile] [-m/--mutualverf] " 193 "[-p/--verifydir CApath] [-r/--crl CRLfile] " 194 "[-v/--verbose]\n", argv[0]); 195 exit(1); 196 break; 197 } 198 } 199 if (rpctls_crlfile != NULL && rpctls_verify_cafile == NULL && 200 rpctls_verify_capath == NULL) 201 errx(1, "-r requires the -l <CAfile> and/or " 202 "-p <CApath> options"); 203 204 if (modfind("krpc") < 0) { 205 /* Not present in kernel, try loading it */ 206 if (kldload("krpc") < 0 || modfind("krpc") < 0) 207 errx(1, "Kernel RPC is not available"); 208 } 209 210 /* 211 * Set up the SSL_CTX *. 212 * Do it now, before daemonizing, in case the private key 213 * is encrypted and requires a passphrase to be entered. 214 */ 215 rpctls_ctx = rpctls_setupcl_ssl(); 216 if (rpctls_ctx == NULL) { 217 if (rpctls_debug_level == 0) { 218 syslog(LOG_ERR, "Can't set up TLS context"); 219 exit(1); 220 } 221 err(1, "Can't set up TLS context"); 222 } 223 LIST_INIT(&rpctls_ssllist); 224 225 if (!rpctls_debug_level) { 226 if (daemon(0, 0) != 0) 227 err(1, "Can't daemonize"); 228 signal(SIGINT, SIG_IGN); 229 signal(SIGQUIT, SIG_IGN); 230 signal(SIGHUP, SIG_IGN); 231 } 232 signal(SIGTERM, rpctlscd_terminate); 233 signal(SIGPIPE, SIG_IGN); 234 signal(SIGHUP, rpctls_huphandler); 235 236 pidfile_write(rpctls_pfh); 237 238 memset(&sun, 0, sizeof sun); 239 sun.sun_family = AF_LOCAL; 240 unlink(_PATH_RPCTLSCDSOCK); 241 strcpy(sun.sun_path, _PATH_RPCTLSCDSOCK); 242 sun.sun_len = SUN_LEN(&sun); 243 fd = socket(AF_LOCAL, SOCK_STREAM, 0); 244 if (fd < 0) { 245 if (rpctls_debug_level == 0) { 246 syslog(LOG_ERR, "Can't create local rpctlscd socket"); 247 exit(1); 248 } 249 err(1, "Can't create local rpctlscd socket"); 250 } 251 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); 252 if (bind(fd, (struct sockaddr *)&sun, sun.sun_len) < 0) { 253 if (rpctls_debug_level == 0) { 254 syslog(LOG_ERR, "Can't bind local rpctlscd socket"); 255 exit(1); 256 } 257 err(1, "Can't bind local rpctlscd socket"); 258 } 259 umask(oldmask); 260 if (listen(fd, SOMAXCONN) < 0) { 261 if (rpctls_debug_level == 0) { 262 syslog(LOG_ERR, 263 "Can't listen on local rpctlscd socket"); 264 exit(1); 265 } 266 err(1, "Can't listen on local rpctlscd socket"); 267 } 268 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); 269 if (!xprt) { 270 if (rpctls_debug_level == 0) { 271 syslog(LOG_ERR, 272 "Can't create transport for local rpctlscd socket"); 273 exit(1); 274 } 275 err(1, "Can't create transport for local rpctlscd socket"); 276 } 277 if (!svc_reg(xprt, RPCTLSCD, RPCTLSCDVERS, rpctlscd_1, NULL)) { 278 if (rpctls_debug_level == 0) { 279 syslog(LOG_ERR, 280 "Can't register service for local rpctlscd socket"); 281 exit(1); 282 } 283 err(1, "Can't register service for local rpctlscd socket"); 284 } 285 286 if (rpctls_syscall(RPCTLS_SYSC_CLSETPATH, _PATH_RPCTLSCDSOCK) < 0) { 287 if (rpctls_debug_level == 0) { 288 syslog(LOG_ERR, 289 "Can't set upcall socket path errno=%d", errno); 290 exit(1); 291 } 292 err(1, "Can't set upcall socket path"); 293 } 294 295 rpctls_svc_run(); 296 297 rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, ""); 298 299 SSL_CTX_free(rpctls_ctx); 300 return (0); 301 } 302 303 bool_t 304 rpctlscd_null_1_svc(__unused void *argp, __unused void *result, 305 __unused struct svc_req *rqstp) 306 { 307 308 rpctls_verbose_out("rpctlscd_null: done\n"); 309 return (TRUE); 310 } 311 312 bool_t 313 rpctlscd_connect_1_svc(struct rpctlscd_connect_arg *argp, 314 struct rpctlscd_connect_res *result, __unused struct svc_req *rqstp) 315 { 316 int s; 317 SSL *ssl; 318 struct ssl_entry *newslp; 319 X509 *cert; 320 321 rpctls_verbose_out("rpctlsd_connect: started\n"); 322 /* Get the socket fd from the kernel. */ 323 s = rpctls_syscall(RPCTLS_SYSC_CLSOCKET, ""); 324 if (s < 0) { 325 result->reterr = RPCTLSERR_NOSOCKET; 326 return (TRUE); 327 } 328 329 /* Do a TLS connect handshake. */ 330 ssl = rpctls_connect(rpctls_ctx, s, argp->certname.certname_val, 331 argp->certname.certname_len, &cert); 332 if (ssl == NULL) { 333 rpctls_verbose_out("rpctlsd_connect: can't do TLS " 334 "handshake\n"); 335 result->reterr = RPCTLSERR_NOSSL; 336 } else { 337 result->reterr = RPCTLSERR_OK; 338 result->sec = rpctls_ssl_sec; 339 result->usec = rpctls_ssl_usec; 340 result->ssl = ++rpctls_ssl_refno; 341 /* Hard to believe this will ever wrap around.. */ 342 if (rpctls_ssl_refno == 0) 343 result->ssl = ++rpctls_ssl_refno; 344 } 345 346 if (ssl == NULL) { 347 /* 348 * For RPC-over-TLS, this upcall is expected 349 * to close off the socket. 350 */ 351 close(s); 352 return (TRUE); 353 } 354 355 /* Maintain list of all current SSL *'s */ 356 newslp = malloc(sizeof(*newslp)); 357 newslp->refno = rpctls_ssl_refno; 358 newslp->s = s; 359 newslp->shutoff = false; 360 newslp->ssl = ssl; 361 newslp->cert = cert; 362 LIST_INSERT_HEAD(&rpctls_ssllist, newslp, next); 363 return (TRUE); 364 } 365 366 bool_t 367 rpctlscd_handlerecord_1_svc(struct rpctlscd_handlerecord_arg *argp, 368 struct rpctlscd_handlerecord_res *result, __unused struct svc_req *rqstp) 369 { 370 struct ssl_entry *slp; 371 int ret; 372 char junk; 373 374 slp = NULL; 375 if (argp->sec == rpctls_ssl_sec && argp->usec == 376 rpctls_ssl_usec) { 377 LIST_FOREACH(slp, &rpctls_ssllist, next) { 378 if (slp->refno == argp->ssl) 379 break; 380 } 381 } 382 383 if (slp != NULL) { 384 rpctls_verbose_out("rpctlscd_handlerecord fd=%d\n", 385 slp->s); 386 /* 387 * An SSL_read() of 0 bytes should fail, but it should 388 * handle the non-application data record before doing so. 389 */ 390 ret = SSL_read(slp->ssl, &junk, 0); 391 if (ret <= 0) { 392 /* Check to see if this was a close alert. */ 393 ret = SSL_get_shutdown(slp->ssl); 394 if ((ret & (SSL_SENT_SHUTDOWN | 395 SSL_RECEIVED_SHUTDOWN)) == SSL_RECEIVED_SHUTDOWN) 396 SSL_shutdown(slp->ssl); 397 } else { 398 if (rpctls_debug_level == 0) 399 syslog(LOG_ERR, "SSL_read returned %d", ret); 400 else 401 fprintf(stderr, "SSL_read returned %d\n", ret); 402 } 403 result->reterr = RPCTLSERR_OK; 404 } else 405 result->reterr = RPCTLSERR_NOSSL; 406 return (TRUE); 407 } 408 409 bool_t 410 rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_arg *argp, 411 struct rpctlscd_disconnect_res *result, __unused struct svc_req *rqstp) 412 { 413 struct ssl_entry *slp; 414 int ret; 415 416 slp = NULL; 417 if (argp->sec == rpctls_ssl_sec && argp->usec == 418 rpctls_ssl_usec) { 419 LIST_FOREACH(slp, &rpctls_ssllist, next) { 420 if (slp->refno == argp->ssl) 421 break; 422 } 423 } 424 425 if (slp != NULL) { 426 rpctls_verbose_out("rpctlscd_disconnect: fd=%d closed\n", 427 slp->s); 428 LIST_REMOVE(slp, next); 429 if (!slp->shutoff) { 430 ret = SSL_get_shutdown(slp->ssl); 431 /* 432 * Do an SSL_shutdown() unless a close alert has 433 * already been sent. 434 */ 435 if ((ret & SSL_SENT_SHUTDOWN) == 0) 436 SSL_shutdown(slp->ssl); 437 } 438 SSL_free(slp->ssl); 439 if (slp->cert != NULL) 440 X509_free(slp->cert); 441 /* 442 * For RPC-over-TLS, this upcall is expected 443 * to close off the socket. 444 */ 445 if (!slp->shutoff) 446 shutdown(slp->s, SHUT_WR); 447 close(slp->s); 448 free(slp); 449 result->reterr = RPCTLSERR_OK; 450 } else 451 result->reterr = RPCTLSERR_NOCLOSE; 452 return (TRUE); 453 } 454 455 int 456 rpctlscd_1_freeresult(__unused SVCXPRT *transp, __unused xdrproc_t xdr_result, 457 __unused caddr_t result) 458 { 459 460 return (TRUE); 461 } 462 463 static void 464 rpctlscd_terminate(int sig __unused) 465 { 466 467 rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, ""); 468 pidfile_remove(rpctls_pfh); 469 exit(0); 470 } 471 472 static SSL_CTX * 473 rpctls_setupcl_ssl(void) 474 { 475 SSL_CTX *ctx; 476 char path[PATH_MAX]; 477 size_t len, rlen; 478 int ret; 479 480 ctx = SSL_CTX_new(TLS_client_method()); 481 if (ctx == NULL) { 482 rpctls_verbose_out("rpctls_setupcl_ssl: SSL_CTX_new " 483 "failed\n"); 484 return (NULL); 485 } 486 487 if (rpctls_ciphers != NULL) { 488 /* 489 * Set available ciphers, since KERN_TLS only supports a 490 * few of them. 491 */ 492 ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers); 493 if (ret == 0) { 494 rpctls_verbose_out("rpctls_setupcl_ssl: " 495 "SSL_CTX_set_ciphersuites failed: %s\n", 496 rpctls_ciphers); 497 SSL_CTX_free(ctx); 498 return (NULL); 499 } 500 } 501 502 /* 503 * If rpctls_cert is true, a certificate and key exists in 504 * rpctls_certdir, so that it can do mutual authentication. 505 */ 506 if (rpctls_cert) { 507 /* Get the cert.pem and certkey.pem files. */ 508 len = strlcpy(path, rpctls_certdir, sizeof(path)); 509 rlen = sizeof(path) - len; 510 if (strlcpy(&path[len], "cert.pem", rlen) != 8) { 511 SSL_CTX_free(ctx); 512 return (NULL); 513 } 514 ret = SSL_CTX_use_certificate_file(ctx, path, 515 SSL_FILETYPE_PEM); 516 if (ret != 1) { 517 rpctls_verbose_out("rpctls_setupcl_ssl: can't use " 518 "certificate file path=%s ret=%d\n", path, ret); 519 SSL_CTX_free(ctx); 520 return (NULL); 521 } 522 if (strlcpy(&path[len], "certkey.pem", rlen) != 11) { 523 SSL_CTX_free(ctx); 524 return (NULL); 525 } 526 ret = SSL_CTX_use_PrivateKey_file(ctx, path, 527 SSL_FILETYPE_PEM); 528 if (ret != 1) { 529 rpctls_verbose_out("rpctls_setupcl_ssl: Can't use " 530 "private key path=%s ret=%d\n", path, ret); 531 SSL_CTX_free(ctx); 532 return (NULL); 533 } 534 } 535 536 if (rpctls_verify_cafile != NULL || rpctls_verify_capath != NULL) { 537 if (rpctls_crlfile != NULL) { 538 ret = rpctls_loadcrlfile(ctx); 539 if (ret == 0) { 540 rpctls_verbose_out("rpctls_setupcl_ssl: " 541 "Load CRLfile failed\n"); 542 SSL_CTX_free(ctx); 543 return (NULL); 544 } 545 } 546 #if OPENSSL_VERSION_NUMBER >= 0x30000000 547 ret = 1; 548 if (rpctls_verify_cafile != NULL) 549 ret = SSL_CTX_load_verify_file(ctx, 550 rpctls_verify_cafile); 551 if (ret != 0 && rpctls_verify_capath != NULL) 552 ret = SSL_CTX_load_verify_dir(ctx, 553 rpctls_verify_capath); 554 #else 555 ret = SSL_CTX_load_verify_locations(ctx, 556 rpctls_verify_cafile, rpctls_verify_capath); 557 #endif 558 if (ret == 0) { 559 rpctls_verbose_out("rpctls_setupcl_ssl: " 560 "Can't load verify locations\n"); 561 SSL_CTX_free(ctx); 562 return (NULL); 563 } 564 /* 565 * The man page says that the 566 * SSL_CTX_set0_CA_list() call is not normally 567 * needed, but I believe it is harmless. 568 */ 569 if (rpctls_verify_cafile != NULL) 570 SSL_CTX_set0_CA_list(ctx, 571 SSL_load_client_CA_file(rpctls_verify_cafile)); 572 } 573 574 /* 575 * The RFC specifies that RPC-over-TLS must use TLS1.3. 576 * However, early FreeBSD versions (13.0, 13.1) did not 577 * support RX for KTLS1.3, so TLS1.2 needs to be used for 578 * these servers. 579 */ 580 ret = SSL_CTX_set_min_proto_version(ctx, rpctls_tlsvers); 581 if (ret == 0) { 582 rpctls_verbose_out("rpctls_setupcl_ssl: " 583 "SSL_CTX_set_min_proto_version failed\n"); 584 SSL_CTX_free(ctx); 585 return (NULL); 586 } 587 ret = SSL_CTX_set_max_proto_version(ctx, rpctls_tlsvers); 588 if (ret == 0) { 589 rpctls_verbose_out("rpctls_setupcl_ssl: " 590 "SSL_CTX_set_max_proto_version failed\n"); 591 SSL_CTX_free(ctx); 592 return (NULL); 593 } 594 595 #ifdef SSL_OP_ENABLE_KTLS 596 SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); 597 #endif 598 #ifdef SSL_MODE_NO_KTLS_TX 599 SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX); 600 #endif 601 return (ctx); 602 } 603 604 static SSL * 605 rpctls_connect(SSL_CTX *ctx, int s, char *certname, u_int certlen, X509 **certp) 606 { 607 SSL *ssl; 608 X509 *cert; 609 struct sockaddr_storage ad; 610 struct sockaddr *sad; 611 char hostnam[NI_MAXHOST], path[PATH_MAX]; 612 int gethostret, ret; 613 char *cp, *cp2; 614 size_t len, rlen; 615 long verfret; 616 617 *certp = NULL; 618 sad = (struct sockaddr *)&ad; 619 ssl = SSL_new(ctx); 620 if (ssl == NULL) { 621 rpctls_verbose_out("rpctls_connect: " 622 "SSL_new failed\n"); 623 return (NULL); 624 } 625 if (SSL_set_fd(ssl, s) != 1) { 626 rpctls_verbose_out("rpctls_connect: " 627 "SSL_set_fd failed\n"); 628 SSL_free(ssl); 629 return (NULL); 630 } 631 632 /* 633 * If rpctls_cert is true and certname is set, a alternate certificate 634 * and key exists in files named <certname>.pem and <certname>key.pem 635 * in rpctls_certdir that is to be used for mutual authentication. 636 */ 637 if (rpctls_cert && certlen > 0) { 638 len = strlcpy(path, rpctls_certdir, sizeof(path)); 639 rlen = sizeof(path) - len; 640 if (rlen <= certlen) { 641 SSL_free(ssl); 642 return (NULL); 643 } 644 memcpy(&path[len], certname, certlen); 645 rlen -= certlen; 646 len += certlen; 647 path[len] = '\0'; 648 if (strlcpy(&path[len], ".pem", rlen) != 4) { 649 SSL_free(ssl); 650 return (NULL); 651 } 652 ret = SSL_use_certificate_file(ssl, path, SSL_FILETYPE_PEM); 653 if (ret != 1) { 654 rpctls_verbose_out("rpctls_connect: can't use " 655 "certificate file path=%s ret=%d\n", path, ret); 656 SSL_free(ssl); 657 return (NULL); 658 } 659 if (strlcpy(&path[len], "key.pem", rlen) != 7) { 660 SSL_free(ssl); 661 return (NULL); 662 } 663 ret = SSL_use_PrivateKey_file(ssl, path, SSL_FILETYPE_PEM); 664 if (ret != 1) { 665 rpctls_verbose_out("rpctls_connect: Can't use " 666 "private key path=%s ret=%d\n", path, ret); 667 SSL_free(ssl); 668 return (NULL); 669 } 670 } 671 672 ret = SSL_connect(ssl); 673 if (ret != 1) { 674 rpctls_verbose_out("rpctls_connect: " 675 "SSL_connect failed %d: %s\n", 676 ret, ERR_error_string(ERR_get_error(), NULL)); 677 SSL_free(ssl); 678 return (NULL); 679 } 680 681 #if OPENSSL_VERSION_NUMBER >= 0x30000000 682 cert = SSL_get1_peer_certificate(ssl); 683 #else 684 cert = SSL_get_peer_certificate(ssl); 685 #endif 686 if (cert == NULL) { 687 rpctls_verbose_out("rpctls_connect: get peer" 688 " certificate failed\n"); 689 SSL_free(ssl); 690 return (NULL); 691 } 692 gethostret = rpctls_gethost(s, sad, hostnam, sizeof(hostnam)); 693 if (gethostret == 0) 694 hostnam[0] = '\0'; 695 verfret = SSL_get_verify_result(ssl); 696 if (verfret == X509_V_OK && (rpctls_verify_cafile != NULL || 697 rpctls_verify_capath != NULL) && (gethostret == 0 || 698 rpctls_checkhost(sad, cert, X509_CHECK_FLAG_NO_WILDCARDS) != 1)) 699 verfret = X509_V_ERR_HOSTNAME_MISMATCH; 700 if (verfret != X509_V_OK && (rpctls_verify_cafile != NULL || 701 rpctls_verify_capath != NULL)) { 702 if (verfret != X509_V_OK) { 703 cp = X509_NAME_oneline(X509_get_issuer_name(cert), 704 NULL, 0); 705 cp2 = X509_NAME_oneline(X509_get_subject_name(cert), 706 NULL, 0); 707 if (rpctls_debug_level == 0) 708 syslog(LOG_INFO | LOG_DAEMON, 709 "rpctls_connect: client IP %s " 710 "issuerName=%s subjectName=%s verify " 711 "failed %s\n", hostnam, cp, cp2, 712 X509_verify_cert_error_string(verfret)); 713 else 714 fprintf(stderr, 715 "rpctls_connect: client IP %s " 716 "issuerName=%s subjectName=%s verify " 717 "failed %s\n", hostnam, cp, cp2, 718 X509_verify_cert_error_string(verfret)); 719 } 720 X509_free(cert); 721 SSL_free(ssl); 722 return (NULL); 723 } 724 725 /* Check to see if ktls is enabled on the connection. */ 726 ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); 727 rpctls_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret); 728 if (ret != 0) { 729 ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); 730 rpctls_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", 731 ret); 732 } 733 if (ret == 0) { 734 if (rpctls_debug_level == 0) 735 syslog(LOG_ERR, "ktls not working\n"); 736 else 737 fprintf(stderr, "ktls not working\n"); 738 X509_free(cert); 739 SSL_free(ssl); 740 return (NULL); 741 } 742 if (ret == X509_V_OK && (rpctls_verify_cafile != NULL || 743 rpctls_verify_capath != NULL) && rpctls_crlfile != NULL) 744 *certp = cert; 745 else 746 X509_free(cert); 747 748 return (ssl); 749 } 750 751 static void 752 rpctls_huphandler(int sig __unused) 753 { 754 755 rpctls_gothup = true; 756 } 757