2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2021 Rick Macklem
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include <sys/queue.h>
33 #include <sys/syslog.h>
34 #include <sys/select.h>
45 #include <openssl/opensslconf.h>
46 #include <openssl/bio.h>
47 #include <openssl/ssl.h>
48 #include <openssl/err.h>
49 #include <openssl/x509v3.h>
51 #include "rpc.tlscommon.h"
54 * How long to delay a reload of the CRL when there are RPC request(s)
55 * to process, in usec. Must be less than 1second.
57 #define RELOADDELAY 250000
65 uint64_t curtime, nexttime;
69 /* Expand svc_run() here so that we can call rpctls_loadcrlfile(). */
70 curtime = nexttime = 0;
71 sigemptyset(&sighup_mask);
72 sigaddset(&sighup_mask, SIGHUP);
74 clock_gettime(CLOCK_MONOTONIC, &tp);
76 curtime = curtime * 1000000 + tp.tv_nsec / 1000;
77 sigprocmask(SIG_BLOCK, &sighup_mask, NULL);
78 if (rpctls_gothup && curtime >= nexttime) {
79 rpctls_gothup = false;
80 sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
81 ret = rpctls_loadcrlfile(rpctls_ctx);
85 rpctls_verbose_out("rpc.tlsservd: Can't "
87 clock_gettime(CLOCK_MONOTONIC, &tp);
89 nexttime = nexttime * 1000000 + tp.tv_nsec / 1000 +
92 sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
95 * If a reload is pending, poll for received request(s),
96 * otherwise set a RELOADDELAY timeout, since a SIGHUP
97 * could be processed between the got_sighup test and
98 * the select() system call.
104 tv.tv_usec = RELOADDELAY;
106 switch (select(svc_maxfd + 1, &readfds, NULL, NULL, &tv)) {
108 if (errno == EINTR) {
109 /* Allow a reload now. */
113 syslog(LOG_ERR, "rpc.tls daemon died: select: %m");
116 /* Allow a reload now. */
120 svc_getreqset(&readfds);
126 * (re)load the CRLfile into the certificate verification store.
129 rpctls_loadcrlfile(SSL_CTX *ctx)
131 X509_STORE *certstore;
132 X509_LOOKUP *certlookup;
135 if ((rpctls_verify_cafile != NULL ||
136 rpctls_verify_capath != NULL) &&
137 rpctls_crlfile != NULL) {
138 certstore = SSL_CTX_get_cert_store(ctx);
139 certlookup = X509_STORE_add_lookup(
140 certstore, X509_LOOKUP_file());
142 if (certlookup != NULL)
143 ret = X509_load_crl_file(certlookup,
144 rpctls_crlfile, X509_FILETYPE_PEM);
146 ret = X509_STORE_set_flags(certstore,
147 X509_V_FLAG_CRL_CHECK |
148 X509_V_FLAG_CRL_CHECK_ALL);
151 "rpctls_loadcrlfile: Can't"
152 " load CRLfile=%s\n",
161 * Read the CRL file and check for any extant connections
162 * that might now be revoked.
165 rpctls_checkcrl(void)
167 struct ssl_entry *slp;
170 X509_REVOKED *revoked;
171 char *cp, *cp2, nullstr[1];
174 if (rpctls_crlfile == NULL || (rpctls_verify_cafile == NULL &&
175 rpctls_verify_capath == NULL))
177 infile = BIO_new(BIO_s_file());
178 if (infile == NULL) {
179 rpctls_verbose_out("rpctls_checkcrl: Cannot BIO_new\n");
182 ret = BIO_read_filename(infile, rpctls_crlfile);
184 rpctls_verbose_out("rpctls_checkcrl: Cannot read CRL file\n");
190 for (crl = PEM_read_bio_X509_CRL(infile, NULL, NULL, nullstr);
191 crl != NULL; crl = PEM_read_bio_X509_CRL(infile, NULL, NULL,
193 LIST_FOREACH(slp, &rpctls_ssllist, next) {
194 if (slp->cert != NULL) {
195 ret = X509_CRL_get0_by_cert(crl, &revoked,
198 * Do a shutdown on the socket, so that it
199 * can no longer be used. The kernel RPC
200 * code will notice the socket is disabled
201 * and will do a disconnect upcall, which will
205 cp2 = X509_NAME_oneline(
206 X509_get_subject_name(slp->cert),
208 cp = X509_NAME_oneline(
209 X509_get_issuer_name(slp->cert),
211 if (rpctls_debug_level == 0)
212 syslog(LOG_INFO | LOG_DAEMON,
213 "rpctls_daemon: Certificate"
217 "TCP connection closed",
221 "rpctls_daemon: Certificate"
225 "TCP connection closed",
227 shutdown(slp->s, SHUT_WR);
238 rpctls_verbose_out(const char *fmt, ...)
242 if (rpctls_verbose) {
244 if (rpctls_debug_level == 0)
245 vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap);
247 vfprintf(stderr, fmt, ap);
253 * Check a IP address against any host address in the
254 * certificate. Basically getnameinfo(3) and
258 rpctls_checkhost(struct sockaddr *sad, X509 *cert, unsigned int wildcard)
260 char hostnam[NI_MAXHOST];
263 if (getnameinfo((const struct sockaddr *)sad,
264 sad->sa_len, hostnam, sizeof(hostnam),
265 NULL, 0, NI_NAMEREQD) != 0)
267 rpctls_verbose_out("rpctls_checkhost: DNS %s\n",
269 ret = X509_check_host(cert, hostnam, strlen(hostnam),
275 * Get the peer's IP address.
278 rpctls_gethost(int s, struct sockaddr *sad, char *hostip, size_t hostlen)
283 slen = sizeof(struct sockaddr_storage);
284 if (getpeername(s, sad, &slen) < 0)
287 if (getnameinfo((const struct sockaddr *)sad,
288 sad->sa_len, hostip, hostlen,
289 NULL, 0, NI_NUMERICHOST) == 0) {
290 rpctls_verbose_out("rpctls_gethost: %s\n",