1 /*
2 ** Zabbix
3 ** Copyright (C) 2001-2021 Zabbix SIA
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License as published by
7 ** the Free Software Foundation; either version 2 of the License, or
8 ** (at your option) any later version.
9 **
10 ** This program is distributed in the hope that it will be useful,
11 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
12 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 ** GNU General Public License for more details.
14 **
15 ** You should have received a copy of the GNU General Public License
16 ** along with this program; if not, write to the Free Software
17 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 **/
19
20 #include "common.h"
21
22 #if defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
23
24 #include "comms.h"
25 #include "threads.h"
26 #include "log.h"
27 #include "zbxcrypto.h"
28 #include "tls.h"
29 #include "tls_tcp.h"
30 #include "tls_tcp_active.h"
31
32 #if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
33 /* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) or LibreSSL */
34
35 /* mutexes for multi-threaded OpenSSL (see "man 3ssl threads" and example in crypto/threads/mttest.c) */
36
37 #ifdef _WINDOWS
38 #include "mutexs.h"
39
40 static zbx_mutex_t *crypto_mutexes = NULL;
41
zbx_openssl_locking_cb(int mode,int n,const char * file,int line)42 static void zbx_openssl_locking_cb(int mode, int n, const char *file, int line)
43 {
44 if (0 != (mode & CRYPTO_LOCK))
45 __zbx_mutex_lock(file, line, *(crypto_mutexes + n));
46 else
47 __zbx_mutex_unlock(file, line, *(crypto_mutexes + n));
48 }
49
zbx_openssl_thread_setup(void)50 static void zbx_openssl_thread_setup(void)
51 {
52 int i, num_locks;
53
54 num_locks = CRYPTO_num_locks();
55
56 if (NULL == (crypto_mutexes = zbx_malloc(crypto_mutexes, num_locks * sizeof(zbx_mutex_t))))
57 {
58 zabbix_log(LOG_LEVEL_CRIT, "cannot allocate mutexes for OpenSSL library");
59 exit(EXIT_FAILURE);
60 }
61
62 zabbix_log(LOG_LEVEL_DEBUG, "%s() creating %d mutexes", __func__, num_locks);
63
64 for (i = 0; i < num_locks; i++)
65 {
66 char *error = NULL;
67
68 if (SUCCEED != zbx_mutex_create(crypto_mutexes + i, NULL, &error))
69 {
70 zabbix_log(LOG_LEVEL_CRIT, "cannot create mutex #%d for OpenSSL library: %s", i, error);
71 zbx_free(error);
72 exit(EXIT_FAILURE);
73 }
74 }
75
76 CRYPTO_set_locking_callback((void (*)(int, int, const char *, int))zbx_openssl_locking_cb);
77
78 /* do not register our own threadid_func() callback, use OpenSSL default one */
79 }
80
zbx_openssl_thread_cleanup(void)81 static void zbx_openssl_thread_cleanup(void)
82 {
83 int i, num_locks;
84
85 CRYPTO_set_locking_callback(NULL);
86
87 num_locks = CRYPTO_num_locks();
88
89 for (i = 0; i < num_locks; i++)
90 zbx_mutex_destroy(crypto_mutexes + i);
91
92 zbx_free(crypto_mutexes);
93 }
94 #endif /* _WINDOWS */
95
zbx_openssl_init_ssl(int opts,void * settings)96 static int zbx_openssl_init_ssl(int opts, void *settings)
97 {
98 #if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL
99 ZBX_UNUSED(opts);
100 ZBX_UNUSED(settings);
101
102 SSL_load_error_strings();
103 ERR_load_BIO_strings();
104 SSL_library_init();
105 #endif
106 #ifdef _WINDOWS
107 ZBX_UNUSED(opts);
108 ZBX_UNUSED(settings);
109 zbx_openssl_thread_setup();
110 #endif
111 return 1;
112 }
113
OPENSSL_cleanup(void)114 static void OPENSSL_cleanup(void)
115 {
116 RAND_cleanup();
117 ERR_free_strings();
118 #ifdef _WINDOWS
119 zbx_openssl_thread_cleanup();
120 #endif
121 }
122 #endif /* defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER) */
123
124 #if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
125 /* OpenSSL 1.1.0 or newer, not LibreSSL */
zbx_openssl_init_ssl(int opts,void * settings)126 static int zbx_openssl_init_ssl(int opts, void *settings)
127 {
128 return OPENSSL_init_ssl(opts, settings);
129 }
130 #endif
131
132 struct zbx_tls_context
133 {
134 #if defined(HAVE_GNUTLS)
135 gnutls_session_t ctx;
136 gnutls_psk_client_credentials_t psk_client_creds;
137 gnutls_psk_server_credentials_t psk_server_creds;
138 #elif defined(HAVE_OPENSSL)
139 SSL *ctx;
140 #endif
141 };
142
143 extern unsigned int configured_tls_connect_mode;
144 extern unsigned int configured_tls_accept_modes;
145
146 extern unsigned char program_type;
147
148 extern int CONFIG_PASSIVE_FORKS;
149 extern int CONFIG_ACTIVE_FORKS;
150
151 extern char *CONFIG_TLS_CONNECT;
152 extern char *CONFIG_TLS_ACCEPT;
153 extern char *CONFIG_TLS_CA_FILE;
154 extern char *CONFIG_TLS_CRL_FILE;
155 extern char *CONFIG_TLS_SERVER_CERT_ISSUER;
156 extern char *CONFIG_TLS_SERVER_CERT_SUBJECT;
157 extern char *CONFIG_TLS_CERT_FILE;
158 extern char *CONFIG_TLS_KEY_FILE;
159 extern char *CONFIG_TLS_PSK_IDENTITY;
160 extern char *CONFIG_TLS_PSK_FILE;
161
162 extern char *CONFIG_TLS_CIPHER_CERT13; /* parameter 'TLSCipherCert13' from server/proxy/agent config file */
163 extern char *CONFIG_TLS_CIPHER_CERT; /* parameter 'TLSCipherCert' from server/proxy/agent config file */
164 extern char *CONFIG_TLS_CIPHER_PSK13; /* parameter 'TLSCipherPSK13' from server/proxy/agent config file */
165 extern char *CONFIG_TLS_CIPHER_PSK; /* parameter 'TLSCipherPSK' from server/proxy/agent config file */
166 extern char *CONFIG_TLS_CIPHER_ALL13; /* parameter 'TLSCipherAll13' from server/proxy/agent config file */
167 extern char *CONFIG_TLS_CIPHER_ALL; /* parameter 'TLSCipherAll' from server/proxy/agent config file */
168 extern char *CONFIG_TLS_CIPHER_CMD13; /* parameter '--tls-cipher13' from sender or zabbix_get command line */
169 extern char *CONFIG_TLS_CIPHER_CMD; /* parameter '--tls-cipher' from sender or zabbix_get command line */
170
171 static ZBX_THREAD_LOCAL char *my_psk_identity = NULL;
172 static ZBX_THREAD_LOCAL size_t my_psk_identity_len = 0;
173 static ZBX_THREAD_LOCAL char *my_psk = NULL;
174 static ZBX_THREAD_LOCAL size_t my_psk_len = 0;
175
176 /* Pointer to DCget_psk_by_identity() initialized at runtime. This is a workaround for linking. */
177 /* Server and proxy link with src/libs/zbxdbcache/dbconfig.o where DCget_psk_by_identity() resides */
178 /* but other components (e.g. agent) do not link dbconfig.o. */
179 size_t (*find_psk_in_cache)(const unsigned char *, unsigned char *, unsigned int *) = NULL;
180
181 /* variable for passing information from callback functions if PSK was found among host PSKs or autoregistration PSK */
182 static unsigned int psk_usage;
183
184 #if defined(HAVE_GNUTLS)
185 static ZBX_THREAD_LOCAL gnutls_certificate_credentials_t my_cert_creds = NULL;
186 static ZBX_THREAD_LOCAL gnutls_psk_client_credentials_t my_psk_client_creds = NULL;
187 static ZBX_THREAD_LOCAL gnutls_psk_server_credentials_t my_psk_server_creds = NULL;
188 static ZBX_THREAD_LOCAL gnutls_priority_t ciphersuites_cert = NULL;
189 static ZBX_THREAD_LOCAL gnutls_priority_t ciphersuites_psk = NULL;
190 static ZBX_THREAD_LOCAL gnutls_priority_t ciphersuites_all = NULL;
191 static int init_done = 0;
192 #elif defined(HAVE_OPENSSL)
193 static ZBX_THREAD_LOCAL const SSL_METHOD *method = NULL;
194 static ZBX_THREAD_LOCAL SSL_CTX *ctx_cert = NULL;
195 #ifdef HAVE_OPENSSL_WITH_PSK
196 static ZBX_THREAD_LOCAL SSL_CTX *ctx_psk = NULL;
197 static ZBX_THREAD_LOCAL SSL_CTX *ctx_all = NULL;
198 /* variables for passing required PSK identity and PSK info to client callback function */
199 static ZBX_THREAD_LOCAL const char *psk_identity_for_cb = NULL;
200 static ZBX_THREAD_LOCAL size_t psk_identity_len_for_cb = 0;
201 static ZBX_THREAD_LOCAL char *psk_for_cb = NULL;
202 static ZBX_THREAD_LOCAL size_t psk_len_for_cb = 0;
203 #endif
204 static int init_done = 0;
205 #ifdef HAVE_OPENSSL_WITH_PSK
206 /* variables for capturing PSK identity from server callback function */
207 static ZBX_THREAD_LOCAL int incoming_connection_has_psk = 0;
208 static ZBX_THREAD_LOCAL char incoming_connection_psk_id[PSK_MAX_IDENTITY_LEN + 1];
209 #endif
210 /* buffer for messages produced by zbx_openssl_info_cb() */
211 ZBX_THREAD_LOCAL char info_buf[256];
212 #endif
213
214 #if defined(HAVE_GNUTLS)
215 /******************************************************************************
216 * *
217 * Function: zbx_gnutls_debug_cb *
218 * *
219 * Purpose: write a GnuTLS debug message into Zabbix log *
220 * *
221 * Comments: *
222 * This is a callback function, its arguments are defined in GnuTLS. *
223 * *
224 ******************************************************************************/
zbx_gnutls_debug_cb(int level,const char * str)225 static void zbx_gnutls_debug_cb(int level, const char *str)
226 {
227 char msg[1024];
228
229 /* remove '\n' from the end of debug message */
230 zbx_strlcpy(msg, str, sizeof(msg));
231 zbx_rtrim(msg, "\n");
232 zabbix_log(LOG_LEVEL_TRACE, "GnuTLS debug: level=%d \"%s\"", level, msg);
233 }
234
235 /******************************************************************************
236 * *
237 * Function: zbx_gnutls_audit_cb *
238 * *
239 * Purpose: write a GnuTLS audit message into Zabbix log *
240 * *
241 * Comments: *
242 * This is a callback function, its arguments are defined in GnuTLS. *
243 * *
244 ******************************************************************************/
zbx_gnutls_audit_cb(gnutls_session_t session,const char * str)245 static void zbx_gnutls_audit_cb(gnutls_session_t session, const char *str)
246 {
247 char msg[1024];
248
249 ZBX_UNUSED(session);
250
251 /* remove '\n' from the end of debug message */
252 zbx_strlcpy(msg, str, sizeof(msg));
253 zbx_rtrim(msg, "\n");
254
255 zabbix_log(LOG_LEVEL_WARNING, "GnuTLS audit: \"%s\"", msg);
256 }
257 #endif /* defined(HAVE_GNUTLS) */
258
259 #if defined(HAVE_OPENSSL)
260 /******************************************************************************
261 * *
262 * Function: zbx_openssl_info_cb *
263 * *
264 * Purpose: get state, alert, error information on TLS connection *
265 * *
266 * Comments: *
267 * This is a callback function, its arguments are defined in OpenSSL. *
268 * *
269 ******************************************************************************/
zbx_openssl_info_cb(const SSL * ssl,int where,int ret)270 static void zbx_openssl_info_cb(const SSL *ssl, int where, int ret)
271 {
272 /* There was an idea of using SSL_CB_LOOP and SSL_state_string_long() to write state changes into Zabbix log */
273 /* if logging level is LOG_LEVEL_TRACE. Unfortunately if OpenSSL for security is compiled without SSLv3 */
274 /* (i.e. OPENSSL_NO_SSL3 is defined) then SSL_state_string_long() does not provide descriptions of many */
275 /* states anymore. The idea was dropped but the code is here for debugging hard problems. */
276 #if 0
277 if (0 != (where & SSL_CB_LOOP))
278 {
279 zabbix_log(LOG_LEVEL_TRACE, "OpenSSL debug: state=0x%x \"%s\"", (unsigned int)SSL_state(ssl),
280 SSL_state_string_long(ssl));
281 }
282 #else
283 ZBX_UNUSED(ssl);
284 #endif
285 if (0 != (where & SSL_CB_ALERT)) /* alert sent or received */
286 {
287 const char *handshake, *direction, *rw;
288
289 if (0 != (where & SSL_CB_EXIT))
290 handshake = " handshake";
291 else
292 handshake = "";
293
294 if (0 != (where & SSL_ST_CONNECT))
295 direction = " connect";
296 else if (0 != (where & SSL_ST_ACCEPT))
297 direction = " accept";
298 else
299 direction = "";
300
301 if (0 != (where & SSL_CB_READ))
302 rw = " read";
303 else if (0 != (where & SSL_CB_WRITE))
304 rw = " write";
305 else
306 rw = "";
307
308 zbx_snprintf(info_buf, sizeof(info_buf), ": TLS%s%s%s %s alert \"%s\"", handshake, direction, rw,
309 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
310 }
311 }
312 #endif
313
314 /******************************************************************************
315 * *
316 * Function: zbx_tls_error_msg *
317 * *
318 * Purpose: compose a TLS error message *
319 * *
320 ******************************************************************************/
321 #if defined(HAVE_OPENSSL)
zbx_tls_error_msg(char ** error,size_t * error_alloc,size_t * error_offset)322 void zbx_tls_error_msg(char **error, size_t *error_alloc, size_t *error_offset)
323 {
324 unsigned long error_code;
325 const char *file, *data;
326 int line, flags;
327 char err[1024];
328
329 /* concatenate all error messages in the queue into one string */
330
331 while (0 != (error_code = ERR_get_error_line_data(&file, &line, &data, &flags)))
332 {
333 ERR_error_string_n(error_code, err, sizeof(err));
334
335 zbx_snprintf_alloc(error, error_alloc, error_offset, " file %s line %d: %s", file, line, err);
336
337 if (NULL != data && 0 != (flags & ERR_TXT_STRING))
338 zbx_snprintf_alloc(error, error_alloc, error_offset, ": %s", data);
339 }
340 }
341 #endif
342
343 /******************************************************************************
344 * *
345 * Function: zbx_tls_parameter_name *
346 * *
347 * Purpose: *
348 * return the name of a configuration file or command line parameter that *
349 * the value of the given parameter comes from *
350 * *
351 * Parameters: *
352 * type - [IN] type of parameter (file or command line) *
353 * param - [IN] address of the global parameter variable *
354 * *
355 ******************************************************************************/
356 #define ZBX_TLS_PARAMETER_CONFIG_FILE 0
357 #define ZBX_TLS_PARAMETER_COMMAND_LINE 1
zbx_tls_parameter_name(int type,char ** param)358 static const char *zbx_tls_parameter_name(int type, char **param)
359 {
360 if (&CONFIG_TLS_CONNECT == param)
361 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSConnect" : "--tls-connect";
362
363 if (&CONFIG_TLS_ACCEPT == param)
364 return "TLSAccept";
365
366 if (&CONFIG_TLS_CA_FILE == param)
367 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSCAFile" : "--tls-ca-file";
368
369 if (&CONFIG_TLS_CRL_FILE == param)
370 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSCRLFile" : "--tls-crl-file";
371
372 if (&CONFIG_TLS_SERVER_CERT_ISSUER == param)
373 {
374 if (ZBX_TLS_PARAMETER_CONFIG_FILE == type)
375 return "TLSServerCertIssuer";
376
377 if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
378 return "--tls-agent-cert-issuer";
379 else
380 return "--tls-server-cert-issuer";
381 }
382
383 if (&CONFIG_TLS_SERVER_CERT_SUBJECT == param)
384 {
385 if (ZBX_TLS_PARAMETER_CONFIG_FILE == type)
386 return "TLSServerCertSubject";
387
388 if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
389 return "--tls-agent-cert-subject";
390 else
391 return "--tls-server-cert-subject";
392 }
393
394 if (&CONFIG_TLS_CERT_FILE == param)
395 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSCertFile" : "--tls-cert-file";
396
397 if (&CONFIG_TLS_KEY_FILE == param)
398 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSKeyFile" : "--tls-key-file";
399
400 if (&CONFIG_TLS_PSK_IDENTITY == param)
401 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKIdentity" : "--tls-psk-identity";
402
403 if (&CONFIG_TLS_PSK_FILE == param)
404 return ZBX_TLS_PARAMETER_CONFIG_FILE == type ? "TLSPSKFile" : "--tls-psk-file";
405
406 if (&CONFIG_TLS_CIPHER_CERT13 == param)
407 return "TLSCipherCert13";
408
409 if (&CONFIG_TLS_CIPHER_CERT == param)
410 return "TLSCipherCert";
411
412 if (&CONFIG_TLS_CIPHER_PSK13 == param)
413 return "TLSCipherPSK13";
414
415 if (&CONFIG_TLS_CIPHER_PSK == param)
416 return "TLSCipherPSK";
417
418 if (&CONFIG_TLS_CIPHER_ALL13 == param)
419 return "TLSCipherAll13";
420
421 if (&CONFIG_TLS_CIPHER_ALL == param)
422 return "TLSCipherAll";
423
424 if (&CONFIG_TLS_CIPHER_CMD13 == param)
425 return "--tls-cipher13";
426
427 if (&CONFIG_TLS_CIPHER_CMD == param)
428 return "--tls-cipher";
429
430 THIS_SHOULD_NEVER_HAPPEN;
431
432 zbx_tls_free();
433 exit(EXIT_FAILURE);
434 }
435
436 /******************************************************************************
437 * *
438 * Function: zbx_tls_parameter_not_empty *
439 * *
440 * Purpose: *
441 * Helper function: check if a configuration parameter is defined it must *
442 * not be empty. Otherwise log error and exit. *
443 * *
444 * Parameters: *
445 * param - [IN] address of the global parameter variable *
446 * *
447 ******************************************************************************/
zbx_tls_parameter_not_empty(char ** param)448 static void zbx_tls_parameter_not_empty(char **param)
449 {
450 const char *value = *param;
451
452 if (NULL != value)
453 {
454 while ('\0' != *value)
455 {
456 if (0 == isspace(*value++))
457 return;
458 }
459
460 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
461 {
462 const char *name1, *name2;
463
464 name1 = zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param);
465 name2 = zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param);
466
467 if (0 != strcmp(name1, name2))
468 {
469 zabbix_log(LOG_LEVEL_CRIT, "configuration parameter \"%s\" or \"%s\" is defined but"
470 " empty", name1, name2);
471 }
472 else
473 {
474 zabbix_log(LOG_LEVEL_CRIT, "configuration parameter \"%s\" is defined but empty",
475 name1);
476 }
477 }
478 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
479 {
480 zabbix_log(LOG_LEVEL_CRIT, "configuration parameter \"%s\" is defined but empty",
481 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param));
482 }
483 else
484 {
485 zabbix_log(LOG_LEVEL_CRIT, "configuration parameter \"%s\" is defined but empty",
486 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param));
487 }
488
489 zbx_tls_free();
490 exit(EXIT_FAILURE);
491 }
492 }
493
494 /******************************************************************************
495 * *
496 * Function: zbx_tls_validation_error *
497 * *
498 * Purpose: *
499 * Helper function: log error message depending on program type and exit. *
500 * *
501 * Parameters: *
502 * type - [IN] type of TLS validation error *
503 * param1 - [IN] address of the first global parameter variable *
504 * param2 - [IN] address of the second global parameter variable (if any) *
505 * *
506 ******************************************************************************/
507 #define ZBX_TLS_VALIDATION_INVALID 0
508 #define ZBX_TLS_VALIDATION_DEPENDENCY 1
509 #define ZBX_TLS_VALIDATION_REQUIREMENT 2
510 #define ZBX_TLS_VALIDATION_UTF8 3
511 #define ZBX_TLS_VALIDATION_NO_PSK 4
zbx_tls_validation_error(int type,char ** param1,char ** param2)512 static void zbx_tls_validation_error(int type, char **param1, char **param2)
513 {
514 if (ZBX_TLS_VALIDATION_INVALID == type)
515 {
516 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
517 {
518 zabbix_log(LOG_LEVEL_CRIT, "invalid value of \"%s\" or \"%s\" parameter",
519 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
520 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
521 }
522 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
523 {
524 zabbix_log(LOG_LEVEL_CRIT, "invalid value of \"%s\" parameter",
525 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
526 }
527 else
528 {
529 zabbix_log(LOG_LEVEL_CRIT, "invalid value of \"%s\" parameter",
530 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1));
531 }
532 }
533 else if (ZBX_TLS_VALIDATION_DEPENDENCY == type)
534 {
535 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
536 {
537 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" or \"%s\" is defined,"
538 " but neither \"%s\" nor \"%s\" is defined",
539 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
540 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
541 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2),
542 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2));
543 }
544 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
545 {
546 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" is defined, but \"%s\" is not defined",
547 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
548 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2));
549 }
550 else
551 {
552 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" is defined, but \"%s\" is not defined",
553 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
554 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2));
555 }
556 }
557 else if (ZBX_TLS_VALIDATION_REQUIREMENT == type)
558 {
559 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
560 {
561 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" or \"%s\" value requires \"%s\" or \"%s\","
562 " but neither of them is defined",
563 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
564 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
565 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2),
566 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2));
567 }
568 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
569 {
570 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" value requires \"%s\", but it is not defined",
571 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
572 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2));
573 }
574 else
575 {
576 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" value requires \"%s\", but it is not defined",
577 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
578 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2));
579 }
580 }
581 else if (ZBX_TLS_VALIDATION_UTF8 == type)
582 {
583 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
584 {
585 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" or \"%s\" value is not a valid UTF-8 string",
586 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
587 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
588 }
589 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
590 {
591 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" value is not a valid UTF-8 string",
592 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
593 }
594 else
595 {
596 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" value is not a valid UTF-8 string",
597 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1));
598 }
599 }
600 else if (ZBX_TLS_VALIDATION_NO_PSK == type)
601 {
602 if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
603 {
604 zabbix_log(LOG_LEVEL_CRIT, "value of parameter \"%s\" or \"%s\" requires support of encrypted"
605 " connection with PSK but support for PSK was not compiled in",
606 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
607 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
608 }
609 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
610 {
611 zabbix_log(LOG_LEVEL_CRIT, "value of parameter \"%s\" requires support of encrypted"
612 " connection with PSK but support for PSK was not compiled in",
613 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1));
614 }
615 else
616 {
617 zabbix_log(LOG_LEVEL_CRIT, "value of parameter \"%s\" requires support of encrypted"
618 " connection with PSK but support for PSK was not compiled in",
619 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1));
620 }
621 }
622 else
623 THIS_SHOULD_NEVER_HAPPEN;
624
625 zbx_tls_free();
626 exit(EXIT_FAILURE);
627 }
628
629 /******************************************************************************
630 * *
631 * Function: zbx_tls_validation_error2 *
632 * *
633 * Purpose: *
634 * Helper function: log error message depending on program type and exit *
635 * *
636 * Parameters: *
637 * type - [IN] type of TLS validation error *
638 * param1 - [IN] address of the first global parameter variable *
639 * param2 - [IN] address of the second global parameter variable *
640 * param3 - [IN] address of the third global parameter variable *
641 * *
642 ******************************************************************************/
zbx_tls_validation_error2(int type,char ** param1,char ** param2,char ** param3)643 static void zbx_tls_validation_error2(int type, char **param1, char **param2, char **param3)
644 {
645 if (ZBX_TLS_VALIDATION_DEPENDENCY == type)
646 {
647 if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD))
648 {
649 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" is defined,"
650 " but neither \"%s\" nor \"%s\" is defined",
651 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param1),
652 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2),
653 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param3));
654 }
655 else if (0 != (program_type & ZBX_PROGRAM_TYPE_GET))
656 {
657 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" is defined,"
658 " but neither \"%s\" nor \"%s\" is defined",
659 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
660 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2),
661 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param3));
662 }
663 else if (0 != (program_type & ZBX_PROGRAM_TYPE_SENDER))
664 {
665 zabbix_log(LOG_LEVEL_CRIT, "parameter \"%s\" is defined,"
666 " but neither \"%s\", nor \"%s\", nor \"%s\", nor \"%s\" is defined",
667 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param1),
668 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param2),
669 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param2),
670 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_CONFIG_FILE, param3),
671 zbx_tls_parameter_name(ZBX_TLS_PARAMETER_COMMAND_LINE, param3));
672 }
673 }
674 else
675 THIS_SHOULD_NEVER_HAPPEN;
676
677 zbx_tls_free();
678 exit(EXIT_FAILURE);
679 }
680
681 /******************************************************************************
682 * *
683 * Function: zbx_tls_validate_config *
684 * *
685 * Purpose: check for allowed combinations of TLS configuration parameters *
686 * *
687 * Comments: *
688 * Valid combinations: *
689 * - either all 3 certificate parameters - CONFIG_TLS_CERT_FILE, *
690 * CONFIG_TLS_KEY_FILE, CONFIG_TLS_CA_FILE - are defined and not *
691 * empty or none of them. Parameter CONFIG_TLS_CRL_FILE is optional *
692 * but may be defined only together with the 3 certificate *
693 * parameters, *
694 * - either both PSK parameters - CONFIG_TLS_PSK_IDENTITY and *
695 * CONFIG_TLS_PSK_FILE - are defined and not empty or none of them, *
696 * (if CONFIG_TLS_PSK_IDENTITY is defined it must be a valid UTF-8 *
697 * string), *
698 * - in active agent, active proxy, zabbix_get, and zabbix_sender the *
699 * certificate and PSK parameters must match the value of *
700 * CONFIG_TLS_CONNECT parameter, *
701 * - in passive agent and passive proxy the certificate and PSK *
702 * parameters must match the value of CONFIG_TLS_ACCEPT parameter. *
703 * *
704 ******************************************************************************/
zbx_tls_validate_config(void)705 void zbx_tls_validate_config(void)
706 {
707 zbx_tls_parameter_not_empty(&CONFIG_TLS_CONNECT);
708 zbx_tls_parameter_not_empty(&CONFIG_TLS_ACCEPT);
709 zbx_tls_parameter_not_empty(&CONFIG_TLS_CA_FILE);
710 zbx_tls_parameter_not_empty(&CONFIG_TLS_CRL_FILE);
711 zbx_tls_parameter_not_empty(&CONFIG_TLS_SERVER_CERT_ISSUER);
712 zbx_tls_parameter_not_empty(&CONFIG_TLS_SERVER_CERT_SUBJECT);
713 zbx_tls_parameter_not_empty(&CONFIG_TLS_CERT_FILE);
714 zbx_tls_parameter_not_empty(&CONFIG_TLS_KEY_FILE);
715 zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_IDENTITY);
716 zbx_tls_parameter_not_empty(&CONFIG_TLS_PSK_FILE);
717
718 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_CERT13);
719 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_PSK13);
720 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_ALL13);
721 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_CMD13);
722
723 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_CERT);
724 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_PSK);
725 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_ALL);
726 zbx_tls_parameter_not_empty(&CONFIG_TLS_CIPHER_CMD);
727
728 /* parse and validate 'TLSConnect' parameter (in zabbix_proxy.conf, zabbix_agentd.conf) and '--tls-connect' */
729 /* parameter (in zabbix_get and zabbix_sender) */
730
731 if (NULL != CONFIG_TLS_CONNECT)
732 {
733 /* 'configured_tls_connect_mode' is shared between threads on MS Windows */
734
735 if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_UNENCRYPTED_TXT))
736 configured_tls_connect_mode = ZBX_TCP_SEC_UNENCRYPTED;
737 else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_CERT_TXT))
738 configured_tls_connect_mode = ZBX_TCP_SEC_TLS_CERT;
739 else if (0 == strcmp(CONFIG_TLS_CONNECT, ZBX_TCP_SEC_TLS_PSK_TXT))
740 #if defined(HAVE_GNUTLS) || (defined(HAVE_OPENSSL) && defined(HAVE_OPENSSL_WITH_PSK))
741 configured_tls_connect_mode = ZBX_TCP_SEC_TLS_PSK;
742 #else
743 zbx_tls_validation_error(ZBX_TLS_VALIDATION_NO_PSK, &CONFIG_TLS_CONNECT, NULL);
744 #endif
745 else
746 zbx_tls_validation_error(ZBX_TLS_VALIDATION_INVALID, &CONFIG_TLS_CONNECT, NULL);
747 }
748
749 /* parse and validate 'TLSAccept' parameter (in zabbix_proxy.conf, zabbix_agentd.conf) */
750
751 if (NULL != CONFIG_TLS_ACCEPT)
752 {
753 char *s, *p, *delim;
754 unsigned int accept_modes_tmp = 0; /* 'configured_tls_accept_modes' is shared between threads on */
755 /* MS Windows. To avoid races make a local temporary */
756 /* variable, modify it and write into */
757 /* 'configured_tls_accept_modes' when done. */
758
759 p = s = zbx_strdup(NULL, CONFIG_TLS_ACCEPT);
760
761 while (1)
762 {
763 delim = strchr(p, ',');
764
765 if (NULL != delim)
766 *delim = '\0';
767
768 if (0 == strcmp(p, ZBX_TCP_SEC_UNENCRYPTED_TXT))
769 accept_modes_tmp |= ZBX_TCP_SEC_UNENCRYPTED;
770 else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_CERT_TXT))
771 accept_modes_tmp |= ZBX_TCP_SEC_TLS_CERT;
772 else if (0 == strcmp(p, ZBX_TCP_SEC_TLS_PSK_TXT))
773 #if defined(HAVE_GNUTLS) || (defined(HAVE_OPENSSL) && defined(HAVE_OPENSSL_WITH_PSK))
774 accept_modes_tmp |= ZBX_TCP_SEC_TLS_PSK;
775 #else
776 zbx_tls_validation_error(ZBX_TLS_VALIDATION_NO_PSK, &CONFIG_TLS_ACCEPT, NULL);
777 #endif
778 else
779 {
780 zbx_free(s);
781 zbx_tls_validation_error(ZBX_TLS_VALIDATION_INVALID, &CONFIG_TLS_ACCEPT, NULL);
782 }
783
784 if (NULL == delim)
785 break;
786
787 p = delim + 1;
788 }
789
790 configured_tls_accept_modes = accept_modes_tmp;
791
792 zbx_free(s);
793 }
794
795 /* either both a certificate and a private key must be defined or none of them */
796
797 if (NULL != CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_KEY_FILE)
798 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_KEY_FILE);
799
800 if (NULL != CONFIG_TLS_KEY_FILE && NULL == CONFIG_TLS_CERT_FILE)
801 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_KEY_FILE, &CONFIG_TLS_CERT_FILE);
802
803 /* CA file must be defined only together with a certificate */
804
805 if (NULL != CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_CA_FILE)
806 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_CA_FILE);
807
808 if (NULL != CONFIG_TLS_CA_FILE && NULL == CONFIG_TLS_CERT_FILE)
809 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CA_FILE, &CONFIG_TLS_CERT_FILE);
810
811 /* CRL file is optional but must be defined only together with a certificate */
812
813 if (NULL == CONFIG_TLS_CERT_FILE && NULL != CONFIG_TLS_CRL_FILE)
814 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CRL_FILE, &CONFIG_TLS_CERT_FILE);
815
816 /* Server certificate issuer is optional but must be defined only together with a certificate */
817
818 if (NULL == CONFIG_TLS_CERT_FILE && NULL != CONFIG_TLS_SERVER_CERT_ISSUER)
819 {
820 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_SERVER_CERT_ISSUER,
821 &CONFIG_TLS_CERT_FILE);
822 }
823
824 /* Server certificate subject is optional but must be defined only together with a certificate */
825
826 if (NULL == CONFIG_TLS_CERT_FILE && NULL != CONFIG_TLS_SERVER_CERT_SUBJECT)
827 {
828 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_SERVER_CERT_SUBJECT,
829 &CONFIG_TLS_CERT_FILE);
830 }
831
832 /* either both a PSK and a PSK identity must be defined or none of them */
833
834 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_PSK_IDENTITY)
835 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE, &CONFIG_TLS_PSK_IDENTITY);
836
837 if (NULL != CONFIG_TLS_PSK_IDENTITY && NULL == CONFIG_TLS_PSK_FILE)
838 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_IDENTITY, &CONFIG_TLS_PSK_FILE);
839
840 /* PSK identity must be a valid UTF-8 string (RFC 4279 says Unicode) */
841 if (NULL != CONFIG_TLS_PSK_IDENTITY && SUCCEED != zbx_is_utf8(CONFIG_TLS_PSK_IDENTITY))
842 zbx_tls_validation_error(ZBX_TLS_VALIDATION_UTF8, &CONFIG_TLS_PSK_IDENTITY, NULL);
843
844 /* active agentd, active proxy, zabbix_get, and zabbix_sender specific validation */
845
846 if ((0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD) && 0 != CONFIG_ACTIVE_FORKS) ||
847 (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY_ACTIVE | ZBX_PROGRAM_TYPE_GET |
848 ZBX_PROGRAM_TYPE_SENDER))))
849 {
850 /* 'TLSConnect' is the master parameter to be matched by certificate and PSK parameters. */
851
852 if (NULL != CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_CONNECT)
853 {
854 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CERT_FILE,
855 &CONFIG_TLS_CONNECT);
856 }
857
858 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_CONNECT)
859 {
860 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
861 &CONFIG_TLS_CONNECT);
862 }
863
864 if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
865 {
866 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_CONNECT,
867 &CONFIG_TLS_CERT_FILE);
868 }
869
870 if (0 != (configured_tls_connect_mode & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
871 {
872 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_CONNECT,
873 &CONFIG_TLS_PSK_FILE);
874 }
875 }
876
877 /* passive agentd and passive proxy specific validation */
878
879 if ((0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD) && 0 != CONFIG_PASSIVE_FORKS) ||
880 0 != (program_type & ZBX_PROGRAM_TYPE_PROXY_PASSIVE))
881 {
882 /* 'TLSAccept' is the master parameter to be matched by certificate and PSK parameters */
883
884 if (NULL != CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_ACCEPT)
885 {
886 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CERT_FILE,
887 &CONFIG_TLS_ACCEPT);
888 }
889
890 if (NULL != CONFIG_TLS_PSK_FILE && NULL == CONFIG_TLS_ACCEPT)
891 {
892 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_PSK_FILE,
893 &CONFIG_TLS_ACCEPT);
894 }
895
896 if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_CERT) && NULL == CONFIG_TLS_CERT_FILE)
897 {
898 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_ACCEPT,
899 &CONFIG_TLS_CERT_FILE);
900 }
901
902 if (0 != (configured_tls_accept_modes & ZBX_TCP_SEC_TLS_PSK) && NULL == CONFIG_TLS_PSK_FILE)
903 {
904 zbx_tls_validation_error(ZBX_TLS_VALIDATION_REQUIREMENT, &CONFIG_TLS_ACCEPT,
905 &CONFIG_TLS_PSK_FILE);
906 }
907 }
908
909 /* TLSCipher* and --tls-cipher* parameter validation */
910
911 /* parameters 'TLSCipherCert13' and 'TLSCipherCert' can be used only with certificate */
912
913 if (NULL != CONFIG_TLS_CIPHER_CERT13 && NULL == CONFIG_TLS_CERT_FILE)
914 {
915 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_CERT13,
916 &CONFIG_TLS_CERT_FILE);
917 }
918
919 if (NULL != CONFIG_TLS_CIPHER_CERT && NULL == CONFIG_TLS_CERT_FILE)
920 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_CERT, &CONFIG_TLS_CERT_FILE);
921
922 /* For server and proxy 'TLSCipherPSK13' and 'TLSCipherPSK' are optional and do not depend on other */
923 /* TLS parameters. Validate only in case of agent, zabbix_get and sender. */
924
925 if (0 != (program_type & (ZBX_PROGRAM_TYPE_AGENTD | ZBX_PROGRAM_TYPE_GET | ZBX_PROGRAM_TYPE_SENDER)))
926 {
927 if (NULL != CONFIG_TLS_CIPHER_PSK13 && NULL == CONFIG_TLS_PSK_IDENTITY)
928 {
929 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_PSK13,
930 &CONFIG_TLS_PSK_IDENTITY);
931
932 }
933
934 if (NULL != CONFIG_TLS_CIPHER_PSK && NULL == CONFIG_TLS_PSK_IDENTITY)
935 {
936 zbx_tls_validation_error(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_PSK,
937 &CONFIG_TLS_PSK_IDENTITY);
938 }
939 }
940
941 /* Parameters 'TLSCipherAll13' and 'TLSCipherAll' are used only for incoming connections if a combined list */
942 /* of certificate- and PSK-based ciphersuites is used. They may be defined without other TLS parameters on */
943 /* server and proxy (at least some hosts may be connecting with PSK). */
944 /* 'zabbix_get' and sender do not use these parameters. Validate only in case of agent. */
945
946 if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD) &&
947 NULL == CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_PSK_IDENTITY)
948 {
949 if (NULL != CONFIG_TLS_CIPHER_ALL13)
950 {
951 zbx_tls_validation_error2(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_ALL13,
952 &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_PSK_IDENTITY);
953 }
954
955 if (NULL != CONFIG_TLS_CIPHER_ALL)
956 {
957 zbx_tls_validation_error2(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_ALL,
958 &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_PSK_IDENTITY);
959 }
960 }
961
962 /* Parameters '--tls-cipher13' and '--tls-cipher' can be used only in zabbix_get and sender with */
963 /* certificate or PSK. */
964
965 if (0 != (program_type & (ZBX_PROGRAM_TYPE_GET | ZBX_PROGRAM_TYPE_SENDER)) &&
966 NULL == CONFIG_TLS_CERT_FILE && NULL == CONFIG_TLS_PSK_IDENTITY)
967 {
968 if (NULL != CONFIG_TLS_CIPHER_CMD13)
969 {
970 zbx_tls_validation_error2(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_CMD13,
971 &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_PSK_IDENTITY);
972 }
973
974 if (NULL != CONFIG_TLS_CIPHER_CMD)
975 {
976 zbx_tls_validation_error2(ZBX_TLS_VALIDATION_DEPENDENCY, &CONFIG_TLS_CIPHER_CMD,
977 &CONFIG_TLS_CERT_FILE, &CONFIG_TLS_PSK_IDENTITY);
978 }
979 }
980 }
981
zbx_psk_warn_misconfig(const char * psk_identity)982 static void zbx_psk_warn_misconfig(const char *psk_identity)
983 {
984 zabbix_log(LOG_LEVEL_WARNING, "same PSK identity \"%s\" but different PSK values used in proxy configuration"
985 " file, for host or for autoregistration; autoregistration will not be allowed", psk_identity);
986 }
987
988 #if defined(HAVE_GNUTLS)
989 /******************************************************************************
990 * *
991 * Function: zbx_psk_cb *
992 * *
993 * Purpose: *
994 * find and set the requested pre-shared key upon GnuTLS request *
995 * *
996 * Parameters: *
997 * session - [IN] not used *
998 * psk_identity - [IN] PSK identity for which the PSK should be searched *
999 * and set *
1000 * key - [OUT pre-shared key allocated and set *
1001 * *
1002 * Return value: *
1003 * 0 - required PSK successfully found and set *
1004 * -1 - an error occurred *
1005 * *
1006 * Comments: *
1007 * A callback function, its arguments are defined in GnuTLS. *
1008 * Used in all programs accepting connections. *
1009 * *
1010 ******************************************************************************/
zbx_psk_cb(gnutls_session_t session,const char * psk_identity,gnutls_datum_t * key)1011 static int zbx_psk_cb(gnutls_session_t session, const char *psk_identity, gnutls_datum_t *key)
1012 {
1013 char *psk;
1014 size_t psk_len = 0;
1015 int psk_bin_len;
1016 unsigned char tls_psk_hex[HOST_TLS_PSK_LEN_MAX], psk_buf[HOST_TLS_PSK_LEN / 2];
1017
1018 ZBX_UNUSED(session);
1019
1020 zabbix_log(LOG_LEVEL_DEBUG, "%s() requested PSK identity \"%s\"", __func__, psk_identity);
1021
1022 psk_usage = 0;
1023
1024 if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
1025 {
1026 /* call the function DCget_psk_by_identity() by pointer */
1027 if (0 < find_psk_in_cache((const unsigned char *)psk_identity, tls_psk_hex, &psk_usage))
1028 {
1029 /* The PSK is in configuration cache. Convert PSK to binary form. */
1030 if (0 >= (psk_bin_len = zbx_hex2bin(tls_psk_hex, psk_buf, sizeof(psk_buf))))
1031 {
1032 /* this should have been prevented by validation in frontend or API */
1033 zabbix_log(LOG_LEVEL_WARNING, "cannot convert PSK to binary form for PSK identity"
1034 " \"%s\"", psk_identity);
1035 return -1; /* fail */
1036 }
1037
1038 psk = (char *)psk_buf;
1039 psk_len = (size_t)psk_bin_len;
1040 }
1041
1042 if (0 != (program_type & ZBX_PROGRAM_TYPE_PROXY) &&
1043 0 < my_psk_identity_len &&
1044 0 == strcmp(my_psk_identity, psk_identity))
1045 {
1046 /* the PSK is in proxy configuration file */
1047 psk_usage |= ZBX_PSK_FOR_PROXY;
1048
1049 if (0 < psk_len && (psk_len != my_psk_len || 0 != memcmp(psk, my_psk, psk_len)))
1050 {
1051 /* PSK was also found in configuration cache but with different value */
1052 zbx_psk_warn_misconfig(psk_identity);
1053 psk_usage &= ~(unsigned int)ZBX_PSK_FOR_AUTOREG;
1054 }
1055
1056 psk = my_psk; /* prefer PSK from proxy configuration file */
1057 psk_len = my_psk_len;
1058 }
1059
1060 if (0 == psk_len)
1061 {
1062 zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\"", psk_identity);
1063 return -1; /* fail */
1064 }
1065 }
1066 else if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD))
1067 {
1068 if (0 < my_psk_identity_len)
1069 {
1070 if (0 == strcmp(my_psk_identity, psk_identity))
1071 {
1072 psk = my_psk;
1073 psk_len = my_psk_len;
1074 }
1075 else
1076 {
1077 zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\", available PSK"
1078 " identity \"%s\"", psk_identity, my_psk_identity);
1079 return -1; /* fail */
1080 }
1081 }
1082 }
1083
1084 if (0 < psk_len)
1085 {
1086 if (NULL == (key->data = gnutls_malloc(psk_len)))
1087 {
1088 zabbix_log(LOG_LEVEL_WARNING, "cannot allocate " ZBX_FS_SIZE_T " bytes of memory for PSK with"
1089 " identity \"%s\"", (zbx_fs_size_t)psk_len, psk_identity);
1090 return -1; /* fail */
1091 }
1092
1093 memcpy(key->data, psk, psk_len);
1094 key->size = (unsigned int)psk_len;
1095
1096 return 0; /* success */
1097 }
1098
1099 return -1; /* PSK not found */
1100 }
1101 #elif defined(HAVE_OPENSSL) && defined(HAVE_OPENSSL_WITH_PSK)
1102 /******************************************************************************
1103 * *
1104 * Function: zbx_psk_client_cb *
1105 * *
1106 * Purpose: *
1107 * set pre-shared key for outgoing TLS connection upon OpenSSL request *
1108 * *
1109 * Parameters: *
1110 * ssl - [IN] not used *
1111 * hint - [IN] not used *
1112 * identity - [OUT] buffer to write PSK identity into *
1113 * max_identity_len - [IN] size of the 'identity' buffer *
1114 * psk - [OUT] buffer to write PSK into *
1115 * max_psk_len - [IN] size of the 'psk' buffer *
1116 * *
1117 * Return value: *
1118 * > 0 - length of PSK in bytes *
1119 * 0 - an error occurred *
1120 * *
1121 * Comments: *
1122 * A callback function, its arguments are defined in OpenSSL. *
1123 * Used in all programs making outgoing TLS PSK connections. *
1124 * *
1125 * As a client we use different PSKs depending on connection to be made. *
1126 * Apparently there is no simple way to specify which PSK should be set *
1127 * by this callback function. We use global variables to pass this info. *
1128 * *
1129 ******************************************************************************/
zbx_psk_client_cb(SSL * ssl,const char * hint,char * identity,unsigned int max_identity_len,unsigned char * psk,unsigned int max_psk_len)1130 static unsigned int zbx_psk_client_cb(SSL *ssl, const char *hint, char *identity,
1131 unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
1132 {
1133 ZBX_UNUSED(ssl);
1134 ZBX_UNUSED(hint);
1135
1136 zabbix_log(LOG_LEVEL_DEBUG, "%s() requested PSK identity \"%s\"", __func__, psk_identity_for_cb);
1137
1138 if (max_identity_len < psk_identity_len_for_cb + 1) /* 1 byte for terminating '\0' */
1139 {
1140 zabbix_log(LOG_LEVEL_WARNING, "requested PSK identity \"%s\" does not fit into %u-byte buffer",
1141 psk_identity_for_cb, max_identity_len);
1142 return 0;
1143 }
1144
1145 if (max_psk_len < psk_len_for_cb)
1146 {
1147 zabbix_log(LOG_LEVEL_WARNING, "PSK associated with PSK identity \"%s\" does not fit into %u-byte"
1148 " buffer", psk_identity_for_cb, max_psk_len);
1149 return 0;
1150 }
1151
1152 zbx_strlcpy(identity, psk_identity_for_cb, max_identity_len);
1153 memcpy(psk, psk_for_cb, psk_len_for_cb);
1154
1155 return (unsigned int)psk_len_for_cb;
1156 }
1157
1158 /******************************************************************************
1159 * *
1160 * Function: zbx_psk_server_cb *
1161 * *
1162 * Purpose: *
1163 * set pre-shared key for incoming TLS connection upon OpenSSL request *
1164 * *
1165 * Parameters: *
1166 * ssl - [IN] not used *
1167 * identity - [IN] PSK identity sent by client *
1168 * psk - [OUT] buffer to write PSK into *
1169 * max_psk_len - [IN] size of the 'psk' buffer *
1170 * *
1171 * Return value: *
1172 * > 0 - length of PSK in bytes *
1173 * 0 - PSK identity not found *
1174 * *
1175 * Comments: *
1176 * A callback function, its arguments are defined in OpenSSL. *
1177 * Used in all programs accepting incoming TLS PSK connections. *
1178 * *
1179 ******************************************************************************/
zbx_psk_server_cb(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)1180 static unsigned int zbx_psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
1181 unsigned int max_psk_len)
1182 {
1183 char *psk_loc;
1184 size_t psk_len = 0;
1185 int psk_bin_len;
1186 unsigned char tls_psk_hex[HOST_TLS_PSK_LEN_MAX], psk_buf[HOST_TLS_PSK_LEN / 2];
1187
1188 ZBX_UNUSED(ssl);
1189
1190 zabbix_log(LOG_LEVEL_DEBUG, "%s() requested PSK identity \"%s\"", __func__, identity);
1191
1192 incoming_connection_has_psk = 1;
1193 psk_usage = 0;
1194
1195 if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
1196 {
1197 /* call the function DCget_psk_by_identity() by pointer */
1198 if (0 < find_psk_in_cache((const unsigned char *)identity, tls_psk_hex, &psk_usage))
1199 {
1200 /* The PSK is in configuration cache. Convert PSK to binary form. */
1201 if (0 >= (psk_bin_len = zbx_hex2bin(tls_psk_hex, psk_buf, sizeof(psk_buf))))
1202 {
1203 /* this should have been prevented by validation in frontend or API */
1204 zabbix_log(LOG_LEVEL_WARNING, "cannot convert PSK to binary form for PSK identity"
1205 " \"%s\"", identity);
1206 goto fail;
1207 }
1208
1209 psk_loc = (char *)psk_buf;
1210 psk_len = (size_t)psk_bin_len;
1211 }
1212
1213 if (0 != (program_type & ZBX_PROGRAM_TYPE_PROXY) &&
1214 0 < my_psk_identity_len &&
1215 0 == strcmp(my_psk_identity, identity))
1216 {
1217 /* the PSK is in proxy configuration file */
1218 psk_usage |= ZBX_PSK_FOR_PROXY;
1219
1220 if (0 < psk_len && (psk_len != my_psk_len || 0 != memcmp(psk_loc, my_psk, psk_len)))
1221 {
1222 /* PSK was also found in configuration cache but with different value */
1223 zbx_psk_warn_misconfig(identity);
1224 psk_usage &= ~(unsigned int)ZBX_PSK_FOR_AUTOREG;
1225 }
1226
1227 psk_loc = my_psk; /* prefer PSK from proxy configuration file */
1228 psk_len = my_psk_len;
1229 }
1230
1231 if (0 == psk_len)
1232 {
1233 zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\"", identity);
1234 goto fail;
1235 }
1236 }
1237 else if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD))
1238 {
1239 if (0 < my_psk_identity_len)
1240 {
1241 if (0 == strcmp(my_psk_identity, identity))
1242 {
1243 psk_loc = my_psk;
1244 psk_len = my_psk_len;
1245 }
1246 else
1247 {
1248 zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\", available PSK"
1249 " identity \"%s\"", identity, my_psk_identity);
1250 goto fail;
1251 }
1252 }
1253 }
1254
1255 if (0 < psk_len)
1256 {
1257 if ((size_t)max_psk_len < psk_len)
1258 {
1259 zabbix_log(LOG_LEVEL_WARNING, "PSK associated with PSK identity \"%s\" does not fit into"
1260 " %u-byte buffer", identity, max_psk_len);
1261 goto fail;
1262 }
1263
1264 memcpy(psk, psk_loc, psk_len);
1265 zbx_strlcpy(incoming_connection_psk_id, identity, sizeof(incoming_connection_psk_id));
1266
1267 return (unsigned int)psk_len; /* success */
1268 }
1269 fail:
1270 incoming_connection_psk_id[0] = '\0';
1271 return 0; /* PSK not found */
1272 }
1273 #endif
1274
1275 /******************************************************************************
1276 * *
1277 * Function: zbx_check_psk_identity_len *
1278 * *
1279 * Purpose: Check PSK identity length. Exit if length exceeds the maximum. *
1280 * *
1281 ******************************************************************************/
zbx_check_psk_identity_len(size_t psk_identity_len)1282 static void zbx_check_psk_identity_len(size_t psk_identity_len)
1283 {
1284 if (HOST_TLS_PSK_IDENTITY_LEN < psk_identity_len)
1285 {
1286 zabbix_log(LOG_LEVEL_CRIT, "PSK identity length " ZBX_FS_SIZE_T " exceeds the maximum length of %d"
1287 " bytes.", (zbx_fs_size_t)psk_identity_len, HOST_TLS_PSK_IDENTITY_LEN);
1288 zbx_tls_free();
1289 exit(EXIT_FAILURE);
1290 }
1291 }
1292
1293 /******************************************************************************
1294 * *
1295 * Function: zbx_read_psk_file *
1296 * *
1297 * Purpose: *
1298 * read a pre-shared key from a configured file and convert it from *
1299 * textual representation (ASCII hex digit string) to a binary *
1300 * representation (byte string) *
1301 * *
1302 * Comments: *
1303 * Maximum length of PSK hex-digit string is defined by HOST_TLS_PSK_LEN. *
1304 * Currently it is 512 characters, which encodes a 2048-bit PSK and is *
1305 * supported by GnuTLS and OpenSSL libraries (compiled with default *
1306 * parameters). If the key is longer an error message *
1307 * "ssl_set_psk(): SSL - Bad input parameters to function" will be logged *
1308 * at runtime. *
1309 * *
1310 ******************************************************************************/
zbx_read_psk_file(void)1311 static void zbx_read_psk_file(void)
1312 {
1313 FILE *f;
1314 size_t len;
1315 int len_bin, ret = FAIL;
1316 char buf[HOST_TLS_PSK_LEN_MAX + 2]; /* up to 512 bytes of hex-digits, maybe 1-2 bytes for '\n', */
1317 /* 1 byte for terminating '\0' */
1318 char buf_bin[HOST_TLS_PSK_LEN / 2]; /* up to 256 bytes of binary PSK */
1319
1320 if (NULL == (f = fopen(CONFIG_TLS_PSK_FILE, "r")))
1321 {
1322 zabbix_log(LOG_LEVEL_CRIT, "cannot open file \"%s\": %s", CONFIG_TLS_PSK_FILE, zbx_strerror(errno));
1323 goto out;
1324 }
1325
1326 if (NULL == fgets(buf, (int)sizeof(buf), f))
1327 {
1328 zabbix_log(LOG_LEVEL_CRIT, "cannot read from file \"%s\" or file empty", CONFIG_TLS_PSK_FILE);
1329 goto out;
1330 }
1331
1332 buf[strcspn(buf, "\r\n")] = '\0'; /* discard newline at the end of string */
1333
1334 if (0 == (len = strlen(buf)))
1335 {
1336 zabbix_log(LOG_LEVEL_CRIT, "file \"%s\" is empty", CONFIG_TLS_PSK_FILE);
1337 goto out;
1338 }
1339
1340 if (HOST_TLS_PSK_LEN_MIN > len)
1341 {
1342 zabbix_log(LOG_LEVEL_CRIT, "PSK in file \"%s\" is too short. Minimum is %d hex-digits",
1343 CONFIG_TLS_PSK_FILE, HOST_TLS_PSK_LEN_MIN);
1344 goto out;
1345 }
1346
1347 if (HOST_TLS_PSK_LEN < len)
1348 {
1349 zabbix_log(LOG_LEVEL_CRIT, "PSK in file \"%s\" is too long. Maximum is %d hex-digits",
1350 CONFIG_TLS_PSK_FILE, HOST_TLS_PSK_LEN);
1351 goto out;
1352 }
1353
1354 if (0 >= (len_bin = zbx_hex2bin((unsigned char *)buf, (unsigned char *)buf_bin, sizeof(buf_bin))))
1355 {
1356 zabbix_log(LOG_LEVEL_CRIT, "invalid PSK in file \"%s\"", CONFIG_TLS_PSK_FILE);
1357 goto out;
1358 }
1359
1360 my_psk_len = (size_t)len_bin;
1361 my_psk = zbx_malloc(my_psk, my_psk_len);
1362 memcpy(my_psk, buf_bin, my_psk_len);
1363
1364 ret = SUCCEED;
1365 out:
1366 if (NULL != f && 0 != fclose(f))
1367 {
1368 zabbix_log(LOG_LEVEL_CRIT, "cannot close file \"%s\": %s", CONFIG_TLS_PSK_FILE, zbx_strerror(errno));
1369 ret = FAIL;
1370 }
1371
1372 if (SUCCEED == ret)
1373 return;
1374
1375 zbx_tls_free();
1376 exit(EXIT_FAILURE);
1377 }
1378
1379 #if defined(HAVE_GNUTLS)
1380 /******************************************************************************
1381 * *
1382 * Function: zbx_log_ciphersuites *
1383 * *
1384 * Purpose: write names of enabled GnuTLS ciphersuites into Zabbix log for *
1385 * debugging *
1386 * *
1387 * Parameters: *
1388 * title1 - [IN] name of the calling function *
1389 * title2 - [IN] name of the group of ciphersuites *
1390 * ciphers - [IN] list of ciphersuites *
1391 * *
1392 ******************************************************************************/
zbx_log_ciphersuites(const char * title1,const char * title2,gnutls_priority_t ciphers)1393 static void zbx_log_ciphersuites(const char *title1, const char *title2, gnutls_priority_t ciphers)
1394 {
1395 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
1396 {
1397 char *msg = NULL;
1398 size_t msg_alloc = 0, msg_offset = 0;
1399 int res;
1400 unsigned int idx = 0, sidx;
1401 const char *name;
1402
1403 zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, "%s() %s ciphersuites:", title1, title2);
1404
1405 while (1)
1406 {
1407 if (GNUTLS_E_SUCCESS == (res = gnutls_priority_get_cipher_suite_index(ciphers, idx++, &sidx)))
1408 {
1409 if (NULL != (name = gnutls_cipher_suite_info(sidx, NULL, NULL, NULL, NULL, NULL)))
1410 zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, " %s", name);
1411 }
1412 else if (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE == res)
1413 {
1414 break;
1415 }
1416
1417 /* ignore the 3rd possibility GNUTLS_E_UNKNOWN_CIPHER_SUITE */
1418 /* (see "man gnutls_priority_get_cipher_suite_index") */
1419 }
1420
1421 zabbix_log(LOG_LEVEL_DEBUG, "%s", msg);
1422 zbx_free(msg);
1423 }
1424 }
1425 #elif defined(HAVE_OPENSSL)
1426 /******************************************************************************
1427 * *
1428 * Function: zbx_log_ciphersuites *
1429 * *
1430 * Purpose: write names of enabled OpenSSL ciphersuites into Zabbix log for *
1431 * debugging *
1432 * *
1433 * Parameters: *
1434 * title1 - [IN] name of the calling function *
1435 * title2 - [IN] name of the group of ciphersuites *
1436 * ciphers - [IN] stack of ciphersuites *
1437 * *
1438 ******************************************************************************/
zbx_log_ciphersuites(const char * title1,const char * title2,SSL_CTX * ciphers)1439 static void zbx_log_ciphersuites(const char *title1, const char *title2, SSL_CTX *ciphers)
1440 {
1441 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
1442 {
1443 char *msg = NULL;
1444 size_t msg_alloc = 0, msg_offset = 0;
1445 int i, num;
1446 STACK_OF(SSL_CIPHER) *cipher_list;
1447
1448 zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, "%s() %s ciphersuites:", title1, title2);
1449
1450 cipher_list = SSL_CTX_get_ciphers(ciphers);
1451 num = sk_SSL_CIPHER_num(cipher_list);
1452
1453 for (i = 0; i < num; i++)
1454 {
1455 zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, " %s",
1456 SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipher_list, i)));
1457 }
1458
1459 zabbix_log(LOG_LEVEL_DEBUG, "%s", msg);
1460 zbx_free(msg);
1461 }
1462 }
1463 #endif
1464
1465 #if defined(HAVE_GNUTLS)
1466 /******************************************************************************
1467 * *
1468 * Function: zbx_print_rdn_value *
1469 * *
1470 * Purpose: *
1471 * print an RDN (relative distinguished name) value into buffer *
1472 * *
1473 * Parameters: *
1474 * value - [IN] pointer to RDN value *
1475 * len - [IN] number of bytes in the RDN value *
1476 * buf - [OUT] output buffer *
1477 * size - [IN] output buffer size *
1478 * error - [OUT] dynamically allocated memory with error message. *
1479 * Initially '*error' must be NULL. *
1480 * *
1481 * Return value: *
1482 * number of bytes written into 'buf' *
1483 * '*error' is not NULL if an error occurred *
1484 * *
1485 ******************************************************************************/
zbx_print_rdn_value(const unsigned char * value,size_t len,unsigned char * buf,size_t size,char ** error)1486 static size_t zbx_print_rdn_value(const unsigned char *value, size_t len, unsigned char *buf, size_t size,
1487 char **error)
1488 {
1489 const unsigned char *p_in;
1490 unsigned char *p_out, *p_out_end;
1491
1492 p_in = value;
1493 p_out = buf;
1494 p_out_end = buf + size;
1495
1496 while (value + len > p_in)
1497 {
1498 if (0 == (*p_in & 0x80)) /* ASCII */
1499 {
1500 if (0x1f < *p_in && *p_in < 0x7f) /* printable character */
1501 {
1502 if (p_out_end - 1 > p_out)
1503 {
1504 /* According to RFC 4514: */
1505 /* - escape characters '"' (U+0022), '+' U+002B, ',' U+002C, ';' U+003B, */
1506 /* '<' U+003C, '>' U+003E, '\' U+005C anywhere in string. */
1507 /* - escape characters space (' ' U+0020) or number sign ('#' U+0023) at */
1508 /* the beginning of string. */
1509 /* - escape character space (' ' U+0020) at the end of string. */
1510 /* - escape null (U+0000) character anywhere. <--- we do not allow null. */
1511
1512 if ((0x20 == (*p_in & 0x70) && ('"' == *p_in || '+' == *p_in || ',' == *p_in))
1513 || (0x30 == (*p_in & 0x70) && (';' == *p_in || '<' == *p_in ||
1514 '>' == *p_in)) || '\\' == *p_in ||
1515 (' ' == *p_in && (value == p_in || (value + len - 1) == p_in))
1516 || ('#' == *p_in && value == p_in))
1517 {
1518 *p_out++ = '\\';
1519 }
1520 }
1521 else
1522 goto small_buf;
1523
1524 if (p_out_end - 1 > p_out)
1525 *p_out++ = *p_in++;
1526 else
1527 goto small_buf;
1528 }
1529 else if (0 == *p_in)
1530 {
1531 *error = zbx_strdup(*error, "null byte in certificate, could be an attack");
1532 break;
1533 }
1534 else
1535 {
1536 *error = zbx_strdup(*error, "non-printable character in certificate");
1537 break;
1538 }
1539 }
1540 else if (0xc0 == (*p_in & 0xe0)) /* 11000010-11011111 starts a 2-byte sequence */
1541 {
1542 if (p_out_end - 2 > p_out)
1543 {
1544 *p_out++ = *p_in++;
1545 *p_out++ = *p_in++;
1546 }
1547 else
1548 goto small_buf;
1549 }
1550 else if (0xe0 == (*p_in & 0xf0)) /* 11100000-11101111 starts a 3-byte sequence */
1551 {
1552 if (p_out_end - 3 > p_out)
1553 {
1554 *p_out++ = *p_in++;
1555 *p_out++ = *p_in++;
1556 *p_out++ = *p_in++;
1557 }
1558 else
1559 goto small_buf;
1560 }
1561 else if (0xf0 == (*p_in & 0xf8)) /* 11110000-11110100 starts a 4-byte sequence */
1562 {
1563 if (p_out_end - 4 > p_out)
1564 {
1565 *p_out++ = *p_in++;
1566 *p_out++ = *p_in++;
1567 *p_out++ = *p_in++;
1568 *p_out++ = *p_in++;
1569 }
1570 else
1571 goto small_buf;
1572 }
1573 else /* not a valid UTF-8 character */
1574 {
1575 *error = zbx_strdup(*error, "invalid UTF-8 character");
1576 break;
1577 }
1578 }
1579
1580 *p_out = '\0';
1581
1582 return (size_t)(p_out - buf);
1583 small_buf:
1584 *p_out = '\0';
1585 *error = zbx_strdup(*error, "output buffer too small");
1586
1587 return (size_t)(p_out - buf);
1588 }
1589 #endif
1590
1591 #if defined(HAVE_GNUTLS)
1592 /******************************************************************************
1593 * *
1594 * Function: zbx_x509_dn_gets *
1595 * *
1596 * Purpose: *
1597 * Print distinguished name (i.e. issuer, subject) into buffer. Intended *
1598 * to use as an alternative to GnuTLS gnutls_x509_crt_get_issuer_dn() and *
1599 * gnutls_x509_crt_get_dn() to meet application needs. *
1600 * *
1601 * Parameters: *
1602 * dn - [IN] pointer to distinguished name *
1603 * buf - [OUT] output buffer *
1604 * size - [IN] output buffer size *
1605 * error - [OUT] dynamically allocated memory with error message *
1606 * *
1607 * Return value: *
1608 * SUCCEED - no errors, FAIL - an error occurred *
1609 * *
1610 * Comments: *
1611 * Multi-valued RDNs are not supported currently (only the first value is *
1612 * printed). *
1613 * *
1614 ******************************************************************************/
zbx_x509_dn_gets(const gnutls_x509_dn_t dn,char * buf,size_t size,char ** error)1615 static int zbx_x509_dn_gets(const gnutls_x509_dn_t dn, char *buf, size_t size, char **error)
1616 {
1617 #define ZBX_AVA_BUF_SIZE 20 /* hopefully no more than 20 RDNs */
1618
1619 int res, i_max = 0, i = 0, ava_dyn_size = 0;
1620 char *p, *p_end;
1621 gnutls_x509_ava_st *ava, *ava_dyn = NULL;
1622 char oid_str[128]; /* size equal to MAX_OID_SIZE, internally defined in GnuTLS */
1623 gnutls_x509_ava_st ava_stat[ZBX_AVA_BUF_SIZE];
1624
1625 /* Find index of the last RDN in distinguished name. Remember pointers to RDNs to minimize calling of */
1626 /* gnutls_x509_dn_get_rdn_ava() as it seems a bit expensive. */
1627
1628 while (1)
1629 {
1630 if (ZBX_AVA_BUF_SIZE > i) /* most common case: small number of RDNs, fits in fixed buffer */
1631 {
1632 ava = &ava_stat[i];
1633 }
1634 else if (NULL == ava_dyn) /* fixed buffer full, copy data to dynamic buffer */
1635 {
1636 ava_dyn_size = 2 * ZBX_AVA_BUF_SIZE;
1637 ava_dyn = zbx_malloc(NULL, (size_t)ava_dyn_size * sizeof(gnutls_x509_ava_st));
1638
1639 memcpy(ava_dyn, ava_stat, ZBX_AVA_BUF_SIZE * sizeof(gnutls_x509_ava_st));
1640 ava = ava_dyn + ZBX_AVA_BUF_SIZE;
1641 }
1642 else if (ava_dyn_size > i) /* fits in dynamic buffer */
1643 {
1644 ava = ava_dyn + i;
1645 }
1646 else /* expand dynamic buffer */
1647 {
1648 ava_dyn_size += ZBX_AVA_BUF_SIZE;
1649 ava_dyn = zbx_realloc(ava_dyn, (size_t)ava_dyn_size * sizeof(gnutls_x509_ava_st));
1650 ava = ava_dyn + i;
1651 }
1652
1653 if (0 == (res = gnutls_x509_dn_get_rdn_ava(dn, i, 0, ava))) /* RDN with index 'i' exists */
1654 {
1655 i++;
1656 }
1657 else if (GNUTLS_E_ASN1_ELEMENT_NOT_FOUND == res)
1658 {
1659 i_max = i;
1660 break;
1661 }
1662 else
1663 {
1664 *error = zbx_dsprintf(*error, "zbx_x509_dn_gets(): gnutls_x509_dn_get_rdn_ava() failed: %d %s",
1665 res, gnutls_strerror(res));
1666 zbx_free(ava_dyn);
1667 return FAIL;
1668 }
1669 }
1670
1671 /* "print" RDNs in reverse order (recommended by RFC 4514) */
1672
1673 if (NULL == ava_dyn)
1674 ava = &ava_stat[0];
1675 else
1676 ava = ava_dyn;
1677
1678 p = buf;
1679 p_end = buf + size;
1680
1681 for (i = i_max - 1, ava += i; i >= 0; i--, ava--)
1682 {
1683 if (sizeof(oid_str) <= ava->oid.size)
1684 {
1685 THIS_SHOULD_NEVER_HAPPEN;
1686 zbx_free(ava_dyn);
1687 return FAIL;
1688 }
1689
1690 memcpy(oid_str, ava->oid.data, ava->oid.size);
1691 oid_str[ava->oid.size] = '\0';
1692
1693 if (buf != p) /* not the first RDN being printed */
1694 {
1695 if (p_end - 1 == p)
1696 goto small_buf;
1697
1698 p += zbx_strlcpy(p, ",", (size_t)(p_end - p)); /* separator between RDNs */
1699 }
1700
1701 /* write attribute name */
1702
1703 if (p_end - 1 == p)
1704 goto small_buf;
1705
1706 p += zbx_strlcpy(p, gnutls_x509_dn_oid_name(oid_str, GNUTLS_X509_DN_OID_RETURN_OID),
1707 (size_t)(p_end - p));
1708
1709 if (p_end - 1 == p)
1710 goto small_buf;
1711
1712 p += zbx_strlcpy(p, "=", (size_t)(p_end - p));
1713
1714 /* write attribute value */
1715
1716 if (p_end - 1 == p)
1717 goto small_buf;
1718
1719 p += zbx_print_rdn_value(ava->value.data, ava->value.size, (unsigned char *)p, (size_t)(p_end - p),
1720 error);
1721
1722 if (NULL != *error)
1723 break;
1724 }
1725
1726 zbx_free(ava_dyn);
1727
1728 if (NULL == *error)
1729 return SUCCEED;
1730 else
1731 return FAIL;
1732 small_buf:
1733 zbx_free(ava_dyn);
1734 *error = zbx_strdup(*error, "output buffer too small");
1735
1736 return FAIL;
1737
1738 #undef ZBX_AVA_BUF_SIZE
1739 }
1740 #elif defined(HAVE_OPENSSL)
1741 /******************************************************************************
1742 * *
1743 * Function: zbx_x509_dn_gets *
1744 * *
1745 * Purpose: *
1746 * Print distinguished name (i.e. issuer, subject) into buffer. Intended *
1747 * to use as an alternative to OpenSSL X509_NAME_oneline() and to meet *
1748 * application needs. *
1749 * *
1750 * Parameters: *
1751 * dn - [IN] pointer to distinguished name *
1752 * buf - [OUT] output buffer *
1753 * size - [IN] output buffer size *
1754 * error - [OUT] dynamically allocated memory with error message *
1755 * *
1756 * Return value: *
1757 * SUCCEED - no errors, FAIL - an error occurred *
1758 * *
1759 * Comments: *
1760 * Examples often use OpenSSL X509_NAME_oneline() to print certificate *
1761 * issuer and subject into memory buffers but it is a legacy function and *
1762 * strongly discouraged in new applications. So, we have to use functions *
1763 * writing into BIOs and then turn results into memory buffers. *
1764 * *
1765 ******************************************************************************/
zbx_x509_dn_gets(X509_NAME * dn,char * buf,size_t size,char ** error)1766 static int zbx_x509_dn_gets(X509_NAME *dn, char *buf, size_t size, char **error)
1767 {
1768 BIO *bio;
1769 const char *data;
1770 size_t len;
1771 int ret = FAIL;
1772
1773 if (NULL == (bio = BIO_new(BIO_s_mem())))
1774 {
1775 *error = zbx_strdup(*error, "cannot create BIO");
1776 goto out;
1777 }
1778
1779 /* XN_FLAG_RFC2253 - RFC 2253 is outdated, it was replaced by RFC 4514 "Lightweight Directory Access Protocol */
1780 /* (LDAP): String Representation of Distinguished Names" */
1781
1782 if (0 > X509_NAME_print_ex(bio, dn, 0, XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB))
1783 {
1784 *error = zbx_strdup(*error, "cannot print distinguished name");
1785 goto out;
1786 }
1787
1788 if (size <= (len = (size_t)BIO_get_mem_data(bio, &data)))
1789 {
1790 *error = zbx_strdup(*error, "output buffer too small");
1791 goto out;
1792 }
1793
1794 zbx_strlcpy(buf, data, len + 1);
1795 ret = SUCCEED;
1796 out:
1797 if (NULL != bio)
1798 {
1799 /* ensure that associated memory buffer will be freed by BIO_vfree() */
1800 (void)BIO_set_close(bio, BIO_CLOSE);
1801 BIO_vfree(bio);
1802 }
1803
1804 return ret;
1805 }
1806 #endif
1807
1808 #if defined(HAVE_GNUTLS)
1809 /******************************************************************************
1810 * *
1811 * Function: zbx_get_peer_cert *
1812 * *
1813 * Purpose: get peer certificate from session *
1814 * *
1815 * Parameters: *
1816 * session - [IN] session context *
1817 * error - [OUT] dynamically allocated memory with error message *
1818 * *
1819 * Return value: *
1820 * pointer to peer certificate - success *
1821 * NULL - an error occurred *
1822 * *
1823 * Comments: *
1824 * In case of success it is a responsibility of caller to deallocate *
1825 * the instance of certificate using gnutls_x509_crt_deinit(). *
1826 * *
1827 ******************************************************************************/
zbx_get_peer_cert(const gnutls_session_t session,char ** error)1828 static gnutls_x509_crt_t zbx_get_peer_cert(const gnutls_session_t session, char **error)
1829 {
1830 if (GNUTLS_CRT_X509 == gnutls_certificate_type_get(session))
1831 {
1832 int res;
1833 unsigned int cert_list_size = 0;
1834 const gnutls_datum_t *cert_list;
1835 gnutls_x509_crt_t cert;
1836
1837 if (NULL == (cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
1838 {
1839 *error = zbx_dsprintf(*error, "%s(): gnutls_certificate_get_peers() returned NULL", __func__);
1840 return NULL;
1841 }
1842
1843 if (0 == cert_list_size)
1844 {
1845 *error = zbx_dsprintf(*error, "%s(): gnutls_certificate_get_peers() returned 0 certificates",
1846 __func__);
1847 return NULL;
1848 }
1849
1850 if (GNUTLS_E_SUCCESS != (res = gnutls_x509_crt_init(&cert)))
1851 {
1852 *error = zbx_dsprintf(*error, "%s(): gnutls_x509_crt_init() failed: %d %s", __func__,
1853 res, gnutls_strerror(res));
1854 return NULL;
1855 }
1856
1857 /* the 1st element of the list is peer certificate */
1858
1859 if (GNUTLS_E_SUCCESS != (res = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)))
1860 {
1861 *error = zbx_dsprintf(*error, "%s(): gnutls_x509_crt_import() failed: %d %s", __func__,
1862 res, gnutls_strerror(res));
1863 gnutls_x509_crt_deinit(cert);
1864 return NULL;
1865 }
1866
1867 return cert; /* success */
1868 }
1869 else
1870 {
1871 *error = zbx_dsprintf(*error, "%s(): not an X509 certificate", __func__);
1872 return NULL;
1873 }
1874 }
1875 #endif
1876
1877 /******************************************************************************
1878 * *
1879 * Function: zbx_log_peer_cert *
1880 * *
1881 * Purpose: write peer certificate information into Zabbix log for debugging *
1882 * *
1883 * Parameters: *
1884 * function_name - [IN] caller function name *
1885 * tls_ctx - [IN] TLS context *
1886 * *
1887 ******************************************************************************/
zbx_log_peer_cert(const char * function_name,const zbx_tls_context_t * tls_ctx)1888 static void zbx_log_peer_cert(const char *function_name, const zbx_tls_context_t *tls_ctx)
1889 {
1890 char *error = NULL;
1891 #if defined(HAVE_GNUTLS)
1892 gnutls_x509_crt_t cert;
1893 int res;
1894 gnutls_datum_t cert_print;
1895 #elif defined(HAVE_OPENSSL)
1896 X509 *cert;
1897 char issuer[HOST_TLS_ISSUER_LEN_MAX], subject[HOST_TLS_SUBJECT_LEN_MAX];
1898 #endif
1899
1900 if (SUCCEED != ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
1901 return;
1902 #if defined(HAVE_GNUTLS)
1903 if (NULL == (cert = zbx_get_peer_cert(tls_ctx->ctx, &error)))
1904 {
1905 zabbix_log(LOG_LEVEL_DEBUG, "%s(): cannot obtain peer certificate: %s", function_name, error);
1906 }
1907 else if (GNUTLS_E_SUCCESS != (res = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_ONELINE, &cert_print)))
1908 {
1909 zabbix_log(LOG_LEVEL_DEBUG, "%s(): gnutls_x509_crt_print() failed: %d %s", function_name, res,
1910 gnutls_strerror(res));
1911 }
1912 else
1913 {
1914 zabbix_log(LOG_LEVEL_DEBUG, "%s(): peer certificate: %s", function_name, cert_print.data);
1915 gnutls_free(cert_print.data);
1916 }
1917
1918 if (NULL != cert)
1919 gnutls_x509_crt_deinit(cert);
1920 #elif defined(HAVE_OPENSSL)
1921 if (NULL == (cert = SSL_get_peer_certificate(tls_ctx->ctx)))
1922 {
1923 zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate", function_name);
1924 }
1925 else if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(cert), issuer, sizeof(issuer), &error))
1926 {
1927 zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate issuer: %s", function_name, error);
1928 }
1929 else if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(cert), subject, sizeof(subject), &error))
1930 {
1931 zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate subject: %s", function_name, error);
1932 }
1933 else
1934 {
1935 zabbix_log(LOG_LEVEL_DEBUG, "%s() peer certificate issuer:\"%s\" subject:\"%s\"",
1936 function_name, issuer, subject);
1937 }
1938
1939 if (NULL != cert)
1940 X509_free(cert);
1941 #endif
1942 zbx_free(error);
1943 }
1944
1945 #if defined(HAVE_GNUTLS)
1946 /******************************************************************************
1947 * *
1948 * Function: zbx_verify_peer_cert *
1949 * *
1950 * Purpose: basic verification of peer certificate *
1951 * *
1952 * Return value: *
1953 * SUCCEED - verification successful *
1954 * FAIL - invalid certificate or an error occurred *
1955 * *
1956 ******************************************************************************/
zbx_verify_peer_cert(const gnutls_session_t session,char ** error)1957 static int zbx_verify_peer_cert(const gnutls_session_t session, char **error)
1958 {
1959 int res;
1960 unsigned int status;
1961 gnutls_datum_t status_print;
1962
1963 if (GNUTLS_E_SUCCESS != (res = gnutls_certificate_verify_peers2(session, &status)))
1964 {
1965 *error = zbx_dsprintf(*error, "%s(): gnutls_certificate_verify_peers2() failed: %d %s",
1966 __func__, res, gnutls_strerror(res));
1967 return FAIL;
1968 }
1969
1970 if (GNUTLS_E_SUCCESS != (res = gnutls_certificate_verification_status_print(status,
1971 gnutls_certificate_type_get(session), &status_print, 0)))
1972 {
1973 *error = zbx_dsprintf(*error, "%s(): gnutls_certificate_verification_status_print() failed: %d"
1974 " %s", __func__, res, gnutls_strerror(res));
1975 return FAIL;
1976 }
1977
1978 if (0 != status)
1979 *error = zbx_dsprintf(*error, "invalid peer certificate: %s", status_print.data);
1980
1981 gnutls_free(status_print.data);
1982
1983 if (0 == status)
1984 return SUCCEED;
1985 else
1986 return FAIL;
1987 }
1988 #endif
1989
1990 /******************************************************************************
1991 * *
1992 * Function: zbx_verify_issuer_subject *
1993 * *
1994 * Purpose: *
1995 * verify peer certificate issuer and subject of the given TLS context *
1996 * *
1997 * Parameters: *
1998 * tls_ctx - [IN] TLS context to verify *
1999 * issuer - [IN] required issuer (ignore if NULL or empty string) *
2000 * subject - [IN] required subject (ignore if NULL or empty string) *
2001 * error - [OUT] dynamically allocated memory with error message *
2002 * *
2003 * Return value: *
2004 * SUCCEED or FAIL *
2005 * *
2006 ******************************************************************************/
zbx_verify_issuer_subject(const zbx_tls_context_t * tls_ctx,const char * issuer,const char * subject,char ** error)2007 static int zbx_verify_issuer_subject(const zbx_tls_context_t *tls_ctx, const char *issuer, const char *subject,
2008 char **error)
2009 {
2010 char tls_issuer[HOST_TLS_ISSUER_LEN_MAX], tls_subject[HOST_TLS_SUBJECT_LEN_MAX];
2011 int issuer_mismatch = 0, subject_mismatch = 0;
2012 size_t error_alloc = 0, error_offset = 0;
2013 #if defined(HAVE_GNUTLS)
2014 gnutls_x509_crt_t cert;
2015 gnutls_x509_dn_t dn;
2016 int res;
2017 #elif defined(HAVE_OPENSSL)
2018 X509 *cert;
2019 #endif
2020
2021 if ((NULL == issuer || '\0' == *issuer) && (NULL == subject || '\0' == *subject))
2022 return SUCCEED;
2023
2024 tls_issuer[0] = '\0';
2025 tls_subject[0] = '\0';
2026
2027 #if defined(HAVE_GNUTLS)
2028 if (NULL == (cert = zbx_get_peer_cert(tls_ctx->ctx, error)))
2029 return FAIL;
2030
2031 if (NULL != issuer && '\0' != *issuer)
2032 {
2033 if (0 != (res = gnutls_x509_crt_get_issuer(cert, &dn)))
2034 {
2035 *error = zbx_dsprintf(*error, "gnutls_x509_crt_get_issuer() failed: %d %s", res,
2036 gnutls_strerror(res));
2037 return FAIL;
2038 }
2039
2040 if (SUCCEED != zbx_x509_dn_gets(dn, tls_issuer, sizeof(tls_issuer), error))
2041 return FAIL;
2042 }
2043
2044 if (NULL != subject && '\0' != *subject)
2045 {
2046 if (0 != (res = gnutls_x509_crt_get_subject(cert, &dn)))
2047 {
2048 *error = zbx_dsprintf(*error, "gnutls_x509_crt_get_subject() failed: %d %s", res,
2049 gnutls_strerror(res));
2050 return FAIL;
2051 }
2052
2053 if (SUCCEED != zbx_x509_dn_gets(dn, tls_subject, sizeof(tls_subject), error))
2054 return FAIL;
2055 }
2056
2057 gnutls_x509_crt_deinit(cert);
2058 #elif defined(HAVE_OPENSSL)
2059 if (NULL == (cert = SSL_get_peer_certificate(tls_ctx->ctx)))
2060 {
2061 *error = zbx_strdup(*error, "cannot obtain peer certificate");
2062 return FAIL;
2063 }
2064
2065 if (NULL != issuer && '\0' != *issuer)
2066 {
2067 if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(cert), tls_issuer, sizeof(tls_issuer), error))
2068 return FAIL;
2069 }
2070
2071 if (NULL != subject && '\0' != *subject)
2072 {
2073 if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(cert), tls_subject, sizeof(tls_subject), error))
2074 return FAIL;
2075 }
2076
2077 X509_free(cert);
2078 #endif
2079 /* simplified match, not compliant with RFC 4517, 4518 */
2080
2081 if (NULL != issuer && '\0' != *issuer)
2082 issuer_mismatch = strcmp(tls_issuer, issuer);
2083
2084 if (NULL != subject && '\0' != *subject)
2085 subject_mismatch = strcmp(tls_subject, subject);
2086
2087 if (0 == issuer_mismatch && 0 == subject_mismatch)
2088 return SUCCEED;
2089
2090 if (0 != issuer_mismatch)
2091 {
2092 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "issuer: peer: \"%s\", required: \"%s\"",
2093 tls_issuer, issuer);
2094 }
2095
2096 if (0 != subject_mismatch)
2097 {
2098 if (0 != issuer_mismatch)
2099 zbx_strcpy_alloc(error, &error_alloc, &error_offset, ", ");
2100
2101 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "subject: peer: \"%s\", required: \"%s\"",
2102 tls_subject, subject);
2103 }
2104
2105 return FAIL;
2106 }
2107
2108 /******************************************************************************
2109 * *
2110 * Function: zbx_check_server_issuer_subject *
2111 * *
2112 * Purpose: *
2113 * check server certificate issuer and subject (for passive proxies and *
2114 * agent passive checks) *
2115 * *
2116 * Parameters: *
2117 * sock - [IN] certificate to verify *
2118 * error - [OUT] dynamically allocated memory with error message *
2119 * *
2120 * Return value: *
2121 * SUCCEED or FAIL *
2122 * *
2123 ******************************************************************************/
zbx_check_server_issuer_subject(zbx_socket_t * sock,char ** error)2124 int zbx_check_server_issuer_subject(zbx_socket_t *sock, char **error)
2125 {
2126 zbx_tls_conn_attr_t attr;
2127
2128 if (SUCCEED != zbx_tls_get_attr_cert(sock, &attr))
2129 {
2130 THIS_SHOULD_NEVER_HAPPEN;
2131
2132 *error = zbx_dsprintf(*error, "cannot get connection attributes for connection from %s", sock->peer);
2133 return FAIL;
2134 }
2135
2136 /* simplified match, not compliant with RFC 4517, 4518 */
2137 if (NULL != CONFIG_TLS_SERVER_CERT_ISSUER && 0 != strcmp(CONFIG_TLS_SERVER_CERT_ISSUER, attr.issuer))
2138 {
2139 *error = zbx_dsprintf(*error, "certificate issuer does not match for %s", sock->peer);
2140 return FAIL;
2141 }
2142
2143 /* simplified match, not compliant with RFC 4517, 4518 */
2144 if (NULL != CONFIG_TLS_SERVER_CERT_SUBJECT && 0 != strcmp(CONFIG_TLS_SERVER_CERT_SUBJECT, attr.subject))
2145 {
2146 *error = zbx_dsprintf(*error, "certificate subject does not match for %s", sock->peer);
2147 return FAIL;
2148 }
2149
2150 return SUCCEED;
2151 }
2152
2153 /******************************************************************************
2154 * *
2155 * Function: zbx_tls_library_init *
2156 * *
2157 * Purpose: initialize TLS library, log library version *
2158 * *
2159 * Comments: *
2160 * Some crypto libraries require initialization. On Unix the *
2161 * initialization is done separately in each child process which uses *
2162 * crypto libraries. On MS Windows it is done in the first thread. *
2163 * *
2164 * Flag 'init_done' is used to prevent library deinitialzation on exit if *
2165 * it was not yet initialized (can happen if termination signal is *
2166 * received). *
2167 * *
2168 ******************************************************************************/
zbx_tls_library_init(void)2169 static void zbx_tls_library_init(void)
2170 {
2171 #if defined(HAVE_GNUTLS)
2172 if (GNUTLS_E_SUCCESS != gnutls_global_init())
2173 {
2174 zabbix_log(LOG_LEVEL_CRIT, "cannot initialize GnuTLS library");
2175 exit(EXIT_FAILURE);
2176 }
2177
2178 init_done = 1;
2179
2180 zabbix_log(LOG_LEVEL_DEBUG, "GnuTLS library (version %s) initialized", gnutls_check_version(NULL));
2181 #elif defined(HAVE_OPENSSL)
2182 #if !defined(LIBRESSL_VERSION_NUMBER) /* LibreSSL does not require initialization */
2183 if (1 != zbx_openssl_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL))
2184 {
2185 zabbix_log(LOG_LEVEL_CRIT, "cannot initialize OpenSSL library");
2186 exit(EXIT_FAILURE);
2187 }
2188 #endif
2189 init_done = 1;
2190
2191 zabbix_log(LOG_LEVEL_DEBUG, "OpenSSL library (version %s) initialized", OpenSSL_version(OPENSSL_VERSION));
2192 #endif
2193 }
2194
2195 /******************************************************************************
2196 * *
2197 * Function: zbx_tls_library_deinit *
2198 * *
2199 * Purpose: deinitialize TLS library *
2200 * *
2201 ******************************************************************************/
zbx_tls_library_deinit(void)2202 void zbx_tls_library_deinit(void)
2203 {
2204 #if defined(HAVE_GNUTLS)
2205 if (1 == init_done)
2206 {
2207 init_done = 0;
2208 gnutls_global_deinit();
2209 }
2210 #elif defined(HAVE_OPENSSL)
2211 if (1 == init_done)
2212 {
2213 init_done = 0;
2214 OPENSSL_cleanup();
2215 }
2216 #endif
2217 }
2218
2219 /******************************************************************************
2220 * *
2221 * Function: zbx_tls_init_parent *
2222 * *
2223 * Purpose: initialize TLS library in a parent process *
2224 * *
2225 ******************************************************************************/
zbx_tls_init_parent(void)2226 void zbx_tls_init_parent(void)
2227 {
2228 #if defined(_WINDOWS)
2229 zbx_tls_library_init(); /* on MS Windows initialize crypto libraries in parent thread */
2230 #endif
2231 }
2232
2233 /******************************************************************************
2234 * *
2235 * Function: zbx_tls_init_child *
2236 * *
2237 * Purpose: read available configuration parameters and initialize TLS *
2238 * library in a child process *
2239 * *
2240 ******************************************************************************/
2241 #if defined(HAVE_GNUTLS)
zbx_gnutls_priority_init_or_exit(gnutls_priority_t * ciphersuites,const char * priority_str,const char * err_msg)2242 static void zbx_gnutls_priority_init_or_exit(gnutls_priority_t *ciphersuites, const char *priority_str,
2243 const char *err_msg)
2244 {
2245 const char *err_pos;
2246 int res;
2247
2248 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_init(ciphersuites, priority_str, &err_pos)))
2249 {
2250 zabbix_log(LOG_LEVEL_CRIT, "gnutls_priority_init() for %s failed: %d: %s: error occurred at position:"
2251 " \"%s\"", err_msg, res, gnutls_strerror(res), ZBX_NULL2STR(err_pos));
2252 zbx_tls_free();
2253 exit(EXIT_FAILURE);
2254 }
2255 }
2256
zbx_tls_init_child(void)2257 void zbx_tls_init_child(void)
2258 {
2259 int res;
2260 #ifndef _WINDOWS
2261 sigset_t mask, orig_mask;
2262 #endif
2263 zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
2264
2265 #ifndef _WINDOWS
2266 /* Invalid TLS parameters will cause exit. Once one process exits the parent process will send SIGHUP to */
2267 /* child processes which may be on their way to exit on their own - do not interrupt them, block signal */
2268 /* SIGHUP and unblock it when TLS parameters are good and libraries are initialized. */
2269 sigemptyset(&mask);
2270 sigaddset(&mask, SIGTERM);
2271 sigaddset(&mask, SIGHUP);
2272 sigaddset(&mask, SIGUSR2);
2273 sigaddset(&mask, SIGQUIT);
2274 sigprocmask(SIG_BLOCK, &mask, &orig_mask);
2275
2276 zbx_tls_library_init(); /* on Unix initialize crypto libraries in child processes */
2277 #endif
2278 /* need to allocate certificate credentials store? */
2279
2280 if (NULL != CONFIG_TLS_CERT_FILE)
2281 {
2282 if (GNUTLS_E_SUCCESS != (res = gnutls_certificate_allocate_credentials(&my_cert_creds)))
2283 {
2284 zabbix_log(LOG_LEVEL_CRIT, "gnutls_certificate_allocate_credentials() failed: %d: %s", res,
2285 gnutls_strerror(res));
2286 zbx_tls_free();
2287 exit(EXIT_FAILURE);
2288 }
2289 }
2290
2291 /* 'TLSCAFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf) */
2292 if (NULL != CONFIG_TLS_CA_FILE)
2293 {
2294 if (0 < (res = gnutls_certificate_set_x509_trust_file(my_cert_creds, CONFIG_TLS_CA_FILE,
2295 GNUTLS_X509_FMT_PEM)))
2296 {
2297 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded %d CA certificate(s) from file \"%s\"",
2298 __func__, res, CONFIG_TLS_CA_FILE);
2299 }
2300 else if (0 == res)
2301 {
2302 zabbix_log(LOG_LEVEL_WARNING, "no CA certificate(s) in file \"%s\"", CONFIG_TLS_CA_FILE);
2303 }
2304 else
2305 {
2306 zabbix_log(LOG_LEVEL_CRIT, "cannot parse CA certificate(s) in file \"%s\": %d: %s",
2307 CONFIG_TLS_CA_FILE, res, gnutls_strerror(res));
2308 zbx_tls_free();
2309 exit(EXIT_FAILURE);
2310 }
2311 }
2312
2313 /* 'TLSCRLFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
2314 /* Load CRL (certificate revocation list) file. */
2315 if (NULL != CONFIG_TLS_CRL_FILE)
2316 {
2317 if (0 < (res = gnutls_certificate_set_x509_crl_file(my_cert_creds, CONFIG_TLS_CRL_FILE,
2318 GNUTLS_X509_FMT_PEM)))
2319 {
2320 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded %d CRL(s) from file \"%s\"", __func__, res,
2321 CONFIG_TLS_CRL_FILE);
2322 }
2323 else if (0 == res)
2324 {
2325 zabbix_log(LOG_LEVEL_WARNING, "no CRL(s) in file \"%s\"", CONFIG_TLS_CRL_FILE);
2326 }
2327 else
2328 {
2329 zabbix_log(LOG_LEVEL_CRIT, "cannot parse CRL file \"%s\": %d: %s", CONFIG_TLS_CRL_FILE, res,
2330 gnutls_strerror(res));
2331 zbx_tls_free();
2332 exit(EXIT_FAILURE);
2333 }
2334 }
2335
2336 /* 'TLSCertFile' and 'TLSKeyFile' parameters (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
2337 /* Load certificate and private key. */
2338 if (NULL != CONFIG_TLS_CERT_FILE)
2339 {
2340 if (GNUTLS_E_SUCCESS != (res = gnutls_certificate_set_x509_key_file(my_cert_creds, CONFIG_TLS_CERT_FILE,
2341 CONFIG_TLS_KEY_FILE, GNUTLS_X509_FMT_PEM)))
2342 {
2343 zabbix_log(LOG_LEVEL_CRIT, "cannot load certificate or private key from file \"%s\" or \"%s\":"
2344 " %d: %s", CONFIG_TLS_CERT_FILE, CONFIG_TLS_KEY_FILE, res,
2345 gnutls_strerror(res));
2346 zbx_tls_free();
2347 exit(EXIT_FAILURE);
2348 }
2349 else
2350 {
2351 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded certificate from file \"%s\"", __func__,
2352 CONFIG_TLS_CERT_FILE);
2353 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded private key from file \"%s\"", __func__,
2354 CONFIG_TLS_KEY_FILE);
2355 }
2356 }
2357
2358 /* 'TLSPSKIdentity' and 'TLSPSKFile' parameters (in zabbix_proxy.conf, zabbix_agentd.conf). */
2359 /* Load pre-shared key and identity to be used with the pre-shared key. */
2360 if (NULL != CONFIG_TLS_PSK_FILE)
2361 {
2362 gnutls_datum_t key;
2363
2364 my_psk_identity = CONFIG_TLS_PSK_IDENTITY;
2365 my_psk_identity_len = strlen(my_psk_identity);
2366
2367 zbx_check_psk_identity_len(my_psk_identity_len);
2368
2369 zbx_read_psk_file();
2370
2371 key.data = (unsigned char *)my_psk;
2372 key.size = (unsigned int)my_psk_len;
2373
2374 /* allocate here only PSK credential stores which do not change (e.g. for proxy communication with */
2375 /* server) */
2376
2377 if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY_ACTIVE | ZBX_PROGRAM_TYPE_AGENTD |
2378 ZBX_PROGRAM_TYPE_SENDER | ZBX_PROGRAM_TYPE_GET)))
2379 {
2380 if (GNUTLS_E_SUCCESS != (res = gnutls_psk_allocate_client_credentials(&my_psk_client_creds)))
2381 {
2382 zabbix_log(LOG_LEVEL_CRIT, "gnutls_psk_allocate_client_credentials() failed: %d: %s",
2383 res, gnutls_strerror(res));
2384 zbx_tls_free();
2385 exit(EXIT_FAILURE);
2386 }
2387
2388 /* Simplified. 'my_psk_identity' should have been prepared as required by RFC 4518. */
2389 if (GNUTLS_E_SUCCESS != (res = gnutls_psk_set_client_credentials(my_psk_client_creds,
2390 my_psk_identity, &key, GNUTLS_PSK_KEY_RAW)))
2391 {
2392 zabbix_log(LOG_LEVEL_CRIT, "gnutls_psk_set_client_credentials() failed: %d: %s", res,
2393 gnutls_strerror(res));
2394 zbx_tls_free();
2395 exit(EXIT_FAILURE);
2396 }
2397 }
2398
2399 if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY_PASSIVE | ZBX_PROGRAM_TYPE_AGENTD)))
2400 {
2401 if (0 != (res = gnutls_psk_allocate_server_credentials(&my_psk_server_creds)))
2402 {
2403 zabbix_log(LOG_LEVEL_CRIT, "gnutls_psk_allocate_server_credentials() failed: %d: %s",
2404 res, gnutls_strerror(res));
2405 zbx_tls_free();
2406 exit(EXIT_FAILURE);
2407 }
2408
2409 /* Apparently GnuTLS does not provide API for setting up static server credentials (with a */
2410 /* fixed PSK identity and key) for a passive proxy and agentd. The only possibility seems to */
2411 /* be to set up credentials dynamically for each incoming connection using a callback */
2412 /* function. */
2413 gnutls_psk_set_server_credentials_function(my_psk_server_creds, zbx_psk_cb);
2414 }
2415
2416 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK identity \"%s\"", __func__, CONFIG_TLS_PSK_IDENTITY);
2417 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK from file \"%s\"", __func__, CONFIG_TLS_PSK_FILE);
2418 }
2419
2420 /* Certificate always comes from configuration file. Set up ciphersuites. */
2421 if (NULL != my_cert_creds)
2422 {
2423 const char *priority_str;
2424
2425 if (NULL == CONFIG_TLS_CIPHER_CERT)
2426 {
2427 /* for GnuTLS 3.1.18 and up */
2428 priority_str = "NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:"
2429 "+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509";
2430
2431 zbx_gnutls_priority_init_or_exit(&ciphersuites_cert, priority_str,
2432 "\"ciphersuites_cert\" with built-in default value");
2433 }
2434 else
2435 {
2436 priority_str = CONFIG_TLS_CIPHER_CERT;
2437
2438 zbx_gnutls_priority_init_or_exit(&ciphersuites_cert, priority_str,
2439 "\"ciphersuites_cert\" with TLSCipherCert or --tls-cipher parameter");
2440 }
2441
2442 zbx_log_ciphersuites(__func__, "certificate", ciphersuites_cert);
2443 }
2444
2445 /* PSK can come from configuration file (in proxy, agentd) and later from database (in server, proxy). */
2446 /* Configure ciphersuites just in case they will be used. */
2447 if (NULL != my_psk_client_creds || NULL != my_psk_server_creds ||
2448 0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY)))
2449 {
2450 const char *priority_str;
2451
2452 if (NULL == CONFIG_TLS_CIPHER_PSK)
2453 {
2454 /* for GnuTLS 3.1.18 and up */
2455 priority_str = "NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:"
2456 "+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL";
2457
2458 zbx_gnutls_priority_init_or_exit(&ciphersuites_psk, priority_str,
2459 "\"ciphersuites_psk\" with built-in default value");
2460 }
2461 else
2462 {
2463 priority_str = CONFIG_TLS_CIPHER_PSK;
2464
2465 zbx_gnutls_priority_init_or_exit(&ciphersuites_psk, priority_str,
2466 "\"ciphersuites_psk\" with TLSCipherPSK or --tls-cipher parameter");
2467 }
2468
2469 zbx_log_ciphersuites(__func__, "PSK", ciphersuites_psk);
2470 }
2471
2472 /* Sometimes we need to be ready for both certificate and PSK whichever comes in. Set up a combined list of */
2473 /* ciphersuites. */
2474 if (NULL != my_cert_creds && (NULL != my_psk_client_creds || NULL != my_psk_server_creds ||
2475 0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY))))
2476 {
2477 const char *priority_str;
2478
2479 if (NULL == CONFIG_TLS_CIPHER_ALL)
2480 {
2481 /* for GnuTLS 3.1.18 and up */
2482 priority_str = "NONE:+VERS-TLS1.2:+ECDHE-RSA:"
2483 "+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:"
2484 "+COMP-NULL:+SIGN-ALL:+CTYPE-X.509";
2485
2486 zbx_gnutls_priority_init_or_exit(&ciphersuites_all, priority_str,
2487 "\"ciphersuites_all\" with built-in default value");
2488 }
2489 else
2490 {
2491 priority_str = CONFIG_TLS_CIPHER_ALL;
2492
2493 zbx_gnutls_priority_init_or_exit(&ciphersuites_all, priority_str,
2494 "\"ciphersuites_all\" with TLSCipherAll parameter");
2495 }
2496
2497 zbx_log_ciphersuites(__func__, "certificate and PSK", ciphersuites_all);
2498 }
2499
2500 #ifndef _WINDOWS
2501 sigprocmask(SIG_SETMASK, &orig_mask, NULL);
2502 #endif
2503 zabbix_log(LOG_LEVEL_DEBUG, "End of %s()", __func__);
2504 }
2505 #elif defined(HAVE_OPENSSL)
zbx_ctx_name(SSL_CTX * param)2506 static const char *zbx_ctx_name(SSL_CTX *param)
2507 {
2508 if (ctx_cert == param)
2509 return "certificate-based encryption";
2510
2511 #if defined(HAVE_OPENSSL_WITH_PSK)
2512 if (ctx_psk == param)
2513 return "PSK-based encryption";
2514
2515 if (ctx_all == param)
2516 return "certificate and PSK-based encryption";
2517 #endif
2518 THIS_SHOULD_NEVER_HAPPEN;
2519 return ZBX_NULL2STR(NULL);
2520 }
2521
zbx_set_ecdhe_parameters(SSL_CTX * ctx)2522 static int zbx_set_ecdhe_parameters(SSL_CTX *ctx)
2523 {
2524 const char *msg = "Perfect Forward Secrecy ECDHE ciphersuites will not be available for";
2525 EC_KEY *ecdh;
2526 long res;
2527 int ret = SUCCEED;
2528
2529 /* use curve secp256r1/prime256v1/NIST P-256 */
2530
2531 if (NULL == (ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)))
2532 {
2533 zabbix_log(LOG_LEVEL_WARNING, "%s() EC_KEY_new_by_curve_name() failed. %s %s",
2534 __func__, msg, zbx_ctx_name(ctx));
2535 return FAIL;
2536 }
2537
2538 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
2539
2540 if (1 != (res = SSL_CTX_set_tmp_ecdh(ctx, ecdh)))
2541 {
2542 zabbix_log(LOG_LEVEL_WARNING, "%s() SSL_CTX_set_tmp_ecdh() returned %ld. %s %s",
2543 __func__, res, msg, zbx_ctx_name(ctx));
2544 ret = FAIL;
2545 }
2546
2547 EC_KEY_free(ecdh);
2548
2549 return ret;
2550 }
2551
zbx_tls_init_child(void)2552 void zbx_tls_init_child(void)
2553 {
2554 #define ZBX_CIPHERS_CERT_ECDHE "EECDH+aRSA+AES128:"
2555 #define ZBX_CIPHERS_CERT "RSA+aRSA+AES128"
2556
2557 #if defined(HAVE_OPENSSL_WITH_PSK)
2558 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
2559 /* TLS_AES_256_GCM_SHA384 is excluded from client ciphersuite list for PSK based connections. */
2560 /* By default, in TLS 1.3 only *-SHA256 ciphersuites work with PSK. */
2561 # define ZBX_CIPHERS_PSK_TLS13 "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
2562 #endif
2563 #if OPENSSL_VERSION_NUMBER >= 0x1010000fL /* OpenSSL 1.1.0 or newer */
2564 # define ZBX_CIPHERS_PSK_ECDHE "kECDHEPSK+AES128:"
2565 # define ZBX_CIPHERS_PSK "kPSK+AES128"
2566 #else
2567 # define ZBX_CIPHERS_PSK_ECDHE ""
2568 # define ZBX_CIPHERS_PSK "PSK-AES128-CBC-SHA"
2569 #endif
2570 #endif
2571
2572 char *error = NULL;
2573 size_t error_alloc = 0, error_offset = 0;
2574 #ifndef _WINDOWS
2575 sigset_t mask, orig_mask;
2576 #endif
2577 zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
2578
2579 #ifndef _WINDOWS
2580 /* Invalid TLS parameters will cause exit. Once one process exits the parent process will send SIGHUP to */
2581 /* child processes which may be on their way to exit on their own - do not interrupt them, block signal */
2582 /* SIGHUP and unblock it when TLS parameters are good and libraries are initialized. */
2583 sigemptyset(&mask);
2584 sigaddset(&mask, SIGTERM);
2585 sigaddset(&mask, SIGHUP);
2586 sigaddset(&mask, SIGUSR2);
2587 sigaddset(&mask, SIGQUIT);
2588 sigprocmask(SIG_BLOCK, &mask, &orig_mask);
2589
2590 zbx_tls_library_init(); /* on Unix initialize crypto libraries in child processes */
2591 #endif
2592 if (1 != RAND_status()) /* protect against not properly seeded PRNG */
2593 {
2594 zabbix_log(LOG_LEVEL_CRIT, "cannot initialize PRNG");
2595 zbx_tls_free();
2596 exit(EXIT_FAILURE);
2597 }
2598
2599 /* set protocol version to TLS 1.2 */
2600
2601 if (0 != (program_type & (ZBX_PROGRAM_TYPE_SENDER | ZBX_PROGRAM_TYPE_GET)))
2602 method = TLS_client_method();
2603 else /* ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD */
2604 method = TLS_method();
2605
2606 /* create context for certificate-only authentication if certificate is configured */
2607 if (NULL != CONFIG_TLS_CERT_FILE)
2608 {
2609 if (NULL == (ctx_cert = SSL_CTX_new(method)))
2610 goto out_method;
2611
2612 if (1 != SSL_CTX_set_min_proto_version(ctx_cert, TLS1_2_VERSION))
2613 goto out_method;
2614 }
2615 #if defined(HAVE_OPENSSL_WITH_PSK)
2616 /* Create context for PSK-only authentication. PSK can come from configuration file (in proxy, agentd) */
2617 /* and later from database (in server, proxy). */
2618 if (NULL != CONFIG_TLS_PSK_FILE || 0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY)))
2619 {
2620 if (NULL == (ctx_psk = SSL_CTX_new(method)))
2621 goto out_method;
2622
2623 if (1 != SSL_CTX_set_min_proto_version(ctx_psk, TLS1_2_VERSION))
2624 goto out_method;
2625 }
2626
2627 /* Sometimes we need to be ready for both certificate and PSK whichever comes in. Set up a universal context */
2628 /* for certificate and PSK authentication to prepare for both. */
2629 if (NULL != ctx_cert && NULL != ctx_psk)
2630 {
2631 if (NULL == (ctx_all = SSL_CTX_new(method)))
2632 goto out_method;
2633
2634 if (1 != SSL_CTX_set_min_proto_version(ctx_all, TLS1_2_VERSION))
2635 goto out_method;
2636 }
2637 #endif
2638 /* 'TLSCAFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf) */
2639 if (NULL != CONFIG_TLS_CA_FILE)
2640 {
2641 #if defined(HAVE_OPENSSL_WITH_PSK)
2642 if (1 != SSL_CTX_load_verify_locations(ctx_cert, CONFIG_TLS_CA_FILE, NULL) ||
2643 (NULL != ctx_all && 1 != SSL_CTX_load_verify_locations(ctx_all, CONFIG_TLS_CA_FILE,
2644 NULL)))
2645 #else
2646 if (1 != SSL_CTX_load_verify_locations(ctx_cert, CONFIG_TLS_CA_FILE, NULL))
2647 #endif
2648 {
2649 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CA certificate(s) from"
2650 " file \"%s\":", CONFIG_TLS_CA_FILE);
2651 goto out;
2652 }
2653
2654 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded CA certificate(s) from file \"%s\"", __func__,
2655 CONFIG_TLS_CA_FILE);
2656
2657 /* It is possible to limit the length of certificate chain being verified. For example: */
2658 /* SSL_CTX_set_verify_depth(ctx_cert, 2); */
2659 /* Currently use the default depth 100. */
2660
2661 SSL_CTX_set_verify(ctx_cert, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
2662
2663 #if defined(HAVE_OPENSSL_WITH_PSK)
2664 if (NULL != ctx_all)
2665 SSL_CTX_set_verify(ctx_all, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
2666 #endif
2667 }
2668
2669 /* 'TLSCRLFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
2670 /* Load CRL (certificate revocation list) file. */
2671 if (NULL != CONFIG_TLS_CRL_FILE)
2672 {
2673 X509_STORE *store_cert;
2674 X509_LOOKUP *lookup_cert;
2675 int count_cert;
2676
2677 store_cert = SSL_CTX_get_cert_store(ctx_cert);
2678
2679 if (NULL == (lookup_cert = X509_STORE_add_lookup(store_cert, X509_LOOKUP_file())))
2680 {
2681 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_add_lookup() #%d failed"
2682 " when loading CRL(s) from file \"%s\":", 1, CONFIG_TLS_CRL_FILE);
2683 goto out;
2684 }
2685
2686 if (0 >= (count_cert = X509_load_crl_file(lookup_cert, CONFIG_TLS_CRL_FILE, X509_FILETYPE_PEM)))
2687 {
2688 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CRL(s) from file \"%s\":",
2689 CONFIG_TLS_CRL_FILE);
2690 goto out;
2691 }
2692
2693 if (1 != X509_STORE_set_flags(store_cert, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL))
2694 {
2695 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_set_flags() #%d failed when"
2696 " loading CRL(s) from file \"%s\":", 1, CONFIG_TLS_CRL_FILE);
2697 goto out;
2698 }
2699 #if defined(HAVE_OPENSSL_WITH_PSK)
2700 if (NULL != ctx_all)
2701 {
2702 X509_STORE *store_all;
2703 X509_LOOKUP *lookup_all;
2704 int count_all;
2705
2706 store_all = SSL_CTX_get_cert_store(ctx_all);
2707
2708 if (NULL == (lookup_all = X509_STORE_add_lookup(store_all, X509_LOOKUP_file())))
2709 {
2710 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_add_lookup() #%d"
2711 " failed when loading CRL(s) from file \"%s\":", 2,
2712 CONFIG_TLS_CRL_FILE);
2713 goto out;
2714 }
2715
2716 if (0 >= (count_all = X509_load_crl_file(lookup_all, CONFIG_TLS_CRL_FILE, X509_FILETYPE_PEM)))
2717 {
2718 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CRL(s) from file"
2719 " \"%s\":", CONFIG_TLS_CRL_FILE);
2720 goto out;
2721 }
2722
2723 if (count_cert != count_all)
2724 {
2725 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "number of CRL(s) loaded from"
2726 " file \"%s\" does not match: %d and %d", CONFIG_TLS_CRL_FILE,
2727 count_cert, count_all);
2728 goto out1;
2729 }
2730
2731 if (1 != X509_STORE_set_flags(store_all, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL))
2732 {
2733 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_set_flags() #%d"
2734 " failed when loading CRL(s) from file \"%s\":", 2,
2735 CONFIG_TLS_CRL_FILE);
2736 goto out;
2737 }
2738 }
2739 #endif
2740 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded %d CRL(s) from file \"%s\"", __func__, count_cert,
2741 CONFIG_TLS_CRL_FILE);
2742 }
2743
2744 /* 'TLSCertFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
2745 /* Load certificate. */
2746 if (NULL != CONFIG_TLS_CERT_FILE)
2747 {
2748 #if defined(HAVE_OPENSSL_WITH_PSK)
2749 if (1 != SSL_CTX_use_certificate_chain_file(ctx_cert, CONFIG_TLS_CERT_FILE) || (NULL != ctx_all &&
2750 1 != SSL_CTX_use_certificate_chain_file(ctx_all, CONFIG_TLS_CERT_FILE)))
2751 #else
2752 if (1 != SSL_CTX_use_certificate_chain_file(ctx_cert, CONFIG_TLS_CERT_FILE))
2753 #endif
2754 {
2755 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load certificate(s) from file"
2756 " \"%s\":", CONFIG_TLS_CERT_FILE);
2757 goto out;
2758 }
2759
2760 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded certificate(s) from file \"%s\"", __func__,
2761 CONFIG_TLS_CERT_FILE);
2762 }
2763
2764 /* 'TLSKeyFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
2765 /* Load private key. */
2766 if (NULL != CONFIG_TLS_KEY_FILE)
2767 {
2768 #if defined(HAVE_OPENSSL_WITH_PSK)
2769 if (1 != SSL_CTX_use_PrivateKey_file(ctx_cert, CONFIG_TLS_KEY_FILE, SSL_FILETYPE_PEM) ||
2770 (NULL != ctx_all && 1 != SSL_CTX_use_PrivateKey_file(ctx_all, CONFIG_TLS_KEY_FILE,
2771 SSL_FILETYPE_PEM)))
2772 #else
2773 if (1 != SSL_CTX_use_PrivateKey_file(ctx_cert, CONFIG_TLS_KEY_FILE, SSL_FILETYPE_PEM))
2774 #endif
2775 {
2776 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load private key from file"
2777 " \"%s\":", CONFIG_TLS_KEY_FILE);
2778 goto out;
2779 }
2780
2781 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded private key from file \"%s\"", __func__, CONFIG_TLS_KEY_FILE);
2782
2783 if (1 != SSL_CTX_check_private_key(ctx_cert))
2784 {
2785 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "certificate and private key do not"
2786 " match:");
2787 goto out;
2788 }
2789 }
2790
2791 /* 'TLSPSKIdentity' and 'TLSPSKFile' parameters (in zabbix_proxy.conf, zabbix_agentd.conf). */
2792 /* Load pre-shared key and identity to be used with the pre-shared key. */
2793 if (NULL != CONFIG_TLS_PSK_FILE)
2794 {
2795 my_psk_identity = CONFIG_TLS_PSK_IDENTITY;
2796 my_psk_identity_len = strlen(my_psk_identity);
2797
2798 zbx_check_psk_identity_len(my_psk_identity_len);
2799
2800 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK identity \"%s\"", __func__, CONFIG_TLS_PSK_IDENTITY);
2801
2802 zbx_read_psk_file();
2803
2804 zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK from file \"%s\"", __func__, CONFIG_TLS_PSK_FILE);
2805 }
2806 #if defined(HAVE_OPENSSL_WITH_PSK)
2807 /* set up PSK global variables for client callback if PSK comes only from configuration file or command line */
2808
2809 if (NULL != ctx_psk && 0 != (program_type & (ZBX_PROGRAM_TYPE_AGENTD | ZBX_PROGRAM_TYPE_SENDER |
2810 ZBX_PROGRAM_TYPE_GET)))
2811 {
2812 psk_identity_for_cb = my_psk_identity;
2813 psk_identity_len_for_cb = my_psk_identity_len;
2814 psk_for_cb = my_psk;
2815 psk_len_for_cb = my_psk_len;
2816 }
2817 #endif
2818 if (NULL != ctx_cert)
2819 {
2820 const char *ciphers;
2821
2822 SSL_CTX_set_info_callback(ctx_cert, zbx_openssl_info_cb);
2823
2824 /* we're using blocking sockets, deal with renegotiations automatically */
2825 SSL_CTX_set_mode(ctx_cert, SSL_MODE_AUTO_RETRY);
2826
2827 /* use server ciphersuite preference, do not use RFC 4507 ticket extension */
2828 SSL_CTX_set_options(ctx_cert, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
2829
2830 /* do not connect to unpatched servers */
2831 SSL_CTX_clear_options(ctx_cert, SSL_OP_LEGACY_SERVER_CONNECT);
2832
2833 /* disable session caching */
2834 SSL_CTX_set_session_cache_mode(ctx_cert, SSL_SESS_CACHE_OFF);
2835
2836 /* try to enable ECDH ciphersuites */
2837 if (SUCCEED == zbx_set_ecdhe_parameters(ctx_cert))
2838 ciphers = ZBX_CIPHERS_CERT_ECDHE ZBX_CIPHERS_CERT;
2839 else
2840 ciphers = ZBX_CIPHERS_CERT;
2841
2842 /* override TLS 1.3 certificate ciphersuites with user-defined settings */
2843 if (NULL != CONFIG_TLS_CIPHER_CERT13 || NULL != CONFIG_TLS_CIPHER_CMD13)
2844 {
2845 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* only OpenSSL 1.1.1 or newer */
2846 const char *override_ciphers = CONFIG_TLS_CIPHER_CERT13; /* can be NULL */
2847
2848 if (NULL != CONFIG_TLS_CIPHER_CMD13 && ZBX_TCP_SEC_TLS_CERT == configured_tls_connect_mode)
2849 override_ciphers = CONFIG_TLS_CIPHER_CMD13;
2850
2851 if (NULL != override_ciphers && 1 != SSL_CTX_set_ciphersuites(ctx_cert, override_ciphers))
2852 {
2853 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
2854 " certificate ciphersuites from \"TLSCipherCert13\" or"
2855 " \"--tls-cipher13\" parameter:");
2856 goto out;
2857 }
2858 #else
2859 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
2860 " certificate ciphersuites: compiled with OpenSSL version older than 1.1.1 or"
2861 " with LibreSSL. Consider not using parameters \"TLSCipherCert13\" or"
2862 " \"--tls-cipher13\"");
2863 goto out1;
2864 #endif
2865 }
2866
2867 /* override TLS 1.2 certificate ciphersuites with user-defined settings */
2868 if (NULL != CONFIG_TLS_CIPHER_CERT || NULL != CONFIG_TLS_CIPHER_CMD)
2869 {
2870 const char *override_ciphers = CONFIG_TLS_CIPHER_CERT; /* can be NULL */
2871
2872 if (NULL != CONFIG_TLS_CIPHER_CMD && ZBX_TCP_SEC_TLS_CERT == configured_tls_connect_mode)
2873 override_ciphers = CONFIG_TLS_CIPHER_CMD;
2874
2875 if (NULL != override_ciphers && 1 != SSL_CTX_set_cipher_list(ctx_cert, override_ciphers))
2876 {
2877 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
2878 " certificate ciphersuites from \"TLSCipherCert\" or \"--tls-cipher\""
2879 " parameter:");
2880 goto out;
2881 }
2882 }
2883 else if (1 != SSL_CTX_set_cipher_list(ctx_cert, ciphers))
2884 {
2885 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of certificate"
2886 " ciphersuites:");
2887 goto out;
2888 }
2889
2890 zbx_log_ciphersuites(__func__, "certificate", ctx_cert);
2891 }
2892 #if defined(HAVE_OPENSSL_WITH_PSK)
2893 if (NULL != ctx_psk)
2894 {
2895 const char *ciphers;
2896
2897 SSL_CTX_set_info_callback(ctx_psk, zbx_openssl_info_cb);
2898
2899 if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD |
2900 ZBX_PROGRAM_TYPE_SENDER | ZBX_PROGRAM_TYPE_GET)))
2901 {
2902 SSL_CTX_set_psk_client_callback(ctx_psk, zbx_psk_client_cb);
2903 }
2904
2905 if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD)))
2906 SSL_CTX_set_psk_server_callback(ctx_psk, zbx_psk_server_cb);
2907
2908 SSL_CTX_set_mode(ctx_psk, SSL_MODE_AUTO_RETRY);
2909 SSL_CTX_set_options(ctx_psk, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
2910 SSL_CTX_clear_options(ctx_psk, SSL_OP_LEGACY_SERVER_CONNECT);
2911 SSL_CTX_set_session_cache_mode(ctx_psk, SSL_SESS_CACHE_OFF);
2912
2913 if ('\0' != *ZBX_CIPHERS_PSK_ECDHE && SUCCEED == zbx_set_ecdhe_parameters(ctx_psk))
2914 ciphers = ZBX_CIPHERS_PSK_ECDHE ZBX_CIPHERS_PSK;
2915 else
2916 ciphers = ZBX_CIPHERS_PSK;
2917
2918 /* override TLS 1.3 PSK ciphersuites with user-defined settings */
2919 if (NULL != CONFIG_TLS_CIPHER_PSK13 || NULL != CONFIG_TLS_CIPHER_CMD13)
2920 {
2921 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
2922 const char *override_ciphers = CONFIG_TLS_CIPHER_PSK13; /* can be NULL */
2923
2924 if (NULL != CONFIG_TLS_CIPHER_CMD13 && ZBX_TCP_SEC_TLS_PSK == configured_tls_connect_mode)
2925 override_ciphers = CONFIG_TLS_CIPHER_CMD13;
2926
2927 if (NULL != override_ciphers && 1 != SSL_CTX_set_ciphersuites(ctx_psk, override_ciphers))
2928 {
2929 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
2930 " PSK ciphersuites from \"TLSCipherPSK13\" or \"--tls-cipher13\""
2931 " parameter:");
2932 goto out;
2933 }
2934 #else
2935 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
2936 " PSK ciphersuites: compiled with OpenSSL version older than 1.1.1."
2937 " Consider not using parameters \"TLSCipherPSK13\" or \"--tls-cipher13\"");
2938 goto out1;
2939 #endif
2940 }
2941 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
2942 else if (1 != SSL_CTX_set_ciphersuites(ctx_psk, ZBX_CIPHERS_PSK_TLS13))
2943 {
2944 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of PSK TLS 1.3"
2945 " ciphersuites:");
2946 goto out;
2947 }
2948 #endif
2949 /* override TLS 1.2 PSK ciphersuites with user-defined settings */
2950 if (NULL != CONFIG_TLS_CIPHER_PSK || NULL != CONFIG_TLS_CIPHER_CMD)
2951 {
2952 const char *override_ciphers = CONFIG_TLS_CIPHER_PSK; /* can be NULL */
2953
2954 if (NULL != CONFIG_TLS_CIPHER_CMD && ZBX_TCP_SEC_TLS_PSK == configured_tls_connect_mode)
2955 override_ciphers = CONFIG_TLS_CIPHER_CMD;
2956
2957 if (NULL != override_ciphers && 1 != SSL_CTX_set_cipher_list(ctx_psk, override_ciphers))
2958 {
2959 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
2960 " PSK ciphersuites from \"TLSCipherPSK\" or \"--tls-cipher\""
2961 " parameter:");
2962 goto out;
2963 }
2964 }
2965 else if (1 != SSL_CTX_set_cipher_list(ctx_psk, ciphers))
2966 {
2967 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of PSK ciphersuites:");
2968 goto out;
2969 }
2970
2971 zbx_log_ciphersuites(__func__, "PSK", ctx_psk);
2972 }
2973
2974 if (NULL != ctx_all)
2975 {
2976 const char *ciphers;
2977
2978 SSL_CTX_set_info_callback(ctx_all, zbx_openssl_info_cb);
2979
2980 if (0 != (program_type & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD)))
2981 SSL_CTX_set_psk_server_callback(ctx_all, zbx_psk_server_cb);
2982
2983 SSL_CTX_set_mode(ctx_all, SSL_MODE_AUTO_RETRY);
2984 SSL_CTX_set_options(ctx_all, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
2985 SSL_CTX_clear_options(ctx_all, SSL_OP_LEGACY_SERVER_CONNECT);
2986 SSL_CTX_set_session_cache_mode(ctx_all, SSL_SESS_CACHE_OFF);
2987
2988 if (SUCCEED == zbx_set_ecdhe_parameters(ctx_all))
2989 ciphers = ZBX_CIPHERS_CERT_ECDHE ZBX_CIPHERS_CERT ":" ZBX_CIPHERS_PSK_ECDHE ZBX_CIPHERS_PSK;
2990 else
2991 ciphers = ZBX_CIPHERS_CERT ":" ZBX_CIPHERS_PSK;
2992
2993 /* override TLS 1.3 ciphersuites with user-defined setting */
2994 if (NULL != CONFIG_TLS_CIPHER_ALL13)
2995 {
2996 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
2997 if (1 != SSL_CTX_set_ciphersuites(ctx_all, CONFIG_TLS_CIPHER_ALL13))
2998 {
2999 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
3000 " ciphersuites from \"TLSCipherAll13\" parameter:");
3001 goto out;
3002 }
3003 #else
3004 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
3005 " ciphersuites: compiled with OpenSSL version older than 1.1.1."
3006 " Consider not using parameter \"TLSCipherAll13\"");
3007 goto out1;
3008 #endif
3009 }
3010
3011 /* override TLS 1.2 ciphersuites with user-defined setting */
3012 if (NULL != CONFIG_TLS_CIPHER_ALL)
3013 {
3014 if (1 != SSL_CTX_set_cipher_list(ctx_all, CONFIG_TLS_CIPHER_ALL))
3015 {
3016 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
3017 " ciphersuites from \"TLSCipherAll\" parameter:");
3018 goto out;
3019 }
3020 }
3021 else if (1 != SSL_CTX_set_cipher_list(ctx_all, ciphers))
3022 {
3023 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of all ciphersuites:");
3024 goto out;
3025 }
3026
3027 zbx_log_ciphersuites(__func__, "certificate and PSK", ctx_all);
3028 }
3029
3030 if (NULL == ctx_psk)
3031 {
3032 /* cannot override TLS 1.3 PSK ciphersuites */
3033 if (NULL != CONFIG_TLS_CIPHER_PSK13)
3034 {
3035 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
3036 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK13\" cannot"
3037 " be applied: the list of PSK ciphersuites is not used");
3038 #else
3039 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK13\" cannot"
3040 " be applied: compiled with OpenSSL version older than 1.1.1");
3041 #endif
3042 goto out1;
3043 }
3044
3045 /* cannot override TLS 1.2 PSK ciphersuites */
3046 if (NULL != CONFIG_TLS_CIPHER_PSK)
3047 {
3048 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK\" cannot"
3049 " be applied: the list of PSK ciphersuites is not used");
3050 goto out1;
3051 }
3052 }
3053
3054 if (NULL == ctx_all)
3055 {
3056 /* cannot override TLS 1.3 ciphersuites */
3057 if (NULL != CONFIG_TLS_CIPHER_ALL13)
3058 {
3059 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
3060 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll13\" cannot"
3061 " be applied: the combined list of certificate and PSK ciphersuites is"
3062 " not used. Most likely parameters \"TLSCipherCert13\" and/or \"TLSCipherPSK13\""
3063 " are sufficient");
3064 #else
3065 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll13\" cannot"
3066 " be applied: compiled with OpenSSL version older than 1.1.1");
3067 #endif
3068 goto out1;
3069 }
3070
3071 /* cannot override TLS 1.2 ciphersuites */
3072 if (NULL != CONFIG_TLS_CIPHER_ALL)
3073 {
3074 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll\" cannot"
3075 " be applied: the combined list of certificate and PSK ciphersuites is"
3076 " not used. Most likely parameters \"TLSCipherCert\" and/or \"TLSCipherPSK\""
3077 " are sufficient");
3078 goto out1;
3079 }
3080 }
3081 #else /* HAVE_OPENSSL_WITH_PSK is not defined */
3082 /* cannot use TLSCipherPSK13, TLSCipherPSK, TLSCipherAll13 and TLSCipherAll13 parameters */
3083 /* if PSK is not supported by crypto library */
3084 if (NULL != CONFIG_TLS_CIPHER_PSK13 || NULL != CONFIG_TLS_CIPHER_PSK ||
3085 NULL != CONFIG_TLS_CIPHER_ALL13 || NULL != CONFIG_TLS_CIPHER_ALL)
3086 {
3087 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "at least one of parameters TLSCipherPSK13,"
3088 " TLSCipherPSK, TLSCipherAll13 or TLSCipherAll is defined. These parameters must not"
3089 " be defined because the program is compiled with OpenSSL without PSK support or"
3090 " LibreSSL");
3091 goto out1;
3092 }
3093 #endif /* defined(HAVE_OPENSSL_WITH_PSK) */
3094 #ifndef _WINDOWS
3095 sigprocmask(SIG_SETMASK, &orig_mask, NULL);
3096 #endif
3097 zabbix_log(LOG_LEVEL_DEBUG, "End of %s()", __func__);
3098
3099 return;
3100
3101 out_method:
3102 zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot initialize TLS method:");
3103 out:
3104 zbx_tls_error_msg(&error, &error_alloc, &error_offset);
3105 out1:
3106 zabbix_log(LOG_LEVEL_CRIT, "%s", error);
3107 zbx_free(error);
3108 zbx_tls_free();
3109 exit(EXIT_FAILURE);
3110
3111 #undef ZBX_CIPHERS_CERT_ECDHE
3112 #undef ZBX_CIPHERS_CERT
3113 #undef ZBX_CIPHERS_PSK_ECDHE
3114 #undef ZBX_CIPHERS_PSK
3115 #undef ZBX_CIPHERS_PSK_TLS13
3116 }
3117 #endif
3118
3119 /******************************************************************************
3120 * *
3121 * Function: zbx_tls_free_on_signal *
3122 * *
3123 * Purpose: TLS cleanup for using in signal handlers *
3124 * *
3125 ******************************************************************************/
zbx_tls_free_on_signal(void)3126 void zbx_tls_free_on_signal(void)
3127 {
3128 if (NULL != my_psk)
3129 zbx_guaranteed_memset(my_psk, 0, my_psk_len);
3130 }
3131
3132 /******************************************************************************
3133 * *
3134 * Function: zbx_tls_free *
3135 * *
3136 * Purpose: release TLS library resources allocated in zbx_tls_init_parent() *
3137 * and zbx_tls_init_child() *
3138 * *
3139 ******************************************************************************/
zbx_tls_free(void)3140 void zbx_tls_free(void)
3141 {
3142 #if defined(HAVE_GNUTLS)
3143 if (NULL != my_cert_creds)
3144 {
3145 gnutls_certificate_free_credentials(my_cert_creds);
3146 my_cert_creds = NULL;
3147 }
3148
3149 if (NULL != my_psk_client_creds)
3150 {
3151 gnutls_psk_free_client_credentials(my_psk_client_creds);
3152 my_psk_client_creds = NULL;
3153 }
3154
3155 if (NULL != my_psk_server_creds)
3156 {
3157 gnutls_psk_free_server_credentials(my_psk_server_creds);
3158 my_psk_server_creds = NULL;
3159 }
3160
3161 /* In GnuTLS versions 2.8.x (RHEL 6 uses v.2.8.5 ?) gnutls_priority_init() in case of error does not release */
3162 /* memory allocated for 'ciphersuites_psk' but releasing it by gnutls_priority_deinit() causes crash. In */
3163 /* GnuTLS versions 3.0.x - 3.1.x (RHEL 7 uses v.3.1.18 ?) gnutls_priority_init() in case of error does */
3164 /* release memory allocated for 'ciphersuites_psk' but does not set pointer to NULL. Newer GnuTLS versions */
3165 /* (e.g. 3.3.8) in case of error in gnutls_priority_init() do release memory and set pointer to NULL. */
3166 /* Therefore we cannot reliably release this memory using the pointer. So, we leave the memory to be cleaned */
3167 /* up by OS - we are in the process of exiting and the data is not secret. */
3168
3169 /* do not release 'ciphersuites_cert', 'ciphersuites_psk' and 'ciphersuites_all' here using */
3170 /* gnutls_priority_deinit() */
3171
3172 if (NULL != my_psk)
3173 {
3174 zbx_guaranteed_memset(my_psk, 0, my_psk_len);
3175 my_psk_len = 0;
3176 zbx_free(my_psk);
3177 }
3178
3179 #if !defined(_WINDOWS)
3180 zbx_tls_library_deinit();
3181 #endif
3182 #elif defined(HAVE_OPENSSL)
3183 if (NULL != ctx_cert)
3184 SSL_CTX_free(ctx_cert);
3185
3186 #if defined(HAVE_OPENSSL_WITH_PSK)
3187 if (NULL != ctx_psk)
3188 SSL_CTX_free(ctx_psk);
3189
3190 if (NULL != ctx_all)
3191 SSL_CTX_free(ctx_all);
3192 #endif
3193 if (NULL != my_psk)
3194 {
3195 zbx_guaranteed_memset(my_psk, 0, my_psk_len);
3196 my_psk_len = 0;
3197 zbx_free(my_psk);
3198 }
3199
3200 #if !defined(_WINDOWS)
3201 zbx_tls_library_deinit();
3202 #endif
3203 #endif
3204 }
3205
3206 /******************************************************************************
3207 * *
3208 * Function: zbx_tls_connect *
3209 * *
3210 * Purpose: establish a TLS connection over an established TCP connection *
3211 * *
3212 * Parameters: *
3213 * s - [IN] socket with opened connection *
3214 * error - [OUT] dynamically allocated memory with error message *
3215 * tls_connect - [IN] how to connect. Allowed values: *
3216 * ZBX_TCP_SEC_TLS_CERT, ZBX_TCP_SEC_TLS_PSK. *
3217 * tls_arg1 - [IN] required issuer of peer certificate (may be NULL *
3218 * or empty string if not important) or PSK identity *
3219 * to connect with depending on value of *
3220 * 'tls_connect'. *
3221 * tls_arg2 - [IN] required subject of peer certificate (may be NULL *
3222 * or empty string if not important) or PSK *
3223 * (in hex-string) to connect with depending on value *
3224 * of 'tls_connect'. *
3225 * *
3226 * Return value: *
3227 * SUCCEED - successful TLS handshake with a valid certificate or PSK *
3228 * FAIL - an error occurred *
3229 * *
3230 ******************************************************************************/
3231 #if defined(HAVE_GNUTLS)
zbx_tls_connect(zbx_socket_t * s,unsigned int tls_connect,const char * tls_arg1,const char * tls_arg2,char ** error)3232 int zbx_tls_connect(zbx_socket_t *s, unsigned int tls_connect, const char *tls_arg1, const char *tls_arg2,
3233 char **error)
3234 {
3235 int ret = FAIL, res;
3236 #if defined(_WINDOWS)
3237 double sec;
3238 #endif
3239
3240 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3241 {
3242 zabbix_log(LOG_LEVEL_DEBUG, "In %s(): issuer:\"%s\" subject:\"%s\"", __func__,
3243 ZBX_NULL2EMPTY_STR(tls_arg1), ZBX_NULL2EMPTY_STR(tls_arg2));
3244 }
3245 else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)
3246 {
3247 zabbix_log(LOG_LEVEL_DEBUG, "In %s(): psk_identity:\"%s\"", __func__, ZBX_NULL2EMPTY_STR(tls_arg1));
3248 }
3249 else
3250 {
3251 *error = zbx_strdup(*error, "invalid connection parameters");
3252 THIS_SHOULD_NEVER_HAPPEN;
3253 goto out1;
3254 }
3255
3256 /* set up TLS context */
3257
3258 s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
3259 s->tls_ctx->ctx = NULL;
3260 s->tls_ctx->psk_client_creds = NULL;
3261 s->tls_ctx->psk_server_creds = NULL;
3262
3263 if (GNUTLS_E_SUCCESS != (res = gnutls_init(&s->tls_ctx->ctx, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS)))
3264 /* GNUTLS_NO_EXTENSIONS is used because we do not currently support extensions (e.g. session */
3265 /* tickets and OCSP) */
3266 {
3267 *error = zbx_dsprintf(*error, "gnutls_init() failed: %d %s", res, gnutls_strerror(res));
3268 goto out;
3269 }
3270
3271 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3272 {
3273 if (NULL == ciphersuites_cert)
3274 {
3275 *error = zbx_strdup(*error, "cannot connect with TLS and certificate: no valid certificate"
3276 " loaded");
3277 goto out;
3278 }
3279
3280 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_cert)))
3281 {
3282 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_cert' failed: %d %s",
3283 res, gnutls_strerror(res));
3284 goto out;
3285 }
3286
3287 if (GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx, GNUTLS_CRD_CERTIFICATE,
3288 my_cert_creds)))
3289 {
3290 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for certificate failed: %d %s", res,
3291 gnutls_strerror(res));
3292 goto out;
3293 }
3294 }
3295 else /* use a pre-shared key */
3296 {
3297 if (NULL == ciphersuites_psk)
3298 {
3299 *error = zbx_strdup(*error, "cannot connect with TLS and PSK: no valid PSK loaded");
3300 goto out;
3301 }
3302
3303 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_psk)))
3304 {
3305 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_psk' failed: %d %s", res,
3306 gnutls_strerror(res));
3307 goto out;
3308 }
3309
3310 if (NULL == tls_arg2) /* PSK is not set from DB */
3311 {
3312 /* set up the PSK from a configuration file (always in agentd and a case in active proxy */
3313 /* when it connects to server) */
3314
3315 if (GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx, GNUTLS_CRD_PSK,
3316 my_psk_client_creds)))
3317 {
3318 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for psk failed: %d %s", res,
3319 gnutls_strerror(res));
3320 goto out;
3321 }
3322 }
3323 else
3324 {
3325 /* PSK comes from a database (case for a server/proxy when it connects to an agent for */
3326 /* passive checks, for a server when it connects to a passive proxy) */
3327
3328 gnutls_datum_t key;
3329 int psk_len;
3330 unsigned char psk_buf[HOST_TLS_PSK_LEN / 2];
3331
3332 if (0 >= (psk_len = zbx_hex2bin((const unsigned char *)tls_arg2, psk_buf, sizeof(psk_buf))))
3333 {
3334 *error = zbx_strdup(*error, "invalid PSK");
3335 goto out;
3336 }
3337
3338 if (GNUTLS_E_SUCCESS != (res = gnutls_psk_allocate_client_credentials(
3339 &s->tls_ctx->psk_client_creds)))
3340 {
3341 *error = zbx_dsprintf(*error, "gnutls_psk_allocate_client_credentials() failed: %d %s",
3342 res, gnutls_strerror(res));
3343 goto out;
3344 }
3345
3346 key.data = psk_buf;
3347 key.size = (unsigned int)psk_len;
3348
3349 /* Simplified. 'tls_arg1' (PSK identity) should have been prepared as required by RFC 4518. */
3350 if (GNUTLS_E_SUCCESS != (res = gnutls_psk_set_client_credentials(s->tls_ctx->psk_client_creds,
3351 tls_arg1, &key, GNUTLS_PSK_KEY_RAW)))
3352 {
3353 *error = zbx_dsprintf(*error, "gnutls_psk_set_client_credentials() failed: %d %s", res,
3354 gnutls_strerror(res));
3355 goto out;
3356 }
3357
3358 if (GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx, GNUTLS_CRD_PSK,
3359 s->tls_ctx->psk_client_creds)))
3360 {
3361 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for psk failed: %d %s", res,
3362 gnutls_strerror(res));
3363 goto out;
3364 }
3365 }
3366 }
3367
3368 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_TRACE))
3369 {
3370 /* set our own debug callback function */
3371 gnutls_global_set_log_function(zbx_gnutls_debug_cb);
3372
3373 /* for Zabbix LOG_LEVEL_TRACE, GnuTLS debug level 4 seems the best */
3374 /* (the highest GnuTLS debug level is 9) */
3375 gnutls_global_set_log_level(4);
3376 }
3377 else
3378 gnutls_global_set_log_level(0); /* restore default log level */
3379
3380 /* set our own callback function to log issues into Zabbix log */
3381 gnutls_global_set_audit_log_function(zbx_gnutls_audit_cb);
3382
3383 gnutls_transport_set_int(s->tls_ctx->ctx, ZBX_SOCKET_TO_INT(s->socket));
3384
3385 /* TLS handshake */
3386
3387 #if defined(_WINDOWS)
3388 zbx_alarm_flag_clear();
3389 sec = zbx_time();
3390 #endif
3391 while (GNUTLS_E_SUCCESS != (res = gnutls_handshake(s->tls_ctx->ctx)))
3392 {
3393 #if defined(_WINDOWS)
3394 if (s->timeout < zbx_time() - sec)
3395 zbx_alarm_flag_set();
3396 #endif
3397 if (SUCCEED == zbx_alarm_timed_out())
3398 {
3399 *error = zbx_strdup(*error, "gnutls_handshake() timed out");
3400 goto out;
3401 }
3402
3403 if (GNUTLS_E_INTERRUPTED == res || GNUTLS_E_AGAIN == res)
3404 {
3405 continue;
3406 }
3407 else if (GNUTLS_E_WARNING_ALERT_RECEIVED == res || GNUTLS_E_FATAL_ALERT_RECEIVED == res)
3408 {
3409 const char *msg;
3410 int alert;
3411
3412 /* server sent an alert to us */
3413 alert = gnutls_alert_get(s->tls_ctx->ctx);
3414
3415 if (NULL == (msg = gnutls_alert_get_name(alert)))
3416 msg = "unknown";
3417
3418 if (GNUTLS_E_WARNING_ALERT_RECEIVED == res)
3419 {
3420 zabbix_log(LOG_LEVEL_WARNING, "%s() gnutls_handshake() received a warning alert: %d %s",
3421 __func__, alert, msg);
3422 continue;
3423 }
3424 else /* GNUTLS_E_FATAL_ALERT_RECEIVED */
3425 {
3426 *error = zbx_dsprintf(*error, "%s(): gnutls_handshake() failed with fatal alert: %d %s",
3427 __func__, alert, msg);
3428 goto out;
3429 }
3430 }
3431 else
3432 {
3433 int level;
3434
3435 /* log "peer has closed connection" case with debug level */
3436 level = (GNUTLS_E_PREMATURE_TERMINATION == res ? LOG_LEVEL_DEBUG : LOG_LEVEL_WARNING);
3437
3438 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(level))
3439 {
3440 zabbix_log(level, "%s() gnutls_handshake() returned: %d %s",
3441 __func__, res, gnutls_strerror(res));
3442 }
3443
3444 if (0 != gnutls_error_is_fatal(res))
3445 {
3446 *error = zbx_dsprintf(*error, "%s(): gnutls_handshake() failed: %d %s",
3447 __func__, res, gnutls_strerror(res));
3448 goto out;
3449 }
3450 }
3451 }
3452
3453 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3454 {
3455 /* log peer certificate information for debugging */
3456 zbx_log_peer_cert(__func__, s->tls_ctx);
3457
3458 /* perform basic verification of peer certificate */
3459 if (SUCCEED != zbx_verify_peer_cert(s->tls_ctx->ctx, error))
3460 {
3461 zbx_tls_close(s);
3462 goto out1;
3463 }
3464
3465 /* if required verify peer certificate Issuer and Subject */
3466 if (SUCCEED != zbx_verify_issuer_subject(s->tls_ctx, tls_arg1, tls_arg2, error))
3467 {
3468 zbx_tls_close(s);
3469 goto out1;
3470 }
3471 }
3472
3473 s->connection_type = tls_connect;
3474
3475 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s-%s-%s-" ZBX_FS_SIZE_T ")", __func__,
3476 gnutls_protocol_get_name(gnutls_protocol_get_version(s->tls_ctx->ctx)),
3477 gnutls_kx_get_name(gnutls_kx_get(s->tls_ctx->ctx)),
3478 gnutls_cipher_get_name(gnutls_cipher_get(s->tls_ctx->ctx)),
3479 gnutls_mac_get_name(gnutls_mac_get(s->tls_ctx->ctx)),
3480 (zbx_fs_size_t)gnutls_mac_get_key_size(gnutls_mac_get(s->tls_ctx->ctx)));
3481
3482 return SUCCEED;
3483
3484 out: /* an error occurred */
3485 if (NULL != s->tls_ctx->ctx)
3486 {
3487 gnutls_credentials_clear(s->tls_ctx->ctx);
3488 gnutls_deinit(s->tls_ctx->ctx);
3489 }
3490
3491 if (NULL != s->tls_ctx->psk_client_creds)
3492 gnutls_psk_free_client_credentials(s->tls_ctx->psk_client_creds);
3493
3494 zbx_free(s->tls_ctx);
3495 out1:
3496 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
3497 ZBX_NULL2EMPTY_STR(*error));
3498 return ret;
3499 }
3500 #elif defined(HAVE_OPENSSL)
zbx_tls_connect(zbx_socket_t * s,unsigned int tls_connect,const char * tls_arg1,const char * tls_arg2,char ** error)3501 int zbx_tls_connect(zbx_socket_t *s, unsigned int tls_connect, const char *tls_arg1, const char *tls_arg2,
3502 char **error)
3503 {
3504 int ret = FAIL, res;
3505 size_t error_alloc = 0, error_offset = 0;
3506 #if defined(_WINDOWS)
3507 double sec;
3508 #endif
3509 #if defined(HAVE_OPENSSL_WITH_PSK)
3510 char psk_buf[HOST_TLS_PSK_LEN / 2];
3511 #endif
3512
3513 s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
3514 s->tls_ctx->ctx = NULL;
3515
3516 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3517 {
3518 zabbix_log(LOG_LEVEL_DEBUG, "In %s(): issuer:\"%s\" subject:\"%s\"", __func__,
3519 ZBX_NULL2EMPTY_STR(tls_arg1), ZBX_NULL2EMPTY_STR(tls_arg2));
3520
3521 if (NULL == ctx_cert)
3522 {
3523 *error = zbx_strdup(*error, "cannot connect with TLS and certificate: no valid certificate"
3524 " loaded");
3525 goto out;
3526 }
3527
3528 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
3529 {
3530 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create connection context:");
3531 zbx_tls_error_msg(error, &error_alloc, &error_offset);
3532 goto out;
3533 }
3534 }
3535 else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)
3536 {
3537 zabbix_log(LOG_LEVEL_DEBUG, "In %s(): psk_identity:\"%s\"", __func__, ZBX_NULL2EMPTY_STR(tls_arg1));
3538
3539 #if defined(HAVE_OPENSSL_WITH_PSK)
3540 if (NULL == ctx_psk)
3541 {
3542 *error = zbx_strdup(*error, "cannot connect with TLS and PSK: no valid PSK loaded");
3543 goto out;
3544 }
3545
3546 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
3547 {
3548 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create connection context:");
3549 zbx_tls_error_msg(error, &error_alloc, &error_offset);
3550 goto out;
3551 }
3552
3553 if (NULL == tls_arg2) /* PSK is not set from DB */
3554 {
3555 /* Set up PSK global variables from a configuration file (always in agentd and a case when */
3556 /* active proxy connects to server). Here we set it only in case of active proxy */
3557 /* because for other programs it has already been set in zbx_tls_init_child(). */
3558
3559 if (0 != (program_type & ZBX_PROGRAM_TYPE_PROXY_ACTIVE))
3560 {
3561 psk_identity_for_cb = my_psk_identity;
3562 psk_identity_len_for_cb = my_psk_identity_len;
3563 psk_for_cb = my_psk;
3564 psk_len_for_cb = my_psk_len;
3565 }
3566 }
3567 else
3568 {
3569 /* PSK comes from a database (case for a server/proxy when it connects to an agent for */
3570 /* passive checks, for a server when it connects to a passive proxy) */
3571
3572 int psk_len;
3573
3574 if (0 >= (psk_len = zbx_hex2bin((const unsigned char *)tls_arg2, (unsigned char *)psk_buf,
3575 sizeof(psk_buf))))
3576 {
3577 *error = zbx_strdup(*error, "invalid PSK");
3578 goto out;
3579 }
3580
3581 /* some data reside in stack but it will be available at the time when a PSK client callback */
3582 /* function copies the data into buffers provided by OpenSSL within the callback */
3583 psk_identity_for_cb = tls_arg1; /* string is on stack */
3584 /* NULL check to silence analyzer warning */
3585 psk_identity_len_for_cb = (NULL == tls_arg1 ? 0 : strlen(tls_arg1));
3586 psk_for_cb = psk_buf; /* buffer is on stack */
3587 psk_len_for_cb = (size_t)psk_len;
3588 }
3589 #else
3590 *error = zbx_strdup(*error, "cannot connect with TLS and PSK: support for PSK was not compiled in");
3591 goto out;
3592 #endif
3593 }
3594 else
3595 {
3596 *error = zbx_strdup(*error, "invalid connection parameters");
3597 THIS_SHOULD_NEVER_HAPPEN;
3598 goto out1;
3599 }
3600
3601 /* set our connected TCP socket to TLS context */
3602 if (1 != SSL_set_fd(s->tls_ctx->ctx, s->socket))
3603 {
3604 *error = zbx_strdup(*error, "cannot set socket for TLS context");
3605 goto out;
3606 }
3607
3608 /* TLS handshake */
3609
3610 info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
3611 #if defined(_WINDOWS)
3612 zbx_alarm_flag_clear();
3613 sec = zbx_time();
3614 #endif
3615 if (1 != (res = SSL_connect(s->tls_ctx->ctx)))
3616 {
3617 int result_code;
3618
3619 #if defined(_WINDOWS)
3620 if (s->timeout < zbx_time() - sec)
3621 zbx_alarm_flag_set();
3622 #endif
3623 if (SUCCEED == zbx_alarm_timed_out())
3624 {
3625 *error = zbx_strdup(*error, "SSL_connect() timed out");
3626 goto out;
3627 }
3628
3629 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3630 {
3631 long verify_result;
3632
3633 /* In case of certificate error SSL_get_verify_result() provides more helpful diagnostics */
3634 /* than other methods. Include it as first but continue with other diagnostics. */
3635 if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
3636 {
3637 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s: ",
3638 X509_verify_cert_error_string(verify_result));
3639 }
3640 }
3641
3642 result_code = SSL_get_error(s->tls_ctx->ctx, res);
3643
3644 switch (result_code)
3645 {
3646 case SSL_ERROR_NONE: /* handshake successful */
3647 break;
3648 case SSL_ERROR_ZERO_RETURN:
3649 zbx_snprintf_alloc(error, &error_alloc, &error_offset,
3650 "TLS connection has been closed during handshake");
3651 goto out;
3652 case SSL_ERROR_SYSCALL:
3653 if (0 == ERR_peek_error())
3654 {
3655 if (0 == res)
3656 {
3657 zbx_snprintf_alloc(error, &error_alloc, &error_offset,
3658 "connection closed by peer");
3659 }
3660 else if (-1 == res)
3661 {
3662 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "SSL_connect()"
3663 " I/O error: %s",
3664 strerror_from_system(zbx_socket_last_error()));
3665 }
3666 else
3667 {
3668 /* "man SSL_get_error" describes only res == 0 and res == -1 for */
3669 /* SSL_ERROR_SYSCALL case */
3670 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "SSL_connect()"
3671 " returned undocumented code %d", res);
3672 }
3673 }
3674 else
3675 {
3676 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "SSL_connect() set"
3677 " result code to SSL_ERROR_SYSCALL:");
3678 zbx_tls_error_msg(error, &error_alloc, &error_offset);
3679 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s", info_buf);
3680 }
3681 goto out;
3682 case SSL_ERROR_SSL:
3683 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "SSL_connect() set"
3684 " result code to SSL_ERROR_SSL:");
3685 zbx_tls_error_msg(error, &error_alloc, &error_offset);
3686 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s", info_buf);
3687 goto out;
3688 default:
3689 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "SSL_connect() set result code"
3690 " to %d", result_code);
3691 zbx_tls_error_msg(error, &error_alloc, &error_offset);
3692 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s", info_buf);
3693 goto out;
3694 }
3695 }
3696
3697 if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
3698 {
3699 long verify_result;
3700
3701 /* log peer certificate information for debugging */
3702 zbx_log_peer_cert(__func__, s->tls_ctx);
3703
3704 /* perform basic verification of peer certificate */
3705 if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
3706 {
3707 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s",
3708 X509_verify_cert_error_string(verify_result));
3709 zbx_tls_close(s);
3710 goto out1;
3711 }
3712
3713 /* if required verify peer certificate Issuer and Subject */
3714 if (SUCCEED != zbx_verify_issuer_subject(s->tls_ctx, tls_arg1, tls_arg2, error))
3715 {
3716 zbx_tls_close(s);
3717 goto out1;
3718 }
3719 }
3720
3721 s->connection_type = tls_connect;
3722
3723 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s)", __func__,
3724 SSL_get_version(s->tls_ctx->ctx), SSL_get_cipher(s->tls_ctx->ctx));
3725
3726 return SUCCEED;
3727
3728 out: /* an error occurred */
3729 if (NULL != s->tls_ctx->ctx)
3730 SSL_free(s->tls_ctx->ctx);
3731
3732 zbx_free(s->tls_ctx);
3733 out1:
3734 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
3735 ZBX_NULL2EMPTY_STR(*error));
3736 return ret;
3737 }
3738 #endif
3739
3740 /******************************************************************************
3741 * *
3742 * Function: zbx_tls_accept *
3743 * *
3744 * Purpose: establish a TLS connection over an accepted TCP connection *
3745 * *
3746 * Parameters: *
3747 * s - [IN] socket with opened connection *
3748 * error - [OUT] dynamically allocated memory with error message *
3749 * tls_accept - [IN] type of connection to accept. Can be be either *
3750 * ZBX_TCP_SEC_TLS_CERT or ZBX_TCP_SEC_TLS_PSK, or *
3751 * a bitwise 'OR' of both. *
3752 * *
3753 * Return value: *
3754 * SUCCEED - successful TLS handshake with a valid certificate or PSK *
3755 * FAIL - an error occurred *
3756 * *
3757 ******************************************************************************/
3758 #if defined(HAVE_GNUTLS)
zbx_tls_accept(zbx_socket_t * s,unsigned int tls_accept,char ** error)3759 int zbx_tls_accept(zbx_socket_t *s, unsigned int tls_accept, char **error)
3760 {
3761 int ret = FAIL, res;
3762 gnutls_credentials_type_t creds;
3763 #if defined(_WINDOWS)
3764 double sec;
3765 #endif
3766 zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
3767
3768 /* set up TLS context */
3769
3770 s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
3771 s->tls_ctx->ctx = NULL;
3772 s->tls_ctx->psk_client_creds = NULL;
3773 s->tls_ctx->psk_server_creds = NULL;
3774
3775 if (GNUTLS_E_SUCCESS != (res = gnutls_init(&s->tls_ctx->ctx, GNUTLS_SERVER)))
3776 {
3777 *error = zbx_dsprintf(*error, "gnutls_init() failed: %d %s", res, gnutls_strerror(res));
3778 goto out;
3779 }
3780
3781 /* prepare to accept with certificate */
3782
3783 if (0 != (tls_accept & ZBX_TCP_SEC_TLS_CERT))
3784 {
3785 if (NULL != my_cert_creds && GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx,
3786 GNUTLS_CRD_CERTIFICATE, my_cert_creds)))
3787 {
3788 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for certificate failed: %d %s", res,
3789 gnutls_strerror(res));
3790 goto out;
3791 }
3792
3793 /* client certificate is mandatory unless pre-shared key is used */
3794 gnutls_certificate_server_set_request(s->tls_ctx->ctx, GNUTLS_CERT_REQUIRE);
3795 }
3796
3797 /* prepare to accept with pre-shared key */
3798
3799 if (0 != (tls_accept & ZBX_TCP_SEC_TLS_PSK))
3800 {
3801 /* for agentd the only possibility is a PSK from configuration file */
3802 if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD) &&
3803 GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx, GNUTLS_CRD_PSK,
3804 my_psk_server_creds)))
3805 {
3806 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for my_psk_server_creds failed: %d %s",
3807 res, gnutls_strerror(res));
3808 goto out;
3809 }
3810 else if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
3811 {
3812 /* For server or proxy a PSK can come from configuration file or database. */
3813 /* Set up a callback function for finding the requested PSK. */
3814 if (GNUTLS_E_SUCCESS != (res = gnutls_psk_allocate_server_credentials(
3815 &s->tls_ctx->psk_server_creds)))
3816 {
3817 *error = zbx_dsprintf(*error, "gnutls_psk_allocate_server_credentials() for"
3818 " psk_server_creds failed: %d %s", res, gnutls_strerror(res));
3819 goto out;
3820 }
3821
3822 gnutls_psk_set_server_credentials_function(s->tls_ctx->psk_server_creds, zbx_psk_cb);
3823
3824 if (GNUTLS_E_SUCCESS != (res = gnutls_credentials_set(s->tls_ctx->ctx, GNUTLS_CRD_PSK,
3825 s->tls_ctx->psk_server_creds)))
3826 {
3827 *error = zbx_dsprintf(*error, "gnutls_credentials_set() for psk_server_creds failed"
3828 ": %d %s", res, gnutls_strerror(res));
3829 goto out;
3830 }
3831 }
3832 }
3833
3834 /* set up ciphersuites */
3835
3836 if ((ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK) == (tls_accept & (ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK)))
3837 {
3838 /* common case in trapper - be ready for all types of incoming connections */
3839 if (NULL != my_cert_creds)
3840 {
3841 /* it can also be a case in agentd listener - when both certificate and PSK is allowed, e.g. */
3842 /* for switching of TLS connections from PSK to using a certificate */
3843 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_all)))
3844 {
3845 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_all' failed: %d"
3846 " %s", res, gnutls_strerror(res));
3847 goto out;
3848 }
3849 }
3850 else
3851 {
3852 /* assume PSK, although it is not yet known will there be the right PSK available */
3853 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_psk)))
3854 {
3855 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_psk' failed: %d"
3856 " %s", res, gnutls_strerror(res));
3857 goto out;
3858 }
3859 }
3860 }
3861 else if (0 != (tls_accept & ZBX_TCP_SEC_TLS_CERT) && NULL != my_cert_creds)
3862 {
3863 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_cert)))
3864 {
3865 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_cert' failed: %d %s",
3866 res, gnutls_strerror(res));
3867 goto out;
3868 }
3869 }
3870 else if (0 != (tls_accept & ZBX_TCP_SEC_TLS_PSK))
3871 {
3872 if (GNUTLS_E_SUCCESS != (res = gnutls_priority_set(s->tls_ctx->ctx, ciphersuites_psk)))
3873 {
3874 *error = zbx_dsprintf(*error, "gnutls_priority_set() for 'ciphersuites_psk' failed: %d %s", res,
3875 gnutls_strerror(res));
3876 goto out;
3877 }
3878 }
3879
3880 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_TRACE))
3881 {
3882 /* set our own debug callback function */
3883 gnutls_global_set_log_function(zbx_gnutls_debug_cb);
3884
3885 /* for Zabbix LOG_LEVEL_TRACE, GnuTLS debug level 4 seems the best */
3886 /* (the highest GnuTLS debug level is 9) */
3887 gnutls_global_set_log_level(4);
3888 }
3889 else
3890 gnutls_global_set_log_level(0); /* restore default log level */
3891
3892 /* set our own callback function to log issues into Zabbix log */
3893 gnutls_global_set_audit_log_function(zbx_gnutls_audit_cb);
3894
3895 gnutls_transport_set_int(s->tls_ctx->ctx, ZBX_SOCKET_TO_INT(s->socket));
3896
3897 /* TLS handshake */
3898
3899 #if defined(_WINDOWS)
3900 zbx_alarm_flag_clear();
3901 sec = zbx_time();
3902 #endif
3903 while (GNUTLS_E_SUCCESS != (res = gnutls_handshake(s->tls_ctx->ctx)))
3904 {
3905 #if defined(_WINDOWS)
3906 if (s->timeout < zbx_time() - sec)
3907 zbx_alarm_flag_set();
3908 #endif
3909 if (SUCCEED == zbx_alarm_timed_out())
3910 {
3911 *error = zbx_strdup(*error, "gnutls_handshake() timed out");
3912 goto out;
3913 }
3914
3915 if (GNUTLS_E_INTERRUPTED == res || GNUTLS_E_AGAIN == res)
3916 {
3917 continue;
3918 }
3919 else if (GNUTLS_E_WARNING_ALERT_RECEIVED == res || GNUTLS_E_FATAL_ALERT_RECEIVED == res ||
3920 GNUTLS_E_GOT_APPLICATION_DATA == res)
3921 {
3922 const char *msg;
3923 int alert;
3924
3925 /* client sent an alert to us */
3926 alert = gnutls_alert_get(s->tls_ctx->ctx);
3927
3928 if (NULL == (msg = gnutls_alert_get_name(alert)))
3929 msg = "unknown";
3930
3931 if (GNUTLS_E_WARNING_ALERT_RECEIVED == res)
3932 {
3933 zabbix_log(LOG_LEVEL_WARNING, "%s() gnutls_handshake() received a warning alert: %d %s",
3934 __func__, alert, msg);
3935 continue;
3936 }
3937 else if (GNUTLS_E_GOT_APPLICATION_DATA == res)
3938 /* if rehandshake request deal with it as with error */
3939 {
3940 *error = zbx_dsprintf(*error, "%s(): gnutls_handshake() returned"
3941 " GNUTLS_E_GOT_APPLICATION_DATA", __func__);
3942 goto out;
3943 }
3944 else /* GNUTLS_E_FATAL_ALERT_RECEIVED */
3945 {
3946 *error = zbx_dsprintf(*error, "%s(): gnutls_handshake() failed with fatal alert: %d %s",
3947 __func__, alert, msg);
3948 goto out;
3949 }
3950 }
3951 else
3952 {
3953 zabbix_log(LOG_LEVEL_WARNING, "%s() gnutls_handshake() returned: %d %s",
3954 __func__, res, gnutls_strerror(res));
3955
3956 if (0 != gnutls_error_is_fatal(res))
3957 {
3958 *error = zbx_dsprintf(*error, "%s(): gnutls_handshake() failed: %d %s",
3959 __func__, res, gnutls_strerror(res));
3960 goto out;
3961 }
3962 }
3963 }
3964
3965 /* Is this TLS connection using certificate or PSK? */
3966
3967 if (GNUTLS_CRD_CERTIFICATE == (creds = gnutls_auth_get_type(s->tls_ctx->ctx)))
3968 {
3969 s->connection_type = ZBX_TCP_SEC_TLS_CERT;
3970
3971 /* log peer certificate information for debugging */
3972 zbx_log_peer_cert(__func__, s->tls_ctx);
3973
3974 /* perform basic verification of peer certificate */
3975 if (SUCCEED != zbx_verify_peer_cert(s->tls_ctx->ctx, error))
3976 {
3977 zbx_tls_close(s);
3978 goto out1;
3979 }
3980
3981 /* Issuer and Subject will be verified later, after receiving sender type and host name */
3982 }
3983 else if (GNUTLS_CRD_PSK == creds)
3984 {
3985 s->connection_type = ZBX_TCP_SEC_TLS_PSK;
3986
3987 if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
3988 {
3989 const char *psk_identity;
3990
3991 if (NULL != (psk_identity = gnutls_psk_server_get_username(s->tls_ctx->ctx)))
3992 {
3993 zabbix_log(LOG_LEVEL_DEBUG, "%s() PSK identity: \"%s\"", __func__, psk_identity);
3994 }
3995 }
3996 }
3997 else
3998 {
3999 THIS_SHOULD_NEVER_HAPPEN;
4000 zbx_tls_close(s);
4001 return FAIL;
4002 }
4003
4004 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s-%s-%s-" ZBX_FS_SIZE_T ")", __func__,
4005 gnutls_protocol_get_name(gnutls_protocol_get_version(s->tls_ctx->ctx)),
4006 gnutls_kx_get_name(gnutls_kx_get(s->tls_ctx->ctx)),
4007 gnutls_cipher_get_name(gnutls_cipher_get(s->tls_ctx->ctx)),
4008 gnutls_mac_get_name(gnutls_mac_get(s->tls_ctx->ctx)),
4009 (zbx_fs_size_t)gnutls_mac_get_key_size(gnutls_mac_get(s->tls_ctx->ctx)));
4010
4011 return SUCCEED;
4012
4013 out: /* an error occurred */
4014 if (NULL != s->tls_ctx->ctx)
4015 {
4016 gnutls_credentials_clear(s->tls_ctx->ctx);
4017 gnutls_deinit(s->tls_ctx->ctx);
4018 }
4019
4020 if (NULL != s->tls_ctx->psk_server_creds)
4021 gnutls_psk_free_server_credentials(s->tls_ctx->psk_server_creds);
4022
4023 zbx_free(s->tls_ctx);
4024 out1:
4025 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
4026 ZBX_NULL2EMPTY_STR(*error));
4027 return ret;
4028 }
4029 #elif defined(HAVE_OPENSSL)
zbx_tls_accept(zbx_socket_t * s,unsigned int tls_accept,char ** error)4030 int zbx_tls_accept(zbx_socket_t *s, unsigned int tls_accept, char **error)
4031 {
4032 const char *cipher_name;
4033 int ret = FAIL, res;
4034 size_t error_alloc = 0, error_offset = 0;
4035 long verify_result;
4036 #if defined(_WINDOWS)
4037 double sec;
4038 #endif
4039 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer, or LibreSSL */
4040 const unsigned char session_id_context[] = {'Z', 'b', 'x'};
4041 #endif
4042 zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
4043
4044 s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
4045 s->tls_ctx->ctx = NULL;
4046
4047 #if defined(HAVE_OPENSSL_WITH_PSK)
4048 incoming_connection_has_psk = 0; /* assume certificate-based connection by default */
4049 #endif
4050 if ((ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK) == (tls_accept & (ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK)))
4051 {
4052 #if defined(HAVE_OPENSSL_WITH_PSK)
4053 /* common case in trapper - be ready for all types of incoming connections but possible also in */
4054 /* agentd listener */
4055
4056 if (NULL != ctx_all)
4057 {
4058 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_all)))
4059 {
4060 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
4061 " connection:");
4062 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4063 goto out;
4064 }
4065 }
4066 #else
4067 if (0 != (program_type & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
4068 {
4069 /* server or proxy running with OpenSSL or LibreSSL without PSK support */
4070 if (NULL != ctx_cert)
4071 {
4072 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
4073 {
4074 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context"
4075 " to accept connection:");
4076 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4077 goto out;
4078 }
4079 }
4080 else
4081 {
4082 *error = zbx_strdup(*error, "not ready for certificate-based incoming connection:"
4083 " certificate not loaded. PSK support not compiled in.");
4084 goto out;
4085 }
4086 }
4087 #endif
4088 else if (0 != (program_type & ZBX_PROGRAM_TYPE_AGENTD))
4089 {
4090 THIS_SHOULD_NEVER_HAPPEN;
4091 goto out;
4092 }
4093 #if defined(HAVE_OPENSSL_WITH_PSK)
4094 else if (NULL != ctx_psk)
4095 {
4096 /* Server or proxy with no certificate configured. PSK is always assumed to be configured on */
4097 /* server or proxy because PSK can come from database. */
4098
4099 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
4100 {
4101 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
4102 " connection:");
4103 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4104 goto out;
4105 }
4106 }
4107 else
4108 {
4109 THIS_SHOULD_NEVER_HAPPEN;
4110 goto out;
4111 }
4112 #endif
4113 }
4114 else if (0 != (tls_accept & ZBX_TCP_SEC_TLS_CERT))
4115 {
4116 if (NULL != ctx_cert)
4117 {
4118 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
4119 {
4120 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
4121 " connection:");
4122 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4123 goto out;
4124 }
4125 }
4126 else
4127 {
4128 *error = zbx_strdup(*error, "not ready for certificate-based incoming connection: certificate"
4129 " not loaded");
4130 goto out;
4131 }
4132 }
4133 else /* PSK */
4134 {
4135 #if defined(HAVE_OPENSSL_WITH_PSK)
4136 if (NULL != ctx_psk)
4137 {
4138 if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
4139 {
4140 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
4141 " connection:");
4142 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4143 goto out;
4144 }
4145 }
4146 else
4147 {
4148 *error = zbx_strdup(*error, "not ready for PSK-based incoming connection: PSK not loaded");
4149 goto out;
4150 }
4151 #else
4152 *error = zbx_strdup(*error, "support for PSK was not compiled in");
4153 goto out;
4154 #endif
4155 }
4156
4157 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer, or LibreSSL */
4158 if (1 != SSL_set_session_id_context(s->tls_ctx->ctx, session_id_context, sizeof(session_id_context)))
4159 {
4160 *error = zbx_strdup(*error, "cannot set session_id_context");
4161 goto out;
4162 }
4163 #endif
4164 if (1 != SSL_set_fd(s->tls_ctx->ctx, s->socket))
4165 {
4166 *error = zbx_strdup(*error, "cannot set socket for TLS context");
4167 goto out;
4168 }
4169
4170 /* TLS handshake */
4171
4172 info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
4173 #if defined(_WINDOWS)
4174 zbx_alarm_flag_clear();
4175 sec = zbx_time();
4176 #endif
4177 if (1 != (res = SSL_accept(s->tls_ctx->ctx)))
4178 {
4179 int result_code;
4180
4181 #if defined(_WINDOWS)
4182 if (s->timeout < zbx_time() - sec)
4183 zbx_alarm_flag_set();
4184 #endif
4185 if (SUCCEED == zbx_alarm_timed_out())
4186 {
4187 *error = zbx_strdup(*error, "SSL_accept() timed out");
4188 goto out;
4189 }
4190
4191 /* In case of certificate error SSL_get_verify_result() provides more helpful diagnostics */
4192 /* than other methods. Include it as first but continue with other diagnostics. Should be */
4193 /* harmless in case of PSK. */
4194
4195 if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
4196 {
4197 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s: ",
4198 X509_verify_cert_error_string(verify_result));
4199 }
4200
4201 result_code = SSL_get_error(s->tls_ctx->ctx, res);
4202
4203 if (0 == res)
4204 {
4205 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "TLS connection has been closed during"
4206 " handshake:");
4207 }
4208 else
4209 {
4210 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "TLS handshake set result code to %d:",
4211 result_code);
4212 }
4213
4214 zbx_tls_error_msg(error, &error_alloc, &error_offset);
4215 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s", info_buf);
4216 goto out;
4217 }
4218
4219 /* Is this TLS connection using certificate or PSK? */
4220
4221 cipher_name = SSL_get_cipher(s->tls_ctx->ctx);
4222
4223 #if defined(HAVE_OPENSSL_WITH_PSK)
4224 if (1 == incoming_connection_has_psk)
4225 {
4226 s->connection_type = ZBX_TCP_SEC_TLS_PSK;
4227 }
4228 else if (0 != strncmp("(NONE)", cipher_name, ZBX_CONST_STRLEN("(NONE)")))
4229 #endif
4230 {
4231 s->connection_type = ZBX_TCP_SEC_TLS_CERT;
4232
4233 /* log peer certificate information for debugging */
4234 zbx_log_peer_cert(__func__, s->tls_ctx);
4235
4236 /* perform basic verification of peer certificate */
4237 if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
4238 {
4239 zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s",
4240 X509_verify_cert_error_string(verify_result));
4241 zbx_tls_close(s);
4242 goto out1;
4243 }
4244
4245 /* Issuer and Subject will be verified later, after receiving sender type and host name */
4246 }
4247 #if defined(HAVE_OPENSSL_WITH_PSK)
4248 else
4249 {
4250 THIS_SHOULD_NEVER_HAPPEN;
4251 zbx_tls_close(s);
4252 return FAIL;
4253 }
4254 #endif
4255 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s)", __func__,
4256 SSL_get_version(s->tls_ctx->ctx), cipher_name);
4257
4258 return SUCCEED;
4259
4260 out: /* an error occurred */
4261 if (NULL != s->tls_ctx->ctx)
4262 SSL_free(s->tls_ctx->ctx);
4263
4264 zbx_free(s->tls_ctx);
4265 out1:
4266 zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
4267 ZBX_NULL2EMPTY_STR(*error));
4268 return ret;
4269 }
4270 #endif
4271
4272 #if defined(HAVE_GNUTLS)
4273 # define ZBX_TLS_WRITE(ctx, buf, len) gnutls_record_send(ctx, buf, len)
4274 # define ZBX_TLS_READ(ctx, buf, len) gnutls_record_recv(ctx, buf, len)
4275 # define ZBX_TLS_WRITE_FUNC_NAME "gnutls_record_send"
4276 # define ZBX_TLS_READ_FUNC_NAME "gnutls_record_recv"
4277 # define ZBX_TLS_WANT_WRITE(res) (GNUTLS_E_INTERRUPTED == (res) || GNUTLS_E_AGAIN == (res) ? SUCCEED : FAIL)
4278 # define ZBX_TLS_WANT_READ(res) (GNUTLS_E_INTERRUPTED == (res) || GNUTLS_E_AGAIN == (res) ? SUCCEED : FAIL)
4279 #elif defined(HAVE_OPENSSL)
4280 # define ZBX_TLS_WRITE(ctx, buf, len) SSL_write(ctx, buf, (int)(len))
4281 # define ZBX_TLS_READ(ctx, buf, len) SSL_read(ctx, buf, (int)(len))
4282 # define ZBX_TLS_WRITE_FUNC_NAME "SSL_write"
4283 # define ZBX_TLS_READ_FUNC_NAME "SSL_read"
4284 # define ZBX_TLS_WANT_WRITE(res) FAIL
4285 # define ZBX_TLS_WANT_READ(res) FAIL
4286 /* SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE should not be returned here because we set */
4287 /* SSL_MODE_AUTO_RETRY flag in zbx_tls_init_child() */
4288 #endif
4289
zbx_tls_write(zbx_socket_t * s,const char * buf,size_t len,char ** error)4290 ssize_t zbx_tls_write(zbx_socket_t *s, const char *buf, size_t len, char **error)
4291 {
4292 #if defined(_WINDOWS)
4293 double sec;
4294 #endif
4295 #if defined(HAVE_GNUTLS)
4296 ssize_t res;
4297 #elif defined(HAVE_OPENSSL)
4298 int res;
4299 #endif
4300
4301 #if defined(_WINDOWS)
4302 zbx_alarm_flag_clear();
4303 sec = zbx_time();
4304 #endif
4305 #if defined(HAVE_OPENSSL)
4306 info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
4307 #endif
4308 do
4309 {
4310 res = ZBX_TLS_WRITE(s->tls_ctx->ctx, buf, len);
4311 #if defined(_WINDOWS)
4312 if (s->timeout < zbx_time() - sec)
4313 zbx_alarm_flag_set();
4314 #endif
4315 if (SUCCEED == zbx_alarm_timed_out())
4316 {
4317 *error = zbx_strdup(*error, ZBX_TLS_WRITE_FUNC_NAME "() timed out");
4318 return ZBX_PROTO_ERROR;
4319 }
4320 }
4321 while (SUCCEED == ZBX_TLS_WANT_WRITE(res));
4322
4323 #if defined(HAVE_GNUTLS)
4324 if (0 > res)
4325 {
4326 *error = zbx_dsprintf(*error, "gnutls_record_send() failed: " ZBX_FS_SSIZE_T " %s",
4327 (zbx_fs_ssize_t)res, gnutls_strerror(res));
4328
4329 return ZBX_PROTO_ERROR;
4330 }
4331 #elif defined(HAVE_OPENSSL)
4332 if (0 >= res)
4333 {
4334 int result_code;
4335
4336 result_code = SSL_get_error(s->tls_ctx->ctx, res);
4337
4338 if (0 == res && SSL_ERROR_ZERO_RETURN == result_code)
4339 {
4340 *error = zbx_strdup(*error, "connection closed during write");
4341 }
4342 else
4343 {
4344 char *err = NULL;
4345 size_t error_alloc = 0, error_offset = 0;
4346
4347 zbx_snprintf_alloc(&err, &error_alloc, &error_offset, "TLS write set result code to"
4348 " %d:", result_code);
4349 zbx_tls_error_msg(&err, &error_alloc, &error_offset);
4350 *error = zbx_dsprintf(*error, "%s%s", err, info_buf);
4351 zbx_free(err);
4352 }
4353
4354 return ZBX_PROTO_ERROR;
4355 }
4356 #endif
4357
4358 return (ssize_t)res;
4359 }
4360
zbx_tls_read(zbx_socket_t * s,char * buf,size_t len,char ** error)4361 ssize_t zbx_tls_read(zbx_socket_t *s, char *buf, size_t len, char **error)
4362 {
4363 #if defined(_WINDOWS)
4364 double sec;
4365 #endif
4366 #if defined(HAVE_GNUTLS)
4367 ssize_t res;
4368 #elif defined(HAVE_OPENSSL)
4369 int res;
4370 #endif
4371
4372 #if defined(_WINDOWS)
4373 zbx_alarm_flag_clear();
4374 sec = zbx_time();
4375 #endif
4376 #if defined(HAVE_OPENSSL)
4377 info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
4378 #endif
4379 do
4380 {
4381 res = ZBX_TLS_READ(s->tls_ctx->ctx, buf, len);
4382 #if defined(_WINDOWS)
4383 if (s->timeout < zbx_time() - sec)
4384 zbx_alarm_flag_set();
4385 #endif
4386 if (SUCCEED == zbx_alarm_timed_out())
4387 {
4388 *error = zbx_strdup(*error, ZBX_TLS_READ_FUNC_NAME "() timed out");
4389 return ZBX_PROTO_ERROR;
4390 }
4391 }
4392 while (SUCCEED == ZBX_TLS_WANT_READ(res));
4393
4394 #if defined(HAVE_GNUTLS)
4395 if (0 > res)
4396 {
4397 /* in case of rehandshake a GNUTLS_E_REHANDSHAKE will be returned, deal with it as with error */
4398 *error = zbx_dsprintf(*error, "gnutls_record_recv() failed: " ZBX_FS_SSIZE_T " %s",
4399 (zbx_fs_ssize_t)res, gnutls_strerror(res));
4400
4401 return ZBX_PROTO_ERROR;
4402 }
4403 #elif defined(HAVE_OPENSSL)
4404 if (0 >= res)
4405 {
4406 int result_code;
4407
4408 result_code = SSL_get_error(s->tls_ctx->ctx, res);
4409
4410 if (0 == res && SSL_ERROR_ZERO_RETURN == result_code)
4411 {
4412 *error = zbx_strdup(*error, "connection closed during read");
4413 }
4414 else
4415 {
4416 char *err = NULL;
4417 size_t error_alloc = 0, error_offset = 0;
4418
4419 zbx_snprintf_alloc(&err, &error_alloc, &error_offset, "TLS read set result code to"
4420 " %d:", result_code);
4421 zbx_tls_error_msg(&err, &error_alloc, &error_offset);
4422 *error = zbx_dsprintf(*error, "%s%s", err, info_buf);
4423 zbx_free(err);
4424 }
4425
4426 return ZBX_PROTO_ERROR;
4427 }
4428 #endif
4429
4430 return (ssize_t)res;
4431 }
4432
4433 /******************************************************************************
4434 * *
4435 * Function: zbx_tls_close *
4436 * *
4437 * Purpose: close a TLS connection before closing a TCP socket *
4438 * *
4439 ******************************************************************************/
zbx_tls_close(zbx_socket_t * s)4440 void zbx_tls_close(zbx_socket_t *s)
4441 {
4442 int res;
4443
4444 if (NULL == s->tls_ctx)
4445 return;
4446 #if defined(HAVE_GNUTLS)
4447 if (NULL != s->tls_ctx->ctx)
4448 {
4449 #if defined(_WINDOWS)
4450 double sec;
4451
4452 zbx_alarm_flag_clear();
4453 sec = zbx_time();
4454 #endif
4455 /* shutdown TLS connection */
4456 while (GNUTLS_E_SUCCESS != (res = gnutls_bye(s->tls_ctx->ctx, GNUTLS_SHUT_WR)))
4457 {
4458 #if defined(_WINDOWS)
4459 if (s->timeout < zbx_time() - sec)
4460 zbx_alarm_flag_set();
4461 #endif
4462 if (SUCCEED == zbx_alarm_timed_out())
4463 break;
4464
4465 if (GNUTLS_E_INTERRUPTED == res || GNUTLS_E_AGAIN == res)
4466 continue;
4467
4468 zabbix_log(LOG_LEVEL_WARNING, "gnutls_bye() with %s returned error code: %d %s",
4469 s->peer, res, gnutls_strerror(res));
4470
4471 if (0 != gnutls_error_is_fatal(res))
4472 break;
4473 }
4474
4475 gnutls_credentials_clear(s->tls_ctx->ctx);
4476 gnutls_deinit(s->tls_ctx->ctx);
4477 }
4478
4479 if (NULL != s->tls_ctx->psk_client_creds)
4480 gnutls_psk_free_client_credentials(s->tls_ctx->psk_client_creds);
4481
4482 if (NULL != s->tls_ctx->psk_server_creds)
4483 gnutls_psk_free_server_credentials(s->tls_ctx->psk_server_creds);
4484 #elif defined(HAVE_OPENSSL)
4485 if (NULL != s->tls_ctx->ctx)
4486 {
4487 info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
4488
4489 /* After TLS shutdown the TCP connection will be closed. So, there is no need to do a bidirectional */
4490 /* TLS shutdown - unidirectional shutdown is ok. */
4491 if (0 > (res = SSL_shutdown(s->tls_ctx->ctx)))
4492 {
4493 int result_code;
4494 char *error = NULL;
4495 size_t error_alloc = 0, error_offset = 0;
4496
4497 result_code = SSL_get_error(s->tls_ctx->ctx, res);
4498 zbx_tls_error_msg(&error, &error_alloc, &error_offset);
4499 zabbix_log(LOG_LEVEL_WARNING, "SSL_shutdown() with %s set result code to %d:%s%s",
4500 s->peer, result_code, ZBX_NULL2EMPTY_STR(error), info_buf);
4501 zbx_free(error);
4502 }
4503
4504 SSL_free(s->tls_ctx->ctx);
4505 }
4506 #endif
4507 zbx_free(s->tls_ctx);
4508 }
4509
4510 /******************************************************************************
4511 * *
4512 * Function: zbx_tls_get_attr_cert *
4513 * *
4514 * Purpose: get certificate attributes from the context of established *
4515 * connection *
4516 * *
4517 ******************************************************************************/
zbx_tls_get_attr_cert(const zbx_socket_t * s,zbx_tls_conn_attr_t * attr)4518 int zbx_tls_get_attr_cert(const zbx_socket_t *s, zbx_tls_conn_attr_t *attr)
4519 {
4520 char *error = NULL;
4521 #if defined(HAVE_GNUTLS)
4522 gnutls_x509_crt_t peer_cert;
4523 gnutls_x509_dn_t dn;
4524 int res;
4525 #elif defined(HAVE_OPENSSL)
4526 X509 *peer_cert;
4527 #endif
4528
4529 #if defined(HAVE_GNUTLS)
4530 /* here is some inefficiency - we do not know will it be required to verify peer certificate issuer */
4531 /* and subject - but we prepare for it */
4532 if (NULL == (peer_cert = zbx_get_peer_cert(s->tls_ctx->ctx, &error)))
4533 {
4534 zabbix_log(LOG_LEVEL_WARNING, "cannot get peer certificate: %s", error);
4535 zbx_free(error);
4536 return FAIL;
4537 }
4538
4539 if (0 != (res = gnutls_x509_crt_get_issuer(peer_cert, &dn)))
4540 {
4541 zabbix_log(LOG_LEVEL_WARNING, "gnutls_x509_crt_get_issuer() failed: %d %s", res,
4542 gnutls_strerror(res));
4543 gnutls_x509_crt_deinit(peer_cert);
4544 return FAIL;
4545 }
4546
4547 if (SUCCEED != zbx_x509_dn_gets(dn, attr->issuer, sizeof(attr->issuer), &error))
4548 {
4549 zabbix_log(LOG_LEVEL_WARNING, "zbx_x509_dn_gets() failed: %s", error);
4550 zbx_free(error);
4551 gnutls_x509_crt_deinit(peer_cert);
4552 return FAIL;
4553 }
4554
4555 if (0 != (res = gnutls_x509_crt_get_subject(peer_cert, &dn)))
4556 {
4557 zabbix_log(LOG_LEVEL_WARNING, "gnutls_x509_crt_get_subject() failed: %d %s", res,
4558 gnutls_strerror(res));
4559 gnutls_x509_crt_deinit(peer_cert);
4560 return FAIL;
4561 }
4562
4563 if (SUCCEED != zbx_x509_dn_gets(dn, attr->subject, sizeof(attr->subject), &error))
4564 {
4565 zabbix_log(LOG_LEVEL_WARNING, "zbx_x509_dn_gets() failed: %s", error);
4566 zbx_free(error);
4567 gnutls_x509_crt_deinit(peer_cert);
4568 return FAIL;
4569 }
4570
4571 gnutls_x509_crt_deinit(peer_cert);
4572 #elif defined(HAVE_OPENSSL)
4573 if (NULL == (peer_cert = SSL_get_peer_certificate(s->tls_ctx->ctx)))
4574 {
4575 zabbix_log(LOG_LEVEL_WARNING, "no peer certificate, SSL_get_peer_certificate() returned NULL");
4576 return FAIL;
4577 }
4578
4579 if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(peer_cert), attr->issuer, sizeof(attr->issuer), &error))
4580 {
4581 zabbix_log(LOG_LEVEL_WARNING, "error while getting issuer name: \"%s\"", error);
4582 zbx_free(error);
4583 X509_free(peer_cert);
4584 return FAIL;
4585 }
4586
4587 if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(peer_cert), attr->subject, sizeof(attr->subject), &error))
4588 {
4589 zabbix_log(LOG_LEVEL_WARNING, "error while getting subject name: \"%s\"", error);
4590 zbx_free(error);
4591 X509_free(peer_cert);
4592 return FAIL;
4593 }
4594
4595 X509_free(peer_cert);
4596 #endif
4597
4598 return SUCCEED;
4599 }
4600
4601 /******************************************************************************
4602 * *
4603 * Function: zbx_tls_get_attr_psk *
4604 * *
4605 * Purpose: get PSK attributes from the context of established connection *
4606 * *
4607 * Comments: *
4608 * This function can be used only on server-side of TLS connection. *
4609 * GnuTLS makes it asymmetric - see documentation for *
4610 * gnutls_psk_server_get_username() and gnutls_psk_client_get_hint() *
4611 * (the latter function is not used in Zabbix). *
4612 * Implementation for OpenSSL is server-side only, too. *
4613 * *
4614 ******************************************************************************/
4615 #if defined(HAVE_GNUTLS)
zbx_tls_get_attr_psk(const zbx_socket_t * s,zbx_tls_conn_attr_t * attr)4616 int zbx_tls_get_attr_psk(const zbx_socket_t *s, zbx_tls_conn_attr_t *attr)
4617 {
4618 if (NULL == (attr->psk_identity = gnutls_psk_server_get_username(s->tls_ctx->ctx)))
4619 return FAIL;
4620
4621 attr->psk_identity_len = strlen(attr->psk_identity);
4622 return SUCCEED;
4623 }
4624 #elif defined(HAVE_OPENSSL) && defined(HAVE_OPENSSL_WITH_PSK)
zbx_tls_get_attr_psk(const zbx_socket_t * s,zbx_tls_conn_attr_t * attr)4625 int zbx_tls_get_attr_psk(const zbx_socket_t *s, zbx_tls_conn_attr_t *attr)
4626 {
4627 ZBX_UNUSED(s);
4628
4629 /* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
4630 /* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */
4631 if ('\0' == incoming_connection_psk_id[0])
4632 return FAIL;
4633
4634 attr->psk_identity = incoming_connection_psk_id;
4635 attr->psk_identity_len = strlen(attr->psk_identity);
4636 return SUCCEED;
4637 }
4638 #endif
4639
4640 #if defined(_WINDOWS)
4641 /******************************************************************************
4642 * *
4643 * Function: zbx_tls_pass_vars *
4644 * *
4645 * Purpose: pass some TLS variables from one thread to other *
4646 * *
4647 * Comments: used in Zabbix sender on MS Windows *
4648 * *
4649 ******************************************************************************/
zbx_tls_pass_vars(ZBX_THREAD_SENDVAL_TLS_ARGS * args)4650 void zbx_tls_pass_vars(ZBX_THREAD_SENDVAL_TLS_ARGS *args)
4651 {
4652 #if defined(HAVE_GNUTLS)
4653 args->my_cert_creds = my_cert_creds;
4654 args->my_psk_client_creds = my_psk_client_creds;
4655 args->ciphersuites_cert = ciphersuites_cert;
4656 args->ciphersuites_psk = ciphersuites_psk;
4657 #elif defined(HAVE_OPENSSL)
4658 args->ctx_cert = ctx_cert;
4659 #if defined(HAVE_OPENSSL_WITH_PSK)
4660 args->ctx_psk = ctx_psk;
4661 args->psk_identity_for_cb = psk_identity_for_cb;
4662 args->psk_identity_len_for_cb = psk_identity_len_for_cb;
4663 args->psk_for_cb = psk_for_cb;
4664 args->psk_len_for_cb = psk_len_for_cb;
4665 #endif
4666 #endif /* defined(HAVE_OPENSSL) */
4667 }
4668
4669 /******************************************************************************
4670 * *
4671 * Function: zbx_tls_take_vars *
4672 * *
4673 * Purpose: pass some TLS variables from one thread to other *
4674 * *
4675 * Comments: used in Zabbix sender on MS Windows *
4676 * *
4677 ******************************************************************************/
zbx_tls_take_vars(ZBX_THREAD_SENDVAL_TLS_ARGS * args)4678 void zbx_tls_take_vars(ZBX_THREAD_SENDVAL_TLS_ARGS *args)
4679 {
4680 #if defined(HAVE_GNUTLS)
4681 my_cert_creds = args->my_cert_creds;
4682 my_psk_client_creds = args->my_psk_client_creds;
4683 ciphersuites_cert = args->ciphersuites_cert;
4684 ciphersuites_psk = args->ciphersuites_psk;
4685 #elif defined(HAVE_OPENSSL)
4686 ctx_cert = args->ctx_cert;
4687 #if defined(HAVE_OPENSSL_WITH_PSK)
4688 ctx_psk = args->ctx_psk;
4689 psk_identity_for_cb = args->psk_identity_for_cb;
4690 psk_identity_len_for_cb = args->psk_identity_len_for_cb;
4691 psk_for_cb = args->psk_for_cb;
4692 psk_len_for_cb = args->psk_len_for_cb;
4693 #endif
4694 #endif /* defined(HAVE_OPENSSL) */
4695 }
4696 #endif
4697
zbx_tls_get_psk_usage(void)4698 unsigned int zbx_tls_get_psk_usage(void)
4699 {
4700 return psk_usage;
4701 }
4702 #endif
4703