Merge b66f1fb into 68fb8bd

Author: jimklimov

Makefile.am

@@ -874,7 +874,8 @@ SET_PARMAKES_OPT = \
 			fi ; \
 			PARMAKES_OPT="-j $${MAXPARMAKES}" ; \
 		;; \
-	esac
+	esac ; \
+	if [ x"$${V}$(V)" = x ]; then PARMAKES_OPT="$${PARMAKES_OPT} V=0" ; fi
 
 all-quick: @dotMAKE@
 	+@$(SET_PARMAKES_OPT); \

NEWS.adoc

@@ -60,6 +60,27 @@ https://github.com/networkupstools/nut/milestone/13
       query (for protocol version) to verify that handshake succeeded.
       This change impacted also the classic C `libupsclient` library.
       [issue #3387, PR #3402]
+    * Updated OpenSSL code paths in the `libupsclient` C library to support
+      features earlier only available with NSS builds, like specifying the
+      client certificate+key, optionally with password, and pinning expected
+      server certificates. For both backends such pinning should now honour
+      the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
+      connection attempt if that number is '0'). [issue #3331]
+    * Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
+      (optional validation of clients identified by a certificate) also
+      when built with OpenSSL, optionally using the `CERTPATH` with a
+      collection of CA certificates (directory or a big PEM file).
+      Also support `CERTIDENT` to provide a private key password and ensure
+      that the certificate in `CERTFILE` has an expected subject name as an
+      exact string, or that its CN or SAN match the provided string as a
+      standard expression of host name (section 3.5 of RFC 1034) or IP address.
+      [issue #3331]
+    * The `libupsclient` API was extended with a `upscli_init2()` method which
+      allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
+
+ - `upsmon` client updates:
+    * Introduced support for `CERTFILE` option, so the client can identify
+      itself to the data server also in OpenSSL builds. [issue #3331]
 
 
 Release notes for NUT 2.8.5 - what's new since 2.8.4

clients/nutclient.cpp

@@ -244,7 +244,7 @@ class Socket
 	bool isConnected()const;
 	void setDebugConnect(bool d);
 
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name);
 	void setSSLConfig_NSS(bool force_ssl, int certverify, const std::string& certstore_path, const std::string& certstore_pass, const std::string& certstore_prefix, const std::string& certhost_name, const std::string& certident_name);
 
 	void startTLS();
@@ -320,13 +320,28 @@ SSL_CTX* Socket::_ssl_ctx = nullptr;
 
 /*static*/ int Socket::openssl_password_callback(char *buf, int size, int rwflag, void *userdata)	/* pem_passwd_cb, 1.1.0+ */
 {
+	/* See https://docs.openssl.org/1.0.2/man3/SSL_CTX_set_default_passwd_cb */
+	/* is callback used for reading/decryption (rwflag=0) or writing/encryption (rwflag=1)? */
 	NUT_UNUSED_VARIABLE(rwflag);
+	/* "userdata" is generally the user-provided password, possibly cached
+	 * from an earlier loop (e.g. to check interactively typing it twice,
+	 * or to probe several items in a loop). */
 
-	if (size < 1 || !userdata || !*(static_cast<char *>(userdata))) {
+	if (!buf || size < 1) {
+		/* Can not even set buf[0] */
+		return 0;
+	}
+
+	if (!userdata || !*(static_cast<char *>(userdata))) {
 		buf[0] = '\0';
 		return 0;
 	}
 
+	if (strlen((char*)userdata) >= (size_t)size) {
+		/* Do not return truncated trash, just say we could not do it */
+		return 0;
+	}
+
 	strncpy(buf, static_cast<char *>(userdata), static_cast<size_t>(size));
 	buf[size - 1] = '\0';
 	return static_cast<int>(strlen(buf));
@@ -861,7 +876,7 @@ bool Socket::isSSL()const
 #endif
 }
 
-void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass)
+void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name)
 {
 	_force_ssl = force_ssl;
 
@@ -875,6 +890,7 @@ void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::str
 	_cert_file = cert_file;
 	_key_file = key_file;
 	_key_pass = key_pass;
+	_certident_name = certident_name;
 
 	_ssl_configured |= UPSCLI_SSL_CAPS_OPENSSL;
 #else
@@ -884,6 +900,7 @@ void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::str
 	NUT_UNUSED_VARIABLE(cert_file);
 	NUT_UNUSED_VARIABLE(key_file);
 	NUT_UNUSED_VARIABLE(key_pass);
+	NUT_UNUSED_VARIABLE(certident_name);
 
 	_ssl_configured &= ~UPSCLI_SSL_CAPS_OPENSSL;
 #endif
@@ -978,7 +995,12 @@ void Socket::startTLS()
 
 	if (!_ca_file.empty() || !_ca_path.empty()) {
 		if (SSL_CTX_load_verify_locations(_ssl_ctx, _ca_file.empty() ? nullptr : _ca_file.c_str(), _ca_path.empty() ? nullptr : _ca_path.c_str()) != 1) {
-			throw nut::SSLException_OpenSSL("Failed to load CA verify locations");
+			if (!(_ca_file.empty() && !_ca_path.empty()
+				/* Retry in case CERTPATH pointed to PEM file */
+				&& SSL_CTX_load_verify_locations(_ssl_ctx, _ca_path.c_str(), nullptr) == 1)
+			) {
+				throw nut::SSLException_OpenSSL("Failed to load CA verify locations");
+			}
 		}
 	}
 	if (_certverify != -1) {
@@ -990,6 +1012,15 @@ void Socket::startTLS()
 		}
 		if (!_key_pass.empty()) {
 #  if OPENSSL_VERSION_NUMBER < 0x10100000L
+			/* Per https://docs.openssl.org/3.5/man3/SSL_CTX_set_default_passwd_cb,
+			 * the `SSL_CTX*` variants were added in 1.1.
+			 * The SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata()
+			 * for `SSL*` argument were around since the turn of millennium, approx 0.9.6+
+			 * per https://github.com/openssl/openssl/commit/66ebbb6a56bc1688fa37878e4feec985b0c260d7
+			 *
+			 * But to use those, we would need to get that SSL* (maybe from socket FD?);
+			 * that would also unlock us using the ssl_error() elsewhere.
+			 */
 			throw nut::SSLException_OpenSSL("Private key password support not implemented for OpenSSL < 1.1 yet");
 #  else
 			/* OpenSSL 1.1.0+
@@ -1004,6 +1035,59 @@ void Socket::startTLS()
 		if (SSL_CTX_use_PrivateKey_file(_ssl_ctx, _key_file.empty() ? _cert_file.c_str() : _key_file.c_str(), SSL_FILETYPE_PEM) != 1) {
 			throw nut::SSLException_OpenSSL("Failed to load client private key file");
 		}
+
+		if (!_certident_name.empty()) {
+#  if OPENSSL_VERSION_NUMBER >= 0x10002000L
+			X509	*x509 = SSL_CTX_get0_certificate(_ssl_ctx);
+			if (x509) {
+				/* Check if _certident_name matches the host (CN or SAN) */
+				if (X509_check_host(x509, _certident_name.c_str(), 0, 0, nullptr) != 1
+				 && X509_check_ip_asc(x509, _certident_name.c_str(), 0) != 1
+				) {
+					char	*subject = X509_NAME_oneline(X509_get_subject_name(x509), nullptr, 0);
+					char	*subject_CN = (subject ? static_cast<char*>(strstr(subject, "CN=")) + 3 : nullptr);
+					size_t	certident_len = _certident_name.length();
+
+					if (_debugConnect) std::cerr <<
+						"[D4] Socket::startTLS(): My certificate subject: '" << (subject ? subject : "unknown") <<
+						"'; CN: '" << (subject_CN ? subject_CN : "unknown") <<
+						"'; CERTIDENT: [" << certident_len << "]'" << _certident_name << "'" <<
+						std::endl << std::flush;
+
+					/* Check if _certident_name matches the whole subject or just .../CN=.../ part as a string */
+					if (!subject || !(
+						strcmp(subject, _certident_name.c_str()) == 0
+						|| (subject_CN && !strncmp(subject_CN, _certident_name.c_str(), certident_len)
+							&& (subject_CN[certident_len] == '\0' || subject_CN[certident_len] == '/') )
+					)) {
+						/* This way or that, the names differ */
+						std::string err = "Certificate subject (" + std::string(subject ? subject : "unknown") + ") does not match CERTIDENT name (" + _certident_name + ")";
+						if (subject) {
+							OPENSSL_free(subject);
+						}
+						throw nut::SSLException_OpenSSL(err);
+					} else {
+						if (_debugConnect) std::cerr <<
+							"[D2] Socket::startTLS(): Certificate subject verified against CERTIDENT subject name (" << _certident_name << ")" <<
+							std::endl << std::flush;
+					}
+					if (subject) {
+						OPENSSL_free(subject);
+					}
+				} else {
+					if (_debugConnect) std::cerr <<
+						"[D2] Socket::startTLS(): Certificate subject verified against CERTIDENT host name (" << _certident_name << ")" <<
+						std::endl << std::flush;
+				}
+			}
+#  else
+			throw nut::SSLException_OpenSSL("Can not verify CERTIDENT '" + _certident_name + "': not supported in this OpenSSL build (too old)");
+#  endif
+		}
+	} else {
+		if (!_certident_name.empty()) {
+			throw nut::SSLException_OpenSSL("Can not verify CERTIDENT '" + _certident_name + "': no cert_file was provided");
+		}
 	}
 
 	_ssl = SSL_new(_ssl_ctx);
@@ -1419,7 +1503,7 @@ void SSLConfig::apply(TcpClient& client) const
 
 void SSLConfig_OpenSSL::apply(TcpClient& client) const
 {
-	client.setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass);
+	client.setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass, _certident_name);
 }
 
 void SSLConfig_NSS::apply(TcpClient& client) const
@@ -1432,7 +1516,7 @@ void TcpClient::setSSLConfig(const SSLConfig& config)
 	config.apply(*this);
 }
 
-void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	_force_ssl = force_ssl;
 	_certverify = certverify;
@@ -1441,9 +1525,10 @@ void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char
 	if (cert_file) _cert_file = cert_file;
 	if (key_file) _key_file = key_file;
 	if (key_pass) _key_pass = key_pass;
+	if (certident_name) _certident_name = certident_name;
 }
 
-void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass)
+void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name)
 {
 	_force_ssl = force_ssl;
 	_certverify = certverify;
@@ -1452,6 +1537,7 @@ void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::
 	_cert_file = cert_file;
 	_key_file = key_file;
 	_key_pass = key_pass;
+	_certident_name = certident_name;
 }
 
 void TcpClient::setSSLConfig_NSS(bool force_ssl, int certverify, const char *certstore_path, const char *certstore_pass, const char *certstore_prefix, const char *certhost_name, const char *certident_name)
@@ -1493,8 +1579,8 @@ void TcpClient::connect()
 {
 	_socket->connect(_host, _port);
 	if (_try_ssl || _force_ssl) {
-		if (!_ca_path.empty() || !_ca_file.empty() || !_cert_file.empty() || !_key_file.empty()) {
-			_socket->setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass);
+		if (!_ca_path.empty() || !_ca_file.empty() || !_cert_file.empty() || !_key_file.empty() || !_certident_name.empty()) {
+			_socket->setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass, _certident_name);
 		} else if (!_certstore_path.empty() || !_certstore_prefix.empty() || !_certhost_name.empty() || !_certident_name.empty()) {
 			_socket->setSSLConfig_NSS(_force_ssl, _certverify, _certstore_path, _key_pass, _certstore_prefix, _certhost_name, _certident_name);
 		}
@@ -2931,13 +3017,13 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client(const char* host, uint16_t port)
 
 int nutclient_tcp_get_ssl_caps(void) { return nut::TcpClient::getSslCaps(); }
 
-NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16_t port, int try_ssl, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16_t port, int try_ssl, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	nut::TcpClient* client = new nut::TcpClient;
 	try
 	{
 		client->setSSLConfig(nut::SSLConfig_OpenSSL(
-			(force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass
+			(force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass, certident_name
 		));
 		client->connect(host, port, try_ssl != 0);
 		return static_cast<NUTCLIENT_TCP_t>(client);
@@ -2950,15 +3036,15 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16
 	}
 }
 
-void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	if(client)
 	{
 		nut::TcpClient* cl = dynamic_cast<nut::TcpClient*>(static_cast<nut::Client*>(client));
 		if(cl)
 		{
 			cl->setSSLConfig(nut::SSLConfig_OpenSSL((
-				force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass
+				force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass, certident_name
 			));
 		}
 	}

clients/nutclient.h

@@ -109,22 +109,25 @@ class SSLConfig_OpenSSL : public SSLConfig
 	SSLConfig_OpenSSL(bool force_ssl = false, int certverify = -1,
 		const std::string& ca_path = "", const std::string& ca_file = "",
 		const std::string& cert_file = "", const std::string& key_file = "",
-		const std::string& key_pass = "")
+		const std::string& key_pass = "", const std::string& certident_name = "")
 		: SSLConfig(force_ssl, certverify), _ca_path(ca_path), _ca_file(ca_file),
-		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass) {}
+		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass),
+		  _certident_name(certident_name) {}
 
 	SSLConfig_OpenSSL(bool force_ssl, int certverify,
 		const char *ca_path, const char *ca_file,
 		const char *cert_file, const char *key_file,
-		const char *key_pass)
+		const char *key_pass, const char *certident_name = nullptr)
 		: SSLConfig(force_ssl, certverify), _ca_path(ca_path), _ca_file(ca_file),
-		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass) {}
+		  _cert_file(cert_file), _key_file(key_file), _key_pass(key_pass),
+		  _certident_name(certident_name) {}
 
 	const std::string& getCAPath() const { return _ca_path; }
 	const std::string& getCAFile() const { return _ca_file; }
 	const std::string& getCertFile() const { return _cert_file; }
 	const std::string& getKeyFile() const { return _key_file; }
 	const std::string& getKeyPass() const { return _key_pass; }
+	const std::string& getCertIdentName() const { return _certident_name; }
 
 	virtual void apply(TcpClient& client) const override;
 
@@ -134,6 +137,7 @@ class SSLConfig_OpenSSL : public SSLConfig
 	std::string _cert_file;
 	std::string _key_file;
 	std::string _key_pass;
+	std::string _certident_name;
 };
 
 /**
@@ -826,8 +830,9 @@ class TcpClient : public Client
 	 * \param cert_file Path to a client certificate file (PEM format for OpenSSL) or nickname (NSS).
 	 * \param key_file Path to a client private key file (PEM format for OpenSSL).
 	 * \param key_pass Optional passphrase to decrypt the private key.
+	 * \param certident_name Expected name in the client certificate (CN or SAN).
 	 */
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name = nullptr);
 
 	/**
 	 * Set SSL configuration for OpenSSL.
@@ -838,8 +843,9 @@ class TcpClient : public Client
 	 * \param cert_file Path to a client certificate file (PEM format for OpenSSL) or nickname (NSS).
 	 * \param key_file Path to a client private key file (PEM format for OpenSSL).
 	 * \param key_pass Optional passphrase to decrypt the private key.
+	 * \param certident_name Expected name in the client certificate (CN or SAN).
 	 */
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name = "");
 
 	/**
 	 * Set SSL configuration for Mozilla NSS
@@ -1486,11 +1492,13 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(
 	const char* host, uint16_t port, int try_ssl,
 	int force_ssl, int certverify,
 	const char *ca_path, const char *ca_file,
-	const char *cert_file, const char *key_file, const char *key_pass);
+	const char *cert_file, const char *key_file,
+	const char *key_pass, const char *certident_name);
 void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client,
 	int force_ssl, int certverify,
 	const char *ca_path, const char *ca_file,
-	const char *cert_file, const char *key_file, const char *key_pass);
+	const char *cert_file, const char *key_file,
+	const char *key_pass, const char *certident_name);
 
 NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_NSS(
 	const char* host, uint16_t port, int try_ssl,