networkupstools
diff --git a/‎Makefile.am‎
Lines changed: 2 additions & 1 deletion b/‎Makefile.am‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎NEWS.adoc‎
Lines changed: 21 additions & 0 deletions b/‎NEWS.adoc‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎clients/nutclient.cpp‎
Lines changed: 140 additions & 19 deletions b/‎clients/nutclient.cpp‎
Lines changed: 140 additions & 19 deletions
@@ -874,7 +874,8 @@ SET_PARMAKES_OPT = \
 			fi ; \
 			PARMAKES_OPT="-j $${MAXPARMAKES}" ; \
 		;; \
-	esac
+	esac ; \
+	if [ x"$${V}$(V)" = x ]; then PARMAKES_OPT="$${PARMAKES_OPT} V=0" ; fi
 
 all-quick: @dotMAKE@
 	+@$(SET_PARMAKES_OPT); \
 
@@ -60,6 +60,27 @@ https://github.com/networkupstools/nut/milestone/13
       query (for protocol version) to verify that handshake succeeded.
       This change impacted also the classic C `libupsclient` library.
       [issue #3387, PR #3402]
+    * Updated OpenSSL code paths in the `libupsclient` C library to support
+      features earlier only available with NSS builds, like specifying the
+      client certificate+key, optionally with password, and pinning expected
+      server certificates. For both backends such pinning should now honour
+      the 'certverify' setting of the `CERTHOST` entry (e.g. not abort the
+      connection attempt if that number is '0'). [issue #3331]
+    * Updated SSL support in the `upsd` data server to handle `CERTREQUEST`
+      (optional validation of clients identified by a certificate) also
+      when built with OpenSSL, optionally using the `CERTPATH` with a
+      collection of CA certificates (directory or a big PEM file).
+      Also support `CERTIDENT` to provide a private key password and ensure
+      that the certificate in `CERTFILE` has an expected subject name as an
+      exact string, or that its CN or SAN match the provided string as a
+      standard expression of host name (section 3.5 of RFC 1034) or IP address.
+      [issue #3331]
+    * The `libupsclient` API was extended with a `upscli_init2()` method which
+      allows to pass the `certfile` argument needed for OpenSSL builds. [#3331]
+
+ - `upsmon` client updates:
+    * Introduced support for `CERTFILE` option, so the client can identify
+      itself to the data server also in OpenSSL builds. [issue #3331]
 
 
 Release notes for NUT 2.8.5 - what's new since 2.8.4
 
@@ -244,7 +244,7 @@ class Socket
 	bool isConnected()const;
 	void setDebugConnect(bool d);
 
-	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass);
+	void setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name);
 	void setSSLConfig_NSS(bool force_ssl, int certverify, const std::string& certstore_path, const std::string& certstore_pass, const std::string& certstore_prefix, const std::string& certhost_name, const std::string& certident_name);
 
 	void startTLS();
@@ -318,19 +318,45 @@ class Socket
 # ifdef WITH_OPENSSL
 SSL_CTX* Socket::_ssl_ctx = nullptr;
 
-/*static*/ int Socket::openssl_password_callback(char *buf, int size, int rwflag, void *userdata)	/* pem_passwd_cb, 1.1.0+ */
+#  if (defined(HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB) && HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB) || (defined(HAVE_SSL_SET_DEFAULT_PASSWD_CB) && HAVE_SSL_SET_DEFAULT_PASSWD_CB)
+/* Note: availability of these methods seems to predate C++11, but still... */
+/*static*/ int Socket::openssl_password_callback(char *buf, int size, int rwflag, void *userdata)	/* pem_passwd_cb, cca OpenSSL 1.1.0+ */
 {
+	/* See https://docs.openssl.org/1.0.2/man3/SSL_CTX_set_default_passwd_cb */
+	/* is callback used for reading/decryption (rwflag=0) or writing/encryption (rwflag=1)? */
 	NUT_UNUSED_VARIABLE(rwflag);
+	/* "userdata" is generally the user-provided password, possibly cached
+	 * from an earlier loop (e.g. to check interactively typing it twice,
+	 * or to probe several items in a loop). For us, it should be this->_key_pass
+	 * via SSL_CTX_set_default_passwd_cb_userdata(), but most programs out
+	 * there do not have just one variable with one password to think about. */
+
+	if (!buf || size < 1) {
+		/* Can not even set buf[0] */
+		return 0;
+	}
 
-	if (size < 1 || !userdata || !*(static_cast<char *>(userdata))) {
+	if (!userdata || !*(static_cast<char *>(userdata))) {
+#  if (defined(HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB_USERDATA) && HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB_USERDATA) || (defined(HAVE_SSL_SET_DEFAULT_PASSWD_CB_USERDATA) && HAVE_SSL_SET_DEFAULT_PASSWD_CB_USERDATA)
+		/* Use what we were told to use (or not), do not surprise
+		 * anyone by some hard-coded fallback to _key_pass here! */
 		buf[0] = '\0';
 		return 0;
+#  else
+		userdata = static_cast<void *>(this->_key_pass.c_str());
+#  endif
+	}
+
+	if (strlen(static_cast<char *>(userdata)) >= (size_t)size) {
+		/* Do not return truncated trash, just say we could not do it */
+		return 0;
 	}
 
 	strncpy(buf, static_cast<char *>(userdata), static_cast<size_t>(size));
 	buf[size - 1] = '\0';
 	return static_cast<int>(strlen(buf));
 }
+#  endif	/* ...SET_DEFAULT_PASSWD_CB */
 # endif	/* WITH_OPENSSL */
 
 # ifdef WITH_NSS
@@ -861,7 +887,7 @@ bool Socket::isSSL()const
 #endif
 }
 
-void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass)
+void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name)
 {
 	_force_ssl = force_ssl;
 
@@ -875,6 +901,7 @@ void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::str
 	_cert_file = cert_file;
 	_key_file = key_file;
 	_key_pass = key_pass;
+	_certident_name = certident_name;
 
 	_ssl_configured |= UPSCLI_SSL_CAPS_OPENSSL;
 #else
@@ -884,6 +911,7 @@ void Socket::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::str
 	NUT_UNUSED_VARIABLE(cert_file);
 	NUT_UNUSED_VARIABLE(key_file);
 	NUT_UNUSED_VARIABLE(key_pass);
+	NUT_UNUSED_VARIABLE(certident_name);
 
 	_ssl_configured &= ~UPSCLI_SSL_CAPS_OPENSSL;
 #endif
@@ -978,32 +1006,123 @@ void Socket::startTLS()
 
 	if (!_ca_file.empty() || !_ca_path.empty()) {
 		if (SSL_CTX_load_verify_locations(_ssl_ctx, _ca_file.empty() ? nullptr : _ca_file.c_str(), _ca_path.empty() ? nullptr : _ca_path.c_str()) != 1) {
-			throw nut::SSLException_OpenSSL("Failed to load CA verify locations");
+			if (!(_ca_file.empty() && !_ca_path.empty()
+				/* Retry in case CERTPATH pointed to PEM file */
+				&& SSL_CTX_load_verify_locations(_ssl_ctx, _ca_path.c_str(), nullptr) == 1)
+			) {
+				throw nut::SSLException_OpenSSL("Failed to load CA verify locations");
+			}
 		}
 	}
+
 	if (_certverify != -1) {
 		SSL_CTX_set_verify(_ssl_ctx, _certverify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, nullptr);
 	}
+
 	if (!_cert_file.empty()) {
 		if (SSL_CTX_use_certificate_chain_file(_ssl_ctx, _cert_file.c_str()) != 1) {
 			throw nut::SSLException_OpenSSL("Failed to load client certificate file");
 		}
+
 		if (!_key_pass.empty()) {
-#  if OPENSSL_VERSION_NUMBER < 0x10100000L
-			throw nut::SSLException_OpenSSL("Private key password support not implemented for OpenSSL < 1.1 yet");
-#  else
-			/* OpenSSL 1.1.0+
+			/* Note: availability of these methods seems to predate C++11, but still... */
+#  if defined(HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB) && HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB
+			/* Roughly OpenSSL 1.1.0+ or 1.0.2+ with patched distros
 			 * https://docs.openssl.org/3.5/man3/SSL_CTX_set_default_passwd_cb/#return-values
 			 */
 			/* 1. Set the callback function */
 			SSL_CTX_set_default_passwd_cb(_ssl_ctx, openssl_password_callback);
+#   if defined(HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB_USERDATA) && HAVE_SSL_CTX_SET_DEFAULT_PASSWD_CB_USERDATA
 			/* 2. Set the userdata to the password string */
 			SSL_CTX_set_default_passwd_cb_userdata(_ssl_ctx, const_cast<void *>(static_cast<const void *>(_key_pass.c_str())));
-#  endif
+#   endif	/* else callback uses class instance field */
+#  else	/* Not SSL_CTX_* methods */
+			/* Per https://docs.openssl.org/3.5/man3/SSL_CTX_set_default_passwd_cb,
+			 * the `SSL_CTX*` variants were added in 1.1.
+			 * The SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata()
+			 * for `SSL*` argument were around since the turn of millennium, approx 0.9.6+
+			 * per https://github.com/openssl/openssl/commit/66ebbb6a56bc1688fa37878e4feec985b0c260d7
+			 *
+			 * But to use those, we would need to get that SSL* (maybe from socket FD?);
+			 * that would also unlock us using the ssl_error() elsewhere.
+			 *
+			 * Alternately load PEM "manually", see e.g. Apache httpd sources before 2015.
+			 */
+#   if defined(HAVE_SSL_SET_DEFAULT_PASSWD_CB) && HAVE_SSL_SET_DEFAULT_PASSWD_CB
+			/* Theoretical solution - didn't find a build system where such methods
+			 * would actually be available, so this could be tested and used */
+			SSL	*ssl_tmp = SSL_new(ssl_ctx);
+			/* OpenSSL 0.9.6+ at least? */
+			SSL_set_default_passwd_cb(ssl_tmp, openssl_password_callback);
+#    if defined(HAVE_SSL_SET_DEFAULT_PASSWD_CB_USERDATA) && HAVE_SSL_SET_DEFAULT_PASSWD_CB_USERDATA
+			SSL_set_default_passwd_cb_userdata(ssl_tmp, const_cast<void *>(static_cast<const void *>(_key_pass.c_str())));
+#    endif
+			SSL_free(ssl_tmp);
+
+#   else	/* Not SSL_* methods either */
+
+			throw nut::SSLException_OpenSSL("Private key password support not implemented for OpenSSL < 1.1 yet");
+#   endif
+#  endif	/* ...SET_DEFAULT_PASSWD_CB */
 		}
+
 		if (SSL_CTX_use_PrivateKey_file(_ssl_ctx, _key_file.empty() ? _cert_file.c_str() : _key_file.c_str(), SSL_FILETYPE_PEM) != 1) {
 			throw nut::SSLException_OpenSSL("Failed to load client private key file");
 		}
+
+		if (!_certident_name.empty()) {
+#  if (defined(HAVE_SSL_CTX_GET0_CERTIFICATE) && HAVE_SSL_CTX_GET0_CERTIFICATE) && (defined(HAVE_X509_CHECK_HOST) && HAVE_X509_CHECK_HOST) && (defined(HAVE_X509_CHECK_IP_ASC) && HAVE_X509_CHECK_IP_ASC) && (defined(HAVE_X509_NAME_ONELINE) && HAVE_X509_NAME_ONELINE)
+			/* Roughly OpenSSL 1.0.2+ */
+			X509	*x509 = SSL_CTX_get0_certificate(_ssl_ctx);
+			if (x509) {
+				/* Check if _certident_name matches the host (CN or SAN) */
+				if (X509_check_host(x509, _certident_name.c_str(), 0, 0, nullptr) != 1
+				 && X509_check_ip_asc(x509, _certident_name.c_str(), 0) != 1
+				) {
+					char	*subject = X509_NAME_oneline(X509_get_subject_name(x509), nullptr, 0);
+					char	*subject_CN = (subject ? static_cast<char*>(strstr(subject, "CN=")) + 3 : nullptr);
+					size_t	certident_len = _certident_name.length();
+
+					if (_debugConnect) std::cerr <<
+						"[D4] Socket::startTLS(): My certificate subject: '" << (subject ? subject : "unknown") <<
+						"'; CN: '" << (subject_CN ? subject_CN : "unknown") <<
+						"'; CERTIDENT: [" << certident_len << "]'" << _certident_name << "'" <<
+						std::endl << std::flush;
+
+					/* Check if _certident_name matches the whole subject or just .../CN=.../ part as a string */
+					if (!subject || !(
+						strcmp(subject, _certident_name.c_str()) == 0
+						|| (subject_CN && !strncmp(subject_CN, _certident_name.c_str(), certident_len)
+							&& (subject_CN[certident_len] == '\0' || subject_CN[certident_len] == '/') )
+					)) {
+						/* This way or that, the names differ */
+						std::string err = "Certificate subject (" + std::string(subject ? subject : "unknown") + ") does not match CERTIDENT name (" + _certident_name + ")";
+						if (subject) {
+							OPENSSL_free(subject);
+						}
+						throw nut::SSLException_OpenSSL(err);
+					} else {
+						if (_debugConnect) std::cerr <<
+							"[D2] Socket::startTLS(): Certificate subject verified against CERTIDENT subject name (" << _certident_name << ")" <<
+							std::endl << std::flush;
+					}
+					if (subject) {
+						OPENSSL_free(subject);
+					}
+				} else {
+					if (_debugConnect) std::cerr <<
+						"[D2] Socket::startTLS(): Certificate subject verified against CERTIDENT host name (" << _certident_name << ")" <<
+						std::endl << std::flush;
+				}
+			}
+#  else	/* Missing X509 methods wanted above */
+			throw nut::SSLException_OpenSSL("Can not verify CERTIDENT '" + _certident_name + "': not supported in this OpenSSL build (too old)");
+#  endif	/* Got ways to check CERTIDENT? */
+		}
+	} else {
+		if (!_certident_name.empty()) {
+			throw nut::SSLException_OpenSSL("Can not verify CERTIDENT '" + _certident_name + "': no cert_file was provided");
+		}
 	}
 
 	_ssl = SSL_new(_ssl_ctx);
@@ -1419,7 +1538,7 @@ void SSLConfig::apply(TcpClient& client) const
 
 void SSLConfig_OpenSSL::apply(TcpClient& client) const
 {
-	client.setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass);
+	client.setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass, _certident_name);
 }
 
 void SSLConfig_NSS::apply(TcpClient& client) const
@@ -1432,7 +1551,7 @@ void TcpClient::setSSLConfig(const SSLConfig& config)
 	config.apply(*this);
 }
 
-void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	_force_ssl = force_ssl;
 	_certverify = certverify;
@@ -1441,9 +1560,10 @@ void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const char
 	if (cert_file) _cert_file = cert_file;
 	if (key_file) _key_file = key_file;
 	if (key_pass) _key_pass = key_pass;
+	if (certident_name) _certident_name = certident_name;
 }
 
-void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass)
+void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::string& ca_path, const std::string& ca_file, const std::string& cert_file, const std::string& key_file, const std::string& key_pass, const std::string& certident_name)
 {
 	_force_ssl = force_ssl;
 	_certverify = certverify;
@@ -1452,6 +1572,7 @@ void TcpClient::setSSLConfig_OpenSSL(bool force_ssl, int certverify, const std::
 	_cert_file = cert_file;
 	_key_file = key_file;
 	_key_pass = key_pass;
+	_certident_name = certident_name;
 }
 
 void TcpClient::setSSLConfig_NSS(bool force_ssl, int certverify, const char *certstore_path, const char *certstore_pass, const char *certstore_prefix, const char *certhost_name, const char *certident_name)
@@ -1493,8 +1614,8 @@ void TcpClient::connect()
 {
 	_socket->connect(_host, _port);
 	if (_try_ssl || _force_ssl) {
-		if (!_ca_path.empty() || !_ca_file.empty() || !_cert_file.empty() || !_key_file.empty()) {
-			_socket->setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass);
+		if (!_ca_path.empty() || !_ca_file.empty() || !_cert_file.empty() || !_key_file.empty() || !_certident_name.empty()) {
+			_socket->setSSLConfig_OpenSSL(_force_ssl, _certverify, _ca_path, _ca_file, _cert_file, _key_file, _key_pass, _certident_name);
 		} else if (!_certstore_path.empty() || !_certstore_prefix.empty() || !_certhost_name.empty() || !_certident_name.empty()) {
 			_socket->setSSLConfig_NSS(_force_ssl, _certverify, _certstore_path, _key_pass, _certstore_prefix, _certhost_name, _certident_name);
 		}
@@ -2931,13 +3052,13 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client(const char* host, uint16_t port)
 
 int nutclient_tcp_get_ssl_caps(void) { return nut::TcpClient::getSslCaps(); }
 
-NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16_t port, int try_ssl, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16_t port, int try_ssl, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	nut::TcpClient* client = new nut::TcpClient;
 	try
 	{
 		client->setSSLConfig(nut::SSLConfig_OpenSSL(
-			(force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass
+			(force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass, certident_name
 		));
 		client->connect(host, port, try_ssl != 0);
 		return static_cast<NUTCLIENT_TCP_t>(client);
@@ -2950,15 +3071,15 @@ NUTCLIENT_TCP_t nutclient_tcp_create_client_ssl_OpenSSL(const char* host, uint16
 	}
 }
 
-void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass)
+void nutclient_tcp_set_ssl_config_OpenSSL(NUTCLIENT_TCP_t client, int force_ssl, int certverify, const char *ca_path, const char *ca_file, const char *cert_file, const char *key_file, const char *key_pass, const char *certident_name)
 {
 	if(client)
 	{
 		nut::TcpClient* cl = dynamic_cast<nut::TcpClient*>(static_cast<nut::Client*>(client));
 		if(cl)
 		{
 			cl->setSSLConfig(nut::SSLConfig_OpenSSL((
-				force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass
+				force_ssl > 0), certverify, ca_path, ca_file, cert_file, key_file, key_pass, certident_name
 			));
 		}
 	}