/*
** Copyright (C) 2001-2025 Zabbix SIA
**
** This program is free software: you can redistribute it and/or modify it under the terms of
** the GNU Affero General Public License as published by the Free Software Foundation, version 3.
**
** This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
** without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
** See the GNU Affero General Public License for more details.
**
** You should have received a copy of the GNU Affero General Public License along with this program.
** If not, see <https://www.gnu.org/licenses/>.
**/
#include "zbxcomms.h"
#include "comms.h"
#include "tls.h"
#include "zbxlog.h"
#include "zbxstr.h"
#include "zbxcrypto.h"
#if OPENSSL_VERSION_NUMBER < 0x1010000fL
/* for OpenSSL 1.0.1/1.0.2 (before 1.1.0) */
/* mutexes for multi-threaded OpenSSL (see "man 3ssl threads" and example in crypto/threads/mttest.c) */
#include "zbxmutexs.h"
#ifdef _WINDOWS
typedef zbx_mutex_t tls_mutex_t;
int tls_mutex_create(tls_mutex_t *mutex, char **error)
{
return zbx_mutex_create(mutex, NULL, &error);
}
void tls_mutex_destroy(tls_mutex_t *mutex)
{
zbx_mutex_destroy(mutex);
}
void tls_mutex_lock(tls_mutex_t mutex)
{
zbx_mutex_lock(mutex);
}
void tls_mutex_unlock(tls_mutex_t mutex)
{
zbx_mutex_unlock(mutex);
}
#else
typedef pthread_mutex_t * tls_mutex_t;
int tls_mutex_create(tls_mutex_t *mutex, char **error)
{
*mutex = (pthread_mutex_t *)zbx_malloc(NULL, sizeof(pthread_mutex_t));
if (0 != pthread_mutex_init(*mutex, NULL))
{
*error = zbx_dsprintf(*error, "cannot create mutex: %s", zbx_strerror(errno));
return FAIL;
}
return SUCCEED;
}
void tls_mutex_destroy(tls_mutex_t *mutex)
{
pthread_mutex_destroy(*mutex);
zbx_free(*mutex);
}
void tls_mutex_lock(tls_mutex_t mutex)
{
pthread_mutex_lock(mutex);
}
void tls_mutex_unlock(tls_mutex_t mutex)
{
pthread_mutex_unlock(mutex);
}
#endif
static tls_mutex_t *crypto_mutexes = NULL;
static void zbx_openssl_locking_cb(int mode, int n, const char *file, int line)
{
ZBX_UNUSED(file);
ZBX_UNUSED(line);
if (0 != (mode & CRYPTO_LOCK))
tls_mutex_lock(*(crypto_mutexes + n));
else
tls_mutex_unlock(*(crypto_mutexes + n));
}
static void zbx_openssl_thread_setup(void)
{
int i, num_locks;
num_locks = CRYPTO_num_locks();
if (NULL == (crypto_mutexes = zbx_malloc(crypto_mutexes, num_locks * sizeof(tls_mutex_t))))
{
zabbix_log(LOG_LEVEL_CRIT, "cannot allocate mutexes for OpenSSL library");
exit(EXIT_FAILURE);
}
zabbix_log(LOG_LEVEL_DEBUG, "%s() creating %d mutexes", __func__, num_locks);
for (i = 0; i < num_locks; i++)
{
char *error = NULL;
if (SUCCEED != tls_mutex_create(crypto_mutexes + i, &error))
{
zabbix_log(LOG_LEVEL_CRIT, "cannot create mutex #%d for OpenSSL library: %s", i, error);
zbx_free(error);
exit(EXIT_FAILURE);
}
}
CRYPTO_set_locking_callback((void (*)(int, int, const char *, int))zbx_openssl_locking_cb);
/* do not register our own threadid_func() callback, use OpenSSL default one */
}
static void zbx_openssl_thread_cleanup(void)
{
int i, num_locks;
CRYPTO_set_locking_callback(NULL);
num_locks = CRYPTO_num_locks();
for (i = 0; i < num_locks; i++)
tls_mutex_destroy(crypto_mutexes + i);
zbx_free(crypto_mutexes);
}
static int zbx_openssl_init_ssl(zbx_uint64_t opts, void *settings)
{
#if OPENSSL_VERSION_NUMBER < 0x1010000fL
ZBX_UNUSED(opts);
ZBX_UNUSED(settings);
SSL_load_error_strings();
ERR_load_BIO_strings();
SSL_library_init();
#endif
#ifdef _WINDOWS
ZBX_UNUSED(opts);
ZBX_UNUSED(settings);
#endif
zbx_openssl_thread_setup();
return 1;
}
static void OPENSSL_cleanup(void)
{
RAND_cleanup();
ERR_free_strings();
zbx_openssl_thread_cleanup();
}
#endif /* OPENSSL_VERSION_NUMBER < 0x1010000fL */
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
/* OpenSSL 1.1.0 or newer, not LibreSSL */
static int zbx_openssl_init_ssl(zbx_uint64_t opts, void *settings)
{
return OPENSSL_init_ssl(opts, settings);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER) */
static zbx_get_program_type_f zbx_get_program_type_cb = NULL;
static ZBX_THREAD_LOCAL const char *my_psk_identity = NULL;
static ZBX_THREAD_LOCAL size_t my_psk_identity_len = 0;
static ZBX_THREAD_LOCAL char *my_psk = NULL;
static ZBX_THREAD_LOCAL size_t my_psk_len = 0;
/* Pointer to zbx_dc_get_psk_by_identity() initialized at runtime. This is a workaround for linking. */
/* Server and proxy link with src/libs/zbxdbcache/dbconfig.o where zbx_dc_get_psk_by_identity() resides */
/* but other components (e.g. agent) do not link dbconfig.o. */
static zbx_find_psk_in_cache_f find_psk_in_cache_cb = NULL;
/* variable for passing information from callback functions if PSK was found among host PSKs or autoregistration PSK */
static unsigned int psk_usage;
static zbx_tls_status_t tls_status = ZBX_TLS_INIT_NONE;
static ZBX_THREAD_LOCAL const SSL_METHOD *method = NULL;
static ZBX_THREAD_LOCAL SSL_CTX *ctx_cert = NULL;
#ifdef HAVE_OPENSSL_WITH_PSK
static ZBX_THREAD_LOCAL SSL_CTX *ctx_psk = NULL;
static ZBX_THREAD_LOCAL SSL_CTX *ctx_all = NULL;
/* variables for passing required PSK identity and PSK info to client callback function */
static ZBX_THREAD_LOCAL const char *psk_identity_for_cb = NULL;
static ZBX_THREAD_LOCAL size_t psk_identity_len_for_cb = 0;
static ZBX_THREAD_LOCAL char *psk_for_cb = NULL;
static ZBX_THREAD_LOCAL size_t psk_len_for_cb = 0;
#endif
#ifdef HAVE_OPENSSL_WITH_PSK
/* variables for capturing PSK identity from server callback function */
static ZBX_THREAD_LOCAL int incoming_connection_has_psk = 0;
static ZBX_THREAD_LOCAL char incoming_connection_psk_id[PSK_MAX_IDENTITY_LEN + 1];
#endif
/* buffer for messages produced by zbx_openssl_info_cb() */
ZBX_THREAD_LOCAL char info_buf[256];
/******************************************************************************
* *
* Purpose: get state, alert, error information on TLS connection *
* *
* Comments: *
* This is a callback function, its arguments are defined in OpenSSL. *
* *
******************************************************************************/
static void zbx_openssl_info_cb(const SSL *ssl, int where, int ret)
{
/* There was an idea of using SSL_CB_LOOP and SSL_state_string_long() to write state changes into Zabbix log */
/* if logging level is LOG_LEVEL_TRACE. Unfortunately if OpenSSL for security is compiled without SSLv3 */
/* (i.e. OPENSSL_NO_SSL3 is defined) then SSL_state_string_long() does not provide descriptions of many */
/* states anymore. The idea was dropped but the code is here for debugging hard problems. */
#if 0
if (0 != (where & SSL_CB_LOOP))
{
zabbix_log(LOG_LEVEL_TRACE, "OpenSSL debug: state=0x%x \"%s\"", (unsigned int)SSL_state(ssl),
SSL_state_string_long(ssl));
}
#else
ZBX_UNUSED(ssl);
#endif
if (0 != (where & SSL_CB_ALERT)) /* alert sent or received */
{
const char *handshake, *direction, *rw;
if (0 != (where & SSL_CB_EXIT))
handshake = " handshake";
else
handshake = "";
if (0 != (where & SSL_ST_CONNECT))
direction = " connect";
else if (0 != (where & SSL_ST_ACCEPT))
direction = " accept";
else
direction = "";
if (0 != (where & SSL_CB_READ))
rw = " read";
else if (0 != (where & SSL_CB_WRITE))
rw = " write";
else
rw = "";
zbx_snprintf(info_buf, sizeof(info_buf), ": TLS%s%s%s %s alert \"%s\"", handshake, direction, rw,
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
}
static void tls_socket_event(SSL *ctx, ssize_t ssl_err, short *event)
{
ZBX_UNUSED(ctx);
switch (ssl_err)
{
case SSL_ERROR_WANT_WRITE:
*event = POLLOUT;
break;
/*case SSL_ERROR_WANT_READ:*/
default:
*event = POLLIN;
break;
}
}
/******************************************************************************
* *
* Purpose: wait for socket to be available for read or write depending on *
* unfinished operation *
* *
******************************************************************************/
static int tls_socket_wait(ZBX_SOCKET s, SSL *ctx, ssize_t ssl_err)
{
zbx_pollfd_t pd;
int ret;
short event;
ZBX_UNUSED(ctx);
pd.fd = s;
tls_socket_event(ctx, ssl_err, &pd.events);
event = pd.events;
if (0 > (ret = zbx_socket_poll(&pd, 1, ZBX_SOCKET_POLL_TIMEOUT)))
{
if (SUCCEED != zbx_socket_had_nonblocking_error())
return FAIL;
return SUCCEED;
}
if (1 == ret && 0 == (pd.revents & event))
return FAIL;
return SUCCEED;
}
static int tls_is_nonblocking_error(ssize_t err)
{
if (SSL_ERROR_WANT_READ == err || SSL_ERROR_WANT_WRITE == err)
return SUCCEED;
return FAIL;
}
/******************************************************************************
* *
* Purpose: compose a TLS error message *
* *
******************************************************************************/
static void zbx_tls_error_msg(char **error, size_t *error_alloc, size_t *error_offset)
{
unsigned long error_code;
const char *file, *data;
int line, flags;
char err[1024];
/* concatenate all error messages in the queue into one string */
#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_NUMBER >= 3 /* OpenSSL 3.0.0 or newer */
const char *func;
while (0 != (error_code = ERR_get_error_all(&file, &line, &func, &data, &flags)))
#else /* OpenSSL 1.x.x or LibreSSL */
while (0 != (error_code = ERR_get_error_line_data(&file, &line, &data, &flags)))
#endif
{
ERR_error_string_n(error_code, err, sizeof(err));
#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_NUMBER >= 3 /* OpenSSL 3.0.0 or newer */
zbx_snprintf_alloc(error, error_alloc, error_offset, " file %s line %d func %s: %s",
file, line, func, err);
#else /* OpenSSL 1.x.x or LibreSSL */
zbx_snprintf_alloc(error, error_alloc, error_offset, " file %s line %d: %s", file, line, err);
#endif
if (NULL != data && 0 != (flags & ERR_TXT_STRING))
zbx_snprintf_alloc(error, error_alloc, error_offset, ": %s", data);
}
}
#if defined(HAVE_OPENSSL_WITH_PSK)
/******************************************************************************
* *
* Purpose: *
* set pre-shared key for outgoing TLS connection upon OpenSSL request *
* *
* Parameters: *
* ssl - [IN] not used *
* hint - [IN] not used *
* identity - [OUT] buffer to write PSK identity into *
* max_identity_len - [IN] size of the 'identity' buffer *
* psk - [OUT] buffer to write PSK into *
* max_psk_len - [IN] size of the 'psk' buffer *
* *
* Return value: *
* > 0 - length of PSK in bytes *
* 0 - an error occurred *
* *
* Comments: *
* A callback function, its arguments are defined in OpenSSL. *
* Used in all programs making outgoing TLS PSK connections. *
* *
* As a client we use different PSKs depending on connection to be made. *
* Apparently there is no simple way to specify which PSK should be set *
* by this callback function. We use global variables to pass this info. *
* *
******************************************************************************/
static unsigned int zbx_psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
{
ZBX_UNUSED(ssl);
ZBX_UNUSED(hint);
zabbix_log(LOG_LEVEL_DEBUG, "%s() requested PSK identity \"%s\"", __func__, psk_identity_for_cb);
if (max_identity_len < psk_identity_len_for_cb + 1) /* 1 byte for terminating '\0' */
{
zabbix_log(LOG_LEVEL_WARNING, "requested PSK identity \"%s\" does not fit into %u-byte buffer",
psk_identity_for_cb, max_identity_len);
return 0;
}
if (max_psk_len < psk_len_for_cb)
{
zabbix_log(LOG_LEVEL_WARNING, "PSK associated with PSK identity \"%s\" does not fit into %u-byte"
" buffer", psk_identity_for_cb, max_psk_len);
return 0;
}
zbx_strlcpy(identity, psk_identity_for_cb, max_identity_len);
memcpy(psk, psk_for_cb, psk_len_for_cb);
return (unsigned int)psk_len_for_cb;
}
/******************************************************************************
* *
* Purpose: *
* set pre-shared key for incoming TLS connection upon OpenSSL request *
* *
* Parameters: *
* ssl - [IN] not used *
* identity - [IN] PSK identity sent by client *
* psk - [OUT] buffer to write PSK into *
* max_psk_len - [IN] size of the 'psk' buffer *
* *
* Return value: *
* > 0 - length of PSK in bytes *
* 0 - PSK identity not found *
* *
* Comments: *
* A callback function, its arguments are defined in OpenSSL. *
* Used in all programs accepting incoming TLS PSK connections. *
* *
******************************************************************************/
static unsigned int zbx_psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
unsigned int max_psk_len)
{
const char *psk_loc;
size_t psk_len = 0;
int psk_bin_len;
unsigned char tls_psk_hex[HOST_TLS_PSK_LEN_MAX], psk_buf[HOST_TLS_PSK_LEN / 2];
ZBX_UNUSED(ssl);
zabbix_log(LOG_LEVEL_DEBUG, "%s() requested PSK identity \"%s\"", __func__, identity);
incoming_connection_has_psk = 1;
psk_usage = 0;
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
{
/* call the function zbx_dc_get_psk_by_identity() by pointer */
if (0 < find_psk_in_cache_cb((const unsigned char *)identity, tls_psk_hex, &psk_usage))
{
/* The PSK is in configuration cache. Convert PSK to binary form. */
if (0 >= (psk_bin_len = zbx_hex2bin(tls_psk_hex, psk_buf, sizeof(psk_buf))))
{
/* this should have been prevented by validation in frontend or API */
zabbix_log(LOG_LEVEL_WARNING, "cannot convert PSK to binary form for PSK identity"
" \"%s\"", identity);
goto fail;
}
psk_loc = (const char *)psk_buf;
psk_len = (size_t)psk_bin_len;
}
if (0 != (zbx_get_program_type_cb() & ZBX_PROGRAM_TYPE_PROXY) &&
0 < my_psk_identity_len &&
0 == strcmp(my_psk_identity, identity))
{
/* the PSK is in proxy configuration file */
psk_usage |= ZBX_PSK_FOR_PROXY;
if (0 < psk_len && (psk_len != my_psk_len || 0 != memcmp(psk_loc, my_psk, psk_len)))
{
/* PSK was also found in configuration cache but with different value */
zbx_psk_warn_misconfig(identity);
psk_usage &= ~(unsigned int)ZBX_PSK_FOR_AUTOREG;
}
psk_loc = my_psk; /* prefer PSK from proxy configuration file */
psk_len = my_psk_len;
}
if (0 == psk_len)
{
zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\"", identity);
goto fail;
}
}
else if (0 != (zbx_get_program_type_cb() & ZBX_PROGRAM_TYPE_AGENTD))
{
if (0 < my_psk_identity_len)
{
if (0 == strcmp(my_psk_identity, identity))
{
psk_loc = my_psk;
psk_len = my_psk_len;
}
else
{
zabbix_log(LOG_LEVEL_WARNING, "cannot find requested PSK identity \"%s\", available PSK"
" identity \"%s\"", identity, my_psk_identity);
goto fail;
}
}
}
if (0 < psk_len)
{
if ((size_t)max_psk_len < psk_len)
{
zabbix_log(LOG_LEVEL_WARNING, "PSK associated with PSK identity \"%s\" does not fit into"
" %u-byte buffer", identity, max_psk_len);
goto fail;
}
memcpy(psk, psk_loc, psk_len);
zbx_strlcpy(incoming_connection_psk_id, identity, sizeof(incoming_connection_psk_id));
return (unsigned int)psk_len; /* success */
}
fail:
incoming_connection_psk_id[0] = '\0';
return 0; /* PSK not found */
}
#endif
/******************************************************************************
* *
* Purpose: write names of enabled OpenSSL ciphersuites into Zabbix log for *
* debugging *
* *
* Parameters: *
* title1 - [IN] name of the calling function *
* title2 - [IN] name of the group of ciphersuites *
* ciphers - [IN] stack of ciphersuites *
* *
******************************************************************************/
static void zbx_log_ciphersuites(const char *title1, const char *title2, SSL_CTX *ciphers)
{
if (SUCCEED == ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
{
char *msg = NULL;
size_t msg_alloc = 0, msg_offset = 0;
int i, num;
STACK_OF(SSL_CIPHER) *cipher_list;
zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, "%s() %s ciphersuites:", title1, title2);
cipher_list = SSL_CTX_get_ciphers(ciphers);
num = sk_SSL_CIPHER_num(cipher_list);
for (i = 0; i < num; i++)
{
zbx_snprintf_alloc(&msg, &msg_alloc, &msg_offset, " %s",
SSL_CIPHER_get_name(sk_SSL_CIPHER_value(cipher_list, i)));
}
zabbix_log(LOG_LEVEL_DEBUG, "%s", msg);
zbx_free(msg);
}
}
/******************************************************************************
* *
* Purpose: *
* Print distinguished name (i.e. issuer, subject) into buffer. Intended *
* to use as an alternative to OpenSSL X509_NAME_oneline() and to meet *
* application needs. *
* *
* Parameters: *
* dn - [IN] pointer to distinguished name *
* buf - [OUT] output buffer *
* size - [IN] output buffer size *
* error - [OUT] dynamically allocated memory with error message *
* *
* Return value: *
* SUCCEED - no errors, FAIL - an error occurred *
* *
* Comments: *
* Examples often use OpenSSL X509_NAME_oneline() to print certificate *
* issuer and subject into memory buffers but it is a legacy function and *
* strongly discouraged in new applications. So, we have to use functions *
* writing into BIOs and then turn results into memory buffers. *
* *
******************************************************************************/
static int zbx_x509_dn_gets(X509_NAME *dn, char *buf, size_t size, char **error)
{
BIO *bio;
const char *data;
size_t len;
int ret = FAIL;
if (NULL == (bio = BIO_new(BIO_s_mem())))
{
*error = zbx_strdup(*error, "cannot create BIO");
goto out;
}
/* XN_FLAG_RFC2253 - RFC 2253 is outdated, it was replaced by RFC 4514 "Lightweight Directory Access Protocol */
/* (LDAP): String Representation of Distinguished Names" */
if (0 > X509_NAME_print_ex(bio, dn, 0, XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB))
{
*error = zbx_strdup(*error, "cannot print distinguished name");
goto out;
}
if (size <= (len = (size_t)BIO_get_mem_data(bio, &data)))
{
*error = zbx_strdup(*error, "output buffer too small");
goto out;
}
zbx_strlcpy(buf, data, len + 1);
ret = SUCCEED;
out:
if (NULL != bio)
{
/* ensure that associated memory buffer will be freed by BIO_vfree() */
(void)BIO_set_close(bio, BIO_CLOSE);
BIO_vfree(bio);
}
return ret;
}
/******************************************************************************
* *
* Purpose: write peer certificate information into Zabbix log for debugging *
* *
* Parameters: *
* function_name - [IN] caller function name *
* tls_ctx - [IN] TLS context *
* *
******************************************************************************/
static void zbx_log_peer_cert(const char *function_name, const zbx_tls_context_t *tls_ctx)
{
char *error = NULL;
X509 *cert;
char issuer[HOST_TLS_ISSUER_LEN_MAX], subject[HOST_TLS_SUBJECT_LEN_MAX];
if (SUCCEED != ZBX_CHECK_LOG_LEVEL(LOG_LEVEL_DEBUG))
return;
if (NULL == (cert = SSL_get_peer_certificate(tls_ctx->ctx)))
{
zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate", function_name);
}
else if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(cert), issuer, sizeof(issuer), &error))
{
zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate issuer: %s", function_name, error);
}
else if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(cert), subject, sizeof(subject), &error))
{
zabbix_log(LOG_LEVEL_DEBUG, "%s() cannot obtain peer certificate subject: %s", function_name, error);
}
else
{
zabbix_log(LOG_LEVEL_DEBUG, "%s() peer certificate issuer:\"%s\" subject:\"%s\"",
function_name, issuer, subject);
}
if (NULL != cert)
X509_free(cert);
zbx_free(error);
}
/******************************************************************************
* *
* Purpose: *
* verify peer certificate issuer and subject of the given TLS context *
* *
* Parameters: *
* tls_ctx - [IN] TLS context to verify *
* issuer - [IN] required issuer (ignore if NULL or empty string) *
* subject - [IN] required subject (ignore if NULL or empty string) *
* error - [OUT] dynamically allocated memory with error message *
* *
* Return value: *
* SUCCEED or FAIL *
* *
******************************************************************************/
static int zbx_verify_issuer_subject(const zbx_tls_context_t *tls_ctx, const char *issuer, const char *subject,
char **error)
{
char tls_issuer[HOST_TLS_ISSUER_LEN_MAX], tls_subject[HOST_TLS_SUBJECT_LEN_MAX];
int issuer_mismatch = 0, subject_mismatch = 0;
size_t error_alloc = 0, error_offset = 0;
X509 *cert;
if ((NULL == issuer || '\0' == *issuer) && (NULL == subject || '\0' == *subject))
return SUCCEED;
tls_issuer[0] = '\0';
tls_subject[0] = '\0';
if (NULL == (cert = SSL_get_peer_certificate(tls_ctx->ctx)))
{
*error = zbx_strdup(*error, "cannot obtain peer certificate");
return FAIL;
}
if (NULL != issuer && '\0' != *issuer)
{
if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(cert), tls_issuer, sizeof(tls_issuer), error))
{
X509_free(cert);
return FAIL;
}
}
if (NULL != subject && '\0' != *subject)
{
if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(cert), tls_subject, sizeof(tls_subject), error))
{
X509_free(cert);
return FAIL;
}
}
X509_free(cert);
/* simplified match, not compliant with RFC 4517, 4518 */
if (NULL != issuer && '\0' != *issuer)
issuer_mismatch = strcmp(tls_issuer, issuer);
if (NULL != subject && '\0' != *subject)
subject_mismatch = strcmp(tls_subject, subject);
if (0 == issuer_mismatch && 0 == subject_mismatch)
return SUCCEED;
if (0 != issuer_mismatch)
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "issuer: peer: \"%s\", required: \"%s\"",
tls_issuer, issuer);
}
if (0 != subject_mismatch)
{
if (0 != issuer_mismatch)
zbx_strcpy_alloc(error, &error_alloc, &error_offset, ", ");
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "subject: peer: \"%s\", required: \"%s\"",
tls_subject, subject);
}
return FAIL;
}
/******************************************************************************
* *
* Purpose: initialize TLS library, log library version *
* *
* Comments: *
* Some crypto libraries require initialization. On Unix the *
* initialization is done separately in each child process which uses *
* crypto libraries. On MS Windows it is done in the first thread. *
* *
* Flag 'init_status' is used to prevent library deinitialization on exit *
* if it was not yet initialized (can happen if termination signal is *
* received) and library initialization in threads when it was done in *
* parent process. *
* *
******************************************************************************/
static void zbx_tls_library_init(zbx_tls_status_t status)
{
/* skip initialization in threads if it was already done in parent process */
if (ZBX_TLS_INIT_NONE != tls_status)
return;
#if !defined(LIBRESSL_VERSION_NUMBER) /* LibreSSL does not require initialization */
if (1 != zbx_openssl_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL))
{
zabbix_log(LOG_LEVEL_CRIT, "cannot initialize OpenSSL library");
exit(EXIT_FAILURE);
}
#endif
tls_status = status;
zabbix_log(LOG_LEVEL_DEBUG, "OpenSSL library (version %s) initialized", OpenSSL_version(OPENSSL_VERSION));
}
/******************************************************************************
* *
* Purpose: deinitialize TLS library *
* *
******************************************************************************/
void zbx_tls_library_deinit(zbx_tls_status_t status)
{
if (status == tls_status)
{
tls_status = 0;
OPENSSL_cleanup();
}
}
/******************************************************************************
* *
* Purpose: initialize TLS library in a parent process *
* *
******************************************************************************/
void zbx_tls_init_parent(zbx_get_program_type_f zbx_get_program_type_cb_arg)
{
zbx_get_program_type_cb = zbx_get_program_type_cb_arg;
zbx_tls_library_init(ZBX_TLS_INIT_THREADS);
}
static const char *zbx_ctx_name(SSL_CTX *param)
{
if (ctx_cert == param)
return "certificate-based encryption";
#if defined(HAVE_OPENSSL_WITH_PSK)
if (ctx_psk == param)
return "PSK-based encryption";
if (ctx_all == param)
return "certificate and PSK-based encryption";
#endif
THIS_SHOULD_NEVER_HAPPEN;
return ZBX_NULL2STR(NULL);
}
static int zbx_set_ecdhe_parameters(SSL_CTX *ctx)
{
const char *msg = "Perfect Forward Secrecy ECDHE ciphersuites will not be available for";
long res;
int ret = SUCCEED;
#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_NUMBER >= 3 /* OpenSSL 3.0.0 or newer */
int grp_list[1] = { NID_X9_62_prime256v1 }; /* use curve secp256r1/prime256v1/NIST P-256 */
if (1 != (res = SSL_CTX_set1_groups(ctx, grp_list, ARRSIZE(grp_list))))
{
zabbix_log(LOG_LEVEL_WARNING, "%s() SSL_CTX_set1_groups() returned %ld. %s %s",
__func__, res, msg, zbx_ctx_name(ctx));
ret = FAIL;
}
#else /* OpenSSL 1.x.x or LibreSSL */
EC_KEY *ecdh;
/* use curve secp256r1/prime256v1/NIST P-256 */
if (NULL == (ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)))
{
zabbix_log(LOG_LEVEL_WARNING, "%s() EC_KEY_new_by_curve_name() failed. %s %s",
__func__, msg, zbx_ctx_name(ctx));
return FAIL;
}
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
if (1 != (res = SSL_CTX_set_tmp_ecdh(ctx, ecdh)))
{
zabbix_log(LOG_LEVEL_WARNING, "%s() SSL_CTX_set_tmp_ecdh() returned %ld. %s %s",
__func__, res, msg, zbx_ctx_name(ctx));
ret = FAIL;
}
EC_KEY_free(ecdh);
#endif
return ret;
}
/******************************************************************************
* *
* Purpose: read available configuration parameters and initialize TLS *
* library in a child process *
* *
******************************************************************************/
void zbx_tls_init_child(const zbx_config_tls_t *config_tls, zbx_get_program_type_f zbx_get_program_type_cb_arg,
zbx_find_psk_in_cache_f zbx_find_psk_in_cache_cb_arg)
{
#define ZBX_CIPHERS_CERT_ECDHE "EECDH+aRSA+AES128:"
#define ZBX_CIPHERS_CERT "RSA+aRSA+AES128"
#if defined(HAVE_OPENSSL_WITH_PSK)
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
/* TLS_AES_256_GCM_SHA384 is excluded from client ciphersuite list for PSK based connections. */
/* By default, in TLS 1.3 only *-SHA256 ciphersuites work with PSK. */
# define ZBX_CIPHERS_PSK_TLS13 "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
#endif
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL /* OpenSSL 1.1.0 or newer */
# define ZBX_CIPHERS_PSK_ECDHE "kECDHEPSK+AES128:"
# define ZBX_CIPHERS_PSK "kPSK+AES128"
#else
# define ZBX_CIPHERS_PSK_ECDHE ""
# define ZBX_CIPHERS_PSK "PSK-AES128-CBC-SHA"
#endif
#endif
char *error = NULL;
size_t error_alloc = 0, error_offset = 0;
#ifndef _WINDOWS
sigset_t mask, orig_mask;
#endif
zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
zbx_get_program_type_cb = zbx_get_program_type_cb_arg;
find_psk_in_cache_cb = zbx_find_psk_in_cache_cb_arg;
#ifndef _WINDOWS
/* Invalid TLS parameters will cause exit. Once one process exits the parent process will send SIGHUP to */
/* child processes which may be on their way to exit on their own - do not interrupt them, block signal */
/* SIGHUP and unblock it when TLS parameters are good and libraries are initialized. */
sigemptyset(&mask);
sigaddset(&mask, SIGTERM);
sigaddset(&mask, SIGHUP);
sigaddset(&mask, SIGUSR2);
sigaddset(&mask, SIGQUIT);
zbx_sigmask(SIG_BLOCK, &mask, &orig_mask);
#endif
zbx_tls_library_init(ZBX_TLS_INIT_PROCESS);
if (1 != RAND_status()) /* protect against not properly seeded PRNG */
{
zabbix_log(LOG_LEVEL_CRIT, "cannot initialize PRNG");
zbx_tls_free();
exit(EXIT_FAILURE);
}
/* set protocol version to TLS 1.2 */
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_SENDER | ZBX_PROGRAM_TYPE_GET)))
method = TLS_client_method();
else /* ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_AGENTD */
method = TLS_method();
/* create context for certificate-only authentication if certificate is configured */
if (NULL != config_tls->cert_file)
{
if (NULL == (ctx_cert = SSL_CTX_new(method)))
goto out_method;
if (1 != SSL_CTX_set_min_proto_version(ctx_cert, TLS1_2_VERSION))
goto out_method;
}
#if defined(HAVE_OPENSSL_WITH_PSK)
/* Create context for PSK-only authentication. PSK can come from configuration file (in proxy, agentd) */
/* and later from database (in server, proxy). */
if (NULL != config_tls->psk_file || 0 != (zbx_get_program_type_cb() &
(ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY)))
{
if (NULL == (ctx_psk = SSL_CTX_new(method)))
goto out_method;
if (1 != SSL_CTX_set_min_proto_version(ctx_psk, TLS1_2_VERSION))
goto out_method;
}
/* Sometimes we need to be ready for both certificate and PSK whichever comes in. Set up a universal context */
/* for certificate and PSK authentication to prepare for both. */
if (NULL != ctx_cert && NULL != ctx_psk)
{
if (NULL == (ctx_all = SSL_CTX_new(method)))
goto out_method;
if (1 != SSL_CTX_set_min_proto_version(ctx_all, TLS1_2_VERSION))
goto out_method;
}
#endif
/* 'TLSCAFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf) */
if (NULL != config_tls->ca_file)
{
#if defined(HAVE_OPENSSL_WITH_PSK)
if (1 != SSL_CTX_load_verify_locations(ctx_cert, config_tls->ca_file, NULL) ||
(NULL != ctx_all && 1 != SSL_CTX_load_verify_locations(ctx_all,
config_tls->ca_file, NULL)))
#else
if (1 != SSL_CTX_load_verify_locations(ctx_cert, config_tls->ca_file, NULL))
#endif
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CA certificate(s) from"
" file \"%s\":", config_tls->ca_file);
goto out;
}
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded CA certificate(s) from file \"%s\"", __func__,
config_tls->ca_file);
/* It is possible to limit the length of certificate chain being verified. For example: */
/* SSL_CTX_set_verify_depth(ctx_cert, 2); */
/* Currently use the default depth 100. */
SSL_CTX_set_verify(ctx_cert, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
#if defined(HAVE_OPENSSL_WITH_PSK)
if (NULL != ctx_all)
SSL_CTX_set_verify(ctx_all, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
#endif
}
/* 'TLSCRLFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
/* Load CRL (certificate revocation list) file. */
if (NULL != config_tls->crl_file)
{
X509_STORE *store_cert;
X509_LOOKUP *lookup_cert;
int count_cert;
store_cert = SSL_CTX_get_cert_store(ctx_cert);
if (NULL == (lookup_cert = X509_STORE_add_lookup(store_cert, X509_LOOKUP_file())))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_add_lookup() #%d failed"
" when loading CRL(s) from file \"%s\":", 1, config_tls->crl_file);
goto out;
}
if (0 >= (count_cert = X509_load_crl_file(lookup_cert, config_tls->crl_file, X509_FILETYPE_PEM)))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CRL(s) from file \"%s\":",
config_tls->crl_file);
goto out;
}
if (1 != X509_STORE_set_flags(store_cert, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_set_flags() #%d failed when"
" loading CRL(s) from file \"%s\":", 1, config_tls->crl_file);
goto out;
}
#if defined(HAVE_OPENSSL_WITH_PSK)
if (NULL != ctx_all)
{
X509_STORE *store_all;
X509_LOOKUP *lookup_all;
int count_all;
store_all = SSL_CTX_get_cert_store(ctx_all);
if (NULL == (lookup_all = X509_STORE_add_lookup(store_all, X509_LOOKUP_file())))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_add_lookup() #%d"
" failed when loading CRL(s) from file \"%s\":", 2,
config_tls->crl_file);
goto out;
}
if (0 >= (count_all = X509_load_crl_file(lookup_all, config_tls->crl_file,
X509_FILETYPE_PEM)))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load CRL(s) from file"
" \"%s\":", config_tls->crl_file);
goto out;
}
if (count_cert != count_all)
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "number of CRL(s) loaded from"
" file \"%s\" does not match: %d and %d", config_tls->crl_file,
count_cert, count_all);
goto out1;
}
if (1 != X509_STORE_set_flags(store_all, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "X509_STORE_set_flags() #%d"
" failed when loading CRL(s) from file \"%s\":", 2,
config_tls->crl_file);
goto out;
}
}
#endif
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded %d CRL(s) from file \"%s\"", __func__, count_cert,
config_tls->crl_file);
}
/* 'TLSCertFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
/* Load certificate. */
if (NULL != config_tls->cert_file)
{
#if defined(HAVE_OPENSSL_WITH_PSK)
if (1 != SSL_CTX_use_certificate_chain_file(ctx_cert, config_tls->cert_file) ||
(NULL != ctx_all && 1 != SSL_CTX_use_certificate_chain_file(ctx_all,
config_tls->cert_file)))
#else
if (1 != SSL_CTX_use_certificate_chain_file(ctx_cert, config_tls->cert_file))
#endif
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load certificate(s) from file"
" \"%s\":", config_tls->cert_file);
goto out;
}
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded certificate(s) from file \"%s\"", __func__,
config_tls->cert_file);
}
/* 'TLSKeyFile' parameter (in zabbix_server.conf, zabbix_proxy.conf, zabbix_agentd.conf). */
/* Load private key. */
if (NULL != config_tls->key_file)
{
#if defined(HAVE_OPENSSL_WITH_PSK)
if (1 != SSL_CTX_use_PrivateKey_file(ctx_cert, config_tls->key_file, SSL_FILETYPE_PEM) ||
(NULL != ctx_all && 1 != SSL_CTX_use_PrivateKey_file(ctx_all,
config_tls->key_file, SSL_FILETYPE_PEM)))
#else
if (1 != SSL_CTX_use_PrivateKey_file(ctx_cert, config_tls->key_file, SSL_FILETYPE_PEM))
#endif
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot load private key from file"
" \"%s\":", config_tls->key_file);
goto out;
}
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded private key from file \"%s\"", __func__,
config_tls->key_file);
if (1 != SSL_CTX_check_private_key(ctx_cert))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "certificate and private key do not"
" match:");
goto out;
}
}
/* 'TLSPSKIdentity' and 'TLSPSKFile' parameters (in zabbix_proxy.conf, zabbix_agentd.conf). */
/* Load pre-shared key and identity to be used with the pre-shared key. */
if (NULL != config_tls->psk_file)
{
my_psk_identity = config_tls->psk_identity;
my_psk_identity_len = strlen(my_psk_identity);
zbx_check_psk_identity_len(my_psk_identity_len);
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK identity \"%s\"", __func__, config_tls->psk_identity);
zbx_read_psk_file(config_tls->psk_file, &my_psk, &my_psk_len);
zabbix_log(LOG_LEVEL_DEBUG, "%s() loaded PSK from file \"%s\"", __func__,
config_tls->psk_file);
}
#if defined(HAVE_OPENSSL_WITH_PSK)
/* set up PSK global variables for client callback if PSK comes only from configuration file or command line */
if (NULL != ctx_psk && 0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_AGENTD | ZBX_PROGRAM_TYPE_SENDER |
ZBX_PROGRAM_TYPE_GET)))
{
psk_identity_for_cb = my_psk_identity;
psk_identity_len_for_cb = my_psk_identity_len;
psk_for_cb = my_psk;
psk_len_for_cb = my_psk_len;
}
#endif
if (NULL != ctx_cert)
{
const char *ciphers;
SSL_CTX_set_info_callback(ctx_cert, zbx_openssl_info_cb);
/* use server ciphersuite preference, do not use RFC 4507 ticket extension */
SSL_CTX_set_options(ctx_cert, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
/* do not connect to unpatched servers */
SSL_CTX_clear_options(ctx_cert, SSL_OP_LEGACY_SERVER_CONNECT);
/* disable session caching */
SSL_CTX_set_session_cache_mode(ctx_cert, SSL_SESS_CACHE_OFF);
/* try to enable ECDH ciphersuites */
if (SUCCEED == zbx_set_ecdhe_parameters(ctx_cert))
ciphers = ZBX_CIPHERS_CERT_ECDHE ZBX_CIPHERS_CERT;
else
ciphers = ZBX_CIPHERS_CERT;
/* override TLS 1.3 certificate ciphersuites with user-defined settings */
if (NULL != config_tls->cipher_cert13 || NULL != config_tls->cipher_cmd13)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* only OpenSSL 1.1.1 or newer */
const char *override_ciphers = config_tls->cipher_cert13; /* can be NULL */
if (NULL != config_tls->cipher_cmd13 && ZBX_TCP_SEC_TLS_CERT ==
config_tls->connect_mode)
{
override_ciphers = config_tls->cipher_cmd13;
}
if (NULL != override_ciphers && 1 != SSL_CTX_set_ciphersuites(ctx_cert, override_ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" certificate ciphersuites from \"TLSCipherCert13\" or"
" \"--tls-cipher13\" parameter:");
goto out;
}
#else
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" certificate ciphersuites: compiled with OpenSSL version older than 1.1.1 or"
" with LibreSSL. Consider not using parameters \"TLSCipherCert13\" or"
" \"--tls-cipher13\"");
goto out1;
#endif
}
/* override TLS 1.2 certificate ciphersuites with user-defined settings */
if (NULL != config_tls->cipher_cert || NULL != config_tls->cipher_cmd)
{
const char *override_ciphers = config_tls->cipher_cert; /* can be NULL */
if (NULL != config_tls->cipher_cmd && ZBX_TCP_SEC_TLS_CERT ==
config_tls->connect_mode)
{
override_ciphers = config_tls->cipher_cmd;
}
if (NULL != override_ciphers && 1 != SSL_CTX_set_cipher_list(ctx_cert, override_ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
" certificate ciphersuites from \"TLSCipherCert\" or \"--tls-cipher\""
" parameter:");
goto out;
}
}
else if (1 != SSL_CTX_set_cipher_list(ctx_cert, ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of certificate"
" ciphersuites:");
goto out;
}
zbx_log_ciphersuites(__func__, "certificate", ctx_cert);
}
#if defined(HAVE_OPENSSL_WITH_PSK)
if (NULL != ctx_psk)
{
const char *ciphers;
SSL_CTX_set_info_callback(ctx_psk, zbx_openssl_info_cb);
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY |
ZBX_PROGRAM_TYPE_AGENTD | ZBX_PROGRAM_TYPE_SENDER | ZBX_PROGRAM_TYPE_GET)))
{
SSL_CTX_set_psk_client_callback(ctx_psk, zbx_psk_client_cb);
}
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY |
ZBX_PROGRAM_TYPE_AGENTD)))
{
SSL_CTX_set_psk_server_callback(ctx_psk, zbx_psk_server_cb);
}
SSL_CTX_set_options(ctx_psk, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
SSL_CTX_clear_options(ctx_psk, SSL_OP_LEGACY_SERVER_CONNECT);
SSL_CTX_set_session_cache_mode(ctx_psk, SSL_SESS_CACHE_OFF);
if ('\0' != *ZBX_CIPHERS_PSK_ECDHE && SUCCEED == zbx_set_ecdhe_parameters(ctx_psk))
ciphers = ZBX_CIPHERS_PSK_ECDHE ZBX_CIPHERS_PSK;
else
ciphers = ZBX_CIPHERS_PSK;
/* override TLS 1.3 PSK ciphersuites with user-defined settings */
if (NULL != config_tls->cipher_psk13 || NULL != config_tls->cipher_cmd13)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
const char *override_ciphers = config_tls->cipher_psk13; /* can be NULL */
if (NULL != config_tls->cipher_cmd13 && ZBX_TCP_SEC_TLS_PSK ==
config_tls->connect_mode)
{
override_ciphers = config_tls->cipher_cmd13;
}
if (NULL != override_ciphers && 1 != SSL_CTX_set_ciphersuites(ctx_psk, override_ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" PSK ciphersuites from \"TLSCipherPSK13\" or \"--tls-cipher13\""
" parameter:");
goto out;
}
#else
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" PSK ciphersuites: compiled with OpenSSL version older than 1.1.1."
" Consider not using parameters \"TLSCipherPSK13\" or \"--tls-cipher13\"");
goto out1;
#endif
}
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
else if (1 != SSL_CTX_set_ciphersuites(ctx_psk, ZBX_CIPHERS_PSK_TLS13))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of PSK TLS 1.3"
" ciphersuites:");
goto out;
}
#endif
/* override TLS 1.2 PSK ciphersuites with user-defined settings */
if (NULL != config_tls->cipher_psk || NULL != config_tls->cipher_cmd)
{
const char *override_ciphers = config_tls->cipher_psk; /* can be NULL */
if (NULL != config_tls->cipher_cmd && ZBX_TCP_SEC_TLS_PSK ==
config_tls->connect_mode)
{
override_ciphers = config_tls->cipher_cmd;
}
if (NULL != override_ciphers && 1 != SSL_CTX_set_cipher_list(ctx_psk, override_ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
" PSK ciphersuites from \"TLSCipherPSK\" or \"--tls-cipher\""
" parameter:");
goto out;
}
}
else if (1 != SSL_CTX_set_cipher_list(ctx_psk, ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of PSK ciphersuites:");
goto out;
}
zbx_log_ciphersuites(__func__, "PSK", ctx_psk);
}
if (NULL != ctx_all)
{
const char *ciphers;
SSL_CTX_set_info_callback(ctx_all, zbx_openssl_info_cb);
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_SERVER | ZBX_PROGRAM_TYPE_PROXY |
ZBX_PROGRAM_TYPE_AGENTD)))
{
SSL_CTX_set_psk_server_callback(ctx_all, zbx_psk_server_cb);
}
SSL_CTX_set_options(ctx_all, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_TICKET);
SSL_CTX_clear_options(ctx_all, SSL_OP_LEGACY_SERVER_CONNECT);
SSL_CTX_set_session_cache_mode(ctx_all, SSL_SESS_CACHE_OFF);
if (SUCCEED == zbx_set_ecdhe_parameters(ctx_all))
ciphers = ZBX_CIPHERS_CERT_ECDHE ZBX_CIPHERS_CERT ":" ZBX_CIPHERS_PSK_ECDHE ZBX_CIPHERS_PSK;
else
ciphers = ZBX_CIPHERS_CERT ":" ZBX_CIPHERS_PSK;
/* override TLS 1.3 ciphersuites with user-defined setting */
if (NULL != config_tls->cipher_all13)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
if (1 != SSL_CTX_set_ciphersuites(ctx_all, config_tls->cipher_all13))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" ciphersuites from \"TLSCipherAll13\" parameter:");
goto out;
}
#else
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.3"
" ciphersuites: compiled with OpenSSL version older than 1.1.1."
" Consider not using parameter \"TLSCipherAll13\"");
goto out1;
#endif
}
/* override TLS 1.2 ciphersuites with user-defined setting */
if (NULL != config_tls->cipher_all)
{
if (1 != SSL_CTX_set_cipher_list(ctx_all, config_tls->cipher_all))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of TLS 1.2"
" ciphersuites from \"TLSCipherAll\" parameter:");
goto out;
}
}
else if (1 != SSL_CTX_set_cipher_list(ctx_all, ciphers))
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of all ciphersuites:");
goto out;
}
zbx_log_ciphersuites(__func__, "certificate and PSK", ctx_all);
}
if (NULL == ctx_psk)
{
/* cannot override TLS 1.3 PSK ciphersuites */
if (NULL != config_tls->cipher_psk13)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK13\" cannot"
" be applied: the list of PSK ciphersuites is not used");
#else
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK13\" cannot"
" be applied: compiled with OpenSSL version older than 1.1.1");
#endif
goto out1;
}
/* cannot override TLS 1.2 PSK ciphersuites */
if (NULL != config_tls->cipher_psk)
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherPSK\" cannot"
" be applied: the list of PSK ciphersuites is not used");
goto out1;
}
}
if (NULL == ctx_all)
{
/* cannot override TLS 1.3 ciphersuites */
if (NULL != config_tls->cipher_all13)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer */
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll13\" cannot"
" be applied: the combined list of certificate and PSK ciphersuites is"
" not used. Most likely parameters \"TLSCipherCert13\" and/or \"TLSCipherPSK13\""
" are sufficient");
#else
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll13\" cannot"
" be applied: compiled with OpenSSL version older than 1.1.1");
#endif
goto out1;
}
/* cannot override TLS 1.2 ciphersuites */
if (NULL != config_tls->cipher_all)
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "parameter \"TLSCipherAll\" cannot"
" be applied: the combined list of certificate and PSK ciphersuites is"
" not used. Most likely parameters \"TLSCipherCert\" and/or \"TLSCipherPSK\""
" are sufficient");
goto out1;
}
}
#else /* HAVE_OPENSSL_WITH_PSK is not defined */
/* cannot use TLSCipherPSK13, TLSCipherPSK, TLSCipherAll13 and TLSCipherAll13 parameters */
/* if PSK is not supported by crypto library */
if (NULL != config_tls->cipher_psk13 || NULL != config_tls->cipher_psk ||
NULL != config_tls->cipher_all13 || NULL != config_tls->cipher_all)
{
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "at least one of parameters TLSCipherPSK13,"
" TLSCipherPSK, TLSCipherAll13 or TLSCipherAll is defined. These parameters must not"
" be defined because the program is compiled with OpenSSL without PSK support or"
" LibreSSL");
goto out1;
}
#endif /* defined(HAVE_OPENSSL_WITH_PSK) */
#ifndef _WINDOWS
zbx_sigmask(SIG_SETMASK, &orig_mask, NULL);
#endif
zabbix_log(LOG_LEVEL_DEBUG, "End of %s()", __func__);
return;
out_method:
zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot initialize TLS method:");
out:
zbx_tls_error_msg(&error, &error_alloc, &error_offset);
out1:
zabbix_log(LOG_LEVEL_CRIT, "%s", error);
zbx_free(error);
zbx_tls_free();
exit(EXIT_FAILURE);
#undef ZBX_CIPHERS_CERT_ECDHE
#undef ZBX_CIPHERS_CERT
#undef ZBX_CIPHERS_PSK_ECDHE
#undef ZBX_CIPHERS_PSK
#undef ZBX_CIPHERS_PSK_TLS13
}
/******************************************************************************
* *
* Purpose: release TLS library resources allocated in zbx_tls_init_parent() *
* and zbx_tls_init_child() *
* *
******************************************************************************/
void zbx_tls_free(void)
{
if (NULL != ctx_cert)
SSL_CTX_free(ctx_cert);
#if defined(HAVE_OPENSSL_WITH_PSK)
if (NULL != ctx_psk)
SSL_CTX_free(ctx_psk);
if (NULL != ctx_all)
SSL_CTX_free(ctx_all);
#endif
if (NULL != my_psk)
{
zbx_guaranteed_memset(my_psk, 0, my_psk_len);
my_psk_len = 0;
zbx_free(my_psk);
}
zbx_tls_library_deinit(ZBX_TLS_INIT_PROCESS);
}
static int openssl_get_error(const SSL *s, int res, const char *func, size_t *error_alloc, size_t *error_offset,
char **error)
{
int result_code;
result_code = SSL_get_error(s, res);
switch (result_code)
{
case SSL_ERROR_NONE: /* handshake successful */
return SUCCEED;
case SSL_ERROR_ZERO_RETURN:
zbx_snprintf_alloc(error, error_alloc, error_offset,
"%s() TLS connection has been closed during read", func);
return FAIL;
case SSL_ERROR_SYSCALL:
if (0 == ERR_peek_error())
{
if (0 == res)
{
zbx_snprintf_alloc(error, error_alloc, error_offset,
"%s() connection closed by peer", func);
}
else if (-1 == res)
{
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s()"
" I/O error: %s", func,
zbx_strerror_from_system(zbx_socket_last_error()));
}
else
{
/* "man SSL_get_error" describes only res == 0 and res == -1 for */
/* SSL_ERROR_SYSCALL case */
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s()"
" returned undocumented code %d", func, res);
}
}
else
{
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s() set"
" result code to SSL_ERROR_SYSCALL:", func);
zbx_tls_error_msg(error, error_alloc, error_offset);
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s", info_buf);
}
return FAIL;
case SSL_ERROR_SSL:
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s() set"
" result code to SSL_ERROR_SSL:", func);
zbx_tls_error_msg(error, error_alloc, error_offset);
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s", info_buf);
return FAIL;
default:
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s() set result code"
" to %d", func, result_code);
zbx_tls_error_msg(error, error_alloc, error_offset);
zbx_snprintf_alloc(error, error_alloc, error_offset, "%s", info_buf);
return FAIL;
}
}
static const char *tls_error_string(int err)
{
switch (err)
{
case SSL_ERROR_WANT_READ:
return "SSL_ERROR_WANT_READ";
case SSL_ERROR_WANT_WRITE:
return "SSL_ERROR_WANT_WRITE";
default:
return "unknown error";
}
}
/******************************************************************************
* *
* Purpose: establish a TLS connection over an established TCP connection *
* *
* Parameters: *
* s - [IN] socket with opened connection *
* tls_connect - [IN] how to connect. Allowed values: *
* ZBX_TCP_SEC_TLS_CERT, ZBX_TCP_SEC_TLS_PSK. *
* tls_arg1 - [IN] required issuer of peer certificate (may be NULL *
* or empty string if not important) or PSK identity *
* to connect with depending on value of *
* 'tls_connect'. *
* tls_arg2 - [IN] required subject of peer certificate (may be NULL *
* or empty string if not important) or PSK *
* (in hex-string) to connect with depending on value *
* of 'tls_connect'. *
* server_name - [IN] optional server name indication for TLS *
* event - [OUT] may be NULL for blocking TLS handshake, otherwise *
* informs caller to wait for POLLIN or POLLOUT and *
* retry function to complete async TLS handshake *
* error - [OUT] dynamically allocated memory with error message *
* *
* Return value: *
* SUCCEED - successful TLS handshake with a valid certificate or PSK *
* FAIL - an error occurred or retry is needed if event is filled *
* *
******************************************************************************/
int zbx_tls_connect(zbx_socket_t *s, unsigned int tls_connect, const char *tls_arg1, const char *tls_arg2,
const char *server_name, short *event, char **error)
{
int ret = FAIL, res;
size_t error_alloc = 0, error_offset = 0;
unsigned char initialized;
if (NULL != event)
*event = 0;
if (NULL == s->tls_ctx)
{
s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
s->tls_ctx->ctx = NULL;
initialized = 0;
}
else
initialized = 1;
if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
{
if (0 == initialized)
{
zabbix_log(LOG_LEVEL_DEBUG, "In %s(): issuer:\"%s\" subject:\"%s\"", __func__,
ZBX_NULL2EMPTY_STR(tls_arg1), ZBX_NULL2EMPTY_STR(tls_arg2));
if (NULL == ctx_cert)
{
*error = zbx_strdup(*error, "cannot connect with TLS and certificate: no valid"
" certificate loaded");
goto out;
}
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create connection"
" context:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
}
else if (ZBX_TCP_SEC_TLS_PSK == tls_connect)
{
zabbix_log(LOG_LEVEL_DEBUG, "In %s(): psk_identity:\"%s\"", __func__, ZBX_NULL2EMPTY_STR(tls_arg1));
#if defined(HAVE_OPENSSL_WITH_PSK)
if (0 == initialized)
{
if (NULL == ctx_psk)
{
*error = zbx_strdup(*error, "cannot connect with TLS and PSK: no valid PSK loaded");
goto out;
}
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create connection"
" context:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
if (NULL == tls_arg2) /* PSK is not set from DB */
{
/* Set up PSK global variables from a configuration file (always in agentd and a case when */
/* active proxy connects to server). Here we set it only in case of active proxy */
/* because for other programs it has already been set in zbx_tls_init_child(). */
if (0 != (zbx_get_program_type_cb() & ZBX_PROGRAM_TYPE_PROXY_ACTIVE))
{
psk_identity_for_cb = my_psk_identity;
psk_identity_len_for_cb = my_psk_identity_len;
psk_for_cb = my_psk;
psk_len_for_cb = my_psk_len;
}
}
else
{
/* PSK comes from a database (case for a server/proxy when it connects to an agent for */
/* passive checks, for a server when it connects to a passive proxy) */
if (0 == initialized)
{
if (0 >= (s->tls_ctx->psk_len = zbx_hex2bin((const unsigned char *)tls_arg2,
(unsigned char *)s->tls_ctx->psk_buf, sizeof(s->tls_ctx->psk_buf))))
{
*error = zbx_strdup(*error, "invalid PSK");
goto out;
}
s->tls_ctx->identity_len = (NULL == tls_arg1 ? 0 : strlen(tls_arg1));
}
/* some data reside in stack but it will be available at the time when a PSK client callback */
/* function copies the data into buffers provided by OpenSSL within the callback */
psk_identity_for_cb = tls_arg1; /* string is on stack */
/* NULL check to silence analyzer warning */
psk_identity_len_for_cb = s->tls_ctx->identity_len;
psk_for_cb = s->tls_ctx->psk_buf; /* buffer is on stack */
psk_len_for_cb = (size_t)s->tls_ctx->psk_len;
}
#else
*error = zbx_strdup(*error, "cannot connect with TLS and PSK: support for PSK was not compiled in");
goto out;
#endif
}
else
{
*error = zbx_strdup(*error, "invalid connection parameters");
THIS_SHOULD_NEVER_HAPPEN;
goto out1;
}
if (0 == initialized)
{
if (NULL != server_name && ZBX_TCP_SEC_UNENCRYPTED != tls_connect && 1 != SSL_set_tlsext_host_name(
s->tls_ctx->ctx, server_name))
{
zabbix_log(LOG_LEVEL_WARNING, "cannot set %s tls host name", server_name);
}
/* set our connected TCP socket to TLS context */
if (1 != SSL_set_fd(s->tls_ctx->ctx, s->socket))
{
*error = zbx_strdup(*error, "cannot set socket for TLS context");
goto out;
}
}
/* TLS handshake */
info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
while (-1 == (res = SSL_connect(s->tls_ctx->ctx)))
{
int ssl_err;
ssl_err = SSL_get_error(s->tls_ctx->ctx, res);
if (SUCCEED != tls_is_nonblocking_error(ssl_err))
break;
if (NULL != event)
{
tls_socket_event(s->tls_ctx->ctx, ssl_err, event);
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s %s", __func__, tls_error_string(ssl_err),
zbx_result_string(ret));
return FAIL;
}
if (FAIL == tls_socket_wait(s->socket, s->tls_ctx->ctx, ssl_err))
{
*error = zbx_dsprintf(*error, "cannot wait for TLS handshake: %s",
zbx_strerror_from_system(zbx_socket_last_error()));
goto out;
}
if (SUCCEED != zbx_socket_check_deadline(s))
{
*error = zbx_strdup(*error, "SSL_connect() timed out");
goto out;
}
}
if (1 != res)
{
if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
{
long verify_result;
/* In case of certificate error SSL_get_verify_result() provides more helpful diagnostics */
/* than other methods. Include it as first but continue with other diagnostics. */
if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s: ",
X509_verify_cert_error_string(verify_result));
}
}
if (FAIL == openssl_get_error(s->tls_ctx->ctx, res, "SSL_connect", &error_alloc, &error_offset, error))
goto out;
}
if (ZBX_TCP_SEC_TLS_CERT == tls_connect)
{
long verify_result;
/* log peer certificate information for debugging */
zbx_log_peer_cert(__func__, s->tls_ctx);
/* perform basic verification of peer certificate */
if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s",
X509_verify_cert_error_string(verify_result));
zbx_tls_close(s);
goto out1;
}
/* if required verify peer certificate Issuer and Subject */
if (SUCCEED != zbx_verify_issuer_subject(s->tls_ctx, tls_arg1, tls_arg2, error))
{
zbx_tls_close(s);
goto out1;
}
}
s->connection_type = tls_connect;
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s)", __func__,
SSL_get_version(s->tls_ctx->ctx), SSL_get_cipher(s->tls_ctx->ctx));
return SUCCEED;
out: /* an error occurred */
if (NULL != s->tls_ctx->ctx)
SSL_free(s->tls_ctx->ctx);
zbx_free(s->tls_ctx);
out1:
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
ZBX_NULL2EMPTY_STR(*error));
return ret;
}
/******************************************************************************
* *
* Purpose: establish a TLS connection over an accepted TCP connection *
* *
* Parameters: *
* s - [IN] socket with opened connection *
* error - [OUT] dynamically allocated memory with error message *
* tls_accept - [IN] type of connection to accept. Can be be either *
* ZBX_TCP_SEC_TLS_CERT or ZBX_TCP_SEC_TLS_PSK, or *
* a bitwise 'OR' of both. *
* *
* Return value: *
* SUCCEED - successful TLS handshake with a valid certificate or PSK *
* FAIL - an error occurred *
* *
******************************************************************************/
int zbx_tls_accept(zbx_socket_t *s, unsigned int tls_accept, char **error)
{
const char *cipher_name;
int ret = FAIL, res;
size_t error_alloc = 0, error_offset = 0;
long verify_result;
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer, or LibreSSL */
const unsigned char session_id_context[] = {'Z', 'b', 'x'};
#endif
zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __func__);
s->tls_ctx = zbx_malloc(s->tls_ctx, sizeof(zbx_tls_context_t));
s->tls_ctx->ctx = NULL;
#if defined(HAVE_OPENSSL_WITH_PSK)
incoming_connection_has_psk = 0; /* assume certificate-based connection by default */
#endif
if ((ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK) == (tls_accept & (ZBX_TCP_SEC_TLS_CERT | ZBX_TCP_SEC_TLS_PSK)))
{
#if defined(HAVE_OPENSSL_WITH_PSK)
/* common case in trapper - be ready for all types of incoming connections but possible also in */
/* agentd listener */
if (NULL != ctx_all)
{
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_all)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
" connection:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
#else
if (0 != (zbx_get_program_type_cb() & (ZBX_PROGRAM_TYPE_PROXY | ZBX_PROGRAM_TYPE_SERVER)))
{
/* server or proxy running with OpenSSL or LibreSSL without PSK support */
if (NULL != ctx_cert)
{
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context"
" to accept connection:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
else
{
*error = zbx_strdup(*error, "not ready for certificate-based incoming connection:"
" certificate not loaded. PSK support not compiled in.");
goto out;
}
}
#endif
else if (0 != (zbx_get_program_type_cb() & ZBX_PROGRAM_TYPE_AGENTD))
{
THIS_SHOULD_NEVER_HAPPEN;
goto out;
}
#if defined(HAVE_OPENSSL_WITH_PSK)
else if (NULL != ctx_psk)
{
/* Server or proxy with no certificate configured. PSK is always assumed to be configured on */
/* server or proxy because PSK can come from database. */
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
" connection:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
else
{
THIS_SHOULD_NEVER_HAPPEN;
goto out;
}
#endif
}
else if (0 != (tls_accept & ZBX_TCP_SEC_TLS_CERT))
{
if (NULL != ctx_cert)
{
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_cert)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
" connection:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
else
{
*error = zbx_strdup(*error, "not ready for certificate-based incoming connection: certificate"
" not loaded");
goto out;
}
}
else /* PSK */
{
#if defined(HAVE_OPENSSL_WITH_PSK)
if (NULL != ctx_psk)
{
if (NULL == (s->tls_ctx->ctx = SSL_new(ctx_psk)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "cannot create context to accept"
" connection:");
zbx_tls_error_msg(error, &error_alloc, &error_offset);
goto out;
}
}
else
{
*error = zbx_strdup(*error, "not ready for PSK-based incoming connection: PSK not loaded");
goto out;
}
#else
*error = zbx_strdup(*error, "support for PSK was not compiled in");
goto out;
#endif
}
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL /* OpenSSL 1.1.1 or newer, or LibreSSL */
if (1 != SSL_set_session_id_context(s->tls_ctx->ctx, session_id_context, sizeof(session_id_context)))
{
*error = zbx_strdup(*error, "cannot set session_id_context");
goto out;
}
#endif
if (1 != SSL_set_fd(s->tls_ctx->ctx, s->socket))
{
*error = zbx_strdup(*error, "cannot set socket for TLS context");
goto out;
}
/* TLS handshake */
info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
while (-1 == (res = SSL_accept(s->tls_ctx->ctx)))
{
int ssl_err;
ssl_err = SSL_get_error(s->tls_ctx->ctx, res);
if (SSL_ERROR_WANT_READ != ssl_err && SSL_ERROR_WANT_WRITE != ssl_err)
break;
if (FAIL == tls_socket_wait(s->socket, s->tls_ctx->ctx, ssl_err))
{
*error = zbx_dsprintf(*error, "cannot wait for TLS handshake: %s",
zbx_strerror_from_system(zbx_socket_last_error()));
goto out;
}
if (SUCCEED != zbx_socket_check_deadline(s))
{
*error = zbx_strdup(*error, "SSL_accept() timed out");
goto out;
}
}
if (1 != res)
{
int result_code;
/* In case of certificate error SSL_get_verify_result() provides more helpful diagnostics */
/* than other methods. Include it as first but continue with other diagnostics. Should be */
/* harmless in case of PSK. */
if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s: ",
X509_verify_cert_error_string(verify_result));
}
result_code = SSL_get_error(s->tls_ctx->ctx, res);
if (0 == res)
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "TLS connection has been closed during"
" handshake:");
}
else
{
if (SSL_ERROR_SYSCALL == result_code && 0 != errno)
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "TLS handshake set result code"
" to %d (SSL_ERROR_SYSCALL):%s:", result_code, zbx_strerror(errno));
}
else
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "TLS handshake set result code"
" to %d:", result_code);
}
}
zbx_tls_error_msg(error, &error_alloc, &error_offset);
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s", info_buf);
goto out;
}
/* Is this TLS connection using certificate or PSK? */
cipher_name = SSL_get_cipher(s->tls_ctx->ctx);
#if defined(HAVE_OPENSSL_WITH_PSK)
if (1 == incoming_connection_has_psk)
{
s->connection_type = ZBX_TCP_SEC_TLS_PSK;
}
else if (0 != strncmp("(NONE)", cipher_name, ZBX_CONST_STRLEN("(NONE)")))
#endif
{
s->connection_type = ZBX_TCP_SEC_TLS_CERT;
/* log peer certificate information for debugging */
zbx_log_peer_cert(__func__, s->tls_ctx);
/* perform basic verification of peer certificate */
if (X509_V_OK != (verify_result = SSL_get_verify_result(s->tls_ctx->ctx)))
{
zbx_snprintf_alloc(error, &error_alloc, &error_offset, "%s",
X509_verify_cert_error_string(verify_result));
zbx_tls_close(s);
goto out1;
}
/* Issuer and Subject will be verified later, after receiving sender type and host name */
}
#if defined(HAVE_OPENSSL_WITH_PSK)
else
{
THIS_SHOULD_NEVER_HAPPEN;
zbx_tls_close(s);
return FAIL;
}
#endif
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():SUCCEED (established %s %s)", __func__,
SSL_get_version(s->tls_ctx->ctx), cipher_name);
return SUCCEED;
out: /* an error occurred */
if (NULL != s->tls_ctx->ctx)
SSL_free(s->tls_ctx->ctx);
zbx_free(s->tls_ctx);
out1:
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s error:'%s'", __func__, zbx_result_string(ret),
ZBX_NULL2EMPTY_STR(*error));
return ret;
}
/* SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE should not be returned here because we set */
/* SSL_MODE_AUTO_RETRY flag in zbx_tls_init_child() */
ssize_t zbx_tls_write(zbx_socket_t *s, const char *buf, size_t len, short *event, char **error)
{
ssize_t offset = 0;
int n;
info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
while (1)
{
if (0 == (n = SSL_write(s->tls_ctx->ctx, buf + offset, (int)(len - (size_t)offset))))
break;
if (0 > n)
{
ssize_t err;
err = (size_t)SSL_get_error(s->tls_ctx->ctx, n);
if (SUCCEED != tls_is_nonblocking_error(err))
break;
if (NULL != event)
{
tls_socket_event(s->tls_ctx->ctx, err, event);
return offset;
}
if (FAIL == tls_socket_wait(s->socket, s->tls_ctx->ctx, err))
{
*error = zbx_dsprintf(*error, "cannot wait socket: %s",
zbx_strerror_from_system(zbx_socket_last_error()));
return ZBX_PROTO_ERROR;
}
}
else
{
offset += n;
if (offset == (ssize_t)len)
break;
}
if (SUCCEED != zbx_socket_check_deadline(s))
{
*error = zbx_strdup(*error, "write timeout");
return ZBX_PROTO_ERROR;
}
}
if (0 >= n)
{
size_t error_alloc = 0, error_offset = 0;
if (SUCCEED == openssl_get_error(s->tls_ctx->ctx, n, "SSL_write", &error_alloc,
&error_offset, error))
{
*error = zbx_strdup(*error, "SSL_write() unexpected result code");
}
return ZBX_PROTO_ERROR;
}
return offset;
}
ssize_t zbx_tls_read(zbx_socket_t *s, char *buf, size_t len, short *events, char **error)
{
int n = 0;
ssize_t err;
info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
while (1)
{
if (0 <= (n = SSL_read(s->tls_ctx->ctx, buf, (int)len)))
break;
err = (size_t)SSL_get_error(s->tls_ctx->ctx, n);
if (SUCCEED != tls_is_nonblocking_error(err))
break;
if (NULL != events)
{
tls_socket_event(s->tls_ctx->ctx, err, events);
return ZBX_PROTO_ERROR;
}
if (FAIL == tls_socket_wait(s->socket, s->tls_ctx->ctx, err))
{
*error = zbx_dsprintf(*error, "cannot wait socket: %s",
zbx_strerror_from_system(zbx_socket_last_error()));
return ZBX_PROTO_ERROR;
}
if (SUCCEED != zbx_socket_check_deadline(s))
{
*error = zbx_strdup(*error, "read timeout");
return ZBX_PROTO_ERROR;
}
}
if (0 == n)
{
if (SSL_ERROR_ZERO_RETURN != SSL_get_error(s->tls_ctx->ctx, (int)n))
{
size_t error_alloc = 0, error_offset = 0;
if (SUCCEED == openssl_get_error(s->tls_ctx->ctx, n, "SSL_read", &error_alloc,
&error_offset, error))
{
*error = zbx_strdup(*error, "SSL_read() unexpected result code");
}
return ZBX_PROTO_ERROR;
}
return n;
}
if (0 > n)
{
size_t error_alloc = 0, error_offset = 0;
if (SUCCEED == openssl_get_error(s->tls_ctx->ctx, n, "SSL_read", &error_alloc,
&error_offset, error))
{
*error = zbx_strdup(*error, "SSL_read() unexpected result code");
}
return ZBX_PROTO_ERROR;
}
return n;
}
/******************************************************************************
* *
* Purpose: close a TLS connection before closing a TCP socket *
* *
******************************************************************************/
void zbx_tls_close(zbx_socket_t *s)
{
int res;
if (NULL == s->tls_ctx)
return;
zbx_socket_set_deadline(s, s->timeout);
if (NULL != s->tls_ctx->ctx)
{
info_buf[0] = '\0'; /* empty buffer for zbx_openssl_info_cb() messages */
/* After TLS shutdown the TCP connection will be closed. So, there is no need to do a bidirectional */
/* TLS shutdown - unidirectional shutdown is ok. */
if (0 == SSL_in_init(s->tls_ctx->ctx) &&
0 == (SSL_get_shutdown(s->tls_ctx->ctx) & SSL_RECEIVED_SHUTDOWN))
{
while (0 > (res = SSL_shutdown(s->tls_ctx->ctx)))
{
int err = SSL_get_error(s->tls_ctx->ctx, res);
if (SUCCEED != tls_is_nonblocking_error(err))
{
int result_code;
char *error = NULL;
size_t error_alloc = 0, error_offset = 0;
result_code = SSL_get_error(s->tls_ctx->ctx, res);
zbx_tls_error_msg(&error, &error_alloc, &error_offset);
if (SSL_ERROR_SYSCALL == result_code && 0 != errno)
{
zabbix_log(LOG_LEVEL_WARNING, "SSL_shutdown() with %s set result code"
" to %d (SSL_ERROR_SYSCALL):%s%s%s", s->peer,
result_code, ZBX_NULL2EMPTY_STR(error), info_buf,
zbx_strerror(errno));
}
else
{
zabbix_log(LOG_LEVEL_WARNING, "SSL_shutdown() with %s set result code"
" to %d:%s%s", s->peer, result_code,
ZBX_NULL2EMPTY_STR(error), info_buf);
}
zbx_free(error);
break;
}
if (FAIL == tls_socket_wait(s->socket, s->tls_ctx->ctx, err))
{
zabbix_log(LOG_LEVEL_WARNING, "cannot wait socket: %s",
zbx_strerror_from_system(zbx_socket_last_error()));
break;
}
if (SUCCEED != zbx_socket_check_deadline(s))
{
zabbix_log(LOG_LEVEL_DEBUG, "timeout while closing tls connection");
break;
}
}
}
SSL_free(s->tls_ctx->ctx);
}
zbx_free(s->tls_ctx);
}
/******************************************************************************
* *
* Purpose: get certificate attributes from the context of established *
* connection *
* *
******************************************************************************/
int zbx_tls_get_attr_cert(const zbx_socket_t *s, zbx_tls_conn_attr_t *attr)
{
char *error = NULL;
X509 *peer_cert;
if (NULL == (peer_cert = SSL_get_peer_certificate(s->tls_ctx->ctx)))
{
zabbix_log(LOG_LEVEL_WARNING, "no peer certificate, SSL_get_peer_certificate() returned NULL");
return FAIL;
}
if (SUCCEED != zbx_x509_dn_gets(X509_get_issuer_name(peer_cert), attr->issuer, sizeof(attr->issuer), &error))
{
zabbix_log(LOG_LEVEL_WARNING, "error while getting issuer name: \"%s\"", error);
zbx_free(error);
X509_free(peer_cert);
return FAIL;
}
if (SUCCEED != zbx_x509_dn_gets(X509_get_subject_name(peer_cert), attr->subject, sizeof(attr->subject), &error))
{
zabbix_log(LOG_LEVEL_WARNING, "error while getting subject name: \"%s\"", error);
zbx_free(error);
X509_free(peer_cert);
return FAIL;
}
X509_free(peer_cert);
return SUCCEED;
}
/******************************************************************************
* *
* Purpose: get PSK attributes from the context of established connection *
* *
* Comments: *
* This function can be used only on server-side of TLS connection. *
* GnuTLS makes it asymmetric - see documentation for *
* gnutls_psk_server_get_username() and gnutls_psk_client_get_hint() *
* (the latter function is not used in Zabbix). *
* Implementation for OpenSSL is server-side only, too. *
* *
******************************************************************************/
#if defined(HAVE_OPENSSL_WITH_PSK)
int zbx_tls_get_attr_psk(const zbx_socket_t *s, zbx_tls_conn_attr_t *attr)
{
ZBX_UNUSED(s);
/* SSL_get_psk_identity() is not used here. It works with TLS 1.2, */
/* but returns NULL with TLS 1.3 in OpenSSL 1.1.1 */
if ('\0' == incoming_connection_psk_id[0])
return FAIL;
attr->psk_identity = incoming_connection_psk_id;
attr->psk_identity_len = strlen(attr->psk_identity);
return SUCCEED;
}
#endif
/******************************************************************************
* *
* Purpose: get PSK attributes or certificate attributes from the context of *
* established connection *
* *
* Comments: *
* This function can be used only on server-side of TLS connection. *
* GnuTLS makes it asymmetric - see documentation for *
* gnutls_psk_server_get_username() and gnutls_psk_client_get_hint() *
* (the latter function is not used in Zabbix). *
* Implementation for OpenSSL is server-side only, too. *
* *
******************************************************************************/
int zbx_tls_get_attr(const zbx_socket_t *sock, zbx_tls_conn_attr_t *attr, char **error)
{
if (ZBX_TCP_SEC_TLS_CERT == sock->connection_type)
{
if (SUCCEED != zbx_tls_get_attr_cert(sock, attr))
{
*error = zbx_strdup(*error, "internal error: cannot get connection attributes");
THIS_SHOULD_NEVER_HAPPEN;
return FAIL;
}
}
#if defined(HAVE_OPENSSL_WITH_PSK)
else if (ZBX_TCP_SEC_TLS_PSK == sock->connection_type)
{
if (SUCCEED != zbx_tls_get_attr_psk(sock, attr))
{
*error = zbx_strdup(*error, "internal error: cannot get connection attributes");
THIS_SHOULD_NEVER_HAPPEN;
return FAIL;
}
}
#endif
else if (ZBX_TCP_SEC_UNENCRYPTED != sock->connection_type)
{
*error = zbx_strdup(*error, "internal error: invalid connection type");
THIS_SHOULD_NEVER_HAPPEN;
return FAIL;
}
attr->connection_type = sock->connection_type;
return SUCCEED;
}
/******************************************************************************
* *
* Purpose: validate PSK attributes or certificate attributes from the *
* context of established connection *
* *
******************************************************************************/
int zbx_tls_validate_attr(const zbx_tls_conn_attr_t *attr, const char *tls_issuer, const char *tls_subject,
const char *tls_psk_identity, const char **msg)
{
if (ZBX_TCP_SEC_TLS_CERT == attr->connection_type)
{
/* simplified match, not compliant with RFC 4517, 4518 */
if ('\0' != *tls_issuer && 0 != strcmp(tls_issuer, attr->issuer))
{
*msg = "certificate issuer does not match";
return FAIL;
}
/* simplified match, not compliant with RFC 4517, 4518 */
if ('\0' != *tls_subject && 0 != strcmp(tls_subject, attr->subject))
{
*msg = "certificate subject does not match";
return FAIL;
}
}
#if defined(HAVE_OPENSSL_WITH_PSK)
else if (ZBX_TCP_SEC_TLS_PSK == attr->connection_type)
{
if (NULL != tls_psk_identity)
{
if (strlen(tls_psk_identity) != attr->psk_identity_len ||
0 != memcmp(tls_psk_identity, attr->psk_identity,
attr->psk_identity_len))
{
*msg = "false PSK identity";
return FAIL;
}
}
else
{
*msg = "missing PSK";
return FAIL;
}
}
#endif
return SUCCEED;
}
#if defined(_WINDOWS)
/******************************************************************************
* *
* Purpose: pass some TLS variables from one thread to other *
* *
* Comments: used in Zabbix sender on MS Windows *
* *
******************************************************************************/
void zbx_tls_pass_vars(ZBX_THREAD_SENDVAL_TLS_ARGS *args)
{
args->ctx_cert = ctx_cert;
#if defined(HAVE_OPENSSL_WITH_PSK)
args->ctx_psk = ctx_psk;
args->psk_identity_for_cb = psk_identity_for_cb;
args->psk_identity_len_for_cb = psk_identity_len_for_cb;
args->psk_for_cb = psk_for_cb;
args->psk_len_for_cb = psk_len_for_cb;
#endif
}
/******************************************************************************
* *
* Purpose: pass some TLS variables from one thread to other *
* *
* Comments: used in Zabbix sender on MS Windows *
* *
******************************************************************************/
void zbx_tls_take_vars(ZBX_THREAD_SENDVAL_TLS_ARGS *args)
{
ctx_cert = args->ctx_cert;
#if defined(HAVE_OPENSSL_WITH_PSK)
ctx_psk = args->ctx_psk;
psk_identity_for_cb = args->psk_identity_for_cb;
psk_identity_len_for_cb = args->psk_identity_len_for_cb;
psk_for_cb = args->psk_for_cb;
psk_len_for_cb = args->psk_len_for_cb;
#endif
}
#endif
unsigned int zbx_tls_get_psk_usage(void)
{
return psk_usage;
}
/******************************************************************************
* *
* Purpose: TLS cleanup for using in signal handlers *
* *
******************************************************************************/
void zbx_tls_free_on_signal(void)
{
if (NULL != my_psk)
zbx_guaranteed_memset(my_psk, 0, my_psk_len);
}