diff options
Diffstat (limited to '')
-rw-r--r-- | libnetdata/socket/security.c | 562 | ||||
-rw-r--r-- | libnetdata/socket/security.h | 63 | ||||
-rw-r--r-- | libnetdata/socket/socket.c | 115 | ||||
-rw-r--r-- | libnetdata/socket/socket.h | 24 |
4 files changed, 568 insertions, 196 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c index 7c5092150..d1181ad5f 100644 --- a/libnetdata/socket/security.c +++ b/libnetdata/socket/security.c @@ -3,13 +3,389 @@ #ifdef ENABLE_HTTPS SSL_CTX *netdata_ssl_exporting_ctx =NULL; -SSL_CTX *netdata_ssl_client_ctx =NULL; -SSL_CTX *netdata_ssl_srv_ctx =NULL; +SSL_CTX *netdata_ssl_streaming_sender_ctx =NULL; +SSL_CTX *netdata_ssl_web_server_ctx =NULL; const char *netdata_ssl_security_key =NULL; const char *netdata_ssl_security_cert =NULL; const char *tls_version=NULL; const char *tls_ciphers=NULL; -int netdata_ssl_validate_server = NETDATA_SSL_VALID_CERTIFICATE; +bool netdata_ssl_validate_certificate = true; +bool netdata_ssl_validate_certificate_sender = true; + +static SOCKET_PEERS netdata_ssl_peers(NETDATA_SSL *ssl) { + int sock_fd; + + if(unlikely(!ssl->conn)) + sock_fd = -1; + else + sock_fd = SSL_get_rfd(ssl->conn); + + return socket_peers(sock_fd); +} + +bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) { + errno = 0; + ssl->ssl_errno = 0; + + if(ssl->conn) { + if(!ctx || SSL_get_SSL_CTX(ssl->conn) != ctx) { + SSL_free(ssl->conn); + ssl->conn = NULL; + } + else if (SSL_clear(ssl->conn) == 0) { + netdata_ssl_log_error_queue("SSL_clear", ssl); + SSL_free(ssl->conn); + ssl->conn = NULL; + } + } + + if(!ssl->conn) { + if(!ctx) { + internal_error(true, "SSL: not CTX given"); + ssl->state = NETDATA_SSL_STATE_FAILED; + return false; + } + + ssl->conn = SSL_new(ctx); + if (!ssl->conn) { + netdata_ssl_log_error_queue("SSL_new", ssl); + ssl->state = NETDATA_SSL_STATE_FAILED; + return false; + } + } + + if(SSL_set_fd(ssl->conn, fd) != 1) { + netdata_ssl_log_error_queue("SSL_set_fd", ssl); + ssl->state = NETDATA_SSL_STATE_FAILED; + return false; + } + + ssl->state = NETDATA_SSL_STATE_INIT; + + ERR_clear_error(); + + return true; +} + +void netdata_ssl_close(NETDATA_SSL *ssl) { + errno = 0; + ssl->ssl_errno = 0; + + if(ssl->conn) { + if(SSL_connection(ssl)) { + int ret = SSL_shutdown(ssl->conn); + if(ret == 0) + SSL_shutdown(ssl->conn); + } + + SSL_free(ssl->conn); + + ERR_clear_error(); + } + + *ssl = NETDATA_SSL_UNSET_CONNECTION; +} + +void netdata_ssl_log_error_queue(const char *call, NETDATA_SSL *ssl) { + error_limit_static_thread_var(erl, 1, 0); + unsigned long err; + while((err = ERR_get_error())) { + char *code; + + switch (err) { + case SSL_ERROR_NONE: + code = "SSL_ERROR_NONE"; + break; + + case SSL_ERROR_SSL: + code = "SSL_ERROR_SSL"; + ssl->state = NETDATA_SSL_STATE_FAILED; + break; + + case SSL_ERROR_WANT_READ: + code = "SSL_ERROR_WANT_READ"; + break; + + case SSL_ERROR_WANT_WRITE: + code = "SSL_ERROR_WANT_WRITE"; + break; + + case SSL_ERROR_WANT_X509_LOOKUP: + code = "SSL_ERROR_WANT_X509_LOOKUP"; + break; + + case SSL_ERROR_SYSCALL: + code = "SSL_ERROR_SYSCALL"; + ssl->state = NETDATA_SSL_STATE_FAILED; + break; + + case SSL_ERROR_ZERO_RETURN: + code = "SSL_ERROR_ZERO_RETURN"; + break; + + case SSL_ERROR_WANT_CONNECT: + code = "SSL_ERROR_WANT_CONNECT"; + break; + + case SSL_ERROR_WANT_ACCEPT: + code = "SSL_ERROR_WANT_ACCEPT"; + break; + +#ifdef SSL_ERROR_WANT_ASYNC + case SSL_ERROR_WANT_ASYNC: + code = "SSL_ERROR_WANT_ASYNC"; + break; +#endif + +#ifdef SSL_ERROR_WANT_ASYNC_JOB + case SSL_ERROR_WANT_ASYNC_JOB: + code = "SSL_ERROR_WANT_ASYNC_JOB"; + break; +#endif + +#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB + case SSL_ERROR_WANT_CLIENT_HELLO_CB: + code = "SSL_ERROR_WANT_CLIENT_HELLO_CB"; + break; +#endif + +#ifdef SSL_ERROR_WANT_RETRY_VERIFY + case SSL_ERROR_WANT_RETRY_VERIFY: + code = "SSL_ERROR_WANT_RETRY_VERIFY"; + break; +#endif + + default: + code = "SSL_ERROR_UNKNOWN"; + break; + } + + char str[1024 + 1]; + ERR_error_string_n(err, str, 1024); + str[1024] = '\0'; + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: %s() on socket local [[%s]:%d] <-> remote [[%s]:%d], returned error %lu (%s): %s", + call, peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, err, code, str); + } +} + +static inline bool is_handshake_complete(NETDATA_SSL *ssl, const char *op) { + error_limit_static_thread_var(erl, 1, 0); + + if(unlikely(!ssl->conn)) { + internal_error(true, "SSL: trying to %s on a NULL connection", op); + return false; + } + + switch(ssl->state) { + case NETDATA_SSL_STATE_NOT_SSL: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + + case NETDATA_SSL_STATE_INIT: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an incomplete connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + + case NETDATA_SSL_STATE_FAILED: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + + case NETDATA_SSL_STATE_COMPLETE: { + return true; + } + } + + return false; +} + +/* + * netdata_ssl_read() should return the same as read(): + * + * Positive value: The read() function succeeded and read some bytes. The exact number of bytes read is returned. + * + * Zero: For files and sockets, a return value of zero signifies end-of-file (EOF), meaning no more data is available + * for reading. For sockets, this usually means the other side has closed the connection. + * + * -1: An error occurred. The specific error can be found by examining the errno variable. + * EAGAIN or EWOULDBLOCK: The file descriptor is in non-blocking mode, and the read operation would block. + * (These are often the same value, but can be different on some systems.) + */ + +ssize_t netdata_ssl_read(NETDATA_SSL *ssl, void *buf, size_t num) { + errno = 0; + ssl->ssl_errno = 0; + + if(unlikely(!is_handshake_complete(ssl, "read"))) + return -1; + + int bytes = SSL_read(ssl->conn, buf, (int)num); + + if(unlikely(bytes <= 0)) { + int err = SSL_get_error(ssl->conn, bytes); + netdata_ssl_log_error_queue("SSL_read", ssl); + if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { + ssl->ssl_errno = err; + errno = EWOULDBLOCK; + } + + bytes = -1; // according to read() or recv() + } + + return bytes; +} + +/* + * netdata_ssl_write() should return the same as write(): + * + * Positive value: The write() function succeeded and wrote some bytes. The exact number of bytes written is returned. + * + * Zero: It's technically possible for write() to return zero, indicating that zero bytes were written. However, for a + * socket, this generally does not happen unless the size of the data to be written is zero. + * + * -1: An error occurred. The specific error can be found by examining the errno variable. + * EAGAIN or EWOULDBLOCK: The file descriptor is in non-blocking mode, and the write operation would block. + * (These are often the same value, but can be different on some systems.) + */ + +ssize_t netdata_ssl_write(NETDATA_SSL *ssl, const void *buf, size_t num) { + errno = 0; + ssl->ssl_errno = 0; + + if(unlikely(!is_handshake_complete(ssl, "write"))) + return -1; + + int bytes = SSL_write(ssl->conn, (uint8_t *)buf, (int)num); + + if(unlikely(bytes <= 0)) { + int err = SSL_get_error(ssl->conn, bytes); + netdata_ssl_log_error_queue("SSL_write", ssl); + if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { + ssl->ssl_errno = err; + errno = EWOULDBLOCK; + } + + bytes = -1; // according to write() or send() + } + + return bytes; +} + +static inline bool is_handshake_initialized(NETDATA_SSL *ssl, const char *op) { + error_limit_static_thread_var(erl, 1, 0); + + if(unlikely(!ssl->conn)) { + internal_error(true, "SSL: trying to %s on a NULL connection", op); + return false; + } + + switch(ssl->state) { + case NETDATA_SSL_STATE_NOT_SSL: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + + case NETDATA_SSL_STATE_INIT: { + return true; + } + + case NETDATA_SSL_STATE_FAILED: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + + case NETDATA_SSL_STATE_COMPLETE: { + SOCKET_PEERS peers = netdata_ssl_peers(ssl); + error_limit(&erl, "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an complete connection", + peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); + return false; + } + } + + return false; +} + +#define WANT_READ_WRITE_TIMEOUT_MS 10 + +static inline bool want_read_write_should_retry(NETDATA_SSL *ssl, int err) { + int ssl_errno = SSL_get_error(ssl->conn, err); + if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_WANT_WRITE) { + struct pollfd pfds[1] = { [0] = { + .fd = SSL_get_rfd(ssl->conn), + .events = (short)(((ssl_errno == SSL_ERROR_WANT_READ ) ? POLLIN : 0) | + ((ssl_errno == SSL_ERROR_WANT_WRITE) ? POLLOUT : 0)), + }}; + + if(poll(pfds, 1, WANT_READ_WRITE_TIMEOUT_MS) <= 0) + return false; // timeout (0) or error (<0) + + return true; // we have activity, so we should retry + } + + return false; // an unknown error +} + +bool netdata_ssl_connect(NETDATA_SSL *ssl) { + errno = 0; + ssl->ssl_errno = 0; + + if(unlikely(!is_handshake_initialized(ssl, "connect"))) + return false; + + SSL_set_connect_state(ssl->conn); + + int err; + while ((err = SSL_connect(ssl->conn)) != 1) { + if(!want_read_write_should_retry(ssl, err)) + break; + } + + if (err != 1) { + netdata_ssl_log_error_queue("SSL_connect", ssl); + ssl->state = NETDATA_SSL_STATE_FAILED; + return false; + } + + ssl->state = NETDATA_SSL_STATE_COMPLETE; + return true; +} + +bool netdata_ssl_accept(NETDATA_SSL *ssl) { + errno = 0; + ssl->ssl_errno = 0; + + if(unlikely(!is_handshake_initialized(ssl, "accept"))) + return false; + + SSL_set_accept_state(ssl->conn); + + int err; + while ((err = SSL_accept(ssl->conn)) != 1) { + if(!want_read_write_should_retry(ssl, err)) + break; + } + + if (err != 1) { + netdata_ssl_log_error_queue("SSL_accept", ssl); + ssl->state = NETDATA_SSL_STATE_FAILED; + return false; + } + + ssl->state = NETDATA_SSL_STATE_COMPLETE; + return true; +} /** * Info Callback @@ -20,7 +396,7 @@ int netdata_ssl_validate_server = NETDATA_SSL_VALID_CERTIFICATE; * @param where the variable with the flags set. * @param ret the return of the caller */ -static void security_info_callback(const SSL *ssl, int where, int ret __maybe_unused) { +static void netdata_ssl_info_callback(const SSL *ssl, int where, int ret __maybe_unused) { (void)ssl; if (where & SSL_CB_ALERT) { debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", SSL_alert_type_string(ret), SSL_alert_desc_string_long(ret)); @@ -32,8 +408,8 @@ static void security_info_callback(const SSL *ssl, int where, int ret __maybe_un * * Starts the openssl library for the Netdata. */ -void security_openssl_library() -{ +void netdata_ssl_initialize_openssl() { + #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 # if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) OPENSSL_config(NULL); @@ -42,10 +418,13 @@ void security_openssl_library() SSL_load_error_strings(); SSL_library_init(); + #else + if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) { error("SSL library cannot be initialized."); } + #endif } @@ -59,7 +438,7 @@ void security_openssl_library() * * @return it returns the version number. */ -int tls_select_version(const char *lversion) { +static int netdata_ssl_select_tls_version(const char *lversion) { if (!strcmp(lversion, "1") || !strcmp(lversion, "1.0")) return TLS1_VERSION; else if (!strcmp(lversion, "1.1")) @@ -80,43 +459,13 @@ int tls_select_version(const char *lversion) { #endif /** - * OpenSSL common options - * - * Clients and SERVER have common options, this function is responsible to set them in the context. - * - * @param ctx the initialized SSL context. - * @param side 0 means server, and 1 client. - */ -void security_openssl_common_options(SSL_CTX *ctx, int side) { -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110 - if (!side) { - int version = tls_select_version(tls_version) ; -#endif -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); -#else - SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); - SSL_CTX_set_max_proto_version(ctx, version); - - if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) { - if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { - error("SSL error. cannot set the cipher list"); - } - } - } -#endif - - SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); -} - -/** * Initialize Openssl Client * * Starts the client context with TLS 1.2. * * @return It returns the context on success or NULL otherwise */ -SSL_CTX * security_initialize_openssl_client() { +SSL_CTX * netdata_ssl_create_client_ctx(unsigned long mode) { SSL_CTX *ctx; #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ctx = SSL_CTX_new(SSLv23_client_method()); @@ -138,6 +487,9 @@ SSL_CTX * security_initialize_openssl_client() { #endif } + if(mode) + SSL_CTX_set_mode(ctx, mode); + return ctx; } @@ -148,7 +500,7 @@ SSL_CTX * security_initialize_openssl_client() { * * @return It returns the context on success or NULL otherwise */ -static SSL_CTX * security_initialize_openssl_server() { +static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { SSL_CTX *ctx; char lerror[512]; static int netdata_id_context = 1; @@ -171,7 +523,19 @@ static SSL_CTX * security_initialize_openssl_server() { SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert); #endif - security_openssl_common_options(ctx, 0); + +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); +#else + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + SSL_CTX_set_max_proto_version(ctx, netdata_ssl_select_tls_version(tls_version)); + + if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) { + if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { + error("SSL error. cannot set the cipher list"); + } + } +#endif SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM); @@ -183,13 +547,15 @@ static SSL_CTX * security_initialize_openssl_server() { } SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context)); - SSL_CTX_set_info_callback(ctx,security_info_callback); + SSL_CTX_set_info_callback(ctx, netdata_ssl_info_callback); #if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095) SSL_CTX_set_verify_depth(ctx,1); #endif debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n"); + SSL_CTX_set_mode(ctx, mode); + return ctx; } @@ -203,39 +569,54 @@ static SSL_CTX * security_initialize_openssl_server() { * NETDATA_SSL_CONTEXT_STREAMING - Starts the streaming context. * NETDATA_SSL_CONTEXT_EXPORTING - Starts the OpenTSDB context */ -void security_start_ssl(int selector) { +void netdata_ssl_initialize_ctx(int selector) { static SPINLOCK sp = NETDATA_SPINLOCK_INITIALIZER; netdata_spinlock_lock(&sp); switch (selector) { - case NETDATA_SSL_CONTEXT_SERVER: { - if(!netdata_ssl_srv_ctx) { + case NETDATA_SSL_WEB_SERVER_CTX: { + if(!netdata_ssl_web_server_ctx) { struct stat statbuf; if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n"); else { - netdata_ssl_srv_ctx = security_initialize_openssl_server(); - SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + netdata_ssl_web_server_ctx = netdata_ssl_create_server_ctx( + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + // SSL_MODE_AUTO_RETRY | + 0); + + if(netdata_ssl_web_server_ctx && !netdata_ssl_validate_certificate) + SSL_CTX_set_verify(netdata_ssl_web_server_ctx, SSL_VERIFY_NONE, NULL); } } break; } - case NETDATA_SSL_CONTEXT_STREAMING: { - if(!netdata_ssl_client_ctx) { - netdata_ssl_client_ctx = security_initialize_openssl_client(); + case NETDATA_SSL_STREAMING_SENDER_CTX: { + if(!netdata_ssl_streaming_sender_ctx) { //This is necessary for the stream, because it is working sometimes with nonblock socket. //It returns the bitmask after to change, there is not any description of errors in the documentation - SSL_CTX_set_mode(netdata_ssl_client_ctx, - SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | - SSL_MODE_AUTO_RETRY); + netdata_ssl_streaming_sender_ctx = netdata_ssl_create_client_ctx( + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + // SSL_MODE_AUTO_RETRY | + 0 + ); + + if(netdata_ssl_streaming_sender_ctx && !netdata_ssl_validate_certificate_sender) + SSL_CTX_set_verify(netdata_ssl_streaming_sender_ctx, SSL_VERIFY_NONE, NULL); } break; } - case NETDATA_SSL_CONTEXT_EXPORTING: { - if(!netdata_ssl_exporting_ctx) - netdata_ssl_exporting_ctx = security_initialize_openssl_client(); + case NETDATA_SSL_EXPORTING_CTX: { + if(!netdata_ssl_exporting_ctx) { + netdata_ssl_exporting_ctx = netdata_ssl_create_client_ctx(0); + + if(netdata_ssl_exporting_ctx && !netdata_ssl_validate_certificate) + SSL_CTX_set_verify(netdata_ssl_exporting_ctx, SSL_VERIFY_NONE, NULL); + } break; } } @@ -248,18 +629,21 @@ void security_start_ssl(int selector) { * * Clean all the allocated contexts from netdata. */ -void security_clean_openssl() +void netdata_ssl_cleanup() { - if (netdata_ssl_srv_ctx) { - SSL_CTX_free(netdata_ssl_srv_ctx); + if (netdata_ssl_web_server_ctx) { + SSL_CTX_free(netdata_ssl_web_server_ctx); + netdata_ssl_web_server_ctx = NULL; } - if (netdata_ssl_client_ctx) { - SSL_CTX_free(netdata_ssl_client_ctx); + if (netdata_ssl_streaming_sender_ctx) { + SSL_CTX_free(netdata_ssl_streaming_sender_ctx); + netdata_ssl_streaming_sender_ctx = NULL; } if (netdata_ssl_exporting_ctx) { SSL_CTX_free(netdata_ssl_exporting_ctx); + netdata_ssl_exporting_ctx = NULL; } #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 @@ -268,64 +652,6 @@ void security_clean_openssl() } /** - * Process accept - * - * Process the SSL handshake with the client case it is necessary. - * - * @param ssl is a pointer for the SSL structure - * @param msg is a copy of the first 8 bytes of the initial message received - * - * @return it returns 0 case it performs the handshake, 8 case it is clean connection - * and another integer power of 2 otherwise. - */ -int security_process_accept(SSL *ssl,int msg) { - int sock = SSL_get_fd(ssl); - int test; - if (msg > 0x17) - { - return NETDATA_SSL_NO_HANDSHAKE; - } - - ERR_clear_error(); - if ((test = SSL_accept(ssl)) <= 0) { - int sslerrno = SSL_get_error(ssl, test); - switch(sslerrno) { - case SSL_ERROR_WANT_READ: - { - error("SSL handshake did not finish and it wanna read on socket %d!", sock); - return NETDATA_SSL_WANT_READ; - } - case SSL_ERROR_WANT_WRITE: - { - error("SSL handshake did not finish and it wanna read on socket %d!", sock); - return NETDATA_SSL_WANT_WRITE; - } - case SSL_ERROR_NONE: - case SSL_ERROR_SSL: - case SSL_ERROR_SYSCALL: - default: - { - u_long err; - char buf[256]; - int counter = 0; - while ((err = ERR_get_error()) != 0) { - ERR_error_string_n(err, buf, sizeof(buf)); - error("%d SSL Handshake error (%s) on socket %d", counter++, ERR_error_string((long)SSL_get_error(ssl, test), NULL), sock); - } - return NETDATA_SSL_NO_HANDSHAKE; - } - } - } - - if (SSL_is_init_finished(ssl)) - { - debug(D_WEB_CLIENT_ACCESS,"SSL Handshake finished %s errno %d on socket fd %d", ERR_error_string((long)SSL_get_error(ssl, test), NULL), errno, sock); - } - - return NETDATA_SSL_HANDSHAKE_COMPLETE; -} - -/** * Test Certificate * * Check the certificate of Netdata parent diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h index ae7c595e3..c83b60ad1 100644 --- a/libnetdata/socket/security.h +++ b/libnetdata/socket/security.h @@ -1,20 +1,16 @@ #ifndef NETDATA_SECURITY_H # define NETDATA_SECURITY_H -# define NETDATA_SSL_HANDSHAKE_COMPLETE 0 //All the steps were successful -# define NETDATA_SSL_START 1 //Starting handshake, conn variable is NULL -# define NETDATA_SSL_WANT_READ 2 //The connection wanna read from socket -# define NETDATA_SSL_WANT_WRITE 4 //The connection wanna write on socket -# define NETDATA_SSL_NO_HANDSHAKE 8 //Continue without encrypt connection. -# define NETDATA_SSL_OPTIONAL 16 //Flag to define the HTTP request -# define NETDATA_SSL_FORCE 32 //We only accepts HTTPS request -# define NETDATA_SSL_INVALID_CERTIFICATE 64 //Accepts invalid certificate -# define NETDATA_SSL_VALID_CERTIFICATE 128 //Accepts invalid certificate -# define NETDATA_SSL_PROXY_HTTPS 256 //Proxy is using HTTPS - -#define NETDATA_SSL_CONTEXT_SERVER 0 -#define NETDATA_SSL_CONTEXT_STREAMING 1 -#define NETDATA_SSL_CONTEXT_EXPORTING 2 +typedef enum __attribute__((packed)) { + NETDATA_SSL_STATE_NOT_SSL = 1, // This connection is not SSL + NETDATA_SSL_STATE_INIT, // SSL handshake is initialized + NETDATA_SSL_STATE_FAILED, // SSL handshake failed + NETDATA_SSL_STATE_COMPLETE, // SSL handshake successful +} NETDATA_SSL_STATE; + +#define NETDATA_SSL_WEB_SERVER_CTX 0 +#define NETDATA_SSL_STREAMING_SENDER_CTX 1 +#define NETDATA_SSL_EXPORTING_CTX 2 # ifdef ENABLE_HTTPS @@ -37,27 +33,42 @@ #include <openssl/decoder.h> #endif -struct netdata_ssl { - SSL *conn; //SSL connection - uint32_t flags; //The flags for SSL connection -}; +typedef struct netdata_ssl { + SSL *conn; // SSL connection + NETDATA_SSL_STATE state; // The state for SSL connection + unsigned long ssl_errno; // The SSL errno of the last SSL call +} NETDATA_SSL; + +#define NETDATA_SSL_UNSET_CONNECTION (NETDATA_SSL){ .conn = NULL, .state = NETDATA_SSL_STATE_NOT_SSL } + +#define SSL_connection(ssl) ((ssl)->conn && (ssl)->state != NETDATA_SSL_STATE_NOT_SSL) extern SSL_CTX *netdata_ssl_exporting_ctx; -extern SSL_CTX *netdata_ssl_client_ctx; -extern SSL_CTX *netdata_ssl_srv_ctx; +extern SSL_CTX *netdata_ssl_streaming_sender_ctx; +extern SSL_CTX *netdata_ssl_web_server_ctx; extern const char *netdata_ssl_security_key; extern const char *netdata_ssl_security_cert; extern const char *tls_version; extern const char *tls_ciphers; -extern int netdata_ssl_validate_server; +extern bool netdata_ssl_validate_certificate; +extern bool netdata_ssl_validate_certificate_sender; int ssl_security_location_for_context(SSL_CTX *ctx,char *file,char *path); -void security_openssl_library(); -void security_clean_openssl(); -void security_start_ssl(int selector); -int security_process_accept(SSL *ssl,int msg); +void netdata_ssl_initialize_openssl(); +void netdata_ssl_cleanup(); +void netdata_ssl_initialize_ctx(int selector); int security_test_certificate(SSL *ssl); -SSL_CTX * security_initialize_openssl_client(); +SSL_CTX * netdata_ssl_create_client_ctx(unsigned long mode); + +bool netdata_ssl_connect(NETDATA_SSL *ssl); +bool netdata_ssl_accept(NETDATA_SSL *ssl); + +bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd); +void netdata_ssl_close(NETDATA_SSL *ssl); +void netdata_ssl_log_error_queue(const char *call, NETDATA_SSL *ssl); + +ssize_t netdata_ssl_read(NETDATA_SSL *ssl, void *buf, size_t num); +ssize_t netdata_ssl_write(NETDATA_SSL *ssl, const void *buf, size_t num); # endif //ENABLE_HTTPS #endif //NETDATA_SECURITY_H diff --git a/libnetdata/socket/socket.c b/libnetdata/socket/socket.c index 7eb212b33..220db7601 100644 --- a/libnetdata/socket/socket.c +++ b/libnetdata/socket/socket.c @@ -10,6 +10,63 @@ #include "../libnetdata.h" + +SOCKET_PEERS socket_peers(int sock_fd) { + SOCKET_PEERS peers; + + if(sock_fd < 0) { + strncpyz(peers.peer.ip, "unknown", sizeof(peers.peer.ip) - 1); + peers.peer.port = 0; + + strncpyz(peers.local.ip, "unknown", sizeof(peers.local.ip) - 1); + peers.local.port = 0; + + return peers; + } + + struct sockaddr_storage addr; + socklen_t addr_len = sizeof(addr); + + // Get peer info + if (getpeername(sock_fd, (struct sockaddr *)&addr, &addr_len) == 0) { + if (addr.ss_family == AF_INET) { // IPv4 + struct sockaddr_in *s = (struct sockaddr_in *)&addr; + inet_ntop(AF_INET, &s->sin_addr, peers.peer.ip, sizeof(peers.peer.ip)); + peers.peer.port = ntohs(s->sin_port); + } + else { // IPv6 + struct sockaddr_in6 *s = (struct sockaddr_in6 *)&addr; + inet_ntop(AF_INET6, &s->sin6_addr, peers.peer.ip, sizeof(peers.peer.ip)); + peers.peer.port = ntohs(s->sin6_port); + } + } + else { + strncpyz(peers.peer.ip, "unknown", sizeof(peers.peer.ip) - 1); + peers.peer.port = 0; + } + + // Get local info + addr_len = sizeof(addr); + if (getsockname(sock_fd, (struct sockaddr *)&addr, &addr_len) == 0) { + if (addr.ss_family == AF_INET) { // IPv4 + struct sockaddr_in *s = (struct sockaddr_in *) &addr; + inet_ntop(AF_INET, &s->sin_addr, peers.local.ip, sizeof(peers.local.ip)); + peers.local.port = ntohs(s->sin_port); + } else { // IPv6 + struct sockaddr_in6 *s = (struct sockaddr_in6 *) &addr; + inet_ntop(AF_INET6, &s->sin6_addr, peers.local.ip, sizeof(peers.local.ip)); + peers.local.port = ntohs(s->sin6_port); + } + } + else { + strncpyz(peers.local.ip, "unknown", sizeof(peers.local.ip) - 1); + peers.local.port = 0; + } + + return peers; +} + + // -------------------------------------------------------------------------------------------------------------------- // various library calls @@ -967,49 +1024,11 @@ int connect_to_one_of_urls(const char *destination, int default_port, struct tim } -#ifdef ENABLE_HTTPS -ssize_t netdata_ssl_read(SSL *ssl, void *buf, size_t num) { - error_limit_static_thread_var(erl, 1, 0); - - int bytes, err; - - bytes = SSL_read(ssl, buf, (int)num); - err = SSL_get_error(ssl, bytes); - - if(unlikely(bytes <= 0)) { - if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ) { - bytes = 0; - } else - error_limit(&erl, "SSL_write() returned %d bytes, SSL error %d", bytes, err); - } - - return bytes; -} - -ssize_t netdata_ssl_write(SSL *ssl, const void *buf, size_t num) { - error_limit_static_thread_var(erl, 1, 0); - - int bytes, err; - - bytes = SSL_write(ssl, (uint8_t *)buf, (int)num); - err = SSL_get_error(ssl, bytes); - - if(unlikely(bytes <= 0)) { - if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ) { - bytes = 0; - } else - error_limit(&erl, "SSL_write() returned %d bytes, SSL error %d", bytes, err); - } - - return bytes; -} -#endif - // -------------------------------------------------------------------------------------------------------------------- // helpers to send/receive data in one call, in blocking mode, with a timeout #ifdef ENABLE_HTTPS -ssize_t recv_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { +ssize_t recv_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { #else ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) { #endif @@ -1033,24 +1052,24 @@ ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) return -1; } - if(!retval) { + if(!retval) // timeout return 0; - } - if(fd.events & POLLIN) break; + if(fd.revents & POLLIN) + break; } #ifdef ENABLE_HTTPS - if (ssl->conn && ssl->flags == NETDATA_SSL_HANDSHAKE_COMPLETE) - return netdata_ssl_read(ssl->conn, buf, len); + if (SSL_connection(ssl)) + return netdata_ssl_read(ssl, buf, len); #endif return recv(sockfd, buf, len, flags); } #ifdef ENABLE_HTTPS -ssize_t send_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { +ssize_t send_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { #else ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) { #endif @@ -1079,13 +1098,13 @@ ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) return 0; } - if(fd.events & POLLOUT) break; + if(fd.revents & POLLOUT) break; } #ifdef ENABLE_HTTPS if(ssl->conn) { - if (ssl->flags == NETDATA_SSL_HANDSHAKE_COMPLETE) { - return netdata_ssl_write(ssl->conn, buf, len); + if (SSL_connection(ssl)) { + return netdata_ssl_write(ssl, buf, len); } else { error("cannot write to SSL connection - connection is not ready."); diff --git a/libnetdata/socket/socket.h b/libnetdata/socket/socket.h index 110063014..0e29711e0 100644 --- a/libnetdata/socket/socket.h +++ b/libnetdata/socket/socket.h @@ -68,10 +68,8 @@ int connect_to_one_of_urls(const char *destination, int default_port, struct tim #ifdef ENABLE_HTTPS -ssize_t recv_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); -ssize_t send_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); -ssize_t netdata_ssl_read(SSL *ssl, void *buf, size_t num); -ssize_t netdata_ssl_write(SSL *ssl, const void *buf, size_t num); +ssize_t recv_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t send_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); #else ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); @@ -219,4 +217,22 @@ void poll_events(LISTEN_SOCKETS *sockets , size_t max_tcp_sockets ); +#ifndef INET6_ADDRSTRLEN +#define INET6_ADDRSTRLEN 46 +#endif + +typedef struct socket_peers { + struct { + char ip[INET6_ADDRSTRLEN]; + int port; + } local; + + struct { + char ip[INET6_ADDRSTRLEN]; + int port; + } peer; +} SOCKET_PEERS; + +SOCKET_PEERS socket_peers(int sock_fd); + #endif //NETDATA_SOCKET_H |