diff options
Diffstat (limited to '')
-rw-r--r-- | libnetdata/socket/security.c | 76 | ||||
-rw-r--r-- | libnetdata/socket/security.h | 16 | ||||
-rw-r--r-- | libnetdata/socket/socket.c | 169 | ||||
-rw-r--r-- | libnetdata/socket/socket.h | 78 |
4 files changed, 221 insertions, 118 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c index 6ac512de5..f7b44049b 100644 --- a/libnetdata/socket/security.c +++ b/libnetdata/socket/security.c @@ -2,14 +2,14 @@ #ifdef ENABLE_HTTPS -SSL_CTX *netdata_exporting_ctx=NULL; -SSL_CTX *netdata_client_ctx=NULL; -SSL_CTX *netdata_srv_ctx=NULL; -const char *security_key=NULL; -const char *security_cert=NULL; +SSL_CTX *netdata_ssl_exporting_ctx =NULL; +SSL_CTX *netdata_ssl_client_ctx =NULL; +SSL_CTX *netdata_ssl_srv_ctx =NULL; +const char *netdata_ssl_security_key =NULL; +const char *netdata_ssl_security_cert =NULL; const char *tls_version=NULL; const char *tls_ciphers=NULL; -int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE; +int netdata_ssl_validate_server = NETDATA_SSL_VALID_CERTIFICATE; /** * Info Callback @@ -161,7 +161,7 @@ static SSL_CTX * security_initialize_openssl_server() { return NULL; } - SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM); + SSL_CTX_use_certificate_file(ctx, netdata_ssl_security_cert, SSL_FILETYPE_PEM); #else ctx = SSL_CTX_new(TLS_server_method()); if (!ctx) { @@ -169,11 +169,11 @@ static SSL_CTX * security_initialize_openssl_server() { return NULL; } - SSL_CTX_use_certificate_chain_file(ctx, security_cert); + SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert); #endif security_openssl_common_options(ctx, 0); - SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM); + SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM); if (!SSL_CTX_check_private_key(ctx)) { ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror)); @@ -207,24 +207,25 @@ void security_start_ssl(int selector) { switch (selector) { case NETDATA_SSL_CONTEXT_SERVER: { struct stat statbuf; - if (stat(security_key, &statbuf) || stat(security_cert, &statbuf)) { + if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) { info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n"); return; } - netdata_srv_ctx = security_initialize_openssl_server(); - SSL_CTX_set_mode(netdata_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + netdata_ssl_srv_ctx = security_initialize_openssl_server(); + SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); break; } case NETDATA_SSL_CONTEXT_STREAMING: { - netdata_client_ctx = security_initialize_openssl_client(); + netdata_ssl_client_ctx = security_initialize_openssl_client(); //This is necessary for the stream, because it is working sometimes with nonblock socket. //It returns the bitmask after to change, there is not any description of errors in the documentation - SSL_CTX_set_mode(netdata_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY); + SSL_CTX_set_mode( + netdata_ssl_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY); break; } case NETDATA_SSL_CONTEXT_EXPORTING: { - netdata_exporting_ctx = security_initialize_openssl_client(); + netdata_ssl_exporting_ctx = security_initialize_openssl_client(); break; } } @@ -237,16 +238,16 @@ void security_start_ssl(int selector) { */ void security_clean_openssl() { - if (netdata_srv_ctx) { - SSL_CTX_free(netdata_srv_ctx); + if (netdata_ssl_srv_ctx) { + SSL_CTX_free(netdata_ssl_srv_ctx); } - if (netdata_client_ctx) { - SSL_CTX_free(netdata_client_ctx); + if (netdata_ssl_client_ctx) { + SSL_CTX_free(netdata_ssl_client_ctx); } - if (netdata_exporting_ctx) { - SSL_CTX_free(netdata_exporting_ctx); + if (netdata_ssl_exporting_ctx) { + SSL_CTX_free(netdata_ssl_exporting_ctx); } #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 @@ -355,32 +356,23 @@ int security_test_certificate(SSL *ssl) { * * @return It returns 0 on success and -1 otherwise. */ -int security_location_for_context(SSL_CTX *ctx, char *file, char *path) { - struct stat statbuf; - if (stat(file, &statbuf)) { - info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!"); - return 0; - } - - ERR_clear_error(); - u_long err; - char buf[256]; - if(!SSL_CTX_load_verify_locations(ctx, file, path)) { - goto slfc; +int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) { + int load_custom = 1, load_default = 1; + if (file || path) { + if(!SSL_CTX_load_verify_locations(ctx, file, path)) { + info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!"); + load_custom = 0; + } } if(!SSL_CTX_set_default_verify_paths(ctx)) { - goto slfc; + info("Can not verify default OpenSSL configuration to validate certificates!"); + load_default = 0; } - return 0; + if (load_custom == 0 && load_default == 0) + return -1; -slfc: - while ((err = ERR_get_error()) != 0) { - ERR_error_string_n(err, buf, sizeof(buf)); - error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf); - } - return -1; + return 0; } - #endif diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h index dbf71a6fe..ae7c595e3 100644 --- a/libnetdata/socket/security.h +++ b/libnetdata/socket/security.h @@ -37,20 +37,20 @@ #include <openssl/decoder.h> #endif -struct netdata_ssl{ +struct netdata_ssl { SSL *conn; //SSL connection uint32_t flags; //The flags for SSL connection }; -extern SSL_CTX *netdata_exporting_ctx; -extern SSL_CTX *netdata_client_ctx; -extern SSL_CTX *netdata_srv_ctx; -extern const char *security_key; -extern const char *security_cert; +extern SSL_CTX *netdata_ssl_exporting_ctx; +extern SSL_CTX *netdata_ssl_client_ctx; +extern SSL_CTX *netdata_ssl_srv_ctx; +extern const char *netdata_ssl_security_key; +extern const char *netdata_ssl_security_cert; extern const char *tls_version; extern const char *tls_ciphers; -extern int netdata_validate_server; -extern int security_location_for_context(SSL_CTX *ctx,char *file,char *path); +extern int netdata_ssl_validate_server; +int ssl_security_location_for_context(SSL_CTX *ctx,char *file,char *path); void security_openssl_library(); void security_clean_openssl(); diff --git a/libnetdata/socket/socket.c b/libnetdata/socket/socket.c index df6d3148b..40271b623 100644 --- a/libnetdata/socket/socket.c +++ b/libnetdata/socket/socket.c @@ -779,6 +779,10 @@ int connect_to_this(const char *definition, int default_port, struct timeval *ti char *path = host + 5; return connect_to_unix(path, timeout); } + else if(*host == '/') { + char *path = host; + return connect_to_unix(path, timeout); + } char *e = host; if(*e == '[') { @@ -826,43 +830,141 @@ int connect_to_this(const char *definition, int default_port, struct timeval *ti return connect_to_this_ip46(protocol, socktype, host, scope_id, service, timeout); } -int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size) { - int sock = -1; - +void foreach_entry_in_connection_string(const char *destination, bool (*callback)(char *entry, void *data), void *data) { const char *s = destination; while(*s) { const char *e = s; - // skip path, moving both s(tart) and e(nd) - if(*e == '/') - while(!isspace(*e) && *e != ',') s = ++e; - // skip separators, moving both s(tart) and e(nd) while(isspace(*e) || *e == ',') s = ++e; // move e(nd) to the first separator - while(*e && !isspace(*e) && *e != ',' && *e != '/') e++; + while(*e && !isspace(*e) && *e != ',') e++; // is there anything? if(!*s || s == e) break; char buf[e - s + 1]; strncpyz(buf, s, e - s); - if(reconnects_counter) *reconnects_counter += 1; - sock = connect_to_this(buf, default_port, timeout); - if(sock != -1) { - if(connected_to && connected_to_size) { - strncpy(connected_to, buf, connected_to_size); - connected_to[connected_to_size - 1] = '\0'; - } - break; - } + + if(callback(buf, data)) break; + s = e; } +} - return sock; +struct connect_to_one_of_data { + int default_port; + struct timeval *timeout; + size_t *reconnects_counter; + char *connected_to; + size_t connected_to_size; + int sock; +}; + +static bool connect_to_one_of_callback(char *entry, void *data) { + struct connect_to_one_of_data *t = data; + + if(t->reconnects_counter) + t->reconnects_counter++; + + t->sock = connect_to_this(entry, t->default_port, t->timeout); + if(t->sock != -1) { + if(t->connected_to && t->connected_to_size) { + strncpyz(t->connected_to, entry, t->connected_to_size); + t->connected_to[t->connected_to_size - 1] = '\0'; + } + + return true; + } + + return false; +} + +int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size) { + struct connect_to_one_of_data t = { + .default_port = default_port, + .timeout = timeout, + .reconnects_counter = reconnects_counter, + .connected_to = connected_to, + .connected_to_size = connected_to_size, + .sock = -1, + }; + + foreach_entry_in_connection_string(destination, connect_to_one_of_callback, &t); + + return t.sock; +} + +static bool connect_to_one_of_urls_callback(char *entry, void *data) { + char *s = strchr(entry, '/'); + if(s) *s = '\0'; + + return connect_to_one_of_callback(entry, data); } +int connect_to_one_of_urls(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size) { + struct connect_to_one_of_data t = { + .default_port = default_port, + .timeout = timeout, + .reconnects_counter = reconnects_counter, + .connected_to = connected_to, + .connected_to_size = connected_to_size, + .sock = -1, + }; + + foreach_entry_in_connection_string(destination, connect_to_one_of_urls_callback, &t); + + return t.sock; +} + + +#ifdef ENABLE_HTTPS +ssize_t netdata_ssl_read(SSL *ssl, void *buf, size_t num) { + error_limit_static_thread_var(erl, 1, 0); + + int bytes, err, retries = 0; + + //do { + bytes = SSL_read(ssl, buf, (int)num); + err = SSL_get_error(ssl, bytes); + retries++; + //} while (bytes <= 0 && (err == SSL_ERROR_WANT_READ)); + + if(unlikely(bytes <= 0)) + error("SSL_read() returned %d bytes, SSL error %d", bytes, err); + + if(retries > 1) + error_limit(&erl, "SSL_read() retried %d times", retries); + + return bytes; +} + +ssize_t netdata_ssl_write(SSL *ssl, const void *buf, size_t num) { + error_limit_static_thread_var(erl, 1, 0); + + int bytes, err, retries = 0; + size_t total = 0; + + //do { + bytes = SSL_write(ssl, (uint8_t *)buf + total, (int)(num - total)); + err = SSL_get_error(ssl, bytes); + retries++; + + if(bytes > 0) + total += bytes; + + //} while ((bytes <= 0 && (err == SSL_ERROR_WANT_WRITE)) || (bytes > 0 && total < num)); + + if(unlikely(bytes <= 0)) + error("SSL_write() returned %d bytes, SSL error %d", bytes, err); + + if(retries > 1) + error_limit(&erl, "SSL_write() retried %d times", retries); + + return bytes; +} +#endif // -------------------------------------------------------------------------------------------------------------------- // helpers to send/receive data in one call, in blocking mode, with a timeout @@ -901,12 +1003,10 @@ ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) } #ifdef ENABLE_HTTPS - if (ssl->conn) { - if (!ssl->flags) { - return SSL_read(ssl->conn,buf,len); - } - } + if (ssl->conn && ssl->flags == NETDATA_SSL_HANDSHAKE_COMPLETE) + return netdata_ssl_read(ssl->conn, buf, len); #endif + return recv(sockfd, buf, len, flags); } @@ -945,8 +1045,12 @@ ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) #ifdef ENABLE_HTTPS if(ssl->conn) { - if (!ssl->flags) { - return SSL_write(ssl->conn, buf, len); + if (ssl->flags == NETDATA_SSL_HANDSHAKE_COMPLETE) { + return netdata_ssl_write(ssl->conn, buf, len); + } + else { + error("cannot write to SSL connection - connection is not ready."); + return -1; } } #endif @@ -1087,12 +1191,11 @@ int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *clien if (getnameinfo((struct sockaddr *)&sadr, addrlen, client_ip, (socklen_t)ipsize, client_port, (socklen_t)portsize, NI_NUMERICHOST | NI_NUMERICSERV) != 0) { error("LISTENER: cannot getnameinfo() on received client connection."); - strncpyz(client_ip, "UNKNOWN", ipsize - 1); - strncpyz(client_port, "UNKNOWN", portsize - 1); + strncpyz(client_ip, "UNKNOWN", ipsize); + strncpyz(client_port, "UNKNOWN", portsize); } if (!strcmp(client_ip, "127.0.0.1") || !strcmp(client_ip, "::1")) { - strncpy(client_ip, "localhost", ipsize); - client_ip[ipsize - 1] = '\0'; + strncpyz(client_ip, "localhost", ipsize); } #ifdef __FreeBSD__ @@ -1107,8 +1210,7 @@ int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *clien case AF_UNIX: debug(D_LISTENER, "New UNIX domain web client from %s on socket %d.", client_ip, fd); // set the port - certain versions of libc return garbage on unix sockets - strncpy(client_port, "UNIX", portsize); - client_port[portsize - 1] = '\0'; + strncpyz(client_port, "UNIX", portsize); break; case AF_INET: @@ -1490,8 +1592,9 @@ static int poll_process_new_tcp_connection(POLLJOB *p, POLLINFO *pi, struct poll debug(D_POLLFD, "POLLFD: LISTENER: accept4() slot %zu (fd %d) failed.", pi->slot, pf->fd); if(unlikely(errno == EMFILE)) { - error("POLLFD: LISTENER: too many open files - sleeping for 1ms - used by this thread %zu, max for this thread %zu", p->used, p->limit); - usleep(1000); // 1ms + error_limit_static_global_var(erl, 10, 1000); + error_limit(&erl, "POLLFD: LISTENER: too many open files - used by this thread %zu, max for this thread %zu", + p->used, p->limit); } else if(unlikely(errno != EWOULDBLOCK && errno != EAGAIN)) error("POLLFD: LISTENER: accept() failed."); diff --git a/libnetdata/socket/socket.h b/libnetdata/socket/socket.h index a40d801dd..282324273 100644 --- a/libnetdata/socket/socket.h +++ b/libnetdata/socket/socket.h @@ -10,19 +10,22 @@ #endif typedef enum web_client_acl { - WEB_CLIENT_ACL_NONE = 0, - WEB_CLIENT_ACL_NOCHECK = 0, - WEB_CLIENT_ACL_DASHBOARD = 1 << 0, - WEB_CLIENT_ACL_REGISTRY = 1 << 1, - WEB_CLIENT_ACL_BADGE = 1 << 2, - WEB_CLIENT_ACL_MGMT = 1 << 3, - WEB_CLIENT_ACL_STREAMING = 1 << 4, - WEB_CLIENT_ACL_NETDATACONF = 1 << 5, + WEB_CLIENT_ACL_NONE = 0, + WEB_CLIENT_ACL_NOCHECK = 0, + WEB_CLIENT_ACL_DASHBOARD = 1 << 0, + WEB_CLIENT_ACL_REGISTRY = 1 << 1, + WEB_CLIENT_ACL_BADGE = 1 << 2, + WEB_CLIENT_ACL_MGMT = 1 << 3, + WEB_CLIENT_ACL_STREAMING = 1 << 4, + WEB_CLIENT_ACL_NETDATACONF = 1 << 5, WEB_CLIENT_ACL_SSL_OPTIONAL = 1 << 6, - WEB_CLIENT_ACL_SSL_FORCE = 1 << 7, - WEB_CLIENT_ACL_SSL_DEFAULT = 1 << 8 + WEB_CLIENT_ACL_SSL_FORCE = 1 << 7, + WEB_CLIENT_ACL_SSL_DEFAULT = 1 << 8, + WEB_CLIENT_ACL_ACLK = 1 << 9, } WEB_CLIENT_ACL; +#define WEB_CLIENT_ACL_ALL 0xFFFF + #define web_client_can_access_dashboard(w) ((w)->acl & WEB_CLIENT_ACL_DASHBOARD) #define web_client_can_access_registry(w) ((w)->acl & WEB_CLIENT_ACL_REGISTRY) #define web_client_can_access_badges(w) ((w)->acl & WEB_CLIENT_ACL_BADGE) @@ -49,37 +52,42 @@ typedef struct listen_sockets { WEB_CLIENT_ACL fds_acl_flags[MAX_LISTEN_FDS]; // the acl to apply to the open sockets (dashboard, badges, streaming, netdata.conf, management) } LISTEN_SOCKETS; -extern char *strdup_client_description(int family, const char *protocol, const char *ip, uint16_t port); +char *strdup_client_description(int family, const char *protocol, const char *ip, uint16_t port); -extern int listen_sockets_setup(LISTEN_SOCKETS *sockets); -extern void listen_sockets_close(LISTEN_SOCKETS *sockets); +int listen_sockets_setup(LISTEN_SOCKETS *sockets); +void listen_sockets_close(LISTEN_SOCKETS *sockets); -extern int connect_to_this(const char *definition, int default_port, struct timeval *timeout); -extern int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size); +void foreach_entry_in_connection_string(const char *destination, bool (*callback)(char *entry, void *data), void *data); int connect_to_this_ip46(int protocol, int socktype, const char *host, uint32_t scope_id, const char *service, struct timeval *timeout); +int connect_to_this(const char *definition, int default_port, struct timeval *timeout); +int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size); +int connect_to_one_of_urls(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size); + #ifdef ENABLE_HTTPS -extern ssize_t recv_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); -extern ssize_t send_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t recv_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t send_timeout(struct netdata_ssl *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t netdata_ssl_read(SSL *ssl, void *buf, size_t num); +ssize_t netdata_ssl_write(SSL *ssl, const void *buf, size_t num); #else -extern ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); -extern ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); +ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); #endif -extern int sock_setnonblock(int fd); -extern int sock_delnonblock(int fd); -extern int sock_setreuse(int fd, int reuse); -extern int sock_setreuse_port(int fd, int reuse); -extern int sock_enlarge_in(int fd); -extern int sock_enlarge_out(int fd); +int sock_setnonblock(int fd); +int sock_delnonblock(int fd); +int sock_setreuse(int fd, int reuse); +int sock_setreuse_port(int fd, int reuse); +int sock_enlarge_in(int fd); +int sock_enlarge_out(int fd); -extern int connection_allowed(int fd, char *client_ip, char *client_host, size_t hostsize, +int connection_allowed(int fd, char *client_ip, char *client_host, size_t hostsize, SIMPLE_PATTERN *access_list, const char *patname, int allow_dns); -extern int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *client_port, size_t portsize, +int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *client_port, size_t portsize, char *client_host, size_t hostsize, SIMPLE_PATTERN *access_list, int allow_dns); #ifndef HAVE_ACCEPT4 -extern int accept4(int sock, struct sockaddr *addr, socklen_t *addrlen, int flags); +int accept4(int sock, struct sockaddr *addr, socklen_t *addrlen, int flags); #ifndef SOCK_NONBLOCK #define SOCK_NONBLOCK 00004000 @@ -167,12 +175,12 @@ struct poll { #define pollinfo_from_slot(p, slot) (&((p)->inf[(slot)])) -extern int poll_default_snd_callback(POLLINFO *pi, short int *events); -extern int poll_default_rcv_callback(POLLINFO *pi, short int *events); -extern void poll_default_del_callback(POLLINFO *pi); -extern void *poll_default_add_callback(POLLINFO *pi, short int *events, void *data); +int poll_default_snd_callback(POLLINFO *pi, short int *events); +int poll_default_rcv_callback(POLLINFO *pi, short int *events); +void poll_default_del_callback(POLLINFO *pi); +void *poll_default_add_callback(POLLINFO *pi, short int *events, void *data); -extern POLLINFO *poll_add_fd(POLLJOB *p +POLLINFO *poll_add_fd(POLLJOB *p , int fd , int socktype , WEB_CLIENT_ACL port_acl @@ -186,9 +194,9 @@ extern POLLINFO *poll_add_fd(POLLJOB *p , int (*snd_callback)(POLLINFO *pi, short int *events) , void *data ); -extern void poll_close_fd(POLLINFO *pi); +void poll_close_fd(POLLINFO *pi); -extern void poll_events(LISTEN_SOCKETS *sockets +void poll_events(LISTEN_SOCKETS *sockets , void *(*add_callback)(POLLINFO *pi, short int *events, void *data) , void (*del_callback)(POLLINFO *pi) , int (*rcv_callback)(POLLINFO *pi, short int *events) |