diff options
Diffstat (limited to 'libnetdata/socket')
| -rw-r--r-- | libnetdata/socket/Makefile.am | 8 | ||||
| -rw-r--r-- | libnetdata/socket/README.md | 8 | ||||
| -rw-r--r-- | libnetdata/socket/security.c | 741 | ||||
| -rw-r--r-- | libnetdata/socket/security.h | 74 | ||||
| -rw-r--r-- | libnetdata/socket/socket.c | 2130 | ||||
| -rw-r--r-- | libnetdata/socket/socket.h | 248 |
6 files changed, 0 insertions, 3209 deletions
diff --git a/libnetdata/socket/Makefile.am b/libnetdata/socket/Makefile.am deleted file mode 100644 index 161784b8..00000000 --- a/libnetdata/socket/Makefile.am +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-License-Identifier: GPL-3.0-or-later - -AUTOMAKE_OPTIONS = subdir-objects -MAINTAINERCLEANFILES = $(srcdir)/Makefile.in - -dist_noinst_DATA = \ - README.md \ - $(NULL) diff --git a/libnetdata/socket/README.md b/libnetdata/socket/README.md deleted file mode 100644 index e339a071..00000000 --- a/libnetdata/socket/README.md +++ /dev/null @@ -1,8 +0,0 @@ -<!-- -Title: "Socket" -custom_edit_url: https://github.com/netdata/netdata/edit/master/libnetdata/socket/README.md -sidebar_label: "Socket" -learn_status: "Published" -learn_topic_type: "References" -learn_rel_path: "Developers/libnetdata" ---> diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c deleted file mode 100644 index 4deb7662..00000000 --- a/libnetdata/socket/security.c +++ /dev/null @@ -1,741 +0,0 @@ -#include "../libnetdata.h" - -#ifdef ENABLE_HTTPS - -SSL_CTX *netdata_ssl_exporting_ctx =NULL; -SSL_CTX *netdata_ssl_streaming_sender_ctx =NULL; -SSL_CTX *netdata_ssl_web_server_ctx =NULL; -const char *netdata_ssl_security_key =NULL; -const char *netdata_ssl_security_cert =NULL; -const char *tls_version=NULL; -const char *tls_ciphers=NULL; -bool netdata_ssl_validate_certificate = true; -bool netdata_ssl_validate_certificate_sender = true; - -static SOCKET_PEERS netdata_ssl_peers(NETDATA_SSL *ssl) { - int sock_fd; - - if(unlikely(!ssl->conn)) - sock_fd = -1; - else - sock_fd = SSL_get_rfd(ssl->conn); - - return socket_peers(sock_fd); -} - -static void netdata_ssl_log_error_queue(const char *call, NETDATA_SSL *ssl, unsigned long err) { - nd_log_limit_static_thread_var(erl, 1, 0); - - if(err == SSL_ERROR_NONE) - err = ERR_get_error(); - - if(err == SSL_ERROR_NONE) - return; - - do { - char *code; - - switch (err) { - case SSL_ERROR_SSL: - code = "SSL_ERROR_SSL"; - ssl->state = NETDATA_SSL_STATE_FAILED; - break; - - case SSL_ERROR_WANT_READ: - code = "SSL_ERROR_WANT_READ"; - break; - - case SSL_ERROR_WANT_WRITE: - code = "SSL_ERROR_WANT_WRITE"; - break; - - case SSL_ERROR_WANT_X509_LOOKUP: - code = "SSL_ERROR_WANT_X509_LOOKUP"; - break; - - case SSL_ERROR_SYSCALL: - code = "SSL_ERROR_SYSCALL"; - ssl->state = NETDATA_SSL_STATE_FAILED; - break; - - case SSL_ERROR_ZERO_RETURN: - code = "SSL_ERROR_ZERO_RETURN"; - break; - - case SSL_ERROR_WANT_CONNECT: - code = "SSL_ERROR_WANT_CONNECT"; - break; - - case SSL_ERROR_WANT_ACCEPT: - code = "SSL_ERROR_WANT_ACCEPT"; - break; - -#ifdef SSL_ERROR_WANT_ASYNC - case SSL_ERROR_WANT_ASYNC: - code = "SSL_ERROR_WANT_ASYNC"; - break; -#endif - -#ifdef SSL_ERROR_WANT_ASYNC_JOB - case SSL_ERROR_WANT_ASYNC_JOB: - code = "SSL_ERROR_WANT_ASYNC_JOB"; - break; -#endif - -#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB - case SSL_ERROR_WANT_CLIENT_HELLO_CB: - code = "SSL_ERROR_WANT_CLIENT_HELLO_CB"; - break; -#endif - -#ifdef SSL_ERROR_WANT_RETRY_VERIFY - case SSL_ERROR_WANT_RETRY_VERIFY: - code = "SSL_ERROR_WANT_RETRY_VERIFY"; - break; -#endif - - default: - code = "SSL_ERROR_UNKNOWN"; - break; - } - - char str[1024 + 1]; - ERR_error_string_n(err, str, 1024); - str[1024] = '\0'; - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_ERR, - "SSL: %s() on socket local [[%s]:%d] <-> remote [[%s]:%d], returned error %lu (%s): %s", - call, peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, err, code, str); - - } while((err = ERR_get_error())); -} - -bool netdata_ssl_open_ext(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd, const unsigned char *alpn_protos, unsigned int alpn_protos_len) { - errno = 0; - ssl->ssl_errno = 0; - - if(ssl->conn) { - if(!ctx || SSL_get_SSL_CTX(ssl->conn) != ctx) { - SSL_free(ssl->conn); - ssl->conn = NULL; - } - else if (SSL_clear(ssl->conn) == 0) { - netdata_ssl_log_error_queue("SSL_clear", ssl, SSL_ERROR_NONE); - SSL_free(ssl->conn); - ssl->conn = NULL; - } - } - - if(!ssl->conn) { - if(!ctx) { - internal_error(true, "SSL: not CTX given"); - ssl->state = NETDATA_SSL_STATE_FAILED; - return false; - } - - ssl->conn = SSL_new(ctx); - if (!ssl->conn) { - netdata_ssl_log_error_queue("SSL_new", ssl, SSL_ERROR_NONE); - ssl->state = NETDATA_SSL_STATE_FAILED; - return false; - } - if (alpn_protos && alpn_protos_len > 0) - SSL_set_alpn_protos(ssl->conn, alpn_protos, alpn_protos_len); - } - - if(SSL_set_fd(ssl->conn, fd) != 1) { - netdata_ssl_log_error_queue("SSL_set_fd", ssl, SSL_ERROR_NONE); - ssl->state = NETDATA_SSL_STATE_FAILED; - return false; - } - - ssl->state = NETDATA_SSL_STATE_INIT; - - ERR_clear_error(); - - return true; -} - -bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd) { - return netdata_ssl_open_ext(ssl, ctx, fd, NULL, 0); -} - -void netdata_ssl_close(NETDATA_SSL *ssl) { - errno = 0; - ssl->ssl_errno = 0; - - if(ssl->conn) { - if(SSL_connection(ssl)) { - int ret = SSL_shutdown(ssl->conn); - if(ret == 0) - SSL_shutdown(ssl->conn); - } - - SSL_free(ssl->conn); - - ERR_clear_error(); - } - - *ssl = NETDATA_SSL_UNSET_CONNECTION; -} - -static inline bool is_handshake_complete(NETDATA_SSL *ssl, const char *op) { - nd_log_limit_static_thread_var(erl, 1, 0); - - if(unlikely(!ssl->conn)) { - internal_error(true, "SSL: trying to %s on a NULL connection", op); - return false; - } - - switch(ssl->state) { - case NETDATA_SSL_STATE_NOT_SSL: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - - case NETDATA_SSL_STATE_INIT: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an incomplete connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - - case NETDATA_SSL_STATE_FAILED: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - - case NETDATA_SSL_STATE_COMPLETE: { - return true; - } - } - - return false; -} - -/* - * netdata_ssl_read() should return the same as read(): - * - * Positive value: The read() function succeeded and read some bytes. The exact number of bytes read is returned. - * - * Zero: For files and sockets, a return value of zero signifies end-of-file (EOF), meaning no more data is available - * for reading. For sockets, this usually means the other side has closed the connection. - * - * -1: An error occurred. The specific error can be found by examining the errno variable. - * EAGAIN or EWOULDBLOCK: The file descriptor is in non-blocking mode, and the read operation would block. - * (These are often the same value, but can be different on some systems.) - */ - -ssize_t netdata_ssl_read(NETDATA_SSL *ssl, void *buf, size_t num) { - errno = 0; - ssl->ssl_errno = 0; - - if(unlikely(!is_handshake_complete(ssl, "read"))) - return -1; - - int bytes = SSL_read(ssl->conn, buf, (int)num); - - if(unlikely(bytes <= 0)) { - int err = SSL_get_error(ssl->conn, bytes); - if (err == SSL_ERROR_ZERO_RETURN) { - ssl->ssl_errno = err; - return 0; - } - - if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { - ssl->ssl_errno = err; - errno = EWOULDBLOCK; - } - else - netdata_ssl_log_error_queue("SSL_read", ssl, err); - - bytes = -1; // according to read() or recv() - } - - return bytes; -} - -/* - * netdata_ssl_write() should return the same as write(): - * - * Positive value: The write() function succeeded and wrote some bytes. The exact number of bytes written is returned. - * - * Zero: It's technically possible for write() to return zero, indicating that zero bytes were written. However, for a - * socket, this generally does not happen unless the size of the data to be written is zero. - * - * -1: An error occurred. The specific error can be found by examining the errno variable. - * EAGAIN or EWOULDBLOCK: The file descriptor is in non-blocking mode, and the write operation would block. - * (These are often the same value, but can be different on some systems.) - */ - -ssize_t netdata_ssl_write(NETDATA_SSL *ssl, const void *buf, size_t num) { - errno = 0; - ssl->ssl_errno = 0; - - if(unlikely(!is_handshake_complete(ssl, "write"))) - return -1; - - int bytes = SSL_write(ssl->conn, (uint8_t *)buf, (int)num); - - if(unlikely(bytes <= 0)) { - int err = SSL_get_error(ssl->conn, bytes); - if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { - ssl->ssl_errno = err; - errno = EWOULDBLOCK; - } - else - netdata_ssl_log_error_queue("SSL_write", ssl, err); - - bytes = -1; // according to write() or send() - } - - return bytes; -} - -static inline bool is_handshake_initialized(NETDATA_SSL *ssl, const char *op) { - nd_log_limit_static_thread_var(erl, 1, 0); - - if(unlikely(!ssl->conn)) { - internal_error(true, "SSL: trying to %s on a NULL connection", op); - return false; - } - - switch(ssl->state) { - case NETDATA_SSL_STATE_NOT_SSL: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on non-SSL connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - - case NETDATA_SSL_STATE_INIT: { - return true; - } - - case NETDATA_SSL_STATE_FAILED: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on a failed connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - - case NETDATA_SSL_STATE_COMPLETE: { - SOCKET_PEERS peers = netdata_ssl_peers(ssl); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_WARNING, - "SSL: on socket local [[%s]:%d] <-> remote [[%s]:%d], attempt to %s on an complete connection", - peers.local.ip, peers.local.port, peers.peer.ip, peers.peer.port, op); - return false; - } - } - - return false; -} - -#define WANT_READ_WRITE_TIMEOUT_MS 10 - -static inline bool want_read_write_should_retry(NETDATA_SSL *ssl, int err) { - int ssl_errno = SSL_get_error(ssl->conn, err); - if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_WANT_WRITE) { - struct pollfd pfds[1] = { [0] = { - .fd = SSL_get_rfd(ssl->conn), - .events = (short)(((ssl_errno == SSL_ERROR_WANT_READ ) ? POLLIN : 0) | - ((ssl_errno == SSL_ERROR_WANT_WRITE) ? POLLOUT : 0)), - }}; - - if(poll(pfds, 1, WANT_READ_WRITE_TIMEOUT_MS) <= 0) - return false; // timeout (0) or error (<0) - - return true; // we have activity, so we should retry - } - - return false; // an unknown error -} - -bool netdata_ssl_connect(NETDATA_SSL *ssl) { - errno = 0; - ssl->ssl_errno = 0; - - if(unlikely(!is_handshake_initialized(ssl, "connect"))) - return false; - - SSL_set_connect_state(ssl->conn); - - int err; - while ((err = SSL_connect(ssl->conn)) != 1) { - if(!want_read_write_should_retry(ssl, err)) - break; - } - - if (err != 1) { - err = SSL_get_error(ssl->conn, err); - netdata_ssl_log_error_queue("SSL_connect", ssl, err); - ssl->state = NETDATA_SSL_STATE_FAILED; - return false; - } - - ssl->state = NETDATA_SSL_STATE_COMPLETE; - return true; -} - -bool netdata_ssl_accept(NETDATA_SSL *ssl) { - errno = 0; - ssl->ssl_errno = 0; - - if(unlikely(!is_handshake_initialized(ssl, "accept"))) - return false; - - SSL_set_accept_state(ssl->conn); - - int err; - while ((err = SSL_accept(ssl->conn)) != 1) { - if(!want_read_write_should_retry(ssl, err)) - break; - } - - if (err != 1) { - err = SSL_get_error(ssl->conn, err); - netdata_ssl_log_error_queue("SSL_accept", ssl, err); - ssl->state = NETDATA_SSL_STATE_FAILED; - return false; - } - - ssl->state = NETDATA_SSL_STATE_COMPLETE; - return true; -} - -/** - * Info Callback - * - * Function used as callback for the OpenSSL Library - * - * @param ssl a pointer to the SSL structure of the client - * @param where the variable with the flags set. - * @param ret the return of the caller - */ -static void netdata_ssl_info_callback(const SSL *ssl, int where, int ret __maybe_unused) { - (void)ssl; - if (where & SSL_CB_ALERT) { - netdata_log_debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", SSL_alert_type_string(ret), SSL_alert_desc_string_long(ret)); - } -} - -/** - * OpenSSL Library - * - * Starts the openssl library for the Netdata. - */ -void netdata_ssl_initialize_openssl() { - -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 -# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) - OPENSSL_config(NULL); -# endif - - SSL_load_error_strings(); - - SSL_library_init(); - -#else - - if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) { - netdata_log_error("SSL library cannot be initialized."); - } - -#endif -} - -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110 -/** - * TLS version - * - * Returns the TLS version depending of the user input. - * - * @param lversion is the user input. - * - * @return it returns the version number. - */ -static int netdata_ssl_select_tls_version(const char *lversion) { - if (!strcmp(lversion, "1") || !strcmp(lversion, "1.0")) - return TLS1_VERSION; - else if (!strcmp(lversion, "1.1")) - return TLS1_1_VERSION; - else if (!strcmp(lversion, "1.2")) - return TLS1_2_VERSION; -#if defined(TLS1_3_VERSION) - else if (!strcmp(lversion, "1.3")) - return TLS1_3_VERSION; -#endif - -#if defined(TLS_MAX_VERSION) - return TLS_MAX_VERSION; -#else - return TLS1_2_VERSION; -#endif -} -#endif - -/** - * Initialize Openssl Client - * - * Starts the client context with TLS 1.2. - * - * @return It returns the context on success or NULL otherwise - */ -SSL_CTX * netdata_ssl_create_client_ctx(unsigned long mode) { - SSL_CTX *ctx; -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - ctx = SSL_CTX_new(SSLv23_client_method()); -#else - ctx = SSL_CTX_new(TLS_client_method()); -#endif - if(ctx) { -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); -#else - SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); -# if defined(TLS_MAX_VERSION) - SSL_CTX_set_max_proto_version(ctx, TLS_MAX_VERSION); -# elif defined(TLS1_3_VERSION) - SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); -# elif defined(TLS1_2_VERSION) - SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); -# endif -#endif - } - - if(mode) - SSL_CTX_set_mode(ctx, mode); - - return ctx; -} - -/** - * Initialize OpenSSL server - * - * Starts the server context with TLS 1.2 and load the certificate. - * - * @return It returns the context on success or NULL otherwise - */ -static SSL_CTX * netdata_ssl_create_server_ctx(unsigned long mode) { - SSL_CTX *ctx; - char lerror[512]; - static int netdata_id_context = 1; - - //TO DO: Confirm the necessity to check return for other OPENSSL function -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - ctx = SSL_CTX_new(SSLv23_server_method()); - if (!ctx) { - netdata_log_error("Cannot create a new SSL context, netdata won't encrypt communication"); - return NULL; - } - - SSL_CTX_use_certificate_file(ctx, netdata_ssl_security_cert, SSL_FILETYPE_PEM); -#else - ctx = SSL_CTX_new(TLS_server_method()); - if (!ctx) { - netdata_log_error("Cannot create a new SSL context, netdata won't encrypt communication"); - return NULL; - } - - SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert); -#endif - -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); -#else - SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); - SSL_CTX_set_max_proto_version(ctx, netdata_ssl_select_tls_version(tls_version)); - - if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) { - if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { - netdata_log_error("SSL error. cannot set the cipher list"); - } - } -#endif - - SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM); - - if (!SSL_CTX_check_private_key(ctx)) { - ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror)); - netdata_log_error("SSL cannot check the private key: %s",lerror); - SSL_CTX_free(ctx); - return NULL; - } - - SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context)); - SSL_CTX_set_info_callback(ctx, netdata_ssl_info_callback); - -#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095) - SSL_CTX_set_verify_depth(ctx,1); -#endif - netdata_log_debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n"); - - SSL_CTX_set_mode(ctx, mode); - - return ctx; -} - -/** - * Start SSL - * - * Call the correct function to start the SSL context. - * - * @param selector informs the context that must be initialized, the following list has the valid values: - * NETDATA_SSL_CONTEXT_SERVER - the server context - * NETDATA_SSL_CONTEXT_STREAMING - Starts the streaming context. - * NETDATA_SSL_CONTEXT_EXPORTING - Starts the OpenTSDB context - */ -void netdata_ssl_initialize_ctx(int selector) { - static SPINLOCK sp = NETDATA_SPINLOCK_INITIALIZER; - spinlock_lock(&sp); - - switch (selector) { - case NETDATA_SSL_WEB_SERVER_CTX: { - if(!netdata_ssl_web_server_ctx) { - struct stat statbuf; - if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) - netdata_log_info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n"); - else { - netdata_ssl_web_server_ctx = netdata_ssl_create_server_ctx( - SSL_MODE_ENABLE_PARTIAL_WRITE | - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | - // SSL_MODE_AUTO_RETRY | - 0); - - if(netdata_ssl_web_server_ctx && !netdata_ssl_validate_certificate) - SSL_CTX_set_verify(netdata_ssl_web_server_ctx, SSL_VERIFY_NONE, NULL); - } - } - break; - } - - case NETDATA_SSL_STREAMING_SENDER_CTX: { - if(!netdata_ssl_streaming_sender_ctx) { - //This is necessary for the stream, because it is working sometimes with nonblock socket. - //It returns the bitmask after to change, there is not any description of errors in the documentation - netdata_ssl_streaming_sender_ctx = netdata_ssl_create_client_ctx( - SSL_MODE_ENABLE_PARTIAL_WRITE | - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | - // SSL_MODE_AUTO_RETRY | - 0 - ); - - if(netdata_ssl_streaming_sender_ctx && !netdata_ssl_validate_certificate_sender) - SSL_CTX_set_verify(netdata_ssl_streaming_sender_ctx, SSL_VERIFY_NONE, NULL); - } - break; - } - - case NETDATA_SSL_EXPORTING_CTX: { - if(!netdata_ssl_exporting_ctx) { - netdata_ssl_exporting_ctx = netdata_ssl_create_client_ctx(0); - - if(netdata_ssl_exporting_ctx && !netdata_ssl_validate_certificate) - SSL_CTX_set_verify(netdata_ssl_exporting_ctx, SSL_VERIFY_NONE, NULL); - } - break; - } - } - - spinlock_unlock(&sp); -} - -/** - * Clean Open SSL - * - * Clean all the allocated contexts from netdata. - */ -void netdata_ssl_cleanup() -{ - if (netdata_ssl_web_server_ctx) { - SSL_CTX_free(netdata_ssl_web_server_ctx); - netdata_ssl_web_server_ctx = NULL; - } - - if (netdata_ssl_streaming_sender_ctx) { - SSL_CTX_free(netdata_ssl_streaming_sender_ctx); - netdata_ssl_streaming_sender_ctx = NULL; - } - - if (netdata_ssl_exporting_ctx) { - SSL_CTX_free(netdata_ssl_exporting_ctx); - netdata_ssl_exporting_ctx = NULL; - } - -#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 - ERR_free_strings(); -#endif -} - -/** - * Test Certificate - * - * Check the certificate of Netdata parent - * - * @param ssl is the connection structure - * - * @return It returns 0 on success and -1 otherwise - */ -int security_test_certificate(SSL *ssl) { - X509* cert = SSL_get_peer_certificate(ssl); - int ret; - long status; - if (!cert) { - return -1; - } - - status = SSL_get_verify_result(ssl); - if((X509_V_OK != status)) - { - char error[512]; - ERR_error_string_n(ERR_get_error(), error, sizeof(error)); - netdata_log_error("SSL RFC4158 check: We have a invalid certificate, the tests result with %ld and message %s", status, error); - ret = -1; - } else { - ret = 0; - } - - return ret; -} - -/** - * Location for context - * - * Case the user give us a directory with the certificates available and - * the Netdata parent certificate, we use this function to validate the certificate. - * - * @param ctx the context where the path will be set. - * @param file the file with Netdata parent certificate. - * @param path the directory where the certificates are stored. - * - * @return It returns 0 on success and -1 otherwise. - */ -int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) { - int load_custom = 1, load_default = 1; - if (file || path) { - if(!SSL_CTX_load_verify_locations(ctx, file, path)) { - netdata_log_info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!"); - load_custom = 0; - } - } - - if(!SSL_CTX_set_default_verify_paths(ctx)) { - netdata_log_info("Can not verify default OpenSSL configuration to validate certificates!"); - load_default = 0; - } - - if (load_custom == 0 && load_default == 0) - return -1; - - return 0; -} -#endif diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h deleted file mode 100644 index fd17b6f3..00000000 --- a/libnetdata/socket/security.h +++ /dev/null @@ -1,74 +0,0 @@ -#ifndef NETDATA_SECURITY_H -# define NETDATA_SECURITY_H - -typedef enum __attribute__((packed)) { - NETDATA_SSL_STATE_NOT_SSL = 1, // This connection is not SSL - NETDATA_SSL_STATE_INIT, // SSL handshake is initialized - NETDATA_SSL_STATE_FAILED, // SSL handshake failed - NETDATA_SSL_STATE_COMPLETE, // SSL handshake successful -} NETDATA_SSL_STATE; - -#define NETDATA_SSL_WEB_SERVER_CTX 0 -#define NETDATA_SSL_STREAMING_SENDER_CTX 1 -#define NETDATA_SSL_EXPORTING_CTX 2 - -# ifdef ENABLE_HTTPS - -#define OPENSSL_VERSION_095 0x00905100L -#define OPENSSL_VERSION_097 0x0907000L -#define OPENSSL_VERSION_110 0x10100000L -#define OPENSSL_VERSION_111 0x10101000L -#define OPENSSL_VERSION_300 0x30000000L - -# include <openssl/ssl.h> -# include <openssl/err.h> -# include <openssl/evp.h> -# include <openssl/pem.h> -# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) -# include <openssl/conf.h> -# endif - -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300 -#include <openssl/core_names.h> -#include <openssl/decoder.h> -#endif - -typedef struct netdata_ssl { - SSL *conn; // SSL connection - NETDATA_SSL_STATE state; // The state for SSL connection - unsigned long ssl_errno; // The SSL errno of the last SSL call -} NETDATA_SSL; - -#define NETDATA_SSL_UNSET_CONNECTION (NETDATA_SSL){ .conn = NULL, .state = NETDATA_SSL_STATE_NOT_SSL } - -#define SSL_connection(ssl) ((ssl)->conn && (ssl)->state != NETDATA_SSL_STATE_NOT_SSL) - -extern SSL_CTX *netdata_ssl_exporting_ctx; -extern SSL_CTX *netdata_ssl_streaming_sender_ctx; -extern SSL_CTX *netdata_ssl_web_server_ctx; -extern const char *netdata_ssl_security_key; -extern const char *netdata_ssl_security_cert; -extern const char *tls_version; -extern const char *tls_ciphers; -extern bool netdata_ssl_validate_certificate; -extern bool netdata_ssl_validate_certificate_sender; -int ssl_security_location_for_context(SSL_CTX *ctx,char *file,char *path); - -void netdata_ssl_initialize_openssl(); -void netdata_ssl_cleanup(); -void netdata_ssl_initialize_ctx(int selector); -int security_test_certificate(SSL *ssl); -SSL_CTX * netdata_ssl_create_client_ctx(unsigned long mode); - -bool netdata_ssl_connect(NETDATA_SSL *ssl); -bool netdata_ssl_accept(NETDATA_SSL *ssl); - -bool netdata_ssl_open(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd); -bool netdata_ssl_open_ext(NETDATA_SSL *ssl, SSL_CTX *ctx, int fd, const unsigned char *alpn_protos, unsigned int alpn_protos_len); -void netdata_ssl_close(NETDATA_SSL *ssl); - -ssize_t netdata_ssl_read(NETDATA_SSL *ssl, void *buf, size_t num); -ssize_t netdata_ssl_write(NETDATA_SSL *ssl, const void *buf, size_t num); - -# endif //ENABLE_HTTPS -#endif //NETDATA_SECURITY_H diff --git a/libnetdata/socket/socket.c b/libnetdata/socket/socket.c deleted file mode 100644 index 605e8563..00000000 --- a/libnetdata/socket/socket.c +++ /dev/null @@ -1,2130 +0,0 @@ -// SPDX-License-Identifier: GPL-3.0-or-later - -#ifndef _GNU_SOURCE -#define _GNU_SOURCE // for POLLRDHUP -#endif - -#ifndef __BSD_VISIBLE -#define __BSD_VISIBLE // for POLLRDHUP -#endif - -#include "../libnetdata.h" - -bool ip_to_hostname(const char *ip, char *dst, size_t dst_len) { - if(!dst || !dst_len) - return false; - - struct sockaddr_in sa; - struct sockaddr_in6 sa6; - struct sockaddr *sa_ptr; - int sa_len; - - // Try to convert the IP address to sockaddr_in (IPv4) - if (inet_pton(AF_INET, ip, &(sa.sin_addr)) == 1) { - sa.sin_family = AF_INET; - sa_ptr = (struct sockaddr *)&sa; - sa_len = sizeof(sa); - } - // Try to convert the IP address to sockaddr_in6 (IPv6) - else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) == 1) { - sa6.sin6_family = AF_INET6; - sa_ptr = (struct sockaddr *)&sa6; - sa_len = sizeof(sa6); - } - - else { - dst[0] = '\0'; - return false; - } - - // Perform the reverse lookup - int res = getnameinfo(sa_ptr, sa_len, dst, dst_len, NULL, 0, NI_NAMEREQD); - if(res != 0) - return false; - - return true; -} - -SOCKET_PEERS socket_peers(int sock_fd) { - SOCKET_PEERS peers; - - if(sock_fd < 0) { - strncpyz(peers.peer.ip, "not connected", sizeof(peers.peer.ip) - 1); - peers.peer.port = 0; - - strncpyz(peers.local.ip, "not connected", sizeof(peers.local.ip) - 1); - peers.local.port = 0; - - return peers; - } - - struct sockaddr_storage addr; - socklen_t addr_len = sizeof(addr); - - // Get peer info - if (getpeername(sock_fd, (struct sockaddr *)&addr, &addr_len) == 0) { - if (addr.ss_family == AF_INET) { // IPv4 - struct sockaddr_in *s = (struct sockaddr_in *)&addr; - inet_ntop(AF_INET, &s->sin_addr, peers.peer.ip, sizeof(peers.peer.ip)); - peers.peer.port = ntohs(s->sin_port); - } - else { // IPv6 - struct sockaddr_in6 *s = (struct sockaddr_in6 *)&addr; - inet_ntop(AF_INET6, &s->sin6_addr, peers.peer.ip, sizeof(peers.peer.ip)); - peers.peer.port = ntohs(s->sin6_port); - } - } - else { - strncpyz(peers.peer.ip, "unknown", sizeof(peers.peer.ip) - 1); - peers.peer.port = 0; - } - - // Get local info - addr_len = sizeof(addr); - if (getsockname(sock_fd, (struct sockaddr *)&addr, &addr_len) == 0) { - if (addr.ss_family == AF_INET) { // IPv4 - struct sockaddr_in *s = (struct sockaddr_in *) &addr; - inet_ntop(AF_INET, &s->sin_addr, peers.local.ip, sizeof(peers.local.ip)); - peers.local.port = ntohs(s->sin_port); - } else { // IPv6 - struct sockaddr_in6 *s = (struct sockaddr_in6 *) &addr; - inet_ntop(AF_INET6, &s->sin6_addr, peers.local.ip, sizeof(peers.local.ip)); - peers.local.port = ntohs(s->sin6_port); - } - } - else { - strncpyz(peers.local.ip, "unknown", sizeof(peers.local.ip) - 1); - peers.local.port = 0; - } - - return peers; -} - - -// -------------------------------------------------------------------------------------------------------------------- -// various library calls - -#ifdef __gnu_linux__ -#define LARGE_SOCK_SIZE 33554431 // don't ask why - I found it at brubeck source - I guess it is just a large number -#else -#define LARGE_SOCK_SIZE 4096 -#endif - -bool fd_is_socket(int fd) { - int type; - socklen_t len = sizeof(type); - if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == -1) - return false; - - return true; -} - -bool sock_has_output_error(int fd) { - if(fd < 0) { - //internal_error(true, "invalid socket %d", fd); - return false; - } - -// if(!fd_is_socket(fd)) { -// //internal_error(true, "fd %d is not a socket", fd); -// return false; -// } - - short int errors = POLLERR | POLLHUP | POLLNVAL; - -#ifdef POLLRDHUP - errors |= POLLRDHUP; -#endif - - struct pollfd pfd = { - .fd = fd, - .events = POLLOUT | errors, - .revents = 0, - }; - - if(poll(&pfd, 1, 0) == -1) { - //internal_error(true, "poll() failed"); - return false; - } - - return ((pfd.revents & errors) || !(pfd.revents & POLLOUT)); -} - -int sock_setnonblock(int fd) { - int flags; - - flags = fcntl(fd, F_GETFL); - flags |= O_NONBLOCK; - - int ret = fcntl(fd, F_SETFL, flags); - if(ret < 0) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set O_NONBLOCK on socket %d", - fd); - - return ret; -} - -int sock_delnonblock(int fd) { - int flags; - - flags = fcntl(fd, F_GETFL); - flags &= ~O_NONBLOCK; - - int ret = fcntl(fd, F_SETFL, flags); - if(ret < 0) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to remove O_NONBLOCK on socket %d", - fd); - - return ret; -} - -int sock_setreuse(int fd, int reuse) { - int ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)); - - if(ret == -1) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set SO_REUSEADDR on socket %d", - fd); - - return ret; -} - -int sock_setreuse_port(int fd, int reuse) { - int ret; - -#ifdef SO_REUSEPORT - ret = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &reuse, sizeof(reuse)); - if(ret == -1 && errno != ENOPROTOOPT) - nd_log(NDLS_DAEMON, NDLP_ERR, - "failed to set SO_REUSEPORT on socket %d", - fd); -#else - ret = -1; -#endif - - return ret; -} - -int sock_enlarge_in(int fd) { - int ret, bs = LARGE_SOCK_SIZE; - - ret = setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bs, sizeof(bs)); - - if(ret == -1) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set SO_RCVBUF on socket %d", - fd); - - return ret; -} - -int sock_enlarge_out(int fd) { - int ret, bs = LARGE_SOCK_SIZE; - ret = setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &bs, sizeof(bs)); - - if(ret == -1) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set SO_SNDBUF on socket %d", - fd); - - return ret; -} - - -// -------------------------------------------------------------------------------------------------------------------- - -char *strdup_client_description(int family, const char *protocol, const char *ip, uint16_t port) { - char buffer[100 + 1]; - - switch(family) { - case AF_INET: - snprintfz(buffer, sizeof(buffer) - 1, "%s:%s:%d", protocol, ip, port); - break; - - case AF_INET6: - default: - snprintfz(buffer, sizeof(buffer) - 1, "%s:[%s]:%d", protocol, ip, port); - break; - - case AF_UNIX: - snprintfz(buffer, sizeof(buffer) - 1, "%s:%s", protocol, ip); - break; - } - - return strdupz(buffer); -} - -// -------------------------------------------------------------------------------------------------------------------- -// listening sockets - -int create_listen_socket_unix(const char *path, int listen_backlog) { - int sock; - - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if(sock < 0) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: UNIX socket() on path '%s' failed.", - path); - - return -1; - } - - sock_setnonblock(sock); - sock_enlarge_in(sock); - - struct sockaddr_un name; - memset(&name, 0, sizeof(struct sockaddr_un)); - name.sun_family = AF_UNIX; - strncpy(name.sun_path, path, sizeof(name.sun_path)-1); - - errno = 0; - if (unlink(path) == -1 && errno != ENOENT) - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: failed to remove existing (probably obsolete or left-over) file on UNIX socket path '%s'.", - path); - - if(bind (sock, (struct sockaddr *) &name, sizeof (name)) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: UNIX bind() on path '%s' failed.", - path); - - return -1; - } - - // we have to chmod this to 0777 so that the client will be able - // to read from and write to this socket. - if(chmod(path, 0777) == -1) - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: failed to chmod() socket file '%s'.", - path); - - if(listen(sock, listen_backlog) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: UNIX listen() on path '%s' failed.", - path); - - return -1; - } - - return sock; -} - -int create_listen_socket4(int socktype, const char *ip, uint16_t port, int listen_backlog) { - int sock; - - sock = socket(AF_INET, socktype, 0); - if(sock < 0) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv4 socket() on ip '%s' port %d, socktype %d failed.", - ip, port, socktype); - - return -1; - } - - sock_setreuse(sock, 1); - sock_setreuse_port(sock, 0); - sock_setnonblock(sock); - sock_enlarge_in(sock); - - struct sockaddr_in name; - memset(&name, 0, sizeof(struct sockaddr_in)); - name.sin_family = AF_INET; - name.sin_port = htons (port); - - int ret = inet_pton(AF_INET, ip, (void *)&name.sin_addr.s_addr); - if(ret != 1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Failed to convert IP '%s' to a valid IPv4 address.", - ip); - - close(sock); - return -1; - } - - if(bind (sock, (struct sockaddr *) &name, sizeof (name)) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv4 bind() on ip '%s' port %d, socktype %d failed.", - ip, port, socktype); - - return -1; - } - - if(socktype == SOCK_STREAM && listen(sock, listen_backlog) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv4 listen() on ip '%s' port %d, socktype %d failed.", - ip, port, socktype); - - return -1; - } - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "LISTENER: Listening on IPv4 ip '%s' port %d, socktype %d", - ip, port, socktype); - - return sock; -} - -int create_listen_socket6(int socktype, uint32_t scope_id, const char *ip, int port, int listen_backlog) { - int sock; - int ipv6only = 1; - - sock = socket(AF_INET6, socktype, 0); - if (sock < 0) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv6 socket() on ip '%s' port %d, socktype %d, failed.", - ip, port, socktype); - - return -1; - } - - sock_setreuse(sock, 1); - sock_setreuse_port(sock, 0); - sock_setnonblock(sock); - sock_enlarge_in(sock); - - /* IPv6 only */ - if(setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&ipv6only, sizeof(ipv6only)) != 0) - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Cannot set IPV6_V6ONLY on ip '%s' port %d, socktype %d.", - ip, port, socktype); - - struct sockaddr_in6 name; - memset(&name, 0, sizeof(struct sockaddr_in6)); - name.sin6_family = AF_INET6; - name.sin6_port = htons ((uint16_t) port); - name.sin6_scope_id = scope_id; - - int ret = inet_pton(AF_INET6, ip, (void *)&name.sin6_addr.s6_addr); - if(ret != 1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Failed to convert IP '%s' to a valid IPv6 address.", - ip); - - close(sock); - return -1; - } - - name.sin6_scope_id = scope_id; - - if (bind (sock, (struct sockaddr *) &name, sizeof (name)) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv6 bind() on ip '%s' port %d, socktype %d failed.", - ip, port, socktype); - - return -1; - } - - if (socktype == SOCK_STREAM && listen(sock, listen_backlog) < 0) { - close(sock); - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: IPv6 listen() on ip '%s' port %d, socktype %d failed.", - ip, port, socktype); - - return -1; - } - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "LISTENER: Listening on IPv6 ip '%s' port %d, socktype %d", - ip, port, socktype); - - return sock; -} - -static inline int listen_sockets_add(LISTEN_SOCKETS *sockets, int fd, int family, int socktype, const char *protocol, const char *ip, uint16_t port, int acl_flags) { - if(sockets->opened >= MAX_LISTEN_FDS) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Too many listening sockets. Failed to add listening %s socket at ip '%s' port %d, protocol %s, socktype %d", - protocol, ip, port, protocol, socktype); - - close(fd); - return -1; - } - - sockets->fds[sockets->opened] = fd; - sockets->fds_types[sockets->opened] = socktype; - sockets->fds_families[sockets->opened] = family; - sockets->fds_names[sockets->opened] = strdup_client_description(family, protocol, ip, port); - sockets->fds_acl_flags[sockets->opened] = acl_flags; - - sockets->opened++; - return 0; -} - -int listen_sockets_check_is_member(LISTEN_SOCKETS *sockets, int fd) { - size_t i; - for(i = 0; i < sockets->opened ;i++) - if(sockets->fds[i] == fd) return 1; - - return 0; -} - -static inline void listen_sockets_init(LISTEN_SOCKETS *sockets) { - size_t i; - for(i = 0; i < MAX_LISTEN_FDS ;i++) { - sockets->fds[i] = -1; - sockets->fds_names[i] = NULL; - sockets->fds_types[i] = -1; - } - - sockets->opened = 0; - sockets->failed = 0; -} - -void listen_sockets_close(LISTEN_SOCKETS *sockets) { - size_t i; - for(i = 0; i < sockets->opened ;i++) { - close(sockets->fds[i]); - sockets->fds[i] = -1; - - freez(sockets->fds_names[i]); - sockets->fds_names[i] = NULL; - - sockets->fds_types[i] = -1; - } - - sockets->opened = 0; - sockets->failed = 0; -} - -/* - * SSL ACL - * - * Search the SSL acl and apply it case it is set. - * - * @param acl is the acl given by the user. - */ -WEB_CLIENT_ACL socket_ssl_acl(char *acl) { - char *ssl = strchr(acl,'^'); - if(ssl) { - //Due the format of the SSL command it is always the last command, - //we finish it here to avoid problems with the ACLs - *ssl = '\0'; -#ifdef ENABLE_HTTPS - ssl++; - if (!strncmp("SSL=",ssl,4)) { - ssl += 4; - if (!strcmp(ssl,"optional")) { - return WEB_CLIENT_ACL_SSL_OPTIONAL; - } - else if (!strcmp(ssl,"force")) { - return WEB_CLIENT_ACL_SSL_FORCE; - } - } -#endif - } - - return WEB_CLIENT_ACL_NONE; -} - -WEB_CLIENT_ACL read_acl(char *st) { - WEB_CLIENT_ACL ret = socket_ssl_acl(st); - - if (!strcmp(st,"dashboard")) ret |= WEB_CLIENT_ACL_DASHBOARD; - if (!strcmp(st,"registry")) ret |= WEB_CLIENT_ACL_REGISTRY; - if (!strcmp(st,"badges")) ret |= WEB_CLIENT_ACL_BADGE; - if (!strcmp(st,"management")) ret |= WEB_CLIENT_ACL_MGMT; - if (!strcmp(st,"streaming")) ret |= WEB_CLIENT_ACL_STREAMING; - if (!strcmp(st,"netdata.conf")) ret |= WEB_CLIENT_ACL_NETDATACONF; - - return ret; -} - -static inline int bind_to_this(LISTEN_SOCKETS *sockets, const char *definition, uint16_t default_port, int listen_backlog) { - int added = 0; - WEB_CLIENT_ACL acl_flags = WEB_CLIENT_ACL_NONE; - - struct addrinfo hints; - struct addrinfo *result = NULL, *rp = NULL; - - char buffer[strlen(definition) + 1]; - strcpy(buffer, definition); - - char buffer2[10 + 1]; - snprintfz(buffer2, 10, "%d", default_port); - - char *ip = buffer, *port = buffer2, *interface = "", *portconfig;; - - int protocol = IPPROTO_TCP, socktype = SOCK_STREAM; - const char *protocol_str = "tcp"; - - if(strncmp(ip, "tcp:", 4) == 0) { - ip += 4; - protocol = IPPROTO_TCP; - socktype = SOCK_STREAM; - protocol_str = "tcp"; - } - else if(strncmp(ip, "udp:", 4) == 0) { - ip += 4; - protocol = IPPROTO_UDP; - socktype = SOCK_DGRAM; - protocol_str = "udp"; - } - else if(strncmp(ip, "unix:", 5) == 0) { - char *path = ip + 5; - socktype = SOCK_STREAM; - protocol_str = "unix"; - int fd = create_listen_socket_unix(path, listen_backlog); - if (fd == -1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Cannot create unix socket '%s'", - path); - - sockets->failed++; - } else { - acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING | WEB_CLIENT_ACL_SSL_DEFAULT; - listen_sockets_add(sockets, fd, AF_UNIX, socktype, protocol_str, path, 0, acl_flags); - added++; - } - return added; - } - - char *e = ip; - if(*e == '[') { - e = ++ip; - while(*e && *e != ']') e++; - if(*e == ']') { - *e = '\0'; - e++; - } - } - else { - while(*e && *e != ':' && *e != '%' && *e != '=') e++; - } - - if(*e == '%') { - *e = '\0'; - e++; - interface = e; - while(*e && *e != ':' && *e != '=') e++; - } - - if(*e == ':') { - port = e + 1; - *e = '\0'; - e++; - while(*e && *e != '=') e++; - } - - if(*e == '=') { - *e='\0'; - e++; - portconfig = e; - while (*e != '\0') { - if (*e == '|') { - *e = '\0'; - acl_flags |= read_acl(portconfig); - e++; - portconfig = e; - continue; - } - e++; - } - acl_flags |= read_acl(portconfig); - } else { - acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING | WEB_CLIENT_ACL_SSL_DEFAULT; - } - - //Case the user does not set the option SSL in the "bind to", but he has - //the certificates, I must redirect, so I am assuming here the default option - if(!(acl_flags & WEB_CLIENT_ACL_SSL_OPTIONAL) && !(acl_flags & WEB_CLIENT_ACL_SSL_FORCE)) { - acl_flags |= WEB_CLIENT_ACL_SSL_DEFAULT; - } - - uint32_t scope_id = 0; - if(*interface) { - scope_id = if_nametoindex(interface); - if(!scope_id) - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Cannot find a network interface named '%s'. " - "Continuing with limiting the network interface", - interface); - } - - if(!*ip || *ip == '*' || !strcmp(ip, "any") || !strcmp(ip, "all")) - ip = NULL; - - if(!*port) - port = buffer2; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ - hints.ai_socktype = socktype; - hints.ai_flags = AI_PASSIVE; /* For wildcard IP address */ - hints.ai_protocol = protocol; - hints.ai_canonname = NULL; - hints.ai_addr = NULL; - hints.ai_next = NULL; - - int r = getaddrinfo(ip, port, &hints, &result); - if (r != 0) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: getaddrinfo('%s', '%s'): %s\n", - ip, port, gai_strerror(r)); - - return -1; - } - - for (rp = result; rp != NULL; rp = rp->ai_next) { - int fd = -1; - int family; - - char rip[INET_ADDRSTRLEN + INET6_ADDRSTRLEN] = "INVALID"; - uint16_t rport = default_port; - - family = rp->ai_addr->sa_family; - switch (family) { - case AF_INET: { - struct sockaddr_in *sin = (struct sockaddr_in *) rp->ai_addr; - inet_ntop(AF_INET, &sin->sin_addr, rip, INET_ADDRSTRLEN); - rport = ntohs(sin->sin_port); - fd = create_listen_socket4(socktype, rip, rport, listen_backlog); - break; - } - - case AF_INET6: { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) rp->ai_addr; - inet_ntop(AF_INET6, &sin6->sin6_addr, rip, INET6_ADDRSTRLEN); - rport = ntohs(sin6->sin6_port); - fd = create_listen_socket6(socktype, scope_id, rip, rport, listen_backlog); - break; - } - - default: - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "LISTENER: Unknown socket family %d", - family); - - break; - } - - if (fd == -1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Cannot bind to ip '%s', port %d", - rip, rport); - - sockets->failed++; - } - else { - listen_sockets_add(sockets, fd, family, socktype, protocol_str, rip, rport, acl_flags); - added++; - } - } - - freeaddrinfo(result); - - return added; -} - -int listen_sockets_setup(LISTEN_SOCKETS *sockets) { - listen_sockets_init(sockets); - - sockets->backlog = (int) appconfig_get_number(sockets->config, sockets->config_section, "listen backlog", sockets->backlog); - - long long int old_port = sockets->default_port; - long long int new_port = appconfig_get_number(sockets->config, sockets->config_section, "default port", sockets->default_port); - if(new_port < 1 || new_port > 65535) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Invalid listen port %lld given. Defaulting to %lld.", - new_port, old_port); - - sockets->default_port = (uint16_t) appconfig_set_number(sockets->config, sockets->config_section, "default port", old_port); - } - else sockets->default_port = (uint16_t)new_port; - - char *s = appconfig_get(sockets->config, sockets->config_section, "bind to", sockets->default_bind_to); - while(*s) { - char *e = s; - - // skip separators, moving both s(tart) and e(nd) - while(isspace(*e) || *e == ',') s = ++e; - - // move e(nd) to the first separator - while(*e && !isspace(*e) && *e != ',') e++; - - // is there anything? - if(!*s || s == e) break; - - char buf[e - s + 1]; - strncpyz(buf, s, e - s); - bind_to_this(sockets, buf, sockets->default_port, sockets->backlog); - - s = e; - } - - if(sockets->failed) { - size_t i; - for(i = 0; i < sockets->opened ;i++) - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "LISTENER: Listen socket %s opened successfully.", - sockets->fds_names[i]); - } - - return (int)sockets->opened; -} - - -// -------------------------------------------------------------------------------------------------------------------- -// connect to another host/port - -// connect_to_this_unix() -// path the path of the unix socket -// timeout the timeout for establishing a connection - -static inline int connect_to_unix(const char *path, struct timeval *timeout) { - int fd = socket(AF_UNIX, SOCK_STREAM, 0); - if(fd == -1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to create UNIX socket() for '%s'", - path); - - return -1; - } - - if(timeout) { - if(setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, (char *) timeout, sizeof(struct timeval)) < 0) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set timeout on UNIX socket '%s'", - path); - } - - struct sockaddr_un addr; - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, path, sizeof(addr.sun_path)-1); - - if (connect(fd, (struct sockaddr*)&addr, sizeof(addr)) == -1) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "Cannot connect to UNIX socket on path '%s'.", - path); - - close(fd); - return -1; - } - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "Connected to UNIX socket on path '%s'.", - path); - - return fd; -} - -// connect_to_this_ip46() -// protocol IPPROTO_TCP, IPPROTO_UDP -// socktype SOCK_STREAM, SOCK_DGRAM -// host the destination hostname or IP address (IPv4 or IPv6) to connect to -// if it resolves to many IPs, all are tried (IPv4 and IPv6) -// scope_id the if_index id of the interface to use for connecting (0 = any) -// (used only under IPv6) -// service the service name or port to connect to -// timeout the timeout for establishing a connection - -int connect_to_this_ip46(int protocol, int socktype, const char *host, uint32_t scope_id, const char *service, struct timeval *timeout) { - struct addrinfo hints; - struct addrinfo *ai_head = NULL, *ai = NULL; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; /* Allow IPv4 or IPv6 */ - hints.ai_socktype = socktype; - hints.ai_protocol = protocol; - - int ai_err = getaddrinfo(host, service, &hints, &ai_head); - if (ai_err != 0) { - - nd_log(NDLS_DAEMON, NDLP_ERR, - "Cannot resolve host '%s', port '%s': %s", - host, service, gai_strerror(ai_err)); - - return -1; - } - - char hostBfr[NI_MAXHOST + 1]; - char servBfr[NI_MAXSERV + 1]; - - ND_LOG_STACK lgs[] = { - ND_LOG_FIELD_TXT(NDF_DST_IP, hostBfr), - ND_LOG_FIELD_TXT(NDF_DST_PORT, servBfr), - ND_LOG_FIELD_END(), - }; - ND_LOG_STACK_PUSH(lgs); - - int fd = -1; - for (ai = ai_head; ai != NULL && fd == -1; ai = ai->ai_next) { - - if (ai->ai_family == PF_INET6) { - struct sockaddr_in6 *pSadrIn6 = (struct sockaddr_in6 *) ai->ai_addr; - if(pSadrIn6->sin6_scope_id == 0) { - pSadrIn6->sin6_scope_id = scope_id; - } - } - - getnameinfo(ai->ai_addr, - ai->ai_addrlen, - hostBfr, - sizeof(hostBfr), - servBfr, - sizeof(servBfr), - NI_NUMERICHOST | NI_NUMERICSERV); - - switch (ai->ai_addr->sa_family) { - case PF_INET: { - struct sockaddr_in *pSadrIn = (struct sockaddr_in *)ai->ai_addr; - (void)pSadrIn; - break; - } - - case PF_INET6: { - struct sockaddr_in6 *pSadrIn6 = (struct sockaddr_in6 *) ai->ai_addr; - (void)pSadrIn6; - break; - } - - default: { - // Unknown protocol family - continue; - } - } - - fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); - if(fd != -1) { - if(timeout) { - if(setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, (char *) timeout, sizeof(struct timeval)) < 0) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to set timeout on the socket to ip '%s' port '%s'", - hostBfr, servBfr); - } - - errno = 0; - if(connect(fd, ai->ai_addr, ai->ai_addrlen) < 0) { - if(errno == EALREADY || errno == EINPROGRESS) { - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "Waiting for connection to ip %s port %s to be established", - hostBfr, servBfr); - - // Convert 'struct timeval' to milliseconds for poll(): - int timeout_milliseconds = timeout->tv_sec * 1000 + timeout->tv_usec / 1000; - - struct pollfd fds[1]; - fds[0].fd = fd; - fds[0].events = POLLOUT; // We are looking for the ability to write to the socket - - int ret = poll(fds, 1, timeout_milliseconds); - if (ret > 0) { - // poll() completed normally. We can check the revents to see what happened - if (fds[0].revents & POLLOUT) { - // connect() completed successfully, socket is writable. - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "connect() to ip %s port %s completed successfully", - hostBfr, servBfr); - - } - else { - // This means that the socket is in error. We will close it and set fd to -1 - - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to connect to '%s', port '%s'.", - hostBfr, servBfr); - - close(fd); - fd = -1; - } - } - else if (ret == 0) { - // poll() timed out, the connection is not established within the specified timeout. - errno = 0; - - nd_log(NDLS_DAEMON, NDLP_ERR, - "Timed out while connecting to '%s', port '%s'.", - hostBfr, servBfr); - - close(fd); - fd = -1; - } - else { // ret < 0 - // poll() returned an error. - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to connect to '%s', port '%s'. poll() returned %d", - hostBfr, servBfr, ret); - - close(fd); - fd = -1; - } - } - else { - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to connect to '%s', port '%s'", - hostBfr, servBfr); - - close(fd); - fd = -1; - } - } - } - else - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to socket() to '%s', port '%s'", - hostBfr, servBfr); - } - - freeaddrinfo(ai_head); - - return fd; -} - -// connect_to_this() -// -// definition format: -// -// [PROTOCOL:]IP[%INTERFACE][:PORT] -// -// PROTOCOL = tcp or udp -// IP = IPv4 or IPv6 IP or hostname, optionally enclosed in [] (required for IPv6) -// INTERFACE = for IPv6 only, the network interface to use -// PORT = port number or service name - -int connect_to_this(const char *definition, int default_port, struct timeval *timeout) { - char buffer[strlen(definition) + 1]; - strcpy(buffer, definition); - - char default_service[10 + 1]; - snprintfz(default_service, 10, "%d", default_port); - - char *host = buffer, *service = default_service, *interface = ""; - int protocol = IPPROTO_TCP, socktype = SOCK_STREAM; - uint32_t scope_id = 0; - - if(strncmp(host, "tcp:", 4) == 0) { - host += 4; - protocol = IPPROTO_TCP; - socktype = SOCK_STREAM; - } - else if(strncmp(host, "udp:", 4) == 0) { - host += 4; - protocol = IPPROTO_UDP; - socktype = SOCK_DGRAM; - } - else if(strncmp(host, "unix:", 5) == 0) { - char *path = host + 5; - return connect_to_unix(path, timeout); - } - else if(*host == '/') { - char *path = host; - return connect_to_unix(path, timeout); - } - - char *e = host; - if(*e == '[') { - e = ++host; - while(*e && *e != ']') e++; - if(*e == ']') { - *e = '\0'; - e++; - } - } - else { - while(*e && *e != ':' && *e != '%') e++; - } - - if(*e == '%') { - *e = '\0'; - e++; - interface = e; - while(*e && *e != ':') e++; - } - - if(*e == ':') { - *e = '\0'; - e++; - service = e; - } - - if(!*host) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "Definition '%s' does not specify a host.", - definition); - - return -1; - } - - if(*interface) { - scope_id = if_nametoindex(interface); - if(!scope_id) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Cannot find a network interface named '%s'. Continuing with limiting the network interface", - interface); - } - - if(!*service) - service = default_service; - - - return connect_to_this_ip46(protocol, socktype, host, scope_id, service, timeout); -} - -void foreach_entry_in_connection_string(const char *destination, bool (*callback)(char *entry, void *data), void *data) { - const char *s = destination; - while(*s) { - const char *e = s; - - // skip separators, moving both s(tart) and e(nd) - while(isspace(*e) || *e == ',') s = ++e; - - // move e(nd) to the first separator - while(*e && !isspace(*e) && *e != ',') e++; - - // is there anything? - if(!*s || s == e) break; - - char buf[e - s + 1]; - strncpyz(buf, s, e - s); - - if(callback(buf, data)) break; - - s = e; - } -} - -struct connect_to_one_of_data { - int default_port; - struct timeval *timeout; - size_t *reconnects_counter; - char *connected_to; - size_t connected_to_size; - int sock; -}; - -static bool connect_to_one_of_callback(char *entry, void *data) { - struct connect_to_one_of_data *t = data; - - if(t->reconnects_counter) - t->reconnects_counter++; - - t->sock = connect_to_this(entry, t->default_port, t->timeout); - if(t->sock != -1) { - if(t->connected_to && t->connected_to_size) { - strncpyz(t->connected_to, entry, t->connected_to_size); - t->connected_to[t->connected_to_size - 1] = '\0'; - } - - return true; - } - - return false; -} - -int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size) { - struct connect_to_one_of_data t = { - .default_port = default_port, - .timeout = timeout, - .reconnects_counter = reconnects_counter, - .connected_to = connected_to, - .connected_to_size = connected_to_size, - .sock = -1, - }; - - foreach_entry_in_connection_string(destination, connect_to_one_of_callback, &t); - - return t.sock; -} - -static bool connect_to_one_of_urls_callback(char *entry, void *data) { - char *s = strchr(entry, '/'); - if(s) *s = '\0'; - - return connect_to_one_of_callback(entry, data); -} - -int connect_to_one_of_urls(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size) { - struct connect_to_one_of_data t = { - .default_port = default_port, - .timeout = timeout, - .reconnects_counter = reconnects_counter, - .connected_to = connected_to, - .connected_to_size = connected_to_size, - .sock = -1, - }; - - foreach_entry_in_connection_string(destination, connect_to_one_of_urls_callback, &t); - - return t.sock; -} - - -// -------------------------------------------------------------------------------------------------------------------- -// helpers to send/receive data in one call, in blocking mode, with a timeout - -#ifdef ENABLE_HTTPS -ssize_t recv_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { -#else -ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) { -#endif - - for(;;) { - struct pollfd fd = { - .fd = sockfd, - .events = POLLIN, - .revents = 0 - }; - - errno = 0; - int retval = poll(&fd, 1, timeout * 1000); - - if(retval == -1) { - // failed - - if(errno == EINTR || errno == EAGAIN) - continue; - - return -1; - } - - if(!retval) { - // timeout - return 0; - } - - if(fd.revents & POLLIN) - break; - } - -#ifdef ENABLE_HTTPS - if (SSL_connection(ssl)) { - return netdata_ssl_read(ssl, buf, len); - } -#endif - - return recv(sockfd, buf, len, flags); -} - -#ifdef ENABLE_HTTPS -ssize_t send_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout) { -#else -ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout) { -#endif - - for(;;) { - struct pollfd fd = { - .fd = sockfd, - .events = POLLOUT, - .revents = 0 - }; - - errno = 0; - int retval = poll(&fd, 1, timeout * 1000); - - if(retval == -1) { - // failed - - if(errno == EINTR || errno == EAGAIN) - continue; - - return -1; - } - - if(!retval) { - // timeout - return 0; - } - - if(fd.revents & POLLOUT) break; - } - -#ifdef ENABLE_HTTPS - if(ssl->conn) { - if (SSL_connection(ssl)) { - return netdata_ssl_write(ssl, buf, len); - } - else { - nd_log(NDLS_DAEMON, NDLP_ERR, - "cannot write to SSL connection - connection is not ready."); - - return -1; - } - } -#endif - return send(sockfd, buf, len, flags); -} - - -// -------------------------------------------------------------------------------------------------------------------- -// accept4() replacement for systems that do not have one - -#ifndef HAVE_ACCEPT4 -int accept4(int sock, struct sockaddr *addr, socklen_t *addrlen, int flags) { - int fd = accept(sock, addr, addrlen); - int newflags = 0; - - if (fd < 0) return fd; - - if (flags & SOCK_NONBLOCK) { - newflags |= O_NONBLOCK; - flags &= ~SOCK_NONBLOCK; - } - -#ifdef SOCK_CLOEXEC -#ifdef O_CLOEXEC - if (flags & SOCK_CLOEXEC) { - newflags |= O_CLOEXEC; - flags &= ~SOCK_CLOEXEC; - } -#endif -#endif - - if (flags) { - close(fd); - errno = EINVAL; - return -1; - } - - if (fcntl(fd, F_SETFL, newflags) < 0) { - int saved_errno = errno; - close(fd); - errno = saved_errno; - return -1; - } - - return fd; -} -#endif - -/* - * --------------------------------------------------------------------------------------------------------------------- - * connection_allowed() - if there is an access list then check the connection matches a pattern. - * Numeric patterns are checked against the IP address first, only if they - * do not match is the hostname resolved (reverse-DNS) and checked. If the - * hostname matches then we perform forward DNS resolution to check the IP - * is really associated with the DNS record. This call is repeatable: the - * web server may check more refined matches against the connection. Will - * update the client_host if uninitialized - ensure the hostsize is the number - * of *writable* bytes (i.e. be aware of the strdup used to compact the pollinfo). - */ -int connection_allowed(int fd, char *client_ip, char *client_host, size_t hostsize, SIMPLE_PATTERN *access_list, - const char *patname, int allow_dns) -{ - if (!access_list) - return 1; - if (simple_pattern_matches(access_list, client_ip)) - return 1; - // If the hostname is unresolved (and needed) then attempt the DNS lookups. - //if (client_host[0]==0 && simple_pattern_is_potential_name(access_list)) - if (client_host[0]==0 && allow_dns) - { - struct sockaddr_storage sadr; - socklen_t addrlen = sizeof(sadr); - int err = getpeername(fd, (struct sockaddr*)&sadr, &addrlen); - if (err != 0 || - (err = getnameinfo((struct sockaddr *)&sadr, addrlen, client_host, (socklen_t)hostsize, - NULL, 0, NI_NAMEREQD)) != 0) { - - nd_log(NDLS_DAEMON, NDLP_ERR, - "Incoming %s on '%s' does not match a numeric pattern, and host could not be resolved (err=%s)", - patname, client_ip, gai_strerror(err)); - - if (hostsize >= 8) - strcpy(client_host,"UNKNOWN"); - return 0; - } - struct addrinfo *addr_infos = NULL; - if (getaddrinfo(client_host, NULL, NULL, &addr_infos) !=0 ) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: cannot validate hostname '%s' from '%s' by resolving it", - client_host, client_ip); - - if (hostsize >= 8) - strcpy(client_host,"UNKNOWN"); - return 0; - } - struct addrinfo *scan = addr_infos; - int validated = 0; - while (scan) { - char address[INET6_ADDRSTRLEN]; - address[0] = 0; - switch (scan->ai_addr->sa_family) { - case AF_INET: - inet_ntop(AF_INET, &((struct sockaddr_in*)(scan->ai_addr))->sin_addr, address, INET6_ADDRSTRLEN); - break; - case AF_INET6: - inet_ntop(AF_INET6, &((struct sockaddr_in6*)(scan->ai_addr))->sin6_addr, address, INET6_ADDRSTRLEN); - break; - } - if (!strcmp(client_ip, address)) { - validated = 1; - break; - } - scan = scan->ai_next; - } - if (!validated) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: Cannot validate '%s' as ip of '%s', not listed in DNS", - client_ip, client_host); - - if (hostsize >= 8) - strcpy(client_host,"UNKNOWN"); - } - if (addr_infos!=NULL) - freeaddrinfo(addr_infos); - } - if (!simple_pattern_matches(access_list, client_host)) - return 0; - - return 1; -} - -// -------------------------------------------------------------------------------------------------------------------- -// accept_socket() - accept a socket and store client IP and port -int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *client_port, size_t portsize, - char *client_host, size_t hostsize, SIMPLE_PATTERN *access_list, int allow_dns) { - struct sockaddr_storage sadr; - socklen_t addrlen = sizeof(sadr); - - int nfd = accept4(fd, (struct sockaddr *)&sadr, &addrlen, flags); - if (likely(nfd >= 0)) { - if (getnameinfo((struct sockaddr *)&sadr, addrlen, client_ip, (socklen_t)ipsize, - client_port, (socklen_t)portsize, NI_NUMERICHOST | NI_NUMERICSERV) != 0) { - - nd_log(NDLS_DAEMON, NDLP_ERR, - "LISTENER: cannot getnameinfo() on received client connection."); - - strncpyz(client_ip, "UNKNOWN", ipsize); - strncpyz(client_port, "UNKNOWN", portsize); - } - if (!strcmp(client_ip, "127.0.0.1") || !strcmp(client_ip, "::1")) { - strncpyz(client_ip, "localhost", ipsize); - } - -#ifdef __FreeBSD__ - if(((struct sockaddr *)&sadr)->sa_family == AF_LOCAL) - strncpyz(client_ip, "localhost", ipsize); -#endif - - client_ip[ipsize - 1] = '\0'; - client_port[portsize - 1] = '\0'; - - switch (((struct sockaddr *)&sadr)->sa_family) { - case AF_UNIX: - // netdata_log_debug(D_LISTENER, "New UNIX domain web client from %s on socket %d.", client_ip, fd); - // set the port - certain versions of libc return garbage on unix sockets - strncpyz(client_port, "UNIX", portsize); - break; - - case AF_INET: - // netdata_log_debug(D_LISTENER, "New IPv4 web client from %s port %s on socket %d.", client_ip, client_port, fd); - break; - - case AF_INET6: - if (strncmp(client_ip, "::ffff:", 7) == 0) { - memmove(client_ip, &client_ip[7], strlen(&client_ip[7]) + 1); - // netdata_log_debug(D_LISTENER, "New IPv4 web client from %s port %s on socket %d.", client_ip, client_port, fd); - } - // else - // netdata_log_debug(D_LISTENER, "New IPv6 web client from %s port %s on socket %d.", client_ip, client_port, fd); - break; - - default: - // netdata_log_debug(D_LISTENER, "New UNKNOWN web client from %s port %s on socket %d.", client_ip, client_port, fd); - break; - } - if (!connection_allowed(nfd, client_ip, client_host, hostsize, access_list, "connection", allow_dns)) { - errno = 0; - nd_log(NDLS_DAEMON, NDLP_WARNING, - "Permission denied for client '%s', port '%s'", - client_ip, client_port); - - close(nfd); - nfd = -1; - errno = EPERM; - } - } -#ifdef HAVE_ACCEPT4 - else if (errno == ENOSYS) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Netdata has been compiled with the assumption that the system has the accept4() call, but it is not here. " - "Recompile netdata like this: ./configure --disable-accept4 ..."); -#endif - - return nfd; -} - - -// -------------------------------------------------------------------------------------------------------------------- -// poll() based listener -// this should be the fastest possible listener for up to 100 sockets -// above 100, an epoll() interface is needed on Linux - -#define POLL_FDS_INCREASE_STEP 10 - -inline POLLINFO *poll_add_fd(POLLJOB *p - , int fd - , int socktype - , WEB_CLIENT_ACL port_acl - , uint32_t flags - , const char *client_ip - , const char *client_port - , const char *client_host - , void *(*add_callback)(POLLINFO * /*pi*/, short int * /*events*/, void * /*data*/) - , void (*del_callback)(POLLINFO * /*pi*/) - , int (*rcv_callback)(POLLINFO * /*pi*/, short int * /*events*/) - , int (*snd_callback)(POLLINFO * /*pi*/, short int * /*events*/) - , void *data -) { - if(unlikely(fd < 0)) return NULL; - - //if(p->limit && p->used >= p->limit) { - // nd_log(NDLS_DAEMON, NDLP_WARNING, "Max sockets limit reached (%zu sockets), dropping connection", p->used); - // close(fd); - // return NULL; - //} - - if(unlikely(!p->first_free)) { - size_t new_slots = p->slots + POLL_FDS_INCREASE_STEP; - - p->fds = reallocz(p->fds, sizeof(struct pollfd) * new_slots); - p->inf = reallocz(p->inf, sizeof(POLLINFO) * new_slots); - - // reset all the newly added slots - ssize_t i; - for(i = new_slots - 1; i >= (ssize_t)p->slots ; i--) { - p->fds[i].fd = -1; - p->fds[i].events = 0; - p->fds[i].revents = 0; - - p->inf[i].p = p; - p->inf[i].slot = (size_t)i; - p->inf[i].flags = 0; - p->inf[i].socktype = -1; - p->inf[i].port_acl = -1; - - p->inf[i].client_ip = NULL; - p->inf[i].client_port = NULL; - p->inf[i].client_host = NULL; - p->inf[i].del_callback = p->del_callback; - p->inf[i].rcv_callback = p->rcv_callback; - p->inf[i].snd_callback = p->snd_callback; - p->inf[i].data = NULL; - - // link them so that the first free will be earlier in the array - // (we loop decrementing i) - p->inf[i].next = p->first_free; - p->first_free = &p->inf[i]; - } - - p->slots = new_slots; - } - - POLLINFO *pi = p->first_free; - p->first_free = p->first_free->next; - - struct pollfd *pf = &p->fds[pi->slot]; - pf->fd = fd; - pf->events = POLLIN; - pf->revents = 0; - - pi->fd = fd; - pi->p = p; - pi->socktype = socktype; - pi->port_acl = port_acl; - pi->flags = flags; - pi->next = NULL; - pi->client_ip = strdupz(client_ip); - pi->client_port = strdupz(client_port); - pi->client_host = strdupz(client_host); - - pi->del_callback = del_callback; - pi->rcv_callback = rcv_callback; - pi->snd_callback = snd_callback; - - pi->connected_t = now_boottime_sec(); - pi->last_received_t = 0; - pi->last_sent_t = 0; - pi->last_sent_t = 0; - pi->recv_count = 0; - pi->send_count = 0; - - netdata_thread_disable_cancelability(); - p->used++; - if(unlikely(pi->slot > p->max)) - p->max = pi->slot; - - if(pi->flags & POLLINFO_FLAG_CLIENT_SOCKET) { - pi->data = add_callback(pi, &pf->events, data); - } - - if(pi->flags & POLLINFO_FLAG_SERVER_SOCKET) { - p->min = pi->slot; - } - netdata_thread_enable_cancelability(); - - return pi; -} - -inline void poll_close_fd(POLLINFO *pi) { - POLLJOB *p = pi->p; - - struct pollfd *pf = &p->fds[pi->slot]; - - if(unlikely(pf->fd == -1)) return; - - netdata_thread_disable_cancelability(); - - if(pi->flags & POLLINFO_FLAG_CLIENT_SOCKET) { - pi->del_callback(pi); - - if(likely(!(pi->flags & POLLINFO_FLAG_DONT_CLOSE))) { - if(close(pf->fd) == -1) - nd_log(NDLS_DAEMON, NDLP_ERR, - "Failed to close() poll_events() socket %d", - pf->fd); - } - } - - pf->fd = -1; - pf->events = 0; - pf->revents = 0; - - pi->fd = -1; - pi->socktype = -1; - pi->flags = 0; - pi->data = NULL; - - pi->del_callback = NULL; - pi->rcv_callback = NULL; - pi->snd_callback = NULL; - - freez(pi->client_ip); - pi->client_ip = NULL; - - freez(pi->client_port); - pi->client_port = NULL; - - freez(pi->client_host); - pi->client_host = NULL; - - pi->next = p->first_free; - p->first_free = pi; - - p->used--; - if(unlikely(p->max == pi->slot)) { - p->max = p->min; - ssize_t i; - for(i = (ssize_t)pi->slot; i > (ssize_t)p->min ;i--) { - if (unlikely(p->fds[i].fd != -1)) { - p->max = (size_t)i; - break; - } - } - } - netdata_thread_enable_cancelability(); -} - -void *poll_default_add_callback(POLLINFO *pi, short int *events, void *data) { - (void)pi; - (void)events; - (void)data; - - return NULL; -} - -void poll_default_del_callback(POLLINFO *pi) { - if(pi->data) - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: internal error: del_callback_default() called with data pointer - possible memory leak"); -} - -int poll_default_rcv_callback(POLLINFO *pi, short int *events) { - *events |= POLLIN; - - char buffer[1024 + 1]; - - ssize_t rc; - do { - rc = recv(pi->fd, buffer, 1024, MSG_DONTWAIT); - if (rc < 0) { - // read failed - if (errno != EWOULDBLOCK && errno != EAGAIN) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: poll_default_rcv_callback(): recv() failed with %zd.", - rc); - - return -1; - } - } else if (rc) { - // data received - nd_log(NDLS_DAEMON, NDLP_WARNING, - "POLLFD: internal error: poll_default_rcv_callback() is discarding %zd bytes received on socket %d", - rc, pi->fd); - } - } while (rc != -1); - - return 0; -} - -int poll_default_snd_callback(POLLINFO *pi, short int *events) { - *events &= ~POLLOUT; - - nd_log(NDLS_DAEMON, NDLP_WARNING, - "POLLFD: internal error: poll_default_snd_callback(): nothing to send on socket %d", - pi->fd); - - return 0; -} - -void poll_default_tmr_callback(void *timer_data) { - (void)timer_data; -} - -static void poll_events_cleanup(void *data) { - POLLJOB *p = (POLLJOB *)data; - - size_t i; - for(i = 0 ; i <= p->max ; i++) { - POLLINFO *pi = &p->inf[i]; - poll_close_fd(pi); - } - - freez(p->fds); - freez(p->inf); -} - -static int poll_process_error(POLLINFO *pi, struct pollfd *pf, short int revents) { - ND_LOG_STACK lgs[] = { - ND_LOG_FIELD_TXT(NDF_SRC_IP, pi->client_ip), - ND_LOG_FIELD_TXT(NDF_SRC_PORT, pi->client_port), - ND_LOG_FIELD_END(), - }; - ND_LOG_STACK_PUSH(lgs); - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "POLLFD: LISTENER: received %s %s %s on socket at slot %zu (fd %d) client '%s' port '%s' expecting %s %s %s, having %s %s %s" - , revents & POLLERR ? "POLLERR" : "" - , revents & POLLHUP ? "POLLHUP" : "" - , revents & POLLNVAL ? "POLLNVAL" : "" - , pi->slot - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , pf->events & POLLIN ? "POLLIN" : "", pf->events & POLLOUT ? "POLLOUT" : "", pf->events & POLLPRI ? "POLLPRI" : "" - , revents & POLLIN ? "POLLIN" : "", revents & POLLOUT ? "POLLOUT" : "", revents & POLLPRI ? "POLLPRI" : "" - ); - - pf->events = 0; - poll_close_fd(pi); - return 1; -} - -static inline int poll_process_send(POLLJOB *p, POLLINFO *pi, struct pollfd *pf, time_t now) { - pi->last_sent_t = now; - pi->send_count++; - - pf->events = 0; - - // remember the slot, in case we need to close it later - // the callback may manipulate the socket list and our pf and pi pointers may be invalid after that call - size_t slot = pi->slot; - - if (unlikely(pi->snd_callback(pi, &pf->events) == -1)) - poll_close_fd(&p->inf[slot]); - - // IMPORTANT: - // pf and pi may be invalid below this point, they may have been reallocated. - - return 1; -} - -static inline int poll_process_tcp_read(POLLJOB *p, POLLINFO *pi, struct pollfd *pf, time_t now) { - pi->last_received_t = now; - pi->recv_count++; - - pf->events = 0; - - // remember the slot, in case we need to close it later - // the callback may manipulate the socket list and our pf and pi pointers may be invalid after that call - size_t slot = pi->slot; - - if (pi->rcv_callback(pi, &pf->events) == -1) - poll_close_fd(&p->inf[slot]); - - // IMPORTANT: - // pf and pi may be invalid below this point, they may have been reallocated. - - return 1; -} - -static inline int poll_process_udp_read(POLLINFO *pi, struct pollfd *pf, time_t now __maybe_unused) { - pi->last_received_t = now; - pi->recv_count++; - - // TODO: access_list is not applied to UDP - // but checking the access list on every UDP packet will destroy - // performance, especially for statsd. - - pf->events = 0; - if(pi->rcv_callback(pi, &pf->events) == -1) - return 0; - - // IMPORTANT: - // pf and pi may be invalid below this point, they may have been reallocated. - - return 1; -} - -static int poll_process_new_tcp_connection(POLLJOB *p, POLLINFO *pi, struct pollfd *pf, time_t now) { - pi->last_received_t = now; - pi->recv_count++; - - char client_ip[INET6_ADDRSTRLEN] = ""; - char client_port[NI_MAXSERV] = ""; - char client_host[NI_MAXHOST] = ""; - - int nfd = accept_socket( - pf->fd,SOCK_NONBLOCK, - client_ip, INET6_ADDRSTRLEN, client_port,NI_MAXSERV, client_host, NI_MAXHOST, - p->access_list, p->allow_dns - ); - - if (unlikely(nfd < 0)) { - // accept failed - - if(unlikely(errno == EMFILE)) { - nd_log_limit_static_global_var(erl, 10, 1000); - nd_log_limit(&erl, NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: too many open files - used by this thread %zu, max for this thread %zu", - p->used, p->limit); - } - else if(unlikely(errno != EWOULDBLOCK && errno != EAGAIN)) - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: accept() failed."); - - } - else { - // accept ok - - poll_add_fd(p - , nfd - , SOCK_STREAM - , pi->port_acl - , POLLINFO_FLAG_CLIENT_SOCKET - , client_ip - , client_port - , client_host - , p->add_callback - , p->del_callback - , p->rcv_callback - , p->snd_callback - , NULL - ); - - // IMPORTANT: - // pf and pi may be invalid below this point, they may have been reallocated. - - return 1; - } - - return 0; -} - -void poll_events(LISTEN_SOCKETS *sockets - , void *(*add_callback)(POLLINFO * /*pi*/, short int * /*events*/, void * /*data*/) - , void (*del_callback)(POLLINFO * /*pi*/) - , int (*rcv_callback)(POLLINFO * /*pi*/, short int * /*events*/) - , int (*snd_callback)(POLLINFO * /*pi*/, short int * /*events*/) - , void (*tmr_callback)(void * /*timer_data*/) - , bool (*check_to_stop_callback)(void) - , SIMPLE_PATTERN *access_list - , int allow_dns - , void *data - , time_t tcp_request_timeout_seconds - , time_t tcp_idle_timeout_seconds - , time_t timer_milliseconds - , void *timer_data - , size_t max_tcp_sockets -) { - if(!sockets || !sockets->opened) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: internal error: no listening sockets are opened"); - return; - } - - if(timer_milliseconds <= 0) timer_milliseconds = 0; - - int retval; - - POLLJOB p = { - .slots = 0, - .used = 0, - .max = 0, - .limit = max_tcp_sockets, - .fds = NULL, - .inf = NULL, - .first_free = NULL, - - .complete_request_timeout = tcp_request_timeout_seconds, - .idle_timeout = tcp_idle_timeout_seconds, - .checks_every = (tcp_idle_timeout_seconds / 3) + 1, - - .access_list = access_list, - .allow_dns = allow_dns, - - .timer_milliseconds = timer_milliseconds, - .timer_data = timer_data, - - .add_callback = add_callback?add_callback:poll_default_add_callback, - .del_callback = del_callback?del_callback:poll_default_del_callback, - .rcv_callback = rcv_callback?rcv_callback:poll_default_rcv_callback, - .snd_callback = snd_callback?snd_callback:poll_default_snd_callback, - .tmr_callback = tmr_callback?tmr_callback:poll_default_tmr_callback - }; - - size_t i; - for(i = 0; i < sockets->opened ;i++) { - - POLLINFO *pi = poll_add_fd(&p - , sockets->fds[i] - , sockets->fds_types[i] - , sockets->fds_acl_flags[i] - , POLLINFO_FLAG_SERVER_SOCKET - , (sockets->fds_names[i])?sockets->fds_names[i]:"UNKNOWN" - , "" - , "" - , p.add_callback - , p.del_callback - , p.rcv_callback - , p.snd_callback - , NULL - ); - - pi->data = data; - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "POLLFD: LISTENER: listening on '%s'", - (sockets->fds_names[i])?sockets->fds_names[i]:"UNKNOWN"); - } - - int listen_sockets_active = 1; - - int timeout_ms = 1000; // in milliseconds - time_t last_check = now_boottime_sec(); - - usec_t timer_usec = timer_milliseconds * USEC_PER_MS; - usec_t now_usec = 0, next_timer_usec = 0, last_timer_usec = 0; - (void)last_timer_usec; - - if(unlikely(timer_usec)) { - now_usec = now_boottime_usec(); - next_timer_usec = now_usec - (now_usec % timer_usec) + timer_usec; - } - - netdata_thread_cleanup_push(poll_events_cleanup, &p); - - while(!check_to_stop_callback()) { - if(unlikely(timer_usec)) { - now_usec = now_boottime_usec(); - - if(unlikely(timer_usec && now_usec >= next_timer_usec)) { - last_timer_usec = now_usec; - p.tmr_callback(p.timer_data); - now_usec = now_boottime_usec(); - next_timer_usec = now_usec - (now_usec % timer_usec) + timer_usec; - } - - usec_t dt_usec = next_timer_usec - now_usec; - if(dt_usec < 1000 * USEC_PER_MS) - timeout_ms = 1000; - else - timeout_ms = (int)(dt_usec / USEC_PER_MS); - } - - // enable or disable the TCP listening sockets, based on the current number of sockets used and the limit set - if((listen_sockets_active && (p.limit && p.used >= p.limit)) || (!listen_sockets_active && (!p.limit || p.used < p.limit))) { - listen_sockets_active = !listen_sockets_active; - - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "%s listening sockets (used TCP sockets %zu, max allowed for this worker %zu)", - (listen_sockets_active)?"ENABLING":"DISABLING", p.used, p.limit); - - for (i = 0; i <= p.max; i++) { - if(p.inf[i].flags & POLLINFO_FLAG_SERVER_SOCKET && p.inf[i].socktype == SOCK_STREAM) { - p.fds[i].events = (short int) ((listen_sockets_active) ? POLLIN : 0); - } - } - } - - retval = poll(p.fds, p.max + 1, timeout_ms); - time_t now = now_boottime_sec(); - - if(unlikely(retval == -1)) { - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: poll() failed while waiting on %zu sockets.", - p.max + 1); - - break; - } - else if(unlikely(!retval)) { - // timeout - ; - } - else { - POLLINFO *pi; - struct pollfd *pf; - size_t idx, processed = 0; - short int revents; - - // keep fast lookup arrays per function - // to avoid looping through the entire list every time - size_t sends[p.max + 1], sends_max = 0; - size_t reads[p.max + 1], reads_max = 0; - size_t conns[p.max + 1], conns_max = 0; - size_t udprd[p.max + 1], udprd_max = 0; - - for (i = 0; i <= p.max; i++) { - pi = &p.inf[i]; - pf = &p.fds[i]; - revents = pf->revents; - - if(unlikely(revents == 0 || pf->fd == -1)) - continue; - - if (unlikely(revents & (POLLERR|POLLHUP|POLLNVAL))) { - // something is wrong to one of our sockets - - pf->revents = 0; - processed += poll_process_error(pi, pf, revents); - } - else if (likely(revents & POLLOUT)) { - // a client is ready to receive data - - sends[sends_max++] = i; - } - else if (likely(revents & (POLLIN|POLLPRI))) { - if (pi->flags & POLLINFO_FLAG_CLIENT_SOCKET) { - // a client sent data to us - - reads[reads_max++] = i; - } - else if (pi->flags & POLLINFO_FLAG_SERVER_SOCKET) { - // something is coming to our server sockets - - if(pi->socktype == SOCK_DGRAM) { - // UDP receive, directly on our listening socket - - udprd[udprd_max++] = i; - } - else if(pi->socktype == SOCK_STREAM) { - // new TCP connection - - conns[conns_max++] = i; - } - else - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: server slot %zu (fd %d) connection from %s port %s using unhandled socket type %d." - , i - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , pi->socktype - ); - } - else - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: client slot %zu (fd %d) data from %s port %s using flags %08X is neither client nor server." - , i - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , pi->flags - ); - } - else - nd_log(NDLS_DAEMON, NDLP_ERR, - "POLLFD: LISTENER: socket slot %zu (fd %d) client %s port %s unhandled event id %d." - , i - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , revents - ); - } - - // process sends - for (idx = 0; idx < sends_max; idx++) { - i = sends[idx]; - pi = &p.inf[i]; - pf = &p.fds[i]; - pf->revents = 0; - processed += poll_process_send(&p, pi, pf, now); - } - - // process UDP reads - for (idx = 0; idx < udprd_max; idx++) { - i = udprd[idx]; - pi = &p.inf[i]; - pf = &p.fds[i]; - pf->revents = 0; - processed += poll_process_udp_read(pi, pf, now); - } - - // process TCP reads - for (idx = 0; idx < reads_max; idx++) { - i = reads[idx]; - pi = &p.inf[i]; - pf = &p.fds[i]; - pf->revents = 0; - processed += poll_process_tcp_read(&p, pi, pf, now); - } - - if(!processed && (!p.limit || p.used < p.limit)) { - // nothing processed above (rcv, snd) and we have room for another TCP connection - // so, accept one TCP connection - for (idx = 0; idx < conns_max; idx++) { - i = conns[idx]; - pi = &p.inf[i]; - pf = &p.fds[i]; - pf->revents = 0; - if (poll_process_new_tcp_connection(&p, pi, pf, now)) - break; - } - } - } - - if(unlikely(p.checks_every > 0 && now - last_check > p.checks_every)) { - last_check = now; - - // cleanup old sockets - for(i = 0; i <= p.max; i++) { - POLLINFO *pi = &p.inf[i]; - - if(likely(pi->flags & POLLINFO_FLAG_CLIENT_SOCKET)) { - if (unlikely(pi->send_count == 0 && p.complete_request_timeout > 0 && (now - pi->connected_t) >= p.complete_request_timeout)) { - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "POLLFD: LISTENER: client slot %zu (fd %d) from %s port %s has not sent a complete request in %zu seconds - closing it. " - , i - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , (size_t) p.complete_request_timeout - ); - poll_close_fd(pi); - } - else if(unlikely(pi->recv_count && p.idle_timeout > 0 && now - ((pi->last_received_t > pi->last_sent_t) ? pi->last_received_t : pi->last_sent_t) >= p.idle_timeout )) { - nd_log(NDLS_DAEMON, NDLP_DEBUG, - "POLLFD: LISTENER: client slot %zu (fd %d) from %s port %s is idle for more than %zu seconds - closing it. " - , i - , pi->fd - , pi->client_ip ? pi->client_ip : "<undefined-ip>" - , pi->client_port ? pi->client_port : "<undefined-port>" - , (size_t) p.idle_timeout - ); - poll_close_fd(pi); - } - } - } - } - } - - netdata_thread_cleanup_pop(1); -} diff --git a/libnetdata/socket/socket.h b/libnetdata/socket/socket.h deleted file mode 100644 index e4ca08d4..00000000 --- a/libnetdata/socket/socket.h +++ /dev/null @@ -1,248 +0,0 @@ -// SPDX-License-Identifier: GPL-3.0-or-later - -#ifndef NETDATA_SOCKET_H -#define NETDATA_SOCKET_H - -#include "../libnetdata.h" - -#ifndef MAX_LISTEN_FDS -#define MAX_LISTEN_FDS 50 -#endif - -typedef enum web_client_acl { - WEB_CLIENT_ACL_NONE = (0), - WEB_CLIENT_ACL_NOCHECK = (1 << 0), // Don't check anything - this should work on all channels - WEB_CLIENT_ACL_DASHBOARD = (1 << 1), - WEB_CLIENT_ACL_REGISTRY = (1 << 2), - WEB_CLIENT_ACL_BADGE = (1 << 3), - WEB_CLIENT_ACL_MGMT = (1 << 4), - WEB_CLIENT_ACL_STREAMING = (1 << 5), - WEB_CLIENT_ACL_NETDATACONF = (1 << 6), - WEB_CLIENT_ACL_SSL_OPTIONAL = (1 << 7), - WEB_CLIENT_ACL_SSL_FORCE = (1 << 8), - WEB_CLIENT_ACL_SSL_DEFAULT = (1 << 9), - WEB_CLIENT_ACL_ACLK = (1 << 10), - WEB_CLIENT_ACL_WEBRTC = (1 << 11), - WEB_CLIENT_ACL_BEARER_OPTIONAL = (1 << 12), // allow unprotected access if bearer is not enabled in netdata - WEB_CLIENT_ACL_BEARER_REQUIRED = (1 << 13), // allow access only if a valid bearer is used -} WEB_CLIENT_ACL; - -#define WEB_CLIENT_ACL_DASHBOARD_ACLK_WEBRTC (WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_ACLK | WEB_CLIENT_ACL_WEBRTC | WEB_CLIENT_ACL_BEARER_OPTIONAL) -#define WEB_CLIENT_ACL_ACLK_WEBRTC_DASHBOARD_WITH_BEARER (WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_ACLK | WEB_CLIENT_ACL_WEBRTC | WEB_CLIENT_ACL_BEARER_REQUIRED) - -#ifdef NETDATA_DEV_MODE -#define ACL_DEV_OPEN_ACCESS WEB_CLIENT_ACL_NOCHECK -#else -#define ACL_DEV_OPEN_ACCESS 0 -#endif - -#define WEB_CLIENT_ACL_ALL 0xFFFF - -#define web_client_can_access_dashboard(w) ((w)->acl & WEB_CLIENT_ACL_DASHBOARD) -#define web_client_can_access_registry(w) ((w)->acl & WEB_CLIENT_ACL_REGISTRY) -#define web_client_can_access_badges(w) ((w)->acl & WEB_CLIENT_ACL_BADGE) -#define web_client_can_access_mgmt(w) ((w)->acl & WEB_CLIENT_ACL_MGMT) -#define web_client_can_access_stream(w) ((w)->acl & WEB_CLIENT_ACL_STREAMING) -#define web_client_can_access_netdataconf(w) ((w)->acl & WEB_CLIENT_ACL_NETDATACONF) -#define web_client_is_using_ssl_optional(w) ((w)->port_acl & WEB_CLIENT_ACL_SSL_OPTIONAL) -#define web_client_is_using_ssl_force(w) ((w)->port_acl & WEB_CLIENT_ACL_SSL_FORCE) -#define web_client_is_using_ssl_default(w) ((w)->port_acl & WEB_CLIENT_ACL_SSL_DEFAULT) - -typedef struct listen_sockets { - struct config *config; // the config file to use - const char *config_section; // the netdata configuration section to read settings from - const char *default_bind_to; // the default bind to configuration string - uint16_t default_port; // the default port to use - int backlog; // the default listen backlog to use - - size_t opened; // the number of sockets opened - size_t failed; // the number of sockets attempted to open, but failed - int fds[MAX_LISTEN_FDS]; // the open sockets - char *fds_names[MAX_LISTEN_FDS]; // descriptions for the open sockets - int fds_types[MAX_LISTEN_FDS]; // the socktype for the open sockets (SOCK_STREAM, SOCK_DGRAM) - int fds_families[MAX_LISTEN_FDS]; // the family of the open sockets (AF_UNIX, AF_INET, AF_INET6) - WEB_CLIENT_ACL fds_acl_flags[MAX_LISTEN_FDS]; // the acl to apply to the open sockets (dashboard, badges, streaming, netdata.conf, management) -} LISTEN_SOCKETS; - -char *strdup_client_description(int family, const char *protocol, const char *ip, uint16_t port); - -int listen_sockets_setup(LISTEN_SOCKETS *sockets); -void listen_sockets_close(LISTEN_SOCKETS *sockets); - -void foreach_entry_in_connection_string(const char *destination, bool (*callback)(char *entry, void *data), void *data); -int connect_to_this_ip46(int protocol, int socktype, const char *host, uint32_t scope_id, const char *service, struct timeval *timeout); -int connect_to_this(const char *definition, int default_port, struct timeval *timeout); -int connect_to_one_of(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size); -int connect_to_one_of_urls(const char *destination, int default_port, struct timeval *timeout, size_t *reconnects_counter, char *connected_to, size_t connected_to_size); - - -#ifdef ENABLE_HTTPS -ssize_t recv_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); -ssize_t send_timeout(NETDATA_SSL *ssl,int sockfd, void *buf, size_t len, int flags, int timeout); -#else -ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); -ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout); -#endif - -bool fd_is_socket(int fd); -bool sock_has_output_error(int fd); - -int sock_setnonblock(int fd); -int sock_delnonblock(int fd); -int sock_setreuse(int fd, int reuse); -int sock_setreuse_port(int fd, int reuse); -int sock_enlarge_in(int fd); -int sock_enlarge_out(int fd); - -int connection_allowed(int fd, char *client_ip, char *client_host, size_t hostsize, - SIMPLE_PATTERN *access_list, const char *patname, int allow_dns); -int accept_socket(int fd, int flags, char *client_ip, size_t ipsize, char *client_port, size_t portsize, - char *client_host, size_t hostsize, SIMPLE_PATTERN *access_list, int allow_dns); - -#ifndef HAVE_ACCEPT4 -int accept4(int sock, struct sockaddr *addr, socklen_t *addrlen, int flags); - -#ifndef SOCK_NONBLOCK -#define SOCK_NONBLOCK 00004000 -#endif /* #ifndef SOCK_NONBLOCK */ - -#ifndef SOCK_CLOEXEC -#define SOCK_CLOEXEC 02000000 -#endif /* #ifndef SOCK_CLOEXEC */ - -#endif /* #ifndef HAVE_ACCEPT4 */ - - -// ---------------------------------------------------------------------------- -// poll() based listener - -#define POLLINFO_FLAG_SERVER_SOCKET 0x00000001 -#define POLLINFO_FLAG_CLIENT_SOCKET 0x00000002 -#define POLLINFO_FLAG_DONT_CLOSE 0x00000004 - -typedef struct poll POLLJOB; - -typedef struct pollinfo { - POLLJOB *p; // the parent - size_t slot; // the slot id - - int fd; // the file descriptor - int socktype; // the client socket type - WEB_CLIENT_ACL port_acl; // the access lists permitted on this web server port (it's -1 for client sockets) - char *client_ip; // Max INET6_ADDRSTRLEN bytes - char *client_port; // Max NI_MAXSERV bytes - char *client_host; // Max NI_MAXHOST bytes - - time_t connected_t; // the time the socket connected - time_t last_received_t; // the time the socket last received data - time_t last_sent_t; // the time the socket last sent data - - size_t recv_count; // the number of times the socket was ready for inbound traffic - size_t send_count; // the number of times the socket was ready for outbound traffic - - uint32_t flags; // internal flags - - // callbacks for this socket - void (*del_callback)(struct pollinfo *pi); - int (*rcv_callback)(struct pollinfo *pi, short int *events); - int (*snd_callback)(struct pollinfo *pi, short int *events); - - // the user data - void *data; - - // linking of free pollinfo structures - // for quickly finding the next available - // this is like a stack, it grows and shrinks - // (with gaps - lower empty slots are preferred) - struct pollinfo *next; -} POLLINFO; - -struct poll { - size_t slots; - size_t used; - size_t min; - size_t max; - - size_t limit; - - time_t complete_request_timeout; - time_t idle_timeout; - time_t checks_every; - - time_t timer_milliseconds; - void *timer_data; - - struct pollfd *fds; - struct pollinfo *inf; - struct pollinfo *first_free; - - SIMPLE_PATTERN *access_list; - int allow_dns; - - void *(*add_callback)(POLLINFO *pi, short int *events, void *data); - void (*del_callback)(POLLINFO *pi); - int (*rcv_callback)(POLLINFO *pi, short int *events); - int (*snd_callback)(POLLINFO *pi, short int *events); - void (*tmr_callback)(void *timer_data); -}; - -#define pollinfo_from_slot(p, slot) (&((p)->inf[(slot)])) - -int poll_default_snd_callback(POLLINFO *pi, short int *events); -int poll_default_rcv_callback(POLLINFO *pi, short int *events); -void poll_default_del_callback(POLLINFO *pi); -void *poll_default_add_callback(POLLINFO *pi, short int *events, void *data); - -POLLINFO *poll_add_fd(POLLJOB *p - , int fd - , int socktype - , WEB_CLIENT_ACL port_acl - , uint32_t flags - , const char *client_ip - , const char *client_port - , const char *client_host - , void *(*add_callback)(POLLINFO *pi, short int *events, void *data) - , void (*del_callback)(POLLINFO *pi) - , int (*rcv_callback)(POLLINFO *pi, short int *events) - , int (*snd_callback)(POLLINFO *pi, short int *events) - , void *data -); -void poll_close_fd(POLLINFO *pi); - -void poll_events(LISTEN_SOCKETS *sockets - , void *(*add_callback)(POLLINFO *pi, short int *events, void *data) - , void (*del_callback)(POLLINFO *pi) - , int (*rcv_callback)(POLLINFO *pi, short int *events) - , int (*snd_callback)(POLLINFO *pi, short int *events) - , void (*tmr_callback)(void *timer_data) - , bool (*check_to_stop_callback)(void) - , SIMPLE_PATTERN *access_list - , int allow_dns - , void *data - , time_t tcp_request_timeout_seconds - , time_t tcp_idle_timeout_seconds - , time_t timer_milliseconds - , void *timer_data - , size_t max_tcp_sockets -); - -#ifndef INET6_ADDRSTRLEN -#define INET6_ADDRSTRLEN 46 -#endif - -typedef struct socket_peers { - struct { - char ip[INET6_ADDRSTRLEN]; - int port; - } local; - - struct { - char ip[INET6_ADDRSTRLEN]; - int port; - } peer; -} SOCKET_PEERS; - -SOCKET_PEERS socket_peers(int sock_fd); -bool ip_to_hostname(const char *ip, char *dst, size_t dst_len); - -#endif //NETDATA_SOCKET_H |