From 03bf87dcb06f7021bfb2df2fa8691593c6148aff Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 30 Nov 2022 19:47:00 +0100
Subject: Adding upstream version 1.37.0.
Signed-off-by: Daniel Baumann
---
 libnetdata/socket/security.c | 76 ++++++++++++++++++++------------------------
 1 file changed, 34 insertions(+), 42 deletions(-)
(limited to 'libnetdata/socket/security.c')
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 6ac512de5..f7b44049b 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -2,14 +2,14 @@
 #ifdef ENABLE_HTTPS
-SSL_CTX *netdata_exporting_ctx=NULL;
-SSL_CTX *netdata_client_ctx=NULL;
-SSL_CTX *netdata_srv_ctx=NULL;
-const char *security_key=NULL;
-const char *security_cert=NULL;
+SSL_CTX *netdata_ssl_exporting_ctx =NULL;
+SSL_CTX *netdata_ssl_client_ctx =NULL;
+SSL_CTX *netdata_ssl_srv_ctx =NULL;
+const char *netdata_ssl_security_key =NULL;
+const char *netdata_ssl_security_cert =NULL;
 const char *tls_version=NULL;
 const char *tls_ciphers=NULL;
-int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
+int netdata_ssl_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
 /**
 * Info Callback
@@ -161,7 +161,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 return NULL;
 }
- SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM);
+ SSL_CTX_use_certificate_file(ctx, netdata_ssl_security_cert, SSL_FILETYPE_PEM);
 #else
 ctx = SSL_CTX_new(TLS_server_method());
 if (!ctx) {
@@ -169,11 +169,11 @@ static SSL_CTX * security_initialize_openssl_server() {
 return NULL;
 }
- SSL_CTX_use_certificate_chain_file(ctx, security_cert);
+ SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert);
 #endif
 security_openssl_common_options(ctx, 0);
- SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
+ SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM);
 if (!SSL_CTX_check_private_key(ctx)) {
 ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror));
@@ -207,24 +207,25 @@ void security_start_ssl(int selector) {
 switch (selector) {
 case NETDATA_SSL_CONTEXT_SERVER: {
 struct stat statbuf;
- if (stat(security_key, &statbuf) || stat(security_cert, &statbuf)) {
+ if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) {
 info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
 return;
 }
- netdata_srv_ctx = security_initialize_openssl_server();
- SSL_CTX_set_mode(netdata_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ netdata_ssl_srv_ctx = security_initialize_openssl_server();
+ SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 break;
 }
 case NETDATA_SSL_CONTEXT_STREAMING: {
- netdata_client_ctx = security_initialize_openssl_client();
+ netdata_ssl_client_ctx = security_initialize_openssl_client();
 //This is necessary for the stream, because it is working sometimes with nonblock socket.
 //It returns the bitmask after to change, there is not any description of errors in the documentation
- SSL_CTX_set_mode(netdata_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY);
+ SSL_CTX_set_mode(
+ netdata_ssl_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY);
 break;
 }
 case NETDATA_SSL_CONTEXT_EXPORTING: {
- netdata_exporting_ctx = security_initialize_openssl_client();
+ netdata_ssl_exporting_ctx = security_initialize_openssl_client();
 break;
 }
 }
@@ -237,16 +238,16 @@ void security_start_ssl(int selector) {
 */
 void security_clean_openssl() {
- if (netdata_srv_ctx) {
- SSL_CTX_free(netdata_srv_ctx);
+ if (netdata_ssl_srv_ctx) {
+ SSL_CTX_free(netdata_ssl_srv_ctx);
 }
- if (netdata_client_ctx) {
- SSL_CTX_free(netdata_client_ctx);
+ if (netdata_ssl_client_ctx) {
+ SSL_CTX_free(netdata_ssl_client_ctx);
 }
- if (netdata_exporting_ctx) {
- SSL_CTX_free(netdata_exporting_ctx);
+ if (netdata_ssl_exporting_ctx) {
+ SSL_CTX_free(netdata_ssl_exporting_ctx);
 }
 #if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
@@ -355,32 +356,23 @@ int security_test_certificate(SSL *ssl) {
 *
 * @return It returns 0 on success and -1 otherwise.
 */
-int security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
- struct stat statbuf;
- if (stat(file, &statbuf)) {
- info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
- return 0;
- }
-
- ERR_clear_error();
- u_long err;
- char buf[256];
- if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
- goto slfc;
+int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
+ int load_custom = 1, load_default = 1;
+ if (file || path) {
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ load_custom = 0;
+ }
 }
 if(!SSL_CTX_set_default_verify_paths(ctx)) {
- goto slfc;
+ info("Can not verify default OpenSSL configuration to validate certificates!");
+ load_default = 0;
 }
- return 0;
+ if (load_custom == 0 && load_default == 0) return -1;
-slfc:
- while ((err = ERR_get_error()) != 0) {
- ERR_error_string_n(err, buf, sizeof(buf));
- error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf);
- }
- return -1;
+ return 0;
 }
-
 #endif
--
cgit v1.2.3
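Review bot: With no CAfile or CApath configured, `ssl_security_location_for_context` still reports success when `SSL_CTX_set_default_verify_paths` fails, because `load_custom` starts at 1 and is only cleared inside the `if (file || path)` block, so the `load_custom == 0 && load_default == 0` test can never be true in that case and the caller gets 0 for a context that has no trust anchors loaded. Initialising the flag from the inputs fixes it: `int load_custom = (file || path) ? 1 : 0, load_default = 1;`. The rewrite also drops the `ERR_clear_error()` call and the `ERR_get_error()` drain loop the removed lines had, so a failed load now leaves the OpenSSL error queue populated for this thread and the two new `info()` messages carry no OpenSSL reason string; re-adding a drain loop after each failed call (`ERR_get_error()` into `ERR_error_string_n`, one log line per entry) restores both the clean queue and the diagnostic. A trust-store load failure is additionally logged at `info` where the old path used `error`, which makes it easy to miss for anyone filtering on error-level output.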