archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-04-27 06:10:43 +00:00
Code Issues Projects Releases Wiki Activity

SSL_fix_format Fix wrong format used with SSL! ()

Browse source 
* SSL_fix_format Fix wrong format used with SSL!

* SSL_fix_format Remove unnecessary space!

* SSL_fix_format fixing last requests!

* SSL_fix_format fixing spaces!

* SSL_fix_format killing spaces!
This commit is contained in:
thiagoftsm 2019-06-06 16:58:34 +00:00 committed by GitHub
parent 3b72bed2a5
commit 7039044be9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 39 deletions
libnetdata/socket
security.csocket.c

59
libnetdata/socket/security.c
View file

@ -12,8 +12,8 @@ int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
static void security_info_callback(const SSL *ssl, int where, int ret) { static void security_info_callback(const SSL *ssl, int where, int ret) {
(void)ssl; (void)ssl;
if ( where & SSL_CB_ALERT ) { if (where & SSL_CB_ALERT) {
debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s",SSL_alert_type_string( ret ),SSL_alert_desc_string_long(ret)); debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", SSL_alert_type_string(ret), SSL_alert_desc_string_long(ret));
} }
} }
@ -30,28 +30,28 @@ void security_openssl_library()
SSL_library_init(); SSL_library_init();
#else #else
if ( OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG,NULL) != 1 ){ if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
error("SSL library cannot be initialized."); error("SSL library cannot be initialized.");
} }
#endif #endif
} }
void security_openssl_common_options(SSL_CTX *ctx){ void security_openssl_common_options(SSL_CTX *ctx) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"}; static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"};
#endif #endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L #if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
#else #else
SSL_CTX_set_min_proto_version(ctx,TLS1_2_VERSION); SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
//We are avoiding the TLS v1.3 for while, because Google Chrome //We are avoiding the TLS v1.3 for while, because Google Chrome
//is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it. //is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it.
SSL_CTX_set_max_proto_version(ctx,TLS1_2_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
#endif #endif
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (!SSL_CTX_set_cipher_list(ctx,ciphers) ){ if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
error("SSL error. cannot set the cipher list"); error("SSL error. cannot set the cipher list");
} }
#endif #endif
@ -71,7 +71,7 @@ static SSL_CTX * security_initialize_openssl_client() {
return ctx; return ctx;
} }
static SSL_CTX * security_initialize_openssl_server(){ static SSL_CTX * security_initialize_openssl_server() {
SSL_CTX *ctx; SSL_CTX *ctx;
char lerror[512]; char lerror[512];
static int netdata_id_context = 1; static int netdata_id_context = 1;
@ -79,7 +79,7 @@ static SSL_CTX * security_initialize_openssl_server(){
//TO DO: Confirm the necessity to check return for other OPENSSL function //TO DO: Confirm the necessity to check return for other OPENSSL function
#if OPENSSL_VERSION_NUMBER < 0x10100000L #if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_server_method()); ctx = SSL_CTX_new(SSLv23_server_method());
if ( !ctx ) { if (!ctx) {
error("Cannot create a new SSL context, netdata won't encrypt communication"); error("Cannot create a new SSL context, netdata won't encrypt communication");
return NULL; return NULL;
} }
@ -87,18 +87,18 @@ static SSL_CTX * security_initialize_openssl_server(){
SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM); SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM);
#else #else
ctx = SSL_CTX_new(TLS_server_method()); ctx = SSL_CTX_new(TLS_server_method());
if ( !ctx ){ if (!ctx) {
error("Cannot create a new SSL context, netdata won't encrypt communication"); error("Cannot create a new SSL context, netdata won't encrypt communication");
return NULL; return NULL;
} }
SSL_CTX_use_certificate_chain_file(ctx, security_cert ); SSL_CTX_use_certificate_chain_file(ctx, security_cert);
#endif #endif
security_openssl_common_options(ctx); security_openssl_common_options(ctx);
SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
if ( !SSL_CTX_check_private_key(ctx) ){ if (!SSL_CTX_check_private_key(ctx)) {
ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror)); ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror));
error("SSL cannot check the private key: %s",lerror); error("SSL cannot check the private key: %s",lerror);
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
@ -116,10 +116,10 @@ static SSL_CTX * security_initialize_openssl_server(){
return ctx; return ctx;
} }
void security_start_ssl(int type){ void security_start_ssl(int type) {
if ( !type){ if (!type) {
struct stat statbuf; struct stat statbuf;
if ( (stat(security_key,&statbuf)) || (stat(security_cert,&statbuf)) ){ if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n"); info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
return; return;
} }
@ -131,13 +131,13 @@ void security_start_ssl(int type){
} }
} }
void security_clean_openssl(){ void security_clean_openssl() {
if ( netdata_srv_ctx ) if (netdata_srv_ctx)
{ {
SSL_CTX_free(netdata_srv_ctx); SSL_CTX_free(netdata_srv_ctx);
} }
if ( netdata_cli_ctx ) if (netdata_cli_ctx)
{ {
SSL_CTX_free(netdata_cli_ctx); SSL_CTX_free(netdata_cli_ctx);
} }
@ -161,12 +161,12 @@ int security_process_accept(SSL *ssl,int msg) {
switch(sslerrno) { switch(sslerrno) {
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
{ {
error("SSL handshake did not finish and it wanna read on socket %d!",sock); error("SSL handshake did not finish and it wanna read on socket %d!", sock);
return NETDATA_SSL_WANT_READ; return NETDATA_SSL_WANT_READ;
} }
case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_WRITE:
{ {
error("SSL handshake did not finish and it wanna read on socket %d!",sock); error("SSL handshake did not finish and it wanna read on socket %d!", sock);
return NETDATA_SSL_WANT_WRITE; return NETDATA_SSL_WANT_WRITE;
} }
case SSL_ERROR_NONE: case SSL_ERROR_NONE:
@ -177,28 +177,28 @@ int security_process_accept(SSL *ssl,int msg) {
u_long err; u_long err;
char buf[256]; char buf[256];
int counter = 0; int counter = 0;
while ((err = ERR_get_error()) != 0){ while ((err = ERR_get_error()) != 0) {
ERR_error_string_n(err, buf, sizeof(buf)); ERR_error_string_n(err, buf, sizeof(buf));
info("%d SSL Handshake error (%s) on socket %d ",counter++,ERR_error_string((long)SSL_get_error(ssl,test),NULL),sock); info("%d SSL Handshake error (%s) on socket %d ", counter++, ERR_error_string((long)SSL_get_error(ssl, test), NULL), sock);
} }
return NETDATA_SSL_NO_HANDSHAKE; return NETDATA_SSL_NO_HANDSHAKE;
} }
} }
} }
if ( SSL_is_init_finished(ssl) ) if (SSL_is_init_finished(ssl))
{ {
debug(D_WEB_CLIENT_ACCESS,"SSL Handshake finished %s errno %d on socket fd %d",ERR_error_string((long)SSL_get_error(ssl,test),NULL),errno,sock); debug(D_WEB_CLIENT_ACCESS,"SSL Handshake finished %s errno %d on socket fd %d", ERR_error_string((long)SSL_get_error(ssl, test), NULL), errno, sock);
} }
return 0; return 0;
} }
int security_test_certificate(SSL *ssl){ int security_test_certificate(SSL *ssl) {
X509* cert = SSL_get_peer_certificate(ssl); X509* cert = SSL_get_peer_certificate(ssl);
int ret; int ret;
long status; long status;
if (!cert){ if (!cert) {
return -1; return -1;
} }
@ -206,11 +206,10 @@ int security_test_certificate(SSL *ssl){
if((X509_V_OK != status)) if((X509_V_OK != status))
{ {
char error[512]; char error[512];
ERR_error_string_n(ERR_get_error(),error,sizeof(error)); ERR_error_string_n(ERR_get_error(), error, sizeof(error));
error("SSL RFC4158 check: We have a invalid certificate, the tests result with %ld and message %s",status,error); error("SSL RFC4158 check: We have a invalid certificate, the tests result with %ld and message %s", status, error);
ret = -1; ret = -1;
} } else {
else {
ret = 0; ret = 0;
} }
return ret; return ret;

18
libnetdata/socket/socket.c
View file

@ -301,13 +301,13 @@ void listen_sockets_close(LISTEN_SOCKETS *sockets) {
sockets->failed = 0; sockets->failed = 0;
} }
WEB_CLIENT_ACL socket_ssl_acl(char *ssl){ WEB_CLIENT_ACL socket_ssl_acl(char *ssl) {
#ifdef ENABLE_HTTPS #ifdef ENABLE_HTTPS
if (!strcmp(ssl,"optional")){ if (!strcmp(ssl,"optional")) {
netdata_use_ssl_on_http = NETDATA_SSL_OPTIONAL; netdata_use_ssl_on_http = NETDATA_SSL_OPTIONAL;
return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING; return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
} }
else if (!strcmp(ssl,"force")){ else if (!strcmp(ssl,"force")) {
netdata_use_ssl_on_stream = NETDATA_SSL_FORCE; netdata_use_ssl_on_stream = NETDATA_SSL_FORCE;
return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING; return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
} }
@ -318,9 +318,9 @@ WEB_CLIENT_ACL socket_ssl_acl(char *ssl){
WEB_CLIENT_ACL read_acl(char *st) { WEB_CLIENT_ACL read_acl(char *st) {
char *ssl = strchr(st,'^'); char *ssl = strchr(st,'^');
if (ssl){ if (ssl) {
ssl++; ssl++;
if ( !strncmp("SSL=",ssl,4)){ if (!strncmp("SSL=",ssl,4)) {
ssl += 4; ssl += 4;
} }
socket_ssl_acl(ssl); socket_ssl_acl(ssl);
@ -883,8 +883,8 @@ ssize_t recv_timeout(int sockfd, void *buf, size_t len, int flags, int timeout)
} }
#ifdef ENABLE_HTTPS #ifdef ENABLE_HTTPS
if (ssl->conn){ if (ssl->conn) {
if (!ssl->flags){ if (!ssl->flags) {
return SSL_read(ssl->conn,buf,len); return SSL_read(ssl->conn,buf,len);
} }
} }
@ -926,8 +926,8 @@ ssize_t send_timeout(int sockfd, void *buf, size_t len, int flags, int timeout)
} }
#ifdef ENABLE_HTTPS #ifdef ENABLE_HTTPS
if(ssl->conn){ if(ssl->conn) {
if (!ssl->flags){ if (!ssl->flags) {
return SSL_write(ssl->conn, buf, len); return SSL_write(ssl->conn, buf, len);
} }
} }