archive/netdata_netdata
0
0
Fork 0
mirror of https://github.com/netdata/netdata.git synced 2025-04-24 05:13:08 +00:00
Code Issues Projects Releases Wiki Activity
netdata_netdata/libnetdata/socket/security.c
Andrew Clayton adb7026b14 Make use of GCC's __attribute__((unused)) () 
* configure.ac: Add support for GCC's __attribute__((unused))

When compiling under GCC with -Wextra (along with -Wall) there are a lot
of compiler warnings such as

collectors/cgroups.plugin/cgroup-network.c:89:45: warning: unused parameter ‘scope’ [-Wunused-parameter]
   89 | struct iface *read_proc_net_dev(const char *scope, const char *prefix) {
      |                                 ~~~~~~~~~~~~^~~~~

Some arguments may be able to be got rid off, others won't.

GCC (and at least clang[0]) provide an __attribute__((unused))
annotation that can be used on function parameters (also on variables,
functions, labels, enums, structs etc) to inform the compiler of such
and will squash warnings of the above nature.

A check is added to configure.ac for the use of GCC (I believe $GCC will
be set to 'yes' for clang also) and if found it creates __always_unused
& __maybe_unused #define's set to __attribute__((unused)) otherwise it
just sets them empty.

If other compilers have a similar feature this check can be adjusted to
accommodate them.

The reason for the two defines is that some variables may always be
unused in a function, others may or may not depending on #ifdef's for
example. So we are able to document both cases.

Subsequent commits will start making use of these to squash such
compiler warnings.

[0]: https://clang.llvm.org/docs/AttributeReference.html#maybe-unused-unused

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* collectors/statsd.plugin: Mark a function argument as __maybe_unused

In collectors/statsd.plugin/statsd.c the app function argument to
STATSD_APP_CHART_DIM() might be unused if NETDATA_INTERNAL_CHECKS is not
defined, then the debug() macro that it's used in from
libnetdata/log/log.h will be defined to a dummy function where none of
the arguments are used.

This fixes a compiler warning [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* collectors/apps.plugin: Mark a function argument as __maybe_unused

In collectors/apps.plugin/apps_plugin.c the function
debug_print_process_tree() takes an argument 'msg' that might be unused
if NETDATA_INTERNAL_CHECKS is not defined, then debug_log() will be set
to a dummy function that takes no arguments.

This fixes a compiler warning [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* libnetdata/locks/locks: Mark function arguments as __maybe_unused

In libnetdata/locks/locks.c there a number of functions that take
arguments 'file', 'function' & 'line' that might be unused if
NETDATA_INTERNAL_CHECKS is not defined, then the debug() macro that it's
used in from libnetdata/log/log.h will be defined to a dummy function
where none of the arguments are used.

This fixes compiler warnings [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* libnetdata/socket/security: Mark a function argument as __maybe_unused

In libnetdata/socket/security.c the function security_info_callback()
takes an argument 'ret' that might be unused if NETDATA_INTERNAL_CHECKS
is not defined, then the debug() macro that it's used in from
libnetdata/log/log.h will be defined to a dummy function where none of
the arguments are used.

This fixes a compiler warning [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* collectors/cgroups.plugin: Mark a function argument as __maybe_unused

In collectors/cgroups.plugin/cgroup-network.c the function
read_proc_net_dev() takes an argument 'scope' that might be unused if
the NETDATA_INTERNAL_CHECKS is not defined.

This fixes a compiler warning [-Wunused-parameter] when compiling with
-Wextra *and* -Wall".

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* database/rrddim: Mark function arguments as __maybe_unused

In database/rrddim.c there a couple of functions that take a 'st'
argument that might be unused if NETDATA_INTERNAL_CHECKS is not defined,
then the debug() macro that it's used in from libnetdata/log/log.h will
be defined to a dummy function where none of the arguments are used.

This fixes compiler warnings [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>

* database/rrdvar: Mark a function argument as __maybe_unused

In database/rrdvar.c the function rrdvar_create_and_index() take an
argument 'scope' that might be unused if NETDATA_INTERNAL_CHECKS is not
defined, then the debug() macro that it's used in from
libnetdata/log/log.h will be defined to a dummy function where none of
the arguments are used.

This fixes a compiler warning [-Wunused-parameter] when compiling with
-Wextra *and* -Wall.

Signed-off-by: Andrew Clayton <andrew@zeta.digital-domain.net>
2019-07-23 14:12:41 +02:00

277 lines
7.8 KiB
C
Raw Blame History

#include "../libnetdata.h"
#ifdef ENABLE_HTTPS
SSL_CTX *netdata_opentsdb_ctx=NULL;
SSL_CTX *netdata_client_ctx=NULL;
SSL_CTX *netdata_srv_ctx=NULL;
const char *security_key=NULL;
const char *security_cert=NULL;
int netdata_use_ssl_on_stream = NETDATA_SSL_OPTIONAL;
int netdata_use_ssl_on_http = NETDATA_SSL_FORCE; //We force SSL due safety reasons
int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
/**
* Info Callback
*
* Function used as callback for the OpenSSL Library
*
* @param ssl a pointer to the SSL structure of the client
* @param where the variable with the flags set.
* @param ret the return of the caller
*/
static void security_info_callback(const SSL *ssl, int where, int ret __maybe_unused) {
(void)ssl;
if (where & SSL_CB_ALERT) {
debug(D_WEB_CLIENT,"SSL INFO CALLBACK %s %s", SSL_alert_type_string(ret), SSL_alert_desc_string_long(ret));
}
}
/**
* OpenSSL Library
*
* Starts the openssl library for the Netdata.
*/
void security_openssl_library()
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
# if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
OPENSSL_config(NULL);
# endif
# if OPENSSL_API_COMPAT < 0x10100000L
SSL_load_error_strings();
# endif
SSL_library_init();
#else
if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
error("SSL library cannot be initialized.");
}
#endif
}
/**
* OpenSSL common options
*
* Clients and SERVER have common options, this function is responsible to set them in the context.
*
* @param ctx
*/
void security_openssl_common_options(SSL_CTX *ctx) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"};
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
#else
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
//We are avoiding the TLS v1.3 for while, because Google Chrome
//is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it.
SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
#endif
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
error("SSL error. cannot set the cipher list");
}
#endif
}
/**
* Initialize Openssl Client
*
* Starts the client context with TLS 1.2.
*
* @return It returns the context on success or NULL otherwise
*/
static SSL_CTX * security_initialize_openssl_client() {
SSL_CTX *ctx;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_client_method());
#else
ctx = SSL_CTX_new(TLS_client_method());
#endif
if(ctx) {
security_openssl_common_options(ctx);
}
return ctx;
}
/**
* Initialize OpenSSL server
*
* Starts the server context with TLS 1.2 and load the certificate.
*
* @return It returns the context on success or NULL otherwise
*/
static SSL_CTX * security_initialize_openssl_server() {
SSL_CTX *ctx;
char lerror[512];
static int netdata_id_context = 1;
//TO DO: Confirm the necessity to check return for other OPENSSL function
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
error("Cannot create a new SSL context, netdata won't encrypt communication");
return NULL;
}
SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM);
#else
ctx = SSL_CTX_new(TLS_server_method());
if (!ctx) {
error("Cannot create a new SSL context, netdata won't encrypt communication");
return NULL;
}
SSL_CTX_use_certificate_chain_file(ctx, security_cert);
#endif
security_openssl_common_options(ctx);
SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
if (!SSL_CTX_check_private_key(ctx)) {
ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror));
error("SSL cannot check the private key: %s",lerror);
SSL_CTX_free(ctx);
return NULL;
}
SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context));
SSL_CTX_set_info_callback(ctx,security_info_callback);
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
SSL_CTX_set_verify_depth(ctx,1);
#endif
debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n");
return ctx;
}
/**
* Start SSL
*
* Call the correct function to start the SSL context.
*
* @param selector informs the context that must be initialized, the following list has the valid values:
* NETDATA_SSL_CONTEXT_SERVER - the server context
* NETDATA_SSL_CONTEXT_STREAMING - Starts the streaming context.
* NETDATA_SSL_CONTEXT_OPENTSDB - Starts the OpenTSDB contextv
*/
void security_start_ssl(int selector) {
switch (selector) {
case NETDATA_SSL_CONTEXT_SERVER: {
struct stat statbuf;
if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
return;
}
netdata_srv_ctx = security_initialize_openssl_server();
break;
}
case NETDATA_SSL_CONTEXT_STREAMING: {
netdata_client_ctx = security_initialize_openssl_client();
break;
}
case NETDATA_SSL_CONTEXT_OPENTSDB: {
netdata_opentsdb_ctx = security_initialize_openssl_client();
break;
}
}
}
void security_clean_openssl() {
if (netdata_srv_ctx)
{
SSL_CTX_free(netdata_srv_ctx);
}
if (netdata_client_ctx)
{
SSL_CTX_free(netdata_client_ctx);
}
if ( netdata_opentsdb_ctx )
{
SSL_CTX_free(netdata_opentsdb_ctx);
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_free_strings();
#endif
}
int security_process_accept(SSL *ssl,int msg) {
int sock = SSL_get_fd(ssl);
int test;
if (msg > 0x17)
{
return NETDATA_SSL_NO_HANDSHAKE;
}
ERR_clear_error();
if ((test = SSL_accept(ssl)) <= 0) {
int sslerrno = SSL_get_error(ssl, test);
switch(sslerrno) {
case SSL_ERROR_WANT_READ:
{
error("SSL handshake did not finish and it wanna read on socket %d!", sock);
return NETDATA_SSL_WANT_READ;
}
case SSL_ERROR_WANT_WRITE:
{
error("SSL handshake did not finish and it wanna read on socket %d!", sock);
return NETDATA_SSL_WANT_WRITE;
}
case SSL_ERROR_NONE:
case SSL_ERROR_SSL:
case SSL_ERROR_SYSCALL:
default:
{
u_long err;
char buf[256];
int counter = 0;
while ((err = ERR_get_error()) != 0) {
ERR_error_string_n(err, buf, sizeof(buf));
info("%d SSL Handshake error (%s) on socket %d ", counter++, ERR_error_string((long)SSL_get_error(ssl, test), NULL), sock);
}
return NETDATA_SSL_NO_HANDSHAKE;
}
}
}
if (SSL_is_init_finished(ssl))
{
debug(D_WEB_CLIENT_ACCESS,"SSL Handshake finished %s errno %d on socket fd %d", ERR_error_string((long)SSL_get_error(ssl, test), NULL), errno, sock);
}
return 0;
}
int security_test_certificate(SSL *ssl) {
X509* cert = SSL_get_peer_certificate(ssl);
int ret;
long status;
if (!cert) {
return -1;
}
status = SSL_get_verify_result(ssl);
if((X509_V_OK != status))
{
char error[512];
ERR_error_string_n(ERR_get_error(), error, sizeof(error));
error("SSL RFC4158 check: We have a invalid certificate, the tests result with %ld and message %s", status, error);
ret = -1;
} else {
ret = 0;
}
return ret;
}
#endif
Reference in a new issue View git blame Copy permalink