authorthiagoftsm <49162938+thiagoftsm@users.noreply.github.com>2019-06-27 11:20:28 -0300
committerGitHub <noreply@github.com>2019-06-27 11:20:28 -0300
commitca1799280d51e85f85ff436fca121e6d2a241bb3 (patch)
tree8c8ad3faba67c0dc69c00d645e80f731cc4309aa /libnetdata
parent60a73e90de2aa1c2eaae2ebbc45dd1fb96034df2 (diff)
Backend and SSL! (#6220)
* SSL_backend Begin of the encryption of backend! * SSL_backend changing opentsdb! * SSL_backend fix HTTP message with JSON! * SSL_backend HTTP API done! * SSL_fix_format preparing to connect with proxy! * SSL_backend wip SSL send/receive ! * SSL_backend working with proxy * SSL_backend removing comments! * SSL_backend documentation! * SSL_backend review! * SSL_backend organizing! * Alarm_backend remove comments! * SSL_backend! * SSL_backend typedef! * SSL_backend bring switch! * SSL_backend committing format changes! * SSL_backend fix github parser! * SSL_Backend fix format! * SSL_backend switch everything! * SSL_backend reviewing! * SSL_backend comments! * SSL_backend indentation! * SSL_backend indentation 3! * SSL_backend documentation! * SSL_backend hidden pointer! * SSL_backend missing space * SSL_backend change documentation! * SSL_backend change documentation 2!
Diffstat (limited to 'libnetdata')
-rw-r--r--libnetdata/socket/security.c87
-rw-r--r--libnetdata/socket/security.h7
2 files changed, 79 insertions, 15 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 6a02e4ef92..dcbd3f6508 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -2,6 +2,7 @@
#ifdef ENABLE_HTTPS
+SSL_CTX *netdata_opentsdb_ctx=NULL;
SSL_CTX *netdata_client_ctx=NULL;
SSL_CTX *netdata_srv_ctx=NULL;
const char *security_key=NULL;
@@ -10,6 +11,15 @@ int netdata_use_ssl_on_stream = NETDATA_SSL_OPTIONAL;
int netdata_use_ssl_on_http = NETDATA_SSL_FORCE; //We force SSL due safety reasons
int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
+/**
+ * Info Callback
+ *
+ * Function used as callback for the OpenSSL Library
+ *
+ * @param ssl a pointer to the SSL structure of the client
+ * @param where the variable with the flags set.
+ * @param ret the return of the caller
+ */
static void security_info_callback(const SSL *ssl, int where, int ret) {
(void)ssl;
if (where & SSL_CB_ALERT) {
@@ -17,6 +27,11 @@ static void security_info_callback(const SSL *ssl, int where, int ret) {
}
}
+/**
+ * OpenSSL Library
+ *
+ * Starts the openssl library for the Netdata.
+ */
void security_openssl_library()
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -36,6 +51,13 @@ void security_openssl_library()
#endif
}
+/**
+ * OpenSSL common options
+ *
+ * Clients and SERVER have common options, this function is responsible to set them in the context.
+ *
+ * @param ctx
+ */
void security_openssl_common_options(SSL_CTX *ctx) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"};
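Review bot: The new doc block on security_openssl_common_options leaves `@param ctx` with no description, so the only documented parameter says nothing about what callers may pass. The new `if(ctx)` guard added in security_initialize_openssl_client later in this commit shows that the function is only meant to be reached with a live context, which is the contract worth writing down: `@param ctx the client or server SSL_CTX to configure; must not be NULL`. The body of security_openssl_common_options continues past the end of this hunk.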
@@ -55,10 +77,15 @@ void security_openssl_common_options(SSL_CTX *ctx) {
error("SSL error. cannot set the cipher list");
}
#endif
-
-
}
+/**
+ * Initialize Openssl Client
+ *
+ * Starts the client context with TLS 1.2.
+ *
+ * @return It returns the context on success or NULL otherwise
+ */
static SSL_CTX * security_initialize_openssl_client() {
SSL_CTX *ctx;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
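Review bot: The new docstring says security_initialize_openssl_client "Starts the client context with TLS 1.2", but the constructor visible on the modern-OpenSSL path in the next hunk is `SSL_CTX_new(TLS_client_method())`, which negotiates whatever protocol version the library permits unless a floor is set elsewhere, presumably in security_openssl_common_options (not shown here). If that helper pins the minimum version, say so; otherwise the doc promises a guarantee this function does not itself provide. Suggested wording: `Creates the client SSL_CTX and applies the common options; the protocol floor, if any, is set by security_openssl_common_options.` The same "with TLS 1.2" claim appears in the new server docstring in the next hunk, and the function body continues there.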
@@ -66,11 +93,20 @@ static SSL_CTX * security_initialize_openssl_client() {
#else
ctx = SSL_CTX_new(TLS_client_method());
#endif
- security_openssl_common_options(ctx);
+ if(ctx) {
+ security_openssl_common_options(ctx);
+ }
return ctx;
}
+/**
+ * Initialize OpenSSL server
+ *
+ * Starts the server context with TLS 1.2 and load the certificate.
+ *
+ * @return It returns the context on success or NULL otherwise
+ */
static SSL_CTX * security_initialize_openssl_server() {
SSL_CTX *ctx;
char lerror[512];
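Review bot: The added `if(ctx)` guard in security_initialize_openssl_client stops a failed SSL_CTX_new from being dereferenced, but the failure stays silent: the function returns NULL and security_start_ssl stores it into the global with no diagnostic, so an operator only discovers the missing client context when a later connection fails. The file already reports this class of failure through error() (see the cipher-list message earlier in the diff), so the matching branch is cheap: `} else { error("SSL error. cannot create the client context"); }`. security_initialize_openssl_server, whose new docstring ends this hunk, continues past it.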
@@ -116,18 +152,36 @@ static SSL_CTX * security_initialize_openssl_server() {
return ctx;
}
-void security_start_ssl(int type) {
- if (!type) {
- struct stat statbuf;
- if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
- info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
- return;
+/**
+ * Start SSL
+ *
+ * Call the correct function to start the SSL context.
+ *
+ * @param selector informs the context that must be initialized, the following list has the valid values:
+ * NETDATA_SSL_CONTEXT_SERVER - the server context
+ * NETDATA_SSL_CONTEXT_STREAMING - Starts the streaming context.
+ * NETDATA_SSL_CONTEXT_OPENTSDB - Starts the OpenTSDB contextv
+ */
+void security_start_ssl(int selector) {
+ switch (selector) {
+ case NETDATA_SSL_CONTEXT_SERVER: {
+ struct stat statbuf;
+ if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
+ info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
+ return;
+ }
+
+ netdata_srv_ctx = security_initialize_openssl_server();
+ break;
+ }
+ case NETDATA_SSL_CONTEXT_STREAMING: {
+ netdata_client_ctx = security_initialize_openssl_client();
+ break;
+ }
+ case NETDATA_SSL_CONTEXT_OPENTSDB: {
+ netdata_opentsdb_ctx = security_initialize_openssl_client();
+ break;
}
-
- netdata_srv_ctx = security_initialize_openssl_server();
- }
- else {
- netdata_client_ctx = security_initialize_openssl_client();
}
}
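Review bot: The new switch in security_start_ssl has no `default:` branch, so an unrecognised selector initialises nothing and leaves every context NULL with no indication that the call was wrong; a caller cannot tell a bad selector from a deliberate no-op. Add `default: error("SSL error. unknown context selector"); break;` as the last case. The new @param text also carries a stray character in `Starts the OpenTSDB contextv`, which should read `Starts the OpenTSDB context`.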
@@ -142,6 +196,11 @@ void security_clean_openssl() {
SSL_CTX_free(netdata_client_ctx);
}
+ if ( netdata_opentsdb_ctx )
+ {
+ SSL_CTX_free(netdata_opentsdb_ctx);
+ }
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_free_strings();
#endif
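Review bot: In security_clean_openssl the new block frees netdata_opentsdb_ctx but leaves the global pointing at freed memory, as the existing netdata_client_ctx free just above it already does; both variables are file-scope and exported through security.h, so any later use or a second cleanup hands a dangling SSL_CTX* to the library. Add `netdata_opentsdb_ctx = NULL;` after the free, and consider the same for the client context. The brace-on-its-own-line layout of the added `if` also differs from the K&R style used elsewhere in this file (`if (where & SSL_CB_ALERT) {`); `if (netdata_opentsdb_ctx) {` keeps it consistent. security_clean_openssl starts before this hunk.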
diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h
index dc0e910e70..8beb9672f2 100644
--- a/libnetdata/socket/security.h
+++ b/libnetdata/socket/security.h
@@ -11,6 +11,10 @@
# define NETDATA_SSL_INVALID_CERTIFICATE 64 //Accepts invalid certificate
# define NETDATA_SSL_VALID_CERTIFICATE 128 //Accepts invalid certificate
+#define NETDATA_SSL_CONTEXT_SERVER 0
+#define NETDATA_SSL_CONTEXT_STREAMING 1
+#define NETDATA_SSL_CONTEXT_OPENTSDB 2
+
# ifdef ENABLE_HTTPS
# include <openssl/ssl.h>
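Review bot: The three new NETDATA_SSL_CONTEXT_* values form a closed set that security_start_ssl switches over, which an enum expresses better than plain macros: the constants are visible in a debugger and, once the selector parameter takes the enum type, the compiler can warn when a switch misses a member. `enum { NETDATA_SSL_CONTEXT_SERVER = 0, NETDATA_SSL_CONTEXT_STREAMING = 1, NETDATA_SSL_CONTEXT_OPENTSDB = 2 };` keeps the same names and values. If the macro form stays, the surrounding lines spell the directive as `# define`, and matching that keeps the header consistent.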
@@ -24,6 +28,7 @@ struct netdata_ssl{
int flags;
};
+extern SSL_CTX *netdata_opentsdb_ctx;
extern SSL_CTX *netdata_client_ctx;
extern SSL_CTX *netdata_srv_ctx;
extern const char *security_key;
@@ -34,7 +39,7 @@ extern int netdata_validate_server;
void security_openssl_library();
void security_clean_openssl();
-void security_start_ssl(int type);
+void security_start_ssl(int selector);
int security_process_accept(SSL *ssl,int msg);
int security_test_certificate(SSL *ssl);