root/daemons/execd/remoted_tls.c

/* [previous][next][first][last][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. remoted__read_handshake_data
  2. lrmd_remote_client_msg
  3. lrmd_remote_client_destroy
  4. lrmd_auth_timeout_cb
  5. lrmd_remote_listen
  6. tls_server_dropped
  7. lrmd_tls_server_key_cb
  8. bind_and_listen
  9. get_address_info
  10. lrmd_init_remote_tls_server
  11. execd_stop_tls_server
   1 /*
   2  * Copyright 2012-2025 the Pacemaker project contributors
   3  *
   4  * The version control history for this file may have further details.
   5  *
   6  * This source code is licensed under the GNU Lesser General Public License
   7  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
   8  */
   9 
  10 #include <crm_internal.h>
  11 
  12 #include <glib.h>
  13 #include <unistd.h>
  14 
  15 #include <crm/crm.h>
  16 #include <crm/common/mainloop.h>
  17 #include <crm/common/xml.h>
  18 #include <crm/common/remote_internal.h>
  19 #include <crm/common/tls_internal.h>
  20 #include <crm/lrmd_internal.h>
  21 
  22 #include <netdb.h>
  23 #include <sys/socket.h>
  24 #include <netinet/in.h>
  25 #include <netinet/ip.h>
  26 #include <arpa/inet.h>
  27 
  28 #include "pacemaker-execd.h"
  29 
  30 #include <gnutls/gnutls.h>
  31 
  32 #define LRMD_REMOTE_AUTH_TIMEOUT 10000
  33 
  34 static pcmk__tls_t *tls = NULL;
  35 static int ssock = -1;
  36 extern int lrmd_call_id;
  37 
  38 /*!
  39  * \internal
  40  * \brief Read (more) TLS handshake data from client
  41  *
  42  * \param[in,out] client  IPC client doing handshake
  43  *
  44  * \return 0 on success or more data needed, -1 on error
  45  */
  46 static int
  47 remoted__read_handshake_data(pcmk__client_t *client)
     /* [previous][next][first][last][top][bottom][index][help] */
  48 {
  49     int rc = pcmk__read_handshake_data(client);
  50 
  51     if (rc == EAGAIN) {
  52         /* No more data is available at the moment. Just return for now;
  53          * we'll get invoked again once the client sends more.
  54          */
  55         return 0;
  56     } else if (rc != pcmk_rc_ok) {
  57         return -1;
  58     }
  59 
  60     if (client->remote->auth_timeout) {
  61         g_source_remove(client->remote->auth_timeout);
  62     }
  63     client->remote->auth_timeout = 0;
  64 
  65     pcmk__set_client_flags(client, pcmk__client_tls_handshake_complete);
  66     crm_notice("Remote client connection accepted");
  67 
  68     /* Now that the handshake is done, see if any client TLS certificate is
  69      * close to its expiration date and log if so.  If a TLS certificate is not
  70      * in use, this function will just return so we don't need to check for the
  71      * session type here.
  72      */
  73     pcmk__tls_check_cert_expiration(client->remote->tls_session);
  74 
  75     /* Only a client with access to the TLS key can connect, so we can treat
  76      * it as privileged.
  77      */
  78     pcmk__set_client_flags(client, pcmk__client_privileged);
  79 
  80     // Alert other clients of the new connection
  81     notify_of_new_client(client);
  82     return 0;
  83 }
  84 
  85 static int
  86 lrmd_remote_client_msg(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
  87 {
  88     int id = 0;
  89     int rc = pcmk_rc_ok;
  90     xmlNode *request = NULL;
  91     pcmk__client_t *client = data;
  92 
  93     if (!pcmk_is_set(client->flags, pcmk__client_tls_handshake_complete)) {
  94         return remoted__read_handshake_data(client);
  95     }
  96 
  97     rc = pcmk__remote_ready(client->remote, 0);
  98     switch (rc) {
  99         case pcmk_rc_ok:
 100             break;
 101 
 102         case ETIME:
 103             /* No message available to read */
 104             return 0;
 105 
 106         default:
 107             /* Error */
 108             crm_info("Error polling remote client: %s", pcmk_rc_str(rc));
 109             return -1;
 110     }
 111 
 112     rc = pcmk__read_available_remote_data(client->remote);
 113     switch (rc) {
 114         case pcmk_rc_ok:
 115             break;
 116 
 117         case EAGAIN:
 118             /* We haven't read the whole message yet */
 119             return 0;
 120 
 121         default:
 122             /* Error */
 123             crm_info("Error reading from remote client: %s", pcmk_rc_str(rc));
 124             return -1;
 125     }
 126 
 127     request = pcmk__remote_message_xml(client->remote);
 128     if (request == NULL) {
 129         return 0;
 130     }
 131 
 132     crm_element_value_int(request, PCMK__XA_LRMD_REMOTE_MSG_ID, &id);
 133     crm_trace("Processing remote client request %d", id);
 134     if (!client->name) {
 135         client->name = crm_element_value_copy(request,
 136                                               PCMK__XA_LRMD_CLIENTNAME);
 137     }
 138 
 139     lrmd_call_id++;
 140     if (lrmd_call_id < 1) {
 141         lrmd_call_id = 1;
 142     }
 143 
 144     crm_xml_add(request, PCMK__XA_LRMD_CLIENTID, client->id);
 145     crm_xml_add(request, PCMK__XA_LRMD_CLIENTNAME, client->name);
 146     crm_xml_add_int(request, PCMK__XA_LRMD_CALLID, lrmd_call_id);
 147 
 148     process_lrmd_message(client, id, request);
 149     pcmk__xml_free(request);
 150 
 151     return 0;
 152 }
 153 
 154 static void
 155 lrmd_remote_client_destroy(gpointer user_data)
     /* [previous][next][first][last][top][bottom][index][help] */
 156 {
 157     pcmk__client_t *client = user_data;
 158 
 159     if (client == NULL) {
 160         return;
 161     }
 162 
 163     crm_notice("Cleaning up after remote client %s disconnected",
 164                pcmk__client_name(client));
 165 
 166     ipc_proxy_remove_provider(client);
 167 
 168     /* if this is the last remote connection, stop recurring
 169      * operations */
 170     if (pcmk__ipc_client_count() == 1) {
 171         client_disconnect_cleanup(NULL);
 172     }
 173 
 174     if (client->remote->tls_session) {
 175         int csock = pcmk__tls_get_client_sock(client->remote);
 176 
 177         gnutls_bye(client->remote->tls_session, GNUTLS_SHUT_RDWR);
 178         gnutls_deinit(client->remote->tls_session);
 179         client->remote->tls_session = NULL;
 180         close(csock);
 181     }
 182 
 183     lrmd_client_destroy(client);
 184     return;
 185 }
 186 
 187 static gboolean
 188 lrmd_auth_timeout_cb(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
 189 {
 190     pcmk__client_t *client = data;
 191 
 192     client->remote->auth_timeout = 0;
 193 
 194     if (pcmk_is_set(client->flags,
 195                     pcmk__client_tls_handshake_complete)) {
 196         return FALSE;
 197     }
 198 
 199     mainloop_del_fd(client->remote->source);
 200     client->remote->source = NULL;
 201     crm_err("Remote client authentication timed out");
 202 
 203     return FALSE;
 204 }
 205 
 206 // Dispatch callback for remote server socket
 207 static int
 208 lrmd_remote_listen(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
 209 {
 210     int csock = -1;
 211     gnutls_session_t session = NULL;
 212     pcmk__client_t *new_client = NULL;
 213 
 214     // For client socket
 215     static struct mainloop_fd_callbacks lrmd_remote_fd_cb = {
 216         .dispatch = lrmd_remote_client_msg,
 217         .destroy = lrmd_remote_client_destroy,
 218     };
 219 
 220     CRM_CHECK(ssock >= 0, return TRUE);
 221 
 222     if (pcmk__accept_remote_connection(ssock, &csock) != pcmk_rc_ok) {
 223         return TRUE;
 224     }
 225 
 226     session = pcmk__new_tls_session(tls, csock);
 227     if (session == NULL) {
 228         close(csock);
 229         return TRUE;
 230     }
 231 
 232     new_client = pcmk__new_unauth_client(NULL);
 233     new_client->remote = pcmk__assert_alloc(1, sizeof(pcmk__remote_t));
 234     pcmk__set_client_flags(new_client, pcmk__client_tls);
 235     new_client->remote->tls_session = session;
 236 
 237     // Require the client to authenticate within this time
 238     new_client->remote->auth_timeout = pcmk__create_timer(LRMD_REMOTE_AUTH_TIMEOUT,
 239                                                           lrmd_auth_timeout_cb,
 240                                                           new_client);
 241     crm_info("Remote client pending authentication "
 242              QB_XS " %p id: %s", new_client, new_client->id);
 243 
 244     new_client->remote->source =
 245         mainloop_add_fd("pacemaker-remote-client", G_PRIORITY_DEFAULT, csock,
 246                         new_client, &lrmd_remote_fd_cb);
 247     return TRUE;
 248 }
 249 
 250 static void
 251 tls_server_dropped(gpointer user_data)
     /* [previous][next][first][last][top][bottom][index][help] */
 252 {
 253     crm_notice("TLS server session ended");
 254     return;
 255 }
 256 
 257 // \return 0 on success, -1 on error (gnutls_psk_server_credentials_function)
 258 static int
 259 lrmd_tls_server_key_cb(gnutls_session_t session, const char *username, gnutls_datum_t * key)
     /* [previous][next][first][last][top][bottom][index][help] */
 260 {
 261     return (lrmd__init_remote_key(key) == pcmk_rc_ok)? 0 : -1;
 262 }
 263 
 264 static int
 265 bind_and_listen(struct addrinfo *addr)
     /* [previous][next][first][last][top][bottom][index][help] */
 266 {
 267     int optval;
 268     int fd;
 269     int rc;
 270     char buffer[INET6_ADDRSTRLEN] = { 0, };
 271 
 272     pcmk__sockaddr2str(addr->ai_addr, buffer);
 273     crm_trace("Attempting to bind to address %s", buffer);
 274 
 275     fd = socket(addr->ai_family, addr->ai_socktype, addr->ai_protocol);
 276     if (fd < 0) {
 277         rc = errno;
 278         crm_err("Listener socket creation failed: %", pcmk_rc_str(rc));
 279         return -rc;
 280     }
 281 
 282     /* reuse address */
 283     optval = 1;
 284     rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
 285     if (rc < 0) {
 286         rc = errno;
 287         crm_err("Local address reuse not allowed on %s: %s", buffer, pcmk_rc_str(rc));
 288         close(fd);
 289         return -rc;
 290     }
 291 
 292     if (addr->ai_family == AF_INET6) {
 293         optval = 0;
 294         rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &optval, sizeof(optval));
 295         if (rc < 0) {
 296             rc = errno;
 297             crm_err("Couldn't disable IPV6-only on %s: %s", buffer, pcmk_rc_str(rc));
 298             close(fd);
 299             return -rc;
 300         }
 301     }
 302 
 303     if (bind(fd, addr->ai_addr, addr->ai_addrlen) != 0) {
 304         rc = errno;
 305         crm_err("Cannot bind to %s: %s", buffer, pcmk_rc_str(rc));
 306         close(fd);
 307         return -rc;
 308     }
 309 
 310     if (listen(fd, 10) == -1) {
 311         rc = errno;
 312         crm_err("Cannot listen on %s: %s", buffer, pcmk_rc_str(rc));
 313         close(fd);
 314         return -rc;
 315     }
 316     return fd;
 317 }
 318 
 319 static int
 320 get_address_info(const char *bind_name, int port, struct addrinfo **res)
     /* [previous][next][first][last][top][bottom][index][help] */
 321 {
 322     int rc;
 323     char port_str[6]; // at most "65535"
 324     struct addrinfo hints;
 325 
 326     memset(&hints, 0, sizeof(struct addrinfo));
 327     hints.ai_flags = AI_PASSIVE;
 328     hints.ai_family = AF_UNSPEC; // IPv6 or IPv4
 329     hints.ai_socktype = SOCK_STREAM;
 330     hints.ai_protocol = IPPROTO_TCP;
 331 
 332     snprintf(port_str, sizeof(port_str), "%d", port);
 333     rc = getaddrinfo(bind_name, port_str, &hints, res);
 334     rc = pcmk__gaierror2rc(rc);
 335 
 336     if (rc != pcmk_rc_ok) {
 337         crm_err("Unable to get IP address(es) for %s: %s",
 338                 (bind_name? bind_name : "local node"), pcmk_rc_str(rc));
 339         return rc;
 340     }
 341 
 342     return pcmk_rc_ok;
 343 }
 344 
 345 int
 346 lrmd_init_remote_tls_server(void)
     /* [previous][next][first][last][top][bottom][index][help] */
 347 {
 348     int rc = pcmk_rc_ok;
 349     int filter;
 350     int port = crm_default_remote_port();
 351     struct addrinfo *res = NULL, *iter;
 352     const char *bind_name = pcmk__env_option(PCMK__ENV_REMOTE_ADDRESS);
 353     bool use_cert = pcmk__x509_enabled();
 354 
 355     static struct mainloop_fd_callbacks remote_listen_fd_callbacks = {
 356         .dispatch = lrmd_remote_listen,
 357         .destroy = tls_server_dropped,
 358     };
 359 
 360     CRM_CHECK(ssock == -1, return ssock);
 361 
 362     crm_debug("Starting TLS listener on %s port %d",
 363               (bind_name? bind_name : "all addresses on"), port);
 364 
 365     rc = pcmk__init_tls(&tls, true, use_cert ? GNUTLS_CRD_CERTIFICATE : GNUTLS_CRD_PSK);
 366     if (rc != pcmk_rc_ok) {
 367         return -1;
 368     }
 369 
 370     if (!use_cert) {
 371         gnutls_datum_t psk_key = { NULL, 0 };
 372 
 373         pcmk__tls_add_psk_callback(tls, lrmd_tls_server_key_cb);
 374 
 375         /* The key callback won't get called until the first client connection
 376          * attempt. Do it once here, so we can warn the user at start-up if we can't
 377          * read the key. We don't error out, though, because it's fine if the key is
 378          * going to be added later.
 379          */
 380         if (lrmd__init_remote_key(&psk_key) != pcmk_rc_ok) {
 381             crm_warn("A cluster connection will not be possible until the key is available");
 382         }
 383 
 384         gnutls_free(psk_key.data);
 385     }
 386 
 387     if (get_address_info(bind_name, port, &res) != pcmk_rc_ok) {
 388         return -1;
 389     }
 390 
 391     /* Currently we listen on only one address from the resulting list (the
 392      * first IPv6 address we can bind to if possible, otherwise the first IPv4
 393      * address we can bind to). When bind_name is NULL, this should be the
 394      * respective wildcard address.
 395      *
 396      * @TODO If there is demand for specifying more than one address, allow
 397      * bind_name to be a space-separated list, call getaddrinfo() for each,
 398      * and create a socket for each result (set IPV6_V6ONLY on IPv6 sockets
 399      * since IPv4 listeners will have their own sockets).
 400      */
 401     iter = res;
 402     filter = AF_INET6;
 403     while (iter) {
 404         if (iter->ai_family == filter) {
 405             ssock = bind_and_listen(iter);
 406         }
 407         if (ssock >= 0) {
 408             break;
 409         }
 410 
 411         iter = iter->ai_next;
 412         if (iter == NULL && filter == AF_INET6) {
 413             iter = res;
 414             filter = AF_INET;
 415         }
 416     }
 417 
 418     if (ssock >= 0) {
 419         mainloop_add_fd("pacemaker-remote-server", G_PRIORITY_DEFAULT, ssock,
 420                         NULL, &remote_listen_fd_callbacks);
 421         crm_debug("Started TLS listener on %s port %d",
 422                   (bind_name? bind_name : "all addresses on"), port);
 423     }
 424     freeaddrinfo(res);
 425     return ssock;
 426 }
 427 
 428 void
 429 execd_stop_tls_server(void)
     /* [previous][next][first][last][top][bottom][index][help] */
 430 {
 431     if (tls != NULL) {
 432         pcmk__free_tls(tls);
 433         tls = NULL;
 434     }
 435 
 436     if (ssock >= 0) {
 437         close(ssock);
 438         ssock = -1;
 439     }
 440 }
/* [previous][next][first][last][top][bottom][index][help] */