From 73e72bdf9af542602255f1df9fde680346a36490 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Mon, 10 Jun 2024 18:38:03 +0900
Subject: [PATCH] tls: Verify vhost when tls.verify is enabled

Signed-off-by: Hiroshi Hatake
---
 src/tls/openssl.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 03aeb9610b7..e74ab65e20e 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 
 #ifdef FLB_SYSTEM_WINDOWS
 #define strtok_r(str, delimiter, context) \
@@ -636,11 +637,33 @@ static int tls_net_write(struct flb_tls_session *session,
 return ret;
 }
 
+int setup_hostname_validation(struct tls_session *session, const char *hostname)
+{
+ X509_VERIFY_PARAM *param;
+
+ param = SSL_get0_param(session->ssl);
+
+ if (!param) {
+ flb_error("[tls] error: ssl context is invalid");
+ return -1;
+ }
+
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (!X509_VERIFY_PARAM_set1_host(param, hostname, 0)) {
+ flb_error("[tls] error: hostname parameter vailidation is failed : %s",
+ hostname);
+ return -1;
+ }
+
+ return 0;
+}
+
 static int tls_net_handshake(struct flb_tls *tls,
 char *vhost,
 void *ptr_session)
 {
 int ret = 0;
+ long ssl_code = 0;
 char err_buf[256];
 struct tls_session *session = ptr_session;
 struct tls_context *ctx;
@@ -669,6 +692,20 @@ static int tls_net_handshake(struct flb_tls *tls,
 }
 }
 
+ if (tls->verify == FLB_TRUE) {
+ if (vhost != NULL) {
+ ret = setup_hostname_validation(session, vhost);
+ }
+ else if (tls->vhost) {
+ ret = setup_hostname_validation(session, tls->vhost);
+ }
+
+ if (ret != 0) {
+ pthread_mutex_unlock(&ctx->mutex);
+ return -1;
+ }
+ }
+
 ERR_clear_error();
 
 if (tls->mode == FLB_TLS_CLIENT_MODE) {
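Review bot: `setup_hostname_validation` is defined without `static`, unlike the neighbouring `tls_net_write` and `tls_net_handshake`, so a helper with a generic name is exported from openssl.c and can collide with any other translation unit that picks the same name; the signature should read `static int setup_hostname_validation(struct tls_session *session, const char *hostname)`. The message on the `X509_VERIFY_PARAM_set1_host` failure path also carries a typo (`vailidation is failed`); `"[tls] error: failed to set hostname for certificate validation: %s"` reads correctly and says what actually went wrong. The other message, `ssl context is invalid`, is misleading because `SSL_get0_param` is called on the per-session SSL object, not the context — `"[tls] error: could not get verify parameters for SSL session"` names the right object. The same hunk adds `long ssl_code` to tls_net_handshake, whose body continues outside this hunk.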
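Review bot: When `tls->verify` is enabled but both `vhost` and `tls->vhost` are NULL, neither branch of the new block runs and the handshake continues with no hostname bound to the verify parameters, so the peer only needs a certificate that chains to a trusted CA, not one issued for the host being contacted. If that is acceptable for callers that genuinely have no hostname, it should at least be visible: an `else { flb_warn("[tls] verify enabled but no vhost available, skipping hostname validation"); }` lets operators spot connections whose identity is not checked. `X509_VERIFY_PARAM_set1_host` matches DNS names only; if vhost may be an IP literal, the corresponding call is `X509_VERIFY_PARAM_set1_ip_asc`, which the commit does not handle, so it is worth confirming what values vhost can take. The `if (ret != 0)` test also assumes `ret` is still 0 from its initialisation; the code between that initialisation and this hunk is not visible here, so either confirm nothing assigns `ret` earlier or reset it before the block. tls_net_handshake starts and continues outside this hunk.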
@@ -686,7 +723,14 @@ static int tls_net_handshake(struct flb_tls *tls,
 // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected
 // EOF from the peer. This is fixed in OpenSSL 3.0.
 if (ret == 0) {
- flb_error("[tls] error: unexpected EOF");
+ ssl_code = SSL_get_verify_result(session->ssl);
+ if (ssl_code != X509_V_OK) {
+ flb_error("[tls] error: unexpected EOF with reason: %s",
+ ERR_reason_error_string(ERR_get_error()));
+ }
+ else {
+ flb_error("[tls] error: unexpected EOF");
+ }
 }
 else {
 ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
 flb_error("[tls] error: %s", err_buf);
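Review bot: In the new `ssl_code != X509_V_OK` branch the verification result that was just retrieved is discarded and `ERR_reason_error_string(ERR_get_error())` is logged instead; on the path the comment above describes (SSL_ERROR_SYSCALL with errno 0 on pre-3.0 OpenSSL) the error queue is often empty, so `ERR_get_error()` returns 0, `ERR_reason_error_string` returns NULL, and a NULL pointer reaches `%s`, which is undefined behaviour in printf-style formatting. Logging the verify result directly avoids both problems: `flb_error("[tls] error: unexpected EOF with reason: %s", X509_verify_cert_error_string(ssl_code));` always yields a string and names the certificate or hostname check that failed. Note that `SSL_get_verify_result` also returns `X509_V_OK` when no peer certificate was presented at all, so the plain `unexpected EOF` message in the else branch still covers that case. tls_net_handshake continues outside this hunk.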