Skip to content

Commit

Permalink
tls: Verify vhost when tls.verify is enabled
Browse files Browse the repository at this point in the history
Signed-off-by: Hiroshi Hatake <[email protected]>
  • Loading branch information
cosmo0920 authored and edsiper committed Jun 11, 2024
1 parent c3d1280 commit 73e72bd
Showing 1 changed file with 45 additions and 1 deletion.
46 changes: 45 additions & 1 deletion src/tls/openssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include <openssl/x509v3.h>

#ifdef FLB_SYSTEM_WINDOWS
#define strtok_r(str, delimiter, context) \
Expand Down Expand Up @@ -636,11 +637,33 @@ static int tls_net_write(struct flb_tls_session *session,
return ret;
}

int setup_hostname_validation(struct tls_session *session, const char *hostname)
{
X509_VERIFY_PARAM *param;

param = SSL_get0_param(session->ssl);

if (!param) {
flb_error("[tls] error: ssl context is invalid");
return -1;
}

X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
if (!X509_VERIFY_PARAM_set1_host(param, hostname, 0)) {
flb_error("[tls] error: hostname parameter vailidation is failed : %s",
hostname);
return -1;
}

return 0;
}

static int tls_net_handshake(struct flb_tls *tls,
char *vhost,
void *ptr_session)
{
int ret = 0;
long ssl_code = 0;
char err_buf[256];
struct tls_session *session = ptr_session;
struct tls_context *ctx;
Expand Down Expand Up @@ -669,6 +692,20 @@ static int tls_net_handshake(struct flb_tls *tls,
}
}

if (tls->verify == FLB_TRUE) {
if (vhost != NULL) {
ret = setup_hostname_validation(session, vhost);
}
else if (tls->vhost) {
ret = setup_hostname_validation(session, tls->vhost);
}

if (ret != 0) {
pthread_mutex_unlock(&ctx->mutex);
return -1;
}
}

ERR_clear_error();

if (tls->mode == FLB_TLS_CLIENT_MODE) {
Expand All @@ -686,7 +723,14 @@ static int tls_net_handshake(struct flb_tls *tls,
// The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected
// EOF from the peer. This is fixed in OpenSSL 3.0.
if (ret == 0) {
flb_error("[tls] error: unexpected EOF");
ssl_code = SSL_get_verify_result(session->ssl);
if (ssl_code != X509_V_OK) {
flb_error("[tls] error: unexpected EOF with reason: %s",
ERR_reason_error_string(ERR_get_error()));
}
else {
flb_error("[tls] error: unexpected EOF");
}
} else {
ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
flb_error("[tls] error: %s", err_buf);
Expand Down

0 comments on commit 73e72bd

Please sign in to comment.