From 786bdbbb18d67795860eda861571f888b57b5402 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Fri, 14 Jun 2024 21:08:26 +0900 Subject: [PATCH 1/4] tls: openssl: Add a member for storing config to verify hostname Signed-off-by: Hiroshi Hatake --- include/fluent-bit/tls/flb_tls.h | 3 +++ src/tls/flb_tls.c | 17 +++++++++++++++++ src/tls/openssl.c | 3 ++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/include/fluent-bit/tls/flb_tls.h b/include/fluent-bit/tls/flb_tls.h index 70a865f15cf..02165d461a5 100644 --- a/include/fluent-bit/tls/flb_tls.h +++ b/include/fluent-bit/tls/flb_tls.h @@ -92,6 +92,7 @@ struct flb_tls { int debug; /* Debug level */ char *vhost; /* Virtual hostname for SNI */ int mode; /* Client or Server */ + int verify_hostname; /* Verify hostname */ /* Bakend library for TLS */ void *ctx; /* TLS context created */ @@ -112,6 +113,8 @@ int flb_tls_destroy(struct flb_tls *tls); int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn); +int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname); + int flb_tls_load_system_certificates(struct flb_tls *tls); struct mk_list *flb_tls_get_config_map(struct flb_config *config); diff --git a/src/tls/flb_tls.c b/src/tls/flb_tls.c index 8510381a850..6377caec783 100644 --- a/src/tls/flb_tls.c +++ b/src/tls/flb_tls.c @@ -74,6 +74,12 @@ struct flb_config_map tls_configmap[] = { "Hostname to be used for TLS SNI extension" }, + { + FLB_CONFIG_MAP_BOOL, "tls.verify_hostname", "off", + 0, FLB_FALSE, 0, + "Enable or disable to verify hostname" + }, + /* EOF */ {0} }; @@ -191,6 +197,7 @@ struct flb_tls *flb_tls_create(int mode, tls->verify = verify; tls->debug = debug; tls->mode = mode; + tls->verify_hostname = FLB_FALSE; if (vhost != NULL) { tls->vhost = flb_strdup(vhost); 
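Review bot: The comment on the new `verify_hostname` member of `struct flb_tls`, `/* Verify hostname */`, omits the two facts a reader of the struct needs: the flag is only consulted when `verify` is also set (the openssl.c change in this same patch requires both), and it is initialised to `FLB_FALSE` by `flb_tls_create`. Suggest `/* Match peer cert against the handshake hostname; only checked when verify is on (default: off) */`. The struct definition begins and ends outside this hunk.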
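Review bot: The help string `"Enable or disable to verify hostname"` on the new `tls.verify_hostname` entry in `tls_configmap` is ungrammatical and, more importantly, does not tell the operator what the `"off"` default gives up: with `tls.verify on` and this option off, a certificate that chains to a trusted CA is accepted for any subject name. Suggest `"Verify that the peer certificate matches the connected hostname; only takes effect when tls.verify is on (default: off)"`. Like the `tls.vhost` entry above it, this entry is declared with `FLB_FALSE` and no struct offset, so it relies on the per-instance `set_property` handlers added later in this series to take effect; a one-line comment saying so would save the next reader a search.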
@@ -231,6 +238,16 @@ int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn) return 0; } +int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname) +{ + if (!tls) { + return -1; + } + + tls->verify_hostname = !!verify_hostname; + + return 0; +} int flb_tls_net_read(struct flb_tls_session *session, void *buf, size_t len) { diff --git a/src/tls/openssl.c b/src/tls/openssl.c index e74ab65e20e..6307e0d6871 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c @@ -692,7 +692,8 @@ static int tls_net_handshake(struct flb_tls *tls, } } - if (tls->verify == FLB_TRUE) { + if (tls->verify == FLB_TRUE && + tls->verify_hostname == FLB_TRUE) { if (vhost != NULL) { ret = setup_hostname_validation(session, vhost); } From 9d818af18af1d082e91027d1304fba7122e45ea4 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Fri, 14 Jun 2024 21:09:25 +0900 Subject: [PATCH 2/4] filter_kubernetes: Provide for restoring behavior option for kublet TLS Signed-off-by: Hiroshi Hatake --- plugins/filter_kubernetes/kube_conf.h | 1 + plugins/filter_kubernetes/kube_meta.c | 20 +++++++++++++++++++- plugins/filter_kubernetes/kubernetes.c | 7 +++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/plugins/filter_kubernetes/kube_conf.h b/plugins/filter_kubernetes/kube_conf.h index 77ae62de931..3c044b8970b 100644 --- a/plugins/filter_kubernetes/kube_conf.h +++ b/plugins/filter_kubernetes/kube_conf.h @@ -80,6 +80,7 @@ struct flb_kube { int dummy_meta; int tls_debug; int tls_verify; + int tls_verify_hostname; int kube_token_ttl; flb_sds_t meta_preload_cache_dir; diff --git a/plugins/filter_kubernetes/kube_meta.c b/plugins/filter_kubernetes/kube_meta.c index 13be9d26ae4..91417a1a3db 100644 --- a/plugins/filter_kubernetes/kube_meta.c +++ b/plugins/filter_kubernetes/kube_meta.c 
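Review bot: From the hunk it appears the new `flb_tls_set_verify_hostname` is inserted immediately after the closing brace of `flb_tls_set_alpn` with no separating blank line, while the blank line before `flb_tls_net_read` is kept; add the blank line so the file keeps one blank line between functions. The function also has no header comment, and since it normalises its argument with `!!` and fails only on a NULL context that contract is worth stating: `/* Enable or disable hostname matching of the peer certificate; stores 0/1 and returns -1 only when tls is NULL. */`.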
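Review bot: The changed condition in `tls_net_handshake` makes hostname validation opt-in where it was previously implied by `tls->verify`: before this patch a context with `verify == FLB_TRUE` always reached `setup_hostname_validation` when `vhost` was set, and now it also requires `tls->verify_hostname`, which every constructor in this series initialises to `FLB_FALSE`. With `tls.verify on` and the default `tls.verify_hostname off`, a certificate issued by any trusted CA is accepted regardless of its subject or SAN, so anyone holding such a certificate for a different name can interpose on the connection. If this weaker default is deliberate for compatibility it should be explicit in the code, e.g. `/* Subject/SAN matching is opt-in (tls.verify_hostname, default off) even when tls.verify is on */` above the `if`, and a one-time warning via the file's existing flb_* logging when verification is on but hostname matching is off would make the downgrade visible in operation. Validation is also still skipped entirely when `vhost` is NULL; the branch that follows `if (vhost != NULL)` and the rest of the function are outside this hunk.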
@@ -1681,6 +1681,7 @@ static int wait_for_dns(struct flb_kube *ctx) static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *config) { + int ret; int io_type = FLB_IO_TCP; int api_https = FLB_TRUE; ctx->kubelet_upstream = NULL; @@ -1709,6 +1710,14 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con return -1; } + if (ctx->tls_verify_hostname == FLB_TRUE) { + ret = flb_tls_set_verify_hostname(ctx->kubelet_tls, ctx->tls_verify_hostname); + if (ret == -1) { + flb_plg_debug(ctx->ins, "kubelet network tls set up failed for hostname verification"); + return -1; + } + } + io_type = FLB_IO_TLS; } @@ -1726,12 +1735,13 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con /* Remove async flag from upstream */ flb_stream_disable_async_mode(&ctx->kubelet_upstream->base); - + return 0; } static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config) { + int ret; int io_type = FLB_IO_TCP; int kubelet_network_init_ret = 0; @@ -1753,6 +1763,14 @@ static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config return -1; } + if (ctx->tls_verify_hostname == FLB_TRUE) { + ret = flb_tls_set_verify_hostname(ctx->tls, ctx->tls_verify_hostname); + if (ret == -1) { + flb_plg_debug(ctx->ins, "network tls set up failed for hostname verification"); + return -1; + } + } + io_type = FLB_IO_TLS; } diff --git a/plugins/filter_kubernetes/kubernetes.c b/plugins/filter_kubernetes/kubernetes.c index 76a06573fd0..ccbd4b168e5 100644 --- a/plugins/filter_kubernetes/kubernetes.c +++ b/plugins/filter_kubernetes/kubernetes.c 
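Review bot: In `flb_kubelet_network_init` a failure of `flb_tls_set_verify_hostname` aborts initialisation with `return -1` but is reported only with `flb_plg_debug`, so an operator who enabled hostname verification and lost the kubelet connection sees nothing at the default log level; use `flb_plg_error(ctx->ins, "kubelet network tls set up failed for hostname verification");`. The setter as added in flb_tls.c in this series fails only when the tls pointer is NULL, so the `if (ctx->tls_verify_hostname == FLB_TRUE)` guard around the call is not needed for safety; calling `flb_tls_set_verify_hostname(ctx->kubelet_tls, ctx->tls_verify_hostname)` unconditionally would be simpler and would pass an explicit `off` through as well. The function starts before this hunk.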
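Review bot: In `flb_kube_network_init` the new error path logs the `flb_tls_set_verify_hostname` failure at debug level and then returns -1, which hides a fatal initialisation error unless debug logging is on; change it to `flb_plg_error(ctx->ins, "network tls set up failed for hostname verification");`. The message would also be clearer naming the endpoint the context is for, e.g. `"api server tls set up failed for hostname verification"`, if that is what `ctx->tls` serves — that cannot be confirmed from this hunk. The function starts before this hunk.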
@@ -800,6 +800,13 @@ static struct flb_config_map config_map[] = { "set optional TLS virtual host" }, + /* TLS: set tls.hostame_verification feature */ + { + FLB_CONFIG_MAP_BOOL, "tls.verify_hostname", "off", + 0, FLB_TRUE, offsetof(struct flb_kube, tls_verify_hostname), + "enable or disable to verify hostname" + }, + /* Merge structured record as independent keys */ { FLB_CONFIG_MAP_BOOL, "merge_log", "false", From 1fdb340d9646b5da4647a9660927b40938cbc7ba Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Mon, 17 Jun 2024 14:34:20 +0900 Subject: [PATCH 3/4] input: tls: Add tls.verify_hostname handlers Signed-off-by: Hiroshi Hatake --- include/fluent-bit/flb_input.h | 1 + src/flb_input.c | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/fluent-bit/flb_input.h b/include/fluent-bit/flb_input.h index 5fb54ca0d86..9140b1dc71f 100644 --- a/include/fluent-bit/flb_input.h +++ b/include/fluent-bit/flb_input.h @@ -359,6 +359,7 @@ struct flb_input_instance { /* TLS settings */ int use_tls; /* bool, try to use TLS for I/O */ int tls_verify; /* Verify certs (default: true) */ + int tls_verify_hostname; /* Verify hostname (default: false) */ int tls_debug; /* mbedtls debug level */ char *tls_vhost; /* Virtual hostname for SNI */ char *tls_ca_path; /* Path to certificates */ diff --git a/src/flb_input.c b/src/flb_input.c index 7b614ccdb44..d3d8052f1b5 100644 --- a/src/flb_input.c +++ b/src/flb_input.c @@ -308,6 +308,7 @@ struct flb_input_instance *flb_input_new(struct flb_config *config, instance->tls = NULL; instance->tls_debug = -1; instance->tls_verify = FLB_TRUE; + instance->tls_verify_hostname = FLB_FALSE; instance->tls_vhost = NULL; instance->tls_ca_path = NULL; instance->tls_ca_file = NULL; 
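Review bot: The comment on the new filter option, `/* TLS: set tls.hostame_verification feature */`, is misspelt and names an option that does not exist; the key declared directly below it is `tls.verify_hostname`. Suggest `/* TLS: match the peer certificate against the hostname (tls.verify_hostname, default off) */` and, for the help text, `"enable or disable hostname verification of the peer certificate; only applies when tls.verify is on"`, since the openssl.c change in this series makes the check conditional on `tls.verify`. If the off default exists so kubelet connections keep working where the kubelet's serving certificate does not carry the name Fluent Bit connects to, saying so in the help text would tell operators exactly what they trade away.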
@@ -553,6 +554,10 @@ int flb_input_set_property(struct flb_input_instance *ins, ins->tls_verify = flb_utils_bool(tmp); flb_sds_destroy(tmp); } + else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) { + ins->tls_verify_hostname = flb_utils_bool(tmp); + flb_sds_destroy(tmp); + } else if (prop_key_check("tls.debug", k, len) == 0 && tmp) { ins->tls_debug = atoi(tmp); flb_sds_destroy(tmp); @@ -1121,6 +1126,16 @@ int flb_input_instance_init(struct flb_input_instance *ins, return -1; } + + if (ins->tls_verify_hostname == FLB_TRUE) { + ret = flb_tls_set_verify_hostname(ins->tls, ins->tls_verify_hostname); + if (ret == -1) { + flb_error("[input %s] error set up to verify hostname in TLS context", + ins->name); + + return -1; + } + } } struct flb_config_map *m; From b50b8b44a7bf16842328ff088833526b1c93a42e Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Mon, 17 Jun 2024 14:47:44 +0900 Subject: [PATCH 4/4] output: tls: Add tls.verify_hostname handlers Signed-off-by: Hiroshi Hatake --- include/fluent-bit/flb_output.h | 1 + src/flb_output.c | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/fluent-bit/flb_output.h b/include/fluent-bit/flb_output.h index eab0c983701..58433fcb0d5 100644 --- a/include/fluent-bit/flb_output.h +++ b/include/fluent-bit/flb_output.h @@ -284,6 +284,7 @@ struct flb_output_instance { #ifdef FLB_HAVE_TLS int tls_verify; /* Verify certs (default: true) */ + int tls_verify_hostname; /* Verify hostname (default: false) */ int tls_debug; /* mbedtls debug level */ char *tls_vhost; /* Virtual hostname for SNI */ char *tls_ca_path; /* Path to certificates */ diff --git a/src/flb_output.c b/src/flb_output.c index 98143b4ac8b..1c7853f79f1 100644 --- a/src/flb_output.c +++ b/src/flb_output.c 
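Review bot: The error message added in `flb_input_instance_init`, `"error set up to verify hostname in TLS context"`, is garbled; suggest `"failed to enable hostname verification in TLS context"`. Whether this early `return -1` needs the same cleanup as the failure path just above it cannot be judged from the hunk, since only that path's `return -1; }` is visible; worth checking that the two paths release the same resources. As the setter only fails on a NULL context, the `if (ins->tls_verify_hostname == FLB_TRUE)` guard could be dropped and the value passed through unconditionally. The function continues outside the hunk.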
@@ -678,6 +678,7 @@ struct flb_output_instance *flb_output_new(struct flb_config *config, instance->tls = NULL; instance->tls_debug = -1; instance->tls_verify = FLB_TRUE; + instance->tls_verify_hostname = FLB_FALSE; instance->tls_vhost = NULL; instance->tls_ca_path = NULL; instance->tls_ca_file = NULL; @@ -872,6 +873,10 @@ int flb_output_set_property(struct flb_output_instance *ins, ins->tls_verify = flb_utils_bool(tmp); flb_sds_destroy(tmp); } + else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) { + ins->tls_verify_hostname = flb_utils_bool(tmp); + flb_sds_destroy(tmp); + } else if (prop_key_check("tls.debug", k, len) == 0 && tmp) { ins->tls_debug = atoi(tmp); flb_sds_destroy(tmp); @@ -1249,6 +1254,16 @@ int flb_output_init_all(struct flb_config *config) flb_output_instance_destroy(ins); return -1; } + + if (ins->tls_verify_hostname == FLB_TRUE) { + ret = flb_tls_set_verify_hostname(ins->tls, ins->tls_verify_hostname); + if (ret == -1) { + flb_error("[output %s] error set up to verify hostname in TLS context", + ins->name); + + return -1; + } + } } #endif /*
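Review bot: The new failure path in `flb_output_init_all` returns -1 without `flb_output_instance_destroy(ins)`, while the failure path three lines above it in the same hunk destroys the instance before returning; add `flb_output_instance_destroy(ins);` before the new `return -1;` so both paths release the instance the same way. This path is only reachable when `ins->tls` is NULL (the setter's sole failure mode) so it is unlikely to fire, but an inconsistent cleanup path is what later turns into a leak when the setter grows new failure cases. The message `"error set up to verify hostname in TLS context"` should also read `"failed to enable hostname verification in TLS context"`. The function continues outside the hunk.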