From 4720471ac46f48252c6b458a47169534f40497eb Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Fri, 9 Aug 2024 20:59:04 +0900
Subject: [PATCH 1/3] upstream_node: Process tls.verify_hostname parameter
Signed-off-by: Hiroshi Hatake
---
include/fluent-bit/flb_upstream_node.h | 2 ++
src/flb_upstream_ha.c | 12 +++++++++++-
src/flb_upstream_node.c | 12 ++++++++++++
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/include/fluent-bit/flb_upstream_node.h b/include/fluent-bit/flb_upstream_node.h
index 429ebd0ceb7..8f203392f28 100644
--- a/include/fluent-bit/flb_upstream_node.h
+++ b/include/fluent-bit/flb_upstream_node.h
@@ -36,6 +36,7 @@ struct flb_upstream_node {
 #ifdef FLB_HAVE_TLS
 /* TLS: given configuration */
 int tls_verify; /* Verify certs (default: true) */
+ int tls_verify_hostname; /* Verify hostname (default: false) */
 int tls_debug; /* mbedtls debug level */
 char *tls_ca_path; /* Path to certificates */
 char *tls_ca_file; /* CA root cert */
@@ -65,6 +66,7 @@ struct flb_upstream_node {
 struct flb_upstream_node *flb_upstream_node_create(flb_sds_t name, flb_sds_t host, flb_sds_t port, int tls, int tls_verify,
+ int tls_verify_hostname,
 int tls_debug,
 const char *tls_vhost,
 const char *tls_ca_path,
diff --git a/src/flb_upstream_ha.c b/src/flb_upstream_ha.c
index 4ece420d173..1579261aba5 100644
--- a/src/flb_upstream_ha.c
+++ b/src/flb_upstream_ha.c
@@ -120,6 +120,7 @@ static struct flb_upstream_node *create_node(int id,
 int vlen;
 int tls = FLB_FALSE;
 int tls_verify = FLB_TRUE;
+ int tls_verify_hostname = FLB_FALSE;
 int tls_debug = 1;
 char key[32];
 char *tmp;
@@ -138,7 +139,8 @@ static struct flb_upstream_node *create_node(int id,
 const char *known_keys[] = {"name", "host", "port", "tls", "tls.vhost", "tls.verify", "tls.debug", "tls.ca_path", "tls.ca_file", "tls.crt_file",
- "tls.key_file", "tls.key_passwd", NULL};
+ "tls.key_file", "tls.key_passwd",
+ "tls.verify_hostname", NULL};
 struct flb_upstream_node *node;
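Review bot: The new field comment should make the security trade-off visible: tls_verify_hostname defaults to false while tls_verify defaults to true, and the node code in this series only calls flb_tls_set_verify_hostname when the flag is FLB_TRUE, so a node with tls.verify on presumably still accepts any certificate that chains to a trusted CA regardless of which host it was issued for. Suggest `int tls_verify_hostname; /* Verify peer cert name matches host (default: false; enable alongside tls_verify to bind the cert to the host) */`. The same point applies to the `int tls_verify_hostname = FLB_FALSE;` initializer in the create_node hunk of src/flb_upstream_ha.c. struct flb_upstream_node continues outside the hunk.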
@@ -180,6 +182,13 @@ static struct flb_upstream_node *create_node(int id,
 flb_sds_destroy(tmp);
 }
+ /* tls.verify_hostname */
+ tmp = flb_cf_section_property_get_string(cf, s, "tls.verify_hostname");
+ if (tmp) {
+ tls_verify_hostname = flb_utils_bool(tmp);
+ flb_sds_destroy(tmp);
+ }
+
 /* tls.debug */
 tmp = flb_cf_section_property_get_string(cf, s, "tls.debug");
 if (tmp) {
@@ -252,6 +261,7 @@ static struct flb_upstream_node *create_node(int id,
 }
 node = flb_upstream_node_create(name, host, port, tls, tls_verify,
+ tls_verify_hostname,
 tls_debug, tls_vhost, tls_ca_path, tls_ca_file, tls_crt_file, tls_key_file, tls_key_passwd, ht, config);
diff --git a/src/flb_upstream_node.c b/src/flb_upstream_node.c
index 117e8f89f3f..5131efd0d6b 100644
--- a/src/flb_upstream_node.c
+++ b/src/flb_upstream_node.c
@@ -30,6 +30,7 @@ struct flb_upstream_node *flb_upstream_node_create(flb_sds_t name, flb_sds_t hos
 flb_sds_t port,
 int tls,
 int tls_verify,
+ int tls_verify_hostname,
 int tls_debug,
 const char *tls_vhost,
 const char *tls_ca_path,
@@ -40,6 +41,7 @@ struct flb_upstream_node *flb_upstream_node_create(flb_sds_t name, flb_sds_t hos
 struct flb_hash_table *ht,
 struct flb_config *config)
 {
+ int ret;
 int i_port;
 int io_flags;
 char tmp[255];
@@ -143,6 +145,16 @@ struct flb_upstream_node *flb_upstream_node_create(flb_sds_t name, flb_sds_t hos
 return NULL;
 }
 node->tls_enabled = FLB_TRUE;
+ if (tls_verify_hostname == FLB_TRUE) {
+ ret = flb_tls_set_verify_hostname(node->tls, tls_verify_hostname);
+ if (ret == -1) {
+ flb_error("[upstream_node] error set up to verify hostname in TLS context "
+ "on node '%s'", name);
+ flb_upstream_node_destroy(node);
+
+ return NULL;
+ }
+ }
 }
 #endif
From 2a91b86bbabe84f5156362db6554b931471b8a73 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Fri, 9 Aug 2024 21:03:00 +0900
Subject: [PATCH 2/3] out_azure_kusto: Follow the creating node function change
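Review bot: `tls_verify_hostname = flb_utils_bool(tmp);` stores the parser's result unchecked, and the consumer in flb_upstream_node_create only enables verification when the value is `== FLB_TRUE`; if flb_utils_bool reports an unrecognised string with some value other than FLB_TRUE or FLB_FALSE (its contract is not shown here), a typo in the config silently leaves hostname verification off. A security setting should fail closed, or at least be loud: add `if (tls_verify_hostname != FLB_TRUE && tls_verify_hostname != FLB_FALSE) { flb_error("[upstream_ha] invalid tls.verify_hostname value '%s'", tmp); }` before the flb_sds_destroy and treat it as a configuration error. Note that returning NULL from this point would need the same flb_sds_t teardown that PATCH 3/3 adds at the end of the function. create_node starts and ends outside this hunk.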
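Review bot: The new error path formats `name` with `%s`, but flb_upstream_node_create is called with `NULL` as name by azure_kusto_conf.c in PATCH 2/3, so a failed flb_tls_set_verify_hostname on such a node passes a null pointer to printf-style formatting, which is undefined behaviour. Log a value every caller supplies instead, e.g. `flb_error("[upstream_node] failed to enable TLS hostname verification for host '%s'", host);`, which also fixes the awkward "error set up to verify hostname" wording. Separately, the `int ret;` added in the declaration block is only used inside the `#ifdef FLB_HAVE_TLS` region, so a build without TLS presumably gets an unused-variable warning unless ret is used elsewhere in the function. flb_upstream_node_create starts outside the hunk.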
Signed-off-by: Hiroshi Hatake
---
plugins/out_azure_kusto/azure_kusto_conf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plugins/out_azure_kusto/azure_kusto_conf.c b/plugins/out_azure_kusto/azure_kusto_conf.c
index 973a91419c6..ec4c23c8d16 100644
--- a/plugins/out_azure_kusto/azure_kusto_conf.c
+++ b/plugins/out_azure_kusto/azure_kusto_conf.c
@@ -79,6 +79,7 @@ static struct flb_upstream_node *flb_upstream_node_create_url(struct flb_azure_k
 node = flb_upstream_node_create( NULL, sds_host, sds_port, FLB_TRUE, ctx->ins->tls->verify, + ctx->ins->tls->verify_hostname, ctx->ins->tls->debug, ctx->ins->tls->vhost, NULL, NULL, NULL, NULL, NULL, kv, config);
From 600054681cb433098feb7074533af2f89e1bf49a Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Tue, 13 Aug 2024 17:14:49 +0900
Subject: [PATCH 3/3] upstream_ha: Plug memory leaks
Signed-off-by: Hiroshi Hatake
---
src/flb_upstream_ha.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/flb_upstream_ha.c b/src/flb_upstream_ha.c
index 1579261aba5..7856bf3df14 100644
--- a/src/flb_upstream_ha.c
+++ b/src/flb_upstream_ha.c
@@ -265,6 +265,32 @@ static struct flb_upstream_node *create_node(int id,
 tls_debug, tls_vhost, tls_ca_path, tls_ca_file, tls_crt_file, tls_key_file, tls_key_passwd, ht, config);
+
+ /* Teardown for created flb_sds_t stuffs by flb_cf_section_property_get_string(). */
+ if (tls_vhost != NULL) {
+ flb_sds_destroy(tls_vhost);
+ }
+
+ if (tls_ca_path != NULL) {
+ flb_sds_destroy(tls_ca_path);
+ }
+
+ if (tls_ca_file != NULL) {
+ flb_sds_destroy(tls_ca_file);
+ }
+
+ if (tls_crt_file != NULL) {
+ flb_sds_destroy(tls_crt_file);
+ }
+
+ if (tls_key_file != NULL) {
+ flb_sds_destroy(tls_key_file);
+ }
+
+ if (tls_key_passwd != NULL) {
+ flb_sds_destroy(tls_key_passwd);
+ }
+
 return node;
 }
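Review bot: The teardown only runs on the straight-line path into `return node;`; any early `return NULL` between where these six flb_sds_t values are read and this call (not visible in the hunk) still leaks them, so the leak is plugged only when node creation succeeds. A single cleanup label before `return node;` that the error paths reach via `goto` would cover both, and could also drop the six `!= NULL` guards if flb_sds_destroy tolerates NULL, which is not shown here. Since the strings are destroyed right after being passed, flb_upstream_node_create presumably copies them, and the comment should say so rather than "stuffs", e.g. `/* flb_upstream_node_create() copies these; release the flb_sds_t values read from the section. */`. tls_key_passwd holds a secret, so wiping its bytes before destroying it would keep the passphrase out of freed heap memory. create_node starts outside the hunk.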