add support for skipverifyhost

richm · richm · commit 6ad2947d23a2 · 2019-03-26T09:43:41.000-06:00
https://bugzilla.redhat.com/show_bug.cgi?id=1692074 Add ability to specify the libcurl CURLOPT_SSL_VERIFYHOST option to skip verification of the hostname in the peer cert. WARNING: This option is insecure, and should only be used for testing. The default value is off, meaning, the hostname will be verified by default. (cherry picked from commit 6e0ccf89c20edd85848661c882d8c9cd75ff18de)
diff --git a/rsyslog/vendored_src/rsyslog/rsyslog/contrib/mmkubernetes/mmkubernetes.c b/rsyslog/vendored_src/rsyslog/rsyslog/contrib/mmkubernetes/mmkubernetes.c
@@ -143,6 +143,7 @@ struct modConfData_s {
 	uchar *myCertFile; /* File holding cert corresponding to private key used for client cert auth */
 	uchar *myPrivKeyFile; /* File holding private key corresponding to cert used for client cert auth */
 	sbool allowUnsignedCerts; /* For testing/debugging - do not check for CA certs (CURLOPT_SSL_VERIFYPEER FALSE) */
+	sbool skipVerifyHost; /* For testing/debugging - skip cert hostname verify (CURLOPT_SSL_VERIFYHOST FALSE) */
 	uchar *token; /* The token value to use to authenticate to Kubernetes - takes precedence over tokenFile */
 	uchar *tokenFile; /* The file whose contents is the token value to use to authenticate to Kubernetes */
 	sbool de_dot; /* If true (default), convert '.' characters in labels & annotations to de_dot_separator */
@@ -168,6 +169,7 @@ typedef struct _instanceData {
 	uchar *myCertFile; /* File holding cert corresponding to private key used for client cert auth */
 	uchar *myPrivKeyFile; /* File holding private key corresponding to cert used for client cert auth */
 	sbool allowUnsignedCerts; /* For testing/debugging - do not check for CA certs (CURLOPT_SSL_VERIFYPEER FALSE) */
+	sbool skipVerifyHost; /* For testing/debugging - skip cert hostname verify (CURLOPT_SSL_VERIFYHOST FALSE) */
 	uchar *token; /* The token value to use to authenticate to Kubernetes - takes precedence over tokenFile */
 	uchar *tokenFile; /* The file whose contents is the token value to use to authenticate to Kubernetes */
 	sbool de_dot; /* If true (default), convert '.' characters in labels & annotations to de_dot_separator */
@@ -223,6 +225,7 @@ static struct cnfparamdescr modpdescr[] = {
 	{ "tls.mycert", eCmdHdlrString, 0 },
 	{ "tls.myprivkey", eCmdHdlrString, 0 },
 	{ "allowunsignedcerts", eCmdHdlrBinary, 0 },
+	{ "skipverifyhost", eCmdHdlrBinary, 0 },
 	{ "token", eCmdHdlrString, 0 },
 	{ "tokenfile", eCmdHdlrString, 0 },
 	{ "annotation_match", eCmdHdlrArray, 0 },
@@ -255,6 +258,7 @@ static struct cnfparamdescr actpdescr[] = {
 	{ "tls.mycert", eCmdHdlrString, 0 },
 	{ "tls.myprivkey", eCmdHdlrString, 0 },
 	{ "allowunsignedcerts", eCmdHdlrBinary, 0 },
+	{ "skipverifyhost", eCmdHdlrBinary, 0 },
 	{ "token", eCmdHdlrString, 0 },
 	{ "tokenfile", eCmdHdlrString, 0 },
 	{ "annotation_match", eCmdHdlrArray, 0 },
@@ -637,6 +641,8 @@ CODESTARTsetModCnf
 			}
 		} else if(!strcmp(modpblk.descr[i].name, "allowunsignedcerts")) {
 			loadModConf->allowUnsignedCerts = pvals[i].val.d.n;
+		} else if(!strcmp(modpblk.descr[i].name, "skipverifyhost")) {
+			loadModConf->skipVerifyHost = pvals[i].val.d.n;
 		} else if(!strcmp(modpblk.descr[i].name, "token")) {
 			free(loadModConf->token);
 			loadModConf->token = (uchar *) es_str2cstr(pvals[i].val.d.estr, NULL);
@@ -954,6 +960,8 @@ CODESTARTcreateWrkrInstance
 		curl_easy_setopt(ctx, CURLOPT_SSLKEY, pWrkrData->pData->myPrivKeyFile);
 	if(pWrkrData->pData->allowUnsignedCerts)
 		curl_easy_setopt(ctx, CURLOPT_SSL_VERIFYPEER, 0);
+	if(pWrkrData->pData->skipVerifyHost)
+		curl_easy_setopt(ctx, CURLOPT_SSL_VERIFYHOST, 0);
 #if defined(SUPPORT_SSL_PARTIAL_CHAIN)
 	if(pWrkrData->pData->sslPartialChain) {
 		curl_easy_setopt(ctx, CURLOPT_SSL_CTX_FUNCTION, set_ssl_partial_chain);
@@ -1257,6 +1265,7 @@ CODESTARTnewActInst
 
 	pData->de_dot = loadModConf->de_dot;
 	pData->allowUnsignedCerts = loadModConf->allowUnsignedCerts;
+	pData->skipVerifyHost = loadModConf->skipVerifyHost;
 	pData->busyRetryInterval = loadModConf->busyRetryInterval;
 	pData->sslPartialChain = loadModConf->sslPartialChain;
 	pData->cacheEntryTTL = loadModConf->cacheEntryTTL;
@@ -1322,6 +1331,8 @@ CODESTARTnewActInst
 			}
 		} else if(!strcmp(actpblk.descr[i].name, "allowunsignedcerts")) {
 			pData->allowUnsignedCerts = pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "skipverifyhost")) {
+			pData->skipVerifyHost = pvals[i].val.d.n;
 		} else if(!strcmp(actpblk.descr[i].name, "token")) {
 			free(pData->token);
 			pData->token = (uchar *) es_str2cstr(pvals[i].val.d.estr, NULL);
@@ -1566,6 +1577,7 @@ CODESTARTdbgPrintInstInfo
 	dbgprintf("\ttls.mycert='%s'\n", pData->myCertFile);
 	dbgprintf("\ttls.myprivkey='%s'\n", pData->myPrivKeyFile);
 	dbgprintf("\tallowUnsignedCerts='%d'\n", pData->allowUnsignedCerts);
+	dbgprintf("\tskipVerifyHost='%d'\n", pData->skipVerifyHost);
 	dbgprintf("\ttoken='%s'\n", pData->token);
 	dbgprintf("\ttokenFile='%s'\n", pData->tokenFile);
 	dbgprintf("\tde_dot='%d'\n", pData->de_dot);
diff --git a/rsyslog/vendored_src/rsyslog/rsyslog/plugins/omelasticsearch/omelasticsearch.c b/rsyslog/vendored_src/rsyslog/rsyslog/plugins/omelasticsearch/omelasticsearch.c
@@ -138,6 +138,7 @@ typedef struct instanceConf_s {
 	size_t maxbytes;
 	sbool useHttps;
 	sbool allowUnsignedCerts;
+	sbool skipVerifyHost;
 	uchar *caCertFile;
 	uchar *myCertFile;
 	uchar *myPrivKeyFile;
@@ -206,6 +207,7 @@ static struct cnfparamdescr actpdescr[] = {
 	{ "dynpipelinename", eCmdHdlrBinary, 0 },
 	{ "bulkid", eCmdHdlrGetWord, 0 },
 	{ "allowunsignedcerts", eCmdHdlrBinary, 0 },
+	{ "skipverifyhost", eCmdHdlrBinary, 0 },
 	{ "tls.cacert", eCmdHdlrString, 0 },
 	{ "tls.mycert", eCmdHdlrString, 0 },
 	{ "tls.myprivkey", eCmdHdlrString, 0 },
@@ -342,6 +344,7 @@ CODESTARTdbgPrintInstInfo
 	dbgprintf("\tbulkmode=%d\n", pData->bulkmode);
 	dbgprintf("\tmaxbytes=%zu\n", pData->maxbytes);
 	dbgprintf("\tallowUnsignedCerts=%d\n", pData->allowUnsignedCerts);
+	dbgprintf("\tskipVerifyHost=%d\n", pData->skipVerifyHost);
 	dbgprintf("\terrorfile='%s'\n", pData->errorFile == NULL ?
 		(uchar*)"(not configured)" : pData->errorFile);
 	dbgprintf("\terroronly=%d\n", pData->errorOnly);
@@ -1633,6 +1636,8 @@ curlSetupCommon(wrkrInstanceData_t *const pWrkrData, CURL *const handle)
 	curl_easy_setopt(handle, CURLOPT_WRITEDATA, pWrkrData);
 	if(pWrkrData->pData->allowUnsignedCerts)
 		curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, FALSE);
+	if(pWrkrData->pData->skipVerifyHost)
+		curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, FALSE);
 	if(pWrkrData->pData->authBuf != NULL) {
 		curl_easy_setopt(handle, CURLOPT_USERPWD, pWrkrData->pData->authBuf);
 		curl_easy_setopt(handle, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
@@ -1707,6 +1712,7 @@ setInstParamDefaults(instanceData *const pData)
 	pData->bulkmode = 0;
 	pData->maxbytes = 104857600; //100 MB Is the default max message size that ships with ElasticSearch
 	pData->allowUnsignedCerts = 0;
+	pData->skipVerifyHost = 0;
 	pData->tplName = NULL;
 	pData->errorFile = NULL;
 	pData->errorOnly=0;
@@ -1783,6 +1789,8 @@ CODESTARTnewActInst
 			pData->maxbytes = (size_t) pvals[i].val.d.n;
 		} else if(!strcmp(actpblk.descr[i].name, "allowunsignedcerts")) {
 			pData->allowUnsignedCerts = pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "skipverifyhost")) {
+			pData->skipVerifyHost = pvals[i].val.d.n;
 		} else if(!strcmp(actpblk.descr[i].name, "timeout")) {
 			pData->timeout = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(actpblk.descr[i].name, "usehttps")) {
