fluent · niedbalski · Oct 25, 2024 · Oct 25, 2024
@@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS)
     ${FLB_DEPS}
     "-framework Foundation"
     "-framework IOKit"
+    "-framework Security"
     )
 endif()
 

@@ -27,6 +27,12 @@
 #include <openssl/opensslv.h>
 #include <openssl/x509v3.h>
 
+#ifdef FLB_SYSTEM_MACOS
+#include <Security/Security.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <unistd.h>
+#endif
+
 #ifdef FLB_SYSTEM_WINDOWS
     #define strtok_r(str, delimiter, context) \
             strtok_s(str, delimiter, context)
@@ -312,6 +318,101 @@ static int windows_load_system_certificates(struct tls_context *ctx)
 }
 #endif
 
+#ifdef __APPLE__
+/* macOS-specific system certificate loading */
+static int macos_load_system_certificates(struct tls_context *ctx)
+{
+    X509_STORE *store = NULL;
+    X509 *x509 = NULL;
+    SecCertificateRef cert = NULL;
+    CFArrayRef certs = NULL;
+    CFDataRef certData = NULL;
+    const unsigned char *data = NULL;
+    char *subject = NULL;
+    char *issuer = NULL;
+    OSStatus status;
+    unsigned long err;
+    int ret = -1;
+    int loaded_cert_count = 0;
+
+    /* Retrieve system certificates from macOS Keychain */
+    status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs);
+    if (status != errSecSuccess || !certs) {
+        flb_debug("[tls] failed to load system certificates from keychain, status: %d", status);
+        return -1;
+    }
+
+    flb_debug("[tls] attempting to load macOS keychain system certificates");
+
+    /* Get the SSL context's certificate store */
+    store = SSL_CTX_get_cert_store(ctx->ctx);
+    if (!store) {
+        flb_debug("[tls] failed to get certificate store from SSL context");
+        CFRelease(certs);
+        return -1;
+    }
+
+    /* Load each certificate into the X509 store */
+    for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
+        cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
+        if (!cert) {
+            flb_debug("[tls] invalid certificate reference at index %ld, skipping", i);
+            continue;
+        }
+
+        certData = SecCertificateCopyData(cert);
+        if (!certData) {
+            flb_debug("[tls] failed to retrieve data for certificate %ld from keychain, skipping", i);
+            continue;
+        }
+
+        /* Convert certificate data to X509 */
+        data = CFDataGetBytePtr(certData);
+        x509 = d2i_X509(NULL, &data, CFDataGetLength(certData));
+        CFRelease(certData);
+
+        if (!x509) {
+            flb_debug("[tls] failed to parse certificate %ld from keychain, skipping", i);
+            continue;
+        }
+
+        subject = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
+        issuer = X509_NAME_oneline(X509_get_issuer_name(x509), NULL, 0);
+        if (subject && issuer) {
+            flb_debug("[tls] certificate %ld details - subject: %s, issuer: %s", i, subject, issuer);
+        }
+
+        /* Attempt to add certificate to trusted store */
+        ret = X509_STORE_add_cert(store, x509);
+        if (ret != 1) {
+            err = ERR_get_error();
+            if (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+                flb_debug("[tls] certificate %ld already exists in the trusted store (duplicate)", i);
+            } else {
+                flb_debug("[tls] failed to add certificate %ld to trusted store, error code: %lu", i, err);
+            }
+            X509_free(x509);
+            continue;
+        }
+
+        loaded_cert_count++;
+        flb_debug("[tls] successfully loaded and added certificate %ld to trusted store", i);
+
+        if (subject) {
+            OPENSSL_free(subject);
+        }
+        if (issuer) {
+            OPENSSL_free(issuer);
+        }
+        X509_free(x509);
+    }
+
+    CFRelease(certs);
+    flb_debug("[tls] finished loading keychain certificates, total loaded: %d", loaded_cert_count);
+    return 0;
+}
+#endif
+
 static int load_system_certificates(struct tls_context *ctx)
 {
     int ret;
@@ -320,7 +421,9 @@ static int load_system_certificates(struct tls_context *ctx)
     /* For Windows use specific API to read the certs store */
 #ifdef _MSC_VER
     return windows_load_system_certificates(ctx);
-#endif
+#elif defined(__APPLE__)
+    return macos_load_system_certificates(ctx);
+#else
     if (access(ca_file, R_OK) != 0) {
         ca_file = NULL;
     }
@@ -331,8 +434,10 @@ static int load_system_certificates(struct tls_context *ctx)
         ERR_print_errors_fp(stderr);
     }
     return 0;
+#endif
 }
 
+
 static void *tls_context_create(int verify,
                                 int debug,
                                 int mode,
@@ -716,6 +821,7 @@ static int tls_net_handshake(struct flb_tls *tls,
     ctx = session->parent;
     pthread_mutex_lock(&ctx->mutex);
 
+    // Set up SSL connection state if not continuing an existing handshake
     if (!session->continuation_flag) {
         if (tls->mode == FLB_TLS_CLIENT_MODE) {
             SSL_set_connect_state(session->ssl);
@@ -724,11 +830,12 @@ static int tls_net_handshake(struct flb_tls *tls,
             SSL_set_accept_state(session->ssl);
         }
         else {
-            flb_error("[tls] error: invalid tls mode : %d", tls->mode);
+            flb_error("[tls] invalid tls mode: %d", tls->mode);
             pthread_mutex_unlock(&ctx->mutex);
             return -1;
         }
 
+        // Set SNI (Server Name Indication)
         if (vhost != NULL) {
             SSL_set_tlsext_host_name(session->ssl, vhost);
         }
@@ -752,63 +859,64 @@ static int tls_net_handshake(struct flb_tls *tls,
         }
     }
 
+    // Clear any previous SSL errors
     ERR_clear_error();
 
+    // Perform SSL handshake
     if (tls->mode == FLB_TLS_CLIENT_MODE) {
         ret = SSL_connect(session->ssl);
     }
     else if (tls->mode == FLB_TLS_SERVER_MODE) {
         ret = SSL_accept(session->ssl);
     }
 
-    if (ret != 1) {
-        ret = SSL_get_error(session->ssl, ret);
-        if (ret != SSL_ERROR_WANT_READ &&
-            ret != SSL_ERROR_WANT_WRITE) {
-            ret = SSL_get_error(session->ssl, ret);
-            // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected
-            //  EOF from the peer. This is fixed in OpenSSL 3.0.
-            if (ret == 0) {
+    // Exit early if the handshake was successful
+    if (ret == 1) {
+        session->continuation_flag = FLB_FALSE;
+        pthread_mutex_unlock(&ctx->mutex);
+        flb_debug("[tls] connection and handshake ok");
+        return 0;
+    }
+
+    int ssl_err = SSL_get_error(session->ssl, ret);
+
+    // Handle SSL handshake errors
+    switch (ssl_err) {
+        case SSL_ERROR_WANT_READ:
+            // Handle non-blocking read operation
+            pthread_mutex_unlock(&ctx->mutex);
+            session->continuation_flag = FLB_TRUE;
+            return FLB_TLS_WANT_READ;
+
+        case SSL_ERROR_WANT_WRITE:
+            // Handle non-blocking write operation
+            pthread_mutex_unlock(&ctx->mutex);
+            session->continuation_flag = FLB_TRUE;
+            return FLB_TLS_WANT_WRITE;
+
+        case SSL_ERROR_SYSCALL:
+        case SSL_ERROR_SSL:
+        default:
+            // Handle unexpected EOFs and other errors
+            if (ssl_err == 0) {
                 ssl_code = SSL_get_verify_result(session->ssl);
                 if (ssl_code != X509_V_OK) {
-                    /* Refer to: https://x509errors.org/ */
-                    x509_err = X509_verify_cert_error_string(ssl_code);
-                    flb_error("[tls] certificate verification failed, reason: %s (X509 code: %ld)", x509_err, ssl_code);
+                    const char *x509_err = X509_verify_cert_error_string(ssl_code);
+                    flb_error("[tls] certificate verification failed, reason: %s (X509 code: %ld)",
+                              x509_err, ssl_code);
                 }
                 else {
-                    flb_error("[tls] error: unexpected EOF");
+                    flb_error("[tls] unexpected EOF during handshake");
                 }
-            } else {
-                ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
-                flb_error("[tls] error: %s", err_buf);
+            }
+            else {
+                ERR_error_string_n(ssl_err, err_buf, sizeof(err_buf) - 1);
+                flb_error("[tls] handshake error: %s", err_buf);
             }
 
             pthread_mutex_unlock(&ctx->mutex);
-
             return -1;
-        }
-
-        if (ret == SSL_ERROR_WANT_WRITE) {
-            pthread_mutex_unlock(&ctx->mutex);
-
-            session->continuation_flag = FLB_TRUE;
-
-            return FLB_TLS_WANT_WRITE;
-        }
-        else if (ret == SSL_ERROR_WANT_READ) {
-            pthread_mutex_unlock(&ctx->mutex);
-
-            session->continuation_flag = FLB_TRUE;
-
-            return FLB_TLS_WANT_READ;
-        }
     }
-
-    session->continuation_flag = FLB_FALSE;
-
-    pthread_mutex_unlock(&ctx->mutex);
-    flb_trace("[tls] connection and handshake OK");
-    return 0;
 }
 
 /* OpenSSL backend registration */