TCP input TLS - Add TLS configuration.

BonnyAD9 · BonnyAD9 · commit 74fb9b507c27 · 2025-04-03T13:05:35.000+02:00
diff --git a/src/plugins/input/tcp/src/Config.cpp b/src/plugins/input/tcp/src/Config.cpp
@@ -15,6 +15,7 @@
 #include <string>    // string
 #include <cassert>   // assert
 #include <cstdint>   // UINT16_MAX
+#include <cstring>
 
 #include <libfds.h> // fds_*, FDS_*
 
@@ -30,19 +31,24 @@ namespace tcp_in {
  * <params>
  *  <localPort>...</localPort>                    <!-- optional -->
  *  <localIPAddress>...</localIPAddress>          <!-- optional, multiple times -->
+ *  <certificatePath>...</certificatePath>        <!-- optional -->
  * </params>
  */
 
 enum ParamsXmlNodes {
     PARAM_PORT,
     PARAM_IPADDR,
+    PARAM_CERTIFICATE,
+    PARAM_TLS_VERIFY_PEER,
 };
 
 static const struct fds_xml_args args_params[] = {
     FDS_OPTS_ROOT("params"),
-    FDS_OPTS_ELEM(PARAM_PORT  , "localPort"     , FDS_OPTS_T_UINT  , FDS_OPTS_P_OPT),
-    FDS_OPTS_ELEM(PARAM_IPADDR, "localIPAddress", FDS_OPTS_T_STRING, FDS_OPTS_P_OPT
-                                                                   | FDS_OPTS_P_MULTI),
+    FDS_OPTS_ELEM(PARAM_PORT           , "localPort"      , FDS_OPTS_T_UINT  , FDS_OPTS_P_OPT),
+    FDS_OPTS_ELEM(PARAM_IPADDR         , "localIPAddress" , FDS_OPTS_T_STRING, FDS_OPTS_P_OPT
+                                                                             | FDS_OPTS_P_MULTI),
+    FDS_OPTS_ELEM(PARAM_CERTIFICATE    , "certificateFile", FDS_OPTS_T_STRING, FDS_OPTS_P_OPT),
+    FDS_OPTS_ELEM(PARAM_TLS_VERIFY_PEER, "tlsVerifyPeer"  , FDS_OPTS_T_BOOL  , FDS_OPTS_P_OPT),
     FDS_OPTS_END,
 };
 
@@ -69,6 +75,8 @@ Config::Config(ipx_ctx *ctx, const char *params) : local_port(DEFAULT_PORT), loc
 void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
     const struct fds_xml_cont *content;
     bool empty_address = false;
+    bool empty_cert = false;
+    bool verify_set = false;
 
     while (fds_xml_next(params, &content) != FDS_EOC) {
         switch (content->id) {
@@ -85,13 +93,27 @@ void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
             break;
         case PARAM_IPADDR:
             assert(content->type == FDS_OPTS_T_STRING);
-            // check if the string is not empty
-            if (*content->ptr_string) {
+            // check if the string is empty
+            if (std::strcmp(content->ptr_string, "") == 0) {
+                empty_address = true;
+            } else {
                 local_addrs.push_back(IpAddress(content->ptr_string));
+            }
+            break;
+        case PARAM_CERTIFICATE:
+            assert(content->type == FDS_OPTS_T_STRING);
+            // check if the string is empty
+            if (std::strcmp(content->ptr_string, "") == 0) {
+                empty_cert = true;
             } else {
-                empty_address = true;
+                certificate_file = content->ptr_string;
             }
             break;
+        case PARAM_TLS_VERIFY_PEER:
+            assert(content->type == FDS_OPTS_T_BOOL);
+            verify_peer = content->val_bool;
+            verify_set = true;
+            break;
         default:
             throw std::invalid_argument("Unexpected element within <params>.");
         }
@@ -100,10 +122,26 @@ void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
     if (empty_address && local_addrs.size() != 0) {
         IPX_CTX_WARNING(
             ctx,
-            "Empty address in configuration ignored. Tcp plugin will NOT "
+            "Empty address in configuration ignored. TCP plugin will NOT "
             "listen on all interfaces but only on the specified addresses."
         );
     }
+
+    if (empty_cert) {
+        IPX_CTX_WARNING(
+            ctx,
+            "Empty certificate path in configuration ignored. TCP plugin will "
+            "NOT accept TLS connections."
+        )
+    }
+
+    if (verify_set && certificate_file.empty()) {
+        IPX_CTX_WARNING(
+            ctx,
+            "TLS peer verification enabled, but TLS certificate is missing. "
+            "TCP plugin will NOT accept TLS connections."
+        );
+    }
 }
 
 } // namespace tcp_in
diff --git a/src/plugins/input/tcp/src/Config.hpp b/src/plugins/input/tcp/src/Config.hpp
@@ -10,8 +10,9 @@
 
 #pragma once
 
-#include <vector>  // std::vector
 #include <cstdint> // uint16_t
+#include <string>
+#include <vector>  // std::vector
 
 #include <libfds.h> // fds_xml_ctx_t
 
@@ -25,6 +26,13 @@ namespace tcp_in {
 struct Config {
     uint16_t local_port;
     std::vector<IpAddress> local_addrs;
+    /**
+     * @brief Path to file in pem format which contains certificate and private key for TLS. If
+     * empty, TLS connections are not accepted.
+     */
+    std::string certificate_file;
+    /** If true, ipfixcol server will require certificate verification of clients */
+    bool verify_peer = false;
 
     /**
      * @brief Parse configuration of the TCP plugin
