Code Review
/
vpp.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
review
|
tree
raw
|
patch
|
inline
| side by side (parent:
2473858
)
tls: enable host verification by hostname
81/35781/9
author
satna
<satbeervarma9596@gmail.com>
Fri, 25 Mar 2022 08:16:02 +0000
(13:46 +0530)
committer
Florin Coras
<florin.coras@gmail.com>
Fri, 1 Apr 2022 06:45:40 +0000
(06:45 +0000)
Type: improvement
Signed-off-by: satna <satbeervarma9596@gmail.com>
Change-Id: I1b1db60fa1a0e47fce273bc07b01887813fd3c48
src/plugins/tlsopenssl/tls_openssl.c
patch
|
blob
|
history
diff --git
a/src/plugins/tlsopenssl/tls_openssl.c
b/src/plugins/tlsopenssl/tls_openssl.c
index
75494aa
..
0b76425
100644
(file)
--- a/
src/plugins/tlsopenssl/tls_openssl.c
+++ b/
src/plugins/tlsopenssl/tls_openssl.c
@@
-28,6
+28,7
@@
#include <tlsopenssl/tls_openssl.h>
#include <tlsopenssl/tls_bios.h>
#include <openssl/x509_vfy.h>
#include <tlsopenssl/tls_openssl.h>
#include <tlsopenssl/tls_bios.h>
#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
#define MAX_CRYPTO_LEN 64
#define MAX_CRYPTO_LEN 64
@@
-670,7
+671,42
@@
openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
SSL_use_PrivateKey (ssl_connection, pkey);
BIO_free (cert_bio);
TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
SSL_use_PrivateKey (ssl_connection, pkey);
BIO_free (cert_bio);
TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
+ return 0;
+}
+
+static int
+openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
+ int set_hostname_strict_check)
+{
+ openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+ SSL *ssl = oc->ssl;
+
+ if (set_hostname_verification)
+ {
+ X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
+ if (!param)
+ {
+ TLS_DBG (1, "Couldn't fetch SSL param");
+ return -1;
+ }
+ if (set_hostname_strict_check)
+ X509_VERIFY_PARAM_set_hostflags (param,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ if (!X509_VERIFY_PARAM_set1_host (param,
+ (const char *) ctx->srv_hostname, 0))
+ {
+ TLS_DBG (1, "Couldn't set hostname for verification");
+ return -1;
+ }
+ SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
+ }
+ if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
+ {
+ TLS_DBG (1, "Couldn't set hostname");
+ return -1;
+ }
return 0;
}
return 0;
}
@@
-735,10
+771,11
@@
openssl_ctx_init_client (tls_ctx_t * ctx)
SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
SSL_set_connect_state (oc->ssl);
SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
SSL_set_connect_state (oc->ssl);
- rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname);
- if (rv != 1)
+ /* Hostname validation and strict check by name, are disable by default */
+ rv = openssl_ctx_init_verify (ctx, 0, 0);
+ if (rv)
{
{
- TLS_DBG (1, "
Couldn't set hostname"
);
+ TLS_DBG (1, "
ERROR:verify init failed:%d", rv
);
return -1;
}
if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))
return -1;
}
if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))