From 9a485d01fae0d17da5dbdba264f5f7fd104e3a1a Mon Sep 17 00:00:00 2001
From: satna
Date: Fri, 25 Mar 2022 13:46:02 +0530
Subject: [PATCH] tls: enable host verification by hostname

Type: improvement

Signed-off-by: satna
Change-Id: I1b1db60fa1a0e47fce273bc07b01887813fd3c48
---
 src/plugins/tlsopenssl/tls_openssl.c | 43 +++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 75494aac6de..0b76425d60d 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 
 #define MAX_CRYPTO_LEN 64
 
@@ -670,7 +671,42 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
   SSL_use_PrivateKey (ssl_connection, pkey);
   BIO_free (cert_bio);
   TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
+  return 0;
+}
+
+static int
+openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
+                         int set_hostname_strict_check)
+{
+  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+  SSL *ssl = oc->ssl;
+
+  if (set_hostname_verification)
+    {
+      X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
+      if (!param)
+        {
+          TLS_DBG (1, "Couldn't fetch SSL param");
+          return -1;
+        }
+      if (set_hostname_strict_check)
+        X509_VERIFY_PARAM_set_hostflags (param,
+                                         X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+      if (!X509_VERIFY_PARAM_set1_host (param,
+                                        (const char *) ctx->srv_hostname, 0))
+        {
+          TLS_DBG (1, "Couldn't set hostname for verification");
+          return -1;
+        }
+      SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
+    }
+  if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
+    {
+      TLS_DBG (1, "Couldn't set hostname");
+      return -1;
+    }
   return 0;
 }
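Review bot: In openssl_ctx_init_verify, when set_hostname_verification is requested but ctx->srv_hostname is NULL, X509_VERIFY_PARAM_set1_host (param, NULL, 0) succeeds and merely clears the expected-host list, so SSL_VERIFY_PEER is switched on with chain validation but no name check — the caller asked for hostname verification and silently gets less. Guard the branch before SSL_get0_param with `if (!ctx->srv_hostname) { TLS_DBG (1, "hostname verification requested without a hostname"); return -1; }`. The length argument 0 to set1_host also means srv_hostname must be NUL-terminated; the SNI call already relied on that, so it is presumably guaranteed by whoever builds the name, but a comment stating the requirement on the function would help. Whether a trust store is loaded into the SSL_CTX is not visible in this hunk, and SSL_VERIFY_PEER only gives the intended result if one is, so a header comment naming the two flags as the caller's policy knobs, the trust-store precondition and the non-zero-return-aborts-setup contract is worth adding. The trailing context lines belong to openssl_set_ckpair, which starts outside the hunk.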
@@ -735,10 +771,11 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
   SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
   SSL_set_connect_state (oc->ssl);
 
-  rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname);
-  if (rv != 1)
+  /* Hostname validation and strict check by name, are disable by default */
+  rv = openssl_ctx_init_verify (ctx, 0, 0);
+  if (rv)
     {
-      TLS_DBG (1, "Couldn't set hostname");
+      TLS_DBG (1, "ERROR:verify init failed:%d", rv);
       return -1;
     }
   if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))
--
2.16.6
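Review bot: The new comment reads `are disable by default`; it should be `/* Hostname verification and the strict name check are disabled by default */`, and it should say where a caller is expected to turn them on, since this call site hard-codes `openssl_ctx_init_verify (ctx, 0, 0)` and nothing in this patch can flip either flag — presumably a later change wires them to configuration. The new log line `"ERROR:verify init failed:%d"` also departs from the `"Couldn't ..."` wording of the surrounding TLS_DBG messages; `TLS_DBG (1, "Couldn't init hostname verification: %d", rv);` keeps the style consistent. openssl_ctx_init_client starts and ends outside the hunk.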