ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tls: enable host verification by hostname

Browse Source 
Type: improvement

Signed-off-by: satna <satbeervarma9596@gmail.com>
Change-Id: I1b1db60fa1a0e47fce273bc07b01887813fd3c48
This commit is contained in:
satna
2022-03-25 13:46:02 +05:30
committed by Florin Coras
parent 2473858233
commit 9a485d01fa
1 changed files with 40 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
src/plugins/tlsopenssl/tls_openssl.c
View File

@@ -28,6 +28,7 @@
#include <tlsopenssl/tls_openssl.h> #include <tlsopenssl/tls_openssl.h>
#include <tlsopenssl/tls_bios.h> #include <tlsopenssl/tls_bios.h>
#include <openssl/x509_vfy.h> #include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
#define MAX_CRYPTO_LEN 64 #define MAX_CRYPTO_LEN 64
@@ -670,7 +671,42 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
SSL_use_PrivateKey (ssl_connection, pkey); SSL_use_PrivateKey (ssl_connection, pkey);
BIO_free (cert_bio); BIO_free (cert_bio);
TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index); TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
return 0;
}
static int
openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
int set_hostname_strict_check)
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
SSL *ssl = oc->ssl;
if (set_hostname_verification)
{
X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
if (!param)
{
TLS_DBG (1, "Couldn't fetch SSL param");
return -1;
}
if (set_hostname_strict_check)
X509_VERIFY_PARAM_set_hostflags (param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
if (!X509_VERIFY_PARAM_set1_host (param,
(const char *) ctx->srv_hostname, 0))
{
TLS_DBG (1, "Couldn't set hostname for verification");
return -1;
}
SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
}
if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
{
TLS_DBG (1, "Couldn't set hostname");
return -1;
}
return 0; return 0;
} }
@@ -735,10 +771,11 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
SSL_set_connect_state (oc->ssl); SSL_set_connect_state (oc->ssl);
rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname); /* Hostname validation and strict check by name, are disable by default */
if (rv != 1) rv = openssl_ctx_init_verify (ctx, 0, 0);
if (rv)
{ {
TLS_DBG (1, "Couldn't set hostname"); TLS_DBG (1, "ERROR:verify init failed:%d", rv);
return -1; return -1;
} }
if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index)) if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))