aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/tlsopenssl
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2022-04-04 13:37:10 -0700
committerDamjan Marion <dmarion@me.com>2022-04-04 22:28:56 +0000
commit86aabbbeeec264bf9653992ec2e4affa629fff0f (patch)
tree7d0b80c422499d470f33dd7e6184c11b928a8d35 /src/plugins/tlsopenssl
parent13f34ba4ab18155ac55f15c1b19f59bef9f97d99 (diff)
tls: set client ckpair only for non-test ckp
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7287e40ad95dfe061fd8a7b0e99921d5540e030d
Diffstat (limited to 'src/plugins/tlsopenssl')
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index a1cf3e7e3c4..5bfac0d0b0f 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -630,13 +630,17 @@ openssl_ctx_read (tls_ctx_t *ctx, session_t *ts)
}
static int
-openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
+openssl_set_ckpair (SSL *ssl, u32 ckpair_index)
{
app_cert_key_pair_t *ckpair;
BIO *cert_bio;
EVP_PKEY *pkey;
X509 *srvcert;
+ /* Configure a ckpair index only if non-default/test provided */
+ if (ckpair_index == 0)
+ return 0;
+
ckpair = app_cert_key_pair_get_if_valid (ckpair_index);
if (!ckpair)
return -1;
@@ -657,7 +661,7 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
clib_warning ("unable to parse certificate");
return -1;
}
- SSL_use_certificate (ssl_connection, srvcert);
+ SSL_use_certificate (ssl, srvcert);
BIO_free (cert_bio);
cert_bio = BIO_new (BIO_s_mem ());
@@ -668,19 +672,17 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
clib_warning ("unable to parse pkey");
return -1;
}
- SSL_use_PrivateKey (ssl_connection, pkey);
+ SSL_use_PrivateKey (ssl, pkey);
BIO_free (cert_bio);
TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
return 0;
}
static int
-openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
- int set_hostname_strict_check)
+openssl_client_init_verify (SSL *ssl, const char *srv_hostname,
+ int set_hostname_verification,
+ int set_hostname_strict_check)
{
- openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
- SSL *ssl = oc->ssl;
-
if (set_hostname_verification)
{
X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
@@ -694,15 +696,14 @@ openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
X509_VERIFY_PARAM_set_hostflags (param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- if (!X509_VERIFY_PARAM_set1_host (param,
- (const char *) ctx->srv_hostname, 0))
+ if (!X509_VERIFY_PARAM_set1_host (param, srv_hostname, 0))
{
TLS_DBG (1, "Couldn't set hostname for verification");
return -1;
}
SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
}
- if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
+ if (!SSL_set_tlsext_host_name (ssl, srv_hostname))
{
TLS_DBG (1, "Couldn't set hostname");
return -1;
@@ -771,8 +772,9 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
SSL_set_connect_state (oc->ssl);
- /* Hostname validation and strict check by name, are disable by default */
- rv = openssl_ctx_init_verify (ctx, 0, 0);
+ /* Hostname validation and strict check by name are disabled by default */
+ rv = openssl_client_init_verify (oc->ssl, (const char *) ctx->srv_hostname,
+ 0, 0);
if (rv)
{
TLS_DBG (1, "ERROR:verify init failed:%d", rv);