author | Florin Coras <fcoras@cisco.com> | 2018-03-05 16:53:07 -0800 |
committer | Dave Barach <openvpp@barachs.net> | 2018-03-07 13:27:59 +0000 |
commit | 8f89dd01289ea9e97405432d2351a19c842dd6d5 (patch) | |
tree | 67ab5d20f9ebbd34ee8d9fec2dfc3d97297fd0f7 /src/vnet/session/session_api.c | |
parent | 7139e757b13212f3fd8e3f3f401018375fed0c61 (diff) |
tls: enforce certificate verification
- add option to use test certificate in the ca chain
- add hostname to extended session endpoint fields and connect api
parameters. If hostname is present, certificate validation is
enforced.
- use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A
different path can be provided via startup config
Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb
Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet/session/session_api.c')
-rwxr-xr-x | src/vnet/session/session_api.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 6694a40c348..b25911eb306 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
       a->uri = (char *) mp->uri;
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect_uri (a)))
         {
           rv = clib_error_get_code (error);
-          if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-            clib_error_report (error);
+          clib_error_report (error);
         }
     }
   else
@@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
    * the connection is established. In case of the redirects, the reply
    * will come from the server app. */
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
 done:
@@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       svm_queue_t *client_q;
       ip46_address_t *ip46 = (ip46_address_t *) mp->ip;
+      memset (a, 0, sizeof (*a));
       client_q = vl_api_client_index_to_input_queue (mp->client_index);
       mp->client_queue_address = pointer_to_uword (client_q);
       a->sep.is_ip4 = mp->is_ip4;
@@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
       a->sep.transport_proto = mp->proto;
       a->sep.fib_index = mp->vrf;
       a->sep.sw_if_index = ENDPOINT_INVALID_INDEX;
+      if (mp->hostname_len)
+        {
+          vec_validate (a->sep.hostname, mp->hostname_len - 1);
+          clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len);
+        }
       a->api_context = mp->context;
       a->app_index = app->index;
-      a->mp = mp;
       if ((error = vnet_connect (a)))
         {
           rv = clib_error_get_code (error);
-          if (rv != VNET_API_ERROR_SESSION_REDIRECT)
-            clib_error_report (error);
+          clib_error_report (error);
         }
+      vec_free (a->sep.hostname);
     }
   else
     {
       rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
     }
-  if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+  if (rv == 0)
     return;
   /* Got some error, relay it */
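Review bot: The context comment directly above the changed condition in the second hunk still reads `* the connection is established. In case of the redirects, the reply * will come from the server app. */`, but this commit removes the VNET_API_ERROR_SESSION_REDIRECT path it describes, so the comment now documents behavior that no longer exists. Suggest dropping the redirect sentence so the comment ends after "the connection is established." (the comment's first line is above the hunk, so check its exact wording there). The same stale wording probably sits above the matching `if (rv == 0)` change in vl_api_connect_sock_t_handler (fourth hunk), whose leading context does not show it.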
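Review bot: In the fourth hunk `mp->hostname_len` comes straight from the API message and is used unchecked as the length for `vec_validate` and `clib_memcpy`, so a value larger than the hostname field in `vl_api_connect_sock_t` makes the copy read past the end of the message. Assuming `mp->hostname` is a fixed-size array in the message (as the field access suggests), reject oversized values before the copy, e.g. `if (mp->hostname_len > sizeof (mp->hostname)) { rv = VNET_API_ERROR_INVALID_VALUE; goto done; }`, with the jump target adjusted to however this handler reaches its reply path, and do the same on any other handler that copies this field. Two smaller points on the new lines: the copied hostname is not NUL-terminated, so any consumer that treats `a->sep.hostname` as a C string (for SNI or certificate name matching) would over-read — worth a comment like `/* hostname is a vec without NUL terminator; use vec_len () */` at the copy; and the `vec_free (a->sep.hostname)` right after `vnet_connect` is only safe if `vnet_connect` copies the hostname before returning, which is not visible here and is worth confirming since TLS validation happens later in the handshake.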