authorFlorin Coras <fcoras@cisco.com>2018-03-05 16:53:07 -0800
committerDave Barach <openvpp@barachs.net>2018-03-07 13:27:59 +0000
commit8f89dd01289ea9e97405432d2351a19c842dd6d5 (patch)
tree67ab5d20f9ebbd34ee8d9fec2dfc3d97297fd0f7 /src/vnet/session/stream_session.h
parent7139e757b13212f3fd8e3f3f401018375fed0c61 (diff)
tls: enforce certificate verification
- add option to use test certificate in the ca chain - add hostname to extended session endpoint fields and connect api parameters. If hostname is present, certificate validation is enforced. - use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A different path can be provided via startup config Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet/session/stream_session.h')
-rw-r--r--src/vnet/session/stream_session.h15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h
index 6f6dce66040..b7a5eee4b12 100644
--- a/src/vnet/session/stream_session.h
+++ b/src/vnet/session/stream_session.h
@@ -141,7 +141,6 @@ typedef struct local_session_
#define foreach_session_endpoint_fields \
foreach_transport_connection_fields \
_(u8, transport_proto) \
- _(u8, app_proto) \
typedef struct _session_endpoint
{
@@ -157,6 +156,7 @@ typedef struct _session_endpoint_extended
#undef _
u32 app_index;
u32 opaque;
+ u8 *hostname;
} session_endpoint_extended_t;
#define SESSION_IP46_ZERO \
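Review bot: The new `u8 *hostname` field in `session_endpoint_extended_t` decides whether the peer certificate is checked, but nothing at the declaration says so. Per the commit description, validation is enforced only when a hostname is present. An endpoint left at the `.hostname = 0` default that `SESSION_ENDPOINT_EXT_NULL` sets in the later hunk therefore presumably connects without verification. I would document this at the field, e.g. `/* TLS peer name; if 0, certificate verification is not enforced */`, so callers can see from the header that an unset hostname is fail-open. The comment should also say whether the pointer is a vector or a NUL-terminated string and who frees it, since neither is visible here. The struct definition starts outside this hunk.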
@@ -173,7 +173,18 @@ typedef struct _session_endpoint_extended
.is_ip4 = 0, \
.port = 0, \
.transport_proto = 0, \
- .app_proto = 0, \
+}
+#define SESSION_ENDPOINT_EXT_NULL \
+{ \
+ .sw_if_index = ENDPOINT_INVALID_INDEX, \
+ .ip = SESSION_IP46_ZERO, \
+ .fib_index = ENDPOINT_INVALID_INDEX, \
+ .is_ip4 = 0, \
+ .port = 0, \
+ .transport_proto = 0, \
+ .app_index = ENDPOINT_INVALID_INDEX, \
+ .opaque = ENDPOINT_INVALID_INDEX, \
+ .hostname = 0, \
}
#define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep)