From 86aabbbeeec264bf9653992ec2e4affa629fff0f Mon Sep 17 00:00:00 2001
From: Florin Coras <fcoras@cisco.com>
Date: Mon, 4 Apr 2022 13:37:10 -0700
Subject: tls: set client ckpair only for non-test ckp

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7287e40ad95dfe061fd8a7b0e99921d5540e030d
---
 src/plugins/tlsopenssl/tls_openssl.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index a1cf3e7e3c4..5bfac0d0b0f 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -630,13 +630,17 @@ openssl_ctx_read (tls_ctx_t *ctx, session_t *ts)
 }
 
 static int
-openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
+openssl_set_ckpair (SSL *ssl, u32 ckpair_index)
 {
   app_cert_key_pair_t *ckpair;
   BIO *cert_bio;
   EVP_PKEY *pkey;
   X509 *srvcert;
 
+  /* Configure a ckpair index only if non-default/test provided */
+  if (ckpair_index == 0)
+    return 0;
+
   ckpair = app_cert_key_pair_get_if_valid (ckpair_index);
   if (!ckpair)
     return -1;
@@ -657,7 +661,7 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
       clib_warning ("unable to parse certificate");
       return -1;
     }
-  SSL_use_certificate (ssl_connection, srvcert);
+  SSL_use_certificate (ssl, srvcert);
   BIO_free (cert_bio);
 
   cert_bio = BIO_new (BIO_s_mem ());
@@ -668,19 +672,17 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
       clib_warning ("unable to parse pkey");
       return -1;
     }
-  SSL_use_PrivateKey (ssl_connection, pkey);
+  SSL_use_PrivateKey (ssl, pkey);
   BIO_free (cert_bio);
   TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
   return 0;
 }
 
 static int
-openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
-			 int set_hostname_strict_check)
+openssl_client_init_verify (SSL *ssl, const char *srv_hostname,
+			    int set_hostname_verification,
+			    int set_hostname_strict_check)
 {
-  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
-  SSL *ssl = oc->ssl;
-
   if (set_hostname_verification)
     {
       X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
@@ -694,15 +696,14 @@ openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
 	X509_VERIFY_PARAM_set_hostflags (param,
 					 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 
-      if (!X509_VERIFY_PARAM_set1_host (param,
-					(const char *) ctx->srv_hostname, 0))
+      if (!X509_VERIFY_PARAM_set1_host (param, srv_hostname, 0))
 	{
 	  TLS_DBG (1, "Couldn't set hostname for verification");
 	  return -1;
 	}
       SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
     }
-  if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
+  if (!SSL_set_tlsext_host_name (ssl, srv_hostname))
     {
       TLS_DBG (1, "Couldn't set hostname");
       return -1;
@@ -771,8 +772,9 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
   SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
   SSL_set_connect_state (oc->ssl);
 
-  /* Hostname validation and strict check by name, are disable by default */
-  rv = openssl_ctx_init_verify (ctx, 0, 0);
+  /* Hostname validation and strict check by name are disabled by default */
+  rv = openssl_client_init_verify (oc->ssl, (const char *) ctx->srv_hostname,
+				   0, 0);
   if (rv)
     {
       TLS_DBG (1, "ERROR:verify init failed:%d", rv);
-- 
cgit 1.2.3-korg