From 86aabbbeeec264bf9653992ec2e4affa629fff0f Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Mon, 4 Apr 2022 13:37:10 -0700 Subject: tls: set client ckpair only for non-test ckp Type: improvement Signed-off-by: Florin Coras Change-Id: I7287e40ad95dfe061fd8a7b0e99921d5540e030d --- src/plugins/tlsopenssl/tls_openssl.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index a1cf3e7e3c4..5bfac0d0b0f 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -630,13 +630,17 @@ openssl_ctx_read (tls_ctx_t *ctx, session_t *ts) } static int -openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index) +openssl_set_ckpair (SSL *ssl, u32 ckpair_index) { app_cert_key_pair_t *ckpair; BIO *cert_bio; EVP_PKEY *pkey; X509 *srvcert; + /* Configure a ckpair index only if non-default/test provided */ + if (ckpair_index == 0) + return 0; + ckpair = app_cert_key_pair_get_if_valid (ckpair_index); if (!ckpair) return -1; @@ -657,7 +661,7 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index) clib_warning ("unable to parse certificate"); return -1; } - SSL_use_certificate (ssl_connection, srvcert); + SSL_use_certificate (ssl, srvcert); BIO_free (cert_bio); cert_bio = BIO_new (BIO_s_mem ()); @@ -668,19 +672,17 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index) clib_warning ("unable to parse pkey"); return -1; } - SSL_use_PrivateKey (ssl_connection, pkey); + SSL_use_PrivateKey (ssl, pkey); BIO_free (cert_bio); TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index); return 0; } static int -openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification, - int set_hostname_strict_check) +openssl_client_init_verify (SSL *ssl, const char *srv_hostname, + int set_hostname_verification, + int set_hostname_strict_check) { - openssl_ctx_t *oc = (openssl_ctx_t *) ctx; - SSL *ssl = oc->ssl; - if (set_hostname_verification) { X509_VERIFY_PARAM *param = SSL_get0_param (ssl); @@ -694,15 +696,14 @@ openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification, X509_VERIFY_PARAM_set_hostflags (param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - if (!X509_VERIFY_PARAM_set1_host (param, - (const char *) ctx->srv_hostname, 0)) + if (!X509_VERIFY_PARAM_set1_host (param, srv_hostname, 0)) { TLS_DBG (1, "Couldn't set hostname for verification"); return -1; } SSL_set_verify (ssl, SSL_VERIFY_PEER, 0); } - if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname)) + if (!SSL_set_tlsext_host_name (ssl, srv_hostname)) { TLS_DBG (1, "Couldn't set hostname"); return -1; @@ -771,8 +772,9 @@ openssl_ctx_init_client (tls_ctx_t * ctx) SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); SSL_set_connect_state (oc->ssl); - /* Hostname validation and strict check by name, are disable by default */ - rv = openssl_ctx_init_verify (ctx, 0, 0); + /* Hostname validation and strict check by name are disabled by default */ + rv = openssl_client_init_verify (oc->ssl, (const char *) ctx->srv_hostname, + 0, 0); if (rv) { TLS_DBG (1, "ERROR:verify init failed:%d", rv); -- cgit 1.2.3-korg