From 8f89dd01289ea9e97405432d2351a19c842dd6d5 Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Mon, 5 Mar 2018 16:53:07 -0800
Subject: tls: enforce certificate verification
- add option to use test certificate in the ca chain
- add hostname to extended session endpoint fields and connect api parameters. If hostname is present, certificate validation is enforced.
- use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A different path can be provided via startup config
Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb
Signed-off-by: Florin Coras
---
 src/vnet/session/session_api.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
(limited to 'src/vnet/session/session_api.c')
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 6694a40c348..b25911eb306 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
 a->uri = (char *) mp->uri;
 a->api_context = mp->context;
 a->app_index = app->index;
- a->mp = mp;
 if ((error = vnet_connect_uri (a)))
 {
 rv = clib_error_get_code (error);
- if (rv != VNET_API_ERROR_SESSION_REDIRECT)
- clib_error_report (error);
+ clib_error_report (error);
 }
 }
 else
@@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
 * the connection is established. In case of the redirects, the reply
 * will come from the server app.
 */
- if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+ if (rv == 0)
 return;

 done:
@@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
 svm_queue_t *client_q;
 ip46_address_t *ip46 = (ip46_address_t *) mp->ip;

+ memset (a, 0, sizeof (*a));
 client_q = vl_api_client_index_to_input_queue (mp->client_index);
 mp->client_queue_address = pointer_to_uword (client_q);
 a->sep.is_ip4 = mp->is_ip4;
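Review bot: Nothing in this hunk zeroes the `vnet_connect_args_t` that vl_api_connect_uri_t_handler fills, while the connect_sock handler in the hunk at -838 now does `memset (a, 0, sizeof (*a))` for exactly that purpose; if the declaration above this hunk is a plain stack `_a`, the new `sep.hostname` field is indeterminate on this path, and since the commit makes certificate validation conditional on a hostname being present, a TLS connect via URI could hand a garbage pointer to the TLS layer or skip verification unpredictably. Unless the declaration already initializes the struct, add `memset (a, 0, sizeof (*a));` before `a->uri = (char *) mp->uri;`. Reporting every vnet_connect_uri error now that the SESSION_REDIRECT case is gone matches the sock handler and looks fine. The function begins and ends outside the hunk.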
@@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
 a->sep.transport_proto = mp->proto;
 a->sep.fib_index = mp->vrf;
 a->sep.sw_if_index = ENDPOINT_INVALID_INDEX;
+ if (mp->hostname_len)
+ {
+ vec_validate (a->sep.hostname, mp->hostname_len - 1);
+ clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len);
+ }
 a->api_context = mp->context;
 a->app_index = app->index;
- a->mp = mp;
 if ((error = vnet_connect (a)))
 {
 rv = clib_error_get_code (error);
- if (rv != VNET_API_ERROR_SESSION_REDIRECT)
- clib_error_report (error);
+ clib_error_report (error);
 }
+ vec_free (a->sep.hostname);
 }
 else
 {
 rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
 }

- if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+ if (rv == 0)
 return;

 /* Got some error, relay it */
-- cgit 1.2.3-korg
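Review bot: `mp->hostname_len` comes straight from the API client and is used unchecked as both the vec size and the clib_memcpy length on the new hostname lines; the message layout is not in this diff, but if `hostname` is a fixed-size array in vl_api_connect_sock_t a length larger than the array reads past it into whatever follows in the shared-memory message, and if it is a trailing variable-length field the length is still never validated against the message size. Bound it before copying, e.g. `if (mp->hostname_len > sizeof (mp->hostname)) rv = VNET_API_ERROR_INVALID_VALUE;` and only perform the copy and the vnet_connect call while rv is still 0. The copied vec carries no NUL terminator, so if the TLS side passes `sep->hostname` to a C-string API (SNI or the X509 hostname check) it needs one appended, otherwise consumers must use vec_len. The `vec_free (a->sep.hostname)` immediately after vnet_connect assumes vnet_connect copies the name rather than retaining the pointer for the asynchronous connect; that is worth confirming in vnet_connect, which is outside this diff. The handler's declaration of `a` is above the hunk.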