Diffstat (limited to 'grpc/src/core/tsi/ssl_transport_security.cc')
-rw-r--r-- | grpc/src/core/tsi/ssl_transport_security.cc | 49 |
1 files changed, 32 insertions, 17 deletions
diff --git a/grpc/src/core/tsi/ssl_transport_security.cc b/grpc/src/core/tsi/ssl_transport_security.cc
index 7f8749ce..4241b6f6 100644
--- a/grpc/src/core/tsi/ssl_transport_security.cc
+++ b/grpc/src/core/tsi/ssl_transport_security.cc
@@ -45,8 +45,6 @@
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wmodule-import-in-extern-c"
 extern "C" {
 #include <openssl/bio.h>
 #include <openssl/crypto.h> /* For OPENSSL_free */
@@ -57,7 +55,6 @@ extern "C" {
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 }
-#pragma clang diagnostic pop
 #include "src/core/lib/gpr/useful.h"
 #include "src/core/tsi/ssl/session_cache/ssl_session_cache.h"
@@ -360,13 +357,17 @@ static tsi_result add_subject_alt_names_properties_to_peer(
         subject_alt_name->type == GEN_URI) {
       unsigned char* name = nullptr;
       int name_size;
+      std::string property_name;
       if (subject_alt_name->type == GEN_DNS) {
         name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.dNSName);
+        property_name = TSI_X509_DNS_PEER_PROPERTY;
       } else if (subject_alt_name->type == GEN_EMAIL) {
         name_size = ASN1_STRING_to_UTF8(&name, subject_alt_name->d.rfc822Name);
+        property_name = TSI_X509_EMAIL_PEER_PROPERTY;
       } else {
         name_size = ASN1_STRING_to_UTF8(
             &name, subject_alt_name->d.uniformResourceIdentifier);
+        property_name = TSI_X509_URI_PEER_PROPERTY;
       }
       if (name_size < 0) {
         gpr_log(GPR_ERROR, "Could not get utf8 from asn1 string.");
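Review bot: In the hunk at -360, `std::string property_name` is built and copied for every DNS, email or URI SAN only to pass `.c_str()` to tsi_construct_string_peer_property in the next hunk. If the TSI_X509_*_PEER_PROPERTY names are string-literal constants, as the pre-existing use of TSI_X509_URI_PEER_PROPERTY as a direct argument suggests, `const char* property_name = nullptr;` with plain pointer assignment in the three branches expresses the same selection without an allocation or copy per SAN. The enclosing function starts and ends outside the hunk.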
@@ -381,12 +382,10 @@ static tsi_result add_subject_alt_names_properties_to_peer(
         OPENSSL_free(name);
         break;
       }
-      if (subject_alt_name->type == GEN_URI) {
-        result = tsi_construct_string_peer_property(
-            TSI_X509_URI_PEER_PROPERTY, reinterpret_cast<const char*>(name),
-            static_cast<size_t>(name_size),
-            &peer->properties[(*current_insert_index)++]);
-      }
+      result = tsi_construct_string_peer_property(
+          property_name.c_str(), reinterpret_cast<const char*>(name),
+          static_cast<size_t>(name_size),
+          &peer->properties[(*current_insert_index)++]);
       OPENSSL_free(name);
     } else if (subject_alt_name->type == GEN_IPADD) {
       char ntop_buf[INET6_ADDRSTRLEN];
@@ -412,6 +411,10 @@ static tsi_result add_subject_alt_names_properties_to_peer(
         result = tsi_construct_string_peer_property_from_cstring(
             TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, name,
             &peer->properties[(*current_insert_index)++]);
+        if (result != TSI_OK) break;
+        result = tsi_construct_string_peer_property_from_cstring(
+            TSI_X509_IP_PEER_PROPERTY, name,
+            &peer->properties[(*current_insert_index)++]);
       } else {
         result = tsi_construct_string_peer_property_from_cstring(
             TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "other types of SAN",
@@ -441,7 +444,14 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
   for (int i = 0; i < subject_alt_name_count; i++) {
     GENERAL_NAME* subject_alt_name =
         sk_GENERAL_NAME_value(subject_alt_names, TSI_SIZE_AS_SIZE(i));
-    if (subject_alt_name->type == GEN_URI) {
+    // TODO(zhenlian): Clean up tsi_peer to avoid duplicate entries.
+    // URI, DNS, email and ip address SAN fields are plumbed to tsi_peer, in
+    // addition to all SAN fields (results in duplicate values). This code
+    // snippet updates property_count accordingly.
+    if (subject_alt_name->type == GEN_URI ||
+        subject_alt_name->type == GEN_DNS ||
+        subject_alt_name->type == GEN_EMAIL ||
+        subject_alt_name->type == GEN_IPADD) {
       property_count += 1;
     }
   }
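Review bot: In the hunk at -381 the now-unconditional tsi_construct_string_peer_property call stores its status in `result` but nothing checks it before the loop moves on, whereas the new IP branch at -412 does guard with `if (result != TSI_OK) break;` between its two inserts. If the for loop's condition (outside the hunk) does not test `result`, a failed DNS/email/URI insert is overwritten by the next SAN's status while `*current_insert_index` has already advanced past a slot that may not have been populated. Mirroring the earlier error path, the line after the call could read `OPENSSL_free(name); if (result != TSI_OK) break;` so every insert failure in this function is handled the same way. The enclosing function starts and ends outside the hunk.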
@@ -1914,14 +1924,16 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
 #else
   ssl_context = SSL_CTX_new(TLSv1_2_method());
 #endif
-  result = tsi_set_min_and_max_tls_versions(
-      ssl_context, options->min_tls_version, options->max_tls_version);
-  if (result != TSI_OK) return result;
   if (ssl_context == nullptr) {
+    log_ssl_error_stack();
     gpr_log(GPR_ERROR, "Could not create ssl context.");
     return TSI_INVALID_ARGUMENT;
   }
+  result = tsi_set_min_and_max_tls_versions(
+      ssl_context, options->min_tls_version, options->max_tls_version);
+  if (result != TSI_OK) return result;
+
   impl = static_cast<tsi_ssl_client_handshaker_factory*>(
       gpr_zalloc(sizeof(*impl)));
   tsi_ssl_handshaker_factory_init(&impl->base);
@@ -2081,15 +2093,18 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
 #else
     impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
 #endif
-    result = tsi_set_min_and_max_tls_versions(impl->ssl_contexts[i],
-                                              options->min_tls_version,
-                                              options->max_tls_version);
-    if (result != TSI_OK) return result;
     if (impl->ssl_contexts[i] == nullptr) {
+      log_ssl_error_stack();
       gpr_log(GPR_ERROR, "Could not create ssl context.");
       result = TSI_OUT_OF_RESOURCES;
       break;
     }
+
+    result = tsi_set_min_and_max_tls_versions(impl->ssl_contexts[i],
+                                              options->min_tls_version,
+                                              options->max_tls_version);
+    if (result != TSI_OK) return result;
+
     result = populate_ssl_context(impl->ssl_contexts[i],
                                   &options->pem_key_cert_pairs[i],
                                   options->cipher_suites); |
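Review bot: The relocated `if (result != TSI_OK) return result;` now executes after SSL_CTX_new has succeeded, so in the client factory (hunk at -1914) a version-configuration failure returns without freeing the fresh `ssl_context`, and in the server factory (hunk at -2081) it returns from inside the per-context loop, bypassing whatever cleanup the `break` on the nullptr path falls through to and presumably leaking `impl` and the contexts created so far (that cleanup is outside the hunk). Ordering the check after the null test is the right fix, but the failure path should release what it owns: in the client factory `if (result != TSI_OK) { SSL_CTX_free(ssl_context); return result; }`, and in the server factory the same shape as the nullptr branch, `if (result != TSI_OK) break;`, since `result` already holds the error to propagate. Both enclosing functions start and end outside the hunks.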