From 02371b7569d789e7ab6dded54ea6dfd4d8a4728d Mon Sep 17 00:00:00 2001
From: Akshay Kumar <akshayku@microsoft.com>
Date: Tue, 7 Jan 2020 11:22:00 -0800
Subject: [PATCH] FullChainExperimental-01-200106-ssl_transport_security_test-4

---
 include/grpc/grpc_security_constants.h        |  9 ++++++---
 .../security/security_connector/ssl_utils.cc  | 19 +++----------------
 .../security/security_connector/ssl_utils.h   |  7 +------
 .../tls/tls_security_connector.cc             |  8 ++++----
 src/core/tsi/ssl_transport_security.cc        |  2 +-
 src/core/tsi/ssl_transport_security.h         |  6 +++---
 src/core/tsi/transport_security_interface.h   | 11 -----------
 7 files changed, 18 insertions(+), 44 deletions(-)

diff --git a/include/grpc/grpc_security_constants.h b/include/grpc/grpc_security_constants.h
index 63900e41cb3..c414101b66d 100644
--- a/include/grpc/grpc_security_constants.h
+++ b/include/grpc/grpc_security_constants.h
@@ -117,12 +117,15 @@ typedef enum {
 
 typedef enum {
   /** Default option: performs server certificate verification and hostname
-     verification */
+     verification. */
   GRPC_TLS_SERVER_VERIFICATION,
   /** Performs server certificate verification, but skips hostname verification
-   */
+     Client is responsible for verifying server's identity via
+     server authorization check callback. */
   GRPC_TLS_SKIP_HOSTNAME_VERIFICATION,
-  /** Skips both server certificate and hostname verification */
+  /** Skips both server certificate and hostname verification.
+     Client is responsible for verifying server's identity and
+     server's certificate via server authorization check callback. */
   GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION
 } grpc_tls_server_verification_option;
 
diff --git a/src/core/lib/security/security_connector/ssl_utils.cc b/src/core/lib/security/security_connector/ssl_utils.cc
index e34c66b35d6..8b99850d048 100644
--- a/src/core/lib/security/security_connector/ssl_utils.cc
+++ b/src/core/lib/security/security_connector/ssl_utils.cc
@@ -108,20 +108,6 @@ grpc_get_tsi_client_certificate_request_type(
   }
 }
 
-tsi_server_verification_option grpc_get_tsi_server_verification_option(
-    grpc_tls_server_verification_option server_verification_option) {
-  switch (server_verification_option) {
-    case GRPC_TLS_SERVER_VERIFICATION:
-      return TSI_SERVER_VERIFICATION;
-    case GRPC_TLS_SKIP_HOSTNAME_VERIFICATION:
-      return TSI_SKIP_HOSTNAME_VERIFICATION;
-    case GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION:
-      return TSI_SKIP_ALL_SERVER_VERIFICATION;
-    default:
-      return TSI_SERVER_VERIFICATION;
-  }
-}
-
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
 #if TSI_OPENSSL_ALPN_SUPPORT
   /* Check the ALPN if ALPN is supported. */
@@ -306,7 +292,7 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
-    tsi_server_verification_option server_verification_option,
+    bool skip_server_certificate_verification,
     tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
   const char* root_certs;
@@ -337,7 +323,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
   }
   options.cipher_suites = grpc_get_ssl_cipher_suites();
   options.session_cache = ssl_session_cache;
-  options.server_verification_option = server_verification_option;
+  options.skip_server_certificate_verification =
+      skip_server_certificate_verification;
   const tsi_result result =
       tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                             handshaker_factory);
diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
index e6370db9768..bf9607a3e27 100644
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
@@ -68,18 +68,13 @@ tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
     grpc_ssl_client_certificate_request_type grpc_request_type);
 
-/* Map from grpc_tls_server_verification_option to
- * tsi_server_verification_option. */
-tsi_server_verification_option grpc_get_tsi_server_verification_option(
-    grpc_tls_server_verification_option server_verification_option);
-
 /* Return an array of strings containing alpn protocols. */
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 
 /* Initialize TSI SSL server/client handshaker factory. */
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
-    tsi_server_verification_option server_verification_option,
+    bool skip_server_certificate_verification,
     tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 
diff --git a/src/core/lib/security/security_connector/tls/tls_security_connector.cc b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
index 702a6352ef3..3cd83ae1a80 100644
--- a/src/core/lib/security/security_connector/tls/tls_security_connector.cc
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
@@ -286,9 +286,9 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
     tsi_ssl_session_cache* ssl_session_cache) {
   const TlsCredentials* creds =
       static_cast<const TlsCredentials*>(channel_creds());
-  tsi_server_verification_option server_verification_option =
-      grpc_get_tsi_server_verification_option(
-          creds->options().server_verification_option());
+  bool skip_server_certificate_verification =
+      creds->options().server_verification_option() ==
+      GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION;
   /* Free the client handshaker factory if exists. */
   if (client_handshaker_factory_) {
     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
@@ -297,7 +297,7 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
       key_materials_config_->pem_key_cert_pair_list());
   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
       pem_key_cert_pair, key_materials_config_->pem_root_certs(),
-      server_verification_option, ssl_session_cache,
+      skip_server_certificate_verification, ssl_session_cache,
       &client_handshaker_factory_);
   /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc
index 2063ef0dfc9..2f85074ec89 100644
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@@ -1765,7 +1765,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
     tsi_ssl_handshaker_factory_unref(&impl->base);
     return result;
   }
-  if (options->server_verification_option == TSI_SKIP_ALL_SERVER_VERIFICATION) {
+  if (options->skip_server_certificate_verification) {
     SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, NullVerifyCallback);
   } else {
     SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, nullptr);
diff --git a/src/core/tsi/ssl_transport_security.h b/src/core/tsi/ssl_transport_security.h
index 2ccd15088c9..ae1e413aad3 100644
--- a/src/core/tsi/ssl_transport_security.h
+++ b/src/core/tsi/ssl_transport_security.h
@@ -148,8 +148,8 @@ struct tsi_ssl_client_handshaker_options {
   /* ssl_session_cache is a cache for reusable client-side sessions. */
   tsi_ssl_session_cache* session_cache;
 
-  /* Server verification option */
-  tsi_server_verification_option server_verification_option;
+  /* skip server certificate verification. */
+  bool skip_server_certificate_verification;
 
   tsi_ssl_client_handshaker_options()
       : pem_key_cert_pair(nullptr),
@@ -159,7 +159,7 @@ struct tsi_ssl_client_handshaker_options {
         alpn_protocols(nullptr),
         num_alpn_protocols(0),
         session_cache(nullptr),
-        server_verification_option(TSI_SERVER_VERIFICATION) {}
+        skip_server_certificate_verification(false) {}
 };
 
 /* Creates a client handshaker factory.
diff --git a/src/core/tsi/transport_security_interface.h b/src/core/tsi/transport_security_interface.h
index 6d597e4bdf7..7a0cdc3453a 100644
--- a/src/core/tsi/transport_security_interface.h
+++ b/src/core/tsi/transport_security_interface.h
@@ -55,17 +55,6 @@ typedef enum {
   TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY,
 } tsi_client_certificate_request_type;
 
-typedef enum {
-  /** Default option: performs server certificate verification and hostname
-     verification */
-  TSI_SERVER_VERIFICATION,
-  /** Performs server certificate verification, but skips hostname verification
-   */
-  TSI_SKIP_HOSTNAME_VERIFICATION,
-  /** Skips both server certificate and hostname verification */
-  TSI_SKIP_ALL_SERVER_VERIFICATION,
-} tsi_server_verification_option;
-
 const char* tsi_result_to_string(tsi_result result);
 
 /* --- tsi tracing --- */