FullChainExperimental-01-200106-ssl_transport_security_test-4

5 years ago · 02371b7569
parent 3be7b4362f
commit 02371b7569
7 changed files with 18 additions and 44 deletions
--- a/include/grpc/grpc_security_constants.h
+++ b/include/grpc/grpc_security_constants.h
@ -117,12 +117,15 @@ typedef enum {

 typedef enum {
  /** Default option: performs server certificate verification and hostname
-     verification */
+     verification. */
  GRPC_TLS_SERVER_VERIFICATION,
  /** Performs server certificate verification, but skips hostname verification
-   */
+     Client is responsible for verifying server's identity via
+     server authorization check callback. */
  GRPC_TLS_SKIP_HOSTNAME_VERIFICATION,
-  /** Skips both server certificate and hostname verification */
+  /** Skips both server certificate and hostname verification.
+     Client is responsible for verifying server's identity and
+     server's certificate via server authorization check callback. */
  GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION
 } grpc_tls_server_verification_option;

--- a/src/core/lib/security/security_connector/ssl_utils.cc
+++ b/src/core/lib/security/security_connector/ssl_utils.cc
@ -108,20 +108,6 @@ grpc_get_tsi_client_certificate_request_type(
  }
 }

-tsi_server_verification_option grpc_get_tsi_server_verification_option(
-    grpc_tls_server_verification_option server_verification_option) {
-  switch (server_verification_option) {
-    case GRPC_TLS_SERVER_VERIFICATION:
-      return TSI_SERVER_VERIFICATION;
-    case GRPC_TLS_SKIP_HOSTNAME_VERIFICATION:
-      return TSI_SKIP_HOSTNAME_VERIFICATION;
-    case GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION:
-      return TSI_SKIP_ALL_SERVER_VERIFICATION;
-    default:
-      return TSI_SERVER_VERIFICATION;
-  }
-}
-
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
 #if TSI_OPENSSL_ALPN_SUPPORT
  /* Check the ALPN if ALPN is supported. */
@ -306,7 +292,7 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {

 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
-    tsi_server_verification_option server_verification_option,
+    bool skip_server_certificate_verification,
    tsi_ssl_session_cache* ssl_session_cache,
    tsi_ssl_client_handshaker_factory** handshaker_factory) {
  const char* root_certs;
@ -337,7 +323,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
  }
  options.cipher_suites = grpc_get_ssl_cipher_suites();
  options.session_cache = ssl_session_cache;
-  options.server_verification_option = server_verification_option;
+  options.skip_server_certificate_verification =
+      skip_server_certificate_verification;
  const tsi_result result =
      tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                            handshaker_factory);
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
@ -68,18 +68,13 @@ tsi_client_certificate_request_type
 grpc_get_tsi_client_certificate_request_type(
    grpc_ssl_client_certificate_request_type grpc_request_type);

-/* Map from grpc_tls_server_verification_option to
- * tsi_server_verification_option. */
-tsi_server_verification_option grpc_get_tsi_server_verification_option(
-    grpc_tls_server_verification_option server_verification_option);
-
 /* Return an array of strings containing alpn protocols. */
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);

 /* Initialize TSI SSL server/client handshaker factory. */
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
-    tsi_server_verification_option server_verification_option,
+    bool skip_server_certificate_verification,
    tsi_ssl_session_cache* ssl_session_cache,
    tsi_ssl_client_handshaker_factory** handshaker_factory);

--- a/src/core/lib/security/security_connector/tls/tls_security_connector.cc
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
@ -286,9 +286,9 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
    tsi_ssl_session_cache* ssl_session_cache) {
  const TlsCredentials* creds =
      static_cast<const TlsCredentials*>(channel_creds());
-  tsi_server_verification_option server_verification_option =
-      grpc_get_tsi_server_verification_option(
-          creds->options().server_verification_option());
+  bool skip_server_certificate_verification =
+      creds->options().server_verification_option() ==
+      GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION;
  /* Free the client handshaker factory if exists. */
  if (client_handshaker_factory_) {
    tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
@ -297,7 +297,7 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
      key_materials_config_->pem_key_cert_pair_list());
  grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
      pem_key_cert_pair, key_materials_config_->pem_root_certs(),
-      server_verification_option, ssl_session_cache,
+      skip_server_certificate_verification, ssl_session_cache,
      &client_handshaker_factory_);
  /* Free memory. */
  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@ -1765,7 +1765,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
    tsi_ssl_handshaker_factory_unref(&impl->base);
    return result;
  }
-  if (options->server_verification_option == TSI_SKIP_ALL_SERVER_VERIFICATION) {
+  if (options->skip_server_certificate_verification) {
    SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, NullVerifyCallback);
  } else {
    SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, nullptr);
--- a/src/core/tsi/ssl_transport_security.h
+++ b/src/core/tsi/ssl_transport_security.h
@ -148,8 +148,8 @@ struct tsi_ssl_client_handshaker_options {
  /* ssl_session_cache is a cache for reusable client-side sessions. */
  tsi_ssl_session_cache* session_cache;

-  /* Server verification option */
-  tsi_server_verification_option server_verification_option;
+  /* skip server certificate verification. */
+  bool skip_server_certificate_verification;

  tsi_ssl_client_handshaker_options()
      : pem_key_cert_pair(nullptr),
@ -159,7 +159,7 @@ struct tsi_ssl_client_handshaker_options {
        alpn_protocols(nullptr),
        num_alpn_protocols(0),
        session_cache(nullptr),
-        server_verification_option(TSI_SERVER_VERIFICATION) {}
+        skip_server_certificate_verification(false) {}
 };

 /* Creates a client handshaker factory.
--- a/src/core/tsi/transport_security_interface.h
+++ b/src/core/tsi/transport_security_interface.h
@ -55,17 +55,6 @@ typedef enum {
  TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY,
 } tsi_client_certificate_request_type;

-typedef enum {
-  /** Default option: performs server certificate verification and hostname
-     verification */
-  TSI_SERVER_VERIFICATION,
-  /** Performs server certificate verification, but skips hostname verification
-   */
-  TSI_SKIP_HOSTNAME_VERIFICATION,
-  /** Skips both server certificate and hostname verification */
-  TSI_SKIP_ALL_SERVER_VERIFICATION,
-} tsi_server_verification_option;
-
 const char* tsi_result_to_string(tsi_result result);

 /* --- tsi tracing --- */