Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Implement Zhen's changes.

Browse Source
pull/22168/head
Matthew Stevenson 5 years ago
parent 786e6c3ed3
commit 08cd000364
2 changed files with 18 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 25
      src/core/lib/security/security_connector/tls/tls_security_connector.cc
  2. 8
      src/core/lib/security/security_connector/tls/tls_security_connector.h

25
src/core/lib/security/security_connector/tls/tls_security_connector.cc
Unescape View File

@ -65,24 +65,27 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
grpc_status_code TlsFetchKeyMaterials(
const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
key_materials_config,
const grpc_tls_credentials_options& options, bool server_config,
grpc_ssl_certificate_config_reload_status* reload_status) {
const grpc_tls_credentials_options& options, bool is_server,
grpc_ssl_certificate_config_reload_status* status) {
/** Verify that either |key_materials_config| is populated or |options| has a
* credential reload config. **/
GPR_ASSERT(key_materials_config != nullptr);
GPR_ASSERT(reload_status != nullptr);
GPR_ASSERT(status != nullptr);
bool is_key_materials_empty =
key_materials_config->pem_key_cert_pair_list().empty();
grpc_tls_credential_reload_config* credential_reload_config =
options.credential_reload_config();
/** If there are no key materials and no credential reload config and the
* caller is a server, then return an error. We do not require that a client
* always provision certificates. **/
if (credential_reload_config == nullptr && is_key_materials_empty &&
server_config) {
is_server) {
gpr_log(GPR_ERROR,
"Either credential reload config or key materials should be "
"provisioned.");
return GRPC_STATUS_FAILED_PRECONDITION;
}
grpc_status_code status = GRPC_STATUS_OK;
grpc_status_code reload_status = GRPC_STATUS_OK;
/** Use |credential_reload_config| to update |key_materials_config|. **/
if (credential_reload_config != nullptr) {
grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
@ -92,13 +95,12 @@ grpc_status_code TlsFetchKeyMaterials(
/** Credential reloading is performed async. This is not yet supported.
* **/
gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
*reload_status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
status =
*status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
reload_status =
is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
} else {
/** Credential reloading is performed sync. **/
GPR_ASSERT(reload_status != nullptr);
*reload_status = arg->status;
*status = arg->status;
if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
/* Key materials is not empty. */
gpr_log(GPR_DEBUG, "Credential does not change after reload.");
@ -107,7 +109,8 @@ grpc_status_code TlsFetchKeyMaterials(
if (arg->error_details != nullptr) {
gpr_log(GPR_ERROR, "%s", arg->error_details);
}
status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
reload_status =
is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
}
}
gpr_free((void*)arg->error_details);
@ -120,7 +123,7 @@ grpc_status_code TlsFetchKeyMaterials(
}
delete arg;
}
return status;
return reload_status;
}
grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {

8
src/core/lib/security/security_connector/tls/tls_security_connector.h
Unescape View File

@ -151,7 +151,7 @@ class TlsServerSecurityConnector final : public grpc_server_security_connector {
* - if |options| is equipped with a credential reload config, then this
* methods uses credential reloading to populate |key_materials_config|, and
* afterwards it populates |reload_status| with the status of this operation.
* particular, any data stored in |key_materials_config| is overwritten.
* In particular, any data stored in |key_materials_config| is overwritten.
* - if |options| has no credential reload config, then:
* - if |key_materials_config| already has a non-empty pem-key-cert pair
* list or is called by a client, then the method returns |GRPC_STATUS_OK|.
@ -163,14 +163,14 @@ class TlsServerSecurityConnector final : public grpc_server_security_connector {
* method on success; the caller should not pass in nullptr.
* - options: the TLS credentials options whose credential reloading config
* will be used to populate |key_materials_config|.
* - server_config: true denotes that this method is called by a server, and
* - is_server: true denotes that this method is called by a server, and
* false denotes that this method is called by a client.
* - reload_status: the status of the credential reloading after the method
* - status: the status of the credential reloading after the method
* returns; the caller should not pass in nullptr. **/
grpc_status_code TlsFetchKeyMaterials(
const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
key_materials_config,
const grpc_tls_credentials_options& options, bool server_config,
const grpc_tls_credentials_options& options, bool is_server,
grpc_ssl_certificate_config_reload_status* status);
// TlsCheckHostName checks if |peer_name| matches the identity information

Write Preview
Loading…
Cancel
Save