Fix ssl_transport_security_test.cc when built against OpenSSL 1.0.2. (#25843)

* Add Python mTLS greeter example (#40) * Revert "Add Python mTLS greeter example (#40)" This reverts commit 383c247775. * Fix ssl_transport_security_test.cc when built against OpenSSL 1.0.2. * Fix TSAN flake. Co-authored-by: Ryan Kim <Ryanfsdf@users.noreply.github.com>
4 years ago · 2b0f8b6313
parent 9964ae875b
commit 2b0f8b6313
2 changed files with 30 additions and 13 deletions
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@ -1911,14 +1911,16 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
 #else
  ssl_context = SSL_CTX_new(TLSv1_2_method());
 #endif
-  result = tsi_set_min_and_max_tls_versions(
-      ssl_context, options->min_tls_version, options->max_tls_version);
-  if (result != TSI_OK) return result;
  if (ssl_context == nullptr) {
+    log_ssl_error_stack();
    gpr_log(GPR_ERROR, "Could not create ssl context.");
    return TSI_INVALID_ARGUMENT;
  }

+  result = tsi_set_min_and_max_tls_versions(
+      ssl_context, options->min_tls_version, options->max_tls_version);
+  if (result != TSI_OK) return result;
+
  impl = static_cast<tsi_ssl_client_handshaker_factory*>(
      gpr_zalloc(sizeof(*impl)));
  tsi_ssl_handshaker_factory_init(&impl->base);
@ -2078,15 +2080,18 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
 #else
      impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
 #endif
-      result = tsi_set_min_and_max_tls_versions(impl->ssl_contexts[i],
-                                                options->min_tls_version,
-                                                options->max_tls_version);
-      if (result != TSI_OK) return result;
      if (impl->ssl_contexts[i] == nullptr) {
+        log_ssl_error_stack();
        gpr_log(GPR_ERROR, "Could not create ssl context.");
        result = TSI_OUT_OF_RESOURCES;
        break;
      }
+
+      result = tsi_set_min_and_max_tls_versions(impl->ssl_contexts[i],
+                                                options->min_tls_version,
+                                                options->max_tls_version);
+      if (result != TSI_OK) return result;
+
      result = populate_ssl_context(impl->ssl_contexts[i],
                                    &options->pem_key_cert_pairs[i],
                                    options->cipher_suites);
--- a/test/core/tsi/ssl_transport_security_test.cc
+++ b/test/core/tsi/ssl_transport_security_test.cc
@ -329,12 +329,20 @@ static void ssl_test_check_handshaker_peers(tsi_test_fixture* fixture) {
  // and send an alert to the client as the first application data message. In
  // TLS 1.2, the client-side handshake will fail if the client sends a bad
  // certificate.
+  //
+  // For OpenSSL versions < 1.1, TLS 1.3 is not supported, so the client-side
+  // handshake should succeed precisely when the server-side handshake
+  // succeeds.
  bool expect_server_success =
      !(key_cert_lib->use_bad_server_cert ||
        (key_cert_lib->use_bad_client_cert && ssl_fixture->force_client_auth));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
  bool expect_client_success = test_tls_version == tsi_tls_version::TSI_TLS1_2
                                   ? expect_server_success
                                   : !key_cert_lib->use_bad_server_cert;
+#else
+  bool expect_client_success = expect_server_success;
+#endif
  if (expect_client_success) {
    GPR_ASSERT(tsi_handshaker_result_extract_peer(
                   ssl_fixture->base.client_result, &peer) == TSI_OK);
@ -693,7 +701,7 @@ static bool is_slow_build() {
 #if defined(GPR_ARCH_32) || defined(__APPLE__)
  return true;
 #else
-  return BuiltUnderMsan();
+  return BuiltUnderMsan() || BuiltUnderTsan();
 #endif
 }

@ -701,11 +709,11 @@ void ssl_tsi_test_do_round_trip_odd_buffer_size() {
  gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_odd_buffer_size");
  const size_t odd_sizes[] = {1025, 2051, 4103, 8207, 16409};
  size_t size = sizeof(odd_sizes) / sizeof(size_t);
-  // 1. avoid test being extremely slow under MSAN
-  // 2. on 32-bit, the test is much slower (probably due to lack of boringssl
-  // asm optimizations) so we only run a subset of tests to avoid timeout
-  // 3. on Mac OS, we have slower testing machines so we only run a subset
-  // of tests to avoid timeout
+  // 1. This test is extremely slow under MSAN and TSAN.
+  // 2. On 32-bit, the test is much slower (probably due to lack of boringssl
+  // asm optimizations) so we only run a subset of tests to avoid timeout.
+  // 3. On Mac OS, we have slower testing machines so we only run a subset
+  // of tests to avoid timeout.
  if (is_slow_build()) {
    size = 1;
  }
@ -956,7 +964,11 @@ void ssl_tsi_test_extract_cert_chain() {
    X509_INFO* certInfo = sk_X509_INFO_value(certInfos, i);
    if (certInfo->x509 != nullptr) {
      GPR_ASSERT(sk_X509_push(cert_chain, certInfo->x509) != 0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
      X509_up_ref(certInfo->x509);
+#else
+      certInfo->x509->references += 1;
+#endif
    }
  }
  tsi_peer_property chain_property;