Chiebot-Mirror
/
grpc
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Softfail when receiving a X509_V_ERR_UNABLE_TO_GET_CRL error (#29124)

Browse Source
reviewable/pr29296/r1
krestofur 3 years ago committed by GitHub
parent 4d40184bb2
commit 2d34ccff42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      src/core/tsi/ssl_transport_security.cc
  2. 38
      test/core/tsi/crl_ssl_transport_security_test.cc

8
src/core/tsi/ssl_transport_security.cc
Unescape View File

@ -1939,8 +1939,16 @@ static void ssl_keylogging_callback(const SSL* ssl, const char* info) {
factory->key_logger->LogSessionKeys(ssl_context, info); factory->key_logger->LogSessionKeys(ssl_context, info);
} }
// This callback is invoked when the CRL has been verified and will soft-fail
// errors in verification depending on certain error types.
static int verify_cb(int ok, X509_STORE_CTX* ctx) { static int verify_cb(int ok, X509_STORE_CTX* ctx) {
int cert_error = X509_STORE_CTX_get_error(ctx); int cert_error = X509_STORE_CTX_get_error(ctx);
if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
gpr_log(
GPR_INFO,
"Certificate verification failed to get CRL files. Ignoring error.");
return 1;
}
if (cert_error != 0) { if (cert_error != 0) {
gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error); gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error);
} }

38
test/core/tsi/crl_ssl_transport_security_test.cc
Unescape View File

@ -43,6 +43,7 @@ const int kSslTsiTestRevokedKeyCertPairsNum = 1;
const int kSslTsiTestValidKeyCertPairsNum = 1; const int kSslTsiTestValidKeyCertPairsNum = 1;
const char* kSslTsiTestCrlSupportedCredentialsDir = const char* kSslTsiTestCrlSupportedCredentialsDir =
"test/core/tsi/test_creds/crl_data/"; "test/core/tsi/test_creds/crl_data/";
const char* kSslTsiTestFaultyCrlsDir = "bad_path/";
class CrlSslTransportSecurityTest class CrlSslTransportSecurityTest
: public testing::TestWithParam<tsi_tls_version> { : public testing::TestWithParam<tsi_tls_version> {
@ -50,10 +51,14 @@ class CrlSslTransportSecurityTest
// A tsi_test_fixture implementation. // A tsi_test_fixture implementation.
class SslTsiTestFixture { class SslTsiTestFixture {
public: public:
// When use_faulty_crl_directory is set, the crl_directory of the
// client is set to a non-existant path.
static SslTsiTestFixture* Create(bool use_revoked_server_cert, static SslTsiTestFixture* Create(bool use_revoked_server_cert,
bool use_revoked_client_cert) { bool use_revoked_client_cert,
bool use_faulty_crl_directory) {
return new SslTsiTestFixture(use_revoked_server_cert, return new SslTsiTestFixture(use_revoked_server_cert,
use_revoked_client_cert); use_revoked_client_cert,
use_faulty_crl_directory);
} }
void Run() { void Run() {
@ -63,9 +68,11 @@ class CrlSslTransportSecurityTest
private: private:
SslTsiTestFixture(bool use_revoked_server_cert, SslTsiTestFixture(bool use_revoked_server_cert,
bool use_revoked_client_cert) bool use_revoked_client_cert,
bool use_faulty_crl_directory)
: use_revoked_server_cert_(use_revoked_server_cert), : use_revoked_server_cert_(use_revoked_server_cert),
use_revoked_client_cert_(use_revoked_client_cert) { use_revoked_client_cert_(use_revoked_client_cert),
use_faulty_crl_directory_(use_faulty_crl_directory) {
tsi_test_fixture_init(&base_); tsi_test_fixture_init(&base_);
base_.test_unused_bytes = true; base_.test_unused_bytes = true;
base_.vtable = &kVtable; base_.vtable = &kVtable;
@ -120,7 +127,11 @@ class CrlSslTransportSecurityTest
} else { } else {
client_options.pem_key_cert_pair = valid_pem_key_cert_pairs_; client_options.pem_key_cert_pair = valid_pem_key_cert_pairs_;
} }
client_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir; if (use_faulty_crl_directory_) {
client_options.crl_directory = kSslTsiTestFaultyCrlsDir;
} else {
client_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir;
}
client_options.root_store = root_store_; client_options.root_store = root_store_;
client_options.min_tls_version = GetParam(); client_options.min_tls_version = GetParam();
client_options.max_tls_version = GetParam(); client_options.max_tls_version = GetParam();
@ -228,6 +239,7 @@ class CrlSslTransportSecurityTest
tsi_test_fixture base_; tsi_test_fixture base_;
bool use_revoked_server_cert_; bool use_revoked_server_cert_;
bool use_revoked_client_cert_; bool use_revoked_client_cert_;
bool use_faulty_crl_directory_;
char* root_cert_; char* root_cert_;
tsi_ssl_root_certs_store* root_store_; tsi_ssl_root_certs_store* root_store_;
tsi_ssl_pem_key_cert_pair* revoked_pem_key_cert_pairs_; tsi_ssl_pem_key_cert_pair* revoked_pem_key_cert_pairs_;
@ -245,19 +257,29 @@ struct tsi_test_fixture_vtable
TEST_P(CrlSslTransportSecurityTest, RevokedServerCert) { TEST_P(CrlSslTransportSecurityTest, RevokedServerCert) {
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/true, auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/true,
/*use_revoked_client_cert=*/false); /*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/false);
fixture->Run(); fixture->Run();
} }
TEST_P(CrlSslTransportSecurityTest, RevokedClientCert) { TEST_P(CrlSslTransportSecurityTest, RevokedClientCert) {
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false, auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/true); /*use_revoked_client_cert=*/true,
/*use_faulty_crl_directory=*/false);
fixture->Run(); fixture->Run();
} }
TEST_P(CrlSslTransportSecurityTest, ValidCerts) { TEST_P(CrlSslTransportSecurityTest, ValidCerts) {
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false, auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/false); /*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/false);
fixture->Run();
}
TEST_P(CrlSslTransportSecurityTest, UseFaultyCrlDirectory) {
auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
/*use_revoked_client_cert=*/false,
/*use_faulty_crl_directory=*/true);
fixture->Run(); fixture->Run();
} }

Write Preview
Loading…
Cancel
Save