Fix client_ssl_test and server_ssl_test when built against OpenSSL 1.0.2. (#25865)

* Add Python mTLS greeter example (#40) * Revert "Add Python mTLS greeter example (#40)" This reverts commit 383c247775. * Postpone EVP_cleanup until after last server_ssl_test run completes. * Fix readahead_hs_server_ssl * Clang fixes and client side initialization fix. * Comment out EVP_cleanup on client side. * remove TLS 1.3 ciphers' * change to using server0 credentials * log what TLS method is used' * check compatibility of private key and cert * Try allowing server to use all ciphers. * Add logging for test server. * Fix private key check logging. * add include for tracing * define tsi_tracing_enabled flag * rename tsi_tracing_enabled flag * try printing bytes to send to peer * Add automatic curve selection * Remove logging from SSL transport security * Add back TLS 1.3 ciphersuites. Co-authored-by: Ryan Kim <Ryanfsdf@users.noreply.github.com>
4 years ago · 57dd2eb02e
parent c46dd9ca9d
commit 57dd2eb02e
5 changed files with 80 additions and 4 deletions
--- a/test/core/handshake/client_ssl.cc
+++ b/test/core/handshake/client_ssl.cc
@ -38,6 +38,8 @@
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>

+#include "src/core/lib/debug/trace.h"
+#include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/gprpp/thd.h"
 #include "src/core/lib/iomgr/load_file.h"
 #include "test/core/util/port.h"
@ -47,10 +49,34 @@
 #define SSL_KEY_PATH "src/core/tsi/test_creds/server1.key"
 #define SSL_CA_PATH "src/core/tsi/test_creds/ca.pem"

+grpc_core::TraceFlag client_ssl_tsi_tracing_enabled(false, "tsi");
+
+class SslLibraryInfo {
+ public:
+  SslLibraryInfo() {}
+
+  void Notify() {
+    grpc_core::MutexLock lock(&mu_);
+    ready_ = true;
+    cv_.Signal();
+  }
+
+  void Await() {
+    grpc_core::MutexLock lock(&mu_);
+    grpc_core::WaitUntil(&cv_, &mu_, [this] { return ready_; });
+  }
+
+ private:
+  grpc_core::Mutex mu_;
+  grpc_core::CondVar cv_;
+  bool ready_ = false;
+};
+
 // Arguments for TLS server thread.
 typedef struct {
  int socket;
  char* alpn_preferred;
+  SslLibraryInfo* ssl_library_info;
 } server_args;

 // Based on https://wiki.openssl.org/index.php/Simple_TLS_Server.
@ -135,6 +161,28 @@ static int alpn_select_cb(SSL* /*ssl*/, const uint8_t** out, uint8_t* out_len,
  return SSL_TLSEXT_ERR_OK;
 }

+static void ssl_log_where_info(const SSL* ssl, int where, int flag,
+                               const char* msg) {
+  if ((where & flag) &&
+      GRPC_TRACE_FLAG_ENABLED(client_ssl_tsi_tracing_enabled)) {
+    gpr_log(GPR_INFO, "%20.20s - %30.30s  - %5.10s", msg,
+            SSL_state_string_long(ssl), SSL_state_string(ssl));
+  }
+}
+
+static void ssl_server_info_callback(const SSL* ssl, int where, int ret) {
+  if (ret == 0) {
+    gpr_log(GPR_ERROR, "ssl_server_info_callback: error occurred.\n");
+    return;
+  }
+
+  ssl_log_where_info(ssl, where, SSL_CB_LOOP, "Server: LOOP");
+  ssl_log_where_info(ssl, where, SSL_CB_HANDSHAKE_START,
+                     "Server: HANDSHAKE START");
+  ssl_log_where_info(ssl, where, SSL_CB_HANDSHAKE_DONE,
+                     "Server: HANDSHAKE DONE");
+}
+
 // Minimal TLS server. This is largely based on the example at
 // https://wiki.openssl.org/index.php/Simple_TLS_Server and the gRPC core
 // internals in src/core/tsi/ssl_transport_security.c.
@ -143,6 +191,7 @@ static void server_thread(void* arg) {

  SSL_load_error_strings();
  OpenSSL_add_ssl_algorithms();
+  args->ssl_library_info->Notify();

  const SSL_METHOD* method = TLSv1_2_server_method();
  SSL_CTX* ctx = SSL_CTX_new(method);
@ -154,16 +203,23 @@ static void server_thread(void* arg) {

  // Load key pair.
  if (SSL_CTX_use_certificate_file(ctx, SSL_CERT_PATH, SSL_FILETYPE_PEM) < 0) {
+    perror("Unable to use certificate file.");
    ERR_print_errors_fp(stderr);
    abort();
  }
  if (SSL_CTX_use_PrivateKey_file(ctx, SSL_KEY_PATH, SSL_FILETYPE_PEM) < 0) {
+    perror("Unable to use private key file.");
+    ERR_print_errors_fp(stderr);
+    abort();
+  }
+  if (SSL_CTX_check_private_key(ctx) != 1) {
+    perror("Check private key failed.");
    ERR_print_errors_fp(stderr);
    abort();
  }

  // Set the cipher list to match the one expressed in
-  // src/core/tsi/ssl_transport_security.c.
+  // src/core/tsi/ssl_transport_security.cc.
  const char* cipher_list =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-"
      "SHA384:ECDHE-RSA-AES256-GCM-SHA384";
@ -173,6 +229,14 @@ static void server_thread(void* arg) {
    abort();
  }

+  // Enable automatic curve selection. This is a NO-OP when using OpenSSL
+  // versions > 1.0.2.
+  if (!SSL_CTX_set_ecdh_auto(ctx, /*onoff=*/1)) {
+    ERR_print_errors_fp(stderr);
+    gpr_log(GPR_ERROR, "Couldn't set automatic curve selection.");
+    abort();
+  }
+
  // Register the ALPN selection callback.
  SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, args->alpn_preferred);

@ -190,6 +254,7 @@ static void server_thread(void* arg) {

  // Establish a SSL* and accept at SSL layer.
  SSL* ssl = SSL_new(ctx);
+  SSL_set_info_callback(ssl, ssl_server_info_callback);
  GPR_ASSERT(ssl);
  SSL_set_fd(ssl, client);
  if (SSL_accept(ssl) <= 0) {
@ -212,7 +277,6 @@ static void server_thread(void* arg) {
  close(client);
  close(sock);
  SSL_CTX_free(ctx);
-  EVP_cleanup();
 }

 // This test launches a minimal TLS server on a separate thread and then
@ -238,11 +302,13 @@ static bool client_ssl_test(char* server_alpn_preferred) {
  GPR_ASSERT(server_socket > 0 && port > 0);

  // Launch the TLS server thread.
-  server_args args = {server_socket, server_alpn_preferred};
+  SslLibraryInfo ssl_library_info;
+  server_args args = {server_socket, server_alpn_preferred, &ssl_library_info};
  bool ok;
  grpc_core::Thread thd("grpc_client_ssl_test", server_thread, &args, &ok);
  GPR_ASSERT(ok);
  thd.Start();
+  ssl_library_info.Await();

  // Load key pair and establish client SSL credentials.
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair;
@ -326,6 +392,8 @@ int main(int argc, char* argv[]) {
  // preference. This validates the client is correctly validating ALPN returns
  // and sanity checks the client_ssl_test.
  GPR_ASSERT(!client_ssl_test(const_cast<char*>("foo")));
+  // Clean up the SSL libraries.
+  EVP_cleanup();
  return 0;
 }

--- a/test/core/handshake/readahead_handshaker_server_ssl.cc
+++ b/test/core/handshake/readahead_handshaker_server_ssl.cc
@ -83,6 +83,7 @@ int main(int /*argc*/, char* /*argv*/[]) {
      absl::make_unique<grpc_core::ReadAheadHandshakerFactory>());
  const char* full_alpn_list[] = {"grpc-exp", "h2"};
  GPR_ASSERT(server_ssl_test(full_alpn_list, 2, "grpc-exp"));
+  CleanupSslLibrary();
  grpc_shutdown();
  return 0;
 }
--- a/test/core/handshake/server_ssl.cc
+++ b/test/core/handshake/server_ssl.cc
@ -54,5 +54,6 @@ int main(int argc, char* argv[]) {
  // and sanity checks the server_ssl_test.
  const char* fake_alpn_list[] = {"foo"};
  GPR_ASSERT(!server_ssl_test(fake_alpn_list, 1, "foo"));
+  CleanupSslLibrary();
  return 0;
 }
--- a/test/core/handshake/server_ssl_common.cc
+++ b/test/core/handshake/server_ssl_common.cc
@ -269,7 +269,6 @@ bool server_ssl_test(const char* alpn_list[], unsigned int alpn_list_len,
  SSL_free(ssl);
  gpr_free(alpn_protos);
  SSL_CTX_free(ctx);
-  EVP_cleanup();
  close(sock);

  thd.Join();
@ -278,3 +277,5 @@ bool server_ssl_test(const char* alpn_list[], unsigned int alpn_list_len,

  return success;
 }
+
+void CleanupSslLibrary() { EVP_cleanup(); }
--- a/test/core/handshake/server_ssl_common.h
+++ b/test/core/handshake/server_ssl_common.h
@ -33,4 +33,9 @@
 bool server_ssl_test(const char* alpn_list[], unsigned int alpn_list_len,
                     const char* alpn_expected);

+/** Cleans up the SSL library. To be called after the last call to
+ *  server_ssl_test returns. This is a NO-OP when gRPC is built against OpenSSL
+ *  versions > 1.0.2. */
+void CleanupSslLibrary();
+
 #endif  // GRPC_SERVER_SSL_COMMON_H