|
|
|
|
@ -915,38 +915,25 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
// |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version| APIs
|
|
|
|
|
// only exist in this version range.
|
|
|
|
|
switch (min_tls_version) { |
|
|
|
|
case tsi_tls_version::TSI_TLS1_2: |
|
|
|
|
SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
|
// If the library does not support TLS 1.3, and the caller requested a minimum
|
|
|
|
|
// of TLS 1.3, return an error. The caller's request cannot be satisfied.
|
|
|
|
|
#if defined(TLS1_3_VERSION) |
|
|
|
|
case tsi_tls_version::TSI_TLS1_3: |
|
|
|
|
SSL_CTX_set_min_proto_version(ssl_context, TLS1_3_VERSION); |
|
|
|
|
break; |
|
|
|
|
#endif |
|
|
|
|
default: |
|
|
|
|
gpr_log(GPR_INFO, "TLS version is not supported."); |
|
|
|
|
return TSI_FAILED_PRECONDITION; |
|
|
|
|
witch(min_tls_version) {} |
|
|
|
|
|
|
|
|
|
SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
// Set the max TLS version of the SSL context.
|
|
|
|
|
switch (max_tls_version) { |
|
|
|
|
case tsi_tls_version::TSI_TLS1_2: |
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
|
case tsi_tls_version::TSI_TLS1_3: |
|
|
|
|
#if defined(TLS1_3_VERSION) |
|
|
|
|
case tsi_tls_version::TSI_TLS1_3: |
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_3_VERSION); |
|
|
|
|
#else |
|
|
|
|
// The library doesn't support TLS 1.3, so set a maximum of
|
|
|
|
|
// TLS 1.2 instead.
|
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
#endif |
|
|
|
|
break; |
|
|
|
|
#endif |
|
|
|
|
default: |
|
|
|
|
gpr_log(GPR_INFO, "TLS version is not supported."); |
|
|
|
|
return TSI_FAILED_PRECONDITION; |
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
#endif |
|
|
|
|
return TSI_OK; |
|
|
|
|
@ -960,8 +947,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
gpr_log(GPR_ERROR, "The root certificates are empty."); |
|
|
|
|
return nullptr; |
|
|
|
|
} |
|
|
|
|
tsi_ssl_root_certs_store* root_store = |
|
|
|
|
static_cast<tsi_ssl_root_certs_store*>( |
|
|
|
|
tsi_ssl_root_certs_store* root_store = static_cast<tsi_ssl_root_certs_store*>( |
|
|
|
|
gpr_zalloc(sizeof(tsi_ssl_root_certs_store))); |
|
|
|
|
if (root_store == nullptr) { |
|
|
|
|
gpr_log(GPR_ERROR, "Could not allocate buffer for ssl_root_certs_store."); |
|
|
|
|
@ -1009,9 +995,10 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
|
|
|
|
|
/* --- tsi_frame_protector methods implementation. ---*/ |
|
|
|
|
|
|
|
|
|
static tsi_result ssl_protector_protect( |
|
|
|
|
tsi_frame_protector * self, const unsigned char* unprotected_bytes, |
|
|
|
|
size_t* unprotected_bytes_size, unsigned char* protected_output_frames, |
|
|
|
|
static tsi_result ssl_protector_protect(tsi_frame_protector* self, |
|
|
|
|
const unsigned char* unprotected_bytes, |
|
|
|
|
size_t* unprotected_bytes_size, |
|
|
|
|
unsigned char* protected_output_frames, |
|
|
|
|
size_t* protected_output_frames_size) { |
|
|
|
|
tsi_ssl_frame_protector* impl = |
|
|
|
|
reinterpret_cast<tsi_ssl_frame_protector*>(self); |
|
|
|
|
@ -1123,8 +1110,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
|
|
|
|
|
/* Then, try to write some data to ssl. */ |
|
|
|
|
GPR_ASSERT(*protected_frames_bytes_size <= INT_MAX); |
|
|
|
|
written_into_ssl = |
|
|
|
|
BIO_write(impl->network_io, protected_frames_bytes, |
|
|
|
|
written_into_ssl = BIO_write(impl->network_io, protected_frames_bytes, |
|
|
|
|
static_cast<int>(*protected_frames_bytes_size)); |
|
|
|
|
if (written_into_ssl < 0) { |
|
|
|
|
gpr_log(GPR_ERROR, "Sending protected frame to ssl failed with %d", |
|
|
|
|
@ -1160,8 +1146,8 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
|
|
|
|
|
/* --- tsi_server_handshaker_factory methods implementation. --- */ |
|
|
|
|
|
|
|
|
|
static void tsi_ssl_handshaker_factory_destroy(tsi_ssl_handshaker_factory * |
|
|
|
|
factory) { |
|
|
|
|
static void tsi_ssl_handshaker_factory_destroy( |
|
|
|
|
tsi_ssl_handshaker_factory* factory) { |
|
|
|
|
if (factory == nullptr) return; |
|
|
|
|
|
|
|
|
|
if (factory->vtable != nullptr && factory->vtable->destroy != nullptr) { |
|
|
|
|
@ -1179,8 +1165,8 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
return factory; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static void tsi_ssl_handshaker_factory_unref(tsi_ssl_handshaker_factory * |
|
|
|
|
factory) { |
|
|
|
|
static void tsi_ssl_handshaker_factory_unref( |
|
|
|
|
tsi_ssl_handshaker_factory* factory) { |
|
|
|
|
if (factory == nullptr) return; |
|
|
|
|
|
|
|
|
|
if (gpr_unref(&factory->refcount)) { |
|
|
|
|
@ -1188,13 +1174,12 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static tsi_ssl_handshaker_factory_vtable handshaker_factory_vtable = { |
|
|
|
|
nullptr}; |
|
|
|
|
static tsi_ssl_handshaker_factory_vtable handshaker_factory_vtable = {nullptr}; |
|
|
|
|
|
|
|
|
|
/* Initializes a tsi_ssl_handshaker_factory object. Caller is responsible for
|
|
|
|
|
* allocating memory for the factory. */ |
|
|
|
|
static void tsi_ssl_handshaker_factory_init(tsi_ssl_handshaker_factory * |
|
|
|
|
factory) { |
|
|
|
|
static void tsi_ssl_handshaker_factory_init( |
|
|
|
|
tsi_ssl_handshaker_factory* factory) { |
|
|
|
|
GPR_ASSERT(factory != nullptr); |
|
|
|
|
|
|
|
|
|
factory->vtable = &handshaker_factory_vtable; |
|
|
|
|
@ -1284,8 +1269,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
if (result != TSI_OK) return result; |
|
|
|
|
peer->property_count++; |
|
|
|
|
|
|
|
|
|
const char* session_reused = |
|
|
|
|
SSL_session_reused(impl->ssl) ? "true" : "false"; |
|
|
|
|
const char* session_reused = SSL_session_reused(impl->ssl) ? "true" : "false"; |
|
|
|
|
result = tsi_construct_string_peer_property_from_cstring( |
|
|
|
|
TSI_SSL_SESSION_REUSED_PEER_PROPERTY, session_reused, |
|
|
|
|
&peer->properties[peer->property_count]); |
|
|
|
|
@ -1295,8 +1279,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static tsi_result ssl_handshaker_result_create_frame_protector( |
|
|
|
|
const tsi_handshaker_result* self, |
|
|
|
|
size_t* max_output_protected_frame_size, |
|
|
|
|
const tsi_handshaker_result* self, size_t* max_output_protected_frame_size, |
|
|
|
|
tsi_frame_protector** protector) { |
|
|
|
|
size_t actual_max_output_protected_frame_size = |
|
|
|
|
TSI_SSL_MAX_PROTECTED_FRAME_SIZE_UPPER_BOUND; |
|
|
|
|
@ -1319,8 +1302,8 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
actual_max_output_protected_frame_size = *max_output_protected_frame_size; |
|
|
|
|
} |
|
|
|
|
protector_impl->buffer_size = actual_max_output_protected_frame_size - |
|
|
|
|
TSI_SSL_MAX_PROTECTION_OVERHEAD; |
|
|
|
|
protector_impl->buffer_size = |
|
|
|
|
actual_max_output_protected_frame_size - TSI_SSL_MAX_PROTECTION_OVERHEAD; |
|
|
|
|
protector_impl->buffer = |
|
|
|
|
static_cast<unsigned char*>(gpr_malloc(protector_impl->buffer_size)); |
|
|
|
|
if (protector_impl->buffer == nullptr) { |
|
|
|
|
@ -1423,8 +1406,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static tsi_result ssl_handshaker_process_bytes_from_peer( |
|
|
|
|
tsi_ssl_handshaker * impl, const unsigned char* bytes, |
|
|
|
|
size_t* bytes_size) { |
|
|
|
|
tsi_ssl_handshaker* impl, const unsigned char* bytes, size_t* bytes_size) { |
|
|
|
|
int bytes_written_into_ssl_size = 0; |
|
|
|
|
if (bytes == nullptr || bytes_size == nullptr || *bytes_size > INT_MAX) { |
|
|
|
|
return TSI_INVALID_ARGUMENT; |
|
|
|
|
@ -1494,8 +1476,8 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
*bytes_remaining = static_cast<uint8_t*>(gpr_malloc(bytes_in_ssl)); |
|
|
|
|
int bytes_read = BIO_read(SSL_get_rbio(impl->ssl), *bytes_remaining, |
|
|
|
|
static_cast<int>(bytes_in_ssl)); |
|
|
|
|
// If an unexpected number of bytes were read, return an error status and
|
|
|
|
|
// free all of the bytes that were read.
|
|
|
|
|
// If an unexpected number of bytes were read, return an error status and free
|
|
|
|
|
// all of the bytes that were read.
|
|
|
|
|
if (bytes_read < 0 || static_cast<size_t>(bytes_read) != bytes_in_ssl) { |
|
|
|
|
gpr_log(GPR_ERROR, |
|
|
|
|
"Failed to read the expected number of bytes from SSL object."); |
|
|
|
|
@ -1548,9 +1530,9 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
*handshaker_result = nullptr; |
|
|
|
|
} else { |
|
|
|
|
// Any bytes that remain in |impl->ssl|'s read BIO after the handshake is
|
|
|
|
|
// complete must be extracted and set to the unused bytes of the
|
|
|
|
|
// handshaker result. This indicates to the gRPC stack that there are
|
|
|
|
|
// bytes from the peer that must be processed.
|
|
|
|
|
// complete must be extracted and set to the unused bytes of the handshaker
|
|
|
|
|
// result. This indicates to the gRPC stack that there are bytes from the
|
|
|
|
|
// peer that must be processed.
|
|
|
|
|
unsigned char* unused_bytes = nullptr; |
|
|
|
|
size_t unused_bytes_size = 0; |
|
|
|
|
status = ssl_bytes_remaining(impl, &unused_bytes, &unused_bytes_size); |
|
|
|
|
@ -1560,11 +1542,11 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
gpr_free(unused_bytes); |
|
|
|
|
return TSI_INTERNAL_ERROR; |
|
|
|
|
} |
|
|
|
|
status = ssl_handshaker_result_create( |
|
|
|
|
impl, unused_bytes, unused_bytes_size, handshaker_result); |
|
|
|
|
status = ssl_handshaker_result_create(impl, unused_bytes, unused_bytes_size, |
|
|
|
|
handshaker_result); |
|
|
|
|
if (status == TSI_OK) { |
|
|
|
|
/* Indicates that the handshake has completed and that a
|
|
|
|
|
* handshaker_result has been created. */ |
|
|
|
|
/* Indicates that the handshake has completed and that a handshaker_result
|
|
|
|
|
* has been created. */ |
|
|
|
|
self->handshaker_result_created = true; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
@ -1586,8 +1568,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
|
|
|
|
|
static void tsi_ssl_handshaker_resume_session( |
|
|
|
|
SSL* ssl, tsi::SslSessionLRUCache* session_cache) { |
|
|
|
|
const char* server_name = |
|
|
|
|
SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
|
|
|
|
const char* server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
|
|
|
|
if (server_name == nullptr) { |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
@ -1598,9 +1579,10 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static tsi_result create_tsi_ssl_handshaker( |
|
|
|
|
SSL_CTX * ctx, int is_client, const char* server_name_indication, |
|
|
|
|
tsi_ssl_handshaker_factory* factory, tsi_handshaker** handshaker) { |
|
|
|
|
static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client, |
|
|
|
|
const char* server_name_indication, |
|
|
|
|
tsi_ssl_handshaker_factory* factory, |
|
|
|
|
tsi_handshaker** handshaker) { |
|
|
|
|
SSL* ssl = SSL_new(ctx); |
|
|
|
|
BIO* network_io = nullptr; |
|
|
|
|
BIO* ssl_io = nullptr; |
|
|
|
|
@ -1642,8 +1624,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
ssl_result = SSL_do_handshake(ssl); |
|
|
|
|
ssl_result = SSL_get_error(ssl, ssl_result); |
|
|
|
|
if (ssl_result != SSL_ERROR_WANT_READ) { |
|
|
|
|
gpr_log( |
|
|
|
|
GPR_ERROR, |
|
|
|
|
gpr_log(GPR_ERROR, |
|
|
|
|
"Unexpected error received from first SSL_do_handshake call: %s", |
|
|
|
|
ssl_error_string(ssl_result)); |
|
|
|
|
SSL_free(ssl); |
|
|
|
|
@ -1660,18 +1641,20 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
impl->result = TSI_HANDSHAKE_IN_PROGRESS; |
|
|
|
|
impl->outgoing_bytes_buffer_size = |
|
|
|
|
TSI_SSL_HANDSHAKER_OUTGOING_BUFFER_INITIAL_SIZE; |
|
|
|
|
impl->outgoing_bytes_buffer = static_cast<unsigned char*>( |
|
|
|
|
gpr_zalloc(impl->outgoing_bytes_buffer_size)); |
|
|
|
|
impl->outgoing_bytes_buffer = |
|
|
|
|
static_cast<unsigned char*>(gpr_zalloc(impl->outgoing_bytes_buffer_size)); |
|
|
|
|
impl->base.vtable = &handshaker_vtable; |
|
|
|
|
impl->factory_ref = tsi_ssl_handshaker_factory_ref(factory); |
|
|
|
|
*handshaker = &impl->base; |
|
|
|
|
return TSI_OK; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static int select_protocol_list( |
|
|
|
|
const unsigned char** out, unsigned char* outlen, |
|
|
|
|
const unsigned char* client_list, size_t client_list_len, |
|
|
|
|
const unsigned char* server_list, size_t server_list_len) { |
|
|
|
|
static int select_protocol_list(const unsigned char** out, |
|
|
|
|
unsigned char* outlen, |
|
|
|
|
const unsigned char* client_list, |
|
|
|
|
size_t client_list_len, |
|
|
|
|
const unsigned char* server_list, |
|
|
|
|
size_t server_list_len) { |
|
|
|
|
const unsigned char* client_current = client_list; |
|
|
|
|
while (static_cast<unsigned int>(client_current - client_list) < |
|
|
|
|
client_list_len) { |
|
|
|
|
@ -1734,8 +1717,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
/* --- tsi_ssl_server_handshaker_factory methods implementation. --- */ |
|
|
|
|
|
|
|
|
|
tsi_result tsi_ssl_server_handshaker_factory_create_handshaker( |
|
|
|
|
tsi_ssl_server_handshaker_factory * factory, |
|
|
|
|
tsi_handshaker * *handshaker) { |
|
|
|
|
tsi_ssl_server_handshaker_factory* factory, tsi_handshaker** handshaker) { |
|
|
|
|
if (factory->ssl_context_count == 0) return TSI_INVALID_ARGUMENT; |
|
|
|
|
/* Create the handshaker with the first context. We will switch if needed
|
|
|
|
|
because of SNI in ssl_server_handshaker_factory_servername_callback. */ |
|
|
|
|
@ -1810,8 +1792,9 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
return !entry.empty() && absl::EqualsIgnoreCase(name_subdomain, entry); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static int ssl_server_handshaker_factory_servername_callback( |
|
|
|
|
SSL * ssl, int* /*ap*/, void* arg) { |
|
|
|
|
static int ssl_server_handshaker_factory_servername_callback(SSL* ssl, |
|
|
|
|
int* /*ap*/, |
|
|
|
|
void* arg) { |
|
|
|
|
tsi_ssl_server_handshaker_factory* impl = |
|
|
|
|
static_cast<tsi_ssl_server_handshaker_factory*>(arg); |
|
|
|
|
size_t i = 0; |
|
|
|
|
@ -1844,8 +1827,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
#endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
|
|
|
|
|
|
|
|
|
static int server_handshaker_factory_npn_advertised_callback( |
|
|
|
|
SSL* /*ssl*/, const unsigned char** out, unsigned int* outlen, |
|
|
|
|
void* arg) { |
|
|
|
|
SSL* /*ssl*/, const unsigned char** out, unsigned int* outlen, void* arg) { |
|
|
|
|
tsi_ssl_server_handshaker_factory* factory = |
|
|
|
|
static_cast<tsi_ssl_server_handshaker_factory*>(arg); |
|
|
|
|
*out = factory->alpn_protocol_list; |
|
|
|
|
@ -1869,8 +1851,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
void* arg = SSL_CTX_get_ex_data(ssl_context, g_ssl_ctx_ex_factory_index); |
|
|
|
|
tsi_ssl_client_handshaker_factory* factory = |
|
|
|
|
static_cast<tsi_ssl_client_handshaker_factory*>(arg); |
|
|
|
|
const char* server_name = |
|
|
|
|
SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
|
|
|
|
const char* server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
|
|
|
|
if (server_name == nullptr) { |
|
|
|
|
return 0; |
|
|
|
|
} |
|
|
|
|
@ -1955,11 +1936,10 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
SSL_CTX_set_cert_store(ssl_context, options->root_store->store); |
|
|
|
|
} |
|
|
|
|
#endif |
|
|
|
|
if (OPENSSL_VERSION_NUMBER < 0x10100000 || |
|
|
|
|
options->root_store == nullptr) { |
|
|
|
|
if (OPENSSL_VERSION_NUMBER < 0x10100000 || options->root_store == nullptr) { |
|
|
|
|
result = ssl_ctx_load_verification_certs( |
|
|
|
|
ssl_context, options->pem_root_certs, |
|
|
|
|
strlen(options->pem_root_certs), nullptr); |
|
|
|
|
ssl_context, options->pem_root_certs, strlen(options->pem_root_certs), |
|
|
|
|
nullptr); |
|
|
|
|
if (result != TSI_OK) { |
|
|
|
|
gpr_log(GPR_ERROR, "Cannot load server root certificates."); |
|
|
|
|
break; |
|
|
|
|
@ -2015,8 +1995,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
tsi_ssl_server_handshaker_factory** factory) { |
|
|
|
|
return tsi_create_ssl_server_handshaker_factory_ex( |
|
|
|
|
pem_key_cert_pairs, num_key_cert_pairs, pem_client_root_certs, |
|
|
|
|
force_client_auth |
|
|
|
|
? TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY |
|
|
|
|
force_client_auth ? TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY |
|
|
|
|
: TSI_DONT_REQUEST_CLIENT_CERTIFICATE, |
|
|
|
|
cipher_suites, alpn_protocols, num_alpn_protocols, factory); |
|
|
|
|
} |
|
|
|
|
@ -2026,8 +2005,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
size_t num_key_cert_pairs, const char* pem_client_root_certs, |
|
|
|
|
tsi_client_certificate_request_type client_certificate_request, |
|
|
|
|
const char* cipher_suites, const char** alpn_protocols, |
|
|
|
|
uint16_t num_alpn_protocols, |
|
|
|
|
tsi_ssl_server_handshaker_factory** factory) { |
|
|
|
|
uint16_t num_alpn_protocols, tsi_ssl_server_handshaker_factory** factory) { |
|
|
|
|
tsi_ssl_server_handshaker_options options; |
|
|
|
|
options.pem_key_cert_pairs = pem_key_cert_pairs; |
|
|
|
|
options.num_key_cert_pairs = num_key_cert_pairs; |
|
|
|
|
@ -2149,15 +2127,14 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr); |
|
|
|
|
break; |
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
|
|
|
|
SSL_CTX_set_verify( |
|
|
|
|
impl->ssl_contexts[i], |
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], |
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
|
|
|
|
NullVerifyCallback); |
|
|
|
|
break; |
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: |
|
|
|
|
SSL_CTX_set_verify( |
|
|
|
|
impl->ssl_contexts[i], |
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); |
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], |
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
|
|
|
|
nullptr); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
/* TODO(jboeuf): Add revocation verification. */ |
|
|
|
|
@ -2173,8 +2150,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(impl->ssl_contexts[i], impl); |
|
|
|
|
#if TSI_OPENSSL_ALPN_SUPPORT |
|
|
|
|
SSL_CTX_set_alpn_select_cb(impl->ssl_contexts[i], |
|
|
|
|
server_handshaker_factory_alpn_callback, |
|
|
|
|
impl); |
|
|
|
|
server_handshaker_factory_alpn_callback, impl); |
|
|
|
|
#endif /* TSI_OPENSSL_ALPN_SUPPORT */ |
|
|
|
|
SSL_CTX_set_next_protos_advertised_cb( |
|
|
|
|
impl->ssl_contexts[i], |
|
|
|
|
@ -2233,8 +2209,7 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* --- Testing support. --- */ |
|
|
|
|
const tsi_ssl_handshaker_factory_vtable* |
|
|
|
|
tsi_ssl_handshaker_factory_swap_vtable( |
|
|
|
|
const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable( |
|
|
|
|
tsi_ssl_handshaker_factory* factory, |
|
|
|
|
tsi_ssl_handshaker_factory_vtable* new_vtable) { |
|
|
|
|
GPR_ASSERT(factory != nullptr); |
|
|
|
|
|
Matthew Stevenson
4 years ago