diff options
author | Mark D. Roth <roth@google.com> | 2018-04-27 07:31:28 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-04-27 07:31:28 -0700 |
commit | 198d0f56ce3125ebe60df62f313203034b21d743 (patch) | |
tree | 66d5f0a0a9f522e96a1f2cdd232740b6e85bf082 /src/core/lib/security | |
parent | b6c386106e16de9fed6c2fcd54d4e56005747a31 (diff) | |
parent | 116fd29a36b1b5af454de11bda6d100f9565be91 (diff) |
Merge pull request #14387 from dcow/zone-id
gRPC core: strip zone-id from IPv6 hosts before TLS verification
Diffstat (limited to 'src/core/lib/security')
-rw-r--r-- | src/core/lib/security/security_connector/security_connector.cc | 23 | ||||
-rw-r--r-- | src/core/lib/security/security_connector/security_connector.h | 1 |
2 files changed, 14 insertions, 10 deletions
diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc index 3551061aa4..b6c8d1e497 100644 --- a/src/core/lib/security/security_connector/security_connector.cc +++ b/src/core/lib/security/security_connector/security_connector.cc @@ -786,17 +786,20 @@ static void ssl_server_add_handshakers(grpc_server_security_connector* sc, tsi_create_adapter_handshaker(tsi_hs), &sc->base)); } -static int ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) { +int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) { char* allocated_name = nullptr; int r; - if (strchr(peer_name, ':') != nullptr) { - char* ignored_port; - gpr_split_host_port(peer_name, &allocated_name, &ignored_port); - gpr_free(ignored_port); - peer_name = allocated_name; - if (!peer_name) return 0; - } + char* ignored_port; + gpr_split_host_port(peer_name, &allocated_name, &ignored_port); + gpr_free(ignored_port); + peer_name = allocated_name; + if (!peer_name) return 0; + + // IPv6 zone-id should not be included in comparisons. + char* const zone_id = strchr(allocated_name, '%'); + if (zone_id != nullptr) *zone_id = '\0'; + r = tsi_ssl_peer_matches_name(peer, peer_name); gpr_free(allocated_name); return r; @@ -859,7 +862,7 @@ static grpc_error* ssl_check_peer(grpc_security_connector* sc, } /* Check the peer name if specified. */ - if (peer_name != nullptr && !ssl_host_matches_name(peer, peer_name)) { + if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) { char* msg; gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name); grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); @@ -968,7 +971,7 @@ static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc, reinterpret_cast<grpc_ssl_channel_security_connector*>(sc); grpc_security_status status = GRPC_SECURITY_ERROR; tsi_peer peer = tsi_shallow_peer_from_ssl_auth_context(auth_context); - if (ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; + if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; /* If the target name was overridden, then the original target_name was 'checked' transitively during the previous peer check at the end of the handshake. */ diff --git a/src/core/lib/security/security_connector/security_connector.h b/src/core/lib/security/security_connector/security_connector.h index c4cc19db81..f2d94d6f1c 100644 --- a/src/core/lib/security/security_connector/security_connector.h +++ b/src/core/lib/security/security_connector/security_connector.h @@ -243,6 +243,7 @@ grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer); tsi_peer tsi_shallow_peer_from_ssl_auth_context( const grpc_auth_context* auth_context); void tsi_shallow_peer_destruct(tsi_peer* peer); +int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name); /* --- Default SSL Root Store. --- */ namespace grpc_core { |