author | Yang Gao <yangg@google.com> | 2015-06-22 13:36:04 -0700 |
---|---|---|
committer | Yang Gao <yangg@google.com> | 2015-06-22 13:36:04 -0700 |
commit | c4ce71e8665059cabd14fc9fb0bdc8eee357028c (patch) | |
tree | 758255f61f4654e05e6d86ea34bc0e3b35c010e0 /src/core | |
parent | 8222b19eb14273df8124cb5f46f629836e72f6ad (diff) | |
parent | 5b1fdc5c3d14a3715a9d08d4a26b5fe41c207a06 (diff) |
Merge pull request #2123 from jboeuf/ssl_auth_context_fix
Fixing ssl auth context.
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/security/security_connector.c | 32 | ||||
-rw-r--r-- | src/core/security/security_connector.h | 3 |
2 files changed, 13 insertions, 22 deletions
diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c
index 4098636a2e..54d151ad5a 100644
--- a/src/core/security/security_connector.c
+++ b/src/core/security/security_connector.c
@@ -386,29 +386,13 @@ static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) {
 return r;
 }
 
-static grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) {
- /* We bet that iterating over a handful of properties twice will be faster
- than having to realloc on average . */
- size_t auth_prop_count = 1; /* for transport_security_type. */
+grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) {
 size_t i;
- const char *peer_identity_property_name = NULL;
 grpc_auth_context *ctx = NULL;
- for (i = 0; i < peer->property_count; i++) {
- const tsi_peer_property *prop = &peer->properties[i];
- if (prop->name == NULL) continue;
- if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
- auth_prop_count++;
- /* If there is no subject alt name, have the CN as the identity. */
- if (peer_identity_property_name == NULL) {
- peer_identity_property_name = prop->name;
- }
- } else if (strcmp(prop->name,
- TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
- auth_prop_count++;
- peer_identity_property_name = prop->name;
- }
- }
- ctx = grpc_auth_context_create(NULL, auth_prop_count);
+
+ /* The caller has checked the certificate type property. */
+ GPR_ASSERT(peer->property_count >= 1);
+ ctx = grpc_auth_context_create(NULL, peer->property_count);
 ctx->properties[0] = grpc_auth_property_init_from_cstring(
 GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
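Review bot: The new `GPR_ASSERT(peer->property_count >= 1);` does not enforce what the comment above it says: it only checks that the peer has some property, not that the certificate-type property is present. That matters because the context is now allocated for exactly `peer->property_count` entries while slot 0 is taken by the transport-security type, so a peer whose properties are all CN/SAN would need one entry more than allocated once the loop below fills them in — assuming the second argument of grpc_auth_context_create is the property capacity, as the removed count-matching assertion implies. Since the function is no longer static and can be called from tests that bypass the caller's check, I would turn the comment into a real precondition check, e.g. assert via `tsi_peer_get_property_by_name(peer, ...)` that the certificate-type property the comment refers to is non-NULL, keeping the comment to explain why. The body of tsi_ssl_peer_to_auth_context continues past this hunk.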
@@ -417,15 +401,19 @@ static grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) {
 const tsi_peer_property *prop = &peer->properties[i];
 if (prop->name == NULL) continue;
 if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
+ /* If there is no subject alt name, have the CN as the identity. */
+ if (ctx->peer_identity_property_name == NULL) {
+ ctx->peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
+ }
 ctx->properties[ctx->property_count++] = grpc_auth_property_init(
 GRPC_X509_CN_PROPERTY_NAME, prop->value.data, prop->value.length);
 } else if (strcmp(prop->name,
 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
+ ctx->peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
 ctx->properties[ctx->property_count++] = grpc_auth_property_init(
 GRPC_X509_SAN_PROPERTY_NAME, prop->value.data, prop->value.length);
 }
 }
- GPR_ASSERT(auth_prop_count == ctx->property_count);
 return ctx;
 }
 
diff --git a/src/core/security/security_connector.h b/src/core/security/security_connector.h
index 0617041448..ee3057b43b 100644
--- a/src/core/security/security_connector.h
+++ b/src/core/security/security_connector.h
@@ -203,4 +203,7 @@ grpc_security_status grpc_ssl_server_security_connector_create(
 const tsi_peer_property *tsi_peer_get_property_by_name(
 const tsi_peer *peer, const char *name);
 
+/* Exposed for testing only. */
+grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer);
+
 #endif /* GRPC_INTERNAL_CORE_SECURITY_SECURITY_CONNECTOR_H */ |
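Review bot: Removing `GPR_ASSERT(auth_prop_count == ctx->property_count);` leaves the two `ctx->properties[ctx->property_count++] = grpc_auth_property_init(...)` writes in this hunk with no bound at all, whereas the old assertion at least caught a mismatch between the pre-count and the fill. The capacity is now simply `peer->property_count` (set before this hunk) with slot 0 already used for the transport type, so whether the CN/SAN entries fit depends entirely on the peer also carrying a non-CN/SAN property, which nothing in this function verifies. I would keep a check here: `GPR_ASSERT(ctx->property_count < peer->property_count);` immediately before each of the two writes prevents the overrun, or at minimum `GPR_ASSERT(ctx->property_count <= peer->property_count);` before `return ctx;` as a post-condition that detects it (assuming, as the removed assertion implies, that grpc_auth_context_create's second argument sizes the properties array). The enclosing for loop begins before this hunk.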
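Review bot: The new `/* Exposed for testing only. */` comment on the tsi_ssl_peer_to_auth_context declaration should also state the precondition the implementation depends on, because tests are exactly the callers that will not go through the certificate-type check the .c-side comment refers to. I would expand it to something like `/* Exposed for testing only. The peer must contain at least one property that is neither the X509 CN nor SAN property (the normal callers have already checked the certificate type); the returned context is sized to peer->property_count. */`. Stating who owns and releases the returned grpc_auth_context would help too, since the visible code does not show it.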