authorGravatar Ruslan Nigmatullin <elessar@dropbox.com>2018-02-21 16:44:35 -0800
committerGravatar Ruslan Nigmatullin <elessar@dropbox.com>2018-03-20 09:17:28 -0700
commit7ae3733cab31c9c8b06dc5961984e063685de261 (patch)
treeb4d8535830d94b9de4b520761c29ff1162fcf485 /test
parentc4223da3ef38b1ad728e5b6a7ccd3dd0a0008937 (diff)
[grpc] Add SSL session client cache support
Diffstat (limited to 'test')
-rw-r--r--test/core/end2end/BUILD17
-rw-r--r--test/core/end2end/h2_ssl_session_reuse_test.cc280
-rw-r--r--test/core/tsi/BUILD14
-rw-r--r--test/core/tsi/ssl_session_cache_test.cc154
-rw-r--r--test/core/tsi/ssl_transport_security_test.cc159
5 files changed, 580 insertions, 44 deletions
diff --git a/test/core/end2end/BUILD b/test/core/end2end/BUILD
index 952f3505fb..dd16694204 100644
--- a/test/core/end2end/BUILD
+++ b/test/core/end2end/BUILD
@@ -163,3 +163,20 @@ grpc_cc_test(
)
grpc_end2end_tests()
+
+grpc_cc_test(
+ name = "h2_ssl_session_reuse_test",
+ srcs = ["h2_ssl_session_reuse_test.cc"],
+ external_deps = [
+ "gtest",
+ ],
+ language = "C++",
+ deps = [
+ ':end2end_tests',
+ '//:gpr',
+ '//:grpc',
+ '//:tsi',
+ '//test/core/util:gpr_test_util',
+ '//test/core/util:grpc_test_util',
+ ],
+)
diff --git a/test/core/end2end/h2_ssl_session_reuse_test.cc b/test/core/end2end/h2_ssl_session_reuse_test.cc
new file mode 100644
index 0000000000..d5984be93f
--- /dev/null
+++ b/test/core/end2end/h2_ssl_session_reuse_test.cc
@@ -0,0 +1,280 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "test/core/end2end/end2end_tests.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/gpr/env.h"
+#include "src/core/lib/gpr/host_port.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gpr/tmpfile.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "test/core/end2end/cq_verifier.h"
+#include "test/core/end2end/data/ssl_test_data.h"
+#include "test/core/util/port.h"
+#include "test/core/util/test_config.h"
+
+#include <gtest/gtest.h>
+
+namespace grpc {
+namespace testing {
+namespace {
+
+void* tag(intptr_t t) { return (void*)t; }
+
+gpr_timespec five_seconds_time() { return grpc_timeout_seconds_to_deadline(5); }
+
+grpc_server* server_create(grpc_completion_queue* cq, char* server_addr) {
+ grpc_ssl_pem_key_cert_pair pem_cert_key_pair = {test_server1_key,
+ test_server1_cert};
+ grpc_server_credentials* server_creds = grpc_ssl_server_credentials_create_ex(
+ test_root_cert, &pem_cert_key_pair, 1,
+ GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, nullptr);
+
+ grpc_server* server = grpc_server_create(nullptr, nullptr);
+ grpc_server_register_completion_queue(server, cq, nullptr);
+ GPR_ASSERT(
+ grpc_server_add_secure_http2_port(server, server_addr, server_creds));
+ grpc_server_credentials_release(server_creds);
+ grpc_server_start(server);
+
+ return server;
+}
+
+grpc_channel* client_create(char* server_addr, grpc_ssl_session_cache* cache) {
+ grpc_ssl_pem_key_cert_pair signed_client_key_cert_pair = {
+ test_signed_client_key, test_signed_client_cert};
+ grpc_channel_credentials* client_creds = grpc_ssl_credentials_create(
+ test_root_cert, &signed_client_key_cert_pair, nullptr);
+
+ grpc_arg args[] = {
+ grpc_channel_arg_string_create(
+ const_cast<char*>(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG),
+ const_cast<char*>("waterzooi.test.google.be")),
+ grpc_ssl_session_cache_create_channel_arg(cache),
+ };
+
+ grpc_channel_args* client_args =
+ grpc_channel_args_copy_and_add(nullptr, args, GPR_ARRAY_SIZE(args));
+
+ grpc_channel* client = grpc_secure_channel_create(client_creds, server_addr,
+ client_args, nullptr);
+ GPR_ASSERT(client != nullptr);
+ grpc_channel_credentials_release(client_creds);
+
+ {
+ grpc_core::ExecCtx exec_ctx;
+ grpc_channel_args_destroy(client_args);
+ }
+
+ return client;
+}
+
+void do_round_trip(grpc_completion_queue* cq, grpc_server* server,
+ char* server_addr, grpc_ssl_session_cache* cache,
+ bool expect_session_reuse) {
+ grpc_channel* client = client_create(server_addr, cache);
+
+ cq_verifier* cqv = cq_verifier_create(cq);
+ grpc_op ops[6];
+ grpc_op* op;
+ grpc_metadata_array initial_metadata_recv;
+ grpc_metadata_array trailing_metadata_recv;
+ grpc_metadata_array request_metadata_recv;
+ grpc_call_details call_details;
+ grpc_status_code status;
+ grpc_call_error error;
+ grpc_slice details;
+ int was_cancelled = 2;
+
+ gpr_timespec deadline = grpc_timeout_seconds_to_deadline(60);
+ grpc_call* c = grpc_channel_create_call(
+ client, nullptr, GRPC_PROPAGATE_DEFAULTS, cq,
+ grpc_slice_from_static_string("/foo"), nullptr, deadline, nullptr);
+ GPR_ASSERT(c);
+
+ grpc_metadata_array_init(&initial_metadata_recv);
+ grpc_metadata_array_init(&trailing_metadata_recv);
+ grpc_metadata_array_init(&request_metadata_recv);
+ grpc_call_details_init(&call_details);
+
+ memset(ops, 0, sizeof(ops));
+ op = ops;
+ op->op = GRPC_OP_SEND_INITIAL_METADATA;
+ op->data.send_initial_metadata.count = 0;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ op->op = GRPC_OP_RECV_INITIAL_METADATA;
+ op->data.recv_initial_metadata.recv_initial_metadata = &initial_metadata_recv;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ op->op = GRPC_OP_RECV_STATUS_ON_CLIENT;
+ op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv;
+ op->data.recv_status_on_client.status = &status;
+ op->data.recv_status_on_client.status_details = &details;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ error = grpc_call_start_batch(c, ops, static_cast<size_t>(op - ops), tag(1),
+ nullptr);
+ GPR_ASSERT(GRPC_CALL_OK == error);
+
+ grpc_call* s;
+ error = grpc_server_request_call(server, &s, &call_details,
+ &request_metadata_recv, cq, cq, tag(101));
+ GPR_ASSERT(GRPC_CALL_OK == error);
+ CQ_EXPECT_COMPLETION(cqv, tag(101), 1);
+ cq_verify(cqv);
+
+ grpc_auth_context* auth = grpc_call_auth_context(s);
+ grpc_auth_property_iterator it = grpc_auth_context_find_properties_by_name(
+ auth, GRPC_SSL_SESSION_REUSED_PROPERTY);
+ const grpc_auth_property* property = grpc_auth_property_iterator_next(&it);
+ GPR_ASSERT(property != nullptr);
+
+ if (expect_session_reuse) {
+ GPR_ASSERT(strcmp(property->value, "true") == 0);
+ } else {
+ GPR_ASSERT(strcmp(property->value, "false") == 0);
+ }
+ grpc_auth_context_release(auth);
+
+ memset(ops, 0, sizeof(ops));
+ op = ops;
+ op->op = GRPC_OP_SEND_INITIAL_METADATA;
+ op->data.send_initial_metadata.count = 0;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ op->op = GRPC_OP_RECV_CLOSE_ON_SERVER;
+ op->data.recv_close_on_server.cancelled = &was_cancelled;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ op->op = GRPC_OP_SEND_STATUS_FROM_SERVER;
+ op->data.send_status_from_server.trailing_metadata_count = 0;
+ op->data.send_status_from_server.status = GRPC_STATUS_OK;
+ op->flags = 0;
+ op->reserved = nullptr;
+ op++;
+ error = grpc_call_start_batch(s, ops, static_cast<size_t>(op - ops), tag(103),
+ nullptr);
+ GPR_ASSERT(GRPC_CALL_OK == error);
+
+ CQ_EXPECT_COMPLETION(cqv, tag(103), 1);
+ CQ_EXPECT_COMPLETION(cqv, tag(1), 1);
+ cq_verify(cqv);
+
+ grpc_metadata_array_destroy(&initial_metadata_recv);
+ grpc_metadata_array_destroy(&trailing_metadata_recv);
+ grpc_metadata_array_destroy(&request_metadata_recv);
+ grpc_call_details_destroy(&call_details);
+
+ grpc_call_unref(c);
+ grpc_call_unref(s);
+
+ cq_verifier_destroy(cqv);
+
+ grpc_channel_destroy(client);
+}
+
+void drain_cq(grpc_completion_queue* cq) {
+ grpc_event ev;
+ do {
+ ev = grpc_completion_queue_next(cq, five_seconds_time(), nullptr);
+ } while (ev.type != GRPC_QUEUE_SHUTDOWN);
+}
+
+TEST(H2SessionReuseTest, SingleReuse) {
+ int port = grpc_pick_unused_port_or_die();
+
+ char* server_addr;
+ gpr_join_host_port(&server_addr, "localhost", port);
+
+ grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
+ grpc_ssl_session_cache* cache = grpc_ssl_session_cache_create_lru(16);
+
+ grpc_server* server = server_create(cq, server_addr);
+
+ do_round_trip(cq, server, server_addr, cache, false);
+ do_round_trip(cq, server, server_addr, cache, true);
+ do_round_trip(cq, server, server_addr, cache, true);
+
+ gpr_free(server_addr);
+ grpc_ssl_session_cache_destroy(cache);
+
+ GPR_ASSERT(grpc_completion_queue_next(
+ cq, grpc_timeout_milliseconds_to_deadline(100), nullptr)
+ .type == GRPC_QUEUE_TIMEOUT);
+
+ grpc_completion_queue* shutdown_cq =
+ grpc_completion_queue_create_for_pluck(nullptr);
+ grpc_server_shutdown_and_notify(server, shutdown_cq, tag(1000));
+ GPR_ASSERT(grpc_completion_queue_pluck(shutdown_cq, tag(1000),
+ grpc_timeout_seconds_to_deadline(5),
+ nullptr)
+ .type == GRPC_OP_COMPLETE);
+ grpc_server_destroy(server);
+ grpc_completion_queue_destroy(shutdown_cq);
+
+ grpc_completion_queue_shutdown(cq);
+ drain_cq(cq);
+ grpc_completion_queue_destroy(cq);
+}
+
+} // namespace
+} // namespace testing
+} // namespace grpc
+
+int main(int argc, char** argv) {
+ FILE* roots_file;
+ size_t roots_size = strlen(test_root_cert);
+ char* roots_filename;
+
+ grpc_test_init(argc, argv);
+ /* Set the SSL roots env var. */
+ roots_file = gpr_tmpfile("chttp2_ssl_session_reuse_test", &roots_filename);
+ GPR_ASSERT(roots_filename != nullptr);
+ GPR_ASSERT(roots_file != nullptr);
+ GPR_ASSERT(fwrite(test_root_cert, 1, roots_size, roots_file) == roots_size);
+ fclose(roots_file);
+ gpr_setenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR, roots_filename);
+
+ grpc_init();
+ ::testing::InitGoogleTest(&argc, argv);
+ int ret = RUN_ALL_TESTS();
+ grpc_shutdown();
+
+ /* Cleanup. */
+ remove(roots_filename);
+ gpr_free(roots_filename);
+
+ return ret;
+}
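Review bot: do_round_trip receives the call status into `status` and the status-details slice into `details` through GRPC_OP_RECV_STATUS_ON_CLIENT, but after the second `cq_verify(cqv)` it never asserts the status and never releases the slice, so an RPC that failed yet still carried the session-reused property would pass, and `details` leaks on every round trip. Add `GPR_ASSERT(status == GRPC_STATUS_OK);`, `GPR_ASSERT(was_cancelled == 0);` and `grpc_slice_unref(details);` before the metadata arrays are destroyed. `grpc_op ops[6]` is also larger than the four ops the client batch and the three the server batch ever fill; `grpc_op ops[4]` matches the code.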
diff --git a/test/core/tsi/BUILD b/test/core/tsi/BUILD
index 8ac3e7687c..ae6e8fdc32 100644
--- a/test/core/tsi/BUILD
+++ b/test/core/tsi/BUILD
@@ -41,6 +41,20 @@ grpc_cc_test(
],
)
+grpc_cc_test(
+ name = "ssl_session_cache_test",
+ srcs = ["ssl_session_cache_test.cc"],
+ language = "C++",
+ external_deps = [
+ "gtest",
+ ],
+ deps = [
+ "//:grpc",
+ "//:gpr",
+ "//:tsi",
+ "//test/core/util:gpr_test_util",
+ ],
+)
grpc_cc_test(
name = "ssl_transport_security_test",
diff --git a/test/core/tsi/ssl_session_cache_test.cc b/test/core/tsi/ssl_session_cache_test.cc
new file mode 100644
index 0000000000..72df0e545c
--- /dev/null
+++ b/test/core/tsi/ssl_session_cache_test.cc
@@ -0,0 +1,154 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <string>
+#include <unordered_set>
+
+#include "src/core/tsi/ssl/session_cache/ssl_session_cache.h"
+#include "test/core/util/test_config.h"
+
+#include <grpc/grpc.h>
+#include <grpc/support/log.h>
+#include <gtest/gtest.h>
+
+namespace grpc_core {
+
+namespace {
+
+class SessionTracker;
+
+struct SessionExDataId {
+ SessionTracker* tracker;
+ long id;
+};
+
+class SessionTracker {
+ public:
+ SessionTracker() { ssl_context_ = SSL_CTX_new(TLSv1_2_method()); }
+
+ ~SessionTracker() { SSL_CTX_free(ssl_context_); }
+
+ tsi::SslSessionPtr NewSession(long id) {
+ static int ex_data_id = SSL_SESSION_get_ex_new_index(
+ 0, nullptr, nullptr, nullptr, DestroyExData);
+ GPR_ASSERT(ex_data_id != -1);
+ // OpenSSL and different version of BoringSSL don't agree on API
+ // so try both.
+ tsi::SslSessionPtr session = NewSessionInternal(SSL_SESSION_new);
+ SessionExDataId* data = new SessionExDataId{this, id};
+ int result = SSL_SESSION_set_ex_data(session.get(), ex_data_id, data);
+ EXPECT_EQ(result, 1);
+ alive_sessions_.insert(id);
+ return session;
+ }
+
+ bool IsAlive(long id) const {
+ return alive_sessions_.find(id) != alive_sessions_.end();
+ }
+
+ size_t AliveCount() const { return alive_sessions_.size(); }
+
+ private:
+ tsi::SslSessionPtr NewSessionInternal(SSL_SESSION* (*cb)()) {
+ return tsi::SslSessionPtr(cb());
+ }
+
+ tsi::SslSessionPtr NewSessionInternal(SSL_SESSION* (*cb)(const SSL_CTX*)) {
+ return tsi::SslSessionPtr(cb(ssl_context_));
+ }
+
+ static void DestroyExData(void* parent, void* ptr, CRYPTO_EX_DATA* ad,
+ int index, long argl, void* argp) {
+ SessionExDataId* data = static_cast<SessionExDataId*>(ptr);
+ data->tracker->alive_sessions_.erase(data->id);
+ delete data;
+ }
+
+ SSL_CTX* ssl_context_;
+ std::unordered_set<long> alive_sessions_;
+};
+
+TEST(SslSessionCacheTest, InitialState) {
+ SessionTracker tracker;
+ // Verify session initial state.
+ {
+ tsi::SslSessionPtr tmp_sess = tracker.NewSession(1);
+ EXPECT_EQ(tmp_sess->references, 1);
+ EXPECT_TRUE(tracker.IsAlive(1));
+ EXPECT_EQ(tracker.AliveCount(), 1);
+ }
+ EXPECT_FALSE(tracker.IsAlive(1));
+ EXPECT_EQ(tracker.AliveCount(), 0);
+}
+
+TEST(SslSessionCacheTest, LruCache) {
+ SessionTracker tracker;
+ {
+ RefCountedPtr<tsi::SslSessionLRUCache> cache =
+ tsi::SslSessionLRUCache::Create(3);
+ tsi::SslSessionPtr sess2 = tracker.NewSession(2);
+ SSL_SESSION* sess2_ptr = sess2.get();
+ cache->Put("first.dropbox.com", std::move(sess2));
+ EXPECT_EQ(cache->Get("first.dropbox.com").get(), sess2_ptr);
+ EXPECT_TRUE(tracker.IsAlive(2));
+ EXPECT_EQ(tracker.AliveCount(), 1);
+ // Putting element with the same key destroys old session.
+ tsi::SslSessionPtr sess3 = tracker.NewSession(3);
+ SSL_SESSION* sess3_ptr = sess3.get();
+ cache->Put("first.dropbox.com", std::move(sess3));
+ EXPECT_FALSE(tracker.IsAlive(2));
+ EXPECT_EQ(cache->Get("first.dropbox.com").get(), sess3_ptr);
+ EXPECT_TRUE(tracker.IsAlive(3));
+ EXPECT_EQ(tracker.AliveCount(), 1);
+ // Putting three more elements discards current one.
+ for (long id = 4; id < 7; id++) {
+ EXPECT_TRUE(tracker.IsAlive(3));
+ std::string domain = std::to_string(id) + ".random.domain";
+ cache->Put(domain.c_str(), tracker.NewSession(id));
+ }
+ EXPECT_EQ(cache->Size(), 3);
+ EXPECT_FALSE(tracker.IsAlive(3));
+ EXPECT_EQ(tracker.AliveCount(), 3);
+ // Accessing element moves it into front of the queue.
+ EXPECT_TRUE(cache->Get("4.random.domain"));
+ EXPECT_TRUE(tracker.IsAlive(4));
+ EXPECT_TRUE(tracker.IsAlive(5));
+ EXPECT_TRUE(tracker.IsAlive(6));
+ // One element has to be evicted from cache->
+ cache->Put("7.random.domain", tracker.NewSession(7));
+ EXPECT_TRUE(tracker.IsAlive(4));
+ EXPECT_FALSE(tracker.IsAlive(5));
+ EXPECT_TRUE(tracker.IsAlive(6));
+ EXPECT_TRUE(tracker.IsAlive(7));
+ EXPECT_EQ(tracker.AliveCount(), 3);
+ }
+ // Cache destructor destroys all sessions.
+ EXPECT_EQ(tracker.AliveCount(), 0);
+}
+
+} // namespace
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ grpc_test_init(argc, argv);
+ grpc_init();
+ int ret = RUN_ALL_TESTS();
+ grpc_shutdown();
+ return ret;
+}
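Review bot: SessionTracker's DestroyExData callback writes into `data->tracker->alive_sessions_` whenever an SSL_SESSION is freed, so any session that outlives its tracker (a cache declared before the tracker, or a session whose scope is not closed before `tracker` goes away) would dereference a destroyed object; both tests only hold because the cache lives in an inner block. State that contract on the class, e.g. `// Every session created by this tracker must be released before the tracker is destroyed: the ex-data free callback writes into alive_sessions_.`, and consider a destructor assertion that `alive_sessions_` is empty. `EXPECT_EQ(tmp_sess->references, 1)` in InitialState also reaches into the SSL_SESSION struct directly; that presumably compiles only where the struct is not opaque (BoringSSL), so it would need a guard or removal for OpenSSL 1.1+ builds.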
diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc
index d9eb7470d5..0878c57931 100644
--- a/test/core/tsi/ssl_transport_security_test.cc
+++ b/test/core/tsi/ssl_transport_security_test.cc
@@ -52,8 +52,8 @@ typedef enum AlpnMode {
typedef struct ssl_alpn_lib {
AlpnMode alpn_mode;
- char** server_alpn_protocols;
- char** client_alpn_protocols;
+ const char** server_alpn_protocols;
+ const char** client_alpn_protocols;
uint16_t num_server_alpn_protocols;
uint16_t num_client_alpn_protocols;
} ssl_alpn_lib;
@@ -76,6 +76,10 @@ typedef struct ssl_tsi_test_fixture {
ssl_alpn_lib* alpn_lib;
bool force_client_auth;
char* server_name_indication;
+ tsi_ssl_session_cache* session_cache;
+ bool session_reused;
+ const char* session_ticket_key;
+ size_t session_ticket_key_size;
tsi_ssl_server_handshaker_factory* server_handshaker_factory;
tsi_ssl_client_handshaker_factory* client_handshaker_factory;
} ssl_tsi_test_fixture;
@@ -89,47 +93,60 @@ static void ssl_test_setup_handshakers(tsi_test_fixture* fixture) {
ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
/* Create client handshaker factory. */
- tsi_ssl_pem_key_cert_pair* client_key_cert_pair = nullptr;
+ tsi_ssl_client_handshaker_options client_options;
+ memset(&client_options, 0, sizeof(client_options));
+ client_options.pem_root_certs = key_cert_lib->root_cert;
if (ssl_fixture->force_client_auth) {
- client_key_cert_pair = key_cert_lib->use_bad_client_cert
- ? &key_cert_lib->bad_client_pem_key_cert_pair
- : &key_cert_lib->client_pem_key_cert_pair;
+ client_options.pem_key_cert_pair =
+ key_cert_lib->use_bad_client_cert
+ ? &key_cert_lib->bad_client_pem_key_cert_pair
+ : &key_cert_lib->client_pem_key_cert_pair;
}
- char** client_alpn_protocols = nullptr;
- uint16_t num_client_alpn_protocols = 0;
if (alpn_lib->alpn_mode == ALPN_CLIENT_NO_SERVER ||
alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
- client_alpn_protocols = alpn_lib->client_alpn_protocols;
- num_client_alpn_protocols = alpn_lib->num_client_alpn_protocols;
+ client_options.alpn_protocols = alpn_lib->client_alpn_protocols;
+ client_options.num_alpn_protocols = alpn_lib->num_client_alpn_protocols;
}
- GPR_ASSERT(tsi_create_ssl_client_handshaker_factory(
- client_key_cert_pair, key_cert_lib->root_cert, nullptr,
- (const char**)client_alpn_protocols, num_client_alpn_protocols,
- &ssl_fixture->client_handshaker_factory) == TSI_OK);
+ if (ssl_fixture->session_cache != nullptr) {
+ client_options.session_cache = ssl_fixture->session_cache;
+ }
+ GPR_ASSERT(tsi_create_ssl_client_handshaker_factory_with_options(
+ &client_options, &ssl_fixture->client_handshaker_factory) ==
+ TSI_OK);
/* Create server handshaker factory. */
- char** server_alpn_protocols = nullptr;
- uint16_t num_server_alpn_protocols = 0;
+ tsi_ssl_server_handshaker_options server_options;
+ memset(&server_options, 0, sizeof(server_options));
if (alpn_lib->alpn_mode == ALPN_SERVER_NO_CLIENT ||
alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
- server_alpn_protocols = alpn_lib->server_alpn_protocols;
- num_server_alpn_protocols = alpn_lib->num_server_alpn_protocols;
+ server_options.alpn_protocols = alpn_lib->server_alpn_protocols;
+ server_options.num_alpn_protocols = alpn_lib->num_server_alpn_protocols;
if (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
- num_server_alpn_protocols--;
+ server_options.num_alpn_protocols--;
}
}
- GPR_ASSERT(tsi_create_ssl_server_handshaker_factory(
- key_cert_lib->use_bad_server_cert
- ? key_cert_lib->bad_server_pem_key_cert_pairs
- : key_cert_lib->server_pem_key_cert_pairs,
- key_cert_lib->use_bad_server_cert
- ? key_cert_lib->bad_server_num_key_cert_pairs
- : key_cert_lib->server_num_key_cert_pairs,
- key_cert_lib->root_cert, ssl_fixture->force_client_auth,
- nullptr, (const char**)server_alpn_protocols,
- num_server_alpn_protocols,
- &ssl_fixture->server_handshaker_factory) == TSI_OK);
+ server_options.pem_key_cert_pairs =
+ key_cert_lib->use_bad_server_cert
+ ? key_cert_lib->bad_server_pem_key_cert_pairs
+ : key_cert_lib->server_pem_key_cert_pairs;
+ server_options.num_key_cert_pairs =
+ key_cert_lib->use_bad_server_cert
+ ? key_cert_lib->bad_server_num_key_cert_pairs
+ : key_cert_lib->server_num_key_cert_pairs;
+ server_options.pem_client_root_certs = key_cert_lib->root_cert;
+ if (ssl_fixture->force_client_auth) {
+ server_options.client_certificate_request =
+ TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
+ } else {
+ server_options.client_certificate_request =
+ TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
+ }
+ server_options.session_ticket_key = ssl_fixture->session_ticket_key;
+ server_options.session_ticket_key_size = ssl_fixture->session_ticket_key_size;
+ GPR_ASSERT(tsi_create_ssl_server_handshaker_factory_with_options(
+ &server_options, &ssl_fixture->server_handshaker_factory) ==
+ TSI_OK);
/* Create server and client handshakers. */
tsi_handshaker* client_handshaker = nullptr;
GPR_ASSERT(tsi_ssl_client_handshaker_factory_create_handshaker(
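Review bot: The `if (ssl_fixture->session_cache != nullptr)` guard around `client_options.session_cache = ssl_fixture->session_cache;` is redundant, because `client_options` was just zeroed with memset and a null assignment leaves it null; an unconditional `client_options.session_cache = ssl_fixture->session_cache;` reads the same as the surrounding field copies. The server side already sets `session_ticket_key` and `session_ticket_key_size` unconditionally in exactly that style. The enclosing ssl_test_setup_handshakers continues past the hunk.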
@@ -176,6 +193,18 @@ check_basic_authenticated_peer_and_get_common_name(const tsi_peer* peer) {
return property;
}
+static void check_session_reusage(ssl_tsi_test_fixture* ssl_fixture,
+ tsi_peer* peer) {
+ const tsi_peer_property* session_reused =
+ tsi_peer_get_property_by_name(peer, TSI_SSL_SESSION_REUSED_PEER_PROPERTY);
+ GPR_ASSERT(session_reused != nullptr);
+ if (ssl_fixture->session_reused) {
+ GPR_ASSERT(strcmp(session_reused->value.data, "true") == 0);
+ } else {
+ GPR_ASSERT(strcmp(session_reused->value.data, "false") == 0);
+ }
+}
+
void check_server0_peer(tsi_peer* peer) {
const tsi_peer_property* property =
check_basic_authenticated_peer_and_get_common_name(peer);
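Review bot: `strcmp(session_reused->value.data, "true")` in check_session_reusage assumes the peer property value is NUL-terminated, but tsi_peer_property carries an explicit `value.length`; unless the TSI layer guarantees a terminator, the compare reads past the end of the value buffer. Compare over the stated length instead: `const char* expected = ssl_fixture->session_reused ? "true" : "false";` then `GPR_ASSERT(session_reused->value.length == strlen(expected) && memcmp(session_reused->value.data, expected, session_reused->value.length) == 0);`, which also collapses the duplicated if/else branches.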
@@ -233,7 +262,7 @@ static void check_client_peer(ssl_tsi_test_fixture* ssl_fixture,
ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
if (!ssl_fixture->force_client_auth) {
GPR_ASSERT(peer->property_count ==
- (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ? 1 : 0));
+ (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ? 2 : 1));
} else {
const tsi_peer_property* property =
check_basic_authenticated_peer_and_get_common_name(peer);
@@ -257,8 +286,8 @@ static void ssl_test_check_handshaker_peers(tsi_test_fixture* fixture) {
if (expect_success) {
GPR_ASSERT(tsi_handshaker_result_extract_peer(
ssl_fixture->base.client_result, &peer) == TSI_OK);
+ check_session_reusage(ssl_fixture, &peer);
check_alpn(ssl_fixture, &peer);
-
if (ssl_fixture->server_name_indication != nullptr) {
check_server1_peer(&peer);
} else {
@@ -270,6 +299,7 @@ static void ssl_test_check_handshaker_peers(tsi_test_fixture* fixture) {
if (expect_success) {
GPR_ASSERT(tsi_handshaker_result_extract_peer(
ssl_fixture->base.server_result, &peer) == TSI_OK);
+ check_session_reusage(ssl_fixture, &peer);
check_alpn(ssl_fixture, &peer);
check_client_peer(ssl_fixture, &peer);
} else {
@@ -291,11 +321,11 @@ static void ssl_test_destruct(tsi_test_fixture* fixture) {
/* Destroy ssl_alpn_lib. */
ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
for (size_t i = 0; i < alpn_lib->num_server_alpn_protocols; i++) {
- gpr_free(alpn_lib->server_alpn_protocols[i]);
+ gpr_free(const_cast<char*>(alpn_lib->server_alpn_protocols[i]));
}
gpr_free(alpn_lib->server_alpn_protocols);
for (size_t i = 0; i < alpn_lib->num_client_alpn_protocols; i++) {
- gpr_free(alpn_lib->client_alpn_protocols[i]);
+ gpr_free(const_cast<char*>(alpn_lib->client_alpn_protocols[i]));
}
gpr_free(alpn_lib->client_alpn_protocols);
gpr_free(alpn_lib);
@@ -316,6 +346,9 @@ static void ssl_test_destruct(tsi_test_fixture* fixture) {
key_cert_lib->bad_client_pem_key_cert_pair);
gpr_free(key_cert_lib->root_cert);
gpr_free(key_cert_lib);
+ if (ssl_fixture->session_cache != nullptr) {
+ tsi_ssl_session_cache_unref(ssl_fixture->session_cache);
+ }
/* Unreference others. */
tsi_ssl_server_handshaker_factory_unref(
ssl_fixture->server_handshaker_factory);
@@ -388,10 +421,10 @@ static tsi_test_fixture* ssl_tsi_test_fixture_create() {
/* Create ssl_alpn_lib. */
ssl_alpn_lib* alpn_lib =
static_cast<ssl_alpn_lib*>(gpr_zalloc(sizeof(*alpn_lib)));
- alpn_lib->server_alpn_protocols =
- static_cast<char**>(gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
- alpn_lib->client_alpn_protocols =
- static_cast<char**>(gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
+ alpn_lib->server_alpn_protocols = static_cast<const char**>(
+ gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
+ alpn_lib->client_alpn_protocols = static_cast<const char**>(
+ gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
alpn_lib->server_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN1);
alpn_lib->server_alpn_protocols[1] = gpr_strdup(SSL_TSI_TEST_ALPN3);
alpn_lib->client_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN2);
@@ -402,6 +435,9 @@ static tsi_test_fixture* ssl_tsi_test_fixture_create() {
ssl_fixture->alpn_lib = alpn_lib;
ssl_fixture->base.vtable = &vtable;
ssl_fixture->server_name_indication = nullptr;
+ ssl_fixture->session_reused = false;
+ ssl_fixture->session_ticket_key = nullptr;
+ ssl_fixture->session_ticket_key_size = 0;
ssl_fixture->force_client_auth = false;
return &ssl_fixture->base;
}
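Review bot: `session_cache` is the one new fixture field not initialized here, while `session_reused`, `session_ticket_key` and `session_ticket_key_size` are; ssl_test_setup_handshakers and ssl_test_destruct both test it against nullptr and the latter unrefs it. If ssl_fixture comes from gpr_zalloc (its allocation is above this hunk) the field is already null, but this function's convention is to set every field explicitly (`server_name_indication`, `force_client_auth`), so add `ssl_fixture->session_cache = nullptr;` next to the other three.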
@@ -558,6 +594,38 @@ void ssl_tsi_test_do_round_trip_odd_buffer_size() {
}
}
+void ssl_tsi_test_do_handshake_session_cache() {
+ tsi_ssl_session_cache* session_cache = tsi_ssl_session_cache_create_lru(16);
+ char session_ticket_key[48];
+ auto do_handshake = [&session_ticket_key,
+ &session_cache](bool session_reused) {
+ tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
+ ssl_tsi_test_fixture* ssl_fixture =
+ reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
+ ssl_fixture->server_name_indication =
+ const_cast<char*>("waterzooi.test.google.be");
+ ssl_fixture->session_ticket_key = session_ticket_key;
+ ssl_fixture->session_ticket_key_size = 48;
+ tsi_ssl_session_cache_ref(session_cache);
+ ssl_fixture->session_cache = session_cache;
+ ssl_fixture->session_reused = session_reused;
+ tsi_test_do_round_trip(&ssl_fixture->base);
+ tsi_test_fixture_destroy(fixture);
+ };
+ memset(session_ticket_key, 'a', 48);
+ do_handshake(false);
+ do_handshake(true);
+ do_handshake(true);
+ // Changing session_ticket_key on server invalidates ticket.
+ memset(session_ticket_key, 'b', 48);
+ do_handshake(false);
+ do_handshake(true);
+ memset(session_ticket_key, 'c', 48);
+ do_handshake(false);
+ do_handshake(true);
+ tsi_ssl_session_cache_unref(session_cache);
+}
+
static const tsi_ssl_handshaker_factory_vtable* original_vtable;
static bool handshaker_factory_destructor_called;
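Review bot: The ticket key size 48 is written four times in ssl_tsi_test_do_handshake_session_cache (the array bound, `session_ticket_key_size = 48`, and each memset), so changing the key length could silently desynchronize the size handed to the server from the bytes actually filled. Derive it from the array: `ssl_fixture->session_ticket_key_size = sizeof(session_ticket_key);` and `memset(session_ticket_key, 'a', sizeof(session_ticket_key));` (likewise for 'b' and 'c'). A one-line comment before the first `do_handshake(false)`, e.g. `// First handshake of each key epoch populates the cache; later ones must resume.`, would make the false/true/true pattern self-explanatory alongside the existing note on key rotation.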
@@ -575,13 +643,14 @@ static tsi_ssl_handshaker_factory_vtable test_handshaker_factory_vtable = {
void test_tsi_ssl_client_handshaker_factory_refcounting() {
int i;
- const char* cert_chain =
- load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "client.pem");
+ char* cert_chain = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "client.pem");
+ tsi_ssl_client_handshaker_options options;
+ memset(&options, 0, sizeof(options));
+ options.pem_root_certs = cert_chain;
tsi_ssl_client_handshaker_factory* client_handshaker_factory;
- GPR_ASSERT(tsi_create_ssl_client_handshaker_factory(
- nullptr, cert_chain, nullptr, nullptr, 0,
- &client_handshaker_factory) == TSI_OK);
+ GPR_ASSERT(tsi_create_ssl_client_handshaker_factory_with_options(
+ &options, &client_handshaker_factory) == TSI_OK);
handshaker_factory_destructor_called = false;
original_vtable = tsi_ssl_handshaker_factory_swap_vtable(
@@ -608,7 +677,7 @@ void test_tsi_ssl_client_handshaker_factory_refcounting() {
tsi_handshaker_destroy(handshaker[2]);
GPR_ASSERT(handshaker_factory_destructor_called);
- gpr_free((void*)cert_chain);
+ gpr_free(cert_chain);
}
void test_tsi_ssl_server_handshaker_factory_refcounting() {
@@ -673,6 +742,7 @@ void ssl_tsi_test_handshaker_factory_internals() {
int main(int argc, char** argv) {
grpc_test_init(argc, argv);
grpc_init();
+
ssl_tsi_test_do_handshake_tiny_handshake_buffer();
ssl_tsi_test_do_handshake_small_handshake_buffer();
ssl_tsi_test_do_handshake();
@@ -688,6 +758,7 @@ int main(int argc, char** argv) {
#endif
ssl_tsi_test_do_handshake_alpn_server_no_client();
ssl_tsi_test_do_handshake_alpn_client_server_ok();
+ ssl_tsi_test_do_handshake_session_cache();
ssl_tsi_test_do_round_trip_for_all_configs();
ssl_tsi_test_do_round_trip_odd_buffer_size();
ssl_tsi_test_handshaker_factory_internals();