diff options
Diffstat (limited to 'src/core/lib/security/security_connector/security_connector.cc')
-rw-r--r-- | src/core/lib/security/security_connector/security_connector.cc | 49 |
1 files changed, 26 insertions, 23 deletions
diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc index 3551061aa4..b54a7643e4 100644 --- a/src/core/lib/security/security_connector/security_connector.cc +++ b/src/core/lib/security/security_connector/security_connector.cc @@ -44,7 +44,6 @@ #include "src/core/lib/security/transport/target_authority_table.h" #include "src/core/tsi/fake_transport_security.h" #include "src/core/tsi/ssl_transport_security.h" -#include "src/core/tsi/transport_security_adapter.h" grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount( false, "security_connector_refcount"); @@ -70,8 +69,11 @@ void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) { /* Defines the cipher suites that we accept by default. All these cipher suites are compliant with HTTP2. */ -#define GRPC_SSL_CIPHER_SUITES \ - "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384" +#define GRPC_SSL_CIPHER_SUITES \ + "ECDHE-ECDSA-AES128-GCM-SHA256:" \ + "ECDHE-ECDSA-AES256-GCM-SHA384:" \ + "ECDHE-RSA-AES128-GCM-SHA256:" \ + "ECDHE-RSA-AES256-GCM-SHA384" static gpr_once cipher_suites_once = GPR_ONCE_INIT; static const char* cipher_suites = nullptr; @@ -673,8 +675,7 @@ static void ssl_channel_add_handshakers(grpc_channel_security_connector* sc, } // Create handshakers. grpc_handshake_manager_add( - handshake_mgr, grpc_security_handshaker_create( - tsi_create_adapter_handshaker(tsi_hs), &sc->base)); + handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base)); } static const char** fill_alpn_protocol_strings(size_t* num_alpn_protocols) { @@ -782,27 +783,29 @@ static void ssl_server_add_handshakers(grpc_server_security_connector* sc, } // Create handshakers. grpc_handshake_manager_add( - handshake_mgr, grpc_security_handshaker_create( - tsi_create_adapter_handshaker(tsi_hs), &sc->base)); + handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base)); } -static int ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) { +int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) { char* allocated_name = nullptr; int r; - if (strchr(peer_name, ':') != nullptr) { - char* ignored_port; - gpr_split_host_port(peer_name, &allocated_name, &ignored_port); - gpr_free(ignored_port); - peer_name = allocated_name; - if (!peer_name) return 0; - } + char* ignored_port; + gpr_split_host_port(peer_name, &allocated_name, &ignored_port); + gpr_free(ignored_port); + peer_name = allocated_name; + if (!peer_name) return 0; + + // IPv6 zone-id should not be included in comparisons. + char* const zone_id = strchr(allocated_name, '%'); + if (zone_id != nullptr) *zone_id = '\0'; + r = tsi_ssl_peer_matches_name(peer, peer_name); gpr_free(allocated_name); return r; } -grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer) { +grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) { size_t i; grpc_auth_context* ctx = nullptr; const char* peer_identity_property_name = nullptr; @@ -859,14 +862,14 @@ static grpc_error* ssl_check_peer(grpc_security_connector* sc, } /* Check the peer name if specified. */ - if (peer_name != nullptr && !ssl_host_matches_name(peer, peer_name)) { + if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) { char* msg; gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name); grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); gpr_free(msg); return error; } - *auth_context = tsi_ssl_peer_to_auth_context(peer); + *auth_context = grpc_ssl_peer_to_auth_context(peer); return GRPC_ERROR_NONE; } @@ -924,7 +927,7 @@ static void add_shallow_auth_property_to_peer(tsi_peer* peer, tsi_prop->value.length = prop->value_length; } -tsi_peer tsi_shallow_peer_from_ssl_auth_context( +tsi_peer grpc_shallow_peer_from_ssl_auth_context( const grpc_auth_context* auth_context) { size_t max_num_props = 0; grpc_auth_property_iterator it; @@ -955,7 +958,7 @@ tsi_peer tsi_shallow_peer_from_ssl_auth_context( return peer; } -void tsi_shallow_peer_destruct(tsi_peer* peer) { +void grpc_shallow_peer_destruct(tsi_peer* peer) { if (peer->properties != nullptr) gpr_free(peer->properties); } @@ -967,8 +970,8 @@ static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc, grpc_ssl_channel_security_connector* c = reinterpret_cast<grpc_ssl_channel_security_connector*>(sc); grpc_security_status status = GRPC_SECURITY_ERROR; - tsi_peer peer = tsi_shallow_peer_from_ssl_auth_context(auth_context); - if (ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; + tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context); + if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; /* If the target name was overridden, then the original target_name was 'checked' transitively during the previous peer check at the end of the handshake. */ @@ -980,7 +983,7 @@ static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc, *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( "call host does not match SSL server name"); } - tsi_shallow_peer_destruct(&peer); + grpc_shallow_peer_destruct(&peer); return true; } |