aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/lib/security/security_connector/security_connector.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/lib/security/security_connector/security_connector.cc')
-rw-r--r--src/core/lib/security/security_connector/security_connector.cc49
1 files changed, 26 insertions, 23 deletions
diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc
index 3551061aa4..b54a7643e4 100644
--- a/src/core/lib/security/security_connector/security_connector.cc
+++ b/src/core/lib/security/security_connector/security_connector.cc
@@ -44,7 +44,6 @@
#include "src/core/lib/security/transport/target_authority_table.h"
#include "src/core/tsi/fake_transport_security.h"
#include "src/core/tsi/ssl_transport_security.h"
-#include "src/core/tsi/transport_security_adapter.h"
grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount(
false, "security_connector_refcount");
@@ -70,8 +69,11 @@ void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
/* Defines the cipher suites that we accept by default. All these cipher suites
are compliant with HTTP2. */
-#define GRPC_SSL_CIPHER_SUITES \
- "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
+#define GRPC_SSL_CIPHER_SUITES \
+ "ECDHE-ECDSA-AES128-GCM-SHA256:" \
+ "ECDHE-ECDSA-AES256-GCM-SHA384:" \
+ "ECDHE-RSA-AES128-GCM-SHA256:" \
+ "ECDHE-RSA-AES256-GCM-SHA384"
static gpr_once cipher_suites_once = GPR_ONCE_INIT;
static const char* cipher_suites = nullptr;
@@ -673,8 +675,7 @@ static void ssl_channel_add_handshakers(grpc_channel_security_connector* sc,
}
// Create handshakers.
grpc_handshake_manager_add(
- handshake_mgr, grpc_security_handshaker_create(
- tsi_create_adapter_handshaker(tsi_hs), &sc->base));
+ handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
}
static const char** fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
@@ -782,27 +783,29 @@ static void ssl_server_add_handshakers(grpc_server_security_connector* sc,
}
// Create handshakers.
grpc_handshake_manager_add(
- handshake_mgr, grpc_security_handshaker_create(
- tsi_create_adapter_handshaker(tsi_hs), &sc->base));
+ handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
}
-static int ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
+int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
char* allocated_name = nullptr;
int r;
- if (strchr(peer_name, ':') != nullptr) {
- char* ignored_port;
- gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
- gpr_free(ignored_port);
- peer_name = allocated_name;
- if (!peer_name) return 0;
- }
+ char* ignored_port;
+ gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
+ gpr_free(ignored_port);
+ peer_name = allocated_name;
+ if (!peer_name) return 0;
+
+ // IPv6 zone-id should not be included in comparisons.
+ char* const zone_id = strchr(allocated_name, '%');
+ if (zone_id != nullptr) *zone_id = '\0';
+
r = tsi_ssl_peer_matches_name(peer, peer_name);
gpr_free(allocated_name);
return r;
}
-grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer) {
+grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) {
size_t i;
grpc_auth_context* ctx = nullptr;
const char* peer_identity_property_name = nullptr;
@@ -859,14 +862,14 @@ static grpc_error* ssl_check_peer(grpc_security_connector* sc,
}
/* Check the peer name if specified. */
- if (peer_name != nullptr && !ssl_host_matches_name(peer, peer_name)) {
+ if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
char* msg;
gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
gpr_free(msg);
return error;
}
- *auth_context = tsi_ssl_peer_to_auth_context(peer);
+ *auth_context = grpc_ssl_peer_to_auth_context(peer);
return GRPC_ERROR_NONE;
}
@@ -924,7 +927,7 @@ static void add_shallow_auth_property_to_peer(tsi_peer* peer,
tsi_prop->value.length = prop->value_length;
}
-tsi_peer tsi_shallow_peer_from_ssl_auth_context(
+tsi_peer grpc_shallow_peer_from_ssl_auth_context(
const grpc_auth_context* auth_context) {
size_t max_num_props = 0;
grpc_auth_property_iterator it;
@@ -955,7 +958,7 @@ tsi_peer tsi_shallow_peer_from_ssl_auth_context(
return peer;
}
-void tsi_shallow_peer_destruct(tsi_peer* peer) {
+void grpc_shallow_peer_destruct(tsi_peer* peer) {
if (peer->properties != nullptr) gpr_free(peer->properties);
}
@@ -967,8 +970,8 @@ static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc,
grpc_ssl_channel_security_connector* c =
reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
grpc_security_status status = GRPC_SECURITY_ERROR;
- tsi_peer peer = tsi_shallow_peer_from_ssl_auth_context(auth_context);
- if (ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
+ tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
+ if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
/* If the target name was overridden, then the original target_name was
'checked' transitively during the previous peer check at the end of the
handshake. */
@@ -980,7 +983,7 @@ static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc,
*error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"call host does not match SSL server name");
}
- tsi_shallow_peer_destruct(&peer);
+ grpc_shallow_peer_destruct(&peer);
return true;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-05 12:53:11 +0000