1 /*
2 *
3 * Copyright 2017 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include "src/core/tsi/ssl_transport_security.h"
20
21 #include <grpc/grpc.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/log.h>
24 #include <grpc/support/string_util.h>
25 #include <stdbool.h>
26 #include <stdio.h>
27 #include <string.h>
28
29 #include "src/core/lib/iomgr/load_file.h"
30 #include "src/core/lib/security/security_connector/security_connector.h"
31 #include "src/core/tsi/transport_security.h"
32 #include "src/core/tsi/transport_security_interface.h"
33 #include "test/core/tsi/transport_security_test_lib.h"
34 #include "test/core/util/test_config.h"
35
36 extern "C" {
37 #include <openssl/crypto.h>
38 #include <openssl/pem.h>
39 }
40
41 #define SSL_TSI_TEST_ALPN1 "foo"
42 #define SSL_TSI_TEST_ALPN2 "toto"
43 #define SSL_TSI_TEST_ALPN3 "baz"
44 #define SSL_TSI_TEST_ALPN_NUM 2
45 #define SSL_TSI_TEST_SERVER_KEY_CERT_PAIRS_NUM 2
46 #define SSL_TSI_TEST_BAD_SERVER_KEY_CERT_PAIRS_NUM 1
47 #define SSL_TSI_TEST_CREDENTIALS_DIR "src/core/tsi/test_creds/"
48 #define SSL_TSI_TEST_WRONG_SNI "test.google.cn"
49
50 // OpenSSL 1.1 uses AES256 for encryption session ticket by default so specify
51 // different STEK size.
52 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_IS_BORINGSSL)
53 const size_t kSessionTicketEncryptionKeySize = 80;
54 #else
55 const size_t kSessionTicketEncryptionKeySize = 48;
56 #endif
57
58 // Indicates the TLS version used for the test.
59 static tsi_tls_version test_tls_version = tsi_tls_version::TSI_TLS1_3;
60
61 typedef enum AlpnMode {
62 NO_ALPN,
63 ALPN_CLIENT_NO_SERVER,
64 ALPN_SERVER_NO_CLIENT,
65 ALPN_CLIENT_SERVER_OK,
66 ALPN_CLIENT_SERVER_MISMATCH
67 } AlpnMode;
68
69 typedef struct ssl_alpn_lib {
70 AlpnMode alpn_mode;
71 const char** server_alpn_protocols;
72 const char** client_alpn_protocols;
73 uint16_t num_server_alpn_protocols;
74 uint16_t num_client_alpn_protocols;
75 } ssl_alpn_lib;
76
77 typedef struct ssl_key_cert_lib {
78 bool use_bad_server_cert;
79 bool use_bad_client_cert;
80 bool use_root_store;
81 char* root_cert;
82 tsi_ssl_root_certs_store* root_store;
83 tsi_ssl_pem_key_cert_pair* server_pem_key_cert_pairs;
84 tsi_ssl_pem_key_cert_pair* bad_server_pem_key_cert_pairs;
85 tsi_ssl_pem_key_cert_pair client_pem_key_cert_pair;
86 tsi_ssl_pem_key_cert_pair bad_client_pem_key_cert_pair;
87 uint16_t server_num_key_cert_pairs;
88 uint16_t bad_server_num_key_cert_pairs;
89 } ssl_key_cert_lib;
90
91 typedef struct ssl_tsi_test_fixture {
92 tsi_test_fixture base;
93 ssl_key_cert_lib* key_cert_lib;
94 ssl_alpn_lib* alpn_lib;
95 bool force_client_auth;
96 char* server_name_indication;
97 tsi_ssl_session_cache* session_cache;
98 bool session_reused;
99 const char* session_ticket_key;
100 size_t session_ticket_key_size;
101 tsi_ssl_server_handshaker_factory* server_handshaker_factory;
102 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
103 } ssl_tsi_test_fixture;
104
ssl_test_setup_handshakers(tsi_test_fixture * fixture)105 static void ssl_test_setup_handshakers(tsi_test_fixture* fixture) {
106 ssl_tsi_test_fixture* ssl_fixture =
107 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
108 GPR_ASSERT(ssl_fixture != nullptr);
109 GPR_ASSERT(ssl_fixture->key_cert_lib != nullptr);
110 GPR_ASSERT(ssl_fixture->alpn_lib != nullptr);
111 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
112 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
113 /* Create client handshaker factory. */
114 tsi_ssl_client_handshaker_options client_options;
115 client_options.pem_root_certs = key_cert_lib->root_cert;
116 if (ssl_fixture->force_client_auth) {
117 client_options.pem_key_cert_pair =
118 key_cert_lib->use_bad_client_cert
119 ? &key_cert_lib->bad_client_pem_key_cert_pair
120 : &key_cert_lib->client_pem_key_cert_pair;
121 }
122 if (alpn_lib->alpn_mode == ALPN_CLIENT_NO_SERVER ||
123 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
124 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
125 client_options.alpn_protocols = alpn_lib->client_alpn_protocols;
126 client_options.num_alpn_protocols = alpn_lib->num_client_alpn_protocols;
127 }
128 client_options.root_store =
129 key_cert_lib->use_root_store ? key_cert_lib->root_store : nullptr;
130 if (ssl_fixture->session_cache != nullptr) {
131 client_options.session_cache = ssl_fixture->session_cache;
132 }
133 client_options.min_tls_version = test_tls_version;
134 client_options.max_tls_version = test_tls_version;
135 GPR_ASSERT(tsi_create_ssl_client_handshaker_factory_with_options(
136 &client_options, &ssl_fixture->client_handshaker_factory) ==
137 TSI_OK);
138 /* Create server handshaker factory. */
139 tsi_ssl_server_handshaker_options server_options;
140 if (alpn_lib->alpn_mode == ALPN_SERVER_NO_CLIENT ||
141 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
142 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
143 server_options.alpn_protocols = alpn_lib->server_alpn_protocols;
144 server_options.num_alpn_protocols = alpn_lib->num_server_alpn_protocols;
145 if (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
146 server_options.num_alpn_protocols--;
147 }
148 }
149 server_options.pem_key_cert_pairs =
150 key_cert_lib->use_bad_server_cert
151 ? key_cert_lib->bad_server_pem_key_cert_pairs
152 : key_cert_lib->server_pem_key_cert_pairs;
153 server_options.num_key_cert_pairs =
154 key_cert_lib->use_bad_server_cert
155 ? key_cert_lib->bad_server_num_key_cert_pairs
156 : key_cert_lib->server_num_key_cert_pairs;
157 server_options.pem_client_root_certs = key_cert_lib->root_cert;
158 if (ssl_fixture->force_client_auth) {
159 server_options.client_certificate_request =
160 TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
161 } else {
162 server_options.client_certificate_request =
163 TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
164 }
165 server_options.session_ticket_key = ssl_fixture->session_ticket_key;
166 server_options.session_ticket_key_size = ssl_fixture->session_ticket_key_size;
167 server_options.min_tls_version = test_tls_version;
168 server_options.max_tls_version = test_tls_version;
169 GPR_ASSERT(tsi_create_ssl_server_handshaker_factory_with_options(
170 &server_options, &ssl_fixture->server_handshaker_factory) ==
171 TSI_OK);
172 /* Create server and client handshakers. */
173 GPR_ASSERT(tsi_ssl_client_handshaker_factory_create_handshaker(
174 ssl_fixture->client_handshaker_factory,
175 ssl_fixture->server_name_indication,
176 &ssl_fixture->base.client_handshaker) == TSI_OK);
177 GPR_ASSERT(tsi_ssl_server_handshaker_factory_create_handshaker(
178 ssl_fixture->server_handshaker_factory,
179 &ssl_fixture->base.server_handshaker) == TSI_OK);
180 }
181
check_alpn(ssl_tsi_test_fixture * ssl_fixture,const tsi_peer * peer)182 static void check_alpn(ssl_tsi_test_fixture* ssl_fixture,
183 const tsi_peer* peer) {
184 GPR_ASSERT(ssl_fixture != nullptr);
185 GPR_ASSERT(ssl_fixture->alpn_lib != nullptr);
186 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
187 const tsi_peer_property* alpn_property =
188 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
189 if (alpn_lib->alpn_mode != ALPN_CLIENT_SERVER_OK) {
190 GPR_ASSERT(alpn_property == nullptr);
191 } else {
192 GPR_ASSERT(alpn_property != nullptr);
193 const char* expected_match = "baz";
194 GPR_ASSERT(memcmp(alpn_property->value.data, expected_match,
195 alpn_property->value.length) == 0);
196 }
197 }
198
check_security_level(const tsi_peer * peer)199 static void check_security_level(const tsi_peer* peer) {
200 const tsi_peer_property* security_level =
201 tsi_peer_get_property_by_name(peer, TSI_SECURITY_LEVEL_PEER_PROPERTY);
202 GPR_ASSERT(security_level != nullptr);
203 const char* expected_match = "TSI_PRIVACY_AND_INTEGRITY";
204 GPR_ASSERT(memcmp(security_level->value.data, expected_match,
205 security_level->value.length) == 0);
206 }
207
208 static const tsi_peer_property*
check_basic_authenticated_peer_and_get_common_name(const tsi_peer * peer)209 check_basic_authenticated_peer_and_get_common_name(const tsi_peer* peer) {
210 const tsi_peer_property* cert_type_property =
211 tsi_peer_get_property_by_name(peer, TSI_CERTIFICATE_TYPE_PEER_PROPERTY);
212 GPR_ASSERT(cert_type_property != nullptr);
213 GPR_ASSERT(memcmp(cert_type_property->value.data, TSI_X509_CERTIFICATE_TYPE,
214 cert_type_property->value.length) == 0);
215 const tsi_peer_property* property = tsi_peer_get_property_by_name(
216 peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
217 GPR_ASSERT(property != nullptr);
218 return property;
219 }
220
check_session_reusage(ssl_tsi_test_fixture * ssl_fixture,tsi_peer * peer)221 static void check_session_reusage(ssl_tsi_test_fixture* ssl_fixture,
222 tsi_peer* peer) {
223 const tsi_peer_property* session_reused =
224 tsi_peer_get_property_by_name(peer, TSI_SSL_SESSION_REUSED_PEER_PROPERTY);
225 GPR_ASSERT(session_reused != nullptr);
226 if (ssl_fixture->session_reused) {
227 GPR_ASSERT(strncmp(session_reused->value.data, "true",
228 session_reused->value.length) == 0);
229 } else {
230 GPR_ASSERT(strncmp(session_reused->value.data, "false",
231 session_reused->value.length) == 0);
232 }
233 }
234
check_server0_peer(tsi_peer * peer)235 void check_server0_peer(tsi_peer* peer) {
236 const tsi_peer_property* property =
237 check_basic_authenticated_peer_and_get_common_name(peer);
238 const char* expected_match = "*.test.google.com.au";
239 GPR_ASSERT(memcmp(property->value.data, expected_match,
240 property->value.length) == 0);
241 GPR_ASSERT(tsi_peer_get_property_by_name(
242 peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) ==
243 nullptr);
244 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "foo.test.google.com.au") == 1);
245 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "bar.test.google.com.au") == 1);
246 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "BAR.TEST.GOOGLE.COM.AU") == 1);
247 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "Bar.Test.Google.Com.Au") == 1);
248 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "bAr.TeST.gOOgle.cOm.AU") == 1);
249 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "bar.test.google.blah") == 0);
250 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "foo.bar.test.google.com.au") ==
251 0);
252 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "test.google.com.au") == 0);
253 tsi_peer_destruct(peer);
254 }
255
check_subject_alt_name(tsi_peer * peer,const char * name)256 static bool check_subject_alt_name(tsi_peer* peer, const char* name) {
257 for (size_t i = 0; i < peer->property_count; i++) {
258 const tsi_peer_property* prop = &peer->properties[i];
259 if (strcmp(prop->name, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) ==
260 0) {
261 if (strlen(name) == prop->value.length &&
262 memcmp(prop->value.data, name, prop->value.length) == 0) {
263 return true;
264 }
265 }
266 }
267 return false;
268 }
269
check_uri(tsi_peer * peer,const char * name)270 static bool check_uri(tsi_peer* peer, const char* name) {
271 for (size_t i = 0; i < peer->property_count; i++) {
272 const tsi_peer_property* prop = &peer->properties[i];
273 if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
274 if (strlen(name) == prop->value.length &&
275 memcmp(prop->value.data, name, prop->value.length) == 0) {
276 return true;
277 }
278 }
279 }
280 return false;
281 }
282
check_server1_peer(tsi_peer * peer)283 void check_server1_peer(tsi_peer* peer) {
284 const tsi_peer_property* property =
285 check_basic_authenticated_peer_and_get_common_name(peer);
286 const char* expected_match = "*.test.google.com";
287 GPR_ASSERT(memcmp(property->value.data, expected_match,
288 property->value.length) == 0);
289 GPR_ASSERT(check_subject_alt_name(peer, "*.test.google.fr") == 1);
290 GPR_ASSERT(check_subject_alt_name(peer, "waterzooi.test.google.be") == 1);
291 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "foo.test.google.fr") == 1);
292 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "bar.test.google.fr") == 1);
293 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "waterzooi.test.google.be") == 1);
294 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "foo.test.youtube.com") == 1);
295 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "bar.foo.test.google.com") == 0);
296 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "test.google.fr") == 0);
297 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "tartines.test.google.be") == 0);
298 GPR_ASSERT(tsi_ssl_peer_matches_name(peer, "tartines.youtube.com") == 0);
299 tsi_peer_destruct(peer);
300 }
301
check_client_peer(ssl_tsi_test_fixture * ssl_fixture,tsi_peer * peer)302 static void check_client_peer(ssl_tsi_test_fixture* ssl_fixture,
303 tsi_peer* peer) {
304 GPR_ASSERT(ssl_fixture != nullptr);
305 GPR_ASSERT(ssl_fixture->alpn_lib != nullptr);
306 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
307 if (!ssl_fixture->force_client_auth) {
308 GPR_ASSERT(peer->property_count ==
309 (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ? 3 : 2));
310 } else {
311 const tsi_peer_property* property =
312 check_basic_authenticated_peer_and_get_common_name(peer);
313 const char* expected_match = "testclient";
314 GPR_ASSERT(memcmp(property->value.data, expected_match,
315 property->value.length) == 0);
316 }
317 tsi_peer_destruct(peer);
318 }
319
ssl_test_check_handshaker_peers(tsi_test_fixture * fixture)320 static void ssl_test_check_handshaker_peers(tsi_test_fixture* fixture) {
321 ssl_tsi_test_fixture* ssl_fixture =
322 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
323 GPR_ASSERT(ssl_fixture != nullptr);
324 GPR_ASSERT(ssl_fixture->key_cert_lib != nullptr);
325 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
326 tsi_peer peer;
327 // In TLS 1.3, the client-side handshake succeeds even if the client sends a
328 // bad certificate. In such a case, the server would fail the TLS handshake
329 // and send an alert to the client as the first application data message. In
330 // TLS 1.2, the client-side handshake will fail if the client sends a bad
331 // certificate.
332 bool expect_server_success =
333 !(key_cert_lib->use_bad_server_cert ||
334 (key_cert_lib->use_bad_client_cert && ssl_fixture->force_client_auth));
335 bool expect_client_success = test_tls_version == tsi_tls_version::TSI_TLS1_2
336 ? expect_server_success
337 : !key_cert_lib->use_bad_server_cert;
338 if (expect_client_success) {
339 GPR_ASSERT(tsi_handshaker_result_extract_peer(
340 ssl_fixture->base.client_result, &peer) == TSI_OK);
341 check_session_reusage(ssl_fixture, &peer);
342 check_alpn(ssl_fixture, &peer);
343 check_security_level(&peer);
344 if (ssl_fixture->server_name_indication == nullptr ||
345 strcmp(ssl_fixture->server_name_indication, SSL_TSI_TEST_WRONG_SNI) ==
346 0) {
347 // Expect server to use default server0.pem.
348 check_server0_peer(&peer);
349 } else {
350 // Expect server to use server1.pem.
351 check_server1_peer(&peer);
352 }
353 } else {
354 GPR_ASSERT(ssl_fixture->base.client_result == nullptr);
355 }
356 if (expect_server_success) {
357 GPR_ASSERT(tsi_handshaker_result_extract_peer(
358 ssl_fixture->base.server_result, &peer) == TSI_OK);
359 check_session_reusage(ssl_fixture, &peer);
360 check_alpn(ssl_fixture, &peer);
361 check_security_level(&peer);
362 check_client_peer(ssl_fixture, &peer);
363 } else {
364 GPR_ASSERT(ssl_fixture->base.server_result == nullptr);
365 }
366 }
367
ssl_test_pem_key_cert_pair_destroy(tsi_ssl_pem_key_cert_pair kp)368 static void ssl_test_pem_key_cert_pair_destroy(tsi_ssl_pem_key_cert_pair kp) {
369 gpr_free((void*)kp.private_key);
370 gpr_free((void*)kp.cert_chain);
371 }
372
ssl_test_destruct(tsi_test_fixture * fixture)373 static void ssl_test_destruct(tsi_test_fixture* fixture) {
374 ssl_tsi_test_fixture* ssl_fixture =
375 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
376 if (ssl_fixture == nullptr) {
377 return;
378 }
379 /* Destroy ssl_alpn_lib. */
380 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
381 for (size_t i = 0; i < alpn_lib->num_server_alpn_protocols; i++) {
382 gpr_free(const_cast<char*>(alpn_lib->server_alpn_protocols[i]));
383 }
384 gpr_free(alpn_lib->server_alpn_protocols);
385 for (size_t i = 0; i < alpn_lib->num_client_alpn_protocols; i++) {
386 gpr_free(const_cast<char*>(alpn_lib->client_alpn_protocols[i]));
387 }
388 gpr_free(alpn_lib->client_alpn_protocols);
389 gpr_free(alpn_lib);
390 /* Destroy ssl_key_cert_lib. */
391 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
392 for (size_t i = 0; i < key_cert_lib->server_num_key_cert_pairs; i++) {
393 ssl_test_pem_key_cert_pair_destroy(
394 key_cert_lib->server_pem_key_cert_pairs[i]);
395 }
396 gpr_free(key_cert_lib->server_pem_key_cert_pairs);
397 for (size_t i = 0; i < key_cert_lib->bad_server_num_key_cert_pairs; i++) {
398 ssl_test_pem_key_cert_pair_destroy(
399 key_cert_lib->bad_server_pem_key_cert_pairs[i]);
400 }
401 gpr_free(key_cert_lib->bad_server_pem_key_cert_pairs);
402 ssl_test_pem_key_cert_pair_destroy(key_cert_lib->client_pem_key_cert_pair);
403 ssl_test_pem_key_cert_pair_destroy(
404 key_cert_lib->bad_client_pem_key_cert_pair);
405 gpr_free(key_cert_lib->root_cert);
406 tsi_ssl_root_certs_store_destroy(key_cert_lib->root_store);
407 gpr_free(key_cert_lib);
408 if (ssl_fixture->session_cache != nullptr) {
409 tsi_ssl_session_cache_unref(ssl_fixture->session_cache);
410 }
411 /* Unreference others. */
412 tsi_ssl_server_handshaker_factory_unref(
413 ssl_fixture->server_handshaker_factory);
414 tsi_ssl_client_handshaker_factory_unref(
415 ssl_fixture->client_handshaker_factory);
416 }
417
418 static const struct tsi_test_fixture_vtable vtable = {
419 ssl_test_setup_handshakers, ssl_test_check_handshaker_peers,
420 ssl_test_destruct};
421
load_file(const char * dir_path,const char * file_name)422 static char* load_file(const char* dir_path, const char* file_name) {
423 char* file_path = static_cast<char*>(
424 gpr_zalloc(sizeof(char) * (strlen(dir_path) + strlen(file_name) + 1)));
425 memcpy(file_path, dir_path, strlen(dir_path));
426 memcpy(file_path + strlen(dir_path), file_name, strlen(file_name));
427 grpc_slice slice;
428 GPR_ASSERT(grpc_load_file(file_path, 1, &slice) == GRPC_ERROR_NONE);
429 char* data = grpc_slice_to_c_string(slice);
430 grpc_slice_unref(slice);
431 gpr_free(file_path);
432 return data;
433 }
434
ssl_tsi_test_fixture_create()435 static tsi_test_fixture* ssl_tsi_test_fixture_create() {
436 ssl_tsi_test_fixture* ssl_fixture =
437 static_cast<ssl_tsi_test_fixture*>(gpr_zalloc(sizeof(*ssl_fixture)));
438 tsi_test_fixture_init(&ssl_fixture->base);
439 ssl_fixture->base.test_unused_bytes = true;
440 ssl_fixture->base.vtable = &vtable;
441 /* Create ssl_key_cert_lib. */
442 ssl_key_cert_lib* key_cert_lib =
443 static_cast<ssl_key_cert_lib*>(gpr_zalloc(sizeof(*key_cert_lib)));
444 key_cert_lib->use_bad_server_cert = false;
445 key_cert_lib->use_bad_client_cert = false;
446 key_cert_lib->use_root_store = false;
447 key_cert_lib->server_num_key_cert_pairs =
448 SSL_TSI_TEST_SERVER_KEY_CERT_PAIRS_NUM;
449 key_cert_lib->bad_server_num_key_cert_pairs =
450 SSL_TSI_TEST_BAD_SERVER_KEY_CERT_PAIRS_NUM;
451 key_cert_lib->server_pem_key_cert_pairs =
452 static_cast<tsi_ssl_pem_key_cert_pair*>(
453 gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
454 key_cert_lib->server_num_key_cert_pairs));
455 key_cert_lib->bad_server_pem_key_cert_pairs =
456 static_cast<tsi_ssl_pem_key_cert_pair*>(
457 gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
458 key_cert_lib->bad_server_num_key_cert_pairs));
459 key_cert_lib->server_pem_key_cert_pairs[0].private_key =
460 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server0.key");
461 key_cert_lib->server_pem_key_cert_pairs[0].cert_chain =
462 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server0.pem");
463 key_cert_lib->server_pem_key_cert_pairs[1].private_key =
464 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server1.key");
465 key_cert_lib->server_pem_key_cert_pairs[1].cert_chain =
466 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server1.pem");
467 key_cert_lib->bad_server_pem_key_cert_pairs[0].private_key =
468 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "badserver.key");
469 key_cert_lib->bad_server_pem_key_cert_pairs[0].cert_chain =
470 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "badserver.pem");
471 key_cert_lib->client_pem_key_cert_pair.private_key =
472 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "client.key");
473 key_cert_lib->client_pem_key_cert_pair.cert_chain =
474 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "client.pem");
475 key_cert_lib->bad_client_pem_key_cert_pair.private_key =
476 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "badclient.key");
477 key_cert_lib->bad_client_pem_key_cert_pair.cert_chain =
478 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "badclient.pem");
479 key_cert_lib->root_cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "ca.pem");
480 key_cert_lib->root_store =
481 tsi_ssl_root_certs_store_create(key_cert_lib->root_cert);
482 GPR_ASSERT(key_cert_lib->root_store != nullptr);
483 ssl_fixture->key_cert_lib = key_cert_lib;
484 /* Create ssl_alpn_lib. */
485 ssl_alpn_lib* alpn_lib =
486 static_cast<ssl_alpn_lib*>(gpr_zalloc(sizeof(*alpn_lib)));
487 alpn_lib->server_alpn_protocols = static_cast<const char**>(
488 gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
489 alpn_lib->client_alpn_protocols = static_cast<const char**>(
490 gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
491 alpn_lib->server_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN1);
492 alpn_lib->server_alpn_protocols[1] = gpr_strdup(SSL_TSI_TEST_ALPN3);
493 alpn_lib->client_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN2);
494 alpn_lib->client_alpn_protocols[1] = gpr_strdup(SSL_TSI_TEST_ALPN3);
495 alpn_lib->num_server_alpn_protocols = SSL_TSI_TEST_ALPN_NUM;
496 alpn_lib->num_client_alpn_protocols = SSL_TSI_TEST_ALPN_NUM;
497 alpn_lib->alpn_mode = NO_ALPN;
498 ssl_fixture->alpn_lib = alpn_lib;
499 ssl_fixture->base.vtable = &vtable;
500 ssl_fixture->server_name_indication = nullptr;
501 ssl_fixture->session_reused = false;
502 ssl_fixture->session_ticket_key = nullptr;
503 ssl_fixture->session_ticket_key_size = 0;
504 ssl_fixture->force_client_auth = false;
505 return &ssl_fixture->base;
506 }
507
ssl_tsi_test_do_handshake_tiny_handshake_buffer()508 void ssl_tsi_test_do_handshake_tiny_handshake_buffer() {
509 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_tiny_handshake_buffer");
510 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
511 fixture->handshake_buffer_size = TSI_TEST_TINY_HANDSHAKE_BUFFER_SIZE;
512 // Handshake buffer is too small to hold both handshake messages and the
513 // unused bytes.
514 fixture->test_unused_bytes = false;
515 tsi_test_do_handshake(fixture);
516 tsi_test_fixture_destroy(fixture);
517 }
518
ssl_tsi_test_do_handshake_small_handshake_buffer()519 void ssl_tsi_test_do_handshake_small_handshake_buffer() {
520 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_small_handshake_buffer");
521 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
522 fixture->handshake_buffer_size = TSI_TEST_SMALL_HANDSHAKE_BUFFER_SIZE;
523 tsi_test_do_handshake(fixture);
524 tsi_test_fixture_destroy(fixture);
525 }
526
ssl_tsi_test_do_handshake()527 void ssl_tsi_test_do_handshake() {
528 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake");
529 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
530 tsi_test_do_handshake(fixture);
531 tsi_test_fixture_destroy(fixture);
532 }
533
ssl_tsi_test_do_handshake_with_root_store()534 void ssl_tsi_test_do_handshake_with_root_store() {
535 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_root_store");
536 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
537 ssl_tsi_test_fixture* ssl_fixture =
538 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
539 ssl_fixture->key_cert_lib->use_root_store = true;
540 tsi_test_do_handshake(fixture);
541 tsi_test_fixture_destroy(fixture);
542 }
543
ssl_tsi_test_do_handshake_with_client_authentication()544 void ssl_tsi_test_do_handshake_with_client_authentication() {
545 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_client_authentication");
546 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
547 ssl_tsi_test_fixture* ssl_fixture =
548 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
549 ssl_fixture->force_client_auth = true;
550 tsi_test_do_handshake(fixture);
551 tsi_test_fixture_destroy(fixture);
552 }
553
ssl_tsi_test_do_handshake_with_client_authentication_and_root_store()554 void ssl_tsi_test_do_handshake_with_client_authentication_and_root_store() {
555 gpr_log(
556 GPR_INFO,
557 "ssl_tsi_test_do_handshake_with_client_authentication_and_root_store");
558 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
559 ssl_tsi_test_fixture* ssl_fixture =
560 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
561 ssl_fixture->force_client_auth = true;
562 ssl_fixture->key_cert_lib->use_root_store = true;
563 tsi_test_do_handshake(fixture);
564 tsi_test_fixture_destroy(fixture);
565 }
566
ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain()567 void ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain() {
568 gpr_log(GPR_INFO,
569 "ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain");
570 /* server1 cert contains "waterzooi.test.google.be" in SAN. */
571 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
572 ssl_tsi_test_fixture* ssl_fixture =
573 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
574 ssl_fixture->server_name_indication =
575 const_cast<char*>("waterzooi.test.google.be");
576 tsi_test_do_handshake(fixture);
577 tsi_test_fixture_destroy(fixture);
578 }
579
ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain()580 void ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain() {
581 gpr_log(
582 GPR_INFO,
583 "ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain");
584 /* server1 cert contains "*.test.google.fr" in SAN. */
585 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
586 ssl_tsi_test_fixture* ssl_fixture =
587 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
588 ssl_fixture->server_name_indication =
589 const_cast<char*>("juju.test.google.fr");
590 tsi_test_do_handshake(fixture);
591 tsi_test_fixture_destroy(fixture);
592 }
593
ssl_tsi_test_do_handshake_with_wrong_server_name_indication()594 void ssl_tsi_test_do_handshake_with_wrong_server_name_indication() {
595 gpr_log(GPR_INFO,
596 "ssl_tsi_test_do_handshake_with_wrong_server_name_indication");
597 /* server certs do not contain "test.google.cn". */
598 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
599 ssl_tsi_test_fixture* ssl_fixture =
600 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
601 ssl_fixture->server_name_indication =
602 const_cast<char*>(SSL_TSI_TEST_WRONG_SNI);
603 tsi_test_do_handshake(fixture);
604 tsi_test_fixture_destroy(fixture);
605 }
606
ssl_tsi_test_do_handshake_with_bad_server_cert()607 void ssl_tsi_test_do_handshake_with_bad_server_cert() {
608 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_bad_server_cert");
609 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
610 ssl_tsi_test_fixture* ssl_fixture =
611 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
612 ssl_fixture->key_cert_lib->use_bad_server_cert = true;
613 tsi_test_do_handshake(fixture);
614 tsi_test_fixture_destroy(fixture);
615 }
616
ssl_tsi_test_do_handshake_with_bad_client_cert()617 void ssl_tsi_test_do_handshake_with_bad_client_cert() {
618 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_bad_client_cert");
619 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
620 ssl_tsi_test_fixture* ssl_fixture =
621 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
622 ssl_fixture->key_cert_lib->use_bad_client_cert = true;
623 ssl_fixture->force_client_auth = true;
624 tsi_test_do_handshake(fixture);
625 tsi_test_fixture_destroy(fixture);
626 }
627
ssl_tsi_test_do_handshake_alpn_client_no_server()628 void ssl_tsi_test_do_handshake_alpn_client_no_server() {
629 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_client_no_server");
630 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
631 ssl_tsi_test_fixture* ssl_fixture =
632 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
633 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_NO_SERVER;
634 tsi_test_do_handshake(fixture);
635 tsi_test_fixture_destroy(fixture);
636 }
637
ssl_tsi_test_do_handshake_alpn_server_no_client()638 void ssl_tsi_test_do_handshake_alpn_server_no_client() {
639 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_server_no_client");
640 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
641 ssl_tsi_test_fixture* ssl_fixture =
642 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
643 ssl_fixture->alpn_lib->alpn_mode = ALPN_SERVER_NO_CLIENT;
644 tsi_test_do_handshake(fixture);
645 tsi_test_fixture_destroy(fixture);
646 }
647
ssl_tsi_test_do_handshake_alpn_client_server_mismatch()648 void ssl_tsi_test_do_handshake_alpn_client_server_mismatch() {
649 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_server_no_client");
650 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
651 ssl_tsi_test_fixture* ssl_fixture =
652 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
653 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_SERVER_MISMATCH;
654 tsi_test_do_handshake(fixture);
655 tsi_test_fixture_destroy(fixture);
656 }
657
ssl_tsi_test_do_handshake_alpn_client_server_ok()658 void ssl_tsi_test_do_handshake_alpn_client_server_ok() {
659 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_client_server_ok");
660 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
661 ssl_tsi_test_fixture* ssl_fixture =
662 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
663 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_SERVER_OK;
664 tsi_test_do_handshake(fixture);
665 tsi_test_fixture_destroy(fixture);
666 }
667
ssl_tsi_test_do_round_trip_for_all_configs()668 void ssl_tsi_test_do_round_trip_for_all_configs() {
669 gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_for_all_configs");
670 unsigned int* bit_array = static_cast<unsigned int*>(
671 gpr_zalloc(sizeof(unsigned int) * TSI_TEST_NUM_OF_ARGUMENTS));
672 const unsigned int mask = 1U << (TSI_TEST_NUM_OF_ARGUMENTS - 1);
673 for (unsigned int val = 0; val < TSI_TEST_NUM_OF_COMBINATIONS; val++) {
674 unsigned int v = val;
675 for (unsigned int ind = 0; ind < TSI_TEST_NUM_OF_ARGUMENTS; ind++) {
676 bit_array[ind] = (v & mask) ? 1 : 0;
677 v <<= 1;
678 }
679 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
680 ssl_tsi_test_fixture* ssl_fixture =
681 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
682 tsi_test_frame_protector_config_destroy(ssl_fixture->base.config);
683 ssl_fixture->base.config = tsi_test_frame_protector_config_create(
684 bit_array[0], bit_array[1], bit_array[2], bit_array[3], bit_array[4],
685 bit_array[5], bit_array[6]);
686 tsi_test_do_round_trip(&ssl_fixture->base);
687 tsi_test_fixture_destroy(fixture);
688 }
689 gpr_free(bit_array);
690 }
691
ssl_tsi_test_do_round_trip_odd_buffer_size()692 void ssl_tsi_test_do_round_trip_odd_buffer_size() {
693 gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_odd_buffer_size");
694 #if !defined(MEMORY_SANITIZER) && !defined(GPR_ARCH_32) && !defined(__APPLE__)
695 const size_t odd_sizes[] = {1025, 2051, 4103, 8207, 16409};
696 #else
697 // 1. avoid test being extremely slow under MSAN
698 // 2. on 32-bit, the test is much slower (probably due to lack of boringssl
699 // asm optimizations) so we only run a subset of tests to avoid timeout
700 // 3. on Mac OS, we have slower testing machines so we only run a subset
701 // of tests to avoid timeout
702 const size_t odd_sizes[] = {1025};
703 #endif
704 const size_t size = sizeof(odd_sizes) / sizeof(size_t);
705 for (size_t ind1 = 0; ind1 < size; ind1++) {
706 for (size_t ind2 = 0; ind2 < size; ind2++) {
707 for (size_t ind3 = 0; ind3 < size; ind3++) {
708 for (size_t ind4 = 0; ind4 < size; ind4++) {
709 for (size_t ind5 = 0; ind5 < size; ind5++) {
710 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
711 ssl_tsi_test_fixture* ssl_fixture =
712 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
713 tsi_test_frame_protector_config_set_buffer_size(
714 ssl_fixture->base.config, odd_sizes[ind1], odd_sizes[ind2],
715 odd_sizes[ind3], odd_sizes[ind4], odd_sizes[ind5]);
716 tsi_test_do_round_trip(&ssl_fixture->base);
717 tsi_test_fixture_destroy(fixture);
718 }
719 }
720 }
721 }
722 }
723 }
724
ssl_tsi_test_do_handshake_session_cache()725 void ssl_tsi_test_do_handshake_session_cache() {
726 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_session_cache");
727 tsi_ssl_session_cache* session_cache = tsi_ssl_session_cache_create_lru(16);
728 char session_ticket_key[kSessionTicketEncryptionKeySize];
729 auto do_handshake = [&session_ticket_key,
730 &session_cache](bool session_reused) {
731 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
732 ssl_tsi_test_fixture* ssl_fixture =
733 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
734 ssl_fixture->server_name_indication =
735 const_cast<char*>("waterzooi.test.google.be");
736 ssl_fixture->session_ticket_key = session_ticket_key;
737 ssl_fixture->session_ticket_key_size = sizeof(session_ticket_key);
738 tsi_ssl_session_cache_ref(session_cache);
739 ssl_fixture->session_cache = session_cache;
740 ssl_fixture->session_reused = session_reused;
741 tsi_test_do_round_trip(&ssl_fixture->base);
742 tsi_test_fixture_destroy(fixture);
743 };
744 memset(session_ticket_key, 'a', sizeof(session_ticket_key));
745 do_handshake(false);
746 do_handshake(true);
747 do_handshake(true);
748 // Changing session_ticket_key on server invalidates ticket.
749 memset(session_ticket_key, 'b', sizeof(session_ticket_key));
750 do_handshake(false);
751 do_handshake(true);
752 memset(session_ticket_key, 'c', sizeof(session_ticket_key));
753 do_handshake(false);
754 do_handshake(true);
755 tsi_ssl_session_cache_unref(session_cache);
756 }
757
758 static const tsi_ssl_handshaker_factory_vtable* original_vtable;
759 static bool handshaker_factory_destructor_called;
760
ssl_tsi_test_handshaker_factory_destructor(tsi_ssl_handshaker_factory * factory)761 static void ssl_tsi_test_handshaker_factory_destructor(
762 tsi_ssl_handshaker_factory* factory) {
763 GPR_ASSERT(factory != nullptr);
764 handshaker_factory_destructor_called = true;
765 if (original_vtable != nullptr && original_vtable->destroy != nullptr) {
766 original_vtable->destroy(factory);
767 }
768 }
769
770 static tsi_ssl_handshaker_factory_vtable test_handshaker_factory_vtable = {
771 ssl_tsi_test_handshaker_factory_destructor};
772
test_tsi_ssl_client_handshaker_factory_refcounting()773 void test_tsi_ssl_client_handshaker_factory_refcounting() {
774 int i;
775 char* cert_chain = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "client.pem");
776
777 tsi_ssl_client_handshaker_options options;
778 options.pem_root_certs = cert_chain;
779 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
780 GPR_ASSERT(tsi_create_ssl_client_handshaker_factory_with_options(
781 &options, &client_handshaker_factory) == TSI_OK);
782
783 handshaker_factory_destructor_called = false;
784 original_vtable = tsi_ssl_handshaker_factory_swap_vtable(
785 reinterpret_cast<tsi_ssl_handshaker_factory*>(client_handshaker_factory),
786 &test_handshaker_factory_vtable);
787
788 tsi_handshaker* handshaker[3];
789
790 for (i = 0; i < 3; ++i) {
791 GPR_ASSERT(tsi_ssl_client_handshaker_factory_create_handshaker(
792 client_handshaker_factory, "google.com", &handshaker[i]) ==
793 TSI_OK);
794 }
795
796 tsi_handshaker_destroy(handshaker[1]);
797 GPR_ASSERT(!handshaker_factory_destructor_called);
798
799 tsi_handshaker_destroy(handshaker[0]);
800 GPR_ASSERT(!handshaker_factory_destructor_called);
801
802 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory);
803 GPR_ASSERT(!handshaker_factory_destructor_called);
804
805 tsi_handshaker_destroy(handshaker[2]);
806 GPR_ASSERT(handshaker_factory_destructor_called);
807
808 gpr_free(cert_chain);
809 }
810
test_tsi_ssl_server_handshaker_factory_refcounting()811 void test_tsi_ssl_server_handshaker_factory_refcounting() {
812 int i;
813 tsi_ssl_server_handshaker_factory* server_handshaker_factory;
814 tsi_handshaker* handshaker[3];
815 const char* cert_chain =
816 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server0.pem");
817 tsi_ssl_pem_key_cert_pair cert_pair;
818
819 cert_pair.cert_chain = cert_chain;
820 cert_pair.private_key =
821 load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server0.key");
822 tsi_ssl_server_handshaker_options options;
823 options.pem_key_cert_pairs = &cert_pair;
824 options.num_key_cert_pairs = 1;
825 options.pem_client_root_certs = cert_chain;
826
827 GPR_ASSERT(tsi_create_ssl_server_handshaker_factory_with_options(
828 &options, &server_handshaker_factory) == TSI_OK);
829
830 handshaker_factory_destructor_called = false;
831 original_vtable = tsi_ssl_handshaker_factory_swap_vtable(
832 reinterpret_cast<tsi_ssl_handshaker_factory*>(server_handshaker_factory),
833 &test_handshaker_factory_vtable);
834
835 for (i = 0; i < 3; ++i) {
836 GPR_ASSERT(tsi_ssl_server_handshaker_factory_create_handshaker(
837 server_handshaker_factory, &handshaker[i]) == TSI_OK);
838 }
839
840 tsi_handshaker_destroy(handshaker[1]);
841 GPR_ASSERT(!handshaker_factory_destructor_called);
842
843 tsi_handshaker_destroy(handshaker[0]);
844 GPR_ASSERT(!handshaker_factory_destructor_called);
845
846 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory);
847 GPR_ASSERT(!handshaker_factory_destructor_called);
848
849 tsi_handshaker_destroy(handshaker[2]);
850 GPR_ASSERT(handshaker_factory_destructor_called);
851
852 ssl_test_pem_key_cert_pair_destroy(cert_pair);
853 }
854
855 /* Attempting to create a handshaker factory with invalid parameters should fail
856 * but not crash. */
test_tsi_ssl_client_handshaker_factory_bad_params()857 void test_tsi_ssl_client_handshaker_factory_bad_params() {
858 const char* cert_chain = "This is not a valid PEM file.";
859
860 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
861 tsi_ssl_client_handshaker_options options;
862 options.pem_root_certs = cert_chain;
863 GPR_ASSERT(tsi_create_ssl_client_handshaker_factory_with_options(
864 &options, &client_handshaker_factory) == TSI_INVALID_ARGUMENT);
865 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory);
866 }
867
ssl_tsi_test_handshaker_factory_internals()868 void ssl_tsi_test_handshaker_factory_internals() {
869 gpr_log(GPR_INFO, "ssl_tsi_test_handshaker_factory_internals");
870 test_tsi_ssl_client_handshaker_factory_refcounting();
871 test_tsi_ssl_server_handshaker_factory_refcounting();
872 test_tsi_ssl_client_handshaker_factory_bad_params();
873 }
874
ssl_tsi_test_duplicate_root_certificates()875 void ssl_tsi_test_duplicate_root_certificates() {
876 gpr_log(GPR_INFO, "ssl_tsi_test_duplicate_root_certificates");
877 char* root_cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "ca.pem");
878 char* dup_root_cert = static_cast<char*>(
879 gpr_zalloc(sizeof(char) * (strlen(root_cert) * 2 + 1)));
880 memcpy(dup_root_cert, root_cert, strlen(root_cert));
881 memcpy(dup_root_cert + strlen(root_cert), root_cert, strlen(root_cert));
882 tsi_ssl_root_certs_store* root_store =
883 tsi_ssl_root_certs_store_create(dup_root_cert);
884 GPR_ASSERT(root_store != nullptr);
885 // Free memory.
886 tsi_ssl_root_certs_store_destroy(root_store);
887 gpr_free(root_cert);
888 gpr_free(dup_root_cert);
889 }
890
ssl_tsi_test_extract_x509_subject_names()891 void ssl_tsi_test_extract_x509_subject_names() {
892 gpr_log(GPR_INFO, "ssl_tsi_test_extract_x509_subject_names");
893 char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "multi-domain.pem");
894 tsi_peer peer;
895 GPR_ASSERT(tsi_ssl_extract_x509_subject_names_from_pem_cert(cert, &peer) ==
896 TSI_OK);
897 // tsi_peer should include one common name, one certificate, one security
898 // level, seven SAN fields, three URI fields.
899 size_t expected_property_count = 12;
900 GPR_ASSERT(peer.property_count == expected_property_count);
901 // Check common name
902 const char* expected_cn = "xpigors";
903 const tsi_peer_property* property = tsi_peer_get_property_by_name(
904 &peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
905 GPR_ASSERT(property != nullptr);
906 GPR_ASSERT(
907 memcmp(property->value.data, expected_cn, property->value.length) == 0);
908 // Check certificate data
909 property = tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
910 GPR_ASSERT(property != nullptr);
911 GPR_ASSERT(memcmp(property->value.data, cert, property->value.length) == 0);
912 // Check DNS
913 GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1);
914 GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1);
915 // Check URI
916 // Note that a valid SPIFFE certificate should only have one URI.
917 GPR_ASSERT(check_subject_alt_name(&peer, "spiffe://foo.com/bar/baz") == 1);
918 GPR_ASSERT(
919 check_subject_alt_name(&peer, "https://foo.test.domain.com/test") == 1);
920 GPR_ASSERT(
921 check_subject_alt_name(&peer, "https://bar.test.domain.com/test") == 1);
922 GPR_ASSERT(check_uri(&peer, "spiffe://foo.com/bar/baz") == 1);
923 GPR_ASSERT(check_uri(&peer, "https://foo.test.domain.com/test") == 1);
924 GPR_ASSERT(check_uri(&peer, "https://bar.test.domain.com/test") == 1);
925 // Check email address
926 GPR_ASSERT(check_subject_alt_name(&peer, "foo@test.domain.com") == 1);
927 GPR_ASSERT(check_subject_alt_name(&peer, "bar@test.domain.com") == 1);
928 // Free memory
929 gpr_free(cert);
930 tsi_peer_destruct(&peer);
931 }
932
ssl_tsi_test_extract_cert_chain()933 void ssl_tsi_test_extract_cert_chain() {
934 gpr_log(GPR_INFO, "ssl_tsi_test_extract_cert_chain");
935 char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "server1.pem");
936 char* ca = load_file(SSL_TSI_TEST_CREDENTIALS_DIR, "ca.pem");
937 char* chain = static_cast<char*>(
938 gpr_zalloc(sizeof(char) * (strlen(cert) + strlen(ca) + 1)));
939 memcpy(chain, cert, strlen(cert));
940 memcpy(chain + strlen(cert), ca, strlen(ca));
941 STACK_OF(X509)* cert_chain = sk_X509_new_null();
942 GPR_ASSERT(cert_chain != nullptr);
943 BIO* bio = BIO_new_mem_buf(chain, strlen(chain));
944 GPR_ASSERT(bio != nullptr);
945 STACK_OF(X509_INFO)* certInfos =
946 PEM_X509_INFO_read_bio(bio, nullptr, nullptr, nullptr);
947 GPR_ASSERT(certInfos != nullptr);
948 for (int i = 0; i < sk_X509_INFO_num(certInfos); i++) {
949 X509_INFO* certInfo = sk_X509_INFO_value(certInfos, i);
950 if (certInfo->x509 != nullptr) {
951 GPR_ASSERT(sk_X509_push(cert_chain, certInfo->x509) != 0);
952 X509_up_ref(certInfo->x509);
953 }
954 }
955 tsi_peer_property chain_property;
956 GPR_ASSERT(tsi_ssl_get_cert_chain_contents(cert_chain, &chain_property) ==
957 TSI_OK);
958 GPR_ASSERT(memcmp(chain, chain_property.value.data,
959 chain_property.value.length) == 0);
960 BIO_free(bio);
961 gpr_free(chain);
962 gpr_free(cert);
963 gpr_free(ca);
964 tsi_peer_property_destruct(&chain_property);
965 sk_X509_INFO_pop_free(certInfos, X509_INFO_free);
966 sk_X509_pop_free(cert_chain, X509_free);
967 }
968
main(int argc,char ** argv)969 int main(int argc, char** argv) {
970 grpc::testing::TestEnvironment env(argc, argv);
971 grpc_init();
972 const size_t number_tls_versions = 1;
973 const tsi_tls_version tls_versions[] = {tsi_tls_version::TSI_TLS1_2};
974 for (size_t i = 0; i < number_tls_versions; i++) {
975 // Set the TLS version to be used in the tests.
976 test_tls_version = tls_versions[i];
977 // Run all the tests using that TLS version for both the client and server.
978 ssl_tsi_test_do_handshake_tiny_handshake_buffer();
979 ssl_tsi_test_do_handshake_small_handshake_buffer();
980 ssl_tsi_test_do_handshake();
981 ssl_tsi_test_do_handshake_with_root_store();
982 ssl_tsi_test_do_handshake_with_client_authentication();
983 ssl_tsi_test_do_handshake_with_client_authentication_and_root_store();
984 ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain();
985 ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain();
986 ssl_tsi_test_do_handshake_with_wrong_server_name_indication();
987 ssl_tsi_test_do_handshake_with_bad_server_cert();
988 ssl_tsi_test_do_handshake_with_bad_client_cert();
989 #ifdef OPENSSL_IS_BORINGSSL
990 // BoringSSL and OpenSSL have different behaviors on mismatched ALPN.
991 ssl_tsi_test_do_handshake_alpn_client_no_server();
992 ssl_tsi_test_do_handshake_alpn_client_server_mismatch();
993 #endif
994 ssl_tsi_test_do_handshake_alpn_server_no_client();
995 ssl_tsi_test_do_handshake_alpn_client_server_ok();
996 ssl_tsi_test_do_handshake_session_cache();
997 ssl_tsi_test_do_round_trip_for_all_configs();
998 ssl_tsi_test_do_round_trip_odd_buffer_size();
999 ssl_tsi_test_handshaker_factory_internals();
1000 ssl_tsi_test_duplicate_root_certificates();
1001 ssl_tsi_test_extract_x509_subject_names();
1002 ssl_tsi_test_extract_cert_chain();
1003 }
1004 grpc_shutdown();
1005 return 0;
1006 }
1007