|
|
@@ -96,8 +96,7 @@ struct tsi_ssl_server_handshaker_factory {
|
|
|
typedef struct {
|
|
|
tsi_handshaker base;
|
|
|
SSL* ssl;
|
|
|
- BIO* into_ssl;
|
|
|
- BIO* from_ssl;
|
|
|
+ BIO* network_io;
|
|
|
tsi_result result;
|
|
|
tsi_ssl_handshaker_factory* factory_ref;
|
|
|
} tsi_ssl_handshaker;
|
|
|
@@ -105,8 +104,7 @@ typedef struct {
|
|
|
typedef struct {
|
|
|
tsi_frame_protector base;
|
|
|
SSL* ssl;
|
|
|
- BIO* into_ssl;
|
|
|
- BIO* from_ssl;
|
|
|
+ BIO* network_io;
|
|
|
unsigned char* buffer;
|
|
|
size_t buffer_size;
|
|
|
size_t buffer_offset;
|
|
|
@@ -730,11 +728,11 @@ static tsi_result ssl_protector_protect(tsi_frame_protector* self,
|
|
|
tsi_result result = TSI_OK;
|
|
|
|
|
|
/* First see if we have some pending data in the SSL BIO. */
|
|
|
- int pending_in_ssl = (int)BIO_pending(impl->from_ssl);
|
|
|
+ int pending_in_ssl = (int)BIO_pending(impl->network_io);
|
|
|
if (pending_in_ssl > 0) {
|
|
|
*unprotected_bytes_size = 0;
|
|
|
GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
|
|
|
- read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
|
|
|
+ read_from_ssl = BIO_read(impl->network_io, protected_output_frames,
|
|
|
(int)*protected_output_frames_size);
|
|
|
if (read_from_ssl < 0) {
|
|
|
gpr_log(GPR_ERROR,
|
|
|
@@ -762,7 +760,7 @@ static tsi_result ssl_protector_protect(tsi_frame_protector* self,
|
|
|
if (result != TSI_OK) return result;
|
|
|
|
|
|
GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
|
|
|
- read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
|
|
|
+ read_from_ssl = BIO_read(impl->network_io, protected_output_frames,
|
|
|
(int)*protected_output_frames_size);
|
|
|
if (read_from_ssl < 0) {
|
|
|
gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write.");
|
|
|
@@ -788,20 +786,20 @@ static tsi_result ssl_protector_protect_flush(
|
|
|
impl->buffer_offset = 0;
|
|
|
}
|
|
|
|
|
|
- pending = (int)BIO_pending(impl->from_ssl);
|
|
|
+ pending = (int)BIO_pending(impl->network_io);
|
|
|
GPR_ASSERT(pending >= 0);
|
|
|
*still_pending_size = (size_t)pending;
|
|
|
if (*still_pending_size == 0) return TSI_OK;
|
|
|
|
|
|
GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
|
|
|
- read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
|
|
|
+ read_from_ssl = BIO_read(impl->network_io, protected_output_frames,
|
|
|
(int)*protected_output_frames_size);
|
|
|
if (read_from_ssl <= 0) {
|
|
|
gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write.");
|
|
|
return TSI_INTERNAL_ERROR;
|
|
|
}
|
|
|
*protected_output_frames_size = (size_t)read_from_ssl;
|
|
|
- pending = (int)BIO_pending(impl->from_ssl);
|
|
|
+ pending = (int)BIO_pending(impl->network_io);
|
|
|
GPR_ASSERT(pending >= 0);
|
|
|
*still_pending_size = (size_t)pending;
|
|
|
return TSI_OK;
|
|
|
@@ -831,7 +829,7 @@ static tsi_result ssl_protector_unprotect(
|
|
|
|
|
|
/* Then, try to write some data to ssl. */
|
|
|
GPR_ASSERT(*protected_frames_bytes_size <= INT_MAX);
|
|
|
- written_into_ssl = BIO_write(impl->into_ssl, protected_frames_bytes,
|
|
|
+ written_into_ssl = BIO_write(impl->network_io, protected_frames_bytes,
|
|
|
(int)*protected_frames_bytes_size);
|
|
|
if (written_into_ssl < 0) {
|
|
|
gpr_log(GPR_ERROR, "Sending protected frame to ssl failed with %d",
|
|
|
@@ -853,6 +851,7 @@ static void ssl_protector_destroy(tsi_frame_protector* self) {
|
|
|
tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self;
|
|
|
if (impl->buffer != nullptr) gpr_free(impl->buffer);
|
|
|
if (impl->ssl != nullptr) SSL_free(impl->ssl);
|
|
|
+ if (impl->network_io != nullptr) BIO_free(impl->network_io);
|
|
|
gpr_free(self);
|
|
|
}
|
|
|
|
|
|
@@ -916,10 +915,10 @@ static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(tsi_handshaker* self,
|
|
|
return TSI_INVALID_ARGUMENT;
|
|
|
}
|
|
|
GPR_ASSERT(*bytes_size <= INT_MAX);
|
|
|
- bytes_read_from_ssl = BIO_read(impl->from_ssl, bytes, (int)*bytes_size);
|
|
|
+ bytes_read_from_ssl = BIO_read(impl->network_io, bytes, (int)*bytes_size);
|
|
|
if (bytes_read_from_ssl < 0) {
|
|
|
*bytes_size = 0;
|
|
|
- if (!BIO_should_retry(impl->from_ssl)) {
|
|
|
+ if (!BIO_should_retry(impl->network_io)) {
|
|
|
impl->result = TSI_INTERNAL_ERROR;
|
|
|
return impl->result;
|
|
|
} else {
|
|
|
@@ -927,7 +926,7 @@ static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(tsi_handshaker* self,
|
|
|
}
|
|
|
}
|
|
|
*bytes_size = (size_t)bytes_read_from_ssl;
|
|
|
- return BIO_pending(impl->from_ssl) == 0 ? TSI_OK : TSI_INCOMPLETE_DATA;
|
|
|
+ return BIO_pending(impl->network_io) == 0 ? TSI_OK : TSI_INCOMPLETE_DATA;
|
|
|
}
|
|
|
|
|
|
static tsi_result ssl_handshaker_get_result(tsi_handshaker* self) {
|
|
|
@@ -948,7 +947,7 @@ static tsi_result ssl_handshaker_process_bytes_from_peer(
|
|
|
}
|
|
|
GPR_ASSERT(*bytes_size <= INT_MAX);
|
|
|
bytes_written_into_ssl_size =
|
|
|
- BIO_write(impl->into_ssl, bytes, (int)*bytes_size);
|
|
|
+ BIO_write(impl->network_io, bytes, (int)*bytes_size);
|
|
|
if (bytes_written_into_ssl_size < 0) {
|
|
|
gpr_log(GPR_ERROR, "Could not write to memory BIO.");
|
|
|
impl->result = TSI_INTERNAL_ERROR;
|
|
|
@@ -965,7 +964,7 @@ static tsi_result ssl_handshaker_process_bytes_from_peer(
|
|
|
ssl_result = SSL_get_error(impl->ssl, ssl_result);
|
|
|
switch (ssl_result) {
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
- if (BIO_pending(impl->from_ssl) == 0) {
|
|
|
+ if (BIO_pending(impl->network_io) == 0) {
|
|
|
/* We need more data. */
|
|
|
return TSI_INCOMPLETE_DATA;
|
|
|
} else {
|
|
|
@@ -1058,12 +1057,13 @@ static tsi_result ssl_handshaker_create_frame_protector(
|
|
|
return TSI_INTERNAL_ERROR;
|
|
|
}
|
|
|
|
|
|
- /* Transfer ownership of ssl to the frame protector. It is OK as the caller
|
|
|
- * cannot call anything else but destroy on the handshaker after this call. */
|
|
|
+ /* Transfer ownership of ssl and network_io to the frame protector. It is OK
|
|
|
+ * as the caller cannot call anything else but destroy on the handshaker
|
|
|
+ * after this call. */
|
|
|
protector_impl->ssl = impl->ssl;
|
|
|
impl->ssl = nullptr;
|
|
|
- protector_impl->into_ssl = impl->into_ssl;
|
|
|
- protector_impl->from_ssl = impl->from_ssl;
|
|
|
+ protector_impl->network_io = impl->network_io;
|
|
|
+ impl->network_io = nullptr;
|
|
|
|
|
|
protector_impl->base.vtable = &frame_protector_vtable;
|
|
|
*protector = &protector_impl->base;
|
|
|
@@ -1072,7 +1072,8 @@ static tsi_result ssl_handshaker_create_frame_protector(
|
|
|
|
|
|
static void ssl_handshaker_destroy(tsi_handshaker* self) {
|
|
|
tsi_ssl_handshaker* impl = (tsi_ssl_handshaker*)self;
|
|
|
- SSL_free(impl->ssl); /* The BIO objects are owned by ssl */
|
|
|
+ SSL_free(impl->ssl);
|
|
|
+ BIO_free(impl->network_io);
|
|
|
tsi_ssl_handshaker_factory_unref(impl->factory_ref);
|
|
|
gpr_free(impl);
|
|
|
}
|
|
|
@@ -1094,8 +1095,8 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
|
|
|
tsi_ssl_handshaker_factory* factory,
|
|
|
tsi_handshaker** handshaker) {
|
|
|
SSL* ssl = SSL_new(ctx);
|
|
|
- BIO* into_ssl = nullptr;
|
|
|
- BIO* from_ssl = nullptr;
|
|
|
+ BIO* network_io = nullptr;
|
|
|
+ BIO* ssl_io = nullptr;
|
|
|
tsi_ssl_handshaker* impl = nullptr;
|
|
|
*handshaker = nullptr;
|
|
|
if (ctx == nullptr) {
|
|
|
@@ -1107,16 +1108,12 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
|
|
|
}
|
|
|
SSL_set_info_callback(ssl, ssl_info_callback);
|
|
|
|
|
|
- into_ssl = BIO_new(BIO_s_mem());
|
|
|
- from_ssl = BIO_new(BIO_s_mem());
|
|
|
- if (into_ssl == nullptr || from_ssl == nullptr) {
|
|
|
- gpr_log(GPR_ERROR, "BIO_new failed.");
|
|
|
+ if (!BIO_new_bio_pair(&network_io, 0, &ssl_io, 0)) {
|
|
|
+ gpr_log(GPR_ERROR, "BIO_new_bio_pair failed.");
|
|
|
SSL_free(ssl);
|
|
|
- if (into_ssl != nullptr) BIO_free(into_ssl);
|
|
|
- if (from_ssl != nullptr) BIO_free(into_ssl);
|
|
|
return TSI_OUT_OF_RESOURCES;
|
|
|
}
|
|
|
- SSL_set_bio(ssl, into_ssl, from_ssl);
|
|
|
+ SSL_set_bio(ssl, ssl_io, ssl_io);
|
|
|
if (is_client) {
|
|
|
int ssl_result;
|
|
|
SSL_set_connect_state(ssl);
|
|
|
@@ -1125,6 +1122,7 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
|
|
|
gpr_log(GPR_ERROR, "Invalid server name indication %s.",
|
|
|
server_name_indication);
|
|
|
SSL_free(ssl);
|
|
|
+ BIO_free(network_io);
|
|
|
return TSI_INTERNAL_ERROR;
|
|
|
}
|
|
|
}
|
|
|
@@ -1135,6 +1133,7 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
|
|
|
"Unexpected error received from first SSL_do_handshake call: %s",
|
|
|
ssl_error_string(ssl_result));
|
|
|
SSL_free(ssl);
|
|
|
+ BIO_free(network_io);
|
|
|
return TSI_INTERNAL_ERROR;
|
|
|
}
|
|
|
} else {
|
|
|
@@ -1143,8 +1142,7 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
|
|
|
|
|
|
impl = (tsi_ssl_handshaker*)gpr_zalloc(sizeof(*impl));
|
|
|
impl->ssl = ssl;
|
|
|
- impl->into_ssl = into_ssl;
|
|
|
- impl->from_ssl = from_ssl;
|
|
|
+ impl->network_io = network_io;
|
|
|
impl->result = TSI_HANDSHAKE_IN_PROGRESS;
|
|
|
impl->base.vtable = &handshaker_vtable;
|
|
|
impl->factory_ref = tsi_ssl_handshaker_factory_ref(factory);
|
Jiangtao Li