преди 5 години · ff8ceb700e
--- a/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
+++ b/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
@@ -264,6 +264,8 @@ struct grpc_tls_credentials_options
 
				   grpc_tls_server_verification_option server_verification_option() const {
			
 
				     return server_verification_option_;
			
 
				   }
			
 
				+  grpc_tls_version min_tls_version() const { return min_tls_version_; }
			
 
				+  grpc_tls_version max_tls_version() const { return max_tls_version_; }
			
 
				   grpc_tls_key_materials_config* key_materials_config() const {
			
 
				     return key_materials_config_.get();
			
 
				   }
			
@@ -284,6 +286,12 @@ struct grpc_tls_credentials_options
 
				       const grpc_tls_server_verification_option server_verification_option) {
			
 
				     server_verification_option_ = server_verification_option;
			
 
				   }
			
 
				+  void set_min_tls_version(grpc_tls_version min_tls_version) {
			
 
				+    min_tls_version_ = min_tls_version;
			
 
				+  }
			
 
				+  void set_max_tls_version(grpc_tls_version max_tls_version) {
			
 
				+    max_tls_version_ = max_tls_version;
			
 
				+  }
			
 
				   void set_key_materials_config(
			
 
				       grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
			
 
				     key_materials_config_ = std::move(config);
			
@@ -302,6 +310,8 @@ struct grpc_tls_credentials_options
 
				   grpc_ssl_client_certificate_request_type cert_request_type_;
			
 
				   grpc_tls_server_verification_option server_verification_option_ =
			
 
				       GRPC_TLS_SERVER_VERIFICATION;
			
 
				+  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
			
 
				+  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
			
 
				   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
			
 
				   grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
			
 
				       credential_reload_config_;
			
--- a/src/core/lib/security/security_connector/ssl_utils.cc
+++ b/src/core/lib/security/security_connector/ssl_utils.cc
@@ -389,8 +389,8 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 
				 
			
 
				 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
			
 
				     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
			
 
				-    bool skip_server_certificate_verification,
			
 
				-    tsi_ssl_session_cache* ssl_session_cache,
			
 
				+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
			
 
				+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
			
 
				     tsi_ssl_client_handshaker_factory** handshaker_factory) {
			
 
				   const char* root_certs;
			
 
				   const tsi_ssl_root_certs_store* root_store;
			
@@ -422,6 +422,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
 
				   options.session_cache = ssl_session_cache;
			
 
				   options.skip_server_certificate_verification =
			
 
				       skip_server_certificate_verification;
			
 
				+  options.min_tls_version = min_tls_version;
			
 
				+  options.max_tls_version = max_tls_version;
			
 
				   const tsi_result result =
			
 
				       tsi_create_ssl_client_handshaker_factory_with_options(&options,
			
 
				                                                             handshaker_factory);
			
@@ -438,6 +440,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
 
				     tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
			
 
				     const char* pem_root_certs,
			
 
				     grpc_ssl_client_certificate_request_type client_certificate_request,
			
 
				+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
			
 
				     tsi_ssl_server_handshaker_factory** handshaker_factory) {
			
 
				   size_t num_alpn_protocols = 0;
			
 
				   const char** alpn_protocol_strings =
			
@@ -451,6 +454,8 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
 
				   options.cipher_suites = grpc_get_ssl_cipher_suites();
			
 
				   options.alpn_protocols = alpn_protocol_strings;
			
 
				   options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
			
 
				+  options.min_tls_version = min_tls_version;
			
 
				+  options.max_tls_version = max_tls_version;
			
 
				   const tsi_result result =
			
 
				       tsi_create_ssl_server_handshaker_factory_with_options(&options,
			
 
				                                                             handshaker_factory);
			
--- a/src/core/lib/security/security_connector/ssl_utils.h
+++ b/src/core/lib/security/security_connector/ssl_utils.h
@@ -89,14 +89,15 @@ const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 
				 /* Initialize TSI SSL server/client handshaker factory. */
			
 
				 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
			
 
				     tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
			
 
				-    bool skip_server_certificate_verification,
			
 
				-    tsi_ssl_session_cache* ssl_session_cache,
			
 
				+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
			
 
				+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
			
 
				     tsi_ssl_client_handshaker_factory** handshaker_factory);
			
 
				 
			
 
				 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
			
 
				     tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
			
 
				     const char* pem_root_certs,
			
 
				     grpc_ssl_client_certificate_request_type client_certificate_request,
			
 
				+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
			
 
				     tsi_ssl_server_handshaker_factory** handshaker_factory);
			
 
				 
			
 
				 /* Exposed for testing only. */
			
--- a/src/core/lib/security/security_connector/tls/tls_security_connector.cc
+++ b/src/core/lib/security/security_connector/tls/tls_security_connector.cc
@@ -333,8 +333,10 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
 
				       key_materials_config_->pem_key_cert_pair_list());
			
 
				   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
			
 
				       pem_key_cert_pair, key_materials_config_->pem_root_certs(),
			
 
				-      skip_server_certificate_verification, ssl_session_cache,
			
 
				-      &client_handshaker_factory_);
			
 
				+      skip_server_certificate_verification,
			
 
				+      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
			
 
				+      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
			
 
				+      ssl_session_cache, &client_handshaker_factory_);
			
 
				   /* Free memory. */
			
 
				   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
			
 
				   return status;
			
@@ -542,7 +544,10 @@ grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
 
				   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
			
 
				       pem_key_cert_pairs, num_key_cert_pairs,
			
 
				       key_materials_config_->pem_root_certs(),
			
 
				-      creds->options().cert_request_type(), &server_handshaker_factory_);
			
 
				+      creds->options().cert_request_type(),
			
 
				+      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
			
 
				+      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
			
 
				+      &server_handshaker_factory_);
			
 
				   /* Free memory. */
			
 
				   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
			
 
				                                           num_key_cert_pairs);
			
--- a/test/core/end2end/fixtures/h2_tls.cc
+++ b/test/core/end2end/fixtures/h2_tls.cc
@@ -52,22 +52,37 @@ struct fullstack_secure_fixture_data {
 
				     }
			
 
				   }
			
 
				   std::string localaddr;
			
 
				+  grpc_tls_version tls_version;
			
 
				   ThreadList thd_list;
			
 
				 };
			
 
				 
			
 
				 static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack(
			
 
				-    grpc_channel_args* /*client_args*/, grpc_channel_args* /*server_args*/) {
			
 
				+    grpc_channel_args* /*client_args*/, grpc_channel_args* /*server_args*/,
			
 
				+    grpc_tls_version tls_version) {
			
 
				   grpc_end2end_test_fixture f;
			
 
				   int port = grpc_pick_unused_port_or_die();
			
 
				   fullstack_secure_fixture_data* ffd = new fullstack_secure_fixture_data();
			
 
				   memset(&f, 0, sizeof(f));
			
 
				   ffd->localaddr = grpc_core::JoinHostPort("localhost", port);
			
 
				+  ffd->tls_version = tls_version;
			
 
				   f.fixture_data = ffd;
			
 
				   f.cq = grpc_completion_queue_create_for_next(nullptr);
			
 
				   f.shutdown_cq = grpc_completion_queue_create_for_pluck(nullptr);
			
 
				   return f;
			
 
				 }
			
 
				 
			
 
				+static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack_tls1_2(
			
 
				+    grpc_channel_args* client_args, grpc_channel_args* server_args) {
			
 
				+  return chttp2_create_fixture_secure_fullstack(client_args, server_args,
			
 
				+                                                grpc_tls_version::TLS1_2);
			
 
				+}
			
 
				+
			
 
				+static grpc_end2end_test_fixture chttp2_create_fixture_secure_fullstack_tls1_3(
			
 
				+    grpc_channel_args* client_args, grpc_channel_args* server_args) {
			
 
				+  return chttp2_create_fixture_secure_fullstack(client_args, server_args,
			
 
				+                                                grpc_tls_version::TLS1_3);
			
 
				+}
			
 
				+
			
 
				 static void process_auth_failure(void* state, grpc_auth_context* /*ctx*/,
			
 
				                                  const grpc_metadata* /*md*/,
			
 
				                                  size_t /*md_count*/,
			
@@ -217,6 +232,8 @@ static grpc_channel_credentials* create_tls_channel_credentials(
 
				     fullstack_secure_fixture_data* ffd) {
			
 
				   grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
			
 
				   options->set_server_verification_option(GRPC_TLS_SERVER_VERIFICATION);
			
 
				+  options->set_min_tls_version(ffd->tls_version);
			
 
				+  options->set_max_tls_version(ffd->tls_version);
			
 
				   /* Set credential reload config. */
			
 
				   grpc_tls_credential_reload_config* reload_config =
			
 
				       grpc_tls_credential_reload_config_create(nullptr, client_cred_reload_sync,
			
@@ -235,8 +252,11 @@ static grpc_channel_credentials* create_tls_channel_credentials(
 
				 }
			
 
				 
			
 
				 // Create a TLS server credential.
			
 
				-static grpc_server_credentials* create_tls_server_credentials() {
			
 
				+static grpc_server_credentials* create_tls_server_credentials(
			
 
				+    fullstack_secure_fixture_data* ffd) {
			
 
				   grpc_tls_credentials_options* options = grpc_tls_credentials_options_create();
			
 
				+  options->set_min_tls_version(ffd->tls_version);
			
 
				+  options->set_max_tls_version(ffd->tls_version);
			
 
				   /* Set credential reload config. */
			
 
				   grpc_tls_credential_reload_config* reload_config =
			
 
				       grpc_tls_credential_reload_config_create(nullptr, server_cred_reload_sync,
			
@@ -278,7 +298,8 @@ static int fail_server_auth_check(grpc_channel_args* server_args) {
 
				 
			
 
				 static void chttp2_init_server(grpc_end2end_test_fixture* f,
			
 
				                                grpc_channel_args* server_args) {
			
 
				-  grpc_server_credentials* ssl_creds = create_tls_server_credentials();
			
 
				+  grpc_server_credentials* ssl_creds = create_tls_server_credentials(
			
 
				+      static_cast<fullstack_secure_fixture_data*>(f->fixture_data));
			
 
				   if (fail_server_auth_check(server_args)) {
			
 
				     grpc_auth_metadata_processor processor = {process_auth_failure, nullptr,
			
 
				                                               nullptr};
			
@@ -289,12 +310,19 @@ static void chttp2_init_server(grpc_end2end_test_fixture* f,
 
				 
			
 
				 static grpc_end2end_test_config configs[] = {
			
 
				     /* client sync reload async authz + server sync reload. */
			
 
				-    {"chttp2/simple_ssl_fullstack",
			
 
				+    {"chttp2/simple_ssl_fullstack_tls1_2",
			
 
				+     FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
			
 
				+         FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
			
 
				+         FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
			
 
				+         FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
			
 
				+     "foo.test.google.fr", chttp2_create_fixture_secure_fullstack_tls1_2,
			
 
				+     chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
			
 
				+    {"chttp2/simple_ssl_fullstack_tls1_3",
			
 
				      FEATURE_MASK_SUPPORTS_DELAYED_CONNECTION |
			
 
				          FEATURE_MASK_SUPPORTS_PER_CALL_CREDENTIALS |
			
 
				          FEATURE_MASK_SUPPORTS_CLIENT_CHANNEL |
			
 
				          FEATURE_MASK_SUPPORTS_AUTHORITY_HEADER,
			
 
				-     "foo.test.google.fr", chttp2_create_fixture_secure_fullstack,
			
 
				+     "foo.test.google.fr", chttp2_create_fixture_secure_fullstack_tls1_3,
			
 
				      chttp2_init_client, chttp2_init_server, chttp2_tear_down_secure_fullstack},
			
 
				 };