1 //
2 //
3 // Copyright 2017 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/tsi/ssl_transport_security.h"
20
21 #include <stdbool.h>
22 #include <stdio.h>
23 #include <string.h>
24
25 #include <gtest/gtest.h>
26 #include <openssl/crypto.h>
27 #include <openssl/err.h>
28 #include <openssl/pem.h>
29
30 #include "absl/strings/str_cat.h"
31
32 #include <grpc/grpc.h>
33 #include <grpc/support/alloc.h>
34 #include <grpc/support/log.h>
35 #include <grpc/support/string_util.h>
36
37 #include "src/core/lib/gprpp/crash.h"
38 #include "src/core/lib/gprpp/memory.h"
39 #include "src/core/lib/security/security_connector/security_connector.h"
40 #include "src/core/tsi/transport_security.h"
41 #include "src/core/tsi/transport_security_interface.h"
42 #include "test/core/tsi/transport_security_test_lib.h"
43 #include "test/core/util/build.h"
44 #include "test/core/util/test_config.h"
45 #include "test/core/util/tls_utils.h"
46
47 #define SSL_TSI_TEST_ALPN1 "foo"
48 #define SSL_TSI_TEST_ALPN2 "toto"
49 #define SSL_TSI_TEST_ALPN3 "baz"
50 #define SSL_TSI_TEST_ALPN_NUM 2
51 #define SSL_TSI_TEST_SERVER_KEY_CERT_PAIRS_NUM 2
52 #define SSL_TSI_TEST_BAD_SERVER_KEY_CERT_PAIRS_NUM 1
53 #define SSL_TSI_TEST_LEAF_SIGNED_BY_INTERMEDIATE_KEY_CERT_PAIRS_NUM 1
54 #define SSL_TSI_TEST_CREDENTIALS_DIR "src/core/tsi/test_creds/"
55 #define SSL_TSI_TEST_WRONG_SNI "test.google.cn"
56 #define SSL_TSI_TEST_INVALID_SNI "1.2.3.4"
57
58 // OpenSSL 1.1 uses AES256 for encryption session ticket by default so specify
59 // different STEK size.
60 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_IS_BORINGSSL)
61 const size_t kSessionTicketEncryptionKeySize = 80;
62 #else
63 const size_t kSessionTicketEncryptionKeySize = 48;
64 #endif
65
66 // Indicates the TLS version used for the test.
67 static tsi_tls_version test_tls_version = tsi_tls_version::TSI_TLS1_3;
68 static bool test_send_client_ca_list = false;
69
70 typedef enum AlpnMode {
71 NO_ALPN,
72 ALPN_CLIENT_NO_SERVER,
73 ALPN_SERVER_NO_CLIENT,
74 ALPN_CLIENT_SERVER_OK,
75 ALPN_CLIENT_SERVER_MISMATCH
76 } AlpnMode;
77
78 typedef struct ssl_alpn_lib {
79 AlpnMode alpn_mode;
80 const char** server_alpn_protocols;
81 const char** client_alpn_protocols;
82 uint16_t num_server_alpn_protocols;
83 uint16_t num_client_alpn_protocols;
84 } ssl_alpn_lib;
85
86 typedef struct ssl_key_cert_lib {
87 bool use_bad_server_cert;
88 bool use_bad_client_cert;
89 bool use_root_store;
90 bool use_pem_root_certs;
91 bool use_cert_signed_by_intermediate_ca;
92 bool skip_server_certificate_verification;
93 char* root_cert;
94 tsi_ssl_root_certs_store* root_store;
95 tsi_ssl_pem_key_cert_pair* server_pem_key_cert_pairs;
96 tsi_ssl_pem_key_cert_pair* bad_server_pem_key_cert_pairs;
97 tsi_ssl_pem_key_cert_pair* leaf_signed_by_intermediate_key_cert_pairs;
98 tsi_ssl_pem_key_cert_pair client_pem_key_cert_pair;
99 tsi_ssl_pem_key_cert_pair bad_client_pem_key_cert_pair;
100 uint16_t server_num_key_cert_pairs;
101 uint16_t bad_server_num_key_cert_pairs;
102 uint16_t leaf_signed_by_intermediate_num_key_cert_pairs;
103 } ssl_key_cert_lib;
104
105 typedef struct ssl_tsi_test_fixture {
106 tsi_test_fixture base;
107 ssl_key_cert_lib* key_cert_lib;
108 ssl_alpn_lib* alpn_lib;
109 bool force_client_auth;
110 char* server_name_indication;
111 tsi_ssl_session_cache* session_cache;
112 bool session_reused;
113 const char* session_ticket_key;
114 size_t session_ticket_key_size;
115 size_t network_bio_buf_size;
116 size_t ssl_bio_buf_size;
117 bool verify_root_cert_subject;
118 tsi_ssl_server_handshaker_factory* server_handshaker_factory;
119 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
120 } ssl_tsi_test_fixture;
121
ssl_test_setup_handshakers(tsi_test_fixture * fixture)122 static void ssl_test_setup_handshakers(tsi_test_fixture* fixture) {
123 ssl_tsi_test_fixture* ssl_fixture =
124 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
125 ASSERT_NE(ssl_fixture, nullptr);
126 ASSERT_NE(ssl_fixture->key_cert_lib, nullptr);
127 ASSERT_NE(ssl_fixture->alpn_lib, nullptr);
128 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
129 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
130 // Create client handshaker factory.
131 tsi_ssl_client_handshaker_options client_options;
132 if (key_cert_lib->use_pem_root_certs) {
133 client_options.pem_root_certs = key_cert_lib->root_cert;
134 }
135 if (ssl_fixture->force_client_auth) {
136 client_options.pem_key_cert_pair =
137 key_cert_lib->use_bad_client_cert
138 ? &key_cert_lib->bad_client_pem_key_cert_pair
139 : &key_cert_lib->client_pem_key_cert_pair;
140 }
141 if (alpn_lib->alpn_mode == ALPN_CLIENT_NO_SERVER ||
142 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
143 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
144 client_options.alpn_protocols = alpn_lib->client_alpn_protocols;
145 client_options.num_alpn_protocols = alpn_lib->num_client_alpn_protocols;
146 }
147 client_options.root_store =
148 key_cert_lib->use_root_store ? key_cert_lib->root_store : nullptr;
149 if (ssl_fixture->session_cache != nullptr) {
150 client_options.session_cache = ssl_fixture->session_cache;
151 }
152 client_options.min_tls_version = test_tls_version;
153 client_options.max_tls_version = test_tls_version;
154 client_options.skip_server_certificate_verification =
155 key_cert_lib->skip_server_certificate_verification;
156 ASSERT_EQ(tsi_create_ssl_client_handshaker_factory_with_options(
157 &client_options, &ssl_fixture->client_handshaker_factory),
158 TSI_OK);
159 // Create server handshaker factory.
160 tsi_ssl_server_handshaker_options server_options;
161 if (alpn_lib->alpn_mode == ALPN_SERVER_NO_CLIENT ||
162 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ||
163 alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
164 server_options.alpn_protocols = alpn_lib->server_alpn_protocols;
165 server_options.num_alpn_protocols = alpn_lib->num_server_alpn_protocols;
166 if (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_MISMATCH) {
167 server_options.num_alpn_protocols--;
168 }
169 }
170 if (key_cert_lib->use_cert_signed_by_intermediate_ca) {
171 server_options.pem_key_cert_pairs =
172 key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs;
173 server_options.num_key_cert_pairs =
174 key_cert_lib->leaf_signed_by_intermediate_num_key_cert_pairs;
175 } else {
176 server_options.pem_key_cert_pairs =
177 key_cert_lib->use_bad_server_cert
178 ? key_cert_lib->bad_server_pem_key_cert_pairs
179 : key_cert_lib->server_pem_key_cert_pairs;
180 server_options.num_key_cert_pairs =
181 key_cert_lib->use_bad_server_cert
182 ? key_cert_lib->bad_server_num_key_cert_pairs
183 : key_cert_lib->server_num_key_cert_pairs;
184 }
185 server_options.pem_client_root_certs = key_cert_lib->root_cert;
186 if (ssl_fixture->force_client_auth) {
187 server_options.client_certificate_request =
188 TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
189 } else {
190 server_options.client_certificate_request =
191 TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
192 }
193 server_options.send_client_ca_list = test_send_client_ca_list;
194 server_options.session_ticket_key = ssl_fixture->session_ticket_key;
195 server_options.session_ticket_key_size = ssl_fixture->session_ticket_key_size;
196 server_options.min_tls_version = test_tls_version;
197 server_options.max_tls_version = test_tls_version;
198 ASSERT_EQ(tsi_create_ssl_server_handshaker_factory_with_options(
199 &server_options, &ssl_fixture->server_handshaker_factory),
200 TSI_OK);
201 // Create server and client handshakers.
202 ASSERT_EQ(
203 tsi_ssl_client_handshaker_factory_create_handshaker(
204 ssl_fixture->client_handshaker_factory,
205 ssl_fixture->server_name_indication,
206 ssl_fixture->network_bio_buf_size, ssl_fixture->ssl_bio_buf_size,
207 &ssl_fixture->base.client_handshaker),
208 TSI_OK);
209 ASSERT_EQ(
210 tsi_ssl_server_handshaker_factory_create_handshaker(
211 ssl_fixture->server_handshaker_factory,
212 ssl_fixture->network_bio_buf_size, ssl_fixture->ssl_bio_buf_size,
213 &ssl_fixture->base.server_handshaker),
214 TSI_OK);
215 }
216
check_verified_root_cert_subject(ssl_tsi_test_fixture *,const tsi_peer * peer)217 static void check_verified_root_cert_subject(
218 ssl_tsi_test_fixture* /*ssl_fixture*/, const tsi_peer* peer) {
219 const tsi_peer_property* verified_root_cert_subject =
220 tsi_peer_get_property_by_name(
221 peer, TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY);
222 ASSERT_NE(verified_root_cert_subject, nullptr);
223 const char* expected_match =
224 "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
225 ASSERT_EQ(memcmp(verified_root_cert_subject->value.data, expected_match,
226 verified_root_cert_subject->value.length),
227 0);
228 }
229
check_verified_root_cert_subject_unset(ssl_tsi_test_fixture *,const tsi_peer * peer)230 static void check_verified_root_cert_subject_unset(
231 ssl_tsi_test_fixture* /*ssl_fixture*/, const tsi_peer* peer) {
232 const tsi_peer_property* verified_root_cert_subject =
233 tsi_peer_get_property_by_name(
234 peer, TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY);
235 ASSERT_EQ(verified_root_cert_subject, nullptr);
236 }
237
check_alpn(ssl_tsi_test_fixture * ssl_fixture,const tsi_peer * peer)238 static void check_alpn(ssl_tsi_test_fixture* ssl_fixture,
239 const tsi_peer* peer) {
240 ASSERT_NE(ssl_fixture, nullptr);
241 ASSERT_NE(ssl_fixture->alpn_lib, nullptr);
242 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
243 const tsi_peer_property* alpn_property =
244 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
245 if (alpn_lib->alpn_mode != ALPN_CLIENT_SERVER_OK) {
246 ASSERT_EQ(alpn_property, nullptr);
247 } else {
248 ASSERT_NE(alpn_property, nullptr);
249 const char* expected_match = "baz";
250 ASSERT_EQ(memcmp(alpn_property->value.data, expected_match,
251 alpn_property->value.length),
252 0);
253 }
254 }
255
check_security_level(const tsi_peer * peer)256 static void check_security_level(const tsi_peer* peer) {
257 const tsi_peer_property* security_level =
258 tsi_peer_get_property_by_name(peer, TSI_SECURITY_LEVEL_PEER_PROPERTY);
259 ASSERT_NE(security_level, nullptr);
260 const char* expected_match = "TSI_PRIVACY_AND_INTEGRITY";
261 ASSERT_EQ(memcmp(security_level->value.data, expected_match,
262 security_level->value.length),
263 0);
264 }
265
266 static const tsi_peer_property*
check_basic_authenticated_peer_and_get_common_name(const tsi_peer * peer)267 check_basic_authenticated_peer_and_get_common_name(const tsi_peer* peer) {
268 const tsi_peer_property* cert_type_property =
269 tsi_peer_get_property_by_name(peer, TSI_CERTIFICATE_TYPE_PEER_PROPERTY);
270 EXPECT_NE(cert_type_property, nullptr);
271 EXPECT_EQ(memcmp(cert_type_property->value.data, TSI_X509_CERTIFICATE_TYPE,
272 cert_type_property->value.length),
273 0);
274 const tsi_peer_property* property = tsi_peer_get_property_by_name(
275 peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
276 EXPECT_NE(property, nullptr);
277 return property;
278 }
279
check_session_reusage(ssl_tsi_test_fixture * ssl_fixture,tsi_peer * peer)280 static void check_session_reusage(ssl_tsi_test_fixture* ssl_fixture,
281 tsi_peer* peer) {
282 const tsi_peer_property* session_reused =
283 tsi_peer_get_property_by_name(peer, TSI_SSL_SESSION_REUSED_PEER_PROPERTY);
284 ASSERT_NE(session_reused, nullptr);
285 if (ssl_fixture->session_reused) {
286 ASSERT_EQ(strncmp(session_reused->value.data, "true",
287 session_reused->value.length),
288 0);
289 } else {
290 ASSERT_EQ(strncmp(session_reused->value.data, "false",
291 session_reused->value.length),
292 0);
293 }
294 }
295
check_server0_peer(tsi_peer * peer)296 void check_server0_peer(tsi_peer* peer) {
297 const tsi_peer_property* property =
298 check_basic_authenticated_peer_and_get_common_name(peer);
299 const char* expected_match = "*.test.google.com.au";
300 ASSERT_EQ(
301 memcmp(property->value.data, expected_match, property->value.length), 0);
302 ASSERT_EQ(tsi_peer_get_property_by_name(
303 peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY),
304 nullptr);
305 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "foo.test.google.com.au"), 1);
306 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "bar.test.google.com.au"), 1);
307 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "BAR.TEST.GOOGLE.COM.AU"), 1);
308 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "Bar.Test.Google.Com.Au"), 1);
309 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "bAr.TeST.gOOgle.cOm.AU"), 1);
310 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "bar.test.google.blah"), 0);
311 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "foo.bar.test.google.com.au"), 0);
312 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "test.google.com.au"), 0);
313 tsi_peer_destruct(peer);
314 }
315
check_property(tsi_peer * peer,const char * property_name,const char * property_value)316 static bool check_property(tsi_peer* peer, const char* property_name,
317 const char* property_value) {
318 for (size_t i = 0; i < peer->property_count; i++) {
319 const tsi_peer_property* prop = &peer->properties[i];
320 if (strcmp(prop->name, property_name) == 0) {
321 if (strlen(property_value) == prop->value.length &&
322 memcmp(prop->value.data, property_value, prop->value.length) == 0) {
323 return true;
324 }
325 }
326 }
327 return false;
328 }
329
check_server1_peer(tsi_peer * peer)330 void check_server1_peer(tsi_peer* peer) {
331 const tsi_peer_property* property =
332 check_basic_authenticated_peer_and_get_common_name(peer);
333 const char* expected_match = "*.test.google.com";
334 ASSERT_EQ(
335 memcmp(property->value.data, expected_match, property->value.length), 0);
336 ASSERT_EQ(
337 check_property(peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
338 "*.test.google.fr"),
339 1);
340 ASSERT_EQ(
341 check_property(peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
342 "waterzooi.test.google.be"),
343 1);
344 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "foo.test.google.fr"), 1);
345 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "bar.test.google.fr"), 1);
346 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "waterzooi.test.google.be"), 1);
347 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "foo.test.youtube.com"), 1);
348 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "bar.foo.test.google.com"), 0);
349 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "test.google.fr"), 0);
350 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "tartines.test.google.be"), 0);
351 ASSERT_EQ(tsi_ssl_peer_matches_name(peer, "tartines.youtube.com"), 0);
352 tsi_peer_destruct(peer);
353 }
354
check_client_peer(ssl_tsi_test_fixture * ssl_fixture,tsi_peer * peer)355 static void check_client_peer(ssl_tsi_test_fixture* ssl_fixture,
356 tsi_peer* peer) {
357 ASSERT_NE(ssl_fixture, nullptr);
358 ASSERT_NE(ssl_fixture->alpn_lib, nullptr);
359 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
360 if (!ssl_fixture->force_client_auth) {
361 ASSERT_EQ(peer->property_count,
362 (alpn_lib->alpn_mode == ALPN_CLIENT_SERVER_OK ? 3 : 2));
363 } else {
364 const tsi_peer_property* property =
365 check_basic_authenticated_peer_and_get_common_name(peer);
366 const char* expected_match = "testclient";
367 ASSERT_EQ(
368 memcmp(property->value.data, expected_match, property->value.length),
369 0);
370 }
371 tsi_peer_destruct(peer);
372 }
373
ssl_test_check_handshaker_peers(tsi_test_fixture * fixture)374 static void ssl_test_check_handshaker_peers(tsi_test_fixture* fixture) {
375 ssl_tsi_test_fixture* ssl_fixture =
376 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
377 ASSERT_NE(ssl_fixture, nullptr);
378 ASSERT_NE(ssl_fixture->key_cert_lib, nullptr);
379 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
380 tsi_peer peer;
381 // In TLS 1.3, the client-side handshake succeeds even if the client sends a
382 // bad certificate. In such a case, the server would fail the TLS handshake
383 // and send an alert to the client as the first application data message. In
384 // TLS 1.2, the client-side handshake will fail if the client sends a bad
385 // certificate.
386 //
387 // For OpenSSL versions < 1.1, TLS 1.3 is not supported, so the client-side
388 // handshake should succeed precisely when the server-side handshake
389 // succeeds.
390 bool expect_server_success =
391 !(key_cert_lib->use_bad_server_cert ||
392 (key_cert_lib->use_bad_client_cert && ssl_fixture->force_client_auth));
393 #if OPENSSL_VERSION_NUMBER >= 0x10100000
394 bool expect_client_success = test_tls_version == tsi_tls_version::TSI_TLS1_2
395 ? expect_server_success
396 : !key_cert_lib->use_bad_server_cert;
397 #else
398 bool expect_client_success = expect_server_success;
399 #endif
400 if (expect_client_success) {
401 ASSERT_EQ(tsi_handshaker_result_extract_peer(
402 ssl_fixture->base.client_result, &peer),
403 TSI_OK);
404 check_session_reusage(ssl_fixture, &peer);
405 check_alpn(ssl_fixture, &peer);
406 check_security_level(&peer);
407 if (ssl_fixture->verify_root_cert_subject) {
408 if (!ssl_fixture->session_reused) {
409 check_verified_root_cert_subject(ssl_fixture, &peer);
410 } else {
411 check_verified_root_cert_subject_unset(ssl_fixture, &peer);
412 }
413 }
414 if (ssl_fixture->server_name_indication == nullptr ||
415 strcmp(ssl_fixture->server_name_indication, SSL_TSI_TEST_WRONG_SNI) ==
416 0 ||
417 strcmp(ssl_fixture->server_name_indication, SSL_TSI_TEST_INVALID_SNI) ==
418 0) {
419 // Expect server to use default server0.pem.
420 check_server0_peer(&peer);
421 } else {
422 // Expect server to use server1.pem.
423 check_server1_peer(&peer);
424 }
425 } else {
426 ASSERT_EQ(ssl_fixture->base.client_result, nullptr);
427 }
428 if (expect_server_success) {
429 ASSERT_EQ(tsi_handshaker_result_extract_peer(
430 ssl_fixture->base.server_result, &peer),
431 TSI_OK);
432 check_session_reusage(ssl_fixture, &peer);
433 check_alpn(ssl_fixture, &peer);
434 check_security_level(&peer);
435 if (ssl_fixture->force_client_auth && !ssl_fixture->session_reused) {
436 check_verified_root_cert_subject(ssl_fixture, &peer);
437 } else {
438 check_verified_root_cert_subject_unset(ssl_fixture, &peer);
439 }
440 check_client_peer(ssl_fixture, &peer);
441 } else {
442 ASSERT_EQ(ssl_fixture->base.server_result, nullptr);
443 }
444 }
445
ssl_test_pem_key_cert_pair_destroy(tsi_ssl_pem_key_cert_pair kp)446 static void ssl_test_pem_key_cert_pair_destroy(tsi_ssl_pem_key_cert_pair kp) {
447 gpr_free(const_cast<char*>(kp.private_key));
448 gpr_free(const_cast<char*>(kp.cert_chain));
449 }
450
ssl_test_destruct(tsi_test_fixture * fixture)451 static void ssl_test_destruct(tsi_test_fixture* fixture) {
452 ssl_tsi_test_fixture* ssl_fixture =
453 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
454 if (ssl_fixture == nullptr) {
455 return;
456 }
457 // Destroy ssl_alpn_lib.
458 ssl_alpn_lib* alpn_lib = ssl_fixture->alpn_lib;
459 for (size_t i = 0; i < alpn_lib->num_server_alpn_protocols; i++) {
460 gpr_free(const_cast<char*>(alpn_lib->server_alpn_protocols[i]));
461 }
462 gpr_free(alpn_lib->server_alpn_protocols);
463 for (size_t i = 0; i < alpn_lib->num_client_alpn_protocols; i++) {
464 gpr_free(const_cast<char*>(alpn_lib->client_alpn_protocols[i]));
465 }
466 gpr_free(alpn_lib->client_alpn_protocols);
467 gpr_free(alpn_lib);
468 // Destroy ssl_key_cert_lib.
469 ssl_key_cert_lib* key_cert_lib = ssl_fixture->key_cert_lib;
470 for (size_t i = 0; i < key_cert_lib->server_num_key_cert_pairs; i++) {
471 ssl_test_pem_key_cert_pair_destroy(
472 key_cert_lib->server_pem_key_cert_pairs[i]);
473 }
474 gpr_free(key_cert_lib->server_pem_key_cert_pairs);
475 for (size_t i = 0; i < key_cert_lib->bad_server_num_key_cert_pairs; i++) {
476 ssl_test_pem_key_cert_pair_destroy(
477 key_cert_lib->bad_server_pem_key_cert_pairs[i]);
478 }
479 gpr_free(key_cert_lib->bad_server_pem_key_cert_pairs);
480 for (size_t i = 0;
481 i < key_cert_lib->leaf_signed_by_intermediate_num_key_cert_pairs; i++) {
482 ssl_test_pem_key_cert_pair_destroy(
483 key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs[i]);
484 }
485 gpr_free(key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs);
486 ssl_test_pem_key_cert_pair_destroy(key_cert_lib->client_pem_key_cert_pair);
487 ssl_test_pem_key_cert_pair_destroy(
488 key_cert_lib->bad_client_pem_key_cert_pair);
489 gpr_free(key_cert_lib->root_cert);
490 tsi_ssl_root_certs_store_destroy(key_cert_lib->root_store);
491 gpr_free(key_cert_lib);
492 if (ssl_fixture->session_cache != nullptr) {
493 tsi_ssl_session_cache_unref(ssl_fixture->session_cache);
494 }
495 // Unreference others.
496 tsi_ssl_server_handshaker_factory_unref(
497 ssl_fixture->server_handshaker_factory);
498 tsi_ssl_client_handshaker_factory_unref(
499 ssl_fixture->client_handshaker_factory);
500 gpr_free(ssl_fixture);
501 }
502
503 static const struct tsi_test_fixture_vtable vtable = {
504 ssl_test_setup_handshakers, ssl_test_check_handshaker_peers,
505 ssl_test_destruct};
506
load_file(std::string path)507 static char* load_file(std::string path) {
508 std::string data = grpc_core::testing::GetFileContents(path);
509 return gpr_strdup(data.c_str());
510 }
511
is_slow_build()512 static bool is_slow_build() {
513 #if defined(GPR_ARCH_32) || defined(__APPLE__)
514 return true;
515 #else
516 return BuiltUnderMsan() || BuiltUnderTsan() || BuiltUnderUbsan();
517 #endif
518 }
519
GenerateTrustBundle()520 static std::string GenerateTrustBundle() {
521 // Create a trust bundle, consisting of 200 self-signed certs. The self-signed
522 // certs have subject DNs that are sufficiently big and complex that they
523 // substantially increase the server handshake message size.
524 std::string trust_bundle;
525 int trust_bundle_size = is_slow_build() ? 20 : 200;
526 for (int i = 0; i < trust_bundle_size; ++i) {
527 SelfSignedCertificateOptions options;
528 options.common_name =
529 absl::StrCat("{46f0eaed-6e05-43f5-9289-379104612fc", i, "}");
530 options.organization = absl::StrCat("organization-", i);
531 options.organizational_unit = absl::StrCat("organizational-unit-", i);
532 std::string self_signed_cert = GenerateSelfSignedCertificate(options);
533 trust_bundle.append(self_signed_cert);
534 }
535 return trust_bundle;
536 }
537
ssl_tsi_test_fixture_create()538 static tsi_test_fixture* ssl_tsi_test_fixture_create() {
539 ssl_tsi_test_fixture* ssl_fixture = grpc_core::Zalloc<ssl_tsi_test_fixture>();
540 tsi_test_fixture_init(&ssl_fixture->base);
541 ssl_fixture->verify_root_cert_subject = true;
542 ssl_fixture->base.test_unused_bytes = true;
543 ssl_fixture->base.vtable = &vtable;
544 // Create ssl_key_cert_lib.
545 ssl_key_cert_lib* key_cert_lib = grpc_core::Zalloc<ssl_key_cert_lib>();
546 key_cert_lib->use_bad_server_cert = false;
547 key_cert_lib->use_bad_client_cert = false;
548 key_cert_lib->use_root_store = false;
549 key_cert_lib->use_pem_root_certs = true;
550 key_cert_lib->skip_server_certificate_verification = false;
551 key_cert_lib->server_num_key_cert_pairs =
552 SSL_TSI_TEST_SERVER_KEY_CERT_PAIRS_NUM;
553 key_cert_lib->bad_server_num_key_cert_pairs =
554 SSL_TSI_TEST_BAD_SERVER_KEY_CERT_PAIRS_NUM;
555 key_cert_lib->leaf_signed_by_intermediate_num_key_cert_pairs =
556 SSL_TSI_TEST_LEAF_SIGNED_BY_INTERMEDIATE_KEY_CERT_PAIRS_NUM;
557 key_cert_lib->server_pem_key_cert_pairs =
558 static_cast<tsi_ssl_pem_key_cert_pair*>(
559 gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
560 key_cert_lib->server_num_key_cert_pairs));
561 key_cert_lib->bad_server_pem_key_cert_pairs =
562 static_cast<tsi_ssl_pem_key_cert_pair*>(
563 gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
564 key_cert_lib->bad_server_num_key_cert_pairs));
565 key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs =
566 static_cast<tsi_ssl_pem_key_cert_pair*>(gpr_malloc(
567 sizeof(tsi_ssl_pem_key_cert_pair) *
568 key_cert_lib->leaf_signed_by_intermediate_num_key_cert_pairs));
569 key_cert_lib->server_pem_key_cert_pairs[0].private_key =
570 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server0.key");
571 key_cert_lib->server_pem_key_cert_pairs[0].cert_chain =
572 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server0.pem");
573 key_cert_lib->server_pem_key_cert_pairs[1].private_key =
574 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server1.key");
575 key_cert_lib->server_pem_key_cert_pairs[1].cert_chain =
576 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server1.pem");
577 key_cert_lib->bad_server_pem_key_cert_pairs[0].private_key =
578 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "badserver.key");
579 key_cert_lib->bad_server_pem_key_cert_pairs[0].cert_chain =
580 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "badserver.pem");
581 key_cert_lib->client_pem_key_cert_pair.private_key =
582 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "client.key");
583 key_cert_lib->client_pem_key_cert_pair.cert_chain =
584 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "client.pem");
585 key_cert_lib->bad_client_pem_key_cert_pair.private_key =
586 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "badclient.key");
587 key_cert_lib->bad_client_pem_key_cert_pair.cert_chain =
588 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "badclient.pem");
589 key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs[0].private_key =
590 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "leaf_signed_by_intermediate.key");
591 key_cert_lib->leaf_signed_by_intermediate_key_cert_pairs[0].cert_chain =
592 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "leaf_and_intermediate_chain.pem");
593 key_cert_lib->root_cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "ca.pem");
594 key_cert_lib->root_store =
595 tsi_ssl_root_certs_store_create(key_cert_lib->root_cert);
596 EXPECT_NE(key_cert_lib->root_store, nullptr);
597 ssl_fixture->key_cert_lib = key_cert_lib;
598 // Create ssl_alpn_lib.
599 ssl_alpn_lib* alpn_lib = grpc_core::Zalloc<ssl_alpn_lib>();
600 alpn_lib->server_alpn_protocols = static_cast<const char**>(
601 gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
602 alpn_lib->client_alpn_protocols = static_cast<const char**>(
603 gpr_zalloc(sizeof(char*) * SSL_TSI_TEST_ALPN_NUM));
604 alpn_lib->server_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN1);
605 alpn_lib->server_alpn_protocols[1] = gpr_strdup(SSL_TSI_TEST_ALPN3);
606 alpn_lib->client_alpn_protocols[0] = gpr_strdup(SSL_TSI_TEST_ALPN2);
607 alpn_lib->client_alpn_protocols[1] = gpr_strdup(SSL_TSI_TEST_ALPN3);
608 alpn_lib->num_server_alpn_protocols = SSL_TSI_TEST_ALPN_NUM;
609 alpn_lib->num_client_alpn_protocols = SSL_TSI_TEST_ALPN_NUM;
610 alpn_lib->alpn_mode = NO_ALPN;
611 ssl_fixture->alpn_lib = alpn_lib;
612 ssl_fixture->base.vtable = &vtable;
613 ssl_fixture->server_name_indication = nullptr;
614 ssl_fixture->session_reused = false;
615 ssl_fixture->session_ticket_key = nullptr;
616 ssl_fixture->session_ticket_key_size = 0;
617 ssl_fixture->force_client_auth = false;
618 ssl_fixture->network_bio_buf_size = 0;
619 ssl_fixture->ssl_bio_buf_size = 0;
620 return &ssl_fixture->base;
621 }
622
ssl_tsi_test_do_handshake_tiny_handshake_buffer()623 void ssl_tsi_test_do_handshake_tiny_handshake_buffer() {
624 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_tiny_handshake_buffer");
625 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
626 fixture->handshake_buffer_size = TSI_TEST_TINY_HANDSHAKE_BUFFER_SIZE;
627 // Handshake buffer is too small to hold both handshake messages and the
628 // unused bytes.
629 fixture->test_unused_bytes = false;
630 tsi_test_do_handshake(fixture);
631 tsi_test_fixture_destroy(fixture);
632 }
633
ssl_tsi_test_do_handshake_small_handshake_buffer()634 void ssl_tsi_test_do_handshake_small_handshake_buffer() {
635 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_small_handshake_buffer");
636 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
637 fixture->handshake_buffer_size = TSI_TEST_SMALL_HANDSHAKE_BUFFER_SIZE;
638 tsi_test_do_handshake(fixture);
639 tsi_test_fixture_destroy(fixture);
640 }
641
ssl_tsi_test_do_handshake()642 void ssl_tsi_test_do_handshake() {
643 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake");
644 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
645 tsi_test_do_handshake(fixture);
646 tsi_test_fixture_destroy(fixture);
647 }
648
ssl_tsi_test_do_handshake_with_root_store()649 void ssl_tsi_test_do_handshake_with_root_store() {
650 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_root_store");
651 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
652 ssl_tsi_test_fixture* ssl_fixture =
653 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
654 ssl_fixture->key_cert_lib->use_root_store = true;
655 tsi_test_do_handshake(fixture);
656 tsi_test_fixture_destroy(fixture);
657 }
658
ssl_tsi_test_do_handshake_skipping_server_certificate_verification()659 void ssl_tsi_test_do_handshake_skipping_server_certificate_verification() {
660 gpr_log(GPR_INFO,
661 "ssl_tsi_test_do_handshake_skipping_server_certificate_verification");
662 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
663 ssl_tsi_test_fixture* ssl_fixture =
664 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
665 ssl_fixture->verify_root_cert_subject = false;
666 ssl_fixture->key_cert_lib->use_root_store = false;
667 ssl_fixture->key_cert_lib->use_pem_root_certs = false;
668 ssl_fixture->key_cert_lib->skip_server_certificate_verification = true;
669 tsi_test_do_handshake(fixture);
670 tsi_test_fixture_destroy(fixture);
671 }
672
ssl_tsi_test_do_handshake_with_large_server_handshake_messages(const std::string & trust_bundle)673 void ssl_tsi_test_do_handshake_with_large_server_handshake_messages(
674 const std::string& trust_bundle) {
675 gpr_log(GPR_INFO,
676 "ssl_tsi_test_do_handshake_with_large_server_handshake_messages");
677 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
678 // Force the test to read more handshake bytes from the peer than we have room
679 // for in the BIO. The default BIO buffer size is 17kB.
680 fixture->handshake_buffer_size = 18000;
681 ssl_tsi_test_fixture* ssl_fixture =
682 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
683 // Make a copy of the root cert and free the original.
684 std::string root_cert(ssl_fixture->key_cert_lib->root_cert);
685 gpr_free(ssl_fixture->key_cert_lib->root_cert);
686 ssl_fixture->key_cert_lib->root_cert = nullptr;
687 // Create a new root store, consisting of the root cert that is actually
688 // needed and 200 self-signed certs.
689 std::string effective_trust_bundle = absl::StrCat(root_cert, trust_bundle);
690 tsi_ssl_root_certs_store_destroy(ssl_fixture->key_cert_lib->root_store);
691 ssl_fixture->key_cert_lib->root_cert =
692 const_cast<char*>(effective_trust_bundle.c_str());
693 ssl_fixture->key_cert_lib->root_store =
694 tsi_ssl_root_certs_store_create(effective_trust_bundle.c_str());
695 ssl_fixture->key_cert_lib->use_root_store = true;
696 ssl_fixture->force_client_auth = true;
697 tsi_test_do_handshake(fixture);
698 // Overwrite the root_cert pointer so that tsi_test_fixture_destroy does not
699 // try to gpr_free it.
700 ssl_fixture->key_cert_lib->root_cert = nullptr;
701 tsi_test_fixture_destroy(fixture);
702 }
703
ssl_tsi_test_do_handshake_with_client_authentication()704 void ssl_tsi_test_do_handshake_with_client_authentication() {
705 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_client_authentication");
706 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
707 ssl_tsi_test_fixture* ssl_fixture =
708 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
709 ssl_fixture->force_client_auth = true;
710 tsi_test_do_handshake(fixture);
711 tsi_test_fixture_destroy(fixture);
712 }
713
ssl_tsi_test_do_handshake_with_client_authentication_and_root_store()714 void ssl_tsi_test_do_handshake_with_client_authentication_and_root_store() {
715 gpr_log(
716 GPR_INFO,
717 "ssl_tsi_test_do_handshake_with_client_authentication_and_root_store");
718 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
719 ssl_tsi_test_fixture* ssl_fixture =
720 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
721 ssl_fixture->force_client_auth = true;
722 ssl_fixture->key_cert_lib->use_root_store = true;
723 tsi_test_do_handshake(fixture);
724 tsi_test_fixture_destroy(fixture);
725 }
726
ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain()727 void ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain() {
728 gpr_log(GPR_INFO,
729 "ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain");
730 // server1 cert contains "waterzooi.test.google.be" in SAN.
731 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
732 ssl_tsi_test_fixture* ssl_fixture =
733 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
734 ssl_fixture->server_name_indication =
735 const_cast<char*>("waterzooi.test.google.be");
736 tsi_test_do_handshake(fixture);
737 tsi_test_fixture_destroy(fixture);
738 }
739
ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain()740 void ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain() {
741 gpr_log(
742 GPR_INFO,
743 "ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain");
744 // server1 cert contains "*.test.google.fr" in SAN.
745 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
746 ssl_tsi_test_fixture* ssl_fixture =
747 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
748 ssl_fixture->server_name_indication =
749 const_cast<char*>("juju.test.google.fr");
750 tsi_test_do_handshake(fixture);
751 tsi_test_fixture_destroy(fixture);
752 }
753
ssl_tsi_test_do_handshake_with_wrong_server_name_indication()754 void ssl_tsi_test_do_handshake_with_wrong_server_name_indication() {
755 gpr_log(GPR_INFO,
756 "ssl_tsi_test_do_handshake_with_wrong_server_name_indication");
757 // server certs do not contain "test.google.cn".
758 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
759 ssl_tsi_test_fixture* ssl_fixture =
760 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
761 ssl_fixture->server_name_indication =
762 const_cast<char*>(SSL_TSI_TEST_WRONG_SNI);
763 tsi_test_do_handshake(fixture);
764 tsi_test_fixture_destroy(fixture);
765 }
766
ssl_tsi_test_do_handshake_with_invalid_and_ignored_server_name_indication()767 void ssl_tsi_test_do_handshake_with_invalid_and_ignored_server_name_indication() {
768 gpr_log(GPR_INFO,
769 "ssl_tsi_test_do_handshake_with_wrong_server_name_indication");
770 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
771 ssl_tsi_test_fixture* ssl_fixture =
772 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
773 // SNI that's an IP address will be ignored.
774 ssl_fixture->server_name_indication =
775 const_cast<char*>(SSL_TSI_TEST_INVALID_SNI);
776 tsi_test_do_handshake(fixture);
777 tsi_test_fixture_destroy(fixture);
778 }
779
ssl_tsi_test_do_handshake_with_bad_server_cert()780 void ssl_tsi_test_do_handshake_with_bad_server_cert() {
781 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_bad_server_cert");
782 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
783 ssl_tsi_test_fixture* ssl_fixture =
784 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
785 ssl_fixture->key_cert_lib->use_bad_server_cert = true;
786 tsi_test_do_handshake(fixture);
787 tsi_test_fixture_destroy(fixture);
788 }
789
ssl_tsi_test_do_handshake_with_bad_client_cert()790 void ssl_tsi_test_do_handshake_with_bad_client_cert() {
791 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_bad_client_cert");
792 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
793 ssl_tsi_test_fixture* ssl_fixture =
794 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
795 ssl_fixture->key_cert_lib->use_bad_client_cert = true;
796 ssl_fixture->force_client_auth = true;
797 tsi_test_do_handshake(fixture);
798 tsi_test_fixture_destroy(fixture);
799 }
800
ssl_tsi_test_do_handshake_alpn_client_no_server()801 void ssl_tsi_test_do_handshake_alpn_client_no_server() {
802 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_client_no_server");
803 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
804 ssl_tsi_test_fixture* ssl_fixture =
805 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
806 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_NO_SERVER;
807 tsi_test_do_handshake(fixture);
808 tsi_test_fixture_destroy(fixture);
809 }
810
ssl_tsi_test_do_handshake_alpn_server_no_client()811 void ssl_tsi_test_do_handshake_alpn_server_no_client() {
812 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_server_no_client");
813 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
814 ssl_tsi_test_fixture* ssl_fixture =
815 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
816 ssl_fixture->alpn_lib->alpn_mode = ALPN_SERVER_NO_CLIENT;
817 tsi_test_do_handshake(fixture);
818 tsi_test_fixture_destroy(fixture);
819 }
820
ssl_tsi_test_do_handshake_alpn_client_server_mismatch()821 void ssl_tsi_test_do_handshake_alpn_client_server_mismatch() {
822 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_server_no_client");
823 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
824 ssl_tsi_test_fixture* ssl_fixture =
825 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
826 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_SERVER_MISMATCH;
827 tsi_test_do_handshake(fixture);
828 tsi_test_fixture_destroy(fixture);
829 }
830
ssl_tsi_test_do_handshake_alpn_client_server_ok()831 void ssl_tsi_test_do_handshake_alpn_client_server_ok() {
832 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_alpn_client_server_ok");
833 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
834 ssl_tsi_test_fixture* ssl_fixture =
835 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
836 ssl_fixture->alpn_lib->alpn_mode = ALPN_CLIENT_SERVER_OK;
837 tsi_test_do_handshake(fixture);
838 tsi_test_fixture_destroy(fixture);
839 }
840
ssl_tsi_test_do_round_trip_for_all_configs()841 void ssl_tsi_test_do_round_trip_for_all_configs() {
842 gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_for_all_configs");
843 unsigned int* bit_array = static_cast<unsigned int*>(
844 gpr_zalloc(sizeof(unsigned int) * TSI_TEST_NUM_OF_ARGUMENTS));
845 const unsigned int mask = 1U << (TSI_TEST_NUM_OF_ARGUMENTS - 1);
846 for (unsigned int val = 0; val < TSI_TEST_NUM_OF_COMBINATIONS; val++) {
847 unsigned int v = val;
848 for (unsigned int ind = 0; ind < TSI_TEST_NUM_OF_ARGUMENTS; ind++) {
849 bit_array[ind] = (v & mask) ? 1 : 0;
850 v <<= 1;
851 }
852 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
853 ssl_tsi_test_fixture* ssl_fixture =
854 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
855 tsi_test_frame_protector_config_destroy(ssl_fixture->base.config);
856 ssl_fixture->base.config = tsi_test_frame_protector_config_create(
857 bit_array[0], bit_array[1], bit_array[2], bit_array[3], bit_array[4],
858 bit_array[5], bit_array[6]);
859 tsi_test_do_round_trip(&ssl_fixture->base);
860 tsi_test_fixture_destroy(fixture);
861 }
862 gpr_free(bit_array);
863 }
864
ssl_tsi_test_do_round_trip_with_error_on_stack()865 void ssl_tsi_test_do_round_trip_with_error_on_stack() {
866 gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_with_error_on_stack");
867 // Invoke an SSL function that causes an error, and ensure the error
868 // makes it to the stack.
869 ASSERT_FALSE(EC_KEY_new_by_curve_name(NID_rsa));
870 ASSERT_NE(ERR_peek_error(), 0);
871 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
872 tsi_test_do_round_trip(fixture);
873 tsi_test_fixture_destroy(fixture);
874 }
875
ssl_tsi_test_do_round_trip_odd_buffer_size()876 void ssl_tsi_test_do_round_trip_odd_buffer_size() {
877 gpr_log(GPR_INFO, "ssl_tsi_test_do_round_trip_odd_buffer_size");
878 const size_t odd_sizes[] = {1025, 2051, 4103, 8207, 16409};
879 size_t size = sizeof(odd_sizes) / sizeof(size_t);
880 // 1. This test is extremely slow under MSAN and TSAN.
881 // 2. On 32-bit, the test is much slower (probably due to lack of boringssl
882 // asm optimizations) so we only run a subset of tests to avoid timeout.
883 // 3. On Mac OS, we have slower testing machines so we only run a subset
884 // of tests to avoid timeout.
885 if (is_slow_build()) {
886 size = 1;
887 }
888 for (size_t ind1 = 0; ind1 < size; ind1++) {
889 for (size_t ind2 = 0; ind2 < size; ind2++) {
890 for (size_t ind3 = 0; ind3 < size; ind3++) {
891 for (size_t ind4 = 0; ind4 < size; ind4++) {
892 for (size_t ind5 = 0; ind5 < size; ind5++) {
893 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
894 ssl_tsi_test_fixture* ssl_fixture =
895 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
896 tsi_test_frame_protector_config_set_buffer_size(
897 ssl_fixture->base.config, odd_sizes[ind1], odd_sizes[ind2],
898 odd_sizes[ind3], odd_sizes[ind4], odd_sizes[ind5]);
899 tsi_test_do_round_trip(&ssl_fixture->base);
900 tsi_test_fixture_destroy(fixture);
901 }
902 }
903 }
904 }
905 }
906 }
907
ssl_tsi_test_do_handshake_session_cache()908 void ssl_tsi_test_do_handshake_session_cache() {
909 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_session_cache");
910 tsi_ssl_session_cache* session_cache = tsi_ssl_session_cache_create_lru(16);
911 char session_ticket_key[kSessionTicketEncryptionKeySize];
912 auto do_handshake = [&session_ticket_key,
913 &session_cache](bool session_reused) {
914 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
915 ssl_tsi_test_fixture* ssl_fixture =
916 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
917 ssl_fixture->server_name_indication =
918 const_cast<char*>("waterzooi.test.google.be");
919 ssl_fixture->session_ticket_key = session_ticket_key;
920 ssl_fixture->session_ticket_key_size = sizeof(session_ticket_key);
921 tsi_ssl_session_cache_ref(session_cache);
922 ssl_fixture->session_cache = session_cache;
923 ssl_fixture->session_reused = session_reused;
924 tsi_test_do_round_trip(&ssl_fixture->base);
925 tsi_test_fixture_destroy(fixture);
926 };
927 memset(session_ticket_key, 'a', sizeof(session_ticket_key));
928 do_handshake(false);
929 do_handshake(true);
930 do_handshake(true);
931 // Changing session_ticket_key on server invalidates ticket.
932 memset(session_ticket_key, 'b', sizeof(session_ticket_key));
933 do_handshake(false);
934 do_handshake(true);
935 memset(session_ticket_key, 'c', sizeof(session_ticket_key));
936 do_handshake(false);
937 do_handshake(true);
938 tsi_ssl_session_cache_unref(session_cache);
939 }
940
ssl_tsi_test_do_handshake_with_intermediate_ca()941 void ssl_tsi_test_do_handshake_with_intermediate_ca() {
942 gpr_log(
943 GPR_INFO,
944 "ssl_tsi_test_do_handshake_with_client_authentication_and_root_store");
945 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
946 ssl_tsi_test_fixture* ssl_fixture =
947 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
948 ssl_fixture->force_client_auth = true;
949 ssl_fixture->key_cert_lib->use_root_store = true;
950 ssl_fixture->key_cert_lib->use_cert_signed_by_intermediate_ca = true;
951 tsi_test_do_handshake(fixture);
952 tsi_test_fixture_destroy(fixture);
953 }
954
955 static const tsi_ssl_handshaker_factory_vtable* original_vtable;
956 static bool handshaker_factory_destructor_called;
957
ssl_tsi_test_handshaker_factory_destructor(tsi_ssl_handshaker_factory * factory)958 static void ssl_tsi_test_handshaker_factory_destructor(
959 tsi_ssl_handshaker_factory* factory) {
960 ASSERT_NE(factory, nullptr);
961 handshaker_factory_destructor_called = true;
962 if (original_vtable != nullptr && original_vtable->destroy != nullptr) {
963 original_vtable->destroy(factory);
964 }
965 }
966
967 static tsi_ssl_handshaker_factory_vtable test_handshaker_factory_vtable = {
968 ssl_tsi_test_handshaker_factory_destructor};
969
test_tsi_ssl_client_handshaker_factory_refcounting()970 void test_tsi_ssl_client_handshaker_factory_refcounting() {
971 int i;
972 char* cert_chain = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "client.pem");
973
974 tsi_ssl_client_handshaker_options options;
975 options.pem_root_certs = cert_chain;
976 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
977 ASSERT_EQ(tsi_create_ssl_client_handshaker_factory_with_options(
978 &options, &client_handshaker_factory),
979 TSI_OK);
980
981 handshaker_factory_destructor_called = false;
982 original_vtable = tsi_ssl_handshaker_factory_swap_vtable(
983 reinterpret_cast<tsi_ssl_handshaker_factory*>(client_handshaker_factory),
984 &test_handshaker_factory_vtable);
985
986 tsi_handshaker* handshaker[3];
987
988 for (i = 0; i < 3; ++i) {
989 ASSERT_EQ(
990 tsi_ssl_client_handshaker_factory_create_handshaker(
991 client_handshaker_factory, "google.com", 0, 0, &handshaker[i]),
992 TSI_OK);
993 }
994
995 client_handshaker_factory =
996 tsi_ssl_client_handshaker_factory_ref(client_handshaker_factory);
997
998 tsi_handshaker_destroy(handshaker[1]);
999 ASSERT_FALSE(handshaker_factory_destructor_called);
1000
1001 tsi_handshaker_destroy(handshaker[0]);
1002 ASSERT_FALSE(handshaker_factory_destructor_called);
1003
1004 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory);
1005 ASSERT_FALSE(handshaker_factory_destructor_called);
1006
1007 tsi_handshaker_destroy(handshaker[2]);
1008 ASSERT_FALSE(handshaker_factory_destructor_called);
1009
1010 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory);
1011 ASSERT_TRUE(handshaker_factory_destructor_called);
1012 gpr_free(cert_chain);
1013 }
1014
test_tsi_ssl_server_handshaker_factory_refcounting()1015 void test_tsi_ssl_server_handshaker_factory_refcounting() {
1016 int i;
1017 tsi_ssl_server_handshaker_factory* server_handshaker_factory;
1018 tsi_handshaker* handshaker[3];
1019 const char* cert_chain =
1020 load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server0.pem");
1021 tsi_ssl_pem_key_cert_pair cert_pair;
1022
1023 cert_pair.cert_chain = cert_chain;
1024 cert_pair.private_key = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server0.key");
1025 tsi_ssl_server_handshaker_options options;
1026 options.pem_key_cert_pairs = &cert_pair;
1027 options.num_key_cert_pairs = 1;
1028 options.pem_client_root_certs = cert_chain;
1029
1030 ASSERT_EQ(tsi_create_ssl_server_handshaker_factory_with_options(
1031 &options, &server_handshaker_factory),
1032 TSI_OK);
1033
1034 handshaker_factory_destructor_called = false;
1035 original_vtable = tsi_ssl_handshaker_factory_swap_vtable(
1036 reinterpret_cast<tsi_ssl_handshaker_factory*>(server_handshaker_factory),
1037 &test_handshaker_factory_vtable);
1038
1039 for (i = 0; i < 3; ++i) {
1040 ASSERT_EQ(tsi_ssl_server_handshaker_factory_create_handshaker(
1041 server_handshaker_factory, 0, 0, &handshaker[i]),
1042 TSI_OK);
1043 }
1044
1045 tsi_handshaker_destroy(handshaker[1]);
1046 ASSERT_FALSE(handshaker_factory_destructor_called);
1047
1048 tsi_handshaker_destroy(handshaker[0]);
1049 ASSERT_FALSE(handshaker_factory_destructor_called);
1050
1051 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory);
1052 ASSERT_FALSE(handshaker_factory_destructor_called);
1053
1054 tsi_handshaker_destroy(handshaker[2]);
1055 ASSERT_TRUE(handshaker_factory_destructor_called);
1056
1057 ssl_test_pem_key_cert_pair_destroy(cert_pair);
1058 }
1059
1060 // Attempting to create a handshaker factory with invalid parameters should fail
1061 // but not crash.
test_tsi_ssl_client_handshaker_factory_bad_params()1062 void test_tsi_ssl_client_handshaker_factory_bad_params() {
1063 const char* cert_chain = "This is not a valid PEM file.";
1064
1065 tsi_ssl_client_handshaker_factory* client_handshaker_factory;
1066 tsi_ssl_client_handshaker_options options;
1067 options.pem_root_certs = cert_chain;
1068 ASSERT_EQ(tsi_create_ssl_client_handshaker_factory_with_options(
1069 &options, &client_handshaker_factory),
1070 TSI_INVALID_ARGUMENT);
1071 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory);
1072 }
1073
ssl_tsi_test_handshaker_factory_internals()1074 void ssl_tsi_test_handshaker_factory_internals() {
1075 gpr_log(GPR_INFO, "ssl_tsi_test_handshaker_factory_internals");
1076 test_tsi_ssl_client_handshaker_factory_refcounting();
1077 test_tsi_ssl_server_handshaker_factory_refcounting();
1078 test_tsi_ssl_client_handshaker_factory_bad_params();
1079 }
1080
ssl_tsi_test_duplicate_root_certificates()1081 void ssl_tsi_test_duplicate_root_certificates() {
1082 gpr_log(GPR_INFO, "ssl_tsi_test_duplicate_root_certificates");
1083 char* root_cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "ca.pem");
1084 char* dup_root_cert = static_cast<char*>(
1085 gpr_zalloc(sizeof(char) * (strlen(root_cert) * 2 + 1)));
1086 memcpy(dup_root_cert, root_cert, strlen(root_cert));
1087 memcpy(dup_root_cert + strlen(root_cert), root_cert, strlen(root_cert));
1088 tsi_ssl_root_certs_store* root_store =
1089 tsi_ssl_root_certs_store_create(dup_root_cert);
1090 ASSERT_NE(root_store, nullptr);
1091 // Free memory.
1092 tsi_ssl_root_certs_store_destroy(root_store);
1093 gpr_free(root_cert);
1094 gpr_free(dup_root_cert);
1095 }
1096
ssl_tsi_test_extract_x509_subject_names()1097 void ssl_tsi_test_extract_x509_subject_names() {
1098 gpr_log(GPR_INFO, "ssl_tsi_test_extract_x509_subject_names");
1099 char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "multi-domain.pem");
1100 tsi_peer peer;
1101 ASSERT_EQ(tsi_ssl_extract_x509_subject_names_from_pem_cert(cert, &peer),
1102 TSI_OK);
1103 // tsi_peer should include one subject, one common name, one certificate, one
1104 // security level, ten SAN fields, two DNS SAN fields, three URI fields, two
1105 // email addresses and two IP addresses.
1106 size_t expected_property_count = 22;
1107 ASSERT_EQ(peer.property_count, expected_property_count);
1108 // Check subject
1109 const char* expected_subject = "CN=xpigors,OU=Google,L=SF,ST=CA,C=US";
1110 const tsi_peer_property* property =
1111 tsi_peer_get_property_by_name(&peer, TSI_X509_SUBJECT_PEER_PROPERTY);
1112 ASSERT_NE(property, nullptr);
1113 ASSERT_EQ(
1114 memcmp(property->value.data, expected_subject, property->value.length),
1115 0);
1116 // Check common name
1117 const char* expected_cn = "xpigors";
1118 property = tsi_peer_get_property_by_name(
1119 &peer, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
1120 ASSERT_NE(property, nullptr);
1121 ASSERT_EQ(memcmp(property->value.data, expected_cn, property->value.length),
1122 0);
1123 // Check certificate data
1124 property = tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
1125 ASSERT_NE(property, nullptr);
1126 ASSERT_EQ(memcmp(property->value.data, cert, property->value.length), 0);
1127 // Check DNS
1128 ASSERT_EQ(
1129 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1130 "foo.test.domain.com"),
1131 1);
1132 ASSERT_EQ(
1133 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1134 "bar.test.domain.com"),
1135 1);
1136 ASSERT_EQ(
1137 check_property(&peer, TSI_X509_DNS_PEER_PROPERTY, "foo.test.domain.com"),
1138 1);
1139 ASSERT_EQ(
1140 check_property(&peer, TSI_X509_DNS_PEER_PROPERTY, "bar.test.domain.com"),
1141 1);
1142 // Check URI
1143 // Note that a valid SPIFFE certificate should only have one URI.
1144 ASSERT_EQ(
1145 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1146 "spiffe://foo.com/bar/baz"),
1147 1);
1148 ASSERT_EQ(
1149 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1150 "https://foo.test.domain.com/test"),
1151 1);
1152 ASSERT_EQ(
1153 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1154 "https://bar.test.domain.com/test"),
1155 1);
1156 ASSERT_EQ(check_property(&peer, TSI_X509_URI_PEER_PROPERTY,
1157 "spiffe://foo.com/bar/baz"),
1158 1);
1159 ASSERT_EQ(check_property(&peer, TSI_X509_URI_PEER_PROPERTY,
1160 "https://foo.test.domain.com/test"),
1161 1);
1162 ASSERT_EQ(check_property(&peer, TSI_X509_URI_PEER_PROPERTY,
1163 "https://bar.test.domain.com/test"),
1164 1);
1165 // Check email address
1166 ASSERT_EQ(
1167 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1168 "[email protected]"),
1169 1);
1170 ASSERT_EQ(
1171 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1172 "[email protected]"),
1173 1);
1174 ASSERT_EQ(check_property(&peer, TSI_X509_EMAIL_PEER_PROPERTY,
1175 "[email protected]"),
1176 1);
1177 ASSERT_EQ(check_property(&peer, TSI_X509_EMAIL_PEER_PROPERTY,
1178 "[email protected]"),
1179 1);
1180 // Check ip address
1181 ASSERT_EQ(
1182 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1183 "192.168.7.1"),
1184 1);
1185 ASSERT_EQ(
1186 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1187 "13::17"),
1188 1);
1189 ASSERT_EQ(check_property(&peer, TSI_X509_IP_PEER_PROPERTY, "192.168.7.1"), 1);
1190 ASSERT_EQ(check_property(&peer, TSI_X509_IP_PEER_PROPERTY, "13::17"), 1);
1191 // Check other fields
1192 ASSERT_EQ(
1193 check_property(&peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
1194 "other types of SAN"),
1195 1);
1196 // Free memory
1197 gpr_free(cert);
1198 tsi_peer_destruct(&peer);
1199 }
1200
ssl_tsi_test_extract_cert_chain()1201 void ssl_tsi_test_extract_cert_chain() {
1202 gpr_log(GPR_INFO, "ssl_tsi_test_extract_cert_chain");
1203 char* cert = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "server1.pem");
1204 char* ca = load_file(SSL_TSI_TEST_CREDENTIALS_DIR "ca.pem");
1205 char* chain = static_cast<char*>(
1206 gpr_zalloc(sizeof(char) * (strlen(cert) + strlen(ca) + 1)));
1207 memcpy(chain, cert, strlen(cert));
1208 memcpy(chain + strlen(cert), ca, strlen(ca));
1209 STACK_OF(X509)* cert_chain = sk_X509_new_null();
1210 ASSERT_NE(cert_chain, nullptr);
1211 BIO* bio = BIO_new_mem_buf(chain, strlen(chain));
1212 ASSERT_NE(bio, nullptr);
1213 STACK_OF(X509_INFO)* certInfos =
1214 PEM_X509_INFO_read_bio(bio, nullptr, nullptr, nullptr);
1215 ASSERT_NE(certInfos, nullptr);
1216 for (size_t i = 0; i < sk_X509_INFO_num(certInfos); i++) {
1217 X509_INFO* certInfo = sk_X509_INFO_value(certInfos, i);
1218 if (certInfo->x509 != nullptr) {
1219 ASSERT_NE(sk_X509_push(cert_chain, certInfo->x509), 0);
1220 #if OPENSSL_VERSION_NUMBER >= 0x10100000
1221 X509_up_ref(certInfo->x509);
1222 #else
1223 certInfo->x509->references += 1;
1224 #endif
1225 }
1226 }
1227 tsi_peer_property chain_property;
1228 ASSERT_EQ(tsi_ssl_get_cert_chain_contents(cert_chain, &chain_property),
1229 TSI_OK);
1230 ASSERT_EQ(
1231 memcmp(chain, chain_property.value.data, chain_property.value.length), 0);
1232 BIO_free(bio);
1233 gpr_free(chain);
1234 gpr_free(cert);
1235 gpr_free(ca);
1236 tsi_peer_property_destruct(&chain_property);
1237 sk_X509_INFO_pop_free(certInfos, X509_INFO_free);
1238 sk_X509_pop_free(cert_chain, X509_free);
1239 }
1240
ssl_tsi_test_do_handshake_with_custom_bio_pair()1241 void ssl_tsi_test_do_handshake_with_custom_bio_pair() {
1242 gpr_log(GPR_INFO, "ssl_tsi_test_do_handshake_with_custom_bio_pair");
1243 tsi_test_fixture* fixture = ssl_tsi_test_fixture_create();
1244 ssl_tsi_test_fixture* ssl_fixture =
1245 reinterpret_cast<ssl_tsi_test_fixture*>(fixture);
1246 #if OPENSSL_VERSION_NUMBER >= 0x10100000
1247 ssl_fixture->network_bio_buf_size = TSI_TEST_DEFAULT_BUFFER_SIZE;
1248 ssl_fixture->ssl_bio_buf_size = 256;
1249 #endif
1250 ssl_fixture->force_client_auth = true;
1251 tsi_test_do_handshake(fixture);
1252 tsi_test_fixture_destroy(fixture);
1253 }
1254
TEST(SslTransportSecurityTest,MainTest)1255 TEST(SslTransportSecurityTest, MainTest) {
1256 grpc_init();
1257 std::string trust_bundle = GenerateTrustBundle();
1258 const size_t number_tls_versions = 2;
1259 const tsi_tls_version tls_versions[] = {tsi_tls_version::TSI_TLS1_2,
1260 tsi_tls_version::TSI_TLS1_3};
1261 for (size_t i = 0; i < number_tls_versions; i++) {
1262 // Set the TLS version to be used in the tests.
1263 test_tls_version = tls_versions[i];
1264 for (bool send_client_ca_list : {true, false}) {
1265 test_send_client_ca_list = send_client_ca_list;
1266 ssl_tsi_test_do_handshake_tiny_handshake_buffer();
1267 ssl_tsi_test_do_handshake_small_handshake_buffer();
1268 ssl_tsi_test_do_handshake();
1269 ssl_tsi_test_do_handshake_with_root_store();
1270 ssl_tsi_test_do_handshake_with_large_server_handshake_messages(
1271 trust_bundle);
1272 ssl_tsi_test_do_handshake_with_client_authentication();
1273 ssl_tsi_test_do_handshake_with_client_authentication_and_root_store();
1274 ssl_tsi_test_do_handshake_with_server_name_indication_exact_domain();
1275 ssl_tsi_test_do_handshake_with_server_name_indication_wild_star_domain();
1276 ssl_tsi_test_do_handshake_with_invalid_and_ignored_server_name_indication();
1277 ssl_tsi_test_do_handshake_with_wrong_server_name_indication();
1278 ssl_tsi_test_do_handshake_with_bad_server_cert();
1279 ssl_tsi_test_do_handshake_with_bad_client_cert();
1280 // TODO(gregorycooke) - failing with OpenSSL1.0.2
1281 #if OPENSSL_VERSION_NUMBER >= 0x10100000
1282 ssl_tsi_test_do_handshake_skipping_server_certificate_verification();
1283 #endif // OPENSSL_VERSION_NUMBER >= 0x10100000
1284
1285 #ifdef OPENSSL_IS_BORINGSSL
1286 // BoringSSL and OpenSSL have different behaviors on mismatched ALPN.
1287 ssl_tsi_test_do_handshake_alpn_client_no_server();
1288 ssl_tsi_test_do_handshake_alpn_client_server_mismatch();
1289 // These tests fail with openssl3 and openssl111 currently but not
1290 // boringssl
1291 ssl_tsi_test_do_handshake_session_cache();
1292 ssl_tsi_test_do_round_trip_for_all_configs();
1293 ssl_tsi_test_do_round_trip_with_error_on_stack();
1294 ssl_tsi_test_do_round_trip_odd_buffer_size();
1295 #endif
1296 ssl_tsi_test_do_handshake_alpn_server_no_client();
1297 ssl_tsi_test_do_handshake_alpn_client_server_ok();
1298 ssl_tsi_test_handshaker_factory_internals();
1299 ssl_tsi_test_duplicate_root_certificates();
1300 ssl_tsi_test_extract_x509_subject_names();
1301 ssl_tsi_test_extract_cert_chain();
1302 ssl_tsi_test_do_handshake_with_custom_bio_pair();
1303 ssl_tsi_test_do_handshake_with_intermediate_ca();
1304 }
1305 }
1306 grpc_shutdown();
1307 }
1308
main(int argc,char ** argv)1309 int main(int argc, char** argv) {
1310 grpc::testing::TestEnvironment env(&argc, argv);
1311 ::testing::InitGoogleTest(&argc, argv);
1312 grpc::testing::TestGrpcScope grpc_scope;
1313 return RUN_ALL_TESTS();
1314 }
1315