Automated fix for refs/heads/master

src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc

@@ -154,6 +154,75 @@ static tsi_result handshaker_result_extract_peer(
   return ok;
 }
 
+static tsi_result handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* self, tsi_peer* local_peer) {
+  if (self == nullptr || local_peer == nullptr) {
+    gpr_log(GPR_ERROR, "Invalid argument to handshaker_result_extract_peer()");
+    return TSI_INVALID_ARGUMENT;
+  }
+  alts_tsi_handshaker_result* result =
+      reinterpret_cast<alts_tsi_handshaker_result*>(
+          const_cast<tsi_handshaker_result*>(self));
+  GPR_ASSERT(kTsiAltsNumOfPeerProperties == 5);
+  tsi_result ok = tsi_construct_peer(kTsiAltsNumOfPeerProperties, local_peer);
+  int index = 0;
+  if (ok != TSI_OK) {
+    gpr_log(GPR_ERROR, "Failed to construct tsi peer");
+    return ok;
+  }
+  GPR_ASSERT(&local_peer->properties[index] != nullptr);
+  ok = tsi_construct_string_peer_property_from_cstring(
+      TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_ALTS_CERTIFICATE_TYPE,
+      &local_peer->properties[index]);
+  if (ok != TSI_OK) {
+    tsi_peer_destruct(local_peer);
+    gpr_log(GPR_ERROR, "Failed to set tsi peer property");
+    return ok;
+  }
+  index++;
+  GPR_ASSERT(&local_peer->properties[index] != nullptr);
+  ok = tsi_construct_string_peer_property_from_cstring(
+      TSI_ALTS_SERVICE_ACCOUNT_PEER_PROPERTY, result->peer_identity,
+      &local_peer->properties[index]);
+  if (ok != TSI_OK) {
+    tsi_peer_destruct(local_peer);
+    gpr_log(GPR_ERROR, "Failed to set tsi peer property");
+  }
+  index++;
+  GPR_ASSERT(&local_peer->properties[index] != nullptr);
+  ok = tsi_construct_string_peer_property(
+      TSI_ALTS_RPC_VERSIONS,
+      reinterpret_cast<char*>(GRPC_SLICE_START_PTR(result->rpc_versions)),
+      GRPC_SLICE_LENGTH(result->rpc_versions), &local_peer->properties[index]);
+  if (ok != TSI_OK) {
+    tsi_peer_destruct(local_peer);
+    gpr_log(GPR_ERROR, "Failed to set tsi peer property");
+  }
+  index++;
+  GPR_ASSERT(&local_peer->properties[index] != nullptr);
+  ok = tsi_construct_string_peer_property(
+      TSI_ALTS_CONTEXT,
+      reinterpret_cast<char*>(GRPC_SLICE_START_PTR(result->serialized_context)),
+      GRPC_SLICE_LENGTH(result->serialized_context),
+      &local_peer->properties[index]);
+  if (ok != TSI_OK) {
+    tsi_peer_destruct(local_peer);
+    gpr_log(GPR_ERROR, "Failed to set tsi peer property");
+  }
+  index++;
+  GPR_ASSERT(&local_peer->properties[index] != nullptr);
+  ok = tsi_construct_string_peer_property_from_cstring(
+      TSI_SECURITY_LEVEL_PEER_PROPERTY,
+      tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
+      &local_peer->properties[index]);
+  if (ok != TSI_OK) {
+    tsi_peer_destruct(local_peer);
+    gpr_log(GPR_ERROR, "Failed to set tsi peer property");
+  }
+  GPR_ASSERT(++index == kTsiAltsNumOfPeerProperties);
+  return ok;
+}
+
 static tsi_result handshaker_result_get_frame_protector_type(
     const tsi_handshaker_result* /*self*/,
     tsi_frame_protector_type* frame_protector_type) {
@@ -257,6 +326,7 @@ static void handshaker_result_destroy(tsi_handshaker_result* self) {
 
 static const tsi_handshaker_result_vtable result_vtable = {
     handshaker_result_extract_peer,
+    handshaker_result_extract_local_peer,
     handshaker_result_get_frame_protector_type,
     handshaker_result_create_zero_copy_grpc_protector,
     handshaker_result_create_frame_protector,

src/core/tsi/fake_transport_security.cc

@@ -545,6 +545,23 @@ static tsi_result fake_handshaker_result_extract_peer(
   return result;
 }
 
+static tsi_result fake_handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* /*self*/, tsi_peer* local_peer) {
+  // Construct a tsi_peer with 1 property: certificate type, security_level.
+  tsi_result result = tsi_construct_peer(2, local_peer);
+  if (result != TSI_OK) return result;
+  result = tsi_construct_string_peer_property_from_cstring(
+      TSI_CERTIFICATE_TYPE_PEER_PROPERTY, TSI_FAKE_CERTIFICATE_TYPE,
+      &local_peer->properties[0]);
+  if (result != TSI_OK) tsi_peer_destruct(local_peer);
+  result = tsi_construct_string_peer_property_from_cstring(
+      TSI_SECURITY_LEVEL_PEER_PROPERTY,
+      tsi_security_level_to_string(TSI_SECURITY_NONE),
+      &local_peer->properties[1]);
+  if (result != TSI_OK) tsi_peer_destruct(local_peer);
+  return result;
+}
+
 static tsi_result fake_handshaker_result_get_frame_protector_type(
     const tsi_handshaker_result* /*self*/,
     tsi_frame_protector_type* frame_protector_type) {
@@ -587,6 +604,7 @@ static void fake_handshaker_result_destroy(tsi_handshaker_result* self) {
 
 static const tsi_handshaker_result_vtable handshaker_result_vtable = {
     fake_handshaker_result_extract_peer,
+    fake_handshaker_result_extract_local_peer,
     fake_handshaker_result_get_frame_protector_type,
     fake_handshaker_result_create_zero_copy_grpc_protector,
     fake_handshaker_result_create_frame_protector,

src/core/tsi/local_transport_security.cc

@@ -58,6 +58,11 @@ tsi_result handshaker_result_extract_peer(const tsi_handshaker_result* /*self*/,
   return TSI_OK;
 }
 
+tsi_result handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* /*self*/, tsi_peer* /*peer*/) {
+  return TSI_OK;
+}
+
 tsi_result handshaker_result_get_frame_protector_type(
     const tsi_handshaker_result* /*self*/,
     tsi_frame_protector_type* frame_protector_type) {
@@ -92,6 +97,7 @@ void handshaker_result_destroy(tsi_handshaker_result* self) {
 
 const tsi_handshaker_result_vtable result_vtable = {
     handshaker_result_extract_peer,
+    handshaker_result_extract_local_peer,
     handshaker_result_get_frame_protector_type,
     nullptr,  // handshaker_result_create_zero_copy_grpc_protector
     nullptr,  // handshaker_result_create_frame_protector

src/core/tsi/ssl_transport_security.cc

@@ -23,6 +23,8 @@
 #include <limits.h>
 #include <string.h>
 
+#include <memory>
+
 // TODO(jboeuf): refactor inet_ntop into a portability header.
 // Note: for whomever reads this and tries to refactor this, this
 // can't be in grpc, it has to be in gpr.
@@ -1254,6 +1256,57 @@ static tsi_result ssl_handshaker_result_extract_peer(
   return result;
 }
 
+static tsi_result ssl_handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* self, tsi_peer* local_peer) {
+  tsi_result result = TSI_OK;
+  const unsigned char* alpn_selected = nullptr;
+  unsigned int alpn_selected_len;
+  const tsi_ssl_handshaker_result* impl =
+      reinterpret_cast<const tsi_ssl_handshaker_result*>(self);
+  X509* local_cert = SSL_get_certificate(impl->ssl);
+  if (local_cert != nullptr) {
+    result = peer_from_x509(local_cert, 1, local_peer);
+    X509_free(local_cert);
+    if (result != TSI_OK) return result;
+  }
+#if TSI_OPENSSL_ALPN_SUPPORT
+  SSL_get0_alpn_selected(impl->ssl, &alpn_selected, &alpn_selected_len);
+#endif  // TSI_OPENSSL_ALPN_SUPPORT
+  if (alpn_selected == nullptr) {
+    // Try npn.
+    SSL_get0_next_proto_negotiated(impl->ssl, &alpn_selected,
+                                   &alpn_selected_len);
+  }
+
+  // 1 is for session reused property.
+  size_t new_property_count = local_peer->property_count + 3;
+  if (alpn_selected != nullptr) new_property_count++;
+  tsi_peer_property* new_properties = static_cast<tsi_peer_property*>(
+      gpr_zalloc(sizeof(*new_properties) * new_property_count));
+  for (size_t i = 0; i < local_peer->property_count; i++) {
+    new_properties[i] = local_peer->properties[i];
+  }
+  if (local_peer->properties != nullptr) gpr_free(local_peer->properties);
+  local_peer->properties = new_properties;
+  if (alpn_selected != nullptr) {
+    result = tsi_construct_string_peer_property(
+        TSI_SSL_ALPN_SELECTED_PROTOCOL,
+        reinterpret_cast<const char*>(alpn_selected), alpn_selected_len,
+        &local_peer->properties[local_peer->property_count]);
+    if (result != TSI_OK) return result;
+    local_peer->property_count++;
+  }
+  // Add security_level peer property.
+  result = tsi_construct_string_peer_property_from_cstring(
+      TSI_SECURITY_LEVEL_PEER_PROPERTY,
+      tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
+      &local_peer->properties[local_peer->property_count]);
+  if (result != TSI_OK) return result;
+  local_peer->property_count++;
+
+  return result;
+}
+
 static tsi_result ssl_handshaker_result_get_frame_protector_type(
     const tsi_handshaker_result* /*self*/,
     tsi_frame_protector_type* frame_protector_type) {
@@ -1327,6 +1380,7 @@ static void ssl_handshaker_result_destroy(tsi_handshaker_result* self) {
 
 static const tsi_handshaker_result_vtable handshaker_result_vtable = {
     ssl_handshaker_result_extract_peer,
+    ssl_handshaker_result_extract_local_peer,
     ssl_handshaker_result_get_frame_protector_type,
     nullptr,  // create_zero_copy_grpc_protector
     ssl_handshaker_result_create_frame_protector,
@@ -1393,6 +1447,16 @@ static tsi_result ssl_handshaker_get_result(tsi_ssl_handshaker* impl) {
   return impl->result;
 }
 
+void print_cert_info(X509* cert) {
+  BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+  X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE);
+  BIO_puts(bio, "\n");
+  X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
+  BIO_puts(bio, "\n");
+
+  BIO_free(bio);
+}
+
 static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl,
                                               std::string* error) {
   if (ssl_handshaker_get_result(impl) != TSI_HANDSHAKE_IN_PROGRESS) {
@@ -1403,6 +1467,11 @@ static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl,
     // Get ready to get some bytes from SSL.
     int ssl_result = SSL_do_handshake(impl->ssl);
     ssl_result = SSL_get_error(impl->ssl, ssl_result);
+    printf("***** Handshake successful p\n");
+    X509* server_cert = SSL_get_certificate(impl->ssl);
+    if (server_cert) {
+      X509_print_fp(stderr, server_cert);
+    }
     switch (ssl_result) {
       case SSL_ERROR_WANT_READ:
         if (BIO_pending(impl->network_io) == 0) {

src/core/tsi/transport_security.cc

@@ -263,6 +263,16 @@ tsi_result tsi_handshaker_result_extract_peer(const tsi_handshaker_result* self,
   return self->vtable->extract_peer(self, peer);
 }
 
+tsi_result tsi_handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* self, tsi_peer* local_peer) {
+  if (self == nullptr || self->vtable == nullptr || local_peer == nullptr) {
+    return TSI_INVALID_ARGUMENT;
+  }
+  memset(local_peer, 0, sizeof(tsi_peer));
+  if (self->vtable->extract_local_peer == nullptr) return TSI_UNIMPLEMENTED;
+  return self->vtable->extract_local_peer(self, local_peer);
+}
+
 tsi_result tsi_handshaker_result_get_frame_protector_type(
     const tsi_handshaker_result* self,
     tsi_frame_protector_type* frame_protector_type) {

src/core/tsi/transport_security.h

@@ -100,6 +100,8 @@ struct tsi_handshaker {
 //
 struct tsi_handshaker_result_vtable {
   tsi_result (*extract_peer)(const tsi_handshaker_result* self, tsi_peer* peer);
+  tsi_result (*extract_local_peer)(const tsi_handshaker_result* self,
+                                   tsi_peer* local_peer);
   tsi_result (*get_frame_protector_type)(
       const tsi_handshaker_result* self,
       tsi_frame_protector_type* frame_protector_type);

src/core/tsi/transport_security_interface.h

@@ -258,6 +258,11 @@ typedef struct tsi_handshaker_result tsi_handshaker_result;
 tsi_result tsi_handshaker_result_extract_peer(const tsi_handshaker_result* self,
                                               tsi_peer* peer);
 
+// This method extracts tsi local peer. It returns TSI_OK assuming there is no
+// fatal error. The caller is responsible for destructing the local peer.
+tsi_result tsi_handshaker_result_extract_local_peer(
+    const tsi_handshaker_result* self, tsi_peer* local_peer);
+
 // This method indicates what type of frame protector is provided by the
 // TSI implementation.
 tsi_result tsi_handshaker_result_get_frame_protector_type(