// // // Copyright 2022 gRPC authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // #ifndef GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H #define GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H #include <grpc/support/port_platform.h> #include <openssl/x509.h> #include "absl/strings/string_view.h" #include <grpc/grpc_security_constants.h> #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h" #include "src/core/tsi/transport_security_interface.h" namespace grpc_core { // Converts an SSL error status code to a readable string. // // error: the SSL error status code. // // return: the corresponding status string. const char* SslErrorString(int error); // Logs the SSL error stack. void LogSslErrorStack(void); // Performs an SSL_write and handle errors. // // ssl: the SSL object to write to. // unprotected_bytes: the buffer containing the bytes for writing to |ssl|. // unprotected_bytes_size: the size of the buffer |unprotected_bytes|. // // return: TSI_OK if the write operation succeeds or corresponding TSI errors. tsi_result DoSslWrite(SSL* ssl, unsigned char* unprotected_bytes, size_t unprotected_bytes_size); // Performs an SSL_read and handle errors. // // ssl: the SSL object to read from. // unprotected_bytes: the buffer to which this function will populate the read // result from |ssl|. // unprotected_bytes_size: the maximum size of the buffer |unprotected_bytes|. // This will be populated with the size of the bytes // read from |ssl| if this function returns TSI_OK. // // return: TSI_OK if the write operation succeeds or corresponding TSI errors. tsi_result DoSslRead(SSL* ssl, unsigned char* unprotected_bytes, size_t* unprotected_bytes_size); // Builds a maximum-size TLS frame if there is enough (|buffer_offset| + // |unprotected_bytes_size| >= |buffers_size|) data. Otherwise it copies the // |unprotected_bytes| into |buffer| and returns TSI_OK. // // unprotected_bytes: pointing to the buffer containing the plaintext to be // protected. // buffer_size: the size of |buffer|. If |buffer_offset| equals |buffer_size|, // then we have enough data to create a TLS frame. // buffer_offset: the offset of |buffer|. The data in |buffer| up to // |buffer_offset| are valid data. This will be updated whenever // new data are copied into |buffer|. // buffer: the buffer holding the data that has not been sent for protecting. // ssl: the |SSL| object that protects the data. // network_io: the |BIO| object associated with |ssl|. // unprotected_bytes_size: the size of the unprotected plaintext. This will be // populated with the size of data that is consumed by // this function. Caller can use this to see the size of // unconsumed data in |unprotected_bytes|. // protected_output_frames: the TLS frames built out of the plaintext. // protected_output_frames_size: the size of the TLS frames built. // // return: TSI_OK if either successfully created a TSI frame or copied the // |unprotected_data| into |buffer|. Returns corresponding TSI errors // otherwise. tsi_result SslProtectorProtect(const unsigned char* unprotected_bytes, const size_t buffer_size, size_t& buffer_offset, unsigned char* buffer, SSL* ssl, BIO* network_io, std::size_t* unprotected_bytes_size, unsigned char* protected_output_frames, size_t* protected_output_frames_size); // Builds a TLS frame out of the remaining plaintext bytes that's left in // buffer. Populates the size of the remianing TLS frame to // |still_pending_size|. // // buffer_size: the size of |buffer|. If |buffer_offset| equals |buffer_size|, // then we have enough data to create a TLS frame. // buffer_offset: the offset of |buffer|. The data in |buffer| up to // |buffer_offset| are valid data. This will be updated whenever // new data are copied into |buffer|. // buffer: the buffer holding the data that has not been sent for protecting. // ssl: the |SSL| object that protects the data. // network_io: the |BIO| object associated with |ssl|. // protected_output_frames: the TLS frames built out of the plaintext. // protected_output_frames_size: the size of the TLS frames built. // still_pending_size: the size of the bytes that remains in |network_io|. // // return: TSI_OK if successfully created a TSI frame. Returns corresponding TSI // errors otherwise. tsi_result SslProtectorProtectFlush(size_t& buffer_offset, unsigned char* buffer, SSL* ssl, BIO* network_io, unsigned char* protected_output_frames, size_t* protected_output_frames_size, size_t* still_pending_size); // Extracts the plaintext from a TLS frame. // // protected_frames_bytes: the TLS frame to extract plaintext from. // ssl: the |SSL| object that protects the data. // network_io: the |BIO| object associated with |ssl|. // unprotected_bytes_size: the size of the unprotected plaintext. This will be // populated with the size of data that is consumed by // this function. Caller can use this to see the size of // unconsumed data in |unprotected_bytes|. // protected_output_frames: the TLS frames built out of the plaintext. // protected_output_frames_size: the size of the TLS frames built. // // return: TSI_OK if either successfully created a TSI frame or copied the // |unprotected_data| into |buffer|. Returns corresponding TSI errors // otherwise. tsi_result SslProtectorUnprotect(const unsigned char* protected_frames_bytes, SSL* ssl, BIO* network_io, size_t* protected_frames_bytes_size, unsigned char* unprotected_bytes, size_t* unprotected_bytes_size); } // namespace grpc_core #endif // GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H
Codebase Browser
chromium