advancedTLS: unset a deprecated field after copying it (#7239)

Gregory Cooke 2024-05-21 00:25:48 -04:00 committed by GitHub
parent 2174ea60df
commit 2d2f417db3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 22 additions and 0 deletions


@ -315,6 +315,9 @@ func (o *Options) clientConfig() (*tls.Config, error) {
// the setting int the right place. // the setting int the right place.
if o.RootOptions.RootCACerts != nil { if o.RootOptions.RootCACerts != nil {
o.RootOptions.RootCertificates = o.RootOptions.RootCACerts o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
// There are additional checks that only 1 field of `RootOptions` is
// non-nil, so set the deprecated field to nil
o.RootOptions.RootCACerts = nil
} }
if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification") return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification")
@ -425,6 +428,9 @@ func (o *Options) serverConfig() (*tls.Config, error) {
// the setting int the right place. // the setting int the right place.
if o.RootOptions.RootCACerts != nil { if o.RootOptions.RootCACerts != nil {
o.RootOptions.RootCertificates = o.RootOptions.RootCACerts o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
// There are additional checks that only 1 field of `RootOptions` is
// non-nil, so set the deprecated field to nil
o.RootOptions.RootCACerts = nil
} }
if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)") return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")
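Review bot: Clearing `o.RootOptions.RootCACerts` right after the copy in clientConfig() means a caller who set both the deprecated field and `RootCertificates` is no longer caught by the later only-one-field check, and the deprecated pool silently replaces the trust anchors they chose. If that combination is meant to be rejected, test for it before the copy, for example `if o.RootOptions.RootCertificates != nil { return nil, fmt.Errorf("RootCACerts and RootCertificates must not both be set") }`. The identical block in serverConfig() has the same gap. Both functions begin and end outside the hunks, so the check the new comment refers to is not visible here and this should be confirmed against it. The doc comment on each method should also say that it modifies the caller's Options.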


@ -188,6 +188,13 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS13, MaxVersion: tls.VersionTLS13,
}, },
{
desc: "Deprecated option is set and forwarded",
clientVerificationType: CertVerification,
RootOptions: RootCertificateOptions{
RootCACerts: x509.NewCertPool(),
},
},
} }
for _, test := range tests { for _, test := range tests {
test := test test := test
@ -351,6 +358,15 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS13, MaxVersion: tls.VersionTLS13,
}, },
{
desc: "Deprecated option is set and forwarded",
IdentityOptions: IdentityCertificateOptions{
Certificates: []tls.Certificate{},
},
RootOptions: RootCertificateOptions{
RootCACerts: x509.NewCertPool(),
},
},
} }
for _, test := range tests { for _, test := range tests {
test := test test := test
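Review bot: The two new "Deprecated option is set and forwarded" entries sit in the success-case tables, and nothing in the visible lines asserts the forwarding that the description promises. As far as can be seen here they only prove that building the config no longer errors when `RootCACerts` is set. The loop bodies lie outside the hunk, so this may already be covered, but if it is not, the test should check after the config call that `RootOptions.RootCertificates` holds the supplied pool and that `RootOptions.RootCACerts` is nil. A non-empty pool would make that check meaningful, since `x509.NewCertPool()` cannot be told apart from any other empty pool. A failure case with both `RootCACerts` and `RootCertificates` set would pin down which one is meant to win.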