Skip to content
Permalink
Browse files

credentials: Use net.SplitHostPort safely parse IPv6 authorities in C…

…lientHandshake (#3082)
  • Loading branch information...
jpbetz authored and easwars committed Oct 9, 2019
1 parent ff0c603 commit f07f2cffa0a190ea48a4a3adb042d12cb87353ab
Showing with 48 additions and 17 deletions.
  1. +6 −5 credentials/credentials.go
  2. +42 −12 credentials/credentials_test.go
@@ -30,9 +30,9 @@ import (
"fmt"
"io/ioutil"
"net"
"strings"

"github.com/golang/protobuf/proto"

"google.golang.org/grpc/credentials/internal"
ginternal "google.golang.org/grpc/internal"
)
@@ -168,11 +168,12 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon
// use local cfg to avoid clobbering ServerName if using multiple endpoints
cfg := cloneTLSConfig(c.config)
if cfg.ServerName == "" {
colonPos := strings.LastIndex(authority, ":")
if colonPos == -1 {
colonPos = len(authority)
serverName, _, err := net.SplitHostPort(authority)
if err != nil {
// If the authority had no host port or if the authority cannot be parsed, use it as-is.
serverName = authority
}
cfg.ServerName = authority[:colonPos]
cfg.ServerName = serverName
}
conn := tls.Client(rawConn, cfg)
errChannel := make(chan error, 1)
@@ -23,6 +23,7 @@ import (
"crypto/tls"
"net"
"reflect"
"strings"
"testing"

"google.golang.org/grpc/testdata"
@@ -55,18 +56,40 @@ func TestTLSClone(t *testing.T) {
type serverHandshake func(net.Conn) (AuthInfo, error)

func TestClientHandshakeReturnsAuthInfo(t *testing.T) {
done := make(chan AuthInfo, 1)
lis := launchServer(t, tlsServerHandshake, done)
defer lis.Close()
lisAddr := lis.Addr().String()
clientAuthInfo := clientHandle(t, gRPCClientHandshake, lisAddr)
// wait until server sends serverAuthInfo or fails.
serverAuthInfo, ok := <-done
if !ok {
t.Fatalf("Error at server-side")
tcs := []struct {
name string
address string
}{
{
name: "localhost",
address: "localhost:0",
},
{
name: "ipv4",
address: "127.0.0.1:0",
},
{
name: "ipv6",
address: "[::1]:0",
},
}
if !compare(clientAuthInfo, serverAuthInfo) {
t.Fatalf("c.ClientHandshake(_, %v, _) = %v, want %v.", lisAddr, clientAuthInfo, serverAuthInfo)

for _, tc := range tcs {
t.Run(tc.name, func(t *testing.T) {
done := make(chan AuthInfo, 1)
lis := launchServerOnListenAddress(t, tlsServerHandshake, done, tc.address)
defer lis.Close()
lisAddr := lis.Addr().String()
clientAuthInfo := clientHandle(t, gRPCClientHandshake, lisAddr)
// wait until server sends serverAuthInfo or fails.
serverAuthInfo, ok := <-done
if !ok {
t.Fatalf("Error at server-side")
}
if !compare(clientAuthInfo, serverAuthInfo) {
t.Fatalf("c.ClientHandshake(_, %v, _) = %v, want %v.", lisAddr, clientAuthInfo, serverAuthInfo)
}
})
}
}

@@ -121,8 +144,15 @@ func compare(a1, a2 AuthInfo) bool {
}

func launchServer(t *testing.T, hs serverHandshake, done chan AuthInfo) net.Listener {
lis, err := net.Listen("tcp", "localhost:0")
return launchServerOnListenAddress(t, hs, done, "localhost:0")
}

func launchServerOnListenAddress(t *testing.T, hs serverHandshake, done chan AuthInfo, address string) net.Listener {
lis, err := net.Listen("tcp", address)
if err != nil {
if strings.Contains(err.Error(), "bind: cannot assign requested address") {
t.Skip("missing IPv6 support")
}
t.Fatalf("Failed to listen: %v", err)
}
go serverHandle(t, hs, done, lis)

0 comments on commit f07f2cf

Please sign in to comment.
You can’t perform that action at this time.