alts: add gRPC TSI frame protector #3873
Conversation
Signed-off-by: Lizan Zhou <zlizan@google.com>
|
|
||
| // TODO(lizan): tune size later | ||
| unsigned char protected_buffer[16384]; | ||
| size_t protected_buffer_size = sizeof(protected_buffer); |
There was a problem hiding this comment.
nits: make this a const and use it to initialize protected_buffer[]
| input.drain(processed_message_size); | ||
| } | ||
|
|
||
| ASSERT(input.length() == 0); |
There was a problem hiding this comment.
Is this ASSERT redundant as the while condition guarantees input.length()==0 to exit the loop?
|
|
||
| ASSERT(input.length() == 0); | ||
| size_t still_pending_size; | ||
| do { |
There was a problem hiding this comment.
nits: can you add some comments about the need of calling tsi_frame_protector_protect_flush()?
|
|
||
| // TODO(lizan): Tune the buffer size. | ||
| unsigned char unprotected_buffer[16384]; | ||
| size_t unprotected_buffer_size = sizeof(unprotected_buffer); |
|
|
||
| while (input.length() > 0) { | ||
| auto* message_bytes = reinterpret_cast<unsigned char*>(input.linearize(input.length())); | ||
| size_t unprotected_buffer_size_to_send = unprotected_buffer_size; |
There was a problem hiding this comment.
The name |unprotected_buffer_size_to_send| is a confusing. I think unprotect() should be called on receiving path.
|
|
||
| { | ||
| Buffer::OwnedImpl input, encrypted; | ||
| input.add(std::string(20000, 'a')); |
There was a problem hiding this comment.
If you have a const for protected_buffer_size, you can use a relative larger number here instead of hard coding 20000.
There was a problem hiding this comment.
It is a coincidence that the frame size generated by fake frame protector is max at 16K and the buffer size is 16K, the hard code here is not reflecting the buffer size.
There was a problem hiding this comment.
I think this test case is testing protect() with |input| size larger than the buffer. So this line can be something more general, like: input.add(std::string(BUFFER_SIZE + 3620, 'a')); Am I misunderstanding?
There was a problem hiding this comment.
The frame size of fake frame protector output is define here, it is coincidence that is same as BUFFER_SIZE, but the test should be larger than the frame size, it is not depends on BUFFER_SIZE.
There was a problem hiding this comment.
Why is it testing against frame size which is not our implementation? I thought you meant to test protect() with input larger than |protected_buffer| which I think is worth to add if not covered yet.
There was a problem hiding this comment.
I meant the expected output below (L63) is depends on frame size in fake frame protector, the input here is to exceed the BUFFER_SIZE and they are just happened to be same.
We don't have visibility of BUFFER_SIZE in test.cc so I'll have to define BUFFER_SIZE, input.add(std::string(BUFFER_SIZE + 3620, 'a')) won't work anyway.
| input.add("foo"); | ||
|
|
||
| EXPECT_EQ(TSI_OK, frame_protector_.protect(input, encrypted)); | ||
| EXPECT_EQ("\x07\0\0\0foo"s, encrypted.toString()); |
There was a problem hiding this comment.
nits: comment where the prefix "\x07\0\0\0" comes from? I guess fake_frame_protector has a contract about how to generate it.
There was a problem hiding this comment.
There is comment at top of this file (L23)
Signed-off-by: Lizan Zhou <zlizan@google.com>
Signed-off-by: Lizan Zhou <zlizan@google.com>
Signed-off-by: Lizan Zhou <zlizan@google.com>
|
|
||
| // TSI may buffer some of the input in its internal, flushing its buffer to protected_buffer to | ||
| // avoid some of input is not written to socket. | ||
| size_t still_pending_size; |
There was a problem hiding this comment.
// TSI may buffer some of the input internally. Flush its buffer to protected_buffer.
?
| auto* message_bytes = reinterpret_cast<unsigned char*>(input.linearize(input.length())); | ||
| size_t unprotected_buffer_size = BUFFER_SIZE; | ||
| size_t processed_message_size = input.length(); | ||
| tsi_result result = tsi_frame_protector_unprotect(frame_protector_.get(), message_bytes, |
There was a problem hiding this comment.
Sanity check, there's no flushing problem in this direction?
There was a problem hiding this comment.
No, there is no tsi_frame_protector_unprotect_flush.
|
|
||
| /** | ||
| * Wrapper for tsi_frame_protector_protect | ||
| * @param input supplies the input buffer, the method will drain it when it is processed. |
There was a problem hiding this comment.
input supplies the input buffer -> input supplies the data to protect.
ditto below for unprotect
| /** | ||
| * Wrapper for tsi_frame_protector_protect | ||
| * @param input supplies the input buffer, the method will drain it when it is processed. | ||
| * @param output supplies the output buffer |
There was a problem hiding this comment.
output supplies the buffer where the protected data will be stored.
Ditto for unprotect
| protected_buffer, &protected_buffer_size); | ||
| if (result != TSI_OK) { | ||
| ASSERT(result != TSI_INVALID_ARGUMENT && result != TSI_UNIMPLEMENTED); | ||
| return result; |
There was a problem hiding this comment.
Signed-off-by: Lizan Zhou <zlizan@google.com>
Signed-off-by: Lizan Zhou <zlizan@google.com>
Signed-off-by: Lizan Zhou zlizan@google.com
Description:
2nd PR for #3429, add frame protector.
Risk Level: Low (not enabled in main)
Testing:
bazel test //test/...Docs Changes: N/A
Release Notes: N/A