Clean up code and slight refactor for handshake internals functions

Author: anniefrchz

src/core/tsi/ssl_transport_security.cc

@@ -189,8 +189,8 @@ struct tsi_ssl_handshaker : public tsi_handshaker,
   // Will be set if there is a pending call to tsi_handshaker_next(),
   // or nullopt if not.
   std::optional<HandshakerNextArgs> handshaker_next_args ABSL_GUARDED_BY(mu);
-  const void MaybeSetError(std::string error)
-      ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu) {
+  void MaybeSetError(std::string error) const
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
     if (!handshaker_next_args.has_value()) return;
     if (handshaker_next_args->error_ptr == nullptr) return;
     *handshaker_next_args->error_ptr = std::move(error);
@@ -208,7 +208,7 @@ struct tsi_ssl_handshaker : public tsi_handshaker,
 
 static std::pair<tsi_result, std::optional<HandshakerNextArgs>>
 ssl_handshaker_next_async(tsi_ssl_handshaker* self)
-    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&self->mu);
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu);
 
 struct tsi_ssl_handshaker_result {
   tsi_handshaker_result base;
@@ -455,13 +455,8 @@ enum ssl_private_key_result_t TlsPrivateKeySignWrapper(
       &result,
       [&](absl::StatusOr<std::string>* status_or_string)
           ABSL_NO_THREAD_SAFETY_ANALYSIS {
-            if (status_or_string->ok()) {
-              handshaker->signed_bytes = std::move(*status_or_string);
-              return TlsPrivateKeyOffloadComplete(ssl, out, out_len, max_out);
-            } else {
-              handshaker->MaybeSetError(status_or_string->status().ToString());
-              return ssl_private_key_failure;
-            }
+            handshaker->signed_bytes = std::move(*status_or_string);
+            return TlsPrivateKeyOffloadComplete(ssl, out, out_len, max_out);
           },
       [&](std::shared_ptr<grpc_core::PrivateKeySigner::AsyncSigningHandle>*
               async_handler) ABSL_NO_THREAD_SAFETY_ANALYSIS {
@@ -2035,11 +2030,11 @@ static const tsi_handshaker_result_vtable handshaker_result_vtable = {
 
 static tsi_result ssl_handshaker_result_create(
     tsi_ssl_handshaker* handshaker, unsigned char* unused_bytes,
-    size_t unused_bytes_size, tsi_handshaker_result** handshaker_result,
-    std::string* error) {
+    size_t unused_bytes_size, tsi_handshaker_result** handshaker_result)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   if (handshaker == nullptr || handshaker_result == nullptr ||
       (unused_bytes_size > 0 && unused_bytes == nullptr)) {
-    if (error != nullptr) *error = "invalid argument";
+    if (handshaker != nullptr) handshaker->MaybeSetError("invalid argument");
     return TSI_INVALID_ARGUMENT;
   }
   tsi_ssl_handshaker_result* result =
@@ -2060,11 +2055,11 @@ static tsi_result ssl_handshaker_result_create(
 // --- tsi_handshaker methods implementation. ---
 
 static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(
-    tsi_ssl_handshaker* impl, unsigned char* bytes, size_t* bytes_size,
-    std::string* error) {
+    tsi_ssl_handshaker* impl, unsigned char* bytes, size_t* bytes_size)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   int bytes_read_from_ssl = 0;
   if (bytes == nullptr || bytes_size == nullptr || *bytes_size > INT_MAX) {
-    if (error != nullptr) *error = "invalid argument";
+    impl->MaybeSetError("invalid argument");
     return TSI_INVALID_ARGUMENT;
   }
   GRPC_CHECK_LE(*bytes_size, static_cast<size_t>(INT_MAX));
@@ -2073,7 +2068,7 @@ static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(
   if (bytes_read_from_ssl < 0) {
     *bytes_size = 0;
     if (!BIO_should_retry(impl->network_io)) {
-      if (error != nullptr) *error = "error reading from BIO";
+      impl->MaybeSetError("error reading from BIO");
       impl->result = TSI_INTERNAL_ERROR;
       return impl->result;
     } else {
@@ -2092,8 +2087,8 @@ static tsi_result ssl_handshaker_get_result(tsi_ssl_handshaker* impl) {
   return impl->result;
 }
 
-static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl,
-                                              std::string* error) {
+static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   if (ssl_handshaker_get_result(impl) != TSI_HANDSHAKE_IN_PROGRESS) {
     impl->result = TSI_OK;
     return impl->result;
@@ -2130,10 +2125,9 @@ static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl,
         LOG(INFO) << "Handshake failed with error "
                   << tsi::SslErrorString(ssl_result) << ": " << err_str
                   << verify_result_str;
-        if (error != nullptr && error->empty()) {
-          *error = absl::StrCat(tsi::SslErrorString(ssl_result), ": ", err_str,
-                                verify_result_str);
-        }
+        impl->MaybeSetError(absl::StrCat(
+            tsi::SslErrorString(ssl_result), ": ", err_str, verify_result_str,
+            ": ", impl->signed_bytes.status().ToString()));
         impl->result = TSI_PROTOCOL_FAILURE;
         return impl->result;
       }
@@ -2142,24 +2136,24 @@ static tsi_result ssl_handshaker_do_handshake(tsi_ssl_handshaker* impl,
 }
 
 static tsi_result ssl_handshaker_process_bytes_from_peer(
-    tsi_ssl_handshaker* impl, const unsigned char* bytes, size_t* bytes_size,
-    std::string* error) {
+    tsi_ssl_handshaker* impl, const unsigned char* bytes, size_t* bytes_size)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   int bytes_written_into_ssl_size = 0;
   if (bytes == nullptr || bytes_size == nullptr || *bytes_size > INT_MAX) {
-    if (error != nullptr) *error = "invalid argument";
+    impl->MaybeSetError("invalid argument");
     return TSI_INVALID_ARGUMENT;
   }
   GRPC_CHECK_LE(*bytes_size, static_cast<size_t>(INT_MAX));
   bytes_written_into_ssl_size =
       BIO_write(impl->network_io, bytes, static_cast<int>(*bytes_size));
   if (bytes_written_into_ssl_size < 0) {
     LOG(ERROR) << "Could not write to memory BIO.";
-    if (error != nullptr) *error = "could not write to memory BIO";
+    impl->MaybeSetError("could not write to memory BIO");
     impl->result = TSI_INTERNAL_ERROR;
     return impl->result;
   }
   *bytes_size = static_cast<size_t>(bytes_written_into_ssl_size);
-  return ssl_handshaker_do_handshake(impl, error);
+  return ssl_handshaker_do_handshake(impl);
 }
 
 static void ssl_handshaker_destroy(tsi_handshaker* self) {
@@ -2171,11 +2165,11 @@ static void ssl_handshaker_destroy(tsi_handshaker* self) {
 // |bytes_remaining|.
 static tsi_result ssl_bytes_remaining(tsi_ssl_handshaker* impl,
                                       unsigned char** bytes_remaining,
-                                      size_t* bytes_remaining_size,
-                                      std::string* error) {
+                                      size_t* bytes_remaining_size)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   if (impl == nullptr || bytes_remaining == nullptr ||
       bytes_remaining_size == nullptr) {
-    if (error != nullptr) *error = "invalid argument";
+    if (impl != nullptr) impl->MaybeSetError("invalid argument");
     return TSI_INVALID_ARGUMENT;
   }
   // Attempt to read all of the bytes in SSL's read BIO. These bytes should
@@ -2193,9 +2187,8 @@ static tsi_result ssl_bytes_remaining(tsi_ssl_handshaker* impl,
         << "Failed to read the expected number of bytes from SSL object.";
     gpr_free(*bytes_remaining);
     *bytes_remaining = nullptr;
-    if (error != nullptr) {
-      *error = "Failed to read the expected number of bytes from SSL object.";
-    }
+    impl->MaybeSetError(
+        "Failed to read the expected number of bytes from SSL object.");
     return TSI_INTERNAL_ERROR;
   }
   *bytes_remaining_size = static_cast<size_t>(bytes_read);
@@ -2206,16 +2199,15 @@ static tsi_result ssl_bytes_remaining(tsi_ssl_handshaker* impl,
 // By doing that, we drain SSL bio buffer used to hold handshake data.
 // This API needs to be repeatedly called until all handshake data are
 // received from SSL.
-static tsi_result ssl_handshaker_write_output_buffer(tsi_handshaker* self,
-                                                     size_t* bytes_written,
-                                                     std::string* error) {
-  tsi_ssl_handshaker* impl = static_cast<tsi_ssl_handshaker*>(self);
+static tsi_result ssl_handshaker_write_output_buffer(tsi_ssl_handshaker* impl,
+                                                     size_t* bytes_written)
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   tsi_result status = TSI_OK;
   size_t offset = *bytes_written;
   do {
     size_t to_send_size = impl->outgoing_bytes_buffer_size - offset;
     status = ssl_handshaker_get_bytes_to_send_to_peer(
-        impl, impl->outgoing_bytes_buffer + offset, &to_send_size, error);
+        impl, impl->outgoing_bytes_buffer + offset, &to_send_size);
     offset += to_send_size;
     if (status == TSI_INCOMPLETE_DATA) {
       impl->outgoing_bytes_buffer_size *= 2;
@@ -2228,7 +2220,7 @@ static tsi_result ssl_handshaker_write_output_buffer(tsi_handshaker* self,
 }
 
 static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
-    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&self->mu) {
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   // If there are received bytes, process them first.
   tsi_result status = TSI_OK;
   size_t bytes_written = 0;
@@ -2248,19 +2240,16 @@ static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
       size_t bytes_written_to_openssl =
           remaining_bytes_to_write_to_openssl_size;
       status = ssl_handshaker_process_bytes_from_peer(
-          self, remaining_bytes_to_write_to_openssl, &bytes_written_to_openssl,
-          self->handshaker_next_args->error_ptr);
+          self, remaining_bytes_to_write_to_openssl, &bytes_written_to_openssl);
       // As long as the BIO is full, drive the SSL handshake to consume bytes
       // from the BIO. If the SSL handshake returns any bytes, write them to
       // the peer.
       while (status == TSI_DRAIN_BUFFER) {
-        status = ssl_handshaker_write_output_buffer(
-            self, &bytes_written, self->handshaker_next_args->error_ptr);
+        status = ssl_handshaker_write_output_buffer(self, &bytes_written);
         if (status != TSI_OK) {
           return status;
         }
-        status = ssl_handshaker_do_handshake(
-            self, self->handshaker_next_args->error_ptr);
+        status = ssl_handshaker_do_handshake(self);
       }
       // Move the pointer to the first byte not yet successfully written to
       // the BIO.
@@ -2283,17 +2272,15 @@ static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
     // During the PrivateKeyOffload signature, an empty call to
     // ssl_handshaker_do_handshake needs to be forced  after the async offload
     // has completed.
-    status = ssl_handshaker_do_handshake(self,
-                                         self->handshaker_next_args->error_ptr);
+    status = ssl_handshaker_do_handshake(self);
 #endif
   }
 
   if (status != TSI_OK) {
     return status;
   }
   // Get bytes to send to the peer, if available.
-  status = ssl_handshaker_write_output_buffer(
-      self, &bytes_written, self->handshaker_next_args->error_ptr);
+  status = ssl_handshaker_write_output_buffer(self, &bytes_written);
   if (status != TSI_OK) {
     return status;
   }
@@ -2309,8 +2296,7 @@ static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
     // bytes from the peer that must be processed.
     unsigned char* unused_bytes = nullptr;
     size_t unused_bytes_size = 0;
-    status = ssl_bytes_remaining(self, &unused_bytes, &unused_bytes_size,
-                                 self->handshaker_next_args->error_ptr);
+    status = ssl_bytes_remaining(self, &unused_bytes, &unused_bytes_size);
     if (status != TSI_OK) {
       return status;
     }
@@ -2323,8 +2309,7 @@ static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
     }
     status = ssl_handshaker_result_create(
         self, unused_bytes, unused_bytes_size,
-        &self->handshaker_next_args->handshaker_result,
-        self->handshaker_next_args->error_ptr);
+        &self->handshaker_next_args->handshaker_result);
     if (status == TSI_OK) {
       // Indicates that the handshake has completed and that a
       // handshaker_result has been created.
@@ -2350,7 +2335,7 @@ static tsi_result ssl_handshaker_next_impl(tsi_ssl_handshaker* self)
 // For example, this would be called from the key signer's callback.
 static std::pair<tsi_result, std::optional<HandshakerNextArgs>>
 ssl_handshaker_next_async(tsi_ssl_handshaker* self)
-    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&self->mu) {
+    ABSL_EXCLUSIVE_LOCKS_REQUIRED(&tsi_ssl_handshaker::mu) {
   if (self->is_shutdown || !self->handshaker_next_args.has_value()) {
     return {TSI_HANDSHAKE_SHUTDOWN, std::nullopt};
   }

src/cpp/common/tls_certificate_provider.cc

@@ -148,11 +148,11 @@ absl::Status InMemoryCertificateProvider::UpdateIdentityKeyCertPair(
     std::vector<IdentityKeyOrSignerCertPair>
         identity_key_or_signer_cert_pairs) {
   GRPC_CHECK(!identity_key_or_signer_cert_pairs.empty());
-  auto pairs_core_or =
+  auto pairs_core =
       CreatePairsCore(std::move(identity_key_or_signer_cert_pairs));
-  if (!pairs_core_or.ok()) return pairs_core_or.status();
+  if (!pairs_core.ok()) return pairs_core.status();
   return grpc_tls_certificate_provider_in_memory_set_identity_certificate(
-             c_provider_, *pairs_core_or)
+             c_provider_, *pairs_core)
              ? absl::OkStatus()
              : absl::InternalError("Unable to update identity certificate");
 }

test/core/test_util/tls_utils.cc

@@ -73,8 +73,7 @@ PemKeyCertPairList MakeCertKeyPairs(absl::string_view private_key,
   if (private_key.empty() && certs.empty()) {
     return {};
   }
-  return PemKeyCertPairList{PemKeyCertPair(
-      std::string(private_key.data(), private_key.length()), certs)};
+  return PemKeyCertPairList{PemKeyCertPair(std::string(private_key), certs)};
 }
 
 std::string GetFileContents(const std::string& path) {