Line data Source code
1 : /*
2 : *
3 : * Copyright 2015, Google Inc.
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions are
8 : * met:
9 : *
10 : * * Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : * * Redistributions in binary form must reproduce the above
13 : * copyright notice, this list of conditions and the following disclaimer
14 : * in the documentation and/or other materials provided with the
15 : * distribution.
16 : * * Neither the name of Google Inc. nor the names of its
17 : * contributors may be used to endorse or promote products derived from
18 : * this software without specific prior written permission.
19 : *
20 : * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 : * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 : * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 : * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 : * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 : * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 : * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 : * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 : * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 : * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 : *
32 : */
33 :
34 : #include "src/core/security/security_connector.h"
35 :
36 : #include <string.h>
37 :
38 : #include "src/core/security/credentials.h"
39 : #include "src/core/security/handshake.h"
40 : #include "src/core/security/secure_endpoint.h"
41 : #include "src/core/security/security_context.h"
42 : #include "src/core/support/env.h"
43 : #include "src/core/support/file.h"
44 : #include "src/core/support/string.h"
45 : #include "src/core/transport/chttp2/alpn.h"
46 :
47 : #include <grpc/support/alloc.h>
48 : #include <grpc/support/host_port.h>
49 : #include <grpc/support/log.h>
50 : #include <grpc/support/slice_buffer.h>
51 : #include <grpc/support/string_util.h>
52 : #include "src/core/tsi/fake_transport_security.h"
53 : #include "src/core/tsi/ssl_transport_security.h"
54 :
55 : /* -- Constants. -- */
56 :
57 : #ifndef INSTALL_PREFIX
58 : static const char *installed_roots_path = "/usr/share/grpc/roots.pem";
59 : #else
60 : static const char *installed_roots_path =
61 : INSTALL_PREFIX "/share/grpc/roots.pem";
62 : #endif
63 :
64 : /* -- Cipher suites. -- */
65 :
66 : /* Defines the cipher suites that we accept by default. All these cipher suites
67 : are compliant with HTTP2. */
68 : #define GRPC_SSL_CIPHER_SUITES \
69 : "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-" \
70 : "SHA384:ECDHE-RSA-AES256-GCM-SHA384"
71 :
72 : static gpr_once cipher_suites_once = GPR_ONCE_INIT;
73 : static const char *cipher_suites = NULL;
74 :
75 121 : static void init_cipher_suites(void) {
76 121 : char *overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES");
77 121 : cipher_suites = overridden != NULL ? overridden : GRPC_SSL_CIPHER_SUITES;
78 121 : }
79 :
80 872 : static const char *ssl_cipher_suites(void) {
81 872 : gpr_once_init(&cipher_suites_once, init_cipher_suites);
82 872 : return cipher_suites;
83 : }
84 :
85 : /* -- Common methods. -- */
86 :
87 : /* Returns the first property with that name. */
88 732 : const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer,
89 : const char *name) {
90 : size_t i;
91 732 : if (peer == NULL) return NULL;
92 2557 : for (i = 0; i < peer->property_count; i++) {
93 2557 : const tsi_peer_property *property = &peer->properties[i];
94 2557 : if (name == NULL && property->name == NULL) {
95 0 : return property;
96 : }
97 5114 : if (name != NULL && property->name != NULL &&
98 2557 : strcmp(property->name, name) == 0) {
99 732 : return property;
100 : }
101 : }
102 0 : return NULL;
103 : }
104 :
105 897 : void grpc_security_connector_do_handshake(grpc_exec_ctx *exec_ctx,
106 : grpc_security_connector *sc,
107 : grpc_endpoint *nonsecure_endpoint,
108 : grpc_security_handshake_done_cb cb,
109 : void *user_data) {
110 897 : if (sc == NULL || nonsecure_endpoint == NULL) {
111 0 : cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, nonsecure_endpoint, NULL);
112 : } else {
113 897 : sc->vtable->do_handshake(exec_ctx, sc, nonsecure_endpoint, cb, user_data);
114 : }
115 897 : }
116 :
117 878 : grpc_security_status grpc_security_connector_check_peer(
118 : grpc_security_connector *sc, tsi_peer peer, grpc_security_check_cb cb,
119 : void *user_data) {
120 878 : if (sc == NULL) {
121 0 : tsi_peer_destruct(&peer);
122 0 : return GRPC_SECURITY_ERROR;
123 : }
124 878 : return sc->vtable->check_peer(sc, peer, cb, user_data);
125 : }
126 :
127 871 : grpc_security_status grpc_channel_security_connector_check_call_host(
128 : grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc,
129 : const char *host, grpc_security_check_cb cb, void *user_data) {
130 871 : if (sc == NULL || sc->check_call_host == NULL) return GRPC_SECURITY_ERROR;
131 871 : return sc->check_call_host(exec_ctx, sc, host, cb, user_data);
132 : }
133 :
134 : #ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG
135 : grpc_security_connector *grpc_security_connector_ref(
136 : grpc_security_connector *sc, const char *file, int line,
137 : const char *reason) {
138 : if (sc == NULL) return NULL;
139 : gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
140 : "SECURITY_CONNECTOR:%p ref %d -> %d %s", sc,
141 : (int)sc->refcount.count, (int)sc->refcount.count + 1, reason);
142 : #else
143 3727 : grpc_security_connector *grpc_security_connector_ref(
144 : grpc_security_connector *sc) {
145 3727 : if (sc == NULL) return NULL;
146 : #endif
147 3727 : gpr_ref(&sc->refcount);
148 3727 : return sc;
149 : }
150 :
151 : #ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG
152 : void grpc_security_connector_unref(grpc_security_connector *sc,
153 : const char *file, int line,
154 : const char *reason) {
155 : if (sc == NULL) return;
156 : gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG,
157 : "SECURITY_CONNECTOR:%p unref %d -> %d %s", sc,
158 : (int)sc->refcount.count, (int)sc->refcount.count - 1, reason);
159 : #else
160 4768 : void grpc_security_connector_unref(grpc_security_connector *sc) {
161 9536 : if (sc == NULL) return;
162 : #endif
163 4768 : if (gpr_unref(&sc->refcount)) sc->vtable->destroy(sc);
164 : }
165 :
166 1874 : static void connector_pointer_arg_destroy(void *p) {
167 1874 : GRPC_SECURITY_CONNECTOR_UNREF(p, "connector_pointer_arg");
168 1874 : }
169 :
170 1874 : static void *connector_pointer_arg_copy(void *p) {
171 1874 : return GRPC_SECURITY_CONNECTOR_REF(p, "connector_pointer_arg");
172 : }
173 :
174 518 : grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc) {
175 : grpc_arg result;
176 518 : result.type = GRPC_ARG_POINTER;
177 518 : result.key = GRPC_SECURITY_CONNECTOR_ARG;
178 518 : result.value.pointer.destroy = connector_pointer_arg_destroy;
179 518 : result.value.pointer.copy = connector_pointer_arg_copy;
180 518 : result.value.pointer.p = sc;
181 518 : return result;
182 : }
183 :
184 1899 : grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg) {
185 1899 : if (strcmp(arg->key, GRPC_SECURITY_CONNECTOR_ARG)) return NULL;
186 438 : if (arg->type != GRPC_ARG_POINTER) {
187 0 : gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type,
188 : GRPC_SECURITY_CONNECTOR_ARG);
189 0 : return NULL;
190 : }
191 438 : return arg->value.pointer.p;
192 : }
193 :
194 956 : grpc_security_connector *grpc_find_security_connector_in_args(
195 : const grpc_channel_args *args) {
196 : size_t i;
197 956 : if (args == NULL) return NULL;
198 2342 : for (i = 0; i < args->num_args; i++) {
199 1899 : grpc_security_connector *sc =
200 1899 : grpc_security_connector_from_arg(&args->args[i]);
201 1899 : if (sc != NULL) return sc;
202 : }
203 443 : return NULL;
204 : }
205 :
206 518 : static int check_request_metadata_creds(grpc_credentials *creds) {
207 518 : if (creds != NULL && !grpc_credentials_has_request_metadata(creds)) {
208 0 : gpr_log(GPR_ERROR,
209 : "Incompatible credentials for channel security connector: needs to "
210 : "set request metadata.");
211 0 : return 0;
212 : }
213 518 : return 1;
214 : }
215 :
216 : /* -- Fake implementation. -- */
217 :
218 : typedef struct {
219 : grpc_channel_security_connector base;
220 : int call_host_check_is_async;
221 : } grpc_fake_channel_security_connector;
222 :
223 84 : static void fake_channel_destroy(grpc_security_connector *sc) {
224 84 : grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc;
225 84 : grpc_credentials_unref(c->request_metadata_creds);
226 84 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
227 84 : gpr_free(sc);
228 84 : }
229 :
230 85 : static void fake_server_destroy(grpc_security_connector *sc) {
231 85 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
232 85 : gpr_free(sc);
233 85 : }
234 :
235 146 : static grpc_security_status fake_check_peer(grpc_security_connector *sc,
236 : tsi_peer peer,
237 : grpc_security_check_cb cb,
238 : void *user_data) {
239 : const char *prop_name;
240 146 : grpc_security_status status = GRPC_SECURITY_OK;
241 146 : if (peer.property_count != 1) {
242 0 : gpr_log(GPR_ERROR, "Fake peers should only have 1 property.");
243 0 : status = GRPC_SECURITY_ERROR;
244 0 : goto end;
245 : }
246 146 : prop_name = peer.properties[0].name;
247 292 : if (prop_name == NULL ||
248 146 : strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
249 0 : gpr_log(GPR_ERROR, "Unexpected property in fake peer: %s.",
250 : prop_name == NULL ? "<EMPTY>" : prop_name);
251 0 : status = GRPC_SECURITY_ERROR;
252 0 : goto end;
253 : }
254 146 : if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
255 146 : peer.properties[0].value.length)) {
256 0 : gpr_log(GPR_ERROR, "Invalid value for cert type property.");
257 0 : status = GRPC_SECURITY_ERROR;
258 0 : goto end;
259 : }
260 146 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
261 146 : sc->auth_context = grpc_auth_context_create(NULL);
262 146 : grpc_auth_context_add_cstring_property(
263 : sc->auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
264 : GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
265 :
266 : end:
267 146 : tsi_peer_destruct(&peer);
268 146 : return status;
269 : }
270 :
271 111 : static grpc_security_status fake_channel_check_call_host(
272 : grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc,
273 : const char *host, grpc_security_check_cb cb, void *user_data) {
274 111 : grpc_fake_channel_security_connector *c =
275 : (grpc_fake_channel_security_connector *)sc;
276 111 : if (c->call_host_check_is_async) {
277 111 : cb(exec_ctx, user_data, GRPC_SECURITY_OK);
278 111 : return GRPC_SECURITY_PENDING;
279 : } else {
280 0 : return GRPC_SECURITY_OK;
281 : }
282 : }
283 :
284 73 : static void fake_channel_do_handshake(grpc_exec_ctx *exec_ctx,
285 : grpc_security_connector *sc,
286 : grpc_endpoint *nonsecure_endpoint,
287 : grpc_security_handshake_done_cb cb,
288 : void *user_data) {
289 73 : grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(1), sc,
290 : nonsecure_endpoint, cb, user_data);
291 73 : }
292 :
293 74 : static void fake_server_do_handshake(grpc_exec_ctx *exec_ctx,
294 : grpc_security_connector *sc,
295 : grpc_endpoint *nonsecure_endpoint,
296 : grpc_security_handshake_done_cb cb,
297 : void *user_data) {
298 74 : grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(0), sc,
299 : nonsecure_endpoint, cb, user_data);
300 74 : }
301 :
302 : static grpc_security_connector_vtable fake_channel_vtable = {
303 : fake_channel_destroy, fake_channel_do_handshake, fake_check_peer};
304 :
305 : static grpc_security_connector_vtable fake_server_vtable = {
306 : fake_server_destroy, fake_server_do_handshake, fake_check_peer};
307 :
308 84 : grpc_channel_security_connector *grpc_fake_channel_security_connector_create(
309 : grpc_credentials *request_metadata_creds, int call_host_check_is_async) {
310 84 : grpc_fake_channel_security_connector *c =
311 : gpr_malloc(sizeof(grpc_fake_channel_security_connector));
312 84 : memset(c, 0, sizeof(grpc_fake_channel_security_connector));
313 84 : gpr_ref_init(&c->base.base.refcount, 1);
314 84 : c->base.base.is_client_side = 1;
315 84 : c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
316 84 : c->base.base.vtable = &fake_channel_vtable;
317 84 : GPR_ASSERT(check_request_metadata_creds(request_metadata_creds));
318 84 : c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
319 84 : c->base.check_call_host = fake_channel_check_call_host;
320 84 : c->call_host_check_is_async = call_host_check_is_async;
321 84 : return &c->base;
322 : }
323 :
324 85 : grpc_security_connector *grpc_fake_server_security_connector_create(void) {
325 85 : grpc_security_connector *c = gpr_malloc(sizeof(grpc_security_connector));
326 85 : memset(c, 0, sizeof(grpc_security_connector));
327 85 : gpr_ref_init(&c->refcount, 1);
328 85 : c->is_client_side = 0;
329 85 : c->vtable = &fake_server_vtable;
330 85 : c->url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
331 85 : return c;
332 : }
333 :
334 : /* --- Ssl implementation. --- */
335 :
336 : typedef struct {
337 : grpc_channel_security_connector base;
338 : tsi_ssl_handshaker_factory *handshaker_factory;
339 : char *target_name;
340 : char *overridden_target_name;
341 : tsi_peer peer;
342 : } grpc_ssl_channel_security_connector;
343 :
344 : typedef struct {
345 : grpc_security_connector base;
346 : tsi_ssl_handshaker_factory *handshaker_factory;
347 : } grpc_ssl_server_security_connector;
348 :
349 434 : static void ssl_channel_destroy(grpc_security_connector *sc) {
350 434 : grpc_ssl_channel_security_connector *c =
351 : (grpc_ssl_channel_security_connector *)sc;
352 434 : grpc_credentials_unref(c->base.request_metadata_creds);
353 434 : if (c->handshaker_factory != NULL) {
354 434 : tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
355 : }
356 434 : if (c->target_name != NULL) gpr_free(c->target_name);
357 434 : if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name);
358 434 : tsi_peer_destruct(&c->peer);
359 434 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
360 434 : gpr_free(sc);
361 434 : }
362 :
363 438 : static void ssl_server_destroy(grpc_security_connector *sc) {
364 438 : grpc_ssl_server_security_connector *c =
365 : (grpc_ssl_server_security_connector *)sc;
366 438 : if (c->handshaker_factory != NULL) {
367 438 : tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
368 : }
369 438 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
370 438 : gpr_free(sc);
371 438 : }
372 :
373 750 : static grpc_security_status ssl_create_handshaker(
374 : tsi_ssl_handshaker_factory *handshaker_factory, int is_client,
375 : const char *peer_name, tsi_handshaker **handshaker) {
376 750 : tsi_result result = TSI_OK;
377 750 : if (handshaker_factory == NULL) return GRPC_SECURITY_ERROR;
378 750 : result = tsi_ssl_handshaker_factory_create_handshaker(
379 : handshaker_factory, is_client ? peer_name : NULL, handshaker);
380 750 : if (result != TSI_OK) {
381 0 : gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
382 : tsi_result_to_string(result));
383 0 : return GRPC_SECURITY_ERROR;
384 : }
385 750 : return GRPC_SECURITY_OK;
386 : }
387 :
388 373 : static void ssl_channel_do_handshake(grpc_exec_ctx *exec_ctx,
389 : grpc_security_connector *sc,
390 : grpc_endpoint *nonsecure_endpoint,
391 : grpc_security_handshake_done_cb cb,
392 : void *user_data) {
393 373 : grpc_ssl_channel_security_connector *c =
394 : (grpc_ssl_channel_security_connector *)sc;
395 : tsi_handshaker *handshaker;
396 373 : grpc_security_status status = ssl_create_handshaker(
397 : c->handshaker_factory, 1,
398 373 : c->overridden_target_name != NULL ? c->overridden_target_name
399 : : c->target_name,
400 : &handshaker);
401 373 : if (status != GRPC_SECURITY_OK) {
402 0 : cb(exec_ctx, user_data, status, nonsecure_endpoint, NULL);
403 : } else {
404 373 : grpc_do_security_handshake(exec_ctx, handshaker, sc, nonsecure_endpoint, cb,
405 : user_data);
406 : }
407 373 : }
408 :
409 377 : static void ssl_server_do_handshake(grpc_exec_ctx *exec_ctx,
410 : grpc_security_connector *sc,
411 : grpc_endpoint *nonsecure_endpoint,
412 : grpc_security_handshake_done_cb cb,
413 : void *user_data) {
414 377 : grpc_ssl_server_security_connector *c =
415 : (grpc_ssl_server_security_connector *)sc;
416 : tsi_handshaker *handshaker;
417 377 : grpc_security_status status =
418 377 : ssl_create_handshaker(c->handshaker_factory, 0, NULL, &handshaker);
419 377 : if (status != GRPC_SECURITY_OK) {
420 0 : cb(exec_ctx, user_data, status, nonsecure_endpoint, NULL);
421 : } else {
422 377 : grpc_do_security_handshake(exec_ctx, handshaker, sc, nonsecure_endpoint, cb,
423 : user_data);
424 : }
425 377 : }
426 :
427 1125 : static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) {
428 1125 : char *allocated_name = NULL;
429 : int r;
430 :
431 1125 : if (strchr(peer_name, ':') != NULL) {
432 : char *ignored_port;
433 337 : gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
434 337 : gpr_free(ignored_port);
435 337 : peer_name = allocated_name;
436 337 : if (!peer_name) return 0;
437 : }
438 1125 : r = tsi_ssl_peer_matches_name(peer, peer_name);
439 1125 : gpr_free(allocated_name);
440 1125 : return r;
441 : }
442 :
443 737 : grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) {
444 : size_t i;
445 737 : grpc_auth_context *ctx = NULL;
446 737 : const char *peer_identity_property_name = NULL;
447 :
448 : /* The caller has checked the certificate type property. */
449 737 : GPR_ASSERT(peer->property_count >= 1);
450 737 : ctx = grpc_auth_context_create(NULL);
451 737 : grpc_auth_context_add_cstring_property(
452 : ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
453 : GRPC_SSL_TRANSPORT_SECURITY_TYPE);
454 3312 : for (i = 0; i < peer->property_count; i++) {
455 2575 : const tsi_peer_property *prop = &peer->properties[i];
456 2575 : if (prop->name == NULL) continue;
457 2575 : if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
458 : /* If there is no subject alt name, have the CN as the identity. */
459 369 : if (peer_identity_property_name == NULL) {
460 369 : peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
461 : }
462 738 : grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME,
463 369 : prop->value.data, prop->value.length);
464 2206 : } else if (strcmp(prop->name,
465 : TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
466 1102 : peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
467 2204 : grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME,
468 1102 : prop->value.data, prop->value.length);
469 : }
470 : }
471 737 : if (peer_identity_property_name != NULL) {
472 369 : GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
473 : ctx, peer_identity_property_name) == 1);
474 : }
475 737 : return ctx;
476 : }
477 :
478 732 : static grpc_security_status ssl_check_peer(grpc_security_connector *sc,
479 : const char *peer_name,
480 : const tsi_peer *peer) {
481 : /* Check the ALPN. */
482 732 : const tsi_peer_property *p =
483 : tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
484 732 : if (p == NULL) {
485 0 : gpr_log(GPR_ERROR, "Missing selected ALPN property.");
486 0 : return GRPC_SECURITY_ERROR;
487 : }
488 732 : if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
489 0 : gpr_log(GPR_ERROR, "Invalid ALPN value.");
490 0 : return GRPC_SECURITY_ERROR;
491 : }
492 :
493 : /* Check the peer name if specified. */
494 732 : if (peer_name != NULL && !ssl_host_matches_name(peer, peer_name)) {
495 0 : gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate", peer_name);
496 0 : return GRPC_SECURITY_ERROR;
497 : }
498 732 : if (sc->auth_context != NULL) {
499 76 : GRPC_AUTH_CONTEXT_UNREF(sc->auth_context, "connector");
500 : }
501 732 : sc->auth_context = tsi_ssl_peer_to_auth_context(peer);
502 732 : return GRPC_SECURITY_OK;
503 : }
504 :
505 365 : static grpc_security_status ssl_channel_check_peer(grpc_security_connector *sc,
506 : tsi_peer peer,
507 : grpc_security_check_cb cb,
508 : void *user_data) {
509 365 : grpc_ssl_channel_security_connector *c =
510 : (grpc_ssl_channel_security_connector *)sc;
511 : grpc_security_status status;
512 365 : tsi_peer_destruct(&c->peer);
513 365 : c->peer = peer;
514 365 : status = ssl_check_peer(sc, c->overridden_target_name != NULL
515 : ? c->overridden_target_name
516 : : c->target_name,
517 : &peer);
518 365 : return status;
519 : }
520 :
521 367 : static grpc_security_status ssl_server_check_peer(grpc_security_connector *sc,
522 : tsi_peer peer,
523 : grpc_security_check_cb cb,
524 : void *user_data) {
525 367 : grpc_security_status status = ssl_check_peer(sc, NULL, &peer);
526 367 : tsi_peer_destruct(&peer);
527 367 : return status;
528 : }
529 :
530 760 : static grpc_security_status ssl_channel_check_call_host(
531 : grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc,
532 : const char *host, grpc_security_check_cb cb, void *user_data) {
533 760 : grpc_ssl_channel_security_connector *c =
534 : (grpc_ssl_channel_security_connector *)sc;
535 :
536 760 : if (ssl_host_matches_name(&c->peer, host)) return GRPC_SECURITY_OK;
537 :
538 : /* If the target name was overridden, then the original target_name was
539 : 'checked' transitively during the previous peer check at the end of the
540 : handshake. */
541 0 : if (c->overridden_target_name != NULL && strcmp(host, c->target_name) == 0) {
542 0 : return GRPC_SECURITY_OK;
543 : } else {
544 0 : return GRPC_SECURITY_ERROR;
545 : }
546 : }
547 :
548 : static grpc_security_connector_vtable ssl_channel_vtable = {
549 : ssl_channel_destroy, ssl_channel_do_handshake, ssl_channel_check_peer};
550 :
551 : static grpc_security_connector_vtable ssl_server_vtable = {
552 : ssl_server_destroy, ssl_server_do_handshake, ssl_server_check_peer};
553 :
554 : static gpr_slice default_pem_root_certs;
555 :
556 89 : static void init_default_pem_root_certs(void) {
557 : /* First try to load the roots from the environment. */
558 89 : char *default_root_certs_path =
559 : gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
560 89 : if (default_root_certs_path == NULL) {
561 0 : default_pem_root_certs = gpr_empty_slice();
562 : } else {
563 89 : default_pem_root_certs = gpr_load_file(default_root_certs_path, 0, NULL);
564 89 : gpr_free(default_root_certs_path);
565 : }
566 :
567 : /* Fall back to installed certs if needed. */
568 89 : if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) {
569 0 : default_pem_root_certs = gpr_load_file(installed_roots_path, 0, NULL);
570 : }
571 89 : }
572 :
573 304 : size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) {
574 : /* TODO(jboeuf@google.com): Maybe revisit the approach which consists in
575 : loading all the roots once for the lifetime of the process. */
576 : static gpr_once once = GPR_ONCE_INIT;
577 304 : gpr_once_init(&once, init_default_pem_root_certs);
578 304 : *pem_root_certs = GPR_SLICE_START_PTR(default_pem_root_certs);
579 304 : return GPR_SLICE_LENGTH(default_pem_root_certs);
580 : }
581 :
582 434 : grpc_security_status grpc_ssl_channel_security_connector_create(
583 : grpc_credentials *request_metadata_creds, const grpc_ssl_config *config,
584 : const char *target_name, const char *overridden_target_name,
585 : grpc_channel_security_connector **sc) {
586 434 : size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
587 434 : const unsigned char **alpn_protocol_strings =
588 434 : gpr_malloc(sizeof(const char *) * num_alpn_protocols);
589 434 : unsigned char *alpn_protocol_string_lengths =
590 : gpr_malloc(sizeof(unsigned char) * num_alpn_protocols);
591 434 : tsi_result result = TSI_OK;
592 : grpc_ssl_channel_security_connector *c;
593 : size_t i;
594 : const unsigned char *pem_root_certs;
595 : size_t pem_root_certs_size;
596 : char *port;
597 :
598 868 : for (i = 0; i < num_alpn_protocols; i++) {
599 868 : alpn_protocol_strings[i] =
600 434 : (const unsigned char *)grpc_chttp2_get_alpn_version_index(i);
601 868 : alpn_protocol_string_lengths[i] =
602 434 : (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i));
603 : }
604 :
605 434 : if (config == NULL || target_name == NULL) {
606 0 : gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
607 0 : goto error;
608 : }
609 434 : if (!check_request_metadata_creds(request_metadata_creds)) {
610 0 : goto error;
611 : }
612 434 : if (config->pem_root_certs == NULL) {
613 304 : pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs);
614 304 : if (pem_root_certs == NULL || pem_root_certs_size == 0) {
615 0 : gpr_log(GPR_ERROR, "Could not get default pem root certs.");
616 0 : goto error;
617 : }
618 : } else {
619 130 : pem_root_certs = config->pem_root_certs;
620 130 : pem_root_certs_size = config->pem_root_certs_size;
621 : }
622 :
623 434 : c = gpr_malloc(sizeof(grpc_ssl_channel_security_connector));
624 434 : memset(c, 0, sizeof(grpc_ssl_channel_security_connector));
625 :
626 434 : gpr_ref_init(&c->base.base.refcount, 1);
627 434 : c->base.base.vtable = &ssl_channel_vtable;
628 434 : c->base.base.is_client_side = 1;
629 434 : c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
630 434 : c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
631 434 : c->base.check_call_host = ssl_channel_check_call_host;
632 434 : gpr_split_host_port(target_name, &c->target_name, &port);
633 434 : gpr_free(port);
634 434 : if (overridden_target_name != NULL) {
635 434 : c->overridden_target_name = gpr_strdup(overridden_target_name);
636 : }
637 1736 : result = tsi_create_ssl_client_handshaker_factory(
638 434 : config->pem_private_key, config->pem_private_key_size,
639 434 : config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs,
640 : pem_root_certs_size, ssl_cipher_suites(), alpn_protocol_strings,
641 434 : alpn_protocol_string_lengths, (uint16_t)num_alpn_protocols,
642 : &c->handshaker_factory);
643 434 : if (result != TSI_OK) {
644 0 : gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
645 : tsi_result_to_string(result));
646 0 : ssl_channel_destroy(&c->base.base);
647 0 : *sc = NULL;
648 0 : goto error;
649 : }
650 434 : *sc = &c->base;
651 434 : gpr_free((void *)alpn_protocol_strings);
652 434 : gpr_free(alpn_protocol_string_lengths);
653 434 : return GRPC_SECURITY_OK;
654 :
655 : error:
656 0 : gpr_free((void *)alpn_protocol_strings);
657 0 : gpr_free(alpn_protocol_string_lengths);
658 0 : return GRPC_SECURITY_ERROR;
659 : }
660 :
661 438 : grpc_security_status grpc_ssl_server_security_connector_create(
662 : const grpc_ssl_server_config *config, grpc_security_connector **sc) {
663 438 : size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
664 438 : const unsigned char **alpn_protocol_strings =
665 438 : gpr_malloc(sizeof(const char *) * num_alpn_protocols);
666 438 : unsigned char *alpn_protocol_string_lengths =
667 : gpr_malloc(sizeof(unsigned char) * num_alpn_protocols);
668 438 : tsi_result result = TSI_OK;
669 : grpc_ssl_server_security_connector *c;
670 : size_t i;
671 :
672 876 : for (i = 0; i < num_alpn_protocols; i++) {
673 876 : alpn_protocol_strings[i] =
674 438 : (const unsigned char *)grpc_chttp2_get_alpn_version_index(i);
675 876 : alpn_protocol_string_lengths[i] =
676 438 : (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i));
677 : }
678 :
679 438 : if (config == NULL || config->num_key_cert_pairs == 0) {
680 0 : gpr_log(GPR_ERROR, "An SSL server needs a key and a cert.");
681 0 : goto error;
682 : }
683 438 : c = gpr_malloc(sizeof(grpc_ssl_server_security_connector));
684 438 : memset(c, 0, sizeof(grpc_ssl_server_security_connector));
685 :
686 438 : gpr_ref_init(&c->base.refcount, 1);
687 438 : c->base.url_scheme = GRPC_SSL_URL_SCHEME;
688 438 : c->base.vtable = &ssl_server_vtable;
689 1752 : result = tsi_create_ssl_server_handshaker_factory(
690 438 : (const unsigned char **)config->pem_private_keys,
691 438 : config->pem_private_keys_sizes,
692 438 : (const unsigned char **)config->pem_cert_chains,
693 438 : config->pem_cert_chains_sizes, config->num_key_cert_pairs,
694 438 : config->pem_root_certs, config->pem_root_certs_size,
695 : config->force_client_auth, ssl_cipher_suites(), alpn_protocol_strings,
696 438 : alpn_protocol_string_lengths, (uint16_t)num_alpn_protocols,
697 : &c->handshaker_factory);
698 438 : if (result != TSI_OK) {
699 0 : gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
700 : tsi_result_to_string(result));
701 0 : ssl_server_destroy(&c->base);
702 0 : *sc = NULL;
703 0 : goto error;
704 : }
705 438 : *sc = &c->base;
706 438 : gpr_free((void *)alpn_protocol_strings);
707 438 : gpr_free(alpn_protocol_string_lengths);
708 438 : return GRPC_SECURITY_OK;
709 :
710 : error:
711 0 : gpr_free((void *)alpn_protocol_strings);
712 0 : gpr_free(alpn_protocol_string_lengths);
713 0 : return GRPC_SECURITY_ERROR;
714 : }
|