1 /* 2 * 3 * Copyright 2018 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include "src/core/lib/gprpp/sync.h" 25 #include "src/core/lib/security/context/security_context.h" 26 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" 27 28 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls" 29 30 namespace grpc_core { 31 32 // TLS channel security connector. 33 class TlsChannelSecurityConnector final 34 : public grpc_channel_security_connector { 35 public: 36 // static factory method to create a TLS channel security connector. 37 static grpc_core::RefCountedPtr<grpc_channel_security_connector> 38 CreateTlsChannelSecurityConnector( 39 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, 40 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, 41 const char* target_name, const char* overridden_target_name, 42 tsi_ssl_session_cache* ssl_session_cache); 43 44 TlsChannelSecurityConnector( 45 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, 46 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, 47 const char* target_name, const char* overridden_target_name); 48 ~TlsChannelSecurityConnector() override; 49 50 void add_handshakers(const grpc_channel_args* args, 51 grpc_pollset_set* interested_parties, 52 grpc_core::HandshakeManager* handshake_mgr) override; 53 54 void check_peer(tsi_peer peer, grpc_endpoint* ep, 55 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, 56 grpc_closure* on_peer_checked) override; 57 58 int cmp(const grpc_security_connector* other_sc) const override; 59 60 bool check_call_host(absl::string_view host, grpc_auth_context* auth_context, 61 grpc_closure* on_call_host_checked, 62 grpc_error** error) override; 63 64 void cancel_check_call_host(grpc_closure* on_call_host_checked, 65 grpc_error* error) override; 66 67 private: 68 // Initialize SSL TSI client handshaker factory. 69 grpc_security_status InitializeHandshakerFactory( 70 tsi_ssl_session_cache* ssl_session_cache); 71 72 // A util function to create a new client handshaker factory to replace 73 // the existing one if exists. 74 grpc_security_status ReplaceHandshakerFactory( 75 tsi_ssl_session_cache* ssl_session_cache); 76 77 // gRPC-provided callback executed by application, which servers to bring the 78 // control back to gRPC core. 79 static void ServerAuthorizationCheckDone( 80 grpc_tls_server_authorization_check_arg* arg); 81 82 // A util function to process server authorization check result. 83 static grpc_error* ProcessServerAuthorizationCheckResult( 84 grpc_tls_server_authorization_check_arg* arg); 85 86 // A util function to create a server authorization check arg instance. 87 static grpc_tls_server_authorization_check_arg* 88 ServerAuthorizationCheckArgCreate(void* user_data); 89 90 // A util function to destroy a server authorization check arg instance. 91 static void ServerAuthorizationCheckArgDestroy( 92 grpc_tls_server_authorization_check_arg* arg); 93 94 // A util function to refresh SSL TSI client handshaker factory with a valid 95 // credential. 96 grpc_security_status RefreshHandshakerFactory(); 97 98 grpc_core::Mutex mu_; 99 grpc_closure* on_peer_checked_; 100 std::string target_name_; 101 std::string overridden_target_name_; 102 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr; 103 grpc_tls_server_authorization_check_arg* check_arg_; 104 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_; 105 }; 106 107 // TLS server security connector. 108 class TlsServerSecurityConnector final : public grpc_server_security_connector { 109 public: 110 // static factory method to create a TLS server security connector. 111 static grpc_core::RefCountedPtr<grpc_server_security_connector> 112 CreateTlsServerSecurityConnector( 113 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds); 114 115 explicit TlsServerSecurityConnector( 116 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds); 117 ~TlsServerSecurityConnector() override; 118 119 void add_handshakers(const grpc_channel_args* args, 120 grpc_pollset_set* interested_parties, 121 grpc_core::HandshakeManager* handshake_mgr) override; 122 123 void check_peer(tsi_peer peer, grpc_endpoint* ep, 124 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, 125 grpc_closure* on_peer_checked) override; 126 127 int cmp(const grpc_security_connector* other) const override; 128 129 private: 130 // Initialize SSL TSI server handshaker factory. 131 grpc_security_status InitializeHandshakerFactory(); 132 133 // A util function to create a new server handshaker factory to replace the 134 // existing once if exists. 135 grpc_security_status ReplaceHandshakerFactory(); 136 137 // A util function to refresh SSL TSI server handshaker factory with a valid 138 // credential. 139 grpc_security_status RefreshHandshakerFactory(); 140 141 grpc_core::Mutex mu_; 142 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr; 143 grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_; 144 }; 145 146 // ---- Functions below are exposed for testing only ----------------------- 147 148 /** The |TlsFetchKeyMaterials| API ensures that |key_materials_config| has a 149 * non-empty pem-key-cert pair list. This is done as follows: 150 * - if |options| is equipped with a credential reload config, then this 151 * methods uses credential reloading to populate |key_materials_config|, and 152 * afterwards it populates |reload_status| with the status of this operation. 153 * In particular, any data stored in |key_materials_config| is overwritten. 154 * - if |options| has no credential reload config, then: 155 * - if |key_materials_config| already has a non-empty pem-key-cert pair 156 * list or is called by a client, then the method returns |GRPC_STATUS_OK|. 157 * - if |key_materials_config| has an empty pem-key-cert pair list and is 158 * called by a server, then the method return an error code. 159 * 160 * The arguments are detailed below: 161 * - key_materials_config: a key materials config that will be populated by the 162 * method on success; the caller should not pass in nullptr. Any data held by 163 * the config will be overwritten. 164 * - options: the TLS credentials options whose credential reloading config 165 * will be used to populate |key_materials_config|. 166 * - is_server: true denotes that this method is called by a server, and 167 * false denotes that this method is called by a client. 168 * - status: the status of the credential reloading after the method 169 * returns; the caller should not pass in nullptr. **/ 170 grpc_status_code TlsFetchKeyMaterials( 171 const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>& 172 key_materials_config, 173 const grpc_tls_credentials_options& options, bool is_server, 174 grpc_ssl_certificate_config_reload_status* status); 175 176 // TlsCheckHostName checks if |peer_name| matches the identity information 177 // contained in |peer|. This is AKA hostname check. 178 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer); 179 180 } // namespace grpc_core 181 182 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H \ 183 */ 184