1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
22
23 #include <cstring>
24
25 #include <grpc/grpc.h>
26 #include <grpc/support/alloc.h>
27 #include <grpc/support/log.h>
28 #include <grpc/support/string_util.h>
29
30 #include "src/core/lib/channel/channel_args.h"
31 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
32
33 #define GRPC_CREDENTIALS_TYPE_TLS "Tls"
34
35 namespace {
36
CredentialOptionSanityCheck(const grpc_tls_credentials_options * options,bool is_client)37 bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
38 bool is_client) {
39 if (options == nullptr) {
40 gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
41 return false;
42 }
43 // TODO(ZhenLian): remove this when it is also supported on server side.
44 if (!is_client && options->server_authorization_check_config() != nullptr) {
45 gpr_log(GPR_INFO,
46 "Server's credentials options should not contain server "
47 "authorization check config.");
48 }
49 if (options->server_verification_option() != GRPC_TLS_SERVER_VERIFICATION &&
50 options->server_authorization_check_config() == nullptr) {
51 gpr_log(GPR_ERROR,
52 "Should provider custom verifications if bypassing default ones.");
53 return false;
54 }
55 return true;
56 }
57
58 } // namespace
59
TlsCredentials(grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)60 TlsCredentials::TlsCredentials(
61 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
62 : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS),
63 options_(std::move(options)) {}
64
~TlsCredentials()65 TlsCredentials::~TlsCredentials() {}
66
67 grpc_core::RefCountedPtr<grpc_channel_security_connector>
create_security_connector(grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,const char * target_name,const grpc_channel_args * args,grpc_channel_args ** new_args)68 TlsCredentials::create_security_connector(
69 grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
70 const char* target_name, const grpc_channel_args* args,
71 grpc_channel_args** new_args) {
72 const char* overridden_target_name = nullptr;
73 tsi_ssl_session_cache* ssl_session_cache = nullptr;
74 for (size_t i = 0; args != nullptr && i < args->num_args; i++) {
75 grpc_arg* arg = &args->args[i];
76 if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 &&
77 arg->type == GRPC_ARG_STRING) {
78 overridden_target_name = arg->value.string;
79 }
80 if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 &&
81 arg->type == GRPC_ARG_POINTER) {
82 ssl_session_cache =
83 static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
84 }
85 }
86 grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
87 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
88 this->Ref(), options_, std::move(call_creds), target_name,
89 overridden_target_name, ssl_session_cache);
90 if (sc == nullptr) {
91 return nullptr;
92 }
93 if (args != nullptr) {
94 grpc_arg new_arg = grpc_channel_arg_string_create(
95 const_cast<char*>(GRPC_ARG_HTTP2_SCHEME), const_cast<char*>("https"));
96 *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
97 }
98 return sc;
99 }
100
TlsServerCredentials(grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)101 TlsServerCredentials::TlsServerCredentials(
102 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
103 : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS),
104 options_(std::move(options)) {}
105
~TlsServerCredentials()106 TlsServerCredentials::~TlsServerCredentials() {}
107
108 grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_channel_args *)109 TlsServerCredentials::create_security_connector(
110 const grpc_channel_args* /* args */) {
111 return grpc_core::TlsServerSecurityConnector::
112 CreateTlsServerSecurityConnector(this->Ref(), options_);
113 }
114
115 /** -- Wrapper APIs declared in grpc_security.h -- **/
116
grpc_tls_credentials_create(grpc_tls_credentials_options * options)117 grpc_channel_credentials* grpc_tls_credentials_create(
118 grpc_tls_credentials_options* options) {
119 if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
120 return nullptr;
121 }
122 return new TlsCredentials(
123 grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
124 }
125
grpc_tls_server_credentials_create(grpc_tls_credentials_options * options)126 grpc_server_credentials* grpc_tls_server_credentials_create(
127 grpc_tls_credentials_options* options) {
128 if (!CredentialOptionSanityCheck(options, false /* is_client */)) {
129 return nullptr;
130 }
131 return new TlsServerCredentials(
132 grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
133 }
134