1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/ssl_utils.h"
22
23 #include <vector>
24
25 #include "absl/strings/str_cat.h"
26
27 #include <grpc/slice_buffer.h>
28 #include <grpc/support/alloc.h>
29 #include <grpc/support/log.h>
30
31 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
32 #include "src/core/lib/channel/channel_args.h"
33 #include "src/core/lib/gpr/string.h"
34 #include "src/core/lib/gprpp/host_port.h"
35 #include "src/core/lib/gprpp/ref_counted_ptr.h"
36 #include "src/core/lib/iomgr/load_file.h"
37 #include "src/core/lib/security/context/security_context.h"
38 #include "src/core/lib/security/security_connector/load_system_roots.h"
39 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
40 #include "src/core/tsi/ssl_transport_security.h"
41
42 /* -- Constants. -- */
43
44 #ifndef INSTALL_PREFIX
45 static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
46 #else
47 static const char* installed_roots_path =
48 INSTALL_PREFIX "/share/grpc/roots.pem";
49 #endif
50
51 #ifndef TSI_OPENSSL_ALPN_SUPPORT
52 #define TSI_OPENSSL_ALPN_SUPPORT 1
53 #endif
54
55 /* -- Overridden default roots. -- */
56
57 static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
58
grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb)59 void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
60 ssl_roots_override_cb = cb;
61 }
62
63 /* -- Cipher suites. -- */
64
65 static gpr_once cipher_suites_once = GPR_ONCE_INIT;
66 static const char* cipher_suites = nullptr;
67
68 // All cipher suites for default are compliant with HTTP2.
69 GPR_GLOBAL_CONFIG_DEFINE_STRING(
70 grpc_ssl_cipher_suites,
71 "TLS_AES_128_GCM_SHA256:"
72 "TLS_AES_256_GCM_SHA384:"
73 "TLS_CHACHA20_POLY1305_SHA256:"
74 "ECDHE-ECDSA-AES128-GCM-SHA256:"
75 "ECDHE-ECDSA-AES256-GCM-SHA384:"
76 "ECDHE-RSA-AES128-GCM-SHA256:"
77 "ECDHE-RSA-AES256-GCM-SHA384",
78 "A colon separated list of cipher suites to use with OpenSSL")
79
init_cipher_suites(void)80 static void init_cipher_suites(void) {
81 grpc_core::UniquePtr<char> value =
82 GPR_GLOBAL_CONFIG_GET(grpc_ssl_cipher_suites);
83 cipher_suites = value.release();
84 }
85
86 /* --- Util --- */
87
grpc_get_ssl_cipher_suites(void)88 const char* grpc_get_ssl_cipher_suites(void) {
89 gpr_once_init(&cipher_suites_once, init_cipher_suites);
90 return cipher_suites;
91 }
92
grpc_tsi_security_level_string_to_enum(const char * security_level)93 grpc_security_level grpc_tsi_security_level_string_to_enum(
94 const char* security_level) {
95 if (strcmp(security_level, "TSI_INTEGRITY_ONLY") == 0) {
96 return GRPC_INTEGRITY_ONLY;
97 } else if (strcmp(security_level, "TSI_PRIVACY_AND_INTEGRITY") == 0) {
98 return GRPC_PRIVACY_AND_INTEGRITY;
99 }
100 return GRPC_SECURITY_NONE;
101 }
102
grpc_security_level_to_string(grpc_security_level security_level)103 const char* grpc_security_level_to_string(grpc_security_level security_level) {
104 if (security_level == GRPC_PRIVACY_AND_INTEGRITY) {
105 return "GRPC_PRIVACY_AND_INTEGRITY";
106 } else if (security_level == GRPC_INTEGRITY_ONLY) {
107 return "GRPC_INTEGRITY_ONLY";
108 }
109 return "GRPC_SECURITY_NONE";
110 }
111
grpc_check_security_level(grpc_security_level channel_level,grpc_security_level call_cred_level)112 bool grpc_check_security_level(grpc_security_level channel_level,
113 grpc_security_level call_cred_level) {
114 return static_cast<int>(channel_level) >= static_cast<int>(call_cred_level);
115 }
116
117 tsi_client_certificate_request_type
grpc_get_tsi_client_certificate_request_type(grpc_ssl_client_certificate_request_type grpc_request_type)118 grpc_get_tsi_client_certificate_request_type(
119 grpc_ssl_client_certificate_request_type grpc_request_type) {
120 switch (grpc_request_type) {
121 case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
122 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
123
124 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
125 return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
126
127 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
128 return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
129
130 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
131 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
132
133 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
134 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
135
136 default:
137 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
138 }
139 }
140
grpc_get_tsi_tls_version(grpc_tls_version tls_version)141 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
142 switch (tls_version) {
143 case grpc_tls_version::TLS1_2:
144 return tsi_tls_version::TSI_TLS1_2;
145 case grpc_tls_version::TLS1_3:
146 return tsi_tls_version::TSI_TLS1_3;
147 default:
148 gpr_log(GPR_INFO, "Falling back to TLS 1.2.");
149 return tsi_tls_version::TSI_TLS1_2;
150 }
151 }
152
grpc_ssl_check_alpn(const tsi_peer * peer)153 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
154 #if TSI_OPENSSL_ALPN_SUPPORT
155 /* Check the ALPN if ALPN is supported. */
156 const tsi_peer_property* p =
157 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
158 if (p == nullptr) {
159 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
160 "Cannot check peer: missing selected ALPN property.");
161 }
162 if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
163 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
164 "Cannot check peer: invalid ALPN value.");
165 }
166 #endif /* TSI_OPENSSL_ALPN_SUPPORT */
167 return GRPC_ERROR_NONE;
168 }
169
grpc_ssl_check_peer_name(absl::string_view peer_name,const tsi_peer * peer)170 grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
171 const tsi_peer* peer) {
172 /* Check the peer name if specified. */
173 if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
174 return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
175 absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
176 .c_str());
177 }
178 return GRPC_ERROR_NONE;
179 }
180
grpc_ssl_check_call_host(absl::string_view host,absl::string_view target_name,absl::string_view overridden_target_name,grpc_auth_context * auth_context,grpc_error ** error)181 bool grpc_ssl_check_call_host(absl::string_view host,
182 absl::string_view target_name,
183 absl::string_view overridden_target_name,
184 grpc_auth_context* auth_context,
185 grpc_error** error) {
186 grpc_security_status status = GRPC_SECURITY_ERROR;
187 tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
188 if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
189 /* If the target name was overridden, then the original target_name was
190 'checked' transitively during the previous peer check at the end of the
191 handshake. */
192 if (!overridden_target_name.empty() && host == target_name) {
193 status = GRPC_SECURITY_OK;
194 }
195 if (status != GRPC_SECURITY_OK) {
196 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
197 "call host does not match SSL server name");
198 }
199 grpc_shallow_peer_destruct(&peer);
200 return true;
201 }
202
grpc_fill_alpn_protocol_strings(size_t * num_alpn_protocols)203 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
204 GPR_ASSERT(num_alpn_protocols != nullptr);
205 *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
206 const char** alpn_protocol_strings = static_cast<const char**>(
207 gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
208 for (size_t i = 0; i < *num_alpn_protocols; i++) {
209 alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
210 }
211 return alpn_protocol_strings;
212 }
213
grpc_ssl_host_matches_name(const tsi_peer * peer,absl::string_view peer_name)214 int grpc_ssl_host_matches_name(const tsi_peer* peer,
215 absl::string_view peer_name) {
216 absl::string_view allocated_name;
217 absl::string_view ignored_port;
218 grpc_core::SplitHostPort(peer_name, &allocated_name, &ignored_port);
219 if (allocated_name.empty()) return 0;
220
221 // IPv6 zone-id should not be included in comparisons.
222 const size_t zone_id = allocated_name.find('%');
223 if (zone_id != absl::string_view::npos) {
224 allocated_name.remove_suffix(allocated_name.size() - zone_id);
225 }
226 return tsi_ssl_peer_matches_name(peer, allocated_name);
227 }
228
grpc_ssl_cmp_target_name(absl::string_view target_name,absl::string_view other_target_name,absl::string_view overridden_target_name,absl::string_view other_overridden_target_name)229 int grpc_ssl_cmp_target_name(absl::string_view target_name,
230 absl::string_view other_target_name,
231 absl::string_view overridden_target_name,
232 absl::string_view other_overridden_target_name) {
233 int c = target_name.compare(other_target_name);
234 if (c != 0) return c;
235 return overridden_target_name.compare(other_overridden_target_name);
236 }
237
IsSpiffeId(absl::string_view uri)238 static bool IsSpiffeId(absl::string_view uri) {
239 // Return false without logging for a non-spiffe uri scheme.
240 if (!absl::StartsWith(uri, "spiffe://")) {
241 return false;
242 };
243 if (uri.size() > 2048) {
244 gpr_log(GPR_INFO, "Invalid SPIFFE ID: ID longer than 2048 bytes.");
245 return false;
246 }
247 std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
248 if (splits.size() < 4 || splits[3] == "") {
249 gpr_log(GPR_INFO, "Invalid SPIFFE ID: workload id is empty.");
250 return false;
251 }
252 if (splits[2].size() > 255) {
253 gpr_log(GPR_INFO, "Invalid SPIFFE ID: domain longer than 255 characters.");
254 return false;
255 }
256 return true;
257 }
258
grpc_ssl_peer_to_auth_context(const tsi_peer * peer,const char * transport_security_type)259 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
260 const tsi_peer* peer, const char* transport_security_type) {
261 size_t i;
262 const char* peer_identity_property_name = nullptr;
263
264 /* The caller has checked the certificate type property. */
265 GPR_ASSERT(peer->property_count >= 1);
266 grpc_core::RefCountedPtr<grpc_auth_context> ctx =
267 grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
268 grpc_auth_context_add_cstring_property(
269 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
270 transport_security_type);
271 const char* spiffe_data = nullptr;
272 size_t spiffe_length = 0;
273 int uri_count = 0;
274 bool has_spiffe_id = false;
275 for (i = 0; i < peer->property_count; i++) {
276 const tsi_peer_property* prop = &peer->properties[i];
277 if (prop->name == nullptr) continue;
278 if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
279 /* If there is no subject alt name, have the CN as the identity. */
280 if (peer_identity_property_name == nullptr) {
281 peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
282 }
283 grpc_auth_context_add_property(ctx.get(), GRPC_X509_CN_PROPERTY_NAME,
284 prop->value.data, prop->value.length);
285 } else if (strcmp(prop->name,
286 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
287 peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
288 grpc_auth_context_add_property(ctx.get(), GRPC_X509_SAN_PROPERTY_NAME,
289 prop->value.data, prop->value.length);
290 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
291 grpc_auth_context_add_property(ctx.get(),
292 GRPC_X509_PEM_CERT_PROPERTY_NAME,
293 prop->value.data, prop->value.length);
294 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_CHAIN_PROPERTY) == 0) {
295 grpc_auth_context_add_property(ctx.get(),
296 GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME,
297 prop->value.data, prop->value.length);
298 } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
299 grpc_auth_context_add_property(ctx.get(),
300 GRPC_SSL_SESSION_REUSED_PROPERTY,
301 prop->value.data, prop->value.length);
302 } else if (strcmp(prop->name, TSI_SECURITY_LEVEL_PEER_PROPERTY) == 0) {
303 grpc_auth_context_add_property(
304 ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
305 prop->value.data, prop->value.length);
306 } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
307 uri_count++;
308 absl::string_view spiffe_id(prop->value.data, prop->value.length);
309 if (IsSpiffeId(spiffe_id)) {
310 spiffe_data = prop->value.data;
311 spiffe_length = prop->value.length;
312 has_spiffe_id = true;
313 }
314 }
315 }
316 if (peer_identity_property_name != nullptr) {
317 GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
318 ctx.get(), peer_identity_property_name) == 1);
319 }
320 // A valid SPIFFE certificate can only have exact one URI SAN field.
321 if (has_spiffe_id) {
322 if (uri_count == 1) {
323 GPR_ASSERT(spiffe_length > 0);
324 GPR_ASSERT(spiffe_data != nullptr);
325 grpc_auth_context_add_property(ctx.get(),
326 GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
327 spiffe_data, spiffe_length);
328 } else {
329 gpr_log(GPR_INFO, "Invalid SPIFFE ID: multiple URI SANs.");
330 }
331 }
332 return ctx;
333 }
334
add_shallow_auth_property_to_peer(tsi_peer * peer,const grpc_auth_property * prop,const char * tsi_prop_name)335 static void add_shallow_auth_property_to_peer(tsi_peer* peer,
336 const grpc_auth_property* prop,
337 const char* tsi_prop_name) {
338 tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
339 tsi_prop->name = const_cast<char*>(tsi_prop_name);
340 tsi_prop->value.data = prop->value;
341 tsi_prop->value.length = prop->value_length;
342 }
343
grpc_shallow_peer_from_ssl_auth_context(const grpc_auth_context * auth_context)344 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
345 const grpc_auth_context* auth_context) {
346 size_t max_num_props = 0;
347 grpc_auth_property_iterator it;
348 const grpc_auth_property* prop;
349 tsi_peer peer;
350 memset(&peer, 0, sizeof(peer));
351
352 it = grpc_auth_context_property_iterator(auth_context);
353 while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
354
355 if (max_num_props > 0) {
356 peer.properties = static_cast<tsi_peer_property*>(
357 gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
358 it = grpc_auth_context_property_iterator(auth_context);
359 while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
360 if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
361 add_shallow_auth_property_to_peer(
362 &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
363 } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
364 add_shallow_auth_property_to_peer(
365 &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
366 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
367 add_shallow_auth_property_to_peer(&peer, prop,
368 TSI_X509_PEM_CERT_PROPERTY);
369 } else if (strcmp(prop->name,
370 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME) == 0) {
371 add_shallow_auth_property_to_peer(&peer, prop,
372 TSI_SECURITY_LEVEL_PEER_PROPERTY);
373 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME) ==
374 0) {
375 add_shallow_auth_property_to_peer(&peer, prop,
376 TSI_X509_PEM_CERT_CHAIN_PROPERTY);
377 } else if (strcmp(prop->name, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME) == 0) {
378 add_shallow_auth_property_to_peer(&peer, prop,
379 TSI_X509_URI_PEER_PROPERTY);
380 }
381 }
382 }
383 return peer;
384 }
385
grpc_shallow_peer_destruct(tsi_peer * peer)386 void grpc_shallow_peer_destruct(tsi_peer* peer) {
387 if (peer->properties != nullptr) gpr_free(peer->properties);
388 }
389
grpc_ssl_tsi_client_handshaker_factory_init(tsi_ssl_pem_key_cert_pair * pem_key_cert_pair,const char * pem_root_certs,bool skip_server_certificate_verification,tsi_tls_version min_tls_version,tsi_tls_version max_tls_version,tsi_ssl_session_cache * ssl_session_cache,tsi_ssl_client_handshaker_factory ** handshaker_factory)390 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
391 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
392 bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
393 tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
394 tsi_ssl_client_handshaker_factory** handshaker_factory) {
395 const char* root_certs;
396 const tsi_ssl_root_certs_store* root_store;
397 if (pem_root_certs == nullptr) {
398 gpr_log(GPR_INFO,
399 "No root certificates specified; use ones stored in system default "
400 "locations instead");
401 // Use default root certificates.
402 root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
403 if (root_certs == nullptr) {
404 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
405 return GRPC_SECURITY_ERROR;
406 }
407 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
408 } else {
409 root_certs = pem_root_certs;
410 root_store = nullptr;
411 }
412 bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
413 pem_key_cert_pair->private_key != nullptr &&
414 pem_key_cert_pair->cert_chain != nullptr;
415 tsi_ssl_client_handshaker_options options;
416 GPR_DEBUG_ASSERT(root_certs != nullptr);
417 options.pem_root_certs = root_certs;
418 options.root_store = root_store;
419 options.alpn_protocols =
420 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
421 if (has_key_cert_pair) {
422 options.pem_key_cert_pair = pem_key_cert_pair;
423 }
424 options.cipher_suites = grpc_get_ssl_cipher_suites();
425 options.session_cache = ssl_session_cache;
426 options.skip_server_certificate_verification =
427 skip_server_certificate_verification;
428 options.min_tls_version = min_tls_version;
429 options.max_tls_version = max_tls_version;
430 const tsi_result result =
431 tsi_create_ssl_client_handshaker_factory_with_options(&options,
432 handshaker_factory);
433 gpr_free(options.alpn_protocols);
434 if (result != TSI_OK) {
435 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
436 tsi_result_to_string(result));
437 return GRPC_SECURITY_ERROR;
438 }
439 return GRPC_SECURITY_OK;
440 }
441
grpc_ssl_tsi_server_handshaker_factory_init(tsi_ssl_pem_key_cert_pair * pem_key_cert_pairs,size_t num_key_cert_pairs,const char * pem_root_certs,grpc_ssl_client_certificate_request_type client_certificate_request,tsi_tls_version min_tls_version,tsi_tls_version max_tls_version,tsi_ssl_server_handshaker_factory ** handshaker_factory)442 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
443 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
444 const char* pem_root_certs,
445 grpc_ssl_client_certificate_request_type client_certificate_request,
446 tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
447 tsi_ssl_server_handshaker_factory** handshaker_factory) {
448 size_t num_alpn_protocols = 0;
449 const char** alpn_protocol_strings =
450 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
451 tsi_ssl_server_handshaker_options options;
452 options.pem_key_cert_pairs = pem_key_cert_pairs;
453 options.num_key_cert_pairs = num_key_cert_pairs;
454 options.pem_client_root_certs = pem_root_certs;
455 options.client_certificate_request =
456 grpc_get_tsi_client_certificate_request_type(client_certificate_request);
457 options.cipher_suites = grpc_get_ssl_cipher_suites();
458 options.alpn_protocols = alpn_protocol_strings;
459 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
460 options.min_tls_version = min_tls_version;
461 options.max_tls_version = max_tls_version;
462 const tsi_result result =
463 tsi_create_ssl_server_handshaker_factory_with_options(&options,
464 handshaker_factory);
465 gpr_free(alpn_protocol_strings);
466 if (result != TSI_OK) {
467 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
468 tsi_result_to_string(result));
469 return GRPC_SECURITY_ERROR;
470 }
471 return GRPC_SECURITY_OK;
472 }
473
474 /* --- Ssl cache implementation. --- */
475
grpc_ssl_session_cache_create_lru(size_t capacity)476 grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
477 tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
478 return reinterpret_cast<grpc_ssl_session_cache*>(cache);
479 }
480
grpc_ssl_session_cache_destroy(grpc_ssl_session_cache * cache)481 void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
482 tsi_ssl_session_cache* tsi_cache =
483 reinterpret_cast<tsi_ssl_session_cache*>(cache);
484 tsi_ssl_session_cache_unref(tsi_cache);
485 }
486
grpc_ssl_session_cache_arg_copy(void * p)487 static void* grpc_ssl_session_cache_arg_copy(void* p) {
488 tsi_ssl_session_cache* tsi_cache =
489 reinterpret_cast<tsi_ssl_session_cache*>(p);
490 // destroy call below will unref the pointer.
491 tsi_ssl_session_cache_ref(tsi_cache);
492 return p;
493 }
494
grpc_ssl_session_cache_arg_destroy(void * p)495 static void grpc_ssl_session_cache_arg_destroy(void* p) {
496 tsi_ssl_session_cache* tsi_cache =
497 reinterpret_cast<tsi_ssl_session_cache*>(p);
498 tsi_ssl_session_cache_unref(tsi_cache);
499 }
500
grpc_ssl_session_cache_arg_cmp(void * p,void * q)501 static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
502 return GPR_ICMP(p, q);
503 }
504
grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache * cache)505 grpc_arg grpc_ssl_session_cache_create_channel_arg(
506 grpc_ssl_session_cache* cache) {
507 static const grpc_arg_pointer_vtable vtable = {
508 grpc_ssl_session_cache_arg_copy,
509 grpc_ssl_session_cache_arg_destroy,
510 grpc_ssl_session_cache_arg_cmp,
511 };
512 return grpc_channel_arg_pointer_create(
513 const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
514 }
515
516 /* --- Default SSL root store implementation. --- */
517
518 namespace grpc_core {
519
520 tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
521 grpc_slice DefaultSslRootStore::default_pem_root_certs_;
522
GetRootStore()523 const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
524 InitRootStore();
525 return default_root_store_;
526 }
527
GetPemRootCerts()528 const char* DefaultSslRootStore::GetPemRootCerts() {
529 InitRootStore();
530 return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
531 ? nullptr
532 : reinterpret_cast<const char*>
533 GRPC_SLICE_START_PTR(default_pem_root_certs_);
534 }
535
ComputePemRootCerts()536 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
537 grpc_slice result = grpc_empty_slice();
538 const bool not_use_system_roots =
539 GPR_GLOBAL_CONFIG_GET(grpc_not_use_system_ssl_roots);
540 // First try to load the roots from the configuration.
541 grpc_core::UniquePtr<char> default_root_certs_path =
542 GPR_GLOBAL_CONFIG_GET(grpc_default_ssl_roots_file_path);
543 if (strlen(default_root_certs_path.get()) > 0) {
544 GRPC_LOG_IF_ERROR(
545 "load_file", grpc_load_file(default_root_certs_path.get(), 1, &result));
546 }
547 // Try overridden roots if needed.
548 grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
549 if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
550 char* pem_root_certs = nullptr;
551 ovrd_res = ssl_roots_override_cb(&pem_root_certs);
552 if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
553 GPR_ASSERT(pem_root_certs != nullptr);
554 result = grpc_slice_from_copied_buffer(
555 pem_root_certs,
556 strlen(pem_root_certs) + 1); // nullptr terminator.
557 }
558 gpr_free(pem_root_certs);
559 }
560 // Try loading roots from OS trust store if flag is enabled.
561 if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
562 result = LoadSystemRootCerts();
563 }
564 // Fallback to roots manually shipped with gRPC.
565 if (GRPC_SLICE_IS_EMPTY(result) &&
566 ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
567 GRPC_LOG_IF_ERROR("load_file",
568 grpc_load_file(installed_roots_path, 1, &result));
569 }
570 return result;
571 }
572
InitRootStore()573 void DefaultSslRootStore::InitRootStore() {
574 static gpr_once once = GPR_ONCE_INIT;
575 gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
576 }
577
InitRootStoreOnce()578 void DefaultSslRootStore::InitRootStoreOnce() {
579 default_pem_root_certs_ = ComputePemRootCerts();
580 if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
581 default_root_store_ =
582 tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
583 GRPC_SLICE_START_PTR(default_pem_root_certs_)));
584 }
585 }
586
587 } // namespace grpc_core
588