• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *
3  * Copyright 2015 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <grpc/support/port_platform.h>
20 
21 #include "src/core/lib/http/httpcli.h"
22 
23 #include <string.h>
24 
25 #include "absl/strings/str_cat.h"
26 #include "absl/strings/string_view.h"
27 
28 #include <grpc/support/alloc.h>
29 #include <grpc/support/log.h>
30 #include <grpc/support/string_util.h>
31 
32 #include "src/core/lib/channel/channel_args.h"
33 #include "src/core/lib/channel/handshaker_registry.h"
34 #include "src/core/lib/gpr/string.h"
35 #include "src/core/lib/gprpp/ref_counted_ptr.h"
36 #include "src/core/lib/iomgr/pollset.h"
37 #include "src/core/lib/security/credentials/credentials.h"
38 #include "src/core/lib/security/security_connector/ssl_utils.h"
39 #include "src/core/lib/security/transport/security_handshaker.h"
40 #include "src/core/lib/slice/slice_internal.h"
41 #include "src/core/tsi/ssl_transport_security.h"
42 
43 class grpc_httpcli_ssl_channel_security_connector final
44     : public grpc_channel_security_connector {
45  public:
grpc_httpcli_ssl_channel_security_connector(char * secure_peer_name)46   explicit grpc_httpcli_ssl_channel_security_connector(char* secure_peer_name)
47       : grpc_channel_security_connector(
48             /*url_scheme=*/nullptr,
49             /*channel_creds=*/nullptr,
50             /*request_metadata_creds=*/nullptr),
51         secure_peer_name_(secure_peer_name) {}
52 
~grpc_httpcli_ssl_channel_security_connector()53   ~grpc_httpcli_ssl_channel_security_connector() override {
54     if (handshaker_factory_ != nullptr) {
55       tsi_ssl_client_handshaker_factory_unref(handshaker_factory_);
56     }
57     if (secure_peer_name_ != nullptr) {
58       gpr_free(secure_peer_name_);
59     }
60   }
61 
InitHandshakerFactory(const char * pem_root_certs,const tsi_ssl_root_certs_store * root_store)62   tsi_result InitHandshakerFactory(const char* pem_root_certs,
63                                    const tsi_ssl_root_certs_store* root_store) {
64     tsi_ssl_client_handshaker_options options;
65     options.pem_root_certs = pem_root_certs;
66     options.root_store = root_store;
67     return tsi_create_ssl_client_handshaker_factory_with_options(
68         &options, &handshaker_factory_);
69   }
70 
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,grpc_core::HandshakeManager * handshake_mgr)71   void add_handshakers(const grpc_channel_args* args,
72                        grpc_pollset_set* /*interested_parties*/,
73                        grpc_core::HandshakeManager* handshake_mgr) override {
74     tsi_handshaker* handshaker = nullptr;
75     if (handshaker_factory_ != nullptr) {
76       tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
77           handshaker_factory_, secure_peer_name_, &handshaker);
78       if (result != TSI_OK) {
79         gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
80                 tsi_result_to_string(result));
81       }
82     }
83     handshake_mgr->Add(
84         grpc_core::SecurityHandshakerCreate(handshaker, this, args));
85   }
86 
handshaker_factory() const87   tsi_ssl_client_handshaker_factory* handshaker_factory() const {
88     return handshaker_factory_;
89   }
90 
check_peer(tsi_peer peer,grpc_endpoint *,grpc_core::RefCountedPtr<grpc_auth_context> *,grpc_closure * on_peer_checked)91   void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
92                   grpc_core::RefCountedPtr<grpc_auth_context>* /*auth_context*/,
93                   grpc_closure* on_peer_checked) override {
94     grpc_error* error = GRPC_ERROR_NONE;
95 
96     /* Check the peer name. */
97     if (secure_peer_name_ != nullptr &&
98         !tsi_ssl_peer_matches_name(&peer, secure_peer_name_)) {
99       error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
100           absl::StrCat("Peer name ", secure_peer_name_,
101                        " is not in peer certificate")
102               .c_str());
103     }
104     grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
105     tsi_peer_destruct(&peer);
106   }
107 
cmp(const grpc_security_connector * other_sc) const108   int cmp(const grpc_security_connector* other_sc) const override {
109     auto* other =
110         reinterpret_cast<const grpc_httpcli_ssl_channel_security_connector*>(
111             other_sc);
112     return strcmp(secure_peer_name_, other->secure_peer_name_);
113   }
114 
check_call_host(absl::string_view,grpc_auth_context *,grpc_closure *,grpc_error ** error)115   bool check_call_host(absl::string_view /*host*/,
116                        grpc_auth_context* /*auth_context*/,
117                        grpc_closure* /*on_call_host_checked*/,
118                        grpc_error** error) override {
119     *error = GRPC_ERROR_NONE;
120     return true;
121   }
122 
cancel_check_call_host(grpc_closure *,grpc_error * error)123   void cancel_check_call_host(grpc_closure* /*on_call_host_checked*/,
124                               grpc_error* error) override {
125     GRPC_ERROR_UNREF(error);
126   }
127 
secure_peer_name() const128   const char* secure_peer_name() const { return secure_peer_name_; }
129 
130  private:
131   tsi_ssl_client_handshaker_factory* handshaker_factory_ = nullptr;
132   char* secure_peer_name_;
133 };
134 
135 static grpc_core::RefCountedPtr<grpc_channel_security_connector>
httpcli_ssl_channel_security_connector_create(const char * pem_root_certs,const tsi_ssl_root_certs_store * root_store,const char * secure_peer_name,grpc_channel_args *)136 httpcli_ssl_channel_security_connector_create(
137     const char* pem_root_certs, const tsi_ssl_root_certs_store* root_store,
138     const char* secure_peer_name, grpc_channel_args* /*channel_args*/) {
139   if (secure_peer_name != nullptr && pem_root_certs == nullptr) {
140     gpr_log(GPR_ERROR,
141             "Cannot assert a secure peer name without a trust root.");
142     return nullptr;
143   }
144   grpc_core::RefCountedPtr<grpc_httpcli_ssl_channel_security_connector> c =
145       grpc_core::MakeRefCounted<grpc_httpcli_ssl_channel_security_connector>(
146           secure_peer_name == nullptr ? nullptr : gpr_strdup(secure_peer_name));
147   tsi_result result = c->InitHandshakerFactory(pem_root_certs, root_store);
148   if (result != TSI_OK) {
149     gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
150             tsi_result_to_string(result));
151     return nullptr;
152   }
153   return c;
154 }
155 
156 /* handshaker */
157 
158 struct on_done_closure {
159   void (*func)(void* arg, grpc_endpoint* endpoint);
160   void* arg;
161   grpc_core::RefCountedPtr<grpc_core::HandshakeManager> handshake_mgr;
162 };
on_handshake_done(void * arg,grpc_error * error)163 static void on_handshake_done(void* arg, grpc_error* error) {
164   auto* args = static_cast<grpc_core::HandshakerArgs*>(arg);
165   on_done_closure* c = static_cast<on_done_closure*>(args->user_data);
166   if (error != GRPC_ERROR_NONE) {
167     const char* msg = grpc_error_string(error);
168     gpr_log(GPR_ERROR, "Secure transport setup failed: %s", msg);
169 
170     c->func(c->arg, nullptr);
171   } else {
172     grpc_channel_args_destroy(args->args);
173     grpc_slice_buffer_destroy_internal(args->read_buffer);
174     gpr_free(args->read_buffer);
175     c->func(c->arg, args->endpoint);
176   }
177   delete c;
178 }
179 
ssl_handshake(void * arg,grpc_endpoint * tcp,const char * host,grpc_millis deadline,void (* on_done)(void * arg,grpc_endpoint * endpoint))180 static void ssl_handshake(void* arg, grpc_endpoint* tcp, const char* host,
181                           grpc_millis deadline,
182                           void (*on_done)(void* arg, grpc_endpoint* endpoint)) {
183   auto* c = new on_done_closure();
184   const char* pem_root_certs =
185       grpc_core::DefaultSslRootStore::GetPemRootCerts();
186   const tsi_ssl_root_certs_store* root_store =
187       grpc_core::DefaultSslRootStore::GetRootStore();
188   if (root_store == nullptr) {
189     gpr_log(GPR_ERROR, "Could not get default pem root certs.");
190     on_done(arg, nullptr);
191     gpr_free(c);
192     return;
193   }
194   c->func = on_done;
195   c->arg = arg;
196   grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
197       httpcli_ssl_channel_security_connector_create(
198           pem_root_certs, root_store, host,
199           static_cast<grpc_core::HandshakerArgs*>(arg)->args);
200 
201   GPR_ASSERT(sc != nullptr);
202   grpc_arg channel_arg = grpc_security_connector_to_arg(sc.get());
203   grpc_channel_args args = {1, &channel_arg};
204   c->handshake_mgr = grpc_core::MakeRefCounted<grpc_core::HandshakeManager>();
205   grpc_core::HandshakerRegistry::AddHandshakers(
206       grpc_core::HANDSHAKER_CLIENT, &args,
207       /*interested_parties=*/nullptr, c->handshake_mgr.get());
208   c->handshake_mgr->DoHandshake(tcp, /*channel_args=*/nullptr, deadline,
209                                 /*acceptor=*/nullptr, on_handshake_done,
210                                 /*user_data=*/c);
211   sc.reset(DEBUG_LOCATION, "httpcli");
212 }
213 
214 const grpc_httpcli_handshaker grpc_httpcli_ssl = {"https", ssl_handshake};
215