1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
20
21 #include <grpc/grpc.h>
22 #include <grpc/grpc_security_constants.h>
23 #include <grpc/impl/channel_arg_names.h>
24 #include <grpc/support/port_platform.h>
25
26 #include <memory>
27 #include <string>
28 #include <utility>
29
30 #include "absl/log/log.h"
31 #include "absl/types/optional.h"
32 #include "src/core/lib/channel/channel_args.h"
33 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
34 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
35 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
36 #include "src/core/tsi/ssl/session_cache/ssl_session_cache.h"
37 #include "src/core/util/useful.h"
38
39 namespace {
40
CredentialOptionSanityCheck(grpc_tls_credentials_options * options,bool is_client)41 bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
42 bool is_client) {
43 if (options == nullptr) {
44 LOG(ERROR) << "TLS credentials options is nullptr.";
45 return false;
46 }
47 // In this case, there will be non-retriable handshake errors.
48 if (options->min_tls_version() > options->max_tls_version()) {
49 LOG(ERROR) << "TLS min version must not be higher than max version.";
50 grpc_tls_credentials_options_destroy(options);
51 return false;
52 }
53 if (options->max_tls_version() > grpc_tls_version::TLS1_3) {
54 LOG(ERROR) << "TLS max version must not be higher than v1.3.";
55 grpc_tls_credentials_options_destroy(options);
56 return false;
57 }
58 if (options->min_tls_version() < grpc_tls_version::TLS1_2) {
59 LOG(ERROR) << "TLS min version must not be lower than v1.2.";
60 grpc_tls_credentials_options_destroy(options);
61 return false;
62 }
63 if (!options->crl_directory().empty() && options->crl_provider() != nullptr) {
64 LOG(ERROR) << "Setting crl_directory and crl_provider not supported. Using "
65 "the crl_provider.";
66 // TODO(gtcooke94) - Maybe return false here. Right now object lifetime of
67 // this options struct is leaky if false is returned and represents a more
68 // complex fix to handle in another PR.
69 }
70 // In the following conditions, there won't be any issues, but it might
71 // indicate callers are doing something wrong with the API.
72 if (is_client && options->cert_request_type() !=
73 GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {
74 LOG(ERROR)
75 << "Client's credentials options should not set cert_request_type.";
76 }
77 if (!is_client && !options->verify_server_cert()) {
78 LOG(ERROR)
79 << "Server's credentials options should not set verify_server_cert.";
80 }
81 // In the following conditions, there could be severe security issues.
82 if (is_client && options->certificate_verifier() == nullptr) {
83 // If no verifier is specified on the client side, use the hostname verifier
84 // as default. Users who want to bypass all the verifier check should
85 // implement an external verifier instead.
86 VLOG(2) << "No verifier specified on the client side. Using default "
87 "hostname verifier";
88 options->set_certificate_verifier(
89 grpc_core::MakeRefCounted<grpc_core::HostNameCertificateVerifier>());
90 }
91 return true;
92 }
93
94 } // namespace
95
TlsCredentials(grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)96 TlsCredentials::TlsCredentials(
97 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
98 : options_(std::move(options)) {}
99
~TlsCredentials()100 TlsCredentials::~TlsCredentials() {}
101
102 grpc_core::RefCountedPtr<grpc_channel_security_connector>
create_security_connector(grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,const char * target_name,grpc_core::ChannelArgs * args)103 TlsCredentials::create_security_connector(
104 grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
105 const char* target_name, grpc_core::ChannelArgs* args) {
106 absl::optional<std::string> overridden_target_name =
107 args->GetOwnedString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
108 auto* ssl_session_cache = args->GetObject<tsi::SslSessionLRUCache>();
109 grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
110 grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
111 this->Ref(), options_, std::move(call_creds), target_name,
112 overridden_target_name.has_value() ? overridden_target_name->c_str()
113 : nullptr,
114 ssl_session_cache == nullptr ? nullptr : ssl_session_cache->c_ptr());
115 if (sc == nullptr) {
116 return nullptr;
117 }
118 *args = args->Set(GRPC_ARG_HTTP2_SCHEME, "https");
119 return sc;
120 }
121
Type()122 grpc_core::UniqueTypeName TlsCredentials::Type() {
123 static grpc_core::UniqueTypeName::Factory kFactory("Tls");
124 return kFactory.Create();
125 }
126
cmp_impl(const grpc_channel_credentials * other) const127 int TlsCredentials::cmp_impl(const grpc_channel_credentials* other) const {
128 const TlsCredentials* o = static_cast<const TlsCredentials*>(other);
129 if (*options_ == *o->options_) return 0;
130 return grpc_core::QsortCompare(
131 static_cast<const grpc_channel_credentials*>(this), other);
132 }
133
TlsServerCredentials(grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)134 TlsServerCredentials::TlsServerCredentials(
135 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
136 : options_(std::move(options)) {}
137
~TlsServerCredentials()138 TlsServerCredentials::~TlsServerCredentials() {}
139
140 grpc_core::RefCountedPtr<grpc_server_security_connector>
create_security_connector(const grpc_core::ChannelArgs &)141 TlsServerCredentials::create_security_connector(
142 const grpc_core::ChannelArgs& /* args */) {
143 return grpc_core::TlsServerSecurityConnector::
144 CreateTlsServerSecurityConnector(this->Ref(), options_);
145 }
146
Type()147 grpc_core::UniqueTypeName TlsServerCredentials::Type() {
148 static grpc_core::UniqueTypeName::Factory kFactory("Tls");
149 return kFactory.Create();
150 }
151
152 /// -- Wrapper APIs declared in grpc_security.h -- *
153
grpc_tls_credentials_create(grpc_tls_credentials_options * options)154 grpc_channel_credentials* grpc_tls_credentials_create(
155 grpc_tls_credentials_options* options) {
156 if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
157 return nullptr;
158 }
159 return new TlsCredentials(
160 grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
161 }
162
grpc_tls_server_credentials_create(grpc_tls_credentials_options * options)163 grpc_server_credentials* grpc_tls_server_credentials_create(
164 grpc_tls_credentials_options* options) {
165 if (!CredentialOptionSanityCheck(options, false /* is_client */)) {
166 return nullptr;
167 }
168 return new TlsServerCredentials(
169 grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
170 }
171