1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/security_connector/ssl_utils.h"
20
21 #include <grpc/credentials.h>
22 #include <grpc/grpc.h>
23 #include <grpc/grpc_crl_provider.h>
24 #include <grpc/impl/channel_arg_names.h>
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/port_platform.h>
27 #include <grpc/support/string_util.h>
28 #include <grpc/support/sync.h>
29 #include <stdint.h>
30 #include <string.h>
31
32 #include <memory>
33 #include <utility>
34 #include <vector>
35
36 #include "absl/log/check.h"
37 #include "absl/log/log.h"
38 #include "absl/strings/match.h"
39 #include "absl/strings/str_cat.h"
40 #include "absl/strings/str_split.h"
41 #include "src/core/config/config_vars.h"
42 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
43 #include "src/core/lib/channel/channel_args.h"
44 #include "src/core/lib/security/context/security_context.h"
45 #include "src/core/lib/security/security_connector/load_system_roots.h"
46 #include "src/core/tsi/ssl_transport_security.h"
47 #include "src/core/tsi/transport_security.h"
48 #include "src/core/util/host_port.h"
49 #include "src/core/util/load_file.h"
50 #include "src/core/util/ref_counted_ptr.h"
51 #include "src/core/util/useful.h"
52
53 // -- Constants. --
54
55 #if defined(GRPC_ROOT_PEM_PATH)
56 static const char* installed_roots_path = GRPC_ROOT_PEM_PATH;
57 #elif defined(INSTALL_PREFIX)
58 static const char* installed_roots_path =
59 INSTALL_PREFIX "/usr/share/grpc/roots.pem";
60 #else
61 static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
62 #endif
63
64 #ifndef TSI_OPENSSL_ALPN_SUPPORT
65 #define TSI_OPENSSL_ALPN_SUPPORT 1
66 #endif
67
68 // -- Overridden default roots. --
69
70 static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
71
grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb)72 void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
73 ssl_roots_override_cb = cb;
74 }
75
76 // -- Cipher suites. --
77
78 static gpr_once cipher_suites_once = GPR_ONCE_INIT;
79 static const char* cipher_suites = nullptr;
80
init_cipher_suites(void)81 static void init_cipher_suites(void) {
82 cipher_suites = gpr_strdup(
83 std::string(grpc_core::ConfigVars::Get().SslCipherSuites()).c_str());
84 }
85
86 // --- Util ---
87
grpc_get_ssl_cipher_suites(void)88 const char* grpc_get_ssl_cipher_suites(void) {
89 gpr_once_init(&cipher_suites_once, init_cipher_suites);
90 return cipher_suites;
91 }
92
93 tsi_client_certificate_request_type
grpc_get_tsi_client_certificate_request_type(grpc_ssl_client_certificate_request_type grpc_request_type)94 grpc_get_tsi_client_certificate_request_type(
95 grpc_ssl_client_certificate_request_type grpc_request_type) {
96 switch (grpc_request_type) {
97 case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
98 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
99
100 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
101 return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
102
103 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
104 return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
105
106 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
107 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
108
109 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
110 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
111
112 default:
113 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
114 }
115 }
116
grpc_get_tsi_tls_version(grpc_tls_version tls_version)117 tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
118 switch (tls_version) {
119 case grpc_tls_version::TLS1_2:
120 return tsi_tls_version::TSI_TLS1_2;
121 case grpc_tls_version::TLS1_3:
122 return tsi_tls_version::TSI_TLS1_3;
123 default:
124 LOG(INFO) << "Falling back to TLS 1.2.";
125 return tsi_tls_version::TSI_TLS1_2;
126 }
127 }
128
grpc_ssl_check_alpn(const tsi_peer * peer)129 grpc_error_handle grpc_ssl_check_alpn(const tsi_peer* peer) {
130 #if TSI_OPENSSL_ALPN_SUPPORT
131 // Check the ALPN if ALPN is supported.
132 const tsi_peer_property* p =
133 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
134 if (p == nullptr) {
135 return GRPC_ERROR_CREATE(
136 "Cannot check peer: missing selected ALPN property.");
137 }
138 if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
139 return GRPC_ERROR_CREATE("Cannot check peer: invalid ALPN value.");
140 }
141 #endif // TSI_OPENSSL_ALPN_SUPPORT
142 return absl::OkStatus();
143 }
144
grpc_ssl_check_peer_name(absl::string_view peer_name,const tsi_peer * peer)145 grpc_error_handle grpc_ssl_check_peer_name(absl::string_view peer_name,
146 const tsi_peer* peer) {
147 // Check the peer name if specified.
148 if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
149 return GRPC_ERROR_CREATE(
150 absl::StrCat("Peer name ", peer_name, " is not in peer certificate"));
151 }
152 return absl::OkStatus();
153 }
154
grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair * kp,size_t num_key_cert_pairs)155 void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
156 size_t num_key_cert_pairs) {
157 if (kp == nullptr) return;
158 for (size_t i = 0; i < num_key_cert_pairs; i++) {
159 gpr_free(const_cast<char*>(kp[i].private_key));
160 gpr_free(const_cast<char*>(kp[i].cert_chain));
161 }
162 gpr_free(kp);
163 }
164
165 namespace grpc_core {
166
SslCheckCallHost(absl::string_view host,absl::string_view target_name,absl::string_view overridden_target_name,grpc_auth_context * auth_context)167 absl::Status SslCheckCallHost(absl::string_view host,
168 absl::string_view target_name,
169 absl::string_view overridden_target_name,
170 grpc_auth_context* auth_context) {
171 grpc_security_status status = GRPC_SECURITY_ERROR;
172 tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
173 if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
174 // If the target name was overridden, then the original target_name was
175 //'checked' transitively during the previous peer check at the end of the
176 // handshake.
177 if (!overridden_target_name.empty() && host == target_name) {
178 status = GRPC_SECURITY_OK;
179 }
180 if (status != GRPC_SECURITY_OK) {
181 LOG(ERROR) << "call host does not match SSL server name";
182 grpc_shallow_peer_destruct(&peer);
183 return absl::UnauthenticatedError(
184 "call host does not match SSL server name");
185 }
186 grpc_shallow_peer_destruct(&peer);
187 return absl::OkStatus();
188 }
189
190 } // namespace grpc_core
191
grpc_fill_alpn_protocol_strings(size_t * num_alpn_protocols)192 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
193 CHECK_NE(num_alpn_protocols, nullptr);
194 *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
195 const char** alpn_protocol_strings = static_cast<const char**>(
196 gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
197 for (size_t i = 0; i < *num_alpn_protocols; i++) {
198 alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
199 }
200 return alpn_protocol_strings;
201 }
202
grpc_ssl_host_matches_name(const tsi_peer * peer,absl::string_view peer_name)203 int grpc_ssl_host_matches_name(const tsi_peer* peer,
204 absl::string_view peer_name) {
205 absl::string_view allocated_name;
206 absl::string_view ignored_port;
207 grpc_core::SplitHostPort(peer_name, &allocated_name, &ignored_port);
208 if (allocated_name.empty()) return 0;
209
210 // IPv6 zone-id should not be included in comparisons.
211 const size_t zone_id = allocated_name.find('%');
212 if (zone_id != absl::string_view::npos) {
213 allocated_name.remove_suffix(allocated_name.size() - zone_id);
214 }
215 return tsi_ssl_peer_matches_name(peer, allocated_name);
216 }
217
grpc_ssl_cmp_target_name(absl::string_view target_name,absl::string_view other_target_name,absl::string_view overridden_target_name,absl::string_view other_overridden_target_name)218 int grpc_ssl_cmp_target_name(absl::string_view target_name,
219 absl::string_view other_target_name,
220 absl::string_view overridden_target_name,
221 absl::string_view other_overridden_target_name) {
222 int c = target_name.compare(other_target_name);
223 if (c != 0) return c;
224 return overridden_target_name.compare(other_overridden_target_name);
225 }
226
IsSpiffeId(absl::string_view uri)227 static bool IsSpiffeId(absl::string_view uri) {
228 // Return false without logging for a non-spiffe uri scheme.
229 if (!absl::StartsWith(uri, "spiffe://")) {
230 return false;
231 };
232 if (uri.size() > 2048) {
233 GRPC_TRACE_LOG(tsi, INFO)
234 << "Invalid SPIFFE ID: ID longer than 2048 bytes.";
235 return false;
236 }
237 std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
238 if (splits.size() < 4 || splits[3].empty()) {
239 GRPC_TRACE_LOG(tsi, INFO) << "Invalid SPIFFE ID: workload id is empty.";
240 return false;
241 }
242 if (splits[2].size() > 255) {
243 GRPC_TRACE_LOG(tsi, INFO)
244 << "Invalid SPIFFE ID: domain longer than 255 characters.";
245 return false;
246 }
247 return true;
248 }
249
grpc_ssl_peer_to_auth_context(const tsi_peer * peer,const char * transport_security_type)250 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
251 const tsi_peer* peer, const char* transport_security_type) {
252 size_t i;
253 const char* peer_identity_property_name = nullptr;
254
255 // The caller has checked the certificate type property.
256 CHECK_GE(peer->property_count, 1u);
257 grpc_core::RefCountedPtr<grpc_auth_context> ctx =
258 grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
259 grpc_auth_context_add_cstring_property(
260 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
261 transport_security_type);
262 const char* spiffe_data = nullptr;
263 size_t spiffe_length = 0;
264 int uri_count = 0;
265 bool has_spiffe_id = false;
266 for (i = 0; i < peer->property_count; i++) {
267 const tsi_peer_property* prop = &peer->properties[i];
268 if (prop->name == nullptr) continue;
269 if (strcmp(prop->name, TSI_X509_SUBJECT_PEER_PROPERTY) == 0) {
270 grpc_auth_context_add_property(ctx.get(), GRPC_X509_SUBJECT_PROPERTY_NAME,
271 prop->value.data, prop->value.length);
272 } else if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) ==
273 0) {
274 // If there is no subject alt name, have the CN as the identity.
275 if (peer_identity_property_name == nullptr) {
276 peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
277 }
278 grpc_auth_context_add_property(ctx.get(), GRPC_X509_CN_PROPERTY_NAME,
279 prop->value.data, prop->value.length);
280 } else if (strcmp(prop->name,
281 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
282 peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
283 grpc_auth_context_add_property(ctx.get(), GRPC_X509_SAN_PROPERTY_NAME,
284 prop->value.data, prop->value.length);
285 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
286 grpc_auth_context_add_property(ctx.get(),
287 GRPC_X509_PEM_CERT_PROPERTY_NAME,
288 prop->value.data, prop->value.length);
289 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_CHAIN_PROPERTY) == 0) {
290 grpc_auth_context_add_property(ctx.get(),
291 GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME,
292 prop->value.data, prop->value.length);
293 } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
294 grpc_auth_context_add_property(ctx.get(),
295 GRPC_SSL_SESSION_REUSED_PROPERTY,
296 prop->value.data, prop->value.length);
297 } else if (strcmp(prop->name, TSI_SECURITY_LEVEL_PEER_PROPERTY) == 0) {
298 grpc_auth_context_add_property(
299 ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
300 prop->value.data, prop->value.length);
301 } else if (strcmp(prop->name, TSI_X509_DNS_PEER_PROPERTY) == 0) {
302 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_DNS_PROPERTY_NAME,
303 prop->value.data, prop->value.length);
304 } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
305 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_URI_PROPERTY_NAME,
306 prop->value.data, prop->value.length);
307 uri_count++;
308 absl::string_view spiffe_id(prop->value.data, prop->value.length);
309 if (IsSpiffeId(spiffe_id)) {
310 spiffe_data = prop->value.data;
311 spiffe_length = prop->value.length;
312 has_spiffe_id = true;
313 }
314 } else if (strcmp(prop->name, TSI_X509_EMAIL_PEER_PROPERTY) == 0) {
315 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_EMAIL_PROPERTY_NAME,
316 prop->value.data, prop->value.length);
317 } else if (strcmp(prop->name, TSI_X509_IP_PEER_PROPERTY) == 0) {
318 grpc_auth_context_add_property(ctx.get(), GRPC_PEER_IP_PROPERTY_NAME,
319 prop->value.data, prop->value.length);
320 }
321 }
322 if (peer_identity_property_name != nullptr) {
323 CHECK(grpc_auth_context_set_peer_identity_property_name(
324 ctx.get(), peer_identity_property_name) == 1);
325 }
326 // A valid SPIFFE certificate can only have exact one URI SAN field.
327 if (has_spiffe_id) {
328 if (uri_count == 1) {
329 CHECK_GT(spiffe_length, 0u);
330 CHECK_NE(spiffe_data, nullptr);
331 grpc_auth_context_add_property(ctx.get(),
332 GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
333 spiffe_data, spiffe_length);
334 } else {
335 GRPC_TRACE_LOG(tsi, INFO) << "Invalid SPIFFE ID: multiple URI SANs.";
336 }
337 }
338 return ctx;
339 }
340
add_shallow_auth_property_to_peer(tsi_peer * peer,const grpc_auth_property * prop,const char * tsi_prop_name)341 static void add_shallow_auth_property_to_peer(tsi_peer* peer,
342 const grpc_auth_property* prop,
343 const char* tsi_prop_name) {
344 tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
345 tsi_prop->name = const_cast<char*>(tsi_prop_name);
346 tsi_prop->value.data = prop->value;
347 tsi_prop->value.length = prop->value_length;
348 }
349
grpc_shallow_peer_from_ssl_auth_context(const grpc_auth_context * auth_context)350 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
351 const grpc_auth_context* auth_context) {
352 size_t max_num_props = 0;
353 grpc_auth_property_iterator it;
354 const grpc_auth_property* prop;
355 tsi_peer peer;
356 memset(&peer, 0, sizeof(peer));
357
358 it = grpc_auth_context_property_iterator(auth_context);
359 while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
360
361 if (max_num_props > 0) {
362 peer.properties = static_cast<tsi_peer_property*>(
363 gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
364 it = grpc_auth_context_property_iterator(auth_context);
365 while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
366 if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
367 add_shallow_auth_property_to_peer(
368 &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
369 } else if (strcmp(prop->name, GRPC_X509_SUBJECT_PROPERTY_NAME) == 0) {
370 add_shallow_auth_property_to_peer(&peer, prop,
371 TSI_X509_SUBJECT_PEER_PROPERTY);
372 } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
373 add_shallow_auth_property_to_peer(
374 &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
375 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
376 add_shallow_auth_property_to_peer(&peer, prop,
377 TSI_X509_PEM_CERT_PROPERTY);
378 } else if (strcmp(prop->name,
379 GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME) == 0) {
380 add_shallow_auth_property_to_peer(&peer, prop,
381 TSI_SECURITY_LEVEL_PEER_PROPERTY);
382 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_CHAIN_PROPERTY_NAME) ==
383 0) {
384 add_shallow_auth_property_to_peer(&peer, prop,
385 TSI_X509_PEM_CERT_CHAIN_PROPERTY);
386 } else if (strcmp(prop->name, GRPC_PEER_DNS_PROPERTY_NAME) == 0) {
387 add_shallow_auth_property_to_peer(&peer, prop,
388 TSI_X509_DNS_PEER_PROPERTY);
389 } else if (strcmp(prop->name, GRPC_PEER_URI_PROPERTY_NAME) == 0) {
390 add_shallow_auth_property_to_peer(&peer, prop,
391 TSI_X509_URI_PEER_PROPERTY);
392 } else if (strcmp(prop->name, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME) == 0) {
393 add_shallow_auth_property_to_peer(&peer, prop,
394 TSI_X509_URI_PEER_PROPERTY);
395 } else if (strcmp(prop->name, GRPC_PEER_EMAIL_PROPERTY_NAME) == 0) {
396 add_shallow_auth_property_to_peer(&peer, prop,
397 TSI_X509_EMAIL_PEER_PROPERTY);
398 } else if (strcmp(prop->name, GRPC_PEER_IP_PROPERTY_NAME) == 0) {
399 add_shallow_auth_property_to_peer(&peer, prop,
400 TSI_X509_IP_PEER_PROPERTY);
401 }
402 }
403 }
404 return peer;
405 }
406
grpc_shallow_peer_destruct(tsi_peer * peer)407 void grpc_shallow_peer_destruct(tsi_peer* peer) {
408 if (peer->properties != nullptr) gpr_free(peer->properties);
409 }
410
grpc_ssl_tsi_client_handshaker_factory_init(tsi_ssl_pem_key_cert_pair * pem_key_cert_pair,const char * pem_root_certs,bool skip_server_certificate_verification,tsi_tls_version min_tls_version,tsi_tls_version max_tls_version,tsi_ssl_session_cache * ssl_session_cache,tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger * tls_session_key_logger,const char * crl_directory,std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,tsi_ssl_client_handshaker_factory ** handshaker_factory)411 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
412 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
413 bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
414 tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
415 tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
416 const char* crl_directory,
417 std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
418 tsi_ssl_client_handshaker_factory** handshaker_factory) {
419 const char* root_certs;
420 const tsi_ssl_root_certs_store* root_store;
421 if (pem_root_certs == nullptr && !skip_server_certificate_verification) {
422 GRPC_TRACE_LOG(tsi, INFO)
423 << "No root certificates specified; use ones stored in system "
424 "default locations instead";
425 // Use default root certificates.
426 root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
427 if (root_certs == nullptr) {
428 LOG(ERROR) << "Could not get default pem root certs.";
429 return GRPC_SECURITY_ERROR;
430 }
431 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
432 } else {
433 root_certs = pem_root_certs;
434 root_store = nullptr;
435 }
436 bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
437 pem_key_cert_pair->private_key != nullptr &&
438 pem_key_cert_pair->cert_chain != nullptr;
439 tsi_ssl_client_handshaker_options options;
440 options.pem_root_certs = root_certs;
441 options.root_store = root_store;
442 options.alpn_protocols =
443 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
444 if (has_key_cert_pair) {
445 options.pem_key_cert_pair = pem_key_cert_pair;
446 }
447 options.cipher_suites = grpc_get_ssl_cipher_suites();
448 options.session_cache = ssl_session_cache;
449 options.key_logger = tls_session_key_logger;
450 options.skip_server_certificate_verification =
451 skip_server_certificate_verification;
452 options.min_tls_version = min_tls_version;
453 options.max_tls_version = max_tls_version;
454 options.crl_directory = crl_directory;
455 options.crl_provider = std::move(crl_provider);
456 const tsi_result result =
457 tsi_create_ssl_client_handshaker_factory_with_options(&options,
458 handshaker_factory);
459 gpr_free(options.alpn_protocols);
460 if (result != TSI_OK) {
461 LOG(ERROR) << "Handshaker factory creation failed with "
462 << tsi_result_to_string(result);
463 return GRPC_SECURITY_ERROR;
464 }
465 return GRPC_SECURITY_OK;
466 }
467
grpc_ssl_tsi_server_handshaker_factory_init(tsi_ssl_pem_key_cert_pair * pem_key_cert_pairs,size_t num_key_cert_pairs,const char * pem_root_certs,grpc_ssl_client_certificate_request_type client_certificate_request,tsi_tls_version min_tls_version,tsi_tls_version max_tls_version,tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger * tls_session_key_logger,const char * crl_directory,bool send_client_ca_list,std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,tsi_ssl_server_handshaker_factory ** handshaker_factory)468 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
469 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
470 const char* pem_root_certs,
471 grpc_ssl_client_certificate_request_type client_certificate_request,
472 tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
473 tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger* tls_session_key_logger,
474 const char* crl_directory, bool send_client_ca_list,
475 std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider,
476 tsi_ssl_server_handshaker_factory** handshaker_factory) {
477 size_t num_alpn_protocols = 0;
478 const char** alpn_protocol_strings =
479 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
480 tsi_ssl_server_handshaker_options options;
481 options.pem_key_cert_pairs = pem_key_cert_pairs;
482 options.num_key_cert_pairs = num_key_cert_pairs;
483 options.pem_client_root_certs = pem_root_certs;
484 options.client_certificate_request =
485 grpc_get_tsi_client_certificate_request_type(client_certificate_request);
486 options.cipher_suites = grpc_get_ssl_cipher_suites();
487 options.alpn_protocols = alpn_protocol_strings;
488 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
489 options.min_tls_version = min_tls_version;
490 options.max_tls_version = max_tls_version;
491 options.key_logger = tls_session_key_logger;
492 options.crl_directory = crl_directory;
493 options.crl_provider = std::move(crl_provider);
494 options.send_client_ca_list = send_client_ca_list;
495 const tsi_result result =
496 tsi_create_ssl_server_handshaker_factory_with_options(&options,
497 handshaker_factory);
498 gpr_free(alpn_protocol_strings);
499 if (result != TSI_OK) {
500 LOG(ERROR) << "Handshaker factory creation failed with "
501 << tsi_result_to_string(result);
502 return GRPC_SECURITY_ERROR;
503 }
504 return GRPC_SECURITY_OK;
505 }
506
507 // --- Ssl cache implementation. ---
508
grpc_ssl_session_cache_create_lru(size_t capacity)509 grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
510 tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
511 return reinterpret_cast<grpc_ssl_session_cache*>(cache);
512 }
513
grpc_ssl_session_cache_destroy(grpc_ssl_session_cache * cache)514 void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
515 tsi_ssl_session_cache* tsi_cache =
516 reinterpret_cast<tsi_ssl_session_cache*>(cache);
517 tsi_ssl_session_cache_unref(tsi_cache);
518 }
519
grpc_ssl_session_cache_arg_copy(void * p)520 static void* grpc_ssl_session_cache_arg_copy(void* p) {
521 tsi_ssl_session_cache* tsi_cache =
522 reinterpret_cast<tsi_ssl_session_cache*>(p);
523 // destroy call below will unref the pointer.
524 tsi_ssl_session_cache_ref(tsi_cache);
525 return p;
526 }
527
grpc_ssl_session_cache_arg_destroy(void * p)528 static void grpc_ssl_session_cache_arg_destroy(void* p) {
529 tsi_ssl_session_cache* tsi_cache =
530 reinterpret_cast<tsi_ssl_session_cache*>(p);
531 tsi_ssl_session_cache_unref(tsi_cache);
532 }
533
grpc_ssl_session_cache_arg_cmp(void * p,void * q)534 static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
535 return grpc_core::QsortCompare(p, q);
536 }
537
grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache * cache)538 grpc_arg grpc_ssl_session_cache_create_channel_arg(
539 grpc_ssl_session_cache* cache) {
540 static const grpc_arg_pointer_vtable vtable = {
541 grpc_ssl_session_cache_arg_copy,
542 grpc_ssl_session_cache_arg_destroy,
543 grpc_ssl_session_cache_arg_cmp,
544 };
545 return grpc_channel_arg_pointer_create(
546 const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
547 }
548
549 // --- Default SSL root store implementation. ---
550
551 namespace grpc_core {
552
553 tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
554 grpc_slice DefaultSslRootStore::default_pem_root_certs_;
555
GetRootStore()556 const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
557 InitRootStore();
558 return default_root_store_;
559 }
560
GetPemRootCerts()561 const char* DefaultSslRootStore::GetPemRootCerts() {
562 InitRootStore();
563 return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
564 ? nullptr
565 : reinterpret_cast<const char*>
566 GRPC_SLICE_START_PTR(default_pem_root_certs_);
567 }
568
ComputePemRootCerts()569 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
570 Slice result;
571 // First try to load the roots from the configuration.
572 std::string default_root_certs_path =
573 ConfigVars::Get().DefaultSslRootsFilePath();
574 if (!default_root_certs_path.empty()) {
575 auto slice =
576 LoadFile(default_root_certs_path, /*add_null_terminator=*/true);
577 if (!slice.ok()) {
578 LOG(ERROR) << "error loading file " << default_root_certs_path << ": "
579 << slice.status();
580 } else {
581 result = std::move(*slice);
582 }
583 }
584 // Try overridden roots if needed.
585 grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
586 if (result.empty() && ssl_roots_override_cb != nullptr) {
587 char* pem_root_certs = nullptr;
588 ovrd_res = ssl_roots_override_cb(&pem_root_certs);
589 if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
590 CHECK_NE(pem_root_certs, nullptr);
591 result = Slice::FromCopiedBuffer(
592 pem_root_certs,
593 strlen(pem_root_certs) + 1); // nullptr terminator.
594 }
595 gpr_free(pem_root_certs);
596 }
597 // Try loading roots from OS trust store if flag is enabled.
598 if (result.empty() && !ConfigVars::Get().NotUseSystemSslRoots()) {
599 result = Slice(LoadSystemRootCerts());
600 }
601 // Fallback to roots manually shipped with gRPC.
602 if (result.empty() && ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
603 auto slice = LoadFile(installed_roots_path, /*add_null_terminator=*/true);
604 if (!slice.ok()) {
605 LOG(ERROR) << "error loading file " << installed_roots_path << ": "
606 << slice.status();
607 } else {
608 result = std::move(*slice);
609 }
610 }
611 return result.TakeCSlice();
612 }
613
InitRootStore()614 void DefaultSslRootStore::InitRootStore() {
615 static gpr_once once = GPR_ONCE_INIT;
616 gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
617 }
618
InitRootStoreOnce()619 void DefaultSslRootStore::InitRootStoreOnce() {
620 default_pem_root_certs_ = ComputePemRootCerts();
621 if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
622 default_root_store_ =
623 tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
624 GRPC_SLICE_START_PTR(default_pem_root_certs_)));
625 }
626 }
627
628 } // namespace grpc_core
629