1 // 2 // 3 // Copyright 2018 gRPC authors. 4 // 5 // Licensed under the Apache License, Version 2.0 (the "License"); 6 // you may not use this file except in compliance with the License. 7 // You may obtain a copy of the License at 8 // 9 // http://www.apache.org/licenses/LICENSE-2.0 10 // 11 // Unless required by applicable law or agreed to in writing, software 12 // distributed under the License is distributed on an "AS IS" BASIS, 13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 // See the License for the specific language governing permissions and 15 // limitations under the License. 16 // 17 // 18 19 #ifndef GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 20 #define GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 21 22 #include <grpc/credentials.h> 23 #include <grpc/grpc.h> 24 #include <grpc/grpc_security.h> 25 #include <grpc/support/port_platform.h> 26 27 #include <map> 28 #include <string> 29 30 #include "absl/base/thread_annotations.h" 31 #include "absl/status/status.h" 32 #include "absl/strings/string_view.h" 33 #include "absl/types/optional.h" 34 #include "src/core/handshaker/handshaker.h" 35 #include "src/core/lib/channel/channel_args.h" 36 #include "src/core/lib/iomgr/closure.h" 37 #include "src/core/lib/iomgr/endpoint.h" 38 #include "src/core/lib/iomgr/error.h" 39 #include "src/core/lib/iomgr/iomgr_fwd.h" 40 #include "src/core/lib/promise/arena_promise.h" 41 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h" 42 #include "src/core/lib/security/security_connector/security_connector.h" 43 #include "src/core/lib/security/security_connector/ssl_utils.h" 44 #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h" 45 #include "src/core/tsi/ssl_transport_security.h" 46 #include "src/core/tsi/transport_security_interface.h" 47 #include "src/core/util/ref_counted_ptr.h" 48 #include "src/core/util/sync.h" 49 50 using TlsSessionKeyLogger = tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger; 51 52 namespace grpc_core { 53 54 // Channel security connector using TLS as transport security protocol. 55 class TlsChannelSecurityConnector final 56 : public grpc_channel_security_connector { 57 public: 58 // static factory method to create a TLS channel security connector. 59 static RefCountedPtr<grpc_channel_security_connector> 60 CreateTlsChannelSecurityConnector( 61 RefCountedPtr<grpc_channel_credentials> channel_creds, 62 RefCountedPtr<grpc_tls_credentials_options> options, 63 RefCountedPtr<grpc_call_credentials> request_metadata_creds, 64 const char* target_name, const char* overridden_target_name, 65 tsi_ssl_session_cache* ssl_session_cache); 66 67 TlsChannelSecurityConnector( 68 RefCountedPtr<grpc_channel_credentials> channel_creds, 69 RefCountedPtr<grpc_tls_credentials_options> options, 70 RefCountedPtr<grpc_call_credentials> request_metadata_creds, 71 const char* target_name, const char* overridden_target_name, 72 tsi_ssl_session_cache* ssl_session_cache); 73 74 ~TlsChannelSecurityConnector() override; 75 76 void add_handshakers(const ChannelArgs& args, 77 grpc_pollset_set* interested_parties, 78 HandshakeManager* handshake_mgr) override; 79 80 void check_peer(tsi_peer peer, grpc_endpoint* ep, const ChannelArgs& /*args*/, 81 RefCountedPtr<grpc_auth_context>* auth_context, 82 grpc_closure* on_peer_checked) override; 83 84 void cancel_check_peer(grpc_closure* on_peer_checked, 85 grpc_error_handle error) override; 86 87 int cmp(const grpc_security_connector* other_sc) const override; 88 89 ArenaPromise<absl::Status> CheckCallHost( 90 absl::string_view host, grpc_auth_context* auth_context) override; 91 ClientHandshakerFactoryForTesting()92 tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() { 93 MutexLock lock(&mu_); 94 return client_handshaker_factory_; 95 }; 96 RootCertsForTesting()97 absl::optional<absl::string_view> RootCertsForTesting() { 98 MutexLock lock(&mu_); 99 return pem_root_certs_; 100 } 101 KeyCertPairListForTesting()102 absl::optional<PemKeyCertPairList> KeyCertPairListForTesting() { 103 MutexLock lock(&mu_); 104 return pem_key_cert_pair_list_; 105 } 106 107 private: 108 // A watcher that watches certificate updates from 109 // grpc_tls_certificate_distributor. It will never outlive 110 // |security_connector_|. 111 class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor:: 112 TlsCertificatesWatcherInterface { 113 public: TlsChannelCertificateWatcher(TlsChannelSecurityConnector * security_connector)114 explicit TlsChannelCertificateWatcher( 115 TlsChannelSecurityConnector* security_connector) 116 : security_connector_(security_connector) {} 117 void OnCertificatesChanged( 118 absl::optional<absl::string_view> root_certs, 119 absl::optional<PemKeyCertPairList> key_cert_pairs) override; 120 void OnError(grpc_error_handle root_cert_error, 121 grpc_error_handle identity_cert_error) override; 122 123 private: 124 TlsChannelSecurityConnector* security_connector_ = nullptr; 125 }; 126 127 // Use "new" to create a new instance, and no need to delete it later, since 128 // it will be self-destroyed in |OnVerifyDone|. 129 class ChannelPendingVerifierRequest { 130 public: 131 ChannelPendingVerifierRequest( 132 RefCountedPtr<TlsChannelSecurityConnector> security_connector, 133 grpc_closure* on_peer_checked, tsi_peer peer, const char* target_name); 134 135 ~ChannelPendingVerifierRequest(); 136 137 void Start(); 138 request()139 grpc_tls_custom_verification_check_request* request() { return &request_; } 140 141 private: 142 void OnVerifyDone(bool run_callback_inline, absl::Status status); 143 // The request will keep a reference of the security connector to make sure 144 // it won't be destroyed while the request is still ongoing. 145 RefCountedPtr<TlsChannelSecurityConnector> security_connector_; 146 grpc_tls_custom_verification_check_request request_; 147 grpc_closure* on_peer_checked_; 148 }; 149 150 // Updates |client_handshaker_factory_| when the certificates that 151 // |certificate_watcher_| is watching get updated. 152 grpc_security_status UpdateHandshakerFactoryLocked() 153 ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_); 154 155 Mutex mu_; 156 // We need a separate mutex for |pending_verifier_requests_|, otherwise there 157 // would be deadlock errors. 158 Mutex verifier_request_map_mu_; 159 RefCountedPtr<grpc_tls_credentials_options> options_; 160 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 161 certificate_watcher_ = nullptr; 162 std::string target_name_; 163 std::string overridden_target_name_; 164 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ 165 ABSL_GUARDED_BY(mu_) = nullptr; 166 tsi_ssl_session_cache* ssl_session_cache_ ABSL_GUARDED_BY(mu_) = nullptr; 167 RefCountedPtr<TlsSessionKeyLogger> tls_session_key_logger_; 168 absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_); 169 absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_ 170 ABSL_GUARDED_BY(mu_); 171 std::map<grpc_closure* /*on_peer_checked*/, ChannelPendingVerifierRequest*> 172 pending_verifier_requests_ ABSL_GUARDED_BY(verifier_request_map_mu_); 173 }; 174 175 // Server security connector using TLS as transport security protocol. 176 class TlsServerSecurityConnector final : public grpc_server_security_connector { 177 public: 178 // static factory method to create a TLS server security connector. 179 static RefCountedPtr<grpc_server_security_connector> 180 CreateTlsServerSecurityConnector( 181 RefCountedPtr<grpc_server_credentials> server_creds, 182 RefCountedPtr<grpc_tls_credentials_options> options); 183 184 TlsServerSecurityConnector( 185 RefCountedPtr<grpc_server_credentials> server_creds, 186 RefCountedPtr<grpc_tls_credentials_options> options); 187 ~TlsServerSecurityConnector() override; 188 189 void add_handshakers(const ChannelArgs& args, 190 grpc_pollset_set* interested_parties, 191 HandshakeManager* handshake_mgr) override; 192 193 void check_peer(tsi_peer peer, grpc_endpoint* ep, const ChannelArgs& /*args*/, 194 RefCountedPtr<grpc_auth_context>* auth_context, 195 grpc_closure* on_peer_checked) override; 196 197 void cancel_check_peer(grpc_closure* /*on_peer_checked*/, 198 grpc_error_handle error) override; 199 200 int cmp(const grpc_security_connector* other) const override; 201 ServerHandshakerFactoryForTesting()202 tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() { 203 MutexLock lock(&mu_); 204 return server_handshaker_factory_; 205 }; 206 RootCertsForTesting()207 absl::optional<absl::string_view> RootCertsForTesting() { 208 MutexLock lock(&mu_); 209 return pem_root_certs_; 210 } 211 KeyCertPairListForTesting()212 absl::optional<PemKeyCertPairList> KeyCertPairListForTesting() { 213 MutexLock lock(&mu_); 214 return pem_key_cert_pair_list_; 215 } 216 217 private: 218 // A watcher that watches certificate updates from 219 // grpc_tls_certificate_distributor. It will never outlive 220 // |security_connector_|. 221 class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor:: 222 TlsCertificatesWatcherInterface { 223 public: TlsServerCertificateWatcher(TlsServerSecurityConnector * security_connector)224 explicit TlsServerCertificateWatcher( 225 TlsServerSecurityConnector* security_connector) 226 : security_connector_(security_connector) {} 227 void OnCertificatesChanged( 228 absl::optional<absl::string_view> root_certs, 229 absl::optional<PemKeyCertPairList> key_cert_pairs) override; 230 231 void OnError(grpc_error_handle root_cert_error, 232 grpc_error_handle identity_cert_error) override; 233 234 private: 235 TlsServerSecurityConnector* security_connector_ = nullptr; 236 }; 237 238 // Use "new" to create a new instance, and no need to delete it later, since 239 // it will be self-destroyed in |OnVerifyDone|. 240 class ServerPendingVerifierRequest { 241 public: 242 ServerPendingVerifierRequest( 243 RefCountedPtr<TlsServerSecurityConnector> security_connector, 244 grpc_closure* on_peer_checked, tsi_peer peer); 245 246 ~ServerPendingVerifierRequest(); 247 248 void Start(); 249 request()250 grpc_tls_custom_verification_check_request* request() { return &request_; } 251 252 private: 253 void OnVerifyDone(bool run_callback_inline, absl::Status status); 254 // The request will keep a reference of the security connector to make sure 255 // it won't be destroyed while the request is still ongoing. 256 RefCountedPtr<TlsServerSecurityConnector> security_connector_; 257 grpc_tls_custom_verification_check_request request_; 258 grpc_closure* on_peer_checked_; 259 }; 260 261 // Updates |server_handshaker_factory_| when the certificates that 262 // |certificate_watcher_| is watching get updated. 263 grpc_security_status UpdateHandshakerFactoryLocked() 264 ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_); 265 266 Mutex mu_; 267 // We need a separate mutex for |pending_verifier_requests_|, otherwise there 268 // would be deadlock errors. 269 Mutex verifier_request_map_mu_; 270 RefCountedPtr<grpc_tls_credentials_options> options_; 271 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 272 certificate_watcher_ = nullptr; 273 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ 274 ABSL_GUARDED_BY(mu_) = nullptr; 275 absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_); 276 absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_ 277 ABSL_GUARDED_BY(mu_); 278 RefCountedPtr<TlsSessionKeyLogger> tls_session_key_logger_; 279 std::map<grpc_closure* /*on_peer_checked*/, ServerPendingVerifierRequest*> 280 pending_verifier_requests_ ABSL_GUARDED_BY(verifier_request_map_mu_); 281 }; 282 283 } // namespace grpc_core 284 285 #endif // GRPC_SRC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 286