1 /* 2 * 3 * Copyright 2018 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include "src/core/lib/gprpp/sync.h" 25 #include "src/core/lib/security/context/security_context.h" 26 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h" 27 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" 28 29 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls" 30 31 namespace grpc_core { 32 33 // Channel security connector using TLS as transport security protocol. 34 class TlsChannelSecurityConnector final 35 : public grpc_channel_security_connector { 36 public: 37 // static factory method to create a TLS channel security connector. 38 static grpc_core::RefCountedPtr<grpc_channel_security_connector> 39 CreateTlsChannelSecurityConnector( 40 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, 41 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options, 42 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, 43 const char* target_name, const char* overridden_target_name, 44 tsi_ssl_session_cache* ssl_session_cache); 45 46 TlsChannelSecurityConnector( 47 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds, 48 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options, 49 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds, 50 const char* target_name, const char* overridden_target_name, 51 tsi_ssl_session_cache* ssl_session_cache); 52 53 ~TlsChannelSecurityConnector() override; 54 55 void add_handshakers(const grpc_channel_args* args, 56 grpc_pollset_set* interested_parties, 57 grpc_core::HandshakeManager* handshake_mgr) override; 58 59 void check_peer(tsi_peer peer, grpc_endpoint* ep, 60 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, 61 grpc_closure* on_peer_checked) override; 62 63 int cmp(const grpc_security_connector* other_sc) const override; 64 65 bool check_call_host(absl::string_view host, grpc_auth_context* auth_context, 66 grpc_closure* on_call_host_checked, 67 grpc_error** error) override; 68 69 void cancel_check_call_host(grpc_closure* on_call_host_checked, 70 grpc_error* error) override; 71 ClientHandshakerFactoryForTesting()72 tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() { 73 grpc_core::MutexLock lock(&mu_); 74 return client_handshaker_factory_; 75 }; 76 RootCertsForTesting()77 absl::optional<absl::string_view> RootCertsForTesting() { 78 grpc_core::MutexLock lock(&mu_); 79 return pem_root_certs_; 80 } 81 KeyCertPairListForTesting()82 absl::optional<grpc_core::PemKeyCertPairList> KeyCertPairListForTesting() { 83 grpc_core::MutexLock lock(&mu_); 84 return pem_key_cert_pair_list_; 85 } 86 87 private: 88 // A watcher that watches certificate updates from 89 // grpc_tls_certificate_distributor. It will never outlive 90 // |security_connector_|. 91 class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor:: 92 TlsCertificatesWatcherInterface { 93 public: TlsChannelCertificateWatcher(TlsChannelSecurityConnector * security_connector)94 explicit TlsChannelCertificateWatcher( 95 TlsChannelSecurityConnector* security_connector) 96 : security_connector_(security_connector) {} 97 void OnCertificatesChanged( 98 absl::optional<absl::string_view> root_certs, 99 absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override; 100 void OnError(grpc_error* root_cert_error, 101 grpc_error* identity_cert_error) override; 102 103 private: 104 TlsChannelSecurityConnector* security_connector_ = nullptr; 105 }; 106 107 // Updates |client_handshaker_factory_| when the certificates that 108 // |certificate_watcher_| is watching get updated. 109 grpc_security_status UpdateHandshakerFactoryLocked(); 110 111 // gRPC-provided callback executed by application, which servers to bring the 112 // control back to gRPC core. 113 static void ServerAuthorizationCheckDone( 114 grpc_tls_server_authorization_check_arg* arg); 115 116 // A util function to process server authorization check result. 117 static grpc_error* ProcessServerAuthorizationCheckResult( 118 grpc_tls_server_authorization_check_arg* arg); 119 120 // A util function to create a server authorization check arg instance. 121 static grpc_tls_server_authorization_check_arg* 122 ServerAuthorizationCheckArgCreate(void* user_data); 123 124 // A util function to destroy a server authorization check arg instance. 125 static void ServerAuthorizationCheckArgDestroy( 126 grpc_tls_server_authorization_check_arg* arg); 127 128 grpc_core::Mutex mu_; 129 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_; 130 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 131 certificate_watcher_ = nullptr; 132 grpc_closure* on_peer_checked_ = nullptr; 133 std::string target_name_; 134 std::string overridden_target_name_; 135 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr; 136 grpc_tls_server_authorization_check_arg* check_arg_ = nullptr; 137 tsi_ssl_session_cache* ssl_session_cache_ = nullptr; 138 absl::optional<absl::string_view> pem_root_certs_; 139 absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_; 140 }; 141 142 // Server security connector using TLS as transport security protocol. 143 class TlsServerSecurityConnector final : public grpc_server_security_connector { 144 public: 145 // static factory method to create a TLS server security connector. 146 static grpc_core::RefCountedPtr<grpc_server_security_connector> 147 CreateTlsServerSecurityConnector( 148 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds, 149 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options); 150 151 TlsServerSecurityConnector( 152 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds, 153 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options); 154 ~TlsServerSecurityConnector() override; 155 156 void add_handshakers(const grpc_channel_args* args, 157 grpc_pollset_set* interested_parties, 158 grpc_core::HandshakeManager* handshake_mgr) override; 159 160 void check_peer(tsi_peer peer, grpc_endpoint* ep, 161 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context, 162 grpc_closure* on_peer_checked) override; 163 164 int cmp(const grpc_security_connector* other) const override; 165 ServerHandshakerFactoryForTesting()166 tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() { 167 grpc_core::MutexLock lock(&mu_); 168 return server_handshaker_factory_; 169 }; 170 RootCertsForTesting()171 const absl::optional<absl::string_view>& RootCertsForTesting() { 172 grpc_core::MutexLock lock(&mu_); 173 return pem_root_certs_; 174 } 175 176 const absl::optional<grpc_core::PemKeyCertPairList>& KeyCertPairListForTesting()177 KeyCertPairListForTesting() { 178 grpc_core::MutexLock lock(&mu_); 179 return pem_key_cert_pair_list_; 180 } 181 182 private: 183 // A watcher that watches certificate updates from 184 // grpc_tls_certificate_distributor. It will never outlive 185 // |security_connector_|. 186 class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor:: 187 TlsCertificatesWatcherInterface { 188 public: TlsServerCertificateWatcher(TlsServerSecurityConnector * security_connector)189 explicit TlsServerCertificateWatcher( 190 TlsServerSecurityConnector* security_connector) 191 : security_connector_(security_connector) {} 192 void OnCertificatesChanged( 193 absl::optional<absl::string_view> root_certs, 194 absl::optional<grpc_core::PemKeyCertPairList> key_cert_pairs) override; 195 void OnError(grpc_error* root_cert_error, 196 grpc_error* identity_cert_error) override; 197 198 private: 199 TlsServerSecurityConnector* security_connector_ = nullptr; 200 }; 201 202 // Updates |server_handshaker_factory_| when the certificates that 203 // |certificate_watcher_| is watching get updated. 204 grpc_security_status UpdateHandshakerFactoryLocked(); 205 206 grpc_core::Mutex mu_; 207 grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_; 208 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 209 certificate_watcher_ = nullptr; 210 211 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr; 212 absl::optional<absl::string_view> pem_root_certs_; 213 absl::optional<grpc_core::PemKeyCertPairList> pem_key_cert_pair_list_; 214 }; 215 216 // ---- Functions below are exposed for testing only ----------------------- 217 namespace internal { 218 219 // TlsCheckHostName checks if |peer_name| matches the identity information 220 // contained in |peer|. This is AKA hostname check. 221 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer); 222 223 } // namespace internal 224 225 } // namespace grpc_core 226 227 #endif // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 228