1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
22
23 #include <stdbool.h>
24 #include <string.h>
25
26 #include "absl/strings/str_cat.h"
27 #include "absl/strings/string_view.h"
28
29 #include <grpc/grpc.h>
30 #include <grpc/support/alloc.h>
31 #include <grpc/support/log.h>
32 #include <grpc/support/string_util.h>
33
34 #include "src/core/lib/gprpp/host_port.h"
35 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
36 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
37 #include "src/core/lib/security/security_connector/ssl_utils.h"
38 #include "src/core/lib/security/transport/security_handshaker.h"
39 #include "src/core/lib/slice/slice_internal.h"
40 #include "src/core/lib/transport/transport.h"
41 #include "src/core/tsi/ssl_transport_security.h"
42 #include "src/core/tsi/transport_security.h"
43
44 namespace grpc_core {
45
46 namespace {
47
ConvertToTsiPemKeyCertPair(const PemKeyCertPairList & cert_pair_list)48 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
49 const PemKeyCertPairList& cert_pair_list) {
50 tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
51 size_t num_key_cert_pairs = cert_pair_list.size();
52 if (num_key_cert_pairs > 0) {
53 GPR_ASSERT(cert_pair_list.data() != nullptr);
54 tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
55 gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
56 }
57 for (size_t i = 0; i < num_key_cert_pairs; i++) {
58 GPR_ASSERT(!cert_pair_list[i].private_key().empty());
59 GPR_ASSERT(!cert_pair_list[i].cert_chain().empty());
60 tsi_pairs[i].cert_chain =
61 gpr_strdup(cert_pair_list[i].cert_chain().c_str());
62 tsi_pairs[i].private_key =
63 gpr_strdup(cert_pair_list[i].private_key().c_str());
64 }
65 return tsi_pairs;
66 }
67
68 } // namespace
69
70 // -------------------channel security connector-------------------
71 RefCountedPtr<grpc_channel_security_connector>
CreateTlsChannelSecurityConnector(RefCountedPtr<grpc_channel_credentials> channel_creds,RefCountedPtr<grpc_tls_credentials_options> options,RefCountedPtr<grpc_call_credentials> request_metadata_creds,const char * target_name,const char * overridden_target_name,tsi_ssl_session_cache * ssl_session_cache)72 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
73 RefCountedPtr<grpc_channel_credentials> channel_creds,
74 RefCountedPtr<grpc_tls_credentials_options> options,
75 RefCountedPtr<grpc_call_credentials> request_metadata_creds,
76 const char* target_name, const char* overridden_target_name,
77 tsi_ssl_session_cache* ssl_session_cache) {
78 if (channel_creds == nullptr) {
79 gpr_log(GPR_ERROR,
80 "channel_creds is nullptr in "
81 "TlsChannelSecurityConnectorCreate()");
82 return nullptr;
83 }
84 if (options == nullptr) {
85 gpr_log(GPR_ERROR,
86 "options is nullptr in "
87 "TlsChannelSecurityConnectorCreate()");
88 return nullptr;
89 }
90 if (target_name == nullptr) {
91 gpr_log(GPR_ERROR,
92 "target_name is nullptr in "
93 "TlsChannelSecurityConnectorCreate()");
94 return nullptr;
95 }
96 return MakeRefCounted<TlsChannelSecurityConnector>(
97 std::move(channel_creds), std::move(options),
98 std::move(request_metadata_creds), target_name, overridden_target_name,
99 ssl_session_cache);
100 }
101
TlsChannelSecurityConnector(RefCountedPtr<grpc_channel_credentials> channel_creds,RefCountedPtr<grpc_tls_credentials_options> options,RefCountedPtr<grpc_call_credentials> request_metadata_creds,const char * target_name,const char * overridden_target_name,tsi_ssl_session_cache * ssl_session_cache)102 TlsChannelSecurityConnector::TlsChannelSecurityConnector(
103 RefCountedPtr<grpc_channel_credentials> channel_creds,
104 RefCountedPtr<grpc_tls_credentials_options> options,
105 RefCountedPtr<grpc_call_credentials> request_metadata_creds,
106 const char* target_name, const char* overridden_target_name,
107 tsi_ssl_session_cache* ssl_session_cache)
108 : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
109 std::move(channel_creds),
110 std::move(request_metadata_creds)),
111 options_(std::move(options)),
112 overridden_target_name_(
113 overridden_target_name == nullptr ? "" : overridden_target_name),
114 ssl_session_cache_(ssl_session_cache) {
115 if (ssl_session_cache_ != nullptr) {
116 tsi_ssl_session_cache_ref(ssl_session_cache_);
117 }
118 check_arg_ = ServerAuthorizationCheckArgCreate(this);
119 absl::string_view host;
120 absl::string_view port;
121 SplitHostPort(target_name, &host, &port);
122 target_name_ = std::string(host);
123 // Create a watcher.
124 auto watcher_ptr = absl::make_unique<TlsChannelCertificateWatcher>(this);
125 certificate_watcher_ = watcher_ptr.get();
126 // Register the watcher with the distributor.
127 grpc_tls_certificate_distributor* distributor =
128 options_->certificate_distributor();
129 absl::optional<std::string> watched_root_cert_name;
130 if (options_->watch_root_cert()) {
131 watched_root_cert_name = options_->root_cert_name();
132 }
133 absl::optional<std::string> watched_identity_cert_name;
134 if (options_->watch_identity_pair()) {
135 watched_identity_cert_name = options_->identity_cert_name();
136 }
137 // We will use the root certs stored in system default locations if not
138 // watching root certs on the client side. We will handle this case
139 // differently here, because "watching a default roots without the identity
140 // certs" is a valid case(and hence we will need to call
141 // OnCertificatesChanged), but it requires nothing from the provider, and
142 // hence no need to register the watcher.
143 bool use_default_roots = !options_->watch_root_cert();
144 if (use_default_roots && !options_->watch_identity_pair()) {
145 watcher_ptr->OnCertificatesChanged(absl::nullopt, absl::nullopt);
146 } else {
147 distributor->WatchTlsCertificates(std::move(watcher_ptr),
148 watched_root_cert_name,
149 watched_identity_cert_name);
150 }
151 }
152
~TlsChannelSecurityConnector()153 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
154 if (ssl_session_cache_ != nullptr) {
155 tsi_ssl_session_cache_unref(ssl_session_cache_);
156 }
157 // Cancel all the watchers.
158 grpc_tls_certificate_distributor* distributor =
159 options_->certificate_distributor();
160 if (distributor != nullptr) {
161 distributor->CancelTlsCertificatesWatch(certificate_watcher_);
162 }
163 if (client_handshaker_factory_ != nullptr) {
164 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
165 }
166 if (check_arg_ != nullptr) {
167 ServerAuthorizationCheckArgDestroy(check_arg_);
168 }
169 }
170
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,HandshakeManager * handshake_mgr)171 void TlsChannelSecurityConnector::add_handshakers(
172 const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
173 HandshakeManager* handshake_mgr) {
174 MutexLock lock(&mu_);
175 if (client_handshaker_factory_ != nullptr) {
176 // Instantiate TSI handshaker.
177 tsi_handshaker* tsi_hs = nullptr;
178 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
179 client_handshaker_factory_,
180 overridden_target_name_.empty() ? target_name_.c_str()
181 : overridden_target_name_.c_str(),
182 &tsi_hs);
183 if (result != TSI_OK) {
184 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
185 tsi_result_to_string(result));
186 return;
187 }
188 // Create handshakers.
189 handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args));
190 return;
191 }
192 // TODO(ZhenLian): Implement the logic(delegation to
193 // BlockOnInitialCredentialHandshaker) when certificates are not ready.
194 gpr_log(GPR_ERROR, "%s not supported yet.",
195 "Client BlockOnInitialCredentialHandshaker");
196 }
197
check_peer(tsi_peer peer,grpc_endpoint *,RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)198 void TlsChannelSecurityConnector::check_peer(
199 tsi_peer peer, grpc_endpoint* /*ep*/,
200 RefCountedPtr<grpc_auth_context>* auth_context,
201 grpc_closure* on_peer_checked) {
202 const char* target_name = overridden_target_name_.empty()
203 ? target_name_.c_str()
204 : overridden_target_name_.c_str();
205 grpc_error_handle error = grpc_ssl_check_alpn(&peer);
206 if (error != GRPC_ERROR_NONE) {
207 ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
208 tsi_peer_destruct(&peer);
209 return;
210 }
211 *auth_context =
212 grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
213 if (options_->server_verification_option() == GRPC_TLS_SERVER_VERIFICATION) {
214 /* Do the default host name check if specifying the target name. */
215 error = internal::TlsCheckHostName(target_name, &peer);
216 if (error != GRPC_ERROR_NONE) {
217 ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
218 tsi_peer_destruct(&peer);
219 return;
220 }
221 }
222 /* Do the custom server authorization check, if specified by the user. */
223 const grpc_tls_server_authorization_check_config* config =
224 options_->server_authorization_check_config();
225 /* If server authorization config is not null, use it to perform
226 * server authorization check. */
227 if (config != nullptr) {
228 const tsi_peer_property* p =
229 tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
230 if (p == nullptr) {
231 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
232 "Cannot check peer: missing pem cert property.");
233 } else {
234 char* peer_pem = static_cast<char*>(gpr_zalloc(p->value.length + 1));
235 memcpy(peer_pem, p->value.data, p->value.length);
236 GPR_ASSERT(check_arg_ != nullptr);
237 check_arg_->peer_cert = check_arg_->peer_cert == nullptr
238 ? gpr_strdup(peer_pem)
239 : check_arg_->peer_cert;
240 check_arg_->target_name = check_arg_->target_name == nullptr
241 ? gpr_strdup(target_name)
242 : check_arg_->target_name;
243 on_peer_checked_ = on_peer_checked;
244 gpr_free(peer_pem);
245 const tsi_peer_property* chain = tsi_peer_get_property_by_name(
246 &peer, TSI_X509_PEM_CERT_CHAIN_PROPERTY);
247 if (chain != nullptr) {
248 char* peer_pem_chain =
249 static_cast<char*>(gpr_zalloc(chain->value.length + 1));
250 memcpy(peer_pem_chain, chain->value.data, chain->value.length);
251 check_arg_->peer_cert_full_chain =
252 check_arg_->peer_cert_full_chain == nullptr
253 ? gpr_strdup(peer_pem_chain)
254 : check_arg_->peer_cert_full_chain;
255 gpr_free(peer_pem_chain);
256 }
257 // TODO(zhenlian) - This should be cleaned up as part of the custom
258 // verification changes. Fill in the subject alternative names
259 std::vector<char*> subject_alternative_names;
260 for (size_t i = 0; i < peer.property_count; i++) {
261 const tsi_peer_property* prop = &peer.properties[i];
262 if (strcmp(prop->name,
263 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
264 char* san = new char[prop->value.length + 1];
265 memcpy(san, prop->value.data, prop->value.length);
266 san[prop->value.length] = '\0';
267 subject_alternative_names.emplace_back(san);
268 }
269 }
270 if (check_arg_->subject_alternative_names != nullptr) {
271 for (size_t i = 0; i < check_arg_->subject_alternative_names_size;
272 ++i) {
273 delete[] check_arg_->subject_alternative_names[i];
274 }
275 delete[] check_arg_->subject_alternative_names;
276 }
277 check_arg_->subject_alternative_names_size =
278 subject_alternative_names.size();
279 if (subject_alternative_names.empty()) {
280 check_arg_->subject_alternative_names = nullptr;
281 } else {
282 check_arg_->subject_alternative_names =
283 new char*[check_arg_->subject_alternative_names_size];
284 for (size_t i = 0; i < check_arg_->subject_alternative_names_size;
285 ++i) {
286 check_arg_->subject_alternative_names[i] =
287 subject_alternative_names[i];
288 }
289 }
290 int callback_status = config->Schedule(check_arg_);
291 /* Server authorization check is handled asynchronously. */
292 if (callback_status) {
293 tsi_peer_destruct(&peer);
294 return;
295 }
296 /* Server authorization check is handled synchronously. */
297 error = ProcessServerAuthorizationCheckResult(check_arg_);
298 }
299 }
300 ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
301 tsi_peer_destruct(&peer);
302 }
303
cmp(const grpc_security_connector * other_sc) const304 int TlsChannelSecurityConnector::cmp(
305 const grpc_security_connector* other_sc) const {
306 auto* other = reinterpret_cast<const TlsChannelSecurityConnector*>(other_sc);
307 int c = channel_security_connector_cmp(other);
308 if (c != 0) {
309 return c;
310 }
311 return grpc_ssl_cmp_target_name(
312 target_name_.c_str(), other->target_name_.c_str(),
313 overridden_target_name_.c_str(), other->overridden_target_name_.c_str());
314 }
315
check_call_host(absl::string_view host,grpc_auth_context * auth_context,grpc_closure *,grpc_error_handle * error)316 bool TlsChannelSecurityConnector::check_call_host(
317 absl::string_view host, grpc_auth_context* auth_context,
318 grpc_closure* /*on_call_host_checked*/, grpc_error_handle* error) {
319 if (options_->server_verification_option() ==
320 GRPC_TLS_SKIP_HOSTNAME_VERIFICATION ||
321 options_->server_verification_option() ==
322 GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION) {
323 return true;
324 }
325 return grpc_ssl_check_call_host(host, target_name_.c_str(),
326 overridden_target_name_.c_str(), auth_context,
327 error);
328 }
329
cancel_check_call_host(grpc_closure *,grpc_error_handle error)330 void TlsChannelSecurityConnector::cancel_check_call_host(
331 grpc_closure* /*on_call_host_checked*/, grpc_error_handle error) {
332 GRPC_ERROR_UNREF(error);
333 }
334
335 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
OnCertificatesChanged(absl::optional<absl::string_view> root_certs,absl::optional<PemKeyCertPairList> key_cert_pairs)336 OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
337 absl::optional<PemKeyCertPairList> key_cert_pairs) {
338 GPR_ASSERT(security_connector_ != nullptr);
339 MutexLock lock(&security_connector_->mu_);
340 if (root_certs.has_value()) {
341 security_connector_->pem_root_certs_ = root_certs;
342 }
343 if (key_cert_pairs.has_value()) {
344 security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
345 }
346 const bool root_ready = !security_connector_->options_->watch_root_cert() ||
347 security_connector_->pem_root_certs_.has_value();
348 const bool identity_ready =
349 !security_connector_->options_->watch_identity_pair() ||
350 security_connector_->pem_key_cert_pair_list_.has_value();
351 if (root_ready && identity_ready) {
352 if (security_connector_->UpdateHandshakerFactoryLocked() !=
353 GRPC_SECURITY_OK) {
354 gpr_log(GPR_ERROR, "Update handshaker factory failed.");
355 }
356 }
357 }
358
359 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
360 // BlockOnInitialCredentialHandshaker is implemented.
OnError(grpc_error_handle root_cert_error,grpc_error_handle identity_cert_error)361 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError(
362 grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
363 if (root_cert_error != GRPC_ERROR_NONE) {
364 gpr_log(GPR_ERROR,
365 "TlsChannelCertificateWatcher getting root_cert_error: %s",
366 grpc_error_std_string(root_cert_error).c_str());
367 }
368 if (identity_cert_error != GRPC_ERROR_NONE) {
369 gpr_log(GPR_ERROR,
370 "TlsChannelCertificateWatcher getting identity_cert_error: %s",
371 grpc_error_std_string(identity_cert_error).c_str());
372 }
373 GRPC_ERROR_UNREF(root_cert_error);
374 GRPC_ERROR_UNREF(identity_cert_error);
375 }
376
377 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
378 // BlockOnInitialCredentialHandshaker is implemented.
379 grpc_security_status
UpdateHandshakerFactoryLocked()380 TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
381 bool skip_server_certificate_verification =
382 options_->server_verification_option() ==
383 GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION;
384 /* Free the client handshaker factory if exists. */
385 if (client_handshaker_factory_ != nullptr) {
386 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
387 }
388 std::string pem_root_certs;
389 if (pem_root_certs_.has_value()) {
390 // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
391 // std::string and absl::string_view to avoid making another copy here.
392 pem_root_certs = std::string(*pem_root_certs_);
393 }
394 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;
395 if (pem_key_cert_pair_list_.has_value()) {
396 pem_key_cert_pair = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
397 }
398 bool use_default_roots = !options_->watch_root_cert();
399 grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
400 pem_key_cert_pair,
401 pem_root_certs.empty() || use_default_roots ? nullptr
402 : pem_root_certs.c_str(),
403 skip_server_certificate_verification,
404 grpc_get_tsi_tls_version(options_->min_tls_version()),
405 grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
406 &client_handshaker_factory_);
407 /* Free memory. */
408 if (pem_key_cert_pair != nullptr) {
409 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
410 }
411 return status;
412 }
413
ServerAuthorizationCheckDone(grpc_tls_server_authorization_check_arg * arg)414 void TlsChannelSecurityConnector::ServerAuthorizationCheckDone(
415 grpc_tls_server_authorization_check_arg* arg) {
416 GPR_ASSERT(arg != nullptr);
417 ExecCtx exec_ctx;
418 grpc_error_handle error = ProcessServerAuthorizationCheckResult(arg);
419 TlsChannelSecurityConnector* connector =
420 static_cast<TlsChannelSecurityConnector*>(arg->cb_user_data);
421 ExecCtx::Run(DEBUG_LOCATION, connector->on_peer_checked_, error);
422 }
423
424 grpc_error_handle
ProcessServerAuthorizationCheckResult(grpc_tls_server_authorization_check_arg * arg)425 TlsChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
426 grpc_tls_server_authorization_check_arg* arg) {
427 grpc_error_handle error = GRPC_ERROR_NONE;
428 /* Server authorization check is cancelled by caller. */
429 if (arg->status == GRPC_STATUS_CANCELLED) {
430 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
431 absl::StrCat("Server authorization check is cancelled by the caller "
432 "with error: ",
433 arg->error_details->error_details())
434 .c_str());
435 } else if (arg->status == GRPC_STATUS_OK) {
436 /* Server authorization check completed successfully but returned check
437 * failure. */
438 if (!arg->success) {
439 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
440 absl::StrCat("Server authorization check failed with error: ",
441 arg->error_details->error_details())
442 .c_str());
443 }
444 /* Server authorization check did not complete correctly. */
445 } else {
446 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
447 absl::StrCat(
448 "Server authorization check did not finish correctly with error: ",
449 arg->error_details->error_details())
450 .c_str());
451 }
452 return error;
453 }
454
455 grpc_tls_server_authorization_check_arg*
ServerAuthorizationCheckArgCreate(void * user_data)456 TlsChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
457 void* user_data) {
458 grpc_tls_server_authorization_check_arg* arg =
459 new grpc_tls_server_authorization_check_arg();
460 arg->target_name = nullptr;
461 arg->peer_cert = nullptr;
462 arg->peer_cert_full_chain = nullptr;
463 arg->subject_alternative_names = nullptr;
464 arg->subject_alternative_names_size = 0;
465 arg->error_details = new grpc_tls_error_details();
466 arg->cb = ServerAuthorizationCheckDone;
467 arg->cb_user_data = user_data;
468 arg->status = GRPC_STATUS_OK;
469 return arg;
470 }
471
ServerAuthorizationCheckArgDestroy(grpc_tls_server_authorization_check_arg * arg)472 void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
473 grpc_tls_server_authorization_check_arg* arg) {
474 if (arg == nullptr) {
475 return;
476 }
477 gpr_free(const_cast<char*>(arg->target_name));
478 gpr_free(const_cast<char*>(arg->peer_cert));
479 gpr_free(const_cast<char*>(arg->peer_cert_full_chain));
480 for (size_t i = 0; i < arg->subject_alternative_names_size; ++i) {
481 delete[] arg->subject_alternative_names[i];
482 }
483 delete[] arg->subject_alternative_names;
484 delete arg->error_details;
485 if (arg->destroy_context != nullptr) {
486 arg->destroy_context(arg->context);
487 }
488 delete arg;
489 }
490
491 // -------------------server security connector-------------------
492 RefCountedPtr<grpc_server_security_connector>
CreateTlsServerSecurityConnector(RefCountedPtr<grpc_server_credentials> server_creds,RefCountedPtr<grpc_tls_credentials_options> options)493 TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
494 RefCountedPtr<grpc_server_credentials> server_creds,
495 RefCountedPtr<grpc_tls_credentials_options> options) {
496 if (server_creds == nullptr) {
497 gpr_log(GPR_ERROR,
498 "server_creds is nullptr in "
499 "TlsServerSecurityConnectorCreate()");
500 return nullptr;
501 }
502 if (options == nullptr) {
503 gpr_log(GPR_ERROR,
504 "options is nullptr in "
505 "TlsServerSecurityConnectorCreate()");
506 return nullptr;
507 }
508 return MakeRefCounted<TlsServerSecurityConnector>(std::move(server_creds),
509 std::move(options));
510 }
511
TlsServerSecurityConnector(RefCountedPtr<grpc_server_credentials> server_creds,RefCountedPtr<grpc_tls_credentials_options> options)512 TlsServerSecurityConnector::TlsServerSecurityConnector(
513 RefCountedPtr<grpc_server_credentials> server_creds,
514 RefCountedPtr<grpc_tls_credentials_options> options)
515 : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
516 std::move(server_creds)),
517 options_(std::move(options)) {
518 // Create a watcher.
519 auto watcher_ptr = absl::make_unique<TlsServerCertificateWatcher>(this);
520 certificate_watcher_ = watcher_ptr.get();
521 // Register the watcher with the distributor.
522 grpc_tls_certificate_distributor* distributor =
523 options_->certificate_distributor();
524 absl::optional<std::string> watched_root_cert_name;
525 if (options_->watch_root_cert()) {
526 watched_root_cert_name = options_->root_cert_name();
527 }
528 absl::optional<std::string> watched_identity_cert_name;
529 if (options_->watch_identity_pair()) {
530 watched_identity_cert_name = options_->identity_cert_name();
531 }
532 // Server side won't use default system roots at any time.
533 distributor->WatchTlsCertificates(std::move(watcher_ptr),
534 watched_root_cert_name,
535 watched_identity_cert_name);
536 }
537
~TlsServerSecurityConnector()538 TlsServerSecurityConnector::~TlsServerSecurityConnector() {
539 // Cancel all the watchers.
540 grpc_tls_certificate_distributor* distributor =
541 options_->certificate_distributor();
542 distributor->CancelTlsCertificatesWatch(certificate_watcher_);
543 if (server_handshaker_factory_ != nullptr) {
544 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
545 }
546 }
547
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,HandshakeManager * handshake_mgr)548 void TlsServerSecurityConnector::add_handshakers(
549 const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
550 HandshakeManager* handshake_mgr) {
551 MutexLock lock(&mu_);
552 if (server_handshaker_factory_ != nullptr) {
553 // Instantiate TSI handshaker.
554 tsi_handshaker* tsi_hs = nullptr;
555 tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
556 server_handshaker_factory_, &tsi_hs);
557 if (result != TSI_OK) {
558 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
559 tsi_result_to_string(result));
560 return;
561 }
562 // Create handshakers.
563 handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args));
564 return;
565 }
566 // TODO(ZhenLian): Implement the logic(delegation to
567 // BlockOnInitialCredentialHandshaker) when certificates are not ready.
568 gpr_log(GPR_ERROR, "%s not supported yet.",
569 "Server BlockOnInitialCredentialHandshaker");
570 }
571
check_peer(tsi_peer peer,grpc_endpoint *,RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)572 void TlsServerSecurityConnector::check_peer(
573 tsi_peer peer, grpc_endpoint* /*ep*/,
574 RefCountedPtr<grpc_auth_context>* auth_context,
575 grpc_closure* on_peer_checked) {
576 grpc_error_handle error = grpc_ssl_check_alpn(&peer);
577 *auth_context =
578 grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
579 tsi_peer_destruct(&peer);
580 ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
581 }
582
cmp(const grpc_security_connector * other) const583 int TlsServerSecurityConnector::cmp(
584 const grpc_security_connector* other) const {
585 return server_security_connector_cmp(
586 static_cast<const grpc_server_security_connector*>(other));
587 }
588
589 void TlsServerSecurityConnector::TlsServerCertificateWatcher::
OnCertificatesChanged(absl::optional<absl::string_view> root_certs,absl::optional<PemKeyCertPairList> key_cert_pairs)590 OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
591 absl::optional<PemKeyCertPairList> key_cert_pairs) {
592 GPR_ASSERT(security_connector_ != nullptr);
593 MutexLock lock(&security_connector_->mu_);
594 if (root_certs.has_value()) {
595 security_connector_->pem_root_certs_ = root_certs;
596 }
597 if (key_cert_pairs.has_value()) {
598 security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
599 }
600 bool root_being_watched = security_connector_->options_->watch_root_cert();
601 bool root_has_value = security_connector_->pem_root_certs_.has_value();
602 bool identity_being_watched =
603 security_connector_->options_->watch_identity_pair();
604 bool identity_has_value =
605 security_connector_->pem_key_cert_pair_list_.has_value();
606 if ((root_being_watched && root_has_value && identity_being_watched &&
607 identity_has_value) ||
608 (root_being_watched && root_has_value && !identity_being_watched) ||
609 (!root_being_watched && identity_being_watched && identity_has_value)) {
610 if (security_connector_->UpdateHandshakerFactoryLocked() !=
611 GRPC_SECURITY_OK) {
612 gpr_log(GPR_ERROR, "Update handshaker factory failed.");
613 }
614 }
615 }
616
617 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
618 // BlockOnInitialCredentialHandshaker is implemented.
OnError(grpc_error_handle root_cert_error,grpc_error_handle identity_cert_error)619 void TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError(
620 grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
621 if (root_cert_error != GRPC_ERROR_NONE) {
622 gpr_log(GPR_ERROR,
623 "TlsServerCertificateWatcher getting root_cert_error: %s",
624 grpc_error_std_string(root_cert_error).c_str());
625 }
626 if (identity_cert_error != GRPC_ERROR_NONE) {
627 gpr_log(GPR_ERROR,
628 "TlsServerCertificateWatcher getting identity_cert_error: %s",
629 grpc_error_std_string(identity_cert_error).c_str());
630 }
631 GRPC_ERROR_UNREF(root_cert_error);
632 GRPC_ERROR_UNREF(identity_cert_error);
633 }
634
635 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
636 // BlockOnInitialCredentialHandshaker is implemented.
637 grpc_security_status
UpdateHandshakerFactoryLocked()638 TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
639 /* Free the server handshaker factory if exists. */
640 if (server_handshaker_factory_ != nullptr) {
641 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
642 }
643 // The identity certs on the server side shouldn't be empty.
644 GPR_ASSERT(pem_key_cert_pair_list_.has_value());
645 GPR_ASSERT(!(*pem_key_cert_pair_list_).empty());
646 std::string pem_root_certs;
647 if (pem_root_certs_.has_value()) {
648 // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
649 // std::string and absl::string_view to avoid making another copy here.
650 pem_root_certs = std::string(*pem_root_certs_);
651 }
652 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
653 pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
654 size_t num_key_cert_pairs = (*pem_key_cert_pair_list_).size();
655 grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
656 pem_key_cert_pairs, num_key_cert_pairs,
657 pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
658 options_->cert_request_type(),
659 grpc_get_tsi_tls_version(options_->min_tls_version()),
660 grpc_get_tsi_tls_version(options_->max_tls_version()),
661 &server_handshaker_factory_);
662 /* Free memory. */
663 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
664 num_key_cert_pairs);
665 return status;
666 }
667
668 namespace internal {
669
TlsCheckHostName(const char * peer_name,const tsi_peer * peer)670 grpc_error_handle TlsCheckHostName(const char* peer_name,
671 const tsi_peer* peer) {
672 /* Check the peer name if specified. */
673 if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
674 return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
675 absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
676 .c_str());
677 }
678 return GRPC_ERROR_NONE;
679 }
680
681 } // namespace internal
682
683 } // namespace grpc_core
684