1 /*
2 *
3 * Copyright 2018 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
22
23 #include <stdbool.h>
24
25 #include "absl/strings/str_cat.h"
26 #include "absl/strings/str_format.h"
27 #include "absl/strings/string_view.h"
28
29 #include <grpc/support/alloc.h>
30 #include <grpc/support/log.h>
31
32 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
33 #include "src/core/lib/channel/handshaker.h"
34 #include "src/core/lib/gpr/string.h"
35 #include "src/core/lib/gprpp/host_port.h"
36 #include "src/core/lib/gprpp/ref_counted_ptr.h"
37 #include "src/core/lib/gprpp/sync.h"
38 #include "src/core/lib/security/context/security_context.h"
39 #include "src/core/lib/security/credentials/credentials.h"
40 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
41 #include "src/core/lib/security/security_connector/load_system_roots.h"
42 #include "src/core/lib/security/security_connector/ssl_utils.h"
43 #include "src/core/lib/security/transport/security_handshaker.h"
44 #include "src/core/tsi/ssl_transport_security.h"
45 #include "src/core/tsi/transport_security.h"
46
47 namespace {
ssl_check_peer(const char * peer_name,const tsi_peer * peer,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context)48 grpc_error_handle ssl_check_peer(
49 const char* peer_name, const tsi_peer* peer,
50 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context) {
51 grpc_error_handle error = grpc_ssl_check_alpn(peer);
52 if (error != GRPC_ERROR_NONE) {
53 return error;
54 }
55 /* Check the peer name if specified. */
56 if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
57 return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
58 absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
59 .c_str());
60 }
61 *auth_context =
62 grpc_ssl_peer_to_auth_context(peer, GRPC_SSL_TRANSPORT_SECURITY_TYPE);
63 return GRPC_ERROR_NONE;
64 }
65
66 class grpc_ssl_channel_security_connector final
67 : public grpc_channel_security_connector {
68 public:
grpc_ssl_channel_security_connector(grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,const grpc_ssl_config * config,const char * target_name,const char * overridden_target_name)69 grpc_ssl_channel_security_connector(
70 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
71 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
72 const grpc_ssl_config* config, const char* target_name,
73 const char* overridden_target_name)
74 : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
75 std::move(channel_creds),
76 std::move(request_metadata_creds)),
77 overridden_target_name_(
78 overridden_target_name == nullptr ? "" : overridden_target_name),
79 verify_options_(&config->verify_options) {
80 absl::string_view host;
81 absl::string_view port;
82 grpc_core::SplitHostPort(target_name, &host, &port);
83 target_name_ = std::string(host);
84 }
85
~grpc_ssl_channel_security_connector()86 ~grpc_ssl_channel_security_connector() override {
87 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
88 }
89
InitializeHandshakerFactory(const grpc_ssl_config * config,const char * pem_root_certs,const tsi_ssl_root_certs_store * root_store,tsi_ssl_session_cache * ssl_session_cache)90 grpc_security_status InitializeHandshakerFactory(
91 const grpc_ssl_config* config, const char* pem_root_certs,
92 const tsi_ssl_root_certs_store* root_store,
93 tsi_ssl_session_cache* ssl_session_cache) {
94 bool has_key_cert_pair =
95 config->pem_key_cert_pair != nullptr &&
96 config->pem_key_cert_pair->private_key != nullptr &&
97 config->pem_key_cert_pair->cert_chain != nullptr;
98 tsi_ssl_client_handshaker_options options;
99 GPR_DEBUG_ASSERT(pem_root_certs != nullptr);
100 options.pem_root_certs = pem_root_certs;
101 options.root_store = root_store;
102 options.alpn_protocols =
103 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
104 if (has_key_cert_pair) {
105 options.pem_key_cert_pair = config->pem_key_cert_pair;
106 }
107 options.cipher_suites = grpc_get_ssl_cipher_suites();
108 options.session_cache = ssl_session_cache;
109 options.min_tls_version = grpc_get_tsi_tls_version(config->min_tls_version);
110 options.max_tls_version = grpc_get_tsi_tls_version(config->max_tls_version);
111 const tsi_result result =
112 tsi_create_ssl_client_handshaker_factory_with_options(
113 &options, &client_handshaker_factory_);
114 gpr_free(options.alpn_protocols);
115 if (result != TSI_OK) {
116 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
117 tsi_result_to_string(result));
118 return GRPC_SECURITY_ERROR;
119 }
120 return GRPC_SECURITY_OK;
121 }
122
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,grpc_core::HandshakeManager * handshake_mgr)123 void add_handshakers(const grpc_channel_args* args,
124 grpc_pollset_set* /*interested_parties*/,
125 grpc_core::HandshakeManager* handshake_mgr) override {
126 // Instantiate TSI handshaker.
127 tsi_handshaker* tsi_hs = nullptr;
128 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
129 client_handshaker_factory_,
130 overridden_target_name_.empty() ? target_name_.c_str()
131 : overridden_target_name_.c_str(),
132 &tsi_hs);
133 if (result != TSI_OK) {
134 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
135 tsi_result_to_string(result));
136 return;
137 }
138 // Create handshakers.
139 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
140 }
141
check_peer(tsi_peer peer,grpc_endpoint *,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)142 void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
143 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
144 grpc_closure* on_peer_checked) override {
145 const char* target_name = overridden_target_name_.empty()
146 ? target_name_.c_str()
147 : overridden_target_name_.c_str();
148 grpc_error_handle error = ssl_check_peer(target_name, &peer, auth_context);
149 if (error == GRPC_ERROR_NONE &&
150 verify_options_->verify_peer_callback != nullptr) {
151 const tsi_peer_property* p =
152 tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
153 if (p == nullptr) {
154 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
155 "Cannot check peer: missing pem cert property.");
156 } else {
157 char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
158 memcpy(peer_pem, p->value.data, p->value.length);
159 peer_pem[p->value.length] = '\0';
160 int callback_status = verify_options_->verify_peer_callback(
161 target_name, peer_pem,
162 verify_options_->verify_peer_callback_userdata);
163 gpr_free(peer_pem);
164 if (callback_status) {
165 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
166 absl::StrFormat("Verify peer callback returned a failure (%d)",
167 callback_status)
168 .c_str());
169 }
170 }
171 }
172 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
173 tsi_peer_destruct(&peer);
174 }
175
cancel_check_peer(grpc_closure *,grpc_error_handle error)176 void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
177 grpc_error_handle error) override {
178 GRPC_ERROR_UNREF(error);
179 }
180
cmp(const grpc_security_connector * other_sc) const181 int cmp(const grpc_security_connector* other_sc) const override {
182 auto* other =
183 reinterpret_cast<const grpc_ssl_channel_security_connector*>(other_sc);
184 int c = channel_security_connector_cmp(other);
185 if (c != 0) return c;
186 c = target_name_.compare(other->target_name_);
187 if (c != 0) return c;
188 return overridden_target_name_.compare(other->overridden_target_name_);
189 }
190
check_call_host(absl::string_view host,grpc_auth_context * auth_context,grpc_closure *,grpc_error_handle * error)191 bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
192 grpc_closure* /*on_call_host_checked*/,
193 grpc_error_handle* error) override {
194 return grpc_ssl_check_call_host(host, target_name_.c_str(),
195 overridden_target_name_.c_str(),
196 auth_context, error);
197 }
198
cancel_check_call_host(grpc_closure *,grpc_error_handle error)199 void cancel_check_call_host(grpc_closure* /*on_call_host_checked*/,
200 grpc_error_handle error) override {
201 GRPC_ERROR_UNREF(error);
202 }
203
204 private:
205 tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
206 std::string target_name_;
207 std::string overridden_target_name_;
208 const verify_peer_options* verify_options_;
209 };
210
211 class grpc_ssl_server_security_connector
212 : public grpc_server_security_connector {
213 public:
grpc_ssl_server_security_connector(grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)214 explicit grpc_ssl_server_security_connector(
215 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
216 : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
217 std::move(server_creds)) {}
218
~grpc_ssl_server_security_connector()219 ~grpc_ssl_server_security_connector() override {
220 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
221 }
222
has_cert_config_fetcher() const223 bool has_cert_config_fetcher() const {
224 return static_cast<const grpc_ssl_server_credentials*>(server_creds())
225 ->has_cert_config_fetcher();
226 }
227
server_handshaker_factory() const228 const tsi_ssl_server_handshaker_factory* server_handshaker_factory() const {
229 return server_handshaker_factory_;
230 }
231
InitializeHandshakerFactory()232 grpc_security_status InitializeHandshakerFactory() {
233 if (has_cert_config_fetcher()) {
234 // Load initial credentials from certificate_config_fetcher:
235 if (!try_fetch_ssl_server_credentials()) {
236 gpr_log(GPR_ERROR,
237 "Failed loading SSL server credentials from fetcher.");
238 return GRPC_SECURITY_ERROR;
239 }
240 } else {
241 auto* server_credentials =
242 static_cast<const grpc_ssl_server_credentials*>(server_creds());
243 size_t num_alpn_protocols = 0;
244 const char** alpn_protocol_strings =
245 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
246 tsi_ssl_server_handshaker_options options;
247 options.pem_key_cert_pairs =
248 server_credentials->config().pem_key_cert_pairs;
249 options.num_key_cert_pairs =
250 server_credentials->config().num_key_cert_pairs;
251 options.pem_client_root_certs =
252 server_credentials->config().pem_root_certs;
253 options.client_certificate_request =
254 grpc_get_tsi_client_certificate_request_type(
255 server_credentials->config().client_certificate_request);
256 options.cipher_suites = grpc_get_ssl_cipher_suites();
257 options.alpn_protocols = alpn_protocol_strings;
258 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
259 options.min_tls_version = grpc_get_tsi_tls_version(
260 server_credentials->config().min_tls_version);
261 options.max_tls_version = grpc_get_tsi_tls_version(
262 server_credentials->config().max_tls_version);
263 const tsi_result result =
264 tsi_create_ssl_server_handshaker_factory_with_options(
265 &options, &server_handshaker_factory_);
266 gpr_free(alpn_protocol_strings);
267 if (result != TSI_OK) {
268 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
269 tsi_result_to_string(result));
270 return GRPC_SECURITY_ERROR;
271 }
272 }
273 return GRPC_SECURITY_OK;
274 }
275
add_handshakers(const grpc_channel_args * args,grpc_pollset_set *,grpc_core::HandshakeManager * handshake_mgr)276 void add_handshakers(const grpc_channel_args* args,
277 grpc_pollset_set* /*interested_parties*/,
278 grpc_core::HandshakeManager* handshake_mgr) override {
279 // Instantiate TSI handshaker.
280 try_fetch_ssl_server_credentials();
281 tsi_handshaker* tsi_hs = nullptr;
282 tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
283 server_handshaker_factory_, &tsi_hs);
284 if (result != TSI_OK) {
285 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
286 tsi_result_to_string(result));
287 return;
288 }
289 // Create handshakers.
290 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
291 }
292
check_peer(tsi_peer peer,grpc_endpoint *,grpc_core::RefCountedPtr<grpc_auth_context> * auth_context,grpc_closure * on_peer_checked)293 void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
294 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
295 grpc_closure* on_peer_checked) override {
296 grpc_error_handle error = ssl_check_peer(nullptr, &peer, auth_context);
297 tsi_peer_destruct(&peer);
298 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
299 }
300
cancel_check_peer(grpc_closure *,grpc_error_handle error)301 void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
302 grpc_error_handle error) override {
303 GRPC_ERROR_UNREF(error);
304 }
305
cmp(const grpc_security_connector * other) const306 int cmp(const grpc_security_connector* other) const override {
307 return server_security_connector_cmp(
308 static_cast<const grpc_server_security_connector*>(other));
309 }
310
311 private:
312 /* Attempts to fetch the server certificate config if a callback is available.
313 * Current certificate config will continue to be used if the callback returns
314 * an error. Returns true if new credentials were successfully loaded. */
try_fetch_ssl_server_credentials()315 bool try_fetch_ssl_server_credentials() {
316 grpc_ssl_server_certificate_config* certificate_config = nullptr;
317 bool status;
318 if (!has_cert_config_fetcher()) return false;
319
320 grpc_core::MutexLock lock(&mu_);
321 grpc_ssl_server_credentials* server_creds =
322 static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
323 grpc_ssl_certificate_config_reload_status cb_result =
324 server_creds->FetchCertConfig(&certificate_config);
325 if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
326 gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
327 status = false;
328 } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
329 status = try_replace_server_handshaker_factory(certificate_config);
330 } else {
331 // Log error, continue using previously-loaded credentials.
332 gpr_log(GPR_ERROR,
333 "Failed fetching new server credentials, continuing to "
334 "use previously-loaded credentials.");
335 status = false;
336 }
337
338 if (certificate_config != nullptr) {
339 grpc_ssl_server_certificate_config_destroy(certificate_config);
340 }
341 return status;
342 }
343
344 /* Attempts to replace the server_handshaker_factory with a new factory using
345 * the provided grpc_ssl_server_certificate_config. Should new factory
346 * creation fail, the existing factory will not be replaced. Returns true on
347 * success (new factory created). */
try_replace_server_handshaker_factory(const grpc_ssl_server_certificate_config * config)348 bool try_replace_server_handshaker_factory(
349 const grpc_ssl_server_certificate_config* config) {
350 if (config == nullptr) {
351 gpr_log(GPR_ERROR,
352 "Server certificate config callback returned invalid (NULL) "
353 "config.");
354 return false;
355 }
356 gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
357
358 size_t num_alpn_protocols = 0;
359 const char** alpn_protocol_strings =
360 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
361 tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
362 const grpc_ssl_server_credentials* server_creds =
363 static_cast<const grpc_ssl_server_credentials*>(this->server_creds());
364 GPR_DEBUG_ASSERT(config->pem_root_certs != nullptr);
365 tsi_ssl_server_handshaker_options options;
366 options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
367 config->pem_key_cert_pairs, config->num_key_cert_pairs);
368 options.num_key_cert_pairs = config->num_key_cert_pairs;
369 options.pem_client_root_certs = config->pem_root_certs;
370 options.client_certificate_request =
371 grpc_get_tsi_client_certificate_request_type(
372 server_creds->config().client_certificate_request);
373 options.cipher_suites = grpc_get_ssl_cipher_suites();
374 options.alpn_protocols = alpn_protocol_strings;
375 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
376 tsi_result result = tsi_create_ssl_server_handshaker_factory_with_options(
377 &options, &new_handshaker_factory);
378 grpc_tsi_ssl_pem_key_cert_pairs_destroy(
379 const_cast<tsi_ssl_pem_key_cert_pair*>(options.pem_key_cert_pairs),
380 options.num_key_cert_pairs);
381 gpr_free(alpn_protocol_strings);
382
383 if (result != TSI_OK) {
384 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
385 tsi_result_to_string(result));
386 return false;
387 }
388 set_server_handshaker_factory(new_handshaker_factory);
389 return true;
390 }
391
set_server_handshaker_factory(tsi_ssl_server_handshaker_factory * new_factory)392 void set_server_handshaker_factory(
393 tsi_ssl_server_handshaker_factory* new_factory) {
394 if (server_handshaker_factory_) {
395 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
396 }
397 server_handshaker_factory_ = new_factory;
398 }
399
400 grpc_core::Mutex mu_;
401 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
402 };
403 } // namespace
404
405 grpc_core::RefCountedPtr<grpc_channel_security_connector>
grpc_ssl_channel_security_connector_create(grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,const grpc_ssl_config * config,const char * target_name,const char * overridden_target_name,tsi_ssl_session_cache * ssl_session_cache)406 grpc_ssl_channel_security_connector_create(
407 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
408 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
409 const grpc_ssl_config* config, const char* target_name,
410 const char* overridden_target_name,
411 tsi_ssl_session_cache* ssl_session_cache) {
412 if (config == nullptr || target_name == nullptr) {
413 gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
414 return nullptr;
415 }
416
417 const char* pem_root_certs;
418 const tsi_ssl_root_certs_store* root_store;
419 if (config->pem_root_certs == nullptr) {
420 // Use default root certificates.
421 pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
422 if (pem_root_certs == nullptr) {
423 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
424 return nullptr;
425 }
426 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
427 } else {
428 pem_root_certs = config->pem_root_certs;
429 root_store = nullptr;
430 }
431
432 grpc_core::RefCountedPtr<grpc_ssl_channel_security_connector> c =
433 grpc_core::MakeRefCounted<grpc_ssl_channel_security_connector>(
434 std::move(channel_creds), std::move(request_metadata_creds), config,
435 target_name, overridden_target_name);
436 const grpc_security_status result = c->InitializeHandshakerFactory(
437 config, pem_root_certs, root_store, ssl_session_cache);
438 if (result != GRPC_SECURITY_OK) {
439 return nullptr;
440 }
441 return c;
442 }
443
444 grpc_core::RefCountedPtr<grpc_server_security_connector>
grpc_ssl_server_security_connector_create(grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials)445 grpc_ssl_server_security_connector_create(
446 grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials) {
447 GPR_ASSERT(server_credentials != nullptr);
448 grpc_core::RefCountedPtr<grpc_ssl_server_security_connector> c =
449 grpc_core::MakeRefCounted<grpc_ssl_server_security_connector>(
450 std::move(server_credentials));
451 const grpc_security_status retval = c->InitializeHandshakerFactory();
452 if (retval != GRPC_SECURITY_OK) {
453 return nullptr;
454 }
455 return c;
456 }
457