1 /* 2 * 3 * Copyright 2018 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 21 22 #include <grpc/support/port_platform.h> 23 24 #include "src/core/lib/gprpp/sync.h" 25 #include "src/core/lib/security/context/security_context.h" 26 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h" 27 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" 28 29 #define GRPC_TLS_TRANSPORT_SECURITY_TYPE "tls" 30 31 namespace grpc_core { 32 33 // Channel security connector using TLS as transport security protocol. 34 class TlsChannelSecurityConnector final 35 : public grpc_channel_security_connector { 36 public: 37 // static factory method to create a TLS channel security connector. 38 static RefCountedPtr<grpc_channel_security_connector> 39 CreateTlsChannelSecurityConnector( 40 RefCountedPtr<grpc_channel_credentials> channel_creds, 41 RefCountedPtr<grpc_tls_credentials_options> options, 42 RefCountedPtr<grpc_call_credentials> request_metadata_creds, 43 const char* target_name, const char* overridden_target_name, 44 tsi_ssl_session_cache* ssl_session_cache); 45 46 TlsChannelSecurityConnector( 47 RefCountedPtr<grpc_channel_credentials> channel_creds, 48 RefCountedPtr<grpc_tls_credentials_options> options, 49 RefCountedPtr<grpc_call_credentials> request_metadata_creds, 50 const char* target_name, const char* overridden_target_name, 51 tsi_ssl_session_cache* ssl_session_cache); 52 53 ~TlsChannelSecurityConnector() override; 54 55 void add_handshakers(const grpc_channel_args* args, 56 grpc_pollset_set* interested_parties, 57 HandshakeManager* handshake_mgr) override; 58 59 void check_peer(tsi_peer peer, grpc_endpoint* ep, 60 RefCountedPtr<grpc_auth_context>* auth_context, 61 grpc_closure* on_peer_checked) override; 62 cancel_check_peer(grpc_closure *,grpc_error_handle error)63 void cancel_check_peer(grpc_closure* /*on_peer_checked*/, 64 grpc_error_handle error) override { 65 // TODO(ZhenLian): call verifier->cancel() once the verifier is ready. 66 GRPC_ERROR_UNREF(error); 67 } 68 69 int cmp(const grpc_security_connector* other_sc) const override; 70 71 bool check_call_host(absl::string_view host, grpc_auth_context* auth_context, 72 grpc_closure* on_call_host_checked, 73 grpc_error_handle* error) override; 74 75 void cancel_check_call_host(grpc_closure* on_call_host_checked, 76 grpc_error_handle error) override; 77 ClientHandshakerFactoryForTesting()78 tsi_ssl_client_handshaker_factory* ClientHandshakerFactoryForTesting() { 79 MutexLock lock(&mu_); 80 return client_handshaker_factory_; 81 }; 82 RootCertsForTesting()83 absl::optional<absl::string_view> RootCertsForTesting() { 84 MutexLock lock(&mu_); 85 return pem_root_certs_; 86 } 87 KeyCertPairListForTesting()88 absl::optional<PemKeyCertPairList> KeyCertPairListForTesting() { 89 MutexLock lock(&mu_); 90 return pem_key_cert_pair_list_; 91 } 92 93 private: 94 // A watcher that watches certificate updates from 95 // grpc_tls_certificate_distributor. It will never outlive 96 // |security_connector_|. 97 class TlsChannelCertificateWatcher : public grpc_tls_certificate_distributor:: 98 TlsCertificatesWatcherInterface { 99 public: TlsChannelCertificateWatcher(TlsChannelSecurityConnector * security_connector)100 explicit TlsChannelCertificateWatcher( 101 TlsChannelSecurityConnector* security_connector) 102 : security_connector_(security_connector) {} 103 void OnCertificatesChanged( 104 absl::optional<absl::string_view> root_certs, 105 absl::optional<PemKeyCertPairList> key_cert_pairs) override; 106 void OnError(grpc_error_handle root_cert_error, 107 grpc_error_handle identity_cert_error) override; 108 109 private: 110 TlsChannelSecurityConnector* security_connector_ = nullptr; 111 }; 112 113 // Updates |client_handshaker_factory_| when the certificates that 114 // |certificate_watcher_| is watching get updated. 115 grpc_security_status UpdateHandshakerFactoryLocked() 116 ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_); 117 118 // gRPC-provided callback executed by application, which servers to bring the 119 // control back to gRPC core. 120 static void ServerAuthorizationCheckDone( 121 grpc_tls_server_authorization_check_arg* arg); 122 123 // A util function to process server authorization check result. 124 static grpc_error_handle ProcessServerAuthorizationCheckResult( 125 grpc_tls_server_authorization_check_arg* arg); 126 127 // A util function to create a server authorization check arg instance. 128 static grpc_tls_server_authorization_check_arg* 129 ServerAuthorizationCheckArgCreate(void* user_data); 130 131 // A util function to destroy a server authorization check arg instance. 132 static void ServerAuthorizationCheckArgDestroy( 133 grpc_tls_server_authorization_check_arg* arg); 134 135 RefCountedPtr<grpc_tls_credentials_options> options_; 136 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 137 certificate_watcher_ = nullptr; 138 grpc_closure* on_peer_checked_ = nullptr; 139 std::string target_name_; 140 std::string overridden_target_name_; 141 grpc_tls_server_authorization_check_arg* check_arg_ = nullptr; 142 143 Mutex mu_; 144 tsi_ssl_client_handshaker_factory* client_handshaker_factory_ 145 ABSL_GUARDED_BY(mu_) = nullptr; 146 tsi_ssl_session_cache* ssl_session_cache_ ABSL_GUARDED_BY(mu_) = nullptr; 147 absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_); 148 absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_ 149 ABSL_GUARDED_BY(mu_); 150 }; 151 152 // Server security connector using TLS as transport security protocol. 153 class TlsServerSecurityConnector final : public grpc_server_security_connector { 154 public: 155 // static factory method to create a TLS server security connector. 156 static RefCountedPtr<grpc_server_security_connector> 157 CreateTlsServerSecurityConnector( 158 RefCountedPtr<grpc_server_credentials> server_creds, 159 RefCountedPtr<grpc_tls_credentials_options> options); 160 161 TlsServerSecurityConnector( 162 RefCountedPtr<grpc_server_credentials> server_creds, 163 RefCountedPtr<grpc_tls_credentials_options> options); 164 ~TlsServerSecurityConnector() override; 165 166 void add_handshakers(const grpc_channel_args* args, 167 grpc_pollset_set* interested_parties, 168 HandshakeManager* handshake_mgr) override; 169 170 void check_peer(tsi_peer peer, grpc_endpoint* ep, 171 RefCountedPtr<grpc_auth_context>* auth_context, 172 grpc_closure* on_peer_checked) override; 173 cancel_check_peer(grpc_closure *,grpc_error_handle error)174 void cancel_check_peer(grpc_closure* /*on_peer_checked*/, 175 grpc_error_handle error) override { 176 // TODO(ZhenLian): call verifier->cancel() once the verifier is ready. 177 GRPC_ERROR_UNREF(error); 178 } 179 180 int cmp(const grpc_security_connector* other) const override; 181 ServerHandshakerFactoryForTesting()182 tsi_ssl_server_handshaker_factory* ServerHandshakerFactoryForTesting() { 183 MutexLock lock(&mu_); 184 return server_handshaker_factory_; 185 }; 186 RootCertsForTesting()187 const absl::optional<absl::string_view>& RootCertsForTesting() { 188 MutexLock lock(&mu_); 189 return pem_root_certs_; 190 } 191 KeyCertPairListForTesting()192 const absl::optional<PemKeyCertPairList>& KeyCertPairListForTesting() { 193 MutexLock lock(&mu_); 194 return pem_key_cert_pair_list_; 195 } 196 197 private: 198 // A watcher that watches certificate updates from 199 // grpc_tls_certificate_distributor. It will never outlive 200 // |security_connector_|. 201 class TlsServerCertificateWatcher : public grpc_tls_certificate_distributor:: 202 TlsCertificatesWatcherInterface { 203 public: TlsServerCertificateWatcher(TlsServerSecurityConnector * security_connector)204 explicit TlsServerCertificateWatcher( 205 TlsServerSecurityConnector* security_connector) 206 : security_connector_(security_connector) {} 207 void OnCertificatesChanged( 208 absl::optional<absl::string_view> root_certs, 209 absl::optional<PemKeyCertPairList> key_cert_pairs) override; 210 void OnError(grpc_error_handle root_cert_error, 211 grpc_error_handle identity_cert_error) override; 212 213 private: 214 TlsServerSecurityConnector* security_connector_ = nullptr; 215 }; 216 217 // Updates |server_handshaker_factory_| when the certificates that 218 // |certificate_watcher_| is watching get updated. 219 grpc_security_status UpdateHandshakerFactoryLocked() 220 ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_); 221 222 RefCountedPtr<grpc_tls_credentials_options> options_; 223 grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* 224 certificate_watcher_ = nullptr; 225 226 Mutex mu_; 227 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ 228 ABSL_GUARDED_BY(mu_) = nullptr; 229 absl::optional<absl::string_view> pem_root_certs_ ABSL_GUARDED_BY(mu_); 230 absl::optional<PemKeyCertPairList> pem_key_cert_pair_list_ 231 ABSL_GUARDED_BY(mu_); 232 }; 233 234 // ---- Functions below are exposed for testing only ----------------------- 235 namespace internal { 236 237 // TlsCheckHostName checks if |peer_name| matches the identity information 238 // contained in |peer|. This is AKA hostname check. 239 grpc_error_handle TlsCheckHostName(const char* peer_name, const tsi_peer* peer); 240 241 } // namespace internal 242 243 } // namespace grpc_core 244 245 #endif // GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H 246