3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/log.h>
27 #include <grpc/support/string_util.h>
29 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
30 #include "src/core/lib/channel/handshaker.h"
31 #include "src/core/lib/gpr/host_port.h"
32 #include "src/core/lib/gpr/string.h"
33 #include "src/core/lib/gprpp/ref_counted_ptr.h"
34 #include "src/core/lib/security/context/security_context.h"
35 #include "src/core/lib/security/credentials/credentials.h"
36 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
37 #include "src/core/lib/security/security_connector/load_system_roots.h"
38 #include "src/core/lib/security/security_connector/ssl_utils.h"
39 #include "src/core/lib/security/transport/security_handshaker.h"
40 #include "src/core/tsi/ssl_transport_security.h"
41 #include "src/core/tsi/transport_security.h"
44 grpc_error* ssl_check_peer(
45 const char* peer_name, const tsi_peer* peer,
46 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context) {
47 grpc_error* error = grpc_ssl_check_alpn(peer);
48 if (error != GRPC_ERROR_NONE) {
51 /* Check the peer name if specified. */
52 if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
54 gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
55 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
59 *auth_context = grpc_ssl_peer_to_auth_context(peer);
60 return GRPC_ERROR_NONE;
63 class grpc_ssl_channel_security_connector final
64 : public grpc_channel_security_connector {
66 grpc_ssl_channel_security_connector(
67 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
68 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
69 const grpc_ssl_config* config, const char* target_name,
70 const char* overridden_target_name)
71 : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
72 std::move(channel_creds),
73 std::move(request_metadata_creds)),
74 overridden_target_name_(overridden_target_name == nullptr
76 : gpr_strdup(overridden_target_name)),
77 verify_options_(&config->verify_options) {
79 gpr_split_host_port(target_name, &target_name_, &port);
83 ~grpc_ssl_channel_security_connector() override {
84 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
85 if (target_name_ != nullptr) gpr_free(target_name_);
86 if (overridden_target_name_ != nullptr) gpr_free(overridden_target_name_);
89 grpc_security_status InitializeHandshakerFactory(
90 const grpc_ssl_config* config, const char* pem_root_certs,
91 const tsi_ssl_root_certs_store* root_store,
92 tsi_ssl_session_cache* ssl_session_cache) {
93 bool has_key_cert_pair =
94 config->pem_key_cert_pair != nullptr &&
95 config->pem_key_cert_pair->private_key != nullptr &&
96 config->pem_key_cert_pair->cert_chain != nullptr;
97 tsi_ssl_client_handshaker_options options;
98 GPR_DEBUG_ASSERT(pem_root_certs != nullptr);
99 options.pem_root_certs = pem_root_certs;
100 options.root_store = root_store;
101 options.alpn_protocols =
102 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
103 if (has_key_cert_pair) {
104 options.pem_key_cert_pair = config->pem_key_cert_pair;
106 options.cipher_suites = grpc_get_ssl_cipher_suites();
107 options.session_cache = ssl_session_cache;
108 const tsi_result result =
109 tsi_create_ssl_client_handshaker_factory_with_options(
110 &options, &client_handshaker_factory_);
111 gpr_free((void*)options.alpn_protocols);
112 if (result != TSI_OK) {
113 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
114 tsi_result_to_string(result));
115 return GRPC_SECURITY_ERROR;
117 return GRPC_SECURITY_OK;
120 void add_handshakers(grpc_pollset_set* interested_parties,
121 grpc_core::HandshakeManager* handshake_mgr) override {
122 // Instantiate TSI handshaker.
123 tsi_handshaker* tsi_hs = nullptr;
124 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
125 client_handshaker_factory_,
126 overridden_target_name_ != nullptr ? overridden_target_name_
129 if (result != TSI_OK) {
130 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
131 tsi_result_to_string(result));
134 // Create handshakers.
135 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
138 void check_peer(tsi_peer peer, grpc_endpoint* ep,
139 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
140 grpc_closure* on_peer_checked) override {
141 const char* target_name = overridden_target_name_ != nullptr
142 ? overridden_target_name_
144 grpc_error* error = ssl_check_peer(target_name, &peer, auth_context);
145 if (error == GRPC_ERROR_NONE &&
146 verify_options_->verify_peer_callback != nullptr) {
147 const tsi_peer_property* p =
148 tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
150 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
151 "Cannot check peer: missing pem cert property.");
153 char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
154 memcpy(peer_pem, p->value.data, p->value.length);
155 peer_pem[p->value.length] = '\0';
156 int callback_status = verify_options_->verify_peer_callback(
157 target_name, peer_pem,
158 verify_options_->verify_peer_callback_userdata);
160 if (callback_status) {
162 gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
164 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
169 GRPC_CLOSURE_SCHED(on_peer_checked, error);
170 tsi_peer_destruct(&peer);
173 int cmp(const grpc_security_connector* other_sc) const override {
175 reinterpret_cast<const grpc_ssl_channel_security_connector*>(other_sc);
176 int c = channel_security_connector_cmp(other);
177 if (c != 0) return c;
178 c = strcmp(target_name_, other->target_name_);
179 if (c != 0) return c;
180 return (overridden_target_name_ == nullptr ||
181 other->overridden_target_name_ == nullptr)
182 ? GPR_ICMP(overridden_target_name_,
183 other->overridden_target_name_)
184 : strcmp(overridden_target_name_,
185 other->overridden_target_name_);
188 bool check_call_host(const char* host, grpc_auth_context* auth_context,
189 grpc_closure* on_call_host_checked,
190 grpc_error** error) override {
191 grpc_security_status status = GRPC_SECURITY_ERROR;
192 tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
193 if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
194 /* If the target name was overridden, then the original target_name was
195 'checked' transitively during the previous peer check at the end of the
197 if (overridden_target_name_ != nullptr && strcmp(host, target_name_) == 0) {
198 status = GRPC_SECURITY_OK;
200 if (status != GRPC_SECURITY_OK) {
201 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
202 "call host does not match SSL server name");
204 grpc_shallow_peer_destruct(&peer);
208 void cancel_check_call_host(grpc_closure* on_call_host_checked,
209 grpc_error* error) override {
210 GRPC_ERROR_UNREF(error);
214 tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
216 char* overridden_target_name_;
217 const verify_peer_options* verify_options_;
220 class grpc_ssl_server_security_connector
221 : public grpc_server_security_connector {
223 grpc_ssl_server_security_connector(
224 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
225 : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
226 std::move(server_creds)) {}
228 ~grpc_ssl_server_security_connector() override {
229 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
232 bool has_cert_config_fetcher() const {
233 return static_cast<const grpc_ssl_server_credentials*>(server_creds())
234 ->has_cert_config_fetcher();
237 const tsi_ssl_server_handshaker_factory* server_handshaker_factory() const {
238 return server_handshaker_factory_;
241 grpc_security_status InitializeHandshakerFactory() {
242 if (has_cert_config_fetcher()) {
243 // Load initial credentials from certificate_config_fetcher:
244 if (!try_fetch_ssl_server_credentials()) {
246 "Failed loading SSL server credentials from fetcher.");
247 return GRPC_SECURITY_ERROR;
250 auto* server_credentials =
251 static_cast<const grpc_ssl_server_credentials*>(server_creds());
252 size_t num_alpn_protocols = 0;
253 const char** alpn_protocol_strings =
254 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
255 tsi_ssl_server_handshaker_options options;
256 options.pem_key_cert_pairs =
257 server_credentials->config().pem_key_cert_pairs;
258 options.num_key_cert_pairs =
259 server_credentials->config().num_key_cert_pairs;
260 options.pem_client_root_certs =
261 server_credentials->config().pem_root_certs;
262 options.client_certificate_request =
263 grpc_get_tsi_client_certificate_request_type(
264 server_credentials->config().client_certificate_request);
265 options.cipher_suites = grpc_get_ssl_cipher_suites();
266 options.alpn_protocols = alpn_protocol_strings;
267 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
268 const tsi_result result =
269 tsi_create_ssl_server_handshaker_factory_with_options(
270 &options, &server_handshaker_factory_);
271 gpr_free((void*)alpn_protocol_strings);
272 if (result != TSI_OK) {
273 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
274 tsi_result_to_string(result));
275 return GRPC_SECURITY_ERROR;
278 return GRPC_SECURITY_OK;
281 void add_handshakers(grpc_pollset_set* interested_parties,
282 grpc_core::HandshakeManager* handshake_mgr) override {
283 // Instantiate TSI handshaker.
284 try_fetch_ssl_server_credentials();
285 tsi_handshaker* tsi_hs = nullptr;
286 tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
287 server_handshaker_factory_, &tsi_hs);
288 if (result != TSI_OK) {
289 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
290 tsi_result_to_string(result));
293 // Create handshakers.
294 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
297 void check_peer(tsi_peer peer, grpc_endpoint* ep,
298 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
299 grpc_closure* on_peer_checked) override {
300 grpc_error* error = ssl_check_peer(nullptr, &peer, auth_context);
301 tsi_peer_destruct(&peer);
302 GRPC_CLOSURE_SCHED(on_peer_checked, error);
305 int cmp(const grpc_security_connector* other) const override {
306 return server_security_connector_cmp(
307 static_cast<const grpc_server_security_connector*>(other));
311 /* Attempts to fetch the server certificate config if a callback is available.
312 * Current certificate config will continue to be used if the callback returns
313 * an error. Returns true if new credentials were sucessfully loaded. */
314 bool try_fetch_ssl_server_credentials() {
315 grpc_ssl_server_certificate_config* certificate_config = nullptr;
317 if (!has_cert_config_fetcher()) return false;
319 grpc_ssl_server_credentials* server_creds =
320 static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
321 grpc_ssl_certificate_config_reload_status cb_result =
322 server_creds->FetchCertConfig(&certificate_config);
323 if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
324 gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
326 } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
327 status = try_replace_server_handshaker_factory(certificate_config);
329 // Log error, continue using previously-loaded credentials.
331 "Failed fetching new server credentials, continuing to "
332 "use previously-loaded credentials.");
336 if (certificate_config != nullptr) {
337 grpc_ssl_server_certificate_config_destroy(certificate_config);
342 /* Attempts to replace the server_handshaker_factory with a new factory using
343 * the provided grpc_ssl_server_certificate_config. Should new factory
344 * creation fail, the existing factory will not be replaced. Returns true on
345 * success (new factory created). */
346 bool try_replace_server_handshaker_factory(
347 const grpc_ssl_server_certificate_config* config) {
348 if (config == nullptr) {
350 "Server certificate config callback returned invalid (NULL) "
354 gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
356 size_t num_alpn_protocols = 0;
357 const char** alpn_protocol_strings =
358 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
359 tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
360 const grpc_ssl_server_credentials* server_creds =
361 static_cast<const grpc_ssl_server_credentials*>(this->server_creds());
362 GPR_DEBUG_ASSERT(config->pem_root_certs != nullptr);
363 tsi_ssl_server_handshaker_options options;
364 options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
365 config->pem_key_cert_pairs, config->num_key_cert_pairs);
366 options.num_key_cert_pairs = config->num_key_cert_pairs;
367 options.pem_client_root_certs = config->pem_root_certs;
368 options.client_certificate_request =
369 grpc_get_tsi_client_certificate_request_type(
370 server_creds->config().client_certificate_request);
371 options.cipher_suites = grpc_get_ssl_cipher_suites();
372 options.alpn_protocols = alpn_protocol_strings;
373 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
374 tsi_result result = tsi_create_ssl_server_handshaker_factory_with_options(
375 &options, &new_handshaker_factory);
376 grpc_tsi_ssl_pem_key_cert_pairs_destroy(
377 const_cast<tsi_ssl_pem_key_cert_pair*>(options.pem_key_cert_pairs),
378 options.num_key_cert_pairs);
379 gpr_free((void*)alpn_protocol_strings);
381 if (result != TSI_OK) {
382 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
383 tsi_result_to_string(result));
386 set_server_handshaker_factory(new_handshaker_factory);
390 void set_server_handshaker_factory(
391 tsi_ssl_server_handshaker_factory* new_factory) {
392 if (server_handshaker_factory_) {
393 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
395 server_handshaker_factory_ = new_factory;
398 tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
402 grpc_core::RefCountedPtr<grpc_channel_security_connector>
403 grpc_ssl_channel_security_connector_create(
404 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
405 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
406 const grpc_ssl_config* config, const char* target_name,
407 const char* overridden_target_name,
408 tsi_ssl_session_cache* ssl_session_cache) {
409 if (config == nullptr || target_name == nullptr) {
410 gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
414 const char* pem_root_certs;
415 const tsi_ssl_root_certs_store* root_store;
416 if (config->pem_root_certs == nullptr) {
417 // Use default root certificates.
418 pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
419 if (pem_root_certs == nullptr) {
420 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
423 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
425 pem_root_certs = config->pem_root_certs;
426 root_store = nullptr;
429 grpc_core::RefCountedPtr<grpc_ssl_channel_security_connector> c =
430 grpc_core::MakeRefCounted<grpc_ssl_channel_security_connector>(
431 std::move(channel_creds), std::move(request_metadata_creds), config,
432 target_name, overridden_target_name);
433 const grpc_security_status result = c->InitializeHandshakerFactory(
434 config, pem_root_certs, root_store, ssl_session_cache);
435 if (result != GRPC_SECURITY_OK) {
441 grpc_core::RefCountedPtr<grpc_server_security_connector>
442 grpc_ssl_server_security_connector_create(
443 grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials) {
444 GPR_ASSERT(server_credentials != nullptr);
445 grpc_core::RefCountedPtr<grpc_ssl_server_security_connector> c =
446 grpc_core::MakeRefCounted<grpc_ssl_server_security_connector>(
447 std::move(server_credentials));
448 const grpc_security_status retval = c->InitializeHandshakerFactory();
449 if (retval != GRPC_SECURITY_OK) {