3 * Copyright 2015 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/security/security_connector/ssl_utils.h"
23 #include <grpc/slice_buffer.h>
24 #include <grpc/support/alloc.h>
25 #include <grpc/support/log.h>
26 #include <grpc/support/string_util.h>
28 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
29 #include "src/core/lib/channel/channel_args.h"
30 #include "src/core/lib/gpr/env.h"
31 #include "src/core/lib/gpr/host_port.h"
32 #include "src/core/lib/gpr/string.h"
33 #include "src/core/lib/gprpp/ref_counted_ptr.h"
34 #include "src/core/lib/iomgr/load_file.h"
35 #include "src/core/lib/security/context/security_context.h"
36 #include "src/core/lib/security/security_connector/load_system_roots.h"
37 #include "src/core/tsi/ssl_transport_security.h"
39 /* -- Constants. -- */
41 #ifndef INSTALL_PREFIX
42 static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
44 static const char* installed_roots_path =
45 INSTALL_PREFIX "/share/grpc/roots.pem";
48 /** Environment variable used as a flag to enable/disable loading system root
49 certificates from the OS trust store. */
50 #ifndef GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR
51 #define GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_NOT_USE_SYSTEM_SSL_ROOTS"
54 #ifndef TSI_OPENSSL_ALPN_SUPPORT
55 #define TSI_OPENSSL_ALPN_SUPPORT 1
58 /* -- Overridden default roots. -- */
60 static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
62 void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
63 ssl_roots_override_cb = cb;
66 /* -- Cipher suites. -- */
68 /* Defines the cipher suites that we accept by default. All these cipher suites
69 are compliant with HTTP2. */
70 #define GRPC_SSL_CIPHER_SUITES \
71 "ECDHE-ECDSA-AES128-GCM-SHA256:" \
72 "ECDHE-ECDSA-AES256-GCM-SHA384:" \
73 "ECDHE-RSA-AES128-GCM-SHA256:" \
74 "ECDHE-RSA-AES256-GCM-SHA384"
76 static gpr_once cipher_suites_once = GPR_ONCE_INIT;
77 static const char* cipher_suites = nullptr;
79 static void init_cipher_suites(void) {
80 char* overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES");
81 cipher_suites = overridden != nullptr ? overridden : GRPC_SSL_CIPHER_SUITES;
86 const char* grpc_get_ssl_cipher_suites(void) {
87 gpr_once_init(&cipher_suites_once, init_cipher_suites);
91 tsi_client_certificate_request_type
92 grpc_get_tsi_client_certificate_request_type(
93 grpc_ssl_client_certificate_request_type grpc_request_type) {
94 switch (grpc_request_type) {
95 case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
96 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
98 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
99 return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
101 case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
102 return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
104 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
105 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
107 case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
108 return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
111 return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
115 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
116 #if TSI_OPENSSL_ALPN_SUPPORT
117 /* Check the ALPN if ALPN is supported. */
118 const tsi_peer_property* p =
119 tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
121 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
122 "Cannot check peer: missing selected ALPN property.");
124 if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
125 return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
126 "Cannot check peer: invalid ALPN value.");
128 #endif /* TSI_OPENSSL_ALPN_SUPPORT */
129 return GRPC_ERROR_NONE;
132 grpc_error* grpc_ssl_check_peer_name(const char* peer_name,
133 const tsi_peer* peer) {
134 /* Check the peer name if specified. */
135 if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
137 gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
138 grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
142 return GRPC_ERROR_NONE;
145 bool grpc_ssl_check_call_host(const char* host, const char* target_name,
146 const char* overridden_target_name,
147 grpc_auth_context* auth_context,
148 grpc_closure* on_call_host_checked,
149 grpc_error** error) {
150 grpc_security_status status = GRPC_SECURITY_ERROR;
151 tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
152 if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
153 if (overridden_target_name != nullptr && strcmp(host, target_name) == 0) {
154 status = GRPC_SECURITY_OK;
156 if (status != GRPC_SECURITY_OK) {
157 *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
158 "call host does not match SSL server name");
160 grpc_shallow_peer_destruct(&peer);
164 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
165 GPR_ASSERT(num_alpn_protocols != nullptr);
166 *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
167 const char** alpn_protocol_strings = static_cast<const char**>(
168 gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
169 for (size_t i = 0; i < *num_alpn_protocols; i++) {
170 alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
172 return alpn_protocol_strings;
175 int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
176 char* allocated_name = nullptr;
180 gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
181 gpr_free(ignored_port);
182 peer_name = allocated_name;
183 if (!peer_name) return 0;
185 // IPv6 zone-id should not be included in comparisons.
186 char* const zone_id = strchr(allocated_name, '%');
187 if (zone_id != nullptr) *zone_id = '\0';
189 r = tsi_ssl_peer_matches_name(peer, peer_name);
190 gpr_free(allocated_name);
194 bool grpc_ssl_cmp_target_name(const char* target_name,
195 const char* other_target_name,
196 const char* overridden_target_name,
197 const char* other_overridden_target_name) {
198 int c = strcmp(target_name, other_target_name);
199 if (c != 0) return c;
200 return (overridden_target_name == nullptr ||
201 other_overridden_target_name == nullptr)
202 ? GPR_ICMP(overridden_target_name, other_overridden_target_name)
203 : strcmp(overridden_target_name, other_overridden_target_name);
206 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
207 const tsi_peer* peer) {
209 const char* peer_identity_property_name = nullptr;
211 /* The caller has checked the certificate type property. */
212 GPR_ASSERT(peer->property_count >= 1);
213 grpc_core::RefCountedPtr<grpc_auth_context> ctx =
214 grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
215 grpc_auth_context_add_cstring_property(
216 ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
217 GRPC_SSL_TRANSPORT_SECURITY_TYPE);
218 for (i = 0; i < peer->property_count; i++) {
219 const tsi_peer_property* prop = &peer->properties[i];
220 if (prop->name == nullptr) continue;
221 if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
222 /* If there is no subject alt name, have the CN as the identity. */
223 if (peer_identity_property_name == nullptr) {
224 peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
226 grpc_auth_context_add_property(ctx.get(), GRPC_X509_CN_PROPERTY_NAME,
227 prop->value.data, prop->value.length);
228 } else if (strcmp(prop->name,
229 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
230 peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
231 grpc_auth_context_add_property(ctx.get(), GRPC_X509_SAN_PROPERTY_NAME,
232 prop->value.data, prop->value.length);
233 } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
234 grpc_auth_context_add_property(ctx.get(),
235 GRPC_X509_PEM_CERT_PROPERTY_NAME,
236 prop->value.data, prop->value.length);
237 } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
238 grpc_auth_context_add_property(ctx.get(),
239 GRPC_SSL_SESSION_REUSED_PROPERTY,
240 prop->value.data, prop->value.length);
243 if (peer_identity_property_name != nullptr) {
244 GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
245 ctx.get(), peer_identity_property_name) == 1);
250 static void add_shallow_auth_property_to_peer(tsi_peer* peer,
251 const grpc_auth_property* prop,
252 const char* tsi_prop_name) {
253 tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
254 tsi_prop->name = const_cast<char*>(tsi_prop_name);
255 tsi_prop->value.data = prop->value;
256 tsi_prop->value.length = prop->value_length;
259 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
260 const grpc_auth_context* auth_context) {
261 size_t max_num_props = 0;
262 grpc_auth_property_iterator it;
263 const grpc_auth_property* prop;
265 memset(&peer, 0, sizeof(peer));
267 it = grpc_auth_context_property_iterator(auth_context);
268 while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
270 if (max_num_props > 0) {
271 peer.properties = static_cast<tsi_peer_property*>(
272 gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
273 it = grpc_auth_context_property_iterator(auth_context);
274 while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
275 if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
276 add_shallow_auth_property_to_peer(
277 &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
278 } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
279 add_shallow_auth_property_to_peer(
280 &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
281 } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
282 add_shallow_auth_property_to_peer(&peer, prop,
283 TSI_X509_PEM_CERT_PROPERTY);
290 void grpc_shallow_peer_destruct(tsi_peer* peer) {
291 if (peer->properties != nullptr) gpr_free(peer->properties);
294 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
295 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
296 tsi_ssl_session_cache* ssl_session_cache,
297 tsi_ssl_client_handshaker_factory** handshaker_factory) {
298 const char* root_certs;
299 const tsi_ssl_root_certs_store* root_store;
300 if (pem_root_certs == nullptr) {
301 // Use default root certificates.
302 root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
303 if (root_certs == nullptr) {
304 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
305 return GRPC_SECURITY_ERROR;
307 root_store = grpc_core::DefaultSslRootStore::GetRootStore();
309 root_certs = pem_root_certs;
310 root_store = nullptr;
312 bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
313 pem_key_cert_pair->private_key != nullptr &&
314 pem_key_cert_pair->cert_chain != nullptr;
315 tsi_ssl_client_handshaker_options options;
316 GPR_DEBUG_ASSERT(root_certs != nullptr);
317 options.pem_root_certs = root_certs;
318 options.root_store = root_store;
319 options.alpn_protocols =
320 grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
321 if (has_key_cert_pair) {
322 options.pem_key_cert_pair = pem_key_cert_pair;
324 options.cipher_suites = grpc_get_ssl_cipher_suites();
325 options.session_cache = ssl_session_cache;
326 const tsi_result result =
327 tsi_create_ssl_client_handshaker_factory_with_options(&options,
329 gpr_free((void*)options.alpn_protocols);
330 if (result != TSI_OK) {
331 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
332 tsi_result_to_string(result));
333 return GRPC_SECURITY_ERROR;
335 return GRPC_SECURITY_OK;
338 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
339 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
340 const char* pem_root_certs,
341 grpc_ssl_client_certificate_request_type client_certificate_request,
342 tsi_ssl_server_handshaker_factory** handshaker_factory) {
343 size_t num_alpn_protocols = 0;
344 const char** alpn_protocol_strings =
345 grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
346 tsi_ssl_server_handshaker_options options;
347 options.pem_key_cert_pairs = pem_key_cert_pairs;
348 options.num_key_cert_pairs = num_key_cert_pairs;
349 options.pem_client_root_certs = pem_root_certs;
350 options.client_certificate_request =
351 grpc_get_tsi_client_certificate_request_type(client_certificate_request);
352 options.cipher_suites = grpc_get_ssl_cipher_suites();
353 options.alpn_protocols = alpn_protocol_strings;
354 options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
355 const tsi_result result =
356 tsi_create_ssl_server_handshaker_factory_with_options(&options,
358 gpr_free((void*)alpn_protocol_strings);
359 if (result != TSI_OK) {
360 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
361 tsi_result_to_string(result));
362 return GRPC_SECURITY_ERROR;
364 return GRPC_SECURITY_OK;
367 /* --- Ssl cache implementation. --- */
369 grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
370 tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
371 return reinterpret_cast<grpc_ssl_session_cache*>(cache);
374 void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
375 tsi_ssl_session_cache* tsi_cache =
376 reinterpret_cast<tsi_ssl_session_cache*>(cache);
377 tsi_ssl_session_cache_unref(tsi_cache);
380 static void* grpc_ssl_session_cache_arg_copy(void* p) {
381 tsi_ssl_session_cache* tsi_cache =
382 reinterpret_cast<tsi_ssl_session_cache*>(p);
383 // destroy call below will unref the pointer.
384 tsi_ssl_session_cache_ref(tsi_cache);
388 static void grpc_ssl_session_cache_arg_destroy(void* p) {
389 tsi_ssl_session_cache* tsi_cache =
390 reinterpret_cast<tsi_ssl_session_cache*>(p);
391 tsi_ssl_session_cache_unref(tsi_cache);
394 static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
395 return GPR_ICMP(p, q);
398 grpc_arg grpc_ssl_session_cache_create_channel_arg(
399 grpc_ssl_session_cache* cache) {
400 static const grpc_arg_pointer_vtable vtable = {
401 grpc_ssl_session_cache_arg_copy,
402 grpc_ssl_session_cache_arg_destroy,
403 grpc_ssl_session_cache_arg_cmp,
405 return grpc_channel_arg_pointer_create(
406 const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
409 /* --- Default SSL root store implementation. --- */
411 namespace grpc_core {
413 tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
414 grpc_slice DefaultSslRootStore::default_pem_root_certs_;
416 const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
418 return default_root_store_;
421 const char* DefaultSslRootStore::GetPemRootCerts() {
423 return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
425 : reinterpret_cast<const char*>
426 GRPC_SLICE_START_PTR(default_pem_root_certs_);
429 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
430 grpc_slice result = grpc_empty_slice();
431 char* not_use_system_roots_env_value =
432 gpr_getenv(GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
433 const bool not_use_system_roots = gpr_is_true(not_use_system_roots_env_value);
434 gpr_free(not_use_system_roots_env_value);
435 // First try to load the roots from the environment.
436 char* default_root_certs_path =
437 gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
438 if (default_root_certs_path != nullptr) {
439 GRPC_LOG_IF_ERROR("load_file",
440 grpc_load_file(default_root_certs_path, 1, &result));
441 gpr_free(default_root_certs_path);
443 // Try overridden roots if needed.
444 grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
445 if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
446 char* pem_root_certs = nullptr;
447 ovrd_res = ssl_roots_override_cb(&pem_root_certs);
448 if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
449 GPR_ASSERT(pem_root_certs != nullptr);
450 result = grpc_slice_from_copied_buffer(
452 strlen(pem_root_certs) + 1); // nullptr terminator.
454 gpr_free(pem_root_certs);
456 // Try loading roots from OS trust store if flag is enabled.
457 if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
458 result = LoadSystemRootCerts();
460 // Fallback to roots manually shipped with gRPC.
461 if (GRPC_SLICE_IS_EMPTY(result) &&
462 ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
463 GRPC_LOG_IF_ERROR("load_file",
464 grpc_load_file(installed_roots_path, 1, &result));
469 void DefaultSslRootStore::InitRootStore() {
470 static gpr_once once = GPR_ONCE_INIT;
471 gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
474 void DefaultSslRootStore::InitRootStoreOnce() {
475 default_pem_root_certs_ = ComputePemRootCerts();
476 if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
477 default_root_store_ =
478 tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
479 GRPC_SLICE_START_PTR(default_pem_root_certs_)));
483 } // namespace grpc_core