Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 1 | /* |
| 2 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 3 | * Copyright 2015 gRPC authors. |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 4 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 8 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 10 | * |
Jan Tattermusch | 7897ae9 | 2017-06-07 22:57:36 +0200 | [diff] [blame] | 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 16 | * |
| 17 | */ |
| 18 | |
Yihua Zhang | 75f0a9f | 2018-02-20 10:09:47 -0800 | [diff] [blame] | 19 | #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H |
| 20 | #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 21 | |
Alexander Polcyn | db3e898 | 2018-02-21 16:59:24 -0800 | [diff] [blame] | 22 | #include <grpc/support/port_platform.h> |
| 23 | |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 24 | #include <stdbool.h> |
| 25 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 26 | #include <grpc/grpc_security.h> |
Mark D. Roth | 963be37 | 2016-11-16 14:17:06 -0800 | [diff] [blame] | 27 | |
| 28 | #include "src/core/lib/channel/handshaker.h" |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 29 | #include "src/core/lib/iomgr/endpoint.h" |
| 30 | #include "src/core/lib/iomgr/tcp_server.h" |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 31 | #include "src/core/tsi/ssl_transport_security.h" |
Craig Tiller | b29f1fe | 2017-03-28 15:49:23 -0700 | [diff] [blame] | 32 | #include "src/core/tsi/transport_security_interface.h" |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 33 | |
ncteisen | 05294b6 | 2017-11-10 16:57:53 -0800 | [diff] [blame] | 34 | extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount; |
ncteisen | 4b58405 | 2017-06-08 16:44:38 -0700 | [diff] [blame] | 35 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 36 | /* --- status enum. --- */ |
| 37 | |
Craig Tiller | be52c6e | 2016-01-04 15:35:26 -0800 | [diff] [blame] | 38 | typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 39 | |
| 40 | /* --- URL schemes. --- */ |
| 41 | |
| 42 | #define GRPC_SSL_URL_SCHEME "https" |
| 43 | #define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security" |
| 44 | |
| 45 | /* --- security_connector object. --- |
| 46 | |
| 47 | A security connector object represents away to configure the underlying |
| 48 | transport security mechanism and check the resulting trusted peer. */ |
| 49 | |
| 50 | typedef struct grpc_security_connector grpc_security_connector; |
| 51 | |
David Garcia Quintas | 0129150 | 2017-02-07 13:26:41 -0800 | [diff] [blame] | 52 | #define GRPC_ARG_SECURITY_CONNECTOR "grpc.security_connector" |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 53 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 54 | typedef struct { |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 55 | void (*destroy)(grpc_security_connector* sc); |
| 56 | void (*check_peer)(grpc_security_connector* sc, tsi_peer peer, |
| 57 | grpc_auth_context** auth_context, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 58 | grpc_closure* on_peer_checked); |
| 59 | int (*cmp)(grpc_security_connector* sc, grpc_security_connector* other); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 60 | } grpc_security_connector_vtable; |
| 61 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 62 | struct grpc_security_connector { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 63 | const grpc_security_connector_vtable* vtable; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 64 | gpr_refcount refcount; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 65 | const char* url_scheme; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 66 | }; |
| 67 | |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 68 | /* Refcounting. */ |
ncteisen | 4b58405 | 2017-06-08 16:44:38 -0700 | [diff] [blame] | 69 | #ifndef NDEBUG |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 70 | #define GRPC_SECURITY_CONNECTOR_REF(p, r) \ |
| 71 | grpc_security_connector_ref((p), __FILE__, __LINE__, (r)) |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 72 | #define GRPC_SECURITY_CONNECTOR_UNREF(p, r) \ |
| 73 | grpc_security_connector_unref((p), __FILE__, __LINE__, (r)) |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 74 | grpc_security_connector* grpc_security_connector_ref( |
| 75 | grpc_security_connector* policy, const char* file, int line, |
| 76 | const char* reason); |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 77 | void grpc_security_connector_unref(grpc_security_connector* policy, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 78 | const char* file, int line, |
| 79 | const char* reason); |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 80 | #else |
| 81 | #define GRPC_SECURITY_CONNECTOR_REF(p, r) grpc_security_connector_ref((p)) |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 82 | #define GRPC_SECURITY_CONNECTOR_UNREF(p, r) grpc_security_connector_unref((p)) |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 83 | grpc_security_connector* grpc_security_connector_ref( |
| 84 | grpc_security_connector* policy); |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 85 | void grpc_security_connector_unref(grpc_security_connector* policy); |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 86 | #endif |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 87 | |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 88 | /* Check the peer. Callee takes ownership of the peer object. |
Mark D. Roth | 71daef7 | 2016-12-06 07:26:52 -0800 | [diff] [blame] | 89 | When done, sets *auth_context and invokes on_peer_checked. */ |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 90 | void grpc_security_connector_check_peer(grpc_security_connector* sc, |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 91 | tsi_peer peer, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 92 | grpc_auth_context** auth_context, |
| 93 | grpc_closure* on_peer_checked); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 94 | |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 95 | /* Compares two security connectors. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 96 | int grpc_security_connector_cmp(grpc_security_connector* sc, |
| 97 | grpc_security_connector* other); |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 98 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 99 | /* Util to encapsulate the connector in a channel arg. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 100 | grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 101 | |
| 102 | /* Util to get the connector from a channel arg. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 103 | grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 104 | |
| 105 | /* Util to find the connector from channel args. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 106 | grpc_security_connector* grpc_security_connector_find_in_args( |
| 107 | const grpc_channel_args* args); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 108 | |
| 109 | /* --- channel_security_connector object. --- |
| 110 | |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 111 | A channel security connector object represents a way to configure the |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 112 | underlying transport security mechanism on the client side. */ |
| 113 | |
| 114 | typedef struct grpc_channel_security_connector grpc_channel_security_connector; |
| 115 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 116 | struct grpc_channel_security_connector { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 117 | grpc_security_connector base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 118 | grpc_channel_credentials* channel_creds; |
| 119 | grpc_call_credentials* request_metadata_creds; |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 120 | bool (*check_call_host)(grpc_channel_security_connector* sc, const char* host, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 121 | grpc_auth_context* auth_context, |
| 122 | grpc_closure* on_call_host_checked, |
| 123 | grpc_error** error); |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 124 | void (*cancel_check_call_host)(grpc_channel_security_connector* sc, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 125 | grpc_closure* on_call_host_checked, |
| 126 | grpc_error* error); |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 127 | void (*add_handshakers)(grpc_channel_security_connector* sc, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 128 | grpc_handshake_manager* handshake_mgr); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 129 | }; |
| 130 | |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 131 | /// A helper function for use in grpc_security_connector_cmp() implementations. |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 132 | int grpc_channel_security_connector_cmp(grpc_channel_security_connector* sc1, |
| 133 | grpc_channel_security_connector* sc2); |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 134 | |
Mark D. Roth | e0778b2 | 2017-07-21 15:42:00 -0700 | [diff] [blame] | 135 | /// Checks that the host that will be set for a call is acceptable. |
| 136 | /// Returns true if completed synchronously, in which case \a error will |
| 137 | /// be set to indicate the result. Otherwise, \a on_call_host_checked |
| 138 | /// will be invoked when complete. |
| 139 | bool grpc_channel_security_connector_check_call_host( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 140 | grpc_channel_security_connector* sc, const char* host, |
| 141 | grpc_auth_context* auth_context, grpc_closure* on_call_host_checked, |
| 142 | grpc_error** error); |
Mark D. Roth | e0778b2 | 2017-07-21 15:42:00 -0700 | [diff] [blame] | 143 | |
| 144 | /// Cancels a pending asychronous call to |
| 145 | /// grpc_channel_security_connector_check_call_host() with |
| 146 | /// \a on_call_host_checked as its callback. |
| 147 | void grpc_channel_security_connector_cancel_check_call_host( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 148 | grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked, |
| 149 | grpc_error* error); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 150 | |
Mark D. Roth | 963be37 | 2016-11-16 14:17:06 -0800 | [diff] [blame] | 151 | /* Registers handshakers with \a handshake_mgr. */ |
Mark D. Roth | 65b79c8 | 2016-12-06 07:20:20 -0800 | [diff] [blame] | 152 | void grpc_channel_security_connector_add_handshakers( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 153 | grpc_channel_security_connector* connector, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 154 | grpc_handshake_manager* handshake_mgr); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 155 | |
| 156 | /* --- server_security_connector object. --- |
| 157 | |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 158 | A server security connector object represents a way to configure the |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 159 | underlying transport security mechanism on the server side. */ |
| 160 | |
| 161 | typedef struct grpc_server_security_connector grpc_server_security_connector; |
| 162 | |
| 163 | struct grpc_server_security_connector { |
| 164 | grpc_security_connector base; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 165 | grpc_server_credentials* server_creds; |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 166 | void (*add_handshakers)(grpc_server_security_connector* sc, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 167 | grpc_handshake_manager* handshake_mgr); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 168 | }; |
| 169 | |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 170 | /// A helper function for use in grpc_security_connector_cmp() implementations. |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 171 | int grpc_server_security_connector_cmp(grpc_server_security_connector* sc1, |
| 172 | grpc_server_security_connector* sc2); |
Mark D. Roth | ccfdfb3 | 2017-10-16 13:26:13 -0700 | [diff] [blame] | 173 | |
Mark D. Roth | 65b79c8 | 2016-12-06 07:20:20 -0800 | [diff] [blame] | 174 | void grpc_server_security_connector_add_handshakers( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 175 | grpc_server_security_connector* sc, grpc_handshake_manager* handshake_mgr); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 176 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 177 | /* --- Creation security connectors. --- */ |
| 178 | |
| 179 | /* For TESTING ONLY! |
| 180 | Creates a fake connector that emulates real channel security. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 181 | grpc_channel_security_connector* grpc_fake_channel_security_connector_create( |
| 182 | grpc_channel_credentials* channel_creds, |
| 183 | grpc_call_credentials* request_metadata_creds, const char* target, |
| 184 | const grpc_channel_args* args); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 185 | |
| 186 | /* For TESTING ONLY! |
| 187 | Creates a fake connector that emulates real server security. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 188 | grpc_server_security_connector* grpc_fake_server_security_connector_create( |
| 189 | grpc_server_credentials* server_creds); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 190 | |
| 191 | /* Config for ssl clients. */ |
Julien Boeuf | b71ef65 | 2017-04-12 21:44:49 -0700 | [diff] [blame] | 192 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 193 | typedef struct { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 194 | tsi_ssl_pem_key_cert_pair* pem_key_cert_pair; |
| 195 | char* pem_root_certs; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 196 | } grpc_ssl_config; |
| 197 | |
| 198 | /* Creates an SSL channel_security_connector. |
| 199 | - request_metadata_creds is the credentials object which metadata |
| 200 | will be sent with each request. This parameter can be NULL. |
| 201 | - config is the SSL config to be used for the SSL channel establishment. |
| 202 | - is_client should be 0 for a server or a non-0 value for a client. |
| 203 | - secure_peer_name is the secure peer name that should be checked in |
| 204 | grpc_channel_security_connector_check_peer. This parameter may be NULL in |
| 205 | which case the peer name will not be checked. Note that if this parameter |
| 206 | is not NULL, then, pem_root_certs should not be NULL either. |
| 207 | - sc is a pointer on the connector to be created. |
| 208 | This function returns GRPC_SECURITY_OK in case of success or a |
| 209 | specific error code otherwise. |
| 210 | */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 211 | grpc_security_status grpc_ssl_channel_security_connector_create( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 212 | grpc_channel_credentials* channel_creds, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 213 | grpc_call_credentials* request_metadata_creds, |
| 214 | const grpc_ssl_config* config, const char* target_name, |
Ruslan Nigmatullin | 7ae3733 | 2018-02-21 16:44:35 -0800 | [diff] [blame] | 215 | const char* overridden_target_name, |
| 216 | tsi_ssl_session_cache* ssl_session_cache, |
| 217 | grpc_channel_security_connector** sc); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 218 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 219 | /* Config for ssl servers. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 220 | typedef struct { |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 221 | tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 222 | size_t num_key_cert_pairs; |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 223 | char* pem_root_certs; |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 224 | grpc_ssl_client_certificate_request_type client_certificate_request; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 225 | } grpc_ssl_server_config; |
| 226 | |
| 227 | /* Creates an SSL server_security_connector. |
| 228 | - config is the SSL config to be used for the SSL channel establishment. |
| 229 | - sc is a pointer on the connector to be created. |
| 230 | This function returns GRPC_SECURITY_OK in case of success or a |
| 231 | specific error code otherwise. |
| 232 | */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 233 | grpc_security_status grpc_ssl_server_security_connector_create( |
Yash Tibrewal | 8cf1470 | 2017-12-06 09:47:54 -0800 | [diff] [blame] | 234 | grpc_server_credentials* server_credentials, |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 235 | grpc_server_security_connector** sc); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 236 | |
Julien Boeuf | cf4124e | 2015-05-18 15:08:50 -0700 | [diff] [blame] | 237 | /* Util. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 238 | const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer, |
| 239 | const char* name); |
Julien Boeuf | cf4124e | 2015-05-18 15:08:50 -0700 | [diff] [blame] | 240 | |
Julien Boeuf | a701ade | 2015-06-18 15:23:40 +0200 | [diff] [blame] | 241 | /* Exposed for testing only. */ |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 242 | grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer); |
Julien Boeuf | ee9d78b | 2015-12-18 09:50:34 -0800 | [diff] [blame] | 243 | tsi_peer tsi_shallow_peer_from_ssl_auth_context( |
Craig Tiller | baa14a9 | 2017-11-03 09:09:36 -0700 | [diff] [blame] | 244 | const grpc_auth_context* auth_context); |
| 245 | void tsi_shallow_peer_destruct(tsi_peer* peer); |
Julien Boeuf | a701ade | 2015-06-18 15:23:40 +0200 | [diff] [blame] | 246 | |
jiangtaoli2016 | 144f555 | 2018-03-23 11:28:48 -0700 | [diff] [blame^] | 247 | /* --- Default SSL Root Store. --- */ |
| 248 | namespace grpc_core { |
| 249 | |
| 250 | // The class implements default SSL root store. |
| 251 | class DefaultSslRootStore { |
| 252 | public: |
| 253 | // Gets the default SSL root store. Returns nullptr if not found. |
| 254 | static const tsi_ssl_root_certs_store* GetRootStore(); |
| 255 | |
| 256 | // Gets the default PEM root certificate. |
| 257 | static const char* GetPemRootCerts(); |
| 258 | |
| 259 | // Initializes the SSL root store's underlying data structure. It does not |
| 260 | // load default SSL root certificates. Should only be called by |
| 261 | // grpc_security_init(). |
| 262 | static void Initialize(); |
| 263 | |
| 264 | // Destroys the default SSL root store. Should only be called by |
| 265 | // grpc_security_shutdown(). |
| 266 | static void Destroy(); |
| 267 | |
| 268 | protected: |
| 269 | // Returns default PEM root certificates in nullptr terminated grpc_slice. |
| 270 | // This function is protected instead of private, so that it can be tested. |
| 271 | static grpc_slice ComputePemRootCerts(); |
| 272 | |
| 273 | private: |
| 274 | // Construct me not! |
| 275 | DefaultSslRootStore(); |
| 276 | |
| 277 | // Initialization of default SSL root store. |
| 278 | static void InitRootStore(); |
| 279 | |
| 280 | // One-time initialization of default SSL root store. |
| 281 | static void InitRootStoreOnce(); |
| 282 | |
| 283 | // SSL root store in tsi_ssl_root_certs_store object. |
| 284 | static tsi_ssl_root_certs_store* default_root_store_; |
| 285 | |
| 286 | // Default PEM root certificates. |
| 287 | static grpc_slice default_pem_root_certs_; |
| 288 | }; |
| 289 | |
| 290 | } // namespace grpc_core |
| 291 | |
Yihua Zhang | 75f0a9f | 2018-02-20 10:09:47 -0800 | [diff] [blame] | 292 | #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H */ |