Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1 | /* |
| 2 | * |
Craig Tiller | 6169d5f | 2016-03-31 07:46:18 -0700 | [diff] [blame] | 3 | * Copyright 2015, Google Inc. |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 4 | * All rights reserved. |
| 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions are |
| 8 | * met: |
| 9 | * |
| 10 | * * Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * * Redistributions in binary form must reproduce the above |
| 13 | * copyright notice, this list of conditions and the following disclaimer |
| 14 | * in the documentation and/or other materials provided with the |
| 15 | * distribution. |
| 16 | * * Neither the name of Google Inc. nor the names of its |
| 17 | * contributors may be used to endorse or promote products derived from |
| 18 | * this software without specific prior written permission. |
| 19 | * |
| 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 21 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 22 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 23 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 24 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 25 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 26 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 27 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 28 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 29 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 30 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 31 | * |
| 32 | */ |
| 33 | |
Julien Boeuf | 8ca294e | 2016-05-02 14:56:30 -0700 | [diff] [blame] | 34 | #include "src/core/lib/security/transport/security_connector.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 35 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 36 | #include <stdbool.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 37 | #include <string.h> |
| 38 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 39 | #include <grpc/support/alloc.h> |
Julien Boeuf | 7fa3f41 | 2015-02-24 19:30:41 -0800 | [diff] [blame] | 40 | #include <grpc/support/host_port.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 41 | #include <grpc/support/log.h> |
| 42 | #include <grpc/support/slice_buffer.h> |
Masood Malekghassemi | 701af60 | 2015-06-03 15:01:17 -0700 | [diff] [blame] | 43 | #include <grpc/support/string_util.h> |
Craig Tiller | 732a875 | 2016-02-22 15:59:19 -0800 | [diff] [blame] | 44 | |
Craig Tiller | d1697d9 | 2016-04-05 16:05:46 -0700 | [diff] [blame] | 45 | #include "src/core/ext/transport/chttp2/alpn/alpn.h" |
Craig Tiller | 8517886 | 2016-05-18 16:09:16 -0700 | [diff] [blame] | 46 | #include "src/core/lib/iomgr/load_file.h" |
Julien Boeuf | 8ca294e | 2016-05-02 14:56:30 -0700 | [diff] [blame] | 47 | #include "src/core/lib/security/context/security_context.h" |
| 48 | #include "src/core/lib/security/credentials/credentials.h" |
| 49 | #include "src/core/lib/security/transport/handshake.h" |
| 50 | #include "src/core/lib/security/transport/secure_endpoint.h" |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 51 | #include "src/core/lib/support/env.h" |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 52 | #include "src/core/lib/support/string.h" |
Craig Tiller | 9533d04 | 2016-03-25 17:11:06 -0700 | [diff] [blame] | 53 | #include "src/core/lib/tsi/fake_transport_security.h" |
| 54 | #include "src/core/lib/tsi/ssl_transport_security.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 55 | |
| 56 | /* -- Constants. -- */ |
| 57 | |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 58 | #ifndef INSTALL_PREFIX |
Nicolas "Pixel" Noble | 161ea23 | 2015-02-22 05:48:53 +0100 | [diff] [blame] | 59 | static const char *installed_roots_path = "/usr/share/grpc/roots.pem"; |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 60 | #else |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 61 | static const char *installed_roots_path = |
| 62 | INSTALL_PREFIX "/share/grpc/roots.pem"; |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 63 | #endif |
| 64 | |
Julien Boeuf | a50da47 | 2016-01-27 16:23:41 -0800 | [diff] [blame] | 65 | /* -- Overridden default roots. -- */ |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 66 | |
Julien Boeuf | aaebf7a | 2016-01-28 17:04:42 -0800 | [diff] [blame] | 67 | static grpc_ssl_roots_override_callback ssl_roots_override_cb = NULL; |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 68 | |
Julien Boeuf | aaebf7a | 2016-01-28 17:04:42 -0800 | [diff] [blame] | 69 | void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) { |
| 70 | ssl_roots_override_cb = cb; |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 71 | } |
| 72 | |
Julien Boeuf | 8d6ec91 | 2015-02-24 20:07:59 -0800 | [diff] [blame] | 73 | /* -- Cipher suites. -- */ |
| 74 | |
| 75 | /* Defines the cipher suites that we accept by default. All these cipher suites |
| 76 | are compliant with HTTP2. */ |
Julien Boeuf | d43f0c3 | 2015-02-24 20:54:12 -0800 | [diff] [blame] | 77 | #define GRPC_SSL_CIPHER_SUITES \ |
| 78 | "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-" \ |
| 79 | "SHA384:ECDHE-RSA-AES256-GCM-SHA384" |
Julien Boeuf | 8d6ec91 | 2015-02-24 20:07:59 -0800 | [diff] [blame] | 80 | |
| 81 | static gpr_once cipher_suites_once = GPR_ONCE_INIT; |
| 82 | static const char *cipher_suites = NULL; |
| 83 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 84 | static void init_cipher_suites(void) { |
| 85 | char *overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES"); |
Julien Boeuf | 8d6ec91 | 2015-02-24 20:07:59 -0800 | [diff] [blame] | 86 | cipher_suites = overridden != NULL ? overridden : GRPC_SSL_CIPHER_SUITES; |
| 87 | } |
| 88 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 89 | static const char *ssl_cipher_suites(void) { |
| 90 | gpr_once_init(&cipher_suites_once, init_cipher_suites); |
Julien Boeuf | 8d6ec91 | 2015-02-24 20:07:59 -0800 | [diff] [blame] | 91 | return cipher_suites; |
| 92 | } |
| 93 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 94 | /* -- Common methods. -- */ |
| 95 | |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 96 | /* Returns the first property with that name. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 97 | const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer, |
| 98 | const char *name) { |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 99 | size_t i; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 100 | if (peer == NULL) return NULL; |
| 101 | for (i = 0; i < peer->property_count; i++) { |
| 102 | const tsi_peer_property *property = &peer->properties[i]; |
| 103 | if (name == NULL && property->name == NULL) { |
| 104 | return property; |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 105 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 106 | if (name != NULL && property->name != NULL && |
| 107 | strcmp(property->name, name) == 0) { |
| 108 | return property; |
| 109 | } |
| 110 | } |
Julien Boeuf | 77e8c1c | 2015-05-13 13:50:59 -0700 | [diff] [blame] | 111 | return NULL; |
| 112 | } |
| 113 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 114 | void grpc_server_security_connector_shutdown( |
| 115 | grpc_exec_ctx *exec_ctx, grpc_server_security_connector *connector) { |
yang-g | 5e72a35 | 2015-11-20 09:49:36 -0800 | [diff] [blame] | 116 | grpc_security_connector_handshake_list *tmp; |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 117 | gpr_mu_lock(&connector->mu); |
| 118 | while (connector->handshaking_handshakes) { |
| 119 | tmp = connector->handshaking_handshakes; |
| 120 | grpc_security_handshake_shutdown( |
| 121 | exec_ctx, connector->handshaking_handshakes->handshake); |
| 122 | connector->handshaking_handshakes = tmp->next; |
| 123 | gpr_free(tmp); |
yang-g | 5e72a35 | 2015-11-20 09:49:36 -0800 | [diff] [blame] | 124 | } |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 125 | gpr_mu_unlock(&connector->mu); |
yang-g | 5e7f08a | 2015-11-19 01:27:43 -0800 | [diff] [blame] | 126 | } |
| 127 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 128 | void grpc_channel_security_connector_do_handshake( |
| 129 | grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 130 | grpc_endpoint *nonsecure_endpoint, gpr_slice_buffer *read_buffer, |
| 131 | gpr_timespec deadline, grpc_security_handshake_done_cb cb, |
| 132 | void *user_data) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 133 | if (sc == NULL || nonsecure_endpoint == NULL) { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 134 | gpr_free(read_buffer); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 135 | cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, NULL, NULL); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 136 | } else { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 137 | sc->do_handshake(exec_ctx, sc, nonsecure_endpoint, read_buffer, deadline, |
| 138 | cb, user_data); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 139 | } |
| 140 | } |
| 141 | |
| 142 | void grpc_server_security_connector_do_handshake( |
| 143 | grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, |
| 144 | grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 145 | gpr_slice_buffer *read_buffer, gpr_timespec deadline, |
| 146 | grpc_security_handshake_done_cb cb, void *user_data) { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 147 | if (sc == NULL || nonsecure_endpoint == NULL) { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 148 | gpr_free(read_buffer); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 149 | cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, NULL, NULL); |
| 150 | } else { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 151 | sc->do_handshake(exec_ctx, sc, acceptor, nonsecure_endpoint, read_buffer, |
| 152 | deadline, cb, user_data); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 153 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 154 | } |
| 155 | |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 156 | void grpc_security_connector_check_peer(grpc_exec_ctx *exec_ctx, |
| 157 | grpc_security_connector *sc, |
| 158 | tsi_peer peer, |
| 159 | grpc_security_peer_check_cb cb, |
| 160 | void *user_data) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 161 | if (sc == NULL) { |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 162 | cb(exec_ctx, user_data, GRPC_SECURITY_ERROR, NULL); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 163 | tsi_peer_destruct(&peer); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 164 | } else { |
| 165 | sc->vtable->check_peer(exec_ctx, sc, peer, cb, user_data); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 166 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 167 | } |
| 168 | |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 169 | void grpc_channel_security_connector_check_call_host( |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 170 | grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 171 | const char *host, grpc_auth_context *auth_context, |
| 172 | grpc_security_call_host_check_cb cb, void *user_data) { |
| 173 | if (sc == NULL || sc->check_call_host == NULL) { |
| 174 | cb(exec_ctx, user_data, GRPC_SECURITY_ERROR); |
| 175 | } else { |
| 176 | sc->check_call_host(exec_ctx, sc, host, auth_context, cb, user_data); |
| 177 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 178 | } |
| 179 | |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 180 | #ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 181 | grpc_security_connector *grpc_security_connector_ref( |
| 182 | grpc_security_connector *sc, const char *file, int line, |
| 183 | const char *reason) { |
| 184 | if (sc == NULL) return NULL; |
| 185 | gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG, |
| 186 | "SECURITY_CONNECTOR:%p ref %d -> %d %s", sc, |
| 187 | (int)sc->refcount.count, (int)sc->refcount.count + 1, reason); |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 188 | #else |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 189 | grpc_security_connector *grpc_security_connector_ref( |
| 190 | grpc_security_connector *sc) { |
| 191 | if (sc == NULL) return NULL; |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 192 | #endif |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 193 | gpr_ref(&sc->refcount); |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 194 | return sc; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 195 | } |
| 196 | |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 197 | #ifdef GRPC_SECURITY_CONNECTOR_REFCOUNT_DEBUG |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 198 | void grpc_security_connector_unref(grpc_security_connector *sc, |
| 199 | const char *file, int line, |
| 200 | const char *reason) { |
| 201 | if (sc == NULL) return; |
| 202 | gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG, |
| 203 | "SECURITY_CONNECTOR:%p unref %d -> %d %s", sc, |
| 204 | (int)sc->refcount.count, (int)sc->refcount.count - 1, reason); |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 205 | #else |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 206 | void grpc_security_connector_unref(grpc_security_connector *sc) { |
| 207 | if (sc == NULL) return; |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 208 | #endif |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 209 | if (gpr_unref(&sc->refcount)) sc->vtable->destroy(sc); |
Craig Tiller | 5d44c06 | 2015-07-01 08:55:28 -0700 | [diff] [blame] | 210 | } |
| 211 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 212 | static void connector_pointer_arg_destroy(void *p) { |
David Garcia Quintas | 98da61b | 2016-10-29 08:46:31 +0200 | [diff] [blame] | 213 | GRPC_SECURITY_CONNECTOR_UNREF(p, "connector_pointer_arg_destroy"); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 214 | } |
| 215 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 216 | static void *connector_pointer_arg_copy(void *p) { |
David Garcia Quintas | 98da61b | 2016-10-29 08:46:31 +0200 | [diff] [blame] | 217 | return GRPC_SECURITY_CONNECTOR_REF(p, "connector_pointer_arg_copy"); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 218 | } |
| 219 | |
Craig Tiller | 5de79ee | 2016-01-25 08:16:02 -0800 | [diff] [blame] | 220 | static int connector_pointer_cmp(void *a, void *b) { return GPR_ICMP(a, b); } |
Craig Tiller | edc2fff | 2016-01-13 06:54:27 -0800 | [diff] [blame] | 221 | |
| 222 | static const grpc_arg_pointer_vtable connector_pointer_vtable = { |
Craig Tiller | 5de79ee | 2016-01-25 08:16:02 -0800 | [diff] [blame] | 223 | connector_pointer_arg_copy, connector_pointer_arg_destroy, |
| 224 | connector_pointer_cmp}; |
Craig Tiller | edc2fff | 2016-01-13 06:54:27 -0800 | [diff] [blame] | 225 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 226 | grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 227 | grpc_arg result; |
| 228 | result.type = GRPC_ARG_POINTER; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 229 | result.key = GRPC_SECURITY_CONNECTOR_ARG; |
Craig Tiller | edc2fff | 2016-01-13 06:54:27 -0800 | [diff] [blame] | 230 | result.value.pointer.vtable = &connector_pointer_vtable; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 231 | result.value.pointer.p = sc; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 232 | return result; |
| 233 | } |
| 234 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 235 | grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg) { |
| 236 | if (strcmp(arg->key, GRPC_SECURITY_CONNECTOR_ARG)) return NULL; |
| 237 | if (arg->type != GRPC_ARG_POINTER) { |
| 238 | gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type, |
| 239 | GRPC_SECURITY_CONNECTOR_ARG); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 240 | return NULL; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 241 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 242 | return arg->value.pointer.p; |
| 243 | } |
| 244 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 245 | grpc_security_connector *grpc_find_security_connector_in_args( |
| 246 | const grpc_channel_args *args) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 247 | size_t i; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 248 | if (args == NULL) return NULL; |
| 249 | for (i = 0; i < args->num_args; i++) { |
| 250 | grpc_security_connector *sc = |
| 251 | grpc_security_connector_from_arg(&args->args[i]); |
| 252 | if (sc != NULL) return sc; |
| 253 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 254 | return NULL; |
| 255 | } |
| 256 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 257 | /* -- Fake implementation. -- */ |
| 258 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 259 | static void fake_channel_destroy(grpc_security_connector *sc) { |
| 260 | grpc_channel_security_connector *c = (grpc_channel_security_connector *)sc; |
Julien Boeuf | 441176d | 2015-10-09 21:14:07 -0700 | [diff] [blame] | 261 | grpc_call_credentials_unref(c->request_metadata_creds); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 262 | gpr_free(sc); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 263 | } |
| 264 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 265 | static void fake_server_destroy(grpc_security_connector *sc) { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 266 | grpc_server_security_connector *c = (grpc_server_security_connector *)sc; |
| 267 | gpr_mu_destroy(&c->mu); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 268 | gpr_free(sc); |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 269 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 270 | |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 271 | static void fake_check_peer(grpc_exec_ctx *exec_ctx, |
| 272 | grpc_security_connector *sc, tsi_peer peer, |
| 273 | grpc_security_peer_check_cb cb, void *user_data) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 274 | const char *prop_name; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 275 | grpc_security_status status = GRPC_SECURITY_OK; |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 276 | grpc_auth_context *auth_context = NULL; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 277 | if (peer.property_count != 1) { |
| 278 | gpr_log(GPR_ERROR, "Fake peers should only have 1 property."); |
| 279 | status = GRPC_SECURITY_ERROR; |
| 280 | goto end; |
| 281 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 282 | prop_name = peer.properties[0].name; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 283 | if (prop_name == NULL || |
| 284 | strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) { |
| 285 | gpr_log(GPR_ERROR, "Unexpected property in fake peer: %s.", |
| 286 | prop_name == NULL ? "<EMPTY>" : prop_name); |
| 287 | status = GRPC_SECURITY_ERROR; |
| 288 | goto end; |
| 289 | } |
| 290 | if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE, |
| 291 | peer.properties[0].value.length)) { |
| 292 | gpr_log(GPR_ERROR, "Invalid value for cert type property."); |
| 293 | status = GRPC_SECURITY_ERROR; |
| 294 | goto end; |
| 295 | } |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 296 | auth_context = grpc_auth_context_create(NULL); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 297 | grpc_auth_context_add_cstring_property( |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 298 | auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 299 | GRPC_FAKE_TRANSPORT_SECURITY_TYPE); |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 300 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 301 | end: |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 302 | cb(exec_ctx, user_data, status, auth_context); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 303 | grpc_auth_context_unref(auth_context); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 304 | tsi_peer_destruct(&peer); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 305 | } |
| 306 | |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 307 | static void fake_channel_check_call_host(grpc_exec_ctx *exec_ctx, |
| 308 | grpc_channel_security_connector *sc, |
| 309 | const char *host, |
| 310 | grpc_auth_context *auth_context, |
| 311 | grpc_security_call_host_check_cb cb, |
| 312 | void *user_data) { |
| 313 | cb(exec_ctx, user_data, GRPC_SECURITY_OK); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 314 | } |
| 315 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 316 | static void fake_channel_do_handshake(grpc_exec_ctx *exec_ctx, |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 317 | grpc_channel_security_connector *sc, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 318 | grpc_endpoint *nonsecure_endpoint, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 319 | gpr_slice_buffer *read_buffer, |
Craig Tiller | 449c64b | 2016-06-13 16:26:50 -0700 | [diff] [blame] | 320 | gpr_timespec deadline, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 321 | grpc_security_handshake_done_cb cb, |
| 322 | void *user_data) { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 323 | grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(1), &sc->base, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 324 | true, nonsecure_endpoint, read_buffer, deadline, |
| 325 | cb, user_data); |
Julien Boeuf | 87047d7 | 2015-08-21 14:30:33 -0700 | [diff] [blame] | 326 | } |
| 327 | |
Mark D. Roth | a3e7bd8 | 2016-08-04 11:17:22 -0700 | [diff] [blame] | 328 | static void fake_server_do_handshake( |
| 329 | grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, |
| 330 | grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, |
| 331 | gpr_slice_buffer *read_buffer, gpr_timespec deadline, |
| 332 | grpc_security_handshake_done_cb cb, void *user_data) { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 333 | grpc_do_security_handshake(exec_ctx, tsi_create_fake_handshaker(0), &sc->base, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 334 | false, nonsecure_endpoint, read_buffer, deadline, |
| 335 | cb, user_data); |
Julien Boeuf | 87047d7 | 2015-08-21 14:30:33 -0700 | [diff] [blame] | 336 | } |
| 337 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 338 | static grpc_security_connector_vtable fake_channel_vtable = { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 339 | fake_channel_destroy, fake_check_peer}; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 340 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 341 | static grpc_security_connector_vtable fake_server_vtable = {fake_server_destroy, |
| 342 | fake_check_peer}; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 343 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 344 | grpc_channel_security_connector *grpc_fake_channel_security_connector_create( |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 345 | grpc_call_credentials *request_metadata_creds) { |
| 346 | grpc_channel_security_connector *c = gpr_malloc(sizeof(*c)); |
| 347 | memset(c, 0, sizeof(*c)); |
| 348 | gpr_ref_init(&c->base.refcount, 1); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 349 | c->base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; |
| 350 | c->base.vtable = &fake_channel_vtable; |
Craig Tiller | be52c6e | 2016-01-04 15:35:26 -0800 | [diff] [blame] | 351 | c->request_metadata_creds = grpc_call_credentials_ref(request_metadata_creds); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 352 | c->check_call_host = fake_channel_check_call_host; |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 353 | c->do_handshake = fake_channel_do_handshake; |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 354 | return c; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 355 | } |
| 356 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 357 | grpc_server_security_connector *grpc_fake_server_security_connector_create( |
| 358 | void) { |
| 359 | grpc_server_security_connector *c = |
| 360 | gpr_malloc(sizeof(grpc_server_security_connector)); |
| 361 | memset(c, 0, sizeof(*c)); |
| 362 | gpr_ref_init(&c->base.refcount, 1); |
| 363 | c->base.vtable = &fake_server_vtable; |
| 364 | c->base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; |
| 365 | c->do_handshake = fake_server_do_handshake; |
yang-g | 5e7f08a | 2015-11-19 01:27:43 -0800 | [diff] [blame] | 366 | gpr_mu_init(&c->mu); |
yang-g | 5e72a35 | 2015-11-20 09:49:36 -0800 | [diff] [blame] | 367 | return c; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 368 | } |
| 369 | |
| 370 | /* --- Ssl implementation. --- */ |
| 371 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 372 | typedef struct { |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 373 | grpc_channel_security_connector base; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 374 | tsi_ssl_handshaker_factory *handshaker_factory; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 375 | char *target_name; |
| 376 | char *overridden_target_name; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 377 | } grpc_ssl_channel_security_connector; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 378 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 379 | typedef struct { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 380 | grpc_server_security_connector base; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 381 | tsi_ssl_handshaker_factory *handshaker_factory; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 382 | } grpc_ssl_server_security_connector; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 383 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 384 | static void ssl_channel_destroy(grpc_security_connector *sc) { |
| 385 | grpc_ssl_channel_security_connector *c = |
| 386 | (grpc_ssl_channel_security_connector *)sc; |
Julien Boeuf | 441176d | 2015-10-09 21:14:07 -0700 | [diff] [blame] | 387 | grpc_call_credentials_unref(c->base.request_metadata_creds); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 388 | if (c->handshaker_factory != NULL) { |
| 389 | tsi_ssl_handshaker_factory_destroy(c->handshaker_factory); |
| 390 | } |
| 391 | if (c->target_name != NULL) gpr_free(c->target_name); |
| 392 | if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 393 | gpr_free(sc); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 394 | } |
| 395 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 396 | static void ssl_server_destroy(grpc_security_connector *sc) { |
| 397 | grpc_ssl_server_security_connector *c = |
| 398 | (grpc_ssl_server_security_connector *)sc; |
yang-g | 5e7f08a | 2015-11-19 01:27:43 -0800 | [diff] [blame] | 399 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 400 | if (c->handshaker_factory != NULL) { |
| 401 | tsi_ssl_handshaker_factory_destroy(c->handshaker_factory); |
| 402 | } |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 403 | gpr_mu_destroy(&c->base.mu); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 404 | gpr_free(sc); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 405 | } |
| 406 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 407 | static grpc_security_status ssl_create_handshaker( |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 408 | tsi_ssl_handshaker_factory *handshaker_factory, bool is_client, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 409 | const char *peer_name, tsi_handshaker **handshaker) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 410 | tsi_result result = TSI_OK; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 411 | if (handshaker_factory == NULL) return GRPC_SECURITY_ERROR; |
| 412 | result = tsi_ssl_handshaker_factory_create_handshaker( |
| 413 | handshaker_factory, is_client ? peer_name : NULL, handshaker); |
| 414 | if (result != TSI_OK) { |
| 415 | gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.", |
| 416 | tsi_result_to_string(result)); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 417 | return GRPC_SECURITY_ERROR; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 418 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 419 | return GRPC_SECURITY_OK; |
| 420 | } |
| 421 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 422 | static void ssl_channel_do_handshake(grpc_exec_ctx *exec_ctx, |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 423 | grpc_channel_security_connector *sc, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 424 | grpc_endpoint *nonsecure_endpoint, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 425 | gpr_slice_buffer *read_buffer, |
Craig Tiller | 449c64b | 2016-06-13 16:26:50 -0700 | [diff] [blame] | 426 | gpr_timespec deadline, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 427 | grpc_security_handshake_done_cb cb, |
| 428 | void *user_data) { |
| 429 | grpc_ssl_channel_security_connector *c = |
| 430 | (grpc_ssl_channel_security_connector *)sc; |
Julien Boeuf | db5282b | 2015-08-21 15:23:52 -0700 | [diff] [blame] | 431 | tsi_handshaker *handshaker; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 432 | grpc_security_status status = ssl_create_handshaker( |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 433 | c->handshaker_factory, true, |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 434 | c->overridden_target_name != NULL ? c->overridden_target_name |
| 435 | : c->target_name, |
| 436 | &handshaker); |
| 437 | if (status != GRPC_SECURITY_OK) { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 438 | gpr_free(read_buffer); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 439 | cb(exec_ctx, user_data, status, NULL, NULL); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 440 | } else { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 441 | grpc_do_security_handshake(exec_ctx, handshaker, &sc->base, true, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 442 | nonsecure_endpoint, read_buffer, deadline, cb, |
| 443 | user_data); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 444 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 445 | } |
| 446 | |
Mark D. Roth | a3e7bd8 | 2016-08-04 11:17:22 -0700 | [diff] [blame] | 447 | static void ssl_server_do_handshake( |
| 448 | grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, |
| 449 | grpc_tcp_server_acceptor *acceptor, grpc_endpoint *nonsecure_endpoint, |
| 450 | gpr_slice_buffer *read_buffer, gpr_timespec deadline, |
| 451 | grpc_security_handshake_done_cb cb, void *user_data) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 452 | grpc_ssl_server_security_connector *c = |
| 453 | (grpc_ssl_server_security_connector *)sc; |
Julien Boeuf | db5282b | 2015-08-21 15:23:52 -0700 | [diff] [blame] | 454 | tsi_handshaker *handshaker; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 455 | grpc_security_status status = |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 456 | ssl_create_handshaker(c->handshaker_factory, false, NULL, &handshaker); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 457 | if (status != GRPC_SECURITY_OK) { |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 458 | gpr_free(read_buffer); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 459 | cb(exec_ctx, user_data, status, NULL, NULL); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 460 | } else { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 461 | grpc_do_security_handshake(exec_ctx, handshaker, &sc->base, false, |
Mark D. Roth | 7d9f276 | 2016-08-04 11:06:49 -0700 | [diff] [blame] | 462 | nonsecure_endpoint, read_buffer, deadline, cb, |
| 463 | user_data); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 464 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 465 | } |
| 466 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 467 | static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) { |
Craig Tiller | deb49dd | 2015-02-25 11:58:49 -0800 | [diff] [blame] | 468 | char *allocated_name = NULL; |
| 469 | int r; |
| 470 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 471 | if (strchr(peer_name, ':') != NULL) { |
| 472 | char *ignored_port; |
| 473 | gpr_split_host_port(peer_name, &allocated_name, &ignored_port); |
| 474 | gpr_free(ignored_port); |
| 475 | peer_name = allocated_name; |
| 476 | if (!peer_name) return 0; |
| 477 | } |
| 478 | r = tsi_ssl_peer_matches_name(peer, peer_name); |
| 479 | gpr_free(allocated_name); |
Craig Tiller | deb49dd | 2015-02-25 11:58:49 -0800 | [diff] [blame] | 480 | return r; |
| 481 | } |
| 482 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 483 | grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) { |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 484 | size_t i; |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 485 | grpc_auth_context *ctx = NULL; |
Julien Boeuf | ea456fc | 2015-07-07 15:23:30 -0700 | [diff] [blame] | 486 | const char *peer_identity_property_name = NULL; |
Julien Boeuf | a701ade | 2015-06-18 15:23:40 +0200 | [diff] [blame] | 487 | |
| 488 | /* The caller has checked the certificate type property. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 489 | GPR_ASSERT(peer->property_count >= 1); |
| 490 | ctx = grpc_auth_context_create(NULL); |
| 491 | grpc_auth_context_add_cstring_property( |
| 492 | ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, |
| 493 | GRPC_SSL_TRANSPORT_SECURITY_TYPE); |
| 494 | for (i = 0; i < peer->property_count; i++) { |
| 495 | const tsi_peer_property *prop = &peer->properties[i]; |
| 496 | if (prop->name == NULL) continue; |
| 497 | if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) { |
| 498 | /* If there is no subject alt name, have the CN as the identity. */ |
| 499 | if (peer_identity_property_name == NULL) { |
| 500 | peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME; |
| 501 | } |
| 502 | grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME, |
| 503 | prop->value.data, prop->value.length); |
| 504 | } else if (strcmp(prop->name, |
| 505 | TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) { |
| 506 | peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME; |
| 507 | grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME, |
| 508 | prop->value.data, prop->value.length); |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 509 | } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) { |
| 510 | grpc_auth_context_add_property(ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME, |
| 511 | prop->value.data, prop->value.length); |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 512 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 513 | } |
| 514 | if (peer_identity_property_name != NULL) { |
| 515 | GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name( |
| 516 | ctx, peer_identity_property_name) == 1); |
| 517 | } |
Julien Boeuf | 84d964a | 2015-04-29 11:31:06 -0700 | [diff] [blame] | 518 | return ctx; |
| 519 | } |
| 520 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 521 | static grpc_security_status ssl_check_peer(grpc_security_connector *sc, |
| 522 | const char *peer_name, |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 523 | const tsi_peer *peer, |
| 524 | grpc_auth_context **auth_context) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 525 | /* Check the ALPN. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 526 | const tsi_peer_property *p = |
| 527 | tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL); |
| 528 | if (p == NULL) { |
| 529 | gpr_log(GPR_ERROR, "Missing selected ALPN property."); |
| 530 | return GRPC_SECURITY_ERROR; |
| 531 | } |
| 532 | if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) { |
| 533 | gpr_log(GPR_ERROR, "Invalid ALPN value."); |
| 534 | return GRPC_SECURITY_ERROR; |
| 535 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 536 | |
| 537 | /* Check the peer name if specified. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 538 | if (peer_name != NULL && !ssl_host_matches_name(peer, peer_name)) { |
| 539 | gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate", peer_name); |
| 540 | return GRPC_SECURITY_ERROR; |
| 541 | } |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 542 | *auth_context = tsi_ssl_peer_to_auth_context(peer); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 543 | return GRPC_SECURITY_OK; |
| 544 | } |
| 545 | |
Craig Tiller | be52c6e | 2016-01-04 15:35:26 -0800 | [diff] [blame] | 546 | static void ssl_channel_check_peer(grpc_exec_ctx *exec_ctx, |
| 547 | grpc_security_connector *sc, tsi_peer peer, |
| 548 | grpc_security_peer_check_cb cb, |
| 549 | void *user_data) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 550 | grpc_ssl_channel_security_connector *c = |
| 551 | (grpc_ssl_channel_security_connector *)sc; |
Julien Boeuf | 5882b53 | 2015-02-17 15:51:43 -0800 | [diff] [blame] | 552 | grpc_security_status status; |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 553 | grpc_auth_context *auth_context = NULL; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 554 | status = ssl_check_peer(sc, c->overridden_target_name != NULL |
| 555 | ? c->overridden_target_name |
| 556 | : c->target_name, |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 557 | &peer, &auth_context); |
| 558 | cb(exec_ctx, user_data, status, auth_context); |
| 559 | grpc_auth_context_unref(auth_context); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 560 | tsi_peer_destruct(&peer); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 561 | } |
| 562 | |
Craig Tiller | be52c6e | 2016-01-04 15:35:26 -0800 | [diff] [blame] | 563 | static void ssl_server_check_peer(grpc_exec_ctx *exec_ctx, |
| 564 | grpc_security_connector *sc, tsi_peer peer, |
| 565 | grpc_security_peer_check_cb cb, |
| 566 | void *user_data) { |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 567 | grpc_auth_context *auth_context = NULL; |
| 568 | grpc_security_status status = ssl_check_peer(sc, NULL, &peer, &auth_context); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 569 | tsi_peer_destruct(&peer); |
Julien Boeuf | 366f42c | 2015-12-16 22:05:46 -0800 | [diff] [blame] | 570 | cb(exec_ctx, user_data, status, auth_context); |
| 571 | grpc_auth_context_unref(auth_context); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 572 | } |
| 573 | |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 574 | static void add_shallow_auth_property_to_peer(tsi_peer *peer, |
| 575 | const grpc_auth_property *prop, |
| 576 | const char *tsi_prop_name) { |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 577 | tsi_peer_property *tsi_prop = &peer->properties[peer->property_count++]; |
| 578 | tsi_prop->name = (char *)tsi_prop_name; |
| 579 | tsi_prop->value.data = prop->value; |
| 580 | tsi_prop->value.length = prop->value_length; |
| 581 | } |
| 582 | |
| 583 | tsi_peer tsi_shallow_peer_from_ssl_auth_context( |
| 584 | const grpc_auth_context *auth_context) { |
| 585 | size_t max_num_props = 0; |
| 586 | grpc_auth_property_iterator it; |
| 587 | const grpc_auth_property *prop; |
| 588 | tsi_peer peer; |
| 589 | memset(&peer, 0, sizeof(peer)); |
| 590 | |
| 591 | it = grpc_auth_context_property_iterator(auth_context); |
| 592 | while (grpc_auth_property_iterator_next(&it) != NULL) max_num_props++; |
| 593 | |
| 594 | if (max_num_props > 0) { |
| 595 | peer.properties = gpr_malloc(max_num_props * sizeof(tsi_peer_property)); |
| 596 | it = grpc_auth_context_property_iterator(auth_context); |
| 597 | while ((prop = grpc_auth_property_iterator_next(&it)) != NULL) { |
| 598 | if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) { |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 599 | add_shallow_auth_property_to_peer( |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 600 | &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY); |
| 601 | } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) { |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 602 | add_shallow_auth_property_to_peer( |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 603 | &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY); |
Deepak Lukose | e61cbe3 | 2016-03-14 14:10:44 -0700 | [diff] [blame] | 604 | } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) { |
| 605 | add_shallow_auth_property_to_peer(&peer, prop, |
| 606 | TSI_X509_PEM_CERT_PROPERTY); |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 607 | } |
| 608 | } |
| 609 | } |
| 610 | return peer; |
| 611 | } |
| 612 | |
| 613 | void tsi_shallow_peer_destruct(tsi_peer *peer) { |
| 614 | if (peer->properties != NULL) gpr_free(peer->properties); |
| 615 | } |
| 616 | |
| 617 | static void ssl_channel_check_call_host(grpc_exec_ctx *exec_ctx, |
| 618 | grpc_channel_security_connector *sc, |
| 619 | const char *host, |
| 620 | grpc_auth_context *auth_context, |
| 621 | grpc_security_call_host_check_cb cb, |
| 622 | void *user_data) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 623 | grpc_ssl_channel_security_connector *c = |
| 624 | (grpc_ssl_channel_security_connector *)sc; |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 625 | grpc_security_status status = GRPC_SECURITY_ERROR; |
| 626 | tsi_peer peer = tsi_shallow_peer_from_ssl_auth_context(auth_context); |
| 627 | if (ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 628 | |
| 629 | /* If the target name was overridden, then the original target_name was |
| 630 | 'checked' transitively during the previous peer check at the end of the |
| 631 | handshake. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 632 | if (c->overridden_target_name != NULL && strcmp(host, c->target_name) == 0) { |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 633 | status = GRPC_SECURITY_OK; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 634 | } |
Julien Boeuf | 1d9ac66 | 2015-12-17 21:35:47 -0800 | [diff] [blame] | 635 | cb(exec_ctx, user_data, status); |
| 636 | tsi_shallow_peer_destruct(&peer); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 637 | } |
| 638 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 639 | static grpc_security_connector_vtable ssl_channel_vtable = { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 640 | ssl_channel_destroy, ssl_channel_check_peer}; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 641 | |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 642 | static grpc_security_connector_vtable ssl_server_vtable = { |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 643 | ssl_server_destroy, ssl_server_check_peer}; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 644 | |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 645 | static gpr_slice compute_default_pem_root_certs_once(void) { |
| 646 | gpr_slice result = gpr_empty_slice(); |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 647 | |
Julien Boeuf | 3e00179 | 2015-02-20 15:02:36 -0800 | [diff] [blame] | 648 | /* First try to load the roots from the environment. */ |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 649 | char *default_root_certs_path = |
| 650 | gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR); |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 651 | if (default_root_certs_path != NULL) { |
Craig Tiller | 4727b9b | 2016-05-17 17:19:19 -0700 | [diff] [blame] | 652 | GRPC_LOG_IF_ERROR("load_file", |
Craig Tiller | 8517886 | 2016-05-18 16:09:16 -0700 | [diff] [blame] | 653 | grpc_load_file(default_root_certs_path, 0, &result)); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 654 | gpr_free(default_root_certs_path); |
| 655 | } |
Julien Boeuf | 3e00179 | 2015-02-20 15:02:36 -0800 | [diff] [blame] | 656 | |
Julien Boeuf | 434eda4 | 2016-01-28 17:06:57 -0800 | [diff] [blame] | 657 | /* Try overridden roots if needed. */ |
Julien Boeuf | aaebf7a | 2016-01-28 17:04:42 -0800 | [diff] [blame] | 658 | grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL; |
| 659 | if (GPR_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != NULL) { |
| 660 | char *pem_root_certs = NULL; |
| 661 | ovrd_res = ssl_roots_override_cb(&pem_root_certs); |
| 662 | if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) { |
| 663 | GPR_ASSERT(pem_root_certs != NULL); |
| 664 | result = gpr_slice_new(pem_root_certs, strlen(pem_root_certs), gpr_free); |
| 665 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 666 | } |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 667 | |
| 668 | /* Fall back to installed certs if needed. */ |
Julien Boeuf | aaebf7a | 2016-01-28 17:04:42 -0800 | [diff] [blame] | 669 | if (GPR_SLICE_IS_EMPTY(result) && |
| 670 | ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) { |
Craig Tiller | 4727b9b | 2016-05-17 17:19:19 -0700 | [diff] [blame] | 671 | GRPC_LOG_IF_ERROR("load_file", |
Craig Tiller | 8517886 | 2016-05-18 16:09:16 -0700 | [diff] [blame] | 672 | grpc_load_file(installed_roots_path, 0, &result)); |
Julien Boeuf | 373debd | 2016-01-27 15:41:12 -0800 | [diff] [blame] | 673 | } |
| 674 | return result; |
| 675 | } |
| 676 | |
| 677 | static gpr_slice default_pem_root_certs; |
| 678 | |
| 679 | static void init_default_pem_root_certs(void) { |
| 680 | default_pem_root_certs = compute_default_pem_root_certs_once(); |
| 681 | } |
| 682 | |
| 683 | gpr_slice grpc_get_default_ssl_roots_for_testing(void) { |
| 684 | return compute_default_pem_root_certs_once(); |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 685 | } |
| 686 | |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 687 | static tsi_client_certificate_request_type |
| 688 | get_tsi_client_certificate_request_type( |
| 689 | grpc_ssl_client_certificate_request_type grpc_request_type) { |
| 690 | switch (grpc_request_type) { |
| 691 | case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE: |
| 692 | return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; |
| 693 | |
| 694 | case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
| 695 | return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; |
| 696 | |
| 697 | case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: |
| 698 | return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY; |
| 699 | |
| 700 | case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
| 701 | return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; |
| 702 | |
| 703 | case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: |
| 704 | return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY; |
| 705 | |
| 706 | default: |
| 707 | // Is this a sane default |
| 708 | return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; |
| 709 | } |
| 710 | } |
| 711 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 712 | size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) { |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 713 | /* TODO(jboeuf@google.com): Maybe revisit the approach which consists in |
| 714 | loading all the roots once for the lifetime of the process. */ |
| 715 | static gpr_once once = GPR_ONCE_INIT; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 716 | gpr_once_init(&once, init_default_pem_root_certs); |
| 717 | *pem_root_certs = GPR_SLICE_START_PTR(default_pem_root_certs); |
| 718 | return GPR_SLICE_LENGTH(default_pem_root_certs); |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 719 | } |
| 720 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 721 | grpc_security_status grpc_ssl_channel_security_connector_create( |
Craig Tiller | b113649 | 2015-11-18 11:30:17 -0800 | [diff] [blame] | 722 | grpc_call_credentials *request_metadata_creds, |
| 723 | const grpc_ssl_config *config, const char *target_name, |
| 724 | const char *overridden_target_name, grpc_channel_security_connector **sc) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 725 | size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); |
| 726 | const unsigned char **alpn_protocol_strings = |
| 727 | gpr_malloc(sizeof(const char *) * num_alpn_protocols); |
| 728 | unsigned char *alpn_protocol_string_lengths = |
| 729 | gpr_malloc(sizeof(unsigned char) * num_alpn_protocols); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 730 | tsi_result result = TSI_OK; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 731 | grpc_ssl_channel_security_connector *c; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 732 | size_t i; |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 733 | const unsigned char *pem_root_certs; |
| 734 | size_t pem_root_certs_size; |
Julien Boeuf | 7fa3f41 | 2015-02-24 19:30:41 -0800 | [diff] [blame] | 735 | char *port; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 736 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 737 | for (i = 0; i < num_alpn_protocols; i++) { |
| 738 | alpn_protocol_strings[i] = |
| 739 | (const unsigned char *)grpc_chttp2_get_alpn_version_index(i); |
| 740 | alpn_protocol_string_lengths[i] = |
| 741 | (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i)); |
| 742 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 743 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 744 | if (config == NULL || target_name == NULL) { |
| 745 | gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name."); |
| 746 | goto error; |
| 747 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 748 | if (config->pem_root_certs == NULL) { |
| 749 | pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs); |
| 750 | if (pem_root_certs == NULL || pem_root_certs_size == 0) { |
| 751 | gpr_log(GPR_ERROR, "Could not get default pem root certs."); |
yang-g | 46f2d34 | 2015-08-24 10:43:51 -0700 | [diff] [blame] | 752 | goto error; |
| 753 | } |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 754 | } else { |
| 755 | pem_root_certs = config->pem_root_certs; |
| 756 | pem_root_certs_size = config->pem_root_certs_size; |
| 757 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 758 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 759 | c = gpr_malloc(sizeof(grpc_ssl_channel_security_connector)); |
| 760 | memset(c, 0, sizeof(grpc_ssl_channel_security_connector)); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 761 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 762 | gpr_ref_init(&c->base.base.refcount, 1); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 763 | c->base.base.vtable = &ssl_channel_vtable; |
Julien Boeuf | f47a5cb | 2015-02-18 12:24:08 -0800 | [diff] [blame] | 764 | c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; |
Julien Boeuf | 441176d | 2015-10-09 21:14:07 -0700 | [diff] [blame] | 765 | c->base.request_metadata_creds = |
| 766 | grpc_call_credentials_ref(request_metadata_creds); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 767 | c->base.check_call_host = ssl_channel_check_call_host; |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 768 | c->base.do_handshake = ssl_channel_do_handshake; |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 769 | gpr_split_host_port(target_name, &c->target_name, &port); |
| 770 | gpr_free(port); |
| 771 | if (overridden_target_name != NULL) { |
| 772 | c->overridden_target_name = gpr_strdup(overridden_target_name); |
| 773 | } |
| 774 | result = tsi_create_ssl_client_handshaker_factory( |
| 775 | config->pem_private_key, config->pem_private_key_size, |
| 776 | config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, |
| 777 | pem_root_certs_size, ssl_cipher_suites(), alpn_protocol_strings, |
| 778 | alpn_protocol_string_lengths, (uint16_t)num_alpn_protocols, |
| 779 | &c->handshaker_factory); |
| 780 | if (result != TSI_OK) { |
| 781 | gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
| 782 | tsi_result_to_string(result)); |
| 783 | ssl_channel_destroy(&c->base.base); |
| 784 | *sc = NULL; |
| 785 | goto error; |
| 786 | } |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 787 | *sc = &c->base; |
Craig Tiller | 565b18b | 2015-09-23 10:09:42 -0700 | [diff] [blame] | 788 | gpr_free((void *)alpn_protocol_strings); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 789 | gpr_free(alpn_protocol_string_lengths); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 790 | return GRPC_SECURITY_OK; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 791 | |
| 792 | error: |
Craig Tiller | 565b18b | 2015-09-23 10:09:42 -0700 | [diff] [blame] | 793 | gpr_free((void *)alpn_protocol_strings); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 794 | gpr_free(alpn_protocol_string_lengths); |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 795 | return GRPC_SECURITY_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 796 | } |
| 797 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 798 | grpc_security_status grpc_ssl_server_security_connector_create( |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 799 | const grpc_ssl_server_config *config, grpc_server_security_connector **sc) { |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 800 | size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); |
| 801 | const unsigned char **alpn_protocol_strings = |
| 802 | gpr_malloc(sizeof(const char *) * num_alpn_protocols); |
| 803 | unsigned char *alpn_protocol_string_lengths = |
| 804 | gpr_malloc(sizeof(unsigned char) * num_alpn_protocols); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 805 | tsi_result result = TSI_OK; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 806 | grpc_ssl_server_security_connector *c; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 807 | size_t i; |
| 808 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 809 | for (i = 0; i < num_alpn_protocols; i++) { |
| 810 | alpn_protocol_strings[i] = |
| 811 | (const unsigned char *)grpc_chttp2_get_alpn_version_index(i); |
| 812 | alpn_protocol_string_lengths[i] = |
| 813 | (unsigned char)strlen(grpc_chttp2_get_alpn_version_index(i)); |
| 814 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 815 | |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 816 | if (config == NULL || config->num_key_cert_pairs == 0) { |
| 817 | gpr_log(GPR_ERROR, "An SSL server needs a key and a cert."); |
| 818 | goto error; |
| 819 | } |
| 820 | c = gpr_malloc(sizeof(grpc_ssl_server_security_connector)); |
| 821 | memset(c, 0, sizeof(grpc_ssl_server_security_connector)); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 822 | |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 823 | gpr_ref_init(&c->base.base.refcount, 1); |
| 824 | c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; |
| 825 | c->base.base.vtable = &ssl_server_vtable; |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 826 | result = tsi_create_ssl_server_handshaker_factory_ex( |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 827 | (const unsigned char **)config->pem_private_keys, |
| 828 | config->pem_private_keys_sizes, |
| 829 | (const unsigned char **)config->pem_cert_chains, |
| 830 | config->pem_cert_chains_sizes, config->num_key_cert_pairs, |
| 831 | config->pem_root_certs, config->pem_root_certs_size, |
Deepak Lukose | dba4c5f | 2016-03-25 12:54:25 -0700 | [diff] [blame] | 832 | get_tsi_client_certificate_request_type( |
| 833 | config->client_certificate_request), |
| 834 | ssl_cipher_suites(), alpn_protocol_strings, alpn_protocol_string_lengths, |
| 835 | (uint16_t)num_alpn_protocols, &c->handshaker_factory); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 836 | if (result != TSI_OK) { |
| 837 | gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
| 838 | tsi_result_to_string(result)); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 839 | ssl_server_destroy(&c->base.base); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 840 | *sc = NULL; |
| 841 | goto error; |
| 842 | } |
yang-g | 5e72a35 | 2015-11-20 09:49:36 -0800 | [diff] [blame] | 843 | gpr_mu_init(&c->base.mu); |
Julien Boeuf | 4f4d37c | 2016-02-24 22:07:36 -0800 | [diff] [blame] | 844 | c->base.do_handshake = ssl_server_do_handshake; |
Julien Boeuf | 7d1d9ca | 2015-04-17 14:38:48 -0700 | [diff] [blame] | 845 | *sc = &c->base; |
Craig Tiller | 565b18b | 2015-09-23 10:09:42 -0700 | [diff] [blame] | 846 | gpr_free((void *)alpn_protocol_strings); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 847 | gpr_free(alpn_protocol_string_lengths); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 848 | return GRPC_SECURITY_OK; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 849 | |
| 850 | error: |
Craig Tiller | 565b18b | 2015-09-23 10:09:42 -0700 | [diff] [blame] | 851 | gpr_free((void *)alpn_protocol_strings); |
Craig Tiller | a82950e | 2015-09-22 12:33:20 -0700 | [diff] [blame] | 852 | gpr_free(alpn_protocol_string_lengths); |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 853 | return GRPC_SECURITY_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 854 | } |