Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 1 | /* |
| 2 | * |
Craig Tiller | 0605995 | 2015-02-18 08:34:56 -0800 | [diff] [blame] | 3 | * Copyright 2015, Google Inc. |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 4 | * All rights reserved. |
| 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions are |
| 8 | * met: |
| 9 | * |
| 10 | * * Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * * Redistributions in binary form must reproduce the above |
| 13 | * copyright notice, this list of conditions and the following disclaimer |
| 14 | * in the documentation and/or other materials provided with the |
| 15 | * distribution. |
| 16 | * * Neither the name of Google Inc. nor the names of its |
| 17 | * contributors may be used to endorse or promote products derived from |
| 18 | * this software without specific prior written permission. |
| 19 | * |
| 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 21 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 22 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 23 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 24 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 25 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 26 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 27 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 28 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 29 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 30 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 31 | * |
| 32 | */ |
| 33 | |
| 34 | #include "src/core/security/security_context.h" |
| 35 | |
| 36 | #include <string.h> |
| 37 | |
David Klempner | a1e8693 | 2015-01-13 18:13:59 -0800 | [diff] [blame] | 38 | #include "src/core/channel/channel_args.h" |
David Klempner | ed0cbc8 | 2015-01-14 14:46:10 -0800 | [diff] [blame] | 39 | #include "src/core/channel/http_client_filter.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 40 | #include "src/core/security/credentials.h" |
ctiller | 2bbb6c4 | 2014-12-17 09:44:44 -0800 | [diff] [blame] | 41 | #include "src/core/security/secure_endpoint.h" |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 42 | #include "src/core/support/env.h" |
| 43 | #include "src/core/support/file.h" |
Craig Tiller | 485d776 | 2015-01-23 12:54:05 -0800 | [diff] [blame] | 44 | #include "src/core/support/string.h" |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 45 | #include "src/core/transport/chttp2/alpn.h" |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 46 | #include <grpc/support/alloc.h> |
| 47 | #include <grpc/support/log.h> |
| 48 | #include <grpc/support/slice_buffer.h> |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 49 | #include "src/core/tsi/fake_transport_security.h" |
| 50 | #include "src/core/tsi/ssl_transport_security.h" |
| 51 | |
| 52 | /* -- Constants. -- */ |
| 53 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 54 | /* Defines the cipher suites that we accept. All these cipher suites are |
| 55 | compliant with TLS 1.2 and use an RSA public key. We prefer GCM over CBC |
| 56 | and ECDHE-RSA over just RSA. */ |
| 57 | #define GRPC_SSL_CIPHER_SUITES \ |
| 58 | "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:" \ |
| 59 | "AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-" \ |
| 60 | "SHA256:AES256-SHA256" |
| 61 | |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 62 | #ifndef INSTALL_PREFIX |
Nicolas "Pixel" Noble | 161ea23 | 2015-02-22 05:48:53 +0100 | [diff] [blame] | 63 | static const char *installed_roots_path = "/usr/share/grpc/roots.pem"; |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 64 | #else |
Nicolas "Pixel" Noble | 161ea23 | 2015-02-22 05:48:53 +0100 | [diff] [blame] | 65 | static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem"; |
Nicolas "Pixel" Noble | 7274382 | 2015-02-20 20:59:29 +0100 | [diff] [blame] | 66 | #endif |
| 67 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 68 | /* -- Common methods. -- */ |
| 69 | |
| 70 | grpc_security_status grpc_security_context_create_handshaker( |
| 71 | grpc_security_context *ctx, tsi_handshaker **handshaker) { |
| 72 | if (ctx == NULL || handshaker == NULL) return GRPC_SECURITY_ERROR; |
| 73 | return ctx->vtable->create_handshaker(ctx, handshaker); |
| 74 | } |
| 75 | |
| 76 | grpc_security_status grpc_security_context_check_peer( |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 77 | grpc_security_context *ctx, tsi_peer peer, grpc_security_check_cb cb, |
| 78 | void *user_data) { |
| 79 | if (ctx == NULL) { |
| 80 | tsi_peer_destruct(&peer); |
| 81 | return GRPC_SECURITY_ERROR; |
| 82 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 83 | return ctx->vtable->check_peer(ctx, peer, cb, user_data); |
| 84 | } |
| 85 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 86 | grpc_security_status grpc_channel_security_context_check_call_host( |
| 87 | grpc_channel_security_context *ctx, const char *host, |
| 88 | grpc_security_check_cb cb, void *user_data) { |
| 89 | if (ctx == NULL || ctx->check_call_host == NULL) return GRPC_SECURITY_ERROR; |
| 90 | return ctx->check_call_host(ctx, host, cb, user_data); |
| 91 | } |
| 92 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 93 | void grpc_security_context_unref(grpc_security_context *ctx) { |
| 94 | if (ctx == NULL) return; |
| 95 | if (gpr_unref(&ctx->refcount)) ctx->vtable->destroy(ctx); |
| 96 | } |
| 97 | |
| 98 | grpc_security_context *grpc_security_context_ref(grpc_security_context *ctx) { |
| 99 | if (ctx == NULL) return NULL; |
| 100 | gpr_ref(&ctx->refcount); |
| 101 | return ctx; |
| 102 | } |
| 103 | |
| 104 | static void context_pointer_arg_destroy(void *p) { |
| 105 | grpc_security_context_unref(p); |
| 106 | } |
| 107 | |
| 108 | static void *context_pointer_arg_copy(void *p) { |
| 109 | return grpc_security_context_ref(p); |
| 110 | } |
| 111 | |
| 112 | grpc_arg grpc_security_context_to_arg(grpc_security_context *ctx) { |
| 113 | grpc_arg result; |
| 114 | result.type = GRPC_ARG_POINTER; |
| 115 | result.key = GRPC_SECURITY_CONTEXT_ARG; |
| 116 | result.value.pointer.destroy = context_pointer_arg_destroy; |
| 117 | result.value.pointer.copy = context_pointer_arg_copy; |
| 118 | result.value.pointer.p = ctx; |
| 119 | return result; |
| 120 | } |
| 121 | |
Craig Tiller | b5dcec5 | 2015-01-13 11:13:42 -0800 | [diff] [blame] | 122 | grpc_security_context *grpc_security_context_from_arg(const grpc_arg *arg) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 123 | if (strcmp(arg->key, GRPC_SECURITY_CONTEXT_ARG)) return NULL; |
| 124 | if (arg->type != GRPC_ARG_POINTER) { |
| 125 | gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type, |
| 126 | GRPC_SECURITY_CONTEXT_ARG); |
| 127 | return NULL; |
| 128 | } |
| 129 | return arg->value.pointer.p; |
| 130 | } |
| 131 | |
| 132 | grpc_security_context *grpc_find_security_context_in_args( |
| 133 | const grpc_channel_args *args) { |
| 134 | size_t i; |
| 135 | if (args == NULL) return NULL; |
| 136 | for (i = 0; i < args->num_args; i++) { |
| 137 | grpc_security_context *ctx = grpc_security_context_from_arg(&args->args[i]); |
| 138 | if (ctx != NULL) return ctx; |
| 139 | } |
| 140 | return NULL; |
| 141 | } |
| 142 | |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 143 | static int check_request_metadata_creds(grpc_credentials *creds) { |
| 144 | if (creds != NULL && !grpc_credentials_has_request_metadata(creds)) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 145 | gpr_log(GPR_ERROR, |
| 146 | "Incompatible credentials for channel security context: needs to " |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 147 | "set request metadata."); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 148 | return 0; |
| 149 | } |
| 150 | return 1; |
| 151 | } |
| 152 | |
| 153 | /* -- Fake implementation. -- */ |
| 154 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 155 | typedef struct { |
| 156 | grpc_channel_security_context base; |
| 157 | int call_host_check_is_async; |
| 158 | } grpc_fake_channel_security_context; |
| 159 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 160 | static void fake_channel_destroy(grpc_security_context *ctx) { |
| 161 | grpc_channel_security_context *c = (grpc_channel_security_context *)ctx; |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 162 | grpc_credentials_unref(c->request_metadata_creds); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 163 | gpr_free(ctx); |
| 164 | } |
| 165 | |
Craig Tiller | b5dcec5 | 2015-01-13 11:13:42 -0800 | [diff] [blame] | 166 | static void fake_server_destroy(grpc_security_context *ctx) { gpr_free(ctx); } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 167 | |
| 168 | static grpc_security_status fake_channel_create_handshaker( |
| 169 | grpc_security_context *ctx, tsi_handshaker **handshaker) { |
| 170 | *handshaker = tsi_create_fake_handshaker(1); |
| 171 | return GRPC_SECURITY_OK; |
| 172 | } |
| 173 | |
| 174 | static grpc_security_status fake_server_create_handshaker( |
| 175 | grpc_security_context *ctx, tsi_handshaker **handshaker) { |
| 176 | *handshaker = tsi_create_fake_handshaker(0); |
| 177 | return GRPC_SECURITY_OK; |
| 178 | } |
| 179 | |
| 180 | static grpc_security_status fake_check_peer(grpc_security_context *ctx, |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 181 | tsi_peer peer, |
| 182 | grpc_security_check_cb cb, |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 183 | void *user_data) { |
| 184 | const char *prop_name; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 185 | grpc_security_status status = GRPC_SECURITY_OK; |
| 186 | if (peer.property_count != 1) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 187 | gpr_log(GPR_ERROR, "Fake peers should only have 1 property."); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 188 | status = GRPC_SECURITY_ERROR; |
| 189 | goto end; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 190 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 191 | prop_name = peer.properties[0].name; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 192 | if (prop_name == NULL || |
| 193 | strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) { |
| 194 | gpr_log(GPR_ERROR, "Unexpected property in fake peer: %s.", |
| 195 | prop_name == NULL ? "<EMPTY>" : prop_name); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 196 | status = GRPC_SECURITY_ERROR; |
| 197 | goto end; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 198 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 199 | if (peer.properties[0].type != TSI_PEER_PROPERTY_TYPE_STRING) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 200 | gpr_log(GPR_ERROR, "Invalid type of cert type property."); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 201 | status = GRPC_SECURITY_ERROR; |
| 202 | goto end; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 203 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 204 | if (strncmp(peer.properties[0].value.string.data, TSI_FAKE_CERTIFICATE_TYPE, |
| 205 | peer.properties[0].value.string.length)) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 206 | gpr_log(GPR_ERROR, "Invalid value for cert type property."); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 207 | status = GRPC_SECURITY_ERROR; |
| 208 | goto end; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 209 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 210 | end: |
| 211 | tsi_peer_destruct(&peer); |
| 212 | return status; |
| 213 | } |
| 214 | |
| 215 | static grpc_security_status fake_channel_check_call_host( |
| 216 | grpc_channel_security_context *ctx, const char *host, |
| 217 | grpc_security_check_cb cb, void *user_data) { |
| 218 | grpc_fake_channel_security_context *c = |
| 219 | (grpc_fake_channel_security_context *)ctx; |
| 220 | if (c->call_host_check_is_async) { |
| 221 | cb(user_data, GRPC_SECURITY_OK); |
| 222 | return GRPC_SECURITY_PENDING; |
| 223 | } else { |
| 224 | return GRPC_SECURITY_OK; |
| 225 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 226 | } |
| 227 | |
| 228 | static grpc_security_context_vtable fake_channel_vtable = { |
| 229 | fake_channel_destroy, fake_channel_create_handshaker, fake_check_peer}; |
| 230 | |
| 231 | static grpc_security_context_vtable fake_server_vtable = { |
| 232 | fake_server_destroy, fake_server_create_handshaker, fake_check_peer}; |
| 233 | |
| 234 | grpc_channel_security_context *grpc_fake_channel_security_context_create( |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 235 | grpc_credentials *request_metadata_creds, int call_host_check_is_async) { |
| 236 | grpc_fake_channel_security_context *c = |
| 237 | gpr_malloc(sizeof(grpc_fake_channel_security_context)); |
| 238 | gpr_ref_init(&c->base.base.refcount, 1); |
| 239 | c->base.base.is_client_side = 1; |
Julien Boeuf | f47a5cb | 2015-02-18 12:24:08 -0800 | [diff] [blame] | 240 | c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 241 | c->base.base.vtable = &fake_channel_vtable; |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 242 | GPR_ASSERT(check_request_metadata_creds(request_metadata_creds)); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 243 | c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); |
| 244 | c->base.check_call_host = fake_channel_check_call_host; |
| 245 | c->call_host_check_is_async = call_host_check_is_async; |
| 246 | return &c->base; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 247 | } |
| 248 | |
| 249 | grpc_security_context *grpc_fake_server_security_context_create(void) { |
| 250 | grpc_security_context *c = gpr_malloc(sizeof(grpc_security_context)); |
| 251 | gpr_ref_init(&c->refcount, 1); |
| 252 | c->vtable = &fake_server_vtable; |
Julien Boeuf | f47a5cb | 2015-02-18 12:24:08 -0800 | [diff] [blame] | 253 | c->url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 254 | return c; |
| 255 | } |
| 256 | |
| 257 | /* --- Ssl implementation. --- */ |
| 258 | |
| 259 | typedef struct { |
| 260 | grpc_channel_security_context base; |
| 261 | tsi_ssl_handshaker_factory *handshaker_factory; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 262 | char *target_name; |
| 263 | char *overridden_target_name; |
| 264 | tsi_peer peer; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 265 | } grpc_ssl_channel_security_context; |
| 266 | |
| 267 | typedef struct { |
| 268 | grpc_security_context base; |
| 269 | tsi_ssl_handshaker_factory *handshaker_factory; |
| 270 | } grpc_ssl_server_security_context; |
| 271 | |
| 272 | static void ssl_channel_destroy(grpc_security_context *ctx) { |
| 273 | grpc_ssl_channel_security_context *c = |
| 274 | (grpc_ssl_channel_security_context *)ctx; |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 275 | grpc_credentials_unref(c->base.request_metadata_creds); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 276 | if (c->handshaker_factory != NULL) { |
| 277 | tsi_ssl_handshaker_factory_destroy(c->handshaker_factory); |
| 278 | } |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 279 | if (c->target_name != NULL) gpr_free(c->target_name); |
| 280 | if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name); |
| 281 | tsi_peer_destruct(&c->peer); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 282 | gpr_free(ctx); |
| 283 | } |
| 284 | |
| 285 | static void ssl_server_destroy(grpc_security_context *ctx) { |
Craig Tiller | b5dcec5 | 2015-01-13 11:13:42 -0800 | [diff] [blame] | 286 | grpc_ssl_server_security_context *c = (grpc_ssl_server_security_context *)ctx; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 287 | if (c->handshaker_factory != NULL) { |
| 288 | tsi_ssl_handshaker_factory_destroy(c->handshaker_factory); |
| 289 | } |
| 290 | gpr_free(ctx); |
| 291 | } |
| 292 | |
| 293 | static grpc_security_status ssl_create_handshaker( |
| 294 | tsi_ssl_handshaker_factory *handshaker_factory, int is_client, |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 295 | const char *peer_name, tsi_handshaker **handshaker) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 296 | tsi_result result = TSI_OK; |
| 297 | if (handshaker_factory == NULL) return GRPC_SECURITY_ERROR; |
| 298 | result = tsi_ssl_handshaker_factory_create_handshaker( |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 299 | handshaker_factory, is_client ? peer_name : NULL, handshaker); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 300 | if (result != TSI_OK) { |
| 301 | gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.", |
| 302 | tsi_result_to_string(result)); |
| 303 | return GRPC_SECURITY_ERROR; |
| 304 | } |
| 305 | return GRPC_SECURITY_OK; |
| 306 | } |
| 307 | |
| 308 | static grpc_security_status ssl_channel_create_handshaker( |
| 309 | grpc_security_context *ctx, tsi_handshaker **handshaker) { |
| 310 | grpc_ssl_channel_security_context *c = |
| 311 | (grpc_ssl_channel_security_context *)ctx; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 312 | return ssl_create_handshaker(c->handshaker_factory, 1, |
| 313 | c->overridden_target_name != NULL |
| 314 | ? c->overridden_target_name |
| 315 | : c->target_name, |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 316 | handshaker); |
| 317 | } |
| 318 | |
| 319 | static grpc_security_status ssl_server_create_handshaker( |
| 320 | grpc_security_context *ctx, tsi_handshaker **handshaker) { |
Craig Tiller | b5dcec5 | 2015-01-13 11:13:42 -0800 | [diff] [blame] | 321 | grpc_ssl_server_security_context *c = (grpc_ssl_server_security_context *)ctx; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 322 | return ssl_create_handshaker(c->handshaker_factory, 0, NULL, handshaker); |
| 323 | } |
| 324 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 325 | static grpc_security_status ssl_check_peer(const char *peer_name, |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 326 | const tsi_peer *peer) { |
| 327 | /* Check the ALPN. */ |
| 328 | const tsi_peer_property *p = |
| 329 | tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL); |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 330 | if (p == NULL) { |
| 331 | gpr_log(GPR_ERROR, "Missing selected ALPN property."); |
| 332 | return GRPC_SECURITY_ERROR; |
| 333 | } |
| 334 | if (p->type != TSI_PEER_PROPERTY_TYPE_STRING) { |
| 335 | gpr_log(GPR_ERROR, "Invalid selected ALPN property."); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 336 | return GRPC_SECURITY_ERROR; |
| 337 | } |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 338 | if (!grpc_chttp2_is_alpn_version_supported(p->value.string.data, |
| 339 | p->value.string.length)) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 340 | gpr_log(GPR_ERROR, "Invalid ALPN value."); |
| 341 | return GRPC_SECURITY_ERROR; |
| 342 | } |
| 343 | |
| 344 | /* Check the peer name if specified. */ |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 345 | if (peer_name != NULL && |
| 346 | !tsi_ssl_peer_matches_name(peer, peer_name)) { |
| 347 | gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate", peer_name); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 348 | return GRPC_SECURITY_ERROR; |
| 349 | } |
| 350 | return GRPC_SECURITY_OK; |
| 351 | } |
| 352 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 353 | static grpc_security_status ssl_channel_check_peer(grpc_security_context *ctx, |
| 354 | tsi_peer peer, |
| 355 | grpc_security_check_cb cb, |
| 356 | void *user_data) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 357 | grpc_ssl_channel_security_context *c = |
| 358 | (grpc_ssl_channel_security_context *)ctx; |
Julien Boeuf | 5882b53 | 2015-02-17 15:51:43 -0800 | [diff] [blame] | 359 | grpc_security_status status; |
| 360 | tsi_peer_destruct(&c->peer); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 361 | c->peer = peer; |
Julien Boeuf | 5882b53 | 2015-02-17 15:51:43 -0800 | [diff] [blame] | 362 | status = ssl_check_peer(c->overridden_target_name != NULL |
| 363 | ? c->overridden_target_name |
| 364 | : c->target_name, |
| 365 | &peer); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 366 | return status; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 367 | } |
| 368 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 369 | static grpc_security_status ssl_server_check_peer(grpc_security_context *ctx, |
| 370 | tsi_peer peer, |
| 371 | grpc_security_check_cb cb, |
| 372 | void *user_data) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 373 | /* TODO(jboeuf): Find a way to expose the peer to the authorization layer. */ |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 374 | grpc_security_status status = ssl_check_peer(NULL, &peer); |
| 375 | tsi_peer_destruct(&peer); |
| 376 | return status; |
| 377 | } |
| 378 | |
| 379 | static grpc_security_status ssl_channel_check_call_host( |
| 380 | grpc_channel_security_context *ctx, const char *host, |
| 381 | grpc_security_check_cb cb, void *user_data) { |
| 382 | grpc_ssl_channel_security_context *c = |
| 383 | (grpc_ssl_channel_security_context *)ctx; |
| 384 | |
| 385 | if (tsi_ssl_peer_matches_name(&c->peer, host)) return GRPC_SECURITY_OK; |
| 386 | |
| 387 | /* If the target name was overridden, then the original target_name was |
| 388 | 'checked' transitively during the previous peer check at the end of the |
| 389 | handshake. */ |
| 390 | if (c->overridden_target_name != NULL && !strcmp(host, c->target_name)) { |
| 391 | return GRPC_SECURITY_OK; |
| 392 | } else { |
| 393 | return GRPC_SECURITY_ERROR; |
| 394 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 395 | } |
| 396 | |
| 397 | static grpc_security_context_vtable ssl_channel_vtable = { |
| 398 | ssl_channel_destroy, ssl_channel_create_handshaker, ssl_channel_check_peer}; |
| 399 | |
| 400 | static grpc_security_context_vtable ssl_server_vtable = { |
| 401 | ssl_server_destroy, ssl_server_create_handshaker, ssl_server_check_peer}; |
| 402 | |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 403 | static gpr_slice default_pem_root_certs; |
| 404 | |
| 405 | static void init_default_pem_root_certs(void) { |
Julien Boeuf | 3e00179 | 2015-02-20 15:02:36 -0800 | [diff] [blame] | 406 | /* First try to load the roots from the environment. */ |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 407 | char *default_root_certs_path = |
| 408 | gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR); |
| 409 | if (default_root_certs_path == NULL) { |
| 410 | default_pem_root_certs = gpr_empty_slice(); |
| 411 | } else { |
| 412 | default_pem_root_certs = gpr_load_file(default_root_certs_path, NULL); |
| 413 | gpr_free(default_root_certs_path); |
| 414 | } |
Julien Boeuf | 3e00179 | 2015-02-20 15:02:36 -0800 | [diff] [blame] | 415 | |
| 416 | /* Fall back to installed certs if needed. */ |
| 417 | if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) { |
| 418 | default_pem_root_certs = gpr_load_file(installed_roots_path, NULL); |
| 419 | } |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 420 | } |
| 421 | |
Julien Boeuf | 1bc21a4 | 2015-02-20 10:40:11 -0800 | [diff] [blame] | 422 | size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) { |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 423 | /* TODO(jboeuf@google.com): Maybe revisit the approach which consists in |
| 424 | loading all the roots once for the lifetime of the process. */ |
| 425 | static gpr_once once = GPR_ONCE_INIT; |
| 426 | gpr_once_init(&once, init_default_pem_root_certs); |
| 427 | *pem_root_certs = GPR_SLICE_START_PTR(default_pem_root_certs); |
| 428 | return GPR_SLICE_LENGTH(default_pem_root_certs); |
| 429 | } |
| 430 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 431 | grpc_security_status grpc_ssl_channel_security_context_create( |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 432 | grpc_credentials *request_metadata_creds, const grpc_ssl_config *config, |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 433 | const char *target_name, const char *overridden_target_name, |
| 434 | grpc_channel_security_context **ctx) { |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 435 | size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); |
| 436 | const unsigned char **alpn_protocol_strings = |
| 437 | gpr_malloc(sizeof(const char *) * num_alpn_protocols); |
| 438 | unsigned char *alpn_protocol_string_lengths = |
| 439 | gpr_malloc(sizeof(unsigned char) * num_alpn_protocols); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 440 | tsi_result result = TSI_OK; |
| 441 | grpc_ssl_channel_security_context *c; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 442 | size_t i; |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 443 | const unsigned char *pem_root_certs; |
| 444 | size_t pem_root_certs_size; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 445 | |
| 446 | for (i = 0; i < num_alpn_protocols; i++) { |
| 447 | alpn_protocol_strings[i] = |
| 448 | (const unsigned char *)grpc_chttp2_get_alpn_version_index(i); |
| 449 | alpn_protocol_string_lengths[i] = |
| 450 | strlen(grpc_chttp2_get_alpn_version_index(i)); |
| 451 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 452 | |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 453 | if (config == NULL || target_name == NULL) { |
| 454 | gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name."); |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 455 | goto error; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 456 | } |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 457 | if (!check_request_metadata_creds(request_metadata_creds)) { |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 458 | goto error; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 459 | } |
| 460 | |
| 461 | c = gpr_malloc(sizeof(grpc_ssl_channel_security_context)); |
| 462 | memset(c, 0, sizeof(grpc_ssl_channel_security_context)); |
| 463 | |
| 464 | gpr_ref_init(&c->base.base.refcount, 1); |
| 465 | c->base.base.vtable = &ssl_channel_vtable; |
| 466 | c->base.base.is_client_side = 1; |
Julien Boeuf | f47a5cb | 2015-02-18 12:24:08 -0800 | [diff] [blame] | 467 | c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 468 | c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds); |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 469 | c->base.check_call_host = ssl_channel_check_call_host; |
| 470 | if (target_name != NULL) { |
| 471 | c->target_name = gpr_strdup(target_name); |
| 472 | } |
| 473 | if (overridden_target_name != NULL) { |
| 474 | c->overridden_target_name = gpr_strdup(overridden_target_name); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 475 | } |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 476 | if (config->pem_root_certs == NULL) { |
Julien Boeuf | 1bc21a4 | 2015-02-20 10:40:11 -0800 | [diff] [blame] | 477 | pem_root_certs_size = grpc_get_default_ssl_roots(&pem_root_certs); |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 478 | if (pem_root_certs == NULL || pem_root_certs_size == 0) { |
| 479 | gpr_log(GPR_ERROR, "Could not get default pem root certs."); |
| 480 | goto error; |
| 481 | } |
| 482 | } else { |
| 483 | pem_root_certs = config->pem_root_certs; |
| 484 | pem_root_certs_size = config->pem_root_certs_size; |
| 485 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 486 | result = tsi_create_ssl_client_handshaker_factory( |
| 487 | config->pem_private_key, config->pem_private_key_size, |
Julien Boeuf | 026a417 | 2015-02-02 18:36:37 -0800 | [diff] [blame] | 488 | config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, |
| 489 | pem_root_certs_size, GRPC_SSL_CIPHER_SUITES, alpn_protocol_strings, |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 490 | alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 491 | if (result != TSI_OK) { |
| 492 | gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
| 493 | tsi_result_to_string(result)); |
| 494 | ssl_channel_destroy(&c->base.base); |
| 495 | *ctx = NULL; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 496 | goto error; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 497 | } |
| 498 | *ctx = &c->base; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 499 | gpr_free(alpn_protocol_strings); |
| 500 | gpr_free(alpn_protocol_string_lengths); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 501 | return GRPC_SECURITY_OK; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 502 | |
| 503 | error: |
| 504 | gpr_free(alpn_protocol_strings); |
| 505 | gpr_free(alpn_protocol_string_lengths); |
| 506 | return GRPC_SECURITY_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 507 | } |
| 508 | |
| 509 | grpc_security_status grpc_ssl_server_security_context_create( |
Julien Boeuf | 8fbcc43 | 2015-01-15 16:44:13 -0800 | [diff] [blame] | 510 | const grpc_ssl_server_config *config, grpc_security_context **ctx) { |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 511 | size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); |
| 512 | const unsigned char **alpn_protocol_strings = |
| 513 | gpr_malloc(sizeof(const char *) * num_alpn_protocols); |
| 514 | unsigned char *alpn_protocol_string_lengths = |
| 515 | gpr_malloc(sizeof(unsigned char) * num_alpn_protocols); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 516 | tsi_result result = TSI_OK; |
| 517 | grpc_ssl_server_security_context *c; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 518 | size_t i; |
| 519 | |
| 520 | for (i = 0; i < num_alpn_protocols; i++) { |
| 521 | alpn_protocol_strings[i] = |
| 522 | (const unsigned char *)grpc_chttp2_get_alpn_version_index(i); |
| 523 | alpn_protocol_string_lengths[i] = |
| 524 | strlen(grpc_chttp2_get_alpn_version_index(i)); |
| 525 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 526 | |
Julien Boeuf | 8fbcc43 | 2015-01-15 16:44:13 -0800 | [diff] [blame] | 527 | if (config == NULL || config->num_key_cert_pairs == 0) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 528 | gpr_log(GPR_ERROR, "An SSL server needs a key and a cert."); |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 529 | goto error; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 530 | } |
| 531 | c = gpr_malloc(sizeof(grpc_ssl_server_security_context)); |
| 532 | memset(c, 0, sizeof(grpc_ssl_server_security_context)); |
| 533 | |
| 534 | gpr_ref_init(&c->base.refcount, 1); |
Julien Boeuf | f47a5cb | 2015-02-18 12:24:08 -0800 | [diff] [blame] | 535 | c->base.url_scheme = GRPC_SSL_URL_SCHEME; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 536 | c->base.vtable = &ssl_server_vtable; |
| 537 | result = tsi_create_ssl_server_handshaker_factory( |
Julien Boeuf | 8fbcc43 | 2015-01-15 16:44:13 -0800 | [diff] [blame] | 538 | (const unsigned char **)config->pem_private_keys, |
| 539 | config->pem_private_keys_sizes, |
| 540 | (const unsigned char **)config->pem_cert_chains, |
| 541 | config->pem_cert_chains_sizes, config->num_key_cert_pairs, |
| 542 | config->pem_root_certs, config->pem_root_certs_size, |
| 543 | GRPC_SSL_CIPHER_SUITES, alpn_protocol_strings, |
| 544 | alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 545 | if (result != TSI_OK) { |
| 546 | gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
| 547 | tsi_result_to_string(result)); |
| 548 | ssl_server_destroy(&c->base); |
| 549 | *ctx = NULL; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 550 | goto error; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 551 | } |
| 552 | *ctx = &c->base; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 553 | gpr_free(alpn_protocol_strings); |
| 554 | gpr_free(alpn_protocol_string_lengths); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 555 | return GRPC_SECURITY_OK; |
ctiller | 48b5a45 | 2014-12-10 08:43:47 -0800 | [diff] [blame] | 556 | |
| 557 | error: |
| 558 | gpr_free(alpn_protocol_strings); |
| 559 | gpr_free(alpn_protocol_string_lengths); |
| 560 | return GRPC_SECURITY_ERROR; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 561 | } |
| 562 | |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 563 | /* -- High level objects. -- */ |
| 564 | |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 565 | grpc_channel *grpc_ssl_channel_create(grpc_credentials *ssl_creds, |
| 566 | grpc_credentials *request_metadata_creds, |
| 567 | const char *target, |
| 568 | const grpc_channel_args *args) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 569 | grpc_channel_security_context *ctx = NULL; |
| 570 | grpc_channel *channel = NULL; |
| 571 | grpc_security_status status = GRPC_SECURITY_OK; |
| 572 | size_t i = 0; |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 573 | const char *overridden_target_name = NULL; |
David Klempner | a1e8693 | 2015-01-13 18:13:59 -0800 | [diff] [blame] | 574 | grpc_arg arg; |
| 575 | grpc_channel_args *new_args; |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 576 | |
yangg | 4105e2b | 2015-01-09 14:19:44 -0800 | [diff] [blame] | 577 | for (i = 0; args && i < args->num_args; i++) { |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 578 | grpc_arg *arg = &args->args[i]; |
| 579 | if (!strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) && |
| 580 | arg->type == GRPC_ARG_STRING) { |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 581 | overridden_target_name = arg->value.string; |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 582 | break; |
| 583 | } |
| 584 | } |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 585 | status = grpc_ssl_channel_security_context_create( |
| 586 | request_metadata_creds, grpc_ssl_credentials_get_config(ssl_creds), |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 587 | target, overridden_target_name, &ctx); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 588 | if (status != GRPC_SECURITY_OK) { |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 589 | return grpc_lame_client_channel_create(); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 590 | } |
David Klempner | a1e8693 | 2015-01-13 18:13:59 -0800 | [diff] [blame] | 591 | arg.type = GRPC_ARG_STRING; |
David Klempner | ed0cbc8 | 2015-01-14 14:46:10 -0800 | [diff] [blame] | 592 | arg.key = GRPC_ARG_HTTP2_SCHEME; |
David Klempner | a1e8693 | 2015-01-13 18:13:59 -0800 | [diff] [blame] | 593 | arg.value.string = "https"; |
| 594 | new_args = grpc_channel_args_copy_and_add(args, &arg); |
| 595 | channel = grpc_secure_channel_create_internal(target, new_args, ctx); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 596 | grpc_security_context_unref(&ctx->base); |
David Klempner | a1e8693 | 2015-01-13 18:13:59 -0800 | [diff] [blame] | 597 | grpc_channel_args_destroy(new_args); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 598 | return channel; |
| 599 | } |
| 600 | |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 601 | grpc_channel *grpc_fake_transport_security_channel_create( |
| 602 | grpc_credentials *fake_creds, grpc_credentials *request_metadata_creds, |
| 603 | const char *target, const grpc_channel_args *args) { |
| 604 | grpc_channel_security_context *ctx = |
Julien Boeuf | 54b2192 | 2015-02-04 16:39:35 -0800 | [diff] [blame] | 605 | grpc_fake_channel_security_context_create(request_metadata_creds, 1); |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 606 | grpc_channel *channel = |
| 607 | grpc_secure_channel_create_internal(target, args, ctx); |
| 608 | grpc_security_context_unref(&ctx->base); |
| 609 | return channel; |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 610 | } |
| 611 | |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 612 | grpc_channel *grpc_secure_channel_create_with_factories( |
| 613 | const grpc_secure_channel_factory *factories, size_t num_factories, |
| 614 | grpc_credentials *creds, const char *target, |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 615 | const grpc_channel_args *args) { |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 616 | size_t i; |
yangg | 4105e2b | 2015-01-09 14:19:44 -0800 | [diff] [blame] | 617 | if (creds == NULL) { |
| 618 | gpr_log(GPR_ERROR, "No credentials to create a secure channel."); |
| 619 | return grpc_lame_client_channel_create(); |
| 620 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 621 | if (grpc_credentials_has_request_metadata_only(creds)) { |
| 622 | gpr_log(GPR_ERROR, |
| 623 | "Credentials is insufficient to create a secure channel."); |
nnoble | 0c475f0 | 2014-12-05 15:37:39 -0800 | [diff] [blame] | 624 | return grpc_lame_client_channel_create(); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 625 | } |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 626 | |
| 627 | for (i = 0; i < num_factories; i++) { |
| 628 | grpc_credentials *composite_creds = NULL; |
| 629 | grpc_credentials *transport_security_creds = NULL; |
| 630 | transport_security_creds = grpc_credentials_contains_type( |
| 631 | creds, factories[i].creds_type, &composite_creds); |
| 632 | if (transport_security_creds != NULL) { |
| 633 | return factories[i].factory(transport_security_creds, composite_creds, |
| 634 | target, args); |
| 635 | } |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 636 | } |
jboeuf | 6ad120e | 2015-01-12 17:08:15 -0800 | [diff] [blame] | 637 | |
| 638 | gpr_log(GPR_ERROR, |
| 639 | "Unknown credentials type %s for creating a secure channel.", |
| 640 | creds->type); |
| 641 | return grpc_lame_client_channel_create(); |
Nicolas Noble | b7ebd3b | 2014-11-26 16:33:03 -0800 | [diff] [blame] | 642 | } |
| 643 | |
| 644 | grpc_channel *grpc_default_secure_channel_create( |
| 645 | const char *target, const grpc_channel_args *args) { |
| 646 | return grpc_secure_channel_create(grpc_default_credentials_create(), target, |
| 647 | args); |
Craig Tiller | 190d360 | 2015-02-18 09:23:38 -0800 | [diff] [blame] | 648 | } |