/* * * Copyright 2018 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "src/core/lib/security/credentials/tls/tls_credentials.h" #include #include #include #include #include #include "src/core/lib/channel/channel_args.h" #include "src/core/lib/security/security_connector/tls/tls_security_connector.h" #define GRPC_CREDENTIALS_TYPE_TLS "Tls" namespace { bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options, bool is_client) { if (options == nullptr) { gpr_log(GPR_ERROR, "TLS credentials options is nullptr."); return false; } // TODO(ZhenLian): remove this when it is also supported on server side. if (!is_client && options->server_authorization_check_config() != nullptr) { gpr_log(GPR_INFO, "Server's credentials options should not contain server " "authorization check config."); } if (options->server_verification_option() != GRPC_TLS_SERVER_VERIFICATION && options->server_authorization_check_config() == nullptr) { gpr_log(GPR_ERROR, "Should provider custom verifications if bypassing default ones."); return false; } return true; } } // namespace TlsCredentials::TlsCredentials( grpc_core::RefCountedPtr options) : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_TLS), options_(std::move(options)) {} TlsCredentials::~TlsCredentials() {} grpc_core::RefCountedPtr TlsCredentials::create_security_connector( grpc_core::RefCountedPtr call_creds, const char* target_name, const grpc_channel_args* args, grpc_channel_args** new_args) { const char* overridden_target_name = nullptr; tsi_ssl_session_cache* ssl_session_cache = nullptr; for (size_t i = 0; args != nullptr && i < args->num_args; i++) { grpc_arg* arg = &args->args[i]; if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 && arg->type == GRPC_ARG_STRING) { overridden_target_name = arg->value.string; } if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 && arg->type == GRPC_ARG_POINTER) { ssl_session_cache = static_cast(arg->value.pointer.p); } } grpc_core::RefCountedPtr sc = grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector( this->Ref(), options_, std::move(call_creds), target_name, overridden_target_name, ssl_session_cache); if (sc == nullptr) { return nullptr; } if (args != nullptr) { grpc_arg new_arg = grpc_channel_arg_string_create( const_cast(GRPC_ARG_HTTP2_SCHEME), const_cast("https")); *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1); } return sc; } TlsServerCredentials::TlsServerCredentials( grpc_core::RefCountedPtr options) : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_TLS), options_(std::move(options)) {} TlsServerCredentials::~TlsServerCredentials() {} grpc_core::RefCountedPtr TlsServerCredentials::create_security_connector( const grpc_channel_args* /* args */) { return grpc_core::TlsServerSecurityConnector:: CreateTlsServerSecurityConnector(this->Ref(), options_); } /** -- Wrapper APIs declared in grpc_security.h -- **/ grpc_channel_credentials* grpc_tls_credentials_create( grpc_tls_credentials_options* options) { if (!CredentialOptionSanityCheck(options, true /* is_client */)) { return nullptr; } return new TlsCredentials( grpc_core::RefCountedPtr(options)); } grpc_server_credentials* grpc_tls_server_credentials_create( grpc_tls_credentials_options* options) { if (!CredentialOptionSanityCheck(options, false /* is_client */)) { return nullptr; } return new TlsServerCredentials( grpc_core::RefCountedPtr(options)); }