/* * * Copyright 2016 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "src/core/lib/security/credentials/ssl/ssl_credentials.h" #include #include "src/core/lib/channel/channel_args.h" #include "src/core/lib/surface/api_trace.h" #include "src/core/tsi/ssl_transport_security.h" #include #include #include // // SSL Channel Credentials. // void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp, size_t num_key_cert_pairs) { if (kp == nullptr) return; for (size_t i = 0; i < num_key_cert_pairs; i++) { gpr_free((void*)kp[i].private_key); gpr_free((void*)kp[i].cert_chain); } gpr_free(kp); } grpc_ssl_credentials::grpc_ssl_credentials( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const grpc_ssl_verify_peer_options* verify_options) : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) { build_config(pem_root_certs, pem_key_cert_pair, verify_options); } grpc_ssl_credentials::~grpc_ssl_credentials() { gpr_free(config_.pem_root_certs); grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pair, 1); if (config_.verify_options.verify_peer_destruct != nullptr) { config_.verify_options.verify_peer_destruct( config_.verify_options.verify_peer_callback_userdata); } } grpc_core::RefCountedPtr grpc_ssl_credentials::create_security_connector( grpc_core::RefCountedPtr call_creds, const char* target, const grpc_channel_args* args, grpc_channel_args** new_args) { const char* overridden_target_name = nullptr; tsi_ssl_session_cache* ssl_session_cache = nullptr; for (size_t i = 0; args && i < args->num_args; i++) { grpc_arg* arg = &args->args[i]; if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 && arg->type == GRPC_ARG_STRING) { overridden_target_name = arg->value.string; } if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 && arg->type == GRPC_ARG_POINTER) { ssl_session_cache = static_cast(arg->value.pointer.p); } } grpc_core::RefCountedPtr sc = grpc_ssl_channel_security_connector_create( this->Ref(), std::move(call_creds), &config_, target, overridden_target_name, ssl_session_cache); if (sc == nullptr) { return sc; } grpc_arg new_arg = grpc_channel_arg_string_create( (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https"); *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1); return sc; } void grpc_ssl_credentials::build_config( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const grpc_ssl_verify_peer_options* verify_options) { config_.pem_root_certs = gpr_strdup(pem_root_certs); if (pem_key_cert_pair != nullptr) { GPR_ASSERT(pem_key_cert_pair->private_key != nullptr); GPR_ASSERT(pem_key_cert_pair->cert_chain != nullptr); config_.pem_key_cert_pair = static_cast( gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair))); config_.pem_key_cert_pair->cert_chain = gpr_strdup(pem_key_cert_pair->cert_chain); config_.pem_key_cert_pair->private_key = gpr_strdup(pem_key_cert_pair->private_key); } else { config_.pem_key_cert_pair = nullptr; } if (verify_options != nullptr) { memcpy(&config_.verify_options, verify_options, sizeof(verify_peer_options)); } else { // Otherwise set all options to default values memset(&config_.verify_options, 0, sizeof(verify_peer_options)); } } /* Deprecated in favor of grpc_ssl_credentials_create_ex. Will be removed * once all of its call sites are migrated to grpc_ssl_credentials_create_ex. */ grpc_channel_credentials* grpc_ssl_credentials_create( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const verify_peer_options* verify_options, void* reserved) { GRPC_API_TRACE( "grpc_ssl_credentials_create(pem_root_certs=%s, " "pem_key_cert_pair=%p, " "verify_options=%p, " "reserved=%p)", 4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved)); GPR_ASSERT(reserved == nullptr); return new grpc_ssl_credentials( pem_root_certs, pem_key_cert_pair, reinterpret_cast(verify_options)); } grpc_channel_credentials* grpc_ssl_credentials_create_ex( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const grpc_ssl_verify_peer_options* verify_options, void* reserved) { GRPC_API_TRACE( "grpc_ssl_credentials_create(pem_root_certs=%s, " "pem_key_cert_pair=%p, " "verify_options=%p, " "reserved=%p)", 4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved)); GPR_ASSERT(reserved == nullptr); return new grpc_ssl_credentials(pem_root_certs, pem_key_cert_pair, verify_options); } // // SSL Server Credentials. // struct grpc_ssl_server_credentials_options { grpc_ssl_client_certificate_request_type client_certificate_request; grpc_ssl_server_certificate_config* certificate_config; grpc_ssl_server_certificate_config_fetcher* certificate_config_fetcher; }; grpc_ssl_server_credentials::grpc_ssl_server_credentials( const grpc_ssl_server_credentials_options& options) : grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) { if (options.certificate_config_fetcher != nullptr) { config_.client_certificate_request = options.client_certificate_request; certificate_config_fetcher_ = *options.certificate_config_fetcher; } else { build_config(options.certificate_config->pem_root_certs, options.certificate_config->pem_key_cert_pairs, options.certificate_config->num_key_cert_pairs, options.client_certificate_request); } } grpc_ssl_server_credentials::~grpc_ssl_server_credentials() { grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pairs, config_.num_key_cert_pairs); gpr_free(config_.pem_root_certs); } grpc_core::RefCountedPtr grpc_ssl_server_credentials::create_security_connector() { return grpc_ssl_server_security_connector_create(this->Ref()); } tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs( const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs) { tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr; if (num_key_cert_pairs > 0) { GPR_ASSERT(pem_key_cert_pairs != nullptr); tsi_pairs = static_cast( gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair))); } for (size_t i = 0; i < num_key_cert_pairs; i++) { GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr); GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr); tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain); tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key); } return tsi_pairs; } void grpc_ssl_server_credentials::build_config( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, grpc_ssl_client_certificate_request_type client_certificate_request) { config_.client_certificate_request = client_certificate_request; config_.pem_root_certs = gpr_strdup(pem_root_certs); config_.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs( pem_key_cert_pairs, num_key_cert_pairs); config_.num_key_cert_pairs = num_key_cert_pairs; } grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create( const char* pem_root_certs, const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs) { grpc_ssl_server_certificate_config* config = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_certificate_config))); config->pem_root_certs = gpr_strdup(pem_root_certs); if (num_key_cert_pairs > 0) { GPR_ASSERT(pem_key_cert_pairs != nullptr); config->pem_key_cert_pairs = static_cast( gpr_zalloc(num_key_cert_pairs * sizeof(grpc_ssl_pem_key_cert_pair))); } config->num_key_cert_pairs = num_key_cert_pairs; for (size_t i = 0; i < num_key_cert_pairs; i++) { GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr); GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr); config->pem_key_cert_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain); config->pem_key_cert_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key); } return config; } void grpc_ssl_server_certificate_config_destroy( grpc_ssl_server_certificate_config* config) { if (config == nullptr) return; for (size_t i = 0; i < config->num_key_cert_pairs; i++) { gpr_free((void*)config->pem_key_cert_pairs[i].private_key); gpr_free((void*)config->pem_key_cert_pairs[i].cert_chain); } gpr_free(config->pem_key_cert_pairs); gpr_free(config->pem_root_certs); gpr_free(config); } grpc_ssl_server_credentials_options* grpc_ssl_server_credentials_create_options_using_config( grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_server_certificate_config* config) { grpc_ssl_server_credentials_options* options = nullptr; if (config == nullptr) { gpr_log(GPR_ERROR, "Certificate config must not be NULL."); goto done; } options = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_credentials_options))); options->client_certificate_request = client_certificate_request; options->certificate_config = config; done: return options; } grpc_ssl_server_credentials_options* grpc_ssl_server_credentials_create_options_using_config_fetcher( grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_server_certificate_config_callback cb, void* user_data) { if (cb == nullptr) { gpr_log(GPR_ERROR, "Invalid certificate config callback parameter."); return nullptr; } grpc_ssl_server_certificate_config_fetcher* fetcher = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_certificate_config_fetcher))); fetcher->cb = cb; fetcher->user_data = user_data; grpc_ssl_server_credentials_options* options = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_credentials_options))); options->client_certificate_request = client_certificate_request; options->certificate_config_fetcher = fetcher; return options; } grpc_server_credentials* grpc_ssl_server_credentials_create( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, void* reserved) { return grpc_ssl_server_credentials_create_ex( pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs, force_client_auth ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, reserved); } grpc_server_credentials* grpc_ssl_server_credentials_create_ex( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, grpc_ssl_client_certificate_request_type client_certificate_request, void* reserved) { GRPC_API_TRACE( "grpc_ssl_server_credentials_create_ex(" "pem_root_certs=%s, pem_key_cert_pairs=%p, num_key_cert_pairs=%lu, " "client_certificate_request=%d, reserved=%p)", 5, (pem_root_certs, pem_key_cert_pairs, (unsigned long)num_key_cert_pairs, client_certificate_request, reserved)); GPR_ASSERT(reserved == nullptr); grpc_ssl_server_certificate_config* cert_config = grpc_ssl_server_certificate_config_create( pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs); grpc_ssl_server_credentials_options* options = grpc_ssl_server_credentials_create_options_using_config( client_certificate_request, cert_config); return grpc_ssl_server_credentials_create_with_options(options); } grpc_server_credentials* grpc_ssl_server_credentials_create_with_options( grpc_ssl_server_credentials_options* options) { grpc_server_credentials* retval = nullptr; if (options == nullptr) { gpr_log(GPR_ERROR, "Invalid options trying to create SSL server credentials."); goto done; } if (options->certificate_config == nullptr && options->certificate_config_fetcher == nullptr) { gpr_log(GPR_ERROR, "SSL server credentials options must specify either " "certificate config or fetcher."); goto done; } else if (options->certificate_config_fetcher != nullptr && options->certificate_config_fetcher->cb == nullptr) { gpr_log(GPR_ERROR, "Certificate config fetcher callback must not be NULL."); goto done; } retval = new grpc_ssl_server_credentials(*options); done: grpc_ssl_server_credentials_options_destroy(options); return retval; } void grpc_ssl_server_credentials_options_destroy( grpc_ssl_server_credentials_options* o) { if (o == nullptr) return; gpr_free(o->certificate_config_fetcher); grpc_ssl_server_certificate_config_destroy(o->certificate_config); gpr_free(o); }