diff options
Diffstat (limited to 'src/core/lib/security/transport')
| -rw-r--r-- | src/core/lib/security/transport/auth_filters.h | 8 | ||||
| -rw-r--r-- | src/core/lib/security/transport/client_auth_filter.cc | 208 | ||||
| -rw-r--r-- | src/core/lib/security/transport/lb_targets_info.cc | 26 | ||||
| -rw-r--r-- | src/core/lib/security/transport/lb_targets_info.h | 6 | ||||
| -rw-r--r-- | src/core/lib/security/transport/secure_endpoint.cc | 141 | ||||
| -rw-r--r-- | src/core/lib/security/transport/secure_endpoint.h | 8 | ||||
| -rw-r--r-- | src/core/lib/security/transport/security_connector.cc | 699 | ||||
| -rw-r--r-- | src/core/lib/security/transport/security_connector.h | 162 | ||||
| -rw-r--r-- | src/core/lib/security/transport/security_handshaker.cc | 200 | ||||
| -rw-r--r-- | src/core/lib/security/transport/security_handshaker.h | 6 | ||||
| -rw-r--r-- | src/core/lib/security/transport/server_auth_filter.cc | 120 | ||||
| -rw-r--r-- | src/core/lib/security/transport/tsi_error.cc | 2 | ||||
| -rw-r--r-- | src/core/lib/security/transport/tsi_error.h | 2 |
13 files changed, 862 insertions, 726 deletions
diff --git a/src/core/lib/security/transport/auth_filters.h b/src/core/lib/security/transport/auth_filters.h index ba5df7fe70..6376929890 100644 --- a/src/core/lib/security/transport/auth_filters.h +++ b/src/core/lib/security/transport/auth_filters.h @@ -19,6 +19,7 @@ #ifndef GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H #define GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H +#include <grpc/grpc_security.h> #include "src/core/lib/channel/channel_stack.h" #ifdef __cplusplus @@ -28,6 +29,13 @@ extern "C" { extern const grpc_channel_filter grpc_client_auth_filter; extern const grpc_channel_filter grpc_server_auth_filter; +void grpc_auth_metadata_context_build( + const char* url_scheme, grpc_slice call_host, grpc_slice call_method, + grpc_auth_context* auth_context, + grpc_auth_metadata_context* auth_md_context); + +void grpc_auth_metadata_context_reset(grpc_auth_metadata_context* context); + #ifdef __cplusplus } #endif diff --git a/src/core/lib/security/transport/client_auth_filter.cc b/src/core/lib/security/transport/client_auth_filter.cc index a8464dbf9e..11f5a13ccc 100644 --- a/src/core/lib/security/transport/client_auth_filter.cc +++ b/src/core/lib/security/transport/client_auth_filter.cc @@ -39,9 +39,9 @@ /* We can have a per-call credentials. */ typedef struct { - grpc_call_stack *owning_call; - grpc_call_combiner *call_combiner; - grpc_call_credentials *creds; + grpc_call_stack* owning_call; + grpc_call_combiner* call_combiner; + grpc_call_credentials* creds; bool have_host; bool have_method; grpc_slice host; @@ -50,7 +50,7 @@ typedef struct { network requests, they should be done under a pollset added to this pollset_set so that work can progress when this call wants work to progress */ - grpc_polling_entity *pollent; + grpc_polling_entity* pollent; grpc_credentials_mdelem_array md_array; grpc_linked_mdelem md_links[MAX_CREDENTIALS_METADATA_COUNT]; grpc_auth_metadata_context auth_md_context; @@ -61,27 +61,27 @@ typedef struct { /* We can have a per-channel credentials. */ typedef struct { - grpc_channel_security_connector *security_connector; - grpc_auth_context *auth_context; + grpc_channel_security_connector* security_connector; + grpc_auth_context* auth_context; } channel_data; -static void reset_auth_metadata_context( - grpc_auth_metadata_context *auth_md_context) { +void grpc_auth_metadata_context_reset( + grpc_auth_metadata_context* auth_md_context) { if (auth_md_context->service_url != NULL) { - gpr_free((char *)auth_md_context->service_url); + gpr_free((char*)auth_md_context->service_url); auth_md_context->service_url = NULL; } if (auth_md_context->method_name != NULL) { - gpr_free((char *)auth_md_context->method_name); + gpr_free((char*)auth_md_context->method_name); auth_md_context->method_name = NULL; } GRPC_AUTH_CONTEXT_UNREF( - (grpc_auth_context *)auth_md_context->channel_auth_context, + (grpc_auth_context*)auth_md_context->channel_auth_context, "grpc_auth_metadata_context"); auth_md_context->channel_auth_context = NULL; } -static void add_error(grpc_error **combined, grpc_error *error) { +static void add_error(grpc_error** combined, grpc_error* error) { if (error == GRPC_ERROR_NONE) return; if (*combined == GRPC_ERROR_NONE) { *combined = GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -90,18 +90,18 @@ static void add_error(grpc_error **combined, grpc_error *error) { *combined = grpc_error_add_child(*combined, error); } -static void on_credentials_metadata(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *input_error) { - grpc_transport_stream_op_batch *batch = (grpc_transport_stream_op_batch *)arg; - grpc_call_element *elem = - (grpc_call_element *)batch->handler_private.extra_arg; - call_data *calld = (call_data *)elem->call_data; - reset_auth_metadata_context(&calld->auth_md_context); - grpc_error *error = GRPC_ERROR_REF(input_error); +static void on_credentials_metadata(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* input_error) { + grpc_transport_stream_op_batch* batch = (grpc_transport_stream_op_batch*)arg; + grpc_call_element* elem = + (grpc_call_element*)batch->handler_private.extra_arg; + call_data* calld = (call_data*)elem->call_data; + grpc_auth_metadata_context_reset(&calld->auth_md_context); + grpc_error* error = GRPC_ERROR_REF(input_error); if (error == GRPC_ERROR_NONE) { GPR_ASSERT(calld->md_array.size <= MAX_CREDENTIALS_METADATA_COUNT); GPR_ASSERT(batch->send_initial_metadata); - grpc_metadata_batch *mdb = + grpc_metadata_batch* mdb = batch->payload->send_initial_metadata.send_initial_metadata; for (size_t i = 0; i < calld->md_array.size; ++i) { add_error(&error, grpc_metadata_batch_add_tail( @@ -119,40 +119,47 @@ static void on_credentials_metadata(grpc_exec_ctx *exec_ctx, void *arg, } } -void build_auth_metadata_context(grpc_security_connector *sc, - grpc_auth_context *auth_context, - call_data *calld) { - char *service = grpc_slice_to_c_string(calld->method); - char *last_slash = strrchr(service, '/'); - char *method_name = NULL; - char *service_url = NULL; - reset_auth_metadata_context(&calld->auth_md_context); +void grpc_auth_metadata_context_build( + const char* url_scheme, grpc_slice call_host, grpc_slice call_method, + grpc_auth_context* auth_context, + grpc_auth_metadata_context* auth_md_context) { + char* service = grpc_slice_to_c_string(call_method); + char* last_slash = strrchr(service, '/'); + char* method_name = NULL; + char* service_url = NULL; + grpc_auth_metadata_context_reset(auth_md_context); if (last_slash == NULL) { gpr_log(GPR_ERROR, "No '/' found in fully qualified method name"); service[0] = '\0'; + method_name = gpr_strdup(""); } else if (last_slash == service) { - /* No service part in fully qualified method name: will just be "/". */ - service[1] = '\0'; + method_name = gpr_strdup(""); } else { *last_slash = '\0'; method_name = gpr_strdup(last_slash + 1); } - if (method_name == NULL) method_name = gpr_strdup(""); - char *host = grpc_slice_to_c_string(calld->host); - gpr_asprintf(&service_url, "%s://%s%s", - sc->url_scheme == NULL ? "" : sc->url_scheme, host, service); - calld->auth_md_context.service_url = service_url; - calld->auth_md_context.method_name = method_name; - calld->auth_md_context.channel_auth_context = + char* host_and_port = grpc_slice_to_c_string(call_host); + if (url_scheme != NULL && strcmp(url_scheme, GRPC_SSL_URL_SCHEME) == 0) { + /* Remove the port if it is 443. */ + char* port_delimiter = strrchr(host_and_port, ':'); + if (port_delimiter != NULL && strcmp(port_delimiter + 1, "443") == 0) { + *port_delimiter = '\0'; + } + } + gpr_asprintf(&service_url, "%s://%s%s", url_scheme == NULL ? "" : url_scheme, + host_and_port, service); + auth_md_context->service_url = service_url; + auth_md_context->method_name = method_name; + auth_md_context->channel_auth_context = GRPC_AUTH_CONTEXT_REF(auth_context, "grpc_auth_metadata_context"); gpr_free(service); - gpr_free(host); + gpr_free(host_and_port); } -static void cancel_get_request_metadata(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - grpc_call_element *elem = (grpc_call_element *)arg; - call_data *calld = (call_data *)elem->call_data; +static void cancel_get_request_metadata(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + grpc_call_element* elem = (grpc_call_element*)arg; + call_data* calld = (call_data*)elem->call_data; if (error != GRPC_ERROR_NONE) { grpc_call_credentials_cancel_get_request_metadata( exec_ctx, calld->creds, &calld->md_array, GRPC_ERROR_REF(error)); @@ -161,16 +168,16 @@ static void cancel_get_request_metadata(grpc_exec_ctx *exec_ctx, void *arg, "cancel_get_request_metadata"); } -static void send_security_metadata(grpc_exec_ctx *exec_ctx, - grpc_call_element *elem, - grpc_transport_stream_op_batch *batch) { - call_data *calld = (call_data *)elem->call_data; - channel_data *chand = (channel_data *)elem->channel_data; - grpc_client_security_context *ctx = - (grpc_client_security_context *)batch->payload +static void send_security_metadata(grpc_exec_ctx* exec_ctx, + grpc_call_element* elem, + grpc_transport_stream_op_batch* batch) { + call_data* calld = (call_data*)elem->call_data; + channel_data* chand = (channel_data*)elem->channel_data; + grpc_client_security_context* ctx = + (grpc_client_security_context*)batch->payload ->context[GRPC_CONTEXT_SECURITY] .value; - grpc_call_credentials *channel_call_creds = + grpc_call_credentials* channel_call_creds = chand->security_connector->request_metadata_creds; int call_creds_has_md = (ctx != NULL) && (ctx->creds != NULL); @@ -198,14 +205,15 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx, call_creds_has_md ? ctx->creds : channel_call_creds); } - build_auth_metadata_context(&chand->security_connector->base, - chand->auth_context, calld); + grpc_auth_metadata_context_build( + chand->security_connector->base.url_scheme, calld->host, calld->method, + chand->auth_context, &calld->auth_md_context); GPR_ASSERT(calld->pollent != NULL); GRPC_CLOSURE_INIT(&calld->async_result_closure, on_credentials_metadata, batch, grpc_schedule_on_exec_ctx); - grpc_error *error = GRPC_ERROR_NONE; + grpc_error* error = GRPC_ERROR_NONE; if (grpc_call_credentials_get_request_metadata( exec_ctx, calld->creds, calld->pollent, calld->auth_md_context, &calld->md_array, &calld->async_result_closure, &error)) { @@ -223,17 +231,17 @@ static void send_security_metadata(grpc_exec_ctx *exec_ctx, } } -static void on_host_checked(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - grpc_transport_stream_op_batch *batch = (grpc_transport_stream_op_batch *)arg; - grpc_call_element *elem = - (grpc_call_element *)batch->handler_private.extra_arg; - call_data *calld = (call_data *)elem->call_data; +static void on_host_checked(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + grpc_transport_stream_op_batch* batch = (grpc_transport_stream_op_batch*)arg; + grpc_call_element* elem = + (grpc_call_element*)batch->handler_private.extra_arg; + call_data* calld = (call_data*)elem->call_data; if (error == GRPC_ERROR_NONE) { send_security_metadata(exec_ctx, elem, batch); } else { - char *error_msg; - char *host = grpc_slice_to_c_string(calld->host); + char* error_msg; + char* host = grpc_slice_to_c_string(calld->host); gpr_asprintf(&error_msg, "Invalid host %s set in :authority metadata.", host); gpr_free(host); @@ -247,11 +255,11 @@ static void on_host_checked(grpc_exec_ctx *exec_ctx, void *arg, } } -static void cancel_check_call_host(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - grpc_call_element *elem = (grpc_call_element *)arg; - call_data *calld = (call_data *)elem->call_data; - channel_data *chand = (channel_data *)elem->channel_data; +static void cancel_check_call_host(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + grpc_call_element* elem = (grpc_call_element*)arg; + call_data* calld = (call_data*)elem->call_data; + channel_data* chand = (channel_data*)elem->channel_data; if (error != GRPC_ERROR_NONE) { grpc_channel_security_connector_cancel_check_call_host( exec_ctx, chand->security_connector, &calld->async_result_closure, @@ -261,13 +269,13 @@ static void cancel_check_call_host(grpc_exec_ctx *exec_ctx, void *arg, } static void auth_start_transport_stream_op_batch( - grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - grpc_transport_stream_op_batch *batch) { + grpc_exec_ctx* exec_ctx, grpc_call_element* elem, + grpc_transport_stream_op_batch* batch) { GPR_TIMER_BEGIN("auth_start_transport_stream_op_batch", 0); /* grab pointers to our data from the call element */ - call_data *calld = (call_data *)elem->call_data; - channel_data *chand = (channel_data *)elem->channel_data; + call_data* calld = (call_data*)elem->call_data; + channel_data* chand = (channel_data*)elem->channel_data; if (!batch->cancel_stream) { GPR_ASSERT(batch->payload->context != NULL); @@ -277,8 +285,8 @@ static void auth_start_transport_stream_op_batch( batch->payload->context[GRPC_CONTEXT_SECURITY].destroy = grpc_client_security_context_destroy; } - grpc_client_security_context *sec_ctx = - (grpc_client_security_context *)batch->payload + grpc_client_security_context* sec_ctx = + (grpc_client_security_context*)batch->payload ->context[GRPC_CONTEXT_SECURITY] .value; GRPC_AUTH_CONTEXT_UNREF(sec_ctx->auth_context, "client auth filter"); @@ -287,7 +295,7 @@ static void auth_start_transport_stream_op_batch( } if (batch->send_initial_metadata) { - for (grpc_linked_mdelem *l = batch->payload->send_initial_metadata + for (grpc_linked_mdelem* l = batch->payload->send_initial_metadata .send_initial_metadata->list.head; l != NULL; l = l->next) { grpc_mdelem md = l->md; @@ -311,8 +319,8 @@ static void auth_start_transport_stream_op_batch( batch->handler_private.extra_arg = elem; GRPC_CLOSURE_INIT(&calld->async_result_closure, on_host_checked, batch, grpc_schedule_on_exec_ctx); - char *call_host = grpc_slice_to_c_string(calld->host); - grpc_error *error = GRPC_ERROR_NONE; + char* call_host = grpc_slice_to_c_string(calld->host); + grpc_error* error = GRPC_ERROR_NONE; if (grpc_channel_security_connector_check_call_host( exec_ctx, chand->security_connector, call_host, chand->auth_context, &calld->async_result_closure, &error)) { @@ -340,27 +348,27 @@ static void auth_start_transport_stream_op_batch( } /* Constructor for call_data */ -static grpc_error *init_call_elem(grpc_exec_ctx *exec_ctx, - grpc_call_element *elem, - const grpc_call_element_args *args) { - call_data *calld = (call_data *)elem->call_data; +static grpc_error* init_call_elem(grpc_exec_ctx* exec_ctx, + grpc_call_element* elem, + const grpc_call_element_args* args) { + call_data* calld = (call_data*)elem->call_data; calld->owning_call = args->call_stack; calld->call_combiner = args->call_combiner; return GRPC_ERROR_NONE; } -static void set_pollset_or_pollset_set(grpc_exec_ctx *exec_ctx, - grpc_call_element *elem, - grpc_polling_entity *pollent) { - call_data *calld = (call_data *)elem->call_data; +static void set_pollset_or_pollset_set(grpc_exec_ctx* exec_ctx, + grpc_call_element* elem, + grpc_polling_entity* pollent) { + call_data* calld = (call_data*)elem->call_data; calld->pollent = pollent; } /* Destructor for call_data */ -static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - const grpc_call_final_info *final_info, - grpc_closure *ignored) { - call_data *calld = (call_data *)elem->call_data; +static void destroy_call_elem(grpc_exec_ctx* exec_ctx, grpc_call_element* elem, + const grpc_call_final_info* final_info, + grpc_closure* ignored) { + call_data* calld = (call_data*)elem->call_data; grpc_credentials_mdelem_array_destroy(exec_ctx, &calld->md_array); grpc_call_credentials_unref(exec_ctx, calld->creds); if (calld->have_host) { @@ -369,20 +377,20 @@ static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, if (calld->have_method) { grpc_slice_unref_internal(exec_ctx, calld->method); } - reset_auth_metadata_context(&calld->auth_md_context); + grpc_auth_metadata_context_reset(&calld->auth_md_context); } /* Constructor for channel_data */ -static grpc_error *init_channel_elem(grpc_exec_ctx *exec_ctx, - grpc_channel_element *elem, - grpc_channel_element_args *args) { - grpc_security_connector *sc = +static grpc_error* init_channel_elem(grpc_exec_ctx* exec_ctx, + grpc_channel_element* elem, + grpc_channel_element_args* args) { + grpc_security_connector* sc = grpc_security_connector_find_in_args(args->channel_args); if (sc == NULL) { return GRPC_ERROR_CREATE_FROM_STATIC_STRING( "Security connector missing from client auth filter args"); } - grpc_auth_context *auth_context = + grpc_auth_context* auth_context = grpc_find_auth_context_in_args(args->channel_args); if (auth_context == NULL) { return GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -390,7 +398,7 @@ static grpc_error *init_channel_elem(grpc_exec_ctx *exec_ctx, } /* grab pointers to our data from the channel element */ - channel_data *chand = (channel_data *)elem->channel_data; + channel_data* chand = (channel_data*)elem->channel_data; /* The first and the last filters tend to be implemented differently to handle the case that there's no 'next' filter to call on the up or down @@ -399,7 +407,7 @@ static grpc_error *init_channel_elem(grpc_exec_ctx *exec_ctx, /* initialize members */ chand->security_connector = - (grpc_channel_security_connector *)GRPC_SECURITY_CONNECTOR_REF( + (grpc_channel_security_connector*)GRPC_SECURITY_CONNECTOR_REF( sc, "client_auth_filter"); chand->auth_context = GRPC_AUTH_CONTEXT_REF(auth_context, "client_auth_filter"); @@ -407,11 +415,11 @@ static grpc_error *init_channel_elem(grpc_exec_ctx *exec_ctx, } /* Destructor for channel data */ -static void destroy_channel_elem(grpc_exec_ctx *exec_ctx, - grpc_channel_element *elem) { +static void destroy_channel_elem(grpc_exec_ctx* exec_ctx, + grpc_channel_element* elem) { /* grab pointers to our data from the channel element */ - channel_data *chand = (channel_data *)elem->channel_data; - grpc_channel_security_connector *sc = chand->security_connector; + channel_data* chand = (channel_data*)elem->channel_data; + grpc_channel_security_connector* sc = chand->security_connector; if (sc != NULL) { GRPC_SECURITY_CONNECTOR_UNREF(exec_ctx, &sc->base, "client_auth_filter"); } diff --git a/src/core/lib/security/transport/lb_targets_info.cc b/src/core/lib/security/transport/lb_targets_info.cc index 947fc1addf..1655e18f37 100644 --- a/src/core/lib/security/transport/lb_targets_info.cc +++ b/src/core/lib/security/transport/lb_targets_info.cc @@ -25,33 +25,33 @@ * secure naming purposes. */ #define GRPC_ARG_LB_SECURE_NAMING_MAP "grpc.lb_secure_naming_map" -static void *targets_info_copy(void *p) { - return grpc_slice_hash_table_ref((grpc_slice_hash_table *)p); +static void* targets_info_copy(void* p) { + return grpc_slice_hash_table_ref((grpc_slice_hash_table*)p); } -static void targets_info_destroy(grpc_exec_ctx *exec_ctx, void *p) { - grpc_slice_hash_table_unref(exec_ctx, (grpc_slice_hash_table *)p); +static void targets_info_destroy(grpc_exec_ctx* exec_ctx, void* p) { + grpc_slice_hash_table_unref(exec_ctx, (grpc_slice_hash_table*)p); } -static int targets_info_cmp(void *a, void *b) { - return grpc_slice_hash_table_cmp((const grpc_slice_hash_table *)a, - (const grpc_slice_hash_table *)b); +static int targets_info_cmp(void* a, void* b) { + return grpc_slice_hash_table_cmp((const grpc_slice_hash_table*)a, + (const grpc_slice_hash_table*)b); } static const grpc_arg_pointer_vtable server_to_balancer_names_vtable = { targets_info_copy, targets_info_destroy, targets_info_cmp}; grpc_arg grpc_lb_targets_info_create_channel_arg( - grpc_slice_hash_table *targets_info) { - return grpc_channel_arg_pointer_create((char *)GRPC_ARG_LB_SECURE_NAMING_MAP, + grpc_slice_hash_table* targets_info) { + return grpc_channel_arg_pointer_create((char*)GRPC_ARG_LB_SECURE_NAMING_MAP, targets_info, &server_to_balancer_names_vtable); } -grpc_slice_hash_table *grpc_lb_targets_info_find_in_args( - const grpc_channel_args *args) { - const grpc_arg *targets_info_arg = +grpc_slice_hash_table* grpc_lb_targets_info_find_in_args( + const grpc_channel_args* args) { + const grpc_arg* targets_info_arg = grpc_channel_args_find(args, GRPC_ARG_LB_SECURE_NAMING_MAP); if (targets_info_arg != NULL) { GPR_ASSERT(targets_info_arg->type == GRPC_ARG_POINTER); - return (grpc_slice_hash_table *)targets_info_arg->value.pointer.p; + return (grpc_slice_hash_table*)targets_info_arg->value.pointer.p; } return NULL; } diff --git a/src/core/lib/security/transport/lb_targets_info.h b/src/core/lib/security/transport/lb_targets_info.h index 43f0e64556..b4a0bc91da 100644 --- a/src/core/lib/security/transport/lb_targets_info.h +++ b/src/core/lib/security/transport/lb_targets_info.h @@ -27,11 +27,11 @@ extern "C" { /** Return a channel argument containing \a targets_info. */ grpc_arg grpc_lb_targets_info_create_channel_arg( - grpc_slice_hash_table *targets_info); + grpc_slice_hash_table* targets_info); /** Return the instance of targets info in \a args or NULL */ -grpc_slice_hash_table *grpc_lb_targets_info_find_in_args( - const grpc_channel_args *args); +grpc_slice_hash_table* grpc_lb_targets_info_find_in_args( + const grpc_channel_args* args); #ifdef __cplusplus } diff --git a/src/core/lib/security/transport/secure_endpoint.cc b/src/core/lib/security/transport/secure_endpoint.cc index 5964f3ba70..b81b8a41ac 100644 --- a/src/core/lib/security/transport/secure_endpoint.cc +++ b/src/core/lib/security/transport/secure_endpoint.cc @@ -40,15 +40,15 @@ typedef struct { grpc_endpoint base; - grpc_endpoint *wrapped_ep; - struct tsi_frame_protector *protector; - struct tsi_zero_copy_grpc_protector *zero_copy_protector; + grpc_endpoint* wrapped_ep; + struct tsi_frame_protector* protector; + struct tsi_zero_copy_grpc_protector* zero_copy_protector; gpr_mu protector_mu; /* saved upper level callbacks and user_data. */ - grpc_closure *read_cb; - grpc_closure *write_cb; + grpc_closure* read_cb; + grpc_closure* write_cb; grpc_closure on_read; - grpc_slice_buffer *read_buffer; + grpc_slice_buffer* read_buffer; grpc_slice_buffer source_buffer; /* saved handshaker leftover data to unprotect. */ grpc_slice_buffer leftover_bytes; @@ -63,8 +63,8 @@ typedef struct { grpc_core::TraceFlag grpc_trace_secure_endpoint(false, "secure_endpoint"); -static void destroy(grpc_exec_ctx *exec_ctx, secure_endpoint *secure_ep) { - secure_endpoint *ep = secure_ep; +static void destroy(grpc_exec_ctx* exec_ctx, secure_endpoint* secure_ep) { + secure_endpoint* ep = secure_ep; grpc_endpoint_destroy(exec_ctx, ep->wrapped_ep); tsi_frame_protector_destroy(ep->protector); tsi_zero_copy_grpc_protector_destroy(exec_ctx, ep->zero_copy_protector); @@ -82,8 +82,8 @@ static void destroy(grpc_exec_ctx *exec_ctx, secure_endpoint *secure_ep) { secure_endpoint_unref((exec_ctx), (ep), (reason), __FILE__, __LINE__) #define SECURE_ENDPOINT_REF(ep, reason) \ secure_endpoint_ref((ep), (reason), __FILE__, __LINE__) -static void secure_endpoint_unref(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, - const char *reason, const char *file, +static void secure_endpoint_unref(grpc_exec_ctx* exec_ctx, secure_endpoint* ep, + const char* reason, const char* file, int line) { if (grpc_trace_secure_endpoint.enabled()) { gpr_atm val = gpr_atm_no_barrier_load(&ep->ref.count); @@ -96,8 +96,8 @@ static void secure_endpoint_unref(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, } } -static void secure_endpoint_ref(secure_endpoint *ep, const char *reason, - const char *file, int line) { +static void secure_endpoint_ref(secure_endpoint* ep, const char* reason, + const char* file, int line) { if (grpc_trace_secure_endpoint.enabled()) { gpr_atm val = gpr_atm_no_barrier_load(&ep->ref.count); gpr_log(file, line, GPR_LOG_SEVERITY_DEBUG, @@ -110,30 +110,30 @@ static void secure_endpoint_ref(secure_endpoint *ep, const char *reason, #define SECURE_ENDPOINT_UNREF(exec_ctx, ep, reason) \ secure_endpoint_unref((exec_ctx), (ep)) #define SECURE_ENDPOINT_REF(ep, reason) secure_endpoint_ref((ep)) -static void secure_endpoint_unref(grpc_exec_ctx *exec_ctx, - secure_endpoint *ep) { +static void secure_endpoint_unref(grpc_exec_ctx* exec_ctx, + secure_endpoint* ep) { if (gpr_unref(&ep->ref)) { destroy(exec_ctx, ep); } } -static void secure_endpoint_ref(secure_endpoint *ep) { gpr_ref(&ep->ref); } +static void secure_endpoint_ref(secure_endpoint* ep) { gpr_ref(&ep->ref); } #endif -static void flush_read_staging_buffer(secure_endpoint *ep, uint8_t **cur, - uint8_t **end) { +static void flush_read_staging_buffer(secure_endpoint* ep, uint8_t** cur, + uint8_t** end) { grpc_slice_buffer_add(ep->read_buffer, ep->read_staging_buffer); ep->read_staging_buffer = GRPC_SLICE_MALLOC(STAGING_BUFFER_SIZE); *cur = GRPC_SLICE_START_PTR(ep->read_staging_buffer); *end = GRPC_SLICE_END_PTR(ep->read_staging_buffer); } -static void call_read_cb(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, - grpc_error *error) { +static void call_read_cb(grpc_exec_ctx* exec_ctx, secure_endpoint* ep, + grpc_error* error) { if (grpc_trace_secure_endpoint.enabled()) { size_t i; for (i = 0; i < ep->read_buffer->count; i++) { - char *data = grpc_dump_slice(ep->read_buffer->slices[i], + char* data = grpc_dump_slice(ep->read_buffer->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII); gpr_log(GPR_DEBUG, "READ %p: %s", ep, data); gpr_free(data); @@ -144,19 +144,20 @@ static void call_read_cb(grpc_exec_ctx *exec_ctx, secure_endpoint *ep, SECURE_ENDPOINT_UNREF(exec_ctx, ep, "read"); } -static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, - grpc_error *error) { +static void on_read(grpc_exec_ctx* exec_ctx, void* user_data, + grpc_error* error) { unsigned i; uint8_t keep_looping = 0; tsi_result result = TSI_OK; - secure_endpoint *ep = (secure_endpoint *)user_data; - uint8_t *cur = GRPC_SLICE_START_PTR(ep->read_staging_buffer); - uint8_t *end = GRPC_SLICE_END_PTR(ep->read_staging_buffer); + secure_endpoint* ep = (secure_endpoint*)user_data; + uint8_t* cur = GRPC_SLICE_START_PTR(ep->read_staging_buffer); + uint8_t* end = GRPC_SLICE_END_PTR(ep->read_staging_buffer); if (error != GRPC_ERROR_NONE) { grpc_slice_buffer_reset_and_unref_internal(exec_ctx, ep->read_buffer); - call_read_cb(exec_ctx, ep, GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( - "Secure read failed", &error, 1)); + call_read_cb(exec_ctx, ep, + GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( + "Secure read failed", &error, 1)); return; } @@ -169,7 +170,7 @@ static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, /* TODO(yangg) check error, maybe bail out early */ for (i = 0; i < ep->source_buffer.count; i++) { grpc_slice encrypted = ep->source_buffer.slices[i]; - uint8_t *message_bytes = GRPC_SLICE_START_PTR(encrypted); + uint8_t* message_bytes = GRPC_SLICE_START_PTR(encrypted); size_t message_size = GRPC_SLICE_LENGTH(encrypted); while (message_size > 0 || keep_looping) { @@ -230,9 +231,9 @@ static void on_read(grpc_exec_ctx *exec_ctx, void *user_data, call_read_cb(exec_ctx, ep, GRPC_ERROR_NONE); } -static void endpoint_read(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, - grpc_slice_buffer *slices, grpc_closure *cb) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_read(grpc_exec_ctx* exec_ctx, grpc_endpoint* secure_ep, + grpc_slice_buffer* slices, grpc_closure* cb) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; ep->read_cb = cb; ep->read_buffer = slices; grpc_slice_buffer_reset_and_unref_internal(exec_ctx, ep->read_buffer); @@ -249,29 +250,29 @@ static void endpoint_read(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, &ep->on_read); } -static void flush_write_staging_buffer(secure_endpoint *ep, uint8_t **cur, - uint8_t **end) { +static void flush_write_staging_buffer(secure_endpoint* ep, uint8_t** cur, + uint8_t** end) { grpc_slice_buffer_add(&ep->output_buffer, ep->write_staging_buffer); ep->write_staging_buffer = GRPC_SLICE_MALLOC(STAGING_BUFFER_SIZE); *cur = GRPC_SLICE_START_PTR(ep->write_staging_buffer); *end = GRPC_SLICE_END_PTR(ep->write_staging_buffer); } -static void endpoint_write(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, - grpc_slice_buffer *slices, grpc_closure *cb) { +static void endpoint_write(grpc_exec_ctx* exec_ctx, grpc_endpoint* secure_ep, + grpc_slice_buffer* slices, grpc_closure* cb) { GPR_TIMER_BEGIN("secure_endpoint.endpoint_write", 0); unsigned i; tsi_result result = TSI_OK; - secure_endpoint *ep = (secure_endpoint *)secure_ep; - uint8_t *cur = GRPC_SLICE_START_PTR(ep->write_staging_buffer); - uint8_t *end = GRPC_SLICE_END_PTR(ep->write_staging_buffer); + secure_endpoint* ep = (secure_endpoint*)secure_ep; + uint8_t* cur = GRPC_SLICE_START_PTR(ep->write_staging_buffer); + uint8_t* end = GRPC_SLICE_END_PTR(ep->write_staging_buffer); grpc_slice_buffer_reset_and_unref_internal(exec_ctx, &ep->output_buffer); if (grpc_trace_secure_endpoint.enabled()) { for (i = 0; i < slices->count; i++) { - char *data = + char* data = grpc_dump_slice(slices->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII); gpr_log(GPR_DEBUG, "WRITE %p: %s", ep, data); gpr_free(data); @@ -286,7 +287,7 @@ static void endpoint_write(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, // Use frame protector to protect. for (i = 0; i < slices->count; i++) { grpc_slice plain = slices->slices[i]; - uint8_t *message_bytes = GRPC_SLICE_START_PTR(plain); + uint8_t* message_bytes = GRPC_SLICE_START_PTR(plain); size_t message_size = GRPC_SLICE_LENGTH(plain); while (message_size > 0) { size_t protected_buffer_size_to_send = (size_t)(end - cur); @@ -352,45 +353,52 @@ static void endpoint_write(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, GPR_TIMER_END("secure_endpoint.endpoint_write", 0); } -static void endpoint_shutdown(grpc_exec_ctx *exec_ctx, grpc_endpoint *secure_ep, - grpc_error *why) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_shutdown(grpc_exec_ctx* exec_ctx, grpc_endpoint* secure_ep, + grpc_error* why) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; grpc_endpoint_shutdown(exec_ctx, ep->wrapped_ep, why); } -static void endpoint_destroy(grpc_exec_ctx *exec_ctx, - grpc_endpoint *secure_ep) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_destroy(grpc_exec_ctx* exec_ctx, + grpc_endpoint* secure_ep) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; SECURE_ENDPOINT_UNREF(exec_ctx, ep, "destroy"); } -static void endpoint_add_to_pollset(grpc_exec_ctx *exec_ctx, - grpc_endpoint *secure_ep, - grpc_pollset *pollset) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_add_to_pollset(grpc_exec_ctx* exec_ctx, + grpc_endpoint* secure_ep, + grpc_pollset* pollset) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; grpc_endpoint_add_to_pollset(exec_ctx, ep->wrapped_ep, pollset); } -static void endpoint_add_to_pollset_set(grpc_exec_ctx *exec_ctx, - grpc_endpoint *secure_ep, - grpc_pollset_set *pollset_set) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_add_to_pollset_set(grpc_exec_ctx* exec_ctx, + grpc_endpoint* secure_ep, + grpc_pollset_set* pollset_set) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; grpc_endpoint_add_to_pollset_set(exec_ctx, ep->wrapped_ep, pollset_set); } -static char *endpoint_get_peer(grpc_endpoint *secure_ep) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static void endpoint_delete_from_pollset_set(grpc_exec_ctx* exec_ctx, + grpc_endpoint* secure_ep, + grpc_pollset_set* pollset_set) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; + grpc_endpoint_delete_from_pollset_set(exec_ctx, ep->wrapped_ep, pollset_set); +} + +static char* endpoint_get_peer(grpc_endpoint* secure_ep) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; return grpc_endpoint_get_peer(ep->wrapped_ep); } -static int endpoint_get_fd(grpc_endpoint *secure_ep) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static int endpoint_get_fd(grpc_endpoint* secure_ep) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; return grpc_endpoint_get_fd(ep->wrapped_ep); } -static grpc_resource_user *endpoint_get_resource_user( - grpc_endpoint *secure_ep) { - secure_endpoint *ep = (secure_endpoint *)secure_ep; +static grpc_resource_user* endpoint_get_resource_user( + grpc_endpoint* secure_ep) { + secure_endpoint* ep = (secure_endpoint*)secure_ep; return grpc_endpoint_get_resource_user(ep->wrapped_ep); } @@ -398,19 +406,20 @@ static const grpc_endpoint_vtable vtable = {endpoint_read, endpoint_write, endpoint_add_to_pollset, endpoint_add_to_pollset_set, + endpoint_delete_from_pollset_set, endpoint_shutdown, endpoint_destroy, endpoint_get_resource_user, endpoint_get_peer, endpoint_get_fd}; -grpc_endpoint *grpc_secure_endpoint_create( - struct tsi_frame_protector *protector, - struct tsi_zero_copy_grpc_protector *zero_copy_protector, - grpc_endpoint *transport, grpc_slice *leftover_slices, +grpc_endpoint* grpc_secure_endpoint_create( + struct tsi_frame_protector* protector, + struct tsi_zero_copy_grpc_protector* zero_copy_protector, + grpc_endpoint* transport, grpc_slice* leftover_slices, size_t leftover_nslices) { size_t i; - secure_endpoint *ep = (secure_endpoint *)gpr_malloc(sizeof(secure_endpoint)); + secure_endpoint* ep = (secure_endpoint*)gpr_malloc(sizeof(secure_endpoint)); ep->base.vtable = &vtable; ep->wrapped_ep = transport; ep->protector = protector; diff --git a/src/core/lib/security/transport/secure_endpoint.h b/src/core/lib/security/transport/secure_endpoint.h index 4748c8809c..92c457421b 100644 --- a/src/core/lib/security/transport/secure_endpoint.h +++ b/src/core/lib/security/transport/secure_endpoint.h @@ -34,10 +34,10 @@ extern grpc_core::TraceFlag grpc_trace_secure_endpoint; /* Takes ownership of protector, zero_copy_protector, and to_wrap, and refs * leftover_slices. If zero_copy_protector is not NULL, protector will never be * used. */ -grpc_endpoint *grpc_secure_endpoint_create( - struct tsi_frame_protector *protector, - struct tsi_zero_copy_grpc_protector *zero_copy_protector, - grpc_endpoint *to_wrap, grpc_slice *leftover_slices, +grpc_endpoint* grpc_secure_endpoint_create( + struct tsi_frame_protector* protector, + struct tsi_zero_copy_grpc_protector* zero_copy_protector, + grpc_endpoint* to_wrap, grpc_slice* leftover_slices, size_t leftover_nslices); #ifdef __cplusplus diff --git a/src/core/lib/security/transport/security_connector.cc b/src/core/lib/security/transport/security_connector.cc index 9c5c53e67e..23e92c0b8f 100644 --- a/src/core/lib/security/transport/security_connector.cc +++ b/src/core/lib/security/transport/security_connector.cc @@ -34,6 +34,7 @@ #include "src/core/lib/security/context/security_context.h" #include "src/core/lib/security/credentials/credentials.h" #include "src/core/lib/security/credentials/fake/fake_credentials.h" +#include "src/core/lib/security/credentials/ssl/ssl_credentials.h" #include "src/core/lib/security/transport/lb_targets_info.h" #include "src/core/lib/security/transport/secure_endpoint.h" #include "src/core/lib/security/transport/security_handshaker.h" @@ -51,9 +52,9 @@ grpc_core::TraceFlag grpc_trace_security_connector_refcount( /* -- Constants. -- */ #ifndef INSTALL_PREFIX -static const char *installed_roots_path = "/usr/share/grpc/roots.pem"; +static const char* installed_roots_path = "/usr/share/grpc/roots.pem"; #else -static const char *installed_roots_path = +static const char* installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem"; #endif @@ -73,14 +74,14 @@ void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) { "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384" static gpr_once cipher_suites_once = GPR_ONCE_INIT; -static const char *cipher_suites = NULL; +static const char* cipher_suites = NULL; static void init_cipher_suites(void) { - char *overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES"); + char* overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES"); cipher_suites = overridden != NULL ? overridden : GRPC_SSL_CIPHER_SUITES; } -static const char *ssl_cipher_suites(void) { +static const char* ssl_cipher_suites(void) { gpr_once_init(&cipher_suites_once, init_cipher_suites); return cipher_suites; } @@ -88,12 +89,12 @@ static const char *ssl_cipher_suites(void) { /* -- Common methods. -- */ /* Returns the first property with that name. */ -const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer, - const char *name) { +const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer, + const char* name) { size_t i; if (peer == NULL) return NULL; for (i = 0; i < peer->property_count; i++) { - const tsi_peer_property *property = &peer->properties[i]; + const tsi_peer_property* property = &peer->properties[i]; if (name == NULL && property->name == NULL) { return property; } @@ -106,26 +107,26 @@ const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer, } void grpc_channel_security_connector_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *connector, - grpc_handshake_manager *handshake_mgr) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* connector, + grpc_handshake_manager* handshake_mgr) { if (connector != NULL) { connector->add_handshakers(exec_ctx, connector, handshake_mgr); } } void grpc_server_security_connector_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_server_security_connector *connector, - grpc_handshake_manager *handshake_mgr) { + grpc_exec_ctx* exec_ctx, grpc_server_security_connector* connector, + grpc_handshake_manager* handshake_mgr) { if (connector != NULL) { connector->add_handshakers(exec_ctx, connector, handshake_mgr); } } -void grpc_security_connector_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, +void grpc_security_connector_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { if (sc == NULL) { GRPC_CLOSURE_SCHED(exec_ctx, on_peer_checked, GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -136,43 +137,43 @@ void grpc_security_connector_check_peer(grpc_exec_ctx *exec_ctx, } } -int grpc_security_connector_cmp(grpc_security_connector *sc, - grpc_security_connector *other) { +int grpc_security_connector_cmp(grpc_security_connector* sc, + grpc_security_connector* other) { if (sc == NULL || other == NULL) return GPR_ICMP(sc, other); int c = GPR_ICMP(sc->vtable, other->vtable); if (c != 0) return c; return sc->vtable->cmp(sc, other); } -int grpc_channel_security_connector_cmp(grpc_channel_security_connector *sc1, - grpc_channel_security_connector *sc2) { +int grpc_channel_security_connector_cmp(grpc_channel_security_connector* sc1, + grpc_channel_security_connector* sc2) { GPR_ASSERT(sc1->channel_creds != NULL); GPR_ASSERT(sc2->channel_creds != NULL); int c = GPR_ICMP(sc1->channel_creds, sc2->channel_creds); if (c != 0) return c; c = GPR_ICMP(sc1->request_metadata_creds, sc2->request_metadata_creds); if (c != 0) return c; - c = GPR_ICMP((void *)sc1->check_call_host, (void *)sc2->check_call_host); + c = GPR_ICMP((void*)sc1->check_call_host, (void*)sc2->check_call_host); if (c != 0) return c; - c = GPR_ICMP((void *)sc1->cancel_check_call_host, - (void *)sc2->cancel_check_call_host); + c = GPR_ICMP((void*)sc1->cancel_check_call_host, + (void*)sc2->cancel_check_call_host); if (c != 0) return c; - return GPR_ICMP((void *)sc1->add_handshakers, (void *)sc2->add_handshakers); + return GPR_ICMP((void*)sc1->add_handshakers, (void*)sc2->add_handshakers); } -int grpc_server_security_connector_cmp(grpc_server_security_connector *sc1, - grpc_server_security_connector *sc2) { +int grpc_server_security_connector_cmp(grpc_server_security_connector* sc1, + grpc_server_security_connector* sc2) { GPR_ASSERT(sc1->server_creds != NULL); GPR_ASSERT(sc2->server_creds != NULL); int c = GPR_ICMP(sc1->server_creds, sc2->server_creds); if (c != 0) return c; - return GPR_ICMP((void *)sc1->add_handshakers, (void *)sc2->add_handshakers); + return GPR_ICMP((void*)sc1->add_handshakers, (void*)sc2->add_handshakers); } bool grpc_channel_security_connector_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - const char *host, grpc_auth_context *auth_context, - grpc_closure *on_call_host_checked, grpc_error **error) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + const char* host, grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, grpc_error** error) { if (sc == NULL || sc->check_call_host == NULL) { *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( "cannot check call host -- no security connector"); @@ -183,8 +184,8 @@ bool grpc_channel_security_connector_check_call_host( } void grpc_channel_security_connector_cancel_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_closure *on_call_host_checked, grpc_error *error) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + grpc_closure* on_call_host_checked, grpc_error* error) { if (sc == NULL || sc->cancel_check_call_host == NULL) { GRPC_ERROR_UNREF(error); return; @@ -193,9 +194,9 @@ void grpc_channel_security_connector_cancel_check_call_host( } #ifndef NDEBUG -grpc_security_connector *grpc_security_connector_ref( - grpc_security_connector *sc, const char *file, int line, - const char *reason) { +grpc_security_connector* grpc_security_connector_ref( + grpc_security_connector* sc, const char* file, int line, + const char* reason) { if (sc == NULL) return NULL; if (grpc_trace_security_connector_refcount.enabled()) { gpr_atm val = gpr_atm_no_barrier_load(&sc->refcount.count); @@ -204,8 +205,8 @@ grpc_security_connector *grpc_security_connector_ref( val, val + 1, reason); } #else -grpc_security_connector *grpc_security_connector_ref( - grpc_security_connector *sc) { +grpc_security_connector* grpc_security_connector_ref( + grpc_security_connector* sc) { if (sc == NULL) return NULL; #endif gpr_ref(&sc->refcount); @@ -213,10 +214,10 @@ grpc_security_connector *grpc_security_connector_ref( } #ifndef NDEBUG -void grpc_security_connector_unref(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, - const char *file, int line, - const char *reason) { +void grpc_security_connector_unref(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, + const char* file, int line, + const char* reason) { if (sc == NULL) return; if (grpc_trace_security_connector_refcount.enabled()) { gpr_atm val = gpr_atm_no_barrier_load(&sc->refcount.count); @@ -225,87 +226,111 @@ void grpc_security_connector_unref(grpc_exec_ctx *exec_ctx, val, val - 1, reason); } #else -void grpc_security_connector_unref(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc) { +void grpc_security_connector_unref(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc) { if (sc == NULL) return; #endif if (gpr_unref(&sc->refcount)) sc->vtable->destroy(exec_ctx, sc); } -static void connector_arg_destroy(grpc_exec_ctx *exec_ctx, void *p) { - GRPC_SECURITY_CONNECTOR_UNREF(exec_ctx, (grpc_security_connector *)p, +static void connector_arg_destroy(grpc_exec_ctx* exec_ctx, void* p) { + GRPC_SECURITY_CONNECTOR_UNREF(exec_ctx, (grpc_security_connector*)p, "connector_arg_destroy"); } -static void *connector_arg_copy(void *p) { - return GRPC_SECURITY_CONNECTOR_REF((grpc_security_connector *)p, +static void* connector_arg_copy(void* p) { + return GRPC_SECURITY_CONNECTOR_REF((grpc_security_connector*)p, "connector_arg_copy"); } -static int connector_cmp(void *a, void *b) { - return grpc_security_connector_cmp((grpc_security_connector *)a, - (grpc_security_connector *)b); +static int connector_cmp(void* a, void* b) { + return grpc_security_connector_cmp((grpc_security_connector*)a, + (grpc_security_connector*)b); } static const grpc_arg_pointer_vtable connector_arg_vtable = { connector_arg_copy, connector_arg_destroy, connector_cmp}; -grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc) { - return grpc_channel_arg_pointer_create((char *)GRPC_ARG_SECURITY_CONNECTOR, - sc, &connector_arg_vtable); +grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc) { + return grpc_channel_arg_pointer_create((char*)GRPC_ARG_SECURITY_CONNECTOR, sc, + &connector_arg_vtable); } -grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg) { +grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg) { if (strcmp(arg->key, GRPC_ARG_SECURITY_CONNECTOR)) return NULL; if (arg->type != GRPC_ARG_POINTER) { gpr_log(GPR_ERROR, "Invalid type %d for arg %s", arg->type, GRPC_ARG_SECURITY_CONNECTOR); return NULL; } - return (grpc_security_connector *)arg->value.pointer.p; + return (grpc_security_connector*)arg->value.pointer.p; } -grpc_security_connector *grpc_security_connector_find_in_args( - const grpc_channel_args *args) { +grpc_security_connector* grpc_security_connector_find_in_args( + const grpc_channel_args* args) { size_t i; if (args == NULL) return NULL; for (i = 0; i < args->num_args; i++) { - grpc_security_connector *sc = + grpc_security_connector* sc = grpc_security_connector_from_arg(&args->args[i]); if (sc != NULL) return sc; } return NULL; } +static tsi_client_certificate_request_type +get_tsi_client_certificate_request_type( + grpc_ssl_client_certificate_request_type grpc_request_type) { + switch (grpc_request_type) { + case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE: + return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; + + case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: + return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; + + case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: + return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY; + + case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: + return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; + + case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: + return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY; + + default: + return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; + } +} + /* -- Fake implementation. -- */ typedef struct { grpc_channel_security_connector base; - char *target; - char *expected_targets; + char* target; + char* expected_targets; bool is_lb_channel; } grpc_fake_channel_security_connector; -static void fake_channel_destroy(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc) { - grpc_fake_channel_security_connector *c = - (grpc_fake_channel_security_connector *)sc; +static void fake_channel_destroy(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc) { + grpc_fake_channel_security_connector* c = + (grpc_fake_channel_security_connector*)sc; grpc_call_credentials_unref(exec_ctx, c->base.request_metadata_creds); gpr_free(c->target); gpr_free(c->expected_targets); gpr_free(c); } -static void fake_server_destroy(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc) { +static void fake_server_destroy(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc) { gpr_free(sc); } -static bool fake_check_target(const char *target_type, const char *target, - const char *set_str) { +static bool fake_check_target(const char* target_type, const char* target, + const char* set_str) { GPR_ASSERT(target_type != NULL); GPR_ASSERT(target != NULL); - char **set = NULL; + char** set = NULL; size_t set_size = 0; gpr_string_split(set_str, ",", &set, &set_size); bool found = false; @@ -319,11 +344,11 @@ static bool fake_check_target(const char *target_type, const char *target, return found; } -static void fake_secure_name_check(const char *target, - const char *expected_targets, +static void fake_secure_name_check(const char* target, + const char* expected_targets, bool is_lb_channel) { if (expected_targets == NULL) return; - char **lbs_and_backends = NULL; + char** lbs_and_backends = NULL; size_t lbs_and_backends_size = 0; bool success = false; gpr_string_split(expected_targets, ";", &lbs_and_backends, @@ -363,12 +388,12 @@ done: if (!success) abort(); } -static void fake_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { - const char *prop_name; - grpc_error *error = GRPC_ERROR_NONE; +static void fake_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { + const char* prop_name; + grpc_error* error = GRPC_ERROR_NONE; *auth_context = NULL; if (peer.property_count != 1) { error = GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -378,7 +403,7 @@ static void fake_check_peer(grpc_exec_ctx *exec_ctx, prop_name = peer.properties[0].name; if (prop_name == NULL || strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) { - char *msg; + char* msg; gpr_asprintf(&msg, "Unexpected property in fake peer: %s.", prop_name == NULL ? "<EMPTY>" : prop_name); error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); @@ -400,29 +425,29 @@ end: tsi_peer_destruct(&peer); } -static void fake_channel_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { +static void fake_channel_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { fake_check_peer(exec_ctx, sc, peer, auth_context, on_peer_checked); - grpc_fake_channel_security_connector *c = - (grpc_fake_channel_security_connector *)sc; + grpc_fake_channel_security_connector* c = + (grpc_fake_channel_security_connector*)sc; fake_secure_name_check(c->target, c->expected_targets, c->is_lb_channel); } -static void fake_server_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { +static void fake_server_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { fake_check_peer(exec_ctx, sc, peer, auth_context, on_peer_checked); } -static int fake_channel_cmp(grpc_security_connector *sc1, - grpc_security_connector *sc2) { - grpc_fake_channel_security_connector *c1 = - (grpc_fake_channel_security_connector *)sc1; - grpc_fake_channel_security_connector *c2 = - (grpc_fake_channel_security_connector *)sc2; +static int fake_channel_cmp(grpc_security_connector* sc1, + grpc_security_connector* sc2) { + grpc_fake_channel_security_connector* c1 = + (grpc_fake_channel_security_connector*)sc1; + grpc_fake_channel_security_connector* c2 = + (grpc_fake_channel_security_connector*)sc2; int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base); if (c != 0) return c; c = strcmp(c1->target, c2->target); @@ -436,31 +461,31 @@ static int fake_channel_cmp(grpc_security_connector *sc1, return GPR_ICMP(c1->is_lb_channel, c2->is_lb_channel); } -static int fake_server_cmp(grpc_security_connector *sc1, - grpc_security_connector *sc2) { +static int fake_server_cmp(grpc_security_connector* sc1, + grpc_security_connector* sc2) { return grpc_server_security_connector_cmp( - (grpc_server_security_connector *)sc1, - (grpc_server_security_connector *)sc2); + (grpc_server_security_connector*)sc1, + (grpc_server_security_connector*)sc2); } -static bool fake_channel_check_call_host(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, - const char *host, - grpc_auth_context *auth_context, - grpc_closure *on_call_host_checked, - grpc_error **error) { +static bool fake_channel_check_call_host(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, + const char* host, + grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, + grpc_error** error) { return true; } static void fake_channel_cancel_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_closure *on_call_host_checked, grpc_error *error) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + grpc_closure* on_call_host_checked, grpc_error* error) { GRPC_ERROR_UNREF(error); } static void fake_channel_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_handshake_manager *handshake_mgr) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + grpc_handshake_manager* handshake_mgr) { grpc_handshake_manager_add( handshake_mgr, grpc_security_handshaker_create( @@ -468,9 +493,9 @@ static void fake_channel_add_handshakers( &sc->base)); } -static void fake_server_add_handshakers(grpc_exec_ctx *exec_ctx, - grpc_server_security_connector *sc, - grpc_handshake_manager *handshake_mgr) { +static void fake_server_add_handshakers(grpc_exec_ctx* exec_ctx, + grpc_server_security_connector* sc, + grpc_handshake_manager* handshake_mgr) { grpc_handshake_manager_add( handshake_mgr, grpc_security_handshaker_create( @@ -484,12 +509,12 @@ static grpc_security_connector_vtable fake_channel_vtable = { static grpc_security_connector_vtable fake_server_vtable = { fake_server_destroy, fake_server_check_peer, fake_server_cmp}; -grpc_channel_security_connector *grpc_fake_channel_security_connector_create( - grpc_channel_credentials *channel_creds, - grpc_call_credentials *request_metadata_creds, const char *target, - const grpc_channel_args *args) { - grpc_fake_channel_security_connector *c = - (grpc_fake_channel_security_connector *)gpr_zalloc(sizeof(*c)); +grpc_channel_security_connector* grpc_fake_channel_security_connector_create( + grpc_channel_credentials* channel_creds, + grpc_call_credentials* request_metadata_creds, const char* target, + const grpc_channel_args* args) { + grpc_fake_channel_security_connector* c = + (grpc_fake_channel_security_connector*)gpr_zalloc(sizeof(*c)); gpr_ref_init(&c->base.base.refcount, 1); c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME; c->base.base.vtable = &fake_channel_vtable; @@ -500,16 +525,16 @@ grpc_channel_security_connector *grpc_fake_channel_security_connector_create( c->base.cancel_check_call_host = fake_channel_cancel_check_call_host; c->base.add_handshakers = fake_channel_add_handshakers; c->target = gpr_strdup(target); - const char *expected_targets = grpc_fake_transport_get_expected_targets(args); + const char* expected_targets = grpc_fake_transport_get_expected_targets(args); c->expected_targets = gpr_strdup(expected_targets); c->is_lb_channel = (grpc_lb_targets_info_find_in_args(args) != NULL); return &c->base; } -grpc_server_security_connector *grpc_fake_server_security_connector_create( - grpc_server_credentials *server_creds) { - grpc_server_security_connector *c = - (grpc_server_security_connector *)gpr_zalloc( +grpc_server_security_connector* grpc_fake_server_security_connector_create( + grpc_server_credentials* server_creds) { + grpc_server_security_connector* c = + (grpc_server_security_connector*)gpr_zalloc( sizeof(grpc_server_security_connector)); gpr_ref_init(&c->base.refcount, 1); c->base.vtable = &fake_server_vtable; @@ -523,20 +548,29 @@ grpc_server_security_connector *grpc_fake_server_security_connector_create( typedef struct { grpc_channel_security_connector base; - tsi_ssl_client_handshaker_factory *client_handshaker_factory; - char *target_name; - char *overridden_target_name; + tsi_ssl_client_handshaker_factory* client_handshaker_factory; + char* target_name; + char* overridden_target_name; } grpc_ssl_channel_security_connector; typedef struct { grpc_server_security_connector base; - tsi_ssl_server_handshaker_factory *server_handshaker_factory; + tsi_ssl_server_handshaker_factory* server_handshaker_factory; } grpc_ssl_server_security_connector; -static void ssl_channel_destroy(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc) { - grpc_ssl_channel_security_connector *c = - (grpc_ssl_channel_security_connector *)sc; +static bool server_connector_has_cert_config_fetcher( + grpc_ssl_server_security_connector* c) { + GPR_ASSERT(c != NULL); + grpc_ssl_server_credentials* server_creds = + (grpc_ssl_server_credentials*)c->base.server_creds; + GPR_ASSERT(server_creds != NULL); + return server_creds->certificate_config_fetcher.cb != NULL; +} + +static void ssl_channel_destroy(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc) { + grpc_ssl_channel_security_connector* c = + (grpc_ssl_channel_security_connector*)sc; grpc_channel_credentials_unref(exec_ctx, c->base.channel_creds); grpc_call_credentials_unref(exec_ctx, c->base.request_metadata_creds); tsi_ssl_client_handshaker_factory_unref(c->client_handshaker_factory); @@ -546,23 +580,23 @@ static void ssl_channel_destroy(grpc_exec_ctx *exec_ctx, gpr_free(sc); } -static void ssl_server_destroy(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc) { - grpc_ssl_server_security_connector *c = - (grpc_ssl_server_security_connector *)sc; +static void ssl_server_destroy(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc) { + grpc_ssl_server_security_connector* c = + (grpc_ssl_server_security_connector*)sc; grpc_server_credentials_unref(exec_ctx, c->base.server_creds); tsi_ssl_server_handshaker_factory_unref(c->server_handshaker_factory); c->server_handshaker_factory = NULL; gpr_free(sc); } -static void ssl_channel_add_handshakers(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, - grpc_handshake_manager *handshake_mgr) { - grpc_ssl_channel_security_connector *c = - (grpc_ssl_channel_security_connector *)sc; +static void ssl_channel_add_handshakers(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, + grpc_handshake_manager* handshake_mgr) { + grpc_ssl_channel_security_connector* c = + (grpc_ssl_channel_security_connector*)sc; // Instantiate TSI handshaker. - tsi_handshaker *tsi_hs = NULL; + tsi_handshaker* tsi_hs = NULL; tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker( c->client_handshaker_factory, c->overridden_target_name != NULL ? c->overridden_target_name @@ -573,7 +607,6 @@ static void ssl_channel_add_handshakers(grpc_exec_ctx *exec_ctx, tsi_result_to_string(result)); return; } - // Create handshakers. grpc_handshake_manager_add( handshake_mgr, @@ -581,13 +614,103 @@ static void ssl_channel_add_handshakers(grpc_exec_ctx *exec_ctx, exec_ctx, tsi_create_adapter_handshaker(tsi_hs), &sc->base)); } -static void ssl_server_add_handshakers(grpc_exec_ctx *exec_ctx, - grpc_server_security_connector *sc, - grpc_handshake_manager *handshake_mgr) { - grpc_ssl_server_security_connector *c = - (grpc_ssl_server_security_connector *)sc; +static const char** fill_alpn_protocol_strings(size_t* num_alpn_protocols) { + GPR_ASSERT(num_alpn_protocols != NULL); + *num_alpn_protocols = grpc_chttp2_num_alpn_versions(); + const char** alpn_protocol_strings = + (const char**)gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)); + for (size_t i = 0; i < *num_alpn_protocols; i++) { + alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i); + } + return alpn_protocol_strings; +} + +/* Attempts to replace the server_handshaker_factory with a new factory using + * the provided grpc_ssl_server_certificate_config. Should new factory creation + * fail, the existing factory will not be replaced. Returns true on success (new + * factory created). */ +static bool try_replace_server_handshaker_factory( + grpc_ssl_server_security_connector* sc, + const grpc_ssl_server_certificate_config* config) { + if (config == NULL) { + gpr_log(GPR_ERROR, + "Server certificate config callback returned invalid (NULL) " + "config."); + return false; + } + gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config); + + size_t num_alpn_protocols = 0; + const char** alpn_protocol_strings = + fill_alpn_protocol_strings(&num_alpn_protocols); + tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs( + config->pem_key_cert_pairs, config->num_key_cert_pairs); + tsi_ssl_server_handshaker_factory* new_handshaker_factory = NULL; + grpc_ssl_server_credentials* server_creds = + (grpc_ssl_server_credentials*)sc->base.server_creds; + tsi_result result = tsi_create_ssl_server_handshaker_factory_ex( + cert_pairs, config->num_key_cert_pairs, config->pem_root_certs, + get_tsi_client_certificate_request_type( + server_creds->config.client_certificate_request), + ssl_cipher_suites(), alpn_protocol_strings, (uint16_t)num_alpn_protocols, + &new_handshaker_factory); + gpr_free(cert_pairs); + gpr_free((void*)alpn_protocol_strings); + + if (result != TSI_OK) { + gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", + tsi_result_to_string(result)); + return false; + } + tsi_ssl_server_handshaker_factory_unref(sc->server_handshaker_factory); + sc->server_handshaker_factory = new_handshaker_factory; + return true; +} + +/* Attempts to fetch the server certificate config if a callback is available. + * Current certificate config will continue to be used if the callback returns + * an error. Returns true if new credentials were sucessfully loaded. */ +static bool try_fetch_ssl_server_credentials( + grpc_ssl_server_security_connector* sc) { + grpc_ssl_server_certificate_config* certificate_config = NULL; + bool status; + + GPR_ASSERT(sc != NULL); + if (!server_connector_has_cert_config_fetcher(sc)) return false; + + grpc_ssl_server_credentials* server_creds = + (grpc_ssl_server_credentials*)sc->base.server_creds; + grpc_ssl_certificate_config_reload_status cb_result = + server_creds->certificate_config_fetcher.cb( + server_creds->certificate_config_fetcher.user_data, + &certificate_config); + if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) { + gpr_log(GPR_DEBUG, "No change in SSL server credentials."); + status = false; + } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) { + status = try_replace_server_handshaker_factory(sc, certificate_config); + } else { + // Log error, continue using previously-loaded credentials. + gpr_log(GPR_ERROR, + "Failed fetching new server credentials, continuing to " + "use previously-loaded credentials."); + status = false; + } + + if (certificate_config != NULL) { + grpc_ssl_server_certificate_config_destroy(certificate_config); + } + return status; +} + +static void ssl_server_add_handshakers(grpc_exec_ctx* exec_ctx, + grpc_server_security_connector* sc, + grpc_handshake_manager* handshake_mgr) { + grpc_ssl_server_security_connector* c = + (grpc_ssl_server_security_connector*)sc; // Instantiate TSI handshaker. - tsi_handshaker *tsi_hs = NULL; + try_fetch_ssl_server_credentials(c); + tsi_handshaker* tsi_hs = NULL; tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker( c->server_handshaker_factory, &tsi_hs); if (result != TSI_OK) { @@ -595,7 +718,6 @@ static void ssl_server_add_handshakers(grpc_exec_ctx *exec_ctx, tsi_result_to_string(result)); return; } - // Create handshakers. grpc_handshake_manager_add( handshake_mgr, @@ -603,12 +725,12 @@ static void ssl_server_add_handshakers(grpc_exec_ctx *exec_ctx, exec_ctx, tsi_create_adapter_handshaker(tsi_hs), &sc->base)); } -static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) { - char *allocated_name = NULL; +static int ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) { + char* allocated_name = NULL; int r; if (strchr(peer_name, ':') != NULL) { - char *ignored_port; + char* ignored_port; gpr_split_host_port(peer_name, &allocated_name, &ignored_port); gpr_free(ignored_port); peer_name = allocated_name; @@ -619,10 +741,10 @@ static int ssl_host_matches_name(const tsi_peer *peer, const char *peer_name) { return r; } -grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) { +grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer) { size_t i; - grpc_auth_context *ctx = NULL; - const char *peer_identity_property_name = NULL; + grpc_auth_context* ctx = NULL; + const char* peer_identity_property_name = NULL; /* The caller has checked the certificate type property. */ GPR_ASSERT(peer->property_count >= 1); @@ -631,7 +753,7 @@ grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) { ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME, GRPC_SSL_TRANSPORT_SECURITY_TYPE); for (i = 0; i < peer->property_count; i++) { - const tsi_peer_property *prop = &peer->properties[i]; + const tsi_peer_property* prop = &peer->properties[i]; if (prop->name == NULL) continue; if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) { /* If there is no subject alt name, have the CN as the identity. */ @@ -657,11 +779,11 @@ grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer) { return ctx; } -static grpc_error *ssl_check_peer(grpc_security_connector *sc, - const char *peer_name, const tsi_peer *peer, - grpc_auth_context **auth_context) { +static grpc_error* ssl_check_peer(grpc_security_connector* sc, + const char* peer_name, const tsi_peer* peer, + grpc_auth_context** auth_context) { /* Check the ALPN. */ - const tsi_peer_property *p = + const tsi_peer_property* p = tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL); if (p == NULL) { return GRPC_ERROR_CREATE_FROM_STATIC_STRING( @@ -674,9 +796,9 @@ static grpc_error *ssl_check_peer(grpc_security_connector *sc, /* Check the peer name if specified. */ if (peer_name != NULL && !ssl_host_matches_name(peer, peer_name)) { - char *msg; + char* msg; gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name); - grpc_error *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); + grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg); gpr_free(msg); return error; } @@ -684,35 +806,36 @@ static grpc_error *ssl_check_peer(grpc_security_connector *sc, return GRPC_ERROR_NONE; } -static void ssl_channel_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { - grpc_ssl_channel_security_connector *c = - (grpc_ssl_channel_security_connector *)sc; - grpc_error *error = ssl_check_peer(sc, c->overridden_target_name != NULL - ? c->overridden_target_name - : c->target_name, +static void ssl_channel_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { + grpc_ssl_channel_security_connector* c = + (grpc_ssl_channel_security_connector*)sc; + grpc_error* error = ssl_check_peer(sc, + c->overridden_target_name != NULL + ? c->overridden_target_name + : c->target_name, &peer, auth_context); GRPC_CLOSURE_SCHED(exec_ctx, on_peer_checked, error); tsi_peer_destruct(&peer); } -static void ssl_server_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked) { - grpc_error *error = ssl_check_peer(sc, NULL, &peer, auth_context); +static void ssl_server_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked) { + grpc_error* error = ssl_check_peer(sc, NULL, &peer, auth_context); tsi_peer_destruct(&peer); GRPC_CLOSURE_SCHED(exec_ctx, on_peer_checked, error); } -static int ssl_channel_cmp(grpc_security_connector *sc1, - grpc_security_connector *sc2) { - grpc_ssl_channel_security_connector *c1 = - (grpc_ssl_channel_security_connector *)sc1; - grpc_ssl_channel_security_connector *c2 = - (grpc_ssl_channel_security_connector *)sc2; +static int ssl_channel_cmp(grpc_security_connector* sc1, + grpc_security_connector* sc2) { + grpc_ssl_channel_security_connector* c1 = + (grpc_ssl_channel_security_connector*)sc1; + grpc_ssl_channel_security_connector* c2 = + (grpc_ssl_channel_security_connector*)sc2; int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base); if (c != 0) return c; c = strcmp(c1->target_name, c2->target_name); @@ -723,27 +846,27 @@ static int ssl_channel_cmp(grpc_security_connector *sc1, : strcmp(c1->overridden_target_name, c2->overridden_target_name); } -static int ssl_server_cmp(grpc_security_connector *sc1, - grpc_security_connector *sc2) { +static int ssl_server_cmp(grpc_security_connector* sc1, + grpc_security_connector* sc2) { return grpc_server_security_connector_cmp( - (grpc_server_security_connector *)sc1, - (grpc_server_security_connector *)sc2); + (grpc_server_security_connector*)sc1, + (grpc_server_security_connector*)sc2); } -static void add_shallow_auth_property_to_peer(tsi_peer *peer, - const grpc_auth_property *prop, - const char *tsi_prop_name) { - tsi_peer_property *tsi_prop = &peer->properties[peer->property_count++]; - tsi_prop->name = (char *)tsi_prop_name; +static void add_shallow_auth_property_to_peer(tsi_peer* peer, + const grpc_auth_property* prop, + const char* tsi_prop_name) { + tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++]; + tsi_prop->name = (char*)tsi_prop_name; tsi_prop->value.data = prop->value; tsi_prop->value.length = prop->value_length; } tsi_peer tsi_shallow_peer_from_ssl_auth_context( - const grpc_auth_context *auth_context) { + const grpc_auth_context* auth_context) { size_t max_num_props = 0; grpc_auth_property_iterator it; - const grpc_auth_property *prop; + const grpc_auth_property* prop; tsi_peer peer; memset(&peer, 0, sizeof(peer)); @@ -751,8 +874,8 @@ tsi_peer tsi_shallow_peer_from_ssl_auth_context( while (grpc_auth_property_iterator_next(&it) != NULL) max_num_props++; if (max_num_props > 0) { - peer.properties = (tsi_peer_property *)gpr_malloc( - max_num_props * sizeof(tsi_peer_property)); + peer.properties = (tsi_peer_property*)gpr_malloc(max_num_props * + sizeof(tsi_peer_property)); it = grpc_auth_context_property_iterator(auth_context); while ((prop = grpc_auth_property_iterator_next(&it)) != NULL) { if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) { @@ -770,18 +893,18 @@ tsi_peer tsi_shallow_peer_from_ssl_auth_context( return peer; } -void tsi_shallow_peer_destruct(tsi_peer *peer) { +void tsi_shallow_peer_destruct(tsi_peer* peer) { if (peer->properties != NULL) gpr_free(peer->properties); } -static bool ssl_channel_check_call_host(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, - const char *host, - grpc_auth_context *auth_context, - grpc_closure *on_call_host_checked, - grpc_error **error) { - grpc_ssl_channel_security_connector *c = - (grpc_ssl_channel_security_connector *)sc; +static bool ssl_channel_check_call_host(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, + const char* host, + grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, + grpc_error** error) { + grpc_ssl_channel_security_connector* c = + (grpc_ssl_channel_security_connector*)sc; grpc_security_status status = GRPC_SECURITY_ERROR; tsi_peer peer = tsi_shallow_peer_from_ssl_auth_context(auth_context); if (ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK; @@ -800,8 +923,8 @@ static bool ssl_channel_check_call_host(grpc_exec_ctx *exec_ctx, } static void ssl_channel_cancel_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_closure *on_call_host_checked, grpc_error *error) { + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + grpc_closure* on_call_host_checked, grpc_error* error) { GRPC_ERROR_UNREF(error); } @@ -816,7 +939,7 @@ static grpc_slice compute_default_pem_root_certs_once(void) { grpc_slice result = grpc_empty_slice(); /* First try to load the roots from the environment. */ - char *default_root_certs_path = + char* default_root_certs_path = gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR); if (default_root_certs_path != NULL) { GRPC_LOG_IF_ERROR("load_file", @@ -827,7 +950,7 @@ static grpc_slice compute_default_pem_root_certs_once(void) { /* Try overridden roots if needed. */ grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL; if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != NULL) { - char *pem_root_certs = NULL; + char* pem_root_certs = NULL; ovrd_res = ssl_roots_override_cb(&pem_root_certs); if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) { GPR_ASSERT(pem_root_certs != NULL); @@ -857,58 +980,29 @@ grpc_slice grpc_get_default_ssl_roots_for_testing(void) { return compute_default_pem_root_certs_once(); } -static tsi_client_certificate_request_type -get_tsi_client_certificate_request_type( - grpc_ssl_client_certificate_request_type grpc_request_type) { - switch (grpc_request_type) { - case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE: - return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; - - case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: - return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; - - case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: - return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY; - - case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: - return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY; - - case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: - return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY; - - default: - // Is this a sane default - return TSI_DONT_REQUEST_CLIENT_CERTIFICATE; - } -} - -const char *grpc_get_default_ssl_roots(void) { +const char* grpc_get_default_ssl_roots(void) { /* TODO(jboeuf@google.com): Maybe revisit the approach which consists in loading all the roots once for the lifetime of the process. */ static gpr_once once = GPR_ONCE_INIT; gpr_once_init(&once, init_default_pem_root_certs); return GRPC_SLICE_IS_EMPTY(default_pem_root_certs) ? NULL - : (const char *)GRPC_SLICE_START_PTR(default_pem_root_certs); + : (const char*)GRPC_SLICE_START_PTR(default_pem_root_certs); } grpc_security_status grpc_ssl_channel_security_connector_create( - grpc_exec_ctx *exec_ctx, grpc_channel_credentials *channel_creds, - grpc_call_credentials *request_metadata_creds, - const grpc_ssl_config *config, const char *target_name, - const char *overridden_target_name, grpc_channel_security_connector **sc) { - size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); - const char **alpn_protocol_strings = - (const char **)gpr_malloc(sizeof(const char *) * num_alpn_protocols); + grpc_exec_ctx* exec_ctx, grpc_channel_credentials* channel_creds, + grpc_call_credentials* request_metadata_creds, + const grpc_ssl_config* config, const char* target_name, + const char* overridden_target_name, grpc_channel_security_connector** sc) { + size_t num_alpn_protocols = 0; + const char** alpn_protocol_strings = + fill_alpn_protocol_strings(&num_alpn_protocols); tsi_result result = TSI_OK; - grpc_ssl_channel_security_connector *c; - size_t i; - const char *pem_root_certs; - char *port; + grpc_ssl_channel_security_connector* c; + const char* pem_root_certs; + char* port; bool has_key_cert_pair; - for (i = 0; i < num_alpn_protocols; i++) { - alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i); - } if (config == NULL || target_name == NULL) { gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name."); @@ -924,7 +1018,7 @@ grpc_security_status grpc_ssl_channel_security_connector_create( pem_root_certs = config->pem_root_certs; } - c = (grpc_ssl_channel_security_connector *)gpr_zalloc( + c = (grpc_ssl_channel_security_connector*)gpr_zalloc( sizeof(grpc_ssl_channel_security_connector)); gpr_ref_init(&c->base.base.refcount, 1); @@ -942,10 +1036,11 @@ grpc_security_status grpc_ssl_channel_security_connector_create( c->overridden_target_name = gpr_strdup(overridden_target_name); } - has_key_cert_pair = config->pem_key_cert_pair.private_key != NULL && - config->pem_key_cert_pair.cert_chain != NULL; + has_key_cert_pair = config->pem_key_cert_pair != NULL && + config->pem_key_cert_pair->private_key != NULL && + config->pem_key_cert_pair->cert_chain != NULL; result = tsi_create_ssl_client_handshaker_factory( - has_key_cert_pair ? &config->pem_key_cert_pair : NULL, pem_root_certs, + has_key_cert_pair ? config->pem_key_cert_pair : NULL, pem_root_certs, ssl_cipher_suites(), alpn_protocol_strings, (uint16_t)num_alpn_protocols, &c->client_handshaker_factory); if (result != TSI_OK) { @@ -956,58 +1051,72 @@ grpc_security_status grpc_ssl_channel_security_connector_create( goto error; } *sc = &c->base; - gpr_free((void *)alpn_protocol_strings); + gpr_free((void*)alpn_protocol_strings); return GRPC_SECURITY_OK; error: - gpr_free((void *)alpn_protocol_strings); + gpr_free((void*)alpn_protocol_strings); return GRPC_SECURITY_ERROR; } -grpc_security_status grpc_ssl_server_security_connector_create( - grpc_exec_ctx *exec_ctx, grpc_server_credentials *server_creds, - const grpc_ssl_server_config *config, grpc_server_security_connector **sc) { - size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions(); - const char **alpn_protocol_strings = - (const char **)gpr_malloc(sizeof(const char *) * num_alpn_protocols); - tsi_result result = TSI_OK; - grpc_ssl_server_security_connector *c; - size_t i; - - for (i = 0; i < num_alpn_protocols; i++) { - alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i); - } - - if (config == NULL || config->num_key_cert_pairs == 0) { - gpr_log(GPR_ERROR, "An SSL server needs a key and a cert."); - goto error; - } - c = (grpc_ssl_server_security_connector *)gpr_zalloc( - sizeof(grpc_ssl_server_security_connector)); - +static grpc_ssl_server_security_connector* +grpc_ssl_server_security_connector_initialize( + grpc_server_credentials* server_creds) { + grpc_ssl_server_security_connector* c = + (grpc_ssl_server_security_connector*)gpr_zalloc( + sizeof(grpc_ssl_server_security_connector)); gpr_ref_init(&c->base.base.refcount, 1); c->base.base.url_scheme = GRPC_SSL_URL_SCHEME; c->base.base.vtable = &ssl_server_vtable; + c->base.add_handshakers = ssl_server_add_handshakers; c->base.server_creds = grpc_server_credentials_ref(server_creds); - result = tsi_create_ssl_server_handshaker_factory_ex( - config->pem_key_cert_pairs, config->num_key_cert_pairs, - config->pem_root_certs, get_tsi_client_certificate_request_type( - config->client_certificate_request), - ssl_cipher_suites(), alpn_protocol_strings, (uint16_t)num_alpn_protocols, - &c->server_handshaker_factory); - if (result != TSI_OK) { - gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", - tsi_result_to_string(result)); - ssl_server_destroy(exec_ctx, &c->base.base); - *sc = NULL; - goto error; + return c; +} + +grpc_security_status grpc_ssl_server_security_connector_create( + grpc_exec_ctx* exec_ctx, grpc_server_credentials* gsc, + grpc_server_security_connector** sc) { + tsi_result result = TSI_OK; + grpc_ssl_server_credentials* server_credentials = + (grpc_ssl_server_credentials*)gsc; + grpc_security_status retval = GRPC_SECURITY_OK; + + GPR_ASSERT(server_credentials != NULL); + GPR_ASSERT(sc != NULL); + + grpc_ssl_server_security_connector* c = + grpc_ssl_server_security_connector_initialize(gsc); + if (server_connector_has_cert_config_fetcher(c)) { + // Load initial credentials from certificate_config_fetcher: + if (!try_fetch_ssl_server_credentials(c)) { + gpr_log(GPR_ERROR, "Failed loading SSL server credentials from fetcher."); + retval = GRPC_SECURITY_ERROR; + } + } else { + size_t num_alpn_protocols = 0; + const char** alpn_protocol_strings = + fill_alpn_protocol_strings(&num_alpn_protocols); + result = tsi_create_ssl_server_handshaker_factory_ex( + server_credentials->config.pem_key_cert_pairs, + server_credentials->config.num_key_cert_pairs, + server_credentials->config.pem_root_certs, + get_tsi_client_certificate_request_type( + server_credentials->config.client_certificate_request), + ssl_cipher_suites(), alpn_protocol_strings, + (uint16_t)num_alpn_protocols, &c->server_handshaker_factory); + gpr_free((void*)alpn_protocol_strings); + if (result != TSI_OK) { + gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", + tsi_result_to_string(result)); + retval = GRPC_SECURITY_ERROR; + } } - c->base.add_handshakers = ssl_server_add_handshakers; - *sc = &c->base; - gpr_free((void *)alpn_protocol_strings); - return GRPC_SECURITY_OK; -error: - gpr_free((void *)alpn_protocol_strings); - return GRPC_SECURITY_ERROR; + if (retval == GRPC_SECURITY_OK) { + *sc = &c->base; + } else { + if (c != NULL) ssl_server_destroy(exec_ctx, &c->base.base); + if (sc != NULL) *sc = NULL; + } + return retval; } diff --git a/src/core/lib/security/transport/security_connector.h b/src/core/lib/security/transport/security_connector.h index f401349fde..10a4ef1a6d 100644 --- a/src/core/lib/security/transport/security_connector.h +++ b/src/core/lib/security/transport/security_connector.h @@ -56,17 +56,17 @@ typedef struct grpc_security_connector grpc_security_connector; #define GRPC_ARG_SECURITY_CONNECTOR "grpc.security_connector" typedef struct { - void (*destroy)(grpc_exec_ctx *exec_ctx, grpc_security_connector *sc); - void (*check_peer)(grpc_exec_ctx *exec_ctx, grpc_security_connector *sc, - tsi_peer peer, grpc_auth_context **auth_context, - grpc_closure *on_peer_checked); - int (*cmp)(grpc_security_connector *sc, grpc_security_connector *other); + void (*destroy)(grpc_exec_ctx* exec_ctx, grpc_security_connector* sc); + void (*check_peer)(grpc_exec_ctx* exec_ctx, grpc_security_connector* sc, + tsi_peer peer, grpc_auth_context** auth_context, + grpc_closure* on_peer_checked); + int (*cmp)(grpc_security_connector* sc, grpc_security_connector* other); } grpc_security_connector_vtable; struct grpc_security_connector { - const grpc_security_connector_vtable *vtable; + const grpc_security_connector_vtable* vtable; gpr_refcount refcount; - const char *url_scheme; + const char* url_scheme; }; /* Refcounting. */ @@ -75,44 +75,44 @@ struct grpc_security_connector { grpc_security_connector_ref((p), __FILE__, __LINE__, (r)) #define GRPC_SECURITY_CONNECTOR_UNREF(exec_ctx, p, r) \ grpc_security_connector_unref((exec_ctx), (p), __FILE__, __LINE__, (r)) -grpc_security_connector *grpc_security_connector_ref( - grpc_security_connector *policy, const char *file, int line, - const char *reason); -void grpc_security_connector_unref(grpc_exec_ctx *exec_ctx, - grpc_security_connector *policy, - const char *file, int line, - const char *reason); +grpc_security_connector* grpc_security_connector_ref( + grpc_security_connector* policy, const char* file, int line, + const char* reason); +void grpc_security_connector_unref(grpc_exec_ctx* exec_ctx, + grpc_security_connector* policy, + const char* file, int line, + const char* reason); #else #define GRPC_SECURITY_CONNECTOR_REF(p, r) grpc_security_connector_ref((p)) #define GRPC_SECURITY_CONNECTOR_UNREF(exec_ctx, p, r) \ grpc_security_connector_unref((exec_ctx), (p)) -grpc_security_connector *grpc_security_connector_ref( - grpc_security_connector *policy); -void grpc_security_connector_unref(grpc_exec_ctx *exec_ctx, - grpc_security_connector *policy); +grpc_security_connector* grpc_security_connector_ref( + grpc_security_connector* policy); +void grpc_security_connector_unref(grpc_exec_ctx* exec_ctx, + grpc_security_connector* policy); #endif /* Check the peer. Callee takes ownership of the peer object. When done, sets *auth_context and invokes on_peer_checked. */ -void grpc_security_connector_check_peer(grpc_exec_ctx *exec_ctx, - grpc_security_connector *sc, +void grpc_security_connector_check_peer(grpc_exec_ctx* exec_ctx, + grpc_security_connector* sc, tsi_peer peer, - grpc_auth_context **auth_context, - grpc_closure *on_peer_checked); + grpc_auth_context** auth_context, + grpc_closure* on_peer_checked); /* Compares two security connectors. */ -int grpc_security_connector_cmp(grpc_security_connector *sc, - grpc_security_connector *other); +int grpc_security_connector_cmp(grpc_security_connector* sc, + grpc_security_connector* other); /* Util to encapsulate the connector in a channel arg. */ -grpc_arg grpc_security_connector_to_arg(grpc_security_connector *sc); +grpc_arg grpc_security_connector_to_arg(grpc_security_connector* sc); /* Util to get the connector from a channel arg. */ -grpc_security_connector *grpc_security_connector_from_arg(const grpc_arg *arg); +grpc_security_connector* grpc_security_connector_from_arg(const grpc_arg* arg); /* Util to find the connector from channel args. */ -grpc_security_connector *grpc_security_connector_find_in_args( - const grpc_channel_args *args); +grpc_security_connector* grpc_security_connector_find_in_args( + const grpc_channel_args* args); /* --- channel_security_connector object. --- @@ -123,46 +123,46 @@ typedef struct grpc_channel_security_connector grpc_channel_security_connector; struct grpc_channel_security_connector { grpc_security_connector base; - grpc_channel_credentials *channel_creds; - grpc_call_credentials *request_metadata_creds; - bool (*check_call_host)(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, const char *host, - grpc_auth_context *auth_context, - grpc_closure *on_call_host_checked, - grpc_error **error); - void (*cancel_check_call_host)(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, - grpc_closure *on_call_host_checked, - grpc_error *error); - void (*add_handshakers)(grpc_exec_ctx *exec_ctx, - grpc_channel_security_connector *sc, - grpc_handshake_manager *handshake_mgr); + grpc_channel_credentials* channel_creds; + grpc_call_credentials* request_metadata_creds; + bool (*check_call_host)(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, const char* host, + grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, + grpc_error** error); + void (*cancel_check_call_host)(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, + grpc_closure* on_call_host_checked, + grpc_error* error); + void (*add_handshakers)(grpc_exec_ctx* exec_ctx, + grpc_channel_security_connector* sc, + grpc_handshake_manager* handshake_mgr); }; /// A helper function for use in grpc_security_connector_cmp() implementations. -int grpc_channel_security_connector_cmp(grpc_channel_security_connector *sc1, - grpc_channel_security_connector *sc2); +int grpc_channel_security_connector_cmp(grpc_channel_security_connector* sc1, + grpc_channel_security_connector* sc2); /// Checks that the host that will be set for a call is acceptable. /// Returns true if completed synchronously, in which case \a error will /// be set to indicate the result. Otherwise, \a on_call_host_checked /// will be invoked when complete. bool grpc_channel_security_connector_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - const char *host, grpc_auth_context *auth_context, - grpc_closure *on_call_host_checked, grpc_error **error); + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + const char* host, grpc_auth_context* auth_context, + grpc_closure* on_call_host_checked, grpc_error** error); /// Cancels a pending asychronous call to /// grpc_channel_security_connector_check_call_host() with /// \a on_call_host_checked as its callback. void grpc_channel_security_connector_cancel_check_call_host( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *sc, - grpc_closure *on_call_host_checked, grpc_error *error); + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* sc, + grpc_closure* on_call_host_checked, grpc_error* error); /* Registers handshakers with \a handshake_mgr. */ void grpc_channel_security_connector_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_channel_security_connector *connector, - grpc_handshake_manager *handshake_mgr); + grpc_exec_ctx* exec_ctx, grpc_channel_security_connector* connector, + grpc_handshake_manager* handshake_mgr); /* --- server_security_connector object. --- @@ -173,39 +173,39 @@ typedef struct grpc_server_security_connector grpc_server_security_connector; struct grpc_server_security_connector { grpc_security_connector base; - grpc_server_credentials *server_creds; - void (*add_handshakers)(grpc_exec_ctx *exec_ctx, - grpc_server_security_connector *sc, - grpc_handshake_manager *handshake_mgr); + grpc_server_credentials* server_creds; + void (*add_handshakers)(grpc_exec_ctx* exec_ctx, + grpc_server_security_connector* sc, + grpc_handshake_manager* handshake_mgr); }; /// A helper function for use in grpc_security_connector_cmp() implementations. -int grpc_server_security_connector_cmp(grpc_server_security_connector *sc1, - grpc_server_security_connector *sc2); +int grpc_server_security_connector_cmp(grpc_server_security_connector* sc1, + grpc_server_security_connector* sc2); void grpc_server_security_connector_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_server_security_connector *sc, - grpc_handshake_manager *handshake_mgr); + grpc_exec_ctx* exec_ctx, grpc_server_security_connector* sc, + grpc_handshake_manager* handshake_mgr); /* --- Creation security connectors. --- */ /* For TESTING ONLY! Creates a fake connector that emulates real channel security. */ -grpc_channel_security_connector *grpc_fake_channel_security_connector_create( - grpc_channel_credentials *channel_creds, - grpc_call_credentials *request_metadata_creds, const char *target, - const grpc_channel_args *args); +grpc_channel_security_connector* grpc_fake_channel_security_connector_create( + grpc_channel_credentials* channel_creds, + grpc_call_credentials* request_metadata_creds, const char* target, + const grpc_channel_args* args); /* For TESTING ONLY! Creates a fake connector that emulates real server security. */ -grpc_server_security_connector *grpc_fake_server_security_connector_create( - grpc_server_credentials *server_creds); +grpc_server_security_connector* grpc_fake_server_security_connector_create( + grpc_server_credentials* server_creds); /* Config for ssl clients. */ typedef struct { - tsi_ssl_pem_key_cert_pair pem_key_cert_pair; - char *pem_root_certs; + tsi_ssl_pem_key_cert_pair* pem_key_cert_pair; + char* pem_root_certs; } grpc_ssl_config; /* Creates an SSL channel_security_connector. @@ -222,22 +222,22 @@ typedef struct { specific error code otherwise. */ grpc_security_status grpc_ssl_channel_security_connector_create( - grpc_exec_ctx *exec_ctx, grpc_channel_credentials *channel_creds, - grpc_call_credentials *request_metadata_creds, - const grpc_ssl_config *config, const char *target_name, - const char *overridden_target_name, grpc_channel_security_connector **sc); + grpc_exec_ctx* exec_ctx, grpc_channel_credentials* channel_creds, + grpc_call_credentials* request_metadata_creds, + const grpc_ssl_config* config, const char* target_name, + const char* overridden_target_name, grpc_channel_security_connector** sc); /* Gets the default ssl roots. Returns NULL if not found. */ -const char *grpc_get_default_ssl_roots(void); +const char* grpc_get_default_ssl_roots(void); /* Exposed for TESTING ONLY!. */ grpc_slice grpc_get_default_ssl_roots_for_testing(void); /* Config for ssl servers. */ typedef struct { - tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs; + tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs; size_t num_key_cert_pairs; - char *pem_root_certs; + char* pem_root_certs; grpc_ssl_client_certificate_request_type client_certificate_request; } grpc_ssl_server_config; @@ -248,18 +248,18 @@ typedef struct { specific error code otherwise. */ grpc_security_status grpc_ssl_server_security_connector_create( - grpc_exec_ctx *exec_ctx, grpc_server_credentials *server_creds, - const grpc_ssl_server_config *config, grpc_server_security_connector **sc); + grpc_exec_ctx* exec_ctx, grpc_server_credentials* server_credentials, + grpc_server_security_connector** sc); /* Util. */ -const tsi_peer_property *tsi_peer_get_property_by_name(const tsi_peer *peer, - const char *name); +const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer, + const char* name); /* Exposed for testing only. */ -grpc_auth_context *tsi_ssl_peer_to_auth_context(const tsi_peer *peer); +grpc_auth_context* tsi_ssl_peer_to_auth_context(const tsi_peer* peer); tsi_peer tsi_shallow_peer_from_ssl_auth_context( - const grpc_auth_context *auth_context); -void tsi_shallow_peer_destruct(tsi_peer *peer); + const grpc_auth_context* auth_context); +void tsi_shallow_peer_destruct(tsi_peer* peer); #ifdef __cplusplus } diff --git a/src/core/lib/security/transport/security_handshaker.cc b/src/core/lib/security/transport/security_handshaker.cc index 3d19605617..63706f142b 100644 --- a/src/core/lib/security/transport/security_handshaker.cc +++ b/src/core/lib/security/transport/security_handshaker.cc @@ -40,33 +40,33 @@ typedef struct { grpc_handshaker base; // State set at creation time. - tsi_handshaker *handshaker; - grpc_security_connector *connector; + tsi_handshaker* handshaker; + grpc_security_connector* connector; gpr_mu mu; gpr_refcount refs; bool shutdown; // Endpoint and read buffer to destroy after a shutdown. - grpc_endpoint *endpoint_to_destroy; - grpc_slice_buffer *read_buffer_to_destroy; + grpc_endpoint* endpoint_to_destroy; + grpc_slice_buffer* read_buffer_to_destroy; // State saved while performing the handshake. - grpc_handshaker_args *args; - grpc_closure *on_handshake_done; + grpc_handshaker_args* args; + grpc_closure* on_handshake_done; - unsigned char *handshake_buffer; + unsigned char* handshake_buffer; size_t handshake_buffer_size; grpc_slice_buffer outgoing; grpc_closure on_handshake_data_sent_to_peer; grpc_closure on_handshake_data_received_from_peer; grpc_closure on_peer_checked; - grpc_auth_context *auth_context; - tsi_handshaker_result *handshaker_result; + grpc_auth_context* auth_context; + tsi_handshaker_result* handshaker_result; } security_handshaker; -static void security_handshaker_unref(grpc_exec_ctx *exec_ctx, - security_handshaker *h) { +static void security_handshaker_unref(grpc_exec_ctx* exec_ctx, + security_handshaker* h) { if (gpr_unref(&h->refs)) { gpr_mu_destroy(&h->mu); tsi_handshaker_destroy(h->handshaker); @@ -88,8 +88,8 @@ static void security_handshaker_unref(grpc_exec_ctx *exec_ctx, // Set args fields to NULL, saving the endpoint and read buffer for // later destruction. -static void cleanup_args_for_failure_locked(grpc_exec_ctx *exec_ctx, - security_handshaker *h) { +static void cleanup_args_for_failure_locked(grpc_exec_ctx* exec_ctx, + security_handshaker* h) { h->endpoint_to_destroy = h->args->endpoint; h->args->endpoint = NULL; h->read_buffer_to_destroy = h->args->read_buffer; @@ -100,15 +100,15 @@ static void cleanup_args_for_failure_locked(grpc_exec_ctx *exec_ctx, // If the handshake failed or we're shutting down, clean up and invoke the // callback with the error. -static void security_handshake_failed_locked(grpc_exec_ctx *exec_ctx, - security_handshaker *h, - grpc_error *error) { +static void security_handshake_failed_locked(grpc_exec_ctx* exec_ctx, + security_handshaker* h, + grpc_error* error) { if (error == GRPC_ERROR_NONE) { // If we were shut down after the handshake succeeded but before an // endpoint callback was invoked, we need to generate our own error. error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Handshaker shutdown"); } - const char *msg = grpc_error_string(error); + const char* msg = grpc_error_string(error); gpr_log(GPR_DEBUG, "Security handshake failed: %s", msg); if (!h->shutdown) { @@ -128,14 +128,14 @@ static void security_handshake_failed_locked(grpc_exec_ctx *exec_ctx, GRPC_CLOSURE_SCHED(exec_ctx, h->on_handshake_done, error); } -static void on_peer_checked_inner(grpc_exec_ctx *exec_ctx, - security_handshaker *h, grpc_error *error) { +static void on_peer_checked_inner(grpc_exec_ctx* exec_ctx, + security_handshaker* h, grpc_error* error) { if (error != GRPC_ERROR_NONE || h->shutdown) { security_handshake_failed_locked(exec_ctx, h, GRPC_ERROR_REF(error)); return; } // Create zero-copy frame protector, if implemented. - tsi_zero_copy_grpc_protector *zero_copy_protector = NULL; + tsi_zero_copy_grpc_protector* zero_copy_protector = NULL; tsi_result result = tsi_handshaker_result_create_zero_copy_grpc_protector( exec_ctx, h->handshaker_result, NULL, &zero_copy_protector); if (result != TSI_OK && result != TSI_UNIMPLEMENTED) { @@ -147,7 +147,7 @@ static void on_peer_checked_inner(grpc_exec_ctx *exec_ctx, return; } // Create frame protector if zero-copy frame protector is NULL. - tsi_frame_protector *protector = NULL; + tsi_frame_protector* protector = NULL; if (zero_copy_protector == NULL) { result = tsi_handshaker_result_create_frame_protector(h->handshaker_result, NULL, &protector); @@ -160,14 +160,14 @@ static void on_peer_checked_inner(grpc_exec_ctx *exec_ctx, } } // Get unused bytes. - const unsigned char *unused_bytes = NULL; + const unsigned char* unused_bytes = NULL; size_t unused_bytes_size = 0; result = tsi_handshaker_result_get_unused_bytes( h->handshaker_result, &unused_bytes, &unused_bytes_size); // Create secure endpoint. if (unused_bytes_size > 0) { grpc_slice slice = - grpc_slice_from_copied_buffer((char *)unused_bytes, unused_bytes_size); + grpc_slice_from_copied_buffer((char*)unused_bytes, unused_bytes_size); h->args->endpoint = grpc_secure_endpoint_create( protector, zero_copy_protector, h->args->endpoint, &slice, 1); grpc_slice_unref_internal(exec_ctx, slice); @@ -181,7 +181,7 @@ static void on_peer_checked_inner(grpc_exec_ctx *exec_ctx, grpc_slice_buffer_reset_and_unref_internal(exec_ctx, h->args->read_buffer); // Add auth context to channel args. grpc_arg auth_context_arg = grpc_auth_context_to_arg(h->auth_context); - grpc_channel_args *tmp_args = h->args->args; + grpc_channel_args* tmp_args = h->args->args; h->args->args = grpc_channel_args_copy_and_add(tmp_args, &auth_context_arg, 1); grpc_channel_args_destroy(exec_ctx, tmp_args); @@ -192,17 +192,17 @@ static void on_peer_checked_inner(grpc_exec_ctx *exec_ctx, h->shutdown = true; } -static void on_peer_checked(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - security_handshaker *h = (security_handshaker *)arg; +static void on_peer_checked(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + security_handshaker* h = (security_handshaker*)arg; gpr_mu_lock(&h->mu); on_peer_checked_inner(exec_ctx, h, error); gpr_mu_unlock(&h->mu); security_handshaker_unref(exec_ctx, h); } -static grpc_error *check_peer_locked(grpc_exec_ctx *exec_ctx, - security_handshaker *h) { +static grpc_error* check_peer_locked(grpc_exec_ctx* exec_ctx, + security_handshaker* h) { tsi_peer peer; tsi_result result = tsi_handshaker_result_extract_peer(h->handshaker_result, &peer); @@ -215,11 +215,11 @@ static grpc_error *check_peer_locked(grpc_exec_ctx *exec_ctx, return GRPC_ERROR_NONE; } -static grpc_error *on_handshake_next_done_locked( - grpc_exec_ctx *exec_ctx, security_handshaker *h, tsi_result result, - const unsigned char *bytes_to_send, size_t bytes_to_send_size, - tsi_handshaker_result *handshaker_result) { - grpc_error *error = GRPC_ERROR_NONE; +static grpc_error* on_handshake_next_done_locked( + grpc_exec_ctx* exec_ctx, security_handshaker* h, tsi_result result, + const unsigned char* bytes_to_send, size_t bytes_to_send_size, + tsi_handshaker_result* handshaker_result) { + grpc_error* error = GRPC_ERROR_NONE; // Read more if we need to. if (result == TSI_INCOMPLETE_DATA) { GPR_ASSERT(bytes_to_send_size == 0); @@ -239,7 +239,7 @@ static grpc_error *on_handshake_next_done_locked( if (bytes_to_send_size > 0) { // Send data to peer, if needed. grpc_slice to_send = grpc_slice_from_copied_buffer( - (const char *)bytes_to_send, bytes_to_send_size); + (const char*)bytes_to_send, bytes_to_send_size); grpc_slice_buffer_reset_and_unref_internal(exec_ctx, &h->outgoing); grpc_slice_buffer_add(&h->outgoing, to_send); grpc_endpoint_write(exec_ctx, h->args->endpoint, &h->outgoing, @@ -256,14 +256,14 @@ static grpc_error *on_handshake_next_done_locked( } static void on_handshake_next_done_grpc_wrapper( - tsi_result result, void *user_data, const unsigned char *bytes_to_send, - size_t bytes_to_send_size, tsi_handshaker_result *handshaker_result) { - security_handshaker *h = (security_handshaker *)user_data; + tsi_result result, void* user_data, const unsigned char* bytes_to_send, + size_t bytes_to_send_size, tsi_handshaker_result* handshaker_result) { + security_handshaker* h = (security_handshaker*)user_data; // This callback will be invoked by TSI in a non-grpc thread, so it's // safe to create our own exec_ctx here. grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; gpr_mu_lock(&h->mu); - grpc_error *error = + grpc_error* error = on_handshake_next_done_locked(&exec_ctx, h, result, bytes_to_send, bytes_to_send_size, handshaker_result); if (error != GRPC_ERROR_NONE) { @@ -276,13 +276,13 @@ static void on_handshake_next_done_grpc_wrapper( grpc_exec_ctx_finish(&exec_ctx); } -static grpc_error *do_handshaker_next_locked( - grpc_exec_ctx *exec_ctx, security_handshaker *h, - const unsigned char *bytes_received, size_t bytes_received_size) { +static grpc_error* do_handshaker_next_locked( + grpc_exec_ctx* exec_ctx, security_handshaker* h, + const unsigned char* bytes_received, size_t bytes_received_size) { // Invoke TSI handshaker. - const unsigned char *bytes_to_send = NULL; + const unsigned char* bytes_to_send = NULL; size_t bytes_to_send_size = 0; - tsi_handshaker_result *handshaker_result = NULL; + tsi_handshaker_result* handshaker_result = NULL; tsi_result result = tsi_handshaker_next( h->handshaker, bytes_received, bytes_received_size, &bytes_to_send, &bytes_to_send_size, &handshaker_result, @@ -298,14 +298,15 @@ static grpc_error *do_handshaker_next_locked( bytes_to_send_size, handshaker_result); } -static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, - void *arg, grpc_error *error) { - security_handshaker *h = (security_handshaker *)arg; +static void on_handshake_data_received_from_peer(grpc_exec_ctx* exec_ctx, + void* arg, grpc_error* error) { + security_handshaker* h = (security_handshaker*)arg; gpr_mu_lock(&h->mu); if (error != GRPC_ERROR_NONE || h->shutdown) { security_handshake_failed_locked( - exec_ctx, h, GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( - "Handshake read failed", &error, 1)); + exec_ctx, h, + GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( + "Handshake read failed", &error, 1)); gpr_mu_unlock(&h->mu); security_handshaker_unref(exec_ctx, h); return; @@ -318,7 +319,7 @@ static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, } if (bytes_received_size > h->handshake_buffer_size) { h->handshake_buffer = - (uint8_t *)gpr_realloc(h->handshake_buffer, bytes_received_size); + (uint8_t*)gpr_realloc(h->handshake_buffer, bytes_received_size); h->handshake_buffer_size = bytes_received_size; } size_t offset = 0; @@ -341,14 +342,15 @@ static void on_handshake_data_received_from_peer(grpc_exec_ctx *exec_ctx, } } -static void on_handshake_data_sent_to_peer(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - security_handshaker *h = (security_handshaker *)arg; +static void on_handshake_data_sent_to_peer(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + security_handshaker* h = (security_handshaker*)arg; gpr_mu_lock(&h->mu); if (error != GRPC_ERROR_NONE || h->shutdown) { security_handshake_failed_locked( - exec_ctx, h, GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( - "Handshake write failed", &error, 1)); + exec_ctx, h, + GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING( + "Handshake write failed", &error, 1)); gpr_mu_unlock(&h->mu); security_handshaker_unref(exec_ctx, h); return; @@ -373,16 +375,16 @@ static void on_handshake_data_sent_to_peer(grpc_exec_ctx *exec_ctx, void *arg, // public handshaker API // -static void security_handshaker_destroy(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker) { - security_handshaker *h = (security_handshaker *)handshaker; +static void security_handshaker_destroy(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker) { + security_handshaker* h = (security_handshaker*)handshaker; security_handshaker_unref(exec_ctx, h); } -static void security_handshaker_shutdown(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker, - grpc_error *why) { - security_handshaker *h = (security_handshaker *)handshaker; +static void security_handshaker_shutdown(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker, + grpc_error* why) { + security_handshaker* h = (security_handshaker*)handshaker; gpr_mu_lock(&h->mu); if (!h->shutdown) { h->shutdown = true; @@ -393,17 +395,17 @@ static void security_handshaker_shutdown(grpc_exec_ctx *exec_ctx, GRPC_ERROR_UNREF(why); } -static void security_handshaker_do_handshake(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker, - grpc_tcp_server_acceptor *acceptor, - grpc_closure *on_handshake_done, - grpc_handshaker_args *args) { - security_handshaker *h = (security_handshaker *)handshaker; +static void security_handshaker_do_handshake(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker, + grpc_tcp_server_acceptor* acceptor, + grpc_closure* on_handshake_done, + grpc_handshaker_args* args) { + security_handshaker* h = (security_handshaker*)handshaker; gpr_mu_lock(&h->mu); h->args = args; h->on_handshake_done = on_handshake_done; gpr_ref(&h->refs); - grpc_error *error = do_handshaker_next_locked(exec_ctx, h, NULL, 0); + grpc_error* error = do_handshaker_next_locked(exec_ctx, h, NULL, 0); if (error != GRPC_ERROR_NONE) { security_handshake_failed_locked(exec_ctx, h, error); gpr_mu_unlock(&h->mu); @@ -417,18 +419,18 @@ static const grpc_handshaker_vtable security_handshaker_vtable = { security_handshaker_destroy, security_handshaker_shutdown, security_handshaker_do_handshake}; -static grpc_handshaker *security_handshaker_create( - grpc_exec_ctx *exec_ctx, tsi_handshaker *handshaker, - grpc_security_connector *connector) { - security_handshaker *h = - (security_handshaker *)gpr_zalloc(sizeof(security_handshaker)); +static grpc_handshaker* security_handshaker_create( + grpc_exec_ctx* exec_ctx, tsi_handshaker* handshaker, + grpc_security_connector* connector) { + security_handshaker* h = + (security_handshaker*)gpr_zalloc(sizeof(security_handshaker)); grpc_handshaker_init(&security_handshaker_vtable, &h->base); h->handshaker = handshaker; h->connector = GRPC_SECURITY_CONNECTOR_REF(connector, "handshake"); gpr_mu_init(&h->mu); gpr_ref_init(&h->refs, 1); h->handshake_buffer_size = GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE; - h->handshake_buffer = (uint8_t *)gpr_malloc(h->handshake_buffer_size); + h->handshake_buffer = (uint8_t*)gpr_malloc(h->handshake_buffer_size); GRPC_CLOSURE_INIT(&h->on_handshake_data_sent_to_peer, on_handshake_data_sent_to_peer, h, grpc_schedule_on_exec_ctx); @@ -445,22 +447,22 @@ static grpc_handshaker *security_handshaker_create( // fail_handshaker // -static void fail_handshaker_destroy(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker) { +static void fail_handshaker_destroy(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker) { gpr_free(handshaker); } -static void fail_handshaker_shutdown(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker, - grpc_error *why) { +static void fail_handshaker_shutdown(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker, + grpc_error* why) { GRPC_ERROR_UNREF(why); } -static void fail_handshaker_do_handshake(grpc_exec_ctx *exec_ctx, - grpc_handshaker *handshaker, - grpc_tcp_server_acceptor *acceptor, - grpc_closure *on_handshake_done, - grpc_handshaker_args *args) { +static void fail_handshaker_do_handshake(grpc_exec_ctx* exec_ctx, + grpc_handshaker* handshaker, + grpc_tcp_server_acceptor* acceptor, + grpc_closure* on_handshake_done, + grpc_handshaker_args* args) { GRPC_CLOSURE_SCHED(exec_ctx, on_handshake_done, GRPC_ERROR_CREATE_FROM_STATIC_STRING( "Failed to create security handshaker")); @@ -470,8 +472,8 @@ static const grpc_handshaker_vtable fail_handshaker_vtable = { fail_handshaker_destroy, fail_handshaker_shutdown, fail_handshaker_do_handshake}; -static grpc_handshaker *fail_handshaker_create() { - grpc_handshaker *h = (grpc_handshaker *)gpr_malloc(sizeof(*h)); +static grpc_handshaker* fail_handshaker_create() { + grpc_handshaker* h = (grpc_handshaker*)gpr_malloc(sizeof(*h)); grpc_handshaker_init(&fail_handshaker_vtable, h); return h; } @@ -481,27 +483,27 @@ static grpc_handshaker *fail_handshaker_create() { // static void client_handshaker_factory_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_handshaker_factory *handshaker_factory, - const grpc_channel_args *args, grpc_handshake_manager *handshake_mgr) { - grpc_channel_security_connector *security_connector = - (grpc_channel_security_connector *)grpc_security_connector_find_in_args( + grpc_exec_ctx* exec_ctx, grpc_handshaker_factory* handshaker_factory, + const grpc_channel_args* args, grpc_handshake_manager* handshake_mgr) { + grpc_channel_security_connector* security_connector = + (grpc_channel_security_connector*)grpc_security_connector_find_in_args( args); grpc_channel_security_connector_add_handshakers(exec_ctx, security_connector, handshake_mgr); } static void server_handshaker_factory_add_handshakers( - grpc_exec_ctx *exec_ctx, grpc_handshaker_factory *hf, - const grpc_channel_args *args, grpc_handshake_manager *handshake_mgr) { - grpc_server_security_connector *security_connector = - (grpc_server_security_connector *)grpc_security_connector_find_in_args( + grpc_exec_ctx* exec_ctx, grpc_handshaker_factory* hf, + const grpc_channel_args* args, grpc_handshake_manager* handshake_mgr) { + grpc_server_security_connector* security_connector = + (grpc_server_security_connector*)grpc_security_connector_find_in_args( args); grpc_server_security_connector_add_handshakers(exec_ctx, security_connector, handshake_mgr); } static void handshaker_factory_destroy( - grpc_exec_ctx *exec_ctx, grpc_handshaker_factory *handshaker_factory) {} + grpc_exec_ctx* exec_ctx, grpc_handshaker_factory* handshaker_factory) {} static const grpc_handshaker_factory_vtable client_handshaker_factory_vtable = { client_handshaker_factory_add_handshakers, handshaker_factory_destroy}; @@ -519,9 +521,9 @@ static grpc_handshaker_factory server_handshaker_factory = { // exported functions // -grpc_handshaker *grpc_security_handshaker_create( - grpc_exec_ctx *exec_ctx, tsi_handshaker *handshaker, - grpc_security_connector *connector) { +grpc_handshaker* grpc_security_handshaker_create( + grpc_exec_ctx* exec_ctx, tsi_handshaker* handshaker, + grpc_security_connector* connector) { // If no TSI handshaker was created, return a handshaker that always fails. // Otherwise, return a real security handshaker. if (handshaker == NULL) { diff --git a/src/core/lib/security/transport/security_handshaker.h b/src/core/lib/security/transport/security_handshaker.h index 178099bb94..174f70f0dd 100644 --- a/src/core/lib/security/transport/security_handshaker.h +++ b/src/core/lib/security/transport/security_handshaker.h @@ -28,9 +28,9 @@ extern "C" { #endif /// Creates a security handshaker using \a handshaker. -grpc_handshaker *grpc_security_handshaker_create( - grpc_exec_ctx *exec_ctx, tsi_handshaker *handshaker, - grpc_security_connector *connector); +grpc_handshaker* grpc_security_handshaker_create( + grpc_exec_ctx* exec_ctx, tsi_handshaker* handshaker, + grpc_security_connector* connector); /// Registers security handshaker factories. void grpc_security_register_handshaker_factories(); diff --git a/src/core/lib/security/transport/server_auth_filter.cc b/src/core/lib/security/transport/server_auth_filter.cc index f5e02f42fe..e1307410d6 100644 --- a/src/core/lib/security/transport/server_auth_filter.cc +++ b/src/core/lib/security/transport/server_auth_filter.cc @@ -33,37 +33,37 @@ typedef enum { } async_state; typedef struct call_data { - grpc_call_combiner *call_combiner; - grpc_call_stack *owning_call; - grpc_transport_stream_op_batch *recv_initial_metadata_batch; - grpc_closure *original_recv_initial_metadata_ready; + grpc_call_combiner* call_combiner; + grpc_call_stack* owning_call; + grpc_transport_stream_op_batch* recv_initial_metadata_batch; + grpc_closure* original_recv_initial_metadata_ready; grpc_closure recv_initial_metadata_ready; grpc_metadata_array md; - const grpc_metadata *consumed_md; + const grpc_metadata* consumed_md; size_t num_consumed_md; - grpc_auth_context *auth_context; + grpc_auth_context* auth_context; grpc_closure cancel_closure; gpr_atm state; // async_state } call_data; typedef struct channel_data { - grpc_auth_context *auth_context; - grpc_server_credentials *creds; + grpc_auth_context* auth_context; + grpc_server_credentials* creds; } channel_data; static grpc_metadata_array metadata_batch_to_md_array( - const grpc_metadata_batch *batch) { - grpc_linked_mdelem *l; + const grpc_metadata_batch* batch) { + grpc_linked_mdelem* l; grpc_metadata_array result; grpc_metadata_array_init(&result); for (l = batch->list.head; l != NULL; l = l->next) { - grpc_metadata *usr_md = NULL; + grpc_metadata* usr_md = NULL; grpc_mdelem md = l->md; grpc_slice key = GRPC_MDKEY(md); grpc_slice value = GRPC_MDVALUE(md); if (result.count == result.capacity) { result.capacity = GPR_MAX(result.capacity + 8, result.capacity * 2); - result.metadata = (grpc_metadata *)gpr_realloc( + result.metadata = (grpc_metadata*)gpr_realloc( result.metadata, result.capacity * sizeof(grpc_metadata)); } usr_md = &result.metadata[result.count++]; @@ -73,14 +73,14 @@ static grpc_metadata_array metadata_batch_to_md_array( return result; } -static grpc_filtered_mdelem remove_consumed_md(grpc_exec_ctx *exec_ctx, - void *user_data, +static grpc_filtered_mdelem remove_consumed_md(grpc_exec_ctx* exec_ctx, + void* user_data, grpc_mdelem md) { - grpc_call_element *elem = (grpc_call_element *)user_data; - call_data *calld = (call_data *)elem->call_data; + grpc_call_element* elem = (grpc_call_element*)user_data; + call_data* calld = (call_data*)elem->call_data; size_t i; for (i = 0; i < calld->num_consumed_md; i++) { - const grpc_metadata *consumed_md = &calld->consumed_md[i]; + const grpc_metadata* consumed_md = &calld->consumed_md[i]; if (grpc_slice_eq(GRPC_MDKEY(md), consumed_md->key) && grpc_slice_eq(GRPC_MDVALUE(md), consumed_md->value)) return GRPC_FILTERED_REMOVE(); @@ -88,15 +88,15 @@ static grpc_filtered_mdelem remove_consumed_md(grpc_exec_ctx *exec_ctx, return GRPC_FILTERED_MDELEM(md); } -static void on_md_processing_done_inner(grpc_exec_ctx *exec_ctx, - grpc_call_element *elem, - const grpc_metadata *consumed_md, +static void on_md_processing_done_inner(grpc_exec_ctx* exec_ctx, + grpc_call_element* elem, + const grpc_metadata* consumed_md, size_t num_consumed_md, - const grpc_metadata *response_md, + const grpc_metadata* response_md, size_t num_response_md, - grpc_error *error) { - call_data *calld = (call_data *)elem->call_data; - grpc_transport_stream_op_batch *batch = calld->recv_initial_metadata_batch; + grpc_error* error) { + call_data* calld = (call_data*)elem->call_data; + grpc_transport_stream_op_batch* batch = calld->recv_initial_metadata_batch; /* TODO(jboeuf): Implement support for response_md. */ if (response_md != NULL && num_response_md > 0) { gpr_log(GPR_INFO, @@ -116,16 +116,16 @@ static void on_md_processing_done_inner(grpc_exec_ctx *exec_ctx, // Called from application code. static void on_md_processing_done( - void *user_data, const grpc_metadata *consumed_md, size_t num_consumed_md, - const grpc_metadata *response_md, size_t num_response_md, - grpc_status_code status, const char *error_details) { - grpc_call_element *elem = (grpc_call_element *)user_data; - call_data *calld = (call_data *)elem->call_data; + void* user_data, const grpc_metadata* consumed_md, size_t num_consumed_md, + const grpc_metadata* response_md, size_t num_response_md, + grpc_status_code status, const char* error_details) { + grpc_call_element* elem = (grpc_call_element*)user_data; + call_data* calld = (call_data*)elem->call_data; grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; // If the call was not cancelled while we were in flight, process the result. if (gpr_atm_full_cas(&calld->state, (gpr_atm)STATE_INIT, (gpr_atm)STATE_DONE)) { - grpc_error *error = GRPC_ERROR_NONE; + grpc_error* error = GRPC_ERROR_NONE; if (status != GRPC_STATUS_OK) { if (error_details == NULL) { error_details = "Authentication metadata processing failed."; @@ -147,9 +147,9 @@ static void on_md_processing_done( grpc_exec_ctx_finish(&exec_ctx); } -static void cancel_call(grpc_exec_ctx *exec_ctx, void *arg, grpc_error *error) { - grpc_call_element *elem = (grpc_call_element *)arg; - call_data *calld = (call_data *)elem->call_data; +static void cancel_call(grpc_exec_ctx* exec_ctx, void* arg, grpc_error* error) { + grpc_call_element* elem = (grpc_call_element*)arg; + call_data* calld = (call_data*)elem->call_data; // If the result was not already processed, invoke the callback now. if (error != GRPC_ERROR_NONE && gpr_atm_full_cas(&calld->state, (gpr_atm)STATE_INIT, @@ -160,12 +160,12 @@ static void cancel_call(grpc_exec_ctx *exec_ctx, void *arg, grpc_error *error) { GRPC_CALL_STACK_UNREF(exec_ctx, calld->owning_call, "cancel_call"); } -static void recv_initial_metadata_ready(grpc_exec_ctx *exec_ctx, void *arg, - grpc_error *error) { - grpc_call_element *elem = (grpc_call_element *)arg; - channel_data *chand = (channel_data *)elem->channel_data; - call_data *calld = (call_data *)elem->call_data; - grpc_transport_stream_op_batch *batch = calld->recv_initial_metadata_batch; +static void recv_initial_metadata_ready(grpc_exec_ctx* exec_ctx, void* arg, + grpc_error* error) { + grpc_call_element* elem = (grpc_call_element*)arg; + channel_data* chand = (channel_data*)elem->channel_data; + call_data* calld = (call_data*)elem->call_data; + grpc_transport_stream_op_batch* batch = calld->recv_initial_metadata_batch; if (error == GRPC_ERROR_NONE) { if (chand->creds != NULL && chand->creds->processor.process != NULL) { // We're calling out to the application, so we need to make sure @@ -189,9 +189,9 @@ static void recv_initial_metadata_ready(grpc_exec_ctx *exec_ctx, void *arg, } static void auth_start_transport_stream_op_batch( - grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - grpc_transport_stream_op_batch *batch) { - call_data *calld = (call_data *)elem->call_data; + grpc_exec_ctx* exec_ctx, grpc_call_element* elem, + grpc_transport_stream_op_batch* batch) { + call_data* calld = (call_data*)elem->call_data; if (batch->recv_initial_metadata) { // Inject our callback. calld->recv_initial_metadata_batch = batch; @@ -204,11 +204,11 @@ static void auth_start_transport_stream_op_batch( } /* Constructor for call_data */ -static grpc_error *init_call_elem(grpc_exec_ctx *exec_ctx, - grpc_call_element *elem, - const grpc_call_element_args *args) { - call_data *calld = (call_data *)elem->call_data; - channel_data *chand = (channel_data *)elem->channel_data; +static grpc_error* init_call_elem(grpc_exec_ctx* exec_ctx, + grpc_call_element* elem, + const grpc_call_element_args* args) { + call_data* calld = (call_data*)elem->call_data; + channel_data* chand = (channel_data*)elem->channel_data; calld->call_combiner = args->call_combiner; calld->owning_call = args->call_stack; GRPC_CLOSURE_INIT(&calld->recv_initial_metadata_ready, @@ -216,7 +216,7 @@ static grpc_error *init_call_elem(grpc_exec_ctx *exec_ctx, grpc_schedule_on_exec_ctx); // Create server security context. Set its auth context from channel // data and save it in the call context. - grpc_server_security_context *server_ctx = + grpc_server_security_context* server_ctx = grpc_server_security_context_create(); server_ctx->auth_context = grpc_auth_context_create(chand->auth_context); calld->auth_context = server_ctx->auth_context; @@ -231,31 +231,31 @@ static grpc_error *init_call_elem(grpc_exec_ctx *exec_ctx, } /* Destructor for call_data */ -static void destroy_call_elem(grpc_exec_ctx *exec_ctx, grpc_call_element *elem, - const grpc_call_final_info *final_info, - grpc_closure *ignored) {} +static void destroy_call_elem(grpc_exec_ctx* exec_ctx, grpc_call_element* elem, + const grpc_call_final_info* final_info, + grpc_closure* ignored) {} /* Constructor for channel_data */ -static grpc_error *init_channel_elem(grpc_exec_ctx *exec_ctx, - grpc_channel_element *elem, - grpc_channel_element_args *args) { +static grpc_error* init_channel_elem(grpc_exec_ctx* exec_ctx, + grpc_channel_element* elem, + grpc_channel_element_args* args) { GPR_ASSERT(!args->is_last); - channel_data *chand = (channel_data *)elem->channel_data; - grpc_auth_context *auth_context = + channel_data* chand = (channel_data*)elem->channel_data; + grpc_auth_context* auth_context = grpc_find_auth_context_in_args(args->channel_args); GPR_ASSERT(auth_context != NULL); chand->auth_context = GRPC_AUTH_CONTEXT_REF(auth_context, "server_auth_filter"); - grpc_server_credentials *creds = + grpc_server_credentials* creds = grpc_find_server_credentials_in_args(args->channel_args); chand->creds = grpc_server_credentials_ref(creds); return GRPC_ERROR_NONE; } /* Destructor for channel data */ -static void destroy_channel_elem(grpc_exec_ctx *exec_ctx, - grpc_channel_element *elem) { - channel_data *chand = (channel_data *)elem->channel_data; +static void destroy_channel_elem(grpc_exec_ctx* exec_ctx, + grpc_channel_element* elem) { + channel_data* chand = (channel_data*)elem->channel_data; GRPC_AUTH_CONTEXT_UNREF(chand->auth_context, "server_auth_filter"); grpc_server_credentials_unref(exec_ctx, chand->creds); } diff --git a/src/core/lib/security/transport/tsi_error.cc b/src/core/lib/security/transport/tsi_error.cc index 72f9600e84..f71696d35d 100644 --- a/src/core/lib/security/transport/tsi_error.cc +++ b/src/core/lib/security/transport/tsi_error.cc @@ -18,7 +18,7 @@ #include "src/core/lib/security/transport/tsi_error.h" -grpc_error *grpc_set_tsi_error_result(grpc_error *error, tsi_result result) { +grpc_error* grpc_set_tsi_error_result(grpc_error* error, tsi_result result) { return grpc_error_set_int( grpc_error_set_str( error, GRPC_ERROR_STR_TSI_ERROR, diff --git a/src/core/lib/security/transport/tsi_error.h b/src/core/lib/security/transport/tsi_error.h index 4e19daf796..4e8418f3fd 100644 --- a/src/core/lib/security/transport/tsi_error.h +++ b/src/core/lib/security/transport/tsi_error.h @@ -26,7 +26,7 @@ extern "C" { #endif -grpc_error *grpc_set_tsi_error_result(grpc_error *error, tsi_result result); +grpc_error* grpc_set_tsi_error_result(grpc_error* error, tsi_result result); #ifdef __cplusplus } |