/* * * Copyright 2016 gRPC authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ #include #include "src/core/lib/security/credentials/ssl/ssl_credentials.h" #include #include "src/core/lib/channel/channel_args.h" #include "src/core/lib/surface/api_trace.h" #include "src/core/tsi/ssl_transport_security.h" #include #include #include // // SSL Channel Credentials. // void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp, size_t num_key_cert_pairs) { if (kp == nullptr) return; for (size_t i = 0; i < num_key_cert_pairs; i++) { gpr_free((void*)kp[i].private_key); gpr_free((void*)kp[i].cert_chain); } gpr_free(kp); } static void ssl_destruct(grpc_channel_credentials* creds) { grpc_ssl_credentials* c = reinterpret_cast(creds); gpr_free(c->config.pem_root_certs); grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pair, 1); if (c->config.verify_options.verify_peer_destruct != nullptr) { c->config.verify_options.verify_peer_destruct( c->config.verify_options.verify_peer_callback_userdata); } } static grpc_security_status ssl_create_security_connector( grpc_channel_credentials* creds, grpc_call_credentials* call_creds, const char* target, const grpc_channel_args* args, grpc_channel_security_connector** sc, grpc_channel_args** new_args) { grpc_ssl_credentials* c = reinterpret_cast(creds); grpc_security_status status = GRPC_SECURITY_OK; const char* overridden_target_name = nullptr; tsi_ssl_session_cache* ssl_session_cache = nullptr; for (size_t i = 0; args && i < args->num_args; i++) { grpc_arg* arg = &args->args[i]; if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 && arg->type == GRPC_ARG_STRING) { overridden_target_name = arg->value.string; } if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 && arg->type == GRPC_ARG_POINTER) { ssl_session_cache = static_cast(arg->value.pointer.p); } } status = grpc_ssl_channel_security_connector_create( creds, call_creds, &c->config, target, overridden_target_name, ssl_session_cache, sc); if (status != GRPC_SECURITY_OK) { return status; } grpc_arg new_arg = grpc_channel_arg_string_create( (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https"); *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1); return status; } static grpc_channel_credentials_vtable ssl_vtable = { ssl_destruct, ssl_create_security_connector, nullptr}; static void ssl_build_config(const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const verify_peer_options* verify_options, grpc_ssl_config* config) { if (pem_root_certs != nullptr) { config->pem_root_certs = gpr_strdup(pem_root_certs); } if (pem_key_cert_pair != nullptr) { GPR_ASSERT(pem_key_cert_pair->private_key != nullptr); GPR_ASSERT(pem_key_cert_pair->cert_chain != nullptr); config->pem_key_cert_pair = static_cast( gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair))); config->pem_key_cert_pair->cert_chain = gpr_strdup(pem_key_cert_pair->cert_chain); config->pem_key_cert_pair->private_key = gpr_strdup(pem_key_cert_pair->private_key); } if (verify_options != nullptr) { memcpy(&config->verify_options, verify_options, sizeof(verify_peer_options)); } else { // Otherwise set all options to default values memset(&config->verify_options, 0, sizeof(verify_peer_options)); } } grpc_channel_credentials* grpc_ssl_credentials_create( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair, const verify_peer_options* verify_options, void* reserved) { grpc_ssl_credentials* c = static_cast( gpr_zalloc(sizeof(grpc_ssl_credentials))); GRPC_API_TRACE( "grpc_ssl_credentials_create(pem_root_certs=%s, " "pem_key_cert_pair=%p, " "verify_options=%p, " "reserved=%p)", 4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved)); GPR_ASSERT(reserved == nullptr); c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL; c->base.vtable = &ssl_vtable; gpr_ref_init(&c->base.refcount, 1); ssl_build_config(pem_root_certs, pem_key_cert_pair, verify_options, &c->config); return &c->base; } // // SSL Server Credentials. // struct grpc_ssl_server_credentials_options { grpc_ssl_client_certificate_request_type client_certificate_request; grpc_ssl_server_certificate_config* certificate_config; grpc_ssl_server_certificate_config_fetcher* certificate_config_fetcher; }; static void ssl_server_destruct(grpc_server_credentials* creds) { grpc_ssl_server_credentials* c = reinterpret_cast(creds); grpc_tsi_ssl_pem_key_cert_pairs_destroy(c->config.pem_key_cert_pairs, c->config.num_key_cert_pairs); gpr_free(c->config.pem_root_certs); } static grpc_security_status ssl_server_create_security_connector( grpc_server_credentials* creds, grpc_server_security_connector** sc) { return grpc_ssl_server_security_connector_create(creds, sc); } static grpc_server_credentials_vtable ssl_server_vtable = { ssl_server_destruct, ssl_server_create_security_connector}; tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs( const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs) { tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr; if (num_key_cert_pairs > 0) { GPR_ASSERT(pem_key_cert_pairs != nullptr); tsi_pairs = static_cast( gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair))); } for (size_t i = 0; i < num_key_cert_pairs; i++) { GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr); GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr); tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain); tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key); } return tsi_pairs; } static void ssl_build_server_config( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_server_config* config) { config->client_certificate_request = client_certificate_request; if (pem_root_certs != nullptr) { config->pem_root_certs = gpr_strdup(pem_root_certs); } config->pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs( pem_key_cert_pairs, num_key_cert_pairs); config->num_key_cert_pairs = num_key_cert_pairs; } grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create( const char* pem_root_certs, const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs) { grpc_ssl_server_certificate_config* config = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_certificate_config))); if (pem_root_certs != nullptr) { config->pem_root_certs = gpr_strdup(pem_root_certs); } if (num_key_cert_pairs > 0) { GPR_ASSERT(pem_key_cert_pairs != nullptr); config->pem_key_cert_pairs = static_cast( gpr_zalloc(num_key_cert_pairs * sizeof(grpc_ssl_pem_key_cert_pair))); } config->num_key_cert_pairs = num_key_cert_pairs; for (size_t i = 0; i < num_key_cert_pairs; i++) { GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr); GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr); config->pem_key_cert_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain); config->pem_key_cert_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key); } return config; } void grpc_ssl_server_certificate_config_destroy( grpc_ssl_server_certificate_config* config) { if (config == nullptr) return; for (size_t i = 0; i < config->num_key_cert_pairs; i++) { gpr_free((void*)config->pem_key_cert_pairs[i].private_key); gpr_free((void*)config->pem_key_cert_pairs[i].cert_chain); } gpr_free(config->pem_key_cert_pairs); gpr_free(config->pem_root_certs); gpr_free(config); } grpc_ssl_server_credentials_options* grpc_ssl_server_credentials_create_options_using_config( grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_server_certificate_config* config) { grpc_ssl_server_credentials_options* options = nullptr; if (config == nullptr) { gpr_log(GPR_ERROR, "Certificate config must not be NULL."); goto done; } options = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_credentials_options))); options->client_certificate_request = client_certificate_request; options->certificate_config = config; done: return options; } grpc_ssl_server_credentials_options* grpc_ssl_server_credentials_create_options_using_config_fetcher( grpc_ssl_client_certificate_request_type client_certificate_request, grpc_ssl_server_certificate_config_callback cb, void* user_data) { if (cb == nullptr) { gpr_log(GPR_ERROR, "Invalid certificate config callback parameter."); return nullptr; } grpc_ssl_server_certificate_config_fetcher* fetcher = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_certificate_config_fetcher))); fetcher->cb = cb; fetcher->user_data = user_data; grpc_ssl_server_credentials_options* options = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_credentials_options))); options->client_certificate_request = client_certificate_request; options->certificate_config_fetcher = fetcher; return options; } grpc_server_credentials* grpc_ssl_server_credentials_create( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, void* reserved) { return grpc_ssl_server_credentials_create_ex( pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs, force_client_auth ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE, reserved); } grpc_server_credentials* grpc_ssl_server_credentials_create_ex( const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs, grpc_ssl_client_certificate_request_type client_certificate_request, void* reserved) { GRPC_API_TRACE( "grpc_ssl_server_credentials_create_ex(" "pem_root_certs=%s, pem_key_cert_pairs=%p, num_key_cert_pairs=%lu, " "client_certificate_request=%d, reserved=%p)", 5, (pem_root_certs, pem_key_cert_pairs, (unsigned long)num_key_cert_pairs, client_certificate_request, reserved)); GPR_ASSERT(reserved == nullptr); grpc_ssl_server_certificate_config* cert_config = grpc_ssl_server_certificate_config_create( pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs); grpc_ssl_server_credentials_options* options = grpc_ssl_server_credentials_create_options_using_config( client_certificate_request, cert_config); return grpc_ssl_server_credentials_create_with_options(options); } grpc_server_credentials* grpc_ssl_server_credentials_create_with_options( grpc_ssl_server_credentials_options* options) { grpc_server_credentials* retval = nullptr; grpc_ssl_server_credentials* c = nullptr; if (options == nullptr) { gpr_log(GPR_ERROR, "Invalid options trying to create SSL server credentials."); goto done; } if (options->certificate_config == nullptr && options->certificate_config_fetcher == nullptr) { gpr_log(GPR_ERROR, "SSL server credentials options must specify either " "certificate config or fetcher."); goto done; } else if (options->certificate_config_fetcher != nullptr && options->certificate_config_fetcher->cb == nullptr) { gpr_log(GPR_ERROR, "Certificate config fetcher callback must not be NULL."); goto done; } c = static_cast( gpr_zalloc(sizeof(grpc_ssl_server_credentials))); c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL; gpr_ref_init(&c->base.refcount, 1); c->base.vtable = &ssl_server_vtable; if (options->certificate_config_fetcher != nullptr) { c->config.client_certificate_request = options->client_certificate_request; c->certificate_config_fetcher = *options->certificate_config_fetcher; } else { ssl_build_server_config(options->certificate_config->pem_root_certs, options->certificate_config->pem_key_cert_pairs, options->certificate_config->num_key_cert_pairs, options->client_certificate_request, &c->config); } retval = &c->base; done: grpc_ssl_server_credentials_options_destroy(options); return retval; } void grpc_ssl_server_credentials_options_destroy( grpc_ssl_server_credentials_options* o) { if (o == nullptr) return; gpr_free(o->certificate_config_fetcher); grpc_ssl_server_certificate_config_destroy(o->certificate_config); gpr_free(o); }