git://repos.xcallymotion.com / motion2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Built motion from commit 6a09e18b.|2.6.11
[motion2.git] / legacy-libs / grpc / deps / grpc / src / core / lib / security / security_connector / ssl / ssl_security_connector.cc
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18
19 #include <grpc/support/port_platform.h>
20
21 #include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
22
23 #include <stdbool.h>
24
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/log.h>
27 #include <grpc/support/string_util.h>
28
29 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
30 #include "src/core/lib/channel/handshaker.h"
31 #include "src/core/lib/gpr/string.h"
32 #include "src/core/lib/gprpp/host_port.h"
33 #include "src/core/lib/gprpp/ref_counted_ptr.h"
34 #include "src/core/lib/security/context/security_context.h"
35 #include "src/core/lib/security/credentials/credentials.h"
36 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
37 #include "src/core/lib/security/security_connector/load_system_roots.h"
38 #include "src/core/lib/security/security_connector/ssl_utils.h"
39 #include "src/core/lib/security/transport/security_handshaker.h"
40 #include "src/core/tsi/ssl_transport_security.h"
41 #include "src/core/tsi/transport_security.h"
42
43 namespace {
44 grpc_error* ssl_check_peer(
45     const char* peer_name, const tsi_peer* peer,
46     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context) {
47   grpc_error* error = grpc_ssl_check_alpn(peer);
48   if (error != GRPC_ERROR_NONE) {
49     return error;
50   }
51   /* Check the peer name if specified. */
52   if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
53     char* msg;
54     gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
55     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
56     gpr_free(msg);
57     return error;
58   }
59   *auth_context = grpc_ssl_peer_to_auth_context(peer);
60   return GRPC_ERROR_NONE;
61 }
62
63 class grpc_ssl_channel_security_connector final
64     : public grpc_channel_security_connector {
65  public:
66   grpc_ssl_channel_security_connector(
67       grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
68       grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
69       const grpc_ssl_config* config, const char* target_name,
70       const char* overridden_target_name)
71       : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
72                                         std::move(channel_creds),
73                                         std::move(request_metadata_creds)),
74         overridden_target_name_(overridden_target_name == nullptr
75                                     ? nullptr
76                                     : gpr_strdup(overridden_target_name)),
77         verify_options_(&config->verify_options) {
78     grpc_core::StringView host;
79     grpc_core::StringView port;
80     grpc_core::SplitHostPort(target_name, &host, &port);
81     target_name_ = host.dup();
82   }
83
84   ~grpc_ssl_channel_security_connector() override {
85     tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
86   }
87
88   grpc_security_status InitializeHandshakerFactory(
89       const grpc_ssl_config* config, const char* pem_root_certs,
90       const tsi_ssl_root_certs_store* root_store,
91       tsi_ssl_session_cache* ssl_session_cache) {
92     bool has_key_cert_pair =
93         config->pem_key_cert_pair != nullptr &&
94         config->pem_key_cert_pair->private_key != nullptr &&
95         config->pem_key_cert_pair->cert_chain != nullptr;
96     tsi_ssl_client_handshaker_options options;
97     GPR_DEBUG_ASSERT(pem_root_certs != nullptr);
98     options.pem_root_certs = pem_root_certs;
99     options.root_store = root_store;
100     options.alpn_protocols =
101         grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
102     if (has_key_cert_pair) {
103       options.pem_key_cert_pair = config->pem_key_cert_pair;
104     }
105     options.cipher_suites = grpc_get_ssl_cipher_suites();
106     options.session_cache = ssl_session_cache;
107     const tsi_result result =
108         tsi_create_ssl_client_handshaker_factory_with_options(
109             &options, &client_handshaker_factory_);
110     gpr_free((void*)options.alpn_protocols);
111     if (result != TSI_OK) {
112       gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
113               tsi_result_to_string(result));
114       return GRPC_SECURITY_ERROR;
115     }
116     return GRPC_SECURITY_OK;
117   }
118
119   void add_handshakers(grpc_pollset_set* interested_parties,
120                        grpc_core::HandshakeManager* handshake_mgr) override {
121     // Instantiate TSI handshaker.
122     tsi_handshaker* tsi_hs = nullptr;
123     tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
124         client_handshaker_factory_,
125         overridden_target_name_ != nullptr ? overridden_target_name_.get()
126                                            : target_name_.get(),
127         &tsi_hs);
128     if (result != TSI_OK) {
129       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
130               tsi_result_to_string(result));
131       return;
132     }
133     // Create handshakers.
134     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
135   }
136
137   void check_peer(tsi_peer peer, grpc_endpoint* ep,
138                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
139                   grpc_closure* on_peer_checked) override {
140     const char* target_name = overridden_target_name_ != nullptr
141                                   ? overridden_target_name_.get()
142                                   : target_name_.get();
143     grpc_error* error = ssl_check_peer(target_name, &peer, auth_context);
144     if (error == GRPC_ERROR_NONE &&
145         verify_options_->verify_peer_callback != nullptr) {
146       const tsi_peer_property* p =
147           tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
148       if (p == nullptr) {
149         error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
150             "Cannot check peer: missing pem cert property.");
151       } else {
152         char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
153         memcpy(peer_pem, p->value.data, p->value.length);
154         peer_pem[p->value.length] = '\0';
155         int callback_status = verify_options_->verify_peer_callback(
156             target_name, peer_pem,
157             verify_options_->verify_peer_callback_userdata);
158         gpr_free(peer_pem);
159         if (callback_status) {
160           char* msg;
161           gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
162                        callback_status);
163           error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
164           gpr_free(msg);
165         }
166       }
167     }
168     GRPC_CLOSURE_SCHED(on_peer_checked, error);
169     tsi_peer_destruct(&peer);
170   }
171
172   int cmp(const grpc_security_connector* other_sc) const override {
173     auto* other =
174         reinterpret_cast<const grpc_ssl_channel_security_connector*>(other_sc);
175     int c = channel_security_connector_cmp(other);
176     if (c != 0) return c;
177     c = strcmp(target_name_.get(), other->target_name_.get());
178     if (c != 0) return c;
179     return (overridden_target_name_ == nullptr ||
180             other->overridden_target_name_ == nullptr)
181                ? GPR_ICMP(overridden_target_name_.get(),
182                           other->overridden_target_name_.get())
183                : strcmp(overridden_target_name_.get(),
184                         other->overridden_target_name_.get());
185   }
186
187   bool check_call_host(grpc_core::StringView host,
188                        grpc_auth_context* auth_context,
189                        grpc_closure* on_call_host_checked,
190                        grpc_error** error) override {
191     grpc_security_status status = GRPC_SECURITY_ERROR;
192     tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
193     if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
194     /* If the target name was overridden, then the original target_name was
195        'checked' transitively during the previous peer check at the end of the
196        handshake. */
197     if (overridden_target_name_ != nullptr && host == target_name_.get()) {
198       status = GRPC_SECURITY_OK;
199     }
200     if (status != GRPC_SECURITY_OK) {
201       *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
202           "call host does not match SSL server name");
203     }
204     grpc_shallow_peer_destruct(&peer);
205     return true;
206   }
207
208   void cancel_check_call_host(grpc_closure* on_call_host_checked,
209                               grpc_error* error) override {
210     GRPC_ERROR_UNREF(error);
211   }
212
213  private:
214   tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
215   grpc_core::UniquePtr<char> target_name_;
216   grpc_core::UniquePtr<char> overridden_target_name_;
217   const verify_peer_options* verify_options_;
218 };
219
220 class grpc_ssl_server_security_connector
221     : public grpc_server_security_connector {
222  public:
223   grpc_ssl_server_security_connector(
224       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
225       : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
226                                        std::move(server_creds)) {}
227
228   ~grpc_ssl_server_security_connector() override {
229     tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
230   }
231
232   bool has_cert_config_fetcher() const {
233     return static_cast<const grpc_ssl_server_credentials*>(server_creds())
234         ->has_cert_config_fetcher();
235   }
236
237   const tsi_ssl_server_handshaker_factory* server_handshaker_factory() const {
238     return server_handshaker_factory_;
239   }
240
241   grpc_security_status InitializeHandshakerFactory() {
242     if (has_cert_config_fetcher()) {
243       // Load initial credentials from certificate_config_fetcher:
244       if (!try_fetch_ssl_server_credentials()) {
245         gpr_log(GPR_ERROR,
246                 "Failed loading SSL server credentials from fetcher.");
247         return GRPC_SECURITY_ERROR;
248       }
249     } else {
250       auto* server_credentials =
251           static_cast<const grpc_ssl_server_credentials*>(server_creds());
252       size_t num_alpn_protocols = 0;
253       const char** alpn_protocol_strings =
254           grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
255       tsi_ssl_server_handshaker_options options;
256       options.pem_key_cert_pairs =
257           server_credentials->config().pem_key_cert_pairs;
258       options.num_key_cert_pairs =
259           server_credentials->config().num_key_cert_pairs;
260       options.pem_client_root_certs =
261           server_credentials->config().pem_root_certs;
262       options.client_certificate_request =
263           grpc_get_tsi_client_certificate_request_type(
264               server_credentials->config().client_certificate_request);
265       options.cipher_suites = grpc_get_ssl_cipher_suites();
266       options.alpn_protocols = alpn_protocol_strings;
267       options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
268       const tsi_result result =
269           tsi_create_ssl_server_handshaker_factory_with_options(
270               &options, &server_handshaker_factory_);
271       gpr_free((void*)alpn_protocol_strings);
272       if (result != TSI_OK) {
273         gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
274                 tsi_result_to_string(result));
275         return GRPC_SECURITY_ERROR;
276       }
277     }
278     return GRPC_SECURITY_OK;
279   }
280
281   void add_handshakers(grpc_pollset_set* interested_parties,
282                        grpc_core::HandshakeManager* handshake_mgr) override {
283     // Instantiate TSI handshaker.
284     try_fetch_ssl_server_credentials();
285     tsi_handshaker* tsi_hs = nullptr;
286     tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
287         server_handshaker_factory_, &tsi_hs);
288     if (result != TSI_OK) {
289       gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
290               tsi_result_to_string(result));
291       return;
292     }
293     // Create handshakers.
294     handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
295   }
296
297   void check_peer(tsi_peer peer, grpc_endpoint* ep,
298                   grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
299                   grpc_closure* on_peer_checked) override {
300     grpc_error* error = ssl_check_peer(nullptr, &peer, auth_context);
301     tsi_peer_destruct(&peer);
302     GRPC_CLOSURE_SCHED(on_peer_checked, error);
303   }
304
305   int cmp(const grpc_security_connector* other) const override {
306     return server_security_connector_cmp(
307         static_cast<const grpc_server_security_connector*>(other));
308   }
309
310  private:
311   /* Attempts to fetch the server certificate config if a callback is available.
312    * Current certificate config will continue to be used if the callback returns
313    * an error. Returns true if new credentials were successfully loaded. */
314   bool try_fetch_ssl_server_credentials() {
315     grpc_ssl_server_certificate_config* certificate_config = nullptr;
316     bool status;
317     if (!has_cert_config_fetcher()) return false;
318
319     grpc_ssl_server_credentials* server_creds =
320         static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
321     grpc_ssl_certificate_config_reload_status cb_result =
322         server_creds->FetchCertConfig(&certificate_config);
323     if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
324       gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
325       status = false;
326     } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
327       status = try_replace_server_handshaker_factory(certificate_config);
328     } else {
329       // Log error, continue using previously-loaded credentials.
330       gpr_log(GPR_ERROR,
331               "Failed fetching new server credentials, continuing to "
332               "use previously-loaded credentials.");
333       status = false;
334     }
335
336     if (certificate_config != nullptr) {
337       grpc_ssl_server_certificate_config_destroy(certificate_config);
338     }
339     return status;
340   }
341
342   /* Attempts to replace the server_handshaker_factory with a new factory using
343    * the provided grpc_ssl_server_certificate_config. Should new factory
344    * creation fail, the existing factory will not be replaced. Returns true on
345    * success (new factory created). */
346   bool try_replace_server_handshaker_factory(
347       const grpc_ssl_server_certificate_config* config) {
348     if (config == nullptr) {
349       gpr_log(GPR_ERROR,
350               "Server certificate config callback returned invalid (NULL) "
351               "config.");
352       return false;
353     }
354     gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
355
356     size_t num_alpn_protocols = 0;
357     const char** alpn_protocol_strings =
358         grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
359     tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
360     const grpc_ssl_server_credentials* server_creds =
361         static_cast<const grpc_ssl_server_credentials*>(this->server_creds());
362     GPR_DEBUG_ASSERT(config->pem_root_certs != nullptr);
363     tsi_ssl_server_handshaker_options options;
364     options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
365         config->pem_key_cert_pairs, config->num_key_cert_pairs);
366     options.num_key_cert_pairs = config->num_key_cert_pairs;
367     options.pem_client_root_certs = config->pem_root_certs;
368     options.client_certificate_request =
369         grpc_get_tsi_client_certificate_request_type(
370             server_creds->config().client_certificate_request);
371     options.cipher_suites = grpc_get_ssl_cipher_suites();
372     options.alpn_protocols = alpn_protocol_strings;
373     options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
374     tsi_result result = tsi_create_ssl_server_handshaker_factory_with_options(
375         &options, &new_handshaker_factory);
376     grpc_tsi_ssl_pem_key_cert_pairs_destroy(
377         const_cast<tsi_ssl_pem_key_cert_pair*>(options.pem_key_cert_pairs),
378         options.num_key_cert_pairs);
379     gpr_free((void*)alpn_protocol_strings);
380
381     if (result != TSI_OK) {
382       gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
383               tsi_result_to_string(result));
384       return false;
385     }
386     set_server_handshaker_factory(new_handshaker_factory);
387     return true;
388   }
389
390   void set_server_handshaker_factory(
391       tsi_ssl_server_handshaker_factory* new_factory) {
392     if (server_handshaker_factory_) {
393       tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
394     }
395     server_handshaker_factory_ = new_factory;
396   }
397
398   tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
399 };
400 }  // namespace
401
402 grpc_core::RefCountedPtr<grpc_channel_security_connector>
403 grpc_ssl_channel_security_connector_create(
404     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
405     grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
406     const grpc_ssl_config* config, const char* target_name,
407     const char* overridden_target_name,
408     tsi_ssl_session_cache* ssl_session_cache) {
409   if (config == nullptr || target_name == nullptr) {
410     gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
411     return nullptr;
412   }
413
414   const char* pem_root_certs;
415   const tsi_ssl_root_certs_store* root_store;
416   if (config->pem_root_certs == nullptr) {
417     // Use default root certificates.
418     pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
419     if (pem_root_certs == nullptr) {
420       gpr_log(GPR_ERROR, "Could not get default pem root certs.");
421       return nullptr;
422     }
423     root_store = grpc_core::DefaultSslRootStore::GetRootStore();
424   } else {
425     pem_root_certs = config->pem_root_certs;
426     root_store = nullptr;
427   }
428
429   grpc_core::RefCountedPtr<grpc_ssl_channel_security_connector> c =
430       grpc_core::MakeRefCounted<grpc_ssl_channel_security_connector>(
431           std::move(channel_creds), std::move(request_metadata_creds), config,
432           target_name, overridden_target_name);
433   const grpc_security_status result = c->InitializeHandshakerFactory(
434       config, pem_root_certs, root_store, ssl_session_cache);
435   if (result != GRPC_SECURITY_OK) {
436     return nullptr;
437   }
438   return c;
439 }
440
441 grpc_core::RefCountedPtr<grpc_server_security_connector>
442 grpc_ssl_server_security_connector_create(
443     grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials) {
444   GPR_ASSERT(server_credentials != nullptr);
445   grpc_core::RefCountedPtr<grpc_ssl_server_security_connector> c =
446       grpc_core::MakeRefCounted<grpc_ssl_server_security_connector>(
447           std::move(server_credentials));
448   const grpc_security_status retval = c->InitializeHandshakerFactory();
449   if (retval != GRPC_SECURITY_OK) {
450     return nullptr;
451   }
452   return c;
453 }
xCALLY Motion is the new Realtime asynchronous solution for your multichannel contact center over Asterisk.