1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 //     http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18 
19 #include <grpc/support/port_platform.h>
20 
21 #include <string.h>
22 
23 #include <string>
24 
25 #include "absl/status/status.h"
26 #include "absl/strings/str_cat.h"
27 #include "absl/strings/string_view.h"
28 #include "absl/types/optional.h"
29 
30 #include <grpc/grpc.h>
31 #include <grpc/grpc_security.h>
32 #include <grpc/support/alloc.h>
33 #include <grpc/support/log.h>
34 #include <grpc/support/string_util.h>
35 
36 #include "src/core/lib/channel/channel_args.h"
37 #include "src/core/lib/gprpp/debug_location.h"
38 #include "src/core/lib/gprpp/ref_counted_ptr.h"
39 #include "src/core/lib/gprpp/unique_type_name.h"
40 #include "src/core/lib/iomgr/closure.h"
41 #include "src/core/lib/iomgr/endpoint.h"
42 #include "src/core/lib/iomgr/error.h"
43 #include "src/core/lib/iomgr/exec_ctx.h"
44 #include "src/core/lib/iomgr/iomgr_fwd.h"
45 #include "src/core/lib/promise/arena_promise.h"
46 #include "src/core/lib/promise/promise.h"
47 #include "src/core/lib/security/credentials/credentials.h"
48 #include "src/core/lib/security/security_connector/security_connector.h"
49 #include "src/core/lib/security/security_connector/ssl_utils.h"
50 #include "src/core/lib/security/transport/security_handshaker.h"
51 #include "src/core/lib/transport/handshaker.h"
52 #include "src/core/tsi/ssl_transport_security.h"
53 #include "src/core/tsi/transport_security_interface.h"
54 
55 namespace grpc_core {
56 
57 namespace {
58 
59 class grpc_httpcli_ssl_channel_security_connector final
60     : public grpc_channel_security_connector {
61  public:
grpc_httpcli_ssl_channel_security_connector(char * secure_peer_name)62   explicit grpc_httpcli_ssl_channel_security_connector(char* secure_peer_name)
63       : grpc_channel_security_connector(
64             /*url_scheme=*/{},
65             /*channel_creds=*/nullptr,
66             /*request_metadata_creds=*/nullptr),
67         secure_peer_name_(secure_peer_name) {}
68 
~grpc_httpcli_ssl_channel_security_connector()69   ~grpc_httpcli_ssl_channel_security_connector() override {
70     if (handshaker_factory_ != nullptr) {
71       tsi_ssl_client_handshaker_factory_unref(handshaker_factory_);
72     }
73     if (secure_peer_name_ != nullptr) {
74       gpr_free(secure_peer_name_);
75     }
76   }
77 
InitHandshakerFactory(const char * pem_root_certs,const tsi_ssl_root_certs_store * root_store)78   tsi_result InitHandshakerFactory(const char* pem_root_certs,
79                                    const tsi_ssl_root_certs_store* root_store) {
80     tsi_ssl_client_handshaker_options options;
81     options.pem_root_certs = pem_root_certs;
82     options.root_store = root_store;
83     return tsi_create_ssl_client_handshaker_factory_with_options(
84         &options, &handshaker_factory_);
85   }
86 
add_handshakers(const ChannelArgs & args,grpc_pollset_set *,HandshakeManager * handshake_mgr)87   void add_handshakers(const ChannelArgs& args,
88                        grpc_pollset_set* /*interested_parties*/,
89                        HandshakeManager* handshake_mgr) override {
90     tsi_handshaker* handshaker = nullptr;
91     if (handshaker_factory_ != nullptr) {
92       tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
93           handshaker_factory_, secure_peer_name_, /*network_bio_buf_size=*/0,
94           /*ssl_bio_buf_size=*/0, &handshaker);
95       if (result != TSI_OK) {
96         gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
97                 tsi_result_to_string(result));
98       }
99     }
100     handshake_mgr->Add(SecurityHandshakerCreate(handshaker, this, args));
101   }
102 
handshaker_factory() const103   tsi_ssl_client_handshaker_factory* handshaker_factory() const {
104     return handshaker_factory_;
105   }
106 
check_peer(tsi_peer peer,grpc_endpoint *,const ChannelArgs &,RefCountedPtr<grpc_auth_context> *,grpc_closure * on_peer_checked)107   void check_peer(tsi_peer peer, grpc_endpoint* /*ep*/,
108                   const ChannelArgs& /*args*/,
109                   RefCountedPtr<grpc_auth_context>* /*auth_context*/,
110                   grpc_closure* on_peer_checked) override {
111     grpc_error_handle error;
112 
113     // Check the peer name.
114     if (secure_peer_name_ != nullptr &&
115         !tsi_ssl_peer_matches_name(&peer, secure_peer_name_)) {
116       error = GRPC_ERROR_CREATE(absl::StrCat("Peer name ", secure_peer_name_,
117                                              " is not in peer certificate"));
118     }
119     ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
120     tsi_peer_destruct(&peer);
121   }
122 
cancel_check_peer(grpc_closure *,grpc_error_handle)123   void cancel_check_peer(grpc_closure* /*on_peer_checked*/,
124                          grpc_error_handle /*error*/) override {}
125 
cmp(const grpc_security_connector * other_sc) const126   int cmp(const grpc_security_connector* other_sc) const override {
127     auto* other =
128         reinterpret_cast<const grpc_httpcli_ssl_channel_security_connector*>(
129             other_sc);
130     return strcmp(secure_peer_name_, other->secure_peer_name_);
131   }
132 
CheckCallHost(absl::string_view,grpc_auth_context *)133   ArenaPromise<absl::Status> CheckCallHost(absl::string_view,
134                                            grpc_auth_context*) override {
135     return ImmediateOkStatus();
136   }
137 
secure_peer_name() const138   const char* secure_peer_name() const { return secure_peer_name_; }
139 
140  private:
141   tsi_ssl_client_handshaker_factory* handshaker_factory_ = nullptr;
142   char* secure_peer_name_;
143 };
144 
145 RefCountedPtr<grpc_channel_security_connector>
httpcli_ssl_channel_security_connector_create(const char * pem_root_certs,const tsi_ssl_root_certs_store * root_store,const char * secure_peer_name)146 httpcli_ssl_channel_security_connector_create(
147     const char* pem_root_certs, const tsi_ssl_root_certs_store* root_store,
148     const char* secure_peer_name) {
149   if (secure_peer_name != nullptr && pem_root_certs == nullptr) {
150     gpr_log(GPR_ERROR,
151             "Cannot assert a secure peer name without a trust root.");
152     return nullptr;
153   }
154   RefCountedPtr<grpc_httpcli_ssl_channel_security_connector> c =
155       MakeRefCounted<grpc_httpcli_ssl_channel_security_connector>(
156           secure_peer_name == nullptr ? nullptr : gpr_strdup(secure_peer_name));
157   tsi_result result = c->InitHandshakerFactory(pem_root_certs, root_store);
158   if (result != TSI_OK) {
159     gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
160             tsi_result_to_string(result));
161     return nullptr;
162   }
163   return c;
164 }
165 
166 class HttpRequestSSLCredentials : public grpc_channel_credentials {
167  public:
create_security_connector(RefCountedPtr<grpc_call_credentials>,const char * target,ChannelArgs * args)168   RefCountedPtr<grpc_channel_security_connector> create_security_connector(
169       RefCountedPtr<grpc_call_credentials> /*call_creds*/, const char* target,
170       ChannelArgs* args) override {
171     const char* pem_root_certs = DefaultSslRootStore::GetPemRootCerts();
172     const tsi_ssl_root_certs_store* root_store =
173         DefaultSslRootStore::GetRootStore();
174     if (root_store == nullptr) {
175       gpr_log(GPR_ERROR, "Could not get default pem root certs.");
176       return nullptr;
177     }
178     absl::optional<std::string> target_string =
179         args->GetOwnedString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG)
180             .value_or(target);
181     return httpcli_ssl_channel_security_connector_create(
182         pem_root_certs, root_store, target_string->c_str());
183   }
184 
duplicate_without_call_credentials()185   RefCountedPtr<grpc_channel_credentials> duplicate_without_call_credentials()
186       override {
187     return Ref();
188   }
189 
type() const190   UniqueTypeName type() const override {
191     static UniqueTypeName::Factory kFactory("HttpRequestSSL");
192     return kFactory.Create();
193   }
194 
195  private:
cmp_impl(const grpc_channel_credentials *) const196   int cmp_impl(const grpc_channel_credentials* /* other */) const override {
197     // There's no differentiating factor between two HttpRequestSSLCredentials
198     // objects.
199     return 0;
200   }
201 };
202 
203 }  // namespace
204 
CreateHttpRequestSSLCredentials()205 RefCountedPtr<grpc_channel_credentials> CreateHttpRequestSSLCredentials() {
206   // Create a singleton object for HttpRequestSSLCredentials so that channels to
207   // the same target with HttpRequestSSLCredentials can reuse the subchannels.
208   static auto* creds = new HttpRequestSSLCredentials();
209   return creds->Ref();
210 }
211 
212 }  // namespace grpc_core
213