grpc 1.27.0 → 1.30.2

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -23,12 +23,14 @@
 
 #include <stdbool.h>
 
+#include "absl/strings/str_split.h"
+#include "absl/strings/string_view.h"
+
 #include <grpc/grpc_security.h>
 #include <grpc/slice_buffer.h>
 
 #include "src/core/lib/gprpp/global_config.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
-#include "src/core/lib/gprpp/string_view.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
@@ -45,19 +47,18 @@
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer);
 
 /* Check peer name information returned from SSL handshakes. */
-grpc_error* grpc_ssl_check_peer_name(grpc_core::StringView peer_name,
+grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
                                      const tsi_peer* peer);
 /* Compare targer_name information extracted from SSL security connectors. */
-int grpc_ssl_cmp_target_name(
-    grpc_core::StringView target_name, grpc_core::StringView other_target_name,
-    grpc_core::StringView overridden_target_name,
-    grpc_core::StringView other_overridden_target_name);
+int grpc_ssl_cmp_target_name(absl::string_view target_name,
+                             absl::string_view other_target_name,
+                             absl::string_view overridden_target_name,
+                             absl::string_view other_overridden_target_name);
 /* Check the host that will be set for a call is acceptable.*/
-bool grpc_ssl_check_call_host(grpc_core::StringView host,
-                              grpc_core::StringView target_name,
-                              grpc_core::StringView overridden_target_name,
+bool grpc_ssl_check_call_host(absl::string_view host,
+                              absl::string_view target_name,
+                              absl::string_view overridden_target_name,
                               grpc_auth_context* auth_context,
-                              grpc_closure* on_call_host_checked,
                               grpc_error** error);
 /* Return HTTP2-compliant cipher suites that gRPC accepts by default. */
 const char* grpc_get_ssl_cipher_suites(void);
@@ -102,7 +103,7 @@ tsi_peer grpc_shallow_peer_from_ssl_auth_context(
     const grpc_auth_context* auth_context);
 void grpc_shallow_peer_destruct(tsi_peer* peer);
 int grpc_ssl_host_matches_name(const tsi_peer* peer,
-                               grpc_core::StringView peer_name);
+                               absl::string_view peer_name);
 
 /* --- Default SSL Root Store. --- */
 namespace grpc_core {

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -23,6 +23,8 @@
 #include <stdbool.h>
 #include <string.h>
 
+#include "absl/strings/string_view.h"
+
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
@@ -62,54 +64,79 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
 
 }  // namespace
 
-/** -- Util function to fetch TLS server/channel credentials. -- */
 grpc_status_code TlsFetchKeyMaterials(
     const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
         key_materials_config,
-    const grpc_tls_credentials_options& options, bool server_config,
-    grpc_ssl_certificate_config_reload_status* reload_status) {
+    const grpc_tls_credentials_options& options, bool is_server,
+    grpc_ssl_certificate_config_reload_status* status) {
   GPR_ASSERT(key_materials_config != nullptr);
+  GPR_ASSERT(status != nullptr);
   bool is_key_materials_empty =
       key_materials_config->pem_key_cert_pair_list().empty();
-  if (options.credential_reload_config() == nullptr && is_key_materials_empty &&
-      server_config) {
+  grpc_tls_credential_reload_config* credential_reload_config =
+      options.credential_reload_config();
+  /** If there are no key materials and no credential reload config and the
+   *  caller is a server, then return an error. We do not require that a client
+   *  always provision certificates. **/
+  if (credential_reload_config == nullptr && is_key_materials_empty &&
+      is_server) {
     gpr_log(GPR_ERROR,
             "Either credential reload config or key materials should be "
             "provisioned.");
     return GRPC_STATUS_FAILED_PRECONDITION;
   }
-  grpc_status_code status = GRPC_STATUS_OK;
-  /* Use credential reload config to fetch credentials. */
-  if (options.credential_reload_config() != nullptr) {
+  grpc_status_code reload_status = GRPC_STATUS_OK;
+  /** Use |credential_reload_config| to update |key_materials_config|. **/
+  if (credential_reload_config != nullptr) {
     grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
     arg->key_materials_config = key_materials_config.get();
-    int result = options.credential_reload_config()->Schedule(arg);
+    arg->error_details = new grpc_tls_error_details();
+    int result = credential_reload_config->Schedule(arg);
     if (result) {
-      /* Do not support async credential reload. */
+      /** Credential reloading is performed async. This is not yet supported.
+       * **/
       gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
-      status =
+      *status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+      reload_status =
           is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
     } else {
-      GPR_ASSERT(reload_status != nullptr);
-      *reload_status = arg->status;
+      /** Credential reloading is performed sync. **/
+      *status = arg->status;
       if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
         /* Key materials is not empty. */
         gpr_log(GPR_DEBUG, "Credential does not change after reload.");
       } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
         gpr_log(GPR_ERROR, "Credential reload failed with an error:");
         if (arg->error_details != nullptr) {
-          gpr_log(GPR_ERROR, "%s", arg->error_details);
+          gpr_log(GPR_ERROR, "%s", arg->error_details->error_details().c_str());
         }
-        status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
+        reload_status =
+            is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
       }
     }
-    gpr_free((void*)arg->error_details);
+    delete arg->error_details;
+    /** If the credential reload config was constructed via a wrapped language,
+     *  then |arg->context| and |arg->destroy_context| will not be nullptr. In
+     *  this case, we must destroy |arg->context|, which stores the wrapped
+     *  language-version of the credential reload arg. **/
     if (arg->destroy_context != nullptr) {
       arg->destroy_context(arg->context);
     }
     delete arg;
   }
-  return status;
+  return reload_status;
+}
+
+grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
+  /* Check the peer name if specified. */
+  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
+    char* msg;
+    gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
+    grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+    gpr_free(msg);
+    return error;
+  }
+  return GRPC_ERROR_NONE;
 }
 
 TlsChannelSecurityConnector::TlsChannelSecurityConnector(
@@ -119,15 +146,14 @@ TlsChannelSecurityConnector::TlsChannelSecurityConnector(
     : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
                                       std::move(channel_creds),
                                       std::move(request_metadata_creds)),
-      overridden_target_name_(overridden_target_name == nullptr
-                                  ? nullptr
-                                  : gpr_strdup(overridden_target_name)) {
+      overridden_target_name_(
+          overridden_target_name == nullptr ? "" : overridden_target_name) {
   key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
   check_arg_ = ServerAuthorizationCheckArgCreate(this);
-  grpc_core::StringView host;
-  grpc_core::StringView port;
+  absl::string_view host;
+  absl::string_view port;
   grpc_core::SplitHostPort(target_name, &host, &port);
-  target_name_ = grpc_core::StringViewToCString(host);
+  target_name_ = std::string(host);
 }
 
 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
@@ -151,8 +177,8 @@ void TlsChannelSecurityConnector::add_handshakers(
   tsi_handshaker* tsi_hs = nullptr;
   tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
       client_handshaker_factory_,
-      overridden_target_name_ != nullptr ? overridden_target_name_.get()
-                                         : target_name_.get(),
+      overridden_target_name_.empty() ? target_name_.c_str()
+                                      : overridden_target_name_.c_str(),
       &tsi_hs);
   if (result != TSI_OK) {
     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
@@ -167,9 +193,9 @@ void TlsChannelSecurityConnector::check_peer(
     tsi_peer peer, grpc_endpoint* /*ep*/,
     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
     grpc_closure* on_peer_checked) {
-  const char* target_name = overridden_target_name_ != nullptr
-                                ? overridden_target_name_.get()
-                                : target_name_.get();
+  const char* target_name = overridden_target_name_.empty()
+                                ? target_name_.c_str()
+                                : overridden_target_name_.c_str();
   grpc_error* error = grpc_ssl_check_alpn(&peer);
   if (error != GRPC_ERROR_NONE) {
     grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
@@ -180,6 +206,17 @@ void TlsChannelSecurityConnector::check_peer(
       grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
   const TlsCredentials* creds =
       static_cast<const TlsCredentials*>(channel_creds());
+  if (creds->options().server_verification_option() ==
+      GRPC_TLS_SERVER_VERIFICATION) {
+    /* Do the default host name check if specifying the target name. */
+    error = TlsCheckHostName(target_name, &peer);
+    if (error != GRPC_ERROR_NONE) {
+      grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
+      tsi_peer_destruct(&peer);
+      return;
+    }
+  }
+  /* Do the custom server authorization check, if specified by the user. */
   const grpc_tls_server_authorization_check_config* config =
       creds->options().server_authorization_check_config();
   /* If server authorization config is not null, use it to perform
@@ -235,17 +272,17 @@ int TlsChannelSecurityConnector::cmp(
   if (c != 0) {
     return c;
   }
-  return grpc_ssl_cmp_target_name(target_name_.get(), other->target_name_.get(),
-                                  overridden_target_name_.get(),
-                                  other->overridden_target_name_.get());
+  return grpc_ssl_cmp_target_name(
+      target_name_.c_str(), other->target_name_.c_str(),
+      overridden_target_name_.c_str(), other->overridden_target_name_.c_str());
 }
 
 bool TlsChannelSecurityConnector::check_call_host(
-    grpc_core::StringView host, grpc_auth_context* auth_context,
+    absl::string_view host, grpc_auth_context* auth_context,
     grpc_closure* on_call_host_checked, grpc_error** error) {
-  return grpc_ssl_check_call_host(host, target_name_.get(),
-                                  overridden_target_name_.get(), auth_context,
-                                  on_call_host_checked, error);
+  return grpc_ssl_check_call_host(host, target_name_.c_str(),
+                                  overridden_target_name_.c_str(), auth_context,
+                                  error);
 }
 
 void TlsChannelSecurityConnector::cancel_check_call_host(
@@ -311,17 +348,18 @@ grpc_security_status TlsChannelSecurityConnector::InitializeHandshakerFactory(
       static_cast<const TlsCredentials*>(channel_creds());
   grpc_tls_key_materials_config* key_materials_config =
       creds->options().key_materials_config();
-  /* Copy key materials config from credential options. */
+  // key_materials_config_->set_key_materials will handle the copying of the key
+  // materials users provided
   if (key_materials_config != nullptr) {
-    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
-        key_materials_config->pem_key_cert_pair_list();
-    auto pem_root_certs = grpc_core::UniquePtr<char>(
-        gpr_strdup(key_materials_config->pem_root_certs()));
-    key_materials_config_->set_key_materials(std::move(pem_root_certs),
-                                             std::move(cert_pair_list));
+    key_materials_config_->set_key_materials(
+        key_materials_config->pem_root_certs(),
+        key_materials_config->pem_key_cert_pair_list());
   }
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                            &reload_status) != GRPC_STATUS_OK) {
     /* Raise an error if key materials are not populated. */
@@ -336,6 +374,9 @@ grpc_security_status TlsChannelSecurityConnector::RefreshHandshakerFactory() {
       static_cast<const TlsCredentials*>(channel_creds());
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                            &reload_status) != GRPC_STATUS_OK) {
     return GRPC_SECURITY_ERROR;
@@ -367,14 +408,14 @@ grpc_error* TlsChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
     gpr_asprintf(&msg,
                  "Server authorization check is cancelled by the caller with "
                  "error: %s",
-                 arg->error_details);
+                 arg->error_details->error_details().c_str());
     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
   } else if (arg->status == GRPC_STATUS_OK) {
     /* Server authorization check completed successfully but returned check
      * failure. */
     if (!arg->success) {
       gpr_asprintf(&msg, "Server authorization check failed with error: %s",
-                   arg->error_details);
+                   arg->error_details->error_details().c_str());
       error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
     }
     /* Server authorization check did not complete correctly. */
@@ -382,7 +423,7 @@ grpc_error* TlsChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
     gpr_asprintf(
         &msg,
         "Server authorization check did not finish correctly with error: %s",
-        arg->error_details);
+        arg->error_details->error_details().c_str());
     error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
   }
   gpr_free(msg);
@@ -394,6 +435,7 @@ TlsChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
     void* user_data) {
   grpc_tls_server_authorization_check_arg* arg =
       new grpc_tls_server_authorization_check_arg();
+  arg->error_details = new grpc_tls_error_details();
   arg->cb = ServerAuthorizationCheckDone;
   arg->cb_user_data = user_data;
   arg->status = GRPC_STATUS_OK;
@@ -408,7 +450,7 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
   gpr_free((void*)arg->target_name);
   gpr_free((void*)arg->peer_cert);
   if (arg->peer_cert_full_chain) gpr_free((void*)arg->peer_cert_full_chain);
-  gpr_free((void*)arg->error_details);
+  delete arg->error_details;
   if (arg->destroy_context != nullptr) {
     arg->destroy_context(arg->context);
   }
@@ -516,15 +558,17 @@ grpc_security_status TlsServerSecurityConnector::InitializeHandshakerFactory() {
   grpc_tls_key_materials_config* key_materials_config =
       creds->options().key_materials_config();
   if (key_materials_config != nullptr) {
-    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
-        key_materials_config->pem_key_cert_pair_list();
-    auto pem_root_certs = grpc_core::UniquePtr<char>(
-        gpr_strdup(key_materials_config->pem_root_certs()));
-    key_materials_config_->set_key_materials(std::move(pem_root_certs),
-                                             std::move(cert_pair_list));
+    key_materials_config_->set_key_materials(
+        key_materials_config->pem_root_certs(),
+        key_materials_config->pem_key_cert_pair_list());
   }
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
+   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
+   *  credentials, and an error code if not. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                            &reload_status) != GRPC_STATUS_OK) {
     /* Raise an error if key materials are not populated. */
@@ -539,6 +583,11 @@ grpc_security_status TlsServerSecurityConnector::RefreshHandshakerFactory() {
       static_cast<const TlsServerCredentials*>(server_creds());
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
+   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
+   *  credentials, and an error code if not. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                            &reload_status) != GRPC_STATUS_OK) {
     return GRPC_SECURITY_ERROR;

data/src/core/lib/security/security_connector/tls/tls_security_connector.h

@@ -57,8 +57,7 @@ class TlsChannelSecurityConnector final
 
   int cmp(const grpc_security_connector* other_sc) const override;
 
-  bool check_call_host(grpc_core::StringView host,
-                       grpc_auth_context* auth_context,
+  bool check_call_host(absl::string_view host, grpc_auth_context* auth_context,
                        grpc_closure* on_call_host_checked,
                        grpc_error** error) override;
 
@@ -98,8 +97,8 @@ class TlsChannelSecurityConnector final
 
   grpc_core::Mutex mu_;
   grpc_closure* on_peer_checked_;
-  grpc_core::UniquePtr<char> target_name_;
-  grpc_core::UniquePtr<char> overridden_target_name_;
+  std::string target_name_;
+  std::string overridden_target_name_;
   tsi_ssl_client_handshaker_factory* client_handshaker_factory_ = nullptr;
   grpc_tls_server_authorization_check_arg* check_arg_;
   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
@@ -144,13 +143,40 @@ class TlsServerSecurityConnector final : public grpc_server_security_connector {
   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
 };
 
-// Exposed for testing only.
+// ---- Functions below are exposed for testing only -----------------------
+
+/** The |TlsFetchKeyMaterials| API ensures that |key_materials_config| has a
+ *  non-empty pem-key-cert pair list. This is done as follows:
+ *  - if |options| is equipped with a credential reload config, then this
+ *    methods uses credential reloading to populate |key_materials_config|, and
+ *    afterwards it populates |reload_status| with the status of this operation.
+ *    In particular, any data stored in |key_materials_config| is overwritten.
+ *  - if |options| has no credential reload config, then:
+ *    - if |key_materials_config| already has a non-empty pem-key-cert pair
+ *      list or is called by a client, then the method returns |GRPC_STATUS_OK|.
+ *    - if |key_materials_config| has an empty pem-key-cert pair list and is
+ *      called by a server, then the method return an error code.
+ *
+ *  The arguments are detailed below:
+ *  - key_materials_config: a key materials config that will be populated by the
+ *    method on success; the caller should not pass in nullptr. Any data held by
+ *    the config will be overwritten.
+ *  - options: the TLS credentials options whose credential reloading config
+ *    will be used to populate |key_materials_config|.
+ *  - is_server: true denotes that this method is called by a server, and
+ *    false denotes that this method is called by a client.
+ *  - status: the status of the credential reloading after the method
+ *    returns; the caller should not pass in nullptr. **/
 grpc_status_code TlsFetchKeyMaterials(
     const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
         key_materials_config,
-    const grpc_tls_credentials_options& options, bool server_config,
+    const grpc_tls_credentials_options& options, bool is_server,
     grpc_ssl_certificate_config_reload_status* status);
 
+// TlsCheckHostName checks if |peer_name| matches the identity information
+// contained in |peer|. This is AKA hostname check.
+grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer);
+
 }  // namespace grpc_core
 
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_TLS_TLS_SECURITY_CONNECTOR_H \

data/src/core/lib/security/transport/auth_filters.h

@@ -32,9 +32,4 @@ void grpc_auth_metadata_context_build(
     const grpc_slice& call_method, grpc_auth_context* auth_context,
     grpc_auth_metadata_context* auth_md_context);
 
-void grpc_auth_metadata_context_copy(grpc_auth_metadata_context* from,
-                                     grpc_auth_metadata_context* to);
-
-void grpc_auth_metadata_context_reset(grpc_auth_metadata_context* context);
-
 #endif /* GRPC_CORE_LIB_SECURITY_TRANSPORT_AUTH_FILTERS_H */

data/src/core/lib/security/transport/client_auth_filter.cc

@@ -379,8 +379,7 @@ static void client_auth_start_transport_stream_op_batch(
       GRPC_CALL_STACK_REF(calld->owning_call, "check_call_host");
       GRPC_CLOSURE_INIT(&calld->async_result_closure, on_host_checked, batch,
                         grpc_schedule_on_exec_ctx);
-      grpc_core::StringView call_host(
-          grpc_core::StringViewFromSlice(calld->host));
+      absl::string_view call_host(grpc_core::StringViewFromSlice(calld->host));
       grpc_error* error = GRPC_ERROR_NONE;
       if (chand->security_connector->check_call_host(
               call_host, chand->auth_context.get(),

data/src/core/lib/security/transport/security_handshaker.cc

@@ -559,10 +559,10 @@ RefCountedPtr SecurityHandshakerCreate(
 void SecurityRegisterHandshakerFactories() {
   HandshakerRegistry::RegisterHandshakerFactory(
       false /* at_start */, HANDSHAKER_CLIENT,
-      MakeUnique<ClientSecurityHandshakerFactory>());
+      absl::make_unique<ClientSecurityHandshakerFactory>());
   HandshakerRegistry::RegisterHandshakerFactory(
       false /* at_start */, HANDSHAKER_SERVER,
-      MakeUnique<ServerSecurityHandshakerFactory>());
+      absl::make_unique<ServerSecurityHandshakerFactory>());
 }
 
 }  // namespace grpc_core