RubyGems - grpc - Versions diffs - 1.30.2 → 1.32.0 - Mend

grpc 1.30.2 → 1.32.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (674) hide show

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc CHANGED

@@ -22,10 +22,11 @@
 #include <string.h>
+#include "absl/strings/str_cat.h"
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 #include "src/core/lib/slice/slice_internal.h"
@@ -86,11 +87,10 @@ static grpc_error* process_plugin_result(
     size_t num_md, grpc_status_code status, const char* error_details) {
   grpc_error* error = GRPC_ERROR_NONE;
   if (status != GRPC_STATUS_OK) {
-    char* msg;
-    gpr_asprintf(&msg, "Getting metadata from plugin failed with error: %s",
-                 error_details);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Getting metadata from plugin failed with error: ",
+                     error_details)
+            .c_str());
   } else {
     bool seen_illegal_header = false;
     for (size_t i = 0; i < num_md; ++i) {

data/src/core/lib/security/credentials/ssl/ssl_credentials.cc CHANGED

@@ -117,6 +117,16 @@ void grpc_ssl_credentials::build_config(
   }
 }
+void grpc_ssl_credentials::set_min_tls_version(
+    grpc_tls_version min_tls_version) {
+  config_.min_tls_version = min_tls_version;
+}
+void grpc_ssl_credentials::set_max_tls_version(
+    grpc_tls_version max_tls_version) {
+  config_.max_tls_version = max_tls_version;
+}
 /* Deprecated in favor of grpc_ssl_credentials_create_ex. Will be removed
  * once all of its call sites are migrated to grpc_ssl_credentials_create_ex. */
 grpc_channel_credentials* grpc_ssl_credentials_create(
@@ -213,6 +223,16 @@ void grpc_ssl_server_credentials::build_config(
   config_.num_key_cert_pairs = num_key_cert_pairs;
 }
+void grpc_ssl_server_credentials::set_min_tls_version(
+    grpc_tls_version min_tls_version) {
+  config_.min_tls_version = min_tls_version;
+}
+void grpc_ssl_server_credentials::set_max_tls_version(
+    grpc_tls_version max_tls_version) {
+  config_.max_tls_version = max_tls_version;
+}
 grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
     const char* pem_root_certs,
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,

data/src/core/lib/security/credentials/ssl/ssl_credentials.h CHANGED

@@ -38,6 +38,11 @@ class grpc_ssl_credentials : public grpc_channel_credentials {
       const char* target, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
+  // TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
+  // version should be done for testing purposes only.
+  void set_min_tls_version(grpc_tls_version min_tls_version);
+  void set_max_tls_version(grpc_tls_version max_tls_version);
  private:
   void build_config(const char* pem_root_certs,
                     grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
@@ -77,6 +82,11 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
                                           config);
   }
+  // TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
+  // version should be done for testing purposes only.
+  void set_min_tls_version(grpc_tls_version min_tls_version);
+  void set_max_tls_version(grpc_tls_version max_tls_version);
   const grpc_ssl_server_config& config() const { return config_; }
  private:

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h CHANGED

@@ -264,6 +264,8 @@ struct grpc_tls_credentials_options
   grpc_tls_server_verification_option server_verification_option() const {
     return server_verification_option_;
   }
+  grpc_tls_version min_tls_version() const { return min_tls_version_; }
+  grpc_tls_version max_tls_version() const { return max_tls_version_; }
   grpc_tls_key_materials_config* key_materials_config() const {
     return key_materials_config_.get();
   }
@@ -284,6 +286,12 @@ struct grpc_tls_credentials_options
       const grpc_tls_server_verification_option server_verification_option) {
     server_verification_option_ = server_verification_option;
   }
+  void set_min_tls_version(grpc_tls_version min_tls_version) {
+    min_tls_version_ = min_tls_version;
+  }
+  void set_max_tls_version(grpc_tls_version max_tls_version) {
+    max_tls_version_ = max_tls_version;
+  }
   void set_key_materials_config(
       grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
     key_materials_config_ = std::move(config);
@@ -302,6 +310,8 @@ struct grpc_tls_credentials_options
   grpc_ssl_client_certificate_request_type cert_request_type_;
   grpc_tls_server_verification_option server_verification_option_ =
       GRPC_TLS_SERVER_VERIFICATION;
+  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
   grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
       credential_reload_config_;

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc CHANGED

@@ -22,13 +22,15 @@
 #include <stdbool.h>
+#include "absl/strings/str_cat.h"
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
-#include "src/core/ext/filters/client_channel/xds/xds_channel_args.h"
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
+#include "src/core/ext/xds/xds_channel_args.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/string.h"
@@ -38,7 +40,6 @@
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/fake/fake_credentials.h"
 #include "src/core/lib/security/transport/security_handshaker.h"
-#include "src/core/lib/security/transport/target_authority_table.h"
 #include "src/core/tsi/fake_transport_security.h"
 namespace {
@@ -227,11 +228,10 @@ static void fake_check_peer(
   prop_name = peer.properties[0].name;
   if (prop_name == nullptr ||
       strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
-    char* msg;
-    gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
-                 prop_name == nullptr ? "<EMPTY>" : prop_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Unexpected property in fake peer: ",
+                     prop_name == nullptr ? "<EMPTY>" : prop_name)
+            .c_str());
     goto end;
   }
   if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
@@ -243,11 +243,10 @@ static void fake_check_peer(
   prop_name = peer.properties[1].name;
   if (prop_name == nullptr ||
       strcmp(prop_name, TSI_SECURITY_LEVEL_PEER_PROPERTY) != 0) {
-    char* msg;
-    gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
-                 prop_name == nullptr ? "<EMPTY>" : prop_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Unexpected property in fake peer: ",
+                     prop_name == nullptr ? "<EMPTY>" : prop_name)
+            .c_str());
     goto end;
   }
   if (strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL,

data/src/core/lib/security/security_connector/security_connector.cc CHANGED

@@ -46,6 +46,8 @@ grpc_server_security_connector::grpc_server_security_connector(
     : grpc_security_connector(url_scheme),
       server_creds_(std::move(server_creds)) {}
+grpc_server_security_connector::~grpc_server_security_connector() = default;
 grpc_channel_security_connector::grpc_channel_security_connector(
     const char* url_scheme,
     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,

data/src/core/lib/security/security_connector/security_connector.h CHANGED

@@ -151,7 +151,7 @@ class grpc_server_security_connector : public grpc_security_connector {
   grpc_server_security_connector(
       const char* url_scheme,
       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
-  ~grpc_server_security_connector() override = default;
+  ~grpc_server_security_connector() override;
   virtual void add_handshakers(const grpc_channel_args* args,
                                grpc_pollset_set* interested_parties,

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc CHANGED

@@ -22,17 +22,19 @@
 #include <stdbool.h>
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_format.h"
 #include "absl/strings/string_view.h"
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
@@ -52,11 +54,9 @@ grpc_error* ssl_check_peer(
   }
   /* Check the peer name if specified. */
   if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    char* msg;
-    gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
-    return error;
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
   *auth_context =
       grpc_ssl_peer_to_auth_context(peer, GRPC_SSL_TRANSPORT_SECURITY_TYPE);
@@ -106,6 +106,8 @@ class grpc_ssl_channel_security_connector final
     }
     options.cipher_suites = grpc_get_ssl_cipher_suites();
     options.session_cache = ssl_session_cache;
+    options.min_tls_version = grpc_get_tsi_tls_version(config->min_tls_version);
+    options.max_tls_version = grpc_get_tsi_tls_version(config->max_tls_version);
     const tsi_result result =
         tsi_create_ssl_client_handshaker_factory_with_options(
             &options, &client_handshaker_factory_);
@@ -160,11 +162,10 @@ class grpc_ssl_channel_security_connector final
             verify_options_->verify_peer_callback_userdata);
         gpr_free(peer_pem);
         if (callback_status) {
-          char* msg;
-          gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
-                       callback_status);
-          error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-          gpr_free(msg);
+          error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrFormat("Verify peer callback returned a failure (%d)",
+                              callback_status)
+                  .c_str());
         }
       }
     }
@@ -250,6 +251,10 @@ class grpc_ssl_server_security_connector
       options.cipher_suites = grpc_get_ssl_cipher_suites();
       options.alpn_protocols = alpn_protocol_strings;
       options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+      options.min_tls_version = grpc_get_tsi_tls_version(
+          server_credentials->config().min_tls_version);
+      options.max_tls_version = grpc_get_tsi_tls_version(
+          server_credentials->config().max_tls_version);
       const tsi_result result =
           tsi_create_ssl_server_handshaker_factory_with_options(
               &options, &server_handshaker_factory_);
@@ -302,6 +307,7 @@ class grpc_ssl_server_security_connector
     bool status;
     if (!has_cert_config_fetcher()) return false;
+    grpc_core::MutexLock lock(&mu_);
     grpc_ssl_server_credentials* server_creds =
         static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
     grpc_ssl_certificate_config_reload_status cb_result =
@@ -381,6 +387,7 @@ class grpc_ssl_server_security_connector
     server_handshaker_factory_ = new_factory;
   }
+  grpc_core::Mutex mu_;
   tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
 };
 }  // namespace

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h CHANGED

@@ -33,7 +33,10 @@ struct grpc_ssl_config {
   tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
   char* pem_root_certs;
   verify_peer_options verify_options;
+  grpc_tls_version min_tls_version = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version = grpc_tls_version::TLS1_3;
 };
 /* Creates an SSL channel_security_connector.
    - request_metadata_creds is the credentials object which metadata
      will be sent with each request. This parameter can be NULL.
@@ -62,6 +65,8 @@ struct grpc_ssl_server_config {
   char* pem_root_certs = nullptr;
   grpc_ssl_client_certificate_request_type client_certificate_request =
       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
+  grpc_tls_version min_tls_version = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version = grpc_tls_version::TLS1_3;
 };
 /* Creates an SSL server_security_connector.
    - config is the SSL config to be used for the SSL channel establishment.

data/src/core/lib/security/security_connector/ssl_utils.cc CHANGED

@@ -20,12 +20,13 @@
 #include "src/core/lib/security/security_connector/ssl_utils.h"
+#include <vector>
+#include "absl/strings/str_cat.h"
 #include <grpc/slice_buffer.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
-#include <vector>
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
@@ -67,6 +68,9 @@ static const char* cipher_suites = nullptr;
 // All cipher suites for default are compliant with HTTP2.
 GPR_GLOBAL_CONFIG_DEFINE_STRING(
     grpc_ssl_cipher_suites,
+    "TLS_AES_128_GCM_SHA256:"
+    "TLS_AES_256_GCM_SHA384:"
+    "TLS_CHACHA20_POLY1305_SHA256:"
     "ECDHE-ECDSA-AES128-GCM-SHA256:"
     "ECDHE-ECDSA-AES256-GCM-SHA384:"
     "ECDHE-RSA-AES128-GCM-SHA256:"
@@ -134,6 +138,18 @@ grpc_get_tsi_client_certificate_request_type(
   }
 }
+tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
+  switch (tls_version) {
+    case grpc_tls_version::TLS1_2:
+      return tsi_tls_version::TSI_TLS1_2;
+    case grpc_tls_version::TLS1_3:
+      return tsi_tls_version::TSI_TLS1_3;
+    default:
+      gpr_log(GPR_INFO, "Falling back to TLS 1.2.");
+      return tsi_tls_version::TSI_TLS1_2;
+  }
+}
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
 #if TSI_OPENSSL_ALPN_SUPPORT
   /* Check the ALPN if ALPN is supported. */
@@ -155,12 +171,9 @@ grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
                                      const tsi_peer* peer) {
   /* Check the peer name if specified. */
   if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    char* msg;
-    gpr_asprintf(&msg, "Peer name %s is not in peer certificate",
-                 peer_name.data());
-    grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
-    return error;
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
   return GRPC_ERROR_NONE;
 }
@@ -257,7 +270,8 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
       transport_security_type);
   const char* spiffe_data = nullptr;
   size_t spiffe_length = 0;
-  int spiffe_id_count = 0;
+  int uri_count = 0;
+  bool has_spiffe_id = false;
   for (i = 0; i < peer->property_count; i++) {
     const tsi_peer_property* prop = &peer->properties[i];
     if (prop->name == nullptr) continue;
@@ -290,11 +304,12 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
           ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
           prop->value.data, prop->value.length);
     } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
+      uri_count++;
       absl::string_view spiffe_id(prop->value.data, prop->value.length);
       if (IsSpiffeId(spiffe_id)) {
         spiffe_data = prop->value.data;
         spiffe_length = prop->value.length;
-        spiffe_id_count += 1;
+        has_spiffe_id = true;
       }
     }
   }
@@ -302,16 +317,17 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
     GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
                    ctx.get(), peer_identity_property_name) == 1);
   }
-  // SPIFFE ID should be unique. If we find more than one SPIFFE IDs, we log
-  // the error without returning the error.
-  if (spiffe_id_count > 1) {
-    gpr_log(GPR_INFO, "Invalid SPIFFE ID: SPIFFE ID should be unique.");
-  }
-  if (spiffe_id_count == 1) {
-    GPR_ASSERT(spiffe_length > 0);
-    GPR_ASSERT(spiffe_data != nullptr);
-    grpc_auth_context_add_property(ctx.get(), GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
-                                   spiffe_data, spiffe_length);
+  // A valid SPIFFE certificate can only have exact one URI SAN field.
+  if (has_spiffe_id) {
+    if (uri_count == 1) {
+      GPR_ASSERT(spiffe_length > 0);
+      GPR_ASSERT(spiffe_data != nullptr);
+      grpc_auth_context_add_property(ctx.get(),
+                                     GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
+                                     spiffe_data, spiffe_length);
+    } else {
+      gpr_log(GPR_INFO, "Invalid SPIFFE ID: multiple URI SANs.");
+    }
   }
   return ctx;
 }
@@ -373,8 +389,8 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
-    bool skip_server_certificate_verification,
-    tsi_ssl_session_cache* ssl_session_cache,
+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
   const char* root_certs;
   const tsi_ssl_root_certs_store* root_store;
@@ -406,6 +422,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
   options.session_cache = ssl_session_cache;
   options.skip_server_certificate_verification =
       skip_server_certificate_verification;
+  options.min_tls_version = min_tls_version;
+  options.max_tls_version = max_tls_version;
   const tsi_result result =
       tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                             handshaker_factory);
@@ -422,6 +440,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -435,6 +454,8 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.cipher_suites = grpc_get_ssl_cipher_suites();
   options.alpn_protocols = alpn_protocol_strings;
   options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+  options.min_tls_version = min_tls_version;
+  options.max_tls_version = max_tls_version;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

data/src/core/lib/security/security_connector/ssl_utils.h CHANGED

@@ -73,6 +73,9 @@ grpc_get_tsi_client_certificate_request_type(
 grpc_security_level grpc_tsi_security_level_string_to_enum(
     const char* security_level);
+/* Map grpc_tls_version to tsi_tls_version. */
+tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);
 /* Map grpc_security_level enum to a string. */
 const char* grpc_security_level_to_string(grpc_security_level security_level);
@@ -86,14 +89,15 @@ const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 /* Initialize TSI SSL server/client handshaker factory. */
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
-    bool skip_server_certificate_verification,
-    tsi_ssl_session_cache* ssl_session_cache,
+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 /* Exposed for testing only. */