[tls] Add a custom listener handshaker for TLS. #12075
Closed
42 commits
647e23c [tls] Add a custom listener handshaker for TLS. (ambuc)
a497d44 [misc] run fix_format (ambuc)
df9dfb2 Merge branch 'master' of github.com:envoyproxy/envoy into custom-hand… (ambuc)
22f2003 [misc] run fix_format (ambuc)
a403972 [ssl] Rename some HandshakerCallbacks methods. (ambuc)
59d5905 [tls] Rename HandOff/HandBack. (ambuc)
2168d8b [misc] run fix_format (ambuc)
44b31b8 [misc] remove comment formatting on PemPasswordCallback, breaking che… (ambuc)
78656cc [misc] fix typo in handshaker_test (ambuc)
2240f09 [tls] omit rwflag argument entirely (ambuc)
e6de2a1 [ssl] Remove unnecessary ctor and max_proto_version (ambuc)
bff00b6 [ssl] initialize() takes a reference (ambuc)
1c2a650 Handshakers now raise Connected as part of OnSuccessCb. (ambuc)
aaae5bf [tls] HandshakerFactory is of category 'envoy.tls_handshakers'. (ambuc)
1266425 [tls] More specific documentation on DoHandshake. (ambuc)
d9db724 [tls] Factory should hold the config message, not context config (ambuc)
48a840e [tls] Introduce a default HandshakerFactoryImpl (ambuc)
32c5095 [tls] requireCertificates as a method on the factory, not the handsha… (ambuc)
3b94f43 [tls] Add test for HandshakerWithOutOfProcessComponent (ambuc)
08e4183 [tls] Clarify guidance on doHandshake() handling nullptrs (ambuc)
0dc6bde Merge branch 'master' of github.com:envoyproxy/envoy into custom-hand… (ambuc)
480e433 [misc] Run fix_format. (ambuc)
61b7d5c [tls] Move SSL into Handshaker and remove extra HandshakerCallbacks m… (ambuc)
508ea7a Merge branch 'master' of github.com:envoyproxy/envoy into custom-hand… (ambuc)
2e21ee8 [tls] Remove ::initialize() method (ambuc)
51ace82 [tls] Add test with example HandshakerImpl demonstrating special case… (ambuc)
5dbb557 Merge branch 'master' of github.com:envoyproxy/envoy into custom-hand… (ambuc)
4e3af18 [tls] handshaker_factory_ must be a reseatable reference (ambuc)
78e3f2f [tls] handshaker_test.cc calls SSL_set_cert_cb in ctor (ambuc)
e4b22fd [api] Remove typed_config stutter (ambuc)
6725f9c Resolved merge conflicts (ambuc)
fad305b [tls] Refactor HandshakerFactory with callback to allow for early val… (ambuc)
36c4d83 [tls] More clarity around Handshaker interface documentation. (ambuc)
7c3020d [misc] Add bssl, rbio, wbio to dictionary. (ambuc)
cb39b1a [misc] Run fix_format. (ambuc)
ed5f209 [tls] Clean up initialization order inside context_config_impl (ambuc)
2c7d3c8 [tls] Rename methods to onSuccessCb/onFailureCb (ambuc)
2d5ec2f [tls] dedup HandshakerMaker with HandshakerFactoryCb (ambuc)
f32acbc [misc] Remove wbio, rbio, bssl from dictionary (ambuc)
18dc2c6 [tls] HandshakerPtr is now a shared_ptr; SslSocketInfo retains access… (ambuc)
c7c40b5 Move HandshakerCallbacks into setCallbacks() (ambuc)
f711e26 [misc] Rename HandshakerPtr to HandshakerSharedPtr (ambuc)
3 changes: 3 additions & 0 deletions
generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls.proto
11 changes: 11 additions & 0 deletions
generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
#pragma once | ||
|
||
#include "envoy/api/api.h" | ||
#include "envoy/common/pure.h" | ||
#include "envoy/config/typed_config.h" | ||
#include "envoy/network/transport_socket.h" | ||
#include "envoy/protobuf/message_validator.h" | ||
#include "envoy/ssl/socket_state.h" | ||
|
||
#include "openssl/ssl.h" | ||
|
||
namespace Envoy { | ||
namespace Ssl { | ||
|
||
class HandshakerCallbacks { | ||
public: | ||
virtual ~HandshakerCallbacks() = default; | ||
|
||
/** | ||
* Called when a handshake is successfully performed. | ||
*/ | ||
virtual void onSuccessCb(SSL* ssl) PURE; | ||
/** | ||
* Called when a handshake fails. | ||
*/ | ||
virtual void onFailureCb() PURE; | ||
}; | ||
|
||
/* | ||
* Interface for a Handshaker which is responsible for owning the | ||
* `bssl::UniquePtr<SSL>` and performing handshakes. | ||
*/ | ||
class Handshaker { | ||
public: | ||
virtual ~Handshaker() = default; | ||
|
||
/** | ||
* Do the handshake. | ||
* | ||
* NB: |state| is a mutable reference. | ||
*/ | ||
virtual Network::PostIoAction doHandshake(SocketState& state) PURE; | ||
|
||
/** | ||
* Set internal pointers to Network::TransportSocketCallbacks and | ||
* Ssl::HandshakerCallbacks. | ||
* Depending on impl, these callbacks can be invoked to access connection | ||
* state, raise connection events, etc. | ||
*/ | ||
virtual void setCallbacks(Network::TransportSocketCallbacks& callbacks, | ||
Ssl::HandshakerCallbacks& handshaker_callbacks) PURE; | ||
|
||
/* | ||
* Access the held SSL object as a ptr. Callsites should handle nullptr | ||
* gracefully. | ||
*/ | ||
virtual SSL* ssl() PURE; | ||
}; | ||
|
||
using HandshakerSharedPtr = std::shared_ptr<Handshaker>; | ||
|
||
class HandshakerFactoryContext { | ||
public: | ||
virtual ~HandshakerFactoryContext() = default; | ||
|
||
/** | ||
* @return reference to the Api object | ||
*/ | ||
virtual Api::Api& api() PURE; | ||
|
||
/** | ||
* The list of supported protocols exposed via ALPN, from ContextConfig. | ||
*/ | ||
virtual absl::string_view alpnProtocols() const PURE; | ||
}; | ||
|
||
using HandshakerFactoryCb = std::function<HandshakerSharedPtr(bssl::UniquePtr<SSL>)>; | ||
|
||
class HandshakerFactory : public Config::TypedFactory { | ||
public: | ||
/** | ||
* @returns a callback (of type HandshakerFactoryCb). Accepts the |config| and | ||
* |validation_visitor| for early config validation. This virtual base doesn't | ||
* perform MessageUtil::downcastAndValidate, but an implementation should. | ||
*/ | ||
virtual HandshakerFactoryCb | ||
createHandshakerCb(const Protobuf::Message& message, | ||
HandshakerFactoryContext& handshaker_factory_context, | ||
ProtobufMessage::ValidationVisitor& validation_visitor) PURE; | ||
|
||
std::string category() const override { return "envoy.tls_handshakers"; } | ||
|
||
/** | ||
* Implementations should return true if the tls context accompanying this | ||
* handshaker expects certificates. | ||
*/ | ||
virtual bool requireCertificates() const PURE; | ||
}; | ||
|
||
} // namespace Ssl | ||
} // namespace Envoy |
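Review bot: The doc comment on Handshaker::doHandshake() says only that |state| is a mutable reference; it does not say which SocketState values an implementation is expected to write, at what point it must invoke onSuccessCb() or onFailureCb(), or what each returned Network::PostIoAction tells the caller. This header is the contract for out-of-tree handshakers, so that behaviour should be written down here rather than inferred from the default implementation. Two smaller points: ssl() and onSuccessCb(SSL*) hand out raw pointers to an object the class comment says the Handshaker owns, and with HandshakerSharedPtr being shared the comment should state how long those pointers remain valid; and the file uses std::shared_ptr, std::function, std::string and absl::string_view while relying on other headers to pull in their declarations, so the corresponding standard and absl headers should be included directly.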
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
#pragma once | ||
|
||
namespace Envoy { | ||
namespace Ssl { | ||
|
||
enum class SocketState { PreHandshake, HandshakeInProgress, HandshakeComplete, ShutdownSent }; | ||
|
||
} // namespace Ssl | ||
} // namespace Envoy |
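Review bot: The four SocketState enumerators are undocumented, and nothing in this file says which transitions between them are legal. Because Handshaker::doHandshake() receives this enum by mutable reference, an extension author needs that written down; add a comment per enumerator and a note on the expected order (PreHandshake, then HandshakeInProgress, then HandshakeComplete, with ShutdownSent last, if that is the intent).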
It seems like we should statically know the lifetime of this, and should be able to use a unique_ptr + references.
What's the alternative here? @lizan pointed out (#12075 (comment)) that the SslSocketInfo struct expects to have access to the SSL object after the connection has been destroyed, for logging purposes. What do you think of explicitly std::move()ing the SSL object from the handshaker to the SslSocketInfo just before ~SslSocket(), perhaps during SslSocket::shutdown()? @antoniovicente
It might make sense for Handshaker to implement Ssl::ConnectionInfo, as the socket info class basically represents the result of the handshake.
Handshaker providing Ssl::ConnectionInfo makes sense.
PTAL @ #12571, I am attempting to move the handshaker behavior into SslSocketInfo before adding an extension point.