Line data    Source code

       1             : #pragma once
       2             : 
       3             : #include <array>
       4             : #include <chrono>
       5             : #include <functional>
       6             : #include <string>
       7             : #include <vector>
       8             : 
       9             : #include "envoy/common/pure.h"
      10             : #include "envoy/ssl/certificate_validation_context_config.h"
      11             : #include "envoy/ssl/handshaker.h"
      12             : #include "envoy/ssl/tls_certificate_config.h"
      13             : 
      14             : #include "source/common/network/cidr_range.h"
      15             : 
      16             : #include "absl/types/optional.h"
      17             : 
      18             : namespace Envoy {
      19             : namespace Ssl {
      20             : 
      21             : /**
      22             :  * Supplies the configuration for an SSL context.
      23             :  */
      24             : class ContextConfig {
      25             : public:
      26           0 :   virtual ~ContextConfig() = default;
      27             : 
      28             :   /**
      29             :    * The list of supported protocols exposed via ALPN. Client connections will send these
      30             :    * protocols to the server. Server connections will use these protocols to select the next
      31             :    * protocol if the client supports ALPN.
      32             :    */
      33             :   virtual const std::string& alpnProtocols() const PURE;
      34             : 
      35             :   /**
      36             :    * The ':' delimited list of supported cipher suites
      37             :    */
      38             :   virtual const std::string& cipherSuites() const PURE;
      39             : 
      40             :   /**
      41             :    * The ':' delimited list of supported ECDH curves.
      42             :    */
      43             :   virtual const std::string& ecdhCurves() const PURE;
      44             : 
      45             :   /**
      46             :    * The ':' delimited list of supported signature algorithms.
      47             :    * See https://www.rfc-editor.org/rfc/rfc8446#page-41 for the names.
      48             :    */
      49             :   virtual const std::string& signatureAlgorithms() const PURE;
      50             : 
      51             :   /**
      52             :    * @return std::vector<std::reference_wrapper<const TlsCertificateConfig>> TLS
      53             :    * certificate configs.
      54             :    */
      55             :   virtual std::vector<std::reference_wrapper<const TlsCertificateConfig>>
      56             :   tlsCertificates() const PURE;
      57             : 
      58             :   /**
      59             :    * @return CertificateValidationContextConfig the certificate validation context config.
      60             :    */
      61             :   virtual const CertificateValidationContextConfig* certificateValidationContext() const PURE;
      62             : 
      63             :   /**
      64             :    * @return The minimum TLS protocol version to negotiate.
      65             :    */
      66             :   virtual unsigned minProtocolVersion() const PURE;
      67             : 
      68             :   /**
      69             :    * @return The maximum TLS protocol version to negotiate.
      70             :    */
      71             :   virtual unsigned maxProtocolVersion() const PURE;
      72             : 
      73             :   /**
      74             :    * @return true if the ContextConfig is able to provide secrets to create SSL context,
      75             :    * and false if dynamic secrets are expected but are not downloaded from SDS server yet.
      76             :    */
      77             :   virtual bool isReady() const PURE;
      78             : 
      79             :   /**
      80             :    * Add secret callback into context config. When dynamic secrets are in use and new secrets
      81             :    * are downloaded from SDS server, this callback is invoked to update SSL context.
      82             :    * @param callback callback that is executed by context config.
      83             :    */
      84             :   virtual void setSecretUpdateCallback(std::function<void()> callback) PURE;
      85             : 
      86             :   /**
      87             :    * @return a callback which can be used to create Handshaker instances.
      88             :    */
      89             :   virtual HandshakerFactoryCb createHandshaker() const PURE;
      90             : 
      91             :   /**
      92             :    * @return the set of capabilities for handshaker instances created by this context.
      93             :    */
      94             :   virtual HandshakerCapabilities capabilities() const PURE;
      95             : 
      96             :   /**
      97             :    * @return a callback for configuring an SSL_CTX before use.
      98             :    */
      99             :   virtual SslCtxCb sslctxCb() const PURE;
     100             : 
     101             :   /**
     102             :    * @return the TLS key log local filter.
     103             :    */
     104             :   virtual const Network::Address::IpList& tlsKeyLogLocal() const PURE;
     105             : 
     106             :   /**
     107             :    * @return the TLS key log remote filter.
     108             :    */
     109             :   virtual const Network::Address::IpList& tlsKeyLogRemote() const PURE;
     110             : 
     111             :   /**
     112             :    * @return the TLS key log path
     113             :    */
     114             :   virtual const std::string& tlsKeyLogPath() const PURE;
     115             : 
     116             :   /**
     117             :    * @return the access log manager object reference
     118             :    */
     119             :   virtual AccessLog::AccessLogManager& accessLogManager() const PURE;
     120             : };
     121             : 
     122             : class ClientContextConfig : public virtual ContextConfig {
     123             : public:
     124             :   /**
     125             :    * @return The server name indication if it's set and ssl enabled
     126             :    * Otherwise, ""
     127             :    */
     128             :   virtual const std::string& serverNameIndication() const PURE;
     129             : 
     130             :   /**
     131             :    * @return true if server-initiated TLS renegotiation will be allowed.
     132             :    */
     133             :   virtual bool allowRenegotiation() const PURE;
     134             : 
     135             :   /**
     136             :    * @return The maximum number of session keys to store.
     137             :    */
     138             :   virtual size_t maxSessionKeys() const PURE;
     139             : 
     140             :   /**
     141             :    * @return true if the enforcement that handshake will fail if the keyUsage extension is present
     142             :    * and incompatible with the TLS usage is enabled.
     143             :    */
     144             :   virtual bool enforceRsaKeyUsage() const PURE;
     145             : };
     146             : 
     147             : using ClientContextConfigPtr = std::unique_ptr<ClientContextConfig>;
     148             : 
     149             : class ServerContextConfig : public virtual ContextConfig {
     150             : public:
     151             :   struct SessionTicketKey {
     152             :     std::array<uint8_t, 16> name_;         // 16 == SSL_TICKET_KEY_NAME_LEN
     153             :     std::array<uint8_t, 32> hmac_key_;     // 32 == SHA256_DIGEST_LENGTH
     154             :     std::array<uint8_t, 256 / 8> aes_key_; // AES256 key size, in bytes
     155             :   };
     156             : 
     157             :   enum class OcspStaplePolicy {
     158             :     LenientStapling,
     159             :     StrictStapling,
     160             :     MustStaple,
     161             :   };
     162             : 
     163             :   /**
     164             :    * @return True if client certificate is required, false otherwise.
     165             :    */
     166             :   virtual bool requireClientCertificate() const PURE;
     167             : 
     168             :   /**
     169             :    * @return OcspStaplePolicy The rule for determining whether to staple OCSP
     170             :    * responses on new connections.
     171             :    */
     172             :   virtual OcspStaplePolicy ocspStaplePolicy() const PURE;
     173             : 
     174             :   /**
     175             :    * @return The keys to use for encrypting and decrypting session tickets.
     176             :    * The first element is used for encrypting new tickets, and all elements
     177             :    * are candidates for decrypting received tickets.
     178             :    */
     179             :   virtual const std::vector<SessionTicketKey>& sessionTicketKeys() const PURE;
     180             : 
     181             :   /**
     182             :    * @return timeout in seconds for the session.
     183             :    * Session timeout is used to specify lifetime hint of tls tickets.
     184             :    */
     185             :   virtual absl::optional<std::chrono::seconds> sessionTimeout() const PURE;
     186             : 
     187             :   /**
     188             :    * @return True if stateless TLS session resumption is disabled, false otherwise.
     189             :    */
     190             :   virtual bool disableStatelessSessionResumption() const PURE;
     191             : 
     192             :   /**
     193             :    * @return True if stateful TLS session resumption is disabled, false otherwise.
     194             :    */
     195             :   virtual bool disableStatefulSessionResumption() const PURE;
     196             : 
     197             :   /**
     198             :    * @return True if we allow full scan certificates when there is no cert matching SNI during
     199             :    * downstream TLS handshake, false otherwise.
     200             :    */
     201             :   virtual bool fullScanCertsOnSNIMismatch() const PURE;
     202             : };
     203             : 
     204             : using ServerContextConfigPtr = std::unique_ptr<ServerContextConfig>;
     205             : 
     206             : } // namespace Ssl
     207             : } // namespace Envoy