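#pragma once

#include <chrono>
#include <cstdint>
#include <string>
#include <vector>

#include "envoy/network/connection.h"
#include "envoy/network/transport_socket.h"
#include "envoy/secret/secret_callbacks.h"
#include "envoy/ssl/handshaker.h"
#include "envoy/ssl/private_key/private_key_callbacks.h"
#include "envoy/ssl/ssl_socket_extended_info.h"
#include "envoy/ssl/ssl_socket_state.h"
#include "envoy/stats/scope.h"
#include "envoy/stats/stats_macros.h"

#include "source/common/common/logger.h"
#include "source/common/network/transport_socket_options_impl.h"
#include "source/extensions/transport_sockets/tls/context_impl.h"
#include "source/extensions/transport_sockets/tls/ssl_handshaker.h"
#include "source/extensions/transport_sockets/tls/utility.h"

#include "absl/container/node_hash_map.h"
#include "absl/strings/string_view.h"
#include "absl/synchronization/mutex.h"
#include "absl/types/optional.h"
#include "openssl/ssl.h"

namespace Envoy {
namespace Extensions {
namespace TransportSockets {
namespace Tls {

/**
 * Counters emitted by the TLS socket factories.
 * ssl_context_update_by_sds: the factory replaced its cached SSL context after a
 *   secret (SDS) update.
 * {upstream,downstream}_context_secrets_not_ready: a socket was requested while the
 *   factory had no usable context yet (presumably because its secrets had not been
 *   delivered); the socket created in that case cannot carry TLS traffic.
 */
#define ALL_SSL_SOCKET_FACTORY_STATS(COUNTER)                                                    \
  COUNTER(ssl_context_update_by_sds)                                                             \
  COUNTER(upstream_context_secrets_not_ready)                                                    \
  COUNTER(downstream_context_secrets_not_ready)

/**
 * Wrapper struct for SSL socket factory stats. @see stats_macros.h
 */
struct SslSocketFactoryStats {
  ALL_SSL_SOCKET_FACTORY_STATS(GENERATE_COUNTER_STRUCT)
};

/**
 * Which side of the TLS handshake the socket drives: Client initiates, Server accepts.
 */
enum class InitialState { Client, Server };

/**
 * Network::TransportSocket implementation that terminates or originates TLS on a
 * connection. The handshake itself is delegated to a handshaker created from
 * `handshaker_factory_cb` (held in `info_`); this class receives the handshaker's
 * completion callbacks (Ssl::HandshakeCallbacks) and the asynchronous private-key
 * operation callbacks (Ssl::PrivateKeyConnectionCallbacks), and performs the
 * read/write/close plumbing on the SSL object.
 */
class SslSocket : public Network::TransportSocket,
                  public Envoy::Ssl::PrivateKeyConnectionCallbacks,
                  public Ssl::HandshakeCallbacks,
                  protected Logger::Loggable<Logger::Id::connection> {
public:
  /**
   * @param ctx the SSL context the socket's SSL object is created from.
   * @param state whether this socket acts as the TLS client or server.
   * @param transport_socket_options per-connection options (e.g. SNI/ALPN overrides);
   *        kept for the socket's lifetime.
   * @param handshaker_factory_cb creates the handshaker that owns the SSL object and
   *        drives the handshake state machine.
   */
  SslSocket(Envoy::Ssl::ContextSharedPtr ctx, InitialState state,
            const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options,
            Ssl::HandshakerFactoryCb handshaker_factory_cb);

  // Network::TransportSocket
  void setTransportSocketCallbacks(Network::TransportSocketCallbacks& callbacks) override;
  std::string protocol() const override;
  absl::string_view failureReason() const override;
  // A close_notify can only be flushed on a fully established TLS session; before the
  // handshake has completed there is nothing meaningful to flush.
  bool canFlushClose() override { return info_->state() == Ssl::SocketState::HandshakeComplete; }
  void closeSocket(Network::ConnectionEvent close_type) override;
  Network::IoResult doRead(Buffer::Instance& read_buffer) override;
  Network::IoResult doWrite(Buffer::Instance& write_buffer, bool end_stream) override;
  void onConnected() override;
  Ssl::ConnectionInfoConstSharedPtr ssl() const override;
  // This socket is TLS from the first byte; it never upgrades an already-open
  // plaintext connection in place, so the request is always refused.
  bool startSecureTransport() override { return false; }
  // Intentionally a no-op: the TLS layer does not tune the underlying transport.
  void configureInitialCongestionWindow(uint64_t, std::chrono::microseconds) override {}
  // Ssl::PrivateKeyConnectionCallbacks
  void onPrivateKeyMethodComplete() override;
  // Ssl::HandshakeCallbacks
  Network::Connection& connection() const override;
  void onSuccess(SSL* ssl) override;
  void onFailure() override;
  Network::TransportSocketCallbacks* transportSocketCallbacks() override { return callbacks_; }
  void onAsynchronousCertValidationComplete() override;

  // Test-only access to the underlying SSL object. Production code must go through the
  // Ssl::ConnectionInfo returned by ssl() rather than the raw handle.
  SSL* rawSslForTest() const { return rawSsl(); }

protected:
  // The SSL object is owned by the handshaker, not by this socket.
  SSL* rawSsl() const { return info_->ssl(); }

private:
  /**
   * Outcome of a single SSL_read into one buffer slice.
   */
  struct ReadResult {
    // Bytes copied into the slice by this read.
    uint64_t bytes_read_{0};
    // Set when the read stopped with an SSL error code; empty on a clean read.
    absl::optional<int> error_;
  };
  ReadResult sslReadIntoSlice(Buffer::RawSlice& slice);

  Network::PostIoAction doHandshake();
  void drainErrorQueue();
  // Graceful close: sends close_notify before tearing the session down.
  void shutdownSsl();
  // Tear-down without the close_notify exchange.
  void shutdownBasic();
  void resumeHandshake();

  const Network::TransportSocketOptionsConstSharedPtr transport_socket_options_;
  // Non-owning; installed via setTransportSocketCallbacks() and handed back to the
  // handshaker through transportSocketCallbacks(). The owning connection is expected
  // to outlive this socket.
  Network::TransportSocketCallbacks* callbacks_{};
  ContextImplSharedPtr ctx_;
  // NOTE(review): presumably the size of the pending write that must be retried with
  // the same arguments after a partial SSL_write — confirm against doWrite().
  uint64_t bytes_to_retry_{};
  // Human-readable reason for the last failure, surfaced through failureReason().
  std::string failure_reason_;

  // Handshaker that owns the SSL object and tracks the Ssl::SocketState.
  SslHandshakerImplSharedPtr info_;
};

/**
 * Factory for upstream (client-side) TLS sockets. Registers as a
 * Secret::SecretCallbacks so that an SDS update can rebuild the cached client
 * context; the context is swapped under `ssl_ctx_mu_` so concurrent
 * createTransportSocket() callers always observe a complete context.
 */
class ClientSslSocketFactory : public Network::CommonUpstreamTransportSocketFactory,
                               public Secret::SecretCallbacks,
                               Logger::Loggable<Logger::Id::config> {
public:
  /**
   * @param config the client context configuration; owned by the factory.
   * @param manager context manager used to build and refresh the SSL context.
   * @param stats_scope scope the SslSocketFactoryStats counters are created in.
   */
  ClientSslSocketFactory(Envoy::Ssl::ClientContextConfigPtr config,
                         Envoy::Ssl::ContextManager& manager, Stats::Scope& stats_scope);

  ~ClientSslSocketFactory() override;

  Network::TransportSocketPtr
  createTransportSocket(Network::TransportSocketOptionsConstSharedPtr options,
                        Upstream::HostDescriptionConstSharedPtr) const override;
  bool implementsSecureTransport() const override;
  // SNI used when the transport socket options do not override it.
  absl::string_view defaultServerNameIndication() const override {
    return clientContextConfig()->serverNameIndication();
  }
  bool supportsAlpn() const override { return true; }

  // Secret::SecretCallbacks
  void onAddOrUpdateSecret() override;

  OptRef<const Ssl::ClientContextConfig> clientContextConfig() const override { return {*config_}; }

  Envoy::Ssl::ClientContextSharedPtr sslCtx() override;

private:
  Envoy::Ssl::ContextManager& manager_;
  Stats::Scope& stats_scope_;
  SslSocketFactoryStats stats_;
  Envoy::Ssl::ClientContextConfigPtr config_;
  // `mutable` so the const createTransportSocket()/sslCtx() readers can take the lock
  // while onAddOrUpdateSecret() replaces ssl_ctx_.
  mutable absl::Mutex ssl_ctx_mu_;
  Envoy::Ssl::ClientContextSharedPtr ssl_ctx_ ABSL_GUARDED_BY(ssl_ctx_mu_);
};

/**
 * Factory for downstream (server-side) TLS sockets. Like the client factory it
 * refreshes its cached server context on SDS updates under `ssl_ctx_mu_`.
 */
class ServerSslSocketFactory : public Network::DownstreamTransportSocketFactory,
                               public Secret::SecretCallbacks,
                               Logger::Loggable<Logger::Id::config> {
public:
  /**
   * @param config the server context configuration; owned by the factory.
   * @param manager context manager used to build and refresh the SSL context.
   * @param stats_scope scope the SslSocketFactoryStats counters are created in.
   * @param server_names SNI names this factory serves; copied into server_names_.
   */
  ServerSslSocketFactory(Envoy::Ssl::ServerContextConfigPtr config,
                         Envoy::Ssl::ContextManager& manager, Stats::Scope& stats_scope,
                         const std::vector<std::string>& server_names);

  ~ServerSslSocketFactory() override;

  Network::TransportSocketPtr createDownstreamTransportSocket() const override;
  bool implementsSecureTransport() const override;

  // Secret::SecretCallbacks
  void onAddOrUpdateSecret() override;

private:
  Ssl::ContextManager& manager_;
  Stats::Scope& stats_scope_;
  SslSocketFactoryStats stats_;
  Envoy::Ssl::ServerContextConfigPtr config_;
  const std::vector<std::string> server_names_;
  // `mutable` so the const createDownstreamTransportSocket() reader can take the lock
  // while onAddOrUpdateSecret() replaces ssl_ctx_.
  mutable absl::Mutex ssl_ctx_mu_;
  Envoy::Ssl::ServerContextSharedPtr ssl_ctx_ ABSL_GUARDED_BY(ssl_ctx_mu_);
};

} // namespace Tls
} // namespace TransportSockets
} // namespace Extensions
} // namespace Envoy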