1 | | #pragma once |
2 | | |
#include <array>
#include <chrono>
#include <cstdint>
#include <functional>
#include <memory>
#include <string>
#include <vector>

#include "envoy/common/pure.h"
#include "envoy/ssl/certificate_validation_context_config.h"
#include "envoy/ssl/handshaker.h"
#include "envoy/ssl/tls_certificate_config.h"

#include "source/common/network/cidr_range.h"

#include "absl/status/status.h"
#include "absl/types/optional.h"
17 | | |
18 | | namespace Envoy { |
19 | | namespace Ssl { |
20 | | |
/**
 * Supplies the configuration for an SSL context.
 *
 * Pure interface. Implementations hold the parsed TLS settings (ALPN, cipher suites, curves,
 * signature algorithms, protocol version bounds, certificates, validation context, key-log
 * settings) from which an SSL context is built. Several accessors return references; the
 * referenced objects are expected to outlive their use by the caller (not enforced by this
 * interface — confirm with the concrete implementation).
 */
class ContextConfig {
public:
  virtual ~ContextConfig() = default;

  /**
   * The list of supported protocols exposed via ALPN. Client connections will send these
   * protocols to the server. Server connections will use these protocols to select the next
   * protocol if the client supports ALPN.
   */
  virtual const std::string& alpnProtocols() const PURE;

  /**
   * The ':' delimited list of supported cipher suites.
   * The syntax and the set of accepted names are presumably those of the underlying TLS
   * library's cipher-list parser — confirm against the implementation that consumes this string.
   */
  virtual const std::string& cipherSuites() const PURE;

  /**
   * The ':' delimited list of supported ECDH curves.
   */
  virtual const std::string& ecdhCurves() const PURE;

  /**
   * The ':' delimited list of supported signature algorithms.
   * See https://www.rfc-editor.org/rfc/rfc8446#page-41 for the names.
   */
  virtual const std::string& signatureAlgorithms() const PURE;

  /**
   * @return std::vector<std::reference_wrapper<const TlsCertificateConfig>> TLS
   * certificate configs. The vector is returned by value but its elements only reference
   * configs owned elsewhere; they must not be kept beyond the lifetime of this object.
   */
  virtual std::vector<std::reference_wrapper<const TlsCertificateConfig>>
  tlsCertificates() const PURE;

  /**
   * @return CertificateValidationContextConfig the certificate validation context config.
   * The pointer return permits nullptr (presumably when no validation context is configured,
   * i.e. no peer certificate verification settings — confirm with the implementation), so callers
   * must check before dereferencing.
   */
  virtual const CertificateValidationContextConfig* certificateValidationContext() const PURE;

  /**
   * @return The minimum TLS protocol version to negotiate. The numeric encoding is not fixed by
   * this interface; it is presumably the TLS library's version constant — confirm with the
   * implementation.
   */
  virtual unsigned minProtocolVersion() const PURE;

  /**
   * @return The maximum TLS protocol version to negotiate, in the same encoding as
   * minProtocolVersion().
   */
  virtual unsigned maxProtocolVersion() const PURE;

  /**
   * @return true if the ContextConfig is able to provide secrets to create SSL context,
   * and false if dynamic secrets are expected but are not downloaded from SDS server yet.
   */
  virtual bool isReady() const PURE;

  /**
   * Add secret callback into context config. When dynamic secrets are in use and new secrets
   * are downloaded from SDS server, this callback is invoked to update SSL context.
   * @param callback callback that is executed by context config. Its absl::Status return
   * reports whether the context update succeeded; how a failure is handled is up to the
   * implementation.
   */
  virtual void setSecretUpdateCallback(std::function<absl::Status()> callback) PURE;

  /**
   * @return a callback which can be used to create Handshaker instances.
   */
  virtual HandshakerFactoryCb createHandshaker() const PURE;

  /**
   * @return the set of capabilities for handshaker instances created by this context.
   */
  virtual HandshakerCapabilities capabilities() const PURE;

  /**
   * @return a callback for configuring an SSL_CTX before use.
   * The callback operates on the raw context and can therefore change settings that the
   * accessors above describe; reviewers should treat it as part of the effective TLS policy.
   */
  virtual SslCtxCb sslctxCb() const PURE;

  /**
   * @return the TLS key log local filter: the local addresses (an IpList of CIDR ranges) for
   * which TLS session secrets are written to the key log. Key logging exposes the material
   * needed to decrypt captured traffic, so the filter should be as narrow as possible.
   */
  virtual const Network::Address::IpList& tlsKeyLogLocal() const PURE;

  /**
   * @return the TLS key log remote filter: the remote addresses (an IpList of CIDR ranges) for
   * which TLS session secrets are written to the key log. Same caution as tlsKeyLogLocal().
   */
  virtual const Network::Address::IpList& tlsKeyLogRemote() const PURE;

  /**
   * @return the TLS key log path. The file at this path receives session secrets when the
   * local/remote filters match, so it must be protected like any other key material
   * (restrictive permissions, not on a shared volume).
   */
  virtual const std::string& tlsKeyLogPath() const PURE;

  /**
   * @return the access log manager object reference
   * (presumably used for writing the TLS key log file — confirm with the implementation).
   */
  virtual AccessLog::AccessLogManager& accessLogManager() const PURE;
};
121 | | |
/**
 * Configuration specific to client-side SSL contexts, in addition to the common ContextConfig.
 */
class ClientContextConfig : public virtual ContextConfig {
public:
  /**
   * @return The server name indication if it's set and ssl enabled
   * Otherwise, "".
   * This is the hostname sent in the ClientHello's SNI extension.
   */
  virtual const std::string& serverNameIndication() const PURE;

  /**
   * @return true if server-initiated TLS renegotiation will be allowed.
   * Renegotiation is a legacy feature (removed in TLS 1.3); allowing it widens the attack
   * surface, so it should only be enabled for peers that actually require it.
   */
  virtual bool allowRenegotiation() const PURE;

  /**
   * @return The maximum number of session keys to store
   * (presumably for session resumption — confirm with the implementation).
   */
  virtual size_t maxSessionKeys() const PURE;

  /**
   * @return true if the handshake must fail when the peer certificate carries a keyUsage
   * extension that is incompatible with how its RSA key is used in the handshake; false if
   * such certificates are accepted anyway.
   */
  virtual bool enforceRsaKeyUsage() const PURE;
};
146 | | |
// Owning handle for a ClientContextConfig.
using ClientContextConfigPtr = std::unique_ptr<ClientContextConfig>;
148 | | |
/**
 * Configuration specific to server-side SSL contexts, in addition to the common ContextConfig.
 */
class ServerContextConfig : public virtual ContextConfig {
public:
  /**
   * Raw key material for one TLS session ticket key. The fixed sizes mirror the TLS library
   * constants named in the trailing comments and must match them exactly. The struct holds
   * secrets in plain memory; implementations decide how it is loaded and must keep it out of
   * logs and error messages.
   */
  struct SessionTicketKey {
    std::array<uint8_t, 16> name_;         // 16 == SSL_TICKET_KEY_NAME_LEN
    std::array<uint8_t, 32> hmac_key_;     // 32 == SHA256_DIGEST_LENGTH
    std::array<uint8_t, 256 / 8> aes_key_; // AES256 key size, in bytes
  };

  /**
   * Rule for stapling OCSP responses on new connections. Judging by the names the values run
   * from most to least permissive; the exact semantics are defined by the server context
   * implementation — confirm there.
   */
  enum class OcspStaplePolicy {
    LenientStapling,
    StrictStapling,
    MustStaple,
  };

  /**
   * @return True if client certificate is required, false otherwise.
   */
  virtual bool requireClientCertificate() const PURE;

  /**
   * @return OcspStaplePolicy The rule for determining whether to staple OCSP
   * responses on new connections.
   */
  virtual OcspStaplePolicy ocspStaplePolicy() const PURE;

  /**
   * @return The keys to use for encrypting and decrypting session tickets.
   * The first element is used for encrypting new tickets, and all elements
   * are candidates for decrypting received tickets. Because every listed key can still
   * decrypt, a ticket is only invalidated once its key has been rotated out of this list.
   */
  virtual const std::vector<SessionTicketKey>& sessionTicketKeys() const PURE;

  /**
   * @return timeout in seconds for the session, or absl::nullopt
   * (presumably when no timeout is configured — confirm with the implementation).
   * Session timeout is used to specify lifetime hint of tls tickets.
   */
  virtual absl::optional<std::chrono::seconds> sessionTimeout() const PURE;

  /**
   * @return True if stateless TLS session resumption (session tickets) is disabled,
   * false otherwise.
   */
  virtual bool disableStatelessSessionResumption() const PURE;

  /**
   * @return True if stateful TLS session resumption (server-side session cache) is disabled,
   * false otherwise.
   */
  virtual bool disableStatefulSessionResumption() const PURE;

  /**
   * @return True if we allow full scan certificates when there is no cert matching SNI during
   * downstream TLS handshake, false otherwise.
   */
  virtual bool fullScanCertsOnSNIMismatch() const PURE;

  /**
   * @return true if the client cipher preference is enabled (the client's cipher order is
   * honoured instead of the server's), false otherwise.
   */
  virtual bool preferClientCiphers() const PURE;

  /**
   * @return a factory which can be used to create TLS context provider instances.
   */
  virtual TlsCertificateSelectorFactory tlsCertificateSelectorFactory() const PURE;
};
213 | | |
// Owning handle for a ServerContextConfig.
using ServerContextConfigPtr = std::unique_ptr<ServerContextConfig>;
215 | | |
216 | | } // namespace Ssl |
217 | | } // namespace Envoy |