envoyproxy · ggreenway · Jan 26, 2021 · Jan 20, 2021 · Jan 23, 2021 · Jan 23, 2021
diff --git a/source/extensions/quic_listeners/quiche/BUILD b/source/extensions/quic_listeners/quiche/BUILD
@@ -107,6 +107,7 @@ envoy_cc_library(
         ":envoy_quic_proof_verifier_base_lib",
         ":envoy_quic_utils_lib",
         "//source/extensions/transport_sockets/tls:context_lib",
+        "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
     ],
 )
 

diff --git a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc
@@ -36,7 +36,8 @@ quic::QuicAsyncStatus EnvoyQuicProofVerifier::VerifyCertChain(
       quic::CertificateView::ParseSingleCertificate(certs[0]);
   ASSERT(cert_view != nullptr);
   for (const absl::string_view& config_san : cert_view->subject_alt_name_domains()) {
-    if (Extensions::TransportSockets::Tls::ContextImpl::dnsNameMatch(hostname, config_san)) {
+    if (Extensions::TransportSockets::Tls::DefaultCertValidator::dnsNameMatch(hostname,
+                                                                              config_san)) {
       return quic::QUIC_SUCCESS;
     }
   }

diff --git a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h
@@ -1,6 +1,7 @@
 #pragma once
 
 #include "extensions/quic_listeners/quiche/envoy_quic_proof_verifier_base.h"
+#include "extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include "extensions/transport_sockets/tls/context_impl.h"
 
 namespace Envoy {

@@ -144,6 +144,7 @@ envoy_cc_library(
     # TLS is core functionality.
     visibility = ["//visibility:public"],
     deps = [
+        ":stats_lib",
         ":utility_lib",
         "//include/envoy/ssl:context_config_interface",
         "//include/envoy/ssl:context_interface",
@@ -161,13 +162,29 @@ envoy_cc_library(
         "//source/common/runtime:runtime_features_lib",
         "//source/common/stats:symbol_table_lib",
         "//source/common/stats:utility_lib",
+        "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
         "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib",
         "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
         "@envoy_api//envoy/admin/v3:pkg_cc_proto",
         "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
     ],
 )
 
+envoy_cc_library(
+    name = "stats_lib",
+    srcs = ["stats.cc"],
+    hdrs = ["stats.h"],
+    external_deps = [
+        "ssl",
+    ],
+    deps = [
+        "//include/envoy/stats:stats_interface",
+        "//include/envoy/stats:stats_macros",
+        "//source/common/stats:symbol_table_lib",
+        "//source/common/stats:utility_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],

@@ -0,0 +1,37 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "cert_validator_lib",
+    srcs = [
+        "default_validator.cc",
+    ],
+    hdrs = [
+        "cert_validator.h",
+        "default_validator.h",
+    ],
+    external_deps = [
+        "ssl",
+    ],
+    # TLS is core functionality.
+    visibility = ["//visibility:public"],
+    deps = [
+        "//include/envoy/ssl:context_config_interface",
+        "//include/envoy/ssl:ssl_socket_extended_info_interface",
+        "//source/common/common:assert_lib",
+        "//source/common/common:base64_lib",
+        "//source/common/common:hex_lib",
+        "//source/common/common:utility_lib",
+        "//source/common/stats:symbol_table_lib",
+        "//source/common/stats:utility_lib",
+        "//source/extensions/transport_sockets/tls:stats_lib",
+        "//source/extensions/transport_sockets/tls:utility_lib",
+    ],
+)
@@ -0,0 +1,87 @@
+#pragma once
+
+#include <array>
+#include <deque>
+#include <functional>
+#include <string>
+#include <vector>
+
+#include "envoy/common/pure.h"
+#include "envoy/network/transport_socket.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
+#include "envoy/ssl/ssl_socket_extended_info.h"
+
+#include "common/common/matchers.h"
+#include "common/stats/symbol_table_impl.h"
+
+#include "extensions/transport_sockets/tls/stats.h"
+
+#include "absl/synchronization/mutex.h"
+#include "openssl/ssl.h"
+#include "openssl/x509v3.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class CertValidator {
+public:
+  virtual ~CertValidator() = default;
+
+  /**
+   * Called to add the client validation context information to a given ssl context
+   *
+   * @param context the store context
+   * @param require_client_cert whether or not client cert is required
+   */
+  virtual void addClientValidationContext(SSL_CTX* context, bool require_client_cert) PURE;
+
+  /**
+   * Called by verifyCallback to do the actual cert chain verification.
+   *
+   * @param store_ctx the store context
+   * @param ssl_extended_info the info for storing the validation status
+   * @param leaf_cert the peer certificate to verify
+   * @return 1 to indicate verification success and 0 to indicate verification failure.
+   */
+  virtual int
+  doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info,
+                    X509& leaf_cert,
+                    const Network::TransportSocketOptions* transport_socket_options) PURE;
+
+  /**
+   * Called to initialize all ssl contexts
+   *
+   * @param contexts the store context
+   * @param handshaker_provides_certificates whether or not a handshaker implementation provides
+   * certificates itself.
+   * @return the ssl verification mode flag
+   */
+  virtual int initializeSslContexts(std::vector<SSL_CTX*> contexts,
+                                    bool handshaker_provides_certificates) PURE;
+
+  /**
+   * Called when calculation hash for session context ids
+   *
+   * @param md the store context
+   * @param hash_buffer the buffer used for digest calculation
+   * @param hash_length the expected length of hash
+   */
+  virtual void updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md,
+                                        uint8_t hash_buffer[EVP_MAX_MD_SIZE],
+                                        unsigned hash_length) PURE;
+
+  virtual size_t daysUntilFirstCertExpires() const PURE;
+  virtual std::string getCaFileName() const PURE;
+  virtual Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const PURE;
+};
+
+using CertValidatorPtr = std::unique_ptr<CertValidator>;
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy