tls: add functionality to override requested server name in the upstream cluster

include/envoy/network/transport_socket.h

@@ -4,6 +4,8 @@
 #include "envoy/common/pure.h"
 #include "envoy/ssl/connection.h"
 
+#include "absl/types/optional.h"
+
 namespace Envoy {
 namespace Network {
 
@@ -136,6 +138,18 @@ class TransportSocket {
 
 typedef std::unique_ptr<TransportSocket> TransportSocketPtr;
 
+/**
+ * Options for creating transport sockets.
+ */
+class TransportSocketOptions {
+public:
+  virtual ~TransportSocketOptions() {}
+  virtual const absl::optional<std::string>& overrideServerName() const PURE;
+  virtual void hashKey(std::vector<uint8_t>& key) const PURE;
+};
+
+typedef std::shared_ptr<TransportSocketOptions> TransportSocketOptionsSharedPtr;
+
 /**
  * A factory for creating transport socket. It will be associated to filter chains and clusters.
  */
@@ -149,9 +163,11 @@ class TransportSocketFactory {
   virtual bool implementsSecureTransport() const PURE;
 
   /**
+   * @param options for creating the transport socket
    * @return Network::TransportSocketPtr a transport socket to be passed to connection.
    */
-  virtual TransportSocketPtr createTransportSocket() const PURE;
+  virtual TransportSocketPtr
+  createTransportSocket(TransportSocketOptionsSharedPtr options) const PURE;
 };
 
 typedef std::unique_ptr<TransportSocketFactory> TransportSocketFactoryPtr;

include/envoy/upstream/cluster_manager.h

@@ -131,9 +131,10 @@ class ClusterManager {
    * Can return nullptr if there is no host available in the cluster or if the cluster does not
    * exist.
    */
-  virtual Tcp::ConnectionPool::Instance* tcpConnPoolForCluster(const std::string& cluster,
-                                                               ResourcePriority priority,
-                                                               LoadBalancerContext* context) PURE;
+  virtual Tcp::ConnectionPool::Instance*
+  tcpConnPoolForCluster(const std::string& cluster, ResourcePriority priority,
+                        LoadBalancerContext* context,
+                        Network::TransportSocketOptionsSharedPtr transport_socket_options) PURE;
 
   /**
    * Allocate a load balanced TCP connection for a cluster. The created connection is already
@@ -143,8 +144,9 @@ class ClusterManager {
    * Returns both a connection and the host that backs the connection. Both can be nullptr if there
    * is no host available in the cluster.
    */
-  virtual Host::CreateConnectionData tcpConnForCluster(const std::string& cluster,
-                                                       LoadBalancerContext* context) PURE;
+  virtual Host::CreateConnectionData
+  tcpConnForCluster(const std::string& cluster, LoadBalancerContext* context,
+                    Network::TransportSocketOptionsSharedPtr transport_socket_options) PURE;
 
   /**
    * Returns a client that can be used to make async HTTP calls against the given cluster. The
@@ -271,7 +273,8 @@ class ClusterManagerFactory {
   virtual Tcp::ConnectionPool::InstancePtr
   allocateTcpConnPool(Event::Dispatcher& dispatcher, HostConstSharedPtr host,
                       ResourcePriority priority,
-                      const Network::ConnectionSocket::OptionsSharedPtr& options) PURE;
+                      const Network::ConnectionSocket::OptionsSharedPtr& options,
+                      Network::TransportSocketOptionsSharedPtr transport_socket_options) PURE;
 
   /**
    * Allocate a cluster from configuration proto.

include/envoy/upstream/upstream.h

@@ -73,7 +73,8 @@ class Host : virtual public HostDescription {
    */
   virtual CreateConnectionData
   createConnection(Event::Dispatcher& dispatcher,
-                   const Network::ConnectionSocket::OptionsSharedPtr& options) const PURE;
+                   const Network::ConnectionSocket::OptionsSharedPtr& options,
+                   Network::TransportSocketOptionsSharedPtr transport_socket_options) const PURE;
 
   /**
    * Create a health check connection for this host.

source/common/http/http1/conn_pool.cc

@@ -316,7 +316,7 @@ ConnPoolImpl::ActiveClient::ActiveClient(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
   Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_, nullptr);
   real_host_description_ = data.host_description_;
   codec_client_ = parent_.createCodecClient(data);
   codec_client_->addConnectionCallbacks(*this);

source/common/http/http2/conn_pool.cc

@@ -223,7 +223,7 @@ ConnPoolImpl::ActiveClient::ActiveClient(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
   Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_, nullptr);
   real_host_description_ = data.host_description_;
   client_ = parent_.createCodecClient(data);
   client_->addConnectionCallbacks(*this);

source/common/network/BUILD

@@ -240,3 +240,12 @@ envoy_cc_library(
         "@envoy_api//envoy/api/v2/core:base_cc",
     ],
 )
+
+envoy_cc_library(
+    name = "transport_socket_options_lib",
+    srcs = ["transport_socket_options_impl.cc"],
+    hdrs = ["transport_socket_options_impl.h"],
+    deps = [
+        "//include/envoy/network:transport_socket_interface",
+    ],
+)

source/common/network/raw_buffer_socket.cc

@@ -82,7 +82,8 @@ std::string RawBufferSocket::protocol() const { return EMPTY_STRING; }
 
 void RawBufferSocket::onConnected() { callbacks_->raiseEvent(ConnectionEvent::Connected); }
 
-TransportSocketPtr RawBufferSocketFactory::createTransportSocket() const {
+TransportSocketPtr
+RawBufferSocketFactory::createTransportSocket(TransportSocketOptionsSharedPtr) const {
   return std::make_unique<RawBufferSocket>();
 }
 

source/common/network/raw_buffer_socket.h

@@ -29,7 +29,7 @@ class RawBufferSocket : public TransportSocket, protected Logger::Loggable<Logge
 class RawBufferSocketFactory : public TransportSocketFactory {
 public:
   // Network::TransportSocketFactory
-  TransportSocketPtr createTransportSocket() const override;
+  TransportSocketPtr createTransportSocket(TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
 };
 

source/common/network/transport_socket_options_impl.cc

@@ -0,0 +1,20 @@
+#include "common/network/transport_socket_options_impl.h"
+
+namespace Envoy {
+namespace Network {
+TransportSocketOptionsImpl::TransportSocketOptionsImpl(std::string override_server_name) {
+  if (!override_server_name.empty()) {
+    override_server_name_ = override_server_name;
+  }
+}
+
+void TransportSocketOptionsImpl::hashKey(std::vector<uint8_t>& key) const {
+  if (!override_server_name_.has_value()) {
+    return;
+  }
+
+  std::hash<std::string> hash_function;
+  key.push_back(hash_function(override_server_name_.value()));
+}
+} // namespace Network
+} // namespace Envoy

source/common/network/transport_socket_options_impl.h

@@ -0,0 +1,21 @@
+#pragma once
+
+#include "envoy/network/transport_socket.h"
+
+namespace Envoy {
+namespace Network {
+
+class TransportSocketOptionsImpl : public TransportSocketOptions {
+public:
+  TransportSocketOptionsImpl(std::string override_server_name = "");
+  const absl::optional<std::string>& overrideServerName() const override {
+    return override_server_name_;
+  }
+  void hashKey(std::vector<uint8_t>& key) const override;
+
+private:
+  absl::optional<std::string> override_server_name_;
+};
+
+} // namespace Network
+} // namespace Envoy

source/common/ssl/context_impl.cc

@@ -275,7 +275,7 @@ std::vector<uint8_t> ContextImpl::parseAlpnProtocols(const std::string& alpn_pro
   return out;
 }
 
-bssl::UniquePtr<SSL> ContextImpl::newSsl() const {
+bssl::UniquePtr<SSL> ContextImpl::newSsl(const absl::optional<std::string>&) const {
   return bssl::UniquePtr<SSL>(SSL_new(ctx_.get()));
 }
 
@@ -498,11 +498,15 @@ ClientContextImpl::ClientContextImpl(Stats::Scope& scope, const ClientContextCon
   }
 }
 
-bssl::UniquePtr<SSL> ClientContextImpl::newSsl() const {
-  bssl::UniquePtr<SSL> ssl_con(ContextImpl::newSsl());
+bssl::UniquePtr<SSL>
+ClientContextImpl::newSsl(const absl::optional<std::string>& override_server_name) const {
+  bssl::UniquePtr<SSL> ssl_con(ContextImpl::newSsl(absl::nullopt));
 
-  if (!server_name_indication_.empty()) {
-    int rc = SSL_set_tlsext_host_name(ssl_con.get(), server_name_indication_.c_str());
+  std::string server_name_indication =
+      override_server_name.has_value() ? override_server_name.value() : server_name_indication_;
+
+  if (!server_name_indication.empty()) {
+    int rc = SSL_set_tlsext_host_name(ssl_con.get(), server_name_indication.c_str());
     RELEASE_ASSERT(rc, "");
   }
 

source/common/ssl/context_impl.h

@@ -11,6 +11,7 @@
 
 #include "common/ssl/context_manager_impl.h"
 
+#include "absl/types/optional.h"
 #include "openssl/ssl.h"
 
 namespace Envoy {
@@ -41,7 +42,8 @@ struct SslStats {
 
 class ContextImpl : public virtual Context {
 public:
-  virtual bssl::UniquePtr<SSL> newSsl() const;
+  virtual bssl::UniquePtr<SSL>
+  newSsl(const absl::optional<std::string>& override_server_name) const;
 
   /**
    * Logs successful TLS handshake and updates stats.
@@ -142,7 +144,8 @@ class ClientContextImpl : public ContextImpl, public ClientContext {
   ClientContextImpl(Stats::Scope& scope, const ClientContextConfig& config,
                     TimeSource& time_source);
 
-  bssl::UniquePtr<SSL> newSsl() const override;
+  bssl::UniquePtr<SSL>
+  newSsl(const absl::optional<std::string>& override_server_name) const override;
 
 private:
   const std::string server_name_indication_;

source/common/ssl/ssl_socket.cc

@@ -35,8 +35,12 @@ class NotReadySslSocket : public Network::TransportSocket {
 };
 } // namespace
 
-SslSocket::SslSocket(ContextSharedPtr ctx, InitialState state)
-    : ctx_(std::dynamic_pointer_cast<ContextImpl>(ctx)), ssl_(ctx_->newSsl()) {
+SslSocket::SslSocket(ContextSharedPtr ctx, InitialState state,
+                     Network::TransportSocketOptionsSharedPtr transport_socket_options)
+    : ctx_(std::dynamic_pointer_cast<ContextImpl>(ctx)),
+      ssl_(ctx_->newSsl(transport_socket_options != nullptr
+                            ? transport_socket_options->overrideServerName()
+                            : absl::nullopt)) {
   if (state == InitialState::Client) {
     SSL_set_connect_state(ssl_.get());
   } else {
@@ -370,7 +374,8 @@ ClientSslSocketFactory::ClientSslSocketFactory(ClientContextConfigPtr config,
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
-Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const {
+Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket(
+    Network::TransportSocketOptionsSharedPtr transport_socket_options) const {
   // onAddOrUpdateSecret() could be invoked in the middle of checking the existence of ssl_ctx and
   // creating SslSocket using ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and
   // use the same ssl_ctx to create SslSocket.
@@ -380,7 +385,8 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() cons
     ssl_ctx = ssl_ctx_;
   }
   if (ssl_ctx) {
-    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Client);
+    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Client,
+                                            transport_socket_options);
   } else {
     ENVOY_LOG(debug, "Create NotReadySslSocket");
     stats_.upstream_context_secrets_not_ready_.inc();
@@ -409,7 +415,8 @@ ServerSslSocketFactory::ServerSslSocketFactory(ServerContextConfigPtr config,
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
-Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const {
+Network::TransportSocketPtr
+ServerSslSocketFactory::createTransportSocket(Network::TransportSocketOptionsSharedPtr) const {
   // onAddOrUpdateSecret() could be invoked in the middle of checking the existence of ssl_ctx and
   // creating SslSocket using ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and
   // use the same ssl_ctx to create SslSocket.
@@ -419,7 +426,7 @@ Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() cons
     ssl_ctx = ssl_ctx_;
   }
   if (ssl_ctx) {
-    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Server);
+    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Server, nullptr);
   } else {
     ENVOY_LOG(debug, "Create NotReadySslSocket");
     stats_.downstream_context_secrets_not_ready_.inc();

source/common/ssl/ssl_socket.h

@@ -39,7 +39,8 @@ class SslSocket : public Network::TransportSocket,
                   public Connection,
                   protected Logger::Loggable<Logger::Id::connection> {
 public:
-  SslSocket(ContextSharedPtr ctx, InitialState state);
+  SslSocket(ContextSharedPtr ctx, InitialState state,
+            Network::TransportSocketOptionsSharedPtr transport_socket_options);
 
   // Ssl::Connection
   bool peerCertificatePresented() const override;
@@ -87,7 +88,8 @@ class ClientSslSocketFactory : public Network::TransportSocketFactory,
   ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager,
                          Stats::Scope& stats_scope);
 
-  Network::TransportSocketPtr createTransportSocket() const override;
+  Network::TransportSocketPtr
+  createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
 
   // Secret::SecretCallbacks
@@ -109,7 +111,8 @@ class ServerSslSocketFactory : public Network::TransportSocketFactory,
   ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager,
                          Stats::Scope& stats_scope, const std::vector<std::string>& server_names);
 
-  Network::TransportSocketPtr createTransportSocket() const override;
+  Network::TransportSocketPtr
+  createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
   bool implementsSecureTransport() const override;
 
   // Secret::SecretCallbacks

source/common/stream_info/BUILD

@@ -27,6 +27,15 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "forward_requested_server_name_lib",
+    srcs = ["forward_requested_server_name.cc"],
+    hdrs = ["forward_requested_server_name.h"],
+    deps = [
+        "//include/envoy/stream_info:filter_state_interface",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],

source/common/stream_info/forward_requested_server_name.cc

@@ -0,0 +1,10 @@
+#include "common/stream_info/forward_requested_server_name.h"
+
+namespace Envoy {
+namespace StreamInfo {
+
+const std::string ForwardRequestedServerName::Key =
+    "envoy.stream_info.forward_requested_server_name";
+
+} // namespace StreamInfo
+} // namespace Envoy

source/common/stream_info/forward_requested_server_name.h

@@ -0,0 +1,24 @@
+#pragma once
+
+#include "envoy/stream_info/filter_state.h"
+
+#include "absl/strings/string_view.h"
+
+namespace Envoy {
+namespace StreamInfo {
+
+/**
+ * Original Requested Server Name
+ */
+class ForwardRequestedServerName : public FilterState::Object {
+public:
+  ForwardRequestedServerName(absl::string_view server_name) : server_name_(server_name) {}
+  const std::string& value() const { return server_name_; }
+  static const std::string Key;
+
+private:
+  const std::string server_name_;
+};
+
+} // namespace StreamInfo
+} // namespace Envoy

source/common/tcp/conn_pool.cc

@@ -11,8 +11,10 @@ namespace Tcp {
 
 ConnPoolImpl::ConnPoolImpl(Event::Dispatcher& dispatcher, Upstream::HostConstSharedPtr host,
                            Upstream::ResourcePriority priority,
-                           const Network::ConnectionSocket::OptionsSharedPtr& options)
+                           const Network::ConnectionSocket::OptionsSharedPtr& options,
+                           Network::TransportSocketOptionsSharedPtr transport_socket_options)
     : dispatcher_(dispatcher), host_(host), priority_(priority), socket_options_(options),
+      transport_socket_options_(transport_socket_options),
       upstream_ready_timer_(dispatcher_.createTimer([this]() { onUpstreamReady(); })) {}
 
 ConnPoolImpl::~ConnPoolImpl() {
@@ -356,8 +358,8 @@ ConnPoolImpl::ActiveConn::ActiveConn(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
 
-  Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+  Upstream::Host::CreateConnectionData data = parent_.host_->createConnection(
+      parent_.dispatcher_, parent_.socket_options_, parent_.transport_socket_options_);
   real_host_description_ = data.host_description_;
 
   conn_ = std::move(data.connection_);