[tls] Add a custom listener handshaker for TLS.

include/envoy/ssl/BUILD

@@ -78,6 +78,7 @@ envoy_cc_library(
         ":socket_state",
         "//include/envoy/config:typed_config_interface",
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/protobuf:message_validator_interface",
     ],
 )
 

include/envoy/ssl/context_config.h

@@ -81,9 +81,10 @@ class ContextConfig {
   virtual Ssl::HandshakerPtr createHandshaker(bssl::UniquePtr<SSL> ssl) const PURE;
 
   /**
-   * @return the handshaker factory for attribute evaluation.
+   * @return whether or not this context requires certificates for TLS
+   * handshakes.
    */
-  virtual const Ssl::HandshakerFactory& handshakerFactory() const PURE;
+  virtual bool requireCertificates() const PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

include/envoy/ssl/handshaker.h

@@ -4,6 +4,7 @@
 #include "envoy/common/pure.h"
 #include "envoy/config/typed_config.h"
 #include "envoy/network/transport_socket.h"
+#include "envoy/protobuf/message_validator.h"
 #include "envoy/ssl/socket_state.h"
 
 #include "openssl/ssl.h"
@@ -74,17 +75,22 @@ class HandshakerFactoryContext {
   virtual absl::string_view alpnProtocols() const PURE;
 };
 
+using HandshakerFactoryCb = std::function<HandshakerPtr(bssl::UniquePtr<SSL>)>;
+
 class HandshakerFactory : public Config::TypedFactory {
 public:
-  virtual HandshakerPtr createHandshaker(bssl::UniquePtr<SSL> ssl,
-                                         HandshakerFactoryContext& context) PURE;
-
-  std::string category() const override { return "envoy.tls_handshakers"; }
 
   /**
-   * Set a config for use when creating handshakers.
+   * @returns a callback (of type HandshakerFactoryCb). Accepts the |config| and
+   * |validation_visitor| for early config validation. This virtual base doesn't
+   * perform MessageUtil::downcastAndValidate, but an implementation should.
    */
-  virtual void setConfig(ProtobufTypes::MessagePtr message) PURE;
+  virtual HandshakerFactoryCb
+  createHandshakerCb(const Protobuf::Message& message,
+                     HandshakerFactoryContext& handshaker_factory_context,
+                     ProtobufMessage::ValidationVisitor& validation_visitor) PURE;
+
+  std::string category() const override { return "envoy.tls_handshakers"; }
 
   /**
    * Implementations should return true if the tls context accompanying this

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -179,7 +179,15 @@ ContextConfigImpl::ContextConfigImpl(
                                                 default_min_protocol_version)),
       max_protocol_version_(tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(),
                                                 default_max_protocol_version)),
-      handshaker_factory_(*HandshakerFactoryImpl::getDefaultHandshakerFactory()) {
+      handshaker_factory_cb_([&]() {
+        auto* factory = HandshakerFactoryImpl::getDefaultHandshakerFactory();
+        auto handshaker_factory_context = HandshakerFactoryContextImpl(api_, alpnProtocols());
+        return factory->createHandshakerCb(*factory->createEmptyConfigProto(),
+                                           handshaker_factory_context,
+                                           factory_context.messageValidationVisitor());
+      }()),
+      require_certificates_(
+          HandshakerFactoryImpl::getDefaultHandshakerFactory()->requireCertificates()) {
   if (certificate_validation_context_provider_ != nullptr) {
     if (default_cvc_) {
       // We need to validate combined certificate validation context.
@@ -217,11 +225,13 @@ ContextConfigImpl::ContextConfigImpl(
 
   if (config.has_custom_listener_handshaker()) {
     auto& handshaker_config = config.custom_listener_handshaker();
-    handshaker_factory_ =
+    Ssl::HandshakerFactory& handshaker_factory =
         Config::Utility::getAndCheckFactory<Ssl::HandshakerFactory>(handshaker_config);
-    handshaker_factory_.get().setConfig(Config::Utility::translateAnyToFactoryConfig(
-        handshaker_config.typed_config(), factory_context.messageValidationVisitor(),
-        handshaker_factory_.get()));
+    HandshakerFactoryContextImpl handshaker_factory_context(api_, alpnProtocols());
+    handshaker_factory_cb_ = handshaker_factory.createHandshakerCb(
+        handshaker_config.typed_config(), handshaker_factory_context,
+        factory_context.messageValidationVisitor());
+    require_certificates_ = handshaker_factory.requireCertificates();
   }
 }
 
@@ -235,8 +245,7 @@ Ssl::CertificateValidationContextConfigPtr ContextConfigImpl::getCombinedValidat
 }
 
 Ssl::HandshakerPtr ContextConfigImpl::createHandshaker(bssl::UniquePtr<SSL> ssl) const {
-  HandshakerFactoryContextImpl context(api_, alpnProtocols());
-  return handshaker_factory_.get().createHandshaker(std::move(ssl), context);
+  return handshaker_factory_cb_(std::move(ssl));
 }
 
 void ContextConfigImpl::setSecretUpdateCallback(std::function<void()> callback) {
@@ -419,7 +428,7 @@ ServerContextConfigImpl::ServerContextConfigImpl(
 
   if ((config.common_tls_context().tls_certificates().size() +
        config.common_tls_context().tls_certificate_sds_secret_configs().size()) == 0) {
-    if (handshakerFactory().requireCertificates()) {
+    if (requireCertificates()) {
       throw EnvoyException("No TLS certificates found for server context");
     }
   } else if (!config.common_tls_context().tls_certificates().empty() &&

source/extensions/transport_sockets/tls/context_config_impl.h

@@ -64,7 +64,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
 
   Ssl::HandshakerPtr createHandshaker(bssl::UniquePtr<SSL> ssl) const override;
 
-  const Ssl::HandshakerFactory& handshakerFactory() const override { return handshaker_factory_; }
+  bool requireCertificates() const override { return require_certificates_; }
 
 protected:
   ContextConfigImpl(const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config,
@@ -101,8 +101,8 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
   const unsigned min_protocol_version_;
   const unsigned max_protocol_version_;
 
-  // This reference must be reseatable.
-  std::reference_wrapper<Ssl::HandshakerFactory> handshaker_factory_;
+  Ssl::HandshakerFactoryCb handshaker_factory_cb_;
+  bool require_certificates_;
 };
 
 class ClientContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::ClientContextConfig {

source/extensions/transport_sockets/tls/context_impl.cc

@@ -74,7 +74,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       ssl_versions_(stat_name_set_->add("ssl.versions")),
       ssl_curves_(stat_name_set_->add("ssl.curves")),
       ssl_sigalgs_(stat_name_set_->add("ssl.sigalgs")),
-      require_certificates_(config.handshakerFactory().requireCertificates()) {
+      require_certificates_(config.requireCertificates()) {
   const auto tls_certificates = config.tlsCertificates();
   tls_contexts_.resize(std::max(static_cast<size_t>(1), tls_certificates.size()));
 
@@ -985,7 +985,7 @@ ServerContextImpl::ServerContextImpl(Stats::Scope& scope,
                                      const std::vector<std::string>& server_names,
                                      TimeSource& time_source)
     : ContextImpl(scope, config, time_source), session_ticket_keys_(config.sessionTicketKeys()) {
-  if (config.tlsCertificates().empty() && config.handshakerFactory().requireCertificates()) {
+  if (config.tlsCertificates().empty() && config.requireCertificates()) {
     throw EnvoyException("Server TlsCertificates must have a certificate specified");
   }
 

source/extensions/transport_sockets/tls/handshaker_impl.h

@@ -53,13 +53,14 @@ class HandshakerFactoryImpl : public Ssl::HandshakerFactory {
     return ProtobufTypes::MessagePtr{new Envoy::ProtobufWkt::Struct()};
   }
 
-  Ssl::HandshakerPtr createHandshaker(bssl::UniquePtr<SSL> ssl,
-                                      Ssl::HandshakerFactoryContext&) override {
-    return std::make_unique<HandshakerImpl>(std::move(ssl));
+  Ssl::HandshakerFactoryCb createHandshakerCb(const Protobuf::Message&,
+                                              Ssl::HandshakerFactoryContext&,
+                                              ProtobufMessage::ValidationVisitor&) override {
+    // The default HandshakerImpl doesn't take a config or use the HandshakerFactoryContext.
+    return
+        [](bssl::UniquePtr<SSL> ssl) { return std::make_unique<HandshakerImpl>(std::move(ssl)); };
   }
 
-  void setConfig(ProtobufTypes::MessagePtr) override {}
-
   bool requireCertificates() const override {
     // The default HandshakerImpl does require certificates.
     return true;

test/extensions/transport_sockets/tls/handshaker_test.cc

@@ -174,11 +174,10 @@ class HandshakerImplForTest : public Ssl::Handshaker {
   HandshakerImplForTest(bssl::UniquePtr<SSL> ssl, std::function<void()> requested_cert_cb)
       : ssl_(std::move(ssl)), requested_cert_cb_(requested_cert_cb) {
     SSL_set_cert_cb(
-      ssl_.get(), [](SSL*, void* arg) -> int { return *static_cast<bool*>(arg) ? 1 : -1; },
-      &cert_cb_ok_);
+        ssl_.get(), [](SSL*, void* arg) -> int { return *static_cast<bool*>(arg) ? 1 : -1; },
+        &cert_cb_ok_);
   }
 
-
   Network::PostIoAction doHandshake(Ssl::SocketState& state,
                                     Ssl::HandshakerCallbacks& callbacks) override {
     ASSERT(state != Ssl::SocketState::HandshakeComplete && state != Ssl::SocketState::ShutdownSent);