[tls] Add an extension point for TLS handshaker behavior. (#12658)

Additional Description: This PR necessitated decoupling SslHandshakerImpl from ContextConfig a bit. We now pass an int representing the index of the extended_info struct rather than the ContextConfig.

This PR moves SslHandshakerImpl to its own build target, moves SslHandshaker construction into the ContextConfig, and adds a HandshakerFactoryContext and HandshakerFactory for modifying the ContextConfig's behavior when constructing a Handshaker. This PR also adds a control (requireCertificates) to turn off the release asserts that a context must have certificates.

This PR builds off work in https://github.com/envoyproxy/envoy/pull/12571 and refines work done (and abandoned) in https://github.com/envoyproxy/envoy/pull/12075/. For more discussion please see the comments section of https://github.com/envoyproxy/envoy/pull/12075/.

Risk Level: Low. This PR does not modify existing handshaking behavior; it just adds an extension point for modifying it.
Testing: A representative alternative implementation was added under :handshaker_test.
Docs Changes: N/a
Release Notes: N/a

Signed-off-by: James Buckland <jbuckland@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 7d6e7a4e559bdf0346687f7f404412e2412ea6fb
master-ci-test
data-plane-api(CircleCI) 4 years ago
parent 30115e81d6
commit 732109cd35
  1. envoy/extensions/transport_sockets/tls/v3/tls.proto (6 changed lines)
  2. envoy/extensions/transport_sockets/tls/v4alpha/tls.proto (6 changed lines)

@ -99,7 +99,7 @@ message DownstreamTlsContext {
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 13]
// [#next-free-field: 14]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
@ -238,4 +238,8 @@ message CommonTlsContext {
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
// Custom TLS handshaker. If empty, defaults to native TLS handshaking
// behavior.
config.core.v3.TypedExtensionConfig custom_handshaker = 13;
}
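Review bot: the comment on `custom_handshaker` should say what the `TypedExtensionConfig` is expected to carry and what the extension changes, since "defaults to native TLS handshaking behavior" only describes the empty case. Per the PR description, a custom handshaker can relax the requirement that a context have certificates (the new `requireCertificates` control disables the release asserts), which is a behavioral difference operators need to know about before enabling a handshaker extension; suggest extending the comment along the lines of "A custom handshaker replaces the native handshaking path and may change which configuration fields are required." Also worth stating that the referenced extension must be registered in the running binary, as is done for other `TypedExtensionConfig` fields in this file.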

@ -98,7 +98,7 @@ message DownstreamTlsContext {
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 13]
// [#next-free-field: 14]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext";
@ -243,4 +243,8 @@ message CommonTlsContext {
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
// Custom TLS handshaker. If empty, defaults to native TLS handshaking
// behavior.
config.core.v4alpha.TypedExtensionConfig custom_handshaker = 13;
}
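Review bot: this v4alpha hunk mirrors the v3 change exactly (same field number 13, same `next-free-field` bump to 14, same comment text), which is what the generated v4alpha files should look like. Any wording improvement to the `custom_handshaker` comment belongs in the v3 proto with the v4alpha file regenerated from it, rather than being edited here by hand, otherwise the two copies will drift on the next regeneration.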
