[tls] Move handshaking behavior into SslSocketInfo.

include/envoy/network/BUILD

@@ -130,12 +130,19 @@ envoy_cc_library(
     hdrs = ["transport_socket.h"],
     deps = [
         ":io_handle_interface",
+        ":post_io_action_interface",
         ":proxy_protocol_options_lib",
         "//include/envoy/buffer:buffer_interface",
         "//include/envoy/ssl:connection_interface",
     ],
 )
 
+envoy_cc_library(
+    name = "post_io_action_interface",
+    hdrs = ["post_io_action.h"],
+    deps = [],
+)
+
 envoy_cc_library(
     name = "connection_balancer_interface",
     hdrs = ["connection_balancer.h"],

include/envoy/network/connection.h

@@ -222,7 +222,7 @@ class Connection : public Event::DeferredDeletable, public FilterManager {
    * @return the const SSL connection data if this is an SSL connection, or nullptr if it is not.
    */
   // TODO(snowp): Remove this in favor of StreamInfo::downstreamSslConnection.
-  virtual Ssl::ConnectionInfoConstSharedPtr ssl() const PURE;
+  virtual Ssl::ConnectionInfoSharedPtr ssl() const PURE;
 
   /**
    * @return requested server name (e.g. SNI in TLS), if any.

include/envoy/network/post_io_action.h

@@ -0,0 +1,17 @@
+#pragma once
+
+namespace Envoy {
+namespace Network {
+
+/**
+ * Action that should occur on a connection after I/O.
+ */
+enum class PostIoAction {
+  // Close the connection.
+  Close,
+  // Keep the connection open.
+  KeepOpen
+};
+
+} // namespace Network
+} // namespace Envoy

include/envoy/network/transport_socket.h

@@ -5,6 +5,7 @@
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/pure.h"
 #include "envoy/network/io_handle.h"
+#include "envoy/network/post_io_action.h"
 #include "envoy/network/proxy_protocol.h"
 #include "envoy/ssl/connection.h"
 
@@ -16,16 +17,6 @@ namespace Network {
 class Connection;
 enum class ConnectionEvent;
 
-/**
- * Action that should occur on a connection after I/O.
- */
-enum class PostIoAction {
-  // Close the connection.
-  Close,
-  // Keep the connection open.
-  KeepOpen
-};
-
 /**
  * Result of each I/O event.
  */
@@ -151,9 +142,9 @@ class TransportSocket {
   virtual void onConnected() PURE;
 
   /**
-   * @return the const SSL connection data if this is an SSL connection, or nullptr if it is not.
+   * @return the SSL connection data if this is an SSL connection, or nullptr if it is not.
    */
-  virtual Ssl::ConnectionInfoConstSharedPtr ssl() const PURE;
+  virtual Ssl::ConnectionInfoSharedPtr ssl() const PURE;
 };
 
 using TransportSocketPtr = std::unique_ptr<TransportSocket>;

include/envoy/ssl/BUILD

@@ -13,7 +13,9 @@ envoy_cc_library(
     hdrs = ["connection.h"],
     external_deps = ["abseil_optional"],
     deps = [
+        ":ssl_socket_state",
         "//include/envoy/common:time_interface",
+        "//include/envoy/network:post_io_action_interface",
     ],
 )
 
@@ -68,3 +70,9 @@ envoy_cc_library(
     deps = [
     ],
 )
+
+envoy_cc_library(
+    name = "ssl_socket_state",
+    hdrs = ["ssl_socket_state.h"],
+    deps = [],
+)

include/envoy/ssl/connection.h

@@ -5,6 +5,7 @@
 
 #include "envoy/common/pure.h"
 #include "envoy/common/time.h"
+#include "envoy/network/post_io_action.h"
 
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
@@ -148,9 +149,15 @@ class ConnectionInfo {
    * exists.
    */
   virtual absl::optional<std::string> x509Extension(absl::string_view extension_name) const PURE;
+
+  /**
+   * Performs a TLS handshake on the SSL object and returns an action indicating
+   * whether the callsite should close the connection or keep it open.
+   */
+  virtual Network::PostIoAction doHandshake() PURE;
 };
 
-using ConnectionInfoConstSharedPtr = std::shared_ptr<const ConnectionInfo>;
+using ConnectionInfoSharedPtr = std::shared_ptr<ConnectionInfo>;
 
 } // namespace Ssl
 } // namespace Envoy

include/envoy/ssl/ssl_socket_state.h

@@ -0,0 +1,9 @@
+#pragma once
+
+namespace Envoy {
+namespace Ssl {
+
+enum class SocketState { PreHandshake, HandshakeInProgress, HandshakeComplete, ShutdownSent };
+
+} // namespace Ssl
+} // namespace Envoy

include/envoy/stream_info/stream_info.h

@@ -462,25 +462,25 @@ class StreamInfo {
    * @param connection_info sets the downstream ssl connection.
    */
   virtual void
-  setDownstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) PURE;
+  setDownstreamSslConnection(const Ssl::ConnectionInfoSharedPtr& ssl_connection_info) PURE;
 
   /**
    * @return the downstream SSL connection. This will be nullptr if the downstream
    * connection does not use SSL.
    */
-  virtual Ssl::ConnectionInfoConstSharedPtr downstreamSslConnection() const PURE;
+  virtual Ssl::ConnectionInfoSharedPtr downstreamSslConnection() const PURE;
 
   /**
    * @param connection_info sets the upstream ssl connection.
    */
   virtual void
-  setUpstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) PURE;
+  setUpstreamSslConnection(const Ssl::ConnectionInfoSharedPtr& ssl_connection_info) PURE;
 
   /**
    * @return the upstream SSL connection. This will be nullptr if the upstream
    * connection does not use SSL.
    */
-  virtual Ssl::ConnectionInfoConstSharedPtr upstreamSslConnection() const PURE;
+  virtual Ssl::ConnectionInfoSharedPtr upstreamSslConnection() const PURE;
 
   /**
    * @return const Router::RouteEntry* Get the route entry selected for this request. Note: this

source/common/network/connection_impl.h

@@ -76,7 +76,7 @@ class ConnectionImpl : public ConnectionImplBase, public TransportSocketCallback
     return socket_->localAddress();
   }
   absl::optional<UnixDomainSocketPeerCredentials> unixSocketPeerCredentials() const override;
-  Ssl::ConnectionInfoConstSharedPtr ssl() const override { return transport_socket_->ssl(); }
+  Ssl::ConnectionInfoSharedPtr ssl() const override { return transport_socket_->ssl(); }
   State state() const override;
   void write(Buffer::Instance& data, bool end_stream) override;
   void setBufferLimits(uint32_t limit) override;

source/common/network/raw_buffer_socket.h

@@ -20,7 +20,7 @@ class RawBufferSocket : public TransportSocket, protected Logger::Loggable<Logge
   void onConnected() override;
   IoResult doRead(Buffer::Instance& buffer) override;
   IoResult doWrite(Buffer::Instance& buffer, bool end_stream) override;
-  Ssl::ConnectionInfoConstSharedPtr ssl() const override { return nullptr; }
+  Ssl::ConnectionInfoSharedPtr ssl() const override { return nullptr; }
 
 private:
   TransportSocketCallbacks* callbacks_{};

source/common/stream_info/stream_info_impl.h

@@ -189,22 +189,19 @@ struct StreamInfoImpl : public StreamInfo {
     return downstream_remote_address_;
   }
 
-  void
-  setDownstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& connection_info) override {
+  void setDownstreamSslConnection(const Ssl::ConnectionInfoSharedPtr& connection_info) override {
     downstream_ssl_info_ = connection_info;
   }
 
-  Ssl::ConnectionInfoConstSharedPtr downstreamSslConnection() const override {
+  Ssl::ConnectionInfoSharedPtr downstreamSslConnection() const override {
     return downstream_ssl_info_;
   }
 
-  void setUpstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& connection_info) override {
+  void setUpstreamSslConnection(const Ssl::ConnectionInfoSharedPtr& connection_info) override {
     upstream_ssl_info_ = connection_info;
   }
 
-  Ssl::ConnectionInfoConstSharedPtr upstreamSslConnection() const override {
-    return upstream_ssl_info_;
-  }
+  Ssl::ConnectionInfoSharedPtr upstreamSslConnection() const override { return upstream_ssl_info_; }
 
   const Router::RouteEntry* routeEntry() const override { return route_entry_; }
 
@@ -303,8 +300,8 @@ struct StreamInfoImpl : public StreamInfo {
   Network::Address::InstanceConstSharedPtr downstream_local_address_;
   Network::Address::InstanceConstSharedPtr downstream_direct_remote_address_;
   Network::Address::InstanceConstSharedPtr downstream_remote_address_;
-  Ssl::ConnectionInfoConstSharedPtr downstream_ssl_info_;
-  Ssl::ConnectionInfoConstSharedPtr upstream_ssl_info_;
+  Ssl::ConnectionInfoSharedPtr downstream_ssl_info_;
+  Ssl::ConnectionInfoSharedPtr upstream_ssl_info_;
   std::string requested_server_name_;
   const Http::RequestHeaderMap* request_headers_{};
   Http::RequestIDExtensionSharedPtr request_id_extension_;

source/common/tcp_proxy/tcp_proxy.cc

@@ -499,7 +499,7 @@ void Filter::onPoolFailure(ConnectionPool::PoolFailureReason reason,
 
 void Filter::onPoolReadyBase(Upstream::HostDescriptionConstSharedPtr& host,
                              const Network::Address::InstanceConstSharedPtr& local_address,
-                             Ssl::ConnectionInfoConstSharedPtr ssl_info) {
+                             Ssl::ConnectionInfoSharedPtr ssl_info) {
   upstream_handle_.reset();
   read_callbacks_->upstreamHost(host);
   getStreamInfo().onUpstreamHostSelected(host);

source/common/tcp_proxy/tcp_proxy.h

@@ -262,7 +262,7 @@ class Filter : public Network::ReadFilter,
 
   void onPoolReadyBase(Upstream::HostDescriptionConstSharedPtr& host,
                        const Network::Address::InstanceConstSharedPtr& local_address,
-                       Ssl::ConnectionInfoConstSharedPtr ssl_info);
+                       Ssl::ConnectionInfoSharedPtr ssl_info);
 
   // Upstream::LoadBalancerContext
   const Router::MetadataMatchCriteria* metadataMatchCriteria() override {

source/extensions/access_loggers/grpc/grpc_access_log_utils.cc

@@ -149,7 +149,7 @@ void Utility::extractCommonAccessLogProperties(
   }
   if (stream_info.downstreamSslConnection() != nullptr) {
     auto* tls_properties = common_access_log.mutable_tls_properties();
-    const Ssl::ConnectionInfoConstSharedPtr downstream_ssl_connection =
+    const Ssl::ConnectionInfoSharedPtr downstream_ssl_connection =
         stream_info.downstreamSslConnection();
 
     tls_properties->set_tls_sni_hostname(stream_info.requestedServerName());

source/extensions/quic_listeners/quiche/quic_filter_manager_connection_impl.cc

@@ -119,7 +119,7 @@ QuicFilterManagerConnectionImpl::localAddress() const {
   return quic_connection_->connectionSocket()->localAddress();
 }
 
-Ssl::ConnectionInfoConstSharedPtr QuicFilterManagerConnectionImpl::ssl() const {
+Ssl::ConnectionInfoSharedPtr QuicFilterManagerConnectionImpl::ssl() const {
   // TODO(danzh): construct Ssl::ConnectionInfo from crypto stream
   return nullptr;
 }

source/extensions/quic_listeners/quiche/quic_filter_manager_connection_impl.h

@@ -56,7 +56,7 @@ class QuicFilterManagerConnectionImpl : public Network::ConnectionImplBase {
     Network::ConnectionImplBase::setConnectionStats(stats);
     quic_connection_->setConnectionStats(stats);
   }
-  Ssl::ConnectionInfoConstSharedPtr ssl() const override;
+  Ssl::ConnectionInfoSharedPtr ssl() const override;
   Network::Connection::State state() const override {
     if (quic_connection_ != nullptr && quic_connection_->connected()) {
       return Network::Connection::State::Open;

source/extensions/transport_sockets/alts/tsi_socket.h

@@ -58,7 +58,7 @@ class TsiSocket : public Network::TransportSocket,
   std::string protocol() const override;
   absl::string_view failureReason() const override;
   bool canFlushClose() override { return handshake_complete_; }
-  Envoy::Ssl::ConnectionInfoConstSharedPtr ssl() const override { return nullptr; }
+  Envoy::Ssl::ConnectionInfoSharedPtr ssl() const override { return nullptr; }
   Network::IoResult doWrite(Buffer::Instance& buffer, bool end_stream) override;
   void closeSocket(Network::ConnectionEvent event) override;
   Network::IoResult doRead(Buffer::Instance& buffer) override;

source/extensions/transport_sockets/common/passthrough.cc

@@ -38,10 +38,8 @@ Network::IoResult PassthroughSocket::doWrite(Buffer::Instance& buffer, bool end_
 
 void PassthroughSocket::onConnected() { transport_socket_->onConnected(); }
 
-Ssl::ConnectionInfoConstSharedPtr PassthroughSocket::ssl() const {
-  return transport_socket_->ssl();
-}
+Ssl::ConnectionInfoSharedPtr PassthroughSocket::ssl() const { return transport_socket_->ssl(); }
 
 } // namespace TransportSockets
 } // namespace Extensions
-} // namespace Envoy
+} // namespace Envoy

source/extensions/transport_sockets/common/passthrough.h

@@ -21,12 +21,12 @@ class PassthroughSocket : public Network::TransportSocket {
   Network::IoResult doRead(Buffer::Instance& buffer) override;
   Network::IoResult doWrite(Buffer::Instance& buffer, bool end_stream) override;
   void onConnected() override;
-  Ssl::ConnectionInfoConstSharedPtr ssl() const override;
+  Ssl::ConnectionInfoSharedPtr ssl() const override;
 
 protected:
   Network::TransportSocketPtr transport_socket_;
 };
 
 } // namespace TransportSockets
 } // namespace Extensions
-} // namespace Envoy
+} // namespace Envoy

source/extensions/transport_sockets/tls/BUILD

@@ -48,6 +48,7 @@ envoy_cc_library(
         "//include/envoy/network:connection_interface",
         "//include/envoy/network:transport_socket_interface",
         "//include/envoy/ssl:ssl_socket_extended_info_interface",
+        "//include/envoy/ssl:ssl_socket_state",
         "//include/envoy/ssl/private_key:private_key_callbacks_interface",
         "//include/envoy/ssl/private_key:private_key_interface",
         "//include/envoy/stats:stats_macros",