Fix the issues in DefaultCertValidator::doVerifyCertChain and ContextImpl::verifyCertChain

[tyxia]

1. In DefaultCertValidator::doVerifyCertChain() function, there is one corner case not handled right now : trusted_ca = false and no hash or SAN matcher . Basically, it means no validation context is provided so no certificate validation is performed. Current code will still return OK for this case. NotValidated seems to be an initial state that needs to be updated to either Failed or Validated eventually. If it stay as NotValidated, it should be treated as Error.
2. It reveals one bug via sds_dynamic_integration_test's QUIC path(The only failure caused by change above. TCP path of this test works fine).
   Basically, the problem is QUIC client side register and then will invoke the verifyCertificate() callback because its cert_verify_mode is set to SSL_VERIFY_PEER but no validation_context is provided. Thus, it will run into NotValidated case I described in 1 and my change return it as ERROR.

Similar to openSSL logic, the error can be treated as non-fatal if mode is SSL_VERIFY_NONE. The proposed fix is in ContextImpl::verifyCertChain( ) (which is only used by QUIC path): Query the true verify_mode that is initialized in DefaultCertValidator::initializeSslContexts(it will be SSL_VERIFY_NONE for this case because there is no validation_context config provided).
(PS: I discussed with QUIC folk, QUIC test could be investigated as well. But I feel the proposed fix is needed regardless)

Signed-off-by: Tianyu Xia tyxia@google.com

Risk Level: Low
Testing: Local test

[repokitteh-read-only]

Hi @tyxia, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #16982 was opened by tyxia.

see: more, trace.

[alyssawilk]

Just to be aware, we've been making some improvements to Envoy tooling for more prompt reviews, but draft PRs are not included in the tooling. I'm updating the contribution guidelines to make that clear (https://github.com/envoyproxy/envoy/pull/17063/files) , but as this PR predates the repokitteh warning I just want to call out that draft PRs are likely not going to get fast turnaround. Please consider marking this as ready for review if it stalls, and you want the assignee to take a look!

[tyxia]

Just to be aware, we've been making some improvements to Envoy tooling for more prompt reviews, but draft PRs are not included in the tooling. I'm updating the contribution guidelines to make that clear (https://github.com/envoyproxy/envoy/pull/17063/files) , but as this PR predates the repokitteh warning I just want to call out that draft PRs are likely not going to get fast turnaround. Please consider marking this as ready for review if it stalls, and you want the assignee to take a look!

Thank you very much for information and pointers! I created this draft PR intentionally to trigger the CI run (as the sanity check):). I will mark it as ready-for-review when when it is ready. Please let me know if you have any other instructions. Thanks!

[tyxia]

Added @rojkov here as we have discussed this issue in details in #16816

[rojkov]

Thanks! LGTM

[lizan]

bool?

[tyxia]

Thanks for review! I think either bool or int will work here as bool <-> int implicit conversion will be triggered, and it will be triggered in either way.
The reason I used int here is to align with value 1 in ternary operator in line 226 and the return type of this function (which is int).

Please let me know what do you think.

[yanavlasov]

I think int is fine given that the function returns the same error code as X509_verify_cert

[yanavlasov]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #16982 (comment) was created by @yanavlasov.

see: more, trace.