xds: Add SNI related field in handshake info (grpc#8965)

This PR is part of [A101
](https://github.com/grpc/proposal/blob/master/A101-SNI-setting-and-SNI-SAN-validation.md)
implementation.

This PR does the following changes: 
1. Add `sni` and `autoSniSanValidation` field to handshake info.
2. Change the TLS config building to add SNI if env variable is true
(currently false by default so will not be set), and `sni` is present
(currently set as empty in handshake so will not be set).
3. Change verify function to match SANs against SNI if set and env
variable and `autoSniSanValidation` is true (currently set to false by
default).
4. Set `sni` to empty and `autoSniSanValidation` to false by default
when creating handshake info in `clusterimpl`
5. Adds tests to verify the happy and failure cases of handshake.

In the next PR :
1. Will decide between hostname and SNI from CDS update in `clusterimpl`
balancer.
2. Add end to end tests to verify the SNI flow.

RELEASE NOTES: None

Author: eshitachandwani

credentials/xds/xds_client_test.go

@@ -35,6 +35,7 @@ import (
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	icredentials "google.golang.org/grpc/internal/credentials"
 	xdsinternal "google.golang.org/grpc/internal/credentials/xds"
+	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/grpc/internal/grpctest"
 	"google.golang.org/grpc/internal/testutils"
 	"google.golang.org/grpc/internal/xds/matcher"
@@ -219,7 +220,7 @@ func makeRootProvider(t *testing.T, caPath string) *fakeProvider {
 
 // newTestContextWithHandshakeInfo returns a copy of parent with HandshakeInfo
 // context value added to it.
-func newTestContextWithHandshakeInfo(parent context.Context, root, identity certprovider.Provider, sanExactMatch string) context.Context {
+func newTestContextWithHandshakeInfo(parent context.Context, root, identity certprovider.Provider, sanExactMatch, sni string, validateSANUsingSNI bool) context.Context {
 	// Creating the HandshakeInfo and adding it to the attributes is very
 	// similar to what the CDS balancer would do when it intercepts calls to
 	// NewSubConn().
@@ -228,7 +229,7 @@ func newTestContextWithHandshakeInfo(parent context.Context, root, identity cert
 		sms = []matcher.StringMatcher{matcher.NewExactStringMatcher(sanExactMatch, false)}
 	}
 	var hiPtr atomic.Pointer[xdsinternal.HandshakeInfo]
-	info := xdsinternal.NewHandshakeInfo(root, identity, sms, false)
+	info := xdsinternal.NewHandshakeInfo(root, identity, sms, false, sni, validateSANUsingSNI)
 	hiPtr.Store(info)
 	addr := xdsinternal.SetHandshakeInfo(resolver.Address{}, &hiPtr)
 
@@ -302,7 +303,7 @@ func (s) TestClientCredsInvalidHandshakeInfo(t *testing.T) {
 
 	pCtx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 	defer cancel()
-	ctx := newTestContextWithHandshakeInfo(pCtx, nil, &fakeProvider{}, "")
+	ctx := newTestContextWithHandshakeInfo(pCtx, nil, &fakeProvider{}, "", "", false)
 	if _, _, err := creds.ClientHandshake(ctx, authority, nil); err == nil {
 		t.Fatal("ClientHandshake succeeded without root certificate provider in HandshakeInfo")
 	}
@@ -339,7 +340,7 @@ func (s) TestClientCredsProviderFailure(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 			defer cancel()
-			ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, test.identityProvider, "")
+			ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, test.identityProvider, "", "", false)
 			if _, _, err := creds.ClientHandshake(ctx, authority, nil); err == nil || !strings.Contains(err.Error(), test.wantErr) {
 				t.Fatalf("ClientHandshake() returned error: %q, wantErr: %q", err, test.wantErr)
 			}
@@ -353,6 +354,7 @@ func (s) TestClientCredsSuccess(t *testing.T) {
 		desc             string
 		handshakeFunc    testHandshakeFunc
 		handshakeInfoCtx func(ctx context.Context) context.Context
+		enableSNIFlag    bool
 	}{
 		{
 			desc:          "fallback",
@@ -367,27 +369,59 @@ func (s) TestClientCredsSuccess(t *testing.T) {
 			desc:          "TLS",
 			handshakeFunc: testServerTLSHandshake,
 			handshakeInfoCtx: func(ctx context.Context) context.Context {
-				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN)
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN, "", false)
 			},
 		},
 		{
 			desc:          "mTLS",
 			handshakeFunc: testServerMutualTLSHandshake,
 			handshakeInfoCtx: func(ctx context.Context) context.Context {
-				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), defaultTestCertSAN)
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), defaultTestCertSAN, "", false)
 			},
 		},
 		{
 			desc:          "mTLS with no acceptedSANs specified",
 			handshakeFunc: testServerMutualTLSHandshake,
 			handshakeInfoCtx: func(ctx context.Context) context.Context {
-				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), "")
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), "", "", false)
 			},
 		},
+		{
+			desc:          "TLS with SNI",
+			handshakeFunc: testServerTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, "bad-match", defaultTestCertSAN, true)
+			},
+			enableSNIFlag: true,
+		},
+		{
+			desc:          "TLS with SNI, env variable disabled, AutoSniSanValidation enabled",
+			handshakeFunc: testServerTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN, "bad-sni", true)
+			},
+		},
+		{
+			desc:          "TLS with SNI, env variable enabled but AutoSniSanValidation disabled",
+			handshakeFunc: testServerTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN, "bad-sni", false)
+			},
+			enableSNIFlag: true,
+		},
+		{
+			desc:          "TLS with empty SNI, env variable enabled, AutoSniSanValidation enabled",
+			handshakeFunc: testServerTLSHandshake,
+			handshakeInfoCtx: func(ctx context.Context) context.Context {
+				return newTestContextWithHandshakeInfo(ctx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN, "", true)
+			},
+			enableSNIFlag: true,
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
+			testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, test.enableSNIFlag)
 			ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 			defer cancel()
 			ts := newTestServerWithHandshakeFunc(ctx, test.handshakeFunc)
@@ -444,7 +478,7 @@ func (s) TestClientCredsHandshakeTimeout(t *testing.T) {
 
 	sCtx, sCancel := context.WithTimeout(context.Background(), defaultTestShortTimeout)
 	defer sCancel()
-	ctx = newTestContextWithHandshakeInfo(sCtx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN)
+	ctx = newTestContextWithHandshakeInfo(sCtx, makeRootProvider(t, "x509/server_ca_cert.pem"), nil, defaultTestCertSAN, "", false)
 	if _, _, err := creds.ClientHandshake(ctx, authority, conn); err == nil {
 		t.Fatal("ClientHandshake() succeeded when expected to timeout")
 	}
@@ -467,11 +501,14 @@ func (s) TestClientCredsHandshakeTimeout(t *testing.T) {
 // TestClientCredsHandshakeFailure verifies different handshake failure cases.
 func (s) TestClientCredsHandshakeFailure(t *testing.T) {
 	tests := []struct {
-		desc          string
-		handshakeFunc testHandshakeFunc
-		rootProvider  certprovider.Provider
-		san           string
-		wantErr       string
+		desc                string
+		handshakeFunc       testHandshakeFunc
+		rootProvider        certprovider.Provider
+		san                 string
+		sni                 string
+		validateSANUsingSNI bool
+		enableSNIFlag       bool
+		wantErr             string
 	}{
 		{
 			desc:          "cert validation failure",
@@ -487,10 +524,49 @@ func (s) TestClientCredsHandshakeFailure(t *testing.T) {
 			san:           "bad-san",
 			wantErr:       "do not match any of the accepted SANs",
 		},
+		{
+			desc:                "SNI SAN mismatch",
+			handshakeFunc:       testServerTLSHandshake,
+			rootProvider:        makeRootProvider(t, "x509/server_ca_cert.pem"),
+			sni:                 "bad-sni",
+			validateSANUsingSNI: true,
+			wantErr:             "do not match the SNI",
+			enableSNIFlag:       true,
+		},
+		{
+			desc:                "SNI set, AutoSniSanValidation disabled with SAN mismatch",
+			handshakeFunc:       testServerTLSHandshake,
+			rootProvider:        makeRootProvider(t, "x509/server_ca_cert.pem"),
+			sni:                 defaultTestCertSAN,
+			san:                 "bad-san",
+			validateSANUsingSNI: false,
+			wantErr:             "do not match any of the accepted SANs",
+			enableSNIFlag:       true,
+		},
+		{
+			desc:                "SNI set with SAN mismatch and AutoSniSanValidation enabled, environment variable disabled",
+			handshakeFunc:       testServerTLSHandshake,
+			rootProvider:        makeRootProvider(t, "x509/server_ca_cert.pem"),
+			sni:                 defaultTestCertSAN,
+			san:                 "bad-san",
+			validateSANUsingSNI: true,
+			wantErr:             "do not match any of the accepted SANs",
+		},
+		{
+			desc:                "SNI empty, AutoSniSanValidation enabled with SAN mismatch",
+			handshakeFunc:       testServerTLSHandshake,
+			rootProvider:        makeRootProvider(t, "x509/server_ca_cert.pem"),
+			sni:                 "",
+			san:                 "bad-san",
+			validateSANUsingSNI: true,
+			wantErr:             "do not match any of the accepted SANs",
+			enableSNIFlag:       true,
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
+			testutils.SetEnvConfig(t, &envconfig.XDSSNIEnabled, test.enableSNIFlag)
 			ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
 			defer cancel()
 			ts := newTestServerWithHandshakeFunc(ctx, test.handshakeFunc)
@@ -508,7 +584,7 @@ func (s) TestClientCredsHandshakeFailure(t *testing.T) {
 			}
 			defer conn.Close()
 
-			ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, nil, test.san)
+			ctx = newTestContextWithHandshakeInfo(ctx, test.rootProvider, nil, test.san, test.sni, test.validateSANUsingSNI)
 			if _, _, err := creds.ClientHandshake(ctx, authority, conn); err == nil || !strings.Contains(err.Error(), test.wantErr) {
 				t.Fatalf("ClientHandshake() returned %q, wantErr %q", err, test.wantErr)
 			}
@@ -542,7 +618,7 @@ func (s) TestClientCredsProviderSwitch(t *testing.T) {
 	// Create a root provider which will fail the handshake because it does not
 	// use the correct trust roots.
 	root1 := makeRootProvider(t, "x509/client_ca_cert.pem")
-	handshakeInfo := xdsinternal.NewHandshakeInfo(root1, nil, []matcher.StringMatcher{matcher.NewExactStringMatcher(defaultTestCertSAN, false)}, false)
+	handshakeInfo := xdsinternal.NewHandshakeInfo(root1, nil, []matcher.StringMatcher{matcher.NewExactStringMatcher(defaultTestCertSAN, false)}, false, "", false)
 	// We need to repeat most of what newTestContextWithHandshakeInfo() does
 	// here because we need access to the underlying HandshakeInfo so that we
 	// can update it before the next call to ClientHandshake().
@@ -569,7 +645,7 @@ func (s) TestClientCredsProviderSwitch(t *testing.T) {
 	// Create a new root provider which uses the correct trust roots. And update
 	// the HandshakeInfo with the new provider.
 	root2 := makeRootProvider(t, "x509/server_ca_cert.pem")
-	handshakeInfo = xdsinternal.NewHandshakeInfo(root2, nil, []matcher.StringMatcher{matcher.NewExactStringMatcher(defaultTestCertSAN, false)}, false)
+	handshakeInfo = xdsinternal.NewHandshakeInfo(root2, nil, []matcher.StringMatcher{matcher.NewExactStringMatcher(defaultTestCertSAN, false)}, false, "", false)
 	// Update the existing pointer, which address attribute will continue to
 	// point to.
 	hiPtr.Store(handshakeInfo)

credentials/xds/xds_server_test.go

@@ -123,7 +123,7 @@ func (s) TestServerCredsInvalidHandshakeInfo(t *testing.T) {
 		t.Fatalf("NewServerCredentials(%v) failed: %v", opts, err)
 	}
 
-	info := xdsinternal.NewHandshakeInfo(&fakeProvider{}, nil, nil, false)
+	info := xdsinternal.NewHandshakeInfo(&fakeProvider{}, nil, nil, false, "", false)
 	conn := newWrappedConn(nil, info, time.Time{})
 	if _, _, err := creds.ServerHandshake(conn); err == nil {
 		t.Fatal("ServerHandshake succeeded without identity certificate provider in HandshakeInfo")
@@ -159,7 +159,7 @@ func (s) TestServerCredsProviderFailure(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			info := xdsinternal.NewHandshakeInfo(test.rootProvider, test.identityProvider, nil, false)
+			info := xdsinternal.NewHandshakeInfo(test.rootProvider, test.identityProvider, nil, false, "", false)
 			conn := newWrappedConn(nil, info, time.Time{})
 			if _, _, err := creds.ServerHandshake(conn); err == nil || !strings.Contains(err.Error(), test.wantErr) {
 				t.Fatalf("ServerHandshake() returned error: %q, wantErr: %q", err, test.wantErr)
@@ -235,7 +235,7 @@ func (s) TestServerCredsHandshakeTimeout(t *testing.T) {
 	// Create a test server which uses the xDS server credentials created above
 	// to perform TLS handshake on incoming connections.
 	ts := newTestServerWithHandshakeFunc(ctx, func(rawConn net.Conn) handshakeResult {
-		hi := xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/client_ca_cert.pem"), makeIdentityProvider(t, "x509/server2_cert.pem", "x509/server2_key.pem"), nil, true)
+		hi := xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/client_ca_cert.pem"), makeIdentityProvider(t, "x509/server2_cert.pem", "x509/server2_key.pem"), nil, true, "", false)
 
 		// Create a wrapped conn which can return the HandshakeInfo created
 		// above with a very small deadline.
@@ -287,7 +287,7 @@ func (s) TestServerCredsHandshakeFailure(t *testing.T) {
 	ts := newTestServerWithHandshakeFunc(ctx, func(rawConn net.Conn) handshakeResult {
 		// Create a HandshakeInfo which has a root provider which does not match
 		// the certificate sent by the client.
-		hi := xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/client2_cert.pem", "x509/client2_key.pem"), nil, true)
+		hi := xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/client2_cert.pem", "x509/client2_key.pem"), nil, true, "", false)
 
 		// Create a wrapped conn which can return the HandshakeInfo and
 		// configured deadline to the xDS credentials' ServerHandshake()
@@ -368,7 +368,7 @@ func (s) TestServerCredsHandshakeSuccess(t *testing.T) {
 			// created above to perform TLS handshake on incoming connections.
 			ts := newTestServerWithHandshakeFunc(ctx, func(rawConn net.Conn) handshakeResult {
 				// Create a HandshakeInfo with information from the test table.
-				hi := xdsinternal.NewHandshakeInfo(test.rootProvider, test.identityProvider, nil, test.requireClientCert)
+				hi := xdsinternal.NewHandshakeInfo(test.rootProvider, test.identityProvider, nil, test.requireClientCert, "", false)
 
 				// Create a wrapped conn which can return the HandshakeInfo and
 				// configured deadline to the xDS credentials' ServerHandshake()
@@ -448,7 +448,7 @@ func (s) TestServerCredsProviderSwitch(t *testing.T) {
 		if cnt == 1 {
 			// Create a HandshakeInfo which has a root provider which does not match
 			// the certificate sent by the client.
-			hi = xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/client2_cert.pem", "x509/client2_key.pem"), nil, true)
+			hi = xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/client2_cert.pem", "x509/client2_key.pem"), nil, true, "", false)
 
 			// Create a wrapped conn which can return the HandshakeInfo and
 			// configured deadline to the xDS credentials' ServerHandshake()
@@ -462,7 +462,7 @@ func (s) TestServerCredsProviderSwitch(t *testing.T) {
 			return handshakeResult{}
 		}
 
-		hi = xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/client_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), nil, true)
+		hi = xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/client_ca_cert.pem"), makeIdentityProvider(t, "x509/server1_cert.pem", "x509/server1_key.pem"), nil, true, "", false)
 
 		// Create a wrapped conn which can return the HandshakeInfo and
 		// configured deadline to the xDS credentials' ServerHandshake()

internal/credentials/xds/handshake_info.go

@@ -32,6 +32,7 @@ import (
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/credentials/spiffe"
+	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/grpc/internal/xds/matcher"
 	"google.golang.org/grpc/resolver"
 )
@@ -55,6 +56,8 @@ func (hi *HandshakeInfo) Equal(other *HandshakeInfo) bool {
 	if hi.rootProvider != other.rootProvider ||
 		hi.identityProvider != other.identityProvider ||
 		hi.requireClientCert != other.requireClientCert ||
+		hi.sni != other.sni ||
+		hi.validateSANUsingSNI != other.validateSANUsingSNI ||
 		len(hi.sanMatchers) != len(other.sanMatchers) {
 		return false
 	}
@@ -86,20 +89,24 @@ func HandshakeInfoFromAttributes(attr *attributes.Attributes) *atomic.Pointer[Ha
 type HandshakeInfo struct {
 	// All fields written at init time and read only after that, so no
 	// synchronization needed.
-	rootProvider      certprovider.Provider
-	identityProvider  certprovider.Provider
-	sanMatchers       []matcher.StringMatcher // Only on the client side.
-	requireClientCert bool                    // Only on server side.
+	rootProvider        certprovider.Provider
+	identityProvider    certprovider.Provider
+	sanMatchers         []matcher.StringMatcher // Only on the client side.
+	requireClientCert   bool                    // Only on server side.
+	sni                 string                  // Only on client side, used for Server Name Indication in TLS handshake.
+	validateSANUsingSNI bool                    // Only on client side, indicates whether to perform validation of SANs based on SNI value.
 }
 
 // NewHandshakeInfo returns a new handshake info configured with the provided
 // options.
-func NewHandshakeInfo(rootProvider certprovider.Provider, identityProvider certprovider.Provider, sanMatchers []matcher.StringMatcher, requireClientCert bool) *HandshakeInfo {
+func NewHandshakeInfo(rootProvider certprovider.Provider, identityProvider certprovider.Provider, sanMatchers []matcher.StringMatcher, requireClientCert bool, sni string, validateSANUsingSNI bool) *HandshakeInfo {
 	return &HandshakeInfo{
-		rootProvider:      rootProvider,
-		identityProvider:  identityProvider,
-		sanMatchers:       sanMatchers,
-		requireClientCert: requireClientCert,
+		rootProvider:        rootProvider,
+		identityProvider:    identityProvider,
+		sanMatchers:         sanMatchers,
+		requireClientCert:   requireClientCert,
+		sni:                 sni,
+		validateSANUsingSNI: validateSANUsingSNI,
 	}
 }
 
@@ -154,6 +161,10 @@ func (hi *HandshakeInfo) ClientSideTLSConfig(ctx context.Context) (*tls.Config,
 		}
 		cfg.Certificates = km.Certs
 	}
+
+	if envconfig.XDSSNIEnabled && hi.sni != "" {
+		cfg.ServerName = hi.sni
+	}
 	return cfg, nil
 }
 
@@ -200,7 +211,21 @@ func (hi *HandshakeInfo) buildVerifyFunc(km *certprovider.KeyMaterial, isClient
 		if _, err := certs[0].Verify(opts); err != nil {
 			return err
 		}
-		// The SANs sent by the MeshCA are encoded as SPIFFE IDs. We need to
+
+		// If XDSSNIEnabled and AutoSNISANValidation are both true and the SNI is
+		// non-empty, validate only DNS SANs against the SNI. Otherwise, fallback to
+		// validating all received SANs against the control plane provided SAN
+		// matchers.
+		if envconfig.XDSSNIEnabled && hi.validateSANUsingSNI && hi.sni != "" {
+			// Verify SAN of leaf certificate with SNI using exact DNS matcher.
+			for _, san := range certs[0].DNSNames {
+				if dnsMatch(hi.sni, san) {
+					return nil
+				}
+			}
+			return fmt.Errorf("xds: received DNS SANs: %v do not match the SNI: %v", certs[0].DNSNames, hi.sni)
+		}
+		// The SANs sent by the xDS control plane are encoded as SPIFFE IDs. We need to
 		// only look at the SANs on the leaf cert.
 		if cert := certs[0]; !hi.MatchingSANExists(cert) {
 			// TODO: Print the complete certificate once the x509 package