CDRIVER-1154 verify cert on reconnect

Single-threaded clients had not re-checked the server certificate after
a disconnect.

Author: ajdavis

src/mongoc/mongoc-client.c

@@ -340,12 +340,20 @@ mongoc_client_default_stream_initiator (const mongoc_uri_t       *uri,
          connecttimeoutms = mongoc_uri_get_option_as_int32 (
             uri, "connecttimeoutms", MONGOC_DEFAULT_CONNECTTIMEOUTMS);
 
-         if (!mongoc_stream_tls_do_handshake (base_stream, connecttimeoutms) ||
-             !mongoc_stream_tls_check_cert (base_stream, host->host)) {
+         if (!mongoc_stream_tls_do_handshake (base_stream, connecttimeoutms)) {
             bson_set_error (error,
                             MONGOC_ERROR_STREAM,
                             MONGOC_ERROR_STREAM_SOCKET,
-                            "Failed to handshake and validate TLS certificate.");
+                            "TLS handshake failed.");
+            mongoc_stream_destroy (base_stream);
+            return NULL;
+         }
+
+         if (!mongoc_stream_tls_check_cert (base_stream, host->host)) {
+            bson_set_error (error,
+                            MONGOC_ERROR_STREAM,
+                            MONGOC_ERROR_STREAM_SOCKET,
+                            "Failed to verify peer certificate.");
             mongoc_stream_destroy (base_stream);
             return NULL;
          }

src/mongoc/mongoc-cluster.c

@@ -45,7 +45,9 @@
 #include "mongoc-util-private.h"
 #include "mongoc-write-concern-private.h"
 #include "mongoc-uri-private.h"
-
+#ifdef MONGOC_ENABLE_SSL
+#include "mongoc-stream-tls.h"
+#endif
 
 #undef MONGOC_LOG_DOMAIN
 #define MONGOC_LOG_DOMAIN "cluster"
@@ -1441,10 +1443,12 @@ mongoc_cluster_fetch_stream_single (mongoc_cluster_t *cluster,
    mongoc_topology_t *topology;
    mongoc_stream_t *stream;
    mongoc_topology_scanner_node_t *scanner_node;
+   int64_t timeout_ms;
    int64_t expire_at;
    bson_t reply;
 
    topology = cluster->client->topology;
+   timeout_ms = topology->connect_timeout_msec;
 
    scanner_node = mongoc_topology_scanner_get_node (topology->scanner, sd->id);
    BSON_ASSERT (scanner_node && !scanner_node->retired);
@@ -1461,7 +1465,8 @@ mongoc_cluster_fetch_stream_single (mongoc_cluster_t *cluster,
       }
       stream = scanner_node->stream;
 
-      expire_at = bson_get_monotonic_time() + topology->connect_timeout_msec * 1000;
+      expire_at = bson_get_monotonic_time() + timeout_ms * 1000;
+
       if (!mongoc_stream_wait (stream, expire_at)) {
          bson_set_error (error,
                          MONGOC_ERROR_STREAM,
@@ -1473,6 +1478,28 @@ mongoc_cluster_fetch_stream_single (mongoc_cluster_t *cluster,
          return NULL;
       }
 
+#ifdef MONGOC_ENABLE_SSL
+      if (scanner_node->ts->ssl_opts) {
+         if (!mongoc_stream_tls_do_handshake (stream, (int32_t) timeout_ms)) {
+            bson_set_error (error,
+                            MONGOC_ERROR_STREAM,
+                            MONGOC_ERROR_STREAM_SOCKET,
+                            "TLS handshake failed.");
+            mongoc_topology_scanner_node_disconnect (scanner_node, true);
+            return NULL;
+         }
+
+         if (!mongoc_stream_tls_check_cert (stream, scanner_node->host.host)) {
+            bson_set_error (error,
+                            MONGOC_ERROR_STREAM,
+                            MONGOC_ERROR_STREAM_SOCKET,
+                            "Failed to verify peer certificate.");
+            mongoc_topology_scanner_node_disconnect (scanner_node, true);
+            return NULL;
+         }
+      }
+#endif
+
       if (!_mongoc_stream_run_ismaster (cluster, stream, &reply, error)) {
          mongoc_topology_scanner_node_disconnect (scanner_node, true);
          return NULL;

src/mongoc/mongoc-stream-tls.c

@@ -981,6 +981,12 @@ mongoc_stream_tls_new (mongoc_stream_t  *base_stream,
       return NULL;
    }
 
+   if (opt->weak_cert_validation) {
+      SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+   } else {
+      SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, NULL);
+   }
+
    bio_ssl = BIO_new_ssl (ssl_ctx, client);
    if (!bio_ssl) {
       return NULL;

tests/mock_server/mock-server.c

@@ -54,7 +54,8 @@ struct _mock_server_t
    int64_t start_time;
 
 #ifdef MONGOC_ENABLE_SSL
-   mongoc_ssl_opt_t *ssl_opts;
+   bool ssl;
+   mongoc_ssl_opt_t ssl_opts;
 #endif
 };
 
@@ -200,8 +201,6 @@ mock_server_down (void)
  *
  *       Set server-side SSL options before calling mock_server_run.
  *
- *       opts should be valid for server's lifetime.
- *
  * Returns:
  *       None.
  *
@@ -214,7 +213,10 @@ void
 mock_server_set_ssl_opts (mock_server_t *server,
                           mongoc_ssl_opt_t *opts)
 {
-   server->ssl_opts = opts;
+   mongoc_mutex_lock (&server->mutex);
+   server->ssl = true;
+   memcpy (&server->ssl_opts, opts, sizeof *opts);
+   mongoc_mutex_unlock (&server->mutex);
 }
 
 #endif
@@ -1458,14 +1460,17 @@ main_thread (void *data)
          client_stream = mongoc_stream_socket_new (client_sock);
 
 #ifdef MONGOC_ENABLE_SSL
-         if (server->ssl_opts) {
+         mongoc_mutex_lock (&server->mutex);
+         if (server->ssl) {
             client_stream = mongoc_stream_tls_new (client_stream,
-                                                   server->ssl_opts, 0);
+                                                   &server->ssl_opts, 0);
             if (!client_stream) {
+               mongoc_mutex_unlock (&server->mutex);
                perror ("Failed to attach tls stream");
                break;
             }
          }
+         mongoc_mutex_unlock (&server->mutex);
 #endif
          closure = (worker_closure_t *)bson_malloc (sizeof *closure);
          closure->server = server;
@@ -1519,10 +1524,24 @@ worker_thread (void *data)
    ssize_t i;
    autoresponder_handle_t handle;
 
+#ifdef MONGOC_ENABLE_SSL
+   bool ssl;
+#endif
+
    ENTRY;
 
    BSON_ASSERT(closure);
 
+#ifdef MONGOC_ENABLE_SSL
+   mongoc_mutex_lock (&server->mutex);
+   ssl = server->ssl;
+   mongoc_mutex_unlock (&server->mutex);
+
+   if (ssl) {
+      mongoc_stream_tls_do_handshake (client_stream, TIMEOUT);
+   }
+#endif
+
    _mongoc_buffer_init (&buffer, NULL, 0, NULL, NULL);
    _mongoc_array_init (&autoresponders, sizeof (autoresponder_handle_t));
 

tests/test-mongoc-client.c

@@ -18,6 +18,13 @@
 #undef MONGOC_LOG_DOMAIN
 #define MONGOC_LOG_DOMAIN "client-test"
 
+#define TRUST_DIR "tests/trust_dir"
+#define VERIFY_DIR TRUST_DIR "/verify"
+#define CAFILE TRUST_DIR "/verify/mongo_root.pem"
+#define PEMFILE_LOCALHOST TRUST_DIR "/keys/127.0.0.1.pem"
+#define PEMFILE_NOPASS TRUST_DIR "/keys/mongodb.com.pem"
+
+
 static char *
 gen_test_user (void)
 {
@@ -1105,6 +1112,126 @@ test_mongoc_client_ssl_disabled (void)
 #endif
 
 
+
+#ifdef MONGOC_ENABLE_SSL
+static bool
+_cmd (mock_server_t   *server,
+      mongoc_client_t *client,
+      bool             server_replies,
+      bson_error_t    *error)
+{
+   future_t *future;
+   request_t *request;
+   bool r;
+
+   future = future_client_command_simple (client, "db", tmp_bson ("{'cmd': 1}"),
+                                          NULL, NULL, error);
+   request = mock_server_receives_command (server, "db", MONGOC_QUERY_SLAVE_OK,
+                                           NULL);
+   ASSERT (request);
+
+   if (server_replies) {
+      mock_server_replies_simple (request, "{'ok': 1}");
+   } else {
+      mock_server_hangs_up (request);
+   }
+
+   r = future_get_bool (future);
+
+   future_destroy (future);
+   request_destroy (request);
+
+   return r;
+}
+
+
+
+static void
+_test_ssl_reconnect (bool pooled)
+{
+   mongoc_uri_t *uri;
+   mock_server_t *server;
+   mongoc_ssl_opt_t client_opts = { 0 };
+   mongoc_ssl_opt_t server_opts = { 0 };
+   mongoc_client_pool_t *pool = NULL;
+   mongoc_client_t *client;
+   bson_error_t error;
+   future_t *future;
+
+   client_opts.ca_file = CAFILE;
+
+   server_opts.ca_file = CAFILE;
+   server_opts.pem_file = PEMFILE_LOCALHOST;
+
+   server = mock_server_with_autoismaster (0);
+   mock_server_set_ssl_opts (server, &server_opts);
+   mock_server_run (server);
+
+   uri = mongoc_uri_copy (mock_server_get_uri (server));
+   mongoc_uri_set_option_as_int32 (uri, "serverSelectionTimeoutMS", 100);
+
+   if (pooled) {
+      pool = mongoc_client_pool_new (uri);
+      mongoc_client_pool_set_ssl_opts (pool, &client_opts);
+      client = mongoc_client_pool_pop (pool);
+   } else {
+      client = mongoc_client_new_from_uri (uri);
+      mongoc_client_set_ssl_opts (client, &client_opts);
+   }
+
+   ASSERT_OR_PRINT (_cmd (server, client, true /* server replies */, &error),
+                    error);
+
+   /* man-in-the-middle: hostname switches from 127.0.0.1 to mongodb.com */
+   server_opts.pem_file = PEMFILE_NOPASS;
+   mock_server_set_ssl_opts (server, &server_opts);
+
+   /* server closes connections */
+   if (pooled) {
+      /* bg thread warns "failed to buffer", "handshake failed" */
+      suppress_one_message ();
+      suppress_one_message ();
+   }
+
+   ASSERT (!_cmd (server, client, false /* server hangs up */, &error));
+
+   /* next operation comes on a new connection, server verification fails */
+   future = future_client_command_simple (client, "db", tmp_bson ("{'cmd': 1}"),
+                                          NULL, NULL, &error);
+   ASSERT (!future_get_bool (future));
+   ASSERT_ERROR_CONTAINS (error,
+                          MONGOC_ERROR_STREAM,
+                          MONGOC_ERROR_STREAM_SOCKET,
+                          "Failed to verify peer certificate");
+
+   if (pooled) {
+      mongoc_client_pool_push (pool, client);
+      mongoc_client_pool_destroy (pool);
+   } else {
+      mongoc_client_destroy (client);
+   }
+
+   future_destroy (future);
+   mock_server_destroy (server);
+   mongoc_uri_destroy (uri);
+}
+
+
+static void
+test_ssl_reconnect_single (void)
+{
+   _test_ssl_reconnect (false);
+}
+
+
+static void
+test_ssl_reconnect_pooled (void)
+{
+   _test_ssl_reconnect (true);
+}
+#endif
+
+
 void
 test_client_install (TestSuite *suite)
 {
@@ -1149,6 +1276,10 @@ test_client_install (TestSuite *suite)
 #ifdef MONGOC_ENABLE_SSL
    TestSuite_Add (suite, "/Client/ssl_opts/single", test_ssl_single);
    TestSuite_Add (suite, "/Client/ssl_opts/pooled", test_ssl_pooled);
+   TestSuite_Add (suite, "/Client/ssl/reconnect/single",
+                  test_ssl_reconnect_single);
+   TestSuite_Add (suite, "/Client/ssl/reconnect/pooled",
+                  test_ssl_reconnect_pooled);
 #else
    TestSuite_Add (suite, "/Client/ssl_disabled", test_mongoc_client_ssl_disabled);
 #endif

tests/test-mongoc-stream-tls.c

@@ -150,8 +150,8 @@ test_mongoc_tls_crl (void)
 
    ssl_test (&copt, &sopt, "rev.mongodb.com", &cr, &sr);
 
-   ASSERT (cr.result == SSL_TEST_SSL_VERIFY);
-   ASSERT (sr.result == SSL_TEST_TIMEOUT);
+   ASSERT (cr.result == SSL_TEST_SSL_HANDSHAKE);
+   ASSERT (sr.result == SSL_TEST_SSL_HANDSHAKE);
 }