Merge branch 'cdriver-6045-renegotiation' of https://github.com/Julia-Garland/mongo-c-driver into cdriver-6045-renegotiation

Julia-Garland · Julia-Garland · commit 6c60125aacfd · 2025-10-07T15:30:00.000Z
diff --git a/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel-private.h b/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel-private.h
@@ -24,6 +24,8 @@
 
 #include <mongoc/mongoc-stream-tls.h>
 
+#include <mongoc/mongoc-stream-tls.h>
+
 #include <bson/bson.h>
 
 #include <subauth.h> // For SCH_CREDENTIALS
@@ -54,6 +56,9 @@ typedef enum {
 /* enum for underlying type cred field in mongoc_secure_channel_cred */
 typedef enum { schannel_cred, sch_credentials } schannel_credential_type;
 
+/* enum for underlying type cred field in mongoc_secure_channel_cred */
+typedef enum { schannel_cred, sch_credentials } schannel_credential_type;
+
 /* Structs to store Schannel handles */
 typedef struct {
    CredHandle cred_handle;
@@ -65,6 +70,9 @@ typedef struct _mongoc_secure_channel_cred {
    PCCERT_CONTEXT cert; /* Owning. Optional client cert. */
    schannel_credential_type cred_type;
    void *cred; /* Underlying type is specified by schannel_credential_type. */
+   PCCERT_CONTEXT cert; /* Owning. Optional client cert. */
+   schannel_credential_type cred_type;
+   void *cred; /* Underlying type is specified by schannel_credential_type. */
 } mongoc_secure_channel_cred;
 
 typedef struct {
@@ -81,6 +89,8 @@ typedef struct {
    ssl_connect_state connecting_state;
    mongoc_stream_tls_t *tls;   /* back pointer to parent */
    char *hostname;             /* the host name the stream was created with */
+   mongoc_stream_tls_t *tls;   /* back pointer to parent */
+   char *hostname;             /* the host name the stream was created with */
    mongoc_shared_ptr cred_ptr; // Manages a mongoc_secure_channel_cred.
    mongoc_secure_channel_cred_handle *cred_handle;
    mongoc_secure_channel_ctxt *ctxt;
@@ -92,6 +102,7 @@ typedef struct {
    int recv_unrecoverable_err;  /* _mongoc_stream_tls_secure_channel_read had an
                                    unrecoverable err */
    bool recv_renegotiate;       /* true if server requests renegotiation on TLS 1.3 */
+   bool recv_renegotiate;       /* true if server requests renegotiation on TLS 1.3 */
    bool recv_sspi_close_notify; /* true if connection closed by close_notify */
    bool recv_connection_closed; /* true if connection closed, regardless how */
 } mongoc_stream_tls_secure_channel_t;
diff --git a/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c b/src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c
@@ -78,10 +78,12 @@
 
 #define SECURITY_WIN32
 #define SCHANNEL_USE_BLACKLISTS 1
+#define SCHANNEL_USE_BLACKLISTS 1
 #include <schannel.h>
 #include <schnlsp.h>
 #include <security.h>
 #include <versionhelpers.h>
+#include <versionhelpers.h>
 
 
 /* mingw doesn't define these */
@@ -467,6 +469,7 @@ _mongoc_stream_tls_secure_channel_decrypt(mongoc_stream_tls_secure_channel_t *se
    size_t size = 0;
    size_t remaining;
    bool secbuf_extra_received = false;
+   bool secbuf_extra_received = false;
    SecBuffer inbuf[4];
    SecBufferDesc inbuf_desc;
    SECURITY_STATUS sspi_status = SEC_E_OK;
@@ -479,6 +482,8 @@ _mongoc_stream_tls_secure_channel_decrypt(mongoc_stream_tls_secure_channel_t *se
    while (secure_channel->encdata_offset > 0 && sspi_status == SEC_E_OK) {
       secbuf_extra_received = false;
 
+      secbuf_extra_received = false;
+
       /* prepare data buffer for DecryptMessage call */
       _mongoc_secure_channel_init_sec_buffer(&inbuf[0],
                                              SECBUFFER_DATA,
@@ -541,6 +546,8 @@ _mongoc_stream_tls_secure_channel_decrypt(mongoc_stream_tls_secure_channel_t *se
 
             secbuf_extra_received = true;
 
+            secbuf_extra_received = true;
+
             TRACE("encrypted data cached: offset %d length %d",
                   (int)secure_channel->encdata_offset,
                   (int)secure_channel->encdata_length);
@@ -574,6 +581,27 @@ _mongoc_stream_tls_secure_channel_decrypt(mongoc_stream_tls_secure_channel_t *se
                sspi_status = SEC_E_OK;
                continue;
             }
+
+            if (secbuf_extra_received) {
+               bool ret;
+               bson_error_t error;
+
+               secure_channel->recv_renegotiate = true;
+
+               /* the tls handshake will pass the contents of SECBUFFER_EXTRA to the server */
+               secure_channel->connecting_state = ssl_connect_2_writing;
+               ret = mongoc_secure_channel_handshake_step_2(secure_channel->tls, secure_channel->hostname, &error);
+               if (!ret) {
+                  TRACE("TLS 1.3 renegotiation failed: %s", error.message);
+                  secure_channel->recv_unrecoverable_err = true;
+                  return;
+               }
+
+               /* now continue decrypting data */
+               secure_channel->connecting_state = ssl_connect_done;
+               sspi_status = SEC_E_OK;
+               continue;
+            }
          }
          /* check if the server closed the connection */
          else if (sspi_status == SEC_I_CONTEXT_EXPIRED) {
@@ -712,6 +740,12 @@ _mongoc_stream_tls_secure_channel_readv(
             continue;
          }
 
+         /* used up all read bytes for tls renegotiation, try reading again to get next message */
+         if (read_ret == 0 && secure_channel->recv_renegotiate) {
+            secure_channel->recv_renegotiate = false;
+            continue;
+         }
+
          if (read_ret < 0) {
             RETURN(-1);
          }
@@ -998,6 +1032,8 @@ mongoc_secure_channel_cred_new(const mongoc_ssl_opt_t *opt)
 #else
    cred->cred = _mongoc_secure_channel_schannel_cred_new(opt, &cred->cert, enabled_protocols);
    cred->cred_type = schannel_cred;
+   cred->cred = _mongoc_secure_channel_schannel_cred_new(opt, &cred->cert, enabled_protocols);
+   cred->cred_type = schannel_cred;
 #endif
 
    return cred;
@@ -1026,10 +1062,12 @@ mongoc_stream_tls_secure_channel_new(mongoc_stream_t *base_stream, const char *h
 {
    BSON_UNUSED(client);
    return mongoc_stream_tls_secure_channel_new_with_creds(base_stream, host, opt, MONGOC_SHARED_PTR_NULL);
+   return mongoc_stream_tls_secure_channel_new_with_creds(base_stream, host, opt, MONGOC_SHARED_PTR_NULL);
 }
 
 mongoc_stream_t *
 mongoc_stream_tls_secure_channel_new_with_creds(mongoc_stream_t *base_stream,
+                                                const char *host,
                                                 const char *host,
                                                 const mongoc_ssl_opt_t *opt,
                                                 mongoc_shared_ptr cred_ptr)
@@ -1047,6 +1085,8 @@ mongoc_stream_tls_secure_channel_new_with_creds(mongoc_stream_t *base_stream,
 
    secure_channel->hostname = bson_strdup(host);
 
+   secure_channel->hostname = bson_strdup(host);
+
    secure_channel->decdata_buffer = bson_malloc(MONGOC_SCHANNEL_BUFFER_INIT_SIZE);
    secure_channel->decdata_length = MONGOC_SCHANNEL_BUFFER_INIT_SIZE;
    secure_channel->encdata_buffer = bson_malloc(MONGOC_SCHANNEL_BUFFER_INIT_SIZE);
@@ -1073,6 +1113,8 @@ mongoc_stream_tls_secure_channel_new_with_creds(mongoc_stream_t *base_stream,
 
    secure_channel->tls = tls;
 
+   secure_channel->tls = tls;
+
    TRACE("%s", "SSL/TLS connection with endpoint AcquireCredentialsHandle");
 
    /* setup Schannel API options */
@@ -1099,6 +1141,7 @@ mongoc_stream_tls_secure_channel_new_with_creds(mongoc_stream_t *base_stream,
                                           SECPKG_CRED_OUTBOUND, /* we are preparing outbound connection */
                                           NULL,                 /*  Optional logon */
                                           cred->cred,           /* TLS "configuration", "auth data" */
+                                          cred->cred,           /* TLS "configuration", "auth data" */
                                           NULL,                 /* unused */
                                           NULL,                 /* unused */
                                           &secure_channel->cred_handle->cred_handle, /* credential OUT param */
diff --git a/src/libmongoc/tests/test-mongoc-secure-channel.c b/src/libmongoc/tests/test-mongoc-secure-channel.c
@@ -96,6 +96,7 @@ test_secure_channel_shared_creds_stream(void *unused)
       mongoc_shared_ptr_reset_null(&cred_ptr);
    }
 
+   // Test with bad SCHANNEL CREDENTIALS to exercise error path:
    // Test with bad SCHANNEL CREDENTIALS to exercise error path:
    {
       mongoc_secure_channel_cred *cred = mongoc_secure_channel_cred_new(&ssl_opt);

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,7 @@ test_secure_channel_shared_creds_stream(void *unused)`
`96`	`96`	`mongoc_shared_ptr_reset_null(&cred_ptr);`
`97`	`97`	`}`
`98`	`98`
	`99`	`+ // Test with bad SCHANNEL CREDENTIALS to exercise error path:`
`99`	`100`	`// Test with bad SCHANNEL CREDENTIALS to exercise error path:`
`100`	`101`	`{`
`101`	`102`	`mongoc_secure_channel_cred *cred = mongoc_secure_channel_cred_new(&ssl_opt);`