CDRIVER-3508 add OCSP URI options

- revert changes to schannel that do not account for CRL

Author: kevinAlbs

.evergreen/run-ocsp-test.sh

@@ -128,10 +128,18 @@ if [ "TEST_1" = "$TEST_COLUMN" ]; then
 elif [ "TEST_2" = "$TEST_COLUMN" ]; then
     expect_failure
 elif [ "TEST_3" = "$TEST_COLUMN" ]; then
+    # Window does not soft-fail by default, users can disable revocation checking.
+    if [ "$OS" = "WINDOWS" ]; then
+	   MONGODB_URI="$MONGODB_URI&tlsDisableCertificateRevocationCheck=true"
+	fi
     expect_success
 elif [ "TEST_4" = "$TEST_COLUMN" ]; then
     expect_failure
 elif [ "SOFT_FAIL_TEST" = "$TEST_COLUMN" ]; then
+    # Window does not soft-fail by default, users can disable revocation checking.
+    if [ "$OS" = "WINDOWS" ]; then
+	   MONGODB_URI="$MONGODB_URI&tlsDisableCertificateRevocationCheck=true"
+	fi
     expect_success
 elif [ "MALICIOUS_SERVER_TEST_1" = "$TEST_COLUMN" ]; then
     expect_failure

src/libmongoc/doc/configuring_tls.rst

@@ -3,18 +3,6 @@
 Configuring TLS
 ===============
 
-Building libmongoc with TLS support
------------------------------------
-
-By default, libmongoc will attempt to find a supported TLS library and enable TLS support. This is controlled by the cmake flag ``ENABLE_SSL``, which is set to ``AUTO`` by default. Valid values are:
-
-- ``AUTO`` the default behavior. Link to the system's native TLS library, or attempt to find OpenSSL.
-- ``DARWIN`` link to Secure Transport, the native TLS library on macOS.
-- ``WINDOWS`` link to Secure Channel, the native TLS on Windows.
-- ``OPENSSL`` link to OpenSSL (libssl). An optional install path may be specified with ``OPENSSL_ROOT``.
-- ``LIBRESSL`` link to LibreSSL's libtls. (LibreSSL's compatible libssl may be linked to by setting ``OPENSSL``).
-- ``OFF`` disable TLS support.
-
 Configuration with URI options
 ------------------------------
 
@@ -54,7 +42,7 @@ Client Authentication
 
 When MongoDB is started with TLS enabled, it will by default require the client to provide a client certificate issued by a certificate authority specified by ``--tlsCAFile``, or an authority trusted by the native certificate store in use on the server.
 
-To provide the client certificate, set the ``tlscertificatekeyfile`` in the URI to a PEM armored certificate file.
+To provide the client certificate, set the ``tlsCertificateKeyFile`` in the URI to a PEM armored certificate file.
 
 .. code-block:: c
 
@@ -69,10 +57,26 @@ Server Certificate Verification
 
 The MongoDB C Driver will automatically verify the validity of the server certificate, such as issued by configured Certificate Authority, hostname validation, and expiration.
 
-To overwrite this behaviour, it is possible to disable hostname validation, and/or allow otherwise invalid certificates. This behaviour is controlled using the ``tlsallowinvalidhostnames`` and ``tlsallowinvalidcertificates`` options. By default, both are set to ``false``. It is not recommended to change these defaults as it exposes the client to *Man In The Middle* attacks (when ``tlsallowinvalidhostnames`` is set) and otherwise invalid certificates when ``tlsallowinvalidcertificates`` is set to ``true``.
+To overwrite this behaviour, it is possible to disable hostname validation, OCSP endpoint revocation checking, revocation checking entirely, and allow invalid certificates.
+
+This behaviour is controlled using the ``tlsAllowInvalidHostnames``, ``tlsDisableOCSPEndpointCheck``, ``tlsDisableCertificateRevocationCheck``, and ``tlsAllowInvalidCertificates`` options respectively. By default, all are set to ``false``.
+
+It is not recommended to change these defaults as it exposes the client to *Man In The Middle* attacks (when ``tlsAllowInvalidHostnames`` is set), invalid certificates (when ``tlsAllowInvalidCertificates`` is set), or potentially revoked certificates (when ``tlsDisableOCSPEndpointCheck`` or ``tlsDisableCertificateRevocationCheck`` are set).
+
+Supported Libraries
+-------------------
+
+By default, libmongoc will attempt to find a supported TLS library and enable TLS support. This is controlled by the cmake flag ``ENABLE_SSL``, which is set to ``AUTO`` by default. Valid values are:
+
+- ``AUTO`` the default behavior. Link to the system's native TLS library, or attempt to find OpenSSL.
+- ``DARWIN`` link to Secure Transport, the native TLS library on macOS.
+- ``WINDOWS`` link to Secure Channel, the native TLS on Windows.
+- ``OPENSSL`` link to OpenSSL (libssl). An optional install path may be specified with ``OPENSSL_ROOT``.
+- ``LIBRESSL`` link to LibreSSL's libtls. (LibreSSL's compatible libssl may be linked to by setting ``OPENSSL``).
+- ``OFF`` disable TLS support.
 
 OpenSSL
--------
+```````
 
 The MongoDB C Driver uses OpenSSL, if available, on Linux and Unix platforms (besides macOS). Industry best practices and some regulations require the use of TLS 1.1 or newer, which requires at least OpenSSL 1.0.1. Check your OpenSSL version like so::
 
@@ -82,33 +86,43 @@ Ensure your system's OpenSSL is a recent version (at least 1.0.1), or install a
 
   cmake -DOPENSSL_ROOT_DIR=/absolute/path/to/openssl
 
-When compiled against OpenSSL, the driver will attempt to load the system default certificate store, as configured by the distribution. That can be overridden by setting the ``tlscafile`` URI option or with the fields ``ca_file`` and ``ca_dir`` in the :symbol:`mongoc_ssl_opt_t`.
+When compiled against OpenSSL, the driver will attempt to load the system default certificate store, as configured by the distribution. That can be overridden by setting the ``tlsCAFile`` URI option or with the fields ``ca_file`` and ``ca_dir`` in the :symbol:`mongoc_ssl_opt_t`.
+
+Setting ``tlsDisableOCSPEndpointCheck`` and ``tlsDisableCertificateRevocationCheck`` has no effect.
 
 LibreSSL / libtls
------------------
+`````````````````
 
 The MongoDB C Driver supports LibreSSL through the use of OpenSSL compatibility checks when configured to compile against ``openssl``. It also supports the new ``libtls`` library when configured to build against ``libressl``.
 
+Setting ``tlsDisableOCSPEndpointCheck`` and ``tlsDisableCertificateRevocationCheck`` has no effect.
+
 Native TLS Support on Windows (Secure Channel)
-----------------------------------------------
+``````````````````````````````````````````````
 
 The MongoDB C Driver supports the Windows native TLS library (Secure Channel, or SChannel), and its native crypto library (Cryptography API: Next Generation, or CNG).
 
 When compiled against the Windows native libraries, the ``ca_dir`` option of a :symbol:`mongoc_ssl_opt_t` is not supported, and will issue an error if used.
 
-Encrypted PEM files (e.g., setting ``tlscertificatekeypassword``) are also not supported, and will result in error when attempting to load them.
+Encrypted PEM files (e.g., setting ``tlsCertificateKeyPassword``) are also not supported, and will result in error when attempting to load them.
 
-When ``tlscafile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlscafile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate or the ``Current user certificate store`` if the ``System Local Machine Root`` certificate store is unavailable.
+When ``tlsCAFile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlsCAFile`` is set, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate or the ``Current user certificate store`` if the ``System Local Machine Root`` certificate store is unavailable.
 
 When ``crl_file`` is set with :symbol:`mongoc_ssl_opt_t`, the driver will import the revocation list to the ``System Local Machine Root`` certificate store.
 
+Setting ``tlsDisableOCSPEndpointCheck`` has no effect.
+
+Setting ``tlsAllowInvalidHostnames`` additionally consider certificates with no revocation mechanisms specified (CRL / OCSP) a non-error.
+
 .. _Secure Transport:
 
 Native TLS Support on macOS / Darwin (Secure Transport)
--------------------------------------------------------
+```````````````````````````````````````````````````````
 
 The MongoDB C Driver supports the Darwin (OS X, macOS, iOS, etc.) native TLS library (Secure Transport), and its native crypto library (Common Crypto, or CC).
 
 When compiled against Secure Transport, the ``ca_dir`` option of a :symbol:`mongoc_ssl_opt_t` is not supported, and will issue an error if used.
 
-When ``tlscafile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlscafile`` is set, the driver will use the Certificate Authorities in the currently unlocked keychains.
+When ``tlsCAFile`` is set, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``tlsCAFile`` is set, the driver will use the Certificate Authorities in the currently unlocked keychains.
+
+Setting ``tlsDisableOCSPEndpointCheck`` and ``tlsDisableCertificateRevocationCheck`` has no effect.

src/libmongoc/doc/includes/tls-options.txt

@@ -24,4 +24,10 @@
      - Ignore hostname verification of the certificate (e.g. Man In The Middle, using valid certificate, but issued for another hostname)
    * - MONGOC_URI_TLSINSECURE
      - tlsinsecure
-     - {true|false}, indicating if insecure TLS options should be used. Currently this implies MONGOC_URI_TLSALLOWINVALIDCERTIFICATES and MONGOC_URI_TLSALLOWINVALIDHOSTNAMES.
+     - {true|false}, indicating if insecure TLS options should be used. Currently this implies MONGOC_URI_TLSALLOWINVALIDCERTIFICATES and MONGOC_URI_TLSALLOWINVALIDHOSTNAMES.
+   * - MONGOC_URI_TLSDISABLECERTIFICATEREVOCATIONCHECK
+     - tlsdisablecertificaterevocationcheck
+     - {true|false}, indicates if revocation checking (CRL / OCSP) should be disabled.
+   * - MONGOC_URI_TLSDISABLEOCSPENDPOINTCHECK
+     - tlsdisableocspendpointcheck
+     - {true|false}, indicates if OCSP responder endpoints should not be requested when an OCSP response is not stapled.

src/libmongoc/doc/mongoc_ssl_opt_t.rst

@@ -16,7 +16,8 @@ Synopsis
      const char *crl_file;
      bool weak_cert_validation;
      bool allow_invalid_hostname;
-     void *padding[7];
+     void *internal;
+     void *padding[6];
   } mongoc_ssl_opt_t;
 
 Description

src/libmongoc/src/mongoc/mongoc-client-pool.c

@@ -15,7 +15,6 @@
  */
 
 
-
 #include "mongoc.h"
 #include "mongoc-apm-private.h"
 #include "mongoc-counters-private.h"
@@ -58,17 +57,16 @@ void
 mongoc_client_pool_set_ssl_opts (mongoc_client_pool_t *pool,
                                  const mongoc_ssl_opt_t *opts)
 {
-   BSON_ASSERT (pool);
-
    bson_mutex_lock (&pool->mutex);
 
-   _mongoc_ssl_opts_cleanup (&pool->ssl_opts);
+   _mongoc_ssl_opts_cleanup (&pool->ssl_opts,
+                             false /* don't free internal opts. */);
 
-   memset (&pool->ssl_opts, 0, sizeof pool->ssl_opts);
    pool->ssl_opts_set = false;
 
    if (opts) {
-      _mongoc_ssl_opts_copy_to (opts, &pool->ssl_opts);
+      _mongoc_ssl_opts_copy_to (
+         opts, &pool->ssl_opts, false /* don't overwrite internal opts. */);
       pool->ssl_opts_set = true;
    }
 
@@ -77,6 +75,20 @@ mongoc_client_pool_set_ssl_opts (mongoc_client_pool_t *pool,
 
    bson_mutex_unlock (&pool->mutex);
 }
+
+void
+_mongoc_client_pool_set_internal_tls_opts (
+   mongoc_client_pool_t *pool, _mongoc_internal_tls_opts_t *internal)
+{
+   bson_mutex_lock (&pool->mutex);
+   if (!pool->ssl_opts_set) {
+      return;
+   }
+   pool->ssl_opts.internal = bson_malloc (sizeof (_mongoc_internal_tls_opts_t));
+   memcpy (
+      pool->ssl_opts.internal, internal, sizeof (_mongoc_internal_tls_opts_t));
+   bson_mutex_unlock (&pool->mutex);
+}
 #endif
 
 
@@ -143,10 +155,12 @@ mongoc_client_pool_new (const mongoc_uri_t *uri)
 #ifdef MONGOC_ENABLE_SSL
    if (mongoc_uri_get_tls (pool->uri)) {
       mongoc_ssl_opt_t ssl_opt = {0};
+      _mongoc_internal_tls_opts_t internal_tls_opts = {0};
 
-      _mongoc_ssl_opts_from_uri (&ssl_opt, pool->uri);
+      _mongoc_ssl_opts_from_uri (&ssl_opt, &internal_tls_opts, pool->uri);
       /* sets use_ssl = true */
       mongoc_client_pool_set_ssl_opts (pool, &ssl_opt);
+      _mongoc_client_pool_set_internal_tls_opts (pool, &internal_tls_opts);
    }
 #endif
    mongoc_counter_client_pools_active_inc ();
@@ -184,7 +198,7 @@ mongoc_client_pool_destroy (mongoc_client_pool_t *pool)
    mongoc_cond_destroy (&pool->cond);
 
 #ifdef MONGOC_ENABLE_SSL
-   _mongoc_ssl_opts_cleanup (&pool->ssl_opts);
+   _mongoc_ssl_opts_cleanup (&pool->ssl_opts, true);
 #endif
 
    bson_free (pool);

src/libmongoc/src/mongoc/mongoc-client.c

@@ -975,17 +975,34 @@ mongoc_client_new (const char *uri_string)
  */
 
 #ifdef MONGOC_ENABLE_SSL
+/* Only called internally. Caller must ensure opts->internal is valid. */
+void
+_mongoc_client_set_internal_tls_opts (mongoc_client_t *client,
+                                      _mongoc_internal_tls_opts_t *internal)
+{
+   if (!client->use_ssl) {
+      return;
+   }
+   client->ssl_opts.internal =
+      bson_malloc (sizeof (_mongoc_internal_tls_opts_t));
+   memcpy (client->ssl_opts.internal,
+           internal,
+           sizeof (_mongoc_internal_tls_opts_t));
+}
+
 void
 mongoc_client_set_ssl_opts (mongoc_client_t *client,
                             const mongoc_ssl_opt_t *opts)
 {
    BSON_ASSERT (client);
    BSON_ASSERT (opts);
 
-   _mongoc_ssl_opts_cleanup (&client->ssl_opts);
+   _mongoc_ssl_opts_cleanup (&client->ssl_opts,
+                             false /* don't free internal opts */);
 
    client->use_ssl = true;
-   _mongoc_ssl_opts_copy_to (opts, &client->ssl_opts);
+   _mongoc_ssl_opts_copy_to (
+      opts, &client->ssl_opts, false /* don't overwrite internal opts */);
 
    if (client->topology->single_threaded) {
       mongoc_topology_scanner_set_ssl_opts (client->topology->scanner,
@@ -1091,10 +1108,12 @@ _mongoc_client_new_from_uri (mongoc_topology_t *topology)
    client->use_ssl = false;
    if (mongoc_uri_get_tls (client->uri)) {
       mongoc_ssl_opt_t ssl_opt = {0};
+      _mongoc_internal_tls_opts_t internal_tls_opts = {0};
 
-      _mongoc_ssl_opts_from_uri (&ssl_opt, client->uri);
+      _mongoc_ssl_opts_from_uri (&ssl_opt, &internal_tls_opts, client->uri);
       /* sets use_ssl = true */
       mongoc_client_set_ssl_opts (client, &ssl_opt);
+      _mongoc_client_set_internal_tls_opts (client, &internal_tls_opts);
    }
 #endif
 
@@ -1137,7 +1156,7 @@ mongoc_client_destroy (mongoc_client_t *client)
       mongoc_set_destroy (client->client_sessions);
 
 #ifdef MONGOC_ENABLE_SSL
-      _mongoc_ssl_opts_cleanup (&client->ssl_opts);
+      _mongoc_ssl_opts_cleanup (&client->ssl_opts, true);
 #endif
 
       bson_free (client);
@@ -1638,8 +1657,9 @@ _mongoc_client_retryable_write_command_with_stream (
       retry_server_stream = mongoc_cluster_stream_for_writes (
          &client->cluster, parts->assembled.session, NULL, &ignored_error);
 
-      if (retry_server_stream && retry_server_stream->sd->max_wire_version >=
-                                    WIRE_VERSION_RETRY_WRITES) {
+      if (retry_server_stream &&
+          retry_server_stream->sd->max_wire_version >=
+             WIRE_VERSION_RETRY_WRITES) {
          parts->assembled.server_stream = retry_server_stream;
          bson_destroy (reply);
          GOTO (retry);

src/libmongoc/src/mongoc/mongoc-secure-channel.c

@@ -383,17 +383,8 @@ mongoc_secure_channel_setup_ca (
       L"Root"); /* system store name. "My" or "Root" */
 
    if (cert_store == NULL) {
-      cert_store = CertOpenStore (
-         CERT_STORE_PROV_SYSTEM,                  /* provider */
-         X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, /* certificate encoding */
-         0,                                       /* unused */
-         CERT_SYSTEM_STORE_CURRENT_USER,         /* dwFlags */
-         L"My"); /* system store name. "My" or "Root" */
-
-      if (cert_store == NULL) {
-         MONGOC_ERROR ("Error opening certificate store");
-         return false;
-      }
+      MONGOC_ERROR ("Error opening certificate store");
+      return false;
    }
 
    if (CertAddCertificateContextToStore (
@@ -830,10 +821,10 @@ mongoc_secure_channel_handshake_step_2 (mongoc_stream_tls_t *tls,
                           "has expired");
             break;
          case CRYPT_E_NO_REVOCATION_CHECK:
-            /* This seems to be raised also when hostname doesn't match the
-             * certificate */
-            MONGOC_ERROR ("SSL Certification verification failed: failed "
-                          "revocation/hostname check");
+            MONGOC_ERROR ("SSL Certification verification failed: certificate "
+                          "does not include revocation check. Set "
+                          "tlsDisableCertificateRevocationCheck to disable "
+                          "revocation checking");
             break;
 
          case SEC_E_INSUFFICIENT_MEMORY:

src/libmongoc/src/mongoc/mongoc-ssl-private.h

@@ -25,16 +25,32 @@
 
 BSON_BEGIN_DECLS
 
+typedef struct {
+   bool tls_disable_certificate_revocation_check;
+   bool tls_disable_ocsp_endpoint_check;
+} _mongoc_internal_tls_opts_t;
 
 char *
 mongoc_ssl_extract_subject (const char *filename, const char *passphrase);
 
 void
-_mongoc_ssl_opts_from_uri (mongoc_ssl_opt_t *ssl_opt, mongoc_uri_t *uri);
+_mongoc_ssl_opts_from_uri (mongoc_ssl_opt_t *ssl_opt,
+                           _mongoc_internal_tls_opts_t *internal,
+                           mongoc_uri_t *uri);
 void
-_mongoc_ssl_opts_copy_to (const mongoc_ssl_opt_t *src, mongoc_ssl_opt_t *dst);
+_mongoc_ssl_opts_copy_to (const mongoc_ssl_opt_t *src,
+                          mongoc_ssl_opt_t *dst,
+                          bool copy_internal);
+
+bool
+_mongoc_ssl_opts_disable_certificate_revocation_check (
+   const mongoc_ssl_opt_t *ssl_opt);
+
+bool
+_mongoc_ssl_opts_disable_ocsp_endpoint_check (const mongoc_ssl_opt_t *ssl_opt);
+
 void
-_mongoc_ssl_opts_cleanup (mongoc_ssl_opt_t *opt);
+_mongoc_ssl_opts_cleanup (mongoc_ssl_opt_t *opt, bool free_internal);
 
 BSON_END_DECLS