CDRIVER-4656 driver re-initializes openssl context on every new socket (#1673)

Author: Julia-Garland

src/libmongoc/CMakeLists.txt

@@ -1269,6 +1269,13 @@ if (ENABLE_EXAMPLES AND ENABLE_SHARED)
    mongoc_add_example (appending ${PROJECT_SOURCE_DIR}/examples/tutorial/appending.c)
 endif ()
 
+if (ENABLE_TESTS AND ENABLE_SHARED AND MONGOC_ENABLE_SSL AND NOT WIN32)
+   # Add benchmarks to measure opening many TLS connections.
+   # Benchmarks require SSL, and do not build on Windows.
+   add_executable (benchmark-tls-pooled ${PROJECT_SOURCE_DIR}/tests/benchmark-tls-pooled.c)
+   target_link_libraries (benchmark-tls-pooled mongoc_shared ${LIBRARIES})
+endif ()
+
 file (COPY ${PROJECT_SOURCE_DIR}/tests/binary DESTINATION ${PROJECT_BINARY_DIR}/tests)
 file (COPY ${PROJECT_SOURCE_DIR}/tests/json DESTINATION ${PROJECT_BINARY_DIR}/tests)
 file (COPY ${PROJECT_SOURCE_DIR}/tests/x509gen DESTINATION ${PROJECT_BINARY_DIR}/tests)

src/libmongoc/src/mongoc/mongoc-client-pool.c

@@ -33,6 +33,10 @@
 #include "mongoc-ssl-private.h"
 #endif
 
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+#include "mongoc-openssl-private.h"
+#endif
+
 struct _mongoc_client_pool_t {
    bson_mutex_t mutex;
    mongoc_cond_t cond;
@@ -73,6 +77,13 @@ mongoc_client_pool_set_ssl_opts (mongoc_client_pool_t *pool, const mongoc_ssl_op
    if (opts) {
       _mongoc_ssl_opts_copy_to (opts, &pool->ssl_opts, false /* don't overwrite internal opts. */);
       pool->ssl_opts_set = true;
+
+      /* Update the OpenSSL context associated with this client pool to match new ssl opts. */
+      /* All future clients popped from pool inherit this OpenSSL context. */
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+      SSL_CTX_free (pool->topology->scanner->openssl_ctx);
+      pool->topology->scanner->openssl_ctx = _mongoc_openssl_ctx_new (&pool->ssl_opts);
+#endif
    }
 
    mongoc_topology_scanner_set_ssl_opts (pool->topology->scanner, &pool->ssl_opts);

src/libmongoc/src/mongoc/mongoc-client-private.h

@@ -219,6 +219,7 @@ mongoc_client_connect (bool buffered,
                        void *ssl_opts_void,
                        const mongoc_uri_t *uri,
                        const mongoc_host_list_t *host,
+                       void *openssl_ctx_void,
                        bson_error_t *error);
 
 

src/libmongoc/src/mongoc/mongoc-client.c

@@ -69,6 +69,10 @@
 #include "mongoc-opts-private.h"
 #endif
 
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+#include "mongoc-openssl-private.h"
+#include "mongoc-stream-tls-private.h"
+#endif
 
 #undef MONGOC_LOG_DOMAIN
 #define MONGOC_LOG_DOMAIN "client"
@@ -748,6 +752,7 @@ mongoc_client_connect (bool buffered,
                        void *ssl_opts_void,
                        const mongoc_uri_t *uri,
                        const mongoc_host_list_t *host,
+                       void *openssl_ctx_void,
                        bson_error_t *error)
 {
    mongoc_stream_t *base_stream = NULL;
@@ -797,7 +802,13 @@ mongoc_client_connect (bool buffered,
       if (use_ssl || (mechanism && (0 == strcmp (mechanism, "MONGODB-X509")))) {
          mongoc_stream_t *original = base_stream;
 
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+         // Use shared OpenSSL context.
+         base_stream = mongoc_stream_tls_new_with_hostname_and_openssl_context (
+            base_stream, host->host, ssl_opts, true, (SSL_CTX *) openssl_ctx_void);
+#else
          base_stream = mongoc_stream_tls_new_with_hostname (base_stream, host->host, ssl_opts, true);
+#endif
 
          if (!base_stream) {
             mongoc_stream_destroy (original);
@@ -830,6 +841,8 @@ mongoc_client_connect (bool buffered,
  *       A mongoc_stream_initiator_t that will handle the various type
  *       of supported sockets by MongoDB including TCP and UNIX.
  *
+ *       Also supports sharing of OpenSSL context owned by a client.
+ *
  *       Language binding authors may want to implement an alternate
  *       version of this method to use their native stream format.
  *
@@ -858,7 +871,12 @@ mongoc_client_default_stream_initiator (const mongoc_uri_t *uri,
 
 #endif
 
-   return mongoc_client_connect (true, use_ssl, ssl_opts_void, uri, host, error);
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+   SSL_CTX *ssl_ctx = client->topology->scanner->openssl_ctx;
+   return mongoc_client_connect (true, use_ssl, ssl_opts_void, uri, host, (void *) ssl_ctx, error);
+#else
+   return mongoc_client_connect (true, use_ssl, ssl_opts_void, uri, host, NULL, error);
+#endif
 }
 
 /*
@@ -980,6 +998,13 @@ mongoc_client_set_ssl_opts (mongoc_client_t *client, const mongoc_ssl_opt_t *opt
 
    if (client->topology->single_threaded) {
       mongoc_topology_scanner_set_ssl_opts (client->topology->scanner, &client->ssl_opts);
+
+/* Update the OpenSSL context associated with this client to match new ssl opts. */
+/* Active connections previously made by client can still access original OpenSSL context. */
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+      SSL_CTX_free (client->topology->scanner->openssl_ctx);
+      client->topology->scanner->openssl_ctx = _mongoc_openssl_ctx_new (&client->ssl_opts);
+#endif
    }
 }
 #endif
@@ -1087,6 +1112,7 @@ _mongoc_client_new_from_topology (mongoc_topology_t *topology)
 
       _mongoc_ssl_opts_from_uri (&ssl_opt, &internal_tls_opts, client->uri);
       /* sets use_ssl = true */
+      /* this call creates an ssl ctx only if single-threaded, otherwise client inherits from pool */
       mongoc_client_set_ssl_opts (client, &ssl_opt);
       _mongoc_client_set_internal_tls_opts (client, &internal_tls_opts);
    }

src/libmongoc/src/mongoc/mongoc-openssl.c

@@ -1002,6 +1002,12 @@ _mongoc_openssl_ctx_new (mongoc_ssl_opt_t *opt)
       return NULL;
    }
 
+   if (opt->weak_cert_validation) {
+      SSL_CTX_set_verify (ctx, SSL_VERIFY_NONE, NULL);
+   } else {
+      SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, NULL);
+   }
+
    return ctx;
 }
 

src/libmongoc/src/mongoc/mongoc-server-monitor.c

@@ -855,12 +855,23 @@ _server_monitor_setup_connection (mongoc_server_monitor_t *server_monitor,
          server_monitor->uri, &server_monitor->description->host, server_monitor->initiator_context, error);
    } else {
       void *ssl_opts_void = NULL;
+      void *openssl_ctx_void = NULL;
 
 #ifdef MONGOC_ENABLE_SSL
       ssl_opts_void = server_monitor->ssl_opts;
 #endif
-      server_monitor->stream = mongoc_client_connect (
-         false, ssl_opts_void != NULL, ssl_opts_void, server_monitor->uri, &server_monitor->description->host, error);
+
+#if defined(MONGOC_ENABLE_SSL_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+      openssl_ctx_void = server_monitor->topology->scanner->openssl_ctx;
+#endif
+
+      server_monitor->stream = mongoc_client_connect (false,
+                                                      ssl_opts_void != NULL,
+                                                      ssl_opts_void,
+                                                      server_monitor->uri,
+                                                      &server_monitor->description->host,
+                                                      openssl_ctx_void,
+                                                      error);
    }
 
    if (!server_monitor->stream) {

src/libmongoc/src/mongoc/mongoc-stream-tls-openssl-private.h

@@ -21,6 +21,9 @@
 
 #ifdef MONGOC_ENABLE_SSL_OPENSSL
 #include <bson/bson.h>
+#include <openssl/ssl.h>
+
+#include "mongoc-stream-tls.h"
 
 BSON_BEGIN_DECLS
 
@@ -49,6 +52,14 @@ typedef struct {
    mongoc_openssl_ocsp_opt_t *ocsp_opts;
 } mongoc_stream_tls_openssl_t;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+MONGOC_EXPORT (mongoc_stream_t *)
+mongoc_stream_tls_openssl_new_with_context (mongoc_stream_t *base_stream,
+                                            const char *host,
+                                            mongoc_ssl_opt_t *opt,
+                                            int client,
+                                            SSL_CTX *ssl_ctx) BSON_GNUC_WARN_UNUSED_RESULT;
+#endif
 
 BSON_END_DECLS
 

src/libmongoc/src/mongoc/mongoc-stream-tls-openssl.c

@@ -697,50 +697,35 @@ _mongoc_stream_tls_openssl_should_retry (mongoc_stream_t *stream)
    RETURN (mongoc_stream_should_retry (tls->base_stream));
 }
 
-/*
- *--------------------------------------------------------------------------
- *
- * mongoc_stream_tls_openssl_new --
- *
- *       Creates a new mongoc_stream_tls_openssl_t to communicate with a remote
- *       server using a TLS stream.
- *
- *       @base_stream should be a stream that will become owned by the
- *       resulting tls stream. It will be used for raw I/O.
- *
- *       @trust_store_dir should be a path to the SSL cert db to use for
- *       verifying trust of the remote server.
- *
- * Returns:
- *       NULL on failure, otherwise a mongoc_stream_t.
- *
- * Side effects:
- *       None.
- *
- *--------------------------------------------------------------------------
- */
-
-mongoc_stream_t *
-mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, mongoc_ssl_opt_t *opt, int client)
+/* Creates a new mongoc_stream_tls_openssl_t with ssl_ctx. */
+static mongoc_stream_t *
+create_stream_with_ctx (
+   mongoc_stream_t *base_stream, const char *host, mongoc_ssl_opt_t *opt, int client, SSL_CTX *ssl_ctx)
 {
    mongoc_stream_tls_t *tls;
    mongoc_stream_tls_openssl_t *openssl;
    mongoc_openssl_ocsp_opt_t *ocsp_opts = NULL;
-   SSL_CTX *ssl_ctx = NULL;
    BIO *bio_ssl = NULL;
    BIO *bio_mongoc_shim = NULL;
    BIO_METHOD *meth;
+   SSL *ssl;
 
    BSON_ASSERT (base_stream);
    BSON_ASSERT (opt);
    ENTRY;
 
-   ssl_ctx = _mongoc_openssl_ctx_new (opt);
-
    if (!ssl_ctx) {
       RETURN (NULL);
    }
 
+   bio_ssl = BIO_new_ssl (ssl_ctx, client);
+   if (!bio_ssl) {
+      SSL_CTX_free (ssl_ctx);
+      RETURN (NULL);
+   }
+
+   BIO_get_ssl (bio_ssl, &ssl);
+
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
    if (!opt->allow_invalid_hostname) {
       struct in_addr addr;
@@ -753,30 +738,11 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, m
       } else {
          X509_VERIFY_PARAM_set1_host (param, host, 0);
       }
-      SSL_CTX_set1_param (ssl_ctx, param);
+      SSL_set1_param (ssl, param);
       X509_VERIFY_PARAM_free (param);
    }
 #endif
 
-   if (!client) {
-      /* Only used by the Mock Server.
-       * Set a callback to get the SNI, if provided */
-      MC_DISABLE_CAST_FUNCTION_TYPE_STRICT_WARNING_BEGIN
-      SSL_CTX_set_tlsext_servername_callback (ssl_ctx, _mongoc_stream_tls_openssl_sni);
-      MC_DISABLE_CAST_FUNCTION_TYPE_STRICT_WARNING_END
-   }
-
-   if (opt->weak_cert_validation) {
-      SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
-   } else {
-      SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_PEER, NULL);
-   }
-
-   bio_ssl = BIO_new_ssl (ssl_ctx, client);
-   if (!bio_ssl) {
-      SSL_CTX_free (ssl_ctx);
-      RETURN (NULL);
-   }
    meth = mongoc_stream_tls_openssl_bio_meth_new ();
    bio_mongoc_shim = BIO_new (meth);
    if (!bio_mongoc_shim) {
@@ -789,9 +755,7 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, m
 /* Added in OpenSSL 0.9.8f, as a build time option */
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
    if (client) {
-      SSL *ssl;
       /* Set the SNI hostname we are expecting certificate for */
-      BIO_get_ssl (bio_ssl, &ssl);
       SSL_set_tlsext_host_name (ssl, host);
 #endif
    }
@@ -800,10 +764,6 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, m
 
 #ifdef MONGOC_ENABLE_OCSP_OPENSSL
    if (client && !opt->weak_cert_validation && !_mongoc_ssl_opts_disable_certificate_revocation_check (opt)) {
-      SSL *ssl;
-
-      BIO_get_ssl (bio_ssl, &ssl);
-
       /* Set the status_request extension on the SSL object.
        * Do not use SSL_CTX_set_tlsext_status_type, since that requires OpenSSL
        * 1.1.0.
@@ -857,6 +817,78 @@ mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, m
    RETURN ((mongoc_stream_t *) tls);
 }
 
+/*
+ *--------------------------------------------------------------------------
+ *
+ * mongoc_stream_tls_openssl_new --
+ *
+ *       Creates a new mongoc_stream_tls_openssl_t to communicate with a remote
+ *       server using a TLS stream.
+ *
+ *       @base_stream should be a stream that will become owned by the
+ *       resulting tls stream. It will be used for raw I/O.
+ *
+ * Returns:
+ *       NULL on failure, otherwise a mongoc_stream_t.
+ *
+ * Side effects:
+ *       None.
+ *
+ *--------------------------------------------------------------------------
+ */
+
+mongoc_stream_t *
+mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, mongoc_ssl_opt_t *opt, int client)
+{
+   SSL_CTX *ssl_ctx = _mongoc_openssl_ctx_new (opt);
+
+   if (!ssl_ctx) {
+      RETURN (NULL);
+   }
+
+   if (!client) {
+      /* Only used by the Mock Server.
+       * Set a callback to get the SNI, if provided */
+      SSL_CTX_set_tlsext_servername_callback (ssl_ctx, _mongoc_stream_tls_openssl_sni);
+   }
+
+   return create_stream_with_ctx (base_stream, host, opt, client, ssl_ctx);
+}
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+/*
+ *--------------------------------------------------------------------------
+ *
+ * mongoc_stream_tls_openssl_new_with_context --
+ *
+ *       Creates a new mongoc_stream_tls_openssl_t to communicate with a remote
+ *       server using a TLS stream, using an existing OpenSSL context.
+ *
+ *       Only called by mongoc_stream_tls_new_with_hostname_and_openssl_context.
+ *
+ *       @ssl_ctx is the shared OpenSSL context for the mongoc_client_t
+ *       associated with this function call.
+ *
+ * Returns:
+ *       NULL on failure, otherwise a mongoc_stream_t.
+ *
+ * Side effects:
+ *       None.
+ *
+ *--------------------------------------------------------------------------
+ */
+
+mongoc_stream_t *
+mongoc_stream_tls_openssl_new_with_context (
+   mongoc_stream_t *base_stream, const char *host, mongoc_ssl_opt_t *opt, int client, SSL_CTX *ssl_ctx)
+{
+   BSON_ASSERT_PARAM (ssl_ctx);
+   SSL_CTX_up_ref (ssl_ctx);
+
+   return create_stream_with_ctx (base_stream, host, opt, client, ssl_ctx);
+}
+#endif
+
 void
 mongoc_openssl_ocsp_opt_destroy (void *ocsp_opt)
 {