authorSara Golemon <sara.golemon@mongodb.com>2020-04-10 14:02:35 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-04-13 21:44:42 +0000
commitca6f181a96dcb51c159d53062866c31bb62a1b53 (patch)
treefeb45d7a457b17db21be7d38cacef89cb6ae0361
parentc0c63ceadc49b95470b1dc0f725f0dca91e86200 (diff)
downloadmongo-ca6f181a96dcb51c159d53062866c31bb62a1b53.tar.gz
SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation
-rw-r--r--src/mongo/util/net/ssl/apple.hpp1
-rw-r--r--src/mongo/util/net/ssl/detail/impl/engine_apple.ipp3
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp37
3 files changed, 22 insertions, 19 deletions
diff --git a/src/mongo/util/net/ssl/apple.hpp b/src/mongo/util/net/ssl/apple.hpp
index 62ac86466bb..c7d28025f1e 100644
--- a/src/mongo/util/net/ssl/apple.hpp
+++ b/src/mongo/util/net/ssl/apple.hpp
@@ -88,7 +88,6 @@ struct Context {
::SSLProtocol protoMin = kTLSProtocol1;
::SSLProtocol protoMax = kTLSProtocol12;
CFUniquePtr<::CFArrayRef> certs;
- bool allowInvalidHostnames = false;
};
} // namespace apple
diff --git a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
index b0d22696a35..c88c0c756f3 100644
--- a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
@@ -131,9 +131,6 @@ engine::engine(context::native_handle_type context, const std::string& remoteHos
}
_protoMin = context->protoMin;
_protoMax = context->protoMax;
- if (context->allowInvalidHostnames) {
- _remoteHostName.clear();
- }
} else {
apple::Context def;
_protoMin = def.protoMin;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index d2c75beb3f8..31740d4e4a4 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1192,6 +1192,26 @@ private:
CFUniquePtr<::SSLContextRef> _ssl;
};
+CFUniquePtr<::CFArrayRef> CreateSecTrustPolicies(const std::string& remoteHost,
+ bool allowInvalidCertificates) {
+ CFUniquePtr<::CFMutableArrayRef> policiesMutable(
+ ::CFArrayCreateMutable(nullptr, 2, &::kCFTypeArrayCallBacks));
+
+ // Basic X509 policy.
+ CFUniquePtr<::SecPolicyRef> cfX509Policy(::SecPolicyCreateBasicX509());
+ ::CFArrayAppendValue(policiesMutable.get(), cfX509Policy.get());
+
+ // Set Revocation policy.
+ auto policy = ::kSecRevocationNetworkAccessDisabled;
+ if (tlsOCSPEnabled && !remoteHost.empty() && !allowInvalidCertificates) {
+ policy = ::kSecRevocationOCSPMethod;
+ }
+ CFUniquePtr<::SecPolicyRef> cfRevPolicy(::SecPolicyCreateRevocation(policy));
+ ::CFArrayAppendValue(policiesMutable.get(), cfRevPolicy.get());
+
+ return CFUniquePtr<::CFArrayRef>(policiesMutable.release());
+}
+
} // namespace
/////////////////////////////////////////////////////////////////////////////
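Review bot: CreateSecTrustPolicies uses the results of CFArrayCreateMutable, SecPolicyCreateBasicX509 and SecPolicyCreateRevocation without checking for a null return, so an allocation failure ends up as a null passed to CFArrayAppendValue or as a short policy array handed to the trust evaluation; an explicit check after the three creations, e.g. `invariant(policiesMutable && cfX509Policy && cfRevPolicy);`, would make that fail loudly instead of degrading validation. The function also has no header comment; one stating that it builds the policy array used for peer trust evaluation (basic X.509 plus a revocation policy) and that OCSP network access is enabled only when tlsOCSPEnabled is set, a remote host is known and invalid certificates are not allowed, would document the intent of the condition. The comment `// Set Revocation policy.` could then name the default: `// Revocation policy: OCSP only for outbound connections that enforce certificate validity; otherwise no network access.`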
@@ -1341,9 +1361,6 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
const SSLParams& params,
ConnectionDirection direction) {
- // Options.
- context->allowInvalidHostnames = _allowInvalidHostnames;
-
// Protocol Version.
const auto swProto = parseProtocolRange(params);
if (!swProto.isOK()) {
@@ -1530,18 +1547,8 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
ipv6 = true;
}
- if (tlsOCSPEnabled && !remoteHost.empty() && !_allowInvalidCertificates) {
- CFArrayRef policies = nullptr;
- ::SecTrustCopyPolicies(cftrust.get(), &policies);
- CFUniquePtr<::CFArrayRef> cfpolicies(policies);
-
- CFUniquePtr<::CFMutableArrayRef> policiesMutable(
- ::CFArrayCreateMutableCopy(NULL, 0, policies));
- CFUniquePtr<::SecPolicyRef> cfRevPolicy(
- ::SecPolicyCreateRevocation(kSecRevocationOCSPMethod));
- ::CFArrayAppendValue(policiesMutable.get(), cfRevPolicy.get());
- ::SecTrustSetPolicies(cftrust.get(), policiesMutable.get());
- }
+ ::SecTrustSetPolicies(cftrust.get(),
+ CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get());
auto result = ::kSecTrustResultInvalid;
uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
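Review bot: The new SecTrustSetPolicies call discards its OSStatus, while the SecTrustEvaluate on the next line is wrapped in uassertOSStatusOK; if the policy array is rejected, evaluation silently proceeds under whatever policies cftrust already held. Wrap it the same way: `uassertOSStatusOK(::SecTrustSetPolicies(cftrust.get(), CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get()), ErrorCodes::SSLHandshakeFailed);`. Note also that the removed code copied the trust object's existing policies via SecTrustCopyPolicies before appending, whereas the new array replaces them with basic X.509 plus revocation, so whatever SSL-specific checks the previous policy set performed (hostname match, server-auth usage) now rest entirely on the validation this function does itself; a one-line comment saying so next to the call would spare the next reader that inference. The enclosing parseAndValidatePeerCertificate starts and ends outside the hunk.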