diff options
| author | Gregory Wlodarek <gregory.wlodarek@mongodb.com> | 2021-02-11 19:07:03 +0000 |
|---|---|---|
| committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-02-11 19:42:32 +0000 |
| commit | 3b4f12abc5d118ea461c4613b7d2475f6c4284cf (patch) | |
| tree | 56d5231f0657a0a854d7e183d8b3754e4d64179b /src/mongo/util/net/ssl_manager_openssl.cpp | |
| parent | 330a7b661f2d2f49b638f63508af1b4a2974534a (diff) | |
| download | mongo-3b4f12abc5d118ea461c4613b7d2475f6c4284cf.tar.gz | |
Revert "SERVER-54328: Refactor creation of transient SSLConnectionContext to own its own instance of SSLManagerInterface"
This reverts commit 8e1cd3402cc0c27d1332ac78a93919bd17d3d556.
Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
| -rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 74 |
1 files changed, 15 insertions, 59 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index a786fb9c984..1dfd01c5805 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -1129,9 +1129,7 @@ private: class SSLManagerOpenSSL : public SSLManagerInterface, public std::enable_shared_from_this<SSLManagerOpenSSL> { public: - explicit SSLManagerOpenSSL(const SSLParams& params, - const std::optional<TransientSSLParams>& transientSSLParams, - bool isServer); + explicit SSLManagerOpenSSL(const SSLParams& params, bool isServer); ~SSLManagerOpenSSL() { stopJobs(); } @@ -1142,6 +1140,7 @@ public: */ Status initSSLContext(SSL_CTX* context, const SSLParams& params, + const TransientSSLParams& transientParams, ConnectionDirection direction) final; SSLConnectionInterface* connect(Socket* socket) final; @@ -1170,10 +1169,6 @@ public: return _sslConfiguration; } - bool isTransient() const final; - - std::string getTargetedClusterConnectionString() const final; - int SSL_read(SSLConnectionInterface* conn, void* buf, int num) final; int SSL_write(SSLConnectionInterface* conn, const void* buf, int num) final; @@ -1203,9 +1198,6 @@ private: bool _allowInvalidHostnames; bool _suppressNoCertificateWarning; SSLConfiguration _sslConfiguration; - // If set, this manager is an instance providing authentication with remote server specified - // with TransientSSLParams::targetedClusterConnectionString. - const std::optional<TransientSSLParams> _transientSSLParams; Mutex _sharedResponseMutex = MONGO_MAKE_LATCH("OCSPStaplingJobRunner::_sharedResponseMutex"); std::shared_ptr<OCSPStaplingContext> _ocspStaplingContext; @@ -1271,7 +1263,6 @@ private: std::string _prompt; }; - PasswordFetcher _serverPEMPassword; PasswordFetcher _clusterPEMPassword; @@ -1453,17 +1444,9 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManager, ("SetupOpenSSL", "EndStartupOpt } } -std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create( - const SSLParams& params, - const std::optional<TransientSSLParams>& transientSSLParams, - bool isServer) { - return std::make_shared<SSLManagerOpenSSL>(params, transientSSLParams, isServer); -} - std::shared_ptr<SSLManagerInterface> SSLManagerInterface::create(const SSLParams& params, bool isServer) { - return std::make_shared<SSLManagerOpenSSL>( - params, std::optional<TransientSSLParams>{}, isServer); + return std::make_shared<SSLManagerOpenSSL>(params, isServer); } SSLX509Name getCertificateSubjectX509Name(X509* cert) { @@ -1554,16 +1537,13 @@ SSLConnectionOpenSSL::~SSLConnectionOpenSSL() { } } -SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, - const std::optional<TransientSSLParams>& transientSSLParams, - bool isServer) +SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, bool isServer) : _serverContext(nullptr), _clientContext(nullptr), _weakValidation(params.sslWeakCertificateValidation), _allowInvalidCertificates(params.sslAllowInvalidCertificates), _allowInvalidHostnames(params.sslAllowInvalidHostnames), _suppressNoCertificateWarning(params.suppressNoTLSPeerCertificateWarning), - _transientSSLParams(transientSSLParams), _fetcher(this), _serverPEMPassword(params.sslPEMKeyPassword, "Enter PEM passphrase"), _clusterPEMPassword(params.sslClusterPassword, "Enter cluster certificate passphrase") { @@ -1571,13 +1551,6 @@ SSLManagerOpenSSL::SSLManagerOpenSSL(const SSLParams& params, uasserted(16768, "ssl initialization problem"); } - if (_transientSSLParams.has_value()) { - // No other initialization is necessary: this is egress connection manager that - // is not using local PEM files. - LOGV2_DEBUG(54090, 1, "Default params are ignored for transient SSL manager"); - return; - } - // pick the certificate for use in outgoing connections, std::string clientPEM; PasswordFetcher* clientPassword; @@ -2158,28 +2131,11 @@ Milliseconds SSLManagerOpenSSL::updateOcspStaplingContextWithResponse( return swResponse.getValue().fetchNewResponseDuration(); } -bool SSLManagerOpenSSL::isTransient() const { - return _transientSSLParams.has_value(); -} - -std::string SSLManagerOpenSSL::getTargetedClusterConnectionString() const { - if (_transientSSLParams.has_value()) { - return (*_transientSSLParams).targetedClusterConnectionString.toString(); - } - return {}; -} Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context, const SSLParams& params, + const TransientSSLParams& transientParams, ConnectionDirection direction) { - if (isTransient()) { - LOGV2_DEBUG(5270602, - 2, - "Initializing transient egress SSL context", - "targetClusterConnectionString"_attr = - (*_transientSSLParams).targetedClusterConnectionString); - } - // SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's. // SSL_OP_NO_SSLv2 - Disable SSL v2 support // SSL_OP_NO_SSLv3 - Disable SSL v3 support @@ -2241,24 +2197,24 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context, } - if (direction == ConnectionDirection::kOutgoing && _transientSSLParams) { + if (direction == ConnectionDirection::kOutgoing && + !transientParams.sslClusterPEMPayload.empty()) { // Transient params for outgoing connection have priority over global params. if (!_setupPEMFromMemoryPayload( context, - (*_transientSSLParams).sslClusterPEMPayload, + transientParams.sslClusterPEMPayload, &_clusterPEMPassword, - (*_transientSSLParams).targetedClusterConnectionString.toString())) { + transientParams.targetedClusterConnectionString.toString())) { return Status(ErrorCodes::InvalidSSLConfiguration, str::stream() << "Can not set up transient ssl cluster certificate for " - << (*_transientSSLParams).targetedClusterConnectionString); + << transientParams.targetedClusterConnectionString); } - auto status = - _parseAndValidateCertificateFromMemory((*_transientSSLParams).sslClusterPEMPayload, - &_clusterPEMPassword, - &_sslConfiguration.clientSubjectName, - nullptr); + auto status = _parseAndValidateCertificateFromMemory(transientParams.sslClusterPEMPayload, + &_clusterPEMPassword, + &_sslConfiguration.clientSubjectName, + nullptr); if (!status.isOK()) { return status.withContext("Could not validate transient certificate"); } @@ -2361,7 +2317,7 @@ bool SSLManagerOpenSSL::_initSynchronousSSLContext(UniqueSSLContext* contextPtr, ConnectionDirection direction) { *contextPtr = UniqueSSLContext(SSL_CTX_new(SSLv23_method())); - uassertStatusOK(initSSLContext(contextPtr->get(), params, direction)); + uassertStatusOK(initSSLContext(contextPtr->get(), params, TransientSSLParams(), direction)); // If renegotiation is needed, don't return from recv() or send() until it's successful. // Note: this is for blocking sockets only. |