Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2844

Some errors ignored when loading certs, CAs, CRLs

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: tls
    • None

      No error if CA configuration fails with Darwin Secure Transport: mongoc_secure_transport_setup_ca returns true even if SSLSetTrustedRoots fails. mongoc_secure_transport_setup_certificate also ignores the return value of SSLSetCertificate and returns true.

      On Windows, mongoc_stream_tls_secure_channel_new logs but succeeds if it cannot load the CA, CRL, or cert. Error messages in mongoc-secure-channel.c are sometimes logged with MONGOC_WARNING, they should all be MONGOC_ERROR.

      With OpenSSL, on the other hand, failure to load a CRL results in a NULL return with no log message.

      Error messages differ from one library to another.

      Let's make the error messages consistent, and let's ensure that an error results in a NULL return from mongoc_stream_tls_new_with_hostname, and on error that the base stream is not destroyed.

      A test like this in test-mongoc-stream-tls-error.c should pass once everything's fixed:

      #define TLS_LOAD_ERR(_msg)                                             \
   do {                                                                \
      capture_logs (true);                                             \
      stream = mongoc_stream_socket_new (                              \
         mongoc_socket_new (AF_INET, SOCK_STREAM, 0)));                \
      BSON_ASSERT (                                                    \
         !mongoc_stream_tls_new_with_hostname (stream, NULL, &opt, 0); \
      ASSERT_CAPTURED_LOG (                                            \
         "bad TLS config file", MONGOC_LOG_LEVEL_ERROR, (_msg));       \
      opt.pem_file = opt.ca_file = opt.ca_dir = opt.crl_file = NULL;   \
   } while (0)


static void
test_mongoc_tls_load_files (void)
{
   mongoc_ssl_opt_t opt = {0};
   mongoc_stream_t *stream;
   mongoc_stream_t *tls_stream = NULL;

   opt.pem_file = "badfile";
   TLS_LOAD_ERR ("Cannot find certificate in 'badfile'");
   opt.ca_file = "badfile";
   TLS_LOAD_ERR ("Cannot load Certificate Authorities from file 'badfile'");

#if !defined(MONGOC_ENABLE_SSL_SECURE_TRANSPORT)
   opt.ca_file = opt.ca_dir = "badfile";
   TLS_LOAD_ERR ("Cannot load Certificate Authorities from file 'badfile'");
   opt.crl_file = "badfile";
   TLS_LOAD_ERR ("Cannot find certificate in 'badfile'");
   /* a bad ca_dir causes no error */
   opt.ca_dir = "badfile";
   tls_stream = mongoc_stream_tls_new_with_hostname (stream, NULL, &opt, 0);
   BSON_ASSERT (tls_stream);
   mongoc_stream_destroy (tls_stream);
#endif
}

            Assignee:
            Unassigned Unassigned
            Reporter:
            jesse@mongodb.com A. Jesse Jiryu Davis
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: