CPP-793 Add SNI support to SocketConnector and SSL backend

Author: Michael Penick

cpp-driver/gtests/src/unit/mockssandra.cpp

@@ -228,6 +228,13 @@ int ClientConnection::accept() {
   return uv_read_start(tcp_.as_stream(), on_alloc, on_read);
 }
 
+const char* ClientConnection::sni_server_name() const {
+  if (ssl_) {
+    return SSL_get_servername(ssl_, TLSEXT_NAMETYPE_host_name);
+  }
+  return NULL;
+}
+
 void ClientConnection::on_close(uv_handle_t* handle) {
   ClientConnection* connection = static_cast<ClientConnection*>(handle->data);
   connection->handle_close();

cpp-driver/gtests/src/unit/mockssandra.hpp

@@ -103,6 +103,8 @@ class ClientConnection {
 protected:
   int accept();
 
+  const char* sni_server_name() const;
+
 private:
   static void on_close(uv_handle_t* handle);
   void handle_close();
@@ -144,6 +146,7 @@ class ClientConnection {
 class ClientConnectionFactory {
 public:
   virtual ClientConnection* create(ServerConnection* server) const = 0;
+  virtual ~ClientConnectionFactory() {}
 };
 
 class ServerConnectionTask : public RefCounted<ServerConnectionTask> {
@@ -1246,53 +1249,39 @@ class SimpleCluster : public Cluster {
 
 class SimpleEchoServer {
 public:
-  SimpleEchoServer(const Address& address = Address("127.0.0.1", 8888))
-      : event_loop_group_(1)
-      , server_(new internal::ServerConnection(address, factory_)) {}
+  SimpleEchoServer()
+      : factory_(new EchoClientConnectionFactory())
+      , event_loop_group_(1) {}
 
   ~SimpleEchoServer() { close(); }
 
   void close() {
-    server_->close();
-    server_->wait_close();
+    if (server_) {
+      server_->close();
+      server_->wait_close();
+    }
   }
 
   String use_ssl(const String& cn = "") {
-    String key(Ssl::generate_key());
-    String cert(Ssl::generate_cert(key, cn));
-    if (!server_->use_ssl(key, cert)) {
-      return "";
-    }
-    return cert;
+    ssl_key_ = Ssl::generate_key();
+    ssl_cert_ = Ssl::generate_cert(ssl_key_, cn);
+    return ssl_cert_;
   }
 
-  void use_close_immediately() { factory_.use_close_immediately(); }
+  void use_connection_factory(internal::ClientConnectionFactory* factory) {
+    factory_.reset(factory);
+  }
 
-  int listen() {
+  int listen(const Address& address = Address("127.0.0.1", 8888)) {
+    server_.reset(new internal::ServerConnection(address, *factory_));
+    if (!ssl_key_.empty() && !ssl_cert_.empty() && !server_->use_ssl(ssl_key_, ssl_cert_)) {
+      return -1;
+    }
     server_->listen(&event_loop_group_);
     return server_->wait_listen();
   }
 
-  void reset(const Address& address) {
-    server_.reset(new internal::ServerConnection(address, factory_));
-  }
-
 private:
-  class CloseConnection : public internal::ClientConnection {
-  public:
-    CloseConnection(internal::ServerConnection* server)
-        : internal::ClientConnection(server) {}
-
-    virtual int on_accept() {
-      int rc = accept();
-      if (rc != 0) {
-        return rc;
-      }
-      close();
-      return rc;
-    }
-  };
-
   class EchoConnection : public internal::ClientConnection {
   public:
     EchoConnection(internal::ServerConnection* server)
@@ -1301,29 +1290,19 @@ class SimpleEchoServer {
     virtual void on_read(const char* data, size_t len) { write(data, len); }
   };
 
-  class ClientConnectionFactory : public internal::ClientConnectionFactory {
+  class EchoClientConnectionFactory : public internal::ClientConnectionFactory {
   public:
-    ClientConnectionFactory()
-        : close_immediately_(false) {}
-
-    void use_close_immediately() { close_immediately_ = true; }
-
     virtual internal::ClientConnection* create(internal::ServerConnection* server) const {
-      if (close_immediately_) {
-        return new CloseConnection(server);
-      } else {
-        return new EchoConnection(server);
-      }
+      return new EchoConnection(server);
     }
-
-  private:
-    bool close_immediately_;
   };
 
 private:
-  ClientConnectionFactory factory_;
+  ScopedPtr<internal::ClientConnectionFactory> factory_;
   SimpleEventLoopGroup event_loop_group_;
   internal::ServerConnection::Ptr server_;
+  String ssl_key_;
+  String ssl_cert_;
 };
 
 } // namespace mockssandra

cpp-driver/gtests/src/unit/tests/test_socket.cpp

@@ -24,6 +24,54 @@
 #define SSL_VERIFY_PEER_DNS_ABSOLUTE_HOSTNAME SSL_VERIFY_PEER_DNS_RELATIVE_HOSTNAME "."
 #define SSL_VERIFY_PEER_DNS_IP_ADDRESS "127.254.254.254"
 
+using mockssandra::internal::ClientConnection;
+using mockssandra::internal::ClientConnectionFactory;
+using mockssandra::internal::ServerConnection;
+
+class CloseConnection : public ClientConnection {
+public:
+  CloseConnection(ServerConnection* server)
+      : ClientConnection(server) {}
+
+  virtual int on_accept() {
+    int rc = accept();
+    if (rc != 0) {
+      return rc;
+    }
+    close();
+    return rc;
+  }
+};
+
+class CloseConnectionFactory : public ClientConnectionFactory {
+public:
+  virtual ClientConnection* create(ServerConnection* server) const {
+    return new CloseConnection(server);
+  }
+};
+
+class SniServerNameConnection : public ClientConnection {
+public:
+  SniServerNameConnection(ServerConnection* server)
+      : ClientConnection(server) {}
+
+  virtual void on_read(const char* data, size_t len) {
+    const char* server_name = sni_server_name();
+    if (server_name) {
+      write(String(server_name) + " - Closed");
+    } else {
+      write("<unknown> - Closed");
+    }
+  }
+};
+
+class SniServerNameConnectionFactory : public ClientConnectionFactory {
+public:
+  virtual ClientConnection* create(ServerConnection* server) const {
+    return new SniServerNameConnection(server);
+  }
+};
+
 using namespace datastax;
 using namespace datastax::internal;
 using namespace datastax::internal::core;
@@ -88,13 +136,16 @@ class SocketUnitTest : public LoopTest {
     return settings;
   }
 
-  void listen() { ASSERT_EQ(server_.listen(), 0); }
-
-  void reset(const Address& address) { server_.reset(address); }
+  void listen(const Address& address = Address("127.0.0.1", 8888)) {
+    ASSERT_EQ(server_.listen(address), 0);
+  }
 
   void close() { server_.close(); }
 
-  void use_close_immediately() { server_.use_close_immediately(); }
+  void use_close_immediately() { server_.use_connection_factory(new CloseConnectionFactory()); }
+  void use_sni_server_name() {
+    server_.use_connection_factory(new SniServerNameConnectionFactory());
+  }
 
   virtual void TearDown() {
     LoopTest::TearDown();
@@ -167,10 +218,10 @@ TEST_F(SocketUnitTest, Simple) {
 }
 
 TEST_F(SocketUnitTest, Ssl) {
-  listen();
-
   SocketSettings settings(use_ssl());
 
+  listen();
+
   String result;
   SocketConnector::Ptr connector(
       new SocketConnector(Address("127.0.0.1", 8888), bind_callback(on_socket_connected, &result)));
@@ -182,6 +233,24 @@ TEST_F(SocketUnitTest, Ssl) {
   EXPECT_EQ(result, "The socket is successfully connected and wrote data - Closed");
 }
 
+TEST_F(SocketUnitTest, SslSniServerName) {
+  SocketSettings settings(use_ssl());
+
+  use_sni_server_name();
+  listen();
+
+  String result;
+  SocketConnector::Ptr connector(
+      new SocketConnector(Address("127.0.0.1", 8888, "TestSniServerName"),
+                          bind_callback(on_socket_connected, &result)));
+
+  connector->with_settings(settings)->connect(loop());
+
+  uv_run(loop(), UV_RUN_DEFAULT);
+
+  EXPECT_EQ(result, "TestSniServerName - Closed");
+}
+
 TEST_F(SocketUnitTest, Refused) {
   bool is_refused = false;
   SocketConnector::Ptr connector(new SocketConnector(
@@ -194,11 +263,11 @@ TEST_F(SocketUnitTest, Refused) {
 }
 
 TEST_F(SocketUnitTest, SslClose) {
+  SocketSettings settings(use_ssl());
+
   use_close_immediately();
   listen();
 
-  SocketSettings settings(use_ssl());
-
   Vector<SocketConnector::Ptr> connectors;
 
   bool is_closed = false;
@@ -241,10 +310,10 @@ TEST_F(SocketUnitTest, Cancel) {
 }
 
 TEST_F(SocketUnitTest, SslCancel) {
-  listen();
-
   SocketSettings settings(use_ssl());
 
+  listen();
+
   Vector<SocketConnector::Ptr> connectors;
 
   bool is_canceled = false;
@@ -268,9 +337,10 @@ TEST_F(SocketUnitTest, SslCancel) {
 }
 
 TEST_F(SocketUnitTest, SslVerifyIdentity) {
+  SocketSettings settings(use_ssl("127.0.0.1"));
+
   listen();
 
-  SocketSettings settings(use_ssl("127.0.0.1"));
   settings.ssl_context->set_verify_flags(CASS_SSL_VERIFY_PEER_IDENTITY);
 
   String result;
@@ -295,11 +365,11 @@ TEST_F(SocketUnitTest, SslVerifyIdentityDns) {
     return;
   }
 
-  reset(Address(SSL_VERIFY_PEER_DNS_IP_ADDRESS,
-                8888)); // Ensure the echo server is listening on the correct address
-  listen();
-
   SocketSettings settings(use_ssl(SSL_VERIFY_PEER_DNS_RELATIVE_HOSTNAME));
+
+  listen(Address(SSL_VERIFY_PEER_DNS_IP_ADDRESS,
+                 8888)); // Ensure the echo server is listening on the correct address
+
   settings.ssl_context->set_verify_flags(CASS_SSL_VERIFY_PEER_IDENTITY_DNS);
 
   String result;

cpp-driver/src/socket_connector.cpp

@@ -159,7 +159,8 @@ void SocketConnector::internal_connect(uv_loop_t* loop) {
   }
 
   if (settings_.ssl_context) {
-    ssl_session_.reset(settings_.ssl_context->create_session(address_, hostname_));
+    ssl_session_.reset(
+        settings_.ssl_context->create_session(address_, hostname_, address_.server_name()));
   }
 
   connector_.reset(new TcpConnector(address_));

cpp-driver/src/ssl.hpp

@@ -32,9 +32,11 @@ namespace datastax { namespace internal { namespace core {
 
 class SslSession : public Allocated {
 public:
-  SslSession(const Address& address, const String& hostname, int flags)
+  SslSession(const Address& address, const String& hostname, const String& sni_server_name,
+             int flags)
       : address_(address)
       , hostname_(hostname)
+      , sni_server_name_(sni_server_name)
       , verify_flags_(flags)
       , error_code_(CASS_OK) {}
 
@@ -59,6 +61,7 @@ class SslSession : public Allocated {
 protected:
   Address address_;
   String hostname_;
+  String sni_server_name_;
   int verify_flags_;
   rb::RingBuffer incoming_;
   rb::RingBuffer outgoing_;
@@ -78,7 +81,8 @@ class SslContext : public RefCounted<SslContext> {
   void set_verify_flags(int flags) { verify_flags_ = flags; }
   bool is_cert_validation_enabled() { return verify_flags_ != CASS_SSL_VERIFY_NONE; }
 
-  virtual SslSession* create_session(const Address& address, const String& hostname) = 0;
+  virtual SslSession* create_session(const Address& address, const String& hostname,
+                                     const String& sni_server_name) = 0;
   virtual CassError add_trusted_cert(const char* cert, size_t cert_length) = 0;
   virtual CassError set_cert(const char* cert, size_t cert_length) = 0;
   virtual CassError set_private_key(const char* key, size_t key_length, const char* password,

cpp-driver/src/ssl/ssl_no_impl.cpp

@@ -19,14 +19,16 @@
 using namespace datastax;
 using namespace datastax::internal::core;
 
-NoSslSession::NoSslSession(const Address& address, const String& hostname)
-    : SslSession(address, hostname, CASS_SSL_VERIFY_NONE) {
+NoSslSession::NoSslSession(const Address& address, const String& hostname,
+                           const String& sni_server_name)
+    : SslSession(address, hostname, sni_server_name, CASS_SSL_VERIFY_NONE) {
   error_code_ = CASS_ERROR_LIB_NOT_IMPLEMENTED;
   error_message_ = "SSL support not built into driver";
 }
 
-SslSession* NoSslContext::create_session(const Address& address, const String& hostname) {
-  return new NoSslSession(address, hostname);
+SslSession* NoSslContext::create_session(const Address& address, const String& hostname,
+                                         const String& sni_server_name) {
+  return new NoSslSession(address, hostname, sni_server_name);
 }
 
 CassError NoSslContext::add_trusted_cert(const char* cert, size_t cert_length) {

cpp-driver/src/ssl/ssl_no_impl.hpp

@@ -21,7 +21,7 @@ namespace datastax { namespace internal { namespace core {
 
 class NoSslSession : public SslSession {
 public:
-  NoSslSession(const Address& address, const String& hostname);
+  NoSslSession(const Address& address, const String& hostname, const String& sni_server_name);
 
   virtual bool is_handshake_done() const { return false; }
   virtual void do_handshake() {}