Skip to content

CDRIVER-6045 Support TLS v1.3 in Secure Channel #2141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

CDRIVER-6045 Support TLS v1.3 in Secure Channel #2141

wants to merge 6 commits into from
+73 −7

Conversation

Julia-Garland
Copy link
Contributor

@Julia-Garland Julia-Garland commented Oct 7, 2025
edited
Loading

Summary

Follow up to #2118. Handles the SEC_I_RENEGOTIATE status received when TLS 1.3 is enabled with Windows Secure Channel.

Background

Secure Channel with TLS 1.3 may use the renegotiate status for internal use; instructions on how to handle this are given in Windows documentation:

“The DecryptMessage (Schannel) function will return SEC_I_RENEGOTIATE when Schannel is ready for your application to proceed. When you receive the SEC_I_RENEGOTIATE return code, your application must call AcceptSecurityContext (Schannel) (servers) or InitializeSecurityContext (Schannel) (clients), and pass the contents of SECBUFFER_EXTRA returned from DecryptMessage in the SECBUFFER_TOKEN. After this call returns a value, proceed as though your application were creating a new connection.”

Note the C driver does not handle SEC_I_RENEGOTIATE for TLS 1.1 and 1.2.

Used libcurl as an implementation reference.

Changes

Upon receipt of SEC_I_RENEGOTIATE, the driver will pass the contents of SECBUFFER_EXTRA to InitializeSecurityContext by calling mongoc_secure_channel_handshake_step_2.

In some cases, the data processed by a read may be completely consumed by the renegotiate handling. If this occurs and the read is non-blocking, _mongoc_stream_tls_secure_channel_readv will call read again to receive and decrypt the next message.

Added some extra fields to mongoc_stream_tls_secure_channel to keep the necessary information in scope.

@Julia-Garland Julia-Garland force-pushed the cdriver-6045-renegotiation branch from 6c60125 to d3bb538 Compare October 7, 2025 18:28
@Julia-Garland Julia-Garland marked this pull request as ready for review October 8, 2025 14:06
@Julia-Garland Julia-Garland requested a review from a team as a code owner October 8, 2025 14:06
@kevinAlbs kevinAlbs self-requested a review October 8, 2025 14:36
kevinAlbs
kevinAlbs approved these changes Oct 9, 2025
View reviewed changes
Copy link
Collaborator

@kevinAlbs kevinAlbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done. LGTM with a memory leak fix and possible comment tweak.

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Outdated

secure_channel->recv_renegotiate = true;

/* the tls handshake will pass the contents of SECBUFFER_EXTRA to the server */
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest avoiding "to the server". I expect the call to InitializeSecurityContext processes the received SECBUFFER_EXTRA on the client.

Suggested change
/* the tls handshake will pass the contents of SECBUFFER_EXTRA to the server */
/* mongoc_secure_channel_handshake_step_2 passes the received SECBUFFER_EXTRA to InitializeSecurityContext */

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevinAlbs kevinAlbs kevinAlbs approved these changes

@mdb-ad mdb-ad mdb-ad approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Julia-Garland @kevinAlbs @mdb-ad