Bug#35089047 Invalid TlsContext used if there are multiple destinatio…

…ns with the same IP.

The Router keeps one SSL_CTX object per destination with a map where a key
is a destination's hostname. This is problematic when there are multiple
destinations on a single host (e.g. local sanbdox cluster) because then
there is a single object for each destination.

This patch uses the whole IP:PORT string as an id in the map so
now there always is one SSL_CTX per destination.

Change-Id: Iad78045e5d98665b44f9a41bf303e34dcd6fbc41

router/src/routing/src/classic_greeting_forwarder.cc

@@ -840,8 +840,9 @@ ServerGreetor::client_greeting_full() {
 static stdx::expected<SSL_CTX *, std::error_code> get_dest_ssl_ctx(
     MySQLRoutingContext &ctx, const std::string &id) {
   return mysql_harness::make_tcp_address(id).and_then(
-      [&ctx](const auto &addr) -> stdx::expected<SSL_CTX *, std::error_code> {
-        return ctx.dest_ssl_ctx(addr.address())->get();
+      [&ctx,
+       &id](const auto &addr) -> stdx::expected<SSL_CTX *, std::error_code> {
+        return ctx.dest_ssl_ctx(id, addr.address())->get();
       });
 }
 

router/src/routing/src/context.h

@@ -134,15 +134,17 @@ class MySQLRoutingContext {
   /**
    * get the SSL context for the server side of the route.
    *
-   * @param dest_id id of the destination
+   * @param dest_id  unique id of the destination
+   * @param hostname name of the destination host
    *
    * @returns a TlsClientContext for the destination.
    * @retval nullptr if creating tls-context failed.
    */
-  TlsClientContext *dest_ssl_ctx(const std::string &dest_id) {
+  TlsClientContext *dest_ssl_ctx(const std::string &dest_id,
+                                 const std::string &hostname) {
     if (destination_tls_context_ == nullptr) return nullptr;
 
-    return destination_tls_context_->get(dest_id);
+    return destination_tls_context_->get(dest_id, hostname);
   }
 
   SharedQuarantineHandler &shared_quarantine() {

router/src/routing/src/destination_ssl_context.cc

@@ -68,7 +68,8 @@ void DestinationTlsContext::ciphers(const std::string &ciphers) {
   ciphers_ = ciphers;
 }
 
-TlsClientContext *DestinationTlsContext::get(const std::string &dest_id) {
+TlsClientContext *DestinationTlsContext::get(const std::string &dest_id,
+                                             const std::string &hostname) {
   std::lock_guard<std::mutex> lk(mtx_);
 
   const auto it = tls_contexts_.find(dest_id);
@@ -86,7 +87,7 @@ TlsClientContext *DestinationTlsContext::get(const std::string &dest_id) {
         tls_ctx->verify(TlsVerify::NONE);
         break;
       case SslVerify::kVerifyIdentity:
-        tls_ctx->verify_hostname(dest_id);
+        tls_ctx->verify_hostname(hostname);
         [[fallthrough]];
       case SslVerify::kVerifyCa:
         tls_ctx->ssl_ca(ca_file_, ca_path_);

router/src/routing/src/destination_ssl_context.h

@@ -94,9 +94,11 @@ class ROUTING_EXPORT DestinationTlsContext {
    * If a TlsClientContext for the destination exists, a pointer to it is
    * returned.
    *
-   * @param dest_id identified of a destination
+   * @param dest_id  unique identifier of a destination
+   * @param hostname name of the destination host
    */
-  TlsClientContext *get(const std::string &dest_id);
+  TlsClientContext *get(const std::string &dest_id,
+                        const std::string &hostname);
 
  private:
   SslVerify ssl_verify_{SslVerify::kDisabled};

router/src/routing/src/x_connection.cc

@@ -1195,8 +1195,9 @@ void MysqlRoutingXConnection::forward_tls_init() {
 static stdx::expected<SSL_CTX *, std::error_code> get_dest_ssl_ctx(
     MySQLRoutingContext &ctx, const std::string &id) {
   return mysql_harness::make_tcp_address(id).and_then(
-      [&ctx](const auto &addr) -> stdx::expected<SSL_CTX *, std::error_code> {
-        return ctx.dest_ssl_ctx(addr.address())->get();
+      [&ctx,
+       &id](const auto &addr) -> stdx::expected<SSL_CTX *, std::error_code> {
+        return ctx.dest_ssl_ctx(id, addr.address())->get();
       });
 }