[XrdCl] Request signing: support sec vector

src/XrdCl/XrdClAsyncSocketHandler.cc

@@ -777,12 +777,15 @@ namespace XrdCl
 
   Status AsyncSocketHandler::SecureMsg( Message *toSign )
   {
+    ClientRequest *thereq  = reinterpret_cast<ClientRequest*>( toSign->GetBuffer() );
+    kXR_unt16 reqid = ntohs( thereq->header.requestid );
+    if( reqid == kXR_sigver ) return Status(); // the message is already signed
+
     XRootDChannelInfo *info = 0;
     pChannelData->Get( info );
     if( info && info->protection )
     {
       SecurityRequest *newreq  = 0;
-      ClientRequest   *thereq  = reinterpret_cast<ClientRequest*>( toSign->GetBuffer() );
       // check if we have to secure the request in the first place
       if( !NEED2SECURE ( info->protection )( *thereq ) ) return Status();
       // secure (sign/encrypt) the request

src/XrdCl/XrdClXRootDChannelInfo.hh

@@ -73,13 +73,13 @@ namespace XrdCl
       openFiles(0),
       waitBarrier(0),
       protection(0),
-      signprot(0)
+      signprot(0),
+      protRespBody(0),
+      protRespSize(0)
     {
       sidManager = new SIDManager();
       memset( sessionId, 0, 16 );
       memset( oldSessionId, 0, 16 );
-
-      // TODO cleanup protection and signprot
     }
 
     //--------------------------------------------------------------------------
@@ -89,33 +89,42 @@ namespace XrdCl
     {
       delete    sidManager;
       delete [] authBuffer;
+      delete    protRespBody;
+
+      if( protection )
+        protection->Delete();
+
+      if( signprot )
+        signprot->Delete();
     }
 
     typedef std::vector<XRootDStreamInfo> StreamInfoVector;
 
     //--------------------------------------------------------------------------
     // Data
     //--------------------------------------------------------------------------
-    uint32_t          serverFlags;
-    uint32_t          protocolVersion;
-    uint8_t           sessionId[16];
-    uint8_t           oldSessionId[16];
-    bool              firstLogIn;
-    SIDManager       *sidManager;
-    char             *authBuffer;
-    XrdSecProtocol   *authProtocol;
-    XrdSecParameters *authParams;
-    XrdOucEnv        *authEnv;
-    StreamInfoVector  stream;
-    std::string       streamName;
-    std::string       authProtocolName;
-    std::set<uint16_t> sentOpens;
-    std::set<uint16_t> sentCloses;
-    uint32_t          openFiles;
-    time_t            waitBarrier;
-    XrdSecProtect    *protection;
-    XrdSecProtocol   *signprot;
-    XrdSysMutex       mutex;
+    uint32_t                     serverFlags;
+    uint32_t                     protocolVersion;
+    uint8_t                      sessionId[16];
+    uint8_t                      oldSessionId[16];
+    bool                         firstLogIn;
+    SIDManager                  *sidManager;
+    char                        *authBuffer;
+    XrdSecProtocol              *authProtocol;
+    XrdSecParameters            *authParams;
+    XrdOucEnv                   *authEnv;
+    StreamInfoVector             stream;
+    std::string                  streamName;
+    std::string                  authProtocolName;
+    std::set<uint16_t>           sentOpens;
+    std::set<uint16_t>           sentCloses;
+    uint32_t                     openFiles;
+    time_t                       waitBarrier;
+    XrdSecProtect               *protection;
+    XrdSecProtocol              *signprot;
+    ServerResponseBody_Protocol *protRespBody;
+    unsigned int                 protRespSize;
+    XrdSysMutex                  mutex;
   };
 
 };

src/XrdCl/XrdClXRootDTransport.cc

@@ -769,7 +769,7 @@ namespace XrdCl
         // kXR_protocol
         //----------------------------------------------------------------------
         case kXR_protocol:
-          if( m->hdr.dlen != 8 )
+          if( m->hdr.dlen < 8 )
             return Status( stError, errInvalidMessage );
           m->body.protocol.pval  = ntohl( m->body.protocol.pval );
           m->body.protocol.flags = ntohl( m->body.protocol.flags );
@@ -1081,6 +1081,7 @@ namespace XrdCl
 
     proto->requestid = htons(kXR_protocol);
     proto->clientpv  = htonl(kXR_PROTOCOLVERSION);
+    proto->flags     = kXR_secreqs;
     return msg;
   }
 
@@ -1167,6 +1168,9 @@ namespace XrdCl
     if( rsp->body.protocol.pval >= 0x297 )
       info->serverFlags = rsp->body.protocol.flags;
 
+    info->protRespBody = new ServerResponseBody_Protocol( rsp->body.protocol );
+    info->protRespSize = rsp->hdr.dlen;
+
     log->Debug( XRootDTransportMsg,
                 "[%s] kXR_protocol successful (%s, protocol version %x)",
                 hsData->streamName.c_str(),
@@ -1504,7 +1508,7 @@ namespace XrdCl
       {
         info->authProtocolName = info->authProtocol->Entity.prot;
 
-        int rc = XrdSecGetProtection( info->protection, *info->authProtocol, info->serverFlags );
+        int rc = XrdSecGetProtection( info->protection, *info->authProtocol, *info->protRespBody, info->protRespSize );
         if( rc > 0 )
         {
           log->Debug( XRootDTransportMsg,
@@ -1517,12 +1521,14 @@ namespace XrdCl
           log->Debug( XRootDTransportMsg,
                       "[%s] XrdSecProtect: no protection needed.",
                       hsData->streamName.c_str() );
+          CleanUpProtection( info );
         }
         else
         {
           log->Debug( XRootDTransportMsg,
                       "[%s] Failed to load XrdSecProtect: %s",
                       hsData->streamName.c_str(), strerror( -rc ) );
+          CleanUpProtection( info );
         }
 
         CleanUpAuthentication( info );
@@ -1684,6 +1690,13 @@ namespace XrdCl
       info->signprot = 0;
     }
 
+    if( info->protRespBody )
+    {
+      delete info->protRespBody;
+      info->protRespBody = 0;
+      info->protRespSize = 0;
+    }
+
     return Status();
   }