[XrdCl] Use XrdTlsSocket::Connect() to do host verification.

xrootd · Oct 16, 2019 · dafe1d5 · dafe1d5
1 parent b1cbb70
commit dafe1d5
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 10 deletions.
diff --git a/src/XrdCl/XrdClAsyncSocketHandler.cc b/src/XrdCl/XrdClAsyncSocketHandler.cc
@@ -31,7 +31,8 @@ namespace XrdCl
   //----------------------------------------------------------------------------
   // Constructor
   //----------------------------------------------------------------------------
-  AsyncSocketHandler::AsyncSocketHandler( Poller           *poller,
+  AsyncSocketHandler::AsyncSocketHandler( const URL        &url,
+                                          Poller           *poller,
                                           TransportHandler *transport,
                                           AnyObject        *channelData,
                                           uint16_t          subStreamNum ):
@@ -54,7 +55,8 @@ namespace XrdCl
     pOutMsgDone( false ),
     pOutHandler( 0 ),
     pIncMsgSize( 0 ),
-    pOutMsgSize( 0 )
+    pOutMsgSize( 0 ),
+    pUrl( url )
   {
     Env *env = DefaultEnv::GetEnv();
 
@@ -729,7 +731,8 @@ namespace XrdCl
     //--------------------------------------------------------------------------
     if( pTransport->UseEncryption( pHandShakeData, *pChannelData ) )
     {
-      if( !pSocket->EnableEncryption( this ).IsOK() )
+      Status st;
+      if( !( st = pSocket->EnableEncryption( this, pUrl.GetHostName() ) ).IsOK() )
       {
         OnFaultWhileHandshaking( st );
         return;

diff --git a/src/XrdCl/XrdClAsyncSocketHandler.hh b/src/XrdCl/XrdClAsyncSocketHandler.hh
@@ -25,6 +25,7 @@
 #include "XrdCl/XrdClPostMasterInterfaces.hh"
 #include "XrdCl/XrdClTaskManager.hh"
 #include "XrdCl/XrdClXRootDResponses.hh"
+#include "XrdCl/XrdClURL.hh"
 
 namespace XrdCl
 {
@@ -66,7 +67,8 @@ namespace XrdCl
       //------------------------------------------------------------------------
       //! Constructor
       //------------------------------------------------------------------------
-      AsyncSocketHandler( Poller           *poller,
+      AsyncSocketHandler( const URL        &url,
+                          Poller           *poller,
                           TransportHandler *transport,
                           AnyObject        *channelData,
                           uint16_t          subStreamNum );
@@ -263,6 +265,7 @@ namespace XrdCl
       uint32_t                       pIncMsgSize;
       uint32_t                       pOutMsgSize;
       time_t                         pLastActivity;
+      URL                            pUrl;
   };
 }
 

diff --git a/src/XrdCl/XrdClSocket.cc b/src/XrdCl/XrdClSocket.cc
@@ -745,13 +745,16 @@ namespace XrdCl
   //------------------------------------------------------------------------
   // Enable encryption
   //------------------------------------------------------------------------
-  Status Socket::EnableEncryption( AsyncSocketHandler *socketHandler )
+  Status Socket::EnableEncryption( AsyncSocketHandler *socketHandler,
+                                   const std::string  &thehost )
   {
     if( pTls ) return Status();
 
     try
     {
       pTls = new Tls( this, socketHandler );
+      Status st = pTls->Connect( thehost, &pServerAddr );
+      if( !st.IsOK() ) return st;
     }
     catch( std::invalid_argument& ex )
     {

diff --git a/src/XrdCl/XrdClSocket.hh b/src/XrdCl/XrdClSocket.hh
@@ -270,8 +270,12 @@ namespace XrdCl
 
       //------------------------------------------------------------------------
       // Enable encryption
+      //
+      // @param socketHandler : the socket handler that is handling the socket
+      // @param the host      : host name for verification
       //------------------------------------------------------------------------
-      Status EnableEncryption( AsyncSocketHandler *socketHandler );
+      Status EnableEncryption( AsyncSocketHandler *socketHandler,
+                               const std::string  &thehost = std::string() );
 
     protected:
       //------------------------------------------------------------------------

diff --git a/src/XrdCl/XrdClStream.cc b/src/XrdCl/XrdClStream.cc
@@ -180,7 +180,7 @@ namespace XrdCl
     if( !pTransport || !pPoller || !pChannelData )
       return Status( stError, errUninitialized );
 
-    AsyncSocketHandler *s = new AsyncSocketHandler( pPoller, pTransport,
+    AsyncSocketHandler *s = new AsyncSocketHandler( *pUrl, pPoller, pTransport,
                                                     pChannelData, 0 );
     s->SetStream( this );
 
@@ -578,8 +578,8 @@ namespace XrdCl
       {
         for( uint16_t i = 1; i < numSub; ++i )
         {
-          AsyncSocketHandler *s = new AsyncSocketHandler( pPoller, pTransport,
-                                                          pChannelData, 0 );
+          AsyncSocketHandler *s = new AsyncSocketHandler( *pUrl, pPoller,
+                                                   pTransport, pChannelData, 0 );
           s->SetStream( this );
           pSubStreams.push_back( new SubStreamData() );
           pSubStreams[i]->socket = s;

diff --git a/src/XrdCl/XrdClTls.cc b/src/XrdCl/XrdClTls.cc
@@ -22,6 +22,7 @@
 
 #include "XrdTls/XrdTlsContext.hh"
 
+#include <openssl/ssl.h>
 
 namespace XrdCl
 {
@@ -35,6 +36,16 @@ namespace XrdCl
                           XrdTlsSocket::TLS_HS_NOBLK, true ) );
   }
 
+  //------------------------------------------------------------------------
+  //! Establish a TLS/SSL session and perform host verification.
+  //------------------------------------------------------------------------
+  Status Tls::Connect( const std::string &thehost, XrdNetAddrInfo *netInfo )
+  {
+    int rc = pTls->Connect( thehost.c_str(), netInfo );
+    if( rc ) return Status( stError, errTlsError, rc );
+    return Status();
+  }
+
   Status Tls::Read( char *buffer, size_t size, int &bytesRead )
   {
     //--------------------------------------------------------------------------

diff --git a/src/XrdCl/XrdClTls.hh b/src/XrdCl/XrdClTls.hh
@@ -47,6 +47,11 @@ namespace XrdCl
       {
       }
 
+      //------------------------------------------------------------------------
+      //! Establish a TLS/SSL session and perform host verification.
+      //------------------------------------------------------------------------
+      Status Connect( const std::string &thehost, XrdNetAddrInfo *netInfo );
+
       //------------------------------------------------------------------------
       //! Read through the TLS layer from the socket
       //! If necessary, will establish a TLS/SSL session.

diff --git a/src/XrdTls/XrdTlsSocket.cc b/src/XrdTls/XrdTlsSocket.cc
@@ -153,7 +153,7 @@ int XrdTlsSocket::Connect(const char *thehost, XrdNetAddrInfo *netInfo,
 {
 
 // Setup host verification of a host has been specified. This is a to-do
-// when we move to new bersions of SSL. For now, we use the notary object.
+// when we move to new versions of SSL. For now, we use the notary object.
 //
 
 // Do the connect.