From dafe1d5d65dae8361606e1f66d4d807c1aa0e4a5 Mon Sep 17 00:00:00 2001
From: Michal Simon
Date: Wed, 14 Aug 2019 16:40:24 +0200
Subject: [PATCH] [XrdCl] Use XrdTlsSocket::Connect() to do host verification.

---
 src/XrdCl/XrdClAsyncSocketHandler.cc | 9 ++++++---
 src/XrdCl/XrdClAsyncSocketHandler.hh | 5 ++++-
 src/XrdCl/XrdClSocket.cc | 5 ++++-
 src/XrdCl/XrdClSocket.hh | 6 +++++-
 src/XrdCl/XrdClStream.cc | 6 +++---
 src/XrdCl/XrdClTls.cc | 11 +++++++++++
 src/XrdCl/XrdClTls.hh | 5 +++++
 src/XrdTls/XrdTlsSocket.cc | 2 +-
 8 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/src/XrdCl/XrdClAsyncSocketHandler.cc b/src/XrdCl/XrdClAsyncSocketHandler.cc
index 6ab705c6ff0..c619829bc00 100644
--- a/src/XrdCl/XrdClAsyncSocketHandler.cc
+++ b/src/XrdCl/XrdClAsyncSocketHandler.cc
@@ -31,7 +31,8 @@ namespace XrdCl
 //----------------------------------------------------------------------------
 // Constructor
 //----------------------------------------------------------------------------
- AsyncSocketHandler::AsyncSocketHandler( Poller *poller,
+ AsyncSocketHandler::AsyncSocketHandler( const URL &url,
+ Poller *poller,
 TransportHandler *transport,
 AnyObject *channelData,
 uint16_t subStreamNum ):
@@ -54,7 +55,8 @@ namespace XrdCl
 pOutMsgDone( false ),
 pOutHandler( 0 ),
 pIncMsgSize( 0 ),
- pOutMsgSize( 0 )
+ pOutMsgSize( 0 ),
+ pUrl( url )
 {
 Env *env = DefaultEnv::GetEnv();
@@ -729,7 +731,8 @@ namespace XrdCl
 //--------------------------------------------------------------------------
 if( pTransport->UseEncryption( pHandShakeData, *pChannelData ) )
 {
- if( !pSocket->EnableEncryption( this ).IsOK() )
+ Status st;
+ if( !( st = pSocket->EnableEncryption( this, pUrl.GetHostName() ) ).IsOK() )
 {
 OnFaultWhileHandshaking( st );
 return;
diff --git a/src/XrdCl/XrdClAsyncSocketHandler.hh b/src/XrdCl/XrdClAsyncSocketHandler.hh
index 9c2d34a66b2..783797e5f97 100644
--- a/src/XrdCl/XrdClAsyncSocketHandler.hh
+++ b/src/XrdCl/XrdClAsyncSocketHandler.hh
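Review bot: The name handed to EnableEncryption() on the new `if` line is `pUrl.GetHostName()`, i.e. whatever host string the client was given, and what XrdTlsSocket::Connect() then does with it is not visible here — the XrdTlsSocket.cc hunk in this same patch still describes host verification as a to-do delegated to a notary object, so the commit title overstates what the client now enforces, and an IP literal or alias in the URL presumably would not match a certificate name anyway. I would say so at the call site: `// Peer name for certificate verification; whether it is actually checked is up to XrdTlsSocket::Connect() (see the notary note there)`. Separately, the assignment-inside-condition is harder to read than two statements, `Status st = pSocket->EnableEncryption( this, pUrl.GetHostName() );` followed by `if( !st.IsOK() )`. The enclosing function starts and ends outside the hunk.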
@@ -25,6 +25,7 @@
 #include "XrdCl/XrdClPostMasterInterfaces.hh"
 #include "XrdCl/XrdClTaskManager.hh"
 #include "XrdCl/XrdClXRootDResponses.hh"
+#include "XrdCl/XrdClURL.hh"
 namespace XrdCl
 {
@@ -66,7 +67,8 @@ namespace XrdCl
 //------------------------------------------------------------------------
 //! Constructor
 //------------------------------------------------------------------------
- AsyncSocketHandler( Poller *poller,
+ AsyncSocketHandler( const URL &url,
+ Poller *poller,
 TransportHandler *transport,
 AnyObject *channelData,
 uint16_t subStreamNum );
@@ -263,6 +265,7 @@ namespace XrdCl
 uint32_t pIncMsgSize;
 uint32_t pOutMsgSize;
 time_t pLastActivity;
+ URL pUrl;
 };
 }
diff --git a/src/XrdCl/XrdClSocket.cc b/src/XrdCl/XrdClSocket.cc
index 0ffeee03c38..31c8d7210c4 100644
--- a/src/XrdCl/XrdClSocket.cc
+++ b/src/XrdCl/XrdClSocket.cc
@@ -745,13 +745,16 @@ namespace XrdCl
 //------------------------------------------------------------------------
 // Enable encryption
 //------------------------------------------------------------------------
- Status Socket::EnableEncryption( AsyncSocketHandler *socketHandler )
+ Status Socket::EnableEncryption( AsyncSocketHandler *socketHandler,
+ const std::string &thehost )
 {
 if( pTls ) return Status();
 try
 {
 pTls = new Tls( this, socketHandler );
+ Status st = pTls->Connect( thehost, &pServerAddr );
+ if( !st.IsOK() ) return st;
 }
 catch( std::invalid_argument& ex )
 {
diff --git a/src/XrdCl/XrdClSocket.hh b/src/XrdCl/XrdClSocket.hh
index 57c89ce1cf5..d804bccb6e7 100644
--- a/src/XrdCl/XrdClSocket.hh
+++ b/src/XrdCl/XrdClSocket.hh
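Review bot: If `pTls->Connect()` fails on the new line in Socket::EnableEncryption(), `pTls` is left pointing at the freshly created Tls object, so the next call hits `if( pTls ) return Status();` and reports success without the host ever having been verified. The failure path should discard the object before returning, e.g. `if( !st.IsOK() ) { delete pTls; pTls = 0; return st; }` — adjust if the catch block below already owns that cleanup, as its body is outside the hunk. Note also that the Tls constructor shown in the XrdClTls.cc hunk selects TLS_HS_NOBLK, so a successful return here may only mean the handshake was initiated rather than that the certificate was checked; that is worth stating in the header comment. The function body continues past the hunk.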
@@ -270,8 +270,12 @@ namespace XrdCl
 //------------------------------------------------------------------------
 // Enable encryption
+ //
+ // @param socketHandler : the socket handler that is handling the socket
+ // @param the host : host name for verification
 //------------------------------------------------------------------------
- Status EnableEncryption( AsyncSocketHandler *socketHandler );
+ Status EnableEncryption( AsyncSocketHandler *socketHandler,
+ const std::string &thehost = std::string() );
 protected:
 //------------------------------------------------------------------------
diff --git a/src/XrdCl/XrdClStream.cc b/src/XrdCl/XrdClStream.cc
index bd53fc2d937..6b17f755fcb 100644
--- a/src/XrdCl/XrdClStream.cc
+++ b/src/XrdCl/XrdClStream.cc
@@ -180,7 +180,7 @@ namespace XrdCl
 if( !pTransport || !pPoller || !pChannelData ) return Status( stError, errUninitialized );
- AsyncSocketHandler *s = new AsyncSocketHandler( pPoller, pTransport,
+ AsyncSocketHandler *s = new AsyncSocketHandler( *pUrl, pPoller, pTransport,
 pChannelData, 0 );
 s->SetStream( this );
@@ -578,8 +578,8 @@ namespace XrdCl
 {
 for( uint16_t i = 1; i < numSub; ++i )
 {
- AsyncSocketHandler *s = new AsyncSocketHandler( pPoller, pTransport,
- pChannelData, 0 );
+ AsyncSocketHandler *s = new AsyncSocketHandler( *pUrl, pPoller,
+ pTransport, pChannelData, 0 );
 s->SetStream( this );
 pSubStreams.push_back( new SubStreamData() );
 pSubStreams[i]->socket = s;
diff --git a/src/XrdCl/XrdClTls.cc b/src/XrdCl/XrdClTls.cc
index 8dc5f744e44..6668100a894 100644
--- a/src/XrdCl/XrdClTls.cc
+++ b/src/XrdCl/XrdClTls.cc
@@ -22,6 +22,7 @@
 #include "XrdTls/XrdTlsContext.hh"
+#include
 namespace XrdCl
 {
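Review bot: The `= std::string()` default on the new EnableEncryption() declaration makes "no host name" the silent choice, and the XrdTlsSocket.cc hunk in this patch says verification is only set up when a host has been specified, so any caller still using the one-argument form gets an encrypted but unauthenticated peer with no warning. Either drop the default so every caller has to decide, or document the consequence explicitly: `// @param thehost : expected peer host name; if empty, no host verification is performed`. The `@param the host` tag also does not match the parameter name `thehost`, so doc tooling will not bind it.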
@@ -35,6 +36,16 @@ namespace XrdCl
 XrdTlsSocket::TLS_HS_NOBLK, true ) );
 }
+ //------------------------------------------------------------------------
+ //! Establish a TLS/SSL session and perform host verification.
+ //------------------------------------------------------------------------
+ Status Tls::Connect( const std::string &thehost, XrdNetAddrInfo *netInfo )
+ {
+ int rc = pTls->Connect( thehost.c_str(), netInfo );
+ if( rc ) return Status( stError, errTlsError, rc );
+ return Status();
+ }
+
 Status Tls::Read( char *buffer, size_t size, int &bytesRead )
 {
 //--------------------------------------------------------------------------
diff --git a/src/XrdCl/XrdClTls.hh b/src/XrdCl/XrdClTls.hh
index fe027e16a53..ae774c01513 100644
--- a/src/XrdCl/XrdClTls.hh
+++ b/src/XrdCl/XrdClTls.hh
@@ -47,6 +47,11 @@ namespace XrdCl
 {
 }
+ //------------------------------------------------------------------------
+ //! Establish a TLS/SSL session and perform host verification.
+ //------------------------------------------------------------------------
+ Status Connect( const std::string &thehost, XrdNetAddrInfo *netInfo );
+
 //------------------------------------------------------------------------
 //! Read through the TLS layer from the socket
 //! If necessary, will establish a TLS/SSL session.
diff --git a/src/XrdTls/XrdTlsSocket.cc b/src/XrdTls/XrdTlsSocket.cc
index 91f971ec895..27867279f83 100644
--- a/src/XrdTls/XrdTlsSocket.cc
+++ b/src/XrdTls/XrdTlsSocket.cc
@@ -153,7 +153,7 @@ int XrdTlsSocket::Connect(const char *thehost, XrdNetAddrInfo *netInfo,
 {
 // Setup host verification of a host has been specified. This is a to-do
-// when we move to new bersions of SSL. For now, we use the notary object.
+// when we move to new versions of SSL. For now, we use the notary object.
 //
 // Do the connect.
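Review bot: `thehost.c_str()` in the new Tls::Connect() always passes a non-null pointer, even when the caller supplied the empty default from Socket::EnableEncryption(), so whether an empty name disables or fails verification depends entirely on how XrdTlsSocket::Connect() decides that "a host has been specified" — that test is not in view. If the lower layer accepts a null pointer, as its comment suggests, I would make the intent explicit at this boundary with `const char *host = thehost.empty() ? 0 : thehost.c_str();` and pass `host`; otherwise reject an empty name here. The return value also deserves a line, `//! @return Status with errTlsError and the XrdTlsSocket::Connect() code on failure`, and the header comment's promise of host verification should be hedged until the notary to-do in XrdTlsSocket.cc is resolved.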
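Review bot: The new Tls::Connect() declaration documents neither parameter nor the return, and since this is the point where a caller decides what name the peer is checked against, that is the place a reader will look. I would add `//! @param thehost : host name handed to XrdTlsSocket::Connect() for verification` and `//! @param netInfo : address of the peer, passed through unchanged` under the brief line, and `//! @return errTlsError carrying the XrdTlsSocket::Connect() code on failure`, which matches the implementation in the XrdClTls.cc hunk.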