aboutsummaryrefslogtreecommitdiffstats
path: root/jrt
diff options
context:
space:
mode:
authorHåvard Pettersen <havardpe@oath.com>2020-02-12 14:31:29 +0000
committerHåvard Pettersen <havardpe@oath.com>2020-02-12 14:31:29 +0000
commit5da0cd083e73d7f848803e2bfa735e2529d146e7 (patch)
tree3075dc89de08b5e7a77db27b7f365775061a3544 /jrt
parent5d657d4537d753b09f9cedce19f785c35eba2d80 (diff)
pass connection spec to crypto engine
when being a client, for hostname validation
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/Connection.java4
-rw-r--r--jrt/src/com/yahoo/jrt/CryptoEngine.java3
-rw-r--r--jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java15
-rw-r--r--jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java10
-rw-r--r--jrt/src/com/yahoo/jrt/NullCryptoEngine.java7
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoEngine.java11
-rw-r--r--jrt/src/com/yahoo/jrt/Transport.java20
-rw-r--r--jrt/src/com/yahoo/jrt/XorCryptoEngine.java7
8 files changed, 53 insertions, 24 deletions
diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index d4e1a15b957..c9c6d78ffba 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -93,7 +93,7 @@ class Connection extends Target {
this.parent = parent;
this.owner = owner;
- this.socket = parent.transport().createCryptoSocket(channel, true);
+ this.socket = parent.transport().createServerCryptoSocket(channel);
this.spec = null;
server = true;
owner.sessionInit(this);
@@ -171,7 +171,7 @@ class Connection extends Target {
return this;
}
try {
- socket = parent.transport().createCryptoSocket(SocketChannel.open(spec.resolveAddress()), false);
+ socket = parent.transport().createClientCryptoSocket(SocketChannel.open(spec.resolveAddress()), spec);
} catch (Exception e) {
setLostReason(e);
}
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index 8812264a3f1..6d1955d7f66 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -18,7 +18,8 @@ import java.nio.channels.SocketChannel;
* encryption.
**/
public interface CryptoEngine extends AutoCloseable {
- CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer);
+ CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec);
+ CryptoSocket createServerCryptoSocket(SocketChannel channel);
static CryptoEngine createDefault() {
if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
return new NullCryptoEngine();
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
index 801f2075c4e..18549df6f2c 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
@@ -21,17 +21,20 @@ public class MaybeTlsCryptoEngine implements CryptoEngine {
}
@Override
- public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- if (isServer) {
- return new MaybeTlsCryptoSocket(channel, tlsEngine, isServer);
- } else if (useTlsWhenClient) {
- return tlsEngine.createCryptoSocket(channel, false);
+ public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+ if (useTlsWhenClient) {
+ return tlsEngine.createClientCryptoSocket(channel, spec);
} else {
- return new NullCryptoSocket(channel, isServer);
+ return new NullCryptoSocket(channel, false);
}
}
@Override
+ public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+ return new MaybeTlsCryptoSocket(channel, tlsEngine);
+ }
+
+ @Override
public String toString() { return "MaybeTlsCryptoEngine(useTlsWhenClient:" + useTlsWhenClient + ")"; }
@Override
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index 5c4510665e7..60b7f342c9c 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -61,8 +61,8 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
private TlsCryptoEngine factory;
private Buffer buffer;
- MyCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) {
- super(channel, isServer);
+ MyCryptoSocket(SocketChannel channel, TlsCryptoEngine factory) {
+ super(channel, true);
this.factory = factory;
this.buffer = new Buffer(4096);
}
@@ -81,7 +81,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
data[i] = src.get(i);
}
if (looksLikeTlsToMe(data)) {
- TlsCryptoSocket tlsSocket = factory.createCryptoSocket(channel(), true);
+ TlsCryptoSocket tlsSocket = factory.createServerCryptoSocket(channel());
tlsSocket.injectReadData(buffer);
socket = tlsSocket;
return socket.handshake();
@@ -117,8 +117,8 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
}
}
- public MaybeTlsCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) {
- this.socket = new MyCryptoSocket(channel, factory, isServer);
+ public MaybeTlsCryptoSocket(SocketChannel channel, TlsCryptoEngine factory) {
+ this.socket = new MyCryptoSocket(channel, factory);
}
@Override public SocketChannel channel() { return socket.channel(); }
diff --git a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
index b5a53accf92..b97ec17a5dc 100644
--- a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
@@ -9,7 +9,10 @@ import java.nio.channels.SocketChannel;
* CryptoEngine implementation that performs no encryption.
**/
public class NullCryptoEngine implements CryptoEngine {
- @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- return new NullCryptoSocket(channel, isServer);
+ @Override public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+ return new NullCryptoSocket(channel, false);
+ }
+ @Override public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+ return new NullCryptoSocket(channel, true);
}
}
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index 84fbb7d4f01..7474220d4e7 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -20,9 +20,16 @@ public class TlsCryptoEngine implements CryptoEngine {
}
@Override
- public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
+ public TlsCryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
SSLEngine sslEngine = tlsContext.createSslEngine();
- sslEngine.setUseClientMode(!isServer);
+ sslEngine.setUseClientMode(true);
+ return new TlsCryptoSocket(channel, sslEngine);
+ }
+
+ @Override
+ public TlsCryptoSocket createServerCryptoSocket(SocketChannel channel) {
+ SSLEngine sslEngine = tlsContext.createSslEngine();
+ sslEngine.setUseClientMode(false);
return new TlsCryptoSocket(channel, sslEngine);
}
diff --git a/jrt/src/com/yahoo/jrt/Transport.java b/jrt/src/com/yahoo/jrt/Transport.java
index ad42409c48a..6f5a381fd6b 100644
--- a/jrt/src/com/yahoo/jrt/Transport.java
+++ b/jrt/src/com/yahoo/jrt/Transport.java
@@ -68,14 +68,26 @@ public class Transport {
}
/**
- * Use the underlying CryptoEngine to create a CryptoSocket.
+ * Use the underlying CryptoEngine to create a CryptoSocket for
+ * the client side of a connection.
*
* @return CryptoSocket handling appropriate encryption
* @param channel low-level socket channel to be wrapped by the CryptoSocket
- * @param isServer flag indicating which end of the connection we are
+ * @param spec who we are connecting to, for hostname validation
**/
- CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- return cryptoEngine.createCryptoSocket(channel, isServer);
+ CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+ return cryptoEngine.createClientCryptoSocket(channel, spec);
+ }
+
+ /**
+ * Use the underlying CryptoEngine to create a CryptoSocket for
+ * the server side of a connection.
+ *
+ * @return CryptoSocket handling appropriate encryption
+ * @param channel low-level socket channel to be wrapped by the CryptoSocket
+ **/
+ CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+ return cryptoEngine.createServerCryptoSocket(channel);
}
/**
diff --git a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
index 4ba6d00faa4..d720ca4dc26 100644
--- a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
@@ -11,7 +11,10 @@ import java.nio.channels.SocketChannel;
* from TLS.
**/
public class XorCryptoEngine implements CryptoEngine {
- @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
- return new XorCryptoSocket(channel, isServer);
+ @Override public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+ return new XorCryptoSocket(channel, false);
+ }
+ @Override public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+ return new XorCryptoSocket(channel, true);
}
}