From 5da0cd083e73d7f848803e2bfa735e2529d146e7 Mon Sep 17 00:00:00 2001
From: Håvard Pettersen <havardpe@oath.com>
Date: Wed, 12 Feb 2020 14:31:29 +0000
Subject: pass connection spec to crypto engine

when being a client, for hostname validation
---
 jrt/src/com/yahoo/jrt/Connection.java           |  4 ++--
 jrt/src/com/yahoo/jrt/CryptoEngine.java         |  3 ++-
 jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java | 15 +++++++++------
 jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java | 10 +++++-----
 jrt/src/com/yahoo/jrt/NullCryptoEngine.java     |  7 +++++--
 jrt/src/com/yahoo/jrt/TlsCryptoEngine.java      | 11 +++++++++--
 jrt/src/com/yahoo/jrt/Transport.java            | 20 ++++++++++++++++----
 jrt/src/com/yahoo/jrt/XorCryptoEngine.java      |  7 +++++--
 8 files changed, 53 insertions(+), 24 deletions(-)

(limited to 'jrt/src')

diff --git a/jrt/src/com/yahoo/jrt/Connection.java b/jrt/src/com/yahoo/jrt/Connection.java
index d4e1a15b957..c9c6d78ffba 100644
--- a/jrt/src/com/yahoo/jrt/Connection.java
+++ b/jrt/src/com/yahoo/jrt/Connection.java
@@ -93,7 +93,7 @@ class Connection extends Target {
 
         this.parent = parent;
         this.owner = owner;
-        this.socket = parent.transport().createCryptoSocket(channel, true);
+        this.socket = parent.transport().createServerCryptoSocket(channel);
         this.spec = null;
         server = true;
         owner.sessionInit(this);
@@ -171,7 +171,7 @@ class Connection extends Target {
             return this;
         }
         try {
-            socket = parent.transport().createCryptoSocket(SocketChannel.open(spec.resolveAddress()), false);
+            socket = parent.transport().createClientCryptoSocket(SocketChannel.open(spec.resolveAddress()), spec);
         } catch (Exception e) {
             setLostReason(e);
         }
diff --git a/jrt/src/com/yahoo/jrt/CryptoEngine.java b/jrt/src/com/yahoo/jrt/CryptoEngine.java
index 8812264a3f1..6d1955d7f66 100644
--- a/jrt/src/com/yahoo/jrt/CryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/CryptoEngine.java
@@ -18,7 +18,8 @@ import java.nio.channels.SocketChannel;
  * encryption.
  **/
 public interface CryptoEngine extends AutoCloseable {
-    CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer);
+    CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec);
+    CryptoSocket createServerCryptoSocket(SocketChannel channel);
     static CryptoEngine createDefault() {
         if (!TransportSecurityUtils.isTransportSecurityEnabled()) {
             return new NullCryptoEngine();
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
index 801f2075c4e..18549df6f2c 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoEngine.java
@@ -21,16 +21,19 @@ public class MaybeTlsCryptoEngine implements CryptoEngine {
     }
 
     @Override
-    public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
-        if (isServer) {
-            return new MaybeTlsCryptoSocket(channel, tlsEngine, isServer);
-        } else if (useTlsWhenClient) {
-            return tlsEngine.createCryptoSocket(channel, false);
+    public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+        if (useTlsWhenClient) {
+            return tlsEngine.createClientCryptoSocket(channel, spec);
         } else {
-            return new NullCryptoSocket(channel, isServer);
+            return new NullCryptoSocket(channel, false);
         }
     }
 
+    @Override
+    public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+        return new MaybeTlsCryptoSocket(channel, tlsEngine);
+    }
+
     @Override
     public String toString() { return "MaybeTlsCryptoEngine(useTlsWhenClient:" + useTlsWhenClient + ")"; }
 
diff --git a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
index 5c4510665e7..60b7f342c9c 100644
--- a/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/MaybeTlsCryptoSocket.java
@@ -61,8 +61,8 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
         private TlsCryptoEngine factory;
         private Buffer buffer;
 
-        MyCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) {
-            super(channel, isServer);
+        MyCryptoSocket(SocketChannel channel, TlsCryptoEngine factory) {
+            super(channel, true);
             this.factory = factory;
             this.buffer = new Buffer(4096);
         }
@@ -81,7 +81,7 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
                     data[i] = src.get(i);
                 }
                 if (looksLikeTlsToMe(data)) {
-                    TlsCryptoSocket tlsSocket = factory.createCryptoSocket(channel(), true);
+                    TlsCryptoSocket tlsSocket = factory.createServerCryptoSocket(channel());
                     tlsSocket.injectReadData(buffer);
                     socket = tlsSocket;
                     return socket.handshake();
@@ -117,8 +117,8 @@ public class MaybeTlsCryptoSocket implements CryptoSocket {
         }
     }
 
-    public MaybeTlsCryptoSocket(SocketChannel channel, TlsCryptoEngine factory, boolean isServer) {
-        this.socket = new MyCryptoSocket(channel, factory, isServer);
+    public MaybeTlsCryptoSocket(SocketChannel channel, TlsCryptoEngine factory) {
+        this.socket = new MyCryptoSocket(channel, factory);
     }
 
     @Override public SocketChannel channel() { return socket.channel(); }
diff --git a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
index b5a53accf92..b97ec17a5dc 100644
--- a/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/NullCryptoEngine.java
@@ -9,7 +9,10 @@ import java.nio.channels.SocketChannel;
  * CryptoEngine implementation that performs no encryption.
  **/
 public class NullCryptoEngine implements CryptoEngine {
-    @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
-        return new NullCryptoSocket(channel, isServer);
+    @Override public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+        return new NullCryptoSocket(channel, false);
+    }
+    @Override public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+        return new NullCryptoSocket(channel, true);
     }
 }
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index 84fbb7d4f01..7474220d4e7 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -20,9 +20,16 @@ public class TlsCryptoEngine implements CryptoEngine {
     }
 
     @Override
-    public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer)  {
+    public TlsCryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec)  {
         SSLEngine sslEngine = tlsContext.createSslEngine();
-        sslEngine.setUseClientMode(!isServer);
+        sslEngine.setUseClientMode(true);
+        return new TlsCryptoSocket(channel, sslEngine);
+    }
+
+    @Override
+    public TlsCryptoSocket createServerCryptoSocket(SocketChannel channel)  {
+        SSLEngine sslEngine = tlsContext.createSslEngine();
+        sslEngine.setUseClientMode(false);
         return new TlsCryptoSocket(channel, sslEngine);
     }
 
diff --git a/jrt/src/com/yahoo/jrt/Transport.java b/jrt/src/com/yahoo/jrt/Transport.java
index ad42409c48a..6f5a381fd6b 100644
--- a/jrt/src/com/yahoo/jrt/Transport.java
+++ b/jrt/src/com/yahoo/jrt/Transport.java
@@ -68,14 +68,26 @@ public class Transport {
     }
 
     /**
-     * Use the underlying CryptoEngine to create a CryptoSocket.
+     * Use the underlying CryptoEngine to create a CryptoSocket for
+     * the client side of a connection.
      *
      * @return CryptoSocket handling appropriate encryption
      * @param channel low-level socket channel to be wrapped by the CryptoSocket
-     * @param isServer flag indicating which end of the connection we are
+     * @param spec who we are connecting to, for hostname validation
      **/
-    CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
-        return cryptoEngine.createCryptoSocket(channel, isServer);
+    CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+        return cryptoEngine.createClientCryptoSocket(channel, spec);
+    }
+
+    /**
+     * Use the underlying CryptoEngine to create a CryptoSocket for
+     * the server side of a connection.
+     *
+     * @return CryptoSocket handling appropriate encryption
+     * @param channel low-level socket channel to be wrapped by the CryptoSocket
+     **/
+    CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+        return cryptoEngine.createServerCryptoSocket(channel);
     }
 
     /**
diff --git a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
index 4ba6d00faa4..d720ca4dc26 100644
--- a/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/XorCryptoEngine.java
@@ -11,7 +11,10 @@ import java.nio.channels.SocketChannel;
  * from TLS.
  **/
 public class XorCryptoEngine implements CryptoEngine {
-    @Override public CryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
-        return new XorCryptoSocket(channel, isServer);
+    @Override public CryptoSocket createClientCryptoSocket(SocketChannel channel, Spec spec) {
+        return new XorCryptoSocket(channel, false);
+    }
+    @Override public CryptoSocket createServerCryptoSocket(SocketChannel channel) {
+        return new XorCryptoSocket(channel, true);
     }
 }
-- 
cgit v1.2.3