Repository: thrift Updated Branches: refs/heads/master 962e41078 -> 00a4e3e80
THRIFT-3009 TSSLSocket does not use the correct hostname (breaks certificate checks) Client: Go Patch: Mathias Gottschlag <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/thrift/repo Commit: http://git-wip-us.apache.org/repos/asf/thrift/commit/00a4e3e8 Tree: http://git-wip-us.apache.org/repos/asf/thrift/tree/00a4e3e8 Diff: http://git-wip-us.apache.org/repos/asf/thrift/diff/00a4e3e8 Branch: refs/heads/master Commit: 00a4e3e802ea68fd992e1fa0061fe6f3f39872ee Parents: 962e410 Author: Jens Geyer <[email protected]> Authored: Fri Feb 27 23:06:07 2015 +0100 Committer: Jens Geyer <[email protected]> Committed: Fri Feb 27 23:15:21 2015 +0100 ---------------------------------------------------------------------- lib/go/thrift/ssl_socket.go | 52 +++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/thrift/blob/00a4e3e8/lib/go/thrift/ssl_socket.go ----------------------------------------------------------------------
diff --git a/lib/go/thrift/ssl_socket.go b/lib/go/thrift/ssl_socket.go
index 38f66c4..4faaf8c 100644
--- a/lib/go/thrift/ssl_socket.go
+++ b/lib/go/thrift/ssl_socket.go
@@ -26,7 +26,12 @@ import (
 )
 
 type TSSLSocket struct {
-	conn net.Conn
+	conn net.Conn
+	// hostPort contains host:port (e.g. "asdf.com:12345"). The field is
+	// only valid if addr is nil.
+	hostPort string
+	// addr is nil when hostPort is not "", and is only used when the
+	// TSSLSocket is constructed from a net.Addr.
 	addr net.Addr
 	timeout time.Duration
 	cfg *tls.Config
@@ -35,7 +40,7 @@ type TSSLSocket struct {
 // NewTSSLSocket creates a net.Conn-backed TTransport, given a host and port and tls Configuration
 //
 // Example:
-// trans, err := thrift.NewTSocket("localhost:9090")
+// trans, err := thrift.NewTSSLSocket("localhost:9090", nil)
 func NewTSSLSocket(hostPort string, cfg *tls.Config) (*TSSLSocket, error) {
 	return NewTSSLSocketTimeout(hostPort, cfg, 0)
 }
@@ -43,12 +48,7 @@ func NewTSSLSocket(hostPort string, cfg *tls.Config) (*TSSLSocket, error) {
 // NewTSSLSocketTimeout creates a net.Conn-backed TTransport, given a host and port
 // it also accepts a tls Configuration and a timeout as a time.Duration
 func NewTSSLSocketTimeout(hostPort string, cfg *tls.Config, timeout time.Duration) (*TSSLSocket, error) {
-	//conn, err := net.DialTimeout(network, address, timeout)
-	addr, err := net.ResolveTCPAddr("tcp", hostPort)
-	if err != nil {
-		return nil, err
-	}
-	return NewTSSLSocketFromAddrTimeout(addr, cfg, timeout), nil
+	return &TSSLSocket{hostPort: hostPort, timeout: timeout, cfg: cfg}, nil
 }
 
 // Creates a TSSLSocket from a net.Addr
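Review bot: NewTSSLSocketTimeout now defers all address handling to Open(): the ResolveTCPAddr call is gone, so a malformed hostPort is no longer reported at construction but surfaces later as a NOT_OPEN exception from the tls.Dial call in Open(), and the constructor's error result is now always nil. The doc comment above it should say so, e.g. `// hostPort is not validated here; an unresolvable or malformed value is reported by Open().` Keeping the `(hostPort string, cfg *tls.Config, timeout time.Duration) (*TSSLSocket, error)` signature is the right call for compatibility, so this is documentation only.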
@@ -83,21 +83,29 @@ func (p *TSSLSocket) pushDeadline(read, write bool) {
 
 // Connects the socket, creating a new socket object if necessary.
 func (p *TSSLSocket) Open() error {
-	if p.IsOpen() {
-		return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
-	}
-	if p.addr == nil {
-		return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
-	}
-	if len(p.addr.Network()) == 0 {
-		return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
-	}
-	if len(p.addr.String()) == 0 {
-		return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
-	}
 	var err error
-	if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
-		return NewTTransportException(NOT_OPEN, err.Error())
+	// If we have a hostname, we need to pass the hostname to tls.Dial for
+	// certificate hostname checks.
+	if p.hostPort != "" {
+		if p.conn, err = tls.Dial("tcp", p.hostPort, p.cfg); err != nil {
+			return NewTTransportException(NOT_OPEN, err.Error())
+		}
+	} else {
+		if p.IsOpen() {
+			return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
+		}
+		if p.addr == nil {
+			return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
+		}
+		if len(p.addr.Network()) == 0 {
+			return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
+		}
+		if len(p.addr.String()) == 0 {
+			return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
+		}
+		if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
+			return NewTTransportException(NOT_OPEN, err.Error())
+		}
 	}
 	return nil
 }
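Review bot: The new hostPort branch at the top of Open() dials without the `p.IsOpen()` guard that the net.Addr branch keeps, so a second Open() on a socket built by NewTSSLSocket silently overwrites p.conn and the first TLS connection is never closed. Hoisting the check above the branch restores the previous contract for both paths: make `if p.IsOpen() { return NewTTransportException(ALREADY_OPEN, "Socket already connected.") }` the first statement of Open() and drop the duplicate from the else branch. The net.Addr path still dials `p.addr.String()`, which for an IP address leaves certificate verification with no hostname unless the caller sets `cfg.ServerName`; a sentence to that effect on the `// Creates a TSSLSocket from a net.Addr` comment would steer users to the hostPort constructors when they need hostname checks. Neither branch applies p.timeout to the dial itself (tls.DialWithDialer would), but that predates this change.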
