QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 18 insertions, 4 deletions

diff --git a/cpp/src/qpid/broker/SaslAuthenticator.cpp b/cpp/src/qpid/broker/SaslAuthenticator.cpp
index 5611e3ec06..0f72f9643d 100644
--- a/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -26,6 +26,7 @@
 #include "qpid/broker/Connection.h"
 #include "qpid/log/Statement.h"
 #include "qpid/framing/reply_exceptions.h"
+#include "qpid/sys/SecuritySettings.h"
 #include <boost/format.hpp>
 
 #if HAVE_SASL
@@ -36,6 +37,7 @@ using qpid::sys::cyrus::CyrusSecurityLayer;
 
 using namespace qpid::framing;
 using qpid::sys::SecurityLayer;
+using qpid::sys::SecuritySettings;
 using boost::format;
 using boost::str;
 
@@ -152,7 +154,8 @@ void NullAuthenticator::start(const string& mechanism, const string& response)
 #if HAVE_SASL
         // encryption required - check to see if we are running over an
         // encrypted SSL connection.
-        sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF();
+        SecuritySettings external = connection.getExternalSecuritySettings();
+        sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf;
         if (external_ssf < 1)    // < 1 == unencrypted
 #endif
         {
@@ -244,7 +247,9 @@ void CyrusAuthenticator::init()
 
     // If the transport provides encryption, notify the SASL library of
     // the key length and set the ssf range to prevent double encryption.
-    sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF();
+    SecuritySettings external = connection.getExternalSecuritySettings();
+    QPID_LOG(debug, "External ssf=" << external.ssf << " and auth=" << external.authid);
+    sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf;
     if (external_ssf) {
         int result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf);
         if (result != SASL_OK) {
@@ -258,16 +263,25 @@ void CyrusAuthenticator::init()
              ", max_ssf: " << secprops.max_ssf <<
              ", external_ssf: " << external_ssf );
 
+    if (!external.authid.empty()) {
+        const char* external_authid = external.authid.c_str();
+        int result = sasl_setprop(sasl_conn, SASL_AUTH_EXTERNAL, external_authid);
+        if (result != SASL_OK) {
+            throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external auth: " << result));
+        }
+
+        QPID_LOG(debug, "external auth detected and set to " << external_authid);
+    }
+
     secprops.maxbufsize = 65535;
     secprops.property_names = 0;
     secprops.property_values = 0;
     secprops.security_flags = 0; /* or SASL_SEC_NOANONYMOUS etc as appropriate */
-    
+    if (external.nodict) secprops.security_flags |= SASL_SEC_NODICTIONARY;    
     int result = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
     if (result != SASL_OK) {
         throw framing::InternalErrorException(QPID_MSG("SASL error: " << result));
     }
-
 }
 
 CyrusAuthenticator::~CyrusAuthenticator()