QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 15 insertions, 6 deletions

diff --git a/cpp/src/qpid/client/SaslFactory.cpp b/cpp/src/qpid/client/SaslFactory.cpp
index 5012b75c94..ec5680c8d8 100644
--- a/cpp/src/qpid/client/SaslFactory.cpp
+++ b/cpp/src/qpid/client/SaslFactory.cpp
@@ -61,6 +61,7 @@ std::auto_ptr<SaslFactory> SaslFactory::instance;
 #include "qpid/Exception.h"
 #include "qpid/framing/reply_exceptions.h"
 #include "qpid/sys/SecurityLayer.h"
+#include "qpid/sys/SecuritySettings.h"
 #include "qpid/sys/cyrus/CyrusSecurityLayer.h"
 #include "qpid/log/Statement.h"
 #include <sasl/sasl.h>
@@ -70,6 +71,7 @@ namespace qpid {
 namespace client {
 
 using qpid::sys::SecurityLayer;
+using qpid::sys::SecuritySettings;
 using qpid::sys::cyrus::CyrusSecurityLayer;
 using qpid::framing::InternalErrorException;
 
@@ -80,7 +82,7 @@ class CyrusSasl : public Sasl
   public:
     CyrusSasl(const ConnectionSettings&);
     ~CyrusSasl();
-    std::string start(const std::string& mechanisms, unsigned int ssf);
+    std::string start(const std::string& mechanisms, const SecuritySettings* externalSettings);
     std::string step(const std::string& challenge);
     std::string getMechanism();
     std::string getUserId();
@@ -176,7 +178,7 @@ namespace {
     const std::string SSL("ssl");
 }
 
-std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf)
+std::string CyrusSasl::start(const std::string& mechanisms, const SecuritySettings* externalSettings)
 {
     QPID_LOG(debug, "CyrusSasl::start(" << mechanisms << ")");
     int result = sasl_client_new(settings.service.c_str(),
@@ -190,14 +192,22 @@ std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf)
 
     sasl_security_properties_t secprops;
 
-    if (ssf) {
-        sasl_ssf_t external_ssf = (sasl_ssf_t) ssf;
+    if (externalSettings) {
+        sasl_ssf_t external_ssf = (sasl_ssf_t) externalSettings->ssf;
         if (external_ssf) {
             int result = sasl_setprop(conn, SASL_SSF_EXTERNAL, &external_ssf);
             if (result != SASL_OK) {
                 throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external SSF: " << result));
             }
-            QPID_LOG(debug, "external SSF detected and set to " << ssf);
+            QPID_LOG(debug, "external SSF detected and set to " << external_ssf);
+        }
+        if (externalSettings->authid.size()) {
+            const char* external_authid = externalSettings->authid.c_str();
+            result = sasl_setprop(conn, SASL_AUTH_EXTERNAL, external_authid);
+            if (result != SASL_OK) {
+                throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external auth: " << result));
+            }
+            QPID_LOG(debug, "external auth detected and set to " << external_authid);
         }
     }
 
@@ -216,7 +226,6 @@ std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf)
         throw framing::InternalErrorException(QPID_MSG("SASL error: " << sasl_errdetail(conn)));
     }
 
-
     sasl_interact_t* client_interact = 0;
     const char *out = 0;
     unsigned outlen = 0;