diff options
| author | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
|---|---|---|
| committer | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
| commit | f5e41be93bec9b5556a65292516db07ff845f7d4 (patch) | |
| tree | d26b9519d281dbb36fd6717205462399292896dd /cpp/src | |
| parent | 74d838068a2a24423c0c5af1e33b612e132291fb (diff) | |
| download | qpid-python-f5e41be93bec9b5556a65292516db07ff845f7d4.tar.gz | |
QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.
On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.
The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src')
34 files changed, 284 insertions, 107 deletions
diff --git a/cpp/src/Makefile.am b/cpp/src/Makefile.am index ba1ffabf5f..4fe5d7b85b 100644 --- a/cpp/src/Makefile.am +++ b/cpp/src/Makefile.am @@ -463,6 +463,7 @@ libqpidcommon_la_SOURCES += \ qpid/sys/Runnable.cpp \ qpid/sys/ScopedIncrement.h \ qpid/sys/SecurityLayer.h \ + qpid/sys/SecuritySettings.h \ qpid/sys/Semaphore.h \ qpid/sys/Shlib.cpp \ qpid/sys/Shlib.h \ diff --git a/cpp/src/qpid/broker/Connection.cpp b/cpp/src/qpid/broker/Connection.cpp index 532666ad76..ca018ce4f8 100644 --- a/cpp/src/qpid/broker/Connection.cpp +++ b/cpp/src/qpid/broker/Connection.cpp @@ -23,6 +23,7 @@ #include "qpid/broker/SessionState.h" #include "qpid/broker/Bridge.h" #include "qpid/broker/Broker.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" #include "qpid/ptr_map.h" @@ -72,9 +73,10 @@ struct ConnectionTimeoutTask : public sys::TimerTask { } }; -Connection::Connection(ConnectionOutputHandler* out_, Broker& broker_, const std::string& mgmtId_, unsigned int ssf, bool isLink_, uint64_t objectId, bool shadow_) : +Connection::Connection(ConnectionOutputHandler* out_, Broker& broker_, const std::string& mgmtId_, + const qpid::sys::SecuritySettings& external, bool isLink_, uint64_t objectId, bool shadow_) : ConnectionState(out_, broker_), - ssf(ssf), + securitySettings(external), adapter(*this, isLink_), isLink(isLink_), mgmtClosing(false), diff --git a/cpp/src/qpid/broker/Connection.h b/cpp/src/qpid/broker/Connection.h index d49d9f4d75..30a763411f 100644 --- a/cpp/src/qpid/broker/Connection.h +++ b/cpp/src/qpid/broker/Connection.h @@ -45,6 +45,7 @@ #include "qpid/sys/AggregateOutput.h" #include "qpid/sys/ConnectionInputHandler.h" #include "qpid/sys/ConnectionOutputHandler.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/sys/Socket.h" #include "qpid/sys/TimeoutHandler.h" #include "qpid/sys/Mutex.h" @@ -78,7 +79,8 @@ class Connection : public sys::ConnectionInputHandler, virtual void connectionError(const std::string&) = 0; }; - Connection(sys::ConnectionOutputHandler* out, Broker& broker, const std::string& mgmtId, unsigned int ssf, + Connection(sys::ConnectionOutputHandler* out, Broker& broker, const std::string& mgmtId, + const qpid::sys::SecuritySettings&, bool isLink = false, uint64_t objectId = 0, bool shadow=false); ~Connection (); @@ -136,14 +138,17 @@ class Connection : public sys::ConnectionInputHandler, // Used by cluster to update connection status sys::AggregateOutput& getOutputTasks() { return outputTasks; } - unsigned int getSSF() { return ssf; } + const qpid::sys::SecuritySettings& getExternalSecuritySettings() const + { + return securitySettings; + } private: typedef boost::ptr_map<framing::ChannelId, SessionHandler> ChannelMap; typedef std::vector<Queue::shared_ptr>::iterator queue_iterator; ChannelMap channels; - unsigned int ssf; + qpid::sys::SecuritySettings securitySettings; ConnectionHandler adapter; const bool isLink; bool mgmtClosing; diff --git a/cpp/src/qpid/broker/ConnectionFactory.cpp b/cpp/src/qpid/broker/ConnectionFactory.cpp index ffb0b34b95..9e0020812b 100644 --- a/cpp/src/qpid/broker/ConnectionFactory.cpp +++ b/cpp/src/qpid/broker/ConnectionFactory.cpp @@ -22,12 +22,14 @@ #include "qpid/framing/ProtocolVersion.h" #include "qpid/amqp_0_10/Connection.h" #include "qpid/broker/Connection.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" namespace qpid { namespace broker { using framing::ProtocolVersion; +using qpid::sys::SecuritySettings; typedef std::auto_ptr<amqp_0_10::Connection> ConnectionPtr; typedef std::auto_ptr<sys::ConnectionInputHandler> InputPtr; @@ -37,7 +39,7 @@ ConnectionFactory::~ConnectionFactory() {} sys::ConnectionCodec* ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id, - unsigned int ) { + const SecuritySettings& external) { if (broker.getConnectionCounter().allowConnection()) { QPID_LOG(error, "Client max connection count limit exceeded: " << broker.getOptions().maxConnections << " connection refused"); @@ -45,7 +47,7 @@ ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std: } if (v == ProtocolVersion(0, 10)) { ConnectionPtr c(new amqp_0_10::Connection(out, id, false)); - c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, false))); + c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, external, false))); return c.release(); } return 0; @@ -53,10 +55,10 @@ ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std: sys::ConnectionCodec* ConnectionFactory::create(sys::OutputControl& out, const std::string& id, - unsigned int) { + const SecuritySettings& external) { // used to create connections from one broker to another ConnectionPtr c(new amqp_0_10::Connection(out, id, true)); - c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, true))); + c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, external, true))); return c.release(); } diff --git a/cpp/src/qpid/broker/ConnectionFactory.h b/cpp/src/qpid/broker/ConnectionFactory.h index d812292ad1..7c1a9a08e1 100644 --- a/cpp/src/qpid/broker/ConnectionFactory.h +++ b/cpp/src/qpid/broker/ConnectionFactory.h @@ -36,11 +36,10 @@ class ConnectionFactory : public sys::ConnectionCodec::Factory sys::ConnectionCodec* create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + const qpid::sys::SecuritySettings&); sys::ConnectionCodec* - create(sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + create(sys::OutputControl&, const std::string& id, const qpid::sys::SecuritySettings&); private: Broker& broker; diff --git a/cpp/src/qpid/broker/SaslAuthenticator.cpp b/cpp/src/qpid/broker/SaslAuthenticator.cpp index 5611e3ec06..0f72f9643d 100644 --- a/cpp/src/qpid/broker/SaslAuthenticator.cpp +++ b/cpp/src/qpid/broker/SaslAuthenticator.cpp @@ -26,6 +26,7 @@ #include "qpid/broker/Connection.h" #include "qpid/log/Statement.h" #include "qpid/framing/reply_exceptions.h" +#include "qpid/sys/SecuritySettings.h" #include <boost/format.hpp> #if HAVE_SASL @@ -36,6 +37,7 @@ using qpid::sys::cyrus::CyrusSecurityLayer; using namespace qpid::framing; using qpid::sys::SecurityLayer; +using qpid::sys::SecuritySettings; using boost::format; using boost::str; @@ -152,7 +154,8 @@ void NullAuthenticator::start(const string& mechanism, const string& response) #if HAVE_SASL // encryption required - check to see if we are running over an // encrypted SSL connection. - sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF(); + SecuritySettings external = connection.getExternalSecuritySettings(); + sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf; if (external_ssf < 1) // < 1 == unencrypted #endif { @@ -244,7 +247,9 @@ void CyrusAuthenticator::init() // If the transport provides encryption, notify the SASL library of // the key length and set the ssf range to prevent double encryption. - sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF(); + SecuritySettings external = connection.getExternalSecuritySettings(); + QPID_LOG(debug, "External ssf=" << external.ssf << " and auth=" << external.authid); + sasl_ssf_t external_ssf = (sasl_ssf_t) external.ssf; if (external_ssf) { int result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf); if (result != SASL_OK) { @@ -258,16 +263,25 @@ void CyrusAuthenticator::init() ", max_ssf: " << secprops.max_ssf << ", external_ssf: " << external_ssf ); + if (!external.authid.empty()) { + const char* external_authid = external.authid.c_str(); + int result = sasl_setprop(sasl_conn, SASL_AUTH_EXTERNAL, external_authid); + if (result != SASL_OK) { + throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external auth: " << result)); + } + + QPID_LOG(debug, "external auth detected and set to " << external_authid); + } + secprops.maxbufsize = 65535; secprops.property_names = 0; secprops.property_values = 0; secprops.security_flags = 0; /* or SASL_SEC_NOANONYMOUS etc as appropriate */ - + if (external.nodict) secprops.security_flags |= SASL_SEC_NODICTIONARY; int result = sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops); if (result != SASL_OK) { throw framing::InternalErrorException(QPID_MSG("SASL error: " << result)); } - } CyrusAuthenticator::~CyrusAuthenticator() diff --git a/cpp/src/qpid/broker/SecureConnectionFactory.cpp b/cpp/src/qpid/broker/SecureConnectionFactory.cpp index 5a31dbceeb..754b443c22 100644 --- a/cpp/src/qpid/broker/SecureConnectionFactory.cpp +++ b/cpp/src/qpid/broker/SecureConnectionFactory.cpp @@ -23,12 +23,14 @@ #include "qpid/amqp_0_10/Connection.h" #include "qpid/broker/Connection.h" #include "qpid/broker/SecureConnection.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" namespace qpid { namespace broker { using framing::ProtocolVersion; +using qpid::sys::SecuritySettings; typedef std::auto_ptr<amqp_0_10::Connection> CodecPtr; typedef std::auto_ptr<SecureConnection> SecureConnectionPtr; typedef std::auto_ptr<Connection> ConnectionPtr; @@ -38,7 +40,7 @@ SecureConnectionFactory::SecureConnectionFactory(Broker& b) : broker(b) {} sys::ConnectionCodec* SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id, - unsigned int conn_ssf ) { + const SecuritySettings& external) { if (broker.getConnectionCounter().allowConnection()) { QPID_LOG(error, "Client max connection count limit exceeded: " << broker.getOptions().maxConnections << " connection refused"); @@ -47,7 +49,7 @@ SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, cons if (v == ProtocolVersion(0, 10)) { SecureConnectionPtr sc(new SecureConnection()); CodecPtr c(new amqp_0_10::Connection(out, id, false)); - ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, false)); + ConnectionPtr i(new broker::Connection(c.get(), broker, id, external, false)); i->setSecureConnection(sc.get()); c->setInputHandler(InputPtr(i.release())); sc->setCodec(std::auto_ptr<sys::ConnectionCodec>(c)); @@ -58,11 +60,11 @@ SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, cons sys::ConnectionCodec* SecureConnectionFactory::create(sys::OutputControl& out, const std::string& id, - unsigned int conn_ssf) { + const SecuritySettings& external) { // used to create connections from one broker to another SecureConnectionPtr sc(new SecureConnection()); CodecPtr c(new amqp_0_10::Connection(out, id, true)); - ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, true )); + ConnectionPtr i(new broker::Connection(c.get(), broker, id, external, true )); i->setSecureConnection(sc.get()); c->setInputHandler(InputPtr(i.release())); sc->setCodec(std::auto_ptr<sys::ConnectionCodec>(c)); diff --git a/cpp/src/qpid/broker/SecureConnectionFactory.h b/cpp/src/qpid/broker/SecureConnectionFactory.h index b1af6d4a0f..8a04dfcb15 100644 --- a/cpp/src/qpid/broker/SecureConnectionFactory.h +++ b/cpp/src/qpid/broker/SecureConnectionFactory.h @@ -34,11 +34,10 @@ class SecureConnectionFactory : public sys::ConnectionCodec::Factory sys::ConnectionCodec* create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + const qpid::sys::SecuritySettings&); sys::ConnectionCodec* - create(sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + create(sys::OutputControl&, const std::string& id, const qpid::sys::SecuritySettings&); private: Broker& broker; diff --git a/cpp/src/qpid/client/ConnectionHandler.cpp b/cpp/src/qpid/client/ConnectionHandler.cpp index 8f1cc7b03f..9d68448d9d 100644 --- a/cpp/src/qpid/client/ConnectionHandler.cpp +++ b/cpp/src/qpid/client/ConnectionHandler.cpp @@ -213,7 +213,7 @@ void ConnectionHandler::start(const FieldTable& /*serverProps*/, const Array& me if (sasl.get()) { string response = sasl->start(mechanism.empty() ? mechlist : mechanism, - getSSF ? getSSF() : 0); + getSecuritySettings ? getSecuritySettings() : 0); proxy.startOk(properties, sasl->getMechanism(), response, locale); } else { //TODO: verify that desired mechanism and locale are supported diff --git a/cpp/src/qpid/client/ConnectionHandler.h b/cpp/src/qpid/client/ConnectionHandler.h index ed1e385dcf..5f4b454f53 100644 --- a/cpp/src/qpid/client/ConnectionHandler.h +++ b/cpp/src/qpid/client/ConnectionHandler.h @@ -40,6 +40,11 @@ #include <memory> namespace qpid { + +namespace sys { +struct SecuritySettings; +} + namespace client { class ConnectionHandler : private StateManager, @@ -95,7 +100,7 @@ public: using InputHandler::handle; typedef boost::function<void()> CloseListener; typedef boost::function<void(uint16_t, const std::string&)> ErrorListener; - typedef boost::function<unsigned int()> GetConnSSF; + typedef boost::function<const qpid::sys::SecuritySettings*()> GetSecuritySettings; ConnectionHandler(const ConnectionSettings&, framing::ProtocolVersion&); @@ -123,7 +128,7 @@ public: static framing::connection::CloseCode convert(uint16_t replyCode); const std::string& getUserId() const { return operUserId; } - GetConnSSF getSSF; /** query the connection for its security strength factor */ + GetSecuritySettings getSecuritySettings; /** query the transport for its security details */ }; }} diff --git a/cpp/src/qpid/client/ConnectionImpl.cpp b/cpp/src/qpid/client/ConnectionImpl.cpp index 80cd510886..280d3da924 100644 --- a/cpp/src/qpid/client/ConnectionImpl.cpp +++ b/cpp/src/qpid/client/ConnectionImpl.cpp @@ -165,7 +165,7 @@ ConnectionImpl::ConnectionImpl(framing::ProtocolVersion v, const ConnectionSetti CLOSE_CODE_NORMAL, std::string()); //only set error handler once open handler.onError = boost::bind(&ConnectionImpl::closed, this, _1, _2); - handler.getSSF = boost::bind(&Connector::getSSF, boost::ref(connector)); + handler.getSecuritySettings = boost::bind(&Connector::getSecuritySettings, boost::ref(connector)); } const uint16_t ConnectionImpl::NEXT_CHANNEL = std::numeric_limits<uint16_t>::max(); diff --git a/cpp/src/qpid/client/Connector.h b/cpp/src/qpid/client/Connector.h index 0203895b00..586012f9d6 100644 --- a/cpp/src/qpid/client/Connector.h +++ b/cpp/src/qpid/client/Connector.h @@ -35,6 +35,7 @@ namespace sys { class ShutdownHandler; class SecurityLayer; class Poller; +struct SecuritySettings; } namespace framing { @@ -74,7 +75,7 @@ class Connector : public framing::OutputHandler virtual void activateSecurityLayer(std::auto_ptr<qpid::sys::SecurityLayer>); - virtual unsigned int getSSF() = 0; + virtual const qpid::sys::SecuritySettings* getSecuritySettings() = 0; }; }} diff --git a/cpp/src/qpid/client/RdmaConnector.cpp b/cpp/src/qpid/client/RdmaConnector.cpp index 2bdfb8d68f..42b4649203 100644 --- a/cpp/src/qpid/client/RdmaConnector.cpp +++ b/cpp/src/qpid/client/RdmaConnector.cpp @@ -109,7 +109,7 @@ class RdmaConnector : public Connector, public sys::Codec framing::OutputHandler* getOutputHandler(); const std::string& getIdentifier() const; void activateSecurityLayer(std::auto_ptr<qpid::sys::SecurityLayer>); - unsigned int getSSF() { return 0; } + const qpid::sys::SecuritySettings* getSecuritySettings() { return 0; } size_t decode(const char* buffer, size_t size); size_t encode(const char* buffer, size_t size); diff --git a/cpp/src/qpid/client/Sasl.h b/cpp/src/qpid/client/Sasl.h index 63da37fcb1..56735a5fc3 100644 --- a/cpp/src/qpid/client/Sasl.h +++ b/cpp/src/qpid/client/Sasl.h @@ -30,6 +30,7 @@ namespace qpid { namespace sys { class SecurityLayer; +struct SecuritySettings; } namespace client { @@ -48,17 +49,10 @@ class Sasl * * @param mechanisms Comma-separated list of the SASL mechanism the * client supports. - * @param ssf Security Strength Factor (SSF). SSF is used to negotiate - * a SASL security layer on top of the connection should both - * parties require and support it. The value indicates the - * required level of security for communication. Possible - * values are: - * @li 0 No security - * @li 1 Integrity checking only - * @li >1 Integrity and confidentiality with the number - * giving the encryption key length. + * @param externalSecuritySettings security related details from the underlying transport */ - virtual std::string start(const std::string& mechanisms, unsigned int ssf) = 0; + virtual std::string start(const std::string& mechanisms, + const qpid::sys::SecuritySettings* externalSecuritySettings = 0) = 0; virtual std::string step(const std::string& challenge) = 0; virtual std::string getMechanism() = 0; virtual std::string getUserId() = 0; diff --git a/cpp/src/qpid/client/SaslFactory.cpp b/cpp/src/qpid/client/SaslFactory.cpp index 5012b75c94..ec5680c8d8 100644 --- a/cpp/src/qpid/client/SaslFactory.cpp +++ b/cpp/src/qpid/client/SaslFactory.cpp @@ -61,6 +61,7 @@ std::auto_ptr<SaslFactory> SaslFactory::instance; #include "qpid/Exception.h" #include "qpid/framing/reply_exceptions.h" #include "qpid/sys/SecurityLayer.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/sys/cyrus/CyrusSecurityLayer.h" #include "qpid/log/Statement.h" #include <sasl/sasl.h> @@ -70,6 +71,7 @@ namespace qpid { namespace client { using qpid::sys::SecurityLayer; +using qpid::sys::SecuritySettings; using qpid::sys::cyrus::CyrusSecurityLayer; using qpid::framing::InternalErrorException; @@ -80,7 +82,7 @@ class CyrusSasl : public Sasl public: CyrusSasl(const ConnectionSettings&); ~CyrusSasl(); - std::string start(const std::string& mechanisms, unsigned int ssf); + std::string start(const std::string& mechanisms, const SecuritySettings* externalSettings); std::string step(const std::string& challenge); std::string getMechanism(); std::string getUserId(); @@ -176,7 +178,7 @@ namespace { const std::string SSL("ssl"); } -std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf) +std::string CyrusSasl::start(const std::string& mechanisms, const SecuritySettings* externalSettings) { QPID_LOG(debug, "CyrusSasl::start(" << mechanisms << ")"); int result = sasl_client_new(settings.service.c_str(), @@ -190,14 +192,22 @@ std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf) sasl_security_properties_t secprops; - if (ssf) { - sasl_ssf_t external_ssf = (sasl_ssf_t) ssf; + if (externalSettings) { + sasl_ssf_t external_ssf = (sasl_ssf_t) externalSettings->ssf; if (external_ssf) { int result = sasl_setprop(conn, SASL_SSF_EXTERNAL, &external_ssf); if (result != SASL_OK) { throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external SSF: " << result)); } - QPID_LOG(debug, "external SSF detected and set to " << ssf); + QPID_LOG(debug, "external SSF detected and set to " << external_ssf); + } + if (externalSettings->authid.size()) { + const char* external_authid = externalSettings->authid.c_str(); + result = sasl_setprop(conn, SASL_AUTH_EXTERNAL, external_authid); + if (result != SASL_OK) { + throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external auth: " << result)); + } + QPID_LOG(debug, "external auth detected and set to " << external_authid); } } @@ -216,7 +226,6 @@ std::string CyrusSasl::start(const std::string& mechanisms, unsigned int ssf) throw framing::InternalErrorException(QPID_MSG("SASL error: " << sasl_errdetail(conn))); } - sasl_interact_t* client_interact = 0; const char *out = 0; unsigned outlen = 0; diff --git a/cpp/src/qpid/client/SslConnector.cpp b/cpp/src/qpid/client/SslConnector.cpp index cf6d54d261..0c794145db 100644 --- a/cpp/src/qpid/client/SslConnector.cpp +++ b/cpp/src/qpid/client/SslConnector.cpp @@ -34,6 +34,7 @@ #include "qpid/sys/ssl/SslSocket.h" #include "qpid/sys/Dispatcher.h" #include "qpid/sys/Poller.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/Msg.h" #include <iostream> @@ -86,6 +87,7 @@ class SslConnector : public Connector const uint16_t maxFrameSize; framing::ProtocolVersion version; bool initiated; + SecuritySettings securitySettings; sys::Mutex closedLock; bool closed; @@ -125,7 +127,7 @@ class SslConnector : public Connector sys::ShutdownHandler* getShutdownHandler() const; framing::OutputHandler* getOutputHandler(); const std::string& getIdentifier() const; - unsigned int getSSF() { return socket.getKeyLen(); } + const SecuritySettings* getSecuritySettings(); public: SslConnector(Poller::shared_ptr p, framing::ProtocolVersion pVersion, @@ -366,4 +368,11 @@ void SslConnector::eof(SslIO&) { handleClosed(); } +const SecuritySettings* SslConnector::getSecuritySettings() +{ + securitySettings.ssf = socket.getKeyLen(); + securitySettings.authid = "dummy";//set to non-empty string to enable external authentication + return &securitySettings; +} + }} // namespace qpid::client diff --git a/cpp/src/qpid/client/TCPConnector.h b/cpp/src/qpid/client/TCPConnector.h index 6ca750f52f..6d447def2e 100644 --- a/cpp/src/qpid/client/TCPConnector.h +++ b/cpp/src/qpid/client/TCPConnector.h @@ -92,7 +92,7 @@ class TCPConnector : public Connector, public sys::Codec framing::OutputHandler* getOutputHandler(); const std::string& getIdentifier() const; void activateSecurityLayer(std::auto_ptr<qpid::sys::SecurityLayer>); - unsigned int getSSF() { return 0; } + const qpid::sys::SecuritySettings* getSecuritySettings() { return 0; } size_t decode(const char* buffer, size_t size); size_t encode(const char* buffer, size_t size); diff --git a/cpp/src/qpid/client/windows/SaslFactory.cpp b/cpp/src/qpid/client/windows/SaslFactory.cpp index 87df187ab2..40c112f534 100644 --- a/cpp/src/qpid/client/windows/SaslFactory.cpp +++ b/cpp/src/qpid/client/windows/SaslFactory.cpp @@ -25,6 +25,7 @@ #include "qpid/Exception.h" #include "qpid/framing/reply_exceptions.h" #include "qpid/sys/SecurityLayer.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/log/Statement.h" #include "boost/tokenizer.hpp" @@ -33,6 +34,7 @@ namespace qpid { namespace client { using qpid::sys::SecurityLayer; +using qpid::sys::SecuritySettings; using qpid::framing::InternalErrorException; class WindowsSasl : public Sasl @@ -40,7 +42,7 @@ class WindowsSasl : public Sasl public: WindowsSasl(const ConnectionSettings&); ~WindowsSasl(); - std::string start(const std::string& mechanisms, unsigned int ssf); + std::string start(const std::string& mechanisms, const SecuritySettings* externalSettings); std::string step(const std::string& challenge); std::string getMechanism(); std::string getUserId(); @@ -91,7 +93,7 @@ WindowsSasl::~WindowsSasl() } std::string WindowsSasl::start(const std::string& mechanisms, - unsigned int /*ssf*/) + const SecuritySettings* /*externalSettings*/) { QPID_LOG(debug, "WindowsSasl::start(" << mechanisms << ")"); diff --git a/cpp/src/qpid/cluster/Cluster.cpp b/cpp/src/qpid/cluster/Cluster.cpp index 460f974b36..9da183a14d 100644 --- a/cpp/src/qpid/cluster/Cluster.cpp +++ b/cpp/src/qpid/cluster/Cluster.cpp @@ -510,8 +510,13 @@ ConnectionPtr Cluster::getConnection(const EventFrame& e, Lock&) { assert(cp); } else { // New remote connection, create a shadow. - unsigned int ssf = (announce && announce->hasSsf()) ? announce->getSsf() : 0; - cp = new Connection(*this, shadowOut, announce->getManagementId(), id, ssf); + qpid::sys::SecuritySettings secSettings; + if (announce) { + secSettings.ssf = announce->getSsf(); + secSettings.authid = announce->getAuthid(); + secSettings.nodict = announce->getNodict(); + } + cp = new Connection(*this, shadowOut, announce->getManagementId(), id, secSettings); } connections.insert(ConnectionMap::value_type(id, cp)); } diff --git a/cpp/src/qpid/cluster/Connection.cpp b/cpp/src/qpid/cluster/Connection.cpp index 909ff68d92..6385729a09 100644 --- a/cpp/src/qpid/cluster/Connection.cpp +++ b/cpp/src/qpid/cluster/Connection.cpp @@ -77,9 +77,9 @@ const std::string shadowPrefix("[shadow]"); // Shadow connection Connection::Connection(Cluster& c, sys::ConnectionOutputHandler& out, const std::string& mgmtId, - const ConnectionId& id, unsigned int ssf) + const ConnectionId& id, const qpid::sys::SecuritySettings& external) : cluster(c), self(id), catchUp(false), output(*this, out), - connectionCtor(&output, cluster.getBroker(), mgmtId, ssf, false, 0, true), + connectionCtor(&output, cluster.getBroker(), mgmtId, external, false, 0, true), expectProtocolHeader(false), mcastFrameHandler(cluster.getMulticast(), self), updateIn(c.getUpdateReceiver()) @@ -88,11 +88,11 @@ Connection::Connection(Cluster& c, sys::ConnectionOutputHandler& out, // Local connection Connection::Connection(Cluster& c, sys::ConnectionOutputHandler& out, const std::string& mgmtId, MemberId member, - bool isCatchUp, bool isLink, unsigned int ssf + bool isCatchUp, bool isLink, const qpid::sys::SecuritySettings& external ) : cluster(c), self(member, ++idCounter), catchUp(isCatchUp), output(*this, out), connectionCtor(&output, cluster.getBroker(), mgmtId, - ssf, + external, isLink, isCatchUp ? ++catchUpId : 0, isCatchUp), // isCatchUp => shadow @@ -107,7 +107,10 @@ Connection::Connection(Cluster& c, sys::ConnectionOutputHandler& out, QPID_LOG(info, "new client connection " << *this); giveReadCredit(cluster.getSettings().readMax); cluster.getMulticast().mcastControl( - ClusterConnectionAnnounceBody(ProtocolVersion(), mgmtId, getSsf()), getId()); + ClusterConnectionAnnounceBody(ProtocolVersion(), mgmtId, + connectionCtor.external.ssf, + connectionCtor.external.authid, + connectionCtor.external.nodict), getId()); } else { // Catch-up shadow connections initialized using nextShadow id. @@ -122,7 +125,7 @@ Connection::Connection(Cluster& c, sys::ConnectionOutputHandler& out, void Connection::init() { connection = connectionCtor.construct(); QPID_LOG(debug, cluster << " initialized connection: " << *this - << " ssf=" << connection->getSSF()); + << " ssf=" << connection->getExternalSecuritySettings().ssf); if (isLocalClient()) { // Actively send cluster-order frames from local node connection->setClusterOrderOutput(mcastFrameHandler); @@ -142,9 +145,11 @@ void Connection::giveReadCredit(int credit) { output.giveReadCredit(credit); } -void Connection::announce(const std::string& mgmtId, uint32_t ssf) { +void Connection::announce(const std::string& mgmtId, uint32_t ssf, const std::string& authid, bool nodict) { QPID_ASSERT(mgmtId == connectionCtor.mgmtId); - QPID_ASSERT(ssf == connectionCtor.ssf); + QPID_ASSERT(ssf == connectionCtor.external.ssf); + QPID_ASSERT(authid == connectionCtor.external.authid); + QPID_ASSERT(nodict == connectionCtor.external.nodict); init(); } diff --git a/cpp/src/qpid/cluster/Connection.h b/cpp/src/qpid/cluster/Connection.h index 85fad72948..2f72783418 100644 --- a/cpp/src/qpid/cluster/Connection.h +++ b/cpp/src/qpid/cluster/Connection.h @@ -34,6 +34,7 @@ #include "qpid/sys/AtomicValue.h" #include "qpid/sys/ConnectionInputHandler.h" #include "qpid/sys/ConnectionOutputHandler.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/framing/SequenceNumber.h" #include "qpid/framing/FrameDecoder.h" @@ -66,10 +67,10 @@ class Connection : /** Local connection. */ Connection(Cluster&, sys::ConnectionOutputHandler& out, const std::string& mgmtId, MemberId, bool catchUp, bool isLink, - unsigned int ssf); + const qpid::sys::SecuritySettings& external); /** Shadow connection. */ Connection(Cluster&, sys::ConnectionOutputHandler& out, const std::string& mgmtId, const ConnectionId& id, - unsigned int ssf); + const qpid::sys::SecuritySettings& external); ~Connection(); ConnectionId getId() const { return self; } @@ -163,7 +164,7 @@ class Connection : void exchange(const std::string& encoded); void giveReadCredit(int credit); - void announce(const std::string& mgmtId, uint32_t ssf); + void announce(const std::string& mgmtId, uint32_t ssf, const std::string& authid, bool nodict); void abort(); void deliverClose(); @@ -174,7 +175,7 @@ class Connection : void managementAgents(const std::string& data); void managementSetupState(uint64_t objectNum, uint16_t bootSequence); - uint32_t getSsf() const { return connectionCtor.ssf; } + //uint32_t getSsf() const { return connectionCtor.external.ssf; } private: struct NullFrameHandler : public framing::FrameHandler { @@ -186,7 +187,7 @@ class Connection : sys::ConnectionOutputHandler* out; broker::Broker& broker; std::string mgmtId; - unsigned int ssf; + qpid::sys::SecuritySettings external; bool isLink; uint64_t objectId; bool shadow; @@ -195,17 +196,17 @@ class Connection : sys::ConnectionOutputHandler* out_, broker::Broker& broker_, const std::string& mgmtId_, - unsigned int ssf_, + const qpid::sys::SecuritySettings& external_, bool isLink_=false, uint64_t objectId_=0, bool shadow_=false - ) : out(out_), broker(broker_), mgmtId(mgmtId_), ssf(ssf_), + ) : out(out_), broker(broker_), mgmtId(mgmtId_), external(external_), isLink(isLink_), objectId(objectId_), shadow(shadow_) {} std::auto_ptr<broker::Connection> construct() { return std::auto_ptr<broker::Connection>( - new broker::Connection(out, broker, mgmtId, ssf, isLink, objectId, shadow)); + new broker::Connection(out, broker, mgmtId, external, isLink, objectId, shadow)); } }; diff --git a/cpp/src/qpid/cluster/ConnectionCodec.cpp b/cpp/src/qpid/cluster/ConnectionCodec.cpp index 8f6f1d9ad5..931cda4893 100644 --- a/cpp/src/qpid/cluster/ConnectionCodec.cpp +++ b/cpp/src/qpid/cluster/ConnectionCodec.cpp @@ -37,26 +37,26 @@ using namespace framing; sys::ConnectionCodec* ConnectionCodec::Factory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id, - unsigned int ssf) { + const qpid::sys::SecuritySettings& external) { if (v == ProtocolVersion(0, 10)) - return new ConnectionCodec(v, out, id, cluster, false, false, ssf); + return new ConnectionCodec(v, out, id, cluster, false, false, external); else if (v == ProtocolVersion(0x80 + 0, 0x80 + 10)) // Catch-up connection - return new ConnectionCodec(v, out, id, cluster, true, false, ssf); + return new ConnectionCodec(v, out, id, cluster, true, false, external); return 0; } // Used for outgoing Link connections sys::ConnectionCodec* ConnectionCodec::Factory::create(sys::OutputControl& out, const std::string& logId, - unsigned int ssf) { - return new ConnectionCodec(ProtocolVersion(0,10), out, logId, cluster, false, true, ssf); + const qpid::sys::SecuritySettings& external) { + return new ConnectionCodec(ProtocolVersion(0,10), out, logId, cluster, false, true, external); } ConnectionCodec::ConnectionCodec( const ProtocolVersion& v, sys::OutputControl& out, - const std::string& logId, Cluster& cluster, bool catchUp, bool isLink, unsigned int ssf + const std::string& logId, Cluster& cluster, bool catchUp, bool isLink, const qpid::sys::SecuritySettings& external ) : codec(out, logId, isLink), - interceptor(new Connection(cluster, codec, logId, cluster.getId(), catchUp, isLink, ssf)) + interceptor(new Connection(cluster, codec, logId, cluster.getId(), catchUp, isLink, external)) { std::auto_ptr<sys::ConnectionInputHandler> ih(new ProxyInputHandler(interceptor)); codec.setInputHandler(ih); diff --git a/cpp/src/qpid/cluster/ConnectionCodec.h b/cpp/src/qpid/cluster/ConnectionCodec.h index 74cb3c507d..4b919ed351 100644 --- a/cpp/src/qpid/cluster/ConnectionCodec.h +++ b/cpp/src/qpid/cluster/ConnectionCodec.h @@ -53,14 +53,14 @@ class ConnectionCodec : public sys::ConnectionCodec { Factory(boost::shared_ptr<sys::ConnectionCodec::Factory> f, Cluster& c) : next(f), cluster(c) {} sys::ConnectionCodec* create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + const qpid::sys::SecuritySettings& external); sys::ConnectionCodec* create(sys::OutputControl&, const std::string& id, - unsigned int conn_ssf); + const qpid::sys::SecuritySettings& external); }; ConnectionCodec(const framing::ProtocolVersion&, sys::OutputControl& out, const std::string& logId, Cluster& c, bool catchUp, bool isLink, - unsigned int ssf); + const qpid::sys::SecuritySettings& external); ~ConnectionCodec(); // ConnectionCodec functions. diff --git a/cpp/src/qpid/sys/AsynchIOHandler.cpp b/cpp/src/qpid/sys/AsynchIOHandler.cpp index f658b7d50f..5771141d08 100644 --- a/cpp/src/qpid/sys/AsynchIOHandler.cpp +++ b/cpp/src/qpid/sys/AsynchIOHandler.cpp @@ -22,6 +22,7 @@ #include "qpid/sys/AsynchIOHandler.h" #include "qpid/sys/AsynchIO.h" #include "qpid/sys/Socket.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/framing/AMQP_HighestVersion.h" #include "qpid/framing/ProtocolInitiation.h" #include "qpid/log/Statement.h" @@ -144,7 +145,7 @@ void AsynchIOHandler::readbuff(AsynchIO& , AsynchIO::BufferBase* buff) { decoded = in.getPosition(); QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")"); try { - codec = factory->create(protocolInit.getVersion(), *this, identifier, 0); + codec = factory->create(protocolInit.getVersion(), *this, identifier, SecuritySettings()); if (!codec) { //TODO: may still want to revise this... //send valid version header & close connection. @@ -200,7 +201,7 @@ void AsynchIOHandler::nobuffs(AsynchIO&) { void AsynchIOHandler::idle(AsynchIO&){ if (isClient && codec == 0) { - codec = factory->create(*this, identifier, 0); + codec = factory->create(*this, identifier, SecuritySettings()); write(framing::ProtocolInitiation(codec->getVersion())); return; } diff --git a/cpp/src/qpid/sys/ConnectionCodec.h b/cpp/src/qpid/sys/ConnectionCodec.h index 7231b1daa6..c2890f06dc 100644 --- a/cpp/src/qpid/sys/ConnectionCodec.h +++ b/cpp/src/qpid/sys/ConnectionCodec.h @@ -30,6 +30,7 @@ namespace sys { class InputHandlerFactory; class OutputControl; +struct SecuritySettings; /** * Interface of coder/decoder for a connection of a specific protocol @@ -49,27 +50,15 @@ class ConnectionCodec : public Codec { struct Factory { virtual ~Factory() {} - /** Security Strength Factor - indicates the level of security provided - * by the underlying transport. If zero, the transport provides no - * security (e.g. TCP). If non-zero, the transport provides some level - * of security (e.g. SSL). The values for SSF can be interpreted as: - * - * 0 = No protection. - * 1 = Integrity checking only. - * >1 = Supports authentication, integrity and confidentiality. - * The number represents the encryption key length. - */ - /** Return 0 if version unknown */ virtual ConnectionCodec* create( framing::ProtocolVersion, OutputControl&, const std::string& id, - unsigned int conn_ssf + const SecuritySettings& ) = 0; /** Return "preferred" codec for outbound connections. */ virtual ConnectionCodec* create( - OutputControl&, const std::string& id, - unsigned int conn_ssf + OutputControl&, const std::string& id, const SecuritySettings& ) = 0; }; }; diff --git a/cpp/src/qpid/sys/RdmaIOPlugin.cpp b/cpp/src/qpid/sys/RdmaIOPlugin.cpp index b325931793..5a5c10401c 100644 --- a/cpp/src/qpid/sys/RdmaIOPlugin.cpp +++ b/cpp/src/qpid/sys/RdmaIOPlugin.cpp @@ -27,6 +27,7 @@ #include "qpid/log/Statement.h" #include "qpid/sys/rdma/RdmaIO.h" #include "qpid/sys/OutputControl.h" +#include "qpid/sys/SecuritySettings.h" #include <boost/bind.hpp> #include <boost/lexical_cast.hpp> @@ -139,7 +140,7 @@ void RdmaIOHandler::initProtocolOut() { // but we must be able to send assert( codec == 0 ); assert( aio->writable() && aio->bufferAvailable() ); - codec = factory->create(*this, identifier, 0); + codec = factory->create(*this, identifier, SecuritySettings()); write(framing::ProtocolInitiation(codec->getVersion())); } @@ -186,7 +187,7 @@ void RdmaIOHandler::initProtocolIn(Rdma::Buffer* buff) { decoded = in.getPosition(); QPID_LOG(debug, "Rdma: RECV [" << identifier << "] INIT(" << protocolInit << ")"); - codec = factory->create(protocolInit.getVersion(), *this, identifier, 0); + codec = factory->create(protocolInit.getVersion(), *this, identifier, SecuritySettings()); // If we failed to create the codec then we don't understand the offered protocol version if (!codec) { diff --git a/cpp/src/qpid/sys/SecuritySettings.h b/cpp/src/qpid/sys/SecuritySettings.h new file mode 100644 index 0000000000..bfcd08fd0f --- /dev/null +++ b/cpp/src/qpid/sys/SecuritySettings.h @@ -0,0 +1,58 @@ +#ifndef QPID_SYS_SECURITYSETTINGS_H +#define QPID_SYS_SECURITYSETTINGS_H + +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +namespace qpid { +namespace sys { + +/** + * Conveys security information from a given transport to the upper + * layers. + */ +struct SecuritySettings +{ + /** + * Security Strength Factor (SSF). Possible values are: + * + * @li 0 No security + * @li 1 Integrity checking only + * @li >1 Integrity and confidentiality with the number + * giving the encryption key length. + */ + unsigned int ssf; + /** + * An authorisation id + */ + std::string authid; + + /** + * Disables SASL mechanisms that are vulnerable to passive + * dictionary-based password attacks + */ + bool nodict; + + SecuritySettings() : ssf(0), nodict(false) {} +}; + +}} // namespace qpid::sys + +#endif /*!QPID_SYS_SECURITYSETTINGS_H*/ diff --git a/cpp/src/qpid/sys/SslPlugin.cpp b/cpp/src/qpid/sys/SslPlugin.cpp index c143f1f1d0..297787f497 100644 --- a/cpp/src/qpid/sys/SslPlugin.cpp +++ b/cpp/src/qpid/sys/SslPlugin.cpp @@ -41,14 +41,18 @@ struct SslServerOptions : ssl::SslOptions { uint16_t port; bool clientAuth; + bool nodict; SslServerOptions() : port(5671), - clientAuth(false) + clientAuth(false), + nodict(false) { addOptions() ("ssl-port", optValue(port, "PORT"), "Port on which to listen for SSL connections") ("ssl-require-client-authentication", optValue(clientAuth), - "Forces clients to authenticate in order to establish an SSL connection"); + "Forces clients to authenticate in order to establish an SSL connection") + ("ssl-sasl-no-dict", optValue(nodict), + "Disables SASL mechanisms that are vulnerable to passive dictionary-based password attacks"); } }; @@ -57,6 +61,7 @@ class SslProtocolFactory : public ProtocolFactory { qpid::sys::ssl::SslSocket listener; const uint16_t listeningPort; std::auto_ptr<qpid::sys::ssl::SslAcceptor> acceptor; + bool nodict; public: SslProtocolFactory(const SslServerOptions&, int backlog, bool nodelay); @@ -97,7 +102,8 @@ static struct SslPlugin : public Plugin { const broker::Broker::Options& opts = broker->getOptions(); ProtocolFactory::shared_ptr protocol(new SslProtocolFactory(options, - opts.connectionBacklog, opts.tcpNoDelay)); + opts.connectionBacklog, + opts.tcpNoDelay)); QPID_LOG(notice, "Listening for SSL connections on TCP port " << protocol->getPort()); broker->registerProtocolFactory("ssl", protocol); } catch (const std::exception& e) { @@ -109,12 +115,13 @@ static struct SslPlugin : public Plugin { } sslPlugin; SslProtocolFactory::SslProtocolFactory(const SslServerOptions& options, int backlog, bool nodelay) : - tcpNoDelay(nodelay), listeningPort(listener.listen(options.port, backlog, options.certName, options.clientAuth)) + tcpNoDelay(nodelay), listeningPort(listener.listen(options.port, backlog, options.certName, options.clientAuth)), + nodict(options.nodict) {} void SslProtocolFactory::established(Poller::shared_ptr poller, const qpid::sys::ssl::SslSocket& s, ConnectionCodec::Factory* f, bool isClient) { - qpid::sys::ssl::SslHandler* async = new qpid::sys::ssl::SslHandler(s.getPeerAddress(), f); + qpid::sys::ssl::SslHandler* async = new qpid::sys::ssl::SslHandler(s.getPeerAddress(), f, nodict); if (tcpNoDelay) { s.setTcpNoDelay(tcpNoDelay); diff --git a/cpp/src/qpid/sys/ssl/SslHandler.cpp b/cpp/src/qpid/sys/ssl/SslHandler.cpp index 3469f88c0f..5516d72065 100644 --- a/cpp/src/qpid/sys/ssl/SslHandler.cpp +++ b/cpp/src/qpid/sys/ssl/SslHandler.cpp @@ -42,13 +42,14 @@ struct Buff : public SslIO::BufferBase { { delete [] bytes;} }; -SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f) : +SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f, bool _nodict) : identifier(id), aio(0), factory(f), codec(0), readError(false), - isClient(false) + isClient(false), + nodict(_nodict) {} SslHandler::~SslHandler() { @@ -111,7 +112,7 @@ void SslHandler::readbuff(SslIO& , SslIO::BufferBase* buff) { decoded = in.getPosition(); QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")"); try { - codec = factory->create(protocolInit.getVersion(), *this, identifier, aio->getKeyLen()); + codec = factory->create(protocolInit.getVersion(), *this, identifier, getSecuritySettings(aio)); if (!codec) { //TODO: may still want to revise this... //send valid version header & close connection. @@ -166,7 +167,7 @@ void SslHandler::nobuffs(SslIO&) { void SslHandler::idle(SslIO&){ if (isClient && codec == 0) { - codec = factory->create(*this, identifier, aio->getKeyLen()); + codec = factory->create(*this, identifier, getSecuritySettings(aio)); write(framing::ProtocolInitiation(codec->getVersion())); return; } @@ -183,5 +184,12 @@ void SslHandler::idle(SslIO&){ aio->queueWriteClose(); } +SecuritySettings SslHandler::getSecuritySettings(SslIO* aio) +{ + SecuritySettings settings = aio->getSecuritySettings(); + settings.nodict = nodict; + return settings; +} + }}} // namespace qpid::sys::ssl diff --git a/cpp/src/qpid/sys/ssl/SslHandler.h b/cpp/src/qpid/sys/ssl/SslHandler.h index 8f6b8e732a..a340109966 100644 --- a/cpp/src/qpid/sys/ssl/SslHandler.h +++ b/cpp/src/qpid/sys/ssl/SslHandler.h @@ -45,11 +45,13 @@ class SslHandler : public OutputControl { ConnectionCodec* codec; bool readError; bool isClient; + bool nodict; void write(const framing::ProtocolInitiation&); + qpid::sys::SecuritySettings getSecuritySettings(SslIO* aio); public: - SslHandler(std::string id, ConnectionCodec::Factory* f); + SslHandler(std::string id, ConnectionCodec::Factory* f, bool nodict); ~SslHandler(); void init(SslIO* a, int numBuffs); diff --git a/cpp/src/qpid/sys/ssl/SslIo.cpp b/cpp/src/qpid/sys/ssl/SslIo.cpp index c149d6ea74..a57123c182 100644 --- a/cpp/src/qpid/sys/ssl/SslIo.cpp +++ b/cpp/src/qpid/sys/ssl/SslIo.cpp @@ -436,4 +436,9 @@ void SslIO::close(DispatchHandle& h) { } } -int SslIO::getKeyLen() {return socket.getKeyLen();} +SecuritySettings SslIO::getSecuritySettings() { + SecuritySettings settings; + settings.ssf = socket.getKeyLen(); + settings.authid = socket.getClientAuthId(); + return settings; +} diff --git a/cpp/src/qpid/sys/ssl/SslIo.h b/cpp/src/qpid/sys/ssl/SslIo.h index 3162abac40..53ac69d8d6 100644 --- a/cpp/src/qpid/sys/ssl/SslIo.h +++ b/cpp/src/qpid/sys/ssl/SslIo.h @@ -22,6 +22,7 @@ */ #include "qpid/sys/DispatchHandle.h" +#include "qpid/sys/SecuritySettings.h" #include <boost/function.hpp> #include <deque> @@ -156,7 +157,7 @@ public: bool writeQueueEmpty() { return writeQueue.empty(); } BufferBase* getQueuedBuffer(); - int getKeyLen(); + qpid::sys::SecuritySettings getSecuritySettings(); private: ~SslIO(); diff --git a/cpp/src/qpid/sys/ssl/SslSocket.cpp b/cpp/src/qpid/sys/ssl/SslSocket.cpp index aa8cf127d7..22b0909ad4 100644 --- a/cpp/src/qpid/sys/ssl/SslSocket.cpp +++ b/cpp/src/qpid/sys/ssl/SslSocket.cpp @@ -102,6 +102,34 @@ std::string getService(int fd, bool local) return servName; } +const std::string DOMAIN_SEPARATOR("@"); +const std::string DC_SEPARATOR("."); +const std::string DC("DC"); +const std::string DN_DELIMS(" ,="); + +std::string getDomainFromSubject(std::string subject) +{ + std::string::size_type last = subject.find_first_not_of(DN_DELIMS, 0); + std::string::size_type i = subject.find_first_of(DN_DELIMS, last); + + std::string domain; + bool nextTokenIsDC = false; + while (std::string::npos != i || std::string::npos != last) + { + std::string token = subject.substr(last, i - last); + if (nextTokenIsDC) { + if (domain.size()) domain += DC_SEPARATOR; + domain += token; + nextTokenIsDC = false; + } else if (token == DC) { + nextTokenIsDC = true; + } + last = subject.find_first_not_of(DN_DELIMS, i); + i = subject.find_first_of(DN_DELIMS, last); + } + return domain; +} + } SslSocket::SslSocket() : IOHandle(new IOHandlePrivate()), socket(0), prototype(0) @@ -294,4 +322,25 @@ int SslSocket::getKeyLen() const return 0; } +std::string SslSocket::getClientAuthId() const +{ + std::string authId; + CERTCertificate* cert = SSL_PeerCertificate(socket); + if (cert) { + authId = CERT_GetCommonName(&(cert->subject)); + /* + * The NSS function CERT_GetDomainComponentName only returns + * the last component of the domain name, so we have to parse + * the subject manually to extract the full domain. + */ + std::string domain = getDomainFromSubject(cert->subjectName); + if (!domain.empty()) { + authId += DOMAIN_SEPARATOR; + authId += domain; + } + CERT_DestroyCertificate(cert); + } + return authId; +} + }}} // namespace qpid::sys::ssl diff --git a/cpp/src/qpid/sys/ssl/SslSocket.h b/cpp/src/qpid/sys/ssl/SslSocket.h index f1f05e7a98..e2443e31c8 100644 --- a/cpp/src/qpid/sys/ssl/SslSocket.h +++ b/cpp/src/qpid/sys/ssl/SslSocket.h @@ -101,6 +101,7 @@ public: int getError() const; int getKeyLen() const; + std::string getClientAuthId() const; private: mutable std::string connectname; |