QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 58 insertions, 0 deletions

diff --git a/cpp/src/qpid/sys/SecuritySettings.h b/cpp/src/qpid/sys/SecuritySettings.h
new file mode 100644
index 0000000000..bfcd08fd0f
--- /dev/null
+++ b/cpp/src/qpid/sys/SecuritySettings.h
@@ -0,0 +1,58 @@
+#ifndef QPID_SYS_SECURITYSETTINGS_H
+#define QPID_SYS_SECURITYSETTINGS_H
+
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+namespace qpid {
+namespace sys {
+
+/**
+ * Conveys security information from a given transport to the upper
+ * layers.
+ */
+struct SecuritySettings
+{
+    /**
+     * Security Strength Factor (SSF). Possible values are:
+     * 
+     *             @li 0  No security
+     *             @li 1  Integrity checking only
+     *             @li >1 Integrity and confidentiality with the number
+     *                    giving the encryption key length.
+     */
+    unsigned int ssf;
+    /**
+     * An authorisation id
+     */
+    std::string authid;
+
+    /**
+     * Disables SASL mechanisms that are vulnerable to passive
+     * dictionary-based password attacks
+     */
+    bool nodict;
+
+    SecuritySettings() : ssf(0), nodict(false) {}
+};
+
+}} // namespace qpid::sys
+
+#endif  /*!QPID_SYS_SECURITYSETTINGS_H*/