diff options
| author | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
|---|---|---|
| committer | Gordon Sim <gsim@apache.org> | 2010-03-05 16:51:22 +0000 |
| commit | f5e41be93bec9b5556a65292516db07ff845f7d4 (patch) | |
| tree | d26b9519d281dbb36fd6717205462399292896dd /cpp/src/qpid/sys | |
| parent | 74d838068a2a24423c0c5af1e33b612e132291fb (diff) | |
| download | qpid-python-f5e41be93bec9b5556a65292516db07ff845f7d4.tar.gz | |
QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL connections.
On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.
The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/sys')
| -rw-r--r-- | cpp/src/qpid/sys/AsynchIOHandler.cpp | 5 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ConnectionCodec.h | 17 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/RdmaIOPlugin.cpp | 5 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/SecuritySettings.h | 58 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/SslPlugin.cpp | 17 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslHandler.cpp | 16 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslHandler.h | 4 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslIo.cpp | 7 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslIo.h | 3 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslSocket.cpp | 49 | ||||
| -rw-r--r-- | cpp/src/qpid/sys/ssl/SslSocket.h | 1 |
11 files changed, 152 insertions, 30 deletions
diff --git a/cpp/src/qpid/sys/AsynchIOHandler.cpp b/cpp/src/qpid/sys/AsynchIOHandler.cpp index f658b7d50f..5771141d08 100644 --- a/cpp/src/qpid/sys/AsynchIOHandler.cpp +++ b/cpp/src/qpid/sys/AsynchIOHandler.cpp @@ -22,6 +22,7 @@ #include "qpid/sys/AsynchIOHandler.h" #include "qpid/sys/AsynchIO.h" #include "qpid/sys/Socket.h" +#include "qpid/sys/SecuritySettings.h" #include "qpid/framing/AMQP_HighestVersion.h" #include "qpid/framing/ProtocolInitiation.h" #include "qpid/log/Statement.h" @@ -144,7 +145,7 @@ void AsynchIOHandler::readbuff(AsynchIO& , AsynchIO::BufferBase* buff) { decoded = in.getPosition(); QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")"); try { - codec = factory->create(protocolInit.getVersion(), *this, identifier, 0); + codec = factory->create(protocolInit.getVersion(), *this, identifier, SecuritySettings()); if (!codec) { //TODO: may still want to revise this... //send valid version header & close connection. @@ -200,7 +201,7 @@ void AsynchIOHandler::nobuffs(AsynchIO&) { void AsynchIOHandler::idle(AsynchIO&){ if (isClient && codec == 0) { - codec = factory->create(*this, identifier, 0); + codec = factory->create(*this, identifier, SecuritySettings()); write(framing::ProtocolInitiation(codec->getVersion())); return; } diff --git a/cpp/src/qpid/sys/ConnectionCodec.h b/cpp/src/qpid/sys/ConnectionCodec.h index 7231b1daa6..c2890f06dc 100644 --- a/cpp/src/qpid/sys/ConnectionCodec.h +++ b/cpp/src/qpid/sys/ConnectionCodec.h @@ -30,6 +30,7 @@ namespace sys { class InputHandlerFactory; class OutputControl; +struct SecuritySettings; /** * Interface of coder/decoder for a connection of a specific protocol @@ -49,27 +50,15 @@ class ConnectionCodec : public Codec { struct Factory { virtual ~Factory() {} - /** Security Strength Factor - indicates the level of security provided - * by the underlying transport. If zero, the transport provides no - * security (e.g. TCP). If non-zero, the transport provides some level - * of security (e.g. SSL). The values for SSF can be interpreted as: - * - * 0 = No protection. - * 1 = Integrity checking only. - * >1 = Supports authentication, integrity and confidentiality. - * The number represents the encryption key length. - */ - /** Return 0 if version unknown */ virtual ConnectionCodec* create( framing::ProtocolVersion, OutputControl&, const std::string& id, - unsigned int conn_ssf + const SecuritySettings& ) = 0; /** Return "preferred" codec for outbound connections. */ virtual ConnectionCodec* create( - OutputControl&, const std::string& id, - unsigned int conn_ssf + OutputControl&, const std::string& id, const SecuritySettings& ) = 0; }; }; diff --git a/cpp/src/qpid/sys/RdmaIOPlugin.cpp b/cpp/src/qpid/sys/RdmaIOPlugin.cpp index b325931793..5a5c10401c 100644 --- a/cpp/src/qpid/sys/RdmaIOPlugin.cpp +++ b/cpp/src/qpid/sys/RdmaIOPlugin.cpp @@ -27,6 +27,7 @@ #include "qpid/log/Statement.h" #include "qpid/sys/rdma/RdmaIO.h" #include "qpid/sys/OutputControl.h" +#include "qpid/sys/SecuritySettings.h" #include <boost/bind.hpp> #include <boost/lexical_cast.hpp> @@ -139,7 +140,7 @@ void RdmaIOHandler::initProtocolOut() { // but we must be able to send assert( codec == 0 ); assert( aio->writable() && aio->bufferAvailable() ); - codec = factory->create(*this, identifier, 0); + codec = factory->create(*this, identifier, SecuritySettings()); write(framing::ProtocolInitiation(codec->getVersion())); } @@ -186,7 +187,7 @@ void RdmaIOHandler::initProtocolIn(Rdma::Buffer* buff) { decoded = in.getPosition(); QPID_LOG(debug, "Rdma: RECV [" << identifier << "] INIT(" << protocolInit << ")"); - codec = factory->create(protocolInit.getVersion(), *this, identifier, 0); + codec = factory->create(protocolInit.getVersion(), *this, identifier, SecuritySettings()); // If we failed to create the codec then we don't understand the offered protocol version if (!codec) { diff --git a/cpp/src/qpid/sys/SecuritySettings.h b/cpp/src/qpid/sys/SecuritySettings.h new file mode 100644 index 0000000000..bfcd08fd0f --- /dev/null +++ b/cpp/src/qpid/sys/SecuritySettings.h @@ -0,0 +1,58 @@ +#ifndef QPID_SYS_SECURITYSETTINGS_H +#define QPID_SYS_SECURITYSETTINGS_H + +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +namespace qpid { +namespace sys { + +/** + * Conveys security information from a given transport to the upper + * layers. + */ +struct SecuritySettings +{ + /** + * Security Strength Factor (SSF). Possible values are: + * + * @li 0 No security + * @li 1 Integrity checking only + * @li >1 Integrity and confidentiality with the number + * giving the encryption key length. + */ + unsigned int ssf; + /** + * An authorisation id + */ + std::string authid; + + /** + * Disables SASL mechanisms that are vulnerable to passive + * dictionary-based password attacks + */ + bool nodict; + + SecuritySettings() : ssf(0), nodict(false) {} +}; + +}} // namespace qpid::sys + +#endif /*!QPID_SYS_SECURITYSETTINGS_H*/ diff --git a/cpp/src/qpid/sys/SslPlugin.cpp b/cpp/src/qpid/sys/SslPlugin.cpp index c143f1f1d0..297787f497 100644 --- a/cpp/src/qpid/sys/SslPlugin.cpp +++ b/cpp/src/qpid/sys/SslPlugin.cpp @@ -41,14 +41,18 @@ struct SslServerOptions : ssl::SslOptions { uint16_t port; bool clientAuth; + bool nodict; SslServerOptions() : port(5671), - clientAuth(false) + clientAuth(false), + nodict(false) { addOptions() ("ssl-port", optValue(port, "PORT"), "Port on which to listen for SSL connections") ("ssl-require-client-authentication", optValue(clientAuth), - "Forces clients to authenticate in order to establish an SSL connection"); + "Forces clients to authenticate in order to establish an SSL connection") + ("ssl-sasl-no-dict", optValue(nodict), + "Disables SASL mechanisms that are vulnerable to passive dictionary-based password attacks"); } }; @@ -57,6 +61,7 @@ class SslProtocolFactory : public ProtocolFactory { qpid::sys::ssl::SslSocket listener; const uint16_t listeningPort; std::auto_ptr<qpid::sys::ssl::SslAcceptor> acceptor; + bool nodict; public: SslProtocolFactory(const SslServerOptions&, int backlog, bool nodelay); @@ -97,7 +102,8 @@ static struct SslPlugin : public Plugin { const broker::Broker::Options& opts = broker->getOptions(); ProtocolFactory::shared_ptr protocol(new SslProtocolFactory(options, - opts.connectionBacklog, opts.tcpNoDelay)); + opts.connectionBacklog, + opts.tcpNoDelay)); QPID_LOG(notice, "Listening for SSL connections on TCP port " << protocol->getPort()); broker->registerProtocolFactory("ssl", protocol); } catch (const std::exception& e) { @@ -109,12 +115,13 @@ static struct SslPlugin : public Plugin { } sslPlugin; SslProtocolFactory::SslProtocolFactory(const SslServerOptions& options, int backlog, bool nodelay) : - tcpNoDelay(nodelay), listeningPort(listener.listen(options.port, backlog, options.certName, options.clientAuth)) + tcpNoDelay(nodelay), listeningPort(listener.listen(options.port, backlog, options.certName, options.clientAuth)), + nodict(options.nodict) {} void SslProtocolFactory::established(Poller::shared_ptr poller, const qpid::sys::ssl::SslSocket& s, ConnectionCodec::Factory* f, bool isClient) { - qpid::sys::ssl::SslHandler* async = new qpid::sys::ssl::SslHandler(s.getPeerAddress(), f); + qpid::sys::ssl::SslHandler* async = new qpid::sys::ssl::SslHandler(s.getPeerAddress(), f, nodict); if (tcpNoDelay) { s.setTcpNoDelay(tcpNoDelay); diff --git a/cpp/src/qpid/sys/ssl/SslHandler.cpp b/cpp/src/qpid/sys/ssl/SslHandler.cpp index 3469f88c0f..5516d72065 100644 --- a/cpp/src/qpid/sys/ssl/SslHandler.cpp +++ b/cpp/src/qpid/sys/ssl/SslHandler.cpp @@ -42,13 +42,14 @@ struct Buff : public SslIO::BufferBase { { delete [] bytes;} }; -SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f) : +SslHandler::SslHandler(std::string id, ConnectionCodec::Factory* f, bool _nodict) : identifier(id), aio(0), factory(f), codec(0), readError(false), - isClient(false) + isClient(false), + nodict(_nodict) {} SslHandler::~SslHandler() { @@ -111,7 +112,7 @@ void SslHandler::readbuff(SslIO& , SslIO::BufferBase* buff) { decoded = in.getPosition(); QPID_LOG(debug, "RECV [" << identifier << "] INIT(" << protocolInit << ")"); try { - codec = factory->create(protocolInit.getVersion(), *this, identifier, aio->getKeyLen()); + codec = factory->create(protocolInit.getVersion(), *this, identifier, getSecuritySettings(aio)); if (!codec) { //TODO: may still want to revise this... //send valid version header & close connection. @@ -166,7 +167,7 @@ void SslHandler::nobuffs(SslIO&) { void SslHandler::idle(SslIO&){ if (isClient && codec == 0) { - codec = factory->create(*this, identifier, aio->getKeyLen()); + codec = factory->create(*this, identifier, getSecuritySettings(aio)); write(framing::ProtocolInitiation(codec->getVersion())); return; } @@ -183,5 +184,12 @@ void SslHandler::idle(SslIO&){ aio->queueWriteClose(); } +SecuritySettings SslHandler::getSecuritySettings(SslIO* aio) +{ + SecuritySettings settings = aio->getSecuritySettings(); + settings.nodict = nodict; + return settings; +} + }}} // namespace qpid::sys::ssl diff --git a/cpp/src/qpid/sys/ssl/SslHandler.h b/cpp/src/qpid/sys/ssl/SslHandler.h index 8f6b8e732a..a340109966 100644 --- a/cpp/src/qpid/sys/ssl/SslHandler.h +++ b/cpp/src/qpid/sys/ssl/SslHandler.h @@ -45,11 +45,13 @@ class SslHandler : public OutputControl { ConnectionCodec* codec; bool readError; bool isClient; + bool nodict; void write(const framing::ProtocolInitiation&); + qpid::sys::SecuritySettings getSecuritySettings(SslIO* aio); public: - SslHandler(std::string id, ConnectionCodec::Factory* f); + SslHandler(std::string id, ConnectionCodec::Factory* f, bool nodict); ~SslHandler(); void init(SslIO* a, int numBuffs); diff --git a/cpp/src/qpid/sys/ssl/SslIo.cpp b/cpp/src/qpid/sys/ssl/SslIo.cpp index c149d6ea74..a57123c182 100644 --- a/cpp/src/qpid/sys/ssl/SslIo.cpp +++ b/cpp/src/qpid/sys/ssl/SslIo.cpp @@ -436,4 +436,9 @@ void SslIO::close(DispatchHandle& h) { } } -int SslIO::getKeyLen() {return socket.getKeyLen();} +SecuritySettings SslIO::getSecuritySettings() { + SecuritySettings settings; + settings.ssf = socket.getKeyLen(); + settings.authid = socket.getClientAuthId(); + return settings; +} diff --git a/cpp/src/qpid/sys/ssl/SslIo.h b/cpp/src/qpid/sys/ssl/SslIo.h index 3162abac40..53ac69d8d6 100644 --- a/cpp/src/qpid/sys/ssl/SslIo.h +++ b/cpp/src/qpid/sys/ssl/SslIo.h @@ -22,6 +22,7 @@ */ #include "qpid/sys/DispatchHandle.h" +#include "qpid/sys/SecuritySettings.h" #include <boost/function.hpp> #include <deque> @@ -156,7 +157,7 @@ public: bool writeQueueEmpty() { return writeQueue.empty(); } BufferBase* getQueuedBuffer(); - int getKeyLen(); + qpid::sys::SecuritySettings getSecuritySettings(); private: ~SslIO(); diff --git a/cpp/src/qpid/sys/ssl/SslSocket.cpp b/cpp/src/qpid/sys/ssl/SslSocket.cpp index aa8cf127d7..22b0909ad4 100644 --- a/cpp/src/qpid/sys/ssl/SslSocket.cpp +++ b/cpp/src/qpid/sys/ssl/SslSocket.cpp @@ -102,6 +102,34 @@ std::string getService(int fd, bool local) return servName; } +const std::string DOMAIN_SEPARATOR("@"); +const std::string DC_SEPARATOR("."); +const std::string DC("DC"); +const std::string DN_DELIMS(" ,="); + +std::string getDomainFromSubject(std::string subject) +{ + std::string::size_type last = subject.find_first_not_of(DN_DELIMS, 0); + std::string::size_type i = subject.find_first_of(DN_DELIMS, last); + + std::string domain; + bool nextTokenIsDC = false; + while (std::string::npos != i || std::string::npos != last) + { + std::string token = subject.substr(last, i - last); + if (nextTokenIsDC) { + if (domain.size()) domain += DC_SEPARATOR; + domain += token; + nextTokenIsDC = false; + } else if (token == DC) { + nextTokenIsDC = true; + } + last = subject.find_first_not_of(DN_DELIMS, i); + i = subject.find_first_of(DN_DELIMS, last); + } + return domain; +} + } SslSocket::SslSocket() : IOHandle(new IOHandlePrivate()), socket(0), prototype(0) @@ -294,4 +322,25 @@ int SslSocket::getKeyLen() const return 0; } +std::string SslSocket::getClientAuthId() const +{ + std::string authId; + CERTCertificate* cert = SSL_PeerCertificate(socket); + if (cert) { + authId = CERT_GetCommonName(&(cert->subject)); + /* + * The NSS function CERT_GetDomainComponentName only returns + * the last component of the domain name, so we have to parse + * the subject manually to extract the full domain. + */ + std::string domain = getDomainFromSubject(cert->subjectName); + if (!domain.empty()) { + authId += DOMAIN_SEPARATOR; + authId += domain; + } + CERT_DestroyCertificate(cert); + } + return authId; +} + }}} // namespace qpid::sys::ssl diff --git a/cpp/src/qpid/sys/ssl/SslSocket.h b/cpp/src/qpid/sys/ssl/SslSocket.h index f1f05e7a98..e2443e31c8 100644 --- a/cpp/src/qpid/sys/ssl/SslSocket.h +++ b/cpp/src/qpid/sys/ssl/SslSocket.h @@ -101,6 +101,7 @@ public: int getError() const; int getKeyLen() const; + std::string getClientAuthId() const; private: mutable std::string connectname; |