| author | Clifford Allan Jansen <cliffjansen@apache.org> | 2013-12-04 22:58:44 +0000 |
|---|---|---|
| committer | Clifford Allan Jansen <cliffjansen@apache.org> | 2013-12-04 22:58:44 +0000 |
| commit | af0fdf8ada297333f29136328aa90ca68e6c16e7 (patch) | |
| tree | 9859ad3c4fd2bd2fe51815b84770e3dfc873ddae /qpid/cpp/src | |
| parent | 6460f4d8e8ca25b1141f454fa93dee433c60cfb2 (diff) | |
| download | qpid-python-af0fdf8ada297333f29136328aa90ca68e6c16e7.tar.gz | |
QPID-5356: stop default search for client certificate when not specified
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1547951 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src')
| -rw-r--r-- | qpid/cpp/src/qpid/client/windows/SslConnector.cpp | 1 | ||||
| -rw-r--r-- | qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp | 25 | ||||
| -rw-r--r-- | qpid/cpp/src/qpid/sys/windows/SslAsynchIO.h | 3 |
3 files changed, 24 insertions, 5 deletions
diff --git a/qpid/cpp/src/qpid/client/windows/SslConnector.cpp b/qpid/cpp/src/qpid/client/windows/SslConnector.cpp
index a60ced9059..df6c43c25f 100644
--- a/qpid/cpp/src/qpid/client/windows/SslConnector.cpp
+++ b/qpid/cpp/src/qpid/client/windows/SslConnector.cpp
@@ -121,6 +121,7 @@ SslConnector::SslConnector(boost::shared_ptr<qpid::sys::Poller> p,
     SecInvalidateHandle(&credHandle);
     memset(&cred, 0, sizeof(cred));
     cred.dwVersion = SCHANNEL_CRED_VERSION;
+    cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS;
 
     // In case EXTERNAL SASL mechanism has been selected, we need to find
     // the client certificate with the private key which should be used
diff --git a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
index a9d43ae0ee..a733ece74c 100644
--- a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
+++ b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
@@ -435,7 +435,7 @@ ClientSslAsynchIO::ClientSslAsynchIO(const std::string& brokerHost,
                                      IdleCallback iCb,
                                      NegotiateDoneCallback nCb)
     : SslAsynchIO(s, hCred, rCb, eofCb, disCb, cCb, eCb, iCb, nCb),
-      serverHost(brokerHost)
+      serverHost(brokerHost), clientCertRequested(false)
 {
 }
 
@@ -445,7 +445,7 @@ void ClientSslAsynchIO::startNegotiate() {
     // Need a buffer to receive the token to send to the server.
     BufferBase *buff = aio->getQueuedBuffer();
 
-    ULONG ctxtRequested = ISC_REQ_STREAM;
+    ULONG ctxtRequested = ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;
     ULONG ctxtAttrs;
     // sendBuffs gets information to forward to the peer.
     SecBuffer sendBuffs[2];
@@ -471,6 +471,7 @@ void ClientSslAsynchIO::startNegotiate() {
                                                          &sendBuffDesc,
                                                          &ctxtAttrs,
                                                          NULL);
+
     if (status == SEC_I_CONTINUE_NEEDED) {
         buff->dataCount = sendBuffs[0].cbBuffer;
         aio->queueWrite(buff);
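Review bot: The new `cred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS;` line carries no explanation of why the Schannel default is being switched off, and the comment right below it only talks about locating the EXTERNAL SASL certificate. A one-line comment above the assignment would save the next reader a trip to the Schannel docs, e.g. `// Never let Schannel pick a client certificate from the user's store on its own; only a certificate explicitly configured below is ever offered to the broker.` Since dwFlags is assigned rather than OR-ed, any flag set earlier in the constructor would be lost; that looks intended because the struct was just zeroed, but it matters if more flags are added later. SslConnector's constructor continues outside the hunk.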
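Review bot: `ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS` is now spelled out twice, here in startNegotiate and in the identical line of negotiateStep (the @@ -480 hunk), and the error mapping added later in negotiateStep only makes sense if both call sites request the same flags. A single file-local constant keeps the two from drifting, e.g. `static const ULONG clientCtxtRequested = ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;` in the client section, with both functions reading `ULONG ctxtRequested = clientCtxtRequested;`. startNegotiate continues outside the hunk.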
@@ -480,7 +481,7 @@ void ClientSslAsynchIO::startNegotiate() {
 void ClientSslAsynchIO::negotiateStep(BufferBase* buff) {
     // SEC_CHAR is non-const, so do all the typing here.
     SEC_CHAR *host = const_cast<SEC_CHAR *>(serverHost.c_str());
-    ULONG ctxtRequested = ISC_REQ_STREAM;
+    ULONG ctxtRequested = ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;
     ULONG ctxtAttrs;
 
     // tokenBuffs describe the buffer that's coming in. It should have
@@ -535,6 +536,17 @@ void ClientSslAsynchIO::negotiateStep(BufferBase* buff) {
     if (buff)
         aio->queueReadBuffer(buff);
     if (status == SEC_I_CONTINUE_NEEDED) {
+        // check if server has requested a client certificate
+        if (!clientCertRequested) {
+            SecPkgContext_IssuerListInfoEx caList;
+            memset(&caList, 0, sizeof(caList));
+            ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_ISSUER_LIST_EX, &caList);
+            if (caList.cIssuers > 0)
+                clientCertRequested = true;
+            if (caList.aIssuers)
+                ::FreeContextBuffer(caList.aIssuers);
+        }
+
         sendbuff->dataCount = sendBuffs[0].cbBuffer;
         aio->queueWrite(sendbuff);
         return;
@@ -545,8 +557,13 @@ void ClientSslAsynchIO::negotiateStep(BufferBase* buff) {
     // either session stop or negotiation done (session up).
     if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED)
         negotiationDone();
-    else
+    else {
+        if (clientCertRequested && status == SEC_E_CERT_UNKNOWN)
+            // ISC_REQ_USE_SUPPLIED_CREDS makes us reponsible for this case
+            // (no client cert). Map it to its counterpart:
+            status = SEC_E_INCOMPLETE_CREDENTIALS;
         negotiationFailed(status);
+    }
 }
 
 /*************************************************/
diff --git a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.h b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.h
index 2f6842b135..f80285c305 100644
--- a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.h
+++ b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.h
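Review bot: The return value of `::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_ISSUER_LIST_EX, &caList)` in the @@ -535 hunk is discarded, so a failed query is indistinguishable from a server that did not ask for a certificate; the memset keeps the fields zeroed in that case, but the status should gate the use of the result, e.g. `if (::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_ISSUER_LIST_EX, &caList) == SEC_E_OK) {`. Note also that clientCertRequested is only set when cIssuers > 0; a certificate request that carries an empty issuer list (which TLS permits) would leave it false, and the SEC_E_CERT_UNKNOWN mapping in the @@ -545 hunk would then not apply — if Schannel really reports such a request with zero issuers this is a gap worth documenting or closing with another signal. negotiateStep's body starts and continues outside this hunk.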
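Review bot: The `if (clientCertRequested && status == SEC_E_CERT_UNKNOWN)` inside the new `else {` branch has a two-line comment between its condition and the single statement it guards, which is easy to misread; braces around the body make the scope unambiguous, and the comment has a typo, `// ISC_REQ_USE_SUPPLIED_CREDS makes us responsible for this case`. The mapping also fires when a client certificate was configured but not accepted, because clientCertRequested only records that the server asked for one; if that path can yield SEC_E_CERT_UNKNOWN, the original status may be the more useful one to report, so a comment stating the assumption (no certificate was supplied) would help. negotiateStep's closing brace is inside this hunk.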
@@ -38,7 +38,7 @@ namespace qpid { namespace sys { namespace windows { - + /* * SSL/Schannel shim between the frame-handling and AsynchIO layers. * SslAsynchIO creates a regular AsynchIO object to handle I/O and this class @@ -147,6 +147,7 @@ public: private: std::string serverHost; + bool clientCertRequested; // Client- and server-side SSL subclasses implement these to do the // proper negotiation steps. negotiateStep() is called with a buffer |
