Diffstat (limited to 'cpp/src/qpid/broker')
| -rw-r--r-- | cpp/src/qpid/broker/Connection.cpp | 3 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/Connection.h | 6 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/ConnectionFactory.cpp | 6 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/ConnectionFactory.h | 6 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/SaslAuthenticator.cpp | 33 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/SecureConnectionFactory.cpp | 10 | ||||
| -rw-r--r-- | cpp/src/qpid/broker/SecureConnectionFactory.h | 6 |
7 files changed, 51 insertions, 19 deletions
diff --git a/cpp/src/qpid/broker/Connection.cpp b/cpp/src/qpid/broker/Connection.cpp
index 824a2ee75d..7aa632c5a5 100644
--- a/cpp/src/qpid/broker/Connection.cpp
+++ b/cpp/src/qpid/broker/Connection.cpp
@@ -71,8 +71,9 @@ struct ConnectionTimeoutTask : public sys::TimerTask {
 }
 };
-Connection::Connection(ConnectionOutputHandler* out_, Broker& broker_, const std::string& mgmtId_, bool isLink_, uint64_t objectId) :
+Connection::Connection(ConnectionOutputHandler* out_, Broker& broker_, const std::string& mgmtId_, unsigned int ssf, bool isLink_, uint64_t objectId) :
 ConnectionState(out_, broker_),
+ ssf(ssf),
 adapter(*this, isLink_),
 isLink(isLink_),
 mgmtClosing(false),
diff --git a/cpp/src/qpid/broker/Connection.h b/cpp/src/qpid/broker/Connection.h
index 42409969b9..66ede59df5 100644
--- a/cpp/src/qpid/broker/Connection.h
+++ b/cpp/src/qpid/broker/Connection.h
@@ -78,7 +78,8 @@ class Connection : public sys::ConnectionInputHandler,
 virtual void connectionError(const std::string&) = 0;
 };
- Connection(sys::ConnectionOutputHandler* out, Broker& broker, const std::string& mgmtId, bool isLink = false, uint64_t objectId = 0);
+ Connection(sys::ConnectionOutputHandler* out, Broker& broker, const std::string& mgmtId, unsigned int ssf,
+ bool isLink = false, uint64_t objectId = 0);
 ~Connection ();
 /** Get the SessionHandler for channel. Create if it does not already exist */
@@ -138,11 +139,14 @@ class Connection : public sys::ConnectionInputHandler,
 // Used by cluster to update connection status
 sys::AggregateOutput& getOutputTasks() { return outputTasks; }
+ unsigned int getSSF() { return ssf; }
+
 private:
 typedef boost::ptr_map<framing::ChannelId, SessionHandler> ChannelMap;
 typedef std::vector<Queue::shared_ptr>::iterator queue_iterator;
 ChannelMap channels;
+ unsigned int ssf;
 ConnectionHandler adapter;
 const bool isLink;
 bool mgmtClosing;
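Review bot: `getSSF()` in the Connection.h hunk only reads a member, so it should be declared `unsigned int getSSF() const { return ssf; }`; as written it cannot be called through a `const Connection&`. In the Connection.cpp hunk the initializer `ssf(ssf)` depends on the member/parameter name collision — it is well-formed, but naming the parameter `ssf_` like the neighbouring `out_`, `broker_`, `mgmtId_` and `isLink_` removes the shadowing. The new member is undocumented; a line such as `// security strength factor reported by the transport layer, 0 when it provides no encryption` next to `unsigned int ssf;` would state the contract the SaslAuthenticator hunk relies on (hedged: the page shows only how the value is consumed, not what the secure factory supplies).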
diff --git a/cpp/src/qpid/broker/ConnectionFactory.cpp b/cpp/src/qpid/broker/ConnectionFactory.cpp
index 93108b35f7..dd794d7d95 100644
--- a/cpp/src/qpid/broker/ConnectionFactory.cpp
+++ b/cpp/src/qpid/broker/ConnectionFactory.cpp
@@ -35,7 +35,8 @@ ConnectionFactory::ConnectionFactory(Broker& b) : broker(b) {}
 ConnectionFactory::~ConnectionFactory() {}
 sys::ConnectionCodec*
-ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id) {
+ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id,
+ unsigned int ) {
 if (v == ProtocolVersion(0, 10)) {
 ConnectionPtr c(new amqp_0_10::Connection(out, id, false));
 c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, false)));
@@ -45,7 +46,8 @@ ConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std:
 }
 sys::ConnectionCodec*
-ConnectionFactory::create(sys::OutputControl& out, const std::string& id) {
+ConnectionFactory::create(sys::OutputControl& out, const std::string& id,
+ unsigned int) {
 // used to create connections from one broker to another
 ConnectionPtr c(new amqp_0_10::Connection(out, id, true));
 c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, true)));
diff --git a/cpp/src/qpid/broker/ConnectionFactory.h b/cpp/src/qpid/broker/ConnectionFactory.h
index c61da81024..d812292ad1 100644
--- a/cpp/src/qpid/broker/ConnectionFactory.h
+++ b/cpp/src/qpid/broker/ConnectionFactory.h
@@ -35,10 +35,12 @@ class ConnectionFactory : public sys::ConnectionCodec::Factory
 virtual ~ConnectionFactory();
 sys::ConnectionCodec*
- create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id);
+ create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id,
+ unsigned int conn_ssf);
 sys::ConnectionCodec*
- create(sys::OutputControl&, const std::string& id);
+ create(sys::OutputControl&, const std::string& id,
+ unsigned int conn_ssf);
 private:
 Broker& broker;
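Review bot: The unchanged context calls `new broker::Connection(c.get(), broker, id, false)` and `new broker::Connection(c.get(), broker, id, true)` in the two ConnectionFactory.cpp hunks now bind their bool to the `unsigned int ssf` parameter this commit inserts ahead of `isLink`, so the broker-to-broker path builds a connection with `ssf == 1` and `isLink == false`, and the compiler accepts it silently. Both `create` overloads also leave the new parameter unnamed, discarding the value the header calls `conn_ssf`. Name it and pass it through as the SecureConnectionFactory.cpp hunks do: `unsigned int conn_ssf) {` and `c->setInputHandler(InputPtr(new broker::Connection(c.get(), broker, id, conn_ssf, true)));` (with `false` in the first overload). Both `create` bodies continue past the end of their hunks.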
diff --git a/cpp/src/qpid/broker/SaslAuthenticator.cpp b/cpp/src/qpid/broker/SaslAuthenticator.cpp
index 7e7334fda1..0e509c8d93 100644
--- a/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -48,8 +48,9 @@ class NullAuthenticator : public SaslAuthenticator
 Connection& connection;
 framing::AMQP_ClientProxy::Connection client;
 std::string realm;
+ const bool encrypt;
 public:
- NullAuthenticator(Connection& connection, bool dummy=false/*dummy arg to match CyrusAuthenticator*/);
+ NullAuthenticator(Connection& connection, bool encrypt);
 ~NullAuthenticator();
 void getMechanisms(framing::Array& mechanisms);
 void start(const std::string& mechanism, const std::string& response);
@@ -130,12 +131,12 @@ std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connecti
 } else {
 QPID_LOG(debug, "SASL: No Authentication Performed");
 needWarning = false;
- return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c));
+ return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
 }
 }
- NullAuthenticator::NullAuthenticator(Connection& c, bool /*dummy*/) : connection(c), client(c.getOutput()),
- realm(c.getBroker().getOptions().realm) {}
+NullAuthenticator::NullAuthenticator(Connection& c, bool e) : connection(c), client(c.getOutput()),
+ realm(c.getBroker().getOptions().realm), encrypt(e) {}
 NullAuthenticator::~NullAuthenticator() {}
 void NullAuthenticator::getMechanisms(Array& mechanisms)
@@ -146,6 +147,10 @@ void NullAuthenticator::getMechanisms(Array& mechanisms)
 void NullAuthenticator::start(const string& mechanism, const string& response)
 {
+ if (encrypt) {
+ QPID_LOG(error, "Rejected un-encrypted connection.");
+ throw ConnectionForcedException("Connection must be encrypted.");
+ }
 if (mechanism == "PLAIN") { // Old behavior
 if (response.size() > 0) {
 string uid;
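Review bot: The new guard at the top of `NullAuthenticator::start` rejects every connection when `encrypt` (the `requireEncrypted` option) is set, without asking the transport: a connection built by SecureConnectionFactory, whose SSF this commit exposes through `connection.getSSF()`, is refused as "un-encrypted" too, which looks unintended given that the CyrusAuthenticator hunk in the same file relaxes its own requirement when an external SSF is present. `if (encrypt && connection.getSSF() == 0) {` would reject only connections whose transport provides no encryption — hedged, since the page does not show what SSF the secure factory passes in. The `encrypt` member in the first hunk deserves a comment stating that contract, e.g. `// when set, clients whose transport provides no encryption are rejected in start()`. `start()` continues past the end of the hunk.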
@@ -227,10 +232,24 @@ void CyrusAuthenticator::init()
 //TODO: should the actual SSF values be configurable here?
 secprops.min_ssf = encrypt ? 10: 0;
 secprops.max_ssf = 256;
- secprops.maxbufsize = 65535;
- QPID_LOG(debug, "min_ssf: " << secprops.min_ssf << ", max_ssf: " << secprops.max_ssf);
-
+ // If the transport provides encryption, notify the SASL library of
+ // the key length and set the ssf range to prevent double encryption.
+ sasl_ssf_t external_ssf = (sasl_ssf_t) connection.getSSF();
+ if (external_ssf) {
+ int result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL, &external_ssf);
+ if (result != SASL_OK) {
+ throw framing::InternalErrorException(QPID_MSG("SASL error: unable to set external SSF: " << result));
+ }
+
+ secprops.max_ssf = secprops.min_ssf = 0;
+ }
+
+ QPID_LOG(debug, "min_ssf: " << secprops.min_ssf <<
+ ", max_ssf: " << secprops.max_ssf <<
+ ", external_ssf: " << external_ssf );
+
+ secprops.maxbufsize = 65535;
 secprops.property_names = 0;
 secprops.property_values = 0;
 secprops.security_flags = 0; /* or SASL_SEC_NOANONYMOUS etc as appropriate */
diff --git a/cpp/src/qpid/broker/SecureConnectionFactory.cpp b/cpp/src/qpid/broker/SecureConnectionFactory.cpp
index e1f003cb1c..4926851f95 100644
--- a/cpp/src/qpid/broker/SecureConnectionFactory.cpp
+++ b/cpp/src/qpid/broker/SecureConnectionFactory.cpp
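Review bot: `secprops.max_ssf = secprops.min_ssf = 0;` discards the `encrypt ? 10 : 0` minimum computed a few lines above whenever `external_ssf` is non-zero, so with `requireEncrypted` set a transport reporting any SSF at all — including one below 10 — satisfies the requirement and SASL is told no security layer is needed. If the goal is only to avoid a second encryption layer on top of the transport, keep `min_ssf` as computed and lower only `max_ssf`, or fail explicitly when `external_ssf < secprops.min_ssf`; which is correct depends on how the SASL library credits the external SSF against `min_ssf`, which the page does not show, so this is worth confirming before merge. The C-style cast `(sasl_ssf_t) connection.getSSF()` should be `static_cast<sasl_ssf_t>(connection.getSSF())`. `CyrusAuthenticator::init()` starts before and ends after this hunk.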
@@ -36,11 +36,12 @@ typedef std::auto_ptr<sys::ConnectionInputHandler> InputPtr;
 SecureConnectionFactory::SecureConnectionFactory(Broker& b) : broker(b) {}
 sys::ConnectionCodec*
-SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id) {
+SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, const std::string& id,
+ unsigned int conn_ssf ) {
 if (v == ProtocolVersion(0, 10)) {
 SecureConnectionPtr sc(new SecureConnection());
 CodecPtr c(new amqp_0_10::Connection(out, id, false));
- ConnectionPtr i(new broker::Connection(c.get(), broker, id, false));
+ ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, false));
 i->setSecureConnection(sc.get());
 c->setInputHandler(InputPtr(i.release()));
 sc->setCodec(std::auto_ptr<sys::ConnectionCodec>(c));
@@ -50,11 +51,12 @@ SecureConnectionFactory::create(ProtocolVersion v, sys::OutputControl& out, cons
 }
 sys::ConnectionCodec*
-SecureConnectionFactory::create(sys::OutputControl& out, const std::string& id) {
+SecureConnectionFactory::create(sys::OutputControl& out, const std::string& id,
+ unsigned int conn_ssf) {
 // used to create connections from one broker to another
 SecureConnectionPtr sc(new SecureConnection());
 CodecPtr c(new amqp_0_10::Connection(out, id, true));
- ConnectionPtr i(new broker::Connection(c.get(), broker, id, true));
+ ConnectionPtr i(new broker::Connection(c.get(), broker, id, conn_ssf, true ));
 i->setSecureConnection(sc.get());
 c->setInputHandler(InputPtr(i.release()));
 sc->setCodec(std::auto_ptr<sys::ConnectionCodec>(c));
diff --git a/cpp/src/qpid/broker/SecureConnectionFactory.h b/cpp/src/qpid/broker/SecureConnectionFactory.h
index 048fb250d6..b1af6d4a0f 100644
--- a/cpp/src/qpid/broker/SecureConnectionFactory.h
+++ b/cpp/src/qpid/broker/SecureConnectionFactory.h
@@ -33,10 +33,12 @@ class SecureConnectionFactory : public sys::ConnectionCodec::Factory
 SecureConnectionFactory(Broker& b);
 sys::ConnectionCodec*
- create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id);
+ create(framing::ProtocolVersion, sys::OutputControl&, const std::string& id,
+ unsigned int conn_ssf);
 sys::ConnectionCodec*
- create(sys::OutputControl&, const std::string& id);
+ create(sys::OutputControl&, const std::string& id,
+ unsigned int conn_ssf);
 private:
 Broker& broker; |
