From f5e41be93bec9b5556a65292516db07ff845f7d4 Mon Sep 17 00:00:00 2001
From: Gordon Sim <gsim@apache.org>
Date: Fri, 5 Mar 2010 16:51:22 +0000
Subject: QPID-2412: Support for EXTERNAL mechanism on client-authenticated SSL
 connections.

On SSL connection where the clients certificate is authenticated (requires the --ssl-require-client-authentication option at present), the clients identity will be taken from that certificate (it will be the CN with any DCs present appended as the domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of bob@acme.com). This will enable the EXTERNAL mechanism when cyrus sasl is in use.

The client can still negotiate their desired mechanism. There is a new option on the ssl module (--ssl-sasl-no-dict) that allows the options on ssl connections to be restricted to those that are not vulnerable to dictionary attacks (EXTERNAL being the primary example).



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@919487 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/src/qpid/client/Sasl.h | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

(limited to 'cpp/src/qpid/client/Sasl.h')

diff --git a/cpp/src/qpid/client/Sasl.h b/cpp/src/qpid/client/Sasl.h
index 63da37fcb1..56735a5fc3 100644
--- a/cpp/src/qpid/client/Sasl.h
+++ b/cpp/src/qpid/client/Sasl.h
@@ -30,6 +30,7 @@ namespace qpid {
 
 namespace sys {
 class SecurityLayer;
+struct SecuritySettings;
 }
 
 namespace client {
@@ -48,17 +49,10 @@ class Sasl
      *
      * @param mechanisms Comma-separated list of the SASL mechanism the
      *             client supports.
-     * @param ssf  Security Strength Factor (SSF). SSF is used to negotiate
-     *             a SASL security layer on top of the connection should both
-     *             parties require and support it. The value indicates the
-     *             required level of security for communication. Possible
-     *             values are:
-     *             @li 0  No security
-     *             @li 1  Integrity checking only
-     *             @li >1 Integrity and confidentiality with the number
-     *                    giving the encryption key length.
+     * @param externalSecuritySettings security related details from the underlying transport
      */
-    virtual std::string start(const std::string& mechanisms, unsigned int ssf) = 0;
+    virtual std::string start(const std::string& mechanisms,
+                              const qpid::sys::SecuritySettings* externalSecuritySettings = 0) = 0;
     virtual std::string step(const std::string& challenge) = 0;
     virtual std::string getMechanism() = 0;
     virtual std::string getUserId() = 0;
-- 
cgit v1.2.1