Issue #1599: make sslProfile configuration updatable (#1600)
This does not solve #1572. It is part of a series of changes that will
address #1572.
kgiusti authored Oct 1, 2024
1 parent 7462d96 commit eac7c17
Showing 81 changed files with 5,314 additions and 1,553 deletions.
19 changes: 0 additions & 19 deletions include/qpid/dispatch/connection_manager.h
Expand Up @@ -27,24 +27,10 @@
#include "qpid/dispatch/server.h"

typedef struct qd_connection_manager_t qd_connection_manager_t;
typedef struct qd_config_ssl_profile_t qd_config_ssl_profile_t;
typedef struct qd_connection_t qd_connection_t;

typedef void (*qd_connection_manager_handler_t) (void *context, qd_connection_t *conn);

struct qd_config_ssl_profile_t {
DEQ_LINKS(qd_config_ssl_profile_t);
char *name;
char *ssl_password;
char *ssl_trusted_certificate_db;
char *ssl_uid_format;
char *uid_name_mapping_file;
char *ssl_certificate_file;
char *ssl_private_key_file;
char *ssl_ciphers;
char *ssl_protocols;
};

/**
* Allocate a connection manager
*
Expand All @@ -69,9 +55,4 @@ void qd_connection_manager_free(qd_connection_manager_t *cm);
*/
QD_EXPORT void qd_connection_manager_start(qd_dispatch_t *qd);

/**
* Find named qd_config_ssl_profile_t object
*/
qd_config_ssl_profile_t *qd_find_ssl_profile(const qd_connection_manager_t *cm, const char *name);

#endif
1 change: 1 addition & 0 deletions include/qpid/dispatch/protocol_adaptor.h
Expand Up @@ -932,6 +932,7 @@ qdr_connection_info_t *qdr_connection_info(bool is_encrypted,
bool connection_trunking);

void qdr_connection_info_set_group_correlator(qdr_connection_info_t *info, const char *correlator);
void qdr_connection_info_set_tls(qdr_connection_info_t *info, bool enabled, char *version, char *ciphers, int ssf);

void qd_adaptor_listener_init(void);
void qd_adaptor_listener_finalize(void);
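Review bot: The new `qdr_connection_info_set_tls` prototype, added directly below `qdr_connection_info_set_group_correlator`, carries no doc comment and takes `version` and `ciphers` as non-const `char *`, so a caller cannot tell whether the strings are copied or whether ownership of the buffers transfers to the info record; the accessors added in tls_common.h in this same commit (`qd_tls_session_get_protocol_version`/`_ciphers`) return malloc'd strings the caller must free, which makes the question concrete. Suggest a comment above the declaration such as `/** Record the TLS state of a connection. Ownership of version and ciphers (heap strings) transfers to info; pass 0 for either when unknown. ssf is the Security Strength Factor of the negotiated cipher. */`, with the ownership sentence adjusted to what the implementation actually does, which is not visible on this page. Marking the two pointers `const char *` would be the cleaner fix if the implementation copies them.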
12 changes: 1 addition & 11 deletions include/qpid/dispatch/server.h
Expand Up @@ -24,7 +24,6 @@

#include <proton/engine.h>
#include <proton/event.h>
#include <proton/ssl.h>

typedef struct qd_server_t qd_server_t;
typedef struct qd_container_t qd_container_t;
Expand Down Expand Up @@ -108,14 +107,6 @@ typedef enum {
*/
void qd_server_set_container(qd_dispatch_t *qd, struct qd_container_t *container);

/**
* Store address of display name service py object for C code use
*
* @param qd The dispatch handle returned by qd_dispatch.
* @param display_name_service address of python object
*/
qd_error_t qd_register_display_name_service(qd_dispatch_t *qd, void *display_name_service);

pn_proactor_t *qd_server_proactor(const qd_server_t *qd_server);
qd_http_server_t *qd_server_http(const qd_server_t *qd_server);
uint64_t qd_server_allocate_connection_id(qd_server_t *server);
Expand All @@ -130,8 +121,7 @@ typedef struct qd_handler_context_t {
qd_server_event_handler_t handler;
} qd_handler_context_t;

// Use displayName lookup to translate user_id to user name
char *qd_server_query_user_name(const qd_server_t *server, const char *ssl_profile, const char *user_id);

const char *qd_server_get_container_name(const qd_server_t *server);
sys_mutex_t *qd_server_get_activation_lock(qd_server_t *server);

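--- /dev/null
+++ b/include/qpid/dispatch/tls_amqp.h
@@ -0,0 +1,55 @@
+#ifndef __tls_amqp_h__
+#define __tls_amqp_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "qpid/dispatch/tls_common.h"
+
+typedef struct pn_transport_t pn_transport_t;
+
+/**
+ * API for TLS operations specific to Proton AMQP connections.
+ *
+ * Note well: these APIs apply only to TLS config/sessions of type QD_TLS_TYPE_PROTON_AMQP! Proton raw connection based
+ * TLS sessions are not supported. See tls.h and tls_raw_io.h.
+ */
+
+
+/**
+ * Create a new TLS session
+ *
+ * @param config the TLS configuration used to create the session
+ * @param tport transport associated with the session's connection
+ * @param allow_unencrypted if true permit accepting incoming unencrypted connections
+ * @return a new TLS session or 0 on error. If error qd_error() is set.
+ */
+qd_tls_session_t *qd_tls_session_amqp(qd_tls_config_t *config, pn_transport_t *tport, bool allow_unencrypted);
+
+
+/**
+ * Get the user identifier associated with the TLS session.
+ *
+ * @param session the active TLS session to retrieve the user id from.
+ * @return string containing user name if query succeeds else 0. Caller must free() returned user name string when no
+ * longer used.
+ */
+char *qd_tls_session_get_user_id(qd_tls_session_t *session);
+
+#endif
+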
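Review bot: `allow_unencrypted` on `qd_tls_session_amqp` is a security downgrade switch, yet its `@param` line only says it permits unencrypted incoming connections; it does not say what a caller gets back for such a connection or that the flag is meaningful only for listener (server-mode) configs. The header should spell out the contract so adaptor code does not treat a plaintext peer as authenticated, e.g. ` * @param allow_unencrypted if true permit accepting incoming unencrypted connections (server mode only). A session created this way must not be treated as authenticated: no peer certificate is available and qd_tls_session_get_user_id() is expected to return 0.` — the last clause is inferred from the accessor's documented 0-on-failure return and should be confirmed against the implementation. The file also forward-declares `pn_transport_t` with a `typedef`; that is legal only if no included header already typedefs the same name under C99 (a redeclaration is accepted from C11), so a `struct pn_transport_t;` forward declaration would be the more portable form.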
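--- /dev/null
+++ b/include/qpid/dispatch/tls_common.h
@@ -0,0 +1,183 @@
+#ifndef __tls_common_h__
+#define __tls_common_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**@file
+ * Management of TLS configuration and state
+ */
+
+
+#include "qpid/dispatch/log.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+
+typedef struct qd_tls_config_t qd_tls_config_t; // run-time TLS configuration state
+typedef struct qd_tls_session_t qd_tls_session_t; // per connection TLS state
+typedef struct qd_ssl2_profile_t qd_ssl2_profile_t; // sslProfile configuration record
+
+// Proton has two different TLS implementations: one for AMQP and a buffer-based one for use with Raw Connections:
+typedef enum {
+    QD_TLS_TYPE_NONE = 0, // unset
+    QD_TLS_TYPE_PROTON_AMQP, // for use with AMQP transport
+    QD_TLS_TYPE_PROTON_RAW, // use raw connection/qd_buffer_t interface
+} qd_tls_type_t;
+
+typedef enum {
+    QD_TLS_CONFIG_MODE_NONE = 0, // unset
+    QD_TLS_CONFIG_SERVER_MODE, // Operate as a TLS server (i.e. listener socket)
+    QD_TLS_CONFIG_CLIENT_MODE, // Operate as an TLS client (i.e. outgoing connections)
+} qd_tls_config_mode_t;
+
+// sslProfile configuration record
+struct qd_ssl2_profile_t {
+    char *ciphers;
+    char *protocols;
+    char *trusted_certificate_db;
+    char *certificate_file;
+    char *private_key_file;
+    char *password;
+
+    /**
+     * Holds the list of component fields of the client certificate from which a unique identifier is constructed. For
+     * e.g, this field could have the format of 'cou' indicating that the uid will consist of c - common name
+     * concatenated with o - organization-company name concatenated with u - organization unit
+     *
+     * Allowed values can be any combination of the comma separated codes (no duplicates):
+     * 'c'( ISO3166 two character country code),
+     * 's'(state or province),
+     * 'l'(Locality; generally - city),
+     * 'o'(Organization - Company Name),
+     * 'u'(Organization Unit - typically certificate type or brand),
+     * 'n'(CommonName - typically a user name for client certificates)
+     *
+     * and one of the following:
+     * '1'(sha1 certificate fingerprint, the fingerprint, as displayed in the fingerprints section when looking at a certificate
+     * with say a web browser is the hash of the entire certificate in DER form)
+     * '2'(sha256 certificate fingerprint)
+     * '5'(sha512 certificate fingerprint)
+     */
+    char *uid_format;
+
+    /**
+     * Full path to the file that contains the uid to display name mapping.
+     */
+    char *uid_name_mapping_file;
+
+    /**
+     * version: Version assigned to the current configuration
+     * oldest_valid_version: Previous sslProfile updates with versions values < oldest_valid_version have expired.
+     */
+    long version;
+    long oldest_valid_version;
+};
+
+/**
+ * Create a new TLS qd_tls_config_t instance with the given configuration
+ *
+ * @param ssl_profile_name the name of the sslProfile configuration to use
+ * @param p_type protocol type for the child connections (TCP or AMQP)
+ * @param mode the operational use case (TLS Server or Client)
+ * @param verify_hostname enforce host name checking (Client mode)
+ * @param authenticate_peer validate peer's certificate (Server mode)
+ *
+ * @return a new qd_tls_config_t instance or 0 on error. qd_error() set if error.
+ */
+qd_tls_config_t *qd_tls_config(const char *ssl_profile_name,
+                               qd_tls_type_t p_type,
+                               qd_tls_config_mode_t mode,
+                               bool verify_hostname,
+                               bool authenticate_peer);
+
+
+/**
+ * Release a reference to the qd_tls_config_t
+ *
+ * @param config to be released. The config pointer must no longer be referenced
+ */
+void qd_tls_config_decref(qd_tls_config_t *config);
+
+
+/**
+ * Release a TLS session context.
+ *
+ * See the session constructor API in tls_amqp.h and tls_raw.h
+ *
+ * @param session the session to free. It must no longer be referenced after this call.
+ */
+void qd_tls_session_free(qd_tls_session_t *session);
+
+
+/**
+ * Get the version of TLS in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing the TLS version description. Returned string buffer must be free()d by
+ * caller. Return 0 if version not known.
+ */
+char *qd_tls_session_get_protocol_version(const qd_tls_session_t *session);
+
+/**
+ * Get the cipher in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing a description of the active cipher. Returned string buffer must be free()d
+ * by caller. Return 0 if version not known.
+ */
+char *qd_tls_session_get_protocol_ciphers(const qd_tls_session_t *session);
+
+/**
+ * Get the Security Strength Factor (SSF) of the Cipher in use by the session
+ *
+ * @param session to be queried.
+ * @return the SSF value of the session
+ */
+int qd_tls_session_get_ssf(const qd_tls_session_t *session);
+
+
+/**
+ * Fill out the given *profile with the configuration from the named sslProfile record.
+ *
+ * @param the name of the sslProfile
+ * @param a pointer to an uninitialized qd_ssl2_profile_t instance.
+ * @return a pointer to the passed in qd_ssl2_profile_t on success else 0. Use qd_tls_cleanup_ssl_profile() release
+ * resources in use by *profile when done.
+ */
+qd_ssl2_profile_t *qd_tls_read_ssl_profile(const char *ssl_profile_name, qd_ssl2_profile_t *profile);
+
+/**
+ * Release any resources allocated by qd_tls_get_ssl_profile() and reset the profile.
+ *
+ * @param a pointer to an qd_ssl2_profile_t instance initialized by qd_tls_read_ssl_profile().
+ *
+ * Note this only releases internal resources associated with the profile, the memory pointed to by *profile is owned
+ * by the caller.
+ */
+void qd_tls_cleanup_ssl_profile(qd_ssl2_profile_t *profile);
+
+
+// Module initialization/finalization
+void qd_tls_initialize(void);
+void qd_tls_finalize(void);
+
+#endif
+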
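Review bot: The doc comment on `qd_tls_cleanup_ssl_profile` refers to `qd_tls_get_ssl_profile()`, a function this header never declares; the initializer it pairs with is `qd_tls_read_ssl_profile()` declared just above, so the line should read ` * Release any resources allocated by qd_tls_read_ssl_profile() and reset the profile.`. Because `qd_ssl2_profile_t` carries the private-key `password` as a plain heap string, that same comment should also state whether cleanup scrubs it before freeing (e.g. ` * The password buffer is zeroed before release.`), and the implementation, not visible here, should do so with a non-elidable clear such as `explicit_bzero` rather than `memset` before `free`. Two smaller slips in the same section: `qd_tls_session_get_protocol_ciphers` says `Return 0 if version not known` where it means the cipher, and the `@param` tags on `qd_tls_read_ssl_profile` and `qd_tls_cleanup_ssl_profile` omit the parameter names (`@param ssl_profile_name`, `@param profile`), so Doxygen will not attach them.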
