Showing
81 changed files
with
5,314 additions
and
1,553 deletions.
@@ -0,0 +1,55 @@ | ||
#ifndef __tls_amqp_h__ | ||
#define __tls_amqp_h__ 1 | ||
/* | ||
* Licensed to the Apache Software Foundation (ASF) under one | ||
* or more contributor license agreements. See the NOTICE file | ||
* distributed with this work for additional information | ||
* regarding copyright ownership. The ASF licenses this file | ||
* to you under the Apache License, Version 2.0 (the | ||
* "License"); you may not use this file except in compliance | ||
* with the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
#include "qpid/dispatch/tls_common.h" | ||
|
||
typedef struct pn_transport_t pn_transport_t; | ||
|
||
/** | ||
* API for TLS operations specific to Proton AMQP connections. | ||
* | ||
* Note well: these APIs apply only to TLS config/sessions of type QD_TLS_TYPE_PROTON_AMQP! Proton raw connection based | ||
* TLS sessions are not supported. See tls.h and tls_raw_io.h. | ||
*/ | ||
|
||
|
||
/** | ||
* Create a new TLS session | ||
* | ||
* @param config the TLS configuration used to create the session | ||
* @param tport transport associated with the session's connection | ||
* @param allow_unencrypted if true permit accepting incoming unencrypted connections | ||
* @return a new TLS session or 0 on error. If error qd_error() is set. | ||
*/ | ||
qd_tls_session_t *qd_tls_session_amqp(qd_tls_config_t *config, pn_transport_t *tport, bool allow_unencrypted); | ||
|
||
|
||
/** | ||
* Get the user identifier associated with the TLS session. | ||
* | ||
* @param session the active TLS session to retrieve the user id from. | ||
* @return string containing user name if query succeeds else 0. Caller must free() returned user name string when no | ||
* longer used. | ||
*/ | ||
char *qd_tls_session_get_user_id(qd_tls_session_t *session); | ||
|
||
#endif | ||
|
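Review bot: The include guard `__tls_amqp_h__` (and `__tls_common_h__` in the second header) is an identifier beginning with a double underscore, which the C standard reserves for the implementation; a project-prefixed guard such as `QD_TLS_AMQP_H` avoids that. The security-relevant part of this API is the `allow_unencrypted` flag on `qd_tls_session_amqp`, and its docstring leaves the contract underspecified: "permit accepting incoming unencrypted connections" reads as server-mode only, but nothing says what the function does when the flag is true on a client-mode config, which a caller needs to know before passing it. I would also state ownership where the constructor is declared, extending the `@return` line to `@return a new TLS session or 0 on error (qd_error() is set). The session must be released with qd_tls_session_free().`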
@@ -0,0 +1,183 @@ | ||
#ifndef __tls_common_h__ | ||
#define __tls_common_h__ 1 | ||
/* | ||
* Licensed to the Apache Software Foundation (ASF) under one | ||
* or more contributor license agreements. See the NOTICE file | ||
* distributed with this work for additional information | ||
* regarding copyright ownership. The ASF licenses this file | ||
* to you under the Apache License, Version 2.0 (the | ||
* "License"); you may not use this file except in compliance | ||
* with the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
/**@file | ||
* Management of TLS configuration and state | ||
*/ | ||
|
||
|
||
#include "qpid/dispatch/log.h" | ||
|
||
#include <stdbool.h> | ||
#include <stddef.h> | ||
#include <stdint.h> | ||
|
||
|
||
typedef struct qd_tls_config_t qd_tls_config_t; // run-time TLS configuration state | ||
typedef struct qd_tls_session_t qd_tls_session_t; // per connection TLS state | ||
typedef struct qd_ssl2_profile_t qd_ssl2_profile_t; // sslProfile configuration record | ||
|
||
// Proton has two different TLS implementations: one for AMQP and a buffer-based one for use with Raw Connections: | ||
typedef enum { | ||
QD_TLS_TYPE_NONE = 0, // unset | ||
QD_TLS_TYPE_PROTON_AMQP, // for use with AMQP transport | ||
QD_TLS_TYPE_PROTON_RAW, // use raw connection/qd_buffer_t interface | ||
} qd_tls_type_t; | ||
|
||
typedef enum { | ||
QD_TLS_CONFIG_MODE_NONE = 0, // unset | ||
QD_TLS_CONFIG_SERVER_MODE, // Operate as a TLS server (i.e. listener socket) | ||
QD_TLS_CONFIG_CLIENT_MODE, // Operate as an TLS client (i.e. outgoing connections) | ||
} qd_tls_config_mode_t; | ||
|
||
// sslProfile configuration record | ||
struct qd_ssl2_profile_t { | ||
char *ciphers; | ||
char *protocols; | ||
char *trusted_certificate_db; | ||
char *certificate_file; | ||
char *private_key_file; | ||
char *password; | ||
|
||
/** | ||
* Holds the list of component fields of the client certificate from which a unique identifier is constructed. For | ||
* e.g, this field could have the format of 'cou' indicating that the uid will consist of c - common name | ||
* concatenated with o - organization-company name concatenated with u - organization unit | ||
* | ||
* Allowed values can be any combination of the comma separated codes (no duplicates): | ||
* 'c'( ISO3166 two character country code), | ||
* 's'(state or province), | ||
* 'l'(Locality; generally - city), | ||
* 'o'(Organization - Company Name), | ||
* 'u'(Organization Unit - typically certificate type or brand), | ||
* 'n'(CommonName - typically a user name for client certificates) | ||
* | ||
* and one of the following: | ||
* '1'(sha1 certificate fingerprint, the fingerprint, as displayed in the fingerprints section when looking at a certificate | ||
* with say a web browser is the hash of the entire certificate in DER form) | ||
* '2'(sha256 certificate fingerprint) | ||
* '5'(sha512 certificate fingerprint) | ||
*/ | ||
char *uid_format; | ||
|
||
/** | ||
* Full path to the file that contains the uid to display name mapping. | ||
*/ | ||
char *uid_name_mapping_file; | ||
|
||
/** | ||
* version: Version assigned to the current configuration | ||
* oldest_valid_version: Previous sslProfile updates with versions values < oldest_valid_version have expired. | ||
*/ | ||
long version; | ||
long oldest_valid_version; | ||
}; | ||
|
||
/** | ||
* Create a new TLS qd_tls_config_t instance with the given configuration | ||
* | ||
* @param ssl_profile_name the name of the sslProfile configuration to use | ||
* @param p_type protocol type for the child connections (TCP or AMQP) | ||
* @param mode the operational use case (TLS Server or Client) | ||
* @param verify_hostname enforce host name checking (Client mode) | ||
* @param authenticate_peer validate peer's certificate (Server mode) | ||
* | ||
* @return a new qd_tls_config_t instance or 0 on error. qd_error() set if error. | ||
*/ | ||
qd_tls_config_t *qd_tls_config(const char *ssl_profile_name, | ||
qd_tls_type_t p_type, | ||
qd_tls_config_mode_t mode, | ||
bool verify_hostname, | ||
bool authenticate_peer); | ||
|
||
|
||
/** | ||
* Release a reference to the qd_tls_config_t | ||
* | ||
* @param config to be released. The config pointer must no longer be referenced | ||
*/ | ||
void qd_tls_config_decref(qd_tls_config_t *config); | ||
|
||
|
||
/** | ||
* Release a TLS session context. | ||
* | ||
* See the session constructor API in tls_amqp.h and tls_raw.h | ||
* | ||
* @param session the session to free. It must no longer be referenced after this call. | ||
*/ | ||
void qd_tls_session_free(qd_tls_session_t *session); | ||
|
||
|
||
/** | ||
* Get the version of TLS in use by the session. | ||
* | ||
* @param session to be queried. | ||
* @return Null terminated string containing the TLS version description. Returned string buffer must be free()d by | ||
* caller. Return 0 if version not known. | ||
*/ | ||
char *qd_tls_session_get_protocol_version(const qd_tls_session_t *session); | ||
|
||
/** | ||
* Get the cipher in use by the session. | ||
* | ||
* @param session to be queried. | ||
* @return Null terminated string containing a description of the active cipher. Returned string buffer must be free()d | ||
* by caller. Return 0 if version not known. | ||
*/ | ||
char *qd_tls_session_get_protocol_ciphers(const qd_tls_session_t *session); | ||
|
||
/** | ||
* Get the Security Strength Factor (SSF) of the Cipher in use by the session | ||
* | ||
* @param session to be queried. | ||
* @return the SSF value of the session | ||
*/ | ||
int qd_tls_session_get_ssf(const qd_tls_session_t *session); | ||
|
||
|
||
/** | ||
* Fill out the given *profile with the configuration from the named sslProfile record. | ||
* | ||
* @param the name of the sslProfile | ||
* @param a pointer to an uninitialized qd_ssl2_profile_t instance. | ||
* @return a pointer to the passed in qd_ssl2_profile_t on success else 0. Use qd_tls_cleanup_ssl_profile() release | ||
* resources in use by *profile when done. | ||
*/ | ||
qd_ssl2_profile_t *qd_tls_read_ssl_profile(const char *ssl_profile_name, qd_ssl2_profile_t *profile); | ||
|
||
/** | ||
* Release any resources allocated by qd_tls_get_ssl_profile() and reset the profile. | ||
* | ||
* @param a pointer to an qd_ssl2_profile_t instance initialized by qd_tls_read_ssl_profile(). | ||
* | ||
* Note this only releases internal resources associated with the profile, the memory pointed to by *profile is owned | ||
* by the caller. | ||
*/ | ||
void qd_tls_cleanup_ssl_profile(qd_ssl2_profile_t *profile); | ||
|
||
|
||
// Module initialization/finalization | ||
void qd_tls_initialize(void); | ||
void qd_tls_finalize(void); | ||
|
||
#endif | ||
|
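Review bot: The comment on `qd_tls_cleanup_ssl_profile` refers to `qd_tls_get_ssl_profile()`, which is not declared in this header; the initializer it pairs with is `qd_tls_read_ssl_profile()`, so the line should read `Release any resources allocated by qd_tls_read_ssl_profile() and reset the profile.` The two `@param` tags on `qd_tls_read_ssl_profile` carry no parameter name (`@param the name of the sslProfile`), which Doxygen will bind to a parameter literally named `the`; they should be `@param ssl_profile_name the name of the sslProfile` and `@param profile a pointer to an uninitialized qd_ssl2_profile_t instance.` The `@return` of `qd_tls_session_get_protocol_ciphers` still says `Return 0 if version not known`, copied from the protocol-version getter. Since `qd_ssl2_profile_t` carries a plaintext `password` string, the cleanup contract should also say whether that buffer is scrubbed before it is freed, so callers do not assume a plain free() of a secret is all that happens.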