Posted to commits@qpid.apache.org by kg...@apache.org on 2012/09/19 23:35:44 UTC
svn commit: r1387781 - in /qpid/proton/branches/openssl: examples/mailbox/
proton-c/bindings/python/ proton-c/include/proton/ proton-c/src/
proton-c/src/ssl/
Author: kgiusti
Date: Wed Sep 19 21:35:43 2012
New Revision: 1387781
URL: http://svn.apache.org/viewvc?rev=1387781&view=rev
Log:
PROTON-2: updates based on review input.
Modified:
qpid/proton/branches/openssl/examples/mailbox/fetch
qpid/proton/branches/openssl/examples/mailbox/post
qpid/proton/branches/openssl/examples/mailbox/server
qpid/proton/branches/openssl/proton-c/bindings/python/python.i
qpid/proton/branches/openssl/proton-c/include/proton/driver.h
qpid/proton/branches/openssl/proton-c/include/proton/ssl.h
qpid/proton/branches/openssl/proton-c/src/driver.c
qpid/proton/branches/openssl/proton-c/src/ssl/openssl.c
qpid/proton/branches/openssl/proton-c/src/ssl/ssl-internal.h
qpid/proton/branches/openssl/proton-c/src/ssl/ssl_stub.c
Modified: qpid/proton/branches/openssl/examples/mailbox/fetch
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/examples/mailbox/fetch?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/examples/mailbox/fetch (original)
+++ qpid/proton/branches/openssl/examples/mailbox/fetch Wed Sep 19 21:35:43 2012
@@ -87,7 +87,9 @@ class FetchClient(object):
if self.ca_database:
self.log("Using SSL, CA database = %s" % self.ca_database)
- ssl_client = pn_connector_ssl(self.cxtr)
+ transport = pn_connector_transport(self.cxtr);
+ assert(transport);
+ ssl_client = pn_ssl(transport)
assert(ssl_client)
rc = pn_ssl_set_trusted_ca_db(ssl_client, self.ca_database)
assert(rc == 0)
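Review bot: The new `assert(transport);` is the only guard against a connector with no transport, and Python drops `assert` statements under `-O`, so an optimized run would hand `None` straight to `pn_ssl()` instead of failing at the check; the trailing semicolons on both added lines are also C habits rather than Python. Fail explicitly instead: `if not transport: raise RuntimeError("connector has no transport")`, and the same applies to the existing `assert(ssl_client)` that now follows it. The SSL setup in this method continues past the end of the hunk.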
Modified: qpid/proton/branches/openssl/examples/mailbox/post
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/examples/mailbox/post?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/examples/mailbox/post (original)
+++ qpid/proton/branches/openssl/examples/mailbox/post Wed Sep 19 21:35:43 2012
@@ -88,7 +88,9 @@ class PostClient(object):
if self.ca_database:
self.log("Using SSL, CA database = %s" % self.ca_database)
- ssl_client = pn_connector_ssl(self.cxtr)
+ transport = pn_connector_transport(self.cxtr);
+ assert(transport);
+ ssl_client = pn_ssl(transport)
assert(ssl_client)
rc = pn_ssl_set_trusted_ca_db(ssl_client, self.ca_database)
assert(rc == 0)
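Review bot: As in fetch, `assert(transport);` and the `assert(rc == 0)` that follows are stripped under `python -O`, so a missing transport or a failed `pn_ssl_set_trusted_ca_db` would surface only later, presumably as a handshake failure or a crash rather than at the point of configuration. Replace them with explicit checks such as `if not transport: raise RuntimeError("connector has no transport")` and drop the C-style trailing semicolons on the two added lines. The method body runs beyond the hunk.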
Modified: qpid/proton/branches/openssl/examples/mailbox/server
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/examples/mailbox/server?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/examples/mailbox/server (original)
+++ qpid/proton/branches/openssl/examples/mailbox/server Wed Sep 19 21:35:43 2012
@@ -138,8 +138,12 @@ class MailboxServer(object):
# configure SSL
if self.certificate_file:
- ssl_server = pn_connector_ssl(cxtr)
+ transport = pn_connector_transport(cxtr);
+ assert(transport);
+ ssl_server = pn_ssl(transport)
assert(ssl_server)
+ rc = pn_ssl_init(ssl_server, PN_SSL_MODE_SERVER);
+ assert(rc == 0)
rc = pn_ssl_set_credentials(ssl_server,
self.certificate_file,
self.certificate_key_file,
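Review bot: The added `pn_ssl_init(ssl_server, PN_SSL_MODE_SERVER)` has to come before `pn_ssl_set_credentials`, because `pn_ssl_init` frees and recreates the SSL context (see the openssl.c hunk in this commit), and the example gets the order right without saying why; a one-line comment would stop a later edit from reordering them: `# set server mode before loading credentials: pn_ssl_init() recreates the SSL context`. Server mode also defaults to no client-certificate verification (`SSL_VERIFY_NONE` in the same hunk), so if the mailbox server is meant to authenticate clients it needs an explicit `pn_ssl_set_peer_authentication` call, and either way the intent should be stated next to the init. The C-style trailing semicolons on the new lines can go. The credentials call continues past the end of the hunk.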
Modified: qpid/proton/branches/openssl/proton-c/bindings/python/python.i
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/bindings/python/python.i?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/bindings/python/python.i (original)
+++ qpid/proton/branches/openssl/proton-c/bindings/python/python.i Wed Sep 19 21:35:43 2012
@@ -6,7 +6,7 @@
#include <proton/sasl.h>
#include <proton/driver.h>
#include <proton/messenger.h>
-#include <proton/ssl.h>
+#include <proton/ssl.h>
%}
typedef unsigned int size_t;
Modified: qpid/proton/branches/openssl/proton-c/include/proton/driver.h
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/include/proton/driver.h?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/include/proton/driver.h (original)
+++ qpid/proton/branches/openssl/proton-c/include/proton/driver.h Wed Sep 19 21:35:43 2012
@@ -309,12 +309,12 @@ void *pn_connector_context(pn_connector_
*/
void pn_connector_set_context(pn_connector_t *connector, void *context);
-/** Access the SSL/TLS context of the connector.
+/** Access the transport used by this connector.
*
- * @param[in] connector connector whose SSL/TLS context will be returned
- * @return the SSL/TLS context for the connector, or NULL if none
+ * @param[in] connector connector whose transport will be returned
+ * @return the transport, or NULL if none
*/
-pn_ssl_t *pn_connector_ssl(pn_connector_t *connector);
+pn_transport_t *pn_connector_transport(pn_connector_t *connector);
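Review bot: The new comment for `pn_connector_transport` removes the only place driver.h documented how a connector's SSL role was chosen, and with `pn_connector_ssl` gone nothing selects server mode for listener-accepted connectors any more (driver.c hunk), so a reader of this header has no pointer to the replacement. Add to the comment: ` * To configure SSL/TLS, pass the returned transport to pn_ssl(); connectors accepted by a listener must additionally call pn_ssl_init(..., PN_SSL_MODE_SERVER).` If the transport remains owned by the connector and must not be freed by the caller, say so too; I cannot confirm that contract from this diff.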
/** Close the socket used by the connector.
*
Modified: qpid/proton/branches/openssl/proton-c/include/proton/ssl.h
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/include/proton/ssl.h?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/include/proton/ssl.h (original)
+++ qpid/proton/branches/openssl/proton-c/include/proton/ssl.h Wed Sep 19 21:35:43 2012
@@ -53,6 +53,35 @@ extern "C" {
typedef struct pn_ssl_t pn_ssl_t;
+/** Get the SSL object associated with a transport.
+ *
+ * This method returns the SSL object associated with the transport. If no SSL object
+ * exists, one will be allocated and returned. A transport must have a configured SSL
+ * object in order to "speak" SSL over its connection.
+ *
+ * By default, a new SSL object is configured to be a Client. Use :pn_ssl_init to change
+ * the SSL object's mode to Server if desired.
+ *
+ * @return a pointer to the SSL object configured for this transport. Returns NULL if SSL
+ * cannot be provided, which would occur if no SSL support is available.
+ */
+pn_ssl_t *pn_ssl(pn_transport_t *transport);
+
+/** Initialize the pn_ssl_t object.
+ *
+ * An SSL object be either an SSL server or an SSL client. It cannot be both. Those
+ * transports that will be used to accept incoming connection requests must be configured
+ * as an SSL server. Those transports that will be used to initiate outbound connections
+ * must be configured as an SSL client.
+ *
+ * @return 0 if configuration succeeded, else an error code.
+ */
+typedef enum {
+ PN_SSL_MODE_CLIENT=1, /**< Local connection endpoint is an SSL client */
+ PN_SSL_MODE_SERVER /**< Local connection endpoint is an SSL server */
+} pn_ssl_mode_t;
+int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode);
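Review bot: The doc block for `pn_ssl_init` sits above the `typedef enum`, so Doxygen attaches it to `pn_ssl_mode_t` rather than to the function, and it has a typo (`An SSL object be either` → `must be either`) and no `@param` entries. It should also record the security-relevant behaviour the openssl.c hunk establishes: a client defaults to verifying the peer, a server defaults to `PN_SSL_NO_VERIFY_PEER`, and changing the mode replaces the SSL context, so credentials and a trusted-CA database presumably loaded into the old context are discarded and must be set after `pn_ssl_init`. The `@return` promises "an error code" but the only implementation returns `-1`; say `-1 on error` or define the codes. Move the comment below the enum and add `@param[in] ssl the SSL object to configure` and `@param[in] mode PN_SSL_MODE_CLIENT or PN_SSL_MODE_SERVER; set it before loading credentials`.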
+
/** Set the certificate that identifies the local node to the remote.
*
* This certificate establishes the identity for the local node. It will be sent to the
Modified: qpid/proton/branches/openssl/proton-c/src/driver.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/src/driver.c?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/src/driver.c (original)
+++ qpid/proton/branches/openssl/proton-c/src/driver.c Wed Sep 19 21:35:43 2012
@@ -392,15 +392,9 @@ pn_sasl_t *pn_connector_sasl(pn_connecto
return ctor ? ctor->sasl : NULL;
}
-pn_ssl_t *pn_connector_ssl(pn_connector_t *ctor)
+pn_transport_t *pn_connector_transport(pn_connector_t *ctor)
{
- if (ctor) {
- // use server mode SSL if this connector was created by a listener
- if (ctor->listener)
- return pn_ssl_server(ctor->transport);
- return pn_ssl_client(ctor->transport);
- }
- return NULL;
+ return ctor ? ctor->transport : NULL;
}
void pn_connector_set_connection(pn_connector_t *ctor, pn_connection_t *connection)
Modified: qpid/proton/branches/openssl/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/src/ssl/openssl.c?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/branches/openssl/proton-c/src/ssl/openssl.c Wed Sep 19 21:35:43 2012
@@ -43,13 +43,12 @@
static int ssl_initialized;
-typedef enum { SSL_MODE_CLIENT, SSL_MODE_SERVER } ssl_mode_t;
typedef enum { UNKNOWN_CONNECTION, SSL_CONNECTION, CLEAR_CONNECTION } connection_mode_t;
struct pn_ssl_t {
SSL_CTX *ctx;
SSL *ssl;
- ssl_mode_t mode;
+ pn_ssl_mode_t mode;
bool allow_unsecured;
bool ca_db; // true when CA database configured
char *keyfile_pw;
@@ -178,9 +177,9 @@ int pn_ssl_set_credentials( pn_ssl_t *ss
const char *private_key_file,
const char *password)
{
- if (!ssl) return 0;
+ if (!ssl) return -1;
if (ssl->ssl) {
- _log_error("Error: attempting to set credentials after SSL connection initialized.\n");
+ _log_error("Error: attempting to set credentials while SSL in use.\n");
return -1;
}
@@ -245,7 +244,7 @@ int pn_ssl_set_trusted_ca_db(pn_ssl_t *s
int pn_ssl_allow_unsecured_client(pn_ssl_t *ssl)
{
if (ssl) {
- if (ssl->mode != SSL_MODE_SERVER) {
+ if (ssl->mode != PN_SSL_MODE_SERVER) {
_log_error("Cannot permit unsecured clients - not a server.\n");
return -1;
}
@@ -271,7 +270,7 @@ int pn_ssl_set_peer_authentication(pn_ss
switch (mode) {
case PN_SSL_VERIFY_PEER:
- if (ssl->mode == SSL_MODE_SERVER) {
+ if (ssl->mode == PN_SSL_MODE_SERVER) {
// openssl requires that server connections supply a list of trusted CAs which is
// sent to the client
if (!trusted_CAs) {
@@ -336,57 +335,54 @@ int pn_ssl_get_peer_authentication(pn_ss
}
-pn_ssl_t *pn_ssl_server(pn_transport_t *transport)
+int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
{
- if (!transport) return NULL;
- if (transport->ssl) {
- if (transport->ssl->mode != SSL_MODE_SERVER) {
- _log_error("Error: transport already configured as a client.\n");
- return NULL;
- }
- return transport->ssl;
+ if (!ssl) return -1;
+ if (ssl->mode == mode) return 0; // already set
+ if (ssl->ssl) {
+ _log_error("Unable to change mode once SSL is active.\n");
+ return -1;
}
- if (!ssl_initialized) {
- ssl_initialized = 1;
- SSL_library_init();
- SSL_load_error_strings();
- }
+ // if changing the mode from the default, must release old context
+ if (ssl->ctx) SSL_CTX_free( ssl->ctx );
- pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t));
- if (!ssl) return NULL;
+ switch (mode) {
+ case PN_SSL_MODE_CLIENT:
+ _log( ssl, "Setting up Client SSL object.\n" );
+ ssl->ctx = SSL_CTX_new(SSLv23_client_method());
+ if (!ssl->ctx) {
+ _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
+ return -1;
+ }
+ // default: always verify the remote server
+ ssl->verify_mode = PN_SSL_VERIFY_PEER;
+ SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL );
+#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+ SSL_CTX_set_verify_depth(ssl->ctx, 1);
+#endif
+ break;
- ssl->ctx = SSL_CTX_new(SSLv23_server_method());
- if (!ssl->ctx) {
- _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
- free(ssl);
- return NULL;
+ case PN_SSL_MODE_SERVER:
+ _log( ssl, "Setting up Server SSL object.\n" );
+ ssl->ctx = SSL_CTX_new(SSLv23_server_method());
+ if (!ssl->ctx) {
+ _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
+ return -1;
+ }
+ // default: no client authentication
+ ssl->verify_mode = PN_SSL_NO_VERIFY_PEER;
+ SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_NONE, NULL );
+ ssl->mode = PN_SSL_MODE_SERVER;
+ break;
}
- ssl->verify_mode = PN_SSL_NO_VERIFY_PEER;
- SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_NONE, NULL ); // default: no client authentication
-
- ssl->mode = SSL_MODE_SERVER;
- ssl->transport = transport;
- ssl->process_input = process_input_ssl;
- ssl->process_output = process_output_ssl;
- transport->ssl = ssl;
-
- ssl->trace = PN_TRACE_OFF;
-
- _log( ssl, "Setting up Server SSL connection.\n" );
- return ssl;
+ return 0;
}
-pn_ssl_t *pn_ssl_client(pn_transport_t *transport)
+pn_ssl_t *pn_ssl(pn_transport_t *transport)
{
if (!transport) return NULL;
- if (transport->ssl) {
- if (transport->ssl->mode != SSL_MODE_CLIENT) {
- _log_error("Error: transport already configured as a server.\n");
- return NULL;
- }
- return transport->ssl;
- }
+ if (transport->ssl) return transport->ssl;
if (!ssl_initialized) {
ssl_initialized = 1;
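Review bot: `pn_ssl_init` never records the mode in the client branch — only the `PN_SSL_MODE_SERVER` case assigns `ssl->mode` — so after `pn_ssl()` the object still holds the zero value from `calloc`, the `ssl->mode == mode` shortcut never fires for `PN_SSL_MODE_CLIENT`, and any later `pn_ssl_init(ssl, PN_SSL_MODE_CLIENT)` silently frees and rebuilds the context, dropping whatever credentials or trusted-CA database were loaded into it (the `ca_db` flag is not reset either). A mode value outside the enum is also unhandled: the old context is freed, the `switch` matches nothing, and the function returns 0 with `ssl->ctx` dangling. Validate the mode before freeing anything, null the pointer after `SSL_CTX_free`, and set `ssl->mode` once for both branches, as below. Separately, `SSLv23_*_method()` will negotiate SSLv2/SSLv3 unless `SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` is applied to each new context, and `strerror(errno)` does not describe OpenSSL failures — `ERR_get_error()` does.
```c
int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
{
  if (!ssl) return -1;
  if (mode != PN_SSL_MODE_CLIENT && mode != PN_SSL_MODE_SERVER) {
    _log_error("Invalid SSL mode: %d\n", (int)mode);
    return -1;
  }
  if (ssl->mode == mode) return 0; // already set
  if (ssl->ssl) {
    _log_error("Unable to change mode once SSL is active.\n");
    return -1;
  }

  // changing mode replaces the context: anything loaded into it is gone
  if (ssl->ctx) SSL_CTX_free( ssl->ctx );
  ssl->ctx = NULL;
  ssl->ca_db = false;
  ssl->mode = mode;

  switch (mode) {
  case PN_SSL_MODE_CLIENT:
    /* … unchanged: client SSL_CTX_new and verify defaults … */
    break;
  case PN_SSL_MODE_SERVER:
    /* … unchanged: server SSL_CTX_new and verify defaults … */
    break;
  default:
    return -1; // unreachable after the check above
  }
  return 0;
}
```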
@@ -397,20 +393,6 @@ pn_ssl_t *pn_ssl_client(pn_transport_t *
pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t));
if (!ssl) return NULL;
- ssl->ctx = SSL_CTX_new(SSLv23_client_method());
- if (!ssl->ctx) {
- _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
- free(ssl);
- return NULL;
- }
- ssl->verify_mode = PN_SSL_VERIFY_PEER;
- SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL );
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ssl->ctx, 1);
-#endif
-
- ssl->mode = SSL_MODE_CLIENT;
-
ssl->transport = transport;
ssl->process_input = process_input_ssl;
ssl->process_output = process_output_ssl;
@@ -418,10 +400,15 @@ pn_ssl_t *pn_ssl_client(pn_transport_t *
ssl->trace = PN_TRACE_OFF;
- _log( ssl, "Setting up Client SSL connection.\n" );
+ // default mode is client
+ if (pn_ssl_init(ssl, PN_SSL_MODE_CLIENT)) {
+ free(ssl);
+ return NULL;
+ }
return ssl;
}
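Review bot: When `pn_ssl_init` fails here the object is freed, but if the line just before this hunk has already stored it in `transport->ssl` (the previous hunk sets `ssl->transport = transport`, and the removed server path did `transport->ssl = ssl` at the same point), the transport is left with a dangling pointer that the next `pn_ssl()` call will happily return. Either run `pn_ssl_init` before publishing the object on the transport or clear it on failure: `transport->ssl = NULL;` before `free(ssl)`. I cannot see the intervening line, so confirm the assignment order.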
+
void pn_ssl_free( pn_ssl_t *ssl)
{
if (!ssl) return;
@@ -711,7 +698,7 @@ static int init_ssl_socket( pn_ssl_t *ss
}
SSL_set_bio(ssl->ssl, ssl->bio_ssl_io, ssl->bio_ssl_io);
- if (ssl->mode == SSL_MODE_SERVER) {
+ if (ssl->mode == PN_SSL_MODE_SERVER) {
SSL_set_accept_state(ssl->ssl);
BIO_set_ssl_mode(ssl->bio_ssl, 0); // server mode
_log( ssl, "Server SSL socket created.\n" );
Modified: qpid/proton/branches/openssl/proton-c/src/ssl/ssl-internal.h
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/src/ssl/ssl-internal.h?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/src/ssl/ssl-internal.h (original)
+++ qpid/proton/branches/openssl/proton-c/src/ssl/ssl-internal.h Wed Sep 19 21:35:43 2012
@@ -32,54 +32,9 @@
*
*/
-/** Get the SSL server object associated with a transport.
- *
- * A transport may be configured to be either an SSL server or an SSL client. Those
- * transports that will be used to accept incoming connections must be configured as an
- * SSL server.
- *
- * @return a pointer to the SSL server object configured for this transport. Returns NULL
- * if the server cannot be configured, which would occur if no SSL support is available,
- * or the transport has already been configured as an SSL client.
- */
-pn_ssl_t *pn_ssl_server(pn_transport_t *transport);
-
-/** Get the SSL client object associated with a transport.
- *
- * A transport may be configured to be either an SSL server or an SSL client. Those
- * transports that will be used to initiate outbound connections must be configured as an
- * SSL client.
- *
- * @return a pointer to the SSL client object configured for this transport. Returns NULL
- * if the client cannot be configured, which would occur if no SSL support is available,
- * or the transport has already been configured as an SSL server.
- */
-pn_ssl_t *pn_ssl_client(pn_transport_t *transport);
-
-/** Start the SSL/TLS shutdown handshake.
- *
- * The SSL/TLS shutdown involves a protocol handshake. This call will initiate the
- * shutdown process, which may not complete on return from this function. Once the
- * handshake is completed, the connector will be closed and pn_connector_closed() will
- * return TRUE.
- *
- * @param[in,out] c the connector to shutdown.
- */
-void pn_ssl_shutdown( pn_ssl_t *ssl);
-
-/** Release any SSL/TLS related resources used by the listener.
- *
- * @param[in,out] l the listener to clean up.
- */
+// release the SSL context
void pn_ssl_free( pn_ssl_t *ssl);
-/** Check if the SSL/TLS layer has data ready for reading or writing
- *
- * @param[in] d the driver
- * @return 0 if no data ready, else !0
- */
-//int pn_driver_ssl_data_ready( pn_driver_t *d );
-
// move data received from the network into the SSL layer
ssize_t pn_ssl_input(pn_ssl_t *ssl, char *bytes, size_t available);
Modified: qpid/proton/branches/openssl/proton-c/src/ssl/ssl_stub.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/openssl/proton-c/src/ssl/ssl_stub.c?rev=1387781&r1=1387780&r2=1387781&view=diff
==============================================================================
--- qpid/proton/branches/openssl/proton-c/src/ssl/ssl_stub.c (original)
+++ qpid/proton/branches/openssl/proton-c/src/ssl/ssl_stub.c Wed Sep 19 21:35:43 2012
@@ -32,14 +32,14 @@
* used if there is no SSL/TLS support in the system's environment.
*/
-pn_ssl_t *pn_ssl_server(pn_transport_t *transport)
+pn_ssl_t *pn_ssl(pn_transport_t *transport)
{
return NULL;
}
-pn_ssl_t *pn_ssl_client(pn_transport_t *transport)
+int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
{
- return NULL;
+ return -1;
}