Posted to commits@qpid.apache.org by kg...@apache.org on 2012/12/17 23:05:09 UTC
svn commit: r1423185 - in /qpid/proton/branches/kgiusti-proton-136:
proton-c/bindings/python/proton.py proton-c/include/proton/ssl.h
proton-c/src/messenger.c proton-c/src/ssl/openssl.c
proton-c/src/ssl/ssl_stub.c proton-j/proton/src/main/scripts/proton.py
Author: kgiusti
Date: Mon Dec 17 22:05:06 2012
New Revision: 1423185
URL: http://svn.apache.org/viewvc?rev=1423185&view=rev
Log:
PROTON-136: move allow_unsecured_client to domain
Modified:
qpid/proton/branches/kgiusti-proton-136/proton-c/bindings/python/proton.py
qpid/proton/branches/kgiusti-proton-136/proton-c/include/proton/ssl.h
qpid/proton/branches/kgiusti-proton-136/proton-c/src/messenger.c
qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/openssl.c
qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/ssl_stub.c
qpid/proton/branches/kgiusti-proton-136/proton-j/proton/src/main/scripts/proton.py
Modified: qpid/proton/branches/kgiusti-proton-136/proton-c/bindings/python/proton.py
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-c/bindings/python/proton.py?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-c/bindings/python/proton.py (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-c/bindings/python/proton.py Mon Dec 17 22:05:06 2012
@@ -2317,13 +2317,12 @@ class SSLDomain(object):
return self._check( pn_ssl_domain_set_trusted_ca_db(self._domain,
certificate_db) )
def set_peer_authentication(self, verify_mode, trusted_CAs=None):
- return self._check( pn_ssl_domain_set_default_peer_authentication(self._domain,
- verify_mode,
- trusted_CAs) )
-
- def allow_unsecured_client(self, allow_unsecured = True):
- return self._check( pn_ssl_domain_allow_unsecured_client(self._domain,
- allow_unsecured ))
+ return self._check( pn_ssl_domain_set_peer_authentication(self._domain,
+ verify_mode,
+ trusted_CAs) )
+
+ def allow_unsecured_client(self):
+ return self._check( pn_ssl_domain_allow_unsecured_client(self._domain) )
class SSL(object):
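Review bot: The rewritten `allow_unsecured_client(self)` and the renamed `set_peer_authentication` call in SSLDomain have no docstring, and the ordering constraint the new design introduces is stated nowhere on the Python side: the openssl.c hunk in this commit reads `domain->allow_unsecured` inside `pn_ssl_init`, so the flag only takes effect for `SSL` objects constructed after the call. A docstring such as `"""Permit non-SSL clients on a server domain; call before constructing the SSL objects that should honor it."""` on allow_unsecured_client would make that explicit. Dropping the `allow_unsecured` keyword also means any caller still passing it now fails with TypeError, which is worth a mention in the log message since the C API no longer offers a way to clear the flag. The SSLDomain class header lies outside the hunk.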
@@ -2334,19 +2333,14 @@ class SSL(object):
else:
return err
- def __init__(self, transport, domain=None, session_details=None):
- if domain:
- session_id = None
- if session_details:
- session_id = session_details.get_session_id()
- self._ssl = pn_ssl_new( domain._domain, transport._trans, session_id )
- else: # old api:
- self._ssl = pn_ssl(transport._trans)
+ def __init__(self, transport, domain, session_details=None):
+ session_id = None
+ if session_details:
+ session_id = session_details.get_session_id()
+ self._ssl = pn_ssl( transport._trans )
if self._ssl is None:
raise SSLUnavailable()
-
- def init(self, mode):
- return self._check( pn_ssl_init(self._ssl, mode) )
+ pn_ssl_init( self._ssl, domain._domain, session_id )
def cipher_name(self):
rc, name = pn_ssl_get_cipher_name( self._ssl, 128 )
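Review bot: The result of `pn_ssl_init( self._ssl, domain._domain, session_id )` on the last added line of `__init__` is discarded, whereas every other wrapper in this class routes the C return code through `self._check`; the openssl.c hunk in this commit returns -1 from pn_ssl_init when the session is already bound to a domain or when `init_ssl_socket` fails, so a Python caller would receive an `SSL` object whose session was never configured. Replace the line with `self._check( pn_ssl_init( self._ssl, domain._domain, session_id ) )`. Since `domain` is now a required positional argument, a caller passing `None` fails on `domain._domain` with an AttributeError rather than a descriptive error; a guard such as `if domain is None: raise TypeError("domain is required")` before the pn_ssl call would be clearer. `__init__` and `_check` sit partly outside the hunk.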
Modified: qpid/proton/branches/kgiusti-proton-136/proton-c/include/proton/ssl.h
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-c/include/proton/ssl.h?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-c/include/proton/ssl.h (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-c/include/proton/ssl.h Mon Dec 17 22:05:06 2012
@@ -177,10 +177,6 @@ typedef enum {
* @note Servers must provide their own certificate when verifying a peer. See
* ::pn_ssl_set_credentials().
*
- * @note This method sets the default behavior for all SSL sessions associated with
- * this domain. This attribute can be overridden on a per-session basis if desired (see
- * ::pn_ssl_set_default_peer_authentication)
- *
* @note This setting effects only those pn_ssl_t objects created after this call
* returns. pn_ssl_t objects created before invoking this method will use the domain's
* previous setting.
@@ -191,27 +187,9 @@ typedef enum {
* to the peer client if the server has been configured to verify its peer.
* @return 0 on success
*/
-int pn_ssl_domain_set_default_peer_authentication(pn_ssl_domain_t *domain,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs);
-
-/** Create an SSL session for a given transport.
- *
- * A transport must have an SSL object in order to "speak" SSL over its connection. This
- * method allocates an SSL object using the given domain, and associates it with the
- * transport.
- *
- * @param[in] domain the ssl domain used to configure the SSL session.
- * @param[in] transport the transport that will use the SSL session.
- * @param[in] session_id if supplied, attempt to resume a previous SSL session that used
- * the same session_id. The resulting session will be identified by the given session_id
- * and stored for future session restore.
- * @return a pointer to the SSL object configured for this transport. Returns NULL if SSL
- * cannot be provided, which would occur if no SSL support is available.
- */
-pn_ssl_t *pn_ssl_new( pn_ssl_domain_t *domain,
- pn_transport_t *transport,
- const char *session_id);
+int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
+ const pn_ssl_verify_mode_t mode,
+ const char *trusted_CAs);
/** Permit a server to accept connection requests from non-SSL clients.
*
@@ -219,45 +197,37 @@ pn_ssl_t *pn_ssl_new( pn_ssl_domain_t *d
* determine whether SSL/TLS is being used. This option is disabled by default: only
* clients using SSL/TLS are accepted.
*
- * @param[in] ssl the SSL server that will accept the client connection.
+ * @param[in] domain the domain (server) that will accept the client connections.
* @return 0 on success
*/
-int pn_ssl_allow_unsecured_client(pn_ssl_t *ssl);
+int pn_ssl_domain_allow_unsecured_client(pn_ssl_domain_t *domain);
-/** Override the default verification level for this session.
+/** Create a new SSL session object associated with a transport.
*
- * This method can be used to override the default verification level provided by the
- * parent domain. See ::pn_ssl_domain_set_default_peer_authentication. It must be called
- * before the session is used to transfer data.
+ * A transport must have an SSL object in order to "speak" SSL over its connection. This
+ * method allocates an SSL object associates it with the transport.
*
- * @param[in] ssl the ssl client/server to configure.
- * @param[in] mode the level of validation to apply to the peer
- * @param[in] trusted_CAs path to a database of trusted CAs that the server will advertise
- * to the peer client if the server has been configured to verify its peer.
- * @return 0 on success
+ * @param[in] transport the transport that will own the new SSL session.
+ * @return a pointer to the SSL object configured for this transport. Returns NULL if
+ * no SSL session is associated with the transport.
*/
-int pn_ssl_set_peer_authentication(pn_ssl_t *ssl,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs);
+pn_ssl_t *pn_ssl(pn_transport_t *transport);
-/** Get the level of verification to be used on the peer certificate.
+/** Initialize an SSL session.
*
- * Access the current peer certificate validation level. See
- * ::pn_ssl_set_peer_authentication().
+ * This method configures an SSL object using the configuration provided by the given
+ * domain.
*
- * @param[in] ssl the ssl client/server to query.
- * @param[out] mode the level of validation that will be applied to the peer's certificate.
- * @param[out] trusted_CAs set to a buffer to hold the path to the database of trusted CAs
- * that the server will advertise to the peer client. If NULL, the path will not be
- * returned.
- * @param[in,out] trusted_CAs_size on input set to the number of octets in trusted_CAs.
- * on output, set to the number of octets needed to hold the value of trusted_CAs plus a
- * null byte.
- * @return 0 on success
+ * @param[in] ssl the ssl session to configured.
+ * @param[in] domain the ssl domain used to configure the SSL session.
+ * @param[in] session_id if supplied, attempt to resume a previous SSL session that used
+ * the same session_id. The resulting session will be identified by the given session_id
+ * and stored for future session restore.
+ * @return 0 on success, else an error code.
*/
-int pn_ssl_get_peer_authentication(pn_ssl_t *ssl,
- pn_ssl_verify_mode_t *mode,
- char *trusted_CAs, size_t *trusted_CAs_size);
+int pn_ssl_init( pn_ssl_t *ssl,
+ pn_ssl_domain_t *domain,
+ const char *session_id);
/** Get the name of the Cipher that is currently in use.
*
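Review bot: The new comment for `pn_ssl_domain_allow_unsecured_client` does not say when the setting is consumed, although the openssl.c hunk in this commit copies `domain->allow_unsecured` into the session's process_input/process_output pointers inside `pn_ssl_init`; a note parallel to the one kept for peer authentication, `@note This setting affects only those pn_ssl_t objects initialized (via ::pn_ssl_init) after this call returns.`, would state that contract. The description of `pn_ssl()` is also internally inconsistent: the body says the call allocates an SSL object, while the @return line says NULL means no session is associated with the transport; the openssl.c implementation returns NULL only for a NULL transport or a failed calloc, so `Returns NULL if the SSL object could not be allocated.` fits what the code does. Two wording slips in the added lines: `allocates an SSL object associates it` is missing `and`, and `the ssl session to configured` should read `to configure`.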
@@ -300,31 +270,6 @@ bool pn_ssl_get_protocol_name(pn_ssl_t *
pn_ssl_resume_status_t pn_ssl_resume_status( pn_ssl_t *ssl );
-/** original API: */
-
-/** Get the SSL session object associated with a transport.
- *
- * This method returns the SSL object associated with the transport.
- *
- * @return a pointer to the SSL object configured for this transport. Returns NULL if
- * no SSL session is associated with the transport.
- *
- * @deprecated The semantics have changed - need to deprecate old behavior.
- */
-pn_ssl_t *pn_ssl(pn_transport_t *transport);
-
-/** @deprecated see ::pn_ssl_domain, ::pn_ssl_new */
-int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode);
-/** @deprecated see ::pn_ssl_domain_set_credentails */
-int pn_ssl_set_credentials( pn_ssl_t *ssl,
- const char *certificate_file,
- const char *private_key_file,
- const char *password);
-/** @deprecated see ::pn_ssl_domain_set_trusted_ca_db */
-int pn_ssl_set_trusted_ca_db(pn_ssl_t *ssl,
- const char *certificate_db);
-
-
#ifdef __cplusplus
}
#endif
Modified: qpid/proton/branches/kgiusti-proton-136/proton-c/src/messenger.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-c/src/messenger.c?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-c/src/messenger.c (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-c/src/messenger.c Mon Dec 17 22:05:06 2012
@@ -490,16 +490,20 @@ int pn_messenger_tsync(pn_messenger_t *m
char *scheme = sub->scheme;
pn_connector_t *c = pn_listener_accept(l);
pn_transport_t *t = pn_connector_transport(c);
- pn_ssl_t *ssl = pn_ssl(t);
- pn_ssl_init(ssl, PN_SSL_MODE_SERVER);
+
+ pn_ssl_domain_t *d = pn_ssl_domain( PN_SSL_MODE_SERVER );
if (messenger->certificate) {
- pn_ssl_set_credentials(ssl, messenger->certificate,
- messenger->private_key,
- messenger->password);
+ pn_ssl_domain_set_credentials(d, messenger->certificate,
+ messenger->private_key,
+ messenger->password);
}
if (!(scheme && !strcmp(scheme, "amqps"))) {
- pn_ssl_allow_unsecured_client(ssl);
+ pn_ssl_domain_allow_unsecured_client(d);
}
+ pn_ssl_t *ssl = pn_ssl(t);
+ pn_ssl_init(ssl, d, NULL);
+ pn_ssl_domain_free( d );
+
pn_sasl_t *sasl = pn_sasl(t);
pn_sasl_mechanisms(sasl, "ANONYMOUS");
pn_sasl_server(sasl);
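Review bot: None of the return values in the rewritten accept path are checked: `pn_ssl_domain( PN_SSL_MODE_SERVER )` can return NULL (the openssl.c implementation in this commit returns NULL when its default peer-authentication setup fails, and ssl_stub.c always returns NULL), and `pn_ssl_domain_set_credentials`, `pn_ssl_domain_allow_unsecured_client` and `pn_ssl_init` each report -1 that is dropped, so a listener whose certificate failed to load still accepts the connection with a session that pn_ssl_init refused to configure. At minimum test the domain and the init result, e.g. `if (!d || pn_ssl_init(ssl, d, NULL)) { /* refuse this connector */ }`, and propagate the failure the way the surrounding code handles a failed accept; how the connector is released on that path is outside this hunk. The same unchecked pattern appears in the client path of the next hunk. `pn_messenger_tsync` begins and ends outside the hunk.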
@@ -628,19 +632,21 @@ pn_connection_t *pn_messenger_resolve(pn
if (!connector) return NULL;
pn_transport_t *transport = pn_connector_transport(connector);
if (scheme && !strcmp(scheme, "amqps")) {
- pn_ssl_t *ssl = pn_ssl(transport);
- pn_ssl_init(ssl, PN_SSL_MODE_CLIENT);
+ pn_ssl_domain_t *d = pn_ssl_domain( PN_SSL_MODE_CLIENT );
if (messenger->certificate && messenger->private_key) {
- pn_ssl_set_credentials(ssl, messenger->certificate,
- messenger->private_key,
- messenger->password);
+ pn_ssl_domain_set_credentials( d, messenger->certificate,
+ messenger->private_key,
+ messenger->password);
}
if (messenger->trusted_certificates) {
- pn_ssl_set_trusted_ca_db(ssl, messenger->trusted_certificates);
- pn_ssl_set_peer_authentication(ssl, PN_SSL_VERIFY_PEER, NULL);
+ pn_ssl_domain_set_trusted_ca_db(d, messenger->trusted_certificates);
+ pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER, NULL);
} else {
- pn_ssl_set_peer_authentication(ssl, PN_SSL_ANONYMOUS_PEER, NULL);
+ pn_ssl_domain_set_peer_authentication(d, PN_SSL_ANONYMOUS_PEER, NULL);
}
+ pn_ssl_t *ssl = pn_ssl(transport);
+ pn_ssl_init(ssl, d, NULL);
+ pn_ssl_domain_free( d );
}
pn_sasl_t *sasl = pn_sasl(transport);
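Review bot: When `messenger->trusted_certificates` is set, a failure of `pn_ssl_domain_set_trusted_ca_db` or of `pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER, NULL)` is ignored, and the domain is left with the PN_SSL_ANONYMOUS_PEER default that `pn_ssl_domain()` installs (visible in the openssl.c hunk of this commit), so a client that asked for server verification proceeds with a domain that does not verify, and nothing reports it. Because this function already returns NULL for a missing connector, the VERIFY_PEER request should be treated as mandatory: `if (pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER, NULL)) { pn_ssl_domain_free(d); return NULL; }`, releasing the connector the way the rest of the function does on its other failure paths (not visible here). `pn_messenger_resolve` begins and ends outside the hunk.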
Modified: qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/openssl.c?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/openssl.c Mon Dec 17 22:05:06 2012
@@ -57,8 +57,9 @@ struct pn_ssl_domain_t {
char *keyfile_pw;
// settings used for all connections
- char *default_trusted_CAs;
- pn_ssl_verify_mode_t default_verify_mode;
+ char *trusted_CAs;
+ pn_ssl_verify_mode_t verify_mode;
+ bool allow_unsecured;
// session cache
pn_ssl_session_t *ssn_cache_head;
@@ -68,17 +69,11 @@ struct pn_ssl_domain_t {
struct pn_ssl_t {
- pn_ssl_domain_t *domain;
- bool private_domain; // domain used exclusive to this SSL
+ pn_transport_t *transport;
+ pn_ssl_domain_t *domain;
+ const char *session_id;
SSL *ssl;
- bool allow_unsecured; // allow non-SSL connections
- pn_ssl_verify_mode_t verify_mode; // can be overridden
- const char *trusted_CAs; // for this connection
- const char *session_id;
-
- pn_transport_t *transport;
-
BIO *bio_ssl; // i/o from/to SSL socket layer
BIO *bio_ssl_io; // SSL "half" of network-facing BIO
BIO *bio_net_io; // socket-side "half" of network-facing BIO
@@ -372,7 +367,7 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
}
// ditto: by default do not authenticate the peer (can be done by SASL).
- if (pn_ssl_domain_set_default_peer_authentication( domain, PN_SSL_ANONYMOUS_PEER, NULL )) {
+ if (pn_ssl_domain_set_peer_authentication( domain, PN_SSL_ANONYMOUS_PEER, NULL )) {
pn_ssl_domain_free(domain);
return NULL;
}
@@ -401,7 +396,7 @@ void pn_ssl_domain_free( pn_ssl_domain_t
if (domain->ctx) SSL_CTX_free(domain->ctx);
if (domain->keyfile_pw) free(domain->keyfile_pw);
- if (domain->default_trusted_CAs) free(domain->default_trusted_CAs);
+ if (domain->trusted_CAs) free(domain->trusted_CAs);
free(domain);
}
}
@@ -484,9 +479,9 @@ int pn_ssl_domain_set_trusted_ca_db(pn_s
}
-int pn_ssl_domain_set_default_peer_authentication(pn_ssl_domain_t *domain,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs)
+int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
+ const pn_ssl_verify_mode_t mode,
+ const char *trusted_CAs)
{
if (!domain) return -1;
@@ -511,10 +506,10 @@ int pn_ssl_domain_set_default_peer_authe
" Use pn_ssl_domain_set_credentials()\n");
}
- if (domain->default_trusted_CAs) free(domain->default_trusted_CAs);
- domain->default_trusted_CAs = pn_strdup( trusted_CAs );
+ if (domain->trusted_CAs) free(domain->trusted_CAs);
+ domain->trusted_CAs = pn_strdup( trusted_CAs );
STACK_OF(X509_NAME) *cert_names;
- cert_names = SSL_load_client_CA_file( domain->default_trusted_CAs );
+ cert_names = SSL_load_client_CA_file( domain->trusted_CAs );
if (cert_names != NULL)
SSL_CTX_set_client_CA_list(domain->ctx, cert_names);
else {
@@ -539,156 +534,44 @@ int pn_ssl_domain_set_default_peer_authe
return -1;
}
- domain->default_verify_mode = mode;
+ domain->verify_mode = mode;
return 0;
}
-pn_ssl_t *pn_ssl_new( pn_ssl_domain_t *domain, pn_transport_t *transport, const char *session_id)
+int pn_ssl_init( pn_ssl_t *ssl, pn_ssl_domain_t *domain, const char *session_id)
{
- if (!transport || !domain) return NULL;
- if (transport->ssl) return transport->ssl;
-
- pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t));
- if (!ssl) return NULL;
+ if (!ssl || !domain || ssl->domain) return -1;
ssl->domain = domain;
domain->ref_count++;
- if (session_id && domain->mode == PN_SSL_MODE_CLIENT)
- ssl->session_id = pn_strdup(session_id);
-
- if (init_ssl_socket(ssl)) {
- pn_ssl_free(ssl);
- return NULL;
- }
-
- ssl->transport = transport;
- ssl->process_input = process_input_ssl;
- ssl->process_output = process_output_ssl;
- transport->ssl = ssl;
-
- ssl->trace = (transport->disp) ? transport->disp->trace : PN_TRACE_OFF;
-
- return ssl;
-}
-
-
-int pn_ssl_allow_unsecured_client(pn_ssl_t *ssl)
-{
- if (ssl) {
- if (ssl->domain && ssl->domain->mode != PN_SSL_MODE_SERVER) {
- _log_error("Cannot permit unsecured clients - not a server.\n");
- return -1;
- }
- ssl->allow_unsecured = true;
+ if (domain->allow_unsecured) {
ssl->process_input = process_input_unknown;
ssl->process_output = process_output_unknown;
- _log( ssl, "Allowing connections from unsecured clients.\n" );
- }
- return 0;
-}
-
-
-
-int pn_ssl_set_peer_authentication(pn_ssl_t *ssl,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs)
-{
- if (!ssl) return -1;
- if (!ssl->domain) return -1;
- pn_ssl_domain_t *domain = ssl->domain;
- if (!ssl->ssl) {
- int rc = init_ssl_socket(ssl);
- if (rc) return rc;
+ } else {
+ ssl->process_input = process_input_ssl;
+ ssl->process_output = process_output_ssl;
}
- switch (mode) {
- case PN_SSL_VERIFY_PEER:
-
- if (!domain->has_ca_db) {
- _log_error("Error: cannot verify peer without a trusted CA configured.\n"
- " Use pn_ssl_domain_set_trusted_ca_db()\n");
- return -1;
- }
-
- if (domain->mode == PN_SSL_MODE_SERVER) {
- // openssl requires that server connections supply a list of trusted CAs which is
- // sent to the client
- if (!trusted_CAs) {
- _log_error("Error: a list of trusted CAs must be provided.\n");
- return -1;
- }
- if (!domain->has_certificate) {
- _log_error("Error: Server cannot verify peer without configuring a certificate.\n"
- " Use pn_ssl_domain_set_credentials()\n");
- }
-
- if (ssl->trusted_CAs) free( (void *)ssl->trusted_CAs);
- ssl->trusted_CAs = pn_strdup( trusted_CAs );
- STACK_OF(X509_NAME) *cert_names;
- cert_names = SSL_load_client_CA_file( ssl->trusted_CAs );
- if (cert_names != NULL)
- SSL_set_client_CA_list(ssl->ssl, cert_names);
- else {
- _log_error("Unable to process file of trusted CAs: %s\n", trusted_CAs);
- return -1;
- }
- }
+ if (session_id && domain->mode == PN_SSL_MODE_CLIENT)
+ ssl->session_id = pn_strdup(session_id);
- SSL_set_verify( ssl->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
- // verify_callback /*?verify callback?*/ );
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_set_verify_depth(ssl->ssl, 1);
-#endif
- _log( ssl, "Peer authentication mode set to VERIFY-PEER\n");
- break;
+ return init_ssl_socket(ssl);
+}
- case PN_SSL_ANONYMOUS_PEER: // hippie free love mode... :)
- SSL_set_verify( ssl->ssl, SSL_VERIFY_NONE, NULL );
- _log( ssl, "Peer authentication mode set to ANONYMOUS-PEER\n");
- break;
- default:
- _log_error( "Invalid peer authentication mode given.\n" );
+int pn_ssl_domain_allow_unsecured_client(pn_ssl_domain_t *domain)
+{
+ if (!domain) return -1;
+ if (domain->mode != PN_SSL_MODE_SERVER) {
+ _log_error("Cannot permit unsecured clients - not a server.\n");
return -1;
}
-
- ssl->verify_mode = mode;
+ domain->allow_unsecured = true;
return 0;
}
-int pn_ssl_get_peer_authentication(pn_ssl_t *ssl,
- pn_ssl_verify_mode_t *mode,
- char *trusted_CAs, size_t *trusted_CAs_size)
-{
- if (!ssl) return -1;
-
- pn_ssl_verify_mode_t my_mode = ssl->verify_mode;
- const char *my_trusted_CAs = ssl->trusted_CAs;
-
- if (ssl->verify_mode == PN_SSL_VERIFY_NULL && ssl->domain) {
- // using the parent domain's values:
- my_mode = ssl->domain->default_verify_mode;
- my_trusted_CAs = ssl->domain->default_trusted_CAs;
- }
-
- if (mode) *mode = my_mode;
- if (trusted_CAs && trusted_CAs_size && *trusted_CAs_size) {
- if (my_trusted_CAs) {
- strncpy( trusted_CAs, my_trusted_CAs, *trusted_CAs_size );
- trusted_CAs[*trusted_CAs_size - 1] = '\0';
- *trusted_CAs_size = strlen(my_trusted_CAs) + 1;
- } else {
- *trusted_CAs = '\0';
- *trusted_CAs_size = 0;
- }
- } else if (trusted_CAs_size) {
- *trusted_CAs_size = (my_trusted_CAs) ? strlen(my_trusted_CAs) + 1 : 0;
- }
- return 0;
-}
-
bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *buffer, size_t size )
{
const SSL_CIPHER *c;
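Review bot: In the new `pn_ssl_init`, the domain binding (`ssl->domain = domain; domain->ref_count++;`), the process_input/process_output selection and the session_id copy are all committed before `init_ssl_socket(ssl)` runs, and its result is returned unchanged; when it fails the session stays bound to the domain, so a retry trips the `ssl->domain` guard on the first line and returns -1 for good, and the only recovery is pn_ssl_free. Undo the binding on failure as in the excerpt below (assuming pn_ssl_domain_free drops the reference, which the pn_ssl_free path in a later hunk relies on). The audit line the removed pn_ssl_allow_unsecured_client emitted, `_log( ssl, "Allowing connections from unsecured clients.\n" );`, is lost in the move; re-emitting it in the `domain->allow_unsecured` branch of pn_ssl_init keeps a listener that accepts plaintext clients visible in traces.
```c
int pn_ssl_init( pn_ssl_t *ssl, pn_ssl_domain_t *domain, const char *session_id)
{
  // … unchanged: argument checks, domain binding, process_* selection, session_id copy …
  int rc = init_ssl_socket(ssl);
  if (rc) {
    // undo the binding so the caller can retry or free the session cleanly
    pn_ssl_domain_free(domain);
    ssl->domain = NULL;
    ssl->process_input = NULL;
    ssl->process_output = NULL;
    if (ssl->session_id) {
      free((void *)ssl->session_id);
      ssl->session_id = NULL;
    }
  }
  return rc;
}
```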
@@ -726,7 +609,6 @@ void pn_ssl_free( pn_ssl_t *ssl)
_log( ssl, "SSL socket freed.\n" );
release_ssl_socket( ssl );
if (ssl->domain) pn_ssl_domain_free(ssl->domain);
- if (ssl->trusted_CAs) free((void *)ssl->trusted_CAs);
if (ssl->session_id) free((void *)ssl->session_id);
free(ssl);
@@ -745,118 +627,18 @@ ssize_t pn_ssl_output(pn_ssl_t *ssl, cha
}
-
-// Deprecated (old non-domain based api)
-int pn_ssl_set_credentials( pn_ssl_t *ssl,
- const char *certificate_file,
- const char *private_key_file,
- const char *password)
-{
- if (!ssl || !ssl->domain) return -1;
- if (!ssl->private_domain) {
- _log_error("Error: use pn_ssl_domain_set_credentials() instead\n");
- return -1;
- }
- if (ssl->ssl) {
- _log_error("Error: attempting to set credentials while SSL in use.\n");
- return -1;
- }
-
- int rc = pn_ssl_domain_set_credentials( ssl->domain, certificate_file, private_key_file, password );
- _log( ssl, "Configured local certificate file %s (%d)\n", certificate_file, rc );
- return rc;
-}
-
-
-// Deprecated (old non-domain based api)
-int pn_ssl_set_trusted_ca_db(pn_ssl_t *ssl,
- const char *certificate_db)
-{
- if (!ssl || !ssl->domain) return -1;
- if (!ssl->private_domain) {
- _log_error("Error: use pn_ssl_domain_trusted_ca_db() instead.\n");
- return -1;
- }
- if (ssl->ssl) {
- _log_error("Error: attempting to set trusted CA db after SSL connection initialized.\n");
- return -1;
- }
-
- int rc = pn_ssl_domain_set_trusted_ca_db( ssl->domain, certificate_db );
- if (!rc) _log( ssl, "loaded trusted CA database %s\n", certificate_db );
- return rc;
-}
-
-
-// Deprecated (old non-domain based api)
-int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
-{
- if (!ssl) return -1;
- if (!ssl->private_domain) {
- _log_error("Error: deprecated, use pn_ssl_domain_*() api instead.\n");
- return -1;
- }
- if (ssl->domain && ssl->domain->mode == mode) return 0; // already set
-
- // if changing modes, must teardown any exising configuration
- if (ssl->ssl) pn_ssl_free( ssl );
- if (ssl->domain) pn_ssl_domain_free( ssl->domain );
-
- switch (mode) {
- case PN_SSL_MODE_CLIENT:
- _log( ssl, "Setting up Client SSL object.\n" );
- ssl->domain = pn_ssl_domain(PN_SSL_MODE_CLIENT);
- if (!ssl->domain) {
- _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
- return -1;
- }
- break;
-
- case PN_SSL_MODE_SERVER:
- _log( ssl, "Setting up Server SSL object.\n" );
- ssl->domain = pn_ssl_domain(PN_SSL_MODE_SERVER);
- if (!ssl->domain) {
- _log_error("Unable to initialize SSL context: %s\n", strerror(errno));
- return -1;
- }
- break;
-
- default:
- _log_error("Invalid valid for pn_ssl_mode_t: %d\n", mode);
- return -1;
- }
- return 0;
-}
-
-// Deprecated (old non-domain based api)
pn_ssl_t *pn_ssl(pn_transport_t *transport)
{
if (!transport) return NULL;
if (transport->ssl) return transport->ssl;
- if (!ssl_initialized) {
- ssl_initialized = 1;
- SSL_library_init();
- SSL_load_error_strings();
- OpenSSL_add_all_algorithms();
- }
-
pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t));
if (!ssl) return NULL;
-
- ssl->private_domain = true;
ssl->transport = transport;
- ssl->process_input = process_input_ssl;
- ssl->process_output = process_output_ssl;
transport->ssl = ssl;
- ssl->trace = PN_TRACE_OFF;
+ ssl->trace = (transport->disp) ? transport->disp->trace : PN_TRACE_OFF;
- // default mode is client
- if (pn_ssl_init(ssl, PN_SSL_MODE_CLIENT)) {
- free(ssl);
- return NULL;
- }
return ssl;
}
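Review bot: `pn_ssl()` now publishes the session on the transport (`transport->ssl = ssl`) with `process_input`/`process_output` still NULL from calloc, because the assignments the removed lines made were moved into pn_ssl_init; a session created by pn_ssl() but never initialised is therefore reachable from the transport with null handlers, and if the transport I/O path dispatches through those pointers (not visible in this diff) that is a null dereference rather than a clean error. Either keep the default `ssl->process_input = process_input_ssl; ssl->process_output = process_output_ssl;` here as before, or have the I/O path treat a NULL handler as "SSL not configured". The `ssl_initialized` block (SSL_library_init, SSL_load_error_strings, OpenSSL_add_all_algorithms) is also deleted here with no replacement anywhere in this diff; presumably pn_ssl_domain() performs it now, but that hunk shows only a rename, so it is worth confirming the library is still initialised before the first SSL_CTX is created.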
@@ -1145,6 +927,7 @@ static ssize_t process_output_ssl( pn_tr
static int init_ssl_socket( pn_ssl_t *ssl )
{
if (ssl->ssl) return 0;
+ if (!ssl->domain) return -1;
ssl->ssl = SSL_new(ssl->domain->ctx);
if (!ssl->ssl) {
Modified: qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/ssl_stub.c
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/ssl_stub.c?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/ssl_stub.c (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-c/src/ssl/ssl_stub.c Mon Dec 17 22:05:06 2012
@@ -35,43 +35,8 @@ pn_ssl_t *pn_ssl(pn_transport_t *transpo
return NULL;
}
-int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
-{
- return -1;
-}
-
-
-int pn_ssl_set_credentials(pn_ssl_t *ssl,
- const char *certificate_file,
- const char *private_key_file,
- const char *password)
-{
- return -1;
-}
-
-int pn_ssl_set_trusted_ca_db(pn_ssl_t *ssl,
- const char *certificate_db)
-{
- return -1;
-}
-
-int pn_ssl_allow_unsecured_client(pn_ssl_t *ssl)
-{
- return -1;
-}
-
-
-int pn_ssl_set_peer_authentication(pn_ssl_t *ssl,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs)
-{
- return -1;
-}
-
-
-int pn_ssl_get_peer_authentication(pn_ssl_t *ssl,
- pn_ssl_verify_mode_t *mode,
- char *trusted_CAs, size_t *trusted_CAs_size)
+int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_domain_t *domain,
+ const char *session_id)
{
return -1;
}
@@ -108,13 +73,9 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
{
return NULL;
}
-void pn_ssl_domain_free( pn_ssl_domain_t *d )
-{
-}
-pn_ssl_t *pn_ssl_new( pn_ssl_domain_t *d, pn_transport_t *t, const char *i)
+void pn_ssl_domain_free( pn_ssl_domain_t *d )
{
- return NULL;
}
int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
@@ -131,9 +92,14 @@ int pn_ssl_domain_set_trusted_ca_db(pn_s
return -1;
}
-int pn_ssl_domain_set_default_peer_authentication(pn_ssl_domain_t *domain,
- const pn_ssl_verify_mode_t mode,
- const char *trusted_CAs)
+int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
+ const pn_ssl_verify_mode_t mode,
+ const char *trusted_CAs)
+{
+ return -1;
+}
+
+int pn_ssl_domain_allow_unsecured_client(pn_ssl_domain_t *domain)
{
return -1;
}
Modified: qpid/proton/branches/kgiusti-proton-136/proton-j/proton/src/main/scripts/proton.py
URL: http://svn.apache.org/viewvc/qpid/proton/branches/kgiusti-proton-136/proton-j/proton/src/main/scripts/proton.py?rev=1423185&r1=1423184&r2=1423185&view=diff
==============================================================================
--- qpid/proton/branches/kgiusti-proton-136/proton-j/proton/src/main/scripts/proton.py (original)
+++ qpid/proton/branches/kgiusti-proton-136/proton-j/proton/src/main/scripts/proton.py Mon Dec 17 22:05:06 2012
@@ -872,9 +872,6 @@ class SSL(object):
self._ssl = transport.impl.ssl(domain._domain, internal_session_details)
self._session_details = session_details
- def init(self, mode):
- self._ssl.init(mode)
-
def get_session_details(self):
return self._session_details