Posted to commits@qpid.apache.org by gs...@apache.org on 2021/10/28 12:30:15 UTC

[qpid-dispatch] branch 1.17.x updated (607f57b -> c949a77)

This is an automated email from the ASF dual-hosted git repository.

gsim pushed a change to branch 1.17.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git.


    from 607f57b  Updating console dependencies to latest minor version
     new 9ffeba1  DISPATCH-2257: test address and disable ipv6 if it is an ipv4 address
     new c949a77  DISPATCH-2259: use hostname when setting connection hostname

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 include/qpid/dispatch/server.h |  4 ++++
 src/connection_manager.c       | 15 +++++++++------
 src/http-libwebsockets.c       | 19 +++++++++++++++++++
 src/remote_sasl.c              | 23 ++++++++++++++---------
 src/remote_sasl.h              |  2 +-
 src/server.c                   |  2 +-
 6 files changed, 48 insertions(+), 17 deletions(-)



[qpid-dispatch] 01/02: DISPATCH-2257: test address and disable ipv6 if it is an ipv4 address

Posted by gs...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gsim pushed a commit to branch 1.17.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git

commit 9ffeba1b81f850c03c1e752103bec58f5f2a25bb
Author: Gordon Sim <gs...@redhat.com>
AuthorDate: Wed Oct 20 17:49:30 2021 +0100

    DISPATCH-2257: test address and disable ipv6 if it is an ipv4 address
---
 src/http-libwebsockets.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 3f156b4..02d7994 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -299,6 +299,21 @@ static const struct lws_protocol_vhost_options mime_types[] = {
     { NULL, NULL, "*", "application/octet-stream" }
 };
 
+static int is_ipv6_address(qd_http_server_t *hs, const char* host, const char* port)
+{
+    int result = 0;
+    struct addrinfo *addr;
+    struct addrinfo hints = {0, AF_UNSPEC, SOCK_STREAM};
+    int code = getaddrinfo(host, port, &hints, &addr);
+    if (code) {
+        qd_log(hs->log, QD_LOG_ERROR, "getaddrinfo(%s, %s) failed with %s", host, port, gai_strerror(code));
+    } else {
+        result = addr->ai_family == AF_INET6;
+        freeaddrinfo(addr);
+    }
+    return result;
+}
+
 static void listener_start(qd_lws_listener_t *hl, qd_http_server_t *hs) {
     log_init();                 /* Update log flags at each listener */
 
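Review bot: The hints initializer at `struct addrinfo hints = {0, AF_UNSPEC, SOCK_STREAM};` depends on the member order of struct addrinfo, which POSIX does not fix, so on a platform where ai_family is not the second member the lookup silently runs with the wrong hints. Designated initializers name the fields and zero the rest: `struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM };`. The helper also inspects only the first entry of the returned list, so a host name that resolves to both families is classified by whatever the resolver happens to list first, and the call is a blocking DNS lookup at listener start; if the intent is to detect literal IPv4 addresses, as the commit title suggests, adding `AI_NUMERICHOST` to the hints would make the answer deterministic and avoid the lookup, at the cost of treating any non-literal host as not-IPv6. A short header comment such as `/* Non-zero if host/port resolves (first entry) to an IPv6 address; a failed lookup is logged and reported as not-IPv6. */` would document the fallback.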
@@ -346,6 +361,10 @@ static void listener_start(qd_lws_listener_t *hl, qd_http_server_t *hs) {
     info.keepalive_timeout = 1;
     info.ssl_cipher_list = CIPHER_LIST;
     info.options |= LWS_SERVER_OPTION_VALIDATE_UTF8;
+    if (!is_ipv6_address(hs, config->host, config->port)) {
+        qd_log(hs->log, QD_LOG_NOTICE, "Disabling ipv6 on %s", config->host_port);
+        info.options |= LWS_SERVER_OPTION_DISABLE_IPV6;
+    }
     if (config->ssl_profile) {
         info.ssl_cert_filepath = config->ssl_certificate_file;
         info.ssl_private_key_filepath = config->ssl_private_key_file;
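Review bot: A getaddrinfo() failure is indistinguishable here from an IPv4 answer, because is_ipv6_address() returns 0 in both cases, so a transient resolution error at listener start disables IPv6 on the listener for its lifetime, after an ERROR log followed by the NOTICE on the next line. If that is not intended, have the helper return a tri-state (error / IPv4 / IPv6) and set `LWS_SERVER_OPTION_DISABLE_IPV6` only on a positive IPv4 result, leaving IPv6 enabled on error. listener_start() begins and ends outside this hunk.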



[qpid-dispatch] 02/02: DISPATCH-2259: use hostname when setting connection hostname

Posted by gs...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gsim pushed a commit to branch 1.17.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git

commit c949a770807773c3f05a61b792dd67070f360b0b
Author: Gordon Sim <gs...@redhat.com>
AuthorDate: Mon Oct 25 13:20:08 2021 +0100

    DISPATCH-2259: use hostname when setting connection hostname
    
    (Previously used host:port, which is not a valid DNS name)
---
 include/qpid/dispatch/server.h |  4 ++++
 src/connection_manager.c       | 15 +++++++++------
 src/remote_sasl.c              | 23 ++++++++++++++---------
 src/remote_sasl.h              |  2 +-
 src/server.c                   |  2 +-
 5 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 7f71912..fd02570 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -182,6 +182,10 @@ typedef struct qd_server_config_t {
          */
         char *auth_service;
         /**
+         * Hostname to set on connection (used for SNI in TLS connections).
+         */
+        char *hostname;
+        /**
          * Hostname to set on sasl-init sent to authentication service.
          */
         char *sasl_init_hostname;
diff --git a/src/connection_manager.c b/src/connection_manager.c
index c77999b..905e335 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -54,6 +54,7 @@ struct qd_config_sasl_plugin_t {
     DEQ_LINKS(qd_config_sasl_plugin_t);
     char        *name;
     char        *auth_service;
+    char        *hostname;
     char        *sasl_init_hostname;
     char        *auth_ssl_profile;
 };
@@ -184,6 +185,7 @@ void qd_server_config_free(qd_server_config_t *cf)
     if (cf->ssl_uid_name_mapping_file)  free(cf->ssl_uid_name_mapping_file);
 
     if (cf->sasl_plugin_config.auth_service)               free(cf->sasl_plugin_config.auth_service);
+    if (cf->sasl_plugin_config.hostname)                   free(cf->sasl_plugin_config.hostname);
     if (cf->sasl_plugin_config.sasl_init_hostname)         free(cf->sasl_plugin_config.sasl_init_hostname);
     if (cf->sasl_plugin_config.ssl_certificate_file)       free(cf->sasl_plugin_config.ssl_certificate_file);
     if (cf->sasl_plugin_config.ssl_private_key_file)       free(cf->sasl_plugin_config.ssl_private_key_file);
@@ -511,6 +513,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
             qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin);
         if (sasl_plugin) {
             config->sasl_plugin_config.auth_service = SSTRDUP(sasl_plugin->auth_service);
+            config->sasl_plugin_config.hostname = SSTRDUP(sasl_plugin->hostname);
             config->sasl_plugin_config.sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname);
             qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from  SASL Plugin %s", config->sasl_plugin_config.auth_service, config->sasl_plugin);
 
@@ -581,6 +584,7 @@ static bool config_sasl_plugin_free(qd_connection_manager_t *cm, qd_config_sasl_
 
     free(sasl_plugin->name);
     free(sasl_plugin->auth_service);
+    free(sasl_plugin->hostname);
     free(sasl_plugin->sasl_init_hostname);
     free(sasl_plugin->auth_ssl_profile);
     free(sasl_plugin);
@@ -658,24 +662,23 @@ qd_config_sasl_plugin_t *qd_dispatch_configure_sasl_plugin(qd_dispatch_t *qd, qd
     DEQ_INSERT_TAIL(cm->config_sasl_plugins, sasl_plugin);
     sasl_plugin->name                       = qd_entity_opt_string(entity, "name", 0); CHECK();
 
-    char *auth_host = qd_entity_opt_string(entity, "host", 0);
+    sasl_plugin->hostname = qd_entity_opt_string(entity, "host", 0);
     char *auth_port = qd_entity_opt_string(entity, "port", 0);
 
-    if (auth_host && auth_port) {
-        int strlen_auth_host = strlen(auth_host);
+    if (sasl_plugin->hostname && auth_port) {
+        int strlen_auth_host = strlen(sasl_plugin->hostname);
         int strlen_auth_port = strlen(auth_port);
 
         if (strlen_auth_host > 0 && strlen_auth_port > 0) {
 
-            int hplen = strlen(auth_host) + strlen(auth_port) + 2;
+            int hplen = strlen_auth_host + strlen_auth_port + 2;
             if (hplen > 2) {
                 sasl_plugin->auth_service = malloc(hplen);
-                snprintf(sasl_plugin->auth_service, hplen, "%s:%s", auth_host, auth_port);
+                snprintf(sasl_plugin->auth_service, hplen, "%s:%s", sasl_plugin->hostname, auth_port);
             }
         }
     }
 
-    free(auth_host);
     free(auth_port);
 
     if (!sasl_plugin->auth_service) {
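Review bot: `sasl_plugin->hostname` now retains whatever the `host` attribute held, including an empty string, while the length checks a few lines below only govern auth_service; an empty host therefore leaves hostname as `""`, and the `if (hostname)` guard in new_qdr_sasl_relay_t does not filter that out, so an empty name may reach the downstream connection (whether pn_connection_set_hostname treats "" as unset is not visible here). Consider normalising after the length checks, e.g. `if (sasl_plugin->hostname && !*sasl_plugin->hostname) { free(sasl_plugin->hostname); sasl_plugin->hostname = NULL; }`. The pre-existing `malloc(hplen)` result is still passed to snprintf unchecked. qd_dispatch_configure_sasl_plugin continues outside the hunk.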
diff --git a/src/remote_sasl.c b/src/remote_sasl.c
index 1ffd66f..db1fd9b 100644
--- a/src/remote_sasl.c
+++ b/src/remote_sasl.c
@@ -101,6 +101,7 @@ static void init_permissions(permissions_t* permissions)
 typedef struct
 {
     char* authentication_service_address;
+    char* hostname;
     char* sasl_init_hostname;
     pn_ssl_domain_t* ssl_domain;
     pn_proactor_t* proactor;
@@ -135,13 +136,16 @@ static void copy_bytes(const pn_bytes_t* from, qdr_owned_bytes_t* to)
     memcpy(to->start, from->start, from->size);
 }
 
-static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* sasl_init_hostname, pn_proactor_t* proactor)
+static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* hostname, const char* sasl_init_hostname, pn_proactor_t* proactor)
 {
     qdr_sasl_relay_t* instance = NEW(qdr_sasl_relay_t);
     ZERO(instance);
-    instance->authentication_service_address = strdup(address);
+    instance->authentication_service_address = qd_strdup(address);
+    if (hostname) {
+        instance->hostname = qd_strdup(hostname);
+    }
     if (sasl_init_hostname) {
-        instance->sasl_init_hostname = strdup(sasl_init_hostname);
+        instance->sasl_init_hostname = qd_strdup(sasl_init_hostname);
     }
     instance->proactor = proactor;
     init_permissions(&instance->permissions);
@@ -152,6 +156,7 @@ static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* s
 static void delete_qdr_sasl_relay_t(qdr_sasl_relay_t* instance)
 {
     if (instance->authentication_service_address) free(instance->authentication_service_address);
+    if (instance->hostname) free(instance->hostname);
     if (instance->sasl_init_hostname) free(instance->sasl_init_hostname);
     if (instance->ssl_domain) pn_ssl_domain_free(instance->ssl_domain);
     if (instance->mechlist) free(instance->mechlist);
@@ -208,7 +213,7 @@ static bool remote_sasl_init_server(pn_transport_t* transport)
         pn_proactor_t* proactor = impl->proactor;
         if (!proactor) return false;
         impl->downstream = pn_connection();
-        pn_connection_set_hostname(impl->downstream, impl->authentication_service_address);
+        pn_connection_set_hostname(impl->downstream, impl->hostname);
         set_sasl_relay_context(impl->downstream, impl);
         //request permissions in response if supported by peer:
         pn_data_t* data = pn_connection_desired_capabilities(impl->downstream);
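Review bot: `impl->hostname` can be NULL when the plugin entity had no `host` attribute, since new_qdr_sasl_relay_t copies it only `if (hostname)`, whereas the removed line always passed the non-NULL authentication_service_address; the new call therefore relies on pn_connection_set_hostname() accepting NULL and on the TLS handshake to the authentication service proceeding without SNI (hostname verification against the service certificate would then have nothing to match). If a missing hostname is acceptable, say so at the call, e.g. `// hostname may be NULL when the sasl plugin has no host; no SNI is sent in that case`; otherwise fall back to a configured name or fail the relay setup early. remote_sasl_init_server() starts and ends outside this hunk.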
@@ -381,7 +386,7 @@ static bool remote_sasl_process_mechanisms(pn_transport_t *transport, const char
 {
     qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
     if (impl) {
-        impl->mechlist = strdup(mechs);
+        impl->mechlist = qd_strdup(mechs);
         if (notify_upstream(impl, DOWNSTREAM_MECHANISMS_RECEIVED)) {
             return true;
         } else {
@@ -440,7 +445,7 @@ static void remote_sasl_process_init(pn_transport_t *transport, const char *mech
 {
     qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
     if (impl) {
-        impl->selected_mechanism = strdup(mechanism);
+        impl->selected_mechanism = qd_strdup(mechanism);
         copy_bytes(recv, &(impl->response));
         if (!notify_downstream(impl, UPSTREAM_INIT_RECEIVED)) {
             pnx_sasl_set_desired_state(transport, SASL_ERROR);
@@ -501,10 +506,10 @@ static void set_remote_impl(pn_transport_t *transport, qdr_sasl_relay_t* context
     pnx_sasl_set_implementation(transport, &remote_sasl_impl, context);
 }
 
-void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
+void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
 {
     auth_service_log = qd_log_source("AUTHSERVICE");
-    qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, sasl_init_hostname, proactor);
+    qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, hostname, sasl_init_hostname, proactor);
     context->ssl_domain = ssl_domain;
     set_remote_impl(transport, context);
 }
@@ -691,7 +696,7 @@ void qdr_handle_authentication_service_connection_event(pn_event_t *e)
         if (authid.start && authid.size) {
             context->username = strndup(authid.start, authid.size);
         } else {
-            context->username = strdup("");
+            context->username = qd_strdup("");
         }
         //notify upstream connection of successful authentication
         notify_upstream(context, DOWNSTREAM_OUTCOME_RECEIVED);
diff --git a/src/remote_sasl.h b/src/remote_sasl.h
index 2dd763a..2afab61 100644
--- a/src/remote_sasl.h
+++ b/src/remote_sasl.h
@@ -24,7 +24,7 @@
 #include <proton/ssl.h>
 #include <proton/types.h>
 
-void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
+void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
 bool qdr_is_authentication_service_connection(pn_connection_t* conn);
 void qdr_handle_authentication_service_connection_event(pn_event_t *e);
 
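Review bot: The public prototype gains a `hostname` parameter but the declaration still documents none of its arguments, and the server.c call site passes config values that can be NULL (hostname, sasl_init_hostname) while `address` is copied unconditionally in remote_sasl.c. A Doxygen block on the declaration stating that `hostname` is copied and used as the connection hostname (SNI) of the authentication-service connection, that `hostname` and `sasl_init_hostname` may be NULL, that `address` must not be NULL, and that `ssl_domain` is stored in the relay context and freed with it would make the contract explicit for callers.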
diff --git a/src/server.c b/src/server.c
index 75527b2..24ece14 100644
--- a/src/server.c
+++ b/src/server.c
@@ -752,7 +752,7 @@ static void on_connection_bound(qd_server_t *server, pn_event_t *e) {
                     }
                 }
             }
-            qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
+            qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.hostname, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
         }
         pn_transport_require_auth(tport, config->requireAuthentication);
         pn_transport_require_encryption(tport, config->requireEncryption);
