Posted to commits@qpid.apache.org by gs...@apache.org on 2021/10/26 13:20:04 UTC
[qpid-dispatch] branch main updated: DISPATCH-2259: use hostname
when setting connection hostname
This is an automated email from the ASF dual-hosted git repository.
gsim pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/main by this push:
new 0c50157 DISPATCH-2259: use hostname when setting connection hostname
0c50157 is described below
commit 0c5015791353fd8630474e0ced17a7898c2e54c1
Author: Gordon Sim <gs...@redhat.com>
AuthorDate: Mon Oct 25 13:20:08 2021 +0100
DISPATCH-2259: use hostname when setting connection hostname
(Previously used host:port, which is not a valid DNS name)
---
include/qpid/dispatch/server.h | 4 ++++
src/connection_manager.c | 15 +++++++++------
src/remote_sasl.c | 23 ++++++++++++++---------
src/remote_sasl.h | 2 +-
src/server.c | 2 +-
5 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 7f71912..fd02570 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -182,6 +182,10 @@ typedef struct qd_server_config_t {
*/
char *auth_service;
/**
+ * Hostname to set on connection (used for SNI in TLS connections).
+ */
+ char *hostname;
+ /**
* Hostname to set on sasl-init sent to authentication service.
*/
char *sasl_init_hostname;
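Review bot: The new comment on `hostname` says what the field is for but not who owns it or whether it may be NULL, which is the information a reader of a config struct needs most. The connection_manager.c hunks free it in qd_server_config_free, and new_qdr_sasl_relay_t in remote_sasl.c only copies it under an `if (hostname)` guard, so NULL appears to be an expected value when no "host" is configured. Suggest ` * Hostname to set on the connection to the auth service (used for SNI in TLS connections). Owned by this struct; may be NULL if the SASL plugin has no host configured.`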
diff --git a/src/connection_manager.c b/src/connection_manager.c
index c77999b..905e335 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -54,6 +54,7 @@ struct qd_config_sasl_plugin_t {
DEQ_LINKS(qd_config_sasl_plugin_t);
char *name;
char *auth_service;
+ char *hostname;
char *sasl_init_hostname;
char *auth_ssl_profile;
};
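Review bot: `char *hostname;` is added to qd_config_sasl_plugin_t without a comment, and sitting next to `auth_service` and `sasl_init_hostname` it is not obvious which of the three is which. The later hunk fills it from the entity's "host" attribute and auth_service from `host:port`, so a one-line comment would settle it: `char *hostname;  // bare "host" attribute, used as the connection hostname (SNI); auth_service holds host:port`. Freed in config_sasl_plugin_free per the hunk below.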
@@ -184,6 +185,7 @@ void qd_server_config_free(qd_server_config_t *cf)
if (cf->ssl_uid_name_mapping_file) free(cf->ssl_uid_name_mapping_file);
if (cf->sasl_plugin_config.auth_service) free(cf->sasl_plugin_config.auth_service);
+ if (cf->sasl_plugin_config.hostname) free(cf->sasl_plugin_config.hostname);
if (cf->sasl_plugin_config.sasl_init_hostname) free(cf->sasl_plugin_config.sasl_init_hostname);
if (cf->sasl_plugin_config.ssl_certificate_file) free(cf->sasl_plugin_config.ssl_certificate_file);
if (cf->sasl_plugin_config.ssl_private_key_file) free(cf->sasl_plugin_config.ssl_private_key_file);
@@ -511,6 +513,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin);
if (sasl_plugin) {
config->sasl_plugin_config.auth_service = SSTRDUP(sasl_plugin->auth_service);
+ config->sasl_plugin_config.hostname = SSTRDUP(sasl_plugin->hostname);
config->sasl_plugin_config.sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname);
qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->sasl_plugin_config.auth_service, config->sasl_plugin);
@@ -581,6 +584,7 @@ static bool config_sasl_plugin_free(qd_connection_manager_t *cm, qd_config_sasl_
free(sasl_plugin->name);
free(sasl_plugin->auth_service);
+ free(sasl_plugin->hostname);
free(sasl_plugin->sasl_init_hostname);
free(sasl_plugin->auth_ssl_profile);
free(sasl_plugin);
@@ -658,24 +662,23 @@ qd_config_sasl_plugin_t *qd_dispatch_configure_sasl_plugin(qd_dispatch_t *qd, qd
DEQ_INSERT_TAIL(cm->config_sasl_plugins, sasl_plugin);
sasl_plugin->name = qd_entity_opt_string(entity, "name", 0); CHECK();
- char *auth_host = qd_entity_opt_string(entity, "host", 0);
+ sasl_plugin->hostname = qd_entity_opt_string(entity, "host", 0);
char *auth_port = qd_entity_opt_string(entity, "port", 0);
- if (auth_host && auth_port) {
- int strlen_auth_host = strlen(auth_host);
+ if (sasl_plugin->hostname && auth_port) {
+ int strlen_auth_host = strlen(sasl_plugin->hostname);
int strlen_auth_port = strlen(auth_port);
if (strlen_auth_host > 0 && strlen_auth_port > 0) {
- int hplen = strlen(auth_host) + strlen(auth_port) + 2;
+ int hplen = strlen_auth_host + strlen_auth_port + 2;
if (hplen > 2) {
sasl_plugin->auth_service = malloc(hplen);
- snprintf(sasl_plugin->auth_service, hplen, "%s:%s", auth_host, auth_port);
+ snprintf(sasl_plugin->auth_service, hplen, "%s:%s", sasl_plugin->hostname, auth_port);
}
}
}
- free(auth_host);
free(auth_port);
if (!sasl_plugin->auth_service) {
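Review bot: The rewritten line `int strlen_auth_host = strlen(sasl_plugin->hostname);` stores a size_t in an int; `size_t strlen_auth_host`, `size_t strlen_auth_port` and `size_t hplen` would avoid the narrowing and match what malloc and snprintf take. Since the enclosing check already requires both lengths to be positive, the new `hplen` is always at least 4 and `if (hplen > 2)` is dead and can be dropped. The malloc result is still passed to snprintf without a NULL check, though that predates this commit. qd_dispatch_configure_sasl_plugin starts and continues outside the hunk.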
diff --git a/src/remote_sasl.c b/src/remote_sasl.c
index 1ffd66f..db1fd9b 100644
--- a/src/remote_sasl.c
+++ b/src/remote_sasl.c
@@ -101,6 +101,7 @@ static void init_permissions(permissions_t* permissions)
typedef struct
{
char* authentication_service_address;
+ char* hostname;
char* sasl_init_hostname;
pn_ssl_domain_t* ssl_domain;
pn_proactor_t* proactor;
@@ -135,13 +136,16 @@ static void copy_bytes(const pn_bytes_t* from, qdr_owned_bytes_t* to)
memcpy(to->start, from->start, from->size);
}
-static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* sasl_init_hostname, pn_proactor_t* proactor)
+static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* hostname, const char* sasl_init_hostname, pn_proactor_t* proactor)
{
qdr_sasl_relay_t* instance = NEW(qdr_sasl_relay_t);
ZERO(instance);
- instance->authentication_service_address = strdup(address);
+ instance->authentication_service_address = qd_strdup(address);
+ if (hostname) {
+ instance->hostname = qd_strdup(hostname);
+ }
if (sasl_init_hostname) {
- instance->sasl_init_hostname = strdup(sasl_init_hostname);
+ instance->sasl_init_hostname = qd_strdup(sasl_init_hostname);
}
instance->proactor = proactor;
init_permissions(&instance->permissions);
@@ -152,6 +156,7 @@ static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* s
static void delete_qdr_sasl_relay_t(qdr_sasl_relay_t* instance)
{
if (instance->authentication_service_address) free(instance->authentication_service_address);
+ if (instance->hostname) free(instance->hostname);
if (instance->sasl_init_hostname) free(instance->sasl_init_hostname);
if (instance->ssl_domain) pn_ssl_domain_free(instance->ssl_domain);
if (instance->mechlist) free(instance->mechlist);
@@ -208,7 +213,7 @@ static bool remote_sasl_init_server(pn_transport_t* transport)
pn_proactor_t* proactor = impl->proactor;
if (!proactor) return false;
impl->downstream = pn_connection();
- pn_connection_set_hostname(impl->downstream, impl->authentication_service_address);
+ pn_connection_set_hostname(impl->downstream, impl->hostname);
set_sasl_relay_context(impl->downstream, impl);
//request permissions in response if supported by peer:
pn_data_t* data = pn_connection_desired_capabilities(impl->downstream);
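Review bot: `pn_connection_set_hostname(impl->downstream, impl->hostname)` can now receive a NULL, whereas the line it replaces always passed authentication_service_address, which new_qdr_sasl_relay_t copies unconditionally. `hostname` is copied only under an `if (hostname)` guard in that constructor and originates from an optional "host" attribute in connection_manager.c, so NULL looks reachable if the part of qd_dispatch_configure_sasl_plugin outside the hunk can set auth_service without a host. With no hostname on the connection no SNI is sent, and if the SSL domain verifies the peer name the TLS handshake to the authentication service would presumably fail rather than be validated against the intended host. Consider `pn_connection_set_hostname(impl->downstream, impl->hostname ? impl->hostname : impl->authentication_service_address);` or rejecting the configuration at load time when hostname is missing. remote_sasl_init_server begins and continues outside this hunk.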
@@ -381,7 +386,7 @@ static bool remote_sasl_process_mechanisms(pn_transport_t *transport, const char
{
qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
if (impl) {
- impl->mechlist = strdup(mechs);
+ impl->mechlist = qd_strdup(mechs);
if (notify_upstream(impl, DOWNSTREAM_MECHANISMS_RECEIVED)) {
return true;
} else {
@@ -440,7 +445,7 @@ static void remote_sasl_process_init(pn_transport_t *transport, const char *mech
{
qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
if (impl) {
- impl->selected_mechanism = strdup(mechanism);
+ impl->selected_mechanism = qd_strdup(mechanism);
copy_bytes(recv, &(impl->response));
if (!notify_downstream(impl, UPSTREAM_INIT_RECEIVED)) {
pnx_sasl_set_desired_state(transport, SASL_ERROR);
@@ -501,10 +506,10 @@ static void set_remote_impl(pn_transport_t *transport, qdr_sasl_relay_t* context
pnx_sasl_set_implementation(transport, &remote_sasl_impl, context);
}
-void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
+void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
{
auth_service_log = qd_log_source("AUTHSERVICE");
- qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, sasl_init_hostname, proactor);
+ qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, hostname, sasl_init_hostname, proactor);
context->ssl_domain = ssl_domain;
set_remote_impl(transport, context);
}
@@ -691,7 +696,7 @@ void qdr_handle_authentication_service_connection_event(pn_event_t *e)
if (authid.start && authid.size) {
context->username = strndup(authid.start, authid.size);
} else {
- context->username = strdup("");
+ context->username = qd_strdup("");
}
//notify upstream connection of successful authentication
notify_upstream(context, DOWNSTREAM_OUTCOME_RECEIVED);
diff --git a/src/remote_sasl.h b/src/remote_sasl.h
index 2dd763a..2afab61 100644
--- a/src/remote_sasl.h
+++ b/src/remote_sasl.h
@@ -24,7 +24,7 @@
#include <proton/ssl.h>
#include <proton/types.h>
-void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
+void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
bool qdr_is_authentication_service_connection(pn_connection_t* conn);
void qdr_handle_authentication_service_connection_event(pn_event_t *e);
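Review bot: The widened prototype of qdr_use_remote_authentication_service now takes both `address` and `hostname` with no comment on how they differ, and the names alone invite a caller to pass the same string for both. A short comment above the declaration would prevent that, e.g. `/* address: host:port at which the authentication service is reached; hostname: bare host name set on the outgoing connection (used for SNI), copied by the callee and may be NULL */`. The "copied by the callee" part follows from the qd_strdup calls in the remote_sasl.c hunk.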
diff --git a/src/server.c b/src/server.c
index 0d46665..e936593 100644
--- a/src/server.c
+++ b/src/server.c
@@ -752,7 +752,7 @@ static void on_connection_bound(qd_server_t *server, pn_event_t *e) {
}
}
}
- qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
+ qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.hostname, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
}
pn_transport_require_auth(tport, config->requireAuthentication);
pn_transport_require_encryption(tport, config->requireEncryption);