Posted to commits@qpid.apache.org by as...@apache.org on 2015/08/04 16:57:01 UTC

[1/2] qpid-proton git commit: PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection

Repository: qpid-proton
Updated Branches:
  refs/heads/master 28f2d1c01 -> 7c9e5673f


PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/a1888591
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/a1888591
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/a1888591

Branch: refs/heads/master
Commit: a1888591789d3db2ebd6016d7e7d112902e07598
Parents: 28f2d1c
Author: Andrew Stitcher <as...@apache.org>
Authored: Tue Jul 28 16:33:54 2015 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Tue Aug 4 10:53:57 2015 -0400

----------------------------------------------------------------------
 proton-c/include/proton/messenger.h | 26 ++++++++++++++++++++++++++
 proton-c/src/messenger/messenger.c  | 16 ++++++++++++++--
 2 files changed, 40 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/a1888591/proton-c/include/proton/messenger.h
----------------------------------------------------------------------
diff --git a/proton-c/include/proton/messenger.h b/proton-c/include/proton/messenger.h
index 6ef684f..87cb35c 100644
--- a/proton-c/include/proton/messenger.h
+++ b/proton-c/include/proton/messenger.h
@@ -132,6 +132,27 @@ extern "C" {
  * ::pn_messenger_recv() will do whatever they can without blocking,
  * and then return. You can then look at the number of incoming and
  * outgoing messages to see how much outstanding work still remains.
+ *
+ * Authentication Mechanims
+ * ========================
+ *
+ * The messenger API authenticates using some specific mechanisms. In prior versions
+ * of Proton the only authentication mechanism available was the PLAIN mechanism
+ * which transports the user's password over the network unencrypted. The Proton versions
+ * 0.10 and newer support other more secure mechanisms which avoid sending the users's
+ * password over the network unencrypted. For backwards compatibility the 0.10 version
+ * of the messenger API will also allow the use of the unencrypted PLAIN mechanism. From the
+ * 0.11 version and onwards you will need to set the flag PN_FLAGS_ALLOW_INSECURE_MECHS to
+ * carry on using the unencrypted PLAIN mechanism.
+ *
+ * The code for this looks like:
+ *
+ *   ...
+ *   pn_messenger_set_flags(messenger, PN_FLAGS_ALLOW_INSECURE_MECHS);
+ *   ...
+ *
+ * Note that the use of the PLAIN mechanism over an SSL connection is allowed as the
+ * password is not sent unencrypted.
  */
 typedef struct pn_messenger_t pn_messenger_t;
 
@@ -960,6 +981,11 @@ PN_EXTERN pn_timestamp_t pn_messenger_deadline(pn_messenger_t *messenger);
             to pn_messenger_start should check that                            \
             any defined routes are valid */
 
+#define PN_FLAGS_ALLOW_INSECURE_MECHS                                          \
+  (0x2) /** Messenger flag to indicate that the PLAIN                          \
+            mechanism is allowed on an unencrypted                             \
+            connection */
+
 /** Sets control flags to enable additional function for the Messenger.
  *
  * @param[in] messenger the messenger
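Review bot: The documentation for PN_FLAGS_ALLOW_INSECURE_MECHS does not say how the flag combines with the existing route-checking flag, and the example in the overview comment (first hunk) passes the new flag alone to pn_messenger_set_flags(). If that setter replaces the flag word rather than OR-ing into it (its body is not visible here), following the example would clear any other flag; the example would be safer as `pn_messenger_set_flags(messenger, pn_messenger_get_flags(messenger) | PN_FLAGS_ALLOW_INSECURE_MECHS);`. The same overview text has two typos to fix, "Mechanims" and "users's". The doc block for the setter that follows the define continues outside this hunk.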

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/a1888591/proton-c/src/messenger/messenger.c
----------------------------------------------------------------------
diff --git a/proton-c/src/messenger/messenger.c b/proton-c/src/messenger/messenger.c
index 8e63208..a1418ed 100644
--- a/proton-c/src/messenger/messenger.c
+++ b/proton-c/src/messenger/messenger.c
@@ -334,7 +334,10 @@ static void pni_listener_readable(pn_selectable_t *sel)
 
   pn_transport_t *t = pn_transport();
   pn_transport_set_server(t);
-
+  if (ctx->messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) {
+      pn_sasl_t *s = pn_sasl(t);
+      pn_sasl_set_allow_insecure_mechs(s, true);
+  }
   pn_ssl_t *ssl = pn_ssl(t);
   pn_ssl_init(ssl, ctx->domain, NULL);
 
@@ -661,7 +664,7 @@ pn_messenger_t *pn_messenger(const char *name)
     m->rewritten = pn_string(NULL);
     m->domain = pn_string(NULL);
     m->connection_error = 0;
-    m->flags = 0;
+    m->flags = PN_FLAGS_ALLOW_INSECURE_MECHS; // TODO: Change this back to 0 for the Proton 0.11 release
     m->snd_settle_mode = PN_SND_SETTLED;
     m->rcv_settle_mode = PN_RCV_FIRST;
     m->tracer = NULL;
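Review bot: Initialising `m->flags` to PN_FLAGS_ALLOW_INSECURE_MECHS makes cleartext PLAIN the opt-out default, and the only thing tying the revert to 0.11 is a free-text TODO. The pni_listener_readable hunk then enables insecure mechanisms on every accepted transport whenever the flag is set, without the `user && pass` condition the two client paths use, so a listener with no SSL domain configured appears to accept passwords in the clear unless the application clears the flag. I would reference the issue in the comment, `// TODO(PROTON-950): revert to 0 in 0.11; until then PLAIN is permitted without TLS by default`, and add a test that asserts the default value so the revert cannot be missed. An existing caller that sets only the route-checking flag may also drop this flag silently if pn_messenger_set_flags() overwrites rather than merges, which is not visible here. pn_messenger() starts and ends outside this hunk.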
@@ -1140,6 +1143,11 @@ void pn_messenger_process_connection(pn_messenger_t *messenger, pn_event_t *even
       pn_transport_unbind(pn_connection_transport(conn));
       pn_connection_reset(conn);
       pn_transport_t *t = pn_transport();
+      if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS &&
+          messenger->address.user && messenger->address.pass) {
+        pn_sasl_t *s = pn_sasl(t);
+        pn_sasl_set_allow_insecure_mechs(s, true);
+      }
       pn_transport_bind(t, conn);
       pn_decref(t);
       pn_transport_config(messenger, conn);
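Review bot: The condition mixes `&` and `&&` without parentheses, and the same check-then-enable sequence is written out three times (here, in pni_listener_readable and in pn_messenger_resolve) with inconsistent body indentation. The precedence is correct as written, but explicit parentheses around the mask test and a single static helper would keep the three call sites from drifting apart when the default is changed for 0.11. The helper below carries the credential condition used by the two client paths; the listener path would need its own decision on whether that condition applies. pn_messenger_process_connection starts and ends outside this hunk.

```c
/* Permit insecure SASL mechanisms on transport t only when the messenger
   flag is set and both a user and a password were supplied. */
static void pni_allow_insecure_mechs(pn_messenger_t *messenger, pn_transport_t *t,
                                     const char *user, const char *pass)
{
  if ((messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) && user && pass) {
    pn_sasl_set_allow_insecure_mechs(pn_sasl(t), true);
  }
}

// … unchanged: unbind and reset of the old connection …
      pn_transport_t *t = pn_transport();
      pni_allow_insecure_mechs(messenger, t, messenger->address.user,
                               messenger->address.pass);
// … unchanged: bind, decref and transport config …
```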
@@ -1671,6 +1679,10 @@ pn_connection_t *pn_messenger_resolve(pn_messenger_t *messenger, const char *add
   pn_connection_t *connection =
     pn_messenger_connection(messenger, sock, scheme, user, pass, host, port, NULL);
   pn_transport_t *transport = pn_transport();
+  if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS && user && pass) {
+      pn_sasl_t *s = pn_sasl(transport);
+      pn_sasl_set_allow_insecure_mechs(s, true);
+  }
   pn_transport_bind(transport, connection);
   pn_decref(transport);
   pn_connection_ctx_t *ctx = (pn_connection_ctx_t *) pn_connection_get_context(connection);




[2/2] qpid-proton git commit: NO-JIRA: Add a valgrind suppression for memory leak cyrus sasl before v2.1.26

Posted by as...@apache.org.
NO-JIRA: Add a valgrind suppression for memory leak cyrus sasl before v2.1.26


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/7c9e5673
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/7c9e5673
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/7c9e5673

Branch: refs/heads/master
Commit: 7c9e5673fec21668f144a4b6a2d8449ccc965b91
Parents: a188859
Author: Andrew Stitcher <as...@apache.org>
Authored: Thu Jul 30 00:26:12 2015 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Tue Aug 4 10:56:19 2015 -0400

----------------------------------------------------------------------
 tests/python/proton_tests/valgrind.supp | 8 ++++++++
 1 file changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/7c9e5673/tests/python/proton_tests/valgrind.supp
----------------------------------------------------------------------
diff --git a/tests/python/proton_tests/valgrind.supp b/tests/python/proton_tests/valgrind.supp
index eb4ba0f..17974aa 100644
--- a/tests/python/proton_tests/valgrind.supp
+++ b/tests/python/proton_tests/valgrind.supp
@@ -83,3 +83,11 @@
    fun:CRYPTO_malloc
 }
 
+{
+   Known memory leak in cyrus-sasl (fixed in 2.1.26)
+   Memcheck:Leak
+   fun:malloc
+   fun:*
+   fun:sasl_config_init
+   fun:sasl_server_init
+}

