Posted to commits@qpid.apache.org by kg...@apache.org on 2012/12/14 20:17:13 UTC

svn commit: r1422045 - in /qpid/proton/trunk: proton-c/include/proton/ssl.h proton-c/src/ssl/openssl.c tests/proton_tests/ssl.py tests/proton_tests/ssl_db/README.txt tests/proton_tests/ssl_db/ca-private-key.pem

Author: kgiusti
Date: Fri Dec 14 19:17:08 2012
New Revision: 1422045

URL: http://svn.apache.org/viewvc?rev=1422045&view=rev
Log:
PROTON-161: test exact match hostname check

Added:
    qpid/proton/trunk/tests/proton_tests/ssl_db/ca-private-key.pem
Modified:
    qpid/proton/trunk/proton-c/include/proton/ssl.h
    qpid/proton/trunk/proton-c/src/ssl/openssl.c
    qpid/proton/trunk/tests/proton_tests/ssl.py
    qpid/proton/trunk/tests/proton_tests/ssl_db/README.txt

Modified: qpid/proton/trunk/proton-c/include/proton/ssl.h
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/include/proton/ssl.h?rev=1422045&r1=1422044&r2=1422045&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/include/proton/ssl.h (original)
+++ qpid/proton/trunk/proton-c/include/proton/ssl.h Fri Dec 14 19:17:08 2012
@@ -140,7 +140,7 @@ int pn_ssl_allow_unsecured_client(pn_ssl
  *  These settings can be changed via ::pn_ssl_set_peer_authentication()
  */
 typedef enum {
-  PN_SSL_VERIFY_PEER,     /**< require peer to provide a valid identifying certificate */
+  PN_SSL_VERIFY_PEER,     /**< require peer to provide a valid certificate */
   PN_SSL_ANONYMOUS_PEER,  /**< do not require a certificate nor cipher authorization */
 } pn_ssl_verify_mode_t;
 
@@ -212,12 +212,52 @@ bool pn_ssl_get_cipher_name(pn_ssl_t *ss
 bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *buffer, size_t size);
 
 
+/** Set the DNS name of the server that the client expects to authenticate.
+ *
+ * Setting this name causes the client to 1) send this name to the server during the
+ * handshake (if Server Name Indication is supported), and 2) check this name against the
+ * CommonName provided in the server's certificate. If the supplied name does not exactly
+ * match a CommonName entry in the server's certificate, the server is considered
+ * unauthenticated, and the SSL connection is aborted.
+ *
+ * @note Verification of the CommonName is only done if PN_SSL_VERIFY_PEER is enabled.
+ * See ::pn_ssl_set_peer_authentication.
+ *
+ * @note the CommonName check algorithm can be modified using
+ * ::pn_ssl_set_peer_hostname_match.
+ *
+ * @param[in] ssl the ssl client
+ * @param[in] hostname the value to check against the peer's CommonName field.  Expected
+ * to conform to the syntax as given in RFC1034, Section 3.5.
+ */
 void pn_ssl_set_peer_hostname( pn_ssl_t *ssl, const char *hostname);
 
+/** Specify how to match the server's CommonName field
+ *
+ * Expects the CommonName field to contain a DNS name as described in RFC1034, Sec 3.5
+ * Host Name Syntax.
+ */
 typedef enum {
-  PN_SSL_MATCH_EXACT,
-  PN_SSL_MATCH_WILDCARD
+  PN_SSL_MATCH_EXACT,   /**< case insensitive text match */
+  PN_SSL_MATCH_WILDCARD /**< domain label wildcard match */
 } pn_ssl_match_flag;
+
+/** Check the server's CommonName field to ensure authenticity.
+ *
+ * Controls how the SSL client will check the CommonName field in the server's
+ * certificate.  This check must be used in order to ensure the certificate belongs to the
+ * expected target.  If the check fails, the SSL connection is aborted.
+ *
+ * @note Verification of the CommonName is only done if PN_SSL_VERIFY_PEER is enabled.
+ * See ::pn_ssl_set_peer_authentication.
+ *
+ * @param[in] ssl the ssl client
+ * @param[in] pattern if not NULL the pattern to use to check against the peer's
+ * CommonName field, based on the match flag.  If NULL, CommonName checking is disabled.
+ * @param[in] flag describes how pattern should be used to match against the CommonName
+ * field
+ * @return 0 if pattern/flag is valid, < 0 if error.
+ */
 int pn_ssl_set_peer_hostname_match( pn_ssl_t *ssl, const char *pattern, pn_ssl_match_flag flag);
 
 #ifdef __cplusplus
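Review bot: PN_SSL_MATCH_WILDCARD is documented in this hunk as "domain label wildcard match", but the openssl.c change in the same commit makes pn_ssl_set_peer_hostname_match() return -1 for any flag other than PN_SSL_MATCH_EXACT. The enum comment should say so, for example `PN_SSL_MATCH_WILDCARD /**< domain label wildcard match (not yet implemented, rejected with an error) */`. Both doc comments also describe a CommonName-only comparison; if subjectAltName dNSName entries are not consulted, the header should state that explicitly. The notes cover the dependency on PN_SSL_VERIFY_PEER but not the converse, that PN_SSL_VERIFY_PEER with no hostname set presumably validates the chain only and accepts any certificate signed by the trusted CA; a `@note` on pn_ssl_set_peer_hostname() saying so would help callers.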

Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1422045&r1=1422044&r2=1422045&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Fri Dec 14 19:17:08 2012
@@ -1061,11 +1061,12 @@ void pn_ssl_set_peer_hostname( pn_ssl_t 
   }
 }
 
-// uses RFC1034, Sec 3.5 host name syntax
 int pn_ssl_set_peer_hostname_match( pn_ssl_t *ssl, const char *pattern, pn_ssl_match_flag flag)
 {
   if (!ssl) return -1;
 
+  if (flag != PN_SSL_MATCH_EXACT) return -1;  // @todo support for wildcard
+
   if (ssl->peer_match_pattern) free(ssl->peer_match_pattern);
   ssl->peer_match_pattern = NULL;
   if (pattern) {
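Review bot: The new flag guard returns -1 before the old pattern is freed, so a rejected call leaves `ssl->peer_match_pattern` at its previous value, which may be NULL. A caller that asks for PN_SSL_MATCH_WILDCARD and ignores the return value would then presumably connect with no CommonName check at all. I would document that on the guard, e.g. `// unsupported flag: pattern is left unchanged, callers must treat -1 as fatal`. The guard also rejects a NULL pattern (the documented way to disable checking) when it is passed with a non-exact flag, which looks unintended. The `if (ssl->peer_match_pattern)` test before `free()` is redundant, and the function body continues past the end of the hunk.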

Modified: qpid/proton/trunk/tests/proton_tests/ssl.py
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/tests/proton_tests/ssl.py?rev=1422045&r1=1422044&r2=1422045&view=diff
==============================================================================
--- qpid/proton/trunk/tests/proton_tests/ssl.py (original)
+++ qpid/proton/trunk/tests/proton_tests/ssl.py Fri Dec 14 19:17:08 2012
@@ -288,7 +288,7 @@ class SslTest(common.Test):
         #self.t_client.trace( Transport.TRACE_DRV )
         self.client.set_trusted_ca_db(self._testpath("ca-certificate.pem"))
         self.client.set_peer_authentication( SSL.VERIFY_PEER )
-        self.client.set_peer_hostname( "127.0.0.1" )
+        self.client.set_peer_hostname( "a1.good.server.domain.com" )
 
         client_conn = Connection()
         self.t_client.bind(client_conn)
@@ -313,7 +313,7 @@ class SslTest(common.Test):
         #self.t_client.trace( Transport.TRACE_DRV )
         self.client.set_trusted_ca_db(self._testpath("ca-certificate.pem"))
         self.client.set_peer_authentication( SSL.VERIFY_PEER )
-        self.client.set_peer_hostname( "127.0.0.1x" )
+        self.client.set_peer_hostname( "A1.Good.Server.domain.comx" )
 
         client_conn = Connection()
         self.t_client.bind(client_conn)
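Review bot: The negative case here only covers an expected name that is longer than the certificate's CommonName (`"A1.Good.Server.domain.comx"`). A matcher that compares only up to the length of the supplied name would still pass both tests, so I would add a case expected to fail with a strict prefix, e.g. `self.client.set_peer_hostname( "A1.Good.Server.domain.co" )`. The lower-case `"a1.good.server.domain.com"` in the previous hunk covers case-insensitivity only implicitly; a comment such as `# CN in server-certificate.pem is mixed case; match must be case insensitive` would make that intent visible. Both test methods start and end outside the hunks shown.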

Modified: qpid/proton/trunk/tests/proton_tests/ssl_db/README.txt
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/tests/proton_tests/ssl_db/README.txt?rev=1422045&r1=1422044&r2=1422045&view=diff
==============================================================================
--- qpid/proton/trunk/tests/proton_tests/ssl_db/README.txt (original)
+++ qpid/proton/trunk/tests/proton_tests/ssl_db/README.txt Fri Dec 14 19:17:08 2012
@@ -4,6 +4,9 @@ ca-certificate.pem - contains the public
 Authority.  This certificate is used to sign the certificates that identify the SSL
 servers and clients run by the tests.
 
+ca-private-key.pem - encrypted key used to sign certificate requests.  Password is
+"ca-password"
+
 client-certificate.pem - the public certificate used to identify the client.  Signed by
 the CA.
 
@@ -11,7 +14,7 @@ client-private-key.pem - encrypted key u
 "client-password"
 
 server-certificate.pem - the public certificate used to identify the server.  Signed by
-the CA.
+the CA.  The CommonName is "A1.Good.Server.domain.com", and is checked by some unit tests.
 
 server-private-key.pem - encrypted key used to create server-certificate.pem. Password is
 "server-password"

Added: qpid/proton/trunk/tests/proton_tests/ssl_db/ca-private-key.pem
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/tests/proton_tests/ssl_db/ca-private-key.pem?rev=1422045&view=auto
==============================================================================
--- qpid/proton/trunk/tests/proton_tests/ssl_db/ca-private-key.pem (added)
+++ qpid/proton/trunk/tests/proton_tests/ssl_db/ca-private-key.pem Fri Dec 14 19:17:08 2012
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----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+-----END ENCRYPTED PRIVATE KEY-----
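Review bot: This adds the test CA's signing key to the tree while the README hunk in the same commit publishes its passphrase, so anyone with the repository can issue certificates that chain to ca-certificate.pem. That is acceptable for a test fixture only if the CA certificate is never installed in a trust store outside the test suite, and the README does not currently say so. I would add a line to README.txt along the lines of `These keys and certificates are for unit tests only; never add ca-certificate.pem to a production trust store.`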


