
From g...@apache.org
Subject [22/50] [abbrv] qpid-proton git commit: PROTON-719 : prevent ssl3 connections in Windows with schannel
Date Fri, 14 Nov 2014 11:03:31 GMT
PROTON-719 : prevent ssl3 connections in Windows with schannel

git-svn-id: https://svn.apache.org/repos/asf/qpid/proton/trunk@1632702 13f79535-47bb-0310-9956-ffa450edef68


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/7e8b6b6c
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/7e8b6b6c
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/7e8b6b6c

Branch: refs/heads/examples
Commit: 7e8b6b6c4cd422771fd3094c718745c094f5a735
Parents: ad5e094
Author: Clifford Jansen <cliffjansen@apache.org>
Authored: Sat Oct 18 00:16:01 2014 +0000
Committer: Clifford Jansen <cliffjansen@apache.org>
Committed: Sat Oct 18 00:16:01 2014 +0000

----------------------------------------------------------------------
 proton-c/src/windows/schannel.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/7e8b6b6c/proton-c/src/windows/schannel.c
----------------------------------------------------------------------
diff --git a/proton-c/src/windows/schannel.c b/proton-c/src/windows/schannel.c
index 385267f..373dc51 100644
--- a/proton-c/src/windows/schannel.c
+++ b/proton-c/src/windows/schannel.c
@@ -209,7 +209,7 @@ static size_t _pni_min(size_t a, size_t b)
 }
 
 // unrecoverable SSL failure occured, notify transport and generate error code.
-static int ssl_failed(pn_ssl_t *ssl, char *reason)
+static int ssl_failed(pn_ssl_t *ssl, const char *reason)
 {
   char buf[512] = "Unknown error.";
   if (!reason) {
@@ -521,6 +521,16 @@ int pn_ssl_get_peer_hostname( pn_ssl_t *ssl, char *hostname, size_t *bufsize
)
 
 /** SChannel specific: */
 
+const char *tls_version_check(pn_ssl_t *ssl)
+{
+  SecPkgContext_ConnectionInfo info;
+  QueryContextAttributes(&ssl->ctxt_handle, SECPKG_ATTR_CONNECTION_INFO, &info);
+  // Ascending bit patterns denote newer SSL/TLS protocol versions.
+  // SP_PROT_TLS1_0_SERVER is not defined until VS2010.
+  return (info.dwProtocol < SP_PROT_TLS1_SERVER) ?
+    "peer does not support TLS 1.0 security" : NULL;
+}
+
 static void ssl_encrypt(pn_ssl_t *ssl, char *app_data, size_t count)
 {
   // Get SChannel to encrypt exactly one Record.
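Review bot: The SECURITY_STATUS returned by QueryContextAttributes on the line after the declaration of `info` is discarded, so if the query fails `info.dwProtocol` is read uninitialized and the version gate passes or fails arbitrarily instead of failing closed. I would zero the struct and treat any non-success status as a handshake failure: `SecPkgContext_ConnectionInfo info = {0};` / `if (QueryContextAttributes(&ssl->ctxt_handle, SECPKG_ATTR_CONNECTION_INFO, &info) != SEC_E_OK)` / `  return "unable to determine negotiated SSL/TLS version";`. The helper is also the only non-`static` function in the hunk while its neighbours `ssl_failed` and `ssl_encrypt` are file-local, and its name carries none of the file's `pn_ssl_`/`_pni_` prefixes, so it is exported from the library under a generic name; marking it `static` avoids that. A one-line contract comment would help callers, e.g. `// Returns NULL if the negotiated protocol is TLS 1.0 or newer, else a static error string for ssl_failed().`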
@@ -732,6 +742,10 @@ static void client_handshake( pn_ssl_t* ssl) {
       ssl_failed(ssl, "unexpected final server token");
       break;
     }
+    if (const char *err = tls_version_check(ssl)) {
+      ssl_failed(ssl, err);
+      break;
+    }
     if (token_buffs[1].BufferType == SECBUFFER_EXTRA && token_buffs[1].cbBuffer >
0) {
       // This seems to work but not documented, plus logic differs from decrypt message
       // since the pvBuffer value is not set.  Grrr.
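Review bot: The declaration inside the `if` condition (`if (const char *err = tls_version_check(ssl))`) is C++ syntax, not valid C, so this compiles only if schannel.c is built as C++ on this platform, which the hunk does not show; the portable form is `const char *err = tls_version_check(ssl);` followed by `if (err) {`. The gate is applied only on this client path, so if the file also has a server-side handshake that accepts SSLv3 it presumably needs the same check — I cannot see that from the hunk. client_handshake's body starts and ends outside the hunk.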



