From astitc...@apache.org
Subject [2/3] qpid-proton git commit: PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection
Date Tue, 04 Aug 2015 16:33:49 GMT
PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/e26e5976
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/e26e5976
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/e26e5976

Branch: refs/heads/0.10.x
Commit: e26e5976db2d32506651deb32d85ddebd631e1f5
Parents: 134a3c5
Author: Andrew Stitcher <astitcher@apache.org>
Authored: Tue Jul 28 16:33:54 2015 -0400
Committer: Andrew Stitcher <astitcher@apache.org>
Committed: Tue Aug 4 12:25:12 2015 -0400

----------------------------------------------------------------------
 proton-c/include/proton/messenger.h | 26 ++++++++++++++++++++++++++
 proton-c/src/messenger/messenger.c  | 16 ++++++++++++++--
 2 files changed, 40 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/e26e5976/proton-c/include/proton/messenger.h
----------------------------------------------------------------------
diff --git a/proton-c/include/proton/messenger.h b/proton-c/include/proton/messenger.h
index 6ef684f..87cb35c 100644
--- a/proton-c/include/proton/messenger.h
+++ b/proton-c/include/proton/messenger.h
@@ -132,6 +132,27 @@ extern "C" {
  * ::pn_messenger_recv() will do whatever they can without blocking,
  * and then return. You can then look at the number of incoming and
  * outgoing messages to see how much outstanding work still remains.
+ *
+ * Authentication Mechanims
+ * ========================
+ *
+ * The messenger API authenticates using some specific mechanisms. In prior versions
+ * of Proton the only authentication mechanism available was the PLAIN mechanism
+ * which transports the user's password over the network unencrypted. The Proton versions
+ * 0.10 and newer support other more secure mechanisms which avoid sending the users's
+ * password over the network unencrypted. For backwards compatibility the 0.10 version
+ * of the messenger API will also allow the use of the unencrypted PLAIN mechanism. From
the
+ * 0.11 version and onwards you will need to set the flag PN_FLAGS_ALLOW_INSECURE_MECHS to
+ * carry on using the unencrypted PLAIN mechanism.
+ *
+ * The code for this looks like:
+ *
+ *   ...
+ *   pn_messenger_set_flags(messenger, PN_FLAGS_ALLOW_INSECURE_MECHS);
+ *   ...
+ *
+ * Note that the use of the PLAIN mechanism over an SSL connection is allowed as the
+ * password is not sent unencrypted.
  */
 typedef struct pn_messenger_t pn_messenger_t;
 
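Review bot: The new section only explains how to set the flag, so a 0.10 user is not told how to stop PLAIN from being used on an unencrypted connection, even though the messenger.c part of this commit turns the flag on by default in pn_messenger(). The text should say how the flag is cleared (if pn_messenger_set_flags supports that; its body is not in this diff). It should also say that the flag is read when a transport is created, so changing it only affects connections made afterwards. Two typos in the added lines: the heading `Authentication Mechanims` should read `Authentication Mechanisms`, and `the users's password` should read `the user's password`.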
@@ -960,6 +981,11 @@ PN_EXTERN pn_timestamp_t pn_messenger_deadline(pn_messenger_t *messenger);
             to pn_messenger_start should check that                            \
             any defined routes are valid */
 
+#define PN_FLAGS_ALLOW_INSECURE_MECHS                                          \
+  (0x2) /** Messenger flag to indicate that the PLAIN                          \
+            mechanism is allowed on an unencrypted                             \
+            connection */
+
 /** Sets control flags to enable additional function for the Messenger.
  *
  * @param[in] messenger the messenger
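Review bot: The documentation block for pn_messenger_set_flags that begins right below the new define is not touched by this hunk, and the function body is outside the diff, so it is not visible whether the setter accepts the new 0x2 bit, lets flags be combined, or lets one be cleared. If it validates its argument against the previously existing flag only, the call shown in the new header text, `pn_messenger_set_flags(messenger, PN_FLAGS_ALLOW_INSECURE_MECHS);`, would be rejected. Worth confirming, and the description of the flags parameter should list PN_FLAGS_ALLOW_INSECURE_MECHS alongside the existing flag. The doc comment continues past the end of the hunk.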

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/e26e5976/proton-c/src/messenger/messenger.c
----------------------------------------------------------------------
diff --git a/proton-c/src/messenger/messenger.c b/proton-c/src/messenger/messenger.c
index 8e63208..a1418ed 100644
--- a/proton-c/src/messenger/messenger.c
+++ b/proton-c/src/messenger/messenger.c
@@ -334,7 +334,10 @@ static void pni_listener_readable(pn_selectable_t *sel)
 
   pn_transport_t *t = pn_transport();
   pn_transport_set_server(t);
-
+  if (ctx->messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) {
+      pn_sasl_t *s = pn_sasl(t);
+      pn_sasl_set_allow_insecure_mechs(s, true);
+  }
   pn_ssl_t *ssl = pn_ssl(t);
   pn_ssl_init(ssl, ctx->domain, NULL);
 
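Review bot: On the listener side the flag is applied to every accepted transport with no further condition, whereas the two client-side hunks also require a user and a password. Together with the new default in pn_messenger(), a listening messenger will permit PLAIN on unencrypted inbound connections unless the application changes its flags, going by the name of pn_sasl_set_allow_insecure_mechs. That deserves a comment at the call, for example `/* Server side: permit PLAIN from peers on unencrypted connections when the messenger allows it (on by default in 0.10) */`. The two added statements are also indented four columns under the `if`, where the rest of the file steps by two. pni_listener_readable starts and ends outside the hunk.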
@@ -661,7 +664,7 @@ pn_messenger_t *pn_messenger(const char *name)
     m->rewritten = pn_string(NULL);
     m->domain = pn_string(NULL);
     m->connection_error = 0;
-    m->flags = 0;
+    m->flags = PN_FLAGS_ALLOW_INSECURE_MECHS; // TODO: Change this back to 0 for the Proton
0.11 release
     m->snd_settle_mode = PN_SND_SETTLED;
     m->rcv_settle_mode = PN_RCV_FIRST;
     m->tracer = NULL;
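Review bot: Every messenger now starts with PN_FLAGS_ALLOW_INSECURE_MECHS set, and the only thing scheduling the return to a safe default is a trailing `//` TODO on the assignment. Tie the reminder to the tracking issue and say what the value means, for example `/* TODO(PROTON-950): reset to 0 in 0.11 so PLAIN on unencrypted connections becomes opt-in */` on the line above `m->flags = ...`. If the project has a build-time version check available, using it here would keep the permissive default from shipping unchanged in 0.11. pn_messenger() starts and ends outside the hunk.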
@@ -1140,6 +1143,11 @@ void pn_messenger_process_connection(pn_messenger_t *messenger, pn_event_t
*even
       pn_transport_unbind(pn_connection_transport(conn));
       pn_connection_reset(conn);
       pn_transport_t *t = pn_transport();
+      if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS &&
+          messenger->address.user && messenger->address.pass) {
+        pn_sasl_t *s = pn_sasl(t);
+        pn_sasl_set_allow_insecure_mechs(s, true);
+      }
       pn_transport_bind(t, conn);
       pn_decref(t);
       pn_transport_config(messenger, conn);
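Review bot: The credential test here reads `messenger->address.user` and `messenger->address.pass`, which is messenger-wide state, while pn_messenger_resolve in the next hunk tests the `user` and `pass` values it is working with. The hunk does not show that messenger->address still describes `conn` at this point, so that should be confirmed or the credentials taken from the connection's own context. The same three-line block is repeated in pn_messenger_resolve (and, without the credential test, in pni_listener_readable). A small static helper that takes the credentials explicitly would keep the policy in one place, make each call site's source of credentials visible, and parenthesize the mask test in the mixed `&`/`&&` condition. pn_messenger_process_connection starts and ends outside the hunk.

```c
/* Allow PLAIN on an unencrypted transport only if the messenger opted in
   and this connection actually carries credentials. */
static void pni_allow_insecure_mechs(pn_messenger_t *messenger, pn_transport_t *t,
                                     const char *user, const char *pass)
{
  if ((messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) && user && pass) {
    pn_sasl_set_allow_insecure_mechs(pn_sasl(t), true);
  }
}

// … unchanged: unbind and reset of conn …
      pn_transport_t *t = pn_transport();
      pni_allow_insecure_mechs(messenger, t,
                               messenger->address.user, messenger->address.pass);
// … unchanged: bind, decref and transport config …
```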
@@ -1671,6 +1679,10 @@ pn_connection_t *pn_messenger_resolve(pn_messenger_t *messenger, const
char *add
   pn_connection_t *connection =
     pn_messenger_connection(messenger, sock, scheme, user, pass, host, port, NULL);
   pn_transport_t *transport = pn_transport();
+  if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS && user &&
pass) {
+      pn_sasl_t *s = pn_sasl(transport);
+      pn_sasl_set_allow_insecure_mechs(s, true);
+  }
   pn_transport_bind(transport, connection);
   pn_decref(transport);
   pn_connection_ctx_t *ctx = (pn_connection_ctx_t *) pn_connection_get_context(connection);

