Issue skupperproject#1599: make sslProfile configuration updatable

This does not solve skupperproject#1572. It is part of a series of changes that will address skupperproject#1572.
kgiusti · Aug 15, 2024 · 401c025 · 401c025
1 parent a0d6986
commit 401c025
Show file tree

Hide file tree

Showing 77 changed files with 4,309 additions and 1,463 deletions.
diff --git a/include/qpid/dispatch/connection_manager.h b/include/qpid/dispatch/connection_manager.h
@@ -27,24 +27,10 @@
 #include "qpid/dispatch/server.h"
 
 typedef struct qd_connection_manager_t qd_connection_manager_t;
-typedef struct qd_config_ssl_profile_t qd_config_ssl_profile_t;
 typedef struct qd_connection_t         qd_connection_t;
 
 typedef void (*qd_connection_manager_handler_t) (void *context, qd_connection_t *conn);
 
-struct qd_config_ssl_profile_t {
-    DEQ_LINKS(qd_config_ssl_profile_t);
-    char        *name;
-    char        *ssl_password;
-    char        *ssl_trusted_certificate_db;
-    char        *ssl_uid_format;
-    char        *uid_name_mapping_file;
-    char        *ssl_certificate_file;
-    char        *ssl_private_key_file;
-    char        *ssl_ciphers;
-    char        *ssl_protocols;
-};
-
 /**
  * Allocate a connection manager
  *
@@ -69,9 +55,4 @@ void qd_connection_manager_free(qd_connection_manager_t *cm);
  */
 QD_EXPORT void qd_connection_manager_start(qd_dispatch_t *qd);
 
-/**
- * Find named qd_config_ssl_profile_t object
- */
-qd_config_ssl_profile_t *qd_find_ssl_profile(const qd_connection_manager_t *cm, const char *name);
-
 #endif
diff --git a/include/qpid/dispatch/protocol_adaptor.h b/include/qpid/dispatch/protocol_adaptor.h
@@ -932,6 +932,7 @@ qdr_connection_info_t *qdr_connection_info(bool             is_encrypted,
                                            bool             connection_trunking);
 
 void qdr_connection_info_set_group_correlator(qdr_connection_info_t *info, const char *correlator);
+void qdr_connection_info_set_tls(qdr_connection_info_t *info, bool enabled, char *version, char *ciphers, int ssf);
 
 void qd_adaptor_listener_init(void);
 void qd_adaptor_listener_finalize(void);

diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
@@ -24,7 +24,6 @@
 
 #include <proton/engine.h>
 #include <proton/event.h>
-#include <proton/ssl.h>
 
 typedef struct qd_server_t      qd_server_t;
 typedef struct qd_container_t   qd_container_t;
@@ -108,14 +107,6 @@ typedef enum {
  */
 void qd_server_set_container(qd_dispatch_t *qd, struct qd_container_t *container);
 
-/**
- * Store address of display name service py object for C code use
- *
- * @param qd The dispatch handle returned by qd_dispatch.
- * @param display_name_service address of python object
- */
-qd_error_t qd_register_display_name_service(qd_dispatch_t *qd, void *display_name_service);
-
 pn_proactor_t *qd_server_proactor(const qd_server_t *qd_server);
 qd_http_server_t *qd_server_http(const qd_server_t *qd_server);
 uint64_t qd_server_allocate_connection_id(qd_server_t *server);
@@ -130,8 +121,7 @@ typedef struct qd_handler_context_t {
     qd_server_event_handler_t  handler;
 } qd_handler_context_t;
 
-// Use displayName lookup to translate user_id to user name
-char *qd_server_query_user_name(const qd_server_t *server, const char *ssl_profile, const char *user_id);
+
 const char *qd_server_get_container_name(const qd_server_t *server);
 sys_mutex_t *qd_server_get_activation_lock(qd_server_t *server);
 

diff --git a/include/qpid/dispatch/tls.h b/include/qpid/dispatch/tls.h
@@ -0,0 +1,176 @@
+#ifndef __tls_h__
+#define __tls_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**@file
+ * Management of TLS configuration and state
+ */
+
+
+#include "qpid/dispatch/log.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+
+typedef struct qd_tls2_domain_t  qd_tls2_domain_t;   // SSL configuration domain
+typedef struct qd_tls2_session_t qd_tls2_session_t;  // per connection SSL state
+typedef struct qd_ssl2_profile_t qd_ssl2_profile_t;  // sslProfile configuration record
+
+// Proton has two different SSL/TLS implementations: one for AMQP and a buffer-based one for use with Raw Connections:
+typedef enum {
+    QD_TLS_TYPE_NONE = 0,     // unset
+    QD_TLS_TYPE_PROTON_AMQP,  // for use with AMQP transport
+    QD_TLS_TYPE_PROTON_RAW,   // use raw connection/qd_buffer_t interface
+} qd_tls_type_t;
+
+typedef enum {
+    QD_TLS_DOMAIN_MODE_NONE = 0,  // unset
+    QD_TLS_DOMAIN_SERVER_MODE,    // Operate as an SSL server (i.e. listener socket)
+    QD_TLS_DOMAIN_CLIENT_MODE,    // Operate as an SSL client (i.e. outgoing connections)
+} qd_tls_domain_mode_t;
+
+// sslProfile configuration record
+struct qd_ssl2_profile_t {
+    char *ssl_ciphers;
+    char *ssl_protocols;
+    char *ssl_trusted_certificate_db;
+    char *ssl_certificate_file;
+    char *ssl_private_key_file;
+    char *ssl_password;
+
+    /**
+     * Holds the list of component fields of the client certificate from which a unique identifier is constructed.  For
+     * e.g, this field could have the format of 'cou' indicating that the uid will consist of c - common name
+     * concatenated with o - organization-company name concatenated with u - organization unit
+     *
+     * Allowed values can be any combination of the comma separated codes (no duplicates):
+     * 'c'( ISO3166 two character country code),
+     * 's'(state or province),
+     * 'l'(Locality; generally - city),
+     * 'o'(Organization - Company Name),
+     * 'u'(Organization Unit - typically certificate type or brand),
+     * 'n'(CommonName - typically a user name for client certificates)
+     *
+     * and one of the following:
+     * '1'(sha1 certificate fingerprint, the fingerprint, as displayed in the fingerprints section when looking at a certificate
+     *  with say a web browser is the hash of the entire certificate in DER form)
+     * '2'(sha256 certificate fingerprint)
+     * '5'(sha512 certificate fingerprint)
+     */
+    char *ssl_uid_format;
+
+    /**
+     * Full path to the file that contains the uid to display name mapping.
+     */
+    char *uid_name_mapping_file;
+};
+
+/**
+ * Create a new TLS domain instance with the given configuration
+ *
+ * @param ssl_profile_name the name of the sslProfile configuration to use
+ * @param p_type protocol type for the domain (TCP or AMQP)
+ * @param mode the operational use case (TLS Server or Client)
+ * @param verify_hostname enforce host name checking (Client mode)
+ * @param authenticate_peer validate peer's certificate (Server mode)
+ *
+ * @return a new TLS Domain instance or 0 on error. qd_error() set if error.
+ */
+qd_tls2_domain_t *qd_tls2_domain(const char *ssl_profile_name,
+                                 qd_tls_type_t p_type,
+                                 qd_tls_domain_mode_t mode,
+                                 bool verify_hostname,
+                                 bool authenticate_peer);
+
+
+/**
+ * Release a reference to the domain
+ *
+ * @param domain to be released. The domain pointer must no longer be referenced
+ */
+void qd_tls2_domain_decref(qd_tls2_domain_t *domain);
+
+
+/**
+ * Release a TLS session context.
+ *
+ * See the session constructor API in tls_amqp.h and tls_raw.h
+ *
+ * @param session the session to free. It must no longer be referenced after this call.
+ */
+void qd_tls2_session_free(qd_tls2_session_t *session);
+
+
+/**
+ * Get the version of TLS/SSL in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing the TLS/SSL version description. Returned string buffer must be free()d by
+ * caller. Return 0 if version not known.
+ */
+char *qd_tls2_session_get_protocol_version(const qd_tls2_session_t *session);
+
+/**
+ * Get the cipher in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing a description of the active cipher. Returned string buffer must be free()d
+ * by caller. Return 0 if version not known.
+ */
+char *qd_tls2_session_get_protocol_ciphers(const qd_tls2_session_t *session);
+
+/**
+ * Get the Security Strength Factor (SSF) of the Cipher in use by the session
+ *
+ * @param session to be queried.
+ * @return the SSF value of the session
+ */
+int qd_tls2_session_get_ssf(const qd_tls2_session_t *session);
+
+
+/**
+ * Fill out the given *profile with the configuration from the named sslProfile record.
+ *
+ * @param the name of the sslProfile
+ * @param a pointer to an uninitialized qd_ssl2_profile_t instance.
+ * @return a pointer to the passed in qd_ssl2_profile_t on success else 0. Use qd_tls2_cleanup_ssl_profile() release
+ * resources in use by *profile when done.
+ */
+qd_ssl2_profile_t *qd_tls2_read_ssl_profile(const char *ssl_profile_name, qd_ssl2_profile_t *profile);
+
+/**
+ * Release any resources allocated by qd_tls2_get_ssl_profile() and reset the profile.
+ *
+ * @param a pointer to an qd_ssl2_profile_t instance initialized by qd_tls2_read_ssl_profile().
+ *
+ * Note this only releases internal resources associated with the profile, the memory pointed to by *profile is owned
+ * by the caller.
+ */
+void qd_tls2_cleanup_ssl_profile(qd_ssl2_profile_t *profile);
+
+
+// Module initialization/finalization
+void qd_tls2_initialize(void);
+void qd_tls2_finalize(void);
+
+#endif
+
diff --git a/include/qpid/dispatch/tls_amqp.h b/include/qpid/dispatch/tls_amqp.h
@@ -0,0 +1,55 @@
+#ifndef __tls_amqp_h__
+#define __tls_amqp_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "qpid/dispatch/tls.h"
+
+typedef struct pn_transport_t pn_transport_t;
+
+/**
+ * API for TLS operations specific to Proton AMQP connections.
+ *
+ * Note well: these APIs apply only to TLS domain/sessions of type QD_TLS_TYPE_PROTON_AMQP!  Proton raw connection
+ * based TLS sessions are not supported.  See tls.h and tls_raw_io.h.
+ */
+
+
+/**
+ * Create a new TLS session
+ *
+ * @param domain the TLS domain mused when creating the session
+ * @param tport transport associated with the session's connection
+ * @param allow_unencrypted if true permit accepting incoming unencrypted connections
+ * @return a new TLS session or 0 on error. If error qd_error() is set.
+ */
+qd_tls2_session_t *qd_tls2_session_amqp(qd_tls2_domain_t *domain, pn_transport_t *tport, bool allow_unencrypted);
+
+
+/**
+ * Get the user identifier associated with the TLS session.
+ *
+ * @param session the active TLS session to retrieve the user id from.
+ * @return string containing user name if query succeeds else 0. Caller must free() returned user name string when no
+ * longer used.
+ */
+char *qd_tls_session_get_user_id(qd_tls2_session_t *session);
+
+#endif
+