From f17693a8c695c41b8326e1b7231bcb268d2e73c6 Mon Sep 17 00:00:00 2001 From: Kenneth Giusti Date: Thu, 15 Aug 2024 17:02:09 -0400 Subject: [PATCH] fixup: remove the obsolete term 'ssl' Replace with 'tls' where appropriate. Only use the term 'ssl' when referring to an sslProfile record. --- include/qpid/dispatch/tls.h | 22 ++--- src/adaptors/legacy_tls.c | 42 ++++---- src/http-libwebsockets.c | 10 +- src/router_core/agent_connection.c | 28 +++--- src/router_core/connections.c | 44 ++++----- src/router_core/router_core_private.h | 8 +- src/tls/tls.c | 96 +++++++++---------- src/tls/tls_amqp.c | 50 +++++----- src/tls/tls_raw.c | 32 +++---- .../test_connection_manager_static.cpp | 2 +- tests/system_tests_one_router.py | 10 +- tests/system_tests_ssl.py | 4 +- 12 files changed, 174 insertions(+), 174 deletions(-) diff --git a/include/qpid/dispatch/tls.h b/include/qpid/dispatch/tls.h index d34c3892c..a2e4b9235 100644 --- a/include/qpid/dispatch/tls.h +++ b/include/qpid/dispatch/tls.h @@ -44,18 +44,18 @@ typedef enum { typedef enum { QD_TLS_DOMAIN_MODE_NONE = 0, // unset - QD_TLS_DOMAIN_SERVER_MODE, // Operate as an SSL server (i.e. listener socket) - QD_TLS_DOMAIN_CLIENT_MODE, // Operate as an SSL client (i.e. outgoing connections) + QD_TLS_DOMAIN_SERVER_MODE, // Operate as a TLS server (i.e. listener socket) + QD_TLS_DOMAIN_CLIENT_MODE, // Operate as an TLS client (i.e. outgoing connections) } qd_tls_domain_mode_t; // sslProfile configuration record struct qd_ssl2_profile_t { - char *ssl_ciphers; - char *ssl_protocols; - char *ssl_trusted_certificate_db; - char *ssl_certificate_file; - char *ssl_private_key_file; - char *ssl_password; + char *ciphers; + char *protocols; + char *trusted_certificate_db; + char *certificate_file; + char *private_key_file; + char *password; /** * Holds the list of component fields of the client certificate from which a unique identifier is constructed. For 
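Review bot: The rewritten enumerator comment reads `// Operate as an TLS client (i.e. outgoing connections)`, which should be `// Operate as a TLS client (i.e. outgoing connections)` to match the server-mode line directly above it. The `qd_ssl2_profile_t` field rename is consistent within this hunk, but the struct definition continues past the hunk so the remaining fields cannot be checked here.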
@@ -76,7 +76,7 @@ struct qd_ssl2_profile_t { * '2'(sha256 certificate fingerprint) * '5'(sha512 certificate fingerprint) */ - char *ssl_uid_format; + char *uid_format; /** * Full path to the file that contains the uid to display name mapping. @@ -121,10 +121,10 @@ void qd_tls2_session_free(qd_tls2_session_t *session); /** - * Get the version of TLS/SSL in use by the session. + * Get the version of TLS in use by the session. * * @param session to be queried. - * @return Null terminated string containing the TLS/SSL version description. Returned string buffer must be free()d by + * @return Null terminated string containing the TLS version description. Returned string buffer must be free()d by * caller. Return 0 if version not known. */ char *qd_tls2_session_get_protocol_version(const qd_tls2_session_t *session); diff --git a/src/adaptors/legacy_tls.c b/src/adaptors/legacy_tls.c index 16cde7e33..ef6966c21 100644 --- a/src/adaptors/legacy_tls.c +++ b/src/adaptors/legacy_tls.c @@ -259,9 +259,9 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) break; } - if (config_ssl_profile->ssl_trusted_certificate_db) { + if (config_ssl_profile->trusted_certificate_db) { res = pn_tls_config_set_trusted_certs(tls_domain->pn_tls_config, - config_ssl_profile->ssl_trusted_certificate_db); + config_ssl_profile->trusted_certificate_db); if (res != 0) { qd_log(tls_domain->log_module, QD_LOG_ERROR, 
@@ -269,18 +269,18 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) role, tls_domain->name, tls_domain->ssl_profile_name, - config_ssl_profile->ssl_trusted_certificate_db, + config_ssl_profile->trusted_certificate_db, res); break; } } // Call pn_tls_config_set_credentials only if "certFile" is provided. - if (config_ssl_profile->ssl_certificate_file) { + if (config_ssl_profile->certificate_file) { res = pn_tls_config_set_credentials(tls_domain->pn_tls_config, - config_ssl_profile->ssl_certificate_file, - config_ssl_profile->ssl_private_key_file, - config_ssl_profile->ssl_password); + config_ssl_profile->certificate_file, + config_ssl_profile->private_key_file, + config_ssl_profile->password); if (res != 0) { qd_log(tls_domain->log_module, QD_LOG_ERROR, @@ -288,7 +288,7 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) role, tls_domain->name, tls_domain->ssl_profile_name, - config_ssl_profile->ssl_certificate_file, + config_ssl_profile->certificate_file, res); break; } @@ -301,8 +301,8 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) tls_domain->ssl_profile_name); } - if (!!config_ssl_profile->ssl_ciphers) { - res = pn_tls_config_set_impl_ciphers(tls_domain->pn_tls_config, config_ssl_profile->ssl_ciphers); + if (!!config_ssl_profile->ciphers) { + res = pn_tls_config_set_impl_ciphers(tls_domain->pn_tls_config, config_ssl_profile->ciphers); if (res != 0) { qd_log(tls_domain->log_module, QD_LOG_ERROR, @@ -310,7 +310,7 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) role, tls_domain->name, tls_domain->ssl_profile_name, - config_ssl_profile->ssl_ciphers, + config_ssl_profile->ciphers, res); break; } 
@@ -319,7 +319,7 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) if (tls_domain->is_listener) { if (tls_domain->authenticate_peer) { res = pn_tls_config_set_peer_authentication( - tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER, config_ssl_profile->ssl_trusted_certificate_db); + tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER, config_ssl_profile->trusted_certificate_db); } else { res = pn_tls_config_set_peer_authentication(tls_domain->pn_tls_config, PN_TLS_ANONYMOUS_PEER, 0); } @@ -327,10 +327,10 @@ static qd_tls_domain_t *_tls_domain_init(qd_tls_domain_t *tls_domain) // Connector. if (tls_domain->verify_host_name) { res = pn_tls_config_set_peer_authentication( - tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER_NAME, config_ssl_profile->ssl_trusted_certificate_db); + tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER_NAME, config_ssl_profile->trusted_certificate_db); } else { res = pn_tls_config_set_peer_authentication( - tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER, config_ssl_profile->ssl_trusted_certificate_db); + tls_domain->pn_tls_config, PN_TLS_VERIFY_PEER, config_ssl_profile->trusted_certificate_db); } } @@ -427,17 +427,17 @@ void qd_tls_update_connection_info(qd_tls_t *tls, qdr_connection_info_t *conn_in // connection_info. This same lock is being used in the agent_connection.c's qdr_connection_insert_column_CT // sys_mutex_lock(&conn_info->connection_info_lock); - free(conn_info->ssl_cipher); - conn_info->ssl_cipher = 0; - free(conn_info->ssl_proto); - conn_info->ssl_proto = 0; - conn_info->ssl = true; + free(conn_info->tls_cipher); + conn_info->tls_cipher = 0; + free(conn_info->tls_proto); + conn_info->tls_proto = 0; + conn_info->tls = true; conn_info->is_encrypted = true; if (protocol_cipher) { - conn_info->ssl_cipher = protocol_cipher; + conn_info->tls_cipher = protocol_cipher; } if (protocol_ver) { - conn_info->ssl_proto = protocol_ver; + conn_info->tls_proto = protocol_ver; } sys_mutex_unlock(&conn_info->connection_info_lock); 
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c index e675a84ed..b886a08c6 100644 --- a/src/http-libwebsockets.c +++ b/src/http-libwebsockets.c @@ -397,11 +397,11 @@ static void listener_start(qd_lws_listener_t *hl, qd_http_server_t *hs) { info.options |= LWS_SERVER_OPTION_DISABLE_IPV6; } if (config->ssl_profile_name) { - info.ssl_cert_filepath = hl->ssl_config.ssl_certificate_file; - info.ssl_private_key_filepath = hl->ssl_config.ssl_private_key_file; - info.ssl_private_key_password = hl->ssl_config.ssl_password; - info.ssl_ca_filepath = hl->ssl_config.ssl_trusted_certificate_db; - info.ssl_cipher_list = hl->ssl_config.ssl_ciphers; + info.ssl_cert_filepath = hl->ssl_config.certificate_file; + info.ssl_private_key_filepath = hl->ssl_config.private_key_file; + info.ssl_private_key_password = hl->ssl_config.password; + info.ssl_ca_filepath = hl->ssl_config.trusted_certificate_db; + info.ssl_cipher_list = hl->ssl_config.ciphers; info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT | LWS_SERVER_OPTION_ALLOW_HTTP_ON_HTTPS_LISTENER) | diff --git a/src/router_core/agent_connection.c b/src/router_core/agent_connection.c index fc718872c..b4b8f6fdc 100644 --- a/src/router_core/agent_connection.c +++ b/src/router_core/agent_connection.c @@ -35,12 +35,12 @@ #define QDR_CONNECTION_IS_AUTHENTICATED 8 #define QDR_CONNECTION_USER 9 #define QDR_CONNECTION_IS_ENCRYPTED 10 -#define QDR_CONNECTION_SSLPROTO 11 -#define QDR_CONNECTION_SSLCIPHER 12 +#define QDR_CONNECTION_TLSPROTO 11 +#define QDR_CONNECTION_TLSCIPHER 12 #define QDR_CONNECTION_PROPERTIES 13 -#define QDR_CONNECTION_SSLSSF 14 +#define QDR_CONNECTION_TLSSSF 14 #define QDR_CONNECTION_TYPE 15 -#define QDR_CONNECTION_SSL 16 +#define QDR_CONNECTION_TLS 16 #define QDR_CONNECTION_OPENED 17 #define QDR_CONNECTION_ACTIVE 18 #define QDR_CONNECTION_ADMIN_STATUS 19 
@@ -195,30 +195,30 @@ static void qdr_connection_insert_column_CT(qdr_core_t *core, qdr_connection_t * qd_compose_insert_bool(body, conn->connection_info->is_encrypted); break; - case QDR_CONNECTION_SSLPROTO: - if (conn->connection_info->ssl_proto && conn->connection_info->ssl_proto[0] != '\0') - qd_compose_insert_string(body, conn->connection_info->ssl_proto); + case QDR_CONNECTION_TLSPROTO: + if (conn->connection_info->tls_proto && conn->connection_info->tls_proto[0] != '\0') + qd_compose_insert_string(body, conn->connection_info->tls_proto); else qd_compose_insert_null(body); break; - case QDR_CONNECTION_SSLCIPHER: - if (conn->connection_info->ssl_cipher && conn->connection_info->ssl_cipher[0] != '\0') - qd_compose_insert_string(body, conn->connection_info->ssl_cipher); + case QDR_CONNECTION_TLSCIPHER: + if (conn->connection_info->tls_cipher && conn->connection_info->tls_cipher[0] != '\0') + qd_compose_insert_string(body, conn->connection_info->tls_cipher); else qd_compose_insert_null(body); break; - case QDR_CONNECTION_SSLSSF: - qd_compose_insert_long(body, conn->connection_info->ssl_ssf); + case QDR_CONNECTION_TLSSSF: + qd_compose_insert_long(body, conn->connection_info->tls_ssf); break; case QDR_CONNECTION_TYPE: qd_compose_insert_string(body, CONNECTION_TYPE); break; - case QDR_CONNECTION_SSL: - qd_compose_insert_bool(body, conn->connection_info->ssl); + case QDR_CONNECTION_TLS: + qd_compose_insert_bool(body, conn->connection_info->tls); break; case QDR_CONNECTION_OPENED: diff --git a/src/router_core/connections.c b/src/router_core/connections.c index ffd08fd9f..e722ef958 100644 --- a/src/router_core/connections.c +++ b/src/router_core/connections.c 
@@ -145,7 +145,7 @@ qdr_connection_t *qdr_connection_opened(qdr_core_t *core, "] Connection Opened: dir=%s host=%s encrypted=%s" " auth=%s user=%s container_id=%s props=%s", management_id, incoming ? "in" : "out", connection_info->host, - connection_info->is_encrypted ? connection_info->ssl_proto : "no", + connection_info->is_encrypted ? connection_info->tls_proto : "no", connection_info->is_authenticated ? connection_info->sasl_mechanisms : "no", connection_info->user, connection_info->container, props_str); @@ -186,13 +186,13 @@ qdr_connection_info_t *qdr_connection_info(bool is_encrypted, char *sasl_mechanisms, qd_direction_t dir, const char *host, - const char *ssl_proto, - const char *ssl_cipher, + const char *tls_proto, + const char *tls_cipher, const char *user, const char *container, pn_data_t *connection_properties, - int ssl_ssf, - bool ssl, + int tls_ssf, + bool tls, const char *version, bool streaming_links, bool connection_trunking) @@ -210,10 +210,10 @@ qdr_connection_info_t *qdr_connection_info(bool is_encrypted, connection_info->dir = dir; if (host) connection_info->host = strdup(host); - if (ssl_proto) - connection_info->ssl_proto = strdup(ssl_proto); - if (ssl_cipher) - connection_info->ssl_cipher = strdup(ssl_cipher); + if (tls_proto) + connection_info->tls_proto = strdup(tls_proto); + if (tls_cipher) + connection_info->tls_cipher = strdup(tls_cipher); if (user) connection_info->user = strdup(user); if (version) @@ -224,8 +224,8 @@ qdr_connection_info_t *qdr_connection_info(bool is_encrypted, pn_data_copy(qdr_conn_properties, connection_properties); connection_info->connection_properties = qdr_conn_properties; - connection_info->ssl_ssf = ssl_ssf; - connection_info->ssl = ssl; + connection_info->tls_ssf = tls_ssf; + connection_info->tls = tls; connection_info->streaming_links = streaming_links; connection_info->connection_trunking = connection_trunking; sys_mutex_init(&connection_info->connection_info_lock); 
@@ -246,19 +246,19 @@ void qdr_connection_info_set_tls(qdr_connection_info_t *conn_info, bool enabled, // connection_info. This same lock is being used in the agent_connection.c's qdr_connection_insert_column_CT // sys_mutex_lock(&conn_info->connection_info_lock); - free(conn_info->ssl_cipher); - free(conn_info->ssl_proto); - conn_info->ssl = enabled; + free(conn_info->tls_cipher); + free(conn_info->tls_proto); + conn_info->tls = enabled; conn_info->is_encrypted = enabled; if (enabled) { - conn_info->ssl_proto = version; - conn_info->ssl_cipher = ciphers; - conn_info->ssl_ssf = ssf; + conn_info->tls_proto = version; + conn_info->tls_cipher = ciphers; + conn_info->tls_ssf = ssf; } else { assert(!version && !ciphers); - conn_info->ssl_cipher = 0; - conn_info->ssl_proto = 0; - conn_info->ssl_ssf = 0; + conn_info->tls_cipher = 0; + conn_info->tls_proto = 0; + conn_info->tls_ssf = 0; } sys_mutex_unlock(&conn_info->connection_info_lock); } @@ -269,8 +269,8 @@ static void qdr_connection_info_free(qdr_connection_info_t *ci) free(ci->container); free(ci->sasl_mechanisms); free(ci->host); - free(ci->ssl_proto); - free(ci->ssl_cipher); + free(ci->tls_proto); + free(ci->tls_cipher); free(ci->user); free(ci->version); sys_mutex_free(&ci->connection_info_lock); diff --git a/src/router_core/router_core_private.h b/src/router_core/router_core_private.h index 6fb36334a..b6e7b6c73 100644 --- a/src/router_core/router_core_private.h +++ b/src/router_core/router_core_private.h @@ -639,8 +639,8 @@ struct qdr_connection_info_t { char *container; char *sasl_mechanisms; char *host; - char *ssl_proto; - char *ssl_cipher; + char *tls_proto; + char *tls_cipher; char *user; bool is_authenticated; bool is_encrypted; 
@@ -650,8 +650,8 @@ struct qdr_connection_info_t { qd_direction_t dir; qdr_connection_role_t role; pn_data_t *connection_properties; - bool ssl; - int ssl_ssf; //ssl strength factor + bool tls; + int tls_ssf; // TLS strength factor char *version; // if role is router or edge sys_mutex_t connection_info_lock; char group_correlator[QD_DISCRIMINATOR_SIZE]; // Used to associate inter-router-data connections to their inter-router connection diff --git a/src/tls/tls.c b/src/tls/tls.c index 7ea198be6..2292ac2a6 100644 --- a/src/tls/tls.c +++ b/src/tls/tls.c @@ -244,7 +244,7 @@ qd_tls2_domain_t *qd_tls2_domain(const char *ssl_profile_name, sys_mutex_init(&tls_domain->lock); tls_domain->ssl_profile_name = qd_strdup(ssl_profile_name); - tls_domain->uid_format = CHECKED_STRDUP(tls_context->config.ssl_uid_format); + tls_domain->uid_format = CHECKED_STRDUP(tls_context->config.uid_format); tls_domain->authenticate_peer = authenticate_peer; tls_domain->verify_hostname = verify_hostname; tls_domain->is_listener = is_listener; @@ -384,20 +384,20 @@ qd_tls2_session_t *qd_tls2_session_amqp(qd_tls2_domain_t *tls_domain, pn_transpo tls_session->pn_amqp = pn_ssl(tport); if (!tls_session->pn_amqp) { sys_mutex_unlock(&tls_domain->lock); - qd_error(QD_ERROR_RUNTIME, "Failed to create an AMQP SSL session"); + qd_error(QD_ERROR_RUNTIME, "Failed to create an AMQP TLS session"); goto error; } int rc = pn_ssl_init(tls_session->pn_amqp, tls_domain->pn_amqp, 0); if (rc) { sys_mutex_unlock(&tls_domain->lock); - qd_error(QD_ERROR_RUNTIME, "Failed to initialize AMQP SSL session (%d)", rc); + qd_error(QD_ERROR_RUNTIME, "Failed to initialize AMQP TLS session (%d)", rc); goto error; } sys_mutex_unlock(&tls_domain->lock); - // By default adding ssl to a transport forces encryption to be required, so if it's not set that here + // By default adding tls to a transport forces encryption to be required, so if it's not set that here if (allow_unencrypted) { pn_transport_require_encryption(tport, false); } 
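Review bot: The comment above the `allow_unencrypted` check in `qd_tls2_session_amqp` was only re-termed and still reads awkwardly, yet it marks the one place where the session deliberately relaxes encryption and so deserves a clear sentence, e.g. `// Proton makes encryption mandatory once TLS is attached to the transport; relax that only when the listener explicitly allows unencrypted peers.` The lowercase `tls` in this comment also differs from the capitalised `TLS` used in the other comments rewritten by this commit. The enclosing function starts before this hunk.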
@@ -440,7 +440,7 @@ void qd_tls2_session_free(qd_tls2_session_t *tls_session) if (tls_session->pn_raw) { pn_tls_free(tls_session->pn_raw); } else { - // Proton does not provide a way to explicitly free the AMQP SSL session. It is owned by the parent + // Proton does not provide a way to explicitly free the AMQP TLS session. It is owned by the parent // pn_transport_t and will be released when the transport is closed (I think). } sys_mutex_unlock(&tls_session->tls_domain->lock); @@ -536,14 +536,14 @@ qd_ssl2_profile_t *qd_tls2_read_ssl_profile(const char *ssl_profile_name, qd_ssl return 0; } - profile->ssl_ciphers = CHECKED_STRDUP(tls_context->config.ssl_ciphers); - profile->ssl_protocols = CHECKED_STRDUP(tls_context->config.ssl_protocols); - profile->ssl_password = CHECKED_STRDUP(tls_context->config.ssl_password); - profile->ssl_uid_format = CHECKED_STRDUP(tls_context->config.ssl_uid_format); - profile->ssl_certificate_file = CHECKED_STRDUP(tls_context->config.ssl_certificate_file); - profile->ssl_private_key_file = CHECKED_STRDUP(tls_context->config.ssl_private_key_file); - profile->uid_name_mapping_file = CHECKED_STRDUP(tls_context->config.uid_name_mapping_file); - profile->ssl_trusted_certificate_db = CHECKED_STRDUP(tls_context->config.ssl_trusted_certificate_db); + profile->ciphers = CHECKED_STRDUP(tls_context->config.ciphers); + profile->protocols = CHECKED_STRDUP(tls_context->config.protocols); + profile->password = CHECKED_STRDUP(tls_context->config.password); + profile->uid_format = CHECKED_STRDUP(tls_context->config.uid_format); + profile->certificate_file = CHECKED_STRDUP(tls_context->config.certificate_file); + profile->private_key_file = CHECKED_STRDUP(tls_context->config.private_key_file); + profile->uid_name_mapping_file = CHECKED_STRDUP(tls_context->config.uid_name_mapping_file); + profile->trusted_certificate_db = CHECKED_STRDUP(tls_context->config.trusted_certificate_db); return profile; } 
@@ -552,13 +552,13 @@ qd_ssl2_profile_t *qd_tls2_read_ssl_profile(const char *ssl_profile_name, qd_ssl void qd_tls2_cleanup_ssl_profile(qd_ssl2_profile_t *profile) { if (profile) { - free(profile->ssl_ciphers); - free(profile->ssl_protocols); - free(profile->ssl_trusted_certificate_db); - free(profile->ssl_certificate_file); - free(profile->ssl_private_key_file); - free(profile->ssl_password); - free(profile->ssl_uid_format); + free(profile->ciphers); + free(profile->protocols); + free(profile->trusted_certificate_db); + free(profile->certificate_file); + free(profile->private_key_file); + free(profile->password); + free(profile->uid_format); free(profile->uid_name_mapping_file); ZERO(profile); } 
@@ -572,54 +572,54 @@ static qd_error_t _read_tls_config(qd_entity_t *entity, qd_ssl2_profile_t *confi { ZERO(config); - config->ssl_ciphers = qd_entity_opt_string(entity, "ciphers", 0); + config->ciphers = qd_entity_opt_string(entity, "ciphers", 0); if (qd_error_code()) goto error; - config->ssl_protocols = qd_entity_opt_string(entity, "protocols", 0); + config->protocols = qd_entity_opt_string(entity, "protocols", 0); if (qd_error_code()) goto error; - config->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "caCertFile", 0); + config->trusted_certificate_db = qd_entity_opt_string(entity, "caCertFile", 0); if (qd_error_code()) goto error; - config->ssl_certificate_file = qd_entity_opt_string(entity, "certFile", 0); + config->certificate_file = qd_entity_opt_string(entity, "certFile", 0); if (qd_error_code()) goto error; - config->ssl_private_key_file = qd_entity_opt_string(entity, "privateKeyFile", 0); + config->private_key_file = qd_entity_opt_string(entity, "privateKeyFile", 0); if (qd_error_code()) goto error; - config->ssl_password = qd_entity_opt_string(entity, "password", 0); + config->password = qd_entity_opt_string(entity, "password", 0); if (qd_error_code()) goto error; - config->ssl_uid_format = qd_entity_opt_string(entity, "uidFormat", 0); + config->uid_format = qd_entity_opt_string(entity, "uidFormat", 0); if (qd_error_code()) goto error; config->uid_name_mapping_file = qd_entity_opt_string(entity, "uidNameMappingFile", 0); if (qd_error_code()) goto error; - if (config->ssl_uid_format) { - if (!tls_private_validate_uid_format(config->ssl_uid_format)) { + if (config->uid_format) { + if (!tls_private_validate_uid_format(config->uid_format)) { char *name = qd_entity_opt_string(entity, "name", "UNKNOWN"); // backward compatibility: this isn't treated as a hard error - the fallback behavior is to use the user // name from the transport. 
I have no idea why that is the case but changing it to a hard error results in // CI test failures so for now I go along to get along: qd_log(LOG_AGENT, QD_LOG_ERROR, "Invalid format for uidFormat field in sslProfile '%s': %s", - name, config->ssl_uid_format); + name, config->uid_format); free(name); - free(config->ssl_uid_format); - config->ssl_uid_format = 0; + free(config->uid_format); + config->uid_format = 0; } } - if (config->ssl_password) { + if (config->password) { // // Process the password to handle any modifications or lookups needed // char *actual_pass = 0; bool is_file_path = 0; - qd_server_config_process_password(&actual_pass, config->ssl_password, &is_file_path, true); + qd_server_config_process_password(&actual_pass, config->password, &is_file_path, true); if (qd_error_code()) goto error; if (actual_pass) { if (is_file_path) { - qd_set_password_from_file(actual_pass, &config->ssl_password); + qd_set_password_from_file(actual_pass, &config->password); free(actual_pass); } else { - free(config->ssl_password); - config->ssl_password = actual_pass; + free(config->password); + config->password = actual_pass; } } } @@ -636,13 +636,13 @@ static qd_error_t _read_tls_config(qd_entity_t *entity, qd_ssl2_profile_t *confi */ static void _cleanup_tls_config(qd_ssl2_profile_t *config) { - free(config->ssl_ciphers); - free(config->ssl_protocols); - free(config->ssl_trusted_certificate_db); - free(config->ssl_certificate_file); - free(config->ssl_private_key_file); - free(config->ssl_password); - free(config->ssl_uid_format); + free(config->ciphers); + free(config->protocols); + free(config->trusted_certificate_db); + free(config->certificate_file); + free(config->private_key_file); + free(config->password); + free(config->uid_format); free(config->uid_name_mapping_file); ZERO(config); } 
@@ -754,23 +754,23 @@ static qd_error_t _validate_config(const qd_ssl2_profile_t *config, const char * { if (is_listener) { // self identifying certificate is required for a listener: - if (!config->ssl_certificate_file) { + if (!config->certificate_file) { qd_error(QD_ERROR_CONFIG, "Listener requires a self-identifying certificate (sslProfile: %s)", ssl_profile_name); return QD_ERROR_CONFIG; } if (authenticate_peer) { - if (!config->ssl_trusted_certificate_db) { + if (!config->trusted_certificate_db) { qd_error(QD_ERROR_CONFIG, "Listener requires a CA for peer authentication (sslProfile: %s)", ssl_profile_name); return QD_ERROR_CONFIG; } } - } else if (!config->ssl_trusted_certificate_db) { + } else if (!config->trusted_certificate_db) { // CA must be provided for a connector: qd_error(QD_ERROR_CONFIG, "Connector requires a CA certificate (sslProfile: %s)", ssl_profile_name); return QD_ERROR_CONFIG; } - if (config->ssl_certificate_file && !config->ssl_private_key_file) { + if (config->certificate_file && !config->private_key_file) { // missing private key file qd_error(QD_ERROR_CONFIG, "Missing Private Keyfile (sslProfile: %s)", ssl_profile_name); return QD_ERROR_CONFIG; diff --git a/src/tls/tls_amqp.c b/src/tls/tls_amqp.c index 623c65f48..7c86d80d9 100644 --- a/src/tls/tls_amqp.c +++ b/src/tls/tls_amqp.c @@ -241,7 +241,7 @@ char *qd_tls_session_get_user_id(qd_tls2_session_t *session) /** - * Allocate a Proton AMQP SSL domain. + * Allocate a Proton AMQP TLS domain. * * @param ssl_profile_name name of the sslProfile configuration record to use * @param config the sslProfile configuration values 
@@ -260,7 +260,7 @@ pn_ssl_domain_t *tls_private_allocate_amqp_domain(const char *ssl_profile_name, do { domain = pn_ssl_domain(is_listener ? PN_SSL_MODE_SERVER : PN_SSL_MODE_CLIENT); if (!domain) { - qd_error(QD_ERROR_CONFIG, "Failed to create SSL domain from sslProfile '%s' (SSL not available)", + qd_error(QD_ERROR_CONFIG, "Failed to create TLS domain from sslProfile '%s' (TLS not available)", ssl_profile_name); break; } @@ -268,10 +268,10 @@ pn_ssl_domain_t *tls_private_allocate_amqp_domain(const char *ssl_profile_name, // // Configure the CA certificate for verifying the peer: // - if (config->ssl_trusted_certificate_db) { - if (pn_ssl_domain_set_trusted_ca_db(domain, config->ssl_trusted_certificate_db)) { - qd_error(QD_ERROR_CONFIG, "Failed to configure SSL caCertFile '%s' from sslProfile '%s'", - config->ssl_trusted_certificate_db, ssl_profile_name); + if (config->trusted_certificate_db) { + if (pn_ssl_domain_set_trusted_ca_db(domain, config->trusted_certificate_db)) { + qd_error(QD_ERROR_CONFIG, "Failed to configure TLS caCertFile '%s' from sslProfile '%s'", + config->trusted_certificate_db, ssl_profile_name); break; } } @@ -280,13 +280,13 @@ pn_ssl_domain_t *tls_private_allocate_amqp_domain(const char *ssl_profile_name, // Configure my self-identifying cert: // - if (config->ssl_certificate_file) { + if (config->certificate_file) { if (pn_ssl_domain_set_credentials(domain, - config->ssl_certificate_file, - config->ssl_private_key_file, - config->ssl_password)) { - qd_error(QD_ERROR_CONFIG, "Failed to configure SSL certFile '%s' from sslProfile '%s'", - config->ssl_certificate_file, ssl_profile_name); + config->certificate_file, + config->private_key_file, + config->password)) { + qd_error(QD_ERROR_CONFIG, "Failed to configure TLS certFile '%s' from sslProfile '%s'", + config->certificate_file, ssl_profile_name); break; } } 
@@ -300,44 +300,44 @@ pn_ssl_domain_t *tls_private_allocate_amqp_domain(const char *ssl_profile_name, // do we force the peer to send a cert? if (authenticate_peer) { assert(config->ssl_trusted_certificate_db); - rc = pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER, config->ssl_trusted_certificate_db); + rc = pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER, config->trusted_certificate_db); } else { rc = pn_ssl_domain_set_peer_authentication(domain, PN_SSL_ANONYMOUS_PEER, 0); } if (rc) { - qd_error(QD_ERROR_CONFIG, "Failed to configure SSL peer authentication for sslProfile '%s'", ssl_profile_name); + qd_error(QD_ERROR_CONFIG, "Failed to configure TLS peer authentication for sslProfile '%s'", ssl_profile_name); break; } } else { // Connector if (verify_hostname) { rc = pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER_NAME, - config->ssl_trusted_certificate_db); + config->trusted_certificate_db); } else { // verify cert but ignore hostname rc = pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER, - config->ssl_trusted_certificate_db); + config->trusted_certificate_db); } if (rc) { - qd_error(QD_ERROR_CONFIG, "Failed to configure SSL peer hostname verification for sslProfile '%s'", ssl_profile_name); + qd_error(QD_ERROR_CONFIG, "Failed to configure TLS peer hostname verification for sslProfile '%s'", ssl_profile_name); break; } } - if (config->ssl_protocols) { - if (pn_ssl_domain_set_protocols(domain, config->ssl_protocols)) { + if (config->protocols) { + if (pn_ssl_domain_set_protocols(domain, config->protocols)) { qd_error(QD_ERROR_CONFIG, - "Failed to configure SSL Protocols '%s' for sslProfile '%s')", - config->ssl_protocols, ssl_profile_name); + "Failed to configure TLS Protocols '%s' for sslProfile '%s')", + config->protocols, ssl_profile_name); break; } } - if (config->ssl_ciphers) { - if (pn_ssl_domain_set_ciphers(domain, config->ssl_ciphers)) { + if (config->ciphers) { + if 
(pn_ssl_domain_set_ciphers(domain, config->ciphers)) { qd_error(QD_ERROR_CONFIG, - "Failed to configure SSL Ciphers '%s' for sslProfile '%s'. Use openssl ciphers -v to validate", - config->ssl_ciphers, ssl_profile_name); + "Failed to configure TLS Ciphers '%s' for sslProfile '%s'. Use openssl ciphers -v to validate", + config->ciphers, ssl_profile_name); break; } } diff --git a/src/tls/tls_raw.c b/src/tls/tls_raw.c index 350eb4788..7b352f3c5 100644 --- a/src/tls/tls_raw.c +++ b/src/tls/tls_raw.c @@ -47,11 +47,11 @@ pn_tls_config_t *tls_private_allocate_raw_domain(const char *ssl_profile_name, c break; } - if (config->ssl_trusted_certificate_db) { - res = pn_tls_config_set_trusted_certs(domain, config->ssl_trusted_certificate_db); + if (config->trusted_certificate_db) { + res = pn_tls_config_set_trusted_certs(domain, config->trusted_certificate_db); if (res != 0) { qd_error(QD_ERROR_CONFIG, "Failed to configure TLS caCertFile %s for sslProfile '%s': (%d)", - config->ssl_trusted_certificate_db, ssl_profile_name, res); + config->trusted_certificate_db, ssl_profile_name, res); break; } } @@ -60,15 +60,15 @@ pn_tls_config_t *tls_private_allocate_raw_domain(const char *ssl_profile_name, c // Configure my self-identifying cert: // - if (config->ssl_certificate_file) { + if (config->certificate_file) { res = pn_tls_config_set_credentials(domain, - config->ssl_certificate_file, - config->ssl_private_key_file, - config->ssl_password); + config->certificate_file, + config->private_key_file, + config->password); if (res != 0) { qd_error(QD_ERROR_CONFIG, "Failed to set TLS certFile '%s' for sslProfile '%s': (%d)", - config->ssl_certificate_file, ssl_profile_name, res); + config->certificate_file, ssl_profile_name, res); break; } } 
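Review bot: The unchanged context line `assert(config->ssl_trusted_certificate_db);` in the `authenticate_peer` branch of `tls_private_allocate_amqp_domain` still names the field this patch removes from `qd_ssl2_profile_t`, so a build with assertions enabled should fail to compile while an NDEBUG build silently drops the check. It should become `assert(config->trusted_certificate_db);`. Since the assert guards the CA path handed to `PN_SSL_VERIFY_PEER`, losing it in debug builds would also hide a misconfiguration that `_validate_config` is presumably expected to reject earlier. The function starts before this hunk.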
@@ -76,7 +76,7 @@ pn_tls_config_t *tls_private_allocate_raw_domain(const char *ssl_profile_name, c if (is_listener) { if (authenticate_peer) { assert(config->ssl_trusted_certificate_db); - res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER, config->ssl_trusted_certificate_db); + res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER, config->trusted_certificate_db); } else { res = pn_tls_config_set_peer_authentication(domain, PN_TLS_ANONYMOUS_PEER, 0); } @@ -86,24 +86,24 @@ pn_tls_config_t *tls_private_allocate_raw_domain(const char *ssl_profile_name, c } } else { // Connector if (verify_hostname) { - res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER_NAME, config->ssl_trusted_certificate_db); + res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER_NAME, config->trusted_certificate_db); } else { - res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER, config->ssl_trusted_certificate_db); + res = pn_tls_config_set_peer_authentication(domain, PN_TLS_VERIFY_PEER, config->trusted_certificate_db); } if (res != 0) { - qd_error(QD_ERROR_CONFIG, "Failed to configure SSL peer host name verification for sslProfile '%s'", ssl_profile_name); + qd_error(QD_ERROR_CONFIG, "Failed to configure TLS peer host name verification for sslProfile '%s'", ssl_profile_name); break; } } // Note: Proton Raw TLS does not support setting the protocol version! - if (!!config->ssl_ciphers) { - res = pn_tls_config_set_impl_ciphers(domain, config->ssl_ciphers); + if (!!config->ciphers) { + res = pn_tls_config_set_impl_ciphers(domain, config->ciphers); if (res != 0) { qd_error(QD_ERROR_CONFIG, - "Failed to configure SSL Ciphers '%s' for sslProfile '%s'. Use openssl ciphers -v to validate", - config->ssl_ciphers, ssl_profile_name); + "Failed to configure TLS Ciphers '%s' for sslProfile '%s'. Use openssl ciphers -v to validate", + config->ciphers, ssl_profile_name); break; } } 
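Review bot: The unchanged line `assert(config->ssl_trusted_certificate_db);` in the listener branch of `tls_private_allocate_raw_domain` references the old field name and no longer matches the renamed `qd_ssl2_profile_t`, so it compiles only when asserts are disabled. Change it to `assert(config->trusted_certificate_db);`. It would be worth grepping the tree for any other `ssl_` field uses hidden inside `assert()` or conditionally compiled blocks, since a release build would not surface them. The function starts before this hunk.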
diff --git a/tests/cpp/cpp_system/test_connection_manager_static.cpp b/tests/cpp/cpp_system/test_connection_manager_static.cpp index 71bfcc6fc..b48da21f6 100644 --- a/tests/cpp/cpp_system/test_connection_manager_static.cpp +++ b/tests/cpp/cpp_system/test_connection_manager_static.cpp @@ -60,7 +60,7 @@ static void check_password(qd_dispatch_t *qd, const char *password, const char * qd_ssl2_profile_t profile; REQUIRE(phandle != nullptr); CHECK(qd_tls2_read_ssl_profile("profileName", &profile) != nullptr); - CHECK(profile.ssl_password == std::string{expected}); + CHECK(profile.password == std::string{expected}); qd_tls2_cleanup_ssl_profile(&profile); qd_tls_delete_ssl_profile(qd, phandle); } else { diff --git a/tests/system_tests_one_router.py b/tests/system_tests_one_router.py index beae782a3..0dec00925 100644 --- a/tests/system_tests_one_router.py +++ b/tests/system_tests_one_router.py @@ -741,7 +741,7 @@ def test_48_router_in_error(self): for index in [28, 29, 31, 32]: self.routers[index].wait_log_message(err, timeout=1.0) - err = "Failed to configure SSL Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'" + err = "Failed to configure TLS Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'" self.routers[33].wait_log_message(err, timeout=1.0) err = "sslProfile BadCipherProfile: failed to configure ciphers Blah-Blah-Blabbity-Blab" 
@@ -751,16 +751,16 @@ def test_48_router_in_error(self): err = f"Failed to set TLS certFile '{SERVER_CERTIFICATE}' for sslProfile 'BadProfile'" self.routers[36].wait_log_message(err, timeout=1.0) - err = "Failed to configure SSL caCertFile '/does/not/exist.pem' from sslProfile 'BrokenProfile'" + err = "Failed to configure TLS caCertFile '/does/not/exist.pem' from sslProfile 'BrokenProfile'" self.routers[37].wait_log_message(err, timeout=1.0) - err = "Failed to configure SSL certFile '/does/not/exist.pem' from sslProfile 'BrokenProfile'" + err = "Failed to configure TLS certFile '/does/not/exist.pem' from sslProfile 'BrokenProfile'" self.routers[38].wait_log_message(err, timeout=1.0) - err = f"Failed to configure SSL certFile '{CLIENT_CERTIFICATE}' from sslProfile 'BrokenProfile'" + err = f"Failed to configure TLS certFile '{CLIENT_CERTIFICATE}' from sslProfile 'BrokenProfile'" self.routers[39].wait_log_message(err, timeout=1.0) - err = "Failed to configure SSL Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'" + err = "Failed to configure TLS Ciphers 'Blah-Blah-Blabbity-Blab' for sslProfile 'BadCipherProfile'" self.routers[40].wait_log_message(err, timeout=1.0) diff --git a/tests/system_tests_ssl.py b/tests/system_tests_ssl.py index bb91e156f..e1ebb4baa 100644 --- a/tests/system_tests_ssl.py +++ b/tests/system_tests_ssl.py 
@@ -705,9 +705,9 @@ def test_invalid_cert_paths(self): self.skipTest("Cyrus library not available. skipping test") self.routers[0].wait_log_message(r"\(critical\) Router start-up failed:") - self.routers[0].wait_log_message("Failed to configure SSL certFile") + self.routers[0].wait_log_message("Failed to configure TLS certFile") self.routers[1].wait_log_message(r"\(critical\) Router start-up failed:") - self.routers[1].wait_log_message("Failed to configure SSL caCertFile") + self.routers[1].wait_log_message("Failed to configure TLS caCertFile") # race fix: on slow CI systems the test will exit before the routers # have cleanly shutdown - this will cause the test to fail. Manually