forked from skupperproject/skupper-router
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Issue skupperproject#1572: make sslProfile configuration updatable (p…
…art 1: raw conn only) This does not solve skupperproject#1572. It is part of a series of changes that will address skupperproject#1572.
- Loading branch information
Showing
29 changed files
with
1,744 additions
and
301 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| #ifndef __tls_h__ | ||
| #define __tls_h__ 1 | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| /**@file | ||
| * Management of TLS configuration and state | ||
| */ | ||
|
|
||
|
|
||
| #include "qpid/dispatch/log.h" | ||
|
|
||
| #include <stdbool.h> | ||
| #include <stddef.h> | ||
| #include <stdint.h> | ||
|
|
||
|
|
||
| typedef struct qd_tls2_domain_t qd_tls2_domain_t; // SSL configuration domain | ||
| typedef struct qd_tls2_session_t qd_tls2_session_t; // per connection SSL state | ||
| typedef struct qd_ssl2_profile_t qd_ssl2_profile_t; // sslProfile configuration record | ||
|
|
||
| // Proton has two different SSL/TLS implementations: one for AMQP and a buffer-based one for use with Raw Connections: | ||
| typedef enum { | ||
| QD_TLS_TYPE_NONE = 0, // unset | ||
| QD_TLS_TYPE_PROTON_AMQP, // for use with AMQP transport | ||
| QD_TLS_TYPE_PROTON_RAW, // use raw connection/qd_buffer_t interface | ||
| } qd_tls_type_t; | ||
|
|
||
| typedef enum { | ||
| QD_TLS_DOMAIN_MODE_NONE = 0, // unset | ||
| QD_TLS_DOMAIN_SERVER_MODE, // Operate as an SSL server (i.e. listener socket) | ||
| QD_TLS_DOMAIN_CLIENT_MODE, // Operate as an SSL client (i.e. outgoing connections) | ||
| } qd_tls_domain_mode_t; | ||
|
|
||
| // sslProfile configuration record | ||
| struct qd_ssl2_profile_t { | ||
| char *ssl_ciphers; | ||
| char *ssl_protocols; | ||
| char *ssl_trusted_certificate_db; | ||
| char *ssl_certificate_file; | ||
| char *ssl_private_key_file; | ||
| char *ssl_password; | ||
| char *ssl_uid_format; | ||
| char *uid_name_mapping_file; | ||
| }; | ||
|
|
||
| void qd_tls2_initialize(void); | ||
| void qd_tls2_finalize(void); | ||
|
|
||
| qd_tls2_domain_t *qd_tls2_new_domain(const char *name, | ||
| const char *ssl_profile_name, | ||
| qd_tls_type_t p_type, | ||
| qd_tls_domain_mode_t mode, | ||
| bool verify_hostname, // for client mode | ||
| bool authenticate_peer, // for server mode | ||
| const char **alpn_protocols, // for server mode | ||
| size_t alpn_protocol_count, | ||
| qd_log_module_t log_module); | ||
| void qd_tls2_domain_decref(qd_tls2_domain_t *domain); | ||
|
|
||
| typedef void qd_tls2_session_on_secure_cb_t(qd_tls2_session_t *session, void *context); | ||
| qd_tls2_session_t *qd_tls2_domain_new_session(qd_tls2_domain_t *domain, | ||
| uint64_t conn_id, | ||
| const char *peer_hostname, | ||
| // override default ALPN config for this session | ||
| const char **alpn_protocols, size_t alpn_protocol_count, | ||
| void *context, qd_tls2_session_on_secure_cb_t *on_secure); | ||
|
|
||
| void qd_tls2_session_free(qd_tls2_session_t *session); | ||
|
|
||
|
|
||
| // Get the negotiated ALPN value from the session. Returned string buffer must be free()d by caller. Return 0 if no ALPN | ||
| // (yet) negotiated. | ||
| char *qd_tls2_session_get_alpn_protocol(const qd_tls2_session_t *session); | ||
|
|
||
| // Get the version of TLS/SSL in use by the session. Returned string buffer must be free()d by caller. Return 0 if | ||
| // version not known. | ||
| char *qd_tls2_session_get_protocol_version(const qd_tls2_session_t *session); | ||
|
|
||
| // Get the cipher string for the ciphers in use by the session. Returned string buffer must be free()d by caller. Return | ||
| // 0 if ciphers not known. | ||
| char *qd_tls2_session_get_protocol_ciphers(const qd_tls2_session_t *session); | ||
|
|
||
| // Fill out the given *profile with the configuration from the named sslProfile record. Return a pointer to the profile | ||
| // parameter on success else 0. Use qd_tls2_cleanup_ssl_profile() release resources in use by *profile when done. | ||
| qd_ssl2_profile_t *qd_tls2_read_ssl_profile(const char *ssl_profile_name, qd_ssl2_profile_t *profile); | ||
|
|
||
| // Release any resources allocated by qd_tls2_get_ssl_profile() and reset the *profile. Note this only releases | ||
| // internal resources associated with the profile, the memory pointed to by *profile is not modified. | ||
| void qd_tls2_cleanup_ssl_profile(qd_ssl2_profile_t *profile); | ||
|
|
||
| #endif | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| #ifndef __tls_raw_io_h__ | ||
| #define __tls_raw_io_h__ 1 | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one | ||
| * or more contributor license agreements. See the NOTICE file | ||
| * distributed with this work for additional information | ||
| * regarding copyright ownership. The ASF licenses this file | ||
| * to you under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance | ||
| * with the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| #include "qpid/dispatch/tls.h" | ||
| #include "qpid/dispatch/buffer.h" | ||
|
|
||
| typedef struct pn_raw_connection_t pn_raw_connection_t; | ||
|
|
||
| /** | ||
| * API for TLS encryption/decryption using raw connections and qd_buffer_t data. | ||
| * See tls_manager.h for qd_tls_session_t management. | ||
| * | ||
| * Note well: these APIs are intended to work for qd_tls_session_t of type QD_SSL_PROTON_RAW ONLY! AMQP-based TLS | ||
| * encryption/decryption is done internally by Proton - these APIs are not necessary for AMQP TLS and should not be used | ||
| * by AMQP connections! | ||
| */ | ||
|
|
||
|
|
||
| /** | ||
| * Fetch output (cleartext) buffers from the application for encryption and transmission. | ||
| * | ||
| * This callback is supplied by the application when calling the qd_tls2_session_do_io() work loop. The work loop will | ||
| * call this callback to get output data buffers from the application. The work loop will encrypt these buffers via TLS | ||
| * and send them out the raw connection. | ||
| * | ||
| * @param context - application supplied context (see qd_tls2_session_do_io()) | ||
| * @param blist - buffer list for output buffers. The application should append output buffers to the end of the list in | ||
| * FIFO order of transmission. | ||
| * @param limit - limit the number of buffers that can be appended to the list during the call. The application may | ||
| * append up to limit buffers but not more. | ||
| * @return - the total number of octets worth of data appended to blist. Zero if there is no output available at the | ||
| * time of the call. QD_IO_EOS to force the work loop to close the output side of the stream. No buffers | ||
| * should be appended to blist when QD_IO_EOS is returned. Once QD_IO_EOS is returned no further output | ||
| * buffers will be taken/sent. | ||
| */ | ||
| #define QD_IO_EOS (-1) | ||
| typedef int64_t qd_tls2_take_output_buffers_cb_t(void *context, qd_buffer_list_t *blist, size_t limit); | ||
|
|
||
|
|
||
| /** | ||
| * TLS I/O work loop. | ||
| * | ||
| * This API will perform TLS data encryption and decryption between a raw connection and and application. Outgoing | ||
| * application cleartext data will be fetched from the application as needed via the take_output_cb() callback. The | ||
| * cleartext data will be encrypted and written to the raw connection (write buffers). On return any incoming decrypted | ||
| * (cleartext) data will be appended to the input_data list. Ownership of the input_data buffers is transferred to the | ||
| * caller: the application must release them when no longer needed. | ||
| * | ||
| * This function will close the raw_conn connection when TLS cleanly closes or if a TLS error occurs. | ||
| * | ||
| * @param session - the TLS session context | ||
| * @param raw_conn - the raw connection for reading/writing encrypted buffers. | ||
| * @param take_output_cb - invoked by the I/O loop to get outgoing cleartext application data | ||
| * @param take_output_context - passed back to take_output_cb() | ||
| * @param input_data - incoming decrypted data is appended to this list. | ||
| * @param input_data_count - (output) total number of cleartext octets added to input_data | ||
| * | ||
| * @return 0 if I/O in progress, QD_TLS_DONE if the TLS session has closed, or fatal error if < 0 | ||
| */ | ||
| #define QD_TLS_DONE 1 | ||
| int qd_tls2_session_do_io(qd_tls2_session_t *session, | ||
| pn_raw_connection_t *raw_conn, | ||
| qd_tls2_take_output_buffers_cb_t *take_output_cb, | ||
| void *take_output_context, | ||
| qd_buffer_list_t *input_data, | ||
| uint64_t *input_data_count); | ||
|
|
||
| /* True if the given session has failed | ||
| */ | ||
| bool qd_tls2_session_is_error(const qd_tls2_session_t *session); | ||
|
|
||
| /* True after the TLS handshake has completed successfully | ||
| */ | ||
| bool qd_tls2_session_is_secure(const qd_tls2_session_t *session); | ||
|
|
||
| /** | ||
| * True if all input (decrypt) data has been received and the receive side of the raw connection has closed. No further | ||
| * input data is available from this TLS session. | ||
| * | ||
| * Sets close_notify to true if a proper close_notify was received from the peer. A missing close_notify is allowed in | ||
| * HTTP/1.x if the received message has an explicit length and the framing is valid (see RFC9112, section TLS Connection | ||
| * Closure) | ||
| */ | ||
| bool qd_tls2_session_is_input_drained(const qd_tls2_session_t *session, bool *close_notify); | ||
|
|
||
| /** | ||
| * True if the output (encrypt) side of the TLS session is closed and all pending output has been written to the raw | ||
| * connection (including close_notify). | ||
| */ | ||
| bool qd_tls2_session_is_output_flushed(const qd_tls2_session_t *session); | ||
|
|
||
| /** | ||
| * Retrieve octet counters for encrypted I/O. It is expected that the application maintains counters for the cleartext data | ||
| * itself. | ||
| */ | ||
| uint64_t qd_tls2_session_encrypted_output_octet_count(const qd_tls2_session_t *session); // outbound to network | ||
| uint64_t qd_tls2_session_encrypted_input_octet_count(const qd_tls2_session_t *session); // inbound from network | ||
|
|
||
| #endif | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.