PROTON-719 : prevent ssl3 connections in Windows with schannel git-svn-id: https://svn.apache.org/repos/asf/qpid/proton/trunk@1632702 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/7e8b6b6c
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/7e8b6b6c
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/7e8b6b6c
Branch: refs/heads/examples
Commit: 7e8b6b6c4cd422771fd3094c718745c094f5a735
Parents: ad5e094
Author: Clifford Jansen <[email protected]>
Authored: Sat Oct 18 00:16:01 2014 +0000
Committer: Clifford Jansen <[email protected]>
Committed: Sat Oct 18 00:16:01 2014 +0000
----------------------------------------------------------------------
 proton-c/src/windows/schannel.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/7e8b6b6c/proton-c/src/windows/schannel.c
----------------------------------------------------------------------
diff --git a/proton-c/src/windows/schannel.c b/proton-c/src/windows/schannel.c
index 385267f..373dc51 100644
--- a/proton-c/src/windows/schannel.c
+++ b/proton-c/src/windows/schannel.c
@@ -209,7 +209,7 @@ static size_t _pni_min(size_t a, size_t b)
 }
 
 // unrecoverable SSL failure occured, notify transport and generate error code.
-static int ssl_failed(pn_ssl_t *ssl, char *reason)
+static int ssl_failed(pn_ssl_t *ssl, const char *reason)
 {
   char buf[512] = "Unknown error.";
   if (!reason) {
@@ -521,6 +521,16 @@ int pn_ssl_get_peer_hostname( pn_ssl_t *ssl, char *hostname, size_t *bufsize )
 
 /** SChannel specific: */
 
+const char *tls_version_check(pn_ssl_t *ssl)
+{
+  SecPkgContext_ConnectionInfo info;
+  QueryContextAttributes(&ssl->ctxt_handle, SECPKG_ATTR_CONNECTION_INFO, &info);
+  // Ascending bit patterns denote newer SSL/TLS protocol versions.
+  // SP_PROT_TLS1_0_SERVER is not defined until VS2010.
+  return (info.dwProtocol < SP_PROT_TLS1_SERVER) ?
+    "peer does not support TLS 1.0 security" : NULL;
+}
+
 static void ssl_encrypt(pn_ssl_t *ssl, char *app_data, size_t count)
 {
   // Get SChannel to encrypt exactly one Record.
@@ -732,6 +742,10 @@ static void client_handshake( pn_ssl_t* ssl) {
         ssl_failed(ssl, "unexpected final server token");
         break;
       }
+      if (const char *err = tls_version_check(ssl)) {
+        ssl_failed(ssl, err);
+        break;
+      }
       if (token_buffs[1].BufferType == SECBUFFER_EXTRA && token_buffs[1].cbBuffer > 0) {
         // This seems to work but not documented, plus logic differs from decrypt message
         // since the pvBuffer value is not set. Grrr.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
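Review bot: The return status of QueryContextAttributes in tls_version_check is discarded, so when the query fails `info` is never written and `info.dwProtocol` is read uninitialized; the comparison then decides on garbage and a downgraded connection can slip through the check that this commit exists to add. Capture the status and fail closed, e.g. `SECURITY_STATUS status = QueryContextAttributes(&ssl->ctxt_handle, SECPKG_ATTR_CONNECTION_INFO, &info);` followed by `if (status != SEC_E_OK) return "unable to determine negotiated TLS protocol version";`, so that an unanswered query is reported through ssl_failed like a too-old protocol. The function also appears to be intended as file-local, since its only caller is the static client_handshake in the following hunk; declaring it `static const char *tls_version_check(pn_ssl_t *ssl)` would keep it out of the library's exported symbols. A one-line header comment stating the contract would help the next reader: `// Returns NULL if the negotiated protocol is TLS 1.0 or newer, else a reason string for ssl_failed().`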
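Review bot: The guard added to client_handshake declares a variable inside the `if` condition, `if (const char *err = tls_version_check(ssl))`, which is C++ syntax and not valid C; this presumably relies on the Windows build compiling schannel.c as C++, so if that assumption is wrong the file will not build with a C compiler. Splitting it into `const char *err = tls_version_check(ssl);` and `if (err) { ssl_failed(ssl, err); break; }` works in both languages and is consistent with the rest of the function. The check also runs only after the handshake has completed on the client side; if the SCHANNEL_CRED set up elsewhere in this file has a grbitEnabledProtocols mask, restricting it there would stop SSL 3.0 from being negotiated at all rather than rejecting it afterwards, and if there is a corresponding server-side handshake completion point it would need the same post-handshake check. The enclosing client_handshake function starts and ends outside the hunk.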
