Repository: qpid-proton Updated Branches: refs/heads/master 28f2d1c01 -> 7c9e5673f
PROTON-950: Add a flag to the messenger API to allow PLAIN over an unencrypted connection Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/a1888591 Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/a1888591 Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/a1888591 Branch: refs/heads/master Commit: a1888591789d3db2ebd6016d7e7d112902e07598 Parents: 28f2d1c Author: Andrew Stitcher <astitc...@apache.org> Authored: Tue Jul 28 16:33:54 2015 -0400 Committer: Andrew Stitcher <astitc...@apache.org> Committed: Tue Aug 4 10:53:57 2015 -0400 ---------------------------------------------------------------------- proton-c/include/proton/messenger.h | 26 ++++++++++++++++++++++++++ proton-c/src/messenger/messenger.c | 16 ++++++++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/a1888591/proton-c/include/proton/messenger.h ----------------------------------------------------------------------
diff --git a/proton-c/include/proton/messenger.h b/proton-c/include/proton/messenger.h
index 6ef684f..87cb35c 100644
--- a/proton-c/include/proton/messenger.h
+++ b/proton-c/include/proton/messenger.h
@@ -132,6 +132,27 @@ extern "C" {
 * ::pn_messenger_recv() will do whatever they can without blocking,
 * and then return. You can then look at the number of incoming and
 * outgoing messages to see how much outstanding work still remains.
+ *
+ * Authentication Mechanims
+ * ========================
+ *
+ * The messenger API authenticates using some specific mechanisms. In prior versions
+ * of Proton the only authentication mechanism available was the PLAIN mechanism
+ * which transports the user's password over the network unencrypted. The Proton versions
+ * 0.10 and newer support other more secure mechanisms which avoid sending the users's
+ * password over the network unencrypted. For backwards compatibility the 0.10 version
+ * of the messenger API will also allow the use of the unencrypted PLAIN mechanism. From the
+ * 0.11 version and onwards you will need to set the flag PN_FLAGS_ALLOW_INSECURE_MECHS to
+ * carry on using the unencrypted PLAIN mechanism.
+ *
+ * The code for this looks like:
+ *
+ * ...
+ * pn_messenger_set_flags(messenger, PN_FLAGS_ALLOW_INSECURE_MECHS);
+ * ...
+ *
+ * Note that the use of the PLAIN mechanism over an SSL connection is allowed as the
+ * password is not sent unencrypted.
 */
 typedef struct pn_messenger_t pn_messenger_t;
@@ -960,6 +981,11 @@ PN_EXTERN pn_timestamp_t pn_messenger_deadline(pn_messenger_t *messenger);
 to pn_messenger_start should check that \
 any defined routes are valid */
+#define PN_FLAGS_ALLOW_INSECURE_MECHS \
+ (0x2) /** Messenger flag to indicate that the PLAIN \
+ mechanism is allowed on an unencrypted \
+ connection */
+
 /** Sets control flags to enable additional function for the Messenger.
 *
 * @param[in] messenger the messenger
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/a1888591/proton-c/src/messenger/messenger.c ----------------------------------------------------------------------
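Review bot: The closing note of the new "Authentication Mechanims" section (first messenger.h hunk) says PLAIN over SSL is allowed because the password is not sent unencrypted, but that protection only holds against an active man-in-the-middle when the peer's certificate is actually verified; the comment should say so, e.g. `* Note that PLAIN over SSL only protects the password if the peer's certificate is verified.` The example passes `PN_FLAGS_ALLOW_INSECURE_MECHS` on its own to `pn_messenger_set_flags()`; if that call replaces the whole flag word (its body is not in this diff), the example should show the flag OR-ed with the flags already in use. Two typos while here: "Mechanims" should be "Mechanisms" and "users's" should be "user's".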
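Review bot: In the second messenger.h hunk (-960) the comment on `PN_FLAGS_ALLOW_INSECURE_MECHS` describes the flag as covering only PLAIN, while the name and the `pn_sasl_set_allow_insecure_mechs()` call it drives in messenger.c speak of insecure mechanisms in general. If the SASL layer classes any other mechanism as insecure, this flag enables that one too, so the comment should state the real scope rather than a single mechanism. It should also say that a new messenger starts with the flag already set in this release (the `m->flags` change in messenger.c), since a reader of the header alone would assume the flag is opt-in.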
diff --git a/proton-c/src/messenger/messenger.c b/proton-c/src/messenger/messenger.c
index 8e63208..a1418ed 100644
--- a/proton-c/src/messenger/messenger.c
+++ b/proton-c/src/messenger/messenger.c
@@ -334,7 +334,10 @@ static void pni_listener_readable(pn_selectable_t *sel)
 pn_transport_t *t = pn_transport();
 pn_transport_set_server(t);
-
+ if (ctx->messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) {
+ pn_sasl_t *s = pn_sasl(t);
+ pn_sasl_set_allow_insecure_mechs(s, true);
+ }
 pn_ssl_t *ssl = pn_ssl(t);
 pn_ssl_init(ssl, ctx->domain, NULL);
@@ -661,7 +664,7 @@ pn_messenger_t *pn_messenger(const char *name)
 m->rewritten = pn_string(NULL);
 m->domain = pn_string(NULL);
 m->connection_error = 0;
- m->flags = 0;
+ m->flags = PN_FLAGS_ALLOW_INSECURE_MECHS; // TODO: Change this back to 0 for the Proton 0.11 release
 m->snd_settle_mode = PN_SND_SETTLED;
 m->rcv_settle_mode = PN_RCV_FIRST;
 m->tracer = NULL;
@@ -1140,6 +1143,11 @@ void pn_messenger_process_connection(pn_messenger_t *messenger, pn_event_t *even
 pn_transport_unbind(pn_connection_transport(conn));
 pn_connection_reset(conn);
 pn_transport_t *t = pn_transport();
+ if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS &&
+ messenger->address.user && messenger->address.pass) {
+ pn_sasl_t *s = pn_sasl(t);
+ pn_sasl_set_allow_insecure_mechs(s, true);
+ }
 pn_transport_bind(t, conn);
 pn_decref(t);
 pn_transport_config(messenger, conn);
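Review bot: The block that enables insecure mechanisms is pasted into three functions with slightly different conditions: pni_listener_readable (hunk -334) tests only the flag, while pn_messenger_process_connection (-1140) and pn_messenger_resolve (-1671) also require a user and a password. A security policy spread over three call sites is easy to get out of step when the default flips for 0.11, so I would put the decision in one static helper and call it from all three. The listener's body starts and ends outside the hunk, so the sketch shows only the helper and the first call site.

```c
/* Single place that decides whether a new transport may use cleartext
 * SASL mechanisms; the listener passes true for have_credentials. */
static void pni_allow_insecure_mechs(pn_messenger_t *messenger,
                                     pn_transport_t *transport,
                                     bool have_credentials)
{
  if ((messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) && have_credentials) {
    pn_sasl_set_allow_insecure_mechs(pn_sasl(transport), true);
  }
}

/* in pni_listener_readable, replacing the added if-block */
pn_transport_set_server(t);
pni_allow_insecure_mechs(ctx->messenger, t, true);
/* … unchanged: pn_ssl() / pn_ssl_init() … */
```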
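Review bot: The `pn_messenger()` hunk (-661) makes every new messenger permit PLAIN over a cleartext connection by default, and the only thing tracking the revert is a trailing `// TODO`. An insecure default guarded by a one-line comment tends to outlive the release it was meant for, so I would make the intent explicit with `/* SECURITY: cleartext PLAIN stays enabled by default for 0.10 compatibility only; set to 0 for 0.11 (PROTON-950) */` and log a warning whenever a cleartext connection is set up with the flag still on. If `pn_messenger_set_flags()` overwrites rather than ORs (not visible in this diff), an application that already calls it with some other flag loses cleartext PLAIN after this commit while one that never calls it keeps it; that difference deserves a line in the release notes.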
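Review bot: In the pn_messenger_process_connection hunk (-1140) the decision is taken from `messenger->address.user` and `messenger->address.pass`, whereas pn_messenger_resolve (-1671) uses the `user` and `pass` it has just handed to `pn_messenger_connection()`. If `messenger->address` is scratch state holding the most recently parsed address (it looks that way, but its definition is outside this diff), a reconnect here can be judged on another route's credentials, so the credentials stored with the connection would be the safer source. In both hunks I would also parenthesise the mask test, `if ((messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS) && ...`, so the `&`/`&&` mix does not rely on operator precedence. The function body starts and ends outside the hunk.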
@@ -1671,6 +1679,10 @@ pn_connection_t *pn_messenger_resolve(pn_messenger_t *messenger, const char *add
 pn_connection_t *connection = pn_messenger_connection(messenger, sock, scheme, user, pass, host, port, NULL);
 pn_transport_t *transport = pn_transport();
+ if (messenger->flags & PN_FLAGS_ALLOW_INSECURE_MECHS && user && pass) {
+ pn_sasl_t *s = pn_sasl(transport);
+ pn_sasl_set_allow_insecure_mechs(s, true);
+ }
 pn_transport_bind(transport, connection);
 pn_decref(transport);
 pn_connection_ctx_t *ctx = (pn_connection_ctx_t *) pn_connection_get_context(connection);
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org