This is an automated email from the ASF dual-hosted git repository. gsim pushed a commit to branch 1.17.x in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
commit c949a770807773c3f05a61b792dd67070f360b0b
Author: Gordon Sim <g...@redhat.com>
AuthorDate: Mon Oct 25 13:20:08 2021 +0100

DISPATCH-2259: use hostname when setting connection hostname (Previously used host:port which is not a valid dns name)
---
 include/qpid/dispatch/server.h | 4 ++++
 src/connection_manager.c | 15 +++++++++------
 src/remote_sasl.c | 23 ++++++++++++++--------
 src/remote_sasl.h | 2 +-
 src/server.c | 2 +-
 5 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 7f71912..fd02570 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -182,6 +182,10 @@ typedef struct qd_server_config_t {
 */
 char *auth_service;
 /**
+ * Hostname to set on connection (used for SNI in TLS connections).
+ */
+ char *hostname;
+ /**
 * Hostname to set on sasl-init sent to authentication service.
 */
 char *sasl_init_hostname;
diff --git a/src/connection_manager.c b/src/connection_manager.c
index c77999b..905e335 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -54,6 +54,7 @@ struct qd_config_sasl_plugin_t {
 DEQ_LINKS(qd_config_sasl_plugin_t);
 char *name;
 char *auth_service;
+ char *hostname;
 char *sasl_init_hostname;
 char *auth_ssl_profile;
 };
@@ -184,6 +185,7 @@ void qd_server_config_free(qd_server_config_t *cf)
 if (cf->ssl_uid_name_mapping_file) free(cf->ssl_uid_name_mapping_file);
 if (cf->sasl_plugin_config.auth_service) free(cf->sasl_plugin_config.auth_service);
+ if (cf->sasl_plugin_config.hostname) free(cf->sasl_plugin_config.hostname);
 if (cf->sasl_plugin_config.sasl_init_hostname) free(cf->sasl_plugin_config.sasl_init_hostname);
 if (cf->sasl_plugin_config.ssl_certificate_file) free(cf->sasl_plugin_config.ssl_certificate_file);
 if (cf->sasl_plugin_config.ssl_private_key_file) free(cf->sasl_plugin_config.ssl_private_key_file);
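Review bot: The comment on the new `hostname` field in `qd_server_config_t` says what the value is used for but not where it comes from or who frees it, both of which the connection_manager.c hunks in this commit settle: `load_server_config` fills it with `SSTRDUP(sasl_plugin->hostname)`, i.e. the sasl plugin's `host` attribute without the port, and `qd_server_config_free` frees it. Suggest: `Hostname of the authentication service (the sasl plugin's 'host' attribute, without the port). Set on the downstream connection, where it is used for SNI in TLS connections. Owned by this struct; freed by qd_server_config_free().` The struct itself starts and ends outside the hunk.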
@@ -511,6 +513,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
 qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin);
 if (sasl_plugin) {
 config->sasl_plugin_config.auth_service = SSTRDUP(sasl_plugin->auth_service);
+ config->sasl_plugin_config.hostname = SSTRDUP(sasl_plugin->hostname);
 config->sasl_plugin_config.sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname);
 qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s",
 config->sasl_plugin_config.auth_service, config->sasl_plugin);
@@ -581,6 +584,7 @@ static bool config_sasl_plugin_free(qd_connection_manager_t *cm, qd_config_sasl_
 free(sasl_plugin->name);
 free(sasl_plugin->auth_service);
+ free(sasl_plugin->hostname);
 free(sasl_plugin->sasl_init_hostname);
 free(sasl_plugin->auth_ssl_profile);
 free(sasl_plugin);
@@ -658,24 +662,23 @@ qd_config_sasl_plugin_t *qd_dispatch_configure_sasl_plugin(qd_dispatch_t *qd, qd
 DEQ_INSERT_TAIL(cm->config_sasl_plugins, sasl_plugin);
 sasl_plugin->name = qd_entity_opt_string(entity, "name", 0); CHECK();
- char *auth_host = qd_entity_opt_string(entity, "host", 0);
+ sasl_plugin->hostname = qd_entity_opt_string(entity, "host", 0);
 char *auth_port = qd_entity_opt_string(entity, "port", 0);
- if (auth_host && auth_port) {
- int strlen_auth_host = strlen(auth_host);
+ if (sasl_plugin->hostname && auth_port) {
+ int strlen_auth_host = strlen(sasl_plugin->hostname);
 int strlen_auth_port = strlen(auth_port);
 if (strlen_auth_host > 0 && strlen_auth_port > 0) {
- int hplen = strlen(auth_host) + strlen(auth_port) + 2;
+ int hplen = strlen_auth_host + strlen_auth_port + 2;
 if (hplen > 2) {
 sasl_plugin->auth_service = malloc(hplen);
- snprintf(sasl_plugin->auth_service, hplen, "%s:%s", auth_host, auth_port);
+ snprintf(sasl_plugin->auth_service, hplen, "%s:%s", sasl_plugin->hostname, auth_port);
 }
 }
 }
- free(auth_host);
 free(auth_port);
 if (!sasl_plugin->auth_service) {
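Review bot: In the `qd_dispatch_configure_sasl_plugin` hunk the rewritten length handling still narrows `strlen()` into `int` (`int strlen_auth_host`, `int strlen_auth_port`, `int hplen`), the `if (hplen > 2)` test can no longer be false once both lengths have been checked `> 0`, and `malloc(hplen)` is handed to `snprintf` without a NULL check. A behavioural change that deserves a comment: `sasl_plugin->hostname` now stays on the struct whenever `host` is configured, even when `port` is missing or either value is empty, whereas `auth_host` used to be freed unconditionally; what that means for the `if (!sasl_plugin->auth_service)` branch depends on code past the hunk, and the function continues beyond it. The block below uses `size_t` throughout, drops the redundant test and only formats when the allocation succeeded.
```c
    sasl_plugin->hostname = qd_entity_opt_string(entity, "host", 0);
    char *auth_port = qd_entity_opt_string(entity, "port", 0);
    if (sasl_plugin->hostname && auth_port) {
        size_t strlen_auth_host = strlen(sasl_plugin->hostname);
        size_t strlen_auth_port = strlen(auth_port);
        if (strlen_auth_host > 0 && strlen_auth_port > 0) {
            size_t hplen = strlen_auth_host + strlen_auth_port + 2; /* host ':' port NUL */
            sasl_plugin->auth_service = malloc(hplen);
            if (sasl_plugin->auth_service) {
                snprintf(sasl_plugin->auth_service, hplen, "%s:%s", sasl_plugin->hostname, auth_port);
            }
        }
    }
    free(auth_port);
    /* … unchanged: if (!sasl_plugin->auth_service) … */
```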
diff --git a/src/remote_sasl.c b/src/remote_sasl.c
index 1ffd66f..db1fd9b 100644
--- a/src/remote_sasl.c
+++ b/src/remote_sasl.c
@@ -101,6 +101,7 @@ static void init_permissions(permissions_t* permissions)
 typedef struct {
 char* authentication_service_address;
+ char* hostname;
 char* sasl_init_hostname;
 pn_ssl_domain_t* ssl_domain;
 pn_proactor_t* proactor;
@@ -135,13 +136,16 @@ static void copy_bytes(const pn_bytes_t* from, qdr_owned_bytes_t* to)
 memcpy(to->start, from->start, from->size);
 }
-static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* sasl_init_hostname, pn_proactor_t* proactor)
+static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* hostname, const char* sasl_init_hostname, pn_proactor_t* proactor)
 {
 qdr_sasl_relay_t* instance = NEW(qdr_sasl_relay_t);
 ZERO(instance);
- instance->authentication_service_address = strdup(address);
+ instance->authentication_service_address = qd_strdup(address);
+ if (hostname) {
+ instance->hostname = qd_strdup(hostname);
+ }
 if (sasl_init_hostname) {
- instance->sasl_init_hostname = strdup(sasl_init_hostname);
+ instance->sasl_init_hostname = qd_strdup(sasl_init_hostname);
 }
 instance->proactor = proactor;
 init_permissions(&instance->permissions);
@@ -152,6 +156,7 @@ static qdr_sasl_relay_t* new_qdr_sasl_relay_t(const char* address, const char* s
 static void delete_qdr_sasl_relay_t(qdr_sasl_relay_t* instance)
 {
 if (instance->authentication_service_address) free(instance->authentication_service_address);
+ if (instance->hostname) free(instance->hostname);
 if (instance->sasl_init_hostname) free(instance->sasl_init_hostname);
 if (instance->ssl_domain) pn_ssl_domain_free(instance->ssl_domain);
 if (instance->mechlist) free(instance->mechlist);
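Review bot: `new_qdr_sasl_relay_t` now takes three string arguments with different NULL contracts and none of them is documented: `address` goes to `qd_strdup` unconditionally, while `hostname` and `sasl_init_hostname` are copied only inside `if (...)` guards, so the hunk implies `address` is required and the other two are optional. A short header comment would spare the next reader from re-deriving that: `// Allocates a relay context. address (the authentication service address) is required; hostname and sasl_init_hostname are optional and are copied only when non-NULL. Released by delete_qdr_sasl_relay_t().` Whether `qd_strdup` itself tolerates NULL is not visible on this page, so the comment should not promise it.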
@@ -208,7 +213,7 @@ static bool remote_sasl_init_server(pn_transport_t* transport)
 pn_proactor_t* proactor = impl->proactor;
 if (!proactor) return false;
 impl->downstream = pn_connection();
- pn_connection_set_hostname(impl->downstream, impl->authentication_service_address);
+ pn_connection_set_hostname(impl->downstream, impl->hostname);
 set_sasl_relay_context(impl->downstream, impl);
 //request permissions in response if supported by peer:
 pn_data_t* data = pn_connection_desired_capabilities(impl->downstream);
@@ -381,7 +386,7 @@ static bool remote_sasl_process_mechanisms(pn_transport_t *transport, const char
 {
 qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
 if (impl) {
- impl->mechlist = strdup(mechs);
+ impl->mechlist = qd_strdup(mechs);
 if (notify_upstream(impl, DOWNSTREAM_MECHANISMS_RECEIVED)) {
 return true;
 } else {
@@ -440,7 +445,7 @@ static void remote_sasl_process_init(pn_transport_t *transport, const char *mech
 {
 qdr_sasl_relay_t* impl = (qdr_sasl_relay_t*) pnx_sasl_get_context(transport);
 if (impl) {
- impl->selected_mechanism = strdup(mechanism);
+ impl->selected_mechanism = qd_strdup(mechanism);
 copy_bytes(recv, &(impl->response));
 if (!notify_downstream(impl, UPSTREAM_INIT_RECEIVED)) {
 pnx_sasl_set_desired_state(transport, SASL_ERROR);
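Review bot: `pn_connection_set_hostname(impl->downstream, impl->hostname)` is now reached with whatever `new_qdr_sasl_relay_t` stored, and that constructor leaves `impl->hostname` NULL when no hostname was supplied, whereas the removed line always had a value to pass. Along the configuration path in this diff `hostname` is set whenever `auth_service` is, but `qdr_use_remote_authentication_service` is exported in remote_sasl.h, so the NULL case is reachable from other callers and is currently handled silently. Since this name is what the TLS layer presents as SNI (per the new field comment in server.h) and is presumably also what a name-verifying `ssl_domain` compares against the service certificate — worth confirming against proton — a missing hostname should at least be logged rather than dropped; `remote_sasl_init_server` begins outside the hunk.
```c
    impl->downstream = pn_connection();
    if (impl->hostname) {
        pn_connection_set_hostname(impl->downstream, impl->hostname);
    } else {
        qd_log(auth_service_log, QD_LOG_WARNING,
               "No hostname configured for authentication service %s; connection hostname (SNI) left unset",
               impl->authentication_service_address);
    }
    /* … unchanged: set_sasl_relay_context, desired capabilities … */
```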
@@ -501,10 +506,10 @@ static void set_remote_impl(pn_transport_t *transport, qdr_sasl_relay_t* context
 pnx_sasl_set_implementation(transport, &remote_sasl_impl, context);
 }
-void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
+void qdr_use_remote_authentication_service(pn_transport_t *transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor)
 {
 auth_service_log = qd_log_source("AUTHSERVICE");
- qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, sasl_init_hostname, proactor);
+ qdr_sasl_relay_t* context = new_qdr_sasl_relay_t(address, hostname, sasl_init_hostname, proactor);
 context->ssl_domain = ssl_domain;
 set_remote_impl(transport, context);
 }
@@ -691,7 +696,7 @@ void qdr_handle_authentication_service_connection_event(pn_event_t *e)
 if (authid.start && authid.size) {
 context->username = strndup(authid.start, authid.size);
 } else {
- context->username = strdup("");
+ context->username = qd_strdup("");
 }
 //notify upstream connection of successful authentication
 notify_upstream(context, DOWNSTREAM_OUTCOME_RECEIVED);
diff --git a/src/remote_sasl.h b/src/remote_sasl.h
index 2dd763a..2afab61 100644
--- a/src/remote_sasl.h
+++ b/src/remote_sasl.h
@@ -24,7 +24,7 @@
 #include <proton/ssl.h>
 #include <proton/types.h>
-void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
+void qdr_use_remote_authentication_service(pn_transport_t* transport, const char* address, const char* hostname, const char* sasl_init_hostname, pn_ssl_domain_t* ssl_domain, pn_proactor_t* proactor);
 bool qdr_is_authentication_service_connection(pn_connection_t* conn);
 void qdr_handle_authentication_service_connection_event(pn_event_t *e);
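Review bot: In the `qdr_handle_authentication_service_connection_event` hunk `context->username` is now filled by libc `strndup` on the `if` branch and by `qd_strdup` on the `else` branch; nothing on this page shows `qd_strdup`'s definition, so if it is more than a thin wrapper over the system allocator the two branches hand the same field to two different allocators and whoever frees `username` cannot tell which one it came from. Either keep both branches on libc or give the first one a bounded project-provided counterpart, e.g. `context->username = <qd bounded dup>(authid.start, authid.size);` (placeholder name), with a comment naming the allocator the field must be freed with. The same `strdup` → `qd_strdup` swap is made in the `remote_sasl_process_mechanisms` and `remote_sasl_process_init` hunks, which leaves this `strndup` as the only libc string-duplicating call in the hunks shown.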
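Review bot: The new `hostname` parameter of `qdr_use_remote_authentication_service` lands in the public header without any documentation, and its relation to the neighbouring `address` and `sasl_init_hostname` parameters is not obvious from the names alone; the remote_sasl.c hunks show `address` being stored as `authentication_service_address`, `hostname` being what `pn_connection_set_hostname` receives for the downstream connection, and `sasl_init_hostname` being kept as a separate value. A Doxygen block above the prototype should state that `address` is required, that `hostname` is the DNS name used for the downstream TLS connection's SNI and may be NULL (in which case the connection hostname is left unset), that `sasl_init_hostname` may be NULL, and that all three strings are copied so the caller keeps ownership. The copying is visible in `new_qdr_sasl_relay_t`, and the NULL-tolerance of `hostname` and `sasl_init_hostname` follows from the `if (...)` guards there.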
diff --git a/src/server.c b/src/server.c
index 75527b2..24ece14 100644
--- a/src/server.c
+++ b/src/server.c
@@ -752,7 +752,7 @@ static void on_connection_bound(qd_server_t *server, pn_event_t *e) {
 }
 }
 }
- qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
+ qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.hostname, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor);
 }
 pn_transport_require_auth(tport, config->requireAuthentication);
 pn_transport_require_encryption(tport, config->requireEncryption);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org
For additional commands, e-mail: commits-h...@qpid.apache.org