Issue #1599: make sslProfile configuration updatable

include/qpid/dispatch/connection_manager.h

@@ -27,24 +27,10 @@
 #include "qpid/dispatch/server.h"
 
 typedef struct qd_connection_manager_t qd_connection_manager_t;
-typedef struct qd_config_ssl_profile_t qd_config_ssl_profile_t;
 typedef struct qd_connection_t         qd_connection_t;
 
 typedef void (*qd_connection_manager_handler_t) (void *context, qd_connection_t *conn);
 
-struct qd_config_ssl_profile_t {
-    DEQ_LINKS(qd_config_ssl_profile_t);
-    char        *name;
-    char        *ssl_password;
-    char        *ssl_trusted_certificate_db;
-    char        *ssl_uid_format;
-    char        *uid_name_mapping_file;
-    char        *ssl_certificate_file;
-    char        *ssl_private_key_file;
-    char        *ssl_ciphers;
-    char        *ssl_protocols;
-};
-
 /**
  * Allocate a connection manager
  *
@@ -69,9 +55,4 @@ void qd_connection_manager_free(qd_connection_manager_t *cm);
  */
 QD_EXPORT void qd_connection_manager_start(qd_dispatch_t *qd);
 
-/**
- * Find named qd_config_ssl_profile_t object
- */
-qd_config_ssl_profile_t *qd_find_ssl_profile(const qd_connection_manager_t *cm, const char *name);
-
 #endif

include/qpid/dispatch/protocol_adaptor.h

@@ -932,6 +932,7 @@ qdr_connection_info_t *qdr_connection_info(bool             is_encrypted,
                                            bool             connection_trunking);
 
 void qdr_connection_info_set_group_correlator(qdr_connection_info_t *info, const char *correlator);
+void qdr_connection_info_set_tls(qdr_connection_info_t *info, bool enabled, char *version, char *ciphers, int ssf);
 
 void qd_adaptor_listener_init(void);
 void qd_adaptor_listener_finalize(void);

include/qpid/dispatch/server.h

@@ -24,7 +24,6 @@
 
 #include <proton/engine.h>
 #include <proton/event.h>
-#include <proton/ssl.h>
 
 typedef struct qd_server_t      qd_server_t;
 typedef struct qd_container_t   qd_container_t;
@@ -108,14 +107,6 @@ typedef enum {
  */
 void qd_server_set_container(qd_dispatch_t *qd, struct qd_container_t *container);
 
-/**
- * Store address of display name service py object for C code use
- *
- * @param qd The dispatch handle returned by qd_dispatch.
- * @param display_name_service address of python object
- */
-qd_error_t qd_register_display_name_service(qd_dispatch_t *qd, void *display_name_service);
-
 pn_proactor_t *qd_server_proactor(const qd_server_t *qd_server);
 qd_http_server_t *qd_server_http(const qd_server_t *qd_server);
 uint64_t qd_server_allocate_connection_id(qd_server_t *server);
@@ -130,8 +121,7 @@ typedef struct qd_handler_context_t {
     qd_server_event_handler_t  handler;
 } qd_handler_context_t;
 
-// Use displayName lookup to translate user_id to user name
-char *qd_server_query_user_name(const qd_server_t *server, const char *ssl_profile, const char *user_id);
+
 const char *qd_server_get_container_name(const qd_server_t *server);
 sys_mutex_t *qd_server_get_activation_lock(qd_server_t *server);
 

include/qpid/dispatch/tls.h

@@ -0,0 +1,183 @@
+#ifndef __tls_h__
+#define __tls_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**@file
+ * Management of TLS configuration and state
+ */
+
+
+#include "qpid/dispatch/log.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+
+typedef struct qd_tls_config_t   qd_tls_config_t;    // run-time TLS configuration state
+typedef struct qd_tls_session_t  qd_tls_session_t;  // per connection TLS state
+typedef struct qd_ssl2_profile_t qd_ssl2_profile_t;  // sslProfile configuration record
+
+// Proton has two different TLS implementations: one for AMQP and a buffer-based one for use with Raw Connections:
+typedef enum {
+    QD_TLS_TYPE_NONE = 0,     // unset
+    QD_TLS_TYPE_PROTON_AMQP,  // for use with AMQP transport
+    QD_TLS_TYPE_PROTON_RAW,   // use raw connection/qd_buffer_t interface
+} qd_tls_type_t;
+
+typedef enum {
+    QD_TLS_CONFIG_MODE_NONE = 0,  // unset
+    QD_TLS_CONFIG_SERVER_MODE,    // Operate as a TLS server (i.e. listener socket)
+    QD_TLS_CONFIG_CLIENT_MODE,    // Operate as an TLS client (i.e. outgoing connections)
+} qd_tls_config_mode_t;
+
+// sslProfile configuration record
+struct qd_ssl2_profile_t {
+    char *ciphers;
+    char *protocols;
+    char *trusted_certificate_db;
+    char *certificate_file;
+    char *private_key_file;
+    char *password;
+
+    /**
+     * Holds the list of component fields of the client certificate from which a unique identifier is constructed.  For
+     * e.g, this field could have the format of 'cou' indicating that the uid will consist of c - common name
+     * concatenated with o - organization-company name concatenated with u - organization unit
+     *
+     * Allowed values can be any combination of the comma separated codes (no duplicates):
+     * 'c'( ISO3166 two character country code),
+     * 's'(state or province),
+     * 'l'(Locality; generally - city),
+     * 'o'(Organization - Company Name),
+     * 'u'(Organization Unit - typically certificate type or brand),
+     * 'n'(CommonName - typically a user name for client certificates)
+     *
+     * and one of the following:
+     * '1'(sha1 certificate fingerprint, the fingerprint, as displayed in the fingerprints section when looking at a certificate
+     *  with say a web browser is the hash of the entire certificate in DER form)
+     * '2'(sha256 certificate fingerprint)
+     * '5'(sha512 certificate fingerprint)
+     */
+    char *uid_format;
+
+    /**
+     * Full path to the file that contains the uid to display name mapping.
+     */
+    char *uid_name_mapping_file;
+
+    /**
+     * version: Version assigned to the current configuration
+     * oldest_valid_version: Previous sslProfile updates with versions values < oldest_valid_version have expired.
+     */
+    long version;
+    long oldest_valid_version;
+};
+
+/**
+ * Create a new TLS qd_tls_config_t instance with the given configuration
+ *
+ * @param ssl_profile_name the name of the sslProfile configuration to use
+ * @param p_type protocol type for the child connections (TCP or AMQP)
+ * @param mode the operational use case (TLS Server or Client)
+ * @param verify_hostname enforce host name checking (Client mode)
+ * @param authenticate_peer validate peer's certificate (Server mode)
+ *
+ * @return a new qd_tls_config_t instance or 0 on error. qd_error() set if error.
+ */
+qd_tls_config_t *qd_tls_config(const char *ssl_profile_name,
+                               qd_tls_type_t p_type,
+                               qd_tls_config_mode_t mode,
+                               bool verify_hostname,
+                               bool authenticate_peer);
+
+
+/**
+ * Release a reference to the qd_tls_config_t
+ *
+ * @param config to be released. The config pointer must no longer be referenced
+ */
+void qd_tls_config_decref(qd_tls_config_t *config);
+
+
+/**
+ * Release a TLS session context.
+ *
+ * See the session constructor API in tls_amqp.h and tls_raw.h
+ *
+ * @param session the session to free. It must no longer be referenced after this call.
+ */
+void qd_tls_session_free(qd_tls_session_t *session);
+
+
+/**
+ * Get the version of TLS in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing the TLS version description. Returned string buffer must be free()d by
+ * caller. Return 0 if version not known.
+ */
+char *qd_tls_session_get_protocol_version(const qd_tls_session_t *session);
+
+/**
+ * Get the cipher in use by the session.
+ *
+ * @param session to be queried.
+ * @return Null terminated string containing a description of the active cipher. Returned string buffer must be free()d
+ * by caller. Return 0 if version not known.
+ */
+char *qd_tls_session_get_protocol_ciphers(const qd_tls_session_t *session);
+
+/**
+ * Get the Security Strength Factor (SSF) of the Cipher in use by the session
+ *
+ * @param session to be queried.
+ * @return the SSF value of the session
+ */
+int qd_tls_session_get_ssf(const qd_tls_session_t *session);
+
+
+/**
+ * Fill out the given *profile with the configuration from the named sslProfile record.
+ *
+ * @param the name of the sslProfile
+ * @param a pointer to an uninitialized qd_ssl2_profile_t instance.
+ * @return a pointer to the passed in qd_ssl2_profile_t on success else 0. Use qd_tls_cleanup_ssl_profile() release
+ * resources in use by *profile when done.
+ */
+qd_ssl2_profile_t *qd_tls_read_ssl_profile(const char *ssl_profile_name, qd_ssl2_profile_t *profile);
+
+/**
+ * Release any resources allocated by qd_tls_get_ssl_profile() and reset the profile.
+ *
+ * @param a pointer to an qd_ssl2_profile_t instance initialized by qd_tls_read_ssl_profile().
+ *
+ * Note this only releases internal resources associated with the profile, the memory pointed to by *profile is owned
+ * by the caller.
+ */
+void qd_tls_cleanup_ssl_profile(qd_ssl2_profile_t *profile);
+
+
+// Module initialization/finalization
+void qd_tls_initialize(void);
+void qd_tls_finalize(void);
+
+#endif
+

include/qpid/dispatch/tls_amqp.h

@@ -0,0 +1,55 @@
+#ifndef __tls_amqp_h__
+#define __tls_amqp_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include "qpid/dispatch/tls.h"
+
+typedef struct pn_transport_t pn_transport_t;
+
+/**
+ * API for TLS operations specific to Proton AMQP connections.
+ *
+ * Note well: these APIs apply only to TLS config/sessions of type QD_TLS_TYPE_PROTON_AMQP!  Proton raw connection based
+ * TLS sessions are not supported.  See tls.h and tls_raw_io.h.
+ */
+
+
+/**
+ * Create a new TLS session
+ *
+ * @param config the TLS configuration used to create the session
+ * @param tport transport associated with the session's connection
+ * @param allow_unencrypted if true permit accepting incoming unencrypted connections
+ * @return a new TLS session or 0 on error. If error qd_error() is set.
+ */
+qd_tls_session_t *qd_tls_session_amqp(qd_tls_config_t *config, pn_transport_t *tport, bool allow_unencrypted);
+
+
+/**
+ * Get the user identifier associated with the TLS session.
+ *
+ * @param session the active TLS session to retrieve the user id from.
+ * @return string containing user name if query succeeds else 0. Caller must free() returned user name string when no
+ * longer used.
+ */
+char *qd_tls_session_get_user_id(qd_tls_session_t *session);
+
+#endif
+