Author: kgiusti
Date: Thu Oct 11 18:44:09 2012
New Revision: 1397230
URL: http://svn.apache.org/viewvc?rev=1397230&view=rev
Log:
PROTON-53: add hooks into SSL to verify handshake completed.
Modified:
qpid/proton/trunk/proton-c/bindings/python/proton.py
qpid/proton/trunk/proton-c/bindings/python/python.i
qpid/proton/trunk/proton-c/bindings/ruby/ruby.i
qpid/proton/trunk/proton-c/include/proton/ssl.h
qpid/proton/trunk/proton-c/src/ssl/openssl.c
qpid/proton/trunk/tests/proton_tests/ssl.py
Modified: qpid/proton/trunk/proton-c/bindings/python/proton.py
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/bindings/python/proton.py?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/bindings/python/proton.py (original)
+++ qpid/proton/trunk/proton-c/bindings/python/proton.py Thu Oct 11 18:44:09
2012
@@ -1825,6 +1825,17 @@ class SSL(object):
# @TODO: fix up buffer return value...
pass
+ def cipher_name(self):
+ rc, name = pn_ssl_get_cipher_name( self._ssl, 128 )
+ if rc:
+ return name
+ return None
+
+ def protocol_name(self):
+ rc, name = pn_ssl_get_protocol_name( self._ssl, 128 )
+ if rc:
+ return name
+ return None
__all__ = ["Messenger", "Message", "ProtonException", "MessengerException",
"MessageException", "Timeout", "Data", "Endpoint", "Connection",
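Review bot: Neither new method carries a docstring, and the literal `128` passed to both C calls is an undocumented buffer size that silently truncates longer names; the `SSL` class header is outside the hunk. Add a docstring such as `"""Return the name of the cipher currently negotiated on this transport, or None if SSL is not active (cipher names longer than 128 bytes are truncated)."""` and the matching one for `protocol_name`, and lift the constant into a named class attribute like `_NAME_MAX = 128` used by both calls so the two stay in step. Callers intending to use these as a "handshake completed" check (per the commit log) should know that `None` means "no cipher reported by OpenSSL", which is not necessarily the same as "handshake not yet finished" — worth stating in the docstring if that distinction matters to the API.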
Modified: qpid/proton/trunk/proton-c/bindings/python/python.i
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/bindings/python/python.i?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/bindings/python/python.i (original)
+++ qpid/proton/trunk/proton-c/bindings/python/python.i Thu Oct 11 18:44:09 2012
@@ -13,6 +13,7 @@
%cstring_output_withsize(char *OUTPUT, size_t *OUTPUT_SIZE)
%cstring_output_allocate_size(char **ALLOC_OUTPUT, size_t *ALLOC_SIZE,
free(*$1));
+%cstring_output_maxsize(char *OUTPUT, size_t MAX_OUTPUT_SIZE)
%typemap(in) pn_bytes_t {
if ($input == Py_None) {
@@ -393,4 +394,11 @@ ssize_t pn_data_decode(pn_data_t *data,
int pn_data_format(pn_data_t *data, char *OUTPUT, size_t *OUTPUT_SIZE);
%ignore pn_data_format;
+bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *OUTPUT, size_t
MAX_OUTPUT_SIZE);
+%ignore pn_ssl_get_cipher_name;
+
+bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *OUTPUT, size_t
MAX_OUTPUT_SIZE);
+%ignore pn_ssl_get_protocol_name;
+
+
%include "proton/cproton.i"
Modified: qpid/proton/trunk/proton-c/bindings/ruby/ruby.i
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/bindings/ruby/ruby.i?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/bindings/ruby/ruby.i (original)
+++ qpid/proton/trunk/proton-c/bindings/ruby/ruby.i Thu Oct 11 18:44:09 2012
@@ -20,6 +20,7 @@ typedef int int32_t;
%cstring_output_withsize(char *OUTPUT, size_t *OUTPUT_SIZE)
%cstring_output_allocate_size(char **ALLOC_OUTPUT, size_t *ALLOC_SIZE,
free(*$1));
+%cstring_output_maxsize(char *OUTPUT, size_t MAX_OUTPUT_SIZE)
%{
#if !defined(RSTRING_LEN)
@@ -265,4 +266,11 @@ ssize_t pn_transport_input(pn_transport_
%}
%ignore pn_message_data;
+bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *OUTPUT, size_t
MAX_OUTPUT_SIZE);
+%ignore pn_ssl_get_cipher_name;
+
+bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *OUTPUT, size_t
MAX_OUTPUT_SIZE);
+%ignore pn_ssl_get_protocol_name;
+
+
%include "proton/cproton.i"
Modified: qpid/proton/trunk/proton-c/include/proton/ssl.h
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/include/proton/ssl.h?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/include/proton/ssl.h (original)
+++ qpid/proton/trunk/proton-c/include/proton/ssl.h Thu Oct 11 18:44:09 2012
@@ -179,13 +179,37 @@ int pn_ssl_set_peer_authentication(pn_ss
* returned.
* @param[in,out] trusted_CAs_size on input set to the number of octets in
trusted_CAs.
* on output, set to the number of octets needed to hold the value of
trusted_CAs plus a
- * null byte. @return 0 on success
+ * null byte.
+ * @return 0 on success
*/
int pn_ssl_get_peer_authentication(pn_ssl_t *ssl,
pn_ssl_verify_mode_t *mode,
char *trusted_CAs, size_t
*trusted_CAs_size);
+/** Get the name of the Cipher that is currently in use.
+ *
+ * Gets a text description of the cipher that is currently active, or returns
FALSE if SSL
+ * is not active (no cipher). Note that the cipher in use may change over
time due to
+ * renegotiation or other changes to the SSL state.
+ *
+ * @param[in] ssl the ssl client/server to query.
+ * @param[in,out] buffer buffer of size bytes to hold cipher name
+ * @param[in] size maximum number of bytes in buffer.
+ * @return True if cipher name written to buffer, False if no cipher in use.
+ */
+bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *buffer, size_t size);
+/** Get the name of the SSL protocol that is currently in use.
+ *
+ * Gets a text description of the SSL protocol that is currently active, or
returns FALSE if SSL
+ * is not active. Note that the protocol may change over time due to
renegotiation.
+ *
+ * @param[in] ssl the ssl client/server to query.
+ * @param[in,out] buffer buffer of size bytes to hold the version identifier
+ * @param[in] size maximum number of bytes in buffer.
+ * @return True if the version information was to buffer, False if SSL
connection not ready.
+ */
+bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *buffer, size_t size);
#ifdef __cplusplus
}
#endif
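Review bot: The new doc comments do not state the one contract a caller must get right: `size` is the total buffer length including the terminating NUL, and names that do not fit are truncated (or rejected — pick one and document it). Suggest adding to both `@param[in] size` lines: `maximum number of bytes in buffer, including the terminating null; longer names are truncated`, changing `@param[in,out] buffer` to `@param[out] buffer` since the contents are never read, and fixing the truncated sentence in `pn_ssl_get_protocol_name` to `@return True if the version information was written to buffer, False if SSL connection not ready.` Since the commit log frames these as handshake-completion hooks, the comment should also make clear that a True result means OpenSSL currently reports a cipher, which may (I believe) be the case once a cipher has been selected rather than strictly after the handshake has finished — please confirm against the OpenSSL semantics before documenting it as a completion check.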
Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 11 18:44:09 2012
@@ -451,6 +451,39 @@ int pn_ssl_get_peer_authentication(pn_ss
return 0;
}
+bool pn_ssl_get_cipher_name(pn_ssl_t *ssl, char *buffer, size_t size )
+{
+ const SSL_CIPHER *c;
+
+ if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) {
+ const char *v = SSL_CIPHER_get_name(c);
+ if (v) {
+ size_t len = pn_min( strlen(v), size );
+ strncpy(buffer, v, len);
+ buffer[len] = 0;
+ return true;
+ }
+ }
+ return false;
+}
+
+bool pn_ssl_get_protocol_name(pn_ssl_t *ssl, char *buffer, size_t size )
+{
+ const SSL_CIPHER *c;
+
+ if (ssl->ssl && (c = SSL_get_current_cipher( ssl->ssl ))) {
+ const char *v = SSL_CIPHER_get_version(c);
+ if (v) {
+ size_t len = pn_min( strlen(v), size );
+ strncpy(buffer, v, len);
+ buffer[len] = 0;
+ return true;
+ }
+ }
+ return false;
+}
+
+
int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mode_t mode)
{
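Review bot: Both new functions write one byte past the end of `buffer` when the name is at least `size` bytes long: `len = pn_min(strlen(v), size)` can equal `size`, and `buffer[len] = 0` then stores the NUL at `buffer[size]`. In both functions change the copy to `size_t len = pn_min( strlen(v), size - 1 );` and add a guard `if (!buffer || size == 0) return false;` before it (or simply replace the three copy lines with `snprintf(buffer, size, "%s", v);`, which truncates and terminates correctly). Cipher names today are far shorter than the 128 bytes the Python binding passes, so this is not triggerable from that caller, but the C API is public and any caller supplying a tight buffer gets a heap or stack off-by-one; as far as I recall SWIG's `%cstring_output_maxsize` also allocates exactly MAX bytes, so even the binding has no slack. The duplicated copy logic would also read better as one `static bool copy_name(const char *v, char *buffer, size_t size)` helper shared by both functions. `pn_ssl_init` starts in this hunk and continues beyond it.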
Modified: qpid/proton/trunk/tests/proton_tests/ssl.py
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/tests/proton_tests/ssl.py?rev=1397230&r1=1397229&r2=1397230&view=diff
==============================================================================
--- qpid/proton/trunk/tests/proton_tests/ssl.py (original)
+++ qpid/proton/trunk/tests/proton_tests/ssl.py Thu Oct 11 18:44:09 2012
@@ -55,15 +55,25 @@ class SslTest(common.Test):
def test_defaults(self):
""" By default, both the server and the client support anonymous
- ciphers.
+ ciphers - they should connect without need for a certificate.
"""
client_conn = Connection()
self.t_client.bind(client_conn)
server_conn = Connection()
self.t_server.bind(server_conn)
+
+ # check that no SSL connection exists
+ assert not self.server.cipher_name()
+ assert not self.client.protocol_name()
+
client_conn.open()
server_conn.open()
self._pump()
+
+ # now SSL should be active
+ assert self.server.cipher_name() is not None
+ assert self.client.protocol_name() is not None
+
client_conn.close()
server_conn.close()
self._pump()
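Review bot: The post-handshake assertions only check that some string comes back, so the test would pass with any cipher and any protocol version; for a test whose docstring is specifically about anonymous ciphers, it would be more meaningful to also pin the expectation, e.g. `assert "ADH" in self.server.cipher_name()` if that is indeed how OpenSSL names the anonymous DH suites in use here, and `assert self.client.protocol_name() == self.server.protocol_name()`. The pre-open checks use `assert not ...` while the post-open checks use `is not None`; making both sides use `is None` / `is not None` would state the contract of the new accessors (they return `None`, not an empty string) consistently. The rest of `test_defaults` and the `SslTest` fixture setup are outside the hunk.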
@@ -83,6 +93,7 @@ class SslTest(common.Test):
client_conn.open()
server_conn.open()
self._pump()
+ assert self.client.protocol_name() is not None
client_conn.close()
server_conn.close()
self._pump()
@@ -104,6 +115,7 @@ class SslTest(common.Test):
client_conn.open()
server_conn.open()
self._pump()
+ assert self.client.protocol_name() is not None
client_conn.close()
server_conn.close()
self._pump()
@@ -133,6 +145,7 @@ class SslTest(common.Test):
client_conn.open()
server_conn.open()
self._pump()
+ assert self.client.protocol_name() is not None
client_conn.close()
server_conn.close()
self._pump()
@@ -161,6 +174,7 @@ class SslTest(common.Test):
client_conn.open()
server_conn.open()
self._pump()
+ assert self.client.protocol_name() is not None
client_conn.close()
server_conn.close()
self._pump()