static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
{
bool eos = pn_transport_capacity(transport)==PN_EOS;
pni_protocol_type_t protocol = pni_sniff_header(bytes, available);
switch (protocol) {
case PNI_PROTOCOL_AMQP_SASL:
if (transport->io_layers[layer] == &sasl_read_header_layer) {
transport->io_layers[layer] = &sasl_layer;
} else {
transport->io_layers[layer] = &sasl_write_header_layer;
}
if (transport->trace & PN_TRACE_FRM)
pn_transport_logf(transport, " <- %s", "SASL");
pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
return SASL_HEADER_LEN;
case PNI_PROTOCOL_INSUFFICIENT:
if (!eos) return 0;
/* Fallthru */
default:
break;
}
char quoted[1024];
pn_quote_data(quoted, 1024, bytes, available);
pn_do_error(transport, "amqp:connection:framing-error",
"%s header mismatch: %s ['%s']%s", "SASL", pni_protocol_name(protocol), quoted,
!eos ? "" : " (connection aborted)");
pn_set_error_layer(transport);
return PN_EOS;
}
static ssize_t pn_input_read_sasl(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
{
pni_sasl_t *sasl = transport->sasl;
bool eos = pn_transport_capacity(transport)==PN_EOS;
if (eos) {
pn_do_error(transport, "amqp:connection:framing-error", "connection aborted");
pn_set_error_layer(transport);
return PN_EOS;
}
pni_sasl_start_server_if_needed(transport);
if (!pni_sasl_is_final_input_state(sasl)) {
return pn_dispatcher_input(transport, bytes, available, false, &transport->halt);
}
if (pni_sasl_impl_can_encrypt(transport)) {
sasl->max_encrypt_size = pni_sasl_impl_max_encrypt_size(transport);
if (transport->trace & PN_TRACE_DRV)
pn_transport_logf(transport, "SASL Encryption enabled: buffer=%d", sasl->max_encrypt_size);
transport->io_layers[layer] = &sasl_encrypt_layer;
} else if (sasl->client) {
transport->io_layers[layer] = &pni_passthru_layer;
} else {
return pni_passthru_layer.process_input(transport, layer, bytes, available);
}
return transport->io_layers[layer]->process_input(transport, layer, bytes, available);
}
// unrecoverable SSL failure occured, notify transport and generate error code.
static int ssl_failed(pn_transport_t *transport)
{
pni_ssl_t *ssl = transport->ssl;
SSL_set_shutdown(ssl->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
ssl->ssl_closed = true;
ssl->app_input_closed = ssl->app_output_closed = PN_EOS;
// fake a shutdown so the i/o processing code will close properly
SSL_set_shutdown(ssl->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
// try to grab the first SSL error to add to the failure log
char buf[128] = "Unknown error.";
unsigned long ssl_err = ERR_get_error();
if (ssl_err) {
ERR_error_string_n( ssl_err, buf, sizeof(buf) );
}
ssl_log_flush(transport); // spit out any remaining errors to the log file
pn_do_error(transport, "amqp:connection:framing-error", "SSL Failure: %s", buf);
return PN_EOS;
}
// Post SASL frame
static void pni_post_sasl_frame(pn_transport_t *transport)
{
pni_sasl_t *sasl = transport->sasl;
pn_bytes_t out = sasl->bytes_out;
enum pni_sasl_state desired_state = sasl->desired_state;
while (sasl->desired_state > sasl->last_state) {
switch (desired_state) {
case SASL_POSTED_INIT:
pn_post_frame(transport, SASL_FRAME_TYPE, 0, "DL[sz]", SASL_INIT, sasl->selected_mechanism,
out.size, out.start);
pni_emit(transport);
break;
case SASL_PRETEND_OUTCOME:
if (sasl->last_state < SASL_POSTED_INIT) {
desired_state = SASL_POSTED_INIT;
continue;
}
break;
case SASL_POSTED_MECHANISMS: {
// TODO: Hardcoded limit of 16 mechanisms
char *mechs[16];
char *mechlist = NULL;
int count = 0;
if (pni_sasl_impl_list_mechs(transport, &mechlist) > 0) {
pni_split_mechs(mechlist, sasl->included_mechanisms, mechs, &count);
}
pn_post_frame(transport, SASL_FRAME_TYPE, 0, "DL[@T[*s]]", SASL_MECHANISMS, PN_SYMBOL, count, mechs);
free(mechlist);
pni_emit(transport);
break;
}
case SASL_POSTED_RESPONSE:
pn_post_frame(transport, SASL_FRAME_TYPE, 0, "DL[z]", SASL_RESPONSE, out.size, out.start);
pni_emit(transport);
break;
case SASL_POSTED_CHALLENGE:
if (sasl->last_state < SASL_POSTED_MECHANISMS) {
desired_state = SASL_POSTED_MECHANISMS;
continue;
}
pn_post_frame(transport, SASL_FRAME_TYPE, 0, "DL[z]", SASL_CHALLENGE, out.size, out.start);
pni_emit(transport);
break;
case SASL_POSTED_OUTCOME:
if (sasl->last_state < SASL_POSTED_MECHANISMS) {
desired_state = SASL_POSTED_MECHANISMS;
continue;
}
pn_post_frame(transport, SASL_FRAME_TYPE, 0, "DL[B]", SASL_OUTCOME, sasl->outcome);
pni_emit(transport);
if (sasl->outcome!=PN_SASL_OK) {
pn_do_error(transport, "amqp:unauthorized-access", "Failed to authenticate client [mech=%s]", transport->sasl->selected_mechanism);
desired_state = SASL_ERROR;
}
break;
case SASL_RECVED_OUTCOME_SUCCEED:
if (sasl->last_state < SASL_POSTED_INIT) {
desired_state = SASL_POSTED_INIT;
continue;
}
break;
case SASL_RECVED_OUTCOME_FAIL:
pn_do_error(transport, "amqp:unauthorized-access", "Authentication failed [mech=%s]", transport->sasl->selected_mechanism);
desired_state = SASL_ERROR;
break;
case SASL_ERROR:
break;
case SASL_NONE:
return;
}
sasl->last_state = desired_state;
desired_state = sasl->desired_state;
}
}
