From: <ale...@us...> - 2014-11-28 11:58:16
Revision: 60302 http://sourceforge.net/p/firebird/code/60302
Author: alexpeshkoff
Date: 2014-11-28 11:58:08 +0000 (Fri, 28 Nov 2014)
Log Message:
-----------
Misc encryption enhancements
Modified Paths:
--------------
firebird/trunk/src/remote/remote.cpp
firebird/trunk/src/remote/remote.h
firebird/trunk/src/remote/server/server.cpp
Modified: firebird/trunk/src/remote/remote.cpp
===================================================================
--- firebird/trunk/src/remote/remote.cpp 2014-11-28 06:28:01 UTC (rev 60301)
+++ firebird/trunk/src/remote/remote.cpp 2014-11-28 11:58:08 UTC (rev 60302)
@@ -1666,8 +1666,8 @@
 signed char wcCompatible[3][3] = {
-/* DISABLED ENABLED REQUIRED */
-/* DISABLED */ {0, 0, -1},
-/* ENABLED */ {0, 1, 2},
-/* REQUIRED */ {-1, 2, 2}
+/* DISABLED ENABLED REQUIRED */
+/* DISABLED */ {WIRECRYPT_DISABLED, WIRECRYPT_DISABLED, WIRECRYPT_BROKEN},
+/* ENABLED */ {WIRECRYPT_DISABLED, WIRECRYPT_ENABLED, WIRECRYPT_REQUIRED},
+/* REQUIRED */ {WIRECRYPT_BROKEN, WIRECRYPT_REQUIRED, WIRECRYPT_REQUIRED}
 };
Modified: firebird/trunk/src/remote/remote.h
===================================================================
--- firebird/trunk/src/remote/remote.h 2014-11-28 06:28:01 UTC (rev 60301)
+++ firebird/trunk/src/remote/remote.h 2014-11-28 11:58:08 UTC (rev 60302)
@@ -739,6 +739,10 @@
 AuthServerPlugins* plugins;
 Auth::WriterImplementation authBlockWriter;
+ // extractNewKeys flags
+ static const ULONG EXTRACT_PLUGINS_LIST = 0x1;
+ static const ULONG ONLY_CLEANUP = 0x2;
+
 explicit SrvAuthBlock(rem_port* p_port) :
 port(p_port), userName(getPool()), pluginName(getPool()), pluginList(getPool()),
@@ -771,7 +775,7 @@
 void createPluginsItr();
 void setDataForPlugin(const p_auth_continue* data);
 void reset();
- bool extractNewKeys(CSTRING* to, bool flagPlugList = false);
+ bool extractNewKeys(CSTRING* to, ULONG flags);
 bool hasDataForPlugin();
 // Firebird::IServerBlock implementation
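Review bot: The two flag constants added in the `-739` hunk of remote.h carry only the header `// extractNewKeys flags`, and their meaning is not visible at the call sites that OR them together. Judging from the implementation in server.cpp, ONLY_CLEANUP skips key extraction entirely and EXTRACT_PLUGINS_LIST appends the known-plugins list only when no plugin data is pending, so a one-line comment on each would make that contract readable: `static const ULONG EXTRACT_PLUGINS_LIST = 0x1; // also advertise pluginList when no plugin data is pending` and `static const ULONG ONLY_CLEANUP = 0x2; // reset lastExtractedKeys and send no keys (wire crypt is off for the port)`. Dropping the `bool flagPlugList = false` default in the `-771` hunk is right for a flags word; callers that still want a default now go through the rem_port wrapper.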
@@ -810,6 +814,11 @@
 const UCHAR TAG_KEY_PLUGINS = 1;
 const UCHAR TAG_KNOWN_PLUGINS = 2;
+const signed char WIRECRYPT_BROKEN = -1;
+const signed char WIRECRYPT_DISABLED = 0;
+const signed char WIRECRYPT_ENABLED = 1;
+const signed char WIRECRYPT_REQUIRED = 2;
+
 // port_flags
 const USHORT PORT_symmetric = 0x0001; // Server/client architectures are symmetic
 const USHORT PORT_async = 0x0002; // Port is asynchronous channel for events
@@ -916,11 +925,9 @@
 ServerAuthBase* port_srv_auth;
 SrvAuthBlock* port_srv_auth_block;
 Firebird::HalfStaticArray<InternalCryptKey*, 2> port_crypt_keys; // available wire crypt keys
- bool port_need_disk_crypt; // set when appropriate DPB/SPB item is present
- // requires wire crypt active before attachDatabase()
 bool port_crypt_complete; // wire crypt init is complete one way or another,
 // up to being turned off in firebird.conf
- bool port_required_encryption; // encryption is required on port
+ signed char port_crypt_level; // encryption level for port
 Firebird::ObjectsArray<KnownServerKey> port_known_server_keys; // Server sends to client
 // keys known by it, they are stored here
 Firebird::IWireCryptPlugin* port_crypt_plugin; // plugin used by port, when not NULL - crypts wire data
@@ -966,8 +973,7 @@
 port_requests_queued(0), port_xcc(0), port_deferred_packets(0), port_last_object_id(0), port_queue(getPool()), port_qoffset(0), port_srv_auth(NULL), port_srv_auth_block(NULL),
- port_crypt_keys(getPool()), port_need_disk_crypt(false), port_crypt_complete(false),
- port_required_encryption(true), // safe default
+ port_crypt_keys(getPool()), port_crypt_complete(false), port_crypt_level(WIRECRYPT_REQUIRED),
 port_known_server_keys(getPool()), port_crypt_plugin(NULL), port_client_crypt_callback(NULL), port_server_crypt_callback(NULL), port_buffer(FB_NEW(getPool()) UCHAR[rpt]),
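Review bot: The `// safe default` comment is dropped from the constructor initializer in the `-966` hunk while the secure default itself is kept; that comment is what tells the next reader the REQUIRED value is deliberate rather than arbitrary, so keep it: `port_crypt_keys(getPool()), port_crypt_complete(false), port_crypt_level(WIRECRYPT_REQUIRED), // safe default`. In the `-810` hunk the WIRECRYPT_* constants are also the values stored in `wcCompatible[3][3]` and, judging by the row labels in remote.cpp, presumably the same numbering used to index it, which nothing states; a comment next to them such as `// also the row/column numbering of wcCompatible[][] in remote.cpp; BROKEN must stay the only negative value` would guard that coupling. `port_need_disk_crypt` is removed in the `-916` hunk with no matching change in server.cpp, so presumably it was already unused; worth confirming nothing outside this diff still references it.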
@@ -991,6 +997,13 @@
 const Firebird::RefPtr<Config>& getPortConfig() const;
 void versionInfo(Firebird::string& version);
+ bool extractNewKeys(CSTRING* to, bool flagPlugList = false)
+ {
+ return port_srv_auth_block->extractNewKeys(to,
+ (flagPlugList ? SrvAuthBlock::EXTRACT_PLUGINS_LIST : 0) |
+ (port_crypt_level <= WIRECRYPT_DISABLED ? SrvAuthBlock::ONLY_CLEANUP : 0));
+ }
+
 template <typename T>
 void getHandle(T*& blk, OBJCT id)
 {
Modified: firebird/trunk/src/remote/server/server.cpp
===================================================================
--- firebird/trunk/src/remote/server/server.cpp 2014-11-28 06:28:01 UTC (rev 60301)
+++ firebird/trunk/src/remote/server/server.cpp 2014-11-28 11:58:08 UTC (rev 60302)
@@ -470,14 +470,14 @@
 HANDSHAKE_DEBUG(fprintf(stderr, "Srv: authenticate: send op_cond_accept\n"));
 send->p_operation = op_cond_accept;
 authPort->port_srv_auth_block->extractDataFromPluginTo(&send->p_acpd);
- authPort->port_srv_auth_block->extractNewKeys(&send->p_acpd.p_acpt_keys);
+ authPort->extractNewKeys(&send->p_acpd.p_acpt_keys);
 }
 else
 {
 HANDSHAKE_DEBUG(fprintf(stderr, "Srv: authenticate: send op_cont_auth\n"));
 send->p_operation = op_cont_auth;
 authPort->port_srv_auth_block->extractDataFromPluginTo(&send->p_auth_cont);
- authPort->port_srv_auth_block->extractNewKeys(&send->p_auth_cont.p_keys);
+ authPort->extractNewKeys(&send->p_auth_cont.p_keys);
 }
 }
 else
@@ -1575,7 +1575,7 @@
 {
 if (port->port_type == rem_port::XNET) // local connection
 {
- port->port_required_encryption = false;
+ port->port_crypt_level = WIRECRYPT_DISABLED;
 return false;
 }
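Review bot: The new inline `rem_port::extractNewKeys` in the `-991` hunk dereferences `port_srv_auth_block` unconditionally, and the rem_port constructor in this same file initializes that pointer to NULL; the call sites replaced in server.cpp already performed that dereference themselves, so nothing gets worse, but the precondition deserves a line: `// precondition: port_srv_auth_block is set (server side, authentication in progress)`. The `<= WIRECRYPT_DISABLED` test also routes WIRECRYPT_BROKEN to the cleanup path, which is harmless because the handshake raises isc_wirecrypt_incompatible before a BROKEN level is ever stored, yet it only reads as intentional with a note such as `// wire crypt is off for this port: do not advertise key types, just reset what was extracted`. Keeping `bool flagPlugList = false` on the wrapper preserves source compatibility for the one- and two-argument callers in server.cpp.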
@@ -1592,13 +1592,13 @@
 }
 int serverCrypt = port->getPortConfig()->getWireCrypt(WC_SERVER);
- if (wcCompatible[clientCrypt][serverCrypt] < 0)
+ if (wcCompatible[clientCrypt][serverCrypt] == WIRECRYPT_BROKEN)
 {
 Arg::Gds(isc_wirecrypt_incompatible).raise();
 }
- port->port_required_encryption = wcCompatible[clientCrypt][serverCrypt] == 2;
- return wcCompatible[clientCrypt][serverCrypt] > 0;
+ port->port_crypt_level = wcCompatible[clientCrypt][serverCrypt];
+ return wcCompatible[clientCrypt][serverCrypt] >= WIRECRYPT_ENABLED;
 }
@@ -1748,9 +1748,9 @@
 return true;
 }
- if (port->port_required_encryption)
+ if (port->port_crypt_level == WIRECRYPT_REQUIRED)
 {
- HANDSHAKE_DEBUG(fprintf(stderr, "port_required_encryption, reset accepted\n"));
+ HANDSHAKE_DEBUG(fprintf(stderr, "WIRECRYPT_REQUIRED, reset accepted\n"));
 accepted = false;
 }
 }
@@ -1858,7 +1858,7 @@
 // extractNewKeys() will also send to client list of known plugins
 if (version >= PROTOCOL_VERSION13 &&
- port->port_srv_auth_block->extractNewKeys(&send->p_acpd.p_acpt_keys, returnData))
+ port->extractNewKeys(&send->p_acpd.p_acpt_keys, returnData))
 {
 returnData = true;
 }
@@ -1883,7 +1883,7 @@
 if (useResponse)
 {
 CSTRING* const s = &send->p_resp.p_resp_data;
- authPort->port_srv_auth_block->extractNewKeys(s);
+ authPort->extractNewKeys(s);
 ISC_STATUS sv[] = {1, 0, 0};
 authPort->send_response(send, 0, s->cstr_length, sv, false);
 }
@@ -1891,7 +1891,7 @@
 {
 send->p_operation = op_accept_data;
 CSTRING* const s = &send->p_acpd.p_acpt_keys;
- authPort->port_srv_auth_block->extractNewKeys(s);
+ authPort->extractNewKeys(s);
 send->p_acpd.p_acpt_authenticated = 1;
 authPort->send(send);
 if (send->p_acpt.p_acpt_type & pflag_compress)
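Review bot: The `-1592` hunk indexes `wcCompatible[clientCrypt][serverCrypt]` three times with no range check on either index; `serverCrypt` comes from `getPortConfig()->getWireCrypt(WC_SERVER)` and `clientCrypt` is assigned above the hunk (the enclosing function starts outside it), so whether either can ever carry a value outside 0..2 cannot be confirmed from here, but if one can, the lookup reads past the 3x3 table before the BROKEN test runs. Reading the entry once into a local removes the repeated lookup and gives the bounds check a natural place, reusing the existing isc_wirecrypt_incompatible error for the reject; the comparison change from `< 0` to `== WIRECRYPT_BROKEN` and from `> 0` to `>= WIRECRYPT_ENABLED` is otherwise behavior-preserving for the values the table holds.
```cpp
	int serverCrypt = port->getPortConfig()->getWireCrypt(WC_SERVER);
	// both indices must name a row/column of the 3x3 table before it is read
	if (clientCrypt < 0 || clientCrypt > 2 || serverCrypt < 0 || serverCrypt > 2)
	{
		Arg::Gds(isc_wirecrypt_incompatible).raise();
	}
	const signed char level = wcCompatible[clientCrypt][serverCrypt];
	if (level == WIRECRYPT_BROKEN)
	{
		Arg::Gds(isc_wirecrypt_incompatible).raise();
	}
	port->port_crypt_level = level;
	return level >= WIRECRYPT_ENABLED;
```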
@@ -2125,7 +2125,7 @@
 * **************************************/
 WIRECRYPT_DEBUG(fprintf(stderr, "Line encryption %sabled on attach\n", port->port_crypt_complete ? "en" : "dis"));
- if (port->port_required_encryption && !port->port_crypt_complete)
+ if (port->port_crypt_level == WIRECRYPT_REQUIRED && !port->port_crypt_complete)
 {
 Arg::Gds(isc_miss_wirecrypt).raise();
 }
@@ -2213,7 +2213,7 @@
 }
 CSTRING* const s = &send->p_resp.p_resp_data;
- authPort->port_srv_auth_block->extractNewKeys(s);
+ authPort->extractNewKeys(s);
 authPort->send_response(send, 0, s->cstr_length, &status_vector, false);
 }
@@ -5213,7 +5213,7 @@
 static void attach_service(rem_port* port, P_ATCH* attach, PACKET* sendL)
 {
 WIRECRYPT_DEBUG(fprintf(stderr, "Line encryption %sabled on attach svc\n", port->port_crypt_complete ? "en" : "dis"));
- if (port->port_required_encryption && !port->port_crypt_complete)
+ if (port->port_crypt_level == WIRECRYPT_REQUIRED && !port->port_crypt_complete)
 {
 Arg::Gds(isc_miss_wirecrypt).raise();
 }
@@ -5236,7 +5236,7 @@
 void ServiceAttachAuth::accept(PACKET* sendL, Auth::WriterImplementation* authBlock)
 {
 authBlock->store(pb, isc_spb_auth_block);
- authPort->port_srv_auth_block->extractNewKeys(&sendL->p_resp.p_resp_data);
+ authPort->extractNewKeys(&sendL->p_resp.p_resp_data);
 authPort->service_attach(managerName.c_str(), pb, sendL);
 }
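Review bot: The `-2125` and `-5213` hunks now carry the same wire-crypt gate, `if (port->port_crypt_level == WIRECRYPT_REQUIRED && !port->port_crypt_complete)` raising isc_miss_wirecrypt, in two functions that must stay in sync as the level field evolves; a small `static` helper in server.cpp called from both places (the `-2125` function's name is outside its hunk, the `-5213` one is `attach_service`) would keep this enforcement point single. Either way the check deserves a why-comment, e.g. `// the negotiated policy requires encryption but the handshake did not establish it: refuse the attach`. Replacing `port_required_encryption` with `port_crypt_level == WIRECRYPT_REQUIRED` is behavior-preserving here, since the old flag was set exactly when the table yielded the REQUIRED value, cleared on XNET, and true by default.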
@@ -6410,23 +6410,27 @@
 plugins = NULL;
 }
-bool SrvAuthBlock::extractNewKeys(CSTRING* to, bool flagPluginsList)
+bool SrvAuthBlock::extractNewKeys(CSTRING* to, ULONG flags)
 {
 lastExtractedKeys.reset();
- for (unsigned n = 0; n < newKeys.getCount(); ++n)
+
+ if (!(flags & ONLY_CLEANUP))
 {
- const PathName& t = newKeys[n];
- PathName plugins = knownCryptKeyTypes()[t];
- if (plugins.hasData())
+ for (unsigned n = 0; n < newKeys.getCount(); ++n)
 {
- lastExtractedKeys.insertPath(TAG_KEY_TYPE, t);
- lastExtractedKeys.insertPath(TAG_KEY_PLUGINS, plugins);
+ const PathName& t = newKeys[n];
+ PathName plugins = knownCryptKeyTypes()[t];
+ if (plugins.hasData())
+ {
+ lastExtractedKeys.insertPath(TAG_KEY_TYPE, t);
+ lastExtractedKeys.insertPath(TAG_KEY_PLUGINS, plugins);
+ }
 }
- }
- if (flagPluginsList && dataFromPlugin.getCount() == 0)
- {
- lastExtractedKeys.insertPath(TAG_KNOWN_PLUGINS, pluginList);
+ if ((flags & EXTRACT_PLUGINS_LIST) && (dataFromPlugin.getCount() == 0))
+ {
+ lastExtractedKeys.insertPath(TAG_KNOWN_PLUGINS, pluginList);
+ }
 }
 to->cstr_length = (ULONG) lastExtractedKeys.getBufferLength();
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
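Review bot: In the `-6410` hunk the re-indented loop body keeps the local `PathName plugins = knownCryptKeyTypes()[t];`, which shadows the `plugins` member of SrvAuthBlock (declared `AuthServerPlugins* plugins` in remote.h and assigned `plugins = NULL;` in the context lines at the top of this hunk); the commit moves these lines without addressing that, and renaming the local, `PathName keyPlugins = knownCryptKeyTypes()[t];` with the matching `lastExtractedKeys.insertPath(TAG_KEY_PLUGINS, keyPlugins);`, would remove the ambiguity. The rest of the function after `to->cstr_length = ...` lies outside the hunk. A header comment on the definition would also help, since the flag semantics are only visible here: say that ONLY_CLEANUP resets lastExtractedKeys and extracts nothing, so the caller sends whatever an empty writer yields, and that the known-plugins list is appended only when EXTRACT_PLUGINS_LIST is set and dataFromPlugin is empty.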