Download
Getting Started
Members
Projects
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
More
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
Toggle navigation
Bugzilla – Attachment 84631 Details for
Bug 195644
Add security support to New Agent Controller
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
Terms of Use
|
Copyright Agent
Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read
this important communication.
FD for Pluggable Layer
TPTP_FD_195644.html (text/html), 8.29 KB, created by
Igor Alelekov
on 2007-12-06 10:32:11 EST
(
hide
)
Description:
FD for Pluggable Layer
Filename:
MIME Type:
Creator:
Igor Alelekov
Created:
2007-12-06 10:32:11 EST
Size:
8.29 KB
patch
obsolete
><!-- ----------------------------------------------------------------------------- --> ><!-- >Project: Eclipse Test and Performance Tools Platform Project >--> ><!-- ----------------------------------------------------------------------------- --> > ><!doctype html public "-//w3c//dtd html 4.0 transitional//en"> ><html> > <head> > <title>TPTP feature bugzilla_number 195644</title> > <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> > <link rel="stylesheet" type="text/css" href="http://www.eclipse.org/tptp/eclipse_style.css" > > <style> ></style> > </head> > <body> > ><h1>TPTP feature: <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=195644">195644</a></h1> ><table border="0" cellpadding="2" cellspacing="2"> > <tbody> > <tr> > <td width="100">Author:</td> > <td>Igor Alelekov</td> > </tr> > <tr> > <td width="100">email:</td> > <td><a href="mailto:igor.alelekov@intel.com">igor.alelekov@intel.com</a></td> > </tr> > <tr> > <td width="100">Last updated:</td> > <td> > <!--webbot bot="Timestamp" S-Type="EDITED" S-Format="%m/%d/%Y %H:%M %Z" startspan -->12/06/2007 17:28 +0300<!--webbot bot="Timestamp" endspan i-checksum="29237" --></td> > </tr> > </tbody> ></table> ><br/> ><font color="red">Rough workload estimate in person weeks:</font> ><br/> ><table border="1"> > <tbody> > <tr> > <th>Process</th> > <th>Sizing</th> > <th>Names of people doing the work</th> > </tr> > <tr> > <td>Design</td> > <td>0.5</td> > <td rowspan="4"> </td> > </tr> > <tr> > <td>Code</td> > <td>1</td> > </tr> > <tr> > <td>Test</td> > <td>0.5</td> > </tr> > <tr> > <td>Documentation</td> > <td>0.2</td> > </tr> > <tr> > <td>Build and infrastructure</td> > <td>0</td> > <td> </td> > </tr> > <tr> > <td>Code review & other committer work <br/> > (e.g. check-in, contribution tracking) <br/> > if this is to be contributed by someone who <br/> > is not a committer in the component > </td> > <td>0</td> > <td>N/A - will be done by committer</td> > </tr> > <tr> > <td><b><font color="red">Total</font></b></td> > <td colspan="2"><font color="#FF0000"><b>2.2</b></font></td> > </tr> > </tbody> ></table> ><br> ><h2>Requirement summary</h2> ><p>This feature should cover the work required to enhance TPTP Agent Controller to provide a pluggable layer for > external ssl providers. Pluggable module with required ssl provider (JSSE, OpenSSL) should be > set in AC configuration file and should be loaded dynamically during AC startup. ></p> > ><h2>Design summary</h2> >All ssl specific things should be incapsulated into ssl provider modules and AC will delegate all ssl >processing to them. The pluggable layer dynamically loads ssl modules according to current configuration. >Suggested the following logic and API to be implemented by ssl providers:<br><br> ><ul><li><font size="3" face="Times New Roman"><b><u>Logic</u></b>. To simplify AC it is suggested don't add once more network port for ssl communications > but use single server port for all connections. To do this AC could create insecure ServerSocket > and listen to client requests on configured network port (10006 defaults) as before. > AC accepts insecure incoming connection and, if security is enabled, responses with CONNECTION_REFUSE > protocol message with SECURITY_REQUIRED reason. After that AC passes this socket to ssl module > for ssl handshaking over already established insecure connection. So pluggable ssl modules should > support two data exchange modes - secure and insecure. After accepting connection and before ssl > handshaking, module should use insecure mode, after handshaking - secure. It gives ability to do some > insecure negotiations (sending securityRequest..) before ssl handshaking. Clients, receiving > SECURITY_REQUIRED, mesage don't close the connection but use it for ssl handshaking as well.<br> ><br>In current implementation ServerSocket, listening to clients, is resided in ><i>Socket Transport Layer</i>. > But taking in account that pluggable modules may be native as weel as Java based, and we can't do > ssl handshaking in Java over native AC's sockets, we will not create ServerSocket and accept > insecure connections in AC. Instead of this, ServerSocket should reside in a pluggable module, > which should be dynamically loaded if security is enabled. Note, when security is disabled, no pluggable > modules are loaded and clients are listened to in <i>Socket Transport Layer</i> as before.<br> ><br></font></li> ><li><font size="3" face="Times New Roman"><b><u>API</u></b>. It is suggested that the pluggable layer dynamically loads ssl provider modules and > use the following API, which modules should provide: ><ul> > <li><font size="3" face="Times New Roman">int <b>sslInit</b>(log_service_t* logService, int portToListen) - initializes the > module and opens provided port to listen to client's requests. logService - pointer to the > structure providing common AC logging service. sslInit() returns 0 on success and -1 > on initialization error;<br><br></font></li> > <li><font size="3" face="Times New Roman">void* <b>sslAccept</b>() - accepts incoming insecure connection, initializes internal > connection resources and returns a connection reference. Connection reference is a pointer > to internal data of the pluggable module. It might be any structure or just an integer number;<br> > <br></font></li> > <li><font size="3" face="Times New Roman">int <b>sslHandshake</b>(void* con) - negotiates ssl connection over opened insecure > connection. Returns 0 on success and -1 on error. Parameter con - connection reference > given by sslAccept();<br><br></font></li> > <li><font size="3" face="Times New Roman">int <b>sslRead</b>(void* con, char* buffer, int length) - reads data from the connection > into provided buffer. Before sslHandshake() is called, sslRead() reads from plain insecure socket, > after - uses ssl service to read. Returns the total number of bytes read into the buffer, > or -1 on error;<br><br></font></li> > <li><font size="3" face="Times New Roman">int <b>sslWrite</b>(void* con, char* buffer, int length) - writes data to the connection. > Before sslHandshake() is called, sslWrite() writes to the plain insecure socket, after - using ssl service. > Returns the total number of written bytes, or -1 on error;<br><br> > </font></li> > <li><font size="3" face="Times New Roman">int <b>sslClose</b>(void* con) - closes connection and releases allocated connection > resources;<br><br></font></li> > <li><font size="3" face="Times New Roman">int <b>sslReset</b>() - closes server socket, releases all internal allocated resources;<br> > <br></font></li> > <li><font size="3" face="Times New Roman">void <b>sslSetValue</b>(const char* name, const char* value) – passes configuration > information to the pluggable module;<br><br></font></li> > <li><font size="3" face="Times New Roman">char* <b>sslGetValue</b>() - retrieves information from the pluggable layer;<br> > <br></font></li> > <li><font size="3" face="Times New Roman">char* <b>sslGetProviderName</b>() - provides ssl provider name and its version;<br> > <br></font></li> ></ul></font></li> > > <li><font size="3" face="Times New Roman"><b><u>Configuration</u></b>.<br> > <ul><li><font size="3" face="Times New Roman">all configuration information is stored in AC’s configuration file serviceconfig.xml in > parent tags <TransportLayer loadlib=”socketTL”..><Configuration>… > </Configuration></TransportLayer></font></li> > <li><font size="3" face="Times New Roman">AC recognizes and processes the two following > configuration tags: > <ul><li><font size="3" face="Times New Roman"><SecurityEnabled>true</SecurityEnabled> - > enabling security, security is disabled by default;</font></li> > <li><font size="3" face="Times New Roman"><SSLproviderLib>library name</SSLproviderName> - library name of pluggable > module to be dynamically loaded by the pluggable layer;</font></li> > </ul></font> > </li> > <li><font size="3" face="Times New Roman">all other tags are assumed to be configuration parameters of pluggable module and passed to > the module via sslSetValue() call; These parameters might include path to ssl key and certificate files, path to jvm > library and so on;</font></li> > </ul></font> > </li> > </ul> > </div> ></div> > > </body> ></html>
<!-- ----------------------------------------------------------------------------- --> <!-- Project: Eclipse Test and Performance Tools Platform Project --> <!-- ----------------------------------------------------------------------------- --> <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <head> <title>TPTP feature bugzilla_number 195644</title> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <link rel="stylesheet" type="text/css" href="http://www.eclipse.org/tptp/eclipse_style.css" > <style> </style> </head> <body> <h1>TPTP feature: <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=195644">195644</a></h1> <table border="0" cellpadding="2" cellspacing="2"> <tbody> <tr> <td width="100">Author:</td> <td>Igor Alelekov</td> </tr> <tr> <td width="100">email:</td> <td><a href="mailto:igor.alelekov@intel.com">igor.alelekov@intel.com</a></td> </tr> <tr> <td width="100">Last updated:</td> <td> <!--webbot bot="Timestamp" S-Type="EDITED" S-Format="%m/%d/%Y %H:%M %Z" startspan -->12/06/2007 17:28 +0300<!--webbot bot="Timestamp" endspan i-checksum="29237" --></td> </tr> </tbody> </table> <br/> <font color="red">Rough workload estimate in person weeks:</font> <br/> <table border="1"> <tbody> <tr> <th>Process</th> <th>Sizing</th> <th>Names of people doing the work</th> </tr> <tr> <td>Design</td> <td>0.5</td> <td rowspan="4"> </td> </tr> <tr> <td>Code</td> <td>1</td> </tr> <tr> <td>Test</td> <td>0.5</td> </tr> <tr> <td>Documentation</td> <td>0.2</td> </tr> <tr> <td>Build and infrastructure</td> <td>0</td> <td> </td> </tr> <tr> <td>Code review & other committer work <br/> (e.g. check-in, contribution tracking) <br/> if this is to be contributed by someone who <br/> is not a committer in the component </td> <td>0</td> <td>N/A - will be done by committer</td> </tr> <tr> <td><b><font color="red">Total</font></b></td> <td colspan="2"><font color="#FF0000"><b>2.2</b></font></td> </tr> </tbody> </table> <br> <h2>Requirement summary</h2> <p>This feature should cover the work required to enhance TPTP Agent Controller to provide a pluggable layer for external ssl providers. Pluggable module with required ssl provider (JSSE, OpenSSL) should be set in AC configuration file and should be loaded dynamically during AC startup. </p> <h2>Design summary</h2> All ssl specific things should be incapsulated into ssl provider modules and AC will delegate all ssl processing to them. The pluggable layer dynamically loads ssl modules according to current configuration. Suggested the following logic and API to be implemented by ssl providers:<br><br> <ul><li><font size="3" face="Times New Roman"><b><u>Logic</u></b>. To simplify AC it is suggested don't add once more network port for ssl communications but use single server port for all connections. To do this AC could create insecure ServerSocket and listen to client requests on configured network port (10006 defaults) as before. AC accepts insecure incoming connection and, if security is enabled, responses with CONNECTION_REFUSE protocol message with SECURITY_REQUIRED reason. After that AC passes this socket to ssl module for ssl handshaking over already established insecure connection. So pluggable ssl modules should support two data exchange modes - secure and insecure. After accepting connection and before ssl handshaking, module should use insecure mode, after handshaking - secure. It gives ability to do some insecure negotiations (sending securityRequest..) before ssl handshaking. Clients, receiving SECURITY_REQUIRED, mesage don't close the connection but use it for ssl handshaking as well.<br> <br>In current implementation ServerSocket, listening to clients, is resided in <i>Socket Transport Layer</i>. But taking in account that pluggable modules may be native as weel as Java based, and we can't do ssl handshaking in Java over native AC's sockets, we will not create ServerSocket and accept insecure connections in AC. Instead of this, ServerSocket should reside in a pluggable module, which should be dynamically loaded if security is enabled. Note, when security is disabled, no pluggable modules are loaded and clients are listened to in <i>Socket Transport Layer</i> as before.<br> <br></font></li> <li><font size="3" face="Times New Roman"><b><u>API</u></b>. It is suggested that the pluggable layer dynamically loads ssl provider modules and use the following API, which modules should provide: <ul> <li><font size="3" face="Times New Roman">int <b>sslInit</b>(log_service_t* logService, int portToListen) - initializes the module and opens provided port to listen to client's requests. logService - pointer to the structure providing common AC logging service. sslInit() returns 0 on success and -1 on initialization error;<br><br></font></li> <li><font size="3" face="Times New Roman">void* <b>sslAccept</b>() - accepts incoming insecure connection, initializes internal connection resources and returns a connection reference. Connection reference is a pointer to internal data of the pluggable module. It might be any structure or just an integer number;<br> <br></font></li> <li><font size="3" face="Times New Roman">int <b>sslHandshake</b>(void* con) - negotiates ssl connection over opened insecure connection. Returns 0 on success and -1 on error. Parameter con - connection reference given by sslAccept();<br><br></font></li> <li><font size="3" face="Times New Roman">int <b>sslRead</b>(void* con, char* buffer, int length) - reads data from the connection into provided buffer. Before sslHandshake() is called, sslRead() reads from plain insecure socket, after - uses ssl service to read. Returns the total number of bytes read into the buffer, or -1 on error;<br><br></font></li> <li><font size="3" face="Times New Roman">int <b>sslWrite</b>(void* con, char* buffer, int length) - writes data to the connection. Before sslHandshake() is called, sslWrite() writes to the plain insecure socket, after - using ssl service. Returns the total number of written bytes, or -1 on error;<br><br> </font></li> <li><font size="3" face="Times New Roman">int <b>sslClose</b>(void* con) - closes connection and releases allocated connection resources;<br><br></font></li> <li><font size="3" face="Times New Roman">int <b>sslReset</b>() - closes server socket, releases all internal allocated resources;<br> <br></font></li> <li><font size="3" face="Times New Roman">void <b>sslSetValue</b>(const char* name, const char* value) – passes configuration information to the pluggable module;<br><br></font></li> <li><font size="3" face="Times New Roman">char* <b>sslGetValue</b>() - retrieves information from the pluggable layer;<br> <br></font></li> <li><font size="3" face="Times New Roman">char* <b>sslGetProviderName</b>() - provides ssl provider name and its version;<br> <br></font></li> </ul></font></li> <li><font size="3" face="Times New Roman"><b><u>Configuration</u></b>.<br> <ul><li><font size="3" face="Times New Roman">all configuration information is stored in AC’s configuration file serviceconfig.xml in parent tags <TransportLayer loadlib=”socketTL”..><Configuration>… </Configuration></TransportLayer></font></li> <li><font size="3" face="Times New Roman">AC recognizes and processes the two following configuration tags: <ul><li><font size="3" face="Times New Roman"><SecurityEnabled>true</SecurityEnabled> - enabling security, security is disabled by default;</font></li> <li><font size="3" face="Times New Roman"><SSLproviderLib>library name</SSLproviderName> - library name of pluggable module to be dynamically loaded by the pluggable layer;</font></li> </ul></font> </li> <li><font size="3" face="Times New Roman">all other tags are assumed to be configuration parameters of pluggable module and passed to the module via sslSetValue() call; These parameters might include path to ssl key and certificate files, path to jvm library and so on;</font></li> </ul></font> </li> </ul> </div> </div> </body> </html>
View Attachment As Raw
Actions:
View
Attachments on
bug 195644
:
73419
|
73421
|
73422
|
73423
|
73425
|
73429
|
77241
|
77242
|
77243
|
80051
|
80132
|
80870
|
84612
| 84631
