misc/amqp/security.xml

<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="amqp.xsl"?>  <!DOCTYPE amqp SYSTEM "amqp.dtd"> <amqp xmlns="http://www.amqp.org/schema/amqp.xsd" name="security" label="working version"> <section name="security-layers" title="Security Layers" label="Security Layers"> <doc> Security Layers are used to establish an authenticated and/or encrypted transport over which regular AMQP traffic can be tunneled. Security Layers may be tunneled over one another (for instance a Security Layer used by the peers to do authentication may be tunneled over a Security Layer established for encryption purposes). The framing and protocol definitions for security layers are expected to be defined externally to the AMQP specification as in the case of TLS. An exception to this is the SASL security layer which depends on its host protocol to provide framing. Because of this we define the frames necessary for SASL to function in <xref name="sasl"/> below. When a security layer terminates (either before or after a secure tunnel is established), the TCP Connection MUST be closed by first shutting down the outgoing stream and then reading the incoming stream until it is terminated. </doc> </section> <section name="tls" title="TLS" label="TLS Security Layer"> <doc> To establish a TLS tunnel, each peer MUST start by sending a protocol header. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of two, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently <xref name="TLS-MAJOR"/>, <xref name="TLS-MINOR"/>, <xref name="TLS-REVISION"/>). In total this is an 8-octet sequence: <picture><![CDATA[ 4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d2 | major | minor | revision | +----------+---------+---------+---------+----------+ ]]> </picture> Other than using a protocol id of two, the exchange of TLS tunnel headers follows the same rules specified in the version negotiation section of the transport specification (See <xref name="version-negotiation"/>). </doc> <doc> The following diagram illustrates the interaction involved in creating a TLS Security Layer: <picture><![CDATA[ TCP Client TCP Server ========================================= AMQP%d2.1.0.0 ---------> <--------- AMQP%d2.1.0.0 : : <TLS negotiation> : : AMQP%d0.1.0.0 ---------> (over TLS secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open ]]> </picture> When the use of the TLS Security Layer is negotiated, the following rules apply: <ul> <li> The TLS client peer and TLS server peer are determined by the TCP client peer and TCP server peer respectively. </li> <li> The TLS client peer SHOULD use the server name indication extension as described in RFC-4366. If it does so, then it is implementation-specific what happens if this differs to hostname in the <xref type="type" name="sasl-init"/> and <xref type="type" name="open"/> frame frames. This field can be used by AMQP proxies to determine the correct back-end service to connect the client to, and to determine the domain to validate the client's credentials against if TLS client certificates are being used. </li> <li> The TLS client MUST validate the certificate presented by the TLS server. </li> <li> Implementations MAY choose to use TLS with unidirectional shutdown, i.e. an application initiating shutdown using close_notify is not obliged to wait for the peer to respond, and MAY close the write-half of the TCP socket. </li> </ul> </doc> <doc title="Alternative Establishment"> In certain situations, such as connecting through firewalls, it may not be possible to establish a TLS security layer using tunnelling. This might be because a deep packet inspecting firewall sees the first few bytes of the connection 'as not being TLS'. As an alternative, implementations MAY run a pure TLS server, i.e., one that does not expect the tunnel negotiation handshake. The IANA service name for this is amqps and the port is <xref name="SECURE-PORT"/> (5671). Implementations may also choose to run this pure TLS server on other ports, should this be operationally required (e.g. to tunnel through a legacy firewall that only expects TLS traffic on port 443). </doc> <definition name="TLS-MAJOR" value="1" label="major protocol version" /> <definition name="TLS-MINOR" value="0" label="minor protocol version" /> <definition name="TLS-REVISION" value="0" label="protocol revision" /> </section>  <section name="sasl" title="SASL" label="SASL Security Layer"> <doc> To establish a SASL tunnel, each peer MUST start by sending a protocol header. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of three, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently <xref name="SASL-MAJOR"/>, <xref name="SASL-MINOR"/>, <xref name="SASL-REVISION"/>). In total this is an 8-octet sequence: <picture><![CDATA[ 4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d3 | major | minor | revision | +----------+---------+---------+---------+----------+ ]]> </picture> Other than using a protocol id of three, the exchange of SASL tunnel headers follows the same rules specified in the version negotiation section of the transport specification (See <xref name="version-negotiation"/>). The following diagram illustrates the interaction involved in creating a SASL Security Layer: <picture><![CDATA[ TCP Client TCP Server ========================================= AMQP%d3.1.0.0 ---------> <--------- AMQP%d3.1.0.0 : : <SASL negotiation> : : AMQP%d0.1.0.0 ---------> (over SASL secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open ]]> </picture> </doc> <doc title="SASL Frames"> SASL is negotiated using <xref name="framing"/>. A SASL frame has a type code of 0x01. Bytes 6 and 7 of the header are ignored. Implementations SHOULD set these to 0x00. The extended header is ignored. Implementations SHOULD therefore set DOFF to 0x02. <picture title="SASL Frame"><![CDATA[ type: 0x01 - SASL frame +0 +1 +2 +3 +-----------------------------------+ -. 0 | SIZE | | +-----------------------------------+ |---> Frame Header 4 | DOFF | TYPE | <IGNORED>*1 | | (8 bytes) +-----------------------------------+ -' +-----------------------------------+ -. 8 | ... | | . . |---> Extended Header . <IGNORED>*2 . | (DOFF * 4 - 8) bytes | ... | | +-----------------------------------+ -' +-----------------------------------+ -. 4*DOFF | | | . . | . . | . Sasl Mechanisms / Sasl Init . | . Sasl Challenge / Sasl Response . |---> Frame Body . Sasl Outcome . | (SIZE - DOFF * 4) bytes . . | . . | . ________| | | ... | | +--------------------------+ -' *1 SHOULD be set to 0x0000 *2 Ignored, so DOFF should be set to 0x02 ]]> </picture> The maximum size of a SASL frame is defined by <xref name="MIN-MAX-FRAME-SIZE"/>. There is no mechanism within the SASL negotiation to negotiate a different size. The frame body of a SASL frame may contain exactly one AMQP type, whose type encoding must have <![CDATA[ provides="sasl-frame" ]]>. Receipt of an empty frame is an irrecoverable error. </doc> <doc title="SASL Negotiation"> The peer acting as the SASL Server must announce supported authentication mechanisms using the <xref name="sasl-mechanisms"/> frame. The partner must then choose one of the supported mechanisms and initiate a sasl exchange. <picture title="SASL Exchange"><![CDATA[ SASL Client SASL Server ================================ <-- SASL-MECHANISMS SASL-INIT --> ... <-- SASL-CHALLENGE * SASL-RESPONSE --> ... <-- SASL-OUTCOME -------------------------------- * Note that the SASL challenge/response step may occur zero or more times depending on the details of the SASL mechanism chosen. ]]> </picture> The peer playing the role of the SASL Client and the peer playing the role of the SASL server MUST correspond to the TCP client and server respectively. </doc> <doc title="Security Frame Bodies"/>  <type class="composite" name="sasl-mechanisms" source="list" provides="sasl-frame" label="advertise available sasl mechanisms"> <doc> Advertises the available SASL mechanisms that may be used for authentication. </doc> <descriptor name="amqp:sasl-mechanisms:list" code="0x00000000:0x00000040"/> <field name="sasl-server-mechanisms" type="symbol" multiple="true" mandatory="true" label="supported sasl mechanisms"> <doc> A list of the sasl security mechanisms supported by the sending peer. It is invalid for this list to be null or empty. If the sending peer does not require its partner to authenticate with it, then it should send a list of one element with its value as the SASL mechanism ANONYMOUS. The server mechanisms are ordered in decreasing level of preference. </doc> </field> </type>  <type class="composite" name="sasl-init" source="list" provides="sasl-frame" label="initiate sasl exchange"> <doc> Selects the sasl mechanism and provides the initial response if needed. </doc> <descriptor name="amqp:sasl-init:list" code="0x00000000:0x00000041"/> <field name="mechanism" type="symbol" label="selected security mechanism" mandatory="true"> <doc> The name of the SASL mechanism used for the SASL exchange. If the selected mechanism is not supported by the receiving peer, it MUST close the Connection with the authentication-failure close-code. Each peer MUST authenticate using the highest-level security profile it can handle from the list provided by the partner. </doc> </field> <field name="initial-response" type="binary" label="security response data"> <doc> A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism. </doc> </field> <field name="hostname" type="string" label="the name of the target host"> <doc> The DNS name of the host (either fully qualified or relative) to which the sending peer is connecting. It is not mandatory to provide the hostname. If no hostname is provided the receiving peer should select a default based on its own configuration. This field can be used by AMQP proxies to determine the correct back-end service to connect the client to, and to determine the domain to validate the client's credentials against. This field may already have been specified by the server name indication extension as described in RFC-4366, if a TLS layer is used, in which case this field SHOULD be null or contain the same value. It is undefined what a different value to those already specific means. </doc> </field> </type>  <type class="composite" name="sasl-challenge" source="list" provides="sasl-frame" label="security mechanism challenge"> <doc> Send the SASL challenge data as defined by the SASL specification. </doc> <descriptor name="amqp:sasl-challenge:list" code="0x00000000:0x00000042"/> <field name="challenge" type="binary" label="security challenge data" mandatory="true"> <doc> Challenge information, a block of opaque binary data passed to the security mechanism. </doc> </field> </type>  <type class="composite" name="sasl-response" source="list" provides="sasl-frame" label="security mechanism response"> <doc> Send the SASL response data as defined by the SASL specification. </doc> <descriptor name="amqp:sasl-response:list" code="0x00000000:0x00000043"/> <field name="response" type="binary" label="security response data" mandatory="true"> <doc> A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism. </doc> </field> </type>  <type class="composite" name="sasl-outcome" source="list" provides="sasl-frame" label="indicates the outcome of the sasl dialog"> <doc> This frame indicates the outcome of the SASL dialog. Upon successful completion of the SASL dialog the Security Layer has been established, and the peers must exchange protocol headers to either start a nested Security Layer, or to establish the AMQP Connection. </doc> <descriptor name="amqp:sasl-outcome:list" code="0x00000000:0x00000044"/> <field name="code" type="sasl-code" mandatory="true" label="indicates the outcome of the sasl dialog"> <doc> A reply-code indicating the outcome of the SASL dialog. </doc> </field> <field name="additional-data" type="binary" label="additional data as specified in RFC-4422"> <doc> The additional-data field carries additional data on successful authentication outcome as specified by the SASL specification (RFC-4422). If the authentication is unsuccessful, this field is not set. </doc> </field> </type> <type class="restricted" name="sasl-code" source="ubyte" label="codes to indicate the outcome of the sasl dialog"> <choice name="ok" value="0"> <doc> Connection authentication succeeded. </doc> </choice> <choice name="auth" value="1"> <doc> Connection authentication failed due to an unspecified problem with the supplied credentials. </doc> </choice> <choice name="sys" value="2"> <doc> Connection authentication failed due to a system error. </doc> </choice> <choice name="sys-perm" value="3"> <doc> Connection authentication failed due to a system error that is unlikely to be corrected without intervention. </doc> </choice> <choice name="sys-temp" value="4"> <doc> Connection authentication failed due to a transient system error. </doc> </choice> </type> <definition name="SASL-MAJOR" value="1" label="major protocol version" /> <definition name="SASL-MINOR" value="0" label="minor protocol version" /> <definition name="SASL-REVISION" value="0" label="protocol revision" /> </section> </amqp>

misc/amqp/security.xml (213 lines of code) (raw):