From 1445516c41de0a3942d2c3ed09017564b9a7723e Mon Sep 17 00:00:00 2001 From: Mike Gatny Date: Thu, 3 Oct 2013 13:43:20 -0500 Subject: [PATCH] Establishing GSSAPI sec context is working now --- configure.ac | 1 + src/gssapi_client.cpp | 182 +++++++---------- src/gssapi_client.hpp | 19 +- src/gssapi_mechanism_base.cpp | 47 ++++- src/gssapi_mechanism_base.hpp | 25 +++ src/gssapi_server.cpp | 373 +++++++--------------------------- src/gssapi_server.hpp | 27 +-- 7 files changed, 240 insertions(+), 434 deletions(-) diff --git a/configure.ac b/configure.ac index 96463fc1..db0e2847 100644 --- a/configure.ac +++ b/configure.ac @@ -305,6 +305,7 @@ else AC_CHECK_LIB([sodium], [sodium_init],,AC_MSG_WARN(libsodium is needed for CURVE security)) fi +AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],,AC_MSG_WARN(libgssapi_krb5 is needed for GSSAPI security)) # # Check if the compiler supports -fvisibility=hidden flag. MinGW32 uses __declspec diff --git a/src/gssapi_client.cpp b/src/gssapi_client.cpp index f04e0888..5ef45ffe 100644 --- a/src/gssapi_client.cpp +++ b/src/gssapi_client.cpp @@ -34,12 +34,24 @@ zmq::gssapi_client_t::gssapi_client_t (const options_t &options_) : gssapi_mechanism_base_t (), mechanism_t (options_), - state (sending_hello) + state (send_next_token), + token_ptr (GSS_C_NO_BUFFER), + mechs (), + security_context_established (false) { + maj_stat = GSS_S_COMPLETE; + service_name = strdup("host"); /// FIXME add service_name to options + mechs.elements = NULL; + mechs.count = 0; } zmq::gssapi_client_t::~gssapi_client_t () { + if(service_name) + free (service_name); + /// FIXME release this or not? + if(cred) + gss_release_cred(&min_stat, &cred); } int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_) @@ -47,24 +59,18 @@ int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_) int rc = 0; switch (state) { - case sending_hello: - rc = produce_hello (msg_); + case send_next_token: + rc = produce_next_token (msg_); if (rc == 0) - state = waiting_for_welcome; + state = recv_next_token; break; - case sending_initiate: - rc = produce_initiate (msg_); - if (rc == 0) - state = waiting_for_token; - break; - case sending_token: - rc = produce_token (msg_, 0, (char *) "o, hai!", 7); - if (rc == 0) - state = waiting_for_ready; //state = expecting_another_token? waiting_for_token: waiting_for_ready; + case almost_ready: + state = ready; break; default: errno = EAGAIN; rc = -1; + break; } return rc; } @@ -72,135 +78,99 @@ int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_) int zmq::gssapi_client_t::process_handshake_command (msg_t *msg_) { int rc = 0; - int flags = 0; - gss_buffer_desc buf; - buf.value = NULL; - buf.length = 0; switch (state) { - case waiting_for_welcome: - rc = process_welcome (msg_); + case recv_next_token: + rc = process_next_token (msg_); if (rc == 0) - state = sending_initiate; + state = security_context_established? almost_ready: send_next_token; break; - case waiting_for_token: - rc = process_token (msg_, flags, &buf.value, buf.length); - if (rc == 0) - state = sending_token; // state = expecting_another_token? sending_token: sending_ready; - break; - case waiting_for_ready: - rc = process_ready (msg_); - if (rc == 0) - state = ready; + case almost_ready: + state = ready; break; default: errno = EPROTO; rc = -1; break; } - - if (buf.value) { - free (buf.value); - } - if (rc == 0) { rc = msg_->close (); errno_assert (rc == 0); rc = msg_->init (); errno_assert (rc == 0); } - return rc; } bool zmq::gssapi_client_t::is_handshake_complete () const { + fprintf(stderr, "%s:%d: is_handshake_complete=%d, security_context_established=%d\n", __FILE__, __LINE__, (state==ready), security_context_established); /// FIXME remove return state == ready; } -int zmq::gssapi_client_t::produce_hello (msg_t *msg_) const +int zmq::gssapi_client_t::produce_next_token (msg_t *msg_) { - const std::string username = "admin"; - zmq_assert (username.length () < 256); + // First time through, import service_name into target_name + if (target_name == GSS_C_NO_NAME) { + send_tok.value = service_name; + send_tok.length = strlen(service_name); + OM_uint32 maj = gss_import_name(&min_stat, &send_tok, + gss_nt_service_name, &target_name); + + if (maj != GSS_S_COMPLETE) { + fprintf(stderr, "%s:%d: failed to import service name\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat); + return -1; + } + } - const std::string password = "secret"; - zmq_assert (password.length () < 256); + maj_stat = gss_init_sec_context(&init_sec_min_stat, cred, &context, + target_name, mechs.elements, + gss_flags, 0, NULL, token_ptr, NULL, + &send_tok, &ret_flags, NULL); - const size_t command_size = 6 + 1 + username.length () - + 1 + password.length (); - const int rc = msg_->init_size (command_size); - errno_assert (rc == 0); + if (token_ptr != GSS_C_NO_BUFFER) + free(recv_tok.value); + + if (send_tok.length != 0) { // server expects another token + fprintf(stderr, "%s:%d: producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat); + if (produce_token (msg_, TOKEN_CONTEXT, send_tok.value, send_tok.length) < 0) { + gss_release_buffer(&min_stat, &send_tok); + gss_release_name(&min_stat, &target_name); + return -1; + } + } + else + fprintf(stderr, "%s:%d: skip producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat); - unsigned char *ptr = static_cast (msg_->data ()); - memcpy (ptr, "\x05HELLO", 6); - ptr += 6; + gss_release_buffer(&min_stat, &send_tok); - *ptr++ = static_cast (username.length ()); - memcpy (ptr, username.c_str (), username.length ()); - ptr += username.length (); - - *ptr++ = static_cast (password.length ()); - memcpy (ptr, password.c_str (), password.length ()); - ptr += password.length (); - - return 0; -} - -int zmq::gssapi_client_t::process_welcome (msg_t *msg_) -{ - const unsigned char *ptr = static_cast (msg_->data ()); - size_t bytes_left = msg_->size (); - - if (bytes_left != 8 || memcmp (ptr, "\x07WELCOME", 8)) { - errno = EPROTO; + if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { + fprintf(stderr, "%s:%d: failed to create GSSAPI security context\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + gss_release_name(&min_stat, &target_name); + if (context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); return -1; } - return 0; -} - -int zmq::gssapi_client_t::produce_initiate (msg_t *msg_) const -{ - unsigned char * const command_buffer = (unsigned char *) malloc (512); - alloc_assert (command_buffer); - - unsigned char *ptr = command_buffer; - - // Add mechanism string - memcpy (ptr, "\x08INITIATE", 9); - ptr += 9; - - // Add socket type property - const char *socket_type = socket_type_string (options.type); - ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type)); - - // Add identity property - if (options.type == ZMQ_REQ - || options.type == ZMQ_DEALER - || options.type == ZMQ_ROUTER) { - ptr += add_property (ptr, "Identity", - options.identity, options.identity_size); - } - - const size_t command_size = ptr - command_buffer; - const int rc = msg_->init_size (command_size); - errno_assert (rc == 0); - memcpy (msg_->data (), command_buffer, command_size); - free (command_buffer); return 0; } -int zmq::gssapi_client_t::process_ready (msg_t *msg_) +int zmq::gssapi_client_t::process_next_token (msg_t *msg_) { - const unsigned char *ptr = static_cast (msg_->data ()); - size_t bytes_left = msg_->size (); - - if (bytes_left < 6 || memcmp (ptr, "\x05READY", 6)) { - errno = EPROTO; - return -1; + if (maj_stat == GSS_S_CONTINUE_NEEDED) { + fprintf(stderr, "%s:%d: processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat); + if (process_token(msg_, token_flags, &recv_tok.value, recv_tok.length) < 0) { + gss_release_name(&min_stat, &target_name); + return -1; + } + token_ptr = &recv_tok; } - ptr += 6; - bytes_left -= 6; - return parse_metadata (ptr, bytes_left); + else + fprintf(stderr, "%s:%d: skip processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat); + + if (maj_stat == GSS_S_COMPLETE) + security_context_established = true; + + return 0; } diff --git a/src/gssapi_client.hpp b/src/gssapi_client.hpp index c603703a..5613ce59 100644 --- a/src/gssapi_client.hpp +++ b/src/gssapi_client.hpp @@ -46,22 +46,19 @@ namespace zmq private: enum state_t { - sending_hello, - waiting_for_welcome, - sending_initiate, - sending_token, - waiting_for_token, - waiting_for_ready, + send_next_token, + recv_next_token, + almost_ready, ready }; state_t state; + gss_buffer_desc *token_ptr; + gss_OID_set_desc mechs; + bool security_context_established; - int produce_hello (msg_t *msg_) const; - int produce_initiate (msg_t *msg_) const; - - int process_welcome (msg_t *msg); - int process_ready (msg_t *msg_); + int produce_next_token (msg_t *msg_); + int process_next_token (msg_t *msg_); }; } diff --git a/src/gssapi_mechanism_base.cpp b/src/gssapi_mechanism_base.cpp index ea9a5bf6..3d8ed71e 100644 --- a/src/gssapi_mechanism_base.cpp +++ b/src/gssapi_mechanism_base.cpp @@ -31,12 +31,29 @@ #include "gssapi_mechanism_base.hpp" #include "wire.hpp" -zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t () +zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t () : + send_tok (), + recv_tok (), + in_buf (), + target_name (GSS_C_NO_NAME), + service_name (NULL), + maj_stat (GSS_S_COMPLETE), + min_stat (0), + init_sec_min_stat (0), + ret_flags (0), + gss_flags (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG), + token_flags (0), + cred (GSS_C_NO_CREDENTIAL), + context (GSS_C_NO_CONTEXT) { } zmq::gssapi_mechanism_base_t::~gssapi_mechanism_base_t () { + if(target_name) + gss_release_name(&min_stat, &target_name); + if(context) + gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); } int zmq::gssapi_mechanism_base_t::produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_) @@ -128,3 +145,31 @@ int zmq::gssapi_mechanism_base_t::process_token (msg_t *msg_, int &flags_, void return 0; } +int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss_cred_id_t * cred_) +{ + OM_uint32 maj_stat; + OM_uint32 min_stat; + gss_name_t server_name; + + gss_buffer_desc name_buf; + name_buf.value = service_name_; + name_buf.length = strlen ((char *) name_buf.value) + 1; + + maj_stat = gss_import_name (&min_stat, &name_buf, + gss_nt_service_name, &server_name); + + if (maj_stat != GSS_S_COMPLETE) + return -1; + + maj_stat = gss_acquire_cred (&min_stat, server_name, 0, + GSS_C_NO_OID_SET, GSS_C_ACCEPT, + cred_, NULL, NULL); + + if (maj_stat != GSS_S_COMPLETE) + return -1; + + gss_release_name(&min_stat, &server_name); + + return 0; +} + diff --git a/src/gssapi_mechanism_base.hpp b/src/gssapi_mechanism_base.hpp index b3b5ed0b..8beafda9 100644 --- a/src/gssapi_mechanism_base.hpp +++ b/src/gssapi_mechanism_base.hpp @@ -41,6 +41,31 @@ namespace zmq protected: int produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_); int process_token (msg_t *msg_, int &flags_, void **token_value_, size_t &token_length_); + static int acquire_credentials (char * service_name_, gss_cred_id_t * cred_); + + protected: + const static int TOKEN_NOOP = (1<<0); + const static int TOKEN_CONTEXT = (1<<1); + const static int TOKEN_DATA = (1<<2); + const static int TOKEN_MIC = (1<<3); + const static int TOKEN_CONTEXT_NEXT = (1<<4); + const static int TOKEN_WRAPPED = (1<<5); + const static int TOKEN_ENCRYPTED = (1<<6); + const static int TOKEN_SEND_MIC = (1<<7); + + gss_buffer_desc send_tok; + gss_buffer_desc recv_tok; + gss_buffer_desc in_buf; + gss_name_t target_name; + char * service_name; + OM_uint32 maj_stat; + OM_uint32 min_stat; + OM_uint32 init_sec_min_stat; + OM_uint32 ret_flags; + OM_uint32 gss_flags; + int token_flags; + gss_cred_id_t cred; + gss_ctx_id_t context; }; } diff --git a/src/gssapi_server.cpp b/src/gssapi_server.cpp index c19d0424..c09b898c 100644 --- a/src/gssapi_server.cpp +++ b/src/gssapi_server.cpp @@ -38,13 +38,25 @@ zmq::gssapi_server_t::gssapi_server_t (session_base_t *session_, mechanism_t (options_), session (session_), peer_address (peer_address_), - expecting_zap_reply (false), - state (waiting_for_hello) + state (recv_next_token), + security_context_established (false) { + service_name = (char *) "host"; /// FIXME add service_name to options + int rc = acquire_credentials (service_name, &cred); /// FIXME add creds to options too? + if (rc == 0) { + fprintf(stderr, "%s:%d: acquire creds successful\n", __FILE__, __LINE__); /// FIXME remove + maj_stat = GSS_S_CONTINUE_NEEDED; + } + else { + fprintf(stderr, "%s:%d: acquire creds failed\n", __FILE__, __LINE__); /// FIXME remove + maj_stat = GSS_S_FAILURE; + } } zmq::gssapi_server_t::~gssapi_server_t () { + if(cred) + gss_release_cred(&min_stat, &cred); } int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_) @@ -52,24 +64,18 @@ int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_) int rc = 0; switch (state) { - case sending_welcome: - rc = produce_welcome (msg_); + case send_next_token: + rc = produce_next_token (msg_); if (rc == 0) - state = waiting_for_initiate; + state = security_context_established? almost_ready: recv_next_token; break; - case sending_token: - rc = produce_token (msg_, 0, (char *) "kthx! bye!", 10); - if (rc == 0) - state = waiting_for_token; //state = expecting_another_token? waiting_for_token: waiting_for_ready; - break; - case sending_ready: - rc = produce_ready (msg_); - if (rc == 0) - state = ready; + case almost_ready: + state = ready; break; default: - errno = EAGAIN; + errno = EPROTO; rc = -1; + break; } return rc; } @@ -77,319 +83,94 @@ int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_) int zmq::gssapi_server_t::process_handshake_command (msg_t *msg_) { int rc = 0; - int flags = 0; - gss_buffer_desc buf; - buf.value = NULL; - buf.length = 0; switch (state) { - case waiting_for_hello: - rc = process_hello (msg_); + case recv_next_token: + rc = process_next_token (msg_); if (rc == 0) - state = expecting_zap_reply? waiting_for_zap_reply: sending_welcome; + state = send_next_token; break; - case waiting_for_initiate: - rc = process_initiate (msg_); - if (rc == 0) - state = sending_token; - break; - case waiting_for_token: - rc = process_token (msg_, flags, &buf.value, buf.length); - if (rc == 0) - state = sending_ready; // state = expecting_another_token? sending_token: sending_ready; + case almost_ready: + state = ready; break; default: - errno = EPROTO; + errno = EAGAIN; rc = -1; break; } - - if (buf.value) { - free (buf.value); - } - if (rc == 0) { rc = msg_->close (); errno_assert (rc == 0); rc = msg_->init (); errno_assert (rc == 0); } - return rc; } -bool zmq::gssapi_server_t::is_handshake_complete () const -{ - return state == ready; -} - int zmq::gssapi_server_t::zap_msg_available () { - if (state != waiting_for_zap_reply) { - errno = EFSM; - return -1; - } - const int rc = receive_and_process_zap_reply (); - if (rc == 0) - state = sending_welcome; - return rc; + return 0; } -int zmq::gssapi_server_t::process_hello (msg_t *msg_) +bool zmq::gssapi_server_t::is_handshake_complete () const { - const unsigned char *ptr = static_cast (msg_->data ()); - size_t bytes_left = msg_->size (); + fprintf(stderr, "%s:%d: is_handshake_complete=%d\n", __FILE__, __LINE__, (state==ready)); /// FIXME remove + return state == ready; +} - if (bytes_left < 6 || memcmp (ptr, "\x05HELLO", 6)) { - errno = EPROTO; - return -1; +int zmq::gssapi_server_t::produce_next_token (msg_t *msg_) +{ + if (send_tok.length != 0) { // client expects another token + fprintf(stderr, "%s:%d: producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + if (produce_token(msg_, TOKEN_CONTEXT, send_tok.value, send_tok.length) < 0) { + fprintf(stderr, "%s:%d: failed to produce token!\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + return -1; + } + gss_release_buffer(&min_stat, &send_tok); } - ptr += 6; - bytes_left -= 6; + else + fprintf(stderr, "%s:%d: skip producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); - if (bytes_left < 1) { - errno = EPROTO; - return -1; - } - const size_t username_length = static_cast (*ptr++); - bytes_left -= 1; - - if (bytes_left < username_length) { - errno = EPROTO; - return -1; - } - const std::string username = std::string ((char *) ptr, username_length); - ptr += username_length; - bytes_left -= username_length; - - if (bytes_left < 1) { - errno = EPROTO; - return -1; - } - const size_t password_length = static_cast (*ptr++); - bytes_left -= 1; - - if (bytes_left < password_length) { - errno = EPROTO; - return -1; - } - const std::string password = std::string ((char *) ptr, password_length); - ptr += password_length; - bytes_left -= password_length; - - if (bytes_left > 0) { - errno = EPROTO; + if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { + fprintf(stderr, "%s:%d: failed to create GSSAPI security context\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + gss_release_name(&min_stat, &target_name); + if (context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER); return -1; } - // Use ZAP protocol (RFC 27) to authenticate the user. - int rc = session->zap_connect (); - if (rc == 0) { - send_zap_request (username, password); - rc = receive_and_process_zap_reply (); - if (rc != 0) { - if (errno != EAGAIN) - return -1; - expecting_zap_reply = true; + if (maj_stat == GSS_S_COMPLETE) { + gss_release_name(&min_stat, &target_name); + security_context_established = true; + } + + return 0; +} + +int zmq::gssapi_server_t::process_next_token (msg_t *msg_) +{ + if (maj_stat == GSS_S_CONTINUE_NEEDED) { + fprintf(stderr, "%s:%d: processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + if (process_token(msg_, token_flags, &recv_tok.value, recv_tok.length) < 0) { + if (target_name != GSS_C_NO_NAME) + gss_release_name(&min_stat, &target_name); + fprintf(stderr, "%s:%d: failed to process token!\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + return -1; } } + else + fprintf(stderr, "%s:%d: skip processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat); + + maj_stat = gss_accept_sec_context(&init_sec_min_stat, &context, cred, + &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, + &target_name, &doid, &send_tok, + &ret_flags, NULL, NULL); + if (recv_tok.value) { + free (recv_tok.value); + recv_tok.value = NULL; + } + return 0; } -int zmq::gssapi_server_t::produce_welcome (msg_t *msg_) const -{ - const int rc = msg_->init_size (8); - errno_assert (rc == 0); - memcpy (msg_->data (), "\x07WELCOME", 8); - return 0; -} - -int zmq::gssapi_server_t::process_initiate (msg_t *msg_) -{ - const unsigned char *ptr = static_cast (msg_->data ()); - size_t bytes_left = msg_->size (); - - if (bytes_left < 9 || memcmp (ptr, "\x08INITIATE", 9)) { - errno = EPROTO; - return -1; - } - ptr += 9; - bytes_left -= 9; - return parse_metadata (ptr, bytes_left); -} - -int zmq::gssapi_server_t::produce_ready (msg_t *msg_) const -{ - unsigned char * const command_buffer = (unsigned char *) malloc (512); - alloc_assert (command_buffer); - - unsigned char *ptr = command_buffer; - - // Add command name - memcpy (ptr, "\x05READY", 6); - ptr += 6; - - // Add socket type property - const char *socket_type = socket_type_string (options.type); - ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type)); - - // Add identity property - if (options.type == ZMQ_REQ - || options.type == ZMQ_DEALER - || options.type == ZMQ_ROUTER) { - ptr += add_property (ptr, "Identity", - options.identity, options.identity_size); - } - - const size_t command_size = ptr - command_buffer; - const int rc = msg_->init_size (command_size); - errno_assert (rc == 0); - memcpy (msg_->data (), command_buffer, command_size); - free (command_buffer); - - return 0; -} - -void zmq::gssapi_server_t::send_zap_request (const std::string &username, - const std::string &password) -{ - int rc; - msg_t msg; - - // Address delimiter frame - rc = msg.init (); - errno_assert (rc == 0); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Version frame - rc = msg.init_size (3); - errno_assert (rc == 0); - memcpy (msg.data (), "1.0", 3); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Request id frame - rc = msg.init_size (1); - errno_assert (rc == 0); - memcpy (msg.data (), "1", 1); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Domain frame - rc = msg.init_size (options.zap_domain.length ()); - errno_assert (rc == 0); - memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ()); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Address frame - rc = msg.init_size (peer_address.length ()); - errno_assert (rc == 0); - memcpy (msg.data (), peer_address.c_str (), peer_address.length ()); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Identity frame - rc = msg.init_size (options.identity_size); - errno_assert (rc == 0); - memcpy (msg.data (), options.identity, options.identity_size); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Mechanism frame - rc = msg.init_size (6); - errno_assert (rc == 0); - memcpy (msg.data (), "GSSAPI", 6); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Username frame - rc = msg.init_size (username.length ()); - errno_assert (rc == 0); - memcpy (msg.data (), username.c_str (), username.length ()); - msg.set_flags (msg_t::more); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); - - // Password frame - rc = msg.init_size (password.length ()); - errno_assert (rc == 0); - memcpy (msg.data (), password.c_str (), password.length ()); - rc = session->write_zap_msg (&msg); - errno_assert (rc == 0); -} - -int zmq::gssapi_server_t::receive_and_process_zap_reply () -{ - int rc = 0; - msg_t msg [7]; // ZAP reply consists of 7 frames - - // Initialize all reply frames - for (int i = 0; i < 7; i++) { - rc = msg [i].init (); - errno_assert (rc == 0); - } - - for (int i = 0; i < 7; i++) { - rc = session->read_zap_msg (&msg [i]); - if (rc == -1) - break; - if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) { - errno = EPROTO; - rc = -1; - break; - } - } - - if (rc != 0) - goto error; - - // Address delimiter frame - if (msg [0].size () > 0) { - rc = -1; - errno = EPROTO; - goto error; - } - - // Version frame - if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) { - rc = -1; - errno = EPROTO; - goto error; - } - - // Request id frame - if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) { - rc = -1; - errno = EPROTO; - goto error; - } - - // Status code frame - if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) { - rc = -1; - errno = EACCES; - goto error; - } - - // Process metadata frame - rc = parse_metadata (static_cast (msg [6].data ()), - msg [6].size ()); - -error: - for (int i = 0; i < 7; i++) { - const int rc2 = msg [i].close (); - errno_assert (rc2 == 0); - } - - return rc; -} diff --git a/src/gssapi_server.hpp b/src/gssapi_server.hpp index ebe1c40d..492c77ec 100644 --- a/src/gssapi_server.hpp +++ b/src/gssapi_server.hpp @@ -50,34 +50,21 @@ namespace zmq private: enum state_t { - waiting_for_hello, - sending_welcome, - waiting_for_initiate, - sending_token, - waiting_for_token, - sending_ready, + send_next_token, + recv_next_token, waiting_for_zap_reply, + almost_ready, ready }; session_base_t * const session; - const std::string peer_address; - - // True iff we are awaiting reply from ZAP reply. - bool expecting_zap_reply; - state_t state; + bool security_context_established; + gss_OID doid; - int produce_welcome (msg_t *msg_) const; - int produce_ready (msg_t *msg_) const; - - int process_hello (msg_t *msg_); - int process_initiate (msg_t *msg_); - - void send_zap_request (const std::string &username, - const std::string &password); - int receive_and_process_zap_reply (); + int produce_next_token(msg_t *msg_); + int process_next_token(msg_t *msg_); }; }