generic-library/libzmq
1
0
Fork 0
mirror of https://github.com/zeromq/libzmq.git synced 2024-12-12 18:40:27 +01:00
Code Issues Projects Releases Wiki Activity

Establishing GSSAPI sec context is working now

Browse Source
This commit is contained in:
Mike Gatny 2013-10-03 13:43:20 -05:00 committed by Chris Busbey
parent 6290ba168f
commit 1445516c41
7 changed files with 240 additions and 434 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
configure.ac
View File

@ -305,6 +305,7 @@ else
AC_CHECK_LIB([sodium], [sodium_init],,AC_MSG_WARN(libsodium is needed for CURVE security)) AC_CHECK_LIB([sodium], [sodium_init],,AC_MSG_WARN(libsodium is needed for CURVE security))
fi fi
AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],,AC_MSG_WARN(libgssapi_krb5 is needed for GSSAPI security))
# #
# Check if the compiler supports -fvisibility=hidden flag. MinGW32 uses __declspec # Check if the compiler supports -fvisibility=hidden flag. MinGW32 uses __declspec

182
src/gssapi_client.cpp
View File

@ -34,12 +34,24 @@
zmq::gssapi_client_t::gssapi_client_t (const options_t &options_) : zmq::gssapi_client_t::gssapi_client_t (const options_t &options_) :
gssapi_mechanism_base_t (), gssapi_mechanism_base_t (),
mechanism_t (options_), mechanism_t (options_),
state (sending_hello) state (send_next_token),
token_ptr (GSS_C_NO_BUFFER),
mechs (),
security_context_established (false)
{ {
maj_stat = GSS_S_COMPLETE;
service_name = strdup("host"); /// FIXME add service_name to options
mechs.elements = NULL;
mechs.count = 0;
} }
zmq::gssapi_client_t::~gssapi_client_t () zmq::gssapi_client_t::~gssapi_client_t ()
{ {
if(service_name)
free (service_name);
/// FIXME release this or not?
if(cred)
gss_release_cred(&min_stat, &cred);
} }
int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_) int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_)
@ -47,24 +59,18 @@ int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_)
int rc = 0; int rc = 0;
switch (state) { switch (state) {
case sending_hello: case send_next_token:
rc = produce_hello (msg_); rc = produce_next_token (msg_);
if (rc == 0) if (rc == 0)
state = waiting_for_welcome; state = recv_next_token;
break; break;
case sending_initiate: case almost_ready:
rc = produce_initiate (msg_); state = ready;
if (rc == 0)
state = waiting_for_token;
break;
case sending_token:
rc = produce_token (msg_, 0, (char *) "o, hai!", 7);
if (rc == 0)
state = waiting_for_ready; //state = expecting_another_token? waiting_for_token: waiting_for_ready;
break; break;
default: default:
errno = EAGAIN; errno = EAGAIN;
rc = -1; rc = -1;
break;
} }
return rc; return rc;
} }
@ -72,135 +78,99 @@ int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_)
int zmq::gssapi_client_t::process_handshake_command (msg_t *msg_) int zmq::gssapi_client_t::process_handshake_command (msg_t *msg_)
{ {
int rc = 0; int rc = 0;
int flags = 0;
gss_buffer_desc buf;
buf.value = NULL;
buf.length = 0;
switch (state) { switch (state) {
case waiting_for_welcome: case recv_next_token:
rc = process_welcome (msg_); rc = process_next_token (msg_);
if (rc == 0) if (rc == 0)
state = sending_initiate; state = security_context_established? almost_ready: send_next_token;
break; break;
case waiting_for_token: case almost_ready:
rc = process_token (msg_, flags, &buf.value, buf.length); state = ready;
if (rc == 0)
state = sending_token; // state = expecting_another_token? sending_token: sending_ready;
break;
case waiting_for_ready:
rc = process_ready (msg_);
if (rc == 0)
state = ready;
break; break;
default: default:
errno = EPROTO; errno = EPROTO;
rc = -1; rc = -1;
break; break;
} }
if (buf.value) {
free (buf.value);
}
if (rc == 0) { if (rc == 0) {
rc = msg_->close (); rc = msg_->close ();
errno_assert (rc == 0); errno_assert (rc == 0);
rc = msg_->init (); rc = msg_->init ();
errno_assert (rc == 0); errno_assert (rc == 0);
} }
return rc; return rc;
} }
bool zmq::gssapi_client_t::is_handshake_complete () const bool zmq::gssapi_client_t::is_handshake_complete () const
{ {
fprintf(stderr, "%s:%d: is_handshake_complete=%d, security_context_established=%d\n", __FILE__, __LINE__, (state==ready), security_context_established); /// FIXME remove
return state == ready; return state == ready;
} }
int zmq::gssapi_client_t::produce_hello (msg_t *msg_) const int zmq::gssapi_client_t::produce_next_token (msg_t *msg_)
{ {
const std::string username = "admin"; // First time through, import service_name into target_name
zmq_assert (username.length () < 256); if (target_name == GSS_C_NO_NAME) {
send_tok.value = service_name;
send_tok.length = strlen(service_name);
OM_uint32 maj = gss_import_name(&min_stat, &send_tok,
gss_nt_service_name, &target_name);
if (maj != GSS_S_COMPLETE) {
fprintf(stderr, "%s:%d: failed to import service name\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
return -1;
}
}
const std::string password = "secret"; maj_stat = gss_init_sec_context(&init_sec_min_stat, cred, &context,
zmq_assert (password.length () < 256); target_name, mechs.elements,
gss_flags, 0, NULL, token_ptr, NULL,
&send_tok, &ret_flags, NULL);
const size_t command_size = 6 + 1 + username.length () if (token_ptr != GSS_C_NO_BUFFER)
+ 1 + password.length (); free(recv_tok.value);
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0); if (send_tok.length != 0) { // server expects another token
fprintf(stderr, "%s:%d: producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
if (produce_token (msg_, TOKEN_CONTEXT, send_tok.value, send_tok.length) < 0) {
gss_release_buffer(&min_stat, &send_tok);
gss_release_name(&min_stat, &target_name);
return -1;
}
}
else
fprintf(stderr, "%s:%d: skip producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
unsigned char *ptr = static_cast <unsigned char *> (msg_->data ()); gss_release_buffer(&min_stat, &send_tok);
memcpy (ptr, "\x05HELLO", 6);
ptr += 6;
*ptr++ = static_cast <unsigned char> (username.length ()); if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
memcpy (ptr, username.c_str (), username.length ()); fprintf(stderr, "%s:%d: failed to create GSSAPI security context\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
ptr += username.length (); gss_release_name(&min_stat, &target_name);
if (context != GSS_C_NO_CONTEXT)
*ptr++ = static_cast <unsigned char> (password.length ()); gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
memcpy (ptr, password.c_str (), password.length ());
ptr += password.length ();
return 0;
}
int zmq::gssapi_client_t::process_welcome (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left != 8 || memcmp (ptr, "\x07WELCOME", 8)) {
errno = EPROTO;
return -1; return -1;
} }
return 0;
}
int zmq::gssapi_client_t::produce_initiate (msg_t *msg_) const
{
unsigned char * const command_buffer = (unsigned char *) malloc (512);
alloc_assert (command_buffer);
unsigned char *ptr = command_buffer;
// Add mechanism string
memcpy (ptr, "\x08INITIATE", 9);
ptr += 9;
// Add socket type property
const char *socket_type = socket_type_string (options.type);
ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type));
// Add identity property
if (options.type == ZMQ_REQ
|| options.type == ZMQ_DEALER
|| options.type == ZMQ_ROUTER) {
ptr += add_property (ptr, "Identity",
options.identity, options.identity_size);
}
const size_t command_size = ptr - command_buffer;
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
memcpy (msg_->data (), command_buffer, command_size);
free (command_buffer);
return 0; return 0;
} }
int zmq::gssapi_client_t::process_ready (msg_t *msg_) int zmq::gssapi_client_t::process_next_token (msg_t *msg_)
{ {
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ()); if (maj_stat == GSS_S_CONTINUE_NEEDED) {
size_t bytes_left = msg_->size (); fprintf(stderr, "%s:%d: processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
if (process_token(msg_, token_flags, &recv_tok.value, recv_tok.length) < 0) {
if (bytes_left < 6 || memcmp (ptr, "\x05READY", 6)) { gss_release_name(&min_stat, &target_name);
errno = EPROTO; return -1;
return -1; }
token_ptr = &recv_tok;
} }
ptr += 6; else
bytes_left -= 6; fprintf(stderr, "%s:%d: skip processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
return parse_metadata (ptr, bytes_left);
if (maj_stat == GSS_S_COMPLETE)
security_context_established = true;
return 0;
} }

19
src/gssapi_client.hpp
View File

@ -46,22 +46,19 @@ namespace zmq
private: private:
enum state_t { enum state_t {
sending_hello, send_next_token,
waiting_for_welcome, recv_next_token,
sending_initiate, almost_ready,
sending_token,
waiting_for_token,
waiting_for_ready,
ready ready
}; };
state_t state; state_t state;
gss_buffer_desc *token_ptr;
gss_OID_set_desc mechs;
bool security_context_established;
int produce_hello (msg_t *msg_) const; int produce_next_token (msg_t *msg_);
int produce_initiate (msg_t *msg_) const; int process_next_token (msg_t *msg_);
int process_welcome (msg_t *msg);
int process_ready (msg_t *msg_);
}; };
} }

47
src/gssapi_mechanism_base.cpp
View File

@ -31,12 +31,29 @@
#include "gssapi_mechanism_base.hpp" #include "gssapi_mechanism_base.hpp"
#include "wire.hpp" #include "wire.hpp"
zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t () zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t () :
send_tok (),
recv_tok (),
in_buf (),
target_name (GSS_C_NO_NAME),
service_name (NULL),
maj_stat (GSS_S_COMPLETE),
min_stat (0),
init_sec_min_stat (0),
ret_flags (0),
gss_flags (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG),
token_flags (0),
cred (GSS_C_NO_CREDENTIAL),
context (GSS_C_NO_CONTEXT)
{ {
} }
zmq::gssapi_mechanism_base_t::~gssapi_mechanism_base_t () zmq::gssapi_mechanism_base_t::~gssapi_mechanism_base_t ()
{ {
if(target_name)
gss_release_name(&min_stat, &target_name);
if(context)
gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
} }
int zmq::gssapi_mechanism_base_t::produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_) int zmq::gssapi_mechanism_base_t::produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_)
@ -128,3 +145,31 @@ int zmq::gssapi_mechanism_base_t::process_token (msg_t *msg_, int &flags_, void
return 0; return 0;
} }
int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss_cred_id_t * cred_)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
gss_name_t server_name;
gss_buffer_desc name_buf;
name_buf.value = service_name_;
name_buf.length = strlen ((char *) name_buf.value) + 1;
maj_stat = gss_import_name (&min_stat, &name_buf,
gss_nt_service_name, &server_name);
if (maj_stat != GSS_S_COMPLETE)
return -1;
maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
cred_, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE)
return -1;
gss_release_name(&min_stat, &server_name);
return 0;
}

25
src/gssapi_mechanism_base.hpp
View File

@ -41,6 +41,31 @@ namespace zmq
protected: protected:
int produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_); int produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_);
int process_token (msg_t *msg_, int &flags_, void **token_value_, size_t &token_length_); int process_token (msg_t *msg_, int &flags_, void **token_value_, size_t &token_length_);
static int acquire_credentials (char * service_name_, gss_cred_id_t * cred_);
protected:
const static int TOKEN_NOOP = (1<<0);
const static int TOKEN_CONTEXT = (1<<1);
const static int TOKEN_DATA = (1<<2);
const static int TOKEN_MIC = (1<<3);
const static int TOKEN_CONTEXT_NEXT = (1<<4);
const static int TOKEN_WRAPPED = (1<<5);
const static int TOKEN_ENCRYPTED = (1<<6);
const static int TOKEN_SEND_MIC = (1<<7);
gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc in_buf;
gss_name_t target_name;
char * service_name;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 init_sec_min_stat;
OM_uint32 ret_flags;
OM_uint32 gss_flags;
int token_flags;
gss_cred_id_t cred;
gss_ctx_id_t context;
}; };
} }

373
src/gssapi_server.cpp
View File

@ -38,13 +38,25 @@ zmq::gssapi_server_t::gssapi_server_t (session_base_t *session_,
mechanism_t (options_), mechanism_t (options_),
session (session_), session (session_),
peer_address (peer_address_), peer_address (peer_address_),
expecting_zap_reply (false), state (recv_next_token),
state (waiting_for_hello) security_context_established (false)
{ {
service_name = (char *) "host"; /// FIXME add service_name to options
int rc = acquire_credentials (service_name, &cred); /// FIXME add creds to options too?
if (rc == 0) {
fprintf(stderr, "%s:%d: acquire creds successful\n", __FILE__, __LINE__); /// FIXME remove
maj_stat = GSS_S_CONTINUE_NEEDED;
}
else {
fprintf(stderr, "%s:%d: acquire creds failed\n", __FILE__, __LINE__); /// FIXME remove
maj_stat = GSS_S_FAILURE;
}
} }
zmq::gssapi_server_t::~gssapi_server_t () zmq::gssapi_server_t::~gssapi_server_t ()
{ {
if(cred)
gss_release_cred(&min_stat, &cred);
} }
int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_) int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_)
@ -52,24 +64,18 @@ int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_)
int rc = 0; int rc = 0;
switch (state) { switch (state) {
case sending_welcome: case send_next_token:
rc = produce_welcome (msg_); rc = produce_next_token (msg_);
if (rc == 0) if (rc == 0)
state = waiting_for_initiate; state = security_context_established? almost_ready: recv_next_token;
break; break;
case sending_token: case almost_ready:
rc = produce_token (msg_, 0, (char *) "kthx! bye!", 10); state = ready;
if (rc == 0)
state = waiting_for_token; //state = expecting_another_token? waiting_for_token: waiting_for_ready;
break;
case sending_ready:
rc = produce_ready (msg_);
if (rc == 0)
state = ready;
break; break;
default: default:
errno = EAGAIN; errno = EPROTO;
rc = -1; rc = -1;
break;
} }
return rc; return rc;
} }
@ -77,319 +83,94 @@ int zmq::gssapi_server_t::next_handshake_command (msg_t *msg_)
int zmq::gssapi_server_t::process_handshake_command (msg_t *msg_) int zmq::gssapi_server_t::process_handshake_command (msg_t *msg_)
{ {
int rc = 0; int rc = 0;
int flags = 0;
gss_buffer_desc buf;
buf.value = NULL;
buf.length = 0;
switch (state) { switch (state) {
case waiting_for_hello: case recv_next_token:
rc = process_hello (msg_); rc = process_next_token (msg_);
if (rc == 0) if (rc == 0)
state = expecting_zap_reply? waiting_for_zap_reply: sending_welcome; state = send_next_token;
break; break;
case waiting_for_initiate: case almost_ready:
rc = process_initiate (msg_); state = ready;
if (rc == 0)
state = sending_token;
break;
case waiting_for_token:
rc = process_token (msg_, flags, &buf.value, buf.length);
if (rc == 0)
state = sending_ready; // state = expecting_another_token? sending_token: sending_ready;
break; break;
default: default:
errno = EPROTO; errno = EAGAIN;
rc = -1; rc = -1;
break; break;
} }
if (buf.value) {
free (buf.value);
}
if (rc == 0) { if (rc == 0) {
rc = msg_->close (); rc = msg_->close ();
errno_assert (rc == 0); errno_assert (rc == 0);
rc = msg_->init (); rc = msg_->init ();
errno_assert (rc == 0); errno_assert (rc == 0);
} }
return rc; return rc;
} }
bool zmq::gssapi_server_t::is_handshake_complete () const
{
return state == ready;
}
int zmq::gssapi_server_t::zap_msg_available () int zmq::gssapi_server_t::zap_msg_available ()
{ {
if (state != waiting_for_zap_reply) { return 0;
errno = EFSM;
return -1;
}
const int rc = receive_and_process_zap_reply ();
if (rc == 0)
state = sending_welcome;
return rc;
} }
int zmq::gssapi_server_t::process_hello (msg_t *msg_) bool zmq::gssapi_server_t::is_handshake_complete () const
{ {
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ()); fprintf(stderr, "%s:%d: is_handshake_complete=%d\n", __FILE__, __LINE__, (state==ready)); /// FIXME remove
size_t bytes_left = msg_->size (); return state == ready;
}
if (bytes_left < 6 || memcmp (ptr, "\x05HELLO", 6)) { int zmq::gssapi_server_t::produce_next_token (msg_t *msg_)
errno = EPROTO; {
return -1; if (send_tok.length != 0) { // client expects another token
fprintf(stderr, "%s:%d: producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
if (produce_token(msg_, TOKEN_CONTEXT, send_tok.value, send_tok.length) < 0) {
fprintf(stderr, "%s:%d: failed to produce token!\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
return -1;
}
gss_release_buffer(&min_stat, &send_tok);
} }
ptr += 6; else
bytes_left -= 6; fprintf(stderr, "%s:%d: skip producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
if (bytes_left < 1) { if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
errno = EPROTO; fprintf(stderr, "%s:%d: failed to create GSSAPI security context\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
return -1; gss_release_name(&min_stat, &target_name);
} if (context != GSS_C_NO_CONTEXT)
const size_t username_length = static_cast <size_t> (*ptr++); gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
bytes_left -= 1;
if (bytes_left < username_length) {
errno = EPROTO;
return -1;
}
const std::string username = std::string ((char *) ptr, username_length);
ptr += username_length;
bytes_left -= username_length;
if (bytes_left < 1) {
errno = EPROTO;
return -1;
}
const size_t password_length = static_cast <size_t> (*ptr++);
bytes_left -= 1;
if (bytes_left < password_length) {
errno = EPROTO;
return -1;
}
const std::string password = std::string ((char *) ptr, password_length);
ptr += password_length;
bytes_left -= password_length;
if (bytes_left > 0) {
errno = EPROTO;
return -1; return -1;
} }
// Use ZAP protocol (RFC 27) to authenticate the user. if (maj_stat == GSS_S_COMPLETE) {
int rc = session->zap_connect (); gss_release_name(&min_stat, &target_name);
if (rc == 0) { security_context_established = true;
send_zap_request (username, password); }
rc = receive_and_process_zap_reply ();
if (rc != 0) { return 0;
if (errno != EAGAIN) }
return -1;
expecting_zap_reply = true; int zmq::gssapi_server_t::process_next_token (msg_t *msg_)
{
if (maj_stat == GSS_S_CONTINUE_NEEDED) {
fprintf(stderr, "%s:%d: processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
if (process_token(msg_, token_flags, &recv_tok.value, recv_tok.length) < 0) {
if (target_name != GSS_C_NO_NAME)
gss_release_name(&min_stat, &target_name);
fprintf(stderr, "%s:%d: failed to process token!\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
return -1;
} }
} }
else
fprintf(stderr, "%s:%d: skip processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
maj_stat = gss_accept_sec_context(&init_sec_min_stat, &context, cred,
&recv_tok, GSS_C_NO_CHANNEL_BINDINGS,
&target_name, &doid, &send_tok,
&ret_flags, NULL, NULL);
if (recv_tok.value) {
free (recv_tok.value);
recv_tok.value = NULL;
}
return 0; return 0;
} }
int zmq::gssapi_server_t::produce_welcome (msg_t *msg_) const
{
const int rc = msg_->init_size (8);
errno_assert (rc == 0);
memcpy (msg_->data (), "\x07WELCOME", 8);
return 0;
}
int zmq::gssapi_server_t::process_initiate (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left < 9 || memcmp (ptr, "\x08INITIATE", 9)) {
errno = EPROTO;
return -1;
}
ptr += 9;
bytes_left -= 9;
return parse_metadata (ptr, bytes_left);
}
int zmq::gssapi_server_t::produce_ready (msg_t *msg_) const
{
unsigned char * const command_buffer = (unsigned char *) malloc (512);
alloc_assert (command_buffer);
unsigned char *ptr = command_buffer;
// Add command name
memcpy (ptr, "\x05READY", 6);
ptr += 6;
// Add socket type property
const char *socket_type = socket_type_string (options.type);
ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type));
// Add identity property
if (options.type == ZMQ_REQ
|| options.type == ZMQ_DEALER
|| options.type == ZMQ_ROUTER) {
ptr += add_property (ptr, "Identity",
options.identity, options.identity_size);
}
const size_t command_size = ptr - command_buffer;
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
memcpy (msg_->data (), command_buffer, command_size);
free (command_buffer);
return 0;
}
void zmq::gssapi_server_t::send_zap_request (const std::string &username,
const std::string &password)
{
int rc;
msg_t msg;
// Address delimiter frame
rc = msg.init ();
errno_assert (rc == 0);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Version frame
rc = msg.init_size (3);
errno_assert (rc == 0);
memcpy (msg.data (), "1.0", 3);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Request id frame
rc = msg.init_size (1);
errno_assert (rc == 0);
memcpy (msg.data (), "1", 1);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Domain frame
rc = msg.init_size (options.zap_domain.length ());
errno_assert (rc == 0);
memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Address frame
rc = msg.init_size (peer_address.length ());
errno_assert (rc == 0);
memcpy (msg.data (), peer_address.c_str (), peer_address.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Identity frame
rc = msg.init_size (options.identity_size);
errno_assert (rc == 0);
memcpy (msg.data (), options.identity, options.identity_size);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Mechanism frame
rc = msg.init_size (6);
errno_assert (rc == 0);
memcpy (msg.data (), "GSSAPI", 6);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Username frame
rc = msg.init_size (username.length ());
errno_assert (rc == 0);
memcpy (msg.data (), username.c_str (), username.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Password frame
rc = msg.init_size (password.length ());
errno_assert (rc == 0);
memcpy (msg.data (), password.c_str (), password.length ());
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
}
int zmq::gssapi_server_t::receive_and_process_zap_reply ()
{
int rc = 0;
msg_t msg [7]; // ZAP reply consists of 7 frames
// Initialize all reply frames
for (int i = 0; i < 7; i++) {
rc = msg [i].init ();
errno_assert (rc == 0);
}
for (int i = 0; i < 7; i++) {
rc = session->read_zap_msg (&msg [i]);
if (rc == -1)
break;
if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) {
errno = EPROTO;
rc = -1;
break;
}
}
if (rc != 0)
goto error;
// Address delimiter frame
if (msg [0].size () > 0) {
rc = -1;
errno = EPROTO;
goto error;
}
// Version frame
if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) {
rc = -1;
errno = EPROTO;
goto error;
}
// Request id frame
if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) {
rc = -1;
errno = EPROTO;
goto error;
}
// Status code frame
if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) {
rc = -1;
errno = EACCES;
goto error;
}
// Process metadata frame
rc = parse_metadata (static_cast <const unsigned char*> (msg [6].data ()),
msg [6].size ());
error:
for (int i = 0; i < 7; i++) {
const int rc2 = msg [i].close ();
errno_assert (rc2 == 0);
}
return rc;
}

27
src/gssapi_server.hpp
View File

@ -50,34 +50,21 @@ namespace zmq
private: private:
enum state_t { enum state_t {
waiting_for_hello, send_next_token,
sending_welcome, recv_next_token,
waiting_for_initiate,
sending_token,
waiting_for_token,
sending_ready,
waiting_for_zap_reply, waiting_for_zap_reply,
almost_ready,
ready ready
}; };
session_base_t * const session; session_base_t * const session;
const std::string peer_address; const std::string peer_address;
// True iff we are awaiting reply from ZAP reply.
bool expecting_zap_reply;
state_t state; state_t state;
bool security_context_established;
gss_OID doid;
int produce_welcome (msg_t *msg_) const; int produce_next_token(msg_t *msg_);
int produce_ready (msg_t *msg_) const; int process_next_token(msg_t *msg_);
int process_hello (msg_t *msg_);
int process_initiate (msg_t *msg_);
void send_zap_request (const std::string &username,
const std::string &password);
int receive_and_process_zap_reply ();
}; };
} }