mirror of
				https://github.com/zeromq/libzmq.git
				synced 2025-10-25 10:09:38 +02:00 
			
		
		
		
	Fixed ZAP authentication
- if ZAP server returns anything except 200, connection is closed - all security tests now pass correctly - test_security_curve now does proper client key authentication using test key - test_security_plain now does proper password authentication
This commit is contained in:
		| @@ -588,24 +588,28 @@ int zmq::curve_server_t::receive_and_process_zap_reply () | |||||||
|  |  | ||||||
|     //  Address delimiter frame |     //  Address delimiter frame | ||||||
|     if (msg [0].size () > 0) { |     if (msg [0].size () > 0) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Version frame |     //  Version frame | ||||||
|     if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) { |     if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Request id frame |     //  Request id frame | ||||||
|     if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) { |     if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Status code frame |     //  Status code frame | ||||||
|     if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) { |     if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EACCES; |         errno = EACCES; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|   | |||||||
| @@ -439,24 +439,28 @@ int zmq::plain_mechanism_t::receive_and_process_zap_reply () | |||||||
|  |  | ||||||
|     //  Address delimiter frame |     //  Address delimiter frame | ||||||
|     if (msg [0].size () > 0) { |     if (msg [0].size () > 0) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Version frame |     //  Version frame | ||||||
|     if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) { |     if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Request id frame |     //  Request id frame | ||||||
|     if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) { |     if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EPROTO; |         errno = EPROTO; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     //  Status code frame |     //  Status code frame | ||||||
|     if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) { |     if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) { | ||||||
|  |         rc = -1; | ||||||
|         errno = EACCES; |         errno = EACCES; | ||||||
|         goto error; |         goto error; | ||||||
|     } |     } | ||||||
|   | |||||||
| @@ -18,10 +18,17 @@ | |||||||
| */ | */ | ||||||
|  |  | ||||||
| #include "platform.hpp" | #include "platform.hpp" | ||||||
| #include "../include/zmq_utils.h" |  | ||||||
| #include <string.h> | #include <string.h> | ||||||
| #include <stdlib.h> | #include <stdlib.h> | ||||||
| #include "testutil.hpp" | #include "testutil.hpp" | ||||||
|  | #include "../include/zmq_utils.h" | ||||||
|  | #include "../src/z85_codec.hpp" | ||||||
|  |  | ||||||
|  | //  Test keys from the zmq_curve man page | ||||||
|  | static char client_public [] = "Yne@$w-vo<fVvi]a<NY6T1ed:M$fCG*[IaLV{hID"; | ||||||
|  | static char client_secret [] = "D:)Q[IlAW!ahhC2ac:9*A}h:p?([4%wOTJ%JR%cs"; | ||||||
|  | static char server_public [] = "rq:rM>}U?@Lns47E1%kR.o@n%FcmmsL/@{H8]yf7"; | ||||||
|  | static char server_secret [] = "JTKVSB%%)wK0E.X)V>+}o?pNmC{O&4W4b!Ni{Lh6"; | ||||||
|  |  | ||||||
| static void zap_handler (void *ctx) | static void zap_handler (void *ctx) | ||||||
| { | { | ||||||
| @@ -42,7 +49,12 @@ static void zap_handler (void *ctx) | |||||||
|         char *address = s_recv (zap); |         char *address = s_recv (zap); | ||||||
|         char *identity = s_recv (zap); |         char *identity = s_recv (zap); | ||||||
|         char *mechanism = s_recv (zap); |         char *mechanism = s_recv (zap); | ||||||
|         char *client_key = s_recv (zap); |         uint8_t client_key [32]; | ||||||
|  |         int size = zmq_recv (zap, client_key, 32, 0); | ||||||
|  |         assert (size == 32); | ||||||
|  |  | ||||||
|  |         char client_key_text [40]; | ||||||
|  |         Z85_encode (client_key_text, client_key, 32); | ||||||
|  |  | ||||||
|         assert (streq (version, "1.0")); |         assert (streq (version, "1.0")); | ||||||
|         assert (streq (mechanism, "CURVE")); |         assert (streq (mechanism, "CURVE")); | ||||||
| @@ -50,18 +62,25 @@ static void zap_handler (void *ctx) | |||||||
|  |  | ||||||
|         s_sendmore (zap, version); |         s_sendmore (zap, version); | ||||||
|         s_sendmore (zap, sequence); |         s_sendmore (zap, sequence); | ||||||
|  |          | ||||||
|  |         if (streq (client_key_text, client_public)) { | ||||||
|             s_sendmore (zap, "200"); |             s_sendmore (zap, "200"); | ||||||
|             s_sendmore (zap, "OK"); |             s_sendmore (zap, "OK"); | ||||||
|             s_sendmore (zap, "anonymous"); |             s_sendmore (zap, "anonymous"); | ||||||
|             s_send (zap, ""); |             s_send (zap, ""); | ||||||
|          |         } | ||||||
|  |         else { | ||||||
|  |             s_sendmore (zap, "400"); | ||||||
|  |             s_sendmore (zap, "Invalid username or password"); | ||||||
|  |             s_sendmore (zap, ""); | ||||||
|  |             s_send (zap, ""); | ||||||
|  |         } | ||||||
|         free (version); |         free (version); | ||||||
|         free (sequence); |         free (sequence); | ||||||
|         free (domain); |         free (domain); | ||||||
|         free (address); |         free (address); | ||||||
|         free (identity); |         free (identity); | ||||||
|         free (mechanism); |         free (mechanism); | ||||||
|         free (client_key); |  | ||||||
|     } |     } | ||||||
|     rc = zmq_close (zap); |     rc = zmq_close (zap); | ||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
| @@ -81,12 +100,6 @@ int main (void) | |||||||
|     //  Spawn ZAP handler |     //  Spawn ZAP handler | ||||||
|     void *zap_thread = zmq_threadstart (&zap_handler, ctx); |     void *zap_thread = zmq_threadstart (&zap_handler, ctx); | ||||||
|  |  | ||||||
|     //  Test keys from the zmq_curve man page |  | ||||||
|     char client_public [] = "Yne@$w-vo<fVvi]a<NY6T1ed:M$fCG*[IaLV{hID"; |  | ||||||
|     char client_secret [] = "D:)Q[IlAW!ahhC2ac:9*A}h:p?([4%wOTJ%JR%cs"; |  | ||||||
|     char server_public [] = "rq:rM>}U?@Lns47E1%kR.o@n%FcmmsL/@{H8]yf7"; |  | ||||||
|     char server_secret [] = "JTKVSB%%)wK0E.X)V>+}o?pNmC{O&4W4b!Ni{Lh6"; |  | ||||||
|  |  | ||||||
|     //  Server socket will accept connections |     //  Server socket will accept connections | ||||||
|     void *server = zmq_socket (ctx, ZMQ_DEALER); |     void *server = zmq_socket (ctx, ZMQ_DEALER); | ||||||
|     assert (server); |     assert (server); | ||||||
| @@ -176,8 +189,7 @@ int main (void) | |||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|     rc = zmq_connect (client, "tcp://localhost:9998"); |     rc = zmq_connect (client, "tcp://localhost:9998"); | ||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|     //  TODO: does not handle ZAP failures properly |     expect_bounce_fail (server, client); | ||||||
|     //     expect_bounce_fail (server, client); |  | ||||||
|     close_zero_linger (client); |     close_zero_linger (client); | ||||||
|      |      | ||||||
|     //  Shutdown |     //  Shutdown | ||||||
|   | |||||||
| @@ -114,6 +114,18 @@ int main (void) | |||||||
|     rc = zmq_close (client); |     rc = zmq_close (client); | ||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|  |  | ||||||
|  |     //  Check PLAIN security with badly configured client (as_server) | ||||||
|  |     //  This will be caught by the plain_server class, not passed to ZAP | ||||||
|  |     client = zmq_socket (ctx, ZMQ_DEALER); | ||||||
|  |     assert (client); | ||||||
|  |     as_server = 1; | ||||||
|  |     rc = zmq_setsockopt (client, ZMQ_PLAIN_SERVER, &as_server, sizeof (int)); | ||||||
|  |     assert (rc == 0); | ||||||
|  |     rc = zmq_connect (client, "tcp://localhost:9998"); | ||||||
|  |     assert (rc == 0); | ||||||
|  |     expect_bounce_fail (server, client); | ||||||
|  |     close_zero_linger (client); | ||||||
|  |      | ||||||
|     //  Check PLAIN security -- failed authentication |     //  Check PLAIN security -- failed authentication | ||||||
|     client = zmq_socket (ctx, ZMQ_DEALER); |     client = zmq_socket (ctx, ZMQ_DEALER); | ||||||
|     assert (client); |     assert (client); | ||||||
| @@ -125,20 +137,7 @@ int main (void) | |||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|     rc = zmq_connect (client, "tcp://localhost:9998"); |     rc = zmq_connect (client, "tcp://localhost:9998"); | ||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|     //  TODO: this does not fail as it should |     expect_bounce_fail (server, client); | ||||||
|     //     expect_bounce_fail (server, client); |  | ||||||
|     close_zero_linger (client); |  | ||||||
|  |  | ||||||
|     //  Check PLAIN security with badly configured client (as_server) |  | ||||||
|     client = zmq_socket (ctx, ZMQ_DEALER); |  | ||||||
|     assert (client); |  | ||||||
|     as_server = 1; |  | ||||||
|     rc = zmq_setsockopt (client, ZMQ_PLAIN_SERVER, &as_server, sizeof (int)); |  | ||||||
|     assert (rc == 0); |  | ||||||
|     rc = zmq_connect (client, "tcp://localhost:9998"); |  | ||||||
|     assert (rc == 0); |  | ||||||
|     //  TODO: this does not fail as it should |  | ||||||
|     //     expect_bounce_fail (server, client); |  | ||||||
|     close_zero_linger (client); |     close_zero_linger (client); | ||||||
|  |  | ||||||
|     //  Shutdown |     //  Shutdown | ||||||
|   | |||||||
| @@ -102,18 +102,19 @@ expect_bounce_fail (void *server, void *client) | |||||||
|     int timeout = 150; |     int timeout = 150; | ||||||
|     rc = zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (int)); |     rc = zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (int)); | ||||||
|     assert (rc == 0); |     assert (rc == 0); | ||||||
|     rc = zmq_setsockopt (client, ZMQ_RCVTIMEO, &timeout, sizeof (int)); |  | ||||||
|     assert (rc == 0); |  | ||||||
|      |  | ||||||
|     rc = zmq_recv (server, buffer, 32, 0); |     rc = zmq_recv (server, buffer, 32, 0); | ||||||
|     assert (rc == -1); |     assert (rc == -1); | ||||||
|     assert (zmq_errno () == EAGAIN); |     assert (zmq_errno () == EAGAIN); | ||||||
|  |  | ||||||
|  |     //  Send message from server to client to test other direction | ||||||
|     rc = zmq_send (server, content, 32, ZMQ_SNDMORE); |     rc = zmq_send (server, content, 32, ZMQ_SNDMORE); | ||||||
|     assert (rc == 32); |     assert (rc == 32); | ||||||
|     rc = zmq_send (server, content, 32, 0); |     rc = zmq_send (server, content, 32, 0); | ||||||
|     assert (rc == 32); |     assert (rc == 32); | ||||||
|  |  | ||||||
|  |     //  Receive message at client side (should not succeed) | ||||||
|  |     rc = zmq_setsockopt (client, ZMQ_RCVTIMEO, &timeout, sizeof (int)); | ||||||
|  |     assert (rc == 0); | ||||||
|     rc = zmq_recv (client, buffer, 32, 0); |     rc = zmq_recv (client, buffer, 32, 0); | ||||||
|     assert (rc == -1); |     assert (rc == -1); | ||||||
|     assert (zmq_errno () == EAGAIN); |     assert (zmq_errno () == EAGAIN); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Pieter Hintjens
					Pieter Hintjens