Problem: ZAP is allowed to be configured incorrectly or not to work

Solution: if inproc://zeromq.zap.01 exists, which means ZAP is enabled, abort immediately if it cannot be used (eg: out of memory) or it is configured incorrectly (eg: wrong socket type). Otherwise authentication failures will simply be ignored and unauthorised peers will be allowed to slip in.

Problem: ZAP is allowed to be configured incorrectly or not to work
Solution: if inproc://zeromq.zap.01 exists, which means ZAP is enabled, abort immediately if it cannot be used (eg: out of memory) or it is configured incorrectly (eg: wrong socket type). Otherwise authentication failures will simply be ignored and unauthorised peers will be allowed to slip in.
33695d1d · Luca Boccassi · 10a9ba09 · 33695d1d · 33695d1d · 33695d1d
Commit 33695d1d authored Jun 13, 2017 by Luca Boccassi
Showing with 20 additions and 10 deletions

curve_server.cpp src/curve_server.cpp +3 -0

gssapi_server.cpp src/gssapi_server.cpp +2 -0

plain_server.cpp src/plain_server.cpp +3 -0

session_base.cpp src/session_base.cpp +12 -10

No files found.
--- a/src/curve_server.cpp
+++ b/src/curve_server.cpp
@@ -490,6 +490,9 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    zmq_assert (rc == 0);

    //  Use ZAP protocol (RFC 27) to authenticate the user.
+    //  Note that rc will be -1 only if ZAP is not set up (Stonehouse pattern -
+    //  encryption without authentication), but if it was requested and it does
+    //  not work properly the program will abort.
    rc = session->zap_connect ();
    if (rc != 0)
        return -1;

--- a/src/gssapi_server.cpp
+++ b/src/gssapi_server.cpp
@@ -120,6 +120,8 @@ int zmq::gssapi_server_t::process_handshake_command (msg_t *msg_)

    if (security_context_established) {
        //  Use ZAP protocol (RFC 27) to authenticate the user.
+        //  Note that rc will be -1 only if ZAP is not set up, but if it was
+        //  requested and it does not work properly the program will abort.
        int rc = session->zap_connect ();
        if (rc != 0)
            return -1;

--- a/src/plain_server.cpp
+++ b/src/plain_server.cpp
@@ -189,6 +189,9 @@ int zmq::plain_server_t::process_hello (msg_t *msg_)
    }

    //  Use ZAP protocol (RFC 27) to authenticate the user.
+    //  Note that there is no point to PLAIN if ZAP is not set up to handle the
+    //  username and password, so if ZAP is not configured it is considered a
+    //  failure.
    int rc = session->zap_connect ();
    if (rc != 0)
        return -1;

--- a/src/session_base.cpp
+++ b/src/session_base.cpp
@@ -315,6 +315,12 @@ void zmq::session_base_t::process_plug ()
        start_connecting (false);
 }

+//  This functions can return 0 on success or -1 and errno=ECONNREFUSED if ZAP
+//  is not setup (IE: inproc://zeromq.zap.01 does not exist in the same context)
+//  or it aborts on any other error. In other words, either ZAP is not
+//  configured or if it is configured it MUST be configured correctly and it
+//  MUST work, otherwise authentication cannot be guaranteed and it would be a
+//  security flaw.
 int zmq::session_base_t::zap_connect ()
 {
    zmq_assert (zap_pipe == NULL);
@@ -324,12 +330,9 @@ int zmq::session_base_t::zap_connect ()
        errno = ECONNREFUSED;
        return -1;
    }
-    if (peer.options.type != ZMQ_REP
-    &&  peer.options.type != ZMQ_ROUTER
-    &&  peer.options.type != ZMQ_SERVER) {
-        errno = ECONNREFUSED;
-        return -1;
-    }
+    zmq_assert (peer.options.type == ZMQ_REP ||
+            peer.options.type == ZMQ_ROUTER ||
+            peer.options.type == ZMQ_SERVER);

    //  Create a bi-directional pipe that will connect
    //  session with zap socket.
@@ -353,10 +356,9 @@ int zmq::session_base_t::zap_connect ()
        rc = id.init ();
        errno_assert (rc == 0);
        id.set_flags (msg_t::identity);
-        if (zap_pipe->write (&id))
-            zap_pipe->flush ();
-        else
-            return -1;
+        bool ok = zap_pipe->write (&id);
+        zmq_assert (ok);
+        zap_pipe->flush ();
    }

    return 0;