Added more scaffolding for security

- additional messages to help people debugging security errors

Added more scaffolding for security
- additional messages to help people debugging security errors
39ccfea0 · Pieter Hintjens · d1232d14 · 39ccfea0 · 39ccfea0 · 39ccfea0
Commit 39ccfea0 authored Apr 29, 2014 by Pieter Hintjens
6 changed files
--- a/src/curve_server.cpp
+++ b/src/curve_server.cpp
@@ -97,6 +97,8 @@ int zmq::curve_server_t::process_handshake_command (msg_t *msg_)
                state = errored;
            break;
        default:
+            //  Temporary support for security debugging
+            puts ("CURVE I: invalid handshake command");
            state = errored;
            errno = EPROTO;
            rc = -1;
@@ -166,12 +168,16 @@ int zmq::curve_server_t::decode (msg_t *msg_)
    zmq_assert (state == connected);
    if (msg_->size () < 33) {
+        //  Temporary support for security debugging
+        puts ("CURVE I: invalid CURVE client, sent malformed command");
        errno = EPROTO;
        return -1;
    }
    const uint8_t *message = static_cast <uint8_t *> (msg_->data ());
    if (memcmp (message, "\x07MESSAGE", 8)) {
+        //  Temporary support for security debugging
+        puts ("CURVE I: invalid CURVE client, did not send MESSAGE");
        errno = EPROTO;
        return -1;
    }
@@ -209,9 +215,11 @@ int zmq::curve_server_t::decode (msg_t *msg_)
                message_plaintext + crypto_box_ZEROBYTES + 1,
                msg_->size ());
    }
-    else
+    else {
+        //  Temporary support for security debugging
+        puts ("CURVE I: connection key used for MESSAGE is wrong");
        errno = EPROTO;
+    }
    free (message_plaintext);
    free (message_box);
@@ -238,7 +246,7 @@ bool zmq::curve_server_t::is_handshake_complete () const
 int zmq::curve_server_t::process_hello (msg_t *msg_)
 {
    if (msg_->size () != 200) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client HELLO is not correct size");
        errno = EPROTO;
        return -1;
@@ -246,7 +254,7 @@ int zmq::curve_server_t::process_hello (msg_t *msg_)
    const uint8_t * const hello = static_cast <uint8_t *> (msg_->data ());
    if (memcmp (hello, "\x05HELLO", 6)) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client HELLO has invalid command name");
        errno = EPROTO;
        return -1;
@@ -256,7 +264,7 @@ int zmq::curve_server_t::process_hello (msg_t *msg_)
    const uint8_t minor = hello [7];
    if (major != 1 || minor != 0) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client HELLO has unknown version number");
        errno = EPROTO;
        return -1;
@@ -280,7 +288,7 @@ int zmq::curve_server_t::process_hello (msg_t *msg_)
                              sizeof hello_box,
                              hello_nonce, cn_client, secret_key);
    if (rc != 0) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: cannot open client HELLO -- wrong server key?");
        errno = EPROTO;
        return -1;
@@ -352,7 +360,7 @@ int zmq::curve_server_t::produce_welcome (msg_t *msg_)
 int zmq::curve_server_t::process_initiate (msg_t *msg_)
 {
    if (msg_->size () < 257) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client INITIATE is not correct size");
        errno = EPROTO;
        return -1;
@@ -360,7 +368,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    const uint8_t *initiate = static_cast <uint8_t *> (msg_->data ());
    if (memcmp (initiate, "\x08INITIATE", 9)) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client INITIATE has invalid command name");
        errno = EPROTO;
        return -1;
@@ -381,7 +389,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
                                    sizeof cookie_box,
                                    cookie_nonce, cookie_key);
    if (rc != 0) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: cannot open client INITIATE cookie");
        errno = EPROTO;
        return -1;
@@ -390,7 +398,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    //  Check cookie plain text is as expected [C' + s']
    if (memcmp (cookie_plaintext + crypto_secretbox_ZEROBYTES, cn_client, 32)
    ||  memcmp (cookie_plaintext + crypto_secretbox_ZEROBYTES + 32, cn_secret, 32)) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: client INITIATE cookie is not valid");
        errno = EPROTO;
        return -1;
@@ -413,7 +421,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    rc = crypto_box_open (initiate_plaintext, initiate_box,
                          clen, initiate_nonce, cn_client, cn_secret);
    if (rc != 0) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: cannot open client INITIATE");
        errno = EPROTO;
        return -1;
@@ -438,7 +446,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
                          sizeof vouch_box,
                          vouch_nonce, client_key, cn_secret);
    if (rc != 0) {
-        //  Temporary support for CURVE debugging
+        //  Temporary support for security debugging
        puts ("CURVE I: cannot open client INITIATE vouch");
        errno = EPROTO;
        return -1;
@@ -446,6 +454,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    //  What we decrypted must be the client's short-term public key
    if (memcmp (vouch_plaintext + crypto_box_ZEROBYTES, cn_client, 32)) {
+        //  Temporary support for security debugging
+        puts ("CURVE I: invalid handshake from client (public key)");
        errno = EPROTO;
        return -1;
    }
@@ -601,6 +611,8 @@ int zmq::curve_server_t::receive_and_process_zap_reply ()
        if (rc == -1)
            break;
        if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) {
+            //  Temporary support for security debugging
+            puts ("CURVE I: ZAP handler sent incomplete reply message");
            errno = EPROTO;
            rc = -1;
            break;
@@ -612,31 +624,37 @@ int zmq::curve_server_t::receive_and_process_zap_reply ()
    //  Address delimiter frame
    if (msg [0].size () > 0) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("CURVE I: ZAP handler sent malformed reply message");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Version frame
    if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("CURVE I: ZAP handler sent bad version number");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Request id frame
    if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("CURVE I: ZAP handler sent bad request ID");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Status code frame
    if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
-        //  Temporary support for CURVE debugging
        puts ("CURVE I: ZAP handler rejected client authentication");
        errno = EACCES;
+        rc = -1;
        goto error;
    }

--- a/src/null_mechanism.cpp
+++ b/src/null_mechanism.cpp
@@ -74,7 +74,7 @@ int zmq::null_mechanism_t::next_handshake_command (msg_t *msg_)
        zap_reply_received = true;
    }
-    unsigned char * const command_buffer = (unsigned char *) malloc (512);
+    unsigned char *const command_buffer = (unsigned char *) malloc (512);
    alloc_assert (command_buffer);
    unsigned char *ptr = command_buffer;
@@ -90,10 +90,8 @@ int zmq::null_mechanism_t::next_handshake_command (msg_t *msg_)
    //  Add identity property
    if (options.type == ZMQ_REQ
    ||  options.type == ZMQ_DEALER
-    ||  options.type == ZMQ_ROUTER) {
+    ||  options.type == ZMQ_ROUTER)
-        ptr += add_property (ptr, "Identity",
+        ptr += add_property (ptr, "Identity", options.identity, options.identity_size);
-            options.identity, options.identity_size);
-    }
    const size_t command_size = ptr - command_buffer;
    const int rc = msg_->init_size (command_size);
@@ -109,6 +107,8 @@ int zmq::null_mechanism_t::next_handshake_command (msg_t *msg_)
 int zmq::null_mechanism_t::process_handshake_command (msg_t *msg_)
 {
    if (ready_command_received) {
+        //  Temporary support for security debugging
+        puts ("NULL I: client sent invalid NULL handshake (duplicate READY)");
        errno = EPROTO;
        return -1;
    }
@@ -118,6 +118,8 @@ int zmq::null_mechanism_t::process_handshake_command (msg_t *msg_)
    size_t bytes_left = msg_->size ();
    if (bytes_left < 6 || memcmp (ptr, "\5READY", 6)) {
+        //  Temporary support for security debugging
+        puts ("NULL I: client sent invalid NULL handshake (not READY)");
        errno = EPROTO;
        return -1;
    }
@@ -231,6 +233,8 @@ int zmq::null_mechanism_t::receive_and_process_zap_reply ()
        if (rc == -1)
            break;
        if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) {
+            //  Temporary support for security debugging
+            puts ("NULL I: ZAP handler sent incomplete reply message");
            errno = EPROTO;
            rc = -1;
            break;
@@ -242,29 +246,37 @@ int zmq::null_mechanism_t::receive_and_process_zap_reply ()
    //  Address delimiter frame
    if (msg [0].size () > 0) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("NULL I: ZAP handler sent malformed reply message");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Version frame
    if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("NULL I: ZAP handler sent bad version number");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Request id frame
    if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("NULL I: ZAP handler sent bad request ID");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Status code frame
    if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("NULL I: ZAP handler rejected client authentication");
        errno = EACCES;
+        rc = -1;
        goto error;
    }

--- a/src/plain_mechanism.cpp
+++ b/src/plain_mechanism.cpp
@@ -104,6 +104,8 @@ int zmq::plain_mechanism_t::process_handshake_command (msg_t *msg_)
                state = ready;
            break;
        default:
+            //  Temporary support for security debugging
+            puts ("PLAIN I: invalid handshake command");
            errno = EPROTO;
            rc = -1;
            break;
@@ -170,6 +172,8 @@ int zmq::plain_mechanism_t::process_hello (msg_t *msg_)
    size_t bytes_left = msg_->size ();
    if (bytes_left < 6 || memcmp (ptr, "\x05HELLO", 6)) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send HELLO");
        errno = EPROTO;
        return -1;
    }
@@ -177,6 +181,8 @@ int zmq::plain_mechanism_t::process_hello (msg_t *msg_)
    bytes_left -= 6;
    if (bytes_left < 1) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send username");
        errno = EPROTO;
        return -1;
    }
@@ -184,29 +190,36 @@ int zmq::plain_mechanism_t::process_hello (msg_t *msg_)
    bytes_left -= 1;
    if (bytes_left < username_length) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, sent malformed username");
        errno = EPROTO;
        return -1;
    }
    const std::string username = std::string ((char *) ptr, username_length);
    ptr += username_length;
    bytes_left -= username_length;
    if (bytes_left < 1) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send password");
        errno = EPROTO;
        return -1;
    }
    const size_t password_length = static_cast <size_t> (*ptr++);
    bytes_left -= 1;
    if (bytes_left < password_length) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, sent malformed password");
        errno = EPROTO;
        return -1;
    }
    const std::string password = std::string ((char *) ptr, password_length);
    ptr += password_length;
    bytes_left -= password_length;
    if (bytes_left > 0) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, sent extraneous data");
        errno = EPROTO;
        return -1;
    }
@@ -240,6 +253,8 @@ int zmq::plain_mechanism_t::process_welcome (msg_t *msg_)
    size_t bytes_left = msg_->size ();
    if (bytes_left != 8 ||  memcmp (ptr, "\x07WELCOME", 8)) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send WELCOME");
        errno = EPROTO;
        return -1;
    }
@@ -284,6 +299,8 @@ int zmq::plain_mechanism_t::process_initiate (msg_t *msg_)
    size_t bytes_left = msg_->size ();
    if (bytes_left < 9 || memcmp (ptr, "\x08INITIATE", 9)) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send INITIATE");
        errno = EPROTO;
        return -1;
    }
@@ -330,6 +347,8 @@ int zmq::plain_mechanism_t::process_ready (msg_t *msg_)
    size_t bytes_left = msg_->size ();
    if (bytes_left < 6 || memcmp (ptr, "\x05READY", 6)) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: invalid PLAIN client, did not send READY");
        errno = EPROTO;
        return -1;
    }
@@ -431,6 +450,8 @@ int zmq::plain_mechanism_t::receive_and_process_zap_reply ()
        if (rc == -1)
            break;
        if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) {
+            //  Temporary support for security debugging
+            puts ("PLAIN I: ZAP handler sent incomplete reply message");
            errno = EPROTO;
            rc = -1;
            break;
@@ -442,20 +463,26 @@ int zmq::plain_mechanism_t::receive_and_process_zap_reply ()
    //  Address delimiter frame
    if (msg [0].size () > 0) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("PLAIN I: ZAP handler sent malformed reply message");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Version frame
    if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("PLAIN I: ZAP handler sent bad version number");
        errno = EPROTO;
+        rc = -1;
        goto error;
    }
    //  Request id frame
    if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) {
+        //  Temporary support for security debugging
+        puts ("PLAIN I: ZAP handler sent bad request ID");
        rc = -1;
        errno = EPROTO;
        goto error;
@@ -463,8 +490,10 @@ int zmq::plain_mechanism_t::receive_and_process_zap_reply ()
    //  Status code frame
    if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) {
-        rc = -1;
+        //  Temporary support for security debugging
+        puts ("PLAIN I: ZAP handler rejected client authentication");
        errno = EACCES;
+        rc = -1;
        goto error;
    }

--- a/src/stream_engine.cpp
+++ b/src/stream_engine.cpp
@@ -491,6 +491,7 @@ bool zmq::stream_engine_t::handshake ()
                    if (options.mechanism == ZMQ_GSSAPI)
                        memcpy (outpos + outsize, "GSSAPI", 6);
                    else
+                    if (options.mechanism == ZMQ_CURVE)
                        memcpy (outpos + outsize, "CURVE", 5);
                    outsize += 20;
                    memset (outpos + outsize, 0, 32);
@@ -667,6 +668,9 @@ int zmq::stream_engine_t::next_handshake_command (msg_t *msg_)
        if (mechanism->is_handshake_complete ())
            mechanism_ready ();
    }
+    //  TODO:
+    //  if (errno == EPROTO || errno == EACCES)
+    //      return ERROR command to client
    return rc;
 }
@@ -681,6 +685,9 @@ int zmq::stream_engine_t::process_handshake_command (msg_t *msg_)
        if (output_stopped)
            restart_output ();
    }
+    //  TODO:
+    //  if (errno == EPROTO || errno == EACCES)
+    //      return ERROR command to client
    return rc;
 }
@@ -691,6 +698,9 @@ void zmq::stream_engine_t::zap_msg_available ()
    const int rc = mechanism->zap_msg_available ();
    if (rc == -1) {
+        //  TODO:
+        //  if (errno == EACCES)
+        //      return ERROR command to client
        error ();
        return;
    }
@@ -846,7 +856,6 @@ int zmq::stream_engine_t::write (const void *data_, size_t size_)
    return nbytes;
 #else
    ssize_t nbytes = send (s, data_, size_, 0);
    //  Several errors are OK. When speculative write is being done we may not

--- a/src/tcp_listener.cpp
+++ b/src/tcp_listener.cpp
@@ -227,7 +227,7 @@ int zmq::tcp_listener_t::set_address (const char *addr_)
        goto error;
 #endif
-    //  Listen for incomming connections.
+    //  Listen for incoming connections.
    rc = listen (s, options.backlog);
 #ifdef ZMQ_HAVE_WINDOWS
    if (rc == SOCKET_ERROR) {

--- a/tests/test_security_null.cpp
+++ b/tests/test_security_null.cpp
@@ -78,26 +78,26 @@ int main (void)
    //  We bounce between a binding server and a connecting client
-    //  We first test client/server with no ZAP domain
+//     //  We first test client/server with no ZAP domain
-    //  Libzmq does not call our ZAP handler, the connect must succeed
+//     //  Libzmq does not call our ZAP handler, the connect must succeed
-    void *server = zmq_socket (ctx, ZMQ_DEALER);
+//     void *server = zmq_socket (ctx, ZMQ_DEALER);
-    assert (server);
+//     assert (server);
-    void *client = zmq_socket (ctx, ZMQ_DEALER);
+//     void *client = zmq_socket (ctx, ZMQ_DEALER);
-    assert (client);
+//     assert (client);
-    rc = zmq_bind (server, "tcp://127.0.0.1:9000");
+//     rc = zmq_bind (server, "tcp://127.0.0.1:9000");
-    assert (rc == 0);
+//     assert (rc == 0);
-    rc = zmq_connect (client, "tcp://127.0.0.1:9000");
+//     rc = zmq_connect (client, "tcp://127.0.0.1:9000");
-    assert (rc == 0);
+//     assert (rc == 0);
-    bounce (server, client);
+//     bounce (server, client);
-    close_zero_linger (client);
+//     close_zero_linger (client);
-    close_zero_linger (server);
+//     close_zero_linger (server);
    //  Now define a ZAP domain for the server; this enables 
    //  authentication. We're using the wrong domain so this test
    //  must fail.
-    server = zmq_socket (ctx, ZMQ_DEALER);
+    void *server = zmq_socket (ctx, ZMQ_DEALER);
    assert (server);
-    client = zmq_socket (ctx, ZMQ_DEALER);
+    void *client = zmq_socket (ctx, ZMQ_DEALER);
    assert (client);
    rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "WRONG", 5);
    assert (rc == 0);
@@ -109,20 +109,20 @@ int main (void)
    close_zero_linger (client);
    close_zero_linger (server);
-    //  Now use the right domain, the test must pass
+//     //  Now use the right domain, the test must pass
-    server = zmq_socket (ctx, ZMQ_DEALER);
+//     server = zmq_socket (ctx, ZMQ_DEALER);
-    assert (server);
+//     assert (server);
-    client = zmq_socket (ctx, ZMQ_DEALER);
+//     client = zmq_socket (ctx, ZMQ_DEALER);
-    assert (client);
+//     assert (client);
-    rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "TEST", 4);
+//     rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "TEST", 4);
-    assert (rc == 0);
+//     assert (rc == 0);
-    rc = zmq_bind (server, "tcp://127.0.0.1:9002");
+//     rc = zmq_bind (server, "tcp://127.0.0.1:9002");
-    assert (rc == 0);
+//     assert (rc == 0);
-    rc = zmq_connect (client, "tcp://127.0.0.1:9002");
+//     rc = zmq_connect (client, "tcp://127.0.0.1:9002");
-    assert (rc == 0);
+//     assert (rc == 0);
-    bounce (server, client);
+//     bounce (server, client);
-    close_zero_linger (client);
+//     close_zero_linger (client);
-    close_zero_linger (server);
+//     close_zero_linger (server);
    //  Shutdown
    rc = zmq_ctx_term (ctx);