Skip to content

L
libzmq
Commit 4b1c851d authored by Mike Gatny's avatar Mike Gatny Committed by Chris Busbey
Browse files
Options

Stubbed in gssapi security mechanism.

parent d1bdd45e
Hide whitespace changes
Inline Side-by-side
Showing with 619 additions and 3 deletions
include/zmq.h
View file @ 4b1c851d
......@@ -296,6 +296,8 @@ ZMQ_EXPORT char *zmq_msg_gets (zmq_msg_t *msg, char *property);
#define ZMQ_IPC_FILTER_UID 59
#define ZMQ_IPC_FILTER_GID 60
#define ZMQ_CONNECT_RID 61
#define ZMQ_GSSAPI_SERVER 62
#define ZMQ_GSSAPI_CLIENT 63
/* Message options */
#define ZMQ_MORE 1
......@@ -309,6 +311,7 @@ ZMQ_EXPORT char *zmq_msg_gets (zmq_msg_t *msg, char *property);
#define ZMQ_NULL 0
#define ZMQ_PLAIN 1
#define ZMQ_CURVE 2
#define ZMQ_GSSAPI 3
/* Deprecated options and aliases */
#define ZMQ_IPV4ONLY 31
......
src/Makefile.am
View file @ 4b1c851d
......@@ -25,6 +25,7 @@ libzmq_la_SOURCES = \
err.hpp \
fd.hpp \
fq.hpp \
gssapi_mechanism.hpp \
i_encoder.hpp \
i_decoder.hpp \
i_engine.hpp \
......@@ -101,6 +102,7 @@ libzmq_la_SOURCES = \
epoll.cpp \
err.cpp \
fq.cpp \
gssapi_mechanism.cpp \
io_object.cpp \
io_thread.cpp \
ip.cpp \
......
src/gssapi_mechanism.cpp 0 → 100644
View file @ 4b1c851d
/*
Copyright (c) 2007-2013 Contributors as noted in the AUTHORS file
This file is part of 0MQ.
0MQ is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
0MQ is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "platform.hpp"
#ifdef ZMQ_HAVE_WINDOWS
#include "windows.hpp"
#endif
#include <string.h>
#include <string>
#include "msg.hpp"
#include "session_base.hpp"
#include "err.hpp"
#include "gssapi_mechanism.hpp"
#include "wire.hpp"
zmq::gssapi_mechanism_t::gssapi_mechanism_t (session_base_t *session_,
const std::string &peer_address_,
const options_t &options_) :
mechanism_t (options_),
session (session_),
peer_address (peer_address_),
expecting_zap_reply (false),
state (options.as_server? waiting_for_hello: sending_hello)
{
}
zmq::gssapi_mechanism_t::~gssapi_mechanism_t ()
{
}
int zmq::gssapi_mechanism_t::next_handshake_command (msg_t *msg_)
{
int rc = 0;
switch (state) {
case sending_hello:
rc = produce_hello (msg_);
if (rc == 0)
state = waiting_for_welcome;
break;
case sending_welcome:
rc = produce_welcome (msg_);
if (rc == 0)
state = waiting_for_initiate;
break;
case sending_initiate:
rc = produce_initiate (msg_);
if (rc == 0)
state = waiting_for_ready;
break;
case sending_ready:
rc = produce_ready (msg_);
if (rc == 0)
state = ready;
break;
default:
errno = EAGAIN;
rc = -1;
}
return rc;
}
int zmq::gssapi_mechanism_t::process_handshake_command (msg_t *msg_)
{
int rc = 0;
switch (state) {
case waiting_for_hello:
rc = process_hello (msg_);
if (rc == 0)
state = expecting_zap_reply? waiting_for_zap_reply: sending_welcome;
break;
case waiting_for_welcome:
rc = process_welcome (msg_);
if (rc == 0)
state = sending_initiate;
break;
case waiting_for_initiate:
rc = process_initiate (msg_);
if (rc == 0)
state = sending_ready;
break;
case waiting_for_ready:
rc = process_ready (msg_);
if (rc == 0)
state = ready;
break;
default:
errno = EPROTO;
rc = -1;
break;
}
if (rc == 0) {
rc = msg_->close ();
errno_assert (rc == 0);
rc = msg_->init ();
errno_assert (rc == 0);
}
return rc;
}
bool zmq::gssapi_mechanism_t::is_handshake_complete () const
{
return state == ready;
}
int zmq::gssapi_mechanism_t::zap_msg_available ()
{
if (state != waiting_for_zap_reply) {
errno = EFSM;
return -1;
}
const int rc = receive_and_process_zap_reply ();
if (rc == 0)
state = sending_welcome;
return rc;
}
int zmq::gssapi_mechanism_t::produce_hello (msg_t *msg_) const
{
const std::string username = "admin";
zmq_assert (username.length () < 256);
const std::string password = "secret";
zmq_assert (password.length () < 256);
const size_t command_size = 6 + 1 + username.length ()
+ 1 + password.length ();
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
memcpy (ptr, "\x05HELLO", 6);
ptr += 6;
*ptr++ = static_cast <unsigned char> (username.length ());
memcpy (ptr, username.c_str (), username.length ());
ptr += username.length ();
*ptr++ = static_cast <unsigned char> (password.length ());
memcpy (ptr, password.c_str (), password.length ());
ptr += password.length ();
return 0;
}
int zmq::gssapi_mechanism_t::process_hello (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left < 6 || memcmp (ptr, "\x05HELLO", 6)) {
errno = EPROTO;
return -1;
}
ptr += 6;
bytes_left -= 6;
if (bytes_left < 1) {
errno = EPROTO;
return -1;
}
const size_t username_length = static_cast <size_t> (*ptr++);
bytes_left -= 1;
if (bytes_left < username_length) {
errno = EPROTO;
return -1;
}
const std::string username = std::string ((char *) ptr, username_length);
ptr += username_length;
bytes_left -= username_length;
if (bytes_left < 1) {
errno = EPROTO;
return -1;
}
const size_t password_length = static_cast <size_t> (*ptr++);
bytes_left -= 1;
if (bytes_left < password_length) {
errno = EPROTO;
return -1;
}
const std::string password = std::string ((char *) ptr, password_length);
ptr += password_length;
bytes_left -= password_length;
if (bytes_left > 0) {
errno = EPROTO;
return -1;
}
// Use ZAP protocol (RFC 27) to authenticate the user.
int rc = session->zap_connect ();
if (rc == 0) {
send_zap_request (username, password);
rc = receive_and_process_zap_reply ();
if (rc != 0) {
if (errno != EAGAIN)
return -1;
expecting_zap_reply = true;
}
}
return 0;
}
int zmq::gssapi_mechanism_t::produce_welcome (msg_t *msg_) const
{
const int rc = msg_->init_size (8);
errno_assert (rc == 0);
memcpy (msg_->data (), "\x07WELCOME", 8);
return 0;
}
int zmq::gssapi_mechanism_t::process_welcome (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left != 8 || memcmp (ptr, "\x07WELCOME", 8)) {
errno = EPROTO;
return -1;
}
return 0;
}
int zmq::gssapi_mechanism_t::produce_initiate (msg_t *msg_) const
{
unsigned char * const command_buffer = (unsigned char *) malloc (512);
alloc_assert (command_buffer);
unsigned char *ptr = command_buffer;
// Add mechanism string
memcpy (ptr, "\x08INITIATE", 9);
ptr += 9;
// Add socket type property
const char *socket_type = socket_type_string (options.type);
ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type));
// Add identity property
if (options.type == ZMQ_REQ
|| options.type == ZMQ_DEALER
|| options.type == ZMQ_ROUTER) {
ptr += add_property (ptr, "Identity",
options.identity, options.identity_size);
}
const size_t command_size = ptr - command_buffer;
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
memcpy (msg_->data (), command_buffer, command_size);
free (command_buffer);
return 0;
}
int zmq::gssapi_mechanism_t::process_initiate (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left < 9 || memcmp (ptr, "\x08INITIATE", 9)) {
errno = EPROTO;
return -1;
}
ptr += 9;
bytes_left -= 9;
return parse_metadata (ptr, bytes_left);
}
int zmq::gssapi_mechanism_t::produce_ready (msg_t *msg_) const
{
unsigned char * const command_buffer = (unsigned char *) malloc (512);
alloc_assert (command_buffer);
unsigned char *ptr = command_buffer;
// Add command name
memcpy (ptr, "\x05READY", 6);
ptr += 6;
// Add socket type property
const char *socket_type = socket_type_string (options.type);
ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type));
// Add identity property
if (options.type == ZMQ_REQ
|| options.type == ZMQ_DEALER
|| options.type == ZMQ_ROUTER) {
ptr += add_property (ptr, "Identity",
options.identity, options.identity_size);
}
const size_t command_size = ptr - command_buffer;
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
memcpy (msg_->data (), command_buffer, command_size);
free (command_buffer);
return 0;
}
int zmq::gssapi_mechanism_t::process_ready (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
if (bytes_left < 6 || memcmp (ptr, "\x05READY", 6)) {
errno = EPROTO;
return -1;
}
ptr += 6;
bytes_left -= 6;
return parse_metadata (ptr, bytes_left);
}
void zmq::gssapi_mechanism_t::send_zap_request (const std::string &username,
const std::string &password)
{
int rc;
msg_t msg;
// Address delimiter frame
rc = msg.init ();
errno_assert (rc == 0);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Version frame
rc = msg.init_size (3);
errno_assert (rc == 0);
memcpy (msg.data (), "1.0", 3);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Request id frame
rc = msg.init_size (1);
errno_assert (rc == 0);
memcpy (msg.data (), "1", 1);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Domain frame
rc = msg.init_size (options.zap_domain.length ());
errno_assert (rc == 0);
memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Address frame
rc = msg.init_size (peer_address.length ());
errno_assert (rc == 0);
memcpy (msg.data (), peer_address.c_str (), peer_address.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Identity frame
rc = msg.init_size (options.identity_size);
errno_assert (rc == 0);
memcpy (msg.data (), options.identity, options.identity_size);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Mechanism frame
rc = msg.init_size (6);
errno_assert (rc == 0);
memcpy (msg.data (), "GSSAPI", 6);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Username frame
rc = msg.init_size (username.length ());
errno_assert (rc == 0);
memcpy (msg.data (), username.c_str (), username.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
// Password frame
rc = msg.init_size (password.length ());
errno_assert (rc == 0);
memcpy (msg.data (), password.c_str (), password.length ());
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
}
int zmq::gssapi_mechanism_t::receive_and_process_zap_reply ()
{
int rc = 0;
msg_t msg [7]; // ZAP reply consists of 7 frames
// Initialize all reply frames
for (int i = 0; i < 7; i++) {
rc = msg [i].init ();
errno_assert (rc == 0);
}
for (int i = 0; i < 7; i++) {
rc = session->read_zap_msg (&msg [i]);
if (rc == -1)
break;
if ((msg [i].flags () & msg_t::more) == (i < 6? 0: msg_t::more)) {
errno = EPROTO;
rc = -1;
break;
}
}
if (rc != 0)
goto error;
// Address delimiter frame
if (msg [0].size () > 0) {
rc = -1;
errno = EPROTO;
goto error;
}
// Version frame
if (msg [1].size () != 3 || memcmp (msg [1].data (), "1.0", 3)) {
rc = -1;
errno = EPROTO;
goto error;
}
// Request id frame
if (msg [2].size () != 1 || memcmp (msg [2].data (), "1", 1)) {
rc = -1;
errno = EPROTO;
goto error;
}
// Status code frame
if (msg [3].size () != 3 || memcmp (msg [3].data (), "200", 3)) {
rc = -1;
errno = EACCES;
goto error;
}
// Process metadata frame
rc = parse_metadata (static_cast <const unsigned char*> (msg [6].data ()),
msg [6].size ());
error:
for (int i = 0; i < 7; i++) {
const int rc2 = msg [i].close ();
errno_assert (rc2 == 0);
}
return rc;
}
src/gssapi_mechanism.hpp 0 → 100644
View file @ 4b1c851d
/*
Copyright (c) 2007-2013 Contributors as noted in the AUTHORS file
This file is part of 0MQ.
0MQ is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
0MQ is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef __ZMQ_GSSAPI_MECHANISM_HPP_INCLUDED__
#define __ZMQ_GSSAPI_MECHANISM_HPP_INCLUDED__
#include "mechanism.hpp"
#include "options.hpp"
namespace zmq
{
class msg_t;
class session_base_t;
class gssapi_mechanism_t : public mechanism_t
{
public:
gssapi_mechanism_t (session_base_t *session_,
const std::string &peer_address,
const options_t &options_);
virtual ~gssapi_mechanism_t ();
// mechanism implementation
virtual int next_handshake_command (msg_t *msg_);
virtual int process_handshake_command (msg_t *msg_);
virtual int zap_msg_available ();
virtual bool is_handshake_complete () const;
private:
enum state_t {
sending_hello,
waiting_for_hello,
sending_welcome,
waiting_for_welcome,
sending_initiate,
waiting_for_initiate,
sending_ready,
waiting_for_ready,
waiting_for_zap_reply,
ready
};
session_base_t * const session;
const std::string peer_address;
// True iff we are awaiting reply from ZAP reply.
bool expecting_zap_reply;
state_t state;
int produce_hello (msg_t *msg_) const;
int produce_welcome (msg_t *msg_) const;
int produce_initiate (msg_t *msg_) const;
int produce_ready (msg_t *msg_) const;
int process_hello (msg_t *msg_);
int process_welcome (msg_t *msg);
int process_ready (msg_t *msg_);
int process_initiate (msg_t *msg_);
void send_zap_request (const std::string &username,
const std::string &password);
int receive_and_process_zap_reply ();
};
}
#endif
src/options.cpp
View file @ 4b1c851d
......@@ -394,13 +394,29 @@ int zmq::options_t::setsockopt (int option_, const void *optval_,
}
break;
# endif
case ZMQ_CONFLATE:
if (is_int && (value == 0 || value == 1)) {
conflate = (value != 0);
return 0;
}
break;
case ZMQ_GSSAPI_SERVER:
if (is_int && (value == 0 || value == 1)) {
as_server = value;
mechanism = ZMQ_GSSAPI;
return 0;
}
break;
case ZMQ_GSSAPI_CLIENT:
if (is_int && (value == 0 || value == 1)) {
as_server = (value == 0);
mechanism = ZMQ_GSSAPI;
return 0;
}
break;
default:
break;
......@@ -681,8 +697,23 @@ int zmq::options_t::getsockopt (int option_, void *optval_, size_t *optvallen_)
return 0;
}
break;
case ZMQ_GSSAPI_SERVER:
if (is_int) {
*value = as_server && mechanism == ZMQ_GSSAPI;
return 0;
}
break;
case ZMQ_GSSAPI_CLIENT:
if (is_int) {
*value = (as_server == 0) && mechanism == ZMQ_GSSAPI;
return 0;
}
break;
}
}
errno = EINVAL;
return -1;
}
src/stream_engine.cpp
View file @ 4b1c851d
......@@ -43,6 +43,7 @@
#include "v2_decoder.hpp"
#include "null_mechanism.hpp"
#include "plain_mechanism.hpp"
#include "gssapi_mechanism.hpp"
#include "curve_client.hpp"
#include "curve_server.hpp"
#include "raw_decoder.hpp"
......@@ -477,13 +478,17 @@ bool zmq::stream_engine_t::handshake ()
zmq_assert (options.mechanism == ZMQ_NULL
|| options.mechanism == ZMQ_PLAIN
|| options.mechanism == ZMQ_CURVE);
|| options.mechanism == ZMQ_CURVE
|| options.mechanism == ZMQ_GSSAPI);
if (options.mechanism == ZMQ_NULL)
memcpy (outpos + outsize, "NULL", 4);
else
if (options.mechanism == ZMQ_PLAIN)
memcpy (outpos + outsize, "PLAIN", 5);
else
if (options.mechanism == ZMQ_GSSAPI)
memcpy (outpos + outsize, "GSSAPI", 6);
else
memcpy (outpos + outsize, "CURVE", 5);
outsize += 20;
......@@ -589,6 +594,12 @@ bool zmq::stream_engine_t::handshake ()
alloc_assert (mechanism);
}
#endif
else
if (memcmp (greeting_recv + 12, "GSSAPI\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 20) == 0) {
mechanism = new (std::nothrow)
gssapi_mechanism_t (session, peer_address, options);
alloc_assert (mechanism);
}
else {
error ();
return false;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment