Security fix for V3 protocol downgrade: zeromq/libzmq#1273

testing/ok aja@ Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
bitrig · May 25, 2015 · db98384 · db98384
1 parent d524c52
commit db98384
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 2 deletions.
diff --git a/net/zeromq/Makefile b/net/zeromq/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.14 2015/01/25 09:36:55 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.15 2015/05/13 05:08:26 jasper Exp $
 
 # Note: use 'ulimit -n 1024' for regress tests
 
@@ -7,7 +7,7 @@ SHARED_ONLY =		Yes
 COMMENT =		open source message queue optimised for performance
 
 DISTNAME =		zeromq-4.0.5
-REVISION =		0
+REVISION =		1
 
 SHARED_LIBS +=  zmq                  4.0      # 4.0
 

diff --git a/net/zeromq/patches/patch-src_session_base_cpp b/net/zeromq/patches/patch-src_session_base_cpp
@@ -0,0 +1,22 @@
+$OpenBSD: patch-src_session_base_cpp,v 1.1 2015/05/13 05:08:26 jasper Exp $
+
+Security fix for V3 protocol downgrade
+https://github.com/zeromq/libzmq/issues/1273
+
+--- src/session_base.cpp.orig	Tue Oct 14 10:06:40 2014
++++ src/session_base.cpp	Tue May 12 09:04:21 2015
+@@ -323,6 +323,14 @@ int zmq::session_base_t::zap_connect ()
+     return 0;
+ }
+
++bool zmq::session_base_t::zap_enabled ()
++{
++    return (
++         options.mechanism != ZMQ_NULL ||
++        (options.mechanism == ZMQ_NULL && options.zap_domain.length() > 0)
++    );
++}
++
+ void zmq::session_base_t::process_attach (i_engine *engine_)
+ {
+     zmq_assert (engine_ != NULL);
diff --git a/net/zeromq/patches/patch-src_session_base_hpp b/net/zeromq/patches/patch-src_session_base_hpp
@@ -0,0 +1,17 @@
+$OpenBSD: patch-src_session_base_hpp,v 1.1 2015/05/13 05:08:26 jasper Exp $
+
+Security fix for V3 protocol downgrade
+https://github.com/zeromq/libzmq/issues/1273
+
+--- src/session_base.hpp.orig	Wed Nov 13 18:57:50 2013
++++ src/session_base.hpp	Tue May 12 09:04:21 2015
+@@ -68,7 +68,8 @@ namespace zmq
+         int push_msg (msg_t *msg_);
+
+         int zap_connect ();
+-
++        bool zap_enabled ();
++        
+         //  Fetches a message. Returns 0 if successful; -1 otherwise.
+         //  The caller is responsible for freeing the message when no
+         //  longer used.
diff --git a/net/zeromq/patches/patch-src_stream_engine_cpp b/net/zeromq/patches/patch-src_stream_engine_cpp
@@ -0,0 +1,43 @@
+$OpenBSD: patch-src_stream_engine_cpp,v 1.1 2015/05/13 05:08:26 jasper Exp $
+
+Security fix for V3 protocol downgrade
+https://github.com/zeromq/libzmq/issues/1273
+
+--- src/stream_engine.cpp.orig	Tue Oct 14 10:06:40 2014
++++ src/stream_engine.cpp	Tue May 12 09:04:21 2015
+@@ -464,6 +464,11 @@ bool zmq::stream_engine_t::handshake ()
+     //  Is the peer using ZMTP/1.0 with no revision number?
+     //  If so, we send and receive rest of identity message
+     if (greeting_recv [0] != 0xff || !(greeting_recv [9] & 0x01)) {
++        if (session->zap_enabled ()) {
++            //  Reject ZMTP 1.0 connections if ZAP is enabled
++            error ();
++            return false;
++        }
+         encoder = new (std::nothrow) v1_encoder_t (out_batch_size);
+         alloc_assert (encoder);
+
+@@ -505,6 +510,11 @@ bool zmq::stream_engine_t::handshake ()
+     }
+     else
+     if (greeting_recv [revision_pos] == ZMTP_1_0) {
++        if (session->zap_enabled ()) {
++            //  Reject ZMTP 1.0 connections if ZAP is enabled
++            error ();
++            return false;
++        }
+         encoder = new (std::nothrow) v1_encoder_t (
+             out_batch_size);
+         alloc_assert (encoder);
+@@ -515,6 +525,11 @@ bool zmq::stream_engine_t::handshake ()
+     }
+     else
+     if (greeting_recv [revision_pos] == ZMTP_2_0) {
++        if (session->zap_enabled ()) {
++            //  Reject ZMTP 1.0 connections if ZAP is enabled
++            error ();
++            return false;
++        }
+         encoder = new (std::nothrow) v2_encoder_t (out_batch_size);
+         alloc_assert (encoder);
+