
certificates being ignored? #385

Closed
genjix opened this Issue · 15 comments

2 participants

@genjix
Owner

I'm using the ironhouse2 example. If I comment out the line where it saves the client's public key for the server, the example still works. I expect the server should refuse the connection since the key isn't installed. This is with 2.0.3.

I tried running the (unmodified) example with git but it was giving this error:

ironhouse: zsockopt.c:397: zsocket_set_curve_secretkey_bin: Assertion `rc == 0 || zmq_errno () == (156384712 + 53)' failed.
Aborted (core dumped)

@genjix
Owner

Same thing with zauth_allow()

@hintjens
Owner
@genjix
Owner

updated to latest zmq and czmq from github:

/tmp/czmq/examples/security> ./ironhouse
ironhouse: zsockopt.c:397: zsocket_set_curve_secretkey_bin: Assertion `rc == 0 || zmq_errno () == (156384712 + 53)' failed.
Aborted (core dumped)
/tmp/czmq/examples/security> gdb ironhouse core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /tmp/czmq/examples/security/ironhouse...(no debugging symbols found)...done.
[New LWP 13504]
[New LWP 13505]
[New LWP 13503]
[New LWP 13507]
[New LWP 13508]
[New LWP 13502]
[New LWP 13506]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./ironhouse'.
Program terminated with signal 6, Aborted.
#0 0x00007fa9cfe92475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007fa9cfe92475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fa9cfe956f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fa9cfe8b621 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007fa9d06ca49b in zsocket_set_curve_secretkey_bin (zocket=zocket@entry=0x7fa9c8003f90,
curve_secretkey=curve_secretkey@entry=0x7fa9c8000990 "/9'Q\204\264\361\244\217̳\372\345\374pЕ\357$\230\375P\377\200Qj$\212k\350\025\345DSF0P}H)p.D(D}^FGH&NwZc[GmlTAE6kdqxqzYBz") at zsockopt.c:397
#4 0x00007fa9d06b8355 in zcert_apply (self=0x7fa9c8000970, zocket=0x7fa9c8003f90) at zcert.c:352
#5 0x000000000040115b in client_task ()
#6 0x00007fa9d06ced4f in s_thread_shim (args=0x1520a70) at zthread.c:95
#7 0x00007fa9cfc46b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#8 0x00007fa9cff3aa7d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#9 0x0000000000000000 in ?? ()
(gdb)

@genjix
Owner

BTW I can give you access to my server to test if you email me your SSH pubkey encrypted.

@hintjens
Owner
@genjix
Owner

ok posted there.

@hintjens
Owner

Perhaps you're using an old libzmq. That would explain why the set_curve_secretkey call is failing.

@hintjens
Owner

It's perhaps that you still have certificates on disk from previous tests. Remove client_cert.txt and .curve/testcert.pub.

Then you should get:

I: PASSED (whitelist) address=127.0.0.1
I: DENIED (CURVE) client_key=+8>U[RHBWLq6hdF/7>qOUe}w]?WYuZhp.rwpvs
CURVE I: ZAP handler rejected client authentication
I: PASSED (whitelist) address=127.0.0.1
I: DENIED (CURVE) client_key=+8>U[RHBWLq6hdF/7>qOUe}w]?WYuZhp.rwpvs
CURVE I: ZAP handler rejected client authentication
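
The two log lines above are the whole decision a ZAP handler makes for an Ironhouse client: the address check first, then the CURVE key lookup. What follows is an added example, not czmq's code and not part of this issue, that models that logic in pure Python and drives it with constructed ZAP request frames, so it runs without libzmq. It assumes the certificate-store files look like what zcert_save_public writes (a 'public-key = "..."' line under a 'curve' section); the names ZapHandler, load_cert_store, curve_request, install_public_cert and ironhouse_scenario are this example's own, and the 32-byte key bytes(range(32)) is a constructed stand-in, not a real CURVE key. ironhouse_scenario reproduces the three cases argued about in this issue: 400 when the client key was never saved to the store, 200 once it is, and 400 again when the whitelist names an address other than 127.0.0.1.

```python
import os
import re
import tempfile

Z85_CHARS = (b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
             b".-:+=^!/*?&<>()[]{}@%$#")
CURVE_ALLOW_ANY = "*"  # the sentinel czmq passes to zauth_configure_curve
# Assumed layout of a public certificate written by zcert_save_public:
# a 'curve' section containing    public-key = "<40 Z85 characters>"
_PUBKEY_RE = re.compile(r'^\s*public-key\s*=\s*"([^"]{40})"\s*$')


def z85_encode(data):
    """Z85 (ZeroMQ RFC 32): 4 bytes -> 5 printable characters, so the 32-byte
    CURVE public key on the wire prints as the 40-character client_key= above."""
    if len(data) % 4:
        raise ValueError("Z85 input must be a multiple of 4 bytes")
    out = bytearray()
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        chunk = bytearray(5)
        for j in range(4, -1, -1):
            value, rem = divmod(value, 85)
            chunk[j] = Z85_CHARS[rem]
        out += chunk
    return out.decode("ascii")


def load_cert_store(location):
    """Z85 public keys of every certificate file in the store directory, read
    afresh on each lookup so a key that was never saved is never accepted."""
    keys = set()
    if os.path.isdir(location):
        for name in sorted(os.listdir(location)):
            with open(os.path.join(location, name), encoding="ascii", errors="replace") as fh:
                keys.update(m.group(1) for m in map(_PUBKEY_RE.match, fh) if m)
    return keys


class ZapHandler:
    """ZAP 1.0 decisions in the order zauth applies them: the IP whitelist first,
    then the credential check for the mechanism the client negotiated."""

    def __init__(self, whitelist=(), curve_location=None):
        self.whitelist = set(whitelist)
        self.curve_location = curve_location
        self.log = []  # the lines zauth_set_verbose(auth, true) would print

    def _note(self, passed, reason, detail):
        self.log.append("I: %s (%s) %s" % ("PASSED" if passed else "DENIED", reason, detail))

    def handle(self, frames):
        """frames: [version, request_id, domain, address, identity, mechanism,
        credential...] as libzmq delivers them on inproc://zeromq.zap.01.
        Returns [version, request_id, status_code, status_text, user_id, metadata]."""
        version, request_id, _domain, address, _identity, mechanism = frames[:6]
        credentials = frames[6:]
        addr = address.decode("ascii")
        allowed = True
        if self.whitelist:
            allowed = addr in self.whitelist
            self._note(allowed, "whitelist" if allowed else "not in whitelist", "address=" + addr)
        if allowed and mechanism == b"CURVE":
            client_key = z85_encode(credentials[0])  # 32 binary bytes on the wire
            if self.curve_location != CURVE_ALLOW_ANY:
                allowed = client_key in load_cert_store(self.curve_location or "")
            self._note(allowed, "CURVE", "client_key=" + client_key)
        elif allowed and mechanism != b"NULL":
            allowed = False  # PLAIN is not modelled in this example
        status = (b"200", b"OK") if allowed else (b"400", b"NO ACCESS")
        return [b"1.0", request_id, status[0], status[1], b"", b""]


def curve_request(address, client_key, request_id=b"1"):
    """Constructed ZAP request for a CURVE client connecting from 'address'."""
    return [b"1.0", request_id, b"global", address.encode("ascii"), b"", b"CURVE", client_key]


def install_public_cert(location, client_key, name="testcert.pub"):
    """Write a public certificate in the assumed zcert_save_public layout."""
    os.makedirs(location, exist_ok=True)
    with open(os.path.join(location, name), "w", encoding="ascii") as fh:
        fh.write('metadata\n    name = "Client test certificate"\n')
        fh.write('curve\n    public-key = "%s"\n' % z85_encode(client_key))


def ironhouse_scenario():
    """Status codes for the three cases argued about in this issue: client key
    never saved to the store, key installed, whitelist that omits 127.0.0.1."""
    client_key = bytes(range(32))  # constructed stand-in for a CURVE public key
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, ".curve")
        auth = ZapHandler(whitelist=["127.0.0.1"], curve_location=store)
        not_installed = auth.handle(curve_request("127.0.0.1", client_key))[2]
        install_public_cert(store, client_key)
        installed = auth.handle(curve_request("127.0.0.1", client_key))[2]
        strict = ZapHandler(whitelist=["8.4.4.6"], curve_location=store)
        not_whitelisted = strict.handle(curve_request("127.0.0.1", client_key))[2]
    return not_installed, installed, not_whitelisted
```

Two caveats when turning this into a real test against sockets. First, the model only covers the handler's decision; in libzmq 4.0 a CURVE server whose context has no ZAP handler bound on inproc://zeromq.zap.01 at the moment the client connects completes the handshake with any client key, so an Ironhouse test that still passes with the zcert_save_public line removed may mean the handler was not there yet rather than that the store was consulted and the key found. A test that proves the check is active is the negative one above: the unsaved key must produce DENIED (CURVE) and no message must arrive. Second, the assertion quoted in the first comment tolerates only rc == 0 or ZMQ_HAUSNUMERO + 53, which zmq.h defines as ETERM; any other errno from zmq_setsockopt for ZMQ_CURVE_SECRETKEY (typically EINVAL from a libzmq that does not know the option, such as one built without CURVE support) aborts the process exactly as shown in the backtrace.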

@genjix
Owner

If I delete client_cert.txt and change .curve to .foo in zauth_configure_curve (auth, "*", ".foo"); [server_task()] then it still passes. Anyway surely a new cert is generated with every call to zctx_t *ctx = zctx_new ();

Hmmm, I'm going to test with a new Debian install and report back.

@genjix
Owner

Output from my current system (check the IP address):

~/czmq-2.0.3/examples/security> cat stonehouse.c 
//  The Stonehouse Pattern
//
//  Where we allow any clients to connect, but we promise clients
//  that we are who we claim to be, and our conversations won't be
//  tampered with or modified, or spied on.

#include <czmq.h>

int main (void) 
{
    //  Create context and start authentication engine
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    zauth_set_verbose (auth, true);
    zauth_allow (auth, "8.4.4.6");

    //  Tell the authenticator how to handle CURVE requests
    zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);

    //  We need two certificates, one for the client and one for
    //  the server. The client must know the server's public key
    //  to make a CURVE connection.
    zcert_t *client_cert = zcert_new ();
    zcert_t *server_cert = zcert_new ();
    char *server_key = zcert_public_txt (server_cert);

    //  Create and bind server socket
    void *server = zsocket_new (ctx, ZMQ_PUSH);
    zcert_apply (server_cert, server);
    zsocket_set_curve_server (server, 1);
    zsocket_bind (server, "tcp://*:9000");

    //  Create and connect client socket
    void *client = zsocket_new (ctx, ZMQ_PULL);
    zcert_apply (client_cert, client);
    zsocket_set_curve_serverkey (client, server_key);
    zsocket_connect (client, "tcp://127.0.0.1:9000");

    //  Send a single message from server to client
    zstr_send (server, "Hello");
    char *message = zstr_recv (client);
    assert (streq (message, "Hello"));
    free (message);
    puts ("Stonehouse test OK");

    zcert_destroy (&client_cert);
    zcert_destroy (&server_cert);
    zauth_destroy (&auth);
    zctx_destroy (&ctx);
    return 0;
}
~/czmq-2.0.3/examples/security> gcc -o stonehouse stonehouse.c -lczmq -lzmq -lsodium -I /home/genjix/usr/include/ -L /home/genjix/usr/lib/
~/czmq-2.0.3/examples/security> ./stonehouse
Stonehouse test OK

@genjix
Owner

OK brand new Debian Wheezy:

genjix@debian7:~/czmq-2.0.3/examples/security$ gcc -o stonehouse stonehouse.c -lczmq -lzmq -lsodium -I /home/genjix/usr/include/ -L /home/genjix/usr/lib/
genjix@debian7:~/czmq-2.0.3/examples/security$ ./stonehouse
Stonehouse test OK
genjix@debian7:~/czmq-2.0.3/examples/security$ cd
genjix@debian7:~$ ls
czmq-2.0.3 czmq-2.0.3.tar.gz libsodium-0.4.5 libsodium-0.4.5.tar.gz zeromq-4.0.3 zeromq-4.0.3.tar.gz

Same code as above (replacing "127.0.0.1" with a mangled IP address) using all latest packages.

@hintjens
Owner

I'm not sure what you're showing me here. The problem was with stonehouse2.c when a client certificate wasn't being saved, yet seemed to work. I've explained how that probably happened.

@genjix
Owner

If I set zauth_allow (auth, "8.4.4.6"); (whitelist the IP 8.4.4.6) then surely the program should fail to work because it isn't accepting connections from localhost (127.0.0.1)?

@genjix
Owner

Also with ironhouse2 (not stonehouse2 ;) it generates a new key every time, so it shouldn't matter what keys are remaining from last time. The client_task will generate a new keypair which doesn't get added to the store (because we comment out that line), and the server_task should refuse your connection because it doesn't have the key. Instead ironhouse2 test passes fine.

@genjix
Owner

Also I have zauth_set_verbose (auth, true); but I don't see the output you're seeing. All I see is:

$ ./ironhouse2
Ironhouse test OK
$ ./stonehouse
Stonehouse test OK

If I modify the address in strawhouse, I do however get denied a connection:

$ ./strawhouse
I: DENIED (not in whitelist) address=127.0.0.1

Check this output from brand new Debian Wheezy install. There's no zauth debug output (despite it being enabled), and no existing files. The whitelist should disable any new connections but isn't. And the test still passes even when I comment the line zcert_save_public() with "Ironhouse test OK".

genjix@debian7:~/czmq-2.0.3/examples/security$ rm -fr .curve/ client_cert.txt
genjix@debian7:~/czmq-2.0.3/examples/security$ ./ironhouse
Ironhouse test OK
genjix@debian7:~/czmq-2.0.3/examples/security$ cat ironhouse.c 
//  The Ironhouse Pattern
//
//  Security doesn't get any stronger than this. An attacker is going to
//  have to break into your systems to see data before/after encryption.

#include <czmq.h>

int main (void) 
{
    //  Create context and start authentication engine
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    zauth_set_verbose (auth, true);
    // ------------------------------------------------
    // @@@ LOOK AT THIS LINE @@@
    // ------------------------------------------------
    zauth_allow (auth, "127.4.6.1");

    //  Tell authenticator to use the certificate store in .curve
    zauth_configure_curve (auth, "*", ".curve");

    //  We'll generate a new client certificate and save the public part
    //  in the certificate store (in practice this would be done by hand
    //  or some out-of-band process).
    zcert_t *client_cert = zcert_new ();
    zsys_dir_create (".curve");
    zcert_set_meta (client_cert, "name", "Client test certificate");
    zcert_save_public (client_cert, ".curve/testcert.pub");

    //  Prepare the server certificate as we did in Stonehouse
    zcert_t *server_cert = zcert_new ();
    char *server_key = zcert_public_txt (server_cert);

    //  Create and bind server socket
    void *server = zsocket_new (ctx, ZMQ_PUSH);
    zcert_apply (server_cert, server);
    zsocket_set_curve_server (server, 1);
    zsocket_bind (server, "tcp://*:9000");

    //  Create and connect client socket
    void *client = zsocket_new (ctx, ZMQ_PULL);
    zcert_apply (client_cert, client);
    zsocket_set_curve_serverkey (client, server_key);
    zsocket_connect (client, "tcp://127.0.0.1:9000");

    //  Send a single message from server to client
    zstr_send (server, "Hello");
    char *message = zstr_recv (client);
    assert (streq (message, "Hello"));
    free (message);
    puts ("Ironhouse test OK");

    zcert_destroy (&client_cert);
    zcert_destroy (&server_cert);
    zauth_destroy (&auth);
    zctx_destroy (&ctx);
    return 0;
}
@hintjens hintjens referenced this issue from a commit in hintjens/czmq
@hintjens hintjens Fixed issue #385 9044a60
@genjix genjix closed this