Skip to content

Commit

Permalink
Establishing GSSAPI sec context is working now
Browse files Browse the repository at this point in the history
  • Loading branch information
@mgatny @cbusbey
mgatny authored and cbusbey committed Apr 24, 2014
1 parent 6290ba1 commit 1445516
Show file tree
Hide file tree
Showing 7 changed files with 232 additions and 426 deletions.
1 change: 1 addition & 0 deletions configure.ac
View file
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,7 @@ else
AC_CHECK_LIB([sodium], [sodium_init],,AC_MSG_WARN(libsodium is needed for CURVE security))
fi

AC_CHECK_LIB([gssapi_krb5], [gss_init_sec_context],,AC_MSG_WARN(libgssapi_krb5 is needed for GSSAPI security))

#
# Check if the compiler supports -fvisibility=hidden flag. MinGW32 uses __declspec
Expand Down
180 changes: 75 additions & 105 deletions src/gssapi_client.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,173 +34,143 @@
zmq::gssapi_client_t::gssapi_client_t (const options_t &options_) :
gssapi_mechanism_base_t (),
mechanism_t (options_),
state (sending_hello)
state (send_next_token),
token_ptr (GSS_C_NO_BUFFER),
mechs (),
security_context_established (false)
{
maj_stat = GSS_S_COMPLETE;
service_name = strdup("host"); /// FIXME add service_name to options
mechs.elements = NULL;
mechs.count = 0;
}

zmq::gssapi_client_t::~gssapi_client_t ()
{
if(service_name)
free (service_name);
/// FIXME release this or not?
if(cred)
gss_release_cred(&min_stat, &cred);
}

int zmq::gssapi_client_t::next_handshake_command (msg_t *msg_)
{
int rc = 0;

switch (state) {
case sending_hello:
rc = produce_hello (msg_);
case send_next_token:
rc = produce_next_token (msg_);
if (rc == 0)
state = waiting_for_welcome;
state = recv_next_token;
break;
case sending_initiate:
rc = produce_initiate (msg_);
if (rc == 0)
state = waiting_for_token;
break;
case sending_token:
rc = produce_token (msg_, 0, (char *) "o, hai!", 7);
if (rc == 0)
state = waiting_for_ready; //state = expecting_another_token? waiting_for_token: waiting_for_ready;
case almost_ready:
state = ready;
break;
default:
errno = EAGAIN;
rc = -1;
break;
}
return rc;
}

int zmq::gssapi_client_t::process_handshake_command (msg_t *msg_)
{
int rc = 0;
int flags = 0;
gss_buffer_desc buf;
buf.value = NULL;
buf.length = 0;

switch (state) {
case waiting_for_welcome:
rc = process_welcome (msg_);
case recv_next_token:
rc = process_next_token (msg_);
if (rc == 0)
state = sending_initiate;
state = security_context_established? almost_ready: send_next_token;
break;
case waiting_for_token:
rc = process_token (msg_, flags, &buf.value, buf.length);
if (rc == 0)
state = sending_token; // state = expecting_another_token? sending_token: sending_ready;
break;
case waiting_for_ready:
rc = process_ready (msg_);
if (rc == 0)
state = ready;
case almost_ready:
state = ready;
break;
default:
errno = EPROTO;
rc = -1;
break;
}

if (buf.value) {
free (buf.value);
}

if (rc == 0) {
rc = msg_->close ();
errno_assert (rc == 0);
rc = msg_->init ();
errno_assert (rc == 0);
}

return rc;
}

bool zmq::gssapi_client_t::is_handshake_complete () const
{
fprintf(stderr, "%s:%d: is_handshake_complete=%d, security_context_established=%d\n", __FILE__, __LINE__, (state==ready), security_context_established); /// FIXME remove
return state == ready;
}

int zmq::gssapi_client_t::produce_hello (msg_t *msg_) const
int zmq::gssapi_client_t::produce_next_token (msg_t *msg_)
{
const std::string username = "admin";
zmq_assert (username.length () < 256);

const std::string password = "secret";
zmq_assert (password.length () < 256);

const size_t command_size = 6 + 1 + username.length ()
+ 1 + password.length ();
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);

unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
memcpy (ptr, "\x05HELLO", 6);
ptr += 6;

*ptr++ = static_cast <unsigned char> (username.length ());
memcpy (ptr, username.c_str (), username.length ());
ptr += username.length ();

*ptr++ = static_cast <unsigned char> (password.length ());
memcpy (ptr, password.c_str (), password.length ());
ptr += password.length ();
// First time through, import service_name into target_name
if (target_name == GSS_C_NO_NAME) {
send_tok.value = service_name;
send_tok.length = strlen(service_name);
OM_uint32 maj = gss_import_name(&min_stat, &send_tok,
gss_nt_service_name, &target_name);

if (maj != GSS_S_COMPLETE) {
fprintf(stderr, "%s:%d: failed to import service name\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
return -1;
}
}

return 0;
}
maj_stat = gss_init_sec_context(&init_sec_min_stat, cred, &context,
target_name, mechs.elements,
gss_flags, 0, NULL, token_ptr, NULL,
&send_tok, &ret_flags, NULL);

if (token_ptr != GSS_C_NO_BUFFER)
free(recv_tok.value);

if (send_tok.length != 0) { // server expects another token
fprintf(stderr, "%s:%d: producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
if (produce_token (msg_, TOKEN_CONTEXT, send_tok.value, send_tok.length) < 0) {
gss_release_buffer(&min_stat, &send_tok);
gss_release_name(&min_stat, &target_name);
return -1;
}
}
else
fprintf(stderr, "%s:%d: skip producing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);

int zmq::gssapi_client_t::process_welcome (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();
gss_release_buffer(&min_stat, &send_tok);

if (bytes_left != 8 || memcmp (ptr, "\x07WELCOME", 8)) {
errno = EPROTO;
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) {
fprintf(stderr, "%s:%d: failed to create GSSAPI security context\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat);
gss_release_name(&min_stat, &target_name);
if (context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
return -1;
}

return 0;
}

int zmq::gssapi_client_t::produce_initiate (msg_t *msg_) const
int zmq::gssapi_client_t::process_next_token (msg_t *msg_)
{
unsigned char * const command_buffer = (unsigned char *) malloc (512);
alloc_assert (command_buffer);

unsigned char *ptr = command_buffer;

// Add mechanism string
memcpy (ptr, "\x08INITIATE", 9);
ptr += 9;

// Add socket type property
const char *socket_type = socket_type_string (options.type);
ptr += add_property (ptr, "Socket-Type", socket_type, strlen (socket_type));

// Add identity property
if (options.type == ZMQ_REQ
|| options.type == ZMQ_DEALER
|| options.type == ZMQ_ROUTER) {
ptr += add_property (ptr, "Identity",
options.identity, options.identity_size);
if (maj_stat == GSS_S_CONTINUE_NEEDED) {
fprintf(stderr, "%s:%d: processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);
if (process_token(msg_, token_flags, &recv_tok.value, recv_tok.length) < 0) {
gss_release_name(&min_stat, &target_name);
return -1;
}
token_ptr = &recv_tok;
}
else
fprintf(stderr, "%s:%d: skip processing token\n", __FILE__, __LINE__); /// FIXME die("creating context", maj_stat, init_sec_min_stat); /// FIXME die("parsing name", maj_stat, min_stat);

const size_t command_size = ptr - command_buffer;
const int rc = msg_->init_size (command_size);
errno_assert (rc == 0);
memcpy (msg_->data (), command_buffer, command_size);
free (command_buffer);
if (maj_stat == GSS_S_COMPLETE)
security_context_established = true;

return 0;
}

int zmq::gssapi_client_t::process_ready (msg_t *msg_)
{
const unsigned char *ptr = static_cast <unsigned char *> (msg_->data ());
size_t bytes_left = msg_->size ();

if (bytes_left < 6 || memcmp (ptr, "\x05READY", 6)) {
errno = EPROTO;
return -1;
}
ptr += 6;
bytes_left -= 6;
return parse_metadata (ptr, bytes_left);
}

19 changes: 8 additions & 11 deletions src/gssapi_client.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,22 +46,19 @@ namespace zmq
private:

enum state_t {
sending_hello,
waiting_for_welcome,
sending_initiate,
sending_token,
waiting_for_token,
waiting_for_ready,
send_next_token,
recv_next_token,
almost_ready,
ready
};

state_t state;
gss_buffer_desc *token_ptr;
gss_OID_set_desc mechs;
bool security_context_established;

int produce_hello (msg_t *msg_) const;
int produce_initiate (msg_t *msg_) const;

int process_welcome (msg_t *msg);
int process_ready (msg_t *msg_);
int produce_next_token (msg_t *msg_);
int process_next_token (msg_t *msg_);
};

}
Expand Down
47 changes: 46 additions & 1 deletion src/gssapi_mechanism_base.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,29 @@
#include "gssapi_mechanism_base.hpp"
#include "wire.hpp"

zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t ()
zmq::gssapi_mechanism_base_t::gssapi_mechanism_base_t () :
send_tok (),
recv_tok (),
in_buf (),
target_name (GSS_C_NO_NAME),
service_name (NULL),
maj_stat (GSS_S_COMPLETE),
min_stat (0),
init_sec_min_stat (0),
ret_flags (0),
gss_flags (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG),
token_flags (0),
cred (GSS_C_NO_CREDENTIAL),
context (GSS_C_NO_CONTEXT)
{
}

zmq::gssapi_mechanism_base_t::~gssapi_mechanism_base_t ()
{
if(target_name)
gss_release_name(&min_stat, &target_name);
if(context)
gss_delete_sec_context(&min_stat, &context, GSS_C_NO_BUFFER);
}

int zmq::gssapi_mechanism_base_t::produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_)
Expand Down Expand Up @@ -128,3 +145,31 @@ int zmq::gssapi_mechanism_base_t::process_token (msg_t *msg_, int &flags_, void
return 0;
}

int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss_cred_id_t * cred_)
{
OM_uint32 maj_stat;
OM_uint32 min_stat;
gss_name_t server_name;

gss_buffer_desc name_buf;
name_buf.value = service_name_;
name_buf.length = strlen ((char *) name_buf.value) + 1;

maj_stat = gss_import_name (&min_stat, &name_buf,
gss_nt_service_name, &server_name);

if (maj_stat != GSS_S_COMPLETE)
return -1;

maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
cred_, NULL, NULL);

if (maj_stat != GSS_S_COMPLETE)
return -1;

gss_release_name(&min_stat, &server_name);

return 0;
}

25 changes: 25 additions & 0 deletions src/gssapi_mechanism_base.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,31 @@ namespace zmq
protected:
int produce_token (msg_t *msg_, int flags_, void *token_value_, size_t token_length_);
int process_token (msg_t *msg_, int &flags_, void **token_value_, size_t &token_length_);
static int acquire_credentials (char * service_name_, gss_cred_id_t * cred_);

protected:
const static int TOKEN_NOOP = (1<<0);
const static int TOKEN_CONTEXT = (1<<1);
const static int TOKEN_DATA = (1<<2);
const static int TOKEN_MIC = (1<<3);
const static int TOKEN_CONTEXT_NEXT = (1<<4);
const static int TOKEN_WRAPPED = (1<<5);
const static int TOKEN_ENCRYPTED = (1<<6);
const static int TOKEN_SEND_MIC = (1<<7);

gss_buffer_desc send_tok;
gss_buffer_desc recv_tok;
gss_buffer_desc in_buf;
gss_name_t target_name;
char * service_name;
OM_uint32 maj_stat;
OM_uint32 min_stat;
OM_uint32 init_sec_min_stat;
OM_uint32 ret_flags;
OM_uint32 gss_flags;
int token_flags;
gss_cred_id_t cred;
gss_ctx_id_t context;
};

}
Expand Down
Loading

0 comments on commit 1445516

Please sign in to comment.