Problem: ZAP is allowed to be configured incorrectly or not to work

Solution: if inproc://zeromq.zap.01 exists, which means ZAP is enabled, abort immediately if it cannot be used (eg: out of memory) or it is configured incorrectly (eg: wrong socket type). Otherwise authentication failures will simply be ignored and unauthorised peers will be allowed to slip in.
SageAxcess · Jun 13, 2017 · 33695d1 · 33695d1
1 parent 10a9ba0
commit 33695d1
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 10 deletions.
diff --git a/src/curve_server.cpp b/src/curve_server.cpp
@@ -490,6 +490,9 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
     zmq_assert (rc == 0);
 
     //  Use ZAP protocol (RFC 27) to authenticate the user.
+    //  Note that rc will be -1 only if ZAP is not set up (Stonehouse pattern -
+    //  encryption without authentication), but if it was requested and it does
+    //  not work properly the program will abort.
     rc = session->zap_connect ();
     if (rc != 0)
         return -1;

diff --git a/src/gssapi_server.cpp b/src/gssapi_server.cpp
@@ -120,6 +120,8 @@ int zmq::gssapi_server_t::process_handshake_command (msg_t *msg_)
 
     if (security_context_established) {
         //  Use ZAP protocol (RFC 27) to authenticate the user.
+        //  Note that rc will be -1 only if ZAP is not set up, but if it was
+        //  requested and it does not work properly the program will abort.
         int rc = session->zap_connect ();
         if (rc != 0)
             return -1;

diff --git a/src/plain_server.cpp b/src/plain_server.cpp
@@ -189,6 +189,9 @@ int zmq::plain_server_t::process_hello (msg_t *msg_)
     }
 
     //  Use ZAP protocol (RFC 27) to authenticate the user.
+    //  Note that there is no point to PLAIN if ZAP is not set up to handle the
+    //  username and password, so if ZAP is not configured it is considered a
+    //  failure.
     int rc = session->zap_connect ();
     if (rc != 0)
         return -1;

diff --git a/src/session_base.cpp b/src/session_base.cpp
@@ -315,6 +315,12 @@ void zmq::session_base_t::process_plug ()
         start_connecting (false);
 }
 
+//  This functions can return 0 on success or -1 and errno=ECONNREFUSED if ZAP
+//  is not setup (IE: inproc://zeromq.zap.01 does not exist in the same context)
+//  or it aborts on any other error. In other words, either ZAP is not
+//  configured or if it is configured it MUST be configured correctly and it
+//  MUST work, otherwise authentication cannot be guaranteed and it would be a
+//  security flaw.
 int zmq::session_base_t::zap_connect ()
 {
     zmq_assert (zap_pipe == NULL);
@@ -324,12 +330,9 @@ int zmq::session_base_t::zap_connect ()
         errno = ECONNREFUSED;
         return -1;
     }
-    if (peer.options.type != ZMQ_REP
-    &&  peer.options.type != ZMQ_ROUTER
-    &&  peer.options.type != ZMQ_SERVER) {
-        errno = ECONNREFUSED;
-        return -1;
-    }
+    zmq_assert (peer.options.type == ZMQ_REP ||
+            peer.options.type == ZMQ_ROUTER ||
+            peer.options.type == ZMQ_SERVER);
 
     //  Create a bi-directional pipe that will connect
     //  session with zap socket.
@@ -353,10 +356,9 @@ int zmq::session_base_t::zap_connect ()
         rc = id.init ();
         errno_assert (rc == 0);
         id.set_flags (msg_t::identity);
-        if (zap_pipe->write (&id))
-            zap_pipe->flush ();
-        else
-            return -1;
+        bool ok = zap_pipe->write (&id);
+        zmq_assert (ok);
+        zap_pipe->flush ();
     }
 
     return 0;