2013-06-18 23:38:24 +02:00
|
|
|
/*
|
2016-01-28 15:07:31 +01:00
|
|
|
Copyright (c) 2007-2016 Contributors as noted in the AUTHORS file
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2015-06-02 22:33:55 +02:00
|
|
|
This file is part of libzmq, the ZeroMQ core engine in C++.
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2015-06-02 22:33:55 +02:00
|
|
|
libzmq is free software; you can redistribute it and/or modify it under
|
|
|
|
the terms of the GNU Lesser General Public License (LGPL) as published
|
|
|
|
by the Free Software Foundation; either version 3 of the License, or
|
2013-06-18 23:38:24 +02:00
|
|
|
(at your option) any later version.
|
|
|
|
|
2015-06-02 22:33:55 +02:00
|
|
|
As a special exception, the Contributors give you permission to link
|
|
|
|
this library with independent modules to produce an executable,
|
|
|
|
regardless of the license terms of these independent modules, and to
|
|
|
|
copy and distribute the resulting executable under terms of your choice,
|
|
|
|
provided that you also meet, for each linked independent module, the
|
|
|
|
terms and conditions of the license of that module. An independent
|
|
|
|
module is a module which is not derived from or based on this library.
|
|
|
|
If you modify this library, you must extend this exception to your
|
|
|
|
version of the library.
|
|
|
|
|
|
|
|
libzmq is distributed in the hope that it will be useful, but WITHOUT
|
|
|
|
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
|
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
|
|
|
License for more details.
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
2016-02-18 10:56:52 -06:00
|
|
|
#include "precompiled.hpp"
|
|
|
|
#include "macros.hpp"
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2016-02-11 13:32:01 +01:00
|
|
|
#ifdef ZMQ_HAVE_CURVE
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
#include "msg.hpp"
|
|
|
|
#include "session_base.hpp"
|
|
|
|
#include "err.hpp"
|
|
|
|
#include "curve_server.hpp"
|
|
|
|
#include "wire.hpp"
|
2019-07-11 12:59:46 +02:00
|
|
|
#include "secure_allocator.hpp"
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
zmq::curve_server_t::curve_server_t (session_base_t *session_,
|
2013-07-18 09:39:19 +02:00
|
|
|
const std::string &peer_address_,
|
2020-05-03 17:29:19 +01:00
|
|
|
const options_t &options_,
|
|
|
|
const bool downgrade_sub_) :
|
2017-08-18 10:04:58 +02:00
|
|
|
mechanism_base_t (session_, options_),
|
2017-08-16 15:48:59 +02:00
|
|
|
zap_client_common_handshake_t (
|
|
|
|
session_, peer_address_, options_, sending_ready),
|
2020-05-03 17:29:19 +01:00
|
|
|
curve_mechanism_base_t (session_,
|
|
|
|
options_,
|
|
|
|
"CurveZMQMESSAGES",
|
|
|
|
"CurveZMQMESSAGEC",
|
|
|
|
downgrade_sub_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
2014-11-08 10:50:17 +01:00
|
|
|
int rc;
|
2013-06-18 23:38:24 +02:00
|
|
|
// Fetch our secret key from socket options
|
2018-05-27 11:10:39 +02:00
|
|
|
memcpy (_secret_key, options_.curve_secret_key, crypto_box_SECRETKEYBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2013-09-17 14:05:55 +02:00
|
|
|
// Generate short-term key pair
|
2020-05-21 13:56:02 +01:00
|
|
|
memset (_cn_secret, 0, crypto_box_SECRETKEYBYTES);
|
|
|
|
memset (_cn_public, 0, crypto_box_PUBLICKEYBYTES);
|
2018-05-27 11:10:39 +02:00
|
|
|
rc = crypto_box_keypair (_cn_public, _cn_secret);
|
2013-06-18 23:38:24 +02:00
|
|
|
zmq_assert (rc == 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
zmq::curve_server_t::~curve_server_t ()
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2013-09-04 17:59:45 +02:00
|
|
|
int zmq::curve_server_t::next_handshake_command (msg_t *msg_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
switch (state) {
|
2017-08-16 15:25:08 +02:00
|
|
|
case sending_welcome:
|
2013-09-04 17:59:45 +02:00
|
|
|
rc = produce_welcome (msg_);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc == 0)
|
2017-08-16 15:25:08 +02:00
|
|
|
state = waiting_for_initiate;
|
2013-06-18 23:38:24 +02:00
|
|
|
break;
|
2017-08-16 15:25:08 +02:00
|
|
|
case sending_ready:
|
2013-09-04 17:59:45 +02:00
|
|
|
rc = produce_ready (msg_);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc == 0)
|
2017-08-16 15:25:08 +02:00
|
|
|
state = ready;
|
2013-06-18 23:38:24 +02:00
|
|
|
break;
|
2017-08-16 15:25:08 +02:00
|
|
|
case sending_error:
|
2014-05-16 07:25:29 +02:00
|
|
|
rc = produce_error (msg_);
|
|
|
|
if (rc == 0)
|
|
|
|
state = error_sent;
|
|
|
|
break;
|
2013-06-18 23:38:24 +02:00
|
|
|
default:
|
|
|
|
errno = EAGAIN;
|
|
|
|
rc = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2013-09-04 17:59:45 +02:00
|
|
|
int zmq::curve_server_t::process_handshake_command (msg_t *msg_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
switch (state) {
|
2017-08-16 15:25:08 +02:00
|
|
|
case waiting_for_hello:
|
2013-06-18 23:38:24 +02:00
|
|
|
rc = process_hello (msg_);
|
|
|
|
break;
|
2017-08-16 15:25:08 +02:00
|
|
|
case waiting_for_initiate:
|
2013-06-18 23:38:24 +02:00
|
|
|
rc = process_initiate (msg_);
|
|
|
|
break;
|
|
|
|
default:
|
2017-08-15 16:28:24 +02:00
|
|
|
// TODO I think this is not a case reachable with a misbehaving
|
|
|
|
// client. It is not an "invalid handshake command", but would be
|
|
|
|
// trying to process a handshake command in an invalid state,
|
|
|
|
// which is purely under control of this peer.
|
|
|
|
// Therefore, it should be changed to zmq_assert (false);
|
|
|
|
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: invalid handshake command
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_UNSPECIFIED);
|
2013-06-22 08:11:55 +02:00
|
|
|
errno = EPROTO;
|
2013-06-18 23:38:24 +02:00
|
|
|
rc = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (rc == 0) {
|
|
|
|
rc = msg_->close ();
|
|
|
|
errno_assert (rc == 0);
|
|
|
|
rc = msg_->init ();
|
|
|
|
errno_assert (rc == 0);
|
|
|
|
}
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2013-06-22 11:46:40 +02:00
|
|
|
int zmq::curve_server_t::encode (msg_t *msg_)
|
|
|
|
{
|
2017-08-16 15:25:08 +02:00
|
|
|
zmq_assert (state == ready);
|
2017-08-18 11:34:22 +02:00
|
|
|
return curve_mechanism_base_t::encode (msg_);
|
2013-06-22 11:46:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
int zmq::curve_server_t::decode (msg_t *msg_)
|
|
|
|
{
|
2017-08-16 15:25:08 +02:00
|
|
|
zmq_assert (state == ready);
|
2017-08-18 11:34:22 +02:00
|
|
|
return curve_mechanism_base_t::decode (msg_);
|
2013-06-22 11:46:40 +02:00
|
|
|
}
|
|
|
|
|
2013-06-18 23:38:24 +02:00
|
|
|
int zmq::curve_server_t::process_hello (msg_t *msg_)
|
|
|
|
{
|
2017-08-17 17:54:07 +02:00
|
|
|
int rc = check_basic_command_structure (msg_);
|
|
|
|
if (rc == -1)
|
|
|
|
return -1;
|
|
|
|
|
2017-08-17 18:16:31 +02:00
|
|
|
const size_t size = msg_->size ();
|
2017-08-17 17:54:07 +02:00
|
|
|
const uint8_t *const hello = static_cast<uint8_t *> (msg_->data ());
|
2017-08-17 18:16:31 +02:00
|
|
|
|
|
|
|
if (size < 6 || memcmp (hello, "\x05HELLO", 6)) {
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_UNEXPECTED_COMMAND);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-08-17 18:16:31 +02:00
|
|
|
if (size != 200) {
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (),
|
|
|
|
ZMQ_PROTOCOL_ERROR_ZMTP_MALFORMED_COMMAND_HELLO);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2013-06-28 11:42:54 +02:00
|
|
|
const uint8_t major = hello[6];
|
|
|
|
const uint8_t minor = hello[7];
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
if (major != 1 || minor != 0) {
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: client HELLO has unknown version number
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (),
|
|
|
|
ZMQ_PROTOCOL_ERROR_ZMTP_MALFORMED_COMMAND_HELLO);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2013-09-17 14:05:55 +02:00
|
|
|
// Save client's short-term public key (C')
|
2018-05-27 11:10:39 +02:00
|
|
|
memcpy (_cn_client, hello + 80, 32);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
uint8_t hello_nonce[crypto_box_NONCEBYTES];
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > hello_plaintext (
|
|
|
|
crypto_box_ZEROBYTES + 64);
|
2013-06-18 23:38:24 +02:00
|
|
|
uint8_t hello_box[crypto_box_BOXZEROBYTES + 80];
|
|
|
|
|
|
|
|
memcpy (hello_nonce, "CurveZMQHELLO---", 16);
|
|
|
|
memcpy (hello_nonce + 16, hello + 112, 8);
|
2020-02-03 11:56:37 +01:00
|
|
|
set_peer_nonce (get_uint64 (hello + 112));
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
memset (hello_box, 0, crypto_box_BOXZEROBYTES);
|
|
|
|
memcpy (hello_box + crypto_box_BOXZEROBYTES, hello + 120, 80);
|
|
|
|
|
|
|
|
// Open Box [64 * %x0](C'->S)
|
2019-07-11 12:59:46 +02:00
|
|
|
rc = crypto_box_open (&hello_plaintext[0], hello_box, sizeof hello_box,
|
2018-05-27 11:10:39 +02:00
|
|
|
hello_nonce, _cn_client, _secret_key);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc != 0) {
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: cannot open client HELLO -- wrong server key?
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
|
2017-03-29 10:43:56 -07:00
|
|
|
errno = EPROTO;
|
2016-12-30 18:26:56 +01:00
|
|
|
return -1;
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
2017-03-29 10:43:56 -07:00
|
|
|
|
2017-08-16 15:25:08 +02:00
|
|
|
state = sending_welcome;
|
2013-06-18 23:38:24 +02:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2013-09-04 17:59:45 +02:00
|
|
|
int zmq::curve_server_t::produce_welcome (msg_t *msg_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
|
|
|
uint8_t cookie_nonce[crypto_secretbox_NONCEBYTES];
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > cookie_plaintext (
|
|
|
|
crypto_secretbox_ZEROBYTES + 64);
|
2013-06-18 23:38:24 +02:00
|
|
|
uint8_t cookie_ciphertext[crypto_secretbox_BOXZEROBYTES + 80];
|
|
|
|
|
|
|
|
// Create full nonce for encryption
|
|
|
|
// 8-byte prefix plus 16-byte random nonce
|
2020-05-21 13:56:02 +01:00
|
|
|
memset (cookie_nonce, 0, crypto_secretbox_NONCEBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
memcpy (cookie_nonce, "COOKIE--", 8);
|
|
|
|
randombytes (cookie_nonce + 8, 16);
|
|
|
|
|
|
|
|
// Generate cookie = Box [C' + s'](t)
|
2019-07-11 12:59:46 +02:00
|
|
|
std::fill (cookie_plaintext.begin (),
|
|
|
|
cookie_plaintext.begin () + crypto_secretbox_ZEROBYTES, 0);
|
|
|
|
memcpy (&cookie_plaintext[crypto_secretbox_ZEROBYTES], _cn_client, 32);
|
|
|
|
memcpy (&cookie_plaintext[crypto_secretbox_ZEROBYTES + 32], _cn_secret, 32);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
// Generate fresh cookie key
|
2020-05-21 13:56:02 +01:00
|
|
|
memset (_cookie_key, 0, crypto_secretbox_KEYBYTES);
|
2018-05-27 11:10:39 +02:00
|
|
|
randombytes (_cookie_key, crypto_secretbox_KEYBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
// Encrypt using symmetric cookie key
|
|
|
|
int rc =
|
2019-07-11 12:59:46 +02:00
|
|
|
crypto_secretbox (cookie_ciphertext, &cookie_plaintext[0],
|
|
|
|
cookie_plaintext.size (), cookie_nonce, _cookie_key);
|
2013-06-18 23:38:24 +02:00
|
|
|
zmq_assert (rc == 0);
|
|
|
|
|
|
|
|
uint8_t welcome_nonce[crypto_box_NONCEBYTES];
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > welcome_plaintext (
|
|
|
|
crypto_box_ZEROBYTES + 128);
|
2013-06-18 23:38:24 +02:00
|
|
|
uint8_t welcome_ciphertext[crypto_box_BOXZEROBYTES + 144];
|
|
|
|
|
|
|
|
// Create full nonce for encryption
|
|
|
|
// 8-byte prefix plus 16-byte random nonce
|
2020-05-21 13:56:02 +01:00
|
|
|
memset (welcome_nonce, 0, crypto_box_NONCEBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
memcpy (welcome_nonce, "WELCOME-", 8);
|
|
|
|
randombytes (welcome_nonce + 8, crypto_box_NONCEBYTES - 8);
|
|
|
|
|
|
|
|
// Create 144-byte Box [S' + cookie](S->C')
|
2019-07-11 12:59:46 +02:00
|
|
|
std::fill (welcome_plaintext.begin (),
|
|
|
|
welcome_plaintext.begin () + crypto_box_ZEROBYTES, 0);
|
|
|
|
memcpy (&welcome_plaintext[crypto_box_ZEROBYTES], _cn_public, 32);
|
|
|
|
memcpy (&welcome_plaintext[crypto_box_ZEROBYTES + 32], cookie_nonce + 8,
|
2013-06-18 23:38:24 +02:00
|
|
|
16);
|
2019-07-11 12:59:46 +02:00
|
|
|
memcpy (&welcome_plaintext[crypto_box_ZEROBYTES + 48],
|
2013-06-18 23:38:24 +02:00
|
|
|
cookie_ciphertext + crypto_secretbox_BOXZEROBYTES, 80);
|
|
|
|
|
2019-07-11 12:59:46 +02:00
|
|
|
rc = crypto_box (welcome_ciphertext, &welcome_plaintext[0],
|
|
|
|
welcome_plaintext.size (), welcome_nonce, _cn_client,
|
2018-05-27 11:10:39 +02:00
|
|
|
_secret_key);
|
2017-08-15 16:28:24 +02:00
|
|
|
|
|
|
|
// TODO I think we should change this back to zmq_assert (rc == 0);
|
|
|
|
// as it was before https://github.com/zeromq/libzmq/pull/1832
|
|
|
|
// The reason given there was that secret_key might be 0ed.
|
|
|
|
// But if it were, we would never get this far, since we could
|
|
|
|
// not have opened the client's hello box with a 0ed key.
|
|
|
|
|
2016-03-01 15:01:23 +01:00
|
|
|
if (rc == -1)
|
|
|
|
return -1;
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
rc = msg_->init_size (168);
|
|
|
|
errno_assert (rc == 0);
|
|
|
|
|
|
|
|
uint8_t *const welcome = static_cast<uint8_t *> (msg_->data ());
|
2013-09-04 17:59:45 +02:00
|
|
|
memcpy (welcome, "\x07WELCOME", 8);
|
2013-06-18 23:38:24 +02:00
|
|
|
memcpy (welcome + 8, welcome_nonce + 8, 16);
|
|
|
|
memcpy (welcome + 24, welcome_ciphertext + crypto_box_BOXZEROBYTES, 144);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int zmq::curve_server_t::process_initiate (msg_t *msg_)
|
|
|
|
{
|
2017-08-17 17:54:07 +02:00
|
|
|
int rc = check_basic_command_structure (msg_);
|
|
|
|
if (rc == -1)
|
|
|
|
return -1;
|
|
|
|
|
2017-08-17 18:16:31 +02:00
|
|
|
const size_t size = msg_->size ();
|
2017-08-17 17:54:07 +02:00
|
|
|
const uint8_t *initiate = static_cast<uint8_t *> (msg_->data ());
|
2017-08-17 18:16:31 +02:00
|
|
|
|
|
|
|
if (size < 9 || memcmp (initiate, "\x08INITIATE", 9)) {
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_UNEXPECTED_COMMAND);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-08-17 18:16:31 +02:00
|
|
|
if (size < 257) {
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (),
|
|
|
|
ZMQ_PROTOCOL_ERROR_ZMTP_MALFORMED_COMMAND_INITIATE);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
uint8_t cookie_nonce[crypto_secretbox_NONCEBYTES];
|
|
|
|
uint8_t cookie_plaintext[crypto_secretbox_ZEROBYTES + 64];
|
|
|
|
uint8_t cookie_box[crypto_secretbox_BOXZEROBYTES + 80];
|
|
|
|
|
|
|
|
// Open Box [C' + s'](t)
|
|
|
|
memset (cookie_box, 0, crypto_secretbox_BOXZEROBYTES);
|
2013-06-28 11:42:54 +02:00
|
|
|
memcpy (cookie_box + crypto_secretbox_BOXZEROBYTES, initiate + 25, 80);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
memcpy (cookie_nonce, "COOKIE--", 8);
|
2013-06-28 11:42:54 +02:00
|
|
|
memcpy (cookie_nonce + 8, initiate + 9, 16);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2017-08-17 17:54:07 +02:00
|
|
|
rc = crypto_secretbox_open (cookie_plaintext, cookie_box, sizeof cookie_box,
|
2018-05-27 11:10:39 +02:00
|
|
|
cookie_nonce, _cookie_key);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc != 0) {
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: cannot open client INITIATE cookie
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check cookie plain text is as expected [C' + s']
|
2018-05-27 11:10:39 +02:00
|
|
|
if (memcmp (cookie_plaintext + crypto_secretbox_ZEROBYTES, _cn_client, 32)
|
2013-09-24 15:31:10 +02:00
|
|
|
|| memcmp (cookie_plaintext + crypto_secretbox_ZEROBYTES + 32,
|
2018-05-27 11:10:39 +02:00
|
|
|
_cn_secret, 32)) {
|
2017-08-15 16:28:24 +02:00
|
|
|
// TODO this case is very hard to test, as it would require a modified
|
|
|
|
// client that knows the server's secret temporary cookie key
|
|
|
|
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: client INITIATE cookie is not valid
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
|
2013-10-04 08:20:55 +02:00
|
|
|
errno = EPROTO;
|
2013-06-18 23:38:24 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-08-17 18:16:31 +02:00
|
|
|
const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
uint8_t initiate_nonce[crypto_box_NONCEBYTES];
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > initiate_plaintext (
|
|
|
|
crypto_box_ZEROBYTES + clen);
|
2019-07-10 11:57:18 +02:00
|
|
|
std::vector<uint8_t> initiate_box (crypto_box_BOXZEROBYTES + clen);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
// Open Box [C + vouch + metadata](C'->S')
|
2019-07-10 11:57:18 +02:00
|
|
|
std::fill (initiate_box.begin (),
|
|
|
|
initiate_box.begin () + crypto_box_BOXZEROBYTES, 0);
|
|
|
|
memcpy (&initiate_box[crypto_box_BOXZEROBYTES], initiate + 113,
|
2013-06-28 11:42:54 +02:00
|
|
|
clen - crypto_box_BOXZEROBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
memcpy (initiate_nonce, "CurveZMQINITIATE", 16);
|
2013-06-28 11:42:54 +02:00
|
|
|
memcpy (initiate_nonce + 16, initiate + 105, 8);
|
2020-02-03 11:56:37 +01:00
|
|
|
set_peer_nonce (get_uint64 (initiate + 105));
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2019-07-10 11:57:18 +02:00
|
|
|
const uint8_t *client_key = &initiate_plaintext[crypto_box_ZEROBYTES];
|
2019-07-02 01:24:19 +01:00
|
|
|
|
2019-07-10 11:57:18 +02:00
|
|
|
rc = crypto_box_open (&initiate_plaintext[0], &initiate_box[0], clen,
|
2018-05-27 11:10:39 +02:00
|
|
|
initiate_nonce, _cn_client, _cn_secret);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc != 0) {
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: cannot open client INITIATE
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
2019-07-10 11:57:18 +02:00
|
|
|
return -1;
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
uint8_t vouch_nonce[crypto_box_NONCEBYTES];
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > vouch_plaintext (
|
|
|
|
crypto_box_ZEROBYTES + 64);
|
2013-09-24 15:31:10 +02:00
|
|
|
uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2013-09-24 15:31:10 +02:00
|
|
|
// Open Box Box [C',S](C->S') and check contents
|
2013-06-18 23:38:24 +02:00
|
|
|
memset (vouch_box, 0, crypto_box_BOXZEROBYTES);
|
|
|
|
memcpy (vouch_box + crypto_box_BOXZEROBYTES,
|
2019-07-10 11:57:18 +02:00
|
|
|
&initiate_plaintext[crypto_box_ZEROBYTES + 48], 80);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2020-05-21 13:56:02 +01:00
|
|
|
memset (vouch_nonce, 0, crypto_box_NONCEBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
memcpy (vouch_nonce, "VOUCH---", 8);
|
2019-07-10 11:57:18 +02:00
|
|
|
memcpy (vouch_nonce + 8, &initiate_plaintext[crypto_box_ZEROBYTES + 32],
|
2013-06-18 23:38:24 +02:00
|
|
|
16);
|
|
|
|
|
2019-07-11 12:59:46 +02:00
|
|
|
rc = crypto_box_open (&vouch_plaintext[0], vouch_box, sizeof vouch_box,
|
2018-05-27 11:10:39 +02:00
|
|
|
vouch_nonce, client_key, _cn_secret);
|
2013-06-18 23:38:24 +02:00
|
|
|
if (rc != 0) {
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: cannot open client INITIATE vouch
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
2019-07-10 11:57:18 +02:00
|
|
|
return -1;
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
|
|
|
|
2013-09-17 14:05:55 +02:00
|
|
|
// What we decrypted must be the client's short-term public key
|
2019-07-11 12:59:46 +02:00
|
|
|
if (memcmp (&vouch_plaintext[crypto_box_ZEROBYTES], _cn_client, 32)) {
|
2017-08-15 16:28:24 +02:00
|
|
|
// TODO this case is very hard to test, as it would require a modified
|
|
|
|
// client that knows the server's secret short-term key
|
|
|
|
|
2017-08-03 15:15:56 +02:00
|
|
|
// CURVE I: invalid handshake from client (public key)
|
2017-08-17 17:54:07 +02:00
|
|
|
session->get_socket ()->event_handshake_failed_protocol (
|
|
|
|
session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno = EPROTO;
|
2019-07-10 11:57:18 +02:00
|
|
|
return -1;
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Precompute connection secret from client key
|
2020-02-03 11:56:37 +01:00
|
|
|
rc = crypto_box_beforenm (get_writable_precom_buffer (), _cn_client,
|
|
|
|
_cn_secret);
|
2013-06-18 23:38:24 +02:00
|
|
|
zmq_assert (rc == 0);
|
|
|
|
|
2017-10-07 18:34:18 +01:00
|
|
|
// Given this is a backward-incompatible change, it's behind a socket
|
|
|
|
// option disabled by default.
|
|
|
|
if (zap_required () || !options.zap_enforce_domain) {
|
2017-09-18 15:24:10 +02:00
|
|
|
// Use ZAP protocol (RFC 27) to authenticate the user.
|
2017-09-18 11:48:14 +02:00
|
|
|
rc = session->zap_connect ();
|
|
|
|
if (rc == 0) {
|
|
|
|
send_zap_request (client_key);
|
2017-09-18 15:24:10 +02:00
|
|
|
state = waiting_for_zap_reply;
|
|
|
|
|
|
|
|
// TODO actually, it is quite unlikely that we can read the ZAP
|
|
|
|
// reply already, but removing this has some strange side-effect
|
|
|
|
// (probably because the pipe's in_active flag is true until a read
|
|
|
|
// is attempted)
|
2019-07-10 11:57:18 +02:00
|
|
|
if (-1 == receive_and_process_zap_reply ())
|
|
|
|
return -1;
|
2017-10-07 18:34:18 +01:00
|
|
|
} else if (!options.zap_enforce_domain) {
|
|
|
|
// This supports the Stonehouse pattern (encryption without
|
|
|
|
// authentication) in legacy mode (domain set but no handler).
|
|
|
|
state = sending_ready;
|
2017-09-18 11:48:14 +02:00
|
|
|
} else {
|
|
|
|
session->get_socket ()->event_handshake_failed_no_detail (
|
|
|
|
session->get_endpoint (), EFAULT);
|
2019-07-10 11:57:18 +02:00
|
|
|
return -1;
|
2017-09-18 11:48:14 +02:00
|
|
|
}
|
2017-09-18 15:24:10 +02:00
|
|
|
} else {
|
|
|
|
// This supports the Stonehouse pattern (encryption without authentication).
|
2017-08-16 15:25:08 +02:00
|
|
|
state = sending_ready;
|
2017-09-18 15:24:10 +02:00
|
|
|
}
|
2013-06-22 15:33:44 +02:00
|
|
|
|
2019-07-10 11:57:18 +02:00
|
|
|
return parse_metadata (&initiate_plaintext[crypto_box_ZEROBYTES + 128],
|
|
|
|
clen - crypto_box_ZEROBYTES - 128);
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
|
|
|
|
2013-09-04 17:59:45 +02:00
|
|
|
int zmq::curve_server_t::produce_ready (msg_t *msg_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
2017-08-15 19:42:31 +02:00
|
|
|
const size_t metadata_length = basic_properties_len ();
|
2013-06-18 23:38:24 +02:00
|
|
|
uint8_t ready_nonce[crypto_box_NONCEBYTES];
|
2017-08-15 19:42:31 +02:00
|
|
|
|
2019-07-11 12:59:46 +02:00
|
|
|
std::vector<uint8_t, secure_allocator_t<uint8_t> > ready_plaintext (
|
|
|
|
crypto_box_ZEROBYTES + metadata_length);
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
// Create Box [metadata](S'->C')
|
2019-07-10 11:57:18 +02:00
|
|
|
std::fill (ready_plaintext.begin (),
|
|
|
|
ready_plaintext.begin () + crypto_box_ZEROBYTES, 0);
|
|
|
|
uint8_t *ptr = &ready_plaintext[crypto_box_ZEROBYTES];
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2017-08-15 19:42:31 +02:00
|
|
|
ptr += add_basic_properties (ptr, metadata_length);
|
2019-07-10 11:57:18 +02:00
|
|
|
const size_t mlen = ptr - &ready_plaintext[0];
|
2013-06-18 23:38:24 +02:00
|
|
|
|
|
|
|
memcpy (ready_nonce, "CurveZMQREADY---", 16);
|
2020-02-03 11:56:37 +01:00
|
|
|
put_uint64 (ready_nonce + 16, get_and_inc_nonce ());
|
2013-06-18 23:38:24 +02:00
|
|
|
|
2019-07-10 11:57:18 +02:00
|
|
|
std::vector<uint8_t> ready_box (crypto_box_BOXZEROBYTES + 16
|
|
|
|
+ metadata_length);
|
2017-08-15 19:42:31 +02:00
|
|
|
|
2019-07-10 11:57:18 +02:00
|
|
|
int rc = crypto_box_afternm (&ready_box[0], &ready_plaintext[0], mlen,
|
2020-02-03 11:56:37 +01:00
|
|
|
ready_nonce, get_precom_buffer ());
|
2013-06-18 23:38:24 +02:00
|
|
|
zmq_assert (rc == 0);
|
|
|
|
|
2013-06-28 11:42:54 +02:00
|
|
|
rc = msg_->init_size (14 + mlen - crypto_box_BOXZEROBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
errno_assert (rc == 0);
|
|
|
|
|
|
|
|
uint8_t *ready = static_cast<uint8_t *> (msg_->data ());
|
|
|
|
|
2013-09-04 17:59:45 +02:00
|
|
|
memcpy (ready, "\x05READY", 6);
|
2013-06-18 23:38:24 +02:00
|
|
|
// Short nonce, prefixed by "CurveZMQREADY---"
|
2014-09-19 18:07:57 -06:00
|
|
|
memcpy (ready + 6, ready_nonce + 16, 8);
|
2013-06-18 23:38:24 +02:00
|
|
|
// Box [metadata](S'->C')
|
2019-07-10 11:57:18 +02:00
|
|
|
memcpy (ready + 14, &ready_box[crypto_box_BOXZEROBYTES],
|
2013-06-18 23:38:24 +02:00
|
|
|
mlen - crypto_box_BOXZEROBYTES);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-05-16 07:25:29 +02:00
|
|
|
int zmq::curve_server_t::produce_error (msg_t *msg_) const
|
|
|
|
{
|
2017-08-04 16:54:46 +02:00
|
|
|
const size_t expected_status_code_length = 3;
|
2014-05-16 07:25:29 +02:00
|
|
|
zmq_assert (status_code.length () == 3);
|
2017-08-04 16:54:46 +02:00
|
|
|
const int rc = msg_->init_size (6 + 1 + expected_status_code_length);
|
2014-05-16 07:25:29 +02:00
|
|
|
zmq_assert (rc == 0);
|
|
|
|
char *msg_data = static_cast<char *> (msg_->data ());
|
|
|
|
memcpy (msg_data, "\5ERROR", 6);
|
2017-08-04 16:54:46 +02:00
|
|
|
msg_data[6] = expected_status_code_length;
|
|
|
|
memcpy (msg_data + 7, status_code.c_str (), expected_status_code_length);
|
2014-05-16 07:25:29 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-05-24 17:58:30 +02:00
|
|
|
void zmq::curve_server_t::send_zap_request (const uint8_t *key_)
|
2013-06-18 23:38:24 +02:00
|
|
|
{
|
2018-05-24 17:58:30 +02:00
|
|
|
zap_client_t::send_zap_request ("CURVE", 5, key_,
|
|
|
|
crypto_box_PUBLICKEYBYTES);
|
2013-06-18 23:38:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|