[Zope-Checkins] CVS: ZODB3/ZEO - ClientStorage.py:

Jeremy Hylton jeremy at zope.com
Fri Sep 19 15:01:58 EDT 2003

Update of /cvs-repository/ZODB3/ZEO
In directory cvs.zope.org:/tmp/cvs-serv25006/ZEO

Modified Files:
      Tag: Zope-2_7-branch
Log Message:
Fix security problem in ZEO authentication code.

There were two serious bugs:

- The smac layer would accept a message without a MAC even after the
  session key was established.

- The client never initialized its session key, so it never checked
  incoming messages or created MACs for outgoing messages.

Fixed both, but still need to change the smac layer so that it has
separate HMAC objects for each end of the connection.

=== ZODB3/ZEO/ClientStorage.py => ===
--- ZODB3/ZEO/ClientStorage.py:	Mon Sep 15 14:02:59 2003
+++ ZODB3/ZEO/ClientStorage.py	Fri Sep 19 15:01:27 2003
@@ -434,8 +434,10 @@
         auth = stub.getAuthProtocol()
         log2(INFO, "Server authentication protocol %r" % auth)
         if auth:
-            if self.doAuth(auth, stub):
+            skey = self.doAuth(auth, stub)
+            if skey:
                 log2(INFO, "Client authentication successful")
+                conn.setSessionKey(skey)
                 log2(ERROR, "Authentication failed")
                 raise AuthError, "Authentication failed"
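Review bot: as rendered, the hunk header counts 8 old / 10 new lines but only 7 / 9 are visible, and `log2(ERROR, "Authentication failed")` sits at the same indentation as `log2(INFO, "Client authentication successful")` with no `else:` between them; please confirm the `else:` line is present in the committed file, since without it the ERROR log and `raise AuthError` would run right after `conn.setSessionKey(skey)` on a successful handshake. The change from `if self.doAuth(auth, stub):` to `skey = self.doAuth(auth, stub)` / `if skey:` is the right direction: an empty or `None` key now fails closed instead of leaving the connection unauthenticated, which matches the second bug described in the log message.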
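A small model of the first bug in the log message, added here as an illustration and not ZEO's own smac code (the class and function names are assumptions): once a session key is set, a message that carries no MAC has to be dropped, and a receiver that still accepts it is exactly the defect the checkin describes.

```python
import hmac
import hashlib

# Constructed model of the smac framing described above; names are
# hypothetical, not ZEO's classes. A message is a payload plus an
# optional HMAC tag that becomes mandatory once the key is set.

class MACChecker:
    """Receiving side of one connection."""

    def __init__(self, require_mac_after_key):
        # require_mac_after_key=False reproduces the first bug from the
        # checkin: an unMAC'd message is accepted even after the key is set.
        self.session_key = None
        self.require_mac_after_key = require_mac_after_key

    def setSessionKey(self, key):
        self.session_key = key

    def tag(self, payload):
        return hmac.new(self.session_key, payload, hashlib.sha256).digest()

    def accept(self, payload, tag=None):
        """True if the message may be processed, False if it must be dropped."""
        if self.session_key is None:
            return True          # before authentication nothing can be checked
        if tag is None:
            return not self.require_mac_after_key
        return hmac.compare_digest(tag, self.tag(payload))


def run_scenarios():
    """Feed the same three messages to a buggy and a fixed receiver."""
    key = b"constructed-session-key"   # constructed sample value
    results = {}
    for name, strict in (("buggy", False), ("fixed", True)):
        rx = MACChecker(require_mac_after_key=strict)
        rx.setSessionKey(key)
        good = rx.tag(b"store oid=1")
        results[name] = {
            "no_mac": rx.accept(b"store oid=1"),
            "good_mac": rx.accept(b"store oid=1", good),
            "tampered": rx.accept(b"store oid=2", good),
        }
    return results


if __name__ == "__main__":
    print(run_scenarios())
```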
