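//  --------------------------------------------------------------------------
//  Selftest for the zcert class: metadata, dup/eq and save/load round trips.
//  Runs only against ZeroMQ 4.x. With libsodium absent, zcert_new () returns
//  NULL and that is what the test checks instead. Test files are created
//  under TESTDIR and removed at the end; every failure aborts via assert.
//  The `verbose` flag is accepted for API symmetry and not used here.

void
zcert_test (bool verbose)
{
    printf (" * zcert: ");
#if (ZMQ_VERSION_MAJOR == 4)
    //  @selftest
    //  Create temporary directory for test files
#   define TESTDIR ".test_zcert"
    zsys_dir_create (TESTDIR);

    //  Create a simple certificate with metadata
    zcert_t *cert = zcert_new ();
#   if defined (HAVE_LIBSODIUM)
    assert (cert);
    zcert_set_meta (cert, "email", "*****@*****.**");
    zcert_set_meta (cert, "name", "Pieter Hintjens");
    zcert_set_meta (cert, "organization", "iMatix Corporation");
    zcert_set_meta (cert, "version", "%d", 1);
    assert (streq (zcert_meta (cert, "email"), "*****@*****.**"));
    zlist_t *keys = zcert_meta_keys (cert);
    assert (keys);
    assert (zlist_size (keys) == 4);
    zlist_destroy (&keys);

    //  Check the dup and eq methods
    zcert_t *shadow = zcert_dup (cert);
    assert (shadow);
    assert (zcert_eq (cert, shadow));
    zcert_destroy (&shadow);

    //  Check we can save and load certificate; zcert_save writes the public
    //  file and a "<name>_secret" companion, and reports failure as -1
    int rc = zcert_save (cert, TESTDIR "/mycert.txt");
    assert (rc == 0);
    assert (zsys_file_exists (TESTDIR "/mycert.txt"));
    assert (zsys_file_exists (TESTDIR "/mycert.txt_secret"));

    //  Load certificate, will in fact load secret one
    shadow = zcert_load (TESTDIR "/mycert.txt");
    assert (shadow);
    assert (zcert_eq (cert, shadow));
    zcert_destroy (&shadow);

    //  Delete secret certificate, load public one. The load must still
    //  succeed (public-only certs are valid); previously a NULL result here
    //  would have been dereferenced by zcert_secret_txt.
    rc = zsys_file_delete (TESTDIR "/mycert.txt_secret");
    assert (rc == 0);
    shadow = zcert_load (TESTDIR "/mycert.txt");
    assert (shadow);
    //  32-byte null key encodes as 40 '0' characters
    assert (streq (zcert_secret_txt (shadow),
        "0000000000000000000000000000000000000000"));
    zcert_destroy (&shadow);
    zcert_destroy (&cert);
#   else
    //  Libsodium isn't installed; should have returned NULL
    assert (cert == NULL);
#   endif

    //  Delete all test files
    zdir_t *dir = zdir_new (TESTDIR, NULL);
    assert (dir);
    zdir_remove (dir, true);
    zdir_destroy (&dir);
    //  @end
#endif
    printf ("OK\n");
}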
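//  Install the CURVE key pair from a certificate on this node. Both halves
//  are forwarded to the node's actor as Z85 text; the actor checks the keys
//  and asserts on malformed ones. The caller keeps ownership of zcert.
//  Both self and zcert must be non-NULL; self was previously dereferenced
//  without a check.
void zyre_set_zcert(zyre_t *self, zcert_t *zcert)
{
    assert (self);
    assert (zcert);

    // actor will assert check the keys
    zstr_sendx (self->actor, "SET PUBLICKEY", zcert_public_txt(zcert), NULL);
    zstr_sendx (self->actor, "SET SECRETKEY", zcert_secret_txt(zcert), NULL);
}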
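//  Key-pair generator: creates one server and one client CURVE certificate
//  and writes each out twice -- as a C header (servcert_<name>.h and
//  clicert_<name>.h holding the keys as Z85 strings and as byte arrays) and
//  as a zcert file pair (server_<name>, client_<name>). The "_secret" files
//  that zcert_save produces are unlinked again. Note that the generated
//  headers still embed the secret keys, so they need the same protection
//  as a secret file.
//
//  Usage: <prog> <name>   -- <name> is spliced into file names and C
//  identifiers; it is not validated, so a name that is not a valid C
//  identifier yields a header that will not compile.
//  Exit status is 0 on success, 1 on any failure (message on stderr).

enum { KEY_BYTES = 32, PATH_BUF_LEN = 1000 };

//  Write one key as "uint8_t <name>_<role>_<kind>[32] = { ... };", eight
//  bytes per line, in exactly the layout the old 32-argument fprintf used.
static void
s_write_key_array (FILE *out, const char *name, const char *role,
                   const char *kind, const uint8_t *key)
{
  fprintf (out, "uint8_t %s_%s_%s[32] = {", name, role, kind);
  for (size_t i = 0; i < KEY_BYTES; i++) {
    if (i > 0 && i % 8 == 0)
      fprintf (out, "\n             ");
    fprintf (out, "0x%hhx%s", key [i], i + 1 < KEY_BYTES ? "," : " };\n");
  }
}

//  Write the header for one certificate. txt_role and array_role are the
//  name fragments the original generator used ("server"/"server" for the
//  server header, "cli"/"client" for the client one); they are kept verbatim
//  so code that includes these headers keeps compiling.
//  Returns 0 on success, -1 if the file could not be opened or fully written.
static int
s_write_cert_header (const char *path, const char *name, const char *txt_role,
                     const char *array_role, zcert_t *cert)
{
  FILE *out = fopen (path, "w");
  if (!out) {
    perror (path);
    return -1;
  }
  fprintf (out, "char *%s_%s_private_txt = \"%s\";\n", name, txt_role, zcert_secret_txt (cert));
  fprintf (out, "char *%s_%s_public_txt = \"%s\";\n\n\n", name, txt_role, zcert_public_txt (cert));
  s_write_key_array (out, name, array_role, "private", zcert_secret_key (cert));
  s_write_key_array (out, name, array_role, "public", zcert_public_key (cert));
  //  fclose flushes; an error here means the header on disk is incomplete
  if (fclose (out) != 0) {
    perror (path);
    return -1;
  }
  return 0;
}

//  Build "<prefix><name><suffix>" into a fixed buffer, refusing to truncate:
//  a silently truncated path would write or unlink the wrong file.
//  Returns 0 on success, -1 if the result does not fit.
static int
s_format_path (char *buf, size_t size, const char *prefix, const char *name,
               const char *suffix)
{
  int n = snprintf (buf, size, "%s%s%s", prefix, name, suffix);
  if (n < 0 || (size_t) n >= size) {
    fprintf (stderr, "name too long: %s\n", name);
    return -1;
  }
  return 0;
}

int main(int argc, char **argv)
{
  const char *prog = (argc > 0 && argv [0]) ? argv [0] : "certgen";
  //  argv[1] was previously used without checking argc, so running with no
  //  argument dereferenced NULL
  if (argc < 2 || argv [1][0] == '\0') {
    fprintf (stderr, "usage: %s <name>\n", prog);
    return 1;
  }
  const char *name = argv [1];

  char servhnam [PATH_BUF_LEN];      // server header file
  char clihnam [PATH_BUF_LEN];       // client header file
  char sa [PATH_BUF_LEN];            // server zcert public file
  char ca [PATH_BUF_LEN];            // client zcert public file
  char sa_secret [PATH_BUF_LEN];     // companion written by zcert_save
  char ca_secret [PATH_BUF_LEN];
  if (s_format_path (servhnam, sizeof servhnam, "servcert_", name, ".h") != 0
  ||  s_format_path (clihnam, sizeof clihnam, "clicert_", name, ".h") != 0
  ||  s_format_path (sa, sizeof sa, "server_", name, "") != 0
  ||  s_format_path (ca, sizeof ca, "client_", name, "") != 0
  ||  s_format_path (sa_secret, sizeof sa_secret, "server_", name, "_secret") != 0
  ||  s_format_path (ca_secret, sizeof ca_secret, "client_", name, "_secret") != 0)
    return 1;

  int status = 1;
  zcert_t *serv_cert = zcert_new ();
  zcert_t *cli_cert = zcert_new ();
  //  zcert_new returns NULL when CURVE/libsodium support is missing
  if (!serv_cert || !cli_cert) {
    fprintf (stderr, "zcert_new failed: CURVE support unavailable\n");
    goto out;
  }

  if (s_write_cert_header (servhnam, name, "server", "server", serv_cert) != 0
  ||  s_write_cert_header (clihnam, name, "cli", "client", cli_cert) != 0)
    goto out;

  if (zcert_save (serv_cert, sa) != 0 || zcert_save (cli_cert, ca) != 0) {
    fprintf (stderr, "zcert_save failed\n");
    goto out;
  }

  //  we don't need the secret keys on disk; just a security hazard.
  //  zcert_save writes "<path>" and "<path>_secret". The old code unlinked a
  //  hard-coded "server_banshare_secret" / "client_banshare_secret", which
  //  only matched when <name> was "banshare", so the secret files were
  //  normally left behind; now the names are derived from <name>.
  if (unlink (sa_secret) != 0 || unlink (ca_secret) != 0) {
    perror ("unlink secret file");
    goto out;
  }
  status = 0;

out:
  zcert_destroy (&serv_cert);
  zcert_destroy (&cli_cert);
  return status;
}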
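///
//  Return secret part of key pair as Z85 armored string. The C string owned
//  by the underlying zcert is copied into the returned QString, so the value
//  stays valid after the zcert is destroyed; it is key material, so callers
//  should not log or display it.
const QString QmlZcert::secretTxt () {
    return QString (zcert_secret_txt (self));
}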
///
//  Return secret part of key pair as Z85 armored string. The text is copied
//  out of the wrapped zcert into the returned QString.
const QString QZcert::secretTxt ()
{
    return QString (zcert_secret_txt (self));
}
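//  Receive one DELIVER triple from a gossip node and check it against the
//  expected key and value. zstr_recvx leaves unfilled strings NULL, so each
//  frame is asserted non-NULL before streq: a receive timeout or a short
//  message fails here instead of dereferencing NULL.
static void
s_expect_deliver (zactor_t *node, const char *expected_key, const char *expected_value)
{
    char *command = NULL, *key = NULL, *value = NULL;
    int rc = zstr_recvx (node, &command, &key, &value, NULL);
    assert (rc >= 0);
    assert (command && key && value);
    assert (streq (command, "DELIVER"));
    assert (streq (key, expected_key));
    assert (streq (value, expected_value));
    zstr_free (&command);
    zstr_free (&key);
    zstr_free (&value);
}

//  --------------------------------------------------------------------------
//  Selftest for the zgossip actor: a basic client/server HELLO+PING exchange,
//  then three peers (base, alpha, beta) gossiping two tuples each over inproc
//  and, when CZMQ_BUILD_DRAFT_API and CURVE are available, the same exchange
//  over TCP with a zauth actor and per-node certificates. Failures abort via
//  assert; verbose turns on actor-level logging.

void
zgossip_test (bool verbose)
{
    printf (" * zgossip: ");
    if (verbose)
        printf ("\n");

    //  @selftest
    //  Test basic client-to-server operation of the protocol
    zactor_t *server = zactor_new (zgossip, "server");
    assert (server);
    if (verbose)
        zstr_send (server, "VERBOSE");
    zstr_sendx (server, "BIND", "inproc://zgossip", NULL);

    zsock_t *client = zsock_new (ZMQ_DEALER);
    assert (client);
    //  2s receive timeout so a missing PONG fails the test instead of hanging
    zsock_set_rcvtimeo (client, 2000);
    int rc = zsock_connect (client, "inproc://zgossip");
    assert (rc == 0);

    //  Send HELLO, which gets no message
    zgossip_msg_t *message = zgossip_msg_new ();
    assert (message);
    zgossip_msg_set_id (message, ZGOSSIP_MSG_HELLO);
    rc = zgossip_msg_send (message, client);
    assert (rc == 0);

    //  Send PING, expect PONG back. The recv is checked explicitly: on the
    //  2s timeout it returns -1, which the id assert alone would not show.
    zgossip_msg_set_id (message, ZGOSSIP_MSG_PING);
    rc = zgossip_msg_send (message, client);
    assert (rc == 0);
    rc = zgossip_msg_recv (message, client);
    assert (rc == 0);
    assert (zgossip_msg_id (message) == ZGOSSIP_MSG_PONG);
    zgossip_msg_destroy (&message);

    zactor_destroy (&server);
    zsock_destroy (&client);

    //  Test peer-to-peer operations
    zactor_t *base = zactor_new (zgossip, "base");
    assert (base);
    if (verbose)
        zstr_send (base, "VERBOSE");
    //  Set a 100msec timeout on clients so we can test expiry
    zstr_sendx (base, "SET", "server/timeout", "100", NULL);
    zstr_sendx (base, "BIND", "inproc://base", NULL);

    zactor_t *alpha = zactor_new (zgossip, "alpha");
    assert (alpha);
    zstr_sendx (alpha, "CONNECT", "inproc://base", NULL);
    zstr_sendx (alpha, "PUBLISH", "inproc://alpha-1", "service1", NULL);
    zstr_sendx (alpha, "PUBLISH", "inproc://alpha-2", "service2", NULL);

    zactor_t *beta = zactor_new (zgossip, "beta");
    assert (beta);
    zstr_sendx (beta, "CONNECT", "inproc://base", NULL);
    zstr_sendx (beta, "PUBLISH", "inproc://beta-1", "service1", NULL);
    zstr_sendx (beta, "PUBLISH", "inproc://beta-2", "service2", NULL);

    //  got nothing
    zclock_sleep (200);

    //  STATUS makes alpha deliver everything it knows (its own two tuples,
    //  then beta's two) followed by a STATUS frame carrying the count
    zstr_send (alpha, "STATUS");
    s_expect_deliver (alpha, "inproc://alpha-1", "service1");
    s_expect_deliver (alpha, "inproc://alpha-2", "service2");
    s_expect_deliver (alpha, "inproc://beta-1", "service1");
    s_expect_deliver (alpha, "inproc://beta-2", "service2");

    char *command = NULL, *status = NULL;
    rc = zstr_recvx (alpha, &command, &status, NULL);
    assert (rc >= 0);
    assert (command && status);
    assert (streq (command, "STATUS"));
    assert (atoi (status) == 4);
    zstr_free (&command);
    zstr_free (&status);

    zactor_destroy (&base);
    zactor_destroy (&alpha);
    zactor_destroy (&beta);

#ifdef CZMQ_BUILD_DRAFT_API
    //  DRAFT-API: Security
    // curve
    if (zsys_has_curve ()) {
        if (verbose)
            printf ("testing CURVE support\n");
        zclock_sleep (2000);
        zactor_t *auth = zactor_new (zauth, NULL);
        assert (auth);
        if (verbose) {
            zstr_sendx (auth, "VERBOSE", NULL);
            zsock_wait (auth);
        }
        zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
        zsock_wait (auth);
        //  Accept any client certificate: this exercises the encrypted
        //  transport, not client authorization, so no client key is pinned
        zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
        zsock_wait (auth);

        server = zactor_new (zgossip, "server");
        assert (server);
        if (verbose)
            zstr_send (server, "VERBOSE");

        zcert_t *client1_cert = zcert_new ();
        assert (client1_cert);
        zcert_t *server_cert = zcert_new ();
        assert (server_cert);

        zstr_sendx (server, "SET PUBLICKEY", zcert_public_txt (server_cert), NULL);
        zstr_sendx (server, "SET SECRETKEY", zcert_secret_txt (server_cert), NULL);
        zstr_sendx (server, "ZAP DOMAIN", "TEST", NULL);

        zstr_sendx (server, "BIND", "tcp://127.0.0.1:*", NULL);
        zstr_sendx (server, "PORT", NULL);
        char *key = NULL, *value = NULL;
        rc = zstr_recvx (server, &command, &value, NULL);
        assert (rc >= 0);
        assert (command && value);
        assert (streq (command, "PORT"));
        int port = atoi (value);
        zstr_free (&command);
        zstr_free (&value);
        //  "tcp://127.0.0.1:" (16) + up to 5 digits + NUL fits in 32 bytes;
        //  snprintf bounds the write anyway and the check catches a bad port
        char endpoint [32];
        rc = snprintf (endpoint, sizeof endpoint, "tcp://127.0.0.1:%d", port);
        assert (rc > 0 && (size_t) rc < sizeof endpoint);

        zactor_t *client1 = zactor_new (zgossip, "client");
        assert (client1);
        if (verbose)
            zstr_send (client1, "VERBOSE");

        zstr_sendx (client1, "SET PUBLICKEY", zcert_public_txt (client1_cert), NULL);
        zstr_sendx (client1, "SET SECRETKEY", zcert_secret_txt (client1_cert), NULL);
        zstr_sendx (client1, "ZAP DOMAIN", "TEST", NULL);

        //  The client pins the server's public key on CONNECT
        const char *public_txt = zcert_public_txt (server_cert);
        zstr_sendx (client1, "CONNECT", endpoint, public_txt, NULL);
        zstr_sendx (client1, "PUBLISH", "tcp://127.0.0.1:9001", "service1", NULL);

        zclock_sleep (500);

        zstr_send (server, "STATUS");
        zclock_sleep (500);

        rc = zstr_recvx (server, &command, &key, &value, NULL);
        assert (rc >= 0);
        assert (command && key && value);
        assert (streq (command, "DELIVER"));
        assert (streq (value, "service1"));

        zstr_free (&command);
        zstr_free (&key);
        zstr_free (&value);

        zstr_sendx (client1, "$TERM", NULL);
        zstr_sendx (server, "$TERM", NULL);

        zclock_sleep (500);

        zcert_destroy (&client1_cert);
        zcert_destroy (&server_cert);

        zactor_destroy (&client1);
        zactor_destroy (&server);
        zactor_destroy (&auth);
    }
#endif

#if defined (__WINDOWS__)
    zsys_shutdown ();
#endif

    //  @end
    printf ("OK\n");
}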
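// Authentication test procedure for zproxy sockets - matches zauth_test steps.
// selected_sockets selects FRONTEND_SOCKET and/or BACKEND_SOCKET. Each phase
// reconfigures the proxy, rebinds its sockets and uses s_can_connect to check
// whether a client gets through: no authenticator, NULL with a domain, IP
// deny/allow, PLAIN (no passwords, good password, bad password) and, when
// CURVE is available, CURVE with allow-any and with a pinned client
// certificate. Test files live under TESTDIR and are recreated each run.
static void
zproxy_test_authentication (int selected_sockets, bool verbose)
{
#   define TESTDIR ".test_zproxy"
#   define TESTPWDS TESTDIR "/password-file"
#   define TESTCERT TESTDIR "/mycert.txt"
#   define TESTFRONTEND (selected_sockets & FRONTEND_SOCKET)
#   define TESTBACKEND (selected_sockets & BACKEND_SOCKET)

    // Demarcate test boundaries
    zsys_info ("zproxy: TEST authentication type=%s%s%s", 
        TESTFRONTEND? "FRONTEND": "", 
        TESTFRONTEND && TESTBACKEND? "+": "", 
        TESTBACKEND? "BACKEND": "");

    //  Create temporary directory for test files
    zsys_dir_create (TESTDIR);

    // Clear out any test files from previous run (best effort; both files
    // are written again below)
    if (zsys_file_exists (TESTPWDS))
        zsys_file_delete (TESTPWDS);
    if (zsys_file_exists (TESTCERT))
        zsys_file_delete (TESTCERT);

    zactor_t *proxy = NULL;
    zsock_t *faucet = NULL;
    zsock_t *sink = NULL;
    char *frontend = NULL;
    char *backend = NULL;

    //  Check there's no authentication
    s_create_test_sockets (&proxy, &faucet, &sink, verbose);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    bool success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    // Install the authenticator
    zactor_t *auth = zactor_new (zauth, NULL);
    assert (auth);
    if (verbose) {
        zstr_sendx (auth, "VERBOSE", NULL);
        zsock_wait (auth);
    }

    // Check there's no authentication on a default NULL server
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    // When we set a domain on the server, we switch on authentication
    // for NULL sockets, but with no policies, the client connection
    // will be allowed.
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    // Blacklist 127.0.0.1, connection should fail
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    // Whitelist our address, which overrides the blacklist
    s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    // Try PLAIN authentication

    // Test negative case (no server-side passwords defined)
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    // Test positive case (server-side passwords defined)
    FILE *password = fopen (TESTPWDS, "w");
    assert (password);
    fprintf (password, "admin=Password\n");
    // fclose flushes; a failed close would hand zauth an empty password file
    // and make the positive case fail for the wrong reason
    int rc = fclose (password);
    assert (rc == 0);
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
    zstr_sendx (auth, "PLAIN", TESTPWDS, NULL);
    zsock_wait (auth);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    // Test negative case (bad client password)
    s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Bogus");
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (!success);

    if (zsys_has_curve ()) {
        // We'll create two new certificates and save the client public
        // certificate on disk
        zcert_t *server_cert = zcert_new ();
        assert (server_cert);
        zcert_t *client_cert = zcert_new ();
        assert (client_cert);
        // Z85 text owned by server_cert; only read here, hence const
        const char *public_key = zcert_public_txt (server_cert);
        const char *secret_key = zcert_secret_txt (server_cert);

        // Try CURVE authentication

        // Test without setting-up any authentication
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (!success);

        // Test CURVE_ALLOW_ANY
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
        zsock_wait (auth);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (success);

        // Test with client certificate file in authentication folder.
        // The save is checked: if the public cert never reached disk the
        // connection below would be rejected and blame the wrong step.
        s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
        s_bind_proxy_sockets (proxy, &frontend, &backend);
        s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
        rc = zcert_save_public (client_cert, TESTCERT);
        assert (rc == 0);
        zstr_sendx (auth, "CURVE", TESTDIR, NULL);
        zsock_wait (auth);
        success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
        assert (success);

        zcert_destroy (&server_cert);
        zcert_destroy (&client_cert);
    }

    // Remove the authenticator and check a normal connection works
    zactor_destroy (&auth);
    s_bind_proxy_sockets (proxy, &frontend, &backend);
    success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
    assert (success);

    zsock_destroy (&faucet);
    zsock_destroy (&sink);
    zactor_destroy (&proxy);
    zstr_free (&frontend);
    zstr_free (&backend);
}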
// Return the secret half of this certificate's key pair as a Z85 armored
// string. The bytes are copied into a fresh HHVM String (CopyString), so
// the result does not alias the zcert's own buffer.
String HHVM_METHOD(ZMQCert, getSecretTxt) {
  ZMQCert *cert = Native::data<ZMQCert>(this_);
  const char *secret = zcert_secret_txt(cert->zcert);
  return String(secret, CopyString);
}