void
zcert_test (bool verbose)
{
printf (" * zcert: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcert"
zsys_dir_create (TESTDIR);
// Create a simple certificate with metadata
zcert_t *cert = zcert_new ();
# if defined (HAVE_LIBSODIUM)
zcert_set_meta (cert, "email", "*****@*****.**");
zcert_set_meta (cert, "name", "Pieter Hintjens");
zcert_set_meta (cert, "organization", "iMatix Corporation");
zcert_set_meta (cert, "version", "%d", 1);
assert (streq (zcert_meta (cert, "email"), "*****@*****.**"));
zlist_t *keys = zcert_meta_keys (cert);
assert (zlist_size (keys) == 4);
zlist_destroy (&keys);
// Check the dup and eq methods
zcert_t *shadow = zcert_dup (cert);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Check we can save and load certificate
zcert_save (cert, TESTDIR "/mycert.txt");
assert (zsys_file_exists (TESTDIR "/mycert.txt"));
assert (zsys_file_exists (TESTDIR "/mycert.txt_secret"));
// Load certificate, will in fact load secret one
shadow = zcert_load (TESTDIR "/mycert.txt");
assert (shadow);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Delete secret certificate, load public one
int rc = zsys_file_delete (TESTDIR "/mycert.txt_secret");
assert (rc == 0);
shadow = zcert_load (TESTDIR "/mycert.txt");
// 32-byte null key encodes as 40 '0' characters
assert (streq (zcert_secret_txt (shadow),
"0000000000000000000000000000000000000000"));
zcert_destroy (&shadow);
zcert_destroy (&cert);
# else
// Libsodium isn't installed; should have returned NULL
assert (cert == NULL);
# endif
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
int main (int argc, char *argv [])
{
int argn = 1;
char *filename = "mycert.txt";
if (argn < argc)
filename = argv [argn++];
zsys_info ("Creating new CURVE certificate in %s", filename);
zcert_t *cert = zcert_new ();
if (s_get_meta (cert, "Enter your full name:", "name")
|| s_get_meta (cert, "Enter your email address:", "email")
|| s_get_meta (cert, "Enter your organization:", "organization"))
return -1;
char *timestr = zclock_timestr ();
zcert_set_meta (cert, "created-by", "CZMQ zmakecert");
zcert_set_meta (cert, "date-created", "%s", timestr);
free (timestr);
zcert_dump (cert);
zcert_save (cert, filename);
zsys_info ("CURVE certificate created in %s and %s_secret", filename, filename);
zcert_destroy (&cert);
return 0;
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
void HHVM_METHOD(ZMQCert, __construct, const Variant& filename) {
auto cert = Native::data<ZMQCert>(this_);
if (filename.isNull()) {
cert->zcert = zcert_new();
if (!cert->zcert) {
throwExceptionClass(s_ZMQCertExceptionClass, "Failed to create the underlying zcert object. Is libsodium installed?", PHP_ZMQ_INTERNAL_ERROR);
}
} else {
cert->zcert = zcert_load(filename.asCStrRef().c_str());
if (!cert->zcert) {
throwExceptionClassFmt(s_ZMQCertExceptionClass, "Failed to load the certificate from {}", filename.asCStrRef());
}
}
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
printf ("OK\n");
}
int main (void)
{
puts ("Creating new CURVE certificate");
zcert_t *cert = zcert_new ();
if (s_get_meta (cert, "Enter your full name:", "name")
|| s_get_meta (cert, "Enter your email address:", "email")
|| s_get_meta (cert, "Enter your organization:", "organization"))
return -1;
char *timestr = zclock_timestr ();
zcert_set_meta (cert, "created-by", "CZMQ makecert");
zcert_set_meta (cert, "date-created", timestr);
free (timestr);
zcert_dump (cert);
zcert_save (cert, "mycert.txt");
puts ("I: CURVE certificate created in mycert.txt and mycert.txt_secret");
zcert_destroy (&cert);
return 0;
}
static void *
client_task (void *args)
{
bool verbose = *((bool *) args);
char filename [256];
snprintf (filename, 255, TESTDIR "/client-%07d.cert", randof (10000000));
zcert_t *client_cert = zcert_new ();
zcert_save_public (client_cert, filename);
curve_client_t *client = curve_client_new (&client_cert);
curve_client_set_verbose (client, verbose);
zcert_t *server_cert = zcert_load (TESTDIR "/server.cert");
assert (server_cert);
curve_client_connect (client, "tcp://127.0.0.1:9006", zcert_public_key (server_cert));
zcert_destroy (&server_cert);
curve_client_sendstr (client, "Hello, World");
char *reply = curve_client_recvstr (client);
assert (streq (reply, "Hello, World"));
free (reply);
// Try a multipart message
zmsg_t *msg = zmsg_new ();
zmsg_addstr (msg, "Hello, World");
zmsg_addstr (msg, "Second frame");
curve_client_send (client, &msg);
msg = curve_client_recv (client);
assert (zmsg_size (msg) == 2);
zmsg_destroy (&msg);
// Now send messages of increasing size, check they work
int count;
int size = 0;
for (count = 0; count < 18; count++) {
zframe_t *data = zframe_new (NULL, size);
int byte_nbr;
// Set data to sequence 0...255 repeated
for (byte_nbr = 0; byte_nbr < size; byte_nbr++)
zframe_data (data)[byte_nbr] = (byte) byte_nbr;
msg = zmsg_new ();
zmsg_prepend (msg, &data);
curve_client_send (client, &msg);
msg = curve_client_recv (client);
data = zmsg_pop (msg);
assert (data);
assert (zframe_size (data) == size);
for (byte_nbr = 0; byte_nbr < size; byte_nbr++) {
assert (zframe_data (data)[byte_nbr] == (byte) byte_nbr);
}
zframe_destroy (&data);
zmsg_destroy (&msg);
size = size * 2 + 1;
}
// Signal end of test
curve_client_sendstr (client, "END");
reply = curve_client_recvstr (client);
free (reply);
curve_client_destroy (&client);
return NULL;
}
void
curve_server_test (bool verbose)
{
printf (" * curve_server: ");
// @selftest
// Create temporary directory for test files
srand (time (NULL));
zsys_dir_create (TESTDIR);
zcert_t *server_cert = zcert_new ();
zcert_save (server_cert, TESTDIR "/server.cert");
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
zauth_configure_curve (auth, "*", TESTDIR);
// We'll run a set of clients as background tasks, and the
// server in this foreground thread. Don't pass verbose to
// the clients as the results are unreadable.
int live_clients;
for (live_clients = 0; live_clients < 5; live_clients++)
zthread_new (client_task, &verbose);
curve_server_t *server = curve_server_new (ctx, &server_cert);
curve_server_set_verbose (server, verbose);
curve_server_bind (server, "tcp://127.0.0.1:9006");
while (live_clients > 0) {
zmsg_t *msg = curve_server_recv (server);
if (memcmp (zframe_data (zmsg_last (msg)), "END", 3) == 0)
live_clients--;
curve_server_send (server, &msg);
}
// Try an invalid client/server combination
byte bad_server_key [32] = { 0 };
zcert_t *unknown = zcert_new ();
curve_client_t *client = curve_client_new (&unknown);
curve_client_set_verbose (client, true);
curve_client_connect (client, "tcp://127.0.0.1:9006", bad_server_key);
curve_client_sendstr (client, "Hello, World");
// Expect no reply after 250msec
zmq_pollitem_t pollitems [] = {
{ curve_client_handle (client), 0, ZMQ_POLLIN, 0 }
};
assert (zmq_poll (pollitems, 1, 250) == 0);
curve_client_destroy (&client);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
curve_server_destroy (&server);
zauth_destroy (&auth);
zctx_destroy (&ctx);
// @end
// Ensure client threads have exited before we do
zclock_sleep (100);
printf ("OK\n");
}
///
// Create and initialize a new certificate in memory
QZcert::QZcert (QObject *qObjParent) : QObject (qObjParent)
{
this->self = zcert_new ();
}
void
curve_client_test (bool verbose)
{
printf (" * curve_client: ");
// @selftest
// Create temporary directory for test files
zsys_dir_create (TESTDIR);
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_save (server_cert, TESTDIR "/server.cert");
// We'll run the server as a background task, and the
// client in this foreground thread.
zthread_new (server_task, &verbose);
zcert_t *client_cert = zcert_new ();
zcert_save_public (client_cert, TESTDIR "/client.cert");
curve_client_t *client = curve_client_new (&client_cert);
curve_client_set_metadata (client, "Client", "CURVEZMQ/curve_client");
curve_client_set_metadata (client, "Identity", "E475DA11");
curve_client_set_verbose (client, verbose);
curve_client_connect (client, "tcp://127.0.0.1:9005", (byte *)zcert_public_key (server_cert));
curve_client_sendstr (client, "Hello, World");
char *reply = curve_client_recvstr (client);
assert (streq (reply, "Hello, World"));
free (reply);
// Try a multipart message
zmsg_t *msg = zmsg_new ();
zmsg_addstr (msg, "Hello, World");
zmsg_addstr (msg, "Second frame");
curve_client_send (client, &msg);
msg = curve_client_recv (client);
assert (zmsg_size (msg) == 2);
zmsg_destroy (&msg);
// Now send messages of increasing size, check they work
int count;
int size = 0;
for (count = 0; count < 18; count++) {
if (verbose)
printf ("Testing message of size=%d...\n", size);
zframe_t *data = zframe_new (NULL, size);
int byte_nbr;
// Set data to sequence 0...255 repeated
for (byte_nbr = 0; byte_nbr < size; byte_nbr++)
zframe_data (data)[byte_nbr] = (byte) byte_nbr;
msg = zmsg_new ();
zmsg_prepend (msg, &data);
curve_client_send (client, &msg);
msg = curve_client_recv (client);
data = zmsg_pop (msg);
assert (data);
assert (zframe_size (data) == size);
for (byte_nbr = 0; byte_nbr < size; byte_nbr++) {
assert (zframe_data (data)[byte_nbr] == (byte) byte_nbr);
}
zframe_destroy (&data);
zmsg_destroy (&msg);
size = size * 2 + 1;
}
// Signal end of test
curve_client_sendstr (client, "END");
reply = curve_client_recvstr (client);
free (reply);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
curve_client_destroy (&client);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
// Ensure server thread has exited before we do
zclock_sleep (100);
printf ("OK\n");
}
int main(int argc, char **argv)
{
char *a = argv[1]; // name of cert
char sa[500]; // name of serv_cert
char ca[500]; // name of client_cert
uint8_t serv_priv[32];
uint8_t serv_pub[32];
uint8_t cli_priv[32];
uint8_t cli_pub[32];
zcert_t *serv_cert = zcert_new();
zcert_t *cli_cert = zcert_new();
uint8_t *serv_privp = zcert_secret_key(serv_cert);
uint8_t *serv_pubp = zcert_public_key(serv_cert);
uint8_t *cli_privp = zcert_secret_key(cli_cert);
uint8_t *cli_pubp = zcert_public_key(cli_cert);
memmove(serv_priv, serv_privp, sizeof(serv_priv));
memmove(serv_pub, serv_pubp, sizeof(serv_pub));
memmove(cli_priv, cli_privp, sizeof(cli_priv));
memmove(cli_pub, cli_pubp, sizeof(cli_pub));
char *serv_cprivp = zcert_secret_txt(serv_cert);
char *serv_cpubp = zcert_public_txt(serv_cert);
char *cli_cprivp = zcert_secret_txt(cli_cert);
char *cli_cpubp = zcert_public_txt(cli_cert);
char servhnam[1000];
char clihnam[1000];
sprintf(servhnam, "servcert_%s.h", a);
sprintf(clihnam, "clicert_%s.h", a);
FILE *serv = fopen(servhnam, "w");
FILE *cli = fopen(clihnam, "w");
fprintf(serv, "char *%s_server_private_txt = \"%s\";\n", a, serv_cprivp);
fprintf(serv, "char *%s_server_public_txt = \"%s\";\n\n\n", a, serv_cpubp);
fprintf(cli, "char *%s_cli_private_txt = \"%s\";\n", a, cli_cprivp);
fprintf(cli, "char *%s_cli_public_txt = \"%s\";\n\n\n", a, cli_cpubp);
sprintf(sa, "server_%s", a);
sprintf(ca, "client_%s", a);
zcert_save(serv_cert, sa);
zcert_save(cli_cert, ca);
// we don't need the secret keys on disk; just a security hazard
unlink("server_banshare_secret");
unlink("client_banshare_secret");
fprintf
(serv, "uint8_t %s_server_private[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, serv_priv[0], serv_priv[1], serv_priv[2], serv_priv[3], serv_priv[4], serv_priv[5], serv_priv[6],
serv_priv[7], serv_priv[8], serv_priv[9], serv_priv[10], serv_priv[11], serv_priv[12], serv_priv[13],
serv_priv[14], serv_priv[15], serv_priv[16], serv_priv[17], serv_priv[18], serv_priv[19], serv_priv[20],
serv_priv[21], serv_priv[22], serv_priv[23], serv_priv[24], serv_priv[25], serv_priv[26], serv_priv[27],
serv_priv[28], serv_priv[29], serv_priv[30], serv_priv[31]);
fprintf
(serv, "uint8_t %s_server_public[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, serv_pub[0], serv_pub[1], serv_pub[2], serv_pub[3], serv_pub[4], serv_pub[5], serv_pub[6], serv_pub[7],
serv_pub[8], serv_pub[9], serv_pub[10], serv_pub[11], serv_pub[12], serv_pub[13], serv_pub[14], serv_pub[15],
serv_pub[16], serv_pub[17], serv_pub[18], serv_pub[19], serv_pub[20], serv_pub[21], serv_pub[22], serv_pub[23],
serv_pub[24], serv_pub[25], serv_pub[26], serv_pub[27], serv_pub[28], serv_pub[29], serv_pub[30], serv_pub[31]);
fprintf
(cli, "uint8_t %s_client_private[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, cli_priv[0], cli_priv[1], cli_priv[2], cli_priv[3], cli_priv[4], cli_priv[5], cli_priv[6],
cli_priv[7], cli_priv[8], cli_priv[9], cli_priv[10], cli_priv[11], cli_priv[12], cli_priv[13],
cli_priv[14], cli_priv[15], cli_priv[16], cli_priv[17], cli_priv[18], cli_priv[19], cli_priv[20],
cli_priv[21], cli_priv[22], cli_priv[23], cli_priv[24], cli_priv[25], cli_priv[26], cli_priv[27],
cli_priv[28], cli_priv[29], cli_priv[30], cli_priv[31]);
fprintf
(cli, "uint8_t %s_client_public[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, cli_pub[0], cli_pub[1], cli_pub[2], cli_pub[3], cli_pub[4], cli_pub[5], cli_pub[6], cli_pub[7],
cli_pub[8], cli_pub[9], cli_pub[10], cli_pub[11], cli_pub[12], cli_pub[13], cli_pub[14], cli_pub[15],
cli_pub[16], cli_pub[17], cli_pub[18], cli_pub[19], cli_pub[20], cli_pub[21], cli_pub[22], cli_pub[23],
cli_pub[24], cli_pub[25], cli_pub[26], cli_pub[27], cli_pub[28], cli_pub[29], cli_pub[30], cli_pub[31]);
fclose(serv);
fclose(cli);
exit(0);
}
zcert_t* new_cert()
{
return zcert_new();
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not
// go through our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (ctx, &server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsocket_set_zap_domain (server, "global");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsocket_set_zap_domain (server, "global");
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsocket_set_zap_domain (server, "global");
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Try PLAIN authentication
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (ctx, &server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (ctx, &server, &client);
assert (success);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (ctx, &server, &client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_t *client_cert = zcert_new ();
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (ctx, &server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (ctx, &server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (ctx, &server, &client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not go through
// our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (server, client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection will
// be allowed.
//
// TODO: libzmq should accept new security options after unbind/bind
// but for now we have to create a new server socket each time.
server = zsocket_new (ctx, ZMQ_PUSH);
zsocket_set_zap_domain (server, "global");
success = s_can_connect (server, client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (success);
// Try PLAIN authentication
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (server, client);
assert (!success);
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (server, client);
assert (success);
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (server, client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_apply (server_cert, server);
zsocket_set_curve_server (server, 1);
zcert_t *client_cert = zcert_new ();
zcert_apply (client_cert, client);
char *server_key = zcert_public_txt (server_cert);
zsocket_set_curve_serverkey (client, server_key);
// We've not set-up any authentication, connection will fail
success = s_can_connect (server, client);
assert (!success);
// PH: 2013/09/18
// There's an issue with libzmq where it sometimes fails to
// connect even if the ZAP handler allows it. It's timing
// dependent, so this is a voodoo hack. To be removed, I've
// no idea this even applies to all boxes.
sleep (1);
// Test CURVE_ALLOW_ANY
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (server, client);
assert (success);
// Test full client authentication using certificates
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (server, client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (server, client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
// Authentication test procedure for zproxy sockets - matches zauth_test steps
static void
zproxy_test_authentication (int selected_sockets, bool verbose)
{
# define TESTDIR ".test_zproxy"
# define TESTPWDS TESTDIR "/password-file"
# define TESTCERT TESTDIR "/mycert.txt"
# define TESTFRONTEND (selected_sockets & FRONTEND_SOCKET)
# define TESTBACKEND (selected_sockets & BACKEND_SOCKET)
// Demarcate test boundaries
zsys_info ("zproxy: TEST authentication type=%s%s%s",
TESTFRONTEND? "FRONTEND": "",
TESTFRONTEND && TESTBACKEND? "+": "",
TESTBACKEND? "BACKEND": "");
// Create temporary directory for test files
zsys_dir_create (TESTDIR);
// Clear out any test files from previous run
if (zsys_file_exists (TESTPWDS))
zsys_file_delete (TESTPWDS);
if (zsys_file_exists (TESTCERT))
zsys_file_delete (TESTCERT);
zactor_t *proxy = NULL;
zsock_t *faucet = NULL;
zsock_t *sink = NULL;
char *frontend = NULL;
char *backend = NULL;
// Check there's no authentication
s_create_test_sockets (&proxy, &faucet, &sink, verbose);
s_bind_proxy_sockets (proxy, &frontend, &backend);
bool success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Install the authenticator
zactor_t *auth = zactor_new (zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
// Check there's no authentication on a default NULL server
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Blacklist 127.0.0.1, connection should fail
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Whitelist our address, which overrides the blacklist
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Try PLAIN authentication
// Test negative case (no server-side passwords defined)
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Test positive case (server-side passwords defined)
FILE *password = fopen (TESTPWDS, "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
zstr_sendx (auth, "PLAIN", TESTPWDS, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Test negative case (bad client password)
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Bogus");
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
if (zsys_has_curve ()) {
// We'll create two new certificates and save the client public
// certificate on disk
zcert_t *server_cert = zcert_new ();
assert (server_cert);
zcert_t *client_cert = zcert_new ();
assert (client_cert);
char *public_key = zcert_public_txt (server_cert);
char *secret_key = zcert_secret_txt (server_cert);
// Try CURVE authentication
// Test without setting-up any authentication
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Test CURVE_ALLOW_ANY
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Test with client certificate file in authentication folder
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
zcert_save_public (client_cert, TESTCERT);
zstr_sendx (auth, "CURVE", TESTDIR, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
}
// Remove the authenticator and check a normal connection works
zactor_destroy (&auth);
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
zsock_destroy (&faucet);
zsock_destroy (&sink);
zactor_destroy (&proxy);
zstr_free (&frontend);
zstr_free (&backend);
}
void
zyre_test (bool verbose)
{
printf (" * zyre: ");
if (verbose)
printf ("\n");
// @selftest
// We'll use inproc gossip discovery so that this works without networking
uint64_t version = zyre_version ();
assert ((version / 10000) % 100 == ZYRE_VERSION_MAJOR);
assert ((version / 100) % 100 == ZYRE_VERSION_MINOR);
assert (version % 100 == ZYRE_VERSION_PATCH);
// Create two nodes
zyre_t *node1 = zyre_new ("node1");
assert (node1);
assert (streq (zyre_name (node1), "node1"));
zyre_set_header (node1, "X-HELLO", "World");
if (verbose)
zyre_set_verbose (node1);
// Set inproc endpoint for this node
int rc = zyre_set_endpoint (node1, "inproc://zyre-node1");
assert (rc == 0);
// Set up gossip network for this node
zyre_gossip_bind (node1, "inproc://gossip-hub");
rc = zyre_start (node1);
assert (rc == 0);
zyre_t *node2 = zyre_new ("node2");
assert (node2);
assert (streq (zyre_name (node2), "node2"));
if (verbose)
zyre_set_verbose (node2);
// Set inproc endpoint for this node
// First, try to use existing name, it'll fail
rc = zyre_set_endpoint (node2, "inproc://zyre-node1");
assert (rc == -1);
// Now use available name and confirm that it succeeds
rc = zyre_set_endpoint (node2, "inproc://zyre-node2");
assert (rc == 0);
// Set up gossip network for this node
zyre_gossip_connect (node2, "inproc://gossip-hub");
rc = zyre_start (node2);
assert (rc == 0);
assert (strneq (zyre_uuid (node1), zyre_uuid (node2)));
zyre_join (node1, "GLOBAL");
zyre_join (node2, "GLOBAL");
// Give time for them to interconnect
zclock_sleep (250);
if (verbose)
zyre_dump (node1);
zlist_t *peers = zyre_peers (node1);
assert (peers);
assert (zlist_size (peers) == 1);
zlist_destroy (&peers);
zyre_join (node1, "node1 group of one");
zyre_join (node2, "node2 group of one");
// Give them time to join their groups
zclock_sleep (250);
zlist_t *own_groups = zyre_own_groups (node1);
assert (own_groups);
assert (zlist_size (own_groups) == 2);
zlist_destroy (&own_groups);
zlist_t *peer_groups = zyre_peer_groups (node1);
assert (peer_groups);
assert (zlist_size (peer_groups) == 2);
zlist_destroy (&peer_groups);
char *value = zyre_peer_header_value (node2, zyre_uuid (node1), "X-HELLO");
assert (streq (value, "World"));
zstr_free (&value);
// One node shouts to GLOBAL
zyre_shouts (node1, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
zmsg_t *msg = zyre_recv (node2);
assert (msg);
char *command = zmsg_popstr (msg);
assert (streq (command, "ENTER"));
zstr_free (&command);
assert (zmsg_size (msg) == 4);
char *peerid = zmsg_popstr (msg);
char *name = zmsg_popstr (msg);
assert (streq (name, "node1"));
zstr_free (&name);
zframe_t *headers_packed = zmsg_pop (msg);
char *address = zmsg_popstr (msg);
char *endpoint = zyre_peer_address (node2, peerid);
assert (streq (address, endpoint));
zstr_free (&peerid);
zstr_free (&endpoint);
zstr_free (&address);
assert (headers_packed);
zhash_t *headers = zhash_unpack (headers_packed);
assert (headers);
zframe_destroy (&headers_packed);
assert (streq ((char *) zhash_lookup (headers, "X-HELLO"), "World"));
zhash_destroy (&headers);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
assert (zmsg_size (msg) == 3);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
assert (zmsg_size (msg) == 3);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "SHOUT"));
zstr_free (&command);
zmsg_destroy (&msg);
zyre_stop (node2);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "STOP"));
zstr_free (&command);
zmsg_destroy (&msg);
zyre_stop (node1);
zyre_destroy (&node1);
zyre_destroy (&node2);
printf ("OK\n");
#ifdef ZYRE_BUILD_DRAFT_API
if (zsys_has_curve()){
printf (" * zyre-curve: ");
if (verbose)
printf ("\n");
if (verbose)
zsys_debug("----------------TESTING CURVE --------------");
zactor_t *speaker = zactor_new (zbeacon, NULL);
assert (speaker);
if (verbose)
zstr_sendx (speaker, "VERBOSE", NULL);
// ensuring we have a broadcast address
zsock_send (speaker, "si", "CONFIGURE", 9999);
char *hostname = zstr_recv (speaker);
if (!*hostname) {
printf ("OK (skipping test, no UDP broadcasting)\n");
zactor_destroy (&speaker);
freen (hostname);
return;
}
freen (hostname);
zactor_destroy (&speaker);
// zap setup
zactor_t *auth = zactor_new(zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx(auth, "VERBOSE", NULL);
zsock_wait(auth);
}
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
zyre_t *node3 = zyre_new ("node3");
zyre_t *node4 = zyre_new ("node4");
assert (node3);
assert (node4);
zyre_set_verbose (node3);
zyre_set_verbose (node4);
zyre_set_zap_domain(node3, "TEST");
zyre_set_zap_domain(node4, "TEST");
zsock_set_rcvtimeo(node3->inbox, 10000);
zsock_set_rcvtimeo(node4->inbox, 10000);
zcert_t *node3_cert = zcert_new ();
zcert_t *node4_cert = zcert_new ();
assert (node3_cert);
assert (node4_cert);
zyre_set_zcert(node3, node3_cert);
zyre_set_zcert(node4, node4_cert);
zyre_set_header(node3, "X-PUBLICKEY", "%s", zcert_public_txt(node3_cert));
zyre_set_header(node4, "X-PUBLICKEY", "%s", zcert_public_txt(node4_cert));
// test beacon
if (verbose)
zsys_debug ("----------------TESTING BEACON----------------");
rc = zyre_start(node3);
assert (rc == 0);
rc = zyre_start(node4);
assert (rc == 0);
zyre_join (node3, "GLOBAL");
zyre_join (node4, "GLOBAL");
zclock_sleep (1500);
if (verbose) {
zyre_dump (node3);
zyre_dump (node4);
}
zyre_shouts (node3, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "ENTER"));
zstr_free (&command);
char *peerid = zmsg_popstr (msg);
assert (peerid);
name = zmsg_popstr (msg);
assert (streq (name, "node3"));
zmsg_destroy (&msg);
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
zmsg_destroy(&msg);
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "SHOUT"));
zstr_free (&command);
zmsg_destroy(&msg);
zyre_leave(node3, "GLOBAL");
zyre_leave(node4, "GLOBAL");
zstr_free (&name);
zstr_free (&peerid);
zstr_free (&command);
zyre_stop (node3);
zyre_stop (node4);
// give things a chance to settle...
zclock_sleep (250);
zyre_destroy(&node3);
zyre_destroy(&node4);
zcert_destroy(&node3_cert);
zcert_destroy(&node4_cert);
// test gossip
if (verbose)
zsys_debug ("----------------TESTING GOSSIP----------------");
zyre_t *node5 = zyre_new ("node5");
zyre_t *node6 = zyre_new ("node6");
assert (node5);
assert (node6);
if (verbose) {
zyre_set_verbose (node5);
zyre_set_verbose (node6);
}
// if it takes more than 10s, something probably went terribly wrong
zsock_set_rcvtimeo(node5->inbox, 10000);
zsock_set_rcvtimeo(node6->inbox, 10000);
zcert_t *node5_cert = zcert_new ();
zcert_t *node6_cert = zcert_new ();
assert (node5_cert);
assert (node6_cert);
zyre_set_zcert(node5, node5_cert);
zyre_set_zcert(node6, node6_cert);
zyre_set_header(node5, "X-PUBLICKEY", "%s", zcert_public_txt(node5_cert));
zyre_set_header(node6, "X-PUBLICKEY", "%s", zcert_public_txt(node6_cert));
const char *gossip_cert = zcert_public_txt (node5_cert);
// TODO- need to add zyre_gossip_port functions to get port from gossip bind(?)
zyre_gossip_bind(node5, "tcp://127.0.0.1:9001");
zyre_gossip_connect_curve(node6, gossip_cert, "tcp://127.0.0.1:9001");
zyre_start(node5);
zsock_wait(node5);
zyre_start(node6);
zsock_wait(node6);
zyre_join (node5, "GLOBAL");
zyre_join (node6, "GLOBAL");
// give things a chance to settle...
zclock_sleep (1500);
if (verbose) {
zyre_dump (node5);
zyre_dump (node6);
}
zyre_shouts (node5, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
msg = zyre_recv (node6);
assert (msg);
command = zmsg_popstr (msg);
zsys_info(command);
assert (streq (command, "ENTER"));
zstr_free (&command);
peerid = zmsg_popstr (msg);
assert (peerid);
name = zmsg_popstr (msg);
zmsg_destroy (&msg);
assert (streq (name, "node5"));
zstr_free (&name);
zyre_leave(node5, "GLOBAL");
zyre_leave(node6, "GLOBAL");
zyre_stop (node5);
zyre_stop (node6);
// give things a chance to settle...
zclock_sleep (250);
zstr_free (&peerid);
zcert_destroy (&node5_cert);
zcert_destroy (&node6_cert);
zyre_destroy(&node5);
zyre_destroy(&node6);
zactor_destroy(&auth);
printf ("OK\n");
}
#endif
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* Turn off CZMQ signal handling */
/* ----------------------------- */
putenv ("ZSYS_SIGHANDLER=false");
/* Create the authentication actor */
/* ------------------------------ */
pData->authActor = zactor_new(zauth, NULL);
if (!pData->authActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth actor");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: auth actor started\n");
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(pData->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((pData->beacon != NULL) && (pData->beaconport > 0)) {
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", pData->beaconport);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beacon, strlen(pData->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, pData->beaconport);
zstr_free (&hostname);
}
/* Load certs for auth if auth is used */
/* ----------------------------------- */
if (pData->authType != NULL) {
/* CURVESERVER */
/* ---------- */
if (!strcmp(pData->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
DBGPRINTF("omczmq: CURVESERVER: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVESERVER: clientCertPath: '%s'\n", pData->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(pData->authType, "CURVECLIENT")) {
if (!strcmp(pData->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(pData->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("omczmq: CURVECLIENT: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVECLIENT: clientCertPath: '%s'\n", pData->clientCertPath);
DBGPRINTF("omczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", pData->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
switch (pData->sockType) {
case ZMQ_PUB:
pData->serverish = true;
break;
case ZMQ_PUSH:
case ZMQ_DEALER:
pData->serverish = false;
break;
}
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, pData->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
finalize_it:
RETiRet;
}
void ZeroMQEngine::Initialize(const string endPoint, const string instanceName, const string instanceID)
{
zcert_t* localCertificate = nullptr;
// Handle common security initialization for server and client instances
if (SecurityEnabled())
{
if (!zsys_has_curve())
throw runtime_error("Failed to locate needed curve security libraries, cannot initialize ZeroMQ security");
string localCertDirectory = CURVECERTLOCALDIR "/";
string publicCertFileName;
string privateCertFileName;
// Make sure certificate store directories exist
if (zsys_dir_create(CURVECERTLOCALDIR) != 0)
throw runtime_error("Failed to create local curve security store, cannot initialize ZeroMQ security");
if (zsys_dir_create(CURVECERTREMOTEDIR) != 0)
throw runtime_error("Failed to create remote curve security store, cannot initialize ZeroMQ security");
// Derive certificate file names based on engine mode
if (ServerMode())
{
publicCertFileName = localCertDirectory + SVRPUBCERTFILENAME;
privateCertFileName = localCertDirectory + SVRPVTCERTFILENAME;
}
else
{
publicCertFileName = localCertDirectory + instanceName + PUBCERTFILENAMEEXT;
privateCertFileName = localCertDirectory + instanceName + PVTCERTFILENAMEEXT;
}
// See if private certificate already exists
if (zsys_file_exists(privateCertFileName.c_str()))
{
// Load existing local certificate
localCertificate = zcert_load(privateCertFileName.c_str());
if (localCertificate == nullptr)
throw runtime_error("Failed to load local curve certificate, cannot initialize ZeroMQ security");
}
else
{
// Create a new full certificate (public + private)
localCertificate = zcert_new();
if (localCertificate == nullptr)
throw runtime_error("Failed to create local curve certificate, cannot initialize ZeroMQ security");
zcert_set_meta(localCertificate, "name", instanceName.c_str());
zcert_set_meta(localCertificate, "id", instanceID.c_str());
zcert_set_meta(localCertificate, "type", ServerMode() ? "server" : "client");
// Persist certificates for future runs
if (zcert_save_public(localCertificate, publicCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve public certificate, cannot initialize ZeroMQ security");
if (zcert_save_secret(localCertificate, privateCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve private certificate, cannot initialize ZeroMQ security");
}
}
// Create new ZeroMQ engine instance
if (ServerMode())
m_instance = new ZeroMQServer(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
else
m_instance = new ZeroMQClient(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
m_instance->Initialize(endPoint, instanceName, instanceID);
log_info("\nEstablished ZeroMQ socket [%s]\n", ConnectionID().ToString().c_str());
}
void
zgossip_test (bool verbose)
{
printf (" * zgossip: ");
if (verbose)
printf ("\n");
// @selftest
// Test basic client-to-server operation of the protocol
zactor_t *server = zactor_new (zgossip, "server");
assert (server);
if (verbose)
zstr_send (server, "VERBOSE");
zstr_sendx (server, "BIND", "inproc://zgossip", NULL);
zsock_t *client = zsock_new (ZMQ_DEALER);
assert (client);
zsock_set_rcvtimeo (client, 2000);
int rc = zsock_connect (client, "inproc://zgossip");
assert (rc == 0);
// Send HELLO, which gets no message
zgossip_msg_t *message = zgossip_msg_new ();
zgossip_msg_set_id (message, ZGOSSIP_MSG_HELLO);
zgossip_msg_send (message, client);
// Send PING, expect PONG back
zgossip_msg_set_id (message, ZGOSSIP_MSG_PING);
zgossip_msg_send (message, client);
zgossip_msg_recv (message, client);
assert (zgossip_msg_id (message) == ZGOSSIP_MSG_PONG);
zgossip_msg_destroy (&message);
zactor_destroy (&server);
zsock_destroy (&client);
// Test peer-to-peer operations
zactor_t *base = zactor_new (zgossip, "base");
assert (base);
if (verbose)
zstr_send (base, "VERBOSE");
// Set a 100msec timeout on clients so we can test expiry
zstr_sendx (base, "SET", "server/timeout", "100", NULL);
zstr_sendx (base, "BIND", "inproc://base", NULL);
zactor_t *alpha = zactor_new (zgossip, "alpha");
assert (alpha);
zstr_sendx (alpha, "CONNECT", "inproc://base", NULL);
zstr_sendx (alpha, "PUBLISH", "inproc://alpha-1", "service1", NULL);
zstr_sendx (alpha, "PUBLISH", "inproc://alpha-2", "service2", NULL);
zactor_t *beta = zactor_new (zgossip, "beta");
assert (beta);
zstr_sendx (beta, "CONNECT", "inproc://base", NULL);
zstr_sendx (beta, "PUBLISH", "inproc://beta-1", "service1", NULL);
zstr_sendx (beta, "PUBLISH", "inproc://beta-2", "service2", NULL);
// got nothing
zclock_sleep (200);
zstr_send (alpha, "STATUS");
char *command, *status, *key, *value;
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://alpha-1"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://alpha-2"));
assert (streq (value, "service2"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://beta-1"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://beta-2"));
assert (streq (value, "service2"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &status, NULL);
assert (streq (command, "STATUS"));
assert (atoi (status) == 4);
zstr_free (&command);
zstr_free (&status);
zactor_destroy (&base);
zactor_destroy (&alpha);
zactor_destroy (&beta);
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// curve
if (zsys_has_curve()) {
if (verbose)
printf("testing CURVE support");
zclock_sleep (2000);
zactor_t *auth = zactor_new(zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
zstr_sendx(auth,"ALLOW","127.0.0.1",NULL);
zsock_wait(auth);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
server = zactor_new (zgossip, "server");
if (verbose)
zstr_send (server, "VERBOSE");
assert (server);
zcert_t *client1_cert = zcert_new ();
zcert_t *server_cert = zcert_new ();
zstr_sendx (server, "SET PUBLICKEY", zcert_public_txt (server_cert), NULL);
zstr_sendx (server, "SET SECRETKEY", zcert_secret_txt (server_cert), NULL);
zstr_sendx (server, "ZAP DOMAIN", "TEST", NULL);
zstr_sendx (server, "BIND", "tcp://127.0.0.1:*", NULL);
zstr_sendx (server, "PORT", NULL);
zstr_recvx (server, &command, &value, NULL);
assert (streq (command, "PORT"));
int port = atoi (value);
zstr_free (&command);
zstr_free (&value);
char endpoint [32];
sprintf (endpoint, "tcp://127.0.0.1:%d", port);
zactor_t *client1 = zactor_new (zgossip, "client");
if (verbose)
zstr_send (client1, "VERBOSE");
assert (client1);
zstr_sendx (client1, "SET PUBLICKEY", zcert_public_txt (client1_cert), NULL);
zstr_sendx (client1, "SET SECRETKEY", zcert_secret_txt (client1_cert), NULL);
zstr_sendx (client1, "ZAP DOMAIN", "TEST", NULL);
const char *public_txt = zcert_public_txt (server_cert);
zstr_sendx (client1, "CONNECT", endpoint, public_txt, NULL);
zstr_sendx (client1, "PUBLISH", "tcp://127.0.0.1:9001", "service1", NULL);
zclock_sleep (500);
zstr_send (server, "STATUS");
zclock_sleep (500);
zstr_recvx (server, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_sendx (client1, "$TERM", NULL);
zstr_sendx (server, "$TERM", NULL);
zclock_sleep(500);
zcert_destroy (&client1_cert);
zcert_destroy (&server_cert);
zactor_destroy (&client1);
zactor_destroy (&server);
zactor_destroy (&auth);
}
#endif
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
///
// Create and initialize a new certificate in memory
QmlZcert *QmlZcertAttached::construct () {
QmlZcert *qmlSelf = new QmlZcert ();
qmlSelf->self = zcert_new ();
return qmlSelf;
};
static rsRetVal addListener(instanceConf_t* iconf){
struct lstn_s* pData;
DEFiRet;
CHKmalloc(pData=(struct lstn_s*)MALLOC(sizeof(struct lstn_s)));
pData->next = NULL;
pData->pRuleset = iconf->pBindRuleset;
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(iconf->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF ("imczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((iconf->beacon != NULL) && (iconf->beaconPort > 0)) {
DBGPRINTF ("imczmq: starting beacon actor...\n");
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", iconf->beaconPort);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor,
"sbi", "PUBLISH", pData->beaconActor, strlen(iconf->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, iconf->beaconPort);
}
DBGPRINTF("imczmq: authtype is: %s\n", iconf->authType);
if (iconf->authType != NULL) {
/* CURVESERVER */
/* ----------- */
if (!strcmp(iconf->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(authActor, "CURVE", iconf->clientCertPath, NULL);
zsock_wait(authActor);
DBGPRINTF("imczmq: CURVESERVER: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("mczmq: CURVESERVER: clientCertPath: '%s'\n", iconf->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(iconf->authType, "CURVECLIENT")) {
if (!strcmp(iconf->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(iconf->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("imczmq: CURVECLIENT: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("imczmq: CURVECLIENT: clientCertPath: '%s'\n", iconf->clientCertPath);
DBGPRINTF("imczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", iconf->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
/* subscribe to topics */
/* ------------------- */
if (iconf->sockType == ZMQ_SUB) {
char topic[256], *list = iconf->topicList;
while (list) {
char *delimiter = strchr(list, ',');
if (!delimiter) {
delimiter = list + strlen (list);
}
if (delimiter - list > 255) {
errmsg.LogError(0, NO_ERRCODE,
"iconf->topicList must be under 256 characters");
ABORT_FINALIZE(RS_RET_ERR);
}
memcpy(topic, list, delimiter - list);
topic[delimiter - list] = 0;
zsock_set_subscribe(pData->sock, topic);
if (*delimiter == 0) {
break;
}
list = delimiter + 1;
}
}
switch (iconf->sockType) {
case ZMQ_SUB:
iconf->serverish = false;
break;
case ZMQ_PULL:
case ZMQ_ROUTER:
iconf->serverish = true;
break;
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
/* add this struct to the global */
/* ----------------------------- */
if(lcnfRoot == NULL) {
lcnfRoot = pData;
}
if(lcnfLast == NULL) {
lcnfLast = pData;
} else {
lcnfLast->next = pData;
lcnfLast = pData;
}
finalize_it:
RETiRet;
}
void
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Check there's no authentication
zsock_t *server = zsock_new (ZMQ_PUSH);
assert (server);
zsock_t *client = zsock_new (ZMQ_PULL);
assert (client);
bool success = s_can_connect (&server, &client);
assert (success);
// Install the authenticator
zactor_t *auth = zactor_new (zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
// Check there's no authentication on a default NULL server
success = s_can_connect (&server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsock_set_zap_domain (server, "global");
success = s_can_connect (&server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Try PLAIN authentication
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
success = s_can_connect (&server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
zstr_sendx (auth, "PLAIN", TESTDIR "/password-file", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Bogus");
success = s_can_connect (&server, &client);
assert (!success);
if (zsys_has_curve ()) {
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
assert (server_cert);
zcert_t *client_cert = zcert_new ();
assert (client_cert);
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
success = s_can_connect (&server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zstr_sendx (auth, "CURVE", TESTDIR, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
}
// Remove the authenticator and check a normal connection works
zactor_destroy (&auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_destroy (&client);
zsock_destroy (&server);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
const char *SELFTEST_DIR_RW = "src/selftest-rw";
const char *testbasedir = ".test_zcertstore";
const char *testfile = "mycert.txt";
char *basedirpath = NULL; // subdir in a test, under SELFTEST_DIR_RW
char *filepath = NULL; // pathname to testfile in a test, in dirpath
basedirpath = zsys_sprintf ("%s/%s", SELFTEST_DIR_RW, testbasedir);
assert (basedirpath);
filepath = zsys_sprintf ("%s/%s", basedirpath, testfile);
assert (filepath);
// Make sure old aborted tests do not hinder us
zdir_t *dir = zdir_new (basedirpath, NULL);
if (dir) {
zdir_remove (dir, true);
zdir_destroy (&dir);
}
zsys_file_delete (filepath);
zsys_dir_delete (basedirpath);
// Create temporary directory for test files
zsys_dir_create (basedirpath);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (basedirpath);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, filepath);
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// Iterate through certs
zlistx_t *certs = zcertstore_certs(certstore);
cert = (zcert_t *) zlistx_first(certs);
int cert_count = 0;
while (cert) {
assert (streq (zcert_meta (cert, "name"), "John Doe"));
cert = (zcert_t *) zlistx_next(certs);
cert_count++;
}
assert(cert_count==1);
zlistx_destroy(&certs);
#endif
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
freen (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
dir = zdir_new (basedirpath, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
zstr_free (&basedirpath);
zstr_free (&filepath);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
