void
zcertstore_insert (zcertstore_t *self, zcert_t **cert_p)
{
int rc = zhashx_insert (self->certs, zcert_public_txt (*cert_p), *cert_p);
assert (rc == 0);
*cert_p = NULL; // We own this now
}
void
zcertstore_insert (zcertstore_t *self, zcert_t **cert_p)
{
zlist_append (self->cert_list, *cert_p);
zhash_insert (self->cert_hash, zcert_public_txt (*cert_p), *cert_p);
*cert_p = NULL; // We own this now
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
void zyre_set_zcert(zyre_t *self, zcert_t *zcert)
{
assert (zcert);
// actor will assert check the keys
zstr_sendx (self->actor, "SET PUBLICKEY", zcert_public_txt(zcert), NULL);
zstr_sendx (self->actor, "SET SECRETKEY", zcert_secret_txt(zcert), NULL);
}
static void
s_empty_store (zcertstore_t *self)
{
zcert_t *cert = (zcert_t *) zlist_pop (self->cert_list);
while (cert) {
zhash_delete (self->cert_hash, zcert_public_txt (cert));
zcert_destroy (&cert);
cert = (zcert_t *) zlist_pop (self->cert_list);
}
assert (zlist_size (self->cert_list) == 0);
assert (zhash_size (self->cert_hash) == 0);
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
printf ("OK\n");
}
void
zgossip_test (bool verbose)
{
printf (" * zgossip: ");
if (verbose)
printf ("\n");
// @selftest
// Test basic client-to-server operation of the protocol
zactor_t *server = zactor_new (zgossip, "server");
assert (server);
if (verbose)
zstr_send (server, "VERBOSE");
zstr_sendx (server, "BIND", "inproc://zgossip", NULL);
zsock_t *client = zsock_new (ZMQ_DEALER);
assert (client);
zsock_set_rcvtimeo (client, 2000);
int rc = zsock_connect (client, "inproc://zgossip");
assert (rc == 0);
// Send HELLO, which gets no message
zgossip_msg_t *message = zgossip_msg_new ();
zgossip_msg_set_id (message, ZGOSSIP_MSG_HELLO);
zgossip_msg_send (message, client);
// Send PING, expect PONG back
zgossip_msg_set_id (message, ZGOSSIP_MSG_PING);
zgossip_msg_send (message, client);
zgossip_msg_recv (message, client);
assert (zgossip_msg_id (message) == ZGOSSIP_MSG_PONG);
zgossip_msg_destroy (&message);
zactor_destroy (&server);
zsock_destroy (&client);
// Test peer-to-peer operations
zactor_t *base = zactor_new (zgossip, "base");
assert (base);
if (verbose)
zstr_send (base, "VERBOSE");
// Set a 100msec timeout on clients so we can test expiry
zstr_sendx (base, "SET", "server/timeout", "100", NULL);
zstr_sendx (base, "BIND", "inproc://base", NULL);
zactor_t *alpha = zactor_new (zgossip, "alpha");
assert (alpha);
zstr_sendx (alpha, "CONNECT", "inproc://base", NULL);
zstr_sendx (alpha, "PUBLISH", "inproc://alpha-1", "service1", NULL);
zstr_sendx (alpha, "PUBLISH", "inproc://alpha-2", "service2", NULL);
zactor_t *beta = zactor_new (zgossip, "beta");
assert (beta);
zstr_sendx (beta, "CONNECT", "inproc://base", NULL);
zstr_sendx (beta, "PUBLISH", "inproc://beta-1", "service1", NULL);
zstr_sendx (beta, "PUBLISH", "inproc://beta-2", "service2", NULL);
// got nothing
zclock_sleep (200);
zstr_send (alpha, "STATUS");
char *command, *status, *key, *value;
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://alpha-1"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://alpha-2"));
assert (streq (value, "service2"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://beta-1"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (key, "inproc://beta-2"));
assert (streq (value, "service2"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_recvx (alpha, &command, &status, NULL);
assert (streq (command, "STATUS"));
assert (atoi (status) == 4);
zstr_free (&command);
zstr_free (&status);
zactor_destroy (&base);
zactor_destroy (&alpha);
zactor_destroy (&beta);
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// curve
if (zsys_has_curve()) {
if (verbose)
printf("testing CURVE support");
zclock_sleep (2000);
zactor_t *auth = zactor_new(zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
zstr_sendx(auth,"ALLOW","127.0.0.1",NULL);
zsock_wait(auth);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
server = zactor_new (zgossip, "server");
if (verbose)
zstr_send (server, "VERBOSE");
assert (server);
zcert_t *client1_cert = zcert_new ();
zcert_t *server_cert = zcert_new ();
zstr_sendx (server, "SET PUBLICKEY", zcert_public_txt (server_cert), NULL);
zstr_sendx (server, "SET SECRETKEY", zcert_secret_txt (server_cert), NULL);
zstr_sendx (server, "ZAP DOMAIN", "TEST", NULL);
zstr_sendx (server, "BIND", "tcp://127.0.0.1:*", NULL);
zstr_sendx (server, "PORT", NULL);
zstr_recvx (server, &command, &value, NULL);
assert (streq (command, "PORT"));
int port = atoi (value);
zstr_free (&command);
zstr_free (&value);
char endpoint [32];
sprintf (endpoint, "tcp://127.0.0.1:%d", port);
zactor_t *client1 = zactor_new (zgossip, "client");
if (verbose)
zstr_send (client1, "VERBOSE");
assert (client1);
zstr_sendx (client1, "SET PUBLICKEY", zcert_public_txt (client1_cert), NULL);
zstr_sendx (client1, "SET SECRETKEY", zcert_secret_txt (client1_cert), NULL);
zstr_sendx (client1, "ZAP DOMAIN", "TEST", NULL);
const char *public_txt = zcert_public_txt (server_cert);
zstr_sendx (client1, "CONNECT", endpoint, public_txt, NULL);
zstr_sendx (client1, "PUBLISH", "tcp://127.0.0.1:9001", "service1", NULL);
zclock_sleep (500);
zstr_send (server, "STATUS");
zclock_sleep (500);
zstr_recvx (server, &command, &key, &value, NULL);
assert (streq (command, "DELIVER"));
assert (streq (value, "service1"));
zstr_free (&command);
zstr_free (&key);
zstr_free (&value);
zstr_sendx (client1, "$TERM", NULL);
zstr_sendx (server, "$TERM", NULL);
zclock_sleep(500);
zcert_destroy (&client1_cert);
zcert_destroy (&server_cert);
zactor_destroy (&client1);
zactor_destroy (&server);
zactor_destroy (&auth);
}
#endif
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not go through
// our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (server, client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection will
// be allowed.
//
// TODO: libzmq should accept new security options after unbind/bind
// but for now we have to create a new server socket each time.
server = zsocket_new (ctx, ZMQ_PUSH);
zsocket_set_zap_domain (server, "global");
success = s_can_connect (server, client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (success);
// Try PLAIN authentication
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (server, client);
assert (!success);
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (server, client);
assert (success);
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (server, client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_apply (server_cert, server);
zsocket_set_curve_server (server, 1);
zcert_t *client_cert = zcert_new ();
zcert_apply (client_cert, client);
char *server_key = zcert_public_txt (server_cert);
zsocket_set_curve_serverkey (client, server_key);
// We've not set-up any authentication, connection will fail
success = s_can_connect (server, client);
assert (!success);
// PH: 2013/09/18
// There's an issue with libzmq where it sometimes fails to
// connect even if the ZAP handler allows it. It's timing
// dependent, so this is a voodoo hack. To be removed, I've
// no idea this even applies to all boxes.
sleep (1);
// Test CURVE_ALLOW_ANY
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (server, client);
assert (success);
// Test full client authentication using certificates
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (server, client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (server, client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
int main(int argc, char **argv)
{
if( argc < 4 ) {
printf("HEY! Usage:\n banshare-report [-d] <program-name> <jail-name> <banned-ip>\n\n");
printf(" where -d sets debug mode\n");
exit(1);
}
int baseind = 1;
if( argv[1][0] == '-' && argv[1][1] == 'd') {
debug = 1;
baseind = 2;
}
char *progname = argv[baseind];
char *jailname = argv[baseind+1];
char *bannedip = argv[baseind+2];
zauth_t *auth;
zcert_t *cert;
zcert_t *server_public_cert;
char certdir[256];
char servercert[512];
if (access("/etc/ssl/certs/banshare/", R_OK) == 0 ) { // ubuntu, CentOS 6.x
strcpy(certdir, "/etc/ssl/certs/banshare");
strcpy(servercert, "/etc/ssl/certs/banshare/server_banshare");
} else if (access("/etc/pki/tls/certs/banshare/", R_OK) == 0 ) { // CentOS 5.x
strcpy(certdir, "/etc/pki/tls/certs/banshare");
strcpy(servercert, "/etc/pki/tls/certs/banshare/server_banshare");
}
zctx_t *ctx = zctx_new();
if (enc) {
auth = zauth_new (ctx);
zauth_set_verbose (auth, true);
zauth_configure_curve (auth, "*", certdir);
cert = zcert_new_from(banshare_client_public, banshare_client_private);
server_public_cert = zcert_load(servercert);
}
void *rep_sock = zsocket_new(ctx, ZMQ_REQ); // This will be request socket to complement the server's REP socket!
if (enc) {
zcert_apply (cert, rep_sock);
zsocket_set_curve_serverkey (rep_sock, zcert_public_txt(server_public_cert));
}
zsocket_set_rcvtimeo(rep_sock, 3000); // set read and write timeouts to 3 sec.
zsocket_set_sndtimeo(rep_sock, 3000);
int rc;
char *servip;
if (server_is_local()) {
servip = "127.0.0.1";
} else {
servip = BANSHARE_SERVER_IP;
}
rc = zsocket_connect(rep_sock, "tcp://%s:%d", servip, SERVER_REPORT_PORT);
if (rc != 0) {
printf("Connect to REQ socket to %s:%d FAILED with rc=%d\n", servip, SERVER_REPORT_PORT, rc);
exit(0);
}
if (debug) printf("Connected to tcp://%s:%d Just fine...\n", servip, SERVER_REPORT_PORT);
zclock_sleep(500);
while (!zctx_interrupted) {
char buf[1000];
int ret1 = zstr_sendf(rep_sock, "%s;%s;%s;%s", progname, jailname, bannedip, this_ip);
if (ret1 == -1) {
printf("Timeout while sending report! Server is DOWN?\n");
exit(1);
}
if( debug) printf("Sent: %s;%s;%s;%s to %s\n", progname, jailname, bannedip, this_ip, servip);
// and like all good req-rep sockets, we should get a response!
char *rec = zstr_recv(rep_sock);
if (!rec) {
printf("Timeout while waiting for OK! Server is DOWN?\n");
exit(1);
}
if (debug) printf("Got %s back from server\n", rec);
zstr_free(&rec);
// Oh, all that was really difficult, wasn't it? we are done. disconnect and exit
exit(0);
}
}
///
// Return public part of key pair as Z85 armored string
const QString QZcert::publicTxt ()
{
const QString rv = QString (zcert_public_txt (self));
return rv;
}
static rsRetVal addListener(instanceConf_t* iconf){
DEFiRet;
DBGPRINTF("imczmq: addListener called..\n");
struct listener_t* pData;
CHKmalloc(pData=(struct listener_t*)MALLOC(sizeof(struct listener_t)));
pData->ruleset = iconf->pBindRuleset;
pData->sock = zsock_new(iconf->sockType);
if(!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF("imczmq: created socket of type %d..\n", iconf->sockType);
if(runModConf->authType) {
if(!strcmp(runModConf->authType, "CURVESERVER")) {
DBGPRINTF("imczmq: we are a CURVESERVER\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
zcert_apply(serverCert, pData->sock);
zcert_destroy(&serverCert);
}
else if(!strcmp(runModConf->authType, "CURVECLIENT")) {
DBGPRINTF("imczmq: we are a CURVECLIENT\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
const char *server_key = zcert_public_txt(serverCert);
zcert_destroy(&serverCert);
zsock_set_curve_serverkey(pData->sock, server_key);
zcert_t *clientCert = zcert_load(runModConf->clientCertPath);
if(!clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->clientCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(clientCert, pData->sock);
zcert_destroy(&clientCert);
}
}
switch(iconf->sockType) {
case ZMQ_SUB:
#if defined(ZMQ_DISH)
case ZMQ_DISH:
#endif
iconf->serverish = true;
break;
case ZMQ_PULL:
#if defined(ZMQ_GATHER)
case ZMQ_GATHER:
#endif
case ZMQ_ROUTER:
#if defined(ZMQ_SERVER)
case ZMQ_SERVER:
#endif
iconf->serverish = true;
break;
}
if(iconf->topics) {
char topic[256];
while(*iconf->topics) {
char *delimiter = strchr(iconf->topics, ',');
if(!delimiter) {
delimiter = iconf->topics + strlen(iconf->topics);
}
memcpy (topic, iconf->topics, delimiter - iconf->topics);
topic[delimiter-iconf->topics] = 0;
DBGPRINTF("imczmq: subscribing to %s\n", topic);
if(iconf->sockType == ZMQ_SUB) {
zsock_set_subscribe (pData->sock, topic);
}
#if defined(ZMQ_DISH)
else if(iconf->sockType == ZMQ_DISH) {
int rc = zsock_join (pData->sock, topic);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not join group %s", topic);
ABORT_FINALIZE(RS_RET_ERR);
}
}
#endif
if(*delimiter == 0) {
break;
}
iconf->topics = delimiter + 1;
}
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
DBGPRINTF("imczmq: attached socket to %s\n", iconf->sockEndpoints);
rc = zlist_append(listenerList, (void *)pData);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not append listener");
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
std::string certificate::public_text() const
{
return std::string(zcert_public_txt(self_));
}
int main(int argc, char **argv)
{
char *a = argv[1]; // name of cert
char sa[500]; // name of serv_cert
char ca[500]; // name of client_cert
uint8_t serv_priv[32];
uint8_t serv_pub[32];
uint8_t cli_priv[32];
uint8_t cli_pub[32];
zcert_t *serv_cert = zcert_new();
zcert_t *cli_cert = zcert_new();
uint8_t *serv_privp = zcert_secret_key(serv_cert);
uint8_t *serv_pubp = zcert_public_key(serv_cert);
uint8_t *cli_privp = zcert_secret_key(cli_cert);
uint8_t *cli_pubp = zcert_public_key(cli_cert);
memmove(serv_priv, serv_privp, sizeof(serv_priv));
memmove(serv_pub, serv_pubp, sizeof(serv_pub));
memmove(cli_priv, cli_privp, sizeof(cli_priv));
memmove(cli_pub, cli_pubp, sizeof(cli_pub));
char *serv_cprivp = zcert_secret_txt(serv_cert);
char *serv_cpubp = zcert_public_txt(serv_cert);
char *cli_cprivp = zcert_secret_txt(cli_cert);
char *cli_cpubp = zcert_public_txt(cli_cert);
char servhnam[1000];
char clihnam[1000];
sprintf(servhnam, "servcert_%s.h", a);
sprintf(clihnam, "clicert_%s.h", a);
FILE *serv = fopen(servhnam, "w");
FILE *cli = fopen(clihnam, "w");
fprintf(serv, "char *%s_server_private_txt = \"%s\";\n", a, serv_cprivp);
fprintf(serv, "char *%s_server_public_txt = \"%s\";\n\n\n", a, serv_cpubp);
fprintf(cli, "char *%s_cli_private_txt = \"%s\";\n", a, cli_cprivp);
fprintf(cli, "char *%s_cli_public_txt = \"%s\";\n\n\n", a, cli_cpubp);
sprintf(sa, "server_%s", a);
sprintf(ca, "client_%s", a);
zcert_save(serv_cert, sa);
zcert_save(cli_cert, ca);
// we don't need the secret keys on disk; just a security hazard
unlink("server_banshare_secret");
unlink("client_banshare_secret");
fprintf
(serv, "uint8_t %s_server_private[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, serv_priv[0], serv_priv[1], serv_priv[2], serv_priv[3], serv_priv[4], serv_priv[5], serv_priv[6],
serv_priv[7], serv_priv[8], serv_priv[9], serv_priv[10], serv_priv[11], serv_priv[12], serv_priv[13],
serv_priv[14], serv_priv[15], serv_priv[16], serv_priv[17], serv_priv[18], serv_priv[19], serv_priv[20],
serv_priv[21], serv_priv[22], serv_priv[23], serv_priv[24], serv_priv[25], serv_priv[26], serv_priv[27],
serv_priv[28], serv_priv[29], serv_priv[30], serv_priv[31]);
fprintf
(serv, "uint8_t %s_server_public[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, serv_pub[0], serv_pub[1], serv_pub[2], serv_pub[3], serv_pub[4], serv_pub[5], serv_pub[6], serv_pub[7],
serv_pub[8], serv_pub[9], serv_pub[10], serv_pub[11], serv_pub[12], serv_pub[13], serv_pub[14], serv_pub[15],
serv_pub[16], serv_pub[17], serv_pub[18], serv_pub[19], serv_pub[20], serv_pub[21], serv_pub[22], serv_pub[23],
serv_pub[24], serv_pub[25], serv_pub[26], serv_pub[27], serv_pub[28], serv_pub[29], serv_pub[30], serv_pub[31]);
fprintf
(cli, "uint8_t %s_client_private[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, cli_priv[0], cli_priv[1], cli_priv[2], cli_priv[3], cli_priv[4], cli_priv[5], cli_priv[6],
cli_priv[7], cli_priv[8], cli_priv[9], cli_priv[10], cli_priv[11], cli_priv[12], cli_priv[13],
cli_priv[14], cli_priv[15], cli_priv[16], cli_priv[17], cli_priv[18], cli_priv[19], cli_priv[20],
cli_priv[21], cli_priv[22], cli_priv[23], cli_priv[24], cli_priv[25], cli_priv[26], cli_priv[27],
cli_priv[28], cli_priv[29], cli_priv[30], cli_priv[31]);
fprintf
(cli, "uint8_t %s_client_public[32] = {0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,\n 0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx,0x%hhx };\n",
a, cli_pub[0], cli_pub[1], cli_pub[2], cli_pub[3], cli_pub[4], cli_pub[5], cli_pub[6], cli_pub[7],
cli_pub[8], cli_pub[9], cli_pub[10], cli_pub[11], cli_pub[12], cli_pub[13], cli_pub[14], cli_pub[15],
cli_pub[16], cli_pub[17], cli_pub[18], cli_pub[19], cli_pub[20], cli_pub[21], cli_pub[22], cli_pub[23],
cli_pub[24], cli_pub[25], cli_pub[26], cli_pub[27], cli_pub[28], cli_pub[29], cli_pub[30], cli_pub[31]);
fclose(serv);
fclose(cli);
exit(0);
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not
// go through our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (ctx, &server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsocket_set_zap_domain (server, "global");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsocket_set_zap_domain (server, "global");
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsocket_set_zap_domain (server, "global");
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Try PLAIN authentication
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (ctx, &server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (ctx, &server, &client);
assert (success);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (ctx, &server, &client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_t *client_cert = zcert_new ();
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (ctx, &server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (ctx, &server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (ctx, &server, &client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
// Authentication test procedure for zproxy sockets - matches zauth_test steps
static void
zproxy_test_authentication (int selected_sockets, bool verbose)
{
# define TESTDIR ".test_zproxy"
# define TESTPWDS TESTDIR "/password-file"
# define TESTCERT TESTDIR "/mycert.txt"
# define TESTFRONTEND (selected_sockets & FRONTEND_SOCKET)
# define TESTBACKEND (selected_sockets & BACKEND_SOCKET)
// Demarcate test boundaries
zsys_info ("zproxy: TEST authentication type=%s%s%s",
TESTFRONTEND? "FRONTEND": "",
TESTFRONTEND && TESTBACKEND? "+": "",
TESTBACKEND? "BACKEND": "");
// Create temporary directory for test files
zsys_dir_create (TESTDIR);
// Clear out any test files from previous run
if (zsys_file_exists (TESTPWDS))
zsys_file_delete (TESTPWDS);
if (zsys_file_exists (TESTCERT))
zsys_file_delete (TESTCERT);
zactor_t *proxy = NULL;
zsock_t *faucet = NULL;
zsock_t *sink = NULL;
char *frontend = NULL;
char *backend = NULL;
// Check there's no authentication
s_create_test_sockets (&proxy, &faucet, &sink, verbose);
s_bind_proxy_sockets (proxy, &frontend, &backend);
bool success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Install the authenticator
zactor_t *auth = zactor_new (zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
// Check there's no authentication on a default NULL server
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Blacklist 127.0.0.1, connection should fail
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Whitelist our address, which overrides the blacklist
s_send_proxy_command (proxy, "DOMAIN", selected_sockets, "global", NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Try PLAIN authentication
// Test negative case (no server-side passwords defined)
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Test positive case (server-side passwords defined)
FILE *password = fopen (TESTPWDS, "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Password");
zstr_sendx (auth, "PLAIN", TESTPWDS, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Test negative case (bad client password)
s_send_proxy_command (proxy, "PLAIN", selected_sockets, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_plain_auth (faucet, sink, selected_sockets, "admin", "Bogus");
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
if (zsys_has_curve ()) {
// We'll create two new certificates and save the client public
// certificate on disk
zcert_t *server_cert = zcert_new ();
assert (server_cert);
zcert_t *client_cert = zcert_new ();
assert (client_cert);
char *public_key = zcert_public_txt (server_cert);
char *secret_key = zcert_secret_txt (server_cert);
// Try CURVE authentication
// Test without setting-up any authentication
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (!success);
// Test CURVE_ALLOW_ANY
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
// Test with client certificate file in authentication folder
s_send_proxy_command (proxy, "CURVE", selected_sockets, public_key, secret_key, NULL);
s_bind_proxy_sockets (proxy, &frontend, &backend);
s_configure_curve_auth (faucet, sink, selected_sockets, client_cert, public_key);
zcert_save_public (client_cert, TESTCERT);
zstr_sendx (auth, "CURVE", TESTDIR, NULL);
zsock_wait (auth);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
}
// Remove the authenticator and check a normal connection works
zactor_destroy (&auth);
s_bind_proxy_sockets (proxy, &frontend, &backend);
success = s_can_connect (&proxy, &faucet, &sink, frontend, backend, verbose);
assert (success);
zsock_destroy (&faucet);
zsock_destroy (&sink);
zactor_destroy (&proxy);
zstr_free (&frontend);
zstr_free (&backend);
}
void
zyre_test (bool verbose)
{
printf (" * zyre: ");
if (verbose)
printf ("\n");
// @selftest
// We'll use inproc gossip discovery so that this works without networking
uint64_t version = zyre_version ();
assert ((version / 10000) % 100 == ZYRE_VERSION_MAJOR);
assert ((version / 100) % 100 == ZYRE_VERSION_MINOR);
assert (version % 100 == ZYRE_VERSION_PATCH);
// Create two nodes
zyre_t *node1 = zyre_new ("node1");
assert (node1);
assert (streq (zyre_name (node1), "node1"));
zyre_set_header (node1, "X-HELLO", "World");
if (verbose)
zyre_set_verbose (node1);
// Set inproc endpoint for this node
int rc = zyre_set_endpoint (node1, "inproc://zyre-node1");
assert (rc == 0);
// Set up gossip network for this node
zyre_gossip_bind (node1, "inproc://gossip-hub");
rc = zyre_start (node1);
assert (rc == 0);
zyre_t *node2 = zyre_new ("node2");
assert (node2);
assert (streq (zyre_name (node2), "node2"));
if (verbose)
zyre_set_verbose (node2);
// Set inproc endpoint for this node
// First, try to use existing name, it'll fail
rc = zyre_set_endpoint (node2, "inproc://zyre-node1");
assert (rc == -1);
// Now use available name and confirm that it succeeds
rc = zyre_set_endpoint (node2, "inproc://zyre-node2");
assert (rc == 0);
// Set up gossip network for this node
zyre_gossip_connect (node2, "inproc://gossip-hub");
rc = zyre_start (node2);
assert (rc == 0);
assert (strneq (zyre_uuid (node1), zyre_uuid (node2)));
zyre_join (node1, "GLOBAL");
zyre_join (node2, "GLOBAL");
// Give time for them to interconnect
zclock_sleep (250);
if (verbose)
zyre_dump (node1);
zlist_t *peers = zyre_peers (node1);
assert (peers);
assert (zlist_size (peers) == 1);
zlist_destroy (&peers);
zyre_join (node1, "node1 group of one");
zyre_join (node2, "node2 group of one");
// Give them time to join their groups
zclock_sleep (250);
zlist_t *own_groups = zyre_own_groups (node1);
assert (own_groups);
assert (zlist_size (own_groups) == 2);
zlist_destroy (&own_groups);
zlist_t *peer_groups = zyre_peer_groups (node1);
assert (peer_groups);
assert (zlist_size (peer_groups) == 2);
zlist_destroy (&peer_groups);
char *value = zyre_peer_header_value (node2, zyre_uuid (node1), "X-HELLO");
assert (streq (value, "World"));
zstr_free (&value);
// One node shouts to GLOBAL
zyre_shouts (node1, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
zmsg_t *msg = zyre_recv (node2);
assert (msg);
char *command = zmsg_popstr (msg);
assert (streq (command, "ENTER"));
zstr_free (&command);
assert (zmsg_size (msg) == 4);
char *peerid = zmsg_popstr (msg);
char *name = zmsg_popstr (msg);
assert (streq (name, "node1"));
zstr_free (&name);
zframe_t *headers_packed = zmsg_pop (msg);
char *address = zmsg_popstr (msg);
char *endpoint = zyre_peer_address (node2, peerid);
assert (streq (address, endpoint));
zstr_free (&peerid);
zstr_free (&endpoint);
zstr_free (&address);
assert (headers_packed);
zhash_t *headers = zhash_unpack (headers_packed);
assert (headers);
zframe_destroy (&headers_packed);
assert (streq ((char *) zhash_lookup (headers, "X-HELLO"), "World"));
zhash_destroy (&headers);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
assert (zmsg_size (msg) == 3);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
assert (zmsg_size (msg) == 3);
zmsg_destroy (&msg);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "SHOUT"));
zstr_free (&command);
zmsg_destroy (&msg);
zyre_stop (node2);
msg = zyre_recv (node2);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "STOP"));
zstr_free (&command);
zmsg_destroy (&msg);
zyre_stop (node1);
zyre_destroy (&node1);
zyre_destroy (&node2);
printf ("OK\n");
#ifdef ZYRE_BUILD_DRAFT_API
if (zsys_has_curve()){
printf (" * zyre-curve: ");
if (verbose)
printf ("\n");
if (verbose)
zsys_debug("----------------TESTING CURVE --------------");
zactor_t *speaker = zactor_new (zbeacon, NULL);
assert (speaker);
if (verbose)
zstr_sendx (speaker, "VERBOSE", NULL);
// ensuring we have a broadcast address
zsock_send (speaker, "si", "CONFIGURE", 9999);
char *hostname = zstr_recv (speaker);
if (!*hostname) {
printf ("OK (skipping test, no UDP broadcasting)\n");
zactor_destroy (&speaker);
freen (hostname);
return;
}
freen (hostname);
zactor_destroy (&speaker);
// zap setup
zactor_t *auth = zactor_new(zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx(auth, "VERBOSE", NULL);
zsock_wait(auth);
}
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
zyre_t *node3 = zyre_new ("node3");
zyre_t *node4 = zyre_new ("node4");
assert (node3);
assert (node4);
zyre_set_verbose (node3);
zyre_set_verbose (node4);
zyre_set_zap_domain(node3, "TEST");
zyre_set_zap_domain(node4, "TEST");
zsock_set_rcvtimeo(node3->inbox, 10000);
zsock_set_rcvtimeo(node4->inbox, 10000);
zcert_t *node3_cert = zcert_new ();
zcert_t *node4_cert = zcert_new ();
assert (node3_cert);
assert (node4_cert);
zyre_set_zcert(node3, node3_cert);
zyre_set_zcert(node4, node4_cert);
zyre_set_header(node3, "X-PUBLICKEY", "%s", zcert_public_txt(node3_cert));
zyre_set_header(node4, "X-PUBLICKEY", "%s", zcert_public_txt(node4_cert));
// test beacon
if (verbose)
zsys_debug ("----------------TESTING BEACON----------------");
rc = zyre_start(node3);
assert (rc == 0);
rc = zyre_start(node4);
assert (rc == 0);
zyre_join (node3, "GLOBAL");
zyre_join (node4, "GLOBAL");
zclock_sleep (1500);
if (verbose) {
zyre_dump (node3);
zyre_dump (node4);
}
zyre_shouts (node3, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "ENTER"));
zstr_free (&command);
char *peerid = zmsg_popstr (msg);
assert (peerid);
name = zmsg_popstr (msg);
assert (streq (name, "node3"));
zmsg_destroy (&msg);
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "JOIN"));
zstr_free (&command);
zmsg_destroy(&msg);
msg = zyre_recv (node4);
assert (msg);
command = zmsg_popstr (msg);
assert (streq (command, "SHOUT"));
zstr_free (&command);
zmsg_destroy(&msg);
zyre_leave(node3, "GLOBAL");
zyre_leave(node4, "GLOBAL");
zstr_free (&name);
zstr_free (&peerid);
zstr_free (&command);
zyre_stop (node3);
zyre_stop (node4);
// give things a chance to settle...
zclock_sleep (250);
zyre_destroy(&node3);
zyre_destroy(&node4);
zcert_destroy(&node3_cert);
zcert_destroy(&node4_cert);
// test gossip
if (verbose)
zsys_debug ("----------------TESTING GOSSIP----------------");
zyre_t *node5 = zyre_new ("node5");
zyre_t *node6 = zyre_new ("node6");
assert (node5);
assert (node6);
if (verbose) {
zyre_set_verbose (node5);
zyre_set_verbose (node6);
}
// if it takes more than 10s, something probably went terribly wrong
zsock_set_rcvtimeo(node5->inbox, 10000);
zsock_set_rcvtimeo(node6->inbox, 10000);
zcert_t *node5_cert = zcert_new ();
zcert_t *node6_cert = zcert_new ();
assert (node5_cert);
assert (node6_cert);
zyre_set_zcert(node5, node5_cert);
zyre_set_zcert(node6, node6_cert);
zyre_set_header(node5, "X-PUBLICKEY", "%s", zcert_public_txt(node5_cert));
zyre_set_header(node6, "X-PUBLICKEY", "%s", zcert_public_txt(node6_cert));
const char *gossip_cert = zcert_public_txt (node5_cert);
// TODO- need to add zyre_gossip_port functions to get port from gossip bind(?)
zyre_gossip_bind(node5, "tcp://127.0.0.1:9001");
zyre_gossip_connect_curve(node6, gossip_cert, "tcp://127.0.0.1:9001");
zyre_start(node5);
zsock_wait(node5);
zyre_start(node6);
zsock_wait(node6);
zyre_join (node5, "GLOBAL");
zyre_join (node6, "GLOBAL");
// give things a chance to settle...
zclock_sleep (1500);
if (verbose) {
zyre_dump (node5);
zyre_dump (node6);
}
zyre_shouts (node5, "GLOBAL", "Hello, World");
// Second node should receive ENTER, JOIN, and SHOUT
msg = zyre_recv (node6);
assert (msg);
command = zmsg_popstr (msg);
zsys_info(command);
assert (streq (command, "ENTER"));
zstr_free (&command);
peerid = zmsg_popstr (msg);
assert (peerid);
name = zmsg_popstr (msg);
zmsg_destroy (&msg);
assert (streq (name, "node5"));
zstr_free (&name);
zyre_leave(node5, "GLOBAL");
zyre_leave(node6, "GLOBAL");
zyre_stop (node5);
zyre_stop (node6);
// give things a chance to settle...
zclock_sleep (250);
zstr_free (&peerid);
zcert_destroy (&node5_cert);
zcert_destroy (&node6_cert);
zyre_destroy(&node5);
zyre_destroy(&node6);
zactor_destroy(&auth);
printf ("OK\n");
}
#endif
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* tell czmq to not use it's own signal handler */
putenv ("ZSYS_SIGHANDLER=false");
/* create new auth actor */
DBGPRINTF ("omczmq: starting auth actor...\n");
pData->authActor = zactor_new (zauth, NULL);
if (!pData->authActor) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
/* create our zeromq socket */
DBGPRINTF ("omczmq: creating zeromq socket...\n");
pData->sock = zsock_new (pData->sockType);
if (!pData->sock) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
bool is_server = false;
/* if we are a CURVE server */
if (!strcmp(pData->authType, "CURVESERVER")) {
DBGPRINTF("omczmq: we are a curve server...\n");
is_server = true;
/* set global auth domain */
zsock_set_zap_domain(pData->sock, "global");
/* set that we are a curve server */
zsock_set_curve_server(pData->sock, 1);
/* get and set our server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
/* set allowed clients */
DBGPRINTF("omczmq: allowed clients are %s...\n", pData->clientCertPath);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
}
/* if we are a CURVE client */
if (!strcmp(pData->authType, "CURVECLIENT")) {
DBGPRINTF("omczmq: we are a curve client...\n");
is_server = false;
/* get our client cert */
pData->clientCert = zcert_load(pData->clientCertPath);
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* apply the client cert to the socket */
zcert_apply(pData->clientCert, pData->sock);
/* get the server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* get the server public key and set it for the socket */
char *server_key = zcert_public_txt(pData->serverCert);
DBGPRINTF("omczmq: server public key is %s...\n", server_key);
zsock_set_curve_serverkey (pData->sock, server_key);
}
/* we default to CONNECT unless told otherwise */
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, is_server);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
String HHVM_METHOD(ZMQCert, getPublicTxt) {
return String(zcert_public_txt(Native::data<ZMQCert>(this_)->zcert), CopyString);
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* Turn off CZMQ signal handling */
/* ----------------------------- */
putenv ("ZSYS_SIGHANDLER=false");
/* Create the authentication actor */
/* ------------------------------ */
pData->authActor = zactor_new(zauth, NULL);
if (!pData->authActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth actor");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: auth actor started\n");
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(pData->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((pData->beacon != NULL) && (pData->beaconport > 0)) {
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", pData->beaconport);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beacon, strlen(pData->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, pData->beaconport);
zstr_free (&hostname);
}
/* Load certs for auth if auth is used */
/* ----------------------------------- */
if (pData->authType != NULL) {
/* CURVESERVER */
/* ---------- */
if (!strcmp(pData->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
DBGPRINTF("omczmq: CURVESERVER: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVESERVER: clientCertPath: '%s'\n", pData->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(pData->authType, "CURVECLIENT")) {
if (!strcmp(pData->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(pData->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("omczmq: CURVECLIENT: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVECLIENT: clientCertPath: '%s'\n", pData->clientCertPath);
DBGPRINTF("omczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", pData->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
switch (pData->sockType) {
case ZMQ_PUB:
pData->serverish = true;
break;
case ZMQ_PUSH:
case ZMQ_DEALER:
pData->serverish = false;
break;
}
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, pData->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
finalize_it:
RETiRet;
}
///
// Return public part of key pair as Z85 armored string
const QString QmlZcert::publicTxt () {
return QString (zcert_public_txt (self));
};
static rsRetVal addListener(instanceConf_t* iconf){
struct lstn_s* pData;
DEFiRet;
CHKmalloc(pData=(struct lstn_s*)MALLOC(sizeof(struct lstn_s)));
pData->next = NULL;
pData->pRuleset = iconf->pBindRuleset;
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(iconf->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF ("imczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((iconf->beacon != NULL) && (iconf->beaconPort > 0)) {
DBGPRINTF ("imczmq: starting beacon actor...\n");
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", iconf->beaconPort);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor,
"sbi", "PUBLISH", pData->beaconActor, strlen(iconf->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, iconf->beaconPort);
}
DBGPRINTF("imczmq: authtype is: %s\n", iconf->authType);
if (iconf->authType != NULL) {
/* CURVESERVER */
/* ----------- */
if (!strcmp(iconf->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(authActor, "CURVE", iconf->clientCertPath, NULL);
zsock_wait(authActor);
DBGPRINTF("imczmq: CURVESERVER: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("mczmq: CURVESERVER: clientCertPath: '%s'\n", iconf->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(iconf->authType, "CURVECLIENT")) {
if (!strcmp(iconf->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(iconf->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("imczmq: CURVECLIENT: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("imczmq: CURVECLIENT: clientCertPath: '%s'\n", iconf->clientCertPath);
DBGPRINTF("imczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", iconf->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
/* subscribe to topics */
/* ------------------- */
if (iconf->sockType == ZMQ_SUB) {
char topic[256], *list = iconf->topicList;
while (list) {
char *delimiter = strchr(list, ',');
if (!delimiter) {
delimiter = list + strlen (list);
}
if (delimiter - list > 255) {
errmsg.LogError(0, NO_ERRCODE,
"iconf->topicList must be under 256 characters");
ABORT_FINALIZE(RS_RET_ERR);
}
memcpy(topic, list, delimiter - list);
topic[delimiter - list] = 0;
zsock_set_subscribe(pData->sock, topic);
if (*delimiter == 0) {
break;
}
list = delimiter + 1;
}
}
switch (iconf->sockType) {
case ZMQ_SUB:
iconf->serverish = false;
break;
case ZMQ_PULL:
case ZMQ_ROUTER:
iconf->serverish = true;
break;
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
/* add this struct to the global */
/* ----------------------------- */
if(lcnfRoot == NULL) {
lcnfRoot = pData;
}
if(lcnfLast == NULL) {
lcnfLast = pData;
} else {
lcnfLast->next = pData;
lcnfLast = pData;
}
finalize_it:
RETiRet;
}
void
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Check there's no authentication
zsock_t *server = zsock_new (ZMQ_PUSH);
assert (server);
zsock_t *client = zsock_new (ZMQ_PULL);
assert (client);
bool success = s_can_connect (&server, &client);
assert (success);
// Install the authenticator
zactor_t *auth = zactor_new (zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
// Check there's no authentication on a default NULL server
success = s_can_connect (&server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsock_set_zap_domain (server, "global");
success = s_can_connect (&server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Try PLAIN authentication
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
success = s_can_connect (&server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
zstr_sendx (auth, "PLAIN", TESTDIR "/password-file", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Bogus");
success = s_can_connect (&server, &client);
assert (!success);
if (zsys_has_curve ()) {
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
assert (server_cert);
zcert_t *client_cert = zcert_new ();
assert (client_cert);
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
success = s_can_connect (&server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zstr_sendx (auth, "CURVE", TESTDIR, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
}
// Remove the authenticator and check a normal connection works
zactor_destroy (&auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_destroy (&client);
zsock_destroy (&server);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
const char *SELFTEST_DIR_RW = "src/selftest-rw";
const char *testbasedir = ".test_zcertstore";
const char *testfile = "mycert.txt";
char *basedirpath = NULL; // subdir in a test, under SELFTEST_DIR_RW
char *filepath = NULL; // pathname to testfile in a test, in dirpath
basedirpath = zsys_sprintf ("%s/%s", SELFTEST_DIR_RW, testbasedir);
assert (basedirpath);
filepath = zsys_sprintf ("%s/%s", basedirpath, testfile);
assert (filepath);
// Make sure old aborted tests do not hinder us
zdir_t *dir = zdir_new (basedirpath, NULL);
if (dir) {
zdir_remove (dir, true);
zdir_destroy (&dir);
}
zsys_file_delete (filepath);
zsys_dir_delete (basedirpath);
// Create temporary directory for test files
zsys_dir_create (basedirpath);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (basedirpath);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, filepath);
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// Iterate through certs
zlistx_t *certs = zcertstore_certs(certstore);
cert = (zcert_t *) zlistx_first(certs);
int cert_count = 0;
while (cert) {
assert (streq (zcert_meta (cert, "name"), "John Doe"));
cert = (zcert_t *) zlistx_next(certs);
cert_count++;
}
assert(cert_count==1);
zlistx_destroy(&certs);
#endif
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
freen (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
dir = zdir_new (basedirpath, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
zstr_free (&basedirpath);
zstr_free (&filepath);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
