void
zcert_test (bool verbose)
{
printf (" * zcert: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcert"
zsys_dir_create (TESTDIR);
// Create a simple certificate with metadata
zcert_t *cert = zcert_new ();
# if defined (HAVE_LIBSODIUM)
zcert_set_meta (cert, "email", "*****@*****.**");
zcert_set_meta (cert, "name", "Pieter Hintjens");
zcert_set_meta (cert, "organization", "iMatix Corporation");
zcert_set_meta (cert, "version", "%d", 1);
assert (streq (zcert_meta (cert, "email"), "*****@*****.**"));
zlist_t *keys = zcert_meta_keys (cert);
assert (zlist_size (keys) == 4);
zlist_destroy (&keys);
// Check the dup and eq methods
zcert_t *shadow = zcert_dup (cert);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Check we can save and load certificate
zcert_save (cert, TESTDIR "/mycert.txt");
assert (zsys_file_exists (TESTDIR "/mycert.txt"));
assert (zsys_file_exists (TESTDIR "/mycert.txt_secret"));
// Load certificate, will in fact load secret one
shadow = zcert_load (TESTDIR "/mycert.txt");
assert (shadow);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Delete secret certificate, load public one
int rc = zsys_file_delete (TESTDIR "/mycert.txt_secret");
assert (rc == 0);
shadow = zcert_load (TESTDIR "/mycert.txt");
// 32-byte null key encodes as 40 '0' characters
assert (streq (zcert_secret_txt (shadow),
"0000000000000000000000000000000000000000"));
zcert_destroy (&shadow);
zcert_destroy (&cert);
# else
// Libsodium isn't installed; should have returned NULL
assert (cert == NULL);
# endif
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
static void
s_load_certs_from_disk (zcertstore_t *self)
{
s_empty_store (self);
zdir_t *dir = zdir_new (self->location, NULL);
if (dir) {
// Load all certificates including those in subdirectories
zfile_t **filelist = zdir_flatten (dir);
uint index;
for (index = 0;; index++) {
zfile_t *file = filelist [index];
if (!file)
break; // End of list
if (zfile_is_regular (file)) {
zcert_t *cert = zcert_load (zfile_filename (file, NULL));
if (cert)
zcertstore_insert (self, &cert);
}
}
zdir_flatten_free (&filelist);
self->modified = zdir_modified (dir);
self->count = zdir_count (dir);
self->cursize = zdir_cursize (dir);
zdir_destroy (&dir);
}
}
void HHVM_METHOD(ZMQCert, __construct, const Variant& filename) {
auto cert = Native::data<ZMQCert>(this_);
if (filename.isNull()) {
cert->zcert = zcert_new();
if (!cert->zcert) {
throwExceptionClass(s_ZMQCertExceptionClass, "Failed to create the underlying zcert object. Is libsodium installed?", PHP_ZMQ_INTERNAL_ERROR);
}
} else {
cert->zcert = zcert_load(filename.asCStrRef().c_str());
if (!cert->zcert) {
throwExceptionClassFmt(s_ZMQCertExceptionClass, "Failed to load the certificate from {}", filename.asCStrRef());
}
}
}
static void
s_disk_loader (zcertstore_t *certstore)
{
disk_loader_state *state = (disk_loader_state *)certstore->state;
zdir_t *dir = zdir_new (state->location, NULL);
if (dir
&& (state->modified != zdir_modified (dir)
|| state->count != zdir_count (dir)
|| state->cursize != (size_t) zdir_cursize (dir)))
{
zhashx_purge (certstore->certs);
// Load all certificates including those in subdirectories
zfile_t **filelist = zdir_flatten (dir);
assert (filelist);
zrex_t *rex = zrex_new ("_secret$");
assert (rex);
uint index;
for (index = 0;; index++) {
zfile_t *file = filelist [index];
if (!file)
break; // End of list
if (zfile_is_regular (file)
&& !zrex_matches (rex, zfile_filename (file, NULL))) {
zcert_t *cert = zcert_load (zfile_filename (file, NULL));
if (cert)
zcertstore_insert (certstore, &cert);
}
}
zdir_flatten_free (&filelist);
state->modified = zdir_modified (dir);
state->count = zdir_count (dir);
state->cursize = zdir_cursize (dir);
zrex_destroy (&rex);
}
zdir_destroy (&dir);
}
///
// Load certificate from file
QmlZcert *QmlZcertAttached::load (const QString &filename) {
QmlZcert *qmlSelf = new QmlZcert ();
qmlSelf->self = zcert_load (filename.toUtf8().data());
return qmlSelf;
};
void ZeroMQEngine::Initialize(const string endPoint, const string instanceName, const string instanceID)
{
zcert_t* localCertificate = nullptr;
// Handle common security initialization for server and client instances
if (SecurityEnabled())
{
if (!zsys_has_curve())
throw runtime_error("Failed to locate needed curve security libraries, cannot initialize ZeroMQ security");
string localCertDirectory = CURVECERTLOCALDIR "/";
string publicCertFileName;
string privateCertFileName;
// Make sure certificate store directories exist
if (zsys_dir_create(CURVECERTLOCALDIR) != 0)
throw runtime_error("Failed to create local curve security store, cannot initialize ZeroMQ security");
if (zsys_dir_create(CURVECERTREMOTEDIR) != 0)
throw runtime_error("Failed to create remote curve security store, cannot initialize ZeroMQ security");
// Derive certificate file names based on engine mode
if (ServerMode())
{
publicCertFileName = localCertDirectory + SVRPUBCERTFILENAME;
privateCertFileName = localCertDirectory + SVRPVTCERTFILENAME;
}
else
{
publicCertFileName = localCertDirectory + instanceName + PUBCERTFILENAMEEXT;
privateCertFileName = localCertDirectory + instanceName + PVTCERTFILENAMEEXT;
}
// See if private certificate already exists
if (zsys_file_exists(privateCertFileName.c_str()))
{
// Load existing local certificate
localCertificate = zcert_load(privateCertFileName.c_str());
if (localCertificate == nullptr)
throw runtime_error("Failed to load local curve certificate, cannot initialize ZeroMQ security");
}
else
{
// Create a new full certificate (public + private)
localCertificate = zcert_new();
if (localCertificate == nullptr)
throw runtime_error("Failed to create local curve certificate, cannot initialize ZeroMQ security");
zcert_set_meta(localCertificate, "name", instanceName.c_str());
zcert_set_meta(localCertificate, "id", instanceID.c_str());
zcert_set_meta(localCertificate, "type", ServerMode() ? "server" : "client");
// Persist certificates for future runs
if (zcert_save_public(localCertificate, publicCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve public certificate, cannot initialize ZeroMQ security");
if (zcert_save_secret(localCertificate, privateCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve private certificate, cannot initialize ZeroMQ security");
}
}
// Create new ZeroMQ engine instance
if (ServerMode())
m_instance = new ZeroMQServer(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
else
m_instance = new ZeroMQClient(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
m_instance->Initialize(endPoint, instanceName, instanceID);
log_info("\nEstablished ZeroMQ socket [%s]\n", ConnectionID().ToString().c_str());
}
static void *
client_task (void *args)
{
bool verbose = *((bool *) args);
char filename [256];
snprintf (filename, 255, TESTDIR "/client-%07d.cert", randof (10000000));
zcert_t *client_cert = zcert_new ();
zcert_save_public (client_cert, filename);
curve_client_t *client = curve_client_new (&client_cert);
curve_client_set_verbose (client, verbose);
zcert_t *server_cert = zcert_load (TESTDIR "/server.cert");
assert (server_cert);
curve_client_connect (client, "tcp://127.0.0.1:9006", zcert_public_key (server_cert));
zcert_destroy (&server_cert);
curve_client_sendstr (client, "Hello, World");
char *reply = curve_client_recvstr (client);
assert (streq (reply, "Hello, World"));
free (reply);
// Try a multipart message
zmsg_t *msg = zmsg_new ();
zmsg_addstr (msg, "Hello, World");
zmsg_addstr (msg, "Second frame");
curve_client_send (client, &msg);
msg = curve_client_recv (client);
assert (zmsg_size (msg) == 2);
zmsg_destroy (&msg);
// Now send messages of increasing size, check they work
int count;
int size = 0;
for (count = 0; count < 18; count++) {
zframe_t *data = zframe_new (NULL, size);
int byte_nbr;
// Set data to sequence 0...255 repeated
for (byte_nbr = 0; byte_nbr < size; byte_nbr++)
zframe_data (data)[byte_nbr] = (byte) byte_nbr;
msg = zmsg_new ();
zmsg_prepend (msg, &data);
curve_client_send (client, &msg);
msg = curve_client_recv (client);
data = zmsg_pop (msg);
assert (data);
assert (zframe_size (data) == size);
for (byte_nbr = 0; byte_nbr < size; byte_nbr++) {
assert (zframe_data (data)[byte_nbr] == (byte) byte_nbr);
}
zframe_destroy (&data);
zmsg_destroy (&msg);
size = size * 2 + 1;
}
// Signal end of test
curve_client_sendstr (client, "END");
reply = curve_client_recvstr (client);
free (reply);
curve_client_destroy (&client);
return NULL;
}
static void *
server_task (void *args)
{
bool verbose = *((bool *) args);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
zauth_configure_curve (auth, "*", TESTDIR);
void *router = zsocket_new (ctx, ZMQ_ROUTER);
int rc = zsocket_bind (router, "tcp://127.0.0.1:9005");
assert (rc != -1);
zcert_t *server_cert = zcert_load (TESTDIR "/server.cert");
assert (server_cert);
curve_codec_t *server = curve_codec_new_server (server_cert, ctx);
assert (server);
zcert_destroy (&server_cert);
curve_codec_set_verbose (server, verbose);
// Set some metadata properties
curve_codec_set_metadata (server, "Server", "CURVEZMQ/curve_codec");
// Execute incoming frames until ready or exception
// In practice we'd want a server instance per unique client
while (!curve_codec_connected (server)) {
zframe_t *sender = zframe_recv (router);
zframe_t *input = zframe_recv (router);
assert (input);
zframe_t *output = curve_codec_execute (server, &input);
assert (output);
zframe_send (&sender, router, ZFRAME_MORE);
zframe_send (&output, router, 0);
}
// Check client metadata
char *client_name = (char *) zhash_lookup (curve_codec_metadata (server), "client");
assert (client_name);
assert (streq (client_name, "CURVEZMQ/curve_client"));
bool finished = false;
while (!finished) {
// Now act as echo service doing a full decode and encode
zframe_t *sender = zframe_recv (router);
zframe_t *encrypted = zframe_recv (router);
assert (encrypted);
zframe_t *cleartext = curve_codec_decode (server, &encrypted);
assert (cleartext);
if (memcmp (cleartext, "END", 3) == 0)
finished = true;
// Echo message back
encrypted = curve_codec_encode (server, &cleartext);
assert (encrypted);
zframe_send (&sender, router, ZFRAME_MORE);
zframe_send (&encrypted, router, 0);
}
curve_codec_destroy (&server);
zauth_destroy (&auth);
zctx_destroy (&ctx);
return NULL;
}
///
// Load certificate from file
QZcert* QZcert::load (const QString &filename, QObject *qObjParent)
{
return new QZcert (zcert_load (filename.toUtf8().data()), qObjParent);
}
static rsRetVal addListener(instanceConf_t* iconf){
DEFiRet;
DBGPRINTF("imczmq: addListener called..\n");
struct listener_t* pData;
CHKmalloc(pData=(struct listener_t*)MALLOC(sizeof(struct listener_t)));
pData->ruleset = iconf->pBindRuleset;
pData->sock = zsock_new(iconf->sockType);
if(!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF("imczmq: created socket of type %d..\n", iconf->sockType);
if(runModConf->authType) {
if(!strcmp(runModConf->authType, "CURVESERVER")) {
DBGPRINTF("imczmq: we are a CURVESERVER\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
zcert_apply(serverCert, pData->sock);
zcert_destroy(&serverCert);
}
else if(!strcmp(runModConf->authType, "CURVECLIENT")) {
DBGPRINTF("imczmq: we are a CURVECLIENT\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
const char *server_key = zcert_public_txt(serverCert);
zcert_destroy(&serverCert);
zsock_set_curve_serverkey(pData->sock, server_key);
zcert_t *clientCert = zcert_load(runModConf->clientCertPath);
if(!clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->clientCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(clientCert, pData->sock);
zcert_destroy(&clientCert);
}
}
switch(iconf->sockType) {
case ZMQ_SUB:
#if defined(ZMQ_DISH)
case ZMQ_DISH:
#endif
iconf->serverish = true;
break;
case ZMQ_PULL:
#if defined(ZMQ_GATHER)
case ZMQ_GATHER:
#endif
case ZMQ_ROUTER:
#if defined(ZMQ_SERVER)
case ZMQ_SERVER:
#endif
iconf->serverish = true;
break;
}
if(iconf->topics) {
char topic[256];
while(*iconf->topics) {
char *delimiter = strchr(iconf->topics, ',');
if(!delimiter) {
delimiter = iconf->topics + strlen(iconf->topics);
}
memcpy (topic, iconf->topics, delimiter - iconf->topics);
topic[delimiter-iconf->topics] = 0;
DBGPRINTF("imczmq: subscribing to %s\n", topic);
if(iconf->sockType == ZMQ_SUB) {
zsock_set_subscribe (pData->sock, topic);
}
#if defined(ZMQ_DISH)
else if(iconf->sockType == ZMQ_DISH) {
int rc = zsock_join (pData->sock, topic);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not join group %s", topic);
ABORT_FINALIZE(RS_RET_ERR);
}
}
#endif
if(*delimiter == 0) {
break;
}
iconf->topics = delimiter + 1;
}
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
DBGPRINTF("imczmq: attached socket to %s\n", iconf->sockEndpoints);
rc = zlist_append(listenerList, (void *)pData);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not append listener");
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
static rsRetVal addListener(instanceConf_t* iconf){
struct lstn_s* pData;
DEFiRet;
CHKmalloc(pData=(struct lstn_s*)MALLOC(sizeof(struct lstn_s)));
pData->next = NULL;
pData->pRuleset = iconf->pBindRuleset;
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(iconf->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF ("imczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((iconf->beacon != NULL) && (iconf->beaconPort > 0)) {
DBGPRINTF ("imczmq: starting beacon actor...\n");
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", iconf->beaconPort);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor,
"sbi", "PUBLISH", pData->beaconActor, strlen(iconf->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, iconf->beaconPort);
}
DBGPRINTF("imczmq: authtype is: %s\n", iconf->authType);
if (iconf->authType != NULL) {
/* CURVESERVER */
/* ----------- */
if (!strcmp(iconf->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(authActor, "CURVE", iconf->clientCertPath, NULL);
zsock_wait(authActor);
DBGPRINTF("imczmq: CURVESERVER: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("mczmq: CURVESERVER: clientCertPath: '%s'\n", iconf->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(iconf->authType, "CURVECLIENT")) {
if (!strcmp(iconf->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(iconf->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("imczmq: CURVECLIENT: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("imczmq: CURVECLIENT: clientCertPath: '%s'\n", iconf->clientCertPath);
DBGPRINTF("imczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", iconf->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
/* subscribe to topics */
/* ------------------- */
if (iconf->sockType == ZMQ_SUB) {
char topic[256], *list = iconf->topicList;
while (list) {
char *delimiter = strchr(list, ',');
if (!delimiter) {
delimiter = list + strlen (list);
}
if (delimiter - list > 255) {
errmsg.LogError(0, NO_ERRCODE,
"iconf->topicList must be under 256 characters");
ABORT_FINALIZE(RS_RET_ERR);
}
memcpy(topic, list, delimiter - list);
topic[delimiter - list] = 0;
zsock_set_subscribe(pData->sock, topic);
if (*delimiter == 0) {
break;
}
list = delimiter + 1;
}
}
switch (iconf->sockType) {
case ZMQ_SUB:
iconf->serverish = false;
break;
case ZMQ_PULL:
case ZMQ_ROUTER:
iconf->serverish = true;
break;
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
/* add this struct to the global */
/* ----------------------------- */
if(lcnfRoot == NULL) {
lcnfRoot = pData;
}
if(lcnfLast == NULL) {
lcnfLast = pData;
} else {
lcnfLast->next = pData;
lcnfLast = pData;
}
finalize_it:
RETiRet;
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* tell czmq to not use it's own signal handler */
putenv ("ZSYS_SIGHANDLER=false");
/* create new auth actor */
DBGPRINTF ("omczmq: starting auth actor...\n");
pData->authActor = zactor_new (zauth, NULL);
if (!pData->authActor) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
/* create our zeromq socket */
DBGPRINTF ("omczmq: creating zeromq socket...\n");
pData->sock = zsock_new (pData->sockType);
if (!pData->sock) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
bool is_server = false;
/* if we are a CURVE server */
if (!strcmp(pData->authType, "CURVESERVER")) {
DBGPRINTF("omczmq: we are a curve server...\n");
is_server = true;
/* set global auth domain */
zsock_set_zap_domain(pData->sock, "global");
/* set that we are a curve server */
zsock_set_curve_server(pData->sock, 1);
/* get and set our server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
/* set allowed clients */
DBGPRINTF("omczmq: allowed clients are %s...\n", pData->clientCertPath);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
}
/* if we are a CURVE client */
if (!strcmp(pData->authType, "CURVECLIENT")) {
DBGPRINTF("omczmq: we are a curve client...\n");
is_server = false;
/* get our client cert */
pData->clientCert = zcert_load(pData->clientCertPath);
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* apply the client cert to the socket */
zcert_apply(pData->clientCert, pData->sock);
/* get the server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* get the server public key and set it for the socket */
char *server_key = zcert_public_txt(pData->serverCert);
DBGPRINTF("omczmq: server public key is %s...\n", server_key);
zsock_set_curve_serverkey (pData->sock, server_key);
}
/* we default to CONNECT unless told otherwise */
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, is_server);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* Turn off CZMQ signal handling */
/* ----------------------------- */
putenv ("ZSYS_SIGHANDLER=false");
/* Create the authentication actor */
/* ------------------------------ */
pData->authActor = zactor_new(zauth, NULL);
if (!pData->authActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth actor");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: auth actor started\n");
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(pData->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((pData->beacon != NULL) && (pData->beaconport > 0)) {
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", pData->beaconport);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beacon, strlen(pData->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, pData->beaconport);
zstr_free (&hostname);
}
/* Load certs for auth if auth is used */
/* ----------------------------------- */
if (pData->authType != NULL) {
/* CURVESERVER */
/* ---------- */
if (!strcmp(pData->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
DBGPRINTF("omczmq: CURVESERVER: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVESERVER: clientCertPath: '%s'\n", pData->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(pData->authType, "CURVECLIENT")) {
if (!strcmp(pData->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(pData->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("omczmq: CURVECLIENT: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVECLIENT: clientCertPath: '%s'\n", pData->clientCertPath);
DBGPRINTF("omczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", pData->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
switch (pData->sockType) {
case ZMQ_PUB:
pData->serverish = true;
break;
case ZMQ_PUSH:
case ZMQ_DEALER:
pData->serverish = false;
break;
}
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, pData->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
finalize_it:
RETiRet;
}
int main(int argc, char **argv)
{
if( argc < 4 ) {
printf("HEY! Usage:\n banshare-report [-d] <program-name> <jail-name> <banned-ip>\n\n");
printf(" where -d sets debug mode\n");
exit(1);
}
int baseind = 1;
if( argv[1][0] == '-' && argv[1][1] == 'd') {
debug = 1;
baseind = 2;
}
char *progname = argv[baseind];
char *jailname = argv[baseind+1];
char *bannedip = argv[baseind+2];
zauth_t *auth;
zcert_t *cert;
zcert_t *server_public_cert;
char certdir[256];
char servercert[512];
if (access("/etc/ssl/certs/banshare/", R_OK) == 0 ) { // ubuntu, CentOS 6.x
strcpy(certdir, "/etc/ssl/certs/banshare");
strcpy(servercert, "/etc/ssl/certs/banshare/server_banshare");
} else if (access("/etc/pki/tls/certs/banshare/", R_OK) == 0 ) { // CentOS 5.x
strcpy(certdir, "/etc/pki/tls/certs/banshare");
strcpy(servercert, "/etc/pki/tls/certs/banshare/server_banshare");
}
zctx_t *ctx = zctx_new();
if (enc) {
auth = zauth_new (ctx);
zauth_set_verbose (auth, true);
zauth_configure_curve (auth, "*", certdir);
cert = zcert_new_from(banshare_client_public, banshare_client_private);
server_public_cert = zcert_load(servercert);
}
void *rep_sock = zsocket_new(ctx, ZMQ_REQ); // This will be request socket to complement the server's REP socket!
if (enc) {
zcert_apply (cert, rep_sock);
zsocket_set_curve_serverkey (rep_sock, zcert_public_txt(server_public_cert));
}
zsocket_set_rcvtimeo(rep_sock, 3000); // set read and write timeouts to 3 sec.
zsocket_set_sndtimeo(rep_sock, 3000);
int rc;
char *servip;
if (server_is_local()) {
servip = "127.0.0.1";
} else {
servip = BANSHARE_SERVER_IP;
}
rc = zsocket_connect(rep_sock, "tcp://%s:%d", servip, SERVER_REPORT_PORT);
if (rc != 0) {
printf("Connect to REQ socket to %s:%d FAILED with rc=%d\n", servip, SERVER_REPORT_PORT, rc);
exit(0);
}
if (debug) printf("Connected to tcp://%s:%d Just fine...\n", servip, SERVER_REPORT_PORT);
zclock_sleep(500);
while (!zctx_interrupted) {
char buf[1000];
int ret1 = zstr_sendf(rep_sock, "%s;%s;%s;%s", progname, jailname, bannedip, this_ip);
if (ret1 == -1) {
printf("Timeout while sending report! Server is DOWN?\n");
exit(1);
}
if( debug) printf("Sent: %s;%s;%s;%s to %s\n", progname, jailname, bannedip, this_ip, servip);
// and like all good req-rep sockets, we should get a response!
char *rec = zstr_recv(rep_sock);
if (!rec) {
printf("Timeout while waiting for OK! Server is DOWN?\n");
exit(1);
}
if (debug) printf("Got %s back from server\n", rec);
zstr_free(&rec);
// Oh, all that was really difficult, wasn't it? we are done. disconnect and exit
exit(0);
}
}
zcert_t* load_cert(const std::string& filename)
{
return zcert_load(filename.c_str());
}
