static zsock_t * s_self_create_socket (self_t *self, char *type_name, char *endpoints, proxy_socket selected_socket) { // This array matches ZMQ_XXX type definitions assert (ZMQ_PAIR == 0); char *type_names [] = { "PAIR", "PUB", "SUB", "REQ", "REP", "DEALER", "ROUTER", "PULL", "PUSH", "XPUB", "XSUB", type_name }; // We always match type at least at end of table int index; for (index = 0; strneq (type_name, type_names [index]); index++) ; if (index > ZMQ_XSUB) { zsys_error ("zproxy: invalid socket type '%s'", type_name); return NULL; } zsock_t *sock = zsock_new (index); if (sock) { #if (ZMQ_VERSION_MAJOR == 4) if (self->domain [selected_socket]) { // Apply authentication domain zsock_set_zap_domain (sock, self->domain [selected_socket]); } if (self->auth_type [selected_socket] == AUTH_PLAIN) { // Enable plain authentication zsock_set_plain_server (sock, 1); } else if (self->auth_type [selected_socket] == AUTH_CURVE) { // Apply certificate keys char *public_key = self->public_key [selected_socket]; assert(public_key); char *secret_key = self->secret_key [selected_socket]; assert(secret_key); zsock_set_curve_publickey (sock, public_key); zsock_set_curve_secretkey (sock, secret_key); // Enable curve authentication zsock_set_curve_server (sock, 1); } #endif if (zsock_attach (sock, endpoints, true)) { zsys_error ("zproxy: invalid endpoints '%s'", endpoints); zsock_destroy (&sock); } } return sock; }
void MessageProcessor::init(int port, zcert_t* transportKey) { if (port == 0) { OT_FAIL; } if (!zsys_has_curve()) { Log::vError("Error: libzmq has no libsodium support"); OT_FAIL; } zstr_sendx(zmqAuth_, "CURVE", CURVE_ALLOW_ANY, NULL); zsock_wait(zmqAuth_); zsock_set_zap_domain(zmqSocket_, "global"); zsock_set_curve_server(zmqSocket_, 1); zcert_apply(transportKey, zmqSocket_); zsock_bind(zmqSocket_, "tcp://*:%d", port); }
void zauth_test (bool verbose) { printf (" * zauth: "); #if (ZMQ_VERSION_MAJOR == 4) if (verbose) printf ("\n"); // @selftest // Create temporary directory for test files # define TESTDIR ".test_zauth" zsys_dir_create (TESTDIR); // Check there's no authentication zsock_t *server = zsock_new (ZMQ_PUSH); assert (server); zsock_t *client = zsock_new (ZMQ_PULL); assert (client); bool success = s_can_connect (&server, &client); assert (success); // Install the authenticator zactor_t *auth = zactor_new (zauth, NULL); assert (auth); if (verbose) { zstr_sendx (auth, "VERBOSE", NULL); zsock_wait (auth); } // Check there's no authentication on a default NULL server success = s_can_connect (&server, &client); assert (success); // When we set a domain on the server, we switch on authentication // for NULL sockets, but with no policies, the client connection // will be allowed. zsock_set_zap_domain (server, "global"); success = s_can_connect (&server, &client); assert (success); // Blacklist 127.0.0.1, connection should fail zsock_set_zap_domain (server, "global"); zstr_sendx (auth, "DENY", "127.0.0.1", NULL); zsock_wait (auth); success = s_can_connect (&server, &client); assert (!success); // Whitelist our address, which overrides the blacklist zsock_set_zap_domain (server, "global"); zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL); zsock_wait (auth); success = s_can_connect (&server, &client); assert (success); // Try PLAIN authentication zsock_set_plain_server (server, 1); zsock_set_plain_username (client, "admin"); zsock_set_plain_password (client, "Password"); success = s_can_connect (&server, &client); assert (!success); FILE *password = fopen (TESTDIR "/password-file", "w"); assert (password); fprintf (password, "admin=Password\n"); fclose (password); zsock_set_plain_server (server, 1); zsock_set_plain_username (client, "admin"); zsock_set_plain_password (client, "Password"); zstr_sendx (auth, "PLAIN", TESTDIR "/password-file", NULL); zsock_wait (auth); success = s_can_connect (&server, &client); assert (success); zsock_set_plain_server (server, 1); zsock_set_plain_username (client, "admin"); zsock_set_plain_password (client, "Bogus"); success = s_can_connect (&server, &client); assert (!success); if (zsys_has_curve ()) { // Try CURVE authentication // We'll create two new certificates and save the client public // certificate on disk; in a real case we'd transfer this securely // from the client machine to the server machine. zcert_t *server_cert = zcert_new (); assert (server_cert); zcert_t *client_cert = zcert_new (); assert (client_cert); char *server_key = zcert_public_txt (server_cert); // Test without setting-up any authentication zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsock_set_curve_server (server, 1); zsock_set_curve_serverkey (client, server_key); success = s_can_connect (&server, &client); assert (!success); // Test CURVE_ALLOW_ANY zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsock_set_curve_server (server, 1); zsock_set_curve_serverkey (client, server_key); zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL); zsock_wait (auth); success = s_can_connect (&server, &client); assert (success); // Test full client authentication using certificates zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsock_set_curve_server (server, 1); zsock_set_curve_serverkey (client, server_key); zcert_save_public (client_cert, TESTDIR "/mycert.txt"); zstr_sendx (auth, "CURVE", TESTDIR, NULL); zsock_wait (auth); success = s_can_connect (&server, &client); assert (success); zcert_destroy (&server_cert); zcert_destroy (&client_cert); } // Remove the authenticator and check a normal connection works zactor_destroy (&auth); success = s_can_connect (&server, &client); assert (success); zsock_destroy (&client); zsock_destroy (&server); // Delete all test files zdir_t *dir = zdir_new (TESTDIR, NULL); assert (dir); zdir_remove (dir, true); zdir_destroy (&dir); // @end #endif printf ("OK\n"); }
/// // Set socket option `curve_server`. void QZsock::setCurveServer (int curveServer) { zsock_set_curve_server (self, curveServer); }
static rsRetVal addListener(instanceConf_t* iconf){ DEFiRet; DBGPRINTF("imczmq: addListener called..\n"); struct listener_t* pData; CHKmalloc(pData=(struct listener_t*)MALLOC(sizeof(struct listener_t))); pData->ruleset = iconf->pBindRuleset; pData->sock = zsock_new(iconf->sockType); if(!pData->sock) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "imczmq: new socket failed for endpoints: %s", iconf->sockEndpoints); ABORT_FINALIZE(RS_RET_NO_ERRCODE); } DBGPRINTF("imczmq: created socket of type %d..\n", iconf->sockType); if(runModConf->authType) { if(!strcmp(runModConf->authType, "CURVESERVER")) { DBGPRINTF("imczmq: we are a CURVESERVER\n"); zcert_t *serverCert = zcert_load(runModConf->serverCertPath); if(!serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load cert %s", runModConf->serverCertPath); ABORT_FINALIZE(RS_RET_ERR); } zsock_set_zap_domain(pData->sock, "global"); zsock_set_curve_server(pData->sock, 1); zcert_apply(serverCert, pData->sock); zcert_destroy(&serverCert); } else if(!strcmp(runModConf->authType, "CURVECLIENT")) { DBGPRINTF("imczmq: we are a CURVECLIENT\n"); zcert_t *serverCert = zcert_load(runModConf->serverCertPath); if(!serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load cert %s", runModConf->serverCertPath); ABORT_FINALIZE(RS_RET_ERR); } const char *server_key = zcert_public_txt(serverCert); zcert_destroy(&serverCert); zsock_set_curve_serverkey(pData->sock, server_key); zcert_t *clientCert = zcert_load(runModConf->clientCertPath); if(!clientCert) { errmsg.LogError(0, NO_ERRCODE, "could not load cert %s", runModConf->clientCertPath); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(clientCert, pData->sock); zcert_destroy(&clientCert); } } switch(iconf->sockType) { case ZMQ_SUB: #if defined(ZMQ_DISH) case ZMQ_DISH: #endif iconf->serverish = true; break; case ZMQ_PULL: #if defined(ZMQ_GATHER) case ZMQ_GATHER: #endif case ZMQ_ROUTER: #if defined(ZMQ_SERVER) case ZMQ_SERVER: #endif iconf->serverish = true; break; } if(iconf->topics) { char topic[256]; while(*iconf->topics) { char *delimiter = strchr(iconf->topics, ','); if(!delimiter) { delimiter = iconf->topics + strlen(iconf->topics); } memcpy (topic, iconf->topics, delimiter - iconf->topics); topic[delimiter-iconf->topics] = 0; DBGPRINTF("imczmq: subscribing to %s\n", topic); if(iconf->sockType == ZMQ_SUB) { zsock_set_subscribe (pData->sock, topic); } #if defined(ZMQ_DISH) else if(iconf->sockType == ZMQ_DISH) { int rc = zsock_join (pData->sock, topic); if(rc != 0) { errmsg.LogError(0, NO_ERRCODE, "could not join group %s", topic); ABORT_FINALIZE(RS_RET_ERR); } } #endif if(*delimiter == 0) { break; } iconf->topics = delimiter + 1; } } int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints, iconf->serverish); if (rc == -1) { errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed", iconf->sockEndpoints); ABORT_FINALIZE(RS_RET_ERR); } DBGPRINTF("imczmq: attached socket to %s\n", iconf->sockEndpoints); rc = zlist_append(listenerList, (void *)pData); if(rc != 0) { errmsg.LogError(0, NO_ERRCODE, "could not append listener"); ABORT_FINALIZE(RS_RET_ERR); } finalize_it: RETiRet; }
static rsRetVal addListener(instanceConf_t* iconf){ struct lstn_s* pData; DEFiRet; CHKmalloc(pData=(struct lstn_s*)MALLOC(sizeof(struct lstn_s))); pData->next = NULL; pData->pRuleset = iconf->pBindRuleset; /* Create the zeromq socket */ /* ------------------------ */ pData->sock = zsock_new(iconf->sockType); if (!pData->sock) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "imczmq: new socket failed for endpoints: %s", iconf->sockEndpoints); ABORT_FINALIZE(RS_RET_NO_ERRCODE); } DBGPRINTF ("imczmq: created socket...\n"); /* Create the beacon actor if configured */ /* ------------------------------------- */ if((iconf->beacon != NULL) && (iconf->beaconPort > 0)) { DBGPRINTF ("imczmq: starting beacon actor...\n"); pData->beaconActor = zactor_new(zbeacon, NULL); if (!pData->beaconActor) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "imczmq: could not create beacon service"); ABORT_FINALIZE (RS_RET_NO_ERRCODE); } zsock_send(pData->beaconActor, "si", "CONFIGURE", iconf->beaconPort); char *hostname = zstr_recv(pData->beaconActor); if (!*hostname) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "imczmq: no UDP broadcasting available"); ABORT_FINALIZE (RS_RET_NO_ERRCODE); } zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beaconActor, strlen(iconf->beacon)); DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n", hostname, iconf->beaconPort); } DBGPRINTF("imczmq: authtype is: %s\n", iconf->authType); if (iconf->authType != NULL) { /* CURVESERVER */ /* ----------- */ if (!strcmp(iconf->authType, "CURVESERVER")) { zsock_set_zap_domain(pData->sock, "global"); zsock_set_curve_server(pData->sock, 1); pData->serverCert = zcert_load(iconf->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(pData->serverCert, pData->sock); zstr_sendx(authActor, "CURVE", iconf->clientCertPath, NULL); zsock_wait(authActor); DBGPRINTF("imczmq: CURVESERVER: serverCertPath: '%s'\n", iconf->serverCertPath); DBGPRINTF("mczmq: CURVESERVER: clientCertPath: '%s'\n", iconf->clientCertPath); } /* CURVECLIENT */ /* ----------- */ else if (!strcmp(iconf->authType, "CURVECLIENT")) { if (!strcmp(iconf->clientCertPath, "*")) { pData->clientCert = zcert_new(); } else { pData->clientCert = zcert_load(iconf->clientCertPath); } if (!pData->clientCert) { errmsg.LogError(0, NO_ERRCODE, "could not load client cert"); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(pData->clientCert, pData->sock); pData->serverCert = zcert_load(iconf->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } char *server_key = zcert_public_txt(pData->serverCert); zsock_set_curve_serverkey (pData->sock, server_key); DBGPRINTF("imczmq: CURVECLIENT: serverCertPath: '%s'\n", iconf->serverCertPath); DBGPRINTF("imczmq: CURVECLIENT: clientCertPath: '%s'\n", iconf->clientCertPath); DBGPRINTF("imczmq: CURVECLIENT: server_key: '%s'\n", server_key); } else { errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", iconf->authType); ABORT_FINALIZE(RS_RET_ERR); } } /* subscribe to topics */ /* ------------------- */ if (iconf->sockType == ZMQ_SUB) { char topic[256], *list = iconf->topicList; while (list) { char *delimiter = strchr(list, ','); if (!delimiter) { delimiter = list + strlen (list); } if (delimiter - list > 255) { errmsg.LogError(0, NO_ERRCODE, "iconf->topicList must be under 256 characters"); ABORT_FINALIZE(RS_RET_ERR); } memcpy(topic, list, delimiter - list); topic[delimiter - list] = 0; zsock_set_subscribe(pData->sock, topic); if (*delimiter == 0) { break; } list = delimiter + 1; } } switch (iconf->sockType) { case ZMQ_SUB: iconf->serverish = false; break; case ZMQ_PULL: case ZMQ_ROUTER: iconf->serverish = true; break; } int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints, iconf->serverish); if (rc == -1) { errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s", iconf->sockEndpoints); ABORT_FINALIZE(RS_RET_ERR); } /* add this struct to the global */ /* ----------------------------- */ if(lcnfRoot == NULL) { lcnfRoot = pData; } if(lcnfLast == NULL) { lcnfLast = pData; } else { lcnfLast->next = pData; lcnfLast = pData; } finalize_it: RETiRet; }
JNIEXPORT void JNICALL Java_org_zeromq_czmq_Zsock__1_1setCurveServer (JNIEnv *env, jclass c, jlong self, jint curve_server) { zsock_set_curve_server ((zsock_t *) (intptr_t) self, (int) curve_server); }
static rsRetVal initCZMQ(instanceData* pData) { DEFiRet; /* tell czmq to not use it's own signal handler */ putenv ("ZSYS_SIGHANDLER=false"); /* create new auth actor */ DBGPRINTF ("omczmq: starting auth actor...\n"); pData->authActor = zactor_new (zauth, NULL); if (!pData->authActor) { errmsg.LogError (0, RS_RET_NO_ERRCODE, "omczmq: could not create auth service"); ABORT_FINALIZE (RS_RET_NO_ERRCODE); } /* create our zeromq socket */ DBGPRINTF ("omczmq: creating zeromq socket...\n"); pData->sock = zsock_new (pData->sockType); if (!pData->sock) { errmsg.LogError (0, RS_RET_NO_ERRCODE, "omczmq: new socket failed for endpoints: %s", pData->sockEndpoints); ABORT_FINALIZE(RS_RET_NO_ERRCODE); } bool is_server = false; /* if we are a CURVE server */ if (!strcmp(pData->authType, "CURVESERVER")) { DBGPRINTF("omczmq: we are a curve server...\n"); is_server = true; /* set global auth domain */ zsock_set_zap_domain(pData->sock, "global"); /* set that we are a curve server */ zsock_set_curve_server(pData->sock, 1); /* get and set our server cert */ DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath); pData->serverCert = zcert_load(pData->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(pData->serverCert, pData->sock); /* set allowed clients */ DBGPRINTF("omczmq: allowed clients are %s...\n", pData->clientCertPath); zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL); zsock_wait(pData->authActor); } /* if we are a CURVE client */ if (!strcmp(pData->authType, "CURVECLIENT")) { DBGPRINTF("omczmq: we are a curve client...\n"); is_server = false; /* get our client cert */ pData->clientCert = zcert_load(pData->clientCertPath); if (!pData->clientCert) { errmsg.LogError(0, NO_ERRCODE, "could not load client cert"); ABORT_FINALIZE(RS_RET_ERR); } /* apply the client cert to the socket */ zcert_apply(pData->clientCert, pData->sock); /* get the server cert */ DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath); pData->serverCert = zcert_load(pData->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } /* get the server public key and set it for the socket */ char *server_key = zcert_public_txt(pData->serverCert); DBGPRINTF("omczmq: server public key is %s...\n", server_key); zsock_set_curve_serverkey (pData->sock, server_key); } /* we default to CONNECT unless told otherwise */ int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, is_server); if (rc == -1) { errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed", pData->sockEndpoints); ABORT_FINALIZE(RS_RET_ERR); } finalize_it: RETiRet; }
static rsRetVal initCZMQ(instanceData* pData) { DEFiRet; /* Turn off CZMQ signal handling */ /* ----------------------------- */ putenv ("ZSYS_SIGHANDLER=false"); /* Create the authentication actor */ /* ------------------------------ */ pData->authActor = zactor_new(zauth, NULL); if (!pData->authActor) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "omczmq: could not create auth actor"); ABORT_FINALIZE (RS_RET_SUSPENDED); } DBGPRINTF ("omczmq: auth actor started\n"); /* Create the zeromq socket */ /* ------------------------ */ pData->sock = zsock_new(pData->sockType); if (!pData->sock) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "omczmq: new socket failed for endpoints: %s", pData->sockEndpoints); ABORT_FINALIZE(RS_RET_SUSPENDED); } DBGPRINTF ("omczmq: created socket...\n"); /* Create the beacon actor if configured */ /* ------------------------------------- */ if((pData->beacon != NULL) && (pData->beaconport > 0)) { pData->beaconActor = zactor_new(zbeacon, NULL); if (!pData->beaconActor) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "omczmq: could not create beacon service"); ABORT_FINALIZE (RS_RET_SUSPENDED); } zsock_send(pData->beaconActor, "si", "CONFIGURE", pData->beaconport); char *hostname = zstr_recv(pData->beaconActor); if (!*hostname) { errmsg.LogError(0, RS_RET_NO_ERRCODE, "omczmq: no UDP broadcasting available"); ABORT_FINALIZE (RS_RET_SUSPENDED); } zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beacon, strlen(pData->beacon)); DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n", hostname, pData->beaconport); zstr_free (&hostname); } /* Load certs for auth if auth is used */ /* ----------------------------------- */ if (pData->authType != NULL) { /* CURVESERVER */ /* ---------- */ if (!strcmp(pData->authType, "CURVESERVER")) { zsock_set_zap_domain(pData->sock, "global"); zsock_set_curve_server(pData->sock, 1); pData->serverCert = zcert_load(pData->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(pData->serverCert, pData->sock); zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL); zsock_wait(pData->authActor); DBGPRINTF("omczmq: CURVESERVER: serverCertPath: '%s'\n", pData->serverCertPath); DBGPRINTF("omczmq: CURVESERVER: clientCertPath: '%s'\n", pData->clientCertPath); } /* CURVECLIENT */ /* ----------- */ else if (!strcmp(pData->authType, "CURVECLIENT")) { if (!strcmp(pData->clientCertPath, "*")) { pData->clientCert = zcert_new(); } else { pData->clientCert = zcert_load(pData->clientCertPath); } if (!pData->clientCert) { errmsg.LogError(0, NO_ERRCODE, "could not load client cert"); ABORT_FINALIZE(RS_RET_ERR); } zcert_apply(pData->clientCert, pData->sock); pData->serverCert = zcert_load(pData->serverCertPath); if (!pData->serverCert) { errmsg.LogError(0, NO_ERRCODE, "could not load server cert"); ABORT_FINALIZE(RS_RET_ERR); } char *server_key = zcert_public_txt(pData->serverCert); zsock_set_curve_serverkey (pData->sock, server_key); DBGPRINTF("omczmq: CURVECLIENT: serverCertPath: '%s'\n", pData->serverCertPath); DBGPRINTF("omczmq: CURVECLIENT: clientCertPath: '%s'\n", pData->clientCertPath); DBGPRINTF("omczmq: CURVECLIENT: server_key: '%s'\n", server_key); } else { errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", pData->authType); ABORT_FINALIZE(RS_RET_ERR); } } switch (pData->sockType) { case ZMQ_PUB: pData->serverish = true; break; case ZMQ_PUSH: case ZMQ_DEALER: pData->serverish = false; break; } int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, pData->serverish); if (rc == -1) { errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed", pData->sockEndpoints); ABORT_FINALIZE(RS_RET_SUSPENDED); } finalize_it: RETiRet; }