static void
s_configure_curve_auth (zsock_t *faucet, zsock_t *sink, int selected_sockets, zcert_t *client_cert, const char *public_key)
{
assert (client_cert);
assert (public_key);
if (selected_sockets & FRONTEND_SOCKET) {
assert (faucet);
zcert_apply (client_cert, faucet);
zsock_set_curve_serverkey (faucet, public_key);
}
if (selected_sockets & BACKEND_SOCKET) {
assert (sink);
zcert_apply (client_cert, sink);
zsock_set_curve_serverkey (sink, public_key);
}
}
server_connect (server_t *self, const char *endpoint)
#endif
{
zsock_t *remote = zsock_new (ZMQ_DEALER);
assert (remote); // No recovery if exhausted
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
if (public_key){
zcert_t *cert = zcert_new_from_txt (self->public_key, self->secret_key);
zcert_apply(cert, remote);
zsock_set_curve_serverkey (remote, public_key);
#ifndef ZMQ_CURVE
// legacy ZMQ support
// inline incase the underlying assert is removed
bool ZMQ_CURVE = false;
#endif
assert (zsock_mechanism (remote) == ZMQ_CURVE);
zcert_destroy(&cert);
}
#endif
// Never block on sending; we use an infinite HWM and buffer as many
// messages as needed in outgoing pipes. Note that the maximum number
// is the overall tuple set size.
zsock_set_unbounded (remote);
if (zsock_connect (remote, "%s", endpoint)) {
zsys_warning ("bad zgossip endpoint '%s'", endpoint);
zsock_destroy (&remote);
return;
}
// Send HELLO and then PUBLISH for each tuple we have
zgossip_msg_t *gossip = zgossip_msg_new ();
zgossip_msg_set_id (gossip, ZGOSSIP_MSG_HELLO);
zgossip_msg_send (gossip, remote);
tuple_t *tuple = (tuple_t *) zhashx_first (self->tuples);
while (tuple) {
zgossip_msg_set_id (gossip, ZGOSSIP_MSG_PUBLISH);
zgossip_msg_set_key (gossip, tuple->key);
zgossip_msg_set_value (gossip, tuple->value);
zgossip_msg_send (gossip, remote);
tuple = (tuple_t *) zhashx_next (self->tuples);
}
// Now monitor this remote for incoming messages
zgossip_msg_destroy (&gossip);
engine_handle_socket (self, remote, remote_handler);
zlistx_add_end (self->remotes, remote);
}
void MessageProcessor::init(int port, zcert_t* transportKey)
{
if (port == 0) {
OT_FAIL;
}
if (!zsys_has_curve()) {
Log::vError("Error: libzmq has no libsodium support");
OT_FAIL;
}
zstr_sendx(zmqAuth_, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait(zmqAuth_);
zsock_set_zap_domain(zmqSocket_, "global");
zsock_set_curve_server(zmqSocket_, 1);
zcert_apply(transportKey, zmqSocket_);
zsock_bind(zmqSocket_, "tcp://*:%d", port);
}
void
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Check there's no authentication
zsock_t *server = zsock_new (ZMQ_PUSH);
assert (server);
zsock_t *client = zsock_new (ZMQ_PULL);
assert (client);
bool success = s_can_connect (&server, &client);
assert (success);
// Install the authenticator
zactor_t *auth = zactor_new (zauth, NULL);
assert (auth);
if (verbose) {
zstr_sendx (auth, "VERBOSE", NULL);
zsock_wait (auth);
}
// Check there's no authentication on a default NULL server
success = s_can_connect (&server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsock_set_zap_domain (server, "global");
success = s_can_connect (&server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "DENY", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsock_set_zap_domain (server, "global");
zstr_sendx (auth, "ALLOW", "127.0.0.1", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Try PLAIN authentication
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
success = s_can_connect (&server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Password");
zstr_sendx (auth, "PLAIN", TESTDIR "/password-file", NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_set_plain_server (server, 1);
zsock_set_plain_username (client, "admin");
zsock_set_plain_password (client, "Bogus");
success = s_can_connect (&server, &client);
assert (!success);
if (zsys_has_curve ()) {
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
assert (server_cert);
zcert_t *client_cert = zcert_new ();
assert (client_cert);
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
success = s_can_connect (&server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zstr_sendx (auth, "CURVE", CURVE_ALLOW_ANY, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsock_set_curve_server (server, 1);
zsock_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zstr_sendx (auth, "CURVE", TESTDIR, NULL);
zsock_wait (auth);
success = s_can_connect (&server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
}
// Remove the authenticator and check a normal connection works
zactor_destroy (&auth);
success = s_can_connect (&server, &client);
assert (success);
zsock_destroy (&client);
zsock_destroy (&server);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
///
// Apply certificate to socket, i.e. use for CURVE security on socket.
// If certificate was loaded from public file, the secret key will be
// undefined, and this certificate will not work successfully.
void QmlZcert::apply (void *zocket) {
zcert_apply (self, zocket);
};
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not
// go through our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (ctx, &server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsocket_set_zap_domain (server, "global");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsocket_set_zap_domain (server, "global");
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsocket_set_zap_domain (server, "global");
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Try PLAIN authentication
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (ctx, &server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (ctx, &server, &client);
assert (success);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (ctx, &server, &client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_t *client_cert = zcert_new ();
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (ctx, &server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (ctx, &server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (ctx, &server, &client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not go through
// our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (server, client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection will
// be allowed.
//
// TODO: libzmq should accept new security options after unbind/bind
// but for now we have to create a new server socket each time.
server = zsocket_new (ctx, ZMQ_PUSH);
zsocket_set_zap_domain (server, "global");
success = s_can_connect (server, client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (success);
// Try PLAIN authentication
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (server, client);
assert (!success);
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (server, client);
assert (success);
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (server, client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_apply (server_cert, server);
zsocket_set_curve_server (server, 1);
zcert_t *client_cert = zcert_new ();
zcert_apply (client_cert, client);
char *server_key = zcert_public_txt (server_cert);
zsocket_set_curve_serverkey (client, server_key);
// We've not set-up any authentication, connection will fail
success = s_can_connect (server, client);
assert (!success);
// PH: 2013/09/18
// There's an issue with libzmq where it sometimes fails to
// connect even if the ZAP handler allows it. It's timing
// dependent, so this is a voodoo hack. To be removed, I've
// no idea this even applies to all boxes.
sleep (1);
// Test CURVE_ALLOW_ANY
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (server, client);
assert (success);
// Test full client authentication using certificates
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (server, client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (server, client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
///
// Apply certificate to socket, i.e. use for CURVE security on socket.
// If certificate was loaded from public file, the secret key will be
// undefined, and this certificate will not work successfully.
void QZcert::apply (void *socket)
{
zcert_apply (self, socket);
}
static rsRetVal addListener(instanceConf_t* iconf){
DEFiRet;
DBGPRINTF("imczmq: addListener called..\n");
struct listener_t* pData;
CHKmalloc(pData=(struct listener_t*)MALLOC(sizeof(struct listener_t)));
pData->ruleset = iconf->pBindRuleset;
pData->sock = zsock_new(iconf->sockType);
if(!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF("imczmq: created socket of type %d..\n", iconf->sockType);
if(runModConf->authType) {
if(!strcmp(runModConf->authType, "CURVESERVER")) {
DBGPRINTF("imczmq: we are a CURVESERVER\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
zcert_apply(serverCert, pData->sock);
zcert_destroy(&serverCert);
}
else if(!strcmp(runModConf->authType, "CURVECLIENT")) {
DBGPRINTF("imczmq: we are a CURVECLIENT\n");
zcert_t *serverCert = zcert_load(runModConf->serverCertPath);
if(!serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->serverCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
const char *server_key = zcert_public_txt(serverCert);
zcert_destroy(&serverCert);
zsock_set_curve_serverkey(pData->sock, server_key);
zcert_t *clientCert = zcert_load(runModConf->clientCertPath);
if(!clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load cert %s",
runModConf->clientCertPath);
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(clientCert, pData->sock);
zcert_destroy(&clientCert);
}
}
switch(iconf->sockType) {
case ZMQ_SUB:
#if defined(ZMQ_DISH)
case ZMQ_DISH:
#endif
iconf->serverish = true;
break;
case ZMQ_PULL:
#if defined(ZMQ_GATHER)
case ZMQ_GATHER:
#endif
case ZMQ_ROUTER:
#if defined(ZMQ_SERVER)
case ZMQ_SERVER:
#endif
iconf->serverish = true;
break;
}
if(iconf->topics) {
char topic[256];
while(*iconf->topics) {
char *delimiter = strchr(iconf->topics, ',');
if(!delimiter) {
delimiter = iconf->topics + strlen(iconf->topics);
}
memcpy (topic, iconf->topics, delimiter - iconf->topics);
topic[delimiter-iconf->topics] = 0;
DBGPRINTF("imczmq: subscribing to %s\n", topic);
if(iconf->sockType == ZMQ_SUB) {
zsock_set_subscribe (pData->sock, topic);
}
#if defined(ZMQ_DISH)
else if(iconf->sockType == ZMQ_DISH) {
int rc = zsock_join (pData->sock, topic);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not join group %s", topic);
ABORT_FINALIZE(RS_RET_ERR);
}
}
#endif
if(*delimiter == 0) {
break;
}
iconf->topics = delimiter + 1;
}
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
DBGPRINTF("imczmq: attached socket to %s\n", iconf->sockEndpoints);
rc = zlist_append(listenerList, (void *)pData);
if(rc != 0) {
errmsg.LogError(0, NO_ERRCODE, "could not append listener");
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
static rsRetVal addListener(instanceConf_t* iconf){
struct lstn_s* pData;
DEFiRet;
CHKmalloc(pData=(struct lstn_s*)MALLOC(sizeof(struct lstn_s)));
pData->next = NULL;
pData->pRuleset = iconf->pBindRuleset;
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(iconf->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: new socket failed for endpoints: %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
DBGPRINTF ("imczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((iconf->beacon != NULL) && (iconf->beaconPort > 0)) {
DBGPRINTF ("imczmq: starting beacon actor...\n");
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", iconf->beaconPort);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"imczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
zsock_send(pData->beaconActor,
"sbi", "PUBLISH", pData->beaconActor, strlen(iconf->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, iconf->beaconPort);
}
DBGPRINTF("imczmq: authtype is: %s\n", iconf->authType);
if (iconf->authType != NULL) {
/* CURVESERVER */
/* ----------- */
if (!strcmp(iconf->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(authActor, "CURVE", iconf->clientCertPath, NULL);
zsock_wait(authActor);
DBGPRINTF("imczmq: CURVESERVER: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("mczmq: CURVESERVER: clientCertPath: '%s'\n", iconf->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(iconf->authType, "CURVECLIENT")) {
if (!strcmp(iconf->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(iconf->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(iconf->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("imczmq: CURVECLIENT: serverCertPath: '%s'\n", iconf->serverCertPath);
DBGPRINTF("imczmq: CURVECLIENT: clientCertPath: '%s'\n", iconf->clientCertPath);
DBGPRINTF("imczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", iconf->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
/* subscribe to topics */
/* ------------------- */
if (iconf->sockType == ZMQ_SUB) {
char topic[256], *list = iconf->topicList;
while (list) {
char *delimiter = strchr(list, ',');
if (!delimiter) {
delimiter = list + strlen (list);
}
if (delimiter - list > 255) {
errmsg.LogError(0, NO_ERRCODE,
"iconf->topicList must be under 256 characters");
ABORT_FINALIZE(RS_RET_ERR);
}
memcpy(topic, list, delimiter - list);
topic[delimiter - list] = 0;
zsock_set_subscribe(pData->sock, topic);
if (*delimiter == 0) {
break;
}
list = delimiter + 1;
}
}
switch (iconf->sockType) {
case ZMQ_SUB:
iconf->serverish = false;
break;
case ZMQ_PULL:
case ZMQ_ROUTER:
iconf->serverish = true;
break;
}
int rc = zsock_attach(pData->sock, (const char*)iconf->sockEndpoints,
iconf->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s",
iconf->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
/* add this struct to the global */
/* ----------------------------- */
if(lcnfRoot == NULL) {
lcnfRoot = pData;
}
if(lcnfLast == NULL) {
lcnfLast = pData;
} else {
lcnfLast->next = pData;
lcnfLast = pData;
}
finalize_it:
RETiRet;
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* tell czmq to not use it's own signal handler */
putenv ("ZSYS_SIGHANDLER=false");
/* create new auth actor */
DBGPRINTF ("omczmq: starting auth actor...\n");
pData->authActor = zactor_new (zauth, NULL);
if (!pData->authActor) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth service");
ABORT_FINALIZE (RS_RET_NO_ERRCODE);
}
/* create our zeromq socket */
DBGPRINTF ("omczmq: creating zeromq socket...\n");
pData->sock = zsock_new (pData->sockType);
if (!pData->sock) {
errmsg.LogError (0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
bool is_server = false;
/* if we are a CURVE server */
if (!strcmp(pData->authType, "CURVESERVER")) {
DBGPRINTF("omczmq: we are a curve server...\n");
is_server = true;
/* set global auth domain */
zsock_set_zap_domain(pData->sock, "global");
/* set that we are a curve server */
zsock_set_curve_server(pData->sock, 1);
/* get and set our server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
/* set allowed clients */
DBGPRINTF("omczmq: allowed clients are %s...\n", pData->clientCertPath);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
}
/* if we are a CURVE client */
if (!strcmp(pData->authType, "CURVECLIENT")) {
DBGPRINTF("omczmq: we are a curve client...\n");
is_server = false;
/* get our client cert */
pData->clientCert = zcert_load(pData->clientCertPath);
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* apply the client cert to the socket */
zcert_apply(pData->clientCert, pData->sock);
/* get the server cert */
DBGPRINTF("omczmq: server cert is %s...\n", pData->serverCertPath);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
/* get the server public key and set it for the socket */
char *server_key = zcert_public_txt(pData->serverCert);
DBGPRINTF("omczmq: server public key is %s...\n", server_key);
zsock_set_curve_serverkey (pData->sock, server_key);
}
/* we default to CONNECT unless told otherwise */
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, is_server);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_ERR);
}
finalize_it:
RETiRet;
}
void HHVM_METHOD(ZMQCert, apply, const Object& sockObj) {
auto cert = Native::data<ZMQCert>(this_);
auto sock = Native::data<ZMQSocket>(sockObj);
zcert_apply(cert->zcert, sock->socket->z_socket);
}
static rsRetVal initCZMQ(instanceData* pData) {
DEFiRet;
/* Turn off CZMQ signal handling */
/* ----------------------------- */
putenv ("ZSYS_SIGHANDLER=false");
/* Create the authentication actor */
/* ------------------------------ */
pData->authActor = zactor_new(zauth, NULL);
if (!pData->authActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create auth actor");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: auth actor started\n");
/* Create the zeromq socket */
/* ------------------------ */
pData->sock = zsock_new(pData->sockType);
if (!pData->sock) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: new socket failed for endpoints: %s",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
DBGPRINTF ("omczmq: created socket...\n");
/* Create the beacon actor if configured */
/* ------------------------------------- */
if((pData->beacon != NULL) && (pData->beaconport > 0)) {
pData->beaconActor = zactor_new(zbeacon, NULL);
if (!pData->beaconActor) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: could not create beacon service");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "si", "CONFIGURE", pData->beaconport);
char *hostname = zstr_recv(pData->beaconActor);
if (!*hostname) {
errmsg.LogError(0, RS_RET_NO_ERRCODE,
"omczmq: no UDP broadcasting available");
ABORT_FINALIZE (RS_RET_SUSPENDED);
}
zsock_send(pData->beaconActor, "sbi", "PUBLISH", pData->beacon, strlen(pData->beacon));
DBGPRINTF ("omczmq: beacon is lit: hostname: '%s', port: '%d'...\n",
hostname, pData->beaconport);
zstr_free (&hostname);
}
/* Load certs for auth if auth is used */
/* ----------------------------------- */
if (pData->authType != NULL) {
/* CURVESERVER */
/* ---------- */
if (!strcmp(pData->authType, "CURVESERVER")) {
zsock_set_zap_domain(pData->sock, "global");
zsock_set_curve_server(pData->sock, 1);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->serverCert, pData->sock);
zstr_sendx(pData->authActor, "CURVE", pData->clientCertPath, NULL);
zsock_wait(pData->authActor);
DBGPRINTF("omczmq: CURVESERVER: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVESERVER: clientCertPath: '%s'\n", pData->clientCertPath);
}
/* CURVECLIENT */
/* ----------- */
else if (!strcmp(pData->authType, "CURVECLIENT")) {
if (!strcmp(pData->clientCertPath, "*")) {
pData->clientCert = zcert_new();
}
else {
pData->clientCert = zcert_load(pData->clientCertPath);
}
if (!pData->clientCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load client cert");
ABORT_FINALIZE(RS_RET_ERR);
}
zcert_apply(pData->clientCert, pData->sock);
pData->serverCert = zcert_load(pData->serverCertPath);
if (!pData->serverCert) {
errmsg.LogError(0, NO_ERRCODE, "could not load server cert");
ABORT_FINALIZE(RS_RET_ERR);
}
char *server_key = zcert_public_txt(pData->serverCert);
zsock_set_curve_serverkey (pData->sock, server_key);
DBGPRINTF("omczmq: CURVECLIENT: serverCertPath: '%s'\n", pData->serverCertPath);
DBGPRINTF("omczmq: CURVECLIENT: clientCertPath: '%s'\n", pData->clientCertPath);
DBGPRINTF("omczmq: CURVECLIENT: server_key: '%s'\n", server_key);
}
else {
errmsg.LogError(0, NO_ERRCODE, "unrecognized auth type: '%s'", pData->authType);
ABORT_FINALIZE(RS_RET_ERR);
}
}
switch (pData->sockType) {
case ZMQ_PUB:
pData->serverish = true;
break;
case ZMQ_PUSH:
case ZMQ_DEALER:
pData->serverish = false;
break;
}
int rc = zsock_attach(pData->sock, (const char*)pData->sockEndpoints, pData->serverish);
if (rc == -1) {
errmsg.LogError(0, NO_ERRCODE, "zsock_attach to %s failed",
pData->sockEndpoints);
ABORT_FINALIZE(RS_RET_SUSPENDED);
}
finalize_it:
RETiRet;
}
int main(int argc, char **argv)
{
if( argc < 4 ) {
printf("HEY! Usage:\n banshare-report [-d] <program-name> <jail-name> <banned-ip>\n\n");
printf(" where -d sets debug mode\n");
exit(1);
}
int baseind = 1;
if( argv[1][0] == '-' && argv[1][1] == 'd') {
debug = 1;
baseind = 2;
}
char *progname = argv[baseind];
char *jailname = argv[baseind+1];
char *bannedip = argv[baseind+2];
zauth_t *auth;
zcert_t *cert;
zcert_t *server_public_cert;
char certdir[256];
char servercert[512];
if (access("/etc/ssl/certs/banshare/", R_OK) == 0 ) { // ubuntu, CentOS 6.x
strcpy(certdir, "/etc/ssl/certs/banshare");
strcpy(servercert, "/etc/ssl/certs/banshare/server_banshare");
} else if (access("/etc/pki/tls/certs/banshare/", R_OK) == 0 ) { // CentOS 5.x
strcpy(certdir, "/etc/pki/tls/certs/banshare");
strcpy(servercert, "/etc/pki/tls/certs/banshare/server_banshare");
}
zctx_t *ctx = zctx_new();
if (enc) {
auth = zauth_new (ctx);
zauth_set_verbose (auth, true);
zauth_configure_curve (auth, "*", certdir);
cert = zcert_new_from(banshare_client_public, banshare_client_private);
server_public_cert = zcert_load(servercert);
}
void *rep_sock = zsocket_new(ctx, ZMQ_REQ); // This will be request socket to complement the server's REP socket!
if (enc) {
zcert_apply (cert, rep_sock);
zsocket_set_curve_serverkey (rep_sock, zcert_public_txt(server_public_cert));
}
zsocket_set_rcvtimeo(rep_sock, 3000); // set read and write timeouts to 3 sec.
zsocket_set_sndtimeo(rep_sock, 3000);
int rc;
char *servip;
if (server_is_local()) {
servip = "127.0.0.1";
} else {
servip = BANSHARE_SERVER_IP;
}
rc = zsocket_connect(rep_sock, "tcp://%s:%d", servip, SERVER_REPORT_PORT);
if (rc != 0) {
printf("Connect to REQ socket to %s:%d FAILED with rc=%d\n", servip, SERVER_REPORT_PORT, rc);
exit(0);
}
if (debug) printf("Connected to tcp://%s:%d Just fine...\n", servip, SERVER_REPORT_PORT);
zclock_sleep(500);
while (!zctx_interrupted) {
char buf[1000];
int ret1 = zstr_sendf(rep_sock, "%s;%s;%s;%s", progname, jailname, bannedip, this_ip);
if (ret1 == -1) {
printf("Timeout while sending report! Server is DOWN?\n");
exit(1);
}
if( debug) printf("Sent: %s;%s;%s;%s to %s\n", progname, jailname, bannedip, this_ip, servip);
// and like all good req-rep sockets, we should get a response!
char *rec = zstr_recv(rep_sock);
if (!rec) {
printf("Timeout while waiting for OK! Server is DOWN?\n");
exit(1);
}
if (debug) printf("Got %s back from server\n", rec);
zstr_free(&rec);
// Oh, all that was really difficult, wasn't it? we are done. disconnect and exit
exit(0);
}
}
void certificate::apply(socket& sock)
{
zcert_apply(self_, sock.self());
}
