Skip to content

L
libzmq
Commit ccf0e61b authored by Richard Newton's avatar Richard Newton
Browse files
Options

Merge remote-tracking branch 'upstream/master'

parents 64e1c181 25c89cac
Show whitespace changes
Inline Side-by-side
Showing with 82 additions and 29 deletions
doc/zmq_getsockopt.txt
View file @ ccf0e61b
......@@ -579,6 +579,20 @@ Default value:: null
Applicable socket types:: all, when using TCP transport
ZMQ_ZAP_DOMAIN: Retrieve RFC 27 authentication domain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The 'ZMQ_ZAP_DOMAIN' option shall retrieve the last ZAP domain set for
the socket. The returned value shall be a NULL-terminated string and MAY
be empty. The returned size SHALL include the terminating null byte.
[horizontal]
Option value type:: character string
Option value unit:: N/A
Default value:: not set
Applicable socket types:: all, when using TCP transport
RETURN VALUE
------------
The _zmq_getsockopt()_ function shall return zero if successful. Otherwise it
......
doc/zmq_setsockopt.txt
View file @ ccf0e61b
......@@ -682,6 +682,22 @@ Default value:: NULL
Applicable socket types:: all, when using TCP transport
ZMQ_ZAP_DOMAIN: Set RFC 27 authentication domain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sets the domain for ZAP (ZMQ RFC 27) authentication. For NULL security (the
default on all tcp:// connections), ZAP authentication only happens if you
set a non-empty domain. For PLAIN and CURVE security, ZAP requests are always
made, if there is a ZAP handler present. See http://rfc.zeromq.org/spec:27
for more details.
[horizontal]
Option value type:: character string
Option value unit:: N/A
Default value:: not set
Applicable socket types:: all, when using TCP transport
ZMQ_CONFLATE: Keep only last message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......
include/zmq.h
View file @ ccf0e61b
......@@ -280,6 +280,7 @@ ZMQ_EXPORT int zmq_msg_set (zmq_msg_t *msg, int option, int optval);
#define ZMQ_REQ_REQUEST_IDS 52
#define ZMQ_REQ_STRICT 53
#define ZMQ_CONFLATE 54
#define ZMQ_ZAP_DOMAIN 55
/* Message options */
#define ZMQ_MORE 1
......
src/curve_server.cpp
View file @ ccf0e61b
......@@ -523,8 +523,9 @@ void zmq::curve_server_t::send_zap_request (const uint8_t *key)
errno_assert (rc == 0);
// Domain frame
rc = msg.init ();
rc = msg.init_size (options.zap_domain.length ());
errno_assert (rc == 0);
memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
......@@ -539,7 +540,7 @@ void zmq::curve_server_t::send_zap_request (const uint8_t *key)
// Identity frame
rc = msg.init_size (options.identity_size);
errno_assert(rc == 0);
errno_assert (rc == 0);
memcpy (msg.data (), options.identity, options.identity_size);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
......
src/null_mechanism.cpp
View file @ ccf0e61b
......@@ -44,8 +44,10 @@ zmq::null_mechanism_t::null_mechanism_t (session_base_t *session_,
zap_request_sent (false),
zap_reply_received (false)
{
const int rc = session->zap_connect ();
if (rc == 0)
// NULL mechanism only uses ZAP if there's a domain defined
// This prevents ZAP requests on naive sockets
if (options.zap_domain.size () > 0
&& session->zap_connect () == 0)
zap_connected = true;
}
......@@ -182,8 +184,9 @@ void zmq::null_mechanism_t::send_zap_request ()
errno_assert (rc == 0);
// Domain frame
rc = msg.init ();
rc = msg.init_size (options.zap_domain.length ());
errno_assert (rc == 0);
memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
......@@ -205,9 +208,9 @@ void zmq::null_mechanism_t::send_zap_request ()
errno_assert (rc == 0);
// Mechanism frame
rc = msg.init_size (5);
rc = msg.init_size (4);
errno_assert (rc == 0);
memcpy (msg.data (), "NULL", 5);
memcpy (msg.data (), "NULL", 4);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
}
......
src/options.cpp
View file @ ccf0e61b
......@@ -285,6 +285,13 @@ int zmq::options_t::setsockopt (int option_, const void *optval_,
}
break;
case ZMQ_ZAP_DOMAIN:
if (optvallen_ >= 0 && optvallen_ < 256) {
zap_domain.assign ((const char *) optval_, optvallen_);
return 0;
}
break;
// If libsodium isn't installed, these options provoke EINVAL
# ifdef HAVE_LIBSODIUM
case ZMQ_CURVE_SERVER:
......@@ -560,6 +567,14 @@ int zmq::options_t::getsockopt (int option_, void *optval_, size_t *optvallen_)
}
break;
case ZMQ_ZAP_DOMAIN:
if (*optvallen_ >= zap_domain.size () + 1) {
memcpy (optval_, zap_domain.c_str (), zap_domain.size () + 1);
*optvallen_ = zap_domain.size () + 1;
return 0;
}
break;
// If libsodium isn't installed, these options provoke EINVAL
# ifdef HAVE_LIBSODIUM
case ZMQ_CURVE_SERVER:
......
src/options.hpp
View file @ ccf0e61b
......@@ -123,6 +123,9 @@ namespace zmq
// If peer is acting as server for PLAIN or CURVE mechanisms
int as_server;
// ZAP authentication domain
std::string zap_domain;
// Security credentials for PLAIN mechanism
std::string plain_username;
std::string plain_password;
......
src/plain_mechanism.cpp
View file @ ccf0e61b
......@@ -368,8 +368,9 @@ void zmq::plain_mechanism_t::send_zap_request (const std::string &username,
errno_assert (rc == 0);
// Domain frame
rc = msg.init ();
rc = msg.init_size (options.zap_domain.length ());
errno_assert (rc == 0);
memcpy (msg.data (), options.zap_domain.c_str (), options.zap_domain.length ());
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
errno_assert (rc == 0);
......@@ -384,7 +385,7 @@ void zmq::plain_mechanism_t::send_zap_request (const std::string &username,
// Identity frame
rc = msg.init_size (options.identity_size);
errno_assert(rc == 0);
errno_assert (rc == 0);
memcpy (msg.data (), options.identity, options.identity_size);
msg.set_flags (msg_t::more);
rc = session->write_zap_msg (&msg);
......
tests/test_security_curve.cpp
View file @ ccf0e61b
......@@ -49,6 +49,8 @@ static void zap_handler (void *ctx)
char *address = s_recv (zap);
char *identity = s_recv (zap);
char *mechanism = s_recv (zap);
printf ("CURVE domain=%s address=%s identity=%s mechanism=%s\n",
domain, address, identity, mechanism);
uint8_t client_key [32];
int size = zmq_recv (zap, client_key, 32, 0);
assert (size == 32);
......
tests/test_security_null.cpp
View file @ ccf0e61b
......@@ -43,12 +43,11 @@ zap_handler (void *ctx)
char *identity = s_recv (zap);
char *mechanism = s_recv (zap);
printf ("domain=%s address=%s identity=%s mechanism=%s\n",
domain, address, identity, mechanism);
assert (streq (version, "1.0"));
assert (streq (mechanism, "NULL"));
// TODO: null_mechanism.cpp issues ZAP requests for connections other
// than the expected one. In these cases identity is not set, and the
// test fails. We'd expect one ZAP request per real client connection.
// assert (streq (identity, "IDENT"));
assert (streq (identity, "IDENT"));
s_sendmore (zap, version);
s_sendmore (zap, sequence);
......@@ -82,6 +81,8 @@ int main (void)
assert (server);
int rc = zmq_setsockopt (server, ZMQ_IDENTITY, "IDENT", 6);
assert (rc == 0);
rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "TEST", 4);
assert (rc == 0);
rc = zmq_bind (server, "tcp://*:9999");
assert (rc == 0);
......
tests/test_security_plain.cpp
View file @ ccf0e61b
......@@ -43,6 +43,8 @@ zap_handler (void *ctx)
char *mechanism = s_recv (zap);
char *username = s_recv (zap);
char *password = s_recv (zap);
printf ("PLAIN domain=%s address=%s identity=%s mechanism=%s\n",
domain, address, identity, mechanism);
assert (streq (version, "1.0"));
assert (streq (mechanism, "PLAIN"));
......
tools/curve_keygen.c
View file @ ccf0e61b
......@@ -3,15 +3,12 @@
This file is part of 0MQ.
This tool generates a keypair for the libzmq CURVE security mechanism,
and encodes the keypair to give two printable strings that you can use
in configuration files or source code. The encoding uses Z85, which is
a base-85 format that is described in 0MQ RFC 32, and which has an
implementation in the Z85.c source used by this tool. The keypair
This tool generates a CurveZMQ keypair, as two printable strings you can
use in configuration files or source code. The encoding uses Z85, which
is a base-85 format that is described in 0MQ RFC 32, and which has an
implementation in the z85_codec.h source used by this tool. The keypair
always works with the secret key held by one party and the public key
distributed (securely!) to peers wishing to connect to it. CURVE is
defined by http://rfc.zeromq.org/spec:25. Z85 is defined by
http://rfc.zeromq.org/spec:32.
distributed (securely!) to peers wishing to connect to it.
0MQ is free software; you can redistribute it and/or modify it under
the terms of the GNU Lesser General Public License as published by
......@@ -40,15 +37,12 @@ int main (void)
# error "libsodium not built correctly"
# endif
puts ("This tool generates a keypair for the libzmq CURVE security mechanism,");
puts ("and encodes the keypair to give two printable strings that you can use");
puts ("in configuration files or source code. The encoding uses Z85, which is");
puts ("a base-85 format that is described in 0MQ RFC 32, and which has an");
puts ("implementation in the Z85.c source used by this tool. The keypair");
puts ("This tool generates a CurveZMQ keypair, as two printable strings you can");
puts ("use in configuration files or source code. The encoding uses Z85, which");
puts ("is a base-85 format that is described in 0MQ RFC 32, and which has an");
puts ("implementation in the z85_codec.h source used by this tool. The keypair");
puts ("always works with the secret key held by one party and the public key");
puts ("distributed (securely!) to peers wishing to connect to it. CURVE is");
puts ("defined by http://rfc.zeromq.org/spec:25. Z85 is defined by");
puts ("http://rfc.zeromq.org/spec:32.");
puts ("distributed (securely!) to peers wishing to connect to it.");
uint8_t public_key [32];
uint8_t secret_key [32];
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment