[zeromq-dev] Authentication with CURVE doesn't fail

Goswin von Brederlow goswin-v-b at web.de
Mon Jan 13 15:01:38 CET 2014


Hi,

I'm started playing around with the CURVE examples posted on [1] but
in python and everything looked promising. But when I implemented
something myself I run into some problems:

I first start a ZAP class as a seperate thread to handle
authentication and create the server socket and bind it. Next I create
a client class (again as thread), which creates its socket, and a
monitor class (and again a thread) that monitors the client socket. I
start the monitor and then the client threads, which then connects and
waits for a message. Last I have the server send out "Hello".

If the ZAP server authenticates the connection the following happens:
----------------------------------------------------------------------
% python3 test.py
server keys:
 b'/L-mKOF=(8^?hIeKfv4FAv7N2dfj!t%4%c2H8}(K'
 b'8Ya*P00E0NP[x*4rGf=WXp2tXF^{p!Bh@}=}abG('
Zap.run()
client keys:
 b'4e33!IOc>APPz74^y<X at t{yPiu-UCB[o+uUJw&Cc'
 b'&bQIT?.O]{D:=6lNjjK6.&YqKB5QuVsJ[1=I2XdR'
Monitor.run()
Client.run()
sending 'b'Hello''
monitor recieved EVENT_CONNECT_DELAYED:115 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECTED:15 from b'tcp://127.0.0.1:9000'
Zap request:
  version     = b'1.0'
  req_id      = b'1'
  domain      = b''
  address     = b'127.0.0.1'
  identity    = b''
  mechanism   = b'CURVE'
  credentials = ['4e33!IOc>APPz74^y<X at t{yPiu-UCB[o+uUJw&Cc']
client recieved 'b'Hello''
client done
closing server
zap done
monitor done
context terminated
----------------------------------------------------------------------

So far so good. But what happens when the ZAP server rejects the
client? I've changed the code so the ZAP server replies with a 400
"login failure":
----------------------------------------------------------------------
% python3 test.py
server keys:
 b'T#@vjjSBy&66a^Rs^c]oa&QS.h6$T#yBTr*qSL8O'
 b'E]w#Htgb0/RJ/&rIGQA^I[wjd1=R&mvLaFjRC7:j'
Zap.run()
client keys:
 b'/{ug}{Z(3Zy2P*n}64s#N[n at C&?VgqJ$]ndOYQaS'
 b'h+s:7w0TROh*)Bw9AhE3aDb*aX>JnuvY{]aZ==WL'
Monitor.run()
Client.run()
sending 'b'Hello''
monitor recieved EVENT_CONNECT_DELAYED:115 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECTED:15 from b'tcp://127.0.0.1:9000'
Zap request:
  version     = b'1.0'
  req_id      = b'1'
  domain      = b''
  address     = b'127.0.0.1'
  identity    = b''
  mechanism   = b'CURVE'
  credentials = ['/{ug}{Z(3Zy2P*n}64s#N[n at C&?VgqJ$]ndOYQaS']
monitor recieved DISCONNECTED:15 from b'tcp://127.0.0.1:9000'
monitor recieved CONNECT_RETRIED:125 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECT_DELAYED:115 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECTED:15 from b'tcp://127.0.0.1:9000'
Zap request:
  version     = b'1.0'
  req_id      = b'1'
  domain      = b''
  address     = b'127.0.0.1'
  identity    = b''
  mechanism   = b'CURVE'
  credentials = ['/{ug}{Z(3Zy2P*n}64s#N[n at C&?VgqJ$]ndOYQaS']
monitor recieved DISCONNECTED:15 from b'tcp://127.0.0.1:9000'
monitor recieved CONNECT_RETRIED:141 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECT_DELAYED:115 from b'tcp://127.0.0.1:9000'
monitor recieved EVENT_CONNECTED:15 from b'tcp://127.0.0.1:9000'
Zap request:
  version     = b'1.0'
  req_id      = b'1'
  domain      = b''
  address     = b'127.0.0.1'
  identity    = b''
  mechanism   = b'CURVE'
  credentials = ['/{ug}{Z(3Zy2P*n}64s#N[n at C&?VgqJ$]ndOYQaS']
monitor recieved DISCONNECTED:15 from b'tcp://127.0.0.1:9000'
...
----------------------------------------------------------------------

It looks like the result of ZAP rejecting a client is that the sockets
gets closed. And then zmq will just reconnect. Over and over and over
and over.

So here are my problems:

1) How does the client detect a login failure (as opposed to an
   unreachable, unresponsive, crashing server?

2) How do I get at the status text from the ZAP reply in the client?

3) Why does ZMQ reconnect on a 400 status code at all? It should mark
   the connection as bad and fail all further send/recv attempts.

4) The example from the wiki used PUSH/PULL from server to client and
   that is what I started from. But what if the server has a PULL or REP
   socket and gets messages from clients. How do I get at the credetials
   from the ZAP request or user_id or metadata fields from the ZAP reply
   on the server?

   This is probably a duplicate of [2] but that doesn't have a
   solution yet.


I think there could be an ZMQ_EVENT_SERVER_AUTH_SUCCESS/FAILED and
ZMQ_EVENT_CLIENT_AUTH_SUCCESS/FAILED events for the monitoring socket.

The server auth events would come in 9 frames, unlike previous events:

Frame 1: event_id + value
Frame 2: address string
Frame 3: client routing_id
Frame 4-9: ZAP reply

The client auth events would come as 4 frames:
Frame 1: event_id + value
Frame 2: address string
Frame 3: status code
Frame 4: status text

How does that sound?

The reason I suggest seperate SUCCESS/FAILED events is that simple
server will only want to know about success and clients generally will
only want to know about failure.

MfG
	Goswin

[1] http://hintjens.com/blog:49
[2] http://lists.zeromq.org/pipermail/zeromq-dev/2014-January/024434.html



More information about the zeromq-dev mailing list