diff --git a/include/bitcoin/protocol/zmq/authenticator.hpp b/include/bitcoin/protocol/zmq/authenticator.hpp index e5cbf905..45dba260 100644 --- a/include/bitcoin/protocol/zmq/authenticator.hpp +++ b/include/bitcoin/protocol/zmq/authenticator.hpp @@ -62,9 +62,10 @@ class BCP_API authenticator /// Stop the router (optional). virtual bool stop(); - // This must be called on the socket thread. + /// This must be called on the socket thread, empty domain allowed. + /// Set secure false to enable NULL mechanism, otherwise curve is required. + /// By not applying this method authentication is bypassed altogether. /// Apply authentication to the socket for the given arbitrary domain. - /// Set secure false to enable null security, otherwise curve is required. virtual bool apply(socket& socket, const std::string& domain, bool secure); /// Set the server private key (required for curve security). diff --git a/include/bitcoin/protocol/zmq/socket.hpp b/include/bitcoin/protocol/zmq/socket.hpp index baee37e4..d33ab787 100644 --- a/include/bitcoin/protocol/zmq/socket.hpp +++ b/include/bitcoin/protocol/zmq/socket.hpp @@ -33,6 +33,7 @@ namespace protocol { namespace zmq { class message; +class authenticator; /// This class is thread safe except as noted. /// Because the socket is only set on construct, sockets are not restartable. @@ -60,8 +61,10 @@ class BCP_API socket /// A shared socket pointer. typedef std::shared_ptr ptr; - /// Construct a socket. + /// Construct a socket from an existing zeromq socket. socket(void* zmq_socket); + + /// Construct a socket of the given context and role. socket(context& context, role socket_role); /// This class is not copyable. diff --git a/src/zmq/authenticator.cpp b/src/zmq/authenticator.cpp index 9a1af4ef..e2a4fca8 100644 --- a/src/zmq/authenticator.cpp +++ b/src/zmq/authenticator.cpp @@ -229,18 +229,17 @@ void authenticator::work() } // This must be called on the socket thread. +// Addresses and client keys may be updated after this is applied. +// The configuration at the time of this call determines the mode of security. bool authenticator::apply(socket& socket, const std::string& domain, bool secure) { - // ZAP authentication will not occur with an empty domain. - if (domain.empty() || !socket.set_authentication_domain(domain)) - return false; - /////////////////////////////////////////////////////////////////////////// // Critical Section mutex_.lock_shared(); const auto private_key = private_key_; const auto have_public_keys = !keys_.empty(); + const auto require_address = require_address_; mutex_.unlock_shared(); /////////////////////////////////////////////////////////////////////////// @@ -250,15 +249,23 @@ bool authenticator::apply(socket& socket, const std::string& domain, if (!secure) { - // This persists after a socket closes so don't reuse domain names. - weak_domains_.emplace(domain); + if (require_address) + { + // These persist after a socket closes so don't reuse domain names. + weak_domains_.emplace(domain); + return socket.set_authentication_domain(domain); + } + + // There are no address or curve rules to apply so bypass ZAP. return true; } if (private_key) { - return socket.set_private_key(private_key) && - socket.set_curve_server(); + return + socket.set_private_key(private_key) && + socket.set_curve_server() && + socket.set_authentication_domain(domain); } // We do not have a private key to set so we cannot set secure. diff --git a/src/zmq/socket.cpp b/src/zmq/socket.cpp index 9a04c6ce..489b7ea7 100644 --- a/src/zmq/socket.cpp +++ b/src/zmq/socket.cpp @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include