Add CurveAllowedClients: server-side CURVE client public key whitelist#1156
Draft
drewnoakes with Copilot wants to merge 5 commits into
Draft
Add CurveAllowedClients: server-side CURVE client public key whitelist#1156drewnoakes with Copilot wants to merge 5 commits into
drewnoakes with Copilot wants to merge 5 commits into
Conversation
…ey whitelist Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838 Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
… ToArray() allocation Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838 Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
…non-empty Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/f166bdbe-9fb4-4148-ad85-7eb065157838 Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add logging for client public keys presented to server
Add CurveAllowedClients: server-side CURVE client public key whitelist
May 1, 2026
drewnoakes
reviewed
May 2, 2026
Comment on lines
+365
to
+369
| /// <summary> | ||
| /// The set of allowed client public keys for a CURVE server socket. | ||
| /// When non-empty, only clients whose long-term public key is present in this set will be allowed to connect. | ||
| /// </summary> | ||
| CurveAllowedClients = 61 |
Member
There was a problem hiding this comment.
@copilot I don't think we can just add this here. These are standardised across ZeroMQ libraries.
Contributor
Author
There was a problem hiding this comment.
Good catch. CurveAllowedClients has been removed from ZmqSocketOption entirely. It is now a NetMQ-specific internal property on SocketBase (backed directly by m_options.CurveAllowedClients), and SocketOptions/ThreadSafeSocketOptions expose it by accessing that property directly without routing through the ZMQ option infrastructure. (commit 2f44dd2)
…SocketBase Agent-Logs-Url: https://github.com/zeromq/netmq/sessions/4c5608bd-8fa2-4db2-af6d-711ce7c90b0e Co-authored-by: drewnoakes <350947+drewnoakes@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CURVE server sockets had no built-in way to restrict which clients could connect based on their long-term public key, making it impossible to implement a client whitelist without an external ZAP handler.
Changes
Options—HashSet<byte[]> CurveAllowedClients(backed byByteArrayEqualityComparer)SocketBase— InternalCurveAllowedClientsproperty that exposesm_options.CurveAllowedClientsdirectly, without routing through the ZMQ socket option infrastructureCurveServerMechanism.ProcessInitiate()— After vouch verification, rejects the connection ifCurveAllowedClientsis non-empty and the client's long-term public key is absent. UsesSpan<byte>to stay zero-allocation when no whitelist is configured; allocatesbyte[]only for the HashSet lookup when neededSocketOptions/ThreadSafeSocketOptions— ExposesHashSet<byte[]> CurveAllowedClientsproperty, backed by theSocketBaseinternal propertyUsage
Clients whose long-term public key is not in the set are rejected during the CURVE handshake before any application messages are exchanged.