Building ZeroMQ with encryption support

Overview

The ZeroMQ library uses a slightly modified CURVE protocol to secure your messages against manipulation and eavesdropping.

See https://curvecp.org/ and http://hintjens.com/blog:48 for detailed background.

Building ZeroMQ with encryption support

The code in ZeroMQ implementing the CURVE protocol uses crypto primitives from the NaCl library; see https://nacl.cr.yp.to/ for detailed background.

However, ZeroMQ does not currently use NaCl itself. The reason is that NaCl's build system assumes that the machine building the code will also be the machine running it. NaCl aims for maximal performance at the cost of portability of the binary code.

Luckily, there exist two libraries, libsodium and tweetnacl, providing an API compatible with NaCl (at least for the subset ZeroMQ uses).

ZeroMQ supports building with either of these two libraries. By default it will use tweetnacl; a copy of the required sources is embedded in the git repo.

If you enable libsodium, the embedded files will not be used; instead, the resulting ZeroMQ library will be linked against the shared libsodium library.
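One way to confirm which variant a finished Linux build is, as an added example that is not part of the ZeroMQ sources. It assumes an ELF library inspected with binutils `objdump -p` (or `readelf -d`); the function names are hypothetical and the sample dynamic-section lines are constructed.

```shell
#!/bin/sh
# Added example, not ZeroMQ project code. Function names are hypothetical.
# Decides from an ELF dynamic section whether a libzmq build depends on the
# shared libsodium library or carries its crypto code inside libzmq itself.

# Constructed samples of the NEEDED lines printed by `objdump -p libzmq.so`.
SAMPLE_SODIUM='  NEEDED               libsodium.so.23
  NEEDED               libstdc++.so.6
  NEEDED               libc.so.6'
SAMPLE_EMBEDDED='  NEEDED               libstdc++.so.6
  NEEDED               libc.so.6'

# Reads `objdump -p` or `readelf -d` text on stdin.
# Prints each libsodium soname found; returns non-zero if there is none.
# Only NEEDED entries count, so a RUNPATH that merely mentions a libsodium
# directory is not mistaken for a dependency.
sodium_needed() {
    grep 'NEEDED' | grep -Eo 'libsodium\.so[.0-9]*' | sort -u | grep .
}

# Reads the same text on stdin and prints a one-line verdict.
classify() {
    if soname=$(sodium_needed); then
        # Crypto fixes arrive by updating the libsodium package alone.
        echo "shared:$soname"
    else
        # Embedded tweetnacl (or no CURVE at all): patching means a new libzmq.
        echo "embedded-or-none"
    fi
}

# classify_libzmq <path>: run the check against a real library on disk.
classify_libzmq() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    objdump -p "$1" | classify
}
```

Call `classify_libzmq` with the path of the installed libzmq shared object; the path depends on your install prefix.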

Choosing between libsodium and tweetnacl

So now you have the choice between two implementations. Here is a recommendation on how to choose, based on a single criterion:

If you plan to distribute your code in binary form: Use libsodium.

Motivation: It is easier to provide security updates if the security library is separated from other libraries.

The embedded copy of tweetnacl is provided to support minimum-hassle prototyping and to provide security by default if you build from source.

How to enable building with libsodium

autoconf

  • add the --with-libsodium switch to the configure script

cmake

  • add the -DWITH_LIBSODIUM=ON switch to the cmake call.

builds/msvc/configure.bat

  • Place libsodium at this location ..\..\..\libsodium and run configure.bat

others