rustzmq2 0.1.0

A native async Rust implementation of ZeroMQ
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

//! Minimal SOCKS5 client. Supports NO-AUTH and username/password auth.
//!
//! Inline implementation (no external crate) to keep the dependency graph
//! unchanged. Generic over any stream implementing `futures::AsyncRead +
//! AsyncWrite`, so the same code handles both tokio and smol TCP streams
//! (tokio's stream is adapted via `tokio_util::compat` at the call site).

use futures::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
use std::io;

/// Perform the SOCKS5 handshake on an already-connected stream. Returns
/// `Ok(())` once the proxy has confirmed the CONNECT request; subsequent
/// I/O on the stream is tunnelled to the target.
pub(crate) async fn handshake<S>(
    stream: &mut S,
    target_host: &str,
    target_port: u16,
    credentials: Option<(&str, &str)>,
) -> io::Result<()>
where
    S: AsyncRead + AsyncWrite + Unpin,
{
    // ── Step 1: method negotiation ────────────────────────────────────────
    let methods: &[u8] = if credentials.is_some() {
        &[0x00, 0x02] // no-auth + user/pass
    } else {
        &[0x00] // no-auth only
    };
    let mut greeting = vec![0x05, methods.len() as u8];
    greeting.extend_from_slice(methods);
    stream.write_all(&greeting).await?;

    let mut sel = [0u8; 2];
    stream.read_exact(&mut sel).await?;
    if sel[0] != 0x05 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "SOCKS5: bad version from proxy",
        ));
    }
    match sel[1] {
        0x00 => {} // no auth
        0x02 => {
            let (user, pass) = credentials.ok_or_else(|| {
                io::Error::new(
                    io::ErrorKind::PermissionDenied,
                    "SOCKS5: proxy requires auth but none configured",
                )
            })?;
            auth_userpass(stream, user, pass).await?;
        }
        0xFF => {
            return Err(io::Error::new(
                io::ErrorKind::PermissionDenied,
                "SOCKS5: no acceptable auth method",
            ))
        }
        other => {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("SOCKS5: unsupported auth method {:#x}", other),
            ))
        }
    }

    // ── Step 2: CONNECT request ───────────────────────────────────────────
    let mut req = vec![0x05, 0x01, 0x00]; // VER, CMD=CONNECT, RSV
                                          // Prefer IPv4/IPv6 literal if target_host parses as one; otherwise use
                                          // DOMAINNAME address type and let the proxy resolve.
    if let Ok(ip) = target_host.parse::<std::net::IpAddr>() {
        match ip {
            std::net::IpAddr::V4(v4) => {
                req.push(0x01);
                req.extend_from_slice(&v4.octets());
            }
            std::net::IpAddr::V6(v6) => {
                req.push(0x04);
                req.extend_from_slice(&v6.octets());
            }
        }
    } else {
        if target_host.len() > 255 {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                "SOCKS5: domain name too long",
            ));
        }
        req.push(0x03);
        req.push(target_host.len() as u8);
        req.extend_from_slice(target_host.as_bytes());
    }
    req.extend_from_slice(&target_port.to_be_bytes());
    stream.write_all(&req).await?;

    // ── Step 3: reply ─────────────────────────────────────────────────────
    let mut hdr = [0u8; 4];
    stream.read_exact(&mut hdr).await?;
    if hdr[0] != 0x05 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "SOCKS5: bad reply version",
        ));
    }
    if hdr[1] != 0x00 {
        return Err(io::Error::other(format!(
            "SOCKS5: CONNECT failed (reply code {:#x})",
            hdr[1]
        )));
    }
    // Drain the bound-addr portion (ATYP + addr + port).
    match hdr[3] {
        0x01 => {
            let mut buf = [0u8; 4 + 2];
            stream.read_exact(&mut buf).await?;
        }
        0x04 => {
            let mut buf = [0u8; 16 + 2];
            stream.read_exact(&mut buf).await?;
        }
        0x03 => {
            let mut len = [0u8; 1];
            stream.read_exact(&mut len).await?;
            let mut buf = vec![0u8; len[0] as usize + 2];
            stream.read_exact(&mut buf).await?;
        }
        other => {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("SOCKS5: bad ATYP {:#x}", other),
            ))
        }
    }
    Ok(())
}

async fn auth_userpass<S>(stream: &mut S, user: &str, pass: &str) -> io::Result<()>
where
    S: AsyncRead + AsyncWrite + Unpin,
{
    if user.len() > 255 || pass.len() > 255 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "SOCKS5: credentials exceed 255 bytes",
        ));
    }
    let mut buf = vec![0x01, user.len() as u8];
    buf.extend_from_slice(user.as_bytes());
    buf.push(pass.len() as u8);
    buf.extend_from_slice(pass.as_bytes());
    stream.write_all(&buf).await?;

    let mut reply = [0u8; 2];
    stream.read_exact(&mut reply).await?;
    if reply[1] != 0x00 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "SOCKS5: username/password authentication failed",
        ));
    }
    Ok(())
}