go-zeromq · jhawk28 · May 22, 2025 · May 23, 2025 · May 23, 2025 · May 23, 2025
diff --git a/conn.go b/conn.go
@@ -5,7 +5,6 @@
 package zmq4
 
 import (
-	"bytes"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -28,15 +27,19 @@ type Conn struct {
 	Server bool
 	Meta   Metadata
 	Peer   struct {
-		Server bool
-		Meta   Metadata
+		Server   bool
+		Meta     Metadata
+		NonceIdx uint64
 	}
 
 	mu     sync.RWMutex
 	topics map[string]struct{} // set of subscribed topics
 
 	closed         int32
 	onCloseErrorCB func(c *Conn)
+
+	NonceIdx  uint64
+	SharedKey *[32]byte
 }
 
 func (c *Conn) Close() error {
@@ -61,6 +64,14 @@ func (c *Conn) Write(p []byte) (int, error) {
 	return n, err
 }
 
+func (c *Conn) LocalAddr() net.Addr {
+	return c.rw.LocalAddr()
+}
+
+func (c *Conn) RemoteAddr() net.Addr {
+	return c.rw.RemoteAddr()
+}
+
 // Open opens a ZMTP connection over rw with the given security, socket type and identity.
 // An optional onCloseErrorCB can be provided to inform the caller when this Conn is closed.
 // Open performs a complete ZMTP handshake.
@@ -169,7 +180,7 @@ func (c *Conn) SendCmd(name string, body []byte) error {
 	if err != nil {
 		return err
 	}
-	return c.send(true, buf, 0)
+	return c.send(true, buf, false)
 }
 
 // SendMsg sends a ZMTP message over the wire.
@@ -183,11 +194,11 @@ func (c *Conn) SendMsg(msg Msg) error {
 
 	nframes := len(msg.Frames)
 	for i, frame := range msg.Frames {
-		var flag byte
+		var more bool
 		if i < nframes-1 {
-			flag ^= hasMoreBitFlag
+			more = true
 		}
-		err := c.send(false, frame, flag)
+		err := c.send(false, frame, more)
 		if err != nil {
 			return fmt.Errorf("zmq4: error sending frame %d/%d: %w", i+1, nframes, err)
 		}
@@ -286,8 +297,18 @@ func (c *Conn) sendMulti(msg Msg) error {
 	nframes := len(msg.Frames)
 	for i, frame := range msg.Frames {
 		var flag byte
+		var more bool
 		if i < nframes-1 {
 			flag ^= hasMoreBitFlag
+			more = true
+		}
+
+		if sec, ok := c.sec.(SecurityEncryption); ok {
+			encrypt, err := sec.Encrypt(c, frame, more)
+			if err != nil {
+				return err
+			}
+			frame = encrypt
 		}
 
 		size := len(frame)
@@ -308,16 +329,7 @@ func (c *Conn) sendMulti(msg Msg) error {
 			hdr[1] = uint8(size)
 		}
 
-		switch c.sec.Type() {
-		case NullSecurity:
-			buffers = append(buffers, hdr[:hsz], frame)
-		default:
-			var secBuf bytes.Buffer
-			if _, err := c.sec.Encrypt(&secBuf, frame); err != nil {
-				return err
-			}
-			buffers = append(buffers, hdr[:hsz], secBuf.Bytes())
-		}
+		buffers = append(buffers, hdr[:hsz], frame)
 	}
 
 	if _, err := buffers.WriteTo(c.rw); err != nil {
@@ -328,7 +340,21 @@ func (c *Conn) sendMulti(msg Msg) error {
 	return nil
 }
 
-func (c *Conn) send(isCommand bool, body []byte, flag byte) error {
+func (c *Conn) send(isCommand bool, body []byte, more bool) error {
+	var flag byte
+
+	// commands should not be encrypted.
+	if sec, ok := c.sec.(SecurityEncryption); ok && !isCommand {
+		encrypt, err := sec.Encrypt(c, body, more)
+		if err != nil {
+			c.checkIO(err)
+			return err
+		}
+		body = encrypt
+	} else if more {
+		flag ^= hasMoreBitFlag
+	}
+
 	// Long flag
 	size := len(body)
 	isLong := size > 255
@@ -358,7 +384,7 @@ func (c *Conn) send(isCommand bool, body []byte, flag byte) error {
 		return err
 	}
 
-	if _, err := c.sec.Encrypt(c.rw, body); err != nil {
+	if _, err := c.rw.Write(body); err != nil {
 		c.checkIO(err)
 		return err
 	}
@@ -427,11 +453,16 @@ func (c *Conn) read() Msg {
 			continue
 		}
 
-		buf := new(bytes.Buffer)
-		if _, msg.err = c.sec.Decrypt(buf, body); msg.err != nil {
-			return msg
+		if sec, ok := c.sec.(SecurityEncryption); ok && !isCmd {
+			decrypt, more, err := sec.Decrypt(c, body)
+			if err != nil {
+				msg.err = err
+				return msg
+			}
+			body = decrypt
+			hasMore = more
 		}
-		msg.Frames = append(msg.Frames, buf.Bytes())
+		msg.Frames = append(msg.Frames, body)
 	}
 	if isCmd {
 		msg.Type = CmdMsg

diff --git a/go.mod b/go.mod
@@ -1,10 +1,15 @@
 module github.com/go-zeromq/zmq4
 
-go 1.21
+go 1.23.0
+
+toolchain go1.24.2
 
 require (
 	github.com/go-zeromq/goczmq/v4 v4.2.2
 	go.uber.org/goleak v1.3.0
-	golang.org/x/sync v0.7.0
-	golang.org/x/text v0.15.0
+	golang.org/x/crypto v0.38.0
+	golang.org/x/sync v0.14.0
+	golang.org/x/text v0.25.0
 )
+
+require golang.org/x/sys v0.33.0 // indirect
diff --git a/go.sum b/go.sum
@@ -8,9 +8,13 @@ github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PK
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/security.go b/security.go
@@ -6,7 +6,6 @@ package zmq4
 
 import (
 	"fmt"
-	"io"
 )
 
 // Security is an interface for ZMTP security mechanisms
@@ -21,12 +20,14 @@ type Security interface {
 	//  https://rfc.zeromq.org/spec:24/ZMTP-PLAIN/
 	//  https://rfc.zeromq.org/spec:25/ZMTP-CURVE/
 	Handshake(conn *Conn, server bool) error
+}
 
+type SecurityEncryption interface {
 	// Encrypt writes the encrypted form of data to w.
-	Encrypt(w io.Writer, data []byte) (int, error)
+	Encrypt(conn *Conn, data []byte, more bool) ([]byte, error)
 
 	// Decrypt writes the decrypted form of data to w.
-	Decrypt(w io.Writer, data []byte) (int, error)
+	Decrypt(conn *Conn, data []byte) ([]byte, bool, error)
 }
 
 // SecurityType denotes types of ZMTP security mechanisms
@@ -90,16 +91,6 @@ func (nullSecurity) Handshake(conn *Conn, server bool) error {
 	return nil
 }
 
-// Encrypt writes the encrypted form of data to w.
-func (nullSecurity) Encrypt(w io.Writer, data []byte) (int, error) {
-	return w.Write(data)
-}
-
-// Decrypt writes the decrypted form of data to w.
-func (nullSecurity) Decrypt(w io.Writer, data []byte) (int, error) {
-	return w.Write(data)
-}
-
 var (
 	_ Security = (*nullSecurity)(nil)
 )