refactor tsig rcode enum
Litr0 committed Jul 25, 2024
1 parent e363f8a commit c92bf4c
Showing 2 changed files with 23 additions and 32 deletions.
48 changes: 19 additions & 29 deletions src/tsig.rs
@@ -1,6 +1,5 @@
pub mod tsig_algorithm;

use std::fmt::Debug;
use crypto::mac::MacResult;
use crate::domain_name::DomainName;
use std::time::SystemTime;
Expand All @@ -13,18 +12,9 @@ use crypto::hmac::Hmac as crypto_hmac;
use crypto::mac::Mac as crypto_mac;
use crypto::{sha1::Sha1,sha2::Sha256};
use tsig_algorithm::TsigAlgorithm;
use crate::message::rcode::Rcode;


#[derive(PartialEq)]
#[derive(Debug)]
pub enum TsigErrorCode{
NOERR = 0,
FORMERR = 1,
BADSIG = 16,
BADKEY = 17,
BADTIME = 18,

}
//TODO: Encontrar alguna manera de pasar una referencia Digest u Hmac de un algoritmo no especificado
// función auxiliar para evitar la redundancia de código en sign_tsig
fn set_tsig_rd(name: String, original_id: u16, result: MacResult,
Expand Down Expand Up @@ -270,22 +260,22 @@ fn check_last_one_is_tsig(add_rec: &Vec<ResourceRecord>) -> bool {

#[doc = r"This function process a tsig message, checking for errors in the DNS message"]
pub fn process_tsig(msg: &DnsMessage, key:&[u8], key_name: String, time: u64,
available_algorithm: Vec<(String, bool)>, mac_to_process: Vec<u8>) -> (bool, TsigErrorCode) {
available_algorithm: Vec<(String, bool)>, mac_to_process: Vec<u8>) -> (bool, Rcode) {
let mut retmsg = msg.clone();
let mut addit = retmsg.get_additional();
//RFC 8945 5.2 y 5.4
//verificar que existen los resource records que corresponden a tsig
//vector con resource records que son TSIG. Luego se Verifica si hay algún tsig rr
if check_exists_tsig_rr(&addit) {
println!("RCODE 1: FORMERR");
return (false, TsigErrorCode::FORMERR);
return (false, Rcode::FORMERR);
}

//Debe haber un único tsig
//Tsig RR debe ser el último en la sección adicional, y debe ser único
if check_last_one_is_tsig(&addit) {
println!("RCODE 1: FORMERR");
return (false, TsigErrorCode::FORMERR);
return (false, Rcode::FORMERR);
}

//sacar el último elemento del vector resource record, y disminuir elvalor de ARCOUNT
Expand All @@ -308,14 +298,14 @@ pub fn process_tsig(msg: &DnsMessage, key:&[u8], key_name: String, time: u64,
let flag = check_alg_name(&name_alg, available_algorithm);
if !flag {
println!("RCODE 9: NOAUTH\n TSIG ERROR 17: BADKEY");
return (false, TsigErrorCode::BADKEY);
return (false, Rcode::BADKEY);
}

let cond1 = check_key(key_in_rr.clone(), key_name.clone());
if !cond1 {
println!("RCODE 9: NOAUTH\n TSIG ERROR 17: BADKEY");
println!("key in rr: {:?} key given {:?}", key_in_rr, key_name);
return (false, TsigErrorCode::BADKEY);
return (false, Rcode::BADKEY);
}

//RFC 8945 5.2.2
Expand Down Expand Up @@ -346,20 +336,20 @@ pub fn process_tsig(msg: &DnsMessage, key:&[u8], key_name: String, time: u64,

if !cond2 {
println!("RCODE 9: NOAUTH\n TSIG ERROR 16: BADSIG");
return (false, TsigErrorCode::BADSIG)
return (false, Rcode::BADSIG)
}
//let mytime = SystemTime::now().duration_since(UNIX_EPOCH).expect("no debería fallar el tiempo");
let cond3 = check_time_values(time, fudge, time_signed);
if !cond3 {
println!("RCODE 9: NOAUTH\n TSIG ERROR 18: BADTIME");
return (false, TsigErrorCode::BADTIME)
return (false, Rcode::BADTIME)
}
(true, TsigErrorCode::NOERR)
(true, Rcode::NOERROR)

}

pub fn immediate_process_tsig(msg: &DnsMessage, key:&[u8], key_name: String,
available_algorithm: Vec<(String, bool)>, mac_to_process: Vec<u8>) -> (bool, TsigErrorCode) {
available_algorithm: Vec<(String, bool)>, mac_to_process: Vec<u8>) -> (bool, Rcode) {

let time = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
process_tsig(msg, key, key_name, time, available_algorithm, mac_to_process)
Expand Down Expand Up @@ -404,7 +394,7 @@ mod tsig_test {
lista.push((String::from("hmac-sha256"),true));
let (answer, error) = process_tsig(& response, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error,TsigErrorCode::FORMERR);
assert_eq!(error,Rcode::FORMERR);
}

#[test]
Expand All @@ -429,7 +419,7 @@ mod tsig_test {
assert!(control_answer);
let (answer, error) = process_tsig(& response_capture, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error, TsigErrorCode::FORMERR);
assert_eq!(error, Rcode::FORMERR);
}

// verificar que no se haya añadido otro resource record en el additionals luego de añadir un tsig_rr
Expand Down Expand Up @@ -459,7 +449,7 @@ mod tsig_test {
lista.push((String::from("hmac-sha256"),true));
let (answer, error) = process_tsig(& response_capture, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error, TsigErrorCode::FORMERR);
assert_eq!(error, Rcode::FORMERR);
}
#[test]
fn check_process_tsig_alg_name() {
Expand All @@ -479,7 +469,7 @@ mod tsig_test {
lista.push((String::from("hmac-sha1"),true));
let (answer, error) = process_tsig(& response_capture, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error,TsigErrorCode::BADKEY);
assert_eq!(error,Rcode::BADKEY);
}
#[test]
fn check_process_tsig_alg_name2() {
Expand All @@ -499,7 +489,7 @@ mod tsig_test {
lista.push((String::from("hmac-sha256"),false));
let (answer, error) = process_tsig(& response_capture, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error,TsigErrorCode::BADKEY);
assert_eq!(error,Rcode::BADKEY);
}
#[test]
fn check_process_tsig_key(){
Expand All @@ -519,7 +509,7 @@ mod tsig_test {
lista.push((String::from("hmac-sha256"),false));
let (answer, error) = process_tsig(& response_capture, server_key, key_name, 21010, lista, vec![]);
assert!(!answer);
assert_eq!(error,TsigErrorCode::BADKEY);
assert_eq!(error,Rcode::BADKEY);
}
//TODO: completar este test, hay cosas que faltan por implementar
#[test]
Expand All @@ -540,7 +530,7 @@ mod tsig_test {
let key_name = "".to_string();
let key2 = b"12345678909";
let (_, error) = process_tsig(&mut msg1, key2, key_name, time_signed,lista, vec![]);
assert_eq!(error,TsigErrorCode::BADSIG);
assert_eq!(error,Rcode::BADSIG);
}
#[test]
fn check_proces_tsig_badtime(){
Expand All @@ -561,7 +551,7 @@ mod tsig_test {
let (answer, error) = process_tsig(& response_capture, server_key, key_name,
22010, lista, vec![]);
assert!(!answer);
assert_eq!(error,TsigErrorCode::BADTIME);
assert_eq!(error,Rcode::BADTIME);
}
#[test]
fn check_process_tsig() {
Expand All @@ -581,7 +571,7 @@ mod tsig_test {
let (answer, error) = process_tsig(& response_capture, server_key, key_name,
21010, lista, vec![]);
assert!(answer);
assert_eq!(error,TsigErrorCode::NOERR);
assert_eq!(error,Rcode::NOERROR);
}
//Unitary test to verify that the signer function is working properly
#[test]
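Review bot: The new signature at line 48 returns TSIG-level error codes (`Rcode::BADSIG`, `Rcode::BADKEY`, `Rcode::BADTIME`, values 16–18 in the enum this commit deletes) through the same `Rcode` type that presumably also names the 4-bit message-header RCODE, while the println! lines kept in the same hunks still distinguish `RCODE 9: NOAUTH` from `TSIG ERROR 17: BADKEY`; nothing in the changed code says which of the two the second tuple element is. A caller that copies that value into the header RCODE field cannot represent anything above 15 and would silently mis-encode the response, so the contract should be stated on the function, replacing the bare `#[doc = r"..."]` line with something like `/// Returns (ok, code). code is the TSIG extended error for the TSIG RR's Error field (BADSIG/BADKEY/BADTIME); on those failures the header RCODE must be NOTAUTH (RFC 8945 5.2), never the extended value itself.` The same point applies to `immediate_process_tsig` at line 107, which forwards the tuple unchanged. The body of `process_tsig` is split across several collapsed regions in this section, so the checks between the hunks were not reviewed.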
7 changes: 4 additions & 3 deletions tests/tsig_integration_tests.rs
@@ -1,6 +1,7 @@
use std::{collections::HashMap, net:: UdpSocket, thread, time::Duration};
use dns_rust::{domain_name::DomainName, message::{rdata::{tsig_rdata::TSigRdata, Rdata}, rrtype::Rrtype, DnsMessage},tsig::{process_tsig, sign_tsig, TsigErrorCode}};
use dns_rust::{domain_name::DomainName, message::{rdata::{tsig_rdata::TSigRdata, Rdata}, rrtype::Rrtype, DnsMessage},tsig::{process_tsig, sign_tsig}};
use dns_rust::tsig::tsig_algorithm::TsigAlgorithm;
use dns_rust::message::rcode::Rcode;
use dns_rust::message::rclass::Rclass;


Expand Down Expand Up @@ -119,7 +120,7 @@ async fn tsig_signature() {
sign_tsig(&mut data, key_found,TsigAlgorithm::from(alg_name),fudge,time, key_name, mac);
let response = &DnsMessage::to_bytes(&data);
//se verifica que la request haya pasado proces_tsig
assert_eq!(error,TsigErrorCode::NOERR);
assert_eq!(error,Rcode::NOERROR);

// se envia la respuesta si lo anterior resultó ser correcto
udp_socket
Expand Down Expand Up @@ -166,7 +167,7 @@ async fn tsig_signature() {
let (answer, error ) = process_tsig(&data, key, name.to_string(), time_signed, a_algs, mac);
// se verifica que el mensaje haya pasado process_tsig
assert!(answer);
assert_eq!(error,TsigErrorCode::NOERR);
assert_eq!(error,Rcode::NOERROR);
}
Err(e) => {
eprintln!("Error receiving data: {}", e);
