apfsds-protocol 0.4.0

Wire protocol and frame definitions for APFSDS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

//! Frame validation utilities

use crate::frame::{ArchivedProxyFrame, ProxyFrame};
use thiserror::Error;

/// Validation errors
#[derive(Error, Debug)]
pub enum ValidationError {
    #[error("Duplicate frame UUID detected")]
    DuplicateUuid,

    #[error("Checksum mismatch: expected {expected}, got {actual}")]
    ChecksumMismatch { expected: u32, actual: u32 },

    #[error("Timestamp out of range: {0}ms drift")]
    TimestampOutOfRange(i64),

    #[error("Invalid connection ID")]
    InvalidConnId,

    #[error("Payload too large: {size} bytes (max: {max})")]
    PayloadTooLarge { size: usize, max: usize },
}

/// Maximum allowed payload size (64KB)
pub const MAX_PAYLOAD_SIZE: usize = 65536;

/// Maximum allowed timestamp drift (30 seconds)
pub const MAX_TIMESTAMP_DRIFT_MS: i64 = 30_000;

/// Validate a ProxyFrame
pub fn validate_frame(frame: &ProxyFrame, current_time_ms: u64) -> Result<(), ValidationError> {
    // Check payload size
    if frame.payload.len() > MAX_PAYLOAD_SIZE {
        return Err(ValidationError::PayloadTooLarge {
            size: frame.payload.len(),
            max: MAX_PAYLOAD_SIZE,
        });
    }

    // Verify checksum
    let computed = crc32fast::hash(&frame.payload);
    if computed != frame.checksum {
        return Err(ValidationError::ChecksumMismatch {
            expected: frame.checksum,
            actual: computed,
        });
    }

    // Check timestamp
    let drift = current_time_ms as i64 - frame.timestamp as i64;
    if drift.abs() > MAX_TIMESTAMP_DRIFT_MS {
        return Err(ValidationError::TimestampOutOfRange(drift));
    }

    Ok(())
}

/// Validate an archived frame (zero-copy)
pub fn validate_archived_frame(
    frame: &ArchivedProxyFrame,
    current_time_ms: u64,
) -> Result<(), ValidationError> {
    // Check payload size
    if frame.payload.len() > MAX_PAYLOAD_SIZE {
        return Err(ValidationError::PayloadTooLarge {
            size: frame.payload.len(),
            max: MAX_PAYLOAD_SIZE,
        });
    }

    // Verify checksum - convert from rkyv's archived type
    let frame_checksum: u32 = frame.checksum.to_native();
    let computed = crc32fast::hash(&frame.payload);
    if computed != frame_checksum {
        return Err(ValidationError::ChecksumMismatch {
            expected: frame_checksum,
            actual: computed,
        });
    }

    // Check timestamp - convert from rkyv's archived type
    let frame_timestamp: u64 = frame.timestamp.to_native();
    let drift = current_time_ms as i64 - frame_timestamp as i64;
    if drift.abs() > MAX_TIMESTAMP_DRIFT_MS {
        return Err(ValidationError::TimestampOutOfRange(drift));
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_valid_frame() {
        let frame = ProxyFrame::new_data(1, [0; 16], 443, vec![1, 2, 3]);
        let result = validate_frame(&frame, frame.timestamp);
        assert!(result.is_ok());
    }

    #[test]
    fn test_checksum_mismatch() {
        let mut frame = ProxyFrame::new_data(1, [0; 16], 443, vec![1, 2, 3]);
        frame.checksum = 0xDEADBEEF; // Wrong checksum

        let result = validate_frame(&frame, frame.timestamp);
        assert!(matches!(
            result,
            Err(ValidationError::ChecksumMismatch { .. })
        ));
    }

    #[test]
    fn test_timestamp_drift() {
        let frame = ProxyFrame::new_data(1, [0; 16], 443, vec![1, 2, 3]);
        let future_time = frame.timestamp + 60_000; // 60 seconds later

        let result = validate_frame(&frame, future_time);
        assert!(matches!(
            result,
            Err(ValidationError::TimestampOutOfRange(_))
        ));
    }

    #[test]
    fn test_payload_too_large() {
        let large_payload = vec![0u8; MAX_PAYLOAD_SIZE + 1];
        let frame = ProxyFrame::new_data(1, [0; 16], 443, large_payload);

        let result = validate_frame(&frame, frame.timestamp);
        assert!(matches!(
            result,
            Err(ValidationError::PayloadTooLarge { .. })
        ));
    }
}