ceal 0.1.0

Opportunistic E-Mail Encryption - Stand-Alone Library and Extensions for Lettre
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

#[cfg(feature = "tokio")]
use hickory_resolver::net::runtime::TokioRuntimeProvider;
use hickory_resolver::{
	proto::{
		op::Query,
		rr::{Name, Record, RecordType}
	},
	recursor::{DnssecConfig, DnssecPolicy, Recursor, RecursorError, RecursorOptions}
};
use log::{debug, error};
use openssl::sha::sha256;
use std::{sync::LazyLock, time::Instant};

#[cfg(feature = "tokio")]
type DnsRuntimeProvider = TokioRuntimeProvider;

static DNS_CLIENT: LazyLock<Recursor<DnsRuntimeProvider>> = LazyLock::new(|| {
	// https://www.iana.org/domains/root/servers
	let roots = [
		// a.root-servers.net
		"2001:503:ba3e::2:30".parse().unwrap(),
		"198.41.0.4".parse().unwrap(),
		// b.root-servers.net
		"2801:1b8:10::b".parse().unwrap(),
		"170.247.170.2".parse().unwrap(),
		// c.root-servers.net
		"2001:500:2::c".parse().unwrap(),
		"192.33.4.12".parse().unwrap(),
		// d.root-servers.net
		"2001:500:2d::d".parse().unwrap(),
		"199.7.91.13".parse().unwrap(),
		// e.root-servers.net belongs to NASA and thus US Gov
		// f.root-servers.net
		"2001:500:2f::f".parse().unwrap(),
		"192.5.5.241".parse().unwrap(),
		// g.root-servers.net belongs to US Gov
		// h.root-servers.net belongs to US Gov
		// i.root-servers.net
		"2001:7fe::53".parse().unwrap(),
		"192.36.148.17".parse().unwrap(),
		// j.root-servers.net
		"2001:503:c27::2:30".parse().unwrap(),
		"192.58.128.30".parse().unwrap(),
		// k.root-servers.net
		"2001:7fd::1".parse().unwrap(),
		"193.0.14.129".parse().unwrap(),
		// l.root-servers.net
		"2001:500:9f::42".parse().unwrap(),
		"199.7.83.42".parse().unwrap(),
		// m.root-servers.net
		"2001:dc3::35".parse().unwrap(),
		"202.12.27.33".parse().unwrap()
	];
	Recursor::new(
		&roots,
		DnssecPolicy::ValidateWithStaticKey(DnssecConfig::default()),
		None,
		RecursorOptions::default(),
		DnsRuntimeProvider::new()
	)
	.expect("Failed to initialise DNS client")
});

/// Query a DNS record and filter-map the result to some bytes.
pub(crate) async fn query_record<F, T>(
	name: &Name,
	ty: RecordType,
	filter_map: F
) -> Result<Vec<T>, RecursorError>
where
	F: Fn(Record) -> Option<T>
{
	let query = Query::query(name.clone(), ty);
	debug!("Querying {ty} DNS record for {name}");
	let instant = Instant::now();
	let res = DNS_CLIENT.resolve(query, instant, true).await;
	let elapsed = instant.elapsed().as_secs_f32();
	match res {
		Ok(msg) => {
			debug!(
				"Received {} DNS records in {elapsed} seconds",
				msg.answers.len()
			);
			Ok(msg.answers.into_iter().filter_map(filter_map).collect())
		},
		Err(err) if err.is_no_records_found() || err.is_nx_domain() => {
			debug!("Received 0 DNS records in {elapsed} seconds");
			Ok(Vec::new())
		},
		Err(err) => {
			error!(
				"Error querying {ty} DNS record for {name} after {elapsed} seconds: {err}"
			);
			Err(err)
		}
	}
}

/// Compute the 224-byte truncated SHA-256 hash.
pub(crate) fn sha256_truncated(bytes: &[u8]) -> String {
	let hash = sha256(bytes);
	let hex = hash
		.into_iter()
		.take(28)
		.map(|byte| format!("{byte:02x}"))
		.collect::<Vec<_>>();
	hex.join("")
}

#[cfg(test)]
mod tests {
	use super::*;

	#[test]
	fn test_sha256_truncated() {
		assert_eq!(
			sha256_truncated(b"git"),
			"9a881b9b9f23849475296a8cd768ea1965bc3152df7118e60c145975"
		);
	}
}