Struct trust_dns_client::rr::dnssec::tsig::TSigner

pub struct TSigner(_);

This is supported on crate feature dnssec only.

Struct to pass to a client for it to authenticate requests using TSIG.

Implementations

impl TSigner

pub fn new(
    key: Vec<u8>,
    algorithm: TsigAlgorithm,
    signer_name: Name,
    fudge: u16
) -> ProtoResult<Self>

Create a new Tsigner from its parts

Arguments

• key - cryptographic key used to authenticate exchanges
• algorithm - algorithm used to authenticate exchanges
• signer_name - name of the key. Must match the name known to the server
• fudge - maximum difference between client and server time, in seconds, see fudge for details

pub fn key(&self) -> &[u8]

Return the key used for message authentication

pub fn algorithm(&self) -> &TsigAlgorithm

Return the algorithm used for message authentication

pub fn signer_name(&self) -> &Name

Name of the key used by this signer

pub fn fudge(&self) -> u16

Maximum time difference between client time when issuing a message, and server time when receiving it, in second. If time is out, the server will consider the request invalid. Longer values means more room for replay by an attacker. A few minutes are usually a good value.

pub fn sign(&self, tbs: &[u8]) -> ProtoResult<Vec<u8>>

Compute authentication tag for a buffer

pub fn sign_message(
    &self,
    message: &Message,
    pre_tsig: &TSIG
) -> ProtoResult<Vec<u8>>

Compute authentication tag for a message

pub fn verify(&self, tbv: &[u8], tag: &[u8]) -> ProtoResult<()>

Verify hmac in constant time to prevent timing attacks

pub fn verify_message_byte(
    &self,
    previous_hash: Option<&[u8]>,
    message: &[u8],
    first_message: bool
) -> ProtoResult<(Vec<u8>, Range<u64>, u64)>

Verify the message is correctly signed This does not perform time verification on its own, instead one should verify current time lie in returned Range

Arguments

• previous_hash - Hash of the last message received before this one, or of the query for the first message
• message - byte buffer containing current message
• first_message - is this the first response message

Returns

Return Ok(_) on valid signature. Inner tuple contain the following values, in order:

• a byte buffer containing the hash of this message. Need to be passed back when authenticating next message
• a Range of time that is acceptable
• the time the signature was emited. It must be greater or equal to the time of previous messages, if any

Trait Implementations

impl Clone for TSigner

fn clone(&self) -> TSigner

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl From<TSigner> for Signer

fn from(s: TSigner) -> Self

Converts to this type from the input type.

impl MessageFinalizer for TSigner

fn finalize_message(
    &self,
    message: &Message,
    current_time: u32
) -> ProtoResult<(Vec<Record>, Option<MessageVerifier>)>

The message taken in should be processed and then return Records which should be appended to the additional section of the message.

fn should_finalize_message(&self, message: &Message) -> bool

Return whether the message require futher processing before being sent By default, returns true for AXFR and IXFR queries, and Update and Notify messages