summaryrefslogtreecommitdiffstats
path: root/dnscrypt.cc
diff options
context:
space:
mode:
Diffstat (limited to 'dnscrypt.cc')
-rw-r--r--dnscrypt.cc868
1 files changed, 868 insertions, 0 deletions
diff --git a/dnscrypt.cc b/dnscrypt.cc
new file mode 100644
index 0000000..74d9182
--- /dev/null
+++ b/dnscrypt.cc
@@ -0,0 +1,868 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "config.h"
+#ifdef HAVE_DNSCRYPT
+#include <fstream>
+#include "dolog.hh"
+#include "dnscrypt.hh"
+#include "dnswriter.hh"
+
+DNSCryptPrivateKey::DNSCryptPrivateKey()
+{
+ sodium_memzero(key, sizeof(key));
+ sodium_mlock(key, sizeof(key));
+}
+
+void DNSCryptPrivateKey::loadFromFile(const std::string& keyFile)
+{
+ ifstream file(keyFile);
+ sodium_memzero(key, sizeof(key));
+ file.read((char*) key, sizeof(key));
+
+ if (file.fail()) {
+ sodium_memzero(key, sizeof(key));
+ file.close();
+ throw std::runtime_error("Invalid DNSCrypt key file " + keyFile);
+ }
+
+ file.close();
+}
+
+void DNSCryptPrivateKey::saveToFile(const std::string& keyFile) const
+{
+ ofstream file(keyFile);
+ file.write(reinterpret_cast<const char*>(key), sizeof(key));
+ file.close();
+}
+
+DNSCryptPrivateKey::~DNSCryptPrivateKey()
+{
+ sodium_munlock(key, sizeof(key));
+}
+
+DNSCryptExchangeVersion DNSCryptQuery::getVersion() const
+{
+ if (d_pair == nullptr) {
+ throw std::runtime_error("Unable to determine the version of a DNSCrypt query if there is not associated cert");
+ }
+
+ return DNSCryptContext::getExchangeVersion(d_pair->cert);
+}
+
+#ifdef HAVE_CRYPTO_BOX_EASY_AFTERNM
+DNSCryptQuery::~DNSCryptQuery()
+{
+ if (d_sharedKeyComputed) {
+ sodium_munlock(d_sharedKey, sizeof(d_sharedKey));
+ }
+}
+
+int DNSCryptQuery::computeSharedKey()
+{
+ assert(d_pair != nullptr);
+
+ int res = 0;
+
+ if (d_sharedKeyComputed) {
+ return res;
+ }
+
+ const DNSCryptExchangeVersion version = DNSCryptContext::getExchangeVersion(d_pair->cert);
+
+ sodium_mlock(d_sharedKey, sizeof(d_sharedKey));
+
+ if (version == DNSCryptExchangeVersion::VERSION1) {
+ res = crypto_box_beforenm(d_sharedKey,
+ d_header.clientPK,
+ d_pair->privateKey.key);
+ }
+ else if (version == DNSCryptExchangeVersion::VERSION2) {
+#ifdef HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY
+ res = crypto_box_curve25519xchacha20poly1305_beforenm(d_sharedKey,
+ d_header.clientPK,
+ d_pair->privateKey.key);
+#else /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ res = -1;
+#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ }
+ else {
+ res = -1;
+ }
+
+ if (res != 0) {
+ sodium_munlock(d_sharedKey, sizeof(d_sharedKey));
+ return res;
+ }
+
+ d_sharedKeyComputed = true;
+ return res;
+}
+#else
+DNSCryptQuery::~DNSCryptQuery()
+{
+}
+#endif /* HAVE_CRYPTO_BOX_EASY_AFTERNM */
+
+
+DNSCryptContext::~DNSCryptContext() {
+}
+
+DNSCryptContext::DNSCryptContext(const std::string& pName, const std::vector<CertKeyPaths>& certKeys): d_certKeyPaths(certKeys), providerName(pName)
+{
+ reloadCertificates();
+}
+
+DNSCryptContext::DNSCryptContext(const std::string& pName, const DNSCryptCert& certificate, const DNSCryptPrivateKey& pKey): providerName(pName)
+{
+ addNewCertificate(certificate, pKey);
+}
+
+void DNSCryptContext::generateProviderKeys(unsigned char publicKey[DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE], unsigned char privateKey[DNSCRYPT_PROVIDER_PRIVATE_KEY_SIZE])
+{
+ int res = crypto_sign_ed25519_keypair(publicKey, privateKey);
+
+ if (res != 0) {
+ throw std::runtime_error("Error generating DNSCrypt provider keys");
+ }
+}
+
+std::string DNSCryptContext::getProviderFingerprint(unsigned char publicKey[DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE])
+{
+ boost::format fmt("%02X%02X");
+ ostringstream ret;
+
+ for (size_t idx = 0; idx < DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE; idx += 2)
+ {
+ ret << (fmt % static_cast<int>(publicKey[idx]) % static_cast<int>(publicKey[idx+1]));
+ if (idx < (DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE - 2)) {
+ ret << ":";
+ }
+ }
+
+ return ret.str();
+}
+
+void DNSCryptContext::setExchangeVersion(const DNSCryptExchangeVersion& version, unsigned char esVersion[sizeof(DNSCryptCert::esVersion)])
+{
+ esVersion[0] = 0x00;
+
+ if (version == DNSCryptExchangeVersion::VERSION1) {
+ esVersion[1] = { 0x01 };
+ }
+ else if (version == DNSCryptExchangeVersion::VERSION2) {
+ esVersion[1] = { 0x02 };
+ }
+ else {
+ throw std::runtime_error("Unknown DNSCrypt exchange version");
+ }
+}
+
+DNSCryptExchangeVersion DNSCryptContext::getExchangeVersion(const unsigned char esVersion[sizeof(DNSCryptCert::esVersion)])
+{
+ if (esVersion[0] != 0x00) {
+ throw std::runtime_error("Unknown DNSCrypt exchange version");
+ }
+
+ if (esVersion[1] == 0x01) {
+ return DNSCryptExchangeVersion::VERSION1;
+ }
+ else if (esVersion[1] == 0x02) {
+ return DNSCryptExchangeVersion::VERSION2;
+ }
+
+ throw std::runtime_error("Unknown DNSCrypt exchange version");
+}
+
+DNSCryptExchangeVersion DNSCryptContext::getExchangeVersion(const DNSCryptCert& cert)
+{
+ return getExchangeVersion(cert.esVersion);
+}
+
+
+void DNSCryptContext::generateCertificate(uint32_t serial, time_t begin, time_t end, const DNSCryptExchangeVersion& version, const unsigned char providerPrivateKey[DNSCRYPT_PROVIDER_PRIVATE_KEY_SIZE], DNSCryptPrivateKey& privateKey, DNSCryptCert& cert)
+{
+ unsigned char magic[DNSCRYPT_CERT_MAGIC_SIZE] = DNSCRYPT_CERT_MAGIC_VALUE;
+ unsigned char protocolMinorVersion[] = DNSCRYPT_CERT_PROTOCOL_MINOR_VERSION_VALUE;
+ unsigned char pubK[DNSCRYPT_PUBLIC_KEY_SIZE];
+ unsigned char esVersion[sizeof(DNSCryptCert::esVersion)];
+ setExchangeVersion(version, esVersion);
+
+ generateResolverKeyPair(privateKey, pubK);
+
+ memcpy(cert.magic, magic, sizeof(magic));
+ memcpy(cert.esVersion, esVersion, sizeof(esVersion));
+ memcpy(cert.protocolMinorVersion, protocolMinorVersion, sizeof(protocolMinorVersion));
+ memcpy(cert.signedData.resolverPK, pubK, sizeof(cert.signedData.resolverPK));
+ memcpy(cert.signedData.clientMagic, pubK, sizeof(cert.signedData.clientMagic));
+ cert.signedData.serial = htonl(serial);
+ cert.signedData.tsStart = htonl((uint32_t) begin);
+ cert.signedData.tsEnd = htonl((uint32_t) end);
+
+ unsigned long long signatureSize = 0;
+
+ int res = crypto_sign_ed25519(cert.signature,
+ &signatureSize,
+ (unsigned char*) &cert.signedData,
+ sizeof(cert.signedData),
+ providerPrivateKey);
+
+ if (res == 0) {
+ assert(signatureSize == sizeof(DNSCryptCertSignedData) + DNSCRYPT_SIGNATURE_SIZE);
+ }
+ else {
+ throw std::runtime_error("Error generating DNSCrypt certificate");
+ }
+}
+
+void DNSCryptContext::loadCertFromFile(const std::string&filename, DNSCryptCert& dest)
+{
+ ifstream file(filename);
+ file.read((char *) &dest, sizeof(dest));
+
+ if (file.fail())
+ throw std::runtime_error("Invalid dnscrypt certificate file " + filename);
+
+ file.close();
+}
+
+void DNSCryptContext::saveCertFromFile(const DNSCryptCert& cert, const std::string&filename)
+{
+ ofstream file(filename);
+ file.write(reinterpret_cast<const char *>(&cert), sizeof(cert));
+ file.close();
+}
+
+void DNSCryptContext::generateResolverKeyPair(DNSCryptPrivateKey& privK, unsigned char pubK[DNSCRYPT_PUBLIC_KEY_SIZE])
+{
+ int res = crypto_box_keypair(pubK, privK.key);
+
+ if (res != 0) {
+ throw std::runtime_error("Error generating DNSCrypt resolver keys");
+ }
+}
+
+void DNSCryptContext::computePublicKeyFromPrivate(const DNSCryptPrivateKey& privK, unsigned char* pubK)
+{
+ int res = crypto_scalarmult_base(pubK,
+ privK.key);
+
+ if (res != 0) {
+ throw std::runtime_error("Error computing dnscrypt public key from the private one");
+ }
+}
+
+std::string DNSCryptContext::certificateDateToStr(uint32_t date)
+{
+ char buf[20];
+ time_t tdate = static_cast<time_t>(ntohl(date));
+ struct tm date_tm;
+
+ localtime_r(&tdate, &date_tm);
+ strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", &date_tm);
+
+ return string(buf);
+}
+
+void DNSCryptContext::addNewCertificate(std::shared_ptr<DNSCryptCertificatePair>& newCert, bool reload)
+{
+ auto certs = d_certs.write_lock();
+
+ for (auto pair : *certs) {
+ if (pair->cert.getSerial() == newCert->cert.getSerial()) {
+ if (reload) {
+ /* on reload we just assume that this is the same certificate */
+ return;
+ }
+ else {
+ throw std::runtime_error("Error adding a new certificate: we already have a certificate with the same serial");
+ }
+ }
+ }
+
+ certs->push_back(newCert);
+}
+
+void DNSCryptContext::addNewCertificate(const DNSCryptCert& newCert, const DNSCryptPrivateKey& newKey, bool active, bool reload)
+{
+ auto pair = std::make_shared<DNSCryptCertificatePair>();
+ pair->cert = newCert;
+ pair->privateKey = newKey;
+ computePublicKeyFromPrivate(pair->privateKey, pair->publicKey);
+ pair->active = active;
+
+ addNewCertificate(pair, reload);
+}
+
+std::shared_ptr<DNSCryptCertificatePair> DNSCryptContext::loadCertificatePair(const std::string& certFile, const std::string& keyFile)
+{
+ auto pair = std::make_shared<DNSCryptCertificatePair>();
+ loadCertFromFile(certFile, pair->cert);
+ pair->privateKey.loadFromFile(keyFile);
+ pair->active = true;
+ computePublicKeyFromPrivate(pair->privateKey, pair->publicKey);
+ return pair;
+}
+
+void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std::string& keyFile, bool active, bool reload)
+{
+ auto newPair = DNSCryptContext::loadCertificatePair(certFile, keyFile);
+ newPair->active = active;
+ addNewCertificate(newPair, reload);
+ d_certKeyPaths.write_lock()->push_back({certFile, keyFile});
+}
+
+void DNSCryptContext::reloadCertificates()
+{
+ std::vector<std::shared_ptr<DNSCryptCertificatePair>> newCerts;
+ {
+ auto paths = d_certKeyPaths.read_lock();
+ newCerts.reserve(paths->size());
+ for (const auto& pair : *paths) {
+ newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
+ }
+ }
+
+ {
+ *(d_certs.write_lock()) = std::move(newCerts);
+ }
+}
+
+std::vector<std::shared_ptr<DNSCryptCertificatePair>> DNSCryptContext::getCertificates() {
+ std::vector<std::shared_ptr<DNSCryptCertificatePair>> ret = *(d_certs.read_lock());
+ return ret;
+};
+
+void DNSCryptContext::markActive(uint32_t serial)
+{
+ for (auto pair : *d_certs.write_lock()) {
+ if (pair->active == false && pair->cert.getSerial() == serial) {
+ pair->active = true;
+ return;
+ }
+ }
+ throw std::runtime_error("No inactive certificate found with this serial");
+}
+
+void DNSCryptContext::markInactive(uint32_t serial)
+{
+ for (auto pair : *d_certs.write_lock()) {
+ if (pair->active == true && pair->cert.getSerial() == serial) {
+ pair->active = false;
+ return;
+ }
+ }
+ throw std::runtime_error("No active certificate found with this serial");
+}
+
+void DNSCryptContext::removeInactiveCertificate(uint32_t serial)
+{
+ auto certs = d_certs.write_lock();
+
+ for (auto it = certs->begin(); it != certs->end(); ) {
+ if ((*it)->active == false && (*it)->cert.getSerial() == serial) {
+ it = certs->erase(it);
+ return;
+ } else {
+ it++;
+ }
+ }
+ throw std::runtime_error("No inactive certificate found with this serial");
+}
+
+bool DNSCryptQuery::parsePlaintextQuery(const PacketBuffer& packet)
+{
+ assert(d_ctx != nullptr);
+
+ if (packet.size() < sizeof(dnsheader)) {
+ return false;
+ }
+
+ const struct dnsheader * dh = reinterpret_cast<const struct dnsheader *>(packet.data());
+ if (dh->qr || ntohs(dh->qdcount) != 1 || dh->ancount != 0 || dh->nscount != 0 || dh->opcode != Opcode::Query)
+ return false;
+
+ unsigned int qnameWireLength;
+ uint16_t qtype, qclass;
+ DNSName qname(reinterpret_cast<const char*>(packet.data()), packet.size(), sizeof(dnsheader), false, &qtype, &qclass, &qnameWireLength);
+ if ((packet.size() - sizeof(dnsheader)) < (qnameWireLength + sizeof(qtype) + sizeof(qclass))) {
+ return false;
+ }
+
+ if (qtype != QType::TXT || qclass != QClass::IN) {
+ return false;
+ }
+
+ if (qname != d_ctx->getProviderName()) {
+ return false;
+ }
+
+ d_qname = qname;
+ d_id = dh->id;
+ d_valid = true;
+
+ return true;
+}
+
+void DNSCryptContext::getCertificateResponse(time_t now, const DNSName& qname, uint16_t qid, PacketBuffer& response)
+{
+ GenericDNSPacketWriter<PacketBuffer> pw(response, qname, QType::TXT, QClass::IN, Opcode::Query);
+ struct dnsheader * dh = pw.getHeader();
+ dh->id = qid;
+ dh->qr = true;
+ dh->rcode = RCode::NoError;
+
+ auto certs = d_certs.read_lock();
+ for (const auto& pair : *certs) {
+ if (!pair->active || !pair->cert.isValid(now)) {
+ continue;
+ }
+
+ pw.startRecord(qname, QType::TXT, (DNSCRYPT_CERTIFICATE_RESPONSE_TTL), QClass::IN, DNSResourceRecord::ANSWER, true);
+ std::string scert;
+ uint8_t certSize = sizeof(pair->cert);
+ scert.assign((const char*) &certSize, sizeof(certSize));
+ scert.append((const char*) &pair->cert, certSize);
+
+ pw.xfrBlob(scert);
+ pw.commit();
+ }
+}
+
+bool DNSCryptContext::magicMatchesAPublicKey(DNSCryptQuery& query, time_t now)
+{
+ const unsigned char* magic = query.getClientMagic();
+
+ auto certs = d_certs.read_lock();
+ for (const auto& pair : *certs) {
+ if (pair->cert.isValid(now) && memcmp(magic, pair->cert.signedData.clientMagic, DNSCRYPT_CLIENT_MAGIC_SIZE) == 0) {
+ query.setCertificatePair(pair);
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool DNSCryptQuery::isEncryptedQuery(const PacketBuffer& packet, bool tcp, time_t now)
+{
+ assert(d_ctx != nullptr);
+
+ d_encrypted = false;
+
+ if (packet.size() < sizeof(DNSCryptQueryHeader)) {
+ return false;
+ }
+
+ if (!tcp && packet.size() < DNSCryptQuery::s_minUDPLength) {
+ return false;
+ }
+
+ const struct DNSCryptQueryHeader* header = reinterpret_cast<const struct DNSCryptQueryHeader*>(packet.data());
+
+ d_header = *header;
+
+ if (!d_ctx->magicMatchesAPublicKey(*this, now)) {
+ return false;
+ }
+
+ d_encrypted = true;
+
+ return true;
+}
+
+void DNSCryptQuery::getDecrypted(bool tcp, PacketBuffer& packet)
+{
+ assert(d_encrypted);
+ assert(d_pair != nullptr);
+ assert(d_valid == false);
+
+#ifdef DNSCRYPT_STRICT_PADDING_LENGTH
+ if (tcp && ((packet.size() - sizeof(DNSCryptQueryHeader)) % DNSCRYPT_PADDED_BLOCK_SIZE) != 0) {
+ vinfolog("Dropping encrypted query with invalid size of %d (should be a multiple of %d)", (packet.size() - sizeof(DNSCryptQueryHeader)), DNSCRYPT_PADDED_BLOCK_SIZE);
+ return;
+ }
+#endif
+
+ unsigned char nonce[DNSCRYPT_NONCE_SIZE];
+ static_assert(sizeof(nonce) == (2* sizeof(d_header.clientNonce)), "Nonce should be larger than clientNonce (half)");
+ static_assert(sizeof(d_header.clientPK) == DNSCRYPT_PUBLIC_KEY_SIZE, "Client Public key size is not right");
+ static_assert(sizeof(d_pair->privateKey.key) == DNSCRYPT_PRIVATE_KEY_SIZE, "Private key size is not right");
+
+ memcpy(nonce, &d_header.clientNonce, sizeof(d_header.clientNonce));
+ memset(nonce + sizeof(d_header.clientNonce), 0, sizeof(nonce) - sizeof(d_header.clientNonce));
+
+#ifdef HAVE_CRYPTO_BOX_EASY_AFTERNM
+ int res = computeSharedKey();
+ if (res != 0) {
+ vinfolog("Dropping encrypted query we can't compute the shared key for");
+ return;
+ }
+
+ const DNSCryptExchangeVersion version = getVersion();
+
+ if (version == DNSCryptExchangeVersion::VERSION1) {
+ res = crypto_box_open_easy_afternm(reinterpret_cast<unsigned char*>(packet.data()),
+ reinterpret_cast<unsigned char*>(&packet.at(sizeof(DNSCryptQueryHeader))),
+ packet.size() - sizeof(DNSCryptQueryHeader),
+ nonce,
+ d_sharedKey);
+ }
+ else if (version == DNSCryptExchangeVersion::VERSION2) {
+#ifdef HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY
+ res = crypto_box_curve25519xchacha20poly1305_open_easy_afternm(reinterpret_cast<unsigned char*>(packet.data()),
+ reinterpret_cast<unsigned char*>(&packet.at(sizeof(DNSCryptQueryHeader))),
+ packet.size() - sizeof(DNSCryptQueryHeader),
+ nonce,
+ d_sharedKey);
+#else /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ res = -1;
+#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ } else {
+ res = -1;
+ }
+
+#else /* HAVE_CRYPTO_BOX_EASY_AFTERNM */
+ int res = crypto_box_open_easy(reinterpret_cast<unsigned char*>(packet.data()),
+ reinterpret_cast<unsigned char*>(&packet.at(sizeof(DNSCryptQueryHeader))),
+ packet.size() - sizeof(DNSCryptQueryHeader),
+ nonce,
+ d_header.clientPK,
+ d_pair->privateKey.key);
+#endif /* HAVE_CRYPTO_BOX_EASY_AFTERNM */
+
+ if (res != 0) {
+ vinfolog("Dropping encrypted query we can't decrypt");
+ return;
+ }
+
+ uint16_t decryptedQueryLen = packet.size() - sizeof(DNSCryptQueryHeader) - DNSCRYPT_MAC_SIZE;
+ uint16_t pos = decryptedQueryLen;
+ assert(pos < packet.size());
+ d_paddedLen = decryptedQueryLen;
+
+ while (pos > 0 && packet.at(pos - 1) == 0) pos--;
+
+ if (pos == 0 || packet.at(pos - 1) != 0x80) {
+ vinfolog("Dropping encrypted query with invalid padding value");
+ return;
+ }
+
+ pos--;
+
+ size_t paddingLen = decryptedQueryLen - pos;
+ packet.resize(pos);
+
+ if (tcp && paddingLen > DNSCRYPT_MAX_TCP_PADDING_SIZE) {
+ vinfolog("Dropping encrypted query with too long padding size");
+ return;
+ }
+
+ d_len = pos;
+ d_valid = true;
+}
+
+void DNSCryptQuery::getCertificateResponse(time_t now, PacketBuffer& response) const
+{
+ assert(d_ctx != nullptr);
+ d_ctx->getCertificateResponse(now, d_qname, d_id, response);
+}
+
+void DNSCryptQuery::parsePacket(PacketBuffer& packet, bool tcp, time_t now)
+{
+ d_valid = false;
+
+ /* might be a plaintext certificate request or an authenticated request */
+ if (isEncryptedQuery(packet, tcp, now)) {
+ getDecrypted(tcp, packet);
+ }
+ else {
+ parsePlaintextQuery(packet);
+ }
+}
+
+void DNSCryptQuery::fillServerNonce(unsigned char* nonce) const
+{
+ uint32_t* dest = reinterpret_cast<uint32_t*>(nonce);
+ static const size_t nonceSize = DNSCRYPT_NONCE_SIZE / 2;
+
+ for (size_t pos = 0; pos < (nonceSize / sizeof(*dest)); pos++)
+ {
+ const uint32_t value = randombytes_random();
+ memcpy(dest + pos, &value, sizeof(value));
+ }
+}
+
+/*
+ "The length of <resolver-response-pad> must be between 0 and 256 bytes,
+ and must be constant for a given (<resolver-sk>, <client-nonce>) tuple."
+*/
+uint16_t DNSCryptQuery::computePaddingSize(uint16_t unpaddedLen, size_t maxLen) const
+{
+ size_t paddedSize = 0;
+ uint16_t result = 0;
+ uint32_t rnd = 0;
+ assert(d_header.clientNonce);
+ assert(d_pair != nullptr);
+
+ unsigned char nonce[DNSCRYPT_NONCE_SIZE];
+ memcpy(nonce, d_header.clientNonce, (DNSCRYPT_NONCE_SIZE / 2));
+ memcpy(&(nonce[DNSCRYPT_NONCE_SIZE / 2]), d_header.clientNonce, (DNSCRYPT_NONCE_SIZE / 2));
+ crypto_stream((unsigned char*) &rnd, sizeof(rnd), nonce, d_pair->privateKey.key);
+
+ paddedSize = unpaddedLen + rnd % (maxLen - unpaddedLen + 1);
+ paddedSize += DNSCRYPT_PADDED_BLOCK_SIZE - (paddedSize % DNSCRYPT_PADDED_BLOCK_SIZE);
+
+ if (paddedSize > maxLen)
+ paddedSize = maxLen;
+
+ result = paddedSize - unpaddedLen;
+
+ return result;
+}
+
+int DNSCryptQuery::encryptResponse(PacketBuffer& response, size_t maxResponseSize, bool tcp)
+{
+ struct DNSCryptResponseHeader responseHeader;
+ assert(response.size() > 0);
+ assert(maxResponseSize >= response.size());
+ assert(d_encrypted == true);
+ assert(d_pair != nullptr);
+
+ /* a DNSCrypt UDP response can't be larger than the (padded) DNSCrypt query */
+ if (!tcp && d_paddedLen < response.size()) {
+ /* so we need to truncate it */
+ size_t questionSize = 0;
+
+ if (response.size() > sizeof(dnsheader)) {
+ unsigned int qnameWireLength = 0;
+ DNSName tempQName(reinterpret_cast<const char*>(response.data()), response.size(), sizeof(dnsheader), false, 0, 0, &qnameWireLength);
+ if (qnameWireLength > 0) {
+ questionSize = qnameWireLength + DNS_TYPE_SIZE + DNS_CLASS_SIZE;
+ }
+ }
+
+ response.resize(sizeof(dnsheader) + questionSize);
+
+ if (response.size() > d_paddedLen) {
+ /* that does not seem right but let's truncate even more */
+ response.resize(d_paddedLen);
+ }
+ struct dnsheader* dh = reinterpret_cast<struct dnsheader*>(response.data());
+ dh->ancount = dh->arcount = dh->nscount = 0;
+ dh->tc = 1;
+ }
+
+ size_t requiredSize = sizeof(responseHeader) + DNSCRYPT_MAC_SIZE + response.size();
+ size_t maxSize = std::min(maxResponseSize, requiredSize + DNSCRYPT_MAX_RESPONSE_PADDING_SIZE);
+ uint16_t paddingSize = computePaddingSize(requiredSize, maxSize);
+ requiredSize += paddingSize;
+
+ if (requiredSize > maxResponseSize) {
+ return ENOBUFS;
+ }
+
+ memcpy(&responseHeader.nonce, &d_header.clientNonce, sizeof d_header.clientNonce);
+ fillServerNonce(&(responseHeader.nonce[sizeof(d_header.clientNonce)]));
+
+ size_t responseLen = response.size();
+ /* moving the existing response after the header + MAC */
+ response.resize(requiredSize);
+ std::copy_backward(response.begin(), response.begin() + responseLen, response.begin() + responseLen + sizeof(responseHeader) + DNSCRYPT_MAC_SIZE);
+
+ uint16_t pos = 0;
+ /* copying header */
+ memcpy(&response.at(pos), &responseHeader, sizeof(responseHeader));
+ pos += sizeof(responseHeader);
+ /* setting MAC bytes to 0 */
+ memset(&response.at(pos), 0, DNSCRYPT_MAC_SIZE);
+ pos += DNSCRYPT_MAC_SIZE;
+ uint16_t toEncryptPos = pos;
+ /* skipping response */
+ pos += responseLen;
+ /* padding */
+ response.at(pos) = static_cast<uint8_t>(0x80);
+ pos++;
+ memset(&response.at(pos), 0, paddingSize - 1);
+ pos += (paddingSize - 1);
+
+ /* encrypting */
+#ifdef HAVE_CRYPTO_BOX_EASY_AFTERNM
+ int res = computeSharedKey();
+ if (res != 0) {
+ return res;
+ }
+
+ const DNSCryptExchangeVersion version = getVersion();
+
+ if (version == DNSCryptExchangeVersion::VERSION1) {
+ res = crypto_box_easy_afternm(reinterpret_cast<unsigned char*>(&response.at(sizeof(responseHeader))),
+ reinterpret_cast<unsigned char*>(&response.at(toEncryptPos)),
+ responseLen + paddingSize,
+ responseHeader.nonce,
+ d_sharedKey);
+ }
+ else if (version == DNSCryptExchangeVersion::VERSION2) {
+#ifdef HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY
+ res = crypto_box_curve25519xchacha20poly1305_easy_afternm(reinterpret_cast<unsigned char*>(&response.at(sizeof(responseHeader))),
+ reinterpret_cast<unsigned char*>(&response.at(toEncryptPos)),
+ responseLen + paddingSize,
+ responseHeader.nonce,
+ d_sharedKey);
+#else /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ res = -1;
+#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ }
+ else {
+ res = -1;
+ }
+#else
+ int res = crypto_box_easy(reinterpret_cast<unsigned char*>(&response.at(sizeof(responseHeader))),
+ reinterpret_cast<unsigned char*>(&response.at(toEncryptPos)),
+ responseLen + paddingSize,
+ responseHeader.nonce,
+ d_header.clientPK,
+ d_pair->privateKey.key);
+#endif /* HAVE_CRYPTO_BOX_EASY_AFTERNM */
+
+ if (res == 0) {
+ assert(pos == requiredSize);
+ }
+
+ return res;
+}
+
+int DNSCryptContext::encryptQuery(PacketBuffer& packet, size_t maximumSize, const unsigned char clientPublicKey[DNSCRYPT_PUBLIC_KEY_SIZE], const DNSCryptPrivateKey& clientPrivateKey, const unsigned char clientNonce[DNSCRYPT_NONCE_SIZE / 2], bool tcp, const std::shared_ptr<DNSCryptCert>& cert) const
+{
+ assert(packet.size() > 0);
+ assert(cert != nullptr);
+
+ size_t queryLen = packet.size();
+ unsigned char nonce[DNSCRYPT_NONCE_SIZE];
+ size_t requiredSize = sizeof(DNSCryptQueryHeader) + DNSCRYPT_MAC_SIZE + queryLen;
+ /* this is not optimal, we should compute a random padding size, multiple of DNSCRYPT_PADDED_BLOCK_SIZE,
+ DNSCRYPT_PADDED_BLOCK_SIZE <= padding size <= 4096? */
+ uint16_t paddingSize = DNSCRYPT_PADDED_BLOCK_SIZE - (queryLen % DNSCRYPT_PADDED_BLOCK_SIZE);
+ requiredSize += paddingSize;
+
+ if (!tcp && requiredSize < DNSCryptQuery::s_minUDPLength) {
+ paddingSize += (DNSCryptQuery::s_minUDPLength - requiredSize);
+ requiredSize = DNSCryptQuery::s_minUDPLength;
+ }
+
+ if (requiredSize > maximumSize) {
+ return ENOBUFS;
+ }
+
+ /* moving the existing query after the header + MAC */
+ packet.resize(requiredSize);
+ std::copy_backward(packet.begin(), packet.begin() + queryLen, packet.begin() + queryLen + sizeof(DNSCryptQueryHeader) + DNSCRYPT_MAC_SIZE);
+
+ size_t pos = 0;
+ /* client magic */
+ memcpy(&packet.at(pos), cert->signedData.clientMagic, sizeof(cert->signedData.clientMagic));
+ pos += sizeof(cert->signedData.clientMagic);
+
+ /* client PK */
+ memcpy(&packet.at(pos), clientPublicKey, DNSCRYPT_PUBLIC_KEY_SIZE);
+ pos += DNSCRYPT_PUBLIC_KEY_SIZE;
+
+ /* client nonce */
+ memcpy(&packet.at(pos), clientNonce, DNSCRYPT_NONCE_SIZE / 2);
+ pos += DNSCRYPT_NONCE_SIZE / 2;
+ size_t encryptedPos = pos;
+
+ /* clear the MAC bytes */
+ memset(&packet.at(pos), 0, DNSCRYPT_MAC_SIZE);
+ pos += DNSCRYPT_MAC_SIZE;
+
+ /* skipping data */
+ pos += queryLen;
+
+ /* padding */
+ packet.at(pos) = static_cast<uint8_t>(0x80);
+ pos++;
+ memset(&packet.at(pos), 0, paddingSize - 1);
+ pos += paddingSize - 1;
+
+ memcpy(nonce, clientNonce, DNSCRYPT_NONCE_SIZE / 2);
+ memset(nonce + (DNSCRYPT_NONCE_SIZE / 2), 0, DNSCRYPT_NONCE_SIZE / 2);
+
+ const DNSCryptExchangeVersion version = getExchangeVersion(*cert);
+ int res = -1;
+
+ if (version == DNSCryptExchangeVersion::VERSION1) {
+ res = crypto_box_easy(reinterpret_cast<unsigned char*>(&packet.at(encryptedPos)),
+ reinterpret_cast<unsigned char*>(&packet.at(encryptedPos + DNSCRYPT_MAC_SIZE)),
+ queryLen + paddingSize,
+ nonce,
+ cert->signedData.resolverPK,
+ clientPrivateKey.key);
+ }
+ else if (version == DNSCryptExchangeVersion::VERSION2) {
+#ifdef HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY
+ res = crypto_box_curve25519xchacha20poly1305_easy(reinterpret_cast<unsigned char*>(&packet.at(encryptedPos)),
+ reinterpret_cast<unsigned char*>(&packet.at(encryptedPos + DNSCRYPT_MAC_SIZE)),
+ queryLen + paddingSize,
+ nonce,
+ cert->signedData.resolverPK,
+ clientPrivateKey.key);
+#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
+ }
+ else {
+ throw std::runtime_error("Unknown DNSCrypt exchange version");
+ }
+
+ if (res == 0) {
+ assert(pos == requiredSize);
+ }
+
+ return res;
+}
+
+bool generateDNSCryptCertificate(const std::string& providerPrivateKeyFile, uint32_t serial, time_t begin, time_t end, DNSCryptExchangeVersion version, DNSCryptCert& certOut, DNSCryptPrivateKey& keyOut)
+{
+ bool success = false;
+ unsigned char providerPrivateKey[DNSCRYPT_PROVIDER_PRIVATE_KEY_SIZE];
+ sodium_mlock(providerPrivateKey, sizeof(providerPrivateKey));
+ sodium_memzero(providerPrivateKey, sizeof(providerPrivateKey));
+
+ try {
+ ifstream providerKStream(providerPrivateKeyFile);
+ providerKStream.read((char*) providerPrivateKey, sizeof(providerPrivateKey));
+ if (providerKStream.fail()) {
+ providerKStream.close();
+ throw std::runtime_error("Invalid DNSCrypt provider key file " + providerPrivateKeyFile);
+ }
+
+ DNSCryptContext::generateCertificate(serial, begin, end, version, providerPrivateKey, keyOut, certOut);
+ success = true;
+ }
+ catch(const std::exception& e) {
+ errlog(e.what());
+ }
+
+ sodium_memzero(providerPrivateKey, sizeof(providerPrivateKey));
+ sodium_munlock(providerPrivateKey, sizeof(providerPrivateKey));
+ return success;
+}
+
+#endif