Commits (247)
* Version 2.0.16
- On Unix-like systems, the server can run as an unprivileged user,
and the main process will automatically restart if an error occurs.
- pledge() on OpenBSD.
- New "offline" mode to serve queries locally without contacting any
upstream servers. This can be especially useful along with the
cloaking module for local development.
- New logo.
- TTL of OPT records is properly ignored by the caching module.
- The proxy doesn't quit any more if new TCP connections cannot be
created.
* Version 2.0.15
- Support for proxies (HTTP/SOCKS) was added. All it takes to route
all TCP queries to Tor is add `proxy = "socks5://127.0.0.1:9050"` to
the configuration file.
- Querylog files have a new record indicating the outcome of each
transaction.
- Pre-built binaries for Linux are statically linked on all
architectures.
* Version 2.0.14
- Supports DNS-over-HTTPS draft 08.
- Netprobes don't use port 0 by default, as this causes issues with
Little Snitch and FreeBSD.
* Version 2.0.13
- This version fixes a crash when using DoH for queries whose size
were a multiple of the block size. Reported by @char101, thanks!
* Version 2.0.12
- Further compatibility fixes for Alpine Linux/i386 and Android/i386
have been made. Thanks to @aead for his help!
- The proxy will now wait for network connectivity before starting.
This is useful if the proxy is automatically started at boot, possibly
before the network is fully configured.
- The IPv6 blocking module now returns synthetic SOA records to
improve compatibility with downstream resolvers and stub resolvers.
* Version 2.0.11
- This release fixes a long-standing bug that caused the proxy to
block or crash when Position-Independent Executables were produced.
This bug only showed up when compiled on (not for) Alpine Linux and
Android, for some CPU architectures.
- New configuration settings: cache_neg_min_ttl and
cache_neg_max_ttl, to clamp the negative caching TTL.
* Version 2.0.10
- This version fixes a crash when an incomplete size is sent by a
local client for a query over TCP.
- Slight performance improvement of DNSCrypt on non-Intel CPUs such
as Raspberry Pi.
* Version 2.0.9
- Whitelists have been implemented: one a name matches a pattern in
the whitelist, rules from the name-based and IP-based blacklists will
be bypassed. Whitelists support the same patterns as blacklists, as
well as time-based rules, so that some website can be normally
blocked, but accessible on specific days or times of the day.
- Lists are now faster to load, and large lists require significantly
less memory than before.
- New options have been added to disable TLS session tickets as well
as use a specific cipher suite. See the example configuration file for
a recommended configuration to speed up DoH servers on ARM such as
Android devices and Raspberry Pi.
- The `-service install` command now remembers what the current
directory was when the service was installed, in order to later load
configuration files with relative paths.
- DoH: The "Cache-Control: max-age" header is now ignored.
- Patterns can now be prefixed with `=` to do exact matching:
`=example.com` matches `example.com` but will not match `www.example.com`.
- Patterns are now fully supported by the cloaking module.
- A new option was added to use a specific cipher suite instead of
the server's provided one. Using RSA+ChaChaPoly over ECDSA+AES-GCM has
shown to decrease CPU usage and latency when connecting to Cloudflare,
especially on Mips and ARM systems.
- The ephemeral keys mode of dnscrypt-proxy v1.x was reimplemented: this
creates a new unique key for every single query.
* Version 2.0.8
- Multiple URLs can be defined for a source in order to improve
resiliency when servers are temporarily unreachable.
- Connections over IPv6 will be preferred over IPv4 for DoH servers
when using a fallback resolver if `ipv6_servers` is set.
- Improvements have been made to the example systemd configuration
files.
- The chacha20 implementation was updated to possibly fix a bug on
Android/x86.
- `generate-domains-blacklist.py` can now parse dnsmasq-style rules.
- FreeBSD/arm builds have been added.
- `dnscrypt-proxy -list -json` and `-list-all -json` now include the
remove servers names and IP addresses.
* Version 2.0.7
- Bug fix: optional ports were not properly parsed with IPv6
addresses -- thanks to @bleeee for the report and fix.
- Bug fix: truncate TCP queries to the prefixed length.
- Certificates are force-refreshed after a time jump (e.g. when a
system resumes from hibernation).
* Version 2.0.6
- Automatic log files rotation was finally implemented.
- A new -pidfile command-line option to write the PID file was added.
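Review bot: a few wording slips in the ChangeLog text should be fixed before it ships: in the 2.0.9 entry "one a name matches a pattern in the whitelist" should read "once a name matches a pattern in the whitelist"; in 2.0.15 "All it takes to route all TCP queries to Tor is add" should read "is to add"; in 2.0.13 "queries whose size were a multiple of the block size" should read "whose size was a multiple"; and in 2.0.8 "the remove servers names and IP addresses" should read "the remote server names and IP addresses". The 2.0.9 entry also describes the cipher-suite option twice ("New options have been added to disable TLS session tickets as well as use a specific cipher suite" and, further down, "A new option was added to use a specific cipher suite instead of the server's provided one"), so the two bullets can be merged.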
......
......@@ -13,23 +13,17 @@
revision = "b24eb346a94c3ba12c1da1e564dbac1b498a77ce"
version = "v1.1.1"
[[projects]]
branch = "master"
name = "github.com/VividCortex/godaemon"
packages = ["."]
revision = "3d9f6e0b234fe7d17448b345b2e14ac05814a758"
[[projects]]
branch = "master"
name = "github.com/aead/chacha20"
packages = ["chacha"]
revision = "c8d29375923a8e1d2a0f0dc0fc1d8a0aba5b97ba"
revision = "e2538746bfea853aaa589feb8ec46bd46ee78f86"
[[projects]]
branch = "master"
name = "github.com/aead/poly1305"
packages = ["."]
revision = "6cf43fdfd7a228cf3003ae23d10ddbf65e85997b"
revision = "969857f48f7ae439b6d2449ed1dcd9aaabc49c67"
[[projects]]
branch = "master"
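Review bot: the `github.com/aead/chacha20` and `github.com/aead/poly1305` revision bumps sit on the DNSCrypt encryption path, and since both projects are tracked as `branch = "master"` the `revision` line is the only thing that pins what ends up in the binary; the only stated rationale in this change is the ChangeLog's "The chacha20 implementation was updated to possibly fix a bug on Android/x86". It would help future audits to reference the upstream commit or tag for these two bumps in the Debian changelog rather than only "New upstream release". Dropping `github.com/VividCortex/godaemon` from the lock here is consistent with the `[[constraint]]` removal in Gopkg.toml, but see the notes on debian/control and the daemonize file below.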
......@@ -46,8 +40,8 @@
"activation",
"daemon"
]
revision = "40e2722dffead74698ca12a750f64ef313ddce05"
version = "v16"
revision = "39ca1b05acc7ad1220e09f133283b8859a8b71ab"
version = "v17"
[[projects]]
branch = "master"
......@@ -92,19 +86,37 @@
branch = "master"
name = "github.com/jedisct1/dlog"
packages = ["."]
revision = "52c32ac39e436cd9295a4629a91f0613ce67052f"
revision = "f81e5af176e59fc11674b2777fe465fc506c27fe"
[[projects]]
branch = "master"
name = "github.com/jedisct1/go-clocksmith"
packages = ["."]
revision = "c35da9bed550558a4797c74e34957071214342e7"
[[projects]]
branch = "master"
name = "github.com/jedisct1/go-dnsstamps"
packages = ["."]
revision = "1e4999280f861b465e03e21e4f84d838f2f02b38"
[[projects]]
branch = "master"
name = "github.com/jedisct1/go-minisign"
packages = ["."]
revision = "f404c079ea5f0d4669fe617c553651f75167494e"
revision = "f4dbde220b4f73d450949b9ba27fa941faa05a78"
[[projects]]
branch = "master"
name = "github.com/jedisct1/xsecretbox"
packages = ["."]
revision = "88b1956e8d9a013c98dda528d3a5b77f168b057f"
revision = "7a679c0bcd9a5bbfe097fb7d48497bc06d17be76"
[[projects]]
name = "github.com/k-sone/critbitgo"
packages = ["."]
revision = "658116ef1e826b72c603cfe2091b12503f9bca43"
version = "v1.2.0"
[[projects]]
branch = "master"
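Review bot: three dependencies are new to the lock here (`github.com/jedisct1/go-clocksmith`, `github.com/jedisct1/go-dnsstamps`, `github.com/k-sone/critbitgo`), yet the debian/control hunks in this change only touch the debhelper version and Standards-Version; if the package is built against Debian-packaged Go libraries rather than the vendored tree, Build-Depends needs matching golang-*-dev entries for them. The `github.com/jedisct1/go-minisign` bump also deserves a second look: it is the code that verifies the resolver-list signature against the `minisign_key` in dnscrypt-proxy.toml, so a behaviour change there changes how list updates are authenticated.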
......@@ -116,19 +128,13 @@
branch = "master"
name = "github.com/kardianos/service"
packages = ["."]
revision = "89346fbadecfd8c0ca98cfd31523f8eba9b4abbf"
revision = "615a14ed75099c9eaac6949e22ac2341bf9d3197"
[[projects]]
name = "github.com/miekg/dns"
packages = ["."]
revision = "5364553f1ee9cddc7ac8b62dce148309c386695b"
version = "v1.0.4"
[[projects]]
branch = "master"
name = "github.com/pquerna/cachecontrol"
packages = ["cacheobject"]
revision = "0dec1b30a0215bb68605dfc568e8855066c9202d"
revision = "5a2b9fab83ff0f8bfc99684bd5f43a37abe560f1"
version = "v1.0.8"
[[projects]]
branch = "master"
......@@ -137,36 +143,66 @@
"curve25519",
"ed25519",
"ed25519/internal/edwards25519",
"internal/subtle",
"nacl/box",
"nacl/secretbox",
"poly1305",
"salsa20/salsa"
]
revision = "91a49db82a88618983a78a06c1cbd4e00ab749ab"
revision = "a49355c7e3f8fe157a85be2f77e6e269a0f89602"
[[projects]]
branch = "master"
name = "golang.org/x/net"
packages = [
"bpf",
"http/httpguts",
"http2",
"http2/hpack",
"idna",
"internal/iana",
"internal/socket",
"internal/socks",
"ipv4",
"ipv6"
"ipv6",
"proxy"
]
revision = "22ae77b79946ea320088417e4d50825671d82d57"
revision = "32a936f46389aa10549d60bd7833e54b01685d09"
[[projects]]
branch = "master"
name = "golang.org/x/sys"
packages = [
"cpu",
"unix",
"windows",
"windows/registry",
"windows/svc",
"windows/svc/eventlog",
"windows/svc/mgr"
]
revision = "dd2ff4accc098aceecb86b36eaa7829b2a17b1c9"
revision = "3c6ecd8f22c6f40fbeec94c000a069d7d87c7624"
[[projects]]
name = "golang.org/x/text"
packages = [
"collate",
"collate/build",
"internal/colltab",
"internal/gen",
"internal/tag",
"internal/triegen",
"internal/ucd",
"language",
"secure/bidirule",
"transform",
"unicode/bidi",
"unicode/cldr",
"unicode/norm",
"unicode/rangetable"
]
revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
version = "v0.3.0"
[[projects]]
name = "gopkg.in/natefinch/lumberjack.v2"
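Review bot: `golang.org/x/net` now pulls in `"internal/socks"` and `"proxy"`, which is what backs the ChangeLog's new `proxy = "socks5://127.0.0.1:9050"` setting, so that part is consistent. `golang.org/x/text` at v0.3.0 is new and the Gopkg.toml hunks in this change add a constraint for x/net but none for x/text, so it is held only by the lock file; that is fine for reproducibility as long as nobody regenerates the lock without noticing the transitive pin moving.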
......@@ -177,6 +213,6 @@
[solve-meta]
analyzer-name = "dep"
analyzer-version = 1
inputs-digest = "32f9b1bb4dd9f1ca13e9daedf85fc6cc9f3a97a023171a32ac7a2144ba9c1956"
inputs-digest = "2e3662737bdfec3295cf1f397f5584d97fbfd99973ab0351fafe66049bfa79bb"
solver-name = "gps-cdcl"
solver-version = 1
......@@ -6,17 +6,13 @@
name = "github.com/VividCortex/ewma"
version = "1.1.1"
[[constraint]]
branch = "master"
name = "github.com/VividCortex/godaemon"
[[constraint]]
branch = "master"
name = "github.com/agl/ed25519"
[[constraint]]
name = "github.com/coreos/go-systemd"
version = "16.0.0"
version = "17.0.0"
[[constraint]]
branch = "master"
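Review bot: removing the `github.com/agl/ed25519` constraint alongside `github.com/VividCortex/godaemon` looks intentional (the lock still lists `"ed25519"` among the `golang.org/x/crypto` packages, which presumably takes over signature verification), but the debian/control context lines in this change still carry `golang-ed25519-dev` and `golang-github-vividcortex-godaemon-dev` in Build-Depends; both can likely be dropped once the build is confirmed to no longer import them.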
......@@ -38,6 +34,14 @@
branch = "master"
name = "github.com/jedisct1/dlog"
[[constraint]]
branch = "master"
name = "github.com/jedisct1/go-clocksmith"
[[constraint]]
branch = "master"
name = "github.com/jedisct1/go-dnsstamps"
[[constraint]]
branch = "master"
name = "github.com/jedisct1/go-minisign"
......@@ -46,21 +50,25 @@
branch = "master"
name = "github.com/jedisct1/xsecretbox"
[[constraint]]
name = "github.com/k-sone/critbitgo"
version = "1.2.0"
[[constraint]]
branch = "master"
name = "github.com/kardianos/service"
[[constraint]]
name = "github.com/miekg/dns"
version = "1.0.4"
version = "1.0.8"
[[constraint]]
branch = "master"
name = "github.com/pquerna/cachecontrol"
name = "golang.org/x/crypto"
[[constraint]]
branch = "master"
name = "golang.org/x/crypto"
name = "golang.org/x/net"
[[constraint]]
name = "gopkg.in/natefinch/lumberjack.v2"
......
[![Build Status](https://travis-ci.org/jedisct1/dnscrypt-proxy.svg?branch=master)](https://travis-ci.org/jedisct1/dnscrypt-proxy?branch=master)
# ![dnscrypt-proxy 2](https://raw.github.com/jedisct1/dnscrypt-proxy/master/logo.png?2)
# ![dnscrypt-proxy 2](https://raw.github.com/jedisct1/dnscrypt-proxy/master/logo.png?3)
A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt) and [DNS-over-HTTP/2](https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-03).
A flexible DNS proxy, with support for modern encrypted DNS protocols such as [DNSCrypt v2](https://dnscrypt.info/protocol) and [DNS-over-HTTPS](https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-12).
## [dnscrypt-proxy 2.0.6 final is available for download!](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
## [dnscrypt-proxy 2.0.16 final is available for download!](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
## [Documentation](https://dnscrypt.info/doc)
* [dnscrypt-proxy documentation](https://dnscrypt.info/doc) – This project's documentation (Wiki)
* [DNSCrypt project home page](https://dnscrypt.info/)
* [DNS-over-HTTPS and DNSCrypt resolvers](https://dnscrypt.info/public-servers)
* [Server and client implementations](https://dnscrypt.info/implementations)
* [DNS stamps](https://dnscrypt.info/stamps)
* [FAQ](https://dnscrypt.info/faq)
## Features
* DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) and DNSCrypt.
* DNSSEC compatible
* DNS query monitoring, with separate log files for regular and suspicious queries
* Pattern-based local blocking of DNS names and IP addresses
* Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
* Time-based filtering, with a flexible weekly schedule
* Transparent redirection of specific domains to specific resolvers
* DNS caching, to reduce latency and improve privacy
......@@ -21,9 +25,9 @@ A flexible DNS proxy, with support for modern encrypted DNS protocols such as [D
* Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
* Cloaking: like a `HOSTS` file on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo and Bing.
* Automatic background updates of resolvers lists
* Can force outgoing connections to use TCP; useful with tunnels such as Tor.
It includes all the major features from dnscrypt-proxy 1.9.5, with improved reliability, flexibility, usability and performance.
* Can force outgoing connections to use TCP
* Supports SOCKS proxies
* Compatible with DNSSEC
## Pre-built binaries
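Review bot: the new `* Compatible with DNSSEC` bullet duplicates the existing `* DNSSEC compatible` entry higher up in the same Features list (visible in the previous hunk's context), so one of the two should go. Dropping "useful with tunnels such as Tor" from the TCP bullet is fine now that `* Supports SOCKS proxies` states the actual mechanism.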
......@@ -34,6 +38,7 @@ Up-to-date, pre-built binaries are available for:
* Android/x86
* Android/x86_64
* Dragonfly BSD
* FreeBSD/arm
* FreeBSD/x86
* FreeBSD/x86_64
* Linux/arm
......@@ -51,3 +56,5 @@ Up-to-date, pre-built binaries are available for:
* OpenBSD/x86_64
* Windows
* Windows 64 bit
How to use these files, as well as how to verify their signatures, are documented in the [installation instructions](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation).
dnscrypt-proxy (2.0.16-1) experimental; urgency=medium
* New upstream release.
* Switch to debhelper 11
* Standards-Version to 4.1.5
* Reenable socket activation and privilege dropping
-- Eric Dorland <eric@debian.org> Thu, 02 Aug 2018 22:26:45 -0400
dnscrypt-proxy (2.0.6-2) experimental; urgency=medium
* Fix server_names config parameter
......
......@@ -2,7 +2,7 @@ Source: dnscrypt-proxy
Section: net
Priority: optional
Maintainer: Eric Dorland <eric@debian.org>
Build-Depends: debhelper (>= 10),
Build-Depends: debhelper (>= 11),
dh-golang,
dh-systemd,
golang-ed25519-dev,
......@@ -26,7 +26,7 @@ Build-Depends: debhelper (>= 10),
golang-github-miekg-dns-dev,
golang-github-vividcortex-ewma-dev,
golang-github-vividcortex-godaemon-dev,
Standards-Version: 3.9.8
Standards-Version: 4.1.5
Homepage: https://github.com/jedisct1/dnscrypt-proxy
Vcs-Git: https://salsa.debian.org/eric/dnscrypt-proxy.git
Vcs-Browser: https://salsa.debian.org/eric/dnscrypt-proxy
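Review bot: with `Build-Depends: debhelper (>= 11)` the separate `dh-systemd` build dependency in the context lines is no longer needed; the dh_systemd_* helpers have been part of debhelper itself since 9.20160709 and dh-systemd is only a transitional package, so it can be removed from Build-Depends. The context also still lists `golang-github-vividcortex-godaemon-dev` even though this change removes godaemon from both Gopkg.toml and Gopkg.lock.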
......
[Unit]
Description=DNSCrypt proxy resolvconf support
Documentation=man:dnscrypt-proxy(8)
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
After=dnscrypt-proxy.socket
Requires=dnscrypt-proxy.socket
ConditionFileIsExecutable=/sbin/resolvconf
......
debian/tmp/usr/bin/* usr/sbin
debian/dnscrypt-proxy.toml /etc/dnscrypt-proxy
debian/dnscrypt-proxy.service /lib/systemd/system
debian/dnscrypt-proxy.socket /lib/systemd/system
debian/dnscrypt-proxy-resolvconf.service /lib/systemd/system
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
# Requires=dnscrypt-proxy.socket
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target
[Install]
# Also=dnscrypt-proxy.socket
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target
[Service]
Type=simple
NonBlocking=true
# Put this back
# User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Restart=always
#ProtectSystem=strict
#ProtectHome=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
User=_dnscrypt-proxy
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy
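Review bot: the leftover `# Put this back` and `# User=_dnscrypt-proxy` lines can be deleted now that `User=_dnscrypt-proxy` is set further down in the same `[Service]` section, and `#ProtectSystem=strict` is the one hardening directive still commented out. The proxy's only writable locations are the `CacheDirectory=`, `LogsDirectory=` and `RuntimeDirectory=` paths declared here (the config under /etc/dnscrypt-proxy only needs to be readable), so it is worth retesting with `ProtectSystem=strict` enabled; `NoNewPrivileges=true`, `PrivateTmp=true` and `PrivateDevices=true` would also fit next to the existing Protect* lines. Since the socket unit owns port 53, the service itself needs no capabilities, which is the right shape for privilege dropping.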
[Unit]
Description=dnscrypt-proxy listening socket
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Before=nss-lookup.target
Wants=nss-lookup.target
Wants=dnscrypt-proxy-resolvconf.service
[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
ListenStream=127.0.2.1:53
ListenDatagram=127.0.2.1:53
NoDelay=true
DeferAcceptSec=1
......
listen_addresses = ['127.0.2.1:53']
# Empty listen_addresses to use systemd socket activation
listen_addresses = []
server_names = ['cloudflare']
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
[sources]
[sources.'public-resolvers']
url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
cache_file = 'public-resolvers.md'
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72
prefix = ''
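Review bot: with `listen_addresses = []` the proxy serves only through the sockets it inherits, so a service started without the socket unit would have no listener at all; `Requires=dnscrypt-proxy.socket` in the service unit covers that, and the comment above the setting makes the intent clear. Switching `cache_file` to the absolute `/var/cache/dnscrypt-proxy/public-resolvers.md` matches `CacheDirectory=dnscrypt-proxy`, and the query/nx log paths match `LogsDirectory=`. One thing to consider: the context line `server_names = ['cloudflare']` pins the Debian default to a single resolver, so the load-balancing and failover the README advertises cannot kick in; listing more than one name would give users a fallback when that resolver is unreachable.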
......@@ -11,22 +11,13 @@ export DH_GOPKG := github.com/jedisct1/dnscrypt-proxy
%:
dh $@ --buildsystem=golang --with=golang
override_dh_installsystemd:
dh_installsystemd dnscrypt-proxy.service dnscrypt-proxy.socket \
dnscrypt-proxy-resolvconf.service
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp
override_dh_install:
dh_install
# Fix once socket activation is fixed.
# install -m755 -d debian/dnscrypt-proxy/lib/systemd/system
# install -m644 -p debian/dnscrypt-proxy-resolvconf.service \
# debian/dnscrypt-proxy/lib/systemd/system
override_dh_installinit:
dh_installinit --restart-after-upgrade
override_dh_systemd_start:
dh_systemd_start --restart-after-upgrade
# Tests may fail on build servers and aren't useful in release builds anyway
override_dh_auto_test:
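Review bot: the new `override_dh_installsystemd` target is the compat-11 way to install all three units, but if debian/compat is also moved to 11 the `override_dh_systemd_start` block below it becomes dead code, because dh_installsystemd replaces dh_systemd_start in that sequence and `--restart-after-upgrade` is already its default behaviour; the block can then be removed. The empty `override_dh_auto_test` disables upstream tests entirely, which the comment documents, but a `dh_auto_test || true` would at least surface failures in the build log without blocking the build.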
......@@ -3,10 +3,13 @@ package main
import (
"encoding/binary"
"errors"
"fmt"
"net"
"runtime"
"strconv"
"strings"
"unicode"
"os"
)
type CryptoConstruction uint16
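Review bot: the added `"os"` import is placed after `"unicode"`, which means this file was not run through gofmt (gofmt sorts the specs of a contiguous import block, so it would move `"os"` between `"net"` and `"runtime"`). Running gofmt before committing keeps later diffs free of import reshuffles.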
......@@ -34,6 +37,11 @@ var (
InitialMinQuestionSize = 256
)
var (
FileDescriptors = make([]*os.File, 0)
FileDescriptorNum = 0
)
func PrefixWithSize(packet []byte) ([]byte, error) {
packetLen := len(packet)
if packetLen > 0xffff {
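Review bot: `FileDescriptors` and `FileDescriptorNum` are mutable package-level state shared by every goroutine in the process; if they are only populated once at startup (for sockets inherited through socket activation) and read afterwards, that is fine but worth stating in a comment, otherwise access needs a mutex. `FileDescriptorNum = 0` is also redundant, since the zero value is 0.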
......@@ -45,7 +53,7 @@ func PrefixWithSize(packet []byte) ([]byte, error) {
return packet, nil
}
func ReadPrefixed(conn *net.TCPConn) ([]byte, error) {
func ReadPrefixed(conn *net.Conn) ([]byte, error) {
buf := make([]byte, 2+MaxDNSPacketSize)
packetLength, pos := -1, 0
for {
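Review bot: `conn *net.Conn` is a pointer to an interface, which is an anti-pattern in Go: callers must take the address of an interface value and every `Read` goes through an extra indirection for no benefit. The parameter should be `conn net.Conn`; that still accepts the `*net.TCPConn` the old signature took, and any other `net.Conn` the SOCKS proxy support now produces.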
......@@ -63,8 +71,8 @@ func ReadPrefixed(conn *net.TCPConn) ([]byte, error) {
return buf, errors.New("Packet too short")
}
}
if pos >= 2+packetLength {
return buf[2:pos], nil
if packetLength >= 0 && pos >= 2+packetLength {
return buf[2 : 2+packetLength], nil
}
}
}
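Review bot: the `packetLength >= 0 &&` guard is the real fix for the truncated-length crash listed under 2.0.10 in the ChangeLog: before it, the `-1` sentinel made `pos >= 2+packetLength` true after a single received byte, so the function returned before the length prefix had been read. Slicing to `buf[2 : 2+packetLength]` instead of `buf[2:pos]` also implements the 2.0.7 entry "truncate TCP queries to the prefixed length". A unit test that delivers the two-byte prefix one byte at a time, and one that appends trailing bytes past the declared length, would lock both behaviours in.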
......@@ -124,3 +132,41 @@ func StringQuote(str string) string {
str = strconv.QuoteToGraphic(str)
return str[1 : len(str)-1]
}
func ExtractPort(str string, defaultPort int) int {
port := defaultPort
if idx := strings.LastIndex(str, ":"); idx >= 0 && idx < len(str)-1 {
if portX, err := strconv.Atoi(str[idx+1:]); err == nil {
port = portX
}
}
return port
}
func ExtractHost(str string) string {
if idx := strings.LastIndex(str, ":"); idx >= 0 && idx < len(str)-1 {
if _, err := strconv.Atoi(str[idx+1:]); err == nil {
str = str[:idx]
}
}
return str
}
func ExtractHostAndPort(str string, defaultPort int) (host string, port int) {
host, port = str, defaultPort
if idx := strings.LastIndex(str, ":"); idx >= 0 && idx < len(str)-1 {
if portX, err := strconv.Atoi(str[idx+1:]); err == nil {
host, port = host[:idx], portX
}
}
return
}
func MemUsage() {
var m runtime.MemStats
runtime.ReadMemStats(&m)
fmt.Printf("Alloc = %v MiB", m.Alloc/1024/1024)
fmt.Printf("\tTotalAlloc = %v MiB", m.TotalAlloc/1024/1024)
fmt.Printf("\tSys = %v MiB", m.Sys/1024/1024)
fmt.Printf("\tNumGC = %v\n", m.NumGC)
}
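Review bot: `ExtractPort`, `ExtractHost` and `ExtractHostAndPort` split on the last `:` and accept the suffix as a port whenever it parses as an integer, so an unbracketed IPv6 literal is misread: for `::1` the suffix `1` becomes the port and the host becomes `::`, and `2001:db8::1` yields host `2001:db8:` with port 1. Since the ChangeLog already records one IPv6 port-parsing bug (2.0.7), consider trying `net.SplitHostPort` first and only falling back to "no port" when it fails, or requiring `[...]` brackets for IPv6 hosts. `ExtractHostAndPort` also duplicates the other two and could be the single implementation they wrap. Finally, `MemUsage` writes with `fmt.Printf` to stdout while the rest of the project logs through dlog; `dlog.Debugf` would keep the output in the same place and at a level that is off by default.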
......@@ -3,9 +3,13 @@ package main
import (
"bytes"
"crypto/rand"
"crypto/sha512"
"errors"
"github.com/jedisct1/dlog"
"github.com/jedisct1/xsecretbox"
"golang.org/x/crypto/curve25519"
"golang.org/x/crypto/nacl/box"
"golang.org/x/crypto/nacl/secretbox"
)
......@@ -40,10 +44,39 @@ func unpad(packet []byte) ([]byte, error) {
}
}
func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string) (encrypted []byte, clientNonce []byte, err error) {
func ComputeSharedKey(cryptoConstruction CryptoConstruction, secretKey *[32]byte, serverPk *[32]byte, providerName *string) (sharedKey [32]byte) {
if cryptoConstruction == XChacha20Poly1305 {
var err error
sharedKey, err = xsecretbox.SharedKey(*secretKey, *serverPk)
if err != nil {
dlog.Criticalf("[%v] Weak public key", providerName)
}
} else {
box.Precompute(&sharedKey, serverPk, secretKey)
}
return
}
func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string) (sharedKey *[32]byte, encrypted []byte, clientNonce []byte, err error) {
nonce, clientNonce := make([]byte, NonceSize), make([]byte, HalfNonceSize)
rand.Read(clientNonce)
copy(nonce, clientNonce)
var publicKey *[PublicKeySize]byte
if proxy.ephemeralKeys {
h := sha512.New512_256()
h.Write(clientNonce)
h.Write(proxy.proxySecretKey[:])
var ephSk [32]byte
h.Sum(ephSk[:0])
var xPublicKey [PublicKeySize]byte
curve25519.ScalarBaseMult(&xPublicKey, &ephSk)
publicKey = &xPublicKey
xsharedKey := ComputeSharedKey(serverInfo.CryptoConstruction, &ephSk, &serverInfo.ServerPk, nil)
sharedKey = &xsharedKey
} else {
sharedKey = &serverInfo.SharedKey
publicKey = &proxy.proxyPublicKey
}
minQuestionSize := QueryOverhead + len(packet)
if proto == "udp" {
minQuestionSize = Max(proxy.questionSizeEstimator.MinQuestionSize(), minQuestionSize)
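Review bot: `ComputeSharedKey` logs a critical error on a weak server public key but then returns `sharedKey` unchanged and the caller carries on encrypting with it; it should return an error so that `Encrypt` can abort instead of sending a query sealed under a key derived from a bad point. Two smaller issues in the same hunk: `providerName` is a `*string`, so `dlog.Criticalf("[%v] Weak public key", providerName)` prints a pointer address rather than the provider name (and `<nil>` in the ephemeral path, which passes `nil`), and the return value of `rand.Read(clientNonce)` is ignored. The ephemeral secret key is `SHA-512/256(clientNonce || proxySecretKey)`, so its per-query uniqueness rests entirely on that nonce being fresh; checking the error from `rand.Read` is cheap insurance that a failed read does not silently reuse a zero nonce and therefore the same ephemeral key.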
......@@ -57,20 +90,20 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
err = errors.New("Question too large; cannot be padded")
return
}
encrypted = append(serverInfo.MagicQuery[:], proxy.proxyPublicKey[:]...)
encrypted = append(serverInfo.MagicQuery[:], publicKey[:]...)
encrypted = append(encrypted, nonce[:HalfNonceSize]...)
padded := pad(packet, paddedLength-QueryOverhead)
if serverInfo.CryptoConstruction == XChacha20Poly1305 {
encrypted = xsecretbox.Seal(encrypted, nonce, padded, serverInfo.SharedKey[:])
encrypted = xsecretbox.Seal(encrypted, nonce, padded, sharedKey[:])
} else {
var xsalsaNonce [24]byte
copy(xsalsaNonce[:], nonce)
encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, &serverInfo.SharedKey)
encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)
}
return
}
func (proxy *Proxy) Decrypt(serverInfo *ServerInfo, encrypted []byte, nonce []byte) ([]byte, error) {
func (proxy *Proxy) Decrypt(serverInfo *ServerInfo, sharedKey *[32]byte, encrypted []byte, nonce []byte) ([]byte, error) {
serverMagicLen := len(ServerMagic)
responseHeaderLen := serverMagicLen + NonceSize
if len(encrypted) < responseHeaderLen+TagSize+int(MinDNSPacketSize) ||
......@@ -85,12 +118,12 @@ func (proxy *Proxy) Decrypt(serverInfo *ServerInfo, encrypted []byte, nonce []by
var packet []byte
var err error
if serverInfo.CryptoConstruction == XChacha20Poly1305 {
packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], serverInfo.SharedKey[:])
packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], sharedKey[:])
} else {
var xsalsaServerNonce [24]byte
copy(xsalsaServerNonce[:], serverNonce)
var ok bool
packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, &serverInfo.SharedKey)
packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, sharedKey)
if !ok {
err = errors.New("Incorrect tag")
}
......
// +build linux
package main
import "github.com/VividCortex/godaemon"
func Daemonize() {
godaemon.MakeDaemon(&godaemon.DaemonAttr{})
}
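Review bot: this file still does `import "github.com/VividCortex/godaemon"` while the same change removes godaemon from Gopkg.toml and Gopkg.lock; if the file is not deleted in this commit, `dep ensure` will prune the package and the linux build breaks. Given the ChangeLog's 2.0.16 note that the server now runs as an unprivileged user and restarts itself on error, removing the file (and the godaemon Build-Depends in debian/control) looks like the intended outcome.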