dnscrypt-proxy/dnscrypt-proxy/crypto.go

package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha512"
	"errors"

	"github.com/jedisct1/dlog"
	"github.com/jedisct1/xsecretbox"
	"golang.org/x/crypto/curve25519"
	"golang.org/x/crypto/nacl/box"
	"golang.org/x/crypto/nacl/secretbox"
)

const (
	NonceSize        = xsecretbox.NonceSize
	HalfNonceSize    = xsecretbox.NonceSize / 2
	TagSize          = xsecretbox.TagSize
	PublicKeySize    = 32
	QueryOverhead    = ClientMagicLen + PublicKeySize + HalfNonceSize + TagSize
	ResponseOverhead = len(ServerMagic) + NonceSize + TagSize
)

func pad(packet []byte, minSize int) []byte {
	packet = append(packet, 0x80)
	for len(packet) < minSize {
		packet = append(packet, 0)
	}
	return packet
}

func unpad(packet []byte) ([]byte, error) {
	for i := len(packet); ; {
		if i == 0 {
			return nil, errors.New("Invalid padding (short packet)")
		}
		i--
		if packet[i] == 0x80 {
			return packet[:i], nil
		} else if packet[i] != 0x00 {
			return nil, errors.New("Invalid padding (delimiter not found)")
		}
	}
}

func ComputeSharedKey(cryptoConstruction CryptoConstruction, secretKey *[32]byte, serverPk *[32]byte, providerName *string) (sharedKey [32]byte) {
	if cryptoConstruction == XChacha20Poly1305 {
		var err error
		sharedKey, err = xsecretbox.SharedKey(*secretKey, *serverPk)
		if err != nil {
			dlog.Criticalf("[%v] Weak public key", providerName)
		}
	} else {
		box.Precompute(&sharedKey, serverPk, secretKey)
	}
	return
}

func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string) (sharedKey *[32]byte, encrypted []byte, clientNonce []byte, err error) {
	nonce, clientNonce := make([]byte, NonceSize), make([]byte, HalfNonceSize)
	rand.Read(clientNonce)
	copy(nonce, clientNonce)
	var publicKey *[PublicKeySize]byte
	if proxy.ephemeralKeys {
		h := sha512.New512_256()
		h.Write(clientNonce)
		h.Write(proxy.proxySecretKey[:])
		var ephSk [32]byte
		h.Sum(ephSk[:0])
		var xPublicKey [PublicKeySize]byte
		curve25519.ScalarBaseMult(&xPublicKey, &ephSk)
		publicKey = &xPublicKey
		xsharedKey := ComputeSharedKey(serverInfo.CryptoConstruction, &ephSk, &serverInfo.ServerPk, nil)
		sharedKey = &xsharedKey
	} else {
		sharedKey = &serverInfo.SharedKey
		publicKey = &proxy.proxyPublicKey
	}
	minQuestionSize := QueryOverhead + len(packet)
	if proto == "udp" {
		minQuestionSize = Max(proxy.questionSizeEstimator.MinQuestionSize(), minQuestionSize)
	} else {
		var xpad [1]byte
		rand.Read(xpad[:])
		minQuestionSize += int(xpad[0])
	}
	paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+63) & ^63)
	if QueryOverhead+len(packet)+1 > paddedLength {
		err = errors.New("Question too large; cannot be padded")
		return
	}
	encrypted = append(serverInfo.MagicQuery[:], publicKey[:]...)
	encrypted = append(encrypted, nonce[:HalfNonceSize]...)
	padded := pad(packet, paddedLength-QueryOverhead)
	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
		encrypted = xsecretbox.Seal(encrypted, nonce, padded, sharedKey[:])
	} else {
		var xsalsaNonce [24]byte
		copy(xsalsaNonce[:], nonce)
		encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)
	}
	return
}

func (proxy *Proxy) Decrypt(serverInfo *ServerInfo, sharedKey *[32]byte, encrypted []byte, nonce []byte) ([]byte, error) {
	serverMagicLen := len(ServerMagic)
	responseHeaderLen := serverMagicLen + NonceSize
	if len(encrypted) < responseHeaderLen+TagSize+int(MinDNSPacketSize) ||
		len(encrypted) > responseHeaderLen+TagSize+int(MaxDNSPacketSize) ||
		!bytes.Equal(encrypted[:serverMagicLen], ServerMagic[:]) {
		return encrypted, errors.New("Invalid message size or prefix")
	}
	serverNonce := encrypted[serverMagicLen:responseHeaderLen]
	if !bytes.Equal(nonce[:HalfNonceSize], serverNonce[:HalfNonceSize]) {
		return encrypted, errors.New("Unexpected nonce")
	}
	var packet []byte
	var err error
	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
		packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], sharedKey[:])
	} else {
		var xsalsaServerNonce [24]byte
		copy(xsalsaServerNonce[:], serverNonce)
		var ok bool
		packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, sharedKey)
		if !ok {
			err = errors.New("Incorrect tag")
		}
	}
	if err != nil {
		return encrypted, err
	}
	packet, err = unpad(packet)
	if err != nil || len(packet) < MinDNSPacketSize {
		return encrypted, errors.New("Incorrect padding")
	}
	return packet, nil
}
Desuglify a bit 2018-01-09 13:27:03 +01:00			`package main`

			`import (`
			`"bytes"`
			`"crypto/rand"`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`"crypto/sha512"`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`"errors"`

Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`"github.com/jedisct1/dlog"`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`"github.com/jedisct1/xsecretbox"`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`"golang.org/x/crypto/curve25519"`
			`"golang.org/x/crypto/nacl/box"`
Many improvements 2018-01-10 16:01:29 +01:00			`"golang.org/x/crypto/nacl/secretbox"`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`)`

			`const (`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`NonceSize = xsecretbox.NonceSize`
			`HalfNonceSize = xsecretbox.NonceSize / 2`
			`TagSize = xsecretbox.TagSize`
Many improvements 2018-01-10 16:01:29 +01:00			`PublicKeySize = 32`
			`QueryOverhead = ClientMagicLen + PublicKeySize + HalfNonceSize + TagSize`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`ResponseOverhead = len(ServerMagic) + NonceSize + TagSize`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`)`

			`func pad(packet []byte, minSize int) []byte {`
			`packet = append(packet, 0x80)`
			`for len(packet) < minSize {`
			`packet = append(packet, 0)`
			`}`
			`return packet`
			`}`

			`func unpad(packet []byte) ([]byte, error) {`
			`for i := len(packet); ; {`
			`if i == 0 {`
			`return nil, errors.New("Invalid padding (short packet)")`
			`}`
			`i--`
			`if packet[i] == 0x80 {`
			`return packet[:i], nil`
			`} else if packet[i] != 0x00 {`
			`return nil, errors.New("Invalid padding (delimiter not found)")`
			`}`
			`}`
			`}`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`func ComputeSharedKey(cryptoConstruction CryptoConstruction, secretKey [32]byte, serverPk [32]byte, providerName *string) (sharedKey [32]byte) {`
			`if cryptoConstruction == XChacha20Poly1305 {`
			`var err error`
			`sharedKey, err = xsecretbox.SharedKey(secretKey, serverPk)`
			`if err != nil {`
			`dlog.Criticalf("[%v] Weak public key", providerName)`
			`}`
			`} else {`
			`box.Precompute(&sharedKey, serverPk, secretKey)`
			`}`
			`return`
			`}`

			`func (proxy Proxy) Encrypt(serverInfo ServerInfo, packet []byte, proto string) (sharedKey *[32]byte, encrypted []byte, clientNonce []byte, err error) {`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`nonce, clientNonce := make([]byte, NonceSize), make([]byte, HalfNonceSize)`
			`rand.Read(clientNonce)`
			`copy(nonce, clientNonce)`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`var publicKey *[PublicKeySize]byte`
			`if proxy.ephemeralKeys {`
			`h := sha512.New512_256()`
			`h.Write(clientNonce)`
			`h.Write(proxy.proxySecretKey[:])`
			`var ephSk [32]byte`
			`h.Sum(ephSk[:0])`
			`var xPublicKey [PublicKeySize]byte`
			`curve25519.ScalarBaseMult(&xPublicKey, &ephSk)`
			`publicKey = &xPublicKey`
			`xsharedKey := ComputeSharedKey(serverInfo.CryptoConstruction, &ephSk, &serverInfo.ServerPk, nil)`
			`sharedKey = &xsharedKey`
			`} else {`
			`sharedKey = &serverInfo.SharedKey`
			`publicKey = &proxy.proxyPublicKey`
			`}`
Many improvements 2018-01-10 16:01:29 +01:00			`minQuestionSize := QueryOverhead + len(packet)`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`if proto == "udp" {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`minQuestionSize = Max(proxy.questionSizeEstimator.MinQuestionSize(), minQuestionSize)`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`} else {`
			`var xpad [1]byte`
			`rand.Read(xpad[:])`
			`minQuestionSize += int(xpad[0])`
			`}`
Many improvements 2018-01-10 16:01:29 +01:00			`paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+63) & ^63)`
			`if QueryOverhead+len(packet)+1 > paddedLength {`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`err = errors.New("Question too large; cannot be padded")`
			`return`
			`}`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`encrypted = append(serverInfo.MagicQuery[:], publicKey[:]...)`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`encrypted = append(encrypted, nonce[:HalfNonceSize]...)`
Many improvements 2018-01-10 16:01:29 +01:00			`padded := pad(packet, paddedLength-QueryOverhead)`
			`if serverInfo.CryptoConstruction == XChacha20Poly1305 {`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`encrypted = xsecretbox.Seal(encrypted, nonce, padded, sharedKey[:])`
Many improvements 2018-01-10 16:01:29 +01:00			`} else {`
			`var xsalsaNonce [24]byte`
			`copy(xsalsaNonce[:], nonce)`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)`
Many improvements 2018-01-10 16:01:29 +01:00			`}`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`return`
			`}`

Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`func (proxy Proxy) Decrypt(serverInfo ServerInfo, sharedKey *[32]byte, encrypted []byte, nonce []byte) ([]byte, error) {`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`serverMagicLen := len(ServerMagic)`
			`responseHeaderLen := serverMagicLen + NonceSize`
			`if len(encrypted) < responseHeaderLen+TagSize+int(MinDNSPacketSize) \|\|`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`len(encrypted) > responseHeaderLen+TagSize+int(MaxDNSPacketSize) \|\|`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`!bytes.Equal(encrypted[:serverMagicLen], ServerMagic[:]) {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`return encrypted, errors.New("Invalid message size or prefix")`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`}`
			`serverNonce := encrypted[serverMagicLen:responseHeaderLen]`
			`if !bytes.Equal(nonce[:HalfNonceSize], serverNonce[:HalfNonceSize]) {`
			`return encrypted, errors.New("Unexpected nonce")`
			`}`
Many improvements 2018-01-10 16:01:29 +01:00			`var packet []byte`
			`var err error`
			`if serverInfo.CryptoConstruction == XChacha20Poly1305 {`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], sharedKey[:])`
Many improvements 2018-01-10 16:01:29 +01:00			`} else {`
			`var xsalsaServerNonce [24]byte`
			`copy(xsalsaServerNonce[:], serverNonce)`
			`var ok bool`
Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00			`packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, sharedKey)`
Many improvements 2018-01-10 16:01:29 +01:00			`if !ok {`
			`err = errors.New("Incorrect tag")`
			`}`
			`}`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`if err != nil {`
Many improvements 2018-01-10 16:01:29 +01:00			`return encrypted, err`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`}`
			`packet, err = unpad(packet)`
			`if err != nil \|\| len(packet) < MinDNSPacketSize {`
			`return encrypted, errors.New("Incorrect padding")`
			`}`
			`return packet, nil`
			`}`