Relax cert response check for legacy proxies

Frank Denis 5 years ago
parent 283bac4405
commit dd657faaab

@ -96,9 +96,8 @@ pub async fn handle_anonymized_dns(
let fut = ext_socket.recv_from(&mut response[..]);
let (response_len, response_addr) = fut.await?;
if response_addr == upstream_address
&& response_len <= encrypted_packet_len
&& (is_encrypted_response(&response, response_len)
|| is_certificate_response(&response, response_len))
|| is_certificate_response(&response, response_len, &encrypted_packet))
{
response.truncate(response_len);
break;
@ -118,11 +117,11 @@ fn is_encrypted_response(response: &[u8], response_len: usize) -> bool {
}
#[inline]
fn is_certificate_response(response: &[u8], response_len: usize) -> bool {
(DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()
..=DNS_MAX_PACKET_SIZE)
.contains(&response_len)
&& response[DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET
..DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()]
== DNSCRYPT_RESPONSE_CERT_PREFIX
fn is_certificate_response(response: &[u8], response_len: usize, query: &[u8]) -> bool {
response_len <= query.len()
&& (DNS_HEADER_SIZE..=DNS_MAX_PACKET_SIZE).contains(&response_len)
&& dns::tid(response) == dns::tid(query)
&& dns::is_response(response)
&& !dns::is_response(query)
&& dns::qname(response).ok() == dns::qname(query).ok()
}
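Review bot: The final clause of the new `is_certificate_response`, `dns::qname(response).ok() == dns::qname(query).ok()`, treats two parse failures as a match, because `None == None` is true, so a response whose question section does not parse is accepted whenever the query's does not parse either; only the `Ok`/`Ok` case with equal names should pass, e.g. `&& matches!((dns::qname(&response[..response_len]), dns::qname(query)), (Ok(r), Ok(q)) if r == q)`. The same call also parses the whole `response` buffer rather than the `response_len` bytes that were received — the call site in `handle_anonymized_dns` passes `&response` before `response.truncate(response_len)` — so bytes left over from an earlier datagram can complete a truncated question section, which the old fixed-offset prefix comparison could not be fooled by since it was guarded by the length range check. Whether `dns::qname` bounds itself by some other means is not visible in this hunk, so the slice is the safe choice; `dns::tid` and `dns::is_response` only read the header, which the `DNS_HEADER_SIZE` lower bound already guarantees is present.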

@ -23,10 +23,6 @@ pub const DNSCRYPT_QUERY_MIN_OVERHEAD: usize =
pub const DNSCRYPT_RESPONSE_MAGIC_SIZE: usize = 8;
pub const DNSCRYPT_RESPONSE_MAGIC: [u8; DNSCRYPT_RESPONSE_MAGIC_SIZE] =
[0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38];
pub const DNSCRYPT_RESPONSE_CERT_PREFIX: [u8; 24] = [
0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x32, 0x0d, 0x64, 0x6e, 0x73, 0x63, 0x72,
0x79, 0x70, 0x74, 0x2d, 0x63, 0x65, 0x72, 0x74,
];
pub const DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET: usize = 4;
pub const DNSCRYPT_RESPONSE_NONCE_SIZE: usize = DNSCRYPT_FULL_NONCE_SIZE;
pub const DNSCRYPT_RESPONSE_HEADER_SIZE: usize =
