|
|
|
@ -96,9 +96,8 @@ pub async fn handle_anonymized_dns(
|
|
|
|
|
let fut = ext_socket.recv_from(&mut response[..]);
|
|
|
|
|
let (response_len, response_addr) = fut.await?;
|
|
|
|
|
if response_addr == upstream_address
|
|
|
|
|
&& response_len <= encrypted_packet_len
|
|
|
|
|
&& (is_encrypted_response(&response, response_len)
|
|
|
|
|
|| is_certificate_response(&response, response_len))
|
|
|
|
|
|| is_certificate_response(&response, response_len, &encrypted_packet))
|
|
|
|
|
{
|
|
|
|
|
response.truncate(response_len);
|
|
|
|
|
break;
|
|
|
|
@ -118,11 +117,11 @@ fn is_encrypted_response(response: &[u8], response_len: usize) -> bool {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[inline]
|
|
|
|
|
fn is_certificate_response(response: &[u8], response_len: usize) -> bool {
|
|
|
|
|
(DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()
|
|
|
|
|
..=DNS_MAX_PACKET_SIZE)
|
|
|
|
|
.contains(&response_len)
|
|
|
|
|
&& response[DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET
|
|
|
|
|
..DNSCRYPT_RESPONSE_CERT_PREFIX_OFFSET + DNSCRYPT_RESPONSE_CERT_PREFIX.len()]
|
|
|
|
|
== DNSCRYPT_RESPONSE_CERT_PREFIX
|
|
|
|
|
fn is_certificate_response(response: &[u8], response_len: usize, query: &[u8]) -> bool {
|
|
|
|
|
response_len <= query.len()
|
|
|
|
|
&& (DNS_HEADER_SIZE..=DNS_MAX_PACKET_SIZE).contains(&response_len)
|
|
|
|
|
&& dns::tid(response) == dns::tid(query)
|
|
|
|
|
&& dns::is_response(response)
|
|
|
|
|
&& !dns::is_response(query)
|
|
|
|
|
&& dns::qname(response).ok() == dns::qname(query).ok()
|
|
|
|
|
}
|
|
|
|
|