encrypted-dns-server/src/dnscrypt_certs.rs

use crate::anonymized_dns::*;
use crate::config::*;
use crate::crypto::*;
use crate::dnscrypt::*;
use crate::globals::*;

use byteorder::{BigEndian, ByteOrder};
use cart_cache::CartCache;
use parking_lot::Mutex;
use std::mem;
use std::slice;
use std::sync::Arc;
use std::time::SystemTime;

pub const DNSCRYPT_CERTS_TTL: u32 = 86400;
pub const DNSCRYPT_CERTS_RENEWAL: u32 = 28800;

fn now() -> u32 {
    SystemTime::now()
        .duration_since(SystemTime::UNIX_EPOCH)
        .expect("The clock is completely off")
        .as_secs() as _
}

#[derive(Debug, Default, Copy, Clone, Serialize, Deserialize)]
#[repr(C, packed)]
pub struct DNSCryptCertInner {
    resolver_pk: [u8; 32],
    client_magic: [u8; 8],
    serial: [u8; 4],
    ts_start: [u8; 4],
    ts_end: [u8; 4],
}

impl DNSCryptCertInner {
    pub fn as_bytes(&self) -> &[u8] {
        unsafe { slice::from_raw_parts(self as *const _ as *const u8, mem::size_of_val(self)) }
    }
}

big_array! { BigArray; 64 }

#[derive(Derivative, Serialize, Deserialize)]
#[derivative(Debug, Default, Clone)]
#[repr(C, packed)]
pub struct DNSCryptCert {
    cert_magic: [u8; 4],
    es_version: [u8; 2],
    minor_version: [u8; 2],
    #[derivative(Debug = "ignore", Default(value = "[0u8; 64]"))]
    #[serde(with = "BigArray")]
    signature: [u8; 64],
    inner: DNSCryptCertInner,
}

impl DNSCryptCert {
    pub fn new(provider_kp: &SignKeyPair, resolver_kp: &CryptKeyPair) -> Self {
        let ts_start = now();
        let ts_end = ts_start + DNSCRYPT_CERTS_TTL;

        let mut dnscrypt_cert = DNSCryptCert::default();

        let dnscrypt_cert_inner = &mut dnscrypt_cert.inner;
        dnscrypt_cert_inner
            .resolver_pk
            .copy_from_slice(resolver_kp.pk.as_bytes());
        dnscrypt_cert_inner
            .client_magic
            .copy_from_slice(&dnscrypt_cert_inner.resolver_pk[..8]);
        BigEndian::write_u32(&mut dnscrypt_cert_inner.serial, 1);
        BigEndian::write_u32(&mut dnscrypt_cert_inner.ts_start, ts_start);
        BigEndian::write_u32(&mut dnscrypt_cert_inner.ts_end, ts_end);

        BigEndian::write_u32(&mut dnscrypt_cert.cert_magic, 0x44_4e_53_43);
        BigEndian::write_u16(&mut dnscrypt_cert.es_version, 2);
        BigEndian::write_u16(&mut dnscrypt_cert.minor_version, 0);

        dnscrypt_cert.signature.copy_from_slice(
            provider_kp
                .sk
                .sign(dnscrypt_cert_inner.as_bytes())
                .as_bytes(),
        );
        dnscrypt_cert
    }

    pub fn as_bytes(&self) -> &[u8] {
        unsafe { slice::from_raw_parts(self as *const _ as *const u8, mem::size_of_val(self)) }
    }

    pub fn client_magic(&self) -> &[u8] {
        &self.inner.client_magic
    }

    pub fn ts_end(&self) -> u32 {
        BigEndian::read_u32(&self.inner.ts_end)
    }
}

#[derive(Serialize, Deserialize, Clone, Derivative)]
#[derivative(Debug)]
pub struct DNSCryptEncryptionParams {
    dnscrypt_cert: DNSCryptCert,
    resolver_kp: CryptKeyPair,
    #[serde(skip)]
    #[derivative(Debug = "ignore")]
    pub cache: Option<Arc<Mutex<CartCache<[u8; DNSCRYPT_QUERY_PK_SIZE], SharedKey>>>>,
}

impl DNSCryptEncryptionParams {
    pub fn new(provider_kp: &SignKeyPair, cache_capacity: usize) -> Self {
        let mut resolver_kp;
        while {
            resolver_kp = CryptKeyPair::new();
            resolver_kp.pk.as_bytes()
                == &ANONYMIZED_DNSCRYPT_QUERY_MAGIC[..DNSCRYPT_QUERY_MAGIC_SIZE]
        } {}
        let dnscrypt_cert = DNSCryptCert::new(&provider_kp, &resolver_kp);
        let cache = CartCache::new(cache_capacity).unwrap();
        DNSCryptEncryptionParams {
            dnscrypt_cert,
            resolver_kp,
            cache: Some(Arc::new(Mutex::new(cache))),
        }
    }

    pub fn add_key_cache(&mut self, cache_capacity: usize) {
        let cache = CartCache::new(cache_capacity).unwrap();
        self.cache = Some(Arc::new(Mutex::new(cache)));
    }

    pub fn client_magic(&self) -> &[u8] {
        self.dnscrypt_cert.client_magic()
    }

    pub fn dnscrypt_cert(&self) -> &DNSCryptCert {
        &self.dnscrypt_cert
    }

    pub fn resolver_kp(&self) -> &CryptKeyPair {
        &self.resolver_kp
    }
}

pub struct DNSCryptEncryptionParamsUpdater {
    globals: Arc<Globals>,
}

impl DNSCryptEncryptionParamsUpdater {
    pub fn new(globals: Arc<Globals>) -> Self {
        DNSCryptEncryptionParamsUpdater { globals }
    }

    pub fn update(&self) {
        let now = now();
        let mut new_params_set = vec![];
        {
            let params_set = self.globals.dnscrypt_encryption_params_set.read();
            for params in &**params_set {
                if params.dnscrypt_cert().ts_end() >= now {
                    new_params_set.push(params.clone());
                }
            }
        }
        let new_params = DNSCryptEncryptionParams::new(
            &self.globals.provider_kp,
            self.globals.key_cache_capacity,
        );
        new_params_set.push(Arc::new(new_params));
        let state = State {
            provider_kp: self.globals.provider_kp.clone(),
            dnscrypt_encryption_params_set: new_params_set.iter().map(|x| (**x).clone()).collect(),
        };
        let state_file = self.globals.state_file.to_path_buf();
        self.globals.runtime_handle.spawn(async move {
            let _ = state.async_save(state_file).await;
        });
        *self.globals.dnscrypt_encryption_params_set.write() = Arc::new(new_params_set);
        debug!("New certificate issued");
    }

    pub async fn run(self) {
        let mut fut_interval = tokio::time::interval(std::time::Duration::from_secs(u64::from(
            DNSCRYPT_CERTS_RENEWAL,
        )));
        let fut = async move {
            loop {
                fut_interval.tick().await;
                self.update();
                debug!("New cert issued");
            }
        };
        fut.await
    }
}
Preliminary support for Anonymized DNS 2019-10-13 20:34:46 +00:00			`use crate::anonymized_dns::*;`
kaboom the compiler 2019-09-19 18:47:44 +00:00			`use crate::config::*;`
up 2019-09-02 21:02:23 +00:00			`use crate::crypto::*;`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`use crate::dnscrypt::*;`
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`use crate::globals::*;`
up 2019-09-02 21:02:23 +00:00
			`use byteorder::{BigEndian, ByteOrder};`
Try CART cache 2021-01-31 11:24:02 +00:00			`use cart_cache::CartCache;`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`use parking_lot::Mutex;`
up 2019-09-02 21:02:23 +00:00			`use std::mem;`
			`use std::slice;`
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`use std::sync::Arc;`
Use SystemTime for the certificate's time Also don't use mem::forget() for the updater, because who knows, Rust optimizations may be too aggressive. Maybe Fixes #13 2019-11-05 10:38:45 +00:00			`use std::time::SystemTime;`
up 2019-09-02 21:02:23 +00:00
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`pub const DNSCRYPT_CERTS_TTL: u32 = 86400;`
			`pub const DNSCRYPT_CERTS_RENEWAL: u32 = 28800;`

up 2019-09-02 21:02:23 +00:00			`fn now() -> u32 {`
Use SystemTime for the certificate's time Also don't use mem::forget() for the updater, because who knows, Rust optimizations may be too aggressive. Maybe Fixes #13 2019-11-05 10:38:45 +00:00			`SystemTime::now()`
			`.duration_since(SystemTime::UNIX_EPOCH)`
			`.expect("The clock is completely off")`
			`.as_secs() as _`
up 2019-09-02 21:02:23 +00:00			`}`

Serialization now requires the Copy trait 2020-06-24 11:46:28 +00:00			`#[derive(Debug, Default, Copy, Clone, Serialize, Deserialize)]`
up 2019-09-02 21:02:23 +00:00			`#[repr(C, packed)]`
			`pub struct DNSCryptCertInner {`
			`resolver_pk: [u8; 32],`
			`client_magic: [u8; 8],`
up 2019-09-02 23:10:35 +00:00			`serial: [u8; 4],`
up 2019-09-02 21:02:23 +00:00			`ts_start: [u8; 4],`
			`ts_end: [u8; 4],`
			`}`

			`impl DNSCryptCertInner {`
			`pub fn as_bytes(&self) -> &[u8] {`
			`unsafe { slice::from_raw_parts(self as const _ as const u8, mem::size_of_val(self)) }`
			`}`
			`}`

Use specific lengths for big arrays 2020-05-04 06:54:08 +00:00			`big_array! { BigArray; 64 }`
kaboom the compiler 2019-09-19 18:47:44 +00:00
			`#[derive(Derivative, Serialize, Deserialize)]`
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`#[derivative(Debug, Default, Clone)]`
up 2019-09-02 21:02:23 +00:00			`#[repr(C, packed)]`
			`pub struct DNSCryptCert {`
			`cert_magic: [u8; 4],`
			`es_version: [u8; 2],`
			`minor_version: [u8; 2],`
			`#[derivative(Debug = "ignore", Default(value = "[0u8; 64]"))]`
kaboom the compiler 2019-09-19 18:47:44 +00:00			`#[serde(with = "BigArray")]`
up 2019-09-02 21:02:23 +00:00			`signature: [u8; 64],`
			`inner: DNSCryptCertInner,`
			`}`

			`impl DNSCryptCert {`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`pub fn new(provider_kp: &SignKeyPair, resolver_kp: &CryptKeyPair) -> Self {`
up 2019-09-02 21:02:23 +00:00			`let ts_start = now();`
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`let ts_end = ts_start + DNSCRYPT_CERTS_TTL;`
up 2019-09-02 21:02:23 +00:00
			`let mut dnscrypt_cert = DNSCryptCert::default();`

			`let dnscrypt_cert_inner = &mut dnscrypt_cert.inner;`
			`dnscrypt_cert_inner`
			`.resolver_pk`
			`.copy_from_slice(resolver_kp.pk.as_bytes());`
			`dnscrypt_cert_inner`
			`.client_magic`
			`.copy_from_slice(&dnscrypt_cert_inner.resolver_pk[..8]);`
up 2019-09-02 23:10:35 +00:00			`BigEndian::write_u32(&mut dnscrypt_cert_inner.serial, 1);`
up 2019-09-02 21:02:23 +00:00			`BigEndian::write_u32(&mut dnscrypt_cert_inner.ts_start, ts_start);`
			`BigEndian::write_u32(&mut dnscrypt_cert_inner.ts_end, ts_end);`

			`BigEndian::write_u32(&mut dnscrypt_cert.cert_magic, 0x44_4e_53_43);`
			`BigEndian::write_u16(&mut dnscrypt_cert.es_version, 2);`
			`BigEndian::write_u16(&mut dnscrypt_cert.minor_version, 0);`

			`dnscrypt_cert.signature.copy_from_slice(`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`provider_kp`
up 2019-09-02 21:02:23 +00:00			`.sk`
			`.sign(dnscrypt_cert_inner.as_bytes())`
			`.as_bytes(),`
			`);`
			`dnscrypt_cert`
			`}`

			`pub fn as_bytes(&self) -> &[u8] {`
			`unsafe { slice::from_raw_parts(self as const _ as const u8, mem::size_of_val(self)) }`
			`}`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00
			`pub fn client_magic(&self) -> &[u8] {`
			`&self.inner.client_magic`
			`}`
Clean a few things 2019-09-18 11:40:05 +00:00
Better auto renewal 2019-09-19 14:23:04 +00:00			`pub fn ts_end(&self) -> u32 {`
			`BigEndian::read_u32(&self.inner.ts_end)`
Clean a few things 2019-09-18 11:40:05 +00:00			`}`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`}`

ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`#[derive(Serialize, Deserialize, Clone, Derivative)]`
			`#[derivative(Debug)]`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`pub struct DNSCryptEncryptionParams {`
			`dnscrypt_cert: DNSCryptCert,`
			`resolver_kp: CryptKeyPair,`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`#[serde(skip)]`
			`#[derivative(Debug = "ignore")]`
Try CART cache 2021-01-31 11:24:02 +00:00			`pub cache: Option<Arc<Mutex<CartCache<[u8; DNSCRYPT_QUERY_PK_SIZE], SharedKey>>>>,`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`}`

			`impl DNSCryptEncryptionParams {`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`pub fn new(provider_kp: &SignKeyPair, cache_capacity: usize) -> Self {`
Ensure that PK prefixes don't match the Anonymized DNSCrypt query magic 2019-10-09 15:55:49 +00:00			`let mut resolver_kp;`
			`while {`
			`resolver_kp = CryptKeyPair::new();`
			`resolver_kp.pk.as_bytes()`
			`== &ANONYMIZED_DNSCRYPT_QUERY_MAGIC[..DNSCRYPT_QUERY_MAGIC_SIZE]`
			`} {}`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`let dnscrypt_cert = DNSCryptCert::new(&provider_kp, &resolver_kp);`
Try CART cache 2021-01-31 11:24:02 +00:00			`let cache = CartCache::new(cache_capacity).unwrap();`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`DNSCryptEncryptionParams {`
			`dnscrypt_cert,`
			`resolver_kp,`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`cache: Some(Arc::new(Mutex::new(cache))),`
Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`}`
			`}`

ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`pub fn add_key_cache(&mut self, cache_capacity: usize) {`
Try CART cache 2021-01-31 11:24:02 +00:00			`let cache = CartCache::new(cache_capacity).unwrap();`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`self.cache = Some(Arc::new(Mutex::new(cache)));`
			`}`

Start decrypting DNSCrypt queries 2019-09-17 20:33:15 +00:00			`pub fn client_magic(&self) -> &[u8] {`
			`self.dnscrypt_cert.client_magic()`
			`}`

			`pub fn dnscrypt_cert(&self) -> &DNSCryptCert {`
			`&self.dnscrypt_cert`
			`}`

			`pub fn resolver_kp(&self) -> &CryptKeyPair {`
			`&self.resolver_kp`
			`}`
up 2019-09-02 21:02:23 +00:00			`}`
Automatic cert renewal 2019-09-19 13:51:27 +00:00
			`pub struct DNSCryptEncryptionParamsUpdater {`
			`globals: Arc<Globals>,`
			`}`

			`impl DNSCryptEncryptionParamsUpdater {`
			`pub fn new(globals: Arc<Globals>) -> Self {`
			`DNSCryptEncryptionParamsUpdater { globals }`
			`}`

Add TTL and serve-stale support to the DNS cache Force certificate refresh on load 2019-09-21 09:53:40 +00:00			`pub fn update(&self) {`
Better auto renewal 2019-09-19 14:23:04 +00:00			`let now = now();`
			`let mut new_params_set = vec![];`
			`{`
			`let params_set = self.globals.dnscrypt_encryption_params_set.read();`
			`for params in &**params_set {`
			`if params.dnscrypt_cert().ts_end() >= now {`
			`new_params_set.push(params.clone());`
			`}`
			`}`
			`}`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`let new_params = DNSCryptEncryptionParams::new(`
			`&self.globals.provider_kp,`
			`self.globals.key_cache_capacity,`
			`);`
Better auto renewal 2019-09-19 14:23:04 +00:00			`new_params_set.push(Arc::new(new_params));`
kaboom the compiler 2019-09-19 18:47:44 +00:00			`let state = State {`
			`provider_kp: self.globals.provider_kp.clone(),`
Save resolver keys and certificates in the state 2019-09-19 19:08:49 +00:00			`dnscrypt_encryption_params_set: new_params_set.iter().map(\|x\| (**x).clone()).collect(),`
kaboom the compiler 2019-09-19 18:47:44 +00:00			`};`
Save states asynchronously 2019-09-20 00:31:31 +00:00			`let state_file = self.globals.state_file.to_path_buf();`
Update to tokio 0.2 2019-12-04 16:14:11 +00:00			`self.globals.runtime_handle.spawn(async move {`
Save states asynchronously 2019-09-20 00:31:31 +00:00			`let _ = state.async_save(state_file).await;`
			`});`
Better auto renewal 2019-09-19 14:23:04 +00:00			`*self.globals.dnscrypt_encryption_params_set.write() = Arc::new(new_params_set);`
ADd a key cache and improve logging 2019-09-20 08:39:42 +00:00			`debug!("New certificate issued");`
Better auto renewal 2019-09-19 14:23:04 +00:00			`}`

Automatic cert renewal 2019-09-19 13:51:27 +00:00			`pub async fn run(self) {`
Update to tokio 0.2 2019-12-04 16:14:11 +00:00			`let mut fut_interval = tokio::time::interval(std::time::Duration::from_secs(u64::from(`
			`DNSCRYPT_CERTS_RENEWAL,`
			`)));`
Better auto renewal 2019-09-19 14:23:04 +00:00			`let fut = async move {`
Update to tokio 0.2 2019-12-04 16:14:11 +00:00			`loop {`
			`fut_interval.tick().await;`
Better auto renewal 2019-09-19 14:23:04 +00:00			`self.update();`
Automatic cert renewal 2019-09-19 13:51:27 +00:00			`debug!("New cert issued");`
			`}`
			`};`
			`fut.await`
			`}`
			`}`