-
Notifications
You must be signed in to change notification settings - Fork 14
/
constants.go
116 lines (86 loc) · 4.11 KB
/
constants.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package dnscrypt
// Error represents a dnscrypt error.
type Error string
func (e Error) Error() string { return "dnscrypt: " + string(e) }
const (
// ErrTooShort means that the DNS query is shorter than possible
ErrTooShort = Error("message is too short")
// ErrQueryTooLarge means that the DNS query is larger than max allowed size
ErrQueryTooLarge = Error("DNSCrypt query is too large")
// ErrEsVersion means that the cert contains unsupported es-version
ErrEsVersion = Error("unsupported es-version")
// ErrInvalidDate means that the cert is not valid for the current time
ErrInvalidDate = Error("cert has invalid ts-start or ts-end")
// ErrInvalidCertSignature means that the cert has invalid signature
ErrInvalidCertSignature = Error("cert has invalid signature")
// ErrInvalidQuery means that it failed to decrypt a DNSCrypt query
ErrInvalidQuery = Error("DNSCrypt query is invalid and cannot be decrypted")
// ErrInvalidClientMagic means that client-magic does not match
ErrInvalidClientMagic = Error("DNSCrypt query contains invalid client magic")
// ErrInvalidResolverMagic means that server-magic does not match
ErrInvalidResolverMagic = Error("DNSCrypt response contains invalid resolver magic")
// ErrInvalidResponse means that it failed to decrypt a DNSCrypt response
ErrInvalidResponse = Error("DNSCrypt response is invalid and cannot be decrypted")
// ErrInvalidPadding means that it failed to unpad a query
ErrInvalidPadding = Error("invalid padding")
// ErrInvalidDNSStamp means an invalid DNS stamp
ErrInvalidDNSStamp = Error("invalid DNS stamp")
// ErrFailedToFetchCert means that it failed to fetch DNSCrypt certificate
ErrFailedToFetchCert = Error("failed to fetch DNSCrypt certificate")
// ErrCertTooShort means that it failed to deserialize cert, too short
ErrCertTooShort = Error("cert is too short")
// ErrCertMagic means an invalid cert magic
ErrCertMagic = Error("invalid cert magic")
// ErrServerConfig means that it failed to start the DNSCrypt server - invalid configuration
ErrServerConfig = Error("invalid server configuration")
// ErrServerNotStarted is returned if there's nothing to shutdown
ErrServerNotStarted = Error("server is not started")
)
const (
// <min-query-len> is a variable length, initially set to 256 bytes, and
// must be a multiple of 64 bytes. (see https://dnscrypt.info/protocol)
// Some servers do not work if padded length is less than 256. Example: Quad9
minUDPQuestionSize = 256
// Minimum possible DNS packet size
minDNSPacketSize = 12 + 5
// See 11. Authenticated encryption and key exchange algorithm
// The public and secret keys are 32 bytes long in storage
keySize = 32
// size of the shared key used to encrypt/decrypt messages
sharedKeySize = 32
// ClientMagic is the first 8 bytes of a client query that is to be built
// using the information from this certificate. It may be a truncated
// public key. Two valid certificates cannot share the same <client-magic>.
clientMagicSize = 8
// When using X25519-XSalsa20Poly1305, this construction requires a 24 bytes
// nonce, that must not be reused for a given shared secret.
nonceSize = 24
// the first 8 bytes of every dnscrypt response. must match resolverMagic.
resolverMagicSize = 8
)
var (
// certMagic is a bytes sequence that must be in the beginning of the serialized cert
certMagic = [4]byte{0x44, 0x4e, 0x53, 0x43}
// resolverMagic is a byte sequence that must be in the beginning of every response
resolverMagic = []byte{0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38}
)
// CryptoConstruction represents the encryption algorithm (either XSalsa20Poly1305 or XChacha20Poly1305)
type CryptoConstruction uint16
const (
// UndefinedConstruction is the default value for empty CertInfo only
UndefinedConstruction CryptoConstruction = iota
// XSalsa20Poly1305 encryption
XSalsa20Poly1305 CryptoConstruction = 0x0001
// XChacha20Poly1305 encryption
XChacha20Poly1305 CryptoConstruction = 0x0002
)
func (c CryptoConstruction) String() string {
switch c {
case XChacha20Poly1305:
return "XChacha20Poly1305"
case XSalsa20Poly1305:
return "XSalsa20Poly1305"
default:
return "Unknown"
}
}