./pdns/dns.cc
./pdns/dns.hh
./pdns/dnsbulktest.cc
-./pdns/dnscrypt.cc
-./pdns/dnscrypt.hh
./pdns/dnsdemog.cc
./pdns/dnsdistdist/connection-management.hh
./pdns/dnsdistdist/dnsdist-backend.cc
./pdns/test-base64_cc.cc
./pdns/test-common.hh
./pdns/test-distributor_hh.cc
-./pdns/test-dnscrypt_cc.cc
./pdns/test-dnsname_cc.cc
./pdns/test-dnsparser_cc.cc
./pdns/test-dnsparser_hh.cc
DNSCryptQuery::~DNSCryptQuery() = default;
#endif /* HAVE_CRYPTO_BOX_EASY_AFTERNM */
-
DNSCryptContext::~DNSCryptContext() = default;
-DNSCryptContext::DNSCryptContext(const std::string& pName, const std::vector<CertKeyPaths>& certKeys): d_certKeyPaths(certKeys), providerName(pName)
+DNSCryptContext::DNSCryptContext(const std::string& pName, const std::vector<CertKeyPaths>& certKeys) :
+ d_certKeyPaths(certKeys), providerName(pName)
{
reloadCertificates();
}
-DNSCryptContext::DNSCryptContext(const std::string& pName, const DNSCryptCert& certificate, const DNSCryptPrivateKey& pKey): providerName(pName)
+DNSCryptContext::DNSCryptContext(const std::string& pName, const DNSCryptCert& certificate, const DNSCryptPrivateKey& pKey) :
+ providerName(pName)
{
addNewCertificate(certificate, pKey);
}
boost::format fmt("%02X%02X");
ostringstream ret;
- for (size_t idx = 0; idx < DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE; idx += 2)
- {
- ret << (fmt % static_cast<int>(publicKey.at(idx)) % static_cast<int>(publicKey.at(idx+1)));
+ for (size_t idx = 0; idx < DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE; idx += 2) {
+ ret << (fmt % static_cast<int>(publicKey.at(idx)) % static_cast<int>(publicKey.at(idx + 1)));
if (idx < (DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE - 2)) {
ret << ":";
}
esVersion.at(0) = 0x00;
if (version == DNSCryptExchangeVersion::VERSION1) {
- esVersion.at(1) = { 0x01 };
+ esVersion.at(1) = {0x01};
}
else if (version == DNSCryptExchangeVersion::VERSION2) {
- esVersion.at(1) = { 0x02 };
+ esVersion.at(1) = {0x02};
}
else {
throw std::runtime_error("Unknown DNSCrypt exchange version");
}
}
-void DNSCryptContext::loadCertFromFile(const std::string&filename, DNSCryptCert& dest)
+void DNSCryptContext::loadCertFromFile(const std::string& filename, DNSCryptCert& dest)
{
ifstream file(filename);
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): this is the API we have
- file.read(reinterpret_cast<char *>(&dest), sizeof(dest));
+ file.read(reinterpret_cast<char*>(&dest), sizeof(dest));
if (file.fail()) {
throw std::runtime_error("Invalid dnscrypt certificate file " + filename);
file.close();
}
-void DNSCryptContext::saveCertFromFile(const DNSCryptCert& cert, const std::string&filename)
+void DNSCryptContext::saveCertFromFile(const DNSCryptCert& cert, const std::string& filename)
{
ofstream file(filename);
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast): this is the API we have
- file.write(reinterpret_cast<const char *>(&cert), sizeof(cert));
+ file.write(reinterpret_cast<const char*>(&cert), sizeof(cert));
file.close();
}
}
}
-std::vector<std::shared_ptr<DNSCryptCertificatePair>> DNSCryptContext::getCertificates() {
+std::vector<std::shared_ptr<DNSCryptCertificatePair>> DNSCryptContext::getCertificates()
+{
std::vector<std::shared_ptr<DNSCryptCertificatePair>> ret = *(d_certs.read_lock());
return ret;
};
{
auto certs = d_certs.write_lock();
- for (auto it = certs->begin(); it != certs->end(); ) {
+ for (auto it = certs->begin(); it != certs->end();) {
if (!(*it)->active && (*it)->cert.getSerial() == serial) {
it = certs->erase(it);
return;
void DNSCryptContext::getCertificateResponse(time_t now, const DNSName& qname, uint16_t qid, PacketBuffer& response)
{
GenericDNSPacketWriter<PacketBuffer> packetWriter(response, qname, QType::TXT, QClass::IN, Opcode::Query);
- struct dnsheader * dnsHeader = packetWriter.getHeader();
+ struct dnsheader* dnsHeader = packetWriter.getHeader();
dnsHeader->id = qid;
dnsHeader->qr = true;
dnsHeader->rcode = RCode::NoError;
packetWriter.startRecord(qname, QType::TXT, (DNSCRYPT_CERTIFICATE_RESPONSE_TTL), QClass::IN, DNSResourceRecord::ANSWER, true);
std::string scert;
uint8_t certSize = sizeof(pair->cert);
- // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
scert.assign(reinterpret_cast<const char*>(&certSize), sizeof(certSize));
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
scert.append(reinterpret_cast<const char*>(&pair->cert), certSize);
#else /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
res = -1;
#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
- } else {
+ }
+ else {
res = -1;
}
DNSCryptContext::generateCertificate(serial, begin, end, version, providerPrivateKey, keyOut, certOut);
success = true;
}
- catch(const std::exception& e) {
+ catch (const std::exception& e) {
errlog(e.what());
}
class DNSCryptQuery
{
- DNSCryptQuery(const std::shared_ptr<DNSCryptContext>& ctx): d_ctx(ctx)
+ DNSCryptQuery(const std::shared_ptr<DNSCryptContext>& ctx) :
+ d_ctx(ctx)
{
}
+
private:
std::shared_ptr<DNSCryptContext> d_ctx{nullptr};
};
#endif /* HAVE_CRYPTO_BOX_CURVE25519XCHACHA20POLY1305_EASY */
#define DNSCRYPT_CERT_MAGIC_SIZE (4)
-#define DNSCRYPT_CERT_MAGIC_VALUE { 0x44, 0x4e, 0x53, 0x43 }
-#define DNSCRYPT_CERT_PROTOCOL_MINOR_VERSION_VALUE { 0x00, 0x00 }
+#define DNSCRYPT_CERT_MAGIC_VALUE \
+ { \
+ 0x44, 0x4e, 0x53, 0x43 \
+ }
+#define DNSCRYPT_CERT_PROTOCOL_MINOR_VERSION_VALUE \
+ { \
+ 0x00, 0x00 \
+ }
#define DNSCRYPT_CLIENT_MAGIC_SIZE (8)
-#define DNSCRYPT_RESOLVER_MAGIC { 0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38 }
+#define DNSCRYPT_RESOLVER_MAGIC \
+ { \
+ 0x72, 0x36, 0x66, 0x6e, 0x76, 0x57, 0x6a, 0x38 \
+ }
#define DNSCRYPT_RESOLVER_MAGIC_SIZE (8)
#define DNSCRYPT_PADDED_BLOCK_SIZE (64)
#define DNSCRYPT_MAX_TCP_PADDING_SIZE (256)
static_assert(DNSCRYPT_CLIENT_MAGIC_SIZE <= DNSCRYPT_PUBLIC_KEY_SIZE, "DNSCrypt Client Nonce size should be smaller or equal to public key size.");
-#define DNSCRYPT_CERT_ES_VERSION1_VALUE { 0x00, 0x01 }
-#define DNSCRYPT_CERT_ES_VERSION2_VALUE { 0x00, 0x02 }
+#define DNSCRYPT_CERT_ES_VERSION1_VALUE \
+ { \
+ 0x00, 0x01 \
+ }
+#define DNSCRYPT_CERT_ES_VERSION2_VALUE \
+ { \
+ 0x00, 0x02 \
+ }
class DNSCryptContext;
struct DNSCryptCertSignedData
{
- using ResolverPublicKeyType = std::array<unsigned char, DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE>;
+ using ResolverPublicKeyType = std::array<unsigned char, DNSCRYPT_PROVIDER_PUBLIC_KEY_SIZE>;
using ResolverPrivateKeyType = std::array<unsigned char, DNSCRYPT_PROVIDER_PRIVATE_KEY_SIZE>;
using ClientMagicType = std::array<unsigned char, DNSCRYPT_CLIENT_MAGIC_SIZE>;
ResolverPublicKeyType resolverPK;
static_assert(sizeof(DNSCryptResponseHeader) == (DNSCRYPT_RESOLVER_MAGIC_SIZE + DNSCRYPT_NONCE_SIZE), "Dnscrypt response header size is incorrect!");
static_assert(std::is_trivially_copyable_v<DNSCryptResponseHeader> == true);
-typedef enum {
+typedef enum
+{
VERSION1,
VERSION2
} DNSCryptExchangeVersion;
class DNSCryptQuery
{
public:
- DNSCryptQuery(const std::shared_ptr<DNSCryptContext>& ctx): d_ctx(ctx)
+ DNSCryptQuery(const std::shared_ptr<DNSCryptContext>& ctx) :
+ d_ctx(ctx)
{
memset(&d_header, 0, sizeof(d_header));
#ifdef HAVE_CRYPTO_BOX_EASY_AFTERNM
static void generateProviderKeys(DNSCryptCertSignedData::ResolverPublicKeyType& publicKey, DNSCryptCertSignedData::ResolverPrivateKeyType& privateKey);
static std::string getProviderFingerprint(const DNSCryptCertSignedData::ResolverPublicKeyType& publicKey);
static void generateCertificate(uint32_t serial, time_t begin, time_t end, const DNSCryptExchangeVersion& version, const DNSCryptCertSignedData::ResolverPrivateKeyType& providerPrivateKey, DNSCryptPrivateKey& privateKey, DNSCryptCert& cert);
- static void saveCertFromFile(const DNSCryptCert& cert, const std::string&filename);
+ static void saveCertFromFile(const DNSCryptCert& cert, const std::string& filename);
static std::string certificateDateToStr(uint32_t date);
static void generateResolverKeyPair(DNSCryptPrivateKey& privK, DNSCryptPublicKeyType& pubK);
static void setExchangeVersion(const DNSCryptExchangeVersion& version, DNSCryptCert::ESVersionType& esVersion);
~DNSCryptContext();
void reloadCertificates();
- void loadNewCertificate(const std::string& certFile, const std::string& keyFile, bool active=true, bool reload=false);
- void addNewCertificate(const DNSCryptCert& newCert, const DNSCryptPrivateKey& newKey, bool active=true, bool reload=false);
+ void loadNewCertificate(const std::string& certFile, const std::string& keyFile, bool active = true, bool reload = false);
+ void addNewCertificate(const DNSCryptCert& newCert, const DNSCryptPrivateKey& newKey, bool active = true, bool reload = false);
void markActive(uint32_t serial);
void markInactive(uint32_t serial);
private:
static void computePublicKeyFromPrivate(const DNSCryptPrivateKey& privK, DNSCryptCertificatePair::PublicKeyType& pubK);
- static void loadCertFromFile(const std::string&filename, DNSCryptCert& dest);
+ static void loadCertFromFile(const std::string& filename, DNSCryptCert& dest);
static std::shared_ptr<DNSCryptCertificatePair> loadCertificatePair(const std::string& certFile, const std::string& keyFile);
- void addNewCertificate(std::shared_ptr<DNSCryptCertificatePair>& newCert, bool reload=false);
+ void addNewCertificate(std::shared_ptr<DNSCryptCertificatePair>& newCert, bool reload = false);
SharedLockGuarded<std::vector<std::shared_ptr<DNSCryptCertificatePair>>> d_certs;
SharedLockGuarded<std::vector<CertKeyPaths>> d_certKeyPaths;
#ifdef HAVE_DNSCRYPT
// plaintext query for cert
-BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQuery) {
+BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQuery)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
query->getCertificateResponse(now, response);
- MOADNSParser mdp(false, (char*) response.data(), response.size());
+ MOADNSParser mdp(false, (char*)response.data(), response.size());
BOOST_CHECK_EQUAL(mdp.d_header.qdcount, 1U);
BOOST_CHECK_EQUAL(mdp.d_header.ancount, 1U);
}
// invalid plaintext query (A)
-BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQueryInvalidA) {
+BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQueryInvalidA)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
}
// invalid plaintext query (wrong provider name)
-BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQueryInvalidProviderName) {
+BOOST_AUTO_TEST_CASE(DNSCryptPlaintextQueryInvalidProviderName)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
}
// valid encrypted query
-BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValid) {
+BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValid)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
DNSCryptPublicKeyType clientPublicKey;
DNSCryptContext::generateResolverKeyPair(clientPrivateKey, clientPublicKey);
- DNSCryptClientNonceType clientNonce{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B };
+ DNSCryptClientNonceType clientNonce{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B};
DNSName name("www.powerdns.com.");
PacketBuffer plainQuery;
BOOST_CHECK_EQUAL(query->isValid(), true);
BOOST_CHECK_EQUAL(query->isEncrypted(), true);
- MOADNSParser mdp(true, (char*) plainQuery.data(), plainQuery.size());
+ MOADNSParser mdp(true, (char*)plainQuery.data(), plainQuery.size());
BOOST_CHECK_EQUAL(mdp.d_header.qdcount, 1U);
BOOST_CHECK_EQUAL(mdp.d_header.ancount, 0U);
}
// valid encrypted query with not enough room
-BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValidButShort) {
+BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValidButShort)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
DNSCryptContext::generateResolverKeyPair(clientPrivateKey, clientPublicKey);
- DNSCryptClientNonceType clientNonce{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B };
+ DNSCryptClientNonceType clientNonce{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B};
DNSName name("www.powerdns.com.");
PacketBuffer plainQuery;
}
// valid encrypted query with old key
-BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValidWithOldKey) {
+BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryValidWithOldKey)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
DNSCryptContext::generateResolverKeyPair(clientPrivateKey, clientPublicKey);
- DNSCryptClientNonceType clientNonce{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B };
+ DNSCryptClientNonceType clientNonce{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B};
DNSName name("www.powerdns.com.");
PacketBuffer plainQuery;
BOOST_CHECK_EQUAL(query->isValid(), true);
BOOST_CHECK_EQUAL(query->isEncrypted(), true);
- MOADNSParser mdp(true, (char*) plainQuery.data(), plainQuery.size());
+ MOADNSParser mdp(true, (char*)plainQuery.data(), plainQuery.size());
BOOST_CHECK_EQUAL(mdp.d_header.qdcount, 1U);
BOOST_CHECK_EQUAL(mdp.d_header.ancount, 0U);
}
// valid encrypted query with wrong key
-BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryInvalidWithWrongKey) {
+BOOST_AUTO_TEST_CASE(DNSCryptEncryptedQueryInvalidWithWrongKey)
+{
DNSCryptPrivateKey resolverPrivateKey;
DNSCryptCert resolverCert;
DNSCryptCertSignedData::ResolverPublicKeyType providerPublicKey;
DNSCryptContext::generateResolverKeyPair(clientPrivateKey, clientPublicKey);
- DNSCryptClientNonceType clientNonce{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B };
+ DNSCryptClientNonceType clientNonce{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x09, 0x0A, 0x0B};
DNSName name("www.powerdns.com.");
PacketBuffer plainQuery;
projects / thirdparty / pdns.git / commitdiff
