1
0
Fork 0
mirror of https://github.com/SamTherapy/dnscrypt.git synced 2024-12-22 08:50:43 +00:00

added certinfo fields: notbefore, notafter

This commit is contained in:
Andrey Meshkov 2018-12-17 11:21:45 +03:00
parent 80e749d9e4
commit 875723a3f9
2 changed files with 12 additions and 18 deletions

View file

@ -61,12 +61,13 @@ type Client struct {
// CertInfo contains DnsCrypt server certificate data retrieved from the server
type CertInfo struct {
Serial uint32
ServerPk [32]byte
SharedKey [32]byte
Serial uint32 // Cert serial number (the cert can be superseded by another one with a higher serial number)
ServerPk [32]byte // Server public key
SharedKey [32]byte // Shared key
MagicQuery [clientMagicLen]byte
CryptoConstruction CryptoConstruction
ForwardSecurity bool
CryptoConstruction CryptoConstruction // Encryption algorithm
NotBefore uint32 // Cert is valid starting from this date (epoch time)
NotAfter uint32 // Cert is valid until this date (epoch time)
}
// ServerInfo contains DNSCrypt server information necessary for decryption/encryption
@ -405,22 +406,15 @@ func txtToCertInfo(answerRr dns.RR, serverInfo *ServerInfo) (CertInfo, error) {
certInfo.Serial = binary.BigEndian.Uint32(binCert[112:116])
// Validate the certificate date
tsBegin := binary.BigEndian.Uint32(binCert[116:120])
tsEnd := binary.BigEndian.Uint32(binCert[120:124])
if tsBegin >= tsEnd {
return certInfo, fmt.Errorf("certificate ends before it starts (%v >= %v)", tsBegin, tsEnd)
certInfo.NotBefore = binary.BigEndian.Uint32(binCert[116:120])
certInfo.NotAfter = binary.BigEndian.Uint32(binCert[120:124])
if certInfo.NotBefore >= certInfo.NotAfter {
return certInfo, fmt.Errorf("certificate ends before it starts (%v >= %v)", certInfo.NotBefore, certInfo.NotAfter)
}
if now > tsEnd || now < tsBegin {
if now > certInfo.NotAfter || now < certInfo.NotBefore {
return certInfo, errors.New("certificate not valid at the current date")
}
ttl := tsEnd - tsBegin
if ttl > 86400*7 {
certInfo.ForwardSecurity = false
} else {
certInfo.ForwardSecurity = true
}
var serverPk [32]byte
copy(serverPk[:], binCert[72:104])
certInfo.SharedKey = computeSharedKey(certInfo.CryptoConstruction, &serverInfo.SecretKey, &serverPk, &serverInfo.ProviderName)

View file

@ -102,7 +102,7 @@ func checkDnsCryptServer(t *testing.T, stampStr string, proto string) {
t.Fatalf("Could not establish connection with %s", stampStr)
}
log.Printf("Established a connection with %s, rtt=%v, proto=%s", serverInfo.ProviderName, rtt, proto)
log.Printf("Established a connection with %s, ttl=%v, rtt=%v, proto=%s", serverInfo.ProviderName, time.Unix(int64(serverInfo.ServerCert.NotAfter), 0), rtt, proto)
req := dns.Msg{}
req.Id = dns.Id()
req.RecursionDesired = true