Revert "Remove support for xsalsapoly"

Apparently, a bunch of popular resolvers such as adguard, cleanbrowsing
and comodo still only support xsalsapoly o_O

Add a lying resolver check for old DNSCrypt servers.

Author: jedisct1

dnscrypt-proxy/common.go

@@ -18,6 +18,7 @@ type CryptoConstruction uint16
 
 const (
 	UndefinedConstruction CryptoConstruction = iota
+	XSalsa20Poly1305
 	XChacha20Poly1305
 )
 

dnscrypt-proxy/config.go

@@ -154,6 +154,7 @@ func newConfig() Config {
 		BlockedQueryResponse:     "hinfo",
 		BrokenImplementations: BrokenImplementationsConfig{
 			FragmentsBlocked: []string{
+				"cisco", "cisco-ipv6", "cisco-familyshield", "cisco-familyshield-ipv6",
 				"cleanbrowsing-adult", "cleanbrowsing-adult-ipv6", "cleanbrowsing-family", "cleanbrowsing-family-ipv6", "cleanbrowsing-security", "cleanbrowsing-security-ipv6",
 			},
 		},

dnscrypt-proxy/crypto.go

@@ -9,6 +9,8 @@ import (
 	"github.com/jedisct1/dlog"
 	"github.com/jedisct1/xsecretbox"
 	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/nacl/box"
+	"golang.org/x/crypto/nacl/secretbox"
 )
 
 const (
@@ -55,9 +57,19 @@ func ComputeSharedKey(
 			dlog.Criticalf("[%v] Weak XChaCha20 public key", providerName)
 		}
 	} else {
-		dlog.Criticalf("[%v] Unsupported encryption system", providerName)
+		box.Precompute(&sharedKey, serverPk, secretKey)
+		c := byte(0)
+		for i := 0; i < 32; i++ {
+			c |= sharedKey[i]
+		}
+		if c == 0 {
+			dlog.Criticalf("[%v] Weak XSalsa20 public key", providerName)
+			if _, err := crypto_rand.Read(sharedKey[:]); err != nil {
+				dlog.Fatal(err)
+			}
+		}
 	}
-	return sharedKey
+	return
 }
 
 func (proxy *Proxy) Encrypt(
@@ -112,7 +124,9 @@ func (proxy *Proxy) Encrypt(
 	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
 		encrypted = xsecretbox.Seal(encrypted, nonce, padded, sharedKey[:])
 	} else {
-		err = errors.New("Unsupported encryption system")
+		var xsalsaNonce [24]byte
+		copy(xsalsaNonce[:], nonce)
+		encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)
 	}
 	return
 }
@@ -139,7 +153,13 @@ func (proxy *Proxy) Decrypt(
 	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
 		packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], sharedKey[:])
 	} else {
-		err = errors.New("Unsupported encryption system")
+		var xsalsaServerNonce [24]byte
+		copy(xsalsaServerNonce[:], serverNonce)
+		var ok bool
+		packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, sharedKey)
+		if !ok {
+			err = errors.New("Incorrect tag")
+		}
 	}
 	if err != nil {
 		return encrypted, err

dnscrypt-proxy/dnscrypt_certs.go

@@ -95,12 +95,12 @@ func FetchCurrentDNSCryptCert(
 		cryptoConstruction := CryptoConstruction(0)
 		switch esVersion := binary.BigEndian.Uint16(binCert[4:6]); esVersion {
 		case 0x0001:
-			dlog.Noticef("[%v] Deprecated, now unsupported encryption system", *serverName)
-			continue
+			cryptoConstruction = XSalsa20Poly1305
+			dlog.Noticef("[%v] should upgrade to XChaCha20 for encryption", *serverName)
 		case 0x0002:
 			cryptoConstruction = XChacha20Poly1305
 		default:
-			dlog.Noticef("[%v] Unsupported encryption system", *serverName)
+			dlog.Debugf("[%v] uses an unsupported encryption system", *serverName)
 			continue
 		}
 		signature := binCert[8:72]
@@ -164,7 +164,7 @@ func FetchCurrentDNSCryptCert(
 				dlog.Debugf("[%v] Upgrading the construction from %v to %v", *serverName, certInfo.CryptoConstruction, cryptoConstruction)
 			}
 		}
-		if cryptoConstruction != XChacha20Poly1305 {
+		if cryptoConstruction != XChacha20Poly1305 && cryptoConstruction != XSalsa20Poly1305 {
 			dlog.Noticef("[%v] Cryptographic construction %v not supported", *serverName, cryptoConstruction)
 			continue
 		}

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -774,14 +774,18 @@ format = 'tsv'
 
 [broken_implementations]
 
+## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
+## truncate responses larger than questions as expected by the DNSCrypt protocol.
+## This prevents large responses from being received over UDP and over relays.
+##
 ## Older versions of the `dnsdist` server software had a bug with queries larger
 ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
 ## some server may still run an outdated version.
 ##
 ## The list below enables workarounds to make non-relayed usage more reliable
 ## until the servers are fixed.
 
-fragments_blocked = ['cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cisco-sandbox', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
 
 
 

dnscrypt-proxy/serversInfo.go

@@ -608,6 +608,27 @@ func fetchDNSCryptServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp
 	if err != nil {
 		return ServerInfo{}, err
 	}
+
+	if certInfo.CryptoConstruction == XSalsa20Poly1305 {
+		query := plainNXTestPacket(0xcafe)
+		msg, _, _, err := DNSExchange(
+			proxy,
+			proxy.mainProto,
+			&query,
+			stamp.ServerAddrStr,
+			dnscryptRelay,
+			&name,
+			false,
+		)
+		if err == nil {
+			if msg.Rcode != dns.RcodeNameError && msg.Id == 0xcafe {
+				dlog.Warnf("[%s] may be a lying resolver -- skipping", name)
+				return ServerInfo{}, fmt.Errorf("[%s] unexpected catchall response", name)
+			}
+			dlog.Debugf("[%s] seems to be also accessible over plain DNS", name)
+		}
+	}
+
 	return ServerInfo{
 		Proto:              stamps.StampProtoTypeDNSCrypt,
 		MagicQuery:         certInfo.MagicQuery,
@@ -665,6 +686,19 @@ func dohNXTestPacket(msgID uint16) []byte {
 	return body
 }
 
+func plainNXTestPacket(msgID uint16) dns.Msg {
+	msg := dns.Msg{}
+	qName := make([]byte, 16)
+	charset := "abcdefghijklmnopqrstuvwxyz"
+	for i := range qName {
+		qName[i] = charset[rand.Intn(len(charset))]
+	}
+	msg.SetQuestion(string(qName)+".test.dnscrypt.", dns.TypeNS)
+	msg.Id = msgID
+	msg.MsgHdr.RecursionDesired = true
+	return msg
+}
+
 func fetchDoHServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, isNew bool) (ServerInfo, error) {
 	// If an IP has been provided, use it forever.
 	// Or else, if the fallback server and the DoH server are operated