Remove support for xsalsapoly

2025-03-04 02:14:40 +01:00 · 2025-01-10 12:07:20 +01:00 · 2025-01-10 12:07:20 +01:00 · 8987906653
commit 8987906653
parent 699a6a1ebc
3 changed files with 8 additions and 28 deletions
--- a/dnscrypt-proxy/common.go
+++ b/dnscrypt-proxy/common.go
@ -18,7 +18,6 @@ type CryptoConstruction uint16

 const (
 	UndefinedConstruction CryptoConstruction = iota
-	XSalsa20Poly1305
 	XChacha20Poly1305
 )

--- a/dnscrypt-proxy/crypto.go
+++ b/dnscrypt-proxy/crypto.go
@ -9,8 +9,6 @@ import (
 	"github.com/jedisct1/dlog"
 	"github.com/jedisct1/xsecretbox"
 	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/nacl/box"
-	"golang.org/x/crypto/nacl/secretbox"
 )

 const (
@ -57,19 +55,9 @@ func ComputeSharedKey(
 			dlog.Criticalf("[%v] Weak XChaCha20 public key", providerName)
 		}
 	} else {
-		box.Precompute(&sharedKey, serverPk, secretKey)
-		c := byte(0)
-		for i := 0; i < 32; i++ {
-			c |= sharedKey[i]
-		}
-		if c == 0 {
-			dlog.Criticalf("[%v] Weak XSalsa20 public key", providerName)
-			if _, err := crypto_rand.Read(sharedKey[:]); err != nil {
-				dlog.Fatal(err)
-			}
-		}
+		dlog.Criticalf("[%v] Unsupported encryption system", providerName)
 	}
-	return
+	return sharedKey
 }

 func (proxy *Proxy) Encrypt(
@ -124,9 +112,7 @@ func (proxy *Proxy) Encrypt(
 	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
 		encrypted = xsecretbox.Seal(encrypted, nonce, padded, sharedKey[:])
 	} else {
-		var xsalsaNonce [24]byte
-		copy(xsalsaNonce[:], nonce)
-		encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)
+		err = errors.New("Unsupported encryption system")
 	}
 	return
 }
@ -153,13 +139,7 @@ func (proxy *Proxy) Decrypt(
 	if serverInfo.CryptoConstruction == XChacha20Poly1305 {
 		packet, err = xsecretbox.Open(nil, serverNonce, encrypted[responseHeaderLen:], sharedKey[:])
 	} else {
-		var xsalsaServerNonce [24]byte
-		copy(xsalsaServerNonce[:], serverNonce)
-		var ok bool
-		packet, ok = secretbox.Open(nil, encrypted[responseHeaderLen:], &xsalsaServerNonce, sharedKey)
-		if !ok {
-			err = errors.New("Incorrect tag")
-		}
+		err = errors.New("Unsupported encryption system")
 	}
 	if err != nil {
 		return encrypted, err
--- a/dnscrypt-proxy/dnscrypt_certs.go
+++ b/dnscrypt-proxy/dnscrypt_certs.go
@ -95,11 +95,12 @@ func FetchCurrentDNSCryptCert(
 		cryptoConstruction := CryptoConstruction(0)
 		switch esVersion := binary.BigEndian.Uint16(binCert[4:6]); esVersion {
 		case 0x0001:
-			cryptoConstruction = XSalsa20Poly1305
+			dlog.Noticef("[%v] Deprecated, now unsupported encryption system", *serverName)
+			continue
 		case 0x0002:
 			cryptoConstruction = XChacha20Poly1305
 		default:
-			dlog.Noticef("[%v] Unsupported crypto construction", *serverName)
+			dlog.Noticef("[%v] Unsupported encryption system", *serverName)
 			continue
 		}
 		signature := binCert[8:72]
@ -163,7 +164,7 @@ func FetchCurrentDNSCryptCert(
 				dlog.Debugf("[%v] Upgrading the construction from %v to %v", *serverName, certInfo.CryptoConstruction, cryptoConstruction)
 			}
 		}
-		if cryptoConstruction != XChacha20Poly1305 && cryptoConstruction != XSalsa20Poly1305 {
+		if cryptoConstruction != XChacha20Poly1305 {
 			dlog.Noticef("[%v] Cryptographic construction %v not supported", *serverName, cryptoConstruction)
 			continue
 		}