Nits

Author: jedisct1

dnscrypt-proxy/config_loader.go

@@ -157,7 +157,7 @@ func configureDoHClientAuth(proxy *Proxy, config *Config) error {
 		dlog.Noticef("Enabling TLS authentication")
 		configClientCred := dohClientCreds[0]
 		if len(dohClientCreds) > 1 {
-			dlog.Fatal("Only one tls_client_auth entry is currently supported")
+			dlog.Fatal("Only one doh_client_x509_auth entry is currently supported")
 		}
 		proxy.xTransport.tlsClientCreds = DOHClientCreds{
 			clientCert: configClientCred.ClientCert,
@@ -188,7 +188,7 @@ func configureServerParams(proxy *Proxy, config *Config) {
 	// Configure certificate refresh parameters
 	proxy.certRefreshConcurrency = Max(1, config.CertRefreshConcurrency)
 	proxy.certRefreshDelay = time.Duration(Max(60, config.CertRefreshDelay)) * time.Minute
-	proxy.certRefreshDelayAfterFailure = time.Duration(10 * time.Second)
+	proxy.certRefreshDelayAfterFailure = 10 * time.Second
 	proxy.certIgnoreTimestamp = config.CertIgnoreTimestamp
 	proxy.ephemeralKeys = config.EphemeralKeys
 	proxy.monitoringUI = config.MonitoringUI
@@ -335,7 +335,7 @@ func configureBlockedNames(proxy *Proxy, config *Config) error {
 // configureAllowedNames - Configures allowed names
 func configureAllowedNames(proxy *Proxy, config *Config) error {
 	if len(config.AllowedName.File) > 0 && len(config.WhitelistNameLegacy.File) > 0 {
-		return errors.New("Don't specify both [whitelist] and [allowed_names] sections - Update your config file")
+		return errors.New("Don't specify both [allowed_names] and [whitelist] sections - Update your config file")
 	}
 	if len(config.WhitelistNameLegacy.File) > 0 {
 		dlog.Notice("Use of [whitelist] is deprecated - Update your config file")

dnscrypt-proxy/config_watcher.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bytes"
 	"crypto/sha256"
 	"errors"
 	"io"
@@ -299,13 +300,5 @@ func getFileHash(path string) ([]byte, error) {
 
 // hashesEqual compares two hashes for equality
 func hashesEqual(h1, h2 []byte) bool {
-	if len(h1) != len(h2) {
-		return false
-	}
-	for i := range h1 {
-		if h1[i] != h2[i] {
-			return false
-		}
-	}
-	return true
+	return bytes.Equal(h1, h2)
 }

dnscrypt-proxy/crypto.go

@@ -55,6 +55,9 @@ func ComputeSharedKey(
 		sharedKey, err = xsecretbox.SharedKey(*secretKey, *serverPk)
 		if err != nil {
 			dlog.Criticalf("[%v] Weak XChaCha20 public key", providerName)
+			if _, err := crypto_rand.Read(sharedKey[:]); err != nil {
+				dlog.Fatal(err)
+			}
 		}
 	} else {
 		box.Precompute(&sharedKey, serverPk, secretKey)

dnscrypt-proxy/dnscrypt_certs.go

@@ -112,7 +112,7 @@ func FetchCurrentDNSCryptCert(
 		tsBegin := binary.BigEndian.Uint32(binCert[116:120])
 		tsEnd := binary.BigEndian.Uint32(binCert[120:124])
 		if tsBegin >= tsEnd {
-			dlog.Warnf("[%v] certificate ends before it starts (%v >= %v)", *serverName, tsBegin, tsEnd)
+			dlog.Warnf("[%v] certificate has invalid time range: start >= end (%v >= %v)", *serverName, tsBegin, tsEnd)
 			continue
 		}
 		ttl := tsEnd - tsBegin
@@ -135,9 +135,6 @@ func FetchCurrentDNSCryptCert(
 			} else {
 				dlog.Debugf("[%v] certificate still valid for %d days", *serverName, daysLeft)
 			}
-			certInfo.ForwardSecurity = false
-		} else {
-			certInfo.ForwardSecurity = true
 		}
 		if !proxy.certIgnoreTimestamp {
 			if now > tsEnd || now < tsBegin {
@@ -152,7 +149,7 @@ func FetchCurrentDNSCryptCert(
 			}
 		}
 		if serial < highestSerial {
-			dlog.Debugf("[%v] Superseded by a previous certificate", *serverName)
+			dlog.Debugf("[%v] Superseded by a more recent certificate", *serverName)
 			continue
 		}
 		if serial == highestSerial {
@@ -167,6 +164,7 @@ func FetchCurrentDNSCryptCert(
 			dlog.Noticef("[%v] Cryptographic construction %v not supported", *serverName, cryptoConstruction)
 			continue
 		}
+		certInfo.ForwardSecurity = ttl <= 86400*7
 		var serverPk [32]byte
 		copy(serverPk[:], binCert[72:104])
 		sharedKey := ComputeSharedKey(cryptoConstruction, &proxy.proxySecretKey, &serverPk, &providerName)

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -189,7 +189,7 @@ keepalive = 30
 
 ## Set to `true` to constantly try to estimate the latency of all the resolvers
 ## and adjust the load-balancing parameters accordingly, or to `false` to disable.
-## Default is `true` that makes 'p2' `lb_strategy` work well.
+## Default is `true`, which makes the `wp2` `lb_strategy` work well.
 
 # lb_estimator = true
 
@@ -289,7 +289,7 @@ cert_refresh_delay = 240
 
 ## Prefer RSA certificates over ECDSA for TLS connections.
 ## When this is enabled, some servers may become impossible to use,
-## or may stop to work later as they upgrade their configuratione.
+## or may stop working later as they upgrade their configuration.
 ## Changing this setting is generally not recommended, but it may
 ## reduce CPU usage on small routers with slow CPUs.
 
@@ -525,7 +525,7 @@ cache_neg_max_ttl = 600
 ## Path of the DoH URL. This is not a file, but the part after the hostname
 ## in the URL. By convention, `/dns-query` is frequently chosen.
 ## For each `listen_address` the complete URL to access the server will be:
-## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
+## `https://<listen_address><path>` (ex: `https://127.0.0.1:3000/dns-query`)
 
 # path = '/dns-query'
 
@@ -840,7 +840,7 @@ prefix = ''
 ##
 ## Older versions of the `dnsdist` server software had a bug with queries larger
 ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
-## some server may still run an outdated version.
+## some servers may still run an outdated version.
 ##
 ## The list below enables workarounds to make non-relayed usage more reliable
 ## until the servers are fixed.
@@ -988,6 +988,7 @@ algorithm = "none"
 ## - ipcrypt-deterministic: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
 ## - ipcrypt-nd: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
 ## - ipcrypt-ndx: 64 hex chars (32 bytes) - Generate with: openssl rand -hex 32
+## - ipcrypt-pfx: 64 hex chars (32 bytes) - Generate with: openssl rand -hex 32
 ## Example for deterministic/nd: key = "1234567890abcdef1234567890abcdef"
 ## Example for ndx: key = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
 ## IMPORTANT: Keep this key secret

dnscrypt-proxy/ipcrypt.go

@@ -41,7 +41,7 @@ func NewIPCryptConfig(keyHex string, algorithm string) (*IPCryptConfig, error) {
 
 	config := &IPCryptConfig{
 		Key:       key,
-		Algorithm: algorithm,
+		Algorithm: strings.ToLower(algorithm),
 	}
 
 	// Validate key length and prepare config based on algorithm

dnscrypt-proxy/pattern_matcher.go

@@ -95,7 +95,7 @@ func (patternMatcher *PatternMatcher) Add(pattern string, val any, position int)
 		pattern = strings.TrimPrefix(pattern, ".") // Remove leading dot if present
 	}
 	if len(pattern) == 0 {
-		dlog.Errorf("Syntax error in the rule file at line %d", position)
+		return fmt.Errorf("Syntax error in the rule file at line %d", position)
 	}
 
 	pattern = strings.ToLower(pattern)
@@ -139,9 +139,9 @@ func (patternMatcher *PatternMatcher) Eval(qName string) (reject bool, reason st
 		if len(match) < len(revQname) && len(revQname) > 0 {
 			if i := strings.LastIndex(revQname, "."); i > 0 {
 				pName := revQname[:i]
-				if match, _, found := patternMatcher.suffixes.LongestPrefix([]byte(pName)); found {
+				if match, xval2, found := patternMatcher.suffixes.LongestPrefix([]byte(pName)); found {
 					if len(match) == len(pName) || pName[len(match)] == '.' {
-						return true, "*." + StringReverse(string(match)), xval
+						return true, "*." + StringReverse(string(match)), xval2
 					}
 				}
 			}

dnscrypt-proxy/plugin_allow_ip.go

@@ -34,7 +34,7 @@ func (plugin *PluginAllowedIP) Name() string {
 }
 
 func (plugin *PluginAllowedIP) Description() string {
-	return "Allows DNS queries containing specific IP addresses"
+	return "Allows DNS responses containing specific IP addresses"
 }
 
 func (plugin *PluginAllowedIP) Init(proxy *Proxy) error {

dnscrypt-proxy/plugin_block_ipv6.go

@@ -39,7 +39,7 @@ func (plugin *PluginBlockIPv6) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 		Name: question.Header().Name, Class: dns.ClassINET, TTL: 86400,
 	}
 	hinfo.Cpu = "AAAA queries have been locally blocked by dnscrypt-proxy"
-	hinfo.Os = "Set block_ipv6 to false to disable that feature"
+	hinfo.Os = "Set block_ipv6 to false to disable this feature"
 	synth.Answer = []dns.RR{hinfo}
 	qName := question.Header().Name
 	i := strings.Index(qName, ".")

dnscrypt-proxy/plugin_captive_portal.go

@@ -14,7 +14,7 @@ func (plugin *PluginCaptivePortal) Name() string {
 }
 
 func (plugin *PluginCaptivePortal) Description() string {
-	return "Handle test queries operating systems make to detect Wi-Fi captive portal"
+	return "Handle test queries that operating systems make to detect Wi-Fi captive portals"
 }
 
 func (plugin *PluginCaptivePortal) Init(proxy *Proxy) error {