dnscrypt-proxy/dnscrypt-proxy/local-doh.go

package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/jedisct1/dlog"
	"github.com/miekg/dns"
)

type localDoHHandler struct {
	proxy *Proxy
}

func (handler localDoHHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
	proxy := handler.proxy
	if !proxy.clientsCountInc() {
		dlog.Warnf("Too many incoming connections (max=%d)", proxy.maxClients)
		return
	}
	defer proxy.clientsCountDec()
	dataType := "application/dns-message"
	writer.Header().Set("Server", "dnscrypt-proxy")
	if request.URL.Path != proxy.localDoHPath {
		writer.WriteHeader(404)
		return
	}
	packet := []byte{}
	var err error
	start := time.Now()
	if request.Method == "POST" &&
		request.Header.Get("Content-Type") == dataType {
		packet, err = io.ReadAll(io.LimitReader(request.Body, int64(MaxDNSPacketSize)))
		if err != nil {
			dlog.Warnf("No body in a local DoH query")
			return
		}
	} else if request.Method == "GET" && request.Header.Get("Accept") == dataType {
		encodedPacket := request.URL.Query().Get("dns")
		if len(encodedPacket) >= MinDNSPacketSize*4/3 && len(encodedPacket) <= MaxDNSPacketSize*4/3 {
			packet, err = base64.RawURLEncoding.DecodeString(encodedPacket)
			if err != nil {
				dlog.Warnf("Invalid base64 in a local DoH query")
				return
			}
		}
	}
	if len(packet) < MinDNSPacketSize {
		writer.Header().Set("Content-Type", "text/plain")
		writer.WriteHeader(400)
		writer.Write([]byte("dnscrypt-proxy local DoH server\n"))
		return
	}
	clientAddr, err := net.ResolveTCPAddr("tcp", request.RemoteAddr)
	if err != nil {
		dlog.Errorf("Unable to get the client address: [%v]", err)
		return
	}
	xClientAddr := net.Addr(clientAddr)
	hasEDNS0Padding, err := hasEDNS0Padding(packet)
	if err != nil {
		writer.WriteHeader(400)
		return
	}
	response := proxy.processIncomingQuery("local_doh", proxy.mainProto, packet, &xClientAddr, nil, start, false)
	if len(response) == 0 {
		writer.WriteHeader(500)
		return
	}
	msg := dns.Msg{}
	if err := msg.Unpack(packet); err != nil {
		writer.WriteHeader(500)
		return
	}
	responseLen := len(response)
	paddedLen := dohPaddedLen(responseLen)
	padLen := paddedLen - responseLen
	if hasEDNS0Padding {
		response, err = addEDNS0PaddingIfNoneFound(&msg, response, padLen)
		if err != nil {
			dlog.Critical(err)
			return
		}
	} else {
		pad := strings.Repeat("X", padLen)
		writer.Header().Set("X-Pad", pad)
	}
	writer.Header().Set("Content-Type", dataType)
	writer.Header().Set("Content-Length", fmt.Sprint(len(response)))
	writer.WriteHeader(200)
	writer.Write(response)
}

func (proxy *Proxy) localDoHListener(acceptPc *net.TCPListener) {
	defer acceptPc.Close()
	if len(proxy.localDoHCertFile) == 0 || len(proxy.localDoHCertKeyFile) == 0 {
		dlog.Fatal("A certificate and a key are required to start a local DoH service")
	}
	httpServer := &http.Server{
		ReadTimeout:  proxy.timeout,
		WriteTimeout: proxy.timeout,
		Handler:      localDoHHandler{proxy: proxy},
	}
	httpServer.SetKeepAlivesEnabled(true)
	if err := httpServer.ServeTLS(acceptPc, proxy.localDoHCertFile, proxy.localDoHCertKeyFile); err != nil {
		dlog.Fatal(err)
	}
}

func dohPaddedLen(unpaddedLen int) int {
	boundaries := [...]int{
		64,
		128,
		192,
		256,
		320,
		384,
		512,
		704,
		768,
		896,
		960,
		1024,
		1088,
		1152,
		2688,
		4080,
		MaxDNSPacketSize,
	}
	for _, boundary := range boundaries {
		if boundary >= unpaddedLen {
			return boundary
		}
	}
	return unpaddedLen
}
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`package main`

			`import (`
Local DoH: add support for request using the GET method Fixes #2012 2022-01-31 14:56:46 +01:00			`"encoding/base64"`
			`"fmt"`
Limit the query body size 2019-11-28 23:32:56 +01:00			`"io"`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`"net"`
			`"net/http"`
Don't add padding unless the query has padding Or else Firefox craps out 2020-01-31 11:17:36 +01:00			`"strings"`
up 2019-11-26 01:36:35 +01:00			`"time"`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00
			`"github.com/jedisct1/dlog"`
Use EDNS0 padding for local DoH 2020-01-06 03:12:29 +01:00			`"github.com/miekg/dns"`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`)`

			`type localDoHHandler struct {`
up 2019-11-26 01:36:35 +01:00			`proxy *Proxy`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`}`

			`func (handler localDoHHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {`
Make the local DoH path configurable 2019-11-28 23:49:28 +01:00			`proxy := handler.proxy`
Handle clientsCount in the local DoH handler, too 2019-12-03 13:04:58 +01:00			`if !proxy.clientsCountInc() {`
			`dlog.Warnf("Too many incoming connections (max=%d)", proxy.maxClients)`
			`return`
			`}`
			`defer proxy.clientsCountDec()`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`dataType := "application/dns-message"`
Local DoH support, continued 2019-11-28 16:46:25 +01:00			`writer.Header().Set("Server", "dnscrypt-proxy")`
Make the local DoH path configurable 2019-11-28 23:49:28 +01:00			`if request.URL.Path != proxy.localDoHPath {`
			`writer.WriteHeader(404)`
			`return`
			`}`
Local DoH: add support for request using the GET method Fixes #2012 2022-01-31 14:56:46 +01:00			`packet := []byte{}`
			`var err error`
			`start := time.Now()`
			`if request.Method == "POST" &&`
			`request.Header.Get("Content-Type") == dataType {`
Mostly get rid of ioutil 2023-02-02 19:38:24 +01:00			`packet, err = io.ReadAll(io.LimitReader(request.Body, int64(MaxDNSPacketSize)))`
Local DoH: add support for request using the GET method Fixes #2012 2022-01-31 14:56:46 +01:00			`if err != nil {`
			`dlog.Warnf("No body in a local DoH query")`
			`return`
			`}`
			`} else if request.Method == "GET" && request.Header.Get("Accept") == dataType {`
			`encodedPacket := request.URL.Query().Get("dns")`
			`if len(encodedPacket) >= MinDNSPacketSize4/3 && len(encodedPacket) <= MaxDNSPacketSize4/3 {`
			`packet, err = base64.RawURLEncoding.DecodeString(encodedPacket)`
			`if err != nil {`
			`dlog.Warnf("Invalid base64 in a local DoH query")`
			`return`
			`}`
			`}`
			`}`
			`if len(packet) < MinDNSPacketSize {`
Print something useful when browsing the local DoH URL 2019-11-28 23:30:54 +01:00			`writer.Header().Set("Content-Type", "text/plain")`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`writer.WriteHeader(400)`
Print something useful when browsing the local DoH URL 2019-11-28 23:30:54 +01:00			`writer.Write([]byte("dnscrypt-proxy local DoH server\n"))`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`return`
			`}`
up 2019-11-26 01:36:35 +01:00			`clientAddr, err := net.ResolveTCPAddr("tcp", request.RemoteAddr)`
			`if err != nil {`
			`dlog.Errorf("Unable to get the client address: [%v]", err)`
			`return`
			`}`
			`xClientAddr := net.Addr(clientAddr)`
Don't add padding unless the query has padding Or else Firefox craps out 2020-01-31 11:17:36 +01:00			`hasEDNS0Padding, err := hasEDNS0Padding(packet)`
			`if err != nil {`
			`writer.WriteHeader(400)`
			`return`
			`}`
On overflow, only respond to cached/synthesized queries 2021-08-04 14:25:56 +02:00			`response := proxy.processIncomingQuery("local_doh", proxy.mainProto, packet, &xClientAddr, nil, start, false)`
up 2019-11-26 01:36:35 +01:00			`if len(response) == 0 {`
			`writer.WriteHeader(500)`
			`return`
			`}`
Use EDNS0 padding for local DoH 2020-01-06 03:12:29 +01:00			`msg := dns.Msg{}`
			`if err := msg.Unpack(packet); err != nil {`
			`writer.WriteHeader(500)`
			`return`
			`}`
Use constant, but arbitrary long padding 2020-01-29 17:57:59 +01:00			`responseLen := len(response)`
			`paddedLen := dohPaddedLen(responseLen)`
Properly compute the padding length for local DoH Fixes #1173 2020-01-31 10:00:07 +01:00			`padLen := paddedLen - responseLen`
Don't add padding unless the query has padding Or else Firefox craps out 2020-01-31 11:17:36 +01:00			`if hasEDNS0Padding {`
			`response, err = addEDNS0PaddingIfNoneFound(&msg, response, padLen)`
			`if err != nil {`
			`dlog.Critical(err)`
			`return`
			`}`
			`} else {`
			`pad := strings.Repeat("X", padLen)`
			`writer.Header().Set("X-Pad", pad)`
Use EDNS0 padding for local DoH 2020-01-06 03:12:29 +01:00			`}`
Reuse dataType 2019-11-28 23:33:34 +01:00			`writer.Header().Set("Content-Type", dataType)`
Local DoH: add support for request using the GET method Fixes #2012 2022-01-31 14:56:46 +01:00			`writer.Header().Set("Content-Length", fmt.Sprint(len(response)))`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`writer.WriteHeader(200)`
Don't add padding unless the query has padding Or else Firefox craps out 2020-01-31 11:17:36 +01:00			`writer.Write(response)`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`}`

			`func (proxy Proxy) localDoHListener(acceptPc net.TCPListener) {`
			`defer acceptPc.Close()`
Improve error message when local DoH is enabled without a certificate Fixes #1136 2020-01-06 01:02:57 +01:00			`if len(proxy.localDoHCertFile) == 0 \|\| len(proxy.localDoHCertKeyFile) == 0 {`
			`dlog.Fatal("A certificate and a key are required to start a local DoH service")`
			`}`
up 2019-11-26 01:36:35 +01:00			`httpServer := &http.Server{`
			`ReadTimeout: proxy.timeout,`
			`WriteTimeout: proxy.timeout,`
			`Handler: localDoHHandler{proxy: proxy},`
			`}`
Local DoH tweaks 2019-11-28 23:08:23 +01:00			`httpServer.SetKeepAlivesEnabled(true)`
Local DoH support, continued 2019-11-28 16:46:25 +01:00			`if err := httpServer.ServeTLS(acceptPc, proxy.localDoHCertFile, proxy.localDoHCertKeyFile); err != nil {`
First bits towards providing access over DoH in addition to DNS Mainly to deal with the Firefox+ESNI situation 2019-11-24 22:45:43 +01:00			`dlog.Fatal(err)`
			`}`
			`}`
Use constant, but arbitrary long padding 2020-01-29 17:57:59 +01:00
			`func dohPaddedLen(unpaddedLen int) int {`
Keep lines short $ golines -w -m 120 --shorten-comments . 2022-03-23 17:48:48 +01:00			`boundaries := [...]int{`
			`64,`
			`128,`
			`192,`
			`256,`
			`320,`
			`384,`
			`512,`
			`704,`
			`768,`
			`896,`
			`960,`
			`1024,`
			`1088,`
			`1152,`
			`2688,`
			`4080,`
			`MaxDNSPacketSize,`
			`}`
Use constant, but arbitrary long padding 2020-01-29 17:57:59 +01:00			`for _, boundary := range boundaries {`
			`if boundary >= unpaddedLen {`
			`return boundary`
			`}`
			`}`
			`return unpaddedLen`
			`}`