dnscrypt-proxy/dnscrypt-proxy/main.go

package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"net"
	"time"

	"golang.org/x/crypto/curve25519"
)

type Proxy struct {
	proxyPublicKey        [32]byte
	proxySecretKey        [32]byte
	questionSizeEstimator QuestionSizeEstimator
	serversInfo           ServersInfo
	timeout               time.Duration
	mainProto             string
}

func main() {
	log.SetFlags(0)
	stamp, _ := NewServerStampFromLegacy("212.47.228.136:443", "E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D", "2.dnscrypt-cert.fr.dnscrypt.org")
	NewProxy("127.0.0.1:5399", "dnscrypt.org-fr", stamp, "udp")
}

func NewProxy(listenAddrStr string, serverName string, stamp ServerStamp, mainProto string) {
	proxy := Proxy{questionSizeEstimator: NewQuestionSizeEstimator(), timeout: TimeoutMax, mainProto: mainProto}
	if _, err := rand.Read(proxy.proxySecretKey[:]); err != nil {
		log.Fatal(err)
	}
	curve25519.ScalarBaseMult(&proxy.proxyPublicKey, &proxy.proxySecretKey)
	proxy.serversInfo.registerServer(&proxy, serverName, stamp)
	listenUDPAddr, err := net.ResolveUDPAddr("udp", listenAddrStr)
	if err != nil {
		log.Fatal(err)
	}
	listenTCPAddr, err := net.ResolveTCPAddr("tcp", listenAddrStr)
	if err != nil {
		log.Fatal(err)
	}
	go func() {
		proxy.udpListener(listenUDPAddr)
	}()
	go func() {
		proxy.tcpListener(listenTCPAddr)
	}()
	for {
		time.Sleep(CertRefreshDelay)
		proxy.serversInfo.refresh(&proxy)
	}
}

func (proxy *Proxy) udpListener(listenAddr *net.UDPAddr) error {
	clientPc, err := net.ListenUDP("udp", listenAddr)
	if err != nil {
		return err
	}
	defer clientPc.Close()
	fmt.Printf("Now listening to %v [UDP]\n", listenAddr)
	for {
		buffer := make([]byte, MaxDNSPacketSize-1)
		length, clientAddr, err := clientPc.ReadFrom(buffer)
		if err != nil {
			return err
		}
		packet := buffer[:length]
		go func() {
			proxy.processIncomingQuery(proxy.serversInfo.getOne(), proxy.mainProto, packet, &clientAddr, clientPc)
		}()
	}
}

func (proxy *Proxy) tcpListener(listenAddr *net.TCPAddr) error {
	acceptPc, err := net.ListenTCP("tcp", listenAddr)
	if err != nil {
		return err
	}
	defer acceptPc.Close()
	fmt.Printf("Now listening to %v [TCP]\n", listenAddr)
	for {
		clientPc, err := acceptPc.Accept()
		if err != nil {
			continue
		}
		go func() {
			defer clientPc.Close()
			clientPc.SetDeadline(time.Now().Add(proxy.timeout))
			packet, err := ReadPrefixed(clientPc.(*net.TCPConn))
			if err != nil || len(packet) < MinDNSPacketSize {
				return
			}
			proxy.processIncomingQuery(proxy.serversInfo.getOne(), "tcp", packet, nil, clientPc)
		}()
	}
}

func (proxy *Proxy) exchangeWithUDPServer(serverInfo *ServerInfo, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {
	pc, err := net.DialUDP("udp", nil, serverInfo.UDPAddr)
	if err != nil {
		return nil, err
	}
	pc.SetDeadline(time.Now().Add(serverInfo.Timeout))
	pc.Write(encryptedQuery)

	encryptedResponse := make([]byte, MaxDNSPacketSize)
	length, err := pc.Read(encryptedResponse)
	pc.Close()
	if err != nil {
		return nil, err
	}
	encryptedResponse = encryptedResponse[:length]
	return proxy.Decrypt(serverInfo, encryptedResponse, clientNonce)
}

func (proxy *Proxy) exchangeWithTCPServer(serverInfo *ServerInfo, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {
	pc, err := net.DialTCP("tcp", nil, serverInfo.TCPAddr)
	if err != nil {
		return nil, err
	}
	pc.SetDeadline(time.Now().Add(serverInfo.Timeout))
	encryptedQuery, err = PrefixWithSize(encryptedQuery)
	if err != nil {
		return nil, err
	}
	pc.Write(encryptedQuery)

	encryptedResponse, err := ReadPrefixed(pc)
	pc.Close()
	if err != nil {
		return nil, err
	}
	return proxy.Decrypt(serverInfo, encryptedResponse, clientNonce)
}

func (proxy *Proxy) processIncomingQuery(serverInfo *ServerInfo, serverProto string, query []byte, clientAddr *net.Addr, clientPc net.Conn) {
	if len(query) < MinDNSPacketSize {
		return
	}
	pluginsState := NewPluginsState()
	query, _ = pluginsState.ApplyQueryPlugins(query)
	encryptedQuery, clientNonce, err := proxy.Encrypt(serverInfo, query, serverProto)
	if err != nil {
		return
	}
	var response []byte
	if serverProto == "udp" {
		response, err = proxy.exchangeWithUDPServer(serverInfo, encryptedQuery, clientNonce)
	} else {
		response, err = proxy.exchangeWithTCPServer(serverInfo, encryptedQuery, clientNonce)
	}
	if err != nil {
		return
	}
	if clientAddr != nil {
		if len(response) > MaxDNSUDPPacketSize {
			response, err = TruncatedResponse(response)
			if err != nil {
				return
			}
		}
		clientPc.(net.PacketConn).WriteTo(response, *clientAddr)
		if HasTCFlag(response) {
			proxy.questionSizeEstimator.blindAdjust()
		} else {
			proxy.questionSizeEstimator.adjust(len(response))
		}
	} else {
		response, err = PrefixWithSize(response)
		if err != nil {
			return
		}
		clientPc.Write(response)
	}
}
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`package main`

			`import (`
			`"crypto/rand"`
			`"fmt"`
			`"log"`
			`"net"`
			`"time"`

			`"golang.org/x/crypto/curve25519"`
			`)`

			`type Proxy struct {`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`proxyPublicKey [32]byte`
			`proxySecretKey [32]byte`
			`questionSizeEstimator QuestionSizeEstimator`
We want to support multiple servers simultaneously Prepare for that 2018-01-09 16:59:06 +01:00			`serversInfo ServersInfo`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`timeout time.Duration`
The preferred protocol will be a global (for Tor users) 2018-01-09 18:42:24 +01:00			`mainProto string`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`

Move a few things around 2018-01-09 13:35:10 +01:00			`func main() {`
			`log.SetFlags(0)`
Stamps are not expected to include a name 2018-01-09 18:27:04 +01:00			`stamp, _ := NewServerStampFromLegacy("212.47.228.136:443", "E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D", "2.dnscrypt-cert.fr.dnscrypt.org")`
The preferred protocol will be a global (for Tor users) 2018-01-09 18:42:24 +01:00			`NewProxy("127.0.0.1:5399", "dnscrypt.org-fr", stamp, "udp")`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`

The preferred protocol will be a global (for Tor users) 2018-01-09 18:42:24 +01:00			`func NewProxy(listenAddrStr string, serverName string, stamp ServerStamp, mainProto string) {`
			`proxy := Proxy{questionSizeEstimator: NewQuestionSizeEstimator(), timeout: TimeoutMax, mainProto: mainProto}`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`if _, err := rand.Read(proxy.proxySecretKey[:]); err != nil {`
			`log.Fatal(err)`
			`}`
			`curve25519.ScalarBaseMult(&proxy.proxyPublicKey, &proxy.proxySecretKey)`
Refresh certificates We may later want to register a stamp even if no certificate was found 2018-01-09 17:34:19 +01:00			`proxy.serversInfo.registerServer(&proxy, serverName, stamp)`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`listenUDPAddr, err := net.ResolveUDPAddr("udp", listenAddrStr)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`listenTCPAddr, err := net.ResolveTCPAddr("tcp", listenAddrStr)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`go func() {`
			`proxy.udpListener(listenUDPAddr)`
			`}()`
			`go func() {`
			`proxy.tcpListener(listenTCPAddr)`
			`}()`
			`for {`
Stamps are not expected to include a name 2018-01-09 18:27:04 +01:00			`time.Sleep(CertRefreshDelay)`
Refresh certificates We may later want to register a stamp even if no certificate was found 2018-01-09 17:34:19 +01:00			`proxy.serversInfo.refresh(&proxy)`
Move a few things around 2018-01-09 13:35:10 +01:00			`}`
			`}`

Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`func (proxy Proxy) udpListener(listenAddr net.UDPAddr) error {`
			`clientPc, err := net.ListenUDP("udp", listenAddr)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`if err != nil {`
Move a few things around 2018-01-09 13:35:10 +01:00			`return err`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`
			`defer clientPc.Close()`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`fmt.Printf("Now listening to %v [UDP]\n", listenAddr)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`for {`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`buffer := make([]byte, MaxDNSPacketSize-1)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`length, clientAddr, err := clientPc.ReadFrom(buffer)`
			`if err != nil {`
Move a few things around 2018-01-09 13:35:10 +01:00			`return err`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`
			`packet := buffer[:length]`
			`go func() {`
We can now receive queries on UDP and forward them on TCP Something that had never been possible with the old implementation 2018-01-09 20:10:06 +01:00			`proxy.processIncomingQuery(proxy.serversInfo.getOne(), proxy.mainProto, packet, &clientAddr, clientPc)`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`}()`
			`}`
			`}`

			`func (proxy Proxy) tcpListener(listenAddr net.TCPAddr) error {`
			`acceptPc, err := net.ListenTCP("tcp", listenAddr)`
			`if err != nil {`
			`return err`
			`}`
			`defer acceptPc.Close()`
			`fmt.Printf("Now listening to %v [TCP]\n", listenAddr)`
			`for {`
			`clientPc, err := acceptPc.Accept()`
			`if err != nil {`
			`continue`
			`}`
			`go func() {`
			`defer clientPc.Close()`
			`clientPc.SetDeadline(time.Now().Add(proxy.timeout))`
Support TCP connection to the backend 2018-01-09 19:47:24 +01:00			`packet, err := ReadPrefixed(clientPc.(*net.TCPConn))`
			`if err != nil \|\| len(packet) < MinDNSPacketSize {`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`return`
			`}`
Support TCP connection to the backend 2018-01-09 19:47:24 +01:00			`proxy.processIncomingQuery(proxy.serversInfo.getOne(), "tcp", packet, nil, clientPc)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}()`
			`}`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`}`

Cleanups 2018-01-10 00:31:12 +01:00			`func (proxy Proxy) exchangeWithUDPServer(serverInfo ServerInfo, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {`
			`pc, err := net.DialUDP("udp", nil, serverInfo.UDPAddr)`
			`if err != nil {`
			`return nil, err`
			`}`
			`pc.SetDeadline(time.Now().Add(serverInfo.Timeout))`
			`pc.Write(encryptedQuery)`

			`encryptedResponse := make([]byte, MaxDNSPacketSize)`
			`length, err := pc.Read(encryptedResponse)`
			`pc.Close()`
			`if err != nil {`
			`return nil, err`
			`}`
			`encryptedResponse = encryptedResponse[:length]`
			`return proxy.Decrypt(serverInfo, encryptedResponse, clientNonce)`
			`}`

			`func (proxy Proxy) exchangeWithTCPServer(serverInfo ServerInfo, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {`
			`pc, err := net.DialTCP("tcp", nil, serverInfo.TCPAddr)`
			`if err != nil {`
			`return nil, err`
			`}`
			`pc.SetDeadline(time.Now().Add(serverInfo.Timeout))`
			`encryptedQuery, err = PrefixWithSize(encryptedQuery)`
			`if err != nil {`
			`return nil, err`
			`}`
			`pc.Write(encryptedQuery)`

			`encryptedResponse, err := ReadPrefixed(pc)`
			`pc.Close()`
			`if err != nil {`
			`return nil, err`
			`}`
			`return proxy.Decrypt(serverInfo, encryptedResponse, clientNonce)`
			`}`

			`func (proxy Proxy) processIncomingQuery(serverInfo ServerInfo, serverProto string, query []byte, clientAddr *net.Addr, clientPc net.Conn) {`
			`if len(query) < MinDNSPacketSize {`
Desuglify a bit 2018-01-09 13:27:03 +01:00			`return`
			`}`
Transform queries via an initial edns mangling plugin Yet another thing that was utterly broken in dnscrypt-proxy v1.x 2018-01-10 09:04:03 +01:00			`pluginsState := NewPluginsState()`
			`query, _ = pluginsState.ApplyQueryPlugins(query)`
Cleanups 2018-01-10 00:31:12 +01:00			`encryptedQuery, clientNonce, err := proxy.Encrypt(serverInfo, query, serverProto)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`if err != nil {`
			`return`
			`}`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`var response []byte`
Support TCP connection to the backend 2018-01-09 19:47:24 +01:00			`if serverProto == "udp" {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`response, err = proxy.exchangeWithUDPServer(serverInfo, encryptedQuery, clientNonce)`
Support TCP connection to the backend 2018-01-09 19:47:24 +01:00			`} else {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`response, err = proxy.exchangeWithTCPServer(serverInfo, encryptedQuery, clientNonce)`
Nits 2018-01-10 00:32:16 +01:00			`}`
			`if err != nil {`
			`return`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`if clientAddr != nil {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`if len(response) > MaxDNSUDPPacketSize {`
			`response, err = TruncatedResponse(response)`
			`if err != nil {`
			`return`
			`}`
			`}`
			`clientPc.(net.PacketConn).WriteTo(response, *clientAddr)`
			`if HasTCFlag(response) {`
Cleanups 2018-01-10 00:31:12 +01:00			`proxy.questionSizeEstimator.blindAdjust()`
Implement an actual estimator for the response size Scale back the minimum question size when relevant. Did I mention that this is yet another thing that was never properly implemented in dnscrypt-proxy 1.x? 2018-01-10 09:46:27 +01:00			`} else {`
			`proxy.questionSizeEstimator.adjust(len(response))`
Cleanups 2018-01-10 00:31:12 +01:00			`}`
Handle TCP, padding, etc. 2018-01-09 16:40:37 +01:00			`} else {`
Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00			`response, err = PrefixWithSize(response)`
Support TCP connection to the backend 2018-01-09 19:47:24 +01:00			`if err != nil {`
			`return`
			`}`
Cleanups 2018-01-10 00:31:12 +01:00			`clientPc.Write(response)`
Let's start with a 15 minutes ugly PoC hack before going to bed Who said the DNSCrypt protocol was "complex"? 2018-01-09 00:24:51 +01:00			`}`
			`}`