Support workarounds for ancient/broken implementations

Fixes #984
2019-11-16 18:51:16 +01:00 · 2019-11-16 18:51:16 +01:00 · 15b405b552
parent f76e0fd8cf
commit 15b405b552
5 changed files with 90 additions and 47 deletions
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@ -63,6 +63,7 @@ type Config struct {
 	CloakFile                string                      `toml:"cloaking_rules"`
 	StaticsConfig            map[string]StaticConfig     `toml:"static"`
 	SourcesConfig            map[string]SourceConfig     `toml:"sources"`
+	BrokenImplementations    BrokenImplementationsConfig `toml:"broken_implementations"`
 	SourceRequireDNSSEC      bool                        `toml:"require_dnssec"`
 	SourceRequireNoLog       bool                        `toml:"require_nolog"`
 	SourceRequireNoFilter    bool                        `toml:"require_nofilter"`
@ -181,6 +182,10 @@ type AnonymizedDNSConfig struct {
 	Routes []AnonymizedDNSRouteConfig `toml:"routes"`
 }

+type BrokenImplementationsConfig struct {
+	IncorrectPadding []string `toml:"incorrect_padding"`
+}
+
 type ServerSummary struct {
 	Name        string   `json:"name"`
 	Proto       string   `json:"proto"`
@ -436,6 +441,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 		}
 		proxy.routes = &routes
 	}
+	proxy.serversWithIncorrectPadding = config.BrokenImplementations.IncorrectPadding

 	if *flags.ListAll {
 		config.ServerNames = nil
--- a/dnscrypt-proxy/crypto.go
+++ b/dnscrypt-proxy/crypto.go
@ -79,6 +79,7 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
 		publicKey = &proxy.proxyPublicKey
 	}
 	minQuestionSize := QueryOverhead + len(packet)
+	if !serverInfo.knownBugs.incorrectPadding {
 		if proto == "udp" {
 			minQuestionSize = Max(proxy.questionSizeEstimator.MinQuestionSize(), minQuestionSize)
 		} else {
@ -86,6 +87,7 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
 			rand.Read(xpad[:])
 			minQuestionSize += int(xpad[0])
 		}
+	}
 	paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+63) & ^63)
 	if serverInfo.RelayUDPAddr != nil && proto == "tcp" {
 		// XXX - Note: Cisco's broken implementation doesn't accept more than 1472 bytes
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@ -567,6 +567,22 @@ cache_neg_max_ttl = 600
  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'


+
+
+#########################################
+#        Servers with known bugs        #
+#########################################
+
+[broken_implementations]
+
+# Cisco servers currently cannot handle queries larger than 1472 bytes.
+# This prevents large DNSCrypt responses from being received, and breaks relaying.
+
+incorrect_padding = ['cisco', 'cisco-ipv6', 'cisco-familyshield']
+
+
+
+
 ################################
 #        Anonymized DNS        #
 ################################
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
@ -71,6 +71,7 @@ type Proxy struct {
 	blockedQueryResponse         string
 	queryMeta                    []string
 	routes                       *map[string][]string
+	serversWithIncorrectPadding  []string
 	showCerts                    bool
 }

--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
@ -31,6 +31,10 @@ type RegisteredServer struct {
 	description string
 }

+type ServerBugs struct {
+	incorrectPadding bool
+}
+
 type ServerInfo struct {
 	Proto              stamps.StampProtoType
 	MagicQuery         [8]byte
@ -45,6 +49,7 @@ type ServerInfo struct {
 	TCPAddr            *net.TCPAddr
 	RelayUDPAddr       *net.UDPAddr
 	RelayTCPAddr       *net.TCPAddr
+	knownBugs          ServerBugs
 	lastActionTS       time.Time
 	rtt                ewma.MovingAverage
 	initialRtt         int
@ -293,7 +298,19 @@ func fetchDNSCryptServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp
 		dlog.Warnf("Public key [%s] shouldn't be hex-encoded any more", string(stamp.ServerPk))
 		stamp.ServerPk = serverPk
 	}
+	knownBugs := ServerBugs{}
+	for _, buggyServerName := range proxy.serversWithIncorrectPadding {
+		if buggyServerName == name {
+			knownBugs.incorrectPadding = true
+			dlog.Infof("Known bug in [%v]: padding is not correctly implemented", name)
+			break
+		}
+	}
 	relayUDPAddr, relayTCPAddr, err := route(proxy, name)
+	if knownBugs.incorrectPadding && (relayUDPAddr != nil || relayTCPAddr != nil) {
+		relayTCPAddr, relayUDPAddr = nil, nil
+		dlog.Warnf("[%v] is incompatible with anonymization", name)
+	}
 	if err != nil {
 		return ServerInfo{}, err
 	}
@ -322,6 +339,7 @@ func fetchDNSCryptServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp
 		RelayUDPAddr:       relayUDPAddr,
 		RelayTCPAddr:       relayTCPAddr,
 		initialRtt:         rtt,
+		knownBugs:          knownBugs,
 	}, nil
 }