- NLnetLabs#1217. DNSCrypt support, with --enable-dnscrypt, libsodium…

… and then enabled in the config file from Manu Bretelle. git-svn-id: file:///svn/unbound/trunk@4065 be551aaa-1e26-0410-a405-d3ace91eadb9
Talkabout · Mar 20, 2017 · 7c9584e · 7c9584e
1 parent f952ac1
commit 7c9584e
Show file tree

Hide file tree

Showing 25 changed files with 1,123 additions and 37 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 /config.log
 /config.status
 /dnstap/dnstap_config.h
+/dnscrypt/dnscrypt_config.h
 /doc/example.conf
 /doc/libunbound.3
 /doc/unbound-anchor.8

diff --git a/Makefile.in b/Makefile.in
@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
 CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
 DNSTAP_SRC=@DNSTAP_SRC@
 DNSTAP_OBJ=@DNSTAP_OBJ@
+DNSCRYPT_SRC=@DNSCRYPT_SRC@
+DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
 WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
 WITH_PYUNBOUND=@WITH_PYUNBOUND@
 PY_MAJOR_VERSION=@PY_MAJOR_VERSION@
@@ -115,7 +117,7 @@ validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
 validator/val_nsec3.c validator/val_nsec.c validator/val_secalgo.c \
 validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
 cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -126,7 +128,7 @@ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ)
+$(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
 COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
@@ -382,6 +384,13 @@ dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto
 
 dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h
 
+# dnscrypt
+dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
+	dnscrypt/dnscrypt_config.h \
+	$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+	$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
+	$(srcdir)/util/netevent.h
+
 # Python Module
 pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
 	pythonmod/interface.h \
@@ -587,6 +596,7 @@ depend:
 			-e 's?$$(srcdir)/util/configparser.c?util/configparser.c?g' \
 			-e 's?$$(srcdir)/util/configparser.h?util/configparser.h?g' \
 			-e 's?$$(srcdir)/dnstap/dnstap_config.h??g' \
+			-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
 			-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
 			-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
 			> $(DEPEND_TMP)

diff --git a/config.h.in b/config.h.in
@@ -660,6 +660,9 @@
 /* Define to 1 to use cachedb support */
 #undef USE_CACHEDB
 
+/* Define to 1 to enable dnscrypt support */
+#undef USE_DNSCRYPT
+
 /* Define to 1 to enable dnstap support */
 #undef USE_DNSTAP
 

diff --git a/configure.ac b/configure.ac
@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
 sinclude(acx_python.m4)
 sinclude(ac_pkg_swig.m4)
 sinclude(dnstap/dnstap.m4)
+sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
@@ -1314,6 +1315,19 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock],
     ]
 )
 
+# check for dnscrypt if requested
+dnsc_DNSCRYPT([
+        AC_DEFINE([USE_DNSCRYPT], [1], [Define to 1 to enable dnscrypt support])
+        AC_SUBST([ENABLE_DNSCRYPT], [1])
+
+        AC_SUBST([DNSCRYPT_SRC], ["dnscrypt/dnscrypt.c"])
+        AC_SUBST([DNSCRYPT_OBJ], ["dnscrypt.lo"])
+    ],
+    [
+        AC_SUBST([ENABLE_DNSCRYPT], [0])
+    ]
+)
+
 # check for cachedb if requested
 AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
 case "$enable_cachedb" in
@@ -1617,6 +1631,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
 AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])
 
-AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service])
+AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service])
 AC_CONFIG_HEADER([config.h])
 AC_OUTPUT
diff --git a/daemon/daemon.c b/daemon/daemon.c
@@ -574,6 +574,17 @@ daemon_fork(struct daemon* daemon)
 
 	if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views))
 		fatal_exit("Could not setup access control list");
+	if(daemon->cfg->dnscrypt) {
+#ifdef USE_DNSCRYPT
+		daemon->dnscenv = dnsc_create();
+		if (!daemon->dnscenv)
+			fatal_exit("dnsc_create failed");
+		dnsc_apply_cfg(daemon->dnscenv, daemon->cfg);
+#else
+		fatal_exit("dnscrypt enabled in config but unbound was not built with "
+				   "dnscypt support");
+#endif
+	}
 	/* create global local_zones */
 	if(!(daemon->local_zones = local_zones_create()))
 		fatal_exit("Could not create local zones: out of memory");

diff --git a/daemon/daemon.h b/daemon/daemon.h
@@ -64,6 +64,11 @@ struct shm_main_info;
 struct dt_env;
 #endif
 
+#include "dnscrypt/dnscrypt_config.h"
+#ifdef USE_DNSCRYPT
+struct dnsc_env;
+#endif
+
 /**
  * Structure holding worker list.
  * Holds globally visible information.
@@ -125,6 +130,10 @@ struct daemon {
 	struct respip_set* respip_set;
 	/** some response-ip tags or actions are configured if true */
 	int use_response_ip;
+#ifdef USE_DNSCRYPT
+	/** the dnscrypt environment */
+	struct dnsc_env* dnscenv;
+#endif
 };
 
 /**

diff --git a/daemon/worker.c b/daemon/worker.c
@@ -75,6 +75,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/wire2str.h"
 #include "util/shm_side/shm_main.h"
+#include "dnscrypt/dnscrypt.h"
 
 #ifdef HAVE_SYS_TYPES_H
 #  include <sys/types.h>
@@ -973,6 +974,40 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		verbose(VERB_ALGO, "handle request called with err=%d", error);
 		return 0;
 	}
+#ifdef USE_DNSCRYPT
+    repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
+    if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
+        return 0;
+    }
+    if(c->dnscrypt && !repinfo->is_dnscrypted) {
+        char buf[LDNS_MAX_DOMAINLEN+1];
+        // Check if this is unencrypted and asking for certs
+        if(worker_check_request(c->buffer, worker) != 0) {
+            verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
+            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+            comm_point_drop_reply(repinfo);
+            return 0;
+        }
+        if(!query_info_parse(&qinfo, c->buffer)) {
+            verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
+            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+            comm_point_drop_reply(repinfo);
+            return 0;
+        }
+        dname_str(qinfo.qname, buf);
+        if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
+             strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
+            verbose(VERB_ALGO,
+                    "dnscrypt: not TXT %s. Receive: %s %s",
+                    worker->daemon->dnscenv->provider_name,
+                    sldns_rr_descript(qinfo.qtype)->_name,
+                    buf);
+            comm_point_drop_reply(repinfo);
+            return 0;
+        }
+        sldns_buffer_rewind(c->buffer);
+    }
+#endif
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_query_messages)
 		dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, c->type,
@@ -1340,6 +1375,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		log_reply_info(0, &qinfo, &repinfo->addr, repinfo->addrlen,
 			tv, 1, c->buffer);
 	}
+#ifdef USE_DNSCRYPT
+    if(!dnsc_handle_uncurved_request(repinfo)) {
+        return 0;
+    }
+#endif
 	return rc;
 }
 

diff --git a/dnscrypt/cert.h b/dnscrypt/cert.h
@@ -0,0 +1,27 @@
+#ifndef UNBOUND_DNSCRYPT_CERT_H
+#define UNBOUND_DNSCRYPT_CERT_H
+
+#include <sodium.h>
+#define CERT_MAGIC_CERT "DNSC"
+#define CERT_MAJOR_VERSION 1
+#define CERT_MINOR_VERSION 0
+#define CERT_OLD_MAGIC_HEADER "7PYqwfzt"
+
+#define CERT_FILE_EXPIRE_DAYS 365
+
+struct SignedCert {
+    uint8_t magic_cert[4];
+    uint8_t version_major[2];
+    uint8_t version_minor[2];
+
+    // Signed Content
+    uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
+    uint8_t magic_query[8];
+    uint8_t serial[4];
+    uint8_t ts_begin[4];
+    uint8_t ts_end[4];
+    uint8_t end[64];
+};
+
+
+#endif