-adding DNS exit-from-mesh functionality to gnunet-service-dns

4 files changed, 344 insertions, 9 deletions

diff --git a/src/dns/Makefile.am b/src/dns/Makefile.am
index d8c2cd1c1..a9b1d652e 100644
--- a/src/dns/Makefile.am
+++ b/src/dns/Makefile.am
@@ -74,6 +74,7 @@ gnunet_service_dns_SOURCES = \
  gnunet-service-dns.c 
 gnunet_service_dns_LDADD = \
   $(top_builddir)/src/tun/libgnunettun.la \
+  $(top_builddir)/src/mesh/libgnunetmesh.la \
   $(top_builddir)/src/statistics/libgnunetstatistics.la \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
diff --git a/src/dns/dns.conf.in b/src/dns/dns.conf.in
index a99f7fec3..d2c67958a 100644
--- a/src/dns/dns.conf.in
+++ b/src/dns/dns.conf.in
@@ -1,17 +1,34 @@
 [dns]
 AUTOSTART = YES
-@UNIXONLY@ PORT = 0
 HOSTNAME = localhost
 HOME = $SERVICEHOME
 CONFIG = $DEFAULTCONFIG
 BINARY = gnunet-service-dns
 UNIXPATH = /tmp/gnunet-service-dns.sock
+
+# Access to this service can compromise all DNS queries in this
+# system.  Thus access should be restricted to the same UID.
+# (see https://gnunet.org/gnunet-access-control-model)
 UNIX_MATCH_UID = YES
 UNIX_MATCH_GID = YES
+
+# As there is no sufficiently restrictive access control for TCP, 
+# we never use it, even if @UNIXONLY@ is not set (just to be safe)
+@UNIXONLY@ PORT = 0
+
+# This option should be set to YES to allow the DNS service to 
+# perform lookups against the locally configured DNS resolver.
+# (set to "NO" if no normal ISP is locally available and thus
+# requests for normal ".com"/".org"/etc. must be routed via 
+# the GNUnet VPN (the GNUNET PT daemon then needs to be configured
+# to intercept and route DNS queries via mesh).
 PROVIDE_EXIT = YES
+
+# Name of the virtual interface we use to intercept DNS traffic.
 IFNAME = gnunet-dns
 
 # Use RFC 3849-style documentation IPv6 address (RFC 4773 might provide an alternative in the future)
+# FIXME: or just default to a site-local address scope as we do for VPN!?
 IPV6ADDR = 2001:DB8::1
 IPV6PREFIX = 126
 
@@ -19,3 +36,9 @@ IPV6PREFIX = 126
 IPV4ADDR = 169.254.1.1
 IPV4MASK = 255.255.0.0
 
+# Enable GNUnet-wide DNS-EXIT service by setting this value to the IP address (IPv4 or IPv6)
+# of a DNS resolver to use.  Only works if "PROVIDE_EXIT" is also set to YES.  Must absolutely
+# NOT be an address of any of GNUnet's virtual tunnel interfaces.  Use a well-known
+# public DNS resolver or your ISP's resolver from /etc/resolv.conf.
+# DNS_EXIT = 8.8.8.8
+
diff --git a/src/dns/dns.h b/src/dns/dns.h
index 29a9f937b..2b0ad0376 100644
--- a/src/dns/dns.h
+++ b/src/dns/dns.h
@@ -19,7 +19,7 @@
  */
 
 /**
- * @file dns/dns_new.h
+ * @file dns/dns.h
  * @brief IPC messages between DNS API and DNS service
  * @author Christian Grothoff
  */
diff --git a/src/dns/gnunet-service-dns.c b/src/dns/gnunet-service-dns.c
index 690b4887e..9f3a64334 100644
--- a/src/dns/gnunet-service-dns.c
+++ b/src/dns/gnunet-service-dns.c
@@ -25,11 +25,13 @@
  */
 #include "platform.h"
 #include "gnunet_util_lib.h"
+#include "gnunet_applications.h"
 #include "gnunet_constants.h"
 #include "gnunet_protocols.h"
 #include "gnunet_signatures.h"
 #include "dns.h"
 #include "gnunet_dns_service.h"
+#include "gnunet_mesh_service.h"
 #include "gnunet_statistics_service.h"
 #include "gnunet_tun_lib.h"
 
@@ -162,6 +164,55 @@ struct RequestRecord
 };
 
 
+
+/**
+ * State we keep for each DNS tunnel that terminates at this node.
+ */
+struct TunnelState
+{
+
+  /**
+   * Associated MESH tunnel.
+   */
+  struct GNUNET_MESH_Tunnel *tunnel;
+
+  /**
+   * Active request for sending a reply.
+   */
+  struct GNUNET_MESH_TransmitHandle *th;
+
+  /**
+   * DNS reply ready for transmission.
+   */
+  char *reply;
+
+  /**
+   * Address we sent the DNS request to.
+   */
+  struct sockaddr_storage addr;
+
+  /**
+   * Number of bytes in 'addr'.
+   */
+  socklen_t addrlen;
+
+  /**
+   * Number of bytes in 'reply'.
+   */
+  size_t reply_length;
+
+  /**
+   * Original DNS request ID as used by the client.
+   */
+  uint16_t original_id;
+
+  /**
+   * DNS request ID that we used for forwarding.
+   */
+  uint16_t my_id;
+};
+
+
 /**
  * The IPv4 UDP-Socket through which DNS-Resolves will be sent if they are not to be
  * sent through gnunet. The port of this socket will not be hijacked.
@@ -231,10 +282,27 @@ static struct GNUNET_SERVER_NotificationContext *nc;
 static struct RequestRecord requests[UINT16_MAX + 1];
 
 /**
+ * Array of all open requests from tunnels.
+ */
+static struct TunnelState *tunnels[UINT16_MAX + 1];
+
+/**
  * Generator for unique request IDs.
  */
 static uint64_t request_id_gen;
 
+/**
+ * IP address to use for the DNS server if we are a DNS exit service
+ * (for VPN via mesh); otherwise NULL.
+ */
+static char *dns_exit;
+
+/**
+ * Handle to the MESH service (for receiving DNS queries), or NULL 
+ * if we are not a DNS exit.
+ */
+static struct GNUNET_MESH_Handle *mesh;
+
 
 /**
  * We're done processing a DNS request, free associated memory.
@@ -298,6 +366,11 @@ cleanup_task (void *cls GNUNET_UNUSED,
     GNUNET_STATISTICS_destroy (stats, GNUNET_YES);
     stats = NULL;
   }
+  if (NULL != dns_exit)
+  {
+    GNUNET_free (dns_exit);
+    dns_exit = NULL;
+  }
 }
 
 
@@ -657,6 +730,52 @@ client_disconnect (void *cls, struct GNUNET_SERVER_Client *client)
 
 
 /**
+ * We got a reply from DNS for a request of a MESH tunnel.  Send it
+ * via the tunnel (after changing the request ID back).
+ *
+ * @param cls the 'struct TunnelState'
+ * @param size number of bytes available in buf
+ * @param buf where to copy the reply
+ * @return number of bytes written to buf
+ */
+static size_t
+transmit_reply_to_mesh (void *cls,
+                        size_t size,
+                        void *buf)
+{
+  struct TunnelState *ts = cls;
+  size_t off;
+  size_t ret;
+  char *cbuf = buf;
+  struct GNUNET_MessageHeader hdr;
+  struct GNUNET_TUN_DnsHeader dns;
+
+  ts->th = NULL;
+  GNUNET_assert (ts->reply != NULL);
+  if (size == 0)
+    return 0;
+  ret = sizeof (struct GNUNET_MessageHeader) + ts->reply_length; 
+  GNUNET_assert (ret <= size);
+  hdr.size = htons (ret);
+  hdr.type = htons (GNUNET_MESSAGE_TYPE_VPN_DNS_FROM_INTERNET);
+  memcpy (&dns, ts->reply, sizeof (dns));
+  dns.id = ts->original_id;
+  off = 0;
+  memcpy (&cbuf[off], &hdr, sizeof (hdr));
+  off += sizeof (hdr);
+  memcpy (&cbuf[off], &dns, sizeof (dns));
+  off += sizeof (dns);
+  memcpy (&cbuf[off], &ts->reply[sizeof (dns)], ts->reply_length - sizeof (dns));
+  off += ts->reply_length - sizeof (dns);
+  GNUNET_free (ts->reply);
+  ts->reply = NULL;
+  ts->reply_length = 0;  
+  GNUNET_assert (ret == off);
+  return ret;
+}
+
+
+/**
  * Read a DNS response from the (unhindered) UDP-Socket
  *
  * @param cls socket to read from
@@ -673,6 +792,7 @@ read_response (void *cls,
   struct GNUNET_TUN_DnsHeader *dns;
   socklen_t addrlen;
   struct RequestRecord *rr;
+  struct TunnelState *ts;
   ssize_t r;
   int len;
 
@@ -728,19 +848,48 @@ read_response (void *cls,
       return;
     }
     dns = (struct GNUNET_TUN_DnsHeader *) buf;
+    /* Handle case that this is a reply to a request from a MESH DNS tunnel */
+    ts = tunnels[dns->id];
+    if ( (NULL == ts) ||
+         (addrlen != ts->addrlen) ||
+         (0 != memcmp (&ts->addr,
+                       addr,
+                       addrlen)) )
+      ts = NULL; /* DNS responder address missmatch */
+    if (NULL != ts)
+    {
+      tunnels[dns->id] = NULL;
+      GNUNET_free_non_null (ts->reply);
+      ts->reply = GNUNET_malloc (r);
+      ts->reply_length = r;
+      memcpy (ts->reply, dns, r);
+      if (ts->th != NULL)
+        GNUNET_MESH_notify_transmit_ready_cancel (ts->th);
+      ts->th = GNUNET_MESH_notify_transmit_ready (ts->tunnel,
+                                                  GNUNET_NO, 0,
+                                                  GNUNET_TIME_UNIT_FOREVER_REL,
+                                                  NULL,
+                                                  sizeof (struct GNUNET_MessageHeader) + r,
+                                                  &transmit_reply_to_mesh,
+                                                  ts);
+    }
+    /* Handle case that this is a reply to a local request (intercepted from TUN interface) */
     rr = &requests[dns->id];
     if (rr->phase != RP_INTERNET_DNS) 
     {
-      /* unexpected / bogus reply */
-      GNUNET_STATISTICS_update (stats,
-                                gettext_noop ("# External DNS response discarded (no matching request)"),
-                                1, GNUNET_NO);
+      if (NULL == ts)
+      {
+        /* unexpected / bogus reply */
+        GNUNET_STATISTICS_update (stats,
+                                  gettext_noop ("# External DNS response discarded (no matching request)"),
+                                  1, GNUNET_NO);
+      }
       return; 
     }
     GNUNET_free_non_null (rr->payload);
-    rr->payload = GNUNET_malloc (len);
-    memcpy (rr->payload, buf, len);
-    rr->payload_length = len;
+    rr->payload = GNUNET_malloc (r);
+    memcpy (rr->payload, buf, r);
+    rr->payload_length = r;
     next_phase (rr);
   }  
 }
@@ -1123,6 +1272,147 @@ process_helper_messages (void *cls GNUNET_UNUSED, void *client,
 
 
 /**
+ * Process a request via mesh to perform a DNS query.
+ *
+ * @param cls closure, NULL
+ * @param tunnel connection to the other end
+ * @param tunnel_ctx pointer to our 'struct TunnelState *'
+ * @param sender who sent the message
+ * @param message the actual message
+ * @param atsi performance data for the connection
+ * @return GNUNET_OK to keep the connection open,
+ *         GNUNET_SYSERR to close it (signal serious error)
+ */
+static int
+receive_dns_request (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
+                     void **tunnel_ctx,
+                     const struct GNUNET_PeerIdentity *sender GNUNET_UNUSED,
+                     const struct GNUNET_MessageHeader *message,
+                     const struct GNUNET_ATS_Information *atsi GNUNET_UNUSED)
+{
+  struct TunnelState *ts = *tunnel_ctx;
+  const struct GNUNET_TUN_DnsHeader *dns;
+  size_t mlen = ntohs (message->size);
+  size_t dlen = mlen - sizeof (struct GNUNET_MessageHeader);
+  char buf[dlen];
+  struct GNUNET_TUN_DnsHeader *dout;
+  struct sockaddr_in v4;
+  struct sockaddr_in6 v6;
+  struct sockaddr *so;
+  socklen_t salen;
+  struct GNUNET_NETWORK_Handle *dnsout;
+
+  if (dlen < sizeof (struct GNUNET_TUN_DnsHeader))
+  {
+    GNUNET_break_op (0);
+    return GNUNET_SYSERR;
+  }
+  dns = (const struct GNUNET_TUN_DnsHeader *) &message[1];
+  ts->original_id = dns->id;
+  if (tunnels[ts->my_id] == ts)
+    tunnels[ts->my_id] = NULL;
+  ts->my_id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, 
+                                                   65536);
+  tunnels[ts->my_id] = ts;
+  memcpy (buf, dns, dlen);
+  dout = (struct GNUNET_TUN_DnsHeader*) buf;
+  dout->id = ts->my_id;
+  
+  memset (&v4, 0, sizeof (v4));
+  memset (&v6, 0, sizeof (v6));
+  dnsout = NULL;
+  if (1 == inet_pton (AF_INET, dns_exit, &v4.sin_addr))
+  {
+    salen = sizeof (v4);
+    v4.sin_family = AF_INET;
+    v4.sin_port = htons (53);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+    v4.sin_len = (u_char) salen;
+#endif
+    so = (struct sockaddr *) &v4;
+    dnsout = dnsout4;
+  } 
+  if (1 == inet_pton (AF_INET6, dns_exit, &v6.sin6_addr))
+  {
+    salen = sizeof (v6);
+    v6.sin6_family = AF_INET6;
+    v6.sin6_port = htons (53);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+    v6.sin6_len = (u_char) salen;
+#endif
+    so = (struct sockaddr *) &v6;
+    dnsout = dnsout6;
+  }
+  if (NULL == dnsout)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("Configured DNS exit `%s' is not working / valid.\n"),
+                dns_exit);
+    return GNUNET_SYSERR;
+  }
+  memcpy (&ts->addr,
+          so,
+          salen);
+  ts->addrlen = salen;
+  GNUNET_NETWORK_socket_sendto (dnsout,
+                                buf, dlen, so, salen); 
+  return GNUNET_OK;
+}
+
+
+/**
+ * Callback from GNUNET_MESH for new tunnels.
+ *
+ * @param cls closure
+ * @param tunnel new handle to the tunnel
+ * @param initiator peer that started the tunnel
+ * @param atsi performance information for the tunnel
+ * @return initial tunnel context for the tunnel
+ */
+static void *
+accept_dns_tunnel (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
+                   const struct GNUNET_PeerIdentity *initiator GNUNET_UNUSED,
+                   const struct GNUNET_ATS_Information *ats GNUNET_UNUSED)
+{
+  struct TunnelState *ts = GNUNET_malloc (sizeof (struct TunnelState));
+
+  GNUNET_STATISTICS_update (stats,
+                            gettext_noop ("# Inbound MESH tunnels created"),
+                            1, GNUNET_NO);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received inbound tunnel from `%s'\n",
+              GNUNET_i2s (initiator));
+  ts->tunnel = tunnel;
+  return ts;
+}
+
+
+/**
+ * Function called by mesh whenever an inbound tunnel is destroyed.
+ * Should clean up any associated state.
+ *
+ * @param cls closure (set from GNUNET_MESH_connect)
+ * @param tunnel connection to the other end (henceforth invalid)
+ * @param tunnel_ctx place where local state associated
+ *                   with the tunnel is stored
+ */
+static void
+destroy_dns_tunnel (void *cls GNUNET_UNUSED, 
+                    const struct GNUNET_MESH_Tunnel *tunnel,
+                    void *tunnel_ctx)
+{
+  struct TunnelState *ts = tunnel_ctx;
+
+  if (tunnels[ts->my_id] == ts)
+    tunnels[ts->my_id] = NULL;
+  if (NULL != ts->th)
+    GNUNET_MESH_notify_transmit_ready_cancel (ts->th);
+  GNUNET_free_non_null (ts->reply);
+  GNUNET_free (ts);
+}
+
+
+/**
  * @param cls closure
  * @param server the initialized server
  * @param cfg_ configuration to use
@@ -1150,6 +1440,9 @@ run (void *cls, struct GNUNET_SERVER_Handle *server,
   nc = GNUNET_SERVER_notification_context_create (server, 1);
   GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &cleanup_task,
                                 cls);
+  (void) GNUNET_CONFIGURATION_get_value_string (cfg, "dns", 
+                                                "DNS_EXIT",
+                                                &dns_exit);  
   if (GNUNET_YES ==
       GNUNET_CONFIGURATION_get_value_yesno (cfg_, "dns", "PROVIDE_EXIT"))
   {
@@ -1220,6 +1513,24 @@ run (void *cls, struct GNUNET_SERVER_Handle *server,
                    (unsigned int) dnsoutport);
   helper_argv[6] = GNUNET_strdup (port_s);
   helper_argv[7] = NULL;
+
+  if (NULL != dns_exit)
+  {
+    static struct GNUNET_MESH_MessageHandler mesh_handlers[] = {
+      {&receive_dns_request, GNUNET_MESSAGE_TYPE_VPN_DNS_TO_INTERNET, 0},
+      {NULL, 0, 0}
+    };
+    static GNUNET_MESH_ApplicationType mesh_types[] = {
+      GNUNET_APPLICATION_TYPE_INTERNET_RESOLVER,
+      GNUNET_APPLICATION_TYPE_END
+    };
+    mesh = GNUNET_MESH_connect (cfg,
+                                1, NULL,
+                                &accept_dns_tunnel, 
+                                &destroy_dns_tunnel,
+                                mesh_handlers,
+                                mesh_types);
+  }
   hijacker = GNUNET_HELPER_start ("gnunet-helper-dns",
                                   helper_argv,
                                   &process_helper_messages,